xref: /openbmc/linux/net/bluetooth/l2cap_core.c (revision dfd4f649)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5    Copyright (C) 2010 Google Inc.
6    Copyright (C) 2011 ProFUSION Embedded Systems
7    Copyright (c) 2012 Code Aurora Forum.  All rights reserved.
8 
9    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10 
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License version 2 as
13    published by the Free Software Foundation;
14 
15    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 
24    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26    SOFTWARE IS DISCLAIMED.
27 */
28 
29 /* Bluetooth L2CAP core. */
30 
31 #include <linux/module.h>
32 
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
36 
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
40 
41 #include "smp.h"
42 #include "a2mp.h"
43 #include "amp.h"
44 
45 #define LE_FLOWCTL_MAX_CREDITS 65535
46 
47 bool disable_ertm;
48 
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
50 
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
53 
54 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
55 				       u8 code, u8 ident, u16 dlen, void *data);
56 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
57 			   void *data);
58 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
59 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
60 
61 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
62 		     struct sk_buff_head *skbs, u8 event);
63 
64 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
65 {
66 	if (link_type == LE_LINK) {
67 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
68 			return BDADDR_LE_PUBLIC;
69 		else
70 			return BDADDR_LE_RANDOM;
71 	}
72 
73 	return BDADDR_BREDR;
74 }
75 
76 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
77 {
78 	return bdaddr_type(hcon->type, hcon->src_type);
79 }
80 
81 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
82 {
83 	return bdaddr_type(hcon->type, hcon->dst_type);
84 }
85 
86 /* ---- L2CAP channels ---- */
87 
88 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
89 						   u16 cid)
90 {
91 	struct l2cap_chan *c;
92 
93 	list_for_each_entry(c, &conn->chan_l, list) {
94 		if (c->dcid == cid)
95 			return c;
96 	}
97 	return NULL;
98 }
99 
100 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
101 						   u16 cid)
102 {
103 	struct l2cap_chan *c;
104 
105 	list_for_each_entry(c, &conn->chan_l, list) {
106 		if (c->scid == cid)
107 			return c;
108 	}
109 	return NULL;
110 }
111 
112 /* Find channel with given SCID.
113  * Returns locked channel. */
114 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
115 						 u16 cid)
116 {
117 	struct l2cap_chan *c;
118 
119 	mutex_lock(&conn->chan_lock);
120 	c = __l2cap_get_chan_by_scid(conn, cid);
121 	if (c)
122 		l2cap_chan_lock(c);
123 	mutex_unlock(&conn->chan_lock);
124 
125 	return c;
126 }
127 
128 /* Find channel with given DCID.
129  * Returns locked channel.
130  */
131 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
132 						 u16 cid)
133 {
134 	struct l2cap_chan *c;
135 
136 	mutex_lock(&conn->chan_lock);
137 	c = __l2cap_get_chan_by_dcid(conn, cid);
138 	if (c)
139 		l2cap_chan_lock(c);
140 	mutex_unlock(&conn->chan_lock);
141 
142 	return c;
143 }
144 
145 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
146 						    u8 ident)
147 {
148 	struct l2cap_chan *c;
149 
150 	list_for_each_entry(c, &conn->chan_l, list) {
151 		if (c->ident == ident)
152 			return c;
153 	}
154 	return NULL;
155 }
156 
157 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
158 						  u8 ident)
159 {
160 	struct l2cap_chan *c;
161 
162 	mutex_lock(&conn->chan_lock);
163 	c = __l2cap_get_chan_by_ident(conn, ident);
164 	if (c)
165 		l2cap_chan_lock(c);
166 	mutex_unlock(&conn->chan_lock);
167 
168 	return c;
169 }
170 
171 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
172 {
173 	struct l2cap_chan *c;
174 
175 	list_for_each_entry(c, &chan_list, global_l) {
176 		if (c->sport == psm && !bacmp(&c->src, src))
177 			return c;
178 	}
179 	return NULL;
180 }
181 
182 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
183 {
184 	int err;
185 
186 	write_lock(&chan_list_lock);
187 
188 	if (psm && __l2cap_global_chan_by_addr(psm, src)) {
189 		err = -EADDRINUSE;
190 		goto done;
191 	}
192 
193 	if (psm) {
194 		chan->psm = psm;
195 		chan->sport = psm;
196 		err = 0;
197 	} else {
198 		u16 p, start, end, incr;
199 
200 		if (chan->src_type == BDADDR_BREDR) {
201 			start = L2CAP_PSM_DYN_START;
202 			end = L2CAP_PSM_AUTO_END;
203 			incr = 2;
204 		} else {
205 			start = L2CAP_PSM_LE_DYN_START;
206 			end = L2CAP_PSM_LE_DYN_END;
207 			incr = 1;
208 		}
209 
210 		err = -EINVAL;
211 		for (p = start; p <= end; p += incr)
212 			if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
213 				chan->psm   = cpu_to_le16(p);
214 				chan->sport = cpu_to_le16(p);
215 				err = 0;
216 				break;
217 			}
218 	}
219 
220 done:
221 	write_unlock(&chan_list_lock);
222 	return err;
223 }
224 EXPORT_SYMBOL_GPL(l2cap_add_psm);
225 
226 int l2cap_add_scid(struct l2cap_chan *chan,  __u16 scid)
227 {
228 	write_lock(&chan_list_lock);
229 
230 	/* Override the defaults (which are for conn-oriented) */
231 	chan->omtu = L2CAP_DEFAULT_MTU;
232 	chan->chan_type = L2CAP_CHAN_FIXED;
233 
234 	chan->scid = scid;
235 
236 	write_unlock(&chan_list_lock);
237 
238 	return 0;
239 }
240 
241 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
242 {
243 	u16 cid, dyn_end;
244 
245 	if (conn->hcon->type == LE_LINK)
246 		dyn_end = L2CAP_CID_LE_DYN_END;
247 	else
248 		dyn_end = L2CAP_CID_DYN_END;
249 
250 	for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
251 		if (!__l2cap_get_chan_by_scid(conn, cid))
252 			return cid;
253 	}
254 
255 	return 0;
256 }
257 
258 static void l2cap_state_change(struct l2cap_chan *chan, int state)
259 {
260 	BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
261 	       state_to_string(state));
262 
263 	chan->state = state;
264 	chan->ops->state_change(chan, state, 0);
265 }
266 
267 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
268 						int state, int err)
269 {
270 	chan->state = state;
271 	chan->ops->state_change(chan, chan->state, err);
272 }
273 
274 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
275 {
276 	chan->ops->state_change(chan, chan->state, err);
277 }
278 
279 static void __set_retrans_timer(struct l2cap_chan *chan)
280 {
281 	if (!delayed_work_pending(&chan->monitor_timer) &&
282 	    chan->retrans_timeout) {
283 		l2cap_set_timer(chan, &chan->retrans_timer,
284 				msecs_to_jiffies(chan->retrans_timeout));
285 	}
286 }
287 
288 static void __set_monitor_timer(struct l2cap_chan *chan)
289 {
290 	__clear_retrans_timer(chan);
291 	if (chan->monitor_timeout) {
292 		l2cap_set_timer(chan, &chan->monitor_timer,
293 				msecs_to_jiffies(chan->monitor_timeout));
294 	}
295 }
296 
297 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
298 					       u16 seq)
299 {
300 	struct sk_buff *skb;
301 
302 	skb_queue_walk(head, skb) {
303 		if (bt_cb(skb)->l2cap.txseq == seq)
304 			return skb;
305 	}
306 
307 	return NULL;
308 }
309 
310 /* ---- L2CAP sequence number lists ---- */
311 
312 /* For ERTM, ordered lists of sequence numbers must be tracked for
313  * SREJ requests that are received and for frames that are to be
314  * retransmitted. These seq_list functions implement a singly-linked
315  * list in an array, where membership in the list can also be checked
316  * in constant time. Items can also be added to the tail of the list
317  * and removed from the head in constant time, without further memory
318  * allocs or frees.
319  */
320 
321 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
322 {
323 	size_t alloc_size, i;
324 
325 	/* Allocated size is a power of 2 to map sequence numbers
326 	 * (which may be up to 14 bits) in to a smaller array that is
327 	 * sized for the negotiated ERTM transmit windows.
328 	 */
329 	alloc_size = roundup_pow_of_two(size);
330 
331 	seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
332 	if (!seq_list->list)
333 		return -ENOMEM;
334 
335 	seq_list->mask = alloc_size - 1;
336 	seq_list->head = L2CAP_SEQ_LIST_CLEAR;
337 	seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
338 	for (i = 0; i < alloc_size; i++)
339 		seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
340 
341 	return 0;
342 }
343 
344 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
345 {
346 	kfree(seq_list->list);
347 }
348 
349 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
350 					   u16 seq)
351 {
352 	/* Constant-time check for list membership */
353 	return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
354 }
355 
356 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
357 {
358 	u16 seq = seq_list->head;
359 	u16 mask = seq_list->mask;
360 
361 	seq_list->head = seq_list->list[seq & mask];
362 	seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
363 
364 	if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
365 		seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 		seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
367 	}
368 
369 	return seq;
370 }
371 
372 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
373 {
374 	u16 i;
375 
376 	if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
377 		return;
378 
379 	for (i = 0; i <= seq_list->mask; i++)
380 		seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
381 
382 	seq_list->head = L2CAP_SEQ_LIST_CLEAR;
383 	seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
384 }
385 
386 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
387 {
388 	u16 mask = seq_list->mask;
389 
390 	/* All appends happen in constant time */
391 
392 	if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
393 		return;
394 
395 	if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
396 		seq_list->head = seq;
397 	else
398 		seq_list->list[seq_list->tail & mask] = seq;
399 
400 	seq_list->tail = seq;
401 	seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
402 }
403 
404 static void l2cap_chan_timeout(struct work_struct *work)
405 {
406 	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
407 					       chan_timer.work);
408 	struct l2cap_conn *conn = chan->conn;
409 	int reason;
410 
411 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
412 
413 	mutex_lock(&conn->chan_lock);
414 	l2cap_chan_lock(chan);
415 
416 	if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
417 		reason = ECONNREFUSED;
418 	else if (chan->state == BT_CONNECT &&
419 		 chan->sec_level != BT_SECURITY_SDP)
420 		reason = ECONNREFUSED;
421 	else
422 		reason = ETIMEDOUT;
423 
424 	l2cap_chan_close(chan, reason);
425 
426 	l2cap_chan_unlock(chan);
427 
428 	chan->ops->close(chan);
429 	mutex_unlock(&conn->chan_lock);
430 
431 	l2cap_chan_put(chan);
432 }
433 
434 struct l2cap_chan *l2cap_chan_create(void)
435 {
436 	struct l2cap_chan *chan;
437 
438 	chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
439 	if (!chan)
440 		return NULL;
441 
442 	mutex_init(&chan->lock);
443 
444 	/* Set default lock nesting level */
445 	atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
446 
447 	write_lock(&chan_list_lock);
448 	list_add(&chan->global_l, &chan_list);
449 	write_unlock(&chan_list_lock);
450 
451 	INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
452 
453 	chan->state = BT_OPEN;
454 
455 	kref_init(&chan->kref);
456 
457 	/* This flag is cleared in l2cap_chan_ready() */
458 	set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
459 
460 	BT_DBG("chan %p", chan);
461 
462 	return chan;
463 }
464 EXPORT_SYMBOL_GPL(l2cap_chan_create);
465 
466 static void l2cap_chan_destroy(struct kref *kref)
467 {
468 	struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
469 
470 	BT_DBG("chan %p", chan);
471 
472 	write_lock(&chan_list_lock);
473 	list_del(&chan->global_l);
474 	write_unlock(&chan_list_lock);
475 
476 	kfree(chan);
477 }
478 
479 void l2cap_chan_hold(struct l2cap_chan *c)
480 {
481 	BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
482 
483 	kref_get(&c->kref);
484 }
485 
486 void l2cap_chan_put(struct l2cap_chan *c)
487 {
488 	BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
489 
490 	kref_put(&c->kref, l2cap_chan_destroy);
491 }
492 EXPORT_SYMBOL_GPL(l2cap_chan_put);
493 
494 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
495 {
496 	chan->fcs  = L2CAP_FCS_CRC16;
497 	chan->max_tx = L2CAP_DEFAULT_MAX_TX;
498 	chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
499 	chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
500 	chan->remote_max_tx = chan->max_tx;
501 	chan->remote_tx_win = chan->tx_win;
502 	chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
503 	chan->sec_level = BT_SECURITY_LOW;
504 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
505 	chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
506 	chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
507 	chan->conf_state = 0;
508 
509 	set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
510 }
511 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
512 
513 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
514 {
515 	chan->sdu = NULL;
516 	chan->sdu_last_frag = NULL;
517 	chan->sdu_len = 0;
518 	chan->tx_credits = 0;
519 	/* Derive MPS from connection MTU to stop HCI fragmentation */
520 	chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
521 	/* Give enough credits for a full packet */
522 	chan->rx_credits = (chan->imtu / chan->mps) + 1;
523 
524 	skb_queue_head_init(&chan->tx_q);
525 }
526 
527 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
528 {
529 	BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
530 	       __le16_to_cpu(chan->psm), chan->dcid);
531 
532 	conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
533 
534 	chan->conn = conn;
535 
536 	switch (chan->chan_type) {
537 	case L2CAP_CHAN_CONN_ORIENTED:
538 		/* Alloc CID for connection-oriented socket */
539 		chan->scid = l2cap_alloc_cid(conn);
540 		if (conn->hcon->type == ACL_LINK)
541 			chan->omtu = L2CAP_DEFAULT_MTU;
542 		break;
543 
544 	case L2CAP_CHAN_CONN_LESS:
545 		/* Connectionless socket */
546 		chan->scid = L2CAP_CID_CONN_LESS;
547 		chan->dcid = L2CAP_CID_CONN_LESS;
548 		chan->omtu = L2CAP_DEFAULT_MTU;
549 		break;
550 
551 	case L2CAP_CHAN_FIXED:
552 		/* Caller will set CID and CID specific MTU values */
553 		break;
554 
555 	default:
556 		/* Raw socket can send/recv signalling messages only */
557 		chan->scid = L2CAP_CID_SIGNALING;
558 		chan->dcid = L2CAP_CID_SIGNALING;
559 		chan->omtu = L2CAP_DEFAULT_MTU;
560 	}
561 
562 	chan->local_id		= L2CAP_BESTEFFORT_ID;
563 	chan->local_stype	= L2CAP_SERV_BESTEFFORT;
564 	chan->local_msdu	= L2CAP_DEFAULT_MAX_SDU_SIZE;
565 	chan->local_sdu_itime	= L2CAP_DEFAULT_SDU_ITIME;
566 	chan->local_acc_lat	= L2CAP_DEFAULT_ACC_LAT;
567 	chan->local_flush_to	= L2CAP_EFS_DEFAULT_FLUSH_TO;
568 
569 	l2cap_chan_hold(chan);
570 
571 	/* Only keep a reference for fixed channels if they requested it */
572 	if (chan->chan_type != L2CAP_CHAN_FIXED ||
573 	    test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
574 		hci_conn_hold(conn->hcon);
575 
576 	list_add(&chan->list, &conn->chan_l);
577 }
578 
579 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
580 {
581 	mutex_lock(&conn->chan_lock);
582 	__l2cap_chan_add(conn, chan);
583 	mutex_unlock(&conn->chan_lock);
584 }
585 
586 void l2cap_chan_del(struct l2cap_chan *chan, int err)
587 {
588 	struct l2cap_conn *conn = chan->conn;
589 
590 	__clear_chan_timer(chan);
591 
592 	BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
593 	       state_to_string(chan->state));
594 
595 	chan->ops->teardown(chan, err);
596 
597 	if (conn) {
598 		struct amp_mgr *mgr = conn->hcon->amp_mgr;
599 		/* Delete from channel list */
600 		list_del(&chan->list);
601 
602 		l2cap_chan_put(chan);
603 
604 		chan->conn = NULL;
605 
606 		/* Reference was only held for non-fixed channels or
607 		 * fixed channels that explicitly requested it using the
608 		 * FLAG_HOLD_HCI_CONN flag.
609 		 */
610 		if (chan->chan_type != L2CAP_CHAN_FIXED ||
611 		    test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
612 			hci_conn_drop(conn->hcon);
613 
614 		if (mgr && mgr->bredr_chan == chan)
615 			mgr->bredr_chan = NULL;
616 	}
617 
618 	if (chan->hs_hchan) {
619 		struct hci_chan *hs_hchan = chan->hs_hchan;
620 
621 		BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
622 		amp_disconnect_logical_link(hs_hchan);
623 	}
624 
625 	if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
626 		return;
627 
628 	switch(chan->mode) {
629 	case L2CAP_MODE_BASIC:
630 		break;
631 
632 	case L2CAP_MODE_LE_FLOWCTL:
633 		skb_queue_purge(&chan->tx_q);
634 		break;
635 
636 	case L2CAP_MODE_ERTM:
637 		__clear_retrans_timer(chan);
638 		__clear_monitor_timer(chan);
639 		__clear_ack_timer(chan);
640 
641 		skb_queue_purge(&chan->srej_q);
642 
643 		l2cap_seq_list_free(&chan->srej_list);
644 		l2cap_seq_list_free(&chan->retrans_list);
645 
646 		/* fall through */
647 
648 	case L2CAP_MODE_STREAMING:
649 		skb_queue_purge(&chan->tx_q);
650 		break;
651 	}
652 
653 	return;
654 }
655 EXPORT_SYMBOL_GPL(l2cap_chan_del);
656 
657 static void l2cap_conn_update_id_addr(struct work_struct *work)
658 {
659 	struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
660 					       id_addr_update_work);
661 	struct hci_conn *hcon = conn->hcon;
662 	struct l2cap_chan *chan;
663 
664 	mutex_lock(&conn->chan_lock);
665 
666 	list_for_each_entry(chan, &conn->chan_l, list) {
667 		l2cap_chan_lock(chan);
668 		bacpy(&chan->dst, &hcon->dst);
669 		chan->dst_type = bdaddr_dst_type(hcon);
670 		l2cap_chan_unlock(chan);
671 	}
672 
673 	mutex_unlock(&conn->chan_lock);
674 }
675 
676 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
677 {
678 	struct l2cap_conn *conn = chan->conn;
679 	struct l2cap_le_conn_rsp rsp;
680 	u16 result;
681 
682 	if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
683 		result = L2CAP_CR_LE_AUTHORIZATION;
684 	else
685 		result = L2CAP_CR_LE_BAD_PSM;
686 
687 	l2cap_state_change(chan, BT_DISCONN);
688 
689 	rsp.dcid    = cpu_to_le16(chan->scid);
690 	rsp.mtu     = cpu_to_le16(chan->imtu);
691 	rsp.mps     = cpu_to_le16(chan->mps);
692 	rsp.credits = cpu_to_le16(chan->rx_credits);
693 	rsp.result  = cpu_to_le16(result);
694 
695 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
696 		       &rsp);
697 }
698 
699 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
700 {
701 	struct l2cap_conn *conn = chan->conn;
702 	struct l2cap_conn_rsp rsp;
703 	u16 result;
704 
705 	if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
706 		result = L2CAP_CR_SEC_BLOCK;
707 	else
708 		result = L2CAP_CR_BAD_PSM;
709 
710 	l2cap_state_change(chan, BT_DISCONN);
711 
712 	rsp.scid   = cpu_to_le16(chan->dcid);
713 	rsp.dcid   = cpu_to_le16(chan->scid);
714 	rsp.result = cpu_to_le16(result);
715 	rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
716 
717 	l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
718 }
719 
720 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
721 {
722 	struct l2cap_conn *conn = chan->conn;
723 
724 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
725 
726 	switch (chan->state) {
727 	case BT_LISTEN:
728 		chan->ops->teardown(chan, 0);
729 		break;
730 
731 	case BT_CONNECTED:
732 	case BT_CONFIG:
733 		if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
734 			__set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
735 			l2cap_send_disconn_req(chan, reason);
736 		} else
737 			l2cap_chan_del(chan, reason);
738 		break;
739 
740 	case BT_CONNECT2:
741 		if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
742 			if (conn->hcon->type == ACL_LINK)
743 				l2cap_chan_connect_reject(chan);
744 			else if (conn->hcon->type == LE_LINK)
745 				l2cap_chan_le_connect_reject(chan);
746 		}
747 
748 		l2cap_chan_del(chan, reason);
749 		break;
750 
751 	case BT_CONNECT:
752 	case BT_DISCONN:
753 		l2cap_chan_del(chan, reason);
754 		break;
755 
756 	default:
757 		chan->ops->teardown(chan, 0);
758 		break;
759 	}
760 }
761 EXPORT_SYMBOL(l2cap_chan_close);
762 
763 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
764 {
765 	switch (chan->chan_type) {
766 	case L2CAP_CHAN_RAW:
767 		switch (chan->sec_level) {
768 		case BT_SECURITY_HIGH:
769 		case BT_SECURITY_FIPS:
770 			return HCI_AT_DEDICATED_BONDING_MITM;
771 		case BT_SECURITY_MEDIUM:
772 			return HCI_AT_DEDICATED_BONDING;
773 		default:
774 			return HCI_AT_NO_BONDING;
775 		}
776 		break;
777 	case L2CAP_CHAN_CONN_LESS:
778 		if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
779 			if (chan->sec_level == BT_SECURITY_LOW)
780 				chan->sec_level = BT_SECURITY_SDP;
781 		}
782 		if (chan->sec_level == BT_SECURITY_HIGH ||
783 		    chan->sec_level == BT_SECURITY_FIPS)
784 			return HCI_AT_NO_BONDING_MITM;
785 		else
786 			return HCI_AT_NO_BONDING;
787 		break;
788 	case L2CAP_CHAN_CONN_ORIENTED:
789 		if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
790 			if (chan->sec_level == BT_SECURITY_LOW)
791 				chan->sec_level = BT_SECURITY_SDP;
792 
793 			if (chan->sec_level == BT_SECURITY_HIGH ||
794 			    chan->sec_level == BT_SECURITY_FIPS)
795 				return HCI_AT_NO_BONDING_MITM;
796 			else
797 				return HCI_AT_NO_BONDING;
798 		}
799 		/* fall through */
800 	default:
801 		switch (chan->sec_level) {
802 		case BT_SECURITY_HIGH:
803 		case BT_SECURITY_FIPS:
804 			return HCI_AT_GENERAL_BONDING_MITM;
805 		case BT_SECURITY_MEDIUM:
806 			return HCI_AT_GENERAL_BONDING;
807 		default:
808 			return HCI_AT_NO_BONDING;
809 		}
810 		break;
811 	}
812 }
813 
814 /* Service level security */
815 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
816 {
817 	struct l2cap_conn *conn = chan->conn;
818 	__u8 auth_type;
819 
820 	if (conn->hcon->type == LE_LINK)
821 		return smp_conn_security(conn->hcon, chan->sec_level);
822 
823 	auth_type = l2cap_get_auth_type(chan);
824 
825 	return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
826 				 initiator);
827 }
828 
829 static u8 l2cap_get_ident(struct l2cap_conn *conn)
830 {
831 	u8 id;
832 
833 	/* Get next available identificator.
834 	 *    1 - 128 are used by kernel.
835 	 *  129 - 199 are reserved.
836 	 *  200 - 254 are used by utilities like l2ping, etc.
837 	 */
838 
839 	mutex_lock(&conn->ident_lock);
840 
841 	if (++conn->tx_ident > 128)
842 		conn->tx_ident = 1;
843 
844 	id = conn->tx_ident;
845 
846 	mutex_unlock(&conn->ident_lock);
847 
848 	return id;
849 }
850 
851 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
852 			   void *data)
853 {
854 	struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
855 	u8 flags;
856 
857 	BT_DBG("code 0x%2.2x", code);
858 
859 	if (!skb)
860 		return;
861 
862 	/* Use NO_FLUSH if supported or we have an LE link (which does
863 	 * not support auto-flushing packets) */
864 	if (lmp_no_flush_capable(conn->hcon->hdev) ||
865 	    conn->hcon->type == LE_LINK)
866 		flags = ACL_START_NO_FLUSH;
867 	else
868 		flags = ACL_START;
869 
870 	bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
871 	skb->priority = HCI_PRIO_MAX;
872 
873 	hci_send_acl(conn->hchan, skb, flags);
874 }
875 
876 static bool __chan_is_moving(struct l2cap_chan *chan)
877 {
878 	return chan->move_state != L2CAP_MOVE_STABLE &&
879 	       chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
880 }
881 
882 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
883 {
884 	struct hci_conn *hcon = chan->conn->hcon;
885 	u16 flags;
886 
887 	BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
888 	       skb->priority);
889 
890 	if (chan->hs_hcon && !__chan_is_moving(chan)) {
891 		if (chan->hs_hchan)
892 			hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
893 		else
894 			kfree_skb(skb);
895 
896 		return;
897 	}
898 
899 	/* Use NO_FLUSH for LE links (where this is the only option) or
900 	 * if the BR/EDR link supports it and flushing has not been
901 	 * explicitly requested (through FLAG_FLUSHABLE).
902 	 */
903 	if (hcon->type == LE_LINK ||
904 	    (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
905 	     lmp_no_flush_capable(hcon->hdev)))
906 		flags = ACL_START_NO_FLUSH;
907 	else
908 		flags = ACL_START;
909 
910 	bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
911 	hci_send_acl(chan->conn->hchan, skb, flags);
912 }
913 
914 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
915 {
916 	control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
917 	control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
918 
919 	if (enh & L2CAP_CTRL_FRAME_TYPE) {
920 		/* S-Frame */
921 		control->sframe = 1;
922 		control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
923 		control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
924 
925 		control->sar = 0;
926 		control->txseq = 0;
927 	} else {
928 		/* I-Frame */
929 		control->sframe = 0;
930 		control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
931 		control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
932 
933 		control->poll = 0;
934 		control->super = 0;
935 	}
936 }
937 
938 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
939 {
940 	control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
941 	control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
942 
943 	if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
944 		/* S-Frame */
945 		control->sframe = 1;
946 		control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
947 		control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
948 
949 		control->sar = 0;
950 		control->txseq = 0;
951 	} else {
952 		/* I-Frame */
953 		control->sframe = 0;
954 		control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
955 		control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
956 
957 		control->poll = 0;
958 		control->super = 0;
959 	}
960 }
961 
962 static inline void __unpack_control(struct l2cap_chan *chan,
963 				    struct sk_buff *skb)
964 {
965 	if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
966 		__unpack_extended_control(get_unaligned_le32(skb->data),
967 					  &bt_cb(skb)->l2cap);
968 		skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
969 	} else {
970 		__unpack_enhanced_control(get_unaligned_le16(skb->data),
971 					  &bt_cb(skb)->l2cap);
972 		skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
973 	}
974 }
975 
976 static u32 __pack_extended_control(struct l2cap_ctrl *control)
977 {
978 	u32 packed;
979 
980 	packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
981 	packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
982 
983 	if (control->sframe) {
984 		packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
985 		packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
986 		packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
987 	} else {
988 		packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
989 		packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
990 	}
991 
992 	return packed;
993 }
994 
995 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
996 {
997 	u16 packed;
998 
999 	packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1000 	packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1001 
1002 	if (control->sframe) {
1003 		packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1004 		packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1005 		packed |= L2CAP_CTRL_FRAME_TYPE;
1006 	} else {
1007 		packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1008 		packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1009 	}
1010 
1011 	return packed;
1012 }
1013 
1014 static inline void __pack_control(struct l2cap_chan *chan,
1015 				  struct l2cap_ctrl *control,
1016 				  struct sk_buff *skb)
1017 {
1018 	if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1019 		put_unaligned_le32(__pack_extended_control(control),
1020 				   skb->data + L2CAP_HDR_SIZE);
1021 	} else {
1022 		put_unaligned_le16(__pack_enhanced_control(control),
1023 				   skb->data + L2CAP_HDR_SIZE);
1024 	}
1025 }
1026 
1027 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1028 {
1029 	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1030 		return L2CAP_EXT_HDR_SIZE;
1031 	else
1032 		return L2CAP_ENH_HDR_SIZE;
1033 }
1034 
1035 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1036 					       u32 control)
1037 {
1038 	struct sk_buff *skb;
1039 	struct l2cap_hdr *lh;
1040 	int hlen = __ertm_hdr_size(chan);
1041 
1042 	if (chan->fcs == L2CAP_FCS_CRC16)
1043 		hlen += L2CAP_FCS_SIZE;
1044 
1045 	skb = bt_skb_alloc(hlen, GFP_KERNEL);
1046 
1047 	if (!skb)
1048 		return ERR_PTR(-ENOMEM);
1049 
1050 	lh = skb_put(skb, L2CAP_HDR_SIZE);
1051 	lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1052 	lh->cid = cpu_to_le16(chan->dcid);
1053 
1054 	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1055 		put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1056 	else
1057 		put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1058 
1059 	if (chan->fcs == L2CAP_FCS_CRC16) {
1060 		u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1061 		put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1062 	}
1063 
1064 	skb->priority = HCI_PRIO_MAX;
1065 	return skb;
1066 }
1067 
1068 static void l2cap_send_sframe(struct l2cap_chan *chan,
1069 			      struct l2cap_ctrl *control)
1070 {
1071 	struct sk_buff *skb;
1072 	u32 control_field;
1073 
1074 	BT_DBG("chan %p, control %p", chan, control);
1075 
1076 	if (!control->sframe)
1077 		return;
1078 
1079 	if (__chan_is_moving(chan))
1080 		return;
1081 
1082 	if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1083 	    !control->poll)
1084 		control->final = 1;
1085 
1086 	if (control->super == L2CAP_SUPER_RR)
1087 		clear_bit(CONN_RNR_SENT, &chan->conn_state);
1088 	else if (control->super == L2CAP_SUPER_RNR)
1089 		set_bit(CONN_RNR_SENT, &chan->conn_state);
1090 
1091 	if (control->super != L2CAP_SUPER_SREJ) {
1092 		chan->last_acked_seq = control->reqseq;
1093 		__clear_ack_timer(chan);
1094 	}
1095 
1096 	BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1097 	       control->final, control->poll, control->super);
1098 
1099 	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1100 		control_field = __pack_extended_control(control);
1101 	else
1102 		control_field = __pack_enhanced_control(control);
1103 
1104 	skb = l2cap_create_sframe_pdu(chan, control_field);
1105 	if (!IS_ERR(skb))
1106 		l2cap_do_send(chan, skb);
1107 }
1108 
1109 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1110 {
1111 	struct l2cap_ctrl control;
1112 
1113 	BT_DBG("chan %p, poll %d", chan, poll);
1114 
1115 	memset(&control, 0, sizeof(control));
1116 	control.sframe = 1;
1117 	control.poll = poll;
1118 
1119 	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1120 		control.super = L2CAP_SUPER_RNR;
1121 	else
1122 		control.super = L2CAP_SUPER_RR;
1123 
1124 	control.reqseq = chan->buffer_seq;
1125 	l2cap_send_sframe(chan, &control);
1126 }
1127 
1128 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1129 {
1130 	if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1131 		return true;
1132 
1133 	return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1134 }
1135 
1136 static bool __amp_capable(struct l2cap_chan *chan)
1137 {
1138 	struct l2cap_conn *conn = chan->conn;
1139 	struct hci_dev *hdev;
1140 	bool amp_available = false;
1141 
1142 	if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1143 		return false;
1144 
1145 	if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1146 		return false;
1147 
1148 	read_lock(&hci_dev_list_lock);
1149 	list_for_each_entry(hdev, &hci_dev_list, list) {
1150 		if (hdev->amp_type != AMP_TYPE_BREDR &&
1151 		    test_bit(HCI_UP, &hdev->flags)) {
1152 			amp_available = true;
1153 			break;
1154 		}
1155 	}
1156 	read_unlock(&hci_dev_list_lock);
1157 
1158 	if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1159 		return amp_available;
1160 
1161 	return false;
1162 }
1163 
1164 static bool l2cap_check_efs(struct l2cap_chan *chan)
1165 {
1166 	/* Check EFS parameters */
1167 	return true;
1168 }
1169 
1170 void l2cap_send_conn_req(struct l2cap_chan *chan)
1171 {
1172 	struct l2cap_conn *conn = chan->conn;
1173 	struct l2cap_conn_req req;
1174 
1175 	req.scid = cpu_to_le16(chan->scid);
1176 	req.psm  = chan->psm;
1177 
1178 	chan->ident = l2cap_get_ident(conn);
1179 
1180 	set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1181 
1182 	l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1183 }
1184 
1185 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1186 {
1187 	struct l2cap_create_chan_req req;
1188 	req.scid = cpu_to_le16(chan->scid);
1189 	req.psm  = chan->psm;
1190 	req.amp_id = amp_id;
1191 
1192 	chan->ident = l2cap_get_ident(chan->conn);
1193 
1194 	l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1195 		       sizeof(req), &req);
1196 }
1197 
1198 static void l2cap_move_setup(struct l2cap_chan *chan)
1199 {
1200 	struct sk_buff *skb;
1201 
1202 	BT_DBG("chan %p", chan);
1203 
1204 	if (chan->mode != L2CAP_MODE_ERTM)
1205 		return;
1206 
1207 	__clear_retrans_timer(chan);
1208 	__clear_monitor_timer(chan);
1209 	__clear_ack_timer(chan);
1210 
1211 	chan->retry_count = 0;
1212 	skb_queue_walk(&chan->tx_q, skb) {
1213 		if (bt_cb(skb)->l2cap.retries)
1214 			bt_cb(skb)->l2cap.retries = 1;
1215 		else
1216 			break;
1217 	}
1218 
1219 	chan->expected_tx_seq = chan->buffer_seq;
1220 
1221 	clear_bit(CONN_REJ_ACT, &chan->conn_state);
1222 	clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1223 	l2cap_seq_list_clear(&chan->retrans_list);
1224 	l2cap_seq_list_clear(&chan->srej_list);
1225 	skb_queue_purge(&chan->srej_q);
1226 
1227 	chan->tx_state = L2CAP_TX_STATE_XMIT;
1228 	chan->rx_state = L2CAP_RX_STATE_MOVE;
1229 
1230 	set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1231 }
1232 
1233 static void l2cap_move_done(struct l2cap_chan *chan)
1234 {
1235 	u8 move_role = chan->move_role;
1236 	BT_DBG("chan %p", chan);
1237 
1238 	chan->move_state = L2CAP_MOVE_STABLE;
1239 	chan->move_role = L2CAP_MOVE_ROLE_NONE;
1240 
1241 	if (chan->mode != L2CAP_MODE_ERTM)
1242 		return;
1243 
1244 	switch (move_role) {
1245 	case L2CAP_MOVE_ROLE_INITIATOR:
1246 		l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1247 		chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1248 		break;
1249 	case L2CAP_MOVE_ROLE_RESPONDER:
1250 		chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1251 		break;
1252 	}
1253 }
1254 
1255 static void l2cap_chan_ready(struct l2cap_chan *chan)
1256 {
1257 	/* The channel may have already been flagged as connected in
1258 	 * case of receiving data before the L2CAP info req/rsp
1259 	 * procedure is complete.
1260 	 */
1261 	if (chan->state == BT_CONNECTED)
1262 		return;
1263 
1264 	/* This clears all conf flags, including CONF_NOT_COMPLETE */
1265 	chan->conf_state = 0;
1266 	__clear_chan_timer(chan);
1267 
1268 	if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1269 		chan->ops->suspend(chan);
1270 
1271 	chan->state = BT_CONNECTED;
1272 
1273 	chan->ops->ready(chan);
1274 }
1275 
1276 static void l2cap_le_connect(struct l2cap_chan *chan)
1277 {
1278 	struct l2cap_conn *conn = chan->conn;
1279 	struct l2cap_le_conn_req req;
1280 
1281 	if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1282 		return;
1283 
1284 	l2cap_le_flowctl_init(chan);
1285 
1286 	req.psm     = chan->psm;
1287 	req.scid    = cpu_to_le16(chan->scid);
1288 	req.mtu     = cpu_to_le16(chan->imtu);
1289 	req.mps     = cpu_to_le16(chan->mps);
1290 	req.credits = cpu_to_le16(chan->rx_credits);
1291 
1292 	chan->ident = l2cap_get_ident(conn);
1293 
1294 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1295 		       sizeof(req), &req);
1296 }
1297 
1298 static void l2cap_le_start(struct l2cap_chan *chan)
1299 {
1300 	struct l2cap_conn *conn = chan->conn;
1301 
1302 	if (!smp_conn_security(conn->hcon, chan->sec_level))
1303 		return;
1304 
1305 	if (!chan->psm) {
1306 		l2cap_chan_ready(chan);
1307 		return;
1308 	}
1309 
1310 	if (chan->state == BT_CONNECT)
1311 		l2cap_le_connect(chan);
1312 }
1313 
1314 static void l2cap_start_connection(struct l2cap_chan *chan)
1315 {
1316 	if (__amp_capable(chan)) {
1317 		BT_DBG("chan %p AMP capable: discover AMPs", chan);
1318 		a2mp_discover_amp(chan);
1319 	} else if (chan->conn->hcon->type == LE_LINK) {
1320 		l2cap_le_start(chan);
1321 	} else {
1322 		l2cap_send_conn_req(chan);
1323 	}
1324 }
1325 
1326 static void l2cap_request_info(struct l2cap_conn *conn)
1327 {
1328 	struct l2cap_info_req req;
1329 
1330 	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1331 		return;
1332 
1333 	req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1334 
1335 	conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1336 	conn->info_ident = l2cap_get_ident(conn);
1337 
1338 	schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1339 
1340 	l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1341 		       sizeof(req), &req);
1342 }
1343 
1344 static void l2cap_do_start(struct l2cap_chan *chan)
1345 {
1346 	struct l2cap_conn *conn = chan->conn;
1347 
1348 	if (conn->hcon->type == LE_LINK) {
1349 		l2cap_le_start(chan);
1350 		return;
1351 	}
1352 
1353 	if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1354 		l2cap_request_info(conn);
1355 		return;
1356 	}
1357 
1358 	if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1359 		return;
1360 
1361 	if (l2cap_chan_check_security(chan, true) &&
1362 	    __l2cap_no_conn_pending(chan))
1363 		l2cap_start_connection(chan);
1364 }
1365 
1366 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1367 {
1368 	u32 local_feat_mask = l2cap_feat_mask;
1369 	if (!disable_ertm)
1370 		local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1371 
1372 	switch (mode) {
1373 	case L2CAP_MODE_ERTM:
1374 		return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1375 	case L2CAP_MODE_STREAMING:
1376 		return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1377 	default:
1378 		return 0x00;
1379 	}
1380 }
1381 
1382 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1383 {
1384 	struct l2cap_conn *conn = chan->conn;
1385 	struct l2cap_disconn_req req;
1386 
1387 	if (!conn)
1388 		return;
1389 
1390 	if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1391 		__clear_retrans_timer(chan);
1392 		__clear_monitor_timer(chan);
1393 		__clear_ack_timer(chan);
1394 	}
1395 
1396 	if (chan->scid == L2CAP_CID_A2MP) {
1397 		l2cap_state_change(chan, BT_DISCONN);
1398 		return;
1399 	}
1400 
1401 	req.dcid = cpu_to_le16(chan->dcid);
1402 	req.scid = cpu_to_le16(chan->scid);
1403 	l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1404 		       sizeof(req), &req);
1405 
1406 	l2cap_state_change_and_error(chan, BT_DISCONN, err);
1407 }
1408 
1409 /* ---- L2CAP connections ---- */
1410 static void l2cap_conn_start(struct l2cap_conn *conn)
1411 {
1412 	struct l2cap_chan *chan, *tmp;
1413 
1414 	BT_DBG("conn %p", conn);
1415 
1416 	mutex_lock(&conn->chan_lock);
1417 
1418 	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1419 		l2cap_chan_lock(chan);
1420 
1421 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1422 			l2cap_chan_ready(chan);
1423 			l2cap_chan_unlock(chan);
1424 			continue;
1425 		}
1426 
1427 		if (chan->state == BT_CONNECT) {
1428 			if (!l2cap_chan_check_security(chan, true) ||
1429 			    !__l2cap_no_conn_pending(chan)) {
1430 				l2cap_chan_unlock(chan);
1431 				continue;
1432 			}
1433 
1434 			if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1435 			    && test_bit(CONF_STATE2_DEVICE,
1436 					&chan->conf_state)) {
1437 				l2cap_chan_close(chan, ECONNRESET);
1438 				l2cap_chan_unlock(chan);
1439 				continue;
1440 			}
1441 
1442 			l2cap_start_connection(chan);
1443 
1444 		} else if (chan->state == BT_CONNECT2) {
1445 			struct l2cap_conn_rsp rsp;
1446 			char buf[128];
1447 			rsp.scid = cpu_to_le16(chan->dcid);
1448 			rsp.dcid = cpu_to_le16(chan->scid);
1449 
1450 			if (l2cap_chan_check_security(chan, false)) {
1451 				if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1452 					rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1453 					rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1454 					chan->ops->defer(chan);
1455 
1456 				} else {
1457 					l2cap_state_change(chan, BT_CONFIG);
1458 					rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1459 					rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1460 				}
1461 			} else {
1462 				rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1463 				rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1464 			}
1465 
1466 			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1467 				       sizeof(rsp), &rsp);
1468 
1469 			if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1470 			    rsp.result != L2CAP_CR_SUCCESS) {
1471 				l2cap_chan_unlock(chan);
1472 				continue;
1473 			}
1474 
1475 			set_bit(CONF_REQ_SENT, &chan->conf_state);
1476 			l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1477 				       l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1478 			chan->num_conf_req++;
1479 		}
1480 
1481 		l2cap_chan_unlock(chan);
1482 	}
1483 
1484 	mutex_unlock(&conn->chan_lock);
1485 }
1486 
1487 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1488 {
1489 	struct hci_conn *hcon = conn->hcon;
1490 	struct hci_dev *hdev = hcon->hdev;
1491 
1492 	BT_DBG("%s conn %p", hdev->name, conn);
1493 
1494 	/* For outgoing pairing which doesn't necessarily have an
1495 	 * associated socket (e.g. mgmt_pair_device).
1496 	 */
1497 	if (hcon->out)
1498 		smp_conn_security(hcon, hcon->pending_sec_level);
1499 
1500 	/* For LE slave connections, make sure the connection interval
1501 	 * is in the range of the minium and maximum interval that has
1502 	 * been configured for this connection. If not, then trigger
1503 	 * the connection update procedure.
1504 	 */
1505 	if (hcon->role == HCI_ROLE_SLAVE &&
1506 	    (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1507 	     hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1508 		struct l2cap_conn_param_update_req req;
1509 
1510 		req.min = cpu_to_le16(hcon->le_conn_min_interval);
1511 		req.max = cpu_to_le16(hcon->le_conn_max_interval);
1512 		req.latency = cpu_to_le16(hcon->le_conn_latency);
1513 		req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1514 
1515 		l2cap_send_cmd(conn, l2cap_get_ident(conn),
1516 			       L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1517 	}
1518 }
1519 
1520 static void l2cap_conn_ready(struct l2cap_conn *conn)
1521 {
1522 	struct l2cap_chan *chan;
1523 	struct hci_conn *hcon = conn->hcon;
1524 
1525 	BT_DBG("conn %p", conn);
1526 
1527 	if (hcon->type == ACL_LINK)
1528 		l2cap_request_info(conn);
1529 
1530 	mutex_lock(&conn->chan_lock);
1531 
1532 	list_for_each_entry(chan, &conn->chan_l, list) {
1533 
1534 		l2cap_chan_lock(chan);
1535 
1536 		if (chan->scid == L2CAP_CID_A2MP) {
1537 			l2cap_chan_unlock(chan);
1538 			continue;
1539 		}
1540 
1541 		if (hcon->type == LE_LINK) {
1542 			l2cap_le_start(chan);
1543 		} else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1544 			if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1545 				l2cap_chan_ready(chan);
1546 		} else if (chan->state == BT_CONNECT) {
1547 			l2cap_do_start(chan);
1548 		}
1549 
1550 		l2cap_chan_unlock(chan);
1551 	}
1552 
1553 	mutex_unlock(&conn->chan_lock);
1554 
1555 	if (hcon->type == LE_LINK)
1556 		l2cap_le_conn_ready(conn);
1557 
1558 	queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1559 }
1560 
1561 /* Notify sockets that we cannot guaranty reliability anymore */
1562 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1563 {
1564 	struct l2cap_chan *chan;
1565 
1566 	BT_DBG("conn %p", conn);
1567 
1568 	mutex_lock(&conn->chan_lock);
1569 
1570 	list_for_each_entry(chan, &conn->chan_l, list) {
1571 		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1572 			l2cap_chan_set_err(chan, err);
1573 	}
1574 
1575 	mutex_unlock(&conn->chan_lock);
1576 }
1577 
1578 static void l2cap_info_timeout(struct work_struct *work)
1579 {
1580 	struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1581 					       info_timer.work);
1582 
1583 	conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1584 	conn->info_ident = 0;
1585 
1586 	l2cap_conn_start(conn);
1587 }
1588 
1589 /*
1590  * l2cap_user
1591  * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1592  * callback is called during registration. The ->remove callback is called
1593  * during unregistration.
1594  * An l2cap_user object can either be explicitly unregistered or when the
1595  * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1596  * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1597  * External modules must own a reference to the l2cap_conn object if they intend
1598  * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1599  * any time if they don't.
1600  */
1601 
1602 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1603 {
1604 	struct hci_dev *hdev = conn->hcon->hdev;
1605 	int ret;
1606 
1607 	/* We need to check whether l2cap_conn is registered. If it is not, we
1608 	 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1609 	 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1610 	 * relies on the parent hci_conn object to be locked. This itself relies
1611 	 * on the hci_dev object to be locked. So we must lock the hci device
1612 	 * here, too. */
1613 
1614 	hci_dev_lock(hdev);
1615 
1616 	if (!list_empty(&user->list)) {
1617 		ret = -EINVAL;
1618 		goto out_unlock;
1619 	}
1620 
1621 	/* conn->hchan is NULL after l2cap_conn_del() was called */
1622 	if (!conn->hchan) {
1623 		ret = -ENODEV;
1624 		goto out_unlock;
1625 	}
1626 
1627 	ret = user->probe(conn, user);
1628 	if (ret)
1629 		goto out_unlock;
1630 
1631 	list_add(&user->list, &conn->users);
1632 	ret = 0;
1633 
1634 out_unlock:
1635 	hci_dev_unlock(hdev);
1636 	return ret;
1637 }
1638 EXPORT_SYMBOL(l2cap_register_user);
1639 
1640 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1641 {
1642 	struct hci_dev *hdev = conn->hcon->hdev;
1643 
1644 	hci_dev_lock(hdev);
1645 
1646 	if (list_empty(&user->list))
1647 		goto out_unlock;
1648 
1649 	list_del_init(&user->list);
1650 	user->remove(conn, user);
1651 
1652 out_unlock:
1653 	hci_dev_unlock(hdev);
1654 }
1655 EXPORT_SYMBOL(l2cap_unregister_user);
1656 
1657 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1658 {
1659 	struct l2cap_user *user;
1660 
1661 	while (!list_empty(&conn->users)) {
1662 		user = list_first_entry(&conn->users, struct l2cap_user, list);
1663 		list_del_init(&user->list);
1664 		user->remove(conn, user);
1665 	}
1666 }
1667 
1668 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1669 {
1670 	struct l2cap_conn *conn = hcon->l2cap_data;
1671 	struct l2cap_chan *chan, *l;
1672 
1673 	if (!conn)
1674 		return;
1675 
1676 	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1677 
1678 	kfree_skb(conn->rx_skb);
1679 
1680 	skb_queue_purge(&conn->pending_rx);
1681 
1682 	/* We can not call flush_work(&conn->pending_rx_work) here since we
1683 	 * might block if we are running on a worker from the same workqueue
1684 	 * pending_rx_work is waiting on.
1685 	 */
1686 	if (work_pending(&conn->pending_rx_work))
1687 		cancel_work_sync(&conn->pending_rx_work);
1688 
1689 	if (work_pending(&conn->id_addr_update_work))
1690 		cancel_work_sync(&conn->id_addr_update_work);
1691 
1692 	l2cap_unregister_all_users(conn);
1693 
1694 	/* Force the connection to be immediately dropped */
1695 	hcon->disc_timeout = 0;
1696 
1697 	mutex_lock(&conn->chan_lock);
1698 
1699 	/* Kill channels */
1700 	list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1701 		l2cap_chan_hold(chan);
1702 		l2cap_chan_lock(chan);
1703 
1704 		l2cap_chan_del(chan, err);
1705 
1706 		l2cap_chan_unlock(chan);
1707 
1708 		chan->ops->close(chan);
1709 		l2cap_chan_put(chan);
1710 	}
1711 
1712 	mutex_unlock(&conn->chan_lock);
1713 
1714 	hci_chan_del(conn->hchan);
1715 
1716 	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1717 		cancel_delayed_work_sync(&conn->info_timer);
1718 
1719 	hcon->l2cap_data = NULL;
1720 	conn->hchan = NULL;
1721 	l2cap_conn_put(conn);
1722 }
1723 
1724 static void l2cap_conn_free(struct kref *ref)
1725 {
1726 	struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1727 
1728 	hci_conn_put(conn->hcon);
1729 	kfree(conn);
1730 }
1731 
1732 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1733 {
1734 	kref_get(&conn->ref);
1735 	return conn;
1736 }
1737 EXPORT_SYMBOL(l2cap_conn_get);
1738 
1739 void l2cap_conn_put(struct l2cap_conn *conn)
1740 {
1741 	kref_put(&conn->ref, l2cap_conn_free);
1742 }
1743 EXPORT_SYMBOL(l2cap_conn_put);
1744 
1745 /* ---- Socket interface ---- */
1746 
1747 /* Find socket with psm and source / destination bdaddr.
1748  * Returns closest match.
1749  */
1750 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1751 						   bdaddr_t *src,
1752 						   bdaddr_t *dst,
1753 						   u8 link_type)
1754 {
1755 	struct l2cap_chan *c, *c1 = NULL;
1756 
1757 	read_lock(&chan_list_lock);
1758 
1759 	list_for_each_entry(c, &chan_list, global_l) {
1760 		if (state && c->state != state)
1761 			continue;
1762 
1763 		if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1764 			continue;
1765 
1766 		if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1767 			continue;
1768 
1769 		if (c->psm == psm) {
1770 			int src_match, dst_match;
1771 			int src_any, dst_any;
1772 
1773 			/* Exact match. */
1774 			src_match = !bacmp(&c->src, src);
1775 			dst_match = !bacmp(&c->dst, dst);
1776 			if (src_match && dst_match) {
1777 				l2cap_chan_hold(c);
1778 				read_unlock(&chan_list_lock);
1779 				return c;
1780 			}
1781 
1782 			/* Closest match */
1783 			src_any = !bacmp(&c->src, BDADDR_ANY);
1784 			dst_any = !bacmp(&c->dst, BDADDR_ANY);
1785 			if ((src_match && dst_any) || (src_any && dst_match) ||
1786 			    (src_any && dst_any))
1787 				c1 = c;
1788 		}
1789 	}
1790 
1791 	if (c1)
1792 		l2cap_chan_hold(c1);
1793 
1794 	read_unlock(&chan_list_lock);
1795 
1796 	return c1;
1797 }
1798 
1799 static void l2cap_monitor_timeout(struct work_struct *work)
1800 {
1801 	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1802 					       monitor_timer.work);
1803 
1804 	BT_DBG("chan %p", chan);
1805 
1806 	l2cap_chan_lock(chan);
1807 
1808 	if (!chan->conn) {
1809 		l2cap_chan_unlock(chan);
1810 		l2cap_chan_put(chan);
1811 		return;
1812 	}
1813 
1814 	l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1815 
1816 	l2cap_chan_unlock(chan);
1817 	l2cap_chan_put(chan);
1818 }
1819 
1820 static void l2cap_retrans_timeout(struct work_struct *work)
1821 {
1822 	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1823 					       retrans_timer.work);
1824 
1825 	BT_DBG("chan %p", chan);
1826 
1827 	l2cap_chan_lock(chan);
1828 
1829 	if (!chan->conn) {
1830 		l2cap_chan_unlock(chan);
1831 		l2cap_chan_put(chan);
1832 		return;
1833 	}
1834 
1835 	l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1836 	l2cap_chan_unlock(chan);
1837 	l2cap_chan_put(chan);
1838 }
1839 
1840 static void l2cap_streaming_send(struct l2cap_chan *chan,
1841 				 struct sk_buff_head *skbs)
1842 {
1843 	struct sk_buff *skb;
1844 	struct l2cap_ctrl *control;
1845 
1846 	BT_DBG("chan %p, skbs %p", chan, skbs);
1847 
1848 	if (__chan_is_moving(chan))
1849 		return;
1850 
1851 	skb_queue_splice_tail_init(skbs, &chan->tx_q);
1852 
1853 	while (!skb_queue_empty(&chan->tx_q)) {
1854 
1855 		skb = skb_dequeue(&chan->tx_q);
1856 
1857 		bt_cb(skb)->l2cap.retries = 1;
1858 		control = &bt_cb(skb)->l2cap;
1859 
1860 		control->reqseq = 0;
1861 		control->txseq = chan->next_tx_seq;
1862 
1863 		__pack_control(chan, control, skb);
1864 
1865 		if (chan->fcs == L2CAP_FCS_CRC16) {
1866 			u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1867 			put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1868 		}
1869 
1870 		l2cap_do_send(chan, skb);
1871 
1872 		BT_DBG("Sent txseq %u", control->txseq);
1873 
1874 		chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1875 		chan->frames_sent++;
1876 	}
1877 }
1878 
1879 static int l2cap_ertm_send(struct l2cap_chan *chan)
1880 {
1881 	struct sk_buff *skb, *tx_skb;
1882 	struct l2cap_ctrl *control;
1883 	int sent = 0;
1884 
1885 	BT_DBG("chan %p", chan);
1886 
1887 	if (chan->state != BT_CONNECTED)
1888 		return -ENOTCONN;
1889 
1890 	if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1891 		return 0;
1892 
1893 	if (__chan_is_moving(chan))
1894 		return 0;
1895 
1896 	while (chan->tx_send_head &&
1897 	       chan->unacked_frames < chan->remote_tx_win &&
1898 	       chan->tx_state == L2CAP_TX_STATE_XMIT) {
1899 
1900 		skb = chan->tx_send_head;
1901 
1902 		bt_cb(skb)->l2cap.retries = 1;
1903 		control = &bt_cb(skb)->l2cap;
1904 
1905 		if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1906 			control->final = 1;
1907 
1908 		control->reqseq = chan->buffer_seq;
1909 		chan->last_acked_seq = chan->buffer_seq;
1910 		control->txseq = chan->next_tx_seq;
1911 
1912 		__pack_control(chan, control, skb);
1913 
1914 		if (chan->fcs == L2CAP_FCS_CRC16) {
1915 			u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1916 			put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1917 		}
1918 
1919 		/* Clone after data has been modified. Data is assumed to be
1920 		   read-only (for locking purposes) on cloned sk_buffs.
1921 		 */
1922 		tx_skb = skb_clone(skb, GFP_KERNEL);
1923 
1924 		if (!tx_skb)
1925 			break;
1926 
1927 		__set_retrans_timer(chan);
1928 
1929 		chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1930 		chan->unacked_frames++;
1931 		chan->frames_sent++;
1932 		sent++;
1933 
1934 		if (skb_queue_is_last(&chan->tx_q, skb))
1935 			chan->tx_send_head = NULL;
1936 		else
1937 			chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1938 
1939 		l2cap_do_send(chan, tx_skb);
1940 		BT_DBG("Sent txseq %u", control->txseq);
1941 	}
1942 
1943 	BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1944 	       chan->unacked_frames, skb_queue_len(&chan->tx_q));
1945 
1946 	return sent;
1947 }
1948 
1949 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1950 {
1951 	struct l2cap_ctrl control;
1952 	struct sk_buff *skb;
1953 	struct sk_buff *tx_skb;
1954 	u16 seq;
1955 
1956 	BT_DBG("chan %p", chan);
1957 
1958 	if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1959 		return;
1960 
1961 	if (__chan_is_moving(chan))
1962 		return;
1963 
1964 	while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1965 		seq = l2cap_seq_list_pop(&chan->retrans_list);
1966 
1967 		skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1968 		if (!skb) {
1969 			BT_DBG("Error: Can't retransmit seq %d, frame missing",
1970 			       seq);
1971 			continue;
1972 		}
1973 
1974 		bt_cb(skb)->l2cap.retries++;
1975 		control = bt_cb(skb)->l2cap;
1976 
1977 		if (chan->max_tx != 0 &&
1978 		    bt_cb(skb)->l2cap.retries > chan->max_tx) {
1979 			BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1980 			l2cap_send_disconn_req(chan, ECONNRESET);
1981 			l2cap_seq_list_clear(&chan->retrans_list);
1982 			break;
1983 		}
1984 
1985 		control.reqseq = chan->buffer_seq;
1986 		if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1987 			control.final = 1;
1988 		else
1989 			control.final = 0;
1990 
1991 		if (skb_cloned(skb)) {
1992 			/* Cloned sk_buffs are read-only, so we need a
1993 			 * writeable copy
1994 			 */
1995 			tx_skb = skb_copy(skb, GFP_KERNEL);
1996 		} else {
1997 			tx_skb = skb_clone(skb, GFP_KERNEL);
1998 		}
1999 
2000 		if (!tx_skb) {
2001 			l2cap_seq_list_clear(&chan->retrans_list);
2002 			break;
2003 		}
2004 
2005 		/* Update skb contents */
2006 		if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2007 			put_unaligned_le32(__pack_extended_control(&control),
2008 					   tx_skb->data + L2CAP_HDR_SIZE);
2009 		} else {
2010 			put_unaligned_le16(__pack_enhanced_control(&control),
2011 					   tx_skb->data + L2CAP_HDR_SIZE);
2012 		}
2013 
2014 		/* Update FCS */
2015 		if (chan->fcs == L2CAP_FCS_CRC16) {
2016 			u16 fcs = crc16(0, (u8 *) tx_skb->data,
2017 					tx_skb->len - L2CAP_FCS_SIZE);
2018 			put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2019 						L2CAP_FCS_SIZE);
2020 		}
2021 
2022 		l2cap_do_send(chan, tx_skb);
2023 
2024 		BT_DBG("Resent txseq %d", control.txseq);
2025 
2026 		chan->last_acked_seq = chan->buffer_seq;
2027 	}
2028 }
2029 
2030 static void l2cap_retransmit(struct l2cap_chan *chan,
2031 			     struct l2cap_ctrl *control)
2032 {
2033 	BT_DBG("chan %p, control %p", chan, control);
2034 
2035 	l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2036 	l2cap_ertm_resend(chan);
2037 }
2038 
2039 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2040 				 struct l2cap_ctrl *control)
2041 {
2042 	struct sk_buff *skb;
2043 
2044 	BT_DBG("chan %p, control %p", chan, control);
2045 
2046 	if (control->poll)
2047 		set_bit(CONN_SEND_FBIT, &chan->conn_state);
2048 
2049 	l2cap_seq_list_clear(&chan->retrans_list);
2050 
2051 	if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2052 		return;
2053 
2054 	if (chan->unacked_frames) {
2055 		skb_queue_walk(&chan->tx_q, skb) {
2056 			if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2057 			    skb == chan->tx_send_head)
2058 				break;
2059 		}
2060 
2061 		skb_queue_walk_from(&chan->tx_q, skb) {
2062 			if (skb == chan->tx_send_head)
2063 				break;
2064 
2065 			l2cap_seq_list_append(&chan->retrans_list,
2066 					      bt_cb(skb)->l2cap.txseq);
2067 		}
2068 
2069 		l2cap_ertm_resend(chan);
2070 	}
2071 }
2072 
2073 static void l2cap_send_ack(struct l2cap_chan *chan)
2074 {
2075 	struct l2cap_ctrl control;
2076 	u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2077 					 chan->last_acked_seq);
2078 	int threshold;
2079 
2080 	BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2081 	       chan, chan->last_acked_seq, chan->buffer_seq);
2082 
2083 	memset(&control, 0, sizeof(control));
2084 	control.sframe = 1;
2085 
2086 	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2087 	    chan->rx_state == L2CAP_RX_STATE_RECV) {
2088 		__clear_ack_timer(chan);
2089 		control.super = L2CAP_SUPER_RNR;
2090 		control.reqseq = chan->buffer_seq;
2091 		l2cap_send_sframe(chan, &control);
2092 	} else {
2093 		if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2094 			l2cap_ertm_send(chan);
2095 			/* If any i-frames were sent, they included an ack */
2096 			if (chan->buffer_seq == chan->last_acked_seq)
2097 				frames_to_ack = 0;
2098 		}
2099 
2100 		/* Ack now if the window is 3/4ths full.
2101 		 * Calculate without mul or div
2102 		 */
2103 		threshold = chan->ack_win;
2104 		threshold += threshold << 1;
2105 		threshold >>= 2;
2106 
2107 		BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2108 		       threshold);
2109 
2110 		if (frames_to_ack >= threshold) {
2111 			__clear_ack_timer(chan);
2112 			control.super = L2CAP_SUPER_RR;
2113 			control.reqseq = chan->buffer_seq;
2114 			l2cap_send_sframe(chan, &control);
2115 			frames_to_ack = 0;
2116 		}
2117 
2118 		if (frames_to_ack)
2119 			__set_ack_timer(chan);
2120 	}
2121 }
2122 
2123 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2124 					 struct msghdr *msg, int len,
2125 					 int count, struct sk_buff *skb)
2126 {
2127 	struct l2cap_conn *conn = chan->conn;
2128 	struct sk_buff **frag;
2129 	int sent = 0;
2130 
2131 	if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2132 		return -EFAULT;
2133 
2134 	sent += count;
2135 	len  -= count;
2136 
2137 	/* Continuation fragments (no L2CAP header) */
2138 	frag = &skb_shinfo(skb)->frag_list;
2139 	while (len) {
2140 		struct sk_buff *tmp;
2141 
2142 		count = min_t(unsigned int, conn->mtu, len);
2143 
2144 		tmp = chan->ops->alloc_skb(chan, 0, count,
2145 					   msg->msg_flags & MSG_DONTWAIT);
2146 		if (IS_ERR(tmp))
2147 			return PTR_ERR(tmp);
2148 
2149 		*frag = tmp;
2150 
2151 		if (!copy_from_iter_full(skb_put(*frag, count), count,
2152 				   &msg->msg_iter))
2153 			return -EFAULT;
2154 
2155 		sent += count;
2156 		len  -= count;
2157 
2158 		skb->len += (*frag)->len;
2159 		skb->data_len += (*frag)->len;
2160 
2161 		frag = &(*frag)->next;
2162 	}
2163 
2164 	return sent;
2165 }
2166 
2167 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2168 						 struct msghdr *msg, size_t len)
2169 {
2170 	struct l2cap_conn *conn = chan->conn;
2171 	struct sk_buff *skb;
2172 	int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2173 	struct l2cap_hdr *lh;
2174 
2175 	BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2176 	       __le16_to_cpu(chan->psm), len);
2177 
2178 	count = min_t(unsigned int, (conn->mtu - hlen), len);
2179 
2180 	skb = chan->ops->alloc_skb(chan, hlen, count,
2181 				   msg->msg_flags & MSG_DONTWAIT);
2182 	if (IS_ERR(skb))
2183 		return skb;
2184 
2185 	/* Create L2CAP header */
2186 	lh = skb_put(skb, L2CAP_HDR_SIZE);
2187 	lh->cid = cpu_to_le16(chan->dcid);
2188 	lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2189 	put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2190 
2191 	err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2192 	if (unlikely(err < 0)) {
2193 		kfree_skb(skb);
2194 		return ERR_PTR(err);
2195 	}
2196 	return skb;
2197 }
2198 
2199 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2200 					      struct msghdr *msg, size_t len)
2201 {
2202 	struct l2cap_conn *conn = chan->conn;
2203 	struct sk_buff *skb;
2204 	int err, count;
2205 	struct l2cap_hdr *lh;
2206 
2207 	BT_DBG("chan %p len %zu", chan, len);
2208 
2209 	count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2210 
2211 	skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2212 				   msg->msg_flags & MSG_DONTWAIT);
2213 	if (IS_ERR(skb))
2214 		return skb;
2215 
2216 	/* Create L2CAP header */
2217 	lh = skb_put(skb, L2CAP_HDR_SIZE);
2218 	lh->cid = cpu_to_le16(chan->dcid);
2219 	lh->len = cpu_to_le16(len);
2220 
2221 	err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2222 	if (unlikely(err < 0)) {
2223 		kfree_skb(skb);
2224 		return ERR_PTR(err);
2225 	}
2226 	return skb;
2227 }
2228 
2229 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2230 					       struct msghdr *msg, size_t len,
2231 					       u16 sdulen)
2232 {
2233 	struct l2cap_conn *conn = chan->conn;
2234 	struct sk_buff *skb;
2235 	int err, count, hlen;
2236 	struct l2cap_hdr *lh;
2237 
2238 	BT_DBG("chan %p len %zu", chan, len);
2239 
2240 	if (!conn)
2241 		return ERR_PTR(-ENOTCONN);
2242 
2243 	hlen = __ertm_hdr_size(chan);
2244 
2245 	if (sdulen)
2246 		hlen += L2CAP_SDULEN_SIZE;
2247 
2248 	if (chan->fcs == L2CAP_FCS_CRC16)
2249 		hlen += L2CAP_FCS_SIZE;
2250 
2251 	count = min_t(unsigned int, (conn->mtu - hlen), len);
2252 
2253 	skb = chan->ops->alloc_skb(chan, hlen, count,
2254 				   msg->msg_flags & MSG_DONTWAIT);
2255 	if (IS_ERR(skb))
2256 		return skb;
2257 
2258 	/* Create L2CAP header */
2259 	lh = skb_put(skb, L2CAP_HDR_SIZE);
2260 	lh->cid = cpu_to_le16(chan->dcid);
2261 	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2262 
2263 	/* Control header is populated later */
2264 	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2265 		put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2266 	else
2267 		put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2268 
2269 	if (sdulen)
2270 		put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2271 
2272 	err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2273 	if (unlikely(err < 0)) {
2274 		kfree_skb(skb);
2275 		return ERR_PTR(err);
2276 	}
2277 
2278 	bt_cb(skb)->l2cap.fcs = chan->fcs;
2279 	bt_cb(skb)->l2cap.retries = 0;
2280 	return skb;
2281 }
2282 
2283 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2284 			     struct sk_buff_head *seg_queue,
2285 			     struct msghdr *msg, size_t len)
2286 {
2287 	struct sk_buff *skb;
2288 	u16 sdu_len;
2289 	size_t pdu_len;
2290 	u8 sar;
2291 
2292 	BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2293 
2294 	/* It is critical that ERTM PDUs fit in a single HCI fragment,
2295 	 * so fragmented skbs are not used.  The HCI layer's handling
2296 	 * of fragmented skbs is not compatible with ERTM's queueing.
2297 	 */
2298 
2299 	/* PDU size is derived from the HCI MTU */
2300 	pdu_len = chan->conn->mtu;
2301 
2302 	/* Constrain PDU size for BR/EDR connections */
2303 	if (!chan->hs_hcon)
2304 		pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2305 
2306 	/* Adjust for largest possible L2CAP overhead. */
2307 	if (chan->fcs)
2308 		pdu_len -= L2CAP_FCS_SIZE;
2309 
2310 	pdu_len -= __ertm_hdr_size(chan);
2311 
2312 	/* Remote device may have requested smaller PDUs */
2313 	pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2314 
2315 	if (len <= pdu_len) {
2316 		sar = L2CAP_SAR_UNSEGMENTED;
2317 		sdu_len = 0;
2318 		pdu_len = len;
2319 	} else {
2320 		sar = L2CAP_SAR_START;
2321 		sdu_len = len;
2322 	}
2323 
2324 	while (len > 0) {
2325 		skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2326 
2327 		if (IS_ERR(skb)) {
2328 			__skb_queue_purge(seg_queue);
2329 			return PTR_ERR(skb);
2330 		}
2331 
2332 		bt_cb(skb)->l2cap.sar = sar;
2333 		__skb_queue_tail(seg_queue, skb);
2334 
2335 		len -= pdu_len;
2336 		if (sdu_len)
2337 			sdu_len = 0;
2338 
2339 		if (len <= pdu_len) {
2340 			sar = L2CAP_SAR_END;
2341 			pdu_len = len;
2342 		} else {
2343 			sar = L2CAP_SAR_CONTINUE;
2344 		}
2345 	}
2346 
2347 	return 0;
2348 }
2349 
2350 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2351 						   struct msghdr *msg,
2352 						   size_t len, u16 sdulen)
2353 {
2354 	struct l2cap_conn *conn = chan->conn;
2355 	struct sk_buff *skb;
2356 	int err, count, hlen;
2357 	struct l2cap_hdr *lh;
2358 
2359 	BT_DBG("chan %p len %zu", chan, len);
2360 
2361 	if (!conn)
2362 		return ERR_PTR(-ENOTCONN);
2363 
2364 	hlen = L2CAP_HDR_SIZE;
2365 
2366 	if (sdulen)
2367 		hlen += L2CAP_SDULEN_SIZE;
2368 
2369 	count = min_t(unsigned int, (conn->mtu - hlen), len);
2370 
2371 	skb = chan->ops->alloc_skb(chan, hlen, count,
2372 				   msg->msg_flags & MSG_DONTWAIT);
2373 	if (IS_ERR(skb))
2374 		return skb;
2375 
2376 	/* Create L2CAP header */
2377 	lh = skb_put(skb, L2CAP_HDR_SIZE);
2378 	lh->cid = cpu_to_le16(chan->dcid);
2379 	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2380 
2381 	if (sdulen)
2382 		put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2383 
2384 	err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2385 	if (unlikely(err < 0)) {
2386 		kfree_skb(skb);
2387 		return ERR_PTR(err);
2388 	}
2389 
2390 	return skb;
2391 }
2392 
2393 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2394 				struct sk_buff_head *seg_queue,
2395 				struct msghdr *msg, size_t len)
2396 {
2397 	struct sk_buff *skb;
2398 	size_t pdu_len;
2399 	u16 sdu_len;
2400 
2401 	BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2402 
2403 	sdu_len = len;
2404 	pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2405 
2406 	while (len > 0) {
2407 		if (len <= pdu_len)
2408 			pdu_len = len;
2409 
2410 		skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2411 		if (IS_ERR(skb)) {
2412 			__skb_queue_purge(seg_queue);
2413 			return PTR_ERR(skb);
2414 		}
2415 
2416 		__skb_queue_tail(seg_queue, skb);
2417 
2418 		len -= pdu_len;
2419 
2420 		if (sdu_len) {
2421 			sdu_len = 0;
2422 			pdu_len += L2CAP_SDULEN_SIZE;
2423 		}
2424 	}
2425 
2426 	return 0;
2427 }
2428 
2429 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2430 {
2431 	int sent = 0;
2432 
2433 	BT_DBG("chan %p", chan);
2434 
2435 	while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2436 		l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2437 		chan->tx_credits--;
2438 		sent++;
2439 	}
2440 
2441 	BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2442 	       skb_queue_len(&chan->tx_q));
2443 }
2444 
2445 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2446 {
2447 	struct sk_buff *skb;
2448 	int err;
2449 	struct sk_buff_head seg_queue;
2450 
2451 	if (!chan->conn)
2452 		return -ENOTCONN;
2453 
2454 	/* Connectionless channel */
2455 	if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2456 		skb = l2cap_create_connless_pdu(chan, msg, len);
2457 		if (IS_ERR(skb))
2458 			return PTR_ERR(skb);
2459 
2460 		/* Channel lock is released before requesting new skb and then
2461 		 * reacquired thus we need to recheck channel state.
2462 		 */
2463 		if (chan->state != BT_CONNECTED) {
2464 			kfree_skb(skb);
2465 			return -ENOTCONN;
2466 		}
2467 
2468 		l2cap_do_send(chan, skb);
2469 		return len;
2470 	}
2471 
2472 	switch (chan->mode) {
2473 	case L2CAP_MODE_LE_FLOWCTL:
2474 		/* Check outgoing MTU */
2475 		if (len > chan->omtu)
2476 			return -EMSGSIZE;
2477 
2478 		__skb_queue_head_init(&seg_queue);
2479 
2480 		err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2481 
2482 		if (chan->state != BT_CONNECTED) {
2483 			__skb_queue_purge(&seg_queue);
2484 			err = -ENOTCONN;
2485 		}
2486 
2487 		if (err)
2488 			return err;
2489 
2490 		skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2491 
2492 		l2cap_le_flowctl_send(chan);
2493 
2494 		if (!chan->tx_credits)
2495 			chan->ops->suspend(chan);
2496 
2497 		err = len;
2498 
2499 		break;
2500 
2501 	case L2CAP_MODE_BASIC:
2502 		/* Check outgoing MTU */
2503 		if (len > chan->omtu)
2504 			return -EMSGSIZE;
2505 
2506 		/* Create a basic PDU */
2507 		skb = l2cap_create_basic_pdu(chan, msg, len);
2508 		if (IS_ERR(skb))
2509 			return PTR_ERR(skb);
2510 
2511 		/* Channel lock is released before requesting new skb and then
2512 		 * reacquired thus we need to recheck channel state.
2513 		 */
2514 		if (chan->state != BT_CONNECTED) {
2515 			kfree_skb(skb);
2516 			return -ENOTCONN;
2517 		}
2518 
2519 		l2cap_do_send(chan, skb);
2520 		err = len;
2521 		break;
2522 
2523 	case L2CAP_MODE_ERTM:
2524 	case L2CAP_MODE_STREAMING:
2525 		/* Check outgoing MTU */
2526 		if (len > chan->omtu) {
2527 			err = -EMSGSIZE;
2528 			break;
2529 		}
2530 
2531 		__skb_queue_head_init(&seg_queue);
2532 
2533 		/* Do segmentation before calling in to the state machine,
2534 		 * since it's possible to block while waiting for memory
2535 		 * allocation.
2536 		 */
2537 		err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2538 
2539 		/* The channel could have been closed while segmenting,
2540 		 * check that it is still connected.
2541 		 */
2542 		if (chan->state != BT_CONNECTED) {
2543 			__skb_queue_purge(&seg_queue);
2544 			err = -ENOTCONN;
2545 		}
2546 
2547 		if (err)
2548 			break;
2549 
2550 		if (chan->mode == L2CAP_MODE_ERTM)
2551 			l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2552 		else
2553 			l2cap_streaming_send(chan, &seg_queue);
2554 
2555 		err = len;
2556 
2557 		/* If the skbs were not queued for sending, they'll still be in
2558 		 * seg_queue and need to be purged.
2559 		 */
2560 		__skb_queue_purge(&seg_queue);
2561 		break;
2562 
2563 	default:
2564 		BT_DBG("bad state %1.1x", chan->mode);
2565 		err = -EBADFD;
2566 	}
2567 
2568 	return err;
2569 }
2570 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2571 
2572 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2573 {
2574 	struct l2cap_ctrl control;
2575 	u16 seq;
2576 
2577 	BT_DBG("chan %p, txseq %u", chan, txseq);
2578 
2579 	memset(&control, 0, sizeof(control));
2580 	control.sframe = 1;
2581 	control.super = L2CAP_SUPER_SREJ;
2582 
2583 	for (seq = chan->expected_tx_seq; seq != txseq;
2584 	     seq = __next_seq(chan, seq)) {
2585 		if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2586 			control.reqseq = seq;
2587 			l2cap_send_sframe(chan, &control);
2588 			l2cap_seq_list_append(&chan->srej_list, seq);
2589 		}
2590 	}
2591 
2592 	chan->expected_tx_seq = __next_seq(chan, txseq);
2593 }
2594 
2595 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2596 {
2597 	struct l2cap_ctrl control;
2598 
2599 	BT_DBG("chan %p", chan);
2600 
2601 	if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2602 		return;
2603 
2604 	memset(&control, 0, sizeof(control));
2605 	control.sframe = 1;
2606 	control.super = L2CAP_SUPER_SREJ;
2607 	control.reqseq = chan->srej_list.tail;
2608 	l2cap_send_sframe(chan, &control);
2609 }
2610 
2611 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2612 {
2613 	struct l2cap_ctrl control;
2614 	u16 initial_head;
2615 	u16 seq;
2616 
2617 	BT_DBG("chan %p, txseq %u", chan, txseq);
2618 
2619 	memset(&control, 0, sizeof(control));
2620 	control.sframe = 1;
2621 	control.super = L2CAP_SUPER_SREJ;
2622 
2623 	/* Capture initial list head to allow only one pass through the list. */
2624 	initial_head = chan->srej_list.head;
2625 
2626 	do {
2627 		seq = l2cap_seq_list_pop(&chan->srej_list);
2628 		if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2629 			break;
2630 
2631 		control.reqseq = seq;
2632 		l2cap_send_sframe(chan, &control);
2633 		l2cap_seq_list_append(&chan->srej_list, seq);
2634 	} while (chan->srej_list.head != initial_head);
2635 }
2636 
2637 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2638 {
2639 	struct sk_buff *acked_skb;
2640 	u16 ackseq;
2641 
2642 	BT_DBG("chan %p, reqseq %u", chan, reqseq);
2643 
2644 	if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2645 		return;
2646 
2647 	BT_DBG("expected_ack_seq %u, unacked_frames %u",
2648 	       chan->expected_ack_seq, chan->unacked_frames);
2649 
2650 	for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2651 	     ackseq = __next_seq(chan, ackseq)) {
2652 
2653 		acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2654 		if (acked_skb) {
2655 			skb_unlink(acked_skb, &chan->tx_q);
2656 			kfree_skb(acked_skb);
2657 			chan->unacked_frames--;
2658 		}
2659 	}
2660 
2661 	chan->expected_ack_seq = reqseq;
2662 
2663 	if (chan->unacked_frames == 0)
2664 		__clear_retrans_timer(chan);
2665 
2666 	BT_DBG("unacked_frames %u", chan->unacked_frames);
2667 }
2668 
2669 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2670 {
2671 	BT_DBG("chan %p", chan);
2672 
2673 	chan->expected_tx_seq = chan->buffer_seq;
2674 	l2cap_seq_list_clear(&chan->srej_list);
2675 	skb_queue_purge(&chan->srej_q);
2676 	chan->rx_state = L2CAP_RX_STATE_RECV;
2677 }
2678 
2679 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2680 				struct l2cap_ctrl *control,
2681 				struct sk_buff_head *skbs, u8 event)
2682 {
2683 	BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2684 	       event);
2685 
2686 	switch (event) {
2687 	case L2CAP_EV_DATA_REQUEST:
2688 		if (chan->tx_send_head == NULL)
2689 			chan->tx_send_head = skb_peek(skbs);
2690 
2691 		skb_queue_splice_tail_init(skbs, &chan->tx_q);
2692 		l2cap_ertm_send(chan);
2693 		break;
2694 	case L2CAP_EV_LOCAL_BUSY_DETECTED:
2695 		BT_DBG("Enter LOCAL_BUSY");
2696 		set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2697 
2698 		if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2699 			/* The SREJ_SENT state must be aborted if we are to
2700 			 * enter the LOCAL_BUSY state.
2701 			 */
2702 			l2cap_abort_rx_srej_sent(chan);
2703 		}
2704 
2705 		l2cap_send_ack(chan);
2706 
2707 		break;
2708 	case L2CAP_EV_LOCAL_BUSY_CLEAR:
2709 		BT_DBG("Exit LOCAL_BUSY");
2710 		clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2711 
2712 		if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2713 			struct l2cap_ctrl local_control;
2714 
2715 			memset(&local_control, 0, sizeof(local_control));
2716 			local_control.sframe = 1;
2717 			local_control.super = L2CAP_SUPER_RR;
2718 			local_control.poll = 1;
2719 			local_control.reqseq = chan->buffer_seq;
2720 			l2cap_send_sframe(chan, &local_control);
2721 
2722 			chan->retry_count = 1;
2723 			__set_monitor_timer(chan);
2724 			chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2725 		}
2726 		break;
2727 	case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2728 		l2cap_process_reqseq(chan, control->reqseq);
2729 		break;
2730 	case L2CAP_EV_EXPLICIT_POLL:
2731 		l2cap_send_rr_or_rnr(chan, 1);
2732 		chan->retry_count = 1;
2733 		__set_monitor_timer(chan);
2734 		__clear_ack_timer(chan);
2735 		chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2736 		break;
2737 	case L2CAP_EV_RETRANS_TO:
2738 		l2cap_send_rr_or_rnr(chan, 1);
2739 		chan->retry_count = 1;
2740 		__set_monitor_timer(chan);
2741 		chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2742 		break;
2743 	case L2CAP_EV_RECV_FBIT:
2744 		/* Nothing to process */
2745 		break;
2746 	default:
2747 		break;
2748 	}
2749 }
2750 
2751 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2752 				  struct l2cap_ctrl *control,
2753 				  struct sk_buff_head *skbs, u8 event)
2754 {
2755 	BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2756 	       event);
2757 
2758 	switch (event) {
2759 	case L2CAP_EV_DATA_REQUEST:
2760 		if (chan->tx_send_head == NULL)
2761 			chan->tx_send_head = skb_peek(skbs);
2762 		/* Queue data, but don't send. */
2763 		skb_queue_splice_tail_init(skbs, &chan->tx_q);
2764 		break;
2765 	case L2CAP_EV_LOCAL_BUSY_DETECTED:
2766 		BT_DBG("Enter LOCAL_BUSY");
2767 		set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2768 
2769 		if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2770 			/* The SREJ_SENT state must be aborted if we are to
2771 			 * enter the LOCAL_BUSY state.
2772 			 */
2773 			l2cap_abort_rx_srej_sent(chan);
2774 		}
2775 
2776 		l2cap_send_ack(chan);
2777 
2778 		break;
2779 	case L2CAP_EV_LOCAL_BUSY_CLEAR:
2780 		BT_DBG("Exit LOCAL_BUSY");
2781 		clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2782 
2783 		if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2784 			struct l2cap_ctrl local_control;
2785 			memset(&local_control, 0, sizeof(local_control));
2786 			local_control.sframe = 1;
2787 			local_control.super = L2CAP_SUPER_RR;
2788 			local_control.poll = 1;
2789 			local_control.reqseq = chan->buffer_seq;
2790 			l2cap_send_sframe(chan, &local_control);
2791 
2792 			chan->retry_count = 1;
2793 			__set_monitor_timer(chan);
2794 			chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2795 		}
2796 		break;
2797 	case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2798 		l2cap_process_reqseq(chan, control->reqseq);
2799 
2800 		/* Fall through */
2801 
2802 	case L2CAP_EV_RECV_FBIT:
2803 		if (control && control->final) {
2804 			__clear_monitor_timer(chan);
2805 			if (chan->unacked_frames > 0)
2806 				__set_retrans_timer(chan);
2807 			chan->retry_count = 0;
2808 			chan->tx_state = L2CAP_TX_STATE_XMIT;
2809 			BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2810 		}
2811 		break;
2812 	case L2CAP_EV_EXPLICIT_POLL:
2813 		/* Ignore */
2814 		break;
2815 	case L2CAP_EV_MONITOR_TO:
2816 		if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2817 			l2cap_send_rr_or_rnr(chan, 1);
2818 			__set_monitor_timer(chan);
2819 			chan->retry_count++;
2820 		} else {
2821 			l2cap_send_disconn_req(chan, ECONNABORTED);
2822 		}
2823 		break;
2824 	default:
2825 		break;
2826 	}
2827 }
2828 
2829 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2830 		     struct sk_buff_head *skbs, u8 event)
2831 {
2832 	BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2833 	       chan, control, skbs, event, chan->tx_state);
2834 
2835 	switch (chan->tx_state) {
2836 	case L2CAP_TX_STATE_XMIT:
2837 		l2cap_tx_state_xmit(chan, control, skbs, event);
2838 		break;
2839 	case L2CAP_TX_STATE_WAIT_F:
2840 		l2cap_tx_state_wait_f(chan, control, skbs, event);
2841 		break;
2842 	default:
2843 		/* Ignore event */
2844 		break;
2845 	}
2846 }
2847 
2848 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2849 			     struct l2cap_ctrl *control)
2850 {
2851 	BT_DBG("chan %p, control %p", chan, control);
2852 	l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2853 }
2854 
2855 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2856 				  struct l2cap_ctrl *control)
2857 {
2858 	BT_DBG("chan %p, control %p", chan, control);
2859 	l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2860 }
2861 
2862 /* Copy frame to all raw sockets on that connection */
2863 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2864 {
2865 	struct sk_buff *nskb;
2866 	struct l2cap_chan *chan;
2867 
2868 	BT_DBG("conn %p", conn);
2869 
2870 	mutex_lock(&conn->chan_lock);
2871 
2872 	list_for_each_entry(chan, &conn->chan_l, list) {
2873 		if (chan->chan_type != L2CAP_CHAN_RAW)
2874 			continue;
2875 
2876 		/* Don't send frame to the channel it came from */
2877 		if (bt_cb(skb)->l2cap.chan == chan)
2878 			continue;
2879 
2880 		nskb = skb_clone(skb, GFP_KERNEL);
2881 		if (!nskb)
2882 			continue;
2883 		if (chan->ops->recv(chan, nskb))
2884 			kfree_skb(nskb);
2885 	}
2886 
2887 	mutex_unlock(&conn->chan_lock);
2888 }
2889 
2890 /* ---- L2CAP signalling commands ---- */
2891 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2892 				       u8 ident, u16 dlen, void *data)
2893 {
2894 	struct sk_buff *skb, **frag;
2895 	struct l2cap_cmd_hdr *cmd;
2896 	struct l2cap_hdr *lh;
2897 	int len, count;
2898 
2899 	BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2900 	       conn, code, ident, dlen);
2901 
2902 	if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2903 		return NULL;
2904 
2905 	len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2906 	count = min_t(unsigned int, conn->mtu, len);
2907 
2908 	skb = bt_skb_alloc(count, GFP_KERNEL);
2909 	if (!skb)
2910 		return NULL;
2911 
2912 	lh = skb_put(skb, L2CAP_HDR_SIZE);
2913 	lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2914 
2915 	if (conn->hcon->type == LE_LINK)
2916 		lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2917 	else
2918 		lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2919 
2920 	cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2921 	cmd->code  = code;
2922 	cmd->ident = ident;
2923 	cmd->len   = cpu_to_le16(dlen);
2924 
2925 	if (dlen) {
2926 		count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2927 		skb_put_data(skb, data, count);
2928 		data += count;
2929 	}
2930 
2931 	len -= skb->len;
2932 
2933 	/* Continuation fragments (no L2CAP header) */
2934 	frag = &skb_shinfo(skb)->frag_list;
2935 	while (len) {
2936 		count = min_t(unsigned int, conn->mtu, len);
2937 
2938 		*frag = bt_skb_alloc(count, GFP_KERNEL);
2939 		if (!*frag)
2940 			goto fail;
2941 
2942 		skb_put_data(*frag, data, count);
2943 
2944 		len  -= count;
2945 		data += count;
2946 
2947 		frag = &(*frag)->next;
2948 	}
2949 
2950 	return skb;
2951 
2952 fail:
2953 	kfree_skb(skb);
2954 	return NULL;
2955 }
2956 
2957 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2958 				     unsigned long *val)
2959 {
2960 	struct l2cap_conf_opt *opt = *ptr;
2961 	int len;
2962 
2963 	len = L2CAP_CONF_OPT_SIZE + opt->len;
2964 	*ptr += len;
2965 
2966 	*type = opt->type;
2967 	*olen = opt->len;
2968 
2969 	switch (opt->len) {
2970 	case 1:
2971 		*val = *((u8 *) opt->val);
2972 		break;
2973 
2974 	case 2:
2975 		*val = get_unaligned_le16(opt->val);
2976 		break;
2977 
2978 	case 4:
2979 		*val = get_unaligned_le32(opt->val);
2980 		break;
2981 
2982 	default:
2983 		*val = (unsigned long) opt->val;
2984 		break;
2985 	}
2986 
2987 	BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2988 	return len;
2989 }
2990 
2991 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
2992 {
2993 	struct l2cap_conf_opt *opt = *ptr;
2994 
2995 	BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2996 
2997 	if (size < L2CAP_CONF_OPT_SIZE + len)
2998 		return;
2999 
3000 	opt->type = type;
3001 	opt->len  = len;
3002 
3003 	switch (len) {
3004 	case 1:
3005 		*((u8 *) opt->val)  = val;
3006 		break;
3007 
3008 	case 2:
3009 		put_unaligned_le16(val, opt->val);
3010 		break;
3011 
3012 	case 4:
3013 		put_unaligned_le32(val, opt->val);
3014 		break;
3015 
3016 	default:
3017 		memcpy(opt->val, (void *) val, len);
3018 		break;
3019 	}
3020 
3021 	*ptr += L2CAP_CONF_OPT_SIZE + len;
3022 }
3023 
3024 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3025 {
3026 	struct l2cap_conf_efs efs;
3027 
3028 	switch (chan->mode) {
3029 	case L2CAP_MODE_ERTM:
3030 		efs.id		= chan->local_id;
3031 		efs.stype	= chan->local_stype;
3032 		efs.msdu	= cpu_to_le16(chan->local_msdu);
3033 		efs.sdu_itime	= cpu_to_le32(chan->local_sdu_itime);
3034 		efs.acc_lat	= cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3035 		efs.flush_to	= cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3036 		break;
3037 
3038 	case L2CAP_MODE_STREAMING:
3039 		efs.id		= 1;
3040 		efs.stype	= L2CAP_SERV_BESTEFFORT;
3041 		efs.msdu	= cpu_to_le16(chan->local_msdu);
3042 		efs.sdu_itime	= cpu_to_le32(chan->local_sdu_itime);
3043 		efs.acc_lat	= 0;
3044 		efs.flush_to	= 0;
3045 		break;
3046 
3047 	default:
3048 		return;
3049 	}
3050 
3051 	l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3052 			   (unsigned long) &efs, size);
3053 }
3054 
3055 static void l2cap_ack_timeout(struct work_struct *work)
3056 {
3057 	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3058 					       ack_timer.work);
3059 	u16 frames_to_ack;
3060 
3061 	BT_DBG("chan %p", chan);
3062 
3063 	l2cap_chan_lock(chan);
3064 
3065 	frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3066 				     chan->last_acked_seq);
3067 
3068 	if (frames_to_ack)
3069 		l2cap_send_rr_or_rnr(chan, 0);
3070 
3071 	l2cap_chan_unlock(chan);
3072 	l2cap_chan_put(chan);
3073 }
3074 
3075 int l2cap_ertm_init(struct l2cap_chan *chan)
3076 {
3077 	int err;
3078 
3079 	chan->next_tx_seq = 0;
3080 	chan->expected_tx_seq = 0;
3081 	chan->expected_ack_seq = 0;
3082 	chan->unacked_frames = 0;
3083 	chan->buffer_seq = 0;
3084 	chan->frames_sent = 0;
3085 	chan->last_acked_seq = 0;
3086 	chan->sdu = NULL;
3087 	chan->sdu_last_frag = NULL;
3088 	chan->sdu_len = 0;
3089 
3090 	skb_queue_head_init(&chan->tx_q);
3091 
3092 	chan->local_amp_id = AMP_ID_BREDR;
3093 	chan->move_id = AMP_ID_BREDR;
3094 	chan->move_state = L2CAP_MOVE_STABLE;
3095 	chan->move_role = L2CAP_MOVE_ROLE_NONE;
3096 
3097 	if (chan->mode != L2CAP_MODE_ERTM)
3098 		return 0;
3099 
3100 	chan->rx_state = L2CAP_RX_STATE_RECV;
3101 	chan->tx_state = L2CAP_TX_STATE_XMIT;
3102 
3103 	INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3104 	INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3105 	INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3106 
3107 	skb_queue_head_init(&chan->srej_q);
3108 
3109 	err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3110 	if (err < 0)
3111 		return err;
3112 
3113 	err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3114 	if (err < 0)
3115 		l2cap_seq_list_free(&chan->srej_list);
3116 
3117 	return err;
3118 }
3119 
3120 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3121 {
3122 	switch (mode) {
3123 	case L2CAP_MODE_STREAMING:
3124 	case L2CAP_MODE_ERTM:
3125 		if (l2cap_mode_supported(mode, remote_feat_mask))
3126 			return mode;
3127 		/* fall through */
3128 	default:
3129 		return L2CAP_MODE_BASIC;
3130 	}
3131 }
3132 
3133 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3134 {
3135 	return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3136 		(conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3137 }
3138 
3139 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3140 {
3141 	return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3142 		(conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3143 }
3144 
3145 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3146 				      struct l2cap_conf_rfc *rfc)
3147 {
3148 	if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3149 		u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3150 
3151 		/* Class 1 devices have must have ERTM timeouts
3152 		 * exceeding the Link Supervision Timeout.  The
3153 		 * default Link Supervision Timeout for AMP
3154 		 * controllers is 10 seconds.
3155 		 *
3156 		 * Class 1 devices use 0xffffffff for their
3157 		 * best-effort flush timeout, so the clamping logic
3158 		 * will result in a timeout that meets the above
3159 		 * requirement.  ERTM timeouts are 16-bit values, so
3160 		 * the maximum timeout is 65.535 seconds.
3161 		 */
3162 
3163 		/* Convert timeout to milliseconds and round */
3164 		ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3165 
3166 		/* This is the recommended formula for class 2 devices
3167 		 * that start ERTM timers when packets are sent to the
3168 		 * controller.
3169 		 */
3170 		ertm_to = 3 * ertm_to + 500;
3171 
3172 		if (ertm_to > 0xffff)
3173 			ertm_to = 0xffff;
3174 
3175 		rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3176 		rfc->monitor_timeout = rfc->retrans_timeout;
3177 	} else {
3178 		rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3179 		rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3180 	}
3181 }
3182 
3183 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3184 {
3185 	if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3186 	    __l2cap_ews_supported(chan->conn)) {
3187 		/* use extended control field */
3188 		set_bit(FLAG_EXT_CTRL, &chan->flags);
3189 		chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3190 	} else {
3191 		chan->tx_win = min_t(u16, chan->tx_win,
3192 				     L2CAP_DEFAULT_TX_WINDOW);
3193 		chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3194 	}
3195 	chan->ack_win = chan->tx_win;
3196 }
3197 
3198 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3199 {
3200 	struct l2cap_conf_req *req = data;
3201 	struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3202 	void *ptr = req->data;
3203 	void *endptr = data + data_size;
3204 	u16 size;
3205 
3206 	BT_DBG("chan %p", chan);
3207 
3208 	if (chan->num_conf_req || chan->num_conf_rsp)
3209 		goto done;
3210 
3211 	switch (chan->mode) {
3212 	case L2CAP_MODE_STREAMING:
3213 	case L2CAP_MODE_ERTM:
3214 		if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3215 			break;
3216 
3217 		if (__l2cap_efs_supported(chan->conn))
3218 			set_bit(FLAG_EFS_ENABLE, &chan->flags);
3219 
3220 		/* fall through */
3221 	default:
3222 		chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3223 		break;
3224 	}
3225 
3226 done:
3227 	if (chan->imtu != L2CAP_DEFAULT_MTU)
3228 		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3229 
3230 	switch (chan->mode) {
3231 	case L2CAP_MODE_BASIC:
3232 		if (disable_ertm)
3233 			break;
3234 
3235 		if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3236 		    !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3237 			break;
3238 
3239 		rfc.mode            = L2CAP_MODE_BASIC;
3240 		rfc.txwin_size      = 0;
3241 		rfc.max_transmit    = 0;
3242 		rfc.retrans_timeout = 0;
3243 		rfc.monitor_timeout = 0;
3244 		rfc.max_pdu_size    = 0;
3245 
3246 		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3247 				   (unsigned long) &rfc, endptr - ptr);
3248 		break;
3249 
3250 	case L2CAP_MODE_ERTM:
3251 		rfc.mode            = L2CAP_MODE_ERTM;
3252 		rfc.max_transmit    = chan->max_tx;
3253 
3254 		__l2cap_set_ertm_timeouts(chan, &rfc);
3255 
3256 		size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3257 			     L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3258 			     L2CAP_FCS_SIZE);
3259 		rfc.max_pdu_size = cpu_to_le16(size);
3260 
3261 		l2cap_txwin_setup(chan);
3262 
3263 		rfc.txwin_size = min_t(u16, chan->tx_win,
3264 				       L2CAP_DEFAULT_TX_WINDOW);
3265 
3266 		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3267 				   (unsigned long) &rfc, endptr - ptr);
3268 
3269 		if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3270 			l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3271 
3272 		if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3273 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3274 					   chan->tx_win, endptr - ptr);
3275 
3276 		if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3277 			if (chan->fcs == L2CAP_FCS_NONE ||
3278 			    test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3279 				chan->fcs = L2CAP_FCS_NONE;
3280 				l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3281 						   chan->fcs, endptr - ptr);
3282 			}
3283 		break;
3284 
3285 	case L2CAP_MODE_STREAMING:
3286 		l2cap_txwin_setup(chan);
3287 		rfc.mode            = L2CAP_MODE_STREAMING;
3288 		rfc.txwin_size      = 0;
3289 		rfc.max_transmit    = 0;
3290 		rfc.retrans_timeout = 0;
3291 		rfc.monitor_timeout = 0;
3292 
3293 		size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3294 			     L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3295 			     L2CAP_FCS_SIZE);
3296 		rfc.max_pdu_size = cpu_to_le16(size);
3297 
3298 		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3299 				   (unsigned long) &rfc, endptr - ptr);
3300 
3301 		if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3302 			l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3303 
3304 		if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3305 			if (chan->fcs == L2CAP_FCS_NONE ||
3306 			    test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3307 				chan->fcs = L2CAP_FCS_NONE;
3308 				l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3309 						   chan->fcs, endptr - ptr);
3310 			}
3311 		break;
3312 	}
3313 
3314 	req->dcid  = cpu_to_le16(chan->dcid);
3315 	req->flags = cpu_to_le16(0);
3316 
3317 	return ptr - data;
3318 }
3319 
3320 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3321 {
3322 	struct l2cap_conf_rsp *rsp = data;
3323 	void *ptr = rsp->data;
3324 	void *endptr = data + data_size;
3325 	void *req = chan->conf_req;
3326 	int len = chan->conf_len;
3327 	int type, hint, olen;
3328 	unsigned long val;
3329 	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3330 	struct l2cap_conf_efs efs;
3331 	u8 remote_efs = 0;
3332 	u16 mtu = L2CAP_DEFAULT_MTU;
3333 	u16 result = L2CAP_CONF_SUCCESS;
3334 	u16 size;
3335 
3336 	BT_DBG("chan %p", chan);
3337 
3338 	while (len >= L2CAP_CONF_OPT_SIZE) {
3339 		len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3340 		if (len < 0)
3341 			break;
3342 
3343 		hint  = type & L2CAP_CONF_HINT;
3344 		type &= L2CAP_CONF_MASK;
3345 
3346 		switch (type) {
3347 		case L2CAP_CONF_MTU:
3348 			if (olen != 2)
3349 				break;
3350 			mtu = val;
3351 			break;
3352 
3353 		case L2CAP_CONF_FLUSH_TO:
3354 			if (olen != 2)
3355 				break;
3356 			chan->flush_to = val;
3357 			break;
3358 
3359 		case L2CAP_CONF_QOS:
3360 			break;
3361 
3362 		case L2CAP_CONF_RFC:
3363 			if (olen != sizeof(rfc))
3364 				break;
3365 			memcpy(&rfc, (void *) val, olen);
3366 			break;
3367 
3368 		case L2CAP_CONF_FCS:
3369 			if (olen != 1)
3370 				break;
3371 			if (val == L2CAP_FCS_NONE)
3372 				set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3373 			break;
3374 
3375 		case L2CAP_CONF_EFS:
3376 			if (olen != sizeof(efs))
3377 				break;
3378 			remote_efs = 1;
3379 			memcpy(&efs, (void *) val, olen);
3380 			break;
3381 
3382 		case L2CAP_CONF_EWS:
3383 			if (olen != 2)
3384 				break;
3385 			if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3386 				return -ECONNREFUSED;
3387 			set_bit(FLAG_EXT_CTRL, &chan->flags);
3388 			set_bit(CONF_EWS_RECV, &chan->conf_state);
3389 			chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3390 			chan->remote_tx_win = val;
3391 			break;
3392 
3393 		default:
3394 			if (hint)
3395 				break;
3396 			result = L2CAP_CONF_UNKNOWN;
3397 			*((u8 *) ptr++) = type;
3398 			break;
3399 		}
3400 	}
3401 
3402 	if (chan->num_conf_rsp || chan->num_conf_req > 1)
3403 		goto done;
3404 
3405 	switch (chan->mode) {
3406 	case L2CAP_MODE_STREAMING:
3407 	case L2CAP_MODE_ERTM:
3408 		if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3409 			chan->mode = l2cap_select_mode(rfc.mode,
3410 						       chan->conn->feat_mask);
3411 			break;
3412 		}
3413 
3414 		if (remote_efs) {
3415 			if (__l2cap_efs_supported(chan->conn))
3416 				set_bit(FLAG_EFS_ENABLE, &chan->flags);
3417 			else
3418 				return -ECONNREFUSED;
3419 		}
3420 
3421 		if (chan->mode != rfc.mode)
3422 			return -ECONNREFUSED;
3423 
3424 		break;
3425 	}
3426 
3427 done:
3428 	if (chan->mode != rfc.mode) {
3429 		result = L2CAP_CONF_UNACCEPT;
3430 		rfc.mode = chan->mode;
3431 
3432 		if (chan->num_conf_rsp == 1)
3433 			return -ECONNREFUSED;
3434 
3435 		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3436 				   (unsigned long) &rfc, endptr - ptr);
3437 	}
3438 
3439 	if (result == L2CAP_CONF_SUCCESS) {
3440 		/* Configure output options and let the other side know
3441 		 * which ones we don't like. */
3442 
3443 		if (mtu < L2CAP_DEFAULT_MIN_MTU)
3444 			result = L2CAP_CONF_UNACCEPT;
3445 		else {
3446 			chan->omtu = mtu;
3447 			set_bit(CONF_MTU_DONE, &chan->conf_state);
3448 		}
3449 		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3450 
3451 		if (remote_efs) {
3452 			if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3453 			    efs.stype != L2CAP_SERV_NOTRAFIC &&
3454 			    efs.stype != chan->local_stype) {
3455 
3456 				result = L2CAP_CONF_UNACCEPT;
3457 
3458 				if (chan->num_conf_req >= 1)
3459 					return -ECONNREFUSED;
3460 
3461 				l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3462 						   sizeof(efs),
3463 						   (unsigned long) &efs, endptr - ptr);
3464 			} else {
3465 				/* Send PENDING Conf Rsp */
3466 				result = L2CAP_CONF_PENDING;
3467 				set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3468 			}
3469 		}
3470 
3471 		switch (rfc.mode) {
3472 		case L2CAP_MODE_BASIC:
3473 			chan->fcs = L2CAP_FCS_NONE;
3474 			set_bit(CONF_MODE_DONE, &chan->conf_state);
3475 			break;
3476 
3477 		case L2CAP_MODE_ERTM:
3478 			if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3479 				chan->remote_tx_win = rfc.txwin_size;
3480 			else
3481 				rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3482 
3483 			chan->remote_max_tx = rfc.max_transmit;
3484 
3485 			size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3486 				     chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3487 				     L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3488 			rfc.max_pdu_size = cpu_to_le16(size);
3489 			chan->remote_mps = size;
3490 
3491 			__l2cap_set_ertm_timeouts(chan, &rfc);
3492 
3493 			set_bit(CONF_MODE_DONE, &chan->conf_state);
3494 
3495 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3496 					   sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3497 
3498 			if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3499 				chan->remote_id = efs.id;
3500 				chan->remote_stype = efs.stype;
3501 				chan->remote_msdu = le16_to_cpu(efs.msdu);
3502 				chan->remote_flush_to =
3503 					le32_to_cpu(efs.flush_to);
3504 				chan->remote_acc_lat =
3505 					le32_to_cpu(efs.acc_lat);
3506 				chan->remote_sdu_itime =
3507 					le32_to_cpu(efs.sdu_itime);
3508 				l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3509 						   sizeof(efs),
3510 						   (unsigned long) &efs, endptr - ptr);
3511 			}
3512 			break;
3513 
3514 		case L2CAP_MODE_STREAMING:
3515 			size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3516 				     chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3517 				     L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3518 			rfc.max_pdu_size = cpu_to_le16(size);
3519 			chan->remote_mps = size;
3520 
3521 			set_bit(CONF_MODE_DONE, &chan->conf_state);
3522 
3523 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3524 					   (unsigned long) &rfc, endptr - ptr);
3525 
3526 			break;
3527 
3528 		default:
3529 			result = L2CAP_CONF_UNACCEPT;
3530 
3531 			memset(&rfc, 0, sizeof(rfc));
3532 			rfc.mode = chan->mode;
3533 		}
3534 
3535 		if (result == L2CAP_CONF_SUCCESS)
3536 			set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3537 	}
3538 	rsp->scid   = cpu_to_le16(chan->dcid);
3539 	rsp->result = cpu_to_le16(result);
3540 	rsp->flags  = cpu_to_le16(0);
3541 
3542 	return ptr - data;
3543 }
3544 
3545 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3546 				void *data, size_t size, u16 *result)
3547 {
3548 	struct l2cap_conf_req *req = data;
3549 	void *ptr = req->data;
3550 	void *endptr = data + size;
3551 	int type, olen;
3552 	unsigned long val;
3553 	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3554 	struct l2cap_conf_efs efs;
3555 
3556 	BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3557 
3558 	while (len >= L2CAP_CONF_OPT_SIZE) {
3559 		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3560 		if (len < 0)
3561 			break;
3562 
3563 		switch (type) {
3564 		case L2CAP_CONF_MTU:
3565 			if (olen != 2)
3566 				break;
3567 			if (val < L2CAP_DEFAULT_MIN_MTU) {
3568 				*result = L2CAP_CONF_UNACCEPT;
3569 				chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3570 			} else
3571 				chan->imtu = val;
3572 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3573 					   endptr - ptr);
3574 			break;
3575 
3576 		case L2CAP_CONF_FLUSH_TO:
3577 			if (olen != 2)
3578 				break;
3579 			chan->flush_to = val;
3580 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3581 					   chan->flush_to, endptr - ptr);
3582 			break;
3583 
3584 		case L2CAP_CONF_RFC:
3585 			if (olen != sizeof(rfc))
3586 				break;
3587 			memcpy(&rfc, (void *)val, olen);
3588 			if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3589 			    rfc.mode != chan->mode)
3590 				return -ECONNREFUSED;
3591 			chan->fcs = 0;
3592 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3593 					   (unsigned long) &rfc, endptr - ptr);
3594 			break;
3595 
3596 		case L2CAP_CONF_EWS:
3597 			if (olen != 2)
3598 				break;
3599 			chan->ack_win = min_t(u16, val, chan->ack_win);
3600 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3601 					   chan->tx_win, endptr - ptr);
3602 			break;
3603 
3604 		case L2CAP_CONF_EFS:
3605 			if (olen != sizeof(efs))
3606 				break;
3607 			memcpy(&efs, (void *)val, olen);
3608 			if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3609 			    efs.stype != L2CAP_SERV_NOTRAFIC &&
3610 			    efs.stype != chan->local_stype)
3611 				return -ECONNREFUSED;
3612 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3613 					   (unsigned long) &efs, endptr - ptr);
3614 			break;
3615 
3616 		case L2CAP_CONF_FCS:
3617 			if (olen != 1)
3618 				break;
3619 			if (*result == L2CAP_CONF_PENDING)
3620 				if (val == L2CAP_FCS_NONE)
3621 					set_bit(CONF_RECV_NO_FCS,
3622 						&chan->conf_state);
3623 			break;
3624 		}
3625 	}
3626 
3627 	if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3628 		return -ECONNREFUSED;
3629 
3630 	chan->mode = rfc.mode;
3631 
3632 	if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3633 		switch (rfc.mode) {
3634 		case L2CAP_MODE_ERTM:
3635 			chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3636 			chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3637 			chan->mps    = le16_to_cpu(rfc.max_pdu_size);
3638 			if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3639 				chan->ack_win = min_t(u16, chan->ack_win,
3640 						      rfc.txwin_size);
3641 
3642 			if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3643 				chan->local_msdu = le16_to_cpu(efs.msdu);
3644 				chan->local_sdu_itime =
3645 					le32_to_cpu(efs.sdu_itime);
3646 				chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3647 				chan->local_flush_to =
3648 					le32_to_cpu(efs.flush_to);
3649 			}
3650 			break;
3651 
3652 		case L2CAP_MODE_STREAMING:
3653 			chan->mps    = le16_to_cpu(rfc.max_pdu_size);
3654 		}
3655 	}
3656 
3657 	req->dcid   = cpu_to_le16(chan->dcid);
3658 	req->flags  = cpu_to_le16(0);
3659 
3660 	return ptr - data;
3661 }
3662 
3663 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3664 				u16 result, u16 flags)
3665 {
3666 	struct l2cap_conf_rsp *rsp = data;
3667 	void *ptr = rsp->data;
3668 
3669 	BT_DBG("chan %p", chan);
3670 
3671 	rsp->scid   = cpu_to_le16(chan->dcid);
3672 	rsp->result = cpu_to_le16(result);
3673 	rsp->flags  = cpu_to_le16(flags);
3674 
3675 	return ptr - data;
3676 }
3677 
3678 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3679 {
3680 	struct l2cap_le_conn_rsp rsp;
3681 	struct l2cap_conn *conn = chan->conn;
3682 
3683 	BT_DBG("chan %p", chan);
3684 
3685 	rsp.dcid    = cpu_to_le16(chan->scid);
3686 	rsp.mtu     = cpu_to_le16(chan->imtu);
3687 	rsp.mps     = cpu_to_le16(chan->mps);
3688 	rsp.credits = cpu_to_le16(chan->rx_credits);
3689 	rsp.result  = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3690 
3691 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3692 		       &rsp);
3693 }
3694 
3695 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3696 {
3697 	struct l2cap_conn_rsp rsp;
3698 	struct l2cap_conn *conn = chan->conn;
3699 	u8 buf[128];
3700 	u8 rsp_code;
3701 
3702 	rsp.scid   = cpu_to_le16(chan->dcid);
3703 	rsp.dcid   = cpu_to_le16(chan->scid);
3704 	rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3705 	rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3706 
3707 	if (chan->hs_hcon)
3708 		rsp_code = L2CAP_CREATE_CHAN_RSP;
3709 	else
3710 		rsp_code = L2CAP_CONN_RSP;
3711 
3712 	BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3713 
3714 	l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3715 
3716 	if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3717 		return;
3718 
3719 	l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3720 		       l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3721 	chan->num_conf_req++;
3722 }
3723 
3724 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3725 {
3726 	int type, olen;
3727 	unsigned long val;
3728 	/* Use sane default values in case a misbehaving remote device
3729 	 * did not send an RFC or extended window size option.
3730 	 */
3731 	u16 txwin_ext = chan->ack_win;
3732 	struct l2cap_conf_rfc rfc = {
3733 		.mode = chan->mode,
3734 		.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3735 		.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3736 		.max_pdu_size = cpu_to_le16(chan->imtu),
3737 		.txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3738 	};
3739 
3740 	BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3741 
3742 	if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3743 		return;
3744 
3745 	while (len >= L2CAP_CONF_OPT_SIZE) {
3746 		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3747 		if (len < 0)
3748 			break;
3749 
3750 		switch (type) {
3751 		case L2CAP_CONF_RFC:
3752 			if (olen != sizeof(rfc))
3753 				break;
3754 			memcpy(&rfc, (void *)val, olen);
3755 			break;
3756 		case L2CAP_CONF_EWS:
3757 			if (olen != 2)
3758 				break;
3759 			txwin_ext = val;
3760 			break;
3761 		}
3762 	}
3763 
3764 	switch (rfc.mode) {
3765 	case L2CAP_MODE_ERTM:
3766 		chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3767 		chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3768 		chan->mps = le16_to_cpu(rfc.max_pdu_size);
3769 		if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3770 			chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3771 		else
3772 			chan->ack_win = min_t(u16, chan->ack_win,
3773 					      rfc.txwin_size);
3774 		break;
3775 	case L2CAP_MODE_STREAMING:
3776 		chan->mps    = le16_to_cpu(rfc.max_pdu_size);
3777 	}
3778 }
3779 
3780 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3781 				    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3782 				    u8 *data)
3783 {
3784 	struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3785 
3786 	if (cmd_len < sizeof(*rej))
3787 		return -EPROTO;
3788 
3789 	if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3790 		return 0;
3791 
3792 	if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3793 	    cmd->ident == conn->info_ident) {
3794 		cancel_delayed_work(&conn->info_timer);
3795 
3796 		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3797 		conn->info_ident = 0;
3798 
3799 		l2cap_conn_start(conn);
3800 	}
3801 
3802 	return 0;
3803 }
3804 
3805 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3806 					struct l2cap_cmd_hdr *cmd,
3807 					u8 *data, u8 rsp_code, u8 amp_id)
3808 {
3809 	struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3810 	struct l2cap_conn_rsp rsp;
3811 	struct l2cap_chan *chan = NULL, *pchan;
3812 	int result, status = L2CAP_CS_NO_INFO;
3813 
3814 	u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3815 	__le16 psm = req->psm;
3816 
3817 	BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3818 
3819 	/* Check if we have socket listening on psm */
3820 	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3821 					 &conn->hcon->dst, ACL_LINK);
3822 	if (!pchan) {
3823 		result = L2CAP_CR_BAD_PSM;
3824 		goto sendresp;
3825 	}
3826 
3827 	mutex_lock(&conn->chan_lock);
3828 	l2cap_chan_lock(pchan);
3829 
3830 	/* Check if the ACL is secure enough (if not SDP) */
3831 	if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3832 	    !hci_conn_check_link_mode(conn->hcon)) {
3833 		conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3834 		result = L2CAP_CR_SEC_BLOCK;
3835 		goto response;
3836 	}
3837 
3838 	result = L2CAP_CR_NO_MEM;
3839 
3840 	/* Check for valid dynamic CID range (as per Erratum 3253) */
3841 	if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3842 		result = L2CAP_CR_INVALID_SCID;
3843 		goto response;
3844 	}
3845 
3846 	/* Check if we already have channel with that dcid */
3847 	if (__l2cap_get_chan_by_dcid(conn, scid)) {
3848 		result = L2CAP_CR_SCID_IN_USE;
3849 		goto response;
3850 	}
3851 
3852 	chan = pchan->ops->new_connection(pchan);
3853 	if (!chan)
3854 		goto response;
3855 
3856 	/* For certain devices (ex: HID mouse), support for authentication,
3857 	 * pairing and bonding is optional. For such devices, inorder to avoid
3858 	 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3859 	 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3860 	 */
3861 	conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3862 
3863 	bacpy(&chan->src, &conn->hcon->src);
3864 	bacpy(&chan->dst, &conn->hcon->dst);
3865 	chan->src_type = bdaddr_src_type(conn->hcon);
3866 	chan->dst_type = bdaddr_dst_type(conn->hcon);
3867 	chan->psm  = psm;
3868 	chan->dcid = scid;
3869 	chan->local_amp_id = amp_id;
3870 
3871 	__l2cap_chan_add(conn, chan);
3872 
3873 	dcid = chan->scid;
3874 
3875 	__set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3876 
3877 	chan->ident = cmd->ident;
3878 
3879 	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3880 		if (l2cap_chan_check_security(chan, false)) {
3881 			if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3882 				l2cap_state_change(chan, BT_CONNECT2);
3883 				result = L2CAP_CR_PEND;
3884 				status = L2CAP_CS_AUTHOR_PEND;
3885 				chan->ops->defer(chan);
3886 			} else {
3887 				/* Force pending result for AMP controllers.
3888 				 * The connection will succeed after the
3889 				 * physical link is up.
3890 				 */
3891 				if (amp_id == AMP_ID_BREDR) {
3892 					l2cap_state_change(chan, BT_CONFIG);
3893 					result = L2CAP_CR_SUCCESS;
3894 				} else {
3895 					l2cap_state_change(chan, BT_CONNECT2);
3896 					result = L2CAP_CR_PEND;
3897 				}
3898 				status = L2CAP_CS_NO_INFO;
3899 			}
3900 		} else {
3901 			l2cap_state_change(chan, BT_CONNECT2);
3902 			result = L2CAP_CR_PEND;
3903 			status = L2CAP_CS_AUTHEN_PEND;
3904 		}
3905 	} else {
3906 		l2cap_state_change(chan, BT_CONNECT2);
3907 		result = L2CAP_CR_PEND;
3908 		status = L2CAP_CS_NO_INFO;
3909 	}
3910 
3911 response:
3912 	l2cap_chan_unlock(pchan);
3913 	mutex_unlock(&conn->chan_lock);
3914 	l2cap_chan_put(pchan);
3915 
3916 sendresp:
3917 	rsp.scid   = cpu_to_le16(scid);
3918 	rsp.dcid   = cpu_to_le16(dcid);
3919 	rsp.result = cpu_to_le16(result);
3920 	rsp.status = cpu_to_le16(status);
3921 	l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3922 
3923 	if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3924 		struct l2cap_info_req info;
3925 		info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3926 
3927 		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3928 		conn->info_ident = l2cap_get_ident(conn);
3929 
3930 		schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3931 
3932 		l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3933 			       sizeof(info), &info);
3934 	}
3935 
3936 	if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3937 	    result == L2CAP_CR_SUCCESS) {
3938 		u8 buf[128];
3939 		set_bit(CONF_REQ_SENT, &chan->conf_state);
3940 		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3941 			       l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3942 		chan->num_conf_req++;
3943 	}
3944 
3945 	return chan;
3946 }
3947 
3948 static int l2cap_connect_req(struct l2cap_conn *conn,
3949 			     struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3950 {
3951 	struct hci_dev *hdev = conn->hcon->hdev;
3952 	struct hci_conn *hcon = conn->hcon;
3953 
3954 	if (cmd_len < sizeof(struct l2cap_conn_req))
3955 		return -EPROTO;
3956 
3957 	hci_dev_lock(hdev);
3958 	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3959 	    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3960 		mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3961 	hci_dev_unlock(hdev);
3962 
3963 	l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3964 	return 0;
3965 }
3966 
3967 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3968 				    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3969 				    u8 *data)
3970 {
3971 	struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3972 	u16 scid, dcid, result, status;
3973 	struct l2cap_chan *chan;
3974 	u8 req[128];
3975 	int err;
3976 
3977 	if (cmd_len < sizeof(*rsp))
3978 		return -EPROTO;
3979 
3980 	scid   = __le16_to_cpu(rsp->scid);
3981 	dcid   = __le16_to_cpu(rsp->dcid);
3982 	result = __le16_to_cpu(rsp->result);
3983 	status = __le16_to_cpu(rsp->status);
3984 
3985 	BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3986 	       dcid, scid, result, status);
3987 
3988 	mutex_lock(&conn->chan_lock);
3989 
3990 	if (scid) {
3991 		chan = __l2cap_get_chan_by_scid(conn, scid);
3992 		if (!chan) {
3993 			err = -EBADSLT;
3994 			goto unlock;
3995 		}
3996 	} else {
3997 		chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3998 		if (!chan) {
3999 			err = -EBADSLT;
4000 			goto unlock;
4001 		}
4002 	}
4003 
4004 	err = 0;
4005 
4006 	l2cap_chan_lock(chan);
4007 
4008 	switch (result) {
4009 	case L2CAP_CR_SUCCESS:
4010 		l2cap_state_change(chan, BT_CONFIG);
4011 		chan->ident = 0;
4012 		chan->dcid = dcid;
4013 		clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4014 
4015 		if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4016 			break;
4017 
4018 		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4019 			       l2cap_build_conf_req(chan, req, sizeof(req)), req);
4020 		chan->num_conf_req++;
4021 		break;
4022 
4023 	case L2CAP_CR_PEND:
4024 		set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4025 		break;
4026 
4027 	default:
4028 		l2cap_chan_del(chan, ECONNREFUSED);
4029 		break;
4030 	}
4031 
4032 	l2cap_chan_unlock(chan);
4033 
4034 unlock:
4035 	mutex_unlock(&conn->chan_lock);
4036 
4037 	return err;
4038 }
4039 
4040 static inline void set_default_fcs(struct l2cap_chan *chan)
4041 {
4042 	/* FCS is enabled only in ERTM or streaming mode, if one or both
4043 	 * sides request it.
4044 	 */
4045 	if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4046 		chan->fcs = L2CAP_FCS_NONE;
4047 	else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4048 		chan->fcs = L2CAP_FCS_CRC16;
4049 }
4050 
4051 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4052 				    u8 ident, u16 flags)
4053 {
4054 	struct l2cap_conn *conn = chan->conn;
4055 
4056 	BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4057 	       flags);
4058 
4059 	clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4060 	set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4061 
4062 	l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4063 		       l2cap_build_conf_rsp(chan, data,
4064 					    L2CAP_CONF_SUCCESS, flags), data);
4065 }
4066 
4067 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4068 				   u16 scid, u16 dcid)
4069 {
4070 	struct l2cap_cmd_rej_cid rej;
4071 
4072 	rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4073 	rej.scid = __cpu_to_le16(scid);
4074 	rej.dcid = __cpu_to_le16(dcid);
4075 
4076 	l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4077 }
4078 
4079 static inline int l2cap_config_req(struct l2cap_conn *conn,
4080 				   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4081 				   u8 *data)
4082 {
4083 	struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4084 	u16 dcid, flags;
4085 	u8 rsp[64];
4086 	struct l2cap_chan *chan;
4087 	int len, err = 0;
4088 
4089 	if (cmd_len < sizeof(*req))
4090 		return -EPROTO;
4091 
4092 	dcid  = __le16_to_cpu(req->dcid);
4093 	flags = __le16_to_cpu(req->flags);
4094 
4095 	BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4096 
4097 	chan = l2cap_get_chan_by_scid(conn, dcid);
4098 	if (!chan) {
4099 		cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4100 		return 0;
4101 	}
4102 
4103 	if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4104 		cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4105 				       chan->dcid);
4106 		goto unlock;
4107 	}
4108 
4109 	/* Reject if config buffer is too small. */
4110 	len = cmd_len - sizeof(*req);
4111 	if (chan->conf_len + len > sizeof(chan->conf_req)) {
4112 		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4113 			       l2cap_build_conf_rsp(chan, rsp,
4114 			       L2CAP_CONF_REJECT, flags), rsp);
4115 		goto unlock;
4116 	}
4117 
4118 	/* Store config. */
4119 	memcpy(chan->conf_req + chan->conf_len, req->data, len);
4120 	chan->conf_len += len;
4121 
4122 	if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4123 		/* Incomplete config. Send empty response. */
4124 		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4125 			       l2cap_build_conf_rsp(chan, rsp,
4126 			       L2CAP_CONF_SUCCESS, flags), rsp);
4127 		goto unlock;
4128 	}
4129 
4130 	/* Complete config. */
4131 	len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4132 	if (len < 0) {
4133 		l2cap_send_disconn_req(chan, ECONNRESET);
4134 		goto unlock;
4135 	}
4136 
4137 	chan->ident = cmd->ident;
4138 	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4139 	chan->num_conf_rsp++;
4140 
4141 	/* Reset config buffer. */
4142 	chan->conf_len = 0;
4143 
4144 	if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4145 		goto unlock;
4146 
4147 	if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4148 		set_default_fcs(chan);
4149 
4150 		if (chan->mode == L2CAP_MODE_ERTM ||
4151 		    chan->mode == L2CAP_MODE_STREAMING)
4152 			err = l2cap_ertm_init(chan);
4153 
4154 		if (err < 0)
4155 			l2cap_send_disconn_req(chan, -err);
4156 		else
4157 			l2cap_chan_ready(chan);
4158 
4159 		goto unlock;
4160 	}
4161 
4162 	if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4163 		u8 buf[64];
4164 		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4165 			       l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4166 		chan->num_conf_req++;
4167 	}
4168 
4169 	/* Got Conf Rsp PENDING from remote side and assume we sent
4170 	   Conf Rsp PENDING in the code above */
4171 	if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4172 	    test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4173 
4174 		/* check compatibility */
4175 
4176 		/* Send rsp for BR/EDR channel */
4177 		if (!chan->hs_hcon)
4178 			l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4179 		else
4180 			chan->ident = cmd->ident;
4181 	}
4182 
4183 unlock:
4184 	l2cap_chan_unlock(chan);
4185 	return err;
4186 }
4187 
4188 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4189 				   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4190 				   u8 *data)
4191 {
4192 	struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4193 	u16 scid, flags, result;
4194 	struct l2cap_chan *chan;
4195 	int len = cmd_len - sizeof(*rsp);
4196 	int err = 0;
4197 
4198 	if (cmd_len < sizeof(*rsp))
4199 		return -EPROTO;
4200 
4201 	scid   = __le16_to_cpu(rsp->scid);
4202 	flags  = __le16_to_cpu(rsp->flags);
4203 	result = __le16_to_cpu(rsp->result);
4204 
4205 	BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4206 	       result, len);
4207 
4208 	chan = l2cap_get_chan_by_scid(conn, scid);
4209 	if (!chan)
4210 		return 0;
4211 
4212 	switch (result) {
4213 	case L2CAP_CONF_SUCCESS:
4214 		l2cap_conf_rfc_get(chan, rsp->data, len);
4215 		clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4216 		break;
4217 
4218 	case L2CAP_CONF_PENDING:
4219 		set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4220 
4221 		if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4222 			char buf[64];
4223 
4224 			len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4225 						   buf, sizeof(buf), &result);
4226 			if (len < 0) {
4227 				l2cap_send_disconn_req(chan, ECONNRESET);
4228 				goto done;
4229 			}
4230 
4231 			if (!chan->hs_hcon) {
4232 				l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4233 							0);
4234 			} else {
4235 				if (l2cap_check_efs(chan)) {
4236 					amp_create_logical_link(chan);
4237 					chan->ident = cmd->ident;
4238 				}
4239 			}
4240 		}
4241 		goto done;
4242 
4243 	case L2CAP_CONF_UNACCEPT:
4244 		if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4245 			char req[64];
4246 
4247 			if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4248 				l2cap_send_disconn_req(chan, ECONNRESET);
4249 				goto done;
4250 			}
4251 
4252 			/* throw out any old stored conf requests */
4253 			result = L2CAP_CONF_SUCCESS;
4254 			len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4255 						   req, sizeof(req), &result);
4256 			if (len < 0) {
4257 				l2cap_send_disconn_req(chan, ECONNRESET);
4258 				goto done;
4259 			}
4260 
4261 			l2cap_send_cmd(conn, l2cap_get_ident(conn),
4262 				       L2CAP_CONF_REQ, len, req);
4263 			chan->num_conf_req++;
4264 			if (result != L2CAP_CONF_SUCCESS)
4265 				goto done;
4266 			break;
4267 		}
4268 		/* fall through */
4269 
4270 	default:
4271 		l2cap_chan_set_err(chan, ECONNRESET);
4272 
4273 		__set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4274 		l2cap_send_disconn_req(chan, ECONNRESET);
4275 		goto done;
4276 	}
4277 
4278 	if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4279 		goto done;
4280 
4281 	set_bit(CONF_INPUT_DONE, &chan->conf_state);
4282 
4283 	if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4284 		set_default_fcs(chan);
4285 
4286 		if (chan->mode == L2CAP_MODE_ERTM ||
4287 		    chan->mode == L2CAP_MODE_STREAMING)
4288 			err = l2cap_ertm_init(chan);
4289 
4290 		if (err < 0)
4291 			l2cap_send_disconn_req(chan, -err);
4292 		else
4293 			l2cap_chan_ready(chan);
4294 	}
4295 
4296 done:
4297 	l2cap_chan_unlock(chan);
4298 	return err;
4299 }
4300 
4301 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4302 				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4303 				       u8 *data)
4304 {
4305 	struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4306 	struct l2cap_disconn_rsp rsp;
4307 	u16 dcid, scid;
4308 	struct l2cap_chan *chan;
4309 
4310 	if (cmd_len != sizeof(*req))
4311 		return -EPROTO;
4312 
4313 	scid = __le16_to_cpu(req->scid);
4314 	dcid = __le16_to_cpu(req->dcid);
4315 
4316 	BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4317 
4318 	mutex_lock(&conn->chan_lock);
4319 
4320 	chan = __l2cap_get_chan_by_scid(conn, dcid);
4321 	if (!chan) {
4322 		mutex_unlock(&conn->chan_lock);
4323 		cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4324 		return 0;
4325 	}
4326 
4327 	l2cap_chan_lock(chan);
4328 
4329 	rsp.dcid = cpu_to_le16(chan->scid);
4330 	rsp.scid = cpu_to_le16(chan->dcid);
4331 	l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4332 
4333 	chan->ops->set_shutdown(chan);
4334 
4335 	l2cap_chan_hold(chan);
4336 	l2cap_chan_del(chan, ECONNRESET);
4337 
4338 	l2cap_chan_unlock(chan);
4339 
4340 	chan->ops->close(chan);
4341 	l2cap_chan_put(chan);
4342 
4343 	mutex_unlock(&conn->chan_lock);
4344 
4345 	return 0;
4346 }
4347 
4348 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4349 				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4350 				       u8 *data)
4351 {
4352 	struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4353 	u16 dcid, scid;
4354 	struct l2cap_chan *chan;
4355 
4356 	if (cmd_len != sizeof(*rsp))
4357 		return -EPROTO;
4358 
4359 	scid = __le16_to_cpu(rsp->scid);
4360 	dcid = __le16_to_cpu(rsp->dcid);
4361 
4362 	BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4363 
4364 	mutex_lock(&conn->chan_lock);
4365 
4366 	chan = __l2cap_get_chan_by_scid(conn, scid);
4367 	if (!chan) {
4368 		mutex_unlock(&conn->chan_lock);
4369 		return 0;
4370 	}
4371 
4372 	l2cap_chan_lock(chan);
4373 
4374 	l2cap_chan_hold(chan);
4375 	l2cap_chan_del(chan, 0);
4376 
4377 	l2cap_chan_unlock(chan);
4378 
4379 	chan->ops->close(chan);
4380 	l2cap_chan_put(chan);
4381 
4382 	mutex_unlock(&conn->chan_lock);
4383 
4384 	return 0;
4385 }
4386 
4387 static inline int l2cap_information_req(struct l2cap_conn *conn,
4388 					struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4389 					u8 *data)
4390 {
4391 	struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4392 	u16 type;
4393 
4394 	if (cmd_len != sizeof(*req))
4395 		return -EPROTO;
4396 
4397 	type = __le16_to_cpu(req->type);
4398 
4399 	BT_DBG("type 0x%4.4x", type);
4400 
4401 	if (type == L2CAP_IT_FEAT_MASK) {
4402 		u8 buf[8];
4403 		u32 feat_mask = l2cap_feat_mask;
4404 		struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4405 		rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4406 		rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4407 		if (!disable_ertm)
4408 			feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4409 				| L2CAP_FEAT_FCS;
4410 		if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4411 			feat_mask |= L2CAP_FEAT_EXT_FLOW
4412 				| L2CAP_FEAT_EXT_WINDOW;
4413 
4414 		put_unaligned_le32(feat_mask, rsp->data);
4415 		l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4416 			       buf);
4417 	} else if (type == L2CAP_IT_FIXED_CHAN) {
4418 		u8 buf[12];
4419 		struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4420 
4421 		rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4422 		rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4423 		rsp->data[0] = conn->local_fixed_chan;
4424 		memset(rsp->data + 1, 0, 7);
4425 		l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4426 			       buf);
4427 	} else {
4428 		struct l2cap_info_rsp rsp;
4429 		rsp.type   = cpu_to_le16(type);
4430 		rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4431 		l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4432 			       &rsp);
4433 	}
4434 
4435 	return 0;
4436 }
4437 
4438 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4439 					struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4440 					u8 *data)
4441 {
4442 	struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4443 	u16 type, result;
4444 
4445 	if (cmd_len < sizeof(*rsp))
4446 		return -EPROTO;
4447 
4448 	type   = __le16_to_cpu(rsp->type);
4449 	result = __le16_to_cpu(rsp->result);
4450 
4451 	BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4452 
4453 	/* L2CAP Info req/rsp are unbound to channels, add extra checks */
4454 	if (cmd->ident != conn->info_ident ||
4455 	    conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4456 		return 0;
4457 
4458 	cancel_delayed_work(&conn->info_timer);
4459 
4460 	if (result != L2CAP_IR_SUCCESS) {
4461 		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4462 		conn->info_ident = 0;
4463 
4464 		l2cap_conn_start(conn);
4465 
4466 		return 0;
4467 	}
4468 
4469 	switch (type) {
4470 	case L2CAP_IT_FEAT_MASK:
4471 		conn->feat_mask = get_unaligned_le32(rsp->data);
4472 
4473 		if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4474 			struct l2cap_info_req req;
4475 			req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4476 
4477 			conn->info_ident = l2cap_get_ident(conn);
4478 
4479 			l2cap_send_cmd(conn, conn->info_ident,
4480 				       L2CAP_INFO_REQ, sizeof(req), &req);
4481 		} else {
4482 			conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4483 			conn->info_ident = 0;
4484 
4485 			l2cap_conn_start(conn);
4486 		}
4487 		break;
4488 
4489 	case L2CAP_IT_FIXED_CHAN:
4490 		conn->remote_fixed_chan = rsp->data[0];
4491 		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4492 		conn->info_ident = 0;
4493 
4494 		l2cap_conn_start(conn);
4495 		break;
4496 	}
4497 
4498 	return 0;
4499 }
4500 
4501 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4502 				    struct l2cap_cmd_hdr *cmd,
4503 				    u16 cmd_len, void *data)
4504 {
4505 	struct l2cap_create_chan_req *req = data;
4506 	struct l2cap_create_chan_rsp rsp;
4507 	struct l2cap_chan *chan;
4508 	struct hci_dev *hdev;
4509 	u16 psm, scid;
4510 
4511 	if (cmd_len != sizeof(*req))
4512 		return -EPROTO;
4513 
4514 	if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4515 		return -EINVAL;
4516 
4517 	psm = le16_to_cpu(req->psm);
4518 	scid = le16_to_cpu(req->scid);
4519 
4520 	BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4521 
4522 	/* For controller id 0 make BR/EDR connection */
4523 	if (req->amp_id == AMP_ID_BREDR) {
4524 		l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4525 			      req->amp_id);
4526 		return 0;
4527 	}
4528 
4529 	/* Validate AMP controller id */
4530 	hdev = hci_dev_get(req->amp_id);
4531 	if (!hdev)
4532 		goto error;
4533 
4534 	if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4535 		hci_dev_put(hdev);
4536 		goto error;
4537 	}
4538 
4539 	chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4540 			     req->amp_id);
4541 	if (chan) {
4542 		struct amp_mgr *mgr = conn->hcon->amp_mgr;
4543 		struct hci_conn *hs_hcon;
4544 
4545 		hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4546 						  &conn->hcon->dst);
4547 		if (!hs_hcon) {
4548 			hci_dev_put(hdev);
4549 			cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4550 					       chan->dcid);
4551 			return 0;
4552 		}
4553 
4554 		BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4555 
4556 		mgr->bredr_chan = chan;
4557 		chan->hs_hcon = hs_hcon;
4558 		chan->fcs = L2CAP_FCS_NONE;
4559 		conn->mtu = hdev->block_mtu;
4560 	}
4561 
4562 	hci_dev_put(hdev);
4563 
4564 	return 0;
4565 
4566 error:
4567 	rsp.dcid = 0;
4568 	rsp.scid = cpu_to_le16(scid);
4569 	rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4570 	rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4571 
4572 	l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4573 		       sizeof(rsp), &rsp);
4574 
4575 	return 0;
4576 }
4577 
4578 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4579 {
4580 	struct l2cap_move_chan_req req;
4581 	u8 ident;
4582 
4583 	BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4584 
4585 	ident = l2cap_get_ident(chan->conn);
4586 	chan->ident = ident;
4587 
4588 	req.icid = cpu_to_le16(chan->scid);
4589 	req.dest_amp_id = dest_amp_id;
4590 
4591 	l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4592 		       &req);
4593 
4594 	__set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4595 }
4596 
4597 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4598 {
4599 	struct l2cap_move_chan_rsp rsp;
4600 
4601 	BT_DBG("chan %p, result 0x%4.4x", chan, result);
4602 
4603 	rsp.icid = cpu_to_le16(chan->dcid);
4604 	rsp.result = cpu_to_le16(result);
4605 
4606 	l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4607 		       sizeof(rsp), &rsp);
4608 }
4609 
4610 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4611 {
4612 	struct l2cap_move_chan_cfm cfm;
4613 
4614 	BT_DBG("chan %p, result 0x%4.4x", chan, result);
4615 
4616 	chan->ident = l2cap_get_ident(chan->conn);
4617 
4618 	cfm.icid = cpu_to_le16(chan->scid);
4619 	cfm.result = cpu_to_le16(result);
4620 
4621 	l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4622 		       sizeof(cfm), &cfm);
4623 
4624 	__set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4625 }
4626 
4627 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4628 {
4629 	struct l2cap_move_chan_cfm cfm;
4630 
4631 	BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4632 
4633 	cfm.icid = cpu_to_le16(icid);
4634 	cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4635 
4636 	l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4637 		       sizeof(cfm), &cfm);
4638 }
4639 
4640 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4641 					 u16 icid)
4642 {
4643 	struct l2cap_move_chan_cfm_rsp rsp;
4644 
4645 	BT_DBG("icid 0x%4.4x", icid);
4646 
4647 	rsp.icid = cpu_to_le16(icid);
4648 	l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4649 }
4650 
4651 static void __release_logical_link(struct l2cap_chan *chan)
4652 {
4653 	chan->hs_hchan = NULL;
4654 	chan->hs_hcon = NULL;
4655 
4656 	/* Placeholder - release the logical link */
4657 }
4658 
4659 static void l2cap_logical_fail(struct l2cap_chan *chan)
4660 {
4661 	/* Logical link setup failed */
4662 	if (chan->state != BT_CONNECTED) {
4663 		/* Create channel failure, disconnect */
4664 		l2cap_send_disconn_req(chan, ECONNRESET);
4665 		return;
4666 	}
4667 
4668 	switch (chan->move_role) {
4669 	case L2CAP_MOVE_ROLE_RESPONDER:
4670 		l2cap_move_done(chan);
4671 		l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4672 		break;
4673 	case L2CAP_MOVE_ROLE_INITIATOR:
4674 		if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4675 		    chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4676 			/* Remote has only sent pending or
4677 			 * success responses, clean up
4678 			 */
4679 			l2cap_move_done(chan);
4680 		}
4681 
4682 		/* Other amp move states imply that the move
4683 		 * has already aborted
4684 		 */
4685 		l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4686 		break;
4687 	}
4688 }
4689 
4690 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4691 					struct hci_chan *hchan)
4692 {
4693 	struct l2cap_conf_rsp rsp;
4694 
4695 	chan->hs_hchan = hchan;
4696 	chan->hs_hcon->l2cap_data = chan->conn;
4697 
4698 	l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4699 
4700 	if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4701 		int err;
4702 
4703 		set_default_fcs(chan);
4704 
4705 		err = l2cap_ertm_init(chan);
4706 		if (err < 0)
4707 			l2cap_send_disconn_req(chan, -err);
4708 		else
4709 			l2cap_chan_ready(chan);
4710 	}
4711 }
4712 
4713 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4714 				      struct hci_chan *hchan)
4715 {
4716 	chan->hs_hcon = hchan->conn;
4717 	chan->hs_hcon->l2cap_data = chan->conn;
4718 
4719 	BT_DBG("move_state %d", chan->move_state);
4720 
4721 	switch (chan->move_state) {
4722 	case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4723 		/* Move confirm will be sent after a success
4724 		 * response is received
4725 		 */
4726 		chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4727 		break;
4728 	case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4729 		if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4730 			chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4731 		} else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4732 			chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4733 			l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4734 		} else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4735 			chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4736 			l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4737 		}
4738 		break;
4739 	default:
4740 		/* Move was not in expected state, free the channel */
4741 		__release_logical_link(chan);
4742 
4743 		chan->move_state = L2CAP_MOVE_STABLE;
4744 	}
4745 }
4746 
4747 /* Call with chan locked */
4748 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4749 		       u8 status)
4750 {
4751 	BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4752 
4753 	if (status) {
4754 		l2cap_logical_fail(chan);
4755 		__release_logical_link(chan);
4756 		return;
4757 	}
4758 
4759 	if (chan->state != BT_CONNECTED) {
4760 		/* Ignore logical link if channel is on BR/EDR */
4761 		if (chan->local_amp_id != AMP_ID_BREDR)
4762 			l2cap_logical_finish_create(chan, hchan);
4763 	} else {
4764 		l2cap_logical_finish_move(chan, hchan);
4765 	}
4766 }
4767 
4768 void l2cap_move_start(struct l2cap_chan *chan)
4769 {
4770 	BT_DBG("chan %p", chan);
4771 
4772 	if (chan->local_amp_id == AMP_ID_BREDR) {
4773 		if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4774 			return;
4775 		chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4776 		chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4777 		/* Placeholder - start physical link setup */
4778 	} else {
4779 		chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4780 		chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4781 		chan->move_id = 0;
4782 		l2cap_move_setup(chan);
4783 		l2cap_send_move_chan_req(chan, 0);
4784 	}
4785 }
4786 
4787 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4788 			    u8 local_amp_id, u8 remote_amp_id)
4789 {
4790 	BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4791 	       local_amp_id, remote_amp_id);
4792 
4793 	chan->fcs = L2CAP_FCS_NONE;
4794 
4795 	/* Outgoing channel on AMP */
4796 	if (chan->state == BT_CONNECT) {
4797 		if (result == L2CAP_CR_SUCCESS) {
4798 			chan->local_amp_id = local_amp_id;
4799 			l2cap_send_create_chan_req(chan, remote_amp_id);
4800 		} else {
4801 			/* Revert to BR/EDR connect */
4802 			l2cap_send_conn_req(chan);
4803 		}
4804 
4805 		return;
4806 	}
4807 
4808 	/* Incoming channel on AMP */
4809 	if (__l2cap_no_conn_pending(chan)) {
4810 		struct l2cap_conn_rsp rsp;
4811 		char buf[128];
4812 		rsp.scid = cpu_to_le16(chan->dcid);
4813 		rsp.dcid = cpu_to_le16(chan->scid);
4814 
4815 		if (result == L2CAP_CR_SUCCESS) {
4816 			/* Send successful response */
4817 			rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4818 			rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4819 		} else {
4820 			/* Send negative response */
4821 			rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4822 			rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4823 		}
4824 
4825 		l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4826 			       sizeof(rsp), &rsp);
4827 
4828 		if (result == L2CAP_CR_SUCCESS) {
4829 			l2cap_state_change(chan, BT_CONFIG);
4830 			set_bit(CONF_REQ_SENT, &chan->conf_state);
4831 			l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4832 				       L2CAP_CONF_REQ,
4833 				       l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4834 			chan->num_conf_req++;
4835 		}
4836 	}
4837 }
4838 
4839 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4840 				   u8 remote_amp_id)
4841 {
4842 	l2cap_move_setup(chan);
4843 	chan->move_id = local_amp_id;
4844 	chan->move_state = L2CAP_MOVE_WAIT_RSP;
4845 
4846 	l2cap_send_move_chan_req(chan, remote_amp_id);
4847 }
4848 
4849 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4850 {
4851 	struct hci_chan *hchan = NULL;
4852 
4853 	/* Placeholder - get hci_chan for logical link */
4854 
4855 	if (hchan) {
4856 		if (hchan->state == BT_CONNECTED) {
4857 			/* Logical link is ready to go */
4858 			chan->hs_hcon = hchan->conn;
4859 			chan->hs_hcon->l2cap_data = chan->conn;
4860 			chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4861 			l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4862 
4863 			l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4864 		} else {
4865 			/* Wait for logical link to be ready */
4866 			chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4867 		}
4868 	} else {
4869 		/* Logical link not available */
4870 		l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4871 	}
4872 }
4873 
4874 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4875 {
4876 	if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4877 		u8 rsp_result;
4878 		if (result == -EINVAL)
4879 			rsp_result = L2CAP_MR_BAD_ID;
4880 		else
4881 			rsp_result = L2CAP_MR_NOT_ALLOWED;
4882 
4883 		l2cap_send_move_chan_rsp(chan, rsp_result);
4884 	}
4885 
4886 	chan->move_role = L2CAP_MOVE_ROLE_NONE;
4887 	chan->move_state = L2CAP_MOVE_STABLE;
4888 
4889 	/* Restart data transmission */
4890 	l2cap_ertm_send(chan);
4891 }
4892 
4893 /* Invoke with locked chan */
4894 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4895 {
4896 	u8 local_amp_id = chan->local_amp_id;
4897 	u8 remote_amp_id = chan->remote_amp_id;
4898 
4899 	BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4900 	       chan, result, local_amp_id, remote_amp_id);
4901 
4902 	if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4903 		l2cap_chan_unlock(chan);
4904 		return;
4905 	}
4906 
4907 	if (chan->state != BT_CONNECTED) {
4908 		l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4909 	} else if (result != L2CAP_MR_SUCCESS) {
4910 		l2cap_do_move_cancel(chan, result);
4911 	} else {
4912 		switch (chan->move_role) {
4913 		case L2CAP_MOVE_ROLE_INITIATOR:
4914 			l2cap_do_move_initiate(chan, local_amp_id,
4915 					       remote_amp_id);
4916 			break;
4917 		case L2CAP_MOVE_ROLE_RESPONDER:
4918 			l2cap_do_move_respond(chan, result);
4919 			break;
4920 		default:
4921 			l2cap_do_move_cancel(chan, result);
4922 			break;
4923 		}
4924 	}
4925 }
4926 
4927 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4928 					 struct l2cap_cmd_hdr *cmd,
4929 					 u16 cmd_len, void *data)
4930 {
4931 	struct l2cap_move_chan_req *req = data;
4932 	struct l2cap_move_chan_rsp rsp;
4933 	struct l2cap_chan *chan;
4934 	u16 icid = 0;
4935 	u16 result = L2CAP_MR_NOT_ALLOWED;
4936 
4937 	if (cmd_len != sizeof(*req))
4938 		return -EPROTO;
4939 
4940 	icid = le16_to_cpu(req->icid);
4941 
4942 	BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4943 
4944 	if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4945 		return -EINVAL;
4946 
4947 	chan = l2cap_get_chan_by_dcid(conn, icid);
4948 	if (!chan) {
4949 		rsp.icid = cpu_to_le16(icid);
4950 		rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4951 		l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4952 			       sizeof(rsp), &rsp);
4953 		return 0;
4954 	}
4955 
4956 	chan->ident = cmd->ident;
4957 
4958 	if (chan->scid < L2CAP_CID_DYN_START ||
4959 	    chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4960 	    (chan->mode != L2CAP_MODE_ERTM &&
4961 	     chan->mode != L2CAP_MODE_STREAMING)) {
4962 		result = L2CAP_MR_NOT_ALLOWED;
4963 		goto send_move_response;
4964 	}
4965 
4966 	if (chan->local_amp_id == req->dest_amp_id) {
4967 		result = L2CAP_MR_SAME_ID;
4968 		goto send_move_response;
4969 	}
4970 
4971 	if (req->dest_amp_id != AMP_ID_BREDR) {
4972 		struct hci_dev *hdev;
4973 		hdev = hci_dev_get(req->dest_amp_id);
4974 		if (!hdev || hdev->dev_type != HCI_AMP ||
4975 		    !test_bit(HCI_UP, &hdev->flags)) {
4976 			if (hdev)
4977 				hci_dev_put(hdev);
4978 
4979 			result = L2CAP_MR_BAD_ID;
4980 			goto send_move_response;
4981 		}
4982 		hci_dev_put(hdev);
4983 	}
4984 
4985 	/* Detect a move collision.  Only send a collision response
4986 	 * if this side has "lost", otherwise proceed with the move.
4987 	 * The winner has the larger bd_addr.
4988 	 */
4989 	if ((__chan_is_moving(chan) ||
4990 	     chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4991 	    bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4992 		result = L2CAP_MR_COLLISION;
4993 		goto send_move_response;
4994 	}
4995 
4996 	chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4997 	l2cap_move_setup(chan);
4998 	chan->move_id = req->dest_amp_id;
4999 	icid = chan->dcid;
5000 
5001 	if (req->dest_amp_id == AMP_ID_BREDR) {
5002 		/* Moving to BR/EDR */
5003 		if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5004 			chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5005 			result = L2CAP_MR_PEND;
5006 		} else {
5007 			chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5008 			result = L2CAP_MR_SUCCESS;
5009 		}
5010 	} else {
5011 		chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5012 		/* Placeholder - uncomment when amp functions are available */
5013 		/*amp_accept_physical(chan, req->dest_amp_id);*/
5014 		result = L2CAP_MR_PEND;
5015 	}
5016 
5017 send_move_response:
5018 	l2cap_send_move_chan_rsp(chan, result);
5019 
5020 	l2cap_chan_unlock(chan);
5021 
5022 	return 0;
5023 }
5024 
5025 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5026 {
5027 	struct l2cap_chan *chan;
5028 	struct hci_chan *hchan = NULL;
5029 
5030 	chan = l2cap_get_chan_by_scid(conn, icid);
5031 	if (!chan) {
5032 		l2cap_send_move_chan_cfm_icid(conn, icid);
5033 		return;
5034 	}
5035 
5036 	__clear_chan_timer(chan);
5037 	if (result == L2CAP_MR_PEND)
5038 		__set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5039 
5040 	switch (chan->move_state) {
5041 	case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5042 		/* Move confirm will be sent when logical link
5043 		 * is complete.
5044 		 */
5045 		chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5046 		break;
5047 	case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5048 		if (result == L2CAP_MR_PEND) {
5049 			break;
5050 		} else if (test_bit(CONN_LOCAL_BUSY,
5051 				    &chan->conn_state)) {
5052 			chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5053 		} else {
5054 			/* Logical link is up or moving to BR/EDR,
5055 			 * proceed with move
5056 			 */
5057 			chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5058 			l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5059 		}
5060 		break;
5061 	case L2CAP_MOVE_WAIT_RSP:
5062 		/* Moving to AMP */
5063 		if (result == L2CAP_MR_SUCCESS) {
5064 			/* Remote is ready, send confirm immediately
5065 			 * after logical link is ready
5066 			 */
5067 			chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5068 		} else {
5069 			/* Both logical link and move success
5070 			 * are required to confirm
5071 			 */
5072 			chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5073 		}
5074 
5075 		/* Placeholder - get hci_chan for logical link */
5076 		if (!hchan) {
5077 			/* Logical link not available */
5078 			l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5079 			break;
5080 		}
5081 
5082 		/* If the logical link is not yet connected, do not
5083 		 * send confirmation.
5084 		 */
5085 		if (hchan->state != BT_CONNECTED)
5086 			break;
5087 
5088 		/* Logical link is already ready to go */
5089 
5090 		chan->hs_hcon = hchan->conn;
5091 		chan->hs_hcon->l2cap_data = chan->conn;
5092 
5093 		if (result == L2CAP_MR_SUCCESS) {
5094 			/* Can confirm now */
5095 			l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5096 		} else {
5097 			/* Now only need move success
5098 			 * to confirm
5099 			 */
5100 			chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5101 		}
5102 
5103 		l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5104 		break;
5105 	default:
5106 		/* Any other amp move state means the move failed. */
5107 		chan->move_id = chan->local_amp_id;
5108 		l2cap_move_done(chan);
5109 		l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5110 	}
5111 
5112 	l2cap_chan_unlock(chan);
5113 }
5114 
5115 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5116 			    u16 result)
5117 {
5118 	struct l2cap_chan *chan;
5119 
5120 	chan = l2cap_get_chan_by_ident(conn, ident);
5121 	if (!chan) {
5122 		/* Could not locate channel, icid is best guess */
5123 		l2cap_send_move_chan_cfm_icid(conn, icid);
5124 		return;
5125 	}
5126 
5127 	__clear_chan_timer(chan);
5128 
5129 	if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5130 		if (result == L2CAP_MR_COLLISION) {
5131 			chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5132 		} else {
5133 			/* Cleanup - cancel move */
5134 			chan->move_id = chan->local_amp_id;
5135 			l2cap_move_done(chan);
5136 		}
5137 	}
5138 
5139 	l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5140 
5141 	l2cap_chan_unlock(chan);
5142 }
5143 
5144 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5145 				  struct l2cap_cmd_hdr *cmd,
5146 				  u16 cmd_len, void *data)
5147 {
5148 	struct l2cap_move_chan_rsp *rsp = data;
5149 	u16 icid, result;
5150 
5151 	if (cmd_len != sizeof(*rsp))
5152 		return -EPROTO;
5153 
5154 	icid = le16_to_cpu(rsp->icid);
5155 	result = le16_to_cpu(rsp->result);
5156 
5157 	BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5158 
5159 	if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5160 		l2cap_move_continue(conn, icid, result);
5161 	else
5162 		l2cap_move_fail(conn, cmd->ident, icid, result);
5163 
5164 	return 0;
5165 }
5166 
5167 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5168 				      struct l2cap_cmd_hdr *cmd,
5169 				      u16 cmd_len, void *data)
5170 {
5171 	struct l2cap_move_chan_cfm *cfm = data;
5172 	struct l2cap_chan *chan;
5173 	u16 icid, result;
5174 
5175 	if (cmd_len != sizeof(*cfm))
5176 		return -EPROTO;
5177 
5178 	icid = le16_to_cpu(cfm->icid);
5179 	result = le16_to_cpu(cfm->result);
5180 
5181 	BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5182 
5183 	chan = l2cap_get_chan_by_dcid(conn, icid);
5184 	if (!chan) {
5185 		/* Spec requires a response even if the icid was not found */
5186 		l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5187 		return 0;
5188 	}
5189 
5190 	if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5191 		if (result == L2CAP_MC_CONFIRMED) {
5192 			chan->local_amp_id = chan->move_id;
5193 			if (chan->local_amp_id == AMP_ID_BREDR)
5194 				__release_logical_link(chan);
5195 		} else {
5196 			chan->move_id = chan->local_amp_id;
5197 		}
5198 
5199 		l2cap_move_done(chan);
5200 	}
5201 
5202 	l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5203 
5204 	l2cap_chan_unlock(chan);
5205 
5206 	return 0;
5207 }
5208 
5209 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5210 						 struct l2cap_cmd_hdr *cmd,
5211 						 u16 cmd_len, void *data)
5212 {
5213 	struct l2cap_move_chan_cfm_rsp *rsp = data;
5214 	struct l2cap_chan *chan;
5215 	u16 icid;
5216 
5217 	if (cmd_len != sizeof(*rsp))
5218 		return -EPROTO;
5219 
5220 	icid = le16_to_cpu(rsp->icid);
5221 
5222 	BT_DBG("icid 0x%4.4x", icid);
5223 
5224 	chan = l2cap_get_chan_by_scid(conn, icid);
5225 	if (!chan)
5226 		return 0;
5227 
5228 	__clear_chan_timer(chan);
5229 
5230 	if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5231 		chan->local_amp_id = chan->move_id;
5232 
5233 		if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5234 			__release_logical_link(chan);
5235 
5236 		l2cap_move_done(chan);
5237 	}
5238 
5239 	l2cap_chan_unlock(chan);
5240 
5241 	return 0;
5242 }
5243 
5244 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5245 					      struct l2cap_cmd_hdr *cmd,
5246 					      u16 cmd_len, u8 *data)
5247 {
5248 	struct hci_conn *hcon = conn->hcon;
5249 	struct l2cap_conn_param_update_req *req;
5250 	struct l2cap_conn_param_update_rsp rsp;
5251 	u16 min, max, latency, to_multiplier;
5252 	int err;
5253 
5254 	if (hcon->role != HCI_ROLE_MASTER)
5255 		return -EINVAL;
5256 
5257 	if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5258 		return -EPROTO;
5259 
5260 	req = (struct l2cap_conn_param_update_req *) data;
5261 	min		= __le16_to_cpu(req->min);
5262 	max		= __le16_to_cpu(req->max);
5263 	latency		= __le16_to_cpu(req->latency);
5264 	to_multiplier	= __le16_to_cpu(req->to_multiplier);
5265 
5266 	BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5267 	       min, max, latency, to_multiplier);
5268 
5269 	memset(&rsp, 0, sizeof(rsp));
5270 
5271 	err = hci_check_conn_params(min, max, latency, to_multiplier);
5272 	if (err)
5273 		rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5274 	else
5275 		rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5276 
5277 	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5278 		       sizeof(rsp), &rsp);
5279 
5280 	if (!err) {
5281 		u8 store_hint;
5282 
5283 		store_hint = hci_le_conn_update(hcon, min, max, latency,
5284 						to_multiplier);
5285 		mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5286 				    store_hint, min, max, latency,
5287 				    to_multiplier);
5288 
5289 	}
5290 
5291 	return 0;
5292 }
5293 
5294 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5295 				struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5296 				u8 *data)
5297 {
5298 	struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5299 	struct hci_conn *hcon = conn->hcon;
5300 	u16 dcid, mtu, mps, credits, result;
5301 	struct l2cap_chan *chan;
5302 	int err, sec_level;
5303 
5304 	if (cmd_len < sizeof(*rsp))
5305 		return -EPROTO;
5306 
5307 	dcid    = __le16_to_cpu(rsp->dcid);
5308 	mtu     = __le16_to_cpu(rsp->mtu);
5309 	mps     = __le16_to_cpu(rsp->mps);
5310 	credits = __le16_to_cpu(rsp->credits);
5311 	result  = __le16_to_cpu(rsp->result);
5312 
5313 	if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5314 					   dcid < L2CAP_CID_DYN_START ||
5315 					   dcid > L2CAP_CID_LE_DYN_END))
5316 		return -EPROTO;
5317 
5318 	BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5319 	       dcid, mtu, mps, credits, result);
5320 
5321 	mutex_lock(&conn->chan_lock);
5322 
5323 	chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5324 	if (!chan) {
5325 		err = -EBADSLT;
5326 		goto unlock;
5327 	}
5328 
5329 	err = 0;
5330 
5331 	l2cap_chan_lock(chan);
5332 
5333 	switch (result) {
5334 	case L2CAP_CR_LE_SUCCESS:
5335 		if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5336 			err = -EBADSLT;
5337 			break;
5338 		}
5339 
5340 		chan->ident = 0;
5341 		chan->dcid = dcid;
5342 		chan->omtu = mtu;
5343 		chan->remote_mps = mps;
5344 		chan->tx_credits = credits;
5345 		l2cap_chan_ready(chan);
5346 		break;
5347 
5348 	case L2CAP_CR_LE_AUTHENTICATION:
5349 	case L2CAP_CR_LE_ENCRYPTION:
5350 		/* If we already have MITM protection we can't do
5351 		 * anything.
5352 		 */
5353 		if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5354 			l2cap_chan_del(chan, ECONNREFUSED);
5355 			break;
5356 		}
5357 
5358 		sec_level = hcon->sec_level + 1;
5359 		if (chan->sec_level < sec_level)
5360 			chan->sec_level = sec_level;
5361 
5362 		/* We'll need to send a new Connect Request */
5363 		clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5364 
5365 		smp_conn_security(hcon, chan->sec_level);
5366 		break;
5367 
5368 	default:
5369 		l2cap_chan_del(chan, ECONNREFUSED);
5370 		break;
5371 	}
5372 
5373 	l2cap_chan_unlock(chan);
5374 
5375 unlock:
5376 	mutex_unlock(&conn->chan_lock);
5377 
5378 	return err;
5379 }
5380 
5381 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5382 				      struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5383 				      u8 *data)
5384 {
5385 	int err = 0;
5386 
5387 	switch (cmd->code) {
5388 	case L2CAP_COMMAND_REJ:
5389 		l2cap_command_rej(conn, cmd, cmd_len, data);
5390 		break;
5391 
5392 	case L2CAP_CONN_REQ:
5393 		err = l2cap_connect_req(conn, cmd, cmd_len, data);
5394 		break;
5395 
5396 	case L2CAP_CONN_RSP:
5397 	case L2CAP_CREATE_CHAN_RSP:
5398 		l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5399 		break;
5400 
5401 	case L2CAP_CONF_REQ:
5402 		err = l2cap_config_req(conn, cmd, cmd_len, data);
5403 		break;
5404 
5405 	case L2CAP_CONF_RSP:
5406 		l2cap_config_rsp(conn, cmd, cmd_len, data);
5407 		break;
5408 
5409 	case L2CAP_DISCONN_REQ:
5410 		err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5411 		break;
5412 
5413 	case L2CAP_DISCONN_RSP:
5414 		l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5415 		break;
5416 
5417 	case L2CAP_ECHO_REQ:
5418 		l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5419 		break;
5420 
5421 	case L2CAP_ECHO_RSP:
5422 		break;
5423 
5424 	case L2CAP_INFO_REQ:
5425 		err = l2cap_information_req(conn, cmd, cmd_len, data);
5426 		break;
5427 
5428 	case L2CAP_INFO_RSP:
5429 		l2cap_information_rsp(conn, cmd, cmd_len, data);
5430 		break;
5431 
5432 	case L2CAP_CREATE_CHAN_REQ:
5433 		err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5434 		break;
5435 
5436 	case L2CAP_MOVE_CHAN_REQ:
5437 		err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5438 		break;
5439 
5440 	case L2CAP_MOVE_CHAN_RSP:
5441 		l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5442 		break;
5443 
5444 	case L2CAP_MOVE_CHAN_CFM:
5445 		err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5446 		break;
5447 
5448 	case L2CAP_MOVE_CHAN_CFM_RSP:
5449 		l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5450 		break;
5451 
5452 	default:
5453 		BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5454 		err = -EINVAL;
5455 		break;
5456 	}
5457 
5458 	return err;
5459 }
5460 
5461 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5462 				struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5463 				u8 *data)
5464 {
5465 	struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5466 	struct l2cap_le_conn_rsp rsp;
5467 	struct l2cap_chan *chan, *pchan;
5468 	u16 dcid, scid, credits, mtu, mps;
5469 	__le16 psm;
5470 	u8 result;
5471 
5472 	if (cmd_len != sizeof(*req))
5473 		return -EPROTO;
5474 
5475 	scid = __le16_to_cpu(req->scid);
5476 	mtu  = __le16_to_cpu(req->mtu);
5477 	mps  = __le16_to_cpu(req->mps);
5478 	psm  = req->psm;
5479 	dcid = 0;
5480 	credits = 0;
5481 
5482 	if (mtu < 23 || mps < 23)
5483 		return -EPROTO;
5484 
5485 	BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5486 	       scid, mtu, mps);
5487 
5488 	/* Check if we have socket listening on psm */
5489 	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5490 					 &conn->hcon->dst, LE_LINK);
5491 	if (!pchan) {
5492 		result = L2CAP_CR_LE_BAD_PSM;
5493 		chan = NULL;
5494 		goto response;
5495 	}
5496 
5497 	mutex_lock(&conn->chan_lock);
5498 	l2cap_chan_lock(pchan);
5499 
5500 	if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5501 				     SMP_ALLOW_STK)) {
5502 		result = L2CAP_CR_LE_AUTHENTICATION;
5503 		chan = NULL;
5504 		goto response_unlock;
5505 	}
5506 
5507 	/* Check for valid dynamic CID range */
5508 	if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5509 		result = L2CAP_CR_LE_INVALID_SCID;
5510 		chan = NULL;
5511 		goto response_unlock;
5512 	}
5513 
5514 	/* Check if we already have channel with that dcid */
5515 	if (__l2cap_get_chan_by_dcid(conn, scid)) {
5516 		result = L2CAP_CR_LE_SCID_IN_USE;
5517 		chan = NULL;
5518 		goto response_unlock;
5519 	}
5520 
5521 	chan = pchan->ops->new_connection(pchan);
5522 	if (!chan) {
5523 		result = L2CAP_CR_LE_NO_MEM;
5524 		goto response_unlock;
5525 	}
5526 
5527 	bacpy(&chan->src, &conn->hcon->src);
5528 	bacpy(&chan->dst, &conn->hcon->dst);
5529 	chan->src_type = bdaddr_src_type(conn->hcon);
5530 	chan->dst_type = bdaddr_dst_type(conn->hcon);
5531 	chan->psm  = psm;
5532 	chan->dcid = scid;
5533 	chan->omtu = mtu;
5534 	chan->remote_mps = mps;
5535 	chan->tx_credits = __le16_to_cpu(req->credits);
5536 
5537 	__l2cap_chan_add(conn, chan);
5538 
5539 	l2cap_le_flowctl_init(chan);
5540 
5541 	dcid = chan->scid;
5542 	credits = chan->rx_credits;
5543 
5544 	__set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5545 
5546 	chan->ident = cmd->ident;
5547 
5548 	if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5549 		l2cap_state_change(chan, BT_CONNECT2);
5550 		/* The following result value is actually not defined
5551 		 * for LE CoC but we use it to let the function know
5552 		 * that it should bail out after doing its cleanup
5553 		 * instead of sending a response.
5554 		 */
5555 		result = L2CAP_CR_PEND;
5556 		chan->ops->defer(chan);
5557 	} else {
5558 		l2cap_chan_ready(chan);
5559 		result = L2CAP_CR_LE_SUCCESS;
5560 	}
5561 
5562 response_unlock:
5563 	l2cap_chan_unlock(pchan);
5564 	mutex_unlock(&conn->chan_lock);
5565 	l2cap_chan_put(pchan);
5566 
5567 	if (result == L2CAP_CR_PEND)
5568 		return 0;
5569 
5570 response:
5571 	if (chan) {
5572 		rsp.mtu = cpu_to_le16(chan->imtu);
5573 		rsp.mps = cpu_to_le16(chan->mps);
5574 	} else {
5575 		rsp.mtu = 0;
5576 		rsp.mps = 0;
5577 	}
5578 
5579 	rsp.dcid    = cpu_to_le16(dcid);
5580 	rsp.credits = cpu_to_le16(credits);
5581 	rsp.result  = cpu_to_le16(result);
5582 
5583 	l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5584 
5585 	return 0;
5586 }
5587 
5588 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5589 				   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5590 				   u8 *data)
5591 {
5592 	struct l2cap_le_credits *pkt;
5593 	struct l2cap_chan *chan;
5594 	u16 cid, credits, max_credits;
5595 
5596 	if (cmd_len != sizeof(*pkt))
5597 		return -EPROTO;
5598 
5599 	pkt = (struct l2cap_le_credits *) data;
5600 	cid	= __le16_to_cpu(pkt->cid);
5601 	credits	= __le16_to_cpu(pkt->credits);
5602 
5603 	BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5604 
5605 	chan = l2cap_get_chan_by_dcid(conn, cid);
5606 	if (!chan)
5607 		return -EBADSLT;
5608 
5609 	max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5610 	if (credits > max_credits) {
5611 		BT_ERR("LE credits overflow");
5612 		l2cap_send_disconn_req(chan, ECONNRESET);
5613 		l2cap_chan_unlock(chan);
5614 
5615 		/* Return 0 so that we don't trigger an unnecessary
5616 		 * command reject packet.
5617 		 */
5618 		return 0;
5619 	}
5620 
5621 	chan->tx_credits += credits;
5622 
5623 	/* Resume sending */
5624 	l2cap_le_flowctl_send(chan);
5625 
5626 	if (chan->tx_credits)
5627 		chan->ops->resume(chan);
5628 
5629 	l2cap_chan_unlock(chan);
5630 
5631 	return 0;
5632 }
5633 
5634 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5635 				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5636 				       u8 *data)
5637 {
5638 	struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5639 	struct l2cap_chan *chan;
5640 
5641 	if (cmd_len < sizeof(*rej))
5642 		return -EPROTO;
5643 
5644 	mutex_lock(&conn->chan_lock);
5645 
5646 	chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5647 	if (!chan)
5648 		goto done;
5649 
5650 	l2cap_chan_lock(chan);
5651 	l2cap_chan_del(chan, ECONNREFUSED);
5652 	l2cap_chan_unlock(chan);
5653 
5654 done:
5655 	mutex_unlock(&conn->chan_lock);
5656 	return 0;
5657 }
5658 
5659 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5660 				   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5661 				   u8 *data)
5662 {
5663 	int err = 0;
5664 
5665 	switch (cmd->code) {
5666 	case L2CAP_COMMAND_REJ:
5667 		l2cap_le_command_rej(conn, cmd, cmd_len, data);
5668 		break;
5669 
5670 	case L2CAP_CONN_PARAM_UPDATE_REQ:
5671 		err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5672 		break;
5673 
5674 	case L2CAP_CONN_PARAM_UPDATE_RSP:
5675 		break;
5676 
5677 	case L2CAP_LE_CONN_RSP:
5678 		l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5679 		break;
5680 
5681 	case L2CAP_LE_CONN_REQ:
5682 		err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5683 		break;
5684 
5685 	case L2CAP_LE_CREDITS:
5686 		err = l2cap_le_credits(conn, cmd, cmd_len, data);
5687 		break;
5688 
5689 	case L2CAP_DISCONN_REQ:
5690 		err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5691 		break;
5692 
5693 	case L2CAP_DISCONN_RSP:
5694 		l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5695 		break;
5696 
5697 	default:
5698 		BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5699 		err = -EINVAL;
5700 		break;
5701 	}
5702 
5703 	return err;
5704 }
5705 
5706 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5707 					struct sk_buff *skb)
5708 {
5709 	struct hci_conn *hcon = conn->hcon;
5710 	struct l2cap_cmd_hdr *cmd;
5711 	u16 len;
5712 	int err;
5713 
5714 	if (hcon->type != LE_LINK)
5715 		goto drop;
5716 
5717 	if (skb->len < L2CAP_CMD_HDR_SIZE)
5718 		goto drop;
5719 
5720 	cmd = (void *) skb->data;
5721 	skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5722 
5723 	len = le16_to_cpu(cmd->len);
5724 
5725 	BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5726 
5727 	if (len != skb->len || !cmd->ident) {
5728 		BT_DBG("corrupted command");
5729 		goto drop;
5730 	}
5731 
5732 	err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5733 	if (err) {
5734 		struct l2cap_cmd_rej_unk rej;
5735 
5736 		BT_ERR("Wrong link type (%d)", err);
5737 
5738 		rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5739 		l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5740 			       sizeof(rej), &rej);
5741 	}
5742 
5743 drop:
5744 	kfree_skb(skb);
5745 }
5746 
5747 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5748 				     struct sk_buff *skb)
5749 {
5750 	struct hci_conn *hcon = conn->hcon;
5751 	u8 *data = skb->data;
5752 	int len = skb->len;
5753 	struct l2cap_cmd_hdr cmd;
5754 	int err;
5755 
5756 	l2cap_raw_recv(conn, skb);
5757 
5758 	if (hcon->type != ACL_LINK)
5759 		goto drop;
5760 
5761 	while (len >= L2CAP_CMD_HDR_SIZE) {
5762 		u16 cmd_len;
5763 		memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5764 		data += L2CAP_CMD_HDR_SIZE;
5765 		len  -= L2CAP_CMD_HDR_SIZE;
5766 
5767 		cmd_len = le16_to_cpu(cmd.len);
5768 
5769 		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5770 		       cmd.ident);
5771 
5772 		if (cmd_len > len || !cmd.ident) {
5773 			BT_DBG("corrupted command");
5774 			break;
5775 		}
5776 
5777 		err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5778 		if (err) {
5779 			struct l2cap_cmd_rej_unk rej;
5780 
5781 			BT_ERR("Wrong link type (%d)", err);
5782 
5783 			rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5784 			l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5785 				       sizeof(rej), &rej);
5786 		}
5787 
5788 		data += cmd_len;
5789 		len  -= cmd_len;
5790 	}
5791 
5792 drop:
5793 	kfree_skb(skb);
5794 }
5795 
5796 static int l2cap_check_fcs(struct l2cap_chan *chan,  struct sk_buff *skb)
5797 {
5798 	u16 our_fcs, rcv_fcs;
5799 	int hdr_size;
5800 
5801 	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5802 		hdr_size = L2CAP_EXT_HDR_SIZE;
5803 	else
5804 		hdr_size = L2CAP_ENH_HDR_SIZE;
5805 
5806 	if (chan->fcs == L2CAP_FCS_CRC16) {
5807 		skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5808 		rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5809 		our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5810 
5811 		if (our_fcs != rcv_fcs)
5812 			return -EBADMSG;
5813 	}
5814 	return 0;
5815 }
5816 
5817 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5818 {
5819 	struct l2cap_ctrl control;
5820 
5821 	BT_DBG("chan %p", chan);
5822 
5823 	memset(&control, 0, sizeof(control));
5824 	control.sframe = 1;
5825 	control.final = 1;
5826 	control.reqseq = chan->buffer_seq;
5827 	set_bit(CONN_SEND_FBIT, &chan->conn_state);
5828 
5829 	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5830 		control.super = L2CAP_SUPER_RNR;
5831 		l2cap_send_sframe(chan, &control);
5832 	}
5833 
5834 	if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5835 	    chan->unacked_frames > 0)
5836 		__set_retrans_timer(chan);
5837 
5838 	/* Send pending iframes */
5839 	l2cap_ertm_send(chan);
5840 
5841 	if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5842 	    test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5843 		/* F-bit wasn't sent in an s-frame or i-frame yet, so
5844 		 * send it now.
5845 		 */
5846 		control.super = L2CAP_SUPER_RR;
5847 		l2cap_send_sframe(chan, &control);
5848 	}
5849 }
5850 
5851 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5852 			    struct sk_buff **last_frag)
5853 {
5854 	/* skb->len reflects data in skb as well as all fragments
5855 	 * skb->data_len reflects only data in fragments
5856 	 */
5857 	if (!skb_has_frag_list(skb))
5858 		skb_shinfo(skb)->frag_list = new_frag;
5859 
5860 	new_frag->next = NULL;
5861 
5862 	(*last_frag)->next = new_frag;
5863 	*last_frag = new_frag;
5864 
5865 	skb->len += new_frag->len;
5866 	skb->data_len += new_frag->len;
5867 	skb->truesize += new_frag->truesize;
5868 }
5869 
5870 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5871 				struct l2cap_ctrl *control)
5872 {
5873 	int err = -EINVAL;
5874 
5875 	switch (control->sar) {
5876 	case L2CAP_SAR_UNSEGMENTED:
5877 		if (chan->sdu)
5878 			break;
5879 
5880 		err = chan->ops->recv(chan, skb);
5881 		break;
5882 
5883 	case L2CAP_SAR_START:
5884 		if (chan->sdu)
5885 			break;
5886 
5887 		if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5888 			break;
5889 
5890 		chan->sdu_len = get_unaligned_le16(skb->data);
5891 		skb_pull(skb, L2CAP_SDULEN_SIZE);
5892 
5893 		if (chan->sdu_len > chan->imtu) {
5894 			err = -EMSGSIZE;
5895 			break;
5896 		}
5897 
5898 		if (skb->len >= chan->sdu_len)
5899 			break;
5900 
5901 		chan->sdu = skb;
5902 		chan->sdu_last_frag = skb;
5903 
5904 		skb = NULL;
5905 		err = 0;
5906 		break;
5907 
5908 	case L2CAP_SAR_CONTINUE:
5909 		if (!chan->sdu)
5910 			break;
5911 
5912 		append_skb_frag(chan->sdu, skb,
5913 				&chan->sdu_last_frag);
5914 		skb = NULL;
5915 
5916 		if (chan->sdu->len >= chan->sdu_len)
5917 			break;
5918 
5919 		err = 0;
5920 		break;
5921 
5922 	case L2CAP_SAR_END:
5923 		if (!chan->sdu)
5924 			break;
5925 
5926 		append_skb_frag(chan->sdu, skb,
5927 				&chan->sdu_last_frag);
5928 		skb = NULL;
5929 
5930 		if (chan->sdu->len != chan->sdu_len)
5931 			break;
5932 
5933 		err = chan->ops->recv(chan, chan->sdu);
5934 
5935 		if (!err) {
5936 			/* Reassembly complete */
5937 			chan->sdu = NULL;
5938 			chan->sdu_last_frag = NULL;
5939 			chan->sdu_len = 0;
5940 		}
5941 		break;
5942 	}
5943 
5944 	if (err) {
5945 		kfree_skb(skb);
5946 		kfree_skb(chan->sdu);
5947 		chan->sdu = NULL;
5948 		chan->sdu_last_frag = NULL;
5949 		chan->sdu_len = 0;
5950 	}
5951 
5952 	return err;
5953 }
5954 
5955 static int l2cap_resegment(struct l2cap_chan *chan)
5956 {
5957 	/* Placeholder */
5958 	return 0;
5959 }
5960 
5961 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5962 {
5963 	u8 event;
5964 
5965 	if (chan->mode != L2CAP_MODE_ERTM)
5966 		return;
5967 
5968 	event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5969 	l2cap_tx(chan, NULL, NULL, event);
5970 }
5971 
5972 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5973 {
5974 	int err = 0;
5975 	/* Pass sequential frames to l2cap_reassemble_sdu()
5976 	 * until a gap is encountered.
5977 	 */
5978 
5979 	BT_DBG("chan %p", chan);
5980 
5981 	while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5982 		struct sk_buff *skb;
5983 		BT_DBG("Searching for skb with txseq %d (queue len %d)",
5984 		       chan->buffer_seq, skb_queue_len(&chan->srej_q));
5985 
5986 		skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5987 
5988 		if (!skb)
5989 			break;
5990 
5991 		skb_unlink(skb, &chan->srej_q);
5992 		chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5993 		err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5994 		if (err)
5995 			break;
5996 	}
5997 
5998 	if (skb_queue_empty(&chan->srej_q)) {
5999 		chan->rx_state = L2CAP_RX_STATE_RECV;
6000 		l2cap_send_ack(chan);
6001 	}
6002 
6003 	return err;
6004 }
6005 
6006 static void l2cap_handle_srej(struct l2cap_chan *chan,
6007 			      struct l2cap_ctrl *control)
6008 {
6009 	struct sk_buff *skb;
6010 
6011 	BT_DBG("chan %p, control %p", chan, control);
6012 
6013 	if (control->reqseq == chan->next_tx_seq) {
6014 		BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6015 		l2cap_send_disconn_req(chan, ECONNRESET);
6016 		return;
6017 	}
6018 
6019 	skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6020 
6021 	if (skb == NULL) {
6022 		BT_DBG("Seq %d not available for retransmission",
6023 		       control->reqseq);
6024 		return;
6025 	}
6026 
6027 	if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6028 		BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6029 		l2cap_send_disconn_req(chan, ECONNRESET);
6030 		return;
6031 	}
6032 
6033 	clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6034 
6035 	if (control->poll) {
6036 		l2cap_pass_to_tx(chan, control);
6037 
6038 		set_bit(CONN_SEND_FBIT, &chan->conn_state);
6039 		l2cap_retransmit(chan, control);
6040 		l2cap_ertm_send(chan);
6041 
6042 		if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6043 			set_bit(CONN_SREJ_ACT, &chan->conn_state);
6044 			chan->srej_save_reqseq = control->reqseq;
6045 		}
6046 	} else {
6047 		l2cap_pass_to_tx_fbit(chan, control);
6048 
6049 		if (control->final) {
6050 			if (chan->srej_save_reqseq != control->reqseq ||
6051 			    !test_and_clear_bit(CONN_SREJ_ACT,
6052 						&chan->conn_state))
6053 				l2cap_retransmit(chan, control);
6054 		} else {
6055 			l2cap_retransmit(chan, control);
6056 			if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6057 				set_bit(CONN_SREJ_ACT, &chan->conn_state);
6058 				chan->srej_save_reqseq = control->reqseq;
6059 			}
6060 		}
6061 	}
6062 }
6063 
6064 static void l2cap_handle_rej(struct l2cap_chan *chan,
6065 			     struct l2cap_ctrl *control)
6066 {
6067 	struct sk_buff *skb;
6068 
6069 	BT_DBG("chan %p, control %p", chan, control);
6070 
6071 	if (control->reqseq == chan->next_tx_seq) {
6072 		BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6073 		l2cap_send_disconn_req(chan, ECONNRESET);
6074 		return;
6075 	}
6076 
6077 	skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6078 
6079 	if (chan->max_tx && skb &&
6080 	    bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6081 		BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6082 		l2cap_send_disconn_req(chan, ECONNRESET);
6083 		return;
6084 	}
6085 
6086 	clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6087 
6088 	l2cap_pass_to_tx(chan, control);
6089 
6090 	if (control->final) {
6091 		if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6092 			l2cap_retransmit_all(chan, control);
6093 	} else {
6094 		l2cap_retransmit_all(chan, control);
6095 		l2cap_ertm_send(chan);
6096 		if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6097 			set_bit(CONN_REJ_ACT, &chan->conn_state);
6098 	}
6099 }
6100 
6101 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6102 {
6103 	BT_DBG("chan %p, txseq %d", chan, txseq);
6104 
6105 	BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6106 	       chan->expected_tx_seq);
6107 
6108 	if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6109 		if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6110 		    chan->tx_win) {
6111 			/* See notes below regarding "double poll" and
6112 			 * invalid packets.
6113 			 */
6114 			if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6115 				BT_DBG("Invalid/Ignore - after SREJ");
6116 				return L2CAP_TXSEQ_INVALID_IGNORE;
6117 			} else {
6118 				BT_DBG("Invalid - in window after SREJ sent");
6119 				return L2CAP_TXSEQ_INVALID;
6120 			}
6121 		}
6122 
6123 		if (chan->srej_list.head == txseq) {
6124 			BT_DBG("Expected SREJ");
6125 			return L2CAP_TXSEQ_EXPECTED_SREJ;
6126 		}
6127 
6128 		if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6129 			BT_DBG("Duplicate SREJ - txseq already stored");
6130 			return L2CAP_TXSEQ_DUPLICATE_SREJ;
6131 		}
6132 
6133 		if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6134 			BT_DBG("Unexpected SREJ - not requested");
6135 			return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6136 		}
6137 	}
6138 
6139 	if (chan->expected_tx_seq == txseq) {
6140 		if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6141 		    chan->tx_win) {
6142 			BT_DBG("Invalid - txseq outside tx window");
6143 			return L2CAP_TXSEQ_INVALID;
6144 		} else {
6145 			BT_DBG("Expected");
6146 			return L2CAP_TXSEQ_EXPECTED;
6147 		}
6148 	}
6149 
6150 	if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6151 	    __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6152 		BT_DBG("Duplicate - expected_tx_seq later than txseq");
6153 		return L2CAP_TXSEQ_DUPLICATE;
6154 	}
6155 
6156 	if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6157 		/* A source of invalid packets is a "double poll" condition,
6158 		 * where delays cause us to send multiple poll packets.  If
6159 		 * the remote stack receives and processes both polls,
6160 		 * sequence numbers can wrap around in such a way that a
6161 		 * resent frame has a sequence number that looks like new data
6162 		 * with a sequence gap.  This would trigger an erroneous SREJ
6163 		 * request.
6164 		 *
6165 		 * Fortunately, this is impossible with a tx window that's
6166 		 * less than half of the maximum sequence number, which allows
6167 		 * invalid frames to be safely ignored.
6168 		 *
6169 		 * With tx window sizes greater than half of the tx window
6170 		 * maximum, the frame is invalid and cannot be ignored.  This
6171 		 * causes a disconnect.
6172 		 */
6173 
6174 		if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6175 			BT_DBG("Invalid/Ignore - txseq outside tx window");
6176 			return L2CAP_TXSEQ_INVALID_IGNORE;
6177 		} else {
6178 			BT_DBG("Invalid - txseq outside tx window");
6179 			return L2CAP_TXSEQ_INVALID;
6180 		}
6181 	} else {
6182 		BT_DBG("Unexpected - txseq indicates missing frames");
6183 		return L2CAP_TXSEQ_UNEXPECTED;
6184 	}
6185 }
6186 
6187 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6188 			       struct l2cap_ctrl *control,
6189 			       struct sk_buff *skb, u8 event)
6190 {
6191 	int err = 0;
6192 	bool skb_in_use = false;
6193 
6194 	BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6195 	       event);
6196 
6197 	switch (event) {
6198 	case L2CAP_EV_RECV_IFRAME:
6199 		switch (l2cap_classify_txseq(chan, control->txseq)) {
6200 		case L2CAP_TXSEQ_EXPECTED:
6201 			l2cap_pass_to_tx(chan, control);
6202 
6203 			if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6204 				BT_DBG("Busy, discarding expected seq %d",
6205 				       control->txseq);
6206 				break;
6207 			}
6208 
6209 			chan->expected_tx_seq = __next_seq(chan,
6210 							   control->txseq);
6211 
6212 			chan->buffer_seq = chan->expected_tx_seq;
6213 			skb_in_use = true;
6214 
6215 			err = l2cap_reassemble_sdu(chan, skb, control);
6216 			if (err)
6217 				break;
6218 
6219 			if (control->final) {
6220 				if (!test_and_clear_bit(CONN_REJ_ACT,
6221 							&chan->conn_state)) {
6222 					control->final = 0;
6223 					l2cap_retransmit_all(chan, control);
6224 					l2cap_ertm_send(chan);
6225 				}
6226 			}
6227 
6228 			if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6229 				l2cap_send_ack(chan);
6230 			break;
6231 		case L2CAP_TXSEQ_UNEXPECTED:
6232 			l2cap_pass_to_tx(chan, control);
6233 
6234 			/* Can't issue SREJ frames in the local busy state.
6235 			 * Drop this frame, it will be seen as missing
6236 			 * when local busy is exited.
6237 			 */
6238 			if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6239 				BT_DBG("Busy, discarding unexpected seq %d",
6240 				       control->txseq);
6241 				break;
6242 			}
6243 
6244 			/* There was a gap in the sequence, so an SREJ
6245 			 * must be sent for each missing frame.  The
6246 			 * current frame is stored for later use.
6247 			 */
6248 			skb_queue_tail(&chan->srej_q, skb);
6249 			skb_in_use = true;
6250 			BT_DBG("Queued %p (queue len %d)", skb,
6251 			       skb_queue_len(&chan->srej_q));
6252 
6253 			clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6254 			l2cap_seq_list_clear(&chan->srej_list);
6255 			l2cap_send_srej(chan, control->txseq);
6256 
6257 			chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6258 			break;
6259 		case L2CAP_TXSEQ_DUPLICATE:
6260 			l2cap_pass_to_tx(chan, control);
6261 			break;
6262 		case L2CAP_TXSEQ_INVALID_IGNORE:
6263 			break;
6264 		case L2CAP_TXSEQ_INVALID:
6265 		default:
6266 			l2cap_send_disconn_req(chan, ECONNRESET);
6267 			break;
6268 		}
6269 		break;
6270 	case L2CAP_EV_RECV_RR:
6271 		l2cap_pass_to_tx(chan, control);
6272 		if (control->final) {
6273 			clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6274 
6275 			if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6276 			    !__chan_is_moving(chan)) {
6277 				control->final = 0;
6278 				l2cap_retransmit_all(chan, control);
6279 			}
6280 
6281 			l2cap_ertm_send(chan);
6282 		} else if (control->poll) {
6283 			l2cap_send_i_or_rr_or_rnr(chan);
6284 		} else {
6285 			if (test_and_clear_bit(CONN_REMOTE_BUSY,
6286 					       &chan->conn_state) &&
6287 			    chan->unacked_frames)
6288 				__set_retrans_timer(chan);
6289 
6290 			l2cap_ertm_send(chan);
6291 		}
6292 		break;
6293 	case L2CAP_EV_RECV_RNR:
6294 		set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6295 		l2cap_pass_to_tx(chan, control);
6296 		if (control && control->poll) {
6297 			set_bit(CONN_SEND_FBIT, &chan->conn_state);
6298 			l2cap_send_rr_or_rnr(chan, 0);
6299 		}
6300 		__clear_retrans_timer(chan);
6301 		l2cap_seq_list_clear(&chan->retrans_list);
6302 		break;
6303 	case L2CAP_EV_RECV_REJ:
6304 		l2cap_handle_rej(chan, control);
6305 		break;
6306 	case L2CAP_EV_RECV_SREJ:
6307 		l2cap_handle_srej(chan, control);
6308 		break;
6309 	default:
6310 		break;
6311 	}
6312 
6313 	if (skb && !skb_in_use) {
6314 		BT_DBG("Freeing %p", skb);
6315 		kfree_skb(skb);
6316 	}
6317 
6318 	return err;
6319 }
6320 
6321 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6322 				    struct l2cap_ctrl *control,
6323 				    struct sk_buff *skb, u8 event)
6324 {
6325 	int err = 0;
6326 	u16 txseq = control->txseq;
6327 	bool skb_in_use = false;
6328 
6329 	BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6330 	       event);
6331 
6332 	switch (event) {
6333 	case L2CAP_EV_RECV_IFRAME:
6334 		switch (l2cap_classify_txseq(chan, txseq)) {
6335 		case L2CAP_TXSEQ_EXPECTED:
6336 			/* Keep frame for reassembly later */
6337 			l2cap_pass_to_tx(chan, control);
6338 			skb_queue_tail(&chan->srej_q, skb);
6339 			skb_in_use = true;
6340 			BT_DBG("Queued %p (queue len %d)", skb,
6341 			       skb_queue_len(&chan->srej_q));
6342 
6343 			chan->expected_tx_seq = __next_seq(chan, txseq);
6344 			break;
6345 		case L2CAP_TXSEQ_EXPECTED_SREJ:
6346 			l2cap_seq_list_pop(&chan->srej_list);
6347 
6348 			l2cap_pass_to_tx(chan, control);
6349 			skb_queue_tail(&chan->srej_q, skb);
6350 			skb_in_use = true;
6351 			BT_DBG("Queued %p (queue len %d)", skb,
6352 			       skb_queue_len(&chan->srej_q));
6353 
6354 			err = l2cap_rx_queued_iframes(chan);
6355 			if (err)
6356 				break;
6357 
6358 			break;
6359 		case L2CAP_TXSEQ_UNEXPECTED:
6360 			/* Got a frame that can't be reassembled yet.
6361 			 * Save it for later, and send SREJs to cover
6362 			 * the missing frames.
6363 			 */
6364 			skb_queue_tail(&chan->srej_q, skb);
6365 			skb_in_use = true;
6366 			BT_DBG("Queued %p (queue len %d)", skb,
6367 			       skb_queue_len(&chan->srej_q));
6368 
6369 			l2cap_pass_to_tx(chan, control);
6370 			l2cap_send_srej(chan, control->txseq);
6371 			break;
6372 		case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6373 			/* This frame was requested with an SREJ, but
6374 			 * some expected retransmitted frames are
6375 			 * missing.  Request retransmission of missing
6376 			 * SREJ'd frames.
6377 			 */
6378 			skb_queue_tail(&chan->srej_q, skb);
6379 			skb_in_use = true;
6380 			BT_DBG("Queued %p (queue len %d)", skb,
6381 			       skb_queue_len(&chan->srej_q));
6382 
6383 			l2cap_pass_to_tx(chan, control);
6384 			l2cap_send_srej_list(chan, control->txseq);
6385 			break;
6386 		case L2CAP_TXSEQ_DUPLICATE_SREJ:
6387 			/* We've already queued this frame.  Drop this copy. */
6388 			l2cap_pass_to_tx(chan, control);
6389 			break;
6390 		case L2CAP_TXSEQ_DUPLICATE:
6391 			/* Expecting a later sequence number, so this frame
6392 			 * was already received.  Ignore it completely.
6393 			 */
6394 			break;
6395 		case L2CAP_TXSEQ_INVALID_IGNORE:
6396 			break;
6397 		case L2CAP_TXSEQ_INVALID:
6398 		default:
6399 			l2cap_send_disconn_req(chan, ECONNRESET);
6400 			break;
6401 		}
6402 		break;
6403 	case L2CAP_EV_RECV_RR:
6404 		l2cap_pass_to_tx(chan, control);
6405 		if (control->final) {
6406 			clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6407 
6408 			if (!test_and_clear_bit(CONN_REJ_ACT,
6409 						&chan->conn_state)) {
6410 				control->final = 0;
6411 				l2cap_retransmit_all(chan, control);
6412 			}
6413 
6414 			l2cap_ertm_send(chan);
6415 		} else if (control->poll) {
6416 			if (test_and_clear_bit(CONN_REMOTE_BUSY,
6417 					       &chan->conn_state) &&
6418 			    chan->unacked_frames) {
6419 				__set_retrans_timer(chan);
6420 			}
6421 
6422 			set_bit(CONN_SEND_FBIT, &chan->conn_state);
6423 			l2cap_send_srej_tail(chan);
6424 		} else {
6425 			if (test_and_clear_bit(CONN_REMOTE_BUSY,
6426 					       &chan->conn_state) &&
6427 			    chan->unacked_frames)
6428 				__set_retrans_timer(chan);
6429 
6430 			l2cap_send_ack(chan);
6431 		}
6432 		break;
6433 	case L2CAP_EV_RECV_RNR:
6434 		set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6435 		l2cap_pass_to_tx(chan, control);
6436 		if (control->poll) {
6437 			l2cap_send_srej_tail(chan);
6438 		} else {
6439 			struct l2cap_ctrl rr_control;
6440 			memset(&rr_control, 0, sizeof(rr_control));
6441 			rr_control.sframe = 1;
6442 			rr_control.super = L2CAP_SUPER_RR;
6443 			rr_control.reqseq = chan->buffer_seq;
6444 			l2cap_send_sframe(chan, &rr_control);
6445 		}
6446 
6447 		break;
6448 	case L2CAP_EV_RECV_REJ:
6449 		l2cap_handle_rej(chan, control);
6450 		break;
6451 	case L2CAP_EV_RECV_SREJ:
6452 		l2cap_handle_srej(chan, control);
6453 		break;
6454 	}
6455 
6456 	if (skb && !skb_in_use) {
6457 		BT_DBG("Freeing %p", skb);
6458 		kfree_skb(skb);
6459 	}
6460 
6461 	return err;
6462 }
6463 
6464 static int l2cap_finish_move(struct l2cap_chan *chan)
6465 {
6466 	BT_DBG("chan %p", chan);
6467 
6468 	chan->rx_state = L2CAP_RX_STATE_RECV;
6469 
6470 	if (chan->hs_hcon)
6471 		chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6472 	else
6473 		chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6474 
6475 	return l2cap_resegment(chan);
6476 }
6477 
6478 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6479 				 struct l2cap_ctrl *control,
6480 				 struct sk_buff *skb, u8 event)
6481 {
6482 	int err;
6483 
6484 	BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6485 	       event);
6486 
6487 	if (!control->poll)
6488 		return -EPROTO;
6489 
6490 	l2cap_process_reqseq(chan, control->reqseq);
6491 
6492 	if (!skb_queue_empty(&chan->tx_q))
6493 		chan->tx_send_head = skb_peek(&chan->tx_q);
6494 	else
6495 		chan->tx_send_head = NULL;
6496 
6497 	/* Rewind next_tx_seq to the point expected
6498 	 * by the receiver.
6499 	 */
6500 	chan->next_tx_seq = control->reqseq;
6501 	chan->unacked_frames = 0;
6502 
6503 	err = l2cap_finish_move(chan);
6504 	if (err)
6505 		return err;
6506 
6507 	set_bit(CONN_SEND_FBIT, &chan->conn_state);
6508 	l2cap_send_i_or_rr_or_rnr(chan);
6509 
6510 	if (event == L2CAP_EV_RECV_IFRAME)
6511 		return -EPROTO;
6512 
6513 	return l2cap_rx_state_recv(chan, control, NULL, event);
6514 }
6515 
6516 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6517 				 struct l2cap_ctrl *control,
6518 				 struct sk_buff *skb, u8 event)
6519 {
6520 	int err;
6521 
6522 	if (!control->final)
6523 		return -EPROTO;
6524 
6525 	clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6526 
6527 	chan->rx_state = L2CAP_RX_STATE_RECV;
6528 	l2cap_process_reqseq(chan, control->reqseq);
6529 
6530 	if (!skb_queue_empty(&chan->tx_q))
6531 		chan->tx_send_head = skb_peek(&chan->tx_q);
6532 	else
6533 		chan->tx_send_head = NULL;
6534 
6535 	/* Rewind next_tx_seq to the point expected
6536 	 * by the receiver.
6537 	 */
6538 	chan->next_tx_seq = control->reqseq;
6539 	chan->unacked_frames = 0;
6540 
6541 	if (chan->hs_hcon)
6542 		chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6543 	else
6544 		chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6545 
6546 	err = l2cap_resegment(chan);
6547 
6548 	if (!err)
6549 		err = l2cap_rx_state_recv(chan, control, skb, event);
6550 
6551 	return err;
6552 }
6553 
6554 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6555 {
6556 	/* Make sure reqseq is for a packet that has been sent but not acked */
6557 	u16 unacked;
6558 
6559 	unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6560 	return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6561 }
6562 
6563 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6564 		    struct sk_buff *skb, u8 event)
6565 {
6566 	int err = 0;
6567 
6568 	BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6569 	       control, skb, event, chan->rx_state);
6570 
6571 	if (__valid_reqseq(chan, control->reqseq)) {
6572 		switch (chan->rx_state) {
6573 		case L2CAP_RX_STATE_RECV:
6574 			err = l2cap_rx_state_recv(chan, control, skb, event);
6575 			break;
6576 		case L2CAP_RX_STATE_SREJ_SENT:
6577 			err = l2cap_rx_state_srej_sent(chan, control, skb,
6578 						       event);
6579 			break;
6580 		case L2CAP_RX_STATE_WAIT_P:
6581 			err = l2cap_rx_state_wait_p(chan, control, skb, event);
6582 			break;
6583 		case L2CAP_RX_STATE_WAIT_F:
6584 			err = l2cap_rx_state_wait_f(chan, control, skb, event);
6585 			break;
6586 		default:
6587 			/* shut it down */
6588 			break;
6589 		}
6590 	} else {
6591 		BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6592 		       control->reqseq, chan->next_tx_seq,
6593 		       chan->expected_ack_seq);
6594 		l2cap_send_disconn_req(chan, ECONNRESET);
6595 	}
6596 
6597 	return err;
6598 }
6599 
6600 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6601 			   struct sk_buff *skb)
6602 {
6603 	BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6604 	       chan->rx_state);
6605 
6606 	if (l2cap_classify_txseq(chan, control->txseq) ==
6607 	    L2CAP_TXSEQ_EXPECTED) {
6608 		l2cap_pass_to_tx(chan, control);
6609 
6610 		BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6611 		       __next_seq(chan, chan->buffer_seq));
6612 
6613 		chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6614 
6615 		l2cap_reassemble_sdu(chan, skb, control);
6616 	} else {
6617 		if (chan->sdu) {
6618 			kfree_skb(chan->sdu);
6619 			chan->sdu = NULL;
6620 		}
6621 		chan->sdu_last_frag = NULL;
6622 		chan->sdu_len = 0;
6623 
6624 		if (skb) {
6625 			BT_DBG("Freeing %p", skb);
6626 			kfree_skb(skb);
6627 		}
6628 	}
6629 
6630 	chan->last_acked_seq = control->txseq;
6631 	chan->expected_tx_seq = __next_seq(chan, control->txseq);
6632 
6633 	return 0;
6634 }
6635 
6636 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6637 {
6638 	struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6639 	u16 len;
6640 	u8 event;
6641 
6642 	__unpack_control(chan, skb);
6643 
6644 	len = skb->len;
6645 
6646 	/*
6647 	 * We can just drop the corrupted I-frame here.
6648 	 * Receiver will miss it and start proper recovery
6649 	 * procedures and ask for retransmission.
6650 	 */
6651 	if (l2cap_check_fcs(chan, skb))
6652 		goto drop;
6653 
6654 	if (!control->sframe && control->sar == L2CAP_SAR_START)
6655 		len -= L2CAP_SDULEN_SIZE;
6656 
6657 	if (chan->fcs == L2CAP_FCS_CRC16)
6658 		len -= L2CAP_FCS_SIZE;
6659 
6660 	if (len > chan->mps) {
6661 		l2cap_send_disconn_req(chan, ECONNRESET);
6662 		goto drop;
6663 	}
6664 
6665 	if ((chan->mode == L2CAP_MODE_ERTM ||
6666 	     chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6667 		goto drop;
6668 
6669 	if (!control->sframe) {
6670 		int err;
6671 
6672 		BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6673 		       control->sar, control->reqseq, control->final,
6674 		       control->txseq);
6675 
6676 		/* Validate F-bit - F=0 always valid, F=1 only
6677 		 * valid in TX WAIT_F
6678 		 */
6679 		if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6680 			goto drop;
6681 
6682 		if (chan->mode != L2CAP_MODE_STREAMING) {
6683 			event = L2CAP_EV_RECV_IFRAME;
6684 			err = l2cap_rx(chan, control, skb, event);
6685 		} else {
6686 			err = l2cap_stream_rx(chan, control, skb);
6687 		}
6688 
6689 		if (err)
6690 			l2cap_send_disconn_req(chan, ECONNRESET);
6691 	} else {
6692 		const u8 rx_func_to_event[4] = {
6693 			L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6694 			L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6695 		};
6696 
6697 		/* Only I-frames are expected in streaming mode */
6698 		if (chan->mode == L2CAP_MODE_STREAMING)
6699 			goto drop;
6700 
6701 		BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6702 		       control->reqseq, control->final, control->poll,
6703 		       control->super);
6704 
6705 		if (len != 0) {
6706 			BT_ERR("Trailing bytes: %d in sframe", len);
6707 			l2cap_send_disconn_req(chan, ECONNRESET);
6708 			goto drop;
6709 		}
6710 
6711 		/* Validate F and P bits */
6712 		if (control->final && (control->poll ||
6713 				       chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6714 			goto drop;
6715 
6716 		event = rx_func_to_event[control->super];
6717 		if (l2cap_rx(chan, control, skb, event))
6718 			l2cap_send_disconn_req(chan, ECONNRESET);
6719 	}
6720 
6721 	return 0;
6722 
6723 drop:
6724 	kfree_skb(skb);
6725 	return 0;
6726 }
6727 
6728 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6729 {
6730 	struct l2cap_conn *conn = chan->conn;
6731 	struct l2cap_le_credits pkt;
6732 	u16 return_credits;
6733 
6734 	return_credits = ((chan->imtu / chan->mps) + 1) - chan->rx_credits;
6735 
6736 	if (!return_credits)
6737 		return;
6738 
6739 	BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6740 
6741 	chan->rx_credits += return_credits;
6742 
6743 	pkt.cid     = cpu_to_le16(chan->scid);
6744 	pkt.credits = cpu_to_le16(return_credits);
6745 
6746 	chan->ident = l2cap_get_ident(conn);
6747 
6748 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6749 }
6750 
6751 static int l2cap_le_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6752 {
6753 	int err;
6754 
6755 	BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6756 
6757 	/* Wait recv to confirm reception before updating the credits */
6758 	err = chan->ops->recv(chan, skb);
6759 
6760 	/* Update credits whenever an SDU is received */
6761 	l2cap_chan_le_send_credits(chan);
6762 
6763 	return err;
6764 }
6765 
6766 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6767 {
6768 	int err;
6769 
6770 	if (!chan->rx_credits) {
6771 		BT_ERR("No credits to receive LE L2CAP data");
6772 		l2cap_send_disconn_req(chan, ECONNRESET);
6773 		return -ENOBUFS;
6774 	}
6775 
6776 	if (chan->imtu < skb->len) {
6777 		BT_ERR("Too big LE L2CAP PDU");
6778 		return -ENOBUFS;
6779 	}
6780 
6781 	chan->rx_credits--;
6782 	BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6783 
6784 	/* Update if remote had run out of credits, this should only happens
6785 	 * if the remote is not using the entire MPS.
6786 	 */
6787 	if (!chan->rx_credits)
6788 		l2cap_chan_le_send_credits(chan);
6789 
6790 	err = 0;
6791 
6792 	if (!chan->sdu) {
6793 		u16 sdu_len;
6794 
6795 		sdu_len = get_unaligned_le16(skb->data);
6796 		skb_pull(skb, L2CAP_SDULEN_SIZE);
6797 
6798 		BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6799 		       sdu_len, skb->len, chan->imtu);
6800 
6801 		if (sdu_len > chan->imtu) {
6802 			BT_ERR("Too big LE L2CAP SDU length received");
6803 			err = -EMSGSIZE;
6804 			goto failed;
6805 		}
6806 
6807 		if (skb->len > sdu_len) {
6808 			BT_ERR("Too much LE L2CAP data received");
6809 			err = -EINVAL;
6810 			goto failed;
6811 		}
6812 
6813 		if (skb->len == sdu_len)
6814 			return l2cap_le_recv(chan, skb);
6815 
6816 		chan->sdu = skb;
6817 		chan->sdu_len = sdu_len;
6818 		chan->sdu_last_frag = skb;
6819 
6820 		/* Detect if remote is not able to use the selected MPS */
6821 		if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6822 			u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6823 
6824 			/* Adjust the number of credits */
6825 			BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6826 			chan->mps = mps_len;
6827 			l2cap_chan_le_send_credits(chan);
6828 		}
6829 
6830 		return 0;
6831 	}
6832 
6833 	BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6834 	       chan->sdu->len, skb->len, chan->sdu_len);
6835 
6836 	if (chan->sdu->len + skb->len > chan->sdu_len) {
6837 		BT_ERR("Too much LE L2CAP data received");
6838 		err = -EINVAL;
6839 		goto failed;
6840 	}
6841 
6842 	append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6843 	skb = NULL;
6844 
6845 	if (chan->sdu->len == chan->sdu_len) {
6846 		err = l2cap_le_recv(chan, chan->sdu);
6847 		if (!err) {
6848 			chan->sdu = NULL;
6849 			chan->sdu_last_frag = NULL;
6850 			chan->sdu_len = 0;
6851 		}
6852 	}
6853 
6854 failed:
6855 	if (err) {
6856 		kfree_skb(skb);
6857 		kfree_skb(chan->sdu);
6858 		chan->sdu = NULL;
6859 		chan->sdu_last_frag = NULL;
6860 		chan->sdu_len = 0;
6861 	}
6862 
6863 	/* We can't return an error here since we took care of the skb
6864 	 * freeing internally. An error return would cause the caller to
6865 	 * do a double-free of the skb.
6866 	 */
6867 	return 0;
6868 }
6869 
6870 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6871 			       struct sk_buff *skb)
6872 {
6873 	struct l2cap_chan *chan;
6874 
6875 	chan = l2cap_get_chan_by_scid(conn, cid);
6876 	if (!chan) {
6877 		if (cid == L2CAP_CID_A2MP) {
6878 			chan = a2mp_channel_create(conn, skb);
6879 			if (!chan) {
6880 				kfree_skb(skb);
6881 				return;
6882 			}
6883 
6884 			l2cap_chan_lock(chan);
6885 		} else {
6886 			BT_DBG("unknown cid 0x%4.4x", cid);
6887 			/* Drop packet and return */
6888 			kfree_skb(skb);
6889 			return;
6890 		}
6891 	}
6892 
6893 	BT_DBG("chan %p, len %d", chan, skb->len);
6894 
6895 	/* If we receive data on a fixed channel before the info req/rsp
6896 	 * procdure is done simply assume that the channel is supported
6897 	 * and mark it as ready.
6898 	 */
6899 	if (chan->chan_type == L2CAP_CHAN_FIXED)
6900 		l2cap_chan_ready(chan);
6901 
6902 	if (chan->state != BT_CONNECTED)
6903 		goto drop;
6904 
6905 	switch (chan->mode) {
6906 	case L2CAP_MODE_LE_FLOWCTL:
6907 		if (l2cap_le_data_rcv(chan, skb) < 0)
6908 			goto drop;
6909 
6910 		goto done;
6911 
6912 	case L2CAP_MODE_BASIC:
6913 		/* If socket recv buffers overflows we drop data here
6914 		 * which is *bad* because L2CAP has to be reliable.
6915 		 * But we don't have any other choice. L2CAP doesn't
6916 		 * provide flow control mechanism. */
6917 
6918 		if (chan->imtu < skb->len) {
6919 			BT_ERR("Dropping L2CAP data: receive buffer overflow");
6920 			goto drop;
6921 		}
6922 
6923 		if (!chan->ops->recv(chan, skb))
6924 			goto done;
6925 		break;
6926 
6927 	case L2CAP_MODE_ERTM:
6928 	case L2CAP_MODE_STREAMING:
6929 		l2cap_data_rcv(chan, skb);
6930 		goto done;
6931 
6932 	default:
6933 		BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6934 		break;
6935 	}
6936 
6937 drop:
6938 	kfree_skb(skb);
6939 
6940 done:
6941 	l2cap_chan_unlock(chan);
6942 }
6943 
6944 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6945 				  struct sk_buff *skb)
6946 {
6947 	struct hci_conn *hcon = conn->hcon;
6948 	struct l2cap_chan *chan;
6949 
6950 	if (hcon->type != ACL_LINK)
6951 		goto free_skb;
6952 
6953 	chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6954 					ACL_LINK);
6955 	if (!chan)
6956 		goto free_skb;
6957 
6958 	BT_DBG("chan %p, len %d", chan, skb->len);
6959 
6960 	if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6961 		goto drop;
6962 
6963 	if (chan->imtu < skb->len)
6964 		goto drop;
6965 
6966 	/* Store remote BD_ADDR and PSM for msg_name */
6967 	bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6968 	bt_cb(skb)->l2cap.psm = psm;
6969 
6970 	if (!chan->ops->recv(chan, skb)) {
6971 		l2cap_chan_put(chan);
6972 		return;
6973 	}
6974 
6975 drop:
6976 	l2cap_chan_put(chan);
6977 free_skb:
6978 	kfree_skb(skb);
6979 }
6980 
6981 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6982 {
6983 	struct l2cap_hdr *lh = (void *) skb->data;
6984 	struct hci_conn *hcon = conn->hcon;
6985 	u16 cid, len;
6986 	__le16 psm;
6987 
6988 	if (hcon->state != BT_CONNECTED) {
6989 		BT_DBG("queueing pending rx skb");
6990 		skb_queue_tail(&conn->pending_rx, skb);
6991 		return;
6992 	}
6993 
6994 	skb_pull(skb, L2CAP_HDR_SIZE);
6995 	cid = __le16_to_cpu(lh->cid);
6996 	len = __le16_to_cpu(lh->len);
6997 
6998 	if (len != skb->len) {
6999 		kfree_skb(skb);
7000 		return;
7001 	}
7002 
7003 	/* Since we can't actively block incoming LE connections we must
7004 	 * at least ensure that we ignore incoming data from them.
7005 	 */
7006 	if (hcon->type == LE_LINK &&
7007 	    hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7008 				   bdaddr_dst_type(hcon))) {
7009 		kfree_skb(skb);
7010 		return;
7011 	}
7012 
7013 	BT_DBG("len %d, cid 0x%4.4x", len, cid);
7014 
7015 	switch (cid) {
7016 	case L2CAP_CID_SIGNALING:
7017 		l2cap_sig_channel(conn, skb);
7018 		break;
7019 
7020 	case L2CAP_CID_CONN_LESS:
7021 		psm = get_unaligned((__le16 *) skb->data);
7022 		skb_pull(skb, L2CAP_PSMLEN_SIZE);
7023 		l2cap_conless_channel(conn, psm, skb);
7024 		break;
7025 
7026 	case L2CAP_CID_LE_SIGNALING:
7027 		l2cap_le_sig_channel(conn, skb);
7028 		break;
7029 
7030 	default:
7031 		l2cap_data_channel(conn, cid, skb);
7032 		break;
7033 	}
7034 }
7035 
7036 static void process_pending_rx(struct work_struct *work)
7037 {
7038 	struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7039 					       pending_rx_work);
7040 	struct sk_buff *skb;
7041 
7042 	BT_DBG("");
7043 
7044 	while ((skb = skb_dequeue(&conn->pending_rx)))
7045 		l2cap_recv_frame(conn, skb);
7046 }
7047 
7048 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7049 {
7050 	struct l2cap_conn *conn = hcon->l2cap_data;
7051 	struct hci_chan *hchan;
7052 
7053 	if (conn)
7054 		return conn;
7055 
7056 	hchan = hci_chan_create(hcon);
7057 	if (!hchan)
7058 		return NULL;
7059 
7060 	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7061 	if (!conn) {
7062 		hci_chan_del(hchan);
7063 		return NULL;
7064 	}
7065 
7066 	kref_init(&conn->ref);
7067 	hcon->l2cap_data = conn;
7068 	conn->hcon = hci_conn_get(hcon);
7069 	conn->hchan = hchan;
7070 
7071 	BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7072 
7073 	switch (hcon->type) {
7074 	case LE_LINK:
7075 		if (hcon->hdev->le_mtu) {
7076 			conn->mtu = hcon->hdev->le_mtu;
7077 			break;
7078 		}
7079 		/* fall through */
7080 	default:
7081 		conn->mtu = hcon->hdev->acl_mtu;
7082 		break;
7083 	}
7084 
7085 	conn->feat_mask = 0;
7086 
7087 	conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7088 
7089 	if (hcon->type == ACL_LINK &&
7090 	    hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7091 		conn->local_fixed_chan |= L2CAP_FC_A2MP;
7092 
7093 	if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7094 	    (bredr_sc_enabled(hcon->hdev) ||
7095 	     hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7096 		conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7097 
7098 	mutex_init(&conn->ident_lock);
7099 	mutex_init(&conn->chan_lock);
7100 
7101 	INIT_LIST_HEAD(&conn->chan_l);
7102 	INIT_LIST_HEAD(&conn->users);
7103 
7104 	INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7105 
7106 	skb_queue_head_init(&conn->pending_rx);
7107 	INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7108 	INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7109 
7110 	conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7111 
7112 	return conn;
7113 }
7114 
7115 static bool is_valid_psm(u16 psm, u8 dst_type) {
7116 	if (!psm)
7117 		return false;
7118 
7119 	if (bdaddr_type_is_le(dst_type))
7120 		return (psm <= 0x00ff);
7121 
7122 	/* PSM must be odd and lsb of upper byte must be 0 */
7123 	return ((psm & 0x0101) == 0x0001);
7124 }
7125 
7126 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7127 		       bdaddr_t *dst, u8 dst_type)
7128 {
7129 	struct l2cap_conn *conn;
7130 	struct hci_conn *hcon;
7131 	struct hci_dev *hdev;
7132 	int err;
7133 
7134 	BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7135 	       dst_type, __le16_to_cpu(psm));
7136 
7137 	hdev = hci_get_route(dst, &chan->src, chan->src_type);
7138 	if (!hdev)
7139 		return -EHOSTUNREACH;
7140 
7141 	hci_dev_lock(hdev);
7142 
7143 	if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7144 	    chan->chan_type != L2CAP_CHAN_RAW) {
7145 		err = -EINVAL;
7146 		goto done;
7147 	}
7148 
7149 	if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7150 		err = -EINVAL;
7151 		goto done;
7152 	}
7153 
7154 	if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7155 		err = -EINVAL;
7156 		goto done;
7157 	}
7158 
7159 	switch (chan->mode) {
7160 	case L2CAP_MODE_BASIC:
7161 		break;
7162 	case L2CAP_MODE_LE_FLOWCTL:
7163 		break;
7164 	case L2CAP_MODE_ERTM:
7165 	case L2CAP_MODE_STREAMING:
7166 		if (!disable_ertm)
7167 			break;
7168 		/* fall through */
7169 	default:
7170 		err = -EOPNOTSUPP;
7171 		goto done;
7172 	}
7173 
7174 	switch (chan->state) {
7175 	case BT_CONNECT:
7176 	case BT_CONNECT2:
7177 	case BT_CONFIG:
7178 		/* Already connecting */
7179 		err = 0;
7180 		goto done;
7181 
7182 	case BT_CONNECTED:
7183 		/* Already connected */
7184 		err = -EISCONN;
7185 		goto done;
7186 
7187 	case BT_OPEN:
7188 	case BT_BOUND:
7189 		/* Can connect */
7190 		break;
7191 
7192 	default:
7193 		err = -EBADFD;
7194 		goto done;
7195 	}
7196 
7197 	/* Set destination address and psm */
7198 	bacpy(&chan->dst, dst);
7199 	chan->dst_type = dst_type;
7200 
7201 	chan->psm = psm;
7202 	chan->dcid = cid;
7203 
7204 	if (bdaddr_type_is_le(dst_type)) {
7205 		/* Convert from L2CAP channel address type to HCI address type
7206 		 */
7207 		if (dst_type == BDADDR_LE_PUBLIC)
7208 			dst_type = ADDR_LE_DEV_PUBLIC;
7209 		else
7210 			dst_type = ADDR_LE_DEV_RANDOM;
7211 
7212 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7213 			hcon = hci_connect_le(hdev, dst, dst_type,
7214 					      chan->sec_level,
7215 					      HCI_LE_CONN_TIMEOUT,
7216 					      HCI_ROLE_SLAVE, NULL);
7217 		else
7218 			hcon = hci_connect_le_scan(hdev, dst, dst_type,
7219 						   chan->sec_level,
7220 						   HCI_LE_CONN_TIMEOUT);
7221 
7222 	} else {
7223 		u8 auth_type = l2cap_get_auth_type(chan);
7224 		hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7225 	}
7226 
7227 	if (IS_ERR(hcon)) {
7228 		err = PTR_ERR(hcon);
7229 		goto done;
7230 	}
7231 
7232 	conn = l2cap_conn_add(hcon);
7233 	if (!conn) {
7234 		hci_conn_drop(hcon);
7235 		err = -ENOMEM;
7236 		goto done;
7237 	}
7238 
7239 	mutex_lock(&conn->chan_lock);
7240 	l2cap_chan_lock(chan);
7241 
7242 	if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7243 		hci_conn_drop(hcon);
7244 		err = -EBUSY;
7245 		goto chan_unlock;
7246 	}
7247 
7248 	/* Update source addr of the socket */
7249 	bacpy(&chan->src, &hcon->src);
7250 	chan->src_type = bdaddr_src_type(hcon);
7251 
7252 	__l2cap_chan_add(conn, chan);
7253 
7254 	/* l2cap_chan_add takes its own ref so we can drop this one */
7255 	hci_conn_drop(hcon);
7256 
7257 	l2cap_state_change(chan, BT_CONNECT);
7258 	__set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7259 
7260 	/* Release chan->sport so that it can be reused by other
7261 	 * sockets (as it's only used for listening sockets).
7262 	 */
7263 	write_lock(&chan_list_lock);
7264 	chan->sport = 0;
7265 	write_unlock(&chan_list_lock);
7266 
7267 	if (hcon->state == BT_CONNECTED) {
7268 		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7269 			__clear_chan_timer(chan);
7270 			if (l2cap_chan_check_security(chan, true))
7271 				l2cap_state_change(chan, BT_CONNECTED);
7272 		} else
7273 			l2cap_do_start(chan);
7274 	}
7275 
7276 	err = 0;
7277 
7278 chan_unlock:
7279 	l2cap_chan_unlock(chan);
7280 	mutex_unlock(&conn->chan_lock);
7281 done:
7282 	hci_dev_unlock(hdev);
7283 	hci_dev_put(hdev);
7284 	return err;
7285 }
7286 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7287 
7288 /* ---- L2CAP interface with lower layer (HCI) ---- */
7289 
7290 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7291 {
7292 	int exact = 0, lm1 = 0, lm2 = 0;
7293 	struct l2cap_chan *c;
7294 
7295 	BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7296 
7297 	/* Find listening sockets and check their link_mode */
7298 	read_lock(&chan_list_lock);
7299 	list_for_each_entry(c, &chan_list, global_l) {
7300 		if (c->state != BT_LISTEN)
7301 			continue;
7302 
7303 		if (!bacmp(&c->src, &hdev->bdaddr)) {
7304 			lm1 |= HCI_LM_ACCEPT;
7305 			if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7306 				lm1 |= HCI_LM_MASTER;
7307 			exact++;
7308 		} else if (!bacmp(&c->src, BDADDR_ANY)) {
7309 			lm2 |= HCI_LM_ACCEPT;
7310 			if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7311 				lm2 |= HCI_LM_MASTER;
7312 		}
7313 	}
7314 	read_unlock(&chan_list_lock);
7315 
7316 	return exact ? lm1 : lm2;
7317 }
7318 
7319 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7320  * from an existing channel in the list or from the beginning of the
7321  * global list (by passing NULL as first parameter).
7322  */
7323 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7324 						  struct hci_conn *hcon)
7325 {
7326 	u8 src_type = bdaddr_src_type(hcon);
7327 
7328 	read_lock(&chan_list_lock);
7329 
7330 	if (c)
7331 		c = list_next_entry(c, global_l);
7332 	else
7333 		c = list_entry(chan_list.next, typeof(*c), global_l);
7334 
7335 	list_for_each_entry_from(c, &chan_list, global_l) {
7336 		if (c->chan_type != L2CAP_CHAN_FIXED)
7337 			continue;
7338 		if (c->state != BT_LISTEN)
7339 			continue;
7340 		if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7341 			continue;
7342 		if (src_type != c->src_type)
7343 			continue;
7344 
7345 		l2cap_chan_hold(c);
7346 		read_unlock(&chan_list_lock);
7347 		return c;
7348 	}
7349 
7350 	read_unlock(&chan_list_lock);
7351 
7352 	return NULL;
7353 }
7354 
7355 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7356 {
7357 	struct hci_dev *hdev = hcon->hdev;
7358 	struct l2cap_conn *conn;
7359 	struct l2cap_chan *pchan;
7360 	u8 dst_type;
7361 
7362 	if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7363 		return;
7364 
7365 	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7366 
7367 	if (status) {
7368 		l2cap_conn_del(hcon, bt_to_errno(status));
7369 		return;
7370 	}
7371 
7372 	conn = l2cap_conn_add(hcon);
7373 	if (!conn)
7374 		return;
7375 
7376 	dst_type = bdaddr_dst_type(hcon);
7377 
7378 	/* If device is blocked, do not create channels for it */
7379 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7380 		return;
7381 
7382 	/* Find fixed channels and notify them of the new connection. We
7383 	 * use multiple individual lookups, continuing each time where
7384 	 * we left off, because the list lock would prevent calling the
7385 	 * potentially sleeping l2cap_chan_lock() function.
7386 	 */
7387 	pchan = l2cap_global_fixed_chan(NULL, hcon);
7388 	while (pchan) {
7389 		struct l2cap_chan *chan, *next;
7390 
7391 		/* Client fixed channels should override server ones */
7392 		if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7393 			goto next;
7394 
7395 		l2cap_chan_lock(pchan);
7396 		chan = pchan->ops->new_connection(pchan);
7397 		if (chan) {
7398 			bacpy(&chan->src, &hcon->src);
7399 			bacpy(&chan->dst, &hcon->dst);
7400 			chan->src_type = bdaddr_src_type(hcon);
7401 			chan->dst_type = dst_type;
7402 
7403 			__l2cap_chan_add(conn, chan);
7404 		}
7405 
7406 		l2cap_chan_unlock(pchan);
7407 next:
7408 		next = l2cap_global_fixed_chan(pchan, hcon);
7409 		l2cap_chan_put(pchan);
7410 		pchan = next;
7411 	}
7412 
7413 	l2cap_conn_ready(conn);
7414 }
7415 
7416 int l2cap_disconn_ind(struct hci_conn *hcon)
7417 {
7418 	struct l2cap_conn *conn = hcon->l2cap_data;
7419 
7420 	BT_DBG("hcon %p", hcon);
7421 
7422 	if (!conn)
7423 		return HCI_ERROR_REMOTE_USER_TERM;
7424 	return conn->disc_reason;
7425 }
7426 
7427 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7428 {
7429 	if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7430 		return;
7431 
7432 	BT_DBG("hcon %p reason %d", hcon, reason);
7433 
7434 	l2cap_conn_del(hcon, bt_to_errno(reason));
7435 }
7436 
7437 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7438 {
7439 	if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7440 		return;
7441 
7442 	if (encrypt == 0x00) {
7443 		if (chan->sec_level == BT_SECURITY_MEDIUM) {
7444 			__set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7445 		} else if (chan->sec_level == BT_SECURITY_HIGH ||
7446 			   chan->sec_level == BT_SECURITY_FIPS)
7447 			l2cap_chan_close(chan, ECONNREFUSED);
7448 	} else {
7449 		if (chan->sec_level == BT_SECURITY_MEDIUM)
7450 			__clear_chan_timer(chan);
7451 	}
7452 }
7453 
7454 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7455 {
7456 	struct l2cap_conn *conn = hcon->l2cap_data;
7457 	struct l2cap_chan *chan;
7458 
7459 	if (!conn)
7460 		return;
7461 
7462 	BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7463 
7464 	mutex_lock(&conn->chan_lock);
7465 
7466 	list_for_each_entry(chan, &conn->chan_l, list) {
7467 		l2cap_chan_lock(chan);
7468 
7469 		BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7470 		       state_to_string(chan->state));
7471 
7472 		if (chan->scid == L2CAP_CID_A2MP) {
7473 			l2cap_chan_unlock(chan);
7474 			continue;
7475 		}
7476 
7477 		if (!status && encrypt)
7478 			chan->sec_level = hcon->sec_level;
7479 
7480 		if (!__l2cap_no_conn_pending(chan)) {
7481 			l2cap_chan_unlock(chan);
7482 			continue;
7483 		}
7484 
7485 		if (!status && (chan->state == BT_CONNECTED ||
7486 				chan->state == BT_CONFIG)) {
7487 			chan->ops->resume(chan);
7488 			l2cap_check_encryption(chan, encrypt);
7489 			l2cap_chan_unlock(chan);
7490 			continue;
7491 		}
7492 
7493 		if (chan->state == BT_CONNECT) {
7494 			if (!status)
7495 				l2cap_start_connection(chan);
7496 			else
7497 				__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7498 		} else if (chan->state == BT_CONNECT2 &&
7499 			   chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7500 			struct l2cap_conn_rsp rsp;
7501 			__u16 res, stat;
7502 
7503 			if (!status) {
7504 				if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7505 					res = L2CAP_CR_PEND;
7506 					stat = L2CAP_CS_AUTHOR_PEND;
7507 					chan->ops->defer(chan);
7508 				} else {
7509 					l2cap_state_change(chan, BT_CONFIG);
7510 					res = L2CAP_CR_SUCCESS;
7511 					stat = L2CAP_CS_NO_INFO;
7512 				}
7513 			} else {
7514 				l2cap_state_change(chan, BT_DISCONN);
7515 				__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7516 				res = L2CAP_CR_SEC_BLOCK;
7517 				stat = L2CAP_CS_NO_INFO;
7518 			}
7519 
7520 			rsp.scid   = cpu_to_le16(chan->dcid);
7521 			rsp.dcid   = cpu_to_le16(chan->scid);
7522 			rsp.result = cpu_to_le16(res);
7523 			rsp.status = cpu_to_le16(stat);
7524 			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7525 				       sizeof(rsp), &rsp);
7526 
7527 			if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7528 			    res == L2CAP_CR_SUCCESS) {
7529 				char buf[128];
7530 				set_bit(CONF_REQ_SENT, &chan->conf_state);
7531 				l2cap_send_cmd(conn, l2cap_get_ident(conn),
7532 					       L2CAP_CONF_REQ,
7533 					       l2cap_build_conf_req(chan, buf, sizeof(buf)),
7534 					       buf);
7535 				chan->num_conf_req++;
7536 			}
7537 		}
7538 
7539 		l2cap_chan_unlock(chan);
7540 	}
7541 
7542 	mutex_unlock(&conn->chan_lock);
7543 }
7544 
7545 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7546 {
7547 	struct l2cap_conn *conn = hcon->l2cap_data;
7548 	struct l2cap_hdr *hdr;
7549 	int len;
7550 
7551 	/* For AMP controller do not create l2cap conn */
7552 	if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7553 		goto drop;
7554 
7555 	if (!conn)
7556 		conn = l2cap_conn_add(hcon);
7557 
7558 	if (!conn)
7559 		goto drop;
7560 
7561 	BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7562 
7563 	switch (flags) {
7564 	case ACL_START:
7565 	case ACL_START_NO_FLUSH:
7566 	case ACL_COMPLETE:
7567 		if (conn->rx_len) {
7568 			BT_ERR("Unexpected start frame (len %d)", skb->len);
7569 			kfree_skb(conn->rx_skb);
7570 			conn->rx_skb = NULL;
7571 			conn->rx_len = 0;
7572 			l2cap_conn_unreliable(conn, ECOMM);
7573 		}
7574 
7575 		/* Start fragment always begin with Basic L2CAP header */
7576 		if (skb->len < L2CAP_HDR_SIZE) {
7577 			BT_ERR("Frame is too short (len %d)", skb->len);
7578 			l2cap_conn_unreliable(conn, ECOMM);
7579 			goto drop;
7580 		}
7581 
7582 		hdr = (struct l2cap_hdr *) skb->data;
7583 		len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7584 
7585 		if (len == skb->len) {
7586 			/* Complete frame received */
7587 			l2cap_recv_frame(conn, skb);
7588 			return;
7589 		}
7590 
7591 		BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7592 
7593 		if (skb->len > len) {
7594 			BT_ERR("Frame is too long (len %d, expected len %d)",
7595 			       skb->len, len);
7596 			l2cap_conn_unreliable(conn, ECOMM);
7597 			goto drop;
7598 		}
7599 
7600 		/* Allocate skb for the complete frame (with header) */
7601 		conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7602 		if (!conn->rx_skb)
7603 			goto drop;
7604 
7605 		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7606 					  skb->len);
7607 		conn->rx_len = len - skb->len;
7608 		break;
7609 
7610 	case ACL_CONT:
7611 		BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7612 
7613 		if (!conn->rx_len) {
7614 			BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7615 			l2cap_conn_unreliable(conn, ECOMM);
7616 			goto drop;
7617 		}
7618 
7619 		if (skb->len > conn->rx_len) {
7620 			BT_ERR("Fragment is too long (len %d, expected %d)",
7621 			       skb->len, conn->rx_len);
7622 			kfree_skb(conn->rx_skb);
7623 			conn->rx_skb = NULL;
7624 			conn->rx_len = 0;
7625 			l2cap_conn_unreliable(conn, ECOMM);
7626 			goto drop;
7627 		}
7628 
7629 		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7630 					  skb->len);
7631 		conn->rx_len -= skb->len;
7632 
7633 		if (!conn->rx_len) {
7634 			/* Complete frame received. l2cap_recv_frame
7635 			 * takes ownership of the skb so set the global
7636 			 * rx_skb pointer to NULL first.
7637 			 */
7638 			struct sk_buff *rx_skb = conn->rx_skb;
7639 			conn->rx_skb = NULL;
7640 			l2cap_recv_frame(conn, rx_skb);
7641 		}
7642 		break;
7643 	}
7644 
7645 drop:
7646 	kfree_skb(skb);
7647 }
7648 
7649 static struct hci_cb l2cap_cb = {
7650 	.name		= "L2CAP",
7651 	.connect_cfm	= l2cap_connect_cfm,
7652 	.disconn_cfm	= l2cap_disconn_cfm,
7653 	.security_cfm	= l2cap_security_cfm,
7654 };
7655 
7656 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7657 {
7658 	struct l2cap_chan *c;
7659 
7660 	read_lock(&chan_list_lock);
7661 
7662 	list_for_each_entry(c, &chan_list, global_l) {
7663 		seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7664 			   &c->src, c->src_type, &c->dst, c->dst_type,
7665 			   c->state, __le16_to_cpu(c->psm),
7666 			   c->scid, c->dcid, c->imtu, c->omtu,
7667 			   c->sec_level, c->mode);
7668 	}
7669 
7670 	read_unlock(&chan_list_lock);
7671 
7672 	return 0;
7673 }
7674 
7675 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7676 
7677 static struct dentry *l2cap_debugfs;
7678 
7679 int __init l2cap_init(void)
7680 {
7681 	int err;
7682 
7683 	err = l2cap_init_sockets();
7684 	if (err < 0)
7685 		return err;
7686 
7687 	hci_register_cb(&l2cap_cb);
7688 
7689 	if (IS_ERR_OR_NULL(bt_debugfs))
7690 		return 0;
7691 
7692 	l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7693 					    NULL, &l2cap_debugfs_fops);
7694 
7695 	return 0;
7696 }
7697 
7698 void l2cap_exit(void)
7699 {
7700 	debugfs_remove(l2cap_debugfs);
7701 	hci_unregister_cb(&l2cap_cb);
7702 	l2cap_cleanup_sockets();
7703 }
7704 
7705 module_param(disable_ertm, bool, 0644);
7706 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7707