1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31#include <linux/module.h>
32
33#include <linux/debugfs.h>
34#include <linux/crc16.h>
35#include <linux/filter.h>
36
37#include <net/bluetooth/bluetooth.h>
38#include <net/bluetooth/hci_core.h>
39#include <net/bluetooth/l2cap.h>
40
41#include "smp.h"
42#include "a2mp.h"
43#include "amp.h"
44
45#define LE_FLOWCTL_MAX_CREDITS 65535
46
47bool disable_ertm;
48
49static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
50
51static LIST_HEAD(chan_list);
52static DEFINE_RWLOCK(chan_list_lock);
53
54static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
57static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
58 u8 code, u8 ident, u16 dlen, void *data);
59static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
60 void *data);
61static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data,
62 size_t data_size);
63static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
64
65static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
66 struct sk_buff_head *skbs, u8 event);
67
68static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
69{
70 if (link_type == LE_LINK) {
71 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
72 return BDADDR_LE_PUBLIC;
73 else
74 return BDADDR_LE_RANDOM;
75 }
76
77 return BDADDR_BREDR;
78}
79
80static inline u8 bdaddr_src_type(struct hci_conn *hcon)
81{
82 return bdaddr_type(hcon->type, hcon->src_type);
83}
84
85static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
86{
87 return bdaddr_type(hcon->type, hcon->dst_type);
88}
89
90
91
92static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
93 u16 cid)
94{
95 struct l2cap_chan *c;
96
97 list_for_each_entry(c, &conn->chan_l, list) {
98 if (c->dcid == cid)
99 return c;
100 }
101 return NULL;
102}
103
104static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
105 u16 cid)
106{
107 struct l2cap_chan *c;
108
109 list_for_each_entry(c, &conn->chan_l, list) {
110 if (c->scid == cid)
111 return c;
112 }
113 return NULL;
114}
115
116
117
118static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
119 u16 cid)
120{
121 struct l2cap_chan *c;
122
123 mutex_lock(&conn->chan_lock);
124 c = __l2cap_get_chan_by_scid(conn, cid);
125 if (c)
126 l2cap_chan_lock(c);
127 mutex_unlock(&conn->chan_lock);
128
129 return c;
130}
131
132
133
134
135static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
136 u16 cid)
137{
138 struct l2cap_chan *c;
139
140 mutex_lock(&conn->chan_lock);
141 c = __l2cap_get_chan_by_dcid(conn, cid);
142 if (c)
143 l2cap_chan_lock(c);
144 mutex_unlock(&conn->chan_lock);
145
146 return c;
147}
148
149static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 u8 ident)
151{
152 struct l2cap_chan *c;
153
154 list_for_each_entry(c, &conn->chan_l, list) {
155 if (c->ident == ident)
156 return c;
157 }
158 return NULL;
159}
160
161static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
162 u8 ident)
163{
164 struct l2cap_chan *c;
165
166 mutex_lock(&conn->chan_lock);
167 c = __l2cap_get_chan_by_ident(conn, ident);
168 if (c)
169 l2cap_chan_lock(c);
170 mutex_unlock(&conn->chan_lock);
171
172 return c;
173}
174
175static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
176{
177 struct l2cap_chan *c;
178
179 list_for_each_entry(c, &chan_list, global_l) {
180 if (c->sport == psm && !bacmp(&c->src, src))
181 return c;
182 }
183 return NULL;
184}
185
186int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
187{
188 int err;
189
190 write_lock(&chan_list_lock);
191
192 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
193 err = -EADDRINUSE;
194 goto done;
195 }
196
197 if (psm) {
198 chan->psm = psm;
199 chan->sport = psm;
200 err = 0;
201 } else {
202 u16 p, start, end, incr;
203
204 if (chan->src_type == BDADDR_BREDR) {
205 start = L2CAP_PSM_DYN_START;
206 end = L2CAP_PSM_AUTO_END;
207 incr = 2;
208 } else {
209 start = L2CAP_PSM_LE_DYN_START;
210 end = L2CAP_PSM_LE_DYN_END;
211 incr = 1;
212 }
213
214 err = -EINVAL;
215 for (p = start; p <= end; p += incr)
216 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
217 chan->psm = cpu_to_le16(p);
218 chan->sport = cpu_to_le16(p);
219 err = 0;
220 break;
221 }
222 }
223
224done:
225 write_unlock(&chan_list_lock);
226 return err;
227}
228EXPORT_SYMBOL_GPL(l2cap_add_psm);
229
230int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
231{
232 write_lock(&chan_list_lock);
233
234
235 chan->omtu = L2CAP_DEFAULT_MTU;
236 chan->chan_type = L2CAP_CHAN_FIXED;
237
238 chan->scid = scid;
239
240 write_unlock(&chan_list_lock);
241
242 return 0;
243}
244
245static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
246{
247 u16 cid, dyn_end;
248
249 if (conn->hcon->type == LE_LINK)
250 dyn_end = L2CAP_CID_LE_DYN_END;
251 else
252 dyn_end = L2CAP_CID_DYN_END;
253
254 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
255 if (!__l2cap_get_chan_by_scid(conn, cid))
256 return cid;
257 }
258
259 return 0;
260}
261
262static void l2cap_state_change(struct l2cap_chan *chan, int state)
263{
264 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
265 state_to_string(state));
266
267 chan->state = state;
268 chan->ops->state_change(chan, state, 0);
269}
270
271static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
272 int state, int err)
273{
274 chan->state = state;
275 chan->ops->state_change(chan, chan->state, err);
276}
277
278static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
279{
280 chan->ops->state_change(chan, chan->state, err);
281}
282
283static void __set_retrans_timer(struct l2cap_chan *chan)
284{
285 if (!delayed_work_pending(&chan->monitor_timer) &&
286 chan->retrans_timeout) {
287 l2cap_set_timer(chan, &chan->retrans_timer,
288 msecs_to_jiffies(chan->retrans_timeout));
289 }
290}
291
292static void __set_monitor_timer(struct l2cap_chan *chan)
293{
294 __clear_retrans_timer(chan);
295 if (chan->monitor_timeout) {
296 l2cap_set_timer(chan, &chan->monitor_timer,
297 msecs_to_jiffies(chan->monitor_timeout));
298 }
299}
300
301static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
302 u16 seq)
303{
304 struct sk_buff *skb;
305
306 skb_queue_walk(head, skb) {
307 if (bt_cb(skb)->l2cap.txseq == seq)
308 return skb;
309 }
310
311 return NULL;
312}
313
314
315
316
317
318
319
320
321
322
323
324
325static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
326{
327 size_t alloc_size, i;
328
329
330
331
332
333 alloc_size = roundup_pow_of_two(size);
334
335 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
336 if (!seq_list->list)
337 return -ENOMEM;
338
339 seq_list->mask = alloc_size - 1;
340 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
341 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
342 for (i = 0; i < alloc_size; i++)
343 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
344
345 return 0;
346}
347
348static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
349{
350 kfree(seq_list->list);
351}
352
353static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
354 u16 seq)
355{
356
357 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
358}
359
360static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
361{
362 u16 seq = seq_list->head;
363 u16 mask = seq_list->mask;
364
365 seq_list->head = seq_list->list[seq & mask];
366 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
367
368 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
369 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
370 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
371 }
372
373 return seq;
374}
375
376static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
377{
378 u16 i;
379
380 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
381 return;
382
383 for (i = 0; i <= seq_list->mask; i++)
384 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
385
386 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
387 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
388}
389
390static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
391{
392 u16 mask = seq_list->mask;
393
394
395
396 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
397 return;
398
399 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
400 seq_list->head = seq;
401 else
402 seq_list->list[seq_list->tail & mask] = seq;
403
404 seq_list->tail = seq;
405 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
406}
407
408static void l2cap_chan_timeout(struct work_struct *work)
409{
410 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
411 chan_timer.work);
412 struct l2cap_conn *conn = chan->conn;
413 int reason;
414
415 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
416
417 mutex_lock(&conn->chan_lock);
418 l2cap_chan_lock(chan);
419
420 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
421 reason = ECONNREFUSED;
422 else if (chan->state == BT_CONNECT &&
423 chan->sec_level != BT_SECURITY_SDP)
424 reason = ECONNREFUSED;
425 else
426 reason = ETIMEDOUT;
427
428 l2cap_chan_close(chan, reason);
429
430 l2cap_chan_unlock(chan);
431
432 chan->ops->close(chan);
433 mutex_unlock(&conn->chan_lock);
434
435 l2cap_chan_put(chan);
436}
437
438struct l2cap_chan *l2cap_chan_create(void)
439{
440 struct l2cap_chan *chan;
441
442 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
443 if (!chan)
444 return NULL;
445
446 mutex_init(&chan->lock);
447
448
449 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
450
451 write_lock(&chan_list_lock);
452 list_add(&chan->global_l, &chan_list);
453 write_unlock(&chan_list_lock);
454
455 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
456
457 chan->state = BT_OPEN;
458
459 kref_init(&chan->kref);
460
461
462 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
463
464 BT_DBG("chan %p", chan);
465
466 return chan;
467}
468EXPORT_SYMBOL_GPL(l2cap_chan_create);
469
470static void l2cap_chan_destroy(struct kref *kref)
471{
472 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
473
474 BT_DBG("chan %p", chan);
475
476 write_lock(&chan_list_lock);
477 list_del(&chan->global_l);
478 write_unlock(&chan_list_lock);
479
480 kfree(chan);
481}
482
483void l2cap_chan_hold(struct l2cap_chan *c)
484{
485 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
486
487 kref_get(&c->kref);
488}
489
490void l2cap_chan_put(struct l2cap_chan *c)
491{
492 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
493
494 kref_put(&c->kref, l2cap_chan_destroy);
495}
496EXPORT_SYMBOL_GPL(l2cap_chan_put);
497
498void l2cap_chan_set_defaults(struct l2cap_chan *chan)
499{
500 chan->fcs = L2CAP_FCS_CRC16;
501 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
502 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
503 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
504 chan->remote_max_tx = chan->max_tx;
505 chan->remote_tx_win = chan->tx_win;
506 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
507 chan->sec_level = BT_SECURITY_LOW;
508 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
509 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
510 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
511 chan->conf_state = 0;
512
513 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
514}
515EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
516
517static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
518{
519 chan->sdu = NULL;
520 chan->sdu_last_frag = NULL;
521 chan->sdu_len = 0;
522 chan->tx_credits = 0;
523 chan->rx_credits = le_max_credits;
524 chan->mps = min_t(u16, chan->imtu, le_default_mps);
525
526 skb_queue_head_init(&chan->tx_q);
527}
528
529void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
530{
531 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
532 __le16_to_cpu(chan->psm), chan->dcid);
533
534 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
535
536 chan->conn = conn;
537
538 switch (chan->chan_type) {
539 case L2CAP_CHAN_CONN_ORIENTED:
540
541 chan->scid = l2cap_alloc_cid(conn);
542 if (conn->hcon->type == ACL_LINK)
543 chan->omtu = L2CAP_DEFAULT_MTU;
544 break;
545
546 case L2CAP_CHAN_CONN_LESS:
547
548 chan->scid = L2CAP_CID_CONN_LESS;
549 chan->dcid = L2CAP_CID_CONN_LESS;
550 chan->omtu = L2CAP_DEFAULT_MTU;
551 break;
552
553 case L2CAP_CHAN_FIXED:
554
555 break;
556
557 default:
558
559 chan->scid = L2CAP_CID_SIGNALING;
560 chan->dcid = L2CAP_CID_SIGNALING;
561 chan->omtu = L2CAP_DEFAULT_MTU;
562 }
563
564 chan->local_id = L2CAP_BESTEFFORT_ID;
565 chan->local_stype = L2CAP_SERV_BESTEFFORT;
566 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
567 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
568 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
569 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
570
571 l2cap_chan_hold(chan);
572
573
574 if (chan->chan_type != L2CAP_CHAN_FIXED ||
575 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
576 hci_conn_hold(conn->hcon);
577
578 list_add(&chan->list, &conn->chan_l);
579}
580
581void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
582{
583 mutex_lock(&conn->chan_lock);
584 __l2cap_chan_add(conn, chan);
585 mutex_unlock(&conn->chan_lock);
586}
587
588void l2cap_chan_del(struct l2cap_chan *chan, int err)
589{
590 struct l2cap_conn *conn = chan->conn;
591
592 __clear_chan_timer(chan);
593
594 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
595 state_to_string(chan->state));
596
597 chan->ops->teardown(chan, err);
598
599 if (conn) {
600 struct amp_mgr *mgr = conn->hcon->amp_mgr;
601
602 list_del(&chan->list);
603
604 l2cap_chan_put(chan);
605
606 chan->conn = NULL;
607
608
609
610
611
612 if (chan->chan_type != L2CAP_CHAN_FIXED ||
613 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
614 hci_conn_drop(conn->hcon);
615
616 if (mgr && mgr->bredr_chan == chan)
617 mgr->bredr_chan = NULL;
618 }
619
620 if (chan->hs_hchan) {
621 struct hci_chan *hs_hchan = chan->hs_hchan;
622
623 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
624 amp_disconnect_logical_link(hs_hchan);
625 }
626
627 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
628 return;
629
630 switch(chan->mode) {
631 case L2CAP_MODE_BASIC:
632 break;
633
634 case L2CAP_MODE_LE_FLOWCTL:
635 skb_queue_purge(&chan->tx_q);
636 break;
637
638 case L2CAP_MODE_ERTM:
639 __clear_retrans_timer(chan);
640 __clear_monitor_timer(chan);
641 __clear_ack_timer(chan);
642
643 skb_queue_purge(&chan->srej_q);
644
645 l2cap_seq_list_free(&chan->srej_list);
646 l2cap_seq_list_free(&chan->retrans_list);
647
648
649
650 case L2CAP_MODE_STREAMING:
651 skb_queue_purge(&chan->tx_q);
652 break;
653 }
654
655 return;
656}
657EXPORT_SYMBOL_GPL(l2cap_chan_del);
658
659static void l2cap_conn_update_id_addr(struct work_struct *work)
660{
661 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
662 id_addr_update_work);
663 struct hci_conn *hcon = conn->hcon;
664 struct l2cap_chan *chan;
665
666 mutex_lock(&conn->chan_lock);
667
668 list_for_each_entry(chan, &conn->chan_l, list) {
669 l2cap_chan_lock(chan);
670 bacpy(&chan->dst, &hcon->dst);
671 chan->dst_type = bdaddr_dst_type(hcon);
672 l2cap_chan_unlock(chan);
673 }
674
675 mutex_unlock(&conn->chan_lock);
676}
677
678static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
679{
680 struct l2cap_conn *conn = chan->conn;
681 struct l2cap_le_conn_rsp rsp;
682 u16 result;
683
684 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
685 result = L2CAP_CR_AUTHORIZATION;
686 else
687 result = L2CAP_CR_BAD_PSM;
688
689 l2cap_state_change(chan, BT_DISCONN);
690
691 rsp.dcid = cpu_to_le16(chan->scid);
692 rsp.mtu = cpu_to_le16(chan->imtu);
693 rsp.mps = cpu_to_le16(chan->mps);
694 rsp.credits = cpu_to_le16(chan->rx_credits);
695 rsp.result = cpu_to_le16(result);
696
697 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
698 &rsp);
699}
700
701static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
702{
703 struct l2cap_conn *conn = chan->conn;
704 struct l2cap_conn_rsp rsp;
705 u16 result;
706
707 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
708 result = L2CAP_CR_SEC_BLOCK;
709 else
710 result = L2CAP_CR_BAD_PSM;
711
712 l2cap_state_change(chan, BT_DISCONN);
713
714 rsp.scid = cpu_to_le16(chan->dcid);
715 rsp.dcid = cpu_to_le16(chan->scid);
716 rsp.result = cpu_to_le16(result);
717 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
718
719 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
720}
721
722void l2cap_chan_close(struct l2cap_chan *chan, int reason)
723{
724 struct l2cap_conn *conn = chan->conn;
725
726 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
727
728 switch (chan->state) {
729 case BT_LISTEN:
730 chan->ops->teardown(chan, 0);
731 break;
732
733 case BT_CONNECTED:
734 case BT_CONFIG:
735 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
736 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
737 l2cap_send_disconn_req(chan, reason);
738 } else
739 l2cap_chan_del(chan, reason);
740 break;
741
742 case BT_CONNECT2:
743 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
744 if (conn->hcon->type == ACL_LINK)
745 l2cap_chan_connect_reject(chan);
746 else if (conn->hcon->type == LE_LINK)
747 l2cap_chan_le_connect_reject(chan);
748 }
749
750 l2cap_chan_del(chan, reason);
751 break;
752
753 case BT_CONNECT:
754 case BT_DISCONN:
755 l2cap_chan_del(chan, reason);
756 break;
757
758 default:
759 chan->ops->teardown(chan, 0);
760 break;
761 }
762}
763EXPORT_SYMBOL(l2cap_chan_close);
764
765static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
766{
767 switch (chan->chan_type) {
768 case L2CAP_CHAN_RAW:
769 switch (chan->sec_level) {
770 case BT_SECURITY_HIGH:
771 case BT_SECURITY_FIPS:
772 return HCI_AT_DEDICATED_BONDING_MITM;
773 case BT_SECURITY_MEDIUM:
774 return HCI_AT_DEDICATED_BONDING;
775 default:
776 return HCI_AT_NO_BONDING;
777 }
778 break;
779 case L2CAP_CHAN_CONN_LESS:
780 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
781 if (chan->sec_level == BT_SECURITY_LOW)
782 chan->sec_level = BT_SECURITY_SDP;
783 }
784 if (chan->sec_level == BT_SECURITY_HIGH ||
785 chan->sec_level == BT_SECURITY_FIPS)
786 return HCI_AT_NO_BONDING_MITM;
787 else
788 return HCI_AT_NO_BONDING;
789 break;
790 case L2CAP_CHAN_CONN_ORIENTED:
791 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
792 if (chan->sec_level == BT_SECURITY_LOW)
793 chan->sec_level = BT_SECURITY_SDP;
794
795 if (chan->sec_level == BT_SECURITY_HIGH ||
796 chan->sec_level == BT_SECURITY_FIPS)
797 return HCI_AT_NO_BONDING_MITM;
798 else
799 return HCI_AT_NO_BONDING;
800 }
801
802 default:
803 switch (chan->sec_level) {
804 case BT_SECURITY_HIGH:
805 case BT_SECURITY_FIPS:
806 return HCI_AT_GENERAL_BONDING_MITM;
807 case BT_SECURITY_MEDIUM:
808 return HCI_AT_GENERAL_BONDING;
809 default:
810 return HCI_AT_NO_BONDING;
811 }
812 break;
813 }
814}
815
816
817int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
818{
819 struct l2cap_conn *conn = chan->conn;
820 __u8 auth_type;
821
822 if (conn->hcon->type == LE_LINK)
823 return smp_conn_security(conn->hcon, chan->sec_level);
824
825 auth_type = l2cap_get_auth_type(chan);
826
827 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
828 initiator);
829}
830
831static u8 l2cap_get_ident(struct l2cap_conn *conn)
832{
833 u8 id;
834
835
836
837
838
839
840
841 mutex_lock(&conn->ident_lock);
842
843 if (++conn->tx_ident > 128)
844 conn->tx_ident = 1;
845
846 id = conn->tx_ident;
847
848 mutex_unlock(&conn->ident_lock);
849
850 return id;
851}
852
853static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
854 void *data)
855{
856 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
857 u8 flags;
858
859 BT_DBG("code 0x%2.2x", code);
860
861 if (!skb)
862 return;
863
864
865
866 if (lmp_no_flush_capable(conn->hcon->hdev) ||
867 conn->hcon->type == LE_LINK)
868 flags = ACL_START_NO_FLUSH;
869 else
870 flags = ACL_START;
871
872 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
873 skb->priority = HCI_PRIO_MAX;
874
875 hci_send_acl(conn->hchan, skb, flags);
876}
877
878static bool __chan_is_moving(struct l2cap_chan *chan)
879{
880 return chan->move_state != L2CAP_MOVE_STABLE &&
881 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
882}
883
884static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
885{
886 struct hci_conn *hcon = chan->conn->hcon;
887 u16 flags;
888
889 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
890 skb->priority);
891
892 if (chan->hs_hcon && !__chan_is_moving(chan)) {
893 if (chan->hs_hchan)
894 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
895 else
896 kfree_skb(skb);
897
898 return;
899 }
900
901
902
903
904
905 if (hcon->type == LE_LINK ||
906 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
907 lmp_no_flush_capable(hcon->hdev)))
908 flags = ACL_START_NO_FLUSH;
909 else
910 flags = ACL_START;
911
912 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
913 hci_send_acl(chan->conn->hchan, skb, flags);
914}
915
916static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
917{
918 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
919 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
920
921 if (enh & L2CAP_CTRL_FRAME_TYPE) {
922
923 control->sframe = 1;
924 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
925 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
926
927 control->sar = 0;
928 control->txseq = 0;
929 } else {
930
931 control->sframe = 0;
932 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
933 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
934
935 control->poll = 0;
936 control->super = 0;
937 }
938}
939
940static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
941{
942 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
943 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
944
945 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
946
947 control->sframe = 1;
948 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
949 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
950
951 control->sar = 0;
952 control->txseq = 0;
953 } else {
954
955 control->sframe = 0;
956 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
957 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
958
959 control->poll = 0;
960 control->super = 0;
961 }
962}
963
964static inline void __unpack_control(struct l2cap_chan *chan,
965 struct sk_buff *skb)
966{
967 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
968 __unpack_extended_control(get_unaligned_le32(skb->data),
969 &bt_cb(skb)->l2cap);
970 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
971 } else {
972 __unpack_enhanced_control(get_unaligned_le16(skb->data),
973 &bt_cb(skb)->l2cap);
974 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
975 }
976}
977
978static u32 __pack_extended_control(struct l2cap_ctrl *control)
979{
980 u32 packed;
981
982 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
983 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
984
985 if (control->sframe) {
986 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
987 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
988 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
989 } else {
990 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
991 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
992 }
993
994 return packed;
995}
996
997static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
998{
999 u16 packed;
1000
1001 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1002 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1003
1004 if (control->sframe) {
1005 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1006 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1007 packed |= L2CAP_CTRL_FRAME_TYPE;
1008 } else {
1009 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1010 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1011 }
1012
1013 return packed;
1014}
1015
1016static inline void __pack_control(struct l2cap_chan *chan,
1017 struct l2cap_ctrl *control,
1018 struct sk_buff *skb)
1019{
1020 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1021 put_unaligned_le32(__pack_extended_control(control),
1022 skb->data + L2CAP_HDR_SIZE);
1023 } else {
1024 put_unaligned_le16(__pack_enhanced_control(control),
1025 skb->data + L2CAP_HDR_SIZE);
1026 }
1027}
1028
1029static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1030{
1031 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1032 return L2CAP_EXT_HDR_SIZE;
1033 else
1034 return L2CAP_ENH_HDR_SIZE;
1035}
1036
1037static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1038 u32 control)
1039{
1040 struct sk_buff *skb;
1041 struct l2cap_hdr *lh;
1042 int hlen = __ertm_hdr_size(chan);
1043
1044 if (chan->fcs == L2CAP_FCS_CRC16)
1045 hlen += L2CAP_FCS_SIZE;
1046
1047 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1048
1049 if (!skb)
1050 return ERR_PTR(-ENOMEM);
1051
1052 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1053 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1054 lh->cid = cpu_to_le16(chan->dcid);
1055
1056 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1057 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1058 else
1059 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1060
1061 if (chan->fcs == L2CAP_FCS_CRC16) {
1062 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1063 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1064 }
1065
1066 skb->priority = HCI_PRIO_MAX;
1067 return skb;
1068}
1069
1070static void l2cap_send_sframe(struct l2cap_chan *chan,
1071 struct l2cap_ctrl *control)
1072{
1073 struct sk_buff *skb;
1074 u32 control_field;
1075
1076 BT_DBG("chan %p, control %p", chan, control);
1077
1078 if (!control->sframe)
1079 return;
1080
1081 if (__chan_is_moving(chan))
1082 return;
1083
1084 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1085 !control->poll)
1086 control->final = 1;
1087
1088 if (control->super == L2CAP_SUPER_RR)
1089 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1090 else if (control->super == L2CAP_SUPER_RNR)
1091 set_bit(CONN_RNR_SENT, &chan->conn_state);
1092
1093 if (control->super != L2CAP_SUPER_SREJ) {
1094 chan->last_acked_seq = control->reqseq;
1095 __clear_ack_timer(chan);
1096 }
1097
1098 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1099 control->final, control->poll, control->super);
1100
1101 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1102 control_field = __pack_extended_control(control);
1103 else
1104 control_field = __pack_enhanced_control(control);
1105
1106 skb = l2cap_create_sframe_pdu(chan, control_field);
1107 if (!IS_ERR(skb))
1108 l2cap_do_send(chan, skb);
1109}
1110
1111static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1112{
1113 struct l2cap_ctrl control;
1114
1115 BT_DBG("chan %p, poll %d", chan, poll);
1116
1117 memset(&control, 0, sizeof(control));
1118 control.sframe = 1;
1119 control.poll = poll;
1120
1121 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1122 control.super = L2CAP_SUPER_RNR;
1123 else
1124 control.super = L2CAP_SUPER_RR;
1125
1126 control.reqseq = chan->buffer_seq;
1127 l2cap_send_sframe(chan, &control);
1128}
1129
1130static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1131{
1132 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1133 return true;
1134
1135 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1136}
1137
1138static bool __amp_capable(struct l2cap_chan *chan)
1139{
1140 struct l2cap_conn *conn = chan->conn;
1141 struct hci_dev *hdev;
1142 bool amp_available = false;
1143
1144 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1145 return false;
1146
1147 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1148 return false;
1149
1150 read_lock(&hci_dev_list_lock);
1151 list_for_each_entry(hdev, &hci_dev_list, list) {
1152 if (hdev->amp_type != AMP_TYPE_BREDR &&
1153 test_bit(HCI_UP, &hdev->flags)) {
1154 amp_available = true;
1155 break;
1156 }
1157 }
1158 read_unlock(&hci_dev_list_lock);
1159
1160 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1161 return amp_available;
1162
1163 return false;
1164}
1165
1166static bool l2cap_check_efs(struct l2cap_chan *chan)
1167{
1168
1169 return true;
1170}
1171
1172void l2cap_send_conn_req(struct l2cap_chan *chan)
1173{
1174 struct l2cap_conn *conn = chan->conn;
1175 struct l2cap_conn_req req;
1176
1177 req.scid = cpu_to_le16(chan->scid);
1178 req.psm = chan->psm;
1179
1180 chan->ident = l2cap_get_ident(conn);
1181
1182 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1183
1184 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1185}
1186
1187static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1188{
1189 struct l2cap_create_chan_req req;
1190 req.scid = cpu_to_le16(chan->scid);
1191 req.psm = chan->psm;
1192 req.amp_id = amp_id;
1193
1194 chan->ident = l2cap_get_ident(chan->conn);
1195
1196 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1197 sizeof(req), &req);
1198}
1199
1200static void l2cap_move_setup(struct l2cap_chan *chan)
1201{
1202 struct sk_buff *skb;
1203
1204 BT_DBG("chan %p", chan);
1205
1206 if (chan->mode != L2CAP_MODE_ERTM)
1207 return;
1208
1209 __clear_retrans_timer(chan);
1210 __clear_monitor_timer(chan);
1211 __clear_ack_timer(chan);
1212
1213 chan->retry_count = 0;
1214 skb_queue_walk(&chan->tx_q, skb) {
1215 if (bt_cb(skb)->l2cap.retries)
1216 bt_cb(skb)->l2cap.retries = 1;
1217 else
1218 break;
1219 }
1220
1221 chan->expected_tx_seq = chan->buffer_seq;
1222
1223 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1224 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1225 l2cap_seq_list_clear(&chan->retrans_list);
1226 l2cap_seq_list_clear(&chan->srej_list);
1227 skb_queue_purge(&chan->srej_q);
1228
1229 chan->tx_state = L2CAP_TX_STATE_XMIT;
1230 chan->rx_state = L2CAP_RX_STATE_MOVE;
1231
1232 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1233}
1234
1235static void l2cap_move_done(struct l2cap_chan *chan)
1236{
1237 u8 move_role = chan->move_role;
1238 BT_DBG("chan %p", chan);
1239
1240 chan->move_state = L2CAP_MOVE_STABLE;
1241 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1242
1243 if (chan->mode != L2CAP_MODE_ERTM)
1244 return;
1245
1246 switch (move_role) {
1247 case L2CAP_MOVE_ROLE_INITIATOR:
1248 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1249 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1250 break;
1251 case L2CAP_MOVE_ROLE_RESPONDER:
1252 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1253 break;
1254 }
1255}
1256
1257static void l2cap_chan_ready(struct l2cap_chan *chan)
1258{
1259
1260
1261
1262
1263 if (chan->state == BT_CONNECTED)
1264 return;
1265
1266
1267 chan->conf_state = 0;
1268 __clear_chan_timer(chan);
1269
1270 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1271 chan->ops->suspend(chan);
1272
1273 chan->state = BT_CONNECTED;
1274
1275 chan->ops->ready(chan);
1276}
1277
1278static void l2cap_le_connect(struct l2cap_chan *chan)
1279{
1280 struct l2cap_conn *conn = chan->conn;
1281 struct l2cap_le_conn_req req;
1282
1283 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1284 return;
1285
1286 req.psm = chan->psm;
1287 req.scid = cpu_to_le16(chan->scid);
1288 req.mtu = cpu_to_le16(chan->imtu);
1289 req.mps = cpu_to_le16(chan->mps);
1290 req.credits = cpu_to_le16(chan->rx_credits);
1291
1292 chan->ident = l2cap_get_ident(conn);
1293
1294 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1295 sizeof(req), &req);
1296}
1297
1298static void l2cap_le_start(struct l2cap_chan *chan)
1299{
1300 struct l2cap_conn *conn = chan->conn;
1301
1302 if (!smp_conn_security(conn->hcon, chan->sec_level))
1303 return;
1304
1305 if (!chan->psm) {
1306 l2cap_chan_ready(chan);
1307 return;
1308 }
1309
1310 if (chan->state == BT_CONNECT)
1311 l2cap_le_connect(chan);
1312}
1313
1314static void l2cap_start_connection(struct l2cap_chan *chan)
1315{
1316 if (__amp_capable(chan)) {
1317 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1318 a2mp_discover_amp(chan);
1319 } else if (chan->conn->hcon->type == LE_LINK) {
1320 l2cap_le_start(chan);
1321 } else {
1322 l2cap_send_conn_req(chan);
1323 }
1324}
1325
1326static void l2cap_request_info(struct l2cap_conn *conn)
1327{
1328 struct l2cap_info_req req;
1329
1330 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1331 return;
1332
1333 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1334
1335 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1336 conn->info_ident = l2cap_get_ident(conn);
1337
1338 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1339
1340 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1341 sizeof(req), &req);
1342}
1343
1344static void l2cap_do_start(struct l2cap_chan *chan)
1345{
1346 struct l2cap_conn *conn = chan->conn;
1347
1348 if (conn->hcon->type == LE_LINK) {
1349 l2cap_le_start(chan);
1350 return;
1351 }
1352
1353 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1354 l2cap_request_info(conn);
1355 return;
1356 }
1357
1358 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1359 return;
1360
1361 if (l2cap_chan_check_security(chan, true) &&
1362 __l2cap_no_conn_pending(chan))
1363 l2cap_start_connection(chan);
1364}
1365
1366static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1367{
1368 u32 local_feat_mask = l2cap_feat_mask;
1369 if (!disable_ertm)
1370 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1371
1372 switch (mode) {
1373 case L2CAP_MODE_ERTM:
1374 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1375 case L2CAP_MODE_STREAMING:
1376 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1377 default:
1378 return 0x00;
1379 }
1380}
1381
1382static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1383{
1384 struct l2cap_conn *conn = chan->conn;
1385 struct l2cap_disconn_req req;
1386
1387 if (!conn)
1388 return;
1389
1390 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1391 __clear_retrans_timer(chan);
1392 __clear_monitor_timer(chan);
1393 __clear_ack_timer(chan);
1394 }
1395
1396 if (chan->scid == L2CAP_CID_A2MP) {
1397 l2cap_state_change(chan, BT_DISCONN);
1398 return;
1399 }
1400
1401 req.dcid = cpu_to_le16(chan->dcid);
1402 req.scid = cpu_to_le16(chan->scid);
1403 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1404 sizeof(req), &req);
1405
1406 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1407}
1408
1409
1410static void l2cap_conn_start(struct l2cap_conn *conn)
1411{
1412 struct l2cap_chan *chan, *tmp;
1413
1414 BT_DBG("conn %p", conn);
1415
1416 mutex_lock(&conn->chan_lock);
1417
1418 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1419 l2cap_chan_lock(chan);
1420
1421 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1422 l2cap_chan_ready(chan);
1423 l2cap_chan_unlock(chan);
1424 continue;
1425 }
1426
1427 if (chan->state == BT_CONNECT) {
1428 if (!l2cap_chan_check_security(chan, true) ||
1429 !__l2cap_no_conn_pending(chan)) {
1430 l2cap_chan_unlock(chan);
1431 continue;
1432 }
1433
1434 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1435 && test_bit(CONF_STATE2_DEVICE,
1436 &chan->conf_state)) {
1437 l2cap_chan_close(chan, ECONNRESET);
1438 l2cap_chan_unlock(chan);
1439 continue;
1440 }
1441
1442 l2cap_start_connection(chan);
1443
1444 } else if (chan->state == BT_CONNECT2) {
1445 struct l2cap_conn_rsp rsp;
1446 char buf[128];
1447 rsp.scid = cpu_to_le16(chan->dcid);
1448 rsp.dcid = cpu_to_le16(chan->scid);
1449
1450 if (l2cap_chan_check_security(chan, false)) {
1451 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1452 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1453 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1454 chan->ops->defer(chan);
1455
1456 } else {
1457 l2cap_state_change(chan, BT_CONFIG);
1458 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1459 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1460 }
1461 } else {
1462 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1463 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1464 }
1465
1466 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1467 sizeof(rsp), &rsp);
1468
1469 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1470 rsp.result != L2CAP_CR_SUCCESS) {
1471 l2cap_chan_unlock(chan);
1472 continue;
1473 }
1474
1475 set_bit(CONF_REQ_SENT, &chan->conf_state);
1476 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1477 l2cap_build_conf_req(chan, buf,
1478 sizeof(buf)),
1479 buf);
1480 chan->num_conf_req++;
1481 }
1482
1483 l2cap_chan_unlock(chan);
1484 }
1485
1486 mutex_unlock(&conn->chan_lock);
1487}
1488
1489static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1490{
1491 struct hci_conn *hcon = conn->hcon;
1492 struct hci_dev *hdev = hcon->hdev;
1493
1494 BT_DBG("%s conn %p", hdev->name, conn);
1495
1496
1497
1498
1499 if (hcon->out)
1500 smp_conn_security(hcon, hcon->pending_sec_level);
1501
1502
1503
1504
1505
1506
1507 if (hcon->role == HCI_ROLE_SLAVE &&
1508 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1509 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1510 struct l2cap_conn_param_update_req req;
1511
1512 gmb();
1513 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1514 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1515 req.latency = cpu_to_le16(hcon->le_conn_latency);
1516 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1517
1518 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1519 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1520 }
1521}
1522
1523static void l2cap_conn_ready(struct l2cap_conn *conn)
1524{
1525 struct l2cap_chan *chan;
1526 struct hci_conn *hcon = conn->hcon;
1527
1528 BT_DBG("conn %p", conn);
1529
1530 if (hcon->type == ACL_LINK)
1531 l2cap_request_info(conn);
1532
1533 mutex_lock(&conn->chan_lock);
1534
1535 list_for_each_entry(chan, &conn->chan_l, list) {
1536
1537 l2cap_chan_lock(chan);
1538
1539 if (chan->scid == L2CAP_CID_A2MP) {
1540 l2cap_chan_unlock(chan);
1541 continue;
1542 }
1543
1544 if (hcon->type == LE_LINK) {
1545 l2cap_le_start(chan);
1546 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1547 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1548 l2cap_chan_ready(chan);
1549 } else if (chan->state == BT_CONNECT) {
1550 l2cap_do_start(chan);
1551 }
1552
1553 l2cap_chan_unlock(chan);
1554 }
1555
1556 mutex_unlock(&conn->chan_lock);
1557
1558 if (hcon->type == LE_LINK)
1559 l2cap_le_conn_ready(conn);
1560
1561 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1562}
1563
1564
1565static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1566{
1567 struct l2cap_chan *chan;
1568
1569 BT_DBG("conn %p", conn);
1570
1571 mutex_lock(&conn->chan_lock);
1572
1573 list_for_each_entry(chan, &conn->chan_l, list) {
1574 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1575 l2cap_chan_set_err(chan, err);
1576 }
1577
1578 mutex_unlock(&conn->chan_lock);
1579}
1580
1581static void l2cap_info_timeout(struct work_struct *work)
1582{
1583 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1584 info_timer.work);
1585
1586 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1587 conn->info_ident = 0;
1588
1589 l2cap_conn_start(conn);
1590}
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1606{
1607 struct hci_dev *hdev = conn->hcon->hdev;
1608 int ret;
1609
1610
1611
1612
1613
1614
1615
1616
1617 hci_dev_lock(hdev);
1618
1619 if (!list_empty(&user->list)) {
1620 ret = -EINVAL;
1621 goto out_unlock;
1622 }
1623
1624
1625 if (!conn->hchan) {
1626 ret = -ENODEV;
1627 goto out_unlock;
1628 }
1629
1630 ret = user->probe(conn, user);
1631 if (ret)
1632 goto out_unlock;
1633
1634 list_add(&user->list, &conn->users);
1635 ret = 0;
1636
1637out_unlock:
1638 hci_dev_unlock(hdev);
1639 return ret;
1640}
1641EXPORT_SYMBOL(l2cap_register_user);
1642
1643void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1644{
1645 struct hci_dev *hdev = conn->hcon->hdev;
1646
1647 hci_dev_lock(hdev);
1648
1649 if (list_empty(&user->list))
1650 goto out_unlock;
1651
1652 list_del_init(&user->list);
1653 user->remove(conn, user);
1654
1655out_unlock:
1656 hci_dev_unlock(hdev);
1657}
1658EXPORT_SYMBOL(l2cap_unregister_user);
1659
1660static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1661{
1662 struct l2cap_user *user;
1663
1664 while (!list_empty(&conn->users)) {
1665 user = list_first_entry(&conn->users, struct l2cap_user, list);
1666 list_del_init(&user->list);
1667 user->remove(conn, user);
1668 }
1669}
1670
1671static void l2cap_conn_del(struct hci_conn *hcon, int err)
1672{
1673 struct l2cap_conn *conn = hcon->l2cap_data;
1674 struct l2cap_chan *chan, *l;
1675
1676 if (!conn)
1677 return;
1678
1679 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1680
1681 kfree_skb(conn->rx_skb);
1682
1683 skb_queue_purge(&conn->pending_rx);
1684
1685
1686
1687
1688
1689 if (work_pending(&conn->pending_rx_work))
1690 cancel_work_sync(&conn->pending_rx_work);
1691
1692 if (work_pending(&conn->id_addr_update_work))
1693 cancel_work_sync(&conn->id_addr_update_work);
1694
1695 l2cap_unregister_all_users(conn);
1696
1697
1698 hcon->disc_timeout = 0;
1699
1700 mutex_lock(&conn->chan_lock);
1701
1702
1703 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1704 l2cap_chan_hold(chan);
1705 l2cap_chan_lock(chan);
1706
1707 l2cap_chan_del(chan, err);
1708
1709 l2cap_chan_unlock(chan);
1710
1711 chan->ops->close(chan);
1712 l2cap_chan_put(chan);
1713 }
1714
1715 mutex_unlock(&conn->chan_lock);
1716
1717 hci_chan_del(conn->hchan);
1718
1719 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1720 cancel_delayed_work_sync(&conn->info_timer);
1721
1722 hcon->l2cap_data = NULL;
1723 conn->hchan = NULL;
1724 l2cap_conn_put(conn);
1725}
1726
1727static void l2cap_conn_free(struct kref *ref)
1728{
1729 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1730
1731 hci_conn_put(conn->hcon);
1732 kfree(conn);
1733}
1734
1735struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1736{
1737 kref_get(&conn->ref);
1738 return conn;
1739}
1740EXPORT_SYMBOL(l2cap_conn_get);
1741
1742void l2cap_conn_put(struct l2cap_conn *conn)
1743{
1744 kref_put(&conn->ref, l2cap_conn_free);
1745}
1746EXPORT_SYMBOL(l2cap_conn_put);
1747
1748
1749
1750
1751
1752
1753static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1754 bdaddr_t *src,
1755 bdaddr_t *dst,
1756 u8 link_type)
1757{
1758 struct l2cap_chan *c, *c1 = NULL;
1759
1760 read_lock(&chan_list_lock);
1761
1762 list_for_each_entry(c, &chan_list, global_l) {
1763 if (state && c->state != state)
1764 continue;
1765
1766 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1767 continue;
1768
1769 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1770 continue;
1771
1772 if (c->psm == psm) {
1773 int src_match, dst_match;
1774 int src_any, dst_any;
1775
1776
1777 src_match = !bacmp(&c->src, src);
1778 dst_match = !bacmp(&c->dst, dst);
1779 if (src_match && dst_match) {
1780 l2cap_chan_hold(c);
1781 read_unlock(&chan_list_lock);
1782 return c;
1783 }
1784
1785
1786 src_any = !bacmp(&c->src, BDADDR_ANY);
1787 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1788 if ((src_match && dst_any) || (src_any && dst_match) ||
1789 (src_any && dst_any))
1790 c1 = c;
1791 }
1792 }
1793
1794 if (c1)
1795 l2cap_chan_hold(c1);
1796
1797 read_unlock(&chan_list_lock);
1798
1799 return c1;
1800}
1801
1802static void l2cap_monitor_timeout(struct work_struct *work)
1803{
1804 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1805 monitor_timer.work);
1806
1807 BT_DBG("chan %p", chan);
1808
1809 l2cap_chan_lock(chan);
1810
1811 if (!chan->conn) {
1812 l2cap_chan_unlock(chan);
1813 l2cap_chan_put(chan);
1814 return;
1815 }
1816
1817 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1818
1819 l2cap_chan_unlock(chan);
1820 l2cap_chan_put(chan);
1821}
1822
1823static void l2cap_retrans_timeout(struct work_struct *work)
1824{
1825 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1826 retrans_timer.work);
1827
1828 BT_DBG("chan %p", chan);
1829
1830 l2cap_chan_lock(chan);
1831
1832 if (!chan->conn) {
1833 l2cap_chan_unlock(chan);
1834 l2cap_chan_put(chan);
1835 return;
1836 }
1837
1838 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1839 l2cap_chan_unlock(chan);
1840 l2cap_chan_put(chan);
1841}
1842
1843static void l2cap_streaming_send(struct l2cap_chan *chan,
1844 struct sk_buff_head *skbs)
1845{
1846 struct sk_buff *skb;
1847 struct l2cap_ctrl *control;
1848
1849 BT_DBG("chan %p, skbs %p", chan, skbs);
1850
1851 if (__chan_is_moving(chan))
1852 return;
1853
1854 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1855
1856 while (!skb_queue_empty(&chan->tx_q)) {
1857
1858 skb = skb_dequeue(&chan->tx_q);
1859
1860 bt_cb(skb)->l2cap.retries = 1;
1861 control = &bt_cb(skb)->l2cap;
1862
1863 control->reqseq = 0;
1864 control->txseq = chan->next_tx_seq;
1865
1866 __pack_control(chan, control, skb);
1867
1868 if (chan->fcs == L2CAP_FCS_CRC16) {
1869 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1870 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1871 }
1872
1873 l2cap_do_send(chan, skb);
1874
1875 BT_DBG("Sent txseq %u", control->txseq);
1876
1877 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1878 chan->frames_sent++;
1879 }
1880}
1881
1882static int l2cap_ertm_send(struct l2cap_chan *chan)
1883{
1884 struct sk_buff *skb, *tx_skb;
1885 struct l2cap_ctrl *control;
1886 int sent = 0;
1887
1888 BT_DBG("chan %p", chan);
1889
1890 if (chan->state != BT_CONNECTED)
1891 return -ENOTCONN;
1892
1893 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1894 return 0;
1895
1896 if (__chan_is_moving(chan))
1897 return 0;
1898
1899 while (chan->tx_send_head &&
1900 chan->unacked_frames < chan->remote_tx_win &&
1901 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1902
1903 skb = chan->tx_send_head;
1904
1905 bt_cb(skb)->l2cap.retries = 1;
1906 control = &bt_cb(skb)->l2cap;
1907
1908 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1909 control->final = 1;
1910
1911 control->reqseq = chan->buffer_seq;
1912 chan->last_acked_seq = chan->buffer_seq;
1913 control->txseq = chan->next_tx_seq;
1914
1915 __pack_control(chan, control, skb);
1916
1917 if (chan->fcs == L2CAP_FCS_CRC16) {
1918 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1919 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1920 }
1921
1922
1923
1924
1925 tx_skb = skb_clone(skb, GFP_KERNEL);
1926
1927 if (!tx_skb)
1928 break;
1929
1930 __set_retrans_timer(chan);
1931
1932 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1933 chan->unacked_frames++;
1934 chan->frames_sent++;
1935 sent++;
1936
1937 if (skb_queue_is_last(&chan->tx_q, skb))
1938 chan->tx_send_head = NULL;
1939 else
1940 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1941
1942 l2cap_do_send(chan, tx_skb);
1943 BT_DBG("Sent txseq %u", control->txseq);
1944 }
1945
1946 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1947 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1948
1949 return sent;
1950}
1951
1952static void l2cap_ertm_resend(struct l2cap_chan *chan)
1953{
1954 struct l2cap_ctrl control;
1955 struct sk_buff *skb;
1956 struct sk_buff *tx_skb;
1957 u16 seq;
1958
1959 BT_DBG("chan %p", chan);
1960
1961 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1962 return;
1963
1964 if (__chan_is_moving(chan))
1965 return;
1966
1967 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1968 seq = l2cap_seq_list_pop(&chan->retrans_list);
1969
1970 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1971 if (!skb) {
1972 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1973 seq);
1974 continue;
1975 }
1976
1977 bt_cb(skb)->l2cap.retries++;
1978 control = bt_cb(skb)->l2cap;
1979
1980 if (chan->max_tx != 0 &&
1981 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1982 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1983 l2cap_send_disconn_req(chan, ECONNRESET);
1984 l2cap_seq_list_clear(&chan->retrans_list);
1985 break;
1986 }
1987
1988 control.reqseq = chan->buffer_seq;
1989 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1990 control.final = 1;
1991 else
1992 control.final = 0;
1993
1994 if (skb_cloned(skb)) {
1995
1996
1997
1998 tx_skb = skb_copy(skb, GFP_KERNEL);
1999 } else {
2000 tx_skb = skb_clone(skb, GFP_KERNEL);
2001 }
2002
2003 if (!tx_skb) {
2004 l2cap_seq_list_clear(&chan->retrans_list);
2005 break;
2006 }
2007
2008
2009 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2010 put_unaligned_le32(__pack_extended_control(&control),
2011 tx_skb->data + L2CAP_HDR_SIZE);
2012 } else {
2013 put_unaligned_le16(__pack_enhanced_control(&control),
2014 tx_skb->data + L2CAP_HDR_SIZE);
2015 }
2016
2017
2018 if (chan->fcs == L2CAP_FCS_CRC16) {
2019 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2020 tx_skb->len - L2CAP_FCS_SIZE);
2021 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2022 L2CAP_FCS_SIZE);
2023 }
2024
2025 l2cap_do_send(chan, tx_skb);
2026
2027 BT_DBG("Resent txseq %d", control.txseq);
2028
2029 chan->last_acked_seq = chan->buffer_seq;
2030 }
2031}
2032
2033static void l2cap_retransmit(struct l2cap_chan *chan,
2034 struct l2cap_ctrl *control)
2035{
2036 BT_DBG("chan %p, control %p", chan, control);
2037
2038 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2039 l2cap_ertm_resend(chan);
2040}
2041
2042static void l2cap_retransmit_all(struct l2cap_chan *chan,
2043 struct l2cap_ctrl *control)
2044{
2045 struct sk_buff *skb;
2046
2047 BT_DBG("chan %p, control %p", chan, control);
2048
2049 if (control->poll)
2050 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2051
2052 l2cap_seq_list_clear(&chan->retrans_list);
2053
2054 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2055 return;
2056
2057 if (chan->unacked_frames) {
2058 skb_queue_walk(&chan->tx_q, skb) {
2059 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2060 skb == chan->tx_send_head)
2061 break;
2062 }
2063
2064 skb_queue_walk_from(&chan->tx_q, skb) {
2065 if (skb == chan->tx_send_head)
2066 break;
2067
2068 l2cap_seq_list_append(&chan->retrans_list,
2069 bt_cb(skb)->l2cap.txseq);
2070 }
2071
2072 l2cap_ertm_resend(chan);
2073 }
2074}
2075
2076static void l2cap_send_ack(struct l2cap_chan *chan)
2077{
2078 struct l2cap_ctrl control;
2079 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2080 chan->last_acked_seq);
2081 int threshold;
2082
2083 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2084 chan, chan->last_acked_seq, chan->buffer_seq);
2085
2086 memset(&control, 0, sizeof(control));
2087 control.sframe = 1;
2088
2089 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2090 chan->rx_state == L2CAP_RX_STATE_RECV) {
2091 __clear_ack_timer(chan);
2092 control.super = L2CAP_SUPER_RNR;
2093 control.reqseq = chan->buffer_seq;
2094 l2cap_send_sframe(chan, &control);
2095 } else {
2096 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2097 l2cap_ertm_send(chan);
2098
2099 if (chan->buffer_seq == chan->last_acked_seq)
2100 frames_to_ack = 0;
2101 }
2102
2103
2104
2105
2106 threshold = chan->ack_win;
2107 threshold += threshold << 1;
2108 threshold >>= 2;
2109
2110 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2111 threshold);
2112
2113 if (frames_to_ack >= threshold) {
2114 __clear_ack_timer(chan);
2115 control.super = L2CAP_SUPER_RR;
2116 control.reqseq = chan->buffer_seq;
2117 l2cap_send_sframe(chan, &control);
2118 frames_to_ack = 0;
2119 }
2120
2121 if (frames_to_ack)
2122 __set_ack_timer(chan);
2123 }
2124}
2125
2126static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2127 struct msghdr *msg, int len,
2128 int count, struct sk_buff *skb)
2129{
2130 struct l2cap_conn *conn = chan->conn;
2131 struct sk_buff **frag;
2132 int sent = 0;
2133
2134 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2135 msg, count))
2136 return -EFAULT;
2137
2138 sent += count;
2139 len -= count;
2140
2141
2142 frag = &skb_shinfo(skb)->frag_list;
2143 while (len) {
2144 struct sk_buff *tmp;
2145
2146 count = min_t(unsigned int, conn->mtu, len);
2147
2148 tmp = chan->ops->alloc_skb(chan, 0, count,
2149 msg->msg_flags & MSG_DONTWAIT);
2150 if (IS_ERR(tmp))
2151 return PTR_ERR(tmp);
2152
2153 *frag = tmp;
2154
2155 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2156 msg, count))
2157 return -EFAULT;
2158
2159 sent += count;
2160 len -= count;
2161
2162 skb->len += (*frag)->len;
2163 skb->data_len += (*frag)->len;
2164
2165 frag = &(*frag)->next;
2166 }
2167
2168 return sent;
2169}
2170
2171static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2172 struct msghdr *msg, size_t len)
2173{
2174 struct l2cap_conn *conn = chan->conn;
2175 struct sk_buff *skb;
2176 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2177 struct l2cap_hdr *lh;
2178
2179 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2180 __le16_to_cpu(chan->psm), len);
2181
2182 count = min_t(unsigned int, (conn->mtu - hlen), len);
2183
2184 skb = chan->ops->alloc_skb(chan, hlen, count,
2185 msg->msg_flags & MSG_DONTWAIT);
2186 if (IS_ERR(skb))
2187 return skb;
2188
2189
2190 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2191 lh->cid = cpu_to_le16(chan->dcid);
2192 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2193 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2194
2195 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2196 if (unlikely(err < 0)) {
2197 kfree_skb(skb);
2198 return ERR_PTR(err);
2199 }
2200 return skb;
2201}
2202
2203static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2204 struct msghdr *msg, size_t len)
2205{
2206 struct l2cap_conn *conn = chan->conn;
2207 struct sk_buff *skb;
2208 int err, count;
2209 struct l2cap_hdr *lh;
2210
2211 BT_DBG("chan %p len %zu", chan, len);
2212
2213 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2214
2215 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2216 msg->msg_flags & MSG_DONTWAIT);
2217 if (IS_ERR(skb))
2218 return skb;
2219
2220
2221 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2222 lh->cid = cpu_to_le16(chan->dcid);
2223 lh->len = cpu_to_le16(len);
2224
2225 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2226 if (unlikely(err < 0)) {
2227 kfree_skb(skb);
2228 return ERR_PTR(err);
2229 }
2230 return skb;
2231}
2232
2233static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2234 struct msghdr *msg, size_t len,
2235 u16 sdulen)
2236{
2237 struct l2cap_conn *conn = chan->conn;
2238 struct sk_buff *skb;
2239 int err, count, hlen;
2240 struct l2cap_hdr *lh;
2241
2242 BT_DBG("chan %p len %zu", chan, len);
2243
2244 if (!conn)
2245 return ERR_PTR(-ENOTCONN);
2246
2247 hlen = __ertm_hdr_size(chan);
2248
2249 if (sdulen)
2250 hlen += L2CAP_SDULEN_SIZE;
2251
2252 if (chan->fcs == L2CAP_FCS_CRC16)
2253 hlen += L2CAP_FCS_SIZE;
2254
2255 count = min_t(unsigned int, (conn->mtu - hlen), len);
2256
2257 skb = chan->ops->alloc_skb(chan, hlen, count,
2258 msg->msg_flags & MSG_DONTWAIT);
2259 if (IS_ERR(skb))
2260 return skb;
2261
2262
2263 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2264 lh->cid = cpu_to_le16(chan->dcid);
2265 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2266
2267
2268 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2269 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2270 else
2271 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2272
2273 if (sdulen)
2274 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2275
2276 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2277 if (unlikely(err < 0)) {
2278 kfree_skb(skb);
2279 return ERR_PTR(err);
2280 }
2281
2282 bt_cb(skb)->l2cap.fcs = chan->fcs;
2283 bt_cb(skb)->l2cap.retries = 0;
2284 return skb;
2285}
2286
2287static int l2cap_segment_sdu(struct l2cap_chan *chan,
2288 struct sk_buff_head *seg_queue,
2289 struct msghdr *msg, size_t len)
2290{
2291 struct sk_buff *skb;
2292 u16 sdu_len;
2293 size_t pdu_len;
2294 u8 sar;
2295
2296 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2297
2298
2299
2300
2301
2302
2303
2304 pdu_len = chan->conn->mtu;
2305
2306
2307 if (!chan->hs_hcon)
2308 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2309
2310
2311 if (chan->fcs)
2312 pdu_len -= L2CAP_FCS_SIZE;
2313
2314 pdu_len -= __ertm_hdr_size(chan);
2315
2316
2317 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2318
2319 if (len <= pdu_len) {
2320 sar = L2CAP_SAR_UNSEGMENTED;
2321 sdu_len = 0;
2322 pdu_len = len;
2323 } else {
2324 sar = L2CAP_SAR_START;
2325 sdu_len = len;
2326 }
2327
2328 while (len > 0) {
2329 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2330
2331 if (IS_ERR(skb)) {
2332 __skb_queue_purge(seg_queue);
2333 return PTR_ERR(skb);
2334 }
2335
2336 bt_cb(skb)->l2cap.sar = sar;
2337 __skb_queue_tail(seg_queue, skb);
2338
2339 len -= pdu_len;
2340 if (sdu_len)
2341 sdu_len = 0;
2342
2343 if (len <= pdu_len) {
2344 sar = L2CAP_SAR_END;
2345 pdu_len = len;
2346 } else {
2347 sar = L2CAP_SAR_CONTINUE;
2348 }
2349 }
2350
2351 return 0;
2352}
2353
2354static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2355 struct msghdr *msg,
2356 size_t len, u16 sdulen)
2357{
2358 struct l2cap_conn *conn = chan->conn;
2359 struct sk_buff *skb;
2360 int err, count, hlen;
2361 struct l2cap_hdr *lh;
2362
2363 BT_DBG("chan %p len %zu", chan, len);
2364
2365 if (!conn)
2366 return ERR_PTR(-ENOTCONN);
2367
2368 hlen = L2CAP_HDR_SIZE;
2369
2370 if (sdulen)
2371 hlen += L2CAP_SDULEN_SIZE;
2372
2373 count = min_t(unsigned int, (conn->mtu - hlen), len);
2374
2375 skb = chan->ops->alloc_skb(chan, hlen, count,
2376 msg->msg_flags & MSG_DONTWAIT);
2377 if (IS_ERR(skb))
2378 return skb;
2379
2380
2381 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2382 lh->cid = cpu_to_le16(chan->dcid);
2383 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2384
2385 if (sdulen)
2386 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2387
2388 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2389 if (unlikely(err < 0)) {
2390 kfree_skb(skb);
2391 return ERR_PTR(err);
2392 }
2393
2394 return skb;
2395}
2396
2397static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2398 struct sk_buff_head *seg_queue,
2399 struct msghdr *msg, size_t len)
2400{
2401 struct sk_buff *skb;
2402 size_t pdu_len;
2403 u16 sdu_len;
2404
2405 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2406
2407 sdu_len = len;
2408 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2409
2410 while (len > 0) {
2411 if (len <= pdu_len)
2412 pdu_len = len;
2413
2414 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2415 if (IS_ERR(skb)) {
2416 __skb_queue_purge(seg_queue);
2417 return PTR_ERR(skb);
2418 }
2419
2420 __skb_queue_tail(seg_queue, skb);
2421
2422 len -= pdu_len;
2423
2424 if (sdu_len) {
2425 sdu_len = 0;
2426 pdu_len += L2CAP_SDULEN_SIZE;
2427 }
2428 }
2429
2430 return 0;
2431}
2432
2433int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2434{
2435 struct sk_buff *skb;
2436 int err;
2437 struct sk_buff_head seg_queue;
2438
2439 if (!chan->conn)
2440 return -ENOTCONN;
2441
2442
2443 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2444 skb = l2cap_create_connless_pdu(chan, msg, len);
2445 if (IS_ERR(skb))
2446 return PTR_ERR(skb);
2447
2448
2449
2450
2451 if (chan->state != BT_CONNECTED) {
2452 kfree_skb(skb);
2453 return -ENOTCONN;
2454 }
2455
2456 l2cap_do_send(chan, skb);
2457 return len;
2458 }
2459
2460 switch (chan->mode) {
2461 case L2CAP_MODE_LE_FLOWCTL:
2462
2463 if (len > chan->omtu)
2464 return -EMSGSIZE;
2465
2466 if (!chan->tx_credits)
2467 return -EAGAIN;
2468
2469 __skb_queue_head_init(&seg_queue);
2470
2471 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2472
2473 if (chan->state != BT_CONNECTED) {
2474 __skb_queue_purge(&seg_queue);
2475 err = -ENOTCONN;
2476 }
2477
2478 if (err)
2479 return err;
2480
2481 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2482
2483 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2484 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2485 chan->tx_credits--;
2486 }
2487
2488 if (!chan->tx_credits)
2489 chan->ops->suspend(chan);
2490
2491 err = len;
2492
2493 break;
2494
2495 case L2CAP_MODE_BASIC:
2496
2497 if (len > chan->omtu)
2498 return -EMSGSIZE;
2499
2500
2501 skb = l2cap_create_basic_pdu(chan, msg, len);
2502 if (IS_ERR(skb))
2503 return PTR_ERR(skb);
2504
2505
2506
2507
2508 if (chan->state != BT_CONNECTED) {
2509 kfree_skb(skb);
2510 return -ENOTCONN;
2511 }
2512
2513 l2cap_do_send(chan, skb);
2514 err = len;
2515 break;
2516
2517 case L2CAP_MODE_ERTM:
2518 case L2CAP_MODE_STREAMING:
2519
2520 if (len > chan->omtu) {
2521 err = -EMSGSIZE;
2522 break;
2523 }
2524
2525 __skb_queue_head_init(&seg_queue);
2526
2527
2528
2529
2530
2531 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2532
2533
2534
2535
2536 if (chan->state != BT_CONNECTED) {
2537 __skb_queue_purge(&seg_queue);
2538 err = -ENOTCONN;
2539 }
2540
2541 if (err)
2542 break;
2543
2544 if (chan->mode == L2CAP_MODE_ERTM)
2545 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2546 else
2547 l2cap_streaming_send(chan, &seg_queue);
2548
2549 err = len;
2550
2551
2552
2553
2554 __skb_queue_purge(&seg_queue);
2555 break;
2556
2557 default:
2558 BT_DBG("bad state %1.1x", chan->mode);
2559 err = -EBADFD;
2560 }
2561
2562 return err;
2563}
2564EXPORT_SYMBOL_GPL(l2cap_chan_send);
2565
2566static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2567{
2568 struct l2cap_ctrl control;
2569 u16 seq;
2570
2571 BT_DBG("chan %p, txseq %u", chan, txseq);
2572
2573 memset(&control, 0, sizeof(control));
2574 control.sframe = 1;
2575 control.super = L2CAP_SUPER_SREJ;
2576
2577 for (seq = chan->expected_tx_seq; seq != txseq;
2578 seq = __next_seq(chan, seq)) {
2579 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2580 control.reqseq = seq;
2581 l2cap_send_sframe(chan, &control);
2582 l2cap_seq_list_append(&chan->srej_list, seq);
2583 }
2584 }
2585
2586 chan->expected_tx_seq = __next_seq(chan, txseq);
2587}
2588
2589static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2590{
2591 struct l2cap_ctrl control;
2592
2593 BT_DBG("chan %p", chan);
2594
2595 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2596 return;
2597
2598 memset(&control, 0, sizeof(control));
2599 control.sframe = 1;
2600 control.super = L2CAP_SUPER_SREJ;
2601 control.reqseq = chan->srej_list.tail;
2602 l2cap_send_sframe(chan, &control);
2603}
2604
2605static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2606{
2607 struct l2cap_ctrl control;
2608 u16 initial_head;
2609 u16 seq;
2610
2611 BT_DBG("chan %p, txseq %u", chan, txseq);
2612
2613 memset(&control, 0, sizeof(control));
2614 control.sframe = 1;
2615 control.super = L2CAP_SUPER_SREJ;
2616
2617
2618 initial_head = chan->srej_list.head;
2619
2620 do {
2621 seq = l2cap_seq_list_pop(&chan->srej_list);
2622 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2623 break;
2624
2625 control.reqseq = seq;
2626 l2cap_send_sframe(chan, &control);
2627 l2cap_seq_list_append(&chan->srej_list, seq);
2628 } while (chan->srej_list.head != initial_head);
2629}
2630
2631static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2632{
2633 struct sk_buff *acked_skb;
2634 u16 ackseq;
2635
2636 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2637
2638 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2639 return;
2640
2641 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2642 chan->expected_ack_seq, chan->unacked_frames);
2643
2644 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2645 ackseq = __next_seq(chan, ackseq)) {
2646
2647 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2648 if (acked_skb) {
2649 skb_unlink(acked_skb, &chan->tx_q);
2650 kfree_skb(acked_skb);
2651 chan->unacked_frames--;
2652 }
2653 }
2654
2655 chan->expected_ack_seq = reqseq;
2656
2657 if (chan->unacked_frames == 0)
2658 __clear_retrans_timer(chan);
2659
2660 BT_DBG("unacked_frames %u", chan->unacked_frames);
2661}
2662
2663static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2664{
2665 BT_DBG("chan %p", chan);
2666
2667 chan->expected_tx_seq = chan->buffer_seq;
2668 l2cap_seq_list_clear(&chan->srej_list);
2669 skb_queue_purge(&chan->srej_q);
2670 chan->rx_state = L2CAP_RX_STATE_RECV;
2671}
2672
2673static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2674 struct l2cap_ctrl *control,
2675 struct sk_buff_head *skbs, u8 event)
2676{
2677 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2678 event);
2679
2680 switch (event) {
2681 case L2CAP_EV_DATA_REQUEST:
2682 if (chan->tx_send_head == NULL)
2683 chan->tx_send_head = skb_peek(skbs);
2684
2685 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2686 l2cap_ertm_send(chan);
2687 break;
2688 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2689 BT_DBG("Enter LOCAL_BUSY");
2690 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2691
2692 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2693
2694
2695
2696 l2cap_abort_rx_srej_sent(chan);
2697 }
2698
2699 l2cap_send_ack(chan);
2700
2701 break;
2702 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2703 BT_DBG("Exit LOCAL_BUSY");
2704 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2705
2706 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2707 struct l2cap_ctrl local_control;
2708
2709 memset(&local_control, 0, sizeof(local_control));
2710 local_control.sframe = 1;
2711 local_control.super = L2CAP_SUPER_RR;
2712 local_control.poll = 1;
2713 local_control.reqseq = chan->buffer_seq;
2714 l2cap_send_sframe(chan, &local_control);
2715
2716 chan->retry_count = 1;
2717 __set_monitor_timer(chan);
2718 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2719 }
2720 break;
2721 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2722 l2cap_process_reqseq(chan, control->reqseq);
2723 break;
2724 case L2CAP_EV_EXPLICIT_POLL:
2725 l2cap_send_rr_or_rnr(chan, 1);
2726 chan->retry_count = 1;
2727 __set_monitor_timer(chan);
2728 __clear_ack_timer(chan);
2729 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2730 break;
2731 case L2CAP_EV_RETRANS_TO:
2732 l2cap_send_rr_or_rnr(chan, 1);
2733 chan->retry_count = 1;
2734 __set_monitor_timer(chan);
2735 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2736 break;
2737 case L2CAP_EV_RECV_FBIT:
2738
2739 break;
2740 default:
2741 break;
2742 }
2743}
2744
2745static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2746 struct l2cap_ctrl *control,
2747 struct sk_buff_head *skbs, u8 event)
2748{
2749 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2750 event);
2751
2752 switch (event) {
2753 case L2CAP_EV_DATA_REQUEST:
2754 if (chan->tx_send_head == NULL)
2755 chan->tx_send_head = skb_peek(skbs);
2756
2757 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2758 break;
2759 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2760 BT_DBG("Enter LOCAL_BUSY");
2761 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2762
2763 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2764
2765
2766
2767 l2cap_abort_rx_srej_sent(chan);
2768 }
2769
2770 l2cap_send_ack(chan);
2771
2772 break;
2773 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2774 BT_DBG("Exit LOCAL_BUSY");
2775 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2776
2777 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2778 struct l2cap_ctrl local_control;
2779 memset(&local_control, 0, sizeof(local_control));
2780 local_control.sframe = 1;
2781 local_control.super = L2CAP_SUPER_RR;
2782 local_control.poll = 1;
2783 local_control.reqseq = chan->buffer_seq;
2784 l2cap_send_sframe(chan, &local_control);
2785
2786 chan->retry_count = 1;
2787 __set_monitor_timer(chan);
2788 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2789 }
2790 break;
2791 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2792 l2cap_process_reqseq(chan, control->reqseq);
2793
2794
2795
2796 case L2CAP_EV_RECV_FBIT:
2797 if (control && control->final) {
2798 __clear_monitor_timer(chan);
2799 if (chan->unacked_frames > 0)
2800 __set_retrans_timer(chan);
2801 chan->retry_count = 0;
2802 chan->tx_state = L2CAP_TX_STATE_XMIT;
2803 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2804 }
2805 break;
2806 case L2CAP_EV_EXPLICIT_POLL:
2807
2808 break;
2809 case L2CAP_EV_MONITOR_TO:
2810 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2811 l2cap_send_rr_or_rnr(chan, 1);
2812 __set_monitor_timer(chan);
2813 chan->retry_count++;
2814 } else {
2815 l2cap_send_disconn_req(chan, ECONNABORTED);
2816 }
2817 break;
2818 default:
2819 break;
2820 }
2821}
2822
2823static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2824 struct sk_buff_head *skbs, u8 event)
2825{
2826 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2827 chan, control, skbs, event, chan->tx_state);
2828
2829 switch (chan->tx_state) {
2830 case L2CAP_TX_STATE_XMIT:
2831 l2cap_tx_state_xmit(chan, control, skbs, event);
2832 break;
2833 case L2CAP_TX_STATE_WAIT_F:
2834 l2cap_tx_state_wait_f(chan, control, skbs, event);
2835 break;
2836 default:
2837
2838 break;
2839 }
2840}
2841
2842static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2843 struct l2cap_ctrl *control)
2844{
2845 BT_DBG("chan %p, control %p", chan, control);
2846 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2847}
2848
2849static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2850 struct l2cap_ctrl *control)
2851{
2852 BT_DBG("chan %p, control %p", chan, control);
2853 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2854}
2855
2856
2857static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2858{
2859 struct sk_buff *nskb;
2860 struct l2cap_chan *chan;
2861
2862 BT_DBG("conn %p", conn);
2863
2864 mutex_lock(&conn->chan_lock);
2865
2866 list_for_each_entry(chan, &conn->chan_l, list) {
2867 if (chan->chan_type != L2CAP_CHAN_RAW)
2868 continue;
2869
2870
2871 if (bt_cb(skb)->l2cap.chan == chan)
2872 continue;
2873
2874 nskb = skb_clone(skb, GFP_KERNEL);
2875 if (!nskb)
2876 continue;
2877 if (chan->ops->recv(chan, nskb))
2878 kfree_skb(nskb);
2879 }
2880
2881 mutex_unlock(&conn->chan_lock);
2882}
2883
2884
2885static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2886 u8 ident, u16 dlen, void *data)
2887{
2888 struct sk_buff *skb, **frag;
2889 struct l2cap_cmd_hdr *cmd;
2890 struct l2cap_hdr *lh;
2891 int len, count;
2892
2893 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2894 conn, code, ident, dlen);
2895
2896 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2897 return NULL;
2898
2899 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2900 count = min_t(unsigned int, conn->mtu, len);
2901
2902 skb = bt_skb_alloc(count, GFP_KERNEL);
2903 if (!skb)
2904 return NULL;
2905
2906 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2907 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2908
2909 if (conn->hcon->type == LE_LINK)
2910 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2911 else
2912 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2913
2914 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2915 cmd->code = code;
2916 cmd->ident = ident;
2917 cmd->len = cpu_to_le16(dlen);
2918
2919 if (dlen) {
2920 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2921 memcpy(skb_put(skb, count), data, count);
2922 data += count;
2923 }
2924
2925 len -= skb->len;
2926
2927
2928 frag = &skb_shinfo(skb)->frag_list;
2929 while (len) {
2930 count = min_t(unsigned int, conn->mtu, len);
2931
2932 *frag = bt_skb_alloc(count, GFP_KERNEL);
2933 if (!*frag)
2934 goto fail;
2935
2936 memcpy(skb_put(*frag, count), data, count);
2937
2938 len -= count;
2939 data += count;
2940
2941 frag = &(*frag)->next;
2942 }
2943
2944 return skb;
2945
2946fail:
2947 kfree_skb(skb);
2948 return NULL;
2949}
2950
2951static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2952 unsigned long *val)
2953{
2954 struct l2cap_conf_opt *opt = *ptr;
2955 int len;
2956
2957 len = L2CAP_CONF_OPT_SIZE + opt->len;
2958 *ptr += len;
2959
2960 *type = opt->type;
2961 *olen = opt->len;
2962
2963 switch (opt->len) {
2964 case 1:
2965 *val = *((u8 *) opt->val);
2966 break;
2967
2968 case 2:
2969 *val = get_unaligned_le16(opt->val);
2970 break;
2971
2972 case 4:
2973 *val = get_unaligned_le32(opt->val);
2974 break;
2975
2976 default:
2977 *val = (unsigned long) opt->val;
2978 break;
2979 }
2980
2981 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2982 return len;
2983}
2984
2985static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val,
2986 size_t size)
2987{
2988 struct l2cap_conf_opt *opt = *ptr;
2989
2990 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2991
2992 if (size < (L2CAP_CONF_OPT_SIZE + len)) {
2993 return;
2994 }
2995
2996 opt->type = type;
2997 opt->len = len;
2998
2999 switch (len) {
3000 case 1:
3001 *((u8 *) opt->val) = val;
3002 break;
3003
3004 case 2:
3005 put_unaligned_le16(val, opt->val);
3006 break;
3007
3008 case 4:
3009 put_unaligned_le32(val, opt->val);
3010 break;
3011
3012 default:
3013 memcpy(opt->val, (void *) val, len);
3014 break;
3015 }
3016
3017 *ptr += L2CAP_CONF_OPT_SIZE + len;
3018}
3019
3020static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3021{
3022 struct l2cap_conf_efs efs;
3023
3024 switch (chan->mode) {
3025 case L2CAP_MODE_ERTM:
3026 efs.id = chan->local_id;
3027 efs.stype = chan->local_stype;
3028 efs.msdu = cpu_to_le16(chan->local_msdu);
3029 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3030 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3031 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3032 break;
3033
3034 case L2CAP_MODE_STREAMING:
3035 efs.id = 1;
3036 efs.stype = L2CAP_SERV_BESTEFFORT;
3037 efs.msdu = cpu_to_le16(chan->local_msdu);
3038 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3039 efs.acc_lat = 0;
3040 efs.flush_to = 0;
3041 break;
3042
3043 default:
3044 return;
3045 }
3046
3047 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3048 (unsigned long) &efs, size);
3049}
3050
3051static void l2cap_ack_timeout(struct work_struct *work)
3052{
3053 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3054 ack_timer.work);
3055 u16 frames_to_ack;
3056
3057 BT_DBG("chan %p", chan);
3058
3059 l2cap_chan_lock(chan);
3060
3061 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3062 chan->last_acked_seq);
3063
3064 if (frames_to_ack)
3065 l2cap_send_rr_or_rnr(chan, 0);
3066
3067 l2cap_chan_unlock(chan);
3068 l2cap_chan_put(chan);
3069}
3070
3071int l2cap_ertm_init(struct l2cap_chan *chan)
3072{
3073 int err;
3074
3075 chan->next_tx_seq = 0;
3076 chan->expected_tx_seq = 0;
3077 chan->expected_ack_seq = 0;
3078 chan->unacked_frames = 0;
3079 chan->buffer_seq = 0;
3080 chan->frames_sent = 0;
3081 chan->last_acked_seq = 0;
3082 chan->sdu = NULL;
3083 chan->sdu_last_frag = NULL;
3084 chan->sdu_len = 0;
3085
3086 skb_queue_head_init(&chan->tx_q);
3087
3088 chan->local_amp_id = AMP_ID_BREDR;
3089 chan->move_id = AMP_ID_BREDR;
3090 chan->move_state = L2CAP_MOVE_STABLE;
3091 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3092
3093 if (chan->mode != L2CAP_MODE_ERTM)
3094 return 0;
3095
3096 chan->rx_state = L2CAP_RX_STATE_RECV;
3097 chan->tx_state = L2CAP_TX_STATE_XMIT;
3098
3099 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3100 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3101 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3102
3103 skb_queue_head_init(&chan->srej_q);
3104
3105 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3106 if (err < 0)
3107 return err;
3108
3109 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3110 if (err < 0)
3111 l2cap_seq_list_free(&chan->srej_list);
3112
3113 return err;
3114}
3115
3116static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3117{
3118 switch (mode) {
3119 case L2CAP_MODE_STREAMING:
3120 case L2CAP_MODE_ERTM:
3121 if (l2cap_mode_supported(mode, remote_feat_mask))
3122 return mode;
3123
3124 default:
3125 return L2CAP_MODE_BASIC;
3126 }
3127}
3128
3129static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3130{
3131 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3132 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3133}
3134
3135static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3136{
3137 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3138 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3139}
3140
3141static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3142 struct l2cap_conf_rfc *rfc)
3143{
3144 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3145 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3161
3162
3163
3164
3165
3166 ertm_to = 3 * ertm_to + 500;
3167
3168 if (ertm_to > 0xffff)
3169 ertm_to = 0xffff;
3170
3171 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3172 rfc->monitor_timeout = rfc->retrans_timeout;
3173 } else {
3174 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3175 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3176 }
3177}
3178
3179static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3180{
3181 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3182 __l2cap_ews_supported(chan->conn)) {
3183
3184 set_bit(FLAG_EXT_CTRL, &chan->flags);
3185 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3186 } else {
3187 chan->tx_win = min_t(u16, chan->tx_win,
3188 L2CAP_DEFAULT_TX_WINDOW);
3189 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3190 }
3191 chan->ack_win = chan->tx_win;
3192}
3193
3194static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data,
3195 size_t data_size)
3196{
3197 struct l2cap_conf_req *req = data;
3198 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3199 void *ptr = req->data;
3200 void *endptr = data + data_size;
3201 u16 size;
3202
3203 BT_DBG("chan %p", chan);
3204
3205 if (chan->num_conf_req || chan->num_conf_rsp)
3206 goto done;
3207
3208 switch (chan->mode) {
3209 case L2CAP_MODE_STREAMING:
3210 case L2CAP_MODE_ERTM:
3211 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3212 break;
3213
3214 if (__l2cap_efs_supported(chan->conn))
3215 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3216
3217
3218 default:
3219 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3220 break;
3221 }
3222
3223done:
3224 if (chan->imtu != L2CAP_DEFAULT_MTU)
3225 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3226 endptr - ptr);
3227
3228 switch (chan->mode) {
3229 case L2CAP_MODE_BASIC:
3230 if (disable_ertm)
3231 break;
3232
3233 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3234 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3235 break;
3236
3237 rfc.mode = L2CAP_MODE_BASIC;
3238 rfc.txwin_size = 0;
3239 rfc.max_transmit = 0;
3240 rfc.retrans_timeout = 0;
3241 rfc.monitor_timeout = 0;
3242 rfc.max_pdu_size = 0;
3243
3244 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3245 (unsigned long) &rfc, endptr - ptr);
3246 break;
3247
3248 case L2CAP_MODE_ERTM:
3249 rfc.mode = L2CAP_MODE_ERTM;
3250 rfc.max_transmit = chan->max_tx;
3251
3252 __l2cap_set_ertm_timeouts(chan, &rfc);
3253
3254 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3255 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3256 L2CAP_FCS_SIZE);
3257 rfc.max_pdu_size = cpu_to_le16(size);
3258
3259 l2cap_txwin_setup(chan);
3260
3261 rfc.txwin_size = min_t(u16, chan->tx_win,
3262 L2CAP_DEFAULT_TX_WINDOW);
3263
3264 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3265 (unsigned long) &rfc, endptr - ptr);
3266
3267 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3268 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3269
3270 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3271 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3272 chan->tx_win, endptr - ptr);
3273
3274 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3275 if (chan->fcs == L2CAP_FCS_NONE ||
3276 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3277 chan->fcs = L2CAP_FCS_NONE;
3278 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3279 chan->fcs, endptr - ptr);
3280 }
3281 break;
3282
3283 case L2CAP_MODE_STREAMING:
3284 l2cap_txwin_setup(chan);
3285 rfc.mode = L2CAP_MODE_STREAMING;
3286 rfc.txwin_size = 0;
3287 rfc.max_transmit = 0;
3288 rfc.retrans_timeout = 0;
3289 rfc.monitor_timeout = 0;
3290
3291 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3292 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3293 L2CAP_FCS_SIZE);
3294 rfc.max_pdu_size = cpu_to_le16(size);
3295
3296 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3297 (unsigned long) &rfc, endptr - ptr);
3298
3299 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3300 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3301
3302 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3303 if (chan->fcs == L2CAP_FCS_NONE ||
3304 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3305 chan->fcs = L2CAP_FCS_NONE;
3306 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3307 chan->fcs, endptr - ptr);
3308 }
3309 break;
3310 }
3311
3312 req->dcid = cpu_to_le16(chan->dcid);
3313 req->flags = cpu_to_le16(0);
3314
3315 return ptr - data;
3316}
3317
3318static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data,
3319 size_t data_size)
3320{
3321 struct l2cap_conf_rsp *rsp = data;
3322 void *ptr = rsp->data;
3323 void *endptr = data + data_size;
3324 void *req = chan->conf_req;
3325 int len = chan->conf_len;
3326 int type, hint, olen;
3327 unsigned long val;
3328 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3329 struct l2cap_conf_efs efs;
3330 u8 remote_efs = 0;
3331 u16 mtu = L2CAP_DEFAULT_MTU;
3332 u16 result = L2CAP_CONF_SUCCESS;
3333 u16 size;
3334
3335 BT_DBG("chan %p", chan);
3336
3337 while (len >= L2CAP_CONF_OPT_SIZE) {
3338 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3339
3340 hint = type & L2CAP_CONF_HINT;
3341 type &= L2CAP_CONF_MASK;
3342
3343 switch (type) {
3344 case L2CAP_CONF_MTU:
3345 mtu = val;
3346 break;
3347
3348 case L2CAP_CONF_FLUSH_TO:
3349 chan->flush_to = val;
3350 break;
3351
3352 case L2CAP_CONF_QOS:
3353 break;
3354
3355 case L2CAP_CONF_RFC:
3356 if (olen == sizeof(rfc))
3357 memcpy(&rfc, (void *) val, olen);
3358 break;
3359
3360 case L2CAP_CONF_FCS:
3361 if (val == L2CAP_FCS_NONE)
3362 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3363 break;
3364
3365 case L2CAP_CONF_EFS:
3366 if (olen == sizeof(efs)) {
3367 remote_efs = 1;
3368 memcpy(&efs, (void *) val, olen);
3369 }
3370 break;
3371
3372 case L2CAP_CONF_EWS:
3373 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3374 return -ECONNREFUSED;
3375
3376 set_bit(FLAG_EXT_CTRL, &chan->flags);
3377 set_bit(CONF_EWS_RECV, &chan->conf_state);
3378 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3379 chan->remote_tx_win = val;
3380 break;
3381
3382 default:
3383 if (hint)
3384 break;
3385
3386 result = L2CAP_CONF_UNKNOWN;
3387 *((u8 *) ptr++) = type;
3388 break;
3389 }
3390 }
3391
3392 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3393 goto done;
3394
3395 switch (chan->mode) {
3396 case L2CAP_MODE_STREAMING:
3397 case L2CAP_MODE_ERTM:
3398 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3399 chan->mode = l2cap_select_mode(rfc.mode,
3400 chan->conn->feat_mask);
3401 break;
3402 }
3403
3404 if (remote_efs) {
3405 if (__l2cap_efs_supported(chan->conn))
3406 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3407 else
3408 return -ECONNREFUSED;
3409 }
3410
3411 if (chan->mode != rfc.mode)
3412 return -ECONNREFUSED;
3413
3414 break;
3415 }
3416
3417done:
3418 if (chan->mode != rfc.mode) {
3419 result = L2CAP_CONF_UNACCEPT;
3420 rfc.mode = chan->mode;
3421
3422 if (chan->num_conf_rsp == 1)
3423 return -ECONNREFUSED;
3424
3425 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3426 (unsigned long) &rfc, endptr - ptr);
3427 }
3428
3429 if (result == L2CAP_CONF_SUCCESS) {
3430
3431
3432
3433 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3434 result = L2CAP_CONF_UNACCEPT;
3435 else {
3436 chan->omtu = mtu;
3437 set_bit(CONF_MTU_DONE, &chan->conf_state);
3438 }
3439 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu,
3440 endptr - ptr);
3441
3442 if (remote_efs) {
3443 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3444 efs.stype != L2CAP_SERV_NOTRAFIC &&
3445 efs.stype != chan->local_stype) {
3446
3447 result = L2CAP_CONF_UNACCEPT;
3448
3449 if (chan->num_conf_req >= 1)
3450 return -ECONNREFUSED;
3451
3452 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3453 sizeof(efs),
3454 (unsigned long) &efs,
3455 endptr - ptr);
3456 } else {
3457
3458 result = L2CAP_CONF_PENDING;
3459 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3460 }
3461 }
3462
3463 switch (rfc.mode) {
3464 case L2CAP_MODE_BASIC:
3465 chan->fcs = L2CAP_FCS_NONE;
3466 set_bit(CONF_MODE_DONE, &chan->conf_state);
3467 break;
3468
3469 case L2CAP_MODE_ERTM:
3470 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3471 chan->remote_tx_win = rfc.txwin_size;
3472 else
3473 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3474
3475 chan->remote_max_tx = rfc.max_transmit;
3476
3477 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3478 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3479 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3480 rfc.max_pdu_size = cpu_to_le16(size);
3481 chan->remote_mps = size;
3482
3483 __l2cap_set_ertm_timeouts(chan, &rfc);
3484
3485 set_bit(CONF_MODE_DONE, &chan->conf_state);
3486
3487 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3488 sizeof(rfc), (unsigned long) &rfc,
3489 endptr - ptr);
3490
3491 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3492 chan->remote_id = efs.id;
3493 chan->remote_stype = efs.stype;
3494 chan->remote_msdu = le16_to_cpu(efs.msdu);
3495 chan->remote_flush_to =
3496 le32_to_cpu(efs.flush_to);
3497 chan->remote_acc_lat =
3498 le32_to_cpu(efs.acc_lat);
3499 chan->remote_sdu_itime =
3500 le32_to_cpu(efs.sdu_itime);
3501 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3502 sizeof(efs),
3503 (unsigned long) &efs,
3504 endptr - ptr);
3505 }
3506 break;
3507
3508 case L2CAP_MODE_STREAMING:
3509 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3510 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3511 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3512 rfc.max_pdu_size = cpu_to_le16(size);
3513 chan->remote_mps = size;
3514
3515 set_bit(CONF_MODE_DONE, &chan->conf_state);
3516
3517 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3518 (unsigned long) &rfc, endptr - ptr);
3519
3520 break;
3521
3522 default:
3523 result = L2CAP_CONF_UNACCEPT;
3524
3525 memset(&rfc, 0, sizeof(rfc));
3526 rfc.mode = chan->mode;
3527 }
3528
3529 if (result == L2CAP_CONF_SUCCESS)
3530 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3531 }
3532 rsp->scid = cpu_to_le16(chan->dcid);
3533 rsp->result = cpu_to_le16(result);
3534 rsp->flags = cpu_to_le16(0);
3535
3536 return ptr - data;
3537}
3538
3539static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3540 void *data, size_t size, u16 *result)
3541{
3542 struct l2cap_conf_req *req = data;
3543 void *ptr = req->data;
3544 void *endptr = data + size;
3545 int type, olen;
3546 unsigned long val;
3547 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3548 struct l2cap_conf_efs efs;
3549
3550 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3551
3552 while (len >= L2CAP_CONF_OPT_SIZE) {
3553 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3554
3555 switch (type) {
3556 case L2CAP_CONF_MTU:
3557 if (val < L2CAP_DEFAULT_MIN_MTU) {
3558 *result = L2CAP_CONF_UNACCEPT;
3559 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3560 } else
3561 chan->imtu = val;
3562 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3563 endptr - ptr);
3564 break;
3565
3566 case L2CAP_CONF_FLUSH_TO:
3567 chan->flush_to = val;
3568 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3569 2, chan->flush_to, endptr - ptr);
3570 break;
3571
3572 case L2CAP_CONF_RFC:
3573 if (olen == sizeof(rfc))
3574 memcpy(&rfc, (void *)val, olen);
3575
3576 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3577 rfc.mode != chan->mode)
3578 return -ECONNREFUSED;
3579
3580 chan->fcs = 0;
3581
3582 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3583 sizeof(rfc), (unsigned long) &rfc,
3584 endptr - ptr);
3585 break;
3586
3587 case L2CAP_CONF_EWS:
3588 chan->ack_win = min_t(u16, val, chan->ack_win);
3589 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3590 chan->tx_win, endptr - ptr);
3591 break;
3592
3593 case L2CAP_CONF_EFS:
3594 if (olen == sizeof(efs)) {
3595 memcpy(&efs, (void *)val, olen);
3596
3597 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3598 efs.stype != L2CAP_SERV_NOTRAFIC &&
3599 efs.stype != chan->local_stype)
3600 return -ECONNREFUSED;
3601
3602 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3603 (unsigned long) &efs, endptr - ptr);
3604 }
3605 break;
3606
3607 case L2CAP_CONF_FCS:
3608 if (*result == L2CAP_CONF_PENDING)
3609 if (val == L2CAP_FCS_NONE)
3610 set_bit(CONF_RECV_NO_FCS,
3611 &chan->conf_state);
3612 break;
3613 }
3614 }
3615
3616 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3617 return -ECONNREFUSED;
3618
3619 chan->mode = rfc.mode;
3620
3621 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3622 switch (rfc.mode) {
3623 case L2CAP_MODE_ERTM:
3624 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3625 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3626 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3627 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3628 chan->ack_win = min_t(u16, chan->ack_win,
3629 rfc.txwin_size);
3630
3631 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3632 chan->local_msdu = le16_to_cpu(efs.msdu);
3633 chan->local_sdu_itime =
3634 le32_to_cpu(efs.sdu_itime);
3635 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3636 chan->local_flush_to =
3637 le32_to_cpu(efs.flush_to);
3638 }
3639 break;
3640
3641 case L2CAP_MODE_STREAMING:
3642 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3643 }
3644 }
3645
3646 req->dcid = cpu_to_le16(chan->dcid);
3647 req->flags = cpu_to_le16(0);
3648
3649 return ptr - data;
3650}
3651
3652static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3653 u16 result, u16 flags)
3654{
3655 struct l2cap_conf_rsp *rsp = data;
3656 void *ptr = rsp->data;
3657
3658 BT_DBG("chan %p", chan);
3659
3660 rsp->scid = cpu_to_le16(chan->dcid);
3661 rsp->result = cpu_to_le16(result);
3662 rsp->flags = cpu_to_le16(flags);
3663
3664 return ptr - data;
3665}
3666
3667void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3668{
3669 struct l2cap_le_conn_rsp rsp;
3670 struct l2cap_conn *conn = chan->conn;
3671
3672 BT_DBG("chan %p", chan);
3673
3674 rsp.dcid = cpu_to_le16(chan->scid);
3675 rsp.mtu = cpu_to_le16(chan->imtu);
3676 rsp.mps = cpu_to_le16(chan->mps);
3677 rsp.credits = cpu_to_le16(chan->rx_credits);
3678 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3679
3680 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3681 &rsp);
3682}
3683
3684void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3685{
3686 struct l2cap_conn_rsp rsp;
3687 struct l2cap_conn *conn = chan->conn;
3688 u8 buf[128];
3689 u8 rsp_code;
3690
3691 rsp.scid = cpu_to_le16(chan->dcid);
3692 rsp.dcid = cpu_to_le16(chan->scid);
3693 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3694 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3695
3696 if (chan->hs_hcon)
3697 rsp_code = L2CAP_CREATE_CHAN_RSP;
3698 else
3699 rsp_code = L2CAP_CONN_RSP;
3700
3701 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3702
3703 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3704
3705 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3706 return;
3707
3708 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3709 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3710 chan->num_conf_req++;
3711}
3712
3713static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3714{
3715 int type, olen;
3716 unsigned long val;
3717
3718
3719
3720 u16 txwin_ext = chan->ack_win;
3721 struct l2cap_conf_rfc rfc = {
3722 .mode = chan->mode,
3723 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3724 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3725 .max_pdu_size = cpu_to_le16(chan->imtu),
3726 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3727 };
3728
3729 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3730
3731 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3732 return;
3733
3734 while (len >= L2CAP_CONF_OPT_SIZE) {
3735 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3736
3737 switch (type) {
3738 case L2CAP_CONF_RFC:
3739 if (olen == sizeof(rfc))
3740 memcpy(&rfc, (void *)val, olen);
3741 break;
3742 case L2CAP_CONF_EWS:
3743 txwin_ext = val;
3744 break;
3745 }
3746 }
3747
3748 switch (rfc.mode) {
3749 case L2CAP_MODE_ERTM:
3750 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3751 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3752 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3753 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3754 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3755 else
3756 chan->ack_win = min_t(u16, chan->ack_win,
3757 rfc.txwin_size);
3758 break;
3759 case L2CAP_MODE_STREAMING:
3760 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3761 }
3762}
3763
3764static inline int l2cap_command_rej(struct l2cap_conn *conn,
3765 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3766 u8 *data)
3767{
3768 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3769
3770 if (cmd_len < sizeof(*rej))
3771 return -EPROTO;
3772
3773 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3774 return 0;
3775
3776 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3777 cmd->ident == conn->info_ident) {
3778 cancel_delayed_work(&conn->info_timer);
3779
3780 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3781 conn->info_ident = 0;
3782
3783 l2cap_conn_start(conn);
3784 }
3785
3786 return 0;
3787}
3788
3789static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3790 struct l2cap_cmd_hdr *cmd,
3791 u8 *data, u8 rsp_code, u8 amp_id)
3792{
3793 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3794 struct l2cap_conn_rsp rsp;
3795 struct l2cap_chan *chan = NULL, *pchan;
3796 int result, status = L2CAP_CS_NO_INFO;
3797
3798 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3799 __le16 psm = req->psm;
3800
3801 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3802
3803
3804 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3805 &conn->hcon->dst, ACL_LINK);
3806 if (!pchan) {
3807 result = L2CAP_CR_BAD_PSM;
3808 goto sendresp;
3809 }
3810
3811 mutex_lock(&conn->chan_lock);
3812 l2cap_chan_lock(pchan);
3813
3814
3815 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3816 !hci_conn_check_link_mode(conn->hcon)) {
3817 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3818 result = L2CAP_CR_SEC_BLOCK;
3819 goto response;
3820 }
3821
3822 result = L2CAP_CR_NO_MEM;
3823
3824
3825 if (__l2cap_get_chan_by_dcid(conn, scid))
3826 goto response;
3827
3828 chan = pchan->ops->new_connection(pchan);
3829 if (!chan)
3830 goto response;
3831
3832
3833
3834
3835
3836
3837 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3838
3839 bacpy(&chan->src, &conn->hcon->src);
3840 bacpy(&chan->dst, &conn->hcon->dst);
3841 chan->src_type = bdaddr_src_type(conn->hcon);
3842 chan->dst_type = bdaddr_dst_type(conn->hcon);
3843 chan->psm = psm;
3844 chan->dcid = scid;
3845 chan->local_amp_id = amp_id;
3846
3847 __l2cap_chan_add(conn, chan);
3848
3849 dcid = chan->scid;
3850
3851 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3852
3853 chan->ident = cmd->ident;
3854
3855 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3856 if (l2cap_chan_check_security(chan, false)) {
3857 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3858 l2cap_state_change(chan, BT_CONNECT2);
3859 result = L2CAP_CR_PEND;
3860 status = L2CAP_CS_AUTHOR_PEND;
3861 chan->ops->defer(chan);
3862 } else {
3863
3864
3865
3866
3867 if (amp_id == AMP_ID_BREDR) {
3868 l2cap_state_change(chan, BT_CONFIG);
3869 result = L2CAP_CR_SUCCESS;
3870 } else {
3871 l2cap_state_change(chan, BT_CONNECT2);
3872 result = L2CAP_CR_PEND;
3873 }
3874 status = L2CAP_CS_NO_INFO;
3875 }
3876 } else {
3877 l2cap_state_change(chan, BT_CONNECT2);
3878 result = L2CAP_CR_PEND;
3879 status = L2CAP_CS_AUTHEN_PEND;
3880 }
3881 } else {
3882 l2cap_state_change(chan, BT_CONNECT2);
3883 result = L2CAP_CR_PEND;
3884 status = L2CAP_CS_NO_INFO;
3885 }
3886
3887response:
3888 l2cap_chan_unlock(pchan);
3889 mutex_unlock(&conn->chan_lock);
3890 l2cap_chan_put(pchan);
3891
3892sendresp:
3893 rsp.scid = cpu_to_le16(scid);
3894 rsp.dcid = cpu_to_le16(dcid);
3895 rsp.result = cpu_to_le16(result);
3896 rsp.status = cpu_to_le16(status);
3897 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3898
3899 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3900 struct l2cap_info_req info;
3901 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3902
3903 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3904 conn->info_ident = l2cap_get_ident(conn);
3905
3906 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3907
3908 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3909 sizeof(info), &info);
3910 }
3911
3912 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3913 result == L2CAP_CR_SUCCESS) {
3914 u8 buf[128];
3915 set_bit(CONF_REQ_SENT, &chan->conf_state);
3916 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3917 l2cap_build_conf_req(chan, buf, sizeof(buf)),
3918 buf);
3919 chan->num_conf_req++;
3920 }
3921
3922 return chan;
3923}
3924
3925static int l2cap_connect_req(struct l2cap_conn *conn,
3926 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3927{
3928 struct hci_dev *hdev = conn->hcon->hdev;
3929 struct hci_conn *hcon = conn->hcon;
3930
3931 if (cmd_len < sizeof(struct l2cap_conn_req))
3932 return -EPROTO;
3933
3934 hci_dev_lock(hdev);
3935 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3936 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3937 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3938 hci_dev_unlock(hdev);
3939
3940 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3941 return 0;
3942}
3943
3944static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3945 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3946 u8 *data)
3947{
3948 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3949 u16 scid, dcid, result, status;
3950 struct l2cap_chan *chan;
3951 u8 req[128];
3952 int err;
3953
3954 if (cmd_len < sizeof(*rsp))
3955 return -EPROTO;
3956
3957 scid = __le16_to_cpu(rsp->scid);
3958 dcid = __le16_to_cpu(rsp->dcid);
3959 result = __le16_to_cpu(rsp->result);
3960 status = __le16_to_cpu(rsp->status);
3961
3962 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3963 dcid, scid, result, status);
3964
3965 mutex_lock(&conn->chan_lock);
3966
3967 if (scid) {
3968 chan = __l2cap_get_chan_by_scid(conn, scid);
3969 if (!chan) {
3970 err = -EBADSLT;
3971 goto unlock;
3972 }
3973 } else {
3974 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3975 if (!chan) {
3976 err = -EBADSLT;
3977 goto unlock;
3978 }
3979 }
3980
3981 err = 0;
3982
3983 l2cap_chan_lock(chan);
3984
3985 switch (result) {
3986 case L2CAP_CR_SUCCESS:
3987 l2cap_state_change(chan, BT_CONFIG);
3988 chan->ident = 0;
3989 chan->dcid = dcid;
3990 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3991
3992 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3993 break;
3994
3995 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3996 l2cap_build_conf_req(chan, req, sizeof(req)),
3997 req);
3998 chan->num_conf_req++;
3999 break;
4000
4001 case L2CAP_CR_PEND:
4002 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4003 break;
4004
4005 default:
4006 l2cap_chan_del(chan, ECONNREFUSED);
4007 break;
4008 }
4009
4010 l2cap_chan_unlock(chan);
4011
4012unlock:
4013 mutex_unlock(&conn->chan_lock);
4014
4015 return err;
4016}
4017
4018static inline void set_default_fcs(struct l2cap_chan *chan)
4019{
4020
4021
4022
4023 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4024 chan->fcs = L2CAP_FCS_NONE;
4025 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4026 chan->fcs = L2CAP_FCS_CRC16;
4027}
4028
4029static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4030 u8 ident, u16 flags)
4031{
4032 struct l2cap_conn *conn = chan->conn;
4033
4034 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4035 flags);
4036
4037 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4038 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4039
4040 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4041 l2cap_build_conf_rsp(chan, data,
4042 L2CAP_CONF_SUCCESS, flags), data);
4043}
4044
4045static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4046 u16 scid, u16 dcid)
4047{
4048 struct l2cap_cmd_rej_cid rej;
4049
4050 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4051 rej.scid = __cpu_to_le16(scid);
4052 rej.dcid = __cpu_to_le16(dcid);
4053
4054 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4055}
4056
4057static inline int l2cap_config_req(struct l2cap_conn *conn,
4058 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4059 u8 *data)
4060{
4061 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4062 u16 dcid, flags;
4063 u8 rsp[64];
4064 struct l2cap_chan *chan;
4065 int len, err = 0;
4066
4067 if (cmd_len < sizeof(*req))
4068 return -EPROTO;
4069
4070 dcid = __le16_to_cpu(req->dcid);
4071 flags = __le16_to_cpu(req->flags);
4072
4073 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4074
4075 chan = l2cap_get_chan_by_scid(conn, dcid);
4076 if (!chan) {
4077 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4078 return 0;
4079 }
4080
4081 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4082 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4083 chan->dcid);
4084 goto unlock;
4085 }
4086
4087
4088 len = cmd_len - sizeof(*req);
4089 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4090 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4091 l2cap_build_conf_rsp(chan, rsp,
4092 L2CAP_CONF_REJECT, flags), rsp);
4093 goto unlock;
4094 }
4095
4096
4097 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4098 chan->conf_len += len;
4099
4100 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4101
4102 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4103 l2cap_build_conf_rsp(chan, rsp,
4104 L2CAP_CONF_SUCCESS, flags), rsp);
4105 goto unlock;
4106 }
4107
4108
4109 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4110 if (len < 0) {
4111 l2cap_send_disconn_req(chan, ECONNRESET);
4112 goto unlock;
4113 }
4114
4115 chan->ident = cmd->ident;
4116 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4117 chan->num_conf_rsp++;
4118
4119
4120 chan->conf_len = 0;
4121
4122 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4123 goto unlock;
4124
4125 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4126 set_default_fcs(chan);
4127
4128 if (chan->mode == L2CAP_MODE_ERTM ||
4129 chan->mode == L2CAP_MODE_STREAMING)
4130 err = l2cap_ertm_init(chan);
4131
4132 if (err < 0)
4133 l2cap_send_disconn_req(chan, -err);
4134 else
4135 l2cap_chan_ready(chan);
4136
4137 goto unlock;
4138 }
4139
4140 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4141 u8 buf[64];
4142 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4143 l2cap_build_conf_req(chan, buf, sizeof(buf)),
4144 buf);
4145 chan->num_conf_req++;
4146 }
4147
4148
4149
4150 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4151 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4152
4153
4154
4155
4156 if (!chan->hs_hcon)
4157 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4158 else
4159 chan->ident = cmd->ident;
4160 }
4161
4162unlock:
4163 l2cap_chan_unlock(chan);
4164 return err;
4165}
4166
4167static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4168 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4169 u8 *data)
4170{
4171 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4172 u16 scid, flags, result;
4173 struct l2cap_chan *chan;
4174 int len = cmd_len - sizeof(*rsp);
4175 int err = 0;
4176
4177 if (cmd_len < sizeof(*rsp))
4178 return -EPROTO;
4179
4180 scid = __le16_to_cpu(rsp->scid);
4181 flags = __le16_to_cpu(rsp->flags);
4182 result = __le16_to_cpu(rsp->result);
4183
4184 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4185 result, len);
4186
4187 chan = l2cap_get_chan_by_scid(conn, scid);
4188 if (!chan)
4189 return 0;
4190
4191 switch (result) {
4192 case L2CAP_CONF_SUCCESS:
4193 l2cap_conf_rfc_get(chan, rsp->data, len);
4194 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4195 break;
4196
4197 case L2CAP_CONF_PENDING:
4198 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4199
4200 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4201 char buf[64];
4202
4203 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4204 buf, sizeof(buf), &result);
4205 if (len < 0) {
4206 l2cap_send_disconn_req(chan, ECONNRESET);
4207 goto done;
4208 }
4209
4210 if (!chan->hs_hcon) {
4211 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4212 0);
4213 } else {
4214 if (l2cap_check_efs(chan)) {
4215 amp_create_logical_link(chan);
4216 chan->ident = cmd->ident;
4217 }
4218 }
4219 }
4220 goto done;
4221
4222 case L2CAP_CONF_UNACCEPT:
4223 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4224 char req[64];
4225
4226 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4227 l2cap_send_disconn_req(chan, ECONNRESET);
4228 goto done;
4229 }
4230
4231
4232 result = L2CAP_CONF_SUCCESS;
4233 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4234 req, sizeof(req), &result);
4235 if (len < 0) {
4236 l2cap_send_disconn_req(chan, ECONNRESET);
4237 goto done;
4238 }
4239
4240 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4241 L2CAP_CONF_REQ, len, req);
4242 chan->num_conf_req++;
4243 if (result != L2CAP_CONF_SUCCESS)
4244 goto done;
4245 break;
4246 }
4247
4248 default:
4249 l2cap_chan_set_err(chan, ECONNRESET);
4250
4251 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4252 l2cap_send_disconn_req(chan, ECONNRESET);
4253 goto done;
4254 }
4255
4256 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4257 goto done;
4258
4259 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4260
4261 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4262 set_default_fcs(chan);
4263
4264 if (chan->mode == L2CAP_MODE_ERTM ||
4265 chan->mode == L2CAP_MODE_STREAMING)
4266 err = l2cap_ertm_init(chan);
4267
4268 if (err < 0)
4269 l2cap_send_disconn_req(chan, -err);
4270 else
4271 l2cap_chan_ready(chan);
4272 }
4273
4274done:
4275 l2cap_chan_unlock(chan);
4276 return err;
4277}
4278
4279static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4280 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4281 u8 *data)
4282{
4283 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4284 struct l2cap_disconn_rsp rsp;
4285 u16 dcid, scid;
4286 struct l2cap_chan *chan;
4287
4288 if (cmd_len != sizeof(*req))
4289 return -EPROTO;
4290
4291 scid = __le16_to_cpu(req->scid);
4292 dcid = __le16_to_cpu(req->dcid);
4293
4294 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4295
4296 mutex_lock(&conn->chan_lock);
4297
4298 chan = __l2cap_get_chan_by_scid(conn, dcid);
4299 if (!chan) {
4300 mutex_unlock(&conn->chan_lock);
4301 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4302 return 0;
4303 }
4304
4305 l2cap_chan_lock(chan);
4306
4307 rsp.dcid = cpu_to_le16(chan->scid);
4308 rsp.scid = cpu_to_le16(chan->dcid);
4309 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4310
4311 chan->ops->set_shutdown(chan);
4312
4313 l2cap_chan_hold(chan);
4314 l2cap_chan_del(chan, ECONNRESET);
4315
4316 l2cap_chan_unlock(chan);
4317
4318 chan->ops->close(chan);
4319 l2cap_chan_put(chan);
4320
4321 mutex_unlock(&conn->chan_lock);
4322
4323 return 0;
4324}
4325
4326static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4327 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4328 u8 *data)
4329{
4330 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4331 u16 dcid, scid;
4332 struct l2cap_chan *chan;
4333
4334 if (cmd_len != sizeof(*rsp))
4335 return -EPROTO;
4336
4337 scid = __le16_to_cpu(rsp->scid);
4338 dcid = __le16_to_cpu(rsp->dcid);
4339
4340 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4341
4342 mutex_lock(&conn->chan_lock);
4343
4344 chan = __l2cap_get_chan_by_scid(conn, scid);
4345 if (!chan) {
4346 mutex_unlock(&conn->chan_lock);
4347 return 0;
4348 }
4349
4350 l2cap_chan_lock(chan);
4351
4352 l2cap_chan_hold(chan);
4353 l2cap_chan_del(chan, 0);
4354
4355 l2cap_chan_unlock(chan);
4356
4357 chan->ops->close(chan);
4358 l2cap_chan_put(chan);
4359
4360 mutex_unlock(&conn->chan_lock);
4361
4362 return 0;
4363}
4364
4365static inline int l2cap_information_req(struct l2cap_conn *conn,
4366 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4367 u8 *data)
4368{
4369 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4370 u16 type;
4371
4372 if (cmd_len != sizeof(*req))
4373 return -EPROTO;
4374
4375 type = __le16_to_cpu(req->type);
4376
4377 BT_DBG("type 0x%4.4x", type);
4378
4379 if (type == L2CAP_IT_FEAT_MASK) {
4380 u8 buf[8];
4381 u32 feat_mask = l2cap_feat_mask;
4382 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4383 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4384 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4385 if (!disable_ertm)
4386 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4387 | L2CAP_FEAT_FCS;
4388 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4389 feat_mask |= L2CAP_FEAT_EXT_FLOW
4390 | L2CAP_FEAT_EXT_WINDOW;
4391
4392 put_unaligned_le32(feat_mask, rsp->data);
4393 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4394 buf);
4395 } else if (type == L2CAP_IT_FIXED_CHAN) {
4396 u8 buf[12];
4397 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4398
4399 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4400 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4401 rsp->data[0] = conn->local_fixed_chan;
4402 memset(rsp->data + 1, 0, 7);
4403 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4404 buf);
4405 } else {
4406 struct l2cap_info_rsp rsp;
4407 rsp.type = cpu_to_le16(type);
4408 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4409 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4410 &rsp);
4411 }
4412
4413 return 0;
4414}
4415
4416static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4417 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4418 u8 *data)
4419{
4420 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4421 u16 type, result;
4422
4423 if (cmd_len < sizeof(*rsp))
4424 return -EPROTO;
4425
4426 type = __le16_to_cpu(rsp->type);
4427 result = __le16_to_cpu(rsp->result);
4428
4429 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4430
4431
4432 if (cmd->ident != conn->info_ident ||
4433 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4434 return 0;
4435
4436 cancel_delayed_work(&conn->info_timer);
4437
4438 if (result != L2CAP_IR_SUCCESS) {
4439 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4440 conn->info_ident = 0;
4441
4442 l2cap_conn_start(conn);
4443
4444 return 0;
4445 }
4446
4447 switch (type) {
4448 case L2CAP_IT_FEAT_MASK:
4449 conn->feat_mask = get_unaligned_le32(rsp->data);
4450
4451 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4452 struct l2cap_info_req req;
4453 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4454
4455 conn->info_ident = l2cap_get_ident(conn);
4456
4457 l2cap_send_cmd(conn, conn->info_ident,
4458 L2CAP_INFO_REQ, sizeof(req), &req);
4459 } else {
4460 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4461 conn->info_ident = 0;
4462
4463 l2cap_conn_start(conn);
4464 }
4465 break;
4466
4467 case L2CAP_IT_FIXED_CHAN:
4468 conn->remote_fixed_chan = rsp->data[0];
4469 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4470 conn->info_ident = 0;
4471
4472 l2cap_conn_start(conn);
4473 break;
4474 }
4475
4476 return 0;
4477}
4478
4479static int l2cap_create_channel_req(struct l2cap_conn *conn,
4480 struct l2cap_cmd_hdr *cmd,
4481 u16 cmd_len, void *data)
4482{
4483 struct l2cap_create_chan_req *req = data;
4484 struct l2cap_create_chan_rsp rsp;
4485 struct l2cap_chan *chan;
4486 struct hci_dev *hdev;
4487 u16 psm, scid;
4488
4489 if (cmd_len != sizeof(*req))
4490 return -EPROTO;
4491
4492 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4493 return -EINVAL;
4494
4495 psm = le16_to_cpu(req->psm);
4496 scid = le16_to_cpu(req->scid);
4497
4498 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4499
4500
4501 if (req->amp_id == AMP_ID_BREDR) {
4502 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4503 req->amp_id);
4504 return 0;
4505 }
4506
4507
4508 hdev = hci_dev_get(req->amp_id);
4509 if (!hdev)
4510 goto error;
4511
4512 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4513 hci_dev_put(hdev);
4514 goto error;
4515 }
4516
4517 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4518 req->amp_id);
4519 if (chan) {
4520 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4521 struct hci_conn *hs_hcon;
4522
4523 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4524 &conn->hcon->dst);
4525 if (!hs_hcon) {
4526 hci_dev_put(hdev);
4527 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4528 chan->dcid);
4529 return 0;
4530 }
4531
4532 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4533
4534 mgr->bredr_chan = chan;
4535 chan->hs_hcon = hs_hcon;
4536 chan->fcs = L2CAP_FCS_NONE;
4537 conn->mtu = hdev->block_mtu;
4538 }
4539
4540 hci_dev_put(hdev);
4541
4542 return 0;
4543
4544error:
4545 rsp.dcid = 0;
4546 rsp.scid = cpu_to_le16(scid);
4547 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4548 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4549
4550 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4551 sizeof(rsp), &rsp);
4552
4553 return 0;
4554}
4555
4556static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4557{
4558 struct l2cap_move_chan_req req;
4559 u8 ident;
4560
4561 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4562
4563 ident = l2cap_get_ident(chan->conn);
4564 chan->ident = ident;
4565
4566 req.icid = cpu_to_le16(chan->scid);
4567 req.dest_amp_id = dest_amp_id;
4568
4569 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4570 &req);
4571
4572 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4573}
4574
4575static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4576{
4577 struct l2cap_move_chan_rsp rsp;
4578
4579 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4580
4581 rsp.icid = cpu_to_le16(chan->dcid);
4582 rsp.result = cpu_to_le16(result);
4583
4584 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4585 sizeof(rsp), &rsp);
4586}
4587
4588static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4589{
4590 struct l2cap_move_chan_cfm cfm;
4591
4592 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4593
4594 chan->ident = l2cap_get_ident(chan->conn);
4595
4596 cfm.icid = cpu_to_le16(chan->scid);
4597 cfm.result = cpu_to_le16(result);
4598
4599 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4600 sizeof(cfm), &cfm);
4601
4602 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4603}
4604
4605static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4606{
4607 struct l2cap_move_chan_cfm cfm;
4608
4609 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4610
4611 cfm.icid = cpu_to_le16(icid);
4612 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4613
4614 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4615 sizeof(cfm), &cfm);
4616}
4617
4618static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4619 u16 icid)
4620{
4621 struct l2cap_move_chan_cfm_rsp rsp;
4622
4623 BT_DBG("icid 0x%4.4x", icid);
4624
4625 rsp.icid = cpu_to_le16(icid);
4626 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4627}
4628
4629static void __release_logical_link(struct l2cap_chan *chan)
4630{
4631 chan->hs_hchan = NULL;
4632 chan->hs_hcon = NULL;
4633
4634
4635}
4636
4637static void l2cap_logical_fail(struct l2cap_chan *chan)
4638{
4639
4640 if (chan->state != BT_CONNECTED) {
4641
4642 l2cap_send_disconn_req(chan, ECONNRESET);
4643 return;
4644 }
4645
4646 switch (chan->move_role) {
4647 case L2CAP_MOVE_ROLE_RESPONDER:
4648 l2cap_move_done(chan);
4649 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4650 break;
4651 case L2CAP_MOVE_ROLE_INITIATOR:
4652 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4653 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4654
4655
4656
4657 l2cap_move_done(chan);
4658 }
4659
4660
4661
4662
4663 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4664 break;
4665 }
4666}
4667
4668static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4669 struct hci_chan *hchan)
4670{
4671 struct l2cap_conf_rsp rsp;
4672
4673 chan->hs_hchan = hchan;
4674 chan->hs_hcon->l2cap_data = chan->conn;
4675
4676 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4677
4678 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4679 int err;
4680
4681 set_default_fcs(chan);
4682
4683 err = l2cap_ertm_init(chan);
4684 if (err < 0)
4685 l2cap_send_disconn_req(chan, -err);
4686 else
4687 l2cap_chan_ready(chan);
4688 }
4689}
4690
4691static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4692 struct hci_chan *hchan)
4693{
4694 chan->hs_hcon = hchan->conn;
4695 chan->hs_hcon->l2cap_data = chan->conn;
4696
4697 BT_DBG("move_state %d", chan->move_state);
4698
4699 switch (chan->move_state) {
4700 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4701
4702
4703
4704 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4705 break;
4706 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4707 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4708 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4709 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4710 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4711 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4712 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4713 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4714 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4715 }
4716 break;
4717 default:
4718
4719 __release_logical_link(chan);
4720
4721 chan->move_state = L2CAP_MOVE_STABLE;
4722 }
4723}
4724
4725
4726void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4727 u8 status)
4728{
4729 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4730
4731 if (status) {
4732 l2cap_logical_fail(chan);
4733 __release_logical_link(chan);
4734 return;
4735 }
4736
4737 if (chan->state != BT_CONNECTED) {
4738
4739 if (chan->local_amp_id != AMP_ID_BREDR)
4740 l2cap_logical_finish_create(chan, hchan);
4741 } else {
4742 l2cap_logical_finish_move(chan, hchan);
4743 }
4744}
4745
4746void l2cap_move_start(struct l2cap_chan *chan)
4747{
4748 BT_DBG("chan %p", chan);
4749
4750 if (chan->local_amp_id == AMP_ID_BREDR) {
4751 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4752 return;
4753 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4754 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4755
4756 } else {
4757 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4758 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4759 chan->move_id = 0;
4760 l2cap_move_setup(chan);
4761 l2cap_send_move_chan_req(chan, 0);
4762 }
4763}
4764
4765static void l2cap_do_create(struct l2cap_chan *chan, int result,
4766 u8 local_amp_id, u8 remote_amp_id)
4767{
4768 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4769 local_amp_id, remote_amp_id);
4770
4771 chan->fcs = L2CAP_FCS_NONE;
4772
4773
4774 if (chan->state == BT_CONNECT) {
4775 if (result == L2CAP_CR_SUCCESS) {
4776 chan->local_amp_id = local_amp_id;
4777 l2cap_send_create_chan_req(chan, remote_amp_id);
4778 } else {
4779
4780 l2cap_send_conn_req(chan);
4781 }
4782
4783 return;
4784 }
4785
4786
4787 if (__l2cap_no_conn_pending(chan)) {
4788 struct l2cap_conn_rsp rsp;
4789 char buf[128];
4790 rsp.scid = cpu_to_le16(chan->dcid);
4791 rsp.dcid = cpu_to_le16(chan->scid);
4792
4793 if (result == L2CAP_CR_SUCCESS) {
4794
4795 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4796 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4797 } else {
4798
4799 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4800 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4801 }
4802
4803 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4804 sizeof(rsp), &rsp);
4805
4806 if (result == L2CAP_CR_SUCCESS) {
4807 l2cap_state_change(chan, BT_CONFIG);
4808 set_bit(CONF_REQ_SENT, &chan->conf_state);
4809 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4810 L2CAP_CONF_REQ,
4811 l2cap_build_conf_req(chan, buf, sizeof(buf)),
4812 buf);
4813 chan->num_conf_req++;
4814 }
4815 }
4816}
4817
4818static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4819 u8 remote_amp_id)
4820{
4821 l2cap_move_setup(chan);
4822 chan->move_id = local_amp_id;
4823 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4824
4825 l2cap_send_move_chan_req(chan, remote_amp_id);
4826}
4827
4828static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4829{
4830 struct hci_chan *hchan = NULL;
4831
4832
4833
4834 if (hchan) {
4835 if (hchan->state == BT_CONNECTED) {
4836
4837 chan->hs_hcon = hchan->conn;
4838 chan->hs_hcon->l2cap_data = chan->conn;
4839 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4840 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4841
4842 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4843 } else {
4844
4845 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4846 }
4847 } else {
4848
4849 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4850 }
4851}
4852
4853static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4854{
4855 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4856 u8 rsp_result;
4857 if (result == -EINVAL)
4858 rsp_result = L2CAP_MR_BAD_ID;
4859 else
4860 rsp_result = L2CAP_MR_NOT_ALLOWED;
4861
4862 l2cap_send_move_chan_rsp(chan, rsp_result);
4863 }
4864
4865 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4866 chan->move_state = L2CAP_MOVE_STABLE;
4867
4868
4869 l2cap_ertm_send(chan);
4870}
4871
4872
4873void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4874{
4875 u8 local_amp_id = chan->local_amp_id;
4876 u8 remote_amp_id = chan->remote_amp_id;
4877
4878 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4879 chan, result, local_amp_id, remote_amp_id);
4880
4881 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4882 l2cap_chan_unlock(chan);
4883 return;
4884 }
4885
4886 if (chan->state != BT_CONNECTED) {
4887 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4888 } else if (result != L2CAP_MR_SUCCESS) {
4889 l2cap_do_move_cancel(chan, result);
4890 } else {
4891 switch (chan->move_role) {
4892 case L2CAP_MOVE_ROLE_INITIATOR:
4893 l2cap_do_move_initiate(chan, local_amp_id,
4894 remote_amp_id);
4895 break;
4896 case L2CAP_MOVE_ROLE_RESPONDER:
4897 l2cap_do_move_respond(chan, result);
4898 break;
4899 default:
4900 l2cap_do_move_cancel(chan, result);
4901 break;
4902 }
4903 }
4904}
4905
4906static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4907 struct l2cap_cmd_hdr *cmd,
4908 u16 cmd_len, void *data)
4909{
4910 struct l2cap_move_chan_req *req = data;
4911 struct l2cap_move_chan_rsp rsp;
4912 struct l2cap_chan *chan;
4913 u16 icid = 0;
4914 u16 result = L2CAP_MR_NOT_ALLOWED;
4915
4916 if (cmd_len != sizeof(*req))
4917 return -EPROTO;
4918
4919 icid = le16_to_cpu(req->icid);
4920
4921 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4922
4923 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4924 return -EINVAL;
4925
4926 chan = l2cap_get_chan_by_dcid(conn, icid);
4927 if (!chan) {
4928 rsp.icid = cpu_to_le16(icid);
4929 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4930 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4931 sizeof(rsp), &rsp);
4932 return 0;
4933 }
4934
4935 chan->ident = cmd->ident;
4936
4937 if (chan->scid < L2CAP_CID_DYN_START ||
4938 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4939 (chan->mode != L2CAP_MODE_ERTM &&
4940 chan->mode != L2CAP_MODE_STREAMING)) {
4941 result = L2CAP_MR_NOT_ALLOWED;
4942 goto send_move_response;
4943 }
4944
4945 if (chan->local_amp_id == req->dest_amp_id) {
4946 result = L2CAP_MR_SAME_ID;
4947 goto send_move_response;
4948 }
4949
4950 if (req->dest_amp_id != AMP_ID_BREDR) {
4951 struct hci_dev *hdev;
4952 hdev = hci_dev_get(req->dest_amp_id);
4953 if (!hdev || hdev->dev_type != HCI_AMP ||
4954 !test_bit(HCI_UP, &hdev->flags)) {
4955 if (hdev)
4956 hci_dev_put(hdev);
4957
4958 result = L2CAP_MR_BAD_ID;
4959 goto send_move_response;
4960 }
4961 hci_dev_put(hdev);
4962 }
4963
4964
4965
4966
4967
4968 if ((__chan_is_moving(chan) ||
4969 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4970 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4971 result = L2CAP_MR_COLLISION;
4972 goto send_move_response;
4973 }
4974
4975 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4976 l2cap_move_setup(chan);
4977 chan->move_id = req->dest_amp_id;
4978 icid = chan->dcid;
4979
4980 if (req->dest_amp_id == AMP_ID_BREDR) {
4981
4982 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4983 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4984 result = L2CAP_MR_PEND;
4985 } else {
4986 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4987 result = L2CAP_MR_SUCCESS;
4988 }
4989 } else {
4990 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4991
4992
4993 result = L2CAP_MR_PEND;
4994 }
4995
4996send_move_response:
4997 l2cap_send_move_chan_rsp(chan, result);
4998
4999 l2cap_chan_unlock(chan);
5000
5001 return 0;
5002}
5003
5004static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5005{
5006 struct l2cap_chan *chan;
5007 struct hci_chan *hchan = NULL;
5008
5009 chan = l2cap_get_chan_by_scid(conn, icid);
5010 if (!chan) {
5011 l2cap_send_move_chan_cfm_icid(conn, icid);
5012 return;
5013 }
5014
5015 __clear_chan_timer(chan);
5016 if (result == L2CAP_MR_PEND)
5017 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5018
5019 switch (chan->move_state) {
5020 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5021
5022
5023
5024 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5025 break;
5026 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5027 if (result == L2CAP_MR_PEND) {
5028 break;
5029 } else if (test_bit(CONN_LOCAL_BUSY,
5030 &chan->conn_state)) {
5031 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5032 } else {
5033
5034
5035
5036 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5037 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5038 }
5039 break;
5040 case L2CAP_MOVE_WAIT_RSP:
5041
5042 if (result == L2CAP_MR_SUCCESS) {
5043
5044
5045
5046 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5047 } else {
5048
5049
5050
5051 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5052 }
5053
5054
5055 if (!hchan) {
5056
5057 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5058 break;
5059 }
5060
5061
5062
5063
5064 if (hchan->state != BT_CONNECTED)
5065 break;
5066
5067
5068
5069 chan->hs_hcon = hchan->conn;
5070 chan->hs_hcon->l2cap_data = chan->conn;
5071
5072 if (result == L2CAP_MR_SUCCESS) {
5073
5074 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5075 } else {
5076
5077
5078
5079 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5080 }
5081
5082 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5083 break;
5084 default:
5085
5086 chan->move_id = chan->local_amp_id;
5087 l2cap_move_done(chan);
5088 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5089 }
5090
5091 l2cap_chan_unlock(chan);
5092}
5093
5094static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5095 u16 result)
5096{
5097 struct l2cap_chan *chan;
5098
5099 chan = l2cap_get_chan_by_ident(conn, ident);
5100 if (!chan) {
5101
5102 l2cap_send_move_chan_cfm_icid(conn, icid);
5103 return;
5104 }
5105
5106 __clear_chan_timer(chan);
5107
5108 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5109 if (result == L2CAP_MR_COLLISION) {
5110 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5111 } else {
5112
5113 chan->move_id = chan->local_amp_id;
5114 l2cap_move_done(chan);
5115 }
5116 }
5117
5118 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5119
5120 l2cap_chan_unlock(chan);
5121}
5122
5123static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5124 struct l2cap_cmd_hdr *cmd,
5125 u16 cmd_len, void *data)
5126{
5127 struct l2cap_move_chan_rsp *rsp = data;
5128 u16 icid, result;
5129
5130 if (cmd_len != sizeof(*rsp))
5131 return -EPROTO;
5132
5133 icid = le16_to_cpu(rsp->icid);
5134 result = le16_to_cpu(rsp->result);
5135
5136 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5137
5138 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5139 l2cap_move_continue(conn, icid, result);
5140 else
5141 l2cap_move_fail(conn, cmd->ident, icid, result);
5142
5143 return 0;
5144}
5145
5146static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5147 struct l2cap_cmd_hdr *cmd,
5148 u16 cmd_len, void *data)
5149{
5150 struct l2cap_move_chan_cfm *cfm = data;
5151 struct l2cap_chan *chan;
5152 u16 icid, result;
5153
5154 if (cmd_len != sizeof(*cfm))
5155 return -EPROTO;
5156
5157 icid = le16_to_cpu(cfm->icid);
5158 result = le16_to_cpu(cfm->result);
5159
5160 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5161
5162 chan = l2cap_get_chan_by_dcid(conn, icid);
5163 if (!chan) {
5164
5165 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5166 return 0;
5167 }
5168
5169 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5170 if (result == L2CAP_MC_CONFIRMED) {
5171 chan->local_amp_id = chan->move_id;
5172 if (chan->local_amp_id == AMP_ID_BREDR)
5173 __release_logical_link(chan);
5174 } else {
5175 chan->move_id = chan->local_amp_id;
5176 }
5177
5178 l2cap_move_done(chan);
5179 }
5180
5181 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5182
5183 l2cap_chan_unlock(chan);
5184
5185 return 0;
5186}
5187
5188static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5189 struct l2cap_cmd_hdr *cmd,
5190 u16 cmd_len, void *data)
5191{
5192 struct l2cap_move_chan_cfm_rsp *rsp = data;
5193 struct l2cap_chan *chan;
5194 u16 icid;
5195
5196 if (cmd_len != sizeof(*rsp))
5197 return -EPROTO;
5198
5199 icid = le16_to_cpu(rsp->icid);
5200
5201 BT_DBG("icid 0x%4.4x", icid);
5202
5203 chan = l2cap_get_chan_by_scid(conn, icid);
5204 if (!chan)
5205 return 0;
5206
5207 __clear_chan_timer(chan);
5208
5209 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5210 chan->local_amp_id = chan->move_id;
5211
5212 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5213 __release_logical_link(chan);
5214
5215 l2cap_move_done(chan);
5216 }
5217
5218 l2cap_chan_unlock(chan);
5219
5220 return 0;
5221}
5222
5223static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5224 struct l2cap_cmd_hdr *cmd,
5225 u16 cmd_len, u8 *data)
5226{
5227 struct hci_conn *hcon = conn->hcon;
5228 struct l2cap_conn_param_update_req *req;
5229 struct l2cap_conn_param_update_rsp rsp;
5230 u16 min, max, latency, to_multiplier;
5231 int err;
5232
5233 if (hcon->role != HCI_ROLE_MASTER)
5234 return -EINVAL;
5235
5236 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5237 return -EPROTO;
5238
5239 req = (struct l2cap_conn_param_update_req *) data;
5240 min = __le16_to_cpu(req->min);
5241 max = __le16_to_cpu(req->max);
5242 latency = __le16_to_cpu(req->latency);
5243 to_multiplier = __le16_to_cpu(req->to_multiplier);
5244
5245 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5246 min, max, latency, to_multiplier);
5247
5248 memset(&rsp, 0, sizeof(rsp));
5249
5250 err = hci_check_conn_params(min, max, latency, to_multiplier);
5251 if (err)
5252 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5253 else
5254 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5255
5256 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5257 sizeof(rsp), &rsp);
5258
5259 if (!err) {
5260 u8 store_hint;
5261
5262 store_hint = hci_le_conn_update(hcon, min, max, latency,
5263 to_multiplier);
5264 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5265 store_hint, min, max, latency,
5266 to_multiplier);
5267
5268 }
5269
5270 return 0;
5271}
5272
5273static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5274 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5275 u8 *data)
5276{
5277 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5278 struct hci_conn *hcon = conn->hcon;
5279 u16 dcid, mtu, mps, credits, result;
5280 struct l2cap_chan *chan;
5281 int err, sec_level;
5282
5283 if (cmd_len < sizeof(*rsp))
5284 return -EPROTO;
5285
5286 dcid = __le16_to_cpu(rsp->dcid);
5287 mtu = __le16_to_cpu(rsp->mtu);
5288 mps = __le16_to_cpu(rsp->mps);
5289 credits = __le16_to_cpu(rsp->credits);
5290 result = __le16_to_cpu(rsp->result);
5291
5292 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 ||
5293 dcid < L2CAP_CID_DYN_START ||
5294 dcid > L2CAP_CID_LE_DYN_END))
5295 return -EPROTO;
5296
5297 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5298 dcid, mtu, mps, credits, result);
5299
5300 mutex_lock(&conn->chan_lock);
5301
5302 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5303 if (!chan) {
5304 err = -EBADSLT;
5305 goto unlock;
5306 }
5307
5308 err = 0;
5309
5310 l2cap_chan_lock(chan);
5311
5312 switch (result) {
5313 case L2CAP_CR_SUCCESS:
5314 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5315 err = -EBADSLT;
5316 break;
5317 }
5318
5319 chan->ident = 0;
5320 chan->dcid = dcid;
5321 chan->omtu = mtu;
5322 chan->remote_mps = mps;
5323 chan->tx_credits = credits;
5324 l2cap_chan_ready(chan);
5325 break;
5326
5327 case L2CAP_CR_AUTHENTICATION:
5328 case L2CAP_CR_ENCRYPTION:
5329
5330
5331
5332 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5333 l2cap_chan_del(chan, ECONNREFUSED);
5334 break;
5335 }
5336
5337 sec_level = hcon->sec_level + 1;
5338 if (chan->sec_level < sec_level)
5339 chan->sec_level = sec_level;
5340
5341
5342 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5343
5344 smp_conn_security(hcon, chan->sec_level);
5345 break;
5346
5347 default:
5348 l2cap_chan_del(chan, ECONNREFUSED);
5349 break;
5350 }
5351
5352 l2cap_chan_unlock(chan);
5353
5354unlock:
5355 mutex_unlock(&conn->chan_lock);
5356
5357 return err;
5358}
5359
5360static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5361 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5362 u8 *data)
5363{
5364 int err = 0;
5365
5366 switch (cmd->code) {
5367 case L2CAP_COMMAND_REJ:
5368 l2cap_command_rej(conn, cmd, cmd_len, data);
5369 break;
5370
5371 case L2CAP_CONN_REQ:
5372 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5373 break;
5374
5375 case L2CAP_CONN_RSP:
5376 case L2CAP_CREATE_CHAN_RSP:
5377 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5378 break;
5379
5380 case L2CAP_CONF_REQ:
5381 err = l2cap_config_req(conn, cmd, cmd_len, data);
5382 break;
5383
5384 case L2CAP_CONF_RSP:
5385 l2cap_config_rsp(conn, cmd, cmd_len, data);
5386 break;
5387
5388 case L2CAP_DISCONN_REQ:
5389 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5390 break;
5391
5392 case L2CAP_DISCONN_RSP:
5393 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5394 break;
5395
5396 case L2CAP_ECHO_REQ:
5397 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5398 break;
5399
5400 case L2CAP_ECHO_RSP:
5401 break;
5402
5403 case L2CAP_INFO_REQ:
5404 err = l2cap_information_req(conn, cmd, cmd_len, data);
5405 break;
5406
5407 case L2CAP_INFO_RSP:
5408 l2cap_information_rsp(conn, cmd, cmd_len, data);
5409 break;
5410
5411 case L2CAP_CREATE_CHAN_REQ:
5412 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5413 break;
5414
5415 case L2CAP_MOVE_CHAN_REQ:
5416 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5417 break;
5418
5419 case L2CAP_MOVE_CHAN_RSP:
5420 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5421 break;
5422
5423 case L2CAP_MOVE_CHAN_CFM:
5424 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5425 break;
5426
5427 case L2CAP_MOVE_CHAN_CFM_RSP:
5428 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5429 break;
5430
5431 default:
5432 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5433 err = -EINVAL;
5434 break;
5435 }
5436
5437 return err;
5438}
5439
5440static int l2cap_le_connect_req(struct l2cap_conn *conn,
5441 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5442 u8 *data)
5443{
5444 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5445 struct l2cap_le_conn_rsp rsp;
5446 struct l2cap_chan *chan, *pchan;
5447 u16 dcid, scid, credits, mtu, mps;
5448 __le16 psm;
5449 u8 result;
5450
5451 if (cmd_len != sizeof(*req))
5452 return -EPROTO;
5453
5454 scid = __le16_to_cpu(req->scid);
5455 mtu = __le16_to_cpu(req->mtu);
5456 mps = __le16_to_cpu(req->mps);
5457 psm = req->psm;
5458 dcid = 0;
5459 credits = 0;
5460
5461 if (mtu < 23 || mps < 23)
5462 return -EPROTO;
5463
5464 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5465 scid, mtu, mps);
5466
5467
5468 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5469 &conn->hcon->dst, LE_LINK);
5470 if (!pchan) {
5471 result = L2CAP_CR_BAD_PSM;
5472 chan = NULL;
5473 goto response;
5474 }
5475
5476 mutex_lock(&conn->chan_lock);
5477 l2cap_chan_lock(pchan);
5478
5479 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5480 SMP_ALLOW_STK)) {
5481 result = L2CAP_CR_AUTHENTICATION;
5482 chan = NULL;
5483 goto response_unlock;
5484 }
5485
5486
5487 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5488 result = L2CAP_CR_INVALID_SCID;
5489 chan = NULL;
5490 goto response_unlock;
5491 }
5492
5493
5494 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5495 result = L2CAP_CR_SCID_IN_USE;
5496 chan = NULL;
5497 goto response_unlock;
5498 }
5499
5500 chan = pchan->ops->new_connection(pchan);
5501 if (!chan) {
5502 result = L2CAP_CR_NO_MEM;
5503 goto response_unlock;
5504 }
5505
5506 l2cap_le_flowctl_init(chan);
5507
5508 bacpy(&chan->src, &conn->hcon->src);
5509 bacpy(&chan->dst, &conn->hcon->dst);
5510 chan->src_type = bdaddr_src_type(conn->hcon);
5511 chan->dst_type = bdaddr_dst_type(conn->hcon);
5512 chan->psm = psm;
5513 chan->dcid = scid;
5514 chan->omtu = mtu;
5515 chan->remote_mps = mps;
5516 chan->tx_credits = __le16_to_cpu(req->credits);
5517
5518 __l2cap_chan_add(conn, chan);
5519 dcid = chan->scid;
5520 credits = chan->rx_credits;
5521
5522 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5523
5524 chan->ident = cmd->ident;
5525
5526 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5527 l2cap_state_change(chan, BT_CONNECT2);
5528
5529
5530
5531
5532
5533 result = L2CAP_CR_PEND;
5534 chan->ops->defer(chan);
5535 } else {
5536 l2cap_chan_ready(chan);
5537 result = L2CAP_CR_SUCCESS;
5538 }
5539
5540response_unlock:
5541 l2cap_chan_unlock(pchan);
5542 mutex_unlock(&conn->chan_lock);
5543 l2cap_chan_put(pchan);
5544
5545 if (result == L2CAP_CR_PEND)
5546 return 0;
5547
5548response:
5549 if (chan) {
5550 rsp.mtu = cpu_to_le16(chan->imtu);
5551 rsp.mps = cpu_to_le16(chan->mps);
5552 } else {
5553 rsp.mtu = 0;
5554 rsp.mps = 0;
5555 }
5556
5557 rsp.dcid = cpu_to_le16(dcid);
5558 rsp.credits = cpu_to_le16(credits);
5559 rsp.result = cpu_to_le16(result);
5560
5561 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5562
5563 return 0;
5564}
5565
5566static inline int l2cap_le_credits(struct l2cap_conn *conn,
5567 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5568 u8 *data)
5569{
5570 struct l2cap_le_credits *pkt;
5571 struct l2cap_chan *chan;
5572 u16 cid, credits, max_credits;
5573
5574 if (cmd_len != sizeof(*pkt))
5575 return -EPROTO;
5576
5577 pkt = (struct l2cap_le_credits *) data;
5578 cid = __le16_to_cpu(pkt->cid);
5579 credits = __le16_to_cpu(pkt->credits);
5580
5581 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5582
5583 chan = l2cap_get_chan_by_dcid(conn, cid);
5584 if (!chan)
5585 return -EBADSLT;
5586
5587 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5588 if (credits > max_credits) {
5589 BT_ERR("LE credits overflow");
5590 l2cap_send_disconn_req(chan, ECONNRESET);
5591 l2cap_chan_unlock(chan);
5592
5593
5594
5595
5596 return 0;
5597 }
5598
5599 chan->tx_credits += credits;
5600
5601 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5602 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5603 chan->tx_credits--;
5604 }
5605
5606 if (chan->tx_credits)
5607 chan->ops->resume(chan);
5608
5609 l2cap_chan_unlock(chan);
5610
5611 return 0;
5612}
5613
5614static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5615 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5616 u8 *data)
5617{
5618 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5619 struct l2cap_chan *chan;
5620
5621 if (cmd_len < sizeof(*rej))
5622 return -EPROTO;
5623
5624 mutex_lock(&conn->chan_lock);
5625
5626 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5627 if (!chan)
5628 goto done;
5629
5630 l2cap_chan_lock(chan);
5631 l2cap_chan_del(chan, ECONNREFUSED);
5632 l2cap_chan_unlock(chan);
5633
5634done:
5635 mutex_unlock(&conn->chan_lock);
5636 return 0;
5637}
5638
5639static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5640 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5641 u8 *data)
5642{
5643 int err = 0;
5644
5645 switch (cmd->code) {
5646 case L2CAP_COMMAND_REJ:
5647 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5648 break;
5649
5650 case L2CAP_CONN_PARAM_UPDATE_REQ:
5651 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5652 break;
5653
5654 case L2CAP_CONN_PARAM_UPDATE_RSP:
5655 break;
5656
5657 case L2CAP_LE_CONN_RSP:
5658 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5659 break;
5660
5661 case L2CAP_LE_CONN_REQ:
5662 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5663 break;
5664
5665 case L2CAP_LE_CREDITS:
5666 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5667 break;
5668
5669 case L2CAP_DISCONN_REQ:
5670 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5671 break;
5672
5673 case L2CAP_DISCONN_RSP:
5674 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5675 break;
5676
5677 default:
5678 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5679 err = -EINVAL;
5680 break;
5681 }
5682
5683 return err;
5684}
5685
5686static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5687 struct sk_buff *skb)
5688{
5689 struct hci_conn *hcon = conn->hcon;
5690 struct l2cap_cmd_hdr *cmd;
5691 u16 len;
5692 int err;
5693
5694 if (hcon->type != LE_LINK)
5695 goto drop;
5696
5697 if (skb->len < L2CAP_CMD_HDR_SIZE)
5698 goto drop;
5699
5700 cmd = (void *) skb->data;
5701 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5702
5703 len = le16_to_cpu(cmd->len);
5704
5705 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5706
5707 if (len != skb->len || !cmd->ident) {
5708 BT_DBG("corrupted command");
5709 goto drop;
5710 }
5711
5712 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5713 if (err) {
5714 struct l2cap_cmd_rej_unk rej;
5715
5716 BT_ERR("Wrong link type (%d)", err);
5717
5718 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5719 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5720 sizeof(rej), &rej);
5721 }
5722
5723drop:
5724 kfree_skb(skb);
5725}
5726
5727static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5728 struct sk_buff *skb)
5729{
5730 struct hci_conn *hcon = conn->hcon;
5731 u8 *data = skb->data;
5732 int len = skb->len;
5733 struct l2cap_cmd_hdr cmd;
5734 int err;
5735
5736 l2cap_raw_recv(conn, skb);
5737
5738 if (hcon->type != ACL_LINK)
5739 goto drop;
5740
5741 while (len >= L2CAP_CMD_HDR_SIZE) {
5742 u16 cmd_len;
5743 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5744 data += L2CAP_CMD_HDR_SIZE;
5745 len -= L2CAP_CMD_HDR_SIZE;
5746
5747 cmd_len = le16_to_cpu(cmd.len);
5748
5749 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5750 cmd.ident);
5751
5752 if (cmd_len > len || !cmd.ident) {
5753 BT_DBG("corrupted command");
5754 break;
5755 }
5756
5757 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5758 if (err) {
5759 struct l2cap_cmd_rej_unk rej;
5760
5761 BT_ERR("Wrong link type (%d)", err);
5762
5763 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5764 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5765 sizeof(rej), &rej);
5766 }
5767
5768 data += cmd_len;
5769 len -= cmd_len;
5770 }
5771
5772drop:
5773 kfree_skb(skb);
5774}
5775
5776static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5777{
5778 u16 our_fcs, rcv_fcs;
5779 int hdr_size;
5780
5781 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5782 hdr_size = L2CAP_EXT_HDR_SIZE;
5783 else
5784 hdr_size = L2CAP_ENH_HDR_SIZE;
5785
5786 if (chan->fcs == L2CAP_FCS_CRC16) {
5787 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5788 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5789 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5790
5791 if (our_fcs != rcv_fcs)
5792 return -EBADMSG;
5793 }
5794 return 0;
5795}
5796
5797static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5798{
5799 struct l2cap_ctrl control;
5800
5801 BT_DBG("chan %p", chan);
5802
5803 memset(&control, 0, sizeof(control));
5804 control.sframe = 1;
5805 control.final = 1;
5806 control.reqseq = chan->buffer_seq;
5807 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5808
5809 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5810 control.super = L2CAP_SUPER_RNR;
5811 l2cap_send_sframe(chan, &control);
5812 }
5813
5814 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5815 chan->unacked_frames > 0)
5816 __set_retrans_timer(chan);
5817
5818
5819 l2cap_ertm_send(chan);
5820
5821 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5822 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5823
5824
5825
5826 control.super = L2CAP_SUPER_RR;
5827 l2cap_send_sframe(chan, &control);
5828 }
5829}
5830
5831static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5832 struct sk_buff **last_frag)
5833{
5834
5835
5836
5837 if (!skb_has_frag_list(skb))
5838 skb_shinfo(skb)->frag_list = new_frag;
5839
5840 new_frag->next = NULL;
5841
5842 (*last_frag)->next = new_frag;
5843 *last_frag = new_frag;
5844
5845 skb->len += new_frag->len;
5846 skb->data_len += new_frag->len;
5847 skb->truesize += new_frag->truesize;
5848}
5849
5850static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5851 struct l2cap_ctrl *control)
5852{
5853 int err = -EINVAL;
5854
5855 switch (control->sar) {
5856 case L2CAP_SAR_UNSEGMENTED:
5857 if (chan->sdu)
5858 break;
5859
5860 err = chan->ops->recv(chan, skb);
5861 break;
5862
5863 case L2CAP_SAR_START:
5864 if (chan->sdu)
5865 break;
5866
5867 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5868 break;
5869
5870 chan->sdu_len = get_unaligned_le16(skb->data);
5871 skb_pull(skb, L2CAP_SDULEN_SIZE);
5872
5873 if (chan->sdu_len > chan->imtu) {
5874 err = -EMSGSIZE;
5875 break;
5876 }
5877
5878 if (skb->len >= chan->sdu_len)
5879 break;
5880
5881 chan->sdu = skb;
5882 chan->sdu_last_frag = skb;
5883
5884 skb = NULL;
5885 err = 0;
5886 break;
5887
5888 case L2CAP_SAR_CONTINUE:
5889 if (!chan->sdu)
5890 break;
5891
5892 append_skb_frag(chan->sdu, skb,
5893 &chan->sdu_last_frag);
5894 skb = NULL;
5895
5896 if (chan->sdu->len >= chan->sdu_len)
5897 break;
5898
5899 err = 0;
5900 break;
5901
5902 case L2CAP_SAR_END:
5903 if (!chan->sdu)
5904 break;
5905
5906 append_skb_frag(chan->sdu, skb,
5907 &chan->sdu_last_frag);
5908 skb = NULL;
5909
5910 if (chan->sdu->len != chan->sdu_len)
5911 break;
5912
5913 err = chan->ops->recv(chan, chan->sdu);
5914
5915 if (!err) {
5916
5917 chan->sdu = NULL;
5918 chan->sdu_last_frag = NULL;
5919 chan->sdu_len = 0;
5920 }
5921 break;
5922 }
5923
5924 if (err) {
5925 kfree_skb(skb);
5926 kfree_skb(chan->sdu);
5927 chan->sdu = NULL;
5928 chan->sdu_last_frag = NULL;
5929 chan->sdu_len = 0;
5930 }
5931
5932 return err;
5933}
5934
5935static int l2cap_resegment(struct l2cap_chan *chan)
5936{
5937
5938 return 0;
5939}
5940
5941void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5942{
5943 u8 event;
5944
5945 if (chan->mode != L2CAP_MODE_ERTM)
5946 return;
5947
5948 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5949 l2cap_tx(chan, NULL, NULL, event);
5950}
5951
5952static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5953{
5954 int err = 0;
5955
5956
5957
5958
5959 BT_DBG("chan %p", chan);
5960
5961 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5962 struct sk_buff *skb;
5963 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5964 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5965
5966 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5967
5968 if (!skb)
5969 break;
5970
5971 skb_unlink(skb, &chan->srej_q);
5972 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5973 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5974 if (err)
5975 break;
5976 }
5977
5978 if (skb_queue_empty(&chan->srej_q)) {
5979 chan->rx_state = L2CAP_RX_STATE_RECV;
5980 l2cap_send_ack(chan);
5981 }
5982
5983 return err;
5984}
5985
5986static void l2cap_handle_srej(struct l2cap_chan *chan,
5987 struct l2cap_ctrl *control)
5988{
5989 struct sk_buff *skb;
5990
5991 BT_DBG("chan %p, control %p", chan, control);
5992
5993 if (control->reqseq == chan->next_tx_seq) {
5994 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5995 l2cap_send_disconn_req(chan, ECONNRESET);
5996 return;
5997 }
5998
5999 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6000
6001 if (skb == NULL) {
6002 BT_DBG("Seq %d not available for retransmission",
6003 control->reqseq);
6004 return;
6005 }
6006
6007 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6008 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6009 l2cap_send_disconn_req(chan, ECONNRESET);
6010 return;
6011 }
6012
6013 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6014
6015 if (control->poll) {
6016 l2cap_pass_to_tx(chan, control);
6017
6018 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6019 l2cap_retransmit(chan, control);
6020 l2cap_ertm_send(chan);
6021
6022 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6023 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6024 chan->srej_save_reqseq = control->reqseq;
6025 }
6026 } else {
6027 l2cap_pass_to_tx_fbit(chan, control);
6028
6029 if (control->final) {
6030 if (chan->srej_save_reqseq != control->reqseq ||
6031 !test_and_clear_bit(CONN_SREJ_ACT,
6032 &chan->conn_state))
6033 l2cap_retransmit(chan, control);
6034 } else {
6035 l2cap_retransmit(chan, control);
6036 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6037 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6038 chan->srej_save_reqseq = control->reqseq;
6039 }
6040 }
6041 }
6042}
6043
6044static void l2cap_handle_rej(struct l2cap_chan *chan,
6045 struct l2cap_ctrl *control)
6046{
6047 struct sk_buff *skb;
6048
6049 BT_DBG("chan %p, control %p", chan, control);
6050
6051 if (control->reqseq == chan->next_tx_seq) {
6052 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6053 l2cap_send_disconn_req(chan, ECONNRESET);
6054 return;
6055 }
6056
6057 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6058
6059 if (chan->max_tx && skb &&
6060 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6061 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6062 l2cap_send_disconn_req(chan, ECONNRESET);
6063 return;
6064 }
6065
6066 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6067
6068 l2cap_pass_to_tx(chan, control);
6069
6070 if (control->final) {
6071 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6072 l2cap_retransmit_all(chan, control);
6073 } else {
6074 l2cap_retransmit_all(chan, control);
6075 l2cap_ertm_send(chan);
6076 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6077 set_bit(CONN_REJ_ACT, &chan->conn_state);
6078 }
6079}
6080
6081static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6082{
6083 BT_DBG("chan %p, txseq %d", chan, txseq);
6084
6085 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6086 chan->expected_tx_seq);
6087
6088 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6089 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6090 chan->tx_win) {
6091
6092
6093
6094 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6095 BT_DBG("Invalid/Ignore - after SREJ");
6096 return L2CAP_TXSEQ_INVALID_IGNORE;
6097 } else {
6098 BT_DBG("Invalid - in window after SREJ sent");
6099 return L2CAP_TXSEQ_INVALID;
6100 }
6101 }
6102
6103 if (chan->srej_list.head == txseq) {
6104 BT_DBG("Expected SREJ");
6105 return L2CAP_TXSEQ_EXPECTED_SREJ;
6106 }
6107
6108 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6109 BT_DBG("Duplicate SREJ - txseq already stored");
6110 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6111 }
6112
6113 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6114 BT_DBG("Unexpected SREJ - not requested");
6115 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6116 }
6117 }
6118
6119 if (chan->expected_tx_seq == txseq) {
6120 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6121 chan->tx_win) {
6122 BT_DBG("Invalid - txseq outside tx window");
6123 return L2CAP_TXSEQ_INVALID;
6124 } else {
6125 BT_DBG("Expected");
6126 return L2CAP_TXSEQ_EXPECTED;
6127 }
6128 }
6129
6130 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6131 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6132 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6133 return L2CAP_TXSEQ_DUPLICATE;
6134 }
6135
6136 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6137
6138
6139
6140
6141
6142
6143
6144
6145
6146
6147
6148
6149
6150
6151
6152
6153
6154 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6155 BT_DBG("Invalid/Ignore - txseq outside tx window");
6156 return L2CAP_TXSEQ_INVALID_IGNORE;
6157 } else {
6158 BT_DBG("Invalid - txseq outside tx window");
6159 return L2CAP_TXSEQ_INVALID;
6160 }
6161 } else {
6162 BT_DBG("Unexpected - txseq indicates missing frames");
6163 return L2CAP_TXSEQ_UNEXPECTED;
6164 }
6165}
6166
6167static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6168 struct l2cap_ctrl *control,
6169 struct sk_buff *skb, u8 event)
6170{
6171 int err = 0;
6172 bool skb_in_use = false;
6173
6174 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6175 event);
6176
6177 switch (event) {
6178 case L2CAP_EV_RECV_IFRAME:
6179 switch (l2cap_classify_txseq(chan, control->txseq)) {
6180 case L2CAP_TXSEQ_EXPECTED:
6181 l2cap_pass_to_tx(chan, control);
6182
6183 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6184 BT_DBG("Busy, discarding expected seq %d",
6185 control->txseq);
6186 break;
6187 }
6188
6189 chan->expected_tx_seq = __next_seq(chan,
6190 control->txseq);
6191
6192 chan->buffer_seq = chan->expected_tx_seq;
6193 skb_in_use = true;
6194
6195 err = l2cap_reassemble_sdu(chan, skb, control);
6196 if (err)
6197 break;
6198
6199 if (control->final) {
6200 if (!test_and_clear_bit(CONN_REJ_ACT,
6201 &chan->conn_state)) {
6202 control->final = 0;
6203 l2cap_retransmit_all(chan, control);
6204 l2cap_ertm_send(chan);
6205 }
6206 }
6207
6208 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6209 l2cap_send_ack(chan);
6210 break;
6211 case L2CAP_TXSEQ_UNEXPECTED:
6212 l2cap_pass_to_tx(chan, control);
6213
6214
6215
6216
6217
6218 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6219 BT_DBG("Busy, discarding unexpected seq %d",
6220 control->txseq);
6221 break;
6222 }
6223
6224
6225
6226
6227
6228 skb_queue_tail(&chan->srej_q, skb);
6229 skb_in_use = true;
6230 BT_DBG("Queued %p (queue len %d)", skb,
6231 skb_queue_len(&chan->srej_q));
6232
6233 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6234 l2cap_seq_list_clear(&chan->srej_list);
6235 l2cap_send_srej(chan, control->txseq);
6236
6237 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6238 break;
6239 case L2CAP_TXSEQ_DUPLICATE:
6240 l2cap_pass_to_tx(chan, control);
6241 break;
6242 case L2CAP_TXSEQ_INVALID_IGNORE:
6243 break;
6244 case L2CAP_TXSEQ_INVALID:
6245 default:
6246 l2cap_send_disconn_req(chan, ECONNRESET);
6247 break;
6248 }
6249 break;
6250 case L2CAP_EV_RECV_RR:
6251 l2cap_pass_to_tx(chan, control);
6252 if (control->final) {
6253 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6254
6255 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6256 !__chan_is_moving(chan)) {
6257 control->final = 0;
6258 l2cap_retransmit_all(chan, control);
6259 }
6260
6261 l2cap_ertm_send(chan);
6262 } else if (control->poll) {
6263 l2cap_send_i_or_rr_or_rnr(chan);
6264 } else {
6265 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6266 &chan->conn_state) &&
6267 chan->unacked_frames)
6268 __set_retrans_timer(chan);
6269
6270 l2cap_ertm_send(chan);
6271 }
6272 break;
6273 case L2CAP_EV_RECV_RNR:
6274 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6275 l2cap_pass_to_tx(chan, control);
6276 if (control && control->poll) {
6277 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6278 l2cap_send_rr_or_rnr(chan, 0);
6279 }
6280 __clear_retrans_timer(chan);
6281 l2cap_seq_list_clear(&chan->retrans_list);
6282 break;
6283 case L2CAP_EV_RECV_REJ:
6284 l2cap_handle_rej(chan, control);
6285 break;
6286 case L2CAP_EV_RECV_SREJ:
6287 l2cap_handle_srej(chan, control);
6288 break;
6289 default:
6290 break;
6291 }
6292
6293 if (skb && !skb_in_use) {
6294 BT_DBG("Freeing %p", skb);
6295 kfree_skb(skb);
6296 }
6297
6298 return err;
6299}
6300
6301static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6302 struct l2cap_ctrl *control,
6303 struct sk_buff *skb, u8 event)
6304{
6305 int err = 0;
6306 u16 txseq = control->txseq;
6307 bool skb_in_use = false;
6308
6309 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6310 event);
6311
6312 switch (event) {
6313 case L2CAP_EV_RECV_IFRAME:
6314 switch (l2cap_classify_txseq(chan, txseq)) {
6315 case L2CAP_TXSEQ_EXPECTED:
6316
6317 l2cap_pass_to_tx(chan, control);
6318 skb_queue_tail(&chan->srej_q, skb);
6319 skb_in_use = true;
6320 BT_DBG("Queued %p (queue len %d)", skb,
6321 skb_queue_len(&chan->srej_q));
6322
6323 chan->expected_tx_seq = __next_seq(chan, txseq);
6324 break;
6325 case L2CAP_TXSEQ_EXPECTED_SREJ:
6326 l2cap_seq_list_pop(&chan->srej_list);
6327
6328 l2cap_pass_to_tx(chan, control);
6329 skb_queue_tail(&chan->srej_q, skb);
6330 skb_in_use = true;
6331 BT_DBG("Queued %p (queue len %d)", skb,
6332 skb_queue_len(&chan->srej_q));
6333
6334 err = l2cap_rx_queued_iframes(chan);
6335 if (err)
6336 break;
6337
6338 break;
6339 case L2CAP_TXSEQ_UNEXPECTED:
6340
6341
6342
6343
6344 skb_queue_tail(&chan->srej_q, skb);
6345 skb_in_use = true;
6346 BT_DBG("Queued %p (queue len %d)", skb,
6347 skb_queue_len(&chan->srej_q));
6348
6349 l2cap_pass_to_tx(chan, control);
6350 l2cap_send_srej(chan, control->txseq);
6351 break;
6352 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6353
6354
6355
6356
6357
6358 skb_queue_tail(&chan->srej_q, skb);
6359 skb_in_use = true;
6360 BT_DBG("Queued %p (queue len %d)", skb,
6361 skb_queue_len(&chan->srej_q));
6362
6363 l2cap_pass_to_tx(chan, control);
6364 l2cap_send_srej_list(chan, control->txseq);
6365 break;
6366 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6367
6368 l2cap_pass_to_tx(chan, control);
6369 break;
6370 case L2CAP_TXSEQ_DUPLICATE:
6371
6372
6373
6374 break;
6375 case L2CAP_TXSEQ_INVALID_IGNORE:
6376 break;
6377 case L2CAP_TXSEQ_INVALID:
6378 default:
6379 l2cap_send_disconn_req(chan, ECONNRESET);
6380 break;
6381 }
6382 break;
6383 case L2CAP_EV_RECV_RR:
6384 l2cap_pass_to_tx(chan, control);
6385 if (control->final) {
6386 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6387
6388 if (!test_and_clear_bit(CONN_REJ_ACT,
6389 &chan->conn_state)) {
6390 control->final = 0;
6391 l2cap_retransmit_all(chan, control);
6392 }
6393
6394 l2cap_ertm_send(chan);
6395 } else if (control->poll) {
6396 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6397 &chan->conn_state) &&
6398 chan->unacked_frames) {
6399 __set_retrans_timer(chan);
6400 }
6401
6402 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6403 l2cap_send_srej_tail(chan);
6404 } else {
6405 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6406 &chan->conn_state) &&
6407 chan->unacked_frames)
6408 __set_retrans_timer(chan);
6409
6410 l2cap_send_ack(chan);
6411 }
6412 break;
6413 case L2CAP_EV_RECV_RNR:
6414 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6415 l2cap_pass_to_tx(chan, control);
6416 if (control->poll) {
6417 l2cap_send_srej_tail(chan);
6418 } else {
6419 struct l2cap_ctrl rr_control;
6420 memset(&rr_control, 0, sizeof(rr_control));
6421 rr_control.sframe = 1;
6422 rr_control.super = L2CAP_SUPER_RR;
6423 rr_control.reqseq = chan->buffer_seq;
6424 l2cap_send_sframe(chan, &rr_control);
6425 }
6426
6427 break;
6428 case L2CAP_EV_RECV_REJ:
6429 l2cap_handle_rej(chan, control);
6430 break;
6431 case L2CAP_EV_RECV_SREJ:
6432 l2cap_handle_srej(chan, control);
6433 break;
6434 }
6435
6436 if (skb && !skb_in_use) {
6437 BT_DBG("Freeing %p", skb);
6438 kfree_skb(skb);
6439 }
6440
6441 return err;
6442}
6443
6444static int l2cap_finish_move(struct l2cap_chan *chan)
6445{
6446 BT_DBG("chan %p", chan);
6447
6448 chan->rx_state = L2CAP_RX_STATE_RECV;
6449
6450 if (chan->hs_hcon)
6451 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6452 else
6453 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6454
6455 return l2cap_resegment(chan);
6456}
6457
6458static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6459 struct l2cap_ctrl *control,
6460 struct sk_buff *skb, u8 event)
6461{
6462 int err;
6463
6464 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6465 event);
6466
6467 if (!control->poll)
6468 return -EPROTO;
6469
6470 l2cap_process_reqseq(chan, control->reqseq);
6471
6472 if (!skb_queue_empty(&chan->tx_q))
6473 chan->tx_send_head = skb_peek(&chan->tx_q);
6474 else
6475 chan->tx_send_head = NULL;
6476
6477
6478
6479
6480 chan->next_tx_seq = control->reqseq;
6481 chan->unacked_frames = 0;
6482
6483 err = l2cap_finish_move(chan);
6484 if (err)
6485 return err;
6486
6487 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6488 l2cap_send_i_or_rr_or_rnr(chan);
6489
6490 if (event == L2CAP_EV_RECV_IFRAME)
6491 return -EPROTO;
6492
6493 return l2cap_rx_state_recv(chan, control, NULL, event);
6494}
6495
6496static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6497 struct l2cap_ctrl *control,
6498 struct sk_buff *skb, u8 event)
6499{
6500 int err;
6501
6502 if (!control->final)
6503 return -EPROTO;
6504
6505 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6506
6507 chan->rx_state = L2CAP_RX_STATE_RECV;
6508 l2cap_process_reqseq(chan, control->reqseq);
6509
6510 if (!skb_queue_empty(&chan->tx_q))
6511 chan->tx_send_head = skb_peek(&chan->tx_q);
6512 else
6513 chan->tx_send_head = NULL;
6514
6515
6516
6517
6518 chan->next_tx_seq = control->reqseq;
6519 chan->unacked_frames = 0;
6520
6521 if (chan->hs_hcon)
6522 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6523 else
6524 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6525
6526 err = l2cap_resegment(chan);
6527
6528 if (!err)
6529 err = l2cap_rx_state_recv(chan, control, skb, event);
6530
6531 return err;
6532}
6533
6534static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6535{
6536
6537 u16 unacked;
6538
6539 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6540 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6541}
6542
6543static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6544 struct sk_buff *skb, u8 event)
6545{
6546 int err = 0;
6547
6548 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6549 control, skb, event, chan->rx_state);
6550
6551 if (__valid_reqseq(chan, control->reqseq)) {
6552 switch (chan->rx_state) {
6553 case L2CAP_RX_STATE_RECV:
6554 err = l2cap_rx_state_recv(chan, control, skb, event);
6555 break;
6556 case L2CAP_RX_STATE_SREJ_SENT:
6557 err = l2cap_rx_state_srej_sent(chan, control, skb,
6558 event);
6559 break;
6560 case L2CAP_RX_STATE_WAIT_P:
6561 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6562 break;
6563 case L2CAP_RX_STATE_WAIT_F:
6564 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6565 break;
6566 default:
6567
6568 break;
6569 }
6570 } else {
6571 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6572 control->reqseq, chan->next_tx_seq,
6573 chan->expected_ack_seq);
6574 l2cap_send_disconn_req(chan, ECONNRESET);
6575 }
6576
6577 return err;
6578}
6579
6580static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6581 struct sk_buff *skb)
6582{
6583 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6584 chan->rx_state);
6585
6586 if (l2cap_classify_txseq(chan, control->txseq) ==
6587 L2CAP_TXSEQ_EXPECTED) {
6588 l2cap_pass_to_tx(chan, control);
6589
6590 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6591 __next_seq(chan, chan->buffer_seq));
6592
6593 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6594
6595 l2cap_reassemble_sdu(chan, skb, control);
6596 } else {
6597 if (chan->sdu) {
6598 kfree_skb(chan->sdu);
6599 chan->sdu = NULL;
6600 }
6601 chan->sdu_last_frag = NULL;
6602 chan->sdu_len = 0;
6603
6604 if (skb) {
6605 BT_DBG("Freeing %p", skb);
6606 kfree_skb(skb);
6607 }
6608 }
6609
6610 chan->last_acked_seq = control->txseq;
6611 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6612
6613 return 0;
6614}
6615
6616static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6617{
6618 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6619 u16 len;
6620 u8 event;
6621
6622 __unpack_control(chan, skb);
6623
6624 len = skb->len;
6625
6626
6627
6628
6629
6630
6631 if (l2cap_check_fcs(chan, skb))
6632 goto drop;
6633
6634 if (!control->sframe && control->sar == L2CAP_SAR_START)
6635 len -= L2CAP_SDULEN_SIZE;
6636
6637 if (chan->fcs == L2CAP_FCS_CRC16)
6638 len -= L2CAP_FCS_SIZE;
6639
6640 if (len > chan->mps) {
6641 l2cap_send_disconn_req(chan, ECONNRESET);
6642 goto drop;
6643 }
6644
6645 if ((chan->mode == L2CAP_MODE_ERTM ||
6646 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6647 goto drop;
6648
6649 if (!control->sframe) {
6650 int err;
6651
6652 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6653 control->sar, control->reqseq, control->final,
6654 control->txseq);
6655
6656
6657
6658
6659 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6660 goto drop;
6661
6662 if (chan->mode != L2CAP_MODE_STREAMING) {
6663 event = L2CAP_EV_RECV_IFRAME;
6664 err = l2cap_rx(chan, control, skb, event);
6665 } else {
6666 err = l2cap_stream_rx(chan, control, skb);
6667 }
6668
6669 if (err)
6670 l2cap_send_disconn_req(chan, ECONNRESET);
6671 } else {
6672 const u8 rx_func_to_event[4] = {
6673 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6674 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6675 };
6676
6677
6678 if (chan->mode == L2CAP_MODE_STREAMING)
6679 goto drop;
6680
6681 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6682 control->reqseq, control->final, control->poll,
6683 control->super);
6684
6685 if (len != 0) {
6686 BT_ERR("Trailing bytes: %d in sframe", len);
6687 l2cap_send_disconn_req(chan, ECONNRESET);
6688 goto drop;
6689 }
6690
6691
6692 if (control->final && (control->poll ||
6693 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6694 goto drop;
6695
6696 event = rx_func_to_event[control->super];
6697 if (l2cap_rx(chan, control, skb, event))
6698 l2cap_send_disconn_req(chan, ECONNRESET);
6699 }
6700
6701 return 0;
6702
6703drop:
6704 kfree_skb(skb);
6705 return 0;
6706}
6707
6708static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6709{
6710 struct l2cap_conn *conn = chan->conn;
6711 struct l2cap_le_credits pkt;
6712 u16 return_credits;
6713
6714
6715
6716
6717 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6718 return;
6719
6720 return_credits = le_max_credits - chan->rx_credits;
6721
6722 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6723
6724 chan->rx_credits += return_credits;
6725
6726 pkt.cid = cpu_to_le16(chan->scid);
6727 pkt.credits = cpu_to_le16(return_credits);
6728
6729 chan->ident = l2cap_get_ident(conn);
6730
6731 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6732}
6733
6734static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6735{
6736 int err;
6737
6738 if (!chan->rx_credits) {
6739 BT_ERR("No credits to receive LE L2CAP data");
6740 l2cap_send_disconn_req(chan, ECONNRESET);
6741 return -ENOBUFS;
6742 }
6743
6744 if (chan->imtu < skb->len) {
6745 BT_ERR("Too big LE L2CAP PDU");
6746 return -ENOBUFS;
6747 }
6748
6749 chan->rx_credits--;
6750 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6751
6752 l2cap_chan_le_send_credits(chan);
6753
6754 err = 0;
6755
6756 if (!chan->sdu) {
6757 u16 sdu_len;
6758
6759 sdu_len = get_unaligned_le16(skb->data);
6760 skb_pull(skb, L2CAP_SDULEN_SIZE);
6761
6762 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6763 sdu_len, skb->len, chan->imtu);
6764
6765 if (sdu_len > chan->imtu) {
6766 BT_ERR("Too big LE L2CAP SDU length received");
6767 err = -EMSGSIZE;
6768 goto failed;
6769 }
6770
6771 if (skb->len > sdu_len) {
6772 BT_ERR("Too much LE L2CAP data received");
6773 err = -EINVAL;
6774 goto failed;
6775 }
6776
6777 if (skb->len == sdu_len)
6778 return chan->ops->recv(chan, skb);
6779
6780 chan->sdu = skb;
6781 chan->sdu_len = sdu_len;
6782 chan->sdu_last_frag = skb;
6783
6784 return 0;
6785 }
6786
6787 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6788 chan->sdu->len, skb->len, chan->sdu_len);
6789
6790 if (chan->sdu->len + skb->len > chan->sdu_len) {
6791 BT_ERR("Too much LE L2CAP data received");
6792 err = -EINVAL;
6793 goto failed;
6794 }
6795
6796 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6797 skb = NULL;
6798
6799 if (chan->sdu->len == chan->sdu_len) {
6800 err = chan->ops->recv(chan, chan->sdu);
6801 if (!err) {
6802 chan->sdu = NULL;
6803 chan->sdu_last_frag = NULL;
6804 chan->sdu_len = 0;
6805 }
6806 }
6807
6808failed:
6809 if (err) {
6810 kfree_skb(skb);
6811 kfree_skb(chan->sdu);
6812 chan->sdu = NULL;
6813 chan->sdu_last_frag = NULL;
6814 chan->sdu_len = 0;
6815 }
6816
6817
6818
6819
6820
6821 return 0;
6822}
6823
6824static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6825 struct sk_buff *skb)
6826{
6827 struct l2cap_chan *chan;
6828
6829 chan = l2cap_get_chan_by_scid(conn, cid);
6830 if (!chan) {
6831 if (cid == L2CAP_CID_A2MP) {
6832 chan = a2mp_channel_create(conn, skb);
6833 if (!chan) {
6834 kfree_skb(skb);
6835 return;
6836 }
6837
6838 l2cap_chan_lock(chan);
6839 } else {
6840 BT_DBG("unknown cid 0x%4.4x", cid);
6841
6842 kfree_skb(skb);
6843 return;
6844 }
6845 }
6846
6847 BT_DBG("chan %p, len %d", chan, skb->len);
6848
6849
6850
6851
6852
6853 if (chan->chan_type == L2CAP_CHAN_FIXED)
6854 l2cap_chan_ready(chan);
6855
6856 if (chan->state != BT_CONNECTED)
6857 goto drop;
6858
6859 switch (chan->mode) {
6860 case L2CAP_MODE_LE_FLOWCTL:
6861 if (l2cap_le_data_rcv(chan, skb) < 0)
6862 goto drop;
6863
6864 goto done;
6865
6866 case L2CAP_MODE_BASIC:
6867
6868
6869
6870
6871
6872 if (chan->imtu < skb->len) {
6873 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6874 goto drop;
6875 }
6876
6877 if (!chan->ops->recv(chan, skb))
6878 goto done;
6879 break;
6880
6881 case L2CAP_MODE_ERTM:
6882 case L2CAP_MODE_STREAMING:
6883 l2cap_data_rcv(chan, skb);
6884 goto done;
6885
6886 default:
6887 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6888 break;
6889 }
6890
6891drop:
6892 kfree_skb(skb);
6893
6894done:
6895 l2cap_chan_unlock(chan);
6896}
6897
6898static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6899 struct sk_buff *skb)
6900{
6901 struct hci_conn *hcon = conn->hcon;
6902 struct l2cap_chan *chan;
6903
6904 if (hcon->type != ACL_LINK)
6905 goto free_skb;
6906
6907 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6908 ACL_LINK);
6909 if (!chan)
6910 goto free_skb;
6911
6912 BT_DBG("chan %p, len %d", chan, skb->len);
6913
6914 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6915 goto drop;
6916
6917 if (chan->imtu < skb->len)
6918 goto drop;
6919
6920
6921 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6922 bt_cb(skb)->l2cap.psm = psm;
6923
6924 if (!chan->ops->recv(chan, skb)) {
6925 l2cap_chan_put(chan);
6926 return;
6927 }
6928
6929drop:
6930 l2cap_chan_put(chan);
6931free_skb:
6932 kfree_skb(skb);
6933}
6934
6935static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6936{
6937 struct l2cap_hdr *lh = (void *) skb->data;
6938 struct hci_conn *hcon = conn->hcon;
6939 u16 cid, len;
6940 __le16 psm;
6941
6942 if (hcon->state != BT_CONNECTED) {
6943 BT_DBG("queueing pending rx skb");
6944 skb_queue_tail(&conn->pending_rx, skb);
6945 return;
6946 }
6947
6948 skb_pull(skb, L2CAP_HDR_SIZE);
6949 cid = __le16_to_cpu(lh->cid);
6950 len = __le16_to_cpu(lh->len);
6951
6952 if (len != skb->len) {
6953 kfree_skb(skb);
6954 return;
6955 }
6956
6957
6958
6959
6960 if (hcon->type == LE_LINK &&
6961 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6962 bdaddr_dst_type(hcon))) {
6963 kfree_skb(skb);
6964 return;
6965 }
6966
6967 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6968
6969 switch (cid) {
6970 case L2CAP_CID_SIGNALING:
6971 l2cap_sig_channel(conn, skb);
6972 break;
6973
6974 case L2CAP_CID_CONN_LESS:
6975 psm = get_unaligned((__le16 *) skb->data);
6976 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6977 l2cap_conless_channel(conn, psm, skb);
6978 break;
6979
6980 case L2CAP_CID_LE_SIGNALING:
6981 l2cap_le_sig_channel(conn, skb);
6982 break;
6983
6984 default:
6985 l2cap_data_channel(conn, cid, skb);
6986 break;
6987 }
6988}
6989
6990static void process_pending_rx(struct work_struct *work)
6991{
6992 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6993 pending_rx_work);
6994 struct sk_buff *skb;
6995
6996 BT_DBG("");
6997
6998 while ((skb = skb_dequeue(&conn->pending_rx)))
6999 l2cap_recv_frame(conn, skb);
7000}
7001
7002static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7003{
7004 struct l2cap_conn *conn = hcon->l2cap_data;
7005 struct hci_chan *hchan;
7006
7007 if (conn)
7008 return conn;
7009
7010 hchan = hci_chan_create(hcon);
7011 if (!hchan)
7012 return NULL;
7013
7014 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7015 if (!conn) {
7016 hci_chan_del(hchan);
7017 return NULL;
7018 }
7019
7020 kref_init(&conn->ref);
7021 hcon->l2cap_data = conn;
7022 conn->hcon = hci_conn_get(hcon);
7023 conn->hchan = hchan;
7024
7025 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7026
7027 switch (hcon->type) {
7028 case LE_LINK:
7029 if (hcon->hdev->le_mtu) {
7030 conn->mtu = hcon->hdev->le_mtu;
7031 break;
7032 }
7033
7034 default:
7035 conn->mtu = hcon->hdev->acl_mtu;
7036 break;
7037 }
7038
7039 conn->feat_mask = 0;
7040
7041 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7042
7043 if (hcon->type == ACL_LINK &&
7044 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7045 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7046
7047 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7048 (bredr_sc_enabled(hcon->hdev) ||
7049 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7050 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7051
7052 mutex_init(&conn->ident_lock);
7053 mutex_init(&conn->chan_lock);
7054
7055 INIT_LIST_HEAD(&conn->chan_l);
7056 INIT_LIST_HEAD(&conn->users);
7057
7058 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7059
7060 skb_queue_head_init(&conn->pending_rx);
7061 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7062 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7063
7064 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7065
7066 return conn;
7067}
7068
7069static bool is_valid_psm(u16 psm, u8 dst_type) {
7070 if (!psm)
7071 return false;
7072
7073 if (bdaddr_type_is_le(dst_type))
7074 return (psm <= 0x00ff);
7075
7076
7077 return ((psm & 0x0101) == 0x0001);
7078}
7079
7080int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7081 bdaddr_t *dst, u8 dst_type)
7082{
7083 struct l2cap_conn *conn;
7084 struct hci_conn *hcon;
7085 struct hci_dev *hdev;
7086 int err;
7087
7088 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7089 dst_type, __le16_to_cpu(psm));
7090
7091 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7092 if (!hdev)
7093 return -EHOSTUNREACH;
7094
7095 hci_dev_lock(hdev);
7096
7097 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7098 chan->chan_type != L2CAP_CHAN_RAW) {
7099 err = -EINVAL;
7100 goto done;
7101 }
7102
7103 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7104 err = -EINVAL;
7105 goto done;
7106 }
7107
7108 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7109 err = -EINVAL;
7110 goto done;
7111 }
7112
7113 switch (chan->mode) {
7114 case L2CAP_MODE_BASIC:
7115 break;
7116 case L2CAP_MODE_LE_FLOWCTL:
7117 l2cap_le_flowctl_init(chan);
7118 break;
7119 case L2CAP_MODE_ERTM:
7120 case L2CAP_MODE_STREAMING:
7121 if (!disable_ertm)
7122 break;
7123
7124 default:
7125 err = -EOPNOTSUPP;
7126 goto done;
7127 }
7128
7129 switch (chan->state) {
7130 case BT_CONNECT:
7131 case BT_CONNECT2:
7132 case BT_CONFIG:
7133
7134 err = 0;
7135 goto done;
7136
7137 case BT_CONNECTED:
7138
7139 err = -EISCONN;
7140 goto done;
7141
7142 case BT_OPEN:
7143 case BT_BOUND:
7144
7145 break;
7146
7147 default:
7148 err = -EBADFD;
7149 goto done;
7150 }
7151
7152
7153 bacpy(&chan->dst, dst);
7154 chan->dst_type = dst_type;
7155
7156 chan->psm = psm;
7157 chan->dcid = cid;
7158
7159 if (bdaddr_type_is_le(dst_type)) {
7160
7161
7162 if (dst_type == BDADDR_LE_PUBLIC)
7163 dst_type = ADDR_LE_DEV_PUBLIC;
7164 else
7165 dst_type = ADDR_LE_DEV_RANDOM;
7166
7167 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7168 hcon = hci_connect_le(hdev, dst, dst_type,
7169 chan->sec_level,
7170 HCI_LE_CONN_TIMEOUT,
7171 HCI_ROLE_SLAVE);
7172 else
7173 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7174 chan->sec_level,
7175 HCI_LE_CONN_TIMEOUT);
7176
7177 } else {
7178 u8 auth_type = l2cap_get_auth_type(chan);
7179 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7180 }
7181
7182 if (IS_ERR(hcon)) {
7183 err = PTR_ERR(hcon);
7184 goto done;
7185 }
7186
7187 conn = l2cap_conn_add(hcon);
7188 if (!conn) {
7189 hci_conn_drop(hcon);
7190 err = -ENOMEM;
7191 goto done;
7192 }
7193
7194 mutex_lock(&conn->chan_lock);
7195 l2cap_chan_lock(chan);
7196
7197 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7198 hci_conn_drop(hcon);
7199 err = -EBUSY;
7200 goto chan_unlock;
7201 }
7202
7203
7204 bacpy(&chan->src, &hcon->src);
7205 chan->src_type = bdaddr_src_type(hcon);
7206
7207 __l2cap_chan_add(conn, chan);
7208
7209
7210 hci_conn_drop(hcon);
7211
7212 l2cap_state_change(chan, BT_CONNECT);
7213 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7214
7215
7216
7217
7218 write_lock(&chan_list_lock);
7219 chan->sport = 0;
7220 write_unlock(&chan_list_lock);
7221
7222 if (hcon->state == BT_CONNECTED) {
7223 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7224 __clear_chan_timer(chan);
7225 if (l2cap_chan_check_security(chan, true))
7226 l2cap_state_change(chan, BT_CONNECTED);
7227 } else
7228 l2cap_do_start(chan);
7229 }
7230
7231 err = 0;
7232
7233chan_unlock:
7234 l2cap_chan_unlock(chan);
7235 mutex_unlock(&conn->chan_lock);
7236done:
7237 hci_dev_unlock(hdev);
7238 hci_dev_put(hdev);
7239 return err;
7240}
7241EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7242
7243
7244
7245int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7246{
7247 int exact = 0, lm1 = 0, lm2 = 0;
7248 struct l2cap_chan *c;
7249
7250 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7251
7252
7253 read_lock(&chan_list_lock);
7254 list_for_each_entry(c, &chan_list, global_l) {
7255 if (c->state != BT_LISTEN)
7256 continue;
7257
7258 if (!bacmp(&c->src, &hdev->bdaddr)) {
7259 lm1 |= HCI_LM_ACCEPT;
7260 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7261 lm1 |= HCI_LM_MASTER;
7262 exact++;
7263 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7264 lm2 |= HCI_LM_ACCEPT;
7265 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7266 lm2 |= HCI_LM_MASTER;
7267 }
7268 }
7269 read_unlock(&chan_list_lock);
7270
7271 return exact ? lm1 : lm2;
7272}
7273
7274
7275
7276
7277
7278static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7279 struct hci_conn *hcon)
7280{
7281 u8 src_type = bdaddr_src_type(hcon);
7282
7283 read_lock(&chan_list_lock);
7284
7285 if (c)
7286 c = list_next_entry(c, global_l);
7287 else
7288 c = list_entry(chan_list.next, typeof(*c), global_l);
7289
7290 list_for_each_entry_from(c, &chan_list, global_l) {
7291 if (c->chan_type != L2CAP_CHAN_FIXED)
7292 continue;
7293 if (c->state != BT_LISTEN)
7294 continue;
7295 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7296 continue;
7297 if (src_type != c->src_type)
7298 continue;
7299
7300 l2cap_chan_hold(c);
7301 read_unlock(&chan_list_lock);
7302 return c;
7303 }
7304
7305 read_unlock(&chan_list_lock);
7306
7307 return NULL;
7308}
7309
7310static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7311{
7312 struct hci_dev *hdev = hcon->hdev;
7313 struct l2cap_conn *conn;
7314 struct l2cap_chan *pchan;
7315 u8 dst_type;
7316
7317 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7318 return;
7319
7320 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7321
7322 if (status) {
7323 l2cap_conn_del(hcon, bt_to_errno(status));
7324 return;
7325 }
7326
7327 conn = l2cap_conn_add(hcon);
7328 if (!conn)
7329 return;
7330
7331 dst_type = bdaddr_dst_type(hcon);
7332
7333
7334 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7335 return;
7336
7337
7338
7339
7340
7341
7342 pchan = l2cap_global_fixed_chan(NULL, hcon);
7343 while (pchan) {
7344 struct l2cap_chan *chan, *next;
7345
7346
7347 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7348 goto next;
7349
7350 l2cap_chan_lock(pchan);
7351 chan = pchan->ops->new_connection(pchan);
7352 if (chan) {
7353 bacpy(&chan->src, &hcon->src);
7354 bacpy(&chan->dst, &hcon->dst);
7355 chan->src_type = bdaddr_src_type(hcon);
7356 chan->dst_type = dst_type;
7357
7358 __l2cap_chan_add(conn, chan);
7359 }
7360
7361 l2cap_chan_unlock(pchan);
7362next:
7363 next = l2cap_global_fixed_chan(pchan, hcon);
7364 l2cap_chan_put(pchan);
7365 pchan = next;
7366 }
7367
7368 l2cap_conn_ready(conn);
7369}
7370
7371int l2cap_disconn_ind(struct hci_conn *hcon)
7372{
7373 struct l2cap_conn *conn = hcon->l2cap_data;
7374
7375 BT_DBG("hcon %p", hcon);
7376
7377 if (!conn)
7378 return HCI_ERROR_REMOTE_USER_TERM;
7379 return conn->disc_reason;
7380}
7381
7382static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7383{
7384 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7385 return;
7386
7387 BT_DBG("hcon %p reason %d", hcon, reason);
7388
7389 l2cap_conn_del(hcon, bt_to_errno(reason));
7390}
7391
7392static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7393{
7394 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7395 return;
7396
7397 if (encrypt == 0x00) {
7398 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7399 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7400 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7401 chan->sec_level == BT_SECURITY_FIPS)
7402 l2cap_chan_close(chan, ECONNREFUSED);
7403 } else {
7404 if (chan->sec_level == BT_SECURITY_MEDIUM)
7405 __clear_chan_timer(chan);
7406 }
7407}
7408
7409static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7410{
7411 struct l2cap_conn *conn = hcon->l2cap_data;
7412 struct l2cap_chan *chan;
7413
7414 if (!conn)
7415 return;
7416
7417 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7418
7419 mutex_lock(&conn->chan_lock);
7420
7421 list_for_each_entry(chan, &conn->chan_l, list) {
7422 l2cap_chan_lock(chan);
7423
7424 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7425 state_to_string(chan->state));
7426
7427 if (chan->scid == L2CAP_CID_A2MP) {
7428 l2cap_chan_unlock(chan);
7429 continue;
7430 }
7431
7432 if (!status && encrypt)
7433 chan->sec_level = hcon->sec_level;
7434
7435 if (!__l2cap_no_conn_pending(chan)) {
7436 l2cap_chan_unlock(chan);
7437 continue;
7438 }
7439
7440 if (!status && (chan->state == BT_CONNECTED ||
7441 chan->state == BT_CONFIG)) {
7442 chan->ops->resume(chan);
7443 l2cap_check_encryption(chan, encrypt);
7444 l2cap_chan_unlock(chan);
7445 continue;
7446 }
7447
7448 if (chan->state == BT_CONNECT) {
7449 if (!status)
7450 l2cap_start_connection(chan);
7451 else
7452 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7453 } else if (chan->state == BT_CONNECT2 &&
7454 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7455 struct l2cap_conn_rsp rsp;
7456 __u16 res, stat;
7457
7458 if (!status) {
7459 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7460 res = L2CAP_CR_PEND;
7461 stat = L2CAP_CS_AUTHOR_PEND;
7462 chan->ops->defer(chan);
7463 } else {
7464 l2cap_state_change(chan, BT_CONFIG);
7465 res = L2CAP_CR_SUCCESS;
7466 stat = L2CAP_CS_NO_INFO;
7467 }
7468 } else {
7469 l2cap_state_change(chan, BT_DISCONN);
7470 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7471 res = L2CAP_CR_SEC_BLOCK;
7472 stat = L2CAP_CS_NO_INFO;
7473 }
7474
7475 rsp.scid = cpu_to_le16(chan->dcid);
7476 rsp.dcid = cpu_to_le16(chan->scid);
7477 rsp.result = cpu_to_le16(res);
7478 rsp.status = cpu_to_le16(stat);
7479 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7480 sizeof(rsp), &rsp);
7481
7482 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7483 res == L2CAP_CR_SUCCESS) {
7484 char buf[128];
7485 set_bit(CONF_REQ_SENT, &chan->conf_state);
7486 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7487 L2CAP_CONF_REQ,
7488 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7489 buf);
7490 chan->num_conf_req++;
7491 }
7492 }
7493
7494 l2cap_chan_unlock(chan);
7495 }
7496
7497 mutex_unlock(&conn->chan_lock);
7498}
7499
7500void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7501{
7502 struct l2cap_conn *conn = hcon->l2cap_data;
7503 struct l2cap_hdr *hdr;
7504 int len;
7505
7506
7507 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7508 goto drop;
7509
7510 if (!conn)
7511 conn = l2cap_conn_add(hcon);
7512
7513 if (!conn)
7514 goto drop;
7515
7516 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7517
7518 switch (flags) {
7519 case ACL_START:
7520 case ACL_START_NO_FLUSH:
7521 case ACL_COMPLETE:
7522 if (conn->rx_len) {
7523 BT_ERR("Unexpected start frame (len %d)", skb->len);
7524 kfree_skb(conn->rx_skb);
7525 conn->rx_skb = NULL;
7526 conn->rx_len = 0;
7527 l2cap_conn_unreliable(conn, ECOMM);
7528 }
7529
7530
7531 if (skb->len < L2CAP_HDR_SIZE) {
7532 BT_ERR("Frame is too short (len %d)", skb->len);
7533 l2cap_conn_unreliable(conn, ECOMM);
7534 goto drop;
7535 }
7536
7537 hdr = (struct l2cap_hdr *) skb->data;
7538 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7539
7540 if (len == skb->len) {
7541
7542 l2cap_recv_frame(conn, skb);
7543 return;
7544 }
7545
7546 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7547
7548 if (skb->len > len) {
7549 BT_ERR("Frame is too long (len %d, expected len %d)",
7550 skb->len, len);
7551 l2cap_conn_unreliable(conn, ECOMM);
7552 goto drop;
7553 }
7554
7555
7556 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7557 if (!conn->rx_skb)
7558 goto drop;
7559
7560 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7561 skb->len);
7562 conn->rx_len = len - skb->len;
7563 break;
7564
7565 case ACL_CONT:
7566 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7567
7568 if (!conn->rx_len) {
7569 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7570 l2cap_conn_unreliable(conn, ECOMM);
7571 goto drop;
7572 }
7573
7574 if (skb->len > conn->rx_len) {
7575 BT_ERR("Fragment is too long (len %d, expected %d)",
7576 skb->len, conn->rx_len);
7577 kfree_skb(conn->rx_skb);
7578 conn->rx_skb = NULL;
7579 conn->rx_len = 0;
7580 l2cap_conn_unreliable(conn, ECOMM);
7581 goto drop;
7582 }
7583
7584 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7585 skb->len);
7586 conn->rx_len -= skb->len;
7587
7588 if (!conn->rx_len) {
7589
7590
7591
7592
7593 struct sk_buff *rx_skb = conn->rx_skb;
7594 conn->rx_skb = NULL;
7595 l2cap_recv_frame(conn, rx_skb);
7596 }
7597 break;
7598 }
7599
7600drop:
7601 kfree_skb(skb);
7602}
7603
7604static struct hci_cb l2cap_cb = {
7605 .name = "L2CAP",
7606 .connect_cfm = l2cap_connect_cfm,
7607 .disconn_cfm = l2cap_disconn_cfm,
7608 .security_cfm = l2cap_security_cfm,
7609};
7610
7611static int l2cap_debugfs_show(struct seq_file *f, void *p)
7612{
7613 struct l2cap_chan *c;
7614
7615 read_lock(&chan_list_lock);
7616
7617 list_for_each_entry(c, &chan_list, global_l) {
7618 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7619 &c->src, c->src_type, &c->dst, c->dst_type,
7620 c->state, __le16_to_cpu(c->psm),
7621 c->scid, c->dcid, c->imtu, c->omtu,
7622 c->sec_level, c->mode);
7623 }
7624
7625 read_unlock(&chan_list_lock);
7626
7627 return 0;
7628}
7629
7630static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7631{
7632 return single_open(file, l2cap_debugfs_show, inode->i_private);
7633}
7634
7635static const struct file_operations l2cap_debugfs_fops = {
7636 .open = l2cap_debugfs_open,
7637 .read = seq_read,
7638 .llseek = seq_lseek,
7639 .release = single_release,
7640};
7641
7642static struct dentry *l2cap_debugfs;
7643
7644int __init l2cap_init(void)
7645{
7646 int err;
7647
7648 err = l2cap_init_sockets();
7649 if (err < 0)
7650 return err;
7651
7652 hci_register_cb(&l2cap_cb);
7653
7654 if (IS_ERR_OR_NULL(bt_debugfs))
7655 return 0;
7656
7657 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7658 NULL, &l2cap_debugfs_fops);
7659
7660 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7661 &le_max_credits);
7662 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7663 &le_default_mps);
7664
7665 return 0;
7666}
7667
7668void l2cap_exit(void)
7669{
7670 debugfs_remove(l2cap_debugfs);
7671 hci_unregister_cb(&l2cap_cb);
7672 l2cap_cleanup_sockets();
7673}
7674
7675module_param(disable_ertm, bool, 0644);
7676MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7677
