/*
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2000-2001 Qualcomm Incorporated
   Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
   Copyright (C) 2010 Google Inc.
   Copyright (C) 2011 ProFUSION Embedded Systems
   Copyright (c) 2012 Code Aurora Forum.  All rights reserved.

   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

/* Bluetooth L2CAP core. */

#include <linux/module.h>

#include <linux/types.h>
#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/poll.h>
#include <linux/fcntl.h>
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/socket.h>
#include <linux/skbuff.h>
#include <linux/list.h>
#include <linux/device.h>
#include <linux/debugfs.h>
#include <linux/seq_file.h>
#include <linux/uaccess.h>
#include <linux/crc16.h>
#include <net/sock.h>

#include <asm/unaligned.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include <net/bluetooth/smp.h>

/* When set, l2cap_mode_supported() below reports ERTM and streaming mode
 * as unsupported. Non-static, so presumably set from outside this file
 * (e.g. a module parameter) -- confirm against the rest of the module. */
bool disable_ertm;

/* Local feature mask: only fixed channels are advertised statically;
 * l2cap_mode_supported() ORs in ERTM/streaming unless disable_ertm. */
static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
/* Fixed channel bitmap; only the L2CAP signalling channel bit is set. */
static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };

/* Every channel in the system, linked through l2cap_chan->global_l.
 * Protected by chan_list_lock: write side for add/remove/PSM assignment,
 * read side for lookups (see l2cap_global_chan_by_scid). */
static LIST_HEAD(chan_list);
static DEFINE_RWLOCK(chan_list_lock);

/* Forward declarations for helpers defined further down in this file. */
static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
				u8 code, u8 ident, u16 dlen, void *data);
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
								void *data);
static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
static void l2cap_send_disconn_req(struct l2cap_conn *conn,
				   struct l2cap_chan *chan, int err);

/* ---- L2CAP channels ---- */

/* Look up the channel on @conn whose destination CID (the peer's CID)
 * equals @cid. Walks conn->chan_l without taking any lock itself; the
 * "__" prefix follows the convention seen in l2cap_get_chan_by_scid(),
 * where the caller holds conn->chan_lock.
 * Returns the channel or NULL when no channel matches. */
static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
{
	struct l2cap_chan *chan;

	list_for_each_entry(chan, &conn->chan_l, list)
		if (chan->dcid == cid)
			return chan;

	return NULL;
}

/* Look up the channel on @conn whose source CID (our local CID) equals
 * @cid. No locking here; l2cap_get_chan_by_scid() is the wrapper that
 * takes conn->chan_lock around this walk.
 * Returns the channel or NULL when no channel matches. */
static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
{
	struct l2cap_chan *chan;

	list_for_each_entry(chan, &conn->chan_l, list)
		if (chan->scid == cid)
			return chan;

	return NULL;
}

/* Find channel with given SCID.
 * Returns locked channel: on a non-NULL return the caller owns the
 * channel lock (l2cap_chan_lock) and must drop it with
 * l2cap_chan_unlock(). conn->chan_lock is held only for the lookup and
 * the lock acquisition, so the channel cannot disappear in between. */
static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
{
	struct l2cap_chan *c;

	mutex_lock(&conn->chan_lock);
	c = __l2cap_get_chan_by_scid(conn, cid);
	if (c)
		l2cap_chan_lock(c);
	mutex_unlock(&conn->chan_lock);

	return c;
}

/* Look up the channel on @conn whose pending signalling identifier is
 * @ident. Identifiers are handed out by l2cap_get_ident() and wrap
 * within 1..128, so a match only identifies the most recent request
 * that used @ident. No locking here (see the "__" convention in
 * l2cap_get_chan_by_scid()).
 * Returns the channel or NULL when no channel matches. */
static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
{
	struct l2cap_chan *chan;

	list_for_each_entry(chan, &conn->chan_l, list)
		if (chan->ident == ident)
			return chan;

	return NULL;
}

/* Find a channel in the global list bound to source PSM @psm on local
 * address @src. Used by l2cap_add_psm() to detect PSM collisions; the
 * caller must hold chan_list_lock.
 * Returns the first matching channel or NULL. */
static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
{
	struct l2cap_chan *chan;

	list_for_each_entry(chan, &chan_list, global_l) {
		if (chan->sport != psm)
			continue;
		if (bacmp(&bt_sk(chan->sk)->src, src) == 0)
			return chan;
	}

	return NULL;
}

/* Bind @chan to a PSM on local address @src.
 *
 * A non-zero @psm is taken as-is and rejected with -EADDRINUSE if another
 * channel already uses it on @src. A zero @psm requests a dynamic PSM:
 * the odd values 0x1001..0x10FF are scanned and the first free one is
 * assigned; -EINVAL is returned if none is free.
 * Returns 0 on success. Both chan->psm and chan->sport are set.
 * Takes chan_list_lock for writing for the whole scan so that two
 * concurrent binds cannot pick the same PSM. */
int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
{
	int err = -EINVAL;

	write_lock(&chan_list_lock);

	if (psm) {
		if (__l2cap_global_chan_by_addr(psm, src)) {
			err = -EADDRINUSE;
		} else {
			chan->psm = psm;
			chan->sport = psm;
			err = 0;
		}
	} else {
		u16 p;

		for (p = 0x1001; p < 0x1100; p += 2) {
			__le16 candidate = cpu_to_le16(p);

			if (__l2cap_global_chan_by_addr(candidate, src))
				continue;

			chan->psm   = candidate;
			chan->sport = candidate;
			err = 0;
			break;
		}
	}

	write_unlock(&chan_list_lock);
	return err;
}

/* Assign source CID @scid to @chan under chan_list_lock.
 * No collision check is performed here; always returns 0. */
int l2cap_add_scid(struct l2cap_chan *chan,  __u16 scid)
{
	write_lock(&chan_list_lock);
	chan->scid = scid;
	write_unlock(&chan_list_lock);

	return 0;
}

/* Pick the lowest unused dynamic source CID on @conn, scanning
 * [L2CAP_CID_DYN_START, L2CAP_CID_DYN_END). Each candidate is checked
 * with a full walk of conn->chan_l, so this is O(channels * range).
 * Returns 0 when the whole range is in use; callers must treat 0 as
 * "no CID available". Expects the caller to hold conn->chan_lock. */
static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
{
	u16 cid = L2CAP_CID_DYN_START;

	while (cid < L2CAP_CID_DYN_END) {
		if (__l2cap_get_chan_by_scid(conn, cid) == NULL)
			return cid;
		cid++;
	}

	return 0;
}

/* Move @chan to @state and notify the owner through ops->state_change.
 * No locking is done here; l2cap_state_change() is the variant that
 * takes the socket lock first. */
static void __l2cap_state_change(struct l2cap_chan *chan, int state)
{
	BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
						state_to_string(state));

	chan->state = state;
	chan->ops->state_change(chan->data, state);
}

/* Socket-locked wrapper around __l2cap_state_change(). */
static void l2cap_state_change(struct l2cap_chan *chan, int state)
{
	struct sock *sk = chan->sk;

	lock_sock(sk);
	__l2cap_state_change(chan, state);
	release_sock(sk);
}

/* Record @err as the pending socket error of @chan's socket.
 * Caller holds the socket lock (see l2cap_chan_set_err()). */
static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
{
	chan->sk->sk_err = err;
}

/* Socket-locked wrapper around __l2cap_chan_set_err(). */
static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
{
	struct sock *sk = chan->sk;

	lock_sock(sk);
	__l2cap_chan_set_err(chan, err);
	release_sock(sk);
}

/* ---- L2CAP sequence number lists ---- */

/* For ERTM, ordered lists of sequence numbers must be tracked for
 * SREJ requests that are received and for frames that are to be
 * retransmitted. These seq_list functions implement a singly-linked
 * list in an array, where membership in the list can also be checked
 * in constant time. Items can also be added to the tail of the list
 * and removed from the head in constant time, without further memory
 * allocs or frees.
 */

/* Allocate and empty a sequence list able to hold @size entries.
 *
 * The backing array is rounded up to a power of two so that a sequence
 * number (up to 14 bits) maps to a slot with "seq & mask". Every slot
 * starts as L2CAP_SEQ_LIST_CLEAR and head/tail mark the list empty.
 * Returns 0, or -ENOMEM if the array cannot be allocated.
 * NOTE(review): a @size of 0 is passed straight to roundup_pow_of_two();
 * confirm callers never do that. */
static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
{
	size_t alloc_size = roundup_pow_of_two(size);
	size_t slot;

	seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
	if (seq_list->list == NULL)
		return -ENOMEM;

	seq_list->mask = alloc_size - 1;
	seq_list->head = L2CAP_SEQ_LIST_CLEAR;
	seq_list->tail = L2CAP_SEQ_LIST_CLEAR;

	for (slot = 0; slot < alloc_size; slot++)
		seq_list->list[slot] = L2CAP_SEQ_LIST_CLEAR;

	return 0;
}

/* Release the array allocated by l2cap_seq_list_init(). The pointer is
 * left dangling, so the list must not be used again without re-init. */
static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
{
	kfree(seq_list->list);
}

/* Constant-time membership test: a slot that is not CLEAR holds either
 * the next sequence number or L2CAP_SEQ_LIST_TAIL, so it is in the list.
 * Sequence numbers that differ by a multiple of (mask + 1) share a slot;
 * presumably the negotiated window keeps them apart -- confirm. */
static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
					   u16 seq)
{
	u16 slot = seq & seq_list->mask;

	return seq_list->list[slot] != L2CAP_SEQ_LIST_CLEAR;
}

/* Remove @seq from the list, if present.
 * Returns @seq on success, or L2CAP_SEQ_LIST_CLEAR if the list is empty
 * or @seq is not linked. Removing the head is O(1); any other element
 * requires walking the singly-linked chain from the head. */
static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
{
	u16 mask = seq_list->mask;

	if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
		/* In case someone tries to pop the head of an empty list */
		return L2CAP_SEQ_LIST_CLEAR;
	} else if (seq_list->head == seq) {
		/* Head can be removed in constant time */
		seq_list->head = seq_list->list[seq & mask];
		seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;

		/* The removed head was also the tail: list is now empty */
		if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
			seq_list->head = L2CAP_SEQ_LIST_CLEAR;
			seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
		}
	} else {
		/* Walk the list to find the sequence number */
		u16 prev = seq_list->head;
		while (seq_list->list[prev & mask] != seq) {
			prev = seq_list->list[prev & mask];
			/* Reached the tail marker without finding @seq */
			if (prev == L2CAP_SEQ_LIST_TAIL)
				return L2CAP_SEQ_LIST_CLEAR;
		}

		/* Unlink the number from the list and clear it */
		seq_list->list[prev & mask] = seq_list->list[seq & mask];
		seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
		if (seq_list->tail == seq)
			seq_list->tail = prev;
	}
	return seq;
}

/* Detach and return the head of the list in constant time.
 * Returns L2CAP_SEQ_LIST_CLEAR when the list is empty (the head slot
 * itself is CLEAR then, and l2cap_seq_list_remove() reports it). */
static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
{
	u16 head = seq_list->head;

	return l2cap_seq_list_remove(seq_list, head);
}

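/* Empty the list: reset every slot and the head/tail markers.
 * No-op when the list is already empty. */
static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
{
	size_t i;

	if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
		return;

	/* size_t index on purpose: with a u16 index and mask == 0xFFFF the
	 * condition "i <= mask" could never become false (i wraps to 0) and
	 * the loop would not terminate. l2cap_seq_list_init() already uses
	 * size_t for the same walk. */
	for (i = 0; i <= seq_list->mask; i++)
		seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;

	seq_list->head = L2CAP_SEQ_LIST_CLEAR;
	seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
}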

/* Append @seq to the tail of the list in constant time.
 * A sequence number whose slot is already occupied is ignored, so a
 * value is never linked twice (which would corrupt the chain). The new
 * tail slot holds L2CAP_SEQ_LIST_TAIL as the end marker. */
static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
{
	u16 mask = seq_list->mask;
	u16 slot = seq & mask;

	/* Already a member: nothing to do */
	if (seq_list->list[slot] != L2CAP_SEQ_LIST_CLEAR)
		return;

	if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR) {
		/* Empty list: @seq becomes the head as well */
		seq_list->head = seq;
	} else {
		/* Link the old tail to @seq */
		seq_list->list[seq_list->tail & mask] = seq;
	}

	seq_list->tail = seq;
	seq_list->list[slot] = L2CAP_SEQ_LIST_TAIL;
}

/* Delayed-work handler for chan->chan_timer (armed with __set_chan_timer).
 * Derives a close reason from the channel state, closes the channel and
 * drops the reference associated with the timer.
 *
 * NOTE(review): chan->conn is dereferenced unconditionally. l2cap_chan_del()
 * clears chan->conn after __clear_chan_timer(), so this relies on the
 * timer always being cancelled before the channel is detached -- confirm
 * for every path that clears chan->conn. */
static void l2cap_chan_timeout(struct work_struct *work)
{
	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
							chan_timer.work);
	struct l2cap_conn *conn = chan->conn;
	int reason;

	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));

	/* Lock order: conn->chan_lock, then the channel lock (same order as
	 * l2cap_chan_add() and l2cap_conn_start()). */
	mutex_lock(&conn->chan_lock);
	l2cap_chan_lock(chan);

	/* Timing out while connected/configuring, or while connecting above
	 * SDP security level, is reported as ECONNREFUSED; anything else as
	 * ETIMEDOUT. */
	if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
		reason = ECONNREFUSED;
	else if (chan->state == BT_CONNECT &&
					chan->sec_level != BT_SECURITY_SDP)
		reason = ECONNREFUSED;
	else
		reason = ETIMEDOUT;

	l2cap_chan_close(chan, reason);

	l2cap_chan_unlock(chan);

	/* The owner's close callback runs without the channel lock but still
	 * under conn->chan_lock. */
	chan->ops->close(chan->data);
	mutex_unlock(&conn->chan_lock);

	/* Presumably balances a reference taken when the timer was armed --
	 * verify against __set_chan_timer. */
	l2cap_chan_put(chan);
}

/* Allocate a new channel in state BT_OPEN with one reference held by the
 * caller, and link it into the global channel list.
 * Returns NULL if the allocation fails. The caller releases the channel
 * with l2cap_chan_destroy(). */
struct l2cap_chan *l2cap_chan_create(void)
{
	struct l2cap_chan *chan;

	/* GFP_ATOMIC: presumably callable from non-sleeping context -- confirm */
	chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
	if (!chan)
		return NULL;

	mutex_init(&chan->lock);

	/* Visible to global lookups from here on, before state and refcount
	 * are set below (kzalloc leaves them zero until then). */
	write_lock(&chan_list_lock);
	list_add(&chan->global_l, &chan_list);
	write_unlock(&chan_list_lock);

	INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);

	chan->state = BT_OPEN;

	atomic_set(&chan->refcnt, 1);

	BT_DBG("chan %p", chan);

	return chan;
}

/* Unlink @chan from the global channel list and drop the creator's
 * reference from l2cap_chan_create(). The memory is only freed once the
 * refcount reaches zero, so other holders (e.g. a connection) keep it
 * alive. */
void l2cap_chan_destroy(struct l2cap_chan *chan)
{
	write_lock(&chan_list_lock);
	list_del(&chan->global_l);
	write_unlock(&chan_list_lock);

	l2cap_chan_put(chan);
}

/* Initialise a freshly created channel with the default ERTM parameters,
 * the lowest security level and the force-active flag. */
void l2cap_chan_set_defaults(struct l2cap_chan *chan)
{
	/* Transmit window and retransmission limits */
	chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
	chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
	chan->max_tx = L2CAP_DEFAULT_MAX_TX;

	/* Frame check sequence and security defaults */
	chan->fcs  = L2CAP_FCS_CRC16;
	chan->sec_level = BT_SECURITY_LOW;

	set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
}

/* Attach @chan to @conn: choose its CIDs and default MTU/QoS values
 * according to the channel type and link type, take a reference and
 * link it into conn->chan_l. Caller holds conn->chan_lock (see
 * l2cap_chan_add()).
 *
 * NOTE(review): for ACL connection-oriented channels l2cap_alloc_cid()
 * returns 0 when the dynamic CID range is exhausted and that value is
 * stored unchecked -- confirm that callers reject a zero scid. */
static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
{
	BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
	       __le16_to_cpu(chan->psm), chan->dcid);

	/* Default disconnect reason, overwritten later if something fails */
	conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;

	chan->conn = conn;

	switch (chan->chan_type) {
	case L2CAP_CHAN_CONN_ORIENTED:
		if (conn->hcon->type == LE_LINK) {
			/* LE connection: fixed LE data CID in both directions */
			chan->omtu = L2CAP_LE_DEFAULT_MTU;
			chan->scid = L2CAP_CID_LE_DATA;
			chan->dcid = L2CAP_CID_LE_DATA;
		} else {
			/* Alloc CID for connection-oriented socket */
			chan->scid = l2cap_alloc_cid(conn);
			chan->omtu = L2CAP_DEFAULT_MTU;
		}
		break;

	case L2CAP_CHAN_CONN_LESS:
		/* Connectionless socket */
		chan->scid = L2CAP_CID_CONN_LESS;
		chan->dcid = L2CAP_CID_CONN_LESS;
		chan->omtu = L2CAP_DEFAULT_MTU;
		break;

	default:
		/* Raw socket can send/recv signalling messages only */
		chan->scid = L2CAP_CID_SIGNALING;
		chan->dcid = L2CAP_CID_SIGNALING;
		chan->omtu = L2CAP_DEFAULT_MTU;
	}

	/* Local QoS defaults (best-effort) */
	chan->local_id		= L2CAP_BESTEFFORT_ID;
	chan->local_stype	= L2CAP_SERV_BESTEFFORT;
	chan->local_msdu	= L2CAP_DEFAULT_MAX_SDU_SIZE;
	chan->local_sdu_itime	= L2CAP_DEFAULT_SDU_ITIME;
	chan->local_acc_lat	= L2CAP_DEFAULT_ACC_LAT;
	chan->local_flush_to	= L2CAP_DEFAULT_FLUSH_TO;

	/* Reference owned by the connection; dropped in l2cap_chan_del() */
	l2cap_chan_hold(chan);

	list_add(&chan->list, &conn->chan_l);
}

/* Locked wrapper around __l2cap_chan_add(): takes conn->chan_lock for the
 * duration of the attach. */
static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
{
	mutex_lock(&conn->chan_lock);
	__l2cap_chan_add(conn, chan);
	mutex_unlock(&conn->chan_lock);
}

/* Detach @chan from its connection and move it to BT_CLOSED.
 *
 * Cancels the channel timer, unlinks the channel from conn->chan_l
 * (dropping the connection's reference and the hci_conn reference),
 * marks the socket zapped, records @err as the socket error when it is
 * non-zero, and wakes either the listening parent or the socket itself.
 * If configuration had completed in both directions the transmit state
 * (queues, ERTM timers, SREJ bookkeeping, seq lists) is torn down too.
 * Caller is expected to hold the channel lock and, when conn is set,
 * conn->chan_lock -- presumed from the list_del(); confirm. */
static void l2cap_chan_del(struct l2cap_chan *chan, int err)
{
	struct sock *sk = chan->sk;
	struct l2cap_conn *conn = chan->conn;
	struct sock *parent = bt_sk(sk)->parent;

	__clear_chan_timer(chan);

	BT_DBG("chan %p, conn %p, err %d", chan, conn, err);

	if (conn) {
		/* Delete from channel list */
		list_del(&chan->list);

		/* Drops the reference taken in __l2cap_chan_add() */
		l2cap_chan_put(chan);

		chan->conn = NULL;
		hci_conn_put(conn->hcon);
	}

	lock_sock(sk);

	__l2cap_state_change(chan, BT_CLOSED);
	sock_set_flag(sk, SOCK_ZAPPED);

	if (err)
		__l2cap_chan_set_err(chan, err);

	/* A not-yet-accepted child is removed from the parent's accept queue
	 * and the parent is woken; otherwise the socket itself is woken. */
	if (parent) {
		bt_accept_unlink(sk);
		parent->sk_data_ready(parent, 0);
	} else
		sk->sk_state_change(sk);

	release_sock(sk);

	/* Nothing below was ever set up unless configuration completed */
	if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
			test_bit(CONF_INPUT_DONE, &chan->conf_state)))
		return;

	skb_queue_purge(&chan->tx_q);

	if (chan->mode == L2CAP_MODE_ERTM) {
		struct srej_list *l, *tmp;

		__clear_retrans_timer(chan);
		__clear_monitor_timer(chan);
		__clear_ack_timer(chan);

		skb_queue_purge(&chan->srej_q);

		l2cap_seq_list_free(&chan->srej_list);
		l2cap_seq_list_free(&chan->retrans_list);
		list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
			list_del(&l->list);
			kfree(l);
		}
	}
}

/* Close every connection still queued on listening socket @parent that
 * has not been accepted yet. Each child is closed with ECONNRESET under
 * its own channel lock and then handed to ops->close. Called from
 * l2cap_chan_close() with the parent socket locked. */
static void l2cap_chan_cleanup_listen(struct sock *parent)
{
	struct sock *sk;

	BT_DBG("parent %p", parent);

	/* Close not yet accepted channels */
	while ((sk = bt_accept_dequeue(parent, NULL))) {
		struct l2cap_chan *chan = l2cap_pi(sk)->chan;

		l2cap_chan_lock(chan);
		__clear_chan_timer(chan);
		l2cap_chan_close(chan, ECONNRESET);
		l2cap_chan_unlock(chan);

		chan->ops->close(chan->data);
	}
}

/* Close @chan with error @reason, driving the state machine according to
 * the current state:
 *  - BT_LISTEN: tear down pending accepts and zap the socket.
 *  - BT_CONNECTED/BT_CONFIG on an ACL connection-oriented channel: send
 *    a Disconnect Request and wait for the response under the channel
 *    timer; otherwise detach immediately.
 *  - BT_CONNECT2 on an ACL connection-oriented channel: answer the
 *    pending Connect Request with a rejection, then detach.
 *  - BT_CONNECT/BT_DISCONN: detach.
 *  - anything else: just zap the socket.
 * Caller holds the channel lock. conn->hcon is dereferenced in the
 * connected/configuring/connect2 states, so conn must be set there --
 * presumed true for those states; confirm. */
void l2cap_chan_close(struct l2cap_chan *chan, int reason)
{
	struct l2cap_conn *conn = chan->conn;
	struct sock *sk = chan->sk;

	BT_DBG("chan %p state %s sk %p", chan,
					state_to_string(chan->state), sk);

	switch (chan->state) {
	case BT_LISTEN:
		lock_sock(sk);
		l2cap_chan_cleanup_listen(sk);

		__l2cap_state_change(chan, BT_CLOSED);
		sock_set_flag(sk, SOCK_ZAPPED);
		release_sock(sk);
		break;

	case BT_CONNECTED:
	case BT_CONFIG:
		if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
					conn->hcon->type == ACL_LINK) {
			/* Bound the wait for the Disconnect Response */
			__set_chan_timer(chan, sk->sk_sndtimeo);
			l2cap_send_disconn_req(conn, chan, reason);
		} else
			l2cap_chan_del(chan, reason);
		break;

	case BT_CONNECT2:
		if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
					conn->hcon->type == ACL_LINK) {
			struct l2cap_conn_rsp rsp;
			__u16 result;

			/* A deferred-setup socket that is closed before accept
			 * reports a security block; otherwise the PSM is
			 * reported as unknown. */
			if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
				result = L2CAP_CR_SEC_BLOCK;
			else
				result = L2CAP_CR_BAD_PSM;
			l2cap_state_change(chan, BT_DISCONN);

			/* The peer sees our CIDs mirrored: its scid is our dcid */
			rsp.scid   = cpu_to_le16(chan->dcid);
			rsp.dcid   = cpu_to_le16(chan->scid);
			rsp.result = cpu_to_le16(result);
			rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
							sizeof(rsp), &rsp);
		}

		l2cap_chan_del(chan, reason);
		break;

	case BT_CONNECT:
	case BT_DISCONN:
		l2cap_chan_del(chan, reason);
		break;

	default:
		lock_sock(sk);
		sock_set_flag(sk, SOCK_ZAPPED);
		release_sock(sk);
		break;
	}
}

/* Map the channel type and requested security level to an HCI
 * authentication requirement.
 *
 * Raw channels ask for dedicated bonding, ordinary channels for general
 * bonding, each with MITM protection at BT_SECURITY_HIGH and none at all
 * below BT_SECURITY_MEDIUM. PSM 0x0001 (the SDP channel, which is why
 * BT_SECURITY_SDP exists) never bonds; as a side effect a BT_SECURITY_LOW
 * request on that PSM is upgraded to BT_SECURITY_SDP on the channel. */
static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
{
	u8 with_mitm, without_mitm;

	if (chan->chan_type == L2CAP_CHAN_RAW) {
		with_mitm = HCI_AT_DEDICATED_BONDING_MITM;
		without_mitm = HCI_AT_DEDICATED_BONDING;
	} else if (chan->psm == cpu_to_le16(0x0001)) {
		if (chan->sec_level == BT_SECURITY_LOW)
			chan->sec_level = BT_SECURITY_SDP;

		if (chan->sec_level == BT_SECURITY_HIGH)
			return HCI_AT_NO_BONDING_MITM;
		return HCI_AT_NO_BONDING;
	} else {
		with_mitm = HCI_AT_GENERAL_BONDING_MITM;
		without_mitm = HCI_AT_GENERAL_BONDING;
	}

	switch (chan->sec_level) {
	case BT_SECURITY_HIGH:
		return with_mitm;
	case BT_SECURITY_MEDIUM:
		return without_mitm;
	default:
		return HCI_AT_NO_BONDING;
	}
}

/* Service level security: ask the HCI layer whether the link already
 * satisfies @chan's security level, or to start raising it.
 * Returns whatever hci_conn_security() returns (non-zero when the link
 * is already secure enough). Note that l2cap_get_auth_type() may upgrade
 * chan->sec_level for the SDP PSM, so it runs before sec_level is read. */
int l2cap_chan_check_security(struct l2cap_chan *chan)
{
	__u8 auth_type = l2cap_get_auth_type(chan);
	struct hci_conn *hcon = chan->conn->hcon;

	return hci_conn_security(hcon, chan->sec_level, auth_type);
}

/* Allocate the next signalling identifier for a request on @conn.
 * Returns a value in 1..128 under conn->lock.
 * NOTE(review): the counter simply wraps; nothing checks that an
 * identifier is not still pending on another channel, so after 128
 * outstanding requests a response could be matched against the wrong
 * channel by __l2cap_get_chan_by_ident() -- confirm request lifetimes
 * make this unreachable. */
static u8 l2cap_get_ident(struct l2cap_conn *conn)
{
	u8 id;

	/* Get next available identificator.
	 *    1 - 128 are used by kernel.
	 *  129 - 199 are reserved.
	 *  200 - 254 are used by utilities like l2ping, etc.
	 */

	spin_lock(&conn->lock);

	if (++conn->tx_ident > 128)
		conn->tx_ident = 1;

	id = conn->tx_ident;

	spin_unlock(&conn->lock);

	return id;
}

/* Build a signalling command (@code, @ident, @len bytes of @data) and
 * queue it on the ACL link at maximum priority. Allocation failure in
 * l2cap_build_cmd() silently drops the command; callers get no error. */
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
{
	struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
	u8 flags;

	BT_DBG("code 0x%2.2x", code);

	if (skb == NULL)
		return;

	/* Signalling is never flushable when the controller supports it */
	flags = lmp_no_flush_capable(conn->hcon->hdev) ? ACL_START_NO_FLUSH
						       : ACL_START;

	bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
	skb->priority = HCI_PRIO_MAX;

	hci_send_acl(conn->hchan, skb, flags);
}

/* Hand a fully built data frame @skb for @chan to the HCI layer.
 * The frame is sent non-flushable unless the channel is marked
 * FLAG_FLUSHABLE or the controller cannot do non-flushable packets;
 * force_active follows the channel's FLAG_FORCE_ACTIVE. */
static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
{
	struct hci_conn *hcon = chan->conn->hcon;
	bool no_flush;
	u16 flags;

	BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
							skb->priority);

	no_flush = !test_bit(FLAG_FLUSHABLE, &chan->flags) &&
		   lmp_no_flush_capable(hcon->hdev);
	flags = no_flush ? ACL_START_NO_FLUSH : ACL_START;

	bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
	hci_send_acl(chan->conn->hchan, skb, flags);
}

/* Decode a 16-bit enhanced control field @enh into @control.
 * Fields that do not exist for the frame type (poll/super on I-frames,
 * sar/txseq on S-frames) are explicitly zeroed so no stale value from a
 * previous frame survives in the per-skb control block. */
static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
{
	bool sframe = (enh & L2CAP_CTRL_FRAME_TYPE) != 0;

	control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
	control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
	control->sframe = sframe;

	/* S-frame only */
	control->poll = sframe ?
		(enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT : 0;
	control->super = sframe ?
		(enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT : 0;

	/* I-frame only */
	control->sar = sframe ?
		0 : (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
	control->txseq = sframe ?
		0 : (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
}

/* Decode a 32-bit extended control field @ext into @control.
 * Same layout rules as __unpack_enhanced_control(), with the extended
 * masks/shifts; unused fields for the frame type are zeroed. */
static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
{
	bool sframe = (ext & L2CAP_EXT_CTRL_FRAME_TYPE) != 0;

	control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
	control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
	control->sframe = sframe;

	/* S-frame only */
	control->poll = sframe ?
		(ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT : 0;
	control->super = sframe ?
		(ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT : 0;

	/* I-frame only */
	control->sar = sframe ?
		0 : (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
	control->txseq = sframe ?
		0 : (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
}

/* Decode the control field at the start of @skb's data into the skb's
 * control block, using the extended (32-bit) or enhanced (16-bit) layout
 * depending on the channel's FLAG_EXT_CTRL. The reads are unaligned-safe.
 * Callers must have verified that skb->data holds at least the control
 * field -- not checked here. */
static inline void __unpack_control(struct l2cap_chan *chan,
				    struct sk_buff *skb)
{
	struct l2cap_ctrl *control = &bt_cb(skb)->control;
	bool extended = test_bit(FLAG_EXT_CTRL, &chan->flags);

	if (extended)
		__unpack_extended_control(get_unaligned_le32(skb->data), control);
	else
		__unpack_enhanced_control(get_unaligned_le16(skb->data), control);
}

/* Encode @control as a 32-bit extended control field.
 * reqseq and final are always present; S-frames add the frame-type bit,
 * poll and supervisory function, I-frames add SAR and txseq. */
static u32 __pack_extended_control(struct l2cap_ctrl *control)
{
	u32 packed = (control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT) |
		     (control->final << L2CAP_EXT_CTRL_FINAL_SHIFT);

	if (control->sframe)
		packed |= L2CAP_EXT_CTRL_FRAME_TYPE |
			  (control->poll << L2CAP_EXT_CTRL_POLL_SHIFT) |
			  (control->super << L2CAP_EXT_CTRL_SUPER_SHIFT);
	else
		packed |= (control->sar << L2CAP_EXT_CTRL_SAR_SHIFT) |
			  (control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT);

	return packed;
}

/* Encode @control as a 16-bit enhanced control field; the enhanced
 * counterpart of __pack_extended_control(). */
static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
{
	u16 packed = (control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT) |
		     (control->final << L2CAP_CTRL_FINAL_SHIFT);

	if (control->sframe)
		packed |= L2CAP_CTRL_FRAME_TYPE |
			  (control->poll << L2CAP_CTRL_POLL_SHIFT) |
			  (control->super << L2CAP_CTRL_SUPER_SHIFT);
	else
		packed |= (control->sar << L2CAP_CTRL_SAR_SHIFT) |
			  (control->txseq << L2CAP_CTRL_TXSEQ_SHIFT);

	return packed;
}

/* Write @control into @skb directly after the basic L2CAP header, in the
 * extended or enhanced layout selected by the channel's FLAG_EXT_CTRL.
 * The skb must already have room for the control field at that offset. */
static inline void __pack_control(struct l2cap_chan *chan,
				  struct l2cap_ctrl *control,
				  struct sk_buff *skb)
{
	void *dst = skb->data + L2CAP_HDR_SIZE;

	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
		put_unaligned_le32(__pack_extended_control(control), dst);
	else
		put_unaligned_le16(__pack_enhanced_control(control), dst);
}

/* Build and send an ERTM supervisory frame carrying @control on @chan.
 * Only sends while the channel is BT_CONNECTED. The final and poll bits
 * are ORed in if the corresponding CONN_SEND_FBIT / CONN_SEND_PBIT flags
 * are pending, and those flags are consumed here even if the allocation
 * below fails, so a lost S-frame also loses its F/P bit.
 *
 * NOTE(review): count is clamped to conn->mtu but the header, control
 * field and FCS are appended unconditionally; if conn->mtu were ever
 * smaller than hlen the skb_put() calls would overrun the allocation.
 * Presumably the minimum MTU guarantees this cannot happen -- confirm. */
static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
{
	struct sk_buff *skb;
	struct l2cap_hdr *lh;
	struct l2cap_conn *conn = chan->conn;
	int count, hlen;

	if (chan->state != BT_CONNECTED)
		return;

	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
		hlen = L2CAP_EXT_HDR_SIZE;
	else
		hlen = L2CAP_ENH_HDR_SIZE;

	if (chan->fcs == L2CAP_FCS_CRC16)
		hlen += L2CAP_FCS_SIZE;

	BT_DBG("chan %p, control 0x%8.8x", chan, control);

	count = min_t(unsigned int, conn->mtu, hlen);

	control |= __set_sframe(chan);

	if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
		control |= __set_ctrl_final(chan);

	if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
		control |= __set_ctrl_poll(chan);

	skb = bt_skb_alloc(count, GFP_ATOMIC);
	if (!skb)
		return;

	/* Basic header: payload length excludes the header itself */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
	lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
	lh->cid = cpu_to_le16(chan->dcid);

	__put_control(chan, control, skb_put(skb, __ctrl_size(chan)));

	/* FCS covers everything before it, from the basic header on */
	if (chan->fcs == L2CAP_FCS_CRC16) {
		u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
		put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
	}

	skb->priority = HCI_PRIO_MAX;
	l2cap_do_send(chan, skb);
}

/* Send a Receiver Ready S-frame, or Receiver Not Ready while the local
 * side is busy (CONN_LOCAL_BUSY), acknowledging up to chan->buffer_seq.
 * Sending RNR records CONN_RNR_SENT so the busy condition can later be
 * cleared with a matching RR. */
static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
{
	bool local_busy = test_bit(CONN_LOCAL_BUSY, &chan->conn_state);

	control |= __set_ctrl_super(chan, local_busy ? L2CAP_SUPER_RNR
						     : L2CAP_SUPER_RR);
	if (local_busy)
		set_bit(CONN_RNR_SENT, &chan->conn_state);

	control |= __set_reqseq(chan, chan->buffer_seq);

	l2cap_send_sframe(chan, control);
}

/* True when no Connect Request is outstanding on @chan, i.e. the
 * CONF_CONNECT_PEND bit set by l2cap_send_conn_req() is clear. */
static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
{
	return test_bit(CONF_CONNECT_PEND, &chan->conf_state) == 0;
}

/* Send an L2CAP Connect Request for @chan's PSM, announcing our source
 * CID. A fresh signalling identifier is stored in chan->ident so the
 * response can be matched, and CONF_CONNECT_PEND is set until then. */
static void l2cap_send_conn_req(struct l2cap_chan *chan)
{
	struct l2cap_conn *conn = chan->conn;
	struct l2cap_conn_req req = {
		.scid = cpu_to_le16(chan->scid),
		.psm  = chan->psm,
	};

	chan->ident = l2cap_get_ident(conn);
	set_bit(CONF_CONNECT_PEND, &chan->conf_state);

	l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
}

/* Mark @chan fully connected: clear configuration state and the channel
 * timer, move to BT_CONNECTED and wake the socket, plus the listening
 * parent (if any) so that accept() can return the new connection.
 * Takes and releases the socket lock itself. */
static void l2cap_chan_ready(struct l2cap_chan *chan)
{
	struct sock *sk = chan->sk;
	struct sock *parent;

	lock_sock(sk);

	parent = bt_sk(sk)->parent;

	BT_DBG("sk %p, parent %p", sk, parent);

	chan->conf_state = 0;
	__clear_chan_timer(chan);

	__l2cap_state_change(chan, BT_CONNECTED);
	sk->sk_state_change(sk);

	if (parent)
		parent->sk_data_ready(parent, 0);

	release_sock(sk);
}

/* Start the outgoing connection procedure for @chan.
 *
 * LE links have no L2CAP connect handshake, so the channel is ready at
 * once. On ACL links the peer's feature mask is needed first: if an
 * Information Request is already in flight, nothing happens until it
 * completes (l2cap_conn_start() resumes pending channels later); if the
 * mask is known, a Connect Request goes out once security permits and
 * no request is pending; otherwise the Information Request is sent and
 * the info timer armed. */
static void l2cap_do_start(struct l2cap_chan *chan)
{
	struct l2cap_conn *conn = chan->conn;

	if (conn->hcon->type == LE_LINK) {
		l2cap_chan_ready(chan);
		return;
	}

	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
		/* Feature mask request still pending: wait for its completion */
		if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
			return;

		if (l2cap_chan_check_security(chan) &&
				__l2cap_no_conn_pending(chan))
			l2cap_send_conn_req(chan);
	} else {
		struct l2cap_info_req req;
		req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);

		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
		conn->info_ident = l2cap_get_ident(conn);

		/* Bounds the wait for the peer's Information Response */
		schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);

		l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(req), &req);
	}
}

/* Check whether channel @mode can be used given the peer's feature mask
 * @feat_mask and our own (l2cap_feat_mask, extended with ERTM and
 * streaming unless disable_ertm is set).
 * Returns the matching feature bit when both sides support the mode,
 * 0 otherwise; modes other than ERTM/streaming always yield 0. */
static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
{
	u32 local_feat_mask = l2cap_feat_mask;
	u32 wanted;

	if (!disable_ertm)
		local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;

	switch (mode) {
	case L2CAP_MODE_ERTM:
		wanted = L2CAP_FEAT_ERTM;
		break;
	case L2CAP_MODE_STREAMING:
		wanted = L2CAP_FEAT_STREAMING;
		break;
	default:
		return 0x00;
	}

	return wanted & feat_mask & local_feat_mask;
}

/* Send a Disconnect Request for @chan on @conn and move the channel to
 * BT_DISCONN with @err recorded as the socket error. ERTM timers are
 * stopped first so no retransmission races the disconnect. Does nothing
 * when @conn is NULL. Caller holds the channel lock. */
static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
{
	struct sock *sk = chan->sk;
	struct l2cap_disconn_req req;

	if (!conn)
		return;

	if (chan->mode == L2CAP_MODE_ERTM) {
		__clear_retrans_timer(chan);
		__clear_monitor_timer(chan);
		__clear_ack_timer(chan);
	}

	req.dcid = cpu_to_le16(chan->dcid);
	req.scid = cpu_to_le16(chan->scid);
	l2cap_send_cmd(conn, l2cap_get_ident(conn),
			L2CAP_DISCONN_REQ, sizeof(req), &req);

	lock_sock(sk);
	__l2cap_state_change(chan, BT_DISCONN);
	__l2cap_chan_set_err(chan, err);
	release_sock(sk);
}

/* ---- L2CAP connections ---- */
/* Resume every connection-oriented channel on @conn that was waiting for
 * the link to become usable (feature mask known, security raised):
 *  - BT_CONNECT channels send their Connect Request, or are closed with
 *    ECONNRESET if their mode is unsupported and CONF_STATE2_DEVICE is
 *    set (no fallback allowed);
 *  - BT_CONNECT2 channels (incoming, awaiting our answer) get a Connect
 *    Response: pending/authorization-pending when the socket defers
 *    setup, pending/authentication-pending when security is not yet
 *    satisfied, success otherwise -- and on success the first
 *    Configure Request is sent as well.
 * Walks conn->chan_l under conn->chan_lock with the _safe iterator
 * because l2cap_chan_close() can unlink the current entry. Each channel
 * is handled under its own channel lock. */
static void l2cap_conn_start(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan, *tmp;

	BT_DBG("conn %p", conn);

	mutex_lock(&conn->chan_lock);

	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
		struct sock *sk = chan->sk;

		l2cap_chan_lock(chan);

		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
			l2cap_chan_unlock(chan);
			continue;
		}

		if (chan->state == BT_CONNECT) {
			if (!l2cap_chan_check_security(chan) ||
					!__l2cap_no_conn_pending(chan)) {
				l2cap_chan_unlock(chan);
				continue;
			}

			if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
					&& test_bit(CONF_STATE2_DEVICE,
					&chan->conf_state)) {
				l2cap_chan_close(chan, ECONNRESET);
				l2cap_chan_unlock(chan);
				continue;
			}

			l2cap_send_conn_req(chan);

		} else if (chan->state == BT_CONNECT2) {
			struct l2cap_conn_rsp rsp;
			/* Scratch space for l2cap_build_conf_req(); presumably
			 * large enough for every option it can emit -- confirm */
			char buf[128];
			rsp.scid = cpu_to_le16(chan->dcid);
			rsp.dcid = cpu_to_le16(chan->scid);

			if (l2cap_chan_check_security(chan)) {
				lock_sock(sk);
				if (test_bit(BT_SK_DEFER_SETUP,
					     &bt_sk(sk)->flags)) {
					struct sock *parent = bt_sk(sk)->parent;
					rsp.result = cpu_to_le16(L2CAP_CR_PEND);
					rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
					/* Let userspace accept() and decide */
					if (parent)
						parent->sk_data_ready(parent, 0);

				} else {
					__l2cap_state_change(chan, BT_CONFIG);
					rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
					rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
				}
				release_sock(sk);
			} else {
				rsp.result = cpu_to_le16(L2CAP_CR_PEND);
				rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
			}

			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
							sizeof(rsp), &rsp);

			/* rsp.result is little-endian; the comparison only
			 * works because L2CAP_CR_SUCCESS is endian-neutral */
			if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
					rsp.result != L2CAP_CR_SUCCESS) {
				l2cap_chan_unlock(chan);
				continue;
			}

			set_bit(CONF_REQ_SENT, &chan->conf_state);
			l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
						l2cap_build_conf_req(chan, buf), buf);
			chan->num_conf_req++;
		}

		l2cap_chan_unlock(chan);
	}

	mutex_unlock(&conn->chan_lock);
}

/* Find socket with cid and source/destination bdaddr.
 * Returns the closest match: an exact src/dst match wins immediately,
 * otherwise the last channel seen whose unmatched address(es) are
 * BDADDR_ANY wildcards. @state of 0 matches any channel state.
 *
 * Unlike l2cap_get_chan_by_scid(), the returned channel is NOT locked
 * and chan_list_lock is released before returning, so the caller holds
 * no reference or lock on it. */
static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
						    bdaddr_t *src,
						    bdaddr_t *dst)
{
	struct l2cap_chan *c, *c1 = NULL;

	read_lock(&chan_list_lock);

	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;

		if (state && c->state != state)
			continue;

		if (c->scid == cid) {
			int src_match, dst_match;
			int src_any, dst_any;

			/* Exact match. */
			src_match = !bacmp(&bt_sk(sk)->src, src);
			dst_match = !bacmp(&bt_sk(sk)->dst, dst);
			if (src_match && dst_match) {
				read_unlock(&chan_list_lock);
				return c;
			}

			/* Closest match: no ordering between the wildcard
			 * forms, a later candidate replaces an earlier one */
			src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
			dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
			if ((src_match && dst_any) || (src_any && dst_match) ||
			    (src_any && dst_any))
				c1 = c;
		}
	}

	read_unlock(&chan_list_lock);

	return c1;
}

/* An incoming LE link is up.  If a socket is listening on the LE data CID
 * for this (src, dst) pair, create its child channel, attach it to @conn,
 * queue it on the parent's accept queue and mark it BT_CONNECTED at once:
 * the fixed LE CID has no connect/configure exchange.
 *
 * No security check is applied here; l2cap_conn_ready() runs
 * smp_conn_security() over the channel list afterwards.
 *
 * NOTE(review): pchan comes back from l2cap_global_chan_by_scid() without
 * a lock or reference; it is only dereferenced after lock_sock(parent),
 * which does not by itself keep the channel alive - verify.
 */
static void l2cap_le_conn_ready(struct l2cap_conn *conn)
{
	struct sock *parent, *sk;
	struct l2cap_chan *chan, *pchan;

	BT_DBG("");

	/* Check if we have socket listening on cid */
	pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
					  conn->src, conn->dst);
	if (!pchan)
		return;

	parent = pchan->sk;

	lock_sock(parent);

	/* Check for backlog size: a full accept queue drops the connection
	 * attempt silently (debug message only).
	 */
	if (sk_acceptq_is_full(parent)) {
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
		goto clean;
	}

	chan = pchan->ops->new_connection(pchan->data);
	if (!chan)
		goto clean;

	sk = chan->sk;

	/* The child channel pins the HCI link for its lifetime. */
	hci_conn_hold(conn->hcon);

	bacpy(&bt_sk(sk)->src, conn->src);
	bacpy(&bt_sk(sk)->dst, conn->dst);

	bt_accept_enqueue(parent, sk);

	l2cap_chan_add(conn, chan);

	__set_chan_timer(chan, sk->sk_sndtimeo);

	__l2cap_state_change(chan, BT_CONNECTED);
	parent->sk_data_ready(parent, 0);

clean:
	release_sock(parent);
}

/* The HCI link behind @conn is usable.  For an incoming LE link spawn the
 * listener's child channel first; for an outgoing LE link start SMP at the
 * security level requested when the link was opened.  Then advance every
 * channel on @conn:
 *  - LE channels become ready once smp_conn_security() is satisfied;
 *  - non-connection-oriented (fixed CID) channels are marked connected
 *    immediately, without any L2CAP signalling;
 *  - connection-oriented channels still in BT_CONNECT send their connect
 *    request via l2cap_do_start().
 */
static void l2cap_conn_ready(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan;

	BT_DBG("conn %p", conn);

	if (!conn->hcon->out && conn->hcon->type == LE_LINK)
		l2cap_le_conn_ready(conn);

	if (conn->hcon->out && conn->hcon->type == LE_LINK)
		smp_conn_security(conn, conn->hcon->pending_sec_level);

	mutex_lock(&conn->chan_lock);

	list_for_each_entry(chan, &conn->chan_l, list) {

		l2cap_chan_lock(chan);

		if (conn->hcon->type == LE_LINK) {
			/* Only channels whose security level SMP can satisfy
			 * right now are reported as ready; the rest wait for
			 * the SMP completion path.
			 */
			if (smp_conn_security(conn, chan->sec_level))
				l2cap_chan_ready(chan);

		} else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
			struct sock *sk = chan->sk;
			__clear_chan_timer(chan);
			lock_sock(sk);
			__l2cap_state_change(chan, BT_CONNECTED);
			sk->sk_state_change(sk);
			release_sock(sk);

		} else if (chan->state == BT_CONNECT)
			l2cap_do_start(chan);

		l2cap_chan_unlock(chan);
	}

	mutex_unlock(&conn->chan_lock);
}

/* Notify sockets that we cannot guarantee reliability anymore: set @err on
 * every channel of @conn that insisted on a reliable link
 * (FLAG_FORCE_RELIABLE).  Other channels are left untouched.  Walks the
 * channel list under conn->chan_lock.
 */
static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
{
	struct l2cap_chan *ch;

	BT_DBG("conn %p", conn);

	mutex_lock(&conn->chan_lock);
	list_for_each_entry(ch, &conn->chan_l, list)
		if (test_bit(FLAG_FORCE_RELIABLE, &ch->flags))
			__l2cap_chan_set_err(ch, err);
	mutex_unlock(&conn->chan_lock);
}

/* Delayed-work handler for conn->info_timer: the peer never answered our
 * information request, so treat the feature-mask exchange as done, forget
 * the outstanding identifier and let the pending channels proceed.
 */
static void l2cap_info_timeout(struct work_struct *work)
{
	struct delayed_work *dwork;
	struct l2cap_conn *conn;

	dwork = container_of(work, struct delayed_work, work);
	conn = container_of(dwork, struct l2cap_conn, info_timer);

	conn->info_ident = 0;
	conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;

	l2cap_conn_start(conn);
}

/* Tear down the L2CAP connection attached to @hcon: report @err to every
 * channel (l2cap_chan_del() then ops->close()), release the HCI channel,
 * stop whichever timer was armed, destroy any pending SMP state and free
 * the conn.  A no-op if @hcon has no L2CAP data.
 *
 * Each channel is held across its close callback so the _safe list walk is
 * not invalidated if the callback drops the last reference.
 */
static void l2cap_conn_del(struct hci_conn *hcon, int err)
{
	struct l2cap_conn *conn = hcon->l2cap_data;
	struct l2cap_chan *chan, *l;

	if (!conn)
		return;

	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);

	/* Partially reassembled inbound frame, if any (kfree_skb(NULL) is safe). */
	kfree_skb(conn->rx_skb);

	mutex_lock(&conn->chan_lock);

	/* Kill channels */
	list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
		l2cap_chan_hold(chan);
		l2cap_chan_lock(chan);

		l2cap_chan_del(chan, err);

		l2cap_chan_unlock(chan);

		chan->ops->close(chan->data);
		l2cap_chan_put(chan);
	}

	mutex_unlock(&conn->chan_lock);

	hci_chan_del(conn->hchan);

	/* The info timer is only armed once a feature-mask request went out. */
	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
		cancel_delayed_work_sync(&conn->info_timer);

	/* LE: an unfinished SMP exchange owns the security timer and SMP state. */
	if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
		cancel_delayed_work_sync(&conn->security_timer);
		smp_chan_destroy(conn);
	}

	hcon->l2cap_data = NULL;
	kfree(conn);
}

/* Delayed-work handler for conn->security_timer on LE links: the SMP
 * exchange did not complete in time, so drop the whole connection with
 * ETIMEDOUT.
 */
static void security_timeout(struct work_struct *work)
{
	struct delayed_work *dwork;
	struct l2cap_conn *conn;

	dwork = container_of(work, struct delayed_work, work);
	conn = container_of(dwork, struct l2cap_conn, security_timer);

	l2cap_conn_del(conn->hcon, ETIMEDOUT);
}

/* Create the L2CAP connection object for a freshly established HCI link.
 *
 * Returns the existing conn if @hcon already has one.  If @status is
 * non-zero (link setup failed) nothing is created and whatever is
 * currently attached (normally NULL) is returned.  On allocation failure
 * returns NULL with no HCI channel left behind.
 */
static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
{
	struct l2cap_conn *conn = hcon->l2cap_data;
	struct hci_dev *hdev = hcon->hdev;
	bool le = (hcon->type == LE_LINK);
	struct hci_chan *hchan;

	if (conn || status)
		return conn;

	hchan = hci_chan_create(hcon);
	if (!hchan)
		return NULL;

	/* GFP_ATOMIC: callers may run in non-sleeping context (assumed). */
	conn = kzalloc(sizeof(*conn), GFP_ATOMIC);
	if (!conn) {
		hci_chan_del(hchan);
		return NULL;
	}

	conn->hcon = hcon;
	conn->hchan = hchan;
	hcon->l2cap_data = conn;

	BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);

	/* Use the LE MTU on LE links when the controller reports one,
	 * otherwise the ACL MTU.
	 */
	conn->mtu = (le && hdev->le_mtu) ? hdev->le_mtu : hdev->acl_mtu;
	conn->src = &hdev->bdaddr;
	conn->dst = &hcon->dst;
	conn->feat_mask = 0;
	conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;

	spin_lock_init(&conn->lock);
	mutex_init(&conn->chan_lock);
	INIT_LIST_HEAD(&conn->chan_l);

	/* Only one of the two timers is ever initialised: LE links time
	 * out the SMP exchange, BR/EDR links the information request.
	 */
	if (le)
		INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
	else
		INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);

	return conn;
}

/* ---- Socket interface ---- */

/* Find the channel registered on @psm whose socket addresses match
 * @src/@dst, walking the global channel list under chan_list_lock.
 *
 * @state: required chan->state, or 0 to accept any state.
 * @psm:   compared in wire (little-endian) form against chan->psm.
 *
 * Returns the exact (src, dst) match if there is one; otherwise the last
 * wildcard (BDADDR_ANY on either side) match seen during the walk, or NULL.
 *
 * NOTE(review): the returned channel is neither locked nor reference-counted;
 * chan_list_lock is released before returning, so the pointer is only safe
 * if callers rule out concurrent freeing - confirm, or hold the channel
 * while still under the lock.
 */
static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
						   bdaddr_t *src,
						   bdaddr_t *dst)
{
	struct l2cap_chan *c, *c1 = NULL;

	read_lock(&chan_list_lock);

	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;

		if (state && c->state != state)
			continue;

		if (c->psm == psm) {
			int src_match, dst_match;
			int src_any, dst_any;

			/* Exact match. */
			src_match = !bacmp(&bt_sk(sk)->src, src);
			dst_match = !bacmp(&bt_sk(sk)->dst, dst);
			if (src_match && dst_match) {
				read_unlock(&chan_list_lock);
				return c;
			}

			/* Closest match: a wildcard on either side qualifies;
			 * a later candidate overwrites an earlier one.
			 */
			src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
			dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
			if ((src_match && dst_any) || (src_any && dst_match) ||
			    (src_any && dst_any))
				c1 = c;
		}
	}

	read_unlock(&chan_list_lock);

	return c1;
}

/* Initiate an outgoing L2CAP connection on @chan to @dst.
 *
 * @psm:      target PSM in wire (little-endian) form; 0 when connecting by CID.
 * @cid:      fixed destination CID (e.g. L2CAP_CID_LE_DATA selects an LE link);
 *            0 for a PSM-based connection.
 * @dst_type: address type handed to hci_connect().
 *
 * Validates the PSM/CID combination and channel mode, checks the socket
 * state, opens (or reuses) the HCI link and attaches @chan to its L2CAP
 * connection in BT_CONNECT.  If the link is already up, the connect request
 * (or, for fixed-CID channels, the security check) is issued immediately.
 *
 * Returns 0 on success or when a connect is already in progress,
 * -EINVAL for a bad PSM/CID, -ENOTSUPP for an unsupported mode,
 * -EISCONN if already connected, -EBADFD for other socket states,
 * -EHOSTUNREACH if no adapter routes to @dst, -EBUSY if an LE link already
 * carries a channel, -ENOMEM, or the error from hci_connect().
 */
int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
		       bdaddr_t *dst, u8 dst_type)
{
	struct sock *sk = chan->sk;
	bdaddr_t *src = &bt_sk(sk)->src;
	struct l2cap_conn *conn;
	struct hci_conn *hcon;
	struct hci_dev *hdev;
	__u8 auth_type;
	int err;

	/* Note: logs the channel's current psm, not the @psm argument. */
	BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
	       dst_type, __le16_to_cpu(chan->psm));

	hdev = hci_get_route(dst, src);
	if (!hdev)
		return -EHOSTUNREACH;

	hci_dev_lock(hdev);

	l2cap_chan_lock(chan);

	/* PSM must be odd and lsb of upper byte must be 0.  The check is
	 * skipped for CID-based connects and for raw channels.
	 */
	if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
					chan->chan_type != L2CAP_CHAN_RAW) {
		err = -EINVAL;
		goto done;
	}

	/* A connection-oriented channel needs something to connect to. */
	if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
		err = -EINVAL;
		goto done;
	}

	switch (chan->mode) {
	case L2CAP_MODE_BASIC:
		break;
	case L2CAP_MODE_ERTM:
	case L2CAP_MODE_STREAMING:
		if (!disable_ertm)
			break;
		/* fall through */
	default:
		err = -ENOTSUPP;
		goto done;
	}

	lock_sock(sk);

	switch (sk->sk_state) {
	case BT_CONNECT:
	case BT_CONNECT2:
	case BT_CONFIG:
		/* Already connecting */
		err = 0;
		release_sock(sk);
		goto done;

	case BT_CONNECTED:
		/* Already connected */
		err = -EISCONN;
		release_sock(sk);
		goto done;

	case BT_OPEN:
	case BT_BOUND:
		/* Can connect */
		break;

	default:
		err = -EBADFD;
		release_sock(sk);
		goto done;
	}

	/* Set destination address and psm */
	bacpy(&bt_sk(sk)->dst, dst);

	release_sock(sk);

	chan->psm = psm;
	chan->dcid = cid;

	auth_type = l2cap_get_auth_type(chan);

	/* The LE data CID selects an LE link; everything else goes over ACL. */
	if (chan->dcid == L2CAP_CID_LE_DATA)
		hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
				   chan->sec_level, auth_type);
	else
		hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
				   chan->sec_level, auth_type);

	if (IS_ERR(hcon)) {
		err = PTR_ERR(hcon);
		goto done;
	}

	conn = l2cap_conn_add(hcon, 0);
	if (!conn) {
		hci_conn_put(hcon);
		err = -ENOMEM;
		goto done;
	}

	/* Only one channel may ride an LE link here; drop the hci_connect()
	 * reference if we are not going to use it.
	 */
	if (hcon->type == LE_LINK) {
		err = 0;

		if (!list_empty(&conn->chan_l)) {
			err = -EBUSY;
			hci_conn_put(hcon);
		}

		if (err)
			goto done;
	}

	/* Update source addr of the socket */
	bacpy(src, conn->src);

	/* l2cap_chan_add() takes conn->chan_lock; release the channel lock
	 * around it to keep the lock order consistent with the other paths.
	 */
	l2cap_chan_unlock(chan);
	l2cap_chan_add(conn, chan);
	l2cap_chan_lock(chan);

	l2cap_state_change(chan, BT_CONNECT);
	__set_chan_timer(chan, sk->sk_sndtimeo);

	if (hcon->state == BT_CONNECTED) {
		if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
			__clear_chan_timer(chan);
			if (l2cap_chan_check_security(chan))
				l2cap_state_change(chan, BT_CONNECTED);
		} else
			l2cap_do_start(chan);
	}

	err = 0;

done:
	l2cap_chan_unlock(chan);
	hci_dev_unlock(hdev);
	hci_dev_put(hdev);
	return err;
}

/* Block until every transmitted ERTM frame on @sk's channel has been
 * acknowledged, the channel loses its connection, a signal arrives or a
 * socket error is set.
 *
 * Must be called with the socket locked; the lock is dropped while
 * sleeping and re-taken afterwards.  There is no overall deadline: the
 * HZ/5 sleep is simply re-armed each time it expires, so this can wait
 * indefinitely while frames stay unacknowledged.
 *
 * Returns 0, the signal errno from sock_intr_errno(), or the socket error.
 */
int __l2cap_wait_ack(struct sock *sk)
{
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
	DECLARE_WAITQUEUE(wait, current);
	int err = 0;
	int timeo = HZ/5;

	add_wait_queue(sk_sleep(sk), &wait);
	set_current_state(TASK_INTERRUPTIBLE);
	while (chan->unacked_frames > 0 && chan->conn) {
		if (!timeo)
			timeo = HZ/5;

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
			break;
		}

		release_sock(sk);
		timeo = schedule_timeout(timeo);
		lock_sock(sk);
		set_current_state(TASK_INTERRUPTIBLE);

		err = sock_error(sk);
		if (err)
			break;
	}
	set_current_state(TASK_RUNNING);
	remove_wait_queue(sk_sleep(sk), &wait);
	return err;
}

/* ERTM monitor timer: the peer has not answered our poll.  Either give up
 * and request a disconnect once chan->remote_max_tx polls went unanswered,
 * or re-arm the timer and poll again.
 *
 * The trailing l2cap_chan_put() balances a reference presumably taken when
 * the timer was armed (__set_monitor_timer() is not visible here - verify).
 *
 * NOTE(review): the give-up test is `retry_count >= remote_max_tx` with no
 * special case for remote_max_tx == 0, unlike l2cap_ertm_send() and
 * l2cap_retransmit_one_frame() which only enforce the limit when it is
 * non-zero.  If 0 is meant as "unlimited", this disconnects on the first
 * monitor expiry - confirm the intended semantics.
 */
static void l2cap_monitor_timeout(struct work_struct *work)
{
	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
							monitor_timer.work);

	BT_DBG("chan %p", chan);

	l2cap_chan_lock(chan);

	if (chan->retry_count >= chan->remote_max_tx) {
		l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
		l2cap_chan_unlock(chan);
		l2cap_chan_put(chan);
		return;
	}

	chan->retry_count++;
	__set_monitor_timer(chan);

	l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
	l2cap_chan_unlock(chan);
	l2cap_chan_put(chan);
}

/* ERTM retransmission timer: an I-frame went unacknowledged.  Start the
 * first poll cycle (retry_count = 1), arm the monitor timer, flag that we
 * are waiting for the peer's F-bit response and send an RR/RNR with P=1.
 *
 * The trailing l2cap_chan_put() balances a reference presumably taken when
 * the timer was armed (not visible here - verify).
 */
static void l2cap_retrans_timeout(struct work_struct *work)
{
	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
							retrans_timer.work);

	BT_DBG("chan %p", chan);

	l2cap_chan_lock(chan);

	chan->retry_count = 1;
	__set_monitor_timer(chan);

	set_bit(CONN_WAIT_F, &chan->conn_state);

	l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);

	l2cap_chan_unlock(chan);
	l2cap_chan_put(chan);
}

/* Release every frame at the head of chan->tx_q that the peer has
 * acknowledged, i.e. everything before chan->expected_ack_seq, decrementing
 * chan->unacked_frames as we go.  When nothing is left outstanding the
 * retransmission timer is stopped.
 */
static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
{
	struct sk_buff *head;

	for (;;) {
		head = skb_peek(&chan->tx_q);
		if (!head || !chan->unacked_frames)
			break;

		/* First frame the peer has not acknowledged yet: stop here. */
		if (bt_cb(head)->control.txseq == chan->expected_ack_seq)
			break;

		kfree_skb(skb_dequeue(&chan->tx_q));
		chan->unacked_frames--;
	}

	if (!chan->unacked_frames)
		__clear_retrans_timer(chan);
}

/* Streaming mode transmit: drain chan->tx_q, stamping each PDU with the
 * next TxSeq and its SAR bits, filling in the CRC16 FCS when enabled, and
 * hand it to the HCI layer.  Nothing is retained for retransmission.
 */
static void l2cap_streaming_send(struct l2cap_chan *chan)
{
	struct sk_buff *pdu;

	for (pdu = skb_dequeue(&chan->tx_q); pdu;
	     pdu = skb_dequeue(&chan->tx_q)) {
		u8 *ctrl_field = pdu->data + L2CAP_HDR_SIZE;
		u32 ctrl;

		ctrl = __get_control(chan, ctrl_field);
		ctrl |= __set_txseq(chan, chan->next_tx_seq);
		ctrl |= __set_ctrl_sar(chan, bt_cb(pdu)->control.sar);
		__put_control(chan, ctrl, ctrl_field);

		if (chan->fcs == L2CAP_FCS_CRC16) {
			unsigned int covered = pdu->len - L2CAP_FCS_SIZE;
			u16 crc = crc16(0, (u8 *)pdu->data, covered);

			/* FCS trails the payload, over header+control+data. */
			put_unaligned_le16(crc, pdu->data + covered);
		}

		l2cap_do_send(chan, pdu);

		chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
	}
}

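/* Retransmit the queued I-frame whose TxSeq is @tx_seq (typically in
 * response to an SREJ).  Silently does nothing if no such frame is queued.
 * If the frame has already been sent chan->remote_max_tx times (and the
 * limit is non-zero) the channel is torn down with ECONNABORTED instead.
 *
 * The clone shares the original's data buffer, so the control field and
 * FCS written here also update the queued copy.
 */
static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
{
	struct sk_buff *skb, *tx_skb;
	u16 fcs;
	u32 control;

	skb = skb_peek(&chan->tx_q);
	if (!skb)
		return;

	while (bt_cb(skb)->control.txseq != tx_seq) {
		if (skb_queue_is_last(&chan->tx_q, skb))
			return;

		skb = skb_queue_next(&chan->tx_q, skb);
	}

	if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
	    chan->remote_max_tx) {
		l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
		return;
	}

	/* skb_clone() can fail under memory pressure; previously the NULL
	 * was dereferenced below.  Leave the frame queued for the next
	 * retransmission opportunity and do not charge a retry for it.
	 */
	tx_skb = skb_clone(skb, GFP_ATOMIC);
	if (!tx_skb)
		return;

	bt_cb(skb)->control.retries++;

	/* Keep only the SAR bits of the stored control field; everything
	 * else is recomputed for this transmission.
	 */
	control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
	control &= __get_sar_mask(chan);

	if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
		control |= __set_ctrl_final(chan);

	control |= __set_reqseq(chan, chan->buffer_seq);
	control |= __set_txseq(chan, tx_seq);

	__put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);

	if (chan->fcs == L2CAP_FCS_CRC16) {
		fcs = crc16(0, (u8 *)tx_skb->data,
						tx_skb->len - L2CAP_FCS_SIZE);
		put_unaligned_le16(fcs,
				tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
	}

	l2cap_do_send(chan, tx_skb);
}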

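/* ERTM transmit: send I-frames from chan->tx_send_head onwards while the
 * transmit window has room.  Each frame is cloned (sharing the data
 * buffer), stamped with the current ReqSeq/TxSeq/SAR bits and, if pending,
 * the F-bit; the original stays queued for retransmission.
 *
 * Returns the number of frames sent for the first time (retransmissions
 * are not counted), 0 if the peer is busy or nothing could be sent, or
 * -ENOTCONN if the channel is not connected.  A frame that has already
 * been sent chan->remote_max_tx times (limit non-zero) aborts the channel
 * with ECONNABORTED.
 */
static int l2cap_ertm_send(struct l2cap_chan *chan)
{
	struct sk_buff *skb, *tx_skb;
	u16 fcs;
	u32 control;
	int nsent = 0;

	if (chan->state != BT_CONNECTED)
		return -ENOTCONN;

	if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
		return 0;

	while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {

		if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
		    chan->remote_max_tx) {
			l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
			break;
		}

		/* skb_clone() can fail under memory pressure; previously the
		 * NULL was dereferenced below.  Stop here without charging a
		 * retry: tx_send_head still points at this frame, so the next
		 * send or retransmission pass picks it up.
		 */
		tx_skb = skb_clone(skb, GFP_ATOMIC);
		if (!tx_skb)
			break;

		bt_cb(skb)->control.retries++;

		/* Keep only the SAR bits of the stored control field. */
		control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
		control &= __get_sar_mask(chan);

		if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
			control |= __set_ctrl_final(chan);

		control |= __set_reqseq(chan, chan->buffer_seq);
		control |= __set_txseq(chan, chan->next_tx_seq);
		control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);

		__put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);

		/* The clone shares the data buffer, so writing the FCS via
		 * tx_skb also updates the queued copy (matches
		 * l2cap_retransmit_one_frame()).
		 */
		if (chan->fcs == L2CAP_FCS_CRC16) {
			fcs = crc16(0, (u8 *)tx_skb->data,
						tx_skb->len - L2CAP_FCS_SIZE);
			put_unaligned_le16(fcs, tx_skb->data +
						tx_skb->len - L2CAP_FCS_SIZE);
		}

		l2cap_do_send(chan, tx_skb);

		__set_retrans_timer(chan);

		bt_cb(skb)->control.txseq = chan->next_tx_seq;

		chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);

		/* First transmission: it now counts against the window and
		 * supersedes any delayed ack we had pending.
		 */
		if (bt_cb(skb)->control.retries == 1) {
			chan->unacked_frames++;

			if (!nsent++)
				__clear_ack_timer(chan);
		}

		chan->frames_sent++;

		if (skb_queue_is_last(&chan->tx_q, skb))
			chan->tx_send_head = NULL;
		else
			chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
	}

	return nsent;
}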

/* Go-back-N retransmission: rewind the send pointer to the oldest queued
 * frame and the TxSeq to the last sequence the peer acknowledged, then
 * resend from there.  Returns what l2cap_ertm_send() returns.
 */
static int l2cap_retransmit_frames(struct l2cap_chan *chan)
{
	struct sk_buff_head *q = &chan->tx_q;

	if (!skb_queue_empty(q))
		chan->tx_send_head = q->next;
	chan->next_tx_seq = chan->expected_ack_seq;

	return l2cap_ertm_send(chan);
}

/* Acknowledge received frames up to chan->buffer_seq.  If we are locally
 * busy an RNR is sent (and remembered in CONN_RNR_SENT); otherwise the ack
 * piggybacks on any I-frame we can send right now, and only if nothing
 * went out do we fall back to an explicit RR.
 */
static void __l2cap_send_ack(struct l2cap_chan *chan)
{
	u32 ctrl = __set_reqseq(chan, chan->buffer_seq);

	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
		ctrl |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
		set_bit(CONN_RNR_SENT, &chan->conn_state);
		l2cap_send_sframe(chan, ctrl);
		return;
	}

	/* A positive return means an I-frame carried our ReqSeq already. */
	if (l2cap_ertm_send(chan) > 0)
		return;

	ctrl |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
	l2cap_send_sframe(chan, ctrl);
}

/* Send an ack now; an explicit ack makes the pending delayed one moot. */
static void l2cap_send_ack(struct l2cap_chan *chan)
{
	__clear_ack_timer(chan);

	__l2cap_send_ack(chan);
}

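/* Send an SREJ with the F-bit set for the most recently recorded missing
 * frame (the tail of chan->srej_l).
 *
 * With an empty list, list_entry() on the head's prev pointer would alias
 * the list head inside struct l2cap_chan and put an arbitrary field on the
 * wire as the ReqSeq, so there is nothing sensible to send in that case.
 */
static void l2cap_send_srejtail(struct l2cap_chan *chan)
{
	struct srej_list *tail;
	u32 control;

	if (list_empty(&chan->srej_l))
		return;

	control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
	control |= __set_ctrl_final(chan);

	tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
	control |= __set_reqseq(chan, tail->tx_seq);

	l2cap_send_sframe(chan, control);
}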

/* Copy @len bytes of user data from @msg into @skb: the first @count bytes
 * into @skb's linear area (the caller has already sized it and written the
 * L2CAP header), the remainder as conn->mtu-sized continuation skbs chained
 * on skb's frag_list.  skb->len/data_len are grown to cover the fragments.
 *
 * Returns the number of bytes copied (== @len), -EFAULT if the user
 * buffer could not be read, or the error from ops->alloc_skb().  On error,
 * fragments already attached are left on @skb; callers free them with the
 * head via kfree_skb().
 */
static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
					 struct msghdr *msg, int len,
					 int count, struct sk_buff *skb)
{
	struct l2cap_conn *conn = chan->conn;
	struct sk_buff **frag;
	int sent = 0;

	if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
		return -EFAULT;

	sent += count;
	len  -= count;

	/* Continuation fragments (no L2CAP header) */
	frag = &skb_shinfo(skb)->frag_list;
	while (len) {
		struct sk_buff *tmp;

		count = min_t(unsigned int, conn->mtu, len);

		tmp = chan->ops->alloc_skb(chan, count,
					   msg->msg_flags & MSG_DONTWAIT);
		if (IS_ERR(tmp))
			return PTR_ERR(tmp);

		*frag = tmp;

		if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
			return -EFAULT;

		(*frag)->priority = skb->priority;

		sent += count;
		len  -= count;

		skb->len += (*frag)->len;
		skb->data_len += (*frag)->len;

		frag = &(*frag)->next;
	}

	return sent;
}

/* Build a connectionless (G-frame) PDU: basic L2CAP header, the channel's
 * PSM, then @len bytes of user data from @msg.  Only the first fragment
 * carries the header; the rest of the data is chained in conn->mtu pieces
 * by l2cap_skbuff_fromiovec().
 *
 * Returns the skb or an ERR_PTR from allocation / user-copy failure.
 *
 * NOTE(review): lh->len is 16 bits and is set from a size_t without a
 * range check here; the caller is expected to bound @len - verify against
 * l2cap_chan_send(), which checks chan->omtu only for BASIC mode.
 */
static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
						struct msghdr *msg, size_t len,
						u32 priority)
{
	const int hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
	struct l2cap_conn *conn = chan->conn;
	struct l2cap_hdr *lh;
	struct sk_buff *skb;
	int first, err;

	BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);

	first = min_t(unsigned int, (conn->mtu - hlen), len);

	skb = chan->ops->alloc_skb(chan, first + hlen,
				   msg->msg_flags & MSG_DONTWAIT);
	if (IS_ERR(skb))
		return skb;
	skb->priority = priority;

	/* Create L2CAP header */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
	lh->cid = cpu_to_le16(chan->dcid);
	lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
	put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));

	err = l2cap_skbuff_fromiovec(chan, msg, len, first, skb);
	if (likely(err >= 0))
		return skb;

	kfree_skb(skb);
	return ERR_PTR(err);
}

/* Build a basic-mode (B-frame) PDU: L2CAP header followed by @len bytes of
 * user data from @msg.  Only the first fragment carries the header; the
 * rest is chained in conn->mtu pieces by l2cap_skbuff_fromiovec().
 *
 * Returns the skb or an ERR_PTR from allocation / user-copy failure.
 */
static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
						struct msghdr *msg, size_t len,
						u32 priority)
{
	struct l2cap_conn *conn = chan->conn;
	struct l2cap_hdr *lh;
	struct sk_buff *skb;
	int first, err;

	BT_DBG("chan %p len %d", chan, (int)len);

	first = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);

	skb = chan->ops->alloc_skb(chan, first + L2CAP_HDR_SIZE,
				   msg->msg_flags & MSG_DONTWAIT);
	if (IS_ERR(skb))
		return skb;
	skb->priority = priority;

	/* Create L2CAP header */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
	lh->cid = cpu_to_le16(chan->dcid);
	lh->len = cpu_to_le16(len);

	err = l2cap_skbuff_fromiovec(chan, msg, len, first, skb);
	if (likely(err >= 0))
		return skb;

	kfree_skb(skb);
	return ERR_PTR(err);
}

/* Build one ERTM/streaming I-frame carrying @len bytes of user data from
 * @msg.  The control field is written as a zero placeholder and the FCS
 * (when CRC16 is enabled) as a zero trailer; both are filled in at send
 * time by l2cap_ertm_send() / l2cap_streaming_send().
 *
 * @sdulen: non-zero for the first segment of a segmented SDU, in which
 *          case an SDU length field is inserted after the control field.
 *
 * Returns the skb, ERR_PTR(-ENOTCONN) if the channel has no connection,
 * or the ERR_PTR from allocation / user-copy failure.
 *
 * NOTE(review): the FCS is appended to the linear area and the send-time
 * CRC runs over skb->data for skb->len bytes, which only holds if the
 * whole PDU is linear.  That relies on l2cap_segment_sdu() keeping
 * @len <= conn->mtu - hlen so l2cap_skbuff_fromiovec() never chains
 * continuation fragments - keep the two in step.
 */
static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
						struct msghdr *msg, size_t len,
						u16 sdulen)
{
	struct l2cap_conn *conn = chan->conn;
	struct sk_buff *skb;
	int err, count, hlen;
	struct l2cap_hdr *lh;

	BT_DBG("chan %p len %d", chan, (int)len);

	if (!conn)
		return ERR_PTR(-ENOTCONN);

	/* Header size depends on the negotiated control field width. */
	if (test_bit(FLAG_EXT_CTRL, &chan->flags))
		hlen = L2CAP_EXT_HDR_SIZE;
	else
		hlen = L2CAP_ENH_HDR_SIZE;

	if (sdulen)
		hlen += L2CAP_SDULEN_SIZE;

	if (chan->fcs == L2CAP_FCS_CRC16)
		hlen += L2CAP_FCS_SIZE;

	count = min_t(unsigned int, (conn->mtu - hlen), len);

	skb = chan->ops->alloc_skb(chan, count + hlen,
				   msg->msg_flags & MSG_DONTWAIT);
	if (IS_ERR(skb))
		return skb;

	/* Create L2CAP header; the length covers control, SDU length, data
	 * and FCS (everything after the basic header).
	 */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
	lh->cid = cpu_to_le16(chan->dcid);
	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));

	__put_control(chan, 0, skb_put(skb, __ctrl_size(chan)));

	if (sdulen)
		put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));

	err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
	if (unlikely(err < 0)) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}

	if (chan->fcs == L2CAP_FCS_CRC16)
		put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));

	bt_cb(skb)->control.retries = 0;
	return skb;
}

/* Split an SDU of @len bytes from @msg into I-frame PDUs and append them
 * to @seg_queue.  The PDU payload size is the HCI MTU, capped at
 * L2CAP_BREDR_MAX_PAYLOAD, less the largest possible L2CAP overhead, and
 * further capped by the peer's MPS.  A single-PDU SDU is marked
 * UNSEGMENTED; otherwise the first PDU (START) carries the SDU length and
 * the rest are CONTINUE/END.
 *
 * Returns 0, or the error from l2cap_create_iframe_pdu() after purging
 * whatever was already queued.
 *
 * NOTE(review): chan->conn is dereferenced here without a NULL check,
 * before l2cap_create_iframe_pdu() gets the chance to return -ENOTCONN;
 * rely on the caller having verified the connection.  sdu_len is a u16
 * assigned from a size_t; the caller's chan->omtu check is assumed to keep
 * @len within 16 bits.  A chan->remote_mps of 0 would drive pdu_len to 0
 * and the START branch would underflow it - assumed to be rejected when
 * the peer's configuration is parsed (not visible here).
 */
static int l2cap_segment_sdu(struct l2cap_chan *chan,
			     struct sk_buff_head *seg_queue,
			     struct msghdr *msg, size_t len)
{
	struct sk_buff *skb;
	u16 sdu_len;
	size_t pdu_len;
	int err = 0;
	u8 sar;

	BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);

	/* It is critical that ERTM PDUs fit in a single HCI fragment,
	 * so fragmented skbs are not used.  The HCI layer's handling
	 * of fragmented skbs is not compatible with ERTM's queueing.
	 */

	/* PDU size is derived from the HCI MTU */
	pdu_len = chan->conn->mtu;

	pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);

	/* Adjust for largest possible L2CAP overhead. */
	pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;

	/* Remote device may have requested smaller PDUs */
	pdu_len = min_t(size_t, pdu_len, chan->remote_mps);

	if (len <= pdu_len) {
		sar = L2CAP_SAR_UNSEGMENTED;
		sdu_len = 0;
		pdu_len = len;
	} else {
		sar = L2CAP_SAR_START;
		sdu_len = len;
		/* The START PDU also carries the 2-byte SDU length. */
		pdu_len -= L2CAP_SDULEN_SIZE;
	}

	while (len > 0) {
		skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);

		if (IS_ERR(skb)) {
			__skb_queue_purge(seg_queue);
			return PTR_ERR(skb);
		}

		bt_cb(skb)->control.sar = sar;
		__skb_queue_tail(seg_queue, skb);

		len -= pdu_len;
		/* After the START PDU the SDU length field is gone, so the
		 * remaining PDUs get that space back for payload.
		 */
		if (sdu_len) {
			sdu_len = 0;
			pdu_len += L2CAP_SDULEN_SIZE;
		}

		if (len <= pdu_len) {
			sar = L2CAP_SAR_END;
			pdu_len = len;
		} else {
			sar = L2CAP_SAR_CONTINUE;
		}
	}

	return err;
}

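/* Queue @len bytes from @msg for transmission on @chan.
 *
 * Connectionless channels are sent straight away.  BASIC mode sends a
 * single PDU after checking chan->omtu.  ERTM and STREAMING check omtu,
 * segment the SDU into I-frames (l2cap_segment_sdu) and hand the segments
 * to the respective sender.
 *
 * Returns @len on success, or a negative errno: -ENOTCONN if the channel
 * has no connection or lost it while segmenting, -EMSGSIZE if @len exceeds
 * the outgoing MTU, -EBADFD for an unknown mode, or a PDU build error.
 *
 * Caller is assumed to hold the channel lock; the state re-check after
 * segmentation exists because ops->alloc_skb may block (see the comment
 * below) - confirm against l2cap_sock_sendmsg().
 */
int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
								u32 priority)
{
	struct sk_buff *skb;
	int err;
	struct sk_buff_head seg_queue;

	/* Every PDU builder below reads chan->conn->mtu, and
	 * l2cap_segment_sdu() does so before l2cap_create_iframe_pdu() gets
	 * to its own -ENOTCONN check.  Reject a connection-less channel
	 * object up front instead of dereferencing NULL.
	 */
	if (!chan->conn)
		return -ENOTCONN;

	/* Connectionless channel */
	if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
		skb = l2cap_create_connless_pdu(chan, msg, len, priority);
		if (IS_ERR(skb))
			return PTR_ERR(skb);

		l2cap_do_send(chan, skb);
		return len;
	}

	switch (chan->mode) {
	case L2CAP_MODE_BASIC:
		/* Check outgoing MTU */
		if (len > chan->omtu)
			return -EMSGSIZE;

		/* Create a basic PDU */
		skb = l2cap_create_basic_pdu(chan, msg, len, priority);
		if (IS_ERR(skb))
			return PTR_ERR(skb);

		l2cap_do_send(chan, skb);
		err = len;
		break;

	case L2CAP_MODE_ERTM:
	case L2CAP_MODE_STREAMING:
		/* Check outgoing MTU */
		if (len > chan->omtu) {
			err = -EMSGSIZE;
			break;
		}

		__skb_queue_head_init(&seg_queue);

		/* Do segmentation before calling in to the state machine,
		 * since it's possible to block while waiting for memory
		 * allocation.
		 */
		err = l2cap_segment_sdu(chan, &seg_queue, msg, len);

		/* The channel could have been closed while segmenting,
		 * check that it is still connected.
		 */
		if (chan->state != BT_CONNECTED) {
			__skb_queue_purge(&seg_queue);
			err = -ENOTCONN;
		}

		if (err)
			break;

		/* Point the ERTM send cursor at the new frames if it was idle. */
		if (chan->mode == L2CAP_MODE_ERTM && chan->tx_send_head == NULL)
			chan->tx_send_head = seg_queue.next;
		skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);

		if (chan->mode == L2CAP_MODE_ERTM)
			err = l2cap_ertm_send(chan);
		else
			l2cap_streaming_send(chan);

		/* A non-negative send count means the data was accepted. */
		if (err >= 0)
			err = len;

		/* If the skbs were not queued for sending, they'll still be in
		 * seg_queue and need to be purged.
		 */
		__skb_queue_purge(&seg_queue);
		break;

	default:
		BT_DBG("bad state %1.1x", chan->mode);
		err = -EBADFD;
	}

	return err;
}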

/* Deliver a copy of @skb to every raw channel on @conn except the one the
 * frame originated from.  Clone failures just skip that channel; a copy
 * the receiver refuses is freed here.  Walks the list under
 * conn->chan_lock.
 */
static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct l2cap_chan *raw;

	BT_DBG("conn %p", conn);

	mutex_lock(&conn->chan_lock);
	list_for_each_entry(raw, &conn->chan_l, list) {
		struct sk_buff *copy;

		/* Only raw channels, and never the originating socket. */
		if (raw->chan_type != L2CAP_CHAN_RAW || raw->sk == skb->sk)
			continue;

		copy = skb_clone(skb, GFP_ATOMIC);
		if (copy && raw->ops->recv(raw->data, copy))
			kfree_skb(copy);
	}
	mutex_unlock(&conn->chan_lock);
}

/* ---- L2CAP signalling commands ---- */
/* Build a signalling PDU: basic L2CAP header on the signalling CID (LE or
 * BR/EDR according to the link type), a command header (@code, @ident,
 * @dlen) and @dlen bytes of @data.  The first skb is sized to conn->mtu;
 * any remaining payload is chained as header-less continuation skbs on
 * frag_list, each at most conn->mtu bytes.
 *
 * Returns the skb or NULL on allocation failure (partial chains are freed).
 *
 * The first fragment's payload size assumes conn->mtu >= the two headers;
 * conn->mtu comes from the local controller (l2cap_conn_add), not the peer.
 */
static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
				u8 code, u8 ident, u16 dlen, void *data)
{
	struct sk_buff *skb, **frag;
	struct l2cap_cmd_hdr *cmd;
	struct l2cap_hdr *lh;
	int len, count;

	BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
			conn, code, ident, dlen);

	len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
	count = min_t(unsigned int, conn->mtu, len);

	skb = bt_skb_alloc(count, GFP_ATOMIC);
	if (!skb)
		return NULL;

	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
	lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);

	if (conn->hcon->type == LE_LINK)
		lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
	else
		lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);

	cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
	cmd->code  = code;
	cmd->ident = ident;
	cmd->len   = cpu_to_le16(dlen);

	/* As much payload as fits in the first skb after the two headers. */
	if (dlen) {
		count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
		memcpy(skb_put(skb, count), data, count);
		data += count;
	}

	len -= skb->len;

	/* Continuation fragments (no L2CAP header) */
	frag = &skb_shinfo(skb)->frag_list;
	while (len) {
		count = min_t(unsigned int, conn->mtu, len);

		*frag = bt_skb_alloc(count, GFP_ATOMIC);
		if (!*frag)
			goto fail;

		memcpy(skb_put(*frag, count), data, count);

		len  -= count;
		data += count;

		frag = &(*frag)->next;
	}

	return skb;

fail:
	kfree_skb(skb);
	return NULL;
}

/* Decode one configuration option at *ptr and advance *ptr past it.
 *
 * @ptr:  in/out cursor into the option buffer; advanced by
 *        L2CAP_CONF_OPT_SIZE + opt->len
 * @type: receives the raw option type byte (hint bit still included)
 * @olen: receives the option's own length field
 * @val:  receives the value: decoded little-endian for 1/2/4-byte
 *        options, otherwise the address of the value bytes cast to
 *        unsigned long (the caller must memcpy from it)
 *
 * Returns the number of bytes consumed.  That length comes from the option
 * header supplied by the peer and is NOT checked against the remaining
 * buffer here: a caller that subtracts the return value from a
 * remaining-length counter must treat a negative result as a truncated
 * option and stop parsing, and must check @olen against the size its
 * option type expects before using @val.
 */
static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
{
	struct l2cap_conf_opt *opt = *ptr;
	int len;

	len = L2CAP_CONF_OPT_SIZE + opt->len;
	*ptr += len;

	*type = opt->type;
	*olen = opt->len;

	switch (opt->len) {
	case 1:
		*val = *((u8 *) opt->val);
		break;

	case 2:
		*val = get_unaligned_le16(opt->val);
		break;

	case 4:
		*val = get_unaligned_le32(opt->val);
		break;

	default:
		/* Variable-size option (RFC, EFS, ...): hand back a pointer. */
		*val = (unsigned long) opt->val;
		break;
	}

	BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
	return len;
}

/* Append one configuration option to the buffer at *ptr and advance *ptr.
 *
 * @ptr:  in/out cursor into the option buffer being built
 * @type: option type byte
 * @len:  value length; 1, 2 and 4 are written little-endian from @val,
 *        any other length treats @val as a pointer to @len raw bytes
 * @val:  the value, or the address of the value bytes (see @len)
 *
 * The caller is responsible for the buffer having room for
 * L2CAP_CONF_OPT_SIZE + @len more bytes.
 */
static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
{
	struct l2cap_conf_opt *opt = *ptr;

	BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);

	opt->type = type;
	opt->len  = len;

	if (len == 1)
		*((u8 *) opt->val) = val;
	else if (len == 2)
		put_unaligned_le16(val, opt->val);
	else if (len == 4)
		put_unaligned_le32(val, opt->val);
	else
		memcpy(opt->val, (void *) val, len);

	*ptr += L2CAP_CONF_OPT_SIZE + len;
}

/* Append our Extended Flow Specification option for @chan to *ptr.
 *
 * ERTM channels advertise the locally configured id/service type with the
 * default access latency and flush timeout; streaming channels advertise a
 * fixed best-effort flow.  Any other mode adds nothing.
 */
static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
{
	struct l2cap_conf_efs efs;

	if (chan->mode == L2CAP_MODE_ERTM) {
		efs.id		= chan->local_id;
		efs.stype	= chan->local_stype;
		efs.acc_lat	= cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
		efs.flush_to	= cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
	} else if (chan->mode == L2CAP_MODE_STREAMING) {
		efs.id		= 1;
		efs.stype	= L2CAP_SERV_BESTEFFORT;
		efs.acc_lat	= 0;
		efs.flush_to	= 0;
	} else {
		return;
	}

	/* Common to both modes. */
	efs.msdu	= cpu_to_le16(chan->local_msdu);
	efs.sdu_itime	= cpu_to_le32(chan->local_sdu_itime);

	l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
							(unsigned long) &efs);
}

/* Delayed-work handler for the ERTM acknowledgement timer.
 *
 * Sends the pending acknowledgement under the channel lock, then drops a
 * channel reference (presumably the one taken when the timer was armed --
 * the arming site is not in this block, so confirm the pairing there).
 */
static void l2cap_ack_timeout(struct work_struct *work)
{
	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
							ack_timer.work);

	BT_DBG("chan %p", chan);

	l2cap_chan_lock(chan);

	__l2cap_send_ack(chan);

	l2cap_chan_unlock(chan);

	/* Must come after the unlock: the put may free the channel. */
	l2cap_chan_put(chan);
}

/* Reset the retransmission/streaming state of @chan before it goes to
 * BT_CONNECTED.
 *
 * Sequence counters, SDU reassembly state and the transmit queue are
 * cleared for every mode; the state machines, timers, SREJ queue and the
 * two sequence lists are only set up for L2CAP_MODE_ERTM.
 *
 * Returns 0 on success, or the negative error from l2cap_seq_list_init();
 * if the second list cannot be created the first one is freed again so the
 * caller is left with nothing to release.
 */
static inline int l2cap_ertm_init(struct l2cap_chan *chan)
{
	int err;

	chan->next_tx_seq = 0;
	chan->expected_tx_seq = 0;
	chan->expected_ack_seq = 0;
	chan->unacked_frames = 0;
	chan->buffer_seq = 0;
	chan->num_acked = 0;
	chan->frames_sent = 0;
	chan->last_acked_seq = 0;
	/* No partially reassembled SDU. */
	chan->sdu = NULL;
	chan->sdu_last_frag = NULL;
	chan->sdu_len = 0;

	skb_queue_head_init(&chan->tx_q);

	if (chan->mode != L2CAP_MODE_ERTM)
		return 0;

	chan->rx_state = L2CAP_RX_STATE_RECV;
	chan->tx_state = L2CAP_TX_STATE_XMIT;

	INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
	INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
	INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);

	skb_queue_head_init(&chan->srej_q);

	INIT_LIST_HEAD(&chan->srej_l);
	/* srej_list is sized by our window, retrans_list by the peer's. */
	err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
	if (err < 0)
		return err;

	err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
	if (err < 0)
		l2cap_seq_list_free(&chan->srej_list);

	return err;
}

/* Pick the channel mode usable with this peer: ERTM and streaming are
 * kept only when the remote feature mask advertises support for them;
 * anything else (including unknown modes) falls back to basic mode.
 */
static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
{
	bool wants_enhanced = mode == L2CAP_MODE_STREAMING ||
			      mode == L2CAP_MODE_ERTM;

	if (wants_enhanced && l2cap_mode_supported(mode, remote_feat_mask))
		return mode;

	return L2CAP_MODE_BASIC;
}

/* Extended window size may be used only when high-speed support is
 * enabled locally and the peer advertised L2CAP_FEAT_EXT_WINDOW.
 */
static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
{
	if (!enable_hs)
		return false;

	return (chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW) != 0;
}

/* Extended flow specification may be used only when high-speed support is
 * enabled locally and the peer advertised L2CAP_FEAT_EXT_FLOW.
 */
static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
{
	if (!enable_hs)
		return false;

	return (chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW) != 0;
}

/* Decide between the standard and the extended transmit window for @chan.
 *
 * A window larger than L2CAP_DEFAULT_TX_WINDOW is kept, and the extended
 * control field enabled, only when extended windows are supported on this
 * connection; otherwise tx_win is clamped to the default window.
 */
static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
{
	bool use_ext_window = chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
			      __l2cap_ews_supported(chan);

	if (!use_ext_window) {
		chan->tx_win = min_t(u16, chan->tx_win,
						L2CAP_DEFAULT_TX_WINDOW);
		chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
		return;
	}

	/* use extended control field */
	set_bit(FLAG_EXT_CTRL, &chan->flags);
	chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
}

/* Build our Configuration Request for @chan into @data.
 *
 * On the first request of a channel (no request or response exchanged
 * yet) the mode is first reconciled with the peer's feature mask, and EFS
 * is enabled when both sides support it.  Then the MTU option (if not the
 * default), the RFC option for the chosen mode, and for ERTM/streaming the
 * optional EFS, FCS and EWS options are appended.
 *
 * Returns the length of the request written to @data.  No bound on @data
 * is checked here; callers size their buffer for the fixed set of options
 * this function can emit.
 *
 * Side effects: may change chan->mode, chan->fcs, chan->tx_win(_max) and
 * the FLAG_EFS_ENABLE / FLAG_EXT_CTRL bits.
 */
static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
{
	struct l2cap_conf_req *req = data;
	struct l2cap_conf_rfc rfc = { .mode = chan->mode };
	void *ptr = req->data;
	u16 size;

	BT_DBG("chan %p", chan);

	/* Mode negotiation happens only on the very first request. */
	if (chan->num_conf_req || chan->num_conf_rsp)
		goto done;

	switch (chan->mode) {
	case L2CAP_MODE_STREAMING:
	case L2CAP_MODE_ERTM:
		/* A "state 2" device insists on its mode: skip reconciliation. */
		if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
			break;

		if (__l2cap_efs_supported(chan))
			set_bit(FLAG_EFS_ENABLE, &chan->flags);

		/* fall through */
	default:
		chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
		break;
	}

done:
	if (chan->imtu != L2CAP_DEFAULT_MTU)
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);

	switch (chan->mode) {
	case L2CAP_MODE_BASIC:
		/* An explicit basic-mode RFC is only needed if the peer could
		 * otherwise assume an enhanced mode. */
		if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
				!(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
			break;

		rfc.mode            = L2CAP_MODE_BASIC;
		rfc.txwin_size      = 0;
		rfc.max_transmit    = 0;
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;
		rfc.max_pdu_size    = 0;

		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);
		break;

	case L2CAP_MODE_ERTM:
		rfc.mode            = L2CAP_MODE_ERTM;
		rfc.max_transmit    = chan->max_tx;
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;

		/* Largest PDU that still fits the link MTU with the extended
		 * header, SDU length field and FCS in place. */
		size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
						L2CAP_EXT_HDR_SIZE -
						L2CAP_SDULEN_SIZE -
						L2CAP_FCS_SIZE);
		rfc.max_pdu_size = cpu_to_le16(size);

		l2cap_txwin_setup(chan);

		/* The RFC field is one byte; a larger window goes in EWS below. */
		rfc.txwin_size = min_t(u16, chan->tx_win,
						L2CAP_DEFAULT_TX_WINDOW);

		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);

		if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
			l2cap_add_opt_efs(&ptr, chan);

		if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
			break;

		if (chan->fcs == L2CAP_FCS_NONE ||
				test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
			chan->fcs = L2CAP_FCS_NONE;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
		}

		if (test_bit(FLAG_EXT_CTRL, &chan->flags))
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
								chan->tx_win);
		break;

	case L2CAP_MODE_STREAMING:
		rfc.mode            = L2CAP_MODE_STREAMING;
		rfc.txwin_size      = 0;
		rfc.max_transmit    = 0;
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;

		size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
						L2CAP_EXT_HDR_SIZE -
						L2CAP_SDULEN_SIZE -
						L2CAP_FCS_SIZE);
		rfc.max_pdu_size = cpu_to_le16(size);

		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);

		if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
			l2cap_add_opt_efs(&ptr, chan);

		if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
			break;

		if (chan->fcs == L2CAP_FCS_NONE ||
				test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
			chan->fcs = L2CAP_FCS_NONE;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
		}
		break;
	}

	req->dcid  = cpu_to_le16(chan->dcid);
	req->flags = cpu_to_le16(0);

	return ptr - data;
}

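/* Parse the peer's complete Configuration Request (accumulated in
 * chan->conf_req / chan->conf_len) and build our Configuration Response
 * into @data.
 *
 * Every option is validated against the length its header claims: an
 * option that runs past the end of the buffer ends parsing, and an option
 * whose length does not match its type is ignored.  This matters because
 * the RFC and EFS values are echoed back to the peer and must never be
 * read from uninitialised stack.
 *
 * Returns the response length, or -ECONNREFUSED when the channel cannot
 * be configured as requested (mode mismatch after the second round, EFS
 * with an incompatible service type, EWS without high-speed support).
 *
 * Side effects: updates chan->mode, chan->omtu, chan->flush_to, chan->fcs,
 * the remote_* ERTM/EFS parameters and several conf_state/flags bits.
 */
static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
{
	struct l2cap_conf_rsp *rsp = data;
	void *ptr = rsp->data;
	void *req = chan->conf_req;
	int len = chan->conf_len;
	int type, hint, olen;
	unsigned long val;
	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
	struct l2cap_conf_efs efs;
	u8 remote_efs = 0;
	u16 mtu = L2CAP_DEFAULT_MTU;
	u16 result = L2CAP_CONF_SUCCESS;
	u16 size;

	BT_DBG("chan %p", chan);

	/* efs is copied into chan->remote_* below whenever FLAG_EFS_ENABLE
	 * is set, which can happen without the peer sending an EFS option,
	 * so never leave it indeterminate. */
	memset(&efs, 0, sizeof(efs));

	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
		/* The option header claimed more bytes than remain: the
		 * request is truncated, stop rather than read past it. */
		if (len < 0)
			break;

		hint  = type & L2CAP_CONF_HINT;
		type &= L2CAP_CONF_MASK;

		switch (type) {
		case L2CAP_CONF_MTU:
			if (olen != 2)
				break;
			mtu = val;
			break;

		case L2CAP_CONF_FLUSH_TO:
			if (olen != 2)
				break;
			chan->flush_to = val;
			break;

		case L2CAP_CONF_QOS:
			break;

		case L2CAP_CONF_RFC:
			if (olen != sizeof(rfc))
				break;
			memcpy(&rfc, (void *) val, olen);
			break;

		case L2CAP_CONF_FCS:
			if (olen != 1)
				break;
			if (val == L2CAP_FCS_NONE)
				set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
			break;

		case L2CAP_CONF_EFS:
			/* Only a well-formed EFS counts as "remote sent EFS":
			 * a short one would otherwise be echoed back below. */
			if (olen != sizeof(efs))
				break;
			remote_efs = 1;
			memcpy(&efs, (void *) val, olen);
			break;

		case L2CAP_CONF_EWS:
			if (olen != 2)
				break;
			if (!enable_hs)
				return -ECONNREFUSED;

			set_bit(FLAG_EXT_CTRL, &chan->flags);
			set_bit(CONF_EWS_RECV, &chan->conf_state);
			chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
			chan->remote_tx_win = val;
			break;

		default:
			if (hint)
				break;

			/* Unknown mandatory option: report its type back. */
			result = L2CAP_CONF_UNKNOWN;
			*((u8 *) ptr++) = type;
			break;
		}
	}

	/* Mode negotiation only on the first exchange. */
	if (chan->num_conf_rsp || chan->num_conf_req > 1)
		goto done;

	switch (chan->mode) {
	case L2CAP_MODE_STREAMING:
	case L2CAP_MODE_ERTM:
		if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
			chan->mode = l2cap_select_mode(rfc.mode,
					chan->conn->feat_mask);
			break;
		}

		if (remote_efs) {
			if (__l2cap_efs_supported(chan))
				set_bit(FLAG_EFS_ENABLE, &chan->flags);
			else
				return -ECONNREFUSED;
		}

		if (chan->mode != rfc.mode)
			return -ECONNREFUSED;

		break;
	}

done:
	if (chan->mode != rfc.mode) {
		result = L2CAP_CONF_UNACCEPT;
		rfc.mode = chan->mode;

		if (chan->num_conf_rsp == 1)
			return -ECONNREFUSED;

		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);
	}

	if (result == L2CAP_CONF_SUCCESS) {
		/* Configure output options and let the other side know
		 * which ones we don't like. */

		if (mtu < L2CAP_DEFAULT_MIN_MTU)
			result = L2CAP_CONF_UNACCEPT;
		else {
			chan->omtu = mtu;
			set_bit(CONF_MTU_DONE, &chan->conf_state);
		}
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);

		if (remote_efs) {
			if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
					efs.stype != L2CAP_SERV_NOTRAFIC &&
					efs.stype != chan->local_stype) {

				result = L2CAP_CONF_UNACCEPT;

				if (chan->num_conf_req >= 1)
					return -ECONNREFUSED;

				l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
							sizeof(efs),
							(unsigned long) &efs);
			} else {
				/* Send PENDING Conf Rsp */
				result = L2CAP_CONF_PENDING;
				set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
			}
		}

		switch (rfc.mode) {
		case L2CAP_MODE_BASIC:
			chan->fcs = L2CAP_FCS_NONE;
			set_bit(CONF_MODE_DONE, &chan->conf_state);
			break;

		case L2CAP_MODE_ERTM:
			/* With EWS the real window came in that option. */
			if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
				chan->remote_tx_win = rfc.txwin_size;
			else
				rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;

			chan->remote_max_tx = rfc.max_transmit;

			/* Clamp the peer's PDU size to what fits our link
			 * MTU with extended header, SDU length and FCS. */
			size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
						chan->conn->mtu -
						L2CAP_EXT_HDR_SIZE -
						L2CAP_SDULEN_SIZE -
						L2CAP_FCS_SIZE);
			rfc.max_pdu_size = cpu_to_le16(size);
			chan->remote_mps = size;

			rfc.retrans_timeout =
				__constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
			rfc.monitor_timeout =
				__constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);

			set_bit(CONF_MODE_DONE, &chan->conf_state);

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);

			if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
				chan->remote_id = efs.id;
				chan->remote_stype = efs.stype;
				chan->remote_msdu = le16_to_cpu(efs.msdu);
				chan->remote_flush_to =
						le32_to_cpu(efs.flush_to);
				chan->remote_acc_lat =
						le32_to_cpu(efs.acc_lat);
				chan->remote_sdu_itime =
					le32_to_cpu(efs.sdu_itime);
				l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
					sizeof(efs), (unsigned long) &efs);
			}
			break;

		case L2CAP_MODE_STREAMING:
			size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
						chan->conn->mtu -
						L2CAP_EXT_HDR_SIZE -
						L2CAP_SDULEN_SIZE -
						L2CAP_FCS_SIZE);
			rfc.max_pdu_size = cpu_to_le16(size);
			chan->remote_mps = size;

			set_bit(CONF_MODE_DONE, &chan->conf_state);

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);

			break;

		default:
			result = L2CAP_CONF_UNACCEPT;

			memset(&rfc, 0, sizeof(rfc));
			rfc.mode = chan->mode;
		}

		if (result == L2CAP_CONF_SUCCESS)
			set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
	}
	rsp->scid   = cpu_to_le16(chan->dcid);
	rsp->result = cpu_to_le16(result);
	rsp->flags  = cpu_to_le16(0x0000);

	return ptr - data;
}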

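/* Parse the peer's Configuration Response and build the follow-up
 * Configuration Request into @data.
 *
 * @chan:   channel being configured
 * @rsp:    option bytes of the received response
 * @len:    number of option bytes at @rsp
 * @data:   buffer receiving our next request
 * @result: in/out result code; set to L2CAP_CONF_UNACCEPT when the peer
 *          proposed an MTU below L2CAP_DEFAULT_MIN_MTU
 *
 * Options are validated against the length their header claims: a
 * truncated option ends parsing and a mis-sized one is ignored, so the RFC
 * and EFS values that are echoed back (and copied into chan->*) are never
 * taken from uninitialised stack.
 *
 * Returns the request length, or -ECONNREFUSED when a state-2 device is
 * offered a different mode, the EFS service type is incompatible, or a
 * basic-mode channel is offered another mode.
 */
static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
{
	struct l2cap_conf_req *req = data;
	void *ptr = req->data;
	int type, olen;
	unsigned long val;
	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
	struct l2cap_conf_efs efs;

	BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);

	/* efs is read below under FLAG_EFS_ENABLE even if the peer sent no
	 * EFS option; keep it defined. */
	memset(&efs, 0, sizeof(efs));

	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
		/* Option runs past the end of the response: stop. */
		if (len < 0)
			break;

		switch (type) {
		case L2CAP_CONF_MTU:
			if (olen != 2)
				break;
			if (val < L2CAP_DEFAULT_MIN_MTU) {
				*result = L2CAP_CONF_UNACCEPT;
				chan->imtu = L2CAP_DEFAULT_MIN_MTU;
			} else
				chan->imtu = val;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
			break;

		case L2CAP_CONF_FLUSH_TO:
			if (olen != 2)
				break;
			chan->flush_to = val;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
							2, chan->flush_to);
			break;

		case L2CAP_CONF_RFC:
			if (olen != sizeof(rfc))
				break;
			memcpy(&rfc, (void *)val, olen);

			if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
							rfc.mode != chan->mode)
				return -ECONNREFUSED;

			chan->fcs = 0;

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);
			break;

		case L2CAP_CONF_EWS:
			if (olen != 2)
				break;
			chan->tx_win = min_t(u16, val,
						L2CAP_DEFAULT_EXT_WINDOW);
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
							chan->tx_win);
			break;

		case L2CAP_CONF_EFS:
			if (olen != sizeof(efs))
				break;
			memcpy(&efs, (void *)val, olen);

			if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
					efs.stype != L2CAP_SERV_NOTRAFIC &&
					efs.stype != chan->local_stype)
				return -ECONNREFUSED;

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
					sizeof(efs), (unsigned long) &efs);
			break;

		default:
			break;
		}
	}

	if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
		return -ECONNREFUSED;

	chan->mode = rfc.mode;

	if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
		switch (rfc.mode) {
		case L2CAP_MODE_ERTM:
			chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
			chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
			chan->mps    = le16_to_cpu(rfc.max_pdu_size);

			if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
				chan->local_msdu = le16_to_cpu(efs.msdu);
				chan->local_sdu_itime =
						le32_to_cpu(efs.sdu_itime);
				chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
				chan->local_flush_to =
						le32_to_cpu(efs.flush_to);
			}
			break;

		case L2CAP_MODE_STREAMING:
			chan->mps    = le16_to_cpu(rfc.max_pdu_size);
		}
	}

	req->dcid   = cpu_to_le16(chan->dcid);
	req->flags  = cpu_to_le16(0x0000);

	return ptr - data;
}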

/* Write a Configuration Response header with no options into @data.
 *
 * @result and @flags are sent as given; the source CID echoed to the peer
 * is our record of its CID (chan->dcid).  Returns the number of bytes
 * written, i.e. the header size.
 */
static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
{
	struct l2cap_conf_rsp *rsp = data;

	BT_DBG("chan %p", chan);

	rsp->scid   = cpu_to_le16(chan->dcid);
	rsp->result = cpu_to_le16(result);
	rsp->flags  = cpu_to_le16(flags);

	/* No options appended: length is the offset of the option area. */
	return (void *) rsp->data - data;
}

/* Send the deferred (successful) Connection Response for @chan and, if no
 * Configuration Request has been sent on this channel yet, follow it with
 * ours.  chan->ident must still hold the ident of the Connection Request
 * being answered.
 */
void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
{
	struct l2cap_conn *conn = chan->conn;
	struct l2cap_conn_rsp rsp;
	u8 buf[128];
	int req_len;

	rsp.scid   = cpu_to_le16(chan->dcid);
	rsp.dcid   = cpu_to_le16(chan->scid);
	rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
	rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
	l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);

	/* Test-and-set so only the first caller sends the request. */
	if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
		return;

	req_len = l2cap_build_conf_req(chan, buf);
	l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
			req_len, buf);
	chan->num_conf_req++;
}

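/* Extract the RFC option from a successful Configuration Response and
 * apply its timeouts / PDU size to @chan.
 *
 * @chan: channel in ERTM or streaming mode (other modes return at once)
 * @rsp:  option bytes of the response
 * @len:  number of option bytes at @rsp
 *
 * Only an RFC option whose length matches struct l2cap_conf_rfc is used;
 * a truncated or mis-sized one is treated as absent, in which case the
 * default ERTM parameters are applied (and an error is logged).  This
 * keeps rfc from ever being read uninitialised.
 */
static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
{
	int type, olen;
	unsigned long val;
	struct l2cap_conf_rfc rfc;

	BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);

	if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
		return;

	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
		/* Option runs past the end of the response: stop. */
		if (len < 0)
			break;

		switch (type) {
		case L2CAP_CONF_RFC:
			/* A mis-sized RFC is ignored; defaults apply below. */
			if (olen != sizeof(rfc))
				break;
			memcpy(&rfc, (void *)val, olen);
			goto done;
		default:
			break;
		}
	}

	/* Use sane default values in case a misbehaving remote device
	 * did not send an RFC option.
	 */
	rfc.mode = chan->mode;
	rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
	rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
	rfc.max_pdu_size = cpu_to_le16(chan->imtu);

	BT_ERR("Expected RFC option was not found, using defaults");

done:
	switch (rfc.mode) {
	case L2CAP_MODE_ERTM:
		chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
		chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
		chan->mps    = le16_to_cpu(rfc.max_pdu_size);
		break;
	case L2CAP_MODE_STREAMING:
		chan->mps    = le16_to_cpu(rfc.max_pdu_size);
	}
}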

/* Handle an incoming Command Reject.
 *
 * Only "command not understood" rejects are acted on, and only when they
 * answer our outstanding Information Request (matched by ident): the
 * feature-mask exchange is then marked done and channel setup continues
 * via l2cap_conn_start().
 *
 * NOTE(review): the size of @data is not validated here; the caller is
 * relied upon to have checked that a whole struct l2cap_cmd_rej_unk is
 * present.  Always returns 0.
 */
static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
	bool answers_info_req;

	if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
		return 0;

	answers_info_req = (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
			   cmd->ident == conn->info_ident;
	if (!answers_info_req)
		return 0;

	cancel_delayed_work(&conn->info_timer);

	conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
	conn->info_ident = 0;

	l2cap_conn_start(conn);

	return 0;
}

/* Handle an incoming Connection Request.
 *
 * Looks up a listening channel for the requested PSM on this connection's
 * address pair, enforces the link-security requirement (skipped only for
 * PSM 0x0001, SDP), checks the listener's accept backlog, creates the
 * child channel and answers with a Connection Response.  The result/status
 * pair tells the peer whether the channel may be configured (BT_CONFIG),
 * is pending on authentication/authorisation (BT_CONNECT2) or is refused.
 *
 * Locking: conn->chan_lock and the parent socket lock are held from after
 * the PSM lookup to the "response:" label; the response itself is sent
 * with both released.
 *
 * Side effects: when the result is pending with no status, an Information
 * Request for the feature mask is started; on success our Configuration
 * Request is sent right away.  Always returns 0.
 */
static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
	struct l2cap_conn_rsp rsp;
	struct l2cap_chan *chan = NULL, *pchan;
	struct sock *parent, *sk = NULL;
	int result, status = L2CAP_CS_NO_INFO;

	u16 dcid = 0, scid = __le16_to_cpu(req->scid);
	__le16 psm = req->psm;

	BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);

	/* Check if we have socket listening on psm */
	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
	if (!pchan) {
		result = L2CAP_CR_BAD_PSM;
		goto sendresp;
	}

	parent = pchan->sk;

	mutex_lock(&conn->chan_lock);
	lock_sock(parent);

	/* Check if the ACL is secure enough (if not SDP) */
	if (psm != cpu_to_le16(0x0001) &&
				!hci_conn_check_link_mode(conn->hcon)) {
		/* Record why the link will be torn down. */
		conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
		result = L2CAP_CR_SEC_BLOCK;
		goto response;
	}

	/* NO_MEM covers every refusal below: backlog full, no child
	 * channel, or a duplicate peer CID. */
	result = L2CAP_CR_NO_MEM;

	/* Check for backlog size */
	if (sk_acceptq_is_full(parent)) {
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
		goto response;
	}

	chan = pchan->ops->new_connection(pchan->data);
	if (!chan)
		goto response;

	sk = chan->sk;

	/* Check if we already have channel with that dcid */
	if (__l2cap_get_chan_by_dcid(conn, scid)) {
		/* The just-created child is discarded again. */
		sock_set_flag(sk, SOCK_ZAPPED);
		chan->ops->close(chan->data);
		goto response;
	}

	hci_conn_hold(conn->hcon);

	bacpy(&bt_sk(sk)->src, conn->src);
	bacpy(&bt_sk(sk)->dst, conn->dst);
	chan->psm  = psm;
	chan->dcid = scid;

	bt_accept_enqueue(parent, sk);

	__l2cap_chan_add(conn, chan);

	/* Our CID for this channel, reported back as the peer's dcid. */
	dcid = chan->scid;

	__set_chan_timer(chan, sk->sk_sndtimeo);

	/* Remembered so a deferred Connection Response can reuse it. */
	chan->ident = cmd->ident;

	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
		if (l2cap_chan_check_security(chan)) {
			if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
				/* Userspace must authorise before we proceed. */
				__l2cap_state_change(chan, BT_CONNECT2);
				result = L2CAP_CR_PEND;
				status = L2CAP_CS_AUTHOR_PEND;
				parent->sk_data_ready(parent, 0);
			} else {
				__l2cap_state_change(chan, BT_CONFIG);
				result = L2CAP_CR_SUCCESS;
				status = L2CAP_CS_NO_INFO;
			}
		} else {
			__l2cap_state_change(chan, BT_CONNECT2);
			result = L2CAP_CR_PEND;
			status = L2CAP_CS_AUTHEN_PEND;
		}
	} else {
		/* Feature mask not known yet: pend and ask for it below. */
		__l2cap_state_change(chan, BT_CONNECT2);
		result = L2CAP_CR_PEND;
		status = L2CAP_CS_NO_INFO;
	}

response:
	release_sock(parent);
	mutex_unlock(&conn->chan_lock);

sendresp:
	rsp.scid   = cpu_to_le16(scid);
	rsp.dcid   = cpu_to_le16(dcid);
	rsp.result = cpu_to_le16(result);
	rsp.status = cpu_to_le16(status);
	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);

	if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
		struct l2cap_info_req info;
		info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);

		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
		conn->info_ident = l2cap_get_ident(conn);

		schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);

		l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(info), &info);
	}

	if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
				result == L2CAP_CR_SUCCESS) {
		u8 buf[128];
		set_bit(CONF_REQ_SENT, &chan->conf_state);
		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
					l2cap_build_conf_req(chan, buf), buf);
		chan->num_conf_req++;
	}

	return 0;
}

/* Handle an incoming Connection Response for a channel we are opening.
 *
 * The channel is found by the CID the response carries, or, when that is
 * zero, by the ident of the request it answers.  On success the channel
 * moves to BT_CONFIG and our Configuration Request is sent (once); on
 * "pending" CONF_CONNECT_PEND is noted; any other result deletes the
 * channel with ECONNREFUSED.
 *
 * Returns 0, or -EFAULT if no matching channel exists.
 * conn->chan_lock is held for the whole lookup-and-update.
 */
static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
	u16 scid   = __le16_to_cpu(rsp->scid);
	u16 dcid   = __le16_to_cpu(rsp->dcid);
	u16 result = __le16_to_cpu(rsp->result);
	u16 status = __le16_to_cpu(rsp->status);
	struct l2cap_chan *chan;
	u8 req[128];
	int err = -EFAULT;

	BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
						dcid, scid, result, status);

	mutex_lock(&conn->chan_lock);

	/* A zero scid carries no channel id: fall back to the ident. */
	if (scid)
		chan = __l2cap_get_chan_by_scid(conn, scid);
	else
		chan = __l2cap_get_chan_by_ident(conn, cmd->ident);

	if (!chan)
		goto unlock;

	err = 0;

	l2cap_chan_lock(chan);

	switch (result) {
	case L2CAP_CR_SUCCESS:
		l2cap_state_change(chan, BT_CONFIG);
		chan->ident = 0;
		chan->dcid = dcid;
		clear_bit(CONF_CONNECT_PEND, &chan->conf_state);

		/* Only the first successful response sends our request. */
		if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
			l2cap_send_cmd(conn, l2cap_get_ident(conn),
					L2CAP_CONF_REQ,
					l2cap_build_conf_req(chan, req), req);
			chan->num_conf_req++;
		}
		break;

	case L2CAP_CR_PEND:
		set_bit(CONF_CONNECT_PEND, &chan->conf_state);
		break;

	default:
		l2cap_chan_del(chan, ECONNREFUSED);
		break;
	}

	l2cap_chan_unlock(chan);

unlock:
	mutex_unlock(&conn->chan_lock);

	return err;
}

/* Settle chan->fcs once configuration is complete. */
static inline void set_default_fcs(struct l2cap_chan *chan)
{
	/* FCS is enabled only in ERTM or streaming mode, if one or both
	 * sides request it.
	 */
	bool enhanced_mode = chan->mode == L2CAP_MODE_ERTM ||
			     chan->mode == L2CAP_MODE_STREAMING;

	if (!enhanced_mode) {
		chan->fcs = L2CAP_FCS_NONE;
		return;
	}

	/* If the peer asked for no FCS, chan->fcs is left as negotiated. */
	if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
		chan->fcs = L2CAP_FCS_CRC16;
}

/* Handle an incoming Configuration Request for one of our channels.
 *
 * The request body is appended to chan->conf_req, bounded by the size of
 * that buffer.  While the continuation flag (bit 0 of flags) is set an
 * empty success response is sent and more data is awaited.  Once the
 * request is complete, l2cap_parse_conf_req() builds the response into
 * @rsp and, depending on CONF_OUTPUT_DONE / CONF_INPUT_DONE, either
 * finishes setup (BT_CONNECTED, l2cap_ertm_init) or sends our own
 * Configuration Request.
 *
 * @cmd_len bounds the option data; a request for a channel that is not in
 * BT_CONFIG/BT_CONNECT2 gets a Command Reject, an oversized one a
 * L2CAP_CONF_REJECT response, and a request that cannot be parsed tears
 * the channel down.
 *
 * Returns -ENOENT when @dcid names no channel, otherwise the result of
 * l2cap_ertm_init() (0 if it was not run).  l2cap_get_chan_by_scid()
 * hands the channel back locked; every later exit goes through "unlock:".
 *
 * NOTE(review): @rsp is 64 bytes and l2cap_parse_conf_req() writes into
 * it without a bound; this relies on the response never exceeding that
 * (one byte per unknown option type plus the fixed-size MTU/RFC/EFS
 * options) -- confirm against the option set.
 */
static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
{
	struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
	u16 dcid, flags;
	u8 rsp[64];
	struct l2cap_chan *chan;
	int len, err = 0;

	dcid  = __le16_to_cpu(req->dcid);
	flags = __le16_to_cpu(req->flags);

	BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);

	chan = l2cap_get_chan_by_scid(conn, dcid);
	if (!chan)
		return -ENOENT;

	if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
		struct l2cap_cmd_rej_cid rej;

		rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
		rej.scid = cpu_to_le16(chan->scid);
		rej.dcid = cpu_to_le16(chan->dcid);

		l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
				sizeof(rej), &rej);
		goto unlock;
	}

	/* Reject if config buffer is too small. */
	len = cmd_len - sizeof(*req);
	/* len < 0 catches a command shorter than the request header. */
	if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
				l2cap_build_conf_rsp(chan, rsp,
					L2CAP_CONF_REJECT, flags), rsp);
		goto unlock;
	}

	/* Store config. */
	memcpy(chan->conf_req + chan->conf_len, req->data, len);
	chan->conf_len += len;

	if (flags & 0x0001) {
		/* Incomplete config. Send empty response. */
		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
				l2cap_build_conf_rsp(chan, rsp,
					L2CAP_CONF_SUCCESS, 0x0001), rsp);
		goto unlock;
	}

	/* Complete config. */
	len = l2cap_parse_conf_req(chan, rsp);
	if (len < 0) {
		l2cap_send_disconn_req(conn, chan, ECONNRESET);
		goto unlock;
	}

	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
	chan->num_conf_rsp++;

	/* Reset config buffer. */
	chan->conf_len = 0;

	if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
		goto unlock;

	if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
		/* Both directions configured: bring the channel up. */
		set_default_fcs(chan);

		l2cap_state_change(chan, BT_CONNECTED);

		if (chan->mode == L2CAP_MODE_ERTM ||
		    chan->mode == L2CAP_MODE_STREAMING)
			err = l2cap_ertm_init(chan);

		if (err < 0)
			l2cap_send_disconn_req(chan->conn, chan, -err);
		else
			l2cap_chan_ready(chan);

		goto unlock;
	}

	if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
		u8 buf[64];
		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
					l2cap_build_conf_req(chan, buf), buf);
		chan->num_conf_req++;
	}

	/* Got Conf Rsp PENDING from remote side and asume we sent
	   Conf Rsp PENDING in the code above */
	if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
			test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {

		/* check compatibility */

		clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
		set_bit(CONF_OUTPUT_DONE, &chan->conf_state);

		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
					l2cap_build_conf_rsp(chan, rsp,
					L2CAP_CONF_SUCCESS, 0x0000), rsp);
	}

unlock:
	l2cap_chan_unlock(chan);
	return err;
}

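/*
 * Handle an incoming L2CAP Configuration Response (L2CAP_CONF_RSP).
 *
 * @conn: connection the command arrived on
 * @cmd:  command header; cmd->len is the payload length and cmd->ident is
 *        reused when answering a PENDING response within the same exchange
 * @data: command payload, interpreted as struct l2cap_conf_rsp followed by
 *        the remote's configuration options
 *
 * Return: 0, except when the channel reaches BT_CONNECTED in ERTM or
 * streaming mode and l2cap_ertm_init() fails, whose negative error is
 * passed through.  A response for an unknown scid is ignored.  The channel
 * is unlocked at the common "done" exit, so l2cap_get_chan_by_scid() is
 * presumably expected to return it locked (compare the explicit
 * l2cap_chan_lock() after __l2cap_get_chan_by_scid() in the disconnect
 * handlers).
 */
static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
	u16 scid, flags, result;
	struct l2cap_chan *chan;
	/* Length of the option list that follows the fixed header.  It is
	 * negative for a command shorter than the header; NOTE(review): the
	 * dispatcher's length check is outside this block, so the callees
	 * below are assumed to tolerate len < 0 - confirm.
	 */
	int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
	int err = 0;

	scid   = __le16_to_cpu(rsp->scid);
	flags  = __le16_to_cpu(rsp->flags);
	result = __le16_to_cpu(rsp->result);

	BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
	       result, len);

	chan = l2cap_get_chan_by_scid(conn, scid);
	if (!chan)
		return 0;

	switch (result) {
	case L2CAP_CONF_SUCCESS:
		l2cap_conf_rfc_get(chan, rsp->data, len);
		clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
		break;

	case L2CAP_CONF_PENDING:
		set_bit(CONF_REM_CONF_PEND, &chan->conf_state);

		if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
			char buf[64];

			/* l2cap_parse_conf_rsp() rebuilds a request into the
			 * stack buffer.  Bound the remote-supplied option
			 * length exactly as the L2CAP_CONF_UNACCEPT branch
			 * below does, so an oversized response cannot overrun
			 * buf.  A negative len converts to a huge size_t and
			 * is rejected by the same comparison.
			 */
			if (len > sizeof(buf) - sizeof(struct l2cap_conf_req)) {
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
				goto done;
			}

			len = l2cap_parse_conf_rsp(chan, rsp->data, len,
								buf, &result);
			if (len < 0) {
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
				goto done;
			}

			/* check compatibility */

			clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
			set_bit(CONF_OUTPUT_DONE, &chan->conf_state);

			l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
						l2cap_build_conf_rsp(chan, buf,
						L2CAP_CONF_SUCCESS, 0x0000), buf);
		}
		goto done;

	case L2CAP_CONF_UNACCEPT:
		if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
			char req[64];

			/* The rebuilt request must fit the stack buffer. */
			if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
				goto done;
			}

			/* throw out any old stored conf requests */
			result = L2CAP_CONF_SUCCESS;
			len = l2cap_parse_conf_rsp(chan, rsp->data, len,
								req, &result);
			if (len < 0) {
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
				goto done;
			}

			l2cap_send_cmd(conn, l2cap_get_ident(conn),
						L2CAP_CONF_REQ, len, req);
			chan->num_conf_req++;
			if (result != L2CAP_CONF_SUCCESS)
				goto done;
			break;
		}
		/* Too many rejected attempts: fall through and tear down. */

	default:
		l2cap_chan_set_err(chan, ECONNRESET);

		__set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
		l2cap_send_disconn_req(conn, chan, ECONNRESET);
		goto done;
	}

	/* Bit 0 of flags set: the remote has more to send, input is not
	 * complete yet. */
	if (flags & 0x01)
		goto done;

	set_bit(CONF_INPUT_DONE, &chan->conf_state);

	/* Both directions configured: bring the channel up. */
	if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
		set_default_fcs(chan);

		l2cap_state_change(chan, BT_CONNECTED);
		if (chan->mode == L2CAP_MODE_ERTM ||
		    chan->mode == L2CAP_MODE_STREAMING)
			err = l2cap_ertm_init(chan);

		if (err < 0)
			l2cap_send_disconn_req(chan->conn, chan, -err);
		else
			l2cap_chan_ready(chan);
	}

done:
	l2cap_chan_unlock(chan);
	return err;
}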

/*
 * Handle an incoming L2CAP Disconnection Request (L2CAP_DISCONN_REQ).
 *
 * @conn: connection the command arrived on
 * @cmd:  command header; cmd->ident is echoed in the response
 * @data: command payload, interpreted as struct l2cap_disconn_req
 *
 * The request's dcid is our local channel id; an unknown id is silently
 * ignored.  Otherwise a DISCONN_RSP is sent, the owning socket is shut
 * down, the channel is removed from the connection with ECONNRESET and its
 * ops->close() callback is run.  Always returns 0.
 */
static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
	struct l2cap_disconn_rsp rsp;
	u16 dcid, scid;
	struct l2cap_chan *chan;
	struct sock *sk;

	scid = __le16_to_cpu(req->scid);
	dcid = __le16_to_cpu(req->dcid);

	BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);

	/* chan_lock is held across the lookup and l2cap_chan_del() below. */
	mutex_lock(&conn->chan_lock);

	/* The remote's dcid is our scid. */
	chan = __l2cap_get_chan_by_scid(conn, dcid);
	if (!chan) {
		mutex_unlock(&conn->chan_lock);
		return 0;
	}

	l2cap_chan_lock(chan);

	sk = chan->sk;

	/* The response carries the ids from our side, i.e. swapped. */
	rsp.dcid = cpu_to_le16(chan->scid);
	rsp.scid = cpu_to_le16(chan->dcid);
	l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);

	lock_sock(sk);
	sk->sk_shutdown = SHUTDOWN_MASK;
	release_sock(sk);

	/* Take a reference so chan stays valid through ops->close();
	 * presumably l2cap_chan_del() may drop the connection's reference -
	 * confirm.  The put below releases it. */
	l2cap_chan_hold(chan);
	l2cap_chan_del(chan, ECONNRESET);

	/* Drop the channel lock before calling into the owner's close(). */
	l2cap_chan_unlock(chan);

	chan->ops->close(chan->data);
	l2cap_chan_put(chan);

	mutex_unlock(&conn->chan_lock);

	return 0;
}

/*
 * Handle an incoming L2CAP Disconnection Response (L2CAP_DISCONN_RSP).
 *
 * @conn: connection the command arrived on
 * @cmd:  command header (unused here)
 * @data: command payload, interpreted as struct l2cap_disconn_rsp
 *
 * Looks up our channel by the response's scid, removes it from the
 * connection with error 0 and runs its ops->close() callback.  An unknown
 * scid is ignored.  Always returns 0.
 *
 * NOTE(review): the response is not matched against a pending disconnect
 * (channel state or dcid) before the channel is torn down; an unsolicited
 * response naming a valid scid closes that channel - confirm whether the
 * state check lives in l2cap_chan_del() or elsewhere.
 */
static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
	u16 dcid, scid;
	struct l2cap_chan *chan;

	scid = __le16_to_cpu(rsp->scid);
	dcid = __le16_to_cpu(rsp->dcid);

	BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);

	/* chan_lock is held across the lookup and l2cap_chan_del(). */
	mutex_lock(&conn->chan_lock);

	chan = __l2cap_get_chan_by_scid(conn, scid);
	if (!chan) {
		mutex_unlock(&conn->chan_lock);
		return 0;
	}

	l2cap_chan_lock(chan);

	/* Keep chan alive through ops->close(); released by the put below. */
	l2cap_chan_hold(chan);
	l2cap_chan_del(chan, 0);

	/* Channel lock is dropped before calling into the owner. */
	l2cap_chan_unlock(chan);

	chan->ops->close(chan->data);
	l2cap_chan_put(chan);

	mutex_unlock(&conn->chan_lock);

	return 0;
}

/*
 * Handle an incoming L2CAP Information Request (L2CAP_INFO_REQ).
 *
 * @conn: connection the command arrived on
 * @cmd:  command header; cmd->ident is echoed in the response
 * @data: command payload, interpreted as struct l2cap_info_req
 *
 * Feature-mask and fixed-channel queries are answered with
 * L2CAP_IR_SUCCESS and the corresponding data; any other type gets
 * L2CAP_IR_NOTSUPP.  Always returns 0.
 */
static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_info_req *req = (struct l2cap_info_req *) data;
	u16 type = __le16_to_cpu(req->type);

	BT_DBG("type 0x%4.4x", type);

	switch (type) {
	case L2CAP_IT_FEAT_MASK: {
		/* Response header followed by the 32-bit mask written below. */
		u8 buf[8];
		struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
		u32 feat_mask = l2cap_feat_mask;

		/* Advertise the optional modes this build has enabled. */
		if (!disable_ertm)
			feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
							 | L2CAP_FEAT_FCS;
		if (enable_hs)
			feat_mask |= L2CAP_FEAT_EXT_FLOW
						| L2CAP_FEAT_EXT_WINDOW;

		rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
		rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
		put_unaligned_le32(feat_mask, rsp->data);

		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(buf), buf);
		break;
	}

	case L2CAP_IT_FIXED_CHAN: {
		/* Response header followed by a copy of l2cap_fixed_chan. */
		u8 buf[12];
		struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;

		/* NOTE(review): this rewrites the module-wide fixed-channel
		 * table with no visible locking; presumably enable_hs does
		 * not change while connections are live - confirm. */
		if (enable_hs)
			l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
		else
			l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;

		rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
		rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
		memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));

		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(buf), buf);
		break;
	}

	default: {
		/* Unknown info type: echo it back as not supported. */
		struct l2cap_info_rsp rsp;

		rsp.type   = cpu_to_le16(type);
		rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(rsp), &rsp);
		break;
	}
	}

	return 0;
}

/*
 * Handle an incoming L2CAP Information Response (L2CAP_INFO_RSP).
 *
 * Stores the remote's feature mask or fixed-channel mask on @conn and
 * advances the connection's info-exchange state: a feature-mask answer
 * that advertises fixed channels triggers a follow-up
 * L2CAP_IT_FIXED_CHAN request, every other completed outcome marks the
 * exchange done and calls l2cap_conn_start().
 *
 * @conn: connection the command arrived on
 * @cmd:  command header; cmd->ident must match the outstanding request
 * @data: command payload, interpreted as struct l2cap_info_rsp
 *
 * Always returns 0.
 */
static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
	u16 type, result;

	type   = __le16_to_cpu(rsp->type);
	result = __le16_to_cpu(rsp->result);

	BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);

	/* L2CAP Info req/rsp are unbound to channels, add extra checks */
	/* Drop responses we did not ask for (ident mismatch) or that arrive
	 * after the exchange already completed. */
	if (cmd->ident != conn->info_ident ||
			conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
		return 0;

	/* The answer arrived: stop the info-request timeout. */
	cancel_delayed_work(&conn->info_timer);

	/* A failed query still ends the exchange so pending channels can
	 * proceed without the optional features. */
	if (result != L2CAP_IR_SUCCESS) {
		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
		conn->info_ident = 0;

		l2cap_conn_start(conn);

		return 0;
	}

	switch (type) {
	case L2CAP_IT_FEAT_MASK:
		/* NOTE(review): reads 4 bytes of rsp->data without checking
		 * that the command payload is that long; presumably covered
		 * by the dispatcher's bound on cmd->len - confirm. */
		conn->feat_mask = get_unaligned_le32(rsp->data);

		if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
			/* Ask which fixed channels the remote supports;
			 * the exchange stays open under a fresh ident. */
			struct l2cap_info_req req;
			req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);

			conn->info_ident = l2cap_get_ident(conn);

			l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(req), &req);
		} else {
			conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
			conn->info_ident = 0;

			l2cap_conn_start(conn);
		}
		break;

	case L2CAP_IT_FIXED_CHAN:
		/* Only the first octet of the mask is kept. */
		conn->fixed_chan_mask = rsp->data[0];
		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
		conn->info_ident = 0;

		l2cap_conn_start(conn);
		break;
	}

	/* NOTE(review): a success response of any other type falls out of
	 * the switch with the timer already cancelled and the exchange
	 * neither completed nor restarted - confirm that is intended. */
	return 0;
}

/*
 * Handle an L2CAP Create Channel Request (L2CAP_CREATE_CHAN_REQ).
 *
 * @conn:    connection the command arrived on
 * @cmd:     command header; cmd->ident is echoed in the response
 * @cmd_len: payload length reported by the header
 * @data:    payload, interpreted as struct l2cap_create_chan_req
 *
 * Return: -EPROTO when the payload length does not match the request
 * structure, -EINVAL when high-speed support is disabled, otherwise 0
 * after refusing the request with L2CAP_CR_NO_MEM.  Channel creation on a
 * secondary controller is not implemented yet (placeholder).
 */
static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
					struct l2cap_cmd_hdr *cmd, u16 cmd_len,
					void *data)
{
	struct l2cap_create_chan_req *create_req = data;
	struct l2cap_create_chan_rsp create_rsp;
	u16 remote_scid, psm;

	if (cmd_len != sizeof(*create_req))
		return -EPROTO;

	if (!enable_hs)
		return -EINVAL;

	remote_scid = le16_to_cpu(create_req->scid);
	psm = le16_to_cpu(create_req->psm);

	BT_DBG("psm %d, scid %d, amp_id %d", psm, remote_scid, create_req->amp_id);

	/* Placeholder: Always reject */
	create_rsp.dcid = 0;
	create_rsp.scid = cpu_to_le16(remote_scid);
	create_rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
	create_rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);

	l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
		       sizeof(create_rsp), &create_rsp);

	return 0;
}

/*
 * Handle an L2CAP Create Channel Response (L2CAP_CREATE_CHAN_RSP).
 *
 * The response layout is processed exactly like a plain Connection
 * Response, so this simply delegates to l2cap_connect_rsp() and returns
 * its result.
 */
static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
					struct l2cap_cmd_hdr *cmd, void *data)
{
	int rc;

	BT_DBG("conn %p", conn);

	rc = l2cap_connect_rsp(conn, cmd, data);
	return rc;
}

/*
 * Send an L2CAP Move Channel Response (L2CAP_MOVE_CHAN_RSP).
 *
 * @conn:   connection to send on
 * @ident:  identifier of the request being answered
 * @icid:   initiator channel id being moved
 * @result: one of the L2CAP_MR_* result codes
 */
static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
							u16 icid, u16 result)
{
	BT_DBG("icid %d, result %d", icid, result);

	{
		struct l2cap_move_chan_rsp move_rsp = {
			.icid = cpu_to_le16(icid),
			.result = cpu_to_le16(result),
		};

		l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP,
			       sizeof(move_rsp), &move_rsp);
	}
}

/*
 * Send an L2CAP Move Channel Confirmation (L2CAP_MOVE_CHAN_CFM).
 *
 * @conn:   connection to send on
 * @chan:   channel being moved, or NULL; when given, its ident is set to
 *          the identifier used for this command so the confirmation
 *          response can be matched
 * @icid:   initiator channel id
 * @result: L2CAP_MC_* confirmation result
 */
static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
				struct l2cap_chan *chan, u16 icid, u16 result)
{
	u8 cfm_ident;
	struct l2cap_move_chan_cfm cfm;

	BT_DBG("icid %d, result %d", icid, result);

	/* Allocate a fresh identifier; remember it on the channel if any. */
	cfm_ident = l2cap_get_ident(conn);
	if (chan != NULL)
		chan->ident = cfm_ident;

	cfm.icid = cpu_to_le16(icid);
	cfm.result = cpu_to_le16(result);

	l2cap_send_cmd(conn, cfm_ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
}

/*
 * Send an L2CAP Move Channel Confirmation Response
 * (L2CAP_MOVE_CHAN_CFM_RSP) for @icid, reusing the request's @ident.
 */
static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
								u16 icid)
{
	struct l2cap_move_chan_cfm_rsp cfm_rsp = {
		.icid = cpu_to_le16(icid),
	};

	BT_DBG("icid %d", icid);

	l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP,
		       sizeof(cfm_rsp), &cfm_rsp);
}

/*
 * Handle an L2CAP Move Channel Request (L2CAP_MOVE_CHAN_REQ).
 *
 * @conn:    connection the command arrived on
 * @cmd:     command header; cmd->ident is echoed in the response
 * @cmd_len: payload length reported by the header
 * @data:    payload, interpreted as struct l2cap_move_chan_req
 *
 * Return: -EPROTO on a length mismatch, -EINVAL when high-speed support is
 * disabled, otherwise 0 after refusing the move with
 * L2CAP_MR_NOT_ALLOWED (placeholder: channel moves are not implemented).
 */
static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
			struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
{
	struct l2cap_move_chan_req *move_req = data;
	u16 icid;

	if (cmd_len != sizeof(*move_req))
		return -EPROTO;

	icid = le16_to_cpu(move_req->icid);

	BT_DBG("icid %d, dest_amp_id %d", icid, move_req->dest_amp_id);

	if (!enable_hs)
		return -EINVAL;

	/* Placeholder: Always refuse */
	l2cap_send_move_chan_rsp(conn, cmd->ident, icid, L2CAP_MR_NOT_ALLOWED);

	return 0;
}

/*
 * Handle an L2CAP Move Channel Response (L2CAP_MOVE_CHAN_RSP).
 *
 * @conn:    connection the command arrived on
 * @cmd:     command header (ident not used; the confirmation gets its own)
 * @cmd_len: payload length reported by the header
 * @data:    payload, interpreted as struct l2cap_move_chan_rsp
 *
 * Return: -EPROTO on a length mismatch, otherwise 0 after answering with
 * an unconfirmed move (placeholder: the result is only logged).
 */
static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
			struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
{
	struct l2cap_move_chan_rsp *move_rsp = data;
	u16 icid, move_result;

	if (cmd_len != sizeof(*move_rsp))
		return -EPROTO;

	icid = le16_to_cpu(move_rsp->icid);
	move_result = le16_to_cpu(move_rsp->result);

	BT_DBG("icid %d, result %d", icid, move_result);

	/* Placeholder: Always unconfirmed */
	l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);

	return 0;
}

/*
 * Handle an L2CAP Move Channel Confirmation (L2CAP_MOVE_CHAN_CFM).
 *
 * @conn:    connection the command arrived on
 * @cmd:     command header; cmd->ident is echoed in the response
 * @cmd_len: payload length reported by the header
 * @data:    payload, interpreted as struct l2cap_move_chan_cfm
 *
 * Return: -EPROTO on a length mismatch, otherwise 0 after acknowledging
 * the confirmation.  The result is logged but not acted upon.
 */
static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
			struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
{
	struct l2cap_move_chan_cfm *move_cfm = data;
	u16 icid, cfm_result;

	if (cmd_len != sizeof(*move_cfm))
		return -EPROTO;

	icid = le16_to_cpu(move_cfm->icid);
	cfm_result = le16_to_cpu(move_cfm->result);

	BT_DBG("icid %d, result %d", icid, cfm_result);

	l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);

	return 0;
}

/*
 * Handle an L2CAP Move Channel Confirmation Response
 * (L2CAP_MOVE_CHAN_CFM_RSP).
 *
 * @conn:    connection the command arrived on
 * @cmd:     command header (unused)
 * @cmd_len: payload length reported by the header
 * @data:    payload, interpreted as struct l2cap_move_chan_cfm_rsp
 *
 * Return: -EPROTO on a length mismatch, otherwise 0.  The icid is only
 * logged.
 */
static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
			struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
{
	struct l2cap_move_chan_cfm_rsp *cfm_rsp = data;

	if (cmd_len != sizeof(*cfm_rsp))
		return -EPROTO;

	BT_DBG("icid %d", le16_to_cpu(cfm_rsp->icid));

	return 0;
}

/*
 * Validate the values of an LE Connection Parameter Update Request.
 *
 * @min, @max:     requested connection interval bounds (min <= max,
 *                 6 <= value <= 3200)
 * @latency:       requested slave latency (at most 499 and compatible with
 *                 the interval/timeout pair)
 * @to_multiplier: requested supervision timeout (10 <= value <= 3200 and
 *                 larger than the interval)
 *
 * Return: 0 when every value is acceptable, -EINVAL otherwise.
 */
static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
							u16 to_multiplier)
{
	u16 max_latency;
	int interval_ok = min <= max && min >= 6 && max <= 3200;
	int timeout_ok = to_multiplier >= 10 && to_multiplier <= 3200;

	if (!interval_ok || !timeout_ok)
		return -EINVAL;

	/* The timeout must exceed the interval; this also guarantees the
	 * quotient below is at least 1, so max_latency cannot wrap. */
	if (max >= to_multiplier * 8)
		return -EINVAL;

	/* NOTE(review): the latency bound is derived from the interval and
	 * timeout with a fixed factor of 8; verify it against the
	 * specification's supervision-timeout relation. */
	max_latency = (to_multiplier * 8 / max) - 1;
	if (latency > 499 || latency > max_latency)
		return -EINVAL;

	return 0;
}

/*
 * Handle an LE Connection Parameter Update Request
 * (L2CAP_CONN_PARAM_UPDATE_REQ).
 *
 * @conn: connection the command arrived on
 * @cmd:  command header; cmd->len must match the request structure and
 *        cmd->ident is echoed in the response
 * @data: payload, interpreted as struct l2cap_conn_param_update_req
 *
 * Return: -EINVAL when this side is not the master, -EPROTO on a length
 * mismatch, otherwise 0.  The request is answered with ACCEPTED or
 * REJECTED according to l2cap_check_conn_param(), and only validated
 * parameters are handed to hci_le_conn_update().
 */
static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
					struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct hci_conn *hcon = conn->hcon;
	struct l2cap_conn_param_update_req *req;
	struct l2cap_conn_param_update_rsp rsp;
	u16 min, max, latency, to_multiplier, cmd_len;
	int err;

	/* Only the master can be asked to change the parameters. */
	if (!(hcon->link_mode & HCI_LM_MASTER))
		return -EINVAL;

	cmd_len = __le16_to_cpu(cmd->len);
	if (cmd_len != sizeof(*req))
		return -EPROTO;

	req = (struct l2cap_conn_param_update_req *) data;
	min = __le16_to_cpu(req->min);
	max = __le16_to_cpu(req->max);
	latency = __le16_to_cpu(req->latency);
	to_multiplier = __le16_to_cpu(req->to_multiplier);

	BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
						min, max, latency, to_multiplier);

	/* Zero the whole response so nothing but the result goes on the
	 * wire. */
	memset(&rsp, 0, sizeof(rsp));

	err = l2cap_check_conn_param(min, max, latency, to_multiplier);
	rsp.result = cpu_to_le16(err ? L2CAP_CONN_PARAM_REJECTED
				     : L2CAP_CONN_PARAM_ACCEPTED);

	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
							sizeof(rsp), &rsp);

	/* Apply the new parameters only when they passed validation. */
	if (err == 0)
		hci_le_conn_update(hcon, min, max, latency, to_multiplier);

	return 0;
}

/*
 * Dispatch one BR/EDR signalling command to its handler.
 *
 * @conn:    connection the command arrived on
 * @cmd:     command header (code, ident, len)
 * @cmd_len: payload length, already bounded by the caller against the
 *           bytes remaining in the frame
 * @data:    command payload
 *
 * Return: 0, or the handler's negative error; an unknown code yields
 * -EINVAL.  The caller turns any error into a Command Reject.
 */
static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
			struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
{
	u8 code = cmd->code;
	int err = 0;

	switch (code) {
	/* Commands that are handled without a result to report. */
	case L2CAP_COMMAND_REJ:
		l2cap_command_rej(conn, cmd, data);
		break;

	case L2CAP_ECHO_REQ:
		/* Echo the payload straight back to the sender. */
		l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
		break;

	case L2CAP_ECHO_RSP:
		break;

	/* Handlers that read the length from the header themselves. */
	case L2CAP_CONN_REQ:
		err = l2cap_connect_req(conn, cmd, data);
		break;

	case L2CAP_CONN_RSP:
		err = l2cap_connect_rsp(conn, cmd, data);
		break;

	case L2CAP_CONF_RSP:
		err = l2cap_config_rsp(conn, cmd, data);
		break;

	case L2CAP_DISCONN_REQ:
		err = l2cap_disconnect_req(conn, cmd, data);
		break;

	case L2CAP_DISCONN_RSP:
		err = l2cap_disconnect_rsp(conn, cmd, data);
		break;

	case L2CAP_INFO_REQ:
		err = l2cap_information_req(conn, cmd, data);
		break;

	case L2CAP_INFO_RSP:
		err = l2cap_information_rsp(conn, cmd, data);
		break;

	case L2CAP_CREATE_CHAN_RSP:
		err = l2cap_create_channel_rsp(conn, cmd, data);
		break;

	/* Handlers that take the bounded payload length explicitly. */
	case L2CAP_CONF_REQ:
		err = l2cap_config_req(conn, cmd, cmd_len, data);
		break;

	case L2CAP_CREATE_CHAN_REQ:
		err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
		break;

	case L2CAP_MOVE_CHAN_REQ:
		err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
		break;

	case L2CAP_MOVE_CHAN_RSP:
		err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
		break;

	case L2CAP_MOVE_CHAN_CFM:
		err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
		break;

	case L2CAP_MOVE_CHAN_CFM_RSP:
		err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
		break;

	default:
		BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
		err = -EINVAL;
		break;
	}

	return err;
}

/*
 * Dispatch one LE signalling command to its handler.
 *
 * @conn: connection the command arrived on
 * @cmd:  command header (code, ident, len)
 * @data: command payload
 *
 * Command Reject and Parameter Update Response are accepted and ignored;
 * a Parameter Update Request is handled by l2cap_conn_param_update_req(),
 * whose result is returned.  Anything else yields -EINVAL, which the
 * caller turns into a Command Reject.
 */
static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
					struct l2cap_cmd_hdr *cmd, u8 *data)
{
	u8 code = cmd->code;

	if (code == L2CAP_COMMAND_REJ || code == L2CAP_CONN_PARAM_UPDATE_RSP)
		return 0;

	if (code == L2CAP_CONN_PARAM_UPDATE_REQ)
		return l2cap_conn_param_update_req(conn, cmd, data);

	BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
	return -EINVAL;
}

/*
 * Process a frame received on the signalling channel.
 *
 * @conn: connection the frame belongs to
 * @skb:  the frame; consumed (freed) by this function
 *
 * The frame is first passed to l2cap_raw_recv(), then split into
 * back-to-back commands.  Each command's declared length is checked
 * against the bytes still in the frame, so handlers never read past the
 * skb; a command claiming more than is present, or with a zero ident,
 * stops parsing.  A handler error is answered with a Command Reject.
 */
static inline void l2cap_sig_channel(struct l2cap_conn *conn,
							struct sk_buff *skb)
{
	u8 *data = skb->data;
	int len = skb->len;
	struct l2cap_cmd_hdr cmd;
	int err;

	l2cap_raw_recv(conn, skb);

	while (len >= L2CAP_CMD_HDR_SIZE) {
		u16 cmd_len;
		/* Copy the header out: data is not necessarily aligned. */
		memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
		data += L2CAP_CMD_HDR_SIZE;
		len  -= L2CAP_CMD_HDR_SIZE;

		cmd_len = le16_to_cpu(cmd.len);

		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);

		/* Remote-supplied length must fit what is left of the frame;
		 * ident 0 is never valid.  Either way the rest of the frame
		 * is discarded rather than guessed at. */
		if (cmd_len > len || !cmd.ident) {
			BT_DBG("corrupted command");
			break;
		}

		if (conn->hcon->type == LE_LINK)
			err = l2cap_le_sig_cmd(conn, &cmd, data);
		else
			err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);

		if (err) {
			struct l2cap_cmd_rej_unk rej;

			/* NOTE(review): err is any handler failure, not only
			 * a link-type mismatch, so this message is misleading;
			 * it is also reachable for every rejected remote
			 * command, so rate limiting may be worth considering. */
			BT_ERR("Wrong link type (%d)", err);

			/* FIXME: Map err to a valid reason */
			rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
			l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
		}

		/* Advance by the declared length, checked above. */
		data += cmd_len;
		len  -= cmd_len;
	}

	kfree_skb(skb);
}

/*
 * Verify and strip the frame check sequence of a received frame.
 *
 * @chan: channel the frame arrived on; chan->fcs selects whether a CRC16
 *        trailer is expected and chan->flags the header size it covers
 * @skb:  the frame; on CRC16 channels its length is reduced by
 *        L2CAP_FCS_SIZE whether or not the check passes
 *
 * Return: 0 when no FCS is in use or the CRC matches, -EBADMSG otherwise.
 */
static int l2cap_check_fcs(struct l2cap_chan *chan,  struct sk_buff *skb)
{
	u16 our_fcs, rcv_fcs;
	int hdr_size = test_bit(FLAG_EXT_CTRL, &chan->flags) ?
			L2CAP_EXT_HDR_SIZE : L2CAP_ENH_HDR_SIZE;

	if (chan->fcs != L2CAP_FCS_CRC16)
		return 0;

	/* Cut the trailer off and read the received value from just past
	 * the new end (the bytes presumably remain in the buffer).
	 * NOTE(review): assumes skb->len >= L2CAP_FCS_SIZE on entry - confirm
	 * the caller guarantees this. */
	skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
	rcv_fcs = get_unaligned_le16(skb->data + skb->len);

	/* The CRC also covers the L2CAP header that precedes skb->data. */
	our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);

	return our_fcs == rcv_fcs ? 0 : -EBADMSG;
}

/*
 * Answer a poll: send an RNR if we are locally busy, otherwise try to send
 * pending I-frames and fall back to an RR when none went out.
 *
 * @chan: ERTM channel; its conn_state bits and buffer_seq drive the choice
 *
 * All frames carry the current buffer_seq as req_seq so the remote learns
 * what we have received.  chan->frames_sent is reset first and read back
 * after l2cap_ertm_send() to detect whether any I-frame was transmitted.
 */
static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
{
	u32 control = 0;

	chan->frames_sent = 0;

	control |= __set_reqseq(chan, chan->buffer_seq);

	/* Locally busy: tell the remote to stop and remember we did. */
	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
		control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
		l2cap_send_sframe(chan, control);
		set_bit(CONN_RNR_SENT, &chan->conn_state);
	}

	if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
		l2cap_retransmit_frames(chan);

	l2cap_ertm_send(chan);

	/* Nothing carried the ack: send an explicit RR instead. */
	if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
			chan->frames_sent == 0) {
		control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
		l2cap_send_sframe(chan, control);
	}
}

/*
 * Insert an out-of-order I-frame into the channel's SREJ queue.
 *
 * @chan:   ERTM channel; srej_q is kept ordered by distance from
 *          chan->buffer_seq
 * @skb:    the frame; its control block is tagged with @tx_seq and @sar
 * @tx_seq: the frame's transmit sequence number
 * @sar:    the frame's segmentation/reassembly field
 *
 * Return: 0 once the frame is queued, -EINVAL if a frame with the same
 * tx_seq is already queued (the skb is then left untouched for the caller
 * to drop).
 */
static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
{
	struct sk_buff *next_skb;
	int tx_seq_offset, next_tx_seq_offset;

	bt_cb(skb)->control.txseq = tx_seq;
	bt_cb(skb)->control.sar = sar;

	next_skb = skb_peek(&chan->srej_q);

	/* Compare positions relative to buffer_seq so sequence-number
	 * wraparound does not break the ordering. */
	tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);

	while (next_skb) {
		if (bt_cb(next_skb)->control.txseq == tx_seq)
			return -EINVAL;

		next_tx_seq_offset = __seq_offset(chan,
			bt_cb(next_skb)->control.txseq, chan->buffer_seq);

		/* First queued frame that lies beyond ours: insert before it. */
		if (next_tx_seq_offset > tx_seq_offset) {
			__skb_queue_before(&chan->srej_q, next_skb, skb);
			return 0;
		}

		if (skb_queue_is_last(&chan->srej_q, next_skb))
			next_skb = NULL;
		else
			next_skb = skb_queue_next(&chan->srej_q, next_skb);
	}

	/* Beyond everything queued (or queue empty): append. */
	__skb_queue_tail(&chan->srej_q, skb);

	return 0;
}

/*
 * Link a received fragment onto the SDU being reassembled.
 *
 * @skb:       head of the SDU under reassembly
 * @new_frag:  fragment to append; becomes owned by @skb
 * @last_frag: tail pointer maintained by the caller; updated to @new_frag.
 *             The caller initialises it to the head skb itself (see
 *             l2cap_reassemble_sdu), so on the first append the head's
 *             ->next is written as well as its frag_list.
 */
static void append_skb_frag(struct sk_buff *skb,
			struct sk_buff *new_frag, struct sk_buff **last_frag)
{
	/* skb->len reflects data in skb as well as all fragments
	 * skb->data_len reflects only data in fragments
	 */
	if (!skb_has_frag_list(skb))
		skb_shinfo(skb)->frag_list = new_frag;

	new_frag->next = NULL;

	(*last_frag)->next = new_frag;
	*last_frag = new_frag;

	/* Account the fragment in the head's length and memory totals. */
	skb->len += new_frag->len;
	skb->data_len += new_frag->len;
	skb->truesize += new_frag->truesize;
}

/*
 * Feed one in-sequence I-frame into SDU reassembly.
 *
 * @chan:    channel; sdu / sdu_last_frag / sdu_len hold the partial SDU
 * @skb:     the frame payload; ownership passes to this function
 * @control: the frame's control field, used for its SAR bits
 *
 * Unsegmented frames are delivered to chan->ops->recv() directly.  A
 * START frame records the announced SDU length and opens a new SDU,
 * CONTINUE frames are appended, and an END frame whose total length
 * matches the announced one delivers the whole SDU.
 *
 * Return: 0 on success or when more fragments are expected; -EINVAL on a
 * SAR sequence that does not fit the current state (START while an SDU is
 * open, CONTINUE/END without one, a START or CONTINUE that already reaches
 * the announced length, an END with a length mismatch); -EMSGSIZE when the
 * announced length exceeds chan->imtu; otherwise ops->recv()'s error.  On
 * any error both the frame and the partial SDU are freed and the
 * reassembly state is reset.
 */
static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
{
	int err = -EINVAL;

	switch (__get_ctrl_sar(chan, control)) {
	case L2CAP_SAR_UNSEGMENTED:
		if (chan->sdu)
			break;

		/* NOTE(review): presumes ops->recv() does not consume the skb
		 * when it fails, since the error path below frees it - confirm. */
		err = chan->ops->recv(chan->data, skb);
		break;

	case L2CAP_SAR_START:
		if (chan->sdu)
			break;

		/* NOTE(review): the 2-byte SDU length is read without a check
		 * that skb->len >= L2CAP_SDULEN_SIZE; presumably validated by
		 * the caller - confirm. */
		chan->sdu_len = get_unaligned_le16(skb->data);
		skb_pull(skb, L2CAP_SDULEN_SIZE);

		/* Reject SDUs the peer announces larger than our MTU. */
		if (chan->sdu_len > chan->imtu) {
			err = -EMSGSIZE;
			break;
		}

		/* A start fragment must not already hold the whole SDU. */
		if (skb->len >= chan->sdu_len)
			break;

		chan->sdu = skb;
		chan->sdu_last_frag = skb;

		/* Ownership moved to chan->sdu; keep the error path from
		 * freeing it twice. */
		skb = NULL;
		err = 0;
		break;

	case L2CAP_SAR_CONTINUE:
		if (!chan->sdu)
			break;

		append_skb_frag(chan->sdu, skb,
				&chan->sdu_last_frag);
		skb = NULL;

		/* Still more to come: the announced length must not be
		 * reached before the END fragment. */
		if (chan->sdu->len >= chan->sdu_len)
			break;

		err = 0;
		break;

	case L2CAP_SAR_END:
		if (!chan->sdu)
			break;

		append_skb_frag(chan->sdu, skb,
				&chan->sdu_last_frag);
		skb = NULL;

		/* The total must match what the START fragment announced. */
		if (chan->sdu->len != chan->sdu_len)
			break;

		err = chan->ops->recv(chan->data, chan->sdu);

		if (!err) {
			/* Reassembly complete */
			chan->sdu = NULL;
			chan->sdu_last_frag = NULL;
			chan->sdu_len = 0;
		}
		break;
	}

	/* Any failure discards the frame (if still ours) and the partial SDU. */
	if (err) {
		kfree_skb(skb);
		kfree_skb(chan->sdu);
		chan->sdu = NULL;
		chan->sdu_last_frag = NULL;
		chan->sdu_len = 0;
	}

	return err;
}

/*
 * Enter the local-busy state on an ERTM channel.
 *
 * @chan: the channel
 *
 * Marks the channel busy, drops any pending selective-reject bookkeeping
 * and arms the ack timer so the remote is informed via the next S-frame.
 */
static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
{
	BT_DBG("chan %p, Enter local busy", chan);

	set_bit(CONN_LOCAL_BUSY, &chan->conn_state);

	/* Outstanding SREJ requests are abandoned while busy. */
	l2cap_seq_list_clear(&chan->srej_list);

	__set_ack_timer(chan);
}

/*
 * Leave the local-busy state on an ERTM channel.
 *
 * @chan: the channel
 *
 * If an RNR was sent while busy, an RR with the poll bit is sent to
 * resume the remote, the retransmission timer is replaced by the monitor
 * timer and the channel waits for the final bit.  In all cases the
 * LOCAL_BUSY and RNR_SENT bits are cleared.
 */
static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
{
	if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
		u32 rr_control;

		/* Poll the remote with an RR carrying our receive state. */
		rr_control = __set_reqseq(chan, chan->buffer_seq);
		rr_control |= __set_ctrl_poll(chan);
		rr_control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
		l2cap_send_sframe(chan, rr_control);
		chan->retry_count = 1;

		__clear_retrans_timer(chan);
		__set_monitor_timer(chan);

		set_bit(CONN_WAIT_F, &chan->conn_state);
	}

	clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
	clear_bit(CONN_RNR_SENT, &chan->conn_state);

	BT_DBG("chan %p, Exit local busy", chan);
}

/*
 * Report the owner's receive-busy state to the channel.
 *
 * @chan: the channel
 * @busy: non-zero to enter the local-busy state, zero to leave it
 *
 * Only ERTM channels have a busy state; other modes ignore the call.
 */
void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
{
	if (chan->mode != L2CAP_MODE_ERTM)
		return;

	if (busy)
		l2cap_ertm_enter_local_busy(chan);
	else
		l2cap_ertm_exit_local_busy(chan);
}

/*
 * Drain the SREJ queue once the gap it was waiting for has been filled.
 *
 * @chan:   ERTM channel
 * @tx_seq: sequence number just received; frames are delivered from the
 *          head of srej_q as long as they continue the sequence from here
 *
 * Stops at the first queued frame that is not the next expected one, when
 * the channel becomes locally busy, or when reassembly fails (which also
 * sends a disconnect request).  chan->buffer_seq_srej tracks how far the
 * queued sequence has been consumed.
 */
static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
{
	struct sk_buff *skb;
	u32 control;

	while ((skb = skb_peek(&chan->srej_q)) &&
			!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
		int err;

		/* Head of the queue is not the next in sequence: gap remains. */
		if (bt_cb(skb)->control.txseq != tx_seq)
			break;

		skb = skb_dequeue(&chan->srej_q);
		/* Rebuild only the SAR bits; reassembly needs nothing else. */
		control = __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
		err = l2cap_reassemble_sdu(chan, skb, control);

		if (err < 0) {
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
			break;
		}

		chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
		tx_seq = __next_seq(chan, tx_seq);
	}
}

/*
 * Handle a frame that answers an outstanding SREJ which was not the
 * oldest one: re-request every older missing frame and retire @tx_seq.
 *
 * @chan:   ERTM channel; srej_l lists the sequence numbers still missing
 * @tx_seq: sequence number that has now arrived
 *
 * Entries ahead of @tx_seq get their SREJ resent and are rotated to the
 * tail of the list; the entry for @tx_seq itself is removed and freed.
 * Because rotated entries are revisited by the walk, callers must only
 * call this for a tx_seq that is present in srej_l (as
 * l2cap_data_channel_iframe() does).
 */
static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
{
	struct srej_list *l, *tmp;
	u32 control;

	list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
		if (l->tx_seq == tx_seq) {
			list_del(&l->list);
			kfree(l);
			return;
		}
		/* Still missing: ask for it again and move it behind. */
		control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
		control |= __set_reqseq(chan, l->tx_seq);
		l2cap_send_sframe(chan, control);
		list_del(&l->list);
		list_add_tail(&l->list, &chan->srej_l);
	}
}

/*
 * Send a selective reject for every sequence number between the expected
 * one and @tx_seq, then advance expected_tx_seq past @tx_seq.
 *
 * @chan:   ERTM channel
 * @tx_seq: sequence number of the frame that revealed the gap
 *
 * One SREJ S-frame and one srej_list entry are produced per missing
 * number; the gap is bounded by the caller's tx_win check.  Return: 0, or
 * -ENOMEM if an entry cannot be allocated (expected_tx_seq then stops at
 * the number whose entry failed).
 */
static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
{
	struct srej_list *new;
	u32 control;

	while (tx_seq != chan->expected_tx_seq) {
		control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
		control |= __set_reqseq(chan, chan->expected_tx_seq);
		l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
		l2cap_send_sframe(chan, control);

		/* Atomic: called from the receive path. */
		new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
		if (!new)
			return -ENOMEM;

		new->tx_seq = chan->expected_tx_seq;

		chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);

		list_add_tail(&new->list, &chan->srej_l);
	}

	/* Skip over the frame that was actually received. */
	chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);

	return 0;
}

/*
 * Process a received ERTM I-frame.
 *
 * @chan:       ERTM channel
 * @rx_control: the frame's control field
 * @skb:        the frame payload; consumed on every path (queued,
 *              delivered, or freed)
 *
 * Acknowledges the frames the remote reports received, validates the
 * frame's tx_seq against the receive window, and then either delivers it
 * in order, parks it in the SREJ queue while earlier frames are missing,
 * or drops it as a duplicate.  Return: 0, or a negative error when
 * reassembly or sending an SREJ failed (a disconnect request has then
 * already been sent).
 */
static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
{
	u16 tx_seq = __get_txseq(chan, rx_control);
	u16 req_seq = __get_reqseq(chan, rx_control);
	u8 sar = __get_ctrl_sar(chan, rx_control);
	int tx_seq_offset, expected_tx_seq_offset;
	/* Send an explicit ack roughly every sixth of the window. */
	int num_to_ack = (chan->tx_win/6) + 1;
	int err = 0;

	BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
							tx_seq, rx_control);

	/* A final bit answers our poll: stop monitoring, go back to the
	 * retransmission timer if frames are still unacknowledged. */
	if (__is_ctrl_final(chan, rx_control) &&
			test_bit(CONN_WAIT_F, &chan->conn_state)) {
		__clear_monitor_timer(chan);
		if (chan->unacked_frames > 0)
			__set_retrans_timer(chan);
		clear_bit(CONN_WAIT_F, &chan->conn_state);
	}

	chan->expected_ack_seq = req_seq;
	l2cap_drop_acked_frames(chan);

	tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);

	/* invalid tx_seq */
	/* Outside the receive window is a protocol violation from the
	 * remote: tear the channel down rather than buffer anything. */
	if (tx_seq_offset >= chan->tx_win) {
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
		goto drop;
	}

	/* Locally busy: nothing is accepted; make sure the remote has been
	 * told at least once. */
	if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
		if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
			l2cap_send_ack(chan);
		goto drop;
	}

	if (tx_seq == chan->expected_tx_seq)
		goto expected;

	if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
		struct srej_list *first;

		first = list_first_entry(&chan->srej_l,
				struct srej_list, list);
		if (tx_seq == first->tx_seq) {
			/* The oldest missing frame arrived: queue it and
			 * deliver whatever became contiguous.
			 * NOTE(review): the return value is ignored here; a
			 * duplicate would leave skb neither queued nor freed.
			 * It looks unreachable since the oldest missing seq
			 * cannot already be queued - confirm. */
			l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
			l2cap_check_srej_gap(chan, tx_seq);

			list_del(&first->list);
			kfree(first);

			/* All gaps filled: leave SREJ state and resync
			 * buffer_seq with the delivered sequence. */
			if (list_empty(&chan->srej_l)) {
				chan->buffer_seq = chan->buffer_seq_srej;
				clear_bit(CONN_SREJ_SENT, &chan->conn_state);
				l2cap_send_ack(chan);
				BT_DBG("chan %p, Exit SREJ_SENT", chan);
			}
		} else {
			struct srej_list *l;

			/* duplicated tx_seq */
			if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
				goto drop;

			/* A later missing frame arrived: re-request the
			 * older ones and retire this entry. */
			list_for_each_entry(l, &chan->srej_l, list) {
				if (l->tx_seq == tx_seq) {
					l2cap_resend_srejframe(chan, tx_seq);
					return 0;
				}
			}

			/* A frame beyond everything requested so far: the
			 * gap grew, request the new missing numbers. */
			err = l2cap_send_srejframe(chan, tx_seq);
			if (err < 0) {
				l2cap_send_disconn_req(chan->conn, chan, -err);
				return err;
			}
		}
	} else {
		expected_tx_seq_offset = __seq_offset(chan,
				chan->expected_tx_seq, chan->buffer_seq);

		/* duplicated tx_seq */
		if (tx_seq_offset < expected_tx_seq_offset)
			goto drop;

		/* First out-of-order frame: enter SREJ state with this frame
		 * as the only queued one. */
		set_bit(CONN_SREJ_SENT, &chan->conn_state);

		BT_DBG("chan %p, Enter SREJ", chan);

		INIT_LIST_HEAD(&chan->srej_l);
		chan->buffer_seq_srej = chan->buffer_seq;

		__skb_queue_head_init(&chan->srej_q);
		l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);

		/* Set P-bit only if there are some I-frames to ack. */
		if (__clear_ack_timer(chan))
			set_bit(CONN_SEND_PBIT, &chan->conn_state);

		err = l2cap_send_srejframe(chan, tx_seq);
		if (err < 0) {
			l2cap_send_disconn_req(chan->conn, chan, -err);
			return err;
		}
	}
	return 0;

expected:
	chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);

	/* In SREJ state in-order frames are parked too, so that delivery
	 * stays sequential once the gap closes. */
	if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
		bt_cb(skb)->control.txseq = tx_seq;
		bt_cb(skb)->control.sar = sar;
		__skb_queue_tail(&chan->srej_q, skb);
		return 0;
	}

	err = l2cap_reassemble_sdu(chan, skb, rx_control);
	chan->buffer_seq = __next_seq(chan, chan->buffer_seq);

	if (err < 0) {
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
		return err;
	}

	if (__is_ctrl_final(chan, rx_control)) {
		if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
			l2cap_retransmit_frames(chan);
	}


	/* Ack immediately every num_to_ack frames, otherwise let the ack
	 * timer batch it. */
	chan->num_acked = (chan->num_acked + 1) % num_to_ack;
	if (chan->num_acked == num_to_ack - 1)
		l2cap_send_ack(chan);
	else
		__set_ack_timer(chan);

	return 0;

drop:
	kfree_skb(skb);
	return 0;
}

/*
 * Handle a received RR (Receiver Ready) supervisory frame.
 *
 * @chan:       ERTM channel the frame arrived on (expected locked by caller)
 * @rx_control: control field already extracted from the frame
 *
 * The ReqSeq carried by the RR acknowledges every I-frame below it, so those
 * are dropped from the retransmission queue first.  What happens next depends
 * on the P/F bits and on whether we are in the middle of an SREJ recovery.
 */
static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
{
	u16 req_seq = __get_reqseq(chan, rx_control);

	BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, req_seq, rx_control);

	chan->expected_ack_seq = req_seq;
	l2cap_drop_acked_frames(chan);

	if (__is_ctrl_poll(chan, rx_control)) {
		/* A poll must be answered with an F-bit frame. */
		set_bit(CONN_SEND_FBIT, &chan->conn_state);

		if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
			l2cap_send_i_or_rr_or_rnr(chan);
			return;
		}

		if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
		    chan->unacked_frames > 0)
			__set_retrans_timer(chan);

		clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
		l2cap_send_srejtail(chan);
		return;
	}

	if (__is_ctrl_final(chan, rx_control)) {
		clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);

		/* Only retransmit if a REJ was not already acted upon. */
		if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
			l2cap_retransmit_frames(chan);
		return;
	}

	/* Plain RR: remote busy condition (if any) is over. */
	if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
	    chan->unacked_frames > 0)
		__set_retrans_timer(chan);

	clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);

	if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
		l2cap_send_ack(chan);
	else
		l2cap_ertm_send(chan);
}

/*
 * Handle a received REJ (Reject) supervisory frame.
 *
 * @chan:       ERTM channel the frame arrived on (expected locked by caller)
 * @rx_control: control field already extracted from the frame
 *
 * The peer is asking for a go-back-N retransmission starting at ReqSeq.
 * Frames below ReqSeq are acknowledged; the rest are resent unless the
 * F-bit tells us this REJ answers a poll whose REJ we already acted on.
 */
static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
{
	u16 req_seq = __get_reqseq(chan, rx_control);

	BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, req_seq, rx_control);

	clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);

	chan->expected_ack_seq = req_seq;
	l2cap_drop_acked_frames(chan);

	if (__is_ctrl_final(chan, rx_control)) {
		if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
			l2cap_retransmit_frames(chan);
		return;
	}

	l2cap_retransmit_frames(chan);

	/*
	 * While a poll is outstanding, remember that this REJ has been
	 * served so the F-bit reply does not trigger a second retransmit.
	 */
	if (test_bit(CONN_WAIT_F, &chan->conn_state))
		set_bit(CONN_REJ_ACT, &chan->conn_state);
}
/*
 * Remember that an SREJ for @seq was served while a poll is outstanding,
 * so that the matching F-bit reply can be recognised and not resent.
 */
static inline void l2cap_srej_record_pending(struct l2cap_chan *chan, u16 seq)
{
	if (!test_bit(CONN_WAIT_F, &chan->conn_state))
		return;

	chan->srej_save_reqseq = seq;
	set_bit(CONN_SREJ_ACT, &chan->conn_state);
}

/*
 * Handle a received SREJ (Selective Reject) supervisory frame.
 *
 * @chan:       ERTM channel the frame arrived on (expected locked by caller)
 * @rx_control: control field already extracted from the frame
 *
 * The peer asks for exactly one I-frame (ReqSeq) to be resent.  The caller
 * has already verified that ReqSeq lies within the unacknowledged window.
 */
static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
{
	u16 req_seq = __get_reqseq(chan, rx_control);

	BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, req_seq, rx_control);

	clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);

	if (__is_ctrl_poll(chan, rx_control)) {
		/* SREJ with P-bit also acknowledges everything below ReqSeq. */
		chan->expected_ack_seq = req_seq;
		l2cap_drop_acked_frames(chan);

		set_bit(CONN_SEND_FBIT, &chan->conn_state);
		l2cap_retransmit_one_frame(chan, req_seq);
		l2cap_ertm_send(chan);
		l2cap_srej_record_pending(chan, req_seq);
		return;
	}

	if (__is_ctrl_final(chan, rx_control)) {
		bool already_served =
			test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
			chan->srej_save_reqseq == req_seq;

		if (already_served)
			clear_bit(CONN_SREJ_ACT, &chan->conn_state);
		else
			l2cap_retransmit_one_frame(chan, req_seq);
		return;
	}

	l2cap_retransmit_one_frame(chan, req_seq);
	l2cap_srej_record_pending(chan, req_seq);
}

/*
 * Handle a received RNR (Receiver Not Ready) supervisory frame.
 *
 * @chan:       ERTM channel the frame arrived on (expected locked by caller)
 * @rx_control: control field already extracted from the frame
 *
 * The peer cannot accept more I-frames for now: mark it busy, take the
 * acknowledgement carried in ReqSeq, and answer a poll if one was set.
 */
static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
{
	u16 req_seq = __get_reqseq(chan, rx_control);
	bool polled = __is_ctrl_poll(chan, rx_control);

	BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, req_seq, rx_control);

	set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
	chan->expected_ack_seq = req_seq;
	l2cap_drop_acked_frames(chan);

	if (polled)
		set_bit(CONN_SEND_FBIT, &chan->conn_state);

	if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
		/* Nothing to recover: stop retransmitting, answer the poll. */
		__clear_retrans_timer(chan);
		if (polled)
			l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
		return;
	}

	/* SREJ recovery in progress. */
	if (polled) {
		l2cap_send_srejtail(chan);
		return;
	}

	l2cap_send_sframe(chan, __set_ctrl_super(chan, L2CAP_SUPER_RR));
}

/*
 * Dispatch a received ERTM supervisory frame (RR/REJ/SREJ/RNR).
 *
 * @chan:       channel the frame arrived on (expected locked by caller)
 * @rx_control: control field already extracted from the frame
 * @skb:        the frame; consumed (freed) here in all cases
 *
 * Returns 0.  S-frames carry no payload, so nothing is queued.
 */
static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
{
	bool has_fbit = __is_ctrl_final(chan, rx_control);

	BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);

	/*
	 * An F-bit answers our outstanding poll: stop the monitor timer,
	 * keep the retransmission timer alive only while frames are still
	 * unacknowledged, and leave the WAIT_F state.
	 */
	if (has_fbit && test_bit(CONN_WAIT_F, &chan->conn_state)) {
		__clear_monitor_timer(chan);
		if (chan->unacked_frames > 0)
			__set_retrans_timer(chan);
		clear_bit(CONN_WAIT_F, &chan->conn_state);
	}

	switch (__get_ctrl_super(chan, rx_control)) {
	case L2CAP_SUPER_RR:
		l2cap_data_channel_rrframe(chan, rx_control);
		break;
	case L2CAP_SUPER_REJ:
		l2cap_data_channel_rejframe(chan, rx_control);
		break;
	case L2CAP_SUPER_SREJ:
		l2cap_data_channel_srejframe(chan, rx_control);
		break;
	case L2CAP_SUPER_RNR:
		l2cap_data_channel_rnrframe(chan, rx_control);
		break;
	default:
		/* Unknown supervisory type: ignored. */
		break;
	}

	kfree_skb(skb);
	return 0;
}

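/*
 * Receive path for a frame on an ERTM channel.
 *
 * @chan: channel the frame arrived on (expected locked by caller)
 * @skb:  the frame with the basic L2CAP header already stripped;
 *        ownership passes to this function (handed to the I/S-frame
 *        handlers or freed at drop:)
 *
 * Returns 0 in all cases; protocol violations send a disconnect request
 * and drop the frame rather than propagating an error.
 */
static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
{
	u32 control;
	u16 req_seq;
	int len, next_tx_seq_offset, req_seq_offset;

	/*
	 * The caller has only checked the channel state, not the payload
	 * length, and the control field is read straight out of skb->data
	 * below.  A frame shorter than the control field (e.g. a zero-length
	 * payload from the peer) would make __unpack_control()/__get_control()
	 * read past the received data while skb_pull() silently does nothing,
	 * so reject it before anything is decoded.
	 */
	if (skb->len < __ctrl_size(chan))
		goto drop;

	__unpack_control(chan, skb);

	control = __get_control(chan, skb->data);
	skb_pull(skb, __ctrl_size(chan));
	len = skb->len;

	/*
	 * We can just drop the corrupted I-frame here.
	 * Receiver will miss it and start proper recovery
	 * procedures and ask retransmission.
	 *
	 * NOTE(review): l2cap_check_fcs() runs before the length sanity
	 * checks that follow; confirm it tolerates skb->len < L2CAP_FCS_SIZE
	 * on its own, since only the control-field minimum is enforced above.
	 */
	if (l2cap_check_fcs(chan, skb))
		goto drop;

	/* Work out the pure payload size: strip SDU length and FCS. */
	if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
		len -= L2CAP_SDULEN_SIZE;

	if (chan->fcs == L2CAP_FCS_CRC16)
		len -= L2CAP_FCS_SIZE;

	/* Oversized PDU: the peer violated the negotiated MPS. */
	if (len > chan->mps) {
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
		goto drop;
	}

	req_seq = __get_reqseq(chan, control);

	req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);

	next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
						chan->expected_ack_seq);

	/*
	 * check for invalid req-seq: the peer may only acknowledge frames we
	 * have actually sent.  This also bounds the sequence number the
	 * REJ/SREJ handlers later use to look up frames for retransmission.
	 */
	if (req_seq_offset > next_tx_seq_offset) {
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
		goto drop;
	}

	if (!__is_sframe(chan, control)) {
		/* Negative len means the frame was shorter than its trailers. */
		if (len < 0) {
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
			goto drop;
		}

		l2cap_data_channel_iframe(chan, control, skb);
	} else {
		/* S-frames must not carry a payload. */
		if (len != 0) {
			BT_ERR("%d", len);
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
			goto drop;
		}

		l2cap_data_channel_sframe(chan, control, skb);
	}

	return 0;

drop:
	kfree_skb(skb);
	return 0;
}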

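/*
 * Deliver a frame addressed to a dynamically allocated (data) channel.
 *
 * @conn: the L2CAP connection the frame arrived on
 * @cid:  destination channel id taken from the basic L2CAP header
 * @skb:  the frame with the basic header already stripped; consumed here
 *        (either passed to the channel/mode handler or freed at drop:)
 *
 * Returns 0 in all cases.  l2cap_get_chan_by_scid() is expected to return
 * the channel locked: every exit after a successful lookup goes through
 * done: so that the channel is unlocked exactly once.
 */
static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
{
	struct l2cap_chan *chan;
	u32 control;
	u16 tx_seq;
	int len;

	chan = l2cap_get_chan_by_scid(conn, cid);
	if (!chan) {
		BT_DBG("unknown cid 0x%4.4x", cid);
		/* Drop packet and return */
		kfree_skb(skb);
		return 0;
	}

	BT_DBG("chan %p, len %d", chan, skb->len);

	/* Data is only accepted once configuration has completed. */
	if (chan->state != BT_CONNECTED)
		goto drop;

	switch (chan->mode) {
	case L2CAP_MODE_BASIC:
		/* If socket recv buffers overflows we drop data here
		 * which is *bad* because L2CAP has to be reliable.
		 * But we don't have any other choice. L2CAP doesn't
		 * provide flow control mechanism. */

		/* Enforce the MTU we advertised to the peer. */
		if (chan->imtu < skb->len)
			goto drop;

		/* On a non-zero return the skb is still ours: fall to drop. */
		if (!chan->ops->recv(chan->data, skb))
			goto done;
		break;

	case L2CAP_MODE_ERTM:
		/* The ERTM receiver owns the skb from here on. */
		l2cap_ertm_data_rcv(chan, skb);

		goto done;

	case L2CAP_MODE_STREAMING:
		/*
		 * The control field is read straight out of skb->data; a
		 * frame shorter than it must not be decoded (skb_pull() would
		 * silently do nothing and the reads below would run past the
		 * received data).
		 */
		if (skb->len < __ctrl_size(chan))
			goto drop;

		control = __get_control(chan, skb->data);
		skb_pull(skb, __ctrl_size(chan));
		len = skb->len;

		if (l2cap_check_fcs(chan, skb))
			goto drop;

		if (__is_sar_start(chan, control))
			len -= L2CAP_SDULEN_SIZE;

		if (chan->fcs == L2CAP_FCS_CRC16)
			len -= L2CAP_FCS_SIZE;

		/* Streaming mode has no S-frames and no PDU larger than MPS. */
		if (len > chan->mps || len < 0 || __is_sframe(chan, control))
			goto drop;

		tx_seq = __get_txseq(chan, control);

		if (chan->expected_tx_seq != tx_seq) {
			/* Frame(s) missing - must discard partial SDU */
			kfree_skb(chan->sdu);
			chan->sdu = NULL;
			chan->sdu_last_frag = NULL;
			chan->sdu_len = 0;

			/* TODO: Notify userland of missing data */
		}

		chan->expected_tx_seq = __next_seq(chan, tx_seq);

		/* Only an oversized SDU is treated as a protocol violation. */
		if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);

		goto done;

	default:
		BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
		break;
	}

drop:
	kfree_skb(skb);

done:
	l2cap_chan_unlock(chan);

	return 0;
}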

/*
 * Deliver a connectionless (CID 0x0002) frame to the channel bound to @psm.
 *
 * @conn: the L2CAP connection the frame arrived on
 * @psm:  PSM prefix already stripped from the payload (wire byte order)
 * @skb:  the remaining payload; consumed here
 *
 * Returns 0 in all cases.  The frame is delivered only if a matching
 * channel exists, is bound or connected, and the payload fits its MTU.
 *
 * NOTE(review): the lookup does not appear to take the channel lock or a
 * reference before ops->recv() is called; confirm against
 * l2cap_global_chan_by_psm() that the channel cannot go away meanwhile.
 */
static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
{
	struct l2cap_chan *chan;
	bool delivered = false;

	chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
	if (chan) {
		bool usable = chan->state == BT_BOUND ||
			      chan->state == BT_CONNECTED;

		BT_DBG("chan %p, len %d", chan, skb->len);

		if (usable && skb->len <= chan->imtu)
			delivered = !chan->ops->recv(chan->data, skb);
	}

	/* Anything not accepted by the channel is dropped here. */
	if (!delivered)
		kfree_skb(skb);

	return 0;
}

/*
 * Deliver an LE attribute-protocol frame (fixed CID) to its channel.
 *
 * @conn: the L2CAP connection the frame arrived on
 * @cid:  the fixed channel id the frame was addressed to
 * @skb:  the payload; consumed here
 *
 * Returns 0 in all cases.  The frame is delivered only if a channel is
 * registered for @cid, is bound or connected, and the payload fits its MTU.
 *
 * NOTE(review): as with the connectionless path, the channel is used after
 * a global lookup without a visible lock or reference; confirm against
 * l2cap_global_chan_by_scid().
 */
static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
				    struct sk_buff *skb)
{
	struct l2cap_chan *chan;
	bool delivered = false;

	chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
	if (chan) {
		bool usable = chan->state == BT_BOUND ||
			      chan->state == BT_CONNECTED;

		BT_DBG("chan %p, len %d", chan, skb->len);

		if (usable && skb->len <= chan->imtu)
			delivered = !chan->ops->recv(chan->data, skb);
	}

	if (!delivered)
		kfree_skb(skb);

	return 0;
}

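/*
 * Demultiplex one complete L2CAP frame by channel id.
 *
 * @conn: the connection the frame arrived on
 * @skb:  a complete frame starting with the basic L2CAP header; consumed
 *        here or by the handler it is passed to
 *
 * The caller guarantees at least L2CAP_HDR_SIZE bytes are present.  The
 * header length must match the actual payload length exactly; otherwise
 * the frame is dropped.
 */
static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct l2cap_hdr *lh = (void *) skb->data;
	u16 cid, len;
	__le16 psm;

	skb_pull(skb, L2CAP_HDR_SIZE);
	cid = __le16_to_cpu(lh->cid);
	len = __le16_to_cpu(lh->len);

	if (len != skb->len)
		goto drop;

	BT_DBG("len %d, cid 0x%4.4x", len, cid);

	switch (cid) {
	case L2CAP_CID_LE_SIGNALING:
	case L2CAP_CID_SIGNALING:
		l2cap_sig_channel(conn, skb);
		break;

	case L2CAP_CID_CONN_LESS:
		/*
		 * The PSM prefix is read from skb->data before it is pulled;
		 * the length check above only guarantees len == skb->len, not
		 * that the two PSM bytes are actually present.
		 */
		if (skb->len < sizeof(psm))
			goto drop;

		psm = get_unaligned((__le16 *) skb->data);
		skb_pull(skb, sizeof(psm));
		l2cap_conless_channel(conn, psm, skb);
		break;

	case L2CAP_CID_LE_DATA:
		l2cap_att_channel(conn, cid, skb);
		break;

	case L2CAP_CID_SMP:
		/* A rejected SMP PDU tears down the whole connection. */
		if (smp_sig_channel(conn, skb))
			l2cap_conn_del(conn->hcon, EACCES);
		break;

	default:
		l2cap_data_channel(conn, cid, skb);
		break;
	}

	return;

drop:
	kfree_skb(skb);
}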

/* ---- L2CAP interface with lower layer (HCI) ---- */

/* Link-mode bits contributed by one listening channel. */
static int l2cap_listener_link_mode(struct l2cap_chan *c)
{
	int lm = HCI_LM_ACCEPT;

	if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
		lm |= HCI_LM_MASTER;

	return lm;
}

/*
 * HCI asks whether an incoming ACL connection from @bdaddr on @hdev should
 * be accepted, and with which link mode.
 *
 * @hdev:   local adapter the connection request arrived on
 * @bdaddr: remote address (only logged here)
 *
 * Returns the OR of HCI_LM_* bits from listening channels.  Channels bound
 * to this adapter's own address take precedence; channels bound to
 * BDADDR_ANY are only consulted when no exact match is listening.
 * Returns 0 (reject) when nothing is listening.
 */
int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
{
	int exact_matches = 0, lm_exact = 0, lm_any = 0;
	struct l2cap_chan *c;

	BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));

	/* Find listening sockets and check their link_mode */
	read_lock(&chan_list_lock);
	list_for_each_entry(c, &chan_list, global_l) {
		bdaddr_t *src;

		if (c->state != BT_LISTEN)
			continue;

		src = &bt_sk(c->sk)->src;

		if (!bacmp(src, &hdev->bdaddr)) {
			lm_exact |= l2cap_listener_link_mode(c);
			exact_matches++;
		} else if (!bacmp(src, BDADDR_ANY)) {
			lm_any |= l2cap_listener_link_mode(c);
		}
	}
	read_unlock(&chan_list_lock);

	return exact_matches ? lm_exact : lm_any;
}

/*
 * HCI confirms the outcome of an ACL connection attempt.
 *
 * @hcon:   the HCI connection
 * @status: HCI status code, 0 on success
 *
 * On success an L2CAP connection object is attached to @hcon and marked
 * ready; on failure any existing L2CAP state for @hcon is torn down with
 * the HCI status mapped to an errno.  Always returns 0.
 */
int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
{
	struct l2cap_conn *conn;

	BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);

	if (status) {
		l2cap_conn_del(hcon, bt_to_errno(status));
		return 0;
	}

	conn = l2cap_conn_add(hcon, status);
	if (conn)
		l2cap_conn_ready(conn);

	return 0;
}

/*
 * HCI asks which reason code to use when disconnecting @hcon.
 *
 * Returns the reason recorded on the L2CAP connection, or
 * HCI_ERROR_REMOTE_USER_TERM when no L2CAP state exists for the link.
 */
int l2cap_disconn_ind(struct hci_conn *hcon)
{
	struct l2cap_conn *conn = hcon->l2cap_data;

	BT_DBG("hcon %p", hcon);

	return conn ? conn->disc_reason : HCI_ERROR_REMOTE_USER_TERM;
}

/*
 * HCI confirms that @hcon has been disconnected.
 *
 * @reason: HCI reason code, translated to an errno for the channels.
 *
 * Tears down all L2CAP state for the link.  Always returns 0.
 */
int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
{
	int err = bt_to_errno(reason);

	BT_DBG("hcon %p reason %d", hcon, reason);

	l2cap_conn_del(hcon, err);

	return 0;
}

/*
 * React to a link encryption change on a connection-oriented channel.
 *
 * @chan:    the channel (expected locked by caller)
 * @encrypt: HCI encryption state, 0x00 when the link is now unencrypted
 *
 * BT_SECURITY_MEDIUM channels get L2CAP_ENC_TIMEOUT to see encryption
 * restored before the channel timer fires; BT_SECURITY_HIGH channels are
 * closed immediately once the link is unencrypted.  Other security levels
 * and non-connection-oriented channels are not affected.
 */
static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
{
	bool encrypted = encrypt != 0x00;

	if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
		return;

	switch (chan->sec_level) {
	case BT_SECURITY_MEDIUM:
		if (encrypted)
			__clear_chan_timer(chan);
		else
			__set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
		break;

	case BT_SECURITY_HIGH:
		if (!encrypted)
			l2cap_chan_close(chan, ECONNREFUSED);
		break;

	default:
		break;
	}
}

/*
 * HCI reports the result of an authentication / encryption procedure.
 *
 * @hcon:    the HCI link
 * @status:  HCI status, 0 when the procedure succeeded
 * @encrypt: resulting link encryption state (non-zero = encrypted)
 *
 * Walks every channel on the link under conn->chan_lock, taking each
 * channel lock in turn, and advances channels that were waiting on the
 * security procedure.  Always returns 0.
 *
 * NOTE(review): a non-zero @status for a channel already in BT_CONNECTED
 * or BT_CONFIG matches none of the branches below and leaves the channel
 * untouched; only the success path re-checks encryption.  Confirm this is
 * the intended handling of a failed re-authentication on an open channel.
 */
int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
{
	struct l2cap_conn *conn = hcon->l2cap_data;
	struct l2cap_chan *chan;

	if (!conn)
		return 0;

	BT_DBG("conn %p", conn);

	if (hcon->type == LE_LINK) {
		/* Pairing completed: hand out the SMP keys we agreed to send. */
		if (!status && encrypt)
			smp_distribute_keys(conn, 0);
		cancel_delayed_work(&conn->security_timer);
	}

	mutex_lock(&conn->chan_lock);

	list_for_each_entry(chan, &conn->chan_l, list) {
		l2cap_chan_lock(chan);

		BT_DBG("chan->scid %d", chan->scid);

		/* The ATT fixed channel becomes usable only once encrypted. */
		if (chan->scid == L2CAP_CID_LE_DATA) {
			if (!status && encrypt) {
				chan->sec_level = hcon->sec_level;
				l2cap_chan_ready(chan);
			}

			l2cap_chan_unlock(chan);
			continue;
		}

		/* Connection setup still pending elsewhere: not ours to touch. */
		if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
			l2cap_chan_unlock(chan);
			continue;
		}

		/*
		 * Established channel, procedure succeeded: wake the socket
		 * and apply the new encryption state (may close a HIGH
		 * security channel if the link ended up unencrypted).
		 */
		if (!status && (chan->state == BT_CONNECTED ||
						chan->state == BT_CONFIG)) {
			struct sock *sk = chan->sk;

			clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
			sk->sk_state_change(sk);

			l2cap_check_encryption(chan, encrypt);
			l2cap_chan_unlock(chan);
			continue;
		}

		if (chan->state == BT_CONNECT) {
			/* Outgoing connect waited for security: proceed or time out. */
			if (!status) {
				l2cap_send_conn_req(chan);
			} else {
				__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
			}
		} else if (chan->state == BT_CONNECT2) {
			/* Incoming connect waited for security: answer the peer now. */
			struct sock *sk = chan->sk;
			struct l2cap_conn_rsp rsp;
			__u16 res, stat;

			lock_sock(sk);

			if (!status) {
				if (test_bit(BT_SK_DEFER_SETUP,
					     &bt_sk(sk)->flags)) {
					/* Userspace must still authorize: report pending. */
					struct sock *parent = bt_sk(sk)->parent;
					res = L2CAP_CR_PEND;
					stat = L2CAP_CS_AUTHOR_PEND;
					if (parent)
						parent->sk_data_ready(parent, 0);
				} else {
					__l2cap_state_change(chan, BT_CONFIG);
					res = L2CAP_CR_SUCCESS;
					stat = L2CAP_CS_NO_INFO;
				}
			} else {
				/* Security failed: refuse and schedule teardown. */
				__l2cap_state_change(chan, BT_DISCONN);
				__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
				res = L2CAP_CR_SEC_BLOCK;
				stat = L2CAP_CS_NO_INFO;
			}

			release_sock(sk);

			rsp.scid   = cpu_to_le16(chan->dcid);
			rsp.dcid   = cpu_to_le16(chan->scid);
			rsp.result = cpu_to_le16(res);
			rsp.status = cpu_to_le16(stat);
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
							sizeof(rsp), &rsp);
		}

		l2cap_chan_unlock(chan);
	}

	mutex_unlock(&conn->chan_lock);

	return 0;
}

/* Throw away a partially reassembled frame and flag the link unreliable. */
static void l2cap_rx_discard_partial(struct l2cap_conn *conn)
{
	kfree_skb(conn->rx_skb);
	conn->rx_skb = NULL;
	conn->rx_len = 0;
	l2cap_conn_unreliable(conn, ECOMM);
}

/*
 * Handle the first (or only) ACL fragment of an L2CAP frame.
 *
 * Returns true when @skb was handed on as a complete frame and must not be
 * freed by the caller; false when the caller still owns it.
 */
static bool l2cap_recv_start_frag(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct l2cap_hdr *hdr;
	int total;

	/* A new start while reassembling means the previous frame was lost. */
	if (conn->rx_len) {
		BT_ERR("Unexpected start frame (len %d)", skb->len);
		l2cap_rx_discard_partial(conn);
	}

	/* Start fragment always begin with Basic L2CAP header */
	if (skb->len < L2CAP_HDR_SIZE) {
		BT_ERR("Frame is too short (len %d)", skb->len);
		l2cap_conn_unreliable(conn, ECOMM);
		return false;
	}

	hdr = (struct l2cap_hdr *) skb->data;
	total = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;

	if (total == skb->len) {
		/* Complete frame received */
		l2cap_recv_frame(conn, skb);
		return true;
	}

	BT_DBG("Start: total len %d, frag len %d", total, skb->len);

	/* The header's length bounds the whole frame; more data is an error. */
	if (skb->len > total) {
		BT_ERR("Frame is too long (len %d, expected len %d)",
			skb->len, total);
		l2cap_conn_unreliable(conn, ECOMM);
		return false;
	}

	/* Allocate skb for the complete frame (with header) */
	conn->rx_skb = bt_skb_alloc(total, GFP_ATOMIC);
	if (!conn->rx_skb)
		return false;

	skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
				  skb->len);
	conn->rx_len = total - skb->len;
	return false;
}

/*
 * Handle a continuation ACL fragment.  The caller always keeps ownership of
 * @skb; the bytes are copied into the reassembly buffer, never more than
 * the header of the start fragment announced.
 */
static void l2cap_recv_cont_frag(struct l2cap_conn *conn, struct sk_buff *skb)
{
	BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);

	if (!conn->rx_len) {
		BT_ERR("Unexpected continuation frame (len %d)", skb->len);
		l2cap_conn_unreliable(conn, ECOMM);
		return;
	}

	if (skb->len > conn->rx_len) {
		BT_ERR("Fragment is too long (len %d, expected %d)",
				skb->len, conn->rx_len);
		l2cap_rx_discard_partial(conn);
		return;
	}

	skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
				  skb->len);
	conn->rx_len -= skb->len;

	if (!conn->rx_len) {
		/* Complete frame received */
		l2cap_recv_frame(conn, conn->rx_skb);
		conn->rx_skb = NULL;
	}
}

/*
 * Entry point from HCI for ACL data on @hcon.
 *
 * @hcon:  the HCI link
 * @skb:   one ACL fragment; always consumed here
 * @flags: ACL packet boundary flags (ACL_CONT marks a continuation)
 *
 * Reassembles fragments into complete L2CAP frames using conn->rx_skb /
 * conn->rx_len and passes each complete frame to l2cap_recv_frame().
 * Always returns 0.
 */
int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
{
	struct l2cap_conn *conn = hcon->l2cap_data;
	bool consumed = false;

	if (!conn)
		conn = l2cap_conn_add(hcon, 0);

	if (conn) {
		BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);

		if (flags & ACL_CONT)
			l2cap_recv_cont_frag(conn, skb);
		else
			consumed = l2cap_recv_start_frag(conn, skb);
	}

	if (!consumed)
		kfree_skb(skb);

	return 0;
}

/* Print one line describing channel @c; caller holds chan_list_lock. */
static void l2cap_debugfs_print_chan(struct seq_file *f, struct l2cap_chan *c)
{
	struct bt_sock *bsk = bt_sk(c->sk);

	seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
		   batostr(&bsk->src), batostr(&bsk->dst),
		   c->state, __le16_to_cpu(c->psm),
		   c->scid, c->dcid, c->imtu, c->omtu,
		   c->sec_level, c->mode);
}

/*
 * seq_file show callback for the "l2cap" debugfs entry.
 *
 * Lists every channel on the global list: local and remote address, state,
 * PSM, CIDs, MTUs, security level and mode.  Note that this exposes the
 * peer addresses of all channels to whoever can read the debugfs file.
 */
static int l2cap_debugfs_show(struct seq_file *f, void *p)
{
	struct l2cap_chan *c;

	read_lock(&chan_list_lock);

	list_for_each_entry(c, &chan_list, global_l)
		l2cap_debugfs_print_chan(f, c);

	read_unlock(&chan_list_lock);

	return 0;
}

/* Open callback: the whole table is produced by a single show() call. */
static int l2cap_debugfs_open(struct inode *inode, struct file *file)
{
	void *priv = inode->i_private;

	return single_open(file, l2cap_debugfs_show, priv);
}

/* Read-only seq_file operations for the "l2cap" debugfs entry. */
static const struct file_operations l2cap_debugfs_fops = {
	.read		= seq_read,
	.llseek		= seq_lseek,
	.open		= l2cap_debugfs_open,
	.release	= single_release,
};

/* dentry of the "l2cap" debugfs file; NULL when it was not created. */
static struct dentry *l2cap_debugfs;

/*
 * Module initialisation: register the L2CAP socket family and, when the
 * Bluetooth debugfs root exists, create the read-only "l2cap" entry.
 *
 * Returns 0 on success or the error from l2cap_init_sockets().  A failure
 * to create the debugfs file is only logged, not treated as fatal.
 */
int __init l2cap_init(void)
{
	int err = l2cap_init_sockets();

	if (err < 0)
		return err;

	if (!bt_debugfs)
		return 0;

	/* World-readable: it lists every channel's local and peer address. */
	l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs, NULL,
					    &l2cap_debugfs_fops);
	if (!l2cap_debugfs)
		BT_ERR("Failed to create L2CAP debug file");

	return 0;
}

/*
 * Module teardown: remove the debugfs entry (a NULL dentry is a no-op for
 * debugfs_remove) and unregister the L2CAP socket family.
 */
void l2cap_exit(void)
{
	debugfs_remove(l2cap_debugfs);
	l2cap_cleanup_sockets();
}

/* Writable by root at runtime (0644); turns off ERTM for new channels. */
module_param(disable_ertm, bool, 0644);
MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");