l2cap_core.c 94.0 KB
Newer Older
1
/*
L
Linus Torvalds 已提交
2 3
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2000-2001 Qualcomm Incorporated
4
   Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5
   Copyright (C) 2010 Google Inc.
L
Linus Torvalds 已提交
6 7 8 9 10 11 12 13 14 15 16

   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
17 18 19
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
L
Linus Torvalds 已提交
20 21
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

22 23
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
L
Linus Torvalds 已提交
24 25 26
   SOFTWARE IS DISCLAIMED.
*/

27
/* Bluetooth L2CAP core. */
L
Linus Torvalds 已提交
28 29 30 31

#include <linux/module.h>

#include <linux/types.h>
32
#include <linux/capability.h>
L
Linus Torvalds 已提交
33 34 35 36 37 38 39 40 41 42 43
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/poll.h>
#include <linux/fcntl.h>
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/socket.h>
#include <linux/skbuff.h>
#include <linux/list.h>
44
#include <linux/device.h>
45 46
#include <linux/debugfs.h>
#include <linux/seq_file.h>
47
#include <linux/uaccess.h>
48
#include <linux/crc16.h>
L
Linus Torvalds 已提交
49 50 51 52 53 54 55 56 57
#include <net/sock.h>

#include <asm/system.h>
#include <asm/unaligned.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>

58
int disable_ertm;
59

60
static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
61
static u8 l2cap_fixed_chan[8] = { 0x02, };
L
Linus Torvalds 已提交
62

63 64
static struct workqueue_struct *_busy_wq;

65 66
LIST_HEAD(chan_list);
DEFINE_RWLOCK(chan_list_lock);
L
Linus Torvalds 已提交
67

68 69
static void l2cap_busy_work(struct work_struct *work);

L
Linus Torvalds 已提交
70 71
static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
				u8 code, u8 ident, u16 dlen, void *data);
72
static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
L
Linus Torvalds 已提交
73

74 75
static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);

76
/* ---- L2CAP channels ---- */
77
static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
78
{
79
	struct l2cap_chan *c;
80 81

	list_for_each_entry(c, &conn->chan_l, list) {
82
		if (c->dcid == cid)
83
			return c;
84
	}
85 86
	return NULL;

87 88
}

89
static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
90
{
91
	struct l2cap_chan *c;
92 93

	list_for_each_entry(c, &conn->chan_l, list) {
94
		if (c->scid == cid)
95
			return c;
96
	}
97
	return NULL;
98 99 100 101
}

/* Find channel with given SCID.
 * Returns locked socket */
102
static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
103
{
104
	struct l2cap_chan *c;
105 106 107

	read_lock(&conn->chan_lock);
	c = __l2cap_get_chan_by_scid(conn, cid);
108 109
	if (c)
		bh_lock_sock(c->sk);
110
	read_unlock(&conn->chan_lock);
111
	return c;
112 113
}

114
static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
115
{
116
	struct l2cap_chan *c;
117 118

	list_for_each_entry(c, &conn->chan_l, list) {
119
		if (c->ident == ident)
120
			return c;
121
	}
122
	return NULL;
123 124
}

125
static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
126
{
127
	struct l2cap_chan *c;
128 129 130

	read_lock(&conn->chan_lock);
	c = __l2cap_get_chan_by_ident(conn, ident);
131 132
	if (c)
		bh_lock_sock(c->sk);
133
	read_unlock(&conn->chan_lock);
134
	return c;
135 136
}

137
static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
138
{
139
	struct l2cap_chan *c;
140

141 142
	list_for_each_entry(c, &chan_list, global_l) {
		if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
143 144 145
			goto found;
	}

146
	c = NULL;
147
found:
148
	return c;
149 150 151 152
}

int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
{
153 154
	int err;

155
	write_lock_bh(&chan_list_lock);
156

157
	if (psm && __l2cap_global_chan_by_addr(psm, src)) {
158 159
		err = -EADDRINUSE;
		goto done;
160 161
	}

162 163 164 165 166 167 168 169 170
	if (psm) {
		chan->psm = psm;
		chan->sport = psm;
		err = 0;
	} else {
		u16 p;

		err = -EINVAL;
		for (p = 0x1001; p < 0x1100; p += 2)
171
			if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
172 173 174 175 176 177
				chan->psm   = cpu_to_le16(p);
				chan->sport = cpu_to_le16(p);
				err = 0;
				break;
			}
	}
178

179
done:
180
	write_unlock_bh(&chan_list_lock);
181
	return err;
182 183 184 185
}

int l2cap_add_scid(struct l2cap_chan *chan,  __u16 scid)
{
186
	write_lock_bh(&chan_list_lock);
187 188 189

	chan->scid = scid;

190
	write_unlock_bh(&chan_list_lock);
191 192 193 194

	return 0;
}

195
static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
196
{
197
	u16 cid = L2CAP_CID_DYN_START;
198

199
	for (; cid < L2CAP_CID_DYN_END; cid++) {
200
		if (!__l2cap_get_chan_by_scid(conn, cid))
201 202 203 204 205 206
			return cid;
	}

	return 0;
}

207
struct l2cap_chan *l2cap_chan_create(struct sock *sk)
208 209 210 211 212 213 214 215 216
{
	struct l2cap_chan *chan;

	chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
	if (!chan)
		return NULL;

	chan->sk = sk;

217 218 219 220
	write_lock_bh(&chan_list_lock);
	list_add(&chan->global_l, &chan_list);
	write_unlock_bh(&chan_list_lock);

221 222 223
	return chan;
}

224
void l2cap_chan_destroy(struct l2cap_chan *chan)
225
{
226 227 228 229
	write_lock_bh(&chan_list_lock);
	list_del(&chan->global_l);
	write_unlock_bh(&chan_list_lock);

230 231 232
	kfree(chan);
}

233
static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
234
{
235
	struct sock *sk = chan->sk;
236

237
	BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
238
			chan->psm, chan->dcid);
239

240 241
	conn->disc_reason = 0x13;

242
	chan->conn = conn;
243

244
	if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
245 246
		if (conn->hcon->type == LE_LINK) {
			/* LE connection */
247
			chan->omtu = L2CAP_LE_DEFAULT_MTU;
248 249
			chan->scid = L2CAP_CID_LE_DATA;
			chan->dcid = L2CAP_CID_LE_DATA;
250 251
		} else {
			/* Alloc CID for connection-oriented socket */
252
			chan->scid = l2cap_alloc_cid(conn);
253
			chan->omtu = L2CAP_DEFAULT_MTU;
254
		}
255 256
	} else if (sk->sk_type == SOCK_DGRAM) {
		/* Connectionless socket */
257 258
		chan->scid = L2CAP_CID_CONN_LESS;
		chan->dcid = L2CAP_CID_CONN_LESS;
259
		chan->omtu = L2CAP_DEFAULT_MTU;
260 261
	} else {
		/* Raw socket can send/recv signalling messages only */
262 263
		chan->scid = L2CAP_CID_SIGNALING;
		chan->dcid = L2CAP_CID_SIGNALING;
264
		chan->omtu = L2CAP_DEFAULT_MTU;
265 266
	}

267 268 269
	sock_hold(sk);

	list_add(&chan->list, &conn->chan_l);
270 271
}

272
/* Delete channel.
273
 * Must be called on the locked socket. */
274
void l2cap_chan_del(struct l2cap_chan *chan, int err)
275
{
276
	struct sock *sk = chan->sk;
277
	struct l2cap_conn *conn = chan->conn;
278 279 280 281
	struct sock *parent = bt_sk(sk)->parent;

	l2cap_sock_clear_timer(sk);

282
	BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
283

284
	if (conn) {
285 286 287 288 289 290
		/* Delete from channel list */
		write_lock_bh(&conn->chan_lock);
		list_del(&chan->list);
		write_unlock_bh(&conn->chan_lock);
		__sock_put(sk);

291
		chan->conn = NULL;
292 293 294
		hci_conn_put(conn->hcon);
	}

295
	sk->sk_state = BT_CLOSED;
296 297 298 299 300 301 302 303 304 305
	sock_set_flag(sk, SOCK_ZAPPED);

	if (err)
		sk->sk_err = err;

	if (parent) {
		bt_accept_unlink(sk);
		parent->sk_data_ready(parent, 0);
	} else
		sk->sk_state_change(sk);
306

307 308
	if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
			chan->conf_state & L2CAP_CONF_INPUT_DONE))
309
		return;
310

311
	skb_queue_purge(&chan->tx_q);
312

313
	if (chan->mode == L2CAP_MODE_ERTM) {
314 315
		struct srej_list *l, *tmp;

316 317 318
		del_timer(&chan->retrans_timer);
		del_timer(&chan->monitor_timer);
		del_timer(&chan->ack_timer);
319

320 321
		skb_queue_purge(&chan->srej_q);
		skb_queue_purge(&chan->busy_q);
322

323
		list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
324 325 326 327
			list_del(&l->list);
			kfree(l);
		}
	}
328 329
}

330
static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
331
{
332 333
	struct sock *sk = chan->sk;

334
	if (sk->sk_type == SOCK_RAW) {
335
		switch (chan->sec_level) {
336 337 338 339 340 341 342
		case BT_SECURITY_HIGH:
			return HCI_AT_DEDICATED_BONDING_MITM;
		case BT_SECURITY_MEDIUM:
			return HCI_AT_DEDICATED_BONDING;
		default:
			return HCI_AT_NO_BONDING;
		}
343
	} else if (chan->psm == cpu_to_le16(0x0001)) {
344 345
		if (chan->sec_level == BT_SECURITY_LOW)
			chan->sec_level = BT_SECURITY_SDP;
346

347
		if (chan->sec_level == BT_SECURITY_HIGH)
348
			return HCI_AT_NO_BONDING_MITM;
349
		else
350
			return HCI_AT_NO_BONDING;
351
	} else {
352
		switch (chan->sec_level) {
353
		case BT_SECURITY_HIGH:
354
			return HCI_AT_GENERAL_BONDING_MITM;
355
		case BT_SECURITY_MEDIUM:
356
			return HCI_AT_GENERAL_BONDING;
357
		default:
358
			return HCI_AT_NO_BONDING;
359
		}
360
	}
361 362 363
}

/* Service level security */
364
static inline int l2cap_check_security(struct l2cap_chan *chan)
365
{
366
	struct l2cap_conn *conn = chan->conn;
367 368
	__u8 auth_type;

369
	auth_type = l2cap_get_auth_type(chan);
370

371
	return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
372 373
}

374
u8 l2cap_get_ident(struct l2cap_conn *conn)
375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395
{
	u8 id;

	/* Get next available identificator.
	 *    1 - 128 are used by kernel.
	 *  129 - 199 are reserved.
	 *  200 - 254 are used by utilities like l2ping, etc.
	 */

	spin_lock_bh(&conn->lock);

	if (++conn->tx_ident > 128)
		conn->tx_ident = 1;

	id = conn->tx_ident;

	spin_unlock_bh(&conn->lock);

	return id;
}

396
void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
397 398
{
	struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
399
	u8 flags;
400 401 402 403

	BT_DBG("code 0x%2.2x", code);

	if (!skb)
404
		return;
405

406 407 408 409 410 411
	if (lmp_no_flush_capable(conn->hcon->hdev))
		flags = ACL_START_NO_FLUSH;
	else
		flags = ACL_START;

	hci_send_acl(conn->hcon, skb, flags);
412 413
}

414
static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
415 416 417
{
	struct sk_buff *skb;
	struct l2cap_hdr *lh;
418
	struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
419
	struct l2cap_conn *conn = chan->conn;
420
	struct sock *sk = (struct sock *)pi;
421
	int count, hlen = L2CAP_HDR_SIZE + 2;
422
	u8 flags;
423

424 425 426
	if (sk->sk_state != BT_CONNECTED)
		return;

427
	if (chan->fcs == L2CAP_FCS_CRC16)
428
		hlen += 2;
429

430
	BT_DBG("chan %p, control 0x%2.2x", chan, control);
431

432
	count = min_t(unsigned int, conn->mtu, hlen);
433 434
	control |= L2CAP_CTRL_FRAME_TYPE;

435
	if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
436
		control |= L2CAP_CTRL_FINAL;
437
		chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
438 439
	}

440
	if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
441
		control |= L2CAP_CTRL_POLL;
442
		chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
443 444
	}

445 446
	skb = bt_skb_alloc(count, GFP_ATOMIC);
	if (!skb)
447
		return;
448 449

	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
450
	lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
451
	lh->cid = cpu_to_le16(chan->dcid);
452 453
	put_unaligned_le16(control, skb_put(skb, 2));

454
	if (chan->fcs == L2CAP_FCS_CRC16) {
455 456 457 458
		u16 fcs = crc16(0, (u8 *)lh, count - 2);
		put_unaligned_le16(fcs, skb_put(skb, 2));
	}

459 460 461 462 463
	if (lmp_no_flush_capable(conn->hcon->hdev))
		flags = ACL_START_NO_FLUSH;
	else
		flags = ACL_START;

464
	hci_send_acl(chan->conn->hcon, skb, flags);
465 466
}

467
static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
468
{
469
	if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
470
		control |= L2CAP_SUPER_RCV_NOT_READY;
471
		chan->conn_state |= L2CAP_CONN_RNR_SENT;
472
	} else
473 474
		control |= L2CAP_SUPER_RCV_READY;

475
	control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
476

477
	l2cap_send_sframe(chan, control);
478 479
}

480
static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
481
{
482
	return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
483 484
}

485
static void l2cap_do_start(struct l2cap_chan *chan)
486
{
487
	struct l2cap_conn *conn = chan->conn;
488 489

	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
490 491 492
		if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
			return;

493 494
		if (l2cap_check_security(chan) &&
				__l2cap_no_conn_pending(chan)) {
495
			struct l2cap_conn_req req;
496 497
			req.scid = cpu_to_le16(chan->scid);
			req.psm  = chan->psm;
498

499
			chan->ident = l2cap_get_ident(conn);
500
			chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
501

502 503
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
							sizeof(req), &req);
504
		}
505 506 507 508 509 510 511 512 513 514 515 516 517 518 519
	} else {
		struct l2cap_info_req req;
		req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);

		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
		conn->info_ident = l2cap_get_ident(conn);

		mod_timer(&conn->info_timer, jiffies +
					msecs_to_jiffies(L2CAP_INFO_TIMEOUT));

		l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(req), &req);
	}
}

520 521 522
static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
{
	u32 local_feat_mask = l2cap_feat_mask;
523
	if (!disable_ertm)
524 525 526 527 528 529 530 531 532 533 534 535
		local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;

	switch (mode) {
	case L2CAP_MODE_ERTM:
		return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
	case L2CAP_MODE_STREAMING:
		return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
	default:
		return 0x00;
	}
}

536
void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
537
{
538
	struct sock *sk;
539 540
	struct l2cap_disconn_req req;

541 542 543
	if (!conn)
		return;

544 545
	sk = chan->sk;

546
	if (chan->mode == L2CAP_MODE_ERTM) {
547 548 549
		del_timer(&chan->retrans_timer);
		del_timer(&chan->monitor_timer);
		del_timer(&chan->ack_timer);
550 551
	}

552 553
	req.dcid = cpu_to_le16(chan->dcid);
	req.scid = cpu_to_le16(chan->scid);
554 555
	l2cap_send_cmd(conn, l2cap_get_ident(conn),
			L2CAP_DISCONN_REQ, sizeof(req), &req);
556 557

	sk->sk_state = BT_DISCONN;
558
	sk->sk_err = err;
559 560
}

L
Linus Torvalds 已提交
561
/* ---- L2CAP connections ---- */
562 563
static void l2cap_conn_start(struct l2cap_conn *conn)
{
564
	struct l2cap_chan *chan, *tmp;
565 566 567

	BT_DBG("conn %p", conn);

568
	read_lock(&conn->chan_lock);
569

570
	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
571
		struct sock *sk = chan->sk;
572

573 574
		bh_lock_sock(sk);

575 576
		if (sk->sk_type != SOCK_SEQPACKET &&
				sk->sk_type != SOCK_STREAM) {
577 578 579 580 581
			bh_unlock_sock(sk);
			continue;
		}

		if (sk->sk_state == BT_CONNECT) {
582
			struct l2cap_conn_req req;
583

584
			if (!l2cap_check_security(chan) ||
585
					!__l2cap_no_conn_pending(chan)) {
586 587 588
				bh_unlock_sock(sk);
				continue;
			}
589

590
			if (!l2cap_mode_supported(chan->mode,
591
					conn->feat_mask)
592
					&& chan->conf_state &
593
					L2CAP_CONF_STATE2_DEVICE) {
594 595 596 597 598
				/* __l2cap_sock_close() calls list_del(chan)
				 * so release the lock */
				read_unlock_bh(&conn->chan_lock);
				 __l2cap_sock_close(sk, ECONNRESET);
				read_lock_bh(&conn->chan_lock);
599 600
				bh_unlock_sock(sk);
				continue;
601
			}
602

603 604
			req.scid = cpu_to_le16(chan->scid);
			req.psm  = chan->psm;
605

606
			chan->ident = l2cap_get_ident(conn);
607
			chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
608

609 610
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
							sizeof(req), &req);
611

612 613
		} else if (sk->sk_state == BT_CONNECT2) {
			struct l2cap_conn_rsp rsp;
614
			char buf[128];
615 616
			rsp.scid = cpu_to_le16(chan->dcid);
			rsp.dcid = cpu_to_le16(chan->scid);
617

618
			if (l2cap_check_security(chan)) {
619 620 621 622 623 624 625 626 627 628 629
				if (bt_sk(sk)->defer_setup) {
					struct sock *parent = bt_sk(sk)->parent;
					rsp.result = cpu_to_le16(L2CAP_CR_PEND);
					rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
					parent->sk_data_ready(parent, 0);

				} else {
					sk->sk_state = BT_CONFIG;
					rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
					rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
				}
630 631 632 633 634
			} else {
				rsp.result = cpu_to_le16(L2CAP_CR_PEND);
				rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
			}

635 636
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
							sizeof(rsp), &rsp);
637

638
			if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
639 640 641 642 643
					rsp.result != L2CAP_CR_SUCCESS) {
				bh_unlock_sock(sk);
				continue;
			}

644
			chan->conf_state |= L2CAP_CONF_REQ_SENT;
645
			l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
646 647
						l2cap_build_conf_req(chan, buf), buf);
			chan->num_conf_req++;
648 649 650 651 652
		}

		bh_unlock_sock(sk);
	}

653
	read_unlock(&conn->chan_lock);
654 655
}

656 657 658
/* Find socket with cid and source bdaddr.
 * Returns closest match, locked.
 */
659
static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
660
{
661
	struct l2cap_chan *c, *c1 = NULL;
662

663
	read_lock(&chan_list_lock);
664

665 666
	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;
667

668 669 670
		if (state && sk->sk_state != state)
			continue;

671
		if (c->scid == cid) {
672
			/* Exact match. */
673 674 675 676
			if (!bacmp(&bt_sk(sk)->src, src)) {
				read_unlock(&chan_list_lock);
				return c;
			}
677 678 679

			/* Closest match */
			if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
680
				c1 = c;
681 682
		}
	}
683

684
	read_unlock(&chan_list_lock);
685

686
	return c1;
687 688 689 690
}

static void l2cap_le_conn_ready(struct l2cap_conn *conn)
{
691
	struct sock *parent, *sk;
692
	struct l2cap_chan *chan, *pchan;
693 694 695 696

	BT_DBG("");

	/* Check if we have socket listening on cid */
697
	pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
698
							conn->src);
699
	if (!pchan)
700 701
		return;

702 703
	parent = pchan->sk;

704 705
	bh_lock_sock(parent);

706 707 708 709 710 711 712 713 714 715
	/* Check for backlog size */
	if (sk_acceptq_is_full(parent)) {
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
		goto clean;
	}

	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
	if (!sk)
		goto clean;

716
	chan = l2cap_chan_create(sk);
717 718 719 720 721
	if (!chan) {
		l2cap_sock_kill(sk);
		goto clean;
	}

722 723
	l2cap_pi(sk)->chan = chan;

724
	write_lock_bh(&conn->chan_lock);
725 726 727 728

	hci_conn_hold(conn->hcon);

	l2cap_sock_init(sk, parent);
729

730 731 732
	bacpy(&bt_sk(sk)->src, conn->src);
	bacpy(&bt_sk(sk)->dst, conn->dst);

733 734
	bt_accept_enqueue(parent, sk);

735 736
	__l2cap_chan_add(conn, chan);

737 738 739 740 741
	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);

	sk->sk_state = BT_CONNECTED;
	parent->sk_data_ready(parent, 0);

742
	write_unlock_bh(&conn->chan_lock);
743 744 745 746 747

clean:
	bh_unlock_sock(parent);
}

748 749
static void l2cap_conn_ready(struct l2cap_conn *conn)
{
750
	struct l2cap_chan *chan;
751

752
	BT_DBG("conn %p", conn);
753

754 755 756
	if (!conn->hcon->out && conn->hcon->type == LE_LINK)
		l2cap_le_conn_ready(conn);

757
	read_lock(&conn->chan_lock);
758

759
	list_for_each_entry(chan, &conn->chan_l, list) {
760
		struct sock *sk = chan->sk;
761

762
		bh_lock_sock(sk);
763

764 765 766 767 768 769
		if (conn->hcon->type == LE_LINK) {
			l2cap_sock_clear_timer(sk);
			sk->sk_state = BT_CONNECTED;
			sk->sk_state_change(sk);
		}

770 771
		if (sk->sk_type != SOCK_SEQPACKET &&
				sk->sk_type != SOCK_STREAM) {
772 773 774 775
			l2cap_sock_clear_timer(sk);
			sk->sk_state = BT_CONNECTED;
			sk->sk_state_change(sk);
		} else if (sk->sk_state == BT_CONNECT)
776
			l2cap_do_start(chan);
777

778
		bh_unlock_sock(sk);
779
	}
780

781
	read_unlock(&conn->chan_lock);
782 783 784 785 786
}

/* Notify sockets that we cannot guaranty reliability anymore */
static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
{
787
	struct l2cap_chan *chan;
788 789 790

	BT_DBG("conn %p", conn);

791
	read_lock(&conn->chan_lock);
792

793
	list_for_each_entry(chan, &conn->chan_l, list) {
794
		struct sock *sk = chan->sk;
795

796
		if (chan->force_reliable)
797 798 799
			sk->sk_err = err;
	}

800
	read_unlock(&conn->chan_lock);
801 802 803 804 805 806
}

static void l2cap_info_timeout(unsigned long arg)
{
	struct l2cap_conn *conn = (void *) arg;

807
	conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
808
	conn->info_ident = 0;
809

810 811 812
	l2cap_conn_start(conn);
}

L
Linus Torvalds 已提交
813 814
static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
{
815
	struct l2cap_conn *conn = hcon->l2cap_data;
L
Linus Torvalds 已提交
816

817
	if (conn || status)
L
Linus Torvalds 已提交
818 819
		return conn;

820 821
	conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
	if (!conn)
L
Linus Torvalds 已提交
822 823 824 825 826
		return NULL;

	hcon->l2cap_data = conn;
	conn->hcon = hcon;

827 828
	BT_DBG("hcon %p conn %p", hcon, conn);

829 830 831 832 833
	if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
		conn->mtu = hcon->hdev->le_mtu;
	else
		conn->mtu = hcon->hdev->acl_mtu;

L
Linus Torvalds 已提交
834 835 836
	conn->src = &hcon->hdev->bdaddr;
	conn->dst = &hcon->dst;

837 838
	conn->feat_mask = 0;

L
Linus Torvalds 已提交
839
	spin_lock_init(&conn->lock);
840 841 842
	rwlock_init(&conn->chan_lock);

	INIT_LIST_HEAD(&conn->chan_l);
L
Linus Torvalds 已提交
843

844 845
	if (hcon->type != LE_LINK)
		setup_timer(&conn->info_timer, l2cap_info_timeout,
D
Dave Young 已提交
846 847
						(unsigned long) conn);

848 849
	conn->disc_reason = 0x13;

L
Linus Torvalds 已提交
850 851 852
	return conn;
}

853
static void l2cap_conn_del(struct hci_conn *hcon, int err)
L
Linus Torvalds 已提交
854
{
855
	struct l2cap_conn *conn = hcon->l2cap_data;
856
	struct l2cap_chan *chan, *l;
L
Linus Torvalds 已提交
857 858
	struct sock *sk;

859 860
	if (!conn)
		return;
L
Linus Torvalds 已提交
861 862 863

	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);

864
	kfree_skb(conn->rx_skb);
L
Linus Torvalds 已提交
865 866

	/* Kill channels */
867
	list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
868
		sk = chan->sk;
L
Linus Torvalds 已提交
869
		bh_lock_sock(sk);
870
		l2cap_chan_del(chan, err);
L
Linus Torvalds 已提交
871 872 873 874
		bh_unlock_sock(sk);
		l2cap_sock_kill(sk);
	}

875 876
	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
		del_timer_sync(&conn->info_timer);
877

L
Linus Torvalds 已提交
878 879 880 881
	hcon->l2cap_data = NULL;
	kfree(conn);
}

882
static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
L
Linus Torvalds 已提交
883
{
884
	write_lock_bh(&conn->chan_lock);
885
	__l2cap_chan_add(conn, chan);
886
	write_unlock_bh(&conn->chan_lock);
L
Linus Torvalds 已提交
887 888 889 890 891 892 893
}

/* ---- Socket interface ---- */

/* Find socket with psm and source bdaddr.
 * Returns closest match.
 */
894
static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
L
Linus Torvalds 已提交
895
{
896
	struct l2cap_chan *c, *c1 = NULL;
L
Linus Torvalds 已提交
897

898
	read_lock(&chan_list_lock);
899

900 901
	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;
902

L
Linus Torvalds 已提交
903 904 905
		if (state && sk->sk_state != state)
			continue;

906
		if (c->psm == psm) {
L
Linus Torvalds 已提交
907
			/* Exact match. */
908 909 910 911
			if (!bacmp(&bt_sk(sk)->src, src)) {
				read_unlock_bh(&chan_list_lock);
				return c;
			}
L
Linus Torvalds 已提交
912 913 914

			/* Closest match */
			if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
915
				c1 = c;
L
Linus Torvalds 已提交
916 917 918
		}
	}

919
	read_unlock(&chan_list_lock);
920

921
	return c1;
L
Linus Torvalds 已提交
922 923
}

924
int l2cap_chan_connect(struct l2cap_chan *chan)
L
Linus Torvalds 已提交
925
{
926
	struct sock *sk = chan->sk;
L
Linus Torvalds 已提交
927 928 929 930 931
	bdaddr_t *src = &bt_sk(sk)->src;
	bdaddr_t *dst = &bt_sk(sk)->dst;
	struct l2cap_conn *conn;
	struct hci_conn *hcon;
	struct hci_dev *hdev;
932
	__u8 auth_type;
933
	int err;
L
Linus Torvalds 已提交
934

935
	BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
936
							chan->psm);
L
Linus Torvalds 已提交
937

938 939
	hdev = hci_get_route(dst, src);
	if (!hdev)
L
Linus Torvalds 已提交
940 941 942 943
		return -EHOSTUNREACH;

	hci_dev_lock_bh(hdev);

944
	auth_type = l2cap_get_auth_type(chan);
945

946
	if (chan->dcid == L2CAP_CID_LE_DATA)
947
		hcon = hci_connect(hdev, LE_LINK, dst,
948
					chan->sec_level, auth_type);
949 950
	else
		hcon = hci_connect(hdev, ACL_LINK, dst,
951
					chan->sec_level, auth_type);
952

953 954
	if (IS_ERR(hcon)) {
		err = PTR_ERR(hcon);
L
Linus Torvalds 已提交
955
		goto done;
956
	}
L
Linus Torvalds 已提交
957 958 959 960

	conn = l2cap_conn_add(hcon, 0);
	if (!conn) {
		hci_conn_put(hcon);
961
		err = -ENOMEM;
L
Linus Torvalds 已提交
962 963 964 965 966 967
		goto done;
	}

	/* Update source addr of the socket */
	bacpy(src, conn->src);

968 969
	l2cap_chan_add(conn, chan);

L
Linus Torvalds 已提交
970 971 972 973
	sk->sk_state = BT_CONNECT;
	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);

	if (hcon->state == BT_CONNECTED) {
974 975
		if (sk->sk_type != SOCK_SEQPACKET &&
				sk->sk_type != SOCK_STREAM) {
L
Linus Torvalds 已提交
976
			l2cap_sock_clear_timer(sk);
977
			if (l2cap_check_security(chan))
978
				sk->sk_state = BT_CONNECTED;
979
		} else
980
			l2cap_do_start(chan);
L
Linus Torvalds 已提交
981 982
	}

983 984
	err = 0;

L
Linus Torvalds 已提交
985 986 987 988 989 990
done:
	hci_dev_unlock_bh(hdev);
	hci_dev_put(hdev);
	return err;
}

991
int __l2cap_wait_ack(struct sock *sk)
992
{
993
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
994 995 996 997
	DECLARE_WAITQUEUE(wait, current);
	int err = 0;
	int timeo = HZ/5;

998
	add_wait_queue(sk_sleep(sk), &wait);
999
	while ((chan->unacked_frames > 0 && chan->conn)) {
1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018
		set_current_state(TASK_INTERRUPTIBLE);

		if (!timeo)
			timeo = HZ/5;

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
			break;
		}

		release_sock(sk);
		timeo = schedule_timeout(timeo);
		lock_sock(sk);

		err = sock_error(sk);
		if (err)
			break;
	}
	set_current_state(TASK_RUNNING);
1019
	remove_wait_queue(sk_sleep(sk), &wait);
1020 1021 1022
	return err;
}

1023 1024
static void l2cap_monitor_timeout(unsigned long arg)
{
1025 1026
	struct l2cap_chan *chan = (void *) arg;
	struct sock *sk = chan->sk;
1027

1028
	BT_DBG("chan %p", chan);
1029

1030
	bh_lock_sock(sk);
1031
	if (chan->retry_count >= chan->remote_max_tx) {
1032
		l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1033
		bh_unlock_sock(sk);
1034 1035 1036
		return;
	}

1037
	chan->retry_count++;
1038 1039
	__mod_monitor_timer();

1040
	l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1041
	bh_unlock_sock(sk);
1042 1043 1044 1045
}

static void l2cap_retrans_timeout(unsigned long arg)
{
1046 1047
	struct l2cap_chan *chan = (void *) arg;
	struct sock *sk = chan->sk;
1048

1049
	BT_DBG("chan %p", chan);
1050

1051
	bh_lock_sock(sk);
1052
	chan->retry_count = 1;
1053 1054
	__mod_monitor_timer();

1055
	chan->conn_state |= L2CAP_CONN_WAIT_F;
1056

1057
	l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1058
	bh_unlock_sock(sk);
1059 1060
}

1061
static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
L
Linus Torvalds 已提交
1062
{
1063
	struct sk_buff *skb;
L
Linus Torvalds 已提交
1064

1065
	while ((skb = skb_peek(&chan->tx_q)) &&
1066
			chan->unacked_frames) {
1067
		if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1068
			break;
L
Linus Torvalds 已提交
1069

1070
		skb = skb_dequeue(&chan->tx_q);
1071
		kfree_skb(skb);
L
Linus Torvalds 已提交
1072

1073
		chan->unacked_frames--;
1074
	}
L
Linus Torvalds 已提交
1075

1076
	if (!chan->unacked_frames)
1077
		del_timer(&chan->retrans_timer);
1078
}
L
Linus Torvalds 已提交
1079

1080
void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
1081
{
1082
	struct hci_conn *hcon = chan->conn->hcon;
1083
	u16 flags;
1084

1085
	BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
L
Linus Torvalds 已提交
1086

1087
	if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
1088 1089 1090 1091 1092
		flags = ACL_START_NO_FLUSH;
	else
		flags = ACL_START;

	hci_send_acl(hcon, skb, flags);
1093 1094
}

1095
void l2cap_streaming_send(struct l2cap_chan *chan)
1096
{
1097
	struct sk_buff *skb;
1098
	u16 control, fcs;
1099

1100
	while ((skb = skb_dequeue(&chan->tx_q))) {
1101
		control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
1102
		control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1103
		put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
1104

1105
		if (chan->fcs == L2CAP_FCS_CRC16) {
1106 1107
			fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
			put_unaligned_le16(fcs, skb->data + skb->len - 2);
1108 1109
		}

1110
		l2cap_do_send(chan, skb);
1111

1112
		chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1113 1114 1115
	}
}

1116
static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
1117 1118 1119 1120
{
	struct sk_buff *skb, *tx_skb;
	u16 control, fcs;

1121
	skb = skb_peek(&chan->tx_q);
1122 1123
	if (!skb)
		return;
1124

1125 1126
	do {
		if (bt_cb(skb)->tx_seq == tx_seq)
1127 1128
			break;

1129
		if (skb_queue_is_last(&chan->tx_q, skb))
1130
			return;
1131

1132
	} while ((skb = skb_queue_next(&chan->tx_q, skb)));
1133

1134 1135
	if (chan->remote_max_tx &&
			bt_cb(skb)->retries == chan->remote_max_tx) {
1136
		l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1137 1138 1139 1140 1141 1142
		return;
	}

	tx_skb = skb_clone(skb, GFP_ATOMIC);
	bt_cb(skb)->retries++;
	control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1143
	control &= L2CAP_CTRL_SAR;
1144

1145
	if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
1146
		control |= L2CAP_CTRL_FINAL;
1147
		chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1148
	}
1149

1150
	control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1151
			| (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1152

1153 1154
	put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);

1155
	if (chan->fcs == L2CAP_FCS_CRC16) {
1156 1157 1158 1159
		fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
		put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
	}

1160
	l2cap_do_send(chan, tx_skb);
1161 1162
}

1163
int l2cap_ertm_send(struct l2cap_chan *chan)
1164 1165
{
	struct sk_buff *skb, *tx_skb;
1166
	struct sock *sk = chan->sk;
1167
	u16 control, fcs;
1168
	int nsent = 0;
1169

1170 1171
	if (sk->sk_state != BT_CONNECTED)
		return -ENOTCONN;
1172

1173
	while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1174

1175 1176
		if (chan->remote_max_tx &&
				bt_cb(skb)->retries == chan->remote_max_tx) {
1177
			l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1178 1179 1180
			break;
		}

1181 1182
		tx_skb = skb_clone(skb, GFP_ATOMIC);

1183 1184
		bt_cb(skb)->retries++;

1185
		control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1186 1187
		control &= L2CAP_CTRL_SAR;

1188
		if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
1189
			control |= L2CAP_CTRL_FINAL;
1190
			chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1191
		}
1192 1193
		control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
				| (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1194 1195
		put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);

1196

1197
		if (chan->fcs == L2CAP_FCS_CRC16) {
1198 1199 1200 1201
			fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
			put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
		}

1202
		l2cap_do_send(chan, tx_skb);
1203

1204
		__mod_retrans_timer();
1205

1206 1207
		bt_cb(skb)->tx_seq = chan->next_tx_seq;
		chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
1208

1209
		if (bt_cb(skb)->retries == 1)
1210
			chan->unacked_frames++;
1211

1212
		chan->frames_sent++;
1213

1214 1215
		if (skb_queue_is_last(&chan->tx_q, skb))
			chan->tx_send_head = NULL;
1216
		else
1217
			chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1218 1219

		nsent++;
1220 1221
	}

1222 1223 1224
	return nsent;
}

1225
static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1226 1227 1228
{
	int ret;

1229 1230
	if (!skb_queue_empty(&chan->tx_q))
		chan->tx_send_head = chan->tx_q.next;
1231

1232
	chan->next_tx_seq = chan->expected_ack_seq;
1233
	ret = l2cap_ertm_send(chan);
1234 1235 1236
	return ret;
}

1237
static void l2cap_send_ack(struct l2cap_chan *chan)
1238 1239 1240
{
	u16 control = 0;

1241
	control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1242

1243
	if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1244
		control |= L2CAP_SUPER_RCV_NOT_READY;
1245 1246
		chan->conn_state |= L2CAP_CONN_RNR_SENT;
		l2cap_send_sframe(chan, control);
1247
		return;
1248
	}
1249

1250
	if (l2cap_ertm_send(chan) > 0)
1251 1252 1253
		return;

	control |= L2CAP_SUPER_RCV_READY;
1254
	l2cap_send_sframe(chan, control);
1255 1256
}

1257
static void l2cap_send_srejtail(struct l2cap_chan *chan)
1258 1259 1260 1261 1262 1263 1264
{
	struct srej_list *tail;
	u16 control;

	control = L2CAP_SUPER_SELECT_REJECT;
	control |= L2CAP_CTRL_FINAL;

1265
	tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1266 1267
	control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;

1268
	l2cap_send_sframe(chan, control);
1269 1270
}

1271 1272
static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
{
1273
	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1274 1275
	struct sk_buff **frag;
	int err, sent = 0;
L
Linus Torvalds 已提交
1276

1277
	if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1278
		return -EFAULT;
L
Linus Torvalds 已提交
1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289

	sent += count;
	len  -= count;

	/* Continuation fragments (no L2CAP header) */
	frag = &skb_shinfo(skb)->frag_list;
	while (len) {
		count = min_t(unsigned int, conn->mtu, len);

		*frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
		if (!*frag)
1290
			return err;
1291 1292
		if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
			return -EFAULT;
L
Linus Torvalds 已提交
1293 1294 1295 1296 1297 1298 1299 1300

		sent += count;
		len  -= count;

		frag = &(*frag)->next;
	}

	return sent;
1301
}
L
Linus Torvalds 已提交
1302

1303
struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1304
{
1305
	struct sock *sk = chan->sk;
1306
	struct l2cap_conn *conn = chan->conn;
1307 1308 1309 1310 1311 1312 1313 1314 1315 1316
	struct sk_buff *skb;
	int err, count, hlen = L2CAP_HDR_SIZE + 2;
	struct l2cap_hdr *lh;

	BT_DBG("sk %p len %d", sk, (int)len);

	count = min_t(unsigned int, (conn->mtu - hlen), len);
	skb = bt_skb_send_alloc(sk, count + hlen,
			msg->msg_flags & MSG_DONTWAIT, &err);
	if (!skb)
1317
		return ERR_PTR(err);
1318 1319 1320

	/* Create L2CAP header */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1321
	lh->cid = cpu_to_le16(chan->dcid);
1322
	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1323
	put_unaligned_le16(chan->psm, skb_put(skb, 2));
1324 1325 1326 1327 1328 1329 1330 1331 1332

	err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
	if (unlikely(err < 0)) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}
	return skb;
}

1333
struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1334
{
1335
	struct sock *sk = chan->sk;
1336
	struct l2cap_conn *conn = chan->conn;
1337 1338 1339 1340 1341 1342 1343 1344 1345 1346
	struct sk_buff *skb;
	int err, count, hlen = L2CAP_HDR_SIZE;
	struct l2cap_hdr *lh;

	BT_DBG("sk %p len %d", sk, (int)len);

	count = min_t(unsigned int, (conn->mtu - hlen), len);
	skb = bt_skb_send_alloc(sk, count + hlen,
			msg->msg_flags & MSG_DONTWAIT, &err);
	if (!skb)
1347
		return ERR_PTR(err);
1348 1349 1350

	/* Create L2CAP header */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1351
	lh->cid = cpu_to_le16(chan->dcid);
1352 1353 1354 1355 1356 1357 1358 1359 1360 1361
	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));

	err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
	if (unlikely(err < 0)) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}
	return skb;
}

1362
struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1363
{
1364
	struct sock *sk = chan->sk;
1365
	struct l2cap_conn *conn = chan->conn;
1366 1367 1368 1369 1370 1371
	struct sk_buff *skb;
	int err, count, hlen = L2CAP_HDR_SIZE + 2;
	struct l2cap_hdr *lh;

	BT_DBG("sk %p len %d", sk, (int)len);

1372 1373 1374
	if (!conn)
		return ERR_PTR(-ENOTCONN);

1375 1376 1377
	if (sdulen)
		hlen += 2;

1378
	if (chan->fcs == L2CAP_FCS_CRC16)
1379 1380
		hlen += 2;

1381 1382 1383 1384
	count = min_t(unsigned int, (conn->mtu - hlen), len);
	skb = bt_skb_send_alloc(sk, count + hlen,
			msg->msg_flags & MSG_DONTWAIT, &err);
	if (!skb)
1385
		return ERR_PTR(err);
1386 1387 1388

	/* Create L2CAP header */
	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1389
	lh->cid = cpu_to_le16(chan->dcid);
1390 1391
	lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
	put_unaligned_le16(control, skb_put(skb, 2));
1392 1393
	if (sdulen)
		put_unaligned_le16(sdulen, skb_put(skb, 2));
1394 1395 1396 1397 1398 1399

	err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
	if (unlikely(err < 0)) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}
1400

1401
	if (chan->fcs == L2CAP_FCS_CRC16)
1402 1403
		put_unaligned_le16(0, skb_put(skb, 2));

1404
	bt_cb(skb)->retries = 0;
1405
	return skb;
L
Linus Torvalds 已提交
1406 1407
}

1408
int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1409 1410 1411 1412 1413 1414
{
	struct sk_buff *skb;
	struct sk_buff_head sar_queue;
	u16 control;
	size_t size = 0;

1415
	skb_queue_head_init(&sar_queue);
1416
	control = L2CAP_SDU_START;
1417
	skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
1418 1419 1420 1421
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	__skb_queue_tail(&sar_queue, skb);
1422 1423
	len -= chan->remote_mps;
	size += chan->remote_mps;
1424 1425 1426 1427

	while (len > 0) {
		size_t buflen;

1428
		if (len > chan->remote_mps) {
1429
			control = L2CAP_SDU_CONTINUE;
1430
			buflen = chan->remote_mps;
1431
		} else {
1432
			control = L2CAP_SDU_END;
1433 1434 1435
			buflen = len;
		}

1436
		skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
1437 1438 1439 1440 1441 1442 1443 1444 1445
		if (IS_ERR(skb)) {
			skb_queue_purge(&sar_queue);
			return PTR_ERR(skb);
		}

		__skb_queue_tail(&sar_queue, skb);
		len -= buflen;
		size += buflen;
	}
1446 1447 1448
	skb_queue_splice_tail(&sar_queue, &chan->tx_q);
	if (chan->tx_send_head == NULL)
		chan->tx_send_head = sar_queue.next;
1449 1450 1451 1452

	return size;
}

L
Linus Torvalds 已提交
1453 1454 1455
static void l2cap_chan_ready(struct sock *sk)
{
	struct sock *parent = bt_sk(sk)->parent;
1456
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
L
Linus Torvalds 已提交
1457 1458 1459

	BT_DBG("sk %p, parent %p", sk, parent);

1460
	chan->conf_state = 0;
L
Linus Torvalds 已提交
1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480
	l2cap_sock_clear_timer(sk);

	if (!parent) {
		/* Outgoing channel.
		 * Wake up socket sleeping on connect.
		 */
		sk->sk_state = BT_CONNECTED;
		sk->sk_state_change(sk);
	} else {
		/* Incoming channel.
		 * Wake up socket sleeping on accept.
		 */
		parent->sk_data_ready(parent, 0);
	}
}

/* Copy frame to all raw sockets on that connection */
static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct sk_buff *nskb;
1481
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
1482 1483 1484

	BT_DBG("conn %p", conn);

1485 1486
	read_lock(&conn->chan_lock);
	list_for_each_entry(chan, &conn->chan_l, list) {
1487
		struct sock *sk = chan->sk;
L
Linus Torvalds 已提交
1488 1489 1490 1491 1492 1493
		if (sk->sk_type != SOCK_RAW)
			continue;

		/* Don't send frame to the socket it came from */
		if (skb->sk == sk)
			continue;
1494 1495
		nskb = skb_clone(skb, GFP_ATOMIC);
		if (!nskb)
L
Linus Torvalds 已提交
1496 1497 1498 1499 1500
			continue;

		if (sock_queue_rcv_skb(sk, nskb))
			kfree_skb(nskb);
	}
1501
	read_unlock(&conn->chan_lock);
L
Linus Torvalds 已提交
1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512
}

/* ---- L2CAP signalling commands ---- */
static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
				u8 code, u8 ident, u16 dlen, void *data)
{
	struct sk_buff *skb, **frag;
	struct l2cap_cmd_hdr *cmd;
	struct l2cap_hdr *lh;
	int len, count;

1513 1514
	BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
			conn, code, ident, dlen);
L
Linus Torvalds 已提交
1515 1516 1517 1518 1519 1520 1521 1522 1523

	len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
	count = min_t(unsigned int, conn->mtu, len);

	skb = bt_skb_alloc(count, GFP_ATOMIC);
	if (!skb)
		return NULL;

	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1524
	lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1525 1526 1527 1528 1529

	if (conn->hcon->type == LE_LINK)
		lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
	else
		lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
L
Linus Torvalds 已提交
1530 1531 1532 1533

	cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
	cmd->code  = code;
	cmd->ident = ident;
1534
	cmd->len   = cpu_to_le16(dlen);
L
Linus Torvalds 已提交
1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584

	if (dlen) {
		count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
		memcpy(skb_put(skb, count), data, count);
		data += count;
	}

	len -= skb->len;

	/* Continuation fragments (no L2CAP header) */
	frag = &skb_shinfo(skb)->frag_list;
	while (len) {
		count = min_t(unsigned int, conn->mtu, len);

		*frag = bt_skb_alloc(count, GFP_ATOMIC);
		if (!*frag)
			goto fail;

		memcpy(skb_put(*frag, count), data, count);

		len  -= count;
		data += count;

		frag = &(*frag)->next;
	}

	return skb;

fail:
	kfree_skb(skb);
	return NULL;
}

static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
{
	struct l2cap_conf_opt *opt = *ptr;
	int len;

	len = L2CAP_CONF_OPT_SIZE + opt->len;
	*ptr += len;

	*type = opt->type;
	*olen = opt->len;

	switch (opt->len) {
	case 1:
		*val = *((u8 *) opt->val);
		break;

	case 2:
1585
		*val = get_unaligned_le16(opt->val);
L
Linus Torvalds 已提交
1586 1587 1588
		break;

	case 4:
1589
		*val = get_unaligned_le32(opt->val);
L
Linus Torvalds 已提交
1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615
		break;

	default:
		*val = (unsigned long) opt->val;
		break;
	}

	BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
	return len;
}

static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
{
	struct l2cap_conf_opt *opt = *ptr;

	BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);

	opt->type = type;
	opt->len  = len;

	switch (len) {
	case 1:
		*((u8 *) opt->val)  = val;
		break;

	case 2:
1616
		put_unaligned_le16(val, opt->val);
L
Linus Torvalds 已提交
1617 1618 1619
		break;

	case 4:
1620
		put_unaligned_le32(val, opt->val);
L
Linus Torvalds 已提交
1621 1622 1623 1624 1625 1626 1627 1628 1629 1630
		break;

	default:
		memcpy(opt->val, (void *) val, len);
		break;
	}

	*ptr += L2CAP_CONF_OPT_SIZE + len;
}

1631 1632
static void l2cap_ack_timeout(unsigned long arg)
{
1633
	struct l2cap_chan *chan = (void *) arg;
1634

1635 1636 1637
	bh_lock_sock(chan->sk);
	l2cap_send_ack(chan);
	bh_unlock_sock(chan->sk);
1638 1639
}

1640
static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1641
{
1642 1643
	struct sock *sk = chan->sk;

1644
	chan->expected_ack_seq = 0;
1645
	chan->unacked_frames = 0;
1646
	chan->buffer_seq = 0;
1647 1648
	chan->num_acked = 0;
	chan->frames_sent = 0;
1649

1650 1651 1652 1653 1654
	setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
							(unsigned long) chan);
	setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
							(unsigned long) chan);
	setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1655

1656 1657
	skb_queue_head_init(&chan->srej_q);
	skb_queue_head_init(&chan->busy_q);
1658

1659 1660
	INIT_LIST_HEAD(&chan->srej_l);

1661
	INIT_WORK(&chan->busy_work, l2cap_busy_work);
1662 1663

	sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1664 1665
}

1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678
static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
{
	switch (mode) {
	case L2CAP_MODE_STREAMING:
	case L2CAP_MODE_ERTM:
		if (l2cap_mode_supported(mode, remote_feat_mask))
			return mode;
		/* fall through */
	default:
		return L2CAP_MODE_BASIC;
	}
}

1679
static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
L
Linus Torvalds 已提交
1680 1681
{
	struct l2cap_conf_req *req = data;
1682
	struct l2cap_conf_rfc rfc = { .mode = chan->mode };
L
Linus Torvalds 已提交
1683 1684
	void *ptr = req->data;

1685
	BT_DBG("chan %p", chan);
L
Linus Torvalds 已提交
1686

1687
	if (chan->num_conf_req || chan->num_conf_rsp)
1688 1689
		goto done;

1690
	switch (chan->mode) {
1691 1692
	case L2CAP_MODE_STREAMING:
	case L2CAP_MODE_ERTM:
1693
		if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
1694 1695
			break;

1696
		/* fall through */
1697
	default:
1698
		chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
1699 1700 1701 1702
		break;
	}

done:
1703 1704
	if (chan->imtu != L2CAP_DEFAULT_MTU)
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
1705

1706
	switch (chan->mode) {
1707
	case L2CAP_MODE_BASIC:
1708 1709
		if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
				!(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
1710 1711
			break;

1712 1713 1714 1715 1716 1717 1718
		rfc.mode            = L2CAP_MODE_BASIC;
		rfc.txwin_size      = 0;
		rfc.max_transmit    = 0;
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;
		rfc.max_pdu_size    = 0;

1719 1720
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);
1721 1722 1723 1724
		break;

	case L2CAP_MODE_ERTM:
		rfc.mode            = L2CAP_MODE_ERTM;
1725 1726
		rfc.txwin_size      = chan->tx_win;
		rfc.max_transmit    = chan->max_tx;
1727 1728
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;
1729
		rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
1730 1731
		if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
			rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1732

1733 1734 1735
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);

1736
		if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
1737 1738
			break;

1739
		if (chan->fcs == L2CAP_FCS_NONE ||
1740
				chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
1741 1742
			chan->fcs = L2CAP_FCS_NONE;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1743
		}
1744 1745 1746 1747 1748 1749 1750 1751
		break;

	case L2CAP_MODE_STREAMING:
		rfc.mode            = L2CAP_MODE_STREAMING;
		rfc.txwin_size      = 0;
		rfc.max_transmit    = 0;
		rfc.retrans_timeout = 0;
		rfc.monitor_timeout = 0;
1752
		rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
1753 1754
		if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
			rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1755

1756 1757 1758
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
							(unsigned long) &rfc);

1759
		if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
1760 1761
			break;

1762
		if (chan->fcs == L2CAP_FCS_NONE ||
1763
				chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
1764 1765
			chan->fcs = L2CAP_FCS_NONE;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
1766
		}
1767 1768
		break;
	}
L
Linus Torvalds 已提交
1769

1770
	req->dcid  = cpu_to_le16(chan->dcid);
1771
	req->flags = cpu_to_le16(0);
L
Linus Torvalds 已提交
1772 1773 1774 1775

	return ptr - data;
}

1776
static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
L
Linus Torvalds 已提交
1777
{
1778 1779
	struct l2cap_conf_rsp *rsp = data;
	void *ptr = rsp->data;
1780 1781
	void *req = chan->conf_req;
	int len = chan->conf_len;
1782 1783
	int type, hint, olen;
	unsigned long val;
1784
	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
1785
	u16 mtu = L2CAP_DEFAULT_MTU;
1786
	u16 result = L2CAP_CONF_SUCCESS;
L
Linus Torvalds 已提交
1787

1788
	BT_DBG("chan %p", chan);
1789

1790 1791
	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
L
Linus Torvalds 已提交
1792

1793
		hint  = type & L2CAP_CONF_HINT;
1794
		type &= L2CAP_CONF_MASK;
1795 1796 1797

		switch (type) {
		case L2CAP_CONF_MTU:
1798
			mtu = val;
1799 1800 1801
			break;

		case L2CAP_CONF_FLUSH_TO:
1802
			chan->flush_to = val;
1803 1804 1805 1806 1807
			break;

		case L2CAP_CONF_QOS:
			break;

1808 1809 1810 1811 1812
		case L2CAP_CONF_RFC:
			if (olen == sizeof(rfc))
				memcpy(&rfc, (void *) val, olen);
			break;

1813 1814
		case L2CAP_CONF_FCS:
			if (val == L2CAP_FCS_NONE)
1815
				chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
1816 1817 1818

			break;

1819 1820 1821 1822 1823 1824 1825 1826 1827 1828
		default:
			if (hint)
				break;

			result = L2CAP_CONF_UNKNOWN;
			*((u8 *) ptr++) = type;
			break;
		}
	}

1829
	if (chan->num_conf_rsp || chan->num_conf_req > 1)
1830 1831
		goto done;

1832
	switch (chan->mode) {
1833 1834
	case L2CAP_MODE_STREAMING:
	case L2CAP_MODE_ERTM:
1835
		if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
1836
			chan->mode = l2cap_select_mode(rfc.mode,
1837
					chan->conn->feat_mask);
1838 1839 1840
			break;
		}

1841
		if (chan->mode != rfc.mode)
1842
			return -ECONNREFUSED;
1843

1844 1845 1846 1847
		break;
	}

done:
1848
	if (chan->mode != rfc.mode) {
1849
		result = L2CAP_CONF_UNACCEPT;
1850
		rfc.mode = chan->mode;
1851

1852
		if (chan->num_conf_rsp == 1)
1853 1854 1855 1856 1857 1858 1859
			return -ECONNREFUSED;

		l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);
	}


1860 1861 1862 1863
	if (result == L2CAP_CONF_SUCCESS) {
		/* Configure output options and let the other side know
		 * which ones we don't like. */

1864 1865 1866
		if (mtu < L2CAP_DEFAULT_MIN_MTU)
			result = L2CAP_CONF_UNACCEPT;
		else {
1867
			chan->omtu = mtu;
1868
			chan->conf_state |= L2CAP_CONF_MTU_DONE;
1869
		}
1870
		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
1871

1872 1873
		switch (rfc.mode) {
		case L2CAP_MODE_BASIC:
1874
			chan->fcs = L2CAP_FCS_NONE;
1875
			chan->conf_state |= L2CAP_CONF_MODE_DONE;
1876 1877 1878
			break;

		case L2CAP_MODE_ERTM:
1879 1880
			chan->remote_tx_win = rfc.txwin_size;
			chan->remote_max_tx = rfc.max_transmit;
1881

1882 1883
			if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
				rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1884

1885
			chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1886

1887 1888 1889 1890
			rfc.retrans_timeout =
				le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
			rfc.monitor_timeout =
				le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
1891

1892
			chan->conf_state |= L2CAP_CONF_MODE_DONE;
1893 1894 1895 1896

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);

1897 1898 1899
			break;

		case L2CAP_MODE_STREAMING:
1900 1901
			if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
				rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
1902

1903
			chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
1904

1905
			chan->conf_state |= L2CAP_CONF_MODE_DONE;
1906 1907 1908 1909

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);

1910 1911 1912
			break;

		default:
1913 1914
			result = L2CAP_CONF_UNACCEPT;

1915
			memset(&rfc, 0, sizeof(rfc));
1916
			rfc.mode = chan->mode;
1917
		}
1918

1919
		if (result == L2CAP_CONF_SUCCESS)
1920
			chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
1921
	}
1922
	rsp->scid   = cpu_to_le16(chan->dcid);
1923 1924 1925 1926
	rsp->result = cpu_to_le16(result);
	rsp->flags  = cpu_to_le16(0x0000);

	return ptr - data;
L
Linus Torvalds 已提交
1927 1928
}

1929
static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
1930 1931 1932 1933 1934 1935 1936
{
	struct l2cap_conf_req *req = data;
	void *ptr = req->data;
	int type, olen;
	unsigned long val;
	struct l2cap_conf_rfc rfc;

1937
	BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
1938 1939 1940 1941 1942 1943 1944 1945

	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);

		switch (type) {
		case L2CAP_CONF_MTU:
			if (val < L2CAP_DEFAULT_MIN_MTU) {
				*result = L2CAP_CONF_UNACCEPT;
1946
				chan->imtu = L2CAP_DEFAULT_MIN_MTU;
1947
			} else
1948 1949
				chan->imtu = val;
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
1950 1951 1952
			break;

		case L2CAP_CONF_FLUSH_TO:
1953
			chan->flush_to = val;
1954
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
1955
							2, chan->flush_to);
1956 1957 1958 1959 1960 1961
			break;

		case L2CAP_CONF_RFC:
			if (olen == sizeof(rfc))
				memcpy(&rfc, (void *)val, olen);

1962
			if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
1963
							rfc.mode != chan->mode)
1964 1965
				return -ECONNREFUSED;

1966
			chan->fcs = 0;
1967 1968 1969 1970 1971 1972 1973

			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
					sizeof(rfc), (unsigned long) &rfc);
			break;
		}
	}

1974
	if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
1975 1976
		return -ECONNREFUSED;

1977
	chan->mode = rfc.mode;
1978

1979 1980 1981
	if (*result == L2CAP_CONF_SUCCESS) {
		switch (rfc.mode) {
		case L2CAP_MODE_ERTM:
1982 1983 1984
			chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
			chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
			chan->mps    = le16_to_cpu(rfc.max_pdu_size);
1985 1986
			break;
		case L2CAP_MODE_STREAMING:
1987
			chan->mps    = le16_to_cpu(rfc.max_pdu_size);
1988 1989 1990
		}
	}

1991
	req->dcid   = cpu_to_le16(chan->dcid);
1992 1993 1994 1995 1996
	req->flags  = cpu_to_le16(0x0000);

	return ptr - data;
}

1997
static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
L
Linus Torvalds 已提交
1998 1999 2000 2001
{
	struct l2cap_conf_rsp *rsp = data;
	void *ptr = rsp->data;

2002
	BT_DBG("chan %p", chan);
L
Linus Torvalds 已提交
2003

2004
	rsp->scid   = cpu_to_le16(chan->dcid);
2005
	rsp->result = cpu_to_le16(result);
2006
	rsp->flags  = cpu_to_le16(flags);
L
Linus Torvalds 已提交
2007 2008 2009 2010

	return ptr - data;
}

2011
void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2012 2013
{
	struct l2cap_conn_rsp rsp;
2014
	struct l2cap_conn *conn = chan->conn;
2015 2016
	u8 buf[128];

2017 2018
	rsp.scid   = cpu_to_le16(chan->dcid);
	rsp.dcid   = cpu_to_le16(chan->scid);
2019 2020 2021 2022 2023
	rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
	rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
	l2cap_send_cmd(conn, chan->ident,
				L2CAP_CONN_RSP, sizeof(rsp), &rsp);

2024
	if (chan->conf_state & L2CAP_CONF_REQ_SENT)
2025 2026
		return;

2027
	chan->conf_state |= L2CAP_CONF_REQ_SENT;
2028 2029 2030 2031 2032
	l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
			l2cap_build_conf_req(chan, buf), buf);
	chan->num_conf_req++;
}

2033
static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2034 2035 2036 2037 2038
{
	int type, olen;
	unsigned long val;
	struct l2cap_conf_rfc rfc;

2039
	BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2040

2041
	if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057
		return;

	while (len >= L2CAP_CONF_OPT_SIZE) {
		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);

		switch (type) {
		case L2CAP_CONF_RFC:
			if (olen == sizeof(rfc))
				memcpy(&rfc, (void *)val, olen);
			goto done;
		}
	}

done:
	switch (rfc.mode) {
	case L2CAP_MODE_ERTM:
2058 2059 2060
		chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
		chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
		chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2061 2062
		break;
	case L2CAP_MODE_STREAMING:
2063
		chan->mps    = le16_to_cpu(rfc.max_pdu_size);
2064 2065 2066
	}
}

2067 2068 2069 2070 2071 2072 2073 2074 2075 2076
static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;

	if (rej->reason != 0x0000)
		return 0;

	if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
					cmd->ident == conn->info_ident) {
		del_timer(&conn->info_timer);
2077 2078

		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2079
		conn->info_ident = 0;
2080

2081 2082 2083 2084 2085 2086
		l2cap_conn_start(conn);
	}

	return 0;
}

L
Linus Torvalds 已提交
2087 2088 2089 2090
static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
	struct l2cap_conn_rsp rsp;
2091
	struct l2cap_chan *chan = NULL, *pchan;
2092
	struct sock *parent, *sk = NULL;
2093
	int result, status = L2CAP_CS_NO_INFO;
L
Linus Torvalds 已提交
2094 2095

	u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2096
	__le16 psm = req->psm;
L
Linus Torvalds 已提交
2097 2098 2099 2100

	BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);

	/* Check if we have socket listening on psm */
2101 2102
	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
	if (!pchan) {
L
Linus Torvalds 已提交
2103 2104 2105 2106
		result = L2CAP_CR_BAD_PSM;
		goto sendresp;
	}

2107 2108
	parent = pchan->sk;

2109 2110
	bh_lock_sock(parent);

2111 2112 2113
	/* Check if the ACL is secure enough (if not SDP) */
	if (psm != cpu_to_le16(0x0001) &&
				!hci_conn_check_link_mode(conn->hcon)) {
2114
		conn->disc_reason = 0x05;
2115 2116 2117 2118
		result = L2CAP_CR_SEC_BLOCK;
		goto response;
	}

L
Linus Torvalds 已提交
2119 2120 2121 2122
	result = L2CAP_CR_NO_MEM;

	/* Check for backlog size */
	if (sk_acceptq_is_full(parent)) {
2123
		BT_DBG("backlog full %d", parent->sk_ack_backlog);
L
Linus Torvalds 已提交
2124 2125 2126
		goto response;
	}

2127
	sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
L
Linus Torvalds 已提交
2128 2129 2130
	if (!sk)
		goto response;

2131
	chan = l2cap_chan_create(sk);
2132 2133 2134 2135 2136
	if (!chan) {
		l2cap_sock_kill(sk);
		goto response;
	}

2137 2138
	l2cap_pi(sk)->chan = chan;

2139
	write_lock_bh(&conn->chan_lock);
L
Linus Torvalds 已提交
2140 2141

	/* Check if we already have channel with that dcid */
2142 2143
	if (__l2cap_get_chan_by_dcid(conn, scid)) {
		write_unlock_bh(&conn->chan_lock);
L
Linus Torvalds 已提交
2144 2145 2146 2147 2148 2149 2150 2151 2152 2153
		sock_set_flag(sk, SOCK_ZAPPED);
		l2cap_sock_kill(sk);
		goto response;
	}

	hci_conn_hold(conn->hcon);

	l2cap_sock_init(sk, parent);
	bacpy(&bt_sk(sk)->src, conn->src);
	bacpy(&bt_sk(sk)->dst, conn->dst);
2154 2155
	chan->psm  = psm;
	chan->dcid = scid;
L
Linus Torvalds 已提交
2156

2157 2158
	bt_accept_enqueue(parent, sk);

2159 2160
	__l2cap_chan_add(conn, chan);

2161
	dcid = chan->scid;
L
Linus Torvalds 已提交
2162 2163 2164

	l2cap_sock_set_timer(sk, sk->sk_sndtimeo);

2165
	chan->ident = cmd->ident;
L
Linus Torvalds 已提交
2166

2167
	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2168
		if (l2cap_check_security(chan)) {
2169 2170 2171 2172 2173 2174 2175 2176 2177 2178
			if (bt_sk(sk)->defer_setup) {
				sk->sk_state = BT_CONNECT2;
				result = L2CAP_CR_PEND;
				status = L2CAP_CS_AUTHOR_PEND;
				parent->sk_data_ready(parent, 0);
			} else {
				sk->sk_state = BT_CONFIG;
				result = L2CAP_CR_SUCCESS;
				status = L2CAP_CS_NO_INFO;
			}
2179 2180 2181 2182 2183 2184 2185 2186 2187
		} else {
			sk->sk_state = BT_CONNECT2;
			result = L2CAP_CR_PEND;
			status = L2CAP_CS_AUTHEN_PEND;
		}
	} else {
		sk->sk_state = BT_CONNECT2;
		result = L2CAP_CR_PEND;
		status = L2CAP_CS_NO_INFO;
L
Linus Torvalds 已提交
2188 2189
	}

2190
	write_unlock_bh(&conn->chan_lock);
L
Linus Torvalds 已提交
2191 2192 2193 2194 2195

response:
	bh_unlock_sock(parent);

sendresp:
2196 2197 2198 2199
	rsp.scid   = cpu_to_le16(scid);
	rsp.dcid   = cpu_to_le16(dcid);
	rsp.result = cpu_to_le16(result);
	rsp.status = cpu_to_le16(status);
L
Linus Torvalds 已提交
2200
	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215

	if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
		struct l2cap_info_req info;
		info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);

		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
		conn->info_ident = l2cap_get_ident(conn);

		mod_timer(&conn->info_timer, jiffies +
					msecs_to_jiffies(L2CAP_INFO_TIMEOUT));

		l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(info), &info);
	}

2216
	if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
2217 2218
				result == L2CAP_CR_SUCCESS) {
		u8 buf[128];
2219
		chan->conf_state |= L2CAP_CONF_REQ_SENT;
2220
		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2221 2222
					l2cap_build_conf_req(chan, buf), buf);
		chan->num_conf_req++;
2223 2224
	}

L
Linus Torvalds 已提交
2225 2226 2227 2228 2229 2230 2231
	return 0;
}

static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
	u16 scid, dcid, result, status;
2232
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243
	struct sock *sk;
	u8 req[128];

	scid   = __le16_to_cpu(rsp->scid);
	dcid   = __le16_to_cpu(rsp->dcid);
	result = __le16_to_cpu(rsp->result);
	status = __le16_to_cpu(rsp->status);

	BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);

	if (scid) {
2244
		chan = l2cap_get_chan_by_scid(conn, scid);
2245
		if (!chan)
2246
			return -EFAULT;
L
Linus Torvalds 已提交
2247
	} else {
2248
		chan = l2cap_get_chan_by_ident(conn, cmd->ident);
2249
		if (!chan)
2250
			return -EFAULT;
L
Linus Torvalds 已提交
2251 2252
	}

2253 2254
	sk = chan->sk;

L
Linus Torvalds 已提交
2255 2256 2257
	switch (result) {
	case L2CAP_CR_SUCCESS:
		sk->sk_state = BT_CONFIG;
2258
		chan->ident = 0;
2259
		chan->dcid = dcid;
2260
		chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2261

2262
		if (chan->conf_state & L2CAP_CONF_REQ_SENT)
2263 2264
			break;

2265
		chan->conf_state |= L2CAP_CONF_REQ_SENT;
2266

L
Linus Torvalds 已提交
2267
		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2268 2269
					l2cap_build_conf_req(chan, req), req);
		chan->num_conf_req++;
L
Linus Torvalds 已提交
2270 2271 2272
		break;

	case L2CAP_CR_PEND:
2273
		chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
L
Linus Torvalds 已提交
2274 2275 2276
		break;

	default:
2277 2278 2279 2280 2281 2282 2283 2284
		/* don't delete l2cap channel if sk is owned by user */
		if (sock_owned_by_user(sk)) {
			sk->sk_state = BT_DISCONN;
			l2cap_sock_clear_timer(sk);
			l2cap_sock_set_timer(sk, HZ / 5);
			break;
		}

2285
		l2cap_chan_del(chan, ECONNREFUSED);
L
Linus Torvalds 已提交
2286 2287 2288 2289 2290 2291 2292
		break;
	}

	bh_unlock_sock(sk);
	return 0;
}

2293
static inline void set_default_fcs(struct l2cap_chan *chan)
2294
{
2295 2296
	struct l2cap_pinfo *pi = l2cap_pi(chan->sk);

2297 2298 2299
	/* FCS is enabled only in ERTM or streaming mode, if one or both
	 * sides request it.
	 */
2300
	if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2301
		chan->fcs = L2CAP_FCS_NONE;
2302
	else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
2303
		chan->fcs = L2CAP_FCS_CRC16;
2304 2305
}

2306
static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
L
Linus Torvalds 已提交
2307 2308 2309 2310
{
	struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
	u16 dcid, flags;
	u8 rsp[64];
2311
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2312
	struct sock *sk;
2313
	int len;
L
Linus Torvalds 已提交
2314 2315 2316 2317 2318 2319

	dcid  = __le16_to_cpu(req->dcid);
	flags = __le16_to_cpu(req->flags);

	BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);

2320
	chan = l2cap_get_chan_by_scid(conn, dcid);
2321
	if (!chan)
L
Linus Torvalds 已提交
2322 2323
		return -ENOENT;

2324 2325
	sk = chan->sk;

2326 2327 2328 2329 2330 2331
	if (sk->sk_state != BT_CONFIG) {
		struct l2cap_cmd_rej rej;

		rej.reason = cpu_to_le16(0x0002);
		l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
				sizeof(rej), &rej);
2332
		goto unlock;
2333
	}
2334

2335
	/* Reject if config buffer is too small. */
2336
	len = cmd_len - sizeof(*req);
2337
	if (chan->conf_len + len > sizeof(chan->conf_req)) {
2338
		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2339
				l2cap_build_conf_rsp(chan, rsp,
2340 2341 2342 2343 2344
					L2CAP_CONF_REJECT, flags), rsp);
		goto unlock;
	}

	/* Store config. */
2345 2346
	memcpy(chan->conf_req + chan->conf_len, req->data, len);
	chan->conf_len += len;
L
Linus Torvalds 已提交
2347 2348 2349 2350

	if (flags & 0x0001) {
		/* Incomplete config. Send empty response. */
		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2351
				l2cap_build_conf_rsp(chan, rsp,
2352
					L2CAP_CONF_SUCCESS, 0x0001), rsp);
L
Linus Torvalds 已提交
2353 2354 2355 2356
		goto unlock;
	}

	/* Complete config. */
2357
	len = l2cap_parse_conf_req(chan, rsp);
2358
	if (len < 0) {
2359
		l2cap_send_disconn_req(conn, chan, ECONNRESET);
L
Linus Torvalds 已提交
2360
		goto unlock;
2361
	}
L
Linus Torvalds 已提交
2362

2363
	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2364
	chan->num_conf_rsp++;
2365 2366

	/* Reset config buffer. */
2367
	chan->conf_len = 0;
2368

2369
	if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
2370 2371
		goto unlock;

2372
	if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
2373
		set_default_fcs(chan);
2374

L
Linus Torvalds 已提交
2375
		sk->sk_state = BT_CONNECTED;
2376

2377 2378
		chan->next_tx_seq = 0;
		chan->expected_tx_seq = 0;
2379
		skb_queue_head_init(&chan->tx_q);
2380
		if (chan->mode == L2CAP_MODE_ERTM)
2381
			l2cap_ertm_init(chan);
2382

L
Linus Torvalds 已提交
2383
		l2cap_chan_ready(sk);
2384 2385 2386
		goto unlock;
	}

2387
	if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
2388
		u8 buf[64];
2389
		chan->conf_state |= L2CAP_CONF_REQ_SENT;
L
Linus Torvalds 已提交
2390
		l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2391 2392
					l2cap_build_conf_req(chan, buf), buf);
		chan->num_conf_req++;
L
Linus Torvalds 已提交
2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403
	}

unlock:
	bh_unlock_sock(sk);
	return 0;
}

static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
	u16 scid, flags, result;
2404
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2405
	struct sock *sk;
2406
	int len = cmd->len - sizeof(*rsp);
L
Linus Torvalds 已提交
2407 2408 2409 2410 2411

	scid   = __le16_to_cpu(rsp->scid);
	flags  = __le16_to_cpu(rsp->flags);
	result = __le16_to_cpu(rsp->result);

2412 2413
	BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
			scid, flags, result);
L
Linus Torvalds 已提交
2414

2415
	chan = l2cap_get_chan_by_scid(conn, scid);
2416
	if (!chan)
L
Linus Torvalds 已提交
2417 2418
		return 0;

2419 2420
	sk = chan->sk;

L
Linus Torvalds 已提交
2421 2422
	switch (result) {
	case L2CAP_CONF_SUCCESS:
2423
		l2cap_conf_rfc_get(chan, rsp->data, len);
L
Linus Torvalds 已提交
2424 2425 2426
		break;

	case L2CAP_CONF_UNACCEPT:
2427
		if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
2428 2429
			char req[64];

2430
			if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
2431
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
2432 2433 2434
				goto done;
			}

2435 2436
			/* throw out any old stored conf requests */
			result = L2CAP_CONF_SUCCESS;
2437 2438
			len = l2cap_parse_conf_rsp(chan, rsp->data, len,
								req, &result);
2439
			if (len < 0) {
2440
				l2cap_send_disconn_req(conn, chan, ECONNRESET);
2441 2442 2443 2444 2445
				goto done;
			}

			l2cap_send_cmd(conn, l2cap_get_ident(conn),
						L2CAP_CONF_REQ, len, req);
2446
			chan->num_conf_req++;
2447 2448 2449
			if (result != L2CAP_CONF_SUCCESS)
				goto done;
			break;
L
Linus Torvalds 已提交
2450 2451
		}

2452
	default:
2453
		sk->sk_err = ECONNRESET;
L
Linus Torvalds 已提交
2454
		l2cap_sock_set_timer(sk, HZ * 5);
2455
		l2cap_send_disconn_req(conn, chan, ECONNRESET);
L
Linus Torvalds 已提交
2456 2457 2458 2459 2460 2461
		goto done;
	}

	if (flags & 0x01)
		goto done;

2462
	chan->conf_state |= L2CAP_CONF_INPUT_DONE;
L
Linus Torvalds 已提交
2463

2464
	if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
2465
		set_default_fcs(chan);
2466

L
Linus Torvalds 已提交
2467
		sk->sk_state = BT_CONNECTED;
2468 2469
		chan->next_tx_seq = 0;
		chan->expected_tx_seq = 0;
2470
		skb_queue_head_init(&chan->tx_q);
2471
		if (chan->mode ==  L2CAP_MODE_ERTM)
2472
			l2cap_ertm_init(chan);
2473

L
Linus Torvalds 已提交
2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485 2486
		l2cap_chan_ready(sk);
	}

done:
	bh_unlock_sock(sk);
	return 0;
}

static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
	struct l2cap_disconn_rsp rsp;
	u16 dcid, scid;
2487
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2488 2489 2490 2491 2492 2493 2494
	struct sock *sk;

	scid = __le16_to_cpu(req->scid);
	dcid = __le16_to_cpu(req->dcid);

	BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);

2495
	chan = l2cap_get_chan_by_scid(conn, dcid);
2496
	if (!chan)
L
Linus Torvalds 已提交
2497 2498
		return 0;

2499 2500
	sk = chan->sk;

2501 2502
	rsp.dcid = cpu_to_le16(chan->scid);
	rsp.scid = cpu_to_le16(chan->dcid);
L
Linus Torvalds 已提交
2503 2504 2505 2506
	l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);

	sk->sk_shutdown = SHUTDOWN_MASK;

2507 2508 2509 2510 2511 2512 2513 2514 2515
	/* don't delete l2cap channel if sk is owned by user */
	if (sock_owned_by_user(sk)) {
		sk->sk_state = BT_DISCONN;
		l2cap_sock_clear_timer(sk);
		l2cap_sock_set_timer(sk, HZ / 5);
		bh_unlock_sock(sk);
		return 0;
	}

2516
	l2cap_chan_del(chan, ECONNRESET);
L
Linus Torvalds 已提交
2517 2518 2519 2520 2521 2522 2523 2524 2525 2526
	bh_unlock_sock(sk);

	l2cap_sock_kill(sk);
	return 0;
}

static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
	u16 dcid, scid;
2527
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
2528 2529 2530 2531 2532 2533 2534
	struct sock *sk;

	scid = __le16_to_cpu(rsp->scid);
	dcid = __le16_to_cpu(rsp->dcid);

	BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);

2535
	chan = l2cap_get_chan_by_scid(conn, scid);
2536
	if (!chan)
L
Linus Torvalds 已提交
2537 2538
		return 0;

2539 2540
	sk = chan->sk;

2541 2542 2543 2544 2545 2546 2547 2548 2549
	/* don't delete l2cap channel if sk is owned by user */
	if (sock_owned_by_user(sk)) {
		sk->sk_state = BT_DISCONN;
		l2cap_sock_clear_timer(sk);
		l2cap_sock_set_timer(sk, HZ / 5);
		bh_unlock_sock(sk);
		return 0;
	}

2550
	l2cap_chan_del(chan, 0);
L
Linus Torvalds 已提交
2551 2552 2553 2554 2555 2556 2557 2558 2559 2560 2561 2562 2563 2564 2565
	bh_unlock_sock(sk);

	l2cap_sock_kill(sk);
	return 0;
}

static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_info_req *req = (struct l2cap_info_req *) data;
	u16 type;

	type = __le16_to_cpu(req->type);

	BT_DBG("type 0x%4.4x", type);

2566 2567
	if (type == L2CAP_IT_FEAT_MASK) {
		u8 buf[8];
2568
		u32 feat_mask = l2cap_feat_mask;
2569 2570 2571
		struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
		rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
		rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
2572
		if (!disable_ertm)
2573 2574
			feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
							 | L2CAP_FEAT_FCS;
2575
		put_unaligned_le32(feat_mask, rsp->data);
2576 2577
		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(buf), buf);
2578 2579 2580 2581 2582 2583 2584 2585
	} else if (type == L2CAP_IT_FIXED_CHAN) {
		u8 buf[12];
		struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
		rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
		rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
		memcpy(buf + 4, l2cap_fixed_chan, 8);
		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(buf), buf);
2586 2587 2588 2589 2590 2591 2592
	} else {
		struct l2cap_info_rsp rsp;
		rsp.type   = cpu_to_le16(type);
		rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
		l2cap_send_cmd(conn, cmd->ident,
					L2CAP_INFO_RSP, sizeof(rsp), &rsp);
	}
L
Linus Torvalds 已提交
2593 2594 2595 2596 2597 2598 2599 2600 2601 2602 2603 2604 2605 2606

	return 0;
}

static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
	u16 type, result;

	type   = __le16_to_cpu(rsp->type);
	result = __le16_to_cpu(rsp->result);

	BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);

2607 2608 2609 2610 2611
	/* L2CAP Info req/rsp are unbound to channels, add extra checks */
	if (cmd->ident != conn->info_ident ||
			conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
		return 0;

2612 2613
	del_timer(&conn->info_timer);

2614 2615 2616 2617 2618 2619 2620 2621 2622
	if (result != L2CAP_IR_SUCCESS) {
		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
		conn->info_ident = 0;

		l2cap_conn_start(conn);

		return 0;
	}

2623
	if (type == L2CAP_IT_FEAT_MASK) {
2624
		conn->feat_mask = get_unaligned_le32(rsp->data);
2625

2626
		if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640
			struct l2cap_info_req req;
			req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);

			conn->info_ident = l2cap_get_ident(conn);

			l2cap_send_cmd(conn, conn->info_ident,
					L2CAP_INFO_REQ, sizeof(req), &req);
		} else {
			conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
			conn->info_ident = 0;

			l2cap_conn_start(conn);
		}
	} else if (type == L2CAP_IT_FIXED_CHAN) {
2641
		conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2642
		conn->info_ident = 0;
2643 2644 2645

		l2cap_conn_start(conn);
	}
2646

L
Linus Torvalds 已提交
2647 2648 2649
	return 0;
}

2650
static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
2651 2652 2653 2654 2655 2656 2657 2658 2659 2660 2661 2662 2663 2664 2665 2666 2667 2668 2669 2670 2671 2672 2673 2674 2675 2676 2677
							u16 to_multiplier)
{
	u16 max_latency;

	if (min > max || min < 6 || max > 3200)
		return -EINVAL;

	if (to_multiplier < 10 || to_multiplier > 3200)
		return -EINVAL;

	if (max >= to_multiplier * 8)
		return -EINVAL;

	max_latency = (to_multiplier * 8 / max) - 1;
	if (latency > 499 || latency > max_latency)
		return -EINVAL;

	return 0;
}

static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
					struct l2cap_cmd_hdr *cmd, u8 *data)
{
	struct hci_conn *hcon = conn->hcon;
	struct l2cap_conn_param_update_req *req;
	struct l2cap_conn_param_update_rsp rsp;
	u16 min, max, latency, to_multiplier, cmd_len;
2678
	int err;
2679 2680 2681 2682 2683 2684 2685 2686 2687

	if (!(hcon->link_mode & HCI_LM_MASTER))
		return -EINVAL;

	cmd_len = __le16_to_cpu(cmd->len);
	if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
		return -EPROTO;

	req = (struct l2cap_conn_param_update_req *) data;
2688 2689
	min		= __le16_to_cpu(req->min);
	max		= __le16_to_cpu(req->max);
2690 2691 2692 2693 2694 2695 2696
	latency		= __le16_to_cpu(req->latency);
	to_multiplier	= __le16_to_cpu(req->to_multiplier);

	BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
						min, max, latency, to_multiplier);

	memset(&rsp, 0, sizeof(rsp));
2697 2698 2699

	err = l2cap_check_conn_param(min, max, latency, to_multiplier);
	if (err)
2700 2701 2702 2703 2704 2705 2706
		rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
	else
		rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);

	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
							sizeof(rsp), &rsp);

2707 2708 2709
	if (!err)
		hci_le_conn_update(hcon, min, max, latency, to_multiplier);

2710 2711 2712
	return 0;
}

2713 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 2747 2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778
static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
			struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
{
	int err = 0;

	switch (cmd->code) {
	case L2CAP_COMMAND_REJ:
		l2cap_command_rej(conn, cmd, data);
		break;

	case L2CAP_CONN_REQ:
		err = l2cap_connect_req(conn, cmd, data);
		break;

	case L2CAP_CONN_RSP:
		err = l2cap_connect_rsp(conn, cmd, data);
		break;

	case L2CAP_CONF_REQ:
		err = l2cap_config_req(conn, cmd, cmd_len, data);
		break;

	case L2CAP_CONF_RSP:
		err = l2cap_config_rsp(conn, cmd, data);
		break;

	case L2CAP_DISCONN_REQ:
		err = l2cap_disconnect_req(conn, cmd, data);
		break;

	case L2CAP_DISCONN_RSP:
		err = l2cap_disconnect_rsp(conn, cmd, data);
		break;

	case L2CAP_ECHO_REQ:
		l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
		break;

	case L2CAP_ECHO_RSP:
		break;

	case L2CAP_INFO_REQ:
		err = l2cap_information_req(conn, cmd, data);
		break;

	case L2CAP_INFO_RSP:
		err = l2cap_information_rsp(conn, cmd, data);
		break;

	default:
		BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
		err = -EINVAL;
		break;
	}

	return err;
}

static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
					struct l2cap_cmd_hdr *cmd, u8 *data)
{
	switch (cmd->code) {
	case L2CAP_COMMAND_REJ:
		return 0;

	case L2CAP_CONN_PARAM_UPDATE_REQ:
2779
		return l2cap_conn_param_update_req(conn, cmd, data);
2780 2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791

	case L2CAP_CONN_PARAM_UPDATE_RSP:
		return 0;

	default:
		BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
		return -EINVAL;
	}
}

static inline void l2cap_sig_channel(struct l2cap_conn *conn,
							struct sk_buff *skb)
L
Linus Torvalds 已提交
2792 2793 2794 2795
{
	u8 *data = skb->data;
	int len = skb->len;
	struct l2cap_cmd_hdr cmd;
2796
	int err;
L
Linus Torvalds 已提交
2797 2798 2799 2800

	l2cap_raw_recv(conn, skb);

	while (len >= L2CAP_CMD_HDR_SIZE) {
2801
		u16 cmd_len;
L
Linus Torvalds 已提交
2802 2803 2804 2805
		memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
		data += L2CAP_CMD_HDR_SIZE;
		len  -= L2CAP_CMD_HDR_SIZE;

2806
		cmd_len = le16_to_cpu(cmd.len);
L
Linus Torvalds 已提交
2807

2808
		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
L
Linus Torvalds 已提交
2809

2810
		if (cmd_len > len || !cmd.ident) {
L
Linus Torvalds 已提交
2811 2812 2813 2814
			BT_DBG("corrupted command");
			break;
		}

2815 2816 2817 2818
		if (conn->hcon->type == LE_LINK)
			err = l2cap_le_sig_cmd(conn, &cmd, data);
		else
			err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
L
Linus Torvalds 已提交
2819 2820 2821

		if (err) {
			struct l2cap_cmd_rej rej;
2822 2823

			BT_ERR("Wrong link type (%d)", err);
L
Linus Torvalds 已提交
2824 2825

			/* FIXME: Map err to a valid reason */
2826
			rej.reason = cpu_to_le16(0);
L
Linus Torvalds 已提交
2827 2828 2829
			l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
		}

2830 2831
		data += cmd_len;
		len  -= cmd_len;
L
Linus Torvalds 已提交
2832 2833 2834 2835 2836
	}

	kfree_skb(skb);
}

2837
static int l2cap_check_fcs(struct l2cap_chan *chan,  struct sk_buff *skb)
2838 2839 2840 2841
{
	u16 our_fcs, rcv_fcs;
	int hdr_size = L2CAP_HDR_SIZE + 2;

2842
	if (chan->fcs == L2CAP_FCS_CRC16) {
2843 2844 2845 2846 2847
		skb_trim(skb, skb->len - 2);
		rcv_fcs = get_unaligned_le16(skb->data + skb->len);
		our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);

		if (our_fcs != rcv_fcs)
2848
			return -EBADMSG;
2849 2850 2851 2852
	}
	return 0;
}

2853
static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
2854 2855 2856
{
	u16 control = 0;

2857
	chan->frames_sent = 0;
2858

2859
	control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
2860

2861
	if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
2862
		control |= L2CAP_SUPER_RCV_NOT_READY;
2863 2864
		l2cap_send_sframe(chan, control);
		chan->conn_state |= L2CAP_CONN_RNR_SENT;
2865 2866
	}

2867 2868
	if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
		l2cap_retransmit_frames(chan);
2869

2870
	l2cap_ertm_send(chan);
2871

2872
	if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
2873
			chan->frames_sent == 0) {
2874
		control |= L2CAP_SUPER_RCV_READY;
2875
		l2cap_send_sframe(chan, control);
2876 2877 2878
	}
}

2879
static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
2880 2881
{
	struct sk_buff *next_skb;
2882
	int tx_seq_offset, next_tx_seq_offset;
2883 2884 2885 2886

	bt_cb(skb)->tx_seq = tx_seq;
	bt_cb(skb)->sar = sar;

2887
	next_skb = skb_peek(&chan->srej_q);
2888
	if (!next_skb) {
2889
		__skb_queue_tail(&chan->srej_q, skb);
2890
		return 0;
2891 2892
	}

2893
	tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
2894 2895 2896
	if (tx_seq_offset < 0)
		tx_seq_offset += 64;

2897
	do {
2898 2899 2900
		if (bt_cb(next_skb)->tx_seq == tx_seq)
			return -EINVAL;

2901
		next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
2902
						chan->buffer_seq) % 64;
2903 2904 2905 2906
		if (next_tx_seq_offset < 0)
			next_tx_seq_offset += 64;

		if (next_tx_seq_offset > tx_seq_offset) {
2907
			__skb_queue_before(&chan->srej_q, next_skb, skb);
2908
			return 0;
2909 2910
		}

2911
		if (skb_queue_is_last(&chan->srej_q, next_skb))
2912 2913
			break;

2914
	} while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
2915

2916
	__skb_queue_tail(&chan->srej_q, skb);
2917 2918

	return 0;
2919 2920
}

2921
static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
2922 2923
{
	struct sk_buff *_skb;
2924
	int err;
2925 2926 2927

	switch (control & L2CAP_CTRL_SAR) {
	case L2CAP_SDU_UNSEGMENTED:
2928
		if (chan->conn_state & L2CAP_CONN_SAR_SDU)
2929 2930
			goto drop;

2931
		err = sock_queue_rcv_skb(chan->sk, skb);
2932 2933 2934 2935 2936 2937
		if (!err)
			return err;

		break;

	case L2CAP_SDU_START:
2938
		if (chan->conn_state & L2CAP_CONN_SAR_SDU)
2939 2940
			goto drop;

2941
		chan->sdu_len = get_unaligned_le16(skb->data);
2942

2943
		if (chan->sdu_len > chan->imtu)
2944 2945
			goto disconnect;

2946 2947
		chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
		if (!chan->sdu)
2948 2949 2950 2951 2952 2953
			return -ENOMEM;

		/* pull sdu_len bytes only after alloc, because of Local Busy
		 * condition we have to be sure that this will be executed
		 * only once, i.e., when alloc does not fail */
		skb_pull(skb, 2);
2954

2955
		memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2956

2957
		chan->conn_state |= L2CAP_CONN_SAR_SDU;
2958
		chan->partial_sdu_len = skb->len;
2959 2960 2961
		break;

	case L2CAP_SDU_CONTINUE:
2962
		if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
2963 2964
			goto disconnect;

2965
		if (!chan->sdu)
2966 2967
			goto disconnect;

2968 2969
		chan->partial_sdu_len += skb->len;
		if (chan->partial_sdu_len > chan->sdu_len)
2970 2971
			goto drop;

2972
		memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2973

2974 2975 2976
		break;

	case L2CAP_SDU_END:
2977
		if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
2978 2979
			goto disconnect;

2980
		if (!chan->sdu)
2981 2982
			goto disconnect;

2983
		if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
2984
			chan->partial_sdu_len += skb->len;
2985

2986
			if (chan->partial_sdu_len > chan->imtu)
2987
				goto drop;
2988

2989
			if (chan->partial_sdu_len != chan->sdu_len)
2990
				goto drop;
2991

2992
			memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
2993
		}
2994

2995
		_skb = skb_clone(chan->sdu, GFP_ATOMIC);
2996
		if (!_skb) {
2997
			chan->conn_state |= L2CAP_CONN_SAR_RETRY;
2998 2999 3000
			return -ENOMEM;
		}

3001
		err = sock_queue_rcv_skb(chan->sk, _skb);
3002
		if (err < 0) {
3003
			kfree_skb(_skb);
3004
			chan->conn_state |= L2CAP_CONN_SAR_RETRY;
3005 3006 3007
			return err;
		}

3008 3009
		chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
		chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
3010

3011
		kfree_skb(chan->sdu);
3012 3013 3014 3015
		break;
	}

	kfree_skb(skb);
3016
	return 0;
3017 3018

drop:
3019 3020
	kfree_skb(chan->sdu);
	chan->sdu = NULL;
3021 3022

disconnect:
3023
	l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3024 3025 3026 3027
	kfree_skb(skb);
	return 0;
}

3028
static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
3029 3030 3031 3032 3033
{
	struct sk_buff *skb;
	u16 control;
	int err;

3034
	while ((skb = skb_dequeue(&chan->busy_q))) {
3035
		control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3036
		err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3037
		if (err < 0) {
3038
			skb_queue_head(&chan->busy_q, skb);
3039 3040 3041
			return -EBUSY;
		}

3042
		chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3043 3044
	}

3045
	if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
3046 3047
		goto done;

3048
	control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3049
	control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3050
	l2cap_send_sframe(chan, control);
3051
	chan->retry_count = 1;
3052

3053
	del_timer(&chan->retrans_timer);
3054 3055
	__mod_monitor_timer();

3056
	chan->conn_state |= L2CAP_CONN_WAIT_F;
3057 3058

done:
3059 3060
	chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
	chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
3061

3062
	BT_DBG("chan %p, Exit local busy", chan);
3063 3064 3065 3066

	return 0;
}

3067 3068 3069
static void l2cap_busy_work(struct work_struct *work)
{
	DECLARE_WAITQUEUE(wait, current);
3070 3071 3072
	struct l2cap_chan *chan =
		container_of(work, struct l2cap_chan, busy_work);
	struct sock *sk = chan->sk;
3073 3074 3075 3076 3077
	int n_tries = 0, timeo = HZ/5, err;
	struct sk_buff *skb;

	lock_sock(sk);

3078
	add_wait_queue(sk_sleep(sk), &wait);
3079
	while ((skb = skb_peek(&chan->busy_q))) {
3080 3081 3082 3083
		set_current_state(TASK_INTERRUPTIBLE);

		if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
			err = -EBUSY;
3084
			l2cap_send_disconn_req(chan->conn, chan, EBUSY);
3085
			break;
3086 3087 3088 3089 3090 3091 3092
		}

		if (!timeo)
			timeo = HZ/5;

		if (signal_pending(current)) {
			err = sock_intr_errno(timeo);
3093
			break;
3094 3095 3096 3097 3098 3099 3100 3101
		}

		release_sock(sk);
		timeo = schedule_timeout(timeo);
		lock_sock(sk);

		err = sock_error(sk);
		if (err)
3102
			break;
3103

3104
		if (l2cap_try_push_rx_skb(chan) == 0)
3105 3106 3107 3108
			break;
	}

	set_current_state(TASK_RUNNING);
3109
	remove_wait_queue(sk_sleep(sk), &wait);
3110 3111 3112 3113

	release_sock(sk);
}

3114
static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
3115 3116 3117
{
	int sctrl, err;

3118
	if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3119
		bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3120
		__skb_queue_tail(&chan->busy_q, skb);
3121
		return l2cap_try_push_rx_skb(chan);
3122 3123


3124 3125
	}

3126
	err = l2cap_ertm_reassembly_sdu(chan, skb, control);
3127
	if (err >= 0) {
3128
		chan->buffer_seq = (chan->buffer_seq + 1) % 64;
3129 3130 3131 3132
		return err;
	}

	/* Busy Condition */
3133
	BT_DBG("chan %p, Enter local busy", chan);
3134

3135
	chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3136
	bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3137
	__skb_queue_tail(&chan->busy_q, skb);
3138

3139
	sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3140
	sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3141
	l2cap_send_sframe(chan, sctrl);
3142

3143
	chan->conn_state |= L2CAP_CONN_RNR_SENT;
3144

3145
	del_timer(&chan->ack_timer);
3146

3147
	queue_work(_busy_wq, &chan->busy_work);
3148 3149 3150 3151

	return err;
}

3152
static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
3153 3154 3155 3156
{
	struct sk_buff *_skb;
	int err = -EINVAL;

3157 3158 3159 3160 3161
	/*
	 * TODO: We have to notify the userland if some data is lost with the
	 * Streaming Mode.
	 */

3162 3163
	switch (control & L2CAP_CTRL_SAR) {
	case L2CAP_SDU_UNSEGMENTED:
3164
		if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
3165
			kfree_skb(chan->sdu);
3166 3167 3168
			break;
		}

3169
		err = sock_queue_rcv_skb(chan->sk, skb);
3170 3171 3172 3173 3174 3175
		if (!err)
			return 0;

		break;

	case L2CAP_SDU_START:
3176
		if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
3177
			kfree_skb(chan->sdu);
3178 3179 3180
			break;
		}

3181
		chan->sdu_len = get_unaligned_le16(skb->data);
3182 3183
		skb_pull(skb, 2);

3184
		if (chan->sdu_len > chan->imtu) {
3185 3186 3187 3188
			err = -EMSGSIZE;
			break;
		}

3189 3190
		chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
		if (!chan->sdu) {
3191 3192 3193 3194
			err = -ENOMEM;
			break;
		}

3195
		memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3196

3197
		chan->conn_state |= L2CAP_CONN_SAR_SDU;
3198
		chan->partial_sdu_len = skb->len;
3199 3200 3201 3202
		err = 0;
		break;

	case L2CAP_SDU_CONTINUE:
3203
		if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
3204 3205
			break;

3206
		memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3207

3208 3209 3210
		chan->partial_sdu_len += skb->len;
		if (chan->partial_sdu_len > chan->sdu_len)
			kfree_skb(chan->sdu);
3211 3212 3213 3214 3215 3216
		else
			err = 0;

		break;

	case L2CAP_SDU_END:
3217
		if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
3218 3219
			break;

3220
		memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
3221

3222
		chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
3223
		chan->partial_sdu_len += skb->len;
3224

3225
		if (chan->partial_sdu_len > chan->imtu)
3226 3227
			goto drop;

3228 3229
		if (chan->partial_sdu_len == chan->sdu_len) {
			_skb = skb_clone(chan->sdu, GFP_ATOMIC);
3230
			err = sock_queue_rcv_skb(chan->sk, _skb);
3231 3232 3233 3234 3235
			if (err < 0)
				kfree_skb(_skb);
		}
		err = 0;

3236
drop:
3237
		kfree_skb(chan->sdu);
3238 3239 3240 3241 3242 3243 3244
		break;
	}

	kfree_skb(skb);
	return err;
}

3245
static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
3246 3247
{
	struct sk_buff *skb;
3248
	u16 control;
3249

3250
	while ((skb = skb_peek(&chan->srej_q))) {
3251 3252 3253
		if (bt_cb(skb)->tx_seq != tx_seq)
			break;

3254
		skb = skb_dequeue(&chan->srej_q);
3255
		control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3256
		l2cap_ertm_reassembly_sdu(chan, skb, control);
3257 3258
		chan->buffer_seq_srej =
			(chan->buffer_seq_srej + 1) % 64;
3259
		tx_seq = (tx_seq + 1) % 64;
3260 3261 3262
	}
}

3263
static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3264 3265 3266 3267
{
	struct srej_list *l, *tmp;
	u16 control;

3268
	list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3269 3270 3271 3272 3273 3274 3275
		if (l->tx_seq == tx_seq) {
			list_del(&l->list);
			kfree(l);
			return;
		}
		control = L2CAP_SUPER_SELECT_REJECT;
		control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3276
		l2cap_send_sframe(chan, control);
3277
		list_del(&l->list);
3278
		list_add_tail(&l->list, &chan->srej_l);
3279 3280 3281
	}
}

3282
static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
3283 3284 3285 3286
{
	struct srej_list *new;
	u16 control;

3287
	while (tx_seq != chan->expected_tx_seq) {
3288
		control = L2CAP_SUPER_SELECT_REJECT;
3289
		control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3290
		l2cap_send_sframe(chan, control);
3291 3292

		new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3293 3294
		new->tx_seq = chan->expected_tx_seq;
		chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3295
		list_add_tail(&new->list, &chan->srej_l);
3296
	}
3297
	chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3298 3299
}

3300
static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3301 3302
{
	u8 tx_seq = __get_txseq(rx_control);
3303
	u8 req_seq = __get_reqseq(rx_control);
3304
	u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
3305
	int tx_seq_offset, expected_tx_seq_offset;
3306
	int num_to_ack = (chan->tx_win/6) + 1;
3307 3308
	int err = 0;

3309 3310
	BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
							tx_seq, rx_control);
3311

3312
	if (L2CAP_CTRL_FINAL & rx_control &&
3313
			chan->conn_state & L2CAP_CONN_WAIT_F) {
3314
		del_timer(&chan->monitor_timer);
3315
		if (chan->unacked_frames > 0)
3316
			__mod_retrans_timer();
3317
		chan->conn_state &= ~L2CAP_CONN_WAIT_F;
3318 3319
	}

3320 3321
	chan->expected_ack_seq = req_seq;
	l2cap_drop_acked_frames(chan);
3322

3323
	if (tx_seq == chan->expected_tx_seq)
3324
		goto expected;
3325

3326
	tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
3327 3328 3329 3330
	if (tx_seq_offset < 0)
		tx_seq_offset += 64;

	/* invalid tx_seq */
3331
	if (tx_seq_offset >= chan->tx_win) {
3332
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3333 3334 3335
		goto drop;
	}

3336
	if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
3337 3338
		goto drop;

3339
	if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3340
		struct srej_list *first;
3341

3342
		first = list_first_entry(&chan->srej_l,
3343 3344
				struct srej_list, list);
		if (tx_seq == first->tx_seq) {
3345
			l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3346
			l2cap_check_srej_gap(chan, tx_seq);
3347 3348 3349 3350

			list_del(&first->list);
			kfree(first);

3351
			if (list_empty(&chan->srej_l)) {
3352
				chan->buffer_seq = chan->buffer_seq_srej;
3353 3354
				chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
				l2cap_send_ack(chan);
3355
				BT_DBG("chan %p, Exit SREJ_SENT", chan);
3356 3357 3358
			}
		} else {
			struct srej_list *l;
3359 3360

			/* duplicated tx_seq */
3361
			if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3362
				goto drop;
3363

3364
			list_for_each_entry(l, &chan->srej_l, list) {
3365
				if (l->tx_seq == tx_seq) {
3366
					l2cap_resend_srejframe(chan, tx_seq);
3367 3368 3369
					return 0;
				}
			}
3370
			l2cap_send_srejframe(chan, tx_seq);
3371 3372
		}
	} else {
3373
		expected_tx_seq_offset =
3374
			(chan->expected_tx_seq - chan->buffer_seq) % 64;
3375 3376 3377 3378 3379 3380 3381
		if (expected_tx_seq_offset < 0)
			expected_tx_seq_offset += 64;

		/* duplicated tx_seq */
		if (tx_seq_offset < expected_tx_seq_offset)
			goto drop;

3382
		chan->conn_state |= L2CAP_CONN_SREJ_SENT;
3383

3384
		BT_DBG("chan %p, Enter SREJ", chan);
3385

3386
		INIT_LIST_HEAD(&chan->srej_l);
3387
		chan->buffer_seq_srej = chan->buffer_seq;
3388

3389 3390
		__skb_queue_head_init(&chan->srej_q);
		__skb_queue_head_init(&chan->busy_q);
3391
		l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3392

3393
		chan->conn_state |= L2CAP_CONN_SEND_PBIT;
3394

3395
		l2cap_send_srejframe(chan, tx_seq);
3396

3397
		del_timer(&chan->ack_timer);
3398
	}
3399 3400
	return 0;

3401
expected:
3402
	chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3403

3404
	if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
3405 3406
		bt_cb(skb)->tx_seq = tx_seq;
		bt_cb(skb)->sar = sar;
3407
		__skb_queue_tail(&chan->srej_q, skb);
3408 3409 3410
		return 0;
	}

3411
	err = l2cap_push_rx_skb(chan, skb, rx_control);
3412 3413 3414
	if (err < 0)
		return 0;

3415
	if (rx_control & L2CAP_CTRL_FINAL) {
3416 3417
		if (chan->conn_state & L2CAP_CONN_REJ_ACT)
			chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3418
		else
3419
			l2cap_retransmit_frames(chan);
3420 3421
	}

3422 3423
	__mod_ack_timer();

3424 3425
	chan->num_acked = (chan->num_acked + 1) % num_to_ack;
	if (chan->num_acked == num_to_ack - 1)
3426
		l2cap_send_ack(chan);
3427

3428
	return 0;
3429 3430 3431 3432

drop:
	kfree_skb(skb);
	return 0;
3433 3434
}

3435
static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
3436
{
3437
	BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
3438 3439
						rx_control);

3440 3441
	chan->expected_ack_seq = __get_reqseq(rx_control);
	l2cap_drop_acked_frames(chan);
3442

3443
	if (rx_control & L2CAP_CTRL_POLL) {
3444 3445 3446
		chan->conn_state |= L2CAP_CONN_SEND_FBIT;
		if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
			if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3447
					(chan->unacked_frames > 0))
3448 3449
				__mod_retrans_timer();

3450 3451
			chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
			l2cap_send_srejtail(chan);
3452
		} else {
3453
			l2cap_send_i_or_rr_or_rnr(chan);
3454
		}
3455

3456
	} else if (rx_control & L2CAP_CTRL_FINAL) {
3457
		chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3458

3459 3460
		if (chan->conn_state & L2CAP_CONN_REJ_ACT)
			chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3461
		else
3462
			l2cap_retransmit_frames(chan);
3463

3464
	} else {
3465
		if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
3466
				(chan->unacked_frames > 0))
3467
			__mod_retrans_timer();
3468

3469 3470 3471
		chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
		if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
			l2cap_send_ack(chan);
3472
		else
3473
			l2cap_ertm_send(chan);
3474 3475
	}
}
3476

3477
static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
3478 3479
{
	u8 tx_seq = __get_reqseq(rx_control);
3480

3481
	BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3482

3483
	chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3484

3485 3486
	chan->expected_ack_seq = tx_seq;
	l2cap_drop_acked_frames(chan);
3487 3488

	if (rx_control & L2CAP_CTRL_FINAL) {
3489 3490
		if (chan->conn_state & L2CAP_CONN_REJ_ACT)
			chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
3491
		else
3492
			l2cap_retransmit_frames(chan);
3493
	} else {
3494
		l2cap_retransmit_frames(chan);
3495

3496 3497
		if (chan->conn_state & L2CAP_CONN_WAIT_F)
			chan->conn_state |= L2CAP_CONN_REJ_ACT;
3498 3499
	}
}
3500
static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
3501 3502
{
	u8 tx_seq = __get_reqseq(rx_control);
3503

3504
	BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3505

3506
	chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
3507

3508
	if (rx_control & L2CAP_CTRL_POLL) {
3509 3510
		chan->expected_ack_seq = tx_seq;
		l2cap_drop_acked_frames(chan);
3511

3512 3513
		chan->conn_state |= L2CAP_CONN_SEND_FBIT;
		l2cap_retransmit_one_frame(chan, tx_seq);
3514

3515
		l2cap_ertm_send(chan);
3516

3517
		if (chan->conn_state & L2CAP_CONN_WAIT_F) {
3518
			chan->srej_save_reqseq = tx_seq;
3519
			chan->conn_state |= L2CAP_CONN_SREJ_ACT;
3520
		}
3521
	} else if (rx_control & L2CAP_CTRL_FINAL) {
3522
		if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
3523
				chan->srej_save_reqseq == tx_seq)
3524
			chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
3525
		else
3526
			l2cap_retransmit_one_frame(chan, tx_seq);
3527
	} else {
3528 3529
		l2cap_retransmit_one_frame(chan, tx_seq);
		if (chan->conn_state & L2CAP_CONN_WAIT_F) {
3530
			chan->srej_save_reqseq = tx_seq;
3531
			chan->conn_state |= L2CAP_CONN_SREJ_ACT;
3532
		}
3533 3534 3535
	}
}

3536
static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
3537 3538 3539
{
	u8 tx_seq = __get_reqseq(rx_control);

3540
	BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
3541

3542
	chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
3543 3544
	chan->expected_ack_seq = tx_seq;
	l2cap_drop_acked_frames(chan);
3545

3546
	if (rx_control & L2CAP_CTRL_POLL)
3547
		chan->conn_state |= L2CAP_CONN_SEND_FBIT;
3548

3549
	if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
3550
		del_timer(&chan->retrans_timer);
3551
		if (rx_control & L2CAP_CTRL_POLL)
3552
			l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
3553
		return;
3554
	}
3555 3556

	if (rx_control & L2CAP_CTRL_POLL)
3557
		l2cap_send_srejtail(chan);
3558
	else
3559
		l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
3560 3561
}

3562
static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
3563
{
3564
	BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
3565

3566
	if (L2CAP_CTRL_FINAL & rx_control &&
3567
			chan->conn_state & L2CAP_CONN_WAIT_F) {
3568
		del_timer(&chan->monitor_timer);
3569
		if (chan->unacked_frames > 0)
3570
			__mod_retrans_timer();
3571
		chan->conn_state &= ~L2CAP_CONN_WAIT_F;
3572 3573 3574 3575
	}

	switch (rx_control & L2CAP_CTRL_SUPERVISE) {
	case L2CAP_SUPER_RCV_READY:
3576
		l2cap_data_channel_rrframe(chan, rx_control);
3577 3578
		break;

3579
	case L2CAP_SUPER_REJECT:
3580
		l2cap_data_channel_rejframe(chan, rx_control);
3581
		break;
3582

3583
	case L2CAP_SUPER_SELECT_REJECT:
3584
		l2cap_data_channel_srejframe(chan, rx_control);
3585 3586 3587
		break;

	case L2CAP_SUPER_RCV_NOT_READY:
3588
		l2cap_data_channel_rnrframe(chan, rx_control);
3589 3590 3591
		break;
	}

3592
	kfree_skb(skb);
3593 3594 3595
	return 0;
}

3596 3597
static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
{
3598
	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
3599 3600 3601 3602 3603 3604 3605 3606 3607 3608 3609 3610 3611
	u16 control;
	u8 req_seq;
	int len, next_tx_seq_offset, req_seq_offset;

	control = get_unaligned_le16(skb->data);
	skb_pull(skb, 2);
	len = skb->len;

	/*
	 * We can just drop the corrupted I-frame here.
	 * Receiver will miss it and start proper recovery
	 * procedures and ask retransmission.
	 */
3612
	if (l2cap_check_fcs(chan, skb))
3613 3614 3615 3616 3617
		goto drop;

	if (__is_sar_start(control) && __is_iframe(control))
		len -= 2;

3618
	if (chan->fcs == L2CAP_FCS_CRC16)
3619 3620
		len -= 2;

3621
	if (len > chan->mps) {
3622
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3623 3624 3625 3626
		goto drop;
	}

	req_seq = __get_reqseq(control);
3627
	req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
3628 3629 3630 3631
	if (req_seq_offset < 0)
		req_seq_offset += 64;

	next_tx_seq_offset =
3632
		(chan->next_tx_seq - chan->expected_ack_seq) % 64;
3633 3634 3635 3636 3637
	if (next_tx_seq_offset < 0)
		next_tx_seq_offset += 64;

	/* check for invalid req-seq */
	if (req_seq_offset > next_tx_seq_offset) {
3638
		l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3639 3640 3641 3642 3643
		goto drop;
	}

	if (__is_iframe(control)) {
		if (len < 0) {
3644
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3645 3646 3647
			goto drop;
		}

3648
		l2cap_data_channel_iframe(chan, control, skb);
3649 3650 3651
	} else {
		if (len != 0) {
			BT_ERR("%d", len);
3652
			l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3653 3654 3655
			goto drop;
		}

3656
		l2cap_data_channel_sframe(chan, control, skb);
3657 3658 3659 3660 3661 3662 3663 3664 3665
	}

	return 0;

drop:
	kfree_skb(skb);
	return 0;
}

L
Linus Torvalds 已提交
3666 3667
static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
{
3668
	struct l2cap_chan *chan;
3669
	struct sock *sk = NULL;
3670
	struct l2cap_pinfo *pi;
3671
	u16 control;
3672 3673
	u8 tx_seq;
	int len;
L
Linus Torvalds 已提交
3674

3675
	chan = l2cap_get_chan_by_scid(conn, cid);
3676
	if (!chan) {
L
Linus Torvalds 已提交
3677 3678 3679 3680
		BT_DBG("unknown cid 0x%4.4x", cid);
		goto drop;
	}

3681
	sk = chan->sk;
3682 3683
	pi = l2cap_pi(sk);

3684
	BT_DBG("chan %p, len %d", chan, skb->len);
L
Linus Torvalds 已提交
3685 3686 3687 3688

	if (sk->sk_state != BT_CONNECTED)
		goto drop;

3689
	switch (chan->mode) {
3690 3691 3692 3693 3694
	case L2CAP_MODE_BASIC:
		/* If socket recv buffers overflows we drop data here
		 * which is *bad* because L2CAP has to be reliable.
		 * But we don't have any other choice. L2CAP doesn't
		 * provide flow control mechanism. */
L
Linus Torvalds 已提交
3695

3696
		if (chan->imtu < skb->len)
3697
			goto drop;
L
Linus Torvalds 已提交
3698

3699 3700 3701 3702 3703
		if (!sock_queue_rcv_skb(sk, skb))
			goto done;
		break;

	case L2CAP_MODE_ERTM:
3704 3705
		if (!sock_owned_by_user(sk)) {
			l2cap_ertm_data_rcv(sk, skb);
3706
		} else {
3707
			if (sk_add_backlog(sk, skb))
3708 3709
				goto drop;
		}
3710

3711
		goto done;
3712

3713 3714 3715 3716 3717
	case L2CAP_MODE_STREAMING:
		control = get_unaligned_le16(skb->data);
		skb_pull(skb, 2);
		len = skb->len;

3718
		if (l2cap_check_fcs(chan, skb))
3719 3720
			goto drop;

3721 3722 3723
		if (__is_sar_start(control))
			len -= 2;

3724
		if (chan->fcs == L2CAP_FCS_CRC16)
3725 3726
			len -= 2;

3727
		if (len > chan->mps || len < 0 || __is_sframe(control))
3728 3729 3730 3731
			goto drop;

		tx_seq = __get_txseq(control);

3732 3733
		if (chan->expected_tx_seq == tx_seq)
			chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
3734
		else
3735
			chan->expected_tx_seq = (tx_seq + 1) % 64;
3736

3737
		l2cap_streaming_reassembly_sdu(chan, skb, control);
3738 3739 3740

		goto done;

3741
	default:
3742
		BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
3743 3744
		break;
	}
L
Linus Torvalds 已提交
3745 3746 3747 3748 3749

drop:
	kfree_skb(skb);

done:
3750 3751 3752
	if (sk)
		bh_unlock_sock(sk);

L
Linus Torvalds 已提交
3753 3754 3755
	return 0;
}

3756
static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
L
Linus Torvalds 已提交
3757 3758
{
	struct sock *sk;
3759
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
3760

3761 3762
	chan = l2cap_global_chan_by_psm(0, psm, conn->src);
	if (!chan)
L
Linus Torvalds 已提交
3763 3764
		goto drop;

3765 3766
	sk = chan->sk;

3767 3768
	bh_lock_sock(sk);

L
Linus Torvalds 已提交
3769 3770 3771 3772 3773
	BT_DBG("sk %p, len %d", sk, skb->len);

	if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
		goto drop;

3774
	if (l2cap_pi(sk)->chan->imtu < skb->len)
L
Linus Torvalds 已提交
3775 3776 3777 3778 3779 3780 3781 3782 3783
		goto drop;

	if (!sock_queue_rcv_skb(sk, skb))
		goto done;

drop:
	kfree_skb(skb);

done:
3784 3785
	if (sk)
		bh_unlock_sock(sk);
L
Linus Torvalds 已提交
3786 3787 3788
	return 0;
}

3789 3790 3791
static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
{
	struct sock *sk;
3792
	struct l2cap_chan *chan;
3793

3794 3795
	chan = l2cap_global_chan_by_scid(0, cid, conn->src);
	if (!chan)
3796 3797
		goto drop;

3798 3799
	sk = chan->sk;

3800 3801 3802 3803 3804 3805 3806
	bh_lock_sock(sk);

	BT_DBG("sk %p, len %d", sk, skb->len);

	if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
		goto drop;

3807
	if (l2cap_pi(sk)->chan->imtu < skb->len)
3808 3809 3810 3811 3812 3813 3814 3815 3816 3817 3818 3819 3820 3821
		goto drop;

	if (!sock_queue_rcv_skb(sk, skb))
		goto done;

drop:
	kfree_skb(skb);

done:
	if (sk)
		bh_unlock_sock(sk);
	return 0;
}

L
Linus Torvalds 已提交
3822 3823 3824
static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct l2cap_hdr *lh = (void *) skb->data;
3825 3826
	u16 cid, len;
	__le16 psm;
L
Linus Torvalds 已提交
3827 3828 3829 3830 3831

	skb_pull(skb, L2CAP_HDR_SIZE);
	cid = __le16_to_cpu(lh->cid);
	len = __le16_to_cpu(lh->len);

3832 3833 3834 3835 3836
	if (len != skb->len) {
		kfree_skb(skb);
		return;
	}

L
Linus Torvalds 已提交
3837 3838 3839
	BT_DBG("len %d, cid 0x%4.4x", len, cid);

	switch (cid) {
3840
	case L2CAP_CID_LE_SIGNALING:
3841
	case L2CAP_CID_SIGNALING:
L
Linus Torvalds 已提交
3842 3843 3844
		l2cap_sig_channel(conn, skb);
		break;

3845
	case L2CAP_CID_CONN_LESS:
3846
		psm = get_unaligned_le16(skb->data);
L
Linus Torvalds 已提交
3847 3848 3849 3850
		skb_pull(skb, 2);
		l2cap_conless_channel(conn, psm, skb);
		break;

3851 3852 3853 3854
	case L2CAP_CID_LE_DATA:
		l2cap_att_channel(conn, cid, skb);
		break;

L
Linus Torvalds 已提交
3855 3856 3857 3858 3859 3860 3861 3862 3863 3864 3865
	default:
		l2cap_data_channel(conn, cid, skb);
		break;
	}
}

/* ---- L2CAP interface with lower layer (HCI) ---- */

static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
{
	int exact = 0, lm1 = 0, lm2 = 0;
3866
	struct l2cap_chan *c;
L
Linus Torvalds 已提交
3867 3868

	if (type != ACL_LINK)
3869
		return -EINVAL;
L
Linus Torvalds 已提交
3870 3871 3872 3873

	BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));

	/* Find listening sockets and check their link_mode */
3874 3875 3876
	read_lock(&chan_list_lock);
	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;
3877

L
Linus Torvalds 已提交
3878 3879 3880 3881
		if (sk->sk_state != BT_LISTEN)
			continue;

		if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
3882
			lm1 |= HCI_LM_ACCEPT;
3883
			if (c->role_switch)
3884
				lm1 |= HCI_LM_MASTER;
L
Linus Torvalds 已提交
3885
			exact++;
3886 3887
		} else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
			lm2 |= HCI_LM_ACCEPT;
3888
			if (c->role_switch)
3889 3890
				lm2 |= HCI_LM_MASTER;
		}
L
Linus Torvalds 已提交
3891
	}
3892
	read_unlock(&chan_list_lock);
L
Linus Torvalds 已提交
3893 3894 3895 3896 3897 3898

	return exact ? lm1 : lm2;
}

static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
{
3899 3900
	struct l2cap_conn *conn;

L
Linus Torvalds 已提交
3901 3902
	BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);

3903
	if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
3904
		return -EINVAL;
L
Linus Torvalds 已提交
3905 3906 3907 3908 3909

	if (!status) {
		conn = l2cap_conn_add(hcon, status);
		if (conn)
			l2cap_conn_ready(conn);
3910
	} else
L
Linus Torvalds 已提交
3911 3912 3913 3914 3915
		l2cap_conn_del(hcon, bt_err(status));

	return 0;
}

3916 3917 3918 3919 3920 3921 3922 3923 3924 3925 3926 3927 3928
static int l2cap_disconn_ind(struct hci_conn *hcon)
{
	struct l2cap_conn *conn = hcon->l2cap_data;

	BT_DBG("hcon %p", hcon);

	if (hcon->type != ACL_LINK || !conn)
		return 0x13;

	return conn->disc_reason;
}

static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
L
Linus Torvalds 已提交
3929 3930 3931
{
	BT_DBG("hcon %p reason %d", hcon, reason);

3932
	if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
3933
		return -EINVAL;
L
Linus Torvalds 已提交
3934 3935

	l2cap_conn_del(hcon, bt_err(reason));
3936

L
Linus Torvalds 已提交
3937 3938 3939
	return 0;
}

3940
static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
3941
{
3942 3943
	struct sock *sk = chan->sk;

3944
	if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
3945 3946
		return;

3947
	if (encrypt == 0x00) {
3948
		if (chan->sec_level == BT_SECURITY_MEDIUM) {
3949 3950
			l2cap_sock_clear_timer(sk);
			l2cap_sock_set_timer(sk, HZ * 5);
3951
		} else if (chan->sec_level == BT_SECURITY_HIGH)
3952 3953
			__l2cap_sock_close(sk, ECONNREFUSED);
	} else {
3954
		if (chan->sec_level == BT_SECURITY_MEDIUM)
3955 3956 3957 3958
			l2cap_sock_clear_timer(sk);
	}
}

3959
static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
L
Linus Torvalds 已提交
3960
{
3961
	struct l2cap_conn *conn = hcon->l2cap_data;
3962
	struct l2cap_chan *chan;
L
Linus Torvalds 已提交
3963

3964
	if (!conn)
L
Linus Torvalds 已提交
3965
		return 0;
3966

L
Linus Torvalds 已提交
3967 3968
	BT_DBG("conn %p", conn);

3969
	read_lock(&conn->chan_lock);
L
Linus Torvalds 已提交
3970

3971
	list_for_each_entry(chan, &conn->chan_l, list) {
3972
		struct sock *sk = chan->sk;
3973

L
Linus Torvalds 已提交
3974 3975
		bh_lock_sock(sk);

3976
		if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
3977 3978 3979 3980
			bh_unlock_sock(sk);
			continue;
		}

3981
		if (!status && (sk->sk_state == BT_CONNECTED ||
3982
						sk->sk_state == BT_CONFIG)) {
3983
			l2cap_check_encryption(chan, encrypt);
3984 3985 3986 3987
			bh_unlock_sock(sk);
			continue;
		}

3988 3989 3990
		if (sk->sk_state == BT_CONNECT) {
			if (!status) {
				struct l2cap_conn_req req;
3991 3992
				req.scid = cpu_to_le16(chan->scid);
				req.psm  = chan->psm;
L
Linus Torvalds 已提交
3993

3994
				chan->ident = l2cap_get_ident(conn);
3995
				chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
L
Linus Torvalds 已提交
3996

3997
				l2cap_send_cmd(conn, chan->ident,
3998 3999 4000 4001 4002 4003 4004 4005
					L2CAP_CONN_REQ, sizeof(req), &req);
			} else {
				l2cap_sock_clear_timer(sk);
				l2cap_sock_set_timer(sk, HZ / 10);
			}
		} else if (sk->sk_state == BT_CONNECT2) {
			struct l2cap_conn_rsp rsp;
			__u16 result;
L
Linus Torvalds 已提交
4006

4007 4008 4009 4010 4011 4012 4013 4014 4015
			if (!status) {
				sk->sk_state = BT_CONFIG;
				result = L2CAP_CR_SUCCESS;
			} else {
				sk->sk_state = BT_DISCONN;
				l2cap_sock_set_timer(sk, HZ / 10);
				result = L2CAP_CR_SEC_BLOCK;
			}

4016 4017
			rsp.scid   = cpu_to_le16(chan->dcid);
			rsp.dcid   = cpu_to_le16(chan->scid);
4018
			rsp.result = cpu_to_le16(result);
4019
			rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4020 4021
			l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
							sizeof(rsp), &rsp);
4022
		}
L
Linus Torvalds 已提交
4023 4024 4025 4026

		bh_unlock_sock(sk);
	}

4027
	read_unlock(&conn->chan_lock);
4028

L
Linus Torvalds 已提交
4029 4030 4031 4032 4033 4034 4035
	return 0;
}

static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
{
	struct l2cap_conn *conn = hcon->l2cap_data;

4036 4037 4038 4039
	if (!conn)
		conn = l2cap_conn_add(hcon, 0);

	if (!conn)
L
Linus Torvalds 已提交
4040 4041 4042 4043
		goto drop;

	BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);

4044
	if (!(flags & ACL_CONT)) {
L
Linus Torvalds 已提交
4045
		struct l2cap_hdr *hdr;
4046
		struct l2cap_chan *chan;
4047
		u16 cid;
L
Linus Torvalds 已提交
4048 4049 4050 4051 4052 4053 4054 4055 4056 4057
		int len;

		if (conn->rx_len) {
			BT_ERR("Unexpected start frame (len %d)", skb->len);
			kfree_skb(conn->rx_skb);
			conn->rx_skb = NULL;
			conn->rx_len = 0;
			l2cap_conn_unreliable(conn, ECOMM);
		}

4058 4059
		/* Start fragment always begin with Basic L2CAP header */
		if (skb->len < L2CAP_HDR_SIZE) {
L
Linus Torvalds 已提交
4060 4061 4062 4063 4064 4065 4066
			BT_ERR("Frame is too short (len %d)", skb->len);
			l2cap_conn_unreliable(conn, ECOMM);
			goto drop;
		}

		hdr = (struct l2cap_hdr *) skb->data;
		len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4067
		cid = __le16_to_cpu(hdr->cid);
L
Linus Torvalds 已提交
4068 4069 4070 4071 4072 4073 4074 4075 4076 4077 4078 4079 4080 4081 4082 4083

		if (len == skb->len) {
			/* Complete frame received */
			l2cap_recv_frame(conn, skb);
			return 0;
		}

		BT_DBG("Start: total len %d, frag len %d", len, skb->len);

		if (skb->len > len) {
			BT_ERR("Frame is too long (len %d, expected len %d)",
				skb->len, len);
			l2cap_conn_unreliable(conn, ECOMM);
			goto drop;
		}

4084
		chan = l2cap_get_chan_by_scid(conn, cid);
4085

4086 4087
		if (chan && chan->sk) {
			struct sock *sk = chan->sk;
4088

4089
			if (chan->imtu < len - L2CAP_HDR_SIZE) {
4090 4091
				BT_ERR("Frame exceeding recv MTU (len %d, "
							"MTU %d)", len,
4092
							chan->imtu);
4093 4094 4095 4096
				bh_unlock_sock(sk);
				l2cap_conn_unreliable(conn, ECOMM);
				goto drop;
			}
4097
			bh_unlock_sock(sk);
4098
		}
4099

L
Linus Torvalds 已提交
4100
		/* Allocate skb for the complete frame (with header) */
4101 4102
		conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
		if (!conn->rx_skb)
L
Linus Torvalds 已提交
4103 4104
			goto drop;

4105
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4106
								skb->len);
L
Linus Torvalds 已提交
4107 4108 4109 4110 4111 4112 4113 4114 4115 4116 4117 4118 4119 4120 4121 4122 4123 4124 4125 4126
		conn->rx_len = len - skb->len;
	} else {
		BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);

		if (!conn->rx_len) {
			BT_ERR("Unexpected continuation frame (len %d)", skb->len);
			l2cap_conn_unreliable(conn, ECOMM);
			goto drop;
		}

		if (skb->len > conn->rx_len) {
			BT_ERR("Fragment is too long (len %d, expected %d)",
					skb->len, conn->rx_len);
			kfree_skb(conn->rx_skb);
			conn->rx_skb = NULL;
			conn->rx_len = 0;
			l2cap_conn_unreliable(conn, ECOMM);
			goto drop;
		}

4127
		skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4128
								skb->len);
L
Linus Torvalds 已提交
4129 4130 4131 4132 4133 4134 4135 4136 4137 4138 4139 4140 4141 4142
		conn->rx_len -= skb->len;

		if (!conn->rx_len) {
			/* Complete frame received */
			l2cap_recv_frame(conn, conn->rx_skb);
			conn->rx_skb = NULL;
		}
	}

drop:
	kfree_skb(skb);
	return 0;
}

4143
static int l2cap_debugfs_show(struct seq_file *f, void *p)
L
Linus Torvalds 已提交
4144
{
4145
	struct l2cap_chan *c;
L
Linus Torvalds 已提交
4146

4147
	read_lock_bh(&chan_list_lock);
L
Linus Torvalds 已提交
4148

4149 4150
	list_for_each_entry(c, &chan_list, global_l) {
		struct sock *sk = c->sk;
4151

4152
		seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4153 4154
					batostr(&bt_sk(sk)->src),
					batostr(&bt_sk(sk)->dst),
4155 4156 4157
					sk->sk_state, __le16_to_cpu(c->psm),
					c->scid, c->dcid, c->imtu, c->omtu,
					c->sec_level, c->mode);
4158
	}
L
Linus Torvalds 已提交
4159

4160
	read_unlock_bh(&chan_list_lock);
L
Linus Torvalds 已提交
4161

4162
	return 0;
L
Linus Torvalds 已提交
4163 4164
}

4165 4166 4167 4168 4169 4170 4171 4172 4173 4174 4175 4176 4177
static int l2cap_debugfs_open(struct inode *inode, struct file *file)
{
	return single_open(file, l2cap_debugfs_show, inode->i_private);
}

static const struct file_operations l2cap_debugfs_fops = {
	.open		= l2cap_debugfs_open,
	.read		= seq_read,
	.llseek		= seq_lseek,
	.release	= single_release,
};

static struct dentry *l2cap_debugfs;
L
Linus Torvalds 已提交
4178 4179 4180 4181 4182 4183 4184

static struct hci_proto l2cap_hci_proto = {
	.name		= "L2CAP",
	.id		= HCI_PROTO_L2CAP,
	.connect_ind	= l2cap_connect_ind,
	.connect_cfm	= l2cap_connect_cfm,
	.disconn_ind	= l2cap_disconn_ind,
4185
	.disconn_cfm	= l2cap_disconn_cfm,
4186
	.security_cfm	= l2cap_security_cfm,
L
Linus Torvalds 已提交
4187 4188 4189
	.recv_acldata	= l2cap_recv_acldata
};

4190
int __init l2cap_init(void)
L
Linus Torvalds 已提交
4191 4192
{
	int err;
4193

4194
	err = l2cap_init_sockets();
L
Linus Torvalds 已提交
4195 4196 4197
	if (err < 0)
		return err;

4198
	_busy_wq = create_singlethread_workqueue("l2cap");
4199
	if (!_busy_wq) {
4200
		err = -ENOMEM;
L
Linus Torvalds 已提交
4201 4202 4203 4204 4205 4206 4207 4208 4209 4210
		goto error;
	}

	err = hci_register_proto(&l2cap_hci_proto);
	if (err < 0) {
		BT_ERR("L2CAP protocol registration failed");
		bt_sock_unregister(BTPROTO_L2CAP);
		goto error;
	}

4211 4212 4213 4214 4215 4216
	if (bt_debugfs) {
		l2cap_debugfs = debugfs_create_file("l2cap", 0444,
					bt_debugfs, NULL, &l2cap_debugfs_fops);
		if (!l2cap_debugfs)
			BT_ERR("Failed to create L2CAP debug file");
	}
L
Linus Torvalds 已提交
4217 4218 4219 4220

	return 0;

error:
4221
	destroy_workqueue(_busy_wq);
4222
	l2cap_cleanup_sockets();
L
Linus Torvalds 已提交
4223 4224 4225
	return err;
}

4226
void l2cap_exit(void)
L
Linus Torvalds 已提交
4227
{
4228
	debugfs_remove(l2cap_debugfs);
L
Linus Torvalds 已提交
4229

4230 4231 4232
	flush_workqueue(_busy_wq);
	destroy_workqueue(_busy_wq);

L
Linus Torvalds 已提交
4233 4234 4235
	if (hci_unregister_proto(&l2cap_hci_proto) < 0)
		BT_ERR("L2CAP protocol unregistration failed");

4236
	l2cap_cleanup_sockets();
L
Linus Torvalds 已提交
4237 4238
}

4239 4240
module_param(disable_ertm, bool, 0644);
MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");