projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Use separate function for BCM92035 vendor setup
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 56static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 507 chan->scid = L2CAP_CID_LE_DATA;
508 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 509 } else {
510 /* Alloc CID for connection-oriented socket */
fe4128e0 511 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 512 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 513 }
5491120e
AE		 514 break;
515
516 case L2CAP_CHAN_CONN_LESS:
0139418c 517 /* Connectionless socket */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_CONN_LESS;
519 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 521 break;
522
416fa752
AE		 523 case L2CAP_CHAN_CONN_FIX_A2MP:
524 chan->scid = L2CAP_CID_A2MP;
525 chan->dcid = L2CAP_CID_A2MP;
526 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
527 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
528 break;
529
5491120e 530 default:
0139418c 531 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 532 chan->scid = L2CAP_CID_SIGNALING;
533 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 534 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 535 }
536
8f7975b1
AE		 537 chan->local_id = L2CAP_BESTEFFORT_ID;
538 chan->local_stype = L2CAP_SERV_BESTEFFORT;
539 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
540 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
541 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 542 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 543
371fd835 544 l2cap_chan_hold(chan);
baa7e1fa 545
3df91ea2 546 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 547}
548
466f8004 549void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 550{
551 mutex_lock(&conn->chan_lock);
552 __l2cap_chan_add(conn, chan);
3df91ea2 553 mutex_unlock(&conn->chan_lock);
0139418c
MH		 554}
555
466f8004 556void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 557{
8c1d787b 558 struct l2cap_conn *conn = chan->conn;
0139418c 559
c9b66675 560 __clear_chan_timer(chan);
0139418c 561
49208c9c 562 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 563
8e87d142 564 if (conn) {
56f60984 565 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 566 /* Delete from channel list */
3df91ea2 567 list_del(&chan->list);
3d57dc68 568
371fd835 569 l2cap_chan_put(chan);
baa7e1fa 570
8c1d787b 571 chan->conn = NULL;
3cabbfda
AE		 572
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
574 hci_conn_put(conn->hcon);
56f60984
AE		 575
576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL;
0139418c
MH		 578 }
579
419e08c1
AE		 580 if (chan->hs_hchan) {
581 struct hci_chan *hs_hchan = chan->hs_hchan;
582
583 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
584 amp_disconnect_logical_link(hs_hchan);
585 }
586
b699ec0d 587 chan->ops->teardown(chan, err);
6be36555 588
2827011f 589 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 590 return;
2ead70b8 591
ee556f66
GP		 592 switch(chan->mode) {
593 case L2CAP_MODE_BASIC:
594 break;
c13ffa62 595
ee556f66 596 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 597 __clear_retrans_timer(chan);
598 __clear_monitor_timer(chan);
599 __clear_ack_timer(chan);
c13ffa62 600
f1c6775b 601 skb_queue_purge(&chan->srej_q);
c13ffa62 602
3c588192
MM		 603 l2cap_seq_list_free(&chan->srej_list);
604 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 605
606 /* fall through */
607
608 case L2CAP_MODE_STREAMING:
609 skb_queue_purge(&chan->tx_q);
610 break;
c13ffa62 611 }
ee556f66
GP		 612
613 return;
0139418c
MH		 614}
615
0f852724 616void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 617{
618 struct l2cap_conn *conn = chan->conn;
619 struct sock *sk = chan->sk;
620
2d792818
GP		 621 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
622 sk);
4519de9a 623
89bc500e 624 switch (chan->state) {
4519de9a 625 case BT_LISTEN:
b699ec0d 626 chan->ops->teardown(chan, 0);
4519de9a
GP		 627 break;
628
629 case BT_CONNECTED:
630 case BT_CONFIG:
715ec005 631 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 632 conn->hcon->type == ACL_LINK) {
c9b66675 633 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 634 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 635 } else
636 l2cap_chan_del(chan, reason);
637 break;
638
639 case BT_CONNECT2:
715ec005 640 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 641 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 642 struct l2cap_conn_rsp rsp;
643 __u16 result;
644
c5daa683 645 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 646 result = L2CAP_CR_SEC_BLOCK;
647 else
648 result = L2CAP_CR_BAD_PSM;
89bc500e 649 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 650
651 rsp.scid = cpu_to_le16(chan->dcid);
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.result = cpu_to_le16(result);
ac73498c 654 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 655 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 656 sizeof(rsp), &rsp);
4519de9a
GP		 657 }
658
659 l2cap_chan_del(chan, reason);
660 break;
661
662 case BT_CONNECT:
663 case BT_DISCONN:
664 l2cap_chan_del(chan, reason);
665 break;
666
667 default:
b699ec0d 668 chan->ops->teardown(chan, 0);
4519de9a
GP		 669 break;
670 }
671}
672
4343478f 673static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 674{
715ec005 675 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 676 switch (chan->sec_level) {
8556edd3
JH		 677 case BT_SECURITY_HIGH:
678 return HCI_AT_DEDICATED_BONDING_MITM;
679 case BT_SECURITY_MEDIUM:
680 return HCI_AT_DEDICATED_BONDING;
681 default:
682 return HCI_AT_NO_BONDING;
683 }
2983fd68 684 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 685 if (chan->sec_level == BT_SECURITY_LOW)
686 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 687
4343478f 688 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 689 return HCI_AT_NO_BONDING_MITM;
00ae4af9 690 else
8556edd3 691 return HCI_AT_NO_BONDING;
00ae4af9 692 } else {
4343478f 693 switch (chan->sec_level) {
00ae4af9 694 case BT_SECURITY_HIGH:
8556edd3 695 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 696 case BT_SECURITY_MEDIUM:
8556edd3 697 return HCI_AT_GENERAL_BONDING;
00ae4af9 698 default:
8556edd3 699 return HCI_AT_NO_BONDING;
00ae4af9 700 }
0684e5f9 701 }
8556edd3
JH		 702}
703
704/* Service level security */
d45fc423 705int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 706{
8c1d787b 707 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 708 __u8 auth_type;
709
4343478f 710 auth_type = l2cap_get_auth_type(chan);
79d554a6 711
4343478f 712 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 713}
714
b5ad8b7f 715static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 716{
717 u8 id;
718
719 /* Get next available identificator.
720 * 1 - 128 are used by kernel.
721 * 129 - 199 are reserved.
722 * 200 - 254 are used by utilities like l2ping, etc.
723 */
724
333055f2 725 spin_lock(&conn->lock);
4e8402a3
MH		 726
727 if (++conn->tx_ident > 128)
728 conn->tx_ident = 1;
729
730 id = conn->tx_ident;
731
333055f2 732 spin_unlock(&conn->lock);
4e8402a3
MH		 733
734 return id;
735}
736
2d792818
GP		 737static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
738 void *data)
4e8402a3
MH		 739{
740 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 741 u8 flags;
4e8402a3
MH		 742
743 BT_DBG("code 0x%2.2x", code);
744
745 if (!skb)
9a9c6a34 746 return;
4e8402a3 747
e702112f
AE		 748 if (lmp_no_flush_capable(conn->hcon->hdev))
749 flags = ACL_START_NO_FLUSH;
750 else
751 flags = ACL_START;
752
14b12d0b 753 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 754 skb->priority = HCI_PRIO_MAX;
14b12d0b 755
73d80deb
LAD		 756 hci_send_acl(conn->hchan, skb, flags);
757}
758
02b0fbb9
MM		 759static bool __chan_is_moving(struct l2cap_chan *chan)
760{
761 return chan->move_state != L2CAP_MOVE_STABLE &&
762 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
763}
764
73d80deb
LAD		 765static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
766{
767 struct hci_conn *hcon = chan->conn->hcon;
768 u16 flags;
769
770 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 771 skb->priority);
73d80deb 772
d5f8a75d
MM		 773 if (chan->hs_hcon && !__chan_is_moving(chan)) {
774 if (chan->hs_hchan)
775 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
776 else
777 kfree_skb(skb);
778
779 return;
780 }
781
73d80deb 782 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 783 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 784 flags = ACL_START_NO_FLUSH;
785 else
786 flags = ACL_START;
14b12d0b 787
73d80deb
LAD		 788 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
789 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 790}
791
b76bbd66
MM		 792static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
793{
794 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
795 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
796
797 if (enh & L2CAP_CTRL_FRAME_TYPE) {
798 /* S-Frame */
799 control->sframe = 1;
800 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
801 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
802
803 control->sar = 0;
804 control->txseq = 0;
805 } else {
806 /* I-Frame */
807 control->sframe = 0;
808 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
809 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
810
811 control->poll = 0;
812 control->super = 0;
813 }
814}
815
b76bbd66
MM		 816static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
817{
818 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
819 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
820
821 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
822 /* S-Frame */
823 control->sframe = 1;
824 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
825 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
826
827 control->sar = 0;
828 control->txseq = 0;
829 } else {
830 /* I-Frame */
831 control->sframe = 0;
832 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
833 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
834
835 control->poll = 0;
836 control->super = 0;
837 }
838}
839
840static inline void __unpack_control(struct l2cap_chan *chan,
841 struct sk_buff *skb)
842{
843 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
844 __unpack_extended_control(get_unaligned_le32(skb->data),
845 &bt_cb(skb)->control);
cec8ab6e 846 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 847 } else {
848 __unpack_enhanced_control(get_unaligned_le16(skb->data),
849 &bt_cb(skb)->control);
cec8ab6e 850 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 851 }
852}
853
b5c6aaed
MM		 854static u32 __pack_extended_control(struct l2cap_ctrl *control)
855{
856 u32 packed;
857
858 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
859 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
860
861 if (control->sframe) {
862 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
863 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
864 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
865 } else {
866 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
867 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
868 }
869
870 return packed;
871}
872
873static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
874{
875 u16 packed;
876
877 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
878 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
879
880 if (control->sframe) {
881 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
882 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
883 packed |= L2CAP_CTRL_FRAME_TYPE;
884 } else {
885 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
886 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
887 }
888
889 return packed;
890}
891
b76bbd66
MM		 892static inline void __pack_control(struct l2cap_chan *chan,
893 struct l2cap_ctrl *control,
894 struct sk_buff *skb)
895{
896 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
897 put_unaligned_le32(__pack_extended_control(control),
898 skb->data + L2CAP_HDR_SIZE);
899 } else {
900 put_unaligned_le16(__pack_enhanced_control(control),
901 skb->data + L2CAP_HDR_SIZE);
902 }
903}
904
ba7aa64f
GP		 905static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
906{
907 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
908 return L2CAP_EXT_HDR_SIZE;
909 else
910 return L2CAP_ENH_HDR_SIZE;
911}
912
a67d7f6f
MM		 913static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
914 u32 control)
b5c6aaed
MM		 915{
916 struct sk_buff *skb;
917 struct l2cap_hdr *lh;
ba7aa64f 918 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 919
920 if (chan->fcs == L2CAP_FCS_CRC16)
921 hlen += L2CAP_FCS_SIZE;
922
a67d7f6f 923 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 924
b5c6aaed 925 if (!skb)
a67d7f6f 926 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 927
928 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
929 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
930 lh->cid = cpu_to_le16(chan->dcid);
931
a67d7f6f
MM		 932 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
933 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
934 else
935 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 936
937 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 938 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 939 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
940 }
941
942 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 943 return skb;
944}
945
946static void l2cap_send_sframe(struct l2cap_chan *chan,
947 struct l2cap_ctrl *control)
948{
949 struct sk_buff *skb;
950 u32 control_field;
951
952 BT_DBG("chan %p, control %p", chan, control);
953
954 if (!control->sframe)
955 return;
956
b99e13ad
MM		 957 if (__chan_is_moving(chan))
958 return;
959
a67d7f6f
MM		 960 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
961 !control->poll)
962 control->final = 1;
963
964 if (control->super == L2CAP_SUPER_RR)
965 clear_bit(CONN_RNR_SENT, &chan->conn_state);
966 else if (control->super == L2CAP_SUPER_RNR)
967 set_bit(CONN_RNR_SENT, &chan->conn_state);
968
969 if (control->super != L2CAP_SUPER_SREJ) {
970 chan->last_acked_seq = control->reqseq;
971 __clear_ack_timer(chan);
972 }
973
974 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
975 control->final, control->poll, control->super);
976
977 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
978 control_field = __pack_extended_control(control);
979 else
980 control_field = __pack_enhanced_control(control);
981
982 skb = l2cap_create_sframe_pdu(chan, control_field);
983 if (!IS_ERR(skb))
984 l2cap_do_send(chan, skb);
b5c6aaed
MM		 985}
986
c9e3d5e0 987static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 988{
c9e3d5e0
MM		 989 struct l2cap_ctrl control;
990
991 BT_DBG("chan %p, poll %d", chan, poll);
992
993 memset(&control, 0, sizeof(control));
994 control.sframe = 1;
995 control.poll = poll;
996
997 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
998 control.super = L2CAP_SUPER_RNR;
999 else
1000 control.super = L2CAP_SUPER_RR;
b5c6aaed 1001
c9e3d5e0
MM		 1002 control.reqseq = chan->buffer_seq;
1003 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1004}
1005
b4450035 1006static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1007{
c1360a1c 1008 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1009}
1010
93c3e8f5
AE		 1011static bool __amp_capable(struct l2cap_chan *chan)
1012{
1013 struct l2cap_conn *conn = chan->conn;
1014
1015 if (enable_hs &&
5d05416e 1016 hci_amp_capable() &&
93c3e8f5
AE		 1017 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1018 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1019 return true;
1020 else
1021 return false;
1022}
1023
5ce66b59
AE		 1024static bool l2cap_check_efs(struct l2cap_chan *chan)
1025{
1026 /* Check EFS parameters */
1027 return true;
1028}
1029
2766be48 1030void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1031{
1032 struct l2cap_conn *conn = chan->conn;
1033 struct l2cap_conn_req req;
1034
1035 req.scid = cpu_to_le16(chan->scid);
1036 req.psm = chan->psm;
1037
1038 chan->ident = l2cap_get_ident(conn);
1039
1040 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1041
1042 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1043}
1044
8eb200bd
MM		 1045static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1046{
1047 struct l2cap_create_chan_req req;
1048 req.scid = cpu_to_le16(chan->scid);
1049 req.psm = chan->psm;
1050 req.amp_id = amp_id;
1051
1052 chan->ident = l2cap_get_ident(chan->conn);
1053
1054 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1055 sizeof(req), &req);
1056}
1057
02b0fbb9
MM		 1058static void l2cap_move_setup(struct l2cap_chan *chan)
1059{
1060 struct sk_buff *skb;
1061
1062 BT_DBG("chan %p", chan);
1063
1064 if (chan->mode != L2CAP_MODE_ERTM)
1065 return;
1066
1067 __clear_retrans_timer(chan);
1068 __clear_monitor_timer(chan);
1069 __clear_ack_timer(chan);
1070
1071 chan->retry_count = 0;
1072 skb_queue_walk(&chan->tx_q, skb) {
1073 if (bt_cb(skb)->control.retries)
1074 bt_cb(skb)->control.retries = 1;
1075 else
1076 break;
1077 }
1078
1079 chan->expected_tx_seq = chan->buffer_seq;
1080
1081 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1082 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1083 l2cap_seq_list_clear(&chan->retrans_list);
1084 l2cap_seq_list_clear(&chan->srej_list);
1085 skb_queue_purge(&chan->srej_q);
1086
1087 chan->tx_state = L2CAP_TX_STATE_XMIT;
1088 chan->rx_state = L2CAP_RX_STATE_MOVE;
1089
1090 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1091}
1092
5f3847a4
MM		 1093static void l2cap_move_done(struct l2cap_chan *chan)
1094{
1095 u8 move_role = chan->move_role;
1096 BT_DBG("chan %p", chan);
1097
1098 chan->move_state = L2CAP_MOVE_STABLE;
1099 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1100
1101 if (chan->mode != L2CAP_MODE_ERTM)
1102 return;
1103
1104 switch (move_role) {
1105 case L2CAP_MOVE_ROLE_INITIATOR:
1106 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1107 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1108 break;
1109 case L2CAP_MOVE_ROLE_RESPONDER:
1110 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1111 break;
1112 }
1113}
1114
9f0caeb1
VCG		 1115static void l2cap_chan_ready(struct l2cap_chan *chan)
1116{
2827011f 1117 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1118 chan->conf_state = 0;
1119 __clear_chan_timer(chan);
1120
54a59aa2 1121 chan->state = BT_CONNECTED;
9f0caeb1 1122
fd83e2c2 1123 chan->ops->ready(chan);
9f0caeb1
VCG		 1124}
1125
93c3e8f5
AE		 1126static void l2cap_start_connection(struct l2cap_chan *chan)
1127{
1128 if (__amp_capable(chan)) {
1129 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1130 a2mp_discover_amp(chan);
1131 } else {
1132 l2cap_send_conn_req(chan);
1133 }
1134}
1135
fc7f8a7e 1136static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1137{
8c1d787b 1138 struct l2cap_conn *conn = chan->conn;
79d554a6 1139
9f0caeb1
VCG		 1140 if (conn->hcon->type == LE_LINK) {
1141 l2cap_chan_ready(chan);
1142 return;
1143 }
1144
79d554a6 1145 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1146 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1147 return;
1148
d45fc423 1149 if (l2cap_chan_check_security(chan) &&
2d792818 1150 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1151 l2cap_start_connection(chan);
1152 }
79d554a6
MH		 1153 } else {
1154 struct l2cap_info_req req;
ac73498c 1155 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1156
1157 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1158 conn->info_ident = l2cap_get_ident(conn);
1159
ba13ccd9 1160 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1161
2d792818
GP		 1162 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1163 sizeof(req), &req);
79d554a6
MH		 1164 }
1165}
1166
cf6c2c0b
GP		 1167static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1168{
1169 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1170 if (!disable_ertm)
cf6c2c0b
GP		 1171 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1172
1173 switch (mode) {
1174 case L2CAP_MODE_ERTM:
1175 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1176 case L2CAP_MODE_STREAMING:
1177 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1178 default:
1179 return 0x00;
1180 }
1181}
1182
5e4e3972 1183static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1184{
6be36555 1185 struct sock *sk = chan->sk;
5e4e3972 1186 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1187 struct l2cap_disconn_req req;
1188
c13ffa62
GP		 1189 if (!conn)
1190 return;
1191
aad3d0e3 1192 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1193 __clear_retrans_timer(chan);
1194 __clear_monitor_timer(chan);
1195 __clear_ack_timer(chan);
c13ffa62
GP		 1196 }
1197
416fa752 1198 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1199 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1200 return;
1201 }
1202
fe4128e0
GP		 1203 req.dcid = cpu_to_le16(chan->dcid);
1204 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1205 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1206 sizeof(req), &req);
c13ffa62 1207
6be36555 1208 lock_sock(sk);
0e587be7 1209 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1210 __l2cap_chan_set_err(chan, err);
6be36555 1211 release_sock(sk);
22121fc9
GP		 1212}
1213
1da177e4 1214/* ---- L2CAP connections ---- */
4e8402a3
MH		 1215static void l2cap_conn_start(struct l2cap_conn *conn)
1216{
3df91ea2 1217 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1218
1219 BT_DBG("conn %p", conn);
1220
3df91ea2 1221 mutex_lock(&conn->chan_lock);
4e8402a3 1222
3df91ea2 1223 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1224 struct sock *sk = chan->sk;
baa7e1fa 1225
6be36555 1226 l2cap_chan_lock(chan);
4e8402a3 1227
715ec005 1228 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1229 l2cap_chan_unlock(chan);
79d554a6
MH		 1230 continue;
1231 }
1232
89bc500e 1233 if (chan->state == BT_CONNECT) {
d45fc423 1234 if (!l2cap_chan_check_security(chan) ||
2d792818 1235 !__l2cap_no_conn_pending(chan)) {
6be36555 1236 l2cap_chan_unlock(chan);
47731de7
GP		 1237 continue;
1238 }
79d554a6 1239
c1360a1c 1240 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1241 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1242 &chan->conf_state)) {
89bc500e 1243 l2cap_chan_close(chan, ECONNRESET);
6be36555 1244 l2cap_chan_unlock(chan);
47731de7 1245 continue;
b1235d79 1246 }
47731de7 1247
93c3e8f5 1248 l2cap_start_connection(chan);
47731de7 1249
89bc500e 1250 } else if (chan->state == BT_CONNECT2) {
79d554a6 1251 struct l2cap_conn_rsp rsp;
e9aeb2dd 1252 char buf[128];
fe4128e0
GP		 1253 rsp.scid = cpu_to_le16(chan->dcid);
1254 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1255
d45fc423 1256 if (l2cap_chan_check_security(chan)) {
6be36555 1257 lock_sock(sk);
c5daa683
GP		 1258 if (test_bit(BT_SK_DEFER_SETUP,
1259 &bt_sk(sk)->flags)) {
ac73498c
AE		 1260 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1261 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1262 chan->ops->defer(chan);
f66dc81f
MH		 1263
1264 } else {
0e587be7 1265 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1266 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1267 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1268 }
6be36555 1269 release_sock(sk);
79d554a6 1270 } else {
ac73498c
AE		 1271 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1272 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1273 }
1274
fc7f8a7e 1275 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1276 sizeof(rsp), &rsp);
e9aeb2dd 1277
c1360a1c 1278 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1279 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1280 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1281 continue;
1282 }
1283
c1360a1c 1284 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1285 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1286 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1287 chan->num_conf_req++;
4e8402a3
MH		 1288 }
1289
6be36555 1290 l2cap_chan_unlock(chan);
4e8402a3
MH		 1291 }
1292
3df91ea2 1293 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1294}
1295
c2287681 1296/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1297 * Returns closest match, locked.
1298 */
d9b88702 1299static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1300 bdaddr_t *src,
1301 bdaddr_t *dst)
b62f328b 1302{
23691d75 1303 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1304
23691d75 1305 read_lock(&chan_list_lock);
b62f328b 1306
23691d75
GP		 1307 list_for_each_entry(c, &chan_list, global_l) {
1308 struct sock *sk = c->sk;
fe4128e0 1309
89bc500e 1310 if (state && c->state != state)
b62f328b
VT		 1311 continue;
1312
23691d75 1313 if (c->scid == cid) {
c2287681
IY		 1314 int src_match, dst_match;
1315 int src_any, dst_any;
1316
b62f328b 1317 /* Exact match. */
c2287681
IY		 1318 src_match = !bacmp(&bt_sk(sk)->src, src);
1319 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1320 if (src_match && dst_match) {
23691d75
GP		 1321 read_unlock(&chan_list_lock);
1322 return c;
1323 }
b62f328b
VT		 1324
1325 /* Closest match */
c2287681
IY		 1326 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1327 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1328 if ((src_match && dst_any) || (src_any && dst_match) ||
1329 (src_any && dst_any))
23691d75 1330 c1 = c;
b62f328b
VT		 1331 }
1332 }
280f294f 1333
23691d75 1334 read_unlock(&chan_list_lock);
b62f328b 1335
23691d75 1336 return c1;
b62f328b
VT		 1337}
1338
1339static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1340{
c916fbe4 1341 struct sock *parent, *sk;
23691d75 1342 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1343
1344 BT_DBG("");
1345
1346 /* Check if we have socket listening on cid */
23691d75 1347 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1348 conn->src, conn->dst);
23691d75 1349 if (!pchan)
b62f328b
VT		 1350 return;
1351
23691d75
GP		 1352 parent = pchan->sk;
1353
aa2ac881 1354 lock_sock(parent);
62f3a2cf 1355
80b98027 1356 chan = pchan->ops->new_connection(pchan);
80808e43 1357 if (!chan)
b62f328b
VT		 1358 goto clean;
1359
80808e43 1360 sk = chan->sk;
5d41ce1d 1361
b62f328b 1362 hci_conn_hold(conn->hcon);
a9ea3ed9 1363 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1364
b62f328b
VT		 1365 bacpy(&bt_sk(sk)->src, conn->src);
1366 bacpy(&bt_sk(sk)->dst, conn->dst);
1367
3d57dc68 1368 l2cap_chan_add(conn, chan);
48454079 1369
6754e0df 1370 l2cap_chan_ready(chan);
b62f328b 1371
b62f328b 1372clean:
aa2ac881 1373 release_sock(parent);
b62f328b
VT		 1374}
1375
4e8402a3
MH		 1376static void l2cap_conn_ready(struct l2cap_conn *conn)
1377{
48454079 1378 struct l2cap_chan *chan;
cc110922 1379 struct hci_conn *hcon = conn->hcon;
4e8402a3 1380
79d554a6 1381 BT_DBG("conn %p", conn);
4e8402a3 1382
cc110922 1383 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1384 l2cap_le_conn_ready(conn);
1385
cc110922
VCG		 1386 if (hcon->out && hcon->type == LE_LINK)
1387 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1388
3df91ea2 1389 mutex_lock(&conn->chan_lock);
4e8402a3 1390
3df91ea2 1391 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1392
6be36555 1393 l2cap_chan_lock(chan);
4e8402a3 1394
416fa752
AE		 1395 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1396 l2cap_chan_unlock(chan);
1397 continue;
1398 }
1399
cc110922
VCG		 1400 if (hcon->type == LE_LINK) {
1401 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1402 l2cap_chan_ready(chan);
acd7d370 1403
63128451 1404 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1405 struct sock *sk = chan->sk;
c9b66675 1406 __clear_chan_timer(chan);
6be36555 1407 lock_sock(sk);
0e587be7 1408 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1409 sk->sk_state_change(sk);
6be36555 1410 release_sock(sk);
b501d6a1 1411
89bc500e 1412 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1413 l2cap_do_start(chan);
4e8402a3 1414
6be36555 1415 l2cap_chan_unlock(chan);
4e8402a3 1416 }
79d554a6 1417
3df91ea2 1418 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1419}
1420
1421/* Notify sockets that we cannot guaranty reliability anymore */
1422static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1423{
48454079 1424 struct l2cap_chan *chan;
4e8402a3
MH		 1425
1426 BT_DBG("conn %p", conn);
1427
3df91ea2 1428 mutex_lock(&conn->chan_lock);
4e8402a3 1429
3df91ea2 1430 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1431 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1432 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1433 }
1434
3df91ea2 1435 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1436}
1437
f878fcad 1438static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1439{
f878fcad 1440 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1441 info_timer.work);
4e8402a3 1442
984947dc 1443 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1444 conn->info_ident = 0;
984947dc 1445
4e8402a3
MH		 1446 l2cap_conn_start(conn);
1447}
1448
5d3de7df
VCG		 1449static void l2cap_conn_del(struct hci_conn *hcon, int err)
1450{
1451 struct l2cap_conn *conn = hcon->l2cap_data;
1452 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1453
1454 if (!conn)
1455 return;
1456
1457 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1458
1459 kfree_skb(conn->rx_skb);
1460
3df91ea2
AE		 1461 mutex_lock(&conn->chan_lock);
1462
5d3de7df
VCG		 1463 /* Kill channels */
1464 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1465 l2cap_chan_hold(chan);
6be36555
AE		 1466 l2cap_chan_lock(chan);
1467
5d3de7df 1468 l2cap_chan_del(chan, err);
6be36555
AE		 1469
1470 l2cap_chan_unlock(chan);
1471
80b98027 1472 chan->ops->close(chan);
61d6ef3e 1473 l2cap_chan_put(chan);
5d3de7df
VCG		 1474 }
1475
3df91ea2
AE		 1476 mutex_unlock(&conn->chan_lock);
1477
73d80deb
LAD		 1478 hci_chan_del(conn->hchan);
1479
5d3de7df 1480 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1481 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1482
51a8efd7 1483 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1484 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1485 smp_chan_destroy(conn);
d26a2345 1486 }
5d3de7df
VCG		 1487
1488 hcon->l2cap_data = NULL;
1489 kfree(conn);
1490}
1491
6c9d42a1 1492static void security_timeout(struct work_struct *work)
5d3de7df 1493{
6c9d42a1 1494 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1495 security_timer.work);
5d3de7df 1496
d06cc416
JH		 1497 BT_DBG("conn %p", conn);
1498
1499 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1500 smp_chan_destroy(conn);
1501 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1502 }
5d3de7df
VCG		 1503}
1504
1da177e4
LT		 1505static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1506{
0139418c 1507 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1508 struct hci_chan *hchan;
1da177e4 1509
0139418c 1510 if (conn || status)
1da177e4
LT		 1511 return conn;
1512
73d80deb
LAD		 1513 hchan = hci_chan_create(hcon);
1514 if (!hchan)
1515 return NULL;
1516
8bcde1f2 1517 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1518 if (!conn) {
1519 hci_chan_del(hchan);
1da177e4 1520 return NULL;
73d80deb 1521 }
1da177e4
LT		 1522
1523 hcon->l2cap_data = conn;
1524 conn->hcon = hcon;
73d80deb 1525 conn->hchan = hchan;
1da177e4 1526
73d80deb 1527 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1528
dcc042d5 1529 switch (hcon->type) {
dcc042d5
AE		 1530 case LE_LINK:
1531 if (hcon->hdev->le_mtu) {
1532 conn->mtu = hcon->hdev->le_mtu;
1533 break;
1534 }
1535 /* fall through */
dcc042d5 1536 default:
acd7d370 1537 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1538 break;
1539 }
acd7d370 1540
1da177e4
LT		 1541 conn->src = &hcon->hdev->bdaddr;
1542 conn->dst = &hcon->dst;
1543
4e8402a3
MH		 1544 conn->feat_mask = 0;
1545
1da177e4 1546 spin_lock_init(&conn->lock);
3df91ea2 1547 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1548
1549 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1550
5d3de7df 1551 if (hcon->type == LE_LINK)
6c9d42a1 1552 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1553 else
030013d8 1554 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1555
9f5a0d7b 1556 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1557
1da177e4
LT		 1558 return conn;
1559}
1560
1da177e4 1561/* ---- Socket interface ---- */
1da177e4 1562
c2287681 1563/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1564 * Returns closest match.
1565 */
c2287681
IY		 1566static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1567 bdaddr_t *src,
1568 bdaddr_t *dst)
1da177e4 1569{
23691d75 1570 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1571
23691d75 1572 read_lock(&chan_list_lock);
e0f0cb56 1573
23691d75
GP		 1574 list_for_each_entry(c, &chan_list, global_l) {
1575 struct sock *sk = c->sk;
fe4128e0 1576
89bc500e 1577 if (state && c->state != state)
1da177e4
LT		 1578 continue;
1579
23691d75 1580 if (c->psm == psm) {
c2287681
IY		 1581 int src_match, dst_match;
1582 int src_any, dst_any;
1583
1da177e4 1584 /* Exact match. */
c2287681
IY		 1585 src_match = !bacmp(&bt_sk(sk)->src, src);
1586 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1587 if (src_match && dst_match) {
a7567b20 1588 read_unlock(&chan_list_lock);
23691d75
GP		 1589 return c;
1590 }
1da177e4
LT		 1591
1592 /* Closest match */
c2287681
IY		 1593 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1594 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1595 if ((src_match && dst_any) || (src_any && dst_match) ||
1596 (src_any && dst_any))
23691d75 1597 c1 = c;
1da177e4
LT		 1598 }
1599 }
1da177e4 1600
23691d75 1601 read_unlock(&chan_list_lock);
e0f0cb56 1602
23691d75 1603 return c1;
1da177e4
LT		 1604}
1605
8e9f9892
AG		 1606int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1607 bdaddr_t *dst, u8 dst_type)
1da177e4 1608{
5d41ce1d 1609 struct sock *sk = chan->sk;
1da177e4 1610 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1611 struct l2cap_conn *conn;
1612 struct hci_conn *hcon;
1613 struct hci_dev *hdev;
09ab6f4c 1614 __u8 auth_type;
44d0e48e 1615 int err;
1da177e4 1616
6ed93dc6 1617 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1618 dst_type, __le16_to_cpu(psm));
1da177e4 1619
af05b30b
GP		 1620 hdev = hci_get_route(dst, src);
1621 if (!hdev)
1da177e4
LT		 1622 return -EHOSTUNREACH;
1623
09fd0de5 1624 hci_dev_lock(hdev);
1da177e4 1625
6be36555 1626 l2cap_chan_lock(chan);
03a00194
GP		 1627
1628 /* PSM must be odd and lsb of upper byte must be 0 */
1629 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1630 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1631 err = -EINVAL;
1632 goto done;
1633 }
1634
1635 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1636 err = -EINVAL;
1637 goto done;
1638 }
1639
1640 switch (chan->mode) {
1641 case L2CAP_MODE_BASIC:
1642 break;
1643 case L2CAP_MODE_ERTM:
1644 case L2CAP_MODE_STREAMING:
1645 if (!disable_ertm)
1646 break;
1647 /* fall through */
1648 default:
1649 err = -ENOTSUPP;
1650 goto done;
1651 }
1652
0797e01d 1653 switch (chan->state) {
03a00194
GP		 1654 case BT_CONNECT:
1655 case BT_CONNECT2:
1656 case BT_CONFIG:
1657 /* Already connecting */
1658 err = 0;
1659 goto done;
1660
1661 case BT_CONNECTED:
1662 /* Already connected */
1663 err = -EISCONN;
1664 goto done;
1665
1666 case BT_OPEN:
1667 case BT_BOUND:
1668 /* Can connect */
1669 break;
1670
1671 default:
1672 err = -EBADFD;
1673 goto done;
1674 }
1675
1676 /* Set destination address and psm */
0797e01d 1677 lock_sock(sk);
9219b2a0 1678 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1679 release_sock(sk);
1680
03a00194
GP		 1681 chan->psm = psm;
1682 chan->dcid = cid;
1da177e4 1683
4343478f 1684 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1685
fe4128e0 1686 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1687 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1688 chan->sec_level, auth_type);
acd7d370 1689 else
8e9f9892 1690 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1691 chan->sec_level, auth_type);
acd7d370 1692
30e76272
VT		 1693 if (IS_ERR(hcon)) {
1694 err = PTR_ERR(hcon);
1da177e4 1695 goto done;
30e76272 1696 }
1da177e4
LT		 1697
1698 conn = l2cap_conn_add(hcon, 0);
1699 if (!conn) {
1700 hci_conn_put(hcon);
30e76272 1701 err = -ENOMEM;
1da177e4
LT		 1702 goto done;
1703 }
1704
9f0caeb1
VCG		 1705 if (hcon->type == LE_LINK) {
1706 err = 0;
1707
1708 if (!list_empty(&conn->chan_l)) {
1709 err = -EBUSY;
1710 hci_conn_put(hcon);
1711 }
1712
1713 if (err)
1714 goto done;
1715 }
1716
1da177e4
LT		 1717 /* Update source addr of the socket */
1718 bacpy(src, conn->src);
1719
6be36555 1720 l2cap_chan_unlock(chan);
48454079 1721 l2cap_chan_add(conn, chan);
6be36555 1722 l2cap_chan_lock(chan);
48454079 1723
6be36555 1724 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1725 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1726
1727 if (hcon->state == BT_CONNECTED) {
715ec005 1728 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1729 __clear_chan_timer(chan);
d45fc423 1730 if (l2cap_chan_check_security(chan))
6be36555 1731 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1732 } else
fc7f8a7e 1733 l2cap_do_start(chan);
1da177e4
LT		 1734 }
1735
30e76272
VT		 1736 err = 0;
1737
1da177e4 1738done:
6be36555 1739 l2cap_chan_unlock(chan);
09fd0de5 1740 hci_dev_unlock(hdev);
1da177e4
LT		 1741 hci_dev_put(hdev);
1742 return err;
1743}
1744
dcba0dba 1745int __l2cap_wait_ack(struct sock *sk)
6161c038 1746{
8c1d787b 1747 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1748 DECLARE_WAITQUEUE(wait, current);
1749 int err = 0;
1750 int timeo = HZ/5;
1751
2b0b05dd 1752 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1753 set_current_state(TASK_INTERRUPTIBLE);
1754 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1755 if (!timeo)
1756 timeo = HZ/5;
1757
1758 if (signal_pending(current)) {
1759 err = sock_intr_errno(timeo);
1760 break;
1761 }
1762
1763 release_sock(sk);
1764 timeo = schedule_timeout(timeo);
1765 lock_sock(sk);
a71a0cf4 1766 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1767
1768 err = sock_error(sk);
1769 if (err)
1770 break;
1771 }
1772 set_current_state(TASK_RUNNING);
2b0b05dd 1773 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1774 return err;
1775}
1776
721c4181 1777static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1778{
721c4181 1779 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1780 monitor_timer.work);
e90bac06 1781
525cd185 1782 BT_DBG("chan %p", chan);
0e98958d 1783
6be36555
AE		 1784 l2cap_chan_lock(chan);
1785
80909e04 1786 if (!chan->conn) {
6be36555 1787 l2cap_chan_unlock(chan);
8d7e1c7f 1788 l2cap_chan_put(chan);
e90bac06
GP		 1789 return;
1790 }
1791
401bb1f7 1792 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1793
6be36555 1794 l2cap_chan_unlock(chan);
8d7e1c7f 1795 l2cap_chan_put(chan);
e90bac06
GP		 1796}
1797
721c4181 1798static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1799{
721c4181 1800 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1801 retrans_timer.work);
e90bac06 1802
49208c9c 1803 BT_DBG("chan %p", chan);
0e98958d 1804
6be36555
AE		 1805 l2cap_chan_lock(chan);
1806
80909e04
MM		 1807 if (!chan->conn) {
1808 l2cap_chan_unlock(chan);
1809 l2cap_chan_put(chan);
1810 return;
1811 }
6be36555 1812
401bb1f7 1813 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1814 l2cap_chan_unlock(chan);
8d7e1c7f 1815 l2cap_chan_put(chan);
e90bac06
GP		 1816}
1817
d660366d
GP		 1818static void l2cap_streaming_send(struct l2cap_chan *chan,
1819 struct sk_buff_head *skbs)
6840ed07 1820{
ccbb84af 1821 struct sk_buff *skb;
3733937d 1822 struct l2cap_ctrl *control;
6840ed07 1823
3733937d
MM		 1824 BT_DBG("chan %p, skbs %p", chan, skbs);
1825
b99e13ad
MM		 1826 if (__chan_is_moving(chan))
1827 return;
1828
3733937d
MM		 1829 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1830
1831 while (!skb_queue_empty(&chan->tx_q)) {
1832
1833 skb = skb_dequeue(&chan->tx_q);
1834
1835 bt_cb(skb)->control.retries = 1;
1836 control = &bt_cb(skb)->control;
1837
1838 control->reqseq = 0;
1839 control->txseq = chan->next_tx_seq;
1840
1841 __pack_control(chan, control, skb);
6840ed07 1842
47d1ec61 1843 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1844 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1845 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1846 }
1847
4343478f 1848 l2cap_do_send(chan, skb);
6840ed07 1849
b4400672 1850 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1851
836be934 1852 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1853 chan->frames_sent++;
6840ed07 1854 }
6840ed07
GP		 1855}
1856
67c9e840 1857static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1858{
1859 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1860 struct l2cap_ctrl *control;
1861 int sent = 0;
1862
1863 BT_DBG("chan %p", chan);
1c2acffb 1864
89bc500e 1865 if (chan->state != BT_CONNECTED)
c13ffa62 1866 return -ENOTCONN;
e90bac06 1867
94122bbe
MM		 1868 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1869 return 0;
1870
b99e13ad
MM		 1871 if (__chan_is_moving(chan))
1872 return 0;
1873
18a48e76
MM		 1874 while (chan->tx_send_head &&
1875 chan->unacked_frames < chan->remote_tx_win &&
1876 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1877
18a48e76 1878 skb = chan->tx_send_head;
e90bac06 1879
18a48e76
MM		 1880 bt_cb(skb)->control.retries = 1;
1881 control = &bt_cb(skb)->control;
95ffa978 1882
e2ab4353 1883 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1884 control->final = 1;
e2ab4353 1885
18a48e76
MM		 1886 control->reqseq = chan->buffer_seq;
1887 chan->last_acked_seq = chan->buffer_seq;
1888 control->txseq = chan->next_tx_seq;
1c2acffb 1889
18a48e76 1890 __pack_control(chan, control, skb);
e90bac06 1891
47d1ec61 1892 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1893 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1894 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1895 }
1896
18a48e76
MM		 1897 /* Clone after data has been modified. Data is assumed to be
1898 read-only (for locking purposes) on cloned sk_buffs.
1899 */
1900 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1901
18a48e76
MM		 1902 if (!tx_skb)
1903 break;
1c2acffb 1904
18a48e76 1905 __set_retrans_timer(chan);
836be934
AE		 1906
1907 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1908 chan->unacked_frames++;
6a026610 1909 chan->frames_sent++;
18a48e76 1910 sent++;
1c2acffb 1911
58d35f87
GP		 1912 if (skb_queue_is_last(&chan->tx_q, skb))
1913 chan->tx_send_head = NULL;
1c2acffb 1914 else
58d35f87 1915 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1916
1917 l2cap_do_send(chan, tx_skb);
b4400672 1918 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1919 }
1920
b4400672
AE		 1921 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1922 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1923
1924 return sent;
9e917af1
GP		 1925}
1926
e1fbd4c1
MM		 1927static void l2cap_ertm_resend(struct l2cap_chan *chan)
1928{
1929 struct l2cap_ctrl control;
1930 struct sk_buff *skb;
1931 struct sk_buff *tx_skb;
1932 u16 seq;
1933
1934 BT_DBG("chan %p", chan);
1935
1936 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1937 return;
1938
b99e13ad
MM		 1939 if (__chan_is_moving(chan))
1940 return;
1941
e1fbd4c1
MM		 1942 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1943 seq = l2cap_seq_list_pop(&chan->retrans_list);
1944
1945 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1946 if (!skb) {
1947 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1948 seq);
e1fbd4c1
MM		 1949 continue;
1950 }
1951
1952 bt_cb(skb)->control.retries++;
1953 control = bt_cb(skb)->control;
1954
1955 if (chan->max_tx != 0 &&
1956 bt_cb(skb)->control.retries > chan->max_tx) {
1957 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1958 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1959 l2cap_seq_list_clear(&chan->retrans_list);
1960 break;
1961 }
1962
1963 control.reqseq = chan->buffer_seq;
1964 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1965 control.final = 1;
1966 else
1967 control.final = 0;
1968
1969 if (skb_cloned(skb)) {
1970 /* Cloned sk_buffs are read-only, so we need a
1971 * writeable copy
1972 */
8bcde1f2 1973 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1974 } else {
8bcde1f2 1975 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1976 }
1977
1978 if (!tx_skb) {
1979 l2cap_seq_list_clear(&chan->retrans_list);
1980 break;
1981 }
1982
1983 /* Update skb contents */
1984 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1985 put_unaligned_le32(__pack_extended_control(&control),
1986 tx_skb->data + L2CAP_HDR_SIZE);
1987 } else {
1988 put_unaligned_le16(__pack_enhanced_control(&control),
1989 tx_skb->data + L2CAP_HDR_SIZE);
1990 }
1991
1992 if (chan->fcs == L2CAP_FCS_CRC16) {
1993 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1994 put_unaligned_le16(fcs, skb_put(tx_skb,
1995 L2CAP_FCS_SIZE));
1996 }
1997
1998 l2cap_do_send(chan, tx_skb);
1999
2000 BT_DBG("Resent txseq %d", control.txseq);
2001
2002 chan->last_acked_seq = chan->buffer_seq;
2003 }
2004}
2005
f80842a8
MM		 2006static void l2cap_retransmit(struct l2cap_chan *chan,
2007 struct l2cap_ctrl *control)
2008{
2009 BT_DBG("chan %p, control %p", chan, control);
2010
2011 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2012 l2cap_ertm_resend(chan);
2013}
2014
d2a7ac5d
MM		 2015static void l2cap_retransmit_all(struct l2cap_chan *chan,
2016 struct l2cap_ctrl *control)
2017{
e1fbd4c1
MM		 2018 struct sk_buff *skb;
2019
2020 BT_DBG("chan %p, control %p", chan, control);
2021
2022 if (control->poll)
2023 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2024
2025 l2cap_seq_list_clear(&chan->retrans_list);
2026
2027 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2028 return;
2029
2030 if (chan->unacked_frames) {
2031 skb_queue_walk(&chan->tx_q, skb) {
2032 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2033 skb == chan->tx_send_head)
e1fbd4c1
MM		 2034 break;
2035 }
2036
2037 skb_queue_walk_from(&chan->tx_q, skb) {
2038 if (skb == chan->tx_send_head)
2039 break;
2040
2041 l2cap_seq_list_append(&chan->retrans_list,
2042 bt_cb(skb)->control.txseq);
2043 }
2044
2045 l2cap_ertm_resend(chan);
2046 }
d2a7ac5d
MM		 2047}
2048
0a0aba42 2049static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2050{
0a0aba42
MM		 2051 struct l2cap_ctrl control;
2052 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2053 chan->last_acked_seq);
2054 int threshold;
9e917af1 2055
0a0aba42
MM		 2056 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2057 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2058
0a0aba42
MM		 2059 memset(&control, 0, sizeof(control));
2060 control.sframe = 1;
dfc909be 2061
0a0aba42
MM		 2062 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2063 chan->rx_state == L2CAP_RX_STATE_RECV) {
2064 __clear_ack_timer(chan);
2065 control.super = L2CAP_SUPER_RNR;
2066 control.reqseq = chan->buffer_seq;
2067 l2cap_send_sframe(chan, &control);
2068 } else {
2069 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2070 l2cap_ertm_send(chan);
2071 /* If any i-frames were sent, they included an ack */
2072 if (chan->buffer_seq == chan->last_acked_seq)
2073 frames_to_ack = 0;
2074 }
dfc909be 2075
c20f8e35 2076 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2077 * Calculate without mul or div
2078 */
c20f8e35 2079 threshold = chan->ack_win;
0a0aba42
MM		 2080 threshold += threshold << 1;
2081 threshold >>= 2;
2082
b4400672 2083 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2084 threshold);
2085
2086 if (frames_to_ack >= threshold) {
2087 __clear_ack_timer(chan);
2088 control.super = L2CAP_SUPER_RR;
2089 control.reqseq = chan->buffer_seq;
2090 l2cap_send_sframe(chan, &control);
2091 frames_to_ack = 0;
2092 }
1c2acffb 2093
0a0aba42
MM		 2094 if (frames_to_ack)
2095 __set_ack_timer(chan);
2096 }
b17e73bb
SJ		 2097}
2098
04124681
GP		 2099static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2100 struct msghdr *msg, int len,
2101 int count, struct sk_buff *skb)
1c2acffb 2102{
0952a57a 2103 struct l2cap_conn *conn = chan->conn;
1c2acffb 2104 struct sk_buff **frag;
90338947 2105 int sent = 0;
1da177e4 2106
59203a21 2107 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2108 return -EFAULT;
1da177e4
LT		 2109
2110 sent += count;
2111 len -= count;
2112
2113 /* Continuation fragments (no L2CAP header) */
2114 frag = &skb_shinfo(skb)->frag_list;
2115 while (len) {
fbe00700
GP		 2116 struct sk_buff *tmp;
2117
1da177e4
LT		 2118 count = min_t(unsigned int, conn->mtu, len);
2119
fbe00700
GP		 2120 tmp = chan->ops->alloc_skb(chan, count,
2121 msg->msg_flags & MSG_DONTWAIT);
2122 if (IS_ERR(tmp))
2123 return PTR_ERR(tmp);
2124
2125 *frag = tmp;
2f7719ce 2126
1c2acffb
GP		 2127 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2128 return -EFAULT;
1da177e4 2129
5e59b791
LAD		 2130 (*frag)->priority = skb->priority;
2131
1da177e4
LT		 2132 sent += count;
2133 len -= count;
2134
2d0ed3d5
GP		 2135 skb->len += (*frag)->len;
2136 skb->data_len += (*frag)->len;
2137
1da177e4
LT		 2138 frag = &(*frag)->next;
2139 }
1da177e4
LT		 2140
2141 return sent;
1c2acffb 2142}
1da177e4 2143
5e59b791 2144static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2145 struct msghdr *msg, size_t len,
2146 u32 priority)
1c2acffb 2147{
8c1d787b 2148 struct l2cap_conn *conn = chan->conn;
1c2acffb 2149 struct sk_buff *skb;
03a51213 2150 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2151 struct l2cap_hdr *lh;
2152
b4400672 2153 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2154
2155 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2156
2157 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2158 msg->msg_flags & MSG_DONTWAIT);
2159 if (IS_ERR(skb))
2160 return skb;
1c2acffb 2161
5e59b791
LAD		 2162 skb->priority = priority;
2163
1c2acffb
GP		 2164 /* Create L2CAP header */
2165 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2166 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2167 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2168 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2169
0952a57a 2170 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2171 if (unlikely(err < 0)) {
2172 kfree_skb(skb);
2173 return ERR_PTR(err);
2174 }
2175 return skb;
2176}
2177
5e59b791 2178static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2179 struct msghdr *msg, size_t len,
2180 u32 priority)
1c2acffb 2181{
8c1d787b 2182 struct l2cap_conn *conn = chan->conn;
1c2acffb 2183 struct sk_buff *skb;
f2ba7fae 2184 int err, count;
1c2acffb
GP		 2185 struct l2cap_hdr *lh;
2186
b4400672 2187 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2188
f2ba7fae 2189 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2190
f2ba7fae 2191 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2192 msg->msg_flags & MSG_DONTWAIT);
2193 if (IS_ERR(skb))
2194 return skb;
1c2acffb 2195
5e59b791
LAD		 2196 skb->priority = priority;
2197
1c2acffb
GP		 2198 /* Create L2CAP header */
2199 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2200 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2201 lh->len = cpu_to_le16(len);
1c2acffb 2202
0952a57a 2203 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2204 if (unlikely(err < 0)) {
2205 kfree_skb(skb);
2206 return ERR_PTR(err);
2207 }
2208 return skb;
2209}
2210
ab0ff76d 2211static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2212 struct msghdr *msg, size_t len,
2213 u16 sdulen)
1c2acffb 2214{
8c1d787b 2215 struct l2cap_conn *conn = chan->conn;
1c2acffb 2216 struct sk_buff *skb;
e4ca6d98 2217 int err, count, hlen;
1c2acffb
GP		 2218 struct l2cap_hdr *lh;
2219
b4400672 2220 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2221
0ee0d208
GP		 2222 if (!conn)
2223 return ERR_PTR(-ENOTCONN);
2224
ba7aa64f 2225 hlen = __ertm_hdr_size(chan);
e4ca6d98 2226
c74e560c 2227 if (sdulen)
03a51213 2228 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2229
47d1ec61 2230 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2231 hlen += L2CAP_FCS_SIZE;
fcc203c3 2232
1c2acffb 2233 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2234
2235 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2236 msg->msg_flags & MSG_DONTWAIT);
2237 if (IS_ERR(skb))
2238 return skb;
1c2acffb
GP		 2239
2240 /* Create L2CAP header */
2241 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2242 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2243 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2244
18a48e76
MM		 2245 /* Control header is populated later */
2246 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2247 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2248 else
2249 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2250
c74e560c 2251 if (sdulen)
03a51213 2252 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2253
0952a57a 2254 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2255 if (unlikely(err < 0)) {
2256 kfree_skb(skb);
2257 return ERR_PTR(err);
2258 }
e90bac06 2259
18a48e76 2260 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2261 bt_cb(skb)->control.retries = 0;
1c2acffb 2262 return skb;
1da177e4
LT		 2263}
2264
94122bbe
MM		 2265static int l2cap_segment_sdu(struct l2cap_chan *chan,
2266 struct sk_buff_head *seg_queue,
2267 struct msghdr *msg, size_t len)
c74e560c 2268{
c74e560c 2269 struct sk_buff *skb;
94122bbe
MM		 2270 u16 sdu_len;
2271 size_t pdu_len;
94122bbe 2272 u8 sar;
c74e560c 2273
b4400672 2274 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2275
94122bbe
MM		 2276 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2277 * so fragmented skbs are not used. The HCI layer's handling
2278 * of fragmented skbs is not compatible with ERTM's queueing.
2279 */
c74e560c 2280
94122bbe
MM		 2281 /* PDU size is derived from the HCI MTU */
2282 pdu_len = chan->conn->mtu;
c74e560c 2283
a549574d
MM		 2284 /* Constrain PDU size for BR/EDR connections */
2285 if (!chan->hs_hcon)
2286 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2287
2288 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2289 if (chan->fcs)
2290 pdu_len -= L2CAP_FCS_SIZE;
2291
ba7aa64f 2292 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2293
2294 /* Remote device may have requested smaller PDUs */
2295 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2296
2297 if (len <= pdu_len) {
2298 sar = L2CAP_SAR_UNSEGMENTED;
2299 sdu_len = 0;
2300 pdu_len = len;
2301 } else {
2302 sar = L2CAP_SAR_START;
2303 sdu_len = len;
2304 pdu_len -= L2CAP_SDULEN_SIZE;
2305 }
2306
2307 while (len > 0) {
2308 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2309
c74e560c 2310 if (IS_ERR(skb)) {
94122bbe 2311 __skb_queue_purge(seg_queue);
c74e560c
GP		 2312 return PTR_ERR(skb);
2313 }
2314
94122bbe
MM		 2315 bt_cb(skb)->control.sar = sar;
2316 __skb_queue_tail(seg_queue, skb);
2317
2318 len -= pdu_len;
2319 if (sdu_len) {
2320 sdu_len = 0;
2321 pdu_len += L2CAP_SDULEN_SIZE;
2322 }
2323
2324 if (len <= pdu_len) {
2325 sar = L2CAP_SAR_END;
2326 pdu_len = len;
2327 } else {
2328 sar = L2CAP_SAR_CONTINUE;
2329 }
c74e560c 2330 }
c74e560c 2331
f0f62799 2332 return 0;
c74e560c
GP		 2333}
2334
5e59b791 2335int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2336 u32 priority)
9a91a04a 2337{
9a91a04a 2338 struct sk_buff *skb;
9a91a04a 2339 int err;
94122bbe 2340 struct sk_buff_head seg_queue;
9a91a04a
GP		 2341
2342 /* Connectionless channel */
715ec005 2343 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2344 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2345 if (IS_ERR(skb))
2346 return PTR_ERR(skb);
2347
2348 l2cap_do_send(chan, skb);
2349 return len;
2350 }
2351
2352 switch (chan->mode) {
2353 case L2CAP_MODE_BASIC:
2354 /* Check outgoing MTU */
2355 if (len > chan->omtu)
2356 return -EMSGSIZE;
2357
2358 /* Create a basic PDU */
5e59b791 2359 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2360 if (IS_ERR(skb))
2361 return PTR_ERR(skb);
2362
2363 l2cap_do_send(chan, skb);
2364 err = len;
2365 break;
2366
2367 case L2CAP_MODE_ERTM:
2368 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2369 /* Check outgoing MTU */
2370 if (len > chan->omtu) {
2371 err = -EMSGSIZE;
2372 break;
2373 }
9a91a04a 2374
94122bbe 2375 __skb_queue_head_init(&seg_queue);
9a91a04a 2376
94122bbe
MM		 2377 /* Do segmentation before calling in to the state machine,
2378 * since it's possible to block while waiting for memory
2379 * allocation.
2380 */
2381 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2382
94122bbe
MM		 2383 /* The channel could have been closed while segmenting,
2384 * check that it is still connected.
2385 */
2386 if (chan->state != BT_CONNECTED) {
2387 __skb_queue_purge(&seg_queue);
2388 err = -ENOTCONN;
9a91a04a
GP		 2389 }
2390
94122bbe 2391 if (err)
9a91a04a 2392 break;
9a91a04a 2393
3733937d 2394 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2395 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2396 else
d660366d 2397 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2398
d660366d 2399 err = len;
9a91a04a 2400
94122bbe
MM		 2401 /* If the skbs were not queued for sending, they'll still be in
2402 * seg_queue and need to be purged.
2403 */
2404 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2405 break;
2406
2407 default:
2408 BT_DBG("bad state %1.1x", chan->mode);
2409 err = -EBADFD;
2410 }
2411
2412 return err;
2413}
2414
d2a7ac5d
MM		 2415static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2416{
bed68bde
MM		 2417 struct l2cap_ctrl control;
2418 u16 seq;
2419
b4400672 2420 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2421
2422 memset(&control, 0, sizeof(control));
2423 control.sframe = 1;
2424 control.super = L2CAP_SUPER_SREJ;
2425
2426 for (seq = chan->expected_tx_seq; seq != txseq;
2427 seq = __next_seq(chan, seq)) {
2428 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2429 control.reqseq = seq;
2430 l2cap_send_sframe(chan, &control);
2431 l2cap_seq_list_append(&chan->srej_list, seq);
2432 }
2433 }
2434
2435 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2436}
2437
2438static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2439{
bed68bde
MM		 2440 struct l2cap_ctrl control;
2441
2442 BT_DBG("chan %p", chan);
2443
2444 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2445 return;
2446
2447 memset(&control, 0, sizeof(control));
2448 control.sframe = 1;
2449 control.super = L2CAP_SUPER_SREJ;
2450 control.reqseq = chan->srej_list.tail;
2451 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2452}
2453
2454static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2455{
bed68bde
MM		 2456 struct l2cap_ctrl control;
2457 u16 initial_head;
2458 u16 seq;
2459
b4400672 2460 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2461
2462 memset(&control, 0, sizeof(control));
2463 control.sframe = 1;
2464 control.super = L2CAP_SUPER_SREJ;
2465
2466 /* Capture initial list head to allow only one pass through the list. */
2467 initial_head = chan->srej_list.head;
2468
2469 do {
2470 seq = l2cap_seq_list_pop(&chan->srej_list);
2471 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2472 break;
2473
2474 control.reqseq = seq;
2475 l2cap_send_sframe(chan, &control);
2476 l2cap_seq_list_append(&chan->srej_list, seq);
2477 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2478}
2479
608bcc6d
MM		 2480static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2481{
2482 struct sk_buff *acked_skb;
2483 u16 ackseq;
2484
b4400672 2485 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2486
2487 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2488 return;
2489
b4400672 2490 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2491 chan->expected_ack_seq, chan->unacked_frames);
2492
2493 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2494 ackseq = __next_seq(chan, ackseq)) {
2495
2496 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2497 if (acked_skb) {
2498 skb_unlink(acked_skb, &chan->tx_q);
2499 kfree_skb(acked_skb);
2500 chan->unacked_frames--;
2501 }
2502 }
2503
2504 chan->expected_ack_seq = reqseq;
2505
2506 if (chan->unacked_frames == 0)
2507 __clear_retrans_timer(chan);
2508
b4400672 2509 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2510}
2511
2512static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2513{
2514 BT_DBG("chan %p", chan);
2515
2516 chan->expected_tx_seq = chan->buffer_seq;
2517 l2cap_seq_list_clear(&chan->srej_list);
2518 skb_queue_purge(&chan->srej_q);
2519 chan->rx_state = L2CAP_RX_STATE_RECV;
2520}
2521
d660366d
GP		 2522static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2523 struct l2cap_ctrl *control,
2524 struct sk_buff_head *skbs, u8 event)
608bcc6d 2525{
608bcc6d
MM		 2526 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2527 event);
2528
2529 switch (event) {
2530 case L2CAP_EV_DATA_REQUEST:
2531 if (chan->tx_send_head == NULL)
2532 chan->tx_send_head = skb_peek(skbs);
2533
2534 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2535 l2cap_ertm_send(chan);
2536 break;
2537 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2538 BT_DBG("Enter LOCAL_BUSY");
2539 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2540
2541 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2542 /* The SREJ_SENT state must be aborted if we are to
2543 * enter the LOCAL_BUSY state.
2544 */
2545 l2cap_abort_rx_srej_sent(chan);
2546 }
2547
2548 l2cap_send_ack(chan);
2549
2550 break;
2551 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2552 BT_DBG("Exit LOCAL_BUSY");
2553 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2554
2555 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2556 struct l2cap_ctrl local_control;
2557
2558 memset(&local_control, 0, sizeof(local_control));
2559 local_control.sframe = 1;
2560 local_control.super = L2CAP_SUPER_RR;
2561 local_control.poll = 1;
2562 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2563 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2564
2565 chan->retry_count = 1;
2566 __set_monitor_timer(chan);
2567 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2568 }
2569 break;
2570 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2571 l2cap_process_reqseq(chan, control->reqseq);
2572 break;
2573 case L2CAP_EV_EXPLICIT_POLL:
2574 l2cap_send_rr_or_rnr(chan, 1);
2575 chan->retry_count = 1;
2576 __set_monitor_timer(chan);
2577 __clear_ack_timer(chan);
2578 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2579 break;
2580 case L2CAP_EV_RETRANS_TO:
2581 l2cap_send_rr_or_rnr(chan, 1);
2582 chan->retry_count = 1;
2583 __set_monitor_timer(chan);
2584 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2585 break;
2586 case L2CAP_EV_RECV_FBIT:
2587 /* Nothing to process */
2588 break;
2589 default:
2590 break;
2591 }
608bcc6d
MM		 2592}
2593
d660366d
GP		 2594static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2595 struct l2cap_ctrl *control,
2596 struct sk_buff_head *skbs, u8 event)
608bcc6d 2597{
608bcc6d
MM		 2598 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2599 event);
2600
2601 switch (event) {
2602 case L2CAP_EV_DATA_REQUEST:
2603 if (chan->tx_send_head == NULL)
2604 chan->tx_send_head = skb_peek(skbs);
2605 /* Queue data, but don't send. */
2606 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2607 break;
2608 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2609 BT_DBG("Enter LOCAL_BUSY");
2610 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2611
2612 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2613 /* The SREJ_SENT state must be aborted if we are to
2614 * enter the LOCAL_BUSY state.
2615 */
2616 l2cap_abort_rx_srej_sent(chan);
2617 }
2618
2619 l2cap_send_ack(chan);
2620
2621 break;
2622 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2623 BT_DBG("Exit LOCAL_BUSY");
2624 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2625
2626 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2627 struct l2cap_ctrl local_control;
2628 memset(&local_control, 0, sizeof(local_control));
2629 local_control.sframe = 1;
2630 local_control.super = L2CAP_SUPER_RR;
2631 local_control.poll = 1;
2632 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2633 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2634
2635 chan->retry_count = 1;
2636 __set_monitor_timer(chan);
2637 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2638 }
2639 break;
2640 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2641 l2cap_process_reqseq(chan, control->reqseq);
2642
2643 /* Fall through */
2644
2645 case L2CAP_EV_RECV_FBIT:
2646 if (control && control->final) {
2647 __clear_monitor_timer(chan);
2648 if (chan->unacked_frames > 0)
2649 __set_retrans_timer(chan);
2650 chan->retry_count = 0;
2651 chan->tx_state = L2CAP_TX_STATE_XMIT;
2652 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2653 }
2654 break;
2655 case L2CAP_EV_EXPLICIT_POLL:
2656 /* Ignore */
2657 break;
2658 case L2CAP_EV_MONITOR_TO:
2659 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2660 l2cap_send_rr_or_rnr(chan, 1);
2661 __set_monitor_timer(chan);
2662 chan->retry_count++;
2663 } else {
5e4e3972 2664 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2665 }
2666 break;
2667 default:
2668 break;
2669 }
608bcc6d
MM		 2670}
2671
d660366d
GP		 2672static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2673 struct sk_buff_head *skbs, u8 event)
608bcc6d 2674{
608bcc6d
MM		 2675 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2676 chan, control, skbs, event, chan->tx_state);
2677
2678 switch (chan->tx_state) {
2679 case L2CAP_TX_STATE_XMIT:
d660366d 2680 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2681 break;
2682 case L2CAP_TX_STATE_WAIT_F:
d660366d 2683 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2684 break;
2685 default:
2686 /* Ignore event */
2687 break;
2688 }
608bcc6d
MM		 2689}
2690
4b51dae9
MM		 2691static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2692 struct l2cap_ctrl *control)
2693{
2694 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2695 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2696}
2697
f80842a8
MM		 2698static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2699 struct l2cap_ctrl *control)
2700{
2701 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2702 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2703}
2704
1da177e4
LT		 2705/* Copy frame to all raw sockets on that connection */
2706static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2707{
1da177e4 2708 struct sk_buff *nskb;
48454079 2709 struct l2cap_chan *chan;
1da177e4
LT		 2710
2711 BT_DBG("conn %p", conn);
2712
3df91ea2 2713 mutex_lock(&conn->chan_lock);
3d57dc68 2714
3df91ea2 2715 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2716 struct sock *sk = chan->sk;
715ec005 2717 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2718 continue;
2719
2720 /* Don't send frame to the socket it came from */
2721 if (skb->sk == sk)
2722 continue;
8bcde1f2 2723 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2724 if (!nskb)
1da177e4
LT		 2725 continue;
2726
80b98027 2727 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2728 kfree_skb(nskb);
2729 }
3d57dc68 2730
3df91ea2 2731 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2732}
2733
2734/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2735static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2736 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2737{
2738 struct sk_buff *skb, **frag;
2739 struct l2cap_cmd_hdr *cmd;
2740 struct l2cap_hdr *lh;
2741 int len, count;
2742
b4400672
AE		 2743 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2744 conn, code, ident, dlen);
1da177e4
LT		 2745
2746 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2747 count = min_t(unsigned int, conn->mtu, len);
2748
8bcde1f2 2749 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2750 if (!skb)
2751 return NULL;
2752
2753 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2754 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2755
2756 if (conn->hcon->type == LE_LINK)
ac73498c 2757 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2758 else
ac73498c 2759 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2760
2761 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2762 cmd->code = code;
2763 cmd->ident = ident;
aca3192c 2764 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2765
2766 if (dlen) {
2767 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2768 memcpy(skb_put(skb, count), data, count);
2769 data += count;
2770 }
2771
2772 len -= skb->len;
2773
2774 /* Continuation fragments (no L2CAP header) */
2775 frag = &skb_shinfo(skb)->frag_list;
2776 while (len) {
2777 count = min_t(unsigned int, conn->mtu, len);
2778
8bcde1f2 2779 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2780 if (!*frag)
2781 goto fail;
2782
2783 memcpy(skb_put(*frag, count), data, count);
2784
2785 len -= count;
2786 data += count;
2787
2788 frag = &(*frag)->next;
2789 }
2790
2791 return skb;
2792
2793fail:
2794 kfree_skb(skb);
2795 return NULL;
2796}
2797
2d792818
GP		 2798static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2799 unsigned long *val)
1da177e4
LT		 2800{
2801 struct l2cap_conf_opt *opt = *ptr;
2802 int len;
2803
2804 len = L2CAP_CONF_OPT_SIZE + opt->len;
2805 *ptr += len;
2806
2807 *type = opt->type;
2808 *olen = opt->len;
2809
2810 switch (opt->len) {
2811 case 1:
2812 *val = *((u8 *) opt->val);
2813 break;
2814
2815 case 2:
bfaaeb3e 2816 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2817 break;
2818
2819 case 4:
bfaaeb3e 2820 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2821 break;
2822
2823 default:
2824 *val = (unsigned long) opt->val;
2825 break;
2826 }
2827
b4400672 2828 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2829 return len;
2830}
2831
1da177e4
LT		 2832static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2833{
2834 struct l2cap_conf_opt *opt = *ptr;
2835
b4400672 2836 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2837
2838 opt->type = type;
2839 opt->len = len;
2840
2841 switch (len) {
2842 case 1:
2843 *((u8 *) opt->val) = val;
2844 break;
2845
2846 case 2:
4f8b691c 2847 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2848 break;
2849
2850 case 4:
4f8b691c 2851 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2852 break;
2853
2854 default:
2855 memcpy(opt->val, (void *) val, len);
2856 break;
2857 }
2858
2859 *ptr += L2CAP_CONF_OPT_SIZE + len;
2860}
2861
f89cef09
AE		 2862static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2863{
2864 struct l2cap_conf_efs efs;
2865
1ec918ce 2866 switch (chan->mode) {
f89cef09
AE		 2867 case L2CAP_MODE_ERTM:
2868 efs.id = chan->local_id;
2869 efs.stype = chan->local_stype;
2870 efs.msdu = cpu_to_le16(chan->local_msdu);
2871 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2872 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2873 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2874 break;
2875
2876 case L2CAP_MODE_STREAMING:
2877 efs.id = 1;
2878 efs.stype = L2CAP_SERV_BESTEFFORT;
2879 efs.msdu = cpu_to_le16(chan->local_msdu);
2880 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2881 efs.acc_lat = 0;
2882 efs.flush_to = 0;
2883 break;
2884
2885 default:
2886 return;
2887 }
2888
2889 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2890 (unsigned long) &efs);
f89cef09
AE		 2891}
2892
721c4181 2893static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2894{
721c4181 2895 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2896 ack_timer.work);
2897 u16 frames_to_ack;
c1b4f43b 2898
2fb9b3d4
GP		 2899 BT_DBG("chan %p", chan);
2900
6be36555
AE		 2901 l2cap_chan_lock(chan);
2902
0362520b
MM		 2903 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2904 chan->last_acked_seq);
6be36555 2905
0362520b
MM		 2906 if (frames_to_ack)
2907 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2908
0362520b 2909 l2cap_chan_unlock(chan);
09bfb2ee 2910 l2cap_chan_put(chan);
c1b4f43b
GP		 2911}
2912
466f8004 2913int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2914{
3c588192
MM		 2915 int err;
2916
105bdf9e
MM		 2917 chan->next_tx_seq = 0;
2918 chan->expected_tx_seq = 0;
42e5c802 2919 chan->expected_ack_seq = 0;
6a026610 2920 chan->unacked_frames = 0;
42e5c802 2921 chan->buffer_seq = 0;
6a026610 2922 chan->frames_sent = 0;
105bdf9e
MM		 2923 chan->last_acked_seq = 0;
2924 chan->sdu = NULL;
2925 chan->sdu_last_frag = NULL;
2926 chan->sdu_len = 0;
2927
d34c34fb
MM		 2928 skb_queue_head_init(&chan->tx_q);
2929
08333283
MM		 2930 chan->local_amp_id = 0;
2931 chan->move_id = 0;
2932 chan->move_state = L2CAP_MOVE_STABLE;
2933 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2934
105bdf9e
MM		 2935 if (chan->mode != L2CAP_MODE_ERTM)
2936 return 0;
2937
2938 chan->rx_state = L2CAP_RX_STATE_RECV;
2939 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2940
721c4181
GP		 2941 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2942 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2943 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2944
f1c6775b 2945 skb_queue_head_init(&chan->srej_q);
1890d36b 2946
3c588192
MM		 2947 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2948 if (err < 0)
2949 return err;
2950
9dc9affc
MM		 2951 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2952 if (err < 0)
2953 l2cap_seq_list_free(&chan->srej_list);
2954
2955 return err;
0565c1c2
GP		 2956}
2957
f2fcfcd6
GP		 2958static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2959{
2960 switch (mode) {
2961 case L2CAP_MODE_STREAMING:
2962 case L2CAP_MODE_ERTM:
2963 if (l2cap_mode_supported(mode, remote_feat_mask))
2964 return mode;
2965 /* fall through */
2966 default:
2967 return L2CAP_MODE_BASIC;
2968 }
2969}
2970
6327eb98
AE		 2971static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2972{
2973 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2974}
2975
f89cef09
AE		 2976static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2977{
2978 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2979}
2980
36c86c85
MM		 2981static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
2982 struct l2cap_conf_rfc *rfc)
2983{
2984 if (chan->local_amp_id && chan->hs_hcon) {
2985 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
2986
2987 /* Class 1 devices have must have ERTM timeouts
2988 * exceeding the Link Supervision Timeout. The
2989 * default Link Supervision Timeout for AMP
2990 * controllers is 10 seconds.
2991 *
2992 * Class 1 devices use 0xffffffff for their
2993 * best-effort flush timeout, so the clamping logic
2994 * will result in a timeout that meets the above
2995 * requirement. ERTM timeouts are 16-bit values, so
2996 * the maximum timeout is 65.535 seconds.
2997 */
2998
2999 /* Convert timeout to milliseconds and round */
3000 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3001
3002 /* This is the recommended formula for class 2 devices
3003 * that start ERTM timers when packets are sent to the
3004 * controller.
3005 */
3006 ertm_to = 3 * ertm_to + 500;
3007
3008 if (ertm_to > 0xffff)
3009 ertm_to = 0xffff;
3010
3011 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3012 rfc->monitor_timeout = rfc->retrans_timeout;
3013 } else {
3014 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3015 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3016 }
3017}
3018
6327eb98
AE		 3019static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3020{
3021 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3022 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3023 /* use extended control field */
3024 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3025 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3026 } else {
6327eb98 3027 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3028 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3029 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3030 }
c20f8e35 3031 chan->ack_win = chan->tx_win;
6327eb98
AE		 3032}
3033
710f9b0a 3034static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3035{
1da177e4 3036 struct l2cap_conf_req *req = data;
0c1bc5c6 3037 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3038 void *ptr = req->data;
c8f79162 3039 u16 size;
1da177e4 3040
49208c9c 3041 BT_DBG("chan %p", chan);
1da177e4 3042
73ffa904 3043 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3044 goto done;
3045
0c1bc5c6 3046 switch (chan->mode) {
f2fcfcd6
GP		 3047 case L2CAP_MODE_STREAMING:
3048 case L2CAP_MODE_ERTM:
c1360a1c 3049 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3050 break;
85eb53c6 3051
f89cef09
AE		 3052 if (__l2cap_efs_supported(chan))
3053 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3054
2ba13ed6 3055 /* fall through */
f2fcfcd6 3056 default:
8c1d787b 3057 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3058 break;
3059 }
3060
3061done:
0c1bc5c6
GP		 3062 if (chan->imtu != L2CAP_DEFAULT_MTU)
3063 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3064
0c1bc5c6 3065 switch (chan->mode) {
65c7c491 3066 case L2CAP_MODE_BASIC:
8c1d787b 3067 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3068 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3069 break;
3070
62547752
GP		 3071 rfc.mode = L2CAP_MODE_BASIC;
3072 rfc.txwin_size = 0;
3073 rfc.max_transmit = 0;
3074 rfc.retrans_timeout = 0;
3075 rfc.monitor_timeout = 0;
3076 rfc.max_pdu_size = 0;
3077
63406504 3078 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3079 (unsigned long) &rfc);
65c7c491
MH		 3080 break;
3081
3082 case L2CAP_MODE_ERTM:
3083 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3084 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3085
3086 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3087
3088 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3089 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3090 L2CAP_FCS_SIZE);
c8f79162 3091 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3092
6327eb98
AE		 3093 l2cap_txwin_setup(chan);
3094
3095 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3096 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3097
63406504 3098 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3099 (unsigned long) &rfc);
63406504 3100
f89cef09
AE		 3101 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3102 l2cap_add_opt_efs(&ptr, chan);
3103
6327eb98
AE		 3104 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3105 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3106 chan->tx_win);
60918918
AE		 3107
3108 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3109 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3110 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3111 chan->fcs = L2CAP_FCS_NONE;
3112 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3113 chan->fcs);
3114 }
f2fcfcd6
GP		 3115 break;
3116
3117 case L2CAP_MODE_STREAMING:
273759e2 3118 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3119 rfc.mode = L2CAP_MODE_STREAMING;
3120 rfc.txwin_size = 0;
3121 rfc.max_transmit = 0;
3122 rfc.retrans_timeout = 0;
3123 rfc.monitor_timeout = 0;
c8f79162
AE		 3124
3125 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3126 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3127 L2CAP_FCS_SIZE);
c8f79162 3128 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3129
63406504 3130 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3131 (unsigned long) &rfc);
63406504 3132
f89cef09
AE		 3133 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3134 l2cap_add_opt_efs(&ptr, chan);
3135
60918918
AE		 3136 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3137 if (chan->fcs == L2CAP_FCS_NONE ||
f2592d3e 3138 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
60918918
AE		 3139 chan->fcs = L2CAP_FCS_NONE;
3140 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3141 chan->fcs);
3142 }
65c7c491
MH		 3143 break;
3144 }
1da177e4 3145
fe4128e0 3146 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3147 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3148
3149 return ptr - data;
3150}
3151
73ffa904 3152static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3153{
5dee9e7c
MH		 3154 struct l2cap_conf_rsp *rsp = data;
3155 void *ptr = rsp->data;
73ffa904
GP		 3156 void *req = chan->conf_req;
3157 int len = chan->conf_len;
5dee9e7c
MH		 3158 int type, hint, olen;
3159 unsigned long val;
6464f35f 3160 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3161 struct l2cap_conf_efs efs;
3162 u8 remote_efs = 0;
861d6882 3163 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3164 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3165 u16 size;
1da177e4 3166
73ffa904 3167 BT_DBG("chan %p", chan);
820ae1b8 3168
5dee9e7c
MH		 3169 while (len >= L2CAP_CONF_OPT_SIZE) {
3170 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3171
589d2746 3172 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3173 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3174
3175 switch (type) {
3176 case L2CAP_CONF_MTU:
861d6882 3177 mtu = val;
5dee9e7c
MH		 3178 break;
3179
3180 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3181 chan->flush_to = val;
5dee9e7c
MH		 3182 break;
3183
3184 case L2CAP_CONF_QOS:
3185 break;
3186
6464f35f
MH		 3187 case L2CAP_CONF_RFC:
3188 if (olen == sizeof(rfc))
3189 memcpy(&rfc, (void *) val, olen);
3190 break;
3191
fcc203c3
GP		 3192 case L2CAP_CONF_FCS:
3193 if (val == L2CAP_FCS_NONE)
f2592d3e 3194 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
42dceae2 3195 break;
fcc203c3 3196
42dceae2
AE		 3197 case L2CAP_CONF_EFS:
3198 remote_efs = 1;
3199 if (olen == sizeof(efs))
3200 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3201 break;
3202
6327eb98
AE		 3203 case L2CAP_CONF_EWS:
3204 if (!enable_hs)
3205 return -ECONNREFUSED;
fcc203c3 3206
6327eb98
AE		 3207 set_bit(FLAG_EXT_CTRL, &chan->flags);
3208 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3209 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3210 chan->remote_tx_win = val;
fcc203c3
GP		 3211 break;
3212
5dee9e7c
MH		 3213 default:
3214 if (hint)
3215 break;
3216
3217 result = L2CAP_CONF_UNKNOWN;
3218 *((u8 *) ptr++) = type;
3219 break;
3220 }
3221 }
3222
73ffa904 3223 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3224 goto done;
3225
0c1bc5c6 3226 switch (chan->mode) {
f2fcfcd6
GP		 3227 case L2CAP_MODE_STREAMING:
3228 case L2CAP_MODE_ERTM:
c1360a1c 3229 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3230 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3231 chan->conn->feat_mask);
85eb53c6
GP		 3232 break;
3233 }
3234
42dceae2
AE		 3235 if (remote_efs) {
3236 if (__l2cap_efs_supported(chan))
3237 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3238 else
3239 return -ECONNREFUSED;
3240 }
3241
0c1bc5c6 3242 if (chan->mode != rfc.mode)
f2fcfcd6 3243 return -ECONNREFUSED;
742e519b 3244
f2fcfcd6 3245 break;
f2fcfcd6
GP		 3246 }
3247
3248done:
0c1bc5c6 3249 if (chan->mode != rfc.mode) {
f2fcfcd6 3250 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3251 rfc.mode = chan->mode;
f2fcfcd6 3252
73ffa904 3253 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3254 return -ECONNREFUSED;
3255
2d792818
GP		 3256 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3257 (unsigned long) &rfc);
f2fcfcd6
GP		 3258 }
3259
5dee9e7c
MH		 3260 if (result == L2CAP_CONF_SUCCESS) {
3261 /* Configure output options and let the other side know
3262 * which ones we don't like. */
3263
f2fcfcd6
GP		 3264 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3265 result = L2CAP_CONF_UNACCEPT;
3266 else {
0c1bc5c6 3267 chan->omtu = mtu;
c1360a1c 3268 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3269 }
0c1bc5c6 3270 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3271
42dceae2
AE		 3272 if (remote_efs) {
3273 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3274 efs.stype != L2CAP_SERV_NOTRAFIC &&
3275 efs.stype != chan->local_stype) {
42dceae2
AE		 3276
3277 result = L2CAP_CONF_UNACCEPT;
3278
3279 if (chan->num_conf_req >= 1)
3280 return -ECONNREFUSED;
3281
3282 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3283 sizeof(efs),
3284 (unsigned long) &efs);
0e8b207e 3285 } else {
3e6b3b95 3286 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3287 result = L2CAP_CONF_PENDING;
3288 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3289 }
3290 }
3291
f2fcfcd6
GP		 3292 switch (rfc.mode) {
3293 case L2CAP_MODE_BASIC:
47d1ec61 3294 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3295 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3296 break;
3297
3298 case L2CAP_MODE_ERTM:
6327eb98
AE		 3299 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3300 chan->remote_tx_win = rfc.txwin_size;
3301 else
3302 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3303
2c03a7a4 3304 chan->remote_max_tx = rfc.max_transmit;
1c762159 3305
c8f79162 3306 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3307 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3308 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3309 rfc.max_pdu_size = cpu_to_le16(size);
3310 chan->remote_mps = size;
f2fcfcd6 3311
36c86c85 3312 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3313
c1360a1c 3314 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3315
3316 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3317 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3318
42dceae2
AE		 3319 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3320 chan->remote_id = efs.id;
3321 chan->remote_stype = efs.stype;
3322 chan->remote_msdu = le16_to_cpu(efs.msdu);
3323 chan->remote_flush_to =
2d792818 3324 le32_to_cpu(efs.flush_to);
42dceae2 3325 chan->remote_acc_lat =
2d792818 3326 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3327 chan->remote_sdu_itime =
3328 le32_to_cpu(efs.sdu_itime);
3329 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3330 sizeof(efs),
3331 (unsigned long) &efs);
42dceae2 3332 }
f2fcfcd6
GP		 3333 break;
3334
3335 case L2CAP_MODE_STREAMING:
c8f79162 3336 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3337 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3338 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3339 rfc.max_pdu_size = cpu_to_le16(size);
3340 chan->remote_mps = size;
f2fcfcd6 3341
c1360a1c 3342 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3343
2d792818
GP		 3344 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3345 (unsigned long) &rfc);
68ae6639 3346
f2fcfcd6
GP		 3347 break;
3348
3349 default:
5dee9e7c 3350 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3351
6464f35f 3352 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3353 rfc.mode = chan->mode;
f2fcfcd6 3354 }
6464f35f 3355
f2fcfcd6 3356 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3357 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3358 }
fe4128e0 3359 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3360 rsp->result = cpu_to_le16(result);
59e54bd1 3361 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3362
3363 return ptr - data;
1da177e4
LT		 3364}
3365
2d792818
GP		 3366static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3367 void *data, u16 *result)
f2fcfcd6 3368{
f2fcfcd6
GP		 3369 struct l2cap_conf_req *req = data;
3370 void *ptr = req->data;
3371 int type, olen;
3372 unsigned long val;
36e999a8 3373 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3374 struct l2cap_conf_efs efs;
f2fcfcd6 3375
fe4128e0 3376 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3377
3378 while (len >= L2CAP_CONF_OPT_SIZE) {
3379 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3380
3381 switch (type) {
3382 case L2CAP_CONF_MTU:
3383 if (val < L2CAP_DEFAULT_MIN_MTU) {
3384 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3385 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3386 } else
0c1bc5c6
GP		 3387 chan->imtu = val;
3388 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3389 break;
3390
3391 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3392 chan->flush_to = val;
f2fcfcd6 3393 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3394 2, chan->flush_to);
f2fcfcd6
GP		 3395 break;
3396
3397 case L2CAP_CONF_RFC:
3398 if (olen == sizeof(rfc))
3399 memcpy(&rfc, (void *)val, olen);
3400
c1360a1c 3401 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3402 rfc.mode != chan->mode)
f2fcfcd6
GP		 3403 return -ECONNREFUSED;
3404
47d1ec61 3405 chan->fcs = 0;
f2fcfcd6
GP		 3406
3407 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3408 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3409 break;
6327eb98
AE		 3410
3411 case L2CAP_CONF_EWS:
c20f8e35 3412 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3413 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3414 chan->tx_win);
6327eb98 3415 break;
66af7aaf
AE		 3416
3417 case L2CAP_CONF_EFS:
3418 if (olen == sizeof(efs))
3419 memcpy(&efs, (void *)val, olen);
3420
3421 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3422 efs.stype != L2CAP_SERV_NOTRAFIC &&
3423 efs.stype != chan->local_stype)
66af7aaf
AE		 3424 return -ECONNREFUSED;
3425
2d792818
GP		 3426 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3427 (unsigned long) &efs);
66af7aaf 3428 break;
cbabee78
AE		 3429
3430 case L2CAP_CONF_FCS:
3431 if (*result == L2CAP_CONF_PENDING)
3432 if (val == L2CAP_FCS_NONE)
f2592d3e 3433 set_bit(CONF_RECV_NO_FCS,
cbabee78
AE		 3434 &chan->conf_state);
3435 break;
f2fcfcd6
GP		 3436 }
3437 }
3438
0c1bc5c6 3439 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3440 return -ECONNREFUSED;
3441
0c1bc5c6 3442 chan->mode = rfc.mode;
6c2ea7a8 3443
0e8b207e 3444 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3445 switch (rfc.mode) {
3446 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3447 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3448 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3449 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3450 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3451 chan->ack_win = min_t(u16, chan->ack_win,
3452 rfc.txwin_size);
66af7aaf
AE		 3453
3454 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3455 chan->local_msdu = le16_to_cpu(efs.msdu);
3456 chan->local_sdu_itime =
2d792818 3457 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3458 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3459 chan->local_flush_to =
2d792818 3460 le32_to_cpu(efs.flush_to);
66af7aaf 3461 }
f2fcfcd6 3462 break;
66af7aaf 3463
f2fcfcd6 3464 case L2CAP_MODE_STREAMING:
47d1ec61 3465 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3466 }
3467 }
3468
fe4128e0 3469 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3470 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3471
3472 return ptr - data;
3473}
3474
2d792818
GP		 3475static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3476 u16 result, u16 flags)
1da177e4
LT		 3477{
3478 struct l2cap_conf_rsp *rsp = data;
3479 void *ptr = rsp->data;
1da177e4 3480
fe4128e0 3481 BT_DBG("chan %p", chan);
1da177e4 3482
fe4128e0 3483 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3484 rsp->result = cpu_to_le16(result);
aca3192c 3485 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3486
3487 return ptr - data;
3488}
3489
8c1d787b 3490void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3491{
3492 struct l2cap_conn_rsp rsp;
8c1d787b 3493 struct l2cap_conn *conn = chan->conn;
710f9b0a 3494 u8 buf[128];
439f34ac 3495 u8 rsp_code;
710f9b0a 3496
fe4128e0
GP		 3497 rsp.scid = cpu_to_le16(chan->dcid);
3498 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3499 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3500 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3501
3502 if (chan->hs_hcon)
3503 rsp_code = L2CAP_CREATE_CHAN_RSP;
3504 else
3505 rsp_code = L2CAP_CONN_RSP;
3506
3507 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3508
3509 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3510
c1360a1c 3511 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3512 return;
3513
710f9b0a 3514 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3515 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3516 chan->num_conf_req++;
3517}
3518
47d1ec61 3519static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3520{
7b1c0049
GP		 3521 int type, olen;
3522 unsigned long val;
c20f8e35
MM		 3523 /* Use sane default values in case a misbehaving remote device
3524 * did not send an RFC or extended window size option.
3525 */
3526 u16 txwin_ext = chan->ack_win;
3527 struct l2cap_conf_rfc rfc = {
3528 .mode = chan->mode,
3529 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3530 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3531 .max_pdu_size = cpu_to_le16(chan->imtu),
3532 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3533 };
7b1c0049 3534
47d1ec61 3535 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3536
0c1bc5c6 3537 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3538 return;
3539
3540 while (len >= L2CAP_CONF_OPT_SIZE) {
3541 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3542
c20f8e35
MM		 3543 switch (type) {
3544 case L2CAP_CONF_RFC:
3545 if (olen == sizeof(rfc))
3546 memcpy(&rfc, (void *)val, olen);
8f321f85 3547 break;
c20f8e35
MM		 3548 case L2CAP_CONF_EWS:
3549 txwin_ext = val;
3550 break;
3551 }
7b1c0049
GP		 3552 }
3553
7b1c0049
GP		 3554 switch (rfc.mode) {
3555 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3556 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3557 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3558 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3559 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3560 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3561 else
3562 chan->ack_win = min_t(u16, chan->ack_win,
3563 rfc.txwin_size);
7b1c0049
GP		 3564 break;
3565 case L2CAP_MODE_STREAMING:
47d1ec61 3566 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3567 }
3568}
3569
2d792818
GP		 3570static inline int l2cap_command_rej(struct l2cap_conn *conn,
3571 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3572{
e2fd318e 3573 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3574
e2fd318e 3575 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3576 return 0;
3577
3578 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3579 cmd->ident == conn->info_ident) {
17cd3f37 3580 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3581
3582 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3583 conn->info_ident = 0;
984947dc 3584
4e8402a3
MH		 3585 l2cap_conn_start(conn);
3586 }
3587
3588 return 0;
3589}
3590
1700915f
MM		 3591static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3592 struct l2cap_cmd_hdr *cmd,
3593 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3594{
1da177e4
LT		 3595 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3596 struct l2cap_conn_rsp rsp;
23691d75 3597 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3598 struct sock *parent, *sk = NULL;
e7c29cb1 3599 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3600
3601 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3602 __le16 psm = req->psm;
1da177e4 3603
097db76c 3604 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3605
3606 /* Check if we have socket listening on psm */
c2287681 3607 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3608 if (!pchan) {
1da177e4
LT		 3609 result = L2CAP_CR_BAD_PSM;
3610 goto sendresp;
3611 }
3612
23691d75
GP		 3613 parent = pchan->sk;
3614
3df91ea2 3615 mutex_lock(&conn->chan_lock);
aa2ac881 3616 lock_sock(parent);
e0f0cb56 3617
e7c29cb1 3618 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3619 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3620 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3621 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3622 result = L2CAP_CR_SEC_BLOCK;
3623 goto response;
3624 }
3625
1da177e4
LT		 3626 result = L2CAP_CR_NO_MEM;
3627
2dfa1003
GP		 3628 /* Check if we already have channel with that dcid */
3629 if (__l2cap_get_chan_by_dcid(conn, scid))
3630 goto response;
3631
80b98027 3632 chan = pchan->ops->new_connection(pchan);
80808e43 3633 if (!chan)
1da177e4
LT		 3634 goto response;
3635
80808e43
GP		 3636 sk = chan->sk;
3637
1da177e4
LT		 3638 hci_conn_hold(conn->hcon);
3639
1da177e4
LT		 3640 bacpy(&bt_sk(sk)->src, conn->src);
3641 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3642 chan->psm = psm;
3643 chan->dcid = scid;
1700915f 3644 chan->local_amp_id = amp_id;
1da177e4 3645
6be36555 3646 __l2cap_chan_add(conn, chan);
48454079 3647
fe4128e0 3648 dcid = chan->scid;
1da177e4 3649
c9b66675 3650 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3651
fc7f8a7e 3652 chan->ident = cmd->ident;
1da177e4 3653
984947dc 3654 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3655 if (l2cap_chan_check_security(chan)) {
c5daa683 3656 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3657 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3658 result = L2CAP_CR_PEND;
3659 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3660 chan->ops->defer(chan);
f66dc81f 3661 } else {
1700915f
MM		 3662 /* Force pending result for AMP controllers.
3663 * The connection will succeed after the
3664 * physical link is up.
3665 */
3666 if (amp_id) {
3667 __l2cap_state_change(chan, BT_CONNECT2);
3668 result = L2CAP_CR_PEND;
3669 } else {
3670 __l2cap_state_change(chan, BT_CONFIG);
3671 result = L2CAP_CR_SUCCESS;
3672 }
f66dc81f
MH		 3673 status = L2CAP_CS_NO_INFO;
3674 }
79d554a6 3675 } else {
0e587be7 3676 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3677 result = L2CAP_CR_PEND;
3678 status = L2CAP_CS_AUTHEN_PEND;
3679 }
3680 } else {
0e587be7 3681 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3682 result = L2CAP_CR_PEND;
3683 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3684 }
3685
1da177e4 3686response:
aa2ac881 3687 release_sock(parent);
3df91ea2 3688 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3689
3690sendresp:
aca3192c
YH		 3691 rsp.scid = cpu_to_le16(scid);
3692 rsp.dcid = cpu_to_le16(dcid);
3693 rsp.result = cpu_to_le16(result);
3694 rsp.status = cpu_to_le16(status);
4c89b6aa 3695 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3696
3697 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3698 struct l2cap_info_req info;
ac73498c 3699 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3700
3701 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3702 conn->info_ident = l2cap_get_ident(conn);
3703
ba13ccd9 3704 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3705
2d792818
GP		 3706 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3707 sizeof(info), &info);
79d554a6
MH		 3708 }
3709
c1360a1c 3710 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3711 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3712 u8 buf[128];
c1360a1c 3713 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3714 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3715 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3716 chan->num_conf_req++;
e9aeb2dd 3717 }
1700915f
MM		 3718
3719 return chan;
4c89b6aa 3720}
e9aeb2dd 3721
4c89b6aa
MM		 3722static int l2cap_connect_req(struct l2cap_conn *conn,
3723 struct l2cap_cmd_hdr *cmd, u8 *data)
3724{
7b064eda
JK		 3725 struct hci_dev *hdev = conn->hcon->hdev;
3726 struct hci_conn *hcon = conn->hcon;
3727
3728 hci_dev_lock(hdev);
3729 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3730 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3731 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3732 hcon->dst_type, 0, NULL, 0,
3733 hcon->dev_class);
3734 hci_dev_unlock(hdev);
3735
300229f9 3736 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3737 return 0;
3738}
3739
5909cf30 3740static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3741 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3742{
3743 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3744 u16 scid, dcid, result, status;
48454079 3745 struct l2cap_chan *chan;
1da177e4 3746 u8 req[128];
3df91ea2 3747 int err;
1da177e4
LT		 3748
3749 scid = __le16_to_cpu(rsp->scid);
3750 dcid = __le16_to_cpu(rsp->dcid);
3751 result = __le16_to_cpu(rsp->result);
3752 status = __le16_to_cpu(rsp->status);
3753
1b009c98 3754 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3755 dcid, scid, result, status);
1da177e4 3756
3df91ea2
AE		 3757 mutex_lock(&conn->chan_lock);
3758
1da177e4 3759 if (scid) {
3df91ea2
AE		 3760 chan = __l2cap_get_chan_by_scid(conn, scid);
3761 if (!chan) {
3762 err = -EFAULT;
3763 goto unlock;
3764 }
1da177e4 3765 } else {
3df91ea2
AE		 3766 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3767 if (!chan) {
3768 err = -EFAULT;
3769 goto unlock;
3770 }
1da177e4
LT		 3771 }
3772
3df91ea2
AE		 3773 err = 0;
3774
6be36555 3775 l2cap_chan_lock(chan);
48454079 3776
1da177e4
LT		 3777 switch (result) {
3778 case L2CAP_CR_SUCCESS:
89bc500e 3779 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3780 chan->ident = 0;
fe4128e0 3781 chan->dcid = dcid;
c1360a1c 3782 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3783
c1360a1c 3784 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3785 break;
3786
1da177e4 3787 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3788 l2cap_build_conf_req(chan, req), req);
73ffa904 3789 chan->num_conf_req++;
1da177e4
LT		 3790 break;
3791
3792 case L2CAP_CR_PEND:
c1360a1c 3793 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3794 break;
3795
3796 default:
48454079 3797 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3798 break;
3799 }
3800
6be36555 3801 l2cap_chan_unlock(chan);
3df91ea2
AE		 3802
3803unlock:
3804 mutex_unlock(&conn->chan_lock);
3805
3806 return err;
1da177e4
LT		 3807}
3808
47d1ec61 3809static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3810{
3811 /* FCS is enabled only in ERTM or streaming mode, if one or both
3812 * sides request it.
3813 */
0c1bc5c6 3814 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3815 chan->fcs = L2CAP_FCS_NONE;
f2592d3e 3816 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
47d1ec61 3817 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3818}
3819
29d8a590
AE		 3820static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3821 u8 ident, u16 flags)
3822{
3823 struct l2cap_conn *conn = chan->conn;
3824
3825 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3826 flags);
3827
3828 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3829 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3830
3831 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3832 l2cap_build_conf_rsp(chan, data,
3833 L2CAP_CONF_SUCCESS, flags), data);
3834}
3835
2d792818
GP		 3836static inline int l2cap_config_req(struct l2cap_conn *conn,
3837 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3838 u8 *data)
1da177e4
LT		 3839{
3840 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3841 u16 dcid, flags;
3842 u8 rsp[64];
48454079 3843 struct l2cap_chan *chan;
3c588192 3844 int len, err = 0;
1da177e4
LT		 3845
3846 dcid = __le16_to_cpu(req->dcid);
3847 flags = __le16_to_cpu(req->flags);
3848
3849 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3850
baa7e1fa 3851 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3852 if (!chan)
1da177e4
LT		 3853 return -ENOENT;
3854
033b1142 3855 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3856 struct l2cap_cmd_rej_cid rej;
3857
ac73498c 3858 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3859 rej.scid = cpu_to_le16(chan->scid);
3860 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3861
df6bd743 3862 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3863 sizeof(rej), &rej);
354f60a9 3864 goto unlock;
df6bd743 3865 }
354f60a9 3866
5dee9e7c 3867 /* Reject if config buffer is too small. */
88219a0f 3868 len = cmd_len - sizeof(*req);
7ac28817 3869 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3870 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3871 l2cap_build_conf_rsp(chan, rsp,
3872 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3873 goto unlock;
3874 }
3875
3876 /* Store config. */
73ffa904
GP		 3877 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3878 chan->conf_len += len;
1da177e4 3879
59e54bd1 3880 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3881 /* Incomplete config. Send empty response. */
3882 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3883 l2cap_build_conf_rsp(chan, rsp,
3884 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3885 goto unlock;
3886 }
3887
3888 /* Complete config. */
73ffa904 3889 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3890 if (len < 0) {
5e4e3972 3891 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 3892 goto unlock;
f2fcfcd6 3893 }
1da177e4 3894
1500109b 3895 chan->ident = cmd->ident;
5dee9e7c 3896 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3897 chan->num_conf_rsp++;
5dee9e7c 3898
5dee9e7c 3899 /* Reset config buffer. */
73ffa904 3900 chan->conf_len = 0;
5dee9e7c 3901
c1360a1c 3902 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3903 goto unlock;
3904
c1360a1c 3905 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3906 set_default_fcs(chan);
fcc203c3 3907
105bdf9e
MM		 3908 if (chan->mode == L2CAP_MODE_ERTM ||
3909 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3910 err = l2cap_ertm_init(chan);
3911
3912 if (err < 0)
5e4e3972 3913 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 3914 else
3915 l2cap_chan_ready(chan);
0565c1c2 3916
876d9484
MH		 3917 goto unlock;
3918 }
3919
c1360a1c 3920 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3921 u8 buf[64];
1da177e4 3922 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3923 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3924 chan->num_conf_req++;
1da177e4
LT		 3925 }
3926
0e8b207e
AE		 3927 /* Got Conf Rsp PENDING from remote side and asume we sent
3928 Conf Rsp PENDING in the code above */
3929 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3930 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3931
3932 /* check compatibility */
3933
79de886d 3934 /* Send rsp for BR/EDR channel */
f351bc72 3935 if (!chan->hs_hcon)
79de886d
AE		 3936 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3937 else
3938 chan->ident = cmd->ident;
0e8b207e
AE		 3939 }
3940
1da177e4 3941unlock:
6be36555 3942 l2cap_chan_unlock(chan);
3c588192 3943 return err;
1da177e4
LT		 3944}
3945
2d792818
GP		 3946static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3947 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3948{
3949 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3950 u16 scid, flags, result;
48454079 3951 struct l2cap_chan *chan;
61386cba 3952 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3953 int err = 0;
1da177e4
LT		 3954
3955 scid = __le16_to_cpu(rsp->scid);
3956 flags = __le16_to_cpu(rsp->flags);
3957 result = __le16_to_cpu(rsp->result);
3958
61386cba
AE		 3959 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3960 result, len);
1da177e4 3961
baa7e1fa 3962 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3963 if (!chan)
1da177e4
LT		 3964 return 0;
3965
3966 switch (result) {
3967 case L2CAP_CONF_SUCCESS:
47d1ec61 3968 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3969 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3970 break;
3971
0e8b207e
AE		 3972 case L2CAP_CONF_PENDING:
3973 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3974
3975 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3976 char buf[64];
3977
3978 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3979 buf, &result);
0e8b207e 3980 if (len < 0) {
5e4e3972 3981 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 3982 goto done;
3983 }
3984
f351bc72 3985 if (!chan->hs_hcon) {
79de886d
AE		 3986 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3987 0);
5ce66b59
AE		 3988 } else {
3989 if (l2cap_check_efs(chan)) {
3990 amp_create_logical_link(chan);
3991 chan->ident = cmd->ident;
3992 }
3993 }
0e8b207e
AE		 3994 }
3995 goto done;
3996
1da177e4 3997 case L2CAP_CONF_UNACCEPT:
73ffa904 3998 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3999 char req[64];
4000
c2c77ec8 4001 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 4002 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 4003 goto done;
4004 }
4005
f2fcfcd6
GP		 4006 /* throw out any old stored conf requests */
4007 result = L2CAP_CONF_SUCCESS;
b4450035 4008 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 4009 req, &result);
f2fcfcd6 4010 if (len < 0) {
5e4e3972 4011 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4012 goto done;
4013 }
4014
4015 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4016 L2CAP_CONF_REQ, len, req);
73ffa904 4017 chan->num_conf_req++;
f2fcfcd6
GP		 4018 if (result != L2CAP_CONF_SUCCESS)
4019 goto done;
4020 break;
1da177e4
LT		 4021 }
4022
8e87d142 4023 default:
6be36555 4024 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4025
ba13ccd9 4026 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4027 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4028 goto done;
4029 }
4030
59e54bd1 4031 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4032 goto done;
4033
c1360a1c 4034 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4035
c1360a1c 4036 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4037 set_default_fcs(chan);
fcc203c3 4038
105bdf9e
MM		 4039 if (chan->mode == L2CAP_MODE_ERTM ||
4040 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4041 err = l2cap_ertm_init(chan);
0565c1c2 4042
3c588192 4043 if (err < 0)
5e4e3972 4044 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4045 else
4046 l2cap_chan_ready(chan);
1da177e4
LT		 4047 }
4048
4049done:
6be36555 4050 l2cap_chan_unlock(chan);
3c588192 4051 return err;
1da177e4
LT		 4052}
4053
2d792818
GP		 4054static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4055 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4056{
4057 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4058 struct l2cap_disconn_rsp rsp;
4059 u16 dcid, scid;
48454079 4060 struct l2cap_chan *chan;
1da177e4
LT		 4061 struct sock *sk;
4062
4063 scid = __le16_to_cpu(req->scid);
4064 dcid = __le16_to_cpu(req->dcid);
4065
4066 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4067
3df91ea2
AE		 4068 mutex_lock(&conn->chan_lock);
4069
4070 chan = __l2cap_get_chan_by_scid(conn, dcid);
4071 if (!chan) {
4072 mutex_unlock(&conn->chan_lock);
1da177e4 4073 return 0;
3df91ea2 4074 }
1da177e4 4075
6be36555
AE		 4076 l2cap_chan_lock(chan);
4077
48454079
GP		 4078 sk = chan->sk;
4079
fe4128e0
GP		 4080 rsp.dcid = cpu_to_le16(chan->scid);
4081 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4082 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4083
6be36555 4084 lock_sock(sk);
1da177e4 4085 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4086 release_sock(sk);
1da177e4 4087
61d6ef3e 4088 l2cap_chan_hold(chan);
48454079 4089 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4090
4091 l2cap_chan_unlock(chan);
1da177e4 4092
80b98027 4093 chan->ops->close(chan);
61d6ef3e 4094 l2cap_chan_put(chan);
3df91ea2
AE		 4095
4096 mutex_unlock(&conn->chan_lock);
4097
1da177e4
LT		 4098 return 0;
4099}
4100
2d792818
GP		 4101static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4102 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4103{
4104 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4105 u16 dcid, scid;
48454079 4106 struct l2cap_chan *chan;
1da177e4
LT		 4107
4108 scid = __le16_to_cpu(rsp->scid);
4109 dcid = __le16_to_cpu(rsp->dcid);
4110
4111 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4112
3df91ea2
AE		 4113 mutex_lock(&conn->chan_lock);
4114
4115 chan = __l2cap_get_chan_by_scid(conn, scid);
4116 if (!chan) {
4117 mutex_unlock(&conn->chan_lock);
1da177e4 4118 return 0;
3df91ea2 4119 }
1da177e4 4120
6be36555 4121 l2cap_chan_lock(chan);
48454079 4122
61d6ef3e 4123 l2cap_chan_hold(chan);
48454079 4124 l2cap_chan_del(chan, 0);
6be36555
AE		 4125
4126 l2cap_chan_unlock(chan);
1da177e4 4127
80b98027 4128 chan->ops->close(chan);
61d6ef3e 4129 l2cap_chan_put(chan);
3df91ea2
AE		 4130
4131 mutex_unlock(&conn->chan_lock);
4132
1da177e4
LT		 4133 return 0;
4134}
4135
2d792818
GP		 4136static inline int l2cap_information_req(struct l2cap_conn *conn,
4137 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4138{
4139 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4140 u16 type;
4141
4142 type = __le16_to_cpu(req->type);
4143
4144 BT_DBG("type 0x%4.4x", type);
4145
f0709e03
MH		 4146 if (type == L2CAP_IT_FEAT_MASK) {
4147 u8 buf[8];
44dd46de 4148 u32 feat_mask = l2cap_feat_mask;
f0709e03 4149 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4150 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4151 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4152 if (!disable_ertm)
fcc203c3 4153 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4154 | L2CAP_FEAT_FCS;
a5fd6f30 4155 if (enable_hs)
6327eb98 4156 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4157 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4158
1b7bf4ed 4159 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4160 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4161 buf);
e1027a7c
MH		 4162 } else if (type == L2CAP_IT_FIXED_CHAN) {
4163 u8 buf[12];
4164 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4165
4166 if (enable_hs)
4167 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4168 else
4169 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4170
ac73498c
AE		 4171 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4172 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4173 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4174 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4175 buf);
f0709e03
MH		 4176 } else {
4177 struct l2cap_info_rsp rsp;
4178 rsp.type = cpu_to_le16(type);
ac73498c 4179 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4180 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4181 &rsp);
f0709e03 4182 }
1da177e4
LT		 4183
4184 return 0;
4185}
4186
2d792818
GP		 4187static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4188 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4189{
4190 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4191 u16 type, result;
4192
4193 type = __le16_to_cpu(rsp->type);
4194 result = __le16_to_cpu(rsp->result);
4195
4196 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4197
e90165be
AE		 4198 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4199 if (cmd->ident != conn->info_ident ||
2d792818 4200 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4201 return 0;
4202
17cd3f37 4203 cancel_delayed_work(&conn->info_timer);
4e8402a3 4204
adb08ede
VT		 4205 if (result != L2CAP_IR_SUCCESS) {
4206 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4207 conn->info_ident = 0;
4208
4209 l2cap_conn_start(conn);
4210
4211 return 0;
4212 }
4213
978c93b9
AE		 4214 switch (type) {
4215 case L2CAP_IT_FEAT_MASK:
83985319 4216 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4217
47ec1dcd 4218 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4219 struct l2cap_info_req req;
ac73498c 4220 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4221
4222 conn->info_ident = l2cap_get_ident(conn);
4223
4224 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4225 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4226 } else {
4227 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4228 conn->info_ident = 0;
4229
4230 l2cap_conn_start(conn);
4231 }
978c93b9
AE		 4232 break;
4233
4234 case L2CAP_IT_FIXED_CHAN:
4235 conn->fixed_chan_mask = rsp->data[0];
984947dc 4236 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4237 conn->info_ident = 0;
984947dc
MH		 4238
4239 l2cap_conn_start(conn);
978c93b9 4240 break;
984947dc 4241 }
4e8402a3 4242
1da177e4
LT		 4243 return 0;
4244}
4245
1700915f
MM		 4246static int l2cap_create_channel_req(struct l2cap_conn *conn,
4247 struct l2cap_cmd_hdr *cmd,
4248 u16 cmd_len, void *data)
f94ff6ff
MM		 4249{
4250 struct l2cap_create_chan_req *req = data;
6e1df6a6 4251 struct l2cap_create_chan_rsp rsp;
1700915f 4252 struct l2cap_chan *chan;
6e1df6a6 4253 struct hci_dev *hdev;
f94ff6ff
MM		 4254 u16 psm, scid;
4255
4256 if (cmd_len != sizeof(*req))
4257 return -EPROTO;
4258
4259 if (!enable_hs)
4260 return -EINVAL;
4261
4262 psm = le16_to_cpu(req->psm);
4263 scid = le16_to_cpu(req->scid);
4264
ad0ac6ca 4265 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4266
6e1df6a6
AE		 4267 /* For controller id 0 make BR/EDR connection */
4268 if (req->amp_id == HCI_BREDR_ID) {
4269 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4270 req->amp_id);
4271 return 0;
4272 }
1700915f 4273
6e1df6a6
AE		 4274 /* Validate AMP controller id */
4275 hdev = hci_dev_get(req->amp_id);
4276 if (!hdev)
4277 goto error;
1700915f 4278
6e1df6a6
AE		 4279 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4280 hci_dev_put(hdev);
4281 goto error;
4282 }
1700915f 4283
6e1df6a6
AE		 4284 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4285 req->amp_id);
4286 if (chan) {
4287 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4288 struct hci_conn *hs_hcon;
1700915f 4289
6e1df6a6
AE		 4290 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4291 if (!hs_hcon) {
4292 hci_dev_put(hdev);
4293 return -EFAULT;
1700915f
MM		 4294 }
4295
6e1df6a6
AE		 4296 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4297
6e1df6a6
AE		 4298 mgr->bredr_chan = chan;
4299 chan->hs_hcon = hs_hcon;
fd45bf4c 4300 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4301 conn->mtu = hdev->block_mtu;
1700915f 4302 }
f94ff6ff 4303
6e1df6a6 4304 hci_dev_put(hdev);
f94ff6ff
MM		 4305
4306 return 0;
6e1df6a6
AE		 4307
4308error:
4309 rsp.dcid = 0;
4310 rsp.scid = cpu_to_le16(scid);
4311 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4312 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4313
4314 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4315 sizeof(rsp), &rsp);
4316
4317 return -EFAULT;
f94ff6ff
MM		 4318}
4319
8eb200bd
MM		 4320static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4321{
4322 struct l2cap_move_chan_req req;
4323 u8 ident;
4324
4325 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4326
4327 ident = l2cap_get_ident(chan->conn);
4328 chan->ident = ident;
4329
4330 req.icid = cpu_to_le16(chan->scid);
4331 req.dest_amp_id = dest_amp_id;
4332
4333 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4334 &req);
4335
4336 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4337}
4338
1500109b 4339static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4340{
4341 struct l2cap_move_chan_rsp rsp;
4342
1500109b 4343 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4344
1500109b 4345 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4346 rsp.result = cpu_to_le16(result);
4347
1500109b
MM		 4348 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4349 sizeof(rsp), &rsp);
8d5a04a1
MM		 4350}
4351
5b155ef9 4352static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4353{
4354 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4355
5b155ef9 4356 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4357
5b155ef9 4358 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4359
5b155ef9 4360 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4361 cfm.result = cpu_to_le16(result);
4362
5b155ef9
MM		 4363 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4364 sizeof(cfm), &cfm);
4365
4366 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4367}
4368
4369static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4370{
4371 struct l2cap_move_chan_cfm cfm;
4372
4373 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4374
4375 cfm.icid = cpu_to_le16(icid);
4376 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4377
4378 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4379 sizeof(cfm), &cfm);
8d5a04a1
MM		 4380}
4381
4382static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4383 u16 icid)
8d5a04a1
MM		 4384{
4385 struct l2cap_move_chan_cfm_rsp rsp;
4386
ad0ac6ca 4387 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4388
4389 rsp.icid = cpu_to_le16(icid);
4390 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4391}
4392
5f3847a4
MM		 4393static void __release_logical_link(struct l2cap_chan *chan)
4394{
4395 chan->hs_hchan = NULL;
4396 chan->hs_hcon = NULL;
4397
4398 /* Placeholder - release the logical link */
4399}
4400
1500109b
MM		 4401static void l2cap_logical_fail(struct l2cap_chan *chan)
4402{
4403 /* Logical link setup failed */
4404 if (chan->state != BT_CONNECTED) {
4405 /* Create channel failure, disconnect */
5e4e3972 4406 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4407 return;
4408 }
4409
4410 switch (chan->move_role) {
4411 case L2CAP_MOVE_ROLE_RESPONDER:
4412 l2cap_move_done(chan);
4413 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4414 break;
4415 case L2CAP_MOVE_ROLE_INITIATOR:
4416 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4417 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4418 /* Remote has only sent pending or
4419 * success responses, clean up
4420 */
4421 l2cap_move_done(chan);
4422 }
4423
4424 /* Other amp move states imply that the move
4425 * has already aborted
4426 */
4427 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4428 break;
4429 }
4430}
4431
4432static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4433 struct hci_chan *hchan)
4434{
4435 struct l2cap_conf_rsp rsp;
1500109b 4436
336178a3 4437 chan->hs_hchan = hchan;
1500109b
MM		 4438 chan->hs_hcon->l2cap_data = chan->conn;
4439
35ba9561 4440 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4441
4442 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4443 int err;
1500109b
MM		 4444
4445 set_default_fcs(chan);
4446
4447 err = l2cap_ertm_init(chan);
4448 if (err < 0)
5e4e3972 4449 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4450 else
4451 l2cap_chan_ready(chan);
4452 }
4453}
4454
4455static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4456 struct hci_chan *hchan)
4457{
4458 chan->hs_hcon = hchan->conn;
4459 chan->hs_hcon->l2cap_data = chan->conn;
4460
4461 BT_DBG("move_state %d", chan->move_state);
4462
4463 switch (chan->move_state) {
4464 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4465 /* Move confirm will be sent after a success
4466 * response is received
4467 */
4468 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4469 break;
4470 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4471 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4472 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4473 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4474 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4475 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4476 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4477 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4478 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4479 }
4480 break;
4481 default:
4482 /* Move was not in expected state, free the channel */
4483 __release_logical_link(chan);
4484
4485 chan->move_state = L2CAP_MOVE_STABLE;
4486 }
4487}
4488
4489/* Call with chan locked */
27695fb4
AE		 4490void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4491 u8 status)
5b155ef9 4492{
1500109b
MM		 4493 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4494
4495 if (status) {
4496 l2cap_logical_fail(chan);
4497 __release_logical_link(chan);
4498 return;
4499 }
4500
4501 if (chan->state != BT_CONNECTED) {
4502 /* Ignore logical link if channel is on BR/EDR */
4503 if (chan->local_amp_id)
4504 l2cap_logical_finish_create(chan, hchan);
4505 } else {
4506 l2cap_logical_finish_move(chan, hchan);
4507 }
5b155ef9
MM		 4508}
4509
3f7a56c4
MM		 4510void l2cap_move_start(struct l2cap_chan *chan)
4511{
4512 BT_DBG("chan %p", chan);
4513
4514 if (chan->local_amp_id == HCI_BREDR_ID) {
4515 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4516 return;
4517 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4518 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4519 /* Placeholder - start physical link setup */
4520 } else {
4521 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4522 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4523 chan->move_id = 0;
4524 l2cap_move_setup(chan);
4525 l2cap_send_move_chan_req(chan, 0);
4526 }
4527}
4528
8eb200bd
MM		 4529static void l2cap_do_create(struct l2cap_chan *chan, int result,
4530 u8 local_amp_id, u8 remote_amp_id)
4531{
62748ca1
AE		 4532 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4533 local_amp_id, remote_amp_id);
4534
12d6cc60
AE		 4535 chan->fcs = L2CAP_FCS_NONE;
4536
62748ca1
AE		 4537 /* Outgoing channel on AMP */
4538 if (chan->state == BT_CONNECT) {
4539 if (result == L2CAP_CR_SUCCESS) {
4540 chan->local_amp_id = local_amp_id;
4541 l2cap_send_create_chan_req(chan, remote_amp_id);
4542 } else {
4543 /* Revert to BR/EDR connect */
4544 l2cap_send_conn_req(chan);
4545 }
4546
4547 return;
4548 }
4549
4550 /* Incoming channel on AMP */
4551 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4552 struct l2cap_conn_rsp rsp;
4553 char buf[128];
4554 rsp.scid = cpu_to_le16(chan->dcid);
4555 rsp.dcid = cpu_to_le16(chan->scid);
4556
8eb200bd
MM		 4557 if (result == L2CAP_CR_SUCCESS) {
4558 /* Send successful response */
62cd50e2
AE		 4559 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4560 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4561 } else {
4562 /* Send negative response */
62cd50e2
AE		 4563 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4564 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4565 }
4566
4567 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4568 sizeof(rsp), &rsp);
4569
4570 if (result == L2CAP_CR_SUCCESS) {
4571 __l2cap_state_change(chan, BT_CONFIG);
4572 set_bit(CONF_REQ_SENT, &chan->conf_state);
4573 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4574 L2CAP_CONF_REQ,
4575 l2cap_build_conf_req(chan, buf), buf);
4576 chan->num_conf_req++;
4577 }
8eb200bd
MM		 4578 }
4579}
4580
4581static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4582 u8 remote_amp_id)
4583{
4584 l2cap_move_setup(chan);
4585 chan->move_id = local_amp_id;
4586 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4587
4588 l2cap_send_move_chan_req(chan, remote_amp_id);
4589}
4590
4591static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4592{
4593 struct hci_chan *hchan = NULL;
4594
4595 /* Placeholder - get hci_chan for logical link */
4596
4597 if (hchan) {
4598 if (hchan->state == BT_CONNECTED) {
4599 /* Logical link is ready to go */
4600 chan->hs_hcon = hchan->conn;
4601 chan->hs_hcon->l2cap_data = chan->conn;
4602 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4603 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4604
4605 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4606 } else {
4607 /* Wait for logical link to be ready */
4608 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4609 }
4610 } else {
4611 /* Logical link not available */
4612 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4613 }
4614}
4615
4616static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4617{
4618 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4619 u8 rsp_result;
4620 if (result == -EINVAL)
4621 rsp_result = L2CAP_MR_BAD_ID;
4622 else
4623 rsp_result = L2CAP_MR_NOT_ALLOWED;
4624
4625 l2cap_send_move_chan_rsp(chan, rsp_result);
4626 }
4627
4628 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4629 chan->move_state = L2CAP_MOVE_STABLE;
4630
4631 /* Restart data transmission */
4632 l2cap_ertm_send(chan);
4633}
4634
a514b17f
AE		 4635/* Invoke with locked chan */
4636void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4637{
770bfefa 4638 u8 local_amp_id = chan->local_amp_id;
fffadc08 4639 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4640
8eb200bd
MM		 4641 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4642 chan, result, local_amp_id, remote_amp_id);
4643
8eb200bd
MM		 4644 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4645 l2cap_chan_unlock(chan);
4646 return;
4647 }
4648
4649 if (chan->state != BT_CONNECTED) {
4650 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4651 } else if (result != L2CAP_MR_SUCCESS) {
4652 l2cap_do_move_cancel(chan, result);
4653 } else {
4654 switch (chan->move_role) {
4655 case L2CAP_MOVE_ROLE_INITIATOR:
4656 l2cap_do_move_initiate(chan, local_amp_id,
4657 remote_amp_id);
4658 break;
4659 case L2CAP_MOVE_ROLE_RESPONDER:
4660 l2cap_do_move_respond(chan, result);
4661 break;
4662 default:
4663 l2cap_do_move_cancel(chan, result);
4664 break;
4665 }
4666 }
8eb200bd
MM		 4667}
4668
8d5a04a1 4669static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4670 struct l2cap_cmd_hdr *cmd,
4671 u16 cmd_len, void *data)
8d5a04a1
MM		 4672{
4673 struct l2cap_move_chan_req *req = data;
1500109b 4674 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4675 struct l2cap_chan *chan;
8d5a04a1
MM		 4676 u16 icid = 0;
4677 u16 result = L2CAP_MR_NOT_ALLOWED;
4678
4679 if (cmd_len != sizeof(*req))
4680 return -EPROTO;
4681
4682 icid = le16_to_cpu(req->icid);
4683
ad0ac6ca 4684 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4685
4686 if (!enable_hs)
4687 return -EINVAL;
4688
02b0fbb9
MM		 4689 chan = l2cap_get_chan_by_dcid(conn, icid);
4690 if (!chan) {
1500109b
MM		 4691 rsp.icid = cpu_to_le16(icid);
4692 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4693 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4694 sizeof(rsp), &rsp);
02b0fbb9
MM		 4695 return 0;
4696 }
4697
1500109b
MM		 4698 chan->ident = cmd->ident;
4699
02b0fbb9
MM		 4700 if (chan->scid < L2CAP_CID_DYN_START ||
4701 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4702 (chan->mode != L2CAP_MODE_ERTM &&
4703 chan->mode != L2CAP_MODE_STREAMING)) {
4704 result = L2CAP_MR_NOT_ALLOWED;
4705 goto send_move_response;
4706 }
4707
4708 if (chan->local_amp_id == req->dest_amp_id) {
4709 result = L2CAP_MR_SAME_ID;
4710 goto send_move_response;
4711 }
4712
4713 if (req->dest_amp_id) {
4714 struct hci_dev *hdev;
4715 hdev = hci_dev_get(req->dest_amp_id);
4716 if (!hdev || hdev->dev_type != HCI_AMP ||
4717 !test_bit(HCI_UP, &hdev->flags)) {
4718 if (hdev)
4719 hci_dev_put(hdev);
4720
4721 result = L2CAP_MR_BAD_ID;
4722 goto send_move_response;
4723 }
4724 hci_dev_put(hdev);
4725 }
4726
4727 /* Detect a move collision. Only send a collision response
4728 * if this side has "lost", otherwise proceed with the move.
4729 * The winner has the larger bd_addr.
4730 */
4731 if ((__chan_is_moving(chan) ||
4732 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4733 bacmp(conn->src, conn->dst) > 0) {
4734 result = L2CAP_MR_COLLISION;
4735 goto send_move_response;
4736 }
4737
02b0fbb9
MM		 4738 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4739 l2cap_move_setup(chan);
4740 chan->move_id = req->dest_amp_id;
4741 icid = chan->dcid;
4742
4743 if (!req->dest_amp_id) {
4744 /* Moving to BR/EDR */
4745 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4746 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4747 result = L2CAP_MR_PEND;
4748 } else {
4749 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4750 result = L2CAP_MR_SUCCESS;
4751 }
4752 } else {
4753 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4754 /* Placeholder - uncomment when amp functions are available */
4755 /*amp_accept_physical(chan, req->dest_amp_id);*/
4756 result = L2CAP_MR_PEND;
4757 }
4758
4759send_move_response:
1500109b 4760 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4761
02b0fbb9
MM		 4762 l2cap_chan_unlock(chan);
4763
8d5a04a1
MM		 4764 return 0;
4765}
4766
5b155ef9
MM		 4767static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4768{
4769 struct l2cap_chan *chan;
4770 struct hci_chan *hchan = NULL;
4771
4772 chan = l2cap_get_chan_by_scid(conn, icid);
4773 if (!chan) {
4774 l2cap_send_move_chan_cfm_icid(conn, icid);
4775 return;
4776 }
4777
4778 __clear_chan_timer(chan);
4779 if (result == L2CAP_MR_PEND)
4780 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4781
4782 switch (chan->move_state) {
4783 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4784 /* Move confirm will be sent when logical link
4785 * is complete.
4786 */
4787 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4788 break;
4789 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4790 if (result == L2CAP_MR_PEND) {
4791 break;
4792 } else if (test_bit(CONN_LOCAL_BUSY,
4793 &chan->conn_state)) {
4794 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4795 } else {
4796 /* Logical link is up or moving to BR/EDR,
4797 * proceed with move
4798 */
4799 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4800 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4801 }
4802 break;
4803 case L2CAP_MOVE_WAIT_RSP:
4804 /* Moving to AMP */
4805 if (result == L2CAP_MR_SUCCESS) {
4806 /* Remote is ready, send confirm immediately
4807 * after logical link is ready
4808 */
4809 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4810 } else {
4811 /* Both logical link and move success
4812 * are required to confirm
4813 */
4814 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4815 }
4816
4817 /* Placeholder - get hci_chan for logical link */
4818 if (!hchan) {
4819 /* Logical link not available */
4820 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4821 break;
4822 }
4823
4824 /* If the logical link is not yet connected, do not
4825 * send confirmation.
4826 */
4827 if (hchan->state != BT_CONNECTED)
4828 break;
4829
4830 /* Logical link is already ready to go */
4831
4832 chan->hs_hcon = hchan->conn;
4833 chan->hs_hcon->l2cap_data = chan->conn;
4834
4835 if (result == L2CAP_MR_SUCCESS) {
4836 /* Can confirm now */
4837 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4838 } else {
4839 /* Now only need move success
4840 * to confirm
4841 */
4842 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4843 }
4844
4845 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4846 break;
4847 default:
4848 /* Any other amp move state means the move failed. */
4849 chan->move_id = chan->local_amp_id;
4850 l2cap_move_done(chan);
4851 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4852 }
4853
4854 l2cap_chan_unlock(chan);
4855}
4856
4857static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
4858 u16 result)
4859{
4860 struct l2cap_chan *chan;
4861
4862 chan = l2cap_get_chan_by_ident(conn, ident);
4863 if (!chan) {
4864 /* Could not locate channel, icid is best guess */
4865 l2cap_send_move_chan_cfm_icid(conn, icid);
4866 return;
4867 }
4868
4869 __clear_chan_timer(chan);
4870
4871 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4872 if (result == L2CAP_MR_COLLISION) {
4873 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4874 } else {
4875 /* Cleanup - cancel move */
4876 chan->move_id = chan->local_amp_id;
4877 l2cap_move_done(chan);
4878 }
4879 }
4880
4881 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4882
4883 l2cap_chan_unlock(chan);
4884}
4885
4886static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4887 struct l2cap_cmd_hdr *cmd,
4888 u16 cmd_len, void *data)
8d5a04a1
MM		 4889{
4890 struct l2cap_move_chan_rsp *rsp = data;
4891 u16 icid, result;
4892
4893 if (cmd_len != sizeof(*rsp))
4894 return -EPROTO;
4895
4896 icid = le16_to_cpu(rsp->icid);
4897 result = le16_to_cpu(rsp->result);
4898
ad0ac6ca 4899 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4900
5b155ef9
MM		 4901 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
4902 l2cap_move_continue(conn, icid, result);
4903 else
4904 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 4905
4906 return 0;
4907}
4908
5f3847a4
MM		 4909static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4910 struct l2cap_cmd_hdr *cmd,
4911 u16 cmd_len, void *data)
8d5a04a1
MM		 4912{
4913 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4914 struct l2cap_chan *chan;
8d5a04a1
MM		 4915 u16 icid, result;
4916
4917 if (cmd_len != sizeof(*cfm))
4918 return -EPROTO;
4919
4920 icid = le16_to_cpu(cfm->icid);
4921 result = le16_to_cpu(cfm->result);
4922
ad0ac6ca 4923 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4924
5f3847a4
MM		 4925 chan = l2cap_get_chan_by_dcid(conn, icid);
4926 if (!chan) {
4927 /* Spec requires a response even if the icid was not found */
4928 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4929 return 0;
4930 }
4931
4932 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4933 if (result == L2CAP_MC_CONFIRMED) {
4934 chan->local_amp_id = chan->move_id;
4935 if (!chan->local_amp_id)
4936 __release_logical_link(chan);
4937 } else {
4938 chan->move_id = chan->local_amp_id;
4939 }
4940
4941 l2cap_move_done(chan);
4942 }
4943
8d5a04a1
MM		 4944 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4945
5f3847a4
MM		 4946 l2cap_chan_unlock(chan);
4947
8d5a04a1
MM		 4948 return 0;
4949}
4950
4951static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4952 struct l2cap_cmd_hdr *cmd,
4953 u16 cmd_len, void *data)
8d5a04a1
MM		 4954{
4955 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 4956 struct l2cap_chan *chan;
8d5a04a1
MM		 4957 u16 icid;
4958
4959 if (cmd_len != sizeof(*rsp))
4960 return -EPROTO;
4961
4962 icid = le16_to_cpu(rsp->icid);
4963
ad0ac6ca 4964 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 4965
3fd71a0a
MM		 4966 chan = l2cap_get_chan_by_scid(conn, icid);
4967 if (!chan)
4968 return 0;
4969
4970 __clear_chan_timer(chan);
4971
4972 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
4973 chan->local_amp_id = chan->move_id;
4974
4975 if (!chan->local_amp_id && chan->hs_hchan)
4976 __release_logical_link(chan);
4977
4978 l2cap_move_done(chan);
4979 }
4980
4981 l2cap_chan_unlock(chan);
4982
8d5a04a1
MM		 4983 return 0;
4984}
4985
e2174ca4 4986static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4987 u16 to_multiplier)
de73115a
CT		 4988{
4989 u16 max_latency;
4990
4991 if (min > max || min < 6 || max > 3200)
4992 return -EINVAL;
4993
4994 if (to_multiplier < 10 || to_multiplier > 3200)
4995 return -EINVAL;
4996
4997 if (max >= to_multiplier * 8)
4998 return -EINVAL;
4999
5000 max_latency = (to_multiplier * 8 / max) - 1;
5001 if (latency > 499 || latency > max_latency)
5002 return -EINVAL;
5003
5004 return 0;
5005}
5006
5007static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 5008 struct l2cap_cmd_hdr *cmd,
5009 u8 *data)
de73115a
CT		 5010{
5011 struct hci_conn *hcon = conn->hcon;
5012 struct l2cap_conn_param_update_req *req;
5013 struct l2cap_conn_param_update_rsp rsp;
5014 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5015 int err;
de73115a
CT		 5016
5017 if (!(hcon->link_mode & HCI_LM_MASTER))
5018 return -EINVAL;
5019
5020 cmd_len = __le16_to_cpu(cmd->len);
5021 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5022 return -EPROTO;
5023
5024 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5025 min = __le16_to_cpu(req->min);
5026 max = __le16_to_cpu(req->max);
de73115a
CT		 5027 latency = __le16_to_cpu(req->latency);
5028 to_multiplier = __le16_to_cpu(req->to_multiplier);
5029
5030 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5031 min, max, latency, to_multiplier);
de73115a
CT		 5032
5033 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5034
5035 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5036 if (err)
ac73498c 5037 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5038 else
ac73498c 5039 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5040
5041 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5042 sizeof(rsp), &rsp);
de73115a 5043
2ce603eb
CT		 5044 if (!err)
5045 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5046
de73115a
CT		 5047 return 0;
5048}
5049
3300d9a9 5050static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5051 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5052 u8 *data)
3300d9a9
CT		 5053{
5054 int err = 0;
5055
5056 switch (cmd->code) {
5057 case L2CAP_COMMAND_REJ:
5058 l2cap_command_rej(conn, cmd, data);
5059 break;
5060
5061 case L2CAP_CONN_REQ:
5062 err = l2cap_connect_req(conn, cmd, data);
5063 break;
5064
5065 case L2CAP_CONN_RSP:
f5a2598d 5066 case L2CAP_CREATE_CHAN_RSP:
5909cf30 5067 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 5068 break;
5069
5070 case L2CAP_CONF_REQ:
5071 err = l2cap_config_req(conn, cmd, cmd_len, data);
5072 break;
5073
5074 case L2CAP_CONF_RSP:
5075 err = l2cap_config_rsp(conn, cmd, data);
5076 break;
5077
5078 case L2CAP_DISCONN_REQ:
5079 err = l2cap_disconnect_req(conn, cmd, data);
5080 break;
5081
5082 case L2CAP_DISCONN_RSP:
5083 err = l2cap_disconnect_rsp(conn, cmd, data);
5084 break;
5085
5086 case L2CAP_ECHO_REQ:
5087 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5088 break;
5089
5090 case L2CAP_ECHO_RSP:
5091 break;
5092
5093 case L2CAP_INFO_REQ:
5094 err = l2cap_information_req(conn, cmd, data);
5095 break;
5096
5097 case L2CAP_INFO_RSP:
5098 err = l2cap_information_rsp(conn, cmd, data);
5099 break;
5100
f94ff6ff
MM		 5101 case L2CAP_CREATE_CHAN_REQ:
5102 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5103 break;
5104
8d5a04a1
MM		 5105 case L2CAP_MOVE_CHAN_REQ:
5106 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5107 break;
5108
5109 case L2CAP_MOVE_CHAN_RSP:
5110 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5111 break;
5112
5113 case L2CAP_MOVE_CHAN_CFM:
5114 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5115 break;
5116
5117 case L2CAP_MOVE_CHAN_CFM_RSP:
5118 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5119 break;
5120
3300d9a9
CT		 5121 default:
5122 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5123 err = -EINVAL;
5124 break;
5125 }
5126
5127 return err;
5128}
5129
5130static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5131 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5132{
5133 switch (cmd->code) {
5134 case L2CAP_COMMAND_REJ:
5135 return 0;
5136
5137 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5138 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5139
5140 case L2CAP_CONN_PARAM_UPDATE_RSP:
5141 return 0;
5142
5143 default:
5144 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5145 return -EINVAL;
5146 }
5147}
5148
5149static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5150 struct sk_buff *skb)
1da177e4
LT		 5151{
5152 u8 *data = skb->data;
5153 int len = skb->len;
5154 struct l2cap_cmd_hdr cmd;
3300d9a9 5155 int err;
1da177e4
LT		 5156
5157 l2cap_raw_recv(conn, skb);
5158
5159 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5160 u16 cmd_len;
1da177e4
LT		 5161 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5162 data += L2CAP_CMD_HDR_SIZE;
5163 len -= L2CAP_CMD_HDR_SIZE;
5164
88219a0f 5165 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5166
2d792818
GP		 5167 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5168 cmd.ident);
1da177e4 5169
88219a0f 5170 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5171 BT_DBG("corrupted command");
5172 break;
5173 }
5174
3300d9a9
CT		 5175 if (conn->hcon->type == LE_LINK)
5176 err = l2cap_le_sig_cmd(conn, &cmd, data);
5177 else
5178 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 5179
5180 if (err) {
e2fd318e 5181 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5182
5183 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5184
5185 /* FIXME: Map err to a valid reason */
ac73498c 5186 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5187 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5188 sizeof(rej), &rej);
1da177e4
LT		 5189 }
5190
88219a0f
AV		 5191 data += cmd_len;
5192 len -= cmd_len;
1da177e4
LT		 5193 }
5194
5195 kfree_skb(skb);
5196}
5197
47d1ec61 5198static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5199{
5200 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5201 int hdr_size;
5202
5203 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5204 hdr_size = L2CAP_EXT_HDR_SIZE;
5205 else
5206 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5207
47d1ec61 5208 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5209 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5210 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5211 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5212
5213 if (our_fcs != rcv_fcs)
7a560e5c 5214 return -EBADMSG;
fcc203c3
GP		 5215 }
5216 return 0;
5217}
5218
6ea00485 5219static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5220{
e31f7633 5221 struct l2cap_ctrl control;
d5392c8f 5222
e31f7633 5223 BT_DBG("chan %p", chan);
d5392c8f 5224
e31f7633
MM		 5225 memset(&control, 0, sizeof(control));
5226 control.sframe = 1;
5227 control.final = 1;
5228 control.reqseq = chan->buffer_seq;
5229 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5230
e2ab4353 5231 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5232 control.super = L2CAP_SUPER_RNR;
5233 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5234 }
5235
e31f7633
MM		 5236 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5237 chan->unacked_frames > 0)
5238 __set_retrans_timer(chan);
d5392c8f 5239
e31f7633 5240 /* Send pending iframes */
525cd185 5241 l2cap_ertm_send(chan);
d5392c8f 5242
e2ab4353 5243 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5244 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5245 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5246 * send it now.
5247 */
5248 control.super = L2CAP_SUPER_RR;
5249 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5250 }
5251}
5252
2d792818
GP		 5253static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5254 struct sk_buff **last_frag)
18778a63 5255{
84084a31
MM		 5256 /* skb->len reflects data in skb as well as all fragments
5257 * skb->data_len reflects only data in fragments
5258 */
5259 if (!skb_has_frag_list(skb))
5260 skb_shinfo(skb)->frag_list = new_frag;
5261
5262 new_frag->next = NULL;
5263
5264 (*last_frag)->next = new_frag;
5265 *last_frag = new_frag;
5266
5267 skb->len += new_frag->len;
5268 skb->data_len += new_frag->len;
5269 skb->truesize += new_frag->truesize;
5270}
5271
4b51dae9
MM		 5272static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5273 struct l2cap_ctrl *control)
84084a31
MM		 5274{
5275 int err = -EINVAL;
18778a63 5276
4b51dae9 5277 switch (control->sar) {
7e0ef6ee 5278 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5279 if (chan->sdu)
5280 break;
18778a63 5281
80b98027 5282 err = chan->ops->recv(chan, skb);
84084a31 5283 break;
18778a63 5284
7e0ef6ee 5285 case L2CAP_SAR_START:
84084a31
MM		 5286 if (chan->sdu)
5287 break;
18778a63 5288
6f61fd47 5289 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5290 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5291
84084a31
MM		 5292 if (chan->sdu_len > chan->imtu) {
5293 err = -EMSGSIZE;
5294 break;
5295 }
1890d36b 5296
84084a31
MM		 5297 if (skb->len >= chan->sdu_len)
5298 break;
18778a63 5299
84084a31
MM		 5300 chan->sdu = skb;
5301 chan->sdu_last_frag = skb;
18778a63 5302
84084a31
MM		 5303 skb = NULL;
5304 err = 0;
18778a63
GP		 5305 break;
5306
7e0ef6ee 5307 case L2CAP_SAR_CONTINUE:
6f61fd47 5308 if (!chan->sdu)
84084a31 5309 break;
18778a63 5310
84084a31
MM		 5311 append_skb_frag(chan->sdu, skb,
5312 &chan->sdu_last_frag);
5313 skb = NULL;
18778a63 5314
84084a31
MM		 5315 if (chan->sdu->len >= chan->sdu_len)
5316 break;
4178ba46 5317
84084a31 5318 err = 0;
18778a63
GP		 5319 break;
5320
7e0ef6ee 5321 case L2CAP_SAR_END:
6f61fd47 5322 if (!chan->sdu)
84084a31 5323 break;
18778a63 5324
84084a31
MM		 5325 append_skb_frag(chan->sdu, skb,
5326 &chan->sdu_last_frag);
5327 skb = NULL;
4178ba46 5328
84084a31
MM		 5329 if (chan->sdu->len != chan->sdu_len)
5330 break;
18778a63 5331
80b98027 5332 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5333
84084a31
MM		 5334 if (!err) {
5335 /* Reassembly complete */
5336 chan->sdu = NULL;
5337 chan->sdu_last_frag = NULL;
5338 chan->sdu_len = 0;
1890d36b 5339 }
18778a63
GP		 5340 break;
5341 }
5342
84084a31
MM		 5343 if (err) {
5344 kfree_skb(skb);
5345 kfree_skb(chan->sdu);
5346 chan->sdu = NULL;
5347 chan->sdu_last_frag = NULL;
5348 chan->sdu_len = 0;
5349 }
18778a63 5350
84084a31 5351 return err;
18778a63
GP		 5352}
5353
32b32735
MM		 5354static int l2cap_resegment(struct l2cap_chan *chan)
5355{
5356 /* Placeholder */
5357 return 0;
5358}
5359
61aa4f5b 5360void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5361{
61aa4f5b 5362 u8 event;
712132eb 5363
61aa4f5b
MM		 5364 if (chan->mode != L2CAP_MODE_ERTM)
5365 return;
712132eb 5366
61aa4f5b 5367 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5368 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5369}
5370
d2a7ac5d
MM		 5371static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5372{
63838725
MM		 5373 int err = 0;
5374 /* Pass sequential frames to l2cap_reassemble_sdu()
5375 * until a gap is encountered.
5376 */
5377
5378 BT_DBG("chan %p", chan);
5379
5380 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5381 struct sk_buff *skb;
5382 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5383 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5384
5385 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5386
5387 if (!skb)
5388 break;
5389
5390 skb_unlink(skb, &chan->srej_q);
5391 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5392 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5393 if (err)
5394 break;
5395 }
5396
5397 if (skb_queue_empty(&chan->srej_q)) {
5398 chan->rx_state = L2CAP_RX_STATE_RECV;
5399 l2cap_send_ack(chan);
5400 }
5401
5402 return err;
d2a7ac5d
MM		 5403}
5404
5405static void l2cap_handle_srej(struct l2cap_chan *chan,
5406 struct l2cap_ctrl *control)
5407{
f80842a8
MM		 5408 struct sk_buff *skb;
5409
5410 BT_DBG("chan %p, control %p", chan, control);
5411
5412 if (control->reqseq == chan->next_tx_seq) {
5413 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5414 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5415 return;
5416 }
5417
5418 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5419
5420 if (skb == NULL) {
5421 BT_DBG("Seq %d not available for retransmission",
5422 control->reqseq);
5423 return;
5424 }
5425
5426 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5427 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5428 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5429 return;
5430 }
5431
5432 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5433
5434 if (control->poll) {
5435 l2cap_pass_to_tx(chan, control);
5436
5437 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5438 l2cap_retransmit(chan, control);
5439 l2cap_ertm_send(chan);
5440
5441 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5442 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5443 chan->srej_save_reqseq = control->reqseq;
5444 }
5445 } else {
5446 l2cap_pass_to_tx_fbit(chan, control);
5447
5448 if (control->final) {
5449 if (chan->srej_save_reqseq != control->reqseq ||
5450 !test_and_clear_bit(CONN_SREJ_ACT,
5451 &chan->conn_state))
5452 l2cap_retransmit(chan, control);
5453 } else {
5454 l2cap_retransmit(chan, control);
5455 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5456 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5457 chan->srej_save_reqseq = control->reqseq;
5458 }
5459 }
5460 }
d2a7ac5d
MM		 5461}
5462
5463static void l2cap_handle_rej(struct l2cap_chan *chan,
5464 struct l2cap_ctrl *control)
5465{
fcd289df
MM		 5466 struct sk_buff *skb;
5467
5468 BT_DBG("chan %p, control %p", chan, control);
5469
5470 if (control->reqseq == chan->next_tx_seq) {
5471 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5472 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5473 return;
5474 }
5475
5476 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5477
5478 if (chan->max_tx && skb &&
5479 bt_cb(skb)->control.retries >= chan->max_tx) {
5480 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5481 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5482 return;
5483 }
5484
5485 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5486
5487 l2cap_pass_to_tx(chan, control);
5488
5489 if (control->final) {
5490 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5491 l2cap_retransmit_all(chan, control);
5492 } else {
5493 l2cap_retransmit_all(chan, control);
5494 l2cap_ertm_send(chan);
5495 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5496 set_bit(CONN_REJ_ACT, &chan->conn_state);
5497 }
d2a7ac5d
MM		 5498}
5499
4b51dae9
MM		 5500static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5501{
5502 BT_DBG("chan %p, txseq %d", chan, txseq);
5503
5504 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5505 chan->expected_tx_seq);
5506
5507 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5508 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5509 chan->tx_win) {
4b51dae9
MM		 5510 /* See notes below regarding "double poll" and
5511 * invalid packets.
5512 */
5513 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5514 BT_DBG("Invalid/Ignore - after SREJ");
5515 return L2CAP_TXSEQ_INVALID_IGNORE;
5516 } else {
5517 BT_DBG("Invalid - in window after SREJ sent");
5518 return L2CAP_TXSEQ_INVALID;
5519 }
5520 }
5521
5522 if (chan->srej_list.head == txseq) {
5523 BT_DBG("Expected SREJ");
5524 return L2CAP_TXSEQ_EXPECTED_SREJ;
5525 }
5526
5527 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5528 BT_DBG("Duplicate SREJ - txseq already stored");
5529 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5530 }
5531
5532 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5533 BT_DBG("Unexpected SREJ - not requested");
5534 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5535 }
5536 }
5537
5538 if (chan->expected_tx_seq == txseq) {
5539 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5540 chan->tx_win) {
5541 BT_DBG("Invalid - txseq outside tx window");
5542 return L2CAP_TXSEQ_INVALID;
5543 } else {
5544 BT_DBG("Expected");
5545 return L2CAP_TXSEQ_EXPECTED;
5546 }
5547 }
5548
5549 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5550 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5551 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5552 return L2CAP_TXSEQ_DUPLICATE;
5553 }
5554
5555 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5556 /* A source of invalid packets is a "double poll" condition,
5557 * where delays cause us to send multiple poll packets. If
5558 * the remote stack receives and processes both polls,
5559 * sequence numbers can wrap around in such a way that a
5560 * resent frame has a sequence number that looks like new data
5561 * with a sequence gap. This would trigger an erroneous SREJ
5562 * request.
5563 *
5564 * Fortunately, this is impossible with a tx window that's
5565 * less than half of the maximum sequence number, which allows
5566 * invalid frames to be safely ignored.
5567 *
5568 * With tx window sizes greater than half of the tx window
5569 * maximum, the frame is invalid and cannot be ignored. This
5570 * causes a disconnect.
5571 */
5572
5573 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5574 BT_DBG("Invalid/Ignore - txseq outside tx window");
5575 return L2CAP_TXSEQ_INVALID_IGNORE;
5576 } else {
5577 BT_DBG("Invalid - txseq outside tx window");
5578 return L2CAP_TXSEQ_INVALID;
5579 }
5580 } else {
5581 BT_DBG("Unexpected - txseq indicates missing frames");
5582 return L2CAP_TXSEQ_UNEXPECTED;
5583 }
5584}
5585
d2a7ac5d
MM		 5586static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5587 struct l2cap_ctrl *control,
5588 struct sk_buff *skb, u8 event)
5589{
5590 int err = 0;
5591 bool skb_in_use = 0;
5592
5593 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5594 event);
5595
5596 switch (event) {
5597 case L2CAP_EV_RECV_IFRAME:
5598 switch (l2cap_classify_txseq(chan, control->txseq)) {
5599 case L2CAP_TXSEQ_EXPECTED:
5600 l2cap_pass_to_tx(chan, control);
5601
5602 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5603 BT_DBG("Busy, discarding expected seq %d",
5604 control->txseq);
5605 break;
5606 }
5607
5608 chan->expected_tx_seq = __next_seq(chan,
5609 control->txseq);
5610
5611 chan->buffer_seq = chan->expected_tx_seq;
5612 skb_in_use = 1;
5613
5614 err = l2cap_reassemble_sdu(chan, skb, control);
5615 if (err)
5616 break;
5617
5618 if (control->final) {
5619 if (!test_and_clear_bit(CONN_REJ_ACT,
5620 &chan->conn_state)) {
5621 control->final = 0;
5622 l2cap_retransmit_all(chan, control);
5623 l2cap_ertm_send(chan);
5624 }
5625 }
5626
5627 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5628 l2cap_send_ack(chan);
5629 break;
5630 case L2CAP_TXSEQ_UNEXPECTED:
5631 l2cap_pass_to_tx(chan, control);
5632
5633 /* Can't issue SREJ frames in the local busy state.
5634 * Drop this frame, it will be seen as missing
5635 * when local busy is exited.
5636 */
5637 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5638 BT_DBG("Busy, discarding unexpected seq %d",
5639 control->txseq);
5640 break;
5641 }
5642
5643 /* There was a gap in the sequence, so an SREJ
5644 * must be sent for each missing frame. The
5645 * current frame is stored for later use.
5646 */
5647 skb_queue_tail(&chan->srej_q, skb);
5648 skb_in_use = 1;
5649 BT_DBG("Queued %p (queue len %d)", skb,
5650 skb_queue_len(&chan->srej_q));
5651
5652 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5653 l2cap_seq_list_clear(&chan->srej_list);
5654 l2cap_send_srej(chan, control->txseq);
5655
5656 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5657 break;
5658 case L2CAP_TXSEQ_DUPLICATE:
5659 l2cap_pass_to_tx(chan, control);
5660 break;
5661 case L2CAP_TXSEQ_INVALID_IGNORE:
5662 break;
5663 case L2CAP_TXSEQ_INVALID:
5664 default:
5e4e3972 5665 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5666 break;
5667 }
5668 break;
5669 case L2CAP_EV_RECV_RR:
5670 l2cap_pass_to_tx(chan, control);
5671 if (control->final) {
5672 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5673
e6a3ee6e
MM		 5674 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5675 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5676 control->final = 0;
5677 l2cap_retransmit_all(chan, control);
5678 }
5679
5680 l2cap_ertm_send(chan);
5681 } else if (control->poll) {
5682 l2cap_send_i_or_rr_or_rnr(chan);
5683 } else {
5684 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5685 &chan->conn_state) &&
5686 chan->unacked_frames)
5687 __set_retrans_timer(chan);
5688
5689 l2cap_ertm_send(chan);
5690 }
5691 break;
5692 case L2CAP_EV_RECV_RNR:
5693 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5694 l2cap_pass_to_tx(chan, control);
5695 if (control && control->poll) {
5696 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5697 l2cap_send_rr_or_rnr(chan, 0);
5698 }
5699 __clear_retrans_timer(chan);
5700 l2cap_seq_list_clear(&chan->retrans_list);
5701 break;
5702 case L2CAP_EV_RECV_REJ:
5703 l2cap_handle_rej(chan, control);
5704 break;
5705 case L2CAP_EV_RECV_SREJ:
5706 l2cap_handle_srej(chan, control);
5707 break;
5708 default:
5709 break;
5710 }
5711
5712 if (skb && !skb_in_use) {
5713 BT_DBG("Freeing %p", skb);
5714 kfree_skb(skb);
5715 }
5716
5717 return err;
5718}
5719
5720static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5721 struct l2cap_ctrl *control,
5722 struct sk_buff *skb, u8 event)
5723{
5724 int err = 0;
5725 u16 txseq = control->txseq;
5726 bool skb_in_use = 0;
5727
5728 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5729 event);
5730
5731 switch (event) {
5732 case L2CAP_EV_RECV_IFRAME:
5733 switch (l2cap_classify_txseq(chan, txseq)) {
5734 case L2CAP_TXSEQ_EXPECTED:
5735 /* Keep frame for reassembly later */
5736 l2cap_pass_to_tx(chan, control);
5737 skb_queue_tail(&chan->srej_q, skb);
5738 skb_in_use = 1;
5739 BT_DBG("Queued %p (queue len %d)", skb,
5740 skb_queue_len(&chan->srej_q));
5741
5742 chan->expected_tx_seq = __next_seq(chan, txseq);
5743 break;
5744 case L2CAP_TXSEQ_EXPECTED_SREJ:
5745 l2cap_seq_list_pop(&chan->srej_list);
5746
5747 l2cap_pass_to_tx(chan, control);
5748 skb_queue_tail(&chan->srej_q, skb);
5749 skb_in_use = 1;
5750 BT_DBG("Queued %p (queue len %d)", skb,
5751 skb_queue_len(&chan->srej_q));
5752
5753 err = l2cap_rx_queued_iframes(chan);
5754 if (err)
5755 break;
5756
5757 break;
5758 case L2CAP_TXSEQ_UNEXPECTED:
5759 /* Got a frame that can't be reassembled yet.
5760 * Save it for later, and send SREJs to cover
5761 * the missing frames.
5762 */
5763 skb_queue_tail(&chan->srej_q, skb);
5764 skb_in_use = 1;
5765 BT_DBG("Queued %p (queue len %d)", skb,
5766 skb_queue_len(&chan->srej_q));
5767
5768 l2cap_pass_to_tx(chan, control);
5769 l2cap_send_srej(chan, control->txseq);
5770 break;
5771 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5772 /* This frame was requested with an SREJ, but
5773 * some expected retransmitted frames are
5774 * missing. Request retransmission of missing
5775 * SREJ'd frames.
5776 */
5777 skb_queue_tail(&chan->srej_q, skb);
5778 skb_in_use = 1;
5779 BT_DBG("Queued %p (queue len %d)", skb,
5780 skb_queue_len(&chan->srej_q));
5781
5782 l2cap_pass_to_tx(chan, control);
5783 l2cap_send_srej_list(chan, control->txseq);
5784 break;
5785 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5786 /* We've already queued this frame. Drop this copy. */
5787 l2cap_pass_to_tx(chan, control);
5788 break;
5789 case L2CAP_TXSEQ_DUPLICATE:
5790 /* Expecting a later sequence number, so this frame
5791 * was already received. Ignore it completely.
5792 */
5793 break;
5794 case L2CAP_TXSEQ_INVALID_IGNORE:
5795 break;
5796 case L2CAP_TXSEQ_INVALID:
5797 default:
5e4e3972 5798 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5799 break;
5800 }
5801 break;
5802 case L2CAP_EV_RECV_RR:
5803 l2cap_pass_to_tx(chan, control);
5804 if (control->final) {
5805 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5806
5807 if (!test_and_clear_bit(CONN_REJ_ACT,
5808 &chan->conn_state)) {
5809 control->final = 0;
5810 l2cap_retransmit_all(chan, control);
5811 }
5812
5813 l2cap_ertm_send(chan);
5814 } else if (control->poll) {
5815 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5816 &chan->conn_state) &&
5817 chan->unacked_frames) {
5818 __set_retrans_timer(chan);
5819 }
5820
5821 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5822 l2cap_send_srej_tail(chan);
5823 } else {
5824 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5825 &chan->conn_state) &&
5826 chan->unacked_frames)
5827 __set_retrans_timer(chan);
5828
5829 l2cap_send_ack(chan);
5830 }
5831 break;
5832 case L2CAP_EV_RECV_RNR:
5833 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5834 l2cap_pass_to_tx(chan, control);
5835 if (control->poll) {
5836 l2cap_send_srej_tail(chan);
5837 } else {
5838 struct l2cap_ctrl rr_control;
5839 memset(&rr_control, 0, sizeof(rr_control));
5840 rr_control.sframe = 1;
5841 rr_control.super = L2CAP_SUPER_RR;
5842 rr_control.reqseq = chan->buffer_seq;
5843 l2cap_send_sframe(chan, &rr_control);
5844 }
5845
5846 break;
5847 case L2CAP_EV_RECV_REJ:
5848 l2cap_handle_rej(chan, control);
5849 break;
5850 case L2CAP_EV_RECV_SREJ:
5851 l2cap_handle_srej(chan, control);
5852 break;
5853 }
5854
5855 if (skb && !skb_in_use) {
5856 BT_DBG("Freeing %p", skb);
5857 kfree_skb(skb);
5858 }
5859
5860 return err;
5861}
5862
32b32735
MM		 5863static int l2cap_finish_move(struct l2cap_chan *chan)
5864{
5865 BT_DBG("chan %p", chan);
5866
5867 chan->rx_state = L2CAP_RX_STATE_RECV;
5868
5869 if (chan->hs_hcon)
5870 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5871 else
5872 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5873
5874 return l2cap_resegment(chan);
5875}
5876
5877static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5878 struct l2cap_ctrl *control,
5879 struct sk_buff *skb, u8 event)
5880{
5881 int err;
5882
5883 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5884 event);
5885
5886 if (!control->poll)
5887 return -EPROTO;
5888
5889 l2cap_process_reqseq(chan, control->reqseq);
5890
5891 if (!skb_queue_empty(&chan->tx_q))
5892 chan->tx_send_head = skb_peek(&chan->tx_q);
5893 else
5894 chan->tx_send_head = NULL;
5895
5896 /* Rewind next_tx_seq to the point expected
5897 * by the receiver.
5898 */
5899 chan->next_tx_seq = control->reqseq;
5900 chan->unacked_frames = 0;
5901
5902 err = l2cap_finish_move(chan);
5903 if (err)
5904 return err;
5905
5906 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5907 l2cap_send_i_or_rr_or_rnr(chan);
5908
5909 if (event == L2CAP_EV_RECV_IFRAME)
5910 return -EPROTO;
5911
5912 return l2cap_rx_state_recv(chan, control, NULL, event);
5913}
5914
5915static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5916 struct l2cap_ctrl *control,
5917 struct sk_buff *skb, u8 event)
5918{
5919 int err;
5920
5921 if (!control->final)
5922 return -EPROTO;
5923
5924 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5925
5926 chan->rx_state = L2CAP_RX_STATE_RECV;
5927 l2cap_process_reqseq(chan, control->reqseq);
5928
5929 if (!skb_queue_empty(&chan->tx_q))
5930 chan->tx_send_head = skb_peek(&chan->tx_q);
5931 else
5932 chan->tx_send_head = NULL;
5933
5934 /* Rewind next_tx_seq to the point expected
5935 * by the receiver.
5936 */
5937 chan->next_tx_seq = control->reqseq;
5938 chan->unacked_frames = 0;
5939
5940 if (chan->hs_hcon)
5941 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5942 else
5943 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5944
5945 err = l2cap_resegment(chan);
5946
5947 if (!err)
5948 err = l2cap_rx_state_recv(chan, control, skb, event);
5949
5950 return err;
5951}
5952
d2a7ac5d
MM		 5953static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5954{
5955 /* Make sure reqseq is for a packet that has been sent but not acked */
5956 u16 unacked;
5957
5958 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5959 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5960}
5961
cec8ab6e
MM		 5962static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5963 struct sk_buff *skb, u8 event)
218bb9df 5964{
d2a7ac5d
MM		 5965 int err = 0;
5966
5967 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5968 control, skb, event, chan->rx_state);
5969
5970 if (__valid_reqseq(chan, control->reqseq)) {
5971 switch (chan->rx_state) {
5972 case L2CAP_RX_STATE_RECV:
5973 err = l2cap_rx_state_recv(chan, control, skb, event);
5974 break;
5975 case L2CAP_RX_STATE_SREJ_SENT:
5976 err = l2cap_rx_state_srej_sent(chan, control, skb,
5977 event);
5978 break;
32b32735
MM		 5979 case L2CAP_RX_STATE_WAIT_P:
5980 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5981 break;
5982 case L2CAP_RX_STATE_WAIT_F:
5983 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5984 break;
d2a7ac5d
MM		 5985 default:
5986 /* shut it down */
5987 break;
5988 }
5989 } else {
5990 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5991 control->reqseq, chan->next_tx_seq,
5992 chan->expected_ack_seq);
5e4e3972 5993 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5994 }
5995
5996 return err;
cec8ab6e
MM		 5997}
5998
5999static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6000 struct sk_buff *skb)
6001{
4b51dae9
MM		 6002 int err = 0;
6003
6004 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6005 chan->rx_state);
6006
6007 if (l2cap_classify_txseq(chan, control->txseq) ==
6008 L2CAP_TXSEQ_EXPECTED) {
6009 l2cap_pass_to_tx(chan, control);
6010
6011 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6012 __next_seq(chan, chan->buffer_seq));
6013
6014 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6015
6016 l2cap_reassemble_sdu(chan, skb, control);
6017 } else {
6018 if (chan->sdu) {
6019 kfree_skb(chan->sdu);
6020 chan->sdu = NULL;
6021 }
6022 chan->sdu_last_frag = NULL;
6023 chan->sdu_len = 0;
6024
6025 if (skb) {
6026 BT_DBG("Freeing %p", skb);
6027 kfree_skb(skb);
6028 }
6029 }
6030
6031 chan->last_acked_seq = control->txseq;
6032 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6033
6034 return err;
cec8ab6e
MM		 6035}
6036
6037static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6038{
6039 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6040 u16 len;
6041 u8 event;
218bb9df 6042
b76bbd66
MM		 6043 __unpack_control(chan, skb);
6044
218bb9df
GP		 6045 len = skb->len;
6046
6047 /*
6048 * We can just drop the corrupted I-frame here.
6049 * Receiver will miss it and start proper recovery
cec8ab6e 6050 * procedures and ask for retransmission.
218bb9df 6051 */
47d1ec61 6052 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6053 goto drop;
6054
cec8ab6e 6055 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6056 len -= L2CAP_SDULEN_SIZE;
218bb9df 6057
47d1ec61 6058 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6059 len -= L2CAP_FCS_SIZE;
218bb9df 6060
47d1ec61 6061 if (len > chan->mps) {
5e4e3972 6062 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6063 goto drop;
6064 }
6065
cec8ab6e
MM		 6066 if (!control->sframe) {
6067 int err;
218bb9df 6068
cec8ab6e
MM		 6069 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6070 control->sar, control->reqseq, control->final,
6071 control->txseq);
218bb9df 6072
cec8ab6e
MM		 6073 /* Validate F-bit - F=0 always valid, F=1 only
6074 * valid in TX WAIT_F
6075 */
6076 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6077 goto drop;
cec8ab6e
MM		 6078
6079 if (chan->mode != L2CAP_MODE_STREAMING) {
6080 event = L2CAP_EV_RECV_IFRAME;
6081 err = l2cap_rx(chan, control, skb, event);
6082 } else {
6083 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6084 }
6085
cec8ab6e 6086 if (err)
5e4e3972 6087 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6088 } else {
cec8ab6e
MM		 6089 const u8 rx_func_to_event[4] = {
6090 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6091 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6092 };
6093
6094 /* Only I-frames are expected in streaming mode */
6095 if (chan->mode == L2CAP_MODE_STREAMING)
6096 goto drop;
6097
6098 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6099 control->reqseq, control->final, control->poll,
6100 control->super);
6101
218bb9df 6102 if (len != 0) {
1bb166e6 6103 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6104 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6105 goto drop;
6106 }
6107
cec8ab6e
MM		 6108 /* Validate F and P bits */
6109 if (control->final && (control->poll ||
6110 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6111 goto drop;
6112
6113 event = rx_func_to_event[control->super];
6114 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6115 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6116 }
6117
6118 return 0;
6119
6120drop:
6121 kfree_skb(skb);
6122 return 0;
6123}
6124
13ca56e0
AE		 6125static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6126 struct sk_buff *skb)
1da177e4 6127{
48454079 6128 struct l2cap_chan *chan;
1da177e4 6129
baa7e1fa 6130 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6131 if (!chan) {
97e8e89d
AE		 6132 if (cid == L2CAP_CID_A2MP) {
6133 chan = a2mp_channel_create(conn, skb);
6134 if (!chan) {
6135 kfree_skb(skb);
13ca56e0 6136 return;
97e8e89d
AE		 6137 }
6138
6139 l2cap_chan_lock(chan);
6140 } else {
6141 BT_DBG("unknown cid 0x%4.4x", cid);
6142 /* Drop packet and return */
6143 kfree_skb(skb);
13ca56e0 6144 return;
97e8e89d 6145 }
1da177e4
LT		 6146 }
6147
49208c9c 6148 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6149
89bc500e 6150 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6151 goto drop;
6152
0c1bc5c6 6153 switch (chan->mode) {
1c2acffb
GP		 6154 case L2CAP_MODE_BASIC:
6155 /* If socket recv buffers overflows we drop data here
6156 * which is *bad* because L2CAP has to be reliable.
6157 * But we don't have any other choice. L2CAP doesn't
6158 * provide flow control mechanism. */
1da177e4 6159
0c1bc5c6 6160 if (chan->imtu < skb->len)
1c2acffb 6161 goto drop;
1da177e4 6162
80b98027 6163 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6164 goto done;
6165 break;
6166
6167 case L2CAP_MODE_ERTM:
6840ed07 6168 case L2CAP_MODE_STREAMING:
cec8ab6e 6169 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6170 goto done;
6171
1c2acffb 6172 default:
0c1bc5c6 6173 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6174 break;
6175 }
1da177e4
LT		 6176
6177drop:
6178 kfree_skb(skb);
6179
6180done:
6be36555 6181 l2cap_chan_unlock(chan);
1da177e4
LT		 6182}
6183
84104b24
AE		 6184static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6185 struct sk_buff *skb)
1da177e4 6186{
23691d75 6187 struct l2cap_chan *chan;
1da177e4 6188
c2287681 6189 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6190 if (!chan)
1da177e4
LT		 6191 goto drop;
6192
5b4cedaa 6193 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6194
89bc500e 6195 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6196 goto drop;
6197
e13e21dc 6198 if (chan->imtu < skb->len)
1da177e4
LT		 6199 goto drop;
6200
80b98027 6201 if (!chan->ops->recv(chan, skb))
84104b24 6202 return;
1da177e4
LT		 6203
6204drop:
6205 kfree_skb(skb);
1da177e4
LT		 6206}
6207
6810fca7
AE		 6208static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
6209 struct sk_buff *skb)
9f69bda6 6210{
23691d75 6211 struct l2cap_chan *chan;
9f69bda6 6212
c2287681 6213 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 6214 if (!chan)
9f69bda6
GP		 6215 goto drop;
6216
5b4cedaa 6217 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6218
89bc500e 6219 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6220 goto drop;
6221
e13e21dc 6222 if (chan->imtu < skb->len)
9f69bda6
GP		 6223 goto drop;
6224
80b98027 6225 if (!chan->ops->recv(chan, skb))
6810fca7 6226 return;
9f69bda6
GP		 6227
6228drop:
6229 kfree_skb(skb);
9f69bda6
GP		 6230}
6231
1da177e4
LT		 6232static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6233{
6234 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6235 u16 cid, len;
6236 __le16 psm;
1da177e4
LT		 6237
6238 skb_pull(skb, L2CAP_HDR_SIZE);
6239 cid = __le16_to_cpu(lh->cid);
6240 len = __le16_to_cpu(lh->len);
6241
1c2acffb
GP		 6242 if (len != skb->len) {
6243 kfree_skb(skb);
6244 return;
6245 }
6246
1da177e4
LT		 6247 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6248
6249 switch (cid) {
3300d9a9 6250 case L2CAP_CID_LE_SIGNALING:
8db4dc46 6251 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6252 l2cap_sig_channel(conn, skb);
6253 break;
6254
8db4dc46 6255 case L2CAP_CID_CONN_LESS:
097db76c 6256 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6257 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6258 l2cap_conless_channel(conn, psm, skb);
6259 break;
6260
9f69bda6
GP		 6261 case L2CAP_CID_LE_DATA:
6262 l2cap_att_channel(conn, cid, skb);
6263 break;
6264
b501d6a1
AB		 6265 case L2CAP_CID_SMP:
6266 if (smp_sig_channel(conn, skb))
6267 l2cap_conn_del(conn->hcon, EACCES);
6268 break;
6269
1da177e4
LT		 6270 default:
6271 l2cap_data_channel(conn, cid, skb);
6272 break;
6273 }
6274}
6275
6276/* ---- L2CAP interface with lower layer (HCI) ---- */
6277
686ebf28 6278int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6279{
6280 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6281 struct l2cap_chan *c;
1da177e4 6282
6ed93dc6 6283 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6284
6285 /* Find listening sockets and check their link_mode */
23691d75
GP		 6286 read_lock(&chan_list_lock);
6287 list_for_each_entry(c, &chan_list, global_l) {
6288 struct sock *sk = c->sk;
4343478f 6289
89bc500e 6290 if (c->state != BT_LISTEN)
1da177e4
LT		 6291 continue;
6292
6293 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6294 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6295 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6296 lm1 |= HCI_LM_MASTER;
1da177e4 6297 exact++;
2af6b9d5
MH		 6298 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6299 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6300 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6301 lm2 |= HCI_LM_MASTER;
6302 }
1da177e4 6303 }
23691d75 6304 read_unlock(&chan_list_lock);
1da177e4
LT		 6305
6306 return exact ? lm1 : lm2;
6307}
6308
9e664631 6309void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6310{
0139418c
MH		 6311 struct l2cap_conn *conn;
6312
6ed93dc6 6313 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6314
1da177e4 6315 if (!status) {
1da177e4
LT		 6316 conn = l2cap_conn_add(hcon, status);
6317 if (conn)
6318 l2cap_conn_ready(conn);
ba6fc317 6319 } else {
e175072f 6320 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6321 }
1da177e4
LT		 6322}
6323
686ebf28 6324int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6325{
6326 struct l2cap_conn *conn = hcon->l2cap_data;
6327
6328 BT_DBG("hcon %p", hcon);
6329
686ebf28 6330 if (!conn)
9f5a0d7b 6331 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6332 return conn->disc_reason;
6333}
6334
9e664631 6335void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6336{
6337 BT_DBG("hcon %p reason %d", hcon, reason);
6338
e175072f 6339 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6340}
6341
4343478f 6342static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6343{
715ec005 6344 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6345 return;
6346
f62e4323 6347 if (encrypt == 0x00) {
4343478f 6348 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6349 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6350 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6351 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6352 } else {
4343478f 6353 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6354 __clear_chan_timer(chan);
f62e4323
MH		 6355 }
6356}
6357
686ebf28 6358int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6359{
0139418c 6360 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6361 struct l2cap_chan *chan;
1da177e4 6362
0139418c 6363 if (!conn)
1da177e4 6364 return 0;
0139418c 6365
89d8b407 6366 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6367
160dc6ac 6368 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6369 if (!status && encrypt)
6370 smp_distribute_keys(conn, 0);
17cd3f37 6371 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6372 }
6373
3df91ea2 6374 mutex_lock(&conn->chan_lock);
1da177e4 6375
3df91ea2 6376 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6377 l2cap_chan_lock(chan);
1da177e4 6378
89d8b407
AE		 6379 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6380 state_to_string(chan->state));
f1cb9af5 6381
78eb2f98
AE		 6382 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6383 l2cap_chan_unlock(chan);
6384 continue;
6385 }
6386
f1cb9af5
VCG		 6387 if (chan->scid == L2CAP_CID_LE_DATA) {
6388 if (!status && encrypt) {
6389 chan->sec_level = hcon->sec_level;
cf4cd009 6390 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6391 }
6392
6be36555 6393 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6394 continue;
6395 }
6396
96eff46e 6397 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6398 l2cap_chan_unlock(chan);
6a8d3010
MH		 6399 continue;
6400 }
6401
89bc500e 6402 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6403 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6404 struct sock *sk = chan->sk;
6405
c5daa683 6406 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6407 sk->sk_state_change(sk);
6408
4343478f 6409 l2cap_check_encryption(chan, encrypt);
6be36555 6410 l2cap_chan_unlock(chan);
9719f8af
MH		 6411 continue;
6412 }
6413
89bc500e 6414 if (chan->state == BT_CONNECT) {
b1235d79 6415 if (!status) {
93c3e8f5 6416 l2cap_start_connection(chan);
b1235d79 6417 } else {
ba13ccd9 6418 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6419 }
89bc500e 6420 } else if (chan->state == BT_CONNECT2) {
6be36555 6421 struct sock *sk = chan->sk;
b1235d79 6422 struct l2cap_conn_rsp rsp;
df3c3931 6423 __u16 res, stat;
1da177e4 6424
6be36555
AE		 6425 lock_sock(sk);
6426
b1235d79 6427 if (!status) {
c5daa683
GP		 6428 if (test_bit(BT_SK_DEFER_SETUP,
6429 &bt_sk(sk)->flags)) {
df3c3931
JH		 6430 res = L2CAP_CR_PEND;
6431 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6432 chan->ops->defer(chan);
df3c3931 6433 } else {
0e587be7 6434 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6435 res = L2CAP_CR_SUCCESS;
6436 stat = L2CAP_CS_NO_INFO;
6437 }
b1235d79 6438 } else {
0e587be7 6439 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6440 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6441 res = L2CAP_CR_SEC_BLOCK;
6442 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6443 }
6444
6be36555
AE		 6445 release_sock(sk);
6446
fe4128e0
GP		 6447 rsp.scid = cpu_to_le16(chan->dcid);
6448 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6449 rsp.result = cpu_to_le16(res);
6450 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6451 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6452 sizeof(rsp), &rsp);
2d369359
MM		 6453
6454 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6455 res == L2CAP_CR_SUCCESS) {
6456 char buf[128];
6457 set_bit(CONF_REQ_SENT, &chan->conf_state);
6458 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6459 L2CAP_CONF_REQ,
6460 l2cap_build_conf_req(chan, buf),
6461 buf);
6462 chan->num_conf_req++;
6463 }
b1235d79 6464 }
1da177e4 6465
6be36555 6466 l2cap_chan_unlock(chan);
1da177e4
LT		 6467 }
6468
3df91ea2 6469 mutex_unlock(&conn->chan_lock);
b1235d79 6470
1da177e4
LT		 6471 return 0;
6472}
6473
686ebf28 6474int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6475{
6476 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6477 struct l2cap_hdr *hdr;
6478 int len;
1da177e4 6479
1d13a254
AE		 6480 /* For AMP controller do not create l2cap conn */
6481 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6482 goto drop;
1da177e4 6483
5a08ecce
AE		 6484 if (!conn)
6485 conn = l2cap_conn_add(hcon, 0);
6486
6487 if (!conn)
1da177e4
LT		 6488 goto drop;
6489
6490 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6491
d73a0988
AE		 6492 switch (flags) {
6493 case ACL_START:
6494 case ACL_START_NO_FLUSH:
6495 case ACL_COMPLETE:
1da177e4
LT		 6496 if (conn->rx_len) {
6497 BT_ERR("Unexpected start frame (len %d)", skb->len);
6498 kfree_skb(conn->rx_skb);
6499 conn->rx_skb = NULL;
6500 conn->rx_len = 0;
6501 l2cap_conn_unreliable(conn, ECOMM);
6502 }
6503
aae7fe22
AE		 6504 /* Start fragment always begin with Basic L2CAP header */
6505 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6506 BT_ERR("Frame is too short (len %d)", skb->len);
6507 l2cap_conn_unreliable(conn, ECOMM);
6508 goto drop;
6509 }
6510
6511 hdr = (struct l2cap_hdr *) skb->data;
6512 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6513
6514 if (len == skb->len) {
6515 /* Complete frame received */
6516 l2cap_recv_frame(conn, skb);
6517 return 0;
6518 }
6519
6520 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6521
6522 if (skb->len > len) {
6523 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6524 skb->len, len);
1da177e4
LT		 6525 l2cap_conn_unreliable(conn, ECOMM);
6526 goto drop;
6527 }
6528
6529 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6530 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6531 if (!conn->rx_skb)
1da177e4
LT		 6532 goto drop;
6533
d626f62b 6534 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6535 skb->len);
1da177e4 6536 conn->rx_len = len - skb->len;
d73a0988
AE		 6537 break;
6538
6539 case ACL_CONT:
1da177e4
LT		 6540 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6541
6542 if (!conn->rx_len) {
6543 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6544 l2cap_conn_unreliable(conn, ECOMM);
6545 goto drop;
6546 }
6547
6548 if (skb->len > conn->rx_len) {
6549 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6550 skb->len, conn->rx_len);
1da177e4
LT		 6551 kfree_skb(conn->rx_skb);
6552 conn->rx_skb = NULL;
6553 conn->rx_len = 0;
6554 l2cap_conn_unreliable(conn, ECOMM);
6555 goto drop;
6556 }
6557
d626f62b 6558 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6559 skb->len);
1da177e4
LT		 6560 conn->rx_len -= skb->len;
6561
6562 if (!conn->rx_len) {
6563 /* Complete frame received */
6564 l2cap_recv_frame(conn, conn->rx_skb);
6565 conn->rx_skb = NULL;
6566 }
d73a0988 6567 break;
1da177e4
LT		 6568 }
6569
6570drop:
6571 kfree_skb(skb);
6572 return 0;
6573}
6574
aef7d97c 6575static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6576{
23691d75 6577 struct l2cap_chan *c;
1da177e4 6578
333055f2 6579 read_lock(&chan_list_lock);
1da177e4 6580
23691d75
GP		 6581 list_for_each_entry(c, &chan_list, global_l) {
6582 struct sock *sk = c->sk;
101545f6 6583
fcb73338
AE		 6584 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6585 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6586 c->state, __le16_to_cpu(c->psm),
6587 c->scid, c->dcid, c->imtu, c->omtu,
6588 c->sec_level, c->mode);
61e1b4b7 6589 }
1da177e4 6590
333055f2 6591 read_unlock(&chan_list_lock);
1da177e4 6592
aef7d97c 6593 return 0;
1da177e4
LT		 6594}
6595
aef7d97c
MH		 6596static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6597{
6598 return single_open(file, l2cap_debugfs_show, inode->i_private);
6599}
6600
6601static const struct file_operations l2cap_debugfs_fops = {
6602 .open = l2cap_debugfs_open,
6603 .read = seq_read,
6604 .llseek = seq_lseek,
6605 .release = single_release,
6606};
6607
6608static struct dentry *l2cap_debugfs;
1da177e4 6609
64274518 6610int __init l2cap_init(void)
1da177e4
LT		 6611{
6612 int err;
be9d1227 6613
bb58f747 6614 err = l2cap_init_sockets();
1da177e4
LT		 6615 if (err < 0)
6616 return err;
6617
aef7d97c 6618 if (bt_debugfs) {
2d792818
GP		 6619 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6620 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6621 if (!l2cap_debugfs)
6622 BT_ERR("Failed to create L2CAP debug file");
6623 }
1da177e4 6624
1da177e4 6625 return 0;
1da177e4
LT		 6626}
6627
64274518 6628void l2cap_exit(void)
1da177e4 6629{
aef7d97c 6630 debugfs_remove(l2cap_debugfs);
bb58f747 6631 l2cap_cleanup_sockets();
1da177e4
LT		 6632}
6633
d1c4a17d
GP		 6634module_param(disable_ertm, bool, 0644);
6635MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)