projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Set local_amp_id after getting Phylink Completed evt
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 56static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 57 struct l2cap_chan *chan, int err);
1da177e4 58
d660366d 59static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 60 struct sk_buff_head *skbs, u8 event);
608bcc6d 61
0139418c 62/* ---- L2CAP channels ---- */
71ba0e56 63
2d792818
GP		 64static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
65 u16 cid)
0139418c 66{
3df91ea2 67 struct l2cap_chan *c;
3d57dc68 68
3df91ea2
AE		 69 list_for_each_entry(c, &conn->chan_l, list) {
70 if (c->dcid == cid)
71 return c;
0139418c 72 }
3df91ea2 73 return NULL;
0139418c
MH		 74}
75
2d792818
GP		 76static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
77 u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->scid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
88/* Find channel with given SCID.
ef191ade 89 * Returns locked channel. */
2d792818
GP		 90static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
91 u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa 94
3df91ea2 95 mutex_lock(&conn->chan_lock);
baa7e1fa 96 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 97 if (c)
98 l2cap_chan_lock(c);
3df91ea2
AE		 99 mutex_unlock(&conn->chan_lock);
100
48454079 101 return c;
0139418c
MH		 102}
103
b1a130b7
MM		 104/* Find channel with given DCID.
105 * Returns locked channel.
106 */
107static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
108 u16 cid)
109{
110 struct l2cap_chan *c;
111
112 mutex_lock(&conn->chan_lock);
113 c = __l2cap_get_chan_by_dcid(conn, cid);
114 if (c)
115 l2cap_chan_lock(c);
116 mutex_unlock(&conn->chan_lock);
117
118 return c;
119}
120
2d792818
GP		 121static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
122 u8 ident)
0139418c 123{
3df91ea2 124 struct l2cap_chan *c;
3d57dc68 125
3df91ea2
AE		 126 list_for_each_entry(c, &conn->chan_l, list) {
127 if (c->ident == ident)
128 return c;
0139418c 129 }
3df91ea2 130 return NULL;
0139418c
MH		 131}
132
5b155ef9
MM		 133static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
134 u8 ident)
135{
136 struct l2cap_chan *c;
137
138 mutex_lock(&conn->chan_lock);
139 c = __l2cap_get_chan_by_ident(conn, ident);
140 if (c)
141 l2cap_chan_lock(c);
142 mutex_unlock(&conn->chan_lock);
143
144 return c;
145}
146
23691d75 147static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 148{
23691d75 149 struct l2cap_chan *c;
9e4425ff 150
23691d75
GP		 151 list_for_each_entry(c, &chan_list, global_l) {
152 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 153 return c;
9e4425ff 154 }
250938cb 155 return NULL;
9e4425ff
GP		 156}
157
158int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
159{
73b2ec18
GP		 160 int err;
161
333055f2 162 write_lock(&chan_list_lock);
9e4425ff 163
23691d75 164 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 165 err = -EADDRINUSE;
166 goto done;
9e4425ff
GP		 167 }
168
73b2ec18
GP		 169 if (psm) {
170 chan->psm = psm;
171 chan->sport = psm;
172 err = 0;
173 } else {
174 u16 p;
175
176 err = -EINVAL;
177 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 178 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 179 chan->psm = cpu_to_le16(p);
180 chan->sport = cpu_to_le16(p);
181 err = 0;
182 break;
183 }
184 }
9e4425ff 185
73b2ec18 186done:
333055f2 187 write_unlock(&chan_list_lock);
73b2ec18 188 return err;
9e4425ff
GP		 189}
190
191int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
192{
333055f2 193 write_lock(&chan_list_lock);
9e4425ff
GP		 194
195 chan->scid = scid;
196
333055f2 197 write_unlock(&chan_list_lock);
9e4425ff
GP		 198
199 return 0;
200}
201
baa7e1fa 202static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 203{
8db4dc46 204 u16 cid = L2CAP_CID_DYN_START;
0139418c 205
8db4dc46 206 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 207 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 208 return cid;
209 }
210
211 return 0;
212}
213
0e587be7 214static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 215{
42d2d87c 216 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 217 state_to_string(state));
badaaa00 218
89bc500e 219 chan->state = state;
80b98027 220 chan->ops->state_change(chan, state);
89bc500e
GP		 221}
222
0e587be7
AE		 223static void l2cap_state_change(struct l2cap_chan *chan, int state)
224{
225 struct sock *sk = chan->sk;
226
227 lock_sock(sk);
228 __l2cap_state_change(chan, state);
229 release_sock(sk);
230}
231
2e0052e4
AE		 232static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
233{
234 struct sock *sk = chan->sk;
235
236 sk->sk_err = err;
237}
238
239static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
240{
241 struct sock *sk = chan->sk;
242
243 lock_sock(sk);
244 __l2cap_chan_set_err(chan, err);
245 release_sock(sk);
246}
247
4239d16f
MM		 248static void __set_retrans_timer(struct l2cap_chan *chan)
249{
250 if (!delayed_work_pending(&chan->monitor_timer) &&
251 chan->retrans_timeout) {
252 l2cap_set_timer(chan, &chan->retrans_timer,
253 msecs_to_jiffies(chan->retrans_timeout));
254 }
255}
256
257static void __set_monitor_timer(struct l2cap_chan *chan)
258{
259 __clear_retrans_timer(chan);
260 if (chan->monitor_timeout) {
261 l2cap_set_timer(chan, &chan->monitor_timer,
262 msecs_to_jiffies(chan->monitor_timeout));
263 }
264}
265
608bcc6d
MM		 266static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
267 u16 seq)
268{
269 struct sk_buff *skb;
270
271 skb_queue_walk(head, skb) {
272 if (bt_cb(skb)->control.txseq == seq)
273 return skb;
274 }
275
276 return NULL;
277}
278
3c588192
MM		 279/* ---- L2CAP sequence number lists ---- */
280
281/* For ERTM, ordered lists of sequence numbers must be tracked for
282 * SREJ requests that are received and for frames that are to be
283 * retransmitted. These seq_list functions implement a singly-linked
284 * list in an array, where membership in the list can also be checked
285 * in constant time. Items can also be added to the tail of the list
286 * and removed from the head in constant time, without further memory
287 * allocs or frees.
288 */
289
290static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
291{
292 size_t alloc_size, i;
293
294 /* Allocated size is a power of 2 to map sequence numbers
295 * (which may be up to 14 bits) in to a smaller array that is
296 * sized for the negotiated ERTM transmit windows.
297 */
298 alloc_size = roundup_pow_of_two(size);
299
300 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
301 if (!seq_list->list)
302 return -ENOMEM;
303
304 seq_list->mask = alloc_size - 1;
305 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
306 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
307 for (i = 0; i < alloc_size; i++)
308 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
309
310 return 0;
311}
312
313static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
314{
315 kfree(seq_list->list);
316}
317
318static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
319 u16 seq)
320{
321 /* Constant-time check for list membership */
322 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
323}
324
325static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
326{
327 u16 mask = seq_list->mask;
328
329 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
330 /* In case someone tries to pop the head of an empty list */
331 return L2CAP_SEQ_LIST_CLEAR;
332 } else if (seq_list->head == seq) {
333 /* Head can be removed in constant time */
334 seq_list->head = seq_list->list[seq & mask];
335 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
336
337 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
338 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
339 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
340 }
341 } else {
342 /* Walk the list to find the sequence number */
343 u16 prev = seq_list->head;
344 while (seq_list->list[prev & mask] != seq) {
345 prev = seq_list->list[prev & mask];
346 if (prev == L2CAP_SEQ_LIST_TAIL)
347 return L2CAP_SEQ_LIST_CLEAR;
348 }
349
350 /* Unlink the number from the list and clear it */
351 seq_list->list[prev & mask] = seq_list->list[seq & mask];
352 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
353 if (seq_list->tail == seq)
354 seq_list->tail = prev;
355 }
356 return seq;
357}
358
359static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
360{
361 /* Remove the head in constant time */
362 return l2cap_seq_list_remove(seq_list, seq_list->head);
363}
364
365static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
366{
f522ae36 367 u16 i;
3c588192 368
f522ae36
GP		 369 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
370 return;
371
372 for (i = 0; i <= seq_list->mask; i++)
373 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
374
375 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
376 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 377}
378
379static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
380{
381 u16 mask = seq_list->mask;
382
383 /* All appends happen in constant time */
384
f522ae36
GP		 385 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
386 return;
3c588192 387
f522ae36
GP		 388 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
389 seq_list->head = seq;
390 else
391 seq_list->list[seq_list->tail & mask] = seq;
392
393 seq_list->tail = seq;
394 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 395}
396
721c4181 397static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 398{
721c4181 399 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 400 chan_timer.work);
3df91ea2 401 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 402 int reason;
403
e05dcc32 404 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 405
3df91ea2 406 mutex_lock(&conn->chan_lock);
6be36555 407 l2cap_chan_lock(chan);
ab07801d 408
89bc500e 409 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 410 reason = ECONNREFUSED;
89bc500e 411 else if (chan->state == BT_CONNECT &&
2d792818 412 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 413 reason = ECONNREFUSED;
414 else
415 reason = ETIMEDOUT;
416
0f852724 417 l2cap_chan_close(chan, reason);
ab07801d 418
6be36555 419 l2cap_chan_unlock(chan);
ab07801d 420
80b98027 421 chan->ops->close(chan);
3df91ea2
AE		 422 mutex_unlock(&conn->chan_lock);
423
371fd835 424 l2cap_chan_put(chan);
ab07801d
GP		 425}
426
eef1d9b6 427struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 428{
429 struct l2cap_chan *chan;
430
431 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
432 if (!chan)
433 return NULL;
434
c03b355e
AE		 435 mutex_init(&chan->lock);
436
333055f2 437 write_lock(&chan_list_lock);
23691d75 438 list_add(&chan->global_l, &chan_list);
333055f2 439 write_unlock(&chan_list_lock);
23691d75 440
721c4181 441 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 442
89bc500e
GP		 443 chan->state = BT_OPEN;
444
144ad330 445 kref_init(&chan->kref);
71ba0e56 446
2827011f
MM		 447 /* This flag is cleared in l2cap_chan_ready() */
448 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
449
eef1d9b6 450 BT_DBG("chan %p", chan);
abc545b8 451
48454079
GP		 452 return chan;
453}
454
144ad330 455static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 456{
144ad330
SS		 457 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
458
4af66c69
JK		 459 BT_DBG("chan %p", chan);
460
333055f2 461 write_lock(&chan_list_lock);
23691d75 462 list_del(&chan->global_l);
333055f2 463 write_unlock(&chan_list_lock);
23691d75 464
4af66c69 465 kfree(chan);
6ff5abbf
GP		 466}
467
30648372
JK		 468void l2cap_chan_hold(struct l2cap_chan *c)
469{
144ad330 470 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 471
144ad330 472 kref_get(&c->kref);
30648372
JK		 473}
474
475void l2cap_chan_put(struct l2cap_chan *c)
476{
144ad330 477 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 478
144ad330 479 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 480}
481
bd4b1653
AE		 482void l2cap_chan_set_defaults(struct l2cap_chan *chan)
483{
484 chan->fcs = L2CAP_FCS_CRC16;
485 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
486 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
487 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 488 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 489 chan->sec_level = BT_SECURITY_LOW;
490
491 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
492}
493
93c3e8f5 494void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 495{
af05b30b 496 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 497 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 498
9f5a0d7b 499 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 500
8c1d787b 501 chan->conn = conn;
0139418c 502
5491120e
AE		 503 switch (chan->chan_type) {
504 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 505 if (conn->hcon->type == LE_LINK) {
506 /* LE connection */
6fcb06a2 507 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 508 chan->scid = L2CAP_CID_LE_DATA;
509 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 510 } else {
511 /* Alloc CID for connection-oriented socket */
fe4128e0 512 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 513 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 514 }
5491120e
AE		 515 break;
516
517 case L2CAP_CHAN_CONN_LESS:
0139418c 518 /* Connectionless socket */
fe4128e0
GP		 519 chan->scid = L2CAP_CID_CONN_LESS;
520 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 521 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 522 break;
523
416fa752
AE		 524 case L2CAP_CHAN_CONN_FIX_A2MP:
525 chan->scid = L2CAP_CID_A2MP;
526 chan->dcid = L2CAP_CID_A2MP;
527 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
528 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
529 break;
530
5491120e 531 default:
0139418c 532 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 533 chan->scid = L2CAP_CID_SIGNALING;
534 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 535 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 536 }
537
8f7975b1
AE		 538 chan->local_id = L2CAP_BESTEFFORT_ID;
539 chan->local_stype = L2CAP_SERV_BESTEFFORT;
540 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
541 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
542 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 543 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 544
371fd835 545 l2cap_chan_hold(chan);
baa7e1fa 546
3df91ea2 547 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 548}
549
466f8004 550void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 551{
552 mutex_lock(&conn->chan_lock);
553 __l2cap_chan_add(conn, chan);
3df91ea2 554 mutex_unlock(&conn->chan_lock);
0139418c
MH		 555}
556
466f8004 557void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 558{
8c1d787b 559 struct l2cap_conn *conn = chan->conn;
0139418c 560
c9b66675 561 __clear_chan_timer(chan);
0139418c 562
49208c9c 563 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 564
8e87d142 565 if (conn) {
56f60984 566 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 567 /* Delete from channel list */
3df91ea2 568 list_del(&chan->list);
3d57dc68 569
371fd835 570 l2cap_chan_put(chan);
baa7e1fa 571
8c1d787b 572 chan->conn = NULL;
3cabbfda
AE		 573
574 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
575 hci_conn_put(conn->hcon);
56f60984
AE		 576
577 if (mgr && mgr->bredr_chan == chan)
578 mgr->bredr_chan = NULL;
0139418c
MH		 579 }
580
419e08c1
AE		 581 if (chan->hs_hchan) {
582 struct hci_chan *hs_hchan = chan->hs_hchan;
583
584 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
585 amp_disconnect_logical_link(hs_hchan);
586 }
587
b699ec0d 588 chan->ops->teardown(chan, err);
6be36555 589
2827011f 590 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 591 return;
2ead70b8 592
ee556f66
GP		 593 switch(chan->mode) {
594 case L2CAP_MODE_BASIC:
595 break;
c13ffa62 596
ee556f66 597 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 598 __clear_retrans_timer(chan);
599 __clear_monitor_timer(chan);
600 __clear_ack_timer(chan);
c13ffa62 601
f1c6775b 602 skb_queue_purge(&chan->srej_q);
c13ffa62 603
3c588192
MM		 604 l2cap_seq_list_free(&chan->srej_list);
605 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 606
607 /* fall through */
608
609 case L2CAP_MODE_STREAMING:
610 skb_queue_purge(&chan->tx_q);
611 break;
c13ffa62 612 }
ee556f66
GP		 613
614 return;
0139418c
MH		 615}
616
0f852724 617void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 618{
619 struct l2cap_conn *conn = chan->conn;
620 struct sock *sk = chan->sk;
621
2d792818
GP		 622 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
623 sk);
4519de9a 624
89bc500e 625 switch (chan->state) {
4519de9a 626 case BT_LISTEN:
b699ec0d 627 chan->ops->teardown(chan, 0);
4519de9a
GP		 628 break;
629
630 case BT_CONNECTED:
631 case BT_CONFIG:
715ec005 632 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 633 conn->hcon->type == ACL_LINK) {
c9b66675 634 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 635 l2cap_send_disconn_req(conn, chan, reason);
636 } else
637 l2cap_chan_del(chan, reason);
638 break;
639
640 case BT_CONNECT2:
715ec005 641 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 642 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 643 struct l2cap_conn_rsp rsp;
644 __u16 result;
645
c5daa683 646 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 647 result = L2CAP_CR_SEC_BLOCK;
648 else
649 result = L2CAP_CR_BAD_PSM;
89bc500e 650 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 651
652 rsp.scid = cpu_to_le16(chan->dcid);
653 rsp.dcid = cpu_to_le16(chan->scid);
654 rsp.result = cpu_to_le16(result);
ac73498c 655 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 656 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 657 sizeof(rsp), &rsp);
4519de9a
GP		 658 }
659
660 l2cap_chan_del(chan, reason);
661 break;
662
663 case BT_CONNECT:
664 case BT_DISCONN:
665 l2cap_chan_del(chan, reason);
666 break;
667
668 default:
b699ec0d 669 chan->ops->teardown(chan, 0);
4519de9a
GP		 670 break;
671 }
672}
673
4343478f 674static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 675{
715ec005 676 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 677 switch (chan->sec_level) {
8556edd3
JH		 678 case BT_SECURITY_HIGH:
679 return HCI_AT_DEDICATED_BONDING_MITM;
680 case BT_SECURITY_MEDIUM:
681 return HCI_AT_DEDICATED_BONDING;
682 default:
683 return HCI_AT_NO_BONDING;
684 }
2983fd68 685 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 686 if (chan->sec_level == BT_SECURITY_LOW)
687 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 688
4343478f 689 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 690 return HCI_AT_NO_BONDING_MITM;
00ae4af9 691 else
8556edd3 692 return HCI_AT_NO_BONDING;
00ae4af9 693 } else {
4343478f 694 switch (chan->sec_level) {
00ae4af9 695 case BT_SECURITY_HIGH:
8556edd3 696 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 697 case BT_SECURITY_MEDIUM:
8556edd3 698 return HCI_AT_GENERAL_BONDING;
00ae4af9 699 default:
8556edd3 700 return HCI_AT_NO_BONDING;
00ae4af9 701 }
0684e5f9 702 }
8556edd3
JH		 703}
704
705/* Service level security */
d45fc423 706int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 707{
8c1d787b 708 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 709 __u8 auth_type;
710
4343478f 711 auth_type = l2cap_get_auth_type(chan);
79d554a6 712
4343478f 713 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 714}
715
b5ad8b7f 716static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 717{
718 u8 id;
719
720 /* Get next available identificator.
721 * 1 - 128 are used by kernel.
722 * 129 - 199 are reserved.
723 * 200 - 254 are used by utilities like l2ping, etc.
724 */
725
333055f2 726 spin_lock(&conn->lock);
4e8402a3
MH		 727
728 if (++conn->tx_ident > 128)
729 conn->tx_ident = 1;
730
731 id = conn->tx_ident;
732
333055f2 733 spin_unlock(&conn->lock);
4e8402a3
MH		 734
735 return id;
736}
737
2d792818
GP		 738static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
739 void *data)
4e8402a3
MH		 740{
741 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 742 u8 flags;
4e8402a3
MH		 743
744 BT_DBG("code 0x%2.2x", code);
745
746 if (!skb)
9a9c6a34 747 return;
4e8402a3 748
e702112f
AE		 749 if (lmp_no_flush_capable(conn->hcon->hdev))
750 flags = ACL_START_NO_FLUSH;
751 else
752 flags = ACL_START;
753
14b12d0b 754 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 755 skb->priority = HCI_PRIO_MAX;
14b12d0b 756
73d80deb
LAD		 757 hci_send_acl(conn->hchan, skb, flags);
758}
759
02b0fbb9
MM		 760static bool __chan_is_moving(struct l2cap_chan *chan)
761{
762 return chan->move_state != L2CAP_MOVE_STABLE &&
763 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
764}
765
73d80deb
LAD		 766static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
767{
768 struct hci_conn *hcon = chan->conn->hcon;
769 u16 flags;
770
771 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 772 skb->priority);
73d80deb 773
d5f8a75d
MM		 774 if (chan->hs_hcon && !__chan_is_moving(chan)) {
775 if (chan->hs_hchan)
776 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
777 else
778 kfree_skb(skb);
779
780 return;
781 }
782
73d80deb 783 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 784 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 785 flags = ACL_START_NO_FLUSH;
786 else
787 flags = ACL_START;
14b12d0b 788
73d80deb
LAD		 789 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
790 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 791}
792
b76bbd66
MM		 793static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
794{
795 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
796 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
797
798 if (enh & L2CAP_CTRL_FRAME_TYPE) {
799 /* S-Frame */
800 control->sframe = 1;
801 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
802 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
803
804 control->sar = 0;
805 control->txseq = 0;
806 } else {
807 /* I-Frame */
808 control->sframe = 0;
809 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
810 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
811
812 control->poll = 0;
813 control->super = 0;
814 }
815}
816
b76bbd66
MM		 817static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
818{
819 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
820 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
821
822 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
823 /* S-Frame */
824 control->sframe = 1;
825 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
826 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
827
828 control->sar = 0;
829 control->txseq = 0;
830 } else {
831 /* I-Frame */
832 control->sframe = 0;
833 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
834 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
835
836 control->poll = 0;
837 control->super = 0;
838 }
839}
840
841static inline void __unpack_control(struct l2cap_chan *chan,
842 struct sk_buff *skb)
843{
844 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
845 __unpack_extended_control(get_unaligned_le32(skb->data),
846 &bt_cb(skb)->control);
cec8ab6e 847 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 848 } else {
849 __unpack_enhanced_control(get_unaligned_le16(skb->data),
850 &bt_cb(skb)->control);
cec8ab6e 851 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 852 }
853}
854
b5c6aaed
MM		 855static u32 __pack_extended_control(struct l2cap_ctrl *control)
856{
857 u32 packed;
858
859 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
860 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
861
862 if (control->sframe) {
863 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
864 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
865 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
866 } else {
867 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
868 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
869 }
870
871 return packed;
872}
873
874static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
875{
876 u16 packed;
877
878 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
879 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
880
881 if (control->sframe) {
882 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
883 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
884 packed |= L2CAP_CTRL_FRAME_TYPE;
885 } else {
886 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
887 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
888 }
889
890 return packed;
891}
892
b76bbd66
MM		 893static inline void __pack_control(struct l2cap_chan *chan,
894 struct l2cap_ctrl *control,
895 struct sk_buff *skb)
896{
897 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
898 put_unaligned_le32(__pack_extended_control(control),
899 skb->data + L2CAP_HDR_SIZE);
900 } else {
901 put_unaligned_le16(__pack_enhanced_control(control),
902 skb->data + L2CAP_HDR_SIZE);
903 }
904}
905
ba7aa64f
GP		 906static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
907{
908 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
909 return L2CAP_EXT_HDR_SIZE;
910 else
911 return L2CAP_ENH_HDR_SIZE;
912}
913
a67d7f6f
MM		 914static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
915 u32 control)
b5c6aaed
MM		 916{
917 struct sk_buff *skb;
918 struct l2cap_hdr *lh;
ba7aa64f 919 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 920
921 if (chan->fcs == L2CAP_FCS_CRC16)
922 hlen += L2CAP_FCS_SIZE;
923
a67d7f6f 924 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 925
b5c6aaed 926 if (!skb)
a67d7f6f 927 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 928
929 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
930 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
931 lh->cid = cpu_to_le16(chan->dcid);
932
a67d7f6f
MM		 933 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
934 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
935 else
936 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 937
938 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 939 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 940 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
941 }
942
943 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 944 return skb;
945}
946
947static void l2cap_send_sframe(struct l2cap_chan *chan,
948 struct l2cap_ctrl *control)
949{
950 struct sk_buff *skb;
951 u32 control_field;
952
953 BT_DBG("chan %p, control %p", chan, control);
954
955 if (!control->sframe)
956 return;
957
b99e13ad
MM		 958 if (__chan_is_moving(chan))
959 return;
960
a67d7f6f
MM		 961 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
962 !control->poll)
963 control->final = 1;
964
965 if (control->super == L2CAP_SUPER_RR)
966 clear_bit(CONN_RNR_SENT, &chan->conn_state);
967 else if (control->super == L2CAP_SUPER_RNR)
968 set_bit(CONN_RNR_SENT, &chan->conn_state);
969
970 if (control->super != L2CAP_SUPER_SREJ) {
971 chan->last_acked_seq = control->reqseq;
972 __clear_ack_timer(chan);
973 }
974
975 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
976 control->final, control->poll, control->super);
977
978 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
979 control_field = __pack_extended_control(control);
980 else
981 control_field = __pack_enhanced_control(control);
982
983 skb = l2cap_create_sframe_pdu(chan, control_field);
984 if (!IS_ERR(skb))
985 l2cap_do_send(chan, skb);
b5c6aaed
MM		 986}
987
c9e3d5e0 988static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 989{
c9e3d5e0
MM		 990 struct l2cap_ctrl control;
991
992 BT_DBG("chan %p, poll %d", chan, poll);
993
994 memset(&control, 0, sizeof(control));
995 control.sframe = 1;
996 control.poll = poll;
997
998 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
999 control.super = L2CAP_SUPER_RNR;
1000 else
1001 control.super = L2CAP_SUPER_RR;
b5c6aaed 1002
c9e3d5e0
MM		 1003 control.reqseq = chan->buffer_seq;
1004 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1005}
1006
b4450035 1007static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1008{
c1360a1c 1009 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1010}
1011
93c3e8f5
AE		 1012static bool __amp_capable(struct l2cap_chan *chan)
1013{
1014 struct l2cap_conn *conn = chan->conn;
1015
1016 if (enable_hs &&
1017 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1018 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1019 return true;
1020 else
1021 return false;
1022}
1023
5ce66b59
AE		 1024static bool l2cap_check_efs(struct l2cap_chan *chan)
1025{
1026 /* Check EFS parameters */
1027 return true;
1028}
1029
2766be48 1030void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1031{
1032 struct l2cap_conn *conn = chan->conn;
1033 struct l2cap_conn_req req;
1034
1035 req.scid = cpu_to_le16(chan->scid);
1036 req.psm = chan->psm;
1037
1038 chan->ident = l2cap_get_ident(conn);
1039
1040 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1041
1042 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1043}
1044
8eb200bd
MM		 1045static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1046{
1047 struct l2cap_create_chan_req req;
1048 req.scid = cpu_to_le16(chan->scid);
1049 req.psm = chan->psm;
1050 req.amp_id = amp_id;
1051
1052 chan->ident = l2cap_get_ident(chan->conn);
1053
1054 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1055 sizeof(req), &req);
1056}
1057
02b0fbb9
MM		 1058static void l2cap_move_setup(struct l2cap_chan *chan)
1059{
1060 struct sk_buff *skb;
1061
1062 BT_DBG("chan %p", chan);
1063
1064 if (chan->mode != L2CAP_MODE_ERTM)
1065 return;
1066
1067 __clear_retrans_timer(chan);
1068 __clear_monitor_timer(chan);
1069 __clear_ack_timer(chan);
1070
1071 chan->retry_count = 0;
1072 skb_queue_walk(&chan->tx_q, skb) {
1073 if (bt_cb(skb)->control.retries)
1074 bt_cb(skb)->control.retries = 1;
1075 else
1076 break;
1077 }
1078
1079 chan->expected_tx_seq = chan->buffer_seq;
1080
1081 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1082 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1083 l2cap_seq_list_clear(&chan->retrans_list);
1084 l2cap_seq_list_clear(&chan->srej_list);
1085 skb_queue_purge(&chan->srej_q);
1086
1087 chan->tx_state = L2CAP_TX_STATE_XMIT;
1088 chan->rx_state = L2CAP_RX_STATE_MOVE;
1089
1090 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1091}
1092
5f3847a4
MM		 1093static void l2cap_move_done(struct l2cap_chan *chan)
1094{
1095 u8 move_role = chan->move_role;
1096 BT_DBG("chan %p", chan);
1097
1098 chan->move_state = L2CAP_MOVE_STABLE;
1099 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1100
1101 if (chan->mode != L2CAP_MODE_ERTM)
1102 return;
1103
1104 switch (move_role) {
1105 case L2CAP_MOVE_ROLE_INITIATOR:
1106 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1107 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1108 break;
1109 case L2CAP_MOVE_ROLE_RESPONDER:
1110 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1111 break;
1112 }
1113}
1114
9f0caeb1
VCG		 1115static void l2cap_chan_ready(struct l2cap_chan *chan)
1116{
2827011f 1117 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1118 chan->conf_state = 0;
1119 __clear_chan_timer(chan);
1120
54a59aa2 1121 chan->state = BT_CONNECTED;
9f0caeb1 1122
fd83e2c2 1123 chan->ops->ready(chan);
9f0caeb1
VCG		 1124}
1125
93c3e8f5
AE		 1126static void l2cap_start_connection(struct l2cap_chan *chan)
1127{
1128 if (__amp_capable(chan)) {
1129 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1130 a2mp_discover_amp(chan);
1131 } else {
1132 l2cap_send_conn_req(chan);
1133 }
1134}
1135
fc7f8a7e 1136static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1137{
8c1d787b 1138 struct l2cap_conn *conn = chan->conn;
79d554a6 1139
9f0caeb1
VCG		 1140 if (conn->hcon->type == LE_LINK) {
1141 l2cap_chan_ready(chan);
1142 return;
1143 }
1144
79d554a6 1145 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1146 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1147 return;
1148
d45fc423 1149 if (l2cap_chan_check_security(chan) &&
2d792818 1150 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1151 l2cap_start_connection(chan);
1152 }
79d554a6
MH		 1153 } else {
1154 struct l2cap_info_req req;
ac73498c 1155 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1156
1157 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1158 conn->info_ident = l2cap_get_ident(conn);
1159
ba13ccd9 1160 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1161
2d792818
GP		 1162 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1163 sizeof(req), &req);
79d554a6
MH		 1164 }
1165}
1166
cf6c2c0b
GP		 1167static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1168{
1169 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1170 if (!disable_ertm)
cf6c2c0b
GP		 1171 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1172
1173 switch (mode) {
1174 case L2CAP_MODE_ERTM:
1175 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1176 case L2CAP_MODE_STREAMING:
1177 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1178 default:
1179 return 0x00;
1180 }
1181}
1182
2d792818
GP		 1183static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1184 struct l2cap_chan *chan, int err)
22121fc9 1185{
6be36555 1186 struct sock *sk = chan->sk;
22121fc9
GP		 1187 struct l2cap_disconn_req req;
1188
c13ffa62
GP		 1189 if (!conn)
1190 return;
1191
aad3d0e3 1192 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1193 __clear_retrans_timer(chan);
1194 __clear_monitor_timer(chan);
1195 __clear_ack_timer(chan);
c13ffa62
GP		 1196 }
1197
416fa752 1198 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1199 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1200 return;
1201 }
1202
fe4128e0
GP		 1203 req.dcid = cpu_to_le16(chan->dcid);
1204 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1205 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1206 sizeof(req), &req);
c13ffa62 1207
6be36555 1208 lock_sock(sk);
0e587be7 1209 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1210 __l2cap_chan_set_err(chan, err);
6be36555 1211 release_sock(sk);
22121fc9
GP		 1212}
1213
1da177e4 1214/* ---- L2CAP connections ---- */
4e8402a3
MH		 1215static void l2cap_conn_start(struct l2cap_conn *conn)
1216{
3df91ea2 1217 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1218
1219 BT_DBG("conn %p", conn);
1220
3df91ea2 1221 mutex_lock(&conn->chan_lock);
4e8402a3 1222
3df91ea2 1223 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1224 struct sock *sk = chan->sk;
baa7e1fa 1225
6be36555 1226 l2cap_chan_lock(chan);
4e8402a3 1227
715ec005 1228 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1229 l2cap_chan_unlock(chan);
79d554a6
MH		 1230 continue;
1231 }
1232
89bc500e 1233 if (chan->state == BT_CONNECT) {
d45fc423 1234 if (!l2cap_chan_check_security(chan) ||
2d792818 1235 !__l2cap_no_conn_pending(chan)) {
6be36555 1236 l2cap_chan_unlock(chan);
47731de7
GP		 1237 continue;
1238 }
79d554a6 1239
c1360a1c 1240 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1241 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1242 &chan->conf_state)) {
89bc500e 1243 l2cap_chan_close(chan, ECONNRESET);
6be36555 1244 l2cap_chan_unlock(chan);
47731de7 1245 continue;
b1235d79 1246 }
47731de7 1247
93c3e8f5 1248 l2cap_start_connection(chan);
47731de7 1249
89bc500e 1250 } else if (chan->state == BT_CONNECT2) {
79d554a6 1251 struct l2cap_conn_rsp rsp;
e9aeb2dd 1252 char buf[128];
fe4128e0
GP		 1253 rsp.scid = cpu_to_le16(chan->dcid);
1254 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1255
d45fc423 1256 if (l2cap_chan_check_security(chan)) {
6be36555 1257 lock_sock(sk);
c5daa683
GP		 1258 if (test_bit(BT_SK_DEFER_SETUP,
1259 &bt_sk(sk)->flags)) {
ac73498c
AE		 1260 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1261 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1262 chan->ops->defer(chan);
f66dc81f
MH		 1263
1264 } else {
0e587be7 1265 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1266 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1267 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1268 }
6be36555 1269 release_sock(sk);
79d554a6 1270 } else {
ac73498c
AE		 1271 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1272 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1273 }
1274
fc7f8a7e 1275 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1276 sizeof(rsp), &rsp);
e9aeb2dd 1277
c1360a1c 1278 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1279 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1280 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1281 continue;
1282 }
1283
c1360a1c 1284 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1285 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1286 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1287 chan->num_conf_req++;
4e8402a3
MH		 1288 }
1289
6be36555 1290 l2cap_chan_unlock(chan);
4e8402a3
MH		 1291 }
1292
3df91ea2 1293 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1294}
1295
c2287681 1296/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1297 * Returns closest match, locked.
1298 */
d9b88702 1299static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1300 bdaddr_t *src,
1301 bdaddr_t *dst)
b62f328b 1302{
23691d75 1303 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1304
23691d75 1305 read_lock(&chan_list_lock);
b62f328b 1306
23691d75
GP		 1307 list_for_each_entry(c, &chan_list, global_l) {
1308 struct sock *sk = c->sk;
fe4128e0 1309
89bc500e 1310 if (state && c->state != state)
b62f328b
VT		 1311 continue;
1312
23691d75 1313 if (c->scid == cid) {
c2287681
IY		 1314 int src_match, dst_match;
1315 int src_any, dst_any;
1316
b62f328b 1317 /* Exact match. */
c2287681
IY		 1318 src_match = !bacmp(&bt_sk(sk)->src, src);
1319 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1320 if (src_match && dst_match) {
23691d75
GP		 1321 read_unlock(&chan_list_lock);
1322 return c;
1323 }
b62f328b
VT		 1324
1325 /* Closest match */
c2287681
IY		 1326 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1327 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1328 if ((src_match && dst_any) || (src_any && dst_match) ||
1329 (src_any && dst_any))
23691d75 1330 c1 = c;
b62f328b
VT		 1331 }
1332 }
280f294f 1333
23691d75 1334 read_unlock(&chan_list_lock);
b62f328b 1335
23691d75 1336 return c1;
b62f328b
VT		 1337}
1338
1339static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1340{
c916fbe4 1341 struct sock *parent, *sk;
23691d75 1342 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1343
1344 BT_DBG("");
1345
1346 /* Check if we have socket listening on cid */
23691d75 1347 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1348 conn->src, conn->dst);
23691d75 1349 if (!pchan)
b62f328b
VT		 1350 return;
1351
23691d75
GP		 1352 parent = pchan->sk;
1353
aa2ac881 1354 lock_sock(parent);
62f3a2cf 1355
80b98027 1356 chan = pchan->ops->new_connection(pchan);
80808e43 1357 if (!chan)
b62f328b
VT		 1358 goto clean;
1359
80808e43 1360 sk = chan->sk;
5d41ce1d 1361
b62f328b 1362 hci_conn_hold(conn->hcon);
a9ea3ed9 1363 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1364
b62f328b
VT		 1365 bacpy(&bt_sk(sk)->src, conn->src);
1366 bacpy(&bt_sk(sk)->dst, conn->dst);
1367
3d57dc68 1368 l2cap_chan_add(conn, chan);
48454079 1369
6754e0df 1370 l2cap_chan_ready(chan);
b62f328b 1371
b62f328b 1372clean:
aa2ac881 1373 release_sock(parent);
b62f328b
VT		 1374}
1375
4e8402a3
MH		 1376static void l2cap_conn_ready(struct l2cap_conn *conn)
1377{
48454079 1378 struct l2cap_chan *chan;
cc110922 1379 struct hci_conn *hcon = conn->hcon;
4e8402a3 1380
79d554a6 1381 BT_DBG("conn %p", conn);
4e8402a3 1382
cc110922 1383 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1384 l2cap_le_conn_ready(conn);
1385
cc110922
VCG		 1386 if (hcon->out && hcon->type == LE_LINK)
1387 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1388
3df91ea2 1389 mutex_lock(&conn->chan_lock);
4e8402a3 1390
3df91ea2 1391 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1392
6be36555 1393 l2cap_chan_lock(chan);
4e8402a3 1394
416fa752
AE		 1395 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1396 l2cap_chan_unlock(chan);
1397 continue;
1398 }
1399
cc110922
VCG		 1400 if (hcon->type == LE_LINK) {
1401 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1402 l2cap_chan_ready(chan);
acd7d370 1403
63128451 1404 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1405 struct sock *sk = chan->sk;
c9b66675 1406 __clear_chan_timer(chan);
6be36555 1407 lock_sock(sk);
0e587be7 1408 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1409 sk->sk_state_change(sk);
6be36555 1410 release_sock(sk);
b501d6a1 1411
89bc500e 1412 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1413 l2cap_do_start(chan);
4e8402a3 1414
6be36555 1415 l2cap_chan_unlock(chan);
4e8402a3 1416 }
79d554a6 1417
3df91ea2 1418 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1419}
1420
1421/* Notify sockets that we cannot guaranty reliability anymore */
1422static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1423{
48454079 1424 struct l2cap_chan *chan;
4e8402a3
MH		 1425
1426 BT_DBG("conn %p", conn);
1427
3df91ea2 1428 mutex_lock(&conn->chan_lock);
4e8402a3 1429
3df91ea2 1430 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1431 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1432 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1433 }
1434
3df91ea2 1435 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1436}
1437
f878fcad 1438static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1439{
f878fcad 1440 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1441 info_timer.work);
4e8402a3 1442
984947dc 1443 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1444 conn->info_ident = 0;
984947dc 1445
4e8402a3
MH		 1446 l2cap_conn_start(conn);
1447}
1448
5d3de7df
VCG		 1449static void l2cap_conn_del(struct hci_conn *hcon, int err)
1450{
1451 struct l2cap_conn *conn = hcon->l2cap_data;
1452 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1453
1454 if (!conn)
1455 return;
1456
1457 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1458
1459 kfree_skb(conn->rx_skb);
1460
3df91ea2
AE		 1461 mutex_lock(&conn->chan_lock);
1462
5d3de7df
VCG		 1463 /* Kill channels */
1464 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1465 l2cap_chan_hold(chan);
6be36555
AE		 1466 l2cap_chan_lock(chan);
1467
5d3de7df 1468 l2cap_chan_del(chan, err);
6be36555
AE		 1469
1470 l2cap_chan_unlock(chan);
1471
80b98027 1472 chan->ops->close(chan);
61d6ef3e 1473 l2cap_chan_put(chan);
5d3de7df
VCG		 1474 }
1475
3df91ea2
AE		 1476 mutex_unlock(&conn->chan_lock);
1477
73d80deb
LAD		 1478 hci_chan_del(conn->hchan);
1479
5d3de7df 1480 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1481 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1482
51a8efd7 1483 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1484 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1485 smp_chan_destroy(conn);
d26a2345 1486 }
5d3de7df
VCG		 1487
1488 hcon->l2cap_data = NULL;
1489 kfree(conn);
1490}
1491
6c9d42a1 1492static void security_timeout(struct work_struct *work)
5d3de7df 1493{
6c9d42a1 1494 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1495 security_timer.work);
5d3de7df 1496
d06cc416
JH		 1497 BT_DBG("conn %p", conn);
1498
1499 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1500 smp_chan_destroy(conn);
1501 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1502 }
5d3de7df
VCG		 1503}
1504
1da177e4
LT		 1505static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1506{
0139418c 1507 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1508 struct hci_chan *hchan;
1da177e4 1509
0139418c 1510 if (conn || status)
1da177e4
LT		 1511 return conn;
1512
73d80deb
LAD		 1513 hchan = hci_chan_create(hcon);
1514 if (!hchan)
1515 return NULL;
1516
8bcde1f2 1517 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1518 if (!conn) {
1519 hci_chan_del(hchan);
1da177e4 1520 return NULL;
73d80deb 1521 }
1da177e4
LT		 1522
1523 hcon->l2cap_data = conn;
1524 conn->hcon = hcon;
73d80deb 1525 conn->hchan = hchan;
1da177e4 1526
73d80deb 1527 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1528
dcc042d5
AE		 1529 switch (hcon->type) {
1530 case AMP_LINK:
1531 conn->mtu = hcon->hdev->block_mtu;
1532 break;
1533
1534 case LE_LINK:
1535 if (hcon->hdev->le_mtu) {
1536 conn->mtu = hcon->hdev->le_mtu;
1537 break;
1538 }
1539 /* fall through */
1540
1541 default:
acd7d370 1542 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1543 break;
1544 }
acd7d370 1545
1da177e4
LT		 1546 conn->src = &hcon->hdev->bdaddr;
1547 conn->dst = &hcon->dst;
1548
4e8402a3
MH		 1549 conn->feat_mask = 0;
1550
1da177e4 1551 spin_lock_init(&conn->lock);
3df91ea2 1552 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1553
1554 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1555
5d3de7df 1556 if (hcon->type == LE_LINK)
6c9d42a1 1557 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1558 else
030013d8 1559 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1560
9f5a0d7b 1561 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1562
1da177e4
LT		 1563 return conn;
1564}
1565
1da177e4 1566/* ---- Socket interface ---- */
1da177e4 1567
c2287681 1568/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1569 * Returns closest match.
1570 */
c2287681
IY		 1571static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1572 bdaddr_t *src,
1573 bdaddr_t *dst)
1da177e4 1574{
23691d75 1575 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1576
23691d75 1577 read_lock(&chan_list_lock);
e0f0cb56 1578
23691d75
GP		 1579 list_for_each_entry(c, &chan_list, global_l) {
1580 struct sock *sk = c->sk;
fe4128e0 1581
89bc500e 1582 if (state && c->state != state)
1da177e4
LT		 1583 continue;
1584
23691d75 1585 if (c->psm == psm) {
c2287681
IY		 1586 int src_match, dst_match;
1587 int src_any, dst_any;
1588
1da177e4 1589 /* Exact match. */
c2287681
IY		 1590 src_match = !bacmp(&bt_sk(sk)->src, src);
1591 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1592 if (src_match && dst_match) {
a7567b20 1593 read_unlock(&chan_list_lock);
23691d75
GP		 1594 return c;
1595 }
1da177e4
LT		 1596
1597 /* Closest match */
c2287681
IY		 1598 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1599 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1600 if ((src_match && dst_any) || (src_any && dst_match) ||
1601 (src_any && dst_any))
23691d75 1602 c1 = c;
1da177e4
LT		 1603 }
1604 }
1da177e4 1605
23691d75 1606 read_unlock(&chan_list_lock);
e0f0cb56 1607
23691d75 1608 return c1;
1da177e4
LT		 1609}
1610
8e9f9892
AG		 1611int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1612 bdaddr_t *dst, u8 dst_type)
1da177e4 1613{
5d41ce1d 1614 struct sock *sk = chan->sk;
1da177e4 1615 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1616 struct l2cap_conn *conn;
1617 struct hci_conn *hcon;
1618 struct hci_dev *hdev;
09ab6f4c 1619 __u8 auth_type;
44d0e48e 1620 int err;
1da177e4 1621
6ed93dc6 1622 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1623 dst_type, __le16_to_cpu(psm));
1da177e4 1624
af05b30b
GP		 1625 hdev = hci_get_route(dst, src);
1626 if (!hdev)
1da177e4
LT		 1627 return -EHOSTUNREACH;
1628
09fd0de5 1629 hci_dev_lock(hdev);
1da177e4 1630
6be36555 1631 l2cap_chan_lock(chan);
03a00194
GP		 1632
1633 /* PSM must be odd and lsb of upper byte must be 0 */
1634 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1635 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1636 err = -EINVAL;
1637 goto done;
1638 }
1639
1640 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1641 err = -EINVAL;
1642 goto done;
1643 }
1644
1645 switch (chan->mode) {
1646 case L2CAP_MODE_BASIC:
1647 break;
1648 case L2CAP_MODE_ERTM:
1649 case L2CAP_MODE_STREAMING:
1650 if (!disable_ertm)
1651 break;
1652 /* fall through */
1653 default:
1654 err = -ENOTSUPP;
1655 goto done;
1656 }
1657
0797e01d 1658 switch (chan->state) {
03a00194
GP		 1659 case BT_CONNECT:
1660 case BT_CONNECT2:
1661 case BT_CONFIG:
1662 /* Already connecting */
1663 err = 0;
1664 goto done;
1665
1666 case BT_CONNECTED:
1667 /* Already connected */
1668 err = -EISCONN;
1669 goto done;
1670
1671 case BT_OPEN:
1672 case BT_BOUND:
1673 /* Can connect */
1674 break;
1675
1676 default:
1677 err = -EBADFD;
1678 goto done;
1679 }
1680
1681 /* Set destination address and psm */
0797e01d 1682 lock_sock(sk);
9219b2a0 1683 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1684 release_sock(sk);
1685
03a00194
GP		 1686 chan->psm = psm;
1687 chan->dcid = cid;
1da177e4 1688
4343478f 1689 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1690
fe4128e0 1691 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1692 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1693 chan->sec_level, auth_type);
acd7d370 1694 else
8e9f9892 1695 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1696 chan->sec_level, auth_type);
acd7d370 1697
30e76272
VT		 1698 if (IS_ERR(hcon)) {
1699 err = PTR_ERR(hcon);
1da177e4 1700 goto done;
30e76272 1701 }
1da177e4
LT		 1702
1703 conn = l2cap_conn_add(hcon, 0);
1704 if (!conn) {
1705 hci_conn_put(hcon);
30e76272 1706 err = -ENOMEM;
1da177e4
LT		 1707 goto done;
1708 }
1709
9f0caeb1
VCG		 1710 if (hcon->type == LE_LINK) {
1711 err = 0;
1712
1713 if (!list_empty(&conn->chan_l)) {
1714 err = -EBUSY;
1715 hci_conn_put(hcon);
1716 }
1717
1718 if (err)
1719 goto done;
1720 }
1721
1da177e4
LT		 1722 /* Update source addr of the socket */
1723 bacpy(src, conn->src);
1724
6be36555 1725 l2cap_chan_unlock(chan);
48454079 1726 l2cap_chan_add(conn, chan);
6be36555 1727 l2cap_chan_lock(chan);
48454079 1728
6be36555 1729 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1730 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1731
1732 if (hcon->state == BT_CONNECTED) {
715ec005 1733 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1734 __clear_chan_timer(chan);
d45fc423 1735 if (l2cap_chan_check_security(chan))
6be36555 1736 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1737 } else
fc7f8a7e 1738 l2cap_do_start(chan);
1da177e4
LT		 1739 }
1740
30e76272
VT		 1741 err = 0;
1742
1da177e4 1743done:
6be36555 1744 l2cap_chan_unlock(chan);
09fd0de5 1745 hci_dev_unlock(hdev);
1da177e4
LT		 1746 hci_dev_put(hdev);
1747 return err;
1748}
1749
dcba0dba 1750int __l2cap_wait_ack(struct sock *sk)
6161c038 1751{
8c1d787b 1752 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1753 DECLARE_WAITQUEUE(wait, current);
1754 int err = 0;
1755 int timeo = HZ/5;
1756
2b0b05dd 1757 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1758 set_current_state(TASK_INTERRUPTIBLE);
1759 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1760 if (!timeo)
1761 timeo = HZ/5;
1762
1763 if (signal_pending(current)) {
1764 err = sock_intr_errno(timeo);
1765 break;
1766 }
1767
1768 release_sock(sk);
1769 timeo = schedule_timeout(timeo);
1770 lock_sock(sk);
a71a0cf4 1771 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1772
1773 err = sock_error(sk);
1774 if (err)
1775 break;
1776 }
1777 set_current_state(TASK_RUNNING);
2b0b05dd 1778 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1779 return err;
1780}
1781
721c4181 1782static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1783{
721c4181 1784 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1785 monitor_timer.work);
e90bac06 1786
525cd185 1787 BT_DBG("chan %p", chan);
0e98958d 1788
6be36555
AE		 1789 l2cap_chan_lock(chan);
1790
80909e04 1791 if (!chan->conn) {
6be36555 1792 l2cap_chan_unlock(chan);
8d7e1c7f 1793 l2cap_chan_put(chan);
e90bac06
GP		 1794 return;
1795 }
1796
401bb1f7 1797 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1798
6be36555 1799 l2cap_chan_unlock(chan);
8d7e1c7f 1800 l2cap_chan_put(chan);
e90bac06
GP		 1801}
1802
721c4181 1803static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1804{
721c4181 1805 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1806 retrans_timer.work);
e90bac06 1807
49208c9c 1808 BT_DBG("chan %p", chan);
0e98958d 1809
6be36555
AE		 1810 l2cap_chan_lock(chan);
1811
80909e04
MM		 1812 if (!chan->conn) {
1813 l2cap_chan_unlock(chan);
1814 l2cap_chan_put(chan);
1815 return;
1816 }
6be36555 1817
401bb1f7 1818 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1819 l2cap_chan_unlock(chan);
8d7e1c7f 1820 l2cap_chan_put(chan);
e90bac06
GP		 1821}
1822
d660366d
GP		 1823static void l2cap_streaming_send(struct l2cap_chan *chan,
1824 struct sk_buff_head *skbs)
6840ed07 1825{
ccbb84af 1826 struct sk_buff *skb;
3733937d 1827 struct l2cap_ctrl *control;
6840ed07 1828
3733937d
MM		 1829 BT_DBG("chan %p, skbs %p", chan, skbs);
1830
b99e13ad
MM		 1831 if (__chan_is_moving(chan))
1832 return;
1833
3733937d
MM		 1834 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1835
1836 while (!skb_queue_empty(&chan->tx_q)) {
1837
1838 skb = skb_dequeue(&chan->tx_q);
1839
1840 bt_cb(skb)->control.retries = 1;
1841 control = &bt_cb(skb)->control;
1842
1843 control->reqseq = 0;
1844 control->txseq = chan->next_tx_seq;
1845
1846 __pack_control(chan, control, skb);
6840ed07 1847
47d1ec61 1848 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1849 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1850 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1851 }
1852
4343478f 1853 l2cap_do_send(chan, skb);
6840ed07 1854
b4400672 1855 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1856
836be934 1857 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1858 chan->frames_sent++;
6840ed07 1859 }
6840ed07
GP		 1860}
1861
67c9e840 1862static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1863{
1864 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1865 struct l2cap_ctrl *control;
1866 int sent = 0;
1867
1868 BT_DBG("chan %p", chan);
1c2acffb 1869
89bc500e 1870 if (chan->state != BT_CONNECTED)
c13ffa62 1871 return -ENOTCONN;
e90bac06 1872
94122bbe
MM		 1873 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1874 return 0;
1875
b99e13ad
MM		 1876 if (__chan_is_moving(chan))
1877 return 0;
1878
18a48e76
MM		 1879 while (chan->tx_send_head &&
1880 chan->unacked_frames < chan->remote_tx_win &&
1881 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1882
18a48e76 1883 skb = chan->tx_send_head;
e90bac06 1884
18a48e76
MM		 1885 bt_cb(skb)->control.retries = 1;
1886 control = &bt_cb(skb)->control;
95ffa978 1887
e2ab4353 1888 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1889 control->final = 1;
e2ab4353 1890
18a48e76
MM		 1891 control->reqseq = chan->buffer_seq;
1892 chan->last_acked_seq = chan->buffer_seq;
1893 control->txseq = chan->next_tx_seq;
1c2acffb 1894
18a48e76 1895 __pack_control(chan, control, skb);
e90bac06 1896
47d1ec61 1897 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1898 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1899 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1900 }
1901
18a48e76
MM		 1902 /* Clone after data has been modified. Data is assumed to be
1903 read-only (for locking purposes) on cloned sk_buffs.
1904 */
1905 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1906
18a48e76
MM		 1907 if (!tx_skb)
1908 break;
1c2acffb 1909
18a48e76 1910 __set_retrans_timer(chan);
836be934
AE		 1911
1912 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1913 chan->unacked_frames++;
6a026610 1914 chan->frames_sent++;
18a48e76 1915 sent++;
1c2acffb 1916
58d35f87
GP		 1917 if (skb_queue_is_last(&chan->tx_q, skb))
1918 chan->tx_send_head = NULL;
1c2acffb 1919 else
58d35f87 1920 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1921
1922 l2cap_do_send(chan, tx_skb);
b4400672 1923 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1924 }
1925
b4400672
AE		 1926 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1927 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1928
1929 return sent;
9e917af1
GP		 1930}
1931
e1fbd4c1
MM		 1932static void l2cap_ertm_resend(struct l2cap_chan *chan)
1933{
1934 struct l2cap_ctrl control;
1935 struct sk_buff *skb;
1936 struct sk_buff *tx_skb;
1937 u16 seq;
1938
1939 BT_DBG("chan %p", chan);
1940
1941 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1942 return;
1943
b99e13ad
MM		 1944 if (__chan_is_moving(chan))
1945 return;
1946
e1fbd4c1
MM		 1947 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1948 seq = l2cap_seq_list_pop(&chan->retrans_list);
1949
1950 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1951 if (!skb) {
1952 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1953 seq);
e1fbd4c1
MM		 1954 continue;
1955 }
1956
1957 bt_cb(skb)->control.retries++;
1958 control = bt_cb(skb)->control;
1959
1960 if (chan->max_tx != 0 &&
1961 bt_cb(skb)->control.retries > chan->max_tx) {
1962 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1963 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1964 l2cap_seq_list_clear(&chan->retrans_list);
1965 break;
1966 }
1967
1968 control.reqseq = chan->buffer_seq;
1969 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1970 control.final = 1;
1971 else
1972 control.final = 0;
1973
1974 if (skb_cloned(skb)) {
1975 /* Cloned sk_buffs are read-only, so we need a
1976 * writeable copy
1977 */
8bcde1f2 1978 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1979 } else {
8bcde1f2 1980 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1981 }
1982
1983 if (!tx_skb) {
1984 l2cap_seq_list_clear(&chan->retrans_list);
1985 break;
1986 }
1987
1988 /* Update skb contents */
1989 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1990 put_unaligned_le32(__pack_extended_control(&control),
1991 tx_skb->data + L2CAP_HDR_SIZE);
1992 } else {
1993 put_unaligned_le16(__pack_enhanced_control(&control),
1994 tx_skb->data + L2CAP_HDR_SIZE);
1995 }
1996
1997 if (chan->fcs == L2CAP_FCS_CRC16) {
1998 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1999 put_unaligned_le16(fcs, skb_put(tx_skb,
2000 L2CAP_FCS_SIZE));
2001 }
2002
2003 l2cap_do_send(chan, tx_skb);
2004
2005 BT_DBG("Resent txseq %d", control.txseq);
2006
2007 chan->last_acked_seq = chan->buffer_seq;
2008 }
2009}
2010
f80842a8
MM		 2011static void l2cap_retransmit(struct l2cap_chan *chan,
2012 struct l2cap_ctrl *control)
2013{
2014 BT_DBG("chan %p, control %p", chan, control);
2015
2016 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2017 l2cap_ertm_resend(chan);
2018}
2019
d2a7ac5d
MM		 2020static void l2cap_retransmit_all(struct l2cap_chan *chan,
2021 struct l2cap_ctrl *control)
2022{
e1fbd4c1
MM		 2023 struct sk_buff *skb;
2024
2025 BT_DBG("chan %p, control %p", chan, control);
2026
2027 if (control->poll)
2028 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2029
2030 l2cap_seq_list_clear(&chan->retrans_list);
2031
2032 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2033 return;
2034
2035 if (chan->unacked_frames) {
2036 skb_queue_walk(&chan->tx_q, skb) {
2037 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2038 skb == chan->tx_send_head)
e1fbd4c1
MM		 2039 break;
2040 }
2041
2042 skb_queue_walk_from(&chan->tx_q, skb) {
2043 if (skb == chan->tx_send_head)
2044 break;
2045
2046 l2cap_seq_list_append(&chan->retrans_list,
2047 bt_cb(skb)->control.txseq);
2048 }
2049
2050 l2cap_ertm_resend(chan);
2051 }
d2a7ac5d
MM		 2052}
2053
0a0aba42 2054static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2055{
0a0aba42
MM		 2056 struct l2cap_ctrl control;
2057 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2058 chan->last_acked_seq);
2059 int threshold;
9e917af1 2060
0a0aba42
MM		 2061 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2062 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2063
0a0aba42
MM		 2064 memset(&control, 0, sizeof(control));
2065 control.sframe = 1;
dfc909be 2066
0a0aba42
MM		 2067 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2068 chan->rx_state == L2CAP_RX_STATE_RECV) {
2069 __clear_ack_timer(chan);
2070 control.super = L2CAP_SUPER_RNR;
2071 control.reqseq = chan->buffer_seq;
2072 l2cap_send_sframe(chan, &control);
2073 } else {
2074 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2075 l2cap_ertm_send(chan);
2076 /* If any i-frames were sent, they included an ack */
2077 if (chan->buffer_seq == chan->last_acked_seq)
2078 frames_to_ack = 0;
2079 }
dfc909be 2080
c20f8e35 2081 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2082 * Calculate without mul or div
2083 */
c20f8e35 2084 threshold = chan->ack_win;
0a0aba42
MM		 2085 threshold += threshold << 1;
2086 threshold >>= 2;
2087
b4400672 2088 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2089 threshold);
2090
2091 if (frames_to_ack >= threshold) {
2092 __clear_ack_timer(chan);
2093 control.super = L2CAP_SUPER_RR;
2094 control.reqseq = chan->buffer_seq;
2095 l2cap_send_sframe(chan, &control);
2096 frames_to_ack = 0;
2097 }
1c2acffb 2098
0a0aba42
MM		 2099 if (frames_to_ack)
2100 __set_ack_timer(chan);
2101 }
b17e73bb
SJ		 2102}
2103
04124681
GP		 2104static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2105 struct msghdr *msg, int len,
2106 int count, struct sk_buff *skb)
1c2acffb 2107{
0952a57a 2108 struct l2cap_conn *conn = chan->conn;
1c2acffb 2109 struct sk_buff **frag;
90338947 2110 int sent = 0;
1da177e4 2111
59203a21 2112 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2113 return -EFAULT;
1da177e4
LT		 2114
2115 sent += count;
2116 len -= count;
2117
2118 /* Continuation fragments (no L2CAP header) */
2119 frag = &skb_shinfo(skb)->frag_list;
2120 while (len) {
fbe00700
GP		 2121 struct sk_buff *tmp;
2122
1da177e4
LT		 2123 count = min_t(unsigned int, conn->mtu, len);
2124
fbe00700
GP		 2125 tmp = chan->ops->alloc_skb(chan, count,
2126 msg->msg_flags & MSG_DONTWAIT);
2127 if (IS_ERR(tmp))
2128 return PTR_ERR(tmp);
2129
2130 *frag = tmp;
2f7719ce 2131
1c2acffb
GP		 2132 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2133 return -EFAULT;
1da177e4 2134
5e59b791
LAD		 2135 (*frag)->priority = skb->priority;
2136
1da177e4
LT		 2137 sent += count;
2138 len -= count;
2139
2d0ed3d5
GP		 2140 skb->len += (*frag)->len;
2141 skb->data_len += (*frag)->len;
2142
1da177e4
LT		 2143 frag = &(*frag)->next;
2144 }
1da177e4
LT		 2145
2146 return sent;
1c2acffb 2147}
1da177e4 2148
5e59b791 2149static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2150 struct msghdr *msg, size_t len,
2151 u32 priority)
1c2acffb 2152{
8c1d787b 2153 struct l2cap_conn *conn = chan->conn;
1c2acffb 2154 struct sk_buff *skb;
03a51213 2155 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2156 struct l2cap_hdr *lh;
2157
b4400672 2158 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2159
2160 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2161
2162 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2163 msg->msg_flags & MSG_DONTWAIT);
2164 if (IS_ERR(skb))
2165 return skb;
1c2acffb 2166
5e59b791
LAD		 2167 skb->priority = priority;
2168
1c2acffb
GP		 2169 /* Create L2CAP header */
2170 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2171 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2172 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2173 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2174
0952a57a 2175 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2176 if (unlikely(err < 0)) {
2177 kfree_skb(skb);
2178 return ERR_PTR(err);
2179 }
2180 return skb;
2181}
2182
5e59b791 2183static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2184 struct msghdr *msg, size_t len,
2185 u32 priority)
1c2acffb 2186{
8c1d787b 2187 struct l2cap_conn *conn = chan->conn;
1c2acffb 2188 struct sk_buff *skb;
f2ba7fae 2189 int err, count;
1c2acffb
GP		 2190 struct l2cap_hdr *lh;
2191
b4400672 2192 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2193
f2ba7fae 2194 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2195
f2ba7fae 2196 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2197 msg->msg_flags & MSG_DONTWAIT);
2198 if (IS_ERR(skb))
2199 return skb;
1c2acffb 2200
5e59b791
LAD		 2201 skb->priority = priority;
2202
1c2acffb
GP		 2203 /* Create L2CAP header */
2204 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2205 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2206 lh->len = cpu_to_le16(len);
1c2acffb 2207
0952a57a 2208 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2209 if (unlikely(err < 0)) {
2210 kfree_skb(skb);
2211 return ERR_PTR(err);
2212 }
2213 return skb;
2214}
2215
ab0ff76d 2216static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2217 struct msghdr *msg, size_t len,
2218 u16 sdulen)
1c2acffb 2219{
8c1d787b 2220 struct l2cap_conn *conn = chan->conn;
1c2acffb 2221 struct sk_buff *skb;
e4ca6d98 2222 int err, count, hlen;
1c2acffb
GP		 2223 struct l2cap_hdr *lh;
2224
b4400672 2225 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2226
0ee0d208
GP		 2227 if (!conn)
2228 return ERR_PTR(-ENOTCONN);
2229
ba7aa64f 2230 hlen = __ertm_hdr_size(chan);
e4ca6d98 2231
c74e560c 2232 if (sdulen)
03a51213 2233 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2234
47d1ec61 2235 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2236 hlen += L2CAP_FCS_SIZE;
fcc203c3 2237
1c2acffb 2238 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2239
2240 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2241 msg->msg_flags & MSG_DONTWAIT);
2242 if (IS_ERR(skb))
2243 return skb;
1c2acffb
GP		 2244
2245 /* Create L2CAP header */
2246 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2247 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2248 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2249
18a48e76
MM		 2250 /* Control header is populated later */
2251 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2252 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2253 else
2254 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2255
c74e560c 2256 if (sdulen)
03a51213 2257 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2258
0952a57a 2259 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2260 if (unlikely(err < 0)) {
2261 kfree_skb(skb);
2262 return ERR_PTR(err);
2263 }
e90bac06 2264
18a48e76 2265 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2266 bt_cb(skb)->control.retries = 0;
1c2acffb 2267 return skb;
1da177e4
LT		 2268}
2269
94122bbe
MM		 2270static int l2cap_segment_sdu(struct l2cap_chan *chan,
2271 struct sk_buff_head *seg_queue,
2272 struct msghdr *msg, size_t len)
c74e560c 2273{
c74e560c 2274 struct sk_buff *skb;
94122bbe
MM		 2275 u16 sdu_len;
2276 size_t pdu_len;
94122bbe 2277 u8 sar;
c74e560c 2278
b4400672 2279 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2280
94122bbe
MM		 2281 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2282 * so fragmented skbs are not used. The HCI layer's handling
2283 * of fragmented skbs is not compatible with ERTM's queueing.
2284 */
c74e560c 2285
94122bbe
MM		 2286 /* PDU size is derived from the HCI MTU */
2287 pdu_len = chan->conn->mtu;
c74e560c 2288
a549574d
MM		 2289 /* Constrain PDU size for BR/EDR connections */
2290 if (!chan->hs_hcon)
2291 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2292
2293 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2294 if (chan->fcs)
2295 pdu_len -= L2CAP_FCS_SIZE;
2296
ba7aa64f 2297 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2298
2299 /* Remote device may have requested smaller PDUs */
2300 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2301
2302 if (len <= pdu_len) {
2303 sar = L2CAP_SAR_UNSEGMENTED;
2304 sdu_len = 0;
2305 pdu_len = len;
2306 } else {
2307 sar = L2CAP_SAR_START;
2308 sdu_len = len;
2309 pdu_len -= L2CAP_SDULEN_SIZE;
2310 }
2311
2312 while (len > 0) {
2313 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2314
c74e560c 2315 if (IS_ERR(skb)) {
94122bbe 2316 __skb_queue_purge(seg_queue);
c74e560c
GP		 2317 return PTR_ERR(skb);
2318 }
2319
94122bbe
MM		 2320 bt_cb(skb)->control.sar = sar;
2321 __skb_queue_tail(seg_queue, skb);
2322
2323 len -= pdu_len;
2324 if (sdu_len) {
2325 sdu_len = 0;
2326 pdu_len += L2CAP_SDULEN_SIZE;
2327 }
2328
2329 if (len <= pdu_len) {
2330 sar = L2CAP_SAR_END;
2331 pdu_len = len;
2332 } else {
2333 sar = L2CAP_SAR_CONTINUE;
2334 }
c74e560c 2335 }
c74e560c 2336
f0f62799 2337 return 0;
c74e560c
GP		 2338}
2339
5e59b791 2340int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2341 u32 priority)
9a91a04a 2342{
9a91a04a 2343 struct sk_buff *skb;
9a91a04a 2344 int err;
94122bbe 2345 struct sk_buff_head seg_queue;
9a91a04a
GP		 2346
2347 /* Connectionless channel */
715ec005 2348 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2349 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2350 if (IS_ERR(skb))
2351 return PTR_ERR(skb);
2352
2353 l2cap_do_send(chan, skb);
2354 return len;
2355 }
2356
2357 switch (chan->mode) {
2358 case L2CAP_MODE_BASIC:
2359 /* Check outgoing MTU */
2360 if (len > chan->omtu)
2361 return -EMSGSIZE;
2362
2363 /* Create a basic PDU */
5e59b791 2364 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2365 if (IS_ERR(skb))
2366 return PTR_ERR(skb);
2367
2368 l2cap_do_send(chan, skb);
2369 err = len;
2370 break;
2371
2372 case L2CAP_MODE_ERTM:
2373 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2374 /* Check outgoing MTU */
2375 if (len > chan->omtu) {
2376 err = -EMSGSIZE;
2377 break;
2378 }
9a91a04a 2379
94122bbe 2380 __skb_queue_head_init(&seg_queue);
9a91a04a 2381
94122bbe
MM		 2382 /* Do segmentation before calling in to the state machine,
2383 * since it's possible to block while waiting for memory
2384 * allocation.
2385 */
2386 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2387
94122bbe
MM		 2388 /* The channel could have been closed while segmenting,
2389 * check that it is still connected.
2390 */
2391 if (chan->state != BT_CONNECTED) {
2392 __skb_queue_purge(&seg_queue);
2393 err = -ENOTCONN;
9a91a04a
GP		 2394 }
2395
94122bbe 2396 if (err)
9a91a04a 2397 break;
9a91a04a 2398
3733937d 2399 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2400 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2401 else
d660366d 2402 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2403
d660366d 2404 err = len;
9a91a04a 2405
94122bbe
MM		 2406 /* If the skbs were not queued for sending, they'll still be in
2407 * seg_queue and need to be purged.
2408 */
2409 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2410 break;
2411
2412 default:
2413 BT_DBG("bad state %1.1x", chan->mode);
2414 err = -EBADFD;
2415 }
2416
2417 return err;
2418}
2419
d2a7ac5d
MM		 2420static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2421{
bed68bde
MM		 2422 struct l2cap_ctrl control;
2423 u16 seq;
2424
b4400672 2425 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2426
2427 memset(&control, 0, sizeof(control));
2428 control.sframe = 1;
2429 control.super = L2CAP_SUPER_SREJ;
2430
2431 for (seq = chan->expected_tx_seq; seq != txseq;
2432 seq = __next_seq(chan, seq)) {
2433 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2434 control.reqseq = seq;
2435 l2cap_send_sframe(chan, &control);
2436 l2cap_seq_list_append(&chan->srej_list, seq);
2437 }
2438 }
2439
2440 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2441}
2442
2443static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2444{
bed68bde
MM		 2445 struct l2cap_ctrl control;
2446
2447 BT_DBG("chan %p", chan);
2448
2449 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2450 return;
2451
2452 memset(&control, 0, sizeof(control));
2453 control.sframe = 1;
2454 control.super = L2CAP_SUPER_SREJ;
2455 control.reqseq = chan->srej_list.tail;
2456 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2457}
2458
2459static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2460{
bed68bde
MM		 2461 struct l2cap_ctrl control;
2462 u16 initial_head;
2463 u16 seq;
2464
b4400672 2465 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2466
2467 memset(&control, 0, sizeof(control));
2468 control.sframe = 1;
2469 control.super = L2CAP_SUPER_SREJ;
2470
2471 /* Capture initial list head to allow only one pass through the list. */
2472 initial_head = chan->srej_list.head;
2473
2474 do {
2475 seq = l2cap_seq_list_pop(&chan->srej_list);
2476 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2477 break;
2478
2479 control.reqseq = seq;
2480 l2cap_send_sframe(chan, &control);
2481 l2cap_seq_list_append(&chan->srej_list, seq);
2482 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2483}
2484
608bcc6d
MM		 2485static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2486{
2487 struct sk_buff *acked_skb;
2488 u16 ackseq;
2489
b4400672 2490 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2491
2492 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2493 return;
2494
b4400672 2495 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2496 chan->expected_ack_seq, chan->unacked_frames);
2497
2498 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2499 ackseq = __next_seq(chan, ackseq)) {
2500
2501 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2502 if (acked_skb) {
2503 skb_unlink(acked_skb, &chan->tx_q);
2504 kfree_skb(acked_skb);
2505 chan->unacked_frames--;
2506 }
2507 }
2508
2509 chan->expected_ack_seq = reqseq;
2510
2511 if (chan->unacked_frames == 0)
2512 __clear_retrans_timer(chan);
2513
b4400672 2514 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2515}
2516
2517static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2518{
2519 BT_DBG("chan %p", chan);
2520
2521 chan->expected_tx_seq = chan->buffer_seq;
2522 l2cap_seq_list_clear(&chan->srej_list);
2523 skb_queue_purge(&chan->srej_q);
2524 chan->rx_state = L2CAP_RX_STATE_RECV;
2525}
2526
d660366d
GP		 2527static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2528 struct l2cap_ctrl *control,
2529 struct sk_buff_head *skbs, u8 event)
608bcc6d 2530{
608bcc6d
MM		 2531 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2532 event);
2533
2534 switch (event) {
2535 case L2CAP_EV_DATA_REQUEST:
2536 if (chan->tx_send_head == NULL)
2537 chan->tx_send_head = skb_peek(skbs);
2538
2539 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2540 l2cap_ertm_send(chan);
2541 break;
2542 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2543 BT_DBG("Enter LOCAL_BUSY");
2544 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2545
2546 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2547 /* The SREJ_SENT state must be aborted if we are to
2548 * enter the LOCAL_BUSY state.
2549 */
2550 l2cap_abort_rx_srej_sent(chan);
2551 }
2552
2553 l2cap_send_ack(chan);
2554
2555 break;
2556 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2557 BT_DBG("Exit LOCAL_BUSY");
2558 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2559
2560 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2561 struct l2cap_ctrl local_control;
2562
2563 memset(&local_control, 0, sizeof(local_control));
2564 local_control.sframe = 1;
2565 local_control.super = L2CAP_SUPER_RR;
2566 local_control.poll = 1;
2567 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2568 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2569
2570 chan->retry_count = 1;
2571 __set_monitor_timer(chan);
2572 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2573 }
2574 break;
2575 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2576 l2cap_process_reqseq(chan, control->reqseq);
2577 break;
2578 case L2CAP_EV_EXPLICIT_POLL:
2579 l2cap_send_rr_or_rnr(chan, 1);
2580 chan->retry_count = 1;
2581 __set_monitor_timer(chan);
2582 __clear_ack_timer(chan);
2583 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2584 break;
2585 case L2CAP_EV_RETRANS_TO:
2586 l2cap_send_rr_or_rnr(chan, 1);
2587 chan->retry_count = 1;
2588 __set_monitor_timer(chan);
2589 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2590 break;
2591 case L2CAP_EV_RECV_FBIT:
2592 /* Nothing to process */
2593 break;
2594 default:
2595 break;
2596 }
608bcc6d
MM		 2597}
2598
d660366d
GP		 2599static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2600 struct l2cap_ctrl *control,
2601 struct sk_buff_head *skbs, u8 event)
608bcc6d 2602{
608bcc6d
MM		 2603 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2604 event);
2605
2606 switch (event) {
2607 case L2CAP_EV_DATA_REQUEST:
2608 if (chan->tx_send_head == NULL)
2609 chan->tx_send_head = skb_peek(skbs);
2610 /* Queue data, but don't send. */
2611 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2612 break;
2613 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2614 BT_DBG("Enter LOCAL_BUSY");
2615 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2616
2617 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2618 /* The SREJ_SENT state must be aborted if we are to
2619 * enter the LOCAL_BUSY state.
2620 */
2621 l2cap_abort_rx_srej_sent(chan);
2622 }
2623
2624 l2cap_send_ack(chan);
2625
2626 break;
2627 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2628 BT_DBG("Exit LOCAL_BUSY");
2629 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2630
2631 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2632 struct l2cap_ctrl local_control;
2633 memset(&local_control, 0, sizeof(local_control));
2634 local_control.sframe = 1;
2635 local_control.super = L2CAP_SUPER_RR;
2636 local_control.poll = 1;
2637 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2638 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2639
2640 chan->retry_count = 1;
2641 __set_monitor_timer(chan);
2642 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2643 }
2644 break;
2645 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2646 l2cap_process_reqseq(chan, control->reqseq);
2647
2648 /* Fall through */
2649
2650 case L2CAP_EV_RECV_FBIT:
2651 if (control && control->final) {
2652 __clear_monitor_timer(chan);
2653 if (chan->unacked_frames > 0)
2654 __set_retrans_timer(chan);
2655 chan->retry_count = 0;
2656 chan->tx_state = L2CAP_TX_STATE_XMIT;
2657 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2658 }
2659 break;
2660 case L2CAP_EV_EXPLICIT_POLL:
2661 /* Ignore */
2662 break;
2663 case L2CAP_EV_MONITOR_TO:
2664 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2665 l2cap_send_rr_or_rnr(chan, 1);
2666 __set_monitor_timer(chan);
2667 chan->retry_count++;
2668 } else {
2669 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2670 }
2671 break;
2672 default:
2673 break;
2674 }
608bcc6d
MM		 2675}
2676
d660366d
GP		 2677static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2678 struct sk_buff_head *skbs, u8 event)
608bcc6d 2679{
608bcc6d
MM		 2680 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2681 chan, control, skbs, event, chan->tx_state);
2682
2683 switch (chan->tx_state) {
2684 case L2CAP_TX_STATE_XMIT:
d660366d 2685 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2686 break;
2687 case L2CAP_TX_STATE_WAIT_F:
d660366d 2688 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2689 break;
2690 default:
2691 /* Ignore event */
2692 break;
2693 }
608bcc6d
MM		 2694}
2695
4b51dae9
MM		 2696static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2697 struct l2cap_ctrl *control)
2698{
2699 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2700 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2701}
2702
f80842a8
MM		 2703static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2704 struct l2cap_ctrl *control)
2705{
2706 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2707 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2708}
2709
1da177e4
LT		 2710/* Copy frame to all raw sockets on that connection */
2711static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2712{
1da177e4 2713 struct sk_buff *nskb;
48454079 2714 struct l2cap_chan *chan;
1da177e4
LT		 2715
2716 BT_DBG("conn %p", conn);
2717
3df91ea2 2718 mutex_lock(&conn->chan_lock);
3d57dc68 2719
3df91ea2 2720 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2721 struct sock *sk = chan->sk;
715ec005 2722 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2723 continue;
2724
2725 /* Don't send frame to the socket it came from */
2726 if (skb->sk == sk)
2727 continue;
8bcde1f2 2728 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2729 if (!nskb)
1da177e4
LT		 2730 continue;
2731
80b98027 2732 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2733 kfree_skb(nskb);
2734 }
3d57dc68 2735
3df91ea2 2736 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2737}
2738
2739/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2740static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2741 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2742{
2743 struct sk_buff *skb, **frag;
2744 struct l2cap_cmd_hdr *cmd;
2745 struct l2cap_hdr *lh;
2746 int len, count;
2747
b4400672
AE		 2748 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2749 conn, code, ident, dlen);
1da177e4
LT		 2750
2751 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2752 count = min_t(unsigned int, conn->mtu, len);
2753
8bcde1f2 2754 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2755 if (!skb)
2756 return NULL;
2757
2758 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2759 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2760
2761 if (conn->hcon->type == LE_LINK)
ac73498c 2762 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2763 else
ac73498c 2764 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2765
2766 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2767 cmd->code = code;
2768 cmd->ident = ident;
aca3192c 2769 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2770
2771 if (dlen) {
2772 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2773 memcpy(skb_put(skb, count), data, count);
2774 data += count;
2775 }
2776
2777 len -= skb->len;
2778
2779 /* Continuation fragments (no L2CAP header) */
2780 frag = &skb_shinfo(skb)->frag_list;
2781 while (len) {
2782 count = min_t(unsigned int, conn->mtu, len);
2783
8bcde1f2 2784 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2785 if (!*frag)
2786 goto fail;
2787
2788 memcpy(skb_put(*frag, count), data, count);
2789
2790 len -= count;
2791 data += count;
2792
2793 frag = &(*frag)->next;
2794 }
2795
2796 return skb;
2797
2798fail:
2799 kfree_skb(skb);
2800 return NULL;
2801}
2802
2d792818
GP		 2803static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2804 unsigned long *val)
1da177e4
LT		 2805{
2806 struct l2cap_conf_opt *opt = *ptr;
2807 int len;
2808
2809 len = L2CAP_CONF_OPT_SIZE + opt->len;
2810 *ptr += len;
2811
2812 *type = opt->type;
2813 *olen = opt->len;
2814
2815 switch (opt->len) {
2816 case 1:
2817 *val = *((u8 *) opt->val);
2818 break;
2819
2820 case 2:
bfaaeb3e 2821 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2822 break;
2823
2824 case 4:
bfaaeb3e 2825 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2826 break;
2827
2828 default:
2829 *val = (unsigned long) opt->val;
2830 break;
2831 }
2832
b4400672 2833 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2834 return len;
2835}
2836
1da177e4
LT		 2837static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2838{
2839 struct l2cap_conf_opt *opt = *ptr;
2840
b4400672 2841 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2842
2843 opt->type = type;
2844 opt->len = len;
2845
2846 switch (len) {
2847 case 1:
2848 *((u8 *) opt->val) = val;
2849 break;
2850
2851 case 2:
4f8b691c 2852 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2853 break;
2854
2855 case 4:
4f8b691c 2856 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2857 break;
2858
2859 default:
2860 memcpy(opt->val, (void *) val, len);
2861 break;
2862 }
2863
2864 *ptr += L2CAP_CONF_OPT_SIZE + len;
2865}
2866
f89cef09
AE		 2867static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2868{
2869 struct l2cap_conf_efs efs;
2870
1ec918ce 2871 switch (chan->mode) {
f89cef09
AE		 2872 case L2CAP_MODE_ERTM:
2873 efs.id = chan->local_id;
2874 efs.stype = chan->local_stype;
2875 efs.msdu = cpu_to_le16(chan->local_msdu);
2876 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2877 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2878 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2879 break;
2880
2881 case L2CAP_MODE_STREAMING:
2882 efs.id = 1;
2883 efs.stype = L2CAP_SERV_BESTEFFORT;
2884 efs.msdu = cpu_to_le16(chan->local_msdu);
2885 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2886 efs.acc_lat = 0;
2887 efs.flush_to = 0;
2888 break;
2889
2890 default:
2891 return;
2892 }
2893
2894 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2895 (unsigned long) &efs);
f89cef09
AE		 2896}
2897
721c4181 2898static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2899{
721c4181 2900 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2901 ack_timer.work);
2902 u16 frames_to_ack;
c1b4f43b 2903
2fb9b3d4
GP		 2904 BT_DBG("chan %p", chan);
2905
6be36555
AE		 2906 l2cap_chan_lock(chan);
2907
0362520b
MM		 2908 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2909 chan->last_acked_seq);
6be36555 2910
0362520b
MM		 2911 if (frames_to_ack)
2912 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2913
0362520b 2914 l2cap_chan_unlock(chan);
09bfb2ee 2915 l2cap_chan_put(chan);
c1b4f43b
GP		 2916}
2917
466f8004 2918int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2919{
3c588192
MM		 2920 int err;
2921
105bdf9e
MM		 2922 chan->next_tx_seq = 0;
2923 chan->expected_tx_seq = 0;
42e5c802 2924 chan->expected_ack_seq = 0;
6a026610 2925 chan->unacked_frames = 0;
42e5c802 2926 chan->buffer_seq = 0;
6a026610 2927 chan->frames_sent = 0;
105bdf9e
MM		 2928 chan->last_acked_seq = 0;
2929 chan->sdu = NULL;
2930 chan->sdu_last_frag = NULL;
2931 chan->sdu_len = 0;
2932
d34c34fb
MM		 2933 skb_queue_head_init(&chan->tx_q);
2934
08333283
MM		 2935 chan->local_amp_id = 0;
2936 chan->move_id = 0;
2937 chan->move_state = L2CAP_MOVE_STABLE;
2938 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2939
105bdf9e
MM		 2940 if (chan->mode != L2CAP_MODE_ERTM)
2941 return 0;
2942
2943 chan->rx_state = L2CAP_RX_STATE_RECV;
2944 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2945
721c4181
GP		 2946 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2947 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2948 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2949
f1c6775b 2950 skb_queue_head_init(&chan->srej_q);
1890d36b 2951
3c588192
MM		 2952 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2953 if (err < 0)
2954 return err;
2955
9dc9affc
MM		 2956 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2957 if (err < 0)
2958 l2cap_seq_list_free(&chan->srej_list);
2959
2960 return err;
0565c1c2
GP		 2961}
2962
f2fcfcd6
GP		 2963static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2964{
2965 switch (mode) {
2966 case L2CAP_MODE_STREAMING:
2967 case L2CAP_MODE_ERTM:
2968 if (l2cap_mode_supported(mode, remote_feat_mask))
2969 return mode;
2970 /* fall through */
2971 default:
2972 return L2CAP_MODE_BASIC;
2973 }
2974}
2975
6327eb98
AE		 2976static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2977{
2978 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2979}
2980
f89cef09
AE		 2981static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2982{
2983 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2984}
2985
36c86c85
MM		 2986static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
2987 struct l2cap_conf_rfc *rfc)
2988{
2989 if (chan->local_amp_id && chan->hs_hcon) {
2990 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
2991
2992 /* Class 1 devices have must have ERTM timeouts
2993 * exceeding the Link Supervision Timeout. The
2994 * default Link Supervision Timeout for AMP
2995 * controllers is 10 seconds.
2996 *
2997 * Class 1 devices use 0xffffffff for their
2998 * best-effort flush timeout, so the clamping logic
2999 * will result in a timeout that meets the above
3000 * requirement. ERTM timeouts are 16-bit values, so
3001 * the maximum timeout is 65.535 seconds.
3002 */
3003
3004 /* Convert timeout to milliseconds and round */
3005 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3006
3007 /* This is the recommended formula for class 2 devices
3008 * that start ERTM timers when packets are sent to the
3009 * controller.
3010 */
3011 ertm_to = 3 * ertm_to + 500;
3012
3013 if (ertm_to > 0xffff)
3014 ertm_to = 0xffff;
3015
3016 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3017 rfc->monitor_timeout = rfc->retrans_timeout;
3018 } else {
3019 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3020 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3021 }
3022}
3023
6327eb98
AE		 3024static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3025{
3026 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3027 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3028 /* use extended control field */
3029 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3030 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3031 } else {
6327eb98 3032 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3033 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3034 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3035 }
c20f8e35 3036 chan->ack_win = chan->tx_win;
6327eb98
AE		 3037}
3038
710f9b0a 3039static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3040{
1da177e4 3041 struct l2cap_conf_req *req = data;
0c1bc5c6 3042 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3043 void *ptr = req->data;
c8f79162 3044 u16 size;
1da177e4 3045
49208c9c 3046 BT_DBG("chan %p", chan);
1da177e4 3047
73ffa904 3048 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3049 goto done;
3050
0c1bc5c6 3051 switch (chan->mode) {
f2fcfcd6
GP		 3052 case L2CAP_MODE_STREAMING:
3053 case L2CAP_MODE_ERTM:
c1360a1c 3054 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3055 break;
85eb53c6 3056
f89cef09
AE		 3057 if (__l2cap_efs_supported(chan))
3058 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3059
2ba13ed6 3060 /* fall through */
f2fcfcd6 3061 default:
8c1d787b 3062 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3063 break;
3064 }
3065
3066done:
0c1bc5c6
GP		 3067 if (chan->imtu != L2CAP_DEFAULT_MTU)
3068 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3069
0c1bc5c6 3070 switch (chan->mode) {
65c7c491 3071 case L2CAP_MODE_BASIC:
8c1d787b 3072 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3073 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3074 break;
3075
62547752
GP		 3076 rfc.mode = L2CAP_MODE_BASIC;
3077 rfc.txwin_size = 0;
3078 rfc.max_transmit = 0;
3079 rfc.retrans_timeout = 0;
3080 rfc.monitor_timeout = 0;
3081 rfc.max_pdu_size = 0;
3082
63406504 3083 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3084 (unsigned long) &rfc);
65c7c491
MH		 3085 break;
3086
3087 case L2CAP_MODE_ERTM:
3088 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3089 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3090
3091 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3092
3093 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3094 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3095 L2CAP_FCS_SIZE);
c8f79162 3096 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3097
6327eb98
AE		 3098 l2cap_txwin_setup(chan);
3099
3100 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3101 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3102
63406504 3103 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3104 (unsigned long) &rfc);
63406504 3105
f89cef09
AE		 3106 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3107 l2cap_add_opt_efs(&ptr, chan);
3108
8c1d787b 3109 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3110 break;
3111
47d1ec61 3112 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3113 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3114 chan->fcs = L2CAP_FCS_NONE;
3115 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3116 }
6327eb98
AE		 3117
3118 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3119 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3120 chan->tx_win);
f2fcfcd6
GP		 3121 break;
3122
3123 case L2CAP_MODE_STREAMING:
273759e2 3124 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3125 rfc.mode = L2CAP_MODE_STREAMING;
3126 rfc.txwin_size = 0;
3127 rfc.max_transmit = 0;
3128 rfc.retrans_timeout = 0;
3129 rfc.monitor_timeout = 0;
c8f79162
AE		 3130
3131 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3132 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3133 L2CAP_FCS_SIZE);
c8f79162 3134 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3135
63406504 3136 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3137 (unsigned long) &rfc);
63406504 3138
f89cef09
AE		 3139 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3140 l2cap_add_opt_efs(&ptr, chan);
3141
8c1d787b 3142 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3143 break;
3144
47d1ec61 3145 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3146 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3147 chan->fcs = L2CAP_FCS_NONE;
3148 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3149 }
65c7c491
MH		 3150 break;
3151 }
1da177e4 3152
fe4128e0 3153 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3154 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3155
3156 return ptr - data;
3157}
3158
73ffa904 3159static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3160{
5dee9e7c
MH		 3161 struct l2cap_conf_rsp *rsp = data;
3162 void *ptr = rsp->data;
73ffa904
GP		 3163 void *req = chan->conf_req;
3164 int len = chan->conf_len;
5dee9e7c
MH		 3165 int type, hint, olen;
3166 unsigned long val;
6464f35f 3167 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3168 struct l2cap_conf_efs efs;
3169 u8 remote_efs = 0;
861d6882 3170 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3171 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3172 u16 size;
1da177e4 3173
73ffa904 3174 BT_DBG("chan %p", chan);
820ae1b8 3175
5dee9e7c
MH		 3176 while (len >= L2CAP_CONF_OPT_SIZE) {
3177 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3178
589d2746 3179 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3180 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3181
3182 switch (type) {
3183 case L2CAP_CONF_MTU:
861d6882 3184 mtu = val;
5dee9e7c
MH		 3185 break;
3186
3187 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3188 chan->flush_to = val;
5dee9e7c
MH		 3189 break;
3190
3191 case L2CAP_CONF_QOS:
3192 break;
3193
6464f35f
MH		 3194 case L2CAP_CONF_RFC:
3195 if (olen == sizeof(rfc))
3196 memcpy(&rfc, (void *) val, olen);
3197 break;
3198
fcc203c3
GP		 3199 case L2CAP_CONF_FCS:
3200 if (val == L2CAP_FCS_NONE)
c1360a1c 3201 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3202 break;
fcc203c3 3203
42dceae2
AE		 3204 case L2CAP_CONF_EFS:
3205 remote_efs = 1;
3206 if (olen == sizeof(efs))
3207 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3208 break;
3209
6327eb98
AE		 3210 case L2CAP_CONF_EWS:
3211 if (!enable_hs)
3212 return -ECONNREFUSED;
fcc203c3 3213
6327eb98
AE		 3214 set_bit(FLAG_EXT_CTRL, &chan->flags);
3215 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3216 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3217 chan->remote_tx_win = val;
fcc203c3
GP		 3218 break;
3219
5dee9e7c
MH		 3220 default:
3221 if (hint)
3222 break;
3223
3224 result = L2CAP_CONF_UNKNOWN;
3225 *((u8 *) ptr++) = type;
3226 break;
3227 }
3228 }
3229
73ffa904 3230 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3231 goto done;
3232
0c1bc5c6 3233 switch (chan->mode) {
f2fcfcd6
GP		 3234 case L2CAP_MODE_STREAMING:
3235 case L2CAP_MODE_ERTM:
c1360a1c 3236 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3237 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3238 chan->conn->feat_mask);
85eb53c6
GP		 3239 break;
3240 }
3241
42dceae2
AE		 3242 if (remote_efs) {
3243 if (__l2cap_efs_supported(chan))
3244 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3245 else
3246 return -ECONNREFUSED;
3247 }
3248
0c1bc5c6 3249 if (chan->mode != rfc.mode)
f2fcfcd6 3250 return -ECONNREFUSED;
742e519b 3251
f2fcfcd6 3252 break;
f2fcfcd6
GP		 3253 }
3254
3255done:
0c1bc5c6 3256 if (chan->mode != rfc.mode) {
f2fcfcd6 3257 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3258 rfc.mode = chan->mode;
f2fcfcd6 3259
73ffa904 3260 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3261 return -ECONNREFUSED;
3262
2d792818
GP		 3263 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3264 (unsigned long) &rfc);
f2fcfcd6
GP		 3265 }
3266
5dee9e7c
MH		 3267 if (result == L2CAP_CONF_SUCCESS) {
3268 /* Configure output options and let the other side know
3269 * which ones we don't like. */
3270
f2fcfcd6
GP		 3271 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3272 result = L2CAP_CONF_UNACCEPT;
3273 else {
0c1bc5c6 3274 chan->omtu = mtu;
c1360a1c 3275 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3276 }
0c1bc5c6 3277 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3278
42dceae2
AE		 3279 if (remote_efs) {
3280 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3281 efs.stype != L2CAP_SERV_NOTRAFIC &&
3282 efs.stype != chan->local_stype) {
42dceae2
AE		 3283
3284 result = L2CAP_CONF_UNACCEPT;
3285
3286 if (chan->num_conf_req >= 1)
3287 return -ECONNREFUSED;
3288
3289 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3290 sizeof(efs),
3291 (unsigned long) &efs);
0e8b207e 3292 } else {
3e6b3b95 3293 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3294 result = L2CAP_CONF_PENDING;
3295 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3296 }
3297 }
3298
f2fcfcd6
GP		 3299 switch (rfc.mode) {
3300 case L2CAP_MODE_BASIC:
47d1ec61 3301 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3302 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3303 break;
3304
3305 case L2CAP_MODE_ERTM:
6327eb98
AE		 3306 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3307 chan->remote_tx_win = rfc.txwin_size;
3308 else
3309 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3310
2c03a7a4 3311 chan->remote_max_tx = rfc.max_transmit;
1c762159 3312
c8f79162 3313 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3314 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3315 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3316 rfc.max_pdu_size = cpu_to_le16(size);
3317 chan->remote_mps = size;
f2fcfcd6 3318
36c86c85 3319 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3320
c1360a1c 3321 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3322
3323 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3324 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3325
42dceae2
AE		 3326 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3327 chan->remote_id = efs.id;
3328 chan->remote_stype = efs.stype;
3329 chan->remote_msdu = le16_to_cpu(efs.msdu);
3330 chan->remote_flush_to =
2d792818 3331 le32_to_cpu(efs.flush_to);
42dceae2 3332 chan->remote_acc_lat =
2d792818 3333 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3334 chan->remote_sdu_itime =
3335 le32_to_cpu(efs.sdu_itime);
3336 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3337 sizeof(efs),
3338 (unsigned long) &efs);
42dceae2 3339 }
f2fcfcd6
GP		 3340 break;
3341
3342 case L2CAP_MODE_STREAMING:
c8f79162 3343 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3344 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3345 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3346 rfc.max_pdu_size = cpu_to_le16(size);
3347 chan->remote_mps = size;
f2fcfcd6 3348
c1360a1c 3349 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3350
2d792818
GP		 3351 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3352 (unsigned long) &rfc);
68ae6639 3353
f2fcfcd6
GP		 3354 break;
3355
3356 default:
5dee9e7c 3357 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3358
6464f35f 3359 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3360 rfc.mode = chan->mode;
f2fcfcd6 3361 }
6464f35f 3362
f2fcfcd6 3363 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3364 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3365 }
fe4128e0 3366 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3367 rsp->result = cpu_to_le16(result);
59e54bd1 3368 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3369
3370 return ptr - data;
1da177e4
LT		 3371}
3372
2d792818
GP		 3373static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3374 void *data, u16 *result)
f2fcfcd6 3375{
f2fcfcd6
GP		 3376 struct l2cap_conf_req *req = data;
3377 void *ptr = req->data;
3378 int type, olen;
3379 unsigned long val;
36e999a8 3380 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3381 struct l2cap_conf_efs efs;
f2fcfcd6 3382
fe4128e0 3383 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3384
3385 while (len >= L2CAP_CONF_OPT_SIZE) {
3386 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3387
3388 switch (type) {
3389 case L2CAP_CONF_MTU:
3390 if (val < L2CAP_DEFAULT_MIN_MTU) {
3391 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3392 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3393 } else
0c1bc5c6
GP		 3394 chan->imtu = val;
3395 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3396 break;
3397
3398 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3399 chan->flush_to = val;
f2fcfcd6 3400 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3401 2, chan->flush_to);
f2fcfcd6
GP		 3402 break;
3403
3404 case L2CAP_CONF_RFC:
3405 if (olen == sizeof(rfc))
3406 memcpy(&rfc, (void *)val, olen);
3407
c1360a1c 3408 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3409 rfc.mode != chan->mode)
f2fcfcd6
GP		 3410 return -ECONNREFUSED;
3411
47d1ec61 3412 chan->fcs = 0;
f2fcfcd6
GP		 3413
3414 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3415 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3416 break;
6327eb98
AE		 3417
3418 case L2CAP_CONF_EWS:
c20f8e35 3419 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3420 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3421 chan->tx_win);
6327eb98 3422 break;
66af7aaf
AE		 3423
3424 case L2CAP_CONF_EFS:
3425 if (olen == sizeof(efs))
3426 memcpy(&efs, (void *)val, olen);
3427
3428 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3429 efs.stype != L2CAP_SERV_NOTRAFIC &&
3430 efs.stype != chan->local_stype)
66af7aaf
AE		 3431 return -ECONNREFUSED;
3432
2d792818
GP		 3433 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3434 (unsigned long) &efs);
66af7aaf 3435 break;
f2fcfcd6
GP		 3436 }
3437 }
3438
0c1bc5c6 3439 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3440 return -ECONNREFUSED;
3441
0c1bc5c6 3442 chan->mode = rfc.mode;
6c2ea7a8 3443
0e8b207e 3444 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3445 switch (rfc.mode) {
3446 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3447 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3448 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3449 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3450 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3451 chan->ack_win = min_t(u16, chan->ack_win,
3452 rfc.txwin_size);
66af7aaf
AE		 3453
3454 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3455 chan->local_msdu = le16_to_cpu(efs.msdu);
3456 chan->local_sdu_itime =
2d792818 3457 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3458 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3459 chan->local_flush_to =
2d792818 3460 le32_to_cpu(efs.flush_to);
66af7aaf 3461 }
f2fcfcd6 3462 break;
66af7aaf 3463
f2fcfcd6 3464 case L2CAP_MODE_STREAMING:
47d1ec61 3465 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3466 }
3467 }
3468
fe4128e0 3469 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3470 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3471
3472 return ptr - data;
3473}
3474
2d792818
GP		 3475static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3476 u16 result, u16 flags)
1da177e4
LT		 3477{
3478 struct l2cap_conf_rsp *rsp = data;
3479 void *ptr = rsp->data;
1da177e4 3480
fe4128e0 3481 BT_DBG("chan %p", chan);
1da177e4 3482
fe4128e0 3483 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3484 rsp->result = cpu_to_le16(result);
aca3192c 3485 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3486
3487 return ptr - data;
3488}
3489
8c1d787b 3490void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3491{
3492 struct l2cap_conn_rsp rsp;
8c1d787b 3493 struct l2cap_conn *conn = chan->conn;
710f9b0a 3494 u8 buf[128];
439f34ac 3495 u8 rsp_code;
710f9b0a 3496
fe4128e0
GP		 3497 rsp.scid = cpu_to_le16(chan->dcid);
3498 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3499 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3500 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3501
3502 if (chan->hs_hcon)
3503 rsp_code = L2CAP_CREATE_CHAN_RSP;
3504 else
3505 rsp_code = L2CAP_CONN_RSP;
3506
3507 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3508
3509 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3510
c1360a1c 3511 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3512 return;
3513
710f9b0a 3514 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3515 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3516 chan->num_conf_req++;
3517}
3518
47d1ec61 3519static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3520{
7b1c0049
GP		 3521 int type, olen;
3522 unsigned long val;
c20f8e35
MM		 3523 /* Use sane default values in case a misbehaving remote device
3524 * did not send an RFC or extended window size option.
3525 */
3526 u16 txwin_ext = chan->ack_win;
3527 struct l2cap_conf_rfc rfc = {
3528 .mode = chan->mode,
3529 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3530 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3531 .max_pdu_size = cpu_to_le16(chan->imtu),
3532 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3533 };
7b1c0049 3534
47d1ec61 3535 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3536
0c1bc5c6 3537 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3538 return;
3539
3540 while (len >= L2CAP_CONF_OPT_SIZE) {
3541 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3542
c20f8e35
MM		 3543 switch (type) {
3544 case L2CAP_CONF_RFC:
3545 if (olen == sizeof(rfc))
3546 memcpy(&rfc, (void *)val, olen);
8f321f85 3547 break;
c20f8e35
MM		 3548 case L2CAP_CONF_EWS:
3549 txwin_ext = val;
3550 break;
3551 }
7b1c0049
GP		 3552 }
3553
7b1c0049
GP		 3554 switch (rfc.mode) {
3555 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3556 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3557 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3558 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3559 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3560 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3561 else
3562 chan->ack_win = min_t(u16, chan->ack_win,
3563 rfc.txwin_size);
7b1c0049
GP		 3564 break;
3565 case L2CAP_MODE_STREAMING:
47d1ec61 3566 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3567 }
3568}
3569
2d792818
GP		 3570static inline int l2cap_command_rej(struct l2cap_conn *conn,
3571 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3572{
e2fd318e 3573 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3574
e2fd318e 3575 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3576 return 0;
3577
3578 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3579 cmd->ident == conn->info_ident) {
17cd3f37 3580 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3581
3582 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3583 conn->info_ident = 0;
984947dc 3584
4e8402a3
MH		 3585 l2cap_conn_start(conn);
3586 }
3587
3588 return 0;
3589}
3590
1700915f
MM		 3591static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3592 struct l2cap_cmd_hdr *cmd,
3593 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3594{
1da177e4
LT		 3595 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3596 struct l2cap_conn_rsp rsp;
23691d75 3597 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3598 struct sock *parent, *sk = NULL;
e7c29cb1 3599 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3600
3601 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3602 __le16 psm = req->psm;
1da177e4 3603
097db76c 3604 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3605
3606 /* Check if we have socket listening on psm */
c2287681 3607 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3608 if (!pchan) {
1da177e4
LT		 3609 result = L2CAP_CR_BAD_PSM;
3610 goto sendresp;
3611 }
3612
23691d75
GP		 3613 parent = pchan->sk;
3614
3df91ea2 3615 mutex_lock(&conn->chan_lock);
aa2ac881 3616 lock_sock(parent);
e0f0cb56 3617
e7c29cb1 3618 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3619 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3620 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3621 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3622 result = L2CAP_CR_SEC_BLOCK;
3623 goto response;
3624 }
3625
1da177e4
LT		 3626 result = L2CAP_CR_NO_MEM;
3627
2dfa1003
GP		 3628 /* Check if we already have channel with that dcid */
3629 if (__l2cap_get_chan_by_dcid(conn, scid))
3630 goto response;
3631
80b98027 3632 chan = pchan->ops->new_connection(pchan);
80808e43 3633 if (!chan)
1da177e4
LT		 3634 goto response;
3635
80808e43
GP		 3636 sk = chan->sk;
3637
1da177e4
LT		 3638 hci_conn_hold(conn->hcon);
3639
1da177e4
LT		 3640 bacpy(&bt_sk(sk)->src, conn->src);
3641 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3642 chan->psm = psm;
3643 chan->dcid = scid;
1700915f 3644 chan->local_amp_id = amp_id;
1da177e4 3645
6be36555 3646 __l2cap_chan_add(conn, chan);
48454079 3647
fe4128e0 3648 dcid = chan->scid;
1da177e4 3649
c9b66675 3650 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3651
fc7f8a7e 3652 chan->ident = cmd->ident;
1da177e4 3653
984947dc 3654 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3655 if (l2cap_chan_check_security(chan)) {
c5daa683 3656 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3657 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3658 result = L2CAP_CR_PEND;
3659 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3660 chan->ops->defer(chan);
f66dc81f 3661 } else {
1700915f
MM		 3662 /* Force pending result for AMP controllers.
3663 * The connection will succeed after the
3664 * physical link is up.
3665 */
3666 if (amp_id) {
3667 __l2cap_state_change(chan, BT_CONNECT2);
3668 result = L2CAP_CR_PEND;
3669 } else {
3670 __l2cap_state_change(chan, BT_CONFIG);
3671 result = L2CAP_CR_SUCCESS;
3672 }
f66dc81f
MH		 3673 status = L2CAP_CS_NO_INFO;
3674 }
79d554a6 3675 } else {
0e587be7 3676 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3677 result = L2CAP_CR_PEND;
3678 status = L2CAP_CS_AUTHEN_PEND;
3679 }
3680 } else {
0e587be7 3681 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3682 result = L2CAP_CR_PEND;
3683 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3684 }
3685
1da177e4 3686response:
aa2ac881 3687 release_sock(parent);
3df91ea2 3688 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3689
3690sendresp:
aca3192c
YH		 3691 rsp.scid = cpu_to_le16(scid);
3692 rsp.dcid = cpu_to_le16(dcid);
3693 rsp.result = cpu_to_le16(result);
3694 rsp.status = cpu_to_le16(status);
4c89b6aa 3695 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3696
3697 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3698 struct l2cap_info_req info;
ac73498c 3699 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3700
3701 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3702 conn->info_ident = l2cap_get_ident(conn);
3703
ba13ccd9 3704 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3705
2d792818
GP		 3706 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3707 sizeof(info), &info);
79d554a6
MH		 3708 }
3709
c1360a1c 3710 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3711 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3712 u8 buf[128];
c1360a1c 3713 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3714 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3715 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3716 chan->num_conf_req++;
e9aeb2dd 3717 }
1700915f
MM		 3718
3719 return chan;
4c89b6aa 3720}
e9aeb2dd 3721
4c89b6aa
MM		 3722static int l2cap_connect_req(struct l2cap_conn *conn,
3723 struct l2cap_cmd_hdr *cmd, u8 *data)
3724{
300229f9 3725 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3726 return 0;
3727}
3728
5909cf30 3729static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3730 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3731{
3732 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3733 u16 scid, dcid, result, status;
48454079 3734 struct l2cap_chan *chan;
1da177e4 3735 u8 req[128];
3df91ea2 3736 int err;
1da177e4
LT		 3737
3738 scid = __le16_to_cpu(rsp->scid);
3739 dcid = __le16_to_cpu(rsp->dcid);
3740 result = __le16_to_cpu(rsp->result);
3741 status = __le16_to_cpu(rsp->status);
3742
1b009c98 3743 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3744 dcid, scid, result, status);
1da177e4 3745
3df91ea2
AE		 3746 mutex_lock(&conn->chan_lock);
3747
1da177e4 3748 if (scid) {
3df91ea2
AE		 3749 chan = __l2cap_get_chan_by_scid(conn, scid);
3750 if (!chan) {
3751 err = -EFAULT;
3752 goto unlock;
3753 }
1da177e4 3754 } else {
3df91ea2
AE		 3755 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3756 if (!chan) {
3757 err = -EFAULT;
3758 goto unlock;
3759 }
1da177e4
LT		 3760 }
3761
3df91ea2
AE		 3762 err = 0;
3763
6be36555 3764 l2cap_chan_lock(chan);
48454079 3765
1da177e4
LT		 3766 switch (result) {
3767 case L2CAP_CR_SUCCESS:
89bc500e 3768 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3769 chan->ident = 0;
fe4128e0 3770 chan->dcid = dcid;
c1360a1c 3771 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3772
c1360a1c 3773 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3774 break;
3775
1da177e4 3776 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3777 l2cap_build_conf_req(chan, req), req);
73ffa904 3778 chan->num_conf_req++;
1da177e4
LT		 3779 break;
3780
3781 case L2CAP_CR_PEND:
c1360a1c 3782 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3783 break;
3784
3785 default:
48454079 3786 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3787 break;
3788 }
3789
6be36555 3790 l2cap_chan_unlock(chan);
3df91ea2
AE		 3791
3792unlock:
3793 mutex_unlock(&conn->chan_lock);
3794
3795 return err;
1da177e4
LT		 3796}
3797
47d1ec61 3798static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3799{
3800 /* FCS is enabled only in ERTM or streaming mode, if one or both
3801 * sides request it.
3802 */
0c1bc5c6 3803 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3804 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3805 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3806 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3807}
3808
29d8a590
AE		 3809static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3810 u8 ident, u16 flags)
3811{
3812 struct l2cap_conn *conn = chan->conn;
3813
3814 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3815 flags);
3816
3817 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3818 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3819
3820 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3821 l2cap_build_conf_rsp(chan, data,
3822 L2CAP_CONF_SUCCESS, flags), data);
3823}
3824
2d792818
GP		 3825static inline int l2cap_config_req(struct l2cap_conn *conn,
3826 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3827 u8 *data)
1da177e4
LT		 3828{
3829 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3830 u16 dcid, flags;
3831 u8 rsp[64];
48454079 3832 struct l2cap_chan *chan;
3c588192 3833 int len, err = 0;
1da177e4
LT		 3834
3835 dcid = __le16_to_cpu(req->dcid);
3836 flags = __le16_to_cpu(req->flags);
3837
3838 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3839
baa7e1fa 3840 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3841 if (!chan)
1da177e4
LT		 3842 return -ENOENT;
3843
033b1142 3844 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3845 struct l2cap_cmd_rej_cid rej;
3846
ac73498c 3847 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3848 rej.scid = cpu_to_le16(chan->scid);
3849 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3850
df6bd743 3851 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3852 sizeof(rej), &rej);
354f60a9 3853 goto unlock;
df6bd743 3854 }
354f60a9 3855
5dee9e7c 3856 /* Reject if config buffer is too small. */
88219a0f 3857 len = cmd_len - sizeof(*req);
7ac28817 3858 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3859 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3860 l2cap_build_conf_rsp(chan, rsp,
3861 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3862 goto unlock;
3863 }
3864
3865 /* Store config. */
73ffa904
GP		 3866 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3867 chan->conf_len += len;
1da177e4 3868
59e54bd1 3869 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3870 /* Incomplete config. Send empty response. */
3871 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3872 l2cap_build_conf_rsp(chan, rsp,
3873 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3874 goto unlock;
3875 }
3876
3877 /* Complete config. */
73ffa904 3878 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3879 if (len < 0) {
e92c8e70 3880 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3881 goto unlock;
f2fcfcd6 3882 }
1da177e4 3883
1500109b 3884 chan->ident = cmd->ident;
5dee9e7c 3885 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3886 chan->num_conf_rsp++;
5dee9e7c 3887
5dee9e7c 3888 /* Reset config buffer. */
73ffa904 3889 chan->conf_len = 0;
5dee9e7c 3890
c1360a1c 3891 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3892 goto unlock;
3893
c1360a1c 3894 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3895 set_default_fcs(chan);
fcc203c3 3896
105bdf9e
MM		 3897 if (chan->mode == L2CAP_MODE_ERTM ||
3898 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3899 err = l2cap_ertm_init(chan);
3900
3901 if (err < 0)
3902 l2cap_send_disconn_req(chan->conn, chan, -err);
3903 else
3904 l2cap_chan_ready(chan);
0565c1c2 3905
876d9484
MH		 3906 goto unlock;
3907 }
3908
c1360a1c 3909 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3910 u8 buf[64];
1da177e4 3911 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3912 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3913 chan->num_conf_req++;
1da177e4
LT		 3914 }
3915
0e8b207e
AE		 3916 /* Got Conf Rsp PENDING from remote side and asume we sent
3917 Conf Rsp PENDING in the code above */
3918 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3919 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3920
3921 /* check compatibility */
3922
79de886d 3923 /* Send rsp for BR/EDR channel */
f351bc72 3924 if (!chan->hs_hcon)
79de886d
AE		 3925 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3926 else
3927 chan->ident = cmd->ident;
0e8b207e
AE		 3928 }
3929
1da177e4 3930unlock:
6be36555 3931 l2cap_chan_unlock(chan);
3c588192 3932 return err;
1da177e4
LT		 3933}
3934
2d792818
GP		 3935static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3936 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3937{
3938 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3939 u16 scid, flags, result;
48454079 3940 struct l2cap_chan *chan;
61386cba 3941 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3942 int err = 0;
1da177e4
LT		 3943
3944 scid = __le16_to_cpu(rsp->scid);
3945 flags = __le16_to_cpu(rsp->flags);
3946 result = __le16_to_cpu(rsp->result);
3947
61386cba
AE		 3948 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3949 result, len);
1da177e4 3950
baa7e1fa 3951 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3952 if (!chan)
1da177e4
LT		 3953 return 0;
3954
3955 switch (result) {
3956 case L2CAP_CONF_SUCCESS:
47d1ec61 3957 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3958 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3959 break;
3960
0e8b207e
AE		 3961 case L2CAP_CONF_PENDING:
3962 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3963
3964 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3965 char buf[64];
3966
3967 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3968 buf, &result);
0e8b207e
AE		 3969 if (len < 0) {
3970 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3971 goto done;
3972 }
3973
f351bc72 3974 if (!chan->hs_hcon) {
79de886d
AE		 3975 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3976 0);
5ce66b59
AE		 3977 } else {
3978 if (l2cap_check_efs(chan)) {
3979 amp_create_logical_link(chan);
3980 chan->ident = cmd->ident;
3981 }
3982 }
0e8b207e
AE		 3983 }
3984 goto done;
3985
1da177e4 3986 case L2CAP_CONF_UNACCEPT:
73ffa904 3987 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3988 char req[64];
3989
c2c77ec8 3990 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3991 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3992 goto done;
3993 }
3994
f2fcfcd6
GP		 3995 /* throw out any old stored conf requests */
3996 result = L2CAP_CONF_SUCCESS;
b4450035 3997 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3998 req, &result);
f2fcfcd6 3999 if (len < 0) {
e92c8e70 4000 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 4001 goto done;
4002 }
4003
4004 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4005 L2CAP_CONF_REQ, len, req);
73ffa904 4006 chan->num_conf_req++;
f2fcfcd6
GP		 4007 if (result != L2CAP_CONF_SUCCESS)
4008 goto done;
4009 break;
1da177e4
LT		 4010 }
4011
8e87d142 4012 default:
6be36555 4013 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4014
ba13ccd9 4015 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 4016 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 4017 goto done;
4018 }
4019
59e54bd1 4020 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4021 goto done;
4022
c1360a1c 4023 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4024
c1360a1c 4025 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4026 set_default_fcs(chan);
fcc203c3 4027
105bdf9e
MM		 4028 if (chan->mode == L2CAP_MODE_ERTM ||
4029 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4030 err = l2cap_ertm_init(chan);
0565c1c2 4031
3c588192
MM		 4032 if (err < 0)
4033 l2cap_send_disconn_req(chan->conn, chan, -err);
4034 else
4035 l2cap_chan_ready(chan);
1da177e4
LT		 4036 }
4037
4038done:
6be36555 4039 l2cap_chan_unlock(chan);
3c588192 4040 return err;
1da177e4
LT		 4041}
4042
2d792818
GP		 4043static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4044 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4045{
4046 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4047 struct l2cap_disconn_rsp rsp;
4048 u16 dcid, scid;
48454079 4049 struct l2cap_chan *chan;
1da177e4
LT		 4050 struct sock *sk;
4051
4052 scid = __le16_to_cpu(req->scid);
4053 dcid = __le16_to_cpu(req->dcid);
4054
4055 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4056
3df91ea2
AE		 4057 mutex_lock(&conn->chan_lock);
4058
4059 chan = __l2cap_get_chan_by_scid(conn, dcid);
4060 if (!chan) {
4061 mutex_unlock(&conn->chan_lock);
1da177e4 4062 return 0;
3df91ea2 4063 }
1da177e4 4064
6be36555
AE		 4065 l2cap_chan_lock(chan);
4066
48454079
GP		 4067 sk = chan->sk;
4068
fe4128e0
GP		 4069 rsp.dcid = cpu_to_le16(chan->scid);
4070 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4071 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4072
6be36555 4073 lock_sock(sk);
1da177e4 4074 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4075 release_sock(sk);
1da177e4 4076
61d6ef3e 4077 l2cap_chan_hold(chan);
48454079 4078 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4079
4080 l2cap_chan_unlock(chan);
1da177e4 4081
80b98027 4082 chan->ops->close(chan);
61d6ef3e 4083 l2cap_chan_put(chan);
3df91ea2
AE		 4084
4085 mutex_unlock(&conn->chan_lock);
4086
1da177e4
LT		 4087 return 0;
4088}
4089
2d792818
GP		 4090static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4091 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4092{
4093 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4094 u16 dcid, scid;
48454079 4095 struct l2cap_chan *chan;
1da177e4
LT		 4096
4097 scid = __le16_to_cpu(rsp->scid);
4098 dcid = __le16_to_cpu(rsp->dcid);
4099
4100 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4101
3df91ea2
AE		 4102 mutex_lock(&conn->chan_lock);
4103
4104 chan = __l2cap_get_chan_by_scid(conn, scid);
4105 if (!chan) {
4106 mutex_unlock(&conn->chan_lock);
1da177e4 4107 return 0;
3df91ea2 4108 }
1da177e4 4109
6be36555 4110 l2cap_chan_lock(chan);
48454079 4111
61d6ef3e 4112 l2cap_chan_hold(chan);
48454079 4113 l2cap_chan_del(chan, 0);
6be36555
AE		 4114
4115 l2cap_chan_unlock(chan);
1da177e4 4116
80b98027 4117 chan->ops->close(chan);
61d6ef3e 4118 l2cap_chan_put(chan);
3df91ea2
AE		 4119
4120 mutex_unlock(&conn->chan_lock);
4121
1da177e4
LT		 4122 return 0;
4123}
4124
2d792818
GP		 4125static inline int l2cap_information_req(struct l2cap_conn *conn,
4126 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4127{
4128 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4129 u16 type;
4130
4131 type = __le16_to_cpu(req->type);
4132
4133 BT_DBG("type 0x%4.4x", type);
4134
f0709e03
MH		 4135 if (type == L2CAP_IT_FEAT_MASK) {
4136 u8 buf[8];
44dd46de 4137 u32 feat_mask = l2cap_feat_mask;
f0709e03 4138 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4139 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4140 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4141 if (!disable_ertm)
fcc203c3 4142 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4143 | L2CAP_FEAT_FCS;
a5fd6f30 4144 if (enable_hs)
6327eb98 4145 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4146 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4147
1b7bf4ed 4148 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4149 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4150 buf);
e1027a7c
MH		 4151 } else if (type == L2CAP_IT_FIXED_CHAN) {
4152 u8 buf[12];
4153 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4154
4155 if (enable_hs)
4156 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4157 else
4158 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4159
ac73498c
AE		 4160 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4161 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4162 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4163 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4164 buf);
f0709e03
MH		 4165 } else {
4166 struct l2cap_info_rsp rsp;
4167 rsp.type = cpu_to_le16(type);
ac73498c 4168 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4169 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4170 &rsp);
f0709e03 4171 }
1da177e4
LT		 4172
4173 return 0;
4174}
4175
2d792818
GP		 4176static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4177 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4178{
4179 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4180 u16 type, result;
4181
4182 type = __le16_to_cpu(rsp->type);
4183 result = __le16_to_cpu(rsp->result);
4184
4185 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4186
e90165be
AE		 4187 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4188 if (cmd->ident != conn->info_ident ||
2d792818 4189 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4190 return 0;
4191
17cd3f37 4192 cancel_delayed_work(&conn->info_timer);
4e8402a3 4193
adb08ede
VT		 4194 if (result != L2CAP_IR_SUCCESS) {
4195 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4196 conn->info_ident = 0;
4197
4198 l2cap_conn_start(conn);
4199
4200 return 0;
4201 }
4202
978c93b9
AE		 4203 switch (type) {
4204 case L2CAP_IT_FEAT_MASK:
83985319 4205 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4206
47ec1dcd 4207 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4208 struct l2cap_info_req req;
ac73498c 4209 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4210
4211 conn->info_ident = l2cap_get_ident(conn);
4212
4213 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4214 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4215 } else {
4216 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4217 conn->info_ident = 0;
4218
4219 l2cap_conn_start(conn);
4220 }
978c93b9
AE		 4221 break;
4222
4223 case L2CAP_IT_FIXED_CHAN:
4224 conn->fixed_chan_mask = rsp->data[0];
984947dc 4225 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4226 conn->info_ident = 0;
984947dc
MH		 4227
4228 l2cap_conn_start(conn);
978c93b9 4229 break;
984947dc 4230 }
4e8402a3 4231
1da177e4
LT		 4232 return 0;
4233}
4234
1700915f
MM		 4235static int l2cap_create_channel_req(struct l2cap_conn *conn,
4236 struct l2cap_cmd_hdr *cmd,
4237 u16 cmd_len, void *data)
f94ff6ff
MM		 4238{
4239 struct l2cap_create_chan_req *req = data;
6e1df6a6 4240 struct l2cap_create_chan_rsp rsp;
1700915f 4241 struct l2cap_chan *chan;
6e1df6a6 4242 struct hci_dev *hdev;
f94ff6ff
MM		 4243 u16 psm, scid;
4244
4245 if (cmd_len != sizeof(*req))
4246 return -EPROTO;
4247
4248 if (!enable_hs)
4249 return -EINVAL;
4250
4251 psm = le16_to_cpu(req->psm);
4252 scid = le16_to_cpu(req->scid);
4253
ad0ac6ca 4254 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4255
6e1df6a6
AE		 4256 /* For controller id 0 make BR/EDR connection */
4257 if (req->amp_id == HCI_BREDR_ID) {
4258 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4259 req->amp_id);
4260 return 0;
4261 }
1700915f 4262
6e1df6a6
AE		 4263 /* Validate AMP controller id */
4264 hdev = hci_dev_get(req->amp_id);
4265 if (!hdev)
4266 goto error;
1700915f 4267
6e1df6a6
AE		 4268 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4269 hci_dev_put(hdev);
4270 goto error;
4271 }
1700915f 4272
6e1df6a6
AE		 4273 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4274 req->amp_id);
4275 if (chan) {
4276 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4277 struct hci_conn *hs_hcon;
1700915f 4278
6e1df6a6
AE		 4279 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4280 if (!hs_hcon) {
4281 hci_dev_put(hdev);
4282 return -EFAULT;
1700915f
MM		 4283 }
4284
6e1df6a6
AE		 4285 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4286
6e1df6a6
AE		 4287 mgr->bredr_chan = chan;
4288 chan->hs_hcon = hs_hcon;
4289 conn->mtu = hdev->block_mtu;
1700915f 4290 }
f94ff6ff 4291
6e1df6a6 4292 hci_dev_put(hdev);
f94ff6ff
MM		 4293
4294 return 0;
6e1df6a6
AE		 4295
4296error:
4297 rsp.dcid = 0;
4298 rsp.scid = cpu_to_le16(scid);
4299 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4300 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4301
4302 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4303 sizeof(rsp), &rsp);
4304
4305 return -EFAULT;
f94ff6ff
MM		 4306}
4307
8eb200bd
MM		 4308static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4309{
4310 struct l2cap_move_chan_req req;
4311 u8 ident;
4312
4313 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4314
4315 ident = l2cap_get_ident(chan->conn);
4316 chan->ident = ident;
4317
4318 req.icid = cpu_to_le16(chan->scid);
4319 req.dest_amp_id = dest_amp_id;
4320
4321 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4322 &req);
4323
4324 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4325}
4326
1500109b 4327static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4328{
4329 struct l2cap_move_chan_rsp rsp;
4330
1500109b 4331 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4332
1500109b 4333 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4334 rsp.result = cpu_to_le16(result);
4335
1500109b
MM		 4336 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4337 sizeof(rsp), &rsp);
8d5a04a1
MM		 4338}
4339
5b155ef9 4340static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4341{
4342 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4343
5b155ef9 4344 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4345
5b155ef9 4346 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4347
5b155ef9 4348 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4349 cfm.result = cpu_to_le16(result);
4350
5b155ef9
MM		 4351 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4352 sizeof(cfm), &cfm);
4353
4354 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4355}
4356
4357static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4358{
4359 struct l2cap_move_chan_cfm cfm;
4360
4361 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4362
4363 cfm.icid = cpu_to_le16(icid);
4364 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4365
4366 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4367 sizeof(cfm), &cfm);
8d5a04a1
MM		 4368}
4369
4370static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4371 u16 icid)
8d5a04a1
MM		 4372{
4373 struct l2cap_move_chan_cfm_rsp rsp;
4374
ad0ac6ca 4375 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4376
4377 rsp.icid = cpu_to_le16(icid);
4378 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4379}
4380
5f3847a4
MM		 4381static void __release_logical_link(struct l2cap_chan *chan)
4382{
4383 chan->hs_hchan = NULL;
4384 chan->hs_hcon = NULL;
4385
4386 /* Placeholder - release the logical link */
4387}
4388
1500109b
MM		 4389static void l2cap_logical_fail(struct l2cap_chan *chan)
4390{
4391 /* Logical link setup failed */
4392 if (chan->state != BT_CONNECTED) {
4393 /* Create channel failure, disconnect */
4394 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4395 return;
4396 }
4397
4398 switch (chan->move_role) {
4399 case L2CAP_MOVE_ROLE_RESPONDER:
4400 l2cap_move_done(chan);
4401 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4402 break;
4403 case L2CAP_MOVE_ROLE_INITIATOR:
4404 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4405 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4406 /* Remote has only sent pending or
4407 * success responses, clean up
4408 */
4409 l2cap_move_done(chan);
4410 }
4411
4412 /* Other amp move states imply that the move
4413 * has already aborted
4414 */
4415 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4416 break;
4417 }
4418}
4419
4420static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4421 struct hci_chan *hchan)
4422{
4423 struct l2cap_conf_rsp rsp;
1500109b 4424
336178a3 4425 chan->hs_hchan = hchan;
1500109b
MM		 4426 chan->hs_hcon->l2cap_data = chan->conn;
4427
35ba9561 4428 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4429
4430 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4431 int err;
1500109b
MM		 4432
4433 set_default_fcs(chan);
4434
4435 err = l2cap_ertm_init(chan);
4436 if (err < 0)
4437 l2cap_send_disconn_req(chan->conn, chan, -err);
4438 else
4439 l2cap_chan_ready(chan);
4440 }
4441}
4442
4443static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4444 struct hci_chan *hchan)
4445{
4446 chan->hs_hcon = hchan->conn;
4447 chan->hs_hcon->l2cap_data = chan->conn;
4448
4449 BT_DBG("move_state %d", chan->move_state);
4450
4451 switch (chan->move_state) {
4452 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4453 /* Move confirm will be sent after a success
4454 * response is received
4455 */
4456 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4457 break;
4458 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4459 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4460 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4461 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4462 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4463 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4464 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4465 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4466 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4467 }
4468 break;
4469 default:
4470 /* Move was not in expected state, free the channel */
4471 __release_logical_link(chan);
4472
4473 chan->move_state = L2CAP_MOVE_STABLE;
4474 }
4475}
4476
4477/* Call with chan locked */
27695fb4
AE		 4478void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4479 u8 status)
5b155ef9 4480{
1500109b
MM		 4481 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4482
4483 if (status) {
4484 l2cap_logical_fail(chan);
4485 __release_logical_link(chan);
4486 return;
4487 }
4488
4489 if (chan->state != BT_CONNECTED) {
4490 /* Ignore logical link if channel is on BR/EDR */
4491 if (chan->local_amp_id)
4492 l2cap_logical_finish_create(chan, hchan);
4493 } else {
4494 l2cap_logical_finish_move(chan, hchan);
4495 }
5b155ef9
MM		 4496}
4497
3f7a56c4
MM		 4498void l2cap_move_start(struct l2cap_chan *chan)
4499{
4500 BT_DBG("chan %p", chan);
4501
4502 if (chan->local_amp_id == HCI_BREDR_ID) {
4503 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4504 return;
4505 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4506 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4507 /* Placeholder - start physical link setup */
4508 } else {
4509 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4510 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4511 chan->move_id = 0;
4512 l2cap_move_setup(chan);
4513 l2cap_send_move_chan_req(chan, 0);
4514 }
4515}
4516
8eb200bd
MM		 4517static void l2cap_do_create(struct l2cap_chan *chan, int result,
4518 u8 local_amp_id, u8 remote_amp_id)
4519{
62748ca1
AE		 4520 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4521 local_amp_id, remote_amp_id);
4522
12d6cc60
AE		 4523 chan->fcs = L2CAP_FCS_NONE;
4524
62748ca1
AE		 4525 /* Outgoing channel on AMP */
4526 if (chan->state == BT_CONNECT) {
4527 if (result == L2CAP_CR_SUCCESS) {
4528 chan->local_amp_id = local_amp_id;
4529 l2cap_send_create_chan_req(chan, remote_amp_id);
4530 } else {
4531 /* Revert to BR/EDR connect */
4532 l2cap_send_conn_req(chan);
4533 }
4534
4535 return;
4536 }
4537
4538 /* Incoming channel on AMP */
4539 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4540 struct l2cap_conn_rsp rsp;
4541 char buf[128];
4542 rsp.scid = cpu_to_le16(chan->dcid);
4543 rsp.dcid = cpu_to_le16(chan->scid);
4544
8eb200bd
MM		 4545 if (result == L2CAP_CR_SUCCESS) {
4546 /* Send successful response */
62cd50e2
AE		 4547 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4548 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4549 } else {
4550 /* Send negative response */
62cd50e2
AE		 4551 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4552 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4553 }
4554
4555 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4556 sizeof(rsp), &rsp);
4557
4558 if (result == L2CAP_CR_SUCCESS) {
4559 __l2cap_state_change(chan, BT_CONFIG);
4560 set_bit(CONF_REQ_SENT, &chan->conf_state);
4561 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4562 L2CAP_CONF_REQ,
4563 l2cap_build_conf_req(chan, buf), buf);
4564 chan->num_conf_req++;
4565 }
8eb200bd
MM		 4566 }
4567}
4568
4569static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4570 u8 remote_amp_id)
4571{
4572 l2cap_move_setup(chan);
4573 chan->move_id = local_amp_id;
4574 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4575
4576 l2cap_send_move_chan_req(chan, remote_amp_id);
4577}
4578
4579static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4580{
4581 struct hci_chan *hchan = NULL;
4582
4583 /* Placeholder - get hci_chan for logical link */
4584
4585 if (hchan) {
4586 if (hchan->state == BT_CONNECTED) {
4587 /* Logical link is ready to go */
4588 chan->hs_hcon = hchan->conn;
4589 chan->hs_hcon->l2cap_data = chan->conn;
4590 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4591 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4592
4593 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4594 } else {
4595 /* Wait for logical link to be ready */
4596 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4597 }
4598 } else {
4599 /* Logical link not available */
4600 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4601 }
4602}
4603
4604static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4605{
4606 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4607 u8 rsp_result;
4608 if (result == -EINVAL)
4609 rsp_result = L2CAP_MR_BAD_ID;
4610 else
4611 rsp_result = L2CAP_MR_NOT_ALLOWED;
4612
4613 l2cap_send_move_chan_rsp(chan, rsp_result);
4614 }
4615
4616 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4617 chan->move_state = L2CAP_MOVE_STABLE;
4618
4619 /* Restart data transmission */
4620 l2cap_ertm_send(chan);
4621}
4622
a514b17f
AE		 4623/* Invoke with locked chan */
4624void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4625{
770bfefa 4626 u8 local_amp_id = chan->local_amp_id;
fffadc08 4627 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4628
8eb200bd
MM		 4629 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4630 chan, result, local_amp_id, remote_amp_id);
4631
8eb200bd
MM		 4632 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4633 l2cap_chan_unlock(chan);
4634 return;
4635 }
4636
4637 if (chan->state != BT_CONNECTED) {
4638 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4639 } else if (result != L2CAP_MR_SUCCESS) {
4640 l2cap_do_move_cancel(chan, result);
4641 } else {
4642 switch (chan->move_role) {
4643 case L2CAP_MOVE_ROLE_INITIATOR:
4644 l2cap_do_move_initiate(chan, local_amp_id,
4645 remote_amp_id);
4646 break;
4647 case L2CAP_MOVE_ROLE_RESPONDER:
4648 l2cap_do_move_respond(chan, result);
4649 break;
4650 default:
4651 l2cap_do_move_cancel(chan, result);
4652 break;
4653 }
4654 }
8eb200bd
MM		 4655}
4656
8d5a04a1 4657static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4658 struct l2cap_cmd_hdr *cmd,
4659 u16 cmd_len, void *data)
8d5a04a1
MM		 4660{
4661 struct l2cap_move_chan_req *req = data;
1500109b 4662 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4663 struct l2cap_chan *chan;
8d5a04a1
MM		 4664 u16 icid = 0;
4665 u16 result = L2CAP_MR_NOT_ALLOWED;
4666
4667 if (cmd_len != sizeof(*req))
4668 return -EPROTO;
4669
4670 icid = le16_to_cpu(req->icid);
4671
ad0ac6ca 4672 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4673
4674 if (!enable_hs)
4675 return -EINVAL;
4676
02b0fbb9
MM		 4677 chan = l2cap_get_chan_by_dcid(conn, icid);
4678 if (!chan) {
1500109b
MM		 4679 rsp.icid = cpu_to_le16(icid);
4680 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4681 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4682 sizeof(rsp), &rsp);
02b0fbb9
MM		 4683 return 0;
4684 }
4685
1500109b
MM		 4686 chan->ident = cmd->ident;
4687
02b0fbb9
MM		 4688 if (chan->scid < L2CAP_CID_DYN_START ||
4689 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4690 (chan->mode != L2CAP_MODE_ERTM &&
4691 chan->mode != L2CAP_MODE_STREAMING)) {
4692 result = L2CAP_MR_NOT_ALLOWED;
4693 goto send_move_response;
4694 }
4695
4696 if (chan->local_amp_id == req->dest_amp_id) {
4697 result = L2CAP_MR_SAME_ID;
4698 goto send_move_response;
4699 }
4700
4701 if (req->dest_amp_id) {
4702 struct hci_dev *hdev;
4703 hdev = hci_dev_get(req->dest_amp_id);
4704 if (!hdev || hdev->dev_type != HCI_AMP ||
4705 !test_bit(HCI_UP, &hdev->flags)) {
4706 if (hdev)
4707 hci_dev_put(hdev);
4708
4709 result = L2CAP_MR_BAD_ID;
4710 goto send_move_response;
4711 }
4712 hci_dev_put(hdev);
4713 }
4714
4715 /* Detect a move collision. Only send a collision response
4716 * if this side has "lost", otherwise proceed with the move.
4717 * The winner has the larger bd_addr.
4718 */
4719 if ((__chan_is_moving(chan) ||
4720 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4721 bacmp(conn->src, conn->dst) > 0) {
4722 result = L2CAP_MR_COLLISION;
4723 goto send_move_response;
4724 }
4725
02b0fbb9
MM		 4726 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4727 l2cap_move_setup(chan);
4728 chan->move_id = req->dest_amp_id;
4729 icid = chan->dcid;
4730
4731 if (!req->dest_amp_id) {
4732 /* Moving to BR/EDR */
4733 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4734 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4735 result = L2CAP_MR_PEND;
4736 } else {
4737 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4738 result = L2CAP_MR_SUCCESS;
4739 }
4740 } else {
4741 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4742 /* Placeholder - uncomment when amp functions are available */
4743 /*amp_accept_physical(chan, req->dest_amp_id);*/
4744 result = L2CAP_MR_PEND;
4745 }
4746
4747send_move_response:
1500109b 4748 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4749
02b0fbb9
MM		 4750 l2cap_chan_unlock(chan);
4751
8d5a04a1
MM		 4752 return 0;
4753}
4754
5b155ef9
MM		 4755static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4756{
4757 struct l2cap_chan *chan;
4758 struct hci_chan *hchan = NULL;
4759
4760 chan = l2cap_get_chan_by_scid(conn, icid);
4761 if (!chan) {
4762 l2cap_send_move_chan_cfm_icid(conn, icid);
4763 return;
4764 }
4765
4766 __clear_chan_timer(chan);
4767 if (result == L2CAP_MR_PEND)
4768 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4769
4770 switch (chan->move_state) {
4771 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4772 /* Move confirm will be sent when logical link
4773 * is complete.
4774 */
4775 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4776 break;
4777 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4778 if (result == L2CAP_MR_PEND) {
4779 break;
4780 } else if (test_bit(CONN_LOCAL_BUSY,
4781 &chan->conn_state)) {
4782 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4783 } else {
4784 /* Logical link is up or moving to BR/EDR,
4785 * proceed with move
4786 */
4787 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4788 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4789 }
4790 break;
4791 case L2CAP_MOVE_WAIT_RSP:
4792 /* Moving to AMP */
4793 if (result == L2CAP_MR_SUCCESS) {
4794 /* Remote is ready, send confirm immediately
4795 * after logical link is ready
4796 */
4797 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4798 } else {
4799 /* Both logical link and move success
4800 * are required to confirm
4801 */
4802 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4803 }
4804
4805 /* Placeholder - get hci_chan for logical link */
4806 if (!hchan) {
4807 /* Logical link not available */
4808 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4809 break;
4810 }
4811
4812 /* If the logical link is not yet connected, do not
4813 * send confirmation.
4814 */
4815 if (hchan->state != BT_CONNECTED)
4816 break;
4817
4818 /* Logical link is already ready to go */
4819
4820 chan->hs_hcon = hchan->conn;
4821 chan->hs_hcon->l2cap_data = chan->conn;
4822
4823 if (result == L2CAP_MR_SUCCESS) {
4824 /* Can confirm now */
4825 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4826 } else {
4827 /* Now only need move success
4828 * to confirm
4829 */
4830 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4831 }
4832
4833 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4834 break;
4835 default:
4836 /* Any other amp move state means the move failed. */
4837 chan->move_id = chan->local_amp_id;
4838 l2cap_move_done(chan);
4839 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4840 }
4841
4842 l2cap_chan_unlock(chan);
4843}
4844
4845static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
4846 u16 result)
4847{
4848 struct l2cap_chan *chan;
4849
4850 chan = l2cap_get_chan_by_ident(conn, ident);
4851 if (!chan) {
4852 /* Could not locate channel, icid is best guess */
4853 l2cap_send_move_chan_cfm_icid(conn, icid);
4854 return;
4855 }
4856
4857 __clear_chan_timer(chan);
4858
4859 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4860 if (result == L2CAP_MR_COLLISION) {
4861 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4862 } else {
4863 /* Cleanup - cancel move */
4864 chan->move_id = chan->local_amp_id;
4865 l2cap_move_done(chan);
4866 }
4867 }
4868
4869 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4870
4871 l2cap_chan_unlock(chan);
4872}
4873
4874static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4875 struct l2cap_cmd_hdr *cmd,
4876 u16 cmd_len, void *data)
8d5a04a1
MM		 4877{
4878 struct l2cap_move_chan_rsp *rsp = data;
4879 u16 icid, result;
4880
4881 if (cmd_len != sizeof(*rsp))
4882 return -EPROTO;
4883
4884 icid = le16_to_cpu(rsp->icid);
4885 result = le16_to_cpu(rsp->result);
4886
ad0ac6ca 4887 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4888
5b155ef9
MM		 4889 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
4890 l2cap_move_continue(conn, icid, result);
4891 else
4892 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 4893
4894 return 0;
4895}
4896
5f3847a4
MM		 4897static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4898 struct l2cap_cmd_hdr *cmd,
4899 u16 cmd_len, void *data)
8d5a04a1
MM		 4900{
4901 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4902 struct l2cap_chan *chan;
8d5a04a1
MM		 4903 u16 icid, result;
4904
4905 if (cmd_len != sizeof(*cfm))
4906 return -EPROTO;
4907
4908 icid = le16_to_cpu(cfm->icid);
4909 result = le16_to_cpu(cfm->result);
4910
ad0ac6ca 4911 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4912
5f3847a4
MM		 4913 chan = l2cap_get_chan_by_dcid(conn, icid);
4914 if (!chan) {
4915 /* Spec requires a response even if the icid was not found */
4916 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4917 return 0;
4918 }
4919
4920 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4921 if (result == L2CAP_MC_CONFIRMED) {
4922 chan->local_amp_id = chan->move_id;
4923 if (!chan->local_amp_id)
4924 __release_logical_link(chan);
4925 } else {
4926 chan->move_id = chan->local_amp_id;
4927 }
4928
4929 l2cap_move_done(chan);
4930 }
4931
8d5a04a1
MM		 4932 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4933
5f3847a4
MM		 4934 l2cap_chan_unlock(chan);
4935
8d5a04a1
MM		 4936 return 0;
4937}
4938
4939static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4940 struct l2cap_cmd_hdr *cmd,
4941 u16 cmd_len, void *data)
8d5a04a1
MM		 4942{
4943 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 4944 struct l2cap_chan *chan;
8d5a04a1
MM		 4945 u16 icid;
4946
4947 if (cmd_len != sizeof(*rsp))
4948 return -EPROTO;
4949
4950 icid = le16_to_cpu(rsp->icid);
4951
ad0ac6ca 4952 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 4953
3fd71a0a
MM		 4954 chan = l2cap_get_chan_by_scid(conn, icid);
4955 if (!chan)
4956 return 0;
4957
4958 __clear_chan_timer(chan);
4959
4960 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
4961 chan->local_amp_id = chan->move_id;
4962
4963 if (!chan->local_amp_id && chan->hs_hchan)
4964 __release_logical_link(chan);
4965
4966 l2cap_move_done(chan);
4967 }
4968
4969 l2cap_chan_unlock(chan);
4970
8d5a04a1
MM		 4971 return 0;
4972}
4973
e2174ca4 4974static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4975 u16 to_multiplier)
de73115a
CT		 4976{
4977 u16 max_latency;
4978
4979 if (min > max || min < 6 || max > 3200)
4980 return -EINVAL;
4981
4982 if (to_multiplier < 10 || to_multiplier > 3200)
4983 return -EINVAL;
4984
4985 if (max >= to_multiplier * 8)
4986 return -EINVAL;
4987
4988 max_latency = (to_multiplier * 8 / max) - 1;
4989 if (latency > 499 || latency > max_latency)
4990 return -EINVAL;
4991
4992 return 0;
4993}
4994
4995static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4996 struct l2cap_cmd_hdr *cmd,
4997 u8 *data)
de73115a
CT		 4998{
4999 struct hci_conn *hcon = conn->hcon;
5000 struct l2cap_conn_param_update_req *req;
5001 struct l2cap_conn_param_update_rsp rsp;
5002 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5003 int err;
de73115a
CT		 5004
5005 if (!(hcon->link_mode & HCI_LM_MASTER))
5006 return -EINVAL;
5007
5008 cmd_len = __le16_to_cpu(cmd->len);
5009 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5010 return -EPROTO;
5011
5012 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5013 min = __le16_to_cpu(req->min);
5014 max = __le16_to_cpu(req->max);
de73115a
CT		 5015 latency = __le16_to_cpu(req->latency);
5016 to_multiplier = __le16_to_cpu(req->to_multiplier);
5017
5018 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5019 min, max, latency, to_multiplier);
de73115a
CT		 5020
5021 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5022
5023 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5024 if (err)
ac73498c 5025 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5026 else
ac73498c 5027 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5028
5029 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5030 sizeof(rsp), &rsp);
de73115a 5031
2ce603eb
CT		 5032 if (!err)
5033 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5034
de73115a
CT		 5035 return 0;
5036}
5037
3300d9a9 5038static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5039 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5040 u8 *data)
3300d9a9
CT		 5041{
5042 int err = 0;
5043
5044 switch (cmd->code) {
5045 case L2CAP_COMMAND_REJ:
5046 l2cap_command_rej(conn, cmd, data);
5047 break;
5048
5049 case L2CAP_CONN_REQ:
5050 err = l2cap_connect_req(conn, cmd, data);
5051 break;
5052
5053 case L2CAP_CONN_RSP:
f5a2598d 5054 case L2CAP_CREATE_CHAN_RSP:
5909cf30 5055 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 5056 break;
5057
5058 case L2CAP_CONF_REQ:
5059 err = l2cap_config_req(conn, cmd, cmd_len, data);
5060 break;
5061
5062 case L2CAP_CONF_RSP:
5063 err = l2cap_config_rsp(conn, cmd, data);
5064 break;
5065
5066 case L2CAP_DISCONN_REQ:
5067 err = l2cap_disconnect_req(conn, cmd, data);
5068 break;
5069
5070 case L2CAP_DISCONN_RSP:
5071 err = l2cap_disconnect_rsp(conn, cmd, data);
5072 break;
5073
5074 case L2CAP_ECHO_REQ:
5075 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5076 break;
5077
5078 case L2CAP_ECHO_RSP:
5079 break;
5080
5081 case L2CAP_INFO_REQ:
5082 err = l2cap_information_req(conn, cmd, data);
5083 break;
5084
5085 case L2CAP_INFO_RSP:
5086 err = l2cap_information_rsp(conn, cmd, data);
5087 break;
5088
f94ff6ff
MM		 5089 case L2CAP_CREATE_CHAN_REQ:
5090 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5091 break;
5092
8d5a04a1
MM		 5093 case L2CAP_MOVE_CHAN_REQ:
5094 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5095 break;
5096
5097 case L2CAP_MOVE_CHAN_RSP:
5098 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5099 break;
5100
5101 case L2CAP_MOVE_CHAN_CFM:
5102 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5103 break;
5104
5105 case L2CAP_MOVE_CHAN_CFM_RSP:
5106 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5107 break;
5108
3300d9a9
CT		 5109 default:
5110 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5111 err = -EINVAL;
5112 break;
5113 }
5114
5115 return err;
5116}
5117
5118static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5119 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5120{
5121 switch (cmd->code) {
5122 case L2CAP_COMMAND_REJ:
5123 return 0;
5124
5125 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5126 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5127
5128 case L2CAP_CONN_PARAM_UPDATE_RSP:
5129 return 0;
5130
5131 default:
5132 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5133 return -EINVAL;
5134 }
5135}
5136
5137static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5138 struct sk_buff *skb)
1da177e4
LT		 5139{
5140 u8 *data = skb->data;
5141 int len = skb->len;
5142 struct l2cap_cmd_hdr cmd;
3300d9a9 5143 int err;
1da177e4
LT		 5144
5145 l2cap_raw_recv(conn, skb);
5146
5147 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5148 u16 cmd_len;
1da177e4
LT		 5149 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5150 data += L2CAP_CMD_HDR_SIZE;
5151 len -= L2CAP_CMD_HDR_SIZE;
5152
88219a0f 5153 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5154
2d792818
GP		 5155 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5156 cmd.ident);
1da177e4 5157
88219a0f 5158 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5159 BT_DBG("corrupted command");
5160 break;
5161 }
5162
3300d9a9
CT		 5163 if (conn->hcon->type == LE_LINK)
5164 err = l2cap_le_sig_cmd(conn, &cmd, data);
5165 else
5166 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 5167
5168 if (err) {
e2fd318e 5169 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5170
5171 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5172
5173 /* FIXME: Map err to a valid reason */
ac73498c 5174 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5175 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5176 sizeof(rej), &rej);
1da177e4
LT		 5177 }
5178
88219a0f
AV		 5179 data += cmd_len;
5180 len -= cmd_len;
1da177e4
LT		 5181 }
5182
5183 kfree_skb(skb);
5184}
5185
47d1ec61 5186static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5187{
5188 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5189 int hdr_size;
5190
5191 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5192 hdr_size = L2CAP_EXT_HDR_SIZE;
5193 else
5194 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5195
47d1ec61 5196 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5197 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5198 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5199 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5200
5201 if (our_fcs != rcv_fcs)
7a560e5c 5202 return -EBADMSG;
fcc203c3
GP		 5203 }
5204 return 0;
5205}
5206
6ea00485 5207static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5208{
e31f7633 5209 struct l2cap_ctrl control;
d5392c8f 5210
e31f7633 5211 BT_DBG("chan %p", chan);
d5392c8f 5212
e31f7633
MM		 5213 memset(&control, 0, sizeof(control));
5214 control.sframe = 1;
5215 control.final = 1;
5216 control.reqseq = chan->buffer_seq;
5217 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5218
e2ab4353 5219 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5220 control.super = L2CAP_SUPER_RNR;
5221 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5222 }
5223
e31f7633
MM		 5224 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5225 chan->unacked_frames > 0)
5226 __set_retrans_timer(chan);
d5392c8f 5227
e31f7633 5228 /* Send pending iframes */
525cd185 5229 l2cap_ertm_send(chan);
d5392c8f 5230
e2ab4353 5231 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5232 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5233 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5234 * send it now.
5235 */
5236 control.super = L2CAP_SUPER_RR;
5237 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5238 }
5239}
5240
2d792818
GP		 5241static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5242 struct sk_buff **last_frag)
18778a63 5243{
84084a31
MM		 5244 /* skb->len reflects data in skb as well as all fragments
5245 * skb->data_len reflects only data in fragments
5246 */
5247 if (!skb_has_frag_list(skb))
5248 skb_shinfo(skb)->frag_list = new_frag;
5249
5250 new_frag->next = NULL;
5251
5252 (*last_frag)->next = new_frag;
5253 *last_frag = new_frag;
5254
5255 skb->len += new_frag->len;
5256 skb->data_len += new_frag->len;
5257 skb->truesize += new_frag->truesize;
5258}
5259
4b51dae9
MM		 5260static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5261 struct l2cap_ctrl *control)
84084a31
MM		 5262{
5263 int err = -EINVAL;
18778a63 5264
4b51dae9 5265 switch (control->sar) {
7e0ef6ee 5266 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5267 if (chan->sdu)
5268 break;
18778a63 5269
80b98027 5270 err = chan->ops->recv(chan, skb);
84084a31 5271 break;
18778a63 5272
7e0ef6ee 5273 case L2CAP_SAR_START:
84084a31
MM		 5274 if (chan->sdu)
5275 break;
18778a63 5276
6f61fd47 5277 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5278 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5279
84084a31
MM		 5280 if (chan->sdu_len > chan->imtu) {
5281 err = -EMSGSIZE;
5282 break;
5283 }
1890d36b 5284
84084a31
MM		 5285 if (skb->len >= chan->sdu_len)
5286 break;
18778a63 5287
84084a31
MM		 5288 chan->sdu = skb;
5289 chan->sdu_last_frag = skb;
18778a63 5290
84084a31
MM		 5291 skb = NULL;
5292 err = 0;
18778a63
GP		 5293 break;
5294
7e0ef6ee 5295 case L2CAP_SAR_CONTINUE:
6f61fd47 5296 if (!chan->sdu)
84084a31 5297 break;
18778a63 5298
84084a31
MM		 5299 append_skb_frag(chan->sdu, skb,
5300 &chan->sdu_last_frag);
5301 skb = NULL;
18778a63 5302
84084a31
MM		 5303 if (chan->sdu->len >= chan->sdu_len)
5304 break;
4178ba46 5305
84084a31 5306 err = 0;
18778a63
GP		 5307 break;
5308
7e0ef6ee 5309 case L2CAP_SAR_END:
6f61fd47 5310 if (!chan->sdu)
84084a31 5311 break;
18778a63 5312
84084a31
MM		 5313 append_skb_frag(chan->sdu, skb,
5314 &chan->sdu_last_frag);
5315 skb = NULL;
4178ba46 5316
84084a31
MM		 5317 if (chan->sdu->len != chan->sdu_len)
5318 break;
18778a63 5319
80b98027 5320 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5321
84084a31
MM		 5322 if (!err) {
5323 /* Reassembly complete */
5324 chan->sdu = NULL;
5325 chan->sdu_last_frag = NULL;
5326 chan->sdu_len = 0;
1890d36b 5327 }
18778a63
GP		 5328 break;
5329 }
5330
84084a31
MM		 5331 if (err) {
5332 kfree_skb(skb);
5333 kfree_skb(chan->sdu);
5334 chan->sdu = NULL;
5335 chan->sdu_last_frag = NULL;
5336 chan->sdu_len = 0;
5337 }
18778a63 5338
84084a31 5339 return err;
18778a63
GP		 5340}
5341
32b32735
MM		 5342static int l2cap_resegment(struct l2cap_chan *chan)
5343{
5344 /* Placeholder */
5345 return 0;
5346}
5347
61aa4f5b 5348void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5349{
61aa4f5b 5350 u8 event;
712132eb 5351
61aa4f5b
MM		 5352 if (chan->mode != L2CAP_MODE_ERTM)
5353 return;
712132eb 5354
61aa4f5b 5355 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5356 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5357}
5358
d2a7ac5d
MM		 5359static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5360{
63838725
MM		 5361 int err = 0;
5362 /* Pass sequential frames to l2cap_reassemble_sdu()
5363 * until a gap is encountered.
5364 */
5365
5366 BT_DBG("chan %p", chan);
5367
5368 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5369 struct sk_buff *skb;
5370 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5371 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5372
5373 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5374
5375 if (!skb)
5376 break;
5377
5378 skb_unlink(skb, &chan->srej_q);
5379 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5380 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5381 if (err)
5382 break;
5383 }
5384
5385 if (skb_queue_empty(&chan->srej_q)) {
5386 chan->rx_state = L2CAP_RX_STATE_RECV;
5387 l2cap_send_ack(chan);
5388 }
5389
5390 return err;
d2a7ac5d
MM		 5391}
5392
5393static void l2cap_handle_srej(struct l2cap_chan *chan,
5394 struct l2cap_ctrl *control)
5395{
f80842a8
MM		 5396 struct sk_buff *skb;
5397
5398 BT_DBG("chan %p, control %p", chan, control);
5399
5400 if (control->reqseq == chan->next_tx_seq) {
5401 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5402 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5403 return;
5404 }
5405
5406 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5407
5408 if (skb == NULL) {
5409 BT_DBG("Seq %d not available for retransmission",
5410 control->reqseq);
5411 return;
5412 }
5413
5414 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5415 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5416 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5417 return;
5418 }
5419
5420 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5421
5422 if (control->poll) {
5423 l2cap_pass_to_tx(chan, control);
5424
5425 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5426 l2cap_retransmit(chan, control);
5427 l2cap_ertm_send(chan);
5428
5429 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5430 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5431 chan->srej_save_reqseq = control->reqseq;
5432 }
5433 } else {
5434 l2cap_pass_to_tx_fbit(chan, control);
5435
5436 if (control->final) {
5437 if (chan->srej_save_reqseq != control->reqseq ||
5438 !test_and_clear_bit(CONN_SREJ_ACT,
5439 &chan->conn_state))
5440 l2cap_retransmit(chan, control);
5441 } else {
5442 l2cap_retransmit(chan, control);
5443 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5444 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5445 chan->srej_save_reqseq = control->reqseq;
5446 }
5447 }
5448 }
d2a7ac5d
MM		 5449}
5450
5451static void l2cap_handle_rej(struct l2cap_chan *chan,
5452 struct l2cap_ctrl *control)
5453{
fcd289df
MM		 5454 struct sk_buff *skb;
5455
5456 BT_DBG("chan %p, control %p", chan, control);
5457
5458 if (control->reqseq == chan->next_tx_seq) {
5459 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5460 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5461 return;
5462 }
5463
5464 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5465
5466 if (chan->max_tx && skb &&
5467 bt_cb(skb)->control.retries >= chan->max_tx) {
5468 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5469 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5470 return;
5471 }
5472
5473 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5474
5475 l2cap_pass_to_tx(chan, control);
5476
5477 if (control->final) {
5478 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5479 l2cap_retransmit_all(chan, control);
5480 } else {
5481 l2cap_retransmit_all(chan, control);
5482 l2cap_ertm_send(chan);
5483 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5484 set_bit(CONN_REJ_ACT, &chan->conn_state);
5485 }
d2a7ac5d
MM		 5486}
5487
4b51dae9
MM		 5488static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5489{
5490 BT_DBG("chan %p, txseq %d", chan, txseq);
5491
5492 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5493 chan->expected_tx_seq);
5494
5495 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5496 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5497 chan->tx_win) {
4b51dae9
MM		 5498 /* See notes below regarding "double poll" and
5499 * invalid packets.
5500 */
5501 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5502 BT_DBG("Invalid/Ignore - after SREJ");
5503 return L2CAP_TXSEQ_INVALID_IGNORE;
5504 } else {
5505 BT_DBG("Invalid - in window after SREJ sent");
5506 return L2CAP_TXSEQ_INVALID;
5507 }
5508 }
5509
5510 if (chan->srej_list.head == txseq) {
5511 BT_DBG("Expected SREJ");
5512 return L2CAP_TXSEQ_EXPECTED_SREJ;
5513 }
5514
5515 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5516 BT_DBG("Duplicate SREJ - txseq already stored");
5517 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5518 }
5519
5520 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5521 BT_DBG("Unexpected SREJ - not requested");
5522 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5523 }
5524 }
5525
5526 if (chan->expected_tx_seq == txseq) {
5527 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5528 chan->tx_win) {
5529 BT_DBG("Invalid - txseq outside tx window");
5530 return L2CAP_TXSEQ_INVALID;
5531 } else {
5532 BT_DBG("Expected");
5533 return L2CAP_TXSEQ_EXPECTED;
5534 }
5535 }
5536
5537 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5538 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5539 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5540 return L2CAP_TXSEQ_DUPLICATE;
5541 }
5542
5543 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5544 /* A source of invalid packets is a "double poll" condition,
5545 * where delays cause us to send multiple poll packets. If
5546 * the remote stack receives and processes both polls,
5547 * sequence numbers can wrap around in such a way that a
5548 * resent frame has a sequence number that looks like new data
5549 * with a sequence gap. This would trigger an erroneous SREJ
5550 * request.
5551 *
5552 * Fortunately, this is impossible with a tx window that's
5553 * less than half of the maximum sequence number, which allows
5554 * invalid frames to be safely ignored.
5555 *
5556 * With tx window sizes greater than half of the tx window
5557 * maximum, the frame is invalid and cannot be ignored. This
5558 * causes a disconnect.
5559 */
5560
5561 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5562 BT_DBG("Invalid/Ignore - txseq outside tx window");
5563 return L2CAP_TXSEQ_INVALID_IGNORE;
5564 } else {
5565 BT_DBG("Invalid - txseq outside tx window");
5566 return L2CAP_TXSEQ_INVALID;
5567 }
5568 } else {
5569 BT_DBG("Unexpected - txseq indicates missing frames");
5570 return L2CAP_TXSEQ_UNEXPECTED;
5571 }
5572}
5573
d2a7ac5d
MM		 5574static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5575 struct l2cap_ctrl *control,
5576 struct sk_buff *skb, u8 event)
5577{
5578 int err = 0;
5579 bool skb_in_use = 0;
5580
5581 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5582 event);
5583
5584 switch (event) {
5585 case L2CAP_EV_RECV_IFRAME:
5586 switch (l2cap_classify_txseq(chan, control->txseq)) {
5587 case L2CAP_TXSEQ_EXPECTED:
5588 l2cap_pass_to_tx(chan, control);
5589
5590 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5591 BT_DBG("Busy, discarding expected seq %d",
5592 control->txseq);
5593 break;
5594 }
5595
5596 chan->expected_tx_seq = __next_seq(chan,
5597 control->txseq);
5598
5599 chan->buffer_seq = chan->expected_tx_seq;
5600 skb_in_use = 1;
5601
5602 err = l2cap_reassemble_sdu(chan, skb, control);
5603 if (err)
5604 break;
5605
5606 if (control->final) {
5607 if (!test_and_clear_bit(CONN_REJ_ACT,
5608 &chan->conn_state)) {
5609 control->final = 0;
5610 l2cap_retransmit_all(chan, control);
5611 l2cap_ertm_send(chan);
5612 }
5613 }
5614
5615 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5616 l2cap_send_ack(chan);
5617 break;
5618 case L2CAP_TXSEQ_UNEXPECTED:
5619 l2cap_pass_to_tx(chan, control);
5620
5621 /* Can't issue SREJ frames in the local busy state.
5622 * Drop this frame, it will be seen as missing
5623 * when local busy is exited.
5624 */
5625 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5626 BT_DBG("Busy, discarding unexpected seq %d",
5627 control->txseq);
5628 break;
5629 }
5630
5631 /* There was a gap in the sequence, so an SREJ
5632 * must be sent for each missing frame. The
5633 * current frame is stored for later use.
5634 */
5635 skb_queue_tail(&chan->srej_q, skb);
5636 skb_in_use = 1;
5637 BT_DBG("Queued %p (queue len %d)", skb,
5638 skb_queue_len(&chan->srej_q));
5639
5640 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5641 l2cap_seq_list_clear(&chan->srej_list);
5642 l2cap_send_srej(chan, control->txseq);
5643
5644 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5645 break;
5646 case L2CAP_TXSEQ_DUPLICATE:
5647 l2cap_pass_to_tx(chan, control);
5648 break;
5649 case L2CAP_TXSEQ_INVALID_IGNORE:
5650 break;
5651 case L2CAP_TXSEQ_INVALID:
5652 default:
5653 l2cap_send_disconn_req(chan->conn, chan,
5654 ECONNRESET);
5655 break;
5656 }
5657 break;
5658 case L2CAP_EV_RECV_RR:
5659 l2cap_pass_to_tx(chan, control);
5660 if (control->final) {
5661 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5662
e6a3ee6e
MM		 5663 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5664 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5665 control->final = 0;
5666 l2cap_retransmit_all(chan, control);
5667 }
5668
5669 l2cap_ertm_send(chan);
5670 } else if (control->poll) {
5671 l2cap_send_i_or_rr_or_rnr(chan);
5672 } else {
5673 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5674 &chan->conn_state) &&
5675 chan->unacked_frames)
5676 __set_retrans_timer(chan);
5677
5678 l2cap_ertm_send(chan);
5679 }
5680 break;
5681 case L2CAP_EV_RECV_RNR:
5682 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5683 l2cap_pass_to_tx(chan, control);
5684 if (control && control->poll) {
5685 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5686 l2cap_send_rr_or_rnr(chan, 0);
5687 }
5688 __clear_retrans_timer(chan);
5689 l2cap_seq_list_clear(&chan->retrans_list);
5690 break;
5691 case L2CAP_EV_RECV_REJ:
5692 l2cap_handle_rej(chan, control);
5693 break;
5694 case L2CAP_EV_RECV_SREJ:
5695 l2cap_handle_srej(chan, control);
5696 break;
5697 default:
5698 break;
5699 }
5700
5701 if (skb && !skb_in_use) {
5702 BT_DBG("Freeing %p", skb);
5703 kfree_skb(skb);
5704 }
5705
5706 return err;
5707}
5708
5709static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5710 struct l2cap_ctrl *control,
5711 struct sk_buff *skb, u8 event)
5712{
5713 int err = 0;
5714 u16 txseq = control->txseq;
5715 bool skb_in_use = 0;
5716
5717 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5718 event);
5719
5720 switch (event) {
5721 case L2CAP_EV_RECV_IFRAME:
5722 switch (l2cap_classify_txseq(chan, txseq)) {
5723 case L2CAP_TXSEQ_EXPECTED:
5724 /* Keep frame for reassembly later */
5725 l2cap_pass_to_tx(chan, control);
5726 skb_queue_tail(&chan->srej_q, skb);
5727 skb_in_use = 1;
5728 BT_DBG("Queued %p (queue len %d)", skb,
5729 skb_queue_len(&chan->srej_q));
5730
5731 chan->expected_tx_seq = __next_seq(chan, txseq);
5732 break;
5733 case L2CAP_TXSEQ_EXPECTED_SREJ:
5734 l2cap_seq_list_pop(&chan->srej_list);
5735
5736 l2cap_pass_to_tx(chan, control);
5737 skb_queue_tail(&chan->srej_q, skb);
5738 skb_in_use = 1;
5739 BT_DBG("Queued %p (queue len %d)", skb,
5740 skb_queue_len(&chan->srej_q));
5741
5742 err = l2cap_rx_queued_iframes(chan);
5743 if (err)
5744 break;
5745
5746 break;
5747 case L2CAP_TXSEQ_UNEXPECTED:
5748 /* Got a frame that can't be reassembled yet.
5749 * Save it for later, and send SREJs to cover
5750 * the missing frames.
5751 */
5752 skb_queue_tail(&chan->srej_q, skb);
5753 skb_in_use = 1;
5754 BT_DBG("Queued %p (queue len %d)", skb,
5755 skb_queue_len(&chan->srej_q));
5756
5757 l2cap_pass_to_tx(chan, control);
5758 l2cap_send_srej(chan, control->txseq);
5759 break;
5760 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5761 /* This frame was requested with an SREJ, but
5762 * some expected retransmitted frames are
5763 * missing. Request retransmission of missing
5764 * SREJ'd frames.
5765 */
5766 skb_queue_tail(&chan->srej_q, skb);
5767 skb_in_use = 1;
5768 BT_DBG("Queued %p (queue len %d)", skb,
5769 skb_queue_len(&chan->srej_q));
5770
5771 l2cap_pass_to_tx(chan, control);
5772 l2cap_send_srej_list(chan, control->txseq);
5773 break;
5774 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5775 /* We've already queued this frame. Drop this copy. */
5776 l2cap_pass_to_tx(chan, control);
5777 break;
5778 case L2CAP_TXSEQ_DUPLICATE:
5779 /* Expecting a later sequence number, so this frame
5780 * was already received. Ignore it completely.
5781 */
5782 break;
5783 case L2CAP_TXSEQ_INVALID_IGNORE:
5784 break;
5785 case L2CAP_TXSEQ_INVALID:
5786 default:
5787 l2cap_send_disconn_req(chan->conn, chan,
5788 ECONNRESET);
5789 break;
5790 }
5791 break;
5792 case L2CAP_EV_RECV_RR:
5793 l2cap_pass_to_tx(chan, control);
5794 if (control->final) {
5795 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5796
5797 if (!test_and_clear_bit(CONN_REJ_ACT,
5798 &chan->conn_state)) {
5799 control->final = 0;
5800 l2cap_retransmit_all(chan, control);
5801 }
5802
5803 l2cap_ertm_send(chan);
5804 } else if (control->poll) {
5805 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5806 &chan->conn_state) &&
5807 chan->unacked_frames) {
5808 __set_retrans_timer(chan);
5809 }
5810
5811 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5812 l2cap_send_srej_tail(chan);
5813 } else {
5814 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5815 &chan->conn_state) &&
5816 chan->unacked_frames)
5817 __set_retrans_timer(chan);
5818
5819 l2cap_send_ack(chan);
5820 }
5821 break;
5822 case L2CAP_EV_RECV_RNR:
5823 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5824 l2cap_pass_to_tx(chan, control);
5825 if (control->poll) {
5826 l2cap_send_srej_tail(chan);
5827 } else {
5828 struct l2cap_ctrl rr_control;
5829 memset(&rr_control, 0, sizeof(rr_control));
5830 rr_control.sframe = 1;
5831 rr_control.super = L2CAP_SUPER_RR;
5832 rr_control.reqseq = chan->buffer_seq;
5833 l2cap_send_sframe(chan, &rr_control);
5834 }
5835
5836 break;
5837 case L2CAP_EV_RECV_REJ:
5838 l2cap_handle_rej(chan, control);
5839 break;
5840 case L2CAP_EV_RECV_SREJ:
5841 l2cap_handle_srej(chan, control);
5842 break;
5843 }
5844
5845 if (skb && !skb_in_use) {
5846 BT_DBG("Freeing %p", skb);
5847 kfree_skb(skb);
5848 }
5849
5850 return err;
5851}
5852
32b32735
MM		 5853static int l2cap_finish_move(struct l2cap_chan *chan)
5854{
5855 BT_DBG("chan %p", chan);
5856
5857 chan->rx_state = L2CAP_RX_STATE_RECV;
5858
5859 if (chan->hs_hcon)
5860 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5861 else
5862 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5863
5864 return l2cap_resegment(chan);
5865}
5866
5867static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5868 struct l2cap_ctrl *control,
5869 struct sk_buff *skb, u8 event)
5870{
5871 int err;
5872
5873 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5874 event);
5875
5876 if (!control->poll)
5877 return -EPROTO;
5878
5879 l2cap_process_reqseq(chan, control->reqseq);
5880
5881 if (!skb_queue_empty(&chan->tx_q))
5882 chan->tx_send_head = skb_peek(&chan->tx_q);
5883 else
5884 chan->tx_send_head = NULL;
5885
5886 /* Rewind next_tx_seq to the point expected
5887 * by the receiver.
5888 */
5889 chan->next_tx_seq = control->reqseq;
5890 chan->unacked_frames = 0;
5891
5892 err = l2cap_finish_move(chan);
5893 if (err)
5894 return err;
5895
5896 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5897 l2cap_send_i_or_rr_or_rnr(chan);
5898
5899 if (event == L2CAP_EV_RECV_IFRAME)
5900 return -EPROTO;
5901
5902 return l2cap_rx_state_recv(chan, control, NULL, event);
5903}
5904
5905static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5906 struct l2cap_ctrl *control,
5907 struct sk_buff *skb, u8 event)
5908{
5909 int err;
5910
5911 if (!control->final)
5912 return -EPROTO;
5913
5914 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5915
5916 chan->rx_state = L2CAP_RX_STATE_RECV;
5917 l2cap_process_reqseq(chan, control->reqseq);
5918
5919 if (!skb_queue_empty(&chan->tx_q))
5920 chan->tx_send_head = skb_peek(&chan->tx_q);
5921 else
5922 chan->tx_send_head = NULL;
5923
5924 /* Rewind next_tx_seq to the point expected
5925 * by the receiver.
5926 */
5927 chan->next_tx_seq = control->reqseq;
5928 chan->unacked_frames = 0;
5929
5930 if (chan->hs_hcon)
5931 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5932 else
5933 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5934
5935 err = l2cap_resegment(chan);
5936
5937 if (!err)
5938 err = l2cap_rx_state_recv(chan, control, skb, event);
5939
5940 return err;
5941}
5942
d2a7ac5d
MM		 5943static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5944{
5945 /* Make sure reqseq is for a packet that has been sent but not acked */
5946 u16 unacked;
5947
5948 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5949 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5950}
5951
cec8ab6e
MM		 5952static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5953 struct sk_buff *skb, u8 event)
218bb9df 5954{
d2a7ac5d
MM		 5955 int err = 0;
5956
5957 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5958 control, skb, event, chan->rx_state);
5959
5960 if (__valid_reqseq(chan, control->reqseq)) {
5961 switch (chan->rx_state) {
5962 case L2CAP_RX_STATE_RECV:
5963 err = l2cap_rx_state_recv(chan, control, skb, event);
5964 break;
5965 case L2CAP_RX_STATE_SREJ_SENT:
5966 err = l2cap_rx_state_srej_sent(chan, control, skb,
5967 event);
5968 break;
32b32735
MM		 5969 case L2CAP_RX_STATE_WAIT_P:
5970 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5971 break;
5972 case L2CAP_RX_STATE_WAIT_F:
5973 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5974 break;
d2a7ac5d
MM		 5975 default:
5976 /* shut it down */
5977 break;
5978 }
5979 } else {
5980 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5981 control->reqseq, chan->next_tx_seq,
5982 chan->expected_ack_seq);
5983 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5984 }
5985
5986 return err;
cec8ab6e
MM		 5987}
5988
5989static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5990 struct sk_buff *skb)
5991{
4b51dae9
MM		 5992 int err = 0;
5993
5994 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5995 chan->rx_state);
5996
5997 if (l2cap_classify_txseq(chan, control->txseq) ==
5998 L2CAP_TXSEQ_EXPECTED) {
5999 l2cap_pass_to_tx(chan, control);
6000
6001 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6002 __next_seq(chan, chan->buffer_seq));
6003
6004 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6005
6006 l2cap_reassemble_sdu(chan, skb, control);
6007 } else {
6008 if (chan->sdu) {
6009 kfree_skb(chan->sdu);
6010 chan->sdu = NULL;
6011 }
6012 chan->sdu_last_frag = NULL;
6013 chan->sdu_len = 0;
6014
6015 if (skb) {
6016 BT_DBG("Freeing %p", skb);
6017 kfree_skb(skb);
6018 }
6019 }
6020
6021 chan->last_acked_seq = control->txseq;
6022 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6023
6024 return err;
cec8ab6e
MM		 6025}
6026
6027static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6028{
6029 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6030 u16 len;
6031 u8 event;
218bb9df 6032
b76bbd66
MM		 6033 __unpack_control(chan, skb);
6034
218bb9df
GP		 6035 len = skb->len;
6036
6037 /*
6038 * We can just drop the corrupted I-frame here.
6039 * Receiver will miss it and start proper recovery
cec8ab6e 6040 * procedures and ask for retransmission.
218bb9df 6041 */
47d1ec61 6042 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6043 goto drop;
6044
cec8ab6e 6045 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6046 len -= L2CAP_SDULEN_SIZE;
218bb9df 6047
47d1ec61 6048 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6049 len -= L2CAP_FCS_SIZE;
218bb9df 6050
47d1ec61 6051 if (len > chan->mps) {
8c1d787b 6052 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 6053 goto drop;
6054 }
6055
cec8ab6e
MM		 6056 if (!control->sframe) {
6057 int err;
218bb9df 6058
cec8ab6e
MM		 6059 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6060 control->sar, control->reqseq, control->final,
6061 control->txseq);
218bb9df 6062
cec8ab6e
MM		 6063 /* Validate F-bit - F=0 always valid, F=1 only
6064 * valid in TX WAIT_F
6065 */
6066 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6067 goto drop;
cec8ab6e
MM		 6068
6069 if (chan->mode != L2CAP_MODE_STREAMING) {
6070 event = L2CAP_EV_RECV_IFRAME;
6071 err = l2cap_rx(chan, control, skb, event);
6072 } else {
6073 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6074 }
6075
cec8ab6e
MM		 6076 if (err)
6077 l2cap_send_disconn_req(chan->conn, chan,
6078 ECONNRESET);
218bb9df 6079 } else {
cec8ab6e
MM		 6080 const u8 rx_func_to_event[4] = {
6081 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6082 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6083 };
6084
6085 /* Only I-frames are expected in streaming mode */
6086 if (chan->mode == L2CAP_MODE_STREAMING)
6087 goto drop;
6088
6089 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6090 control->reqseq, control->final, control->poll,
6091 control->super);
6092
218bb9df
GP		 6093 if (len != 0) {
6094 BT_ERR("%d", len);
8c1d787b 6095 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 6096 goto drop;
6097 }
6098
cec8ab6e
MM		 6099 /* Validate F and P bits */
6100 if (control->final && (control->poll ||
6101 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6102 goto drop;
6103
6104 event = rx_func_to_event[control->super];
6105 if (l2cap_rx(chan, control, skb, event))
6106 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 6107 }
6108
6109 return 0;
6110
6111drop:
6112 kfree_skb(skb);
6113 return 0;
6114}
6115
13ca56e0
AE		 6116static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6117 struct sk_buff *skb)
1da177e4 6118{
48454079 6119 struct l2cap_chan *chan;
1da177e4 6120
baa7e1fa 6121 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6122 if (!chan) {
97e8e89d
AE		 6123 if (cid == L2CAP_CID_A2MP) {
6124 chan = a2mp_channel_create(conn, skb);
6125 if (!chan) {
6126 kfree_skb(skb);
13ca56e0 6127 return;
97e8e89d
AE		 6128 }
6129
6130 l2cap_chan_lock(chan);
6131 } else {
6132 BT_DBG("unknown cid 0x%4.4x", cid);
6133 /* Drop packet and return */
6134 kfree_skb(skb);
13ca56e0 6135 return;
97e8e89d 6136 }
1da177e4
LT		 6137 }
6138
49208c9c 6139 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6140
89bc500e 6141 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6142 goto drop;
6143
0c1bc5c6 6144 switch (chan->mode) {
1c2acffb
GP		 6145 case L2CAP_MODE_BASIC:
6146 /* If socket recv buffers overflows we drop data here
6147 * which is *bad* because L2CAP has to be reliable.
6148 * But we don't have any other choice. L2CAP doesn't
6149 * provide flow control mechanism. */
1da177e4 6150
0c1bc5c6 6151 if (chan->imtu < skb->len)
1c2acffb 6152 goto drop;
1da177e4 6153
80b98027 6154 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6155 goto done;
6156 break;
6157
6158 case L2CAP_MODE_ERTM:
6840ed07 6159 case L2CAP_MODE_STREAMING:
cec8ab6e 6160 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6161 goto done;
6162
1c2acffb 6163 default:
0c1bc5c6 6164 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6165 break;
6166 }
1da177e4
LT		 6167
6168drop:
6169 kfree_skb(skb);
6170
6171done:
6be36555 6172 l2cap_chan_unlock(chan);
1da177e4
LT		 6173}
6174
84104b24
AE		 6175static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6176 struct sk_buff *skb)
1da177e4 6177{
23691d75 6178 struct l2cap_chan *chan;
1da177e4 6179
c2287681 6180 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6181 if (!chan)
1da177e4
LT		 6182 goto drop;
6183
5b4cedaa 6184 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6185
89bc500e 6186 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6187 goto drop;
6188
e13e21dc 6189 if (chan->imtu < skb->len)
1da177e4
LT		 6190 goto drop;
6191
80b98027 6192 if (!chan->ops->recv(chan, skb))
84104b24 6193 return;
1da177e4
LT		 6194
6195drop:
6196 kfree_skb(skb);
1da177e4
LT		 6197}
6198
6810fca7
AE		 6199static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
6200 struct sk_buff *skb)
9f69bda6 6201{
23691d75 6202 struct l2cap_chan *chan;
9f69bda6 6203
c2287681 6204 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 6205 if (!chan)
9f69bda6
GP		 6206 goto drop;
6207
5b4cedaa 6208 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6209
89bc500e 6210 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6211 goto drop;
6212
e13e21dc 6213 if (chan->imtu < skb->len)
9f69bda6
GP		 6214 goto drop;
6215
80b98027 6216 if (!chan->ops->recv(chan, skb))
6810fca7 6217 return;
9f69bda6
GP		 6218
6219drop:
6220 kfree_skb(skb);
9f69bda6
GP		 6221}
6222
1da177e4
LT		 6223static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6224{
6225 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6226 u16 cid, len;
6227 __le16 psm;
1da177e4
LT		 6228
6229 skb_pull(skb, L2CAP_HDR_SIZE);
6230 cid = __le16_to_cpu(lh->cid);
6231 len = __le16_to_cpu(lh->len);
6232
1c2acffb
GP		 6233 if (len != skb->len) {
6234 kfree_skb(skb);
6235 return;
6236 }
6237
1da177e4
LT		 6238 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6239
6240 switch (cid) {
3300d9a9 6241 case L2CAP_CID_LE_SIGNALING:
8db4dc46 6242 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6243 l2cap_sig_channel(conn, skb);
6244 break;
6245
8db4dc46 6246 case L2CAP_CID_CONN_LESS:
097db76c 6247 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6248 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6249 l2cap_conless_channel(conn, psm, skb);
6250 break;
6251
9f69bda6
GP		 6252 case L2CAP_CID_LE_DATA:
6253 l2cap_att_channel(conn, cid, skb);
6254 break;
6255
b501d6a1
AB		 6256 case L2CAP_CID_SMP:
6257 if (smp_sig_channel(conn, skb))
6258 l2cap_conn_del(conn->hcon, EACCES);
6259 break;
6260
1da177e4
LT		 6261 default:
6262 l2cap_data_channel(conn, cid, skb);
6263 break;
6264 }
6265}
6266
6267/* ---- L2CAP interface with lower layer (HCI) ---- */
6268
686ebf28 6269int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6270{
6271 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6272 struct l2cap_chan *c;
1da177e4 6273
6ed93dc6 6274 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6275
6276 /* Find listening sockets and check their link_mode */
23691d75
GP		 6277 read_lock(&chan_list_lock);
6278 list_for_each_entry(c, &chan_list, global_l) {
6279 struct sock *sk = c->sk;
4343478f 6280
89bc500e 6281 if (c->state != BT_LISTEN)
1da177e4
LT		 6282 continue;
6283
6284 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6285 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6286 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6287 lm1 |= HCI_LM_MASTER;
1da177e4 6288 exact++;
2af6b9d5
MH		 6289 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6290 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6291 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6292 lm2 |= HCI_LM_MASTER;
6293 }
1da177e4 6294 }
23691d75 6295 read_unlock(&chan_list_lock);
1da177e4
LT		 6296
6297 return exact ? lm1 : lm2;
6298}
6299
9e664631 6300void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6301{
0139418c
MH		 6302 struct l2cap_conn *conn;
6303
6ed93dc6 6304 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6305
1da177e4 6306 if (!status) {
1da177e4
LT		 6307 conn = l2cap_conn_add(hcon, status);
6308 if (conn)
6309 l2cap_conn_ready(conn);
ba6fc317 6310 } else {
e175072f 6311 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6312 }
1da177e4
LT		 6313}
6314
686ebf28 6315int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6316{
6317 struct l2cap_conn *conn = hcon->l2cap_data;
6318
6319 BT_DBG("hcon %p", hcon);
6320
686ebf28 6321 if (!conn)
9f5a0d7b 6322 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6323 return conn->disc_reason;
6324}
6325
9e664631 6326void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6327{
6328 BT_DBG("hcon %p reason %d", hcon, reason);
6329
e175072f 6330 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6331}
6332
4343478f 6333static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6334{
715ec005 6335 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6336 return;
6337
f62e4323 6338 if (encrypt == 0x00) {
4343478f 6339 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6340 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6341 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6342 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6343 } else {
4343478f 6344 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6345 __clear_chan_timer(chan);
f62e4323
MH		 6346 }
6347}
6348
686ebf28 6349int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6350{
0139418c 6351 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6352 struct l2cap_chan *chan;
1da177e4 6353
0139418c 6354 if (!conn)
1da177e4 6355 return 0;
0139418c 6356
89d8b407 6357 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6358
160dc6ac 6359 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6360 if (!status && encrypt)
6361 smp_distribute_keys(conn, 0);
17cd3f37 6362 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6363 }
6364
3df91ea2 6365 mutex_lock(&conn->chan_lock);
1da177e4 6366
3df91ea2 6367 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6368 l2cap_chan_lock(chan);
1da177e4 6369
89d8b407
AE		 6370 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6371 state_to_string(chan->state));
f1cb9af5 6372
78eb2f98
AE		 6373 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6374 l2cap_chan_unlock(chan);
6375 continue;
6376 }
6377
f1cb9af5
VCG		 6378 if (chan->scid == L2CAP_CID_LE_DATA) {
6379 if (!status && encrypt) {
6380 chan->sec_level = hcon->sec_level;
cf4cd009 6381 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6382 }
6383
6be36555 6384 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6385 continue;
6386 }
6387
96eff46e 6388 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6389 l2cap_chan_unlock(chan);
6a8d3010
MH		 6390 continue;
6391 }
6392
89bc500e 6393 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6394 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6395 struct sock *sk = chan->sk;
6396
c5daa683 6397 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6398 sk->sk_state_change(sk);
6399
4343478f 6400 l2cap_check_encryption(chan, encrypt);
6be36555 6401 l2cap_chan_unlock(chan);
9719f8af
MH		 6402 continue;
6403 }
6404
89bc500e 6405 if (chan->state == BT_CONNECT) {
b1235d79 6406 if (!status) {
93c3e8f5 6407 l2cap_start_connection(chan);
b1235d79 6408 } else {
ba13ccd9 6409 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6410 }
89bc500e 6411 } else if (chan->state == BT_CONNECT2) {
6be36555 6412 struct sock *sk = chan->sk;
b1235d79 6413 struct l2cap_conn_rsp rsp;
df3c3931 6414 __u16 res, stat;
1da177e4 6415
6be36555
AE		 6416 lock_sock(sk);
6417
b1235d79 6418 if (!status) {
c5daa683
GP		 6419 if (test_bit(BT_SK_DEFER_SETUP,
6420 &bt_sk(sk)->flags)) {
df3c3931
JH		 6421 res = L2CAP_CR_PEND;
6422 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6423 chan->ops->defer(chan);
df3c3931 6424 } else {
0e587be7 6425 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6426 res = L2CAP_CR_SUCCESS;
6427 stat = L2CAP_CS_NO_INFO;
6428 }
b1235d79 6429 } else {
0e587be7 6430 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6431 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6432 res = L2CAP_CR_SEC_BLOCK;
6433 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6434 }
6435
6be36555
AE		 6436 release_sock(sk);
6437
fe4128e0
GP		 6438 rsp.scid = cpu_to_le16(chan->dcid);
6439 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6440 rsp.result = cpu_to_le16(res);
6441 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6442 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6443 sizeof(rsp), &rsp);
2d369359
MM		 6444
6445 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6446 res == L2CAP_CR_SUCCESS) {
6447 char buf[128];
6448 set_bit(CONF_REQ_SENT, &chan->conf_state);
6449 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6450 L2CAP_CONF_REQ,
6451 l2cap_build_conf_req(chan, buf),
6452 buf);
6453 chan->num_conf_req++;
6454 }
b1235d79 6455 }
1da177e4 6456
6be36555 6457 l2cap_chan_unlock(chan);
1da177e4
LT		 6458 }
6459
3df91ea2 6460 mutex_unlock(&conn->chan_lock);
b1235d79 6461
1da177e4
LT		 6462 return 0;
6463}
6464
686ebf28 6465int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6466{
6467 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6468 struct l2cap_hdr *hdr;
6469 int len;
1da177e4 6470
1d13a254
AE		 6471 /* For AMP controller do not create l2cap conn */
6472 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6473 goto drop;
1da177e4 6474
5a08ecce
AE		 6475 if (!conn)
6476 conn = l2cap_conn_add(hcon, 0);
6477
6478 if (!conn)
1da177e4
LT		 6479 goto drop;
6480
6481 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6482
d73a0988
AE		 6483 switch (flags) {
6484 case ACL_START:
6485 case ACL_START_NO_FLUSH:
6486 case ACL_COMPLETE:
1da177e4
LT		 6487 if (conn->rx_len) {
6488 BT_ERR("Unexpected start frame (len %d)", skb->len);
6489 kfree_skb(conn->rx_skb);
6490 conn->rx_skb = NULL;
6491 conn->rx_len = 0;
6492 l2cap_conn_unreliable(conn, ECOMM);
6493 }
6494
aae7fe22
AE		 6495 /* Start fragment always begin with Basic L2CAP header */
6496 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6497 BT_ERR("Frame is too short (len %d)", skb->len);
6498 l2cap_conn_unreliable(conn, ECOMM);
6499 goto drop;
6500 }
6501
6502 hdr = (struct l2cap_hdr *) skb->data;
6503 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6504
6505 if (len == skb->len) {
6506 /* Complete frame received */
6507 l2cap_recv_frame(conn, skb);
6508 return 0;
6509 }
6510
6511 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6512
6513 if (skb->len > len) {
6514 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6515 skb->len, len);
1da177e4
LT		 6516 l2cap_conn_unreliable(conn, ECOMM);
6517 goto drop;
6518 }
6519
6520 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6521 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6522 if (!conn->rx_skb)
1da177e4
LT		 6523 goto drop;
6524
d626f62b 6525 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6526 skb->len);
1da177e4 6527 conn->rx_len = len - skb->len;
d73a0988
AE		 6528 break;
6529
6530 case ACL_CONT:
1da177e4
LT		 6531 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6532
6533 if (!conn->rx_len) {
6534 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6535 l2cap_conn_unreliable(conn, ECOMM);
6536 goto drop;
6537 }
6538
6539 if (skb->len > conn->rx_len) {
6540 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6541 skb->len, conn->rx_len);
1da177e4
LT		 6542 kfree_skb(conn->rx_skb);
6543 conn->rx_skb = NULL;
6544 conn->rx_len = 0;
6545 l2cap_conn_unreliable(conn, ECOMM);
6546 goto drop;
6547 }
6548
d626f62b 6549 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6550 skb->len);
1da177e4
LT		 6551 conn->rx_len -= skb->len;
6552
6553 if (!conn->rx_len) {
6554 /* Complete frame received */
6555 l2cap_recv_frame(conn, conn->rx_skb);
6556 conn->rx_skb = NULL;
6557 }
d73a0988 6558 break;
1da177e4
LT		 6559 }
6560
6561drop:
6562 kfree_skb(skb);
6563 return 0;
6564}
6565
aef7d97c 6566static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6567{
23691d75 6568 struct l2cap_chan *c;
1da177e4 6569
333055f2 6570 read_lock(&chan_list_lock);
1da177e4 6571
23691d75
GP		 6572 list_for_each_entry(c, &chan_list, global_l) {
6573 struct sock *sk = c->sk;
101545f6 6574
fcb73338
AE		 6575 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6576 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6577 c->state, __le16_to_cpu(c->psm),
6578 c->scid, c->dcid, c->imtu, c->omtu,
6579 c->sec_level, c->mode);
61e1b4b7 6580 }
1da177e4 6581
333055f2 6582 read_unlock(&chan_list_lock);
1da177e4 6583
aef7d97c 6584 return 0;
1da177e4
LT		 6585}
6586
aef7d97c
MH		 6587static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6588{
6589 return single_open(file, l2cap_debugfs_show, inode->i_private);
6590}
6591
6592static const struct file_operations l2cap_debugfs_fops = {
6593 .open = l2cap_debugfs_open,
6594 .read = seq_read,
6595 .llseek = seq_lseek,
6596 .release = single_release,
6597};
6598
6599static struct dentry *l2cap_debugfs;
1da177e4 6600
64274518 6601int __init l2cap_init(void)
1da177e4
LT		 6602{
6603 int err;
be9d1227 6604
bb58f747 6605 err = l2cap_init_sockets();
1da177e4
LT		 6606 if (err < 0)
6607 return err;
6608
aef7d97c 6609 if (bt_debugfs) {
2d792818
GP		 6610 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6611 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6612 if (!l2cap_debugfs)
6613 BT_ERR("Failed to create L2CAP debug file");
6614 }
1da177e4 6615
1da177e4 6616 return 0;
1da177e4
LT		 6617}
6618
64274518 6619void l2cap_exit(void)
1da177e4 6620{
aef7d97c 6621 debugfs_remove(l2cap_debugfs);
bb58f747 6622 l2cap_cleanup_sockets();
1da177e4
LT		 6623}
6624
d1c4a17d
GP		 6625module_param(disable_ertm, bool, 0644);
6626MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)