projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: AMP: Mark controller radio powered down after HCIDEVDOWN
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
5e4e3972 56static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
1da177e4 57
d660366d 58static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 59 struct sk_buff_head *skbs, u8 event);
608bcc6d 60
0139418c 61/* ---- L2CAP channels ---- */
71ba0e56 62
2d792818
GP		 63static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
64 u16 cid)
0139418c 65{
3df91ea2 66 struct l2cap_chan *c;
3d57dc68 67
3df91ea2
AE		 68 list_for_each_entry(c, &conn->chan_l, list) {
69 if (c->dcid == cid)
70 return c;
0139418c 71 }
3df91ea2 72 return NULL;
0139418c
MH		 73}
74
2d792818
GP		 75static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
76 u16 cid)
0139418c 77{
3df91ea2 78 struct l2cap_chan *c;
3d57dc68 79
3df91ea2
AE		 80 list_for_each_entry(c, &conn->chan_l, list) {
81 if (c->scid == cid)
82 return c;
0139418c 83 }
3df91ea2 84 return NULL;
0139418c
MH		 85}
86
87/* Find channel with given SCID.
ef191ade 88 * Returns locked channel. */
2d792818
GP		 89static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
90 u16 cid)
0139418c 91{
48454079 92 struct l2cap_chan *c;
baa7e1fa 93
3df91ea2 94 mutex_lock(&conn->chan_lock);
baa7e1fa 95 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 96 if (c)
97 l2cap_chan_lock(c);
3df91ea2
AE		 98 mutex_unlock(&conn->chan_lock);
99
48454079 100 return c;
0139418c
MH		 101}
102
b1a130b7
MM		 103/* Find channel with given DCID.
104 * Returns locked channel.
105 */
106static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
2d792818
GP		 120static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
121 u8 ident)
0139418c 122{
3df91ea2 123 struct l2cap_chan *c;
3d57dc68 124
3df91ea2
AE		 125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
127 return c;
0139418c 128 }
3df91ea2 129 return NULL;
0139418c
MH		 130}
131
5b155ef9
MM		 132static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
133 u8 ident)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
23691d75 146static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 147{
23691d75 148 struct l2cap_chan *c;
9e4425ff 149
23691d75
GP		 150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 152 return c;
9e4425ff 153 }
250938cb 154 return NULL;
9e4425ff
GP		 155}
156
157int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
158{
73b2ec18
GP		 159 int err;
160
333055f2 161 write_lock(&chan_list_lock);
9e4425ff 162
23691d75 163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 164 err = -EADDRINUSE;
165 goto done;
9e4425ff
GP		 166 }
167
73b2ec18
GP		 168 if (psm) {
169 chan->psm = psm;
170 chan->sport = psm;
171 err = 0;
172 } else {
173 u16 p;
174
175 err = -EINVAL;
176 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
180 err = 0;
181 break;
182 }
183 }
9e4425ff 184
73b2ec18 185done:
333055f2 186 write_unlock(&chan_list_lock);
73b2ec18 187 return err;
9e4425ff
GP		 188}
189
190int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
191{
333055f2 192 write_lock(&chan_list_lock);
9e4425ff
GP		 193
194 chan->scid = scid;
195
333055f2 196 write_unlock(&chan_list_lock);
9e4425ff
GP		 197
198 return 0;
199}
200
baa7e1fa 201static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 202{
8db4dc46 203 u16 cid = L2CAP_CID_DYN_START;
0139418c 204
8db4dc46 205 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 206 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 207 return cid;
208 }
209
210 return 0;
211}
212
0e587be7 213static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 214{
42d2d87c 215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 216 state_to_string(state));
badaaa00 217
89bc500e 218 chan->state = state;
80b98027 219 chan->ops->state_change(chan, state);
89bc500e
GP		 220}
221
0e587be7
AE		 222static void l2cap_state_change(struct l2cap_chan *chan, int state)
223{
224 struct sock *sk = chan->sk;
225
226 lock_sock(sk);
227 __l2cap_state_change(chan, state);
228 release_sock(sk);
229}
230
2e0052e4
AE		 231static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
232{
233 struct sock *sk = chan->sk;
234
235 sk->sk_err = err;
236}
237
238static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
239{
240 struct sock *sk = chan->sk;
241
242 lock_sock(sk);
243 __l2cap_chan_set_err(chan, err);
244 release_sock(sk);
245}
246
4239d16f
MM		 247static void __set_retrans_timer(struct l2cap_chan *chan)
248{
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
253 }
254}
255
256static void __set_monitor_timer(struct l2cap_chan *chan)
257{
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
262 }
263}
264
608bcc6d
MM		 265static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
266 u16 seq)
267{
268 struct sk_buff *skb;
269
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
272 return skb;
273 }
274
275 return NULL;
276}
277
3c588192
MM		 278/* ---- L2CAP sequence number lists ---- */
279
280/* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
286 * allocs or frees.
287 */
288
289static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
290{
291 size_t alloc_size, i;
292
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
296 */
297 alloc_size = roundup_pow_of_two(size);
298
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
300 if (!seq_list->list)
301 return -ENOMEM;
302
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
308
309 return 0;
310}
311
312static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
313{
314 kfree(seq_list->list);
315}
316
317static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
318 u16 seq)
319{
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
322}
323
324static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
325{
326 u16 mask = seq_list->mask;
327
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
335
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 }
340 } else {
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
347 }
348
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
354 }
355 return seq;
356}
357
358static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
359{
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
f522ae36 366 u16 i;
3c588192 367
f522ae36
GP		 368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382 /* All appends happen in constant time */
383
f522ae36
GP		 384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
3c588192 386
f522ae36
GP		 387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 394}
395
721c4181 396static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 397{
721c4181 398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 399 chan_timer.work);
3df91ea2 400 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 401 int reason;
402
e05dcc32 403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 404
3df91ea2 405 mutex_lock(&conn->chan_lock);
6be36555 406 l2cap_chan_lock(chan);
ab07801d 407
89bc500e 408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 409 reason = ECONNREFUSED;
89bc500e 410 else if (chan->state == BT_CONNECT &&
2d792818 411 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
0f852724 416 l2cap_chan_close(chan, reason);
ab07801d 417
6be36555 418 l2cap_chan_unlock(chan);
ab07801d 419
80b98027 420 chan->ops->close(chan);
3df91ea2
AE		 421 mutex_unlock(&conn->chan_lock);
422
371fd835 423 l2cap_chan_put(chan);
ab07801d
GP		 424}
425
eef1d9b6 426struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
c03b355e
AE		 434 mutex_init(&chan->lock);
435
333055f2 436 write_lock(&chan_list_lock);
23691d75 437 list_add(&chan->global_l, &chan_list);
333055f2 438 write_unlock(&chan_list_lock);
23691d75 439
721c4181 440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 441
89bc500e
GP		 442 chan->state = BT_OPEN;
443
144ad330 444 kref_init(&chan->kref);
71ba0e56 445
2827011f
MM		 446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
448
eef1d9b6 449 BT_DBG("chan %p", chan);
abc545b8 450
48454079
GP		 451 return chan;
452}
453
144ad330 454static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 455{
144ad330
SS		 456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
457
4af66c69
JK		 458 BT_DBG("chan %p", chan);
459
333055f2 460 write_lock(&chan_list_lock);
23691d75 461 list_del(&chan->global_l);
333055f2 462 write_unlock(&chan_list_lock);
23691d75 463
4af66c69 464 kfree(chan);
6ff5abbf
GP		 465}
466
30648372
JK		 467void l2cap_chan_hold(struct l2cap_chan *c)
468{
144ad330 469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 470
144ad330 471 kref_get(&c->kref);
30648372
JK		 472}
473
474void l2cap_chan_put(struct l2cap_chan *c)
475{
144ad330 476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 477
144ad330 478 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 479}
480
bd4b1653
AE		 481void l2cap_chan_set_defaults(struct l2cap_chan *chan)
482{
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 488 chan->sec_level = BT_SECURITY_LOW;
489
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
491}
492
93c3e8f5 493void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 494{
af05b30b 495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 496 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 497
9f5a0d7b 498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 499
8c1d787b 500 chan->conn = conn;
0139418c 501
5491120e
AE		 502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 504 if (conn->hcon->type == LE_LINK) {
505 /* LE connection */
6fcb06a2 506 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 507 chan->scid = L2CAP_CID_LE_DATA;
508 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 509 } else {
510 /* Alloc CID for connection-oriented socket */
fe4128e0 511 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 512 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 513 }
5491120e
AE		 514 break;
515
516 case L2CAP_CHAN_CONN_LESS:
0139418c 517 /* Connectionless socket */
fe4128e0
GP		 518 chan->scid = L2CAP_CID_CONN_LESS;
519 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 520 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 521 break;
522
416fa752
AE		 523 case L2CAP_CHAN_CONN_FIX_A2MP:
524 chan->scid = L2CAP_CID_A2MP;
525 chan->dcid = L2CAP_CID_A2MP;
526 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
527 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
528 break;
529
5491120e 530 default:
0139418c 531 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 532 chan->scid = L2CAP_CID_SIGNALING;
533 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 534 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 535 }
536
8f7975b1
AE		 537 chan->local_id = L2CAP_BESTEFFORT_ID;
538 chan->local_stype = L2CAP_SERV_BESTEFFORT;
539 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
540 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
541 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 542 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 543
371fd835 544 l2cap_chan_hold(chan);
baa7e1fa 545
3df91ea2 546 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 547}
548
466f8004 549void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 550{
551 mutex_lock(&conn->chan_lock);
552 __l2cap_chan_add(conn, chan);
3df91ea2 553 mutex_unlock(&conn->chan_lock);
0139418c
MH		 554}
555
466f8004 556void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 557{
8c1d787b 558 struct l2cap_conn *conn = chan->conn;
0139418c 559
c9b66675 560 __clear_chan_timer(chan);
0139418c 561
49208c9c 562 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 563
8e87d142 564 if (conn) {
56f60984 565 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 566 /* Delete from channel list */
3df91ea2 567 list_del(&chan->list);
3d57dc68 568
371fd835 569 l2cap_chan_put(chan);
baa7e1fa 570
8c1d787b 571 chan->conn = NULL;
3cabbfda
AE		 572
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
574 hci_conn_put(conn->hcon);
56f60984
AE		 575
576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL;
0139418c
MH		 578 }
579
419e08c1
AE		 580 if (chan->hs_hchan) {
581 struct hci_chan *hs_hchan = chan->hs_hchan;
582
583 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
584 amp_disconnect_logical_link(hs_hchan);
585 }
586
b699ec0d 587 chan->ops->teardown(chan, err);
6be36555 588
2827011f 589 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 590 return;
2ead70b8 591
ee556f66
GP		 592 switch(chan->mode) {
593 case L2CAP_MODE_BASIC:
594 break;
c13ffa62 595
ee556f66 596 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 597 __clear_retrans_timer(chan);
598 __clear_monitor_timer(chan);
599 __clear_ack_timer(chan);
c13ffa62 600
f1c6775b 601 skb_queue_purge(&chan->srej_q);
c13ffa62 602
3c588192
MM		 603 l2cap_seq_list_free(&chan->srej_list);
604 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 605
606 /* fall through */
607
608 case L2CAP_MODE_STREAMING:
609 skb_queue_purge(&chan->tx_q);
610 break;
c13ffa62 611 }
ee556f66
GP		 612
613 return;
0139418c
MH		 614}
615
0f852724 616void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 617{
618 struct l2cap_conn *conn = chan->conn;
619 struct sock *sk = chan->sk;
620
2d792818
GP		 621 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
622 sk);
4519de9a 623
89bc500e 624 switch (chan->state) {
4519de9a 625 case BT_LISTEN:
b699ec0d 626 chan->ops->teardown(chan, 0);
4519de9a
GP		 627 break;
628
629 case BT_CONNECTED:
630 case BT_CONFIG:
715ec005 631 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 632 conn->hcon->type == ACL_LINK) {
c9b66675 633 __set_chan_timer(chan, sk->sk_sndtimeo);
5e4e3972 634 l2cap_send_disconn_req(chan, reason);
4519de9a
GP		 635 } else
636 l2cap_chan_del(chan, reason);
637 break;
638
639 case BT_CONNECT2:
715ec005 640 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 641 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 642 struct l2cap_conn_rsp rsp;
643 __u16 result;
644
c5daa683 645 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 646 result = L2CAP_CR_SEC_BLOCK;
647 else
648 result = L2CAP_CR_BAD_PSM;
89bc500e 649 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 650
651 rsp.scid = cpu_to_le16(chan->dcid);
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.result = cpu_to_le16(result);
ac73498c 654 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 655 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 656 sizeof(rsp), &rsp);
4519de9a
GP		 657 }
658
659 l2cap_chan_del(chan, reason);
660 break;
661
662 case BT_CONNECT:
663 case BT_DISCONN:
664 l2cap_chan_del(chan, reason);
665 break;
666
667 default:
b699ec0d 668 chan->ops->teardown(chan, 0);
4519de9a
GP		 669 break;
670 }
671}
672
4343478f 673static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 674{
715ec005 675 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 676 switch (chan->sec_level) {
8556edd3
JH		 677 case BT_SECURITY_HIGH:
678 return HCI_AT_DEDICATED_BONDING_MITM;
679 case BT_SECURITY_MEDIUM:
680 return HCI_AT_DEDICATED_BONDING;
681 default:
682 return HCI_AT_NO_BONDING;
683 }
2983fd68 684 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 685 if (chan->sec_level == BT_SECURITY_LOW)
686 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 687
4343478f 688 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 689 return HCI_AT_NO_BONDING_MITM;
00ae4af9 690 else
8556edd3 691 return HCI_AT_NO_BONDING;
00ae4af9 692 } else {
4343478f 693 switch (chan->sec_level) {
00ae4af9 694 case BT_SECURITY_HIGH:
8556edd3 695 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 696 case BT_SECURITY_MEDIUM:
8556edd3 697 return HCI_AT_GENERAL_BONDING;
00ae4af9 698 default:
8556edd3 699 return HCI_AT_NO_BONDING;
00ae4af9 700 }
0684e5f9 701 }
8556edd3
JH		 702}
703
704/* Service level security */
d45fc423 705int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 706{
8c1d787b 707 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 708 __u8 auth_type;
709
4343478f 710 auth_type = l2cap_get_auth_type(chan);
79d554a6 711
4343478f 712 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 713}
714
b5ad8b7f 715static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 716{
717 u8 id;
718
719 /* Get next available identificator.
720 * 1 - 128 are used by kernel.
721 * 129 - 199 are reserved.
722 * 200 - 254 are used by utilities like l2ping, etc.
723 */
724
333055f2 725 spin_lock(&conn->lock);
4e8402a3
MH		 726
727 if (++conn->tx_ident > 128)
728 conn->tx_ident = 1;
729
730 id = conn->tx_ident;
731
333055f2 732 spin_unlock(&conn->lock);
4e8402a3
MH		 733
734 return id;
735}
736
2d792818
GP		 737static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
738 void *data)
4e8402a3
MH		 739{
740 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 741 u8 flags;
4e8402a3
MH		 742
743 BT_DBG("code 0x%2.2x", code);
744
745 if (!skb)
9a9c6a34 746 return;
4e8402a3 747
e702112f
AE		 748 if (lmp_no_flush_capable(conn->hcon->hdev))
749 flags = ACL_START_NO_FLUSH;
750 else
751 flags = ACL_START;
752
14b12d0b 753 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 754 skb->priority = HCI_PRIO_MAX;
14b12d0b 755
73d80deb
LAD		 756 hci_send_acl(conn->hchan, skb, flags);
757}
758
02b0fbb9
MM		 759static bool __chan_is_moving(struct l2cap_chan *chan)
760{
761 return chan->move_state != L2CAP_MOVE_STABLE &&
762 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
763}
764
73d80deb
LAD		 765static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
766{
767 struct hci_conn *hcon = chan->conn->hcon;
768 u16 flags;
769
770 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 771 skb->priority);
73d80deb 772
d5f8a75d
MM		 773 if (chan->hs_hcon && !__chan_is_moving(chan)) {
774 if (chan->hs_hchan)
775 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
776 else
777 kfree_skb(skb);
778
779 return;
780 }
781
73d80deb 782 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 783 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 784 flags = ACL_START_NO_FLUSH;
785 else
786 flags = ACL_START;
14b12d0b 787
73d80deb
LAD		 788 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
789 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 790}
791
b76bbd66
MM		 792static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
793{
794 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
795 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
796
797 if (enh & L2CAP_CTRL_FRAME_TYPE) {
798 /* S-Frame */
799 control->sframe = 1;
800 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
801 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
802
803 control->sar = 0;
804 control->txseq = 0;
805 } else {
806 /* I-Frame */
807 control->sframe = 0;
808 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
809 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
810
811 control->poll = 0;
812 control->super = 0;
813 }
814}
815
b76bbd66
MM		 816static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
817{
818 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
819 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
820
821 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
822 /* S-Frame */
823 control->sframe = 1;
824 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
825 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
826
827 control->sar = 0;
828 control->txseq = 0;
829 } else {
830 /* I-Frame */
831 control->sframe = 0;
832 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
833 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
834
835 control->poll = 0;
836 control->super = 0;
837 }
838}
839
840static inline void __unpack_control(struct l2cap_chan *chan,
841 struct sk_buff *skb)
842{
843 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
844 __unpack_extended_control(get_unaligned_le32(skb->data),
845 &bt_cb(skb)->control);
cec8ab6e 846 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 847 } else {
848 __unpack_enhanced_control(get_unaligned_le16(skb->data),
849 &bt_cb(skb)->control);
cec8ab6e 850 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 851 }
852}
853
b5c6aaed
MM		 854static u32 __pack_extended_control(struct l2cap_ctrl *control)
855{
856 u32 packed;
857
858 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
859 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
860
861 if (control->sframe) {
862 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
863 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
864 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
865 } else {
866 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
867 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
868 }
869
870 return packed;
871}
872
873static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
874{
875 u16 packed;
876
877 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
878 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
879
880 if (control->sframe) {
881 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
882 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
883 packed |= L2CAP_CTRL_FRAME_TYPE;
884 } else {
885 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
886 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
887 }
888
889 return packed;
890}
891
b76bbd66
MM		 892static inline void __pack_control(struct l2cap_chan *chan,
893 struct l2cap_ctrl *control,
894 struct sk_buff *skb)
895{
896 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
897 put_unaligned_le32(__pack_extended_control(control),
898 skb->data + L2CAP_HDR_SIZE);
899 } else {
900 put_unaligned_le16(__pack_enhanced_control(control),
901 skb->data + L2CAP_HDR_SIZE);
902 }
903}
904
ba7aa64f
GP		 905static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
906{
907 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
908 return L2CAP_EXT_HDR_SIZE;
909 else
910 return L2CAP_ENH_HDR_SIZE;
911}
912
a67d7f6f
MM		 913static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
914 u32 control)
b5c6aaed
MM		 915{
916 struct sk_buff *skb;
917 struct l2cap_hdr *lh;
ba7aa64f 918 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 919
920 if (chan->fcs == L2CAP_FCS_CRC16)
921 hlen += L2CAP_FCS_SIZE;
922
a67d7f6f 923 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 924
b5c6aaed 925 if (!skb)
a67d7f6f 926 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 927
928 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
929 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
930 lh->cid = cpu_to_le16(chan->dcid);
931
a67d7f6f
MM		 932 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
933 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
934 else
935 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 936
937 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 938 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 939 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
940 }
941
942 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 943 return skb;
944}
945
946static void l2cap_send_sframe(struct l2cap_chan *chan,
947 struct l2cap_ctrl *control)
948{
949 struct sk_buff *skb;
950 u32 control_field;
951
952 BT_DBG("chan %p, control %p", chan, control);
953
954 if (!control->sframe)
955 return;
956
b99e13ad
MM		 957 if (__chan_is_moving(chan))
958 return;
959
a67d7f6f
MM		 960 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
961 !control->poll)
962 control->final = 1;
963
964 if (control->super == L2CAP_SUPER_RR)
965 clear_bit(CONN_RNR_SENT, &chan->conn_state);
966 else if (control->super == L2CAP_SUPER_RNR)
967 set_bit(CONN_RNR_SENT, &chan->conn_state);
968
969 if (control->super != L2CAP_SUPER_SREJ) {
970 chan->last_acked_seq = control->reqseq;
971 __clear_ack_timer(chan);
972 }
973
974 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
975 control->final, control->poll, control->super);
976
977 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
978 control_field = __pack_extended_control(control);
979 else
980 control_field = __pack_enhanced_control(control);
981
982 skb = l2cap_create_sframe_pdu(chan, control_field);
983 if (!IS_ERR(skb))
984 l2cap_do_send(chan, skb);
b5c6aaed
MM		 985}
986
c9e3d5e0 987static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 988{
c9e3d5e0
MM		 989 struct l2cap_ctrl control;
990
991 BT_DBG("chan %p, poll %d", chan, poll);
992
993 memset(&control, 0, sizeof(control));
994 control.sframe = 1;
995 control.poll = poll;
996
997 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
998 control.super = L2CAP_SUPER_RNR;
999 else
1000 control.super = L2CAP_SUPER_RR;
b5c6aaed 1001
c9e3d5e0
MM		 1002 control.reqseq = chan->buffer_seq;
1003 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 1004}
1005
b4450035 1006static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1007{
c1360a1c 1008 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1009}
1010
93c3e8f5
AE		 1011static bool __amp_capable(struct l2cap_chan *chan)
1012{
1013 struct l2cap_conn *conn = chan->conn;
1014
1015 if (enable_hs &&
1016 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1017 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1018 return true;
1019 else
1020 return false;
1021}
1022
5ce66b59
AE		 1023static bool l2cap_check_efs(struct l2cap_chan *chan)
1024{
1025 /* Check EFS parameters */
1026 return true;
1027}
1028
2766be48 1029void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1030{
1031 struct l2cap_conn *conn = chan->conn;
1032 struct l2cap_conn_req req;
1033
1034 req.scid = cpu_to_le16(chan->scid);
1035 req.psm = chan->psm;
1036
1037 chan->ident = l2cap_get_ident(conn);
1038
1039 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1040
1041 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1042}
1043
8eb200bd
MM		 1044static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1045{
1046 struct l2cap_create_chan_req req;
1047 req.scid = cpu_to_le16(chan->scid);
1048 req.psm = chan->psm;
1049 req.amp_id = amp_id;
1050
1051 chan->ident = l2cap_get_ident(chan->conn);
1052
1053 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1054 sizeof(req), &req);
1055}
1056
02b0fbb9
MM		 1057static void l2cap_move_setup(struct l2cap_chan *chan)
1058{
1059 struct sk_buff *skb;
1060
1061 BT_DBG("chan %p", chan);
1062
1063 if (chan->mode != L2CAP_MODE_ERTM)
1064 return;
1065
1066 __clear_retrans_timer(chan);
1067 __clear_monitor_timer(chan);
1068 __clear_ack_timer(chan);
1069
1070 chan->retry_count = 0;
1071 skb_queue_walk(&chan->tx_q, skb) {
1072 if (bt_cb(skb)->control.retries)
1073 bt_cb(skb)->control.retries = 1;
1074 else
1075 break;
1076 }
1077
1078 chan->expected_tx_seq = chan->buffer_seq;
1079
1080 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1081 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1082 l2cap_seq_list_clear(&chan->retrans_list);
1083 l2cap_seq_list_clear(&chan->srej_list);
1084 skb_queue_purge(&chan->srej_q);
1085
1086 chan->tx_state = L2CAP_TX_STATE_XMIT;
1087 chan->rx_state = L2CAP_RX_STATE_MOVE;
1088
1089 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1090}
1091
5f3847a4
MM		 1092static void l2cap_move_done(struct l2cap_chan *chan)
1093{
1094 u8 move_role = chan->move_role;
1095 BT_DBG("chan %p", chan);
1096
1097 chan->move_state = L2CAP_MOVE_STABLE;
1098 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1099
1100 if (chan->mode != L2CAP_MODE_ERTM)
1101 return;
1102
1103 switch (move_role) {
1104 case L2CAP_MOVE_ROLE_INITIATOR:
1105 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1106 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1107 break;
1108 case L2CAP_MOVE_ROLE_RESPONDER:
1109 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1110 break;
1111 }
1112}
1113
9f0caeb1
VCG		 1114static void l2cap_chan_ready(struct l2cap_chan *chan)
1115{
2827011f 1116 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1117 chan->conf_state = 0;
1118 __clear_chan_timer(chan);
1119
54a59aa2 1120 chan->state = BT_CONNECTED;
9f0caeb1 1121
fd83e2c2 1122 chan->ops->ready(chan);
9f0caeb1
VCG		 1123}
1124
93c3e8f5
AE		 1125static void l2cap_start_connection(struct l2cap_chan *chan)
1126{
1127 if (__amp_capable(chan)) {
1128 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1129 a2mp_discover_amp(chan);
1130 } else {
1131 l2cap_send_conn_req(chan);
1132 }
1133}
1134
fc7f8a7e 1135static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1136{
8c1d787b 1137 struct l2cap_conn *conn = chan->conn;
79d554a6 1138
9f0caeb1
VCG		 1139 if (conn->hcon->type == LE_LINK) {
1140 l2cap_chan_ready(chan);
1141 return;
1142 }
1143
79d554a6 1144 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1145 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1146 return;
1147
d45fc423 1148 if (l2cap_chan_check_security(chan) &&
2d792818 1149 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1150 l2cap_start_connection(chan);
1151 }
79d554a6
MH		 1152 } else {
1153 struct l2cap_info_req req;
ac73498c 1154 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1155
1156 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1157 conn->info_ident = l2cap_get_ident(conn);
1158
ba13ccd9 1159 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1160
2d792818
GP		 1161 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1162 sizeof(req), &req);
79d554a6
MH		 1163 }
1164}
1165
cf6c2c0b
GP		 1166static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1167{
1168 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1169 if (!disable_ertm)
cf6c2c0b
GP		 1170 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1171
1172 switch (mode) {
1173 case L2CAP_MODE_ERTM:
1174 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1175 case L2CAP_MODE_STREAMING:
1176 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1177 default:
1178 return 0x00;
1179 }
1180}
1181
5e4e3972 1182static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
22121fc9 1183{
6be36555 1184 struct sock *sk = chan->sk;
5e4e3972 1185 struct l2cap_conn *conn = chan->conn;
22121fc9
GP		 1186 struct l2cap_disconn_req req;
1187
c13ffa62
GP		 1188 if (!conn)
1189 return;
1190
aad3d0e3 1191 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1192 __clear_retrans_timer(chan);
1193 __clear_monitor_timer(chan);
1194 __clear_ack_timer(chan);
c13ffa62
GP		 1195 }
1196
416fa752 1197 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1198 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1199 return;
1200 }
1201
fe4128e0
GP		 1202 req.dcid = cpu_to_le16(chan->dcid);
1203 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1204 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1205 sizeof(req), &req);
c13ffa62 1206
6be36555 1207 lock_sock(sk);
0e587be7 1208 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1209 __l2cap_chan_set_err(chan, err);
6be36555 1210 release_sock(sk);
22121fc9
GP		 1211}
1212
1da177e4 1213/* ---- L2CAP connections ---- */
4e8402a3
MH		 1214static void l2cap_conn_start(struct l2cap_conn *conn)
1215{
3df91ea2 1216 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1217
1218 BT_DBG("conn %p", conn);
1219
3df91ea2 1220 mutex_lock(&conn->chan_lock);
4e8402a3 1221
3df91ea2 1222 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1223 struct sock *sk = chan->sk;
baa7e1fa 1224
6be36555 1225 l2cap_chan_lock(chan);
4e8402a3 1226
715ec005 1227 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1228 l2cap_chan_unlock(chan);
79d554a6
MH		 1229 continue;
1230 }
1231
89bc500e 1232 if (chan->state == BT_CONNECT) {
d45fc423 1233 if (!l2cap_chan_check_security(chan) ||
2d792818 1234 !__l2cap_no_conn_pending(chan)) {
6be36555 1235 l2cap_chan_unlock(chan);
47731de7
GP		 1236 continue;
1237 }
79d554a6 1238
c1360a1c 1239 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1240 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1241 &chan->conf_state)) {
89bc500e 1242 l2cap_chan_close(chan, ECONNRESET);
6be36555 1243 l2cap_chan_unlock(chan);
47731de7 1244 continue;
b1235d79 1245 }
47731de7 1246
93c3e8f5 1247 l2cap_start_connection(chan);
47731de7 1248
89bc500e 1249 } else if (chan->state == BT_CONNECT2) {
79d554a6 1250 struct l2cap_conn_rsp rsp;
e9aeb2dd 1251 char buf[128];
fe4128e0
GP		 1252 rsp.scid = cpu_to_le16(chan->dcid);
1253 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1254
d45fc423 1255 if (l2cap_chan_check_security(chan)) {
6be36555 1256 lock_sock(sk);
c5daa683
GP		 1257 if (test_bit(BT_SK_DEFER_SETUP,
1258 &bt_sk(sk)->flags)) {
ac73498c
AE		 1259 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1260 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1261 chan->ops->defer(chan);
f66dc81f
MH		 1262
1263 } else {
0e587be7 1264 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1265 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1266 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1267 }
6be36555 1268 release_sock(sk);
79d554a6 1269 } else {
ac73498c
AE		 1270 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1271 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1272 }
1273
fc7f8a7e 1274 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1275 sizeof(rsp), &rsp);
e9aeb2dd 1276
c1360a1c 1277 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1278 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1279 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1280 continue;
1281 }
1282
c1360a1c 1283 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1284 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1285 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1286 chan->num_conf_req++;
4e8402a3
MH		 1287 }
1288
6be36555 1289 l2cap_chan_unlock(chan);
4e8402a3
MH		 1290 }
1291
3df91ea2 1292 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1293}
1294
c2287681 1295/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1296 * Returns closest match, locked.
1297 */
d9b88702 1298static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1299 bdaddr_t *src,
1300 bdaddr_t *dst)
b62f328b 1301{
23691d75 1302 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1303
23691d75 1304 read_lock(&chan_list_lock);
b62f328b 1305
23691d75
GP		 1306 list_for_each_entry(c, &chan_list, global_l) {
1307 struct sock *sk = c->sk;
fe4128e0 1308
89bc500e 1309 if (state && c->state != state)
b62f328b
VT		 1310 continue;
1311
23691d75 1312 if (c->scid == cid) {
c2287681
IY		 1313 int src_match, dst_match;
1314 int src_any, dst_any;
1315
b62f328b 1316 /* Exact match. */
c2287681
IY		 1317 src_match = !bacmp(&bt_sk(sk)->src, src);
1318 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1319 if (src_match && dst_match) {
23691d75
GP		 1320 read_unlock(&chan_list_lock);
1321 return c;
1322 }
b62f328b
VT		 1323
1324 /* Closest match */
c2287681
IY		 1325 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1326 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1327 if ((src_match && dst_any) || (src_any && dst_match) ||
1328 (src_any && dst_any))
23691d75 1329 c1 = c;
b62f328b
VT		 1330 }
1331 }
280f294f 1332
23691d75 1333 read_unlock(&chan_list_lock);
b62f328b 1334
23691d75 1335 return c1;
b62f328b
VT		 1336}
1337
1338static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1339{
c916fbe4 1340 struct sock *parent, *sk;
23691d75 1341 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1342
1343 BT_DBG("");
1344
1345 /* Check if we have socket listening on cid */
23691d75 1346 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1347 conn->src, conn->dst);
23691d75 1348 if (!pchan)
b62f328b
VT		 1349 return;
1350
23691d75
GP		 1351 parent = pchan->sk;
1352
aa2ac881 1353 lock_sock(parent);
62f3a2cf 1354
80b98027 1355 chan = pchan->ops->new_connection(pchan);
80808e43 1356 if (!chan)
b62f328b
VT		 1357 goto clean;
1358
80808e43 1359 sk = chan->sk;
5d41ce1d 1360
b62f328b 1361 hci_conn_hold(conn->hcon);
a9ea3ed9 1362 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1363
b62f328b
VT		 1364 bacpy(&bt_sk(sk)->src, conn->src);
1365 bacpy(&bt_sk(sk)->dst, conn->dst);
1366
3d57dc68 1367 l2cap_chan_add(conn, chan);
48454079 1368
6754e0df 1369 l2cap_chan_ready(chan);
b62f328b 1370
b62f328b 1371clean:
aa2ac881 1372 release_sock(parent);
b62f328b
VT		 1373}
1374
4e8402a3
MH		 1375static void l2cap_conn_ready(struct l2cap_conn *conn)
1376{
48454079 1377 struct l2cap_chan *chan;
cc110922 1378 struct hci_conn *hcon = conn->hcon;
4e8402a3 1379
79d554a6 1380 BT_DBG("conn %p", conn);
4e8402a3 1381
cc110922 1382 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1383 l2cap_le_conn_ready(conn);
1384
cc110922
VCG		 1385 if (hcon->out && hcon->type == LE_LINK)
1386 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1387
3df91ea2 1388 mutex_lock(&conn->chan_lock);
4e8402a3 1389
3df91ea2 1390 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1391
6be36555 1392 l2cap_chan_lock(chan);
4e8402a3 1393
416fa752
AE		 1394 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1395 l2cap_chan_unlock(chan);
1396 continue;
1397 }
1398
cc110922
VCG		 1399 if (hcon->type == LE_LINK) {
1400 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1401 l2cap_chan_ready(chan);
acd7d370 1402
63128451 1403 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1404 struct sock *sk = chan->sk;
c9b66675 1405 __clear_chan_timer(chan);
6be36555 1406 lock_sock(sk);
0e587be7 1407 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1408 sk->sk_state_change(sk);
6be36555 1409 release_sock(sk);
b501d6a1 1410
89bc500e 1411 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1412 l2cap_do_start(chan);
4e8402a3 1413
6be36555 1414 l2cap_chan_unlock(chan);
4e8402a3 1415 }
79d554a6 1416
3df91ea2 1417 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1418}
1419
1420/* Notify sockets that we cannot guaranty reliability anymore */
1421static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1422{
48454079 1423 struct l2cap_chan *chan;
4e8402a3
MH		 1424
1425 BT_DBG("conn %p", conn);
1426
3df91ea2 1427 mutex_lock(&conn->chan_lock);
4e8402a3 1428
3df91ea2 1429 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1430 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1431 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1432 }
1433
3df91ea2 1434 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1435}
1436
f878fcad 1437static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1438{
f878fcad 1439 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1440 info_timer.work);
4e8402a3 1441
984947dc 1442 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1443 conn->info_ident = 0;
984947dc 1444
4e8402a3
MH		 1445 l2cap_conn_start(conn);
1446}
1447
5d3de7df
VCG		 1448static void l2cap_conn_del(struct hci_conn *hcon, int err)
1449{
1450 struct l2cap_conn *conn = hcon->l2cap_data;
1451 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1452
1453 if (!conn)
1454 return;
1455
1456 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1457
1458 kfree_skb(conn->rx_skb);
1459
3df91ea2
AE		 1460 mutex_lock(&conn->chan_lock);
1461
5d3de7df
VCG		 1462 /* Kill channels */
1463 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1464 l2cap_chan_hold(chan);
6be36555
AE		 1465 l2cap_chan_lock(chan);
1466
5d3de7df 1467 l2cap_chan_del(chan, err);
6be36555
AE		 1468
1469 l2cap_chan_unlock(chan);
1470
80b98027 1471 chan->ops->close(chan);
61d6ef3e 1472 l2cap_chan_put(chan);
5d3de7df
VCG		 1473 }
1474
3df91ea2
AE		 1475 mutex_unlock(&conn->chan_lock);
1476
73d80deb
LAD		 1477 hci_chan_del(conn->hchan);
1478
5d3de7df 1479 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1480 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1481
51a8efd7 1482 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1483 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1484 smp_chan_destroy(conn);
d26a2345 1485 }
5d3de7df
VCG		 1486
1487 hcon->l2cap_data = NULL;
1488 kfree(conn);
1489}
1490
6c9d42a1 1491static void security_timeout(struct work_struct *work)
5d3de7df 1492{
6c9d42a1 1493 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1494 security_timer.work);
5d3de7df 1495
d06cc416
JH		 1496 BT_DBG("conn %p", conn);
1497
1498 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1499 smp_chan_destroy(conn);
1500 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1501 }
5d3de7df
VCG		 1502}
1503
1da177e4
LT		 1504static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1505{
0139418c 1506 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1507 struct hci_chan *hchan;
1da177e4 1508
0139418c 1509 if (conn || status)
1da177e4
LT		 1510 return conn;
1511
73d80deb
LAD		 1512 hchan = hci_chan_create(hcon);
1513 if (!hchan)
1514 return NULL;
1515
8bcde1f2 1516 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1517 if (!conn) {
1518 hci_chan_del(hchan);
1da177e4 1519 return NULL;
73d80deb 1520 }
1da177e4
LT		 1521
1522 hcon->l2cap_data = conn;
1523 conn->hcon = hcon;
73d80deb 1524 conn->hchan = hchan;
1da177e4 1525
73d80deb 1526 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1527
dcc042d5
AE		 1528 switch (hcon->type) {
1529 case AMP_LINK:
1530 conn->mtu = hcon->hdev->block_mtu;
1531 break;
1532
1533 case LE_LINK:
1534 if (hcon->hdev->le_mtu) {
1535 conn->mtu = hcon->hdev->le_mtu;
1536 break;
1537 }
1538 /* fall through */
1539
1540 default:
acd7d370 1541 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1542 break;
1543 }
acd7d370 1544
1da177e4
LT		 1545 conn->src = &hcon->hdev->bdaddr;
1546 conn->dst = &hcon->dst;
1547
4e8402a3
MH		 1548 conn->feat_mask = 0;
1549
1da177e4 1550 spin_lock_init(&conn->lock);
3df91ea2 1551 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1552
1553 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1554
5d3de7df 1555 if (hcon->type == LE_LINK)
6c9d42a1 1556 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1557 else
030013d8 1558 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1559
9f5a0d7b 1560 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1561
1da177e4
LT		 1562 return conn;
1563}
1564
1da177e4 1565/* ---- Socket interface ---- */
1da177e4 1566
c2287681 1567/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1568 * Returns closest match.
1569 */
c2287681
IY		 1570static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1571 bdaddr_t *src,
1572 bdaddr_t *dst)
1da177e4 1573{
23691d75 1574 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1575
23691d75 1576 read_lock(&chan_list_lock);
e0f0cb56 1577
23691d75
GP		 1578 list_for_each_entry(c, &chan_list, global_l) {
1579 struct sock *sk = c->sk;
fe4128e0 1580
89bc500e 1581 if (state && c->state != state)
1da177e4
LT		 1582 continue;
1583
23691d75 1584 if (c->psm == psm) {
c2287681
IY		 1585 int src_match, dst_match;
1586 int src_any, dst_any;
1587
1da177e4 1588 /* Exact match. */
c2287681
IY		 1589 src_match = !bacmp(&bt_sk(sk)->src, src);
1590 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1591 if (src_match && dst_match) {
a7567b20 1592 read_unlock(&chan_list_lock);
23691d75
GP		 1593 return c;
1594 }
1da177e4
LT		 1595
1596 /* Closest match */
c2287681
IY		 1597 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1598 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1599 if ((src_match && dst_any) || (src_any && dst_match) ||
1600 (src_any && dst_any))
23691d75 1601 c1 = c;
1da177e4
LT		 1602 }
1603 }
1da177e4 1604
23691d75 1605 read_unlock(&chan_list_lock);
e0f0cb56 1606
23691d75 1607 return c1;
1da177e4
LT		 1608}
1609
8e9f9892
AG		 1610int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1611 bdaddr_t *dst, u8 dst_type)
1da177e4 1612{
5d41ce1d 1613 struct sock *sk = chan->sk;
1da177e4 1614 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1615 struct l2cap_conn *conn;
1616 struct hci_conn *hcon;
1617 struct hci_dev *hdev;
09ab6f4c 1618 __u8 auth_type;
44d0e48e 1619 int err;
1da177e4 1620
6ed93dc6 1621 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1622 dst_type, __le16_to_cpu(psm));
1da177e4 1623
af05b30b
GP		 1624 hdev = hci_get_route(dst, src);
1625 if (!hdev)
1da177e4
LT		 1626 return -EHOSTUNREACH;
1627
09fd0de5 1628 hci_dev_lock(hdev);
1da177e4 1629
6be36555 1630 l2cap_chan_lock(chan);
03a00194
GP		 1631
1632 /* PSM must be odd and lsb of upper byte must be 0 */
1633 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1634 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1635 err = -EINVAL;
1636 goto done;
1637 }
1638
1639 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1640 err = -EINVAL;
1641 goto done;
1642 }
1643
1644 switch (chan->mode) {
1645 case L2CAP_MODE_BASIC:
1646 break;
1647 case L2CAP_MODE_ERTM:
1648 case L2CAP_MODE_STREAMING:
1649 if (!disable_ertm)
1650 break;
1651 /* fall through */
1652 default:
1653 err = -ENOTSUPP;
1654 goto done;
1655 }
1656
0797e01d 1657 switch (chan->state) {
03a00194
GP		 1658 case BT_CONNECT:
1659 case BT_CONNECT2:
1660 case BT_CONFIG:
1661 /* Already connecting */
1662 err = 0;
1663 goto done;
1664
1665 case BT_CONNECTED:
1666 /* Already connected */
1667 err = -EISCONN;
1668 goto done;
1669
1670 case BT_OPEN:
1671 case BT_BOUND:
1672 /* Can connect */
1673 break;
1674
1675 default:
1676 err = -EBADFD;
1677 goto done;
1678 }
1679
1680 /* Set destination address and psm */
0797e01d 1681 lock_sock(sk);
9219b2a0 1682 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1683 release_sock(sk);
1684
03a00194
GP		 1685 chan->psm = psm;
1686 chan->dcid = cid;
1da177e4 1687
4343478f 1688 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1689
fe4128e0 1690 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1691 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1692 chan->sec_level, auth_type);
acd7d370 1693 else
8e9f9892 1694 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1695 chan->sec_level, auth_type);
acd7d370 1696
30e76272
VT		 1697 if (IS_ERR(hcon)) {
1698 err = PTR_ERR(hcon);
1da177e4 1699 goto done;
30e76272 1700 }
1da177e4
LT		 1701
1702 conn = l2cap_conn_add(hcon, 0);
1703 if (!conn) {
1704 hci_conn_put(hcon);
30e76272 1705 err = -ENOMEM;
1da177e4
LT		 1706 goto done;
1707 }
1708
9f0caeb1
VCG		 1709 if (hcon->type == LE_LINK) {
1710 err = 0;
1711
1712 if (!list_empty(&conn->chan_l)) {
1713 err = -EBUSY;
1714 hci_conn_put(hcon);
1715 }
1716
1717 if (err)
1718 goto done;
1719 }
1720
1da177e4
LT		 1721 /* Update source addr of the socket */
1722 bacpy(src, conn->src);
1723
6be36555 1724 l2cap_chan_unlock(chan);
48454079 1725 l2cap_chan_add(conn, chan);
6be36555 1726 l2cap_chan_lock(chan);
48454079 1727
6be36555 1728 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1729 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1730
1731 if (hcon->state == BT_CONNECTED) {
715ec005 1732 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1733 __clear_chan_timer(chan);
d45fc423 1734 if (l2cap_chan_check_security(chan))
6be36555 1735 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1736 } else
fc7f8a7e 1737 l2cap_do_start(chan);
1da177e4
LT		 1738 }
1739
30e76272
VT		 1740 err = 0;
1741
1da177e4 1742done:
6be36555 1743 l2cap_chan_unlock(chan);
09fd0de5 1744 hci_dev_unlock(hdev);
1da177e4
LT		 1745 hci_dev_put(hdev);
1746 return err;
1747}
1748
dcba0dba 1749int __l2cap_wait_ack(struct sock *sk)
6161c038 1750{
8c1d787b 1751 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1752 DECLARE_WAITQUEUE(wait, current);
1753 int err = 0;
1754 int timeo = HZ/5;
1755
2b0b05dd 1756 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1757 set_current_state(TASK_INTERRUPTIBLE);
1758 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1759 if (!timeo)
1760 timeo = HZ/5;
1761
1762 if (signal_pending(current)) {
1763 err = sock_intr_errno(timeo);
1764 break;
1765 }
1766
1767 release_sock(sk);
1768 timeo = schedule_timeout(timeo);
1769 lock_sock(sk);
a71a0cf4 1770 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1771
1772 err = sock_error(sk);
1773 if (err)
1774 break;
1775 }
1776 set_current_state(TASK_RUNNING);
2b0b05dd 1777 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1778 return err;
1779}
1780
721c4181 1781static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1782{
721c4181 1783 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1784 monitor_timer.work);
e90bac06 1785
525cd185 1786 BT_DBG("chan %p", chan);
0e98958d 1787
6be36555
AE		 1788 l2cap_chan_lock(chan);
1789
80909e04 1790 if (!chan->conn) {
6be36555 1791 l2cap_chan_unlock(chan);
8d7e1c7f 1792 l2cap_chan_put(chan);
e90bac06
GP		 1793 return;
1794 }
1795
401bb1f7 1796 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1797
6be36555 1798 l2cap_chan_unlock(chan);
8d7e1c7f 1799 l2cap_chan_put(chan);
e90bac06
GP		 1800}
1801
721c4181 1802static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1803{
721c4181 1804 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1805 retrans_timer.work);
e90bac06 1806
49208c9c 1807 BT_DBG("chan %p", chan);
0e98958d 1808
6be36555
AE		 1809 l2cap_chan_lock(chan);
1810
80909e04
MM		 1811 if (!chan->conn) {
1812 l2cap_chan_unlock(chan);
1813 l2cap_chan_put(chan);
1814 return;
1815 }
6be36555 1816
401bb1f7 1817 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1818 l2cap_chan_unlock(chan);
8d7e1c7f 1819 l2cap_chan_put(chan);
e90bac06
GP		 1820}
1821
d660366d
GP		 1822static void l2cap_streaming_send(struct l2cap_chan *chan,
1823 struct sk_buff_head *skbs)
6840ed07 1824{
ccbb84af 1825 struct sk_buff *skb;
3733937d 1826 struct l2cap_ctrl *control;
6840ed07 1827
3733937d
MM		 1828 BT_DBG("chan %p, skbs %p", chan, skbs);
1829
b99e13ad
MM		 1830 if (__chan_is_moving(chan))
1831 return;
1832
3733937d
MM		 1833 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1834
1835 while (!skb_queue_empty(&chan->tx_q)) {
1836
1837 skb = skb_dequeue(&chan->tx_q);
1838
1839 bt_cb(skb)->control.retries = 1;
1840 control = &bt_cb(skb)->control;
1841
1842 control->reqseq = 0;
1843 control->txseq = chan->next_tx_seq;
1844
1845 __pack_control(chan, control, skb);
6840ed07 1846
47d1ec61 1847 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1848 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1849 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1850 }
1851
4343478f 1852 l2cap_do_send(chan, skb);
6840ed07 1853
b4400672 1854 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1855
836be934 1856 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1857 chan->frames_sent++;
6840ed07 1858 }
6840ed07
GP		 1859}
1860
67c9e840 1861static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1862{
1863 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1864 struct l2cap_ctrl *control;
1865 int sent = 0;
1866
1867 BT_DBG("chan %p", chan);
1c2acffb 1868
89bc500e 1869 if (chan->state != BT_CONNECTED)
c13ffa62 1870 return -ENOTCONN;
e90bac06 1871
94122bbe
MM		 1872 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1873 return 0;
1874
b99e13ad
MM		 1875 if (__chan_is_moving(chan))
1876 return 0;
1877
18a48e76
MM		 1878 while (chan->tx_send_head &&
1879 chan->unacked_frames < chan->remote_tx_win &&
1880 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1881
18a48e76 1882 skb = chan->tx_send_head;
e90bac06 1883
18a48e76
MM		 1884 bt_cb(skb)->control.retries = 1;
1885 control = &bt_cb(skb)->control;
95ffa978 1886
e2ab4353 1887 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1888 control->final = 1;
e2ab4353 1889
18a48e76
MM		 1890 control->reqseq = chan->buffer_seq;
1891 chan->last_acked_seq = chan->buffer_seq;
1892 control->txseq = chan->next_tx_seq;
1c2acffb 1893
18a48e76 1894 __pack_control(chan, control, skb);
e90bac06 1895
47d1ec61 1896 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1897 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1898 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1899 }
1900
18a48e76
MM		 1901 /* Clone after data has been modified. Data is assumed to be
1902 read-only (for locking purposes) on cloned sk_buffs.
1903 */
1904 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1905
18a48e76
MM		 1906 if (!tx_skb)
1907 break;
1c2acffb 1908
18a48e76 1909 __set_retrans_timer(chan);
836be934
AE		 1910
1911 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1912 chan->unacked_frames++;
6a026610 1913 chan->frames_sent++;
18a48e76 1914 sent++;
1c2acffb 1915
58d35f87
GP		 1916 if (skb_queue_is_last(&chan->tx_q, skb))
1917 chan->tx_send_head = NULL;
1c2acffb 1918 else
58d35f87 1919 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1920
1921 l2cap_do_send(chan, tx_skb);
b4400672 1922 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1923 }
1924
b4400672
AE		 1925 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1926 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1927
1928 return sent;
9e917af1
GP		 1929}
1930
e1fbd4c1
MM		 1931static void l2cap_ertm_resend(struct l2cap_chan *chan)
1932{
1933 struct l2cap_ctrl control;
1934 struct sk_buff *skb;
1935 struct sk_buff *tx_skb;
1936 u16 seq;
1937
1938 BT_DBG("chan %p", chan);
1939
1940 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1941 return;
1942
b99e13ad
MM		 1943 if (__chan_is_moving(chan))
1944 return;
1945
e1fbd4c1
MM		 1946 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1947 seq = l2cap_seq_list_pop(&chan->retrans_list);
1948
1949 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1950 if (!skb) {
1951 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1952 seq);
e1fbd4c1
MM		 1953 continue;
1954 }
1955
1956 bt_cb(skb)->control.retries++;
1957 control = bt_cb(skb)->control;
1958
1959 if (chan->max_tx != 0 &&
1960 bt_cb(skb)->control.retries > chan->max_tx) {
1961 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 1962 l2cap_send_disconn_req(chan, ECONNRESET);
e1fbd4c1
MM		 1963 l2cap_seq_list_clear(&chan->retrans_list);
1964 break;
1965 }
1966
1967 control.reqseq = chan->buffer_seq;
1968 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1969 control.final = 1;
1970 else
1971 control.final = 0;
1972
1973 if (skb_cloned(skb)) {
1974 /* Cloned sk_buffs are read-only, so we need a
1975 * writeable copy
1976 */
8bcde1f2 1977 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1978 } else {
8bcde1f2 1979 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1980 }
1981
1982 if (!tx_skb) {
1983 l2cap_seq_list_clear(&chan->retrans_list);
1984 break;
1985 }
1986
1987 /* Update skb contents */
1988 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1989 put_unaligned_le32(__pack_extended_control(&control),
1990 tx_skb->data + L2CAP_HDR_SIZE);
1991 } else {
1992 put_unaligned_le16(__pack_enhanced_control(&control),
1993 tx_skb->data + L2CAP_HDR_SIZE);
1994 }
1995
1996 if (chan->fcs == L2CAP_FCS_CRC16) {
1997 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1998 put_unaligned_le16(fcs, skb_put(tx_skb,
1999 L2CAP_FCS_SIZE));
2000 }
2001
2002 l2cap_do_send(chan, tx_skb);
2003
2004 BT_DBG("Resent txseq %d", control.txseq);
2005
2006 chan->last_acked_seq = chan->buffer_seq;
2007 }
2008}
2009
f80842a8
MM		 2010static void l2cap_retransmit(struct l2cap_chan *chan,
2011 struct l2cap_ctrl *control)
2012{
2013 BT_DBG("chan %p, control %p", chan, control);
2014
2015 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2016 l2cap_ertm_resend(chan);
2017}
2018
d2a7ac5d
MM		 2019static void l2cap_retransmit_all(struct l2cap_chan *chan,
2020 struct l2cap_ctrl *control)
2021{
e1fbd4c1
MM		 2022 struct sk_buff *skb;
2023
2024 BT_DBG("chan %p, control %p", chan, control);
2025
2026 if (control->poll)
2027 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2028
2029 l2cap_seq_list_clear(&chan->retrans_list);
2030
2031 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2032 return;
2033
2034 if (chan->unacked_frames) {
2035 skb_queue_walk(&chan->tx_q, skb) {
2036 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2037 skb == chan->tx_send_head)
e1fbd4c1
MM		 2038 break;
2039 }
2040
2041 skb_queue_walk_from(&chan->tx_q, skb) {
2042 if (skb == chan->tx_send_head)
2043 break;
2044
2045 l2cap_seq_list_append(&chan->retrans_list,
2046 bt_cb(skb)->control.txseq);
2047 }
2048
2049 l2cap_ertm_resend(chan);
2050 }
d2a7ac5d
MM		 2051}
2052
0a0aba42 2053static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2054{
0a0aba42
MM		 2055 struct l2cap_ctrl control;
2056 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2057 chan->last_acked_seq);
2058 int threshold;
9e917af1 2059
0a0aba42
MM		 2060 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2061 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2062
0a0aba42
MM		 2063 memset(&control, 0, sizeof(control));
2064 control.sframe = 1;
dfc909be 2065
0a0aba42
MM		 2066 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2067 chan->rx_state == L2CAP_RX_STATE_RECV) {
2068 __clear_ack_timer(chan);
2069 control.super = L2CAP_SUPER_RNR;
2070 control.reqseq = chan->buffer_seq;
2071 l2cap_send_sframe(chan, &control);
2072 } else {
2073 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2074 l2cap_ertm_send(chan);
2075 /* If any i-frames were sent, they included an ack */
2076 if (chan->buffer_seq == chan->last_acked_seq)
2077 frames_to_ack = 0;
2078 }
dfc909be 2079
c20f8e35 2080 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2081 * Calculate without mul or div
2082 */
c20f8e35 2083 threshold = chan->ack_win;
0a0aba42
MM		 2084 threshold += threshold << 1;
2085 threshold >>= 2;
2086
b4400672 2087 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2088 threshold);
2089
2090 if (frames_to_ack >= threshold) {
2091 __clear_ack_timer(chan);
2092 control.super = L2CAP_SUPER_RR;
2093 control.reqseq = chan->buffer_seq;
2094 l2cap_send_sframe(chan, &control);
2095 frames_to_ack = 0;
2096 }
1c2acffb 2097
0a0aba42
MM		 2098 if (frames_to_ack)
2099 __set_ack_timer(chan);
2100 }
b17e73bb
SJ		 2101}
2102
04124681
GP		 2103static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2104 struct msghdr *msg, int len,
2105 int count, struct sk_buff *skb)
1c2acffb 2106{
0952a57a 2107 struct l2cap_conn *conn = chan->conn;
1c2acffb 2108 struct sk_buff **frag;
90338947 2109 int sent = 0;
1da177e4 2110
59203a21 2111 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2112 return -EFAULT;
1da177e4
LT		 2113
2114 sent += count;
2115 len -= count;
2116
2117 /* Continuation fragments (no L2CAP header) */
2118 frag = &skb_shinfo(skb)->frag_list;
2119 while (len) {
fbe00700
GP		 2120 struct sk_buff *tmp;
2121
1da177e4
LT		 2122 count = min_t(unsigned int, conn->mtu, len);
2123
fbe00700
GP		 2124 tmp = chan->ops->alloc_skb(chan, count,
2125 msg->msg_flags & MSG_DONTWAIT);
2126 if (IS_ERR(tmp))
2127 return PTR_ERR(tmp);
2128
2129 *frag = tmp;
2f7719ce 2130
1c2acffb
GP		 2131 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2132 return -EFAULT;
1da177e4 2133
5e59b791
LAD		 2134 (*frag)->priority = skb->priority;
2135
1da177e4
LT		 2136 sent += count;
2137 len -= count;
2138
2d0ed3d5
GP		 2139 skb->len += (*frag)->len;
2140 skb->data_len += (*frag)->len;
2141
1da177e4
LT		 2142 frag = &(*frag)->next;
2143 }
1da177e4
LT		 2144
2145 return sent;
1c2acffb 2146}
1da177e4 2147
5e59b791 2148static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2149 struct msghdr *msg, size_t len,
2150 u32 priority)
1c2acffb 2151{
8c1d787b 2152 struct l2cap_conn *conn = chan->conn;
1c2acffb 2153 struct sk_buff *skb;
03a51213 2154 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2155 struct l2cap_hdr *lh;
2156
b4400672 2157 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2158
2159 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2160
2161 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2162 msg->msg_flags & MSG_DONTWAIT);
2163 if (IS_ERR(skb))
2164 return skb;
1c2acffb 2165
5e59b791
LAD		 2166 skb->priority = priority;
2167
1c2acffb
GP		 2168 /* Create L2CAP header */
2169 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2170 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2171 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2172 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2173
0952a57a 2174 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2175 if (unlikely(err < 0)) {
2176 kfree_skb(skb);
2177 return ERR_PTR(err);
2178 }
2179 return skb;
2180}
2181
5e59b791 2182static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2183 struct msghdr *msg, size_t len,
2184 u32 priority)
1c2acffb 2185{
8c1d787b 2186 struct l2cap_conn *conn = chan->conn;
1c2acffb 2187 struct sk_buff *skb;
f2ba7fae 2188 int err, count;
1c2acffb
GP		 2189 struct l2cap_hdr *lh;
2190
b4400672 2191 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2192
f2ba7fae 2193 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2194
f2ba7fae 2195 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2196 msg->msg_flags & MSG_DONTWAIT);
2197 if (IS_ERR(skb))
2198 return skb;
1c2acffb 2199
5e59b791
LAD		 2200 skb->priority = priority;
2201
1c2acffb
GP		 2202 /* Create L2CAP header */
2203 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2204 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2205 lh->len = cpu_to_le16(len);
1c2acffb 2206
0952a57a 2207 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2208 if (unlikely(err < 0)) {
2209 kfree_skb(skb);
2210 return ERR_PTR(err);
2211 }
2212 return skb;
2213}
2214
ab0ff76d 2215static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2216 struct msghdr *msg, size_t len,
2217 u16 sdulen)
1c2acffb 2218{
8c1d787b 2219 struct l2cap_conn *conn = chan->conn;
1c2acffb 2220 struct sk_buff *skb;
e4ca6d98 2221 int err, count, hlen;
1c2acffb
GP		 2222 struct l2cap_hdr *lh;
2223
b4400672 2224 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2225
0ee0d208
GP		 2226 if (!conn)
2227 return ERR_PTR(-ENOTCONN);
2228
ba7aa64f 2229 hlen = __ertm_hdr_size(chan);
e4ca6d98 2230
c74e560c 2231 if (sdulen)
03a51213 2232 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2233
47d1ec61 2234 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2235 hlen += L2CAP_FCS_SIZE;
fcc203c3 2236
1c2acffb 2237 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2238
2239 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2240 msg->msg_flags & MSG_DONTWAIT);
2241 if (IS_ERR(skb))
2242 return skb;
1c2acffb
GP		 2243
2244 /* Create L2CAP header */
2245 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2246 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2247 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2248
18a48e76
MM		 2249 /* Control header is populated later */
2250 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2251 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2252 else
2253 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2254
c74e560c 2255 if (sdulen)
03a51213 2256 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2257
0952a57a 2258 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2259 if (unlikely(err < 0)) {
2260 kfree_skb(skb);
2261 return ERR_PTR(err);
2262 }
e90bac06 2263
18a48e76 2264 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2265 bt_cb(skb)->control.retries = 0;
1c2acffb 2266 return skb;
1da177e4
LT		 2267}
2268
94122bbe
MM		 2269static int l2cap_segment_sdu(struct l2cap_chan *chan,
2270 struct sk_buff_head *seg_queue,
2271 struct msghdr *msg, size_t len)
c74e560c 2272{
c74e560c 2273 struct sk_buff *skb;
94122bbe
MM		 2274 u16 sdu_len;
2275 size_t pdu_len;
94122bbe 2276 u8 sar;
c74e560c 2277
b4400672 2278 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2279
94122bbe
MM		 2280 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2281 * so fragmented skbs are not used. The HCI layer's handling
2282 * of fragmented skbs is not compatible with ERTM's queueing.
2283 */
c74e560c 2284
94122bbe
MM		 2285 /* PDU size is derived from the HCI MTU */
2286 pdu_len = chan->conn->mtu;
c74e560c 2287
a549574d
MM		 2288 /* Constrain PDU size for BR/EDR connections */
2289 if (!chan->hs_hcon)
2290 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2291
2292 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2293 if (chan->fcs)
2294 pdu_len -= L2CAP_FCS_SIZE;
2295
ba7aa64f 2296 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2297
2298 /* Remote device may have requested smaller PDUs */
2299 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2300
2301 if (len <= pdu_len) {
2302 sar = L2CAP_SAR_UNSEGMENTED;
2303 sdu_len = 0;
2304 pdu_len = len;
2305 } else {
2306 sar = L2CAP_SAR_START;
2307 sdu_len = len;
2308 pdu_len -= L2CAP_SDULEN_SIZE;
2309 }
2310
2311 while (len > 0) {
2312 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2313
c74e560c 2314 if (IS_ERR(skb)) {
94122bbe 2315 __skb_queue_purge(seg_queue);
c74e560c
GP		 2316 return PTR_ERR(skb);
2317 }
2318
94122bbe
MM		 2319 bt_cb(skb)->control.sar = sar;
2320 __skb_queue_tail(seg_queue, skb);
2321
2322 len -= pdu_len;
2323 if (sdu_len) {
2324 sdu_len = 0;
2325 pdu_len += L2CAP_SDULEN_SIZE;
2326 }
2327
2328 if (len <= pdu_len) {
2329 sar = L2CAP_SAR_END;
2330 pdu_len = len;
2331 } else {
2332 sar = L2CAP_SAR_CONTINUE;
2333 }
c74e560c 2334 }
c74e560c 2335
f0f62799 2336 return 0;
c74e560c
GP		 2337}
2338
5e59b791 2339int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2340 u32 priority)
9a91a04a 2341{
9a91a04a 2342 struct sk_buff *skb;
9a91a04a 2343 int err;
94122bbe 2344 struct sk_buff_head seg_queue;
9a91a04a
GP		 2345
2346 /* Connectionless channel */
715ec005 2347 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2348 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2349 if (IS_ERR(skb))
2350 return PTR_ERR(skb);
2351
2352 l2cap_do_send(chan, skb);
2353 return len;
2354 }
2355
2356 switch (chan->mode) {
2357 case L2CAP_MODE_BASIC:
2358 /* Check outgoing MTU */
2359 if (len > chan->omtu)
2360 return -EMSGSIZE;
2361
2362 /* Create a basic PDU */
5e59b791 2363 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2364 if (IS_ERR(skb))
2365 return PTR_ERR(skb);
2366
2367 l2cap_do_send(chan, skb);
2368 err = len;
2369 break;
2370
2371 case L2CAP_MODE_ERTM:
2372 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2373 /* Check outgoing MTU */
2374 if (len > chan->omtu) {
2375 err = -EMSGSIZE;
2376 break;
2377 }
9a91a04a 2378
94122bbe 2379 __skb_queue_head_init(&seg_queue);
9a91a04a 2380
94122bbe
MM		 2381 /* Do segmentation before calling in to the state machine,
2382 * since it's possible to block while waiting for memory
2383 * allocation.
2384 */
2385 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2386
94122bbe
MM		 2387 /* The channel could have been closed while segmenting,
2388 * check that it is still connected.
2389 */
2390 if (chan->state != BT_CONNECTED) {
2391 __skb_queue_purge(&seg_queue);
2392 err = -ENOTCONN;
9a91a04a
GP		 2393 }
2394
94122bbe 2395 if (err)
9a91a04a 2396 break;
9a91a04a 2397
3733937d 2398 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2399 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2400 else
d660366d 2401 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2402
d660366d 2403 err = len;
9a91a04a 2404
94122bbe
MM		 2405 /* If the skbs were not queued for sending, they'll still be in
2406 * seg_queue and need to be purged.
2407 */
2408 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2409 break;
2410
2411 default:
2412 BT_DBG("bad state %1.1x", chan->mode);
2413 err = -EBADFD;
2414 }
2415
2416 return err;
2417}
2418
d2a7ac5d
MM		 2419static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2420{
bed68bde
MM		 2421 struct l2cap_ctrl control;
2422 u16 seq;
2423
b4400672 2424 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2425
2426 memset(&control, 0, sizeof(control));
2427 control.sframe = 1;
2428 control.super = L2CAP_SUPER_SREJ;
2429
2430 for (seq = chan->expected_tx_seq; seq != txseq;
2431 seq = __next_seq(chan, seq)) {
2432 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2433 control.reqseq = seq;
2434 l2cap_send_sframe(chan, &control);
2435 l2cap_seq_list_append(&chan->srej_list, seq);
2436 }
2437 }
2438
2439 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2440}
2441
2442static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2443{
bed68bde
MM		 2444 struct l2cap_ctrl control;
2445
2446 BT_DBG("chan %p", chan);
2447
2448 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2449 return;
2450
2451 memset(&control, 0, sizeof(control));
2452 control.sframe = 1;
2453 control.super = L2CAP_SUPER_SREJ;
2454 control.reqseq = chan->srej_list.tail;
2455 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2456}
2457
2458static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2459{
bed68bde
MM		 2460 struct l2cap_ctrl control;
2461 u16 initial_head;
2462 u16 seq;
2463
b4400672 2464 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2465
2466 memset(&control, 0, sizeof(control));
2467 control.sframe = 1;
2468 control.super = L2CAP_SUPER_SREJ;
2469
2470 /* Capture initial list head to allow only one pass through the list. */
2471 initial_head = chan->srej_list.head;
2472
2473 do {
2474 seq = l2cap_seq_list_pop(&chan->srej_list);
2475 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2476 break;
2477
2478 control.reqseq = seq;
2479 l2cap_send_sframe(chan, &control);
2480 l2cap_seq_list_append(&chan->srej_list, seq);
2481 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2482}
2483
608bcc6d
MM		 2484static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2485{
2486 struct sk_buff *acked_skb;
2487 u16 ackseq;
2488
b4400672 2489 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2490
2491 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2492 return;
2493
b4400672 2494 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2495 chan->expected_ack_seq, chan->unacked_frames);
2496
2497 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2498 ackseq = __next_seq(chan, ackseq)) {
2499
2500 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2501 if (acked_skb) {
2502 skb_unlink(acked_skb, &chan->tx_q);
2503 kfree_skb(acked_skb);
2504 chan->unacked_frames--;
2505 }
2506 }
2507
2508 chan->expected_ack_seq = reqseq;
2509
2510 if (chan->unacked_frames == 0)
2511 __clear_retrans_timer(chan);
2512
b4400672 2513 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2514}
2515
2516static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2517{
2518 BT_DBG("chan %p", chan);
2519
2520 chan->expected_tx_seq = chan->buffer_seq;
2521 l2cap_seq_list_clear(&chan->srej_list);
2522 skb_queue_purge(&chan->srej_q);
2523 chan->rx_state = L2CAP_RX_STATE_RECV;
2524}
2525
d660366d
GP		 2526static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2527 struct l2cap_ctrl *control,
2528 struct sk_buff_head *skbs, u8 event)
608bcc6d 2529{
608bcc6d
MM		 2530 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2531 event);
2532
2533 switch (event) {
2534 case L2CAP_EV_DATA_REQUEST:
2535 if (chan->tx_send_head == NULL)
2536 chan->tx_send_head = skb_peek(skbs);
2537
2538 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2539 l2cap_ertm_send(chan);
2540 break;
2541 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2542 BT_DBG("Enter LOCAL_BUSY");
2543 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2544
2545 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2546 /* The SREJ_SENT state must be aborted if we are to
2547 * enter the LOCAL_BUSY state.
2548 */
2549 l2cap_abort_rx_srej_sent(chan);
2550 }
2551
2552 l2cap_send_ack(chan);
2553
2554 break;
2555 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2556 BT_DBG("Exit LOCAL_BUSY");
2557 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2558
2559 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2560 struct l2cap_ctrl local_control;
2561
2562 memset(&local_control, 0, sizeof(local_control));
2563 local_control.sframe = 1;
2564 local_control.super = L2CAP_SUPER_RR;
2565 local_control.poll = 1;
2566 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2567 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2568
2569 chan->retry_count = 1;
2570 __set_monitor_timer(chan);
2571 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2572 }
2573 break;
2574 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2575 l2cap_process_reqseq(chan, control->reqseq);
2576 break;
2577 case L2CAP_EV_EXPLICIT_POLL:
2578 l2cap_send_rr_or_rnr(chan, 1);
2579 chan->retry_count = 1;
2580 __set_monitor_timer(chan);
2581 __clear_ack_timer(chan);
2582 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2583 break;
2584 case L2CAP_EV_RETRANS_TO:
2585 l2cap_send_rr_or_rnr(chan, 1);
2586 chan->retry_count = 1;
2587 __set_monitor_timer(chan);
2588 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2589 break;
2590 case L2CAP_EV_RECV_FBIT:
2591 /* Nothing to process */
2592 break;
2593 default:
2594 break;
2595 }
608bcc6d
MM		 2596}
2597
d660366d
GP		 2598static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2599 struct l2cap_ctrl *control,
2600 struct sk_buff_head *skbs, u8 event)
608bcc6d 2601{
608bcc6d
MM		 2602 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2603 event);
2604
2605 switch (event) {
2606 case L2CAP_EV_DATA_REQUEST:
2607 if (chan->tx_send_head == NULL)
2608 chan->tx_send_head = skb_peek(skbs);
2609 /* Queue data, but don't send. */
2610 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2611 break;
2612 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2613 BT_DBG("Enter LOCAL_BUSY");
2614 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2615
2616 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2617 /* The SREJ_SENT state must be aborted if we are to
2618 * enter the LOCAL_BUSY state.
2619 */
2620 l2cap_abort_rx_srej_sent(chan);
2621 }
2622
2623 l2cap_send_ack(chan);
2624
2625 break;
2626 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2627 BT_DBG("Exit LOCAL_BUSY");
2628 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2629
2630 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2631 struct l2cap_ctrl local_control;
2632 memset(&local_control, 0, sizeof(local_control));
2633 local_control.sframe = 1;
2634 local_control.super = L2CAP_SUPER_RR;
2635 local_control.poll = 1;
2636 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2637 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2638
2639 chan->retry_count = 1;
2640 __set_monitor_timer(chan);
2641 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2642 }
2643 break;
2644 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2645 l2cap_process_reqseq(chan, control->reqseq);
2646
2647 /* Fall through */
2648
2649 case L2CAP_EV_RECV_FBIT:
2650 if (control && control->final) {
2651 __clear_monitor_timer(chan);
2652 if (chan->unacked_frames > 0)
2653 __set_retrans_timer(chan);
2654 chan->retry_count = 0;
2655 chan->tx_state = L2CAP_TX_STATE_XMIT;
2656 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2657 }
2658 break;
2659 case L2CAP_EV_EXPLICIT_POLL:
2660 /* Ignore */
2661 break;
2662 case L2CAP_EV_MONITOR_TO:
2663 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2664 l2cap_send_rr_or_rnr(chan, 1);
2665 __set_monitor_timer(chan);
2666 chan->retry_count++;
2667 } else {
5e4e3972 2668 l2cap_send_disconn_req(chan, ECONNABORTED);
608bcc6d
MM		 2669 }
2670 break;
2671 default:
2672 break;
2673 }
608bcc6d
MM		 2674}
2675
d660366d
GP		 2676static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2677 struct sk_buff_head *skbs, u8 event)
608bcc6d 2678{
608bcc6d
MM		 2679 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2680 chan, control, skbs, event, chan->tx_state);
2681
2682 switch (chan->tx_state) {
2683 case L2CAP_TX_STATE_XMIT:
d660366d 2684 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2685 break;
2686 case L2CAP_TX_STATE_WAIT_F:
d660366d 2687 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2688 break;
2689 default:
2690 /* Ignore event */
2691 break;
2692 }
608bcc6d
MM		 2693}
2694
4b51dae9
MM		 2695static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2696 struct l2cap_ctrl *control)
2697{
2698 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2699 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2700}
2701
f80842a8
MM		 2702static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2703 struct l2cap_ctrl *control)
2704{
2705 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2706 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2707}
2708
1da177e4
LT		 2709/* Copy frame to all raw sockets on that connection */
2710static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2711{
1da177e4 2712 struct sk_buff *nskb;
48454079 2713 struct l2cap_chan *chan;
1da177e4
LT		 2714
2715 BT_DBG("conn %p", conn);
2716
3df91ea2 2717 mutex_lock(&conn->chan_lock);
3d57dc68 2718
3df91ea2 2719 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2720 struct sock *sk = chan->sk;
715ec005 2721 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2722 continue;
2723
2724 /* Don't send frame to the socket it came from */
2725 if (skb->sk == sk)
2726 continue;
8bcde1f2 2727 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2728 if (!nskb)
1da177e4
LT		 2729 continue;
2730
80b98027 2731 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2732 kfree_skb(nskb);
2733 }
3d57dc68 2734
3df91ea2 2735 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2736}
2737
2738/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2739static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2740 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2741{
2742 struct sk_buff *skb, **frag;
2743 struct l2cap_cmd_hdr *cmd;
2744 struct l2cap_hdr *lh;
2745 int len, count;
2746
b4400672
AE		 2747 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2748 conn, code, ident, dlen);
1da177e4
LT		 2749
2750 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2751 count = min_t(unsigned int, conn->mtu, len);
2752
8bcde1f2 2753 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2754 if (!skb)
2755 return NULL;
2756
2757 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2758 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2759
2760 if (conn->hcon->type == LE_LINK)
ac73498c 2761 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2762 else
ac73498c 2763 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2764
2765 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2766 cmd->code = code;
2767 cmd->ident = ident;
aca3192c 2768 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2769
2770 if (dlen) {
2771 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2772 memcpy(skb_put(skb, count), data, count);
2773 data += count;
2774 }
2775
2776 len -= skb->len;
2777
2778 /* Continuation fragments (no L2CAP header) */
2779 frag = &skb_shinfo(skb)->frag_list;
2780 while (len) {
2781 count = min_t(unsigned int, conn->mtu, len);
2782
8bcde1f2 2783 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2784 if (!*frag)
2785 goto fail;
2786
2787 memcpy(skb_put(*frag, count), data, count);
2788
2789 len -= count;
2790 data += count;
2791
2792 frag = &(*frag)->next;
2793 }
2794
2795 return skb;
2796
2797fail:
2798 kfree_skb(skb);
2799 return NULL;
2800}
2801
2d792818
GP		 2802static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2803 unsigned long *val)
1da177e4
LT		 2804{
2805 struct l2cap_conf_opt *opt = *ptr;
2806 int len;
2807
2808 len = L2CAP_CONF_OPT_SIZE + opt->len;
2809 *ptr += len;
2810
2811 *type = opt->type;
2812 *olen = opt->len;
2813
2814 switch (opt->len) {
2815 case 1:
2816 *val = *((u8 *) opt->val);
2817 break;
2818
2819 case 2:
bfaaeb3e 2820 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2821 break;
2822
2823 case 4:
bfaaeb3e 2824 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2825 break;
2826
2827 default:
2828 *val = (unsigned long) opt->val;
2829 break;
2830 }
2831
b4400672 2832 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2833 return len;
2834}
2835
1da177e4
LT		 2836static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2837{
2838 struct l2cap_conf_opt *opt = *ptr;
2839
b4400672 2840 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2841
2842 opt->type = type;
2843 opt->len = len;
2844
2845 switch (len) {
2846 case 1:
2847 *((u8 *) opt->val) = val;
2848 break;
2849
2850 case 2:
4f8b691c 2851 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2852 break;
2853
2854 case 4:
4f8b691c 2855 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2856 break;
2857
2858 default:
2859 memcpy(opt->val, (void *) val, len);
2860 break;
2861 }
2862
2863 *ptr += L2CAP_CONF_OPT_SIZE + len;
2864}
2865
f89cef09
AE		 2866static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2867{
2868 struct l2cap_conf_efs efs;
2869
1ec918ce 2870 switch (chan->mode) {
f89cef09
AE		 2871 case L2CAP_MODE_ERTM:
2872 efs.id = chan->local_id;
2873 efs.stype = chan->local_stype;
2874 efs.msdu = cpu_to_le16(chan->local_msdu);
2875 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2876 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2877 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2878 break;
2879
2880 case L2CAP_MODE_STREAMING:
2881 efs.id = 1;
2882 efs.stype = L2CAP_SERV_BESTEFFORT;
2883 efs.msdu = cpu_to_le16(chan->local_msdu);
2884 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2885 efs.acc_lat = 0;
2886 efs.flush_to = 0;
2887 break;
2888
2889 default:
2890 return;
2891 }
2892
2893 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2894 (unsigned long) &efs);
f89cef09
AE		 2895}
2896
721c4181 2897static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2898{
721c4181 2899 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2900 ack_timer.work);
2901 u16 frames_to_ack;
c1b4f43b 2902
2fb9b3d4
GP		 2903 BT_DBG("chan %p", chan);
2904
6be36555
AE		 2905 l2cap_chan_lock(chan);
2906
0362520b
MM		 2907 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2908 chan->last_acked_seq);
6be36555 2909
0362520b
MM		 2910 if (frames_to_ack)
2911 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2912
0362520b 2913 l2cap_chan_unlock(chan);
09bfb2ee 2914 l2cap_chan_put(chan);
c1b4f43b
GP		 2915}
2916
466f8004 2917int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2918{
3c588192
MM		 2919 int err;
2920
105bdf9e
MM		 2921 chan->next_tx_seq = 0;
2922 chan->expected_tx_seq = 0;
42e5c802 2923 chan->expected_ack_seq = 0;
6a026610 2924 chan->unacked_frames = 0;
42e5c802 2925 chan->buffer_seq = 0;
6a026610 2926 chan->frames_sent = 0;
105bdf9e
MM		 2927 chan->last_acked_seq = 0;
2928 chan->sdu = NULL;
2929 chan->sdu_last_frag = NULL;
2930 chan->sdu_len = 0;
2931
d34c34fb
MM		 2932 skb_queue_head_init(&chan->tx_q);
2933
08333283
MM		 2934 chan->local_amp_id = 0;
2935 chan->move_id = 0;
2936 chan->move_state = L2CAP_MOVE_STABLE;
2937 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2938
105bdf9e
MM		 2939 if (chan->mode != L2CAP_MODE_ERTM)
2940 return 0;
2941
2942 chan->rx_state = L2CAP_RX_STATE_RECV;
2943 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2944
721c4181
GP		 2945 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2946 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2947 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2948
f1c6775b 2949 skb_queue_head_init(&chan->srej_q);
1890d36b 2950
3c588192
MM		 2951 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2952 if (err < 0)
2953 return err;
2954
9dc9affc
MM		 2955 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2956 if (err < 0)
2957 l2cap_seq_list_free(&chan->srej_list);
2958
2959 return err;
0565c1c2
GP		 2960}
2961
f2fcfcd6
GP		 2962static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2963{
2964 switch (mode) {
2965 case L2CAP_MODE_STREAMING:
2966 case L2CAP_MODE_ERTM:
2967 if (l2cap_mode_supported(mode, remote_feat_mask))
2968 return mode;
2969 /* fall through */
2970 default:
2971 return L2CAP_MODE_BASIC;
2972 }
2973}
2974
6327eb98
AE		 2975static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2976{
2977 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2978}
2979
f89cef09
AE		 2980static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2981{
2982 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2983}
2984
36c86c85
MM		 2985static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
2986 struct l2cap_conf_rfc *rfc)
2987{
2988 if (chan->local_amp_id && chan->hs_hcon) {
2989 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
2990
2991 /* Class 1 devices have must have ERTM timeouts
2992 * exceeding the Link Supervision Timeout. The
2993 * default Link Supervision Timeout for AMP
2994 * controllers is 10 seconds.
2995 *
2996 * Class 1 devices use 0xffffffff for their
2997 * best-effort flush timeout, so the clamping logic
2998 * will result in a timeout that meets the above
2999 * requirement. ERTM timeouts are 16-bit values, so
3000 * the maximum timeout is 65.535 seconds.
3001 */
3002
3003 /* Convert timeout to milliseconds and round */
3004 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3005
3006 /* This is the recommended formula for class 2 devices
3007 * that start ERTM timers when packets are sent to the
3008 * controller.
3009 */
3010 ertm_to = 3 * ertm_to + 500;
3011
3012 if (ertm_to > 0xffff)
3013 ertm_to = 0xffff;
3014
3015 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3016 rfc->monitor_timeout = rfc->retrans_timeout;
3017 } else {
3018 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3019 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3020 }
3021}
3022
6327eb98
AE		 3023static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3024{
3025 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3026 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3027 /* use extended control field */
3028 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3029 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3030 } else {
6327eb98 3031 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3032 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3033 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3034 }
c20f8e35 3035 chan->ack_win = chan->tx_win;
6327eb98
AE		 3036}
3037
710f9b0a 3038static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3039{
1da177e4 3040 struct l2cap_conf_req *req = data;
0c1bc5c6 3041 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3042 void *ptr = req->data;
c8f79162 3043 u16 size;
1da177e4 3044
49208c9c 3045 BT_DBG("chan %p", chan);
1da177e4 3046
73ffa904 3047 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3048 goto done;
3049
0c1bc5c6 3050 switch (chan->mode) {
f2fcfcd6
GP		 3051 case L2CAP_MODE_STREAMING:
3052 case L2CAP_MODE_ERTM:
c1360a1c 3053 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3054 break;
85eb53c6 3055
f89cef09
AE		 3056 if (__l2cap_efs_supported(chan))
3057 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3058
2ba13ed6 3059 /* fall through */
f2fcfcd6 3060 default:
8c1d787b 3061 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3062 break;
3063 }
3064
3065done:
0c1bc5c6
GP		 3066 if (chan->imtu != L2CAP_DEFAULT_MTU)
3067 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3068
0c1bc5c6 3069 switch (chan->mode) {
65c7c491 3070 case L2CAP_MODE_BASIC:
8c1d787b 3071 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3072 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3073 break;
3074
62547752
GP		 3075 rfc.mode = L2CAP_MODE_BASIC;
3076 rfc.txwin_size = 0;
3077 rfc.max_transmit = 0;
3078 rfc.retrans_timeout = 0;
3079 rfc.monitor_timeout = 0;
3080 rfc.max_pdu_size = 0;
3081
63406504 3082 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3083 (unsigned long) &rfc);
65c7c491
MH		 3084 break;
3085
3086 case L2CAP_MODE_ERTM:
3087 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3088 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3089
3090 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3091
3092 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3093 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3094 L2CAP_FCS_SIZE);
c8f79162 3095 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3096
6327eb98
AE		 3097 l2cap_txwin_setup(chan);
3098
3099 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3100 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3101
63406504 3102 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3103 (unsigned long) &rfc);
63406504 3104
f89cef09
AE		 3105 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3106 l2cap_add_opt_efs(&ptr, chan);
3107
8c1d787b 3108 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3109 break;
3110
47d1ec61 3111 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3112 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3113 chan->fcs = L2CAP_FCS_NONE;
3114 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3115 }
6327eb98
AE		 3116
3117 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3118 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3119 chan->tx_win);
f2fcfcd6
GP		 3120 break;
3121
3122 case L2CAP_MODE_STREAMING:
273759e2 3123 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3124 rfc.mode = L2CAP_MODE_STREAMING;
3125 rfc.txwin_size = 0;
3126 rfc.max_transmit = 0;
3127 rfc.retrans_timeout = 0;
3128 rfc.monitor_timeout = 0;
c8f79162
AE		 3129
3130 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3131 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3132 L2CAP_FCS_SIZE);
c8f79162 3133 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3134
63406504 3135 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3136 (unsigned long) &rfc);
63406504 3137
f89cef09
AE		 3138 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3139 l2cap_add_opt_efs(&ptr, chan);
3140
8c1d787b 3141 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3142 break;
3143
47d1ec61 3144 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3145 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3146 chan->fcs = L2CAP_FCS_NONE;
3147 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3148 }
65c7c491
MH		 3149 break;
3150 }
1da177e4 3151
fe4128e0 3152 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3153 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3154
3155 return ptr - data;
3156}
3157
73ffa904 3158static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3159{
5dee9e7c
MH		 3160 struct l2cap_conf_rsp *rsp = data;
3161 void *ptr = rsp->data;
73ffa904
GP		 3162 void *req = chan->conf_req;
3163 int len = chan->conf_len;
5dee9e7c
MH		 3164 int type, hint, olen;
3165 unsigned long val;
6464f35f 3166 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3167 struct l2cap_conf_efs efs;
3168 u8 remote_efs = 0;
861d6882 3169 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3170 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3171 u16 size;
1da177e4 3172
73ffa904 3173 BT_DBG("chan %p", chan);
820ae1b8 3174
5dee9e7c
MH		 3175 while (len >= L2CAP_CONF_OPT_SIZE) {
3176 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3177
589d2746 3178 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3179 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3180
3181 switch (type) {
3182 case L2CAP_CONF_MTU:
861d6882 3183 mtu = val;
5dee9e7c
MH		 3184 break;
3185
3186 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3187 chan->flush_to = val;
5dee9e7c
MH		 3188 break;
3189
3190 case L2CAP_CONF_QOS:
3191 break;
3192
6464f35f
MH		 3193 case L2CAP_CONF_RFC:
3194 if (olen == sizeof(rfc))
3195 memcpy(&rfc, (void *) val, olen);
3196 break;
3197
fcc203c3
GP		 3198 case L2CAP_CONF_FCS:
3199 if (val == L2CAP_FCS_NONE)
c1360a1c 3200 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3201 break;
fcc203c3 3202
42dceae2
AE		 3203 case L2CAP_CONF_EFS:
3204 remote_efs = 1;
3205 if (olen == sizeof(efs))
3206 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3207 break;
3208
6327eb98
AE		 3209 case L2CAP_CONF_EWS:
3210 if (!enable_hs)
3211 return -ECONNREFUSED;
fcc203c3 3212
6327eb98
AE		 3213 set_bit(FLAG_EXT_CTRL, &chan->flags);
3214 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3215 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3216 chan->remote_tx_win = val;
fcc203c3
GP		 3217 break;
3218
5dee9e7c
MH		 3219 default:
3220 if (hint)
3221 break;
3222
3223 result = L2CAP_CONF_UNKNOWN;
3224 *((u8 *) ptr++) = type;
3225 break;
3226 }
3227 }
3228
73ffa904 3229 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3230 goto done;
3231
0c1bc5c6 3232 switch (chan->mode) {
f2fcfcd6
GP		 3233 case L2CAP_MODE_STREAMING:
3234 case L2CAP_MODE_ERTM:
c1360a1c 3235 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3236 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3237 chan->conn->feat_mask);
85eb53c6
GP		 3238 break;
3239 }
3240
42dceae2
AE		 3241 if (remote_efs) {
3242 if (__l2cap_efs_supported(chan))
3243 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3244 else
3245 return -ECONNREFUSED;
3246 }
3247
0c1bc5c6 3248 if (chan->mode != rfc.mode)
f2fcfcd6 3249 return -ECONNREFUSED;
742e519b 3250
f2fcfcd6 3251 break;
f2fcfcd6
GP		 3252 }
3253
3254done:
0c1bc5c6 3255 if (chan->mode != rfc.mode) {
f2fcfcd6 3256 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3257 rfc.mode = chan->mode;
f2fcfcd6 3258
73ffa904 3259 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3260 return -ECONNREFUSED;
3261
2d792818
GP		 3262 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3263 (unsigned long) &rfc);
f2fcfcd6
GP		 3264 }
3265
5dee9e7c
MH		 3266 if (result == L2CAP_CONF_SUCCESS) {
3267 /* Configure output options and let the other side know
3268 * which ones we don't like. */
3269
f2fcfcd6
GP		 3270 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3271 result = L2CAP_CONF_UNACCEPT;
3272 else {
0c1bc5c6 3273 chan->omtu = mtu;
c1360a1c 3274 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3275 }
0c1bc5c6 3276 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3277
42dceae2
AE		 3278 if (remote_efs) {
3279 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3280 efs.stype != L2CAP_SERV_NOTRAFIC &&
3281 efs.stype != chan->local_stype) {
42dceae2
AE		 3282
3283 result = L2CAP_CONF_UNACCEPT;
3284
3285 if (chan->num_conf_req >= 1)
3286 return -ECONNREFUSED;
3287
3288 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3289 sizeof(efs),
3290 (unsigned long) &efs);
0e8b207e 3291 } else {
3e6b3b95 3292 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3293 result = L2CAP_CONF_PENDING;
3294 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3295 }
3296 }
3297
f2fcfcd6
GP		 3298 switch (rfc.mode) {
3299 case L2CAP_MODE_BASIC:
47d1ec61 3300 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3301 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3302 break;
3303
3304 case L2CAP_MODE_ERTM:
6327eb98
AE		 3305 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3306 chan->remote_tx_win = rfc.txwin_size;
3307 else
3308 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3309
2c03a7a4 3310 chan->remote_max_tx = rfc.max_transmit;
1c762159 3311
c8f79162 3312 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3313 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3314 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3315 rfc.max_pdu_size = cpu_to_le16(size);
3316 chan->remote_mps = size;
f2fcfcd6 3317
36c86c85 3318 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3319
c1360a1c 3320 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3321
3322 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3323 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3324
42dceae2
AE		 3325 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3326 chan->remote_id = efs.id;
3327 chan->remote_stype = efs.stype;
3328 chan->remote_msdu = le16_to_cpu(efs.msdu);
3329 chan->remote_flush_to =
2d792818 3330 le32_to_cpu(efs.flush_to);
42dceae2 3331 chan->remote_acc_lat =
2d792818 3332 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3333 chan->remote_sdu_itime =
3334 le32_to_cpu(efs.sdu_itime);
3335 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3336 sizeof(efs),
3337 (unsigned long) &efs);
42dceae2 3338 }
f2fcfcd6
GP		 3339 break;
3340
3341 case L2CAP_MODE_STREAMING:
c8f79162 3342 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3343 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3344 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3345 rfc.max_pdu_size = cpu_to_le16(size);
3346 chan->remote_mps = size;
f2fcfcd6 3347
c1360a1c 3348 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3349
2d792818
GP		 3350 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3351 (unsigned long) &rfc);
68ae6639 3352
f2fcfcd6
GP		 3353 break;
3354
3355 default:
5dee9e7c 3356 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3357
6464f35f 3358 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3359 rfc.mode = chan->mode;
f2fcfcd6 3360 }
6464f35f 3361
f2fcfcd6 3362 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3363 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3364 }
fe4128e0 3365 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3366 rsp->result = cpu_to_le16(result);
59e54bd1 3367 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3368
3369 return ptr - data;
1da177e4
LT		 3370}
3371
2d792818
GP		 3372static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3373 void *data, u16 *result)
f2fcfcd6 3374{
f2fcfcd6
GP		 3375 struct l2cap_conf_req *req = data;
3376 void *ptr = req->data;
3377 int type, olen;
3378 unsigned long val;
36e999a8 3379 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3380 struct l2cap_conf_efs efs;
f2fcfcd6 3381
fe4128e0 3382 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3383
3384 while (len >= L2CAP_CONF_OPT_SIZE) {
3385 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3386
3387 switch (type) {
3388 case L2CAP_CONF_MTU:
3389 if (val < L2CAP_DEFAULT_MIN_MTU) {
3390 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3391 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3392 } else
0c1bc5c6
GP		 3393 chan->imtu = val;
3394 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3395 break;
3396
3397 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3398 chan->flush_to = val;
f2fcfcd6 3399 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3400 2, chan->flush_to);
f2fcfcd6
GP		 3401 break;
3402
3403 case L2CAP_CONF_RFC:
3404 if (olen == sizeof(rfc))
3405 memcpy(&rfc, (void *)val, olen);
3406
c1360a1c 3407 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3408 rfc.mode != chan->mode)
f2fcfcd6
GP		 3409 return -ECONNREFUSED;
3410
47d1ec61 3411 chan->fcs = 0;
f2fcfcd6
GP		 3412
3413 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3414 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3415 break;
6327eb98
AE		 3416
3417 case L2CAP_CONF_EWS:
c20f8e35 3418 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3419 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3420 chan->tx_win);
6327eb98 3421 break;
66af7aaf
AE		 3422
3423 case L2CAP_CONF_EFS:
3424 if (olen == sizeof(efs))
3425 memcpy(&efs, (void *)val, olen);
3426
3427 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3428 efs.stype != L2CAP_SERV_NOTRAFIC &&
3429 efs.stype != chan->local_stype)
66af7aaf
AE		 3430 return -ECONNREFUSED;
3431
2d792818
GP		 3432 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3433 (unsigned long) &efs);
66af7aaf 3434 break;
f2fcfcd6
GP		 3435 }
3436 }
3437
0c1bc5c6 3438 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3439 return -ECONNREFUSED;
3440
0c1bc5c6 3441 chan->mode = rfc.mode;
6c2ea7a8 3442
0e8b207e 3443 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3444 switch (rfc.mode) {
3445 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3446 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3447 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3448 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3449 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3450 chan->ack_win = min_t(u16, chan->ack_win,
3451 rfc.txwin_size);
66af7aaf
AE		 3452
3453 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3454 chan->local_msdu = le16_to_cpu(efs.msdu);
3455 chan->local_sdu_itime =
2d792818 3456 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3457 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3458 chan->local_flush_to =
2d792818 3459 le32_to_cpu(efs.flush_to);
66af7aaf 3460 }
f2fcfcd6 3461 break;
66af7aaf 3462
f2fcfcd6 3463 case L2CAP_MODE_STREAMING:
47d1ec61 3464 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3465 }
3466 }
3467
fe4128e0 3468 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3469 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3470
3471 return ptr - data;
3472}
3473
2d792818
GP		 3474static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3475 u16 result, u16 flags)
1da177e4
LT		 3476{
3477 struct l2cap_conf_rsp *rsp = data;
3478 void *ptr = rsp->data;
1da177e4 3479
fe4128e0 3480 BT_DBG("chan %p", chan);
1da177e4 3481
fe4128e0 3482 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3483 rsp->result = cpu_to_le16(result);
aca3192c 3484 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3485
3486 return ptr - data;
3487}
3488
8c1d787b 3489void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3490{
3491 struct l2cap_conn_rsp rsp;
8c1d787b 3492 struct l2cap_conn *conn = chan->conn;
710f9b0a 3493 u8 buf[128];
439f34ac 3494 u8 rsp_code;
710f9b0a 3495
fe4128e0
GP		 3496 rsp.scid = cpu_to_le16(chan->dcid);
3497 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3498 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3499 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3500
3501 if (chan->hs_hcon)
3502 rsp_code = L2CAP_CREATE_CHAN_RSP;
3503 else
3504 rsp_code = L2CAP_CONN_RSP;
3505
3506 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3507
3508 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3509
c1360a1c 3510 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3511 return;
3512
710f9b0a 3513 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3514 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3515 chan->num_conf_req++;
3516}
3517
47d1ec61 3518static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3519{
7b1c0049
GP		 3520 int type, olen;
3521 unsigned long val;
c20f8e35
MM		 3522 /* Use sane default values in case a misbehaving remote device
3523 * did not send an RFC or extended window size option.
3524 */
3525 u16 txwin_ext = chan->ack_win;
3526 struct l2cap_conf_rfc rfc = {
3527 .mode = chan->mode,
3528 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3529 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3530 .max_pdu_size = cpu_to_le16(chan->imtu),
3531 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3532 };
7b1c0049 3533
47d1ec61 3534 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3535
0c1bc5c6 3536 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3537 return;
3538
3539 while (len >= L2CAP_CONF_OPT_SIZE) {
3540 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3541
c20f8e35
MM		 3542 switch (type) {
3543 case L2CAP_CONF_RFC:
3544 if (olen == sizeof(rfc))
3545 memcpy(&rfc, (void *)val, olen);
8f321f85 3546 break;
c20f8e35
MM		 3547 case L2CAP_CONF_EWS:
3548 txwin_ext = val;
3549 break;
3550 }
7b1c0049
GP		 3551 }
3552
7b1c0049
GP		 3553 switch (rfc.mode) {
3554 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3555 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3556 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3557 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3558 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3559 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3560 else
3561 chan->ack_win = min_t(u16, chan->ack_win,
3562 rfc.txwin_size);
7b1c0049
GP		 3563 break;
3564 case L2CAP_MODE_STREAMING:
47d1ec61 3565 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3566 }
3567}
3568
2d792818
GP		 3569static inline int l2cap_command_rej(struct l2cap_conn *conn,
3570 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3571{
e2fd318e 3572 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3573
e2fd318e 3574 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3575 return 0;
3576
3577 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3578 cmd->ident == conn->info_ident) {
17cd3f37 3579 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3580
3581 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3582 conn->info_ident = 0;
984947dc 3583
4e8402a3
MH		 3584 l2cap_conn_start(conn);
3585 }
3586
3587 return 0;
3588}
3589
1700915f
MM		 3590static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3591 struct l2cap_cmd_hdr *cmd,
3592 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3593{
1da177e4
LT		 3594 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3595 struct l2cap_conn_rsp rsp;
23691d75 3596 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3597 struct sock *parent, *sk = NULL;
e7c29cb1 3598 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3599
3600 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3601 __le16 psm = req->psm;
1da177e4 3602
097db76c 3603 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3604
3605 /* Check if we have socket listening on psm */
c2287681 3606 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3607 if (!pchan) {
1da177e4
LT		 3608 result = L2CAP_CR_BAD_PSM;
3609 goto sendresp;
3610 }
3611
23691d75
GP		 3612 parent = pchan->sk;
3613
3df91ea2 3614 mutex_lock(&conn->chan_lock);
aa2ac881 3615 lock_sock(parent);
e0f0cb56 3616
e7c29cb1 3617 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3618 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3619 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3620 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3621 result = L2CAP_CR_SEC_BLOCK;
3622 goto response;
3623 }
3624
1da177e4
LT		 3625 result = L2CAP_CR_NO_MEM;
3626
2dfa1003
GP		 3627 /* Check if we already have channel with that dcid */
3628 if (__l2cap_get_chan_by_dcid(conn, scid))
3629 goto response;
3630
80b98027 3631 chan = pchan->ops->new_connection(pchan);
80808e43 3632 if (!chan)
1da177e4
LT		 3633 goto response;
3634
80808e43
GP		 3635 sk = chan->sk;
3636
1da177e4
LT		 3637 hci_conn_hold(conn->hcon);
3638
1da177e4
LT		 3639 bacpy(&bt_sk(sk)->src, conn->src);
3640 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3641 chan->psm = psm;
3642 chan->dcid = scid;
1700915f 3643 chan->local_amp_id = amp_id;
1da177e4 3644
6be36555 3645 __l2cap_chan_add(conn, chan);
48454079 3646
fe4128e0 3647 dcid = chan->scid;
1da177e4 3648
c9b66675 3649 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3650
fc7f8a7e 3651 chan->ident = cmd->ident;
1da177e4 3652
984947dc 3653 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3654 if (l2cap_chan_check_security(chan)) {
c5daa683 3655 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3656 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3657 result = L2CAP_CR_PEND;
3658 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3659 chan->ops->defer(chan);
f66dc81f 3660 } else {
1700915f
MM		 3661 /* Force pending result for AMP controllers.
3662 * The connection will succeed after the
3663 * physical link is up.
3664 */
3665 if (amp_id) {
3666 __l2cap_state_change(chan, BT_CONNECT2);
3667 result = L2CAP_CR_PEND;
3668 } else {
3669 __l2cap_state_change(chan, BT_CONFIG);
3670 result = L2CAP_CR_SUCCESS;
3671 }
f66dc81f
MH		 3672 status = L2CAP_CS_NO_INFO;
3673 }
79d554a6 3674 } else {
0e587be7 3675 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3676 result = L2CAP_CR_PEND;
3677 status = L2CAP_CS_AUTHEN_PEND;
3678 }
3679 } else {
0e587be7 3680 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3681 result = L2CAP_CR_PEND;
3682 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3683 }
3684
1da177e4 3685response:
aa2ac881 3686 release_sock(parent);
3df91ea2 3687 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3688
3689sendresp:
aca3192c
YH		 3690 rsp.scid = cpu_to_le16(scid);
3691 rsp.dcid = cpu_to_le16(dcid);
3692 rsp.result = cpu_to_le16(result);
3693 rsp.status = cpu_to_le16(status);
4c89b6aa 3694 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3695
3696 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3697 struct l2cap_info_req info;
ac73498c 3698 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3699
3700 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3701 conn->info_ident = l2cap_get_ident(conn);
3702
ba13ccd9 3703 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3704
2d792818
GP		 3705 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3706 sizeof(info), &info);
79d554a6
MH		 3707 }
3708
c1360a1c 3709 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3710 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3711 u8 buf[128];
c1360a1c 3712 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3713 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3714 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3715 chan->num_conf_req++;
e9aeb2dd 3716 }
1700915f
MM		 3717
3718 return chan;
4c89b6aa 3719}
e9aeb2dd 3720
4c89b6aa
MM		 3721static int l2cap_connect_req(struct l2cap_conn *conn,
3722 struct l2cap_cmd_hdr *cmd, u8 *data)
3723{
300229f9 3724 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3725 return 0;
3726}
3727
5909cf30 3728static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3729 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3730{
3731 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3732 u16 scid, dcid, result, status;
48454079 3733 struct l2cap_chan *chan;
1da177e4 3734 u8 req[128];
3df91ea2 3735 int err;
1da177e4
LT		 3736
3737 scid = __le16_to_cpu(rsp->scid);
3738 dcid = __le16_to_cpu(rsp->dcid);
3739 result = __le16_to_cpu(rsp->result);
3740 status = __le16_to_cpu(rsp->status);
3741
1b009c98 3742 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3743 dcid, scid, result, status);
1da177e4 3744
3df91ea2
AE		 3745 mutex_lock(&conn->chan_lock);
3746
1da177e4 3747 if (scid) {
3df91ea2
AE		 3748 chan = __l2cap_get_chan_by_scid(conn, scid);
3749 if (!chan) {
3750 err = -EFAULT;
3751 goto unlock;
3752 }
1da177e4 3753 } else {
3df91ea2
AE		 3754 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3755 if (!chan) {
3756 err = -EFAULT;
3757 goto unlock;
3758 }
1da177e4
LT		 3759 }
3760
3df91ea2
AE		 3761 err = 0;
3762
6be36555 3763 l2cap_chan_lock(chan);
48454079 3764
1da177e4
LT		 3765 switch (result) {
3766 case L2CAP_CR_SUCCESS:
89bc500e 3767 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3768 chan->ident = 0;
fe4128e0 3769 chan->dcid = dcid;
c1360a1c 3770 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3771
c1360a1c 3772 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3773 break;
3774
1da177e4 3775 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3776 l2cap_build_conf_req(chan, req), req);
73ffa904 3777 chan->num_conf_req++;
1da177e4
LT		 3778 break;
3779
3780 case L2CAP_CR_PEND:
c1360a1c 3781 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3782 break;
3783
3784 default:
48454079 3785 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3786 break;
3787 }
3788
6be36555 3789 l2cap_chan_unlock(chan);
3df91ea2
AE		 3790
3791unlock:
3792 mutex_unlock(&conn->chan_lock);
3793
3794 return err;
1da177e4
LT		 3795}
3796
47d1ec61 3797static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3798{
3799 /* FCS is enabled only in ERTM or streaming mode, if one or both
3800 * sides request it.
3801 */
0c1bc5c6 3802 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3803 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3804 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3805 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3806}
3807
29d8a590
AE		 3808static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3809 u8 ident, u16 flags)
3810{
3811 struct l2cap_conn *conn = chan->conn;
3812
3813 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3814 flags);
3815
3816 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3817 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3818
3819 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3820 l2cap_build_conf_rsp(chan, data,
3821 L2CAP_CONF_SUCCESS, flags), data);
3822}
3823
2d792818
GP		 3824static inline int l2cap_config_req(struct l2cap_conn *conn,
3825 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3826 u8 *data)
1da177e4
LT		 3827{
3828 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3829 u16 dcid, flags;
3830 u8 rsp[64];
48454079 3831 struct l2cap_chan *chan;
3c588192 3832 int len, err = 0;
1da177e4
LT		 3833
3834 dcid = __le16_to_cpu(req->dcid);
3835 flags = __le16_to_cpu(req->flags);
3836
3837 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3838
baa7e1fa 3839 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3840 if (!chan)
1da177e4
LT		 3841 return -ENOENT;
3842
033b1142 3843 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3844 struct l2cap_cmd_rej_cid rej;
3845
ac73498c 3846 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3847 rej.scid = cpu_to_le16(chan->scid);
3848 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3849
df6bd743 3850 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3851 sizeof(rej), &rej);
354f60a9 3852 goto unlock;
df6bd743 3853 }
354f60a9 3854
5dee9e7c 3855 /* Reject if config buffer is too small. */
88219a0f 3856 len = cmd_len - sizeof(*req);
7ac28817 3857 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3858 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3859 l2cap_build_conf_rsp(chan, rsp,
3860 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3861 goto unlock;
3862 }
3863
3864 /* Store config. */
73ffa904
GP		 3865 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3866 chan->conf_len += len;
1da177e4 3867
59e54bd1 3868 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3869 /* Incomplete config. Send empty response. */
3870 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3871 l2cap_build_conf_rsp(chan, rsp,
3872 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3873 goto unlock;
3874 }
3875
3876 /* Complete config. */
73ffa904 3877 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3878 if (len < 0) {
5e4e3972 3879 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4 3880 goto unlock;
f2fcfcd6 3881 }
1da177e4 3882
1500109b 3883 chan->ident = cmd->ident;
5dee9e7c 3884 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3885 chan->num_conf_rsp++;
5dee9e7c 3886
5dee9e7c 3887 /* Reset config buffer. */
73ffa904 3888 chan->conf_len = 0;
5dee9e7c 3889
c1360a1c 3890 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3891 goto unlock;
3892
c1360a1c 3893 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3894 set_default_fcs(chan);
fcc203c3 3895
105bdf9e
MM		 3896 if (chan->mode == L2CAP_MODE_ERTM ||
3897 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3898 err = l2cap_ertm_init(chan);
3899
3900 if (err < 0)
5e4e3972 3901 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 3902 else
3903 l2cap_chan_ready(chan);
0565c1c2 3904
876d9484
MH		 3905 goto unlock;
3906 }
3907
c1360a1c 3908 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3909 u8 buf[64];
1da177e4 3910 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3911 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3912 chan->num_conf_req++;
1da177e4
LT		 3913 }
3914
0e8b207e
AE		 3915 /* Got Conf Rsp PENDING from remote side and asume we sent
3916 Conf Rsp PENDING in the code above */
3917 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3918 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3919
3920 /* check compatibility */
3921
79de886d 3922 /* Send rsp for BR/EDR channel */
f351bc72 3923 if (!chan->hs_hcon)
79de886d
AE		 3924 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3925 else
3926 chan->ident = cmd->ident;
0e8b207e
AE		 3927 }
3928
1da177e4 3929unlock:
6be36555 3930 l2cap_chan_unlock(chan);
3c588192 3931 return err;
1da177e4
LT		 3932}
3933
2d792818
GP		 3934static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3935 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3936{
3937 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3938 u16 scid, flags, result;
48454079 3939 struct l2cap_chan *chan;
61386cba 3940 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3941 int err = 0;
1da177e4
LT		 3942
3943 scid = __le16_to_cpu(rsp->scid);
3944 flags = __le16_to_cpu(rsp->flags);
3945 result = __le16_to_cpu(rsp->result);
3946
61386cba
AE		 3947 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3948 result, len);
1da177e4 3949
baa7e1fa 3950 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3951 if (!chan)
1da177e4
LT		 3952 return 0;
3953
3954 switch (result) {
3955 case L2CAP_CONF_SUCCESS:
47d1ec61 3956 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3957 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3958 break;
3959
0e8b207e
AE		 3960 case L2CAP_CONF_PENDING:
3961 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3962
3963 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3964 char buf[64];
3965
3966 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3967 buf, &result);
0e8b207e 3968 if (len < 0) {
5e4e3972 3969 l2cap_send_disconn_req(chan, ECONNRESET);
0e8b207e
AE		 3970 goto done;
3971 }
3972
f351bc72 3973 if (!chan->hs_hcon) {
79de886d
AE		 3974 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3975 0);
5ce66b59
AE		 3976 } else {
3977 if (l2cap_check_efs(chan)) {
3978 amp_create_logical_link(chan);
3979 chan->ident = cmd->ident;
3980 }
3981 }
0e8b207e
AE		 3982 }
3983 goto done;
3984
1da177e4 3985 case L2CAP_CONF_UNACCEPT:
73ffa904 3986 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3987 char req[64];
3988
c2c77ec8 3989 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
5e4e3972 3990 l2cap_send_disconn_req(chan, ECONNRESET);
c2c77ec8
AE		 3991 goto done;
3992 }
3993
f2fcfcd6
GP		 3994 /* throw out any old stored conf requests */
3995 result = L2CAP_CONF_SUCCESS;
b4450035 3996 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3997 req, &result);
f2fcfcd6 3998 if (len < 0) {
5e4e3972 3999 l2cap_send_disconn_req(chan, ECONNRESET);
f2fcfcd6
GP		 4000 goto done;
4001 }
4002
4003 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 4004 L2CAP_CONF_REQ, len, req);
73ffa904 4005 chan->num_conf_req++;
f2fcfcd6
GP		 4006 if (result != L2CAP_CONF_SUCCESS)
4007 goto done;
4008 break;
1da177e4
LT		 4009 }
4010
8e87d142 4011 default:
6be36555 4012 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4013
ba13ccd9 4014 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
5e4e3972 4015 l2cap_send_disconn_req(chan, ECONNRESET);
1da177e4
LT		 4016 goto done;
4017 }
4018
59e54bd1 4019 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4020 goto done;
4021
c1360a1c 4022 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4023
c1360a1c 4024 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4025 set_default_fcs(chan);
fcc203c3 4026
105bdf9e
MM		 4027 if (chan->mode == L2CAP_MODE_ERTM ||
4028 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4029 err = l2cap_ertm_init(chan);
0565c1c2 4030
3c588192 4031 if (err < 0)
5e4e3972 4032 l2cap_send_disconn_req(chan, -err);
3c588192
MM		 4033 else
4034 l2cap_chan_ready(chan);
1da177e4
LT		 4035 }
4036
4037done:
6be36555 4038 l2cap_chan_unlock(chan);
3c588192 4039 return err;
1da177e4
LT		 4040}
4041
2d792818
GP		 4042static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4043 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4044{
4045 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4046 struct l2cap_disconn_rsp rsp;
4047 u16 dcid, scid;
48454079 4048 struct l2cap_chan *chan;
1da177e4
LT		 4049 struct sock *sk;
4050
4051 scid = __le16_to_cpu(req->scid);
4052 dcid = __le16_to_cpu(req->dcid);
4053
4054 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4055
3df91ea2
AE		 4056 mutex_lock(&conn->chan_lock);
4057
4058 chan = __l2cap_get_chan_by_scid(conn, dcid);
4059 if (!chan) {
4060 mutex_unlock(&conn->chan_lock);
1da177e4 4061 return 0;
3df91ea2 4062 }
1da177e4 4063
6be36555
AE		 4064 l2cap_chan_lock(chan);
4065
48454079
GP		 4066 sk = chan->sk;
4067
fe4128e0
GP		 4068 rsp.dcid = cpu_to_le16(chan->scid);
4069 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4070 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4071
6be36555 4072 lock_sock(sk);
1da177e4 4073 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4074 release_sock(sk);
1da177e4 4075
61d6ef3e 4076 l2cap_chan_hold(chan);
48454079 4077 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4078
4079 l2cap_chan_unlock(chan);
1da177e4 4080
80b98027 4081 chan->ops->close(chan);
61d6ef3e 4082 l2cap_chan_put(chan);
3df91ea2
AE		 4083
4084 mutex_unlock(&conn->chan_lock);
4085
1da177e4
LT		 4086 return 0;
4087}
4088
2d792818
GP		 4089static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4090 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4091{
4092 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4093 u16 dcid, scid;
48454079 4094 struct l2cap_chan *chan;
1da177e4
LT		 4095
4096 scid = __le16_to_cpu(rsp->scid);
4097 dcid = __le16_to_cpu(rsp->dcid);
4098
4099 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4100
3df91ea2
AE		 4101 mutex_lock(&conn->chan_lock);
4102
4103 chan = __l2cap_get_chan_by_scid(conn, scid);
4104 if (!chan) {
4105 mutex_unlock(&conn->chan_lock);
1da177e4 4106 return 0;
3df91ea2 4107 }
1da177e4 4108
6be36555 4109 l2cap_chan_lock(chan);
48454079 4110
61d6ef3e 4111 l2cap_chan_hold(chan);
48454079 4112 l2cap_chan_del(chan, 0);
6be36555
AE		 4113
4114 l2cap_chan_unlock(chan);
1da177e4 4115
80b98027 4116 chan->ops->close(chan);
61d6ef3e 4117 l2cap_chan_put(chan);
3df91ea2
AE		 4118
4119 mutex_unlock(&conn->chan_lock);
4120
1da177e4
LT		 4121 return 0;
4122}
4123
2d792818
GP		 4124static inline int l2cap_information_req(struct l2cap_conn *conn,
4125 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4126{
4127 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4128 u16 type;
4129
4130 type = __le16_to_cpu(req->type);
4131
4132 BT_DBG("type 0x%4.4x", type);
4133
f0709e03
MH		 4134 if (type == L2CAP_IT_FEAT_MASK) {
4135 u8 buf[8];
44dd46de 4136 u32 feat_mask = l2cap_feat_mask;
f0709e03 4137 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4138 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4139 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4140 if (!disable_ertm)
fcc203c3 4141 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4142 | L2CAP_FEAT_FCS;
a5fd6f30 4143 if (enable_hs)
6327eb98 4144 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4145 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4146
1b7bf4ed 4147 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4148 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4149 buf);
e1027a7c
MH		 4150 } else if (type == L2CAP_IT_FIXED_CHAN) {
4151 u8 buf[12];
4152 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4153
4154 if (enable_hs)
4155 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4156 else
4157 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4158
ac73498c
AE		 4159 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4160 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4161 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4162 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4163 buf);
f0709e03
MH		 4164 } else {
4165 struct l2cap_info_rsp rsp;
4166 rsp.type = cpu_to_le16(type);
ac73498c 4167 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4168 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4169 &rsp);
f0709e03 4170 }
1da177e4
LT		 4171
4172 return 0;
4173}
4174
2d792818
GP		 4175static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4176 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4177{
4178 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4179 u16 type, result;
4180
4181 type = __le16_to_cpu(rsp->type);
4182 result = __le16_to_cpu(rsp->result);
4183
4184 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4185
e90165be
AE		 4186 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4187 if (cmd->ident != conn->info_ident ||
2d792818 4188 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4189 return 0;
4190
17cd3f37 4191 cancel_delayed_work(&conn->info_timer);
4e8402a3 4192
adb08ede
VT		 4193 if (result != L2CAP_IR_SUCCESS) {
4194 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4195 conn->info_ident = 0;
4196
4197 l2cap_conn_start(conn);
4198
4199 return 0;
4200 }
4201
978c93b9
AE		 4202 switch (type) {
4203 case L2CAP_IT_FEAT_MASK:
83985319 4204 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4205
47ec1dcd 4206 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4207 struct l2cap_info_req req;
ac73498c 4208 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4209
4210 conn->info_ident = l2cap_get_ident(conn);
4211
4212 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4213 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4214 } else {
4215 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4216 conn->info_ident = 0;
4217
4218 l2cap_conn_start(conn);
4219 }
978c93b9
AE		 4220 break;
4221
4222 case L2CAP_IT_FIXED_CHAN:
4223 conn->fixed_chan_mask = rsp->data[0];
984947dc 4224 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4225 conn->info_ident = 0;
984947dc
MH		 4226
4227 l2cap_conn_start(conn);
978c93b9 4228 break;
984947dc 4229 }
4e8402a3 4230
1da177e4
LT		 4231 return 0;
4232}
4233
1700915f
MM		 4234static int l2cap_create_channel_req(struct l2cap_conn *conn,
4235 struct l2cap_cmd_hdr *cmd,
4236 u16 cmd_len, void *data)
f94ff6ff
MM		 4237{
4238 struct l2cap_create_chan_req *req = data;
6e1df6a6 4239 struct l2cap_create_chan_rsp rsp;
1700915f 4240 struct l2cap_chan *chan;
6e1df6a6 4241 struct hci_dev *hdev;
f94ff6ff
MM		 4242 u16 psm, scid;
4243
4244 if (cmd_len != sizeof(*req))
4245 return -EPROTO;
4246
4247 if (!enable_hs)
4248 return -EINVAL;
4249
4250 psm = le16_to_cpu(req->psm);
4251 scid = le16_to_cpu(req->scid);
4252
ad0ac6ca 4253 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4254
6e1df6a6
AE		 4255 /* For controller id 0 make BR/EDR connection */
4256 if (req->amp_id == HCI_BREDR_ID) {
4257 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4258 req->amp_id);
4259 return 0;
4260 }
1700915f 4261
6e1df6a6
AE		 4262 /* Validate AMP controller id */
4263 hdev = hci_dev_get(req->amp_id);
4264 if (!hdev)
4265 goto error;
1700915f 4266
6e1df6a6
AE		 4267 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4268 hci_dev_put(hdev);
4269 goto error;
4270 }
1700915f 4271
6e1df6a6
AE		 4272 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4273 req->amp_id);
4274 if (chan) {
4275 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4276 struct hci_conn *hs_hcon;
1700915f 4277
6e1df6a6
AE		 4278 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4279 if (!hs_hcon) {
4280 hci_dev_put(hdev);
4281 return -EFAULT;
1700915f
MM		 4282 }
4283
6e1df6a6
AE		 4284 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4285
6e1df6a6
AE		 4286 mgr->bredr_chan = chan;
4287 chan->hs_hcon = hs_hcon;
fd45bf4c 4288 chan->fcs = L2CAP_FCS_NONE;
6e1df6a6 4289 conn->mtu = hdev->block_mtu;
1700915f 4290 }
f94ff6ff 4291
6e1df6a6 4292 hci_dev_put(hdev);
f94ff6ff
MM		 4293
4294 return 0;
6e1df6a6
AE		 4295
4296error:
4297 rsp.dcid = 0;
4298 rsp.scid = cpu_to_le16(scid);
4299 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4300 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4301
4302 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4303 sizeof(rsp), &rsp);
4304
4305 return -EFAULT;
f94ff6ff
MM		 4306}
4307
8eb200bd
MM		 4308static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4309{
4310 struct l2cap_move_chan_req req;
4311 u8 ident;
4312
4313 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4314
4315 ident = l2cap_get_ident(chan->conn);
4316 chan->ident = ident;
4317
4318 req.icid = cpu_to_le16(chan->scid);
4319 req.dest_amp_id = dest_amp_id;
4320
4321 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4322 &req);
4323
4324 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4325}
4326
1500109b 4327static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4328{
4329 struct l2cap_move_chan_rsp rsp;
4330
1500109b 4331 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4332
1500109b 4333 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4334 rsp.result = cpu_to_le16(result);
4335
1500109b
MM		 4336 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4337 sizeof(rsp), &rsp);
8d5a04a1
MM		 4338}
4339
5b155ef9 4340static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4341{
4342 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4343
5b155ef9 4344 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4345
5b155ef9 4346 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4347
5b155ef9 4348 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4349 cfm.result = cpu_to_le16(result);
4350
5b155ef9
MM		 4351 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4352 sizeof(cfm), &cfm);
4353
4354 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4355}
4356
4357static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4358{
4359 struct l2cap_move_chan_cfm cfm;
4360
4361 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4362
4363 cfm.icid = cpu_to_le16(icid);
4364 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4365
4366 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4367 sizeof(cfm), &cfm);
8d5a04a1
MM		 4368}
4369
4370static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4371 u16 icid)
8d5a04a1
MM		 4372{
4373 struct l2cap_move_chan_cfm_rsp rsp;
4374
ad0ac6ca 4375 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4376
4377 rsp.icid = cpu_to_le16(icid);
4378 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4379}
4380
5f3847a4
MM		 4381static void __release_logical_link(struct l2cap_chan *chan)
4382{
4383 chan->hs_hchan = NULL;
4384 chan->hs_hcon = NULL;
4385
4386 /* Placeholder - release the logical link */
4387}
4388
1500109b
MM		 4389static void l2cap_logical_fail(struct l2cap_chan *chan)
4390{
4391 /* Logical link setup failed */
4392 if (chan->state != BT_CONNECTED) {
4393 /* Create channel failure, disconnect */
5e4e3972 4394 l2cap_send_disconn_req(chan, ECONNRESET);
1500109b
MM		 4395 return;
4396 }
4397
4398 switch (chan->move_role) {
4399 case L2CAP_MOVE_ROLE_RESPONDER:
4400 l2cap_move_done(chan);
4401 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4402 break;
4403 case L2CAP_MOVE_ROLE_INITIATOR:
4404 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4405 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4406 /* Remote has only sent pending or
4407 * success responses, clean up
4408 */
4409 l2cap_move_done(chan);
4410 }
4411
4412 /* Other amp move states imply that the move
4413 * has already aborted
4414 */
4415 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4416 break;
4417 }
4418}
4419
4420static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4421 struct hci_chan *hchan)
4422{
4423 struct l2cap_conf_rsp rsp;
1500109b 4424
336178a3 4425 chan->hs_hchan = hchan;
1500109b
MM		 4426 chan->hs_hcon->l2cap_data = chan->conn;
4427
35ba9561 4428 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4429
4430 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4431 int err;
1500109b
MM		 4432
4433 set_default_fcs(chan);
4434
4435 err = l2cap_ertm_init(chan);
4436 if (err < 0)
5e4e3972 4437 l2cap_send_disconn_req(chan, -err);
1500109b
MM		 4438 else
4439 l2cap_chan_ready(chan);
4440 }
4441}
4442
4443static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4444 struct hci_chan *hchan)
4445{
4446 chan->hs_hcon = hchan->conn;
4447 chan->hs_hcon->l2cap_data = chan->conn;
4448
4449 BT_DBG("move_state %d", chan->move_state);
4450
4451 switch (chan->move_state) {
4452 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4453 /* Move confirm will be sent after a success
4454 * response is received
4455 */
4456 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4457 break;
4458 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4459 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4460 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4461 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4462 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4463 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4464 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4465 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4466 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4467 }
4468 break;
4469 default:
4470 /* Move was not in expected state, free the channel */
4471 __release_logical_link(chan);
4472
4473 chan->move_state = L2CAP_MOVE_STABLE;
4474 }
4475}
4476
4477/* Call with chan locked */
27695fb4
AE		 4478void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4479 u8 status)
5b155ef9 4480{
1500109b
MM		 4481 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4482
4483 if (status) {
4484 l2cap_logical_fail(chan);
4485 __release_logical_link(chan);
4486 return;
4487 }
4488
4489 if (chan->state != BT_CONNECTED) {
4490 /* Ignore logical link if channel is on BR/EDR */
4491 if (chan->local_amp_id)
4492 l2cap_logical_finish_create(chan, hchan);
4493 } else {
4494 l2cap_logical_finish_move(chan, hchan);
4495 }
5b155ef9
MM		 4496}
4497
3f7a56c4
MM		 4498void l2cap_move_start(struct l2cap_chan *chan)
4499{
4500 BT_DBG("chan %p", chan);
4501
4502 if (chan->local_amp_id == HCI_BREDR_ID) {
4503 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4504 return;
4505 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4506 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4507 /* Placeholder - start physical link setup */
4508 } else {
4509 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4510 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4511 chan->move_id = 0;
4512 l2cap_move_setup(chan);
4513 l2cap_send_move_chan_req(chan, 0);
4514 }
4515}
4516
8eb200bd
MM		 4517static void l2cap_do_create(struct l2cap_chan *chan, int result,
4518 u8 local_amp_id, u8 remote_amp_id)
4519{
62748ca1
AE		 4520 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4521 local_amp_id, remote_amp_id);
4522
12d6cc60
AE		 4523 chan->fcs = L2CAP_FCS_NONE;
4524
62748ca1
AE		 4525 /* Outgoing channel on AMP */
4526 if (chan->state == BT_CONNECT) {
4527 if (result == L2CAP_CR_SUCCESS) {
4528 chan->local_amp_id = local_amp_id;
4529 l2cap_send_create_chan_req(chan, remote_amp_id);
4530 } else {
4531 /* Revert to BR/EDR connect */
4532 l2cap_send_conn_req(chan);
4533 }
4534
4535 return;
4536 }
4537
4538 /* Incoming channel on AMP */
4539 if (__l2cap_no_conn_pending(chan)) {
8eb200bd
MM		 4540 struct l2cap_conn_rsp rsp;
4541 char buf[128];
4542 rsp.scid = cpu_to_le16(chan->dcid);
4543 rsp.dcid = cpu_to_le16(chan->scid);
4544
8eb200bd
MM		 4545 if (result == L2CAP_CR_SUCCESS) {
4546 /* Send successful response */
62cd50e2
AE		 4547 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4548 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4549 } else {
4550 /* Send negative response */
62cd50e2
AE		 4551 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4552 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
8eb200bd
MM		 4553 }
4554
4555 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4556 sizeof(rsp), &rsp);
4557
4558 if (result == L2CAP_CR_SUCCESS) {
4559 __l2cap_state_change(chan, BT_CONFIG);
4560 set_bit(CONF_REQ_SENT, &chan->conf_state);
4561 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4562 L2CAP_CONF_REQ,
4563 l2cap_build_conf_req(chan, buf), buf);
4564 chan->num_conf_req++;
4565 }
8eb200bd
MM		 4566 }
4567}
4568
4569static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4570 u8 remote_amp_id)
4571{
4572 l2cap_move_setup(chan);
4573 chan->move_id = local_amp_id;
4574 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4575
4576 l2cap_send_move_chan_req(chan, remote_amp_id);
4577}
4578
4579static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4580{
4581 struct hci_chan *hchan = NULL;
4582
4583 /* Placeholder - get hci_chan for logical link */
4584
4585 if (hchan) {
4586 if (hchan->state == BT_CONNECTED) {
4587 /* Logical link is ready to go */
4588 chan->hs_hcon = hchan->conn;
4589 chan->hs_hcon->l2cap_data = chan->conn;
4590 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4591 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4592
4593 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4594 } else {
4595 /* Wait for logical link to be ready */
4596 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4597 }
4598 } else {
4599 /* Logical link not available */
4600 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4601 }
4602}
4603
4604static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4605{
4606 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4607 u8 rsp_result;
4608 if (result == -EINVAL)
4609 rsp_result = L2CAP_MR_BAD_ID;
4610 else
4611 rsp_result = L2CAP_MR_NOT_ALLOWED;
4612
4613 l2cap_send_move_chan_rsp(chan, rsp_result);
4614 }
4615
4616 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4617 chan->move_state = L2CAP_MOVE_STABLE;
4618
4619 /* Restart data transmission */
4620 l2cap_ertm_send(chan);
4621}
4622
a514b17f
AE		 4623/* Invoke with locked chan */
4624void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4625{
770bfefa 4626 u8 local_amp_id = chan->local_amp_id;
fffadc08 4627 u8 remote_amp_id = chan->remote_amp_id;
770bfefa 4628
8eb200bd
MM		 4629 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4630 chan, result, local_amp_id, remote_amp_id);
4631
8eb200bd
MM		 4632 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4633 l2cap_chan_unlock(chan);
4634 return;
4635 }
4636
4637 if (chan->state != BT_CONNECTED) {
4638 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4639 } else if (result != L2CAP_MR_SUCCESS) {
4640 l2cap_do_move_cancel(chan, result);
4641 } else {
4642 switch (chan->move_role) {
4643 case L2CAP_MOVE_ROLE_INITIATOR:
4644 l2cap_do_move_initiate(chan, local_amp_id,
4645 remote_amp_id);
4646 break;
4647 case L2CAP_MOVE_ROLE_RESPONDER:
4648 l2cap_do_move_respond(chan, result);
4649 break;
4650 default:
4651 l2cap_do_move_cancel(chan, result);
4652 break;
4653 }
4654 }
8eb200bd
MM		 4655}
4656
8d5a04a1 4657static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4658 struct l2cap_cmd_hdr *cmd,
4659 u16 cmd_len, void *data)
8d5a04a1
MM		 4660{
4661 struct l2cap_move_chan_req *req = data;
1500109b 4662 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4663 struct l2cap_chan *chan;
8d5a04a1
MM		 4664 u16 icid = 0;
4665 u16 result = L2CAP_MR_NOT_ALLOWED;
4666
4667 if (cmd_len != sizeof(*req))
4668 return -EPROTO;
4669
4670 icid = le16_to_cpu(req->icid);
4671
ad0ac6ca 4672 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4673
4674 if (!enable_hs)
4675 return -EINVAL;
4676
02b0fbb9
MM		 4677 chan = l2cap_get_chan_by_dcid(conn, icid);
4678 if (!chan) {
1500109b
MM		 4679 rsp.icid = cpu_to_le16(icid);
4680 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4681 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4682 sizeof(rsp), &rsp);
02b0fbb9
MM		 4683 return 0;
4684 }
4685
1500109b
MM		 4686 chan->ident = cmd->ident;
4687
02b0fbb9
MM		 4688 if (chan->scid < L2CAP_CID_DYN_START ||
4689 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4690 (chan->mode != L2CAP_MODE_ERTM &&
4691 chan->mode != L2CAP_MODE_STREAMING)) {
4692 result = L2CAP_MR_NOT_ALLOWED;
4693 goto send_move_response;
4694 }
4695
4696 if (chan->local_amp_id == req->dest_amp_id) {
4697 result = L2CAP_MR_SAME_ID;
4698 goto send_move_response;
4699 }
4700
4701 if (req->dest_amp_id) {
4702 struct hci_dev *hdev;
4703 hdev = hci_dev_get(req->dest_amp_id);
4704 if (!hdev || hdev->dev_type != HCI_AMP ||
4705 !test_bit(HCI_UP, &hdev->flags)) {
4706 if (hdev)
4707 hci_dev_put(hdev);
4708
4709 result = L2CAP_MR_BAD_ID;
4710 goto send_move_response;
4711 }
4712 hci_dev_put(hdev);
4713 }
4714
4715 /* Detect a move collision. Only send a collision response
4716 * if this side has "lost", otherwise proceed with the move.
4717 * The winner has the larger bd_addr.
4718 */
4719 if ((__chan_is_moving(chan) ||
4720 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4721 bacmp(conn->src, conn->dst) > 0) {
4722 result = L2CAP_MR_COLLISION;
4723 goto send_move_response;
4724 }
4725
02b0fbb9
MM		 4726 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4727 l2cap_move_setup(chan);
4728 chan->move_id = req->dest_amp_id;
4729 icid = chan->dcid;
4730
4731 if (!req->dest_amp_id) {
4732 /* Moving to BR/EDR */
4733 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4734 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4735 result = L2CAP_MR_PEND;
4736 } else {
4737 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4738 result = L2CAP_MR_SUCCESS;
4739 }
4740 } else {
4741 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4742 /* Placeholder - uncomment when amp functions are available */
4743 /*amp_accept_physical(chan, req->dest_amp_id);*/
4744 result = L2CAP_MR_PEND;
4745 }
4746
4747send_move_response:
1500109b 4748 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4749
02b0fbb9
MM		 4750 l2cap_chan_unlock(chan);
4751
8d5a04a1
MM		 4752 return 0;
4753}
4754
5b155ef9
MM		 4755static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4756{
4757 struct l2cap_chan *chan;
4758 struct hci_chan *hchan = NULL;
4759
4760 chan = l2cap_get_chan_by_scid(conn, icid);
4761 if (!chan) {
4762 l2cap_send_move_chan_cfm_icid(conn, icid);
4763 return;
4764 }
4765
4766 __clear_chan_timer(chan);
4767 if (result == L2CAP_MR_PEND)
4768 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4769
4770 switch (chan->move_state) {
4771 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4772 /* Move confirm will be sent when logical link
4773 * is complete.
4774 */
4775 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4776 break;
4777 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4778 if (result == L2CAP_MR_PEND) {
4779 break;
4780 } else if (test_bit(CONN_LOCAL_BUSY,
4781 &chan->conn_state)) {
4782 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4783 } else {
4784 /* Logical link is up or moving to BR/EDR,
4785 * proceed with move
4786 */
4787 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4788 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4789 }
4790 break;
4791 case L2CAP_MOVE_WAIT_RSP:
4792 /* Moving to AMP */
4793 if (result == L2CAP_MR_SUCCESS) {
4794 /* Remote is ready, send confirm immediately
4795 * after logical link is ready
4796 */
4797 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4798 } else {
4799 /* Both logical link and move success
4800 * are required to confirm
4801 */
4802 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4803 }
4804
4805 /* Placeholder - get hci_chan for logical link */
4806 if (!hchan) {
4807 /* Logical link not available */
4808 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4809 break;
4810 }
4811
4812 /* If the logical link is not yet connected, do not
4813 * send confirmation.
4814 */
4815 if (hchan->state != BT_CONNECTED)
4816 break;
4817
4818 /* Logical link is already ready to go */
4819
4820 chan->hs_hcon = hchan->conn;
4821 chan->hs_hcon->l2cap_data = chan->conn;
4822
4823 if (result == L2CAP_MR_SUCCESS) {
4824 /* Can confirm now */
4825 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4826 } else {
4827 /* Now only need move success
4828 * to confirm
4829 */
4830 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4831 }
4832
4833 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4834 break;
4835 default:
4836 /* Any other amp move state means the move failed. */
4837 chan->move_id = chan->local_amp_id;
4838 l2cap_move_done(chan);
4839 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4840 }
4841
4842 l2cap_chan_unlock(chan);
4843}
4844
4845static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
4846 u16 result)
4847{
4848 struct l2cap_chan *chan;
4849
4850 chan = l2cap_get_chan_by_ident(conn, ident);
4851 if (!chan) {
4852 /* Could not locate channel, icid is best guess */
4853 l2cap_send_move_chan_cfm_icid(conn, icid);
4854 return;
4855 }
4856
4857 __clear_chan_timer(chan);
4858
4859 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4860 if (result == L2CAP_MR_COLLISION) {
4861 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4862 } else {
4863 /* Cleanup - cancel move */
4864 chan->move_id = chan->local_amp_id;
4865 l2cap_move_done(chan);
4866 }
4867 }
4868
4869 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4870
4871 l2cap_chan_unlock(chan);
4872}
4873
4874static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4875 struct l2cap_cmd_hdr *cmd,
4876 u16 cmd_len, void *data)
8d5a04a1
MM		 4877{
4878 struct l2cap_move_chan_rsp *rsp = data;
4879 u16 icid, result;
4880
4881 if (cmd_len != sizeof(*rsp))
4882 return -EPROTO;
4883
4884 icid = le16_to_cpu(rsp->icid);
4885 result = le16_to_cpu(rsp->result);
4886
ad0ac6ca 4887 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4888
5b155ef9
MM		 4889 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
4890 l2cap_move_continue(conn, icid, result);
4891 else
4892 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 4893
4894 return 0;
4895}
4896
5f3847a4
MM		 4897static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4898 struct l2cap_cmd_hdr *cmd,
4899 u16 cmd_len, void *data)
8d5a04a1
MM		 4900{
4901 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4902 struct l2cap_chan *chan;
8d5a04a1
MM		 4903 u16 icid, result;
4904
4905 if (cmd_len != sizeof(*cfm))
4906 return -EPROTO;
4907
4908 icid = le16_to_cpu(cfm->icid);
4909 result = le16_to_cpu(cfm->result);
4910
ad0ac6ca 4911 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4912
5f3847a4
MM		 4913 chan = l2cap_get_chan_by_dcid(conn, icid);
4914 if (!chan) {
4915 /* Spec requires a response even if the icid was not found */
4916 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4917 return 0;
4918 }
4919
4920 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4921 if (result == L2CAP_MC_CONFIRMED) {
4922 chan->local_amp_id = chan->move_id;
4923 if (!chan->local_amp_id)
4924 __release_logical_link(chan);
4925 } else {
4926 chan->move_id = chan->local_amp_id;
4927 }
4928
4929 l2cap_move_done(chan);
4930 }
4931
8d5a04a1
MM		 4932 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4933
5f3847a4
MM		 4934 l2cap_chan_unlock(chan);
4935
8d5a04a1
MM		 4936 return 0;
4937}
4938
4939static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4940 struct l2cap_cmd_hdr *cmd,
4941 u16 cmd_len, void *data)
8d5a04a1
MM		 4942{
4943 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 4944 struct l2cap_chan *chan;
8d5a04a1
MM		 4945 u16 icid;
4946
4947 if (cmd_len != sizeof(*rsp))
4948 return -EPROTO;
4949
4950 icid = le16_to_cpu(rsp->icid);
4951
ad0ac6ca 4952 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 4953
3fd71a0a
MM		 4954 chan = l2cap_get_chan_by_scid(conn, icid);
4955 if (!chan)
4956 return 0;
4957
4958 __clear_chan_timer(chan);
4959
4960 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
4961 chan->local_amp_id = chan->move_id;
4962
4963 if (!chan->local_amp_id && chan->hs_hchan)
4964 __release_logical_link(chan);
4965
4966 l2cap_move_done(chan);
4967 }
4968
4969 l2cap_chan_unlock(chan);
4970
8d5a04a1
MM		 4971 return 0;
4972}
4973
e2174ca4 4974static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4975 u16 to_multiplier)
de73115a
CT		 4976{
4977 u16 max_latency;
4978
4979 if (min > max || min < 6 || max > 3200)
4980 return -EINVAL;
4981
4982 if (to_multiplier < 10 || to_multiplier > 3200)
4983 return -EINVAL;
4984
4985 if (max >= to_multiplier * 8)
4986 return -EINVAL;
4987
4988 max_latency = (to_multiplier * 8 / max) - 1;
4989 if (latency > 499 || latency > max_latency)
4990 return -EINVAL;
4991
4992 return 0;
4993}
4994
4995static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4996 struct l2cap_cmd_hdr *cmd,
4997 u8 *data)
de73115a
CT		 4998{
4999 struct hci_conn *hcon = conn->hcon;
5000 struct l2cap_conn_param_update_req *req;
5001 struct l2cap_conn_param_update_rsp rsp;
5002 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 5003 int err;
de73115a
CT		 5004
5005 if (!(hcon->link_mode & HCI_LM_MASTER))
5006 return -EINVAL;
5007
5008 cmd_len = __le16_to_cpu(cmd->len);
5009 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5010 return -EPROTO;
5011
5012 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 5013 min = __le16_to_cpu(req->min);
5014 max = __le16_to_cpu(req->max);
de73115a
CT		 5015 latency = __le16_to_cpu(req->latency);
5016 to_multiplier = __le16_to_cpu(req->to_multiplier);
5017
5018 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 5019 min, max, latency, to_multiplier);
de73115a
CT		 5020
5021 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 5022
5023 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5024 if (err)
ac73498c 5025 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 5026 else
ac73498c 5027 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 5028
5029 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 5030 sizeof(rsp), &rsp);
de73115a 5031
2ce603eb
CT		 5032 if (!err)
5033 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5034
de73115a
CT		 5035 return 0;
5036}
5037
3300d9a9 5038static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5039 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5040 u8 *data)
3300d9a9
CT		 5041{
5042 int err = 0;
5043
5044 switch (cmd->code) {
5045 case L2CAP_COMMAND_REJ:
5046 l2cap_command_rej(conn, cmd, data);
5047 break;
5048
5049 case L2CAP_CONN_REQ:
5050 err = l2cap_connect_req(conn, cmd, data);
5051 break;
5052
5053 case L2CAP_CONN_RSP:
f5a2598d 5054 case L2CAP_CREATE_CHAN_RSP:
5909cf30 5055 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 5056 break;
5057
5058 case L2CAP_CONF_REQ:
5059 err = l2cap_config_req(conn, cmd, cmd_len, data);
5060 break;
5061
5062 case L2CAP_CONF_RSP:
5063 err = l2cap_config_rsp(conn, cmd, data);
5064 break;
5065
5066 case L2CAP_DISCONN_REQ:
5067 err = l2cap_disconnect_req(conn, cmd, data);
5068 break;
5069
5070 case L2CAP_DISCONN_RSP:
5071 err = l2cap_disconnect_rsp(conn, cmd, data);
5072 break;
5073
5074 case L2CAP_ECHO_REQ:
5075 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5076 break;
5077
5078 case L2CAP_ECHO_RSP:
5079 break;
5080
5081 case L2CAP_INFO_REQ:
5082 err = l2cap_information_req(conn, cmd, data);
5083 break;
5084
5085 case L2CAP_INFO_RSP:
5086 err = l2cap_information_rsp(conn, cmd, data);
5087 break;
5088
f94ff6ff
MM		 5089 case L2CAP_CREATE_CHAN_REQ:
5090 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5091 break;
5092
8d5a04a1
MM		 5093 case L2CAP_MOVE_CHAN_REQ:
5094 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5095 break;
5096
5097 case L2CAP_MOVE_CHAN_RSP:
5098 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5099 break;
5100
5101 case L2CAP_MOVE_CHAN_CFM:
5102 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5103 break;
5104
5105 case L2CAP_MOVE_CHAN_CFM_RSP:
5106 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5107 break;
5108
3300d9a9
CT		 5109 default:
5110 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5111 err = -EINVAL;
5112 break;
5113 }
5114
5115 return err;
5116}
5117
5118static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5119 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5120{
5121 switch (cmd->code) {
5122 case L2CAP_COMMAND_REJ:
5123 return 0;
5124
5125 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5126 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5127
5128 case L2CAP_CONN_PARAM_UPDATE_RSP:
5129 return 0;
5130
5131 default:
5132 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5133 return -EINVAL;
5134 }
5135}
5136
5137static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5138 struct sk_buff *skb)
1da177e4
LT		 5139{
5140 u8 *data = skb->data;
5141 int len = skb->len;
5142 struct l2cap_cmd_hdr cmd;
3300d9a9 5143 int err;
1da177e4
LT		 5144
5145 l2cap_raw_recv(conn, skb);
5146
5147 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5148 u16 cmd_len;
1da177e4
LT		 5149 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5150 data += L2CAP_CMD_HDR_SIZE;
5151 len -= L2CAP_CMD_HDR_SIZE;
5152
88219a0f 5153 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5154
2d792818
GP		 5155 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5156 cmd.ident);
1da177e4 5157
88219a0f 5158 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5159 BT_DBG("corrupted command");
5160 break;
5161 }
5162
3300d9a9
CT		 5163 if (conn->hcon->type == LE_LINK)
5164 err = l2cap_le_sig_cmd(conn, &cmd, data);
5165 else
5166 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 5167
5168 if (err) {
e2fd318e 5169 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5170
5171 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5172
5173 /* FIXME: Map err to a valid reason */
ac73498c 5174 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5175 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5176 sizeof(rej), &rej);
1da177e4
LT		 5177 }
5178
88219a0f
AV		 5179 data += cmd_len;
5180 len -= cmd_len;
1da177e4
LT		 5181 }
5182
5183 kfree_skb(skb);
5184}
5185
47d1ec61 5186static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5187{
5188 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5189 int hdr_size;
5190
5191 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5192 hdr_size = L2CAP_EXT_HDR_SIZE;
5193 else
5194 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5195
47d1ec61 5196 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5197 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5198 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5199 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5200
5201 if (our_fcs != rcv_fcs)
7a560e5c 5202 return -EBADMSG;
fcc203c3
GP		 5203 }
5204 return 0;
5205}
5206
6ea00485 5207static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5208{
e31f7633 5209 struct l2cap_ctrl control;
d5392c8f 5210
e31f7633 5211 BT_DBG("chan %p", chan);
d5392c8f 5212
e31f7633
MM		 5213 memset(&control, 0, sizeof(control));
5214 control.sframe = 1;
5215 control.final = 1;
5216 control.reqseq = chan->buffer_seq;
5217 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5218
e2ab4353 5219 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5220 control.super = L2CAP_SUPER_RNR;
5221 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5222 }
5223
e31f7633
MM		 5224 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5225 chan->unacked_frames > 0)
5226 __set_retrans_timer(chan);
d5392c8f 5227
e31f7633 5228 /* Send pending iframes */
525cd185 5229 l2cap_ertm_send(chan);
d5392c8f 5230
e2ab4353 5231 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5232 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5233 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5234 * send it now.
5235 */
5236 control.super = L2CAP_SUPER_RR;
5237 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5238 }
5239}
5240
2d792818
GP		 5241static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5242 struct sk_buff **last_frag)
18778a63 5243{
84084a31
MM		 5244 /* skb->len reflects data in skb as well as all fragments
5245 * skb->data_len reflects only data in fragments
5246 */
5247 if (!skb_has_frag_list(skb))
5248 skb_shinfo(skb)->frag_list = new_frag;
5249
5250 new_frag->next = NULL;
5251
5252 (*last_frag)->next = new_frag;
5253 *last_frag = new_frag;
5254
5255 skb->len += new_frag->len;
5256 skb->data_len += new_frag->len;
5257 skb->truesize += new_frag->truesize;
5258}
5259
4b51dae9
MM		 5260static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5261 struct l2cap_ctrl *control)
84084a31
MM		 5262{
5263 int err = -EINVAL;
18778a63 5264
4b51dae9 5265 switch (control->sar) {
7e0ef6ee 5266 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5267 if (chan->sdu)
5268 break;
18778a63 5269
80b98027 5270 err = chan->ops->recv(chan, skb);
84084a31 5271 break;
18778a63 5272
7e0ef6ee 5273 case L2CAP_SAR_START:
84084a31
MM		 5274 if (chan->sdu)
5275 break;
18778a63 5276
6f61fd47 5277 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5278 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5279
84084a31
MM		 5280 if (chan->sdu_len > chan->imtu) {
5281 err = -EMSGSIZE;
5282 break;
5283 }
1890d36b 5284
84084a31
MM		 5285 if (skb->len >= chan->sdu_len)
5286 break;
18778a63 5287
84084a31
MM		 5288 chan->sdu = skb;
5289 chan->sdu_last_frag = skb;
18778a63 5290
84084a31
MM		 5291 skb = NULL;
5292 err = 0;
18778a63
GP		 5293 break;
5294
7e0ef6ee 5295 case L2CAP_SAR_CONTINUE:
6f61fd47 5296 if (!chan->sdu)
84084a31 5297 break;
18778a63 5298
84084a31
MM		 5299 append_skb_frag(chan->sdu, skb,
5300 &chan->sdu_last_frag);
5301 skb = NULL;
18778a63 5302
84084a31
MM		 5303 if (chan->sdu->len >= chan->sdu_len)
5304 break;
4178ba46 5305
84084a31 5306 err = 0;
18778a63
GP		 5307 break;
5308
7e0ef6ee 5309 case L2CAP_SAR_END:
6f61fd47 5310 if (!chan->sdu)
84084a31 5311 break;
18778a63 5312
84084a31
MM		 5313 append_skb_frag(chan->sdu, skb,
5314 &chan->sdu_last_frag);
5315 skb = NULL;
4178ba46 5316
84084a31
MM		 5317 if (chan->sdu->len != chan->sdu_len)
5318 break;
18778a63 5319
80b98027 5320 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5321
84084a31
MM		 5322 if (!err) {
5323 /* Reassembly complete */
5324 chan->sdu = NULL;
5325 chan->sdu_last_frag = NULL;
5326 chan->sdu_len = 0;
1890d36b 5327 }
18778a63
GP		 5328 break;
5329 }
5330
84084a31
MM		 5331 if (err) {
5332 kfree_skb(skb);
5333 kfree_skb(chan->sdu);
5334 chan->sdu = NULL;
5335 chan->sdu_last_frag = NULL;
5336 chan->sdu_len = 0;
5337 }
18778a63 5338
84084a31 5339 return err;
18778a63
GP		 5340}
5341
32b32735
MM		 5342static int l2cap_resegment(struct l2cap_chan *chan)
5343{
5344 /* Placeholder */
5345 return 0;
5346}
5347
61aa4f5b 5348void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5349{
61aa4f5b 5350 u8 event;
712132eb 5351
61aa4f5b
MM		 5352 if (chan->mode != L2CAP_MODE_ERTM)
5353 return;
712132eb 5354
61aa4f5b 5355 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5356 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5357}
5358
d2a7ac5d
MM		 5359static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5360{
63838725
MM		 5361 int err = 0;
5362 /* Pass sequential frames to l2cap_reassemble_sdu()
5363 * until a gap is encountered.
5364 */
5365
5366 BT_DBG("chan %p", chan);
5367
5368 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5369 struct sk_buff *skb;
5370 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5371 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5372
5373 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5374
5375 if (!skb)
5376 break;
5377
5378 skb_unlink(skb, &chan->srej_q);
5379 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5380 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5381 if (err)
5382 break;
5383 }
5384
5385 if (skb_queue_empty(&chan->srej_q)) {
5386 chan->rx_state = L2CAP_RX_STATE_RECV;
5387 l2cap_send_ack(chan);
5388 }
5389
5390 return err;
d2a7ac5d
MM		 5391}
5392
5393static void l2cap_handle_srej(struct l2cap_chan *chan,
5394 struct l2cap_ctrl *control)
5395{
f80842a8
MM		 5396 struct sk_buff *skb;
5397
5398 BT_DBG("chan %p, control %p", chan, control);
5399
5400 if (control->reqseq == chan->next_tx_seq) {
5401 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5402 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5403 return;
5404 }
5405
5406 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5407
5408 if (skb == NULL) {
5409 BT_DBG("Seq %d not available for retransmission",
5410 control->reqseq);
5411 return;
5412 }
5413
5414 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5415 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5416 l2cap_send_disconn_req(chan, ECONNRESET);
f80842a8
MM		 5417 return;
5418 }
5419
5420 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5421
5422 if (control->poll) {
5423 l2cap_pass_to_tx(chan, control);
5424
5425 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5426 l2cap_retransmit(chan, control);
5427 l2cap_ertm_send(chan);
5428
5429 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5430 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5431 chan->srej_save_reqseq = control->reqseq;
5432 }
5433 } else {
5434 l2cap_pass_to_tx_fbit(chan, control);
5435
5436 if (control->final) {
5437 if (chan->srej_save_reqseq != control->reqseq ||
5438 !test_and_clear_bit(CONN_SREJ_ACT,
5439 &chan->conn_state))
5440 l2cap_retransmit(chan, control);
5441 } else {
5442 l2cap_retransmit(chan, control);
5443 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5444 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5445 chan->srej_save_reqseq = control->reqseq;
5446 }
5447 }
5448 }
d2a7ac5d
MM		 5449}
5450
5451static void l2cap_handle_rej(struct l2cap_chan *chan,
5452 struct l2cap_ctrl *control)
5453{
fcd289df
MM		 5454 struct sk_buff *skb;
5455
5456 BT_DBG("chan %p, control %p", chan, control);
5457
5458 if (control->reqseq == chan->next_tx_seq) {
5459 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5e4e3972 5460 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5461 return;
5462 }
5463
5464 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5465
5466 if (chan->max_tx && skb &&
5467 bt_cb(skb)->control.retries >= chan->max_tx) {
5468 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5e4e3972 5469 l2cap_send_disconn_req(chan, ECONNRESET);
fcd289df
MM		 5470 return;
5471 }
5472
5473 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5474
5475 l2cap_pass_to_tx(chan, control);
5476
5477 if (control->final) {
5478 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5479 l2cap_retransmit_all(chan, control);
5480 } else {
5481 l2cap_retransmit_all(chan, control);
5482 l2cap_ertm_send(chan);
5483 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5484 set_bit(CONN_REJ_ACT, &chan->conn_state);
5485 }
d2a7ac5d
MM		 5486}
5487
4b51dae9
MM		 5488static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5489{
5490 BT_DBG("chan %p, txseq %d", chan, txseq);
5491
5492 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5493 chan->expected_tx_seq);
5494
5495 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5496 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5497 chan->tx_win) {
4b51dae9
MM		 5498 /* See notes below regarding "double poll" and
5499 * invalid packets.
5500 */
5501 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5502 BT_DBG("Invalid/Ignore - after SREJ");
5503 return L2CAP_TXSEQ_INVALID_IGNORE;
5504 } else {
5505 BT_DBG("Invalid - in window after SREJ sent");
5506 return L2CAP_TXSEQ_INVALID;
5507 }
5508 }
5509
5510 if (chan->srej_list.head == txseq) {
5511 BT_DBG("Expected SREJ");
5512 return L2CAP_TXSEQ_EXPECTED_SREJ;
5513 }
5514
5515 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5516 BT_DBG("Duplicate SREJ - txseq already stored");
5517 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5518 }
5519
5520 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5521 BT_DBG("Unexpected SREJ - not requested");
5522 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5523 }
5524 }
5525
5526 if (chan->expected_tx_seq == txseq) {
5527 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5528 chan->tx_win) {
5529 BT_DBG("Invalid - txseq outside tx window");
5530 return L2CAP_TXSEQ_INVALID;
5531 } else {
5532 BT_DBG("Expected");
5533 return L2CAP_TXSEQ_EXPECTED;
5534 }
5535 }
5536
5537 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5538 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5539 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5540 return L2CAP_TXSEQ_DUPLICATE;
5541 }
5542
5543 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5544 /* A source of invalid packets is a "double poll" condition,
5545 * where delays cause us to send multiple poll packets. If
5546 * the remote stack receives and processes both polls,
5547 * sequence numbers can wrap around in such a way that a
5548 * resent frame has a sequence number that looks like new data
5549 * with a sequence gap. This would trigger an erroneous SREJ
5550 * request.
5551 *
5552 * Fortunately, this is impossible with a tx window that's
5553 * less than half of the maximum sequence number, which allows
5554 * invalid frames to be safely ignored.
5555 *
5556 * With tx window sizes greater than half of the tx window
5557 * maximum, the frame is invalid and cannot be ignored. This
5558 * causes a disconnect.
5559 */
5560
5561 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5562 BT_DBG("Invalid/Ignore - txseq outside tx window");
5563 return L2CAP_TXSEQ_INVALID_IGNORE;
5564 } else {
5565 BT_DBG("Invalid - txseq outside tx window");
5566 return L2CAP_TXSEQ_INVALID;
5567 }
5568 } else {
5569 BT_DBG("Unexpected - txseq indicates missing frames");
5570 return L2CAP_TXSEQ_UNEXPECTED;
5571 }
5572}
5573
d2a7ac5d
MM		 5574static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5575 struct l2cap_ctrl *control,
5576 struct sk_buff *skb, u8 event)
5577{
5578 int err = 0;
5579 bool skb_in_use = 0;
5580
5581 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5582 event);
5583
5584 switch (event) {
5585 case L2CAP_EV_RECV_IFRAME:
5586 switch (l2cap_classify_txseq(chan, control->txseq)) {
5587 case L2CAP_TXSEQ_EXPECTED:
5588 l2cap_pass_to_tx(chan, control);
5589
5590 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5591 BT_DBG("Busy, discarding expected seq %d",
5592 control->txseq);
5593 break;
5594 }
5595
5596 chan->expected_tx_seq = __next_seq(chan,
5597 control->txseq);
5598
5599 chan->buffer_seq = chan->expected_tx_seq;
5600 skb_in_use = 1;
5601
5602 err = l2cap_reassemble_sdu(chan, skb, control);
5603 if (err)
5604 break;
5605
5606 if (control->final) {
5607 if (!test_and_clear_bit(CONN_REJ_ACT,
5608 &chan->conn_state)) {
5609 control->final = 0;
5610 l2cap_retransmit_all(chan, control);
5611 l2cap_ertm_send(chan);
5612 }
5613 }
5614
5615 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5616 l2cap_send_ack(chan);
5617 break;
5618 case L2CAP_TXSEQ_UNEXPECTED:
5619 l2cap_pass_to_tx(chan, control);
5620
5621 /* Can't issue SREJ frames in the local busy state.
5622 * Drop this frame, it will be seen as missing
5623 * when local busy is exited.
5624 */
5625 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5626 BT_DBG("Busy, discarding unexpected seq %d",
5627 control->txseq);
5628 break;
5629 }
5630
5631 /* There was a gap in the sequence, so an SREJ
5632 * must be sent for each missing frame. The
5633 * current frame is stored for later use.
5634 */
5635 skb_queue_tail(&chan->srej_q, skb);
5636 skb_in_use = 1;
5637 BT_DBG("Queued %p (queue len %d)", skb,
5638 skb_queue_len(&chan->srej_q));
5639
5640 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5641 l2cap_seq_list_clear(&chan->srej_list);
5642 l2cap_send_srej(chan, control->txseq);
5643
5644 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5645 break;
5646 case L2CAP_TXSEQ_DUPLICATE:
5647 l2cap_pass_to_tx(chan, control);
5648 break;
5649 case L2CAP_TXSEQ_INVALID_IGNORE:
5650 break;
5651 case L2CAP_TXSEQ_INVALID:
5652 default:
5e4e3972 5653 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5654 break;
5655 }
5656 break;
5657 case L2CAP_EV_RECV_RR:
5658 l2cap_pass_to_tx(chan, control);
5659 if (control->final) {
5660 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5661
e6a3ee6e
MM		 5662 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5663 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5664 control->final = 0;
5665 l2cap_retransmit_all(chan, control);
5666 }
5667
5668 l2cap_ertm_send(chan);
5669 } else if (control->poll) {
5670 l2cap_send_i_or_rr_or_rnr(chan);
5671 } else {
5672 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5673 &chan->conn_state) &&
5674 chan->unacked_frames)
5675 __set_retrans_timer(chan);
5676
5677 l2cap_ertm_send(chan);
5678 }
5679 break;
5680 case L2CAP_EV_RECV_RNR:
5681 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5682 l2cap_pass_to_tx(chan, control);
5683 if (control && control->poll) {
5684 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5685 l2cap_send_rr_or_rnr(chan, 0);
5686 }
5687 __clear_retrans_timer(chan);
5688 l2cap_seq_list_clear(&chan->retrans_list);
5689 break;
5690 case L2CAP_EV_RECV_REJ:
5691 l2cap_handle_rej(chan, control);
5692 break;
5693 case L2CAP_EV_RECV_SREJ:
5694 l2cap_handle_srej(chan, control);
5695 break;
5696 default:
5697 break;
5698 }
5699
5700 if (skb && !skb_in_use) {
5701 BT_DBG("Freeing %p", skb);
5702 kfree_skb(skb);
5703 }
5704
5705 return err;
5706}
5707
5708static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5709 struct l2cap_ctrl *control,
5710 struct sk_buff *skb, u8 event)
5711{
5712 int err = 0;
5713 u16 txseq = control->txseq;
5714 bool skb_in_use = 0;
5715
5716 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5717 event);
5718
5719 switch (event) {
5720 case L2CAP_EV_RECV_IFRAME:
5721 switch (l2cap_classify_txseq(chan, txseq)) {
5722 case L2CAP_TXSEQ_EXPECTED:
5723 /* Keep frame for reassembly later */
5724 l2cap_pass_to_tx(chan, control);
5725 skb_queue_tail(&chan->srej_q, skb);
5726 skb_in_use = 1;
5727 BT_DBG("Queued %p (queue len %d)", skb,
5728 skb_queue_len(&chan->srej_q));
5729
5730 chan->expected_tx_seq = __next_seq(chan, txseq);
5731 break;
5732 case L2CAP_TXSEQ_EXPECTED_SREJ:
5733 l2cap_seq_list_pop(&chan->srej_list);
5734
5735 l2cap_pass_to_tx(chan, control);
5736 skb_queue_tail(&chan->srej_q, skb);
5737 skb_in_use = 1;
5738 BT_DBG("Queued %p (queue len %d)", skb,
5739 skb_queue_len(&chan->srej_q));
5740
5741 err = l2cap_rx_queued_iframes(chan);
5742 if (err)
5743 break;
5744
5745 break;
5746 case L2CAP_TXSEQ_UNEXPECTED:
5747 /* Got a frame that can't be reassembled yet.
5748 * Save it for later, and send SREJs to cover
5749 * the missing frames.
5750 */
5751 skb_queue_tail(&chan->srej_q, skb);
5752 skb_in_use = 1;
5753 BT_DBG("Queued %p (queue len %d)", skb,
5754 skb_queue_len(&chan->srej_q));
5755
5756 l2cap_pass_to_tx(chan, control);
5757 l2cap_send_srej(chan, control->txseq);
5758 break;
5759 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5760 /* This frame was requested with an SREJ, but
5761 * some expected retransmitted frames are
5762 * missing. Request retransmission of missing
5763 * SREJ'd frames.
5764 */
5765 skb_queue_tail(&chan->srej_q, skb);
5766 skb_in_use = 1;
5767 BT_DBG("Queued %p (queue len %d)", skb,
5768 skb_queue_len(&chan->srej_q));
5769
5770 l2cap_pass_to_tx(chan, control);
5771 l2cap_send_srej_list(chan, control->txseq);
5772 break;
5773 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5774 /* We've already queued this frame. Drop this copy. */
5775 l2cap_pass_to_tx(chan, control);
5776 break;
5777 case L2CAP_TXSEQ_DUPLICATE:
5778 /* Expecting a later sequence number, so this frame
5779 * was already received. Ignore it completely.
5780 */
5781 break;
5782 case L2CAP_TXSEQ_INVALID_IGNORE:
5783 break;
5784 case L2CAP_TXSEQ_INVALID:
5785 default:
5e4e3972 5786 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5787 break;
5788 }
5789 break;
5790 case L2CAP_EV_RECV_RR:
5791 l2cap_pass_to_tx(chan, control);
5792 if (control->final) {
5793 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5794
5795 if (!test_and_clear_bit(CONN_REJ_ACT,
5796 &chan->conn_state)) {
5797 control->final = 0;
5798 l2cap_retransmit_all(chan, control);
5799 }
5800
5801 l2cap_ertm_send(chan);
5802 } else if (control->poll) {
5803 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5804 &chan->conn_state) &&
5805 chan->unacked_frames) {
5806 __set_retrans_timer(chan);
5807 }
5808
5809 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5810 l2cap_send_srej_tail(chan);
5811 } else {
5812 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5813 &chan->conn_state) &&
5814 chan->unacked_frames)
5815 __set_retrans_timer(chan);
5816
5817 l2cap_send_ack(chan);
5818 }
5819 break;
5820 case L2CAP_EV_RECV_RNR:
5821 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5822 l2cap_pass_to_tx(chan, control);
5823 if (control->poll) {
5824 l2cap_send_srej_tail(chan);
5825 } else {
5826 struct l2cap_ctrl rr_control;
5827 memset(&rr_control, 0, sizeof(rr_control));
5828 rr_control.sframe = 1;
5829 rr_control.super = L2CAP_SUPER_RR;
5830 rr_control.reqseq = chan->buffer_seq;
5831 l2cap_send_sframe(chan, &rr_control);
5832 }
5833
5834 break;
5835 case L2CAP_EV_RECV_REJ:
5836 l2cap_handle_rej(chan, control);
5837 break;
5838 case L2CAP_EV_RECV_SREJ:
5839 l2cap_handle_srej(chan, control);
5840 break;
5841 }
5842
5843 if (skb && !skb_in_use) {
5844 BT_DBG("Freeing %p", skb);
5845 kfree_skb(skb);
5846 }
5847
5848 return err;
5849}
5850
32b32735
MM		 5851static int l2cap_finish_move(struct l2cap_chan *chan)
5852{
5853 BT_DBG("chan %p", chan);
5854
5855 chan->rx_state = L2CAP_RX_STATE_RECV;
5856
5857 if (chan->hs_hcon)
5858 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5859 else
5860 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5861
5862 return l2cap_resegment(chan);
5863}
5864
5865static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5866 struct l2cap_ctrl *control,
5867 struct sk_buff *skb, u8 event)
5868{
5869 int err;
5870
5871 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5872 event);
5873
5874 if (!control->poll)
5875 return -EPROTO;
5876
5877 l2cap_process_reqseq(chan, control->reqseq);
5878
5879 if (!skb_queue_empty(&chan->tx_q))
5880 chan->tx_send_head = skb_peek(&chan->tx_q);
5881 else
5882 chan->tx_send_head = NULL;
5883
5884 /* Rewind next_tx_seq to the point expected
5885 * by the receiver.
5886 */
5887 chan->next_tx_seq = control->reqseq;
5888 chan->unacked_frames = 0;
5889
5890 err = l2cap_finish_move(chan);
5891 if (err)
5892 return err;
5893
5894 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5895 l2cap_send_i_or_rr_or_rnr(chan);
5896
5897 if (event == L2CAP_EV_RECV_IFRAME)
5898 return -EPROTO;
5899
5900 return l2cap_rx_state_recv(chan, control, NULL, event);
5901}
5902
5903static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5904 struct l2cap_ctrl *control,
5905 struct sk_buff *skb, u8 event)
5906{
5907 int err;
5908
5909 if (!control->final)
5910 return -EPROTO;
5911
5912 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5913
5914 chan->rx_state = L2CAP_RX_STATE_RECV;
5915 l2cap_process_reqseq(chan, control->reqseq);
5916
5917 if (!skb_queue_empty(&chan->tx_q))
5918 chan->tx_send_head = skb_peek(&chan->tx_q);
5919 else
5920 chan->tx_send_head = NULL;
5921
5922 /* Rewind next_tx_seq to the point expected
5923 * by the receiver.
5924 */
5925 chan->next_tx_seq = control->reqseq;
5926 chan->unacked_frames = 0;
5927
5928 if (chan->hs_hcon)
5929 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5930 else
5931 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5932
5933 err = l2cap_resegment(chan);
5934
5935 if (!err)
5936 err = l2cap_rx_state_recv(chan, control, skb, event);
5937
5938 return err;
5939}
5940
d2a7ac5d
MM		 5941static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5942{
5943 /* Make sure reqseq is for a packet that has been sent but not acked */
5944 u16 unacked;
5945
5946 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5947 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5948}
5949
cec8ab6e
MM		 5950static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5951 struct sk_buff *skb, u8 event)
218bb9df 5952{
d2a7ac5d
MM		 5953 int err = 0;
5954
5955 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5956 control, skb, event, chan->rx_state);
5957
5958 if (__valid_reqseq(chan, control->reqseq)) {
5959 switch (chan->rx_state) {
5960 case L2CAP_RX_STATE_RECV:
5961 err = l2cap_rx_state_recv(chan, control, skb, event);
5962 break;
5963 case L2CAP_RX_STATE_SREJ_SENT:
5964 err = l2cap_rx_state_srej_sent(chan, control, skb,
5965 event);
5966 break;
32b32735
MM		 5967 case L2CAP_RX_STATE_WAIT_P:
5968 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5969 break;
5970 case L2CAP_RX_STATE_WAIT_F:
5971 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5972 break;
d2a7ac5d
MM		 5973 default:
5974 /* shut it down */
5975 break;
5976 }
5977 } else {
5978 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5979 control->reqseq, chan->next_tx_seq,
5980 chan->expected_ack_seq);
5e4e3972 5981 l2cap_send_disconn_req(chan, ECONNRESET);
d2a7ac5d
MM		 5982 }
5983
5984 return err;
cec8ab6e
MM		 5985}
5986
5987static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5988 struct sk_buff *skb)
5989{
4b51dae9
MM		 5990 int err = 0;
5991
5992 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5993 chan->rx_state);
5994
5995 if (l2cap_classify_txseq(chan, control->txseq) ==
5996 L2CAP_TXSEQ_EXPECTED) {
5997 l2cap_pass_to_tx(chan, control);
5998
5999 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6000 __next_seq(chan, chan->buffer_seq));
6001
6002 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6003
6004 l2cap_reassemble_sdu(chan, skb, control);
6005 } else {
6006 if (chan->sdu) {
6007 kfree_skb(chan->sdu);
6008 chan->sdu = NULL;
6009 }
6010 chan->sdu_last_frag = NULL;
6011 chan->sdu_len = 0;
6012
6013 if (skb) {
6014 BT_DBG("Freeing %p", skb);
6015 kfree_skb(skb);
6016 }
6017 }
6018
6019 chan->last_acked_seq = control->txseq;
6020 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6021
6022 return err;
cec8ab6e
MM		 6023}
6024
6025static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6026{
6027 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6028 u16 len;
6029 u8 event;
218bb9df 6030
b76bbd66
MM		 6031 __unpack_control(chan, skb);
6032
218bb9df
GP		 6033 len = skb->len;
6034
6035 /*
6036 * We can just drop the corrupted I-frame here.
6037 * Receiver will miss it and start proper recovery
cec8ab6e 6038 * procedures and ask for retransmission.
218bb9df 6039 */
47d1ec61 6040 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6041 goto drop;
6042
cec8ab6e 6043 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6044 len -= L2CAP_SDULEN_SIZE;
218bb9df 6045
47d1ec61 6046 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6047 len -= L2CAP_FCS_SIZE;
218bb9df 6048
47d1ec61 6049 if (len > chan->mps) {
5e4e3972 6050 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6051 goto drop;
6052 }
6053
cec8ab6e
MM		 6054 if (!control->sframe) {
6055 int err;
218bb9df 6056
cec8ab6e
MM		 6057 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6058 control->sar, control->reqseq, control->final,
6059 control->txseq);
218bb9df 6060
cec8ab6e
MM		 6061 /* Validate F-bit - F=0 always valid, F=1 only
6062 * valid in TX WAIT_F
6063 */
6064 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6065 goto drop;
cec8ab6e
MM		 6066
6067 if (chan->mode != L2CAP_MODE_STREAMING) {
6068 event = L2CAP_EV_RECV_IFRAME;
6069 err = l2cap_rx(chan, control, skb, event);
6070 } else {
6071 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6072 }
6073
cec8ab6e 6074 if (err)
5e4e3972 6075 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df 6076 } else {
cec8ab6e
MM		 6077 const u8 rx_func_to_event[4] = {
6078 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6079 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6080 };
6081
6082 /* Only I-frames are expected in streaming mode */
6083 if (chan->mode == L2CAP_MODE_STREAMING)
6084 goto drop;
6085
6086 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6087 control->reqseq, control->final, control->poll,
6088 control->super);
6089
218bb9df 6090 if (len != 0) {
1bb166e6 6091 BT_ERR("Trailing bytes: %d in sframe", len);
5e4e3972 6092 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6093 goto drop;
6094 }
6095
cec8ab6e
MM		 6096 /* Validate F and P bits */
6097 if (control->final && (control->poll ||
6098 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6099 goto drop;
6100
6101 event = rx_func_to_event[control->super];
6102 if (l2cap_rx(chan, control, skb, event))
5e4e3972 6103 l2cap_send_disconn_req(chan, ECONNRESET);
218bb9df
GP		 6104 }
6105
6106 return 0;
6107
6108drop:
6109 kfree_skb(skb);
6110 return 0;
6111}
6112
13ca56e0
AE		 6113static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6114 struct sk_buff *skb)
1da177e4 6115{
48454079 6116 struct l2cap_chan *chan;
1da177e4 6117
baa7e1fa 6118 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6119 if (!chan) {
97e8e89d
AE		 6120 if (cid == L2CAP_CID_A2MP) {
6121 chan = a2mp_channel_create(conn, skb);
6122 if (!chan) {
6123 kfree_skb(skb);
13ca56e0 6124 return;
97e8e89d
AE		 6125 }
6126
6127 l2cap_chan_lock(chan);
6128 } else {
6129 BT_DBG("unknown cid 0x%4.4x", cid);
6130 /* Drop packet and return */
6131 kfree_skb(skb);
13ca56e0 6132 return;
97e8e89d 6133 }
1da177e4
LT		 6134 }
6135
49208c9c 6136 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6137
89bc500e 6138 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6139 goto drop;
6140
0c1bc5c6 6141 switch (chan->mode) {
1c2acffb
GP		 6142 case L2CAP_MODE_BASIC:
6143 /* If socket recv buffers overflows we drop data here
6144 * which is *bad* because L2CAP has to be reliable.
6145 * But we don't have any other choice. L2CAP doesn't
6146 * provide flow control mechanism. */
1da177e4 6147
0c1bc5c6 6148 if (chan->imtu < skb->len)
1c2acffb 6149 goto drop;
1da177e4 6150
80b98027 6151 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6152 goto done;
6153 break;
6154
6155 case L2CAP_MODE_ERTM:
6840ed07 6156 case L2CAP_MODE_STREAMING:
cec8ab6e 6157 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6158 goto done;
6159
1c2acffb 6160 default:
0c1bc5c6 6161 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6162 break;
6163 }
1da177e4
LT		 6164
6165drop:
6166 kfree_skb(skb);
6167
6168done:
6be36555 6169 l2cap_chan_unlock(chan);
1da177e4
LT		 6170}
6171
84104b24
AE		 6172static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6173 struct sk_buff *skb)
1da177e4 6174{
23691d75 6175 struct l2cap_chan *chan;
1da177e4 6176
c2287681 6177 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6178 if (!chan)
1da177e4
LT		 6179 goto drop;
6180
5b4cedaa 6181 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6182
89bc500e 6183 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6184 goto drop;
6185
e13e21dc 6186 if (chan->imtu < skb->len)
1da177e4
LT		 6187 goto drop;
6188
80b98027 6189 if (!chan->ops->recv(chan, skb))
84104b24 6190 return;
1da177e4
LT		 6191
6192drop:
6193 kfree_skb(skb);
1da177e4
LT		 6194}
6195
6810fca7
AE		 6196static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
6197 struct sk_buff *skb)
9f69bda6 6198{
23691d75 6199 struct l2cap_chan *chan;
9f69bda6 6200
c2287681 6201 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 6202 if (!chan)
9f69bda6
GP		 6203 goto drop;
6204
5b4cedaa 6205 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6206
89bc500e 6207 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6208 goto drop;
6209
e13e21dc 6210 if (chan->imtu < skb->len)
9f69bda6
GP		 6211 goto drop;
6212
80b98027 6213 if (!chan->ops->recv(chan, skb))
6810fca7 6214 return;
9f69bda6
GP		 6215
6216drop:
6217 kfree_skb(skb);
9f69bda6
GP		 6218}
6219
1da177e4
LT		 6220static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6221{
6222 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6223 u16 cid, len;
6224 __le16 psm;
1da177e4
LT		 6225
6226 skb_pull(skb, L2CAP_HDR_SIZE);
6227 cid = __le16_to_cpu(lh->cid);
6228 len = __le16_to_cpu(lh->len);
6229
1c2acffb
GP		 6230 if (len != skb->len) {
6231 kfree_skb(skb);
6232 return;
6233 }
6234
1da177e4
LT		 6235 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6236
6237 switch (cid) {
3300d9a9 6238 case L2CAP_CID_LE_SIGNALING:
8db4dc46 6239 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6240 l2cap_sig_channel(conn, skb);
6241 break;
6242
8db4dc46 6243 case L2CAP_CID_CONN_LESS:
097db76c 6244 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6245 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6246 l2cap_conless_channel(conn, psm, skb);
6247 break;
6248
9f69bda6
GP		 6249 case L2CAP_CID_LE_DATA:
6250 l2cap_att_channel(conn, cid, skb);
6251 break;
6252
b501d6a1
AB		 6253 case L2CAP_CID_SMP:
6254 if (smp_sig_channel(conn, skb))
6255 l2cap_conn_del(conn->hcon, EACCES);
6256 break;
6257
1da177e4
LT		 6258 default:
6259 l2cap_data_channel(conn, cid, skb);
6260 break;
6261 }
6262}
6263
6264/* ---- L2CAP interface with lower layer (HCI) ---- */
6265
686ebf28 6266int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6267{
6268 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6269 struct l2cap_chan *c;
1da177e4 6270
6ed93dc6 6271 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6272
6273 /* Find listening sockets and check their link_mode */
23691d75
GP		 6274 read_lock(&chan_list_lock);
6275 list_for_each_entry(c, &chan_list, global_l) {
6276 struct sock *sk = c->sk;
4343478f 6277
89bc500e 6278 if (c->state != BT_LISTEN)
1da177e4
LT		 6279 continue;
6280
6281 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6282 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6283 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6284 lm1 |= HCI_LM_MASTER;
1da177e4 6285 exact++;
2af6b9d5
MH		 6286 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6287 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6288 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6289 lm2 |= HCI_LM_MASTER;
6290 }
1da177e4 6291 }
23691d75 6292 read_unlock(&chan_list_lock);
1da177e4
LT		 6293
6294 return exact ? lm1 : lm2;
6295}
6296
9e664631 6297void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6298{
0139418c
MH		 6299 struct l2cap_conn *conn;
6300
6ed93dc6 6301 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6302
1da177e4 6303 if (!status) {
1da177e4
LT		 6304 conn = l2cap_conn_add(hcon, status);
6305 if (conn)
6306 l2cap_conn_ready(conn);
ba6fc317 6307 } else {
e175072f 6308 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6309 }
1da177e4
LT		 6310}
6311
686ebf28 6312int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6313{
6314 struct l2cap_conn *conn = hcon->l2cap_data;
6315
6316 BT_DBG("hcon %p", hcon);
6317
686ebf28 6318 if (!conn)
9f5a0d7b 6319 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6320 return conn->disc_reason;
6321}
6322
9e664631 6323void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6324{
6325 BT_DBG("hcon %p reason %d", hcon, reason);
6326
e175072f 6327 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6328}
6329
4343478f 6330static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6331{
715ec005 6332 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6333 return;
6334
f62e4323 6335 if (encrypt == 0x00) {
4343478f 6336 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6337 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6338 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6339 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6340 } else {
4343478f 6341 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6342 __clear_chan_timer(chan);
f62e4323
MH		 6343 }
6344}
6345
686ebf28 6346int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6347{
0139418c 6348 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6349 struct l2cap_chan *chan;
1da177e4 6350
0139418c 6351 if (!conn)
1da177e4 6352 return 0;
0139418c 6353
89d8b407 6354 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6355
160dc6ac 6356 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6357 if (!status && encrypt)
6358 smp_distribute_keys(conn, 0);
17cd3f37 6359 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6360 }
6361
3df91ea2 6362 mutex_lock(&conn->chan_lock);
1da177e4 6363
3df91ea2 6364 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6365 l2cap_chan_lock(chan);
1da177e4 6366
89d8b407
AE		 6367 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6368 state_to_string(chan->state));
f1cb9af5 6369
78eb2f98
AE		 6370 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6371 l2cap_chan_unlock(chan);
6372 continue;
6373 }
6374
f1cb9af5
VCG		 6375 if (chan->scid == L2CAP_CID_LE_DATA) {
6376 if (!status && encrypt) {
6377 chan->sec_level = hcon->sec_level;
cf4cd009 6378 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6379 }
6380
6be36555 6381 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6382 continue;
6383 }
6384
96eff46e 6385 if (!__l2cap_no_conn_pending(chan)) {
6be36555 6386 l2cap_chan_unlock(chan);
6a8d3010
MH		 6387 continue;
6388 }
6389
89bc500e 6390 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6391 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6392 struct sock *sk = chan->sk;
6393
c5daa683 6394 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6395 sk->sk_state_change(sk);
6396
4343478f 6397 l2cap_check_encryption(chan, encrypt);
6be36555 6398 l2cap_chan_unlock(chan);
9719f8af
MH		 6399 continue;
6400 }
6401
89bc500e 6402 if (chan->state == BT_CONNECT) {
b1235d79 6403 if (!status) {
93c3e8f5 6404 l2cap_start_connection(chan);
b1235d79 6405 } else {
ba13ccd9 6406 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6407 }
89bc500e 6408 } else if (chan->state == BT_CONNECT2) {
6be36555 6409 struct sock *sk = chan->sk;
b1235d79 6410 struct l2cap_conn_rsp rsp;
df3c3931 6411 __u16 res, stat;
1da177e4 6412
6be36555
AE		 6413 lock_sock(sk);
6414
b1235d79 6415 if (!status) {
c5daa683
GP		 6416 if (test_bit(BT_SK_DEFER_SETUP,
6417 &bt_sk(sk)->flags)) {
df3c3931
JH		 6418 res = L2CAP_CR_PEND;
6419 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6420 chan->ops->defer(chan);
df3c3931 6421 } else {
0e587be7 6422 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6423 res = L2CAP_CR_SUCCESS;
6424 stat = L2CAP_CS_NO_INFO;
6425 }
b1235d79 6426 } else {
0e587be7 6427 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6428 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6429 res = L2CAP_CR_SEC_BLOCK;
6430 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6431 }
6432
6be36555
AE		 6433 release_sock(sk);
6434
fe4128e0
GP		 6435 rsp.scid = cpu_to_le16(chan->dcid);
6436 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6437 rsp.result = cpu_to_le16(res);
6438 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6439 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6440 sizeof(rsp), &rsp);
2d369359
MM		 6441
6442 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6443 res == L2CAP_CR_SUCCESS) {
6444 char buf[128];
6445 set_bit(CONF_REQ_SENT, &chan->conf_state);
6446 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6447 L2CAP_CONF_REQ,
6448 l2cap_build_conf_req(chan, buf),
6449 buf);
6450 chan->num_conf_req++;
6451 }
b1235d79 6452 }
1da177e4 6453
6be36555 6454 l2cap_chan_unlock(chan);
1da177e4
LT		 6455 }
6456
3df91ea2 6457 mutex_unlock(&conn->chan_lock);
b1235d79 6458
1da177e4
LT		 6459 return 0;
6460}
6461
686ebf28 6462int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6463{
6464 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6465 struct l2cap_hdr *hdr;
6466 int len;
1da177e4 6467
1d13a254
AE		 6468 /* For AMP controller do not create l2cap conn */
6469 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6470 goto drop;
1da177e4 6471
5a08ecce
AE		 6472 if (!conn)
6473 conn = l2cap_conn_add(hcon, 0);
6474
6475 if (!conn)
1da177e4
LT		 6476 goto drop;
6477
6478 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6479
d73a0988
AE		 6480 switch (flags) {
6481 case ACL_START:
6482 case ACL_START_NO_FLUSH:
6483 case ACL_COMPLETE:
1da177e4
LT		 6484 if (conn->rx_len) {
6485 BT_ERR("Unexpected start frame (len %d)", skb->len);
6486 kfree_skb(conn->rx_skb);
6487 conn->rx_skb = NULL;
6488 conn->rx_len = 0;
6489 l2cap_conn_unreliable(conn, ECOMM);
6490 }
6491
aae7fe22
AE		 6492 /* Start fragment always begin with Basic L2CAP header */
6493 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6494 BT_ERR("Frame is too short (len %d)", skb->len);
6495 l2cap_conn_unreliable(conn, ECOMM);
6496 goto drop;
6497 }
6498
6499 hdr = (struct l2cap_hdr *) skb->data;
6500 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6501
6502 if (len == skb->len) {
6503 /* Complete frame received */
6504 l2cap_recv_frame(conn, skb);
6505 return 0;
6506 }
6507
6508 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6509
6510 if (skb->len > len) {
6511 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6512 skb->len, len);
1da177e4
LT		 6513 l2cap_conn_unreliable(conn, ECOMM);
6514 goto drop;
6515 }
6516
6517 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6518 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6519 if (!conn->rx_skb)
1da177e4
LT		 6520 goto drop;
6521
d626f62b 6522 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6523 skb->len);
1da177e4 6524 conn->rx_len = len - skb->len;
d73a0988
AE		 6525 break;
6526
6527 case ACL_CONT:
1da177e4
LT		 6528 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6529
6530 if (!conn->rx_len) {
6531 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6532 l2cap_conn_unreliable(conn, ECOMM);
6533 goto drop;
6534 }
6535
6536 if (skb->len > conn->rx_len) {
6537 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6538 skb->len, conn->rx_len);
1da177e4
LT		 6539 kfree_skb(conn->rx_skb);
6540 conn->rx_skb = NULL;
6541 conn->rx_len = 0;
6542 l2cap_conn_unreliable(conn, ECOMM);
6543 goto drop;
6544 }
6545
d626f62b 6546 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6547 skb->len);
1da177e4
LT		 6548 conn->rx_len -= skb->len;
6549
6550 if (!conn->rx_len) {
6551 /* Complete frame received */
6552 l2cap_recv_frame(conn, conn->rx_skb);
6553 conn->rx_skb = NULL;
6554 }
d73a0988 6555 break;
1da177e4
LT		 6556 }
6557
6558drop:
6559 kfree_skb(skb);
6560 return 0;
6561}
6562
aef7d97c 6563static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6564{
23691d75 6565 struct l2cap_chan *c;
1da177e4 6566
333055f2 6567 read_lock(&chan_list_lock);
1da177e4 6568
23691d75
GP		 6569 list_for_each_entry(c, &chan_list, global_l) {
6570 struct sock *sk = c->sk;
101545f6 6571
fcb73338
AE		 6572 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6573 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6574 c->state, __le16_to_cpu(c->psm),
6575 c->scid, c->dcid, c->imtu, c->omtu,
6576 c->sec_level, c->mode);
61e1b4b7 6577 }
1da177e4 6578
333055f2 6579 read_unlock(&chan_list_lock);
1da177e4 6580
aef7d97c 6581 return 0;
1da177e4
LT		 6582}
6583
aef7d97c
MH		 6584static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6585{
6586 return single_open(file, l2cap_debugfs_show, inode->i_private);
6587}
6588
6589static const struct file_operations l2cap_debugfs_fops = {
6590 .open = l2cap_debugfs_open,
6591 .read = seq_read,
6592 .llseek = seq_lseek,
6593 .release = single_release,
6594};
6595
6596static struct dentry *l2cap_debugfs;
1da177e4 6597
64274518 6598int __init l2cap_init(void)
1da177e4
LT		 6599{
6600 int err;
be9d1227 6601
bb58f747 6602 err = l2cap_init_sockets();
1da177e4
LT		 6603 if (err < 0)
6604 return err;
6605
aef7d97c 6606 if (bt_debugfs) {
2d792818
GP		 6607 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6608 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6609 if (!l2cap_debugfs)
6610 BT_ERR("Failed to create L2CAP debug file");
6611 }
1da177e4 6612
1da177e4 6613 return 0;
1da177e4
LT		 6614}
6615
64274518 6616void l2cap_exit(void)
1da177e4 6617{
aef7d97c 6618 debugfs_remove(l2cap_debugfs);
bb58f747 6619 l2cap_cleanup_sockets();
1da177e4
LT		 6620}
6621
d1c4a17d
GP		 6622module_param(disable_ertm, bool, 0644);
6623MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)