projects / deliverable / linux.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Bluetooth: Remove err parameter from alloc_skb()
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
... / ...
CommitLineData
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7
8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License version 2 as
12 published by the Free Software Foundation;
13
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
25 SOFTWARE IS DISCLAIMED.
26*/
27
28/* Bluetooth L2CAP core. */
29
30#include <linux/module.h>
31
32#include <linux/types.h>
33#include <linux/capability.h>
34#include <linux/errno.h>
35#include <linux/kernel.h>
36#include <linux/sched.h>
37#include <linux/slab.h>
38#include <linux/poll.h>
39#include <linux/fcntl.h>
40#include <linux/init.h>
41#include <linux/interrupt.h>
42#include <linux/socket.h>
43#include <linux/skbuff.h>
44#include <linux/list.h>
45#include <linux/device.h>
46#include <linux/debugfs.h>
47#include <linux/seq_file.h>
48#include <linux/uaccess.h>
49#include <linux/crc16.h>
50#include <net/sock.h>
51
52#include <asm/unaligned.h>
53
54#include <net/bluetooth/bluetooth.h>
55#include <net/bluetooth/hci_core.h>
56#include <net/bluetooth/l2cap.h>
57#include <net/bluetooth/smp.h>
58
59bool disable_ertm;
60
61static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
62static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
63
64static LIST_HEAD(chan_list);
65static DEFINE_RWLOCK(chan_list_lock);
66
67static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
68 u8 code, u8 ident, u16 dlen, void *data);
69static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
70 void *data);
71static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
72static void l2cap_send_disconn_req(struct l2cap_conn *conn,
73 struct l2cap_chan *chan, int err);
74
75/* ---- L2CAP channels ---- */
76
77static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
78{
79 struct l2cap_chan *c;
80
81 list_for_each_entry(c, &conn->chan_l, list) {
82 if (c->dcid == cid)
83 return c;
84 }
85 return NULL;
86}
87
88static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
89{
90 struct l2cap_chan *c;
91
92 list_for_each_entry(c, &conn->chan_l, list) {
93 if (c->scid == cid)
94 return c;
95 }
96 return NULL;
97}
98
99/* Find channel with given SCID.
100 * Returns locked socket */
101static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
102{
103 struct l2cap_chan *c;
104
105 mutex_lock(&conn->chan_lock);
106 c = __l2cap_get_chan_by_scid(conn, cid);
107 mutex_unlock(&conn->chan_lock);
108
109 return c;
110}
111
112static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
113{
114 struct l2cap_chan *c;
115
116 list_for_each_entry(c, &conn->chan_l, list) {
117 if (c->ident == ident)
118 return c;
119 }
120 return NULL;
121}
122
123static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
124{
125 struct l2cap_chan *c;
126
127 mutex_lock(&conn->chan_lock);
128 c = __l2cap_get_chan_by_ident(conn, ident);
129 mutex_unlock(&conn->chan_lock);
130
131 return c;
132}
133
134static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
135{
136 struct l2cap_chan *c;
137
138 list_for_each_entry(c, &chan_list, global_l) {
139 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
140 return c;
141 }
142 return NULL;
143}
144
145int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
146{
147 int err;
148
149 write_lock(&chan_list_lock);
150
151 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
152 err = -EADDRINUSE;
153 goto done;
154 }
155
156 if (psm) {
157 chan->psm = psm;
158 chan->sport = psm;
159 err = 0;
160 } else {
161 u16 p;
162
163 err = -EINVAL;
164 for (p = 0x1001; p < 0x1100; p += 2)
165 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
166 chan->psm = cpu_to_le16(p);
167 chan->sport = cpu_to_le16(p);
168 err = 0;
169 break;
170 }
171 }
172
173done:
174 write_unlock(&chan_list_lock);
175 return err;
176}
177
178int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
179{
180 write_lock(&chan_list_lock);
181
182 chan->scid = scid;
183
184 write_unlock(&chan_list_lock);
185
186 return 0;
187}
188
189static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
190{
191 u16 cid = L2CAP_CID_DYN_START;
192
193 for (; cid < L2CAP_CID_DYN_END; cid++) {
194 if (!__l2cap_get_chan_by_scid(conn, cid))
195 return cid;
196 }
197
198 return 0;
199}
200
201static void __l2cap_state_change(struct l2cap_chan *chan, int state)
202{
203 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
204 state_to_string(state));
205
206 chan->state = state;
207 chan->ops->state_change(chan->data, state);
208}
209
210static void l2cap_state_change(struct l2cap_chan *chan, int state)
211{
212 struct sock *sk = chan->sk;
213
214 lock_sock(sk);
215 __l2cap_state_change(chan, state);
216 release_sock(sk);
217}
218
219static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
220{
221 struct sock *sk = chan->sk;
222
223 sk->sk_err = err;
224}
225
226static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
227{
228 struct sock *sk = chan->sk;
229
230 lock_sock(sk);
231 __l2cap_chan_set_err(chan, err);
232 release_sock(sk);
233}
234
235static void l2cap_chan_timeout(struct work_struct *work)
236{
237 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
238 chan_timer.work);
239 struct l2cap_conn *conn = chan->conn;
240 int reason;
241
242 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
243
244 mutex_lock(&conn->chan_lock);
245 l2cap_chan_lock(chan);
246
247 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
248 reason = ECONNREFUSED;
249 else if (chan->state == BT_CONNECT &&
250 chan->sec_level != BT_SECURITY_SDP)
251 reason = ECONNREFUSED;
252 else
253 reason = ETIMEDOUT;
254
255 l2cap_chan_close(chan, reason);
256
257 l2cap_chan_unlock(chan);
258
259 chan->ops->close(chan->data);
260 mutex_unlock(&conn->chan_lock);
261
262 l2cap_chan_put(chan);
263}
264
265struct l2cap_chan *l2cap_chan_create(void)
266{
267 struct l2cap_chan *chan;
268
269 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
270 if (!chan)
271 return NULL;
272
273 mutex_init(&chan->lock);
274
275 write_lock(&chan_list_lock);
276 list_add(&chan->global_l, &chan_list);
277 write_unlock(&chan_list_lock);
278
279 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
280
281 chan->state = BT_OPEN;
282
283 atomic_set(&chan->refcnt, 1);
284
285 BT_DBG("chan %p", chan);
286
287 return chan;
288}
289
290void l2cap_chan_destroy(struct l2cap_chan *chan)
291{
292 write_lock(&chan_list_lock);
293 list_del(&chan->global_l);
294 write_unlock(&chan_list_lock);
295
296 l2cap_chan_put(chan);
297}
298
299void l2cap_chan_set_defaults(struct l2cap_chan *chan)
300{
301 chan->fcs = L2CAP_FCS_CRC16;
302 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
303 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
304 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
305 chan->sec_level = BT_SECURITY_LOW;
306
307 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
308}
309
310static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
311{
312 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
313 __le16_to_cpu(chan->psm), chan->dcid);
314
315 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
316
317 chan->conn = conn;
318
319 switch (chan->chan_type) {
320 case L2CAP_CHAN_CONN_ORIENTED:
321 if (conn->hcon->type == LE_LINK) {
322 /* LE connection */
323 chan->omtu = L2CAP_LE_DEFAULT_MTU;
324 chan->scid = L2CAP_CID_LE_DATA;
325 chan->dcid = L2CAP_CID_LE_DATA;
326 } else {
327 /* Alloc CID for connection-oriented socket */
328 chan->scid = l2cap_alloc_cid(conn);
329 chan->omtu = L2CAP_DEFAULT_MTU;
330 }
331 break;
332
333 case L2CAP_CHAN_CONN_LESS:
334 /* Connectionless socket */
335 chan->scid = L2CAP_CID_CONN_LESS;
336 chan->dcid = L2CAP_CID_CONN_LESS;
337 chan->omtu = L2CAP_DEFAULT_MTU;
338 break;
339
340 default:
341 /* Raw socket can send/recv signalling messages only */
342 chan->scid = L2CAP_CID_SIGNALING;
343 chan->dcid = L2CAP_CID_SIGNALING;
344 chan->omtu = L2CAP_DEFAULT_MTU;
345 }
346
347 chan->local_id = L2CAP_BESTEFFORT_ID;
348 chan->local_stype = L2CAP_SERV_BESTEFFORT;
349 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
350 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
351 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
352 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
353
354 l2cap_chan_hold(chan);
355
356 list_add(&chan->list, &conn->chan_l);
357}
358
359static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
360{
361 mutex_lock(&conn->chan_lock);
362 __l2cap_chan_add(conn, chan);
363 mutex_unlock(&conn->chan_lock);
364}
365
366static void l2cap_chan_del(struct l2cap_chan *chan, int err)
367{
368 struct sock *sk = chan->sk;
369 struct l2cap_conn *conn = chan->conn;
370 struct sock *parent = bt_sk(sk)->parent;
371
372 __clear_chan_timer(chan);
373
374 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
375
376 if (conn) {
377 /* Delete from channel list */
378 list_del(&chan->list);
379
380 l2cap_chan_put(chan);
381
382 chan->conn = NULL;
383 hci_conn_put(conn->hcon);
384 }
385
386 lock_sock(sk);
387
388 __l2cap_state_change(chan, BT_CLOSED);
389 sock_set_flag(sk, SOCK_ZAPPED);
390
391 if (err)
392 __l2cap_chan_set_err(chan, err);
393
394 if (parent) {
395 bt_accept_unlink(sk);
396 parent->sk_data_ready(parent, 0);
397 } else
398 sk->sk_state_change(sk);
399
400 release_sock(sk);
401
402 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
403 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
404 return;
405
406 skb_queue_purge(&chan->tx_q);
407
408 if (chan->mode == L2CAP_MODE_ERTM) {
409 struct srej_list *l, *tmp;
410
411 __clear_retrans_timer(chan);
412 __clear_monitor_timer(chan);
413 __clear_ack_timer(chan);
414
415 skb_queue_purge(&chan->srej_q);
416
417 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
418 list_del(&l->list);
419 kfree(l);
420 }
421 }
422}
423
424static void l2cap_chan_cleanup_listen(struct sock *parent)
425{
426 struct sock *sk;
427
428 BT_DBG("parent %p", parent);
429
430 /* Close not yet accepted channels */
431 while ((sk = bt_accept_dequeue(parent, NULL))) {
432 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
433
434 l2cap_chan_lock(chan);
435 __clear_chan_timer(chan);
436 l2cap_chan_close(chan, ECONNRESET);
437 l2cap_chan_unlock(chan);
438
439 chan->ops->close(chan->data);
440 }
441}
442
443void l2cap_chan_close(struct l2cap_chan *chan, int reason)
444{
445 struct l2cap_conn *conn = chan->conn;
446 struct sock *sk = chan->sk;
447
448 BT_DBG("chan %p state %s sk %p", chan,
449 state_to_string(chan->state), sk);
450
451 switch (chan->state) {
452 case BT_LISTEN:
453 lock_sock(sk);
454 l2cap_chan_cleanup_listen(sk);
455
456 __l2cap_state_change(chan, BT_CLOSED);
457 sock_set_flag(sk, SOCK_ZAPPED);
458 release_sock(sk);
459 break;
460
461 case BT_CONNECTED:
462 case BT_CONFIG:
463 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
464 conn->hcon->type == ACL_LINK) {
465 __set_chan_timer(chan, sk->sk_sndtimeo);
466 l2cap_send_disconn_req(conn, chan, reason);
467 } else
468 l2cap_chan_del(chan, reason);
469 break;
470
471 case BT_CONNECT2:
472 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
473 conn->hcon->type == ACL_LINK) {
474 struct l2cap_conn_rsp rsp;
475 __u16 result;
476
477 if (bt_sk(sk)->defer_setup)
478 result = L2CAP_CR_SEC_BLOCK;
479 else
480 result = L2CAP_CR_BAD_PSM;
481 l2cap_state_change(chan, BT_DISCONN);
482
483 rsp.scid = cpu_to_le16(chan->dcid);
484 rsp.dcid = cpu_to_le16(chan->scid);
485 rsp.result = cpu_to_le16(result);
486 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
487 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
488 sizeof(rsp), &rsp);
489 }
490
491 l2cap_chan_del(chan, reason);
492 break;
493
494 case BT_CONNECT:
495 case BT_DISCONN:
496 l2cap_chan_del(chan, reason);
497 break;
498
499 default:
500 lock_sock(sk);
501 sock_set_flag(sk, SOCK_ZAPPED);
502 release_sock(sk);
503 break;
504 }
505}
506
507static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
508{
509 if (chan->chan_type == L2CAP_CHAN_RAW) {
510 switch (chan->sec_level) {
511 case BT_SECURITY_HIGH:
512 return HCI_AT_DEDICATED_BONDING_MITM;
513 case BT_SECURITY_MEDIUM:
514 return HCI_AT_DEDICATED_BONDING;
515 default:
516 return HCI_AT_NO_BONDING;
517 }
518 } else if (chan->psm == cpu_to_le16(0x0001)) {
519 if (chan->sec_level == BT_SECURITY_LOW)
520 chan->sec_level = BT_SECURITY_SDP;
521
522 if (chan->sec_level == BT_SECURITY_HIGH)
523 return HCI_AT_NO_BONDING_MITM;
524 else
525 return HCI_AT_NO_BONDING;
526 } else {
527 switch (chan->sec_level) {
528 case BT_SECURITY_HIGH:
529 return HCI_AT_GENERAL_BONDING_MITM;
530 case BT_SECURITY_MEDIUM:
531 return HCI_AT_GENERAL_BONDING;
532 default:
533 return HCI_AT_NO_BONDING;
534 }
535 }
536}
537
538/* Service level security */
539int l2cap_chan_check_security(struct l2cap_chan *chan)
540{
541 struct l2cap_conn *conn = chan->conn;
542 __u8 auth_type;
543
544 auth_type = l2cap_get_auth_type(chan);
545
546 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
547}
548
549static u8 l2cap_get_ident(struct l2cap_conn *conn)
550{
551 u8 id;
552
553 /* Get next available identificator.
554 * 1 - 128 are used by kernel.
555 * 129 - 199 are reserved.
556 * 200 - 254 are used by utilities like l2ping, etc.
557 */
558
559 spin_lock(&conn->lock);
560
561 if (++conn->tx_ident > 128)
562 conn->tx_ident = 1;
563
564 id = conn->tx_ident;
565
566 spin_unlock(&conn->lock);
567
568 return id;
569}
570
571static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
572{
573 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
574 u8 flags;
575
576 BT_DBG("code 0x%2.2x", code);
577
578 if (!skb)
579 return;
580
581 if (lmp_no_flush_capable(conn->hcon->hdev))
582 flags = ACL_START_NO_FLUSH;
583 else
584 flags = ACL_START;
585
586 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
587 skb->priority = HCI_PRIO_MAX;
588
589 hci_send_acl(conn->hchan, skb, flags);
590}
591
592static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
593{
594 struct hci_conn *hcon = chan->conn->hcon;
595 u16 flags;
596
597 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
598 skb->priority);
599
600 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
601 lmp_no_flush_capable(hcon->hdev))
602 flags = ACL_START_NO_FLUSH;
603 else
604 flags = ACL_START;
605
606 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
607 hci_send_acl(chan->conn->hchan, skb, flags);
608}
609
610static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
611{
612 struct sk_buff *skb;
613 struct l2cap_hdr *lh;
614 struct l2cap_conn *conn = chan->conn;
615 int count, hlen;
616
617 if (chan->state != BT_CONNECTED)
618 return;
619
620 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
621 hlen = L2CAP_EXT_HDR_SIZE;
622 else
623 hlen = L2CAP_ENH_HDR_SIZE;
624
625 if (chan->fcs == L2CAP_FCS_CRC16)
626 hlen += L2CAP_FCS_SIZE;
627
628 BT_DBG("chan %p, control 0x%8.8x", chan, control);
629
630 count = min_t(unsigned int, conn->mtu, hlen);
631
632 control |= __set_sframe(chan);
633
634 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
635 control |= __set_ctrl_final(chan);
636
637 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
638 control |= __set_ctrl_poll(chan);
639
640 skb = bt_skb_alloc(count, GFP_ATOMIC);
641 if (!skb)
642 return;
643
644 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
645 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
646 lh->cid = cpu_to_le16(chan->dcid);
647
648 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
649
650 if (chan->fcs == L2CAP_FCS_CRC16) {
651 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
652 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
653 }
654
655 skb->priority = HCI_PRIO_MAX;
656 l2cap_do_send(chan, skb);
657}
658
659static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
660{
661 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
662 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
663 set_bit(CONN_RNR_SENT, &chan->conn_state);
664 } else
665 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
666
667 control |= __set_reqseq(chan, chan->buffer_seq);
668
669 l2cap_send_sframe(chan, control);
670}
671
672static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
673{
674 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
675}
676
677static void l2cap_send_conn_req(struct l2cap_chan *chan)
678{
679 struct l2cap_conn *conn = chan->conn;
680 struct l2cap_conn_req req;
681
682 req.scid = cpu_to_le16(chan->scid);
683 req.psm = chan->psm;
684
685 chan->ident = l2cap_get_ident(conn);
686
687 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
688
689 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
690}
691
692static void l2cap_do_start(struct l2cap_chan *chan)
693{
694 struct l2cap_conn *conn = chan->conn;
695
696 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
697 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
698 return;
699
700 if (l2cap_chan_check_security(chan) &&
701 __l2cap_no_conn_pending(chan))
702 l2cap_send_conn_req(chan);
703 } else {
704 struct l2cap_info_req req;
705 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
706
707 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
708 conn->info_ident = l2cap_get_ident(conn);
709
710 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
711
712 l2cap_send_cmd(conn, conn->info_ident,
713 L2CAP_INFO_REQ, sizeof(req), &req);
714 }
715}
716
717static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
718{
719 u32 local_feat_mask = l2cap_feat_mask;
720 if (!disable_ertm)
721 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
722
723 switch (mode) {
724 case L2CAP_MODE_ERTM:
725 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
726 case L2CAP_MODE_STREAMING:
727 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
728 default:
729 return 0x00;
730 }
731}
732
733static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
734{
735 struct sock *sk = chan->sk;
736 struct l2cap_disconn_req req;
737
738 if (!conn)
739 return;
740
741 if (chan->mode == L2CAP_MODE_ERTM) {
742 __clear_retrans_timer(chan);
743 __clear_monitor_timer(chan);
744 __clear_ack_timer(chan);
745 }
746
747 req.dcid = cpu_to_le16(chan->dcid);
748 req.scid = cpu_to_le16(chan->scid);
749 l2cap_send_cmd(conn, l2cap_get_ident(conn),
750 L2CAP_DISCONN_REQ, sizeof(req), &req);
751
752 lock_sock(sk);
753 __l2cap_state_change(chan, BT_DISCONN);
754 __l2cap_chan_set_err(chan, err);
755 release_sock(sk);
756}
757
758/* ---- L2CAP connections ---- */
759static void l2cap_conn_start(struct l2cap_conn *conn)
760{
761 struct l2cap_chan *chan, *tmp;
762
763 BT_DBG("conn %p", conn);
764
765 mutex_lock(&conn->chan_lock);
766
767 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
768 struct sock *sk = chan->sk;
769
770 l2cap_chan_lock(chan);
771
772 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
773 l2cap_chan_unlock(chan);
774 continue;
775 }
776
777 if (chan->state == BT_CONNECT) {
778 if (!l2cap_chan_check_security(chan) ||
779 !__l2cap_no_conn_pending(chan)) {
780 l2cap_chan_unlock(chan);
781 continue;
782 }
783
784 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
785 && test_bit(CONF_STATE2_DEVICE,
786 &chan->conf_state)) {
787 l2cap_chan_close(chan, ECONNRESET);
788 l2cap_chan_unlock(chan);
789 continue;
790 }
791
792 l2cap_send_conn_req(chan);
793
794 } else if (chan->state == BT_CONNECT2) {
795 struct l2cap_conn_rsp rsp;
796 char buf[128];
797 rsp.scid = cpu_to_le16(chan->dcid);
798 rsp.dcid = cpu_to_le16(chan->scid);
799
800 if (l2cap_chan_check_security(chan)) {
801 lock_sock(sk);
802 if (bt_sk(sk)->defer_setup) {
803 struct sock *parent = bt_sk(sk)->parent;
804 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
805 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
806 if (parent)
807 parent->sk_data_ready(parent, 0);
808
809 } else {
810 __l2cap_state_change(chan, BT_CONFIG);
811 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
812 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
813 }
814 release_sock(sk);
815 } else {
816 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
817 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
818 }
819
820 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
821 sizeof(rsp), &rsp);
822
823 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
824 rsp.result != L2CAP_CR_SUCCESS) {
825 l2cap_chan_unlock(chan);
826 continue;
827 }
828
829 set_bit(CONF_REQ_SENT, &chan->conf_state);
830 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
831 l2cap_build_conf_req(chan, buf), buf);
832 chan->num_conf_req++;
833 }
834
835 l2cap_chan_unlock(chan);
836 }
837
838 mutex_unlock(&conn->chan_lock);
839}
840
841/* Find socket with cid and source bdaddr.
842 * Returns closest match, locked.
843 */
844static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
845 bdaddr_t *src)
846{
847 struct l2cap_chan *c, *c1 = NULL;
848
849 read_lock(&chan_list_lock);
850
851 list_for_each_entry(c, &chan_list, global_l) {
852 struct sock *sk = c->sk;
853
854 if (state && c->state != state)
855 continue;
856
857 if (c->scid == cid) {
858 /* Exact match. */
859 if (!bacmp(&bt_sk(sk)->src, src)) {
860 read_unlock(&chan_list_lock);
861 return c;
862 }
863
864 /* Closest match */
865 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
866 c1 = c;
867 }
868 }
869
870 read_unlock(&chan_list_lock);
871
872 return c1;
873}
874
875static void l2cap_le_conn_ready(struct l2cap_conn *conn)
876{
877 struct sock *parent, *sk;
878 struct l2cap_chan *chan, *pchan;
879
880 BT_DBG("");
881
882 /* Check if we have socket listening on cid */
883 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
884 conn->src);
885 if (!pchan)
886 return;
887
888 parent = pchan->sk;
889
890 lock_sock(parent);
891
892 /* Check for backlog size */
893 if (sk_acceptq_is_full(parent)) {
894 BT_DBG("backlog full %d", parent->sk_ack_backlog);
895 goto clean;
896 }
897
898 chan = pchan->ops->new_connection(pchan->data);
899 if (!chan)
900 goto clean;
901
902 sk = chan->sk;
903
904 hci_conn_hold(conn->hcon);
905
906 bacpy(&bt_sk(sk)->src, conn->src);
907 bacpy(&bt_sk(sk)->dst, conn->dst);
908
909 bt_accept_enqueue(parent, sk);
910
911 l2cap_chan_add(conn, chan);
912
913 __set_chan_timer(chan, sk->sk_sndtimeo);
914
915 __l2cap_state_change(chan, BT_CONNECTED);
916 parent->sk_data_ready(parent, 0);
917
918clean:
919 release_sock(parent);
920}
921
922static void l2cap_chan_ready(struct l2cap_chan *chan)
923{
924 struct sock *sk = chan->sk;
925 struct sock *parent;
926
927 lock_sock(sk);
928
929 parent = bt_sk(sk)->parent;
930
931 BT_DBG("sk %p, parent %p", sk, parent);
932
933 chan->conf_state = 0;
934 __clear_chan_timer(chan);
935
936 __l2cap_state_change(chan, BT_CONNECTED);
937 sk->sk_state_change(sk);
938
939 if (parent)
940 parent->sk_data_ready(parent, 0);
941
942 release_sock(sk);
943}
944
945static void l2cap_conn_ready(struct l2cap_conn *conn)
946{
947 struct l2cap_chan *chan;
948
949 BT_DBG("conn %p", conn);
950
951 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
952 l2cap_le_conn_ready(conn);
953
954 if (conn->hcon->out && conn->hcon->type == LE_LINK)
955 smp_conn_security(conn, conn->hcon->pending_sec_level);
956
957 mutex_lock(&conn->chan_lock);
958
959 list_for_each_entry(chan, &conn->chan_l, list) {
960
961 l2cap_chan_lock(chan);
962
963 if (conn->hcon->type == LE_LINK) {
964 if (smp_conn_security(conn, chan->sec_level))
965 l2cap_chan_ready(chan);
966
967 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
968 struct sock *sk = chan->sk;
969 __clear_chan_timer(chan);
970 lock_sock(sk);
971 __l2cap_state_change(chan, BT_CONNECTED);
972 sk->sk_state_change(sk);
973 release_sock(sk);
974
975 } else if (chan->state == BT_CONNECT)
976 l2cap_do_start(chan);
977
978 l2cap_chan_unlock(chan);
979 }
980
981 mutex_unlock(&conn->chan_lock);
982}
983
984/* Notify sockets that we cannot guaranty reliability anymore */
985static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
986{
987 struct l2cap_chan *chan;
988
989 BT_DBG("conn %p", conn);
990
991 mutex_lock(&conn->chan_lock);
992
993 list_for_each_entry(chan, &conn->chan_l, list) {
994 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
995 __l2cap_chan_set_err(chan, err);
996 }
997
998 mutex_unlock(&conn->chan_lock);
999}
1000
1001static void l2cap_info_timeout(struct work_struct *work)
1002{
1003 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1004 info_timer.work);
1005
1006 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1007 conn->info_ident = 0;
1008
1009 l2cap_conn_start(conn);
1010}
1011
1012static void l2cap_conn_del(struct hci_conn *hcon, int err)
1013{
1014 struct l2cap_conn *conn = hcon->l2cap_data;
1015 struct l2cap_chan *chan, *l;
1016
1017 if (!conn)
1018 return;
1019
1020 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1021
1022 kfree_skb(conn->rx_skb);
1023
1024 mutex_lock(&conn->chan_lock);
1025
1026 /* Kill channels */
1027 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1028 l2cap_chan_lock(chan);
1029
1030 l2cap_chan_del(chan, err);
1031
1032 l2cap_chan_unlock(chan);
1033
1034 chan->ops->close(chan->data);
1035 }
1036
1037 mutex_unlock(&conn->chan_lock);
1038
1039 hci_chan_del(conn->hchan);
1040
1041 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1042 cancel_delayed_work_sync(&conn->info_timer);
1043
1044 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1045 cancel_delayed_work_sync(&conn->security_timer);
1046 smp_chan_destroy(conn);
1047 }
1048
1049 hcon->l2cap_data = NULL;
1050 kfree(conn);
1051}
1052
1053static void security_timeout(struct work_struct *work)
1054{
1055 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1056 security_timer.work);
1057
1058 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1059}
1060
1061static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1062{
1063 struct l2cap_conn *conn = hcon->l2cap_data;
1064 struct hci_chan *hchan;
1065
1066 if (conn || status)
1067 return conn;
1068
1069 hchan = hci_chan_create(hcon);
1070 if (!hchan)
1071 return NULL;
1072
1073 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1074 if (!conn) {
1075 hci_chan_del(hchan);
1076 return NULL;
1077 }
1078
1079 hcon->l2cap_data = conn;
1080 conn->hcon = hcon;
1081 conn->hchan = hchan;
1082
1083 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1084
1085 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1086 conn->mtu = hcon->hdev->le_mtu;
1087 else
1088 conn->mtu = hcon->hdev->acl_mtu;
1089
1090 conn->src = &hcon->hdev->bdaddr;
1091 conn->dst = &hcon->dst;
1092
1093 conn->feat_mask = 0;
1094
1095 spin_lock_init(&conn->lock);
1096 mutex_init(&conn->chan_lock);
1097
1098 INIT_LIST_HEAD(&conn->chan_l);
1099
1100 if (hcon->type == LE_LINK)
1101 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1102 else
1103 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1104
1105 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1106
1107 return conn;
1108}
1109
1110/* ---- Socket interface ---- */
1111
1112/* Find socket with psm and source bdaddr.
1113 * Returns closest match.
1114 */
1115static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
1116{
1117 struct l2cap_chan *c, *c1 = NULL;
1118
1119 read_lock(&chan_list_lock);
1120
1121 list_for_each_entry(c, &chan_list, global_l) {
1122 struct sock *sk = c->sk;
1123
1124 if (state && c->state != state)
1125 continue;
1126
1127 if (c->psm == psm) {
1128 /* Exact match. */
1129 if (!bacmp(&bt_sk(sk)->src, src)) {
1130 read_unlock(&chan_list_lock);
1131 return c;
1132 }
1133
1134 /* Closest match */
1135 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
1136 c1 = c;
1137 }
1138 }
1139
1140 read_unlock(&chan_list_lock);
1141
1142 return c1;
1143}
1144
1145int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1146{
1147 struct sock *sk = chan->sk;
1148 bdaddr_t *src = &bt_sk(sk)->src;
1149 struct l2cap_conn *conn;
1150 struct hci_conn *hcon;
1151 struct hci_dev *hdev;
1152 __u8 auth_type;
1153 int err;
1154
1155 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1156 __le16_to_cpu(chan->psm));
1157
1158 hdev = hci_get_route(dst, src);
1159 if (!hdev)
1160 return -EHOSTUNREACH;
1161
1162 hci_dev_lock(hdev);
1163
1164 l2cap_chan_lock(chan);
1165
1166 /* PSM must be odd and lsb of upper byte must be 0 */
1167 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1168 chan->chan_type != L2CAP_CHAN_RAW) {
1169 err = -EINVAL;
1170 goto done;
1171 }
1172
1173 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1174 err = -EINVAL;
1175 goto done;
1176 }
1177
1178 switch (chan->mode) {
1179 case L2CAP_MODE_BASIC:
1180 break;
1181 case L2CAP_MODE_ERTM:
1182 case L2CAP_MODE_STREAMING:
1183 if (!disable_ertm)
1184 break;
1185 /* fall through */
1186 default:
1187 err = -ENOTSUPP;
1188 goto done;
1189 }
1190
1191 lock_sock(sk);
1192
1193 switch (sk->sk_state) {
1194 case BT_CONNECT:
1195 case BT_CONNECT2:
1196 case BT_CONFIG:
1197 /* Already connecting */
1198 err = 0;
1199 release_sock(sk);
1200 goto done;
1201
1202 case BT_CONNECTED:
1203 /* Already connected */
1204 err = -EISCONN;
1205 release_sock(sk);
1206 goto done;
1207
1208 case BT_OPEN:
1209 case BT_BOUND:
1210 /* Can connect */
1211 break;
1212
1213 default:
1214 err = -EBADFD;
1215 release_sock(sk);
1216 goto done;
1217 }
1218
1219 /* Set destination address and psm */
1220 bacpy(&bt_sk(sk)->dst, dst);
1221
1222 release_sock(sk);
1223
1224 chan->psm = psm;
1225 chan->dcid = cid;
1226
1227 auth_type = l2cap_get_auth_type(chan);
1228
1229 if (chan->dcid == L2CAP_CID_LE_DATA)
1230 hcon = hci_connect(hdev, LE_LINK, dst,
1231 chan->sec_level, auth_type);
1232 else
1233 hcon = hci_connect(hdev, ACL_LINK, dst,
1234 chan->sec_level, auth_type);
1235
1236 if (IS_ERR(hcon)) {
1237 err = PTR_ERR(hcon);
1238 goto done;
1239 }
1240
1241 conn = l2cap_conn_add(hcon, 0);
1242 if (!conn) {
1243 hci_conn_put(hcon);
1244 err = -ENOMEM;
1245 goto done;
1246 }
1247
1248 /* Update source addr of the socket */
1249 bacpy(src, conn->src);
1250
1251 l2cap_chan_unlock(chan);
1252 l2cap_chan_add(conn, chan);
1253 l2cap_chan_lock(chan);
1254
1255 l2cap_state_change(chan, BT_CONNECT);
1256 __set_chan_timer(chan, sk->sk_sndtimeo);
1257
1258 if (hcon->state == BT_CONNECTED) {
1259 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1260 __clear_chan_timer(chan);
1261 if (l2cap_chan_check_security(chan))
1262 l2cap_state_change(chan, BT_CONNECTED);
1263 } else
1264 l2cap_do_start(chan);
1265 }
1266
1267 err = 0;
1268
1269done:
1270 l2cap_chan_unlock(chan);
1271 hci_dev_unlock(hdev);
1272 hci_dev_put(hdev);
1273 return err;
1274}
1275
1276int __l2cap_wait_ack(struct sock *sk)
1277{
1278 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1279 DECLARE_WAITQUEUE(wait, current);
1280 int err = 0;
1281 int timeo = HZ/5;
1282
1283 add_wait_queue(sk_sleep(sk), &wait);
1284 set_current_state(TASK_INTERRUPTIBLE);
1285 while (chan->unacked_frames > 0 && chan->conn) {
1286 if (!timeo)
1287 timeo = HZ/5;
1288
1289 if (signal_pending(current)) {
1290 err = sock_intr_errno(timeo);
1291 break;
1292 }
1293
1294 release_sock(sk);
1295 timeo = schedule_timeout(timeo);
1296 lock_sock(sk);
1297 set_current_state(TASK_INTERRUPTIBLE);
1298
1299 err = sock_error(sk);
1300 if (err)
1301 break;
1302 }
1303 set_current_state(TASK_RUNNING);
1304 remove_wait_queue(sk_sleep(sk), &wait);
1305 return err;
1306}
1307
1308static void l2cap_monitor_timeout(struct work_struct *work)
1309{
1310 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1311 monitor_timer.work);
1312
1313 BT_DBG("chan %p", chan);
1314
1315 l2cap_chan_lock(chan);
1316
1317 if (chan->retry_count >= chan->remote_max_tx) {
1318 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1319 l2cap_chan_unlock(chan);
1320 l2cap_chan_put(chan);
1321 return;
1322 }
1323
1324 chan->retry_count++;
1325 __set_monitor_timer(chan);
1326
1327 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1328 l2cap_chan_unlock(chan);
1329 l2cap_chan_put(chan);
1330}
1331
1332static void l2cap_retrans_timeout(struct work_struct *work)
1333{
1334 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1335 retrans_timer.work);
1336
1337 BT_DBG("chan %p", chan);
1338
1339 l2cap_chan_lock(chan);
1340
1341 chan->retry_count = 1;
1342 __set_monitor_timer(chan);
1343
1344 set_bit(CONN_WAIT_F, &chan->conn_state);
1345
1346 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1347
1348 l2cap_chan_unlock(chan);
1349 l2cap_chan_put(chan);
1350}
1351
1352static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1353{
1354 struct sk_buff *skb;
1355
1356 while ((skb = skb_peek(&chan->tx_q)) &&
1357 chan->unacked_frames) {
1358 if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
1359 break;
1360
1361 skb = skb_dequeue(&chan->tx_q);
1362 kfree_skb(skb);
1363
1364 chan->unacked_frames--;
1365 }
1366
1367 if (!chan->unacked_frames)
1368 __clear_retrans_timer(chan);
1369}
1370
1371static void l2cap_streaming_send(struct l2cap_chan *chan)
1372{
1373 struct sk_buff *skb;
1374 u32 control;
1375 u16 fcs;
1376
1377 while ((skb = skb_dequeue(&chan->tx_q))) {
1378 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
1379 control |= __set_txseq(chan, chan->next_tx_seq);
1380 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
1381
1382 if (chan->fcs == L2CAP_FCS_CRC16) {
1383 fcs = crc16(0, (u8 *)skb->data,
1384 skb->len - L2CAP_FCS_SIZE);
1385 put_unaligned_le16(fcs,
1386 skb->data + skb->len - L2CAP_FCS_SIZE);
1387 }
1388
1389 l2cap_do_send(chan, skb);
1390
1391 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1392 }
1393}
1394
1395static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
1396{
1397 struct sk_buff *skb, *tx_skb;
1398 u16 fcs;
1399 u32 control;
1400
1401 skb = skb_peek(&chan->tx_q);
1402 if (!skb)
1403 return;
1404
1405 while (bt_cb(skb)->tx_seq != tx_seq) {
1406 if (skb_queue_is_last(&chan->tx_q, skb))
1407 return;
1408
1409 skb = skb_queue_next(&chan->tx_q, skb);
1410 }
1411
1412 if (chan->remote_max_tx &&
1413 bt_cb(skb)->retries == chan->remote_max_tx) {
1414 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1415 return;
1416 }
1417
1418 tx_skb = skb_clone(skb, GFP_ATOMIC);
1419 bt_cb(skb)->retries++;
1420
1421 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1422 control &= __get_sar_mask(chan);
1423
1424 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1425 control |= __set_ctrl_final(chan);
1426
1427 control |= __set_reqseq(chan, chan->buffer_seq);
1428 control |= __set_txseq(chan, tx_seq);
1429
1430 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1431
1432 if (chan->fcs == L2CAP_FCS_CRC16) {
1433 fcs = crc16(0, (u8 *)tx_skb->data,
1434 tx_skb->len - L2CAP_FCS_SIZE);
1435 put_unaligned_le16(fcs,
1436 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
1437 }
1438
1439 l2cap_do_send(chan, tx_skb);
1440}
1441
1442static int l2cap_ertm_send(struct l2cap_chan *chan)
1443{
1444 struct sk_buff *skb, *tx_skb;
1445 u16 fcs;
1446 u32 control;
1447 int nsent = 0;
1448
1449 if (chan->state != BT_CONNECTED)
1450 return -ENOTCONN;
1451
1452 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1453
1454 if (chan->remote_max_tx &&
1455 bt_cb(skb)->retries == chan->remote_max_tx) {
1456 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1457 break;
1458 }
1459
1460 tx_skb = skb_clone(skb, GFP_ATOMIC);
1461
1462 bt_cb(skb)->retries++;
1463
1464 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1465 control &= __get_sar_mask(chan);
1466
1467 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1468 control |= __set_ctrl_final(chan);
1469
1470 control |= __set_reqseq(chan, chan->buffer_seq);
1471 control |= __set_txseq(chan, chan->next_tx_seq);
1472
1473 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1474
1475 if (chan->fcs == L2CAP_FCS_CRC16) {
1476 fcs = crc16(0, (u8 *)skb->data,
1477 tx_skb->len - L2CAP_FCS_SIZE);
1478 put_unaligned_le16(fcs, skb->data +
1479 tx_skb->len - L2CAP_FCS_SIZE);
1480 }
1481
1482 l2cap_do_send(chan, tx_skb);
1483
1484 __set_retrans_timer(chan);
1485
1486 bt_cb(skb)->tx_seq = chan->next_tx_seq;
1487
1488 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1489
1490 if (bt_cb(skb)->retries == 1) {
1491 chan->unacked_frames++;
1492
1493 if (!nsent++)
1494 __clear_ack_timer(chan);
1495 }
1496
1497 chan->frames_sent++;
1498
1499 if (skb_queue_is_last(&chan->tx_q, skb))
1500 chan->tx_send_head = NULL;
1501 else
1502 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1503 }
1504
1505 return nsent;
1506}
1507
1508static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1509{
1510 int ret;
1511
1512 if (!skb_queue_empty(&chan->tx_q))
1513 chan->tx_send_head = chan->tx_q.next;
1514
1515 chan->next_tx_seq = chan->expected_ack_seq;
1516 ret = l2cap_ertm_send(chan);
1517 return ret;
1518}
1519
1520static void __l2cap_send_ack(struct l2cap_chan *chan)
1521{
1522 u32 control = 0;
1523
1524 control |= __set_reqseq(chan, chan->buffer_seq);
1525
1526 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1527 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
1528 set_bit(CONN_RNR_SENT, &chan->conn_state);
1529 l2cap_send_sframe(chan, control);
1530 return;
1531 }
1532
1533 if (l2cap_ertm_send(chan) > 0)
1534 return;
1535
1536 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
1537 l2cap_send_sframe(chan, control);
1538}
1539
1540static void l2cap_send_ack(struct l2cap_chan *chan)
1541{
1542 __clear_ack_timer(chan);
1543 __l2cap_send_ack(chan);
1544}
1545
1546static void l2cap_send_srejtail(struct l2cap_chan *chan)
1547{
1548 struct srej_list *tail;
1549 u32 control;
1550
1551 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
1552 control |= __set_ctrl_final(chan);
1553
1554 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1555 control |= __set_reqseq(chan, tail->tx_seq);
1556
1557 l2cap_send_sframe(chan, control);
1558}
1559
1560static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1561 struct msghdr *msg, int len,
1562 int count, struct sk_buff *skb)
1563{
1564 struct l2cap_conn *conn = chan->conn;
1565 struct sk_buff **frag;
1566 int sent = 0;
1567
1568 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1569 return -EFAULT;
1570
1571 sent += count;
1572 len -= count;
1573
1574 /* Continuation fragments (no L2CAP header) */
1575 frag = &skb_shinfo(skb)->frag_list;
1576 while (len) {
1577 count = min_t(unsigned int, conn->mtu, len);
1578
1579 *frag = chan->ops->alloc_skb(chan, count,
1580 msg->msg_flags & MSG_DONTWAIT);
1581
1582 if (IS_ERR(*frag))
1583 return PTR_ERR(*frag);
1584 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1585 return -EFAULT;
1586
1587 (*frag)->priority = skb->priority;
1588
1589 sent += count;
1590 len -= count;
1591
1592 frag = &(*frag)->next;
1593 }
1594
1595 return sent;
1596}
1597
1598static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1599 struct msghdr *msg, size_t len,
1600 u32 priority)
1601{
1602 struct l2cap_conn *conn = chan->conn;
1603 struct sk_buff *skb;
1604 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1605 struct l2cap_hdr *lh;
1606
1607 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1608
1609 count = min_t(unsigned int, (conn->mtu - hlen), len);
1610
1611 skb = chan->ops->alloc_skb(chan, count + hlen,
1612 msg->msg_flags & MSG_DONTWAIT);
1613 if (IS_ERR(skb))
1614 return skb;
1615
1616 skb->priority = priority;
1617
1618 /* Create L2CAP header */
1619 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1620 lh->cid = cpu_to_le16(chan->dcid);
1621 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1622 put_unaligned(chan->psm, skb_put(skb, 2));
1623
1624 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1625 if (unlikely(err < 0)) {
1626 kfree_skb(skb);
1627 return ERR_PTR(err);
1628 }
1629 return skb;
1630}
1631
1632static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1633 struct msghdr *msg, size_t len,
1634 u32 priority)
1635{
1636 struct l2cap_conn *conn = chan->conn;
1637 struct sk_buff *skb;
1638 int err, count, hlen = L2CAP_HDR_SIZE;
1639 struct l2cap_hdr *lh;
1640
1641 BT_DBG("chan %p len %d", chan, (int)len);
1642
1643 count = min_t(unsigned int, (conn->mtu - hlen), len);
1644
1645 skb = chan->ops->alloc_skb(chan, count + hlen,
1646 msg->msg_flags & MSG_DONTWAIT);
1647 if (IS_ERR(skb))
1648 return skb;
1649
1650 skb->priority = priority;
1651
1652 /* Create L2CAP header */
1653 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1654 lh->cid = cpu_to_le16(chan->dcid);
1655 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1656
1657 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1658 if (unlikely(err < 0)) {
1659 kfree_skb(skb);
1660 return ERR_PTR(err);
1661 }
1662 return skb;
1663}
1664
1665static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1666 struct msghdr *msg, size_t len,
1667 u32 control, u16 sdulen)
1668{
1669 struct l2cap_conn *conn = chan->conn;
1670 struct sk_buff *skb;
1671 int err, count, hlen;
1672 struct l2cap_hdr *lh;
1673
1674 BT_DBG("chan %p len %d", chan, (int)len);
1675
1676 if (!conn)
1677 return ERR_PTR(-ENOTCONN);
1678
1679 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1680 hlen = L2CAP_EXT_HDR_SIZE;
1681 else
1682 hlen = L2CAP_ENH_HDR_SIZE;
1683
1684 if (sdulen)
1685 hlen += L2CAP_SDULEN_SIZE;
1686
1687 if (chan->fcs == L2CAP_FCS_CRC16)
1688 hlen += L2CAP_FCS_SIZE;
1689
1690 count = min_t(unsigned int, (conn->mtu - hlen), len);
1691
1692 skb = chan->ops->alloc_skb(chan, count + hlen,
1693 msg->msg_flags & MSG_DONTWAIT);
1694 if (IS_ERR(skb))
1695 return skb;
1696
1697 /* Create L2CAP header */
1698 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1699 lh->cid = cpu_to_le16(chan->dcid);
1700 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1701
1702 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
1703
1704 if (sdulen)
1705 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1706
1707 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1708 if (unlikely(err < 0)) {
1709 kfree_skb(skb);
1710 return ERR_PTR(err);
1711 }
1712
1713 if (chan->fcs == L2CAP_FCS_CRC16)
1714 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
1715
1716 bt_cb(skb)->retries = 0;
1717 return skb;
1718}
1719
1720static int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
1721{
1722 struct sk_buff *skb;
1723 struct sk_buff_head sar_queue;
1724 u32 control;
1725 size_t size = 0;
1726
1727 skb_queue_head_init(&sar_queue);
1728 control = __set_ctrl_sar(chan, L2CAP_SAR_START);
1729 skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
1730 if (IS_ERR(skb))
1731 return PTR_ERR(skb);
1732
1733 __skb_queue_tail(&sar_queue, skb);
1734 len -= chan->remote_mps;
1735 size += chan->remote_mps;
1736
1737 while (len > 0) {
1738 size_t buflen;
1739
1740 if (len > chan->remote_mps) {
1741 control = __set_ctrl_sar(chan, L2CAP_SAR_CONTINUE);
1742 buflen = chan->remote_mps;
1743 } else {
1744 control = __set_ctrl_sar(chan, L2CAP_SAR_END);
1745 buflen = len;
1746 }
1747
1748 skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
1749 if (IS_ERR(skb)) {
1750 skb_queue_purge(&sar_queue);
1751 return PTR_ERR(skb);
1752 }
1753
1754 __skb_queue_tail(&sar_queue, skb);
1755 len -= buflen;
1756 size += buflen;
1757 }
1758 skb_queue_splice_tail(&sar_queue, &chan->tx_q);
1759 if (chan->tx_send_head == NULL)
1760 chan->tx_send_head = sar_queue.next;
1761
1762 return size;
1763}
1764
1765int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
1766 u32 priority)
1767{
1768 struct sk_buff *skb;
1769 u32 control;
1770 int err;
1771
1772 /* Connectionless channel */
1773 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
1774 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
1775 if (IS_ERR(skb))
1776 return PTR_ERR(skb);
1777
1778 l2cap_do_send(chan, skb);
1779 return len;
1780 }
1781
1782 switch (chan->mode) {
1783 case L2CAP_MODE_BASIC:
1784 /* Check outgoing MTU */
1785 if (len > chan->omtu)
1786 return -EMSGSIZE;
1787
1788 /* Create a basic PDU */
1789 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
1790 if (IS_ERR(skb))
1791 return PTR_ERR(skb);
1792
1793 l2cap_do_send(chan, skb);
1794 err = len;
1795 break;
1796
1797 case L2CAP_MODE_ERTM:
1798 case L2CAP_MODE_STREAMING:
1799 /* Entire SDU fits into one PDU */
1800 if (len <= chan->remote_mps) {
1801 control = __set_ctrl_sar(chan, L2CAP_SAR_UNSEGMENTED);
1802 skb = l2cap_create_iframe_pdu(chan, msg, len, control,
1803 0);
1804 if (IS_ERR(skb))
1805 return PTR_ERR(skb);
1806
1807 __skb_queue_tail(&chan->tx_q, skb);
1808
1809 if (chan->tx_send_head == NULL)
1810 chan->tx_send_head = skb;
1811
1812 } else {
1813 /* Segment SDU into multiples PDUs */
1814 err = l2cap_sar_segment_sdu(chan, msg, len);
1815 if (err < 0)
1816 return err;
1817 }
1818
1819 if (chan->mode == L2CAP_MODE_STREAMING) {
1820 l2cap_streaming_send(chan);
1821 err = len;
1822 break;
1823 }
1824
1825 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
1826 test_bit(CONN_WAIT_F, &chan->conn_state)) {
1827 err = len;
1828 break;
1829 }
1830
1831 err = l2cap_ertm_send(chan);
1832 if (err >= 0)
1833 err = len;
1834
1835 break;
1836
1837 default:
1838 BT_DBG("bad state %1.1x", chan->mode);
1839 err = -EBADFD;
1840 }
1841
1842 return err;
1843}
1844
1845/* Copy frame to all raw sockets on that connection */
1846static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1847{
1848 struct sk_buff *nskb;
1849 struct l2cap_chan *chan;
1850
1851 BT_DBG("conn %p", conn);
1852
1853 mutex_lock(&conn->chan_lock);
1854
1855 list_for_each_entry(chan, &conn->chan_l, list) {
1856 struct sock *sk = chan->sk;
1857 if (chan->chan_type != L2CAP_CHAN_RAW)
1858 continue;
1859
1860 /* Don't send frame to the socket it came from */
1861 if (skb->sk == sk)
1862 continue;
1863 nskb = skb_clone(skb, GFP_ATOMIC);
1864 if (!nskb)
1865 continue;
1866
1867 if (chan->ops->recv(chan->data, nskb))
1868 kfree_skb(nskb);
1869 }
1870
1871 mutex_unlock(&conn->chan_lock);
1872}
1873
1874/* ---- L2CAP signalling commands ---- */
1875static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
1876 u8 code, u8 ident, u16 dlen, void *data)
1877{
1878 struct sk_buff *skb, **frag;
1879 struct l2cap_cmd_hdr *cmd;
1880 struct l2cap_hdr *lh;
1881 int len, count;
1882
1883 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
1884 conn, code, ident, dlen);
1885
1886 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
1887 count = min_t(unsigned int, conn->mtu, len);
1888
1889 skb = bt_skb_alloc(count, GFP_ATOMIC);
1890 if (!skb)
1891 return NULL;
1892
1893 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1894 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
1895
1896 if (conn->hcon->type == LE_LINK)
1897 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
1898 else
1899 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1900
1901 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
1902 cmd->code = code;
1903 cmd->ident = ident;
1904 cmd->len = cpu_to_le16(dlen);
1905
1906 if (dlen) {
1907 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
1908 memcpy(skb_put(skb, count), data, count);
1909 data += count;
1910 }
1911
1912 len -= skb->len;
1913
1914 /* Continuation fragments (no L2CAP header) */
1915 frag = &skb_shinfo(skb)->frag_list;
1916 while (len) {
1917 count = min_t(unsigned int, conn->mtu, len);
1918
1919 *frag = bt_skb_alloc(count, GFP_ATOMIC);
1920 if (!*frag)
1921 goto fail;
1922
1923 memcpy(skb_put(*frag, count), data, count);
1924
1925 len -= count;
1926 data += count;
1927
1928 frag = &(*frag)->next;
1929 }
1930
1931 return skb;
1932
1933fail:
1934 kfree_skb(skb);
1935 return NULL;
1936}
1937
1938static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
1939{
1940 struct l2cap_conf_opt *opt = *ptr;
1941 int len;
1942
1943 len = L2CAP_CONF_OPT_SIZE + opt->len;
1944 *ptr += len;
1945
1946 *type = opt->type;
1947 *olen = opt->len;
1948
1949 switch (opt->len) {
1950 case 1:
1951 *val = *((u8 *) opt->val);
1952 break;
1953
1954 case 2:
1955 *val = get_unaligned_le16(opt->val);
1956 break;
1957
1958 case 4:
1959 *val = get_unaligned_le32(opt->val);
1960 break;
1961
1962 default:
1963 *val = (unsigned long) opt->val;
1964 break;
1965 }
1966
1967 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
1968 return len;
1969}
1970
1971static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
1972{
1973 struct l2cap_conf_opt *opt = *ptr;
1974
1975 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
1976
1977 opt->type = type;
1978 opt->len = len;
1979
1980 switch (len) {
1981 case 1:
1982 *((u8 *) opt->val) = val;
1983 break;
1984
1985 case 2:
1986 put_unaligned_le16(val, opt->val);
1987 break;
1988
1989 case 4:
1990 put_unaligned_le32(val, opt->val);
1991 break;
1992
1993 default:
1994 memcpy(opt->val, (void *) val, len);
1995 break;
1996 }
1997
1998 *ptr += L2CAP_CONF_OPT_SIZE + len;
1999}
2000
2001static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2002{
2003 struct l2cap_conf_efs efs;
2004
2005 switch (chan->mode) {
2006 case L2CAP_MODE_ERTM:
2007 efs.id = chan->local_id;
2008 efs.stype = chan->local_stype;
2009 efs.msdu = cpu_to_le16(chan->local_msdu);
2010 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2011 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2012 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2013 break;
2014
2015 case L2CAP_MODE_STREAMING:
2016 efs.id = 1;
2017 efs.stype = L2CAP_SERV_BESTEFFORT;
2018 efs.msdu = cpu_to_le16(chan->local_msdu);
2019 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2020 efs.acc_lat = 0;
2021 efs.flush_to = 0;
2022 break;
2023
2024 default:
2025 return;
2026 }
2027
2028 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2029 (unsigned long) &efs);
2030}
2031
2032static void l2cap_ack_timeout(struct work_struct *work)
2033{
2034 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2035 ack_timer.work);
2036
2037 BT_DBG("chan %p", chan);
2038
2039 l2cap_chan_lock(chan);
2040
2041 __l2cap_send_ack(chan);
2042
2043 l2cap_chan_unlock(chan);
2044
2045 l2cap_chan_put(chan);
2046}
2047
2048static inline void l2cap_ertm_init(struct l2cap_chan *chan)
2049{
2050 chan->expected_ack_seq = 0;
2051 chan->unacked_frames = 0;
2052 chan->buffer_seq = 0;
2053 chan->num_acked = 0;
2054 chan->frames_sent = 0;
2055
2056 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2057 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2058 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
2059
2060 skb_queue_head_init(&chan->srej_q);
2061
2062 INIT_LIST_HEAD(&chan->srej_l);
2063}
2064
2065static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2066{
2067 switch (mode) {
2068 case L2CAP_MODE_STREAMING:
2069 case L2CAP_MODE_ERTM:
2070 if (l2cap_mode_supported(mode, remote_feat_mask))
2071 return mode;
2072 /* fall through */
2073 default:
2074 return L2CAP_MODE_BASIC;
2075 }
2076}
2077
2078static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2079{
2080 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2081}
2082
2083static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2084{
2085 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2086}
2087
2088static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2089{
2090 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2091 __l2cap_ews_supported(chan)) {
2092 /* use extended control field */
2093 set_bit(FLAG_EXT_CTRL, &chan->flags);
2094 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2095 } else {
2096 chan->tx_win = min_t(u16, chan->tx_win,
2097 L2CAP_DEFAULT_TX_WINDOW);
2098 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2099 }
2100}
2101
2102static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
2103{
2104 struct l2cap_conf_req *req = data;
2105 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
2106 void *ptr = req->data;
2107 u16 size;
2108
2109 BT_DBG("chan %p", chan);
2110
2111 if (chan->num_conf_req || chan->num_conf_rsp)
2112 goto done;
2113
2114 switch (chan->mode) {
2115 case L2CAP_MODE_STREAMING:
2116 case L2CAP_MODE_ERTM:
2117 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
2118 break;
2119
2120 if (__l2cap_efs_supported(chan))
2121 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2122
2123 /* fall through */
2124 default:
2125 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
2126 break;
2127 }
2128
2129done:
2130 if (chan->imtu != L2CAP_DEFAULT_MTU)
2131 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2132
2133 switch (chan->mode) {
2134 case L2CAP_MODE_BASIC:
2135 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2136 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
2137 break;
2138
2139 rfc.mode = L2CAP_MODE_BASIC;
2140 rfc.txwin_size = 0;
2141 rfc.max_transmit = 0;
2142 rfc.retrans_timeout = 0;
2143 rfc.monitor_timeout = 0;
2144 rfc.max_pdu_size = 0;
2145
2146 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2147 (unsigned long) &rfc);
2148 break;
2149
2150 case L2CAP_MODE_ERTM:
2151 rfc.mode = L2CAP_MODE_ERTM;
2152 rfc.max_transmit = chan->max_tx;
2153 rfc.retrans_timeout = 0;
2154 rfc.monitor_timeout = 0;
2155
2156 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2157 L2CAP_EXT_HDR_SIZE -
2158 L2CAP_SDULEN_SIZE -
2159 L2CAP_FCS_SIZE);
2160 rfc.max_pdu_size = cpu_to_le16(size);
2161
2162 l2cap_txwin_setup(chan);
2163
2164 rfc.txwin_size = min_t(u16, chan->tx_win,
2165 L2CAP_DEFAULT_TX_WINDOW);
2166
2167 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2168 (unsigned long) &rfc);
2169
2170 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2171 l2cap_add_opt_efs(&ptr, chan);
2172
2173 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2174 break;
2175
2176 if (chan->fcs == L2CAP_FCS_NONE ||
2177 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2178 chan->fcs = L2CAP_FCS_NONE;
2179 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2180 }
2181
2182 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2183 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2184 chan->tx_win);
2185 break;
2186
2187 case L2CAP_MODE_STREAMING:
2188 rfc.mode = L2CAP_MODE_STREAMING;
2189 rfc.txwin_size = 0;
2190 rfc.max_transmit = 0;
2191 rfc.retrans_timeout = 0;
2192 rfc.monitor_timeout = 0;
2193
2194 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2195 L2CAP_EXT_HDR_SIZE -
2196 L2CAP_SDULEN_SIZE -
2197 L2CAP_FCS_SIZE);
2198 rfc.max_pdu_size = cpu_to_le16(size);
2199
2200 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2201 (unsigned long) &rfc);
2202
2203 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2204 l2cap_add_opt_efs(&ptr, chan);
2205
2206 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2207 break;
2208
2209 if (chan->fcs == L2CAP_FCS_NONE ||
2210 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2211 chan->fcs = L2CAP_FCS_NONE;
2212 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2213 }
2214 break;
2215 }
2216
2217 req->dcid = cpu_to_le16(chan->dcid);
2218 req->flags = cpu_to_le16(0);
2219
2220 return ptr - data;
2221}
2222
2223static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
2224{
2225 struct l2cap_conf_rsp *rsp = data;
2226 void *ptr = rsp->data;
2227 void *req = chan->conf_req;
2228 int len = chan->conf_len;
2229 int type, hint, olen;
2230 unsigned long val;
2231 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2232 struct l2cap_conf_efs efs;
2233 u8 remote_efs = 0;
2234 u16 mtu = L2CAP_DEFAULT_MTU;
2235 u16 result = L2CAP_CONF_SUCCESS;
2236 u16 size;
2237
2238 BT_DBG("chan %p", chan);
2239
2240 while (len >= L2CAP_CONF_OPT_SIZE) {
2241 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2242
2243 hint = type & L2CAP_CONF_HINT;
2244 type &= L2CAP_CONF_MASK;
2245
2246 switch (type) {
2247 case L2CAP_CONF_MTU:
2248 mtu = val;
2249 break;
2250
2251 case L2CAP_CONF_FLUSH_TO:
2252 chan->flush_to = val;
2253 break;
2254
2255 case L2CAP_CONF_QOS:
2256 break;
2257
2258 case L2CAP_CONF_RFC:
2259 if (olen == sizeof(rfc))
2260 memcpy(&rfc, (void *) val, olen);
2261 break;
2262
2263 case L2CAP_CONF_FCS:
2264 if (val == L2CAP_FCS_NONE)
2265 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
2266 break;
2267
2268 case L2CAP_CONF_EFS:
2269 remote_efs = 1;
2270 if (olen == sizeof(efs))
2271 memcpy(&efs, (void *) val, olen);
2272 break;
2273
2274 case L2CAP_CONF_EWS:
2275 if (!enable_hs)
2276 return -ECONNREFUSED;
2277
2278 set_bit(FLAG_EXT_CTRL, &chan->flags);
2279 set_bit(CONF_EWS_RECV, &chan->conf_state);
2280 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2281 chan->remote_tx_win = val;
2282 break;
2283
2284 default:
2285 if (hint)
2286 break;
2287
2288 result = L2CAP_CONF_UNKNOWN;
2289 *((u8 *) ptr++) = type;
2290 break;
2291 }
2292 }
2293
2294 if (chan->num_conf_rsp || chan->num_conf_req > 1)
2295 goto done;
2296
2297 switch (chan->mode) {
2298 case L2CAP_MODE_STREAMING:
2299 case L2CAP_MODE_ERTM:
2300 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
2301 chan->mode = l2cap_select_mode(rfc.mode,
2302 chan->conn->feat_mask);
2303 break;
2304 }
2305
2306 if (remote_efs) {
2307 if (__l2cap_efs_supported(chan))
2308 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2309 else
2310 return -ECONNREFUSED;
2311 }
2312
2313 if (chan->mode != rfc.mode)
2314 return -ECONNREFUSED;
2315
2316 break;
2317 }
2318
2319done:
2320 if (chan->mode != rfc.mode) {
2321 result = L2CAP_CONF_UNACCEPT;
2322 rfc.mode = chan->mode;
2323
2324 if (chan->num_conf_rsp == 1)
2325 return -ECONNREFUSED;
2326
2327 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2328 sizeof(rfc), (unsigned long) &rfc);
2329 }
2330
2331 if (result == L2CAP_CONF_SUCCESS) {
2332 /* Configure output options and let the other side know
2333 * which ones we don't like. */
2334
2335 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2336 result = L2CAP_CONF_UNACCEPT;
2337 else {
2338 chan->omtu = mtu;
2339 set_bit(CONF_MTU_DONE, &chan->conf_state);
2340 }
2341 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
2342
2343 if (remote_efs) {
2344 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2345 efs.stype != L2CAP_SERV_NOTRAFIC &&
2346 efs.stype != chan->local_stype) {
2347
2348 result = L2CAP_CONF_UNACCEPT;
2349
2350 if (chan->num_conf_req >= 1)
2351 return -ECONNREFUSED;
2352
2353 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2354 sizeof(efs),
2355 (unsigned long) &efs);
2356 } else {
2357 /* Send PENDING Conf Rsp */
2358 result = L2CAP_CONF_PENDING;
2359 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2360 }
2361 }
2362
2363 switch (rfc.mode) {
2364 case L2CAP_MODE_BASIC:
2365 chan->fcs = L2CAP_FCS_NONE;
2366 set_bit(CONF_MODE_DONE, &chan->conf_state);
2367 break;
2368
2369 case L2CAP_MODE_ERTM:
2370 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2371 chan->remote_tx_win = rfc.txwin_size;
2372 else
2373 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2374
2375 chan->remote_max_tx = rfc.max_transmit;
2376
2377 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2378 chan->conn->mtu -
2379 L2CAP_EXT_HDR_SIZE -
2380 L2CAP_SDULEN_SIZE -
2381 L2CAP_FCS_SIZE);
2382 rfc.max_pdu_size = cpu_to_le16(size);
2383 chan->remote_mps = size;
2384
2385 rfc.retrans_timeout =
2386 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2387 rfc.monitor_timeout =
2388 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2389
2390 set_bit(CONF_MODE_DONE, &chan->conf_state);
2391
2392 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2393 sizeof(rfc), (unsigned long) &rfc);
2394
2395 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2396 chan->remote_id = efs.id;
2397 chan->remote_stype = efs.stype;
2398 chan->remote_msdu = le16_to_cpu(efs.msdu);
2399 chan->remote_flush_to =
2400 le32_to_cpu(efs.flush_to);
2401 chan->remote_acc_lat =
2402 le32_to_cpu(efs.acc_lat);
2403 chan->remote_sdu_itime =
2404 le32_to_cpu(efs.sdu_itime);
2405 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2406 sizeof(efs), (unsigned long) &efs);
2407 }
2408 break;
2409
2410 case L2CAP_MODE_STREAMING:
2411 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2412 chan->conn->mtu -
2413 L2CAP_EXT_HDR_SIZE -
2414 L2CAP_SDULEN_SIZE -
2415 L2CAP_FCS_SIZE);
2416 rfc.max_pdu_size = cpu_to_le16(size);
2417 chan->remote_mps = size;
2418
2419 set_bit(CONF_MODE_DONE, &chan->conf_state);
2420
2421 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2422 sizeof(rfc), (unsigned long) &rfc);
2423
2424 break;
2425
2426 default:
2427 result = L2CAP_CONF_UNACCEPT;
2428
2429 memset(&rfc, 0, sizeof(rfc));
2430 rfc.mode = chan->mode;
2431 }
2432
2433 if (result == L2CAP_CONF_SUCCESS)
2434 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2435 }
2436 rsp->scid = cpu_to_le16(chan->dcid);
2437 rsp->result = cpu_to_le16(result);
2438 rsp->flags = cpu_to_le16(0x0000);
2439
2440 return ptr - data;
2441}
2442
2443static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
2444{
2445 struct l2cap_conf_req *req = data;
2446 void *ptr = req->data;
2447 int type, olen;
2448 unsigned long val;
2449 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2450 struct l2cap_conf_efs efs;
2451
2452 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
2453
2454 while (len >= L2CAP_CONF_OPT_SIZE) {
2455 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2456
2457 switch (type) {
2458 case L2CAP_CONF_MTU:
2459 if (val < L2CAP_DEFAULT_MIN_MTU) {
2460 *result = L2CAP_CONF_UNACCEPT;
2461 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
2462 } else
2463 chan->imtu = val;
2464 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2465 break;
2466
2467 case L2CAP_CONF_FLUSH_TO:
2468 chan->flush_to = val;
2469 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2470 2, chan->flush_to);
2471 break;
2472
2473 case L2CAP_CONF_RFC:
2474 if (olen == sizeof(rfc))
2475 memcpy(&rfc, (void *)val, olen);
2476
2477 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2478 rfc.mode != chan->mode)
2479 return -ECONNREFUSED;
2480
2481 chan->fcs = 0;
2482
2483 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2484 sizeof(rfc), (unsigned long) &rfc);
2485 break;
2486
2487 case L2CAP_CONF_EWS:
2488 chan->tx_win = min_t(u16, val,
2489 L2CAP_DEFAULT_EXT_WINDOW);
2490 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2491 chan->tx_win);
2492 break;
2493
2494 case L2CAP_CONF_EFS:
2495 if (olen == sizeof(efs))
2496 memcpy(&efs, (void *)val, olen);
2497
2498 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2499 efs.stype != L2CAP_SERV_NOTRAFIC &&
2500 efs.stype != chan->local_stype)
2501 return -ECONNREFUSED;
2502
2503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2504 sizeof(efs), (unsigned long) &efs);
2505 break;
2506 }
2507 }
2508
2509 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
2510 return -ECONNREFUSED;
2511
2512 chan->mode = rfc.mode;
2513
2514 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
2515 switch (rfc.mode) {
2516 case L2CAP_MODE_ERTM:
2517 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2518 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2519 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2520
2521 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2522 chan->local_msdu = le16_to_cpu(efs.msdu);
2523 chan->local_sdu_itime =
2524 le32_to_cpu(efs.sdu_itime);
2525 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2526 chan->local_flush_to =
2527 le32_to_cpu(efs.flush_to);
2528 }
2529 break;
2530
2531 case L2CAP_MODE_STREAMING:
2532 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2533 }
2534 }
2535
2536 req->dcid = cpu_to_le16(chan->dcid);
2537 req->flags = cpu_to_le16(0x0000);
2538
2539 return ptr - data;
2540}
2541
2542static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
2543{
2544 struct l2cap_conf_rsp *rsp = data;
2545 void *ptr = rsp->data;
2546
2547 BT_DBG("chan %p", chan);
2548
2549 rsp->scid = cpu_to_le16(chan->dcid);
2550 rsp->result = cpu_to_le16(result);
2551 rsp->flags = cpu_to_le16(flags);
2552
2553 return ptr - data;
2554}
2555
2556void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2557{
2558 struct l2cap_conn_rsp rsp;
2559 struct l2cap_conn *conn = chan->conn;
2560 u8 buf[128];
2561
2562 rsp.scid = cpu_to_le16(chan->dcid);
2563 rsp.dcid = cpu_to_le16(chan->scid);
2564 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2565 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2566 l2cap_send_cmd(conn, chan->ident,
2567 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2568
2569 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2570 return;
2571
2572 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2573 l2cap_build_conf_req(chan, buf), buf);
2574 chan->num_conf_req++;
2575}
2576
2577static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2578{
2579 int type, olen;
2580 unsigned long val;
2581 struct l2cap_conf_rfc rfc;
2582
2583 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2584
2585 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2586 return;
2587
2588 while (len >= L2CAP_CONF_OPT_SIZE) {
2589 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2590
2591 switch (type) {
2592 case L2CAP_CONF_RFC:
2593 if (olen == sizeof(rfc))
2594 memcpy(&rfc, (void *)val, olen);
2595 goto done;
2596 }
2597 }
2598
2599 /* Use sane default values in case a misbehaving remote device
2600 * did not send an RFC option.
2601 */
2602 rfc.mode = chan->mode;
2603 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2604 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2605 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2606
2607 BT_ERR("Expected RFC option was not found, using defaults");
2608
2609done:
2610 switch (rfc.mode) {
2611 case L2CAP_MODE_ERTM:
2612 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2613 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2614 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2615 break;
2616 case L2CAP_MODE_STREAMING:
2617 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2618 }
2619}
2620
2621static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2622{
2623 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2624
2625 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2626 return 0;
2627
2628 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2629 cmd->ident == conn->info_ident) {
2630 cancel_delayed_work(&conn->info_timer);
2631
2632 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2633 conn->info_ident = 0;
2634
2635 l2cap_conn_start(conn);
2636 }
2637
2638 return 0;
2639}
2640
2641static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2642{
2643 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2644 struct l2cap_conn_rsp rsp;
2645 struct l2cap_chan *chan = NULL, *pchan;
2646 struct sock *parent, *sk = NULL;
2647 int result, status = L2CAP_CS_NO_INFO;
2648
2649 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2650 __le16 psm = req->psm;
2651
2652 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
2653
2654 /* Check if we have socket listening on psm */
2655 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
2656 if (!pchan) {
2657 result = L2CAP_CR_BAD_PSM;
2658 goto sendresp;
2659 }
2660
2661 parent = pchan->sk;
2662
2663 mutex_lock(&conn->chan_lock);
2664 lock_sock(parent);
2665
2666 /* Check if the ACL is secure enough (if not SDP) */
2667 if (psm != cpu_to_le16(0x0001) &&
2668 !hci_conn_check_link_mode(conn->hcon)) {
2669 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
2670 result = L2CAP_CR_SEC_BLOCK;
2671 goto response;
2672 }
2673
2674 result = L2CAP_CR_NO_MEM;
2675
2676 /* Check for backlog size */
2677 if (sk_acceptq_is_full(parent)) {
2678 BT_DBG("backlog full %d", parent->sk_ack_backlog);
2679 goto response;
2680 }
2681
2682 chan = pchan->ops->new_connection(pchan->data);
2683 if (!chan)
2684 goto response;
2685
2686 sk = chan->sk;
2687
2688 /* Check if we already have channel with that dcid */
2689 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2690 sock_set_flag(sk, SOCK_ZAPPED);
2691 chan->ops->close(chan->data);
2692 goto response;
2693 }
2694
2695 hci_conn_hold(conn->hcon);
2696
2697 bacpy(&bt_sk(sk)->src, conn->src);
2698 bacpy(&bt_sk(sk)->dst, conn->dst);
2699 chan->psm = psm;
2700 chan->dcid = scid;
2701
2702 bt_accept_enqueue(parent, sk);
2703
2704 __l2cap_chan_add(conn, chan);
2705
2706 dcid = chan->scid;
2707
2708 __set_chan_timer(chan, sk->sk_sndtimeo);
2709
2710 chan->ident = cmd->ident;
2711
2712 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2713 if (l2cap_chan_check_security(chan)) {
2714 if (bt_sk(sk)->defer_setup) {
2715 __l2cap_state_change(chan, BT_CONNECT2);
2716 result = L2CAP_CR_PEND;
2717 status = L2CAP_CS_AUTHOR_PEND;
2718 parent->sk_data_ready(parent, 0);
2719 } else {
2720 __l2cap_state_change(chan, BT_CONFIG);
2721 result = L2CAP_CR_SUCCESS;
2722 status = L2CAP_CS_NO_INFO;
2723 }
2724 } else {
2725 __l2cap_state_change(chan, BT_CONNECT2);
2726 result = L2CAP_CR_PEND;
2727 status = L2CAP_CS_AUTHEN_PEND;
2728 }
2729 } else {
2730 __l2cap_state_change(chan, BT_CONNECT2);
2731 result = L2CAP_CR_PEND;
2732 status = L2CAP_CS_NO_INFO;
2733 }
2734
2735response:
2736 release_sock(parent);
2737 mutex_unlock(&conn->chan_lock);
2738
2739sendresp:
2740 rsp.scid = cpu_to_le16(scid);
2741 rsp.dcid = cpu_to_le16(dcid);
2742 rsp.result = cpu_to_le16(result);
2743 rsp.status = cpu_to_le16(status);
2744 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2745
2746 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2747 struct l2cap_info_req info;
2748 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2749
2750 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2751 conn->info_ident = l2cap_get_ident(conn);
2752
2753 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
2754
2755 l2cap_send_cmd(conn, conn->info_ident,
2756 L2CAP_INFO_REQ, sizeof(info), &info);
2757 }
2758
2759 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
2760 result == L2CAP_CR_SUCCESS) {
2761 u8 buf[128];
2762 set_bit(CONF_REQ_SENT, &chan->conf_state);
2763 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2764 l2cap_build_conf_req(chan, buf), buf);
2765 chan->num_conf_req++;
2766 }
2767
2768 return 0;
2769}
2770
2771static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2772{
2773 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2774 u16 scid, dcid, result, status;
2775 struct l2cap_chan *chan;
2776 u8 req[128];
2777 int err;
2778
2779 scid = __le16_to_cpu(rsp->scid);
2780 dcid = __le16_to_cpu(rsp->dcid);
2781 result = __le16_to_cpu(rsp->result);
2782 status = __le16_to_cpu(rsp->status);
2783
2784 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
2785 dcid, scid, result, status);
2786
2787 mutex_lock(&conn->chan_lock);
2788
2789 if (scid) {
2790 chan = __l2cap_get_chan_by_scid(conn, scid);
2791 if (!chan) {
2792 err = -EFAULT;
2793 goto unlock;
2794 }
2795 } else {
2796 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
2797 if (!chan) {
2798 err = -EFAULT;
2799 goto unlock;
2800 }
2801 }
2802
2803 err = 0;
2804
2805 l2cap_chan_lock(chan);
2806
2807 switch (result) {
2808 case L2CAP_CR_SUCCESS:
2809 l2cap_state_change(chan, BT_CONFIG);
2810 chan->ident = 0;
2811 chan->dcid = dcid;
2812 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
2813
2814 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2815 break;
2816
2817 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2818 l2cap_build_conf_req(chan, req), req);
2819 chan->num_conf_req++;
2820 break;
2821
2822 case L2CAP_CR_PEND:
2823 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
2824 break;
2825
2826 default:
2827 l2cap_chan_del(chan, ECONNREFUSED);
2828 break;
2829 }
2830
2831 l2cap_chan_unlock(chan);
2832
2833unlock:
2834 mutex_unlock(&conn->chan_lock);
2835
2836 return err;
2837}
2838
2839static inline void set_default_fcs(struct l2cap_chan *chan)
2840{
2841 /* FCS is enabled only in ERTM or streaming mode, if one or both
2842 * sides request it.
2843 */
2844 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
2845 chan->fcs = L2CAP_FCS_NONE;
2846 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
2847 chan->fcs = L2CAP_FCS_CRC16;
2848}
2849
2850static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
2851{
2852 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
2853 u16 dcid, flags;
2854 u8 rsp[64];
2855 struct l2cap_chan *chan;
2856 int len;
2857
2858 dcid = __le16_to_cpu(req->dcid);
2859 flags = __le16_to_cpu(req->flags);
2860
2861 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
2862
2863 chan = l2cap_get_chan_by_scid(conn, dcid);
2864 if (!chan)
2865 return -ENOENT;
2866
2867 l2cap_chan_lock(chan);
2868
2869 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
2870 struct l2cap_cmd_rej_cid rej;
2871
2872 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
2873 rej.scid = cpu_to_le16(chan->scid);
2874 rej.dcid = cpu_to_le16(chan->dcid);
2875
2876 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
2877 sizeof(rej), &rej);
2878 goto unlock;
2879 }
2880
2881 /* Reject if config buffer is too small. */
2882 len = cmd_len - sizeof(*req);
2883 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
2884 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2885 l2cap_build_conf_rsp(chan, rsp,
2886 L2CAP_CONF_REJECT, flags), rsp);
2887 goto unlock;
2888 }
2889
2890 /* Store config. */
2891 memcpy(chan->conf_req + chan->conf_len, req->data, len);
2892 chan->conf_len += len;
2893
2894 if (flags & 0x0001) {
2895 /* Incomplete config. Send empty response. */
2896 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2897 l2cap_build_conf_rsp(chan, rsp,
2898 L2CAP_CONF_SUCCESS, 0x0001), rsp);
2899 goto unlock;
2900 }
2901
2902 /* Complete config. */
2903 len = l2cap_parse_conf_req(chan, rsp);
2904 if (len < 0) {
2905 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2906 goto unlock;
2907 }
2908
2909 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
2910 chan->num_conf_rsp++;
2911
2912 /* Reset config buffer. */
2913 chan->conf_len = 0;
2914
2915 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
2916 goto unlock;
2917
2918 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
2919 set_default_fcs(chan);
2920
2921 l2cap_state_change(chan, BT_CONNECTED);
2922
2923 chan->next_tx_seq = 0;
2924 chan->expected_tx_seq = 0;
2925 skb_queue_head_init(&chan->tx_q);
2926 if (chan->mode == L2CAP_MODE_ERTM)
2927 l2cap_ertm_init(chan);
2928
2929 l2cap_chan_ready(chan);
2930 goto unlock;
2931 }
2932
2933 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
2934 u8 buf[64];
2935 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2936 l2cap_build_conf_req(chan, buf), buf);
2937 chan->num_conf_req++;
2938 }
2939
2940 /* Got Conf Rsp PENDING from remote side and asume we sent
2941 Conf Rsp PENDING in the code above */
2942 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
2943 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2944
2945 /* check compatibility */
2946
2947 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2948 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2949
2950 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
2951 l2cap_build_conf_rsp(chan, rsp,
2952 L2CAP_CONF_SUCCESS, 0x0000), rsp);
2953 }
2954
2955unlock:
2956 l2cap_chan_unlock(chan);
2957 return 0;
2958}
2959
2960static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2961{
2962 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
2963 u16 scid, flags, result;
2964 struct l2cap_chan *chan;
2965 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
2966
2967 scid = __le16_to_cpu(rsp->scid);
2968 flags = __le16_to_cpu(rsp->flags);
2969 result = __le16_to_cpu(rsp->result);
2970
2971 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
2972 result, len);
2973
2974 chan = l2cap_get_chan_by_scid(conn, scid);
2975 if (!chan)
2976 return 0;
2977
2978 l2cap_chan_lock(chan);
2979
2980 switch (result) {
2981 case L2CAP_CONF_SUCCESS:
2982 l2cap_conf_rfc_get(chan, rsp->data, len);
2983 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2984 break;
2985
2986 case L2CAP_CONF_PENDING:
2987 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
2988
2989 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
2990 char buf[64];
2991
2992 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
2993 buf, &result);
2994 if (len < 0) {
2995 l2cap_send_disconn_req(conn, chan, ECONNRESET);
2996 goto done;
2997 }
2998
2999 /* check compatibility */
3000
3001 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3002 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3003
3004 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3005 l2cap_build_conf_rsp(chan, buf,
3006 L2CAP_CONF_SUCCESS, 0x0000), buf);
3007 }
3008 goto done;
3009
3010 case L2CAP_CONF_UNACCEPT:
3011 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
3012 char req[64];
3013
3014 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
3015 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3016 goto done;
3017 }
3018
3019 /* throw out any old stored conf requests */
3020 result = L2CAP_CONF_SUCCESS;
3021 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3022 req, &result);
3023 if (len < 0) {
3024 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3025 goto done;
3026 }
3027
3028 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3029 L2CAP_CONF_REQ, len, req);
3030 chan->num_conf_req++;
3031 if (result != L2CAP_CONF_SUCCESS)
3032 goto done;
3033 break;
3034 }
3035
3036 default:
3037 l2cap_chan_set_err(chan, ECONNRESET);
3038
3039 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
3040 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3041 goto done;
3042 }
3043
3044 if (flags & 0x01)
3045 goto done;
3046
3047 set_bit(CONF_INPUT_DONE, &chan->conf_state);
3048
3049 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
3050 set_default_fcs(chan);
3051
3052 l2cap_state_change(chan, BT_CONNECTED);
3053 chan->next_tx_seq = 0;
3054 chan->expected_tx_seq = 0;
3055 skb_queue_head_init(&chan->tx_q);
3056 if (chan->mode == L2CAP_MODE_ERTM)
3057 l2cap_ertm_init(chan);
3058
3059 l2cap_chan_ready(chan);
3060 }
3061
3062done:
3063 l2cap_chan_unlock(chan);
3064 return 0;
3065}
3066
3067static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3068{
3069 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3070 struct l2cap_disconn_rsp rsp;
3071 u16 dcid, scid;
3072 struct l2cap_chan *chan;
3073 struct sock *sk;
3074
3075 scid = __le16_to_cpu(req->scid);
3076 dcid = __le16_to_cpu(req->dcid);
3077
3078 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3079
3080 mutex_lock(&conn->chan_lock);
3081
3082 chan = __l2cap_get_chan_by_scid(conn, dcid);
3083 if (!chan) {
3084 mutex_unlock(&conn->chan_lock);
3085 return 0;
3086 }
3087
3088 l2cap_chan_lock(chan);
3089
3090 sk = chan->sk;
3091
3092 rsp.dcid = cpu_to_le16(chan->scid);
3093 rsp.scid = cpu_to_le16(chan->dcid);
3094 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3095
3096 lock_sock(sk);
3097 sk->sk_shutdown = SHUTDOWN_MASK;
3098 release_sock(sk);
3099
3100 l2cap_chan_del(chan, ECONNRESET);
3101
3102 l2cap_chan_unlock(chan);
3103
3104 chan->ops->close(chan->data);
3105
3106 mutex_unlock(&conn->chan_lock);
3107
3108 return 0;
3109}
3110
3111static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3112{
3113 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3114 u16 dcid, scid;
3115 struct l2cap_chan *chan;
3116
3117 scid = __le16_to_cpu(rsp->scid);
3118 dcid = __le16_to_cpu(rsp->dcid);
3119
3120 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3121
3122 mutex_lock(&conn->chan_lock);
3123
3124 chan = __l2cap_get_chan_by_scid(conn, scid);
3125 if (!chan) {
3126 mutex_unlock(&conn->chan_lock);
3127 return 0;
3128 }
3129
3130 l2cap_chan_lock(chan);
3131
3132 l2cap_chan_del(chan, 0);
3133
3134 l2cap_chan_unlock(chan);
3135
3136 chan->ops->close(chan->data);
3137
3138 mutex_unlock(&conn->chan_lock);
3139
3140 return 0;
3141}
3142
3143static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3144{
3145 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
3146 u16 type;
3147
3148 type = __le16_to_cpu(req->type);
3149
3150 BT_DBG("type 0x%4.4x", type);
3151
3152 if (type == L2CAP_IT_FEAT_MASK) {
3153 u8 buf[8];
3154 u32 feat_mask = l2cap_feat_mask;
3155 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3156 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3157 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3158 if (!disable_ertm)
3159 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3160 | L2CAP_FEAT_FCS;
3161 if (enable_hs)
3162 feat_mask |= L2CAP_FEAT_EXT_FLOW
3163 | L2CAP_FEAT_EXT_WINDOW;
3164
3165 put_unaligned_le32(feat_mask, rsp->data);
3166 l2cap_send_cmd(conn, cmd->ident,
3167 L2CAP_INFO_RSP, sizeof(buf), buf);
3168 } else if (type == L2CAP_IT_FIXED_CHAN) {
3169 u8 buf[12];
3170 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3171
3172 if (enable_hs)
3173 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3174 else
3175 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3176
3177 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3178 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3179 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
3180 l2cap_send_cmd(conn, cmd->ident,
3181 L2CAP_INFO_RSP, sizeof(buf), buf);
3182 } else {
3183 struct l2cap_info_rsp rsp;
3184 rsp.type = cpu_to_le16(type);
3185 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3186 l2cap_send_cmd(conn, cmd->ident,
3187 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3188 }
3189
3190 return 0;
3191}
3192
3193static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3194{
3195 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3196 u16 type, result;
3197
3198 type = __le16_to_cpu(rsp->type);
3199 result = __le16_to_cpu(rsp->result);
3200
3201 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3202
3203 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3204 if (cmd->ident != conn->info_ident ||
3205 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3206 return 0;
3207
3208 cancel_delayed_work(&conn->info_timer);
3209
3210 if (result != L2CAP_IR_SUCCESS) {
3211 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3212 conn->info_ident = 0;
3213
3214 l2cap_conn_start(conn);
3215
3216 return 0;
3217 }
3218
3219 switch (type) {
3220 case L2CAP_IT_FEAT_MASK:
3221 conn->feat_mask = get_unaligned_le32(rsp->data);
3222
3223 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
3224 struct l2cap_info_req req;
3225 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3226
3227 conn->info_ident = l2cap_get_ident(conn);
3228
3229 l2cap_send_cmd(conn, conn->info_ident,
3230 L2CAP_INFO_REQ, sizeof(req), &req);
3231 } else {
3232 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3233 conn->info_ident = 0;
3234
3235 l2cap_conn_start(conn);
3236 }
3237 break;
3238
3239 case L2CAP_IT_FIXED_CHAN:
3240 conn->fixed_chan_mask = rsp->data[0];
3241 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3242 conn->info_ident = 0;
3243
3244 l2cap_conn_start(conn);
3245 break;
3246 }
3247
3248 return 0;
3249}
3250
3251static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3252 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3253 void *data)
3254{
3255 struct l2cap_create_chan_req *req = data;
3256 struct l2cap_create_chan_rsp rsp;
3257 u16 psm, scid;
3258
3259 if (cmd_len != sizeof(*req))
3260 return -EPROTO;
3261
3262 if (!enable_hs)
3263 return -EINVAL;
3264
3265 psm = le16_to_cpu(req->psm);
3266 scid = le16_to_cpu(req->scid);
3267
3268 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3269
3270 /* Placeholder: Always reject */
3271 rsp.dcid = 0;
3272 rsp.scid = cpu_to_le16(scid);
3273 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3274 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
3275
3276 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3277 sizeof(rsp), &rsp);
3278
3279 return 0;
3280}
3281
3282static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3283 struct l2cap_cmd_hdr *cmd, void *data)
3284{
3285 BT_DBG("conn %p", conn);
3286
3287 return l2cap_connect_rsp(conn, cmd, data);
3288}
3289
3290static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3291 u16 icid, u16 result)
3292{
3293 struct l2cap_move_chan_rsp rsp;
3294
3295 BT_DBG("icid %d, result %d", icid, result);
3296
3297 rsp.icid = cpu_to_le16(icid);
3298 rsp.result = cpu_to_le16(result);
3299
3300 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3301}
3302
3303static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3304 struct l2cap_chan *chan, u16 icid, u16 result)
3305{
3306 struct l2cap_move_chan_cfm cfm;
3307 u8 ident;
3308
3309 BT_DBG("icid %d, result %d", icid, result);
3310
3311 ident = l2cap_get_ident(conn);
3312 if (chan)
3313 chan->ident = ident;
3314
3315 cfm.icid = cpu_to_le16(icid);
3316 cfm.result = cpu_to_le16(result);
3317
3318 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3319}
3320
3321static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3322 u16 icid)
3323{
3324 struct l2cap_move_chan_cfm_rsp rsp;
3325
3326 BT_DBG("icid %d", icid);
3327
3328 rsp.icid = cpu_to_le16(icid);
3329 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3330}
3331
3332static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3333 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3334{
3335 struct l2cap_move_chan_req *req = data;
3336 u16 icid = 0;
3337 u16 result = L2CAP_MR_NOT_ALLOWED;
3338
3339 if (cmd_len != sizeof(*req))
3340 return -EPROTO;
3341
3342 icid = le16_to_cpu(req->icid);
3343
3344 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3345
3346 if (!enable_hs)
3347 return -EINVAL;
3348
3349 /* Placeholder: Always refuse */
3350 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3351
3352 return 0;
3353}
3354
3355static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3356 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3357{
3358 struct l2cap_move_chan_rsp *rsp = data;
3359 u16 icid, result;
3360
3361 if (cmd_len != sizeof(*rsp))
3362 return -EPROTO;
3363
3364 icid = le16_to_cpu(rsp->icid);
3365 result = le16_to_cpu(rsp->result);
3366
3367 BT_DBG("icid %d, result %d", icid, result);
3368
3369 /* Placeholder: Always unconfirmed */
3370 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3371
3372 return 0;
3373}
3374
3375static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3376 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3377{
3378 struct l2cap_move_chan_cfm *cfm = data;
3379 u16 icid, result;
3380
3381 if (cmd_len != sizeof(*cfm))
3382 return -EPROTO;
3383
3384 icid = le16_to_cpu(cfm->icid);
3385 result = le16_to_cpu(cfm->result);
3386
3387 BT_DBG("icid %d, result %d", icid, result);
3388
3389 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3390
3391 return 0;
3392}
3393
3394static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3395 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3396{
3397 struct l2cap_move_chan_cfm_rsp *rsp = data;
3398 u16 icid;
3399
3400 if (cmd_len != sizeof(*rsp))
3401 return -EPROTO;
3402
3403 icid = le16_to_cpu(rsp->icid);
3404
3405 BT_DBG("icid %d", icid);
3406
3407 return 0;
3408}
3409
3410static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
3411 u16 to_multiplier)
3412{
3413 u16 max_latency;
3414
3415 if (min > max || min < 6 || max > 3200)
3416 return -EINVAL;
3417
3418 if (to_multiplier < 10 || to_multiplier > 3200)
3419 return -EINVAL;
3420
3421 if (max >= to_multiplier * 8)
3422 return -EINVAL;
3423
3424 max_latency = (to_multiplier * 8 / max) - 1;
3425 if (latency > 499 || latency > max_latency)
3426 return -EINVAL;
3427
3428 return 0;
3429}
3430
3431static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3432 struct l2cap_cmd_hdr *cmd, u8 *data)
3433{
3434 struct hci_conn *hcon = conn->hcon;
3435 struct l2cap_conn_param_update_req *req;
3436 struct l2cap_conn_param_update_rsp rsp;
3437 u16 min, max, latency, to_multiplier, cmd_len;
3438 int err;
3439
3440 if (!(hcon->link_mode & HCI_LM_MASTER))
3441 return -EINVAL;
3442
3443 cmd_len = __le16_to_cpu(cmd->len);
3444 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3445 return -EPROTO;
3446
3447 req = (struct l2cap_conn_param_update_req *) data;
3448 min = __le16_to_cpu(req->min);
3449 max = __le16_to_cpu(req->max);
3450 latency = __le16_to_cpu(req->latency);
3451 to_multiplier = __le16_to_cpu(req->to_multiplier);
3452
3453 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3454 min, max, latency, to_multiplier);
3455
3456 memset(&rsp, 0, sizeof(rsp));
3457
3458 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3459 if (err)
3460 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3461 else
3462 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3463
3464 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3465 sizeof(rsp), &rsp);
3466
3467 if (!err)
3468 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3469
3470 return 0;
3471}
3472
3473static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3474 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3475{
3476 int err = 0;
3477
3478 switch (cmd->code) {
3479 case L2CAP_COMMAND_REJ:
3480 l2cap_command_rej(conn, cmd, data);
3481 break;
3482
3483 case L2CAP_CONN_REQ:
3484 err = l2cap_connect_req(conn, cmd, data);
3485 break;
3486
3487 case L2CAP_CONN_RSP:
3488 err = l2cap_connect_rsp(conn, cmd, data);
3489 break;
3490
3491 case L2CAP_CONF_REQ:
3492 err = l2cap_config_req(conn, cmd, cmd_len, data);
3493 break;
3494
3495 case L2CAP_CONF_RSP:
3496 err = l2cap_config_rsp(conn, cmd, data);
3497 break;
3498
3499 case L2CAP_DISCONN_REQ:
3500 err = l2cap_disconnect_req(conn, cmd, data);
3501 break;
3502
3503 case L2CAP_DISCONN_RSP:
3504 err = l2cap_disconnect_rsp(conn, cmd, data);
3505 break;
3506
3507 case L2CAP_ECHO_REQ:
3508 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3509 break;
3510
3511 case L2CAP_ECHO_RSP:
3512 break;
3513
3514 case L2CAP_INFO_REQ:
3515 err = l2cap_information_req(conn, cmd, data);
3516 break;
3517
3518 case L2CAP_INFO_RSP:
3519 err = l2cap_information_rsp(conn, cmd, data);
3520 break;
3521
3522 case L2CAP_CREATE_CHAN_REQ:
3523 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3524 break;
3525
3526 case L2CAP_CREATE_CHAN_RSP:
3527 err = l2cap_create_channel_rsp(conn, cmd, data);
3528 break;
3529
3530 case L2CAP_MOVE_CHAN_REQ:
3531 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3532 break;
3533
3534 case L2CAP_MOVE_CHAN_RSP:
3535 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3536 break;
3537
3538 case L2CAP_MOVE_CHAN_CFM:
3539 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3540 break;
3541
3542 case L2CAP_MOVE_CHAN_CFM_RSP:
3543 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3544 break;
3545
3546 default:
3547 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3548 err = -EINVAL;
3549 break;
3550 }
3551
3552 return err;
3553}
3554
3555static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3556 struct l2cap_cmd_hdr *cmd, u8 *data)
3557{
3558 switch (cmd->code) {
3559 case L2CAP_COMMAND_REJ:
3560 return 0;
3561
3562 case L2CAP_CONN_PARAM_UPDATE_REQ:
3563 return l2cap_conn_param_update_req(conn, cmd, data);
3564
3565 case L2CAP_CONN_PARAM_UPDATE_RSP:
3566 return 0;
3567
3568 default:
3569 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3570 return -EINVAL;
3571 }
3572}
3573
3574static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3575 struct sk_buff *skb)
3576{
3577 u8 *data = skb->data;
3578 int len = skb->len;
3579 struct l2cap_cmd_hdr cmd;
3580 int err;
3581
3582 l2cap_raw_recv(conn, skb);
3583
3584 while (len >= L2CAP_CMD_HDR_SIZE) {
3585 u16 cmd_len;
3586 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3587 data += L2CAP_CMD_HDR_SIZE;
3588 len -= L2CAP_CMD_HDR_SIZE;
3589
3590 cmd_len = le16_to_cpu(cmd.len);
3591
3592 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3593
3594 if (cmd_len > len || !cmd.ident) {
3595 BT_DBG("corrupted command");
3596 break;
3597 }
3598
3599 if (conn->hcon->type == LE_LINK)
3600 err = l2cap_le_sig_cmd(conn, &cmd, data);
3601 else
3602 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
3603
3604 if (err) {
3605 struct l2cap_cmd_rej_unk rej;
3606
3607 BT_ERR("Wrong link type (%d)", err);
3608
3609 /* FIXME: Map err to a valid reason */
3610 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
3611 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3612 }
3613
3614 data += cmd_len;
3615 len -= cmd_len;
3616 }
3617
3618 kfree_skb(skb);
3619}
3620
3621static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
3622{
3623 u16 our_fcs, rcv_fcs;
3624 int hdr_size;
3625
3626 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3627 hdr_size = L2CAP_EXT_HDR_SIZE;
3628 else
3629 hdr_size = L2CAP_ENH_HDR_SIZE;
3630
3631 if (chan->fcs == L2CAP_FCS_CRC16) {
3632 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
3633 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3634 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3635
3636 if (our_fcs != rcv_fcs)
3637 return -EBADMSG;
3638 }
3639 return 0;
3640}
3641
3642static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
3643{
3644 u32 control = 0;
3645
3646 chan->frames_sent = 0;
3647
3648 control |= __set_reqseq(chan, chan->buffer_seq);
3649
3650 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3651 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
3652 l2cap_send_sframe(chan, control);
3653 set_bit(CONN_RNR_SENT, &chan->conn_state);
3654 }
3655
3656 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
3657 l2cap_retransmit_frames(chan);
3658
3659 l2cap_ertm_send(chan);
3660
3661 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
3662 chan->frames_sent == 0) {
3663 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3664 l2cap_send_sframe(chan, control);
3665 }
3666}
3667
3668static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
3669{
3670 struct sk_buff *next_skb;
3671 int tx_seq_offset, next_tx_seq_offset;
3672
3673 bt_cb(skb)->tx_seq = tx_seq;
3674 bt_cb(skb)->sar = sar;
3675
3676 next_skb = skb_peek(&chan->srej_q);
3677
3678 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
3679
3680 while (next_skb) {
3681 if (bt_cb(next_skb)->tx_seq == tx_seq)
3682 return -EINVAL;
3683
3684 next_tx_seq_offset = __seq_offset(chan,
3685 bt_cb(next_skb)->tx_seq, chan->buffer_seq);
3686
3687 if (next_tx_seq_offset > tx_seq_offset) {
3688 __skb_queue_before(&chan->srej_q, next_skb, skb);
3689 return 0;
3690 }
3691
3692 if (skb_queue_is_last(&chan->srej_q, next_skb))
3693 next_skb = NULL;
3694 else
3695 next_skb = skb_queue_next(&chan->srej_q, next_skb);
3696 }
3697
3698 __skb_queue_tail(&chan->srej_q, skb);
3699
3700 return 0;
3701}
3702
3703static void append_skb_frag(struct sk_buff *skb,
3704 struct sk_buff *new_frag, struct sk_buff **last_frag)
3705{
3706 /* skb->len reflects data in skb as well as all fragments
3707 * skb->data_len reflects only data in fragments
3708 */
3709 if (!skb_has_frag_list(skb))
3710 skb_shinfo(skb)->frag_list = new_frag;
3711
3712 new_frag->next = NULL;
3713
3714 (*last_frag)->next = new_frag;
3715 *last_frag = new_frag;
3716
3717 skb->len += new_frag->len;
3718 skb->data_len += new_frag->len;
3719 skb->truesize += new_frag->truesize;
3720}
3721
3722static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
3723{
3724 int err = -EINVAL;
3725
3726 switch (__get_ctrl_sar(chan, control)) {
3727 case L2CAP_SAR_UNSEGMENTED:
3728 if (chan->sdu)
3729 break;
3730
3731 err = chan->ops->recv(chan->data, skb);
3732 break;
3733
3734 case L2CAP_SAR_START:
3735 if (chan->sdu)
3736 break;
3737
3738 chan->sdu_len = get_unaligned_le16(skb->data);
3739 skb_pull(skb, L2CAP_SDULEN_SIZE);
3740
3741 if (chan->sdu_len > chan->imtu) {
3742 err = -EMSGSIZE;
3743 break;
3744 }
3745
3746 if (skb->len >= chan->sdu_len)
3747 break;
3748
3749 chan->sdu = skb;
3750 chan->sdu_last_frag = skb;
3751
3752 skb = NULL;
3753 err = 0;
3754 break;
3755
3756 case L2CAP_SAR_CONTINUE:
3757 if (!chan->sdu)
3758 break;
3759
3760 append_skb_frag(chan->sdu, skb,
3761 &chan->sdu_last_frag);
3762 skb = NULL;
3763
3764 if (chan->sdu->len >= chan->sdu_len)
3765 break;
3766
3767 err = 0;
3768 break;
3769
3770 case L2CAP_SAR_END:
3771 if (!chan->sdu)
3772 break;
3773
3774 append_skb_frag(chan->sdu, skb,
3775 &chan->sdu_last_frag);
3776 skb = NULL;
3777
3778 if (chan->sdu->len != chan->sdu_len)
3779 break;
3780
3781 err = chan->ops->recv(chan->data, chan->sdu);
3782
3783 if (!err) {
3784 /* Reassembly complete */
3785 chan->sdu = NULL;
3786 chan->sdu_last_frag = NULL;
3787 chan->sdu_len = 0;
3788 }
3789 break;
3790 }
3791
3792 if (err) {
3793 kfree_skb(skb);
3794 kfree_skb(chan->sdu);
3795 chan->sdu = NULL;
3796 chan->sdu_last_frag = NULL;
3797 chan->sdu_len = 0;
3798 }
3799
3800 return err;
3801}
3802
3803static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
3804{
3805 BT_DBG("chan %p, Enter local busy", chan);
3806
3807 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3808
3809 __set_ack_timer(chan);
3810}
3811
3812static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
3813{
3814 u32 control;
3815
3816 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3817 goto done;
3818
3819 control = __set_reqseq(chan, chan->buffer_seq);
3820 control |= __set_ctrl_poll(chan);
3821 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3822 l2cap_send_sframe(chan, control);
3823 chan->retry_count = 1;
3824
3825 __clear_retrans_timer(chan);
3826 __set_monitor_timer(chan);
3827
3828 set_bit(CONN_WAIT_F, &chan->conn_state);
3829
3830done:
3831 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3832 clear_bit(CONN_RNR_SENT, &chan->conn_state);
3833
3834 BT_DBG("chan %p, Exit local busy", chan);
3835}
3836
3837void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
3838{
3839 if (chan->mode == L2CAP_MODE_ERTM) {
3840 if (busy)
3841 l2cap_ertm_enter_local_busy(chan);
3842 else
3843 l2cap_ertm_exit_local_busy(chan);
3844 }
3845}
3846
3847static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
3848{
3849 struct sk_buff *skb;
3850 u32 control;
3851
3852 while ((skb = skb_peek(&chan->srej_q)) &&
3853 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3854 int err;
3855
3856 if (bt_cb(skb)->tx_seq != tx_seq)
3857 break;
3858
3859 skb = skb_dequeue(&chan->srej_q);
3860 control = __set_ctrl_sar(chan, bt_cb(skb)->sar);
3861 err = l2cap_reassemble_sdu(chan, skb, control);
3862
3863 if (err < 0) {
3864 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3865 break;
3866 }
3867
3868 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
3869 tx_seq = __next_seq(chan, tx_seq);
3870 }
3871}
3872
3873static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
3874{
3875 struct srej_list *l, *tmp;
3876 u32 control;
3877
3878 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
3879 if (l->tx_seq == tx_seq) {
3880 list_del(&l->list);
3881 kfree(l);
3882 return;
3883 }
3884 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
3885 control |= __set_reqseq(chan, l->tx_seq);
3886 l2cap_send_sframe(chan, control);
3887 list_del(&l->list);
3888 list_add_tail(&l->list, &chan->srej_l);
3889 }
3890}
3891
3892static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
3893{
3894 struct srej_list *new;
3895 u32 control;
3896
3897 while (tx_seq != chan->expected_tx_seq) {
3898 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
3899 control |= __set_reqseq(chan, chan->expected_tx_seq);
3900 l2cap_send_sframe(chan, control);
3901
3902 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
3903 if (!new)
3904 return -ENOMEM;
3905
3906 new->tx_seq = chan->expected_tx_seq;
3907
3908 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3909
3910 list_add_tail(&new->list, &chan->srej_l);
3911 }
3912
3913 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
3914
3915 return 0;
3916}
3917
3918static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
3919{
3920 u16 tx_seq = __get_txseq(chan, rx_control);
3921 u16 req_seq = __get_reqseq(chan, rx_control);
3922 u8 sar = __get_ctrl_sar(chan, rx_control);
3923 int tx_seq_offset, expected_tx_seq_offset;
3924 int num_to_ack = (chan->tx_win/6) + 1;
3925 int err = 0;
3926
3927 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
3928 tx_seq, rx_control);
3929
3930 if (__is_ctrl_final(chan, rx_control) &&
3931 test_bit(CONN_WAIT_F, &chan->conn_state)) {
3932 __clear_monitor_timer(chan);
3933 if (chan->unacked_frames > 0)
3934 __set_retrans_timer(chan);
3935 clear_bit(CONN_WAIT_F, &chan->conn_state);
3936 }
3937
3938 chan->expected_ack_seq = req_seq;
3939 l2cap_drop_acked_frames(chan);
3940
3941 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
3942
3943 /* invalid tx_seq */
3944 if (tx_seq_offset >= chan->tx_win) {
3945 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
3946 goto drop;
3947 }
3948
3949 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3950 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
3951 l2cap_send_ack(chan);
3952 goto drop;
3953 }
3954
3955 if (tx_seq == chan->expected_tx_seq)
3956 goto expected;
3957
3958 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
3959 struct srej_list *first;
3960
3961 first = list_first_entry(&chan->srej_l,
3962 struct srej_list, list);
3963 if (tx_seq == first->tx_seq) {
3964 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
3965 l2cap_check_srej_gap(chan, tx_seq);
3966
3967 list_del(&first->list);
3968 kfree(first);
3969
3970 if (list_empty(&chan->srej_l)) {
3971 chan->buffer_seq = chan->buffer_seq_srej;
3972 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
3973 l2cap_send_ack(chan);
3974 BT_DBG("chan %p, Exit SREJ_SENT", chan);
3975 }
3976 } else {
3977 struct srej_list *l;
3978
3979 /* duplicated tx_seq */
3980 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
3981 goto drop;
3982
3983 list_for_each_entry(l, &chan->srej_l, list) {
3984 if (l->tx_seq == tx_seq) {
3985 l2cap_resend_srejframe(chan, tx_seq);
3986 return 0;
3987 }
3988 }
3989
3990 err = l2cap_send_srejframe(chan, tx_seq);
3991 if (err < 0) {
3992 l2cap_send_disconn_req(chan->conn, chan, -err);
3993 return err;
3994 }
3995 }
3996 } else {
3997 expected_tx_seq_offset = __seq_offset(chan,
3998 chan->expected_tx_seq, chan->buffer_seq);
3999
4000 /* duplicated tx_seq */
4001 if (tx_seq_offset < expected_tx_seq_offset)
4002 goto drop;
4003
4004 set_bit(CONN_SREJ_SENT, &chan->conn_state);
4005
4006 BT_DBG("chan %p, Enter SREJ", chan);
4007
4008 INIT_LIST_HEAD(&chan->srej_l);
4009 chan->buffer_seq_srej = chan->buffer_seq;
4010
4011 __skb_queue_head_init(&chan->srej_q);
4012 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
4013
4014 /* Set P-bit only if there are some I-frames to ack. */
4015 if (__clear_ack_timer(chan))
4016 set_bit(CONN_SEND_PBIT, &chan->conn_state);
4017
4018 err = l2cap_send_srejframe(chan, tx_seq);
4019 if (err < 0) {
4020 l2cap_send_disconn_req(chan->conn, chan, -err);
4021 return err;
4022 }
4023 }
4024 return 0;
4025
4026expected:
4027 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4028
4029 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4030 bt_cb(skb)->tx_seq = tx_seq;
4031 bt_cb(skb)->sar = sar;
4032 __skb_queue_tail(&chan->srej_q, skb);
4033 return 0;
4034 }
4035
4036 err = l2cap_reassemble_sdu(chan, skb, rx_control);
4037 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4038
4039 if (err < 0) {
4040 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4041 return err;
4042 }
4043
4044 if (__is_ctrl_final(chan, rx_control)) {
4045 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4046 l2cap_retransmit_frames(chan);
4047 }
4048
4049
4050 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4051 if (chan->num_acked == num_to_ack - 1)
4052 l2cap_send_ack(chan);
4053 else
4054 __set_ack_timer(chan);
4055
4056 return 0;
4057
4058drop:
4059 kfree_skb(skb);
4060 return 0;
4061}
4062
4063static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
4064{
4065 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
4066 __get_reqseq(chan, rx_control), rx_control);
4067
4068 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
4069 l2cap_drop_acked_frames(chan);
4070
4071 if (__is_ctrl_poll(chan, rx_control)) {
4072 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4073 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4074 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4075 (chan->unacked_frames > 0))
4076 __set_retrans_timer(chan);
4077
4078 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4079 l2cap_send_srejtail(chan);
4080 } else {
4081 l2cap_send_i_or_rr_or_rnr(chan);
4082 }
4083
4084 } else if (__is_ctrl_final(chan, rx_control)) {
4085 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4086
4087 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4088 l2cap_retransmit_frames(chan);
4089
4090 } else {
4091 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4092 (chan->unacked_frames > 0))
4093 __set_retrans_timer(chan);
4094
4095 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4096 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
4097 l2cap_send_ack(chan);
4098 else
4099 l2cap_ertm_send(chan);
4100 }
4101}
4102
4103static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
4104{
4105 u16 tx_seq = __get_reqseq(chan, rx_control);
4106
4107 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4108
4109 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4110
4111 chan->expected_ack_seq = tx_seq;
4112 l2cap_drop_acked_frames(chan);
4113
4114 if (__is_ctrl_final(chan, rx_control)) {
4115 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4116 l2cap_retransmit_frames(chan);
4117 } else {
4118 l2cap_retransmit_frames(chan);
4119
4120 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4121 set_bit(CONN_REJ_ACT, &chan->conn_state);
4122 }
4123}
4124static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
4125{
4126 u16 tx_seq = __get_reqseq(chan, rx_control);
4127
4128 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4129
4130 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4131
4132 if (__is_ctrl_poll(chan, rx_control)) {
4133 chan->expected_ack_seq = tx_seq;
4134 l2cap_drop_acked_frames(chan);
4135
4136 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4137 l2cap_retransmit_one_frame(chan, tx_seq);
4138
4139 l2cap_ertm_send(chan);
4140
4141 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4142 chan->srej_save_reqseq = tx_seq;
4143 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4144 }
4145 } else if (__is_ctrl_final(chan, rx_control)) {
4146 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
4147 chan->srej_save_reqseq == tx_seq)
4148 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4149 else
4150 l2cap_retransmit_one_frame(chan, tx_seq);
4151 } else {
4152 l2cap_retransmit_one_frame(chan, tx_seq);
4153 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4154 chan->srej_save_reqseq = tx_seq;
4155 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4156 }
4157 }
4158}
4159
4160static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
4161{
4162 u16 tx_seq = __get_reqseq(chan, rx_control);
4163
4164 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4165
4166 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4167 chan->expected_ack_seq = tx_seq;
4168 l2cap_drop_acked_frames(chan);
4169
4170 if (__is_ctrl_poll(chan, rx_control))
4171 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4172
4173 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4174 __clear_retrans_timer(chan);
4175 if (__is_ctrl_poll(chan, rx_control))
4176 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
4177 return;
4178 }
4179
4180 if (__is_ctrl_poll(chan, rx_control)) {
4181 l2cap_send_srejtail(chan);
4182 } else {
4183 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4184 l2cap_send_sframe(chan, rx_control);
4185 }
4186}
4187
4188static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
4189{
4190 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
4191
4192 if (__is_ctrl_final(chan, rx_control) &&
4193 test_bit(CONN_WAIT_F, &chan->conn_state)) {
4194 __clear_monitor_timer(chan);
4195 if (chan->unacked_frames > 0)
4196 __set_retrans_timer(chan);
4197 clear_bit(CONN_WAIT_F, &chan->conn_state);
4198 }
4199
4200 switch (__get_ctrl_super(chan, rx_control)) {
4201 case L2CAP_SUPER_RR:
4202 l2cap_data_channel_rrframe(chan, rx_control);
4203 break;
4204
4205 case L2CAP_SUPER_REJ:
4206 l2cap_data_channel_rejframe(chan, rx_control);
4207 break;
4208
4209 case L2CAP_SUPER_SREJ:
4210 l2cap_data_channel_srejframe(chan, rx_control);
4211 break;
4212
4213 case L2CAP_SUPER_RNR:
4214 l2cap_data_channel_rnrframe(chan, rx_control);
4215 break;
4216 }
4217
4218 kfree_skb(skb);
4219 return 0;
4220}
4221
4222static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
4223{
4224 u32 control;
4225 u16 req_seq;
4226 int len, next_tx_seq_offset, req_seq_offset;
4227
4228 control = __get_control(chan, skb->data);
4229 skb_pull(skb, __ctrl_size(chan));
4230 len = skb->len;
4231
4232 /*
4233 * We can just drop the corrupted I-frame here.
4234 * Receiver will miss it and start proper recovery
4235 * procedures and ask retransmission.
4236 */
4237 if (l2cap_check_fcs(chan, skb))
4238 goto drop;
4239
4240 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
4241 len -= L2CAP_SDULEN_SIZE;
4242
4243 if (chan->fcs == L2CAP_FCS_CRC16)
4244 len -= L2CAP_FCS_SIZE;
4245
4246 if (len > chan->mps) {
4247 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4248 goto drop;
4249 }
4250
4251 req_seq = __get_reqseq(chan, control);
4252
4253 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4254
4255 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4256 chan->expected_ack_seq);
4257
4258 /* check for invalid req-seq */
4259 if (req_seq_offset > next_tx_seq_offset) {
4260 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4261 goto drop;
4262 }
4263
4264 if (!__is_sframe(chan, control)) {
4265 if (len < 0) {
4266 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4267 goto drop;
4268 }
4269
4270 l2cap_data_channel_iframe(chan, control, skb);
4271 } else {
4272 if (len != 0) {
4273 BT_ERR("%d", len);
4274 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4275 goto drop;
4276 }
4277
4278 l2cap_data_channel_sframe(chan, control, skb);
4279 }
4280
4281 return 0;
4282
4283drop:
4284 kfree_skb(skb);
4285 return 0;
4286}
4287
4288static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4289{
4290 struct l2cap_chan *chan;
4291 u32 control;
4292 u16 tx_seq;
4293 int len;
4294
4295 chan = l2cap_get_chan_by_scid(conn, cid);
4296 if (!chan) {
4297 BT_DBG("unknown cid 0x%4.4x", cid);
4298 /* Drop packet and return */
4299 kfree_skb(skb);
4300 return 0;
4301 }
4302
4303 l2cap_chan_lock(chan);
4304
4305 BT_DBG("chan %p, len %d", chan, skb->len);
4306
4307 if (chan->state != BT_CONNECTED)
4308 goto drop;
4309
4310 switch (chan->mode) {
4311 case L2CAP_MODE_BASIC:
4312 /* If socket recv buffers overflows we drop data here
4313 * which is *bad* because L2CAP has to be reliable.
4314 * But we don't have any other choice. L2CAP doesn't
4315 * provide flow control mechanism. */
4316
4317 if (chan->imtu < skb->len)
4318 goto drop;
4319
4320 if (!chan->ops->recv(chan->data, skb))
4321 goto done;
4322 break;
4323
4324 case L2CAP_MODE_ERTM:
4325 l2cap_ertm_data_rcv(chan, skb);
4326
4327 goto done;
4328
4329 case L2CAP_MODE_STREAMING:
4330 control = __get_control(chan, skb->data);
4331 skb_pull(skb, __ctrl_size(chan));
4332 len = skb->len;
4333
4334 if (l2cap_check_fcs(chan, skb))
4335 goto drop;
4336
4337 if (__is_sar_start(chan, control))
4338 len -= L2CAP_SDULEN_SIZE;
4339
4340 if (chan->fcs == L2CAP_FCS_CRC16)
4341 len -= L2CAP_FCS_SIZE;
4342
4343 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
4344 goto drop;
4345
4346 tx_seq = __get_txseq(chan, control);
4347
4348 if (chan->expected_tx_seq != tx_seq) {
4349 /* Frame(s) missing - must discard partial SDU */
4350 kfree_skb(chan->sdu);
4351 chan->sdu = NULL;
4352 chan->sdu_last_frag = NULL;
4353 chan->sdu_len = 0;
4354
4355 /* TODO: Notify userland of missing data */
4356 }
4357
4358 chan->expected_tx_seq = __next_seq(chan, tx_seq);
4359
4360 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4361 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4362
4363 goto done;
4364
4365 default:
4366 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
4367 break;
4368 }
4369
4370drop:
4371 kfree_skb(skb);
4372
4373done:
4374 l2cap_chan_unlock(chan);
4375
4376 return 0;
4377}
4378
4379static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
4380{
4381 struct l2cap_chan *chan;
4382
4383 chan = l2cap_global_chan_by_psm(0, psm, conn->src);
4384 if (!chan)
4385 goto drop;
4386
4387 BT_DBG("chan %p, len %d", chan, skb->len);
4388
4389 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4390 goto drop;
4391
4392 if (chan->imtu < skb->len)
4393 goto drop;
4394
4395 if (!chan->ops->recv(chan->data, skb))
4396 return 0;
4397
4398drop:
4399 kfree_skb(skb);
4400
4401 return 0;
4402}
4403
4404static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4405 struct sk_buff *skb)
4406{
4407 struct l2cap_chan *chan;
4408
4409 chan = l2cap_global_chan_by_scid(0, cid, conn->src);
4410 if (!chan)
4411 goto drop;
4412
4413 BT_DBG("chan %p, len %d", chan, skb->len);
4414
4415 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4416 goto drop;
4417
4418 if (chan->imtu < skb->len)
4419 goto drop;
4420
4421 if (!chan->ops->recv(chan->data, skb))
4422 return 0;
4423
4424drop:
4425 kfree_skb(skb);
4426
4427 return 0;
4428}
4429
4430static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4431{
4432 struct l2cap_hdr *lh = (void *) skb->data;
4433 u16 cid, len;
4434 __le16 psm;
4435
4436 skb_pull(skb, L2CAP_HDR_SIZE);
4437 cid = __le16_to_cpu(lh->cid);
4438 len = __le16_to_cpu(lh->len);
4439
4440 if (len != skb->len) {
4441 kfree_skb(skb);
4442 return;
4443 }
4444
4445 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4446
4447 switch (cid) {
4448 case L2CAP_CID_LE_SIGNALING:
4449 case L2CAP_CID_SIGNALING:
4450 l2cap_sig_channel(conn, skb);
4451 break;
4452
4453 case L2CAP_CID_CONN_LESS:
4454 psm = get_unaligned((__le16 *) skb->data);
4455 skb_pull(skb, 2);
4456 l2cap_conless_channel(conn, psm, skb);
4457 break;
4458
4459 case L2CAP_CID_LE_DATA:
4460 l2cap_att_channel(conn, cid, skb);
4461 break;
4462
4463 case L2CAP_CID_SMP:
4464 if (smp_sig_channel(conn, skb))
4465 l2cap_conn_del(conn->hcon, EACCES);
4466 break;
4467
4468 default:
4469 l2cap_data_channel(conn, cid, skb);
4470 break;
4471 }
4472}
4473
4474/* ---- L2CAP interface with lower layer (HCI) ---- */
4475
4476int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
4477{
4478 int exact = 0, lm1 = 0, lm2 = 0;
4479 struct l2cap_chan *c;
4480
4481 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4482
4483 /* Find listening sockets and check their link_mode */
4484 read_lock(&chan_list_lock);
4485 list_for_each_entry(c, &chan_list, global_l) {
4486 struct sock *sk = c->sk;
4487
4488 if (c->state != BT_LISTEN)
4489 continue;
4490
4491 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
4492 lm1 |= HCI_LM_ACCEPT;
4493 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4494 lm1 |= HCI_LM_MASTER;
4495 exact++;
4496 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4497 lm2 |= HCI_LM_ACCEPT;
4498 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4499 lm2 |= HCI_LM_MASTER;
4500 }
4501 }
4502 read_unlock(&chan_list_lock);
4503
4504 return exact ? lm1 : lm2;
4505}
4506
4507int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4508{
4509 struct l2cap_conn *conn;
4510
4511 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4512
4513 if (!status) {
4514 conn = l2cap_conn_add(hcon, status);
4515 if (conn)
4516 l2cap_conn_ready(conn);
4517 } else
4518 l2cap_conn_del(hcon, bt_to_errno(status));
4519
4520 return 0;
4521}
4522
4523int l2cap_disconn_ind(struct hci_conn *hcon)
4524{
4525 struct l2cap_conn *conn = hcon->l2cap_data;
4526
4527 BT_DBG("hcon %p", hcon);
4528
4529 if (!conn)
4530 return HCI_ERROR_REMOTE_USER_TERM;
4531 return conn->disc_reason;
4532}
4533
4534int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4535{
4536 BT_DBG("hcon %p reason %d", hcon, reason);
4537
4538 l2cap_conn_del(hcon, bt_to_errno(reason));
4539 return 0;
4540}
4541
4542static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4543{
4544 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
4545 return;
4546
4547 if (encrypt == 0x00) {
4548 if (chan->sec_level == BT_SECURITY_MEDIUM) {
4549 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4550 } else if (chan->sec_level == BT_SECURITY_HIGH)
4551 l2cap_chan_close(chan, ECONNREFUSED);
4552 } else {
4553 if (chan->sec_level == BT_SECURITY_MEDIUM)
4554 __clear_chan_timer(chan);
4555 }
4556}
4557
4558int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4559{
4560 struct l2cap_conn *conn = hcon->l2cap_data;
4561 struct l2cap_chan *chan;
4562
4563 if (!conn)
4564 return 0;
4565
4566 BT_DBG("conn %p", conn);
4567
4568 if (hcon->type == LE_LINK) {
4569 smp_distribute_keys(conn, 0);
4570 cancel_delayed_work(&conn->security_timer);
4571 }
4572
4573 mutex_lock(&conn->chan_lock);
4574
4575 list_for_each_entry(chan, &conn->chan_l, list) {
4576 l2cap_chan_lock(chan);
4577
4578 BT_DBG("chan->scid %d", chan->scid);
4579
4580 if (chan->scid == L2CAP_CID_LE_DATA) {
4581 if (!status && encrypt) {
4582 chan->sec_level = hcon->sec_level;
4583 l2cap_chan_ready(chan);
4584 }
4585
4586 l2cap_chan_unlock(chan);
4587 continue;
4588 }
4589
4590 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4591 l2cap_chan_unlock(chan);
4592 continue;
4593 }
4594
4595 if (!status && (chan->state == BT_CONNECTED ||
4596 chan->state == BT_CONFIG)) {
4597 l2cap_check_encryption(chan, encrypt);
4598 l2cap_chan_unlock(chan);
4599 continue;
4600 }
4601
4602 if (chan->state == BT_CONNECT) {
4603 if (!status) {
4604 l2cap_send_conn_req(chan);
4605 } else {
4606 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4607 }
4608 } else if (chan->state == BT_CONNECT2) {
4609 struct sock *sk = chan->sk;
4610 struct l2cap_conn_rsp rsp;
4611 __u16 res, stat;
4612
4613 lock_sock(sk);
4614
4615 if (!status) {
4616 if (bt_sk(sk)->defer_setup) {
4617 struct sock *parent = bt_sk(sk)->parent;
4618 res = L2CAP_CR_PEND;
4619 stat = L2CAP_CS_AUTHOR_PEND;
4620 if (parent)
4621 parent->sk_data_ready(parent, 0);
4622 } else {
4623 __l2cap_state_change(chan, BT_CONFIG);
4624 res = L2CAP_CR_SUCCESS;
4625 stat = L2CAP_CS_NO_INFO;
4626 }
4627 } else {
4628 __l2cap_state_change(chan, BT_DISCONN);
4629 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4630 res = L2CAP_CR_SEC_BLOCK;
4631 stat = L2CAP_CS_NO_INFO;
4632 }
4633
4634 release_sock(sk);
4635
4636 rsp.scid = cpu_to_le16(chan->dcid);
4637 rsp.dcid = cpu_to_le16(chan->scid);
4638 rsp.result = cpu_to_le16(res);
4639 rsp.status = cpu_to_le16(stat);
4640 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4641 sizeof(rsp), &rsp);
4642 }
4643
4644 l2cap_chan_unlock(chan);
4645 }
4646
4647 mutex_unlock(&conn->chan_lock);
4648
4649 return 0;
4650}
4651
4652int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4653{
4654 struct l2cap_conn *conn = hcon->l2cap_data;
4655
4656 if (!conn)
4657 conn = l2cap_conn_add(hcon, 0);
4658
4659 if (!conn)
4660 goto drop;
4661
4662 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4663
4664 if (!(flags & ACL_CONT)) {
4665 struct l2cap_hdr *hdr;
4666 struct l2cap_chan *chan;
4667 u16 cid;
4668 int len;
4669
4670 if (conn->rx_len) {
4671 BT_ERR("Unexpected start frame (len %d)", skb->len);
4672 kfree_skb(conn->rx_skb);
4673 conn->rx_skb = NULL;
4674 conn->rx_len = 0;
4675 l2cap_conn_unreliable(conn, ECOMM);
4676 }
4677
4678 /* Start fragment always begin with Basic L2CAP header */
4679 if (skb->len < L2CAP_HDR_SIZE) {
4680 BT_ERR("Frame is too short (len %d)", skb->len);
4681 l2cap_conn_unreliable(conn, ECOMM);
4682 goto drop;
4683 }
4684
4685 hdr = (struct l2cap_hdr *) skb->data;
4686 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4687 cid = __le16_to_cpu(hdr->cid);
4688
4689 if (len == skb->len) {
4690 /* Complete frame received */
4691 l2cap_recv_frame(conn, skb);
4692 return 0;
4693 }
4694
4695 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4696
4697 if (skb->len > len) {
4698 BT_ERR("Frame is too long (len %d, expected len %d)",
4699 skb->len, len);
4700 l2cap_conn_unreliable(conn, ECOMM);
4701 goto drop;
4702 }
4703
4704 chan = l2cap_get_chan_by_scid(conn, cid);
4705
4706 if (chan && chan->sk) {
4707 struct sock *sk = chan->sk;
4708 lock_sock(sk);
4709
4710 if (chan->imtu < len - L2CAP_HDR_SIZE) {
4711 BT_ERR("Frame exceeding recv MTU (len %d, "
4712 "MTU %d)", len,
4713 chan->imtu);
4714 release_sock(sk);
4715 l2cap_conn_unreliable(conn, ECOMM);
4716 goto drop;
4717 }
4718 release_sock(sk);
4719 }
4720
4721 /* Allocate skb for the complete frame (with header) */
4722 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4723 if (!conn->rx_skb)
4724 goto drop;
4725
4726 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4727 skb->len);
4728 conn->rx_len = len - skb->len;
4729 } else {
4730 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4731
4732 if (!conn->rx_len) {
4733 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4734 l2cap_conn_unreliable(conn, ECOMM);
4735 goto drop;
4736 }
4737
4738 if (skb->len > conn->rx_len) {
4739 BT_ERR("Fragment is too long (len %d, expected %d)",
4740 skb->len, conn->rx_len);
4741 kfree_skb(conn->rx_skb);
4742 conn->rx_skb = NULL;
4743 conn->rx_len = 0;
4744 l2cap_conn_unreliable(conn, ECOMM);
4745 goto drop;
4746 }
4747
4748 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
4749 skb->len);
4750 conn->rx_len -= skb->len;
4751
4752 if (!conn->rx_len) {
4753 /* Complete frame received */
4754 l2cap_recv_frame(conn, conn->rx_skb);
4755 conn->rx_skb = NULL;
4756 }
4757 }
4758
4759drop:
4760 kfree_skb(skb);
4761 return 0;
4762}
4763
4764static int l2cap_debugfs_show(struct seq_file *f, void *p)
4765{
4766 struct l2cap_chan *c;
4767
4768 read_lock(&chan_list_lock);
4769
4770 list_for_each_entry(c, &chan_list, global_l) {
4771 struct sock *sk = c->sk;
4772
4773 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
4774 batostr(&bt_sk(sk)->src),
4775 batostr(&bt_sk(sk)->dst),
4776 c->state, __le16_to_cpu(c->psm),
4777 c->scid, c->dcid, c->imtu, c->omtu,
4778 c->sec_level, c->mode);
4779 }
4780
4781 read_unlock(&chan_list_lock);
4782
4783 return 0;
4784}
4785
4786static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4787{
4788 return single_open(file, l2cap_debugfs_show, inode->i_private);
4789}
4790
4791static const struct file_operations l2cap_debugfs_fops = {
4792 .open = l2cap_debugfs_open,
4793 .read = seq_read,
4794 .llseek = seq_lseek,
4795 .release = single_release,
4796};
4797
4798static struct dentry *l2cap_debugfs;
4799
4800int __init l2cap_init(void)
4801{
4802 int err;
4803
4804 err = l2cap_init_sockets();
4805 if (err < 0)
4806 return err;
4807
4808 if (bt_debugfs) {
4809 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4810 bt_debugfs, NULL, &l2cap_debugfs_fops);
4811 if (!l2cap_debugfs)
4812 BT_ERR("Failed to create L2CAP debug file");
4813 }
4814
4815 return 0;
4816}
4817
4818void l2cap_exit(void)
4819{
4820 debugfs_remove(l2cap_debugfs);
4821 l2cap_cleanup_sockets();
4822}
4823
4824module_param(disable_ertm, bool, 0644);
4825MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 0.040918 seconds and 5 git commands to generate.