projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: AMP: Remove hci_conn receiving error command status
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap_core.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
ce5706bd 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5d8868ff 5 Copyright (C) 2010 Google Inc.
590051de 6 Copyright (C) 2011 ProFUSION Embedded Systems
422e925b 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
1da177e4
LT		 8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
8e87d142
YH		 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 26 SOFTWARE IS DISCLAIMED.
27*/
28
bb58f747 29/* Bluetooth L2CAP core. */
1da177e4 30
1da177e4
LT		 31#include <linux/module.h>
32
aef7d97c 33#include <linux/debugfs.h>
fcc203c3 34#include <linux/crc16.h>
1da177e4
LT		 35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
b501d6a1 39#include <net/bluetooth/smp.h>
97e8e89d 40#include <net/bluetooth/a2mp.h>
5ce66b59 41#include <net/bluetooth/amp.h>
1da177e4 42
d1de6d46 43bool disable_ertm;
f0709e03 44
47ec1dcd 45static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
50a147cd 46static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
1da177e4 47
b5ad8b7f
JB		 48static LIST_HEAD(chan_list);
49static DEFINE_RWLOCK(chan_list_lock);
1da177e4 50
1da177e4 51static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2d792818 52 u8 code, u8 ident, u16 dlen, void *data);
4519de9a 53static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
2d792818 54 void *data);
710f9b0a 55static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
4519de9a 56static void l2cap_send_disconn_req(struct l2cap_conn *conn,
c5daa683 57 struct l2cap_chan *chan, int err);
1da177e4 58
d660366d 59static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2d792818 60 struct sk_buff_head *skbs, u8 event);
608bcc6d 61
0139418c 62/* ---- L2CAP channels ---- */
71ba0e56 63
2d792818
GP		 64static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
65 u16 cid)
0139418c 66{
3df91ea2 67 struct l2cap_chan *c;
3d57dc68 68
3df91ea2
AE		 69 list_for_each_entry(c, &conn->chan_l, list) {
70 if (c->dcid == cid)
71 return c;
0139418c 72 }
3df91ea2 73 return NULL;
0139418c
MH		 74}
75
2d792818
GP		 76static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
77 u16 cid)
0139418c 78{
3df91ea2 79 struct l2cap_chan *c;
3d57dc68 80
3df91ea2
AE		 81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->scid == cid)
83 return c;
0139418c 84 }
3df91ea2 85 return NULL;
0139418c
MH		 86}
87
88/* Find channel with given SCID.
ef191ade 89 * Returns locked channel. */
2d792818
GP		 90static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
91 u16 cid)
0139418c 92{
48454079 93 struct l2cap_chan *c;
baa7e1fa 94
3df91ea2 95 mutex_lock(&conn->chan_lock);
baa7e1fa 96 c = __l2cap_get_chan_by_scid(conn, cid);
ef191ade
MM		 97 if (c)
98 l2cap_chan_lock(c);
3df91ea2
AE		 99 mutex_unlock(&conn->chan_lock);
100
48454079 101 return c;
0139418c
MH		 102}
103
b1a130b7
MM		 104/* Find channel with given DCID.
105 * Returns locked channel.
106 */
107static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
108 u16 cid)
109{
110 struct l2cap_chan *c;
111
112 mutex_lock(&conn->chan_lock);
113 c = __l2cap_get_chan_by_dcid(conn, cid);
114 if (c)
115 l2cap_chan_lock(c);
116 mutex_unlock(&conn->chan_lock);
117
118 return c;
119}
120
2d792818
GP		 121static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
122 u8 ident)
0139418c 123{
3df91ea2 124 struct l2cap_chan *c;
3d57dc68 125
3df91ea2
AE		 126 list_for_each_entry(c, &conn->chan_l, list) {
127 if (c->ident == ident)
128 return c;
0139418c 129 }
3df91ea2 130 return NULL;
0139418c
MH		 131}
132
5b155ef9
MM		 133static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
134 u8 ident)
135{
136 struct l2cap_chan *c;
137
138 mutex_lock(&conn->chan_lock);
139 c = __l2cap_get_chan_by_ident(conn, ident);
140 if (c)
141 l2cap_chan_lock(c);
142 mutex_unlock(&conn->chan_lock);
143
144 return c;
145}
146
23691d75 147static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
9e4425ff 148{
23691d75 149 struct l2cap_chan *c;
9e4425ff 150
23691d75
GP		 151 list_for_each_entry(c, &chan_list, global_l) {
152 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
250938cb 153 return c;
9e4425ff 154 }
250938cb 155 return NULL;
9e4425ff
GP		 156}
157
158int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
159{
73b2ec18
GP		 160 int err;
161
333055f2 162 write_lock(&chan_list_lock);
9e4425ff 163
23691d75 164 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
73b2ec18
GP		 165 err = -EADDRINUSE;
166 goto done;
9e4425ff
GP		 167 }
168
73b2ec18
GP		 169 if (psm) {
170 chan->psm = psm;
171 chan->sport = psm;
172 err = 0;
173 } else {
174 u16 p;
175
176 err = -EINVAL;
177 for (p = 0x1001; p < 0x1100; p += 2)
23691d75 178 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
73b2ec18
GP		 179 chan->psm = cpu_to_le16(p);
180 chan->sport = cpu_to_le16(p);
181 err = 0;
182 break;
183 }
184 }
9e4425ff 185
73b2ec18 186done:
333055f2 187 write_unlock(&chan_list_lock);
73b2ec18 188 return err;
9e4425ff
GP		 189}
190
191int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
192{
333055f2 193 write_lock(&chan_list_lock);
9e4425ff
GP		 194
195 chan->scid = scid;
196
333055f2 197 write_unlock(&chan_list_lock);
9e4425ff
GP		 198
199 return 0;
200}
201
baa7e1fa 202static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
0139418c 203{
8db4dc46 204 u16 cid = L2CAP_CID_DYN_START;
0139418c 205
8db4dc46 206 for (; cid < L2CAP_CID_DYN_END; cid++) {
baa7e1fa 207 if (!__l2cap_get_chan_by_scid(conn, cid))
0139418c
MH		 208 return cid;
209 }
210
211 return 0;
212}
213
0e587be7 214static void __l2cap_state_change(struct l2cap_chan *chan, int state)
89bc500e 215{
42d2d87c 216 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
2d792818 217 state_to_string(state));
badaaa00 218
89bc500e 219 chan->state = state;
80b98027 220 chan->ops->state_change(chan, state);
89bc500e
GP		 221}
222
0e587be7
AE		 223static void l2cap_state_change(struct l2cap_chan *chan, int state)
224{
225 struct sock *sk = chan->sk;
226
227 lock_sock(sk);
228 __l2cap_state_change(chan, state);
229 release_sock(sk);
230}
231
2e0052e4
AE		 232static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
233{
234 struct sock *sk = chan->sk;
235
236 sk->sk_err = err;
237}
238
239static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
240{
241 struct sock *sk = chan->sk;
242
243 lock_sock(sk);
244 __l2cap_chan_set_err(chan, err);
245 release_sock(sk);
246}
247
4239d16f
MM		 248static void __set_retrans_timer(struct l2cap_chan *chan)
249{
250 if (!delayed_work_pending(&chan->monitor_timer) &&
251 chan->retrans_timeout) {
252 l2cap_set_timer(chan, &chan->retrans_timer,
253 msecs_to_jiffies(chan->retrans_timeout));
254 }
255}
256
257static void __set_monitor_timer(struct l2cap_chan *chan)
258{
259 __clear_retrans_timer(chan);
260 if (chan->monitor_timeout) {
261 l2cap_set_timer(chan, &chan->monitor_timer,
262 msecs_to_jiffies(chan->monitor_timeout));
263 }
264}
265
608bcc6d
MM		 266static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
267 u16 seq)
268{
269 struct sk_buff *skb;
270
271 skb_queue_walk(head, skb) {
272 if (bt_cb(skb)->control.txseq == seq)
273 return skb;
274 }
275
276 return NULL;
277}
278
3c588192
MM		 279/* ---- L2CAP sequence number lists ---- */
280
281/* For ERTM, ordered lists of sequence numbers must be tracked for
282 * SREJ requests that are received and for frames that are to be
283 * retransmitted. These seq_list functions implement a singly-linked
284 * list in an array, where membership in the list can also be checked
285 * in constant time. Items can also be added to the tail of the list
286 * and removed from the head in constant time, without further memory
287 * allocs or frees.
288 */
289
290static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
291{
292 size_t alloc_size, i;
293
294 /* Allocated size is a power of 2 to map sequence numbers
295 * (which may be up to 14 bits) in to a smaller array that is
296 * sized for the negotiated ERTM transmit windows.
297 */
298 alloc_size = roundup_pow_of_two(size);
299
300 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
301 if (!seq_list->list)
302 return -ENOMEM;
303
304 seq_list->mask = alloc_size - 1;
305 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
306 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
307 for (i = 0; i < alloc_size; i++)
308 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
309
310 return 0;
311}
312
313static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
314{
315 kfree(seq_list->list);
316}
317
318static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
319 u16 seq)
320{
321 /* Constant-time check for list membership */
322 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
323}
324
325static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
326{
327 u16 mask = seq_list->mask;
328
329 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
330 /* In case someone tries to pop the head of an empty list */
331 return L2CAP_SEQ_LIST_CLEAR;
332 } else if (seq_list->head == seq) {
333 /* Head can be removed in constant time */
334 seq_list->head = seq_list->list[seq & mask];
335 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
336
337 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
338 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
339 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
340 }
341 } else {
342 /* Walk the list to find the sequence number */
343 u16 prev = seq_list->head;
344 while (seq_list->list[prev & mask] != seq) {
345 prev = seq_list->list[prev & mask];
346 if (prev == L2CAP_SEQ_LIST_TAIL)
347 return L2CAP_SEQ_LIST_CLEAR;
348 }
349
350 /* Unlink the number from the list and clear it */
351 seq_list->list[prev & mask] = seq_list->list[seq & mask];
352 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
353 if (seq_list->tail == seq)
354 seq_list->tail = prev;
355 }
356 return seq;
357}
358
359static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
360{
361 /* Remove the head in constant time */
362 return l2cap_seq_list_remove(seq_list, seq_list->head);
363}
364
365static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
366{
f522ae36 367 u16 i;
3c588192 368
f522ae36
GP		 369 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
370 return;
371
372 for (i = 0; i <= seq_list->mask; i++)
373 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
374
375 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
376 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
3c588192
MM		 377}
378
379static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
380{
381 u16 mask = seq_list->mask;
382
383 /* All appends happen in constant time */
384
f522ae36
GP		 385 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
386 return;
3c588192 387
f522ae36
GP		 388 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
389 seq_list->head = seq;
390 else
391 seq_list->list[seq_list->tail & mask] = seq;
392
393 seq_list->tail = seq;
394 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
3c588192
MM		 395}
396
721c4181 397static void l2cap_chan_timeout(struct work_struct *work)
ab07801d 398{
721c4181 399 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2d792818 400 chan_timer.work);
3df91ea2 401 struct l2cap_conn *conn = chan->conn;
ab07801d
GP		 402 int reason;
403
e05dcc32 404 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
ab07801d 405
3df91ea2 406 mutex_lock(&conn->chan_lock);
6be36555 407 l2cap_chan_lock(chan);
ab07801d 408
89bc500e 409 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
ab07801d 410 reason = ECONNREFUSED;
89bc500e 411 else if (chan->state == BT_CONNECT &&
2d792818 412 chan->sec_level != BT_SECURITY_SDP)
ab07801d
GP		 413 reason = ECONNREFUSED;
414 else
415 reason = ETIMEDOUT;
416
0f852724 417 l2cap_chan_close(chan, reason);
ab07801d 418
6be36555 419 l2cap_chan_unlock(chan);
ab07801d 420
80b98027 421 chan->ops->close(chan);
3df91ea2
AE		 422 mutex_unlock(&conn->chan_lock);
423
371fd835 424 l2cap_chan_put(chan);
ab07801d
GP		 425}
426
eef1d9b6 427struct l2cap_chan *l2cap_chan_create(void)
48454079
GP		 428{
429 struct l2cap_chan *chan;
430
431 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
432 if (!chan)
433 return NULL;
434
c03b355e
AE		 435 mutex_init(&chan->lock);
436
333055f2 437 write_lock(&chan_list_lock);
23691d75 438 list_add(&chan->global_l, &chan_list);
333055f2 439 write_unlock(&chan_list_lock);
23691d75 440
721c4181 441 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
ab07801d 442
89bc500e
GP		 443 chan->state = BT_OPEN;
444
144ad330 445 kref_init(&chan->kref);
71ba0e56 446
2827011f
MM		 447 /* This flag is cleared in l2cap_chan_ready() */
448 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
449
eef1d9b6 450 BT_DBG("chan %p", chan);
abc545b8 451
48454079
GP		 452 return chan;
453}
454
144ad330 455static void l2cap_chan_destroy(struct kref *kref)
6ff5abbf 456{
144ad330
SS		 457 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
458
4af66c69
JK		 459 BT_DBG("chan %p", chan);
460
333055f2 461 write_lock(&chan_list_lock);
23691d75 462 list_del(&chan->global_l);
333055f2 463 write_unlock(&chan_list_lock);
23691d75 464
4af66c69 465 kfree(chan);
6ff5abbf
GP		 466}
467
30648372
JK		 468void l2cap_chan_hold(struct l2cap_chan *c)
469{
144ad330 470 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 471
144ad330 472 kref_get(&c->kref);
30648372
JK		 473}
474
475void l2cap_chan_put(struct l2cap_chan *c)
476{
144ad330 477 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
30648372 478
144ad330 479 kref_put(&c->kref, l2cap_chan_destroy);
30648372
JK		 480}
481
bd4b1653
AE		 482void l2cap_chan_set_defaults(struct l2cap_chan *chan)
483{
484 chan->fcs = L2CAP_FCS_CRC16;
485 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
486 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
487 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
c20f8e35 488 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
bd4b1653
AE		 489 chan->sec_level = BT_SECURITY_LOW;
490
491 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
492}
493
93c3e8f5 494void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
0139418c 495{
af05b30b 496 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
097db76c 497 __le16_to_cpu(chan->psm), chan->dcid);
0139418c 498
9f5a0d7b 499 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 500
8c1d787b 501 chan->conn = conn;
0139418c 502
5491120e
AE		 503 switch (chan->chan_type) {
504 case L2CAP_CHAN_CONN_ORIENTED:
b62f328b
VT		 505 if (conn->hcon->type == LE_LINK) {
506 /* LE connection */
6fcb06a2 507 chan->omtu = L2CAP_DEFAULT_MTU;
fe4128e0
GP		 508 chan->scid = L2CAP_CID_LE_DATA;
509 chan->dcid = L2CAP_CID_LE_DATA;
b62f328b
VT		 510 } else {
511 /* Alloc CID for connection-oriented socket */
fe4128e0 512 chan->scid = l2cap_alloc_cid(conn);
0c1bc5c6 513 chan->omtu = L2CAP_DEFAULT_MTU;
b62f328b 514 }
5491120e
AE		 515 break;
516
517 case L2CAP_CHAN_CONN_LESS:
0139418c 518 /* Connectionless socket */
fe4128e0
GP		 519 chan->scid = L2CAP_CID_CONN_LESS;
520 chan->dcid = L2CAP_CID_CONN_LESS;
0c1bc5c6 521 chan->omtu = L2CAP_DEFAULT_MTU;
5491120e
AE		 522 break;
523
416fa752
AE		 524 case L2CAP_CHAN_CONN_FIX_A2MP:
525 chan->scid = L2CAP_CID_A2MP;
526 chan->dcid = L2CAP_CID_A2MP;
527 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
528 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
529 break;
530
5491120e 531 default:
0139418c 532 /* Raw socket can send/recv signalling messages only */
fe4128e0
GP		 533 chan->scid = L2CAP_CID_SIGNALING;
534 chan->dcid = L2CAP_CID_SIGNALING;
0c1bc5c6 535 chan->omtu = L2CAP_DEFAULT_MTU;
0139418c
MH		 536 }
537
8f7975b1
AE		 538 chan->local_id = L2CAP_BESTEFFORT_ID;
539 chan->local_stype = L2CAP_SERV_BESTEFFORT;
540 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
541 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
542 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
8936fa6d 543 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
8f7975b1 544
371fd835 545 l2cap_chan_hold(chan);
baa7e1fa 546
3df91ea2 547 list_add(&chan->list, &conn->chan_l);
643162a8
AE		 548}
549
466f8004 550void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643162a8
AE		 551{
552 mutex_lock(&conn->chan_lock);
553 __l2cap_chan_add(conn, chan);
3df91ea2 554 mutex_unlock(&conn->chan_lock);
0139418c
MH		 555}
556
466f8004 557void l2cap_chan_del(struct l2cap_chan *chan, int err)
0139418c 558{
8c1d787b 559 struct l2cap_conn *conn = chan->conn;
0139418c 560
c9b66675 561 __clear_chan_timer(chan);
0139418c 562
49208c9c 563 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
0139418c 564
8e87d142 565 if (conn) {
56f60984 566 struct amp_mgr *mgr = conn->hcon->amp_mgr;
baa7e1fa 567 /* Delete from channel list */
3df91ea2 568 list_del(&chan->list);
3d57dc68 569
371fd835 570 l2cap_chan_put(chan);
baa7e1fa 571
8c1d787b 572 chan->conn = NULL;
3cabbfda
AE		 573
574 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
575 hci_conn_put(conn->hcon);
56f60984
AE		 576
577 if (mgr && mgr->bredr_chan == chan)
578 mgr->bredr_chan = NULL;
0139418c
MH		 579 }
580
b699ec0d 581 chan->ops->teardown(chan, err);
6be36555 582
2827011f 583 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
6ff5abbf 584 return;
2ead70b8 585
ee556f66
GP		 586 switch(chan->mode) {
587 case L2CAP_MODE_BASIC:
588 break;
c13ffa62 589
ee556f66 590 case L2CAP_MODE_ERTM:
1a09bcb9
GP		 591 __clear_retrans_timer(chan);
592 __clear_monitor_timer(chan);
593 __clear_ack_timer(chan);
c13ffa62 594
f1c6775b 595 skb_queue_purge(&chan->srej_q);
c13ffa62 596
3c588192
MM		 597 l2cap_seq_list_free(&chan->srej_list);
598 l2cap_seq_list_free(&chan->retrans_list);
ee556f66
GP		 599
600 /* fall through */
601
602 case L2CAP_MODE_STREAMING:
603 skb_queue_purge(&chan->tx_q);
604 break;
c13ffa62 605 }
ee556f66
GP		 606
607 return;
0139418c
MH		 608}
609
0f852724 610void l2cap_chan_close(struct l2cap_chan *chan, int reason)
4519de9a
GP		 611{
612 struct l2cap_conn *conn = chan->conn;
613 struct sock *sk = chan->sk;
614
2d792818
GP		 615 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
616 sk);
4519de9a 617
89bc500e 618 switch (chan->state) {
4519de9a 619 case BT_LISTEN:
b699ec0d 620 chan->ops->teardown(chan, 0);
4519de9a
GP		 621 break;
622
623 case BT_CONNECTED:
624 case BT_CONFIG:
715ec005 625 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 626 conn->hcon->type == ACL_LINK) {
c9b66675 627 __set_chan_timer(chan, sk->sk_sndtimeo);
4519de9a
GP		 628 l2cap_send_disconn_req(conn, chan, reason);
629 } else
630 l2cap_chan_del(chan, reason);
631 break;
632
633 case BT_CONNECT2:
715ec005 634 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
2d792818 635 conn->hcon->type == ACL_LINK) {
4519de9a
GP		 636 struct l2cap_conn_rsp rsp;
637 __u16 result;
638
c5daa683 639 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
4519de9a
GP		 640 result = L2CAP_CR_SEC_BLOCK;
641 else
642 result = L2CAP_CR_BAD_PSM;
89bc500e 643 l2cap_state_change(chan, BT_DISCONN);
4519de9a
GP		 644
645 rsp.scid = cpu_to_le16(chan->dcid);
646 rsp.dcid = cpu_to_le16(chan->scid);
647 rsp.result = cpu_to_le16(result);
ac73498c 648 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4519de9a 649 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 650 sizeof(rsp), &rsp);
4519de9a
GP		 651 }
652
653 l2cap_chan_del(chan, reason);
654 break;
655
656 case BT_CONNECT:
657 case BT_DISCONN:
658 l2cap_chan_del(chan, reason);
659 break;
660
661 default:
b699ec0d 662 chan->ops->teardown(chan, 0);
4519de9a
GP		 663 break;
664 }
665}
666
4343478f 667static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
79d554a6 668{
715ec005 669 if (chan->chan_type == L2CAP_CHAN_RAW) {
4343478f 670 switch (chan->sec_level) {
8556edd3
JH		 671 case BT_SECURITY_HIGH:
672 return HCI_AT_DEDICATED_BONDING_MITM;
673 case BT_SECURITY_MEDIUM:
674 return HCI_AT_DEDICATED_BONDING;
675 default:
676 return HCI_AT_NO_BONDING;
677 }
2983fd68 678 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
4343478f
GP		 679 if (chan->sec_level == BT_SECURITY_LOW)
680 chan->sec_level = BT_SECURITY_SDP;
0684e5f9 681
4343478f 682 if (chan->sec_level == BT_SECURITY_HIGH)
8556edd3 683 return HCI_AT_NO_BONDING_MITM;
00ae4af9 684 else
8556edd3 685 return HCI_AT_NO_BONDING;
00ae4af9 686 } else {
4343478f 687 switch (chan->sec_level) {
00ae4af9 688 case BT_SECURITY_HIGH:
8556edd3 689 return HCI_AT_GENERAL_BONDING_MITM;
00ae4af9 690 case BT_SECURITY_MEDIUM:
8556edd3 691 return HCI_AT_GENERAL_BONDING;
00ae4af9 692 default:
8556edd3 693 return HCI_AT_NO_BONDING;
00ae4af9 694 }
0684e5f9 695 }
8556edd3
JH		 696}
697
698/* Service level security */
d45fc423 699int l2cap_chan_check_security(struct l2cap_chan *chan)
8556edd3 700{
8c1d787b 701 struct l2cap_conn *conn = chan->conn;
8556edd3
JH		 702 __u8 auth_type;
703
4343478f 704 auth_type = l2cap_get_auth_type(chan);
79d554a6 705
4343478f 706 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
79d554a6
MH		 707}
708
b5ad8b7f 709static u8 l2cap_get_ident(struct l2cap_conn *conn)
4e8402a3
MH		 710{
711 u8 id;
712
713 /* Get next available identificator.
714 * 1 - 128 are used by kernel.
715 * 129 - 199 are reserved.
716 * 200 - 254 are used by utilities like l2ping, etc.
717 */
718
333055f2 719 spin_lock(&conn->lock);
4e8402a3
MH		 720
721 if (++conn->tx_ident > 128)
722 conn->tx_ident = 1;
723
724 id = conn->tx_ident;
725
333055f2 726 spin_unlock(&conn->lock);
4e8402a3
MH		 727
728 return id;
729}
730
2d792818
GP		 731static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
732 void *data)
4e8402a3
MH		 733{
734 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
e702112f 735 u8 flags;
4e8402a3
MH		 736
737 BT_DBG("code 0x%2.2x", code);
738
739 if (!skb)
9a9c6a34 740 return;
4e8402a3 741
e702112f
AE		 742 if (lmp_no_flush_capable(conn->hcon->hdev))
743 flags = ACL_START_NO_FLUSH;
744 else
745 flags = ACL_START;
746
14b12d0b 747 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
5e59b791 748 skb->priority = HCI_PRIO_MAX;
14b12d0b 749
73d80deb
LAD		 750 hci_send_acl(conn->hchan, skb, flags);
751}
752
02b0fbb9
MM		 753static bool __chan_is_moving(struct l2cap_chan *chan)
754{
755 return chan->move_state != L2CAP_MOVE_STABLE &&
756 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
757}
758
73d80deb
LAD		 759static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
760{
761 struct hci_conn *hcon = chan->conn->hcon;
762 u16 flags;
763
764 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
2d792818 765 skb->priority);
73d80deb 766
d5f8a75d
MM		 767 if (chan->hs_hcon && !__chan_is_moving(chan)) {
768 if (chan->hs_hchan)
769 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
770 else
771 kfree_skb(skb);
772
773 return;
774 }
775
73d80deb 776 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
2d792818 777 lmp_no_flush_capable(hcon->hdev))
73d80deb
LAD		 778 flags = ACL_START_NO_FLUSH;
779 else
780 flags = ACL_START;
14b12d0b 781
73d80deb
LAD		 782 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
783 hci_send_acl(chan->conn->hchan, skb, flags);
4e8402a3
MH		 784}
785
b76bbd66
MM		 786static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
787{
788 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
789 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
790
791 if (enh & L2CAP_CTRL_FRAME_TYPE) {
792 /* S-Frame */
793 control->sframe = 1;
794 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
795 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
796
797 control->sar = 0;
798 control->txseq = 0;
799 } else {
800 /* I-Frame */
801 control->sframe = 0;
802 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
803 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
804
805 control->poll = 0;
806 control->super = 0;
807 }
808}
809
b76bbd66
MM		 810static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
811{
812 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
813 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
814
815 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
816 /* S-Frame */
817 control->sframe = 1;
818 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
819 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
820
821 control->sar = 0;
822 control->txseq = 0;
823 } else {
824 /* I-Frame */
825 control->sframe = 0;
826 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
827 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
828
829 control->poll = 0;
830 control->super = 0;
831 }
832}
833
834static inline void __unpack_control(struct l2cap_chan *chan,
835 struct sk_buff *skb)
836{
837 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
838 __unpack_extended_control(get_unaligned_le32(skb->data),
839 &bt_cb(skb)->control);
cec8ab6e 840 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
b76bbd66
MM		 841 } else {
842 __unpack_enhanced_control(get_unaligned_le16(skb->data),
843 &bt_cb(skb)->control);
cec8ab6e 844 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
b76bbd66
MM		 845 }
846}
847
b5c6aaed
MM		 848static u32 __pack_extended_control(struct l2cap_ctrl *control)
849{
850 u32 packed;
851
852 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
853 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
854
855 if (control->sframe) {
856 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
857 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
858 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
859 } else {
860 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
861 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
862 }
863
864 return packed;
865}
866
867static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
868{
869 u16 packed;
870
871 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
872 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
873
874 if (control->sframe) {
875 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
876 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
877 packed |= L2CAP_CTRL_FRAME_TYPE;
878 } else {
879 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
880 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
881 }
882
883 return packed;
884}
885
b76bbd66
MM		 886static inline void __pack_control(struct l2cap_chan *chan,
887 struct l2cap_ctrl *control,
888 struct sk_buff *skb)
889{
890 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
891 put_unaligned_le32(__pack_extended_control(control),
892 skb->data + L2CAP_HDR_SIZE);
893 } else {
894 put_unaligned_le16(__pack_enhanced_control(control),
895 skb->data + L2CAP_HDR_SIZE);
896 }
897}
898
ba7aa64f
GP		 899static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
900{
901 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
902 return L2CAP_EXT_HDR_SIZE;
903 else
904 return L2CAP_ENH_HDR_SIZE;
905}
906
a67d7f6f
MM		 907static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
908 u32 control)
b5c6aaed
MM		 909{
910 struct sk_buff *skb;
911 struct l2cap_hdr *lh;
ba7aa64f 912 int hlen = __ertm_hdr_size(chan);
b5c6aaed
MM		 913
914 if (chan->fcs == L2CAP_FCS_CRC16)
915 hlen += L2CAP_FCS_SIZE;
916
a67d7f6f 917 skb = bt_skb_alloc(hlen, GFP_KERNEL);
b5c6aaed 918
b5c6aaed 919 if (!skb)
a67d7f6f 920 return ERR_PTR(-ENOMEM);
b5c6aaed
MM		 921
922 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
923 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
924 lh->cid = cpu_to_le16(chan->dcid);
925
a67d7f6f
MM		 926 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
927 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
928 else
929 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
b5c6aaed
MM		 930
931 if (chan->fcs == L2CAP_FCS_CRC16) {
a67d7f6f 932 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
b5c6aaed
MM		 933 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
934 }
935
936 skb->priority = HCI_PRIO_MAX;
a67d7f6f
MM		 937 return skb;
938}
939
940static void l2cap_send_sframe(struct l2cap_chan *chan,
941 struct l2cap_ctrl *control)
942{
943 struct sk_buff *skb;
944 u32 control_field;
945
946 BT_DBG("chan %p, control %p", chan, control);
947
948 if (!control->sframe)
949 return;
950
b99e13ad
MM		 951 if (__chan_is_moving(chan))
952 return;
953
a67d7f6f
MM		 954 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
955 !control->poll)
956 control->final = 1;
957
958 if (control->super == L2CAP_SUPER_RR)
959 clear_bit(CONN_RNR_SENT, &chan->conn_state);
960 else if (control->super == L2CAP_SUPER_RNR)
961 set_bit(CONN_RNR_SENT, &chan->conn_state);
962
963 if (control->super != L2CAP_SUPER_SREJ) {
964 chan->last_acked_seq = control->reqseq;
965 __clear_ack_timer(chan);
966 }
967
968 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
969 control->final, control->poll, control->super);
970
971 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
972 control_field = __pack_extended_control(control);
973 else
974 control_field = __pack_enhanced_control(control);
975
976 skb = l2cap_create_sframe_pdu(chan, control_field);
977 if (!IS_ERR(skb))
978 l2cap_do_send(chan, skb);
b5c6aaed
MM		 979}
980
c9e3d5e0 981static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
b5c6aaed 982{
c9e3d5e0
MM		 983 struct l2cap_ctrl control;
984
985 BT_DBG("chan %p, poll %d", chan, poll);
986
987 memset(&control, 0, sizeof(control));
988 control.sframe = 1;
989 control.poll = poll;
990
991 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
992 control.super = L2CAP_SUPER_RNR;
993 else
994 control.super = L2CAP_SUPER_RR;
b5c6aaed 995
c9e3d5e0
MM		 996 control.reqseq = chan->buffer_seq;
997 l2cap_send_sframe(chan, &control);
b5c6aaed
MM		 998}
999
b4450035 1000static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
e501d055 1001{
c1360a1c 1002 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
e501d055
AE		 1003}
1004
93c3e8f5
AE		 1005static bool __amp_capable(struct l2cap_chan *chan)
1006{
1007 struct l2cap_conn *conn = chan->conn;
1008
1009 if (enable_hs &&
1010 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1011 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1012 return true;
1013 else
1014 return false;
1015}
1016
5ce66b59
AE		 1017static bool l2cap_check_efs(struct l2cap_chan *chan)
1018{
1019 /* Check EFS parameters */
1020 return true;
1021}
1022
2766be48 1023void l2cap_send_conn_req(struct l2cap_chan *chan)
9b27f350
AE		 1024{
1025 struct l2cap_conn *conn = chan->conn;
1026 struct l2cap_conn_req req;
1027
1028 req.scid = cpu_to_le16(chan->scid);
1029 req.psm = chan->psm;
1030
1031 chan->ident = l2cap_get_ident(conn);
1032
1033 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1034
1035 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1036}
1037
8eb200bd
MM		 1038static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1039{
1040 struct l2cap_create_chan_req req;
1041 req.scid = cpu_to_le16(chan->scid);
1042 req.psm = chan->psm;
1043 req.amp_id = amp_id;
1044
1045 chan->ident = l2cap_get_ident(chan->conn);
1046
1047 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1048 sizeof(req), &req);
1049}
1050
02b0fbb9
MM		 1051static void l2cap_move_setup(struct l2cap_chan *chan)
1052{
1053 struct sk_buff *skb;
1054
1055 BT_DBG("chan %p", chan);
1056
1057 if (chan->mode != L2CAP_MODE_ERTM)
1058 return;
1059
1060 __clear_retrans_timer(chan);
1061 __clear_monitor_timer(chan);
1062 __clear_ack_timer(chan);
1063
1064 chan->retry_count = 0;
1065 skb_queue_walk(&chan->tx_q, skb) {
1066 if (bt_cb(skb)->control.retries)
1067 bt_cb(skb)->control.retries = 1;
1068 else
1069 break;
1070 }
1071
1072 chan->expected_tx_seq = chan->buffer_seq;
1073
1074 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1075 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1076 l2cap_seq_list_clear(&chan->retrans_list);
1077 l2cap_seq_list_clear(&chan->srej_list);
1078 skb_queue_purge(&chan->srej_q);
1079
1080 chan->tx_state = L2CAP_TX_STATE_XMIT;
1081 chan->rx_state = L2CAP_RX_STATE_MOVE;
1082
1083 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1084}
1085
5f3847a4
MM		 1086static void l2cap_move_done(struct l2cap_chan *chan)
1087{
1088 u8 move_role = chan->move_role;
1089 BT_DBG("chan %p", chan);
1090
1091 chan->move_state = L2CAP_MOVE_STABLE;
1092 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1093
1094 if (chan->mode != L2CAP_MODE_ERTM)
1095 return;
1096
1097 switch (move_role) {
1098 case L2CAP_MOVE_ROLE_INITIATOR:
1099 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1100 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1101 break;
1102 case L2CAP_MOVE_ROLE_RESPONDER:
1103 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1104 break;
1105 }
1106}
1107
9f0caeb1
VCG		 1108static void l2cap_chan_ready(struct l2cap_chan *chan)
1109{
2827011f 1110 /* This clears all conf flags, including CONF_NOT_COMPLETE */
9f0caeb1
VCG		 1111 chan->conf_state = 0;
1112 __clear_chan_timer(chan);
1113
54a59aa2 1114 chan->state = BT_CONNECTED;
9f0caeb1 1115
fd83e2c2 1116 chan->ops->ready(chan);
9f0caeb1
VCG		 1117}
1118
93c3e8f5
AE		 1119static void l2cap_start_connection(struct l2cap_chan *chan)
1120{
1121 if (__amp_capable(chan)) {
1122 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1123 a2mp_discover_amp(chan);
1124 } else {
1125 l2cap_send_conn_req(chan);
1126 }
1127}
1128
fc7f8a7e 1129static void l2cap_do_start(struct l2cap_chan *chan)
79d554a6 1130{
8c1d787b 1131 struct l2cap_conn *conn = chan->conn;
79d554a6 1132
9f0caeb1
VCG		 1133 if (conn->hcon->type == LE_LINK) {
1134 l2cap_chan_ready(chan);
1135 return;
1136 }
1137
79d554a6 1138 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 1139 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1140 return;
1141
d45fc423 1142 if (l2cap_chan_check_security(chan) &&
2d792818 1143 __l2cap_no_conn_pending(chan)) {
93c3e8f5
AE		 1144 l2cap_start_connection(chan);
1145 }
79d554a6
MH		 1146 } else {
1147 struct l2cap_info_req req;
ac73498c 1148 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 1149
1150 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1151 conn->info_ident = l2cap_get_ident(conn);
1152
ba13ccd9 1153 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 1154
2d792818
GP		 1155 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1156 sizeof(req), &req);
79d554a6
MH		 1157 }
1158}
1159
cf6c2c0b
GP		 1160static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1161{
1162 u32 local_feat_mask = l2cap_feat_mask;
d1c4a17d 1163 if (!disable_ertm)
cf6c2c0b
GP		 1164 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1165
1166 switch (mode) {
1167 case L2CAP_MODE_ERTM:
1168 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1169 case L2CAP_MODE_STREAMING:
1170 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1171 default:
1172 return 0x00;
1173 }
1174}
1175
2d792818
GP		 1176static void l2cap_send_disconn_req(struct l2cap_conn *conn,
1177 struct l2cap_chan *chan, int err)
22121fc9 1178{
6be36555 1179 struct sock *sk = chan->sk;
22121fc9
GP		 1180 struct l2cap_disconn_req req;
1181
c13ffa62
GP		 1182 if (!conn)
1183 return;
1184
aad3d0e3 1185 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1a09bcb9
GP		 1186 __clear_retrans_timer(chan);
1187 __clear_monitor_timer(chan);
1188 __clear_ack_timer(chan);
c13ffa62
GP		 1189 }
1190
416fa752 1191 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
d117773c 1192 l2cap_state_change(chan, BT_DISCONN);
416fa752
AE		 1193 return;
1194 }
1195
fe4128e0
GP		 1196 req.dcid = cpu_to_le16(chan->dcid);
1197 req.scid = cpu_to_le16(chan->scid);
2d792818
GP		 1198 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1199 sizeof(req), &req);
c13ffa62 1200
6be36555 1201 lock_sock(sk);
0e587be7 1202 __l2cap_state_change(chan, BT_DISCONN);
2e0052e4 1203 __l2cap_chan_set_err(chan, err);
6be36555 1204 release_sock(sk);
22121fc9
GP		 1205}
1206
1da177e4 1207/* ---- L2CAP connections ---- */
4e8402a3
MH		 1208static void l2cap_conn_start(struct l2cap_conn *conn)
1209{
3df91ea2 1210 struct l2cap_chan *chan, *tmp;
4e8402a3
MH		 1211
1212 BT_DBG("conn %p", conn);
1213
3df91ea2 1214 mutex_lock(&conn->chan_lock);
4e8402a3 1215
3df91ea2 1216 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
48454079 1217 struct sock *sk = chan->sk;
baa7e1fa 1218
6be36555 1219 l2cap_chan_lock(chan);
4e8402a3 1220
715ec005 1221 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1222 l2cap_chan_unlock(chan);
79d554a6
MH		 1223 continue;
1224 }
1225
89bc500e 1226 if (chan->state == BT_CONNECT) {
d45fc423 1227 if (!l2cap_chan_check_security(chan) ||
2d792818 1228 !__l2cap_no_conn_pending(chan)) {
6be36555 1229 l2cap_chan_unlock(chan);
47731de7
GP		 1230 continue;
1231 }
79d554a6 1232
c1360a1c 1233 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
2d792818 1234 && test_bit(CONF_STATE2_DEVICE,
c1360a1c 1235 &chan->conf_state)) {
89bc500e 1236 l2cap_chan_close(chan, ECONNRESET);
6be36555 1237 l2cap_chan_unlock(chan);
47731de7 1238 continue;
b1235d79 1239 }
47731de7 1240
93c3e8f5 1241 l2cap_start_connection(chan);
47731de7 1242
89bc500e 1243 } else if (chan->state == BT_CONNECT2) {
79d554a6 1244 struct l2cap_conn_rsp rsp;
e9aeb2dd 1245 char buf[128];
fe4128e0
GP		 1246 rsp.scid = cpu_to_le16(chan->dcid);
1247 rsp.dcid = cpu_to_le16(chan->scid);
79d554a6 1248
d45fc423 1249 if (l2cap_chan_check_security(chan)) {
6be36555 1250 lock_sock(sk);
c5daa683
GP		 1251 if (test_bit(BT_SK_DEFER_SETUP,
1252 &bt_sk(sk)->flags)) {
ac73498c
AE		 1253 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1254 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
2dc4e510 1255 chan->ops->defer(chan);
f66dc81f
MH		 1256
1257 } else {
0e587be7 1258 __l2cap_state_change(chan, BT_CONFIG);
ac73498c
AE		 1259 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1260 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
f66dc81f 1261 }
6be36555 1262 release_sock(sk);
79d554a6 1263 } else {
ac73498c
AE		 1264 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1265 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
79d554a6
MH		 1266 }
1267
fc7f8a7e 1268 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 1269 sizeof(rsp), &rsp);
e9aeb2dd 1270
c1360a1c 1271 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
2d792818 1272 rsp.result != L2CAP_CR_SUCCESS) {
6be36555 1273 l2cap_chan_unlock(chan);
e9aeb2dd
GP		 1274 continue;
1275 }
1276
c1360a1c 1277 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 1278 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 1279 l2cap_build_conf_req(chan, buf), buf);
73ffa904 1280 chan->num_conf_req++;
4e8402a3
MH		 1281 }
1282
6be36555 1283 l2cap_chan_unlock(chan);
4e8402a3
MH		 1284 }
1285
3df91ea2 1286 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1287}
1288
c2287681 1289/* Find socket with cid and source/destination bdaddr.
b62f328b
VT		 1290 * Returns closest match, locked.
1291 */
d9b88702 1292static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
c2287681
IY		 1293 bdaddr_t *src,
1294 bdaddr_t *dst)
b62f328b 1295{
23691d75 1296 struct l2cap_chan *c, *c1 = NULL;
b62f328b 1297
23691d75 1298 read_lock(&chan_list_lock);
b62f328b 1299
23691d75
GP		 1300 list_for_each_entry(c, &chan_list, global_l) {
1301 struct sock *sk = c->sk;
fe4128e0 1302
89bc500e 1303 if (state && c->state != state)
b62f328b
VT		 1304 continue;
1305
23691d75 1306 if (c->scid == cid) {
c2287681
IY		 1307 int src_match, dst_match;
1308 int src_any, dst_any;
1309
b62f328b 1310 /* Exact match. */
c2287681
IY		 1311 src_match = !bacmp(&bt_sk(sk)->src, src);
1312 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1313 if (src_match && dst_match) {
23691d75
GP		 1314 read_unlock(&chan_list_lock);
1315 return c;
1316 }
b62f328b
VT		 1317
1318 /* Closest match */
c2287681
IY		 1319 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1320 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1321 if ((src_match && dst_any) || (src_any && dst_match) ||
1322 (src_any && dst_any))
23691d75 1323 c1 = c;
b62f328b
VT		 1324 }
1325 }
280f294f 1326
23691d75 1327 read_unlock(&chan_list_lock);
b62f328b 1328
23691d75 1329 return c1;
b62f328b
VT		 1330}
1331
1332static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1333{
c916fbe4 1334 struct sock *parent, *sk;
23691d75 1335 struct l2cap_chan *chan, *pchan;
b62f328b
VT		 1336
1337 BT_DBG("");
1338
1339 /* Check if we have socket listening on cid */
23691d75 1340 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
c2287681 1341 conn->src, conn->dst);
23691d75 1342 if (!pchan)
b62f328b
VT		 1343 return;
1344
23691d75
GP		 1345 parent = pchan->sk;
1346
aa2ac881 1347 lock_sock(parent);
62f3a2cf 1348
80b98027 1349 chan = pchan->ops->new_connection(pchan);
80808e43 1350 if (!chan)
b62f328b
VT		 1351 goto clean;
1352
80808e43 1353 sk = chan->sk;
5d41ce1d 1354
b62f328b 1355 hci_conn_hold(conn->hcon);
a9ea3ed9 1356 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
b62f328b 1357
b62f328b
VT		 1358 bacpy(&bt_sk(sk)->src, conn->src);
1359 bacpy(&bt_sk(sk)->dst, conn->dst);
1360
3d57dc68 1361 l2cap_chan_add(conn, chan);
48454079 1362
6754e0df 1363 l2cap_chan_ready(chan);
b62f328b 1364
b62f328b 1365clean:
aa2ac881 1366 release_sock(parent);
b62f328b
VT		 1367}
1368
4e8402a3
MH		 1369static void l2cap_conn_ready(struct l2cap_conn *conn)
1370{
48454079 1371 struct l2cap_chan *chan;
cc110922 1372 struct hci_conn *hcon = conn->hcon;
4e8402a3 1373
79d554a6 1374 BT_DBG("conn %p", conn);
4e8402a3 1375
cc110922 1376 if (!hcon->out && hcon->type == LE_LINK)
b62f328b
VT		 1377 l2cap_le_conn_ready(conn);
1378
cc110922
VCG		 1379 if (hcon->out && hcon->type == LE_LINK)
1380 smp_conn_security(hcon, hcon->pending_sec_level);
160dc6ac 1381
3df91ea2 1382 mutex_lock(&conn->chan_lock);
4e8402a3 1383
3df91ea2 1384 list_for_each_entry(chan, &conn->chan_l, list) {
baa7e1fa 1385
6be36555 1386 l2cap_chan_lock(chan);
4e8402a3 1387
416fa752
AE		 1388 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1389 l2cap_chan_unlock(chan);
1390 continue;
1391 }
1392
cc110922
VCG		 1393 if (hcon->type == LE_LINK) {
1394 if (smp_conn_security(hcon, chan->sec_level))
cf4cd009 1395 l2cap_chan_ready(chan);
acd7d370 1396
63128451 1397 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
6be36555 1398 struct sock *sk = chan->sk;
c9b66675 1399 __clear_chan_timer(chan);
6be36555 1400 lock_sock(sk);
0e587be7 1401 __l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1402 sk->sk_state_change(sk);
6be36555 1403 release_sock(sk);
b501d6a1 1404
89bc500e 1405 } else if (chan->state == BT_CONNECT)
fc7f8a7e 1406 l2cap_do_start(chan);
4e8402a3 1407
6be36555 1408 l2cap_chan_unlock(chan);
4e8402a3 1409 }
79d554a6 1410
3df91ea2 1411 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1412}
1413
1414/* Notify sockets that we cannot guaranty reliability anymore */
1415static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1416{
48454079 1417 struct l2cap_chan *chan;
4e8402a3
MH		 1418
1419 BT_DBG("conn %p", conn);
1420
3df91ea2 1421 mutex_lock(&conn->chan_lock);
4e8402a3 1422
3df91ea2 1423 list_for_each_entry(chan, &conn->chan_l, list) {
ecf61bdb 1424 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1d8b1fd5 1425 l2cap_chan_set_err(chan, err);
4e8402a3
MH		 1426 }
1427
3df91ea2 1428 mutex_unlock(&conn->chan_lock);
4e8402a3
MH		 1429}
1430
f878fcad 1431static void l2cap_info_timeout(struct work_struct *work)
4e8402a3 1432{
f878fcad 1433 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1434 info_timer.work);
4e8402a3 1435
984947dc 1436 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 1437 conn->info_ident = 0;
984947dc 1438
4e8402a3
MH		 1439 l2cap_conn_start(conn);
1440}
1441
5d3de7df
VCG		 1442static void l2cap_conn_del(struct hci_conn *hcon, int err)
1443{
1444 struct l2cap_conn *conn = hcon->l2cap_data;
1445 struct l2cap_chan *chan, *l;
5d3de7df
VCG		 1446
1447 if (!conn)
1448 return;
1449
1450 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1451
1452 kfree_skb(conn->rx_skb);
1453
3df91ea2
AE		 1454 mutex_lock(&conn->chan_lock);
1455
5d3de7df
VCG		 1456 /* Kill channels */
1457 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
61d6ef3e 1458 l2cap_chan_hold(chan);
6be36555
AE		 1459 l2cap_chan_lock(chan);
1460
5d3de7df 1461 l2cap_chan_del(chan, err);
6be36555
AE		 1462
1463 l2cap_chan_unlock(chan);
1464
80b98027 1465 chan->ops->close(chan);
61d6ef3e 1466 l2cap_chan_put(chan);
5d3de7df
VCG		 1467 }
1468
3df91ea2
AE		 1469 mutex_unlock(&conn->chan_lock);
1470
73d80deb
LAD		 1471 hci_chan_del(conn->hchan);
1472
5d3de7df 1473 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
127074bf 1474 cancel_delayed_work_sync(&conn->info_timer);
5d3de7df 1475
51a8efd7 1476 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
127074bf 1477 cancel_delayed_work_sync(&conn->security_timer);
8aab4757 1478 smp_chan_destroy(conn);
d26a2345 1479 }
5d3de7df
VCG		 1480
1481 hcon->l2cap_data = NULL;
1482 kfree(conn);
1483}
1484
6c9d42a1 1485static void security_timeout(struct work_struct *work)
5d3de7df 1486{
6c9d42a1 1487 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
2d792818 1488 security_timer.work);
5d3de7df 1489
d06cc416
JH		 1490 BT_DBG("conn %p", conn);
1491
1492 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1493 smp_chan_destroy(conn);
1494 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1495 }
5d3de7df
VCG		 1496}
1497
1da177e4
LT		 1498static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1499{
0139418c 1500 struct l2cap_conn *conn = hcon->l2cap_data;
73d80deb 1501 struct hci_chan *hchan;
1da177e4 1502
0139418c 1503 if (conn || status)
1da177e4
LT		 1504 return conn;
1505
73d80deb
LAD		 1506 hchan = hci_chan_create(hcon);
1507 if (!hchan)
1508 return NULL;
1509
8bcde1f2 1510 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
73d80deb
LAD		 1511 if (!conn) {
1512 hci_chan_del(hchan);
1da177e4 1513 return NULL;
73d80deb 1514 }
1da177e4
LT		 1515
1516 hcon->l2cap_data = conn;
1517 conn->hcon = hcon;
73d80deb 1518 conn->hchan = hchan;
1da177e4 1519
73d80deb 1520 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
0139418c 1521
dcc042d5
AE		 1522 switch (hcon->type) {
1523 case AMP_LINK:
1524 conn->mtu = hcon->hdev->block_mtu;
1525 break;
1526
1527 case LE_LINK:
1528 if (hcon->hdev->le_mtu) {
1529 conn->mtu = hcon->hdev->le_mtu;
1530 break;
1531 }
1532 /* fall through */
1533
1534 default:
acd7d370 1535 conn->mtu = hcon->hdev->acl_mtu;
dcc042d5
AE		 1536 break;
1537 }
acd7d370 1538
1da177e4
LT		 1539 conn->src = &hcon->hdev->bdaddr;
1540 conn->dst = &hcon->dst;
1541
4e8402a3
MH		 1542 conn->feat_mask = 0;
1543
1da177e4 1544 spin_lock_init(&conn->lock);
3df91ea2 1545 mutex_init(&conn->chan_lock);
baa7e1fa
GP		 1546
1547 INIT_LIST_HEAD(&conn->chan_l);
1da177e4 1548
5d3de7df 1549 if (hcon->type == LE_LINK)
6c9d42a1 1550 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
5d3de7df 1551 else
030013d8 1552 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
45054dc1 1553
9f5a0d7b 1554 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
2950f21a 1555
1da177e4
LT		 1556 return conn;
1557}
1558
1da177e4 1559/* ---- Socket interface ---- */
1da177e4 1560
c2287681 1561/* Find socket with psm and source / destination bdaddr.
1da177e4
LT		 1562 * Returns closest match.
1563 */
c2287681
IY		 1564static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1565 bdaddr_t *src,
1566 bdaddr_t *dst)
1da177e4 1567{
23691d75 1568 struct l2cap_chan *c, *c1 = NULL;
1da177e4 1569
23691d75 1570 read_lock(&chan_list_lock);
e0f0cb56 1571
23691d75
GP		 1572 list_for_each_entry(c, &chan_list, global_l) {
1573 struct sock *sk = c->sk;
fe4128e0 1574
89bc500e 1575 if (state && c->state != state)
1da177e4
LT		 1576 continue;
1577
23691d75 1578 if (c->psm == psm) {
c2287681
IY		 1579 int src_match, dst_match;
1580 int src_any, dst_any;
1581
1da177e4 1582 /* Exact match. */
c2287681
IY		 1583 src_match = !bacmp(&bt_sk(sk)->src, src);
1584 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1585 if (src_match && dst_match) {
a7567b20 1586 read_unlock(&chan_list_lock);
23691d75
GP		 1587 return c;
1588 }
1da177e4
LT		 1589
1590 /* Closest match */
c2287681
IY		 1591 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1592 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1593 if ((src_match && dst_any) || (src_any && dst_match) ||
1594 (src_any && dst_any))
23691d75 1595 c1 = c;
1da177e4
LT		 1596 }
1597 }
1da177e4 1598
23691d75 1599 read_unlock(&chan_list_lock);
e0f0cb56 1600
23691d75 1601 return c1;
1da177e4
LT		 1602}
1603
8e9f9892
AG		 1604int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1605 bdaddr_t *dst, u8 dst_type)
1da177e4 1606{
5d41ce1d 1607 struct sock *sk = chan->sk;
1da177e4 1608 bdaddr_t *src = &bt_sk(sk)->src;
1da177e4
LT		 1609 struct l2cap_conn *conn;
1610 struct hci_conn *hcon;
1611 struct hci_dev *hdev;
09ab6f4c 1612 __u8 auth_type;
44d0e48e 1613 int err;
1da177e4 1614
6ed93dc6 1615 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
ab19516a 1616 dst_type, __le16_to_cpu(psm));
1da177e4 1617
af05b30b
GP		 1618 hdev = hci_get_route(dst, src);
1619 if (!hdev)
1da177e4
LT		 1620 return -EHOSTUNREACH;
1621
09fd0de5 1622 hci_dev_lock(hdev);
1da177e4 1623
6be36555 1624 l2cap_chan_lock(chan);
03a00194
GP		 1625
1626 /* PSM must be odd and lsb of upper byte must be 0 */
1627 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
2d792818 1628 chan->chan_type != L2CAP_CHAN_RAW) {
03a00194
GP		 1629 err = -EINVAL;
1630 goto done;
1631 }
1632
1633 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1634 err = -EINVAL;
1635 goto done;
1636 }
1637
1638 switch (chan->mode) {
1639 case L2CAP_MODE_BASIC:
1640 break;
1641 case L2CAP_MODE_ERTM:
1642 case L2CAP_MODE_STREAMING:
1643 if (!disable_ertm)
1644 break;
1645 /* fall through */
1646 default:
1647 err = -ENOTSUPP;
1648 goto done;
1649 }
1650
0797e01d 1651 switch (chan->state) {
03a00194
GP		 1652 case BT_CONNECT:
1653 case BT_CONNECT2:
1654 case BT_CONFIG:
1655 /* Already connecting */
1656 err = 0;
1657 goto done;
1658
1659 case BT_CONNECTED:
1660 /* Already connected */
1661 err = -EISCONN;
1662 goto done;
1663
1664 case BT_OPEN:
1665 case BT_BOUND:
1666 /* Can connect */
1667 break;
1668
1669 default:
1670 err = -EBADFD;
1671 goto done;
1672 }
1673
1674 /* Set destination address and psm */
0797e01d 1675 lock_sock(sk);
9219b2a0 1676 bacpy(&bt_sk(sk)->dst, dst);
6be36555
AE		 1677 release_sock(sk);
1678
03a00194
GP		 1679 chan->psm = psm;
1680 chan->dcid = cid;
1da177e4 1681
4343478f 1682 auth_type = l2cap_get_auth_type(chan);
09ab6f4c 1683
fe4128e0 1684 if (chan->dcid == L2CAP_CID_LE_DATA)
8e9f9892 1685 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
b12f62cf 1686 chan->sec_level, auth_type);
acd7d370 1687 else
8e9f9892 1688 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
b12f62cf 1689 chan->sec_level, auth_type);
acd7d370 1690
30e76272
VT		 1691 if (IS_ERR(hcon)) {
1692 err = PTR_ERR(hcon);
1da177e4 1693 goto done;
30e76272 1694 }
1da177e4
LT		 1695
1696 conn = l2cap_conn_add(hcon, 0);
1697 if (!conn) {
1698 hci_conn_put(hcon);
30e76272 1699 err = -ENOMEM;
1da177e4
LT		 1700 goto done;
1701 }
1702
9f0caeb1
VCG		 1703 if (hcon->type == LE_LINK) {
1704 err = 0;
1705
1706 if (!list_empty(&conn->chan_l)) {
1707 err = -EBUSY;
1708 hci_conn_put(hcon);
1709 }
1710
1711 if (err)
1712 goto done;
1713 }
1714
1da177e4
LT		 1715 /* Update source addr of the socket */
1716 bacpy(src, conn->src);
1717
6be36555 1718 l2cap_chan_unlock(chan);
48454079 1719 l2cap_chan_add(conn, chan);
6be36555 1720 l2cap_chan_lock(chan);
48454079 1721
6be36555 1722 l2cap_state_change(chan, BT_CONNECT);
c9b66675 1723 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4
LT		 1724
1725 if (hcon->state == BT_CONNECTED) {
715ec005 1726 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
c9b66675 1727 __clear_chan_timer(chan);
d45fc423 1728 if (l2cap_chan_check_security(chan))
6be36555 1729 l2cap_state_change(chan, BT_CONNECTED);
79d554a6 1730 } else
fc7f8a7e 1731 l2cap_do_start(chan);
1da177e4
LT		 1732 }
1733
30e76272
VT		 1734 err = 0;
1735
1da177e4 1736done:
6be36555 1737 l2cap_chan_unlock(chan);
09fd0de5 1738 hci_dev_unlock(hdev);
1da177e4
LT		 1739 hci_dev_put(hdev);
1740 return err;
1741}
1742
dcba0dba 1743int __l2cap_wait_ack(struct sock *sk)
6161c038 1744{
8c1d787b 1745 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
6161c038
GP		 1746 DECLARE_WAITQUEUE(wait, current);
1747 int err = 0;
1748 int timeo = HZ/5;
1749
2b0b05dd 1750 add_wait_queue(sk_sleep(sk), &wait);
a71a0cf4
PH		 1751 set_current_state(TASK_INTERRUPTIBLE);
1752 while (chan->unacked_frames > 0 && chan->conn) {
6161c038
GP		 1753 if (!timeo)
1754 timeo = HZ/5;
1755
1756 if (signal_pending(current)) {
1757 err = sock_intr_errno(timeo);
1758 break;
1759 }
1760
1761 release_sock(sk);
1762 timeo = schedule_timeout(timeo);
1763 lock_sock(sk);
a71a0cf4 1764 set_current_state(TASK_INTERRUPTIBLE);
6161c038
GP		 1765
1766 err = sock_error(sk);
1767 if (err)
1768 break;
1769 }
1770 set_current_state(TASK_RUNNING);
2b0b05dd 1771 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1772 return err;
1773}
1774
721c4181 1775static void l2cap_monitor_timeout(struct work_struct *work)
e90bac06 1776{
721c4181 1777 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1778 monitor_timer.work);
e90bac06 1779
525cd185 1780 BT_DBG("chan %p", chan);
0e98958d 1781
6be36555
AE		 1782 l2cap_chan_lock(chan);
1783
80909e04 1784 if (!chan->conn) {
6be36555 1785 l2cap_chan_unlock(chan);
8d7e1c7f 1786 l2cap_chan_put(chan);
e90bac06
GP		 1787 return;
1788 }
1789
401bb1f7 1790 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
e90bac06 1791
6be36555 1792 l2cap_chan_unlock(chan);
8d7e1c7f 1793 l2cap_chan_put(chan);
e90bac06
GP		 1794}
1795
721c4181 1796static void l2cap_retrans_timeout(struct work_struct *work)
e90bac06 1797{
721c4181 1798 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
4239d16f 1799 retrans_timer.work);
e90bac06 1800
49208c9c 1801 BT_DBG("chan %p", chan);
0e98958d 1802
6be36555
AE		 1803 l2cap_chan_lock(chan);
1804
80909e04
MM		 1805 if (!chan->conn) {
1806 l2cap_chan_unlock(chan);
1807 l2cap_chan_put(chan);
1808 return;
1809 }
6be36555 1810
401bb1f7 1811 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
6be36555 1812 l2cap_chan_unlock(chan);
8d7e1c7f 1813 l2cap_chan_put(chan);
e90bac06
GP		 1814}
1815
d660366d
GP		 1816static void l2cap_streaming_send(struct l2cap_chan *chan,
1817 struct sk_buff_head *skbs)
6840ed07 1818{
ccbb84af 1819 struct sk_buff *skb;
3733937d 1820 struct l2cap_ctrl *control;
6840ed07 1821
3733937d
MM		 1822 BT_DBG("chan %p, skbs %p", chan, skbs);
1823
b99e13ad
MM		 1824 if (__chan_is_moving(chan))
1825 return;
1826
3733937d
MM		 1827 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1828
1829 while (!skb_queue_empty(&chan->tx_q)) {
1830
1831 skb = skb_dequeue(&chan->tx_q);
1832
1833 bt_cb(skb)->control.retries = 1;
1834 control = &bt_cb(skb)->control;
1835
1836 control->reqseq = 0;
1837 control->txseq = chan->next_tx_seq;
1838
1839 __pack_control(chan, control, skb);
6840ed07 1840
47d1ec61 1841 if (chan->fcs == L2CAP_FCS_CRC16) {
3733937d
MM		 1842 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1843 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1844 }
1845
4343478f 1846 l2cap_do_send(chan, skb);
6840ed07 1847
b4400672 1848 BT_DBG("Sent txseq %u", control->txseq);
3733937d 1849
836be934 1850 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
3733937d 1851 chan->frames_sent++;
6840ed07 1852 }
6840ed07
GP		 1853}
1854
67c9e840 1855static int l2cap_ertm_send(struct l2cap_chan *chan)
1c2acffb
GP		 1856{
1857 struct sk_buff *skb, *tx_skb;
18a48e76
MM		 1858 struct l2cap_ctrl *control;
1859 int sent = 0;
1860
1861 BT_DBG("chan %p", chan);
1c2acffb 1862
89bc500e 1863 if (chan->state != BT_CONNECTED)
c13ffa62 1864 return -ENOTCONN;
e90bac06 1865
94122bbe
MM		 1866 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1867 return 0;
1868
b99e13ad
MM		 1869 if (__chan_is_moving(chan))
1870 return 0;
1871
18a48e76
MM		 1872 while (chan->tx_send_head &&
1873 chan->unacked_frames < chan->remote_tx_win &&
1874 chan->tx_state == L2CAP_TX_STATE_XMIT) {
e420aba3 1875
18a48e76 1876 skb = chan->tx_send_head;
e90bac06 1877
18a48e76
MM		 1878 bt_cb(skb)->control.retries = 1;
1879 control = &bt_cb(skb)->control;
95ffa978 1880
e2ab4353 1881 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
18a48e76 1882 control->final = 1;
e2ab4353 1883
18a48e76
MM		 1884 control->reqseq = chan->buffer_seq;
1885 chan->last_acked_seq = chan->buffer_seq;
1886 control->txseq = chan->next_tx_seq;
1c2acffb 1887
18a48e76 1888 __pack_control(chan, control, skb);
e90bac06 1889
47d1ec61 1890 if (chan->fcs == L2CAP_FCS_CRC16) {
18a48e76
MM		 1891 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1892 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
fcc203c3
GP		 1893 }
1894
18a48e76
MM		 1895 /* Clone after data has been modified. Data is assumed to be
1896 read-only (for locking purposes) on cloned sk_buffs.
1897 */
1898 tx_skb = skb_clone(skb, GFP_KERNEL);
9a9c6a34 1899
18a48e76
MM		 1900 if (!tx_skb)
1901 break;
1c2acffb 1902
18a48e76 1903 __set_retrans_timer(chan);
836be934
AE		 1904
1905 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
18a48e76 1906 chan->unacked_frames++;
6a026610 1907 chan->frames_sent++;
18a48e76 1908 sent++;
1c2acffb 1909
58d35f87
GP		 1910 if (skb_queue_is_last(&chan->tx_q, skb))
1911 chan->tx_send_head = NULL;
1c2acffb 1912 else
58d35f87 1913 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
18a48e76
MM		 1914
1915 l2cap_do_send(chan, tx_skb);
b4400672 1916 BT_DBG("Sent txseq %u", control->txseq);
1c2acffb
GP		 1917 }
1918
b4400672
AE		 1919 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1920 chan->unacked_frames, skb_queue_len(&chan->tx_q));
18a48e76
MM		 1921
1922 return sent;
9e917af1
GP		 1923}
1924
e1fbd4c1
MM		 1925static void l2cap_ertm_resend(struct l2cap_chan *chan)
1926{
1927 struct l2cap_ctrl control;
1928 struct sk_buff *skb;
1929 struct sk_buff *tx_skb;
1930 u16 seq;
1931
1932 BT_DBG("chan %p", chan);
1933
1934 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1935 return;
1936
b99e13ad
MM		 1937 if (__chan_is_moving(chan))
1938 return;
1939
e1fbd4c1
MM		 1940 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1941 seq = l2cap_seq_list_pop(&chan->retrans_list);
1942
1943 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1944 if (!skb) {
1945 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2d792818 1946 seq);
e1fbd4c1
MM		 1947 continue;
1948 }
1949
1950 bt_cb(skb)->control.retries++;
1951 control = bt_cb(skb)->control;
1952
1953 if (chan->max_tx != 0 &&
1954 bt_cb(skb)->control.retries > chan->max_tx) {
1955 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1956 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
1957 l2cap_seq_list_clear(&chan->retrans_list);
1958 break;
1959 }
1960
1961 control.reqseq = chan->buffer_seq;
1962 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1963 control.final = 1;
1964 else
1965 control.final = 0;
1966
1967 if (skb_cloned(skb)) {
1968 /* Cloned sk_buffs are read-only, so we need a
1969 * writeable copy
1970 */
8bcde1f2 1971 tx_skb = skb_copy(skb, GFP_KERNEL);
e1fbd4c1 1972 } else {
8bcde1f2 1973 tx_skb = skb_clone(skb, GFP_KERNEL);
e1fbd4c1
MM		 1974 }
1975
1976 if (!tx_skb) {
1977 l2cap_seq_list_clear(&chan->retrans_list);
1978 break;
1979 }
1980
1981 /* Update skb contents */
1982 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1983 put_unaligned_le32(__pack_extended_control(&control),
1984 tx_skb->data + L2CAP_HDR_SIZE);
1985 } else {
1986 put_unaligned_le16(__pack_enhanced_control(&control),
1987 tx_skb->data + L2CAP_HDR_SIZE);
1988 }
1989
1990 if (chan->fcs == L2CAP_FCS_CRC16) {
1991 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
1992 put_unaligned_le16(fcs, skb_put(tx_skb,
1993 L2CAP_FCS_SIZE));
1994 }
1995
1996 l2cap_do_send(chan, tx_skb);
1997
1998 BT_DBG("Resent txseq %d", control.txseq);
1999
2000 chan->last_acked_seq = chan->buffer_seq;
2001 }
2002}
2003
f80842a8
MM		 2004static void l2cap_retransmit(struct l2cap_chan *chan,
2005 struct l2cap_ctrl *control)
2006{
2007 BT_DBG("chan %p, control %p", chan, control);
2008
2009 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2010 l2cap_ertm_resend(chan);
2011}
2012
d2a7ac5d
MM		 2013static void l2cap_retransmit_all(struct l2cap_chan *chan,
2014 struct l2cap_ctrl *control)
2015{
e1fbd4c1
MM		 2016 struct sk_buff *skb;
2017
2018 BT_DBG("chan %p, control %p", chan, control);
2019
2020 if (control->poll)
2021 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2022
2023 l2cap_seq_list_clear(&chan->retrans_list);
2024
2025 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2026 return;
2027
2028 if (chan->unacked_frames) {
2029 skb_queue_walk(&chan->tx_q, skb) {
2030 if (bt_cb(skb)->control.txseq == control->reqseq ||
2d792818 2031 skb == chan->tx_send_head)
e1fbd4c1
MM		 2032 break;
2033 }
2034
2035 skb_queue_walk_from(&chan->tx_q, skb) {
2036 if (skb == chan->tx_send_head)
2037 break;
2038
2039 l2cap_seq_list_append(&chan->retrans_list,
2040 bt_cb(skb)->control.txseq);
2041 }
2042
2043 l2cap_ertm_resend(chan);
2044 }
d2a7ac5d
MM		 2045}
2046
0a0aba42 2047static void l2cap_send_ack(struct l2cap_chan *chan)
9e917af1 2048{
0a0aba42
MM		 2049 struct l2cap_ctrl control;
2050 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2051 chan->last_acked_seq);
2052 int threshold;
9e917af1 2053
0a0aba42
MM		 2054 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2055 chan, chan->last_acked_seq, chan->buffer_seq);
9e917af1 2056
0a0aba42
MM		 2057 memset(&control, 0, sizeof(control));
2058 control.sframe = 1;
dfc909be 2059
0a0aba42
MM		 2060 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2061 chan->rx_state == L2CAP_RX_STATE_RECV) {
2062 __clear_ack_timer(chan);
2063 control.super = L2CAP_SUPER_RNR;
2064 control.reqseq = chan->buffer_seq;
2065 l2cap_send_sframe(chan, &control);
2066 } else {
2067 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2068 l2cap_ertm_send(chan);
2069 /* If any i-frames were sent, they included an ack */
2070 if (chan->buffer_seq == chan->last_acked_seq)
2071 frames_to_ack = 0;
2072 }
dfc909be 2073
c20f8e35 2074 /* Ack now if the window is 3/4ths full.
0a0aba42
MM		 2075 * Calculate without mul or div
2076 */
c20f8e35 2077 threshold = chan->ack_win;
0a0aba42
MM		 2078 threshold += threshold << 1;
2079 threshold >>= 2;
2080
b4400672 2081 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
0a0aba42
MM		 2082 threshold);
2083
2084 if (frames_to_ack >= threshold) {
2085 __clear_ack_timer(chan);
2086 control.super = L2CAP_SUPER_RR;
2087 control.reqseq = chan->buffer_seq;
2088 l2cap_send_sframe(chan, &control);
2089 frames_to_ack = 0;
2090 }
1c2acffb 2091
0a0aba42
MM		 2092 if (frames_to_ack)
2093 __set_ack_timer(chan);
2094 }
b17e73bb
SJ		 2095}
2096
04124681
GP		 2097static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2098 struct msghdr *msg, int len,
2099 int count, struct sk_buff *skb)
1c2acffb 2100{
0952a57a 2101 struct l2cap_conn *conn = chan->conn;
1c2acffb 2102 struct sk_buff **frag;
90338947 2103 int sent = 0;
1da177e4 2104
59203a21 2105 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 2106 return -EFAULT;
1da177e4
LT		 2107
2108 sent += count;
2109 len -= count;
2110
2111 /* Continuation fragments (no L2CAP header) */
2112 frag = &skb_shinfo(skb)->frag_list;
2113 while (len) {
fbe00700
GP		 2114 struct sk_buff *tmp;
2115
1da177e4
LT		 2116 count = min_t(unsigned int, conn->mtu, len);
2117
fbe00700
GP		 2118 tmp = chan->ops->alloc_skb(chan, count,
2119 msg->msg_flags & MSG_DONTWAIT);
2120 if (IS_ERR(tmp))
2121 return PTR_ERR(tmp);
2122
2123 *frag = tmp;
2f7719ce 2124
1c2acffb
GP		 2125 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2126 return -EFAULT;
1da177e4 2127
5e59b791
LAD		 2128 (*frag)->priority = skb->priority;
2129
1da177e4
LT		 2130 sent += count;
2131 len -= count;
2132
2d0ed3d5
GP		 2133 skb->len += (*frag)->len;
2134 skb->data_len += (*frag)->len;
2135
1da177e4
LT		 2136 frag = &(*frag)->next;
2137 }
1da177e4
LT		 2138
2139 return sent;
1c2acffb 2140}
1da177e4 2141
5e59b791 2142static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
b4400672
AE		 2143 struct msghdr *msg, size_t len,
2144 u32 priority)
1c2acffb 2145{
8c1d787b 2146 struct l2cap_conn *conn = chan->conn;
1c2acffb 2147 struct sk_buff *skb;
03a51213 2148 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1c2acffb
GP		 2149 struct l2cap_hdr *lh;
2150
b4400672 2151 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
1c2acffb
GP		 2152
2153 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2154
2155 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2156 msg->msg_flags & MSG_DONTWAIT);
2157 if (IS_ERR(skb))
2158 return skb;
1c2acffb 2159
5e59b791
LAD		 2160 skb->priority = priority;
2161
1c2acffb
GP		 2162 /* Create L2CAP header */
2163 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2164 lh->cid = cpu_to_le16(chan->dcid);
daf6a78c
AE		 2165 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2166 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1c2acffb 2167
0952a57a 2168 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2169 if (unlikely(err < 0)) {
2170 kfree_skb(skb);
2171 return ERR_PTR(err);
2172 }
2173 return skb;
2174}
2175
5e59b791 2176static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
b4400672
AE		 2177 struct msghdr *msg, size_t len,
2178 u32 priority)
1c2acffb 2179{
8c1d787b 2180 struct l2cap_conn *conn = chan->conn;
1c2acffb 2181 struct sk_buff *skb;
f2ba7fae 2182 int err, count;
1c2acffb
GP		 2183 struct l2cap_hdr *lh;
2184
b4400672 2185 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2186
f2ba7fae 2187 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2f7719ce 2188
f2ba7fae 2189 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
90338947
GP		 2190 msg->msg_flags & MSG_DONTWAIT);
2191 if (IS_ERR(skb))
2192 return skb;
1c2acffb 2193
5e59b791
LAD		 2194 skb->priority = priority;
2195
1c2acffb
GP		 2196 /* Create L2CAP header */
2197 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2198 lh->cid = cpu_to_le16(chan->dcid);
6ff9b5ef 2199 lh->len = cpu_to_le16(len);
1c2acffb 2200
0952a57a 2201 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2202 if (unlikely(err < 0)) {
2203 kfree_skb(skb);
2204 return ERR_PTR(err);
2205 }
2206 return skb;
2207}
2208
ab0ff76d 2209static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
b4400672
AE		 2210 struct msghdr *msg, size_t len,
2211 u16 sdulen)
1c2acffb 2212{
8c1d787b 2213 struct l2cap_conn *conn = chan->conn;
1c2acffb 2214 struct sk_buff *skb;
e4ca6d98 2215 int err, count, hlen;
1c2acffb
GP		 2216 struct l2cap_hdr *lh;
2217
b4400672 2218 BT_DBG("chan %p len %zu", chan, len);
1c2acffb 2219
0ee0d208
GP		 2220 if (!conn)
2221 return ERR_PTR(-ENOTCONN);
2222
ba7aa64f 2223 hlen = __ertm_hdr_size(chan);
e4ca6d98 2224
c74e560c 2225 if (sdulen)
03a51213 2226 hlen += L2CAP_SDULEN_SIZE;
c74e560c 2227
47d1ec61 2228 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 2229 hlen += L2CAP_FCS_SIZE;
fcc203c3 2230
1c2acffb 2231 count = min_t(unsigned int, (conn->mtu - hlen), len);
2f7719ce
AE		 2232
2233 skb = chan->ops->alloc_skb(chan, count + hlen,
90338947
GP		 2234 msg->msg_flags & MSG_DONTWAIT);
2235 if (IS_ERR(skb))
2236 return skb;
1c2acffb
GP		 2237
2238 /* Create L2CAP header */
2239 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fe4128e0 2240 lh->cid = cpu_to_le16(chan->dcid);
1c2acffb 2241 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
88843ab0 2242
18a48e76
MM		 2243 /* Control header is populated later */
2244 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2245 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2246 else
2247 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
88843ab0 2248
c74e560c 2249 if (sdulen)
03a51213 2250 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1c2acffb 2251
0952a57a 2252 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1c2acffb
GP		 2253 if (unlikely(err < 0)) {
2254 kfree_skb(skb);
2255 return ERR_PTR(err);
2256 }
e90bac06 2257
18a48e76 2258 bt_cb(skb)->control.fcs = chan->fcs;
3ce3514f 2259 bt_cb(skb)->control.retries = 0;
1c2acffb 2260 return skb;
1da177e4
LT		 2261}
2262
94122bbe
MM		 2263static int l2cap_segment_sdu(struct l2cap_chan *chan,
2264 struct sk_buff_head *seg_queue,
2265 struct msghdr *msg, size_t len)
c74e560c 2266{
c74e560c 2267 struct sk_buff *skb;
94122bbe
MM		 2268 u16 sdu_len;
2269 size_t pdu_len;
94122bbe 2270 u8 sar;
c74e560c 2271
b4400672 2272 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
c74e560c 2273
94122bbe
MM		 2274 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2275 * so fragmented skbs are not used. The HCI layer's handling
2276 * of fragmented skbs is not compatible with ERTM's queueing.
2277 */
c74e560c 2278
94122bbe
MM		 2279 /* PDU size is derived from the HCI MTU */
2280 pdu_len = chan->conn->mtu;
c74e560c 2281
a549574d
MM		 2282 /* Constrain PDU size for BR/EDR connections */
2283 if (!chan->hs_hcon)
2284 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
94122bbe
MM		 2285
2286 /* Adjust for largest possible L2CAP overhead. */
35d401df
GP		 2287 if (chan->fcs)
2288 pdu_len -= L2CAP_FCS_SIZE;
2289
ba7aa64f 2290 pdu_len -= __ertm_hdr_size(chan);
94122bbe
MM		 2291
2292 /* Remote device may have requested smaller PDUs */
2293 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2294
2295 if (len <= pdu_len) {
2296 sar = L2CAP_SAR_UNSEGMENTED;
2297 sdu_len = 0;
2298 pdu_len = len;
2299 } else {
2300 sar = L2CAP_SAR_START;
2301 sdu_len = len;
2302 pdu_len -= L2CAP_SDULEN_SIZE;
2303 }
2304
2305 while (len > 0) {
2306 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
c74e560c 2307
c74e560c 2308 if (IS_ERR(skb)) {
94122bbe 2309 __skb_queue_purge(seg_queue);
c74e560c
GP		 2310 return PTR_ERR(skb);
2311 }
2312
94122bbe
MM		 2313 bt_cb(skb)->control.sar = sar;
2314 __skb_queue_tail(seg_queue, skb);
2315
2316 len -= pdu_len;
2317 if (sdu_len) {
2318 sdu_len = 0;
2319 pdu_len += L2CAP_SDULEN_SIZE;
2320 }
2321
2322 if (len <= pdu_len) {
2323 sar = L2CAP_SAR_END;
2324 pdu_len = len;
2325 } else {
2326 sar = L2CAP_SAR_CONTINUE;
2327 }
c74e560c 2328 }
c74e560c 2329
f0f62799 2330 return 0;
c74e560c
GP		 2331}
2332
5e59b791 2333int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2d792818 2334 u32 priority)
9a91a04a 2335{
9a91a04a 2336 struct sk_buff *skb;
9a91a04a 2337 int err;
94122bbe 2338 struct sk_buff_head seg_queue;
9a91a04a
GP		 2339
2340 /* Connectionless channel */
715ec005 2341 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
5e59b791 2342 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
9a91a04a
GP		 2343 if (IS_ERR(skb))
2344 return PTR_ERR(skb);
2345
2346 l2cap_do_send(chan, skb);
2347 return len;
2348 }
2349
2350 switch (chan->mode) {
2351 case L2CAP_MODE_BASIC:
2352 /* Check outgoing MTU */
2353 if (len > chan->omtu)
2354 return -EMSGSIZE;
2355
2356 /* Create a basic PDU */
5e59b791 2357 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
9a91a04a
GP		 2358 if (IS_ERR(skb))
2359 return PTR_ERR(skb);
2360
2361 l2cap_do_send(chan, skb);
2362 err = len;
2363 break;
2364
2365 case L2CAP_MODE_ERTM:
2366 case L2CAP_MODE_STREAMING:
94122bbe
MM		 2367 /* Check outgoing MTU */
2368 if (len > chan->omtu) {
2369 err = -EMSGSIZE;
2370 break;
2371 }
9a91a04a 2372
94122bbe 2373 __skb_queue_head_init(&seg_queue);
9a91a04a 2374
94122bbe
MM		 2375 /* Do segmentation before calling in to the state machine,
2376 * since it's possible to block while waiting for memory
2377 * allocation.
2378 */
2379 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
9a91a04a 2380
94122bbe
MM		 2381 /* The channel could have been closed while segmenting,
2382 * check that it is still connected.
2383 */
2384 if (chan->state != BT_CONNECTED) {
2385 __skb_queue_purge(&seg_queue);
2386 err = -ENOTCONN;
9a91a04a
GP		 2387 }
2388
94122bbe 2389 if (err)
9a91a04a 2390 break;
9a91a04a 2391
3733937d 2392 if (chan->mode == L2CAP_MODE_ERTM)
d660366d 2393 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
3733937d 2394 else
d660366d 2395 l2cap_streaming_send(chan, &seg_queue);
9a91a04a 2396
d660366d 2397 err = len;
9a91a04a 2398
94122bbe
MM		 2399 /* If the skbs were not queued for sending, they'll still be in
2400 * seg_queue and need to be purged.
2401 */
2402 __skb_queue_purge(&seg_queue);
9a91a04a
GP		 2403 break;
2404
2405 default:
2406 BT_DBG("bad state %1.1x", chan->mode);
2407 err = -EBADFD;
2408 }
2409
2410 return err;
2411}
2412
d2a7ac5d
MM		 2413static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2414{
bed68bde
MM		 2415 struct l2cap_ctrl control;
2416 u16 seq;
2417
b4400672 2418 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2419
2420 memset(&control, 0, sizeof(control));
2421 control.sframe = 1;
2422 control.super = L2CAP_SUPER_SREJ;
2423
2424 for (seq = chan->expected_tx_seq; seq != txseq;
2425 seq = __next_seq(chan, seq)) {
2426 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2427 control.reqseq = seq;
2428 l2cap_send_sframe(chan, &control);
2429 l2cap_seq_list_append(&chan->srej_list, seq);
2430 }
2431 }
2432
2433 chan->expected_tx_seq = __next_seq(chan, txseq);
d2a7ac5d
MM		 2434}
2435
2436static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2437{
bed68bde
MM		 2438 struct l2cap_ctrl control;
2439
2440 BT_DBG("chan %p", chan);
2441
2442 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2443 return;
2444
2445 memset(&control, 0, sizeof(control));
2446 control.sframe = 1;
2447 control.super = L2CAP_SUPER_SREJ;
2448 control.reqseq = chan->srej_list.tail;
2449 l2cap_send_sframe(chan, &control);
d2a7ac5d
MM		 2450}
2451
2452static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2453{
bed68bde
MM		 2454 struct l2cap_ctrl control;
2455 u16 initial_head;
2456 u16 seq;
2457
b4400672 2458 BT_DBG("chan %p, txseq %u", chan, txseq);
bed68bde
MM		 2459
2460 memset(&control, 0, sizeof(control));
2461 control.sframe = 1;
2462 control.super = L2CAP_SUPER_SREJ;
2463
2464 /* Capture initial list head to allow only one pass through the list. */
2465 initial_head = chan->srej_list.head;
2466
2467 do {
2468 seq = l2cap_seq_list_pop(&chan->srej_list);
2469 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2470 break;
2471
2472 control.reqseq = seq;
2473 l2cap_send_sframe(chan, &control);
2474 l2cap_seq_list_append(&chan->srej_list, seq);
2475 } while (chan->srej_list.head != initial_head);
d2a7ac5d
MM		 2476}
2477
608bcc6d
MM		 2478static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2479{
2480 struct sk_buff *acked_skb;
2481 u16 ackseq;
2482
b4400672 2483 BT_DBG("chan %p, reqseq %u", chan, reqseq);
608bcc6d
MM		 2484
2485 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2486 return;
2487
b4400672 2488 BT_DBG("expected_ack_seq %u, unacked_frames %u",
608bcc6d
MM		 2489 chan->expected_ack_seq, chan->unacked_frames);
2490
2491 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2492 ackseq = __next_seq(chan, ackseq)) {
2493
2494 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2495 if (acked_skb) {
2496 skb_unlink(acked_skb, &chan->tx_q);
2497 kfree_skb(acked_skb);
2498 chan->unacked_frames--;
2499 }
2500 }
2501
2502 chan->expected_ack_seq = reqseq;
2503
2504 if (chan->unacked_frames == 0)
2505 __clear_retrans_timer(chan);
2506
b4400672 2507 BT_DBG("unacked_frames %u", chan->unacked_frames);
608bcc6d
MM		 2508}
2509
2510static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2511{
2512 BT_DBG("chan %p", chan);
2513
2514 chan->expected_tx_seq = chan->buffer_seq;
2515 l2cap_seq_list_clear(&chan->srej_list);
2516 skb_queue_purge(&chan->srej_q);
2517 chan->rx_state = L2CAP_RX_STATE_RECV;
2518}
2519
d660366d
GP		 2520static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2521 struct l2cap_ctrl *control,
2522 struct sk_buff_head *skbs, u8 event)
608bcc6d 2523{
608bcc6d
MM		 2524 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2525 event);
2526
2527 switch (event) {
2528 case L2CAP_EV_DATA_REQUEST:
2529 if (chan->tx_send_head == NULL)
2530 chan->tx_send_head = skb_peek(skbs);
2531
2532 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2533 l2cap_ertm_send(chan);
2534 break;
2535 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2536 BT_DBG("Enter LOCAL_BUSY");
2537 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2538
2539 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2540 /* The SREJ_SENT state must be aborted if we are to
2541 * enter the LOCAL_BUSY state.
2542 */
2543 l2cap_abort_rx_srej_sent(chan);
2544 }
2545
2546 l2cap_send_ack(chan);
2547
2548 break;
2549 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2550 BT_DBG("Exit LOCAL_BUSY");
2551 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2552
2553 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2554 struct l2cap_ctrl local_control;
2555
2556 memset(&local_control, 0, sizeof(local_control));
2557 local_control.sframe = 1;
2558 local_control.super = L2CAP_SUPER_RR;
2559 local_control.poll = 1;
2560 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2561 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2562
2563 chan->retry_count = 1;
2564 __set_monitor_timer(chan);
2565 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2566 }
2567 break;
2568 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2569 l2cap_process_reqseq(chan, control->reqseq);
2570 break;
2571 case L2CAP_EV_EXPLICIT_POLL:
2572 l2cap_send_rr_or_rnr(chan, 1);
2573 chan->retry_count = 1;
2574 __set_monitor_timer(chan);
2575 __clear_ack_timer(chan);
2576 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2577 break;
2578 case L2CAP_EV_RETRANS_TO:
2579 l2cap_send_rr_or_rnr(chan, 1);
2580 chan->retry_count = 1;
2581 __set_monitor_timer(chan);
2582 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2583 break;
2584 case L2CAP_EV_RECV_FBIT:
2585 /* Nothing to process */
2586 break;
2587 default:
2588 break;
2589 }
608bcc6d
MM		 2590}
2591
d660366d
GP		 2592static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2593 struct l2cap_ctrl *control,
2594 struct sk_buff_head *skbs, u8 event)
608bcc6d 2595{
608bcc6d
MM		 2596 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2597 event);
2598
2599 switch (event) {
2600 case L2CAP_EV_DATA_REQUEST:
2601 if (chan->tx_send_head == NULL)
2602 chan->tx_send_head = skb_peek(skbs);
2603 /* Queue data, but don't send. */
2604 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2605 break;
2606 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2607 BT_DBG("Enter LOCAL_BUSY");
2608 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2609
2610 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2611 /* The SREJ_SENT state must be aborted if we are to
2612 * enter the LOCAL_BUSY state.
2613 */
2614 l2cap_abort_rx_srej_sent(chan);
2615 }
2616
2617 l2cap_send_ack(chan);
2618
2619 break;
2620 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2621 BT_DBG("Exit LOCAL_BUSY");
2622 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2623
2624 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2625 struct l2cap_ctrl local_control;
2626 memset(&local_control, 0, sizeof(local_control));
2627 local_control.sframe = 1;
2628 local_control.super = L2CAP_SUPER_RR;
2629 local_control.poll = 1;
2630 local_control.reqseq = chan->buffer_seq;
a67d7f6f 2631 l2cap_send_sframe(chan, &local_control);
608bcc6d
MM		 2632
2633 chan->retry_count = 1;
2634 __set_monitor_timer(chan);
2635 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2636 }
2637 break;
2638 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2639 l2cap_process_reqseq(chan, control->reqseq);
2640
2641 /* Fall through */
2642
2643 case L2CAP_EV_RECV_FBIT:
2644 if (control && control->final) {
2645 __clear_monitor_timer(chan);
2646 if (chan->unacked_frames > 0)
2647 __set_retrans_timer(chan);
2648 chan->retry_count = 0;
2649 chan->tx_state = L2CAP_TX_STATE_XMIT;
2650 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2651 }
2652 break;
2653 case L2CAP_EV_EXPLICIT_POLL:
2654 /* Ignore */
2655 break;
2656 case L2CAP_EV_MONITOR_TO:
2657 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2658 l2cap_send_rr_or_rnr(chan, 1);
2659 __set_monitor_timer(chan);
2660 chan->retry_count++;
2661 } else {
2662 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
2663 }
2664 break;
2665 default:
2666 break;
2667 }
608bcc6d
MM		 2668}
2669
d660366d
GP		 2670static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2671 struct sk_buff_head *skbs, u8 event)
608bcc6d 2672{
608bcc6d
MM		 2673 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2674 chan, control, skbs, event, chan->tx_state);
2675
2676 switch (chan->tx_state) {
2677 case L2CAP_TX_STATE_XMIT:
d660366d 2678 l2cap_tx_state_xmit(chan, control, skbs, event);
608bcc6d
MM		 2679 break;
2680 case L2CAP_TX_STATE_WAIT_F:
d660366d 2681 l2cap_tx_state_wait_f(chan, control, skbs, event);
608bcc6d
MM		 2682 break;
2683 default:
2684 /* Ignore event */
2685 break;
2686 }
608bcc6d
MM		 2687}
2688
4b51dae9
MM		 2689static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2690 struct l2cap_ctrl *control)
2691{
2692 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2693 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
4b51dae9
MM		 2694}
2695
f80842a8
MM		 2696static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2697 struct l2cap_ctrl *control)
2698{
2699 BT_DBG("chan %p, control %p", chan, control);
401bb1f7 2700 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
f80842a8
MM		 2701}
2702
1da177e4
LT		 2703/* Copy frame to all raw sockets on that connection */
2704static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2705{
1da177e4 2706 struct sk_buff *nskb;
48454079 2707 struct l2cap_chan *chan;
1da177e4
LT		 2708
2709 BT_DBG("conn %p", conn);
2710
3df91ea2 2711 mutex_lock(&conn->chan_lock);
3d57dc68 2712
3df91ea2 2713 list_for_each_entry(chan, &conn->chan_l, list) {
48454079 2714 struct sock *sk = chan->sk;
715ec005 2715 if (chan->chan_type != L2CAP_CHAN_RAW)
1da177e4
LT		 2716 continue;
2717
2718 /* Don't send frame to the socket it came from */
2719 if (skb->sk == sk)
2720 continue;
8bcde1f2 2721 nskb = skb_clone(skb, GFP_KERNEL);
af05b30b 2722 if (!nskb)
1da177e4
LT		 2723 continue;
2724
80b98027 2725 if (chan->ops->recv(chan, nskb))
1da177e4
LT		 2726 kfree_skb(nskb);
2727 }
3d57dc68 2728
3df91ea2 2729 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 2730}
2731
2732/* ---- L2CAP signalling commands ---- */
b4400672
AE		 2733static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2734 u8 ident, u16 dlen, void *data)
1da177e4
LT		 2735{
2736 struct sk_buff *skb, **frag;
2737 struct l2cap_cmd_hdr *cmd;
2738 struct l2cap_hdr *lh;
2739 int len, count;
2740
b4400672
AE		 2741 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2742 conn, code, ident, dlen);
1da177e4
LT		 2743
2744 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2745 count = min_t(unsigned int, conn->mtu, len);
2746
8bcde1f2 2747 skb = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2748 if (!skb)
2749 return NULL;
2750
2751 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2752 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3300d9a9
CT		 2753
2754 if (conn->hcon->type == LE_LINK)
ac73498c 2755 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3300d9a9 2756 else
ac73498c 2757 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2758
2759 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2760 cmd->code = code;
2761 cmd->ident = ident;
aca3192c 2762 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2763
2764 if (dlen) {
2765 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2766 memcpy(skb_put(skb, count), data, count);
2767 data += count;
2768 }
2769
2770 len -= skb->len;
2771
2772 /* Continuation fragments (no L2CAP header) */
2773 frag = &skb_shinfo(skb)->frag_list;
2774 while (len) {
2775 count = min_t(unsigned int, conn->mtu, len);
2776
8bcde1f2 2777 *frag = bt_skb_alloc(count, GFP_KERNEL);
1da177e4
LT		 2778 if (!*frag)
2779 goto fail;
2780
2781 memcpy(skb_put(*frag, count), data, count);
2782
2783 len -= count;
2784 data += count;
2785
2786 frag = &(*frag)->next;
2787 }
2788
2789 return skb;
2790
2791fail:
2792 kfree_skb(skb);
2793 return NULL;
2794}
2795
2d792818
GP		 2796static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2797 unsigned long *val)
1da177e4
LT		 2798{
2799 struct l2cap_conf_opt *opt = *ptr;
2800 int len;
2801
2802 len = L2CAP_CONF_OPT_SIZE + opt->len;
2803 *ptr += len;
2804
2805 *type = opt->type;
2806 *olen = opt->len;
2807
2808 switch (opt->len) {
2809 case 1:
2810 *val = *((u8 *) opt->val);
2811 break;
2812
2813 case 2:
bfaaeb3e 2814 *val = get_unaligned_le16(opt->val);
1da177e4
LT		 2815 break;
2816
2817 case 4:
bfaaeb3e 2818 *val = get_unaligned_le32(opt->val);
1da177e4
LT		 2819 break;
2820
2821 default:
2822 *val = (unsigned long) opt->val;
2823 break;
2824 }
2825
b4400672 2826 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
1da177e4
LT		 2827 return len;
2828}
2829
1da177e4
LT		 2830static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2831{
2832 struct l2cap_conf_opt *opt = *ptr;
2833
b4400672 2834 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
1da177e4
LT		 2835
2836 opt->type = type;
2837 opt->len = len;
2838
2839 switch (len) {
2840 case 1:
2841 *((u8 *) opt->val) = val;
2842 break;
2843
2844 case 2:
4f8b691c 2845 put_unaligned_le16(val, opt->val);
1da177e4
LT		 2846 break;
2847
2848 case 4:
4f8b691c 2849 put_unaligned_le32(val, opt->val);
1da177e4
LT		 2850 break;
2851
2852 default:
2853 memcpy(opt->val, (void *) val, len);
2854 break;
2855 }
2856
2857 *ptr += L2CAP_CONF_OPT_SIZE + len;
2858}
2859
f89cef09
AE		 2860static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2861{
2862 struct l2cap_conf_efs efs;
2863
1ec918ce 2864 switch (chan->mode) {
f89cef09
AE		 2865 case L2CAP_MODE_ERTM:
2866 efs.id = chan->local_id;
2867 efs.stype = chan->local_stype;
2868 efs.msdu = cpu_to_le16(chan->local_msdu);
2869 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
ac73498c 2870 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
8936fa6d 2871 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
f89cef09
AE		 2872 break;
2873
2874 case L2CAP_MODE_STREAMING:
2875 efs.id = 1;
2876 efs.stype = L2CAP_SERV_BESTEFFORT;
2877 efs.msdu = cpu_to_le16(chan->local_msdu);
2878 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2879 efs.acc_lat = 0;
2880 efs.flush_to = 0;
2881 break;
2882
2883 default:
2884 return;
2885 }
2886
2887 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
8936fa6d 2888 (unsigned long) &efs);
f89cef09
AE		 2889}
2890
721c4181 2891static void l2cap_ack_timeout(struct work_struct *work)
c1b4f43b 2892{
721c4181 2893 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
0362520b
MM		 2894 ack_timer.work);
2895 u16 frames_to_ack;
c1b4f43b 2896
2fb9b3d4
GP		 2897 BT_DBG("chan %p", chan);
2898
6be36555
AE		 2899 l2cap_chan_lock(chan);
2900
0362520b
MM		 2901 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2902 chan->last_acked_seq);
6be36555 2903
0362520b
MM		 2904 if (frames_to_ack)
2905 l2cap_send_rr_or_rnr(chan, 0);
09bfb2ee 2906
0362520b 2907 l2cap_chan_unlock(chan);
09bfb2ee 2908 l2cap_chan_put(chan);
c1b4f43b
GP		 2909}
2910
466f8004 2911int l2cap_ertm_init(struct l2cap_chan *chan)
0565c1c2 2912{
3c588192
MM		 2913 int err;
2914
105bdf9e
MM		 2915 chan->next_tx_seq = 0;
2916 chan->expected_tx_seq = 0;
42e5c802 2917 chan->expected_ack_seq = 0;
6a026610 2918 chan->unacked_frames = 0;
42e5c802 2919 chan->buffer_seq = 0;
6a026610 2920 chan->frames_sent = 0;
105bdf9e
MM		 2921 chan->last_acked_seq = 0;
2922 chan->sdu = NULL;
2923 chan->sdu_last_frag = NULL;
2924 chan->sdu_len = 0;
2925
d34c34fb
MM		 2926 skb_queue_head_init(&chan->tx_q);
2927
08333283
MM		 2928 chan->local_amp_id = 0;
2929 chan->move_id = 0;
2930 chan->move_state = L2CAP_MOVE_STABLE;
2931 chan->move_role = L2CAP_MOVE_ROLE_NONE;
2932
105bdf9e
MM		 2933 if (chan->mode != L2CAP_MODE_ERTM)
2934 return 0;
2935
2936 chan->rx_state = L2CAP_RX_STATE_RECV;
2937 chan->tx_state = L2CAP_TX_STATE_XMIT;
0565c1c2 2938
721c4181
GP		 2939 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2940 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2941 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
0565c1c2 2942
f1c6775b 2943 skb_queue_head_init(&chan->srej_q);
1890d36b 2944
3c588192
MM		 2945 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2946 if (err < 0)
2947 return err;
2948
9dc9affc
MM		 2949 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2950 if (err < 0)
2951 l2cap_seq_list_free(&chan->srej_list);
2952
2953 return err;
0565c1c2
GP		 2954}
2955
f2fcfcd6
GP		 2956static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2957{
2958 switch (mode) {
2959 case L2CAP_MODE_STREAMING:
2960 case L2CAP_MODE_ERTM:
2961 if (l2cap_mode_supported(mode, remote_feat_mask))
2962 return mode;
2963 /* fall through */
2964 default:
2965 return L2CAP_MODE_BASIC;
2966 }
2967}
2968
6327eb98
AE		 2969static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2970{
2971 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2972}
2973
f89cef09
AE		 2974static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2975{
2976 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2977}
2978
36c86c85
MM		 2979static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
2980 struct l2cap_conf_rfc *rfc)
2981{
2982 if (chan->local_amp_id && chan->hs_hcon) {
2983 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
2984
2985 /* Class 1 devices have must have ERTM timeouts
2986 * exceeding the Link Supervision Timeout. The
2987 * default Link Supervision Timeout for AMP
2988 * controllers is 10 seconds.
2989 *
2990 * Class 1 devices use 0xffffffff for their
2991 * best-effort flush timeout, so the clamping logic
2992 * will result in a timeout that meets the above
2993 * requirement. ERTM timeouts are 16-bit values, so
2994 * the maximum timeout is 65.535 seconds.
2995 */
2996
2997 /* Convert timeout to milliseconds and round */
2998 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
2999
3000 /* This is the recommended formula for class 2 devices
3001 * that start ERTM timers when packets are sent to the
3002 * controller.
3003 */
3004 ertm_to = 3 * ertm_to + 500;
3005
3006 if (ertm_to > 0xffff)
3007 ertm_to = 0xffff;
3008
3009 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3010 rfc->monitor_timeout = rfc->retrans_timeout;
3011 } else {
3012 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3013 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3014 }
3015}
3016
6327eb98
AE		 3017static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3018{
3019 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2d792818 3020 __l2cap_ews_supported(chan)) {
6327eb98
AE		 3021 /* use extended control field */
3022 set_bit(FLAG_EXT_CTRL, &chan->flags);
836be934
AE		 3023 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3024 } else {
6327eb98 3025 chan->tx_win = min_t(u16, chan->tx_win,
2d792818 3026 L2CAP_DEFAULT_TX_WINDOW);
836be934
AE		 3027 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3028 }
c20f8e35 3029 chan->ack_win = chan->tx_win;
6327eb98
AE		 3030}
3031
710f9b0a 3032static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3033{
1da177e4 3034 struct l2cap_conf_req *req = data;
0c1bc5c6 3035 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
1da177e4 3036 void *ptr = req->data;
c8f79162 3037 u16 size;
1da177e4 3038
49208c9c 3039 BT_DBG("chan %p", chan);
1da177e4 3040
73ffa904 3041 if (chan->num_conf_req || chan->num_conf_rsp)
f2fcfcd6
GP		 3042 goto done;
3043
0c1bc5c6 3044 switch (chan->mode) {
f2fcfcd6
GP		 3045 case L2CAP_MODE_STREAMING:
3046 case L2CAP_MODE_ERTM:
c1360a1c 3047 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
85eb53c6 3048 break;
85eb53c6 3049
f89cef09
AE		 3050 if (__l2cap_efs_supported(chan))
3051 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3052
2ba13ed6 3053 /* fall through */
f2fcfcd6 3054 default:
8c1d787b 3055 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
f2fcfcd6
GP		 3056 break;
3057 }
3058
3059done:
0c1bc5c6
GP		 3060 if (chan->imtu != L2CAP_DEFAULT_MTU)
3061 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
7990681c 3062
0c1bc5c6 3063 switch (chan->mode) {
65c7c491 3064 case L2CAP_MODE_BASIC:
8c1d787b 3065 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2d792818 3066 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
63406504
GP		 3067 break;
3068
62547752
GP		 3069 rfc.mode = L2CAP_MODE_BASIC;
3070 rfc.txwin_size = 0;
3071 rfc.max_transmit = 0;
3072 rfc.retrans_timeout = 0;
3073 rfc.monitor_timeout = 0;
3074 rfc.max_pdu_size = 0;
3075
63406504 3076 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3077 (unsigned long) &rfc);
65c7c491
MH		 3078 break;
3079
3080 case L2CAP_MODE_ERTM:
3081 rfc.mode = L2CAP_MODE_ERTM;
47d1ec61 3082 rfc.max_transmit = chan->max_tx;
36c86c85
MM		 3083
3084 __l2cap_set_ertm_timeouts(chan, &rfc);
c8f79162
AE		 3085
3086 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3087 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3088 L2CAP_FCS_SIZE);
c8f79162 3089 rfc.max_pdu_size = cpu_to_le16(size);
f2fcfcd6 3090
6327eb98
AE		 3091 l2cap_txwin_setup(chan);
3092
3093 rfc.txwin_size = min_t(u16, chan->tx_win,
2d792818 3094 L2CAP_DEFAULT_TX_WINDOW);
f2fcfcd6 3095
63406504 3096 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3097 (unsigned long) &rfc);
63406504 3098
f89cef09
AE		 3099 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3100 l2cap_add_opt_efs(&ptr, chan);
3101
8c1d787b 3102 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3103 break;
3104
47d1ec61 3105 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3106 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3107 chan->fcs = L2CAP_FCS_NONE;
3108 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3109 }
6327eb98
AE		 3110
3111 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3112 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2d792818 3113 chan->tx_win);
f2fcfcd6
GP		 3114 break;
3115
3116 case L2CAP_MODE_STREAMING:
273759e2 3117 l2cap_txwin_setup(chan);
f2fcfcd6
GP		 3118 rfc.mode = L2CAP_MODE_STREAMING;
3119 rfc.txwin_size = 0;
3120 rfc.max_transmit = 0;
3121 rfc.retrans_timeout = 0;
3122 rfc.monitor_timeout = 0;
c8f79162
AE		 3123
3124 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2d792818
GP		 3125 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3126 L2CAP_FCS_SIZE);
c8f79162 3127 rfc.max_pdu_size = cpu_to_le16(size);
65c7c491 3128
63406504 3129 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2d792818 3130 (unsigned long) &rfc);
63406504 3131
f89cef09
AE		 3132 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3133 l2cap_add_opt_efs(&ptr, chan);
3134
8c1d787b 3135 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
fcc203c3
GP		 3136 break;
3137
47d1ec61 3138 if (chan->fcs == L2CAP_FCS_NONE ||
2d792818 3139 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
47d1ec61
GP		 3140 chan->fcs = L2CAP_FCS_NONE;
3141 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
fcc203c3 3142 }
65c7c491
MH		 3143 break;
3144 }
1da177e4 3145
fe4128e0 3146 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3147 req->flags = __constant_cpu_to_le16(0);
1da177e4
LT		 3148
3149 return ptr - data;
3150}
3151
73ffa904 3152static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
1da177e4 3153{
5dee9e7c
MH		 3154 struct l2cap_conf_rsp *rsp = data;
3155 void *ptr = rsp->data;
73ffa904
GP		 3156 void *req = chan->conf_req;
3157 int len = chan->conf_len;
5dee9e7c
MH		 3158 int type, hint, olen;
3159 unsigned long val;
6464f35f 3160 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
42dceae2
AE		 3161 struct l2cap_conf_efs efs;
3162 u8 remote_efs = 0;
861d6882 3163 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 3164 u16 result = L2CAP_CONF_SUCCESS;
c8f79162 3165 u16 size;
1da177e4 3166
73ffa904 3167 BT_DBG("chan %p", chan);
820ae1b8 3168
5dee9e7c
MH		 3169 while (len >= L2CAP_CONF_OPT_SIZE) {
3170 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 3171
589d2746 3172 hint = type & L2CAP_CONF_HINT;
47ec1dcd 3173 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 3174
3175 switch (type) {
3176 case L2CAP_CONF_MTU:
861d6882 3177 mtu = val;
5dee9e7c
MH		 3178 break;
3179
3180 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3181 chan->flush_to = val;
5dee9e7c
MH		 3182 break;
3183
3184 case L2CAP_CONF_QOS:
3185 break;
3186
6464f35f
MH		 3187 case L2CAP_CONF_RFC:
3188 if (olen == sizeof(rfc))
3189 memcpy(&rfc, (void *) val, olen);
3190 break;
3191
fcc203c3
GP		 3192 case L2CAP_CONF_FCS:
3193 if (val == L2CAP_FCS_NONE)
c1360a1c 3194 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
42dceae2 3195 break;
fcc203c3 3196
42dceae2
AE		 3197 case L2CAP_CONF_EFS:
3198 remote_efs = 1;
3199 if (olen == sizeof(efs))
3200 memcpy(&efs, (void *) val, olen);
fcc203c3
GP		 3201 break;
3202
6327eb98
AE		 3203 case L2CAP_CONF_EWS:
3204 if (!enable_hs)
3205 return -ECONNREFUSED;
fcc203c3 3206
6327eb98
AE		 3207 set_bit(FLAG_EXT_CTRL, &chan->flags);
3208 set_bit(CONF_EWS_RECV, &chan->conf_state);
836be934 3209 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
6327eb98 3210 chan->remote_tx_win = val;
fcc203c3
GP		 3211 break;
3212
5dee9e7c
MH		 3213 default:
3214 if (hint)
3215 break;
3216
3217 result = L2CAP_CONF_UNKNOWN;
3218 *((u8 *) ptr++) = type;
3219 break;
3220 }
3221 }
3222
73ffa904 3223 if (chan->num_conf_rsp || chan->num_conf_req > 1)
f2fcfcd6
GP		 3224 goto done;
3225
0c1bc5c6 3226 switch (chan->mode) {
f2fcfcd6
GP		 3227 case L2CAP_MODE_STREAMING:
3228 case L2CAP_MODE_ERTM:
c1360a1c 3229 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
0c1bc5c6 3230 chan->mode = l2cap_select_mode(rfc.mode,
2d792818 3231 chan->conn->feat_mask);
85eb53c6
GP		 3232 break;
3233 }
3234
42dceae2
AE		 3235 if (remote_efs) {
3236 if (__l2cap_efs_supported(chan))
3237 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3238 else
3239 return -ECONNREFUSED;
3240 }
3241
0c1bc5c6 3242 if (chan->mode != rfc.mode)
f2fcfcd6 3243 return -ECONNREFUSED;
742e519b 3244
f2fcfcd6 3245 break;
f2fcfcd6
GP		 3246 }
3247
3248done:
0c1bc5c6 3249 if (chan->mode != rfc.mode) {
f2fcfcd6 3250 result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3251 rfc.mode = chan->mode;
f2fcfcd6 3252
73ffa904 3253 if (chan->num_conf_rsp == 1)
f2fcfcd6
GP		 3254 return -ECONNREFUSED;
3255
2d792818
GP		 3256 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3257 (unsigned long) &rfc);
f2fcfcd6
GP		 3258 }
3259
5dee9e7c
MH		 3260 if (result == L2CAP_CONF_SUCCESS) {
3261 /* Configure output options and let the other side know
3262 * which ones we don't like. */
3263
f2fcfcd6
GP		 3264 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3265 result = L2CAP_CONF_UNACCEPT;
3266 else {
0c1bc5c6 3267 chan->omtu = mtu;
c1360a1c 3268 set_bit(CONF_MTU_DONE, &chan->conf_state);
f2fcfcd6 3269 }
0c1bc5c6 3270 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
6464f35f 3271
42dceae2
AE		 3272 if (remote_efs) {
3273 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3274 efs.stype != L2CAP_SERV_NOTRAFIC &&
3275 efs.stype != chan->local_stype) {
42dceae2
AE		 3276
3277 result = L2CAP_CONF_UNACCEPT;
3278
3279 if (chan->num_conf_req >= 1)
3280 return -ECONNREFUSED;
3281
3282 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3283 sizeof(efs),
3284 (unsigned long) &efs);
0e8b207e 3285 } else {
3e6b3b95 3286 /* Send PENDING Conf Rsp */
0e8b207e
AE		 3287 result = L2CAP_CONF_PENDING;
3288 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
42dceae2
AE		 3289 }
3290 }
3291
f2fcfcd6
GP		 3292 switch (rfc.mode) {
3293 case L2CAP_MODE_BASIC:
47d1ec61 3294 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3295 set_bit(CONF_MODE_DONE, &chan->conf_state);
f2fcfcd6
GP		 3296 break;
3297
3298 case L2CAP_MODE_ERTM:
6327eb98
AE		 3299 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3300 chan->remote_tx_win = rfc.txwin_size;
3301 else
3302 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
86b1b263 3303
2c03a7a4 3304 chan->remote_max_tx = rfc.max_transmit;
1c762159 3305
c8f79162 3306 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3307 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3308 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3309 rfc.max_pdu_size = cpu_to_le16(size);
3310 chan->remote_mps = size;
f2fcfcd6 3311
36c86c85 3312 __l2cap_set_ertm_timeouts(chan, &rfc);
f2fcfcd6 3313
c1360a1c 3314 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639
GP		 3315
3316 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3317 sizeof(rfc), (unsigned long) &rfc);
68ae6639 3318
42dceae2
AE		 3319 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3320 chan->remote_id = efs.id;
3321 chan->remote_stype = efs.stype;
3322 chan->remote_msdu = le16_to_cpu(efs.msdu);
3323 chan->remote_flush_to =
2d792818 3324 le32_to_cpu(efs.flush_to);
42dceae2 3325 chan->remote_acc_lat =
2d792818 3326 le32_to_cpu(efs.acc_lat);
42dceae2
AE		 3327 chan->remote_sdu_itime =
3328 le32_to_cpu(efs.sdu_itime);
3329 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2d792818
GP		 3330 sizeof(efs),
3331 (unsigned long) &efs);
42dceae2 3332 }
f2fcfcd6
GP		 3333 break;
3334
3335 case L2CAP_MODE_STREAMING:
c8f79162 3336 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2d792818
GP		 3337 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3338 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
c8f79162
AE		 3339 rfc.max_pdu_size = cpu_to_le16(size);
3340 chan->remote_mps = size;
f2fcfcd6 3341
c1360a1c 3342 set_bit(CONF_MODE_DONE, &chan->conf_state);
68ae6639 3343
2d792818
GP		 3344 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3345 (unsigned long) &rfc);
68ae6639 3346
f2fcfcd6
GP		 3347 break;
3348
3349 default:
5dee9e7c 3350 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 3351
6464f35f 3352 memset(&rfc, 0, sizeof(rfc));
0c1bc5c6 3353 rfc.mode = chan->mode;
f2fcfcd6 3354 }
6464f35f 3355
f2fcfcd6 3356 if (result == L2CAP_CONF_SUCCESS)
c1360a1c 3357 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
f2fcfcd6 3358 }
fe4128e0 3359 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3360 rsp->result = cpu_to_le16(result);
59e54bd1 3361 rsp->flags = __constant_cpu_to_le16(0);
5dee9e7c
MH		 3362
3363 return ptr - data;
1da177e4
LT		 3364}
3365
2d792818
GP		 3366static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3367 void *data, u16 *result)
f2fcfcd6 3368{
f2fcfcd6
GP		 3369 struct l2cap_conf_req *req = data;
3370 void *ptr = req->data;
3371 int type, olen;
3372 unsigned long val;
36e999a8 3373 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
66af7aaf 3374 struct l2cap_conf_efs efs;
f2fcfcd6 3375
fe4128e0 3376 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
f2fcfcd6
GP		 3377
3378 while (len >= L2CAP_CONF_OPT_SIZE) {
3379 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3380
3381 switch (type) {
3382 case L2CAP_CONF_MTU:
3383 if (val < L2CAP_DEFAULT_MIN_MTU) {
3384 *result = L2CAP_CONF_UNACCEPT;
0c1bc5c6 3385 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
f2fcfcd6 3386 } else
0c1bc5c6
GP		 3387 chan->imtu = val;
3388 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
f2fcfcd6
GP		 3389 break;
3390
3391 case L2CAP_CONF_FLUSH_TO:
0c1bc5c6 3392 chan->flush_to = val;
f2fcfcd6 3393 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2d792818 3394 2, chan->flush_to);
f2fcfcd6
GP		 3395 break;
3396
3397 case L2CAP_CONF_RFC:
3398 if (olen == sizeof(rfc))
3399 memcpy(&rfc, (void *)val, olen);
3400
c1360a1c 3401 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2d792818 3402 rfc.mode != chan->mode)
f2fcfcd6
GP		 3403 return -ECONNREFUSED;
3404
47d1ec61 3405 chan->fcs = 0;
f2fcfcd6
GP		 3406
3407 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2d792818 3408 sizeof(rfc), (unsigned long) &rfc);
f2fcfcd6 3409 break;
6327eb98
AE		 3410
3411 case L2CAP_CONF_EWS:
c20f8e35 3412 chan->ack_win = min_t(u16, val, chan->ack_win);
3e6b3b95 3413 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
c20f8e35 3414 chan->tx_win);
6327eb98 3415 break;
66af7aaf
AE		 3416
3417 case L2CAP_CONF_EFS:
3418 if (olen == sizeof(efs))
3419 memcpy(&efs, (void *)val, olen);
3420
3421 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2d792818
GP		 3422 efs.stype != L2CAP_SERV_NOTRAFIC &&
3423 efs.stype != chan->local_stype)
66af7aaf
AE		 3424 return -ECONNREFUSED;
3425
2d792818
GP		 3426 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3427 (unsigned long) &efs);
66af7aaf 3428 break;
f2fcfcd6
GP		 3429 }
3430 }
3431
0c1bc5c6 3432 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
6c2ea7a8
GP		 3433 return -ECONNREFUSED;
3434
0c1bc5c6 3435 chan->mode = rfc.mode;
6c2ea7a8 3436
0e8b207e 3437 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
f2fcfcd6
GP		 3438 switch (rfc.mode) {
3439 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3440 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3441 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3442 chan->mps = le16_to_cpu(rfc.max_pdu_size);
c20f8e35
MM		 3443 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3444 chan->ack_win = min_t(u16, chan->ack_win,
3445 rfc.txwin_size);
66af7aaf
AE		 3446
3447 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3448 chan->local_msdu = le16_to_cpu(efs.msdu);
3449 chan->local_sdu_itime =
2d792818 3450 le32_to_cpu(efs.sdu_itime);
66af7aaf
AE		 3451 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3452 chan->local_flush_to =
2d792818 3453 le32_to_cpu(efs.flush_to);
66af7aaf 3454 }
f2fcfcd6 3455 break;
66af7aaf 3456
f2fcfcd6 3457 case L2CAP_MODE_STREAMING:
47d1ec61 3458 chan->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 3459 }
3460 }
3461
fe4128e0 3462 req->dcid = cpu_to_le16(chan->dcid);
59e54bd1 3463 req->flags = __constant_cpu_to_le16(0);
f2fcfcd6
GP		 3464
3465 return ptr - data;
3466}
3467
2d792818
GP		 3468static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3469 u16 result, u16 flags)
1da177e4
LT		 3470{
3471 struct l2cap_conf_rsp *rsp = data;
3472 void *ptr = rsp->data;
1da177e4 3473
fe4128e0 3474 BT_DBG("chan %p", chan);
1da177e4 3475
fe4128e0 3476 rsp->scid = cpu_to_le16(chan->dcid);
5dee9e7c 3477 rsp->result = cpu_to_le16(result);
aca3192c 3478 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 3479
3480 return ptr - data;
3481}
3482
8c1d787b 3483void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
710f9b0a
GP		 3484{
3485 struct l2cap_conn_rsp rsp;
8c1d787b 3486 struct l2cap_conn *conn = chan->conn;
710f9b0a 3487 u8 buf[128];
439f34ac 3488 u8 rsp_code;
710f9b0a 3489
fe4128e0
GP		 3490 rsp.scid = cpu_to_le16(chan->dcid);
3491 rsp.dcid = cpu_to_le16(chan->scid);
ac73498c
AE		 3492 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3493 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
439f34ac
AE		 3494
3495 if (chan->hs_hcon)
3496 rsp_code = L2CAP_CREATE_CHAN_RSP;
3497 else
3498 rsp_code = L2CAP_CONN_RSP;
3499
3500 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3501
3502 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
710f9b0a 3503
c1360a1c 3504 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
710f9b0a
GP		 3505 return;
3506
710f9b0a 3507 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3508 l2cap_build_conf_req(chan, buf), buf);
710f9b0a
GP		 3509 chan->num_conf_req++;
3510}
3511
47d1ec61 3512static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
7b1c0049 3513{
7b1c0049
GP		 3514 int type, olen;
3515 unsigned long val;
c20f8e35
MM		 3516 /* Use sane default values in case a misbehaving remote device
3517 * did not send an RFC or extended window size option.
3518 */
3519 u16 txwin_ext = chan->ack_win;
3520 struct l2cap_conf_rfc rfc = {
3521 .mode = chan->mode,
3522 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3523 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3524 .max_pdu_size = cpu_to_le16(chan->imtu),
3525 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3526 };
7b1c0049 3527
47d1ec61 3528 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
7b1c0049 3529
0c1bc5c6 3530 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
7b1c0049
GP		 3531 return;
3532
3533 while (len >= L2CAP_CONF_OPT_SIZE) {
3534 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3535
c20f8e35
MM		 3536 switch (type) {
3537 case L2CAP_CONF_RFC:
3538 if (olen == sizeof(rfc))
3539 memcpy(&rfc, (void *)val, olen);
8f321f85 3540 break;
c20f8e35
MM		 3541 case L2CAP_CONF_EWS:
3542 txwin_ext = val;
3543 break;
3544 }
7b1c0049
GP		 3545 }
3546
7b1c0049
GP		 3547 switch (rfc.mode) {
3548 case L2CAP_MODE_ERTM:
47d1ec61
GP		 3549 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3550 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
c20f8e35
MM		 3551 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3552 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3553 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3554 else
3555 chan->ack_win = min_t(u16, chan->ack_win,
3556 rfc.txwin_size);
7b1c0049
GP		 3557 break;
3558 case L2CAP_MODE_STREAMING:
47d1ec61 3559 chan->mps = le16_to_cpu(rfc.max_pdu_size);
7b1c0049
GP		 3560 }
3561}
3562
2d792818
GP		 3563static inline int l2cap_command_rej(struct l2cap_conn *conn,
3564 struct l2cap_cmd_hdr *cmd, u8 *data)
4e8402a3 3565{
e2fd318e 3566 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4e8402a3 3567
e2fd318e 3568 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4e8402a3
MH		 3569 return 0;
3570
3571 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2d792818 3572 cmd->ident == conn->info_ident) {
17cd3f37 3573 cancel_delayed_work(&conn->info_timer);
984947dc
MH		 3574
3575 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3576 conn->info_ident = 0;
984947dc 3577
4e8402a3
MH		 3578 l2cap_conn_start(conn);
3579 }
3580
3581 return 0;
3582}
3583
1700915f
MM		 3584static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3585 struct l2cap_cmd_hdr *cmd,
3586 u8 *data, u8 rsp_code, u8 amp_id)
1da177e4 3587{
1da177e4
LT		 3588 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3589 struct l2cap_conn_rsp rsp;
23691d75 3590 struct l2cap_chan *chan = NULL, *pchan;
d793fe8c 3591 struct sock *parent, *sk = NULL;
e7c29cb1 3592 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3593
3594 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 3595 __le16 psm = req->psm;
1da177e4 3596
097db76c 3597 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
1da177e4
LT		 3598
3599 /* Check if we have socket listening on psm */
c2287681 3600 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
23691d75 3601 if (!pchan) {
1da177e4
LT		 3602 result = L2CAP_CR_BAD_PSM;
3603 goto sendresp;
3604 }
3605
23691d75
GP		 3606 parent = pchan->sk;
3607
3df91ea2 3608 mutex_lock(&conn->chan_lock);
aa2ac881 3609 lock_sock(parent);
e0f0cb56 3610
e7c29cb1 3611 /* Check if the ACL is secure enough (if not SDP) */
2983fd68 3612 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
2d792818 3613 !hci_conn_check_link_mode(conn->hcon)) {
9f5a0d7b 3614 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
e7c29cb1
MH		 3615 result = L2CAP_CR_SEC_BLOCK;
3616 goto response;
3617 }
3618
1da177e4
LT		 3619 result = L2CAP_CR_NO_MEM;
3620
2dfa1003
GP		 3621 /* Check if we already have channel with that dcid */
3622 if (__l2cap_get_chan_by_dcid(conn, scid))
3623 goto response;
3624
80b98027 3625 chan = pchan->ops->new_connection(pchan);
80808e43 3626 if (!chan)
1da177e4
LT		 3627 goto response;
3628
80808e43
GP		 3629 sk = chan->sk;
3630
1da177e4
LT		 3631 hci_conn_hold(conn->hcon);
3632
1da177e4
LT		 3633 bacpy(&bt_sk(sk)->src, conn->src);
3634 bacpy(&bt_sk(sk)->dst, conn->dst);
fe4128e0
GP		 3635 chan->psm = psm;
3636 chan->dcid = scid;
1700915f 3637 chan->local_amp_id = amp_id;
1da177e4 3638
6be36555 3639 __l2cap_chan_add(conn, chan);
48454079 3640
fe4128e0 3641 dcid = chan->scid;
1da177e4 3642
c9b66675 3643 __set_chan_timer(chan, sk->sk_sndtimeo);
1da177e4 3644
fc7f8a7e 3645 chan->ident = cmd->ident;
1da177e4 3646
984947dc 3647 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
d45fc423 3648 if (l2cap_chan_check_security(chan)) {
c5daa683 3649 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
0e587be7 3650 __l2cap_state_change(chan, BT_CONNECT2);
f66dc81f
MH		 3651 result = L2CAP_CR_PEND;
3652 status = L2CAP_CS_AUTHOR_PEND;
2dc4e510 3653 chan->ops->defer(chan);
f66dc81f 3654 } else {
1700915f
MM		 3655 /* Force pending result for AMP controllers.
3656 * The connection will succeed after the
3657 * physical link is up.
3658 */
3659 if (amp_id) {
3660 __l2cap_state_change(chan, BT_CONNECT2);
3661 result = L2CAP_CR_PEND;
3662 } else {
3663 __l2cap_state_change(chan, BT_CONFIG);
3664 result = L2CAP_CR_SUCCESS;
3665 }
f66dc81f
MH		 3666 status = L2CAP_CS_NO_INFO;
3667 }
79d554a6 3668 } else {
0e587be7 3669 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3670 result = L2CAP_CR_PEND;
3671 status = L2CAP_CS_AUTHEN_PEND;
3672 }
3673 } else {
0e587be7 3674 __l2cap_state_change(chan, BT_CONNECT2);
79d554a6
MH		 3675 result = L2CAP_CR_PEND;
3676 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 3677 }
3678
1da177e4 3679response:
aa2ac881 3680 release_sock(parent);
3df91ea2 3681 mutex_unlock(&conn->chan_lock);
1da177e4
LT		 3682
3683sendresp:
aca3192c
YH		 3684 rsp.scid = cpu_to_le16(scid);
3685 rsp.dcid = cpu_to_le16(dcid);
3686 rsp.result = cpu_to_le16(result);
3687 rsp.status = cpu_to_le16(status);
4c89b6aa 3688 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
79d554a6
MH		 3689
3690 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3691 struct l2cap_info_req info;
ac73498c 3692 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
79d554a6
MH		 3693
3694 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3695 conn->info_ident = l2cap_get_ident(conn);
3696
ba13ccd9 3697 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
79d554a6 3698
2d792818
GP		 3699 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3700 sizeof(info), &info);
79d554a6
MH		 3701 }
3702
c1360a1c 3703 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2d792818 3704 result == L2CAP_CR_SUCCESS) {
e9aeb2dd 3705 u8 buf[128];
c1360a1c 3706 set_bit(CONF_REQ_SENT, &chan->conf_state);
e9aeb2dd 3707 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3708 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3709 chan->num_conf_req++;
e9aeb2dd 3710 }
1700915f
MM		 3711
3712 return chan;
4c89b6aa 3713}
e9aeb2dd 3714
4c89b6aa
MM		 3715static int l2cap_connect_req(struct l2cap_conn *conn,
3716 struct l2cap_cmd_hdr *cmd, u8 *data)
3717{
300229f9 3718 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
1da177e4
LT		 3719 return 0;
3720}
3721
5909cf30 3722static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
2d792818 3723 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3724{
3725 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3726 u16 scid, dcid, result, status;
48454079 3727 struct l2cap_chan *chan;
1da177e4 3728 u8 req[128];
3df91ea2 3729 int err;
1da177e4
LT		 3730
3731 scid = __le16_to_cpu(rsp->scid);
3732 dcid = __le16_to_cpu(rsp->dcid);
3733 result = __le16_to_cpu(rsp->result);
3734 status = __le16_to_cpu(rsp->status);
3735
1b009c98 3736 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2d792818 3737 dcid, scid, result, status);
1da177e4 3738
3df91ea2
AE		 3739 mutex_lock(&conn->chan_lock);
3740
1da177e4 3741 if (scid) {
3df91ea2
AE		 3742 chan = __l2cap_get_chan_by_scid(conn, scid);
3743 if (!chan) {
3744 err = -EFAULT;
3745 goto unlock;
3746 }
1da177e4 3747 } else {
3df91ea2
AE		 3748 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3749 if (!chan) {
3750 err = -EFAULT;
3751 goto unlock;
3752 }
1da177e4
LT		 3753 }
3754
3df91ea2
AE		 3755 err = 0;
3756
6be36555 3757 l2cap_chan_lock(chan);
48454079 3758
1da177e4
LT		 3759 switch (result) {
3760 case L2CAP_CR_SUCCESS:
89bc500e 3761 l2cap_state_change(chan, BT_CONFIG);
fc7f8a7e 3762 chan->ident = 0;
fe4128e0 3763 chan->dcid = dcid;
c1360a1c 3764 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
6a8d3010 3765
c1360a1c 3766 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
e9aeb2dd
GP		 3767 break;
3768
1da177e4 3769 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3770 l2cap_build_conf_req(chan, req), req);
73ffa904 3771 chan->num_conf_req++;
1da177e4
LT		 3772 break;
3773
3774 case L2CAP_CR_PEND:
c1360a1c 3775 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1da177e4
LT		 3776 break;
3777
3778 default:
48454079 3779 l2cap_chan_del(chan, ECONNREFUSED);
1da177e4
LT		 3780 break;
3781 }
3782
6be36555 3783 l2cap_chan_unlock(chan);
3df91ea2
AE		 3784
3785unlock:
3786 mutex_unlock(&conn->chan_lock);
3787
3788 return err;
1da177e4
LT		 3789}
3790
47d1ec61 3791static inline void set_default_fcs(struct l2cap_chan *chan)
8c462b60
MM		 3792{
3793 /* FCS is enabled only in ERTM or streaming mode, if one or both
3794 * sides request it.
3795 */
0c1bc5c6 3796 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
47d1ec61 3797 chan->fcs = L2CAP_FCS_NONE;
c1360a1c 3798 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
47d1ec61 3799 chan->fcs = L2CAP_FCS_CRC16;
8c462b60
MM		 3800}
3801
29d8a590
AE		 3802static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3803 u8 ident, u16 flags)
3804{
3805 struct l2cap_conn *conn = chan->conn;
3806
3807 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3808 flags);
3809
3810 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3811 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3812
3813 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3814 l2cap_build_conf_rsp(chan, data,
3815 L2CAP_CONF_SUCCESS, flags), data);
3816}
3817
2d792818
GP		 3818static inline int l2cap_config_req(struct l2cap_conn *conn,
3819 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3820 u8 *data)
1da177e4
LT		 3821{
3822 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3823 u16 dcid, flags;
3824 u8 rsp[64];
48454079 3825 struct l2cap_chan *chan;
3c588192 3826 int len, err = 0;
1da177e4
LT		 3827
3828 dcid = __le16_to_cpu(req->dcid);
3829 flags = __le16_to_cpu(req->flags);
3830
3831 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3832
baa7e1fa 3833 chan = l2cap_get_chan_by_scid(conn, dcid);
48454079 3834 if (!chan)
1da177e4
LT		 3835 return -ENOENT;
3836
033b1142 3837 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
e2fd318e
IK		 3838 struct l2cap_cmd_rej_cid rej;
3839
ac73498c 3840 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
e2fd318e
IK		 3841 rej.scid = cpu_to_le16(chan->scid);
3842 rej.dcid = cpu_to_le16(chan->dcid);
df6bd743 3843
df6bd743 3844 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2d792818 3845 sizeof(rej), &rej);
354f60a9 3846 goto unlock;
df6bd743 3847 }
354f60a9 3848
5dee9e7c 3849 /* Reject if config buffer is too small. */
88219a0f 3850 len = cmd_len - sizeof(*req);
7ac28817 3851 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
5dee9e7c 3852 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3853 l2cap_build_conf_rsp(chan, rsp,
3854 L2CAP_CONF_REJECT, flags), rsp);
5dee9e7c
MH		 3855 goto unlock;
3856 }
3857
3858 /* Store config. */
73ffa904
GP		 3859 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3860 chan->conf_len += len;
1da177e4 3861
59e54bd1 3862 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
1da177e4
LT		 3863 /* Incomplete config. Send empty response. */
3864 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2d792818
GP		 3865 l2cap_build_conf_rsp(chan, rsp,
3866 L2CAP_CONF_SUCCESS, flags), rsp);
1da177e4
LT		 3867 goto unlock;
3868 }
3869
3870 /* Complete config. */
73ffa904 3871 len = l2cap_parse_conf_req(chan, rsp);
f2fcfcd6 3872 if (len < 0) {
e92c8e70 3873 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4 3874 goto unlock;
f2fcfcd6 3875 }
1da177e4 3876
1500109b 3877 chan->ident = cmd->ident;
5dee9e7c 3878 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
73ffa904 3879 chan->num_conf_rsp++;
5dee9e7c 3880
5dee9e7c 3881 /* Reset config buffer. */
73ffa904 3882 chan->conf_len = 0;
5dee9e7c 3883
c1360a1c 3884 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
876d9484
MH		 3885 goto unlock;
3886
c1360a1c 3887 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
47d1ec61 3888 set_default_fcs(chan);
fcc203c3 3889
105bdf9e
MM		 3890 if (chan->mode == L2CAP_MODE_ERTM ||
3891 chan->mode == L2CAP_MODE_STREAMING)
3c588192
MM		 3892 err = l2cap_ertm_init(chan);
3893
3894 if (err < 0)
3895 l2cap_send_disconn_req(chan->conn, chan, -err);
3896 else
3897 l2cap_chan_ready(chan);
0565c1c2 3898
876d9484
MH		 3899 goto unlock;
3900 }
3901
c1360a1c 3902 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
79d554a6 3903 u8 buf[64];
1da177e4 3904 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2d792818 3905 l2cap_build_conf_req(chan, buf), buf);
73ffa904 3906 chan->num_conf_req++;
1da177e4
LT		 3907 }
3908
0e8b207e
AE		 3909 /* Got Conf Rsp PENDING from remote side and asume we sent
3910 Conf Rsp PENDING in the code above */
3911 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
29d8a590 3912 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
0e8b207e
AE		 3913
3914 /* check compatibility */
3915
79de886d
AE		 3916 /* Send rsp for BR/EDR channel */
3917 if (!chan->ctrl_id)
3918 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
3919 else
3920 chan->ident = cmd->ident;
0e8b207e
AE		 3921 }
3922
1da177e4 3923unlock:
6be36555 3924 l2cap_chan_unlock(chan);
3c588192 3925 return err;
1da177e4
LT		 3926}
3927
2d792818
GP		 3928static inline int l2cap_config_rsp(struct l2cap_conn *conn,
3929 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 3930{
3931 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3932 u16 scid, flags, result;
48454079 3933 struct l2cap_chan *chan;
61386cba 3934 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3c588192 3935 int err = 0;
1da177e4
LT		 3936
3937 scid = __le16_to_cpu(rsp->scid);
3938 flags = __le16_to_cpu(rsp->flags);
3939 result = __le16_to_cpu(rsp->result);
3940
61386cba
AE		 3941 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3942 result, len);
1da177e4 3943
baa7e1fa 3944 chan = l2cap_get_chan_by_scid(conn, scid);
48454079 3945 if (!chan)
1da177e4
LT		 3946 return 0;
3947
3948 switch (result) {
3949 case L2CAP_CONF_SUCCESS:
47d1ec61 3950 l2cap_conf_rfc_get(chan, rsp->data, len);
0e8b207e 3951 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
1da177e4
LT		 3952 break;
3953
0e8b207e
AE		 3954 case L2CAP_CONF_PENDING:
3955 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3956
3957 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3958 char buf[64];
3959
3960 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3961 buf, &result);
0e8b207e
AE		 3962 if (len < 0) {
3963 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3964 goto done;
3965 }
3966
5ce66b59 3967 if (!chan->ctrl_id) {
79de886d
AE		 3968 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
3969 0);
5ce66b59
AE		 3970 } else {
3971 if (l2cap_check_efs(chan)) {
3972 amp_create_logical_link(chan);
3973 chan->ident = cmd->ident;
3974 }
3975 }
0e8b207e
AE		 3976 }
3977 goto done;
3978
1da177e4 3979 case L2CAP_CONF_UNACCEPT:
73ffa904 3980 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3981 char req[64];
3982
c2c77ec8 3983 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
e92c8e70 3984 l2cap_send_disconn_req(conn, chan, ECONNRESET);
c2c77ec8
AE		 3985 goto done;
3986 }
3987
f2fcfcd6
GP		 3988 /* throw out any old stored conf requests */
3989 result = L2CAP_CONF_SUCCESS;
b4450035 3990 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2d792818 3991 req, &result);
f2fcfcd6 3992 if (len < 0) {
e92c8e70 3993 l2cap_send_disconn_req(conn, chan, ECONNRESET);
f2fcfcd6
GP		 3994 goto done;
3995 }
3996
3997 l2cap_send_cmd(conn, l2cap_get_ident(conn),
2d792818 3998 L2CAP_CONF_REQ, len, req);
73ffa904 3999 chan->num_conf_req++;
f2fcfcd6
GP		 4000 if (result != L2CAP_CONF_SUCCESS)
4001 goto done;
4002 break;
1da177e4
LT		 4003 }
4004
8e87d142 4005 default:
6be36555 4006 l2cap_chan_set_err(chan, ECONNRESET);
2e0052e4 4007
ba13ccd9 4008 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
e92c8e70 4009 l2cap_send_disconn_req(conn, chan, ECONNRESET);
1da177e4
LT		 4010 goto done;
4011 }
4012
59e54bd1 4013 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
1da177e4
LT		 4014 goto done;
4015
c1360a1c 4016 set_bit(CONF_INPUT_DONE, &chan->conf_state);
1da177e4 4017
c1360a1c 4018 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
47d1ec61 4019 set_default_fcs(chan);
fcc203c3 4020
105bdf9e
MM		 4021 if (chan->mode == L2CAP_MODE_ERTM ||
4022 chan->mode == L2CAP_MODE_STREAMING)
3c588192 4023 err = l2cap_ertm_init(chan);
0565c1c2 4024
3c588192
MM		 4025 if (err < 0)
4026 l2cap_send_disconn_req(chan->conn, chan, -err);
4027 else
4028 l2cap_chan_ready(chan);
1da177e4
LT		 4029 }
4030
4031done:
6be36555 4032 l2cap_chan_unlock(chan);
3c588192 4033 return err;
1da177e4
LT		 4034}
4035
2d792818
GP		 4036static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4037 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4038{
4039 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4040 struct l2cap_disconn_rsp rsp;
4041 u16 dcid, scid;
48454079 4042 struct l2cap_chan *chan;
1da177e4
LT		 4043 struct sock *sk;
4044
4045 scid = __le16_to_cpu(req->scid);
4046 dcid = __le16_to_cpu(req->dcid);
4047
4048 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4049
3df91ea2
AE		 4050 mutex_lock(&conn->chan_lock);
4051
4052 chan = __l2cap_get_chan_by_scid(conn, dcid);
4053 if (!chan) {
4054 mutex_unlock(&conn->chan_lock);
1da177e4 4055 return 0;
3df91ea2 4056 }
1da177e4 4057
6be36555
AE		 4058 l2cap_chan_lock(chan);
4059
48454079
GP		 4060 sk = chan->sk;
4061
fe4128e0
GP		 4062 rsp.dcid = cpu_to_le16(chan->scid);
4063 rsp.scid = cpu_to_le16(chan->dcid);
1da177e4
LT		 4064 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4065
6be36555 4066 lock_sock(sk);
1da177e4 4067 sk->sk_shutdown = SHUTDOWN_MASK;
6be36555 4068 release_sock(sk);
1da177e4 4069
61d6ef3e 4070 l2cap_chan_hold(chan);
48454079 4071 l2cap_chan_del(chan, ECONNRESET);
6be36555
AE		 4072
4073 l2cap_chan_unlock(chan);
1da177e4 4074
80b98027 4075 chan->ops->close(chan);
61d6ef3e 4076 l2cap_chan_put(chan);
3df91ea2
AE		 4077
4078 mutex_unlock(&conn->chan_lock);
4079
1da177e4
LT		 4080 return 0;
4081}
4082
2d792818
GP		 4083static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4084 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4085{
4086 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4087 u16 dcid, scid;
48454079 4088 struct l2cap_chan *chan;
1da177e4
LT		 4089
4090 scid = __le16_to_cpu(rsp->scid);
4091 dcid = __le16_to_cpu(rsp->dcid);
4092
4093 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4094
3df91ea2
AE		 4095 mutex_lock(&conn->chan_lock);
4096
4097 chan = __l2cap_get_chan_by_scid(conn, scid);
4098 if (!chan) {
4099 mutex_unlock(&conn->chan_lock);
1da177e4 4100 return 0;
3df91ea2 4101 }
1da177e4 4102
6be36555 4103 l2cap_chan_lock(chan);
48454079 4104
61d6ef3e 4105 l2cap_chan_hold(chan);
48454079 4106 l2cap_chan_del(chan, 0);
6be36555
AE		 4107
4108 l2cap_chan_unlock(chan);
1da177e4 4109
80b98027 4110 chan->ops->close(chan);
61d6ef3e 4111 l2cap_chan_put(chan);
3df91ea2
AE		 4112
4113 mutex_unlock(&conn->chan_lock);
4114
1da177e4
LT		 4115 return 0;
4116}
4117
2d792818
GP		 4118static inline int l2cap_information_req(struct l2cap_conn *conn,
4119 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4120{
4121 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 4122 u16 type;
4123
4124 type = __le16_to_cpu(req->type);
4125
4126 BT_DBG("type 0x%4.4x", type);
4127
f0709e03
MH		 4128 if (type == L2CAP_IT_FEAT_MASK) {
4129 u8 buf[8];
44dd46de 4130 u32 feat_mask = l2cap_feat_mask;
f0709e03 4131 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
ac73498c
AE		 4132 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4133 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
d1c4a17d 4134 if (!disable_ertm)
fcc203c3 4135 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
2d792818 4136 | L2CAP_FEAT_FCS;
a5fd6f30 4137 if (enable_hs)
6327eb98 4138 feat_mask |= L2CAP_FEAT_EXT_FLOW
2d792818 4139 | L2CAP_FEAT_EXT_WINDOW;
a5fd6f30 4140
1b7bf4ed 4141 put_unaligned_le32(feat_mask, rsp->data);
2d792818
GP		 4142 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4143 buf);
e1027a7c
MH		 4144 } else if (type == L2CAP_IT_FIXED_CHAN) {
4145 u8 buf[12];
4146 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
50a147cd
MM		 4147
4148 if (enable_hs)
4149 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4150 else
4151 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4152
ac73498c
AE		 4153 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4154 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
c6337ea6 4155 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
2d792818
GP		 4156 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4157 buf);
f0709e03
MH		 4158 } else {
4159 struct l2cap_info_rsp rsp;
4160 rsp.type = cpu_to_le16(type);
ac73498c 4161 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
2d792818
GP		 4162 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4163 &rsp);
f0709e03 4164 }
1da177e4
LT		 4165
4166 return 0;
4167}
4168
2d792818
GP		 4169static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4170 struct l2cap_cmd_hdr *cmd, u8 *data)
1da177e4
LT		 4171{
4172 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4173 u16 type, result;
4174
4175 type = __le16_to_cpu(rsp->type);
4176 result = __le16_to_cpu(rsp->result);
4177
4178 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4179
e90165be
AE		 4180 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4181 if (cmd->ident != conn->info_ident ||
2d792818 4182 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
e90165be
AE		 4183 return 0;
4184
17cd3f37 4185 cancel_delayed_work(&conn->info_timer);
4e8402a3 4186
adb08ede
VT		 4187 if (result != L2CAP_IR_SUCCESS) {
4188 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4189 conn->info_ident = 0;
4190
4191 l2cap_conn_start(conn);
4192
4193 return 0;
4194 }
4195
978c93b9
AE		 4196 switch (type) {
4197 case L2CAP_IT_FEAT_MASK:
83985319 4198 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 4199
47ec1dcd 4200 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c 4201 struct l2cap_info_req req;
ac73498c 4202 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
e1027a7c
MH		 4203
4204 conn->info_ident = l2cap_get_ident(conn);
4205
4206 l2cap_send_cmd(conn, conn->info_ident,
2d792818 4207 L2CAP_INFO_REQ, sizeof(req), &req);
e1027a7c
MH		 4208 } else {
4209 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4210 conn->info_ident = 0;
4211
4212 l2cap_conn_start(conn);
4213 }
978c93b9
AE		 4214 break;
4215
4216 case L2CAP_IT_FIXED_CHAN:
4217 conn->fixed_chan_mask = rsp->data[0];
984947dc 4218 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 4219 conn->info_ident = 0;
984947dc
MH		 4220
4221 l2cap_conn_start(conn);
978c93b9 4222 break;
984947dc 4223 }
4e8402a3 4224
1da177e4
LT		 4225 return 0;
4226}
4227
1700915f
MM		 4228static int l2cap_create_channel_req(struct l2cap_conn *conn,
4229 struct l2cap_cmd_hdr *cmd,
4230 u16 cmd_len, void *data)
f94ff6ff
MM		 4231{
4232 struct l2cap_create_chan_req *req = data;
1700915f 4233 struct l2cap_chan *chan;
f94ff6ff
MM		 4234 u16 psm, scid;
4235
4236 if (cmd_len != sizeof(*req))
4237 return -EPROTO;
4238
4239 if (!enable_hs)
4240 return -EINVAL;
4241
4242 psm = le16_to_cpu(req->psm);
4243 scid = le16_to_cpu(req->scid);
4244
ad0ac6ca 4245 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
f94ff6ff 4246
1700915f
MM		 4247 if (req->amp_id) {
4248 struct hci_dev *hdev;
4249
4250 /* Validate AMP controller id */
4251 hdev = hci_dev_get(req->amp_id);
4252 if (!hdev || hdev->dev_type != HCI_AMP ||
4253 !test_bit(HCI_UP, &hdev->flags)) {
4254 struct l2cap_create_chan_rsp rsp;
4255
4256 rsp.dcid = 0;
4257 rsp.scid = cpu_to_le16(scid);
4258 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4259 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4260
4261 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4262 sizeof(rsp), &rsp);
4263
4264 if (hdev)
4265 hci_dev_put(hdev);
4266
4267 return 0;
4268 }
4269
4270 hci_dev_put(hdev);
4271 }
f94ff6ff 4272
1700915f
MM		 4273 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4274 req->amp_id);
f94ff6ff
MM		 4275
4276 return 0;
4277}
4278
8eb200bd
MM		 4279static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4280{
4281 struct l2cap_move_chan_req req;
4282 u8 ident;
4283
4284 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4285
4286 ident = l2cap_get_ident(chan->conn);
4287 chan->ident = ident;
4288
4289 req.icid = cpu_to_le16(chan->scid);
4290 req.dest_amp_id = dest_amp_id;
4291
4292 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4293 &req);
4294
4295 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4296}
4297
1500109b 4298static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4299{
4300 struct l2cap_move_chan_rsp rsp;
4301
1500109b 4302 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4303
1500109b 4304 rsp.icid = cpu_to_le16(chan->dcid);
8d5a04a1
MM		 4305 rsp.result = cpu_to_le16(result);
4306
1500109b
MM		 4307 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4308 sizeof(rsp), &rsp);
8d5a04a1
MM		 4309}
4310
5b155ef9 4311static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
8d5a04a1
MM		 4312{
4313 struct l2cap_move_chan_cfm cfm;
8d5a04a1 4314
5b155ef9 4315 BT_DBG("chan %p, result 0x%4.4x", chan, result);
8d5a04a1 4316
5b155ef9 4317 chan->ident = l2cap_get_ident(chan->conn);
8d5a04a1 4318
5b155ef9 4319 cfm.icid = cpu_to_le16(chan->scid);
8d5a04a1
MM		 4320 cfm.result = cpu_to_le16(result);
4321
5b155ef9
MM		 4322 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4323 sizeof(cfm), &cfm);
4324
4325 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4326}
4327
4328static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4329{
4330 struct l2cap_move_chan_cfm cfm;
4331
4332 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4333
4334 cfm.icid = cpu_to_le16(icid);
4335 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4336
4337 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4338 sizeof(cfm), &cfm);
8d5a04a1
MM		 4339}
4340
4341static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
ad0ac6ca 4342 u16 icid)
8d5a04a1
MM		 4343{
4344 struct l2cap_move_chan_cfm_rsp rsp;
4345
ad0ac6ca 4346 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1
MM		 4347
4348 rsp.icid = cpu_to_le16(icid);
4349 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4350}
4351
5f3847a4
MM		 4352static void __release_logical_link(struct l2cap_chan *chan)
4353{
4354 chan->hs_hchan = NULL;
4355 chan->hs_hcon = NULL;
4356
4357 /* Placeholder - release the logical link */
4358}
4359
1500109b
MM		 4360static void l2cap_logical_fail(struct l2cap_chan *chan)
4361{
4362 /* Logical link setup failed */
4363 if (chan->state != BT_CONNECTED) {
4364 /* Create channel failure, disconnect */
4365 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4366 return;
4367 }
4368
4369 switch (chan->move_role) {
4370 case L2CAP_MOVE_ROLE_RESPONDER:
4371 l2cap_move_done(chan);
4372 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4373 break;
4374 case L2CAP_MOVE_ROLE_INITIATOR:
4375 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4376 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4377 /* Remote has only sent pending or
4378 * success responses, clean up
4379 */
4380 l2cap_move_done(chan);
4381 }
4382
4383 /* Other amp move states imply that the move
4384 * has already aborted
4385 */
4386 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4387 break;
4388 }
4389}
4390
4391static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4392 struct hci_chan *hchan)
4393{
4394 struct l2cap_conf_rsp rsp;
1500109b 4395
336178a3 4396 chan->hs_hchan = hchan;
1500109b
MM		 4397 chan->hs_hcon->l2cap_data = chan->conn;
4398
35ba9561 4399 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
1500109b
MM		 4400
4401 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
fe79c6fe 4402 int err;
1500109b
MM		 4403
4404 set_default_fcs(chan);
4405
4406 err = l2cap_ertm_init(chan);
4407 if (err < 0)
4408 l2cap_send_disconn_req(chan->conn, chan, -err);
4409 else
4410 l2cap_chan_ready(chan);
4411 }
4412}
4413
4414static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4415 struct hci_chan *hchan)
4416{
4417 chan->hs_hcon = hchan->conn;
4418 chan->hs_hcon->l2cap_data = chan->conn;
4419
4420 BT_DBG("move_state %d", chan->move_state);
4421
4422 switch (chan->move_state) {
4423 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4424 /* Move confirm will be sent after a success
4425 * response is received
4426 */
4427 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4428 break;
4429 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4430 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4431 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4432 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4433 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4434 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4435 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4436 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4437 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4438 }
4439 break;
4440 default:
4441 /* Move was not in expected state, free the channel */
4442 __release_logical_link(chan);
4443
4444 chan->move_state = L2CAP_MOVE_STABLE;
4445 }
4446}
4447
4448/* Call with chan locked */
27695fb4
AE		 4449void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4450 u8 status)
5b155ef9 4451{
1500109b
MM		 4452 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4453
4454 if (status) {
4455 l2cap_logical_fail(chan);
4456 __release_logical_link(chan);
4457 return;
4458 }
4459
4460 if (chan->state != BT_CONNECTED) {
4461 /* Ignore logical link if channel is on BR/EDR */
4462 if (chan->local_amp_id)
4463 l2cap_logical_finish_create(chan, hchan);
4464 } else {
4465 l2cap_logical_finish_move(chan, hchan);
4466 }
5b155ef9
MM		 4467}
4468
3f7a56c4
MM		 4469void l2cap_move_start(struct l2cap_chan *chan)
4470{
4471 BT_DBG("chan %p", chan);
4472
4473 if (chan->local_amp_id == HCI_BREDR_ID) {
4474 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4475 return;
4476 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4477 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4478 /* Placeholder - start physical link setup */
4479 } else {
4480 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4481 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4482 chan->move_id = 0;
4483 l2cap_move_setup(chan);
4484 l2cap_send_move_chan_req(chan, 0);
4485 }
4486}
4487
8eb200bd
MM		 4488static void l2cap_do_create(struct l2cap_chan *chan, int result,
4489 u8 local_amp_id, u8 remote_amp_id)
4490{
4491 if (!test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4492 struct l2cap_conn_rsp rsp;
4493 char buf[128];
4494 rsp.scid = cpu_to_le16(chan->dcid);
4495 rsp.dcid = cpu_to_le16(chan->scid);
4496
4497 /* Incoming channel on AMP */
4498 if (result == L2CAP_CR_SUCCESS) {
4499 /* Send successful response */
4500 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4501 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4502 } else {
4503 /* Send negative response */
4504 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4505 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4506 }
4507
4508 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4509 sizeof(rsp), &rsp);
4510
4511 if (result == L2CAP_CR_SUCCESS) {
4512 __l2cap_state_change(chan, BT_CONFIG);
4513 set_bit(CONF_REQ_SENT, &chan->conf_state);
4514 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4515 L2CAP_CONF_REQ,
4516 l2cap_build_conf_req(chan, buf), buf);
4517 chan->num_conf_req++;
4518 }
4519 } else {
4520 /* Outgoing channel on AMP */
4521 if (result == L2CAP_CR_SUCCESS) {
4522 chan->local_amp_id = local_amp_id;
4523 l2cap_send_create_chan_req(chan, remote_amp_id);
4524 } else {
4525 /* Revert to BR/EDR connect */
4526 l2cap_send_conn_req(chan);
4527 }
4528 }
4529}
4530
4531static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4532 u8 remote_amp_id)
4533{
4534 l2cap_move_setup(chan);
4535 chan->move_id = local_amp_id;
4536 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4537
4538 l2cap_send_move_chan_req(chan, remote_amp_id);
4539}
4540
4541static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4542{
4543 struct hci_chan *hchan = NULL;
4544
4545 /* Placeholder - get hci_chan for logical link */
4546
4547 if (hchan) {
4548 if (hchan->state == BT_CONNECTED) {
4549 /* Logical link is ready to go */
4550 chan->hs_hcon = hchan->conn;
4551 chan->hs_hcon->l2cap_data = chan->conn;
4552 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4553 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4554
4555 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4556 } else {
4557 /* Wait for logical link to be ready */
4558 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4559 }
4560 } else {
4561 /* Logical link not available */
4562 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4563 }
4564}
4565
4566static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4567{
4568 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4569 u8 rsp_result;
4570 if (result == -EINVAL)
4571 rsp_result = L2CAP_MR_BAD_ID;
4572 else
4573 rsp_result = L2CAP_MR_NOT_ALLOWED;
4574
4575 l2cap_send_move_chan_rsp(chan, rsp_result);
4576 }
4577
4578 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4579 chan->move_state = L2CAP_MOVE_STABLE;
4580
4581 /* Restart data transmission */
4582 l2cap_ertm_send(chan);
4583}
4584
770bfefa 4585void l2cap_physical_cfm(struct l2cap_chan *chan, int result)
8eb200bd 4586{
770bfefa
AE		 4587 u8 local_amp_id = chan->local_amp_id;
4588 u8 remote_amp_id = chan->ctrl_id;
4589
8eb200bd
MM		 4590 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4591 chan, result, local_amp_id, remote_amp_id);
4592
4593 l2cap_chan_lock(chan);
4594
4595 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4596 l2cap_chan_unlock(chan);
4597 return;
4598 }
4599
4600 if (chan->state != BT_CONNECTED) {
4601 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4602 } else if (result != L2CAP_MR_SUCCESS) {
4603 l2cap_do_move_cancel(chan, result);
4604 } else {
4605 switch (chan->move_role) {
4606 case L2CAP_MOVE_ROLE_INITIATOR:
4607 l2cap_do_move_initiate(chan, local_amp_id,
4608 remote_amp_id);
4609 break;
4610 case L2CAP_MOVE_ROLE_RESPONDER:
4611 l2cap_do_move_respond(chan, result);
4612 break;
4613 default:
4614 l2cap_do_move_cancel(chan, result);
4615 break;
4616 }
4617 }
4618
4619 l2cap_chan_unlock(chan);
4620}
4621
8d5a04a1 4622static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
ad0ac6ca
AE		 4623 struct l2cap_cmd_hdr *cmd,
4624 u16 cmd_len, void *data)
8d5a04a1
MM		 4625{
4626 struct l2cap_move_chan_req *req = data;
1500109b 4627 struct l2cap_move_chan_rsp rsp;
02b0fbb9 4628 struct l2cap_chan *chan;
8d5a04a1
MM		 4629 u16 icid = 0;
4630 u16 result = L2CAP_MR_NOT_ALLOWED;
4631
4632 if (cmd_len != sizeof(*req))
4633 return -EPROTO;
4634
4635 icid = le16_to_cpu(req->icid);
4636
ad0ac6ca 4637 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
8d5a04a1
MM		 4638
4639 if (!enable_hs)
4640 return -EINVAL;
4641
02b0fbb9
MM		 4642 chan = l2cap_get_chan_by_dcid(conn, icid);
4643 if (!chan) {
1500109b
MM		 4644 rsp.icid = cpu_to_le16(icid);
4645 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4646 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4647 sizeof(rsp), &rsp);
02b0fbb9
MM		 4648 return 0;
4649 }
4650
1500109b
MM		 4651 chan->ident = cmd->ident;
4652
02b0fbb9
MM		 4653 if (chan->scid < L2CAP_CID_DYN_START ||
4654 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4655 (chan->mode != L2CAP_MODE_ERTM &&
4656 chan->mode != L2CAP_MODE_STREAMING)) {
4657 result = L2CAP_MR_NOT_ALLOWED;
4658 goto send_move_response;
4659 }
4660
4661 if (chan->local_amp_id == req->dest_amp_id) {
4662 result = L2CAP_MR_SAME_ID;
4663 goto send_move_response;
4664 }
4665
4666 if (req->dest_amp_id) {
4667 struct hci_dev *hdev;
4668 hdev = hci_dev_get(req->dest_amp_id);
4669 if (!hdev || hdev->dev_type != HCI_AMP ||
4670 !test_bit(HCI_UP, &hdev->flags)) {
4671 if (hdev)
4672 hci_dev_put(hdev);
4673
4674 result = L2CAP_MR_BAD_ID;
4675 goto send_move_response;
4676 }
4677 hci_dev_put(hdev);
4678 }
4679
4680 /* Detect a move collision. Only send a collision response
4681 * if this side has "lost", otherwise proceed with the move.
4682 * The winner has the larger bd_addr.
4683 */
4684 if ((__chan_is_moving(chan) ||
4685 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4686 bacmp(conn->src, conn->dst) > 0) {
4687 result = L2CAP_MR_COLLISION;
4688 goto send_move_response;
4689 }
4690
02b0fbb9
MM		 4691 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4692 l2cap_move_setup(chan);
4693 chan->move_id = req->dest_amp_id;
4694 icid = chan->dcid;
4695
4696 if (!req->dest_amp_id) {
4697 /* Moving to BR/EDR */
4698 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4699 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4700 result = L2CAP_MR_PEND;
4701 } else {
4702 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4703 result = L2CAP_MR_SUCCESS;
4704 }
4705 } else {
4706 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4707 /* Placeholder - uncomment when amp functions are available */
4708 /*amp_accept_physical(chan, req->dest_amp_id);*/
4709 result = L2CAP_MR_PEND;
4710 }
4711
4712send_move_response:
1500109b 4713 l2cap_send_move_chan_rsp(chan, result);
8d5a04a1 4714
02b0fbb9
MM		 4715 l2cap_chan_unlock(chan);
4716
8d5a04a1
MM		 4717 return 0;
4718}
4719
5b155ef9
MM		 4720static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4721{
4722 struct l2cap_chan *chan;
4723 struct hci_chan *hchan = NULL;
4724
4725 chan = l2cap_get_chan_by_scid(conn, icid);
4726 if (!chan) {
4727 l2cap_send_move_chan_cfm_icid(conn, icid);
4728 return;
4729 }
4730
4731 __clear_chan_timer(chan);
4732 if (result == L2CAP_MR_PEND)
4733 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4734
4735 switch (chan->move_state) {
4736 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4737 /* Move confirm will be sent when logical link
4738 * is complete.
4739 */
4740 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4741 break;
4742 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4743 if (result == L2CAP_MR_PEND) {
4744 break;
4745 } else if (test_bit(CONN_LOCAL_BUSY,
4746 &chan->conn_state)) {
4747 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4748 } else {
4749 /* Logical link is up or moving to BR/EDR,
4750 * proceed with move
4751 */
4752 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4753 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4754 }
4755 break;
4756 case L2CAP_MOVE_WAIT_RSP:
4757 /* Moving to AMP */
4758 if (result == L2CAP_MR_SUCCESS) {
4759 /* Remote is ready, send confirm immediately
4760 * after logical link is ready
4761 */
4762 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4763 } else {
4764 /* Both logical link and move success
4765 * are required to confirm
4766 */
4767 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4768 }
4769
4770 /* Placeholder - get hci_chan for logical link */
4771 if (!hchan) {
4772 /* Logical link not available */
4773 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4774 break;
4775 }
4776
4777 /* If the logical link is not yet connected, do not
4778 * send confirmation.
4779 */
4780 if (hchan->state != BT_CONNECTED)
4781 break;
4782
4783 /* Logical link is already ready to go */
4784
4785 chan->hs_hcon = hchan->conn;
4786 chan->hs_hcon->l2cap_data = chan->conn;
4787
4788 if (result == L2CAP_MR_SUCCESS) {
4789 /* Can confirm now */
4790 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4791 } else {
4792 /* Now only need move success
4793 * to confirm
4794 */
4795 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4796 }
4797
4798 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4799 break;
4800 default:
4801 /* Any other amp move state means the move failed. */
4802 chan->move_id = chan->local_amp_id;
4803 l2cap_move_done(chan);
4804 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4805 }
4806
4807 l2cap_chan_unlock(chan);
4808}
4809
4810static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
4811 u16 result)
4812{
4813 struct l2cap_chan *chan;
4814
4815 chan = l2cap_get_chan_by_ident(conn, ident);
4816 if (!chan) {
4817 /* Could not locate channel, icid is best guess */
4818 l2cap_send_move_chan_cfm_icid(conn, icid);
4819 return;
4820 }
4821
4822 __clear_chan_timer(chan);
4823
4824 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4825 if (result == L2CAP_MR_COLLISION) {
4826 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4827 } else {
4828 /* Cleanup - cancel move */
4829 chan->move_id = chan->local_amp_id;
4830 l2cap_move_done(chan);
4831 }
4832 }
4833
4834 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4835
4836 l2cap_chan_unlock(chan);
4837}
4838
4839static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
4840 struct l2cap_cmd_hdr *cmd,
4841 u16 cmd_len, void *data)
8d5a04a1
MM		 4842{
4843 struct l2cap_move_chan_rsp *rsp = data;
4844 u16 icid, result;
4845
4846 if (cmd_len != sizeof(*rsp))
4847 return -EPROTO;
4848
4849 icid = le16_to_cpu(rsp->icid);
4850 result = le16_to_cpu(rsp->result);
4851
ad0ac6ca 4852 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4853
5b155ef9
MM		 4854 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
4855 l2cap_move_continue(conn, icid, result);
4856 else
4857 l2cap_move_fail(conn, cmd->ident, icid, result);
8d5a04a1
MM		 4858
4859 return 0;
4860}
4861
5f3847a4
MM		 4862static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
4863 struct l2cap_cmd_hdr *cmd,
4864 u16 cmd_len, void *data)
8d5a04a1
MM		 4865{
4866 struct l2cap_move_chan_cfm *cfm = data;
5f3847a4 4867 struct l2cap_chan *chan;
8d5a04a1
MM		 4868 u16 icid, result;
4869
4870 if (cmd_len != sizeof(*cfm))
4871 return -EPROTO;
4872
4873 icid = le16_to_cpu(cfm->icid);
4874 result = le16_to_cpu(cfm->result);
4875
ad0ac6ca 4876 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
8d5a04a1 4877
5f3847a4
MM		 4878 chan = l2cap_get_chan_by_dcid(conn, icid);
4879 if (!chan) {
4880 /* Spec requires a response even if the icid was not found */
4881 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4882 return 0;
4883 }
4884
4885 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
4886 if (result == L2CAP_MC_CONFIRMED) {
4887 chan->local_amp_id = chan->move_id;
4888 if (!chan->local_amp_id)
4889 __release_logical_link(chan);
4890 } else {
4891 chan->move_id = chan->local_amp_id;
4892 }
4893
4894 l2cap_move_done(chan);
4895 }
4896
8d5a04a1
MM		 4897 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
4898
5f3847a4
MM		 4899 l2cap_chan_unlock(chan);
4900
8d5a04a1
MM		 4901 return 0;
4902}
4903
4904static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
ad0ac6ca
AE		 4905 struct l2cap_cmd_hdr *cmd,
4906 u16 cmd_len, void *data)
8d5a04a1
MM		 4907{
4908 struct l2cap_move_chan_cfm_rsp *rsp = data;
3fd71a0a 4909 struct l2cap_chan *chan;
8d5a04a1
MM		 4910 u16 icid;
4911
4912 if (cmd_len != sizeof(*rsp))
4913 return -EPROTO;
4914
4915 icid = le16_to_cpu(rsp->icid);
4916
ad0ac6ca 4917 BT_DBG("icid 0x%4.4x", icid);
8d5a04a1 4918
3fd71a0a
MM		 4919 chan = l2cap_get_chan_by_scid(conn, icid);
4920 if (!chan)
4921 return 0;
4922
4923 __clear_chan_timer(chan);
4924
4925 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
4926 chan->local_amp_id = chan->move_id;
4927
4928 if (!chan->local_amp_id && chan->hs_hchan)
4929 __release_logical_link(chan);
4930
4931 l2cap_move_done(chan);
4932 }
4933
4934 l2cap_chan_unlock(chan);
4935
8d5a04a1
MM		 4936 return 0;
4937}
4938
e2174ca4 4939static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2d792818 4940 u16 to_multiplier)
de73115a
CT		 4941{
4942 u16 max_latency;
4943
4944 if (min > max || min < 6 || max > 3200)
4945 return -EINVAL;
4946
4947 if (to_multiplier < 10 || to_multiplier > 3200)
4948 return -EINVAL;
4949
4950 if (max >= to_multiplier * 8)
4951 return -EINVAL;
4952
4953 max_latency = (to_multiplier * 8 / max) - 1;
4954 if (latency > 499 || latency > max_latency)
4955 return -EINVAL;
4956
4957 return 0;
4958}
4959
4960static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
2d792818
GP		 4961 struct l2cap_cmd_hdr *cmd,
4962 u8 *data)
de73115a
CT		 4963{
4964 struct hci_conn *hcon = conn->hcon;
4965 struct l2cap_conn_param_update_req *req;
4966 struct l2cap_conn_param_update_rsp rsp;
4967 u16 min, max, latency, to_multiplier, cmd_len;
2ce603eb 4968 int err;
de73115a
CT		 4969
4970 if (!(hcon->link_mode & HCI_LM_MASTER))
4971 return -EINVAL;
4972
4973 cmd_len = __le16_to_cpu(cmd->len);
4974 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4975 return -EPROTO;
4976
4977 req = (struct l2cap_conn_param_update_req *) data;
e2174ca4
GP		 4978 min = __le16_to_cpu(req->min);
4979 max = __le16_to_cpu(req->max);
de73115a
CT		 4980 latency = __le16_to_cpu(req->latency);
4981 to_multiplier = __le16_to_cpu(req->to_multiplier);
4982
4983 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
2d792818 4984 min, max, latency, to_multiplier);
de73115a
CT		 4985
4986 memset(&rsp, 0, sizeof(rsp));
2ce603eb
CT		 4987
4988 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
4989 if (err)
ac73498c 4990 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
de73115a 4991 else
ac73498c 4992 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
de73115a
CT		 4993
4994 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
2d792818 4995 sizeof(rsp), &rsp);
de73115a 4996
2ce603eb
CT		 4997 if (!err)
4998 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
4999
de73115a
CT		 5000 return 0;
5001}
5002
3300d9a9 5003static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
2d792818
GP		 5004 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5005 u8 *data)
3300d9a9
CT		 5006{
5007 int err = 0;
5008
5009 switch (cmd->code) {
5010 case L2CAP_COMMAND_REJ:
5011 l2cap_command_rej(conn, cmd, data);
5012 break;
5013
5014 case L2CAP_CONN_REQ:
5015 err = l2cap_connect_req(conn, cmd, data);
5016 break;
5017
5018 case L2CAP_CONN_RSP:
f5a2598d 5019 case L2CAP_CREATE_CHAN_RSP:
5909cf30 5020 err = l2cap_connect_create_rsp(conn, cmd, data);
3300d9a9
CT		 5021 break;
5022
5023 case L2CAP_CONF_REQ:
5024 err = l2cap_config_req(conn, cmd, cmd_len, data);
5025 break;
5026
5027 case L2CAP_CONF_RSP:
5028 err = l2cap_config_rsp(conn, cmd, data);
5029 break;
5030
5031 case L2CAP_DISCONN_REQ:
5032 err = l2cap_disconnect_req(conn, cmd, data);
5033 break;
5034
5035 case L2CAP_DISCONN_RSP:
5036 err = l2cap_disconnect_rsp(conn, cmd, data);
5037 break;
5038
5039 case L2CAP_ECHO_REQ:
5040 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5041 break;
5042
5043 case L2CAP_ECHO_RSP:
5044 break;
5045
5046 case L2CAP_INFO_REQ:
5047 err = l2cap_information_req(conn, cmd, data);
5048 break;
5049
5050 case L2CAP_INFO_RSP:
5051 err = l2cap_information_rsp(conn, cmd, data);
5052 break;
5053
f94ff6ff
MM		 5054 case L2CAP_CREATE_CHAN_REQ:
5055 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5056 break;
5057
8d5a04a1
MM		 5058 case L2CAP_MOVE_CHAN_REQ:
5059 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5060 break;
5061
5062 case L2CAP_MOVE_CHAN_RSP:
5063 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5064 break;
5065
5066 case L2CAP_MOVE_CHAN_CFM:
5067 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5068 break;
5069
5070 case L2CAP_MOVE_CHAN_CFM_RSP:
5071 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5072 break;
5073
3300d9a9
CT		 5074 default:
5075 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5076 err = -EINVAL;
5077 break;
5078 }
5079
5080 return err;
5081}
5082
5083static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
2d792818 5084 struct l2cap_cmd_hdr *cmd, u8 *data)
3300d9a9
CT		 5085{
5086 switch (cmd->code) {
5087 case L2CAP_COMMAND_REJ:
5088 return 0;
5089
5090 case L2CAP_CONN_PARAM_UPDATE_REQ:
de73115a 5091 return l2cap_conn_param_update_req(conn, cmd, data);
3300d9a9
CT		 5092
5093 case L2CAP_CONN_PARAM_UPDATE_RSP:
5094 return 0;
5095
5096 default:
5097 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5098 return -EINVAL;
5099 }
5100}
5101
5102static inline void l2cap_sig_channel(struct l2cap_conn *conn,
2d792818 5103 struct sk_buff *skb)
1da177e4
LT		 5104{
5105 u8 *data = skb->data;
5106 int len = skb->len;
5107 struct l2cap_cmd_hdr cmd;
3300d9a9 5108 int err;
1da177e4
LT		 5109
5110 l2cap_raw_recv(conn, skb);
5111
5112 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 5113 u16 cmd_len;
1da177e4
LT		 5114 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5115 data += L2CAP_CMD_HDR_SIZE;
5116 len -= L2CAP_CMD_HDR_SIZE;
5117
88219a0f 5118 cmd_len = le16_to_cpu(cmd.len);
1da177e4 5119
2d792818
GP		 5120 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5121 cmd.ident);
1da177e4 5122
88219a0f 5123 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 5124 BT_DBG("corrupted command");
5125 break;
5126 }
5127
3300d9a9
CT		 5128 if (conn->hcon->type == LE_LINK)
5129 err = l2cap_le_sig_cmd(conn, &cmd, data);
5130 else
5131 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
1da177e4
LT		 5132
5133 if (err) {
e2fd318e 5134 struct l2cap_cmd_rej_unk rej;
2c6d1a2e
GP		 5135
5136 BT_ERR("Wrong link type (%d)", err);
1da177e4
LT		 5137
5138 /* FIXME: Map err to a valid reason */
ac73498c 5139 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
2d792818
GP		 5140 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5141 sizeof(rej), &rej);
1da177e4
LT		 5142 }
5143
88219a0f
AV		 5144 data += cmd_len;
5145 len -= cmd_len;
1da177e4
LT		 5146 }
5147
5148 kfree_skb(skb);
5149}
5150
47d1ec61 5151static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
fcc203c3
GP		 5152{
5153 u16 our_fcs, rcv_fcs;
e4ca6d98
AE		 5154 int hdr_size;
5155
5156 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5157 hdr_size = L2CAP_EXT_HDR_SIZE;
5158 else
5159 hdr_size = L2CAP_ENH_HDR_SIZE;
fcc203c3 5160
47d1ec61 5161 if (chan->fcs == L2CAP_FCS_CRC16) {
03a51213 5162 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
fcc203c3
GP		 5163 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5164 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5165
5166 if (our_fcs != rcv_fcs)
7a560e5c 5167 return -EBADMSG;
fcc203c3
GP		 5168 }
5169 return 0;
5170}
5171
6ea00485 5172static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
d5392c8f 5173{
e31f7633 5174 struct l2cap_ctrl control;
d5392c8f 5175
e31f7633 5176 BT_DBG("chan %p", chan);
d5392c8f 5177
e31f7633
MM		 5178 memset(&control, 0, sizeof(control));
5179 control.sframe = 1;
5180 control.final = 1;
5181 control.reqseq = chan->buffer_seq;
5182 set_bit(CONN_SEND_FBIT, &chan->conn_state);
d5392c8f 5183
e2ab4353 5184 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
e31f7633
MM		 5185 control.super = L2CAP_SUPER_RNR;
5186 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5187 }
5188
e31f7633
MM		 5189 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5190 chan->unacked_frames > 0)
5191 __set_retrans_timer(chan);
d5392c8f 5192
e31f7633 5193 /* Send pending iframes */
525cd185 5194 l2cap_ertm_send(chan);
d5392c8f 5195
e2ab4353 5196 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
e31f7633
MM		 5197 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5198 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5199 * send it now.
5200 */
5201 control.super = L2CAP_SUPER_RR;
5202 l2cap_send_sframe(chan, &control);
d5392c8f
GP		 5203 }
5204}
5205
2d792818
GP		 5206static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5207 struct sk_buff **last_frag)
18778a63 5208{
84084a31
MM		 5209 /* skb->len reflects data in skb as well as all fragments
5210 * skb->data_len reflects only data in fragments
5211 */
5212 if (!skb_has_frag_list(skb))
5213 skb_shinfo(skb)->frag_list = new_frag;
5214
5215 new_frag->next = NULL;
5216
5217 (*last_frag)->next = new_frag;
5218 *last_frag = new_frag;
5219
5220 skb->len += new_frag->len;
5221 skb->data_len += new_frag->len;
5222 skb->truesize += new_frag->truesize;
5223}
5224
4b51dae9
MM		 5225static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5226 struct l2cap_ctrl *control)
84084a31
MM		 5227{
5228 int err = -EINVAL;
18778a63 5229
4b51dae9 5230 switch (control->sar) {
7e0ef6ee 5231 case L2CAP_SAR_UNSEGMENTED:
84084a31
MM		 5232 if (chan->sdu)
5233 break;
18778a63 5234
80b98027 5235 err = chan->ops->recv(chan, skb);
84084a31 5236 break;
18778a63 5237
7e0ef6ee 5238 case L2CAP_SAR_START:
84084a31
MM		 5239 if (chan->sdu)
5240 break;
18778a63 5241
6f61fd47 5242 chan->sdu_len = get_unaligned_le16(skb->data);
03a51213 5243 skb_pull(skb, L2CAP_SDULEN_SIZE);
18778a63 5244
84084a31
MM		 5245 if (chan->sdu_len > chan->imtu) {
5246 err = -EMSGSIZE;
5247 break;
5248 }
1890d36b 5249
84084a31
MM		 5250 if (skb->len >= chan->sdu_len)
5251 break;
18778a63 5252
84084a31
MM		 5253 chan->sdu = skb;
5254 chan->sdu_last_frag = skb;
18778a63 5255
84084a31
MM		 5256 skb = NULL;
5257 err = 0;
18778a63
GP		 5258 break;
5259
7e0ef6ee 5260 case L2CAP_SAR_CONTINUE:
6f61fd47 5261 if (!chan->sdu)
84084a31 5262 break;
18778a63 5263
84084a31
MM		 5264 append_skb_frag(chan->sdu, skb,
5265 &chan->sdu_last_frag);
5266 skb = NULL;
18778a63 5267
84084a31
MM		 5268 if (chan->sdu->len >= chan->sdu_len)
5269 break;
4178ba46 5270
84084a31 5271 err = 0;
18778a63
GP		 5272 break;
5273
7e0ef6ee 5274 case L2CAP_SAR_END:
6f61fd47 5275 if (!chan->sdu)
84084a31 5276 break;
18778a63 5277
84084a31
MM		 5278 append_skb_frag(chan->sdu, skb,
5279 &chan->sdu_last_frag);
5280 skb = NULL;
4178ba46 5281
84084a31
MM		 5282 if (chan->sdu->len != chan->sdu_len)
5283 break;
18778a63 5284
80b98027 5285 err = chan->ops->recv(chan, chan->sdu);
1890d36b 5286
84084a31
MM		 5287 if (!err) {
5288 /* Reassembly complete */
5289 chan->sdu = NULL;
5290 chan->sdu_last_frag = NULL;
5291 chan->sdu_len = 0;
1890d36b 5292 }
18778a63
GP		 5293 break;
5294 }
5295
84084a31
MM		 5296 if (err) {
5297 kfree_skb(skb);
5298 kfree_skb(chan->sdu);
5299 chan->sdu = NULL;
5300 chan->sdu_last_frag = NULL;
5301 chan->sdu_len = 0;
5302 }
18778a63 5303
84084a31 5304 return err;
18778a63
GP		 5305}
5306
32b32735
MM		 5307static int l2cap_resegment(struct l2cap_chan *chan)
5308{
5309 /* Placeholder */
5310 return 0;
5311}
5312
61aa4f5b 5313void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
26f880d2 5314{
61aa4f5b 5315 u8 event;
712132eb 5316
61aa4f5b
MM		 5317 if (chan->mode != L2CAP_MODE_ERTM)
5318 return;
712132eb 5319
61aa4f5b 5320 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
401bb1f7 5321 l2cap_tx(chan, NULL, NULL, event);
1890d36b
GP		 5322}
5323
d2a7ac5d
MM		 5324static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5325{
63838725
MM		 5326 int err = 0;
5327 /* Pass sequential frames to l2cap_reassemble_sdu()
5328 * until a gap is encountered.
5329 */
5330
5331 BT_DBG("chan %p", chan);
5332
5333 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5334 struct sk_buff *skb;
5335 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5336 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5337
5338 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5339
5340 if (!skb)
5341 break;
5342
5343 skb_unlink(skb, &chan->srej_q);
5344 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5345 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5346 if (err)
5347 break;
5348 }
5349
5350 if (skb_queue_empty(&chan->srej_q)) {
5351 chan->rx_state = L2CAP_RX_STATE_RECV;
5352 l2cap_send_ack(chan);
5353 }
5354
5355 return err;
d2a7ac5d
MM		 5356}
5357
5358static void l2cap_handle_srej(struct l2cap_chan *chan,
5359 struct l2cap_ctrl *control)
5360{
f80842a8
MM		 5361 struct sk_buff *skb;
5362
5363 BT_DBG("chan %p, control %p", chan, control);
5364
5365 if (control->reqseq == chan->next_tx_seq) {
5366 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5367 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5368 return;
5369 }
5370
5371 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5372
5373 if (skb == NULL) {
5374 BT_DBG("Seq %d not available for retransmission",
5375 control->reqseq);
5376 return;
5377 }
5378
5379 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5380 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5381 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5382 return;
5383 }
5384
5385 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5386
5387 if (control->poll) {
5388 l2cap_pass_to_tx(chan, control);
5389
5390 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5391 l2cap_retransmit(chan, control);
5392 l2cap_ertm_send(chan);
5393
5394 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5395 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5396 chan->srej_save_reqseq = control->reqseq;
5397 }
5398 } else {
5399 l2cap_pass_to_tx_fbit(chan, control);
5400
5401 if (control->final) {
5402 if (chan->srej_save_reqseq != control->reqseq ||
5403 !test_and_clear_bit(CONN_SREJ_ACT,
5404 &chan->conn_state))
5405 l2cap_retransmit(chan, control);
5406 } else {
5407 l2cap_retransmit(chan, control);
5408 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5409 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5410 chan->srej_save_reqseq = control->reqseq;
5411 }
5412 }
5413 }
d2a7ac5d
MM		 5414}
5415
5416static void l2cap_handle_rej(struct l2cap_chan *chan,
5417 struct l2cap_ctrl *control)
5418{
fcd289df
MM		 5419 struct sk_buff *skb;
5420
5421 BT_DBG("chan %p, control %p", chan, control);
5422
5423 if (control->reqseq == chan->next_tx_seq) {
5424 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5425 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5426 return;
5427 }
5428
5429 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5430
5431 if (chan->max_tx && skb &&
5432 bt_cb(skb)->control.retries >= chan->max_tx) {
5433 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5434 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5435 return;
5436 }
5437
5438 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5439
5440 l2cap_pass_to_tx(chan, control);
5441
5442 if (control->final) {
5443 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5444 l2cap_retransmit_all(chan, control);
5445 } else {
5446 l2cap_retransmit_all(chan, control);
5447 l2cap_ertm_send(chan);
5448 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5449 set_bit(CONN_REJ_ACT, &chan->conn_state);
5450 }
d2a7ac5d
MM		 5451}
5452
4b51dae9
MM		 5453static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5454{
5455 BT_DBG("chan %p, txseq %d", chan, txseq);
5456
5457 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5458 chan->expected_tx_seq);
5459
5460 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5461 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
2d792818 5462 chan->tx_win) {
4b51dae9
MM		 5463 /* See notes below regarding "double poll" and
5464 * invalid packets.
5465 */
5466 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5467 BT_DBG("Invalid/Ignore - after SREJ");
5468 return L2CAP_TXSEQ_INVALID_IGNORE;
5469 } else {
5470 BT_DBG("Invalid - in window after SREJ sent");
5471 return L2CAP_TXSEQ_INVALID;
5472 }
5473 }
5474
5475 if (chan->srej_list.head == txseq) {
5476 BT_DBG("Expected SREJ");
5477 return L2CAP_TXSEQ_EXPECTED_SREJ;
5478 }
5479
5480 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5481 BT_DBG("Duplicate SREJ - txseq already stored");
5482 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5483 }
5484
5485 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5486 BT_DBG("Unexpected SREJ - not requested");
5487 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5488 }
5489 }
5490
5491 if (chan->expected_tx_seq == txseq) {
5492 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5493 chan->tx_win) {
5494 BT_DBG("Invalid - txseq outside tx window");
5495 return L2CAP_TXSEQ_INVALID;
5496 } else {
5497 BT_DBG("Expected");
5498 return L2CAP_TXSEQ_EXPECTED;
5499 }
5500 }
5501
5502 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
2d792818 5503 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
4b51dae9
MM		 5504 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5505 return L2CAP_TXSEQ_DUPLICATE;
5506 }
5507
5508 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5509 /* A source of invalid packets is a "double poll" condition,
5510 * where delays cause us to send multiple poll packets. If
5511 * the remote stack receives and processes both polls,
5512 * sequence numbers can wrap around in such a way that a
5513 * resent frame has a sequence number that looks like new data
5514 * with a sequence gap. This would trigger an erroneous SREJ
5515 * request.
5516 *
5517 * Fortunately, this is impossible with a tx window that's
5518 * less than half of the maximum sequence number, which allows
5519 * invalid frames to be safely ignored.
5520 *
5521 * With tx window sizes greater than half of the tx window
5522 * maximum, the frame is invalid and cannot be ignored. This
5523 * causes a disconnect.
5524 */
5525
5526 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5527 BT_DBG("Invalid/Ignore - txseq outside tx window");
5528 return L2CAP_TXSEQ_INVALID_IGNORE;
5529 } else {
5530 BT_DBG("Invalid - txseq outside tx window");
5531 return L2CAP_TXSEQ_INVALID;
5532 }
5533 } else {
5534 BT_DBG("Unexpected - txseq indicates missing frames");
5535 return L2CAP_TXSEQ_UNEXPECTED;
5536 }
5537}
5538
d2a7ac5d
MM		 5539static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5540 struct l2cap_ctrl *control,
5541 struct sk_buff *skb, u8 event)
5542{
5543 int err = 0;
5544 bool skb_in_use = 0;
5545
5546 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5547 event);
5548
5549 switch (event) {
5550 case L2CAP_EV_RECV_IFRAME:
5551 switch (l2cap_classify_txseq(chan, control->txseq)) {
5552 case L2CAP_TXSEQ_EXPECTED:
5553 l2cap_pass_to_tx(chan, control);
5554
5555 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5556 BT_DBG("Busy, discarding expected seq %d",
5557 control->txseq);
5558 break;
5559 }
5560
5561 chan->expected_tx_seq = __next_seq(chan,
5562 control->txseq);
5563
5564 chan->buffer_seq = chan->expected_tx_seq;
5565 skb_in_use = 1;
5566
5567 err = l2cap_reassemble_sdu(chan, skb, control);
5568 if (err)
5569 break;
5570
5571 if (control->final) {
5572 if (!test_and_clear_bit(CONN_REJ_ACT,
5573 &chan->conn_state)) {
5574 control->final = 0;
5575 l2cap_retransmit_all(chan, control);
5576 l2cap_ertm_send(chan);
5577 }
5578 }
5579
5580 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5581 l2cap_send_ack(chan);
5582 break;
5583 case L2CAP_TXSEQ_UNEXPECTED:
5584 l2cap_pass_to_tx(chan, control);
5585
5586 /* Can't issue SREJ frames in the local busy state.
5587 * Drop this frame, it will be seen as missing
5588 * when local busy is exited.
5589 */
5590 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5591 BT_DBG("Busy, discarding unexpected seq %d",
5592 control->txseq);
5593 break;
5594 }
5595
5596 /* There was a gap in the sequence, so an SREJ
5597 * must be sent for each missing frame. The
5598 * current frame is stored for later use.
5599 */
5600 skb_queue_tail(&chan->srej_q, skb);
5601 skb_in_use = 1;
5602 BT_DBG("Queued %p (queue len %d)", skb,
5603 skb_queue_len(&chan->srej_q));
5604
5605 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5606 l2cap_seq_list_clear(&chan->srej_list);
5607 l2cap_send_srej(chan, control->txseq);
5608
5609 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5610 break;
5611 case L2CAP_TXSEQ_DUPLICATE:
5612 l2cap_pass_to_tx(chan, control);
5613 break;
5614 case L2CAP_TXSEQ_INVALID_IGNORE:
5615 break;
5616 case L2CAP_TXSEQ_INVALID:
5617 default:
5618 l2cap_send_disconn_req(chan->conn, chan,
5619 ECONNRESET);
5620 break;
5621 }
5622 break;
5623 case L2CAP_EV_RECV_RR:
5624 l2cap_pass_to_tx(chan, control);
5625 if (control->final) {
5626 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5627
e6a3ee6e
MM		 5628 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5629 !__chan_is_moving(chan)) {
d2a7ac5d
MM		 5630 control->final = 0;
5631 l2cap_retransmit_all(chan, control);
5632 }
5633
5634 l2cap_ertm_send(chan);
5635 } else if (control->poll) {
5636 l2cap_send_i_or_rr_or_rnr(chan);
5637 } else {
5638 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5639 &chan->conn_state) &&
5640 chan->unacked_frames)
5641 __set_retrans_timer(chan);
5642
5643 l2cap_ertm_send(chan);
5644 }
5645 break;
5646 case L2CAP_EV_RECV_RNR:
5647 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5648 l2cap_pass_to_tx(chan, control);
5649 if (control && control->poll) {
5650 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5651 l2cap_send_rr_or_rnr(chan, 0);
5652 }
5653 __clear_retrans_timer(chan);
5654 l2cap_seq_list_clear(&chan->retrans_list);
5655 break;
5656 case L2CAP_EV_RECV_REJ:
5657 l2cap_handle_rej(chan, control);
5658 break;
5659 case L2CAP_EV_RECV_SREJ:
5660 l2cap_handle_srej(chan, control);
5661 break;
5662 default:
5663 break;
5664 }
5665
5666 if (skb && !skb_in_use) {
5667 BT_DBG("Freeing %p", skb);
5668 kfree_skb(skb);
5669 }
5670
5671 return err;
5672}
5673
5674static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5675 struct l2cap_ctrl *control,
5676 struct sk_buff *skb, u8 event)
5677{
5678 int err = 0;
5679 u16 txseq = control->txseq;
5680 bool skb_in_use = 0;
5681
5682 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5683 event);
5684
5685 switch (event) {
5686 case L2CAP_EV_RECV_IFRAME:
5687 switch (l2cap_classify_txseq(chan, txseq)) {
5688 case L2CAP_TXSEQ_EXPECTED:
5689 /* Keep frame for reassembly later */
5690 l2cap_pass_to_tx(chan, control);
5691 skb_queue_tail(&chan->srej_q, skb);
5692 skb_in_use = 1;
5693 BT_DBG("Queued %p (queue len %d)", skb,
5694 skb_queue_len(&chan->srej_q));
5695
5696 chan->expected_tx_seq = __next_seq(chan, txseq);
5697 break;
5698 case L2CAP_TXSEQ_EXPECTED_SREJ:
5699 l2cap_seq_list_pop(&chan->srej_list);
5700
5701 l2cap_pass_to_tx(chan, control);
5702 skb_queue_tail(&chan->srej_q, skb);
5703 skb_in_use = 1;
5704 BT_DBG("Queued %p (queue len %d)", skb,
5705 skb_queue_len(&chan->srej_q));
5706
5707 err = l2cap_rx_queued_iframes(chan);
5708 if (err)
5709 break;
5710
5711 break;
5712 case L2CAP_TXSEQ_UNEXPECTED:
5713 /* Got a frame that can't be reassembled yet.
5714 * Save it for later, and send SREJs to cover
5715 * the missing frames.
5716 */
5717 skb_queue_tail(&chan->srej_q, skb);
5718 skb_in_use = 1;
5719 BT_DBG("Queued %p (queue len %d)", skb,
5720 skb_queue_len(&chan->srej_q));
5721
5722 l2cap_pass_to_tx(chan, control);
5723 l2cap_send_srej(chan, control->txseq);
5724 break;
5725 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5726 /* This frame was requested with an SREJ, but
5727 * some expected retransmitted frames are
5728 * missing. Request retransmission of missing
5729 * SREJ'd frames.
5730 */
5731 skb_queue_tail(&chan->srej_q, skb);
5732 skb_in_use = 1;
5733 BT_DBG("Queued %p (queue len %d)", skb,
5734 skb_queue_len(&chan->srej_q));
5735
5736 l2cap_pass_to_tx(chan, control);
5737 l2cap_send_srej_list(chan, control->txseq);
5738 break;
5739 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5740 /* We've already queued this frame. Drop this copy. */
5741 l2cap_pass_to_tx(chan, control);
5742 break;
5743 case L2CAP_TXSEQ_DUPLICATE:
5744 /* Expecting a later sequence number, so this frame
5745 * was already received. Ignore it completely.
5746 */
5747 break;
5748 case L2CAP_TXSEQ_INVALID_IGNORE:
5749 break;
5750 case L2CAP_TXSEQ_INVALID:
5751 default:
5752 l2cap_send_disconn_req(chan->conn, chan,
5753 ECONNRESET);
5754 break;
5755 }
5756 break;
5757 case L2CAP_EV_RECV_RR:
5758 l2cap_pass_to_tx(chan, control);
5759 if (control->final) {
5760 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5761
5762 if (!test_and_clear_bit(CONN_REJ_ACT,
5763 &chan->conn_state)) {
5764 control->final = 0;
5765 l2cap_retransmit_all(chan, control);
5766 }
5767
5768 l2cap_ertm_send(chan);
5769 } else if (control->poll) {
5770 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5771 &chan->conn_state) &&
5772 chan->unacked_frames) {
5773 __set_retrans_timer(chan);
5774 }
5775
5776 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5777 l2cap_send_srej_tail(chan);
5778 } else {
5779 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5780 &chan->conn_state) &&
5781 chan->unacked_frames)
5782 __set_retrans_timer(chan);
5783
5784 l2cap_send_ack(chan);
5785 }
5786 break;
5787 case L2CAP_EV_RECV_RNR:
5788 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5789 l2cap_pass_to_tx(chan, control);
5790 if (control->poll) {
5791 l2cap_send_srej_tail(chan);
5792 } else {
5793 struct l2cap_ctrl rr_control;
5794 memset(&rr_control, 0, sizeof(rr_control));
5795 rr_control.sframe = 1;
5796 rr_control.super = L2CAP_SUPER_RR;
5797 rr_control.reqseq = chan->buffer_seq;
5798 l2cap_send_sframe(chan, &rr_control);
5799 }
5800
5801 break;
5802 case L2CAP_EV_RECV_REJ:
5803 l2cap_handle_rej(chan, control);
5804 break;
5805 case L2CAP_EV_RECV_SREJ:
5806 l2cap_handle_srej(chan, control);
5807 break;
5808 }
5809
5810 if (skb && !skb_in_use) {
5811 BT_DBG("Freeing %p", skb);
5812 kfree_skb(skb);
5813 }
5814
5815 return err;
5816}
5817
32b32735
MM		 5818static int l2cap_finish_move(struct l2cap_chan *chan)
5819{
5820 BT_DBG("chan %p", chan);
5821
5822 chan->rx_state = L2CAP_RX_STATE_RECV;
5823
5824 if (chan->hs_hcon)
5825 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5826 else
5827 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5828
5829 return l2cap_resegment(chan);
5830}
5831
5832static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
5833 struct l2cap_ctrl *control,
5834 struct sk_buff *skb, u8 event)
5835{
5836 int err;
5837
5838 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5839 event);
5840
5841 if (!control->poll)
5842 return -EPROTO;
5843
5844 l2cap_process_reqseq(chan, control->reqseq);
5845
5846 if (!skb_queue_empty(&chan->tx_q))
5847 chan->tx_send_head = skb_peek(&chan->tx_q);
5848 else
5849 chan->tx_send_head = NULL;
5850
5851 /* Rewind next_tx_seq to the point expected
5852 * by the receiver.
5853 */
5854 chan->next_tx_seq = control->reqseq;
5855 chan->unacked_frames = 0;
5856
5857 err = l2cap_finish_move(chan);
5858 if (err)
5859 return err;
5860
5861 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5862 l2cap_send_i_or_rr_or_rnr(chan);
5863
5864 if (event == L2CAP_EV_RECV_IFRAME)
5865 return -EPROTO;
5866
5867 return l2cap_rx_state_recv(chan, control, NULL, event);
5868}
5869
5870static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
5871 struct l2cap_ctrl *control,
5872 struct sk_buff *skb, u8 event)
5873{
5874 int err;
5875
5876 if (!control->final)
5877 return -EPROTO;
5878
5879 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5880
5881 chan->rx_state = L2CAP_RX_STATE_RECV;
5882 l2cap_process_reqseq(chan, control->reqseq);
5883
5884 if (!skb_queue_empty(&chan->tx_q))
5885 chan->tx_send_head = skb_peek(&chan->tx_q);
5886 else
5887 chan->tx_send_head = NULL;
5888
5889 /* Rewind next_tx_seq to the point expected
5890 * by the receiver.
5891 */
5892 chan->next_tx_seq = control->reqseq;
5893 chan->unacked_frames = 0;
5894
5895 if (chan->hs_hcon)
5896 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
5897 else
5898 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
5899
5900 err = l2cap_resegment(chan);
5901
5902 if (!err)
5903 err = l2cap_rx_state_recv(chan, control, skb, event);
5904
5905 return err;
5906}
5907
d2a7ac5d
MM		 5908static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
5909{
5910 /* Make sure reqseq is for a packet that has been sent but not acked */
5911 u16 unacked;
5912
5913 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
5914 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
5915}
5916
cec8ab6e
MM		 5917static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5918 struct sk_buff *skb, u8 event)
218bb9df 5919{
d2a7ac5d
MM		 5920 int err = 0;
5921
5922 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
5923 control, skb, event, chan->rx_state);
5924
5925 if (__valid_reqseq(chan, control->reqseq)) {
5926 switch (chan->rx_state) {
5927 case L2CAP_RX_STATE_RECV:
5928 err = l2cap_rx_state_recv(chan, control, skb, event);
5929 break;
5930 case L2CAP_RX_STATE_SREJ_SENT:
5931 err = l2cap_rx_state_srej_sent(chan, control, skb,
5932 event);
5933 break;
32b32735
MM		 5934 case L2CAP_RX_STATE_WAIT_P:
5935 err = l2cap_rx_state_wait_p(chan, control, skb, event);
5936 break;
5937 case L2CAP_RX_STATE_WAIT_F:
5938 err = l2cap_rx_state_wait_f(chan, control, skb, event);
5939 break;
d2a7ac5d
MM		 5940 default:
5941 /* shut it down */
5942 break;
5943 }
5944 } else {
5945 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
5946 control->reqseq, chan->next_tx_seq,
5947 chan->expected_ack_seq);
5948 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
5949 }
5950
5951 return err;
cec8ab6e
MM		 5952}
5953
5954static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
5955 struct sk_buff *skb)
5956{
4b51dae9
MM		 5957 int err = 0;
5958
5959 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
5960 chan->rx_state);
5961
5962 if (l2cap_classify_txseq(chan, control->txseq) ==
5963 L2CAP_TXSEQ_EXPECTED) {
5964 l2cap_pass_to_tx(chan, control);
5965
5966 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
5967 __next_seq(chan, chan->buffer_seq));
5968
5969 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5970
5971 l2cap_reassemble_sdu(chan, skb, control);
5972 } else {
5973 if (chan->sdu) {
5974 kfree_skb(chan->sdu);
5975 chan->sdu = NULL;
5976 }
5977 chan->sdu_last_frag = NULL;
5978 chan->sdu_len = 0;
5979
5980 if (skb) {
5981 BT_DBG("Freeing %p", skb);
5982 kfree_skb(skb);
5983 }
5984 }
5985
5986 chan->last_acked_seq = control->txseq;
5987 chan->expected_tx_seq = __next_seq(chan, control->txseq);
5988
5989 return err;
cec8ab6e
MM		 5990}
5991
5992static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
5993{
5994 struct l2cap_ctrl *control = &bt_cb(skb)->control;
5995 u16 len;
5996 u8 event;
218bb9df 5997
b76bbd66
MM		 5998 __unpack_control(chan, skb);
5999
218bb9df
GP		 6000 len = skb->len;
6001
6002 /*
6003 * We can just drop the corrupted I-frame here.
6004 * Receiver will miss it and start proper recovery
cec8ab6e 6005 * procedures and ask for retransmission.
218bb9df 6006 */
47d1ec61 6007 if (l2cap_check_fcs(chan, skb))
218bb9df
GP		 6008 goto drop;
6009
cec8ab6e 6010 if (!control->sframe && control->sar == L2CAP_SAR_START)
03a51213 6011 len -= L2CAP_SDULEN_SIZE;
218bb9df 6012
47d1ec61 6013 if (chan->fcs == L2CAP_FCS_CRC16)
03a51213 6014 len -= L2CAP_FCS_SIZE;
218bb9df 6015
47d1ec61 6016 if (len > chan->mps) {
8c1d787b 6017 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 6018 goto drop;
6019 }
6020
cec8ab6e
MM		 6021 if (!control->sframe) {
6022 int err;
218bb9df 6023
cec8ab6e
MM		 6024 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6025 control->sar, control->reqseq, control->final,
6026 control->txseq);
218bb9df 6027
cec8ab6e
MM		 6028 /* Validate F-bit - F=0 always valid, F=1 only
6029 * valid in TX WAIT_F
6030 */
6031 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
218bb9df 6032 goto drop;
cec8ab6e
MM		 6033
6034 if (chan->mode != L2CAP_MODE_STREAMING) {
6035 event = L2CAP_EV_RECV_IFRAME;
6036 err = l2cap_rx(chan, control, skb, event);
6037 } else {
6038 err = l2cap_stream_rx(chan, control, skb);
218bb9df
GP		 6039 }
6040
cec8ab6e
MM		 6041 if (err)
6042 l2cap_send_disconn_req(chan->conn, chan,
6043 ECONNRESET);
218bb9df 6044 } else {
cec8ab6e
MM		 6045 const u8 rx_func_to_event[4] = {
6046 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6047 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6048 };
6049
6050 /* Only I-frames are expected in streaming mode */
6051 if (chan->mode == L2CAP_MODE_STREAMING)
6052 goto drop;
6053
6054 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6055 control->reqseq, control->final, control->poll,
6056 control->super);
6057
218bb9df
GP		 6058 if (len != 0) {
6059 BT_ERR("%d", len);
8c1d787b 6060 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 6061 goto drop;
6062 }
6063
cec8ab6e
MM		 6064 /* Validate F and P bits */
6065 if (control->final && (control->poll ||
6066 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6067 goto drop;
6068
6069 event = rx_func_to_event[control->super];
6070 if (l2cap_rx(chan, control, skb, event))
6071 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
218bb9df
GP		 6072 }
6073
6074 return 0;
6075
6076drop:
6077 kfree_skb(skb);
6078 return 0;
6079}
6080
13ca56e0
AE		 6081static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6082 struct sk_buff *skb)
1da177e4 6083{
48454079 6084 struct l2cap_chan *chan;
1da177e4 6085
baa7e1fa 6086 chan = l2cap_get_chan_by_scid(conn, cid);
48454079 6087 if (!chan) {
97e8e89d
AE		 6088 if (cid == L2CAP_CID_A2MP) {
6089 chan = a2mp_channel_create(conn, skb);
6090 if (!chan) {
6091 kfree_skb(skb);
13ca56e0 6092 return;
97e8e89d
AE		 6093 }
6094
6095 l2cap_chan_lock(chan);
6096 } else {
6097 BT_DBG("unknown cid 0x%4.4x", cid);
6098 /* Drop packet and return */
6099 kfree_skb(skb);
13ca56e0 6100 return;
97e8e89d 6101 }
1da177e4
LT		 6102 }
6103
49208c9c 6104 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6105
89bc500e 6106 if (chan->state != BT_CONNECTED)
1da177e4
LT		 6107 goto drop;
6108
0c1bc5c6 6109 switch (chan->mode) {
1c2acffb
GP		 6110 case L2CAP_MODE_BASIC:
6111 /* If socket recv buffers overflows we drop data here
6112 * which is *bad* because L2CAP has to be reliable.
6113 * But we don't have any other choice. L2CAP doesn't
6114 * provide flow control mechanism. */
1da177e4 6115
0c1bc5c6 6116 if (chan->imtu < skb->len)
1c2acffb 6117 goto drop;
1da177e4 6118
80b98027 6119 if (!chan->ops->recv(chan, skb))
1c2acffb
GP		 6120 goto done;
6121 break;
6122
6123 case L2CAP_MODE_ERTM:
6840ed07 6124 case L2CAP_MODE_STREAMING:
cec8ab6e 6125 l2cap_data_rcv(chan, skb);
6840ed07
GP		 6126 goto done;
6127
1c2acffb 6128 default:
0c1bc5c6 6129 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
1c2acffb
GP		 6130 break;
6131 }
1da177e4
LT		 6132
6133drop:
6134 kfree_skb(skb);
6135
6136done:
6be36555 6137 l2cap_chan_unlock(chan);
1da177e4
LT		 6138}
6139
84104b24
AE		 6140static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6141 struct sk_buff *skb)
1da177e4 6142{
23691d75 6143 struct l2cap_chan *chan;
1da177e4 6144
c2287681 6145 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
23691d75 6146 if (!chan)
1da177e4
LT		 6147 goto drop;
6148
5b4cedaa 6149 BT_DBG("chan %p, len %d", chan, skb->len);
1da177e4 6150
89bc500e 6151 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
1da177e4
LT		 6152 goto drop;
6153
e13e21dc 6154 if (chan->imtu < skb->len)
1da177e4
LT		 6155 goto drop;
6156
80b98027 6157 if (!chan->ops->recv(chan, skb))
84104b24 6158 return;
1da177e4
LT		 6159
6160drop:
6161 kfree_skb(skb);
1da177e4
LT		 6162}
6163
6810fca7
AE		 6164static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
6165 struct sk_buff *skb)
9f69bda6 6166{
23691d75 6167 struct l2cap_chan *chan;
9f69bda6 6168
c2287681 6169 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
23691d75 6170 if (!chan)
9f69bda6
GP		 6171 goto drop;
6172
5b4cedaa 6173 BT_DBG("chan %p, len %d", chan, skb->len);
9f69bda6 6174
89bc500e 6175 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
9f69bda6
GP		 6176 goto drop;
6177
e13e21dc 6178 if (chan->imtu < skb->len)
9f69bda6
GP		 6179 goto drop;
6180
80b98027 6181 if (!chan->ops->recv(chan, skb))
6810fca7 6182 return;
9f69bda6
GP		 6183
6184drop:
6185 kfree_skb(skb);
9f69bda6
GP		 6186}
6187
1da177e4
LT		 6188static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6189{
6190 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 6191 u16 cid, len;
6192 __le16 psm;
1da177e4
LT		 6193
6194 skb_pull(skb, L2CAP_HDR_SIZE);
6195 cid = __le16_to_cpu(lh->cid);
6196 len = __le16_to_cpu(lh->len);
6197
1c2acffb
GP		 6198 if (len != skb->len) {
6199 kfree_skb(skb);
6200 return;
6201 }
6202
1da177e4
LT		 6203 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6204
6205 switch (cid) {
3300d9a9 6206 case L2CAP_CID_LE_SIGNALING:
8db4dc46 6207 case L2CAP_CID_SIGNALING:
1da177e4
LT		 6208 l2cap_sig_channel(conn, skb);
6209 break;
6210
8db4dc46 6211 case L2CAP_CID_CONN_LESS:
097db76c 6212 psm = get_unaligned((__le16 *) skb->data);
0181a70f 6213 skb_pull(skb, L2CAP_PSMLEN_SIZE);
1da177e4
LT		 6214 l2cap_conless_channel(conn, psm, skb);
6215 break;
6216
9f69bda6
GP		 6217 case L2CAP_CID_LE_DATA:
6218 l2cap_att_channel(conn, cid, skb);
6219 break;
6220
b501d6a1
AB		 6221 case L2CAP_CID_SMP:
6222 if (smp_sig_channel(conn, skb))
6223 l2cap_conn_del(conn->hcon, EACCES);
6224 break;
6225
1da177e4
LT		 6226 default:
6227 l2cap_data_channel(conn, cid, skb);
6228 break;
6229 }
6230}
6231
6232/* ---- L2CAP interface with lower layer (HCI) ---- */
6233
686ebf28 6234int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
1da177e4
LT		 6235{
6236 int exact = 0, lm1 = 0, lm2 = 0;
23691d75 6237 struct l2cap_chan *c;
1da177e4 6238
6ed93dc6 6239 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1da177e4
LT		 6240
6241 /* Find listening sockets and check their link_mode */
23691d75
GP		 6242 read_lock(&chan_list_lock);
6243 list_for_each_entry(c, &chan_list, global_l) {
6244 struct sock *sk = c->sk;
4343478f 6245
89bc500e 6246 if (c->state != BT_LISTEN)
1da177e4
LT		 6247 continue;
6248
6249 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5 6250 lm1 |= HCI_LM_ACCEPT;
43bd0f32 6251 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5 6252 lm1 |= HCI_LM_MASTER;
1da177e4 6253 exact++;
2af6b9d5
MH		 6254 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6255 lm2 |= HCI_LM_ACCEPT;
43bd0f32 6256 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
2af6b9d5
MH		 6257 lm2 |= HCI_LM_MASTER;
6258 }
1da177e4 6259 }
23691d75 6260 read_unlock(&chan_list_lock);
1da177e4
LT		 6261
6262 return exact ? lm1 : lm2;
6263}
6264
9e664631 6265void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
1da177e4 6266{
0139418c
MH		 6267 struct l2cap_conn *conn;
6268
6ed93dc6 6269 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1da177e4 6270
1da177e4 6271 if (!status) {
1da177e4
LT		 6272 conn = l2cap_conn_add(hcon, status);
6273 if (conn)
6274 l2cap_conn_ready(conn);
ba6fc317 6275 } else {
e175072f 6276 l2cap_conn_del(hcon, bt_to_errno(status));
ba6fc317 6277 }
1da177e4
LT		 6278}
6279
686ebf28 6280int l2cap_disconn_ind(struct hci_conn *hcon)
2950f21a
MH		 6281{
6282 struct l2cap_conn *conn = hcon->l2cap_data;
6283
6284 BT_DBG("hcon %p", hcon);
6285
686ebf28 6286 if (!conn)
9f5a0d7b 6287 return HCI_ERROR_REMOTE_USER_TERM;
2950f21a
MH		 6288 return conn->disc_reason;
6289}
6290
9e664631 6291void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 6292{
6293 BT_DBG("hcon %p reason %d", hcon, reason);
6294
e175072f 6295 l2cap_conn_del(hcon, bt_to_errno(reason));
1da177e4
LT		 6296}
6297
4343478f 6298static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
f62e4323 6299{
715ec005 6300 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
255c7601
MH		 6301 return;
6302
f62e4323 6303 if (encrypt == 0x00) {
4343478f 6304 if (chan->sec_level == BT_SECURITY_MEDIUM) {
ba13ccd9 6305 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4343478f 6306 } else if (chan->sec_level == BT_SECURITY_HIGH)
0f852724 6307 l2cap_chan_close(chan, ECONNREFUSED);
f62e4323 6308 } else {
4343478f 6309 if (chan->sec_level == BT_SECURITY_MEDIUM)
c9b66675 6310 __clear_chan_timer(chan);
f62e4323
MH		 6311 }
6312}
6313
686ebf28 6314int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4 6315{
0139418c 6316 struct l2cap_conn *conn = hcon->l2cap_data;
48454079 6317 struct l2cap_chan *chan;
1da177e4 6318
0139418c 6319 if (!conn)
1da177e4 6320 return 0;
0139418c 6321
89d8b407 6322 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
1da177e4 6323
160dc6ac 6324 if (hcon->type == LE_LINK) {
35d4adcc
HG		 6325 if (!status && encrypt)
6326 smp_distribute_keys(conn, 0);
17cd3f37 6327 cancel_delayed_work(&conn->security_timer);
160dc6ac
VCG		 6328 }
6329
3df91ea2 6330 mutex_lock(&conn->chan_lock);
1da177e4 6331
3df91ea2 6332 list_for_each_entry(chan, &conn->chan_l, list) {
6be36555 6333 l2cap_chan_lock(chan);
1da177e4 6334
89d8b407
AE		 6335 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6336 state_to_string(chan->state));
f1cb9af5 6337
78eb2f98
AE		 6338 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6339 l2cap_chan_unlock(chan);
6340 continue;
6341 }
6342
f1cb9af5
VCG		 6343 if (chan->scid == L2CAP_CID_LE_DATA) {
6344 if (!status && encrypt) {
6345 chan->sec_level = hcon->sec_level;
cf4cd009 6346 l2cap_chan_ready(chan);
f1cb9af5
VCG		 6347 }
6348
6be36555 6349 l2cap_chan_unlock(chan);
f1cb9af5
VCG		 6350 continue;
6351 }
6352
c1360a1c 6353 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
6be36555 6354 l2cap_chan_unlock(chan);
6a8d3010
MH		 6355 continue;
6356 }
6357
89bc500e 6358 if (!status && (chan->state == BT_CONNECTED ||
2d792818 6359 chan->state == BT_CONFIG)) {
a7d7723a
GP		 6360 struct sock *sk = chan->sk;
6361
c5daa683 6362 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
a7d7723a
GP		 6363 sk->sk_state_change(sk);
6364
4343478f 6365 l2cap_check_encryption(chan, encrypt);
6be36555 6366 l2cap_chan_unlock(chan);
9719f8af
MH		 6367 continue;
6368 }
6369
89bc500e 6370 if (chan->state == BT_CONNECT) {
b1235d79 6371 if (!status) {
93c3e8f5 6372 l2cap_start_connection(chan);
b1235d79 6373 } else {
ba13ccd9 6374 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
b1235d79 6375 }
89bc500e 6376 } else if (chan->state == BT_CONNECT2) {
6be36555 6377 struct sock *sk = chan->sk;
b1235d79 6378 struct l2cap_conn_rsp rsp;
df3c3931 6379 __u16 res, stat;
1da177e4 6380
6be36555
AE		 6381 lock_sock(sk);
6382
b1235d79 6383 if (!status) {
c5daa683
GP		 6384 if (test_bit(BT_SK_DEFER_SETUP,
6385 &bt_sk(sk)->flags)) {
df3c3931
JH		 6386 res = L2CAP_CR_PEND;
6387 stat = L2CAP_CS_AUTHOR_PEND;
2dc4e510 6388 chan->ops->defer(chan);
df3c3931 6389 } else {
0e587be7 6390 __l2cap_state_change(chan, BT_CONFIG);
df3c3931
JH		 6391 res = L2CAP_CR_SUCCESS;
6392 stat = L2CAP_CS_NO_INFO;
6393 }
b1235d79 6394 } else {
0e587be7 6395 __l2cap_state_change(chan, BT_DISCONN);
ba13ccd9 6396 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
df3c3931
JH		 6397 res = L2CAP_CR_SEC_BLOCK;
6398 stat = L2CAP_CS_NO_INFO;
b1235d79
MH		 6399 }
6400
6be36555
AE		 6401 release_sock(sk);
6402
fe4128e0
GP		 6403 rsp.scid = cpu_to_le16(chan->dcid);
6404 rsp.dcid = cpu_to_le16(chan->scid);
df3c3931
JH		 6405 rsp.result = cpu_to_le16(res);
6406 rsp.status = cpu_to_le16(stat);
fc7f8a7e 6407 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
2d792818 6408 sizeof(rsp), &rsp);
2d369359
MM		 6409
6410 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6411 res == L2CAP_CR_SUCCESS) {
6412 char buf[128];
6413 set_bit(CONF_REQ_SENT, &chan->conf_state);
6414 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6415 L2CAP_CONF_REQ,
6416 l2cap_build_conf_req(chan, buf),
6417 buf);
6418 chan->num_conf_req++;
6419 }
b1235d79 6420 }
1da177e4 6421
6be36555 6422 l2cap_chan_unlock(chan);
1da177e4
LT		 6423 }
6424
3df91ea2 6425 mutex_unlock(&conn->chan_lock);
b1235d79 6426
1da177e4
LT		 6427 return 0;
6428}
6429
686ebf28 6430int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
1da177e4
LT		 6431{
6432 struct l2cap_conn *conn = hcon->l2cap_data;
d73a0988
AE		 6433 struct l2cap_hdr *hdr;
6434 int len;
1da177e4 6435
1d13a254
AE		 6436 /* For AMP controller do not create l2cap conn */
6437 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6438 goto drop;
1da177e4 6439
5a08ecce
AE		 6440 if (!conn)
6441 conn = l2cap_conn_add(hcon, 0);
6442
6443 if (!conn)
1da177e4
LT		 6444 goto drop;
6445
6446 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6447
d73a0988
AE		 6448 switch (flags) {
6449 case ACL_START:
6450 case ACL_START_NO_FLUSH:
6451 case ACL_COMPLETE:
1da177e4
LT		 6452 if (conn->rx_len) {
6453 BT_ERR("Unexpected start frame (len %d)", skb->len);
6454 kfree_skb(conn->rx_skb);
6455 conn->rx_skb = NULL;
6456 conn->rx_len = 0;
6457 l2cap_conn_unreliable(conn, ECOMM);
6458 }
6459
aae7fe22
AE		 6460 /* Start fragment always begin with Basic L2CAP header */
6461 if (skb->len < L2CAP_HDR_SIZE) {
1da177e4
LT		 6462 BT_ERR("Frame is too short (len %d)", skb->len);
6463 l2cap_conn_unreliable(conn, ECOMM);
6464 goto drop;
6465 }
6466
6467 hdr = (struct l2cap_hdr *) skb->data;
6468 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6469
6470 if (len == skb->len) {
6471 /* Complete frame received */
6472 l2cap_recv_frame(conn, skb);
6473 return 0;
6474 }
6475
6476 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6477
6478 if (skb->len > len) {
6479 BT_ERR("Frame is too long (len %d, expected len %d)",
2d792818 6480 skb->len, len);
1da177e4
LT		 6481 l2cap_conn_unreliable(conn, ECOMM);
6482 goto drop;
6483 }
6484
6485 /* Allocate skb for the complete frame (with header) */
8bcde1f2 6486 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
af05b30b 6487 if (!conn->rx_skb)
1da177e4
LT		 6488 goto drop;
6489
d626f62b 6490 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6491 skb->len);
1da177e4 6492 conn->rx_len = len - skb->len;
d73a0988
AE		 6493 break;
6494
6495 case ACL_CONT:
1da177e4
LT		 6496 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6497
6498 if (!conn->rx_len) {
6499 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6500 l2cap_conn_unreliable(conn, ECOMM);
6501 goto drop;
6502 }
6503
6504 if (skb->len > conn->rx_len) {
6505 BT_ERR("Fragment is too long (len %d, expected %d)",
2d792818 6506 skb->len, conn->rx_len);
1da177e4
LT		 6507 kfree_skb(conn->rx_skb);
6508 conn->rx_skb = NULL;
6509 conn->rx_len = 0;
6510 l2cap_conn_unreliable(conn, ECOMM);
6511 goto drop;
6512 }
6513
d626f62b 6514 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
2d792818 6515 skb->len);
1da177e4
LT		 6516 conn->rx_len -= skb->len;
6517
6518 if (!conn->rx_len) {
6519 /* Complete frame received */
6520 l2cap_recv_frame(conn, conn->rx_skb);
6521 conn->rx_skb = NULL;
6522 }
d73a0988 6523 break;
1da177e4
LT		 6524 }
6525
6526drop:
6527 kfree_skb(skb);
6528 return 0;
6529}
6530
aef7d97c 6531static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4 6532{
23691d75 6533 struct l2cap_chan *c;
1da177e4 6534
333055f2 6535 read_lock(&chan_list_lock);
1da177e4 6536
23691d75
GP		 6537 list_for_each_entry(c, &chan_list, global_l) {
6538 struct sock *sk = c->sk;
101545f6 6539
fcb73338
AE		 6540 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6541 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6542 c->state, __le16_to_cpu(c->psm),
6543 c->scid, c->dcid, c->imtu, c->omtu,
6544 c->sec_level, c->mode);
61e1b4b7 6545 }
1da177e4 6546
333055f2 6547 read_unlock(&chan_list_lock);
1da177e4 6548
aef7d97c 6549 return 0;
1da177e4
LT		 6550}
6551
aef7d97c
MH		 6552static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6553{
6554 return single_open(file, l2cap_debugfs_show, inode->i_private);
6555}
6556
6557static const struct file_operations l2cap_debugfs_fops = {
6558 .open = l2cap_debugfs_open,
6559 .read = seq_read,
6560 .llseek = seq_lseek,
6561 .release = single_release,
6562};
6563
6564static struct dentry *l2cap_debugfs;
1da177e4 6565
64274518 6566int __init l2cap_init(void)
1da177e4
LT		 6567{
6568 int err;
be9d1227 6569
bb58f747 6570 err = l2cap_init_sockets();
1da177e4
LT		 6571 if (err < 0)
6572 return err;
6573
aef7d97c 6574 if (bt_debugfs) {
2d792818
GP		 6575 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6576 NULL, &l2cap_debugfs_fops);
aef7d97c
MH		 6577 if (!l2cap_debugfs)
6578 BT_ERR("Failed to create L2CAP debug file");
6579 }
1da177e4 6580
1da177e4 6581 return 0;
1da177e4
LT		 6582}
6583
64274518 6584void l2cap_exit(void)
1da177e4 6585{
aef7d97c 6586 debugfs_remove(l2cap_debugfs);
bb58f747 6587 l2cap_cleanup_sockets();
1da177e4
LT		 6588}
6589
d1c4a17d
GP		 6590module_param(disable_ertm, bool, 0644);
6591MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
kernel source for telekom puls (alcatel/mediatek)