1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31#include <linux/module.h>
32
33#include <linux/debugfs.h>
34#include <linux/crc16.h>
35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
39
40#include "smp.h"
41#include "a2mp.h"
42#include "amp.h"
43#include "6lowpan.h"
44
45bool disable_ertm;
46
47static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
48static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
49
50static LIST_HEAD(chan_list);
51static DEFINE_RWLOCK(chan_list_lock);
52
53static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
55
56static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
57 u8 code, u8 ident, u16 dlen, void *data);
58static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 void *data);
60static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
61static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62
63static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
64 struct sk_buff_head *skbs, u8 event);
65
66static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
67{
68 if (hcon->type == LE_LINK) {
69 if (type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76}
77
78
79
80static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
81 u16 cid)
82{
83 struct l2cap_chan *c;
84
85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
88 }
89 return NULL;
90}
91
92static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
93 u16 cid)
94{
95 struct l2cap_chan *c;
96
97 list_for_each_entry(c, &conn->chan_l, list) {
98 if (c->scid == cid)
99 return c;
100 }
101 return NULL;
102}
103
104
105
106static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
107 u16 cid)
108{
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_scid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118}
119
120
121
122
123static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
124 u16 cid)
125{
126 struct l2cap_chan *c;
127
128 mutex_lock(&conn->chan_lock);
129 c = __l2cap_get_chan_by_dcid(conn, cid);
130 if (c)
131 l2cap_chan_lock(c);
132 mutex_unlock(&conn->chan_lock);
133
134 return c;
135}
136
137static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
138 u8 ident)
139{
140 struct l2cap_chan *c;
141
142 list_for_each_entry(c, &conn->chan_l, list) {
143 if (c->ident == ident)
144 return c;
145 }
146 return NULL;
147}
148
149static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 u8 ident)
151{
152 struct l2cap_chan *c;
153
154 mutex_lock(&conn->chan_lock);
155 c = __l2cap_get_chan_by_ident(conn, ident);
156 if (c)
157 l2cap_chan_lock(c);
158 mutex_unlock(&conn->chan_lock);
159
160 return c;
161}
162
163static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
164{
165 struct l2cap_chan *c;
166
167 list_for_each_entry(c, &chan_list, global_l) {
168 if (c->sport == psm && !bacmp(&c->src, src))
169 return c;
170 }
171 return NULL;
172}
173
174int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
175{
176 int err;
177
178 write_lock(&chan_list_lock);
179
180 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
181 err = -EADDRINUSE;
182 goto done;
183 }
184
185 if (psm) {
186 chan->psm = psm;
187 chan->sport = psm;
188 err = 0;
189 } else {
190 u16 p;
191
192 err = -EINVAL;
193 for (p = 0x1001; p < 0x1100; p += 2)
194 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
195 chan->psm = cpu_to_le16(p);
196 chan->sport = cpu_to_le16(p);
197 err = 0;
198 break;
199 }
200 }
201
202done:
203 write_unlock(&chan_list_lock);
204 return err;
205}
206
207int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
208{
209 write_lock(&chan_list_lock);
210
211 chan->scid = scid;
212
213 write_unlock(&chan_list_lock);
214
215 return 0;
216}
217
218static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
219{
220 u16 cid, dyn_end;
221
222 if (conn->hcon->type == LE_LINK)
223 dyn_end = L2CAP_CID_LE_DYN_END;
224 else
225 dyn_end = L2CAP_CID_DYN_END;
226
227 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
228 if (!__l2cap_get_chan_by_scid(conn, cid))
229 return cid;
230 }
231
232 return 0;
233}
234
235static void l2cap_state_change(struct l2cap_chan *chan, int state)
236{
237 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
238 state_to_string(state));
239
240 chan->state = state;
241 chan->ops->state_change(chan, state, 0);
242}
243
244static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
245 int state, int err)
246{
247 chan->state = state;
248 chan->ops->state_change(chan, chan->state, err);
249}
250
251static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
252{
253 chan->ops->state_change(chan, chan->state, err);
254}
255
256static void __set_retrans_timer(struct l2cap_chan *chan)
257{
258 if (!delayed_work_pending(&chan->monitor_timer) &&
259 chan->retrans_timeout) {
260 l2cap_set_timer(chan, &chan->retrans_timer,
261 msecs_to_jiffies(chan->retrans_timeout));
262 }
263}
264
265static void __set_monitor_timer(struct l2cap_chan *chan)
266{
267 __clear_retrans_timer(chan);
268 if (chan->monitor_timeout) {
269 l2cap_set_timer(chan, &chan->monitor_timer,
270 msecs_to_jiffies(chan->monitor_timeout));
271 }
272}
273
274static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
275 u16 seq)
276{
277 struct sk_buff *skb;
278
279 skb_queue_walk(head, skb) {
280 if (bt_cb(skb)->control.txseq == seq)
281 return skb;
282 }
283
284 return NULL;
285}
286
287
288
289
290
291
292
293
294
295
296
297
298static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
299{
300 size_t alloc_size, i;
301
302
303
304
305
306 alloc_size = roundup_pow_of_two(size);
307
308 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
309 if (!seq_list->list)
310 return -ENOMEM;
311
312 seq_list->mask = alloc_size - 1;
313 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
314 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
315 for (i = 0; i < alloc_size; i++)
316 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
317
318 return 0;
319}
320
321static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
322{
323 kfree(seq_list->list);
324}
325
326static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
327 u16 seq)
328{
329
330 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
331}
332
333static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
334{
335 u16 mask = seq_list->mask;
336
337 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
338
339 return L2CAP_SEQ_LIST_CLEAR;
340 } else if (seq_list->head == seq) {
341
342 seq_list->head = seq_list->list[seq & mask];
343 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
344
345 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
346 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
347 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
348 }
349 } else {
350
351 u16 prev = seq_list->head;
352 while (seq_list->list[prev & mask] != seq) {
353 prev = seq_list->list[prev & mask];
354 if (prev == L2CAP_SEQ_LIST_TAIL)
355 return L2CAP_SEQ_LIST_CLEAR;
356 }
357
358
359 seq_list->list[prev & mask] = seq_list->list[seq & mask];
360 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
361 if (seq_list->tail == seq)
362 seq_list->tail = prev;
363 }
364 return seq;
365}
366
367static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
368{
369
370 return l2cap_seq_list_remove(seq_list, seq_list->head);
371}
372
373static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
374{
375 u16 i;
376
377 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
378 return;
379
380 for (i = 0; i <= seq_list->mask; i++)
381 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
382
383 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
384 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
385}
386
387static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
388{
389 u16 mask = seq_list->mask;
390
391
392
393 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
394 return;
395
396 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
397 seq_list->head = seq;
398 else
399 seq_list->list[seq_list->tail & mask] = seq;
400
401 seq_list->tail = seq;
402 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
403}
404
405static void l2cap_chan_timeout(struct work_struct *work)
406{
407 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
408 chan_timer.work);
409 struct l2cap_conn *conn = chan->conn;
410 int reason;
411
412 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
413
414 mutex_lock(&conn->chan_lock);
415 l2cap_chan_lock(chan);
416
417 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
418 reason = ECONNREFUSED;
419 else if (chan->state == BT_CONNECT &&
420 chan->sec_level != BT_SECURITY_SDP)
421 reason = ECONNREFUSED;
422 else
423 reason = ETIMEDOUT;
424
425 l2cap_chan_close(chan, reason);
426
427 l2cap_chan_unlock(chan);
428
429 chan->ops->close(chan);
430 mutex_unlock(&conn->chan_lock);
431
432 l2cap_chan_put(chan);
433}
434
435struct l2cap_chan *l2cap_chan_create(void)
436{
437 struct l2cap_chan *chan;
438
439 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
440 if (!chan)
441 return NULL;
442
443 mutex_init(&chan->lock);
444
445 write_lock(&chan_list_lock);
446 list_add(&chan->global_l, &chan_list);
447 write_unlock(&chan_list_lock);
448
449 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
450
451 chan->state = BT_OPEN;
452
453 kref_init(&chan->kref);
454
455
456 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
457
458 BT_DBG("chan %p", chan);
459
460 return chan;
461}
462
463static void l2cap_chan_destroy(struct kref *kref)
464{
465 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
466
467 BT_DBG("chan %p", chan);
468
469 write_lock(&chan_list_lock);
470 list_del(&chan->global_l);
471 write_unlock(&chan_list_lock);
472
473 kfree(chan);
474}
475
476void l2cap_chan_hold(struct l2cap_chan *c)
477{
478 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
479
480 kref_get(&c->kref);
481}
482
483void l2cap_chan_put(struct l2cap_chan *c)
484{
485 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
486
487 kref_put(&c->kref, l2cap_chan_destroy);
488}
489
490void l2cap_chan_set_defaults(struct l2cap_chan *chan)
491{
492 chan->fcs = L2CAP_FCS_CRC16;
493 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
494 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
495 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
496 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
497 chan->sec_level = BT_SECURITY_LOW;
498
499 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
500}
501
502static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
503{
504 chan->sdu = NULL;
505 chan->sdu_last_frag = NULL;
506 chan->sdu_len = 0;
507 chan->tx_credits = 0;
508 chan->rx_credits = le_max_credits;
509 chan->mps = min_t(u16, chan->imtu, L2CAP_LE_DEFAULT_MPS);
510
511 skb_queue_head_init(&chan->tx_q);
512}
513
514void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
515{
516 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
517 __le16_to_cpu(chan->psm), chan->dcid);
518
519 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
520
521 chan->conn = conn;
522
523 switch (chan->chan_type) {
524 case L2CAP_CHAN_CONN_ORIENTED:
525 if (conn->hcon->type == LE_LINK) {
526 if (chan->dcid == L2CAP_CID_ATT) {
527 chan->omtu = L2CAP_DEFAULT_MTU;
528 chan->scid = L2CAP_CID_ATT;
529 } else {
530 chan->scid = l2cap_alloc_cid(conn);
531 }
532 } else {
533
534 chan->scid = l2cap_alloc_cid(conn);
535 chan->omtu = L2CAP_DEFAULT_MTU;
536 }
537 break;
538
539 case L2CAP_CHAN_CONN_LESS:
540
541 chan->scid = L2CAP_CID_CONN_LESS;
542 chan->dcid = L2CAP_CID_CONN_LESS;
543 chan->omtu = L2CAP_DEFAULT_MTU;
544 break;
545
546 case L2CAP_CHAN_CONN_FIX_A2MP:
547 chan->scid = L2CAP_CID_A2MP;
548 chan->dcid = L2CAP_CID_A2MP;
549 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
550 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
551 break;
552
553 default:
554
555 chan->scid = L2CAP_CID_SIGNALING;
556 chan->dcid = L2CAP_CID_SIGNALING;
557 chan->omtu = L2CAP_DEFAULT_MTU;
558 }
559
560 chan->local_id = L2CAP_BESTEFFORT_ID;
561 chan->local_stype = L2CAP_SERV_BESTEFFORT;
562 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
563 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
564 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
565 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
566
567 l2cap_chan_hold(chan);
568
569 hci_conn_hold(conn->hcon);
570
571 list_add(&chan->list, &conn->chan_l);
572}
573
574void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
575{
576 mutex_lock(&conn->chan_lock);
577 __l2cap_chan_add(conn, chan);
578 mutex_unlock(&conn->chan_lock);
579}
580
581void l2cap_chan_del(struct l2cap_chan *chan, int err)
582{
583 struct l2cap_conn *conn = chan->conn;
584
585 __clear_chan_timer(chan);
586
587 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
588
589 if (conn) {
590 struct amp_mgr *mgr = conn->hcon->amp_mgr;
591
592 list_del(&chan->list);
593
594 l2cap_chan_put(chan);
595
596 chan->conn = NULL;
597
598 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
599 hci_conn_drop(conn->hcon);
600
601 if (mgr && mgr->bredr_chan == chan)
602 mgr->bredr_chan = NULL;
603 }
604
605 if (chan->hs_hchan) {
606 struct hci_chan *hs_hchan = chan->hs_hchan;
607
608 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
609 amp_disconnect_logical_link(hs_hchan);
610 }
611
612 chan->ops->teardown(chan, err);
613
614 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
615 return;
616
617 switch(chan->mode) {
618 case L2CAP_MODE_BASIC:
619 break;
620
621 case L2CAP_MODE_LE_FLOWCTL:
622 skb_queue_purge(&chan->tx_q);
623 break;
624
625 case L2CAP_MODE_ERTM:
626 __clear_retrans_timer(chan);
627 __clear_monitor_timer(chan);
628 __clear_ack_timer(chan);
629
630 skb_queue_purge(&chan->srej_q);
631
632 l2cap_seq_list_free(&chan->srej_list);
633 l2cap_seq_list_free(&chan->retrans_list);
634
635
636
637 case L2CAP_MODE_STREAMING:
638 skb_queue_purge(&chan->tx_q);
639 break;
640 }
641
642 return;
643}
644
645static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
646{
647 struct l2cap_conn *conn = chan->conn;
648 struct l2cap_le_conn_rsp rsp;
649 u16 result;
650
651 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
652 result = L2CAP_CR_AUTHORIZATION;
653 else
654 result = L2CAP_CR_BAD_PSM;
655
656 l2cap_state_change(chan, BT_DISCONN);
657
658 rsp.dcid = cpu_to_le16(chan->scid);
659 rsp.mtu = cpu_to_le16(chan->imtu);
660 rsp.mps = cpu_to_le16(chan->mps);
661 rsp.credits = cpu_to_le16(chan->rx_credits);
662 rsp.result = cpu_to_le16(result);
663
664 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
665 &rsp);
666}
667
668static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
669{
670 struct l2cap_conn *conn = chan->conn;
671 struct l2cap_conn_rsp rsp;
672 u16 result;
673
674 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
675 result = L2CAP_CR_SEC_BLOCK;
676 else
677 result = L2CAP_CR_BAD_PSM;
678
679 l2cap_state_change(chan, BT_DISCONN);
680
681 rsp.scid = cpu_to_le16(chan->dcid);
682 rsp.dcid = cpu_to_le16(chan->scid);
683 rsp.result = cpu_to_le16(result);
684 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
685
686 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
687}
688
689void l2cap_chan_close(struct l2cap_chan *chan, int reason)
690{
691 struct l2cap_conn *conn = chan->conn;
692
693 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
694
695 switch (chan->state) {
696 case BT_LISTEN:
697 chan->ops->teardown(chan, 0);
698 break;
699
700 case BT_CONNECTED:
701 case BT_CONFIG:
702
703
704
705 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && chan->psm) {
706 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
707 l2cap_send_disconn_req(chan, reason);
708 } else
709 l2cap_chan_del(chan, reason);
710 break;
711
712 case BT_CONNECT2:
713 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
714 if (conn->hcon->type == ACL_LINK)
715 l2cap_chan_connect_reject(chan);
716 else if (conn->hcon->type == LE_LINK)
717 l2cap_chan_le_connect_reject(chan);
718 }
719
720 l2cap_chan_del(chan, reason);
721 break;
722
723 case BT_CONNECT:
724 case BT_DISCONN:
725 l2cap_chan_del(chan, reason);
726 break;
727
728 default:
729 chan->ops->teardown(chan, 0);
730 break;
731 }
732}
733
734static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
735{
736 switch (chan->chan_type) {
737 case L2CAP_CHAN_RAW:
738 switch (chan->sec_level) {
739 case BT_SECURITY_HIGH:
740 return HCI_AT_DEDICATED_BONDING_MITM;
741 case BT_SECURITY_MEDIUM:
742 return HCI_AT_DEDICATED_BONDING;
743 default:
744 return HCI_AT_NO_BONDING;
745 }
746 break;
747 case L2CAP_CHAN_CONN_LESS:
748 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
749 if (chan->sec_level == BT_SECURITY_LOW)
750 chan->sec_level = BT_SECURITY_SDP;
751 }
752 if (chan->sec_level == BT_SECURITY_HIGH)
753 return HCI_AT_NO_BONDING_MITM;
754 else
755 return HCI_AT_NO_BONDING;
756 break;
757 case L2CAP_CHAN_CONN_ORIENTED:
758 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
759 if (chan->sec_level == BT_SECURITY_LOW)
760 chan->sec_level = BT_SECURITY_SDP;
761
762 if (chan->sec_level == BT_SECURITY_HIGH)
763 return HCI_AT_NO_BONDING_MITM;
764 else
765 return HCI_AT_NO_BONDING;
766 }
767
768 default:
769 switch (chan->sec_level) {
770 case BT_SECURITY_HIGH:
771 return HCI_AT_GENERAL_BONDING_MITM;
772 case BT_SECURITY_MEDIUM:
773 return HCI_AT_GENERAL_BONDING;
774 default:
775 return HCI_AT_NO_BONDING;
776 }
777 break;
778 }
779}
780
781
782int l2cap_chan_check_security(struct l2cap_chan *chan)
783{
784 struct l2cap_conn *conn = chan->conn;
785 __u8 auth_type;
786
787 if (conn->hcon->type == LE_LINK)
788 return smp_conn_security(conn->hcon, chan->sec_level);
789
790 auth_type = l2cap_get_auth_type(chan);
791
792 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
793}
794
795static u8 l2cap_get_ident(struct l2cap_conn *conn)
796{
797 u8 id;
798
799
800
801
802
803
804
805 spin_lock(&conn->lock);
806
807 if (++conn->tx_ident > 128)
808 conn->tx_ident = 1;
809
810 id = conn->tx_ident;
811
812 spin_unlock(&conn->lock);
813
814 return id;
815}
816
817static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
818 void *data)
819{
820 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
821 u8 flags;
822
823 BT_DBG("code 0x%2.2x", code);
824
825 if (!skb)
826 return;
827
828 if (lmp_no_flush_capable(conn->hcon->hdev))
829 flags = ACL_START_NO_FLUSH;
830 else
831 flags = ACL_START;
832
833 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
834 skb->priority = HCI_PRIO_MAX;
835
836 hci_send_acl(conn->hchan, skb, flags);
837}
838
839static bool __chan_is_moving(struct l2cap_chan *chan)
840{
841 return chan->move_state != L2CAP_MOVE_STABLE &&
842 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
843}
844
845static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
846{
847 struct hci_conn *hcon = chan->conn->hcon;
848 u16 flags;
849
850 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
851 skb->priority);
852
853 if (chan->hs_hcon && !__chan_is_moving(chan)) {
854 if (chan->hs_hchan)
855 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
856 else
857 kfree_skb(skb);
858
859 return;
860 }
861
862 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
863 lmp_no_flush_capable(hcon->hdev))
864 flags = ACL_START_NO_FLUSH;
865 else
866 flags = ACL_START;
867
868 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
869 hci_send_acl(chan->conn->hchan, skb, flags);
870}
871
872static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
873{
874 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
875 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
876
877 if (enh & L2CAP_CTRL_FRAME_TYPE) {
878
879 control->sframe = 1;
880 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
881 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
882
883 control->sar = 0;
884 control->txseq = 0;
885 } else {
886
887 control->sframe = 0;
888 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
889 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
890
891 control->poll = 0;
892 control->super = 0;
893 }
894}
895
896static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
897{
898 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
899 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
900
901 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
902
903 control->sframe = 1;
904 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
905 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
906
907 control->sar = 0;
908 control->txseq = 0;
909 } else {
910
911 control->sframe = 0;
912 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
913 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
914
915 control->poll = 0;
916 control->super = 0;
917 }
918}
919
920static inline void __unpack_control(struct l2cap_chan *chan,
921 struct sk_buff *skb)
922{
923 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
924 __unpack_extended_control(get_unaligned_le32(skb->data),
925 &bt_cb(skb)->control);
926 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
927 } else {
928 __unpack_enhanced_control(get_unaligned_le16(skb->data),
929 &bt_cb(skb)->control);
930 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
931 }
932}
933
934static u32 __pack_extended_control(struct l2cap_ctrl *control)
935{
936 u32 packed;
937
938 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
939 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
940
941 if (control->sframe) {
942 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
943 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
944 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
945 } else {
946 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
947 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
948 }
949
950 return packed;
951}
952
953static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
954{
955 u16 packed;
956
957 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
958 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
959
960 if (control->sframe) {
961 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
962 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
963 packed |= L2CAP_CTRL_FRAME_TYPE;
964 } else {
965 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
966 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
967 }
968
969 return packed;
970}
971
972static inline void __pack_control(struct l2cap_chan *chan,
973 struct l2cap_ctrl *control,
974 struct sk_buff *skb)
975{
976 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
977 put_unaligned_le32(__pack_extended_control(control),
978 skb->data + L2CAP_HDR_SIZE);
979 } else {
980 put_unaligned_le16(__pack_enhanced_control(control),
981 skb->data + L2CAP_HDR_SIZE);
982 }
983}
984
985static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
986{
987 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
988 return L2CAP_EXT_HDR_SIZE;
989 else
990 return L2CAP_ENH_HDR_SIZE;
991}
992
993static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
994 u32 control)
995{
996 struct sk_buff *skb;
997 struct l2cap_hdr *lh;
998 int hlen = __ertm_hdr_size(chan);
999
1000 if (chan->fcs == L2CAP_FCS_CRC16)
1001 hlen += L2CAP_FCS_SIZE;
1002
1003 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1004
1005 if (!skb)
1006 return ERR_PTR(-ENOMEM);
1007
1008 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1009 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1010 lh->cid = cpu_to_le16(chan->dcid);
1011
1012 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1013 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1014 else
1015 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1016
1017 if (chan->fcs == L2CAP_FCS_CRC16) {
1018 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1019 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1020 }
1021
1022 skb->priority = HCI_PRIO_MAX;
1023 return skb;
1024}
1025
1026static void l2cap_send_sframe(struct l2cap_chan *chan,
1027 struct l2cap_ctrl *control)
1028{
1029 struct sk_buff *skb;
1030 u32 control_field;
1031
1032 BT_DBG("chan %p, control %p", chan, control);
1033
1034 if (!control->sframe)
1035 return;
1036
1037 if (__chan_is_moving(chan))
1038 return;
1039
1040 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1041 !control->poll)
1042 control->final = 1;
1043
1044 if (control->super == L2CAP_SUPER_RR)
1045 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1046 else if (control->super == L2CAP_SUPER_RNR)
1047 set_bit(CONN_RNR_SENT, &chan->conn_state);
1048
1049 if (control->super != L2CAP_SUPER_SREJ) {
1050 chan->last_acked_seq = control->reqseq;
1051 __clear_ack_timer(chan);
1052 }
1053
1054 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1055 control->final, control->poll, control->super);
1056
1057 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1058 control_field = __pack_extended_control(control);
1059 else
1060 control_field = __pack_enhanced_control(control);
1061
1062 skb = l2cap_create_sframe_pdu(chan, control_field);
1063 if (!IS_ERR(skb))
1064 l2cap_do_send(chan, skb);
1065}
1066
1067static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1068{
1069 struct l2cap_ctrl control;
1070
1071 BT_DBG("chan %p, poll %d", chan, poll);
1072
1073 memset(&control, 0, sizeof(control));
1074 control.sframe = 1;
1075 control.poll = poll;
1076
1077 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1078 control.super = L2CAP_SUPER_RNR;
1079 else
1080 control.super = L2CAP_SUPER_RR;
1081
1082 control.reqseq = chan->buffer_seq;
1083 l2cap_send_sframe(chan, &control);
1084}
1085
1086static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1087{
1088 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1089}
1090
1091static bool __amp_capable(struct l2cap_chan *chan)
1092{
1093 struct l2cap_conn *conn = chan->conn;
1094 struct hci_dev *hdev;
1095 bool amp_available = false;
1096
1097 if (!conn->hs_enabled)
1098 return false;
1099
1100 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1101 return false;
1102
1103 read_lock(&hci_dev_list_lock);
1104 list_for_each_entry(hdev, &hci_dev_list, list) {
1105 if (hdev->amp_type != AMP_TYPE_BREDR &&
1106 test_bit(HCI_UP, &hdev->flags)) {
1107 amp_available = true;
1108 break;
1109 }
1110 }
1111 read_unlock(&hci_dev_list_lock);
1112
1113 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1114 return amp_available;
1115
1116 return false;
1117}
1118
1119static bool l2cap_check_efs(struct l2cap_chan *chan)
1120{
1121
1122 return true;
1123}
1124
1125void l2cap_send_conn_req(struct l2cap_chan *chan)
1126{
1127 struct l2cap_conn *conn = chan->conn;
1128 struct l2cap_conn_req req;
1129
1130 req.scid = cpu_to_le16(chan->scid);
1131 req.psm = chan->psm;
1132
1133 chan->ident = l2cap_get_ident(conn);
1134
1135 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1136
1137 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1138}
1139
1140static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1141{
1142 struct l2cap_create_chan_req req;
1143 req.scid = cpu_to_le16(chan->scid);
1144 req.psm = chan->psm;
1145 req.amp_id = amp_id;
1146
1147 chan->ident = l2cap_get_ident(chan->conn);
1148
1149 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1150 sizeof(req), &req);
1151}
1152
1153static void l2cap_move_setup(struct l2cap_chan *chan)
1154{
1155 struct sk_buff *skb;
1156
1157 BT_DBG("chan %p", chan);
1158
1159 if (chan->mode != L2CAP_MODE_ERTM)
1160 return;
1161
1162 __clear_retrans_timer(chan);
1163 __clear_monitor_timer(chan);
1164 __clear_ack_timer(chan);
1165
1166 chan->retry_count = 0;
1167 skb_queue_walk(&chan->tx_q, skb) {
1168 if (bt_cb(skb)->control.retries)
1169 bt_cb(skb)->control.retries = 1;
1170 else
1171 break;
1172 }
1173
1174 chan->expected_tx_seq = chan->buffer_seq;
1175
1176 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1177 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1178 l2cap_seq_list_clear(&chan->retrans_list);
1179 l2cap_seq_list_clear(&chan->srej_list);
1180 skb_queue_purge(&chan->srej_q);
1181
1182 chan->tx_state = L2CAP_TX_STATE_XMIT;
1183 chan->rx_state = L2CAP_RX_STATE_MOVE;
1184
1185 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1186}
1187
1188static void l2cap_move_done(struct l2cap_chan *chan)
1189{
1190 u8 move_role = chan->move_role;
1191 BT_DBG("chan %p", chan);
1192
1193 chan->move_state = L2CAP_MOVE_STABLE;
1194 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1195
1196 if (chan->mode != L2CAP_MODE_ERTM)
1197 return;
1198
1199 switch (move_role) {
1200 case L2CAP_MOVE_ROLE_INITIATOR:
1201 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1202 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1203 break;
1204 case L2CAP_MOVE_ROLE_RESPONDER:
1205 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1206 break;
1207 }
1208}
1209
1210static void l2cap_chan_ready(struct l2cap_chan *chan)
1211{
1212
1213 chan->conf_state = 0;
1214 __clear_chan_timer(chan);
1215
1216 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1217 chan->ops->suspend(chan);
1218
1219 chan->state = BT_CONNECTED;
1220
1221 chan->ops->ready(chan);
1222}
1223
1224static void l2cap_le_connect(struct l2cap_chan *chan)
1225{
1226 struct l2cap_conn *conn = chan->conn;
1227 struct l2cap_le_conn_req req;
1228
1229 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1230 return;
1231
1232 req.psm = chan->psm;
1233 req.scid = cpu_to_le16(chan->scid);
1234 req.mtu = cpu_to_le16(chan->imtu);
1235 req.mps = cpu_to_le16(chan->mps);
1236 req.credits = cpu_to_le16(chan->rx_credits);
1237
1238 chan->ident = l2cap_get_ident(conn);
1239
1240 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1241 sizeof(req), &req);
1242}
1243
1244static void l2cap_le_start(struct l2cap_chan *chan)
1245{
1246 struct l2cap_conn *conn = chan->conn;
1247
1248 if (!smp_conn_security(conn->hcon, chan->sec_level))
1249 return;
1250
1251 if (!chan->psm) {
1252 l2cap_chan_ready(chan);
1253 return;
1254 }
1255
1256 if (chan->state == BT_CONNECT)
1257 l2cap_le_connect(chan);
1258}
1259
1260static void l2cap_start_connection(struct l2cap_chan *chan)
1261{
1262 if (__amp_capable(chan)) {
1263 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1264 a2mp_discover_amp(chan);
1265 } else if (chan->conn->hcon->type == LE_LINK) {
1266 l2cap_le_start(chan);
1267 } else {
1268 l2cap_send_conn_req(chan);
1269 }
1270}
1271
1272static void l2cap_do_start(struct l2cap_chan *chan)
1273{
1274 struct l2cap_conn *conn = chan->conn;
1275
1276 if (conn->hcon->type == LE_LINK) {
1277 l2cap_le_start(chan);
1278 return;
1279 }
1280
1281 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
1282 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1283 return;
1284
1285 if (l2cap_chan_check_security(chan) &&
1286 __l2cap_no_conn_pending(chan)) {
1287 l2cap_start_connection(chan);
1288 }
1289 } else {
1290 struct l2cap_info_req req;
1291 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
1292
1293 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1294 conn->info_ident = l2cap_get_ident(conn);
1295
1296 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1297
1298 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1299 sizeof(req), &req);
1300 }
1301}
1302
1303static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1304{
1305 u32 local_feat_mask = l2cap_feat_mask;
1306 if (!disable_ertm)
1307 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1308
1309 switch (mode) {
1310 case L2CAP_MODE_ERTM:
1311 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1312 case L2CAP_MODE_STREAMING:
1313 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1314 default:
1315 return 0x00;
1316 }
1317}
1318
1319static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1320{
1321 struct l2cap_conn *conn = chan->conn;
1322 struct l2cap_disconn_req req;
1323
1324 if (!conn)
1325 return;
1326
1327 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1328 __clear_retrans_timer(chan);
1329 __clear_monitor_timer(chan);
1330 __clear_ack_timer(chan);
1331 }
1332
1333 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1334 l2cap_state_change(chan, BT_DISCONN);
1335 return;
1336 }
1337
1338 req.dcid = cpu_to_le16(chan->dcid);
1339 req.scid = cpu_to_le16(chan->scid);
1340 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1341 sizeof(req), &req);
1342
1343 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1344}
1345
1346
1347static void l2cap_conn_start(struct l2cap_conn *conn)
1348{
1349 struct l2cap_chan *chan, *tmp;
1350
1351 BT_DBG("conn %p", conn);
1352
1353 mutex_lock(&conn->chan_lock);
1354
1355 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1356 l2cap_chan_lock(chan);
1357
1358 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1359 l2cap_chan_unlock(chan);
1360 continue;
1361 }
1362
1363 if (chan->state == BT_CONNECT) {
1364 if (!l2cap_chan_check_security(chan) ||
1365 !__l2cap_no_conn_pending(chan)) {
1366 l2cap_chan_unlock(chan);
1367 continue;
1368 }
1369
1370 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1371 && test_bit(CONF_STATE2_DEVICE,
1372 &chan->conf_state)) {
1373 l2cap_chan_close(chan, ECONNRESET);
1374 l2cap_chan_unlock(chan);
1375 continue;
1376 }
1377
1378 l2cap_start_connection(chan);
1379
1380 } else if (chan->state == BT_CONNECT2) {
1381 struct l2cap_conn_rsp rsp;
1382 char buf[128];
1383 rsp.scid = cpu_to_le16(chan->dcid);
1384 rsp.dcid = cpu_to_le16(chan->scid);
1385
1386 if (l2cap_chan_check_security(chan)) {
1387 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1388 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1389 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1390 chan->ops->defer(chan);
1391
1392 } else {
1393 l2cap_state_change(chan, BT_CONFIG);
1394 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1395 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
1396 }
1397 } else {
1398 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1399 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1400 }
1401
1402 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1403 sizeof(rsp), &rsp);
1404
1405 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1406 rsp.result != L2CAP_CR_SUCCESS) {
1407 l2cap_chan_unlock(chan);
1408 continue;
1409 }
1410
1411 set_bit(CONF_REQ_SENT, &chan->conf_state);
1412 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1413 l2cap_build_conf_req(chan, buf), buf);
1414 chan->num_conf_req++;
1415 }
1416
1417 l2cap_chan_unlock(chan);
1418 }
1419
1420 mutex_unlock(&conn->chan_lock);
1421}
1422
1423
1424
1425
1426static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1427 bdaddr_t *src,
1428 bdaddr_t *dst)
1429{
1430 struct l2cap_chan *c, *c1 = NULL;
1431
1432 read_lock(&chan_list_lock);
1433
1434 list_for_each_entry(c, &chan_list, global_l) {
1435 if (state && c->state != state)
1436 continue;
1437
1438 if (c->scid == cid) {
1439 int src_match, dst_match;
1440 int src_any, dst_any;
1441
1442
1443 src_match = !bacmp(&c->src, src);
1444 dst_match = !bacmp(&c->dst, dst);
1445 if (src_match && dst_match) {
1446 read_unlock(&chan_list_lock);
1447 return c;
1448 }
1449
1450
1451 src_any = !bacmp(&c->src, BDADDR_ANY);
1452 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1453 if ((src_match && dst_any) || (src_any && dst_match) ||
1454 (src_any && dst_any))
1455 c1 = c;
1456 }
1457 }
1458
1459 read_unlock(&chan_list_lock);
1460
1461 return c1;
1462}
1463
1464static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1465{
1466 struct hci_conn *hcon = conn->hcon;
1467 struct l2cap_chan *chan, *pchan;
1468 u8 dst_type;
1469
1470 BT_DBG("");
1471
1472 bt_6lowpan_add_conn(conn);
1473
1474
1475 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
1476 &hcon->src, &hcon->dst);
1477 if (!pchan)
1478 return;
1479
1480
1481 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1482 return;
1483
1484 dst_type = bdaddr_type(hcon, hcon->dst_type);
1485
1486
1487 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1488 return;
1489
1490 l2cap_chan_lock(pchan);
1491
1492 chan = pchan->ops->new_connection(pchan);
1493 if (!chan)
1494 goto clean;
1495
1496 chan->dcid = L2CAP_CID_ATT;
1497
1498 bacpy(&chan->src, &hcon->src);
1499 bacpy(&chan->dst, &hcon->dst);
1500 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1501 chan->dst_type = dst_type;
1502
1503 __l2cap_chan_add(conn, chan);
1504
1505clean:
1506 l2cap_chan_unlock(pchan);
1507}
1508
1509static void l2cap_conn_ready(struct l2cap_conn *conn)
1510{
1511 struct l2cap_chan *chan;
1512 struct hci_conn *hcon = conn->hcon;
1513
1514 BT_DBG("conn %p", conn);
1515
1516
1517
1518
1519 if (hcon->out && hcon->type == LE_LINK)
1520 smp_conn_security(hcon, hcon->pending_sec_level);
1521
1522 mutex_lock(&conn->chan_lock);
1523
1524 if (hcon->type == LE_LINK)
1525 l2cap_le_conn_ready(conn);
1526
1527 list_for_each_entry(chan, &conn->chan_l, list) {
1528
1529 l2cap_chan_lock(chan);
1530
1531 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1532 l2cap_chan_unlock(chan);
1533 continue;
1534 }
1535
1536 if (hcon->type == LE_LINK) {
1537 l2cap_le_start(chan);
1538 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1539 l2cap_chan_ready(chan);
1540
1541 } else if (chan->state == BT_CONNECT) {
1542 l2cap_do_start(chan);
1543 }
1544
1545 l2cap_chan_unlock(chan);
1546 }
1547
1548 mutex_unlock(&conn->chan_lock);
1549}
1550
1551
1552static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1553{
1554 struct l2cap_chan *chan;
1555
1556 BT_DBG("conn %p", conn);
1557
1558 mutex_lock(&conn->chan_lock);
1559
1560 list_for_each_entry(chan, &conn->chan_l, list) {
1561 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1562 l2cap_chan_set_err(chan, err);
1563 }
1564
1565 mutex_unlock(&conn->chan_lock);
1566}
1567
1568static void l2cap_info_timeout(struct work_struct *work)
1569{
1570 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1571 info_timer.work);
1572
1573 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1574 conn->info_ident = 0;
1575
1576 l2cap_conn_start(conn);
1577}
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1593{
1594 struct hci_dev *hdev = conn->hcon->hdev;
1595 int ret;
1596
1597
1598
1599
1600
1601
1602
1603
1604 hci_dev_lock(hdev);
1605
1606 if (user->list.next || user->list.prev) {
1607 ret = -EINVAL;
1608 goto out_unlock;
1609 }
1610
1611
1612 if (!conn->hchan) {
1613 ret = -ENODEV;
1614 goto out_unlock;
1615 }
1616
1617 ret = user->probe(conn, user);
1618 if (ret)
1619 goto out_unlock;
1620
1621 list_add(&user->list, &conn->users);
1622 ret = 0;
1623
1624out_unlock:
1625 hci_dev_unlock(hdev);
1626 return ret;
1627}
1628EXPORT_SYMBOL(l2cap_register_user);
1629
1630void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1631{
1632 struct hci_dev *hdev = conn->hcon->hdev;
1633
1634 hci_dev_lock(hdev);
1635
1636 if (!user->list.next || !user->list.prev)
1637 goto out_unlock;
1638
1639 list_del(&user->list);
1640 user->list.next = NULL;
1641 user->list.prev = NULL;
1642 user->remove(conn, user);
1643
1644out_unlock:
1645 hci_dev_unlock(hdev);
1646}
1647EXPORT_SYMBOL(l2cap_unregister_user);
1648
1649static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1650{
1651 struct l2cap_user *user;
1652
1653 while (!list_empty(&conn->users)) {
1654 user = list_first_entry(&conn->users, struct l2cap_user, list);
1655 list_del(&user->list);
1656 user->list.next = NULL;
1657 user->list.prev = NULL;
1658 user->remove(conn, user);
1659 }
1660}
1661
1662static void l2cap_conn_del(struct hci_conn *hcon, int err)
1663{
1664 struct l2cap_conn *conn = hcon->l2cap_data;
1665 struct l2cap_chan *chan, *l;
1666
1667 if (!conn)
1668 return;
1669
1670 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1671
1672 kfree_skb(conn->rx_skb);
1673
1674 l2cap_unregister_all_users(conn);
1675
1676 mutex_lock(&conn->chan_lock);
1677
1678
1679 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1680 l2cap_chan_hold(chan);
1681 l2cap_chan_lock(chan);
1682
1683 l2cap_chan_del(chan, err);
1684
1685 l2cap_chan_unlock(chan);
1686
1687 chan->ops->close(chan);
1688 l2cap_chan_put(chan);
1689 }
1690
1691 mutex_unlock(&conn->chan_lock);
1692
1693 hci_chan_del(conn->hchan);
1694
1695 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1696 cancel_delayed_work_sync(&conn->info_timer);
1697
1698 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1699 cancel_delayed_work_sync(&conn->security_timer);
1700 smp_chan_destroy(conn);
1701 }
1702
1703 hcon->l2cap_data = NULL;
1704 conn->hchan = NULL;
1705 l2cap_conn_put(conn);
1706}
1707
1708static void security_timeout(struct work_struct *work)
1709{
1710 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1711 security_timer.work);
1712
1713 BT_DBG("conn %p", conn);
1714
1715 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1716 smp_chan_destroy(conn);
1717 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1718 }
1719}
1720
1721static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1722{
1723 struct l2cap_conn *conn = hcon->l2cap_data;
1724 struct hci_chan *hchan;
1725
1726 if (conn)
1727 return conn;
1728
1729 hchan = hci_chan_create(hcon);
1730 if (!hchan)
1731 return NULL;
1732
1733 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
1734 if (!conn) {
1735 hci_chan_del(hchan);
1736 return NULL;
1737 }
1738
1739 kref_init(&conn->ref);
1740 hcon->l2cap_data = conn;
1741 conn->hcon = hcon;
1742 hci_conn_get(conn->hcon);
1743 conn->hchan = hchan;
1744
1745 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1746
1747 switch (hcon->type) {
1748 case LE_LINK:
1749 if (hcon->hdev->le_mtu) {
1750 conn->mtu = hcon->hdev->le_mtu;
1751 break;
1752 }
1753
1754 default:
1755 conn->mtu = hcon->hdev->acl_mtu;
1756 break;
1757 }
1758
1759 conn->feat_mask = 0;
1760
1761 if (hcon->type == ACL_LINK)
1762 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1763 &hcon->hdev->dev_flags);
1764
1765 spin_lock_init(&conn->lock);
1766 mutex_init(&conn->chan_lock);
1767
1768 INIT_LIST_HEAD(&conn->chan_l);
1769 INIT_LIST_HEAD(&conn->users);
1770
1771 if (hcon->type == LE_LINK)
1772 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1773 else
1774 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1775
1776 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1777
1778 return conn;
1779}
1780
1781static void l2cap_conn_free(struct kref *ref)
1782{
1783 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1784
1785 hci_conn_put(conn->hcon);
1786 kfree(conn);
1787}
1788
1789void l2cap_conn_get(struct l2cap_conn *conn)
1790{
1791 kref_get(&conn->ref);
1792}
1793EXPORT_SYMBOL(l2cap_conn_get);
1794
1795void l2cap_conn_put(struct l2cap_conn *conn)
1796{
1797 kref_put(&conn->ref, l2cap_conn_free);
1798}
1799EXPORT_SYMBOL(l2cap_conn_put);
1800
1801
1802
1803
1804
1805
1806static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1807 bdaddr_t *src,
1808 bdaddr_t *dst,
1809 u8 link_type)
1810{
1811 struct l2cap_chan *c, *c1 = NULL;
1812
1813 read_lock(&chan_list_lock);
1814
1815 list_for_each_entry(c, &chan_list, global_l) {
1816 if (state && c->state != state)
1817 continue;
1818
1819 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1820 continue;
1821
1822 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1823 continue;
1824
1825 if (c->psm == psm) {
1826 int src_match, dst_match;
1827 int src_any, dst_any;
1828
1829
1830 src_match = !bacmp(&c->src, src);
1831 dst_match = !bacmp(&c->dst, dst);
1832 if (src_match && dst_match) {
1833 read_unlock(&chan_list_lock);
1834 return c;
1835 }
1836
1837
1838 src_any = !bacmp(&c->src, BDADDR_ANY);
1839 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1840 if ((src_match && dst_any) || (src_any && dst_match) ||
1841 (src_any && dst_any))
1842 c1 = c;
1843 }
1844 }
1845
1846 read_unlock(&chan_list_lock);
1847
1848 return c1;
1849}
1850
1851static bool is_valid_psm(u16 psm, u8 dst_type)
1852{
1853 if (!psm)
1854 return false;
1855
1856 if (bdaddr_type_is_le(dst_type))
1857 return (psm <= 0x00ff);
1858
1859
1860 return ((psm & 0x0101) == 0x0001);
1861}
1862
1863int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1864 bdaddr_t *dst, u8 dst_type)
1865{
1866 struct l2cap_conn *conn;
1867 struct hci_conn *hcon;
1868 struct hci_dev *hdev;
1869 __u8 auth_type;
1870 int err;
1871
1872 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
1873 dst_type, __le16_to_cpu(psm));
1874
1875 hdev = hci_get_route(dst, &chan->src);
1876 if (!hdev)
1877 return -EHOSTUNREACH;
1878
1879 hci_dev_lock(hdev);
1880
1881 l2cap_chan_lock(chan);
1882
1883 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
1884 chan->chan_type != L2CAP_CHAN_RAW) {
1885 err = -EINVAL;
1886 goto done;
1887 }
1888
1889 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1890 err = -EINVAL;
1891 goto done;
1892 }
1893
1894 switch (chan->mode) {
1895 case L2CAP_MODE_BASIC:
1896 break;
1897 case L2CAP_MODE_LE_FLOWCTL:
1898 l2cap_le_flowctl_init(chan);
1899 break;
1900 case L2CAP_MODE_ERTM:
1901 case L2CAP_MODE_STREAMING:
1902 if (!disable_ertm)
1903 break;
1904
1905 default:
1906 err = -ENOTSUPP;
1907 goto done;
1908 }
1909
1910 switch (chan->state) {
1911 case BT_CONNECT:
1912 case BT_CONNECT2:
1913 case BT_CONFIG:
1914
1915 err = 0;
1916 goto done;
1917
1918 case BT_CONNECTED:
1919
1920 err = -EISCONN;
1921 goto done;
1922
1923 case BT_OPEN:
1924 case BT_BOUND:
1925
1926 break;
1927
1928 default:
1929 err = -EBADFD;
1930 goto done;
1931 }
1932
1933
1934 bacpy(&chan->dst, dst);
1935 chan->dst_type = dst_type;
1936
1937 chan->psm = psm;
1938 chan->dcid = cid;
1939
1940 auth_type = l2cap_get_auth_type(chan);
1941
1942 if (bdaddr_type_is_le(dst_type))
1943 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
1944 chan->sec_level, auth_type);
1945 else
1946 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
1947 chan->sec_level, auth_type);
1948
1949 if (IS_ERR(hcon)) {
1950 err = PTR_ERR(hcon);
1951 goto done;
1952 }
1953
1954 conn = l2cap_conn_add(hcon);
1955 if (!conn) {
1956 hci_conn_drop(hcon);
1957 err = -ENOMEM;
1958 goto done;
1959 }
1960
1961 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1962 hci_conn_drop(hcon);
1963 err = -EBUSY;
1964 goto done;
1965 }
1966
1967
1968 bacpy(&chan->src, &hcon->src);
1969 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1970
1971 l2cap_chan_unlock(chan);
1972 l2cap_chan_add(conn, chan);
1973 l2cap_chan_lock(chan);
1974
1975
1976 hci_conn_drop(hcon);
1977
1978 l2cap_state_change(chan, BT_CONNECT);
1979 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1980
1981 if (hcon->state == BT_CONNECTED) {
1982 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1983 __clear_chan_timer(chan);
1984 if (l2cap_chan_check_security(chan))
1985 l2cap_state_change(chan, BT_CONNECTED);
1986 } else
1987 l2cap_do_start(chan);
1988 }
1989
1990 err = 0;
1991
1992done:
1993 l2cap_chan_unlock(chan);
1994 hci_dev_unlock(hdev);
1995 hci_dev_put(hdev);
1996 return err;
1997}
1998
1999static void l2cap_monitor_timeout(struct work_struct *work)
2000{
2001 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2002 monitor_timer.work);
2003
2004 BT_DBG("chan %p", chan);
2005
2006 l2cap_chan_lock(chan);
2007
2008 if (!chan->conn) {
2009 l2cap_chan_unlock(chan);
2010 l2cap_chan_put(chan);
2011 return;
2012 }
2013
2014 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2015
2016 l2cap_chan_unlock(chan);
2017 l2cap_chan_put(chan);
2018}
2019
2020static void l2cap_retrans_timeout(struct work_struct *work)
2021{
2022 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2023 retrans_timer.work);
2024
2025 BT_DBG("chan %p", chan);
2026
2027 l2cap_chan_lock(chan);
2028
2029 if (!chan->conn) {
2030 l2cap_chan_unlock(chan);
2031 l2cap_chan_put(chan);
2032 return;
2033 }
2034
2035 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2036 l2cap_chan_unlock(chan);
2037 l2cap_chan_put(chan);
2038}
2039
2040static void l2cap_streaming_send(struct l2cap_chan *chan,
2041 struct sk_buff_head *skbs)
2042{
2043 struct sk_buff *skb;
2044 struct l2cap_ctrl *control;
2045
2046 BT_DBG("chan %p, skbs %p", chan, skbs);
2047
2048 if (__chan_is_moving(chan))
2049 return;
2050
2051 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2052
2053 while (!skb_queue_empty(&chan->tx_q)) {
2054
2055 skb = skb_dequeue(&chan->tx_q);
2056
2057 bt_cb(skb)->control.retries = 1;
2058 control = &bt_cb(skb)->control;
2059
2060 control->reqseq = 0;
2061 control->txseq = chan->next_tx_seq;
2062
2063 __pack_control(chan, control, skb);
2064
2065 if (chan->fcs == L2CAP_FCS_CRC16) {
2066 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2067 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2068 }
2069
2070 l2cap_do_send(chan, skb);
2071
2072 BT_DBG("Sent txseq %u", control->txseq);
2073
2074 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2075 chan->frames_sent++;
2076 }
2077}
2078
2079static int l2cap_ertm_send(struct l2cap_chan *chan)
2080{
2081 struct sk_buff *skb, *tx_skb;
2082 struct l2cap_ctrl *control;
2083 int sent = 0;
2084
2085 BT_DBG("chan %p", chan);
2086
2087 if (chan->state != BT_CONNECTED)
2088 return -ENOTCONN;
2089
2090 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2091 return 0;
2092
2093 if (__chan_is_moving(chan))
2094 return 0;
2095
2096 while (chan->tx_send_head &&
2097 chan->unacked_frames < chan->remote_tx_win &&
2098 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2099
2100 skb = chan->tx_send_head;
2101
2102 bt_cb(skb)->control.retries = 1;
2103 control = &bt_cb(skb)->control;
2104
2105 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2106 control->final = 1;
2107
2108 control->reqseq = chan->buffer_seq;
2109 chan->last_acked_seq = chan->buffer_seq;
2110 control->txseq = chan->next_tx_seq;
2111
2112 __pack_control(chan, control, skb);
2113
2114 if (chan->fcs == L2CAP_FCS_CRC16) {
2115 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2116 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2117 }
2118
2119
2120
2121
2122 tx_skb = skb_clone(skb, GFP_KERNEL);
2123
2124 if (!tx_skb)
2125 break;
2126
2127 __set_retrans_timer(chan);
2128
2129 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2130 chan->unacked_frames++;
2131 chan->frames_sent++;
2132 sent++;
2133
2134 if (skb_queue_is_last(&chan->tx_q, skb))
2135 chan->tx_send_head = NULL;
2136 else
2137 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2138
2139 l2cap_do_send(chan, tx_skb);
2140 BT_DBG("Sent txseq %u", control->txseq);
2141 }
2142
2143 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2144 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2145
2146 return sent;
2147}
2148
2149static void l2cap_ertm_resend(struct l2cap_chan *chan)
2150{
2151 struct l2cap_ctrl control;
2152 struct sk_buff *skb;
2153 struct sk_buff *tx_skb;
2154 u16 seq;
2155
2156 BT_DBG("chan %p", chan);
2157
2158 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2159 return;
2160
2161 if (__chan_is_moving(chan))
2162 return;
2163
2164 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2165 seq = l2cap_seq_list_pop(&chan->retrans_list);
2166
2167 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2168 if (!skb) {
2169 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2170 seq);
2171 continue;
2172 }
2173
2174 bt_cb(skb)->control.retries++;
2175 control = bt_cb(skb)->control;
2176
2177 if (chan->max_tx != 0 &&
2178 bt_cb(skb)->control.retries > chan->max_tx) {
2179 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2180 l2cap_send_disconn_req(chan, ECONNRESET);
2181 l2cap_seq_list_clear(&chan->retrans_list);
2182 break;
2183 }
2184
2185 control.reqseq = chan->buffer_seq;
2186 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2187 control.final = 1;
2188 else
2189 control.final = 0;
2190
2191 if (skb_cloned(skb)) {
2192
2193
2194
2195 tx_skb = skb_copy(skb, GFP_KERNEL);
2196 } else {
2197 tx_skb = skb_clone(skb, GFP_KERNEL);
2198 }
2199
2200 if (!tx_skb) {
2201 l2cap_seq_list_clear(&chan->retrans_list);
2202 break;
2203 }
2204
2205
2206 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2207 put_unaligned_le32(__pack_extended_control(&control),
2208 tx_skb->data + L2CAP_HDR_SIZE);
2209 } else {
2210 put_unaligned_le16(__pack_enhanced_control(&control),
2211 tx_skb->data + L2CAP_HDR_SIZE);
2212 }
2213
2214 if (chan->fcs == L2CAP_FCS_CRC16) {
2215 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2216 put_unaligned_le16(fcs, skb_put(tx_skb,
2217 L2CAP_FCS_SIZE));
2218 }
2219
2220 l2cap_do_send(chan, tx_skb);
2221
2222 BT_DBG("Resent txseq %d", control.txseq);
2223
2224 chan->last_acked_seq = chan->buffer_seq;
2225 }
2226}
2227
2228static void l2cap_retransmit(struct l2cap_chan *chan,
2229 struct l2cap_ctrl *control)
2230{
2231 BT_DBG("chan %p, control %p", chan, control);
2232
2233 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2234 l2cap_ertm_resend(chan);
2235}
2236
2237static void l2cap_retransmit_all(struct l2cap_chan *chan,
2238 struct l2cap_ctrl *control)
2239{
2240 struct sk_buff *skb;
2241
2242 BT_DBG("chan %p, control %p", chan, control);
2243
2244 if (control->poll)
2245 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2246
2247 l2cap_seq_list_clear(&chan->retrans_list);
2248
2249 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2250 return;
2251
2252 if (chan->unacked_frames) {
2253 skb_queue_walk(&chan->tx_q, skb) {
2254 if (bt_cb(skb)->control.txseq == control->reqseq ||
2255 skb == chan->tx_send_head)
2256 break;
2257 }
2258
2259 skb_queue_walk_from(&chan->tx_q, skb) {
2260 if (skb == chan->tx_send_head)
2261 break;
2262
2263 l2cap_seq_list_append(&chan->retrans_list,
2264 bt_cb(skb)->control.txseq);
2265 }
2266
2267 l2cap_ertm_resend(chan);
2268 }
2269}
2270
2271static void l2cap_send_ack(struct l2cap_chan *chan)
2272{
2273 struct l2cap_ctrl control;
2274 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2275 chan->last_acked_seq);
2276 int threshold;
2277
2278 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2279 chan, chan->last_acked_seq, chan->buffer_seq);
2280
2281 memset(&control, 0, sizeof(control));
2282 control.sframe = 1;
2283
2284 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2285 chan->rx_state == L2CAP_RX_STATE_RECV) {
2286 __clear_ack_timer(chan);
2287 control.super = L2CAP_SUPER_RNR;
2288 control.reqseq = chan->buffer_seq;
2289 l2cap_send_sframe(chan, &control);
2290 } else {
2291 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2292 l2cap_ertm_send(chan);
2293
2294 if (chan->buffer_seq == chan->last_acked_seq)
2295 frames_to_ack = 0;
2296 }
2297
2298
2299
2300
2301 threshold = chan->ack_win;
2302 threshold += threshold << 1;
2303 threshold >>= 2;
2304
2305 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2306 threshold);
2307
2308 if (frames_to_ack >= threshold) {
2309 __clear_ack_timer(chan);
2310 control.super = L2CAP_SUPER_RR;
2311 control.reqseq = chan->buffer_seq;
2312 l2cap_send_sframe(chan, &control);
2313 frames_to_ack = 0;
2314 }
2315
2316 if (frames_to_ack)
2317 __set_ack_timer(chan);
2318 }
2319}
2320
2321static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2322 struct msghdr *msg, int len,
2323 int count, struct sk_buff *skb)
2324{
2325 struct l2cap_conn *conn = chan->conn;
2326 struct sk_buff **frag;
2327 int sent = 0;
2328
2329 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
2330 return -EFAULT;
2331
2332 sent += count;
2333 len -= count;
2334
2335
2336 frag = &skb_shinfo(skb)->frag_list;
2337 while (len) {
2338 struct sk_buff *tmp;
2339
2340 count = min_t(unsigned int, conn->mtu, len);
2341
2342 tmp = chan->ops->alloc_skb(chan, count,
2343 msg->msg_flags & MSG_DONTWAIT);
2344 if (IS_ERR(tmp))
2345 return PTR_ERR(tmp);
2346
2347 *frag = tmp;
2348
2349 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2350 return -EFAULT;
2351
2352 (*frag)->priority = skb->priority;
2353
2354 sent += count;
2355 len -= count;
2356
2357 skb->len += (*frag)->len;
2358 skb->data_len += (*frag)->len;
2359
2360 frag = &(*frag)->next;
2361 }
2362
2363 return sent;
2364}
2365
2366static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2367 struct msghdr *msg, size_t len,
2368 u32 priority)
2369{
2370 struct l2cap_conn *conn = chan->conn;
2371 struct sk_buff *skb;
2372 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2373 struct l2cap_hdr *lh;
2374
2375 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2376 __le16_to_cpu(chan->psm), len, priority);
2377
2378 count = min_t(unsigned int, (conn->mtu - hlen), len);
2379
2380 skb = chan->ops->alloc_skb(chan, count + hlen,
2381 msg->msg_flags & MSG_DONTWAIT);
2382 if (IS_ERR(skb))
2383 return skb;
2384
2385 skb->priority = priority;
2386
2387
2388 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2389 lh->cid = cpu_to_le16(chan->dcid);
2390 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2391 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2392
2393 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2394 if (unlikely(err < 0)) {
2395 kfree_skb(skb);
2396 return ERR_PTR(err);
2397 }
2398 return skb;
2399}
2400
2401static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2402 struct msghdr *msg, size_t len,
2403 u32 priority)
2404{
2405 struct l2cap_conn *conn = chan->conn;
2406 struct sk_buff *skb;
2407 int err, count;
2408 struct l2cap_hdr *lh;
2409
2410 BT_DBG("chan %p len %zu", chan, len);
2411
2412 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2413
2414 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
2415 msg->msg_flags & MSG_DONTWAIT);
2416 if (IS_ERR(skb))
2417 return skb;
2418
2419 skb->priority = priority;
2420
2421
2422 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2423 lh->cid = cpu_to_le16(chan->dcid);
2424 lh->len = cpu_to_le16(len);
2425
2426 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2427 if (unlikely(err < 0)) {
2428 kfree_skb(skb);
2429 return ERR_PTR(err);
2430 }
2431 return skb;
2432}
2433
2434static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2435 struct msghdr *msg, size_t len,
2436 u16 sdulen)
2437{
2438 struct l2cap_conn *conn = chan->conn;
2439 struct sk_buff *skb;
2440 int err, count, hlen;
2441 struct l2cap_hdr *lh;
2442
2443 BT_DBG("chan %p len %zu", chan, len);
2444
2445 if (!conn)
2446 return ERR_PTR(-ENOTCONN);
2447
2448 hlen = __ertm_hdr_size(chan);
2449
2450 if (sdulen)
2451 hlen += L2CAP_SDULEN_SIZE;
2452
2453 if (chan->fcs == L2CAP_FCS_CRC16)
2454 hlen += L2CAP_FCS_SIZE;
2455
2456 count = min_t(unsigned int, (conn->mtu - hlen), len);
2457
2458 skb = chan->ops->alloc_skb(chan, count + hlen,
2459 msg->msg_flags & MSG_DONTWAIT);
2460 if (IS_ERR(skb))
2461 return skb;
2462
2463
2464 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2465 lh->cid = cpu_to_le16(chan->dcid);
2466 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2467
2468
2469 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2470 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2471 else
2472 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2473
2474 if (sdulen)
2475 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2476
2477 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2478 if (unlikely(err < 0)) {
2479 kfree_skb(skb);
2480 return ERR_PTR(err);
2481 }
2482
2483 bt_cb(skb)->control.fcs = chan->fcs;
2484 bt_cb(skb)->control.retries = 0;
2485 return skb;
2486}
2487
2488static int l2cap_segment_sdu(struct l2cap_chan *chan,
2489 struct sk_buff_head *seg_queue,
2490 struct msghdr *msg, size_t len)
2491{
2492 struct sk_buff *skb;
2493 u16 sdu_len;
2494 size_t pdu_len;
2495 u8 sar;
2496
2497 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2498
2499
2500
2501
2502
2503
2504
2505 pdu_len = chan->conn->mtu;
2506
2507
2508 if (!chan->hs_hcon)
2509 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2510
2511
2512 if (chan->fcs)
2513 pdu_len -= L2CAP_FCS_SIZE;
2514
2515 pdu_len -= __ertm_hdr_size(chan);
2516
2517
2518 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2519
2520 if (len <= pdu_len) {
2521 sar = L2CAP_SAR_UNSEGMENTED;
2522 sdu_len = 0;
2523 pdu_len = len;
2524 } else {
2525 sar = L2CAP_SAR_START;
2526 sdu_len = len;
2527 pdu_len -= L2CAP_SDULEN_SIZE;
2528 }
2529
2530 while (len > 0) {
2531 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2532
2533 if (IS_ERR(skb)) {
2534 __skb_queue_purge(seg_queue);
2535 return PTR_ERR(skb);
2536 }
2537
2538 bt_cb(skb)->control.sar = sar;
2539 __skb_queue_tail(seg_queue, skb);
2540
2541 len -= pdu_len;
2542 if (sdu_len) {
2543 sdu_len = 0;
2544 pdu_len += L2CAP_SDULEN_SIZE;
2545 }
2546
2547 if (len <= pdu_len) {
2548 sar = L2CAP_SAR_END;
2549 pdu_len = len;
2550 } else {
2551 sar = L2CAP_SAR_CONTINUE;
2552 }
2553 }
2554
2555 return 0;
2556}
2557
2558static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2559 struct msghdr *msg,
2560 size_t len, u16 sdulen)
2561{
2562 struct l2cap_conn *conn = chan->conn;
2563 struct sk_buff *skb;
2564 int err, count, hlen;
2565 struct l2cap_hdr *lh;
2566
2567 BT_DBG("chan %p len %zu", chan, len);
2568
2569 if (!conn)
2570 return ERR_PTR(-ENOTCONN);
2571
2572 hlen = L2CAP_HDR_SIZE;
2573
2574 if (sdulen)
2575 hlen += L2CAP_SDULEN_SIZE;
2576
2577 count = min_t(unsigned int, (conn->mtu - hlen), len);
2578
2579 skb = chan->ops->alloc_skb(chan, count + hlen,
2580 msg->msg_flags & MSG_DONTWAIT);
2581 if (IS_ERR(skb))
2582 return skb;
2583
2584
2585 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2586 lh->cid = cpu_to_le16(chan->dcid);
2587 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2588
2589 if (sdulen)
2590 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2591
2592 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2593 if (unlikely(err < 0)) {
2594 kfree_skb(skb);
2595 return ERR_PTR(err);
2596 }
2597
2598 return skb;
2599}
2600
2601static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2602 struct sk_buff_head *seg_queue,
2603 struct msghdr *msg, size_t len)
2604{
2605 struct sk_buff *skb;
2606 size_t pdu_len;
2607 u16 sdu_len;
2608
2609 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2610
2611 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2612
2613 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2614
2615 sdu_len = len;
2616 pdu_len -= L2CAP_SDULEN_SIZE;
2617
2618 while (len > 0) {
2619 if (len <= pdu_len)
2620 pdu_len = len;
2621
2622 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2623 if (IS_ERR(skb)) {
2624 __skb_queue_purge(seg_queue);
2625 return PTR_ERR(skb);
2626 }
2627
2628 __skb_queue_tail(seg_queue, skb);
2629
2630 len -= pdu_len;
2631
2632 if (sdu_len) {
2633 sdu_len = 0;
2634 pdu_len += L2CAP_SDULEN_SIZE;
2635 }
2636 }
2637
2638 return 0;
2639}
2640
2641int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2642 u32 priority)
2643{
2644 struct sk_buff *skb;
2645 int err;
2646 struct sk_buff_head seg_queue;
2647
2648 if (!chan->conn)
2649 return -ENOTCONN;
2650
2651
2652 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2653 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
2654 if (IS_ERR(skb))
2655 return PTR_ERR(skb);
2656
2657 l2cap_do_send(chan, skb);
2658 return len;
2659 }
2660
2661 switch (chan->mode) {
2662 case L2CAP_MODE_LE_FLOWCTL:
2663
2664 if (len > chan->omtu)
2665 return -EMSGSIZE;
2666
2667 if (!chan->tx_credits)
2668 return -EAGAIN;
2669
2670 __skb_queue_head_init(&seg_queue);
2671
2672 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2673
2674 if (chan->state != BT_CONNECTED) {
2675 __skb_queue_purge(&seg_queue);
2676 err = -ENOTCONN;
2677 }
2678
2679 if (err)
2680 return err;
2681
2682 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2683
2684 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2685 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2686 chan->tx_credits--;
2687 }
2688
2689 if (!chan->tx_credits)
2690 chan->ops->suspend(chan);
2691
2692 err = len;
2693
2694 break;
2695
2696 case L2CAP_MODE_BASIC:
2697
2698 if (len > chan->omtu)
2699 return -EMSGSIZE;
2700
2701
2702 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
2703 if (IS_ERR(skb))
2704 return PTR_ERR(skb);
2705
2706 l2cap_do_send(chan, skb);
2707 err = len;
2708 break;
2709
2710 case L2CAP_MODE_ERTM:
2711 case L2CAP_MODE_STREAMING:
2712
2713 if (len > chan->omtu) {
2714 err = -EMSGSIZE;
2715 break;
2716 }
2717
2718 __skb_queue_head_init(&seg_queue);
2719
2720
2721
2722
2723
2724 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2725
2726
2727
2728
2729 if (chan->state != BT_CONNECTED) {
2730 __skb_queue_purge(&seg_queue);
2731 err = -ENOTCONN;
2732 }
2733
2734 if (err)
2735 break;
2736
2737 if (chan->mode == L2CAP_MODE_ERTM)
2738 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2739 else
2740 l2cap_streaming_send(chan, &seg_queue);
2741
2742 err = len;
2743
2744
2745
2746
2747 __skb_queue_purge(&seg_queue);
2748 break;
2749
2750 default:
2751 BT_DBG("bad state %1.1x", chan->mode);
2752 err = -EBADFD;
2753 }
2754
2755 return err;
2756}
2757
2758static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2759{
2760 struct l2cap_ctrl control;
2761 u16 seq;
2762
2763 BT_DBG("chan %p, txseq %u", chan, txseq);
2764
2765 memset(&control, 0, sizeof(control));
2766 control.sframe = 1;
2767 control.super = L2CAP_SUPER_SREJ;
2768
2769 for (seq = chan->expected_tx_seq; seq != txseq;
2770 seq = __next_seq(chan, seq)) {
2771 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2772 control.reqseq = seq;
2773 l2cap_send_sframe(chan, &control);
2774 l2cap_seq_list_append(&chan->srej_list, seq);
2775 }
2776 }
2777
2778 chan->expected_tx_seq = __next_seq(chan, txseq);
2779}
2780
2781static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2782{
2783 struct l2cap_ctrl control;
2784
2785 BT_DBG("chan %p", chan);
2786
2787 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2788 return;
2789
2790 memset(&control, 0, sizeof(control));
2791 control.sframe = 1;
2792 control.super = L2CAP_SUPER_SREJ;
2793 control.reqseq = chan->srej_list.tail;
2794 l2cap_send_sframe(chan, &control);
2795}
2796
2797static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2798{
2799 struct l2cap_ctrl control;
2800 u16 initial_head;
2801 u16 seq;
2802
2803 BT_DBG("chan %p, txseq %u", chan, txseq);
2804
2805 memset(&control, 0, sizeof(control));
2806 control.sframe = 1;
2807 control.super = L2CAP_SUPER_SREJ;
2808
2809
2810 initial_head = chan->srej_list.head;
2811
2812 do {
2813 seq = l2cap_seq_list_pop(&chan->srej_list);
2814 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2815 break;
2816
2817 control.reqseq = seq;
2818 l2cap_send_sframe(chan, &control);
2819 l2cap_seq_list_append(&chan->srej_list, seq);
2820 } while (chan->srej_list.head != initial_head);
2821}
2822
2823static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2824{
2825 struct sk_buff *acked_skb;
2826 u16 ackseq;
2827
2828 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2829
2830 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2831 return;
2832
2833 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2834 chan->expected_ack_seq, chan->unacked_frames);
2835
2836 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2837 ackseq = __next_seq(chan, ackseq)) {
2838
2839 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2840 if (acked_skb) {
2841 skb_unlink(acked_skb, &chan->tx_q);
2842 kfree_skb(acked_skb);
2843 chan->unacked_frames--;
2844 }
2845 }
2846
2847 chan->expected_ack_seq = reqseq;
2848
2849 if (chan->unacked_frames == 0)
2850 __clear_retrans_timer(chan);
2851
2852 BT_DBG("unacked_frames %u", chan->unacked_frames);
2853}
2854
2855static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2856{
2857 BT_DBG("chan %p", chan);
2858
2859 chan->expected_tx_seq = chan->buffer_seq;
2860 l2cap_seq_list_clear(&chan->srej_list);
2861 skb_queue_purge(&chan->srej_q);
2862 chan->rx_state = L2CAP_RX_STATE_RECV;
2863}
2864
2865static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2866 struct l2cap_ctrl *control,
2867 struct sk_buff_head *skbs, u8 event)
2868{
2869 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2870 event);
2871
2872 switch (event) {
2873 case L2CAP_EV_DATA_REQUEST:
2874 if (chan->tx_send_head == NULL)
2875 chan->tx_send_head = skb_peek(skbs);
2876
2877 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2878 l2cap_ertm_send(chan);
2879 break;
2880 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2881 BT_DBG("Enter LOCAL_BUSY");
2882 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2883
2884 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2885
2886
2887
2888 l2cap_abort_rx_srej_sent(chan);
2889 }
2890
2891 l2cap_send_ack(chan);
2892
2893 break;
2894 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2895 BT_DBG("Exit LOCAL_BUSY");
2896 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2897
2898 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2899 struct l2cap_ctrl local_control;
2900
2901 memset(&local_control, 0, sizeof(local_control));
2902 local_control.sframe = 1;
2903 local_control.super = L2CAP_SUPER_RR;
2904 local_control.poll = 1;
2905 local_control.reqseq = chan->buffer_seq;
2906 l2cap_send_sframe(chan, &local_control);
2907
2908 chan->retry_count = 1;
2909 __set_monitor_timer(chan);
2910 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2911 }
2912 break;
2913 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2914 l2cap_process_reqseq(chan, control->reqseq);
2915 break;
2916 case L2CAP_EV_EXPLICIT_POLL:
2917 l2cap_send_rr_or_rnr(chan, 1);
2918 chan->retry_count = 1;
2919 __set_monitor_timer(chan);
2920 __clear_ack_timer(chan);
2921 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2922 break;
2923 case L2CAP_EV_RETRANS_TO:
2924 l2cap_send_rr_or_rnr(chan, 1);
2925 chan->retry_count = 1;
2926 __set_monitor_timer(chan);
2927 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2928 break;
2929 case L2CAP_EV_RECV_FBIT:
2930
2931 break;
2932 default:
2933 break;
2934 }
2935}
2936
2937static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2938 struct l2cap_ctrl *control,
2939 struct sk_buff_head *skbs, u8 event)
2940{
2941 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2942 event);
2943
2944 switch (event) {
2945 case L2CAP_EV_DATA_REQUEST:
2946 if (chan->tx_send_head == NULL)
2947 chan->tx_send_head = skb_peek(skbs);
2948
2949 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2950 break;
2951 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2952 BT_DBG("Enter LOCAL_BUSY");
2953 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2954
2955 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2956
2957
2958
2959 l2cap_abort_rx_srej_sent(chan);
2960 }
2961
2962 l2cap_send_ack(chan);
2963
2964 break;
2965 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2966 BT_DBG("Exit LOCAL_BUSY");
2967 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2968
2969 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2970 struct l2cap_ctrl local_control;
2971 memset(&local_control, 0, sizeof(local_control));
2972 local_control.sframe = 1;
2973 local_control.super = L2CAP_SUPER_RR;
2974 local_control.poll = 1;
2975 local_control.reqseq = chan->buffer_seq;
2976 l2cap_send_sframe(chan, &local_control);
2977
2978 chan->retry_count = 1;
2979 __set_monitor_timer(chan);
2980 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2981 }
2982 break;
2983 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2984 l2cap_process_reqseq(chan, control->reqseq);
2985
2986
2987
2988 case L2CAP_EV_RECV_FBIT:
2989 if (control && control->final) {
2990 __clear_monitor_timer(chan);
2991 if (chan->unacked_frames > 0)
2992 __set_retrans_timer(chan);
2993 chan->retry_count = 0;
2994 chan->tx_state = L2CAP_TX_STATE_XMIT;
2995 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2996 }
2997 break;
2998 case L2CAP_EV_EXPLICIT_POLL:
2999
3000 break;
3001 case L2CAP_EV_MONITOR_TO:
3002 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3003 l2cap_send_rr_or_rnr(chan, 1);
3004 __set_monitor_timer(chan);
3005 chan->retry_count++;
3006 } else {
3007 l2cap_send_disconn_req(chan, ECONNABORTED);
3008 }
3009 break;
3010 default:
3011 break;
3012 }
3013}
3014
3015static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3016 struct sk_buff_head *skbs, u8 event)
3017{
3018 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3019 chan, control, skbs, event, chan->tx_state);
3020
3021 switch (chan->tx_state) {
3022 case L2CAP_TX_STATE_XMIT:
3023 l2cap_tx_state_xmit(chan, control, skbs, event);
3024 break;
3025 case L2CAP_TX_STATE_WAIT_F:
3026 l2cap_tx_state_wait_f(chan, control, skbs, event);
3027 break;
3028 default:
3029
3030 break;
3031 }
3032}
3033
3034static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3035 struct l2cap_ctrl *control)
3036{
3037 BT_DBG("chan %p, control %p", chan, control);
3038 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3039}
3040
3041static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3042 struct l2cap_ctrl *control)
3043{
3044 BT_DBG("chan %p, control %p", chan, control);
3045 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3046}
3047
3048
3049static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3050{
3051 struct sk_buff *nskb;
3052 struct l2cap_chan *chan;
3053
3054 BT_DBG("conn %p", conn);
3055
3056 mutex_lock(&conn->chan_lock);
3057
3058 list_for_each_entry(chan, &conn->chan_l, list) {
3059 if (chan->chan_type != L2CAP_CHAN_RAW)
3060 continue;
3061
3062
3063 if (bt_cb(skb)->chan == chan)
3064 continue;
3065
3066 nskb = skb_clone(skb, GFP_KERNEL);
3067 if (!nskb)
3068 continue;
3069 if (chan->ops->recv(chan, nskb))
3070 kfree_skb(nskb);
3071 }
3072
3073 mutex_unlock(&conn->chan_lock);
3074}
3075
3076
3077static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3078 u8 ident, u16 dlen, void *data)
3079{
3080 struct sk_buff *skb, **frag;
3081 struct l2cap_cmd_hdr *cmd;
3082 struct l2cap_hdr *lh;
3083 int len, count;
3084
3085 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3086 conn, code, ident, dlen);
3087
3088 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3089 return NULL;
3090
3091 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3092 count = min_t(unsigned int, conn->mtu, len);
3093
3094 skb = bt_skb_alloc(count, GFP_KERNEL);
3095 if (!skb)
3096 return NULL;
3097
3098 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
3099 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3100
3101 if (conn->hcon->type == LE_LINK)
3102 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3103 else
3104 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
3105
3106 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
3107 cmd->code = code;
3108 cmd->ident = ident;
3109 cmd->len = cpu_to_le16(dlen);
3110
3111 if (dlen) {
3112 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3113 memcpy(skb_put(skb, count), data, count);
3114 data += count;
3115 }
3116
3117 len -= skb->len;
3118
3119
3120 frag = &skb_shinfo(skb)->frag_list;
3121 while (len) {
3122 count = min_t(unsigned int, conn->mtu, len);
3123
3124 *frag = bt_skb_alloc(count, GFP_KERNEL);
3125 if (!*frag)
3126 goto fail;
3127
3128 memcpy(skb_put(*frag, count), data, count);
3129
3130 len -= count;
3131 data += count;
3132
3133 frag = &(*frag)->next;
3134 }
3135
3136 return skb;
3137
3138fail:
3139 kfree_skb(skb);
3140 return NULL;
3141}
3142
3143static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3144 unsigned long *val)
3145{
3146 struct l2cap_conf_opt *opt = *ptr;
3147 int len;
3148
3149 len = L2CAP_CONF_OPT_SIZE + opt->len;
3150 *ptr += len;
3151
3152 *type = opt->type;
3153 *olen = opt->len;
3154
3155 switch (opt->len) {
3156 case 1:
3157 *val = *((u8 *) opt->val);
3158 break;
3159
3160 case 2:
3161 *val = get_unaligned_le16(opt->val);
3162 break;
3163
3164 case 4:
3165 *val = get_unaligned_le32(opt->val);
3166 break;
3167
3168 default:
3169 *val = (unsigned long) opt->val;
3170 break;
3171 }
3172
3173 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3174 return len;
3175}
3176
3177static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
3178{
3179 struct l2cap_conf_opt *opt = *ptr;
3180
3181 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3182
3183 opt->type = type;
3184 opt->len = len;
3185
3186 switch (len) {
3187 case 1:
3188 *((u8 *) opt->val) = val;
3189 break;
3190
3191 case 2:
3192 put_unaligned_le16(val, opt->val);
3193 break;
3194
3195 case 4:
3196 put_unaligned_le32(val, opt->val);
3197 break;
3198
3199 default:
3200 memcpy(opt->val, (void *) val, len);
3201 break;
3202 }
3203
3204 *ptr += L2CAP_CONF_OPT_SIZE + len;
3205}
3206
3207static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3208{
3209 struct l2cap_conf_efs efs;
3210
3211 switch (chan->mode) {
3212 case L2CAP_MODE_ERTM:
3213 efs.id = chan->local_id;
3214 efs.stype = chan->local_stype;
3215 efs.msdu = cpu_to_le16(chan->local_msdu);
3216 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3217 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3218 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3219 break;
3220
3221 case L2CAP_MODE_STREAMING:
3222 efs.id = 1;
3223 efs.stype = L2CAP_SERV_BESTEFFORT;
3224 efs.msdu = cpu_to_le16(chan->local_msdu);
3225 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3226 efs.acc_lat = 0;
3227 efs.flush_to = 0;
3228 break;
3229
3230 default:
3231 return;
3232 }
3233
3234 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3235 (unsigned long) &efs);
3236}
3237
3238static void l2cap_ack_timeout(struct work_struct *work)
3239{
3240 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3241 ack_timer.work);
3242 u16 frames_to_ack;
3243
3244 BT_DBG("chan %p", chan);
3245
3246 l2cap_chan_lock(chan);
3247
3248 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3249 chan->last_acked_seq);
3250
3251 if (frames_to_ack)
3252 l2cap_send_rr_or_rnr(chan, 0);
3253
3254 l2cap_chan_unlock(chan);
3255 l2cap_chan_put(chan);
3256}
3257
3258int l2cap_ertm_init(struct l2cap_chan *chan)
3259{
3260 int err;
3261
3262 chan->next_tx_seq = 0;
3263 chan->expected_tx_seq = 0;
3264 chan->expected_ack_seq = 0;
3265 chan->unacked_frames = 0;
3266 chan->buffer_seq = 0;
3267 chan->frames_sent = 0;
3268 chan->last_acked_seq = 0;
3269 chan->sdu = NULL;
3270 chan->sdu_last_frag = NULL;
3271 chan->sdu_len = 0;
3272
3273 skb_queue_head_init(&chan->tx_q);
3274
3275 chan->local_amp_id = AMP_ID_BREDR;
3276 chan->move_id = AMP_ID_BREDR;
3277 chan->move_state = L2CAP_MOVE_STABLE;
3278 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3279
3280 if (chan->mode != L2CAP_MODE_ERTM)
3281 return 0;
3282
3283 chan->rx_state = L2CAP_RX_STATE_RECV;
3284 chan->tx_state = L2CAP_TX_STATE_XMIT;
3285
3286 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3287 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3288 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3289
3290 skb_queue_head_init(&chan->srej_q);
3291
3292 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3293 if (err < 0)
3294 return err;
3295
3296 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3297 if (err < 0)
3298 l2cap_seq_list_free(&chan->srej_list);
3299
3300 return err;
3301}
3302
3303static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3304{
3305 switch (mode) {
3306 case L2CAP_MODE_STREAMING:
3307 case L2CAP_MODE_ERTM:
3308 if (l2cap_mode_supported(mode, remote_feat_mask))
3309 return mode;
3310
3311 default:
3312 return L2CAP_MODE_BASIC;
3313 }
3314}
3315
3316static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3317{
3318 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3319}
3320
3321static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3322{
3323 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3324}
3325
3326static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3327 struct l2cap_conf_rfc *rfc)
3328{
3329 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3330 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3346
3347
3348
3349
3350
3351 ertm_to = 3 * ertm_to + 500;
3352
3353 if (ertm_to > 0xffff)
3354 ertm_to = 0xffff;
3355
3356 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3357 rfc->monitor_timeout = rfc->retrans_timeout;
3358 } else {
3359 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3360 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3361 }
3362}
3363
3364static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3365{
3366 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3367 __l2cap_ews_supported(chan->conn)) {
3368
3369 set_bit(FLAG_EXT_CTRL, &chan->flags);
3370 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3371 } else {
3372 chan->tx_win = min_t(u16, chan->tx_win,
3373 L2CAP_DEFAULT_TX_WINDOW);
3374 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3375 }
3376 chan->ack_win = chan->tx_win;
3377}
3378
3379static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3380{
3381 struct l2cap_conf_req *req = data;
3382 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3383 void *ptr = req->data;
3384 u16 size;
3385
3386 BT_DBG("chan %p", chan);
3387
3388 if (chan->num_conf_req || chan->num_conf_rsp)
3389 goto done;
3390
3391 switch (chan->mode) {
3392 case L2CAP_MODE_STREAMING:
3393 case L2CAP_MODE_ERTM:
3394 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3395 break;
3396
3397 if (__l2cap_efs_supported(chan->conn))
3398 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3399
3400
3401 default:
3402 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3403 break;
3404 }
3405
3406done:
3407 if (chan->imtu != L2CAP_DEFAULT_MTU)
3408 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3409
3410 switch (chan->mode) {
3411 case L2CAP_MODE_BASIC:
3412 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3413 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3414 break;
3415
3416 rfc.mode = L2CAP_MODE_BASIC;
3417 rfc.txwin_size = 0;
3418 rfc.max_transmit = 0;
3419 rfc.retrans_timeout = 0;
3420 rfc.monitor_timeout = 0;
3421 rfc.max_pdu_size = 0;
3422
3423 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3424 (unsigned long) &rfc);
3425 break;
3426
3427 case L2CAP_MODE_ERTM:
3428 rfc.mode = L2CAP_MODE_ERTM;
3429 rfc.max_transmit = chan->max_tx;
3430
3431 __l2cap_set_ertm_timeouts(chan, &rfc);
3432
3433 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3434 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3435 L2CAP_FCS_SIZE);
3436 rfc.max_pdu_size = cpu_to_le16(size);
3437
3438 l2cap_txwin_setup(chan);
3439
3440 rfc.txwin_size = min_t(u16, chan->tx_win,
3441 L2CAP_DEFAULT_TX_WINDOW);
3442
3443 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3444 (unsigned long) &rfc);
3445
3446 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3447 l2cap_add_opt_efs(&ptr, chan);
3448
3449 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3450 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3451 chan->tx_win);
3452
3453 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3454 if (chan->fcs == L2CAP_FCS_NONE ||
3455 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3456 chan->fcs = L2CAP_FCS_NONE;
3457 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3458 chan->fcs);
3459 }
3460 break;
3461
3462 case L2CAP_MODE_STREAMING:
3463 l2cap_txwin_setup(chan);
3464 rfc.mode = L2CAP_MODE_STREAMING;
3465 rfc.txwin_size = 0;
3466 rfc.max_transmit = 0;
3467 rfc.retrans_timeout = 0;
3468 rfc.monitor_timeout = 0;
3469
3470 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3471 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3472 L2CAP_FCS_SIZE);
3473 rfc.max_pdu_size = cpu_to_le16(size);
3474
3475 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3476 (unsigned long) &rfc);
3477
3478 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3479 l2cap_add_opt_efs(&ptr, chan);
3480
3481 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3482 if (chan->fcs == L2CAP_FCS_NONE ||
3483 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3484 chan->fcs = L2CAP_FCS_NONE;
3485 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3486 chan->fcs);
3487 }
3488 break;
3489 }
3490
3491 req->dcid = cpu_to_le16(chan->dcid);
3492 req->flags = __constant_cpu_to_le16(0);
3493
3494 return ptr - data;
3495}
3496
3497static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3498{
3499 struct l2cap_conf_rsp *rsp = data;
3500 void *ptr = rsp->data;
3501 void *req = chan->conf_req;
3502 int len = chan->conf_len;
3503 int type, hint, olen;
3504 unsigned long val;
3505 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3506 struct l2cap_conf_efs efs;
3507 u8 remote_efs = 0;
3508 u16 mtu = L2CAP_DEFAULT_MTU;
3509 u16 result = L2CAP_CONF_SUCCESS;
3510 u16 size;
3511
3512 BT_DBG("chan %p", chan);
3513
3514 while (len >= L2CAP_CONF_OPT_SIZE) {
3515 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3516
3517 hint = type & L2CAP_CONF_HINT;
3518 type &= L2CAP_CONF_MASK;
3519
3520 switch (type) {
3521 case L2CAP_CONF_MTU:
3522 mtu = val;
3523 break;
3524
3525 case L2CAP_CONF_FLUSH_TO:
3526 chan->flush_to = val;
3527 break;
3528
3529 case L2CAP_CONF_QOS:
3530 break;
3531
3532 case L2CAP_CONF_RFC:
3533 if (olen == sizeof(rfc))
3534 memcpy(&rfc, (void *) val, olen);
3535 break;
3536
3537 case L2CAP_CONF_FCS:
3538 if (val == L2CAP_FCS_NONE)
3539 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3540 break;
3541
3542 case L2CAP_CONF_EFS:
3543 remote_efs = 1;
3544 if (olen == sizeof(efs))
3545 memcpy(&efs, (void *) val, olen);
3546 break;
3547
3548 case L2CAP_CONF_EWS:
3549 if (!chan->conn->hs_enabled)
3550 return -ECONNREFUSED;
3551
3552 set_bit(FLAG_EXT_CTRL, &chan->flags);
3553 set_bit(CONF_EWS_RECV, &chan->conf_state);
3554 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3555 chan->remote_tx_win = val;
3556 break;
3557
3558 default:
3559 if (hint)
3560 break;
3561
3562 result = L2CAP_CONF_UNKNOWN;
3563 *((u8 *) ptr++) = type;
3564 break;
3565 }
3566 }
3567
3568 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3569 goto done;
3570
3571 switch (chan->mode) {
3572 case L2CAP_MODE_STREAMING:
3573 case L2CAP_MODE_ERTM:
3574 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3575 chan->mode = l2cap_select_mode(rfc.mode,
3576 chan->conn->feat_mask);
3577 break;
3578 }
3579
3580 if (remote_efs) {
3581 if (__l2cap_efs_supported(chan->conn))
3582 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3583 else
3584 return -ECONNREFUSED;
3585 }
3586
3587 if (chan->mode != rfc.mode)
3588 return -ECONNREFUSED;
3589
3590 break;
3591 }
3592
3593done:
3594 if (chan->mode != rfc.mode) {
3595 result = L2CAP_CONF_UNACCEPT;
3596 rfc.mode = chan->mode;
3597
3598 if (chan->num_conf_rsp == 1)
3599 return -ECONNREFUSED;
3600
3601 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3602 (unsigned long) &rfc);
3603 }
3604
3605 if (result == L2CAP_CONF_SUCCESS) {
3606
3607
3608
3609 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3610 result = L2CAP_CONF_UNACCEPT;
3611 else {
3612 chan->omtu = mtu;
3613 set_bit(CONF_MTU_DONE, &chan->conf_state);
3614 }
3615 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3616
3617 if (remote_efs) {
3618 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3619 efs.stype != L2CAP_SERV_NOTRAFIC &&
3620 efs.stype != chan->local_stype) {
3621
3622 result = L2CAP_CONF_UNACCEPT;
3623
3624 if (chan->num_conf_req >= 1)
3625 return -ECONNREFUSED;
3626
3627 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3628 sizeof(efs),
3629 (unsigned long) &efs);
3630 } else {
3631
3632 result = L2CAP_CONF_PENDING;
3633 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3634 }
3635 }
3636
3637 switch (rfc.mode) {
3638 case L2CAP_MODE_BASIC:
3639 chan->fcs = L2CAP_FCS_NONE;
3640 set_bit(CONF_MODE_DONE, &chan->conf_state);
3641 break;
3642
3643 case L2CAP_MODE_ERTM:
3644 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3645 chan->remote_tx_win = rfc.txwin_size;
3646 else
3647 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3648
3649 chan->remote_max_tx = rfc.max_transmit;
3650
3651 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3652 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3653 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3654 rfc.max_pdu_size = cpu_to_le16(size);
3655 chan->remote_mps = size;
3656
3657 __l2cap_set_ertm_timeouts(chan, &rfc);
3658
3659 set_bit(CONF_MODE_DONE, &chan->conf_state);
3660
3661 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3662 sizeof(rfc), (unsigned long) &rfc);
3663
3664 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3665 chan->remote_id = efs.id;
3666 chan->remote_stype = efs.stype;
3667 chan->remote_msdu = le16_to_cpu(efs.msdu);
3668 chan->remote_flush_to =
3669 le32_to_cpu(efs.flush_to);
3670 chan->remote_acc_lat =
3671 le32_to_cpu(efs.acc_lat);
3672 chan->remote_sdu_itime =
3673 le32_to_cpu(efs.sdu_itime);
3674 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3675 sizeof(efs),
3676 (unsigned long) &efs);
3677 }
3678 break;
3679
3680 case L2CAP_MODE_STREAMING:
3681 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3682 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3683 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3684 rfc.max_pdu_size = cpu_to_le16(size);
3685 chan->remote_mps = size;
3686
3687 set_bit(CONF_MODE_DONE, &chan->conf_state);
3688
3689 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3690 (unsigned long) &rfc);
3691
3692 break;
3693
3694 default:
3695 result = L2CAP_CONF_UNACCEPT;
3696
3697 memset(&rfc, 0, sizeof(rfc));
3698 rfc.mode = chan->mode;
3699 }
3700
3701 if (result == L2CAP_CONF_SUCCESS)
3702 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3703 }
3704 rsp->scid = cpu_to_le16(chan->dcid);
3705 rsp->result = cpu_to_le16(result);
3706 rsp->flags = __constant_cpu_to_le16(0);
3707
3708 return ptr - data;
3709}
3710
3711static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3712 void *data, u16 *result)
3713{
3714 struct l2cap_conf_req *req = data;
3715 void *ptr = req->data;
3716 int type, olen;
3717 unsigned long val;
3718 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3719 struct l2cap_conf_efs efs;
3720
3721 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3722
3723 while (len >= L2CAP_CONF_OPT_SIZE) {
3724 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3725
3726 switch (type) {
3727 case L2CAP_CONF_MTU:
3728 if (val < L2CAP_DEFAULT_MIN_MTU) {
3729 *result = L2CAP_CONF_UNACCEPT;
3730 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3731 } else
3732 chan->imtu = val;
3733 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3734 break;
3735
3736 case L2CAP_CONF_FLUSH_TO:
3737 chan->flush_to = val;
3738 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3739 2, chan->flush_to);
3740 break;
3741
3742 case L2CAP_CONF_RFC:
3743 if (olen == sizeof(rfc))
3744 memcpy(&rfc, (void *)val, olen);
3745
3746 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3747 rfc.mode != chan->mode)
3748 return -ECONNREFUSED;
3749
3750 chan->fcs = 0;
3751
3752 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3753 sizeof(rfc), (unsigned long) &rfc);
3754 break;
3755
3756 case L2CAP_CONF_EWS:
3757 chan->ack_win = min_t(u16, val, chan->ack_win);
3758 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3759 chan->tx_win);
3760 break;
3761
3762 case L2CAP_CONF_EFS:
3763 if (olen == sizeof(efs))
3764 memcpy(&efs, (void *)val, olen);
3765
3766 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3767 efs.stype != L2CAP_SERV_NOTRAFIC &&
3768 efs.stype != chan->local_stype)
3769 return -ECONNREFUSED;
3770
3771 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3772 (unsigned long) &efs);
3773 break;
3774
3775 case L2CAP_CONF_FCS:
3776 if (*result == L2CAP_CONF_PENDING)
3777 if (val == L2CAP_FCS_NONE)
3778 set_bit(CONF_RECV_NO_FCS,
3779 &chan->conf_state);
3780 break;
3781 }
3782 }
3783
3784 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3785 return -ECONNREFUSED;
3786
3787 chan->mode = rfc.mode;
3788
3789 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3790 switch (rfc.mode) {
3791 case L2CAP_MODE_ERTM:
3792 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3793 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3794 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3795 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3796 chan->ack_win = min_t(u16, chan->ack_win,
3797 rfc.txwin_size);
3798
3799 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3800 chan->local_msdu = le16_to_cpu(efs.msdu);
3801 chan->local_sdu_itime =
3802 le32_to_cpu(efs.sdu_itime);
3803 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3804 chan->local_flush_to =
3805 le32_to_cpu(efs.flush_to);
3806 }
3807 break;
3808
3809 case L2CAP_MODE_STREAMING:
3810 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3811 }
3812 }
3813
3814 req->dcid = cpu_to_le16(chan->dcid);
3815 req->flags = __constant_cpu_to_le16(0);
3816
3817 return ptr - data;
3818}
3819
3820static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3821 u16 result, u16 flags)
3822{
3823 struct l2cap_conf_rsp *rsp = data;
3824 void *ptr = rsp->data;
3825
3826 BT_DBG("chan %p", chan);
3827
3828 rsp->scid = cpu_to_le16(chan->dcid);
3829 rsp->result = cpu_to_le16(result);
3830 rsp->flags = cpu_to_le16(flags);
3831
3832 return ptr - data;
3833}
3834
3835void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3836{
3837 struct l2cap_le_conn_rsp rsp;
3838 struct l2cap_conn *conn = chan->conn;
3839
3840 BT_DBG("chan %p", chan);
3841
3842 rsp.dcid = cpu_to_le16(chan->scid);
3843 rsp.mtu = cpu_to_le16(chan->imtu);
3844 rsp.mps = cpu_to_le16(chan->mps);
3845 rsp.credits = cpu_to_le16(chan->rx_credits);
3846 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3847
3848 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3849 &rsp);
3850}
3851
3852void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3853{
3854 struct l2cap_conn_rsp rsp;
3855 struct l2cap_conn *conn = chan->conn;
3856 u8 buf[128];
3857 u8 rsp_code;
3858
3859 rsp.scid = cpu_to_le16(chan->dcid);
3860 rsp.dcid = cpu_to_le16(chan->scid);
3861 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3862 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
3863
3864 if (chan->hs_hcon)
3865 rsp_code = L2CAP_CREATE_CHAN_RSP;
3866 else
3867 rsp_code = L2CAP_CONN_RSP;
3868
3869 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3870
3871 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3872
3873 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3874 return;
3875
3876 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3877 l2cap_build_conf_req(chan, buf), buf);
3878 chan->num_conf_req++;
3879}
3880
3881static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3882{
3883 int type, olen;
3884 unsigned long val;
3885
3886
3887
3888 u16 txwin_ext = chan->ack_win;
3889 struct l2cap_conf_rfc rfc = {
3890 .mode = chan->mode,
3891 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3892 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3893 .max_pdu_size = cpu_to_le16(chan->imtu),
3894 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3895 };
3896
3897 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3898
3899 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3900 return;
3901
3902 while (len >= L2CAP_CONF_OPT_SIZE) {
3903 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3904
3905 switch (type) {
3906 case L2CAP_CONF_RFC:
3907 if (olen == sizeof(rfc))
3908 memcpy(&rfc, (void *)val, olen);
3909 break;
3910 case L2CAP_CONF_EWS:
3911 txwin_ext = val;
3912 break;
3913 }
3914 }
3915
3916 switch (rfc.mode) {
3917 case L2CAP_MODE_ERTM:
3918 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3919 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3920 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3921 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3922 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3923 else
3924 chan->ack_win = min_t(u16, chan->ack_win,
3925 rfc.txwin_size);
3926 break;
3927 case L2CAP_MODE_STREAMING:
3928 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3929 }
3930}
3931
3932static inline int l2cap_command_rej(struct l2cap_conn *conn,
3933 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3934 u8 *data)
3935{
3936 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3937
3938 if (cmd_len < sizeof(*rej))
3939 return -EPROTO;
3940
3941 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3942 return 0;
3943
3944 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3945 cmd->ident == conn->info_ident) {
3946 cancel_delayed_work(&conn->info_timer);
3947
3948 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3949 conn->info_ident = 0;
3950
3951 l2cap_conn_start(conn);
3952 }
3953
3954 return 0;
3955}
3956
3957static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3958 struct l2cap_cmd_hdr *cmd,
3959 u8 *data, u8 rsp_code, u8 amp_id)
3960{
3961 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3962 struct l2cap_conn_rsp rsp;
3963 struct l2cap_chan *chan = NULL, *pchan;
3964 int result, status = L2CAP_CS_NO_INFO;
3965
3966 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3967 __le16 psm = req->psm;
3968
3969 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3970
3971
3972 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3973 &conn->hcon->dst, ACL_LINK);
3974 if (!pchan) {
3975 result = L2CAP_CR_BAD_PSM;
3976 goto sendresp;
3977 }
3978
3979 mutex_lock(&conn->chan_lock);
3980 l2cap_chan_lock(pchan);
3981
3982
3983 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
3984 !hci_conn_check_link_mode(conn->hcon)) {
3985 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3986 result = L2CAP_CR_SEC_BLOCK;
3987 goto response;
3988 }
3989
3990 result = L2CAP_CR_NO_MEM;
3991
3992
3993 if (__l2cap_get_chan_by_dcid(conn, scid))
3994 goto response;
3995
3996 chan = pchan->ops->new_connection(pchan);
3997 if (!chan)
3998 goto response;
3999
4000
4001
4002
4003
4004
4005 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4006
4007 bacpy(&chan->src, &conn->hcon->src);
4008 bacpy(&chan->dst, &conn->hcon->dst);
4009 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
4010 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
4011 chan->psm = psm;
4012 chan->dcid = scid;
4013 chan->local_amp_id = amp_id;
4014
4015 __l2cap_chan_add(conn, chan);
4016
4017 dcid = chan->scid;
4018
4019 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4020
4021 chan->ident = cmd->ident;
4022
4023 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4024 if (l2cap_chan_check_security(chan)) {
4025 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4026 l2cap_state_change(chan, BT_CONNECT2);
4027 result = L2CAP_CR_PEND;
4028 status = L2CAP_CS_AUTHOR_PEND;
4029 chan->ops->defer(chan);
4030 } else {
4031
4032
4033
4034
4035 if (amp_id == AMP_ID_BREDR) {
4036 l2cap_state_change(chan, BT_CONFIG);
4037 result = L2CAP_CR_SUCCESS;
4038 } else {
4039 l2cap_state_change(chan, BT_CONNECT2);
4040 result = L2CAP_CR_PEND;
4041 }
4042 status = L2CAP_CS_NO_INFO;
4043 }
4044 } else {
4045 l2cap_state_change(chan, BT_CONNECT2);
4046 result = L2CAP_CR_PEND;
4047 status = L2CAP_CS_AUTHEN_PEND;
4048 }
4049 } else {
4050 l2cap_state_change(chan, BT_CONNECT2);
4051 result = L2CAP_CR_PEND;
4052 status = L2CAP_CS_NO_INFO;
4053 }
4054
4055response:
4056 l2cap_chan_unlock(pchan);
4057 mutex_unlock(&conn->chan_lock);
4058
4059sendresp:
4060 rsp.scid = cpu_to_le16(scid);
4061 rsp.dcid = cpu_to_le16(dcid);
4062 rsp.result = cpu_to_le16(result);
4063 rsp.status = cpu_to_le16(status);
4064 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4065
4066 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4067 struct l2cap_info_req info;
4068 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4069
4070 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4071 conn->info_ident = l2cap_get_ident(conn);
4072
4073 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4074
4075 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4076 sizeof(info), &info);
4077 }
4078
4079 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4080 result == L2CAP_CR_SUCCESS) {
4081 u8 buf[128];
4082 set_bit(CONF_REQ_SENT, &chan->conf_state);
4083 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4084 l2cap_build_conf_req(chan, buf), buf);
4085 chan->num_conf_req++;
4086 }
4087
4088 return chan;
4089}
4090
4091static int l2cap_connect_req(struct l2cap_conn *conn,
4092 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4093{
4094 struct hci_dev *hdev = conn->hcon->hdev;
4095 struct hci_conn *hcon = conn->hcon;
4096
4097 if (cmd_len < sizeof(struct l2cap_conn_req))
4098 return -EPROTO;
4099
4100 hci_dev_lock(hdev);
4101 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
4102 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4103 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
4104 hcon->dst_type, 0, NULL, 0,
4105 hcon->dev_class);
4106 hci_dev_unlock(hdev);
4107
4108 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4109 return 0;
4110}
4111
4112static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4113 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4114 u8 *data)
4115{
4116 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4117 u16 scid, dcid, result, status;
4118 struct l2cap_chan *chan;
4119 u8 req[128];
4120 int err;
4121
4122 if (cmd_len < sizeof(*rsp))
4123 return -EPROTO;
4124
4125 scid = __le16_to_cpu(rsp->scid);
4126 dcid = __le16_to_cpu(rsp->dcid);
4127 result = __le16_to_cpu(rsp->result);
4128 status = __le16_to_cpu(rsp->status);
4129
4130 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4131 dcid, scid, result, status);
4132
4133 mutex_lock(&conn->chan_lock);
4134
4135 if (scid) {
4136 chan = __l2cap_get_chan_by_scid(conn, scid);
4137 if (!chan) {
4138 err = -EBADSLT;
4139 goto unlock;
4140 }
4141 } else {
4142 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4143 if (!chan) {
4144 err = -EBADSLT;
4145 goto unlock;
4146 }
4147 }
4148
4149 err = 0;
4150
4151 l2cap_chan_lock(chan);
4152
4153 switch (result) {
4154 case L2CAP_CR_SUCCESS:
4155 l2cap_state_change(chan, BT_CONFIG);
4156 chan->ident = 0;
4157 chan->dcid = dcid;
4158 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4159
4160 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4161 break;
4162
4163 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4164 l2cap_build_conf_req(chan, req), req);
4165 chan->num_conf_req++;
4166 break;
4167
4168 case L2CAP_CR_PEND:
4169 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4170 break;
4171
4172 default:
4173 l2cap_chan_del(chan, ECONNREFUSED);
4174 break;
4175 }
4176
4177 l2cap_chan_unlock(chan);
4178
4179unlock:
4180 mutex_unlock(&conn->chan_lock);
4181
4182 return err;
4183}
4184
4185static inline void set_default_fcs(struct l2cap_chan *chan)
4186{
4187
4188
4189
4190 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4191 chan->fcs = L2CAP_FCS_NONE;
4192 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4193 chan->fcs = L2CAP_FCS_CRC16;
4194}
4195
4196static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4197 u8 ident, u16 flags)
4198{
4199 struct l2cap_conn *conn = chan->conn;
4200
4201 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4202 flags);
4203
4204 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4205 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4206
4207 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4208 l2cap_build_conf_rsp(chan, data,
4209 L2CAP_CONF_SUCCESS, flags), data);
4210}
4211
4212static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4213 u16 scid, u16 dcid)
4214{
4215 struct l2cap_cmd_rej_cid rej;
4216
4217 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
4218 rej.scid = __cpu_to_le16(scid);
4219 rej.dcid = __cpu_to_le16(dcid);
4220
4221 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4222}
4223
4224static inline int l2cap_config_req(struct l2cap_conn *conn,
4225 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4226 u8 *data)
4227{
4228 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4229 u16 dcid, flags;
4230 u8 rsp[64];
4231 struct l2cap_chan *chan;
4232 int len, err = 0;
4233
4234 if (cmd_len < sizeof(*req))
4235 return -EPROTO;
4236
4237 dcid = __le16_to_cpu(req->dcid);
4238 flags = __le16_to_cpu(req->flags);
4239
4240 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4241
4242 chan = l2cap_get_chan_by_scid(conn, dcid);
4243 if (!chan) {
4244 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4245 return 0;
4246 }
4247
4248 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4249 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4250 chan->dcid);
4251 goto unlock;
4252 }
4253
4254
4255 len = cmd_len - sizeof(*req);
4256 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4257 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4258 l2cap_build_conf_rsp(chan, rsp,
4259 L2CAP_CONF_REJECT, flags), rsp);
4260 goto unlock;
4261 }
4262
4263
4264 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4265 chan->conf_len += len;
4266
4267 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4268
4269 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4270 l2cap_build_conf_rsp(chan, rsp,
4271 L2CAP_CONF_SUCCESS, flags), rsp);
4272 goto unlock;
4273 }
4274
4275
4276 len = l2cap_parse_conf_req(chan, rsp);
4277 if (len < 0) {
4278 l2cap_send_disconn_req(chan, ECONNRESET);
4279 goto unlock;
4280 }
4281
4282 chan->ident = cmd->ident;
4283 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4284 chan->num_conf_rsp++;
4285
4286
4287 chan->conf_len = 0;
4288
4289 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4290 goto unlock;
4291
4292 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4293 set_default_fcs(chan);
4294
4295 if (chan->mode == L2CAP_MODE_ERTM ||
4296 chan->mode == L2CAP_MODE_STREAMING)
4297 err = l2cap_ertm_init(chan);
4298
4299 if (err < 0)
4300 l2cap_send_disconn_req(chan, -err);
4301 else
4302 l2cap_chan_ready(chan);
4303
4304 goto unlock;
4305 }
4306
4307 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4308 u8 buf[64];
4309 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4310 l2cap_build_conf_req(chan, buf), buf);
4311 chan->num_conf_req++;
4312 }
4313
4314
4315
4316 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4317 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4318
4319
4320
4321
4322 if (!chan->hs_hcon)
4323 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4324 else
4325 chan->ident = cmd->ident;
4326 }
4327
4328unlock:
4329 l2cap_chan_unlock(chan);
4330 return err;
4331}
4332
4333static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4334 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4335 u8 *data)
4336{
4337 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4338 u16 scid, flags, result;
4339 struct l2cap_chan *chan;
4340 int len = cmd_len - sizeof(*rsp);
4341 int err = 0;
4342
4343 if (cmd_len < sizeof(*rsp))
4344 return -EPROTO;
4345
4346 scid = __le16_to_cpu(rsp->scid);
4347 flags = __le16_to_cpu(rsp->flags);
4348 result = __le16_to_cpu(rsp->result);
4349
4350 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4351 result, len);
4352
4353 chan = l2cap_get_chan_by_scid(conn, scid);
4354 if (!chan)
4355 return 0;
4356
4357 switch (result) {
4358 case L2CAP_CONF_SUCCESS:
4359 l2cap_conf_rfc_get(chan, rsp->data, len);
4360 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4361 break;
4362
4363 case L2CAP_CONF_PENDING:
4364 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4365
4366 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4367 char buf[64];
4368
4369 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4370 buf, &result);
4371 if (len < 0) {
4372 l2cap_send_disconn_req(chan, ECONNRESET);
4373 goto done;
4374 }
4375
4376 if (!chan->hs_hcon) {
4377 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4378 0);
4379 } else {
4380 if (l2cap_check_efs(chan)) {
4381 amp_create_logical_link(chan);
4382 chan->ident = cmd->ident;
4383 }
4384 }
4385 }
4386 goto done;
4387
4388 case L2CAP_CONF_UNACCEPT:
4389 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4390 char req[64];
4391
4392 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4393 l2cap_send_disconn_req(chan, ECONNRESET);
4394 goto done;
4395 }
4396
4397
4398 result = L2CAP_CONF_SUCCESS;
4399 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4400 req, &result);
4401 if (len < 0) {
4402 l2cap_send_disconn_req(chan, ECONNRESET);
4403 goto done;
4404 }
4405
4406 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4407 L2CAP_CONF_REQ, len, req);
4408 chan->num_conf_req++;
4409 if (result != L2CAP_CONF_SUCCESS)
4410 goto done;
4411 break;
4412 }
4413
4414 default:
4415 l2cap_chan_set_err(chan, ECONNRESET);
4416
4417 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4418 l2cap_send_disconn_req(chan, ECONNRESET);
4419 goto done;
4420 }
4421
4422 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4423 goto done;
4424
4425 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4426
4427 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4428 set_default_fcs(chan);
4429
4430 if (chan->mode == L2CAP_MODE_ERTM ||
4431 chan->mode == L2CAP_MODE_STREAMING)
4432 err = l2cap_ertm_init(chan);
4433
4434 if (err < 0)
4435 l2cap_send_disconn_req(chan, -err);
4436 else
4437 l2cap_chan_ready(chan);
4438 }
4439
4440done:
4441 l2cap_chan_unlock(chan);
4442 return err;
4443}
4444
4445static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4446 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4447 u8 *data)
4448{
4449 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4450 struct l2cap_disconn_rsp rsp;
4451 u16 dcid, scid;
4452 struct l2cap_chan *chan;
4453
4454 if (cmd_len != sizeof(*req))
4455 return -EPROTO;
4456
4457 scid = __le16_to_cpu(req->scid);
4458 dcid = __le16_to_cpu(req->dcid);
4459
4460 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4461
4462 mutex_lock(&conn->chan_lock);
4463
4464 chan = __l2cap_get_chan_by_scid(conn, dcid);
4465 if (!chan) {
4466 mutex_unlock(&conn->chan_lock);
4467 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4468 return 0;
4469 }
4470
4471 l2cap_chan_lock(chan);
4472
4473 rsp.dcid = cpu_to_le16(chan->scid);
4474 rsp.scid = cpu_to_le16(chan->dcid);
4475 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4476
4477 chan->ops->set_shutdown(chan);
4478
4479 l2cap_chan_hold(chan);
4480 l2cap_chan_del(chan, ECONNRESET);
4481
4482 l2cap_chan_unlock(chan);
4483
4484 chan->ops->close(chan);
4485 l2cap_chan_put(chan);
4486
4487 mutex_unlock(&conn->chan_lock);
4488
4489 return 0;
4490}
4491
4492static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4493 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4494 u8 *data)
4495{
4496 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4497 u16 dcid, scid;
4498 struct l2cap_chan *chan;
4499
4500 if (cmd_len != sizeof(*rsp))
4501 return -EPROTO;
4502
4503 scid = __le16_to_cpu(rsp->scid);
4504 dcid = __le16_to_cpu(rsp->dcid);
4505
4506 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4507
4508 mutex_lock(&conn->chan_lock);
4509
4510 chan = __l2cap_get_chan_by_scid(conn, scid);
4511 if (!chan) {
4512 mutex_unlock(&conn->chan_lock);
4513 return 0;
4514 }
4515
4516 l2cap_chan_lock(chan);
4517
4518 l2cap_chan_hold(chan);
4519 l2cap_chan_del(chan, 0);
4520
4521 l2cap_chan_unlock(chan);
4522
4523 chan->ops->close(chan);
4524 l2cap_chan_put(chan);
4525
4526 mutex_unlock(&conn->chan_lock);
4527
4528 return 0;
4529}
4530
4531static inline int l2cap_information_req(struct l2cap_conn *conn,
4532 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4533 u8 *data)
4534{
4535 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4536 u16 type;
4537
4538 if (cmd_len != sizeof(*req))
4539 return -EPROTO;
4540
4541 type = __le16_to_cpu(req->type);
4542
4543 BT_DBG("type 0x%4.4x", type);
4544
4545 if (type == L2CAP_IT_FEAT_MASK) {
4546 u8 buf[8];
4547 u32 feat_mask = l2cap_feat_mask;
4548 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4549 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4550 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
4551 if (!disable_ertm)
4552 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4553 | L2CAP_FEAT_FCS;
4554 if (conn->hs_enabled)
4555 feat_mask |= L2CAP_FEAT_EXT_FLOW
4556 | L2CAP_FEAT_EXT_WINDOW;
4557
4558 put_unaligned_le32(feat_mask, rsp->data);
4559 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4560 buf);
4561 } else if (type == L2CAP_IT_FIXED_CHAN) {
4562 u8 buf[12];
4563 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4564
4565 if (conn->hs_enabled)
4566 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4567 else
4568 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4569
4570 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4571 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
4572 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
4573 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4574 buf);
4575 } else {
4576 struct l2cap_info_rsp rsp;
4577 rsp.type = cpu_to_le16(type);
4578 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
4579 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4580 &rsp);
4581 }
4582
4583 return 0;
4584}
4585
4586static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4587 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4588 u8 *data)
4589{
4590 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4591 u16 type, result;
4592
4593 if (cmd_len < sizeof(*rsp))
4594 return -EPROTO;
4595
4596 type = __le16_to_cpu(rsp->type);
4597 result = __le16_to_cpu(rsp->result);
4598
4599 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4600
4601
4602 if (cmd->ident != conn->info_ident ||
4603 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4604 return 0;
4605
4606 cancel_delayed_work(&conn->info_timer);
4607
4608 if (result != L2CAP_IR_SUCCESS) {
4609 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4610 conn->info_ident = 0;
4611
4612 l2cap_conn_start(conn);
4613
4614 return 0;
4615 }
4616
4617 switch (type) {
4618 case L2CAP_IT_FEAT_MASK:
4619 conn->feat_mask = get_unaligned_le32(rsp->data);
4620
4621 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4622 struct l2cap_info_req req;
4623 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4624
4625 conn->info_ident = l2cap_get_ident(conn);
4626
4627 l2cap_send_cmd(conn, conn->info_ident,
4628 L2CAP_INFO_REQ, sizeof(req), &req);
4629 } else {
4630 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4631 conn->info_ident = 0;
4632
4633 l2cap_conn_start(conn);
4634 }
4635 break;
4636
4637 case L2CAP_IT_FIXED_CHAN:
4638 conn->fixed_chan_mask = rsp->data[0];
4639 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4640 conn->info_ident = 0;
4641
4642 l2cap_conn_start(conn);
4643 break;
4644 }
4645
4646 return 0;
4647}
4648
4649static int l2cap_create_channel_req(struct l2cap_conn *conn,
4650 struct l2cap_cmd_hdr *cmd,
4651 u16 cmd_len, void *data)
4652{
4653 struct l2cap_create_chan_req *req = data;
4654 struct l2cap_create_chan_rsp rsp;
4655 struct l2cap_chan *chan;
4656 struct hci_dev *hdev;
4657 u16 psm, scid;
4658
4659 if (cmd_len != sizeof(*req))
4660 return -EPROTO;
4661
4662 if (!conn->hs_enabled)
4663 return -EINVAL;
4664
4665 psm = le16_to_cpu(req->psm);
4666 scid = le16_to_cpu(req->scid);
4667
4668 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4669
4670
4671 if (req->amp_id == AMP_ID_BREDR) {
4672 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4673 req->amp_id);
4674 return 0;
4675 }
4676
4677
4678 hdev = hci_dev_get(req->amp_id);
4679 if (!hdev)
4680 goto error;
4681
4682 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4683 hci_dev_put(hdev);
4684 goto error;
4685 }
4686
4687 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4688 req->amp_id);
4689 if (chan) {
4690 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4691 struct hci_conn *hs_hcon;
4692
4693 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4694 &conn->hcon->dst);
4695 if (!hs_hcon) {
4696 hci_dev_put(hdev);
4697 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4698 chan->dcid);
4699 return 0;
4700 }
4701
4702 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4703
4704 mgr->bredr_chan = chan;
4705 chan->hs_hcon = hs_hcon;
4706 chan->fcs = L2CAP_FCS_NONE;
4707 conn->mtu = hdev->block_mtu;
4708 }
4709
4710 hci_dev_put(hdev);
4711
4712 return 0;
4713
4714error:
4715 rsp.dcid = 0;
4716 rsp.scid = cpu_to_le16(scid);
4717 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4718 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4719
4720 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4721 sizeof(rsp), &rsp);
4722
4723 return 0;
4724}
4725
4726static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4727{
4728 struct l2cap_move_chan_req req;
4729 u8 ident;
4730
4731 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4732
4733 ident = l2cap_get_ident(chan->conn);
4734 chan->ident = ident;
4735
4736 req.icid = cpu_to_le16(chan->scid);
4737 req.dest_amp_id = dest_amp_id;
4738
4739 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4740 &req);
4741
4742 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4743}
4744
4745static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4746{
4747 struct l2cap_move_chan_rsp rsp;
4748
4749 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4750
4751 rsp.icid = cpu_to_le16(chan->dcid);
4752 rsp.result = cpu_to_le16(result);
4753
4754 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4755 sizeof(rsp), &rsp);
4756}
4757
4758static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4759{
4760 struct l2cap_move_chan_cfm cfm;
4761
4762 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4763
4764 chan->ident = l2cap_get_ident(chan->conn);
4765
4766 cfm.icid = cpu_to_le16(chan->scid);
4767 cfm.result = cpu_to_le16(result);
4768
4769 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4770 sizeof(cfm), &cfm);
4771
4772 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4773}
4774
4775static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4776{
4777 struct l2cap_move_chan_cfm cfm;
4778
4779 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4780
4781 cfm.icid = cpu_to_le16(icid);
4782 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4783
4784 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4785 sizeof(cfm), &cfm);
4786}
4787
4788static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4789 u16 icid)
4790{
4791 struct l2cap_move_chan_cfm_rsp rsp;
4792
4793 BT_DBG("icid 0x%4.4x", icid);
4794
4795 rsp.icid = cpu_to_le16(icid);
4796 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4797}
4798
4799static void __release_logical_link(struct l2cap_chan *chan)
4800{
4801 chan->hs_hchan = NULL;
4802 chan->hs_hcon = NULL;
4803
4804
4805}
4806
4807static void l2cap_logical_fail(struct l2cap_chan *chan)
4808{
4809
4810 if (chan->state != BT_CONNECTED) {
4811
4812 l2cap_send_disconn_req(chan, ECONNRESET);
4813 return;
4814 }
4815
4816 switch (chan->move_role) {
4817 case L2CAP_MOVE_ROLE_RESPONDER:
4818 l2cap_move_done(chan);
4819 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4820 break;
4821 case L2CAP_MOVE_ROLE_INITIATOR:
4822 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4823 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4824
4825
4826
4827 l2cap_move_done(chan);
4828 }
4829
4830
4831
4832
4833 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4834 break;
4835 }
4836}
4837
4838static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4839 struct hci_chan *hchan)
4840{
4841 struct l2cap_conf_rsp rsp;
4842
4843 chan->hs_hchan = hchan;
4844 chan->hs_hcon->l2cap_data = chan->conn;
4845
4846 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4847
4848 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4849 int err;
4850
4851 set_default_fcs(chan);
4852
4853 err = l2cap_ertm_init(chan);
4854 if (err < 0)
4855 l2cap_send_disconn_req(chan, -err);
4856 else
4857 l2cap_chan_ready(chan);
4858 }
4859}
4860
4861static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4862 struct hci_chan *hchan)
4863{
4864 chan->hs_hcon = hchan->conn;
4865 chan->hs_hcon->l2cap_data = chan->conn;
4866
4867 BT_DBG("move_state %d", chan->move_state);
4868
4869 switch (chan->move_state) {
4870 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4871
4872
4873
4874 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4875 break;
4876 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4877 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4878 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4879 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4880 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4881 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4882 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4883 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4884 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4885 }
4886 break;
4887 default:
4888
4889 __release_logical_link(chan);
4890
4891 chan->move_state = L2CAP_MOVE_STABLE;
4892 }
4893}
4894
4895
4896void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4897 u8 status)
4898{
4899 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4900
4901 if (status) {
4902 l2cap_logical_fail(chan);
4903 __release_logical_link(chan);
4904 return;
4905 }
4906
4907 if (chan->state != BT_CONNECTED) {
4908
4909 if (chan->local_amp_id != AMP_ID_BREDR)
4910 l2cap_logical_finish_create(chan, hchan);
4911 } else {
4912 l2cap_logical_finish_move(chan, hchan);
4913 }
4914}
4915
4916void l2cap_move_start(struct l2cap_chan *chan)
4917{
4918 BT_DBG("chan %p", chan);
4919
4920 if (chan->local_amp_id == AMP_ID_BREDR) {
4921 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4922 return;
4923 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4924 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4925
4926 } else {
4927 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4928 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4929 chan->move_id = 0;
4930 l2cap_move_setup(chan);
4931 l2cap_send_move_chan_req(chan, 0);
4932 }
4933}
4934
4935static void l2cap_do_create(struct l2cap_chan *chan, int result,
4936 u8 local_amp_id, u8 remote_amp_id)
4937{
4938 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4939 local_amp_id, remote_amp_id);
4940
4941 chan->fcs = L2CAP_FCS_NONE;
4942
4943
4944 if (chan->state == BT_CONNECT) {
4945 if (result == L2CAP_CR_SUCCESS) {
4946 chan->local_amp_id = local_amp_id;
4947 l2cap_send_create_chan_req(chan, remote_amp_id);
4948 } else {
4949
4950 l2cap_send_conn_req(chan);
4951 }
4952
4953 return;
4954 }
4955
4956
4957 if (__l2cap_no_conn_pending(chan)) {
4958 struct l2cap_conn_rsp rsp;
4959 char buf[128];
4960 rsp.scid = cpu_to_le16(chan->dcid);
4961 rsp.dcid = cpu_to_le16(chan->scid);
4962
4963 if (result == L2CAP_CR_SUCCESS) {
4964
4965 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4966 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4967 } else {
4968
4969 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4970 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4971 }
4972
4973 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4974 sizeof(rsp), &rsp);
4975
4976 if (result == L2CAP_CR_SUCCESS) {
4977 l2cap_state_change(chan, BT_CONFIG);
4978 set_bit(CONF_REQ_SENT, &chan->conf_state);
4979 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4980 L2CAP_CONF_REQ,
4981 l2cap_build_conf_req(chan, buf), buf);
4982 chan->num_conf_req++;
4983 }
4984 }
4985}
4986
4987static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4988 u8 remote_amp_id)
4989{
4990 l2cap_move_setup(chan);
4991 chan->move_id = local_amp_id;
4992 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4993
4994 l2cap_send_move_chan_req(chan, remote_amp_id);
4995}
4996
4997static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4998{
4999 struct hci_chan *hchan = NULL;
5000
5001
5002
5003 if (hchan) {
5004 if (hchan->state == BT_CONNECTED) {
5005
5006 chan->hs_hcon = hchan->conn;
5007 chan->hs_hcon->l2cap_data = chan->conn;
5008 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5009 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5010
5011 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5012 } else {
5013
5014 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5015 }
5016 } else {
5017
5018 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5019 }
5020}
5021
5022static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5023{
5024 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5025 u8 rsp_result;
5026 if (result == -EINVAL)
5027 rsp_result = L2CAP_MR_BAD_ID;
5028 else
5029 rsp_result = L2CAP_MR_NOT_ALLOWED;
5030
5031 l2cap_send_move_chan_rsp(chan, rsp_result);
5032 }
5033
5034 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5035 chan->move_state = L2CAP_MOVE_STABLE;
5036
5037
5038 l2cap_ertm_send(chan);
5039}
5040
5041
5042void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5043{
5044 u8 local_amp_id = chan->local_amp_id;
5045 u8 remote_amp_id = chan->remote_amp_id;
5046
5047 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5048 chan, result, local_amp_id, remote_amp_id);
5049
5050 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
5051 l2cap_chan_unlock(chan);
5052 return;
5053 }
5054
5055 if (chan->state != BT_CONNECTED) {
5056 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5057 } else if (result != L2CAP_MR_SUCCESS) {
5058 l2cap_do_move_cancel(chan, result);
5059 } else {
5060 switch (chan->move_role) {
5061 case L2CAP_MOVE_ROLE_INITIATOR:
5062 l2cap_do_move_initiate(chan, local_amp_id,
5063 remote_amp_id);
5064 break;
5065 case L2CAP_MOVE_ROLE_RESPONDER:
5066 l2cap_do_move_respond(chan, result);
5067 break;
5068 default:
5069 l2cap_do_move_cancel(chan, result);
5070 break;
5071 }
5072 }
5073}
5074
5075static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5076 struct l2cap_cmd_hdr *cmd,
5077 u16 cmd_len, void *data)
5078{
5079 struct l2cap_move_chan_req *req = data;
5080 struct l2cap_move_chan_rsp rsp;
5081 struct l2cap_chan *chan;
5082 u16 icid = 0;
5083 u16 result = L2CAP_MR_NOT_ALLOWED;
5084
5085 if (cmd_len != sizeof(*req))
5086 return -EPROTO;
5087
5088 icid = le16_to_cpu(req->icid);
5089
5090 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5091
5092 if (!conn->hs_enabled)
5093 return -EINVAL;
5094
5095 chan = l2cap_get_chan_by_dcid(conn, icid);
5096 if (!chan) {
5097 rsp.icid = cpu_to_le16(icid);
5098 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5099 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5100 sizeof(rsp), &rsp);
5101 return 0;
5102 }
5103
5104 chan->ident = cmd->ident;
5105
5106 if (chan->scid < L2CAP_CID_DYN_START ||
5107 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5108 (chan->mode != L2CAP_MODE_ERTM &&
5109 chan->mode != L2CAP_MODE_STREAMING)) {
5110 result = L2CAP_MR_NOT_ALLOWED;
5111 goto send_move_response;
5112 }
5113
5114 if (chan->local_amp_id == req->dest_amp_id) {
5115 result = L2CAP_MR_SAME_ID;
5116 goto send_move_response;
5117 }
5118
5119 if (req->dest_amp_id != AMP_ID_BREDR) {
5120 struct hci_dev *hdev;
5121 hdev = hci_dev_get(req->dest_amp_id);
5122 if (!hdev || hdev->dev_type != HCI_AMP ||
5123 !test_bit(HCI_UP, &hdev->flags)) {
5124 if (hdev)
5125 hci_dev_put(hdev);
5126
5127 result = L2CAP_MR_BAD_ID;
5128 goto send_move_response;
5129 }
5130 hci_dev_put(hdev);
5131 }
5132
5133
5134
5135
5136
5137 if ((__chan_is_moving(chan) ||
5138 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5139 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5140 result = L2CAP_MR_COLLISION;
5141 goto send_move_response;
5142 }
5143
5144 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5145 l2cap_move_setup(chan);
5146 chan->move_id = req->dest_amp_id;
5147 icid = chan->dcid;
5148
5149 if (req->dest_amp_id == AMP_ID_BREDR) {
5150
5151 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5152 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5153 result = L2CAP_MR_PEND;
5154 } else {
5155 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5156 result = L2CAP_MR_SUCCESS;
5157 }
5158 } else {
5159 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5160
5161
5162 result = L2CAP_MR_PEND;
5163 }
5164
5165send_move_response:
5166 l2cap_send_move_chan_rsp(chan, result);
5167
5168 l2cap_chan_unlock(chan);
5169
5170 return 0;
5171}
5172
5173static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5174{
5175 struct l2cap_chan *chan;
5176 struct hci_chan *hchan = NULL;
5177
5178 chan = l2cap_get_chan_by_scid(conn, icid);
5179 if (!chan) {
5180 l2cap_send_move_chan_cfm_icid(conn, icid);
5181 return;
5182 }
5183
5184 __clear_chan_timer(chan);
5185 if (result == L2CAP_MR_PEND)
5186 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5187
5188 switch (chan->move_state) {
5189 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5190
5191
5192
5193 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5194 break;
5195 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5196 if (result == L2CAP_MR_PEND) {
5197 break;
5198 } else if (test_bit(CONN_LOCAL_BUSY,
5199 &chan->conn_state)) {
5200 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5201 } else {
5202
5203
5204
5205 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5206 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5207 }
5208 break;
5209 case L2CAP_MOVE_WAIT_RSP:
5210
5211 if (result == L2CAP_MR_SUCCESS) {
5212
5213
5214
5215 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5216 } else {
5217
5218
5219
5220 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5221 }
5222
5223
5224 if (!hchan) {
5225
5226 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5227 break;
5228 }
5229
5230
5231
5232
5233 if (hchan->state != BT_CONNECTED)
5234 break;
5235
5236
5237
5238 chan->hs_hcon = hchan->conn;
5239 chan->hs_hcon->l2cap_data = chan->conn;
5240
5241 if (result == L2CAP_MR_SUCCESS) {
5242
5243 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5244 } else {
5245
5246
5247
5248 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5249 }
5250
5251 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5252 break;
5253 default:
5254
5255 chan->move_id = chan->local_amp_id;
5256 l2cap_move_done(chan);
5257 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5258 }
5259
5260 l2cap_chan_unlock(chan);
5261}
5262
5263static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5264 u16 result)
5265{
5266 struct l2cap_chan *chan;
5267
5268 chan = l2cap_get_chan_by_ident(conn, ident);
5269 if (!chan) {
5270
5271 l2cap_send_move_chan_cfm_icid(conn, icid);
5272 return;
5273 }
5274
5275 __clear_chan_timer(chan);
5276
5277 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5278 if (result == L2CAP_MR_COLLISION) {
5279 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5280 } else {
5281
5282 chan->move_id = chan->local_amp_id;
5283 l2cap_move_done(chan);
5284 }
5285 }
5286
5287 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5288
5289 l2cap_chan_unlock(chan);
5290}
5291
5292static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5293 struct l2cap_cmd_hdr *cmd,
5294 u16 cmd_len, void *data)
5295{
5296 struct l2cap_move_chan_rsp *rsp = data;
5297 u16 icid, result;
5298
5299 if (cmd_len != sizeof(*rsp))
5300 return -EPROTO;
5301
5302 icid = le16_to_cpu(rsp->icid);
5303 result = le16_to_cpu(rsp->result);
5304
5305 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5306
5307 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5308 l2cap_move_continue(conn, icid, result);
5309 else
5310 l2cap_move_fail(conn, cmd->ident, icid, result);
5311
5312 return 0;
5313}
5314
5315static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5316 struct l2cap_cmd_hdr *cmd,
5317 u16 cmd_len, void *data)
5318{
5319 struct l2cap_move_chan_cfm *cfm = data;
5320 struct l2cap_chan *chan;
5321 u16 icid, result;
5322
5323 if (cmd_len != sizeof(*cfm))
5324 return -EPROTO;
5325
5326 icid = le16_to_cpu(cfm->icid);
5327 result = le16_to_cpu(cfm->result);
5328
5329 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5330
5331 chan = l2cap_get_chan_by_dcid(conn, icid);
5332 if (!chan) {
5333
5334 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5335 return 0;
5336 }
5337
5338 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5339 if (result == L2CAP_MC_CONFIRMED) {
5340 chan->local_amp_id = chan->move_id;
5341 if (chan->local_amp_id == AMP_ID_BREDR)
5342 __release_logical_link(chan);
5343 } else {
5344 chan->move_id = chan->local_amp_id;
5345 }
5346
5347 l2cap_move_done(chan);
5348 }
5349
5350 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5351
5352 l2cap_chan_unlock(chan);
5353
5354 return 0;
5355}
5356
5357static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5358 struct l2cap_cmd_hdr *cmd,
5359 u16 cmd_len, void *data)
5360{
5361 struct l2cap_move_chan_cfm_rsp *rsp = data;
5362 struct l2cap_chan *chan;
5363 u16 icid;
5364
5365 if (cmd_len != sizeof(*rsp))
5366 return -EPROTO;
5367
5368 icid = le16_to_cpu(rsp->icid);
5369
5370 BT_DBG("icid 0x%4.4x", icid);
5371
5372 chan = l2cap_get_chan_by_scid(conn, icid);
5373 if (!chan)
5374 return 0;
5375
5376 __clear_chan_timer(chan);
5377
5378 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5379 chan->local_amp_id = chan->move_id;
5380
5381 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5382 __release_logical_link(chan);
5383
5384 l2cap_move_done(chan);
5385 }
5386
5387 l2cap_chan_unlock(chan);
5388
5389 return 0;
5390}
5391
5392static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
5393 u16 to_multiplier)
5394{
5395 u16 max_latency;
5396
5397 if (min > max || min < 6 || max > 3200)
5398 return -EINVAL;
5399
5400 if (to_multiplier < 10 || to_multiplier > 3200)
5401 return -EINVAL;
5402
5403 if (max >= to_multiplier * 8)
5404 return -EINVAL;
5405
5406 max_latency = (to_multiplier * 8 / max) - 1;
5407 if (latency > 499 || latency > max_latency)
5408 return -EINVAL;
5409
5410 return 0;
5411}
5412
5413static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5414 struct l2cap_cmd_hdr *cmd,
5415 u16 cmd_len, u8 *data)
5416{
5417 struct hci_conn *hcon = conn->hcon;
5418 struct l2cap_conn_param_update_req *req;
5419 struct l2cap_conn_param_update_rsp rsp;
5420 u16 min, max, latency, to_multiplier;
5421 int err;
5422
5423 if (!(hcon->link_mode & HCI_LM_MASTER))
5424 return -EINVAL;
5425
5426 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5427 return -EPROTO;
5428
5429 req = (struct l2cap_conn_param_update_req *) data;
5430 min = __le16_to_cpu(req->min);
5431 max = __le16_to_cpu(req->max);
5432 latency = __le16_to_cpu(req->latency);
5433 to_multiplier = __le16_to_cpu(req->to_multiplier);
5434
5435 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5436 min, max, latency, to_multiplier);
5437
5438 memset(&rsp, 0, sizeof(rsp));
5439
5440 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5441 if (err)
5442 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5443 else
5444 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5445
5446 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5447 sizeof(rsp), &rsp);
5448
5449 if (!err)
5450 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5451
5452 return 0;
5453}
5454
5455static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5456 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5457 u8 *data)
5458{
5459 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5460 u16 dcid, mtu, mps, credits, result;
5461 struct l2cap_chan *chan;
5462 int err;
5463
5464 if (cmd_len < sizeof(*rsp))
5465 return -EPROTO;
5466
5467 dcid = __le16_to_cpu(rsp->dcid);
5468 mtu = __le16_to_cpu(rsp->mtu);
5469 mps = __le16_to_cpu(rsp->mps);
5470 credits = __le16_to_cpu(rsp->credits);
5471 result = __le16_to_cpu(rsp->result);
5472
5473 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5474 return -EPROTO;
5475
5476 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5477 dcid, mtu, mps, credits, result);
5478
5479 mutex_lock(&conn->chan_lock);
5480
5481 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5482 if (!chan) {
5483 err = -EBADSLT;
5484 goto unlock;
5485 }
5486
5487 err = 0;
5488
5489 l2cap_chan_lock(chan);
5490
5491 switch (result) {
5492 case L2CAP_CR_SUCCESS:
5493 chan->ident = 0;
5494 chan->dcid = dcid;
5495 chan->omtu = mtu;
5496 chan->remote_mps = mps;
5497 chan->tx_credits = credits;
5498 l2cap_chan_ready(chan);
5499 break;
5500
5501 default:
5502 l2cap_chan_del(chan, ECONNREFUSED);
5503 break;
5504 }
5505
5506 l2cap_chan_unlock(chan);
5507
5508unlock:
5509 mutex_unlock(&conn->chan_lock);
5510
5511 return err;
5512}
5513
5514static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5515 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5516 u8 *data)
5517{
5518 int err = 0;
5519
5520 switch (cmd->code) {
5521 case L2CAP_COMMAND_REJ:
5522 l2cap_command_rej(conn, cmd, cmd_len, data);
5523 break;
5524
5525 case L2CAP_CONN_REQ:
5526 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5527 break;
5528
5529 case L2CAP_CONN_RSP:
5530 case L2CAP_CREATE_CHAN_RSP:
5531 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5532 break;
5533
5534 case L2CAP_CONF_REQ:
5535 err = l2cap_config_req(conn, cmd, cmd_len, data);
5536 break;
5537
5538 case L2CAP_CONF_RSP:
5539 l2cap_config_rsp(conn, cmd, cmd_len, data);
5540 break;
5541
5542 case L2CAP_DISCONN_REQ:
5543 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5544 break;
5545
5546 case L2CAP_DISCONN_RSP:
5547 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5548 break;
5549
5550 case L2CAP_ECHO_REQ:
5551 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5552 break;
5553
5554 case L2CAP_ECHO_RSP:
5555 break;
5556
5557 case L2CAP_INFO_REQ:
5558 err = l2cap_information_req(conn, cmd, cmd_len, data);
5559 break;
5560
5561 case L2CAP_INFO_RSP:
5562 l2cap_information_rsp(conn, cmd, cmd_len, data);
5563 break;
5564
5565 case L2CAP_CREATE_CHAN_REQ:
5566 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5567 break;
5568
5569 case L2CAP_MOVE_CHAN_REQ:
5570 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5571 break;
5572
5573 case L2CAP_MOVE_CHAN_RSP:
5574 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5575 break;
5576
5577 case L2CAP_MOVE_CHAN_CFM:
5578 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5579 break;
5580
5581 case L2CAP_MOVE_CHAN_CFM_RSP:
5582 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5583 break;
5584
5585 default:
5586 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5587 err = -EINVAL;
5588 break;
5589 }
5590
5591 return err;
5592}
5593
5594static int l2cap_le_connect_req(struct l2cap_conn *conn,
5595 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5596 u8 *data)
5597{
5598 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5599 struct l2cap_le_conn_rsp rsp;
5600 struct l2cap_chan *chan, *pchan;
5601 u16 dcid, scid, credits, mtu, mps;
5602 __le16 psm;
5603 u8 result;
5604
5605 if (cmd_len != sizeof(*req))
5606 return -EPROTO;
5607
5608 scid = __le16_to_cpu(req->scid);
5609 mtu = __le16_to_cpu(req->mtu);
5610 mps = __le16_to_cpu(req->mps);
5611 psm = req->psm;
5612 dcid = 0;
5613 credits = 0;
5614
5615 if (mtu < 23 || mps < 23)
5616 return -EPROTO;
5617
5618 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5619 scid, mtu, mps);
5620
5621
5622 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5623 &conn->hcon->dst, LE_LINK);
5624 if (!pchan) {
5625 result = L2CAP_CR_BAD_PSM;
5626 chan = NULL;
5627 goto response;
5628 }
5629
5630 mutex_lock(&conn->chan_lock);
5631 l2cap_chan_lock(pchan);
5632
5633 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5634 result = L2CAP_CR_AUTHENTICATION;
5635 chan = NULL;
5636 goto response_unlock;
5637 }
5638
5639
5640 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5641 result = L2CAP_CR_NO_MEM;
5642 chan = NULL;
5643 goto response_unlock;
5644 }
5645
5646 chan = pchan->ops->new_connection(pchan);
5647 if (!chan) {
5648 result = L2CAP_CR_NO_MEM;
5649 goto response_unlock;
5650 }
5651
5652 l2cap_le_flowctl_init(chan);
5653
5654 bacpy(&chan->src, &conn->hcon->src);
5655 bacpy(&chan->dst, &conn->hcon->dst);
5656 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5657 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5658 chan->psm = psm;
5659 chan->dcid = scid;
5660 chan->omtu = mtu;
5661 chan->remote_mps = mps;
5662 chan->tx_credits = __le16_to_cpu(req->credits);
5663
5664 __l2cap_chan_add(conn, chan);
5665 dcid = chan->scid;
5666 credits = chan->rx_credits;
5667
5668 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5669
5670 chan->ident = cmd->ident;
5671
5672 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5673 l2cap_state_change(chan, BT_CONNECT2);
5674 result = L2CAP_CR_PEND;
5675 chan->ops->defer(chan);
5676 } else {
5677 l2cap_chan_ready(chan);
5678 result = L2CAP_CR_SUCCESS;
5679 }
5680
5681response_unlock:
5682 l2cap_chan_unlock(pchan);
5683 mutex_unlock(&conn->chan_lock);
5684
5685 if (result == L2CAP_CR_PEND)
5686 return 0;
5687
5688response:
5689 if (chan) {
5690 rsp.mtu = cpu_to_le16(chan->imtu);
5691 rsp.mps = cpu_to_le16(chan->mps);
5692 } else {
5693 rsp.mtu = 0;
5694 rsp.mps = 0;
5695 }
5696
5697 rsp.dcid = cpu_to_le16(dcid);
5698 rsp.credits = cpu_to_le16(credits);
5699 rsp.result = cpu_to_le16(result);
5700
5701 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5702
5703 return 0;
5704}
5705
5706static inline int l2cap_le_credits(struct l2cap_conn *conn,
5707 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5708 u8 *data)
5709{
5710 struct l2cap_le_credits *pkt;
5711 struct l2cap_chan *chan;
5712 u16 cid, credits;
5713
5714 if (cmd_len != sizeof(*pkt))
5715 return -EPROTO;
5716
5717 pkt = (struct l2cap_le_credits *) data;
5718 cid = __le16_to_cpu(pkt->cid);
5719 credits = __le16_to_cpu(pkt->credits);
5720
5721 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5722
5723 chan = l2cap_get_chan_by_dcid(conn, cid);
5724 if (!chan)
5725 return -EBADSLT;
5726
5727 chan->tx_credits += credits;
5728
5729 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5730 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5731 chan->tx_credits--;
5732 }
5733
5734 if (chan->tx_credits)
5735 chan->ops->resume(chan);
5736
5737 l2cap_chan_unlock(chan);
5738
5739 return 0;
5740}
5741
5742static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5743 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5744 u8 *data)
5745{
5746 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5747 struct l2cap_chan *chan;
5748
5749 if (cmd_len < sizeof(*rej))
5750 return -EPROTO;
5751
5752 mutex_lock(&conn->chan_lock);
5753
5754 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5755 if (!chan)
5756 goto done;
5757
5758 l2cap_chan_lock(chan);
5759 l2cap_chan_del(chan, ECONNREFUSED);
5760 l2cap_chan_unlock(chan);
5761
5762done:
5763 mutex_unlock(&conn->chan_lock);
5764 return 0;
5765}
5766
5767static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5768 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5769 u8 *data)
5770{
5771 int err = 0;
5772
5773 if (!enable_lecoc) {
5774 switch (cmd->code) {
5775 case L2CAP_LE_CONN_REQ:
5776 case L2CAP_LE_CONN_RSP:
5777 case L2CAP_LE_CREDITS:
5778 case L2CAP_DISCONN_REQ:
5779 case L2CAP_DISCONN_RSP:
5780 return -EINVAL;
5781 }
5782 }
5783
5784 switch (cmd->code) {
5785 case L2CAP_COMMAND_REJ:
5786 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5787 break;
5788
5789 case L2CAP_CONN_PARAM_UPDATE_REQ:
5790 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5791 break;
5792
5793 case L2CAP_CONN_PARAM_UPDATE_RSP:
5794 break;
5795
5796 case L2CAP_LE_CONN_RSP:
5797 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5798 break;
5799
5800 case L2CAP_LE_CONN_REQ:
5801 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5802 break;
5803
5804 case L2CAP_LE_CREDITS:
5805 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5806 break;
5807
5808 case L2CAP_DISCONN_REQ:
5809 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5810 break;
5811
5812 case L2CAP_DISCONN_RSP:
5813 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5814 break;
5815
5816 default:
5817 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5818 err = -EINVAL;
5819 break;
5820 }
5821
5822 return err;
5823}
5824
5825static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5826 struct sk_buff *skb)
5827{
5828 struct hci_conn *hcon = conn->hcon;
5829 struct l2cap_cmd_hdr *cmd;
5830 u16 len;
5831 int err;
5832
5833 if (hcon->type != LE_LINK)
5834 goto drop;
5835
5836 if (skb->len < L2CAP_CMD_HDR_SIZE)
5837 goto drop;
5838
5839 cmd = (void *) skb->data;
5840 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5841
5842 len = le16_to_cpu(cmd->len);
5843
5844 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5845
5846 if (len != skb->len || !cmd->ident) {
5847 BT_DBG("corrupted command");
5848 goto drop;
5849 }
5850
5851 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5852 if (err) {
5853 struct l2cap_cmd_rej_unk rej;
5854
5855 BT_ERR("Wrong link type (%d)", err);
5856
5857 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5858 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5859 sizeof(rej), &rej);
5860 }
5861
5862drop:
5863 kfree_skb(skb);
5864}
5865
5866static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5867 struct sk_buff *skb)
5868{
5869 struct hci_conn *hcon = conn->hcon;
5870 u8 *data = skb->data;
5871 int len = skb->len;
5872 struct l2cap_cmd_hdr cmd;
5873 int err;
5874
5875 l2cap_raw_recv(conn, skb);
5876
5877 if (hcon->type != ACL_LINK)
5878 goto drop;
5879
5880 while (len >= L2CAP_CMD_HDR_SIZE) {
5881 u16 cmd_len;
5882 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5883 data += L2CAP_CMD_HDR_SIZE;
5884 len -= L2CAP_CMD_HDR_SIZE;
5885
5886 cmd_len = le16_to_cpu(cmd.len);
5887
5888 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5889 cmd.ident);
5890
5891 if (cmd_len > len || !cmd.ident) {
5892 BT_DBG("corrupted command");
5893 break;
5894 }
5895
5896 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5897 if (err) {
5898 struct l2cap_cmd_rej_unk rej;
5899
5900 BT_ERR("Wrong link type (%d)", err);
5901
5902 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5903 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5904 sizeof(rej), &rej);
5905 }
5906
5907 data += cmd_len;
5908 len -= cmd_len;
5909 }
5910
5911drop:
5912 kfree_skb(skb);
5913}
5914
5915static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5916{
5917 u16 our_fcs, rcv_fcs;
5918 int hdr_size;
5919
5920 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5921 hdr_size = L2CAP_EXT_HDR_SIZE;
5922 else
5923 hdr_size = L2CAP_ENH_HDR_SIZE;
5924
5925 if (chan->fcs == L2CAP_FCS_CRC16) {
5926 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5927 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5928 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5929
5930 if (our_fcs != rcv_fcs)
5931 return -EBADMSG;
5932 }
5933 return 0;
5934}
5935
5936static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5937{
5938 struct l2cap_ctrl control;
5939
5940 BT_DBG("chan %p", chan);
5941
5942 memset(&control, 0, sizeof(control));
5943 control.sframe = 1;
5944 control.final = 1;
5945 control.reqseq = chan->buffer_seq;
5946 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5947
5948 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5949 control.super = L2CAP_SUPER_RNR;
5950 l2cap_send_sframe(chan, &control);
5951 }
5952
5953 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5954 chan->unacked_frames > 0)
5955 __set_retrans_timer(chan);
5956
5957
5958 l2cap_ertm_send(chan);
5959
5960 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5961 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5962
5963
5964
5965 control.super = L2CAP_SUPER_RR;
5966 l2cap_send_sframe(chan, &control);
5967 }
5968}
5969
5970static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5971 struct sk_buff **last_frag)
5972{
5973
5974
5975
5976 if (!skb_has_frag_list(skb))
5977 skb_shinfo(skb)->frag_list = new_frag;
5978
5979 new_frag->next = NULL;
5980
5981 (*last_frag)->next = new_frag;
5982 *last_frag = new_frag;
5983
5984 skb->len += new_frag->len;
5985 skb->data_len += new_frag->len;
5986 skb->truesize += new_frag->truesize;
5987}
5988
5989static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5990 struct l2cap_ctrl *control)
5991{
5992 int err = -EINVAL;
5993
5994 switch (control->sar) {
5995 case L2CAP_SAR_UNSEGMENTED:
5996 if (chan->sdu)
5997 break;
5998
5999 err = chan->ops->recv(chan, skb);
6000 break;
6001
6002 case L2CAP_SAR_START:
6003 if (chan->sdu)
6004 break;
6005
6006 chan->sdu_len = get_unaligned_le16(skb->data);
6007 skb_pull(skb, L2CAP_SDULEN_SIZE);
6008
6009 if (chan->sdu_len > chan->imtu) {
6010 err = -EMSGSIZE;
6011 break;
6012 }
6013
6014 if (skb->len >= chan->sdu_len)
6015 break;
6016
6017 chan->sdu = skb;
6018 chan->sdu_last_frag = skb;
6019
6020 skb = NULL;
6021 err = 0;
6022 break;
6023
6024 case L2CAP_SAR_CONTINUE:
6025 if (!chan->sdu)
6026 break;
6027
6028 append_skb_frag(chan->sdu, skb,
6029 &chan->sdu_last_frag);
6030 skb = NULL;
6031
6032 if (chan->sdu->len >= chan->sdu_len)
6033 break;
6034
6035 err = 0;
6036 break;
6037
6038 case L2CAP_SAR_END:
6039 if (!chan->sdu)
6040 break;
6041
6042 append_skb_frag(chan->sdu, skb,
6043 &chan->sdu_last_frag);
6044 skb = NULL;
6045
6046 if (chan->sdu->len != chan->sdu_len)
6047 break;
6048
6049 err = chan->ops->recv(chan, chan->sdu);
6050
6051 if (!err) {
6052
6053 chan->sdu = NULL;
6054 chan->sdu_last_frag = NULL;
6055 chan->sdu_len = 0;
6056 }
6057 break;
6058 }
6059
6060 if (err) {
6061 kfree_skb(skb);
6062 kfree_skb(chan->sdu);
6063 chan->sdu = NULL;
6064 chan->sdu_last_frag = NULL;
6065 chan->sdu_len = 0;
6066 }
6067
6068 return err;
6069}
6070
6071static int l2cap_resegment(struct l2cap_chan *chan)
6072{
6073
6074 return 0;
6075}
6076
6077void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6078{
6079 u8 event;
6080
6081 if (chan->mode != L2CAP_MODE_ERTM)
6082 return;
6083
6084 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6085 l2cap_tx(chan, NULL, NULL, event);
6086}
6087
6088static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6089{
6090 int err = 0;
6091
6092
6093
6094
6095 BT_DBG("chan %p", chan);
6096
6097 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6098 struct sk_buff *skb;
6099 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6100 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6101
6102 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6103
6104 if (!skb)
6105 break;
6106
6107 skb_unlink(skb, &chan->srej_q);
6108 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6109 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
6110 if (err)
6111 break;
6112 }
6113
6114 if (skb_queue_empty(&chan->srej_q)) {
6115 chan->rx_state = L2CAP_RX_STATE_RECV;
6116 l2cap_send_ack(chan);
6117 }
6118
6119 return err;
6120}
6121
6122static void l2cap_handle_srej(struct l2cap_chan *chan,
6123 struct l2cap_ctrl *control)
6124{
6125 struct sk_buff *skb;
6126
6127 BT_DBG("chan %p, control %p", chan, control);
6128
6129 if (control->reqseq == chan->next_tx_seq) {
6130 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6131 l2cap_send_disconn_req(chan, ECONNRESET);
6132 return;
6133 }
6134
6135 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6136
6137 if (skb == NULL) {
6138 BT_DBG("Seq %d not available for retransmission",
6139 control->reqseq);
6140 return;
6141 }
6142
6143 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
6144 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6145 l2cap_send_disconn_req(chan, ECONNRESET);
6146 return;
6147 }
6148
6149 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6150
6151 if (control->poll) {
6152 l2cap_pass_to_tx(chan, control);
6153
6154 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6155 l2cap_retransmit(chan, control);
6156 l2cap_ertm_send(chan);
6157
6158 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6159 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6160 chan->srej_save_reqseq = control->reqseq;
6161 }
6162 } else {
6163 l2cap_pass_to_tx_fbit(chan, control);
6164
6165 if (control->final) {
6166 if (chan->srej_save_reqseq != control->reqseq ||
6167 !test_and_clear_bit(CONN_SREJ_ACT,
6168 &chan->conn_state))
6169 l2cap_retransmit(chan, control);
6170 } else {
6171 l2cap_retransmit(chan, control);
6172 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6173 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6174 chan->srej_save_reqseq = control->reqseq;
6175 }
6176 }
6177 }
6178}
6179
6180static void l2cap_handle_rej(struct l2cap_chan *chan,
6181 struct l2cap_ctrl *control)
6182{
6183 struct sk_buff *skb;
6184
6185 BT_DBG("chan %p, control %p", chan, control);
6186
6187 if (control->reqseq == chan->next_tx_seq) {
6188 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6189 l2cap_send_disconn_req(chan, ECONNRESET);
6190 return;
6191 }
6192
6193 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6194
6195 if (chan->max_tx && skb &&
6196 bt_cb(skb)->control.retries >= chan->max_tx) {
6197 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6198 l2cap_send_disconn_req(chan, ECONNRESET);
6199 return;
6200 }
6201
6202 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6203
6204 l2cap_pass_to_tx(chan, control);
6205
6206 if (control->final) {
6207 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6208 l2cap_retransmit_all(chan, control);
6209 } else {
6210 l2cap_retransmit_all(chan, control);
6211 l2cap_ertm_send(chan);
6212 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6213 set_bit(CONN_REJ_ACT, &chan->conn_state);
6214 }
6215}
6216
6217static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6218{
6219 BT_DBG("chan %p, txseq %d", chan, txseq);
6220
6221 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6222 chan->expected_tx_seq);
6223
6224 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6225 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6226 chan->tx_win) {
6227
6228
6229
6230 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6231 BT_DBG("Invalid/Ignore - after SREJ");
6232 return L2CAP_TXSEQ_INVALID_IGNORE;
6233 } else {
6234 BT_DBG("Invalid - in window after SREJ sent");
6235 return L2CAP_TXSEQ_INVALID;
6236 }
6237 }
6238
6239 if (chan->srej_list.head == txseq) {
6240 BT_DBG("Expected SREJ");
6241 return L2CAP_TXSEQ_EXPECTED_SREJ;
6242 }
6243
6244 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6245 BT_DBG("Duplicate SREJ - txseq already stored");
6246 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6247 }
6248
6249 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6250 BT_DBG("Unexpected SREJ - not requested");
6251 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6252 }
6253 }
6254
6255 if (chan->expected_tx_seq == txseq) {
6256 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6257 chan->tx_win) {
6258 BT_DBG("Invalid - txseq outside tx window");
6259 return L2CAP_TXSEQ_INVALID;
6260 } else {
6261 BT_DBG("Expected");
6262 return L2CAP_TXSEQ_EXPECTED;
6263 }
6264 }
6265
6266 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6267 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6268 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6269 return L2CAP_TXSEQ_DUPLICATE;
6270 }
6271
6272 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6273
6274
6275
6276
6277
6278
6279
6280
6281
6282
6283
6284
6285
6286
6287
6288
6289
6290 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6291 BT_DBG("Invalid/Ignore - txseq outside tx window");
6292 return L2CAP_TXSEQ_INVALID_IGNORE;
6293 } else {
6294 BT_DBG("Invalid - txseq outside tx window");
6295 return L2CAP_TXSEQ_INVALID;
6296 }
6297 } else {
6298 BT_DBG("Unexpected - txseq indicates missing frames");
6299 return L2CAP_TXSEQ_UNEXPECTED;
6300 }
6301}
6302
6303static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6304 struct l2cap_ctrl *control,
6305 struct sk_buff *skb, u8 event)
6306{
6307 int err = 0;
6308 bool skb_in_use = false;
6309
6310 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6311 event);
6312
6313 switch (event) {
6314 case L2CAP_EV_RECV_IFRAME:
6315 switch (l2cap_classify_txseq(chan, control->txseq)) {
6316 case L2CAP_TXSEQ_EXPECTED:
6317 l2cap_pass_to_tx(chan, control);
6318
6319 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6320 BT_DBG("Busy, discarding expected seq %d",
6321 control->txseq);
6322 break;
6323 }
6324
6325 chan->expected_tx_seq = __next_seq(chan,
6326 control->txseq);
6327
6328 chan->buffer_seq = chan->expected_tx_seq;
6329 skb_in_use = true;
6330
6331 err = l2cap_reassemble_sdu(chan, skb, control);
6332 if (err)
6333 break;
6334
6335 if (control->final) {
6336 if (!test_and_clear_bit(CONN_REJ_ACT,
6337 &chan->conn_state)) {
6338 control->final = 0;
6339 l2cap_retransmit_all(chan, control);
6340 l2cap_ertm_send(chan);
6341 }
6342 }
6343
6344 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6345 l2cap_send_ack(chan);
6346 break;
6347 case L2CAP_TXSEQ_UNEXPECTED:
6348 l2cap_pass_to_tx(chan, control);
6349
6350
6351
6352
6353
6354 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6355 BT_DBG("Busy, discarding unexpected seq %d",
6356 control->txseq);
6357 break;
6358 }
6359
6360
6361
6362
6363
6364 skb_queue_tail(&chan->srej_q, skb);
6365 skb_in_use = true;
6366 BT_DBG("Queued %p (queue len %d)", skb,
6367 skb_queue_len(&chan->srej_q));
6368
6369 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6370 l2cap_seq_list_clear(&chan->srej_list);
6371 l2cap_send_srej(chan, control->txseq);
6372
6373 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6374 break;
6375 case L2CAP_TXSEQ_DUPLICATE:
6376 l2cap_pass_to_tx(chan, control);
6377 break;
6378 case L2CAP_TXSEQ_INVALID_IGNORE:
6379 break;
6380 case L2CAP_TXSEQ_INVALID:
6381 default:
6382 l2cap_send_disconn_req(chan, ECONNRESET);
6383 break;
6384 }
6385 break;
6386 case L2CAP_EV_RECV_RR:
6387 l2cap_pass_to_tx(chan, control);
6388 if (control->final) {
6389 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6390
6391 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6392 !__chan_is_moving(chan)) {
6393 control->final = 0;
6394 l2cap_retransmit_all(chan, control);
6395 }
6396
6397 l2cap_ertm_send(chan);
6398 } else if (control->poll) {
6399 l2cap_send_i_or_rr_or_rnr(chan);
6400 } else {
6401 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6402 &chan->conn_state) &&
6403 chan->unacked_frames)
6404 __set_retrans_timer(chan);
6405
6406 l2cap_ertm_send(chan);
6407 }
6408 break;
6409 case L2CAP_EV_RECV_RNR:
6410 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6411 l2cap_pass_to_tx(chan, control);
6412 if (control && control->poll) {
6413 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6414 l2cap_send_rr_or_rnr(chan, 0);
6415 }
6416 __clear_retrans_timer(chan);
6417 l2cap_seq_list_clear(&chan->retrans_list);
6418 break;
6419 case L2CAP_EV_RECV_REJ:
6420 l2cap_handle_rej(chan, control);
6421 break;
6422 case L2CAP_EV_RECV_SREJ:
6423 l2cap_handle_srej(chan, control);
6424 break;
6425 default:
6426 break;
6427 }
6428
6429 if (skb && !skb_in_use) {
6430 BT_DBG("Freeing %p", skb);
6431 kfree_skb(skb);
6432 }
6433
6434 return err;
6435}
6436
6437static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6438 struct l2cap_ctrl *control,
6439 struct sk_buff *skb, u8 event)
6440{
6441 int err = 0;
6442 u16 txseq = control->txseq;
6443 bool skb_in_use = false;
6444
6445 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6446 event);
6447
6448 switch (event) {
6449 case L2CAP_EV_RECV_IFRAME:
6450 switch (l2cap_classify_txseq(chan, txseq)) {
6451 case L2CAP_TXSEQ_EXPECTED:
6452
6453 l2cap_pass_to_tx(chan, control);
6454 skb_queue_tail(&chan->srej_q, skb);
6455 skb_in_use = true;
6456 BT_DBG("Queued %p (queue len %d)", skb,
6457 skb_queue_len(&chan->srej_q));
6458
6459 chan->expected_tx_seq = __next_seq(chan, txseq);
6460 break;
6461 case L2CAP_TXSEQ_EXPECTED_SREJ:
6462 l2cap_seq_list_pop(&chan->srej_list);
6463
6464 l2cap_pass_to_tx(chan, control);
6465 skb_queue_tail(&chan->srej_q, skb);
6466 skb_in_use = true;
6467 BT_DBG("Queued %p (queue len %d)", skb,
6468 skb_queue_len(&chan->srej_q));
6469
6470 err = l2cap_rx_queued_iframes(chan);
6471 if (err)
6472 break;
6473
6474 break;
6475 case L2CAP_TXSEQ_UNEXPECTED:
6476
6477
6478
6479
6480 skb_queue_tail(&chan->srej_q, skb);
6481 skb_in_use = true;
6482 BT_DBG("Queued %p (queue len %d)", skb,
6483 skb_queue_len(&chan->srej_q));
6484
6485 l2cap_pass_to_tx(chan, control);
6486 l2cap_send_srej(chan, control->txseq);
6487 break;
6488 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6489
6490
6491
6492
6493
6494 skb_queue_tail(&chan->srej_q, skb);
6495 skb_in_use = true;
6496 BT_DBG("Queued %p (queue len %d)", skb,
6497 skb_queue_len(&chan->srej_q));
6498
6499 l2cap_pass_to_tx(chan, control);
6500 l2cap_send_srej_list(chan, control->txseq);
6501 break;
6502 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6503
6504 l2cap_pass_to_tx(chan, control);
6505 break;
6506 case L2CAP_TXSEQ_DUPLICATE:
6507
6508
6509
6510 break;
6511 case L2CAP_TXSEQ_INVALID_IGNORE:
6512 break;
6513 case L2CAP_TXSEQ_INVALID:
6514 default:
6515 l2cap_send_disconn_req(chan, ECONNRESET);
6516 break;
6517 }
6518 break;
6519 case L2CAP_EV_RECV_RR:
6520 l2cap_pass_to_tx(chan, control);
6521 if (control->final) {
6522 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6523
6524 if (!test_and_clear_bit(CONN_REJ_ACT,
6525 &chan->conn_state)) {
6526 control->final = 0;
6527 l2cap_retransmit_all(chan, control);
6528 }
6529
6530 l2cap_ertm_send(chan);
6531 } else if (control->poll) {
6532 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6533 &chan->conn_state) &&
6534 chan->unacked_frames) {
6535 __set_retrans_timer(chan);
6536 }
6537
6538 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6539 l2cap_send_srej_tail(chan);
6540 } else {
6541 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6542 &chan->conn_state) &&
6543 chan->unacked_frames)
6544 __set_retrans_timer(chan);
6545
6546 l2cap_send_ack(chan);
6547 }
6548 break;
6549 case L2CAP_EV_RECV_RNR:
6550 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6551 l2cap_pass_to_tx(chan, control);
6552 if (control->poll) {
6553 l2cap_send_srej_tail(chan);
6554 } else {
6555 struct l2cap_ctrl rr_control;
6556 memset(&rr_control, 0, sizeof(rr_control));
6557 rr_control.sframe = 1;
6558 rr_control.super = L2CAP_SUPER_RR;
6559 rr_control.reqseq = chan->buffer_seq;
6560 l2cap_send_sframe(chan, &rr_control);
6561 }
6562
6563 break;
6564 case L2CAP_EV_RECV_REJ:
6565 l2cap_handle_rej(chan, control);
6566 break;
6567 case L2CAP_EV_RECV_SREJ:
6568 l2cap_handle_srej(chan, control);
6569 break;
6570 }
6571
6572 if (skb && !skb_in_use) {
6573 BT_DBG("Freeing %p", skb);
6574 kfree_skb(skb);
6575 }
6576
6577 return err;
6578}
6579
6580static int l2cap_finish_move(struct l2cap_chan *chan)
6581{
6582 BT_DBG("chan %p", chan);
6583
6584 chan->rx_state = L2CAP_RX_STATE_RECV;
6585
6586 if (chan->hs_hcon)
6587 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6588 else
6589 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6590
6591 return l2cap_resegment(chan);
6592}
6593
6594static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6595 struct l2cap_ctrl *control,
6596 struct sk_buff *skb, u8 event)
6597{
6598 int err;
6599
6600 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6601 event);
6602
6603 if (!control->poll)
6604 return -EPROTO;
6605
6606 l2cap_process_reqseq(chan, control->reqseq);
6607
6608 if (!skb_queue_empty(&chan->tx_q))
6609 chan->tx_send_head = skb_peek(&chan->tx_q);
6610 else
6611 chan->tx_send_head = NULL;
6612
6613
6614
6615
6616 chan->next_tx_seq = control->reqseq;
6617 chan->unacked_frames = 0;
6618
6619 err = l2cap_finish_move(chan);
6620 if (err)
6621 return err;
6622
6623 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6624 l2cap_send_i_or_rr_or_rnr(chan);
6625
6626 if (event == L2CAP_EV_RECV_IFRAME)
6627 return -EPROTO;
6628
6629 return l2cap_rx_state_recv(chan, control, NULL, event);
6630}
6631
6632static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6633 struct l2cap_ctrl *control,
6634 struct sk_buff *skb, u8 event)
6635{
6636 int err;
6637
6638 if (!control->final)
6639 return -EPROTO;
6640
6641 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6642
6643 chan->rx_state = L2CAP_RX_STATE_RECV;
6644 l2cap_process_reqseq(chan, control->reqseq);
6645
6646 if (!skb_queue_empty(&chan->tx_q))
6647 chan->tx_send_head = skb_peek(&chan->tx_q);
6648 else
6649 chan->tx_send_head = NULL;
6650
6651
6652
6653
6654 chan->next_tx_seq = control->reqseq;
6655 chan->unacked_frames = 0;
6656
6657 if (chan->hs_hcon)
6658 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6659 else
6660 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6661
6662 err = l2cap_resegment(chan);
6663
6664 if (!err)
6665 err = l2cap_rx_state_recv(chan, control, skb, event);
6666
6667 return err;
6668}
6669
6670static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6671{
6672
6673 u16 unacked;
6674
6675 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6676 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6677}
6678
6679static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6680 struct sk_buff *skb, u8 event)
6681{
6682 int err = 0;
6683
6684 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6685 control, skb, event, chan->rx_state);
6686
6687 if (__valid_reqseq(chan, control->reqseq)) {
6688 switch (chan->rx_state) {
6689 case L2CAP_RX_STATE_RECV:
6690 err = l2cap_rx_state_recv(chan, control, skb, event);
6691 break;
6692 case L2CAP_RX_STATE_SREJ_SENT:
6693 err = l2cap_rx_state_srej_sent(chan, control, skb,
6694 event);
6695 break;
6696 case L2CAP_RX_STATE_WAIT_P:
6697 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6698 break;
6699 case L2CAP_RX_STATE_WAIT_F:
6700 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6701 break;
6702 default:
6703
6704 break;
6705 }
6706 } else {
6707 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6708 control->reqseq, chan->next_tx_seq,
6709 chan->expected_ack_seq);
6710 l2cap_send_disconn_req(chan, ECONNRESET);
6711 }
6712
6713 return err;
6714}
6715
6716static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6717 struct sk_buff *skb)
6718{
6719 int err = 0;
6720
6721 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6722 chan->rx_state);
6723
6724 if (l2cap_classify_txseq(chan, control->txseq) ==
6725 L2CAP_TXSEQ_EXPECTED) {
6726 l2cap_pass_to_tx(chan, control);
6727
6728 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6729 __next_seq(chan, chan->buffer_seq));
6730
6731 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6732
6733 l2cap_reassemble_sdu(chan, skb, control);
6734 } else {
6735 if (chan->sdu) {
6736 kfree_skb(chan->sdu);
6737 chan->sdu = NULL;
6738 }
6739 chan->sdu_last_frag = NULL;
6740 chan->sdu_len = 0;
6741
6742 if (skb) {
6743 BT_DBG("Freeing %p", skb);
6744 kfree_skb(skb);
6745 }
6746 }
6747
6748 chan->last_acked_seq = control->txseq;
6749 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6750
6751 return err;
6752}
6753
6754static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6755{
6756 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6757 u16 len;
6758 u8 event;
6759
6760 __unpack_control(chan, skb);
6761
6762 len = skb->len;
6763
6764
6765
6766
6767
6768
6769 if (l2cap_check_fcs(chan, skb))
6770 goto drop;
6771
6772 if (!control->sframe && control->sar == L2CAP_SAR_START)
6773 len -= L2CAP_SDULEN_SIZE;
6774
6775 if (chan->fcs == L2CAP_FCS_CRC16)
6776 len -= L2CAP_FCS_SIZE;
6777
6778 if (len > chan->mps) {
6779 l2cap_send_disconn_req(chan, ECONNRESET);
6780 goto drop;
6781 }
6782
6783 if (!control->sframe) {
6784 int err;
6785
6786 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6787 control->sar, control->reqseq, control->final,
6788 control->txseq);
6789
6790
6791
6792
6793 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6794 goto drop;
6795
6796 if (chan->mode != L2CAP_MODE_STREAMING) {
6797 event = L2CAP_EV_RECV_IFRAME;
6798 err = l2cap_rx(chan, control, skb, event);
6799 } else {
6800 err = l2cap_stream_rx(chan, control, skb);
6801 }
6802
6803 if (err)
6804 l2cap_send_disconn_req(chan, ECONNRESET);
6805 } else {
6806 const u8 rx_func_to_event[4] = {
6807 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6808 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6809 };
6810
6811
6812 if (chan->mode == L2CAP_MODE_STREAMING)
6813 goto drop;
6814
6815 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6816 control->reqseq, control->final, control->poll,
6817 control->super);
6818
6819 if (len != 0) {
6820 BT_ERR("Trailing bytes: %d in sframe", len);
6821 l2cap_send_disconn_req(chan, ECONNRESET);
6822 goto drop;
6823 }
6824
6825
6826 if (control->final && (control->poll ||
6827 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6828 goto drop;
6829
6830 event = rx_func_to_event[control->super];
6831 if (l2cap_rx(chan, control, skb, event))
6832 l2cap_send_disconn_req(chan, ECONNRESET);
6833 }
6834
6835 return 0;
6836
6837drop:
6838 kfree_skb(skb);
6839 return 0;
6840}
6841
6842static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6843{
6844 struct l2cap_conn *conn = chan->conn;
6845 struct l2cap_le_credits pkt;
6846 u16 return_credits;
6847
6848
6849
6850
6851 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6852 return;
6853
6854 return_credits = le_max_credits - chan->rx_credits;
6855
6856 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6857
6858 chan->rx_credits += return_credits;
6859
6860 pkt.cid = cpu_to_le16(chan->scid);
6861 pkt.credits = cpu_to_le16(return_credits);
6862
6863 chan->ident = l2cap_get_ident(conn);
6864
6865 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6866}
6867
6868static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6869{
6870 int err;
6871
6872 if (!chan->rx_credits) {
6873 BT_ERR("No credits to receive LE L2CAP data");
6874 return -ENOBUFS;
6875 }
6876
6877 if (chan->imtu < skb->len) {
6878 BT_ERR("Too big LE L2CAP PDU");
6879 return -ENOBUFS;
6880 }
6881
6882 chan->rx_credits--;
6883 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6884
6885 l2cap_chan_le_send_credits(chan);
6886
6887 err = 0;
6888
6889 if (!chan->sdu) {
6890 u16 sdu_len;
6891
6892 sdu_len = get_unaligned_le16(skb->data);
6893 skb_pull(skb, L2CAP_SDULEN_SIZE);
6894
6895 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6896 sdu_len, skb->len, chan->imtu);
6897
6898 if (sdu_len > chan->imtu) {
6899 BT_ERR("Too big LE L2CAP SDU length received");
6900 err = -EMSGSIZE;
6901 goto failed;
6902 }
6903
6904 if (skb->len > sdu_len) {
6905 BT_ERR("Too much LE L2CAP data received");
6906 err = -EINVAL;
6907 goto failed;
6908 }
6909
6910 if (skb->len == sdu_len)
6911 return chan->ops->recv(chan, skb);
6912
6913 chan->sdu = skb;
6914 chan->sdu_len = sdu_len;
6915 chan->sdu_last_frag = skb;
6916
6917 return 0;
6918 }
6919
6920 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6921 chan->sdu->len, skb->len, chan->sdu_len);
6922
6923 if (chan->sdu->len + skb->len > chan->sdu_len) {
6924 BT_ERR("Too much LE L2CAP data received");
6925 err = -EINVAL;
6926 goto failed;
6927 }
6928
6929 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6930 skb = NULL;
6931
6932 if (chan->sdu->len == chan->sdu_len) {
6933 err = chan->ops->recv(chan, chan->sdu);
6934 if (!err) {
6935 chan->sdu = NULL;
6936 chan->sdu_last_frag = NULL;
6937 chan->sdu_len = 0;
6938 }
6939 }
6940
6941failed:
6942 if (err) {
6943 kfree_skb(skb);
6944 kfree_skb(chan->sdu);
6945 chan->sdu = NULL;
6946 chan->sdu_last_frag = NULL;
6947 chan->sdu_len = 0;
6948 }
6949
6950
6951
6952
6953
6954 return 0;
6955}
6956
6957static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6958 struct sk_buff *skb)
6959{
6960 struct l2cap_chan *chan;
6961
6962 chan = l2cap_get_chan_by_scid(conn, cid);
6963 if (!chan) {
6964 if (cid == L2CAP_CID_A2MP) {
6965 chan = a2mp_channel_create(conn, skb);
6966 if (!chan) {
6967 kfree_skb(skb);
6968 return;
6969 }
6970
6971 l2cap_chan_lock(chan);
6972 } else {
6973 BT_DBG("unknown cid 0x%4.4x", cid);
6974
6975 kfree_skb(skb);
6976 return;
6977 }
6978 }
6979
6980 BT_DBG("chan %p, len %d", chan, skb->len);
6981
6982 if (chan->state != BT_CONNECTED)
6983 goto drop;
6984
6985 switch (chan->mode) {
6986 case L2CAP_MODE_LE_FLOWCTL:
6987 if (l2cap_le_data_rcv(chan, skb) < 0)
6988 goto drop;
6989
6990 goto done;
6991
6992 case L2CAP_MODE_BASIC:
6993
6994
6995
6996
6997
6998 if (chan->imtu < skb->len)
6999 goto drop;
7000
7001 if (!chan->ops->recv(chan, skb))
7002 goto done;
7003 break;
7004
7005 case L2CAP_MODE_ERTM:
7006 case L2CAP_MODE_STREAMING:
7007 l2cap_data_rcv(chan, skb);
7008 goto done;
7009
7010 default:
7011 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7012 break;
7013 }
7014
7015drop:
7016 kfree_skb(skb);
7017
7018done:
7019 l2cap_chan_unlock(chan);
7020}
7021
7022static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7023 struct sk_buff *skb)
7024{
7025 struct hci_conn *hcon = conn->hcon;
7026 struct l2cap_chan *chan;
7027
7028 if (hcon->type != ACL_LINK)
7029 goto drop;
7030
7031 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7032 ACL_LINK);
7033 if (!chan)
7034 goto drop;
7035
7036 BT_DBG("chan %p, len %d", chan, skb->len);
7037
7038 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7039 goto drop;
7040
7041 if (chan->imtu < skb->len)
7042 goto drop;
7043
7044
7045 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
7046 bt_cb(skb)->psm = psm;
7047
7048 if (!chan->ops->recv(chan, skb))
7049 return;
7050
7051drop:
7052 kfree_skb(skb);
7053}
7054
7055static void l2cap_att_channel(struct l2cap_conn *conn,
7056 struct sk_buff *skb)
7057{
7058 struct hci_conn *hcon = conn->hcon;
7059 struct l2cap_chan *chan;
7060
7061 if (hcon->type != LE_LINK)
7062 goto drop;
7063
7064 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
7065 &hcon->src, &hcon->dst);
7066 if (!chan)
7067 goto drop;
7068
7069 BT_DBG("chan %p, len %d", chan, skb->len);
7070
7071 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
7072 goto drop;
7073
7074 if (chan->imtu < skb->len)
7075 goto drop;
7076
7077 if (!chan->ops->recv(chan, skb))
7078 return;
7079
7080drop:
7081 kfree_skb(skb);
7082}
7083
7084static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7085{
7086 struct l2cap_hdr *lh = (void *) skb->data;
7087 u16 cid, len;
7088 __le16 psm;
7089
7090 skb_pull(skb, L2CAP_HDR_SIZE);
7091 cid = __le16_to_cpu(lh->cid);
7092 len = __le16_to_cpu(lh->len);
7093
7094 if (len != skb->len) {
7095 kfree_skb(skb);
7096 return;
7097 }
7098
7099 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7100
7101 switch (cid) {
7102 case L2CAP_CID_SIGNALING:
7103 l2cap_sig_channel(conn, skb);
7104 break;
7105
7106 case L2CAP_CID_CONN_LESS:
7107 psm = get_unaligned((__le16 *) skb->data);
7108 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7109 l2cap_conless_channel(conn, psm, skb);
7110 break;
7111
7112 case L2CAP_CID_ATT:
7113 l2cap_att_channel(conn, skb);
7114 break;
7115
7116 case L2CAP_CID_LE_SIGNALING:
7117 l2cap_le_sig_channel(conn, skb);
7118 break;
7119
7120 case L2CAP_CID_SMP:
7121 if (smp_sig_channel(conn, skb))
7122 l2cap_conn_del(conn->hcon, EACCES);
7123 break;
7124
7125 case L2CAP_FC_6LOWPAN:
7126 bt_6lowpan_recv(conn, skb);
7127 break;
7128
7129 default:
7130 l2cap_data_channel(conn, cid, skb);
7131 break;
7132 }
7133}
7134
7135
7136
7137int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7138{
7139 int exact = 0, lm1 = 0, lm2 = 0;
7140 struct l2cap_chan *c;
7141
7142 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7143
7144
7145 read_lock(&chan_list_lock);
7146 list_for_each_entry(c, &chan_list, global_l) {
7147 if (c->state != BT_LISTEN)
7148 continue;
7149
7150 if (!bacmp(&c->src, &hdev->bdaddr)) {
7151 lm1 |= HCI_LM_ACCEPT;
7152 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7153 lm1 |= HCI_LM_MASTER;
7154 exact++;
7155 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7156 lm2 |= HCI_LM_ACCEPT;
7157 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7158 lm2 |= HCI_LM_MASTER;
7159 }
7160 }
7161 read_unlock(&chan_list_lock);
7162
7163 return exact ? lm1 : lm2;
7164}
7165
7166void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7167{
7168 struct l2cap_conn *conn;
7169
7170 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7171
7172 if (!status) {
7173 conn = l2cap_conn_add(hcon);
7174 if (conn)
7175 l2cap_conn_ready(conn);
7176 } else {
7177 l2cap_conn_del(hcon, bt_to_errno(status));
7178 }
7179}
7180
7181int l2cap_disconn_ind(struct hci_conn *hcon)
7182{
7183 struct l2cap_conn *conn = hcon->l2cap_data;
7184
7185 BT_DBG("hcon %p", hcon);
7186
7187 if (!conn)
7188 return HCI_ERROR_REMOTE_USER_TERM;
7189 return conn->disc_reason;
7190}
7191
7192void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7193{
7194 BT_DBG("hcon %p reason %d", hcon, reason);
7195
7196 bt_6lowpan_del_conn(hcon->l2cap_data);
7197
7198 l2cap_conn_del(hcon, bt_to_errno(reason));
7199}
7200
7201static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7202{
7203 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7204 return;
7205
7206 if (encrypt == 0x00) {
7207 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7208 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7209 } else if (chan->sec_level == BT_SECURITY_HIGH)
7210 l2cap_chan_close(chan, ECONNREFUSED);
7211 } else {
7212 if (chan->sec_level == BT_SECURITY_MEDIUM)
7213 __clear_chan_timer(chan);
7214 }
7215}
7216
7217int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7218{
7219 struct l2cap_conn *conn = hcon->l2cap_data;
7220 struct l2cap_chan *chan;
7221
7222 if (!conn)
7223 return 0;
7224
7225 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7226
7227 if (hcon->type == LE_LINK) {
7228 if (!status && encrypt)
7229 smp_distribute_keys(conn, 0);
7230 cancel_delayed_work(&conn->security_timer);
7231 }
7232
7233 mutex_lock(&conn->chan_lock);
7234
7235 list_for_each_entry(chan, &conn->chan_l, list) {
7236 l2cap_chan_lock(chan);
7237
7238 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7239 state_to_string(chan->state));
7240
7241 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
7242 l2cap_chan_unlock(chan);
7243 continue;
7244 }
7245
7246 if (chan->scid == L2CAP_CID_ATT) {
7247 if (!status && encrypt) {
7248 chan->sec_level = hcon->sec_level;
7249 l2cap_chan_ready(chan);
7250 }
7251
7252 l2cap_chan_unlock(chan);
7253 continue;
7254 }
7255
7256 if (!__l2cap_no_conn_pending(chan)) {
7257 l2cap_chan_unlock(chan);
7258 continue;
7259 }
7260
7261 if (!status && (chan->state == BT_CONNECTED ||
7262 chan->state == BT_CONFIG)) {
7263 chan->ops->resume(chan);
7264 l2cap_check_encryption(chan, encrypt);
7265 l2cap_chan_unlock(chan);
7266 continue;
7267 }
7268
7269 if (chan->state == BT_CONNECT) {
7270 if (!status)
7271 l2cap_start_connection(chan);
7272 else
7273 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7274 } else if (chan->state == BT_CONNECT2) {
7275 struct l2cap_conn_rsp rsp;
7276 __u16 res, stat;
7277
7278 if (!status) {
7279 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7280 res = L2CAP_CR_PEND;
7281 stat = L2CAP_CS_AUTHOR_PEND;
7282 chan->ops->defer(chan);
7283 } else {
7284 l2cap_state_change(chan, BT_CONFIG);
7285 res = L2CAP_CR_SUCCESS;
7286 stat = L2CAP_CS_NO_INFO;
7287 }
7288 } else {
7289 l2cap_state_change(chan, BT_DISCONN);
7290 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7291 res = L2CAP_CR_SEC_BLOCK;
7292 stat = L2CAP_CS_NO_INFO;
7293 }
7294
7295 rsp.scid = cpu_to_le16(chan->dcid);
7296 rsp.dcid = cpu_to_le16(chan->scid);
7297 rsp.result = cpu_to_le16(res);
7298 rsp.status = cpu_to_le16(stat);
7299 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7300 sizeof(rsp), &rsp);
7301
7302 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7303 res == L2CAP_CR_SUCCESS) {
7304 char buf[128];
7305 set_bit(CONF_REQ_SENT, &chan->conf_state);
7306 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7307 L2CAP_CONF_REQ,
7308 l2cap_build_conf_req(chan, buf),
7309 buf);
7310 chan->num_conf_req++;
7311 }
7312 }
7313
7314 l2cap_chan_unlock(chan);
7315 }
7316
7317 mutex_unlock(&conn->chan_lock);
7318
7319 return 0;
7320}
7321
7322int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7323{
7324 struct l2cap_conn *conn = hcon->l2cap_data;
7325 struct l2cap_hdr *hdr;
7326 int len;
7327
7328
7329 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7330 goto drop;
7331
7332 if (!conn)
7333 conn = l2cap_conn_add(hcon);
7334
7335 if (!conn)
7336 goto drop;
7337
7338 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7339
7340 switch (flags) {
7341 case ACL_START:
7342 case ACL_START_NO_FLUSH:
7343 case ACL_COMPLETE:
7344 if (conn->rx_len) {
7345 BT_ERR("Unexpected start frame (len %d)", skb->len);
7346 kfree_skb(conn->rx_skb);
7347 conn->rx_skb = NULL;
7348 conn->rx_len = 0;
7349 l2cap_conn_unreliable(conn, ECOMM);
7350 }
7351
7352
7353 if (skb->len < L2CAP_HDR_SIZE) {
7354 BT_ERR("Frame is too short (len %d)", skb->len);
7355 l2cap_conn_unreliable(conn, ECOMM);
7356 goto drop;
7357 }
7358
7359 hdr = (struct l2cap_hdr *) skb->data;
7360 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7361
7362 if (len == skb->len) {
7363
7364 l2cap_recv_frame(conn, skb);
7365 return 0;
7366 }
7367
7368 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7369
7370 if (skb->len > len) {
7371 BT_ERR("Frame is too long (len %d, expected len %d)",
7372 skb->len, len);
7373 l2cap_conn_unreliable(conn, ECOMM);
7374 goto drop;
7375 }
7376
7377
7378 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7379 if (!conn->rx_skb)
7380 goto drop;
7381
7382 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7383 skb->len);
7384 conn->rx_len = len - skb->len;
7385 break;
7386
7387 case ACL_CONT:
7388 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7389
7390 if (!conn->rx_len) {
7391 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7392 l2cap_conn_unreliable(conn, ECOMM);
7393 goto drop;
7394 }
7395
7396 if (skb->len > conn->rx_len) {
7397 BT_ERR("Fragment is too long (len %d, expected %d)",
7398 skb->len, conn->rx_len);
7399 kfree_skb(conn->rx_skb);
7400 conn->rx_skb = NULL;
7401 conn->rx_len = 0;
7402 l2cap_conn_unreliable(conn, ECOMM);
7403 goto drop;
7404 }
7405
7406 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7407 skb->len);
7408 conn->rx_len -= skb->len;
7409
7410 if (!conn->rx_len) {
7411
7412
7413
7414
7415 struct sk_buff *rx_skb = conn->rx_skb;
7416 conn->rx_skb = NULL;
7417 l2cap_recv_frame(conn, rx_skb);
7418 }
7419 break;
7420 }
7421
7422drop:
7423 kfree_skb(skb);
7424 return 0;
7425}
7426
7427static int l2cap_debugfs_show(struct seq_file *f, void *p)
7428{
7429 struct l2cap_chan *c;
7430
7431 read_lock(&chan_list_lock);
7432
7433 list_for_each_entry(c, &chan_list, global_l) {
7434 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7435 &c->src, &c->dst,
7436 c->state, __le16_to_cpu(c->psm),
7437 c->scid, c->dcid, c->imtu, c->omtu,
7438 c->sec_level, c->mode);
7439 }
7440
7441 read_unlock(&chan_list_lock);
7442
7443 return 0;
7444}
7445
7446static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7447{
7448 return single_open(file, l2cap_debugfs_show, inode->i_private);
7449}
7450
7451static const struct file_operations l2cap_debugfs_fops = {
7452 .open = l2cap_debugfs_open,
7453 .read = seq_read,
7454 .llseek = seq_lseek,
7455 .release = single_release,
7456};
7457
7458static struct dentry *l2cap_debugfs;
7459
7460int __init l2cap_init(void)
7461{
7462 int err;
7463
7464 err = l2cap_init_sockets();
7465 if (err < 0)
7466 return err;
7467
7468 if (IS_ERR_OR_NULL(bt_debugfs))
7469 return 0;
7470
7471 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7472 NULL, &l2cap_debugfs_fops);
7473
7474 debugfs_create_u16("l2cap_le_max_credits", 0466, bt_debugfs,
7475 &le_max_credits);
7476 debugfs_create_u16("l2cap_le_default_mps", 0466, bt_debugfs,
7477 &le_default_mps);
7478
7479 bt_6lowpan_init();
7480
7481 return 0;
7482}
7483
7484void l2cap_exit(void)
7485{
7486 bt_6lowpan_cleanup();
7487 debugfs_remove(l2cap_debugfs);
7488 l2cap_cleanup_sockets();
7489}
7490
7491module_param(disable_ertm, bool, 0644);
7492MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7493
