1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31#include <linux/module.h>
32
33#include <linux/debugfs.h>
34#include <linux/crc16.h>
35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
39
40#include "smp.h"
41#include "a2mp.h"
42#include "amp.h"
43
44#define LE_FLOWCTL_MAX_CREDITS 65535
45
46bool disable_ertm;
47
48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
49
50static LIST_HEAD(chan_list);
51static DEFINE_RWLOCK(chan_list_lock);
52
53static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
55
56static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
57 u8 code, u8 ident, u16 dlen, void *data);
58static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 void *data);
60static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
61static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62
63static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
64 struct sk_buff_head *skbs, u8 event);
65
66static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67{
68 if (link_type == LE_LINK) {
69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76}
77
78static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79{
80 return bdaddr_type(hcon->type, hcon->src_type);
81}
82
83static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84{
85 return bdaddr_type(hcon->type, hcon->dst_type);
86}
87
88
89
90static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
91 u16 cid)
92{
93 struct l2cap_chan *c;
94
95 list_for_each_entry(c, &conn->chan_l, list) {
96 if (c->dcid == cid)
97 return c;
98 }
99 return NULL;
100}
101
102static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
104{
105 struct l2cap_chan *c;
106
107 list_for_each_entry(c, &conn->chan_l, list) {
108 if (c->scid == cid)
109 return c;
110 }
111 return NULL;
112}
113
114
115
116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
117 u16 cid)
118{
119 struct l2cap_chan *c;
120
121 mutex_lock(&conn->chan_lock);
122 c = __l2cap_get_chan_by_scid(conn, cid);
123 if (c)
124 l2cap_chan_lock(c);
125 mutex_unlock(&conn->chan_lock);
126
127 return c;
128}
129
130
131
132
133static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
134 u16 cid)
135{
136 struct l2cap_chan *c;
137
138 mutex_lock(&conn->chan_lock);
139 c = __l2cap_get_chan_by_dcid(conn, cid);
140 if (c)
141 l2cap_chan_lock(c);
142 mutex_unlock(&conn->chan_lock);
143
144 return c;
145}
146
147static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
148 u8 ident)
149{
150 struct l2cap_chan *c;
151
152 list_for_each_entry(c, &conn->chan_l, list) {
153 if (c->ident == ident)
154 return c;
155 }
156 return NULL;
157}
158
159static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
160 u8 ident)
161{
162 struct l2cap_chan *c;
163
164 mutex_lock(&conn->chan_lock);
165 c = __l2cap_get_chan_by_ident(conn, ident);
166 if (c)
167 l2cap_chan_lock(c);
168 mutex_unlock(&conn->chan_lock);
169
170 return c;
171}
172
173static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
174{
175 struct l2cap_chan *c;
176
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (c->sport == psm && !bacmp(&c->src, src))
179 return c;
180 }
181 return NULL;
182}
183
184int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
185{
186 int err;
187
188 write_lock(&chan_list_lock);
189
190 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
191 err = -EADDRINUSE;
192 goto done;
193 }
194
195 if (psm) {
196 chan->psm = psm;
197 chan->sport = psm;
198 err = 0;
199 } else {
200 u16 p;
201
202 err = -EINVAL;
203 for (p = 0x1001; p < 0x1100; p += 2)
204 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
205 chan->psm = cpu_to_le16(p);
206 chan->sport = cpu_to_le16(p);
207 err = 0;
208 break;
209 }
210 }
211
212done:
213 write_unlock(&chan_list_lock);
214 return err;
215}
216EXPORT_SYMBOL_GPL(l2cap_add_psm);
217
218int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
219{
220 write_lock(&chan_list_lock);
221
222
223 chan->omtu = L2CAP_DEFAULT_MTU;
224 chan->chan_type = L2CAP_CHAN_FIXED;
225
226 chan->scid = scid;
227
228 write_unlock(&chan_list_lock);
229
230 return 0;
231}
232
233static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
234{
235 u16 cid, dyn_end;
236
237 if (conn->hcon->type == LE_LINK)
238 dyn_end = L2CAP_CID_LE_DYN_END;
239 else
240 dyn_end = L2CAP_CID_DYN_END;
241
242 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
243 if (!__l2cap_get_chan_by_scid(conn, cid))
244 return cid;
245 }
246
247 return 0;
248}
249
250static void l2cap_state_change(struct l2cap_chan *chan, int state)
251{
252 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
253 state_to_string(state));
254
255 chan->state = state;
256 chan->ops->state_change(chan, state, 0);
257}
258
259static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
260 int state, int err)
261{
262 chan->state = state;
263 chan->ops->state_change(chan, chan->state, err);
264}
265
266static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
267{
268 chan->ops->state_change(chan, chan->state, err);
269}
270
271static void __set_retrans_timer(struct l2cap_chan *chan)
272{
273 if (!delayed_work_pending(&chan->monitor_timer) &&
274 chan->retrans_timeout) {
275 l2cap_set_timer(chan, &chan->retrans_timer,
276 msecs_to_jiffies(chan->retrans_timeout));
277 }
278}
279
280static void __set_monitor_timer(struct l2cap_chan *chan)
281{
282 __clear_retrans_timer(chan);
283 if (chan->monitor_timeout) {
284 l2cap_set_timer(chan, &chan->monitor_timer,
285 msecs_to_jiffies(chan->monitor_timeout));
286 }
287}
288
289static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
290 u16 seq)
291{
292 struct sk_buff *skb;
293
294 skb_queue_walk(head, skb) {
295 if (bt_cb(skb)->control.txseq == seq)
296 return skb;
297 }
298
299 return NULL;
300}
301
302
303
304
305
306
307
308
309
310
311
312
313static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
314{
315 size_t alloc_size, i;
316
317
318
319
320
321 alloc_size = roundup_pow_of_two(size);
322
323 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
324 if (!seq_list->list)
325 return -ENOMEM;
326
327 seq_list->mask = alloc_size - 1;
328 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
329 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
330 for (i = 0; i < alloc_size; i++)
331 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
332
333 return 0;
334}
335
336static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
337{
338 kfree(seq_list->list);
339}
340
341static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
342 u16 seq)
343{
344
345 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
346}
347
348static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
349{
350 u16 seq = seq_list->head;
351 u16 mask = seq_list->mask;
352
353 seq_list->head = seq_list->list[seq & mask];
354 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
355
356 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
357 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
358 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
359 }
360
361 return seq;
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
366 u16 i;
367
368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382
383
384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
386
387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
394}
395
396static void l2cap_chan_timeout(struct work_struct *work)
397{
398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
399 chan_timer.work);
400 struct l2cap_conn *conn = chan->conn;
401 int reason;
402
403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
404
405 mutex_lock(&conn->chan_lock);
406 l2cap_chan_lock(chan);
407
408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
409 reason = ECONNREFUSED;
410 else if (chan->state == BT_CONNECT &&
411 chan->sec_level != BT_SECURITY_SDP)
412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
416 l2cap_chan_close(chan, reason);
417
418 l2cap_chan_unlock(chan);
419
420 chan->ops->close(chan);
421 mutex_unlock(&conn->chan_lock);
422
423 l2cap_chan_put(chan);
424}
425
426struct l2cap_chan *l2cap_chan_create(void)
427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
434 mutex_init(&chan->lock);
435
436
437 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
438
439 write_lock(&chan_list_lock);
440 list_add(&chan->global_l, &chan_list);
441 write_unlock(&chan_list_lock);
442
443 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
444
445 chan->state = BT_OPEN;
446
447 kref_init(&chan->kref);
448
449
450 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
451
452 BT_DBG("chan %p", chan);
453
454 return chan;
455}
456EXPORT_SYMBOL_GPL(l2cap_chan_create);
457
458static void l2cap_chan_destroy(struct kref *kref)
459{
460 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
461
462 BT_DBG("chan %p", chan);
463
464 write_lock(&chan_list_lock);
465 list_del(&chan->global_l);
466 write_unlock(&chan_list_lock);
467
468 kfree(chan);
469}
470
471void l2cap_chan_hold(struct l2cap_chan *c)
472{
473 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
474
475 kref_get(&c->kref);
476}
477
478void l2cap_chan_put(struct l2cap_chan *c)
479{
480 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
481
482 kref_put(&c->kref, l2cap_chan_destroy);
483}
484EXPORT_SYMBOL_GPL(l2cap_chan_put);
485
486void l2cap_chan_set_defaults(struct l2cap_chan *chan)
487{
488 chan->fcs = L2CAP_FCS_CRC16;
489 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
490 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
491 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
492 chan->remote_max_tx = chan->max_tx;
493 chan->remote_tx_win = chan->tx_win;
494 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
495 chan->sec_level = BT_SECURITY_LOW;
496 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
497 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
498 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
499 chan->conf_state = 0;
500
501 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
502}
503EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
504
505static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
506{
507 chan->sdu = NULL;
508 chan->sdu_last_frag = NULL;
509 chan->sdu_len = 0;
510 chan->tx_credits = 0;
511 chan->rx_credits = le_max_credits;
512 chan->mps = min_t(u16, chan->imtu, le_default_mps);
513
514 skb_queue_head_init(&chan->tx_q);
515}
516
517void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
518{
519 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
520 __le16_to_cpu(chan->psm), chan->dcid);
521
522 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
523
524 chan->conn = conn;
525
526 switch (chan->chan_type) {
527 case L2CAP_CHAN_CONN_ORIENTED:
528
529 chan->scid = l2cap_alloc_cid(conn);
530 if (conn->hcon->type == ACL_LINK)
531 chan->omtu = L2CAP_DEFAULT_MTU;
532 break;
533
534 case L2CAP_CHAN_CONN_LESS:
535
536 chan->scid = L2CAP_CID_CONN_LESS;
537 chan->dcid = L2CAP_CID_CONN_LESS;
538 chan->omtu = L2CAP_DEFAULT_MTU;
539 break;
540
541 case L2CAP_CHAN_FIXED:
542
543 break;
544
545 default:
546
547 chan->scid = L2CAP_CID_SIGNALING;
548 chan->dcid = L2CAP_CID_SIGNALING;
549 chan->omtu = L2CAP_DEFAULT_MTU;
550 }
551
552 chan->local_id = L2CAP_BESTEFFORT_ID;
553 chan->local_stype = L2CAP_SERV_BESTEFFORT;
554 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
555 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
556 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
557 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
558
559 l2cap_chan_hold(chan);
560
561
562 if (chan->chan_type != L2CAP_CHAN_FIXED ||
563 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
564 hci_conn_hold(conn->hcon);
565
566 list_add(&chan->list, &conn->chan_l);
567}
568
569void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
570{
571 mutex_lock(&conn->chan_lock);
572 __l2cap_chan_add(conn, chan);
573 mutex_unlock(&conn->chan_lock);
574}
575
576void l2cap_chan_del(struct l2cap_chan *chan, int err)
577{
578 struct l2cap_conn *conn = chan->conn;
579
580 __clear_chan_timer(chan);
581
582 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
583 state_to_string(chan->state));
584
585 chan->ops->teardown(chan, err);
586
587 if (conn) {
588 struct amp_mgr *mgr = conn->hcon->amp_mgr;
589
590 list_del(&chan->list);
591
592 l2cap_chan_put(chan);
593
594 chan->conn = NULL;
595
596
597
598
599
600 if (chan->chan_type != L2CAP_CHAN_FIXED ||
601 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
602 hci_conn_drop(conn->hcon);
603
604 if (mgr && mgr->bredr_chan == chan)
605 mgr->bredr_chan = NULL;
606 }
607
608 if (chan->hs_hchan) {
609 struct hci_chan *hs_hchan = chan->hs_hchan;
610
611 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
612 amp_disconnect_logical_link(hs_hchan);
613 }
614
615 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
616 return;
617
618 switch(chan->mode) {
619 case L2CAP_MODE_BASIC:
620 break;
621
622 case L2CAP_MODE_LE_FLOWCTL:
623 skb_queue_purge(&chan->tx_q);
624 break;
625
626 case L2CAP_MODE_ERTM:
627 __clear_retrans_timer(chan);
628 __clear_monitor_timer(chan);
629 __clear_ack_timer(chan);
630
631 skb_queue_purge(&chan->srej_q);
632
633 l2cap_seq_list_free(&chan->srej_list);
634 l2cap_seq_list_free(&chan->retrans_list);
635
636
637
638 case L2CAP_MODE_STREAMING:
639 skb_queue_purge(&chan->tx_q);
640 break;
641 }
642
643 return;
644}
645EXPORT_SYMBOL_GPL(l2cap_chan_del);
646
647static void l2cap_conn_update_id_addr(struct work_struct *work)
648{
649 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
650 id_addr_update_work);
651 struct hci_conn *hcon = conn->hcon;
652 struct l2cap_chan *chan;
653
654 mutex_lock(&conn->chan_lock);
655
656 list_for_each_entry(chan, &conn->chan_l, list) {
657 l2cap_chan_lock(chan);
658 bacpy(&chan->dst, &hcon->dst);
659 chan->dst_type = bdaddr_dst_type(hcon);
660 l2cap_chan_unlock(chan);
661 }
662
663 mutex_unlock(&conn->chan_lock);
664}
665
666static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
667{
668 struct l2cap_conn *conn = chan->conn;
669 struct l2cap_le_conn_rsp rsp;
670 u16 result;
671
672 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
673 result = L2CAP_CR_AUTHORIZATION;
674 else
675 result = L2CAP_CR_BAD_PSM;
676
677 l2cap_state_change(chan, BT_DISCONN);
678
679 rsp.dcid = cpu_to_le16(chan->scid);
680 rsp.mtu = cpu_to_le16(chan->imtu);
681 rsp.mps = cpu_to_le16(chan->mps);
682 rsp.credits = cpu_to_le16(chan->rx_credits);
683 rsp.result = cpu_to_le16(result);
684
685 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
686 &rsp);
687}
688
689static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
690{
691 struct l2cap_conn *conn = chan->conn;
692 struct l2cap_conn_rsp rsp;
693 u16 result;
694
695 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
696 result = L2CAP_CR_SEC_BLOCK;
697 else
698 result = L2CAP_CR_BAD_PSM;
699
700 l2cap_state_change(chan, BT_DISCONN);
701
702 rsp.scid = cpu_to_le16(chan->dcid);
703 rsp.dcid = cpu_to_le16(chan->scid);
704 rsp.result = cpu_to_le16(result);
705 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
706
707 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
708}
709
710void l2cap_chan_close(struct l2cap_chan *chan, int reason)
711{
712 struct l2cap_conn *conn = chan->conn;
713
714 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
715
716 switch (chan->state) {
717 case BT_LISTEN:
718 chan->ops->teardown(chan, 0);
719 break;
720
721 case BT_CONNECTED:
722 case BT_CONFIG:
723 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
724 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
725 l2cap_send_disconn_req(chan, reason);
726 } else
727 l2cap_chan_del(chan, reason);
728 break;
729
730 case BT_CONNECT2:
731 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
732 if (conn->hcon->type == ACL_LINK)
733 l2cap_chan_connect_reject(chan);
734 else if (conn->hcon->type == LE_LINK)
735 l2cap_chan_le_connect_reject(chan);
736 }
737
738 l2cap_chan_del(chan, reason);
739 break;
740
741 case BT_CONNECT:
742 case BT_DISCONN:
743 l2cap_chan_del(chan, reason);
744 break;
745
746 default:
747 chan->ops->teardown(chan, 0);
748 break;
749 }
750}
751EXPORT_SYMBOL(l2cap_chan_close);
752
753static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
754{
755 switch (chan->chan_type) {
756 case L2CAP_CHAN_RAW:
757 switch (chan->sec_level) {
758 case BT_SECURITY_HIGH:
759 case BT_SECURITY_FIPS:
760 return HCI_AT_DEDICATED_BONDING_MITM;
761 case BT_SECURITY_MEDIUM:
762 return HCI_AT_DEDICATED_BONDING;
763 default:
764 return HCI_AT_NO_BONDING;
765 }
766 break;
767 case L2CAP_CHAN_CONN_LESS:
768 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
769 if (chan->sec_level == BT_SECURITY_LOW)
770 chan->sec_level = BT_SECURITY_SDP;
771 }
772 if (chan->sec_level == BT_SECURITY_HIGH ||
773 chan->sec_level == BT_SECURITY_FIPS)
774 return HCI_AT_NO_BONDING_MITM;
775 else
776 return HCI_AT_NO_BONDING;
777 break;
778 case L2CAP_CHAN_CONN_ORIENTED:
779 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
780 if (chan->sec_level == BT_SECURITY_LOW)
781 chan->sec_level = BT_SECURITY_SDP;
782
783 if (chan->sec_level == BT_SECURITY_HIGH ||
784 chan->sec_level == BT_SECURITY_FIPS)
785 return HCI_AT_NO_BONDING_MITM;
786 else
787 return HCI_AT_NO_BONDING;
788 }
789
790 default:
791 switch (chan->sec_level) {
792 case BT_SECURITY_HIGH:
793 case BT_SECURITY_FIPS:
794 return HCI_AT_GENERAL_BONDING_MITM;
795 case BT_SECURITY_MEDIUM:
796 return HCI_AT_GENERAL_BONDING;
797 default:
798 return HCI_AT_NO_BONDING;
799 }
800 break;
801 }
802}
803
804
805int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
806{
807 struct l2cap_conn *conn = chan->conn;
808 __u8 auth_type;
809
810 if (conn->hcon->type == LE_LINK)
811 return smp_conn_security(conn->hcon, chan->sec_level);
812
813 auth_type = l2cap_get_auth_type(chan);
814
815 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
816 initiator);
817}
818
819static u8 l2cap_get_ident(struct l2cap_conn *conn)
820{
821 u8 id;
822
823
824
825
826
827
828
829 mutex_lock(&conn->ident_lock);
830
831 if (++conn->tx_ident > 128)
832 conn->tx_ident = 1;
833
834 id = conn->tx_ident;
835
836 mutex_unlock(&conn->ident_lock);
837
838 return id;
839}
840
841static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
842 void *data)
843{
844 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
845 u8 flags;
846
847 BT_DBG("code 0x%2.2x", code);
848
849 if (!skb)
850 return;
851
852
853
854 if (lmp_no_flush_capable(conn->hcon->hdev) ||
855 conn->hcon->type == LE_LINK)
856 flags = ACL_START_NO_FLUSH;
857 else
858 flags = ACL_START;
859
860 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
861 skb->priority = HCI_PRIO_MAX;
862
863 hci_send_acl(conn->hchan, skb, flags);
864}
865
866static bool __chan_is_moving(struct l2cap_chan *chan)
867{
868 return chan->move_state != L2CAP_MOVE_STABLE &&
869 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
870}
871
872static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
873{
874 struct hci_conn *hcon = chan->conn->hcon;
875 u16 flags;
876
877 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
878 skb->priority);
879
880 if (chan->hs_hcon && !__chan_is_moving(chan)) {
881 if (chan->hs_hchan)
882 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
883 else
884 kfree_skb(skb);
885
886 return;
887 }
888
889
890
891
892
893 if (hcon->type == LE_LINK ||
894 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
895 lmp_no_flush_capable(hcon->hdev)))
896 flags = ACL_START_NO_FLUSH;
897 else
898 flags = ACL_START;
899
900 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
901 hci_send_acl(chan->conn->hchan, skb, flags);
902}
903
904static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
905{
906 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
907 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
908
909 if (enh & L2CAP_CTRL_FRAME_TYPE) {
910
911 control->sframe = 1;
912 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
913 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
914
915 control->sar = 0;
916 control->txseq = 0;
917 } else {
918
919 control->sframe = 0;
920 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
921 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
922
923 control->poll = 0;
924 control->super = 0;
925 }
926}
927
928static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
929{
930 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
931 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
932
933 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
934
935 control->sframe = 1;
936 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
937 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
938
939 control->sar = 0;
940 control->txseq = 0;
941 } else {
942
943 control->sframe = 0;
944 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
945 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
946
947 control->poll = 0;
948 control->super = 0;
949 }
950}
951
952static inline void __unpack_control(struct l2cap_chan *chan,
953 struct sk_buff *skb)
954{
955 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
956 __unpack_extended_control(get_unaligned_le32(skb->data),
957 &bt_cb(skb)->control);
958 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
959 } else {
960 __unpack_enhanced_control(get_unaligned_le16(skb->data),
961 &bt_cb(skb)->control);
962 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
963 }
964}
965
966static u32 __pack_extended_control(struct l2cap_ctrl *control)
967{
968 u32 packed;
969
970 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
971 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
972
973 if (control->sframe) {
974 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
975 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
976 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
977 } else {
978 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
979 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
980 }
981
982 return packed;
983}
984
985static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
986{
987 u16 packed;
988
989 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
990 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
991
992 if (control->sframe) {
993 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
994 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
995 packed |= L2CAP_CTRL_FRAME_TYPE;
996 } else {
997 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
998 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
999 }
1000
1001 return packed;
1002}
1003
1004static inline void __pack_control(struct l2cap_chan *chan,
1005 struct l2cap_ctrl *control,
1006 struct sk_buff *skb)
1007{
1008 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1009 put_unaligned_le32(__pack_extended_control(control),
1010 skb->data + L2CAP_HDR_SIZE);
1011 } else {
1012 put_unaligned_le16(__pack_enhanced_control(control),
1013 skb->data + L2CAP_HDR_SIZE);
1014 }
1015}
1016
1017static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1018{
1019 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1020 return L2CAP_EXT_HDR_SIZE;
1021 else
1022 return L2CAP_ENH_HDR_SIZE;
1023}
1024
1025static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1026 u32 control)
1027{
1028 struct sk_buff *skb;
1029 struct l2cap_hdr *lh;
1030 int hlen = __ertm_hdr_size(chan);
1031
1032 if (chan->fcs == L2CAP_FCS_CRC16)
1033 hlen += L2CAP_FCS_SIZE;
1034
1035 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1036
1037 if (!skb)
1038 return ERR_PTR(-ENOMEM);
1039
1040 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1041 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1042 lh->cid = cpu_to_le16(chan->dcid);
1043
1044 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1045 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1046 else
1047 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1048
1049 if (chan->fcs == L2CAP_FCS_CRC16) {
1050 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1051 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1052 }
1053
1054 skb->priority = HCI_PRIO_MAX;
1055 return skb;
1056}
1057
1058static void l2cap_send_sframe(struct l2cap_chan *chan,
1059 struct l2cap_ctrl *control)
1060{
1061 struct sk_buff *skb;
1062 u32 control_field;
1063
1064 BT_DBG("chan %p, control %p", chan, control);
1065
1066 if (!control->sframe)
1067 return;
1068
1069 if (__chan_is_moving(chan))
1070 return;
1071
1072 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1073 !control->poll)
1074 control->final = 1;
1075
1076 if (control->super == L2CAP_SUPER_RR)
1077 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1078 else if (control->super == L2CAP_SUPER_RNR)
1079 set_bit(CONN_RNR_SENT, &chan->conn_state);
1080
1081 if (control->super != L2CAP_SUPER_SREJ) {
1082 chan->last_acked_seq = control->reqseq;
1083 __clear_ack_timer(chan);
1084 }
1085
1086 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1087 control->final, control->poll, control->super);
1088
1089 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1090 control_field = __pack_extended_control(control);
1091 else
1092 control_field = __pack_enhanced_control(control);
1093
1094 skb = l2cap_create_sframe_pdu(chan, control_field);
1095 if (!IS_ERR(skb))
1096 l2cap_do_send(chan, skb);
1097}
1098
1099static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1100{
1101 struct l2cap_ctrl control;
1102
1103 BT_DBG("chan %p, poll %d", chan, poll);
1104
1105 memset(&control, 0, sizeof(control));
1106 control.sframe = 1;
1107 control.poll = poll;
1108
1109 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1110 control.super = L2CAP_SUPER_RNR;
1111 else
1112 control.super = L2CAP_SUPER_RR;
1113
1114 control.reqseq = chan->buffer_seq;
1115 l2cap_send_sframe(chan, &control);
1116}
1117
1118static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1119{
1120 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1121 return true;
1122
1123 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1124}
1125
1126static bool __amp_capable(struct l2cap_chan *chan)
1127{
1128 struct l2cap_conn *conn = chan->conn;
1129 struct hci_dev *hdev;
1130 bool amp_available = false;
1131
1132 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1133 return false;
1134
1135 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1136 return false;
1137
1138 read_lock(&hci_dev_list_lock);
1139 list_for_each_entry(hdev, &hci_dev_list, list) {
1140 if (hdev->amp_type != AMP_TYPE_BREDR &&
1141 test_bit(HCI_UP, &hdev->flags)) {
1142 amp_available = true;
1143 break;
1144 }
1145 }
1146 read_unlock(&hci_dev_list_lock);
1147
1148 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1149 return amp_available;
1150
1151 return false;
1152}
1153
1154static bool l2cap_check_efs(struct l2cap_chan *chan)
1155{
1156
1157 return true;
1158}
1159
1160void l2cap_send_conn_req(struct l2cap_chan *chan)
1161{
1162 struct l2cap_conn *conn = chan->conn;
1163 struct l2cap_conn_req req;
1164
1165 req.scid = cpu_to_le16(chan->scid);
1166 req.psm = chan->psm;
1167
1168 chan->ident = l2cap_get_ident(conn);
1169
1170 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1171
1172 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1173}
1174
1175static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1176{
1177 struct l2cap_create_chan_req req;
1178 req.scid = cpu_to_le16(chan->scid);
1179 req.psm = chan->psm;
1180 req.amp_id = amp_id;
1181
1182 chan->ident = l2cap_get_ident(chan->conn);
1183
1184 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1185 sizeof(req), &req);
1186}
1187
1188static void l2cap_move_setup(struct l2cap_chan *chan)
1189{
1190 struct sk_buff *skb;
1191
1192 BT_DBG("chan %p", chan);
1193
1194 if (chan->mode != L2CAP_MODE_ERTM)
1195 return;
1196
1197 __clear_retrans_timer(chan);
1198 __clear_monitor_timer(chan);
1199 __clear_ack_timer(chan);
1200
1201 chan->retry_count = 0;
1202 skb_queue_walk(&chan->tx_q, skb) {
1203 if (bt_cb(skb)->control.retries)
1204 bt_cb(skb)->control.retries = 1;
1205 else
1206 break;
1207 }
1208
1209 chan->expected_tx_seq = chan->buffer_seq;
1210
1211 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1212 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1213 l2cap_seq_list_clear(&chan->retrans_list);
1214 l2cap_seq_list_clear(&chan->srej_list);
1215 skb_queue_purge(&chan->srej_q);
1216
1217 chan->tx_state = L2CAP_TX_STATE_XMIT;
1218 chan->rx_state = L2CAP_RX_STATE_MOVE;
1219
1220 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1221}
1222
1223static void l2cap_move_done(struct l2cap_chan *chan)
1224{
1225 u8 move_role = chan->move_role;
1226 BT_DBG("chan %p", chan);
1227
1228 chan->move_state = L2CAP_MOVE_STABLE;
1229 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1230
1231 if (chan->mode != L2CAP_MODE_ERTM)
1232 return;
1233
1234 switch (move_role) {
1235 case L2CAP_MOVE_ROLE_INITIATOR:
1236 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1237 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1238 break;
1239 case L2CAP_MOVE_ROLE_RESPONDER:
1240 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1241 break;
1242 }
1243}
1244
1245static void l2cap_chan_ready(struct l2cap_chan *chan)
1246{
1247
1248 chan->conf_state = 0;
1249 __clear_chan_timer(chan);
1250
1251 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1252 chan->ops->suspend(chan);
1253
1254 chan->state = BT_CONNECTED;
1255
1256 chan->ops->ready(chan);
1257}
1258
1259static void l2cap_le_connect(struct l2cap_chan *chan)
1260{
1261 struct l2cap_conn *conn = chan->conn;
1262 struct l2cap_le_conn_req req;
1263
1264 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1265 return;
1266
1267 req.psm = chan->psm;
1268 req.scid = cpu_to_le16(chan->scid);
1269 req.mtu = cpu_to_le16(chan->imtu);
1270 req.mps = cpu_to_le16(chan->mps);
1271 req.credits = cpu_to_le16(chan->rx_credits);
1272
1273 chan->ident = l2cap_get_ident(conn);
1274
1275 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1276 sizeof(req), &req);
1277}
1278
1279static void l2cap_le_start(struct l2cap_chan *chan)
1280{
1281 struct l2cap_conn *conn = chan->conn;
1282
1283 if (!smp_conn_security(conn->hcon, chan->sec_level))
1284 return;
1285
1286 if (!chan->psm) {
1287 l2cap_chan_ready(chan);
1288 return;
1289 }
1290
1291 if (chan->state == BT_CONNECT)
1292 l2cap_le_connect(chan);
1293}
1294
1295static void l2cap_start_connection(struct l2cap_chan *chan)
1296{
1297 if (__amp_capable(chan)) {
1298 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1299 a2mp_discover_amp(chan);
1300 } else if (chan->conn->hcon->type == LE_LINK) {
1301 l2cap_le_start(chan);
1302 } else {
1303 l2cap_send_conn_req(chan);
1304 }
1305}
1306
1307static void l2cap_request_info(struct l2cap_conn *conn)
1308{
1309 struct l2cap_info_req req;
1310
1311 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1312 return;
1313
1314 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1315
1316 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1317 conn->info_ident = l2cap_get_ident(conn);
1318
1319 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1320
1321 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1322 sizeof(req), &req);
1323}
1324
1325static void l2cap_do_start(struct l2cap_chan *chan)
1326{
1327 struct l2cap_conn *conn = chan->conn;
1328
1329 if (conn->hcon->type == LE_LINK) {
1330 l2cap_le_start(chan);
1331 return;
1332 }
1333
1334 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1335 l2cap_request_info(conn);
1336 return;
1337 }
1338
1339 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1340 return;
1341
1342 if (l2cap_chan_check_security(chan, true) &&
1343 __l2cap_no_conn_pending(chan))
1344 l2cap_start_connection(chan);
1345}
1346
1347static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1348{
1349 u32 local_feat_mask = l2cap_feat_mask;
1350 if (!disable_ertm)
1351 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1352
1353 switch (mode) {
1354 case L2CAP_MODE_ERTM:
1355 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1356 case L2CAP_MODE_STREAMING:
1357 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1358 default:
1359 return 0x00;
1360 }
1361}
1362
1363static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1364{
1365 struct l2cap_conn *conn = chan->conn;
1366 struct l2cap_disconn_req req;
1367
1368 if (!conn)
1369 return;
1370
1371 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1372 __clear_retrans_timer(chan);
1373 __clear_monitor_timer(chan);
1374 __clear_ack_timer(chan);
1375 }
1376
1377 if (chan->scid == L2CAP_CID_A2MP) {
1378 l2cap_state_change(chan, BT_DISCONN);
1379 return;
1380 }
1381
1382 req.dcid = cpu_to_le16(chan->dcid);
1383 req.scid = cpu_to_le16(chan->scid);
1384 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1385 sizeof(req), &req);
1386
1387 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1388}
1389
1390
1391static void l2cap_conn_start(struct l2cap_conn *conn)
1392{
1393 struct l2cap_chan *chan, *tmp;
1394
1395 BT_DBG("conn %p", conn);
1396
1397 mutex_lock(&conn->chan_lock);
1398
1399 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1400 l2cap_chan_lock(chan);
1401
1402 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1403 l2cap_chan_ready(chan);
1404 l2cap_chan_unlock(chan);
1405 continue;
1406 }
1407
1408 if (chan->state == BT_CONNECT) {
1409 if (!l2cap_chan_check_security(chan, true) ||
1410 !__l2cap_no_conn_pending(chan)) {
1411 l2cap_chan_unlock(chan);
1412 continue;
1413 }
1414
1415 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1416 && test_bit(CONF_STATE2_DEVICE,
1417 &chan->conf_state)) {
1418 l2cap_chan_close(chan, ECONNRESET);
1419 l2cap_chan_unlock(chan);
1420 continue;
1421 }
1422
1423 l2cap_start_connection(chan);
1424
1425 } else if (chan->state == BT_CONNECT2) {
1426 struct l2cap_conn_rsp rsp;
1427 char buf[128];
1428 rsp.scid = cpu_to_le16(chan->dcid);
1429 rsp.dcid = cpu_to_le16(chan->scid);
1430
1431 if (l2cap_chan_check_security(chan, false)) {
1432 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1433 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1434 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1435 chan->ops->defer(chan);
1436
1437 } else {
1438 l2cap_state_change(chan, BT_CONFIG);
1439 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1440 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1441 }
1442 } else {
1443 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1444 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1445 }
1446
1447 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1448 sizeof(rsp), &rsp);
1449
1450 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1451 rsp.result != L2CAP_CR_SUCCESS) {
1452 l2cap_chan_unlock(chan);
1453 continue;
1454 }
1455
1456 set_bit(CONF_REQ_SENT, &chan->conf_state);
1457 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1458 l2cap_build_conf_req(chan, buf), buf);
1459 chan->num_conf_req++;
1460 }
1461
1462 l2cap_chan_unlock(chan);
1463 }
1464
1465 mutex_unlock(&conn->chan_lock);
1466}
1467
1468static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1469{
1470 struct hci_conn *hcon = conn->hcon;
1471 struct hci_dev *hdev = hcon->hdev;
1472
1473 BT_DBG("%s conn %p", hdev->name, conn);
1474
1475
1476
1477
1478 if (hcon->out)
1479 smp_conn_security(hcon, hcon->pending_sec_level);
1480
1481
1482
1483
1484
1485
1486 if (hcon->role == HCI_ROLE_SLAVE &&
1487 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1488 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1489 struct l2cap_conn_param_update_req req;
1490
1491 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1492 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1493 req.latency = cpu_to_le16(hcon->le_conn_latency);
1494 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1495
1496 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1497 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1498 }
1499}
1500
1501static void l2cap_conn_ready(struct l2cap_conn *conn)
1502{
1503 struct l2cap_chan *chan;
1504 struct hci_conn *hcon = conn->hcon;
1505
1506 BT_DBG("conn %p", conn);
1507
1508 if (hcon->type == ACL_LINK)
1509 l2cap_request_info(conn);
1510
1511 mutex_lock(&conn->chan_lock);
1512
1513 list_for_each_entry(chan, &conn->chan_l, list) {
1514
1515 l2cap_chan_lock(chan);
1516
1517 if (chan->scid == L2CAP_CID_A2MP) {
1518 l2cap_chan_unlock(chan);
1519 continue;
1520 }
1521
1522 if (hcon->type == LE_LINK) {
1523 l2cap_le_start(chan);
1524 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1525 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1526 l2cap_chan_ready(chan);
1527 } else if (chan->state == BT_CONNECT) {
1528 l2cap_do_start(chan);
1529 }
1530
1531 l2cap_chan_unlock(chan);
1532 }
1533
1534 mutex_unlock(&conn->chan_lock);
1535
1536 if (hcon->type == LE_LINK)
1537 l2cap_le_conn_ready(conn);
1538
1539 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1540}
1541
1542
1543static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1544{
1545 struct l2cap_chan *chan;
1546
1547 BT_DBG("conn %p", conn);
1548
1549 mutex_lock(&conn->chan_lock);
1550
1551 list_for_each_entry(chan, &conn->chan_l, list) {
1552 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1553 l2cap_chan_set_err(chan, err);
1554 }
1555
1556 mutex_unlock(&conn->chan_lock);
1557}
1558
1559static void l2cap_info_timeout(struct work_struct *work)
1560{
1561 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1562 info_timer.work);
1563
1564 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1565 conn->info_ident = 0;
1566
1567 l2cap_conn_start(conn);
1568}
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1584{
1585 struct hci_dev *hdev = conn->hcon->hdev;
1586 int ret;
1587
1588
1589
1590
1591
1592
1593
1594
1595 hci_dev_lock(hdev);
1596
1597 if (user->list.next || user->list.prev) {
1598 ret = -EINVAL;
1599 goto out_unlock;
1600 }
1601
1602
1603 if (!conn->hchan) {
1604 ret = -ENODEV;
1605 goto out_unlock;
1606 }
1607
1608 ret = user->probe(conn, user);
1609 if (ret)
1610 goto out_unlock;
1611
1612 list_add(&user->list, &conn->users);
1613 ret = 0;
1614
1615out_unlock:
1616 hci_dev_unlock(hdev);
1617 return ret;
1618}
1619EXPORT_SYMBOL(l2cap_register_user);
1620
1621void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1622{
1623 struct hci_dev *hdev = conn->hcon->hdev;
1624
1625 hci_dev_lock(hdev);
1626
1627 if (!user->list.next || !user->list.prev)
1628 goto out_unlock;
1629
1630 list_del(&user->list);
1631 user->list.next = NULL;
1632 user->list.prev = NULL;
1633 user->remove(conn, user);
1634
1635out_unlock:
1636 hci_dev_unlock(hdev);
1637}
1638EXPORT_SYMBOL(l2cap_unregister_user);
1639
1640static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1641{
1642 struct l2cap_user *user;
1643
1644 while (!list_empty(&conn->users)) {
1645 user = list_first_entry(&conn->users, struct l2cap_user, list);
1646 list_del(&user->list);
1647 user->list.next = NULL;
1648 user->list.prev = NULL;
1649 user->remove(conn, user);
1650 }
1651}
1652
1653static void l2cap_conn_del(struct hci_conn *hcon, int err)
1654{
1655 struct l2cap_conn *conn = hcon->l2cap_data;
1656 struct l2cap_chan *chan, *l;
1657
1658 if (!conn)
1659 return;
1660
1661 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1662
1663 kfree_skb(conn->rx_skb);
1664
1665 skb_queue_purge(&conn->pending_rx);
1666
1667
1668
1669
1670
1671 if (work_pending(&conn->pending_rx_work))
1672 cancel_work_sync(&conn->pending_rx_work);
1673
1674 if (work_pending(&conn->id_addr_update_work))
1675 cancel_work_sync(&conn->id_addr_update_work);
1676
1677 l2cap_unregister_all_users(conn);
1678
1679
1680 hcon->disc_timeout = 0;
1681
1682 mutex_lock(&conn->chan_lock);
1683
1684
1685 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1686 l2cap_chan_hold(chan);
1687 l2cap_chan_lock(chan);
1688
1689 l2cap_chan_del(chan, err);
1690
1691 l2cap_chan_unlock(chan);
1692
1693 chan->ops->close(chan);
1694 l2cap_chan_put(chan);
1695 }
1696
1697 mutex_unlock(&conn->chan_lock);
1698
1699 hci_chan_del(conn->hchan);
1700
1701 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1702 cancel_delayed_work_sync(&conn->info_timer);
1703
1704 hcon->l2cap_data = NULL;
1705 conn->hchan = NULL;
1706 l2cap_conn_put(conn);
1707}
1708
1709static void l2cap_conn_free(struct kref *ref)
1710{
1711 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1712
1713 hci_conn_put(conn->hcon);
1714 kfree(conn);
1715}
1716
1717struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1718{
1719 kref_get(&conn->ref);
1720 return conn;
1721}
1722EXPORT_SYMBOL(l2cap_conn_get);
1723
1724void l2cap_conn_put(struct l2cap_conn *conn)
1725{
1726 kref_put(&conn->ref, l2cap_conn_free);
1727}
1728EXPORT_SYMBOL(l2cap_conn_put);
1729
1730
1731
1732
1733
1734
1735static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1736 bdaddr_t *src,
1737 bdaddr_t *dst,
1738 u8 link_type)
1739{
1740 struct l2cap_chan *c, *c1 = NULL;
1741
1742 read_lock(&chan_list_lock);
1743
1744 list_for_each_entry(c, &chan_list, global_l) {
1745 if (state && c->state != state)
1746 continue;
1747
1748 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1749 continue;
1750
1751 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1752 continue;
1753
1754 if (c->psm == psm) {
1755 int src_match, dst_match;
1756 int src_any, dst_any;
1757
1758
1759 src_match = !bacmp(&c->src, src);
1760 dst_match = !bacmp(&c->dst, dst);
1761 if (src_match && dst_match) {
1762 l2cap_chan_hold(c);
1763 read_unlock(&chan_list_lock);
1764 return c;
1765 }
1766
1767
1768 src_any = !bacmp(&c->src, BDADDR_ANY);
1769 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1770 if ((src_match && dst_any) || (src_any && dst_match) ||
1771 (src_any && dst_any))
1772 c1 = c;
1773 }
1774 }
1775
1776 if (c1)
1777 l2cap_chan_hold(c1);
1778
1779 read_unlock(&chan_list_lock);
1780
1781 return c1;
1782}
1783
1784static void l2cap_monitor_timeout(struct work_struct *work)
1785{
1786 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1787 monitor_timer.work);
1788
1789 BT_DBG("chan %p", chan);
1790
1791 l2cap_chan_lock(chan);
1792
1793 if (!chan->conn) {
1794 l2cap_chan_unlock(chan);
1795 l2cap_chan_put(chan);
1796 return;
1797 }
1798
1799 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1800
1801 l2cap_chan_unlock(chan);
1802 l2cap_chan_put(chan);
1803}
1804
1805static void l2cap_retrans_timeout(struct work_struct *work)
1806{
1807 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1808 retrans_timer.work);
1809
1810 BT_DBG("chan %p", chan);
1811
1812 l2cap_chan_lock(chan);
1813
1814 if (!chan->conn) {
1815 l2cap_chan_unlock(chan);
1816 l2cap_chan_put(chan);
1817 return;
1818 }
1819
1820 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1821 l2cap_chan_unlock(chan);
1822 l2cap_chan_put(chan);
1823}
1824
1825static void l2cap_streaming_send(struct l2cap_chan *chan,
1826 struct sk_buff_head *skbs)
1827{
1828 struct sk_buff *skb;
1829 struct l2cap_ctrl *control;
1830
1831 BT_DBG("chan %p, skbs %p", chan, skbs);
1832
1833 if (__chan_is_moving(chan))
1834 return;
1835
1836 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1837
1838 while (!skb_queue_empty(&chan->tx_q)) {
1839
1840 skb = skb_dequeue(&chan->tx_q);
1841
1842 bt_cb(skb)->control.retries = 1;
1843 control = &bt_cb(skb)->control;
1844
1845 control->reqseq = 0;
1846 control->txseq = chan->next_tx_seq;
1847
1848 __pack_control(chan, control, skb);
1849
1850 if (chan->fcs == L2CAP_FCS_CRC16) {
1851 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1852 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1853 }
1854
1855 l2cap_do_send(chan, skb);
1856
1857 BT_DBG("Sent txseq %u", control->txseq);
1858
1859 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1860 chan->frames_sent++;
1861 }
1862}
1863
1864static int l2cap_ertm_send(struct l2cap_chan *chan)
1865{
1866 struct sk_buff *skb, *tx_skb;
1867 struct l2cap_ctrl *control;
1868 int sent = 0;
1869
1870 BT_DBG("chan %p", chan);
1871
1872 if (chan->state != BT_CONNECTED)
1873 return -ENOTCONN;
1874
1875 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1876 return 0;
1877
1878 if (__chan_is_moving(chan))
1879 return 0;
1880
1881 while (chan->tx_send_head &&
1882 chan->unacked_frames < chan->remote_tx_win &&
1883 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1884
1885 skb = chan->tx_send_head;
1886
1887 bt_cb(skb)->control.retries = 1;
1888 control = &bt_cb(skb)->control;
1889
1890 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1891 control->final = 1;
1892
1893 control->reqseq = chan->buffer_seq;
1894 chan->last_acked_seq = chan->buffer_seq;
1895 control->txseq = chan->next_tx_seq;
1896
1897 __pack_control(chan, control, skb);
1898
1899 if (chan->fcs == L2CAP_FCS_CRC16) {
1900 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1901 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1902 }
1903
1904
1905
1906
1907 tx_skb = skb_clone(skb, GFP_KERNEL);
1908
1909 if (!tx_skb)
1910 break;
1911
1912 __set_retrans_timer(chan);
1913
1914 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1915 chan->unacked_frames++;
1916 chan->frames_sent++;
1917 sent++;
1918
1919 if (skb_queue_is_last(&chan->tx_q, skb))
1920 chan->tx_send_head = NULL;
1921 else
1922 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1923
1924 l2cap_do_send(chan, tx_skb);
1925 BT_DBG("Sent txseq %u", control->txseq);
1926 }
1927
1928 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1929 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1930
1931 return sent;
1932}
1933
1934static void l2cap_ertm_resend(struct l2cap_chan *chan)
1935{
1936 struct l2cap_ctrl control;
1937 struct sk_buff *skb;
1938 struct sk_buff *tx_skb;
1939 u16 seq;
1940
1941 BT_DBG("chan %p", chan);
1942
1943 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1944 return;
1945
1946 if (__chan_is_moving(chan))
1947 return;
1948
1949 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1950 seq = l2cap_seq_list_pop(&chan->retrans_list);
1951
1952 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1953 if (!skb) {
1954 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1955 seq);
1956 continue;
1957 }
1958
1959 bt_cb(skb)->control.retries++;
1960 control = bt_cb(skb)->control;
1961
1962 if (chan->max_tx != 0 &&
1963 bt_cb(skb)->control.retries > chan->max_tx) {
1964 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1965 l2cap_send_disconn_req(chan, ECONNRESET);
1966 l2cap_seq_list_clear(&chan->retrans_list);
1967 break;
1968 }
1969
1970 control.reqseq = chan->buffer_seq;
1971 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1972 control.final = 1;
1973 else
1974 control.final = 0;
1975
1976 if (skb_cloned(skb)) {
1977
1978
1979
1980 tx_skb = skb_copy(skb, GFP_KERNEL);
1981 } else {
1982 tx_skb = skb_clone(skb, GFP_KERNEL);
1983 }
1984
1985 if (!tx_skb) {
1986 l2cap_seq_list_clear(&chan->retrans_list);
1987 break;
1988 }
1989
1990
1991 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1992 put_unaligned_le32(__pack_extended_control(&control),
1993 tx_skb->data + L2CAP_HDR_SIZE);
1994 } else {
1995 put_unaligned_le16(__pack_enhanced_control(&control),
1996 tx_skb->data + L2CAP_HDR_SIZE);
1997 }
1998
1999
2000 if (chan->fcs == L2CAP_FCS_CRC16) {
2001 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2002 tx_skb->len - L2CAP_FCS_SIZE);
2003 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2004 L2CAP_FCS_SIZE);
2005 }
2006
2007 l2cap_do_send(chan, tx_skb);
2008
2009 BT_DBG("Resent txseq %d", control.txseq);
2010
2011 chan->last_acked_seq = chan->buffer_seq;
2012 }
2013}
2014
2015static void l2cap_retransmit(struct l2cap_chan *chan,
2016 struct l2cap_ctrl *control)
2017{
2018 BT_DBG("chan %p, control %p", chan, control);
2019
2020 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2021 l2cap_ertm_resend(chan);
2022}
2023
2024static void l2cap_retransmit_all(struct l2cap_chan *chan,
2025 struct l2cap_ctrl *control)
2026{
2027 struct sk_buff *skb;
2028
2029 BT_DBG("chan %p, control %p", chan, control);
2030
2031 if (control->poll)
2032 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2033
2034 l2cap_seq_list_clear(&chan->retrans_list);
2035
2036 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2037 return;
2038
2039 if (chan->unacked_frames) {
2040 skb_queue_walk(&chan->tx_q, skb) {
2041 if (bt_cb(skb)->control.txseq == control->reqseq ||
2042 skb == chan->tx_send_head)
2043 break;
2044 }
2045
2046 skb_queue_walk_from(&chan->tx_q, skb) {
2047 if (skb == chan->tx_send_head)
2048 break;
2049
2050 l2cap_seq_list_append(&chan->retrans_list,
2051 bt_cb(skb)->control.txseq);
2052 }
2053
2054 l2cap_ertm_resend(chan);
2055 }
2056}
2057
2058static void l2cap_send_ack(struct l2cap_chan *chan)
2059{
2060 struct l2cap_ctrl control;
2061 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2062 chan->last_acked_seq);
2063 int threshold;
2064
2065 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2066 chan, chan->last_acked_seq, chan->buffer_seq);
2067
2068 memset(&control, 0, sizeof(control));
2069 control.sframe = 1;
2070
2071 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2072 chan->rx_state == L2CAP_RX_STATE_RECV) {
2073 __clear_ack_timer(chan);
2074 control.super = L2CAP_SUPER_RNR;
2075 control.reqseq = chan->buffer_seq;
2076 l2cap_send_sframe(chan, &control);
2077 } else {
2078 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2079 l2cap_ertm_send(chan);
2080
2081 if (chan->buffer_seq == chan->last_acked_seq)
2082 frames_to_ack = 0;
2083 }
2084
2085
2086
2087
2088 threshold = chan->ack_win;
2089 threshold += threshold << 1;
2090 threshold >>= 2;
2091
2092 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2093 threshold);
2094
2095 if (frames_to_ack >= threshold) {
2096 __clear_ack_timer(chan);
2097 control.super = L2CAP_SUPER_RR;
2098 control.reqseq = chan->buffer_seq;
2099 l2cap_send_sframe(chan, &control);
2100 frames_to_ack = 0;
2101 }
2102
2103 if (frames_to_ack)
2104 __set_ack_timer(chan);
2105 }
2106}
2107
2108static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2109 struct msghdr *msg, int len,
2110 int count, struct sk_buff *skb)
2111{
2112 struct l2cap_conn *conn = chan->conn;
2113 struct sk_buff **frag;
2114 int sent = 0;
2115
2116 if (copy_from_iter(skb_put(skb, count), count, &msg->msg_iter) != count)
2117 return -EFAULT;
2118
2119 sent += count;
2120 len -= count;
2121
2122
2123 frag = &skb_shinfo(skb)->frag_list;
2124 while (len) {
2125 struct sk_buff *tmp;
2126
2127 count = min_t(unsigned int, conn->mtu, len);
2128
2129 tmp = chan->ops->alloc_skb(chan, 0, count,
2130 msg->msg_flags & MSG_DONTWAIT);
2131 if (IS_ERR(tmp))
2132 return PTR_ERR(tmp);
2133
2134 *frag = tmp;
2135
2136 if (copy_from_iter(skb_put(*frag, count), count,
2137 &msg->msg_iter) != count)
2138 return -EFAULT;
2139
2140 sent += count;
2141 len -= count;
2142
2143 skb->len += (*frag)->len;
2144 skb->data_len += (*frag)->len;
2145
2146 frag = &(*frag)->next;
2147 }
2148
2149 return sent;
2150}
2151
2152static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2153 struct msghdr *msg, size_t len)
2154{
2155 struct l2cap_conn *conn = chan->conn;
2156 struct sk_buff *skb;
2157 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2158 struct l2cap_hdr *lh;
2159
2160 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2161 __le16_to_cpu(chan->psm), len);
2162
2163 count = min_t(unsigned int, (conn->mtu - hlen), len);
2164
2165 skb = chan->ops->alloc_skb(chan, hlen, count,
2166 msg->msg_flags & MSG_DONTWAIT);
2167 if (IS_ERR(skb))
2168 return skb;
2169
2170
2171 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2172 lh->cid = cpu_to_le16(chan->dcid);
2173 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2174 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2175
2176 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2177 if (unlikely(err < 0)) {
2178 kfree_skb(skb);
2179 return ERR_PTR(err);
2180 }
2181 return skb;
2182}
2183
2184static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2185 struct msghdr *msg, size_t len)
2186{
2187 struct l2cap_conn *conn = chan->conn;
2188 struct sk_buff *skb;
2189 int err, count;
2190 struct l2cap_hdr *lh;
2191
2192 BT_DBG("chan %p len %zu", chan, len);
2193
2194 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2195
2196 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2197 msg->msg_flags & MSG_DONTWAIT);
2198 if (IS_ERR(skb))
2199 return skb;
2200
2201
2202 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2203 lh->cid = cpu_to_le16(chan->dcid);
2204 lh->len = cpu_to_le16(len);
2205
2206 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2207 if (unlikely(err < 0)) {
2208 kfree_skb(skb);
2209 return ERR_PTR(err);
2210 }
2211 return skb;
2212}
2213
2214static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2215 struct msghdr *msg, size_t len,
2216 u16 sdulen)
2217{
2218 struct l2cap_conn *conn = chan->conn;
2219 struct sk_buff *skb;
2220 int err, count, hlen;
2221 struct l2cap_hdr *lh;
2222
2223 BT_DBG("chan %p len %zu", chan, len);
2224
2225 if (!conn)
2226 return ERR_PTR(-ENOTCONN);
2227
2228 hlen = __ertm_hdr_size(chan);
2229
2230 if (sdulen)
2231 hlen += L2CAP_SDULEN_SIZE;
2232
2233 if (chan->fcs == L2CAP_FCS_CRC16)
2234 hlen += L2CAP_FCS_SIZE;
2235
2236 count = min_t(unsigned int, (conn->mtu - hlen), len);
2237
2238 skb = chan->ops->alloc_skb(chan, hlen, count,
2239 msg->msg_flags & MSG_DONTWAIT);
2240 if (IS_ERR(skb))
2241 return skb;
2242
2243
2244 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2245 lh->cid = cpu_to_le16(chan->dcid);
2246 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2247
2248
2249 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2250 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2251 else
2252 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2253
2254 if (sdulen)
2255 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2256
2257 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2258 if (unlikely(err < 0)) {
2259 kfree_skb(skb);
2260 return ERR_PTR(err);
2261 }
2262
2263 bt_cb(skb)->control.fcs = chan->fcs;
2264 bt_cb(skb)->control.retries = 0;
2265 return skb;
2266}
2267
2268static int l2cap_segment_sdu(struct l2cap_chan *chan,
2269 struct sk_buff_head *seg_queue,
2270 struct msghdr *msg, size_t len)
2271{
2272 struct sk_buff *skb;
2273 u16 sdu_len;
2274 size_t pdu_len;
2275 u8 sar;
2276
2277 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2278
2279
2280
2281
2282
2283
2284
2285 pdu_len = chan->conn->mtu;
2286
2287
2288 if (!chan->hs_hcon)
2289 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2290
2291
2292 if (chan->fcs)
2293 pdu_len -= L2CAP_FCS_SIZE;
2294
2295 pdu_len -= __ertm_hdr_size(chan);
2296
2297
2298 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2299
2300 if (len <= pdu_len) {
2301 sar = L2CAP_SAR_UNSEGMENTED;
2302 sdu_len = 0;
2303 pdu_len = len;
2304 } else {
2305 sar = L2CAP_SAR_START;
2306 sdu_len = len;
2307 }
2308
2309 while (len > 0) {
2310 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2311
2312 if (IS_ERR(skb)) {
2313 __skb_queue_purge(seg_queue);
2314 return PTR_ERR(skb);
2315 }
2316
2317 bt_cb(skb)->control.sar = sar;
2318 __skb_queue_tail(seg_queue, skb);
2319
2320 len -= pdu_len;
2321 if (sdu_len)
2322 sdu_len = 0;
2323
2324 if (len <= pdu_len) {
2325 sar = L2CAP_SAR_END;
2326 pdu_len = len;
2327 } else {
2328 sar = L2CAP_SAR_CONTINUE;
2329 }
2330 }
2331
2332 return 0;
2333}
2334
2335static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2336 struct msghdr *msg,
2337 size_t len, u16 sdulen)
2338{
2339 struct l2cap_conn *conn = chan->conn;
2340 struct sk_buff *skb;
2341 int err, count, hlen;
2342 struct l2cap_hdr *lh;
2343
2344 BT_DBG("chan %p len %zu", chan, len);
2345
2346 if (!conn)
2347 return ERR_PTR(-ENOTCONN);
2348
2349 hlen = L2CAP_HDR_SIZE;
2350
2351 if (sdulen)
2352 hlen += L2CAP_SDULEN_SIZE;
2353
2354 count = min_t(unsigned int, (conn->mtu - hlen), len);
2355
2356 skb = chan->ops->alloc_skb(chan, hlen, count,
2357 msg->msg_flags & MSG_DONTWAIT);
2358 if (IS_ERR(skb))
2359 return skb;
2360
2361
2362 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2363 lh->cid = cpu_to_le16(chan->dcid);
2364 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2365
2366 if (sdulen)
2367 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2368
2369 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2370 if (unlikely(err < 0)) {
2371 kfree_skb(skb);
2372 return ERR_PTR(err);
2373 }
2374
2375 return skb;
2376}
2377
2378static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2379 struct sk_buff_head *seg_queue,
2380 struct msghdr *msg, size_t len)
2381{
2382 struct sk_buff *skb;
2383 size_t pdu_len;
2384 u16 sdu_len;
2385
2386 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2387
2388 sdu_len = len;
2389 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2390
2391 while (len > 0) {
2392 if (len <= pdu_len)
2393 pdu_len = len;
2394
2395 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2396 if (IS_ERR(skb)) {
2397 __skb_queue_purge(seg_queue);
2398 return PTR_ERR(skb);
2399 }
2400
2401 __skb_queue_tail(seg_queue, skb);
2402
2403 len -= pdu_len;
2404
2405 if (sdu_len) {
2406 sdu_len = 0;
2407 pdu_len += L2CAP_SDULEN_SIZE;
2408 }
2409 }
2410
2411 return 0;
2412}
2413
2414int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2415{
2416 struct sk_buff *skb;
2417 int err;
2418 struct sk_buff_head seg_queue;
2419
2420 if (!chan->conn)
2421 return -ENOTCONN;
2422
2423
2424 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2425 skb = l2cap_create_connless_pdu(chan, msg, len);
2426 if (IS_ERR(skb))
2427 return PTR_ERR(skb);
2428
2429
2430
2431
2432 if (chan->state != BT_CONNECTED) {
2433 kfree_skb(skb);
2434 return -ENOTCONN;
2435 }
2436
2437 l2cap_do_send(chan, skb);
2438 return len;
2439 }
2440
2441 switch (chan->mode) {
2442 case L2CAP_MODE_LE_FLOWCTL:
2443
2444 if (len > chan->omtu)
2445 return -EMSGSIZE;
2446
2447 if (!chan->tx_credits)
2448 return -EAGAIN;
2449
2450 __skb_queue_head_init(&seg_queue);
2451
2452 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2453
2454 if (chan->state != BT_CONNECTED) {
2455 __skb_queue_purge(&seg_queue);
2456 err = -ENOTCONN;
2457 }
2458
2459 if (err)
2460 return err;
2461
2462 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2463
2464 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2465 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2466 chan->tx_credits--;
2467 }
2468
2469 if (!chan->tx_credits)
2470 chan->ops->suspend(chan);
2471
2472 err = len;
2473
2474 break;
2475
2476 case L2CAP_MODE_BASIC:
2477
2478 if (len > chan->omtu)
2479 return -EMSGSIZE;
2480
2481
2482 skb = l2cap_create_basic_pdu(chan, msg, len);
2483 if (IS_ERR(skb))
2484 return PTR_ERR(skb);
2485
2486
2487
2488
2489 if (chan->state != BT_CONNECTED) {
2490 kfree_skb(skb);
2491 return -ENOTCONN;
2492 }
2493
2494 l2cap_do_send(chan, skb);
2495 err = len;
2496 break;
2497
2498 case L2CAP_MODE_ERTM:
2499 case L2CAP_MODE_STREAMING:
2500
2501 if (len > chan->omtu) {
2502 err = -EMSGSIZE;
2503 break;
2504 }
2505
2506 __skb_queue_head_init(&seg_queue);
2507
2508
2509
2510
2511
2512 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2513
2514
2515
2516
2517 if (chan->state != BT_CONNECTED) {
2518 __skb_queue_purge(&seg_queue);
2519 err = -ENOTCONN;
2520 }
2521
2522 if (err)
2523 break;
2524
2525 if (chan->mode == L2CAP_MODE_ERTM)
2526 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2527 else
2528 l2cap_streaming_send(chan, &seg_queue);
2529
2530 err = len;
2531
2532
2533
2534
2535 __skb_queue_purge(&seg_queue);
2536 break;
2537
2538 default:
2539 BT_DBG("bad state %1.1x", chan->mode);
2540 err = -EBADFD;
2541 }
2542
2543 return err;
2544}
2545EXPORT_SYMBOL_GPL(l2cap_chan_send);
2546
2547static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2548{
2549 struct l2cap_ctrl control;
2550 u16 seq;
2551
2552 BT_DBG("chan %p, txseq %u", chan, txseq);
2553
2554 memset(&control, 0, sizeof(control));
2555 control.sframe = 1;
2556 control.super = L2CAP_SUPER_SREJ;
2557
2558 for (seq = chan->expected_tx_seq; seq != txseq;
2559 seq = __next_seq(chan, seq)) {
2560 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2561 control.reqseq = seq;
2562 l2cap_send_sframe(chan, &control);
2563 l2cap_seq_list_append(&chan->srej_list, seq);
2564 }
2565 }
2566
2567 chan->expected_tx_seq = __next_seq(chan, txseq);
2568}
2569
2570static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2571{
2572 struct l2cap_ctrl control;
2573
2574 BT_DBG("chan %p", chan);
2575
2576 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2577 return;
2578
2579 memset(&control, 0, sizeof(control));
2580 control.sframe = 1;
2581 control.super = L2CAP_SUPER_SREJ;
2582 control.reqseq = chan->srej_list.tail;
2583 l2cap_send_sframe(chan, &control);
2584}
2585
2586static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2587{
2588 struct l2cap_ctrl control;
2589 u16 initial_head;
2590 u16 seq;
2591
2592 BT_DBG("chan %p, txseq %u", chan, txseq);
2593
2594 memset(&control, 0, sizeof(control));
2595 control.sframe = 1;
2596 control.super = L2CAP_SUPER_SREJ;
2597
2598
2599 initial_head = chan->srej_list.head;
2600
2601 do {
2602 seq = l2cap_seq_list_pop(&chan->srej_list);
2603 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2604 break;
2605
2606 control.reqseq = seq;
2607 l2cap_send_sframe(chan, &control);
2608 l2cap_seq_list_append(&chan->srej_list, seq);
2609 } while (chan->srej_list.head != initial_head);
2610}
2611
2612static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2613{
2614 struct sk_buff *acked_skb;
2615 u16 ackseq;
2616
2617 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2618
2619 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2620 return;
2621
2622 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2623 chan->expected_ack_seq, chan->unacked_frames);
2624
2625 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2626 ackseq = __next_seq(chan, ackseq)) {
2627
2628 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2629 if (acked_skb) {
2630 skb_unlink(acked_skb, &chan->tx_q);
2631 kfree_skb(acked_skb);
2632 chan->unacked_frames--;
2633 }
2634 }
2635
2636 chan->expected_ack_seq = reqseq;
2637
2638 if (chan->unacked_frames == 0)
2639 __clear_retrans_timer(chan);
2640
2641 BT_DBG("unacked_frames %u", chan->unacked_frames);
2642}
2643
2644static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2645{
2646 BT_DBG("chan %p", chan);
2647
2648 chan->expected_tx_seq = chan->buffer_seq;
2649 l2cap_seq_list_clear(&chan->srej_list);
2650 skb_queue_purge(&chan->srej_q);
2651 chan->rx_state = L2CAP_RX_STATE_RECV;
2652}
2653
2654static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2655 struct l2cap_ctrl *control,
2656 struct sk_buff_head *skbs, u8 event)
2657{
2658 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2659 event);
2660
2661 switch (event) {
2662 case L2CAP_EV_DATA_REQUEST:
2663 if (chan->tx_send_head == NULL)
2664 chan->tx_send_head = skb_peek(skbs);
2665
2666 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2667 l2cap_ertm_send(chan);
2668 break;
2669 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2670 BT_DBG("Enter LOCAL_BUSY");
2671 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2672
2673 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2674
2675
2676
2677 l2cap_abort_rx_srej_sent(chan);
2678 }
2679
2680 l2cap_send_ack(chan);
2681
2682 break;
2683 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2684 BT_DBG("Exit LOCAL_BUSY");
2685 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2686
2687 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2688 struct l2cap_ctrl local_control;
2689
2690 memset(&local_control, 0, sizeof(local_control));
2691 local_control.sframe = 1;
2692 local_control.super = L2CAP_SUPER_RR;
2693 local_control.poll = 1;
2694 local_control.reqseq = chan->buffer_seq;
2695 l2cap_send_sframe(chan, &local_control);
2696
2697 chan->retry_count = 1;
2698 __set_monitor_timer(chan);
2699 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2700 }
2701 break;
2702 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2703 l2cap_process_reqseq(chan, control->reqseq);
2704 break;
2705 case L2CAP_EV_EXPLICIT_POLL:
2706 l2cap_send_rr_or_rnr(chan, 1);
2707 chan->retry_count = 1;
2708 __set_monitor_timer(chan);
2709 __clear_ack_timer(chan);
2710 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2711 break;
2712 case L2CAP_EV_RETRANS_TO:
2713 l2cap_send_rr_or_rnr(chan, 1);
2714 chan->retry_count = 1;
2715 __set_monitor_timer(chan);
2716 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2717 break;
2718 case L2CAP_EV_RECV_FBIT:
2719
2720 break;
2721 default:
2722 break;
2723 }
2724}
2725
2726static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2727 struct l2cap_ctrl *control,
2728 struct sk_buff_head *skbs, u8 event)
2729{
2730 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2731 event);
2732
2733 switch (event) {
2734 case L2CAP_EV_DATA_REQUEST:
2735 if (chan->tx_send_head == NULL)
2736 chan->tx_send_head = skb_peek(skbs);
2737
2738 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2739 break;
2740 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2741 BT_DBG("Enter LOCAL_BUSY");
2742 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2743
2744 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2745
2746
2747
2748 l2cap_abort_rx_srej_sent(chan);
2749 }
2750
2751 l2cap_send_ack(chan);
2752
2753 break;
2754 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2755 BT_DBG("Exit LOCAL_BUSY");
2756 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2757
2758 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2759 struct l2cap_ctrl local_control;
2760 memset(&local_control, 0, sizeof(local_control));
2761 local_control.sframe = 1;
2762 local_control.super = L2CAP_SUPER_RR;
2763 local_control.poll = 1;
2764 local_control.reqseq = chan->buffer_seq;
2765 l2cap_send_sframe(chan, &local_control);
2766
2767 chan->retry_count = 1;
2768 __set_monitor_timer(chan);
2769 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2770 }
2771 break;
2772 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2773 l2cap_process_reqseq(chan, control->reqseq);
2774
2775
2776
2777 case L2CAP_EV_RECV_FBIT:
2778 if (control && control->final) {
2779 __clear_monitor_timer(chan);
2780 if (chan->unacked_frames > 0)
2781 __set_retrans_timer(chan);
2782 chan->retry_count = 0;
2783 chan->tx_state = L2CAP_TX_STATE_XMIT;
2784 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2785 }
2786 break;
2787 case L2CAP_EV_EXPLICIT_POLL:
2788
2789 break;
2790 case L2CAP_EV_MONITOR_TO:
2791 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2792 l2cap_send_rr_or_rnr(chan, 1);
2793 __set_monitor_timer(chan);
2794 chan->retry_count++;
2795 } else {
2796 l2cap_send_disconn_req(chan, ECONNABORTED);
2797 }
2798 break;
2799 default:
2800 break;
2801 }
2802}
2803
2804static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2805 struct sk_buff_head *skbs, u8 event)
2806{
2807 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2808 chan, control, skbs, event, chan->tx_state);
2809
2810 switch (chan->tx_state) {
2811 case L2CAP_TX_STATE_XMIT:
2812 l2cap_tx_state_xmit(chan, control, skbs, event);
2813 break;
2814 case L2CAP_TX_STATE_WAIT_F:
2815 l2cap_tx_state_wait_f(chan, control, skbs, event);
2816 break;
2817 default:
2818
2819 break;
2820 }
2821}
2822
2823static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2824 struct l2cap_ctrl *control)
2825{
2826 BT_DBG("chan %p, control %p", chan, control);
2827 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2828}
2829
2830static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2831 struct l2cap_ctrl *control)
2832{
2833 BT_DBG("chan %p, control %p", chan, control);
2834 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2835}
2836
2837
2838static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2839{
2840 struct sk_buff *nskb;
2841 struct l2cap_chan *chan;
2842
2843 BT_DBG("conn %p", conn);
2844
2845 mutex_lock(&conn->chan_lock);
2846
2847 list_for_each_entry(chan, &conn->chan_l, list) {
2848 if (chan->chan_type != L2CAP_CHAN_RAW)
2849 continue;
2850
2851
2852 if (bt_cb(skb)->chan == chan)
2853 continue;
2854
2855 nskb = skb_clone(skb, GFP_KERNEL);
2856 if (!nskb)
2857 continue;
2858 if (chan->ops->recv(chan, nskb))
2859 kfree_skb(nskb);
2860 }
2861
2862 mutex_unlock(&conn->chan_lock);
2863}
2864
2865
2866static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2867 u8 ident, u16 dlen, void *data)
2868{
2869 struct sk_buff *skb, **frag;
2870 struct l2cap_cmd_hdr *cmd;
2871 struct l2cap_hdr *lh;
2872 int len, count;
2873
2874 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2875 conn, code, ident, dlen);
2876
2877 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2878 return NULL;
2879
2880 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2881 count = min_t(unsigned int, conn->mtu, len);
2882
2883 skb = bt_skb_alloc(count, GFP_KERNEL);
2884 if (!skb)
2885 return NULL;
2886
2887 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2888 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2889
2890 if (conn->hcon->type == LE_LINK)
2891 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2892 else
2893 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2894
2895 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2896 cmd->code = code;
2897 cmd->ident = ident;
2898 cmd->len = cpu_to_le16(dlen);
2899
2900 if (dlen) {
2901 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2902 memcpy(skb_put(skb, count), data, count);
2903 data += count;
2904 }
2905
2906 len -= skb->len;
2907
2908
2909 frag = &skb_shinfo(skb)->frag_list;
2910 while (len) {
2911 count = min_t(unsigned int, conn->mtu, len);
2912
2913 *frag = bt_skb_alloc(count, GFP_KERNEL);
2914 if (!*frag)
2915 goto fail;
2916
2917 memcpy(skb_put(*frag, count), data, count);
2918
2919 len -= count;
2920 data += count;
2921
2922 frag = &(*frag)->next;
2923 }
2924
2925 return skb;
2926
2927fail:
2928 kfree_skb(skb);
2929 return NULL;
2930}
2931
2932static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2933 unsigned long *val)
2934{
2935 struct l2cap_conf_opt *opt = *ptr;
2936 int len;
2937
2938 len = L2CAP_CONF_OPT_SIZE + opt->len;
2939 *ptr += len;
2940
2941 *type = opt->type;
2942 *olen = opt->len;
2943
2944 switch (opt->len) {
2945 case 1:
2946 *val = *((u8 *) opt->val);
2947 break;
2948
2949 case 2:
2950 *val = get_unaligned_le16(opt->val);
2951 break;
2952
2953 case 4:
2954 *val = get_unaligned_le32(opt->val);
2955 break;
2956
2957 default:
2958 *val = (unsigned long) opt->val;
2959 break;
2960 }
2961
2962 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2963 return len;
2964}
2965
2966static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2967{
2968 struct l2cap_conf_opt *opt = *ptr;
2969
2970 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2971
2972 opt->type = type;
2973 opt->len = len;
2974
2975 switch (len) {
2976 case 1:
2977 *((u8 *) opt->val) = val;
2978 break;
2979
2980 case 2:
2981 put_unaligned_le16(val, opt->val);
2982 break;
2983
2984 case 4:
2985 put_unaligned_le32(val, opt->val);
2986 break;
2987
2988 default:
2989 memcpy(opt->val, (void *) val, len);
2990 break;
2991 }
2992
2993 *ptr += L2CAP_CONF_OPT_SIZE + len;
2994}
2995
2996static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2997{
2998 struct l2cap_conf_efs efs;
2999
3000 switch (chan->mode) {
3001 case L2CAP_MODE_ERTM:
3002 efs.id = chan->local_id;
3003 efs.stype = chan->local_stype;
3004 efs.msdu = cpu_to_le16(chan->local_msdu);
3005 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3006 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3007 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3008 break;
3009
3010 case L2CAP_MODE_STREAMING:
3011 efs.id = 1;
3012 efs.stype = L2CAP_SERV_BESTEFFORT;
3013 efs.msdu = cpu_to_le16(chan->local_msdu);
3014 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3015 efs.acc_lat = 0;
3016 efs.flush_to = 0;
3017 break;
3018
3019 default:
3020 return;
3021 }
3022
3023 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3024 (unsigned long) &efs);
3025}
3026
3027static void l2cap_ack_timeout(struct work_struct *work)
3028{
3029 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3030 ack_timer.work);
3031 u16 frames_to_ack;
3032
3033 BT_DBG("chan %p", chan);
3034
3035 l2cap_chan_lock(chan);
3036
3037 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3038 chan->last_acked_seq);
3039
3040 if (frames_to_ack)
3041 l2cap_send_rr_or_rnr(chan, 0);
3042
3043 l2cap_chan_unlock(chan);
3044 l2cap_chan_put(chan);
3045}
3046
3047int l2cap_ertm_init(struct l2cap_chan *chan)
3048{
3049 int err;
3050
3051 chan->next_tx_seq = 0;
3052 chan->expected_tx_seq = 0;
3053 chan->expected_ack_seq = 0;
3054 chan->unacked_frames = 0;
3055 chan->buffer_seq = 0;
3056 chan->frames_sent = 0;
3057 chan->last_acked_seq = 0;
3058 chan->sdu = NULL;
3059 chan->sdu_last_frag = NULL;
3060 chan->sdu_len = 0;
3061
3062 skb_queue_head_init(&chan->tx_q);
3063
3064 chan->local_amp_id = AMP_ID_BREDR;
3065 chan->move_id = AMP_ID_BREDR;
3066 chan->move_state = L2CAP_MOVE_STABLE;
3067 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3068
3069 if (chan->mode != L2CAP_MODE_ERTM)
3070 return 0;
3071
3072 chan->rx_state = L2CAP_RX_STATE_RECV;
3073 chan->tx_state = L2CAP_TX_STATE_XMIT;
3074
3075 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3076 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3077 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3078
3079 skb_queue_head_init(&chan->srej_q);
3080
3081 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3082 if (err < 0)
3083 return err;
3084
3085 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3086 if (err < 0)
3087 l2cap_seq_list_free(&chan->srej_list);
3088
3089 return err;
3090}
3091
3092static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3093{
3094 switch (mode) {
3095 case L2CAP_MODE_STREAMING:
3096 case L2CAP_MODE_ERTM:
3097 if (l2cap_mode_supported(mode, remote_feat_mask))
3098 return mode;
3099
3100 default:
3101 return L2CAP_MODE_BASIC;
3102 }
3103}
3104
3105static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3106{
3107 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3108 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3109}
3110
3111static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3112{
3113 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3114 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3115}
3116
3117static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3118 struct l2cap_conf_rfc *rfc)
3119{
3120 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3121 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3137
3138
3139
3140
3141
3142 ertm_to = 3 * ertm_to + 500;
3143
3144 if (ertm_to > 0xffff)
3145 ertm_to = 0xffff;
3146
3147 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3148 rfc->monitor_timeout = rfc->retrans_timeout;
3149 } else {
3150 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3151 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3152 }
3153}
3154
3155static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3156{
3157 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3158 __l2cap_ews_supported(chan->conn)) {
3159
3160 set_bit(FLAG_EXT_CTRL, &chan->flags);
3161 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3162 } else {
3163 chan->tx_win = min_t(u16, chan->tx_win,
3164 L2CAP_DEFAULT_TX_WINDOW);
3165 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3166 }
3167 chan->ack_win = chan->tx_win;
3168}
3169
3170static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3171{
3172 struct l2cap_conf_req *req = data;
3173 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3174 void *ptr = req->data;
3175 u16 size;
3176
3177 BT_DBG("chan %p", chan);
3178
3179 if (chan->num_conf_req || chan->num_conf_rsp)
3180 goto done;
3181
3182 switch (chan->mode) {
3183 case L2CAP_MODE_STREAMING:
3184 case L2CAP_MODE_ERTM:
3185 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3186 break;
3187
3188 if (__l2cap_efs_supported(chan->conn))
3189 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3190
3191
3192 default:
3193 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3194 break;
3195 }
3196
3197done:
3198 if (chan->imtu != L2CAP_DEFAULT_MTU)
3199 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3200
3201 switch (chan->mode) {
3202 case L2CAP_MODE_BASIC:
3203 if (disable_ertm)
3204 break;
3205
3206 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3207 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3208 break;
3209
3210 rfc.mode = L2CAP_MODE_BASIC;
3211 rfc.txwin_size = 0;
3212 rfc.max_transmit = 0;
3213 rfc.retrans_timeout = 0;
3214 rfc.monitor_timeout = 0;
3215 rfc.max_pdu_size = 0;
3216
3217 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3218 (unsigned long) &rfc);
3219 break;
3220
3221 case L2CAP_MODE_ERTM:
3222 rfc.mode = L2CAP_MODE_ERTM;
3223 rfc.max_transmit = chan->max_tx;
3224
3225 __l2cap_set_ertm_timeouts(chan, &rfc);
3226
3227 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3228 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3229 L2CAP_FCS_SIZE);
3230 rfc.max_pdu_size = cpu_to_le16(size);
3231
3232 l2cap_txwin_setup(chan);
3233
3234 rfc.txwin_size = min_t(u16, chan->tx_win,
3235 L2CAP_DEFAULT_TX_WINDOW);
3236
3237 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3238 (unsigned long) &rfc);
3239
3240 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3241 l2cap_add_opt_efs(&ptr, chan);
3242
3243 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3244 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3245 chan->tx_win);
3246
3247 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3248 if (chan->fcs == L2CAP_FCS_NONE ||
3249 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3250 chan->fcs = L2CAP_FCS_NONE;
3251 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3252 chan->fcs);
3253 }
3254 break;
3255
3256 case L2CAP_MODE_STREAMING:
3257 l2cap_txwin_setup(chan);
3258 rfc.mode = L2CAP_MODE_STREAMING;
3259 rfc.txwin_size = 0;
3260 rfc.max_transmit = 0;
3261 rfc.retrans_timeout = 0;
3262 rfc.monitor_timeout = 0;
3263
3264 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3265 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3266 L2CAP_FCS_SIZE);
3267 rfc.max_pdu_size = cpu_to_le16(size);
3268
3269 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3270 (unsigned long) &rfc);
3271
3272 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3273 l2cap_add_opt_efs(&ptr, chan);
3274
3275 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3276 if (chan->fcs == L2CAP_FCS_NONE ||
3277 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3278 chan->fcs = L2CAP_FCS_NONE;
3279 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3280 chan->fcs);
3281 }
3282 break;
3283 }
3284
3285 req->dcid = cpu_to_le16(chan->dcid);
3286 req->flags = cpu_to_le16(0);
3287
3288 return ptr - data;
3289}
3290
3291static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3292{
3293 struct l2cap_conf_rsp *rsp = data;
3294 void *ptr = rsp->data;
3295 void *req = chan->conf_req;
3296 int len = chan->conf_len;
3297 int type, hint, olen;
3298 unsigned long val;
3299 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3300 struct l2cap_conf_efs efs;
3301 u8 remote_efs = 0;
3302 u16 mtu = L2CAP_DEFAULT_MTU;
3303 u16 result = L2CAP_CONF_SUCCESS;
3304 u16 size;
3305
3306 BT_DBG("chan %p", chan);
3307
3308 while (len >= L2CAP_CONF_OPT_SIZE) {
3309 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3310
3311 hint = type & L2CAP_CONF_HINT;
3312 type &= L2CAP_CONF_MASK;
3313
3314 switch (type) {
3315 case L2CAP_CONF_MTU:
3316 mtu = val;
3317 break;
3318
3319 case L2CAP_CONF_FLUSH_TO:
3320 chan->flush_to = val;
3321 break;
3322
3323 case L2CAP_CONF_QOS:
3324 break;
3325
3326 case L2CAP_CONF_RFC:
3327 if (olen == sizeof(rfc))
3328 memcpy(&rfc, (void *) val, olen);
3329 break;
3330
3331 case L2CAP_CONF_FCS:
3332 if (val == L2CAP_FCS_NONE)
3333 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3334 break;
3335
3336 case L2CAP_CONF_EFS:
3337 remote_efs = 1;
3338 if (olen == sizeof(efs))
3339 memcpy(&efs, (void *) val, olen);
3340 break;
3341
3342 case L2CAP_CONF_EWS:
3343 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3344 return -ECONNREFUSED;
3345
3346 set_bit(FLAG_EXT_CTRL, &chan->flags);
3347 set_bit(CONF_EWS_RECV, &chan->conf_state);
3348 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3349 chan->remote_tx_win = val;
3350 break;
3351
3352 default:
3353 if (hint)
3354 break;
3355
3356 result = L2CAP_CONF_UNKNOWN;
3357 *((u8 *) ptr++) = type;
3358 break;
3359 }
3360 }
3361
3362 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3363 goto done;
3364
3365 switch (chan->mode) {
3366 case L2CAP_MODE_STREAMING:
3367 case L2CAP_MODE_ERTM:
3368 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3369 chan->mode = l2cap_select_mode(rfc.mode,
3370 chan->conn->feat_mask);
3371 break;
3372 }
3373
3374 if (remote_efs) {
3375 if (__l2cap_efs_supported(chan->conn))
3376 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3377 else
3378 return -ECONNREFUSED;
3379 }
3380
3381 if (chan->mode != rfc.mode)
3382 return -ECONNREFUSED;
3383
3384 break;
3385 }
3386
3387done:
3388 if (chan->mode != rfc.mode) {
3389 result = L2CAP_CONF_UNACCEPT;
3390 rfc.mode = chan->mode;
3391
3392 if (chan->num_conf_rsp == 1)
3393 return -ECONNREFUSED;
3394
3395 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3396 (unsigned long) &rfc);
3397 }
3398
3399 if (result == L2CAP_CONF_SUCCESS) {
3400
3401
3402
3403 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3404 result = L2CAP_CONF_UNACCEPT;
3405 else {
3406 chan->omtu = mtu;
3407 set_bit(CONF_MTU_DONE, &chan->conf_state);
3408 }
3409 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3410
3411 if (remote_efs) {
3412 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3413 efs.stype != L2CAP_SERV_NOTRAFIC &&
3414 efs.stype != chan->local_stype) {
3415
3416 result = L2CAP_CONF_UNACCEPT;
3417
3418 if (chan->num_conf_req >= 1)
3419 return -ECONNREFUSED;
3420
3421 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3422 sizeof(efs),
3423 (unsigned long) &efs);
3424 } else {
3425
3426 result = L2CAP_CONF_PENDING;
3427 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3428 }
3429 }
3430
3431 switch (rfc.mode) {
3432 case L2CAP_MODE_BASIC:
3433 chan->fcs = L2CAP_FCS_NONE;
3434 set_bit(CONF_MODE_DONE, &chan->conf_state);
3435 break;
3436
3437 case L2CAP_MODE_ERTM:
3438 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3439 chan->remote_tx_win = rfc.txwin_size;
3440 else
3441 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3442
3443 chan->remote_max_tx = rfc.max_transmit;
3444
3445 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3446 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3447 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3448 rfc.max_pdu_size = cpu_to_le16(size);
3449 chan->remote_mps = size;
3450
3451 __l2cap_set_ertm_timeouts(chan, &rfc);
3452
3453 set_bit(CONF_MODE_DONE, &chan->conf_state);
3454
3455 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3456 sizeof(rfc), (unsigned long) &rfc);
3457
3458 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3459 chan->remote_id = efs.id;
3460 chan->remote_stype = efs.stype;
3461 chan->remote_msdu = le16_to_cpu(efs.msdu);
3462 chan->remote_flush_to =
3463 le32_to_cpu(efs.flush_to);
3464 chan->remote_acc_lat =
3465 le32_to_cpu(efs.acc_lat);
3466 chan->remote_sdu_itime =
3467 le32_to_cpu(efs.sdu_itime);
3468 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3469 sizeof(efs),
3470 (unsigned long) &efs);
3471 }
3472 break;
3473
3474 case L2CAP_MODE_STREAMING:
3475 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3476 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3477 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3478 rfc.max_pdu_size = cpu_to_le16(size);
3479 chan->remote_mps = size;
3480
3481 set_bit(CONF_MODE_DONE, &chan->conf_state);
3482
3483 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3484 (unsigned long) &rfc);
3485
3486 break;
3487
3488 default:
3489 result = L2CAP_CONF_UNACCEPT;
3490
3491 memset(&rfc, 0, sizeof(rfc));
3492 rfc.mode = chan->mode;
3493 }
3494
3495 if (result == L2CAP_CONF_SUCCESS)
3496 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3497 }
3498 rsp->scid = cpu_to_le16(chan->dcid);
3499 rsp->result = cpu_to_le16(result);
3500 rsp->flags = cpu_to_le16(0);
3501
3502 return ptr - data;
3503}
3504
3505static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3506 void *data, u16 *result)
3507{
3508 struct l2cap_conf_req *req = data;
3509 void *ptr = req->data;
3510 int type, olen;
3511 unsigned long val;
3512 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3513 struct l2cap_conf_efs efs;
3514
3515 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3516
3517 while (len >= L2CAP_CONF_OPT_SIZE) {
3518 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3519
3520 switch (type) {
3521 case L2CAP_CONF_MTU:
3522 if (val < L2CAP_DEFAULT_MIN_MTU) {
3523 *result = L2CAP_CONF_UNACCEPT;
3524 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3525 } else
3526 chan->imtu = val;
3527 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3528 break;
3529
3530 case L2CAP_CONF_FLUSH_TO:
3531 chan->flush_to = val;
3532 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3533 2, chan->flush_to);
3534 break;
3535
3536 case L2CAP_CONF_RFC:
3537 if (olen == sizeof(rfc))
3538 memcpy(&rfc, (void *)val, olen);
3539
3540 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3541 rfc.mode != chan->mode)
3542 return -ECONNREFUSED;
3543
3544 chan->fcs = 0;
3545
3546 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3547 sizeof(rfc), (unsigned long) &rfc);
3548 break;
3549
3550 case L2CAP_CONF_EWS:
3551 chan->ack_win = min_t(u16, val, chan->ack_win);
3552 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3553 chan->tx_win);
3554 break;
3555
3556 case L2CAP_CONF_EFS:
3557 if (olen == sizeof(efs))
3558 memcpy(&efs, (void *)val, olen);
3559
3560 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3561 efs.stype != L2CAP_SERV_NOTRAFIC &&
3562 efs.stype != chan->local_stype)
3563 return -ECONNREFUSED;
3564
3565 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3566 (unsigned long) &efs);
3567 break;
3568
3569 case L2CAP_CONF_FCS:
3570 if (*result == L2CAP_CONF_PENDING)
3571 if (val == L2CAP_FCS_NONE)
3572 set_bit(CONF_RECV_NO_FCS,
3573 &chan->conf_state);
3574 break;
3575 }
3576 }
3577
3578 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3579 return -ECONNREFUSED;
3580
3581 chan->mode = rfc.mode;
3582
3583 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3584 switch (rfc.mode) {
3585 case L2CAP_MODE_ERTM:
3586 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3587 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3588 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3589 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3590 chan->ack_win = min_t(u16, chan->ack_win,
3591 rfc.txwin_size);
3592
3593 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3594 chan->local_msdu = le16_to_cpu(efs.msdu);
3595 chan->local_sdu_itime =
3596 le32_to_cpu(efs.sdu_itime);
3597 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3598 chan->local_flush_to =
3599 le32_to_cpu(efs.flush_to);
3600 }
3601 break;
3602
3603 case L2CAP_MODE_STREAMING:
3604 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3605 }
3606 }
3607
3608 req->dcid = cpu_to_le16(chan->dcid);
3609 req->flags = cpu_to_le16(0);
3610
3611 return ptr - data;
3612}
3613
3614static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3615 u16 result, u16 flags)
3616{
3617 struct l2cap_conf_rsp *rsp = data;
3618 void *ptr = rsp->data;
3619
3620 BT_DBG("chan %p", chan);
3621
3622 rsp->scid = cpu_to_le16(chan->dcid);
3623 rsp->result = cpu_to_le16(result);
3624 rsp->flags = cpu_to_le16(flags);
3625
3626 return ptr - data;
3627}
3628
3629void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3630{
3631 struct l2cap_le_conn_rsp rsp;
3632 struct l2cap_conn *conn = chan->conn;
3633
3634 BT_DBG("chan %p", chan);
3635
3636 rsp.dcid = cpu_to_le16(chan->scid);
3637 rsp.mtu = cpu_to_le16(chan->imtu);
3638 rsp.mps = cpu_to_le16(chan->mps);
3639 rsp.credits = cpu_to_le16(chan->rx_credits);
3640 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3641
3642 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3643 &rsp);
3644}
3645
3646void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3647{
3648 struct l2cap_conn_rsp rsp;
3649 struct l2cap_conn *conn = chan->conn;
3650 u8 buf[128];
3651 u8 rsp_code;
3652
3653 rsp.scid = cpu_to_le16(chan->dcid);
3654 rsp.dcid = cpu_to_le16(chan->scid);
3655 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3656 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3657
3658 if (chan->hs_hcon)
3659 rsp_code = L2CAP_CREATE_CHAN_RSP;
3660 else
3661 rsp_code = L2CAP_CONN_RSP;
3662
3663 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3664
3665 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3666
3667 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3668 return;
3669
3670 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3671 l2cap_build_conf_req(chan, buf), buf);
3672 chan->num_conf_req++;
3673}
3674
3675static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3676{
3677 int type, olen;
3678 unsigned long val;
3679
3680
3681
3682 u16 txwin_ext = chan->ack_win;
3683 struct l2cap_conf_rfc rfc = {
3684 .mode = chan->mode,
3685 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3686 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3687 .max_pdu_size = cpu_to_le16(chan->imtu),
3688 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3689 };
3690
3691 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3692
3693 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3694 return;
3695
3696 while (len >= L2CAP_CONF_OPT_SIZE) {
3697 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3698
3699 switch (type) {
3700 case L2CAP_CONF_RFC:
3701 if (olen == sizeof(rfc))
3702 memcpy(&rfc, (void *)val, olen);
3703 break;
3704 case L2CAP_CONF_EWS:
3705 txwin_ext = val;
3706 break;
3707 }
3708 }
3709
3710 switch (rfc.mode) {
3711 case L2CAP_MODE_ERTM:
3712 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3713 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3714 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3715 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3716 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3717 else
3718 chan->ack_win = min_t(u16, chan->ack_win,
3719 rfc.txwin_size);
3720 break;
3721 case L2CAP_MODE_STREAMING:
3722 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3723 }
3724}
3725
3726static inline int l2cap_command_rej(struct l2cap_conn *conn,
3727 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3728 u8 *data)
3729{
3730 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3731
3732 if (cmd_len < sizeof(*rej))
3733 return -EPROTO;
3734
3735 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3736 return 0;
3737
3738 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3739 cmd->ident == conn->info_ident) {
3740 cancel_delayed_work(&conn->info_timer);
3741
3742 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3743 conn->info_ident = 0;
3744
3745 l2cap_conn_start(conn);
3746 }
3747
3748 return 0;
3749}
3750
3751static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3752 struct l2cap_cmd_hdr *cmd,
3753 u8 *data, u8 rsp_code, u8 amp_id)
3754{
3755 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3756 struct l2cap_conn_rsp rsp;
3757 struct l2cap_chan *chan = NULL, *pchan;
3758 int result, status = L2CAP_CS_NO_INFO;
3759
3760 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3761 __le16 psm = req->psm;
3762
3763 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3764
3765
3766 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3767 &conn->hcon->dst, ACL_LINK);
3768 if (!pchan) {
3769 result = L2CAP_CR_BAD_PSM;
3770 goto sendresp;
3771 }
3772
3773 mutex_lock(&conn->chan_lock);
3774 l2cap_chan_lock(pchan);
3775
3776
3777 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3778 !hci_conn_check_link_mode(conn->hcon)) {
3779 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3780 result = L2CAP_CR_SEC_BLOCK;
3781 goto response;
3782 }
3783
3784 result = L2CAP_CR_NO_MEM;
3785
3786
3787 if (__l2cap_get_chan_by_dcid(conn, scid))
3788 goto response;
3789
3790 chan = pchan->ops->new_connection(pchan);
3791 if (!chan)
3792 goto response;
3793
3794
3795
3796
3797
3798
3799 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3800
3801 bacpy(&chan->src, &conn->hcon->src);
3802 bacpy(&chan->dst, &conn->hcon->dst);
3803 chan->src_type = bdaddr_src_type(conn->hcon);
3804 chan->dst_type = bdaddr_dst_type(conn->hcon);
3805 chan->psm = psm;
3806 chan->dcid = scid;
3807 chan->local_amp_id = amp_id;
3808
3809 __l2cap_chan_add(conn, chan);
3810
3811 dcid = chan->scid;
3812
3813 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3814
3815 chan->ident = cmd->ident;
3816
3817 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3818 if (l2cap_chan_check_security(chan, false)) {
3819 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3820 l2cap_state_change(chan, BT_CONNECT2);
3821 result = L2CAP_CR_PEND;
3822 status = L2CAP_CS_AUTHOR_PEND;
3823 chan->ops->defer(chan);
3824 } else {
3825
3826
3827
3828
3829 if (amp_id == AMP_ID_BREDR) {
3830 l2cap_state_change(chan, BT_CONFIG);
3831 result = L2CAP_CR_SUCCESS;
3832 } else {
3833 l2cap_state_change(chan, BT_CONNECT2);
3834 result = L2CAP_CR_PEND;
3835 }
3836 status = L2CAP_CS_NO_INFO;
3837 }
3838 } else {
3839 l2cap_state_change(chan, BT_CONNECT2);
3840 result = L2CAP_CR_PEND;
3841 status = L2CAP_CS_AUTHEN_PEND;
3842 }
3843 } else {
3844 l2cap_state_change(chan, BT_CONNECT2);
3845 result = L2CAP_CR_PEND;
3846 status = L2CAP_CS_NO_INFO;
3847 }
3848
3849response:
3850 l2cap_chan_unlock(pchan);
3851 mutex_unlock(&conn->chan_lock);
3852 l2cap_chan_put(pchan);
3853
3854sendresp:
3855 rsp.scid = cpu_to_le16(scid);
3856 rsp.dcid = cpu_to_le16(dcid);
3857 rsp.result = cpu_to_le16(result);
3858 rsp.status = cpu_to_le16(status);
3859 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3860
3861 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3862 struct l2cap_info_req info;
3863 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3864
3865 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3866 conn->info_ident = l2cap_get_ident(conn);
3867
3868 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3869
3870 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3871 sizeof(info), &info);
3872 }
3873
3874 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3875 result == L2CAP_CR_SUCCESS) {
3876 u8 buf[128];
3877 set_bit(CONF_REQ_SENT, &chan->conf_state);
3878 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3879 l2cap_build_conf_req(chan, buf), buf);
3880 chan->num_conf_req++;
3881 }
3882
3883 return chan;
3884}
3885
3886static int l2cap_connect_req(struct l2cap_conn *conn,
3887 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3888{
3889 struct hci_dev *hdev = conn->hcon->hdev;
3890 struct hci_conn *hcon = conn->hcon;
3891
3892 if (cmd_len < sizeof(struct l2cap_conn_req))
3893 return -EPROTO;
3894
3895 hci_dev_lock(hdev);
3896 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3897 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3898 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3899 hci_dev_unlock(hdev);
3900
3901 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3902 return 0;
3903}
3904
3905static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3906 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3907 u8 *data)
3908{
3909 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3910 u16 scid, dcid, result, status;
3911 struct l2cap_chan *chan;
3912 u8 req[128];
3913 int err;
3914
3915 if (cmd_len < sizeof(*rsp))
3916 return -EPROTO;
3917
3918 scid = __le16_to_cpu(rsp->scid);
3919 dcid = __le16_to_cpu(rsp->dcid);
3920 result = __le16_to_cpu(rsp->result);
3921 status = __le16_to_cpu(rsp->status);
3922
3923 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3924 dcid, scid, result, status);
3925
3926 mutex_lock(&conn->chan_lock);
3927
3928 if (scid) {
3929 chan = __l2cap_get_chan_by_scid(conn, scid);
3930 if (!chan) {
3931 err = -EBADSLT;
3932 goto unlock;
3933 }
3934 } else {
3935 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3936 if (!chan) {
3937 err = -EBADSLT;
3938 goto unlock;
3939 }
3940 }
3941
3942 err = 0;
3943
3944 l2cap_chan_lock(chan);
3945
3946 switch (result) {
3947 case L2CAP_CR_SUCCESS:
3948 l2cap_state_change(chan, BT_CONFIG);
3949 chan->ident = 0;
3950 chan->dcid = dcid;
3951 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3952
3953 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3954 break;
3955
3956 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3957 l2cap_build_conf_req(chan, req), req);
3958 chan->num_conf_req++;
3959 break;
3960
3961 case L2CAP_CR_PEND:
3962 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3963 break;
3964
3965 default:
3966 l2cap_chan_del(chan, ECONNREFUSED);
3967 break;
3968 }
3969
3970 l2cap_chan_unlock(chan);
3971
3972unlock:
3973 mutex_unlock(&conn->chan_lock);
3974
3975 return err;
3976}
3977
3978static inline void set_default_fcs(struct l2cap_chan *chan)
3979{
3980
3981
3982
3983 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3984 chan->fcs = L2CAP_FCS_NONE;
3985 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
3986 chan->fcs = L2CAP_FCS_CRC16;
3987}
3988
3989static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3990 u8 ident, u16 flags)
3991{
3992 struct l2cap_conn *conn = chan->conn;
3993
3994 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3995 flags);
3996
3997 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3998 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3999
4000 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4001 l2cap_build_conf_rsp(chan, data,
4002 L2CAP_CONF_SUCCESS, flags), data);
4003}
4004
4005static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4006 u16 scid, u16 dcid)
4007{
4008 struct l2cap_cmd_rej_cid rej;
4009
4010 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4011 rej.scid = __cpu_to_le16(scid);
4012 rej.dcid = __cpu_to_le16(dcid);
4013
4014 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4015}
4016
4017static inline int l2cap_config_req(struct l2cap_conn *conn,
4018 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4019 u8 *data)
4020{
4021 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4022 u16 dcid, flags;
4023 u8 rsp[64];
4024 struct l2cap_chan *chan;
4025 int len, err = 0;
4026
4027 if (cmd_len < sizeof(*req))
4028 return -EPROTO;
4029
4030 dcid = __le16_to_cpu(req->dcid);
4031 flags = __le16_to_cpu(req->flags);
4032
4033 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4034
4035 chan = l2cap_get_chan_by_scid(conn, dcid);
4036 if (!chan) {
4037 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4038 return 0;
4039 }
4040
4041 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4042 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4043 chan->dcid);
4044 goto unlock;
4045 }
4046
4047
4048 len = cmd_len - sizeof(*req);
4049 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4050 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4051 l2cap_build_conf_rsp(chan, rsp,
4052 L2CAP_CONF_REJECT, flags), rsp);
4053 goto unlock;
4054 }
4055
4056
4057 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4058 chan->conf_len += len;
4059
4060 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4061
4062 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4063 l2cap_build_conf_rsp(chan, rsp,
4064 L2CAP_CONF_SUCCESS, flags), rsp);
4065 goto unlock;
4066 }
4067
4068
4069 len = l2cap_parse_conf_req(chan, rsp);
4070 if (len < 0) {
4071 l2cap_send_disconn_req(chan, ECONNRESET);
4072 goto unlock;
4073 }
4074
4075 chan->ident = cmd->ident;
4076 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4077 chan->num_conf_rsp++;
4078
4079
4080 chan->conf_len = 0;
4081
4082 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4083 goto unlock;
4084
4085 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4086 set_default_fcs(chan);
4087
4088 if (chan->mode == L2CAP_MODE_ERTM ||
4089 chan->mode == L2CAP_MODE_STREAMING)
4090 err = l2cap_ertm_init(chan);
4091
4092 if (err < 0)
4093 l2cap_send_disconn_req(chan, -err);
4094 else
4095 l2cap_chan_ready(chan);
4096
4097 goto unlock;
4098 }
4099
4100 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4101 u8 buf[64];
4102 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4103 l2cap_build_conf_req(chan, buf), buf);
4104 chan->num_conf_req++;
4105 }
4106
4107
4108
4109 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4110 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4111
4112
4113
4114
4115 if (!chan->hs_hcon)
4116 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4117 else
4118 chan->ident = cmd->ident;
4119 }
4120
4121unlock:
4122 l2cap_chan_unlock(chan);
4123 return err;
4124}
4125
4126static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4127 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4128 u8 *data)
4129{
4130 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4131 u16 scid, flags, result;
4132 struct l2cap_chan *chan;
4133 int len = cmd_len - sizeof(*rsp);
4134 int err = 0;
4135
4136 if (cmd_len < sizeof(*rsp))
4137 return -EPROTO;
4138
4139 scid = __le16_to_cpu(rsp->scid);
4140 flags = __le16_to_cpu(rsp->flags);
4141 result = __le16_to_cpu(rsp->result);
4142
4143 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4144 result, len);
4145
4146 chan = l2cap_get_chan_by_scid(conn, scid);
4147 if (!chan)
4148 return 0;
4149
4150 switch (result) {
4151 case L2CAP_CONF_SUCCESS:
4152 l2cap_conf_rfc_get(chan, rsp->data, len);
4153 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4154 break;
4155
4156 case L2CAP_CONF_PENDING:
4157 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4158
4159 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4160 char buf[64];
4161
4162 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4163 buf, &result);
4164 if (len < 0) {
4165 l2cap_send_disconn_req(chan, ECONNRESET);
4166 goto done;
4167 }
4168
4169 if (!chan->hs_hcon) {
4170 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4171 0);
4172 } else {
4173 if (l2cap_check_efs(chan)) {
4174 amp_create_logical_link(chan);
4175 chan->ident = cmd->ident;
4176 }
4177 }
4178 }
4179 goto done;
4180
4181 case L2CAP_CONF_UNACCEPT:
4182 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4183 char req[64];
4184
4185 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4186 l2cap_send_disconn_req(chan, ECONNRESET);
4187 goto done;
4188 }
4189
4190
4191 result = L2CAP_CONF_SUCCESS;
4192 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4193 req, &result);
4194 if (len < 0) {
4195 l2cap_send_disconn_req(chan, ECONNRESET);
4196 goto done;
4197 }
4198
4199 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4200 L2CAP_CONF_REQ, len, req);
4201 chan->num_conf_req++;
4202 if (result != L2CAP_CONF_SUCCESS)
4203 goto done;
4204 break;
4205 }
4206
4207 default:
4208 l2cap_chan_set_err(chan, ECONNRESET);
4209
4210 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4211 l2cap_send_disconn_req(chan, ECONNRESET);
4212 goto done;
4213 }
4214
4215 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4216 goto done;
4217
4218 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4219
4220 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4221 set_default_fcs(chan);
4222
4223 if (chan->mode == L2CAP_MODE_ERTM ||
4224 chan->mode == L2CAP_MODE_STREAMING)
4225 err = l2cap_ertm_init(chan);
4226
4227 if (err < 0)
4228 l2cap_send_disconn_req(chan, -err);
4229 else
4230 l2cap_chan_ready(chan);
4231 }
4232
4233done:
4234 l2cap_chan_unlock(chan);
4235 return err;
4236}
4237
4238static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4239 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4240 u8 *data)
4241{
4242 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4243 struct l2cap_disconn_rsp rsp;
4244 u16 dcid, scid;
4245 struct l2cap_chan *chan;
4246
4247 if (cmd_len != sizeof(*req))
4248 return -EPROTO;
4249
4250 scid = __le16_to_cpu(req->scid);
4251 dcid = __le16_to_cpu(req->dcid);
4252
4253 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4254
4255 mutex_lock(&conn->chan_lock);
4256
4257 chan = __l2cap_get_chan_by_scid(conn, dcid);
4258 if (!chan) {
4259 mutex_unlock(&conn->chan_lock);
4260 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4261 return 0;
4262 }
4263
4264 l2cap_chan_lock(chan);
4265
4266 rsp.dcid = cpu_to_le16(chan->scid);
4267 rsp.scid = cpu_to_le16(chan->dcid);
4268 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4269
4270 chan->ops->set_shutdown(chan);
4271
4272 l2cap_chan_hold(chan);
4273 l2cap_chan_del(chan, ECONNRESET);
4274
4275 l2cap_chan_unlock(chan);
4276
4277 chan->ops->close(chan);
4278 l2cap_chan_put(chan);
4279
4280 mutex_unlock(&conn->chan_lock);
4281
4282 return 0;
4283}
4284
4285static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4286 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4287 u8 *data)
4288{
4289 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4290 u16 dcid, scid;
4291 struct l2cap_chan *chan;
4292
4293 if (cmd_len != sizeof(*rsp))
4294 return -EPROTO;
4295
4296 scid = __le16_to_cpu(rsp->scid);
4297 dcid = __le16_to_cpu(rsp->dcid);
4298
4299 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4300
4301 mutex_lock(&conn->chan_lock);
4302
4303 chan = __l2cap_get_chan_by_scid(conn, scid);
4304 if (!chan) {
4305 mutex_unlock(&conn->chan_lock);
4306 return 0;
4307 }
4308
4309 l2cap_chan_lock(chan);
4310
4311 l2cap_chan_hold(chan);
4312 l2cap_chan_del(chan, 0);
4313
4314 l2cap_chan_unlock(chan);
4315
4316 chan->ops->close(chan);
4317 l2cap_chan_put(chan);
4318
4319 mutex_unlock(&conn->chan_lock);
4320
4321 return 0;
4322}
4323
4324static inline int l2cap_information_req(struct l2cap_conn *conn,
4325 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4326 u8 *data)
4327{
4328 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4329 u16 type;
4330
4331 if (cmd_len != sizeof(*req))
4332 return -EPROTO;
4333
4334 type = __le16_to_cpu(req->type);
4335
4336 BT_DBG("type 0x%4.4x", type);
4337
4338 if (type == L2CAP_IT_FEAT_MASK) {
4339 u8 buf[8];
4340 u32 feat_mask = l2cap_feat_mask;
4341 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4342 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4343 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4344 if (!disable_ertm)
4345 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4346 | L2CAP_FEAT_FCS;
4347 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4348 feat_mask |= L2CAP_FEAT_EXT_FLOW
4349 | L2CAP_FEAT_EXT_WINDOW;
4350
4351 put_unaligned_le32(feat_mask, rsp->data);
4352 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4353 buf);
4354 } else if (type == L2CAP_IT_FIXED_CHAN) {
4355 u8 buf[12];
4356 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4357
4358 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4359 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4360 rsp->data[0] = conn->local_fixed_chan;
4361 memset(rsp->data + 1, 0, 7);
4362 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4363 buf);
4364 } else {
4365 struct l2cap_info_rsp rsp;
4366 rsp.type = cpu_to_le16(type);
4367 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4368 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4369 &rsp);
4370 }
4371
4372 return 0;
4373}
4374
4375static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4376 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4377 u8 *data)
4378{
4379 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4380 u16 type, result;
4381
4382 if (cmd_len < sizeof(*rsp))
4383 return -EPROTO;
4384
4385 type = __le16_to_cpu(rsp->type);
4386 result = __le16_to_cpu(rsp->result);
4387
4388 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4389
4390
4391 if (cmd->ident != conn->info_ident ||
4392 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4393 return 0;
4394
4395 cancel_delayed_work(&conn->info_timer);
4396
4397 if (result != L2CAP_IR_SUCCESS) {
4398 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4399 conn->info_ident = 0;
4400
4401 l2cap_conn_start(conn);
4402
4403 return 0;
4404 }
4405
4406 switch (type) {
4407 case L2CAP_IT_FEAT_MASK:
4408 conn->feat_mask = get_unaligned_le32(rsp->data);
4409
4410 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4411 struct l2cap_info_req req;
4412 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4413
4414 conn->info_ident = l2cap_get_ident(conn);
4415
4416 l2cap_send_cmd(conn, conn->info_ident,
4417 L2CAP_INFO_REQ, sizeof(req), &req);
4418 } else {
4419 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4420 conn->info_ident = 0;
4421
4422 l2cap_conn_start(conn);
4423 }
4424 break;
4425
4426 case L2CAP_IT_FIXED_CHAN:
4427 conn->remote_fixed_chan = rsp->data[0];
4428 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4429 conn->info_ident = 0;
4430
4431 l2cap_conn_start(conn);
4432 break;
4433 }
4434
4435 return 0;
4436}
4437
4438static int l2cap_create_channel_req(struct l2cap_conn *conn,
4439 struct l2cap_cmd_hdr *cmd,
4440 u16 cmd_len, void *data)
4441{
4442 struct l2cap_create_chan_req *req = data;
4443 struct l2cap_create_chan_rsp rsp;
4444 struct l2cap_chan *chan;
4445 struct hci_dev *hdev;
4446 u16 psm, scid;
4447
4448 if (cmd_len != sizeof(*req))
4449 return -EPROTO;
4450
4451 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4452 return -EINVAL;
4453
4454 psm = le16_to_cpu(req->psm);
4455 scid = le16_to_cpu(req->scid);
4456
4457 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4458
4459
4460 if (req->amp_id == AMP_ID_BREDR) {
4461 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4462 req->amp_id);
4463 return 0;
4464 }
4465
4466
4467 hdev = hci_dev_get(req->amp_id);
4468 if (!hdev)
4469 goto error;
4470
4471 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4472 hci_dev_put(hdev);
4473 goto error;
4474 }
4475
4476 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4477 req->amp_id);
4478 if (chan) {
4479 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4480 struct hci_conn *hs_hcon;
4481
4482 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4483 &conn->hcon->dst);
4484 if (!hs_hcon) {
4485 hci_dev_put(hdev);
4486 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4487 chan->dcid);
4488 return 0;
4489 }
4490
4491 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4492
4493 mgr->bredr_chan = chan;
4494 chan->hs_hcon = hs_hcon;
4495 chan->fcs = L2CAP_FCS_NONE;
4496 conn->mtu = hdev->block_mtu;
4497 }
4498
4499 hci_dev_put(hdev);
4500
4501 return 0;
4502
4503error:
4504 rsp.dcid = 0;
4505 rsp.scid = cpu_to_le16(scid);
4506 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4507 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4508
4509 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4510 sizeof(rsp), &rsp);
4511
4512 return 0;
4513}
4514
4515static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4516{
4517 struct l2cap_move_chan_req req;
4518 u8 ident;
4519
4520 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4521
4522 ident = l2cap_get_ident(chan->conn);
4523 chan->ident = ident;
4524
4525 req.icid = cpu_to_le16(chan->scid);
4526 req.dest_amp_id = dest_amp_id;
4527
4528 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4529 &req);
4530
4531 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4532}
4533
4534static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4535{
4536 struct l2cap_move_chan_rsp rsp;
4537
4538 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4539
4540 rsp.icid = cpu_to_le16(chan->dcid);
4541 rsp.result = cpu_to_le16(result);
4542
4543 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4544 sizeof(rsp), &rsp);
4545}
4546
4547static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4548{
4549 struct l2cap_move_chan_cfm cfm;
4550
4551 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4552
4553 chan->ident = l2cap_get_ident(chan->conn);
4554
4555 cfm.icid = cpu_to_le16(chan->scid);
4556 cfm.result = cpu_to_le16(result);
4557
4558 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4559 sizeof(cfm), &cfm);
4560
4561 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4562}
4563
4564static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4565{
4566 struct l2cap_move_chan_cfm cfm;
4567
4568 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4569
4570 cfm.icid = cpu_to_le16(icid);
4571 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4572
4573 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4574 sizeof(cfm), &cfm);
4575}
4576
4577static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4578 u16 icid)
4579{
4580 struct l2cap_move_chan_cfm_rsp rsp;
4581
4582 BT_DBG("icid 0x%4.4x", icid);
4583
4584 rsp.icid = cpu_to_le16(icid);
4585 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4586}
4587
4588static void __release_logical_link(struct l2cap_chan *chan)
4589{
4590 chan->hs_hchan = NULL;
4591 chan->hs_hcon = NULL;
4592
4593
4594}
4595
4596static void l2cap_logical_fail(struct l2cap_chan *chan)
4597{
4598
4599 if (chan->state != BT_CONNECTED) {
4600
4601 l2cap_send_disconn_req(chan, ECONNRESET);
4602 return;
4603 }
4604
4605 switch (chan->move_role) {
4606 case L2CAP_MOVE_ROLE_RESPONDER:
4607 l2cap_move_done(chan);
4608 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4609 break;
4610 case L2CAP_MOVE_ROLE_INITIATOR:
4611 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4612 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4613
4614
4615
4616 l2cap_move_done(chan);
4617 }
4618
4619
4620
4621
4622 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4623 break;
4624 }
4625}
4626
4627static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4628 struct hci_chan *hchan)
4629{
4630 struct l2cap_conf_rsp rsp;
4631
4632 chan->hs_hchan = hchan;
4633 chan->hs_hcon->l2cap_data = chan->conn;
4634
4635 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4636
4637 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4638 int err;
4639
4640 set_default_fcs(chan);
4641
4642 err = l2cap_ertm_init(chan);
4643 if (err < 0)
4644 l2cap_send_disconn_req(chan, -err);
4645 else
4646 l2cap_chan_ready(chan);
4647 }
4648}
4649
4650static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4651 struct hci_chan *hchan)
4652{
4653 chan->hs_hcon = hchan->conn;
4654 chan->hs_hcon->l2cap_data = chan->conn;
4655
4656 BT_DBG("move_state %d", chan->move_state);
4657
4658 switch (chan->move_state) {
4659 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4660
4661
4662
4663 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4664 break;
4665 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4666 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4667 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4668 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4669 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4670 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4671 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4672 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4673 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4674 }
4675 break;
4676 default:
4677
4678 __release_logical_link(chan);
4679
4680 chan->move_state = L2CAP_MOVE_STABLE;
4681 }
4682}
4683
4684
4685void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4686 u8 status)
4687{
4688 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4689
4690 if (status) {
4691 l2cap_logical_fail(chan);
4692 __release_logical_link(chan);
4693 return;
4694 }
4695
4696 if (chan->state != BT_CONNECTED) {
4697
4698 if (chan->local_amp_id != AMP_ID_BREDR)
4699 l2cap_logical_finish_create(chan, hchan);
4700 } else {
4701 l2cap_logical_finish_move(chan, hchan);
4702 }
4703}
4704
4705void l2cap_move_start(struct l2cap_chan *chan)
4706{
4707 BT_DBG("chan %p", chan);
4708
4709 if (chan->local_amp_id == AMP_ID_BREDR) {
4710 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4711 return;
4712 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4713 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4714
4715 } else {
4716 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4717 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4718 chan->move_id = 0;
4719 l2cap_move_setup(chan);
4720 l2cap_send_move_chan_req(chan, 0);
4721 }
4722}
4723
4724static void l2cap_do_create(struct l2cap_chan *chan, int result,
4725 u8 local_amp_id, u8 remote_amp_id)
4726{
4727 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4728 local_amp_id, remote_amp_id);
4729
4730 chan->fcs = L2CAP_FCS_NONE;
4731
4732
4733 if (chan->state == BT_CONNECT) {
4734 if (result == L2CAP_CR_SUCCESS) {
4735 chan->local_amp_id = local_amp_id;
4736 l2cap_send_create_chan_req(chan, remote_amp_id);
4737 } else {
4738
4739 l2cap_send_conn_req(chan);
4740 }
4741
4742 return;
4743 }
4744
4745
4746 if (__l2cap_no_conn_pending(chan)) {
4747 struct l2cap_conn_rsp rsp;
4748 char buf[128];
4749 rsp.scid = cpu_to_le16(chan->dcid);
4750 rsp.dcid = cpu_to_le16(chan->scid);
4751
4752 if (result == L2CAP_CR_SUCCESS) {
4753
4754 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4755 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4756 } else {
4757
4758 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4759 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4760 }
4761
4762 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4763 sizeof(rsp), &rsp);
4764
4765 if (result == L2CAP_CR_SUCCESS) {
4766 l2cap_state_change(chan, BT_CONFIG);
4767 set_bit(CONF_REQ_SENT, &chan->conf_state);
4768 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4769 L2CAP_CONF_REQ,
4770 l2cap_build_conf_req(chan, buf), buf);
4771 chan->num_conf_req++;
4772 }
4773 }
4774}
4775
4776static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4777 u8 remote_amp_id)
4778{
4779 l2cap_move_setup(chan);
4780 chan->move_id = local_amp_id;
4781 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4782
4783 l2cap_send_move_chan_req(chan, remote_amp_id);
4784}
4785
4786static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4787{
4788 struct hci_chan *hchan = NULL;
4789
4790
4791
4792 if (hchan) {
4793 if (hchan->state == BT_CONNECTED) {
4794
4795 chan->hs_hcon = hchan->conn;
4796 chan->hs_hcon->l2cap_data = chan->conn;
4797 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4798 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4799
4800 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4801 } else {
4802
4803 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4804 }
4805 } else {
4806
4807 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4808 }
4809}
4810
4811static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4812{
4813 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4814 u8 rsp_result;
4815 if (result == -EINVAL)
4816 rsp_result = L2CAP_MR_BAD_ID;
4817 else
4818 rsp_result = L2CAP_MR_NOT_ALLOWED;
4819
4820 l2cap_send_move_chan_rsp(chan, rsp_result);
4821 }
4822
4823 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4824 chan->move_state = L2CAP_MOVE_STABLE;
4825
4826
4827 l2cap_ertm_send(chan);
4828}
4829
4830
4831void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4832{
4833 u8 local_amp_id = chan->local_amp_id;
4834 u8 remote_amp_id = chan->remote_amp_id;
4835
4836 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4837 chan, result, local_amp_id, remote_amp_id);
4838
4839 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4840 l2cap_chan_unlock(chan);
4841 return;
4842 }
4843
4844 if (chan->state != BT_CONNECTED) {
4845 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4846 } else if (result != L2CAP_MR_SUCCESS) {
4847 l2cap_do_move_cancel(chan, result);
4848 } else {
4849 switch (chan->move_role) {
4850 case L2CAP_MOVE_ROLE_INITIATOR:
4851 l2cap_do_move_initiate(chan, local_amp_id,
4852 remote_amp_id);
4853 break;
4854 case L2CAP_MOVE_ROLE_RESPONDER:
4855 l2cap_do_move_respond(chan, result);
4856 break;
4857 default:
4858 l2cap_do_move_cancel(chan, result);
4859 break;
4860 }
4861 }
4862}
4863
4864static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4865 struct l2cap_cmd_hdr *cmd,
4866 u16 cmd_len, void *data)
4867{
4868 struct l2cap_move_chan_req *req = data;
4869 struct l2cap_move_chan_rsp rsp;
4870 struct l2cap_chan *chan;
4871 u16 icid = 0;
4872 u16 result = L2CAP_MR_NOT_ALLOWED;
4873
4874 if (cmd_len != sizeof(*req))
4875 return -EPROTO;
4876
4877 icid = le16_to_cpu(req->icid);
4878
4879 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4880
4881 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4882 return -EINVAL;
4883
4884 chan = l2cap_get_chan_by_dcid(conn, icid);
4885 if (!chan) {
4886 rsp.icid = cpu_to_le16(icid);
4887 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4888 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4889 sizeof(rsp), &rsp);
4890 return 0;
4891 }
4892
4893 chan->ident = cmd->ident;
4894
4895 if (chan->scid < L2CAP_CID_DYN_START ||
4896 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4897 (chan->mode != L2CAP_MODE_ERTM &&
4898 chan->mode != L2CAP_MODE_STREAMING)) {
4899 result = L2CAP_MR_NOT_ALLOWED;
4900 goto send_move_response;
4901 }
4902
4903 if (chan->local_amp_id == req->dest_amp_id) {
4904 result = L2CAP_MR_SAME_ID;
4905 goto send_move_response;
4906 }
4907
4908 if (req->dest_amp_id != AMP_ID_BREDR) {
4909 struct hci_dev *hdev;
4910 hdev = hci_dev_get(req->dest_amp_id);
4911 if (!hdev || hdev->dev_type != HCI_AMP ||
4912 !test_bit(HCI_UP, &hdev->flags)) {
4913 if (hdev)
4914 hci_dev_put(hdev);
4915
4916 result = L2CAP_MR_BAD_ID;
4917 goto send_move_response;
4918 }
4919 hci_dev_put(hdev);
4920 }
4921
4922
4923
4924
4925
4926 if ((__chan_is_moving(chan) ||
4927 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4928 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4929 result = L2CAP_MR_COLLISION;
4930 goto send_move_response;
4931 }
4932
4933 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4934 l2cap_move_setup(chan);
4935 chan->move_id = req->dest_amp_id;
4936 icid = chan->dcid;
4937
4938 if (req->dest_amp_id == AMP_ID_BREDR) {
4939
4940 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4941 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4942 result = L2CAP_MR_PEND;
4943 } else {
4944 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4945 result = L2CAP_MR_SUCCESS;
4946 }
4947 } else {
4948 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4949
4950
4951 result = L2CAP_MR_PEND;
4952 }
4953
4954send_move_response:
4955 l2cap_send_move_chan_rsp(chan, result);
4956
4957 l2cap_chan_unlock(chan);
4958
4959 return 0;
4960}
4961
4962static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4963{
4964 struct l2cap_chan *chan;
4965 struct hci_chan *hchan = NULL;
4966
4967 chan = l2cap_get_chan_by_scid(conn, icid);
4968 if (!chan) {
4969 l2cap_send_move_chan_cfm_icid(conn, icid);
4970 return;
4971 }
4972
4973 __clear_chan_timer(chan);
4974 if (result == L2CAP_MR_PEND)
4975 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4976
4977 switch (chan->move_state) {
4978 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4979
4980
4981
4982 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4983 break;
4984 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4985 if (result == L2CAP_MR_PEND) {
4986 break;
4987 } else if (test_bit(CONN_LOCAL_BUSY,
4988 &chan->conn_state)) {
4989 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4990 } else {
4991
4992
4993
4994 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4995 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4996 }
4997 break;
4998 case L2CAP_MOVE_WAIT_RSP:
4999
5000 if (result == L2CAP_MR_SUCCESS) {
5001
5002
5003
5004 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5005 } else {
5006
5007
5008
5009 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5010 }
5011
5012
5013 if (!hchan) {
5014
5015 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5016 break;
5017 }
5018
5019
5020
5021
5022 if (hchan->state != BT_CONNECTED)
5023 break;
5024
5025
5026
5027 chan->hs_hcon = hchan->conn;
5028 chan->hs_hcon->l2cap_data = chan->conn;
5029
5030 if (result == L2CAP_MR_SUCCESS) {
5031
5032 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5033 } else {
5034
5035
5036
5037 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5038 }
5039
5040 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5041 break;
5042 default:
5043
5044 chan->move_id = chan->local_amp_id;
5045 l2cap_move_done(chan);
5046 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5047 }
5048
5049 l2cap_chan_unlock(chan);
5050}
5051
5052static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5053 u16 result)
5054{
5055 struct l2cap_chan *chan;
5056
5057 chan = l2cap_get_chan_by_ident(conn, ident);
5058 if (!chan) {
5059
5060 l2cap_send_move_chan_cfm_icid(conn, icid);
5061 return;
5062 }
5063
5064 __clear_chan_timer(chan);
5065
5066 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5067 if (result == L2CAP_MR_COLLISION) {
5068 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5069 } else {
5070
5071 chan->move_id = chan->local_amp_id;
5072 l2cap_move_done(chan);
5073 }
5074 }
5075
5076 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5077
5078 l2cap_chan_unlock(chan);
5079}
5080
5081static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5082 struct l2cap_cmd_hdr *cmd,
5083 u16 cmd_len, void *data)
5084{
5085 struct l2cap_move_chan_rsp *rsp = data;
5086 u16 icid, result;
5087
5088 if (cmd_len != sizeof(*rsp))
5089 return -EPROTO;
5090
5091 icid = le16_to_cpu(rsp->icid);
5092 result = le16_to_cpu(rsp->result);
5093
5094 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5095
5096 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5097 l2cap_move_continue(conn, icid, result);
5098 else
5099 l2cap_move_fail(conn, cmd->ident, icid, result);
5100
5101 return 0;
5102}
5103
5104static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5105 struct l2cap_cmd_hdr *cmd,
5106 u16 cmd_len, void *data)
5107{
5108 struct l2cap_move_chan_cfm *cfm = data;
5109 struct l2cap_chan *chan;
5110 u16 icid, result;
5111
5112 if (cmd_len != sizeof(*cfm))
5113 return -EPROTO;
5114
5115 icid = le16_to_cpu(cfm->icid);
5116 result = le16_to_cpu(cfm->result);
5117
5118 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5119
5120 chan = l2cap_get_chan_by_dcid(conn, icid);
5121 if (!chan) {
5122
5123 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5124 return 0;
5125 }
5126
5127 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5128 if (result == L2CAP_MC_CONFIRMED) {
5129 chan->local_amp_id = chan->move_id;
5130 if (chan->local_amp_id == AMP_ID_BREDR)
5131 __release_logical_link(chan);
5132 } else {
5133 chan->move_id = chan->local_amp_id;
5134 }
5135
5136 l2cap_move_done(chan);
5137 }
5138
5139 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5140
5141 l2cap_chan_unlock(chan);
5142
5143 return 0;
5144}
5145
5146static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5147 struct l2cap_cmd_hdr *cmd,
5148 u16 cmd_len, void *data)
5149{
5150 struct l2cap_move_chan_cfm_rsp *rsp = data;
5151 struct l2cap_chan *chan;
5152 u16 icid;
5153
5154 if (cmd_len != sizeof(*rsp))
5155 return -EPROTO;
5156
5157 icid = le16_to_cpu(rsp->icid);
5158
5159 BT_DBG("icid 0x%4.4x", icid);
5160
5161 chan = l2cap_get_chan_by_scid(conn, icid);
5162 if (!chan)
5163 return 0;
5164
5165 __clear_chan_timer(chan);
5166
5167 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5168 chan->local_amp_id = chan->move_id;
5169
5170 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5171 __release_logical_link(chan);
5172
5173 l2cap_move_done(chan);
5174 }
5175
5176 l2cap_chan_unlock(chan);
5177
5178 return 0;
5179}
5180
5181static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5182 struct l2cap_cmd_hdr *cmd,
5183 u16 cmd_len, u8 *data)
5184{
5185 struct hci_conn *hcon = conn->hcon;
5186 struct l2cap_conn_param_update_req *req;
5187 struct l2cap_conn_param_update_rsp rsp;
5188 u16 min, max, latency, to_multiplier;
5189 int err;
5190
5191 if (hcon->role != HCI_ROLE_MASTER)
5192 return -EINVAL;
5193
5194 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5195 return -EPROTO;
5196
5197 req = (struct l2cap_conn_param_update_req *) data;
5198 min = __le16_to_cpu(req->min);
5199 max = __le16_to_cpu(req->max);
5200 latency = __le16_to_cpu(req->latency);
5201 to_multiplier = __le16_to_cpu(req->to_multiplier);
5202
5203 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5204 min, max, latency, to_multiplier);
5205
5206 memset(&rsp, 0, sizeof(rsp));
5207
5208 err = hci_check_conn_params(min, max, latency, to_multiplier);
5209 if (err)
5210 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5211 else
5212 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5213
5214 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5215 sizeof(rsp), &rsp);
5216
5217 if (!err) {
5218 u8 store_hint;
5219
5220 store_hint = hci_le_conn_update(hcon, min, max, latency,
5221 to_multiplier);
5222 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5223 store_hint, min, max, latency,
5224 to_multiplier);
5225
5226 }
5227
5228 return 0;
5229}
5230
5231static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5232 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5233 u8 *data)
5234{
5235 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5236 struct hci_conn *hcon = conn->hcon;
5237 u16 dcid, mtu, mps, credits, result;
5238 struct l2cap_chan *chan;
5239 int err, sec_level;
5240
5241 if (cmd_len < sizeof(*rsp))
5242 return -EPROTO;
5243
5244 dcid = __le16_to_cpu(rsp->dcid);
5245 mtu = __le16_to_cpu(rsp->mtu);
5246 mps = __le16_to_cpu(rsp->mps);
5247 credits = __le16_to_cpu(rsp->credits);
5248 result = __le16_to_cpu(rsp->result);
5249
5250 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5251 return -EPROTO;
5252
5253 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5254 dcid, mtu, mps, credits, result);
5255
5256 mutex_lock(&conn->chan_lock);
5257
5258 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5259 if (!chan) {
5260 err = -EBADSLT;
5261 goto unlock;
5262 }
5263
5264 err = 0;
5265
5266 l2cap_chan_lock(chan);
5267
5268 switch (result) {
5269 case L2CAP_CR_SUCCESS:
5270 chan->ident = 0;
5271 chan->dcid = dcid;
5272 chan->omtu = mtu;
5273 chan->remote_mps = mps;
5274 chan->tx_credits = credits;
5275 l2cap_chan_ready(chan);
5276 break;
5277
5278 case L2CAP_CR_AUTHENTICATION:
5279 case L2CAP_CR_ENCRYPTION:
5280
5281
5282
5283 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5284 l2cap_chan_del(chan, ECONNREFUSED);
5285 break;
5286 }
5287
5288 sec_level = hcon->sec_level + 1;
5289 if (chan->sec_level < sec_level)
5290 chan->sec_level = sec_level;
5291
5292
5293 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5294
5295 smp_conn_security(hcon, chan->sec_level);
5296 break;
5297
5298 default:
5299 l2cap_chan_del(chan, ECONNREFUSED);
5300 break;
5301 }
5302
5303 l2cap_chan_unlock(chan);
5304
5305unlock:
5306 mutex_unlock(&conn->chan_lock);
5307
5308 return err;
5309}
5310
5311static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5312 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5313 u8 *data)
5314{
5315 int err = 0;
5316
5317 switch (cmd->code) {
5318 case L2CAP_COMMAND_REJ:
5319 l2cap_command_rej(conn, cmd, cmd_len, data);
5320 break;
5321
5322 case L2CAP_CONN_REQ:
5323 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5324 break;
5325
5326 case L2CAP_CONN_RSP:
5327 case L2CAP_CREATE_CHAN_RSP:
5328 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5329 break;
5330
5331 case L2CAP_CONF_REQ:
5332 err = l2cap_config_req(conn, cmd, cmd_len, data);
5333 break;
5334
5335 case L2CAP_CONF_RSP:
5336 l2cap_config_rsp(conn, cmd, cmd_len, data);
5337 break;
5338
5339 case L2CAP_DISCONN_REQ:
5340 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5341 break;
5342
5343 case L2CAP_DISCONN_RSP:
5344 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5345 break;
5346
5347 case L2CAP_ECHO_REQ:
5348 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5349 break;
5350
5351 case L2CAP_ECHO_RSP:
5352 break;
5353
5354 case L2CAP_INFO_REQ:
5355 err = l2cap_information_req(conn, cmd, cmd_len, data);
5356 break;
5357
5358 case L2CAP_INFO_RSP:
5359 l2cap_information_rsp(conn, cmd, cmd_len, data);
5360 break;
5361
5362 case L2CAP_CREATE_CHAN_REQ:
5363 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5364 break;
5365
5366 case L2CAP_MOVE_CHAN_REQ:
5367 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5368 break;
5369
5370 case L2CAP_MOVE_CHAN_RSP:
5371 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5372 break;
5373
5374 case L2CAP_MOVE_CHAN_CFM:
5375 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5376 break;
5377
5378 case L2CAP_MOVE_CHAN_CFM_RSP:
5379 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5380 break;
5381
5382 default:
5383 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5384 err = -EINVAL;
5385 break;
5386 }
5387
5388 return err;
5389}
5390
5391static int l2cap_le_connect_req(struct l2cap_conn *conn,
5392 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5393 u8 *data)
5394{
5395 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5396 struct l2cap_le_conn_rsp rsp;
5397 struct l2cap_chan *chan, *pchan;
5398 u16 dcid, scid, credits, mtu, mps;
5399 __le16 psm;
5400 u8 result;
5401
5402 if (cmd_len != sizeof(*req))
5403 return -EPROTO;
5404
5405 scid = __le16_to_cpu(req->scid);
5406 mtu = __le16_to_cpu(req->mtu);
5407 mps = __le16_to_cpu(req->mps);
5408 psm = req->psm;
5409 dcid = 0;
5410 credits = 0;
5411
5412 if (mtu < 23 || mps < 23)
5413 return -EPROTO;
5414
5415 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5416 scid, mtu, mps);
5417
5418
5419 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5420 &conn->hcon->dst, LE_LINK);
5421 if (!pchan) {
5422 result = L2CAP_CR_BAD_PSM;
5423 chan = NULL;
5424 goto response;
5425 }
5426
5427 mutex_lock(&conn->chan_lock);
5428 l2cap_chan_lock(pchan);
5429
5430 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5431 SMP_ALLOW_STK)) {
5432 result = L2CAP_CR_AUTHENTICATION;
5433 chan = NULL;
5434 goto response_unlock;
5435 }
5436
5437
5438 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5439 result = L2CAP_CR_NO_MEM;
5440 chan = NULL;
5441 goto response_unlock;
5442 }
5443
5444 chan = pchan->ops->new_connection(pchan);
5445 if (!chan) {
5446 result = L2CAP_CR_NO_MEM;
5447 goto response_unlock;
5448 }
5449
5450 l2cap_le_flowctl_init(chan);
5451
5452 bacpy(&chan->src, &conn->hcon->src);
5453 bacpy(&chan->dst, &conn->hcon->dst);
5454 chan->src_type = bdaddr_src_type(conn->hcon);
5455 chan->dst_type = bdaddr_dst_type(conn->hcon);
5456 chan->psm = psm;
5457 chan->dcid = scid;
5458 chan->omtu = mtu;
5459 chan->remote_mps = mps;
5460 chan->tx_credits = __le16_to_cpu(req->credits);
5461
5462 __l2cap_chan_add(conn, chan);
5463 dcid = chan->scid;
5464 credits = chan->rx_credits;
5465
5466 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5467
5468 chan->ident = cmd->ident;
5469
5470 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5471 l2cap_state_change(chan, BT_CONNECT2);
5472
5473
5474
5475
5476
5477 result = L2CAP_CR_PEND;
5478 chan->ops->defer(chan);
5479 } else {
5480 l2cap_chan_ready(chan);
5481 result = L2CAP_CR_SUCCESS;
5482 }
5483
5484response_unlock:
5485 l2cap_chan_unlock(pchan);
5486 mutex_unlock(&conn->chan_lock);
5487 l2cap_chan_put(pchan);
5488
5489 if (result == L2CAP_CR_PEND)
5490 return 0;
5491
5492response:
5493 if (chan) {
5494 rsp.mtu = cpu_to_le16(chan->imtu);
5495 rsp.mps = cpu_to_le16(chan->mps);
5496 } else {
5497 rsp.mtu = 0;
5498 rsp.mps = 0;
5499 }
5500
5501 rsp.dcid = cpu_to_le16(dcid);
5502 rsp.credits = cpu_to_le16(credits);
5503 rsp.result = cpu_to_le16(result);
5504
5505 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5506
5507 return 0;
5508}
5509
5510static inline int l2cap_le_credits(struct l2cap_conn *conn,
5511 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5512 u8 *data)
5513{
5514 struct l2cap_le_credits *pkt;
5515 struct l2cap_chan *chan;
5516 u16 cid, credits, max_credits;
5517
5518 if (cmd_len != sizeof(*pkt))
5519 return -EPROTO;
5520
5521 pkt = (struct l2cap_le_credits *) data;
5522 cid = __le16_to_cpu(pkt->cid);
5523 credits = __le16_to_cpu(pkt->credits);
5524
5525 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5526
5527 chan = l2cap_get_chan_by_dcid(conn, cid);
5528 if (!chan)
5529 return -EBADSLT;
5530
5531 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5532 if (credits > max_credits) {
5533 BT_ERR("LE credits overflow");
5534 l2cap_send_disconn_req(chan, ECONNRESET);
5535 l2cap_chan_unlock(chan);
5536
5537
5538
5539
5540 return 0;
5541 }
5542
5543 chan->tx_credits += credits;
5544
5545 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5546 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5547 chan->tx_credits--;
5548 }
5549
5550 if (chan->tx_credits)
5551 chan->ops->resume(chan);
5552
5553 l2cap_chan_unlock(chan);
5554
5555 return 0;
5556}
5557
5558static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5559 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5560 u8 *data)
5561{
5562 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5563 struct l2cap_chan *chan;
5564
5565 if (cmd_len < sizeof(*rej))
5566 return -EPROTO;
5567
5568 mutex_lock(&conn->chan_lock);
5569
5570 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5571 if (!chan)
5572 goto done;
5573
5574 l2cap_chan_lock(chan);
5575 l2cap_chan_del(chan, ECONNREFUSED);
5576 l2cap_chan_unlock(chan);
5577
5578done:
5579 mutex_unlock(&conn->chan_lock);
5580 return 0;
5581}
5582
5583static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5584 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5585 u8 *data)
5586{
5587 int err = 0;
5588
5589 switch (cmd->code) {
5590 case L2CAP_COMMAND_REJ:
5591 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5592 break;
5593
5594 case L2CAP_CONN_PARAM_UPDATE_REQ:
5595 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5596 break;
5597
5598 case L2CAP_CONN_PARAM_UPDATE_RSP:
5599 break;
5600
5601 case L2CAP_LE_CONN_RSP:
5602 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5603 break;
5604
5605 case L2CAP_LE_CONN_REQ:
5606 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5607 break;
5608
5609 case L2CAP_LE_CREDITS:
5610 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5611 break;
5612
5613 case L2CAP_DISCONN_REQ:
5614 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5615 break;
5616
5617 case L2CAP_DISCONN_RSP:
5618 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5619 break;
5620
5621 default:
5622 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5623 err = -EINVAL;
5624 break;
5625 }
5626
5627 return err;
5628}
5629
5630static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5631 struct sk_buff *skb)
5632{
5633 struct hci_conn *hcon = conn->hcon;
5634 struct l2cap_cmd_hdr *cmd;
5635 u16 len;
5636 int err;
5637
5638 if (hcon->type != LE_LINK)
5639 goto drop;
5640
5641 if (skb->len < L2CAP_CMD_HDR_SIZE)
5642 goto drop;
5643
5644 cmd = (void *) skb->data;
5645 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5646
5647 len = le16_to_cpu(cmd->len);
5648
5649 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5650
5651 if (len != skb->len || !cmd->ident) {
5652 BT_DBG("corrupted command");
5653 goto drop;
5654 }
5655
5656 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5657 if (err) {
5658 struct l2cap_cmd_rej_unk rej;
5659
5660 BT_ERR("Wrong link type (%d)", err);
5661
5662 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5663 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5664 sizeof(rej), &rej);
5665 }
5666
5667drop:
5668 kfree_skb(skb);
5669}
5670
5671static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5672 struct sk_buff *skb)
5673{
5674 struct hci_conn *hcon = conn->hcon;
5675 u8 *data = skb->data;
5676 int len = skb->len;
5677 struct l2cap_cmd_hdr cmd;
5678 int err;
5679
5680 l2cap_raw_recv(conn, skb);
5681
5682 if (hcon->type != ACL_LINK)
5683 goto drop;
5684
5685 while (len >= L2CAP_CMD_HDR_SIZE) {
5686 u16 cmd_len;
5687 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5688 data += L2CAP_CMD_HDR_SIZE;
5689 len -= L2CAP_CMD_HDR_SIZE;
5690
5691 cmd_len = le16_to_cpu(cmd.len);
5692
5693 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5694 cmd.ident);
5695
5696 if (cmd_len > len || !cmd.ident) {
5697 BT_DBG("corrupted command");
5698 break;
5699 }
5700
5701 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5702 if (err) {
5703 struct l2cap_cmd_rej_unk rej;
5704
5705 BT_ERR("Wrong link type (%d)", err);
5706
5707 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5708 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5709 sizeof(rej), &rej);
5710 }
5711
5712 data += cmd_len;
5713 len -= cmd_len;
5714 }
5715
5716drop:
5717 kfree_skb(skb);
5718}
5719
5720static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5721{
5722 u16 our_fcs, rcv_fcs;
5723 int hdr_size;
5724
5725 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5726 hdr_size = L2CAP_EXT_HDR_SIZE;
5727 else
5728 hdr_size = L2CAP_ENH_HDR_SIZE;
5729
5730 if (chan->fcs == L2CAP_FCS_CRC16) {
5731 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5732 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5733 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5734
5735 if (our_fcs != rcv_fcs)
5736 return -EBADMSG;
5737 }
5738 return 0;
5739}
5740
5741static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5742{
5743 struct l2cap_ctrl control;
5744
5745 BT_DBG("chan %p", chan);
5746
5747 memset(&control, 0, sizeof(control));
5748 control.sframe = 1;
5749 control.final = 1;
5750 control.reqseq = chan->buffer_seq;
5751 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5752
5753 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5754 control.super = L2CAP_SUPER_RNR;
5755 l2cap_send_sframe(chan, &control);
5756 }
5757
5758 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5759 chan->unacked_frames > 0)
5760 __set_retrans_timer(chan);
5761
5762
5763 l2cap_ertm_send(chan);
5764
5765 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5766 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5767
5768
5769
5770 control.super = L2CAP_SUPER_RR;
5771 l2cap_send_sframe(chan, &control);
5772 }
5773}
5774
5775static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5776 struct sk_buff **last_frag)
5777{
5778
5779
5780
5781 if (!skb_has_frag_list(skb))
5782 skb_shinfo(skb)->frag_list = new_frag;
5783
5784 new_frag->next = NULL;
5785
5786 (*last_frag)->next = new_frag;
5787 *last_frag = new_frag;
5788
5789 skb->len += new_frag->len;
5790 skb->data_len += new_frag->len;
5791 skb->truesize += new_frag->truesize;
5792}
5793
5794static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5795 struct l2cap_ctrl *control)
5796{
5797 int err = -EINVAL;
5798
5799 switch (control->sar) {
5800 case L2CAP_SAR_UNSEGMENTED:
5801 if (chan->sdu)
5802 break;
5803
5804 err = chan->ops->recv(chan, skb);
5805 break;
5806
5807 case L2CAP_SAR_START:
5808 if (chan->sdu)
5809 break;
5810
5811 chan->sdu_len = get_unaligned_le16(skb->data);
5812 skb_pull(skb, L2CAP_SDULEN_SIZE);
5813
5814 if (chan->sdu_len > chan->imtu) {
5815 err = -EMSGSIZE;
5816 break;
5817 }
5818
5819 if (skb->len >= chan->sdu_len)
5820 break;
5821
5822 chan->sdu = skb;
5823 chan->sdu_last_frag = skb;
5824
5825 skb = NULL;
5826 err = 0;
5827 break;
5828
5829 case L2CAP_SAR_CONTINUE:
5830 if (!chan->sdu)
5831 break;
5832
5833 append_skb_frag(chan->sdu, skb,
5834 &chan->sdu_last_frag);
5835 skb = NULL;
5836
5837 if (chan->sdu->len >= chan->sdu_len)
5838 break;
5839
5840 err = 0;
5841 break;
5842
5843 case L2CAP_SAR_END:
5844 if (!chan->sdu)
5845 break;
5846
5847 append_skb_frag(chan->sdu, skb,
5848 &chan->sdu_last_frag);
5849 skb = NULL;
5850
5851 if (chan->sdu->len != chan->sdu_len)
5852 break;
5853
5854 err = chan->ops->recv(chan, chan->sdu);
5855
5856 if (!err) {
5857
5858 chan->sdu = NULL;
5859 chan->sdu_last_frag = NULL;
5860 chan->sdu_len = 0;
5861 }
5862 break;
5863 }
5864
5865 if (err) {
5866 kfree_skb(skb);
5867 kfree_skb(chan->sdu);
5868 chan->sdu = NULL;
5869 chan->sdu_last_frag = NULL;
5870 chan->sdu_len = 0;
5871 }
5872
5873 return err;
5874}
5875
5876static int l2cap_resegment(struct l2cap_chan *chan)
5877{
5878
5879 return 0;
5880}
5881
5882void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5883{
5884 u8 event;
5885
5886 if (chan->mode != L2CAP_MODE_ERTM)
5887 return;
5888
5889 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5890 l2cap_tx(chan, NULL, NULL, event);
5891}
5892
5893static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5894{
5895 int err = 0;
5896
5897
5898
5899
5900 BT_DBG("chan %p", chan);
5901
5902 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5903 struct sk_buff *skb;
5904 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5905 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5906
5907 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5908
5909 if (!skb)
5910 break;
5911
5912 skb_unlink(skb, &chan->srej_q);
5913 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5914 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5915 if (err)
5916 break;
5917 }
5918
5919 if (skb_queue_empty(&chan->srej_q)) {
5920 chan->rx_state = L2CAP_RX_STATE_RECV;
5921 l2cap_send_ack(chan);
5922 }
5923
5924 return err;
5925}
5926
5927static void l2cap_handle_srej(struct l2cap_chan *chan,
5928 struct l2cap_ctrl *control)
5929{
5930 struct sk_buff *skb;
5931
5932 BT_DBG("chan %p, control %p", chan, control);
5933
5934 if (control->reqseq == chan->next_tx_seq) {
5935 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5936 l2cap_send_disconn_req(chan, ECONNRESET);
5937 return;
5938 }
5939
5940 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5941
5942 if (skb == NULL) {
5943 BT_DBG("Seq %d not available for retransmission",
5944 control->reqseq);
5945 return;
5946 }
5947
5948 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5949 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5950 l2cap_send_disconn_req(chan, ECONNRESET);
5951 return;
5952 }
5953
5954 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5955
5956 if (control->poll) {
5957 l2cap_pass_to_tx(chan, control);
5958
5959 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5960 l2cap_retransmit(chan, control);
5961 l2cap_ertm_send(chan);
5962
5963 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5964 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5965 chan->srej_save_reqseq = control->reqseq;
5966 }
5967 } else {
5968 l2cap_pass_to_tx_fbit(chan, control);
5969
5970 if (control->final) {
5971 if (chan->srej_save_reqseq != control->reqseq ||
5972 !test_and_clear_bit(CONN_SREJ_ACT,
5973 &chan->conn_state))
5974 l2cap_retransmit(chan, control);
5975 } else {
5976 l2cap_retransmit(chan, control);
5977 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5978 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5979 chan->srej_save_reqseq = control->reqseq;
5980 }
5981 }
5982 }
5983}
5984
5985static void l2cap_handle_rej(struct l2cap_chan *chan,
5986 struct l2cap_ctrl *control)
5987{
5988 struct sk_buff *skb;
5989
5990 BT_DBG("chan %p, control %p", chan, control);
5991
5992 if (control->reqseq == chan->next_tx_seq) {
5993 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5994 l2cap_send_disconn_req(chan, ECONNRESET);
5995 return;
5996 }
5997
5998 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5999
6000 if (chan->max_tx && skb &&
6001 bt_cb(skb)->control.retries >= chan->max_tx) {
6002 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6003 l2cap_send_disconn_req(chan, ECONNRESET);
6004 return;
6005 }
6006
6007 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6008
6009 l2cap_pass_to_tx(chan, control);
6010
6011 if (control->final) {
6012 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6013 l2cap_retransmit_all(chan, control);
6014 } else {
6015 l2cap_retransmit_all(chan, control);
6016 l2cap_ertm_send(chan);
6017 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6018 set_bit(CONN_REJ_ACT, &chan->conn_state);
6019 }
6020}
6021
6022static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6023{
6024 BT_DBG("chan %p, txseq %d", chan, txseq);
6025
6026 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6027 chan->expected_tx_seq);
6028
6029 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6030 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6031 chan->tx_win) {
6032
6033
6034
6035 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6036 BT_DBG("Invalid/Ignore - after SREJ");
6037 return L2CAP_TXSEQ_INVALID_IGNORE;
6038 } else {
6039 BT_DBG("Invalid - in window after SREJ sent");
6040 return L2CAP_TXSEQ_INVALID;
6041 }
6042 }
6043
6044 if (chan->srej_list.head == txseq) {
6045 BT_DBG("Expected SREJ");
6046 return L2CAP_TXSEQ_EXPECTED_SREJ;
6047 }
6048
6049 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6050 BT_DBG("Duplicate SREJ - txseq already stored");
6051 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6052 }
6053
6054 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6055 BT_DBG("Unexpected SREJ - not requested");
6056 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6057 }
6058 }
6059
6060 if (chan->expected_tx_seq == txseq) {
6061 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6062 chan->tx_win) {
6063 BT_DBG("Invalid - txseq outside tx window");
6064 return L2CAP_TXSEQ_INVALID;
6065 } else {
6066 BT_DBG("Expected");
6067 return L2CAP_TXSEQ_EXPECTED;
6068 }
6069 }
6070
6071 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6072 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6073 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6074 return L2CAP_TXSEQ_DUPLICATE;
6075 }
6076
6077 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6078
6079
6080
6081
6082
6083
6084
6085
6086
6087
6088
6089
6090
6091
6092
6093
6094
6095 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6096 BT_DBG("Invalid/Ignore - txseq outside tx window");
6097 return L2CAP_TXSEQ_INVALID_IGNORE;
6098 } else {
6099 BT_DBG("Invalid - txseq outside tx window");
6100 return L2CAP_TXSEQ_INVALID;
6101 }
6102 } else {
6103 BT_DBG("Unexpected - txseq indicates missing frames");
6104 return L2CAP_TXSEQ_UNEXPECTED;
6105 }
6106}
6107
6108static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6109 struct l2cap_ctrl *control,
6110 struct sk_buff *skb, u8 event)
6111{
6112 int err = 0;
6113 bool skb_in_use = false;
6114
6115 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6116 event);
6117
6118 switch (event) {
6119 case L2CAP_EV_RECV_IFRAME:
6120 switch (l2cap_classify_txseq(chan, control->txseq)) {
6121 case L2CAP_TXSEQ_EXPECTED:
6122 l2cap_pass_to_tx(chan, control);
6123
6124 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6125 BT_DBG("Busy, discarding expected seq %d",
6126 control->txseq);
6127 break;
6128 }
6129
6130 chan->expected_tx_seq = __next_seq(chan,
6131 control->txseq);
6132
6133 chan->buffer_seq = chan->expected_tx_seq;
6134 skb_in_use = true;
6135
6136 err = l2cap_reassemble_sdu(chan, skb, control);
6137 if (err)
6138 break;
6139
6140 if (control->final) {
6141 if (!test_and_clear_bit(CONN_REJ_ACT,
6142 &chan->conn_state)) {
6143 control->final = 0;
6144 l2cap_retransmit_all(chan, control);
6145 l2cap_ertm_send(chan);
6146 }
6147 }
6148
6149 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6150 l2cap_send_ack(chan);
6151 break;
6152 case L2CAP_TXSEQ_UNEXPECTED:
6153 l2cap_pass_to_tx(chan, control);
6154
6155
6156
6157
6158
6159 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6160 BT_DBG("Busy, discarding unexpected seq %d",
6161 control->txseq);
6162 break;
6163 }
6164
6165
6166
6167
6168
6169 skb_queue_tail(&chan->srej_q, skb);
6170 skb_in_use = true;
6171 BT_DBG("Queued %p (queue len %d)", skb,
6172 skb_queue_len(&chan->srej_q));
6173
6174 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6175 l2cap_seq_list_clear(&chan->srej_list);
6176 l2cap_send_srej(chan, control->txseq);
6177
6178 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6179 break;
6180 case L2CAP_TXSEQ_DUPLICATE:
6181 l2cap_pass_to_tx(chan, control);
6182 break;
6183 case L2CAP_TXSEQ_INVALID_IGNORE:
6184 break;
6185 case L2CAP_TXSEQ_INVALID:
6186 default:
6187 l2cap_send_disconn_req(chan, ECONNRESET);
6188 break;
6189 }
6190 break;
6191 case L2CAP_EV_RECV_RR:
6192 l2cap_pass_to_tx(chan, control);
6193 if (control->final) {
6194 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6195
6196 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6197 !__chan_is_moving(chan)) {
6198 control->final = 0;
6199 l2cap_retransmit_all(chan, control);
6200 }
6201
6202 l2cap_ertm_send(chan);
6203 } else if (control->poll) {
6204 l2cap_send_i_or_rr_or_rnr(chan);
6205 } else {
6206 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6207 &chan->conn_state) &&
6208 chan->unacked_frames)
6209 __set_retrans_timer(chan);
6210
6211 l2cap_ertm_send(chan);
6212 }
6213 break;
6214 case L2CAP_EV_RECV_RNR:
6215 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6216 l2cap_pass_to_tx(chan, control);
6217 if (control && control->poll) {
6218 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6219 l2cap_send_rr_or_rnr(chan, 0);
6220 }
6221 __clear_retrans_timer(chan);
6222 l2cap_seq_list_clear(&chan->retrans_list);
6223 break;
6224 case L2CAP_EV_RECV_REJ:
6225 l2cap_handle_rej(chan, control);
6226 break;
6227 case L2CAP_EV_RECV_SREJ:
6228 l2cap_handle_srej(chan, control);
6229 break;
6230 default:
6231 break;
6232 }
6233
6234 if (skb && !skb_in_use) {
6235 BT_DBG("Freeing %p", skb);
6236 kfree_skb(skb);
6237 }
6238
6239 return err;
6240}
6241
6242static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6243 struct l2cap_ctrl *control,
6244 struct sk_buff *skb, u8 event)
6245{
6246 int err = 0;
6247 u16 txseq = control->txseq;
6248 bool skb_in_use = false;
6249
6250 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6251 event);
6252
6253 switch (event) {
6254 case L2CAP_EV_RECV_IFRAME:
6255 switch (l2cap_classify_txseq(chan, txseq)) {
6256 case L2CAP_TXSEQ_EXPECTED:
6257
6258 l2cap_pass_to_tx(chan, control);
6259 skb_queue_tail(&chan->srej_q, skb);
6260 skb_in_use = true;
6261 BT_DBG("Queued %p (queue len %d)", skb,
6262 skb_queue_len(&chan->srej_q));
6263
6264 chan->expected_tx_seq = __next_seq(chan, txseq);
6265 break;
6266 case L2CAP_TXSEQ_EXPECTED_SREJ:
6267 l2cap_seq_list_pop(&chan->srej_list);
6268
6269 l2cap_pass_to_tx(chan, control);
6270 skb_queue_tail(&chan->srej_q, skb);
6271 skb_in_use = true;
6272 BT_DBG("Queued %p (queue len %d)", skb,
6273 skb_queue_len(&chan->srej_q));
6274
6275 err = l2cap_rx_queued_iframes(chan);
6276 if (err)
6277 break;
6278
6279 break;
6280 case L2CAP_TXSEQ_UNEXPECTED:
6281
6282
6283
6284
6285 skb_queue_tail(&chan->srej_q, skb);
6286 skb_in_use = true;
6287 BT_DBG("Queued %p (queue len %d)", skb,
6288 skb_queue_len(&chan->srej_q));
6289
6290 l2cap_pass_to_tx(chan, control);
6291 l2cap_send_srej(chan, control->txseq);
6292 break;
6293 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6294
6295
6296
6297
6298
6299 skb_queue_tail(&chan->srej_q, skb);
6300 skb_in_use = true;
6301 BT_DBG("Queued %p (queue len %d)", skb,
6302 skb_queue_len(&chan->srej_q));
6303
6304 l2cap_pass_to_tx(chan, control);
6305 l2cap_send_srej_list(chan, control->txseq);
6306 break;
6307 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6308
6309 l2cap_pass_to_tx(chan, control);
6310 break;
6311 case L2CAP_TXSEQ_DUPLICATE:
6312
6313
6314
6315 break;
6316 case L2CAP_TXSEQ_INVALID_IGNORE:
6317 break;
6318 case L2CAP_TXSEQ_INVALID:
6319 default:
6320 l2cap_send_disconn_req(chan, ECONNRESET);
6321 break;
6322 }
6323 break;
6324 case L2CAP_EV_RECV_RR:
6325 l2cap_pass_to_tx(chan, control);
6326 if (control->final) {
6327 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6328
6329 if (!test_and_clear_bit(CONN_REJ_ACT,
6330 &chan->conn_state)) {
6331 control->final = 0;
6332 l2cap_retransmit_all(chan, control);
6333 }
6334
6335 l2cap_ertm_send(chan);
6336 } else if (control->poll) {
6337 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6338 &chan->conn_state) &&
6339 chan->unacked_frames) {
6340 __set_retrans_timer(chan);
6341 }
6342
6343 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6344 l2cap_send_srej_tail(chan);
6345 } else {
6346 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6347 &chan->conn_state) &&
6348 chan->unacked_frames)
6349 __set_retrans_timer(chan);
6350
6351 l2cap_send_ack(chan);
6352 }
6353 break;
6354 case L2CAP_EV_RECV_RNR:
6355 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6356 l2cap_pass_to_tx(chan, control);
6357 if (control->poll) {
6358 l2cap_send_srej_tail(chan);
6359 } else {
6360 struct l2cap_ctrl rr_control;
6361 memset(&rr_control, 0, sizeof(rr_control));
6362 rr_control.sframe = 1;
6363 rr_control.super = L2CAP_SUPER_RR;
6364 rr_control.reqseq = chan->buffer_seq;
6365 l2cap_send_sframe(chan, &rr_control);
6366 }
6367
6368 break;
6369 case L2CAP_EV_RECV_REJ:
6370 l2cap_handle_rej(chan, control);
6371 break;
6372 case L2CAP_EV_RECV_SREJ:
6373 l2cap_handle_srej(chan, control);
6374 break;
6375 }
6376
6377 if (skb && !skb_in_use) {
6378 BT_DBG("Freeing %p", skb);
6379 kfree_skb(skb);
6380 }
6381
6382 return err;
6383}
6384
6385static int l2cap_finish_move(struct l2cap_chan *chan)
6386{
6387 BT_DBG("chan %p", chan);
6388
6389 chan->rx_state = L2CAP_RX_STATE_RECV;
6390
6391 if (chan->hs_hcon)
6392 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6393 else
6394 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6395
6396 return l2cap_resegment(chan);
6397}
6398
6399static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6400 struct l2cap_ctrl *control,
6401 struct sk_buff *skb, u8 event)
6402{
6403 int err;
6404
6405 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6406 event);
6407
6408 if (!control->poll)
6409 return -EPROTO;
6410
6411 l2cap_process_reqseq(chan, control->reqseq);
6412
6413 if (!skb_queue_empty(&chan->tx_q))
6414 chan->tx_send_head = skb_peek(&chan->tx_q);
6415 else
6416 chan->tx_send_head = NULL;
6417
6418
6419
6420
6421 chan->next_tx_seq = control->reqseq;
6422 chan->unacked_frames = 0;
6423
6424 err = l2cap_finish_move(chan);
6425 if (err)
6426 return err;
6427
6428 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6429 l2cap_send_i_or_rr_or_rnr(chan);
6430
6431 if (event == L2CAP_EV_RECV_IFRAME)
6432 return -EPROTO;
6433
6434 return l2cap_rx_state_recv(chan, control, NULL, event);
6435}
6436
6437static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6438 struct l2cap_ctrl *control,
6439 struct sk_buff *skb, u8 event)
6440{
6441 int err;
6442
6443 if (!control->final)
6444 return -EPROTO;
6445
6446 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6447
6448 chan->rx_state = L2CAP_RX_STATE_RECV;
6449 l2cap_process_reqseq(chan, control->reqseq);
6450
6451 if (!skb_queue_empty(&chan->tx_q))
6452 chan->tx_send_head = skb_peek(&chan->tx_q);
6453 else
6454 chan->tx_send_head = NULL;
6455
6456
6457
6458
6459 chan->next_tx_seq = control->reqseq;
6460 chan->unacked_frames = 0;
6461
6462 if (chan->hs_hcon)
6463 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6464 else
6465 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6466
6467 err = l2cap_resegment(chan);
6468
6469 if (!err)
6470 err = l2cap_rx_state_recv(chan, control, skb, event);
6471
6472 return err;
6473}
6474
6475static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6476{
6477
6478 u16 unacked;
6479
6480 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6481 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6482}
6483
6484static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6485 struct sk_buff *skb, u8 event)
6486{
6487 int err = 0;
6488
6489 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6490 control, skb, event, chan->rx_state);
6491
6492 if (__valid_reqseq(chan, control->reqseq)) {
6493 switch (chan->rx_state) {
6494 case L2CAP_RX_STATE_RECV:
6495 err = l2cap_rx_state_recv(chan, control, skb, event);
6496 break;
6497 case L2CAP_RX_STATE_SREJ_SENT:
6498 err = l2cap_rx_state_srej_sent(chan, control, skb,
6499 event);
6500 break;
6501 case L2CAP_RX_STATE_WAIT_P:
6502 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6503 break;
6504 case L2CAP_RX_STATE_WAIT_F:
6505 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6506 break;
6507 default:
6508
6509 break;
6510 }
6511 } else {
6512 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6513 control->reqseq, chan->next_tx_seq,
6514 chan->expected_ack_seq);
6515 l2cap_send_disconn_req(chan, ECONNRESET);
6516 }
6517
6518 return err;
6519}
6520
6521static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6522 struct sk_buff *skb)
6523{
6524 int err = 0;
6525
6526 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6527 chan->rx_state);
6528
6529 if (l2cap_classify_txseq(chan, control->txseq) ==
6530 L2CAP_TXSEQ_EXPECTED) {
6531 l2cap_pass_to_tx(chan, control);
6532
6533 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6534 __next_seq(chan, chan->buffer_seq));
6535
6536 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6537
6538 l2cap_reassemble_sdu(chan, skb, control);
6539 } else {
6540 if (chan->sdu) {
6541 kfree_skb(chan->sdu);
6542 chan->sdu = NULL;
6543 }
6544 chan->sdu_last_frag = NULL;
6545 chan->sdu_len = 0;
6546
6547 if (skb) {
6548 BT_DBG("Freeing %p", skb);
6549 kfree_skb(skb);
6550 }
6551 }
6552
6553 chan->last_acked_seq = control->txseq;
6554 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6555
6556 return err;
6557}
6558
6559static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6560{
6561 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6562 u16 len;
6563 u8 event;
6564
6565 __unpack_control(chan, skb);
6566
6567 len = skb->len;
6568
6569
6570
6571
6572
6573
6574 if (l2cap_check_fcs(chan, skb))
6575 goto drop;
6576
6577 if (!control->sframe && control->sar == L2CAP_SAR_START)
6578 len -= L2CAP_SDULEN_SIZE;
6579
6580 if (chan->fcs == L2CAP_FCS_CRC16)
6581 len -= L2CAP_FCS_SIZE;
6582
6583 if (len > chan->mps) {
6584 l2cap_send_disconn_req(chan, ECONNRESET);
6585 goto drop;
6586 }
6587
6588 if (!control->sframe) {
6589 int err;
6590
6591 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6592 control->sar, control->reqseq, control->final,
6593 control->txseq);
6594
6595
6596
6597
6598 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6599 goto drop;
6600
6601 if (chan->mode != L2CAP_MODE_STREAMING) {
6602 event = L2CAP_EV_RECV_IFRAME;
6603 err = l2cap_rx(chan, control, skb, event);
6604 } else {
6605 err = l2cap_stream_rx(chan, control, skb);
6606 }
6607
6608 if (err)
6609 l2cap_send_disconn_req(chan, ECONNRESET);
6610 } else {
6611 const u8 rx_func_to_event[4] = {
6612 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6613 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6614 };
6615
6616
6617 if (chan->mode == L2CAP_MODE_STREAMING)
6618 goto drop;
6619
6620 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6621 control->reqseq, control->final, control->poll,
6622 control->super);
6623
6624 if (len != 0) {
6625 BT_ERR("Trailing bytes: %d in sframe", len);
6626 l2cap_send_disconn_req(chan, ECONNRESET);
6627 goto drop;
6628 }
6629
6630
6631 if (control->final && (control->poll ||
6632 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6633 goto drop;
6634
6635 event = rx_func_to_event[control->super];
6636 if (l2cap_rx(chan, control, skb, event))
6637 l2cap_send_disconn_req(chan, ECONNRESET);
6638 }
6639
6640 return 0;
6641
6642drop:
6643 kfree_skb(skb);
6644 return 0;
6645}
6646
6647static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6648{
6649 struct l2cap_conn *conn = chan->conn;
6650 struct l2cap_le_credits pkt;
6651 u16 return_credits;
6652
6653
6654
6655
6656 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6657 return;
6658
6659 return_credits = le_max_credits - chan->rx_credits;
6660
6661 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6662
6663 chan->rx_credits += return_credits;
6664
6665 pkt.cid = cpu_to_le16(chan->scid);
6666 pkt.credits = cpu_to_le16(return_credits);
6667
6668 chan->ident = l2cap_get_ident(conn);
6669
6670 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6671}
6672
6673static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6674{
6675 int err;
6676
6677 if (!chan->rx_credits) {
6678 BT_ERR("No credits to receive LE L2CAP data");
6679 l2cap_send_disconn_req(chan, ECONNRESET);
6680 return -ENOBUFS;
6681 }
6682
6683 if (chan->imtu < skb->len) {
6684 BT_ERR("Too big LE L2CAP PDU");
6685 return -ENOBUFS;
6686 }
6687
6688 chan->rx_credits--;
6689 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6690
6691 l2cap_chan_le_send_credits(chan);
6692
6693 err = 0;
6694
6695 if (!chan->sdu) {
6696 u16 sdu_len;
6697
6698 sdu_len = get_unaligned_le16(skb->data);
6699 skb_pull(skb, L2CAP_SDULEN_SIZE);
6700
6701 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6702 sdu_len, skb->len, chan->imtu);
6703
6704 if (sdu_len > chan->imtu) {
6705 BT_ERR("Too big LE L2CAP SDU length received");
6706 err = -EMSGSIZE;
6707 goto failed;
6708 }
6709
6710 if (skb->len > sdu_len) {
6711 BT_ERR("Too much LE L2CAP data received");
6712 err = -EINVAL;
6713 goto failed;
6714 }
6715
6716 if (skb->len == sdu_len)
6717 return chan->ops->recv(chan, skb);
6718
6719 chan->sdu = skb;
6720 chan->sdu_len = sdu_len;
6721 chan->sdu_last_frag = skb;
6722
6723 return 0;
6724 }
6725
6726 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6727 chan->sdu->len, skb->len, chan->sdu_len);
6728
6729 if (chan->sdu->len + skb->len > chan->sdu_len) {
6730 BT_ERR("Too much LE L2CAP data received");
6731 err = -EINVAL;
6732 goto failed;
6733 }
6734
6735 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6736 skb = NULL;
6737
6738 if (chan->sdu->len == chan->sdu_len) {
6739 err = chan->ops->recv(chan, chan->sdu);
6740 if (!err) {
6741 chan->sdu = NULL;
6742 chan->sdu_last_frag = NULL;
6743 chan->sdu_len = 0;
6744 }
6745 }
6746
6747failed:
6748 if (err) {
6749 kfree_skb(skb);
6750 kfree_skb(chan->sdu);
6751 chan->sdu = NULL;
6752 chan->sdu_last_frag = NULL;
6753 chan->sdu_len = 0;
6754 }
6755
6756
6757
6758
6759
6760 return 0;
6761}
6762
6763static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6764 struct sk_buff *skb)
6765{
6766 struct l2cap_chan *chan;
6767
6768 chan = l2cap_get_chan_by_scid(conn, cid);
6769 if (!chan) {
6770 if (cid == L2CAP_CID_A2MP) {
6771 chan = a2mp_channel_create(conn, skb);
6772 if (!chan) {
6773 kfree_skb(skb);
6774 return;
6775 }
6776
6777 l2cap_chan_lock(chan);
6778 } else {
6779 BT_DBG("unknown cid 0x%4.4x", cid);
6780
6781 kfree_skb(skb);
6782 return;
6783 }
6784 }
6785
6786 BT_DBG("chan %p, len %d", chan, skb->len);
6787
6788 if (chan->state != BT_CONNECTED)
6789 goto drop;
6790
6791 switch (chan->mode) {
6792 case L2CAP_MODE_LE_FLOWCTL:
6793 if (l2cap_le_data_rcv(chan, skb) < 0)
6794 goto drop;
6795
6796 goto done;
6797
6798 case L2CAP_MODE_BASIC:
6799
6800
6801
6802
6803
6804 if (chan->imtu < skb->len) {
6805 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6806 goto drop;
6807 }
6808
6809 if (!chan->ops->recv(chan, skb))
6810 goto done;
6811 break;
6812
6813 case L2CAP_MODE_ERTM:
6814 case L2CAP_MODE_STREAMING:
6815 l2cap_data_rcv(chan, skb);
6816 goto done;
6817
6818 default:
6819 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6820 break;
6821 }
6822
6823drop:
6824 kfree_skb(skb);
6825
6826done:
6827 l2cap_chan_unlock(chan);
6828}
6829
6830static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6831 struct sk_buff *skb)
6832{
6833 struct hci_conn *hcon = conn->hcon;
6834 struct l2cap_chan *chan;
6835
6836 if (hcon->type != ACL_LINK)
6837 goto free_skb;
6838
6839 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6840 ACL_LINK);
6841 if (!chan)
6842 goto free_skb;
6843
6844 BT_DBG("chan %p, len %d", chan, skb->len);
6845
6846 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6847 goto drop;
6848
6849 if (chan->imtu < skb->len)
6850 goto drop;
6851
6852
6853 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
6854 bt_cb(skb)->psm = psm;
6855
6856 if (!chan->ops->recv(chan, skb)) {
6857 l2cap_chan_put(chan);
6858 return;
6859 }
6860
6861drop:
6862 l2cap_chan_put(chan);
6863free_skb:
6864 kfree_skb(skb);
6865}
6866
6867static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6868{
6869 struct l2cap_hdr *lh = (void *) skb->data;
6870 struct hci_conn *hcon = conn->hcon;
6871 u16 cid, len;
6872 __le16 psm;
6873
6874 if (hcon->state != BT_CONNECTED) {
6875 BT_DBG("queueing pending rx skb");
6876 skb_queue_tail(&conn->pending_rx, skb);
6877 return;
6878 }
6879
6880 skb_pull(skb, L2CAP_HDR_SIZE);
6881 cid = __le16_to_cpu(lh->cid);
6882 len = __le16_to_cpu(lh->len);
6883
6884 if (len != skb->len) {
6885 kfree_skb(skb);
6886 return;
6887 }
6888
6889
6890
6891
6892 if (hcon->type == LE_LINK &&
6893 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6894 bdaddr_dst_type(hcon))) {
6895 kfree_skb(skb);
6896 return;
6897 }
6898
6899 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6900
6901 switch (cid) {
6902 case L2CAP_CID_SIGNALING:
6903 l2cap_sig_channel(conn, skb);
6904 break;
6905
6906 case L2CAP_CID_CONN_LESS:
6907 psm = get_unaligned((__le16 *) skb->data);
6908 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6909 l2cap_conless_channel(conn, psm, skb);
6910 break;
6911
6912 case L2CAP_CID_LE_SIGNALING:
6913 l2cap_le_sig_channel(conn, skb);
6914 break;
6915
6916 default:
6917 l2cap_data_channel(conn, cid, skb);
6918 break;
6919 }
6920}
6921
6922static void process_pending_rx(struct work_struct *work)
6923{
6924 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6925 pending_rx_work);
6926 struct sk_buff *skb;
6927
6928 BT_DBG("");
6929
6930 while ((skb = skb_dequeue(&conn->pending_rx)))
6931 l2cap_recv_frame(conn, skb);
6932}
6933
6934static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6935{
6936 struct l2cap_conn *conn = hcon->l2cap_data;
6937 struct hci_chan *hchan;
6938
6939 if (conn)
6940 return conn;
6941
6942 hchan = hci_chan_create(hcon);
6943 if (!hchan)
6944 return NULL;
6945
6946 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6947 if (!conn) {
6948 hci_chan_del(hchan);
6949 return NULL;
6950 }
6951
6952 kref_init(&conn->ref);
6953 hcon->l2cap_data = conn;
6954 conn->hcon = hci_conn_get(hcon);
6955 conn->hchan = hchan;
6956
6957 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6958
6959 switch (hcon->type) {
6960 case LE_LINK:
6961 if (hcon->hdev->le_mtu) {
6962 conn->mtu = hcon->hdev->le_mtu;
6963 break;
6964 }
6965
6966 default:
6967 conn->mtu = hcon->hdev->acl_mtu;
6968 break;
6969 }
6970
6971 conn->feat_mask = 0;
6972
6973 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6974
6975 if (hcon->type == ACL_LINK &&
6976 test_bit(HCI_HS_ENABLED, &hcon->hdev->dev_flags))
6977 conn->local_fixed_chan |= L2CAP_FC_A2MP;
6978
6979 if (test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags) &&
6980 (bredr_sc_enabled(hcon->hdev) ||
6981 test_bit(HCI_FORCE_BREDR_SMP, &hcon->hdev->dbg_flags)))
6982 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6983
6984 mutex_init(&conn->ident_lock);
6985 mutex_init(&conn->chan_lock);
6986
6987 INIT_LIST_HEAD(&conn->chan_l);
6988 INIT_LIST_HEAD(&conn->users);
6989
6990 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6991
6992 skb_queue_head_init(&conn->pending_rx);
6993 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6994 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
6995
6996 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6997
6998 return conn;
6999}
7000
7001static bool is_valid_psm(u16 psm, u8 dst_type) {
7002 if (!psm)
7003 return false;
7004
7005 if (bdaddr_type_is_le(dst_type))
7006 return (psm <= 0x00ff);
7007
7008
7009 return ((psm & 0x0101) == 0x0001);
7010}
7011
7012int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7013 bdaddr_t *dst, u8 dst_type)
7014{
7015 struct l2cap_conn *conn;
7016 struct hci_conn *hcon;
7017 struct hci_dev *hdev;
7018 int err;
7019
7020 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7021 dst_type, __le16_to_cpu(psm));
7022
7023 hdev = hci_get_route(dst, &chan->src);
7024 if (!hdev)
7025 return -EHOSTUNREACH;
7026
7027 hci_dev_lock(hdev);
7028
7029 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7030 chan->chan_type != L2CAP_CHAN_RAW) {
7031 err = -EINVAL;
7032 goto done;
7033 }
7034
7035 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7036 err = -EINVAL;
7037 goto done;
7038 }
7039
7040 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7041 err = -EINVAL;
7042 goto done;
7043 }
7044
7045 switch (chan->mode) {
7046 case L2CAP_MODE_BASIC:
7047 break;
7048 case L2CAP_MODE_LE_FLOWCTL:
7049 l2cap_le_flowctl_init(chan);
7050 break;
7051 case L2CAP_MODE_ERTM:
7052 case L2CAP_MODE_STREAMING:
7053 if (!disable_ertm)
7054 break;
7055
7056 default:
7057 err = -EOPNOTSUPP;
7058 goto done;
7059 }
7060
7061 switch (chan->state) {
7062 case BT_CONNECT:
7063 case BT_CONNECT2:
7064 case BT_CONFIG:
7065
7066 err = 0;
7067 goto done;
7068
7069 case BT_CONNECTED:
7070
7071 err = -EISCONN;
7072 goto done;
7073
7074 case BT_OPEN:
7075 case BT_BOUND:
7076
7077 break;
7078
7079 default:
7080 err = -EBADFD;
7081 goto done;
7082 }
7083
7084
7085 bacpy(&chan->dst, dst);
7086 chan->dst_type = dst_type;
7087
7088 chan->psm = psm;
7089 chan->dcid = cid;
7090
7091 if (bdaddr_type_is_le(dst_type)) {
7092 u8 role;
7093
7094
7095
7096 if (dst_type == BDADDR_LE_PUBLIC)
7097 dst_type = ADDR_LE_DEV_PUBLIC;
7098 else
7099 dst_type = ADDR_LE_DEV_RANDOM;
7100
7101 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7102 role = HCI_ROLE_SLAVE;
7103 else
7104 role = HCI_ROLE_MASTER;
7105
7106 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
7107 HCI_LE_CONN_TIMEOUT, role);
7108 } else {
7109 u8 auth_type = l2cap_get_auth_type(chan);
7110 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7111 }
7112
7113 if (IS_ERR(hcon)) {
7114 err = PTR_ERR(hcon);
7115 goto done;
7116 }
7117
7118 conn = l2cap_conn_add(hcon);
7119 if (!conn) {
7120 hci_conn_drop(hcon);
7121 err = -ENOMEM;
7122 goto done;
7123 }
7124
7125 mutex_lock(&conn->chan_lock);
7126 l2cap_chan_lock(chan);
7127
7128 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7129 hci_conn_drop(hcon);
7130 err = -EBUSY;
7131 goto chan_unlock;
7132 }
7133
7134
7135 bacpy(&chan->src, &hcon->src);
7136 chan->src_type = bdaddr_src_type(hcon);
7137
7138 __l2cap_chan_add(conn, chan);
7139
7140
7141 hci_conn_drop(hcon);
7142
7143 l2cap_state_change(chan, BT_CONNECT);
7144 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7145
7146
7147
7148
7149 write_lock(&chan_list_lock);
7150 chan->sport = 0;
7151 write_unlock(&chan_list_lock);
7152
7153 if (hcon->state == BT_CONNECTED) {
7154 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7155 __clear_chan_timer(chan);
7156 if (l2cap_chan_check_security(chan, true))
7157 l2cap_state_change(chan, BT_CONNECTED);
7158 } else
7159 l2cap_do_start(chan);
7160 }
7161
7162 err = 0;
7163
7164chan_unlock:
7165 l2cap_chan_unlock(chan);
7166 mutex_unlock(&conn->chan_lock);
7167done:
7168 hci_dev_unlock(hdev);
7169 hci_dev_put(hdev);
7170 return err;
7171}
7172EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7173
7174
7175
7176int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7177{
7178 int exact = 0, lm1 = 0, lm2 = 0;
7179 struct l2cap_chan *c;
7180
7181 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7182
7183
7184 read_lock(&chan_list_lock);
7185 list_for_each_entry(c, &chan_list, global_l) {
7186 if (c->state != BT_LISTEN)
7187 continue;
7188
7189 if (!bacmp(&c->src, &hdev->bdaddr)) {
7190 lm1 |= HCI_LM_ACCEPT;
7191 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7192 lm1 |= HCI_LM_MASTER;
7193 exact++;
7194 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7195 lm2 |= HCI_LM_ACCEPT;
7196 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7197 lm2 |= HCI_LM_MASTER;
7198 }
7199 }
7200 read_unlock(&chan_list_lock);
7201
7202 return exact ? lm1 : lm2;
7203}
7204
7205
7206
7207
7208
7209static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7210 struct hci_conn *hcon)
7211{
7212 u8 src_type = bdaddr_src_type(hcon);
7213
7214 read_lock(&chan_list_lock);
7215
7216 if (c)
7217 c = list_next_entry(c, global_l);
7218 else
7219 c = list_entry(chan_list.next, typeof(*c), global_l);
7220
7221 list_for_each_entry_from(c, &chan_list, global_l) {
7222 if (c->chan_type != L2CAP_CHAN_FIXED)
7223 continue;
7224 if (c->state != BT_LISTEN)
7225 continue;
7226 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7227 continue;
7228 if (src_type != c->src_type)
7229 continue;
7230
7231 l2cap_chan_hold(c);
7232 read_unlock(&chan_list_lock);
7233 return c;
7234 }
7235
7236 read_unlock(&chan_list_lock);
7237
7238 return NULL;
7239}
7240
7241void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7242{
7243 struct hci_dev *hdev = hcon->hdev;
7244 struct l2cap_conn *conn;
7245 struct l2cap_chan *pchan;
7246 u8 dst_type;
7247
7248 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7249
7250 if (status) {
7251 l2cap_conn_del(hcon, bt_to_errno(status));
7252 return;
7253 }
7254
7255 conn = l2cap_conn_add(hcon);
7256 if (!conn)
7257 return;
7258
7259 dst_type = bdaddr_dst_type(hcon);
7260
7261
7262 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7263 return;
7264
7265
7266
7267
7268
7269
7270 pchan = l2cap_global_fixed_chan(NULL, hcon);
7271 while (pchan) {
7272 struct l2cap_chan *chan, *next;
7273
7274
7275 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7276 goto next;
7277
7278 l2cap_chan_lock(pchan);
7279 chan = pchan->ops->new_connection(pchan);
7280 if (chan) {
7281 bacpy(&chan->src, &hcon->src);
7282 bacpy(&chan->dst, &hcon->dst);
7283 chan->src_type = bdaddr_src_type(hcon);
7284 chan->dst_type = dst_type;
7285
7286 __l2cap_chan_add(conn, chan);
7287 }
7288
7289 l2cap_chan_unlock(pchan);
7290next:
7291 next = l2cap_global_fixed_chan(pchan, hcon);
7292 l2cap_chan_put(pchan);
7293 pchan = next;
7294 }
7295
7296 l2cap_conn_ready(conn);
7297}
7298
7299int l2cap_disconn_ind(struct hci_conn *hcon)
7300{
7301 struct l2cap_conn *conn = hcon->l2cap_data;
7302
7303 BT_DBG("hcon %p", hcon);
7304
7305 if (!conn)
7306 return HCI_ERROR_REMOTE_USER_TERM;
7307 return conn->disc_reason;
7308}
7309
7310void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7311{
7312 BT_DBG("hcon %p reason %d", hcon, reason);
7313
7314 l2cap_conn_del(hcon, bt_to_errno(reason));
7315}
7316
7317static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7318{
7319 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7320 return;
7321
7322 if (encrypt == 0x00) {
7323 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7324 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7325 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7326 chan->sec_level == BT_SECURITY_FIPS)
7327 l2cap_chan_close(chan, ECONNREFUSED);
7328 } else {
7329 if (chan->sec_level == BT_SECURITY_MEDIUM)
7330 __clear_chan_timer(chan);
7331 }
7332}
7333
7334int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7335{
7336 struct l2cap_conn *conn = hcon->l2cap_data;
7337 struct l2cap_chan *chan;
7338
7339 if (!conn)
7340 return 0;
7341
7342 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7343
7344 mutex_lock(&conn->chan_lock);
7345
7346 list_for_each_entry(chan, &conn->chan_l, list) {
7347 l2cap_chan_lock(chan);
7348
7349 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7350 state_to_string(chan->state));
7351
7352 if (chan->scid == L2CAP_CID_A2MP) {
7353 l2cap_chan_unlock(chan);
7354 continue;
7355 }
7356
7357 if (!status && encrypt)
7358 chan->sec_level = hcon->sec_level;
7359
7360 if (!__l2cap_no_conn_pending(chan)) {
7361 l2cap_chan_unlock(chan);
7362 continue;
7363 }
7364
7365 if (!status && (chan->state == BT_CONNECTED ||
7366 chan->state == BT_CONFIG)) {
7367 chan->ops->resume(chan);
7368 l2cap_check_encryption(chan, encrypt);
7369 l2cap_chan_unlock(chan);
7370 continue;
7371 }
7372
7373 if (chan->state == BT_CONNECT) {
7374 if (!status)
7375 l2cap_start_connection(chan);
7376 else
7377 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7378 } else if (chan->state == BT_CONNECT2 &&
7379 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7380 struct l2cap_conn_rsp rsp;
7381 __u16 res, stat;
7382
7383 if (!status) {
7384 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7385 res = L2CAP_CR_PEND;
7386 stat = L2CAP_CS_AUTHOR_PEND;
7387 chan->ops->defer(chan);
7388 } else {
7389 l2cap_state_change(chan, BT_CONFIG);
7390 res = L2CAP_CR_SUCCESS;
7391 stat = L2CAP_CS_NO_INFO;
7392 }
7393 } else {
7394 l2cap_state_change(chan, BT_DISCONN);
7395 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7396 res = L2CAP_CR_SEC_BLOCK;
7397 stat = L2CAP_CS_NO_INFO;
7398 }
7399
7400 rsp.scid = cpu_to_le16(chan->dcid);
7401 rsp.dcid = cpu_to_le16(chan->scid);
7402 rsp.result = cpu_to_le16(res);
7403 rsp.status = cpu_to_le16(stat);
7404 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7405 sizeof(rsp), &rsp);
7406
7407 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7408 res == L2CAP_CR_SUCCESS) {
7409 char buf[128];
7410 set_bit(CONF_REQ_SENT, &chan->conf_state);
7411 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7412 L2CAP_CONF_REQ,
7413 l2cap_build_conf_req(chan, buf),
7414 buf);
7415 chan->num_conf_req++;
7416 }
7417 }
7418
7419 l2cap_chan_unlock(chan);
7420 }
7421
7422 mutex_unlock(&conn->chan_lock);
7423
7424 return 0;
7425}
7426
7427int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7428{
7429 struct l2cap_conn *conn = hcon->l2cap_data;
7430 struct l2cap_hdr *hdr;
7431 int len;
7432
7433
7434 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7435 goto drop;
7436
7437 if (!conn)
7438 conn = l2cap_conn_add(hcon);
7439
7440 if (!conn)
7441 goto drop;
7442
7443 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7444
7445 switch (flags) {
7446 case ACL_START:
7447 case ACL_START_NO_FLUSH:
7448 case ACL_COMPLETE:
7449 if (conn->rx_len) {
7450 BT_ERR("Unexpected start frame (len %d)", skb->len);
7451 kfree_skb(conn->rx_skb);
7452 conn->rx_skb = NULL;
7453 conn->rx_len = 0;
7454 l2cap_conn_unreliable(conn, ECOMM);
7455 }
7456
7457
7458 if (skb->len < L2CAP_HDR_SIZE) {
7459 BT_ERR("Frame is too short (len %d)", skb->len);
7460 l2cap_conn_unreliable(conn, ECOMM);
7461 goto drop;
7462 }
7463
7464 hdr = (struct l2cap_hdr *) skb->data;
7465 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7466
7467 if (len == skb->len) {
7468
7469 l2cap_recv_frame(conn, skb);
7470 return 0;
7471 }
7472
7473 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7474
7475 if (skb->len > len) {
7476 BT_ERR("Frame is too long (len %d, expected len %d)",
7477 skb->len, len);
7478 l2cap_conn_unreliable(conn, ECOMM);
7479 goto drop;
7480 }
7481
7482
7483 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7484 if (!conn->rx_skb)
7485 goto drop;
7486
7487 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7488 skb->len);
7489 conn->rx_len = len - skb->len;
7490 break;
7491
7492 case ACL_CONT:
7493 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7494
7495 if (!conn->rx_len) {
7496 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7497 l2cap_conn_unreliable(conn, ECOMM);
7498 goto drop;
7499 }
7500
7501 if (skb->len > conn->rx_len) {
7502 BT_ERR("Fragment is too long (len %d, expected %d)",
7503 skb->len, conn->rx_len);
7504 kfree_skb(conn->rx_skb);
7505 conn->rx_skb = NULL;
7506 conn->rx_len = 0;
7507 l2cap_conn_unreliable(conn, ECOMM);
7508 goto drop;
7509 }
7510
7511 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7512 skb->len);
7513 conn->rx_len -= skb->len;
7514
7515 if (!conn->rx_len) {
7516
7517
7518
7519
7520 struct sk_buff *rx_skb = conn->rx_skb;
7521 conn->rx_skb = NULL;
7522 l2cap_recv_frame(conn, rx_skb);
7523 }
7524 break;
7525 }
7526
7527drop:
7528 kfree_skb(skb);
7529 return 0;
7530}
7531
7532static int l2cap_debugfs_show(struct seq_file *f, void *p)
7533{
7534 struct l2cap_chan *c;
7535
7536 read_lock(&chan_list_lock);
7537
7538 list_for_each_entry(c, &chan_list, global_l) {
7539 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7540 &c->src, c->src_type, &c->dst, c->dst_type,
7541 c->state, __le16_to_cpu(c->psm),
7542 c->scid, c->dcid, c->imtu, c->omtu,
7543 c->sec_level, c->mode);
7544 }
7545
7546 read_unlock(&chan_list_lock);
7547
7548 return 0;
7549}
7550
7551static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7552{
7553 return single_open(file, l2cap_debugfs_show, inode->i_private);
7554}
7555
7556static const struct file_operations l2cap_debugfs_fops = {
7557 .open = l2cap_debugfs_open,
7558 .read = seq_read,
7559 .llseek = seq_lseek,
7560 .release = single_release,
7561};
7562
7563static struct dentry *l2cap_debugfs;
7564
7565int __init l2cap_init(void)
7566{
7567 int err;
7568
7569 err = l2cap_init_sockets();
7570 if (err < 0)
7571 return err;
7572
7573 if (IS_ERR_OR_NULL(bt_debugfs))
7574 return 0;
7575
7576 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7577 NULL, &l2cap_debugfs_fops);
7578
7579 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7580 &le_max_credits);
7581 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7582 &le_default_mps);
7583
7584 return 0;
7585}
7586
7587void l2cap_exit(void)
7588{
7589 debugfs_remove(l2cap_debugfs);
7590 l2cap_cleanup_sockets();
7591}
7592
7593module_param(disable_ertm, bool, 0644);
7594MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7595
