l2cap_core.c 102.4 KB
Newer Older
1
/*
L
Linus Torvalds 已提交
2 3
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2000-2001 Qualcomm Incorporated
4
   Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5
   Copyright (C) 2010 Google Inc.
L
Linus Torvalds 已提交
6 7 8 9 10 11 12 13 14 15 16

   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
17 18 19
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
L
Linus Torvalds 已提交
20 21
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

22 23
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
L
Linus Torvalds 已提交
24 25 26
   SOFTWARE IS DISCLAIMED.
*/

27
/* Bluetooth L2CAP core. */
L
Linus Torvalds 已提交
28 29 30 31

#include <linux/module.h>

#include <linux/types.h>
32
#include <linux/capability.h>
L
Linus Torvalds 已提交
33 34 35 36 37 38 39 40 41 42 43
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/poll.h>
#include <linux/fcntl.h>
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/socket.h>
#include <linux/skbuff.h>
#include <linux/list.h>
44
#include <linux/device.h>
45 46
#include <linux/debugfs.h>
#include <linux/seq_file.h>
47
#include <linux/uaccess.h>
48
#include <linux/crc16.h>
L
Linus Torvalds 已提交
49 50 51 52 53 54 55 56
#include <net/sock.h>

#include <asm/system.h>
#include <asm/unaligned.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
57
#include <net/bluetooth/smp.h>
L
Linus Torvalds 已提交
58

59
int disable_ertm;
60
int enable_hs;
61

62
static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
63
static u8 l2cap_fixed_chan[8] = { 0x02, };
L
Linus Torvalds 已提交
64

65 66
static LIST_HEAD(chan_list);
static DEFINE_RWLOCK(chan_list_lock);
L
Linus Torvalds 已提交
67 68 69

static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
				u8 code, u8 ident, u16 dlen, void *data);
70 71
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
								void *data);
72
static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
73 74
static void l2cap_send_disconn_req(struct l2cap_conn *conn,
				struct l2cap_chan *chan, int err);
L
Linus Torvalds 已提交
75

76 77
static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);

78
/* ---- L2CAP channels ---- */
79 80 81 82 83 84 85 86 87 88 89 90

static inline void chan_hold(struct l2cap_chan *c)
{
	atomic_inc(&c->refcnt);
}

static inline void chan_put(struct l2cap_chan *c)
{
	if (atomic_dec_and_test(&c->refcnt))
		kfree(c);
}

91
static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
92
{
93
	struct l2cap_chan *c;
94 95

	list_for_each_entry(c, &conn->chan_l, list) {
96
		if (c->dcid == cid)
97
			return c;
98
	}
99 100
	return NULL;

101 102
}

103
static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
104
{
105
	struct l2cap_chan *c;
106 107

	list_for_each_entry(c, &conn->chan_l, list) {
108
		if (c->scid == cid)
109
			return c;
110
	}
111
	return NULL;
112 113 114 115
}

/* Find channel with given SCID.
 * Returns locked socket */
116
static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
117
{
118
	struct l2cap_chan *c;
119 120 121

	read_lock(&conn->chan_lock);
	c = __l2cap_get_chan_by_scid(conn, cid);
122 123
	if (c)
		bh_lock_sock(c->sk);
124
	read_unlock(&conn->chan_lock);
125
	return c;
126 127
}

128
static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
129
{
130
	struct l2cap_chan *c;
131 132

	list_for_each_entry(c, &conn->chan_l, list) {
133
		if (c->ident == ident)
134
			return c;
135
	}
136
	return NULL;
137 138
}

139
static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
140
{
141
	struct l2cap_chan *c;
142 143 144

	read_lock(&conn->chan_lock);
	c = __l2cap_get_chan_by_ident(conn, ident);
145 146
	if (c)
		bh_lock_sock(c->sk);
147
	read_unlock(&conn->chan_lock);
148
	return c;
149 150
}

151
static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
152
{
153
	struct l2cap_chan *c;
154

155 156
	list_for_each_entry(c, &chan_list, global_l) {
		if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
157 158 159
			goto found;
	}

160
	c = NULL;
161
found:
162
	return c;
163 164 165 166
}

int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
{
167 168
	int err;

169
	write_lock_bh(&chan_list_lock);
170

171
	if (psm && __l2cap_global_chan_by_addr(psm, src)) {
172 173
		err = -EADDRINUSE;
		goto done;
174 175
	}

176 177 178 179 180 181 182 183 184
	if (psm) {
		chan->psm = psm;
		chan->sport = psm;
		err = 0;
	} else {
		u16 p;

		err = -EINVAL;
		for (p = 0x1001; p < 0x1100; p += 2)
185
			if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
186 187 188 189 190 191
				chan->psm   = cpu_to_le16(p);
				chan->sport = cpu_to_le16(p);
				err = 0;
				break;
			}
	}
192

193
done:
194
	write_unlock_bh(&chan_list_lock);
195
	return err;
196 197 198 199
}

int l2cap_add_scid(struct l2cap_chan *chan,  __u16 scid)
{
200
	write_lock_bh(&chan_list_lock);
201 202 203

	chan->scid = scid;

204
	write_unlock_bh(&chan_list_lock);
205 206 207 208

	return 0;
}

209
static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
210
{
211
	u16 cid = L2CAP_CID_DYN_START;
212

213
	for (; cid < L2CAP_CID_DYN_END; cid++) {
214
		if (!__l2cap_get_chan_by_scid(conn, cid))
215 216 217 218 219 220
			return cid;
	}

	return 0;
}

221
static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
222
{
223
	BT_DBG("chan %p state %d timeout %ld", chan->sk, chan->state, timeout);
224

225
	if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
226
		chan_hold(chan);
227 228
}

229
static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
230
{
231
	BT_DBG("chan %p state %d", chan, chan->state);
232

233 234
	if (timer_pending(timer) && del_timer(timer))
		chan_put(chan);
235 236
}

237 238 239 240 241 242
static void l2cap_state_change(struct l2cap_chan *chan, int state)
{
	chan->state = state;
	chan->ops->state_change(chan->data, state);
}

243 244 245 246 247 248
static void l2cap_chan_timeout(unsigned long arg)
{
	struct l2cap_chan *chan = (struct l2cap_chan *) arg;
	struct sock *sk = chan->sk;
	int reason;

249
	BT_DBG("chan %p state %d", chan, chan->state);
250 251 252 253 254

	bh_lock_sock(sk);

	if (sock_owned_by_user(sk)) {
		/* sk is owned by user. Try again later */
255
		__set_chan_timer(chan, HZ / 5);
256
		bh_unlock_sock(sk);
257
		chan_put(chan);
258 259 260
		return;
	}

261
	if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
262
		reason = ECONNREFUSED;
263
	else if (chan->state == BT_CONNECT &&
264 265 266 267 268
					chan->sec_level != BT_SECURITY_SDP)
		reason = ECONNREFUSED;
	else
		reason = ETIMEDOUT;

269
	l2cap_chan_close(chan, reason);
270 271 272

	bh_unlock_sock(sk);

273
	chan->ops->close(chan->data);
274
	chan_put(chan);
275 276
}

277
struct l2cap_chan *l2cap_chan_create(struct sock *sk)
278 279 280 281 282 283 284 285 286
{
	struct l2cap_chan *chan;

	chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
	if (!chan)
		return NULL;

	chan->sk = sk;

287 288 289 290
	write_lock_bh(&chan_list_lock);
	list_add(&chan->global_l, &chan_list);
	write_unlock_bh(&chan_list_lock);

291 292
	setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan);

293 294
	chan->state = BT_OPEN;

295 296
	atomic_set(&chan->refcnt, 1);

297 298 299
	return chan;
}

300
void l2cap_chan_destroy(struct l2cap_chan *chan)
301
{
302 303 304 305
	write_lock_bh(&chan_list_lock);
	list_del(&chan->global_l);
	write_unlock_bh(&chan_list_lock);

306
	chan_put(chan);
307 308
}

309
static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
310
{
311
	BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
312
			chan->psm, chan->dcid);
313

314 315
	conn->disc_reason = 0x13;

316
	chan->conn = conn;
317

318
	if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
319 320
		if (conn->hcon->type == LE_LINK) {
			/* LE connection */
321
			chan->omtu = L2CAP_LE_DEFAULT_MTU;
322 323
			chan->scid = L2CAP_CID_LE_DATA;
			chan->dcid = L2CAP_CID_LE_DATA;
324 325
		} else {
			/* Alloc CID for connection-oriented socket */
326
			chan->scid = l2cap_alloc_cid(conn);
327
			chan->omtu = L2CAP_DEFAULT_MTU;
328
		}
329
	} else if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
330
		/* Connectionless socket */
331 332
		chan->scid = L2CAP_CID_CONN_LESS;
		chan->dcid = L2CAP_CID_CONN_LESS;
333
		chan->omtu = L2CAP_DEFAULT_MTU;
334 335
	} else {
		/* Raw socket can send/recv signalling messages only */
336 337
		chan->scid = L2CAP_CID_SIGNALING;
		chan->dcid = L2CAP_CID_SIGNALING;
338
		chan->omtu = L2CAP_DEFAULT_MTU;
339 340
	}

341 342 343 344 345 346 347
	chan->local_id		= L2CAP_BESTEFFORT_ID;
	chan->local_stype	= L2CAP_SERV_BESTEFFORT;
	chan->local_msdu	= L2CAP_DEFAULT_MAX_SDU_SIZE;
	chan->local_sdu_itime	= L2CAP_DEFAULT_SDU_ITIME;
	chan->local_acc_lat	= L2CAP_DEFAULT_ACC_LAT;
	chan->local_flush_to	= L2CAP_DEFAULT_FLUSH_TO;

348
	chan_hold(chan);
349 350

	list_add(&chan->list, &conn->chan_l);
351 352
}

353
/* Delete channel.
354
 * Must be called on the locked socket. */
355
static void l2cap_chan_del(struct l2cap_chan *chan, int err)
356
{
357
	struct sock *sk = chan->sk;
358
	struct l2cap_conn *conn = chan->conn;
359 360
	struct sock *parent = bt_sk(sk)->parent;

361
	__clear_chan_timer(chan);
362

363
	BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
364

365
	if (conn) {
366 367 368 369
		/* Delete from channel list */
		write_lock_bh(&conn->chan_lock);
		list_del(&chan->list);
		write_unlock_bh(&conn->chan_lock);
370
		chan_put(chan);
371

372
		chan->conn = NULL;
373 374 375
		hci_conn_put(conn->hcon);
	}

376
	l2cap_state_change(chan, BT_CLOSED);
377 378 379 380 381 382 383 384 385 386
	sock_set_flag(sk, SOCK_ZAPPED);

	if (err)
		sk->sk_err = err;

	if (parent) {
		bt_accept_unlink(sk);
		parent->sk_data_ready(parent, 0);
	} else
		sk->sk_state_change(sk);
387

388 389
	if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
			test_bit(CONF_INPUT_DONE, &chan->conf_state)))
390
		return;
391

392
	skb_queue_purge(&chan->tx_q);
393

394
	if (chan->mode == L2CAP_MODE_ERTM) {
395 396
		struct srej_list *l, *tmp;

397 398 399
		__clear_retrans_timer(chan);
		__clear_monitor_timer(chan);
		__clear_ack_timer(chan);
400

401
		skb_queue_purge(&chan->srej_q);
402

403
		list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
404 405 406 407
			list_del(&l->list);
			kfree(l);
		}
	}
408 409
}

410 411 412 413 414 415 416
static void l2cap_chan_cleanup_listen(struct sock *parent)
{
	struct sock *sk;

	BT_DBG("parent %p", parent);

	/* Close not yet accepted channels */
417
	while ((sk = bt_accept_dequeue(parent, NULL))) {
418
		struct l2cap_chan *chan = l2cap_pi(sk)->chan;
419
		__clear_chan_timer(chan);
420
		lock_sock(sk);
421
		l2cap_chan_close(chan, ECONNRESET);
422
		release_sock(sk);
423
		chan->ops->close(chan->data);
424
	}
425 426
}

427
void l2cap_chan_close(struct l2cap_chan *chan, int reason)
428 429 430 431
{
	struct l2cap_conn *conn = chan->conn;
	struct sock *sk = chan->sk;

432
	BT_DBG("chan %p state %d socket %p", chan, chan->state, sk->sk_socket);
433

434
	switch (chan->state) {
435 436
	case BT_LISTEN:
		l2cap_chan_cleanup_listen(sk);
437 438 439

		l2cap_state_change(chan, BT_CLOSED);
		sock_set_flag(sk, SOCK_ZAPPED);
440 441 442 443
		break;

	case BT_CONNECTED:
	case BT_CONFIG:
444
		if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
445
					conn->hcon->type == ACL_LINK) {
446 447
			__clear_chan_timer(chan);
			__set_chan_timer(chan, sk->sk_sndtimeo);
448 449 450 451 452 453
			l2cap_send_disconn_req(conn, chan, reason);
		} else
			l2cap_chan_del(chan, reason);
		break;

	case BT_CONNECT2:
454
		if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
455 456 457 458 459 460 461 462
					conn->hcon->type == ACL_LINK) {
			struct l2cap_conn_rsp rsp;
			__u16 result;

			if (bt_sk(sk)->defer_setup)
				result = L2CAP_CR_SEC_BLOCK;
			else
				result = L2CAP_CR_BAD_PSM;
463
			l2cap_state_change(chan, BT_DISCONN);
464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486

			rsp.scid   = cpu_to_le16(chan->dcid);
			rsp.dcid   = cpu_to_le16(chan->scid);
			rsp.result = cpu_to_le16(result);
			rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
							sizeof(rsp), &rsp);
		}

		l2cap_chan_del(chan, reason);
		break;

	case BT_CONNECT:
	case BT_DISCONN:
		l2cap_chan_del(chan, reason);
		break;

	default:
		sock_set_flag(sk, SOCK_ZAPPED);
		break;
	}
}

487
static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
488
{
489
	if (chan->chan_type == L2CAP_CHAN_RAW) {
490
		switch (chan->sec_level) {
491 492 493 494 495 496 497
		case BT_SECURITY_HIGH:
			return HCI_AT_DEDICATED_BONDING_MITM;
		case BT_SECURITY_MEDIUM:
			return HCI_AT_DEDICATED_BONDING;
		default:
			return HCI_AT_NO_BONDING;
		}
498
	} else if (chan->psm == cpu_to_le16(0x0001)) {
499 500
		if (chan->sec_level == BT_SECURITY_LOW)
			chan->sec_level = BT_SECURITY_SDP;
501

502
		if (chan->sec_level == BT_SECURITY_HIGH)
503
			return HCI_AT_NO_BONDING_MITM;
504
		else
505
			return HCI_AT_NO_BONDING;
506
	} else {
507
		switch (chan->sec_level) {
508
		case BT_SECURITY_HIGH:
509
			return HCI_AT_GENERAL_BONDING_MITM;
510
		case BT_SECURITY_MEDIUM:
511
			return HCI_AT_GENERAL_BONDING;
512
		default:
513
			return HCI_AT_NO_BONDING;
514
		}
515
	}
516 517 518
}

/* Service level security */
519
static inline int l2cap_check_security(struct l2cap_chan *chan)
520
{
521
	struct l2cap_conn *conn = chan->conn;
522 523
	__u8 auth_type;

524
	auth_type = l2cap_get_auth_type(chan);
525

526
	return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
527 528
}

529
static u8 l2cap_get_ident(struct l2cap_conn *conn)
530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550
{
	u8 id;

	/* Get next available identificator.
	 *    1 - 128 are used by kernel.
	 *  129 - 199 are reserved.
	 *  200 - 254 are used by utilities like l2ping, etc.
	 */

	spin_lock_bh(&conn->lock);

	if (++conn->tx_ident > 128)
		conn->tx_ident = 1;

	id = conn->tx_ident;

	spin_unlock_bh(&conn->lock);

	return id;
}

551
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
552 553
{
	struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
554
	u8 flags;
555 556 557 558

	BT_DBG("code 0x%2.2x", code);

	if (!skb)
559
		return;
560

561 562 563 564 565
	if (lmp_no_flush_capable(conn->hcon->hdev))
		flags = ACL_START_NO_FLUSH;
	else
		flags = ACL_START;

566 567
	bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;

568
	hci_send_acl(conn->hcon, skb, flags);
569 570
}

571
static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
572 573 574
{
	struct sk_buff *skb;
	struct l2cap_hdr *lh;
575
	struct l2cap_conn *conn = chan->conn;
576
	int count, hlen;
577
	u8 flags;
578

579
	if (chan->state != BT_CONNECTED)
580 581
		return;

582 583 584 585 586
	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
		hlen = L2CAP_EXT_HDR_SIZE;
	else
		hlen = L2CAP_ENH_HDR_SIZE;

587
	if (chan->fcs == L2CAP_FCS_CRC16)
588
		hlen += L2CAP_FCS_SIZE;
589

590
	BT_DBG("chan %p, control 0x%8.8x", chan, control);
591

592
	count = min_t(unsigned int, conn->mtu, hlen);
593 594

	control |= __set_sframe(chan);
595

596
	if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
597
		control |= __set_ctrl_final(chan);
598

599
	if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
600
		control |= __set_ctrl_poll(chan);
601

602 603
	skb = bt_skb_alloc(count, GFP_ATOMIC);
	if (!skb)
604
		return;
605 606

	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
607
	lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
608
	lh->cid = cpu_to_le16(chan->dcid);
609 610

	__put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
611

612
	if (chan->fcs == L2CAP_FCS_CRC16) {
613 614
		u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
		put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
615 616
	}

617 618 619 620 621
	if (lmp_no_flush_capable(conn->hcon->hdev))
		flags = ACL_START_NO_FLUSH;
	else
		flags = ACL_START;

622
	bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
623

624
	hci_send_acl(chan->conn->hcon, skb, flags);
625 626
}

627
static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
628
{
629
	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
630
		control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
631
		set_bit(CONN_RNR_SENT, &chan->conn_state);
632
	} else
633
		control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
634

635
	control |= __set_reqseq(chan, chan->buffer_seq);
636

637
	l2cap_send_sframe(chan, control);
638 639
}

640
static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
641
{
642
	return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
643 644
}

645
static void l2cap_do_start(struct l2cap_chan *chan)
646
{
647
	struct l2cap_conn *conn = chan->conn;
648 649

	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
650 651 652
		if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
			return;

653 654
		if (l2cap_check_security(chan) &&
				__l2cap_no_conn_pending(chan)) {
655
			struct l2cap_conn_req req;
656 657
			req.scid = cpu_to_le16(chan->scid);
			req.psm  = chan->psm;
658

659
			chan->ident = l2cap_get_ident(conn);
660
			set_bit(CONF_CONNECT_PEND, &chan->conf_state);
661

662 663
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
							sizeof(req), &req);
664
		}
665 666 667 668 669 670 671 672 673 674 675 676 677 678 679
	} else {
		struct l2cap_info_req req;
		req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);

		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
		conn->info_ident = l2cap_get_ident(conn);

		mod_timer(&conn->info_timer, jiffies +
					msecs_to_jiffies(L2CAP_INFO_TIMEOUT));

		l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(req), &req);
	}
}

680 681 682
static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
{
	u32 local_feat_mask = l2cap_feat_mask;
683
	if (!disable_ertm)
684 685 686 687 688 689 690 691 692 693 694 695
		local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;

	switch (mode) {
	case L2CAP_MODE_ERTM:
		return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
	case L2CAP_MODE_STREAMING:
		return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
	default:
		return 0x00;
	}
}

696
static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
697
{
698
	struct sock *sk;
699 700
	struct l2cap_disconn_req req;

701 702 703
	if (!conn)
		return;

704 705
	sk = chan->sk;

706
	if (chan->mode == L2CAP_MODE_ERTM) {
707 708 709
		__clear_retrans_timer(chan);
		__clear_monitor_timer(chan);
		__clear_ack_timer(chan);
710 711
	}

712 713
	req.dcid = cpu_to_le16(chan->dcid);
	req.scid = cpu_to_le16(chan->scid);
714 715
	l2cap_send_cmd(conn, l2cap_get_ident(conn),
			L2CAP_DISCONN_REQ, sizeof(req), &req);
716

717
	l2cap_state_change(chan, BT_DISCONN);
718
	sk->sk_err = err;
719 720
}

L
Linus Torvalds 已提交
721
/* ---- L2CAP connections ---- */
722 723
static void l2cap_conn_start(struct l2cap_conn *conn)
{
724
	struct l2cap_chan *chan, *tmp;
725 726 727

	BT_DBG("conn %p", conn);

728
	read_lock(&conn->chan_lock);
729

730
	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
731
		struct sock *sk = chan->sk;
732

733 734
		bh_lock_sock(sk);

735
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
736 737 738 739
			bh_unlock_sock(sk);
			continue;
		}

740
		if (chan->state == BT_CONNECT) {
741
			struct l2cap_conn_req req;
742

743
			if (!l2cap_check_security(chan) ||
744
					!__l2cap_no_conn_pending(chan)) {
745 746 747
				bh_unlock_sock(sk);
				continue;
			}
748

749 750 751
			if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
					&& test_bit(CONF_STATE2_DEVICE,
					&chan->conf_state)) {
752
				/* l2cap_chan_close() calls list_del(chan)
753
				 * so release the lock */
754
				read_unlock(&conn->chan_lock);
755
				l2cap_chan_close(chan, ECONNRESET);
756
				read_lock(&conn->chan_lock);
757 758
				bh_unlock_sock(sk);
				continue;
759
			}
760

761 762
			req.scid = cpu_to_le16(chan->scid);
			req.psm  = chan->psm;
763

764
			chan->ident = l2cap_get_ident(conn);
765
			set_bit(CONF_CONNECT_PEND, &chan->conf_state);
766

767 768
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
							sizeof(req), &req);
769

770
		} else if (chan->state == BT_CONNECT2) {
771
			struct l2cap_conn_rsp rsp;
772
			char buf[128];
773 774
			rsp.scid = cpu_to_le16(chan->dcid);
			rsp.dcid = cpu_to_le16(chan->scid);
775

776
			if (l2cap_check_security(chan)) {
777 778 779 780
				if (bt_sk(sk)->defer_setup) {
					struct sock *parent = bt_sk(sk)->parent;
					rsp.result = cpu_to_le16(L2CAP_CR_PEND);
					rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
781 782
					if (parent)
						parent->sk_data_ready(parent, 0);
783 784

				} else {
785
					l2cap_state_change(chan, BT_CONFIG);
786 787 788
					rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
					rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
				}
789 790 791 792 793
			} else {
				rsp.result = cpu_to_le16(L2CAP_CR_PEND);
				rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
			}

794 795
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
							sizeof(rsp), &rsp);
796

797
			if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
798 799 800 801 802
					rsp.result != L2CAP_CR_SUCCESS) {
				bh_unlock_sock(sk);
				continue;
			}

803
			set_bit(CONF_REQ_SENT, &chan->conf_state);
804
			l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
805 806
						l2cap_build_conf_req(chan, buf), buf);
			chan->num_conf_req++;
807 808 809 810 811
		}

		bh_unlock_sock(sk);
	}

812
	read_unlock(&conn->chan_lock);
813 814
}

815 816 817
/* Find socket with cid and source bdaddr.
 * Returns closest match, locked.
 */
818
static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
819
{
820
	struct l2cap_chan *c, *c1 = NULL;
821

822
	read_lock(&chan_list_lock);
823

824 825
	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;
826

827
		if (state && c->state != state)
828 829
			continue;

830
		if (c->scid == cid) {
831
			/* Exact match. */
832 833 834 835
			if (!bacmp(&bt_sk(sk)->src, src)) {
				read_unlock(&chan_list_lock);
				return c;
			}
836 837 838

			/* Closest match */
			if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
839
				c1 = c;
840 841
		}
	}
842

843
	read_unlock(&chan_list_lock);
844

845
	return c1;
846 847 848 849
}

static void l2cap_le_conn_ready(struct l2cap_conn *conn)
{
850
	struct sock *parent, *sk;
851
	struct l2cap_chan *chan, *pchan;
852 853 854 855

	BT_DBG("");

	/* Check if we have socket listening on cid */
856
	pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
857
							conn->src);
858
	if (!pchan)
859 860
		return;

861 862
	parent = pchan->sk;

863 864
	bh_lock_sock(parent);

865 866 867 868 869 870
	/* Check for backlog size */
	if (sk_acceptq_is_full(parent)) {
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
		goto clean;
	}

871 872
	chan = pchan->ops->new_connection(pchan->data);
	if (!chan)
873 874
		goto clean;

875
	sk = chan->sk;
876

877
	write_lock_bh(&conn->chan_lock);
878 879 880 881 882 883

	hci_conn_hold(conn->hcon);

	bacpy(&bt_sk(sk)->src, conn->src);
	bacpy(&bt_sk(sk)->dst, conn->dst);

884 885
	bt_accept_enqueue(parent, sk);

886 887
	__l2cap_chan_add(conn, chan);

888
	__set_chan_timer(chan, sk->sk_sndtimeo);
889

890
	l2cap_state_change(chan, BT_CONNECTED);
891 892
	parent->sk_data_ready(parent, 0);

893
	write_unlock_bh(&conn->chan_lock);
894 895 896 897 898

clean:
	bh_unlock_sock(parent);
}

899 900 901 902 903 904 905 906 907 908
static void l2cap_chan_ready(struct sock *sk)
{
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	struct sock *parent = bt_sk(sk)->parent;

	BT_DBG("sk %p, parent %p", sk, parent);

	chan->conf_state = 0;
	__clear_chan_timer(chan);

909
	l2cap_state_change(chan, BT_CONNECTED);
910 911 912 913 914 915
	sk->sk_state_change(sk);

	if (parent)
		parent->sk_data_ready(parent, 0);
}

916 917
static void l2cap_conn_ready(struct l2cap_conn *conn)
{
918
	struct l2cap_chan *chan;
919

920
	BT_DBG("conn %p", conn);
921

922 923 924
	if (!conn->hcon->out && conn->hcon->type == LE_LINK)
		l2cap_le_conn_ready(conn);

925 926 927
	if (conn->hcon->out && conn->hcon->type == LE_LINK)
		smp_conn_security(conn, conn->hcon->pending_sec_level);

928
	read_lock(&conn->chan_lock);
929

930
	list_for_each_entry(chan, &conn->chan_l, list) {
931
		struct sock *sk = chan->sk;
932

933
		bh_lock_sock(sk);
934

935
		if (conn->hcon->type == LE_LINK) {
936
			if (smp_conn_security(conn, chan->sec_level))
937
				l2cap_chan_ready(sk);
938

939
		} else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
940
			__clear_chan_timer(chan);
941
			l2cap_state_change(chan, BT_CONNECTED);
942
			sk->sk_state_change(sk);
943

944
		} else if (chan->state == BT_CONNECT)
945
			l2cap_do_start(chan);
946

947
		bh_unlock_sock(sk);
948
	}
949

950
	read_unlock(&conn->chan_lock);
951 952 953 954 955
}

/* Notify sockets that we cannot guaranty reliability anymore */
static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
{
956
	struct l2cap_chan *chan;
957 958 959

	BT_DBG("conn %p", conn);

960
	read_lock(&conn->chan_lock);
961

962
	list_for_each_entry(chan, &conn->chan_l, list) {
963
		struct sock *sk = chan->sk;
964

965
		if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
966 967 968
			sk->sk_err = err;
	}

969
	read_unlock(&conn->chan_lock);
970 971 972 973 974 975
}

static void l2cap_info_timeout(unsigned long arg)
{
	struct l2cap_conn *conn = (void *) arg;

976
	conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
977
	conn->info_ident = 0;
978

979 980 981
	l2cap_conn_start(conn);
}

982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006
static void l2cap_conn_del(struct hci_conn *hcon, int err)
{
	struct l2cap_conn *conn = hcon->l2cap_data;
	struct l2cap_chan *chan, *l;
	struct sock *sk;

	if (!conn)
		return;

	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);

	kfree_skb(conn->rx_skb);

	/* Kill channels */
	list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
		sk = chan->sk;
		bh_lock_sock(sk);
		l2cap_chan_del(chan, err);
		bh_unlock_sock(sk);
		chan->ops->close(chan->data);
	}

	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
		del_timer_sync(&conn->info_timer);

1007
	if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
1008
		del_timer(&conn->security_timer);
1009
		smp_chan_destroy(conn);
1010
	}
1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022

	hcon->l2cap_data = NULL;
	kfree(conn);
}

static void security_timeout(unsigned long arg)
{
	struct l2cap_conn *conn = (void *) arg;

	l2cap_conn_del(conn->hcon, ETIMEDOUT);
}

L
Linus Torvalds 已提交
1023 1024
static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
{
1025
	struct l2cap_conn *conn = hcon->l2cap_data;
L
Linus Torvalds 已提交
1026

1027
	if (conn || status)
L
Linus Torvalds 已提交
1028 1029
		return conn;

1030 1031
	conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
	if (!conn)
L
Linus Torvalds 已提交
1032 1033 1034 1035 1036
		return NULL;

	hcon->l2cap_data = conn;
	conn->hcon = hcon;

1037 1038
	BT_DBG("hcon %p conn %p", hcon, conn);

1039 1040 1041 1042 1043
	if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
		conn->mtu = hcon->hdev->le_mtu;
	else
		conn->mtu = hcon->hdev->acl_mtu;

L
Linus Torvalds 已提交
1044 1045 1046
	conn->src = &hcon->hdev->bdaddr;
	conn->dst = &hcon->dst;

1047 1048
	conn->feat_mask = 0;

L
Linus Torvalds 已提交
1049
	spin_lock_init(&conn->lock);
1050 1051 1052
	rwlock_init(&conn->chan_lock);

	INIT_LIST_HEAD(&conn->chan_l);
L
Linus Torvalds 已提交
1053

1054 1055 1056 1057
	if (hcon->type == LE_LINK)
		setup_timer(&conn->security_timer, security_timeout,
						(unsigned long) conn);
	else
1058
		setup_timer(&conn->info_timer, l2cap_info_timeout,
D
Dave Young 已提交
1059 1060
						(unsigned long) conn);

1061 1062
	conn->disc_reason = 0x13;

L
Linus Torvalds 已提交
1063 1064 1065
	return conn;
}

1066
static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
L
Linus Torvalds 已提交
1067
{
1068
	write_lock_bh(&conn->chan_lock);
1069
	__l2cap_chan_add(conn, chan);
1070
	write_unlock_bh(&conn->chan_lock);
L
Linus Torvalds 已提交
1071 1072 1073 1074 1075 1076 1077
}

/* ---- Socket interface ---- */

/* Find socket with psm and source bdaddr.
 * Returns closest match.
 */
1078
static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
L
Linus Torvalds 已提交
1079
{
1080
	struct l2cap_chan *c, *c1 = NULL;
L
Linus Torvalds 已提交
1081

1082
	read_lock(&chan_list_lock);
1083

1084 1085
	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;
1086

1087
		if (state && c->state != state)
L
Linus Torvalds 已提交
1088 1089
			continue;

1090
		if (c->psm == psm) {
L
Linus Torvalds 已提交
1091
			/* Exact match. */
1092
			if (!bacmp(&bt_sk(sk)->src, src)) {
1093
				read_unlock(&chan_list_lock);
1094 1095
				return c;
			}
L
Linus Torvalds 已提交
1096 1097 1098

			/* Closest match */
			if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
1099
				c1 = c;
L
Linus Torvalds 已提交
1100 1101 1102
		}
	}

1103
	read_unlock(&chan_list_lock);
1104

1105
	return c1;
L
Linus Torvalds 已提交
1106 1107
}

1108
int l2cap_chan_connect(struct l2cap_chan *chan)
L
Linus Torvalds 已提交
1109
{
1110
	struct sock *sk = chan->sk;
L
Linus Torvalds 已提交
1111 1112 1113 1114 1115
	bdaddr_t *src = &bt_sk(sk)->src;
	bdaddr_t *dst = &bt_sk(sk)->dst;
	struct l2cap_conn *conn;
	struct hci_conn *hcon;
	struct hci_dev *hdev;
1116
	__u8 auth_type;
1117
	int err;
L
Linus Torvalds 已提交
1118

1119
	BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1120
							chan->psm);
L
Linus Torvalds 已提交
1121

1122 1123
	hdev = hci_get_route(dst, src);
	if (!hdev)
L
Linus Torvalds 已提交
1124 1125 1126 1127
		return -EHOSTUNREACH;

	hci_dev_lock_bh(hdev);

1128
	auth_type = l2cap_get_auth_type(chan);
1129

1130
	if (chan->dcid == L2CAP_CID_LE_DATA)
1131
		hcon = hci_connect(hdev, LE_LINK, dst,
1132
					chan->sec_level, auth_type);
1133 1134
	else
		hcon = hci_connect(hdev, ACL_LINK, dst,
1135
					chan->sec_level, auth_type);
1136

1137 1138
	if (IS_ERR(hcon)) {
		err = PTR_ERR(hcon);
L
Linus Torvalds 已提交
1139
		goto done;
1140
	}
L
Linus Torvalds 已提交
1141 1142 1143 1144

	conn = l2cap_conn_add(hcon, 0);
	if (!conn) {
		hci_conn_put(hcon);
1145
		err = -ENOMEM;
L
Linus Torvalds 已提交
1146 1147 1148 1149 1150 1151
		goto done;
	}

	/* Update source addr of the socket */
	bacpy(src, conn->src);

1152 1153
	l2cap_chan_add(conn, chan);

1154
	l2cap_state_change(chan, BT_CONNECT);
1155
	__set_chan_timer(chan, sk->sk_sndtimeo);
L
Linus Torvalds 已提交
1156 1157

	if (hcon->state == BT_CONNECTED) {
1158
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1159
			__clear_chan_timer(chan);
1160
			if (l2cap_check_security(chan))
1161
				l2cap_state_change(chan, BT_CONNECTED);
1162
		} else
1163
			l2cap_do_start(chan);
L
Linus Torvalds 已提交
1164 1165
	}

1166 1167
	err = 0;

L
Linus Torvalds 已提交
1168 1169 1170 1171 1172 1173
done:
	hci_dev_unlock_bh(hdev);
	hci_dev_put(hdev);
	return err;
}

1174
int __l2cap_wait_ack(struct sock *sk)
1175
{
1176
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1177 1178 1179 1180
	DECLARE_WAITQUEUE(wait, current);
	int err = 0;
	int timeo = HZ/5;

1181
	add_wait_queue(sk_sleep(sk), &wait);
1182 1183
	set_current_state(TASK_INTERRUPTIBLE);
	while (chan->unacked_frames > 0 && chan->conn) {
1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194
		if (!timeo)
			timeo = HZ/5;

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
			break;
		}

		release_sock(sk);
		timeo = schedule_timeout(timeo);
		lock_sock(sk);
1195
		set_current_state(TASK_INTERRUPTIBLE);
1196 1197 1198 1199 1200 1201

		err = sock_error(sk);
		if (err)
			break;
	}
	set_current_state(TASK_RUNNING);
1202
	remove_wait_queue(sk_sleep(sk), &wait);
1203 1204 1205
	return err;
}

1206 1207
static void l2cap_monitor_timeout(unsigned long arg)
{
1208 1209
	struct l2cap_chan *chan = (void *) arg;
	struct sock *sk = chan->sk;
1210

1211
	BT_DBG("chan %p", chan);
1212

1213
	bh_lock_sock(sk);
1214
	if (chan->retry_count >= chan->remote_max_tx) {
1215
		l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1216
		bh_unlock_sock(sk);
1217 1218 1219
		return;
	}

1220
	chan->retry_count++;
1221
	__set_monitor_timer(chan);
1222

1223
	l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1224
	bh_unlock_sock(sk);
1225 1226 1227 1228
}

static void l2cap_retrans_timeout(unsigned long arg)
{
1229 1230
	struct l2cap_chan *chan = (void *) arg;
	struct sock *sk = chan->sk;
1231

1232
	BT_DBG("chan %p", chan);
1233

1234
	bh_lock_sock(sk);
1235
	chan->retry_count = 1;
1236
	__set_monitor_timer(chan);
1237

1238
	set_bit(CONN_WAIT_F, &chan->conn_state);
1239

1240
	l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1241
	bh_unlock_sock(sk);
1242 1243
}

1244
static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
L
Linus Torvalds 已提交
1245
{
1246
	struct sk_buff *skb;
L
Linus Torvalds 已提交
1247

1248
	while ((skb = skb_peek(&chan->tx_q)) &&
1249
			chan->unacked_frames) {
1250
		if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1251
			break;
L
Linus Torvalds 已提交
1252

1253
		skb = skb_dequeue(&chan->tx_q);
1254
		kfree_skb(skb);
L
Linus Torvalds 已提交
1255

1256
		chan->unacked_frames--;
1257
	}
L
Linus Torvalds 已提交
1258

1259
	if (!chan->unacked_frames)
1260
		__clear_retrans_timer(chan);
1261
}
L
Linus Torvalds 已提交
1262

1263
static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1264
{
1265
	struct hci_conn *hcon = chan->conn->hcon;
1266
	u16 flags;
1267

1268
	BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
L
Linus Torvalds 已提交
1269

1270 1271
	if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
					lmp_no_flush_capable(hcon->hdev))
1272 1273 1274 1275
		flags = ACL_START_NO_FLUSH;
	else
		flags = ACL_START;

1276
	bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1277
	hci_send_acl(hcon, skb, flags);
1278 1279
}

1280
static void l2cap_streaming_send(struct l2cap_chan *chan)
1281
{
1282
	struct sk_buff *skb;
1283 1284
	u32 control;
	u16 fcs;
1285

1286
	while ((skb = skb_dequeue(&chan->tx_q))) {
1287
		control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
1288
		control |= __set_txseq(chan, chan->next_tx_seq);
1289
		__put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
1290

1291
		if (chan->fcs == L2CAP_FCS_CRC16) {
1292 1293 1294 1295
			fcs = crc16(0, (u8 *)skb->data,
						skb->len - L2CAP_FCS_SIZE);
			put_unaligned_le16(fcs,
					skb->data + skb->len - L2CAP_FCS_SIZE);
1296 1297
		}

1298
		l2cap_do_send(chan, skb);
1299

1300
		chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1301 1302 1303
	}
}

1304
static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
1305 1306
{
	struct sk_buff *skb, *tx_skb;
1307 1308
	u16 fcs;
	u32 control;
1309

1310
	skb = skb_peek(&chan->tx_q);
1311 1312
	if (!skb)
		return;
1313

1314 1315
	do {
		if (bt_cb(skb)->tx_seq == tx_seq)
1316 1317
			break;

1318
		if (skb_queue_is_last(&chan->tx_q, skb))
1319
			return;
1320

1321
	} while ((skb = skb_queue_next(&chan->tx_q, skb)));
1322

1323 1324
	if (chan->remote_max_tx &&
			bt_cb(skb)->retries == chan->remote_max_tx) {
1325
		l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1326 1327 1328 1329 1330
		return;
	}

	tx_skb = skb_clone(skb, GFP_ATOMIC);
	bt_cb(skb)->retries++;
1331 1332

	control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1333
	control &= __get_sar_mask(chan);
1334

1335
	if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1336
		control |= __set_ctrl_final(chan);
1337

1338
	control |= __set_reqseq(chan, chan->buffer_seq);
1339
	control |= __set_txseq(chan, tx_seq);
1340

1341
	__put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1342

1343
	if (chan->fcs == L2CAP_FCS_CRC16) {
1344 1345 1346 1347
		fcs = crc16(0, (u8 *)tx_skb->data,
						tx_skb->len - L2CAP_FCS_SIZE);
		put_unaligned_le16(fcs,
				tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
1348 1349
	}

1350
	l2cap_do_send(chan, tx_skb);
1351 1352
}

1353
static int l2cap_ertm_send(struct l2cap_chan *chan)
1354 1355
{
	struct sk_buff *skb, *tx_skb;
1356 1357
	u16 fcs;
	u32 control;
1358
	int nsent = 0;
1359

1360
	if (chan->state != BT_CONNECTED)
1361
		return -ENOTCONN;
1362

1363
	while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1364

1365 1366
		if (chan->remote_max_tx &&
				bt_cb(skb)->retries == chan->remote_max_tx) {
1367
			l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1368 1369 1370
			break;
		}

1371 1372
		tx_skb = skb_clone(skb, GFP_ATOMIC);

1373 1374
		bt_cb(skb)->retries++;

1375
		control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1376
		control &= __get_sar_mask(chan);
1377

1378
		if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1379
			control |= __set_ctrl_final(chan);
1380

1381
		control |= __set_reqseq(chan, chan->buffer_seq);
1382
		control |= __set_txseq(chan, chan->next_tx_seq);
1383

1384
		__put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1385

1386
		if (chan->fcs == L2CAP_FCS_CRC16) {
1387 1388 1389 1390
			fcs = crc16(0, (u8 *)skb->data,
						tx_skb->len - L2CAP_FCS_SIZE);
			put_unaligned_le16(fcs, skb->data +
						tx_skb->len - L2CAP_FCS_SIZE);
1391 1392
		}

1393
		l2cap_do_send(chan, tx_skb);
1394

1395
		__set_retrans_timer(chan);
1396

1397
		bt_cb(skb)->tx_seq = chan->next_tx_seq;
1398 1399

		chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1400

1401
		if (bt_cb(skb)->retries == 1)
1402
			chan->unacked_frames++;
1403

1404
		chan->frames_sent++;
1405

1406 1407
		if (skb_queue_is_last(&chan->tx_q, skb))
			chan->tx_send_head = NULL;
1408
		else
1409
			chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1410 1411

		nsent++;
1412 1413
	}

1414 1415 1416
	return nsent;
}

1417
static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1418 1419 1420
{
	int ret;

1421 1422
	if (!skb_queue_empty(&chan->tx_q))
		chan->tx_send_head = chan->tx_q.next;
1423

1424
	chan->next_tx_seq = chan->expected_ack_seq;
1425
	ret = l2cap_ertm_send(chan);
1426 1427 1428
	return ret;
}

1429
static void l2cap_send_ack(struct l2cap_chan *chan)
1430
{
1431
	u32 control = 0;
1432

1433
	control |= __set_reqseq(chan, chan->buffer_seq);
1434

1435
	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1436
		control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
1437
		set_bit(CONN_RNR_SENT, &chan->conn_state);
1438
		l2cap_send_sframe(chan, control);
1439
		return;
1440
	}
1441

1442
	if (l2cap_ertm_send(chan) > 0)
1443 1444
		return;

1445
	control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
1446
	l2cap_send_sframe(chan, control);
1447 1448
}

1449
static void l2cap_send_srejtail(struct l2cap_chan *chan)
1450 1451
{
	struct srej_list *tail;
1452
	u32 control;
1453

1454
	control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
1455
	control |= __set_ctrl_final(chan);
1456

1457
	tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1458
	control |= __set_reqseq(chan, tail->tx_seq);
1459

1460
	l2cap_send_sframe(chan, control);
1461 1462
}

1463 1464
static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
{
1465
	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1466 1467
	struct sk_buff **frag;
	int err, sent = 0;
L
Linus Torvalds 已提交
1468

1469
	if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1470
		return -EFAULT;
L
Linus Torvalds 已提交
1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481

	sent += count;
	len  -= count;

	/* Continuation fragments (no L2CAP header) */
	frag = &skb_shinfo(skb)->frag_list;
	while (len) {
		count = min_t(unsigned int, conn->mtu, len);

		*frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
		if (!*frag)
1482
			return err;
1483 1484
		if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
			return -EFAULT;
L
Linus Torvalds 已提交
1485 1486 1487 1488 1489 1490 1491 1492

		sent += count;
		len  -= count;

		frag = &(*frag)->next;
	}

	return sent;
1493
}
L
Linus Torvalds 已提交
1494

1495
static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1496
{
1497
	struct sock *sk = chan->sk;
1498
	struct l2cap_conn *conn = chan->conn;
1499
	struct sk_buff *skb;
1500
	int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1501 1502 1503 1504 1505 1506 1507 1508
	struct l2cap_hdr *lh;

	BT_DBG("sk %p len %d", sk, (int)len);

	count = min_t(unsigned int, (conn->mtu - hlen), len);
	skb = bt_skb_send_alloc(sk, count + hlen,
			msg->msg_flags & MSG_DONTWAIT, &err);
	if (!skb)
1509
		return ERR_PTR(err);
1510 1511 1512

	/* Create L2CAP header */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1513
	lh->cid = cpu_to_le16(chan->dcid);
1514
	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1515
	put_unaligned_le16(chan->psm, skb_put(skb, 2));
1516 1517 1518 1519 1520 1521 1522 1523 1524

	err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
	if (unlikely(err < 0)) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}
	return skb;
}

1525
static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1526
{
1527
	struct sock *sk = chan->sk;
1528
	struct l2cap_conn *conn = chan->conn;
1529 1530 1531 1532 1533 1534 1535 1536 1537 1538
	struct sk_buff *skb;
	int err, count, hlen = L2CAP_HDR_SIZE;
	struct l2cap_hdr *lh;

	BT_DBG("sk %p len %d", sk, (int)len);

	count = min_t(unsigned int, (conn->mtu - hlen), len);
	skb = bt_skb_send_alloc(sk, count + hlen,
			msg->msg_flags & MSG_DONTWAIT, &err);
	if (!skb)
1539
		return ERR_PTR(err);
1540 1541 1542

	/* Create L2CAP header */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1543
	lh->cid = cpu_to_le16(chan->dcid);
1544 1545 1546 1547 1548 1549 1550 1551 1552 1553
	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));

	err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
	if (unlikely(err < 0)) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}
	return skb;
}

1554 1555
static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
						struct msghdr *msg, size_t len,
1556
						u32 control, u16 sdulen)
1557
{
1558
	struct sock *sk = chan->sk;
1559
	struct l2cap_conn *conn = chan->conn;
1560
	struct sk_buff *skb;
1561
	int err, count, hlen;
1562 1563 1564 1565
	struct l2cap_hdr *lh;

	BT_DBG("sk %p len %d", sk, (int)len);

1566 1567 1568
	if (!conn)
		return ERR_PTR(-ENOTCONN);

1569 1570 1571 1572 1573
	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
		hlen = L2CAP_EXT_HDR_SIZE;
	else
		hlen = L2CAP_ENH_HDR_SIZE;

1574
	if (sdulen)
1575
		hlen += L2CAP_SDULEN_SIZE;
1576

1577
	if (chan->fcs == L2CAP_FCS_CRC16)
1578
		hlen += L2CAP_FCS_SIZE;
1579

1580 1581 1582 1583
	count = min_t(unsigned int, (conn->mtu - hlen), len);
	skb = bt_skb_send_alloc(sk, count + hlen,
			msg->msg_flags & MSG_DONTWAIT, &err);
	if (!skb)
1584
		return ERR_PTR(err);
1585 1586 1587

	/* Create L2CAP header */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1588
	lh->cid = cpu_to_le16(chan->dcid);
1589
	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1590 1591 1592

	__put_control(chan, control, skb_put(skb, __ctrl_size(chan)));

1593
	if (sdulen)
1594
		put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1595 1596 1597 1598 1599 1600

	err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
	if (unlikely(err < 0)) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}
1601

1602
	if (chan->fcs == L2CAP_FCS_CRC16)
1603
		put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
1604

1605
	bt_cb(skb)->retries = 0;
1606
	return skb;
L
Linus Torvalds 已提交
1607 1608
}

1609
static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1610 1611 1612
{
	struct sk_buff *skb;
	struct sk_buff_head sar_queue;
1613
	u32 control;
1614 1615
	size_t size = 0;

1616
	skb_queue_head_init(&sar_queue);
1617
	control = __set_ctrl_sar(chan, L2CAP_SAR_START);
1618
	skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
1619 1620 1621 1622
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	__skb_queue_tail(&sar_queue, skb);
1623 1624
	len -= chan->remote_mps;
	size += chan->remote_mps;
1625 1626 1627 1628

	while (len > 0) {
		size_t buflen;

1629
		if (len > chan->remote_mps) {
1630
			control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
1631
			buflen = chan->remote_mps;
1632
		} else {
1633
			control = __set_ctrl_sar(chan, L2CAP_SAR_END);
1634 1635 1636
			buflen = len;
		}

1637
		skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
1638 1639 1640 1641 1642 1643 1644 1645 1646
		if (IS_ERR(skb)) {
			skb_queue_purge(&sar_queue);
			return PTR_ERR(skb);
		}

		__skb_queue_tail(&sar_queue, skb);
		len -= buflen;
		size += buflen;
	}
1647 1648 1649
	skb_queue_splice_tail(&sar_queue, &chan->tx_q);
	if (chan->tx_send_head == NULL)
		chan->tx_send_head = sar_queue.next;
1650 1651 1652 1653

	return size;
}

1654 1655 1656
int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
{
	struct sk_buff *skb;
1657
	u32 control;
1658 1659 1660
	int err;

	/* Connectionless channel */
1661
	if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688
		skb = l2cap_create_connless_pdu(chan, msg, len);
		if (IS_ERR(skb))
			return PTR_ERR(skb);

		l2cap_do_send(chan, skb);
		return len;
	}

	switch (chan->mode) {
	case L2CAP_MODE_BASIC:
		/* Check outgoing MTU */
		if (len > chan->omtu)
			return -EMSGSIZE;

		/* Create a basic PDU */
		skb = l2cap_create_basic_pdu(chan, msg, len);
		if (IS_ERR(skb))
			return PTR_ERR(skb);

		l2cap_do_send(chan, skb);
		err = len;
		break;

	case L2CAP_MODE_ERTM:
	case L2CAP_MODE_STREAMING:
		/* Entire SDU fits into one PDU */
		if (len <= chan->remote_mps) {
1689
			control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712
			skb = l2cap_create_iframe_pdu(chan, msg, len, control,
									0);
			if (IS_ERR(skb))
				return PTR_ERR(skb);

			__skb_queue_tail(&chan->tx_q, skb);

			if (chan->tx_send_head == NULL)
				chan->tx_send_head = skb;

		} else {
			/* Segment SDU into multiples PDUs */
			err = l2cap_sar_segment_sdu(chan, msg, len);
			if (err < 0)
				return err;
		}

		if (chan->mode == L2CAP_MODE_STREAMING) {
			l2cap_streaming_send(chan);
			err = len;
			break;
		}

1713 1714
		if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
				test_bit(CONN_WAIT_F, &chan->conn_state)) {
1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732
			err = len;
			break;
		}

		err = l2cap_ertm_send(chan);
		if (err >= 0)
			err = len;

		break;

	default:
		BT_DBG("bad state %1.1x", chan->mode);
		err = -EBADFD;
	}

	return err;
}

L
Linus Torvalds 已提交
1733 1734 1735 1736
/* Copy frame to all raw sockets on that connection */
static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct sk_buff *nskb;
1737
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
1738 1739 1740

	BT_DBG("conn %p", conn);

1741 1742
	read_lock(&conn->chan_lock);
	list_for_each_entry(chan, &conn->chan_l, list) {
1743
		struct sock *sk = chan->sk;
1744
		if (chan->chan_type != L2CAP_CHAN_RAW)
L
Linus Torvalds 已提交
1745 1746 1747 1748 1749
			continue;

		/* Don't send frame to the socket it came from */
		if (skb->sk == sk)
			continue;
1750 1751
		nskb = skb_clone(skb, GFP_ATOMIC);
		if (!nskb)
L
Linus Torvalds 已提交
1752 1753
			continue;

1754
		if (chan->ops->recv(chan->data, nskb))
L
Linus Torvalds 已提交
1755 1756
			kfree_skb(nskb);
	}
1757
	read_unlock(&conn->chan_lock);
L
Linus Torvalds 已提交
1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768
}

/* ---- L2CAP signalling commands ---- */
static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
				u8 code, u8 ident, u16 dlen, void *data)
{
	struct sk_buff *skb, **frag;
	struct l2cap_cmd_hdr *cmd;
	struct l2cap_hdr *lh;
	int len, count;

1769 1770
	BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
			conn, code, ident, dlen);
L
Linus Torvalds 已提交
1771 1772 1773 1774 1775 1776 1777 1778 1779

	len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
	count = min_t(unsigned int, conn->mtu, len);

	skb = bt_skb_alloc(count, GFP_ATOMIC);
	if (!skb)
		return NULL;

	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1780
	lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1781 1782 1783 1784 1785

	if (conn->hcon->type == LE_LINK)
		lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
	else
		lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
L
Linus Torvalds 已提交
1786 1787 1788 1789

	cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
	cmd->code  = code;
	cmd->ident = ident;
1790
	cmd->len   = cpu_to_le16(dlen);
L
Linus Torvalds 已提交
1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840

	if (dlen) {
		count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
		memcpy(skb_put(skb, count), data, count);
		data += count;
	}

	len -= skb->len;

	/* Continuation fragments (no L2CAP header) */
	frag = &skb_shinfo(skb)->frag_list;
	while (len) {
		count = min_t(unsigned int, conn->mtu, len);

		*frag = bt_skb_alloc(count, GFP_ATOMIC);
		if (!*frag)
			goto fail;

		memcpy(skb_put(*frag, count), data, count);

		len  -= count;
		data += count;

		frag = &(*frag)->next;
	}

	return skb;

fail:
	kfree_skb(skb);
	return NULL;
}

static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
{
	struct l2cap_conf_opt *opt = *ptr;
	int len;

	len = L2CAP_CONF_OPT_SIZE + opt->len;
	*ptr += len;

	*type = opt->type;
	*olen = opt->len;

	switch (opt->len) {
	case 1:
		*val = *((u8 *) opt->val);
		break;

	case 2:
1841
		*val = get_unaligned_le16(opt->val);
L
Linus Torvalds 已提交
1842 1843 1844
		break;

	case 4:
1845
		*val = get_unaligned_le32(opt->val);
L
Linus Torvalds 已提交
1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871
		break;

	default:
		*val = (unsigned long) opt->val;
		break;
	}

	BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
	return len;
}

static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
{
	struct l2cap_conf_opt *opt = *ptr;

	BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);

	opt->type = type;
	opt->len  = len;

	switch (len) {
	case 1:
		*((u8 *) opt->val)  = val;
		break;

	case 2:
1872
		put_unaligned_le16(val, opt->val);
L
Linus Torvalds 已提交
1873 1874 1875
		break;

	case 4:
1876
		put_unaligned_le32(val, opt->val);
L
Linus Torvalds 已提交
1877 1878 1879 1880 1881 1882 1883 1884 1885 1886
		break;

	default:
		memcpy(opt->val, (void *) val, len);
		break;
	}

	*ptr += L2CAP_CONF_OPT_SIZE + len;
}

1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917
static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
{
	struct l2cap_conf_efs efs;

	switch(chan->mode) {
	case L2CAP_MODE_ERTM:
		efs.id		= chan->local_id;
		efs.stype	= chan->local_stype;
		efs.msdu	= cpu_to_le16(chan->local_msdu);
		efs.sdu_itime	= cpu_to_le32(chan->local_sdu_itime);
		efs.acc_lat	= cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
		efs.flush_to	= cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
		break;

	case L2CAP_MODE_STREAMING:
		efs.id		= 1;
		efs.stype	= L2CAP_SERV_BESTEFFORT;
		efs.msdu	= cpu_to_le16(chan->local_msdu);
		efs.sdu_itime	= cpu_to_le32(chan->local_sdu_itime);
		efs.acc_lat	= 0;
		efs.flush_to	= 0;
		break;

	default:
		return;
	}

	l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
							(unsigned long) &efs);
}

1918 1919
static void l2cap_ack_timeout(unsigned long arg)
{
1920
	struct l2cap_chan *chan = (void *) arg;
1921

1922 1923 1924
	bh_lock_sock(chan->sk);
	l2cap_send_ack(chan);
	bh_unlock_sock(chan->sk);
1925 1926
}

1927
static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1928
{
1929 1930
	struct sock *sk = chan->sk;

1931
	chan->expected_ack_seq = 0;
1932
	chan->unacked_frames = 0;
1933
	chan->buffer_seq = 0;
1934 1935
	chan->num_acked = 0;
	chan->frames_sent = 0;
1936

1937 1938 1939 1940 1941
	setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
							(unsigned long) chan);
	setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
							(unsigned long) chan);
	setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1942

1943
	skb_queue_head_init(&chan->srej_q);
1944

1945 1946
	INIT_LIST_HEAD(&chan->srej_l);

1947 1948

	sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1949 1950
}

1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963
static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
{
	switch (mode) {
	case L2CAP_MODE_STREAMING:
	case L2CAP_MODE_ERTM:
		if (l2cap_mode_supported(mode, remote_feat_mask))
			return mode;
		/* fall through */
	default:
		return L2CAP_MODE_BASIC;
	}
}

1964 1965 1966 1967 1968
static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
{
	return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
}

1969 1970 1971 1972 1973
static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
{
	return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
}

1974 1975 1976
static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
{
	if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
1977
						__l2cap_ews_supported(chan)) {
1978 1979
		/* use extended control field */
		set_bit(FLAG_EXT_CTRL, &chan->flags);
1980 1981
		chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
	} else {
1982 1983
		chan->tx_win = min_t(u16, chan->tx_win,
						L2CAP_DEFAULT_TX_WINDOW);
1984 1985
		chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
	}
1986 1987
}

1988
static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
L
Linus Torvalds 已提交
1989 1990
{
	struct l2cap_conf_req *req = data;
1991
	struct l2cap_conf_rfc rfc = { .mode = chan->mode };
L
Linus Torvalds 已提交
1992
	void *ptr = req->data;
1993
	u16 size;
L
Linus Torvalds 已提交
1994

1995
	BT_DBG("chan %p", chan);
L
Linus Torvalds 已提交
1996

1997
	if (chan->num_conf_req || chan->num_conf_rsp)
1998 1999
		goto done;

2000
	switch (chan->mode) {
2001 2002
	case L2CAP_MODE_STREAMING:
	case L2CAP_MODE_ERTM:
2003
		if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
2004 2005
			break;

2006 2007 2008
		if (__l2cap_efs_supported(chan))
			set_bit(FLAG_EFS_ENABLE, &chan->flags);

2009
		/* fall through */
2010
	default:
2011
		chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
2012 2013 2014 2015
		break;
	}

done:
2016 2017
	if (chan->imtu != L2CAP_DEFAULT_MTU)
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2018

2019
	switch (chan->mode) {
2020
	case L2CAP_MODE_BASIC:
2021 2022
		if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
				!(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
2023 2024
			break;

2025 2026 2027 2028 2029 2030 2031
		rfc.mode            = L2CAP_MODE_BASIC;
		rfc.txwin_size      = 0;
		rfc.max_transmit    = 0;
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;
		rfc.max_pdu_size    = 0;

2032 2033
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);
2034 2035 2036 2037
		break;

	case L2CAP_MODE_ERTM:
		rfc.mode            = L2CAP_MODE_ERTM;
2038
		rfc.max_transmit    = chan->max_tx;
2039 2040
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;
2041 2042 2043 2044 2045 2046

		size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
						L2CAP_EXT_HDR_SIZE -
						L2CAP_SDULEN_SIZE -
						L2CAP_FCS_SIZE);
		rfc.max_pdu_size = cpu_to_le16(size);
2047

2048 2049 2050 2051 2052
		l2cap_txwin_setup(chan);

		rfc.txwin_size = min_t(u16, chan->tx_win,
						L2CAP_DEFAULT_TX_WINDOW);

2053 2054 2055
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);

2056 2057 2058
		if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
			l2cap_add_opt_efs(&ptr, chan);

2059
		if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2060 2061
			break;

2062
		if (chan->fcs == L2CAP_FCS_NONE ||
2063
				test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2064 2065
			chan->fcs = L2CAP_FCS_NONE;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2066
		}
2067 2068 2069 2070

		if (test_bit(FLAG_EXT_CTRL, &chan->flags))
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
								chan->tx_win);
2071 2072 2073 2074 2075 2076 2077 2078
		break;

	case L2CAP_MODE_STREAMING:
		rfc.mode            = L2CAP_MODE_STREAMING;
		rfc.txwin_size      = 0;
		rfc.max_transmit    = 0;
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;
2079 2080 2081 2082 2083 2084

		size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
						L2CAP_EXT_HDR_SIZE -
						L2CAP_SDULEN_SIZE -
						L2CAP_FCS_SIZE);
		rfc.max_pdu_size = cpu_to_le16(size);
2085

2086 2087 2088
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);

2089 2090 2091
		if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
			l2cap_add_opt_efs(&ptr, chan);

2092
		if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2093 2094
			break;

2095
		if (chan->fcs == L2CAP_FCS_NONE ||
2096
				test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2097 2098
			chan->fcs = L2CAP_FCS_NONE;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2099
		}
2100 2101
		break;
	}
L
Linus Torvalds 已提交
2102

2103
	req->dcid  = cpu_to_le16(chan->dcid);
2104
	req->flags = cpu_to_le16(0);
L
Linus Torvalds 已提交
2105 2106 2107 2108

	return ptr - data;
}

2109
static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
L
Linus Torvalds 已提交
2110
{
2111 2112
	struct l2cap_conf_rsp *rsp = data;
	void *ptr = rsp->data;
2113 2114
	void *req = chan->conf_req;
	int len = chan->conf_len;
2115 2116
	int type, hint, olen;
	unsigned long val;
2117
	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2118 2119
	struct l2cap_conf_efs efs;
	u8 remote_efs = 0;
2120
	u16 mtu = L2CAP_DEFAULT_MTU;
2121
	u16 result = L2CAP_CONF_SUCCESS;
2122
	u16 size;
L
Linus Torvalds 已提交
2123

2124
	BT_DBG("chan %p", chan);
2125

2126 2127
	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
L
Linus Torvalds 已提交
2128

2129
		hint  = type & L2CAP_CONF_HINT;
2130
		type &= L2CAP_CONF_MASK;
2131 2132 2133

		switch (type) {
		case L2CAP_CONF_MTU:
2134
			mtu = val;
2135 2136 2137
			break;

		case L2CAP_CONF_FLUSH_TO:
2138
			chan->flush_to = val;
2139 2140 2141 2142 2143
			break;

		case L2CAP_CONF_QOS:
			break;

2144 2145 2146 2147 2148
		case L2CAP_CONF_RFC:
			if (olen == sizeof(rfc))
				memcpy(&rfc, (void *) val, olen);
			break;

2149 2150
		case L2CAP_CONF_FCS:
			if (val == L2CAP_FCS_NONE)
2151
				set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
2152
			break;
2153

2154 2155 2156 2157
		case L2CAP_CONF_EFS:
			remote_efs = 1;
			if (olen == sizeof(efs))
				memcpy(&efs, (void *) val, olen);
2158 2159
			break;

2160 2161 2162 2163 2164 2165
		case L2CAP_CONF_EWS:
			if (!enable_hs)
				return -ECONNREFUSED;

			set_bit(FLAG_EXT_CTRL, &chan->flags);
			set_bit(CONF_EWS_RECV, &chan->conf_state);
2166
			chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2167 2168 2169
			chan->remote_tx_win = val;
			break;

2170 2171 2172 2173 2174 2175 2176 2177 2178 2179
		default:
			if (hint)
				break;

			result = L2CAP_CONF_UNKNOWN;
			*((u8 *) ptr++) = type;
			break;
		}
	}

2180
	if (chan->num_conf_rsp || chan->num_conf_req > 1)
2181 2182
		goto done;

2183
	switch (chan->mode) {
2184 2185
	case L2CAP_MODE_STREAMING:
	case L2CAP_MODE_ERTM:
2186
		if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
2187
			chan->mode = l2cap_select_mode(rfc.mode,
2188
					chan->conn->feat_mask);
2189 2190 2191
			break;
		}

2192 2193 2194 2195 2196 2197 2198
		if (remote_efs) {
			if (__l2cap_efs_supported(chan))
				set_bit(FLAG_EFS_ENABLE, &chan->flags);
			else
				return -ECONNREFUSED;
		}

2199
		if (chan->mode != rfc.mode)
2200
			return -ECONNREFUSED;
2201

2202 2203 2204 2205
		break;
	}

done:
2206
	if (chan->mode != rfc.mode) {
2207
		result = L2CAP_CONF_UNACCEPT;
2208
		rfc.mode = chan->mode;
2209

2210
		if (chan->num_conf_rsp == 1)
2211 2212 2213 2214 2215 2216
			return -ECONNREFUSED;

		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);
	}

2217 2218 2219 2220
	if (result == L2CAP_CONF_SUCCESS) {
		/* Configure output options and let the other side know
		 * which ones we don't like. */

2221 2222 2223
		if (mtu < L2CAP_DEFAULT_MIN_MTU)
			result = L2CAP_CONF_UNACCEPT;
		else {
2224
			chan->omtu = mtu;
2225
			set_bit(CONF_MTU_DONE, &chan->conf_state);
2226
		}
2227
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
2228

2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239
		if (remote_efs) {
			if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
					efs.stype != L2CAP_SERV_NOTRAFIC &&
					efs.stype != chan->local_stype) {

				result = L2CAP_CONF_UNACCEPT;

				if (chan->num_conf_req >= 1)
					return -ECONNREFUSED;

				l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2240
							sizeof(efs),
2241
							(unsigned long) &efs);
2242
			} else {
2243
				/* Send PENDING Conf Rsp */
2244 2245
				result = L2CAP_CONF_PENDING;
				set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2246 2247 2248
			}
		}

2249 2250
		switch (rfc.mode) {
		case L2CAP_MODE_BASIC:
2251
			chan->fcs = L2CAP_FCS_NONE;
2252
			set_bit(CONF_MODE_DONE, &chan->conf_state);
2253 2254 2255
			break;

		case L2CAP_MODE_ERTM:
2256 2257 2258 2259 2260
			if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
				chan->remote_tx_win = rfc.txwin_size;
			else
				rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;

2261
			chan->remote_max_tx = rfc.max_transmit;
2262

2263 2264 2265 2266 2267 2268 2269
			size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
						chan->conn->mtu -
						L2CAP_EXT_HDR_SIZE -
						L2CAP_SDULEN_SIZE -
						L2CAP_FCS_SIZE);
			rfc.max_pdu_size = cpu_to_le16(size);
			chan->remote_mps = size;
2270

2271 2272 2273 2274
			rfc.retrans_timeout =
				le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
			rfc.monitor_timeout =
				le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
2275

2276
			set_bit(CONF_MODE_DONE, &chan->conf_state);
2277 2278 2279 2280

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);

2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293
			if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
				chan->remote_id = efs.id;
				chan->remote_stype = efs.stype;
				chan->remote_msdu = le16_to_cpu(efs.msdu);
				chan->remote_flush_to =
						le32_to_cpu(efs.flush_to);
				chan->remote_acc_lat =
						le32_to_cpu(efs.acc_lat);
				chan->remote_sdu_itime =
					le32_to_cpu(efs.sdu_itime);
				l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
					sizeof(efs), (unsigned long) &efs);
			}
2294 2295 2296
			break;

		case L2CAP_MODE_STREAMING:
2297 2298 2299 2300 2301 2302 2303
			size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
						chan->conn->mtu -
						L2CAP_EXT_HDR_SIZE -
						L2CAP_SDULEN_SIZE -
						L2CAP_FCS_SIZE);
			rfc.max_pdu_size = cpu_to_le16(size);
			chan->remote_mps = size;
2304

2305
			set_bit(CONF_MODE_DONE, &chan->conf_state);
2306 2307 2308 2309

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);

2310 2311 2312
			break;

		default:
2313 2314
			result = L2CAP_CONF_UNACCEPT;

2315
			memset(&rfc, 0, sizeof(rfc));
2316
			rfc.mode = chan->mode;
2317
		}
2318

2319
		if (result == L2CAP_CONF_SUCCESS)
2320
			set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2321
	}
2322
	rsp->scid   = cpu_to_le16(chan->dcid);
2323 2324 2325 2326
	rsp->result = cpu_to_le16(result);
	rsp->flags  = cpu_to_le16(0x0000);

	return ptr - data;
L
Linus Torvalds 已提交
2327 2328
}

2329
static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
2330 2331 2332 2333 2334 2335 2336
{
	struct l2cap_conf_req *req = data;
	void *ptr = req->data;
	int type, olen;
	unsigned long val;
	struct l2cap_conf_rfc rfc;

2337
	BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
2338 2339 2340 2341 2342 2343 2344 2345

	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);

		switch (type) {
		case L2CAP_CONF_MTU:
			if (val < L2CAP_DEFAULT_MIN_MTU) {
				*result = L2CAP_CONF_UNACCEPT;
2346
				chan->imtu = L2CAP_DEFAULT_MIN_MTU;
2347
			} else
2348 2349
				chan->imtu = val;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2350 2351 2352
			break;

		case L2CAP_CONF_FLUSH_TO:
2353
			chan->flush_to = val;
2354
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2355
							2, chan->flush_to);
2356 2357 2358 2359 2360 2361
			break;

		case L2CAP_CONF_RFC:
			if (olen == sizeof(rfc))
				memcpy(&rfc, (void *)val, olen);

2362
			if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2363
							rfc.mode != chan->mode)
2364 2365
				return -ECONNREFUSED;

2366
			chan->fcs = 0;
2367 2368 2369 2370

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);
			break;
2371 2372 2373 2374

		case L2CAP_CONF_EWS:
			chan->tx_win = min_t(u16, val,
						L2CAP_DEFAULT_EXT_WINDOW);
2375 2376
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
							chan->tx_win);
2377
			break;
2378 2379 2380
		}
	}

2381
	if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
2382 2383
		return -ECONNREFUSED;

2384
	chan->mode = rfc.mode;
2385

2386
	if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
2387 2388
		switch (rfc.mode) {
		case L2CAP_MODE_ERTM:
2389 2390 2391
			chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
			chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
			chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2392 2393
			break;
		case L2CAP_MODE_STREAMING:
2394
			chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2395 2396 2397
		}
	}

2398
	req->dcid   = cpu_to_le16(chan->dcid);
2399 2400 2401 2402 2403
	req->flags  = cpu_to_le16(0x0000);

	return ptr - data;
}

2404
static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
L
Linus Torvalds 已提交
2405 2406 2407 2408
{
	struct l2cap_conf_rsp *rsp = data;
	void *ptr = rsp->data;

2409
	BT_DBG("chan %p", chan);
L
Linus Torvalds 已提交
2410

2411
	rsp->scid   = cpu_to_le16(chan->dcid);
2412
	rsp->result = cpu_to_le16(result);
2413
	rsp->flags  = cpu_to_le16(flags);
L
Linus Torvalds 已提交
2414 2415 2416 2417

	return ptr - data;
}

2418
void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2419 2420
{
	struct l2cap_conn_rsp rsp;
2421
	struct l2cap_conn *conn = chan->conn;
2422 2423
	u8 buf[128];

2424 2425
	rsp.scid   = cpu_to_le16(chan->dcid);
	rsp.dcid   = cpu_to_le16(chan->scid);
2426 2427 2428 2429 2430
	rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
	rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
	l2cap_send_cmd(conn, chan->ident,
				L2CAP_CONN_RSP, sizeof(rsp), &rsp);

2431
	if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2432 2433 2434 2435 2436 2437 2438
		return;

	l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
			l2cap_build_conf_req(chan, buf), buf);
	chan->num_conf_req++;
}

2439
static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2440 2441 2442 2443 2444
{
	int type, olen;
	unsigned long val;
	struct l2cap_conf_rfc rfc;

2445
	BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2446

2447
	if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463
		return;

	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);

		switch (type) {
		case L2CAP_CONF_RFC:
			if (olen == sizeof(rfc))
				memcpy(&rfc, (void *)val, olen);
			goto done;
		}
	}

done:
	switch (rfc.mode) {
	case L2CAP_MODE_ERTM:
2464 2465 2466
		chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
		chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
		chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2467 2468
		break;
	case L2CAP_MODE_STREAMING:
2469
		chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2470 2471 2472
	}
}

2473 2474
static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
2475
	struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2476

2477
	if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2478 2479 2480 2481 2482
		return 0;

	if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
					cmd->ident == conn->info_ident) {
		del_timer(&conn->info_timer);
2483 2484

		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2485
		conn->info_ident = 0;
2486

2487 2488 2489 2490 2491 2492
		l2cap_conn_start(conn);
	}

	return 0;
}

L
Linus Torvalds 已提交
2493 2494 2495 2496
static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
	struct l2cap_conn_rsp rsp;
2497
	struct l2cap_chan *chan = NULL, *pchan;
2498
	struct sock *parent, *sk = NULL;
2499
	int result, status = L2CAP_CS_NO_INFO;
L
Linus Torvalds 已提交
2500 2501

	u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2502
	__le16 psm = req->psm;
L
Linus Torvalds 已提交
2503 2504 2505 2506

	BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);

	/* Check if we have socket listening on psm */
2507 2508
	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
	if (!pchan) {
L
Linus Torvalds 已提交
2509 2510 2511 2512
		result = L2CAP_CR_BAD_PSM;
		goto sendresp;
	}

2513 2514
	parent = pchan->sk;

2515 2516
	bh_lock_sock(parent);

2517 2518 2519
	/* Check if the ACL is secure enough (if not SDP) */
	if (psm != cpu_to_le16(0x0001) &&
				!hci_conn_check_link_mode(conn->hcon)) {
2520
		conn->disc_reason = 0x05;
2521 2522 2523 2524
		result = L2CAP_CR_SEC_BLOCK;
		goto response;
	}

L
Linus Torvalds 已提交
2525 2526 2527 2528
	result = L2CAP_CR_NO_MEM;

	/* Check for backlog size */
	if (sk_acceptq_is_full(parent)) {
2529
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
L
Linus Torvalds 已提交
2530 2531 2532
		goto response;
	}

2533 2534
	chan = pchan->ops->new_connection(pchan->data);
	if (!chan)
L
Linus Torvalds 已提交
2535 2536
		goto response;

2537 2538
	sk = chan->sk;

2539
	write_lock_bh(&conn->chan_lock);
L
Linus Torvalds 已提交
2540 2541

	/* Check if we already have channel with that dcid */
2542 2543
	if (__l2cap_get_chan_by_dcid(conn, scid)) {
		write_unlock_bh(&conn->chan_lock);
L
Linus Torvalds 已提交
2544
		sock_set_flag(sk, SOCK_ZAPPED);
2545
		chan->ops->close(chan->data);
L
Linus Torvalds 已提交
2546 2547 2548 2549 2550 2551 2552
		goto response;
	}

	hci_conn_hold(conn->hcon);

	bacpy(&bt_sk(sk)->src, conn->src);
	bacpy(&bt_sk(sk)->dst, conn->dst);
2553 2554
	chan->psm  = psm;
	chan->dcid = scid;
L
Linus Torvalds 已提交
2555

2556 2557
	bt_accept_enqueue(parent, sk);

2558 2559
	__l2cap_chan_add(conn, chan);

2560
	dcid = chan->scid;
L
Linus Torvalds 已提交
2561

2562
	__set_chan_timer(chan, sk->sk_sndtimeo);
L
Linus Torvalds 已提交
2563

2564
	chan->ident = cmd->ident;
L
Linus Torvalds 已提交
2565

2566
	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2567
		if (l2cap_check_security(chan)) {
2568
			if (bt_sk(sk)->defer_setup) {
2569
				l2cap_state_change(chan, BT_CONNECT2);
2570 2571 2572 2573
				result = L2CAP_CR_PEND;
				status = L2CAP_CS_AUTHOR_PEND;
				parent->sk_data_ready(parent, 0);
			} else {
2574
				l2cap_state_change(chan, BT_CONFIG);
2575 2576 2577
				result = L2CAP_CR_SUCCESS;
				status = L2CAP_CS_NO_INFO;
			}
2578
		} else {
2579
			l2cap_state_change(chan, BT_CONNECT2);
2580 2581 2582 2583
			result = L2CAP_CR_PEND;
			status = L2CAP_CS_AUTHEN_PEND;
		}
	} else {
2584
		l2cap_state_change(chan, BT_CONNECT2);
2585 2586
		result = L2CAP_CR_PEND;
		status = L2CAP_CS_NO_INFO;
L
Linus Torvalds 已提交
2587 2588
	}

2589
	write_unlock_bh(&conn->chan_lock);
L
Linus Torvalds 已提交
2590 2591 2592 2593 2594

response:
	bh_unlock_sock(parent);

sendresp:
2595 2596 2597 2598
	rsp.scid   = cpu_to_le16(scid);
	rsp.dcid   = cpu_to_le16(dcid);
	rsp.result = cpu_to_le16(result);
	rsp.status = cpu_to_le16(status);
L
Linus Torvalds 已提交
2599
	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2600 2601 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614

	if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
		struct l2cap_info_req info;
		info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);

		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
		conn->info_ident = l2cap_get_ident(conn);

		mod_timer(&conn->info_timer, jiffies +
					msecs_to_jiffies(L2CAP_INFO_TIMEOUT));

		l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(info), &info);
	}

2615
	if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2616 2617
				result == L2CAP_CR_SUCCESS) {
		u8 buf[128];
2618
		set_bit(CONF_REQ_SENT, &chan->conf_state);
2619
		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2620 2621
					l2cap_build_conf_req(chan, buf), buf);
		chan->num_conf_req++;
2622 2623
	}

L
Linus Torvalds 已提交
2624 2625 2626 2627 2628 2629 2630
	return 0;
}

static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
	u16 scid, dcid, result, status;
2631
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642
	struct sock *sk;
	u8 req[128];

	scid   = __le16_to_cpu(rsp->scid);
	dcid   = __le16_to_cpu(rsp->dcid);
	result = __le16_to_cpu(rsp->result);
	status = __le16_to_cpu(rsp->status);

	BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);

	if (scid) {
2643
		chan = l2cap_get_chan_by_scid(conn, scid);
2644
		if (!chan)
2645
			return -EFAULT;
L
Linus Torvalds 已提交
2646
	} else {
2647
		chan = l2cap_get_chan_by_ident(conn, cmd->ident);
2648
		if (!chan)
2649
			return -EFAULT;
L
Linus Torvalds 已提交
2650 2651
	}

2652 2653
	sk = chan->sk;

L
Linus Torvalds 已提交
2654 2655
	switch (result) {
	case L2CAP_CR_SUCCESS:
2656
		l2cap_state_change(chan, BT_CONFIG);
2657
		chan->ident = 0;
2658
		chan->dcid = dcid;
2659
		clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2660

2661
		if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2662 2663
			break;

L
Linus Torvalds 已提交
2664
		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2665 2666
					l2cap_build_conf_req(chan, req), req);
		chan->num_conf_req++;
L
Linus Torvalds 已提交
2667 2668 2669
		break;

	case L2CAP_CR_PEND:
2670
		set_bit(CONF_CONNECT_PEND, &chan->conf_state);
L
Linus Torvalds 已提交
2671 2672 2673
		break;

	default:
2674 2675
		/* don't delete l2cap channel if sk is owned by user */
		if (sock_owned_by_user(sk)) {
2676
			l2cap_state_change(chan, BT_DISCONN);
2677 2678
			__clear_chan_timer(chan);
			__set_chan_timer(chan, HZ / 5);
2679 2680 2681
			break;
		}

2682
		l2cap_chan_del(chan, ECONNREFUSED);
L
Linus Torvalds 已提交
2683 2684 2685 2686 2687 2688 2689
		break;
	}

	bh_unlock_sock(sk);
	return 0;
}

2690
static inline void set_default_fcs(struct l2cap_chan *chan)
2691 2692 2693 2694
{
	/* FCS is enabled only in ERTM or streaming mode, if one or both
	 * sides request it.
	 */
2695
	if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2696
		chan->fcs = L2CAP_FCS_NONE;
2697
	else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2698
		chan->fcs = L2CAP_FCS_CRC16;
2699 2700
}

2701
static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
L
Linus Torvalds 已提交
2702 2703 2704 2705
{
	struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
	u16 dcid, flags;
	u8 rsp[64];
2706
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2707
	struct sock *sk;
2708
	int len;
L
Linus Torvalds 已提交
2709 2710 2711 2712 2713 2714

	dcid  = __le16_to_cpu(req->dcid);
	flags = __le16_to_cpu(req->flags);

	BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);

2715
	chan = l2cap_get_chan_by_scid(conn, dcid);
2716
	if (!chan)
L
Linus Torvalds 已提交
2717 2718
		return -ENOENT;

2719 2720
	sk = chan->sk;

2721
	if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
2722 2723 2724 2725 2726
		struct l2cap_cmd_rej_cid rej;

		rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
		rej.scid = cpu_to_le16(chan->scid);
		rej.dcid = cpu_to_le16(chan->dcid);
2727 2728 2729

		l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
				sizeof(rej), &rej);
2730
		goto unlock;
2731
	}
2732

2733
	/* Reject if config buffer is too small. */
2734
	len = cmd_len - sizeof(*req);
2735
	if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
2736
		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2737
				l2cap_build_conf_rsp(chan, rsp,
2738 2739 2740 2741 2742
					L2CAP_CONF_REJECT, flags), rsp);
		goto unlock;
	}

	/* Store config. */
2743 2744
	memcpy(chan->conf_req + chan->conf_len, req->data, len);
	chan->conf_len += len;
L
Linus Torvalds 已提交
2745 2746 2747 2748

	if (flags & 0x0001) {
		/* Incomplete config. Send empty response. */
		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2749
				l2cap_build_conf_rsp(chan, rsp,
2750
					L2CAP_CONF_SUCCESS, 0x0001), rsp);
L
Linus Torvalds 已提交
2751 2752 2753 2754
		goto unlock;
	}

	/* Complete config. */
2755
	len = l2cap_parse_conf_req(chan, rsp);
2756
	if (len < 0) {
2757
		l2cap_send_disconn_req(conn, chan, ECONNRESET);
L
Linus Torvalds 已提交
2758
		goto unlock;
2759
	}
L
Linus Torvalds 已提交
2760

2761
	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2762
	chan->num_conf_rsp++;
2763 2764

	/* Reset config buffer. */
2765
	chan->conf_len = 0;
2766

2767
	if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2768 2769
		goto unlock;

2770
	if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2771
		set_default_fcs(chan);
2772

2773
		l2cap_state_change(chan, BT_CONNECTED);
2774

2775 2776
		chan->next_tx_seq = 0;
		chan->expected_tx_seq = 0;
2777
		skb_queue_head_init(&chan->tx_q);
2778
		if (chan->mode == L2CAP_MODE_ERTM)
2779
			l2cap_ertm_init(chan);
2780

L
Linus Torvalds 已提交
2781
		l2cap_chan_ready(sk);
2782 2783 2784
		goto unlock;
	}

2785
	if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2786
		u8 buf[64];
L
Linus Torvalds 已提交
2787
		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2788 2789
					l2cap_build_conf_req(chan, buf), buf);
		chan->num_conf_req++;
L
Linus Torvalds 已提交
2790 2791
	}

2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802
	/* Got Conf Rsp PENDING from remote side and asume we sent
	   Conf Rsp PENDING in the code above */
	if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
			test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {

		/* check compatibility */

		clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
		set_bit(CONF_OUTPUT_DONE, &chan->conf_state);

		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2803
					l2cap_build_conf_rsp(chan, rsp,
2804 2805 2806
					L2CAP_CONF_SUCCESS, 0x0000), rsp);
	}

L
Linus Torvalds 已提交
2807 2808 2809 2810 2811 2812 2813 2814 2815
unlock:
	bh_unlock_sock(sk);
	return 0;
}

static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
	u16 scid, flags, result;
2816
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2817
	struct sock *sk;
2818
	int len = cmd->len - sizeof(*rsp);
L
Linus Torvalds 已提交
2819 2820 2821 2822 2823

	scid   = __le16_to_cpu(rsp->scid);
	flags  = __le16_to_cpu(rsp->flags);
	result = __le16_to_cpu(rsp->result);

2824 2825
	BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
			scid, flags, result);
L
Linus Torvalds 已提交
2826

2827
	chan = l2cap_get_chan_by_scid(conn, scid);
2828
	if (!chan)
L
Linus Torvalds 已提交
2829 2830
		return 0;

2831 2832
	sk = chan->sk;

L
Linus Torvalds 已提交
2833 2834
	switch (result) {
	case L2CAP_CONF_SUCCESS:
2835
		l2cap_conf_rfc_get(chan, rsp->data, len);
2836
		clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
L
Linus Torvalds 已提交
2837 2838
		break;

2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857
	case L2CAP_CONF_PENDING:
		set_bit(CONF_REM_CONF_PEND, &chan->conf_state);

		if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
			char buf[64];

			len = l2cap_parse_conf_rsp(chan, rsp->data, len,
								buf, &result);
			if (len < 0) {
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
				goto done;
			}

			/* check compatibility */

			clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
			set_bit(CONF_OUTPUT_DONE, &chan->conf_state);

			l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2858
						l2cap_build_conf_rsp(chan, buf,
2859 2860 2861 2862
						L2CAP_CONF_SUCCESS, 0x0000), buf);
		}
		goto done;

L
Linus Torvalds 已提交
2863
	case L2CAP_CONF_UNACCEPT:
2864
		if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2865 2866
			char req[64];

2867
			if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2868
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
2869 2870 2871
				goto done;
			}

2872 2873
			/* throw out any old stored conf requests */
			result = L2CAP_CONF_SUCCESS;
2874 2875
			len = l2cap_parse_conf_rsp(chan, rsp->data, len,
								req, &result);
2876
			if (len < 0) {
2877
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
2878 2879 2880 2881 2882
				goto done;
			}

			l2cap_send_cmd(conn, l2cap_get_ident(conn),
						L2CAP_CONF_REQ, len, req);
2883
			chan->num_conf_req++;
2884 2885 2886
			if (result != L2CAP_CONF_SUCCESS)
				goto done;
			break;
L
Linus Torvalds 已提交
2887 2888
		}

2889
	default:
2890
		sk->sk_err = ECONNRESET;
2891
		__set_chan_timer(chan, HZ * 5);
2892
		l2cap_send_disconn_req(conn, chan, ECONNRESET);
L
Linus Torvalds 已提交
2893 2894 2895 2896 2897 2898
		goto done;
	}

	if (flags & 0x01)
		goto done;

2899
	set_bit(CONF_INPUT_DONE, &chan->conf_state);
L
Linus Torvalds 已提交
2900

2901
	if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
2902
		set_default_fcs(chan);
2903

2904
		l2cap_state_change(chan, BT_CONNECTED);
2905 2906
		chan->next_tx_seq = 0;
		chan->expected_tx_seq = 0;
2907
		skb_queue_head_init(&chan->tx_q);
2908
		if (chan->mode ==  L2CAP_MODE_ERTM)
2909
			l2cap_ertm_init(chan);
2910

L
Linus Torvalds 已提交
2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923
		l2cap_chan_ready(sk);
	}

done:
	bh_unlock_sock(sk);
	return 0;
}

static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
	struct l2cap_disconn_rsp rsp;
	u16 dcid, scid;
2924
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2925 2926 2927 2928 2929 2930 2931
	struct sock *sk;

	scid = __le16_to_cpu(req->scid);
	dcid = __le16_to_cpu(req->dcid);

	BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);

2932
	chan = l2cap_get_chan_by_scid(conn, dcid);
2933
	if (!chan)
L
Linus Torvalds 已提交
2934 2935
		return 0;

2936 2937
	sk = chan->sk;

2938 2939
	rsp.dcid = cpu_to_le16(chan->scid);
	rsp.scid = cpu_to_le16(chan->dcid);
L
Linus Torvalds 已提交
2940 2941 2942 2943
	l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);

	sk->sk_shutdown = SHUTDOWN_MASK;

2944 2945
	/* don't delete l2cap channel if sk is owned by user */
	if (sock_owned_by_user(sk)) {
2946
		l2cap_state_change(chan, BT_DISCONN);
2947 2948
		__clear_chan_timer(chan);
		__set_chan_timer(chan, HZ / 5);
2949 2950 2951 2952
		bh_unlock_sock(sk);
		return 0;
	}

2953
	l2cap_chan_del(chan, ECONNRESET);
L
Linus Torvalds 已提交
2954 2955
	bh_unlock_sock(sk);

2956
	chan->ops->close(chan->data);
L
Linus Torvalds 已提交
2957 2958 2959 2960 2961 2962 2963
	return 0;
}

static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
	u16 dcid, scid;
2964
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2965 2966 2967 2968 2969 2970 2971
	struct sock *sk;

	scid = __le16_to_cpu(rsp->scid);
	dcid = __le16_to_cpu(rsp->dcid);

	BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);

2972
	chan = l2cap_get_chan_by_scid(conn, scid);
2973
	if (!chan)
L
Linus Torvalds 已提交
2974 2975
		return 0;

2976 2977
	sk = chan->sk;

2978 2979
	/* don't delete l2cap channel if sk is owned by user */
	if (sock_owned_by_user(sk)) {
2980
		l2cap_state_change(chan,BT_DISCONN);
2981 2982
		__clear_chan_timer(chan);
		__set_chan_timer(chan, HZ / 5);
2983 2984 2985 2986
		bh_unlock_sock(sk);
		return 0;
	}

2987
	l2cap_chan_del(chan, 0);
L
Linus Torvalds 已提交
2988 2989
	bh_unlock_sock(sk);

2990
	chan->ops->close(chan->data);
L
Linus Torvalds 已提交
2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002
	return 0;
}

static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_info_req *req = (struct l2cap_info_req *) data;
	u16 type;

	type = __le16_to_cpu(req->type);

	BT_DBG("type 0x%4.4x", type);

3003 3004
	if (type == L2CAP_IT_FEAT_MASK) {
		u8 buf[8];
3005
		u32 feat_mask = l2cap_feat_mask;
3006 3007 3008
		struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
		rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
		rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3009
		if (!disable_ertm)
3010 3011
			feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
							 | L2CAP_FEAT_FCS;
3012
		if (enable_hs)
3013 3014
			feat_mask |= L2CAP_FEAT_EXT_FLOW
						| L2CAP_FEAT_EXT_WINDOW;
3015

3016
		put_unaligned_le32(feat_mask, rsp->data);
3017 3018
		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(buf), buf);
3019 3020 3021 3022 3023 3024 3025 3026
	} else if (type == L2CAP_IT_FIXED_CHAN) {
		u8 buf[12];
		struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
		rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
		rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
		memcpy(buf + 4, l2cap_fixed_chan, 8);
		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(buf), buf);
3027 3028 3029 3030 3031 3032 3033
	} else {
		struct l2cap_info_rsp rsp;
		rsp.type   = cpu_to_le16(type);
		rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(rsp), &rsp);
	}
L
Linus Torvalds 已提交
3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047

	return 0;
}

static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
	u16 type, result;

	type   = __le16_to_cpu(rsp->type);
	result = __le16_to_cpu(rsp->result);

	BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);

3048 3049 3050 3051 3052
	/* L2CAP Info req/rsp are unbound to channels, add extra checks */
	if (cmd->ident != conn->info_ident ||
			conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
		return 0;

3053 3054
	del_timer(&conn->info_timer);

3055 3056 3057 3058 3059 3060 3061 3062 3063
	if (result != L2CAP_IR_SUCCESS) {
		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
		conn->info_ident = 0;

		l2cap_conn_start(conn);

		return 0;
	}

3064
	if (type == L2CAP_IT_FEAT_MASK) {
3065
		conn->feat_mask = get_unaligned_le32(rsp->data);
3066

3067
		if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081
			struct l2cap_info_req req;
			req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);

			conn->info_ident = l2cap_get_ident(conn);

			l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(req), &req);
		} else {
			conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
			conn->info_ident = 0;

			l2cap_conn_start(conn);
		}
	} else if (type == L2CAP_IT_FIXED_CHAN) {
3082
		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3083
		conn->info_ident = 0;
3084 3085 3086

		l2cap_conn_start(conn);
	}
3087

L
Linus Torvalds 已提交
3088 3089 3090
	return 0;
}

3091
static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118
							u16 to_multiplier)
{
	u16 max_latency;

	if (min > max || min < 6 || max > 3200)
		return -EINVAL;

	if (to_multiplier < 10 || to_multiplier > 3200)
		return -EINVAL;

	if (max >= to_multiplier * 8)
		return -EINVAL;

	max_latency = (to_multiplier * 8 / max) - 1;
	if (latency > 499 || latency > max_latency)
		return -EINVAL;

	return 0;
}

static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
					struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct hci_conn *hcon = conn->hcon;
	struct l2cap_conn_param_update_req *req;
	struct l2cap_conn_param_update_rsp rsp;
	u16 min, max, latency, to_multiplier, cmd_len;
3119
	int err;
3120 3121 3122 3123 3124 3125 3126 3127 3128

	if (!(hcon->link_mode & HCI_LM_MASTER))
		return -EINVAL;

	cmd_len = __le16_to_cpu(cmd->len);
	if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
		return -EPROTO;

	req = (struct l2cap_conn_param_update_req *) data;
3129 3130
	min		= __le16_to_cpu(req->min);
	max		= __le16_to_cpu(req->max);
3131 3132 3133 3134 3135 3136 3137
	latency		= __le16_to_cpu(req->latency);
	to_multiplier	= __le16_to_cpu(req->to_multiplier);

	BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
						min, max, latency, to_multiplier);

	memset(&rsp, 0, sizeof(rsp));
3138 3139 3140

	err = l2cap_check_conn_param(min, max, latency, to_multiplier);
	if (err)
3141 3142 3143 3144 3145 3146 3147
		rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
	else
		rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);

	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
							sizeof(rsp), &rsp);

3148 3149 3150
	if (!err)
		hci_le_conn_update(hcon, min, max, latency, to_multiplier);

3151 3152 3153
	return 0;
}

3154 3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178 3179 3180 3181 3182 3183 3184 3185 3186 3187 3188 3189 3190 3191 3192 3193 3194 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204 3205 3206 3207 3208 3209 3210 3211 3212 3213 3214 3215 3216 3217 3218 3219
static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
			struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
{
	int err = 0;

	switch (cmd->code) {
	case L2CAP_COMMAND_REJ:
		l2cap_command_rej(conn, cmd, data);
		break;

	case L2CAP_CONN_REQ:
		err = l2cap_connect_req(conn, cmd, data);
		break;

	case L2CAP_CONN_RSP:
		err = l2cap_connect_rsp(conn, cmd, data);
		break;

	case L2CAP_CONF_REQ:
		err = l2cap_config_req(conn, cmd, cmd_len, data);
		break;

	case L2CAP_CONF_RSP:
		err = l2cap_config_rsp(conn, cmd, data);
		break;

	case L2CAP_DISCONN_REQ:
		err = l2cap_disconnect_req(conn, cmd, data);
		break;

	case L2CAP_DISCONN_RSP:
		err = l2cap_disconnect_rsp(conn, cmd, data);
		break;

	case L2CAP_ECHO_REQ:
		l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
		break;

	case L2CAP_ECHO_RSP:
		break;

	case L2CAP_INFO_REQ:
		err = l2cap_information_req(conn, cmd, data);
		break;

	case L2CAP_INFO_RSP:
		err = l2cap_information_rsp(conn, cmd, data);
		break;

	default:
		BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
		err = -EINVAL;
		break;
	}

	return err;
}

static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
					struct l2cap_cmd_hdr *cmd, u8 *data)
{
	switch (cmd->code) {
	case L2CAP_COMMAND_REJ:
		return 0;

	case L2CAP_CONN_PARAM_UPDATE_REQ:
3220
		return l2cap_conn_param_update_req(conn, cmd, data);
3221 3222 3223 3224 3225 3226 3227 3228 3229 3230 3231 3232

	case L2CAP_CONN_PARAM_UPDATE_RSP:
		return 0;

	default:
		BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
		return -EINVAL;
	}
}

static inline void l2cap_sig_channel(struct l2cap_conn *conn,
							struct sk_buff *skb)
L
Linus Torvalds 已提交
3233 3234 3235 3236
{
	u8 *data = skb->data;
	int len = skb->len;
	struct l2cap_cmd_hdr cmd;
3237
	int err;
L
Linus Torvalds 已提交
3238 3239 3240 3241

	l2cap_raw_recv(conn, skb);

	while (len >= L2CAP_CMD_HDR_SIZE) {
3242
		u16 cmd_len;
L
Linus Torvalds 已提交
3243 3244 3245 3246
		memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
		data += L2CAP_CMD_HDR_SIZE;
		len  -= L2CAP_CMD_HDR_SIZE;

3247
		cmd_len = le16_to_cpu(cmd.len);
L
Linus Torvalds 已提交
3248

3249
		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
L
Linus Torvalds 已提交
3250

3251
		if (cmd_len > len || !cmd.ident) {
L
Linus Torvalds 已提交
3252 3253 3254 3255
			BT_DBG("corrupted command");
			break;
		}

3256 3257 3258 3259
		if (conn->hcon->type == LE_LINK)
			err = l2cap_le_sig_cmd(conn, &cmd, data);
		else
			err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
L
Linus Torvalds 已提交
3260 3261

		if (err) {
3262
			struct l2cap_cmd_rej_unk rej;
3263 3264

			BT_ERR("Wrong link type (%d)", err);
L
Linus Torvalds 已提交
3265 3266

			/* FIXME: Map err to a valid reason */
3267
			rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
L
Linus Torvalds 已提交
3268 3269 3270
			l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
		}

3271 3272
		data += cmd_len;
		len  -= cmd_len;
L
Linus Torvalds 已提交
3273 3274 3275 3276 3277
	}

	kfree_skb(skb);
}

3278
static int l2cap_check_fcs(struct l2cap_chan *chan,  struct sk_buff *skb)
3279 3280
{
	u16 our_fcs, rcv_fcs;
3281 3282 3283 3284 3285 3286
	int hdr_size;

	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
		hdr_size = L2CAP_EXT_HDR_SIZE;
	else
		hdr_size = L2CAP_ENH_HDR_SIZE;
3287

3288
	if (chan->fcs == L2CAP_FCS_CRC16) {
3289
		skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
3290 3291 3292 3293
		rcv_fcs = get_unaligned_le16(skb->data + skb->len);
		our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);

		if (our_fcs != rcv_fcs)
3294
			return -EBADMSG;
3295 3296 3297 3298
	}
	return 0;
}

3299
static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
3300
{
3301
	u32 control = 0;
3302

3303
	chan->frames_sent = 0;
3304

3305
	control |= __set_reqseq(chan, chan->buffer_seq);
3306

3307
	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3308
		control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
3309
		l2cap_send_sframe(chan, control);
3310
		set_bit(CONN_RNR_SENT, &chan->conn_state);
3311 3312
	}

3313
	if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
3314
		l2cap_retransmit_frames(chan);
3315

3316
	l2cap_ertm_send(chan);
3317

3318
	if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
3319
			chan->frames_sent == 0) {
3320
		control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3321
		l2cap_send_sframe(chan, control);
3322 3323 3324
	}
}

3325
static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
3326 3327
{
	struct sk_buff *next_skb;
3328
	int tx_seq_offset, next_tx_seq_offset;
3329 3330 3331 3332

	bt_cb(skb)->tx_seq = tx_seq;
	bt_cb(skb)->sar = sar;

3333
	next_skb = skb_peek(&chan->srej_q);
3334
	if (!next_skb) {
3335
		__skb_queue_tail(&chan->srej_q, skb);
3336
		return 0;
3337 3338
	}

3339
	tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
3340

3341
	do {
3342 3343 3344
		if (bt_cb(next_skb)->tx_seq == tx_seq)
			return -EINVAL;

3345 3346
		next_tx_seq_offset = __seq_offset(chan,
				bt_cb(next_skb)->tx_seq, chan->buffer_seq);
3347 3348

		if (next_tx_seq_offset > tx_seq_offset) {
3349
			__skb_queue_before(&chan->srej_q, next_skb, skb);
3350
			return 0;
3351 3352
		}

3353
		if (skb_queue_is_last(&chan->srej_q, next_skb))
3354 3355
			break;

3356
	} while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
3357

3358
	__skb_queue_tail(&chan->srej_q, skb);
3359 3360

	return 0;
3361 3362
}

3363 3364
static void append_skb_frag(struct sk_buff *skb,
			struct sk_buff *new_frag, struct sk_buff **last_frag)
3365
{
3366 3367 3368 3369 3370 3371 3372 3373 3374 3375 3376 3377 3378 3379 3380 3381
	/* skb->len reflects data in skb as well as all fragments
	 * skb->data_len reflects only data in fragments
	 */
	if (!skb_has_frag_list(skb))
		skb_shinfo(skb)->frag_list = new_frag;

	new_frag->next = NULL;

	(*last_frag)->next = new_frag;
	*last_frag = new_frag;

	skb->len += new_frag->len;
	skb->data_len += new_frag->len;
	skb->truesize += new_frag->truesize;
}

3382
static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
3383 3384
{
	int err = -EINVAL;
3385

3386 3387
	switch (__get_ctrl_sar(chan, control)) {
	case L2CAP_SAR_UNSEGMENTED:
3388 3389
		if (chan->sdu)
			break;
3390

3391 3392
		err = chan->ops->recv(chan->data, skb);
		break;
3393

3394
	case L2CAP_SAR_START:
3395 3396
		if (chan->sdu)
			break;
3397

3398
		chan->sdu_len = get_unaligned_le16(skb->data);
3399
		skb_pull(skb, L2CAP_SDULEN_SIZE);
3400

3401 3402 3403 3404
		if (chan->sdu_len > chan->imtu) {
			err = -EMSGSIZE;
			break;
		}
3405

3406 3407
		if (skb->len >= chan->sdu_len)
			break;
3408

3409 3410
		chan->sdu = skb;
		chan->sdu_last_frag = skb;
3411

3412 3413
		skb = NULL;
		err = 0;
3414 3415
		break;

3416
	case L2CAP_SAR_CONTINUE:
3417
		if (!chan->sdu)
3418
			break;
3419

3420 3421 3422
		append_skb_frag(chan->sdu, skb,
				&chan->sdu_last_frag);
		skb = NULL;
3423

3424 3425
		if (chan->sdu->len >= chan->sdu_len)
			break;
3426

3427
		err = 0;
3428 3429
		break;

3430
	case L2CAP_SAR_END:
3431
		if (!chan->sdu)
3432
			break;
3433

3434 3435 3436
		append_skb_frag(chan->sdu, skb,
				&chan->sdu_last_frag);
		skb = NULL;
3437

3438 3439
		if (chan->sdu->len != chan->sdu_len)
			break;
3440

3441
		err = chan->ops->recv(chan->data, chan->sdu);
3442

3443 3444 3445 3446 3447
		if (!err) {
			/* Reassembly complete */
			chan->sdu = NULL;
			chan->sdu_last_frag = NULL;
			chan->sdu_len = 0;
3448
		}
3449 3450 3451
		break;
	}

3452 3453 3454 3455 3456 3457 3458
	if (err) {
		kfree_skb(skb);
		kfree_skb(chan->sdu);
		chan->sdu = NULL;
		chan->sdu_last_frag = NULL;
		chan->sdu_len = 0;
	}
3459

3460
	return err;
3461 3462
}

3463
static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
3464
{
3465
	u32 control;
3466

3467
	BT_DBG("chan %p, Enter local busy", chan);
3468

3469 3470
	set_bit(CONN_LOCAL_BUSY, &chan->conn_state);

3471
	control = __set_reqseq(chan, chan->buffer_seq);
3472
	control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
3473 3474 3475 3476 3477 3478 3479 3480 3481
	l2cap_send_sframe(chan, control);

	set_bit(CONN_RNR_SENT, &chan->conn_state);

	__clear_ack_timer(chan);
}

static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
{
3482
	u32 control;
3483

3484
	if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3485 3486
		goto done;

3487
	control = __set_reqseq(chan, chan->buffer_seq);
3488
	control |= __set_ctrl_poll(chan);
3489
	control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3490
	l2cap_send_sframe(chan, control);
3491
	chan->retry_count = 1;
3492

3493 3494
	__clear_retrans_timer(chan);
	__set_monitor_timer(chan);
3495

3496
	set_bit(CONN_WAIT_F, &chan->conn_state);
3497 3498

done:
3499 3500
	clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
	clear_bit(CONN_RNR_SENT, &chan->conn_state);
3501

3502
	BT_DBG("chan %p, Exit local busy", chan);
3503 3504
}

3505
void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
3506
{
3507 3508 3509 3510 3511
	if (chan->mode == L2CAP_MODE_ERTM) {
		if (busy)
			l2cap_ertm_enter_local_busy(chan);
		else
			l2cap_ertm_exit_local_busy(chan);
3512 3513 3514
	}
}

3515
static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
3516 3517
{
	struct sk_buff *skb;
3518
	u32 control;
3519

3520 3521 3522 3523
	while ((skb = skb_peek(&chan->srej_q)) &&
			!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
		int err;

3524 3525 3526
		if (bt_cb(skb)->tx_seq != tx_seq)
			break;

3527
		skb = skb_dequeue(&chan->srej_q);
3528
		control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
3529
		err = l2cap_reassemble_sdu(chan, skb, control);
3530 3531 3532 3533 3534 3535

		if (err < 0) {
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
			break;
		}

3536 3537
		chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
		tx_seq = __next_seq(chan, tx_seq);
3538 3539 3540
	}
}

3541
static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
3542 3543
{
	struct srej_list *l, *tmp;
3544
	u32 control;
3545

3546
	list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3547 3548 3549 3550 3551
		if (l->tx_seq == tx_seq) {
			list_del(&l->list);
			kfree(l);
			return;
		}
3552
		control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
3553
		control |= __set_reqseq(chan, l->tx_seq);
3554
		l2cap_send_sframe(chan, control);
3555
		list_del(&l->list);
3556
		list_add_tail(&l->list, &chan->srej_l);
3557 3558 3559
	}
}

3560
static void l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
3561 3562
{
	struct srej_list *new;
3563
	u32 control;
3564

3565
	while (tx_seq != chan->expected_tx_seq) {
3566
		control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
3567
		control |= __set_reqseq(chan, chan->expected_tx_seq);
3568
		l2cap_send_sframe(chan, control);
3569 3570

		new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3571
		new->tx_seq = chan->expected_tx_seq;
3572 3573 3574

		chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);

3575
		list_add_tail(&new->list, &chan->srej_l);
3576
	}
3577 3578

	chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3579 3580
}

3581
static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
3582
{
3583
	u16 tx_seq = __get_txseq(chan, rx_control);
3584
	u16 req_seq = __get_reqseq(chan, rx_control);
3585
	u8 sar = __get_ctrl_sar(chan, rx_control);
3586
	int tx_seq_offset, expected_tx_seq_offset;
3587
	int num_to_ack = (chan->tx_win/6) + 1;
3588 3589
	int err = 0;

3590
	BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
3591
							tx_seq, rx_control);
3592

3593
	if (__is_ctrl_final(chan, rx_control) &&
3594
			test_bit(CONN_WAIT_F, &chan->conn_state)) {
3595
		__clear_monitor_timer(chan);
3596
		if (chan->unacked_frames > 0)
3597
			__set_retrans_timer(chan);
3598
		clear_bit(CONN_WAIT_F, &chan->conn_state);
3599 3600
	}

3601 3602
	chan->expected_ack_seq = req_seq;
	l2cap_drop_acked_frames(chan);
3603

3604
	tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
3605 3606

	/* invalid tx_seq */
3607
	if (tx_seq_offset >= chan->tx_win) {
3608
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3609 3610 3611
		goto drop;
	}

3612
	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
3613 3614
		goto drop;

3615 3616 3617
	if (tx_seq == chan->expected_tx_seq)
		goto expected;

3618
	if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3619
		struct srej_list *first;
3620

3621
		first = list_first_entry(&chan->srej_l,
3622 3623
				struct srej_list, list);
		if (tx_seq == first->tx_seq) {
3624
			l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3625
			l2cap_check_srej_gap(chan, tx_seq);
3626 3627 3628 3629

			list_del(&first->list);
			kfree(first);

3630
			if (list_empty(&chan->srej_l)) {
3631
				chan->buffer_seq = chan->buffer_seq_srej;
3632
				clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3633
				l2cap_send_ack(chan);
3634
				BT_DBG("chan %p, Exit SREJ_SENT", chan);
3635 3636 3637
			}
		} else {
			struct srej_list *l;
3638 3639

			/* duplicated tx_seq */
3640
			if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3641
				goto drop;
3642

3643
			list_for_each_entry(l, &chan->srej_l, list) {
3644
				if (l->tx_seq == tx_seq) {
3645
					l2cap_resend_srejframe(chan, tx_seq);
3646 3647 3648
					return 0;
				}
			}
3649
			l2cap_send_srejframe(chan, tx_seq);
3650 3651
		}
	} else {
3652 3653
		expected_tx_seq_offset = __seq_offset(chan,
				chan->expected_tx_seq, chan->buffer_seq);
3654 3655 3656 3657 3658

		/* duplicated tx_seq */
		if (tx_seq_offset < expected_tx_seq_offset)
			goto drop;

3659
		set_bit(CONN_SREJ_SENT, &chan->conn_state);
3660

3661
		BT_DBG("chan %p, Enter SREJ", chan);
3662

3663
		INIT_LIST_HEAD(&chan->srej_l);
3664
		chan->buffer_seq_srej = chan->buffer_seq;
3665

3666
		__skb_queue_head_init(&chan->srej_q);
3667
		l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3668

3669
		set_bit(CONN_SEND_PBIT, &chan->conn_state);
3670

3671
		l2cap_send_srejframe(chan, tx_seq);
3672

3673
		__clear_ack_timer(chan);
3674
	}
3675 3676
	return 0;

3677
expected:
3678
	chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3679

3680
	if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3681 3682
		bt_cb(skb)->tx_seq = tx_seq;
		bt_cb(skb)->sar = sar;
3683
		__skb_queue_tail(&chan->srej_q, skb);
3684 3685 3686
		return 0;
	}

3687
	err = l2cap_reassemble_sdu(chan, skb, rx_control);
3688 3689
	chan->buffer_seq = __next_seq(chan, chan->buffer_seq);

3690 3691 3692 3693
	if (err < 0) {
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
		return err;
	}
3694

3695
	if (__is_ctrl_final(chan, rx_control)) {
3696
		if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3697
			l2cap_retransmit_frames(chan);
3698 3699
	}

3700
	__set_ack_timer(chan);
3701

3702 3703
	chan->num_acked = (chan->num_acked + 1) % num_to_ack;
	if (chan->num_acked == num_to_ack - 1)
3704
		l2cap_send_ack(chan);
3705

3706
	return 0;
3707 3708 3709 3710

drop:
	kfree_skb(skb);
	return 0;
3711 3712
}

3713
static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
3714
{
3715
	BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
3716
				__get_reqseq(chan, rx_control), rx_control);
3717

3718
	chan->expected_ack_seq = __get_reqseq(chan, rx_control);
3719
	l2cap_drop_acked_frames(chan);
3720

3721
	if (__is_ctrl_poll(chan, rx_control)) {
3722 3723 3724
		set_bit(CONN_SEND_FBIT, &chan->conn_state);
		if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
			if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3725
					(chan->unacked_frames > 0))
3726
				__set_retrans_timer(chan);
3727

3728
			clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3729
			l2cap_send_srejtail(chan);
3730
		} else {
3731
			l2cap_send_i_or_rr_or_rnr(chan);
3732
		}
3733

3734
	} else if (__is_ctrl_final(chan, rx_control)) {
3735
		clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3736

3737
		if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3738
			l2cap_retransmit_frames(chan);
3739

3740
	} else {
3741
		if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
3742
				(chan->unacked_frames > 0))
3743
			__set_retrans_timer(chan);
3744

3745 3746
		clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
		if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
3747
			l2cap_send_ack(chan);
3748
		else
3749
			l2cap_ertm_send(chan);
3750 3751
	}
}
3752

3753
static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
3754
{
3755
	u16 tx_seq = __get_reqseq(chan, rx_control);
3756

3757
	BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
3758

3759
	clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3760

3761 3762
	chan->expected_ack_seq = tx_seq;
	l2cap_drop_acked_frames(chan);
3763

3764
	if (__is_ctrl_final(chan, rx_control)) {
3765
		if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
3766
			l2cap_retransmit_frames(chan);
3767
	} else {
3768
		l2cap_retransmit_frames(chan);
3769

3770 3771
		if (test_bit(CONN_WAIT_F, &chan->conn_state))
			set_bit(CONN_REJ_ACT, &chan->conn_state);
3772 3773
	}
}
3774
static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
3775
{
3776
	u16 tx_seq = __get_reqseq(chan, rx_control);
3777

3778
	BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
3779

3780
	clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3781

3782
	if (__is_ctrl_poll(chan, rx_control)) {
3783 3784
		chan->expected_ack_seq = tx_seq;
		l2cap_drop_acked_frames(chan);
3785

3786
		set_bit(CONN_SEND_FBIT, &chan->conn_state);
3787
		l2cap_retransmit_one_frame(chan, tx_seq);
3788

3789
		l2cap_ertm_send(chan);
3790

3791
		if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3792
			chan->srej_save_reqseq = tx_seq;
3793
			set_bit(CONN_SREJ_ACT, &chan->conn_state);
3794
		}
3795
	} else if (__is_ctrl_final(chan, rx_control)) {
3796
		if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
3797
				chan->srej_save_reqseq == tx_seq)
3798
			clear_bit(CONN_SREJ_ACT, &chan->conn_state);
3799
		else
3800
			l2cap_retransmit_one_frame(chan, tx_seq);
3801
	} else {
3802
		l2cap_retransmit_one_frame(chan, tx_seq);
3803
		if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
3804
			chan->srej_save_reqseq = tx_seq;
3805
			set_bit(CONN_SREJ_ACT, &chan->conn_state);
3806
		}
3807 3808 3809
	}
}

3810
static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
3811
{
3812
	u16 tx_seq = __get_reqseq(chan, rx_control);
3813

3814
	BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
3815

3816
	set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
3817 3818
	chan->expected_ack_seq = tx_seq;
	l2cap_drop_acked_frames(chan);
3819

3820
	if (__is_ctrl_poll(chan, rx_control))
3821
		set_bit(CONN_SEND_FBIT, &chan->conn_state);
3822

3823
	if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3824
		__clear_retrans_timer(chan);
3825
		if (__is_ctrl_poll(chan, rx_control))
3826
			l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3827
		return;
3828
	}
3829

3830
	if (__is_ctrl_poll(chan, rx_control)) {
3831
		l2cap_send_srejtail(chan);
3832 3833 3834 3835
	} else {
		rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
		l2cap_send_sframe(chan, rx_control);
	}
3836 3837
}

3838
static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
3839
{
3840
	BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
3841

3842
	if (__is_ctrl_final(chan, rx_control) &&
3843
			test_bit(CONN_WAIT_F, &chan->conn_state)) {
3844
		__clear_monitor_timer(chan);
3845
		if (chan->unacked_frames > 0)
3846
			__set_retrans_timer(chan);
3847
		clear_bit(CONN_WAIT_F, &chan->conn_state);
3848 3849
	}

3850 3851
	switch (__get_ctrl_super(chan, rx_control)) {
	case L2CAP_SUPER_RR:
3852
		l2cap_data_channel_rrframe(chan, rx_control);
3853 3854
		break;

3855
	case L2CAP_SUPER_REJ:
3856
		l2cap_data_channel_rejframe(chan, rx_control);
3857
		break;
3858

3859
	case L2CAP_SUPER_SREJ:
3860
		l2cap_data_channel_srejframe(chan, rx_control);
3861 3862
		break;

3863
	case L2CAP_SUPER_RNR:
3864
		l2cap_data_channel_rnrframe(chan, rx_control);
3865 3866 3867
		break;
	}

3868
	kfree_skb(skb);
3869 3870 3871
	return 0;
}

3872 3873
static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
{
3874
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3875
	u32 control;
3876
	u16 req_seq;
3877 3878
	int len, next_tx_seq_offset, req_seq_offset;

3879 3880
	control = __get_control(chan, skb->data);
	skb_pull(skb, __ctrl_size(chan));
3881 3882 3883 3884 3885 3886 3887
	len = skb->len;

	/*
	 * We can just drop the corrupted I-frame here.
	 * Receiver will miss it and start proper recovery
	 * procedures and ask retransmission.
	 */
3888
	if (l2cap_check_fcs(chan, skb))
3889 3890
		goto drop;

3891
	if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
3892
		len -= L2CAP_SDULEN_SIZE;
3893

3894
	if (chan->fcs == L2CAP_FCS_CRC16)
3895
		len -= L2CAP_FCS_SIZE;
3896

3897
	if (len > chan->mps) {
3898
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3899 3900 3901
		goto drop;
	}

3902
	req_seq = __get_reqseq(chan, control);
3903

3904 3905 3906 3907
	req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);

	next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
						chan->expected_ack_seq);
3908 3909 3910

	/* check for invalid req-seq */
	if (req_seq_offset > next_tx_seq_offset) {
3911
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3912 3913 3914
		goto drop;
	}

3915
	if (!__is_sframe(chan, control)) {
3916
		if (len < 0) {
3917
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3918 3919 3920
			goto drop;
		}

3921
		l2cap_data_channel_iframe(chan, control, skb);
3922 3923 3924
	} else {
		if (len != 0) {
			BT_ERR("%d", len);
3925
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3926 3927 3928
			goto drop;
		}

3929
		l2cap_data_channel_sframe(chan, control, skb);
3930 3931 3932 3933 3934 3935 3936 3937 3938
	}

	return 0;

drop:
	kfree_skb(skb);
	return 0;
}

L
Linus Torvalds 已提交
3939 3940
static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
{
3941
	struct l2cap_chan *chan;
3942
	struct sock *sk = NULL;
3943
	u32 control;
3944
	u16 tx_seq;
3945
	int len;
L
Linus Torvalds 已提交
3946

3947
	chan = l2cap_get_chan_by_scid(conn, cid);
3948
	if (!chan) {
L
Linus Torvalds 已提交
3949 3950 3951 3952
		BT_DBG("unknown cid 0x%4.4x", cid);
		goto drop;
	}

3953
	sk = chan->sk;
3954

3955
	BT_DBG("chan %p, len %d", chan, skb->len);
L
Linus Torvalds 已提交
3956

3957
	if (chan->state != BT_CONNECTED)
L
Linus Torvalds 已提交
3958 3959
		goto drop;

3960
	switch (chan->mode) {
3961 3962 3963 3964 3965
	case L2CAP_MODE_BASIC:
		/* If socket recv buffers overflows we drop data here
		 * which is *bad* because L2CAP has to be reliable.
		 * But we don't have any other choice. L2CAP doesn't
		 * provide flow control mechanism. */
L
Linus Torvalds 已提交
3966

3967
		if (chan->imtu < skb->len)
3968
			goto drop;
L
Linus Torvalds 已提交
3969

3970
		if (!chan->ops->recv(chan->data, skb))
3971 3972 3973 3974
			goto done;
		break;

	case L2CAP_MODE_ERTM:
3975 3976
		if (!sock_owned_by_user(sk)) {
			l2cap_ertm_data_rcv(sk, skb);
3977
		} else {
3978
			if (sk_add_backlog(sk, skb))
3979 3980
				goto drop;
		}
3981

3982
		goto done;
3983

3984
	case L2CAP_MODE_STREAMING:
3985 3986
		control = __get_control(chan, skb->data);
		skb_pull(skb, __ctrl_size(chan));
3987 3988
		len = skb->len;

3989
		if (l2cap_check_fcs(chan, skb))
3990 3991
			goto drop;

3992
		if (__is_sar_start(chan, control))
3993
			len -= L2CAP_SDULEN_SIZE;
3994

3995
		if (chan->fcs == L2CAP_FCS_CRC16)
3996
			len -= L2CAP_FCS_SIZE;
3997

3998
		if (len > chan->mps || len < 0 || __is_sframe(chan, control))
3999 4000
			goto drop;

4001
		tx_seq = __get_txseq(chan, control);
4002

4003 4004 4005 4006 4007 4008
		if (chan->expected_tx_seq != tx_seq) {
			/* Frame(s) missing - must discard partial SDU */
			kfree_skb(chan->sdu);
			chan->sdu = NULL;
			chan->sdu_last_frag = NULL;
			chan->sdu_len = 0;
4009

4010 4011 4012
			/* TODO: Notify userland of missing data */
		}

4013
		chan->expected_tx_seq = __next_seq(chan, tx_seq);
4014 4015 4016

		if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4017 4018 4019

		goto done;

4020
	default:
4021
		BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
4022 4023
		break;
	}
L
Linus Torvalds 已提交
4024 4025 4026 4027 4028

drop:
	kfree_skb(skb);

done:
4029 4030 4031
	if (sk)
		bh_unlock_sock(sk);

L
Linus Torvalds 已提交
4032 4033 4034
	return 0;
}

4035
static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
L
Linus Torvalds 已提交
4036
{
4037
	struct sock *sk = NULL;
4038
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
4039

4040 4041
	chan = l2cap_global_chan_by_psm(0, psm, conn->src);
	if (!chan)
L
Linus Torvalds 已提交
4042 4043
		goto drop;

4044 4045
	sk = chan->sk;

4046 4047
	bh_lock_sock(sk);

L
Linus Torvalds 已提交
4048 4049
	BT_DBG("sk %p, len %d", sk, skb->len);

4050
	if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
L
Linus Torvalds 已提交
4051 4052
		goto drop;

4053
	if (chan->imtu < skb->len)
L
Linus Torvalds 已提交
4054 4055
		goto drop;

4056
	if (!chan->ops->recv(chan->data, skb))
L
Linus Torvalds 已提交
4057 4058 4059 4060 4061 4062
		goto done;

drop:
	kfree_skb(skb);

done:
4063 4064
	if (sk)
		bh_unlock_sock(sk);
L
Linus Torvalds 已提交
4065 4066 4067
	return 0;
}

4068 4069
static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
{
4070
	struct sock *sk = NULL;
4071
	struct l2cap_chan *chan;
4072

4073 4074
	chan = l2cap_global_chan_by_scid(0, cid, conn->src);
	if (!chan)
4075 4076
		goto drop;

4077 4078
	sk = chan->sk;

4079 4080 4081 4082
	bh_lock_sock(sk);

	BT_DBG("sk %p, len %d", sk, skb->len);

4083
	if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4084 4085
		goto drop;

4086
	if (chan->imtu < skb->len)
4087 4088
		goto drop;

4089
	if (!chan->ops->recv(chan->data, skb))
4090 4091 4092 4093 4094 4095 4096 4097 4098 4099 4100
		goto done;

drop:
	kfree_skb(skb);

done:
	if (sk)
		bh_unlock_sock(sk);
	return 0;
}

L
Linus Torvalds 已提交
4101 4102 4103
static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct l2cap_hdr *lh = (void *) skb->data;
4104 4105
	u16 cid, len;
	__le16 psm;
L
Linus Torvalds 已提交
4106 4107 4108 4109 4110

	skb_pull(skb, L2CAP_HDR_SIZE);
	cid = __le16_to_cpu(lh->cid);
	len = __le16_to_cpu(lh->len);

4111 4112 4113 4114 4115
	if (len != skb->len) {
		kfree_skb(skb);
		return;
	}

L
Linus Torvalds 已提交
4116 4117 4118
	BT_DBG("len %d, cid 0x%4.4x", len, cid);

	switch (cid) {
4119
	case L2CAP_CID_LE_SIGNALING:
4120
	case L2CAP_CID_SIGNALING:
L
Linus Torvalds 已提交
4121 4122 4123
		l2cap_sig_channel(conn, skb);
		break;

4124
	case L2CAP_CID_CONN_LESS:
4125
		psm = get_unaligned_le16(skb->data);
L
Linus Torvalds 已提交
4126 4127 4128 4129
		skb_pull(skb, 2);
		l2cap_conless_channel(conn, psm, skb);
		break;

4130 4131 4132 4133
	case L2CAP_CID_LE_DATA:
		l2cap_att_channel(conn, cid, skb);
		break;

4134 4135 4136 4137 4138
	case L2CAP_CID_SMP:
		if (smp_sig_channel(conn, skb))
			l2cap_conn_del(conn->hcon, EACCES);
		break;

L
Linus Torvalds 已提交
4139 4140 4141 4142 4143 4144 4145 4146 4147 4148 4149
	default:
		l2cap_data_channel(conn, cid, skb);
		break;
	}
}

/* ---- L2CAP interface with lower layer (HCI) ---- */

static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
{
	int exact = 0, lm1 = 0, lm2 = 0;
4150
	struct l2cap_chan *c;
L
Linus Torvalds 已提交
4151 4152

	if (type != ACL_LINK)
4153
		return -EINVAL;
L
Linus Torvalds 已提交
4154 4155 4156 4157

	BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));

	/* Find listening sockets and check their link_mode */
4158 4159 4160
	read_lock(&chan_list_lock);
	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;
4161

4162
		if (c->state != BT_LISTEN)
L
Linus Torvalds 已提交
4163 4164 4165
			continue;

		if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
4166
			lm1 |= HCI_LM_ACCEPT;
4167
			if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4168
				lm1 |= HCI_LM_MASTER;
L
Linus Torvalds 已提交
4169
			exact++;
4170 4171
		} else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
			lm2 |= HCI_LM_ACCEPT;
4172
			if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4173 4174
				lm2 |= HCI_LM_MASTER;
		}
L
Linus Torvalds 已提交
4175
	}
4176
	read_unlock(&chan_list_lock);
L
Linus Torvalds 已提交
4177 4178 4179 4180 4181 4182

	return exact ? lm1 : lm2;
}

static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
{
4183 4184
	struct l2cap_conn *conn;

L
Linus Torvalds 已提交
4185 4186
	BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);

4187
	if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
4188
		return -EINVAL;
L
Linus Torvalds 已提交
4189 4190 4191 4192 4193

	if (!status) {
		conn = l2cap_conn_add(hcon, status);
		if (conn)
			l2cap_conn_ready(conn);
4194
	} else
4195
		l2cap_conn_del(hcon, bt_to_errno(status));
L
Linus Torvalds 已提交
4196 4197 4198 4199

	return 0;
}

4200 4201 4202 4203 4204 4205
static int l2cap_disconn_ind(struct hci_conn *hcon)
{
	struct l2cap_conn *conn = hcon->l2cap_data;

	BT_DBG("hcon %p", hcon);

4206
	if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn)
4207 4208 4209 4210 4211 4212
		return 0x13;

	return conn->disc_reason;
}

static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
L
Linus Torvalds 已提交
4213 4214 4215
{
	BT_DBG("hcon %p reason %d", hcon, reason);

4216
	if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
4217
		return -EINVAL;
L
Linus Torvalds 已提交
4218

4219
	l2cap_conn_del(hcon, bt_to_errno(reason));
4220

L
Linus Torvalds 已提交
4221 4222 4223
	return 0;
}

4224
static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4225
{
4226
	if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
4227 4228
		return;

4229
	if (encrypt == 0x00) {
4230
		if (chan->sec_level == BT_SECURITY_MEDIUM) {
4231 4232
			__clear_chan_timer(chan);
			__set_chan_timer(chan, HZ * 5);
4233
		} else if (chan->sec_level == BT_SECURITY_HIGH)
4234
			l2cap_chan_close(chan, ECONNREFUSED);
4235
	} else {
4236
		if (chan->sec_level == BT_SECURITY_MEDIUM)
4237
			__clear_chan_timer(chan);
4238 4239 4240
	}
}

4241
static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
L
Linus Torvalds 已提交
4242
{
4243
	struct l2cap_conn *conn = hcon->l2cap_data;
4244
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
4245

4246
	if (!conn)
L
Linus Torvalds 已提交
4247
		return 0;
4248

L
Linus Torvalds 已提交
4249 4250
	BT_DBG("conn %p", conn);

4251 4252 4253 4254 4255
	if (hcon->type == LE_LINK) {
		smp_distribute_keys(conn, 0);
		del_timer(&conn->security_timer);
	}

4256
	read_lock(&conn->chan_lock);
L
Linus Torvalds 已提交
4257

4258
	list_for_each_entry(chan, &conn->chan_l, list) {
4259
		struct sock *sk = chan->sk;
4260

L
Linus Torvalds 已提交
4261 4262
		bh_lock_sock(sk);

4263 4264 4265 4266 4267 4268 4269 4270 4271 4272 4273 4274
		BT_DBG("chan->scid %d", chan->scid);

		if (chan->scid == L2CAP_CID_LE_DATA) {
			if (!status && encrypt) {
				chan->sec_level = hcon->sec_level;
				l2cap_chan_ready(sk);
			}

			bh_unlock_sock(sk);
			continue;
		}

4275
		if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4276 4277 4278 4279
			bh_unlock_sock(sk);
			continue;
		}

4280 4281
		if (!status && (chan->state == BT_CONNECTED ||
						chan->state == BT_CONFIG)) {
4282
			l2cap_check_encryption(chan, encrypt);
4283 4284 4285 4286
			bh_unlock_sock(sk);
			continue;
		}

4287
		if (chan->state == BT_CONNECT) {
4288 4289
			if (!status) {
				struct l2cap_conn_req req;
4290 4291
				req.scid = cpu_to_le16(chan->scid);
				req.psm  = chan->psm;
L
Linus Torvalds 已提交
4292

4293
				chan->ident = l2cap_get_ident(conn);
4294
				set_bit(CONF_CONNECT_PEND, &chan->conf_state);
L
Linus Torvalds 已提交
4295

4296
				l2cap_send_cmd(conn, chan->ident,
4297 4298
					L2CAP_CONN_REQ, sizeof(req), &req);
			} else {
4299 4300
				__clear_chan_timer(chan);
				__set_chan_timer(chan, HZ / 10);
4301
			}
4302
		} else if (chan->state == BT_CONNECT2) {
4303
			struct l2cap_conn_rsp rsp;
4304
			__u16 res, stat;
L
Linus Torvalds 已提交
4305

4306
			if (!status) {
4307 4308 4309 4310
				if (bt_sk(sk)->defer_setup) {
					struct sock *parent = bt_sk(sk)->parent;
					res = L2CAP_CR_PEND;
					stat = L2CAP_CS_AUTHOR_PEND;
4311 4312
					if (parent)
						parent->sk_data_ready(parent, 0);
4313
				} else {
4314
					l2cap_state_change(chan, BT_CONFIG);
4315 4316 4317
					res = L2CAP_CR_SUCCESS;
					stat = L2CAP_CS_NO_INFO;
				}
4318
			} else {
4319
				l2cap_state_change(chan, BT_DISCONN);
4320
				__set_chan_timer(chan, HZ / 10);
4321 4322
				res = L2CAP_CR_SEC_BLOCK;
				stat = L2CAP_CS_NO_INFO;
4323 4324
			}

4325 4326
			rsp.scid   = cpu_to_le16(chan->dcid);
			rsp.dcid   = cpu_to_le16(chan->scid);
4327 4328
			rsp.result = cpu_to_le16(res);
			rsp.status = cpu_to_le16(stat);
4329 4330
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
							sizeof(rsp), &rsp);
4331
		}
L
Linus Torvalds 已提交
4332 4333 4334 4335

		bh_unlock_sock(sk);
	}

4336
	read_unlock(&conn->chan_lock);
4337

L
Linus Torvalds 已提交
4338 4339 4340 4341 4342 4343 4344
	return 0;
}

static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
{
	struct l2cap_conn *conn = hcon->l2cap_data;

4345 4346 4347 4348
	if (!conn)
		conn = l2cap_conn_add(hcon, 0);

	if (!conn)
L
Linus Torvalds 已提交
4349 4350 4351 4352
		goto drop;

	BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);

4353
	if (!(flags & ACL_CONT)) {
L
Linus Torvalds 已提交
4354
		struct l2cap_hdr *hdr;
4355
		struct l2cap_chan *chan;
4356
		u16 cid;
L
Linus Torvalds 已提交
4357 4358 4359 4360 4361 4362 4363 4364 4365 4366
		int len;

		if (conn->rx_len) {
			BT_ERR("Unexpected start frame (len %d)", skb->len);
			kfree_skb(conn->rx_skb);
			conn->rx_skb = NULL;
			conn->rx_len = 0;
			l2cap_conn_unreliable(conn, ECOMM);
		}

4367 4368
		/* Start fragment always begin with Basic L2CAP header */
		if (skb->len < L2CAP_HDR_SIZE) {
L
Linus Torvalds 已提交
4369 4370 4371 4372 4373 4374 4375
			BT_ERR("Frame is too short (len %d)", skb->len);
			l2cap_conn_unreliable(conn, ECOMM);
			goto drop;
		}

		hdr = (struct l2cap_hdr *) skb->data;
		len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4376
		cid = __le16_to_cpu(hdr->cid);
L
Linus Torvalds 已提交
4377 4378 4379 4380 4381 4382 4383 4384 4385 4386 4387 4388 4389 4390 4391 4392

		if (len == skb->len) {
			/* Complete frame received */
			l2cap_recv_frame(conn, skb);
			return 0;
		}

		BT_DBG("Start: total len %d, frag len %d", len, skb->len);

		if (skb->len > len) {
			BT_ERR("Frame is too long (len %d, expected len %d)",
				skb->len, len);
			l2cap_conn_unreliable(conn, ECOMM);
			goto drop;
		}

4393
		chan = l2cap_get_chan_by_scid(conn, cid);
4394

4395 4396
		if (chan && chan->sk) {
			struct sock *sk = chan->sk;
4397

4398
			if (chan->imtu < len - L2CAP_HDR_SIZE) {
4399 4400
				BT_ERR("Frame exceeding recv MTU (len %d, "
							"MTU %d)", len,
4401
							chan->imtu);
4402 4403 4404 4405
				bh_unlock_sock(sk);
				l2cap_conn_unreliable(conn, ECOMM);
				goto drop;
			}
4406
			bh_unlock_sock(sk);
4407
		}
4408

L
Linus Torvalds 已提交
4409
		/* Allocate skb for the complete frame (with header) */
4410 4411
		conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
		if (!conn->rx_skb)
L
Linus Torvalds 已提交
4412 4413
			goto drop;

4414
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4415
								skb->len);
L
Linus Torvalds 已提交
4416 4417 4418 4419 4420 4421 4422 4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435
		conn->rx_len = len - skb->len;
	} else {
		BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);

		if (!conn->rx_len) {
			BT_ERR("Unexpected continuation frame (len %d)", skb->len);
			l2cap_conn_unreliable(conn, ECOMM);
			goto drop;
		}

		if (skb->len > conn->rx_len) {
			BT_ERR("Fragment is too long (len %d, expected %d)",
					skb->len, conn->rx_len);
			kfree_skb(conn->rx_skb);
			conn->rx_skb = NULL;
			conn->rx_len = 0;
			l2cap_conn_unreliable(conn, ECOMM);
			goto drop;
		}

4436
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4437
								skb->len);
L
Linus Torvalds 已提交
4438 4439 4440 4441 4442 4443 4444 4445 4446 4447 4448 4449 4450 4451
		conn->rx_len -= skb->len;

		if (!conn->rx_len) {
			/* Complete frame received */
			l2cap_recv_frame(conn, conn->rx_skb);
			conn->rx_skb = NULL;
		}
	}

drop:
	kfree_skb(skb);
	return 0;
}

4452
static int l2cap_debugfs_show(struct seq_file *f, void *p)
L
Linus Torvalds 已提交
4453
{
4454
	struct l2cap_chan *c;
L
Linus Torvalds 已提交
4455

4456
	read_lock_bh(&chan_list_lock);
L
Linus Torvalds 已提交
4457

4458 4459
	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;
4460

4461
		seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4462 4463
					batostr(&bt_sk(sk)->src),
					batostr(&bt_sk(sk)->dst),
4464
					c->state, __le16_to_cpu(c->psm),
4465 4466
					c->scid, c->dcid, c->imtu, c->omtu,
					c->sec_level, c->mode);
4467
}
L
Linus Torvalds 已提交
4468

4469
	read_unlock_bh(&chan_list_lock);
L
Linus Torvalds 已提交
4470

4471
	return 0;
L
Linus Torvalds 已提交
4472 4473
}

4474 4475 4476 4477 4478 4479 4480 4481 4482 4483 4484 4485 4486
static int l2cap_debugfs_open(struct inode *inode, struct file *file)
{
	return single_open(file, l2cap_debugfs_show, inode->i_private);
}

static const struct file_operations l2cap_debugfs_fops = {
	.open		= l2cap_debugfs_open,
	.read		= seq_read,
	.llseek		= seq_lseek,
	.release	= single_release,
};

static struct dentry *l2cap_debugfs;
L
Linus Torvalds 已提交
4487 4488 4489 4490 4491 4492 4493

static struct hci_proto l2cap_hci_proto = {
	.name		= "L2CAP",
	.id		= HCI_PROTO_L2CAP,
	.connect_ind	= l2cap_connect_ind,
	.connect_cfm	= l2cap_connect_cfm,
	.disconn_ind	= l2cap_disconn_ind,
4494
	.disconn_cfm	= l2cap_disconn_cfm,
4495
	.security_cfm	= l2cap_security_cfm,
L
Linus Torvalds 已提交
4496 4497 4498
	.recv_acldata	= l2cap_recv_acldata
};

4499
int __init l2cap_init(void)
L
Linus Torvalds 已提交
4500 4501
{
	int err;
4502

4503
	err = l2cap_init_sockets();
L
Linus Torvalds 已提交
4504 4505 4506 4507 4508 4509 4510 4511 4512 4513
	if (err < 0)
		return err;

	err = hci_register_proto(&l2cap_hci_proto);
	if (err < 0) {
		BT_ERR("L2CAP protocol registration failed");
		bt_sock_unregister(BTPROTO_L2CAP);
		goto error;
	}

4514 4515 4516 4517 4518 4519
	if (bt_debugfs) {
		l2cap_debugfs = debugfs_create_file("l2cap", 0444,
					bt_debugfs, NULL, &l2cap_debugfs_fops);
		if (!l2cap_debugfs)
			BT_ERR("Failed to create L2CAP debug file");
	}
L
Linus Torvalds 已提交
4520 4521 4522 4523

	return 0;

error:
4524
	l2cap_cleanup_sockets();
L
Linus Torvalds 已提交
4525 4526 4527
	return err;
}

4528
void l2cap_exit(void)
L
Linus Torvalds 已提交
4529
{
4530
	debugfs_remove(l2cap_debugfs);
L
Linus Torvalds 已提交
4531 4532 4533 4534

	if (hci_unregister_proto(&l2cap_hci_proto) < 0)
		BT_ERR("L2CAP protocol unregistration failed");

4535
	l2cap_cleanup_sockets();
L
Linus Torvalds 已提交
4536 4537
}

4538 4539
module_param(disable_ertm, bool, 0644);
MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
4540 4541 4542

module_param(enable_hs, bool, 0644);
MODULE_PARM_DESC(enable_hs, "Enable High Speed");