projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: l2cap: introduce l2cap_conn ref-counting
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 56static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 507 chan->scid = L2CAP_CID_LE_DATA;
508 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 509 } else {
510 /* Alloc CID for connection-oriented socket */
fe4128e0 511 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 512 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 513 }
5491120e
AE		 514 break;
515
516 case L2CAP_CHAN_CONN_LESS:
0139418c 517 /* Connectionless socket */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_CONN_LESS;
519 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 521 break;
522
416fa752
AE		 523 case L2CAP_CHAN_CONN_FIX_A2MP:
524 chan->scid = L2CAP_CID_A2MP;
525 chan->dcid = L2CAP_CID_A2MP;
526 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
527 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
528 break;
529
5491120e 530 default:
0139418c 531 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 532 chan->scid = L2CAP_CID_SIGNALING;
533 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 534 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 535 }
536
8f7975b1
AE		 537 chan->local_id = L2CAP_BESTEFFORT_ID;
538 chan->local_stype = L2CAP_SERV_BESTEFFORT;
539 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
540 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
541 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 542 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 543
371fd835 544 l2cap_chan_hold(chan);
baa7e1fa 545
3df91ea2 546 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 547}
548
466f8004 549void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 550{
551 mutex_lock(&conn->chan_lock);
552 __l2cap_chan_add(conn, chan);
3df91ea2 553 mutex_unlock(&conn->chan_lock);
0139418c
MH		 554}
555
466f8004 556void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 557{
8c1d787b 558 struct l2cap_conn *conn = chan->conn;
0139418c 559
c9b66675 560 __clear_chan_timer(chan);
0139418c 561
49208c9c 562 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 563
8e87d142 564 if (conn) {
56f60984 565 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 566 /* Delete from channel list */
3df91ea2 567 list_del(&chan->list);
3d57dc68 568
371fd835 569 l2cap_chan_put(chan);
baa7e1fa 570
8c1d787b 571 chan->conn = NULL;
3cabbfda
AE		 572
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
76a68ba0 574 hci_conn_drop(conn->hcon);
56f60984
AE		 575
576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL;
0139418c
MH		 578 }
579
419e08c1
AE		 580 if (chan->hs_hchan) {
581 struct hci_chan *hs_hchan = chan->hs_hchan;
582
583 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
584 amp_disconnect_logical_link(hs_hchan);
585 }
586
b699ec0d 587 chan->ops->teardown(chan, err);
6be36555 588
2827011f 589 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 590 return;
2ead70b8 591
ee556f66
GP		 592 switch(chan->mode) {
593 case L2CAP_MODE_BASIC:
594 break;
c13ffa62 595
ee556f66 596 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 597 __clear_retrans_timer(chan);
598 __clear_monitor_timer(chan);
599 __clear_ack_timer(chan);
c13ffa62 600
f1c6775b 601 skb_queue_purge(&chan->srej_q);
c13ffa62 602
3c588192
MM		 603 l2cap_seq_list_free(&chan->srej_list);
604 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 605
606 /* fall through */
607
608 case L2CAP_MODE_STREAMING:
609 skb_queue_purge(&chan->tx_q);
610 break;
c13ffa62 611 }
ee556f66
GP		 612
613 return;
0139418c
MH		 614}
615
0f852724 616void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 617{
618 struct l2cap_conn *conn = chan->conn;
619 struct sock *sk = chan->sk;
620
2d792818
GP		 621 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
622 sk);
4519de9a 623
89bc500e 624 switch (chan->state) {
4519de9a 625 case BT_LISTEN:
b699ec0d 626 chan->ops->teardown(chan, 0);
4519de9a
GP		 627 break;
628
629 case BT_CONNECTED:
630 case BT_CONFIG:
715ec005 631 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 632 conn->hcon->type == ACL_LINK) {
c9b66675 633 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 634 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 635 } else
636 l2cap_chan_del(chan, reason);
637 break;
638
639 case BT_CONNECT2:
715ec005 640 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 641 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 642 struct l2cap_conn_rsp rsp;
643 __u16 result;
644
c5daa683 645 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 646 result = L2CAP_CR_SEC_BLOCK;
647 else
648 result = L2CAP_CR_BAD_PSM;
89bc500e 649 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 650
651 rsp.scid = cpu_to_le16(chan->dcid);
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.result = cpu_to_le16(result);
ac73498c 654 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 655 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 656 sizeof(rsp), &rsp);
4519de9a
GP		 657 }
658
659 l2cap_chan_del(chan, reason);
660 break;
661
662 case BT_CONNECT:
663 case BT_DISCONN:
664 l2cap_chan_del(chan, reason);
665 break;
666
667 default:
b699ec0d 668 chan->ops->teardown(chan, 0);
4519de9a
GP		 669 break;
670 }
671}
672
4343478f 673static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 674{
715ec005 675 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 676 switch (chan->sec_level) {
8556edd3
JH		 677 case BT_SECURITY_HIGH:
678 return HCI_AT_DEDICATED_BONDING_MITM;
679 case BT_SECURITY_MEDIUM:
680 return HCI_AT_DEDICATED_BONDING;
681 default:
682 return HCI_AT_NO_BONDING;
683 }
2983fd68 684 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 685 if (chan->sec_level == BT_SECURITY_LOW)
686 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 687
4343478f 688 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 689 return HCI_AT_NO_BONDING_MITM;
00ae4af9 690 else
8556edd3 691 return HCI_AT_NO_BONDING;
00ae4af9 692 } else {
4343478f 693 switch (chan->sec_level) {
00ae4af9 694 case BT_SECURITY_HIGH:
8556edd3 695 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 696 case BT_SECURITY_MEDIUM:
8556edd3 697 return HCI_AT_GENERAL_BONDING;
00ae4af9 698 default:
8556edd3 699 return HCI_AT_NO_BONDING;
00ae4af9 700 }
0684e5f9 701 }
8556edd3
JH		 702}
703
704/* Service level security */
d45fc423 705int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 706{
8c1d787b 707 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 708 __u8 auth_type;
709
4343478f 710 auth_type = l2cap_get_auth_type(chan);
79d554a6 711
4343478f 712 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 713}
714
b5ad8b7f 715static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 716{
717 u8 id;
718
719 /* Get next available identificator.
720 * 1 - 128 are used by kernel.
721 * 129 - 199 are reserved.
722 * 200 - 254 are used by utilities like l2ping, etc.
723 */
724
333055f2 725 spin_lock(&conn->lock);
4e8402a3
MH		 726
727 if (++conn->tx_ident > 128)
728 conn->tx_ident = 1;
729
730 id = conn->tx_ident;
731
333055f2 732 spin_unlock(&conn->lock);
4e8402a3
MH		 733
734 return id;
735}
736
2d792818
GP		 737static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
738 void *data)
4e8402a3
MH		 739{
740 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 741 u8 flags;
4e8402a3
MH		 742
743 BT_DBG("code 0x%2.2x", code);
744
745 if (!skb)
9a9c6a34 746 return;
4e8402a3 747
e702112f
AE		 748 if (lmp_no_flush_capable(conn->hcon->hdev))
749 flags = ACL_START_NO_FLUSH;
750 else
751 flags = ACL_START;
752
14b12d0b 753 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 754 skb->priority = HCI_PRIO_MAX;
14b12d0b 755
73d80deb
LAD		 756 hci_send_acl(conn->hchan, skb, flags);
757}
758
02b0fbb9
MM		 759static bool __chan_is_moving(struct l2cap_chan *chan)
760{
761 return chan->move_state != L2CAP_MOVE_STABLE &&
762 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
763}
764
73d80deb
LAD		 765static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
766{
767 struct hci_conn *hcon = chan->conn->hcon;
768 u16 flags;
769
770 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 771 skb->priority);
73d80deb 772
d5f8a75d
MM		 773 if (chan->hs_hcon && !__chan_is_moving(chan)) {
774 if (chan->hs_hchan)
775 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
776 else
777 kfree_skb(skb);
778
779 return;
780 }
781
73d80deb 782 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 783 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 784 flags = ACL_START_NO_FLUSH;
785 else
786 flags = ACL_START;
14b12d0b 787
73d80deb
LAD		 788 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
789 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 790}
791
b76bbd66
MM		 792static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
793{
794 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
795 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
796
797 if (enh & L2CAP_CTRL_FRAME_TYPE) {
798 /* S-Frame */
799 control->sframe = 1;
800 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
801 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
802
803 control->sar = 0;
804 control->txseq = 0;
805 } else {
806 /* I-Frame */
807 control->sframe = 0;
808 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
809 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
810
811 control->poll = 0;
812 control->super = 0;
813 }
814}
815
b76bbd66
MM		 816static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
817{
818 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
819 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
820
821 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
822 /* S-Frame */
823 control->sframe = 1;
824 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
825 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
826
827 control->sar = 0;
828 control->txseq = 0;
829 } else {
830 /* I-Frame */
831 control->sframe = 0;
832 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
833 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
834
835 control->poll = 0;
836 control->super = 0;
837 }
838}
839
840static inline void __unpack_control(struct l2cap_chan *chan,
841 struct sk_buff *skb)
842{
843 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
844 __unpack_extended_control(get_unaligned_le32(skb->data),
845 &bt_cb(skb)->control);
cec8ab6e 846 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 847 } else {
848 __unpack_enhanced_control(get_unaligned_le16(skb->data),
849 &bt_cb(skb)->control);
cec8ab6e 850 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 851 }
852}
853
b5c6aaed
MM		 854static u32 __pack_extended_control(struct l2cap_ctrl *control)
855{
856 u32 packed;
857
858 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
859 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
860
861 if (control->sframe) {
862 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
863 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
864 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
865 } else {
866 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
867 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
868 }
869
870 return packed;
871}
872
873static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
874{
875 u16 packed;
876
877 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
878 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
879
880 if (control->sframe) {
881 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
882 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
883 packed |= L2CAP_CTRL_FRAME_TYPE;
884 } else {
885 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
886 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
887 }
888
889 return packed;
890}
891
b76bbd66
MM		 892static inline void __pack_control(struct l2cap_chan *chan,
893 struct l2cap_ctrl *control,
894 struct sk_buff *skb)
895{
896 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
897 put_unaligned_le32(__pack_extended_control(control),
898 skb->data + L2CAP_HDR_SIZE);
899 } else {
900 put_unaligned_le16(__pack_enhanced_control(control),
901 skb->data + L2CAP_HDR_SIZE);
902 }
903}
904
ba7aa64f
GP		 905static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
906{
907 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
908 return L2CAP_EXT_HDR_SIZE;
909 else
910 return L2CAP_ENH_HDR_SIZE;
911}
912
a67d7f6f
MM		 913static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
914 u32 control)
b5c6aaed
MM		 915{
916 struct sk_buff *skb;
917 struct l2cap_hdr *lh;
ba7aa64f 918 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 919
920 if (chan->fcs == L2CAP_FCS_CRC16)
921 hlen += L2CAP_FCS_SIZE;
922
a67d7f6f 923 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 924
b5c6aaed 925 if (!skb)
a67d7f6f 926 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 927
928 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
929 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
930 lh->cid = cpu_to_le16(chan->dcid);
931
a67d7f6f
MM		 932 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
933 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
934 else
935 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 936
937 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 938 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 939 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
940 }
941
942 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 943 return skb;
944}
945
946static void l2cap_send_sframe(struct l2cap_chan *chan,
947 struct l2cap_ctrl *control)
948{
949 struct sk_buff *skb;
950 u32 control_field;
951
952 BT_DBG("chan %p, control %p", chan, control);
953
954 if (!control->sframe)
955 return;
956
b99e13ad
MM		 957 if (__chan_is_moving(chan))
958 return;
959
a67d7f6f
MM		 960 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
961 !control->poll)
962 control->final = 1;
963
964 if (control->super == L2CAP_SUPER_RR)
965 clear_bit(CONN_RNR_SENT, &chan->conn_state);
966 else if (control->super == L2CAP_SUPER_RNR)
967 set_bit(CONN_RNR_SENT, &chan->conn_state);
968
969 if (control->super != L2CAP_SUPER_SREJ) {
970 chan->last_acked_seq = control->reqseq;
971 __clear_ack_timer(chan);
972 }
973
974 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
975 control->final, control->poll, control->super);
976
977 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
978 control_field = __pack_extended_control(control);
979 else
980 control_field = __pack_enhanced_control(control);
981
982 skb = l2cap_create_sframe_pdu(chan, control_field);
983 if (!IS_ERR(skb))
984 l2cap_do_send(chan, skb);
b5c6aaed
MM		 985}
986
c9e3d5e0 987static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 988{
c9e3d5e0
MM		 989 struct l2cap_ctrl control;
990
991 BT_DBG("chan %p, poll %d", chan, poll);
992
993 memset(&control, 0, sizeof(control));
994 control.sframe = 1;
995 control.poll = poll;
996
997 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
998 control.super = L2CAP_SUPER_RNR;
999 else
1000 control.super = L2CAP_SUPER_RR;
b5c6aaed 1001
c9e3d5e0
MM		 1002 control.reqseq = chan->buffer_seq;
1003 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1004}
1005
b4450035 1006static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1007{
c1360a1c 1008 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1009}
1010
93c3e8f5
AE		 1011static bool __amp_capable(struct l2cap_chan *chan)
1012{
1013 struct l2cap_conn *conn = chan->conn;
1014
1015 if (enable_hs &&
5d05416e 1016 hci_amp_capable() &&
93c3e8f5
AE		 1017 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1018 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1019 return true;
1020 else
1021 return false;
1022}
1023
5ce66b59
AE		 1024static bool l2cap_check_efs(struct l2cap_chan *chan)
1025{
1026 /* Check EFS parameters */
1027 return true;
1028}
1029
2766be48 1030void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1031{
1032 struct l2cap_conn *conn = chan->conn;
1033 struct l2cap_conn_req req;
1034
1035 req.scid = cpu_to_le16(chan->scid);
1036 req.psm = chan->psm;
1037
1038 chan->ident = l2cap_get_ident(conn);
1039
1040 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1041
1042 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1043}
1044
8eb200bd
MM		 1045static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1046{
1047 struct l2cap_create_chan_req req;
1048 req.scid = cpu_to_le16(chan->scid);
1049 req.psm = chan->psm;
1050 req.amp_id = amp_id;
1051
1052 chan->ident = l2cap_get_ident(chan->conn);
1053
1054 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1055 sizeof(req), &req);
1056}
1057
02b0fbb9
MM		 1058static void l2cap_move_setup(struct l2cap_chan *chan)
1059{
1060 struct sk_buff *skb;
1061
1062 BT_DBG("chan %p", chan);
1063
1064 if (chan->mode != L2CAP_MODE_ERTM)
1065 return;
1066
1067 __clear_retrans_timer(chan);
1068 __clear_monitor_timer(chan);
1069 __clear_ack_timer(chan);
1070
1071 chan->retry_count = 0;
1072 skb_queue_walk(&chan->tx_q, skb) {
1073 if (bt_cb(skb)->control.retries)
1074 bt_cb(skb)->control.retries = 1;
1075 else
1076 break;
1077 }
1078
1079 chan->expected_tx_seq = chan->buffer_seq;
1080
1081 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1082 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1083 l2cap_seq_list_clear(&chan->retrans_list);
1084 l2cap_seq_list_clear(&chan->srej_list);
1085 skb_queue_purge(&chan->srej_q);
1086
1087 chan->tx_state = L2CAP_TX_STATE_XMIT;
1088 chan->rx_state = L2CAP_RX_STATE_MOVE;
1089
1090 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1091}
1092
5f3847a4
MM		 1093static void l2cap_move_done(struct l2cap_chan *chan)
1094{
1095 u8 move_role = chan->move_role;
1096 BT_DBG("chan %p", chan);
1097
1098 chan->move_state = L2CAP_MOVE_STABLE;
1099 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1100
1101 if (chan->mode != L2CAP_MODE_ERTM)
1102 return;
1103
1104 switch (move_role) {
1105 case L2CAP_MOVE_ROLE_INITIATOR:
1106 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1107 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1108 break;
1109 case L2CAP_MOVE_ROLE_RESPONDER:
1110 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1111 break;
1112 }
1113}
1114
9f0caeb1
VCG		 1115static void l2cap_chan_ready(struct l2cap_chan *chan)
1116{
2827011f 1117 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1118 chan->conf_state = 0;
1119 __clear_chan_timer(chan);
1120
54a59aa2 1121 chan->state = BT_CONNECTED;
9f0caeb1 1122
fd83e2c2 1123 chan->ops->ready(chan);
9f0caeb1
VCG		 1124}
1125
93c3e8f5
AE		 1126static void l2cap_start_connection(struct l2cap_chan *chan)
1127{
1128 if (__amp_capable(chan)) {
1129 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1130 a2mp_discover_amp(chan);
1131 } else {
1132 l2cap_send_conn_req(chan);
1133 }
1134}
1135
fc7f8a7e 1136static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1137{
8c1d787b 1138 struct l2cap_conn *conn = chan->conn;
79d554a6 1139
9f0caeb1
VCG		 1140 if (conn->hcon->type == LE_LINK) {
1141 l2cap_chan_ready(chan);
1142 return;
1143 }
1144
79d554a6 1145 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1146 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1147 return;
1148
d45fc423 1149 if (l2cap_chan_check_security(chan) &&
2d792818 1150 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1151 l2cap_start_connection(chan);
1152 }
79d554a6
MH		 1153 } else {
1154 struct l2cap_info_req req;
ac73498c 1155 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1156
1157 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1158 conn->info_ident = l2cap_get_ident(conn);
1159
ba13ccd9 1160 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1161
2d792818
GP		 1162 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1163 sizeof(req), &req);
79d554a6
MH		 1164 }
1165}
1166
cf6c2c0b
GP		 1167static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1168{
1169 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1170 if (!disable_ertm)
cf6c2c0b
GP		 1171 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1172
1173 switch (mode) {
1174 case L2CAP_MODE_ERTM:
1175 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1176 case L2CAP_MODE_STREAMING:
1177 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1178 default:
1179 return 0x00;
1180 }
1181}
1182
5e4e3972 1183static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1184{
6be36555 1185 struct sock *sk = chan->sk;
5e4e3972 1186 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1187 struct l2cap_disconn_req req;
1188
c13ffa62
GP		 1189 if (!conn)
1190 return;
1191
aad3d0e3 1192 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1193 __clear_retrans_timer(chan);
1194 __clear_monitor_timer(chan);
1195 __clear_ack_timer(chan);
c13ffa62
GP		 1196 }
1197
416fa752 1198 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1199 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1200 return;
1201 }
1202
fe4128e0
GP		 1203 req.dcid = cpu_to_le16(chan->dcid);
1204 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1205 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1206 sizeof(req), &req);
c13ffa62 1207
6be36555 1208 lock_sock(sk);
0e587be7 1209 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1210 __l2cap_chan_set_err(chan, err);
6be36555 1211 release_sock(sk);
22121fc9
GP		 1212}
1213
1da177e4 1214/* ---- L2CAP connections ---- */
4e8402a3
MH		 1215static void l2cap_conn_start(struct l2cap_conn *conn)
1216{
3df91ea2 1217 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1218
1219 BT_DBG("conn %p", conn);
1220
3df91ea2 1221 mutex_lock(&conn->chan_lock);
4e8402a3 1222
3df91ea2 1223 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1224 struct sock *sk = chan->sk;
baa7e1fa 1225
6be36555 1226 l2cap_chan_lock(chan);
4e8402a3 1227
715ec005 1228 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1229 l2cap_chan_unlock(chan);
79d554a6
MH		 1230 continue;
1231 }
1232
89bc500e 1233 if (chan->state == BT_CONNECT) {
d45fc423 1234 if (!l2cap_chan_check_security(chan) ||
2d792818 1235 !__l2cap_no_conn_pending(chan)) {
6be36555 1236 l2cap_chan_unlock(chan);
47731de7
GP		 1237 continue;
1238 }
79d554a6 1239
c1360a1c 1240 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1241 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1242 &chan->conf_state)) {
89bc500e 1243 l2cap_chan_close(chan, ECONNRESET);
6be36555 1244 l2cap_chan_unlock(chan);
47731de7 1245 continue;
b1235d79 1246 }
47731de7 1247
93c3e8f5 1248 l2cap_start_connection(chan);
47731de7 1249
89bc500e 1250 } else if (chan->state == BT_CONNECT2) {
79d554a6 1251 struct l2cap_conn_rsp rsp;
e9aeb2dd 1252 char buf[128];
fe4128e0
GP		 1253 rsp.scid = cpu_to_le16(chan->dcid);
1254 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1255
d45fc423 1256 if (l2cap_chan_check_security(chan)) {
6be36555 1257 lock_sock(sk);
c5daa683
GP		 1258 if (test_bit(BT_SK_DEFER_SETUP,
1259 &bt_sk(sk)->flags)) {
ac73498c
AE		 1260 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1261 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1262 chan->ops->defer(chan);
f66dc81f
MH		 1263
1264 } else {
0e587be7 1265 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1266 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1267 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1268 }
6be36555 1269 release_sock(sk);
79d554a6 1270 } else {
ac73498c
AE		 1271 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1272 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1273 }
1274
fc7f8a7e 1275 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1276 sizeof(rsp), &rsp);
e9aeb2dd 1277
c1360a1c 1278 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1279 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1280 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1281 continue;
1282 }
1283
c1360a1c 1284 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1285 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1286 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1287 chan->num_conf_req++;
4e8402a3
MH		 1288 }
1289
6be36555 1290 l2cap_chan_unlock(chan);
4e8402a3
MH		 1291 }
1292
3df91ea2 1293 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1294}
1295
c2287681 1296/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1297 * Returns closest match, locked.
1298 */
d9b88702 1299static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1300 bdaddr_t *src,
1301 bdaddr_t *dst)
b62f328b 1302{
23691d75 1303 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1304
23691d75 1305 read_lock(&chan_list_lock);
b62f328b 1306
23691d75
GP		 1307 list_for_each_entry(c, &chan_list, global_l) {
1308 struct sock *sk = c->sk;
fe4128e0 1309
89bc500e 1310 if (state && c->state != state)
b62f328b
VT		 1311 continue;
1312
23691d75 1313 if (c->scid == cid) {
c2287681
IY		 1314 int src_match, dst_match;
1315 int src_any, dst_any;
1316
b62f328b 1317 /* Exact match. */
c2287681
IY		 1318 src_match = !bacmp(&bt_sk(sk)->src, src);
1319 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1320 if (src_match && dst_match) {
23691d75
GP		 1321 read_unlock(&chan_list_lock);
1322 return c;
1323 }
b62f328b
VT		 1324
1325 /* Closest match */
c2287681
IY		 1326 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1327 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1328 if ((src_match && dst_any) || (src_any && dst_match) ||
1329 (src_any && dst_any))
23691d75 1330 c1 = c;
b62f328b
VT		 1331 }
1332 }
280f294f 1333
23691d75 1334 read_unlock(&chan_list_lock);
b62f328b 1335
23691d75 1336 return c1;
b62f328b
VT		 1337}
1338
1339static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1340{
c916fbe4 1341 struct sock *parent, *sk;
23691d75 1342 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1343
1344 BT_DBG("");
1345
1346 /* Check if we have socket listening on cid */
23691d75 1347 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1348 conn->src, conn->dst);
23691d75 1349 if (!pchan)
b62f328b
VT		 1350 return;
1351
23691d75
GP		 1352 parent = pchan->sk;
1353
aa2ac881 1354 lock_sock(parent);
62f3a2cf 1355
80b98027 1356 chan = pchan->ops->new_connection(pchan);
80808e43 1357 if (!chan)
b62f328b
VT		 1358 goto clean;
1359
80808e43 1360 sk = chan->sk;
5d41ce1d 1361
b62f328b 1362 hci_conn_hold(conn->hcon);
a9ea3ed9 1363 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1364
b62f328b
VT		 1365 bacpy(&bt_sk(sk)->src, conn->src);
1366 bacpy(&bt_sk(sk)->dst, conn->dst);
1367
3d57dc68 1368 l2cap_chan_add(conn, chan);
48454079 1369
6754e0df 1370 l2cap_chan_ready(chan);
b62f328b 1371
b62f328b 1372clean:
aa2ac881 1373 release_sock(parent);
b62f328b
VT		 1374}
1375
4e8402a3
MH		 1376static void l2cap_conn_ready(struct l2cap_conn *conn)
1377{
48454079 1378 struct l2cap_chan *chan;
cc110922 1379 struct hci_conn *hcon = conn->hcon;
4e8402a3 1380
79d554a6 1381 BT_DBG("conn %p", conn);
4e8402a3 1382
cc110922 1383 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1384 l2cap_le_conn_ready(conn);
1385
cc110922
VCG		 1386 if (hcon->out && hcon->type == LE_LINK)
1387 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1388
3df91ea2 1389 mutex_lock(&conn->chan_lock);
4e8402a3 1390
3df91ea2 1391 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1392
6be36555 1393 l2cap_chan_lock(chan);
4e8402a3 1394
416fa752
AE		 1395 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1396 l2cap_chan_unlock(chan);
1397 continue;
1398 }
1399
cc110922
VCG		 1400 if (hcon->type == LE_LINK) {
1401 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1402 l2cap_chan_ready(chan);
acd7d370 1403
63128451 1404 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1405 struct sock *sk = chan->sk;
c9b66675 1406 __clear_chan_timer(chan);
6be36555 1407 lock_sock(sk);
0e587be7 1408 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1409 sk->sk_state_change(sk);
6be36555 1410 release_sock(sk);
b501d6a1 1411
89bc500e 1412 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1413 l2cap_do_start(chan);
4e8402a3 1414
6be36555 1415 l2cap_chan_unlock(chan);
4e8402a3 1416 }
79d554a6 1417
3df91ea2 1418 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1419}
1420
1421/* Notify sockets that we cannot guaranty reliability anymore */
1422static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1423{
48454079 1424 struct l2cap_chan *chan;
4e8402a3
MH		 1425
1426 BT_DBG("conn %p", conn);
1427
3df91ea2 1428 mutex_lock(&conn->chan_lock);
4e8402a3 1429
3df91ea2 1430 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1431 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1432 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1433 }
1434
3df91ea2 1435 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1436}
1437
f878fcad 1438static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1439{
f878fcad 1440 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1441 info_timer.work);
4e8402a3 1442
984947dc 1443 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1444 conn->info_ident = 0;
984947dc 1445
4e8402a3
MH		 1446 l2cap_conn_start(conn);
1447}
1448
5d3de7df
VCG		 1449static void l2cap_conn_del(struct hci_conn *hcon, int err)
1450{
1451 struct l2cap_conn *conn = hcon->l2cap_data;
1452 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1453
1454 if (!conn)
1455 return;
1456
1457 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1458
1459 kfree_skb(conn->rx_skb);
1460
3df91ea2
AE		 1461 mutex_lock(&conn->chan_lock);
1462
5d3de7df
VCG		 1463 /* Kill channels */
1464 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1465 l2cap_chan_hold(chan);
6be36555
AE		 1466 l2cap_chan_lock(chan);
1467
5d3de7df 1468 l2cap_chan_del(chan, err);
6be36555
AE		 1469
1470 l2cap_chan_unlock(chan);
1471
80b98027 1472 chan->ops->close(chan);
61d6ef3e 1473 l2cap_chan_put(chan);
5d3de7df
VCG		 1474 }
1475
3df91ea2
AE		 1476 mutex_unlock(&conn->chan_lock);
1477
73d80deb
LAD		 1478 hci_chan_del(conn->hchan);
1479
5d3de7df 1480 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1481 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1482
51a8efd7 1483 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1484 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1485 smp_chan_destroy(conn);
d26a2345 1486 }
5d3de7df
VCG		 1487
1488 hcon->l2cap_data = NULL;
9c903e37
DH		 1489 conn->hchan = NULL;
1490 l2cap_conn_put(conn);
5d3de7df
VCG		 1491}
1492
6c9d42a1 1493static void security_timeout(struct work_struct *work)
5d3de7df 1494{
6c9d42a1 1495 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1496 security_timer.work);
5d3de7df 1497
d06cc416
JH		 1498 BT_DBG("conn %p", conn);
1499
1500 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1501 smp_chan_destroy(conn);
1502 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1503 }
5d3de7df
VCG		 1504}
1505
baf43251 1506static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1da177e4 1507{
0139418c 1508 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1509 struct hci_chan *hchan;
1da177e4 1510
baf43251 1511 if (conn)
1da177e4
LT		 1512 return conn;
1513
73d80deb
LAD		 1514 hchan = hci_chan_create(hcon);
1515 if (!hchan)
1516 return NULL;
1517
8bcde1f2 1518 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1519 if (!conn) {
1520 hci_chan_del(hchan);
1da177e4 1521 return NULL;
73d80deb 1522 }
1da177e4 1523
9c903e37 1524 kref_init(&conn->ref);
1da177e4
LT		 1525 hcon->l2cap_data = conn;
1526 conn->hcon = hcon;
9c903e37 1527 hci_conn_get(conn->hcon);
73d80deb 1528 conn->hchan = hchan;
1da177e4 1529
73d80deb 1530 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1531
dcc042d5 1532 switch (hcon->type) {
dcc042d5
AE		 1533 case LE_LINK:
1534 if (hcon->hdev->le_mtu) {
1535 conn->mtu = hcon->hdev->le_mtu;
1536 break;
1537 }
1538 /* fall through */
dcc042d5 1539 default:
acd7d370 1540 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1541 break;
1542 }
acd7d370 1543
1da177e4
LT		 1544 conn->src = &hcon->hdev->bdaddr;
1545 conn->dst = &hcon->dst;
1546
4e8402a3
MH		 1547 conn->feat_mask = 0;
1548
1da177e4 1549 spin_lock_init(&conn->lock);
3df91ea2 1550 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1551
1552 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1553
5d3de7df 1554 if (hcon->type == LE_LINK)
6c9d42a1 1555 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1556 else
030013d8 1557 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1558
9f5a0d7b 1559 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1560
1da177e4
LT		 1561 return conn;
1562}
1563
9c903e37
DH		 1564static void l2cap_conn_free(struct kref *ref)
1565{
1566 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1567
1568 hci_conn_put(conn->hcon);
1569 kfree(conn);
1570}
1571
1572void l2cap_conn_get(struct l2cap_conn *conn)
1573{
1574 kref_get(&conn->ref);
1575}
1576EXPORT_SYMBOL(l2cap_conn_get);
1577
1578void l2cap_conn_put(struct l2cap_conn *conn)
1579{
1580 kref_put(&conn->ref, l2cap_conn_free);
1581}
1582EXPORT_SYMBOL(l2cap_conn_put);
1583
1da177e4 1584/* ---- Socket interface ---- */
1da177e4 1585
c2287681 1586/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1587 * Returns closest match.
1588 */
c2287681
IY		 1589static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1590 bdaddr_t *src,
1591 bdaddr_t *dst)
1da177e4 1592{
23691d75 1593 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1594
23691d75 1595 read_lock(&chan_list_lock);
e0f0cb56 1596
23691d75
GP		 1597 list_for_each_entry(c, &chan_list, global_l) {
1598 struct sock *sk = c->sk;
fe4128e0 1599
89bc500e 1600 if (state && c->state != state)
1da177e4
LT		 1601 continue;
1602
23691d75 1603 if (c->psm == psm) {
c2287681
IY		 1604 int src_match, dst_match;
1605 int src_any, dst_any;
1606
1da177e4 1607 /* Exact match. */
c2287681
IY		 1608 src_match = !bacmp(&bt_sk(sk)->src, src);
1609 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1610 if (src_match && dst_match) {
a7567b20 1611 read_unlock(&chan_list_lock);
23691d75
GP		 1612 return c;
1613 }
1da177e4
LT		 1614
1615 /* Closest match */
c2287681
IY		 1616 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1617 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1618 if ((src_match && dst_any) || (src_any && dst_match) ||
1619 (src_any && dst_any))
23691d75 1620 c1 = c;
1da177e4
LT		 1621 }
1622 }
1da177e4 1623
23691d75 1624 read_unlock(&chan_list_lock);
e0f0cb56 1625
23691d75 1626 return c1;
1da177e4
LT		 1627}
1628
8e9f9892
AG		 1629int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1630 bdaddr_t *dst, u8 dst_type)
1da177e4 1631{
5d41ce1d 1632 struct sock *sk = chan->sk;
1da177e4 1633 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1634 struct l2cap_conn *conn;
1635 struct hci_conn *hcon;
1636 struct hci_dev *hdev;
09ab6f4c 1637 __u8 auth_type;
44d0e48e 1638 int err;
1da177e4 1639
6ed93dc6 1640 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1641 dst_type, __le16_to_cpu(psm));
1da177e4 1642
af05b30b
GP		 1643 hdev = hci_get_route(dst, src);
1644 if (!hdev)
1da177e4
LT		 1645 return -EHOSTUNREACH;
1646
09fd0de5 1647 hci_dev_lock(hdev);
1da177e4 1648
6be36555 1649 l2cap_chan_lock(chan);
03a00194
GP		 1650
1651 /* PSM must be odd and lsb of upper byte must be 0 */
1652 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1653 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1654 err = -EINVAL;
1655 goto done;
1656 }
1657
1658 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1659 err = -EINVAL;
1660 goto done;
1661 }
1662
1663 switch (chan->mode) {
1664 case L2CAP_MODE_BASIC:
1665 break;
1666 case L2CAP_MODE_ERTM:
1667 case L2CAP_MODE_STREAMING:
1668 if (!disable_ertm)
1669 break;
1670 /* fall through */
1671 default:
1672 err = -ENOTSUPP;
1673 goto done;
1674 }
1675
0797e01d 1676 switch (chan->state) {
03a00194
GP		 1677 case BT_CONNECT:
1678 case BT_CONNECT2:
1679 case BT_CONFIG:
1680 /* Already connecting */
1681 err = 0;
1682 goto done;
1683
1684 case BT_CONNECTED:
1685 /* Already connected */
1686 err = -EISCONN;
1687 goto done;
1688
1689 case BT_OPEN:
1690 case BT_BOUND:
1691 /* Can connect */
1692 break;
1693
1694 default:
1695 err = -EBADFD;
1696 goto done;
1697 }
1698
1699 /* Set destination address and psm */
0797e01d 1700 lock_sock(sk);
9219b2a0 1701 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1702 release_sock(sk);
1703
03a00194
GP		 1704 chan->psm = psm;
1705 chan->dcid = cid;
1da177e4 1706
4343478f 1707 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1708
fe4128e0 1709 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1710 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1711 chan->sec_level, auth_type);
acd7d370 1712 else
8e9f9892 1713 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1714 chan->sec_level, auth_type);
acd7d370 1715
30e76272
VT		 1716 if (IS_ERR(hcon)) {
1717 err = PTR_ERR(hcon);
1da177e4 1718 goto done;
30e76272 1719 }
1da177e4 1720
baf43251 1721 conn = l2cap_conn_add(hcon);
1da177e4 1722 if (!conn) {
76a68ba0 1723 hci_conn_drop(hcon);
30e76272 1724 err = -ENOMEM;
1da177e4
LT		 1725 goto done;
1726 }
1727
9f0caeb1
VCG		 1728 if (hcon->type == LE_LINK) {
1729 err = 0;
1730
1731 if (!list_empty(&conn->chan_l)) {
1732 err = -EBUSY;
76a68ba0 1733 hci_conn_drop(hcon);
9f0caeb1
VCG		 1734 }
1735
1736 if (err)
1737 goto done;
1738 }
1739
1da177e4
LT		 1740 /* Update source addr of the socket */
1741 bacpy(src, conn->src);
1742
6be36555 1743 l2cap_chan_unlock(chan);
48454079 1744 l2cap_chan_add(conn, chan);
6be36555 1745 l2cap_chan_lock(chan);
48454079 1746
6be36555 1747 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1748 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1749
1750 if (hcon->state == BT_CONNECTED) {
715ec005 1751 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1752 __clear_chan_timer(chan);
d45fc423 1753 if (l2cap_chan_check_security(chan))
6be36555 1754 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1755 } else
fc7f8a7e 1756 l2cap_do_start(chan);
1da177e4
LT		 1757 }
1758
30e76272
VT		 1759 err = 0;
1760
1da177e4 1761done:
6be36555 1762 l2cap_chan_unlock(chan);
09fd0de5 1763 hci_dev_unlock(hdev);
1da177e4
LT		 1764 hci_dev_put(hdev);
1765 return err;
1766}
1767
dcba0dba 1768int __l2cap_wait_ack(struct sock *sk)
6161c038 1769{
8c1d787b 1770 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1771 DECLARE_WAITQUEUE(wait, current);
1772 int err = 0;
1773 int timeo = HZ/5;
1774
2b0b05dd 1775 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1776 set_current_state(TASK_INTERRUPTIBLE);
1777 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1778 if (!timeo)
1779 timeo = HZ/5;
1780
1781 if (signal_pending(current)) {
1782 err = sock_intr_errno(timeo);
1783 break;
1784 }
1785
1786 release_sock(sk);
1787 timeo = schedule_timeout(timeo);
1788 lock_sock(sk);
a71a0cf4 1789 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1790
1791 err = sock_error(sk);
1792 if (err)
1793 break;
1794 }
1795 set_current_state(TASK_RUNNING);
2b0b05dd 1796 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1797 return err;
1798}
1799
721c4181 1800static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1801{
721c4181 1802 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1803 monitor_timer.work);
e90bac06 1804
525cd185 1805 BT_DBG("chan %p", chan);
0e98958d 1806
6be36555
AE		 1807 l2cap_chan_lock(chan);
1808
80909e04 1809 if (!chan->conn) {
6be36555 1810 l2cap_chan_unlock(chan);
8d7e1c7f 1811 l2cap_chan_put(chan);
e90bac06
GP		 1812 return;
1813 }
1814
401bb1f7 1815 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1816
6be36555 1817 l2cap_chan_unlock(chan);
8d7e1c7f 1818 l2cap_chan_put(chan);
e90bac06
GP		 1819}
1820
721c4181 1821static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1822{
721c4181 1823 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1824 retrans_timer.work);
e90bac06 1825
49208c9c 1826 BT_DBG("chan %p", chan);
0e98958d 1827
6be36555
AE		 1828 l2cap_chan_lock(chan);
1829
80909e04
MM		 1830 if (!chan->conn) {
1831 l2cap_chan_unlock(chan);
1832 l2cap_chan_put(chan);
1833 return;
1834 }
6be36555 1835
401bb1f7 1836 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1837 l2cap_chan_unlock(chan);
8d7e1c7f 1838 l2cap_chan_put(chan);
e90bac06
GP		 1839}
1840
d660366d
GP		 1841static void l2cap_streaming_send(struct l2cap_chan *chan,
1842 struct sk_buff_head *skbs)
6840ed07 1843{
ccbb84af 1844 struct sk_buff *skb;
3733937d 1845 struct l2cap_ctrl *control;
6840ed07 1846
3733937d
MM		 1847 BT_DBG("chan %p, skbs %p", chan, skbs);
1848
b99e13ad
MM		 1849 if (__chan_is_moving(chan))
1850 return;
1851
3733937d
MM		 1852 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1853
1854 while (!skb_queue_empty(&chan->tx_q)) {
1855
1856 skb = skb_dequeue(&chan->tx_q);
1857
1858 bt_cb(skb)->control.retries = 1;
1859 control = &bt_cb(skb)->control;
1860
1861 control->reqseq = 0;
1862 control->txseq = chan->next_tx_seq;
1863
1864 __pack_control(chan, control, skb);
6840ed07 1865
47d1ec61 1866 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1867 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1868 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1869 }
1870
4343478f 1871 l2cap_do_send(chan, skb);
6840ed07 1872
b4400672 1873 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1874
836be934 1875 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1876 chan->frames_sent++;
6840ed07 1877 }
6840ed07
GP		 1878}
1879
67c9e840 1880static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1881{
1882 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1883 struct l2cap_ctrl *control;
1884 int sent = 0;
1885
1886 BT_DBG("chan %p", chan);
1c2acffb 1887
89bc500e 1888 if (chan->state != BT_CONNECTED)
c13ffa62 1889 return -ENOTCONN;
e90bac06 1890
94122bbe
MM		 1891 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1892 return 0;
1893
b99e13ad
MM		 1894 if (__chan_is_moving(chan))
1895 return 0;
1896
18a48e76
MM		 1897 while (chan->tx_send_head &&
1898 chan->unacked_frames < chan->remote_tx_win &&
1899 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1900
18a48e76 1901 skb = chan->tx_send_head;
e90bac06 1902
18a48e76
MM		 1903 bt_cb(skb)->control.retries = 1;
1904 control = &bt_cb(skb)->control;
95ffa978 1905
e2ab4353 1906 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1907 control->final = 1;
e2ab4353 1908
18a48e76
MM		 1909 control->reqseq = chan->buffer_seq;
1910 chan->last_acked_seq = chan->buffer_seq;
1911 control->txseq = chan->next_tx_seq;
1c2acffb 1912
18a48e76 1913 __pack_control(chan, control, skb);
e90bac06 1914
47d1ec61 1915 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1916 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1917 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1918 }
1919
18a48e76
MM		 1920 /* Clone after data has been modified. Data is assumed to be
1921 read-only (for locking purposes) on cloned sk_buffs.
1922 */
1923 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1924
18a48e76
MM		 1925 if (!tx_skb)
1926 break;
1c2acffb 1927
18a48e76 1928 __set_retrans_timer(chan);
836be934
AE		 1929
1930 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1931 chan->unacked_frames++;
6a026610 1932 chan->frames_sent++;
18a48e76 1933 sent++;
1c2acffb 1934
58d35f87
GP		 1935 if (skb_queue_is_last(&chan->tx_q, skb))
1936 chan->tx_send_head = NULL;
1c2acffb 1937 else
58d35f87 1938 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1939
1940 l2cap_do_send(chan, tx_skb);
b4400672 1941 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1942 }
1943
b4400672
AE		 1944 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1945 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1946
1947 return sent;
9e917af1
GP		 1948}
1949
e1fbd4c1
MM		 1950static void l2cap_ertm_resend(struct l2cap_chan *chan)
1951{
1952 struct l2cap_ctrl control;
1953 struct sk_buff *skb;
1954 struct sk_buff *tx_skb;
1955 u16 seq;
1956
1957 BT_DBG("chan %p", chan);
1958
1959 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1960 return;
1961
b99e13ad
MM		 1962 if (__chan_is_moving(chan))
1963 return;
1964
e1fbd4c1
MM		 1965 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1966 seq = l2cap_seq_list_pop(&chan->retrans_list);
1967
1968 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1969 if (!skb) {
1970 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1971 seq);
e1fbd4c1
MM		 1972 continue;
1973 }
1974
1975 bt_cb(skb)->control.retries++;
1976 control = bt_cb(skb)->control;
1977
1978 if (chan->max_tx != 0 &&
1979 bt_cb(skb)->control.retries > chan->max_tx) {
1980 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1981 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1982 l2cap_seq_list_clear(&chan->retrans_list);
1983 break;
1984 }
1985
1986 control.reqseq = chan->buffer_seq;
1987 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1988 control.final = 1;
1989 else
1990 control.final = 0;
1991
1992 if (skb_cloned(skb)) {
1993 /* Cloned sk_buffs are read-only, so we need a
1994 * writeable copy
1995 */
8bcde1f2 1996 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1997 } else {
8bcde1f2 1998 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1999 }
2000
2001 if (!tx_skb) {
2002 l2cap_seq_list_clear(&chan->retrans_list);
2003 break;
2004 }
2005
2006 /* Update skb contents */
2007 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2008 put_unaligned_le32(__pack_extended_control(&control),
2009 tx_skb->data + L2CAP_HDR_SIZE);
2010 } else {
2011 put_unaligned_le16(__pack_enhanced_control(&control),
2012 tx_skb->data + L2CAP_HDR_SIZE);
2013 }
2014
2015 if (chan->fcs == L2CAP_FCS_CRC16) {
2016 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2017 put_unaligned_le16(fcs, skb_put(tx_skb,
2018 L2CAP_FCS_SIZE));
2019 }
2020
2021 l2cap_do_send(chan, tx_skb);
2022
2023 BT_DBG("Resent txseq %d", control.txseq);
2024
2025 chan->last_acked_seq = chan->buffer_seq;
2026 }
2027}
2028
f80842a8
MM		 2029static void l2cap_retransmit(struct l2cap_chan *chan,
2030 struct l2cap_ctrl *control)
2031{
2032 BT_DBG("chan %p, control %p", chan, control);
2033
2034 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2035 l2cap_ertm_resend(chan);
2036}
2037
d2a7ac5d
MM		 2038static void l2cap_retransmit_all(struct l2cap_chan *chan,
2039 struct l2cap_ctrl *control)
2040{
e1fbd4c1
MM		 2041 struct sk_buff *skb;
2042
2043 BT_DBG("chan %p, control %p", chan, control);
2044
2045 if (control->poll)
2046 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2047
2048 l2cap_seq_list_clear(&chan->retrans_list);
2049
2050 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2051 return;
2052
2053 if (chan->unacked_frames) {
2054 skb_queue_walk(&chan->tx_q, skb) {
2055 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2056 skb == chan->tx_send_head)
e1fbd4c1
MM		 2057 break;
2058 }
2059
2060 skb_queue_walk_from(&chan->tx_q, skb) {
2061 if (skb == chan->tx_send_head)
2062 break;
2063
2064 l2cap_seq_list_append(&chan->retrans_list,
2065 bt_cb(skb)->control.txseq);
2066 }
2067
2068 l2cap_ertm_resend(chan);
2069 }
d2a7ac5d
MM		 2070}
2071
0a0aba42 2072static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2073{
0a0aba42
MM		 2074 struct l2cap_ctrl control;
2075 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2076 chan->last_acked_seq);
2077 int threshold;
9e917af1 2078
0a0aba42
MM		 2079 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2080 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2081
0a0aba42
MM		 2082 memset(&control, 0, sizeof(control));
2083 control.sframe = 1;
dfc909be 2084
0a0aba42
MM		 2085 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2086 chan->rx_state == L2CAP_RX_STATE_RECV) {
2087 __clear_ack_timer(chan);
2088 control.super = L2CAP_SUPER_RNR;
2089 control.reqseq = chan->buffer_seq;
2090 l2cap_send_sframe(chan, &control);
2091 } else {
2092 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2093 l2cap_ertm_send(chan);
2094 /* If any i-frames were sent, they included an ack */
2095 if (chan->buffer_seq == chan->last_acked_seq)
2096 frames_to_ack = 0;
2097 }
dfc909be 2098
c20f8e35 2099 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2100 * Calculate without mul or div
2101 */
c20f8e35 2102 threshold = chan->ack_win;
0a0aba42
MM		 2103 threshold += threshold << 1;
2104 threshold >>= 2;
2105
b4400672 2106 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2107 threshold);
2108
2109 if (frames_to_ack >= threshold) {
2110 __clear_ack_timer(chan);
2111 control.super = L2CAP_SUPER_RR;
2112 control.reqseq = chan->buffer_seq;
2113 l2cap_send_sframe(chan, &control);
2114 frames_to_ack = 0;
2115 }
1c2acffb 2116
0a0aba42
MM		 2117 if (frames_to_ack)
2118 __set_ack_timer(chan);
2119 }
b17e73bb
SJ		 2120}
2121
04124681
GP		 2122static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2123 struct msghdr *msg, int len,
2124 int count, struct sk_buff *skb)
1c2acffb 2125{
0952a57a 2126 struct l2cap_conn *conn = chan->conn;
1c2acffb 2127 struct sk_buff **frag;
90338947 2128 int sent = 0;
1da177e4 2129
59203a21 2130 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2131 return -EFAULT;
1da177e4
LT		 2132
2133 sent += count;
2134 len -= count;
2135
2136 /* Continuation fragments (no L2CAP header) */
2137 frag = &skb_shinfo(skb)->frag_list;
2138 while (len) {
fbe00700
GP		 2139 struct sk_buff *tmp;
2140
1da177e4
LT		 2141 count = min_t(unsigned int, conn->mtu, len);
2142
fbe00700
GP		 2143 tmp = chan->ops->alloc_skb(chan, count,
2144 msg->msg_flags & MSG_DONTWAIT);
2145 if (IS_ERR(tmp))
2146 return PTR_ERR(tmp);
2147
2148 *frag = tmp;
2f7719ce 2149
1c2acffb
GP		 2150 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2151 return -EFAULT;
1da177e4 2152
5e59b791
LAD		 2153 (*frag)->priority = skb->priority;
2154
1da177e4
LT		 2155 sent += count;
2156 len -= count;
2157
2d0ed3d5
GP		 2158 skb->len += (*frag)->len;
2159 skb->data_len += (*frag)->len;
2160
1da177e4
LT		 2161 frag = &(*frag)->next;
2162 }
1da177e4
LT		 2163
2164 return sent;
1c2acffb 2165}
1da177e4 2166
5e59b791 2167static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2168 struct msghdr *msg, size_t len,
2169 u32 priority)
1c2acffb 2170{
8c1d787b 2171 struct l2cap_conn *conn = chan->conn;
1c2acffb 2172 struct sk_buff *skb;
03a51213 2173 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2174 struct l2cap_hdr *lh;
2175
b4400672 2176 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2177
2178 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2179
2180 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2181 msg->msg_flags & MSG_DONTWAIT);
2182 if (IS_ERR(skb))
2183 return skb;
1c2acffb 2184
5e59b791
LAD		 2185 skb->priority = priority;
2186
1c2acffb
GP		 2187 /* Create L2CAP header */
2188 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2189 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2190 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2191 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2192
0952a57a 2193 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2194 if (unlikely(err < 0)) {
2195 kfree_skb(skb);
2196 return ERR_PTR(err);
2197 }
2198 return skb;
2199}
2200
5e59b791 2201static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2202 struct msghdr *msg, size_t len,
2203 u32 priority)
1c2acffb 2204{
8c1d787b 2205 struct l2cap_conn *conn = chan->conn;
1c2acffb 2206 struct sk_buff *skb;
f2ba7fae 2207 int err, count;
1c2acffb
GP		 2208 struct l2cap_hdr *lh;
2209
b4400672 2210 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2211
f2ba7fae 2212 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2213
f2ba7fae 2214 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2215 msg->msg_flags & MSG_DONTWAIT);
2216 if (IS_ERR(skb))
2217 return skb;
1c2acffb 2218
5e59b791
LAD		 2219 skb->priority = priority;
2220
1c2acffb
GP		 2221 /* Create L2CAP header */
2222 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2223 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2224 lh->len = cpu_to_le16(len);
1c2acffb 2225
0952a57a 2226 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2227 if (unlikely(err < 0)) {
2228 kfree_skb(skb);
2229 return ERR_PTR(err);
2230 }
2231 return skb;
2232}
2233
ab0ff76d 2234static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2235 struct msghdr *msg, size_t len,
2236 u16 sdulen)
1c2acffb 2237{
8c1d787b 2238 struct l2cap_conn *conn = chan->conn;
1c2acffb 2239 struct sk_buff *skb;
e4ca6d98 2240 int err, count, hlen;
1c2acffb
GP		 2241 struct l2cap_hdr *lh;
2242
b4400672 2243 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2244
0ee0d208
GP		 2245 if (!conn)
2246 return ERR_PTR(-ENOTCONN);
2247
ba7aa64f 2248 hlen = __ertm_hdr_size(chan);
e4ca6d98 2249
c74e560c 2250 if (sdulen)
03a51213 2251 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2252
47d1ec61 2253 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2254 hlen += L2CAP_FCS_SIZE;
fcc203c3 2255
1c2acffb 2256 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2257
2258 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2259 msg->msg_flags & MSG_DONTWAIT);
2260 if (IS_ERR(skb))
2261 return skb;
1c2acffb
GP		 2262
2263 /* Create L2CAP header */
2264 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2265 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2266 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2267
18a48e76
MM		 2268 /* Control header is populated later */
2269 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2270 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2271 else
2272 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2273
c74e560c 2274 if (sdulen)
03a51213 2275 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2276
0952a57a 2277 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2278 if (unlikely(err < 0)) {
2279 kfree_skb(skb);
2280 return ERR_PTR(err);
2281 }
e90bac06 2282
18a48e76 2283 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2284 bt_cb(skb)->control.retries = 0;
1c2acffb 2285 return skb;
1da177e4
LT		 2286}
2287
94122bbe
MM		 2288static int l2cap_segment_sdu(struct l2cap_chan *chan,
2289 struct sk_buff_head *seg_queue,
2290 struct msghdr *msg, size_t len)
c74e560c 2291{
c74e560c 2292 struct sk_buff *skb;
94122bbe
MM		 2293 u16 sdu_len;
2294 size_t pdu_len;
94122bbe 2295 u8 sar;
c74e560c 2296
b4400672 2297 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2298
94122bbe
MM		 2299 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2300 * so fragmented skbs are not used. The HCI layer's handling
2301 * of fragmented skbs is not compatible with ERTM's queueing.
2302 */
c74e560c 2303
94122bbe
MM		 2304 /* PDU size is derived from the HCI MTU */
2305 pdu_len = chan->conn->mtu;
c74e560c 2306
a549574d
MM		 2307 /* Constrain PDU size for BR/EDR connections */
2308 if (!chan->hs_hcon)
2309 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2310
2311 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2312 if (chan->fcs)
2313 pdu_len -= L2CAP_FCS_SIZE;
2314
ba7aa64f 2315 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2316
2317 /* Remote device may have requested smaller PDUs */
2318 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2319
2320 if (len <= pdu_len) {
2321 sar = L2CAP_SAR_UNSEGMENTED;
2322 sdu_len = 0;
2323 pdu_len = len;
2324 } else {
2325 sar = L2CAP_SAR_START;
2326 sdu_len = len;
2327 pdu_len -= L2CAP_SDULEN_SIZE;
2328 }
2329
2330 while (len > 0) {
2331 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2332
c74e560c 2333 if (IS_ERR(skb)) {
94122bbe 2334 __skb_queue_purge(seg_queue);
c74e560c
GP		 2335 return PTR_ERR(skb);
2336 }
2337
94122bbe
MM		 2338 bt_cb(skb)->control.sar = sar;
2339 __skb_queue_tail(seg_queue, skb);
2340
2341 len -= pdu_len;
2342 if (sdu_len) {
2343 sdu_len = 0;
2344 pdu_len += L2CAP_SDULEN_SIZE;
2345 }
2346
2347 if (len <= pdu_len) {
2348 sar = L2CAP_SAR_END;
2349 pdu_len = len;
2350 } else {
2351 sar = L2CAP_SAR_CONTINUE;
2352 }
c74e560c 2353 }
c74e560c 2354
f0f62799 2355 return 0;
c74e560c
GP		 2356}
2357
5e59b791 2358int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2359 u32 priority)
9a91a04a 2360{
9a91a04a 2361 struct sk_buff *skb;
9a91a04a 2362 int err;
94122bbe 2363 struct sk_buff_head seg_queue;
9a91a04a
GP		 2364
2365 /* Connectionless channel */
715ec005 2366 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2367 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2368 if (IS_ERR(skb))
2369 return PTR_ERR(skb);
2370
2371 l2cap_do_send(chan, skb);
2372 return len;
2373 }
2374
2375 switch (chan->mode) {
2376 case L2CAP_MODE_BASIC:
2377 /* Check outgoing MTU */
2378 if (len > chan->omtu)
2379 return -EMSGSIZE;
2380
2381 /* Create a basic PDU */
5e59b791 2382 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2383 if (IS_ERR(skb))
2384 return PTR_ERR(skb);
2385
2386 l2cap_do_send(chan, skb);
2387 err = len;
2388 break;
2389
2390 case L2CAP_MODE_ERTM:
2391 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2392 /* Check outgoing MTU */
2393 if (len > chan->omtu) {
2394 err = -EMSGSIZE;
2395 break;
2396 }
9a91a04a 2397
94122bbe 2398 __skb_queue_head_init(&seg_queue);
9a91a04a 2399
94122bbe
MM		 2400 /* Do segmentation before calling in to the state machine,
2401 * since it's possible to block while waiting for memory
2402 * allocation.
2403 */
2404 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2405
94122bbe
MM		 2406 /* The channel could have been closed while segmenting,
2407 * check that it is still connected.
2408 */
2409 if (chan->state != BT_CONNECTED) {
2410 __skb_queue_purge(&seg_queue);
2411 err = -ENOTCONN;
9a91a04a
GP		 2412 }
2413
94122bbe 2414 if (err)
9a91a04a 2415 break;
9a91a04a 2416
3733937d 2417 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2418 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2419 else
d660366d 2420 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2421
d660366d 2422 err = len;
9a91a04a 2423
94122bbe
MM		 2424 /* If the skbs were not queued for sending, they'll still be in
2425 * seg_queue and need to be purged.
2426 */
2427 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2428 break;
2429
2430 default:
2431 BT_DBG("bad state %1.1x", chan->mode);
2432 err = -EBADFD;
2433 }
2434
2435 return err;
2436}
2437
d2a7ac5d
MM		 2438static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2439{
bed68bde
MM		 2440 struct l2cap_ctrl control;
2441 u16 seq;
2442
b4400672 2443 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2444
2445 memset(&control, 0, sizeof(control));
2446 control.sframe = 1;
2447 control.super = L2CAP_SUPER_SREJ;
2448
2449 for (seq = chan->expected_tx_seq; seq != txseq;
2450 seq = __next_seq(chan, seq)) {
2451 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2452 control.reqseq = seq;
2453 l2cap_send_sframe(chan, &control);
2454 l2cap_seq_list_append(&chan->srej_list, seq);
2455 }
2456 }
2457
2458 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2459}
2460
2461static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2462{
bed68bde
MM		 2463 struct l2cap_ctrl control;
2464
2465 BT_DBG("chan %p", chan);
2466
2467 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2468 return;
2469
2470 memset(&control, 0, sizeof(control));
2471 control.sframe = 1;
2472 control.super = L2CAP_SUPER_SREJ;
2473 control.reqseq = chan->srej_list.tail;
2474 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2475}
2476
2477static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2478{
bed68bde
MM		 2479 struct l2cap_ctrl control;
2480 u16 initial_head;
2481 u16 seq;
2482
b4400672 2483 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2484
2485 memset(&control, 0, sizeof(control));
2486 control.sframe = 1;
2487 control.super = L2CAP_SUPER_SREJ;
2488
2489 /* Capture initial list head to allow only one pass through the list. */
2490 initial_head = chan->srej_list.head;
2491
2492 do {
2493 seq = l2cap_seq_list_pop(&chan->srej_list);
2494 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2495 break;
2496
2497 control.reqseq = seq;
2498 l2cap_send_sframe(chan, &control);
2499 l2cap_seq_list_append(&chan->srej_list, seq);
2500 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2501}
2502
608bcc6d
MM		 2503static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2504{
2505 struct sk_buff *acked_skb;
2506 u16 ackseq;
2507
b4400672 2508 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2509
2510 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2511 return;
2512
b4400672 2513 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2514 chan->expected_ack_seq, chan->unacked_frames);
2515
2516 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2517 ackseq = __next_seq(chan, ackseq)) {
2518
2519 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2520 if (acked_skb) {
2521 skb_unlink(acked_skb, &chan->tx_q);
2522 kfree_skb(acked_skb);
2523 chan->unacked_frames--;
2524 }
2525 }
2526
2527 chan->expected_ack_seq = reqseq;
2528
2529 if (chan->unacked_frames == 0)
2530 __clear_retrans_timer(chan);
2531
b4400672 2532 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2533}
2534
2535static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2536{
2537 BT_DBG("chan %p", chan);
2538
2539 chan->expected_tx_seq = chan->buffer_seq;
2540 l2cap_seq_list_clear(&chan->srej_list);
2541 skb_queue_purge(&chan->srej_q);
2542 chan->rx_state = L2CAP_RX_STATE_RECV;
2543}
2544
d660366d
GP		 2545static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2546 struct l2cap_ctrl *control,
2547 struct sk_buff_head *skbs, u8 event)
608bcc6d 2548{
608bcc6d
MM		 2549 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2550 event);
2551
2552 switch (event) {
2553 case L2CAP_EV_DATA_REQUEST:
2554 if (chan->tx_send_head == NULL)
2555 chan->tx_send_head = skb_peek(skbs);
2556
2557 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2558 l2cap_ertm_send(chan);
2559 break;
2560 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2561 BT_DBG("Enter LOCAL_BUSY");
2562 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2563
2564 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2565 /* The SREJ_SENT state must be aborted if we are to
2566 * enter the LOCAL_BUSY state.
2567 */
2568 l2cap_abort_rx_srej_sent(chan);
2569 }
2570
2571 l2cap_send_ack(chan);
2572
2573 break;
2574 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2575 BT_DBG("Exit LOCAL_BUSY");
2576 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2577
2578 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2579 struct l2cap_ctrl local_control;
2580
2581 memset(&local_control, 0, sizeof(local_control));
2582 local_control.sframe = 1;
2583 local_control.super = L2CAP_SUPER_RR;
2584 local_control.poll = 1;
2585 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2586 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2587
2588 chan->retry_count = 1;
2589 __set_monitor_timer(chan);
2590 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2591 }
2592 break;
2593 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2594 l2cap_process_reqseq(chan, control->reqseq);
2595 break;
2596 case L2CAP_EV_EXPLICIT_POLL:
2597 l2cap_send_rr_or_rnr(chan, 1);
2598 chan->retry_count = 1;
2599 __set_monitor_timer(chan);
2600 __clear_ack_timer(chan);
2601 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2602 break;
2603 case L2CAP_EV_RETRANS_TO:
2604 l2cap_send_rr_or_rnr(chan, 1);
2605 chan->retry_count = 1;
2606 __set_monitor_timer(chan);
2607 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2608 break;
2609 case L2CAP_EV_RECV_FBIT:
2610 /* Nothing to process */
2611 break;
2612 default:
2613 break;
2614 }
608bcc6d
MM		 2615}
2616
d660366d
GP		 2617static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2618 struct l2cap_ctrl *control,
2619 struct sk_buff_head *skbs, u8 event)
608bcc6d 2620{
608bcc6d
MM		 2621 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2622 event);
2623
2624 switch (event) {
2625 case L2CAP_EV_DATA_REQUEST:
2626 if (chan->tx_send_head == NULL)
2627 chan->tx_send_head = skb_peek(skbs);
2628 /* Queue data, but don't send. */
2629 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2630 break;
2631 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2632 BT_DBG("Enter LOCAL_BUSY");
2633 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2634
2635 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2636 /* The SREJ_SENT state must be aborted if we are to
2637 * enter the LOCAL_BUSY state.
2638 */
2639 l2cap_abort_rx_srej_sent(chan);
2640 }
2641
2642 l2cap_send_ack(chan);
2643
2644 break;
2645 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2646 BT_DBG("Exit LOCAL_BUSY");
2647 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2648
2649 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2650 struct l2cap_ctrl local_control;
2651 memset(&local_control, 0, sizeof(local_control));
2652 local_control.sframe = 1;
2653 local_control.super = L2CAP_SUPER_RR;
2654 local_control.poll = 1;
2655 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2656 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2657
2658 chan->retry_count = 1;
2659 __set_monitor_timer(chan);
2660 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2661 }
2662 break;
2663 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2664 l2cap_process_reqseq(chan, control->reqseq);
2665
2666 /* Fall through */
2667
2668 case L2CAP_EV_RECV_FBIT:
2669 if (control && control->final) {
2670 __clear_monitor_timer(chan);
2671 if (chan->unacked_frames > 0)
2672 __set_retrans_timer(chan);
2673 chan->retry_count = 0;
2674 chan->tx_state = L2CAP_TX_STATE_XMIT;
2675 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2676 }
2677 break;
2678 case L2CAP_EV_EXPLICIT_POLL:
2679 /* Ignore */
2680 break;
2681 case L2CAP_EV_MONITOR_TO:
2682 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2683 l2cap_send_rr_or_rnr(chan, 1);
2684 __set_monitor_timer(chan);
2685 chan->retry_count++;
2686 } else {
5e4e3972 2687 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2688 }
2689 break;
2690 default:
2691 break;
2692 }
608bcc6d
MM		 2693}
2694
d660366d
GP		 2695static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2696 struct sk_buff_head *skbs, u8 event)
608bcc6d 2697{
608bcc6d
MM		 2698 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2699 chan, control, skbs, event, chan->tx_state);
2700
2701 switch (chan->tx_state) {
2702 case L2CAP_TX_STATE_XMIT:
d660366d 2703 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2704 break;
2705 case L2CAP_TX_STATE_WAIT_F:
d660366d 2706 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2707 break;
2708 default:
2709 /* Ignore event */
2710 break;
2711 }
608bcc6d
MM		 2712}
2713
4b51dae9
MM		 2714static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2715 struct l2cap_ctrl *control)
2716{
2717 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2718 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2719}
2720
f80842a8
MM		 2721static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2722 struct l2cap_ctrl *control)
2723{
2724 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2725 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2726}
2727
1da177e4
LT		 2728/* Copy frame to all raw sockets on that connection */
2729static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2730{
1da177e4 2731 struct sk_buff *nskb;
48454079 2732 struct l2cap_chan *chan;
1da177e4
LT		 2733
2734 BT_DBG("conn %p", conn);
2735
3df91ea2 2736 mutex_lock(&conn->chan_lock);
3d57dc68 2737
3df91ea2 2738 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2739 struct sock *sk = chan->sk;
715ec005 2740 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2741 continue;
2742
2743 /* Don't send frame to the socket it came from */
2744 if (skb->sk == sk)
2745 continue;
8bcde1f2 2746 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2747 if (!nskb)
1da177e4
LT		 2748 continue;
2749
80b98027 2750 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2751 kfree_skb(nskb);
2752 }
3d57dc68 2753
3df91ea2 2754 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2755}
2756
2757/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2758static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2759 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2760{
2761 struct sk_buff *skb, **frag;
2762 struct l2cap_cmd_hdr *cmd;
2763 struct l2cap_hdr *lh;
2764 int len, count;
2765
b4400672
AE		 2766 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2767 conn, code, ident, dlen);
1da177e4
LT		 2768
2769 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2770 count = min_t(unsigned int, conn->mtu, len);
2771
8bcde1f2 2772 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2773 if (!skb)
2774 return NULL;
2775
2776 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2777 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2778
2779 if (conn->hcon->type == LE_LINK)
ac73498c 2780 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2781 else
ac73498c 2782 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2783
2784 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2785 cmd->code = code;
2786 cmd->ident = ident;
aca3192c 2787 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2788
2789 if (dlen) {
2790 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2791 memcpy(skb_put(skb, count), data, count);
2792 data += count;
2793 }
2794
2795 len -= skb->len;
2796
2797 /* Continuation fragments (no L2CAP header) */
2798 frag = &skb_shinfo(skb)->frag_list;
2799 while (len) {
2800 count = min_t(unsigned int, conn->mtu, len);
2801
8bcde1f2 2802 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2803 if (!*frag)
2804 goto fail;
2805
2806 memcpy(skb_put(*frag, count), data, count);
2807
2808 len -= count;
2809 data += count;
2810
2811 frag = &(*frag)->next;
2812 }
2813
2814 return skb;
2815
2816fail:
2817 kfree_skb(skb);
2818 return NULL;
2819}
2820
2d792818
GP		 2821static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2822 unsigned long *val)
1da177e4
LT		 2823{
2824 struct l2cap_conf_opt *opt = *ptr;
2825 int len;
2826
2827 len = L2CAP_CONF_OPT_SIZE + opt->len;
2828 *ptr += len;
2829
2830 *type = opt->type;
2831 *olen = opt->len;
2832
2833 switch (opt->len) {
2834 case 1:
2835 *val = *((u8 *) opt->val);
2836 break;
2837
2838 case 2:
bfaaeb3e 2839 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2840 break;
2841
2842 case 4:
bfaaeb3e 2843 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2844 break;
2845
2846 default:
2847 *val = (unsigned long) opt->val;
2848 break;
2849 }
2850
b4400672 2851 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2852 return len;
2853}
2854
1da177e4
LT		 2855static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2856{
2857 struct l2cap_conf_opt *opt = *ptr;
2858
b4400672 2859 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2860
2861 opt->type = type;
2862 opt->len = len;
2863
2864 switch (len) {
2865 case 1:
2866 *((u8 *) opt->val) = val;
2867 break;
2868
2869 case 2:
4f8b691c 2870 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2871 break;
2872
2873 case 4:
4f8b691c 2874 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2875 break;
2876
2877 default:
2878 memcpy(opt->val, (void *) val, len);
2879 break;
2880 }
2881
2882 *ptr += L2CAP_CONF_OPT_SIZE + len;
2883}
2884
f89cef09
AE		 2885static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2886{
2887 struct l2cap_conf_efs efs;
2888
1ec918ce 2889 switch (chan->mode) {
f89cef09
AE		 2890 case L2CAP_MODE_ERTM:
2891 efs.id = chan->local_id;
2892 efs.stype = chan->local_stype;
2893 efs.msdu = cpu_to_le16(chan->local_msdu);
2894 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2895 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2896 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2897 break;
2898
2899 case L2CAP_MODE_STREAMING:
2900 efs.id = 1;
2901 efs.stype = L2CAP_SERV_BESTEFFORT;
2902 efs.msdu = cpu_to_le16(chan->local_msdu);
2903 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2904 efs.acc_lat = 0;
2905 efs.flush_to = 0;
2906 break;
2907
2908 default:
2909 return;
2910 }
2911
2912 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2913 (unsigned long) &efs);
f89cef09
AE		 2914}
2915
721c4181 2916static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2917{
721c4181 2918 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2919 ack_timer.work);
2920 u16 frames_to_ack;
c1b4f43b 2921
2fb9b3d4
GP		 2922 BT_DBG("chan %p", chan);
2923
6be36555
AE		 2924 l2cap_chan_lock(chan);
2925
0362520b
MM		 2926 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2927 chan->last_acked_seq);
6be36555 2928
0362520b
MM		 2929 if (frames_to_ack)
2930 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2931
0362520b 2932 l2cap_chan_unlock(chan);
09bfb2ee 2933 l2cap_chan_put(chan);
c1b4f43b
GP		 2934}
2935
466f8004 2936int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2937{
3c588192
MM		 2938 int err;
2939
105bdf9e
MM		 2940 chan->next_tx_seq = 0;
2941 chan->expected_tx_seq = 0;
42e5c802 2942 chan->expected_ack_seq = 0;
6a026610 2943 chan->unacked_frames = 0;
42e5c802 2944 chan->buffer_seq = 0;
6a026610 2945 chan->frames_sent = 0;
105bdf9e
MM		 2946 chan->last_acked_seq = 0;
2947 chan->sdu = NULL;
2948 chan->sdu_last_frag = NULL;
2949 chan->sdu_len = 0;
2950
d34c34fb
MM		 2951 skb_queue_head_init(&chan->tx_q);
2952
08333283
MM		 2953 chan->local_amp_id = 0;
2954 chan->move_id = 0;
2955 chan->move_state = L2CAP_MOVE_STABLE;
2956 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2957
105bdf9e
MM		 2958 if (chan->mode != L2CAP_MODE_ERTM)
2959 return 0;
2960
2961 chan->rx_state = L2CAP_RX_STATE_RECV;
2962 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2963
721c4181
GP		 2964 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2965 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2966 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2967
f1c6775b 2968 skb_queue_head_init(&chan->srej_q);
1890d36b 2969
3c588192
MM		 2970 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2971 if (err < 0)
2972 return err;
2973
9dc9affc
MM		 2974 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2975 if (err < 0)
2976 l2cap_seq_list_free(&chan->srej_list);
2977
2978 return err;
0565c1c2
GP		 2979}
2980
f2fcfcd6
GP		 2981static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2982{
2983 switch (mode) {
2984 case L2CAP_MODE_STREAMING:
2985 case L2CAP_MODE_ERTM:
2986 if (l2cap_mode_supported(mode, remote_feat_mask))
2987 return mode;
2988 /* fall through */
2989 default:
2990 return L2CAP_MODE_BASIC;
2991 }
2992}
2993
6327eb98
AE		 2994static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2995{
2996 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2997}
2998
f89cef09
AE		 2999static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
3000{
3001 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3002}
3003
36c86c85
MM		 3004static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3005 struct l2cap_conf_rfc *rfc)
3006{
3007 if (chan->local_amp_id && chan->hs_hcon) {
3008 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3009
3010 /* Class 1 devices have must have ERTM timeouts
3011 * exceeding the Link Supervision Timeout. The
3012 * default Link Supervision Timeout for AMP
3013 * controllers is 10 seconds.
3014 *
3015 * Class 1 devices use 0xffffffff for their
3016 * best-effort flush timeout, so the clamping logic
3017 * will result in a timeout that meets the above
3018 * requirement. ERTM timeouts are 16-bit values, so
3019 * the maximum timeout is 65.535 seconds.
3020 */
3021
3022 /* Convert timeout to milliseconds and round */
3023 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3024
3025 /* This is the recommended formula for class 2 devices
3026 * that start ERTM timers when packets are sent to the
3027 * controller.
3028 */
3029 ertm_to = 3 * ertm_to + 500;
3030
3031 if (ertm_to > 0xffff)
3032 ertm_to = 0xffff;
3033
3034 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3035 rfc->monitor_timeout = rfc->retrans_timeout;
3036 } else {
3037 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3038 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3039 }
3040}
3041
6327eb98
AE		 3042static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3043{
3044 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3045 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3046 /* use extended control field */
3047 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3048 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3049 } else {
6327eb98 3050 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3051 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3052 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3053 }
c20f8e35 3054 chan->ack_win = chan->tx_win;
6327eb98
AE		 3055}
3056
710f9b0a 3057static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3058{
1da177e4 3059 struct l2cap_conf_req *req = data;
0c1bc5c6 3060 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3061 void *ptr = req->data;
c8f79162 3062 u16 size;
1da177e4 3063
49208c9c 3064 BT_DBG("chan %p", chan);
1da177e4 3065
73ffa904 3066 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3067 goto done;
3068
0c1bc5c6 3069 switch (chan->mode) {
f2fcfcd6
GP		 3070 case L2CAP_MODE_STREAMING:
3071 case L2CAP_MODE_ERTM:
c1360a1c 3072 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3073 break;
85eb53c6 3074
f89cef09
AE		 3075 if (__l2cap_efs_supported(chan))
3076 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3077
2ba13ed6 3078 /* fall through */
f2fcfcd6 3079 default:
8c1d787b 3080 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3081 break;
3082 }
3083
3084done:
0c1bc5c6
GP		 3085 if (chan->imtu != L2CAP_DEFAULT_MTU)
3086 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3087
0c1bc5c6 3088 switch (chan->mode) {
65c7c491 3089 case L2CAP_MODE_BASIC:
8c1d787b 3090 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3091 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3092 break;
3093
62547752
GP		 3094 rfc.mode = L2CAP_MODE_BASIC;
3095 rfc.txwin_size = 0;
3096 rfc.max_transmit = 0;
3097 rfc.retrans_timeout = 0;
3098 rfc.monitor_timeout = 0;
3099 rfc.max_pdu_size = 0;
3100
63406504 3101 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3102 (unsigned long) &rfc);
65c7c491
MH		 3103 break;
3104
3105 case L2CAP_MODE_ERTM:
3106 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3107 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3108
3109 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3110
3111 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3112 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3113 L2CAP_FCS_SIZE);
c8f79162 3114 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3115
6327eb98
AE		 3116 l2cap_txwin_setup(chan);
3117
3118 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3119 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3120
63406504 3121 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3122 (unsigned long) &rfc);
63406504 3123
f89cef09
AE		 3124 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3125 l2cap_add_opt_efs(&ptr, chan);
3126
6327eb98
AE		 3127 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3128 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3129 chan->tx_win);
60918918
AE		 3130
3131 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3132 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3133 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3134 chan->fcs = L2CAP_FCS_NONE;
3135 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3136 chan->fcs);
3137 }
f2fcfcd6
GP		 3138 break;
3139
3140 case L2CAP_MODE_STREAMING:
273759e2 3141 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3142 rfc.mode = L2CAP_MODE_STREAMING;
3143 rfc.txwin_size = 0;
3144 rfc.max_transmit = 0;
3145 rfc.retrans_timeout = 0;
3146 rfc.monitor_timeout = 0;
c8f79162
AE		 3147
3148 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3149 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3150 L2CAP_FCS_SIZE);
c8f79162 3151 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3152
63406504 3153 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3154 (unsigned long) &rfc);
63406504 3155
f89cef09
AE		 3156 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3157 l2cap_add_opt_efs(&ptr, chan);
3158
60918918
AE		 3159 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3160 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3161 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3162 chan->fcs = L2CAP_FCS_NONE;
3163 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3164 chan->fcs);
3165 }
65c7c491
MH		 3166 break;
3167 }
1da177e4 3168
fe4128e0 3169 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3170 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3171
3172 return ptr - data;
3173}
3174
73ffa904 3175static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3176{
5dee9e7c
MH		 3177 struct l2cap_conf_rsp *rsp = data;
3178 void *ptr = rsp->data;
73ffa904
GP		 3179 void *req = chan->conf_req;
3180 int len = chan->conf_len;
5dee9e7c
MH		 3181 int type, hint, olen;
3182 unsigned long val;
6464f35f 3183 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3184 struct l2cap_conf_efs efs;
3185 u8 remote_efs = 0;
861d6882 3186 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3187 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3188 u16 size;
1da177e4 3189
73ffa904 3190 BT_DBG("chan %p", chan);
820ae1b8 3191
5dee9e7c
MH		 3192 while (len >= L2CAP_CONF_OPT_SIZE) {
3193 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3194
589d2746 3195 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3196 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3197
3198 switch (type) {
3199 case L2CAP_CONF_MTU:
861d6882 3200 mtu = val;
5dee9e7c
MH		 3201 break;
3202
3203 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3204 chan->flush_to = val;
5dee9e7c
MH		 3205 break;
3206
3207 case L2CAP_CONF_QOS:
3208 break;
3209
6464f35f
MH		 3210 case L2CAP_CONF_RFC:
3211 if (olen == sizeof(rfc))
3212 memcpy(&rfc, (void *) val, olen);
3213 break;
3214
fcc203c3
GP		 3215 case L2CAP_CONF_FCS:
3216 if (val == L2CAP_FCS_NONE)
f2592d3e 3217 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3218 break;
fcc203c3 3219
42dceae2
AE		 3220 case L2CAP_CONF_EFS:
3221 remote_efs = 1;
3222 if (olen == sizeof(efs))
3223 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3224 break;
3225
6327eb98
AE		 3226 case L2CAP_CONF_EWS:
3227 if (!enable_hs)
3228 return -ECONNREFUSED;
fcc203c3 3229
6327eb98
AE		 3230 set_bit(FLAG_EXT_CTRL, &chan->flags);
3231 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3232 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3233 chan->remote_tx_win = val;
fcc203c3
GP		 3234 break;
3235
5dee9e7c
MH		 3236 default:
3237 if (hint)
3238 break;
3239
3240 result = L2CAP_CONF_UNKNOWN;
3241 *((u8 *) ptr++) = type;
3242 break;
3243 }
3244 }
3245
73ffa904 3246 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3247 goto done;
3248
0c1bc5c6 3249 switch (chan->mode) {
f2fcfcd6
GP		 3250 case L2CAP_MODE_STREAMING:
3251 case L2CAP_MODE_ERTM:
c1360a1c 3252 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3253 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3254 chan->conn->feat_mask);
85eb53c6
GP		 3255 break;
3256 }
3257
42dceae2
AE		 3258 if (remote_efs) {
3259 if (__l2cap_efs_supported(chan))
3260 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3261 else
3262 return -ECONNREFUSED;
3263 }
3264
0c1bc5c6 3265 if (chan->mode != rfc.mode)
f2fcfcd6 3266 return -ECONNREFUSED;
742e519b 3267
f2fcfcd6 3268 break;
f2fcfcd6
GP		 3269 }
3270
3271done:
0c1bc5c6 3272 if (chan->mode != rfc.mode) {
f2fcfcd6 3273 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3274 rfc.mode = chan->mode;
f2fcfcd6 3275
73ffa904 3276 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3277 return -ECONNREFUSED;
3278
2d792818
GP		 3279 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3280 (unsigned long) &rfc);
f2fcfcd6
GP		 3281 }
3282
5dee9e7c
MH		 3283 if (result == L2CAP_CONF_SUCCESS) {
3284 /* Configure output options and let the other side know
3285 * which ones we don't like. */
3286
f2fcfcd6
GP		 3287 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3288 result = L2CAP_CONF_UNACCEPT;
3289 else {
0c1bc5c6 3290 chan->omtu = mtu;
c1360a1c 3291 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3292 }
0c1bc5c6 3293 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3294
42dceae2
AE		 3295 if (remote_efs) {
3296 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3297 efs.stype != L2CAP_SERV_NOTRAFIC &&
3298 efs.stype != chan->local_stype) {
42dceae2
AE		 3299
3300 result = L2CAP_CONF_UNACCEPT;
3301
3302 if (chan->num_conf_req >= 1)
3303 return -ECONNREFUSED;
3304
3305 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3306 sizeof(efs),
3307 (unsigned long) &efs);
0e8b207e 3308 } else {
3e6b3b95 3309 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3310 result = L2CAP_CONF_PENDING;
3311 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3312 }
3313 }
3314
f2fcfcd6
GP		 3315 switch (rfc.mode) {
3316 case L2CAP_MODE_BASIC:
47d1ec61 3317 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3318 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3319 break;
3320
3321 case L2CAP_MODE_ERTM:
6327eb98
AE		 3322 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3323 chan->remote_tx_win = rfc.txwin_size;
3324 else
3325 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3326
2c03a7a4 3327 chan->remote_max_tx = rfc.max_transmit;
1c762159 3328
c8f79162 3329 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3330 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3331 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3332 rfc.max_pdu_size = cpu_to_le16(size);
3333 chan->remote_mps = size;
f2fcfcd6 3334
36c86c85 3335 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3336
c1360a1c 3337 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3338
3339 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3340 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3341
42dceae2
AE		 3342 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3343 chan->remote_id = efs.id;
3344 chan->remote_stype = efs.stype;
3345 chan->remote_msdu = le16_to_cpu(efs.msdu);
3346 chan->remote_flush_to =
2d792818 3347 le32_to_cpu(efs.flush_to);
42dceae2 3348 chan->remote_acc_lat =
2d792818 3349 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3350 chan->remote_sdu_itime =
3351 le32_to_cpu(efs.sdu_itime);
3352 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3353 sizeof(efs),
3354 (unsigned long) &efs);
42dceae2 3355 }
f2fcfcd6
GP		 3356 break;
3357
3358 case L2CAP_MODE_STREAMING:
c8f79162 3359 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3360 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3361 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3362 rfc.max_pdu_size = cpu_to_le16(size);
3363 chan->remote_mps = size;
f2fcfcd6 3364
c1360a1c 3365 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3366
2d792818
GP		 3367 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3368 (unsigned long) &rfc);
68ae6639 3369
f2fcfcd6
GP		 3370 break;
3371
3372 default:
5dee9e7c 3373 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3374
6464f35f 3375 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3376 rfc.mode = chan->mode;
f2fcfcd6 3377 }
6464f35f 3378
f2fcfcd6 3379 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3380 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3381 }
fe4128e0 3382 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3383 rsp->result = cpu_to_le16(result);
59e54bd1 3384 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3385
3386 return ptr - data;
1da177e4
LT		 3387}
3388
2d792818
GP		 3389static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3390 void *data, u16 *result)
f2fcfcd6 3391{
f2fcfcd6
GP		 3392 struct l2cap_conf_req *req = data;
3393 void *ptr = req->data;
3394 int type, olen;
3395 unsigned long val;
36e999a8 3396 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3397 struct l2cap_conf_efs efs;
f2fcfcd6 3398
fe4128e0 3399 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3400
3401 while (len >= L2CAP_CONF_OPT_SIZE) {
3402 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3403
3404 switch (type) {
3405 case L2CAP_CONF_MTU:
3406 if (val < L2CAP_DEFAULT_MIN_MTU) {
3407 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3408 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3409 } else
0c1bc5c6
GP		 3410 chan->imtu = val;
3411 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3412 break;
3413
3414 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3415 chan->flush_to = val;
f2fcfcd6 3416 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3417 2, chan->flush_to);
f2fcfcd6
GP		 3418 break;
3419
3420 case L2CAP_CONF_RFC:
3421 if (olen == sizeof(rfc))
3422 memcpy(&rfc, (void *)val, olen);
3423
c1360a1c 3424 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3425 rfc.mode != chan->mode)
f2fcfcd6
GP		 3426 return -ECONNREFUSED;
3427
47d1ec61 3428 chan->fcs = 0;
f2fcfcd6
GP		 3429
3430 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3431 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3432 break;
6327eb98
AE		 3433
3434 case L2CAP_CONF_EWS:
c20f8e35 3435 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3436 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3437 chan->tx_win);
6327eb98 3438 break;
66af7aaf
AE		 3439
3440 case L2CAP_CONF_EFS:
3441 if (olen == sizeof(efs))
3442 memcpy(&efs, (void *)val, olen);
3443
3444 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3445 efs.stype != L2CAP_SERV_NOTRAFIC &&
3446 efs.stype != chan->local_stype)
66af7aaf
AE		 3447 return -ECONNREFUSED;
3448
2d792818
GP		 3449 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3450 (unsigned long) &efs);
66af7aaf 3451 break;
cbabee78
AE		 3452
3453 case L2CAP_CONF_FCS:
3454 if (*result == L2CAP_CONF_PENDING)
3455 if (val == L2CAP_FCS_NONE)
f2592d3e 3456 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3457 &chan->conf_state);
3458 break;
f2fcfcd6
GP		 3459 }
3460 }
3461
0c1bc5c6 3462 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3463 return -ECONNREFUSED;
3464
0c1bc5c6 3465 chan->mode = rfc.mode;
6c2ea7a8 3466
0e8b207e 3467 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3468 switch (rfc.mode) {
3469 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3470 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3471 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3472 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3473 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3474 chan->ack_win = min_t(u16, chan->ack_win,
3475 rfc.txwin_size);
66af7aaf
AE		 3476
3477 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3478 chan->local_msdu = le16_to_cpu(efs.msdu);
3479 chan->local_sdu_itime =
2d792818 3480 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3481 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3482 chan->local_flush_to =
2d792818 3483 le32_to_cpu(efs.flush_to);
66af7aaf 3484 }
f2fcfcd6 3485 break;
66af7aaf 3486
f2fcfcd6 3487 case L2CAP_MODE_STREAMING:
47d1ec61 3488 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3489 }
3490 }
3491
fe4128e0 3492 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3493 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3494
3495 return ptr - data;
3496}
3497
2d792818
GP		 3498static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3499 u16 result, u16 flags)
1da177e4
LT		 3500{
3501 struct l2cap_conf_rsp *rsp = data;
3502 void *ptr = rsp->data;
1da177e4 3503
fe4128e0 3504 BT_DBG("chan %p", chan);
1da177e4 3505
fe4128e0 3506 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3507 rsp->result = cpu_to_le16(result);
aca3192c 3508 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3509
3510 return ptr - data;
3511}
3512
8c1d787b 3513void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3514{
3515 struct l2cap_conn_rsp rsp;
8c1d787b 3516 struct l2cap_conn *conn = chan->conn;
710f9b0a 3517 u8 buf[128];
439f34ac 3518 u8 rsp_code;
710f9b0a 3519
fe4128e0
GP		 3520 rsp.scid = cpu_to_le16(chan->dcid);
3521 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3522 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3523 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3524
3525 if (chan->hs_hcon)
3526 rsp_code = L2CAP_CREATE_CHAN_RSP;
3527 else
3528 rsp_code = L2CAP_CONN_RSP;
3529
3530 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3531
3532 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3533
c1360a1c 3534 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3535 return;
3536
710f9b0a 3537 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3538 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3539 chan->num_conf_req++;
3540}
3541
47d1ec61 3542static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3543{
7b1c0049
GP		 3544 int type, olen;
3545 unsigned long val;
c20f8e35
MM		 3546 /* Use sane default values in case a misbehaving remote device
3547 * did not send an RFC or extended window size option.
3548 */
3549 u16 txwin_ext = chan->ack_win;
3550 struct l2cap_conf_rfc rfc = {
3551 .mode = chan->mode,
3552 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3553 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3554 .max_pdu_size = cpu_to_le16(chan->imtu),
3555 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3556 };
7b1c0049 3557
47d1ec61 3558 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3559
0c1bc5c6 3560 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3561 return;
3562
3563 while (len >= L2CAP_CONF_OPT_SIZE) {
3564 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3565
c20f8e35
MM		 3566 switch (type) {
3567 case L2CAP_CONF_RFC:
3568 if (olen == sizeof(rfc))
3569 memcpy(&rfc, (void *)val, olen);
8f321f85 3570 break;
c20f8e35
MM		 3571 case L2CAP_CONF_EWS:
3572 txwin_ext = val;
3573 break;
3574 }
7b1c0049
GP		 3575 }
3576
7b1c0049
GP		 3577 switch (rfc.mode) {
3578 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3579 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3580 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3581 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3582 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3583 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3584 else
3585 chan->ack_win = min_t(u16, chan->ack_win,
3586 rfc.txwin_size);
7b1c0049
GP		 3587 break;
3588 case L2CAP_MODE_STREAMING:
47d1ec61 3589 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3590 }
3591}
3592
2d792818
GP		 3593static inline int l2cap_command_rej(struct l2cap_conn *conn,
3594 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3595{
e2fd318e 3596 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3597
e2fd318e 3598 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3599 return 0;
3600
3601 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3602 cmd->ident == conn->info_ident) {
17cd3f37 3603 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3604
3605 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3606 conn->info_ident = 0;
984947dc 3607
4e8402a3
MH		 3608 l2cap_conn_start(conn);
3609 }
3610
3611 return 0;
3612}
3613
1700915f
MM		 3614static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3615 struct l2cap_cmd_hdr *cmd,
3616 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3617{
1da177e4
LT		 3618 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3619 struct l2cap_conn_rsp rsp;
23691d75 3620 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3621 struct sock *parent, *sk = NULL;
e7c29cb1 3622 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3623
3624 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3625 __le16 psm = req->psm;
1da177e4 3626
097db76c 3627 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3628
3629 /* Check if we have socket listening on psm */
c2287681 3630 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3631 if (!pchan) {
1da177e4
LT		 3632 result = L2CAP_CR_BAD_PSM;
3633 goto sendresp;
3634 }
3635
23691d75
GP		 3636 parent = pchan->sk;
3637
3df91ea2 3638 mutex_lock(&conn->chan_lock);
aa2ac881 3639 lock_sock(parent);
e0f0cb56 3640
e7c29cb1 3641 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3642 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3643 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3644 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3645 result = L2CAP_CR_SEC_BLOCK;
3646 goto response;
3647 }
3648
1da177e4
LT		 3649 result = L2CAP_CR_NO_MEM;
3650
2dfa1003
GP		 3651 /* Check if we already have channel with that dcid */
3652 if (__l2cap_get_chan_by_dcid(conn, scid))
3653 goto response;
3654
80b98027 3655 chan = pchan->ops->new_connection(pchan);
80808e43 3656 if (!chan)
1da177e4
LT		 3657 goto response;
3658
80808e43
GP		 3659 sk = chan->sk;
3660
1da177e4
LT		 3661 hci_conn_hold(conn->hcon);
3662
1da177e4
LT		 3663 bacpy(&bt_sk(sk)->src, conn->src);
3664 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3665 chan->psm = psm;
3666 chan->dcid = scid;
1700915f 3667 chan->local_amp_id = amp_id;
1da177e4 3668
6be36555 3669 __l2cap_chan_add(conn, chan);
48454079 3670
fe4128e0 3671 dcid = chan->scid;
1da177e4 3672
c9b66675 3673 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3674
fc7f8a7e 3675 chan->ident = cmd->ident;
1da177e4 3676
984947dc 3677 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3678 if (l2cap_chan_check_security(chan)) {
c5daa683 3679 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3680 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3681 result = L2CAP_CR_PEND;
3682 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3683 chan->ops->defer(chan);
f66dc81f 3684 } else {
1700915f
MM		 3685 /* Force pending result for AMP controllers.
3686 * The connection will succeed after the
3687 * physical link is up.
3688 */
3689 if (amp_id) {
3690 __l2cap_state_change(chan, BT_CONNECT2);
3691 result = L2CAP_CR_PEND;
3692 } else {
3693 __l2cap_state_change(chan, BT_CONFIG);
3694 result = L2CAP_CR_SUCCESS;
3695 }
f66dc81f
MH		 3696 status = L2CAP_CS_NO_INFO;
3697 }
79d554a6 3698 } else {
0e587be7 3699 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3700 result = L2CAP_CR_PEND;
3701 status = L2CAP_CS_AUTHEN_PEND;
3702 }
3703 } else {
0e587be7 3704 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3705 result = L2CAP_CR_PEND;
3706 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3707 }
3708
1da177e4 3709response:
aa2ac881 3710 release_sock(parent);
3df91ea2 3711 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3712
3713sendresp:
aca3192c
YH		 3714 rsp.scid = cpu_to_le16(scid);
3715 rsp.dcid = cpu_to_le16(dcid);
3716 rsp.result = cpu_to_le16(result);
3717 rsp.status = cpu_to_le16(status);
4c89b6aa 3718 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3719
3720 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3721 struct l2cap_info_req info;
ac73498c 3722 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3723
3724 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3725 conn->info_ident = l2cap_get_ident(conn);
3726
ba13ccd9 3727 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3728
2d792818
GP		 3729 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3730 sizeof(info), &info);
79d554a6
MH		 3731 }
3732
c1360a1c 3733 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3734 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3735 u8 buf[128];
c1360a1c 3736 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3737 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3738 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3739 chan->num_conf_req++;
e9aeb2dd 3740 }
1700915f
MM		 3741
3742 return chan;
4c89b6aa 3743}
e9aeb2dd 3744
4c89b6aa
MM		 3745static int l2cap_connect_req(struct l2cap_conn *conn,
3746 struct l2cap_cmd_hdr *cmd, u8 *data)
3747{
7b064eda
JK		 3748 struct hci_dev *hdev = conn->hcon->hdev;
3749 struct hci_conn *hcon = conn->hcon;
3750
3751 hci_dev_lock(hdev);
3752 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3753 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3754 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3755 hcon->dst_type, 0, NULL, 0,
3756 hcon->dev_class);
3757 hci_dev_unlock(hdev);
3758
300229f9 3759 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3760 return 0;
3761}
3762
5909cf30 3763static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3764 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3765{
3766 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3767 u16 scid, dcid, result, status;
48454079 3768 struct l2cap_chan *chan;
1da177e4 3769 u8 req[128];
3df91ea2 3770 int err;
1da177e4
LT		 3771
3772 scid = __le16_to_cpu(rsp->scid);
3773 dcid = __le16_to_cpu(rsp->dcid);
3774 result = __le16_to_cpu(rsp->result);
3775 status = __le16_to_cpu(rsp->status);
3776
1b009c98 3777 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3778 dcid, scid, result, status);
1da177e4 3779
3df91ea2
AE		 3780 mutex_lock(&conn->chan_lock);
3781
1da177e4 3782 if (scid) {
3df91ea2
AE		 3783 chan = __l2cap_get_chan_by_scid(conn, scid);
3784 if (!chan) {
3785 err = -EFAULT;
3786 goto unlock;
3787 }
1da177e4 3788 } else {
3df91ea2
AE		 3789 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3790 if (!chan) {
3791 err = -EFAULT;
3792 goto unlock;
3793 }
1da177e4
LT		 3794 }
3795
3df91ea2
AE		 3796 err = 0;
3797
6be36555 3798 l2cap_chan_lock(chan);
48454079 3799
1da177e4
LT		 3800 switch (result) {
3801 case L2CAP_CR_SUCCESS:
89bc500e 3802 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3803 chan->ident = 0;
fe4128e0 3804 chan->dcid = dcid;
c1360a1c 3805 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3806
c1360a1c 3807 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3808 break;
3809
1da177e4 3810 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3811 l2cap_build_conf_req(chan, req), req);
73ffa904 3812 chan->num_conf_req++;
1da177e4
LT		 3813 break;
3814
3815 case L2CAP_CR_PEND:
c1360a1c 3816 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3817 break;
3818
3819 default:
48454079 3820 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3821 break;
3822 }
3823
6be36555 3824 l2cap_chan_unlock(chan);
3df91ea2
AE		 3825
3826unlock:
3827 mutex_unlock(&conn->chan_lock);
3828
3829 return err;
1da177e4
LT		 3830}
3831
47d1ec61 3832static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3833{
3834 /* FCS is enabled only in ERTM or streaming mode, if one or both
3835 * sides request it.
3836 */
0c1bc5c6 3837 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3838 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3839 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3840 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3841}
3842
29d8a590
AE		 3843static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3844 u8 ident, u16 flags)
3845{
3846 struct l2cap_conn *conn = chan->conn;
3847
3848 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3849 flags);
3850
3851 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3852 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3853
3854 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3855 l2cap_build_conf_rsp(chan, data,
3856 L2CAP_CONF_SUCCESS, flags), data);
3857}
3858
2d792818
GP		 3859static inline int l2cap_config_req(struct l2cap_conn *conn,
3860 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3861 u8 *data)
1da177e4
LT		 3862{
3863 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3864 u16 dcid, flags;
3865 u8 rsp[64];
48454079 3866 struct l2cap_chan *chan;
3c588192 3867 int len, err = 0;
1da177e4
LT		 3868
3869 dcid = __le16_to_cpu(req->dcid);
3870 flags = __le16_to_cpu(req->flags);
3871
3872 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3873
baa7e1fa 3874 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3875 if (!chan)
1da177e4
LT		 3876 return -ENOENT;
3877
033b1142 3878 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3879 struct l2cap_cmd_rej_cid rej;
3880
ac73498c 3881 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3882 rej.scid = cpu_to_le16(chan->scid);
3883 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3884
df6bd743 3885 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3886 sizeof(rej), &rej);
354f60a9 3887 goto unlock;
df6bd743 3888 }
354f60a9 3889
5dee9e7c 3890 /* Reject if config buffer is too small. */
88219a0f 3891 len = cmd_len - sizeof(*req);
7ac28817 3892 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3893 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3894 l2cap_build_conf_rsp(chan, rsp,
3895 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3896 goto unlock;
3897 }
3898
3899 /* Store config. */
73ffa904
GP		 3900 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3901 chan->conf_len += len;
1da177e4 3902
59e54bd1 3903 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3904 /* Incomplete config. Send empty response. */
3905 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3906 l2cap_build_conf_rsp(chan, rsp,
3907 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3908 goto unlock;
3909 }
3910
3911 /* Complete config. */
73ffa904 3912 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3913 if (len < 0) {
5e4e3972 3914 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 3915 goto unlock;
f2fcfcd6 3916 }
1da177e4 3917
1500109b 3918 chan->ident = cmd->ident;
5dee9e7c 3919 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3920 chan->num_conf_rsp++;
5dee9e7c 3921
5dee9e7c 3922 /* Reset config buffer. */
73ffa904 3923 chan->conf_len = 0;
5dee9e7c 3924
c1360a1c 3925 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3926 goto unlock;
3927
c1360a1c 3928 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3929 set_default_fcs(chan);
fcc203c3 3930
105bdf9e
MM		 3931 if (chan->mode == L2CAP_MODE_ERTM ||
3932 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3933 err = l2cap_ertm_init(chan);
3934
3935 if (err < 0)
5e4e3972 3936 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 3937 else
3938 l2cap_chan_ready(chan);
0565c1c2 3939
876d9484
MH		 3940 goto unlock;
3941 }
3942
c1360a1c 3943 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3944 u8 buf[64];
1da177e4 3945 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3946 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3947 chan->num_conf_req++;
1da177e4
LT		 3948 }
3949
0e8b207e
AE		 3950 /* Got Conf Rsp PENDING from remote side and asume we sent
3951 Conf Rsp PENDING in the code above */
3952 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3953 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3954
3955 /* check compatibility */
3956
79de886d 3957 /* Send rsp for BR/EDR channel */
f351bc72 3958 if (!chan->hs_hcon)
79de886d
AE		 3959 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3960 else
3961 chan->ident = cmd->ident;
0e8b207e
AE		 3962 }
3963
1da177e4 3964unlock:
6be36555 3965 l2cap_chan_unlock(chan);
3c588192 3966 return err;
1da177e4
LT		 3967}
3968
2d792818
GP		 3969static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3970 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3971{
3972 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3973 u16 scid, flags, result;
48454079 3974 struct l2cap_chan *chan;
61386cba 3975 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3976 int err = 0;
1da177e4
LT		 3977
3978 scid = __le16_to_cpu(rsp->scid);
3979 flags = __le16_to_cpu(rsp->flags);
3980 result = __le16_to_cpu(rsp->result);
3981
61386cba
AE		 3982 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3983 result, len);
1da177e4 3984
baa7e1fa 3985 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3986 if (!chan)
1da177e4
LT		 3987 return 0;
3988
3989 switch (result) {
3990 case L2CAP_CONF_SUCCESS:
47d1ec61 3991 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3992 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3993 break;
3994
0e8b207e
AE		 3995 case L2CAP_CONF_PENDING:
3996 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3997
3998 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3999 char buf[64];
4000
4001 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4002 buf, &result);
0e8b207e 4003 if (len < 0) {
5e4e3972 4004 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 4005 goto done;
4006 }
4007
f351bc72 4008 if (!chan->hs_hcon) {
79de886d
AE		 4009 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4010 0);
5ce66b59
AE		 4011 } else {
4012 if (l2cap_check_efs(chan)) {
4013 amp_create_logical_link(chan);
4014 chan->ident = cmd->ident;
4015 }
4016 }
0e8b207e
AE		 4017 }
4018 goto done;
4019
1da177e4 4020 case L2CAP_CONF_UNACCEPT:
73ffa904 4021 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 4022 char req[64];
4023
c2c77ec8 4024 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4025 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4026 goto done;
4027 }
4028
f2fcfcd6
GP		 4029 /* throw out any old stored conf requests */
4030 result = L2CAP_CONF_SUCCESS;
b4450035 4031 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4032 req, &result);
f2fcfcd6 4033 if (len < 0) {
5e4e3972 4034 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4035 goto done;
4036 }
4037
4038 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4039 L2CAP_CONF_REQ, len, req);
73ffa904 4040 chan->num_conf_req++;
f2fcfcd6
GP		 4041 if (result != L2CAP_CONF_SUCCESS)
4042 goto done;
4043 break;
1da177e4
LT		 4044 }
4045
8e87d142 4046 default:
6be36555 4047 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4048
ba13ccd9 4049 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4050 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4051 goto done;
4052 }
4053
59e54bd1 4054 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4055 goto done;
4056
c1360a1c 4057 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4058
c1360a1c 4059 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4060 set_default_fcs(chan);
fcc203c3 4061
105bdf9e
MM		 4062 if (chan->mode == L2CAP_MODE_ERTM ||
4063 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4064 err = l2cap_ertm_init(chan);
0565c1c2 4065
3c588192 4066 if (err < 0)
5e4e3972 4067 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4068 else
4069 l2cap_chan_ready(chan);
1da177e4
LT		 4070 }
4071
4072done:
6be36555 4073 l2cap_chan_unlock(chan);
3c588192 4074 return err;
1da177e4
LT		 4075}
4076
2d792818
GP		 4077static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4078 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4079{
4080 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4081 struct l2cap_disconn_rsp rsp;
4082 u16 dcid, scid;
48454079 4083 struct l2cap_chan *chan;
1da177e4
LT		 4084 struct sock *sk;
4085
4086 scid = __le16_to_cpu(req->scid);
4087 dcid = __le16_to_cpu(req->dcid);
4088
4089 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4090
3df91ea2
AE		 4091 mutex_lock(&conn->chan_lock);
4092
4093 chan = __l2cap_get_chan_by_scid(conn, dcid);
4094 if (!chan) {
4095 mutex_unlock(&conn->chan_lock);
1da177e4 4096 return 0;
3df91ea2 4097 }
1da177e4 4098
6be36555
AE		 4099 l2cap_chan_lock(chan);
4100
48454079
GP		 4101 sk = chan->sk;
4102
fe4128e0
GP		 4103 rsp.dcid = cpu_to_le16(chan->scid);
4104 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4105 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4106
6be36555 4107 lock_sock(sk);
1da177e4 4108 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4109 release_sock(sk);
1da177e4 4110
61d6ef3e 4111 l2cap_chan_hold(chan);
48454079 4112 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4113
4114 l2cap_chan_unlock(chan);
1da177e4 4115
80b98027 4116 chan->ops->close(chan);
61d6ef3e 4117 l2cap_chan_put(chan);
3df91ea2
AE		 4118
4119 mutex_unlock(&conn->chan_lock);
4120
1da177e4
LT		 4121 return 0;
4122}
4123
2d792818
GP		 4124static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4125 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4126{
4127 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4128 u16 dcid, scid;
48454079 4129 struct l2cap_chan *chan;
1da177e4
LT		 4130
4131 scid = __le16_to_cpu(rsp->scid);
4132 dcid = __le16_to_cpu(rsp->dcid);
4133
4134 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4135
3df91ea2
AE		 4136 mutex_lock(&conn->chan_lock);
4137
4138 chan = __l2cap_get_chan_by_scid(conn, scid);
4139 if (!chan) {
4140 mutex_unlock(&conn->chan_lock);
1da177e4 4141 return 0;
3df91ea2 4142 }
1da177e4 4143
6be36555 4144 l2cap_chan_lock(chan);
48454079 4145
61d6ef3e 4146 l2cap_chan_hold(chan);
48454079 4147 l2cap_chan_del(chan, 0);
6be36555
AE		 4148
4149 l2cap_chan_unlock(chan);
1da177e4 4150
80b98027 4151 chan->ops->close(chan);
61d6ef3e 4152 l2cap_chan_put(chan);
3df91ea2
AE		 4153
4154 mutex_unlock(&conn->chan_lock);
4155
1da177e4
LT		 4156 return 0;
4157}
4158
2d792818
GP		 4159static inline int l2cap_information_req(struct l2cap_conn *conn,
4160 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4161{
4162 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4163 u16 type;
4164
4165 type = __le16_to_cpu(req->type);
4166
4167 BT_DBG("type 0x%4.4x", type);
4168
f0709e03
MH		 4169 if (type == L2CAP_IT_FEAT_MASK) {
4170 u8 buf[8];
44dd46de 4171 u32 feat_mask = l2cap_feat_mask;
f0709e03 4172 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4173 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4174 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4175 if (!disable_ertm)
fcc203c3 4176 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4177 | L2CAP_FEAT_FCS;
a5fd6f30 4178 if (enable_hs)
6327eb98 4179 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4180 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4181
1b7bf4ed 4182 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4183 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4184 buf);
e1027a7c
MH		 4185 } else if (type == L2CAP_IT_FIXED_CHAN) {
4186 u8 buf[12];
4187 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4188
4189 if (enable_hs)
4190 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4191 else
4192 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4193
ac73498c
AE		 4194 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4195 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4196 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4197 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4198 buf);
f0709e03
MH		 4199 } else {
4200 struct l2cap_info_rsp rsp;
4201 rsp.type = cpu_to_le16(type);
ac73498c 4202 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4203 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4204 &rsp);
f0709e03 4205 }
1da177e4
LT		 4206
4207 return 0;
4208}
4209
2d792818
GP		 4210static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4211 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4212{
4213 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4214 u16 type, result;
4215
4216 type = __le16_to_cpu(rsp->type);
4217 result = __le16_to_cpu(rsp->result);
4218
4219 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4220
e90165be
AE		 4221 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4222 if (cmd->ident != conn->info_ident ||
2d792818 4223 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4224 return 0;
4225
17cd3f37 4226 cancel_delayed_work(&conn->info_timer);
4e8402a3 4227
adb08ede
VT		 4228 if (result != L2CAP_IR_SUCCESS) {
4229 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4230 conn->info_ident = 0;
4231
4232 l2cap_conn_start(conn);
4233
4234 return 0;
4235 }
4236
978c93b9
AE		 4237 switch (type) {
4238 case L2CAP_IT_FEAT_MASK:
83985319 4239 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4240
47ec1dcd 4241 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4242 struct l2cap_info_req req;
ac73498c 4243 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4244
4245 conn->info_ident = l2cap_get_ident(conn);
4246
4247 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4248 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4249 } else {
4250 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4251 conn->info_ident = 0;
4252
4253 l2cap_conn_start(conn);
4254 }
978c93b9
AE		 4255 break;
4256
4257 case L2CAP_IT_FIXED_CHAN:
4258 conn->fixed_chan_mask = rsp->data[0];
984947dc 4259 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4260 conn->info_ident = 0;
984947dc
MH		 4261
4262 l2cap_conn_start(conn);
978c93b9 4263 break;
984947dc 4264 }
4e8402a3 4265
1da177e4
LT		 4266 return 0;
4267}
4268
1700915f
MM		 4269static int l2cap_create_channel_req(struct l2cap_conn *conn,
4270 struct l2cap_cmd_hdr *cmd,
4271 u16 cmd_len, void *data)
f94ff6ff
MM		 4272{
4273 struct l2cap_create_chan_req *req = data;
6e1df6a6 4274 struct l2cap_create_chan_rsp rsp;
1700915f 4275 struct l2cap_chan *chan;
6e1df6a6 4276 struct hci_dev *hdev;
f94ff6ff
MM		 4277 u16 psm, scid;
4278
4279 if (cmd_len != sizeof(*req))
4280 return -EPROTO;
4281
4282 if (!enable_hs)
4283 return -EINVAL;
4284
4285 psm = le16_to_cpu(req->psm);
4286 scid = le16_to_cpu(req->scid);
4287
ad0ac6ca 4288 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4289
6e1df6a6
AE		 4290 /* For controller id 0 make BR/EDR connection */
4291 if (req->amp_id == HCI_BREDR_ID) {
4292 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4293 req->amp_id);
4294 return 0;
4295 }
1700915f 4296
6e1df6a6
AE		 4297 /* Validate AMP controller id */
4298 hdev = hci_dev_get(req->amp_id);
4299 if (!hdev)
4300 goto error;
1700915f 4301
6e1df6a6
AE		 4302 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4303 hci_dev_put(hdev);
4304 goto error;
4305 }
1700915f 4306
6e1df6a6
AE		 4307 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4308 req->amp_id);
4309 if (chan) {
4310 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4311 struct hci_conn *hs_hcon;
1700915f 4312
6e1df6a6
AE		 4313 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4314 if (!hs_hcon) {
4315 hci_dev_put(hdev);
4316 return -EFAULT;
1700915f
MM		 4317 }
4318
6e1df6a6
AE		 4319 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4320
6e1df6a6
AE		 4321 mgr->bredr_chan = chan;
4322 chan->hs_hcon = hs_hcon;
fd45bf4c 4323 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4324 conn->mtu = hdev->block_mtu;
1700915f 4325 }
f94ff6ff 4326
6e1df6a6 4327 hci_dev_put(hdev);
f94ff6ff
MM		 4328
4329 return 0;
6e1df6a6
AE		 4330
4331error:
4332 rsp.dcid = 0;
4333 rsp.scid = cpu_to_le16(scid);
4334 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4335 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4336
4337 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4338 sizeof(rsp), &rsp);
4339
4340 return -EFAULT;
f94ff6ff
MM		 4341}
4342
8eb200bd
MM		 4343static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4344{
4345 struct l2cap_move_chan_req req;
4346 u8 ident;
4347
4348 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4349
4350 ident = l2cap_get_ident(chan->conn);
4351 chan->ident = ident;
4352
4353 req.icid = cpu_to_le16(chan->scid);
4354 req.dest_amp_id = dest_amp_id;
4355
4356 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4357 &req);
4358
4359 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4360}
4361
1500109b 4362static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4363{
4364 struct l2cap_move_chan_rsp rsp;
4365
1500109b 4366 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4367
1500109b 4368 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4369 rsp.result = cpu_to_le16(result);
4370
1500109b
MM		 4371 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4372 sizeof(rsp), &rsp);
8d5a04a1
MM		 4373}
4374
5b155ef9 4375static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4376{
4377 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4378
5b155ef9 4379 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4380
5b155ef9 4381 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4382
5b155ef9 4383 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4384 cfm.result = cpu_to_le16(result);
4385
5b155ef9
MM		 4386 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4387 sizeof(cfm), &cfm);
4388
4389 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4390}
4391
4392static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4393{
4394 struct l2cap_move_chan_cfm cfm;
4395
4396 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4397
4398 cfm.icid = cpu_to_le16(icid);
4399 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4400
4401 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4402 sizeof(cfm), &cfm);
8d5a04a1
MM		 4403}
4404
4405static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4406 u16 icid)
8d5a04a1
MM		 4407{
4408 struct l2cap_move_chan_cfm_rsp rsp;
4409
ad0ac6ca 4410 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4411
4412 rsp.icid = cpu_to_le16(icid);
4413 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4414}
4415
5f3847a4
MM		 4416static void __release_logical_link(struct l2cap_chan *chan)
4417{
4418 chan->hs_hchan = NULL;
4419 chan->hs_hcon = NULL;
4420
4421 /* Placeholder - release the logical link */
4422}
4423
1500109b
MM		 4424static void l2cap_logical_fail(struct l2cap_chan *chan)
4425{
4426 /* Logical link setup failed */
4427 if (chan->state != BT_CONNECTED) {
4428 /* Create channel failure, disconnect */
5e4e3972 4429 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4430 return;
4431 }
4432
4433 switch (chan->move_role) {
4434 case L2CAP_MOVE_ROLE_RESPONDER:
4435 l2cap_move_done(chan);
4436 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4437 break;
4438 case L2CAP_MOVE_ROLE_INITIATOR:
4439 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4440 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4441 /* Remote has only sent pending or
4442 * success responses, clean up
4443 */
4444 l2cap_move_done(chan);
4445 }
4446
4447 /* Other amp move states imply that the move
4448 * has already aborted
4449 */
4450 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4451 break;
4452 }
4453}
4454
4455static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4456 struct hci_chan *hchan)
4457{
4458 struct l2cap_conf_rsp rsp;
1500109b 4459
336178a3 4460 chan->hs_hchan = hchan;
1500109b
MM		 4461 chan->hs_hcon->l2cap_data = chan->conn;
4462
35ba9561 4463 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4464
4465 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4466 int err;
1500109b
MM		 4467
4468 set_default_fcs(chan);
4469
4470 err = l2cap_ertm_init(chan);
4471 if (err < 0)
5e4e3972 4472 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4473 else
4474 l2cap_chan_ready(chan);
4475 }
4476}
4477
4478static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4479 struct hci_chan *hchan)
4480{
4481 chan->hs_hcon = hchan->conn;
4482 chan->hs_hcon->l2cap_data = chan->conn;
4483
4484 BT_DBG("move_state %d", chan->move_state);
4485
4486 switch (chan->move_state) {
4487 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4488 /* Move confirm will be sent after a success
4489 * response is received
4490 */
4491 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4492 break;
4493 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4494 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4495 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4496 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4497 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4498 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4499 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4500 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4501 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4502 }
4503 break;
4504 default:
4505 /* Move was not in expected state, free the channel */
4506 __release_logical_link(chan);
4507
4508 chan->move_state = L2CAP_MOVE_STABLE;
4509 }
4510}
4511
4512/* Call with chan locked */
27695fb4
AE		 4513void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4514 u8 status)
5b155ef9 4515{
1500109b
MM		 4516 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4517
4518 if (status) {
4519 l2cap_logical_fail(chan);
4520 __release_logical_link(chan);
4521 return;
4522 }
4523
4524 if (chan->state != BT_CONNECTED) {
4525 /* Ignore logical link if channel is on BR/EDR */
4526 if (chan->local_amp_id)
4527 l2cap_logical_finish_create(chan, hchan);
4528 } else {
4529 l2cap_logical_finish_move(chan, hchan);
4530 }
5b155ef9
MM		 4531}
4532
3f7a56c4
MM		 4533void l2cap_move_start(struct l2cap_chan *chan)
4534{
4535 BT_DBG("chan %p", chan);
4536
4537 if (chan->local_amp_id == HCI_BREDR_ID) {
4538 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4539 return;
4540 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4541 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4542 /* Placeholder - start physical link setup */
4543 } else {
4544 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4545 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4546 chan->move_id = 0;
4547 l2cap_move_setup(chan);
4548 l2cap_send_move_chan_req(chan, 0);
4549 }
4550}
4551
8eb200bd
MM		 4552static void l2cap_do_create(struct l2cap_chan *chan, int result,
4553 u8 local_amp_id, u8 remote_amp_id)
4554{
62748ca1
AE		 4555 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4556 local_amp_id, remote_amp_id);
4557
12d6cc60
AE		 4558 chan->fcs = L2CAP_FCS_NONE;
4559
62748ca1
AE		 4560 /* Outgoing channel on AMP */
4561 if (chan->state == BT_CONNECT) {
4562 if (result == L2CAP_CR_SUCCESS) {
4563 chan->local_amp_id = local_amp_id;
4564 l2cap_send_create_chan_req(chan, remote_amp_id);
4565 } else {
4566 /* Revert to BR/EDR connect */
4567 l2cap_send_conn_req(chan);
4568 }
4569
4570 return;
4571 }
4572
4573 /* Incoming channel on AMP */
4574 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4575 struct l2cap_conn_rsp rsp;
4576 char buf[128];
4577 rsp.scid = cpu_to_le16(chan->dcid);
4578 rsp.dcid = cpu_to_le16(chan->scid);
4579
8eb200bd
MM		 4580 if (result == L2CAP_CR_SUCCESS) {
4581 /* Send successful response */
62cd50e2
AE		 4582 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4583 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4584 } else {
4585 /* Send negative response */
62cd50e2
AE		 4586 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4587 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4588 }
4589
4590 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4591 sizeof(rsp), &rsp);
4592
4593 if (result == L2CAP_CR_SUCCESS) {
4594 __l2cap_state_change(chan, BT_CONFIG);
4595 set_bit(CONF_REQ_SENT, &chan->conf_state);
4596 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4597 L2CAP_CONF_REQ,
4598 l2cap_build_conf_req(chan, buf), buf);
4599 chan->num_conf_req++;
4600 }
8eb200bd
MM		 4601 }
4602}
4603
4604static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4605 u8 remote_amp_id)
4606{
4607 l2cap_move_setup(chan);
4608 chan->move_id = local_amp_id;
4609 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4610
4611 l2cap_send_move_chan_req(chan, remote_amp_id);
4612}
4613
4614static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4615{
4616 struct hci_chan *hchan = NULL;
4617
4618 /* Placeholder - get hci_chan for logical link */
4619
4620 if (hchan) {
4621 if (hchan->state == BT_CONNECTED) {
4622 /* Logical link is ready to go */
4623 chan->hs_hcon = hchan->conn;
4624 chan->hs_hcon->l2cap_data = chan->conn;
4625 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4626 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4627
4628 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4629 } else {
4630 /* Wait for logical link to be ready */
4631 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4632 }
4633 } else {
4634 /* Logical link not available */
4635 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4636 }
4637}
4638
4639static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4640{
4641 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4642 u8 rsp_result;
4643 if (result == -EINVAL)
4644 rsp_result = L2CAP_MR_BAD_ID;
4645 else
4646 rsp_result = L2CAP_MR_NOT_ALLOWED;
4647
4648 l2cap_send_move_chan_rsp(chan, rsp_result);
4649 }
4650
4651 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4652 chan->move_state = L2CAP_MOVE_STABLE;
4653
4654 /* Restart data transmission */
4655 l2cap_ertm_send(chan);
4656}
4657
a514b17f
AE		 4658/* Invoke with locked chan */
4659void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4660{
770bfefa 4661 u8 local_amp_id = chan->local_amp_id;
fffadc08 4662 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4663
8eb200bd
MM		 4664 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4665 chan, result, local_amp_id, remote_amp_id);
4666
8eb200bd
MM		 4667 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4668 l2cap_chan_unlock(chan);
4669 return;
4670 }
4671
4672 if (chan->state != BT_CONNECTED) {
4673 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4674 } else if (result != L2CAP_MR_SUCCESS) {
4675 l2cap_do_move_cancel(chan, result);
4676 } else {
4677 switch (chan->move_role) {
4678 case L2CAP_MOVE_ROLE_INITIATOR:
4679 l2cap_do_move_initiate(chan, local_amp_id,
4680 remote_amp_id);
4681 break;
4682 case L2CAP_MOVE_ROLE_RESPONDER:
4683 l2cap_do_move_respond(chan, result);
4684 break;
4685 default:
4686 l2cap_do_move_cancel(chan, result);
4687 break;
4688 }
4689 }
8eb200bd
MM		 4690}
4691
8d5a04a1 4692static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4693 struct l2cap_cmd_hdr *cmd,
4694 u16 cmd_len, void *data)
8d5a04a1
MM		 4695{
4696 struct l2cap_move_chan_req *req = data;
1500109b 4697 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4698 struct l2cap_chan *chan;
8d5a04a1
MM		 4699 u16 icid = 0;
4700 u16 result = L2CAP_MR_NOT_ALLOWED;
4701
4702 if (cmd_len != sizeof(*req))
4703 return -EPROTO;
4704
4705 icid = le16_to_cpu(req->icid);
4706
ad0ac6ca 4707 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4708
4709 if (!enable_hs)
4710 return -EINVAL;
4711
02b0fbb9
MM		 4712 chan = l2cap_get_chan_by_dcid(conn, icid);
4713 if (!chan) {
1500109b
MM		 4714 rsp.icid = cpu_to_le16(icid);
4715 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4716 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4717 sizeof(rsp), &rsp);
02b0fbb9
MM		 4718 return 0;
4719 }
4720
1500109b
MM		 4721 chan->ident = cmd->ident;
4722
02b0fbb9
MM		 4723 if (chan->scid < L2CAP_CID_DYN_START ||
4724 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4725 (chan->mode != L2CAP_MODE_ERTM &&
4726 chan->mode != L2CAP_MODE_STREAMING)) {
4727 result = L2CAP_MR_NOT_ALLOWED;
4728 goto send_move_response;
4729 }
4730
4731 if (chan->local_amp_id == req->dest_amp_id) {
4732 result = L2CAP_MR_SAME_ID;
4733 goto send_move_response;
4734 }
4735
4736 if (req->dest_amp_id) {
4737 struct hci_dev *hdev;
4738 hdev = hci_dev_get(req->dest_amp_id);
4739 if (!hdev || hdev->dev_type != HCI_AMP ||
4740 !test_bit(HCI_UP, &hdev->flags)) {
4741 if (hdev)
4742 hci_dev_put(hdev);
4743
4744 result = L2CAP_MR_BAD_ID;
4745 goto send_move_response;
4746 }
4747 hci_dev_put(hdev);
4748 }
4749
4750 /* Detect a move collision. Only send a collision response
4751 * if this side has "lost", otherwise proceed with the move.
4752 * The winner has the larger bd_addr.
4753 */
4754 if ((__chan_is_moving(chan) ||
4755 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4756 bacmp(conn->src, conn->dst) > 0) {
4757 result = L2CAP_MR_COLLISION;
4758 goto send_move_response;
4759 }
4760
02b0fbb9
MM		 4761 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4762 l2cap_move_setup(chan);
4763 chan->move_id = req->dest_amp_id;
4764 icid = chan->dcid;
4765
4766 if (!req->dest_amp_id) {
4767 /* Moving to BR/EDR */
4768 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4769 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4770 result = L2CAP_MR_PEND;
4771 } else {
4772 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4773 result = L2CAP_MR_SUCCESS;
4774 }
4775 } else {
4776 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4777 /* Placeholder - uncomment when amp functions are available */
4778 /*amp_accept_physical(chan, req->dest_amp_id);*/
4779 result = L2CAP_MR_PEND;
4780 }
4781
4782send_move_response:
1500109b 4783 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4784
02b0fbb9
MM		 4785 l2cap_chan_unlock(chan);
4786
8d5a04a1
MM		 4787 return 0;
4788}
4789
5b155ef9
MM		 4790static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4791{
4792 struct l2cap_chan *chan;
4793 struct hci_chan *hchan = NULL;
4794
4795 chan = l2cap_get_chan_by_scid(conn, icid);
4796 if (!chan) {
4797 l2cap_send_move_chan_cfm_icid(conn, icid);
4798 return;
4799 }
4800
4801 __clear_chan_timer(chan);
4802 if (result == L2CAP_MR_PEND)
4803 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4804
4805 switch (chan->move_state) {
4806 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4807 /* Move confirm will be sent when logical link
4808 * is complete.
4809 */
4810 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4811 break;
4812 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4813 if (result == L2CAP_MR_PEND) {
4814 break;
4815 } else if (test_bit(CONN_LOCAL_BUSY,
4816 &chan->conn_state)) {
4817 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4818 } else {
4819 /* Logical link is up or moving to BR/EDR,
4820 * proceed with move
4821 */
4822 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4823 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4824 }
4825 break;
4826 case L2CAP_MOVE_WAIT_RSP:
4827 /* Moving to AMP */
4828 if (result == L2CAP_MR_SUCCESS) {
4829 /* Remote is ready, send confirm immediately
4830 * after logical link is ready
4831 */
4832 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4833 } else {
4834 /* Both logical link and move success
4835 * are required to confirm
4836 */
4837 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4838 }
4839
4840 /* Placeholder - get hci_chan for logical link */
4841 if (!hchan) {
4842 /* Logical link not available */
4843 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4844 break;
4845 }
4846
4847 /* If the logical link is not yet connected, do not
4848 * send confirmation.
4849 */
4850 if (hchan->state != BT_CONNECTED)
4851 break;
4852
4853 /* Logical link is already ready to go */
4854
4855 chan->hs_hcon = hchan->conn;
4856 chan->hs_hcon->l2cap_data = chan->conn;
4857
4858 if (result == L2CAP_MR_SUCCESS) {
4859 /* Can confirm now */
4860 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4861 } else {
4862 /* Now only need move success
4863 * to confirm
4864 */
4865 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4866 }
4867
4868 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4869 break;
4870 default:
4871 /* Any other amp move state means the move failed. */
4872 chan->move_id = chan->local_amp_id;
4873 l2cap_move_done(chan);
4874 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4875 }
4876
4877 l2cap_chan_unlock(chan);
4878}
4879
4880static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
4881 u16 result)
4882{
4883 struct l2cap_chan *chan;
4884
4885 chan = l2cap_get_chan_by_ident(conn, ident);
4886 if (!chan) {
4887 /* Could not locate channel, icid is best guess */
4888 l2cap_send_move_chan_cfm_icid(conn, icid);
4889 return;
4890 }
4891
4892 __clear_chan_timer(chan);
4893
4894 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4895 if (result == L2CAP_MR_COLLISION) {
4896 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4897 } else {
4898 /* Cleanup - cancel move */
4899 chan->move_id = chan->local_amp_id;
4900 l2cap_move_done(chan);
4901 }
4902 }
4903
4904 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4905
4906 l2cap_chan_unlock(chan);
4907}
4908
4909static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4910 struct l2cap_cmd_hdr *cmd,
4911 u16 cmd_len, void *data)
8d5a04a1
MM		 4912{
4913 struct l2cap_move_chan_rsp *rsp = data;
4914 u16 icid, result;
4915
4916 if (cmd_len != sizeof(*rsp))
4917 return -EPROTO;
4918
4919 icid = le16_to_cpu(rsp->icid);
4920 result = le16_to_cpu(rsp->result);
4921
ad0ac6ca 4922 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4923
5b155ef9
MM		 4924 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
4925 l2cap_move_continue(conn, icid, result);
4926 else
4927 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 4928
4929 return 0;
4930}
4931
5f3847a4
MM		 4932static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4933 struct l2cap_cmd_hdr *cmd,
4934 u16 cmd_len, void *data)
8d5a04a1
MM		 4935{
4936 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4937 struct l2cap_chan *chan;
8d5a04a1
MM		 4938 u16 icid, result;
4939
4940 if (cmd_len != sizeof(*cfm))
4941 return -EPROTO;
4942
4943 icid = le16_to_cpu(cfm->icid);
4944 result = le16_to_cpu(cfm->result);
4945
ad0ac6ca 4946 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4947
5f3847a4
MM		 4948 chan = l2cap_get_chan_by_dcid(conn, icid);
4949 if (!chan) {
4950 /* Spec requires a response even if the icid was not found */
4951 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4952 return 0;
4953 }
4954
4955 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4956 if (result == L2CAP_MC_CONFIRMED) {
4957 chan->local_amp_id = chan->move_id;
4958 if (!chan->local_amp_id)
4959 __release_logical_link(chan);
4960 } else {
4961 chan->move_id = chan->local_amp_id;
4962 }
4963
4964 l2cap_move_done(chan);
4965 }
4966
8d5a04a1
MM		 4967 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4968
5f3847a4
MM		 4969 l2cap_chan_unlock(chan);
4970
8d5a04a1
MM		 4971 return 0;
4972}
4973
4974static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4975 struct l2cap_cmd_hdr *cmd,
4976 u16 cmd_len, void *data)
8d5a04a1
MM		 4977{
4978 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 4979 struct l2cap_chan *chan;
8d5a04a1
MM		 4980 u16 icid;
4981
4982 if (cmd_len != sizeof(*rsp))
4983 return -EPROTO;
4984
4985 icid = le16_to_cpu(rsp->icid);
4986
ad0ac6ca 4987 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 4988
3fd71a0a
MM		 4989 chan = l2cap_get_chan_by_scid(conn, icid);
4990 if (!chan)
4991 return 0;
4992
4993 __clear_chan_timer(chan);
4994
4995 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
4996 chan->local_amp_id = chan->move_id;
4997
4998 if (!chan->local_amp_id && chan->hs_hchan)
4999 __release_logical_link(chan);
5000
5001 l2cap_move_done(chan);
5002 }
5003
5004 l2cap_chan_unlock(chan);
5005
8d5a04a1
MM		 5006 return 0;
5007}
5008
e2174ca4 5009static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 5010 u16 to_multiplier)
de73115a
CT		 5011{
5012 u16 max_latency;
5013
5014 if (min > max || min < 6 || max > 3200)
5015 return -EINVAL;
5016
5017 if (to_multiplier < 10 || to_multiplier > 3200)
5018 return -EINVAL;
5019
5020 if (max >= to_multiplier * 8)
5021 return -EINVAL;
5022
5023 max_latency = (to_multiplier * 8 / max) - 1;
5024 if (latency > 499 || latency > max_latency)
5025 return -EINVAL;
5026
5027 return 0;
5028}
5029
5030static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5031 struct l2cap_cmd_hdr *cmd,
5032 u8 *data)
de73115a
CT		 5033{
5034 struct hci_conn *hcon = conn->hcon;
5035 struct l2cap_conn_param_update_req *req;
5036 struct l2cap_conn_param_update_rsp rsp;
5037 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5038 int err;
de73115a
CT		 5039
5040 if (!(hcon->link_mode & HCI_LM_MASTER))
5041 return -EINVAL;
5042
5043 cmd_len = __le16_to_cpu(cmd->len);
5044 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5045 return -EPROTO;
5046
5047 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5048 min = __le16_to_cpu(req->min);
5049 max = __le16_to_cpu(req->max);
de73115a
CT		 5050 latency = __le16_to_cpu(req->latency);
5051 to_multiplier = __le16_to_cpu(req->to_multiplier);
5052
5053 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5054 min, max, latency, to_multiplier);
de73115a
CT		 5055
5056 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5057
5058 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5059 if (err)
ac73498c 5060 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5061 else
ac73498c 5062 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5063
5064 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5065 sizeof(rsp), &rsp);
de73115a 5066
2ce603eb
CT		 5067 if (!err)
5068 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5069
de73115a
CT		 5070 return 0;
5071}
5072
3300d9a9 5073static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5074 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5075 u8 *data)
3300d9a9
CT		 5076{
5077 int err = 0;
5078
5079 switch (cmd->code) {
5080 case L2CAP_COMMAND_REJ:
5081 l2cap_command_rej(conn, cmd, data);
5082 break;
5083
5084 case L2CAP_CONN_REQ:
5085 err = l2cap_connect_req(conn, cmd, data);
5086 break;
5087
5088 case L2CAP_CONN_RSP:
f5a2598d 5089 case L2CAP_CREATE_CHAN_RSP:
5909cf30 5090 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 5091 break;
5092
5093 case L2CAP_CONF_REQ:
5094 err = l2cap_config_req(conn, cmd, cmd_len, data);
5095 break;
5096
5097 case L2CAP_CONF_RSP:
5098 err = l2cap_config_rsp(conn, cmd, data);
5099 break;
5100
5101 case L2CAP_DISCONN_REQ:
5102 err = l2cap_disconnect_req(conn, cmd, data);
5103 break;
5104
5105 case L2CAP_DISCONN_RSP:
5106 err = l2cap_disconnect_rsp(conn, cmd, data);
5107 break;
5108
5109 case L2CAP_ECHO_REQ:
5110 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5111 break;
5112
5113 case L2CAP_ECHO_RSP:
5114 break;
5115
5116 case L2CAP_INFO_REQ:
5117 err = l2cap_information_req(conn, cmd, data);
5118 break;
5119
5120 case L2CAP_INFO_RSP:
5121 err = l2cap_information_rsp(conn, cmd, data);
5122 break;
5123
f94ff6ff
MM		 5124 case L2CAP_CREATE_CHAN_REQ:
5125 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5126 break;
5127
8d5a04a1
MM		 5128 case L2CAP_MOVE_CHAN_REQ:
5129 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5130 break;
5131
5132 case L2CAP_MOVE_CHAN_RSP:
5133 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5134 break;
5135
5136 case L2CAP_MOVE_CHAN_CFM:
5137 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5138 break;
5139
5140 case L2CAP_MOVE_CHAN_CFM_RSP:
5141 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5142 break;
5143
3300d9a9
CT		 5144 default:
5145 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5146 err = -EINVAL;
5147 break;
5148 }
5149
5150 return err;
5151}
5152
5153static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5154 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5155{
5156 switch (cmd->code) {
5157 case L2CAP_COMMAND_REJ:
5158 return 0;
5159
5160 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5161 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5162
5163 case L2CAP_CONN_PARAM_UPDATE_RSP:
5164 return 0;
5165
5166 default:
5167 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5168 return -EINVAL;
5169 }
5170}
5171
5172static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5173 struct sk_buff *skb)
1da177e4
LT		 5174{
5175 u8 *data = skb->data;
5176 int len = skb->len;
5177 struct l2cap_cmd_hdr cmd;
3300d9a9 5178 int err;
1da177e4
LT		 5179
5180 l2cap_raw_recv(conn, skb);
5181
5182 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5183 u16 cmd_len;
1da177e4
LT		 5184 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5185 data += L2CAP_CMD_HDR_SIZE;
5186 len -= L2CAP_CMD_HDR_SIZE;
5187
88219a0f 5188 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5189
2d792818
GP		 5190 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5191 cmd.ident);
1da177e4 5192
88219a0f 5193 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5194 BT_DBG("corrupted command");
5195 break;
5196 }
5197
3300d9a9
CT		 5198 if (conn->hcon->type == LE_LINK)
5199 err = l2cap_le_sig_cmd(conn, &cmd, data);
5200 else
5201 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 5202
5203 if (err) {
e2fd318e 5204 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5205
5206 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5207
5208 /* FIXME: Map err to a valid reason */
ac73498c 5209 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5210 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5211 sizeof(rej), &rej);
1da177e4
LT		 5212 }
5213
88219a0f
AV		 5214 data += cmd_len;
5215 len -= cmd_len;
1da177e4
LT		 5216 }
5217
5218 kfree_skb(skb);
5219}
5220
47d1ec61 5221static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5222{
5223 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5224 int hdr_size;
5225
5226 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5227 hdr_size = L2CAP_EXT_HDR_SIZE;
5228 else
5229 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5230
47d1ec61 5231 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5232 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5233 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5234 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5235
5236 if (our_fcs != rcv_fcs)
7a560e5c 5237 return -EBADMSG;
fcc203c3
GP		 5238 }
5239 return 0;
5240}
5241
6ea00485 5242static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5243{
e31f7633 5244 struct l2cap_ctrl control;
d5392c8f 5245
e31f7633 5246 BT_DBG("chan %p", chan);
d5392c8f 5247
e31f7633
MM		 5248 memset(&control, 0, sizeof(control));
5249 control.sframe = 1;
5250 control.final = 1;
5251 control.reqseq = chan->buffer_seq;
5252 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5253
e2ab4353 5254 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5255 control.super = L2CAP_SUPER_RNR;
5256 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5257 }
5258
e31f7633
MM		 5259 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5260 chan->unacked_frames > 0)
5261 __set_retrans_timer(chan);
d5392c8f 5262
e31f7633 5263 /* Send pending iframes */
525cd185 5264 l2cap_ertm_send(chan);
d5392c8f 5265
e2ab4353 5266 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5267 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5268 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5269 * send it now.
5270 */
5271 control.super = L2CAP_SUPER_RR;
5272 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5273 }
5274}
5275
2d792818
GP		 5276static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5277 struct sk_buff **last_frag)
18778a63 5278{
84084a31
MM		 5279 /* skb->len reflects data in skb as well as all fragments
5280 * skb->data_len reflects only data in fragments
5281 */
5282 if (!skb_has_frag_list(skb))
5283 skb_shinfo(skb)->frag_list = new_frag;
5284
5285 new_frag->next = NULL;
5286
5287 (*last_frag)->next = new_frag;
5288 *last_frag = new_frag;
5289
5290 skb->len += new_frag->len;
5291 skb->data_len += new_frag->len;
5292 skb->truesize += new_frag->truesize;
5293}
5294
4b51dae9
MM		 5295static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5296 struct l2cap_ctrl *control)
84084a31
MM		 5297{
5298 int err = -EINVAL;
18778a63 5299
4b51dae9 5300 switch (control->sar) {
7e0ef6ee 5301 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5302 if (chan->sdu)
5303 break;
18778a63 5304
80b98027 5305 err = chan->ops->recv(chan, skb);
84084a31 5306 break;
18778a63 5307
7e0ef6ee 5308 case L2CAP_SAR_START:
84084a31
MM		 5309 if (chan->sdu)
5310 break;
18778a63 5311
6f61fd47 5312 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5313 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5314
84084a31
MM		 5315 if (chan->sdu_len > chan->imtu) {
5316 err = -EMSGSIZE;
5317 break;
5318 }
1890d36b 5319
84084a31
MM		 5320 if (skb->len >= chan->sdu_len)
5321 break;
18778a63 5322
84084a31
MM		 5323 chan->sdu = skb;
5324 chan->sdu_last_frag = skb;
18778a63 5325
84084a31
MM		 5326 skb = NULL;
5327 err = 0;
18778a63
GP		 5328 break;
5329
7e0ef6ee 5330 case L2CAP_SAR_CONTINUE:
6f61fd47 5331 if (!chan->sdu)
84084a31 5332 break;
18778a63 5333
84084a31
MM		 5334 append_skb_frag(chan->sdu, skb,
5335 &chan->sdu_last_frag);
5336 skb = NULL;
18778a63 5337
84084a31
MM		 5338 if (chan->sdu->len >= chan->sdu_len)
5339 break;
4178ba46 5340
84084a31 5341 err = 0;
18778a63
GP		 5342 break;
5343
7e0ef6ee 5344 case L2CAP_SAR_END:
6f61fd47 5345 if (!chan->sdu)
84084a31 5346 break;
18778a63 5347
84084a31
MM		 5348 append_skb_frag(chan->sdu, skb,
5349 &chan->sdu_last_frag);
5350 skb = NULL;
4178ba46 5351
84084a31
MM		 5352 if (chan->sdu->len != chan->sdu_len)
5353 break;
18778a63 5354
80b98027 5355 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5356
84084a31
MM		 5357 if (!err) {
5358 /* Reassembly complete */
5359 chan->sdu = NULL;
5360 chan->sdu_last_frag = NULL;
5361 chan->sdu_len = 0;
1890d36b 5362 }
18778a63
GP		 5363 break;
5364 }
5365
84084a31
MM		 5366 if (err) {
5367 kfree_skb(skb);
5368 kfree_skb(chan->sdu);
5369 chan->sdu = NULL;
5370 chan->sdu_last_frag = NULL;
5371 chan->sdu_len = 0;
5372 }
18778a63 5373
84084a31 5374 return err;
18778a63
GP		 5375}
5376
32b32735
MM		 5377static int l2cap_resegment(struct l2cap_chan *chan)
5378{
5379 /* Placeholder */
5380 return 0;
5381}
5382
61aa4f5b 5383void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5384{
61aa4f5b 5385 u8 event;
712132eb 5386
61aa4f5b
MM		 5387 if (chan->mode != L2CAP_MODE_ERTM)
5388 return;
712132eb 5389
61aa4f5b 5390 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5391 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5392}
5393
d2a7ac5d
MM		 5394static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5395{
63838725
MM		 5396 int err = 0;
5397 /* Pass sequential frames to l2cap_reassemble_sdu()
5398 * until a gap is encountered.
5399 */
5400
5401 BT_DBG("chan %p", chan);
5402
5403 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5404 struct sk_buff *skb;
5405 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5406 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5407
5408 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5409
5410 if (!skb)
5411 break;
5412
5413 skb_unlink(skb, &chan->srej_q);
5414 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5415 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5416 if (err)
5417 break;
5418 }
5419
5420 if (skb_queue_empty(&chan->srej_q)) {
5421 chan->rx_state = L2CAP_RX_STATE_RECV;
5422 l2cap_send_ack(chan);
5423 }
5424
5425 return err;
d2a7ac5d
MM		 5426}
5427
5428static void l2cap_handle_srej(struct l2cap_chan *chan,
5429 struct l2cap_ctrl *control)
5430{
f80842a8
MM		 5431 struct sk_buff *skb;
5432
5433 BT_DBG("chan %p, control %p", chan, control);
5434
5435 if (control->reqseq == chan->next_tx_seq) {
5436 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5437 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5438 return;
5439 }
5440
5441 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5442
5443 if (skb == NULL) {
5444 BT_DBG("Seq %d not available for retransmission",
5445 control->reqseq);
5446 return;
5447 }
5448
5449 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5450 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5451 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5452 return;
5453 }
5454
5455 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5456
5457 if (control->poll) {
5458 l2cap_pass_to_tx(chan, control);
5459
5460 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5461 l2cap_retransmit(chan, control);
5462 l2cap_ertm_send(chan);
5463
5464 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5465 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5466 chan->srej_save_reqseq = control->reqseq;
5467 }
5468 } else {
5469 l2cap_pass_to_tx_fbit(chan, control);
5470
5471 if (control->final) {
5472 if (chan->srej_save_reqseq != control->reqseq ||
5473 !test_and_clear_bit(CONN_SREJ_ACT,
5474 &chan->conn_state))
5475 l2cap_retransmit(chan, control);
5476 } else {
5477 l2cap_retransmit(chan, control);
5478 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5479 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5480 chan->srej_save_reqseq = control->reqseq;
5481 }
5482 }
5483 }
d2a7ac5d
MM		 5484}
5485
5486static void l2cap_handle_rej(struct l2cap_chan *chan,
5487 struct l2cap_ctrl *control)
5488{
fcd289df
MM		 5489 struct sk_buff *skb;
5490
5491 BT_DBG("chan %p, control %p", chan, control);
5492
5493 if (control->reqseq == chan->next_tx_seq) {
5494 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5495 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5496 return;
5497 }
5498
5499 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5500
5501 if (chan->max_tx && skb &&
5502 bt_cb(skb)->control.retries >= chan->max_tx) {
5503 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5504 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5505 return;
5506 }
5507
5508 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5509
5510 l2cap_pass_to_tx(chan, control);
5511
5512 if (control->final) {
5513 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5514 l2cap_retransmit_all(chan, control);
5515 } else {
5516 l2cap_retransmit_all(chan, control);
5517 l2cap_ertm_send(chan);
5518 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5519 set_bit(CONN_REJ_ACT, &chan->conn_state);
5520 }
d2a7ac5d
MM		 5521}
5522
4b51dae9
MM		 5523static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5524{
5525 BT_DBG("chan %p, txseq %d", chan, txseq);
5526
5527 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5528 chan->expected_tx_seq);
5529
5530 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5531 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5532 chan->tx_win) {
4b51dae9
MM		 5533 /* See notes below regarding "double poll" and
5534 * invalid packets.
5535 */
5536 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5537 BT_DBG("Invalid/Ignore - after SREJ");
5538 return L2CAP_TXSEQ_INVALID_IGNORE;
5539 } else {
5540 BT_DBG("Invalid - in window after SREJ sent");
5541 return L2CAP_TXSEQ_INVALID;
5542 }
5543 }
5544
5545 if (chan->srej_list.head == txseq) {
5546 BT_DBG("Expected SREJ");
5547 return L2CAP_TXSEQ_EXPECTED_SREJ;
5548 }
5549
5550 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5551 BT_DBG("Duplicate SREJ - txseq already stored");
5552 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5553 }
5554
5555 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5556 BT_DBG("Unexpected SREJ - not requested");
5557 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5558 }
5559 }
5560
5561 if (chan->expected_tx_seq == txseq) {
5562 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5563 chan->tx_win) {
5564 BT_DBG("Invalid - txseq outside tx window");
5565 return L2CAP_TXSEQ_INVALID;
5566 } else {
5567 BT_DBG("Expected");
5568 return L2CAP_TXSEQ_EXPECTED;
5569 }
5570 }
5571
5572 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5573 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5574 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5575 return L2CAP_TXSEQ_DUPLICATE;
5576 }
5577
5578 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5579 /* A source of invalid packets is a "double poll" condition,
5580 * where delays cause us to send multiple poll packets. If
5581 * the remote stack receives and processes both polls,
5582 * sequence numbers can wrap around in such a way that a
5583 * resent frame has a sequence number that looks like new data
5584 * with a sequence gap. This would trigger an erroneous SREJ
5585 * request.
5586 *
5587 * Fortunately, this is impossible with a tx window that's
5588 * less than half of the maximum sequence number, which allows
5589 * invalid frames to be safely ignored.
5590 *
5591 * With tx window sizes greater than half of the tx window
5592 * maximum, the frame is invalid and cannot be ignored. This
5593 * causes a disconnect.
5594 */
5595
5596 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5597 BT_DBG("Invalid/Ignore - txseq outside tx window");
5598 return L2CAP_TXSEQ_INVALID_IGNORE;
5599 } else {
5600 BT_DBG("Invalid - txseq outside tx window");
5601 return L2CAP_TXSEQ_INVALID;
5602 }
5603 } else {
5604 BT_DBG("Unexpected - txseq indicates missing frames");
5605 return L2CAP_TXSEQ_UNEXPECTED;
5606 }
5607}
5608
d2a7ac5d
MM		 5609static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5610 struct l2cap_ctrl *control,
5611 struct sk_buff *skb, u8 event)
5612{
5613 int err = 0;
5614 bool skb_in_use = 0;
5615
5616 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5617 event);
5618
5619 switch (event) {
5620 case L2CAP_EV_RECV_IFRAME:
5621 switch (l2cap_classify_txseq(chan, control->txseq)) {
5622 case L2CAP_TXSEQ_EXPECTED:
5623 l2cap_pass_to_tx(chan, control);
5624
5625 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5626 BT_DBG("Busy, discarding expected seq %d",
5627 control->txseq);
5628 break;
5629 }
5630
5631 chan->expected_tx_seq = __next_seq(chan,
5632 control->txseq);
5633
5634 chan->buffer_seq = chan->expected_tx_seq;
5635 skb_in_use = 1;
5636
5637 err = l2cap_reassemble_sdu(chan, skb, control);
5638 if (err)
5639 break;
5640
5641 if (control->final) {
5642 if (!test_and_clear_bit(CONN_REJ_ACT,
5643 &chan->conn_state)) {
5644 control->final = 0;
5645 l2cap_retransmit_all(chan, control);
5646 l2cap_ertm_send(chan);
5647 }
5648 }
5649
5650 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5651 l2cap_send_ack(chan);
5652 break;
5653 case L2CAP_TXSEQ_UNEXPECTED:
5654 l2cap_pass_to_tx(chan, control);
5655
5656 /* Can't issue SREJ frames in the local busy state.
5657 * Drop this frame, it will be seen as missing
5658 * when local busy is exited.
5659 */
5660 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5661 BT_DBG("Busy, discarding unexpected seq %d",
5662 control->txseq);
5663 break;
5664 }
5665
5666 /* There was a gap in the sequence, so an SREJ
5667 * must be sent for each missing frame. The
5668 * current frame is stored for later use.
5669 */
5670 skb_queue_tail(&chan->srej_q, skb);
5671 skb_in_use = 1;
5672 BT_DBG("Queued %p (queue len %d)", skb,
5673 skb_queue_len(&chan->srej_q));
5674
5675 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5676 l2cap_seq_list_clear(&chan->srej_list);
5677 l2cap_send_srej(chan, control->txseq);
5678
5679 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5680 break;
5681 case L2CAP_TXSEQ_DUPLICATE:
5682 l2cap_pass_to_tx(chan, control);
5683 break;
5684 case L2CAP_TXSEQ_INVALID_IGNORE:
5685 break;
5686 case L2CAP_TXSEQ_INVALID:
5687 default:
5e4e3972 5688 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5689 break;
5690 }
5691 break;
5692 case L2CAP_EV_RECV_RR:
5693 l2cap_pass_to_tx(chan, control);
5694 if (control->final) {
5695 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5696
e6a3ee6e
MM		 5697 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5698 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5699 control->final = 0;
5700 l2cap_retransmit_all(chan, control);
5701 }
5702
5703 l2cap_ertm_send(chan);
5704 } else if (control->poll) {
5705 l2cap_send_i_or_rr_or_rnr(chan);
5706 } else {
5707 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5708 &chan->conn_state) &&
5709 chan->unacked_frames)
5710 __set_retrans_timer(chan);
5711
5712 l2cap_ertm_send(chan);
5713 }
5714 break;
5715 case L2CAP_EV_RECV_RNR:
5716 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5717 l2cap_pass_to_tx(chan, control);
5718 if (control && control->poll) {
5719 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5720 l2cap_send_rr_or_rnr(chan, 0);
5721 }
5722 __clear_retrans_timer(chan);
5723 l2cap_seq_list_clear(&chan->retrans_list);
5724 break;
5725 case L2CAP_EV_RECV_REJ:
5726 l2cap_handle_rej(chan, control);
5727 break;
5728 case L2CAP_EV_RECV_SREJ:
5729 l2cap_handle_srej(chan, control);
5730 break;
5731 default:
5732 break;
5733 }
5734
5735 if (skb && !skb_in_use) {
5736 BT_DBG("Freeing %p", skb);
5737 kfree_skb(skb);
5738 }
5739
5740 return err;
5741}
5742
5743static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5744 struct l2cap_ctrl *control,
5745 struct sk_buff *skb, u8 event)
5746{
5747 int err = 0;
5748 u16 txseq = control->txseq;
5749 bool skb_in_use = 0;
5750
5751 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5752 event);
5753
5754 switch (event) {
5755 case L2CAP_EV_RECV_IFRAME:
5756 switch (l2cap_classify_txseq(chan, txseq)) {
5757 case L2CAP_TXSEQ_EXPECTED:
5758 /* Keep frame for reassembly later */
5759 l2cap_pass_to_tx(chan, control);
5760 skb_queue_tail(&chan->srej_q, skb);
5761 skb_in_use = 1;
5762 BT_DBG("Queued %p (queue len %d)", skb,
5763 skb_queue_len(&chan->srej_q));
5764
5765 chan->expected_tx_seq = __next_seq(chan, txseq);
5766 break;
5767 case L2CAP_TXSEQ_EXPECTED_SREJ:
5768 l2cap_seq_list_pop(&chan->srej_list);
5769
5770 l2cap_pass_to_tx(chan, control);
5771 skb_queue_tail(&chan->srej_q, skb);
5772 skb_in_use = 1;
5773 BT_DBG("Queued %p (queue len %d)", skb,
5774 skb_queue_len(&chan->srej_q));
5775
5776 err = l2cap_rx_queued_iframes(chan);
5777 if (err)
5778 break;
5779
5780 break;
5781 case L2CAP_TXSEQ_UNEXPECTED:
5782 /* Got a frame that can't be reassembled yet.
5783 * Save it for later, and send SREJs to cover
5784 * the missing frames.
5785 */
5786 skb_queue_tail(&chan->srej_q, skb);
5787 skb_in_use = 1;
5788 BT_DBG("Queued %p (queue len %d)", skb,
5789 skb_queue_len(&chan->srej_q));
5790
5791 l2cap_pass_to_tx(chan, control);
5792 l2cap_send_srej(chan, control->txseq);
5793 break;
5794 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5795 /* This frame was requested with an SREJ, but
5796 * some expected retransmitted frames are
5797 * missing. Request retransmission of missing
5798 * SREJ'd frames.
5799 */
5800 skb_queue_tail(&chan->srej_q, skb);
5801 skb_in_use = 1;
5802 BT_DBG("Queued %p (queue len %d)", skb,
5803 skb_queue_len(&chan->srej_q));
5804
5805 l2cap_pass_to_tx(chan, control);
5806 l2cap_send_srej_list(chan, control->txseq);
5807 break;
5808 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5809 /* We've already queued this frame. Drop this copy. */
5810 l2cap_pass_to_tx(chan, control);
5811 break;
5812 case L2CAP_TXSEQ_DUPLICATE:
5813 /* Expecting a later sequence number, so this frame
5814 * was already received. Ignore it completely.
5815 */
5816 break;
5817 case L2CAP_TXSEQ_INVALID_IGNORE:
5818 break;
5819 case L2CAP_TXSEQ_INVALID:
5820 default:
5e4e3972 5821 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5822 break;
5823 }
5824 break;
5825 case L2CAP_EV_RECV_RR:
5826 l2cap_pass_to_tx(chan, control);
5827 if (control->final) {
5828 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5829
5830 if (!test_and_clear_bit(CONN_REJ_ACT,
5831 &chan->conn_state)) {
5832 control->final = 0;
5833 l2cap_retransmit_all(chan, control);
5834 }
5835
5836 l2cap_ertm_send(chan);
5837 } else if (control->poll) {
5838 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5839 &chan->conn_state) &&
5840 chan->unacked_frames) {
5841 __set_retrans_timer(chan);
5842 }
5843
5844 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5845 l2cap_send_srej_tail(chan);
5846 } else {
5847 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5848 &chan->conn_state) &&
5849 chan->unacked_frames)
5850 __set_retrans_timer(chan);
5851
5852 l2cap_send_ack(chan);
5853 }
5854 break;
5855 case L2CAP_EV_RECV_RNR:
5856 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5857 l2cap_pass_to_tx(chan, control);
5858 if (control->poll) {
5859 l2cap_send_srej_tail(chan);
5860 } else {
5861 struct l2cap_ctrl rr_control;
5862 memset(&rr_control, 0, sizeof(rr_control));
5863 rr_control.sframe = 1;
5864 rr_control.super = L2CAP_SUPER_RR;
5865 rr_control.reqseq = chan->buffer_seq;
5866 l2cap_send_sframe(chan, &rr_control);
5867 }
5868
5869 break;
5870 case L2CAP_EV_RECV_REJ:
5871 l2cap_handle_rej(chan, control);
5872 break;
5873 case L2CAP_EV_RECV_SREJ:
5874 l2cap_handle_srej(chan, control);
5875 break;
5876 }
5877
5878 if (skb && !skb_in_use) {
5879 BT_DBG("Freeing %p", skb);
5880 kfree_skb(skb);
5881 }
5882
5883 return err;
5884}
5885
32b32735
MM		 5886static int l2cap_finish_move(struct l2cap_chan *chan)
5887{
5888 BT_DBG("chan %p", chan);
5889
5890 chan->rx_state = L2CAP_RX_STATE_RECV;
5891
5892 if (chan->hs_hcon)
5893 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5894 else
5895 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5896
5897 return l2cap_resegment(chan);
5898}
5899
5900static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5901 struct l2cap_ctrl *control,
5902 struct sk_buff *skb, u8 event)
5903{
5904 int err;
5905
5906 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5907 event);
5908
5909 if (!control->poll)
5910 return -EPROTO;
5911
5912 l2cap_process_reqseq(chan, control->reqseq);
5913
5914 if (!skb_queue_empty(&chan->tx_q))
5915 chan->tx_send_head = skb_peek(&chan->tx_q);
5916 else
5917 chan->tx_send_head = NULL;
5918
5919 /* Rewind next_tx_seq to the point expected
5920 * by the receiver.
5921 */
5922 chan->next_tx_seq = control->reqseq;
5923 chan->unacked_frames = 0;
5924
5925 err = l2cap_finish_move(chan);
5926 if (err)
5927 return err;
5928
5929 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5930 l2cap_send_i_or_rr_or_rnr(chan);
5931
5932 if (event == L2CAP_EV_RECV_IFRAME)
5933 return -EPROTO;
5934
5935 return l2cap_rx_state_recv(chan, control, NULL, event);
5936}
5937
5938static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5939 struct l2cap_ctrl *control,
5940 struct sk_buff *skb, u8 event)
5941{
5942 int err;
5943
5944 if (!control->final)
5945 return -EPROTO;
5946
5947 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5948
5949 chan->rx_state = L2CAP_RX_STATE_RECV;
5950 l2cap_process_reqseq(chan, control->reqseq);
5951
5952 if (!skb_queue_empty(&chan->tx_q))
5953 chan->tx_send_head = skb_peek(&chan->tx_q);
5954 else
5955 chan->tx_send_head = NULL;
5956
5957 /* Rewind next_tx_seq to the point expected
5958 * by the receiver.
5959 */
5960 chan->next_tx_seq = control->reqseq;
5961 chan->unacked_frames = 0;
5962
5963 if (chan->hs_hcon)
5964 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5965 else
5966 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5967
5968 err = l2cap_resegment(chan);
5969
5970 if (!err)
5971 err = l2cap_rx_state_recv(chan, control, skb, event);
5972
5973 return err;
5974}
5975
d2a7ac5d
MM		 5976static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5977{
5978 /* Make sure reqseq is for a packet that has been sent but not acked */
5979 u16 unacked;
5980
5981 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5982 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5983}
5984
cec8ab6e
MM		 5985static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5986 struct sk_buff *skb, u8 event)
218bb9df 5987{
d2a7ac5d
MM		 5988 int err = 0;
5989
5990 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5991 control, skb, event, chan->rx_state);
5992
5993 if (__valid_reqseq(chan, control->reqseq)) {
5994 switch (chan->rx_state) {
5995 case L2CAP_RX_STATE_RECV:
5996 err = l2cap_rx_state_recv(chan, control, skb, event);
5997 break;
5998 case L2CAP_RX_STATE_SREJ_SENT:
5999 err = l2cap_rx_state_srej_sent(chan, control, skb,
6000 event);
6001 break;
32b32735
MM		 6002 case L2CAP_RX_STATE_WAIT_P:
6003 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6004 break;
6005 case L2CAP_RX_STATE_WAIT_F:
6006 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6007 break;
d2a7ac5d
MM		 6008 default:
6009 /* shut it down */
6010 break;
6011 }
6012 } else {
6013 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6014 control->reqseq, chan->next_tx_seq,
6015 chan->expected_ack_seq);
5e4e3972 6016 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 6017 }
6018
6019 return err;
cec8ab6e
MM		 6020}
6021
6022static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6023 struct sk_buff *skb)
6024{
4b51dae9
MM		 6025 int err = 0;
6026
6027 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6028 chan->rx_state);
6029
6030 if (l2cap_classify_txseq(chan, control->txseq) ==
6031 L2CAP_TXSEQ_EXPECTED) {
6032 l2cap_pass_to_tx(chan, control);
6033
6034 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6035 __next_seq(chan, chan->buffer_seq));
6036
6037 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6038
6039 l2cap_reassemble_sdu(chan, skb, control);
6040 } else {
6041 if (chan->sdu) {
6042 kfree_skb(chan->sdu);
6043 chan->sdu = NULL;
6044 }
6045 chan->sdu_last_frag = NULL;
6046 chan->sdu_len = 0;
6047
6048 if (skb) {
6049 BT_DBG("Freeing %p", skb);
6050 kfree_skb(skb);
6051 }
6052 }
6053
6054 chan->last_acked_seq = control->txseq;
6055 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6056
6057 return err;
cec8ab6e
MM		 6058}
6059
6060static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6061{
6062 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6063 u16 len;
6064 u8 event;
218bb9df 6065
b76bbd66
MM		 6066 __unpack_control(chan, skb);
6067
218bb9df
GP		 6068 len = skb->len;
6069
6070 /*
6071 * We can just drop the corrupted I-frame here.
6072 * Receiver will miss it and start proper recovery
cec8ab6e 6073 * procedures and ask for retransmission.
218bb9df 6074 */
47d1ec61 6075 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6076 goto drop;
6077
cec8ab6e 6078 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6079 len -= L2CAP_SDULEN_SIZE;
218bb9df 6080
47d1ec61 6081 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6082 len -= L2CAP_FCS_SIZE;
218bb9df 6083
47d1ec61 6084 if (len > chan->mps) {
5e4e3972 6085 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6086 goto drop;
6087 }
6088
cec8ab6e
MM		 6089 if (!control->sframe) {
6090 int err;
218bb9df 6091
cec8ab6e
MM		 6092 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6093 control->sar, control->reqseq, control->final,
6094 control->txseq);
218bb9df 6095
cec8ab6e
MM		 6096 /* Validate F-bit - F=0 always valid, F=1 only
6097 * valid in TX WAIT_F
6098 */
6099 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6100 goto drop;
cec8ab6e
MM		 6101
6102 if (chan->mode != L2CAP_MODE_STREAMING) {
6103 event = L2CAP_EV_RECV_IFRAME;
6104 err = l2cap_rx(chan, control, skb, event);
6105 } else {
6106 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6107 }
6108
cec8ab6e 6109 if (err)
5e4e3972 6110 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6111 } else {
cec8ab6e
MM		 6112 const u8 rx_func_to_event[4] = {
6113 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6114 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6115 };
6116
6117 /* Only I-frames are expected in streaming mode */
6118 if (chan->mode == L2CAP_MODE_STREAMING)
6119 goto drop;
6120
6121 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6122 control->reqseq, control->final, control->poll,
6123 control->super);
6124
218bb9df 6125 if (len != 0) {
1bb166e6 6126 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6127 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6128 goto drop;
6129 }
6130
cec8ab6e
MM		 6131 /* Validate F and P bits */
6132 if (control->final && (control->poll ||
6133 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6134 goto drop;
6135
6136 event = rx_func_to_event[control->super];
6137 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6138 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6139 }
6140
6141 return 0;
6142
6143drop:
6144 kfree_skb(skb);
6145 return 0;
6146}
6147
13ca56e0
AE		 6148static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6149 struct sk_buff *skb)
1da177e4 6150{
48454079 6151 struct l2cap_chan *chan;
1da177e4 6152
baa7e1fa 6153 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6154 if (!chan) {
97e8e89d
AE		 6155 if (cid == L2CAP_CID_A2MP) {
6156 chan = a2mp_channel_create(conn, skb);
6157 if (!chan) {
6158 kfree_skb(skb);
13ca56e0 6159 return;
97e8e89d
AE		 6160 }
6161
6162 l2cap_chan_lock(chan);
6163 } else {
6164 BT_DBG("unknown cid 0x%4.4x", cid);
6165 /* Drop packet and return */
6166 kfree_skb(skb);
13ca56e0 6167 return;
97e8e89d 6168 }
1da177e4
LT		 6169 }
6170
49208c9c 6171 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6172
89bc500e 6173 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6174 goto drop;
6175
0c1bc5c6 6176 switch (chan->mode) {
1c2acffb
GP		 6177 case L2CAP_MODE_BASIC:
6178 /* If socket recv buffers overflows we drop data here
6179 * which is *bad* because L2CAP has to be reliable.
6180 * But we don't have any other choice. L2CAP doesn't
6181 * provide flow control mechanism. */
1da177e4 6182
0c1bc5c6 6183 if (chan->imtu < skb->len)
1c2acffb 6184 goto drop;
1da177e4 6185
80b98027 6186 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6187 goto done;
6188 break;
6189
6190 case L2CAP_MODE_ERTM:
6840ed07 6191 case L2CAP_MODE_STREAMING:
cec8ab6e 6192 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6193 goto done;
6194
1c2acffb 6195 default:
0c1bc5c6 6196 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6197 break;
6198 }
1da177e4
LT		 6199
6200drop:
6201 kfree_skb(skb);
6202
6203done:
6be36555 6204 l2cap_chan_unlock(chan);
1da177e4
LT		 6205}
6206
84104b24
AE		 6207static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6208 struct sk_buff *skb)
1da177e4 6209{
23691d75 6210 struct l2cap_chan *chan;
1da177e4 6211
c2287681 6212 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6213 if (!chan)
1da177e4
LT		 6214 goto drop;
6215
5b4cedaa 6216 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6217
89bc500e 6218 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6219 goto drop;
6220
e13e21dc 6221 if (chan->imtu < skb->len)
1da177e4
LT		 6222 goto drop;
6223
80b98027 6224 if (!chan->ops->recv(chan, skb))
84104b24 6225 return;
1da177e4
LT		 6226
6227drop:
6228 kfree_skb(skb);
1da177e4
LT		 6229}
6230
6810fca7
AE		 6231static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
6232 struct sk_buff *skb)
9f69bda6 6233{
23691d75 6234 struct l2cap_chan *chan;
9f69bda6 6235
c2287681 6236 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 6237 if (!chan)
9f69bda6
GP		 6238 goto drop;
6239
5b4cedaa 6240 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6241
89bc500e 6242 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6243 goto drop;
6244
e13e21dc 6245 if (chan->imtu < skb->len)
9f69bda6
GP		 6246 goto drop;
6247
80b98027 6248 if (!chan->ops->recv(chan, skb))
6810fca7 6249 return;
9f69bda6
GP		 6250
6251drop:
6252 kfree_skb(skb);
9f69bda6
GP		 6253}
6254
1da177e4
LT		 6255static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6256{
6257 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6258 u16 cid, len;
6259 __le16 psm;
1da177e4
LT		 6260
6261 skb_pull(skb, L2CAP_HDR_SIZE);
6262 cid = __le16_to_cpu(lh->cid);
6263 len = __le16_to_cpu(lh->len);
6264
1c2acffb
GP		 6265 if (len != skb->len) {
6266 kfree_skb(skb);
6267 return;
6268 }
6269
1da177e4
LT		 6270 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6271
6272 switch (cid) {
3300d9a9 6273 case L2CAP_CID_LE_SIGNALING:
8db4dc46 6274 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6275 l2cap_sig_channel(conn, skb);
6276 break;
6277
8db4dc46 6278 case L2CAP_CID_CONN_LESS:
097db76c 6279 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6280 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6281 l2cap_conless_channel(conn, psm, skb);
6282 break;
6283
9f69bda6
GP		 6284 case L2CAP_CID_LE_DATA:
6285 l2cap_att_channel(conn, cid, skb);
6286 break;
6287
b501d6a1
AB		 6288 case L2CAP_CID_SMP:
6289 if (smp_sig_channel(conn, skb))
6290 l2cap_conn_del(conn->hcon, EACCES);
6291 break;
6292
1da177e4
LT		 6293 default:
6294 l2cap_data_channel(conn, cid, skb);
6295 break;
6296 }
6297}
6298
6299/* ---- L2CAP interface with lower layer (HCI) ---- */
6300
686ebf28 6301int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6302{
6303 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6304 struct l2cap_chan *c;
1da177e4 6305
6ed93dc6 6306 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6307
6308 /* Find listening sockets and check their link_mode */
23691d75
GP		 6309 read_lock(&chan_list_lock);
6310 list_for_each_entry(c, &chan_list, global_l) {
6311 struct sock *sk = c->sk;
4343478f 6312
89bc500e 6313 if (c->state != BT_LISTEN)
1da177e4
LT		 6314 continue;
6315
6316 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6317 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6318 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6319 lm1 |= HCI_LM_MASTER;
1da177e4 6320 exact++;
2af6b9d5
MH		 6321 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6322 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6323 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6324 lm2 |= HCI_LM_MASTER;
6325 }
1da177e4 6326 }
23691d75 6327 read_unlock(&chan_list_lock);
1da177e4
LT		 6328
6329 return exact ? lm1 : lm2;
6330}
6331
9e664631 6332void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6333{
0139418c
MH		 6334 struct l2cap_conn *conn;
6335
6ed93dc6 6336 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6337
1da177e4 6338 if (!status) {
baf43251 6339 conn = l2cap_conn_add(hcon);
1da177e4
LT		 6340 if (conn)
6341 l2cap_conn_ready(conn);
ba6fc317 6342 } else {
e175072f 6343 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6344 }
1da177e4
LT		 6345}
6346
686ebf28 6347int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6348{
6349 struct l2cap_conn *conn = hcon->l2cap_data;
6350
6351 BT_DBG("hcon %p", hcon);
6352
686ebf28 6353 if (!conn)
9f5a0d7b 6354 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6355 return conn->disc_reason;
6356}
6357
9e664631 6358void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6359{
6360 BT_DBG("hcon %p reason %d", hcon, reason);
6361
e175072f 6362 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6363}
6364
4343478f 6365static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6366{
715ec005 6367 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6368 return;
6369
f62e4323 6370 if (encrypt == 0x00) {
4343478f 6371 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6372 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6373 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6374 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6375 } else {
4343478f 6376 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6377 __clear_chan_timer(chan);
f62e4323
MH		 6378 }
6379}
6380
686ebf28 6381int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6382{
0139418c 6383 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6384 struct l2cap_chan *chan;
1da177e4 6385
0139418c 6386 if (!conn)
1da177e4 6387 return 0;
0139418c 6388
89d8b407 6389 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6390
160dc6ac 6391 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6392 if (!status && encrypt)
6393 smp_distribute_keys(conn, 0);
17cd3f37 6394 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6395 }
6396
3df91ea2 6397 mutex_lock(&conn->chan_lock);
1da177e4 6398
3df91ea2 6399 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6400 l2cap_chan_lock(chan);
1da177e4 6401
89d8b407
AE		 6402 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6403 state_to_string(chan->state));
f1cb9af5 6404
78eb2f98
AE		 6405 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6406 l2cap_chan_unlock(chan);
6407 continue;
6408 }
6409
f1cb9af5
VCG		 6410 if (chan->scid == L2CAP_CID_LE_DATA) {
6411 if (!status && encrypt) {
6412 chan->sec_level = hcon->sec_level;
cf4cd009 6413 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6414 }
6415
6be36555 6416 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6417 continue;
6418 }
6419
96eff46e 6420 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6421 l2cap_chan_unlock(chan);
6a8d3010
MH		 6422 continue;
6423 }
6424
89bc500e 6425 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6426 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6427 struct sock *sk = chan->sk;
6428
c5daa683 6429 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6430 sk->sk_state_change(sk);
6431
4343478f 6432 l2cap_check_encryption(chan, encrypt);
6be36555 6433 l2cap_chan_unlock(chan);
9719f8af
MH		 6434 continue;
6435 }
6436
89bc500e 6437 if (chan->state == BT_CONNECT) {
b1235d79 6438 if (!status) {
93c3e8f5 6439 l2cap_start_connection(chan);
b1235d79 6440 } else {
ba13ccd9 6441 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6442 }
89bc500e 6443 } else if (chan->state == BT_CONNECT2) {
6be36555 6444 struct sock *sk = chan->sk;
b1235d79 6445 struct l2cap_conn_rsp rsp;
df3c3931 6446 __u16 res, stat;
1da177e4 6447
6be36555
AE		 6448 lock_sock(sk);
6449
b1235d79 6450 if (!status) {
c5daa683
GP		 6451 if (test_bit(BT_SK_DEFER_SETUP,
6452 &bt_sk(sk)->flags)) {
df3c3931
JH		 6453 res = L2CAP_CR_PEND;
6454 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6455 chan->ops->defer(chan);
df3c3931 6456 } else {
0e587be7 6457 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6458 res = L2CAP_CR_SUCCESS;
6459 stat = L2CAP_CS_NO_INFO;
6460 }
b1235d79 6461 } else {
0e587be7 6462 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6463 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6464 res = L2CAP_CR_SEC_BLOCK;
6465 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6466 }
6467
6be36555
AE		 6468 release_sock(sk);
6469
fe4128e0
GP		 6470 rsp.scid = cpu_to_le16(chan->dcid);
6471 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6472 rsp.result = cpu_to_le16(res);
6473 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6474 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6475 sizeof(rsp), &rsp);
2d369359
MM		 6476
6477 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6478 res == L2CAP_CR_SUCCESS) {
6479 char buf[128];
6480 set_bit(CONF_REQ_SENT, &chan->conf_state);
6481 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6482 L2CAP_CONF_REQ,
6483 l2cap_build_conf_req(chan, buf),
6484 buf);
6485 chan->num_conf_req++;
6486 }
b1235d79 6487 }
1da177e4 6488
6be36555 6489 l2cap_chan_unlock(chan);
1da177e4
LT		 6490 }
6491
3df91ea2 6492 mutex_unlock(&conn->chan_lock);
b1235d79 6493
1da177e4
LT		 6494 return 0;
6495}
6496
686ebf28 6497int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6498{
6499 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6500 struct l2cap_hdr *hdr;
6501 int len;
1da177e4 6502
1d13a254
AE		 6503 /* For AMP controller do not create l2cap conn */
6504 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6505 goto drop;
1da177e4 6506
5a08ecce 6507 if (!conn)
baf43251 6508 conn = l2cap_conn_add(hcon);
5a08ecce
AE		 6509
6510 if (!conn)
1da177e4
LT		 6511 goto drop;
6512
6513 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6514
d73a0988
AE		 6515 switch (flags) {
6516 case ACL_START:
6517 case ACL_START_NO_FLUSH:
6518 case ACL_COMPLETE:
1da177e4
LT		 6519 if (conn->rx_len) {
6520 BT_ERR("Unexpected start frame (len %d)", skb->len);
6521 kfree_skb(conn->rx_skb);
6522 conn->rx_skb = NULL;
6523 conn->rx_len = 0;
6524 l2cap_conn_unreliable(conn, ECOMM);
6525 }
6526
aae7fe22
AE		 6527 /* Start fragment always begin with Basic L2CAP header */
6528 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6529 BT_ERR("Frame is too short (len %d)", skb->len);
6530 l2cap_conn_unreliable(conn, ECOMM);
6531 goto drop;
6532 }
6533
6534 hdr = (struct l2cap_hdr *) skb->data;
6535 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6536
6537 if (len == skb->len) {
6538 /* Complete frame received */
6539 l2cap_recv_frame(conn, skb);
6540 return 0;
6541 }
6542
6543 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6544
6545 if (skb->len > len) {
6546 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6547 skb->len, len);
1da177e4
LT		 6548 l2cap_conn_unreliable(conn, ECOMM);
6549 goto drop;
6550 }
6551
6552 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6553 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6554 if (!conn->rx_skb)
1da177e4
LT		 6555 goto drop;
6556
d626f62b 6557 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6558 skb->len);
1da177e4 6559 conn->rx_len = len - skb->len;
d73a0988
AE		 6560 break;
6561
6562 case ACL_CONT:
1da177e4
LT		 6563 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6564
6565 if (!conn->rx_len) {
6566 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6567 l2cap_conn_unreliable(conn, ECOMM);
6568 goto drop;
6569 }
6570
6571 if (skb->len > conn->rx_len) {
6572 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6573 skb->len, conn->rx_len);
1da177e4
LT		 6574 kfree_skb(conn->rx_skb);
6575 conn->rx_skb = NULL;
6576 conn->rx_len = 0;
6577 l2cap_conn_unreliable(conn, ECOMM);
6578 goto drop;
6579 }
6580
d626f62b 6581 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6582 skb->len);
1da177e4
LT		 6583 conn->rx_len -= skb->len;
6584
6585 if (!conn->rx_len) {
6586 /* Complete frame received */
6587 l2cap_recv_frame(conn, conn->rx_skb);
6588 conn->rx_skb = NULL;
6589 }
d73a0988 6590 break;
1da177e4
LT		 6591 }
6592
6593drop:
6594 kfree_skb(skb);
6595 return 0;
6596}
6597
aef7d97c 6598static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6599{
23691d75 6600 struct l2cap_chan *c;
1da177e4 6601
333055f2 6602 read_lock(&chan_list_lock);
1da177e4 6603
23691d75
GP		 6604 list_for_each_entry(c, &chan_list, global_l) {
6605 struct sock *sk = c->sk;
101545f6 6606
fcb73338
AE		 6607 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6608 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6609 c->state, __le16_to_cpu(c->psm),
6610 c->scid, c->dcid, c->imtu, c->omtu,
6611 c->sec_level, c->mode);
61e1b4b7 6612 }
1da177e4 6613
333055f2 6614 read_unlock(&chan_list_lock);
1da177e4 6615
aef7d97c 6616 return 0;
1da177e4
LT		 6617}
6618
aef7d97c
MH		 6619static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6620{
6621 return single_open(file, l2cap_debugfs_show, inode->i_private);
6622}
6623
6624static const struct file_operations l2cap_debugfs_fops = {
6625 .open = l2cap_debugfs_open,
6626 .read = seq_read,
6627 .llseek = seq_lseek,
6628 .release = single_release,
6629};
6630
6631static struct dentry *l2cap_debugfs;
1da177e4 6632
64274518 6633int __init l2cap_init(void)
1da177e4
LT		 6634{
6635 int err;
be9d1227 6636
bb58f747 6637 err = l2cap_init_sockets();
1da177e4
LT		 6638 if (err < 0)
6639 return err;
6640
aef7d97c 6641 if (bt_debugfs) {
2d792818
GP		 6642 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6643 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6644 if (!l2cap_debugfs)
6645 BT_ERR("Failed to create L2CAP debug file");
6646 }
1da177e4 6647
1da177e4 6648 return 0;
1da177e4
LT		 6649}
6650
64274518 6651void l2cap_exit(void)
1da177e4 6652{
aef7d97c 6653 debugfs_remove(l2cap_debugfs);
bb58f747 6654 l2cap_cleanup_sockets();
1da177e4
LT		 6655}
6656
d1c4a17d
GP		 6657module_param(disable_ertm, bool, 0644);
6658MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)