1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31#include <linux/module.h>
32
33#include <linux/debugfs.h>
34#include <linux/crc16.h>
35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
39
40#include "smp.h"
41#include "a2mp.h"
42#include "amp.h"
43
44#define LE_FLOWCTL_MAX_CREDITS 65535
45
46bool disable_ertm;
47
48static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
49
50static LIST_HEAD(chan_list);
51static DEFINE_RWLOCK(chan_list_lock);
52
53static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
55
56static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
57 u8 code, u8 ident, u16 dlen, void *data);
58static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 void *data);
60static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
61static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62
63static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
64 struct sk_buff_head *skbs, u8 event);
65
66static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67{
68 if (link_type == LE_LINK) {
69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76}
77
78static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79{
80 return bdaddr_type(hcon->type, hcon->src_type);
81}
82
83static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84{
85 return bdaddr_type(hcon->type, hcon->dst_type);
86}
87
88
89
90static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
91 u16 cid)
92{
93 struct l2cap_chan *c;
94
95 list_for_each_entry(c, &conn->chan_l, list) {
96 if (c->dcid == cid)
97 return c;
98 }
99 return NULL;
100}
101
102static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
104{
105 struct l2cap_chan *c;
106
107 list_for_each_entry(c, &conn->chan_l, list) {
108 if (c->scid == cid)
109 return c;
110 }
111 return NULL;
112}
113
114
115
116static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
117 u16 cid)
118{
119 struct l2cap_chan *c;
120
121 mutex_lock(&conn->chan_lock);
122 c = __l2cap_get_chan_by_scid(conn, cid);
123 if (c)
124 l2cap_chan_lock(c);
125 mutex_unlock(&conn->chan_lock);
126
127 return c;
128}
129
130
131
132
133static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
134 u16 cid)
135{
136 struct l2cap_chan *c;
137
138 mutex_lock(&conn->chan_lock);
139 c = __l2cap_get_chan_by_dcid(conn, cid);
140 if (c)
141 l2cap_chan_lock(c);
142 mutex_unlock(&conn->chan_lock);
143
144 return c;
145}
146
147static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
148 u8 ident)
149{
150 struct l2cap_chan *c;
151
152 list_for_each_entry(c, &conn->chan_l, list) {
153 if (c->ident == ident)
154 return c;
155 }
156 return NULL;
157}
158
159static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
160 u8 ident)
161{
162 struct l2cap_chan *c;
163
164 mutex_lock(&conn->chan_lock);
165 c = __l2cap_get_chan_by_ident(conn, ident);
166 if (c)
167 l2cap_chan_lock(c);
168 mutex_unlock(&conn->chan_lock);
169
170 return c;
171}
172
173static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
174{
175 struct l2cap_chan *c;
176
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (c->sport == psm && !bacmp(&c->src, src))
179 return c;
180 }
181 return NULL;
182}
183
184int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
185{
186 int err;
187
188 write_lock(&chan_list_lock);
189
190 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
191 err = -EADDRINUSE;
192 goto done;
193 }
194
195 if (psm) {
196 chan->psm = psm;
197 chan->sport = psm;
198 err = 0;
199 } else {
200 u16 p;
201
202 err = -EINVAL;
203 for (p = 0x1001; p < 0x1100; p += 2)
204 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
205 chan->psm = cpu_to_le16(p);
206 chan->sport = cpu_to_le16(p);
207 err = 0;
208 break;
209 }
210 }
211
212done:
213 write_unlock(&chan_list_lock);
214 return err;
215}
216EXPORT_SYMBOL_GPL(l2cap_add_psm);
217
218int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
219{
220 write_lock(&chan_list_lock);
221
222
223 chan->omtu = L2CAP_DEFAULT_MTU;
224 chan->chan_type = L2CAP_CHAN_FIXED;
225
226 chan->scid = scid;
227
228 write_unlock(&chan_list_lock);
229
230 return 0;
231}
232
233static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
234{
235 u16 cid, dyn_end;
236
237 if (conn->hcon->type == LE_LINK)
238 dyn_end = L2CAP_CID_LE_DYN_END;
239 else
240 dyn_end = L2CAP_CID_DYN_END;
241
242 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
243 if (!__l2cap_get_chan_by_scid(conn, cid))
244 return cid;
245 }
246
247 return 0;
248}
249
250static void l2cap_state_change(struct l2cap_chan *chan, int state)
251{
252 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
253 state_to_string(state));
254
255 chan->state = state;
256 chan->ops->state_change(chan, state, 0);
257}
258
259static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
260 int state, int err)
261{
262 chan->state = state;
263 chan->ops->state_change(chan, chan->state, err);
264}
265
266static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
267{
268 chan->ops->state_change(chan, chan->state, err);
269}
270
271static void __set_retrans_timer(struct l2cap_chan *chan)
272{
273 if (!delayed_work_pending(&chan->monitor_timer) &&
274 chan->retrans_timeout) {
275 l2cap_set_timer(chan, &chan->retrans_timer,
276 msecs_to_jiffies(chan->retrans_timeout));
277 }
278}
279
280static void __set_monitor_timer(struct l2cap_chan *chan)
281{
282 __clear_retrans_timer(chan);
283 if (chan->monitor_timeout) {
284 l2cap_set_timer(chan, &chan->monitor_timer,
285 msecs_to_jiffies(chan->monitor_timeout));
286 }
287}
288
289static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
290 u16 seq)
291{
292 struct sk_buff *skb;
293
294 skb_queue_walk(head, skb) {
295 if (bt_cb(skb)->l2cap.txseq == seq)
296 return skb;
297 }
298
299 return NULL;
300}
301
302
303
304
305
306
307
308
309
310
311
312
313static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
314{
315 size_t alloc_size, i;
316
317
318
319
320
321 alloc_size = roundup_pow_of_two(size);
322
323 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
324 if (!seq_list->list)
325 return -ENOMEM;
326
327 seq_list->mask = alloc_size - 1;
328 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
329 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
330 for (i = 0; i < alloc_size; i++)
331 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
332
333 return 0;
334}
335
336static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
337{
338 kfree(seq_list->list);
339}
340
341static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
342 u16 seq)
343{
344
345 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
346}
347
348static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
349{
350 u16 seq = seq_list->head;
351 u16 mask = seq_list->mask;
352
353 seq_list->head = seq_list->list[seq & mask];
354 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
355
356 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
357 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
358 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
359 }
360
361 return seq;
362}
363
364static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
365{
366 u16 i;
367
368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
369 return;
370
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
373
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
376}
377
378static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
379{
380 u16 mask = seq_list->mask;
381
382
383
384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
385 return;
386
387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
389 else
390 seq_list->list[seq_list->tail & mask] = seq;
391
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
394}
395
396static void l2cap_chan_timeout(struct work_struct *work)
397{
398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
399 chan_timer.work);
400 struct l2cap_conn *conn = chan->conn;
401 int reason;
402
403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
404
405 mutex_lock(&conn->chan_lock);
406 l2cap_chan_lock(chan);
407
408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
409 reason = ECONNREFUSED;
410 else if (chan->state == BT_CONNECT &&
411 chan->sec_level != BT_SECURITY_SDP)
412 reason = ECONNREFUSED;
413 else
414 reason = ETIMEDOUT;
415
416 l2cap_chan_close(chan, reason);
417
418 l2cap_chan_unlock(chan);
419
420 chan->ops->close(chan);
421 mutex_unlock(&conn->chan_lock);
422
423 l2cap_chan_put(chan);
424}
425
426struct l2cap_chan *l2cap_chan_create(void)
427{
428 struct l2cap_chan *chan;
429
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
431 if (!chan)
432 return NULL;
433
434 mutex_init(&chan->lock);
435
436
437 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
438
439 write_lock(&chan_list_lock);
440 list_add(&chan->global_l, &chan_list);
441 write_unlock(&chan_list_lock);
442
443 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
444
445 chan->state = BT_OPEN;
446
447 kref_init(&chan->kref);
448
449
450 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
451
452 BT_DBG("chan %p", chan);
453
454 return chan;
455}
456EXPORT_SYMBOL_GPL(l2cap_chan_create);
457
458static void l2cap_chan_destroy(struct kref *kref)
459{
460 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
461
462 BT_DBG("chan %p", chan);
463
464 write_lock(&chan_list_lock);
465 list_del(&chan->global_l);
466 write_unlock(&chan_list_lock);
467
468 kfree(chan);
469}
470
471void l2cap_chan_hold(struct l2cap_chan *c)
472{
473 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
474
475 kref_get(&c->kref);
476}
477
478void l2cap_chan_put(struct l2cap_chan *c)
479{
480 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
481
482 kref_put(&c->kref, l2cap_chan_destroy);
483}
484EXPORT_SYMBOL_GPL(l2cap_chan_put);
485
486void l2cap_chan_set_defaults(struct l2cap_chan *chan)
487{
488 chan->fcs = L2CAP_FCS_CRC16;
489 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
490 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
491 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
492 chan->remote_max_tx = chan->max_tx;
493 chan->remote_tx_win = chan->tx_win;
494 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
495 chan->sec_level = BT_SECURITY_LOW;
496 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
497 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
498 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
499 chan->conf_state = 0;
500
501 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
502}
503EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
504
505static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
506{
507 chan->sdu = NULL;
508 chan->sdu_last_frag = NULL;
509 chan->sdu_len = 0;
510 chan->tx_credits = 0;
511 chan->rx_credits = le_max_credits;
512 chan->mps = min_t(u16, chan->imtu, le_default_mps);
513
514 skb_queue_head_init(&chan->tx_q);
515}
516
517void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
518{
519 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
520 __le16_to_cpu(chan->psm), chan->dcid);
521
522 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
523
524 chan->conn = conn;
525
526 switch (chan->chan_type) {
527 case L2CAP_CHAN_CONN_ORIENTED:
528
529 chan->scid = l2cap_alloc_cid(conn);
530 if (conn->hcon->type == ACL_LINK)
531 chan->omtu = L2CAP_DEFAULT_MTU;
532 break;
533
534 case L2CAP_CHAN_CONN_LESS:
535
536 chan->scid = L2CAP_CID_CONN_LESS;
537 chan->dcid = L2CAP_CID_CONN_LESS;
538 chan->omtu = L2CAP_DEFAULT_MTU;
539 break;
540
541 case L2CAP_CHAN_FIXED:
542
543 break;
544
545 default:
546
547 chan->scid = L2CAP_CID_SIGNALING;
548 chan->dcid = L2CAP_CID_SIGNALING;
549 chan->omtu = L2CAP_DEFAULT_MTU;
550 }
551
552 chan->local_id = L2CAP_BESTEFFORT_ID;
553 chan->local_stype = L2CAP_SERV_BESTEFFORT;
554 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
555 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
556 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
557 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
558
559 l2cap_chan_hold(chan);
560
561
562 if (chan->chan_type != L2CAP_CHAN_FIXED ||
563 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
564 hci_conn_hold(conn->hcon);
565
566 list_add(&chan->list, &conn->chan_l);
567}
568
569void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
570{
571 mutex_lock(&conn->chan_lock);
572 __l2cap_chan_add(conn, chan);
573 mutex_unlock(&conn->chan_lock);
574}
575
576void l2cap_chan_del(struct l2cap_chan *chan, int err)
577{
578 struct l2cap_conn *conn = chan->conn;
579
580 __clear_chan_timer(chan);
581
582 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
583 state_to_string(chan->state));
584
585 chan->ops->teardown(chan, err);
586
587 if (conn) {
588 struct amp_mgr *mgr = conn->hcon->amp_mgr;
589
590 list_del(&chan->list);
591
592 l2cap_chan_put(chan);
593
594 chan->conn = NULL;
595
596
597
598
599
600 if (chan->chan_type != L2CAP_CHAN_FIXED ||
601 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
602 hci_conn_drop(conn->hcon);
603
604 if (mgr && mgr->bredr_chan == chan)
605 mgr->bredr_chan = NULL;
606 }
607
608 if (chan->hs_hchan) {
609 struct hci_chan *hs_hchan = chan->hs_hchan;
610
611 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
612 amp_disconnect_logical_link(hs_hchan);
613 }
614
615 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
616 return;
617
618 switch(chan->mode) {
619 case L2CAP_MODE_BASIC:
620 break;
621
622 case L2CAP_MODE_LE_FLOWCTL:
623 skb_queue_purge(&chan->tx_q);
624 break;
625
626 case L2CAP_MODE_ERTM:
627 __clear_retrans_timer(chan);
628 __clear_monitor_timer(chan);
629 __clear_ack_timer(chan);
630
631 skb_queue_purge(&chan->srej_q);
632
633 l2cap_seq_list_free(&chan->srej_list);
634 l2cap_seq_list_free(&chan->retrans_list);
635
636
637
638 case L2CAP_MODE_STREAMING:
639 skb_queue_purge(&chan->tx_q);
640 break;
641 }
642
643 return;
644}
645EXPORT_SYMBOL_GPL(l2cap_chan_del);
646
647static void l2cap_conn_update_id_addr(struct work_struct *work)
648{
649 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
650 id_addr_update_work);
651 struct hci_conn *hcon = conn->hcon;
652 struct l2cap_chan *chan;
653
654 mutex_lock(&conn->chan_lock);
655
656 list_for_each_entry(chan, &conn->chan_l, list) {
657 l2cap_chan_lock(chan);
658 bacpy(&chan->dst, &hcon->dst);
659 chan->dst_type = bdaddr_dst_type(hcon);
660 l2cap_chan_unlock(chan);
661 }
662
663 mutex_unlock(&conn->chan_lock);
664}
665
666static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
667{
668 struct l2cap_conn *conn = chan->conn;
669 struct l2cap_le_conn_rsp rsp;
670 u16 result;
671
672 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
673 result = L2CAP_CR_AUTHORIZATION;
674 else
675 result = L2CAP_CR_BAD_PSM;
676
677 l2cap_state_change(chan, BT_DISCONN);
678
679 rsp.dcid = cpu_to_le16(chan->scid);
680 rsp.mtu = cpu_to_le16(chan->imtu);
681 rsp.mps = cpu_to_le16(chan->mps);
682 rsp.credits = cpu_to_le16(chan->rx_credits);
683 rsp.result = cpu_to_le16(result);
684
685 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
686 &rsp);
687}
688
689static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
690{
691 struct l2cap_conn *conn = chan->conn;
692 struct l2cap_conn_rsp rsp;
693 u16 result;
694
695 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
696 result = L2CAP_CR_SEC_BLOCK;
697 else
698 result = L2CAP_CR_BAD_PSM;
699
700 l2cap_state_change(chan, BT_DISCONN);
701
702 rsp.scid = cpu_to_le16(chan->dcid);
703 rsp.dcid = cpu_to_le16(chan->scid);
704 rsp.result = cpu_to_le16(result);
705 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
706
707 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
708}
709
710void l2cap_chan_close(struct l2cap_chan *chan, int reason)
711{
712 struct l2cap_conn *conn = chan->conn;
713
714 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
715
716 switch (chan->state) {
717 case BT_LISTEN:
718 chan->ops->teardown(chan, 0);
719 break;
720
721 case BT_CONNECTED:
722 case BT_CONFIG:
723 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
724 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
725 l2cap_send_disconn_req(chan, reason);
726 } else
727 l2cap_chan_del(chan, reason);
728 break;
729
730 case BT_CONNECT2:
731 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
732 if (conn->hcon->type == ACL_LINK)
733 l2cap_chan_connect_reject(chan);
734 else if (conn->hcon->type == LE_LINK)
735 l2cap_chan_le_connect_reject(chan);
736 }
737
738 l2cap_chan_del(chan, reason);
739 break;
740
741 case BT_CONNECT:
742 case BT_DISCONN:
743 l2cap_chan_del(chan, reason);
744 break;
745
746 default:
747 chan->ops->teardown(chan, 0);
748 break;
749 }
750}
751EXPORT_SYMBOL(l2cap_chan_close);
752
753static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
754{
755 switch (chan->chan_type) {
756 case L2CAP_CHAN_RAW:
757 switch (chan->sec_level) {
758 case BT_SECURITY_HIGH:
759 case BT_SECURITY_FIPS:
760 return HCI_AT_DEDICATED_BONDING_MITM;
761 case BT_SECURITY_MEDIUM:
762 return HCI_AT_DEDICATED_BONDING;
763 default:
764 return HCI_AT_NO_BONDING;
765 }
766 break;
767 case L2CAP_CHAN_CONN_LESS:
768 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
769 if (chan->sec_level == BT_SECURITY_LOW)
770 chan->sec_level = BT_SECURITY_SDP;
771 }
772 if (chan->sec_level == BT_SECURITY_HIGH ||
773 chan->sec_level == BT_SECURITY_FIPS)
774 return HCI_AT_NO_BONDING_MITM;
775 else
776 return HCI_AT_NO_BONDING;
777 break;
778 case L2CAP_CHAN_CONN_ORIENTED:
779 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
780 if (chan->sec_level == BT_SECURITY_LOW)
781 chan->sec_level = BT_SECURITY_SDP;
782
783 if (chan->sec_level == BT_SECURITY_HIGH ||
784 chan->sec_level == BT_SECURITY_FIPS)
785 return HCI_AT_NO_BONDING_MITM;
786 else
787 return HCI_AT_NO_BONDING;
788 }
789
790 default:
791 switch (chan->sec_level) {
792 case BT_SECURITY_HIGH:
793 case BT_SECURITY_FIPS:
794 return HCI_AT_GENERAL_BONDING_MITM;
795 case BT_SECURITY_MEDIUM:
796 return HCI_AT_GENERAL_BONDING;
797 default:
798 return HCI_AT_NO_BONDING;
799 }
800 break;
801 }
802}
803
804
805int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
806{
807 struct l2cap_conn *conn = chan->conn;
808 __u8 auth_type;
809
810 if (conn->hcon->type == LE_LINK)
811 return smp_conn_security(conn->hcon, chan->sec_level);
812
813 auth_type = l2cap_get_auth_type(chan);
814
815 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
816 initiator);
817}
818
819static u8 l2cap_get_ident(struct l2cap_conn *conn)
820{
821 u8 id;
822
823
824
825
826
827
828
829 mutex_lock(&conn->ident_lock);
830
831 if (++conn->tx_ident > 128)
832 conn->tx_ident = 1;
833
834 id = conn->tx_ident;
835
836 mutex_unlock(&conn->ident_lock);
837
838 return id;
839}
840
841static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
842 void *data)
843{
844 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
845 u8 flags;
846
847 BT_DBG("code 0x%2.2x", code);
848
849 if (!skb)
850 return;
851
852
853
854 if (lmp_no_flush_capable(conn->hcon->hdev) ||
855 conn->hcon->type == LE_LINK)
856 flags = ACL_START_NO_FLUSH;
857 else
858 flags = ACL_START;
859
860 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
861 skb->priority = HCI_PRIO_MAX;
862
863 hci_send_acl(conn->hchan, skb, flags);
864}
865
866static bool __chan_is_moving(struct l2cap_chan *chan)
867{
868 return chan->move_state != L2CAP_MOVE_STABLE &&
869 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
870}
871
872static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
873{
874 struct hci_conn *hcon = chan->conn->hcon;
875 u16 flags;
876
877 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
878 skb->priority);
879
880 if (chan->hs_hcon && !__chan_is_moving(chan)) {
881 if (chan->hs_hchan)
882 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
883 else
884 kfree_skb(skb);
885
886 return;
887 }
888
889
890
891
892
893 if (hcon->type == LE_LINK ||
894 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
895 lmp_no_flush_capable(hcon->hdev)))
896 flags = ACL_START_NO_FLUSH;
897 else
898 flags = ACL_START;
899
900 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
901 hci_send_acl(chan->conn->hchan, skb, flags);
902}
903
904static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
905{
906 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
907 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
908
909 if (enh & L2CAP_CTRL_FRAME_TYPE) {
910
911 control->sframe = 1;
912 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
913 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
914
915 control->sar = 0;
916 control->txseq = 0;
917 } else {
918
919 control->sframe = 0;
920 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
921 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
922
923 control->poll = 0;
924 control->super = 0;
925 }
926}
927
928static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
929{
930 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
931 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
932
933 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
934
935 control->sframe = 1;
936 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
937 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
938
939 control->sar = 0;
940 control->txseq = 0;
941 } else {
942
943 control->sframe = 0;
944 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
945 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
946
947 control->poll = 0;
948 control->super = 0;
949 }
950}
951
952static inline void __unpack_control(struct l2cap_chan *chan,
953 struct sk_buff *skb)
954{
955 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
956 __unpack_extended_control(get_unaligned_le32(skb->data),
957 &bt_cb(skb)->l2cap);
958 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
959 } else {
960 __unpack_enhanced_control(get_unaligned_le16(skb->data),
961 &bt_cb(skb)->l2cap);
962 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
963 }
964}
965
966static u32 __pack_extended_control(struct l2cap_ctrl *control)
967{
968 u32 packed;
969
970 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
971 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
972
973 if (control->sframe) {
974 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
975 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
976 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
977 } else {
978 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
979 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
980 }
981
982 return packed;
983}
984
985static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
986{
987 u16 packed;
988
989 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
990 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
991
992 if (control->sframe) {
993 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
994 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
995 packed |= L2CAP_CTRL_FRAME_TYPE;
996 } else {
997 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
998 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
999 }
1000
1001 return packed;
1002}
1003
1004static inline void __pack_control(struct l2cap_chan *chan,
1005 struct l2cap_ctrl *control,
1006 struct sk_buff *skb)
1007{
1008 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1009 put_unaligned_le32(__pack_extended_control(control),
1010 skb->data + L2CAP_HDR_SIZE);
1011 } else {
1012 put_unaligned_le16(__pack_enhanced_control(control),
1013 skb->data + L2CAP_HDR_SIZE);
1014 }
1015}
1016
1017static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1018{
1019 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1020 return L2CAP_EXT_HDR_SIZE;
1021 else
1022 return L2CAP_ENH_HDR_SIZE;
1023}
1024
1025static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1026 u32 control)
1027{
1028 struct sk_buff *skb;
1029 struct l2cap_hdr *lh;
1030 int hlen = __ertm_hdr_size(chan);
1031
1032 if (chan->fcs == L2CAP_FCS_CRC16)
1033 hlen += L2CAP_FCS_SIZE;
1034
1035 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1036
1037 if (!skb)
1038 return ERR_PTR(-ENOMEM);
1039
1040 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1041 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1042 lh->cid = cpu_to_le16(chan->dcid);
1043
1044 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1045 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1046 else
1047 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1048
1049 if (chan->fcs == L2CAP_FCS_CRC16) {
1050 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1051 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1052 }
1053
1054 skb->priority = HCI_PRIO_MAX;
1055 return skb;
1056}
1057
1058static void l2cap_send_sframe(struct l2cap_chan *chan,
1059 struct l2cap_ctrl *control)
1060{
1061 struct sk_buff *skb;
1062 u32 control_field;
1063
1064 BT_DBG("chan %p, control %p", chan, control);
1065
1066 if (!control->sframe)
1067 return;
1068
1069 if (__chan_is_moving(chan))
1070 return;
1071
1072 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1073 !control->poll)
1074 control->final = 1;
1075
1076 if (control->super == L2CAP_SUPER_RR)
1077 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1078 else if (control->super == L2CAP_SUPER_RNR)
1079 set_bit(CONN_RNR_SENT, &chan->conn_state);
1080
1081 if (control->super != L2CAP_SUPER_SREJ) {
1082 chan->last_acked_seq = control->reqseq;
1083 __clear_ack_timer(chan);
1084 }
1085
1086 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1087 control->final, control->poll, control->super);
1088
1089 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1090 control_field = __pack_extended_control(control);
1091 else
1092 control_field = __pack_enhanced_control(control);
1093
1094 skb = l2cap_create_sframe_pdu(chan, control_field);
1095 if (!IS_ERR(skb))
1096 l2cap_do_send(chan, skb);
1097}
1098
1099static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1100{
1101 struct l2cap_ctrl control;
1102
1103 BT_DBG("chan %p, poll %d", chan, poll);
1104
1105 memset(&control, 0, sizeof(control));
1106 control.sframe = 1;
1107 control.poll = poll;
1108
1109 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1110 control.super = L2CAP_SUPER_RNR;
1111 else
1112 control.super = L2CAP_SUPER_RR;
1113
1114 control.reqseq = chan->buffer_seq;
1115 l2cap_send_sframe(chan, &control);
1116}
1117
1118static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1119{
1120 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1121 return true;
1122
1123 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1124}
1125
1126static bool __amp_capable(struct l2cap_chan *chan)
1127{
1128 struct l2cap_conn *conn = chan->conn;
1129 struct hci_dev *hdev;
1130 bool amp_available = false;
1131
1132 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1133 return false;
1134
1135 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1136 return false;
1137
1138 read_lock(&hci_dev_list_lock);
1139 list_for_each_entry(hdev, &hci_dev_list, list) {
1140 if (hdev->amp_type != AMP_TYPE_BREDR &&
1141 test_bit(HCI_UP, &hdev->flags)) {
1142 amp_available = true;
1143 break;
1144 }
1145 }
1146 read_unlock(&hci_dev_list_lock);
1147
1148 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1149 return amp_available;
1150
1151 return false;
1152}
1153
1154static bool l2cap_check_efs(struct l2cap_chan *chan)
1155{
1156
1157 return true;
1158}
1159
1160void l2cap_send_conn_req(struct l2cap_chan *chan)
1161{
1162 struct l2cap_conn *conn = chan->conn;
1163 struct l2cap_conn_req req;
1164
1165 req.scid = cpu_to_le16(chan->scid);
1166 req.psm = chan->psm;
1167
1168 chan->ident = l2cap_get_ident(conn);
1169
1170 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1171
1172 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1173}
1174
1175static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1176{
1177 struct l2cap_create_chan_req req;
1178 req.scid = cpu_to_le16(chan->scid);
1179 req.psm = chan->psm;
1180 req.amp_id = amp_id;
1181
1182 chan->ident = l2cap_get_ident(chan->conn);
1183
1184 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1185 sizeof(req), &req);
1186}
1187
1188static void l2cap_move_setup(struct l2cap_chan *chan)
1189{
1190 struct sk_buff *skb;
1191
1192 BT_DBG("chan %p", chan);
1193
1194 if (chan->mode != L2CAP_MODE_ERTM)
1195 return;
1196
1197 __clear_retrans_timer(chan);
1198 __clear_monitor_timer(chan);
1199 __clear_ack_timer(chan);
1200
1201 chan->retry_count = 0;
1202 skb_queue_walk(&chan->tx_q, skb) {
1203 if (bt_cb(skb)->l2cap.retries)
1204 bt_cb(skb)->l2cap.retries = 1;
1205 else
1206 break;
1207 }
1208
1209 chan->expected_tx_seq = chan->buffer_seq;
1210
1211 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1212 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1213 l2cap_seq_list_clear(&chan->retrans_list);
1214 l2cap_seq_list_clear(&chan->srej_list);
1215 skb_queue_purge(&chan->srej_q);
1216
1217 chan->tx_state = L2CAP_TX_STATE_XMIT;
1218 chan->rx_state = L2CAP_RX_STATE_MOVE;
1219
1220 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1221}
1222
1223static void l2cap_move_done(struct l2cap_chan *chan)
1224{
1225 u8 move_role = chan->move_role;
1226 BT_DBG("chan %p", chan);
1227
1228 chan->move_state = L2CAP_MOVE_STABLE;
1229 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1230
1231 if (chan->mode != L2CAP_MODE_ERTM)
1232 return;
1233
1234 switch (move_role) {
1235 case L2CAP_MOVE_ROLE_INITIATOR:
1236 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1237 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1238 break;
1239 case L2CAP_MOVE_ROLE_RESPONDER:
1240 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1241 break;
1242 }
1243}
1244
1245static void l2cap_chan_ready(struct l2cap_chan *chan)
1246{
1247
1248
1249
1250
1251 if (chan->state == BT_CONNECTED)
1252 return;
1253
1254
1255 chan->conf_state = 0;
1256 __clear_chan_timer(chan);
1257
1258 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1259 chan->ops->suspend(chan);
1260
1261 chan->state = BT_CONNECTED;
1262
1263 chan->ops->ready(chan);
1264}
1265
1266static void l2cap_le_connect(struct l2cap_chan *chan)
1267{
1268 struct l2cap_conn *conn = chan->conn;
1269 struct l2cap_le_conn_req req;
1270
1271 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1272 return;
1273
1274 req.psm = chan->psm;
1275 req.scid = cpu_to_le16(chan->scid);
1276 req.mtu = cpu_to_le16(chan->imtu);
1277 req.mps = cpu_to_le16(chan->mps);
1278 req.credits = cpu_to_le16(chan->rx_credits);
1279
1280 chan->ident = l2cap_get_ident(conn);
1281
1282 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1283 sizeof(req), &req);
1284}
1285
1286static void l2cap_le_start(struct l2cap_chan *chan)
1287{
1288 struct l2cap_conn *conn = chan->conn;
1289
1290 if (!smp_conn_security(conn->hcon, chan->sec_level))
1291 return;
1292
1293 if (!chan->psm) {
1294 l2cap_chan_ready(chan);
1295 return;
1296 }
1297
1298 if (chan->state == BT_CONNECT)
1299 l2cap_le_connect(chan);
1300}
1301
1302static void l2cap_start_connection(struct l2cap_chan *chan)
1303{
1304 if (__amp_capable(chan)) {
1305 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1306 a2mp_discover_amp(chan);
1307 } else if (chan->conn->hcon->type == LE_LINK) {
1308 l2cap_le_start(chan);
1309 } else {
1310 l2cap_send_conn_req(chan);
1311 }
1312}
1313
1314static void l2cap_request_info(struct l2cap_conn *conn)
1315{
1316 struct l2cap_info_req req;
1317
1318 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1319 return;
1320
1321 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1322
1323 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1324 conn->info_ident = l2cap_get_ident(conn);
1325
1326 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1327
1328 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1329 sizeof(req), &req);
1330}
1331
1332static void l2cap_do_start(struct l2cap_chan *chan)
1333{
1334 struct l2cap_conn *conn = chan->conn;
1335
1336 if (conn->hcon->type == LE_LINK) {
1337 l2cap_le_start(chan);
1338 return;
1339 }
1340
1341 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1342 l2cap_request_info(conn);
1343 return;
1344 }
1345
1346 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1347 return;
1348
1349 if (l2cap_chan_check_security(chan, true) &&
1350 __l2cap_no_conn_pending(chan))
1351 l2cap_start_connection(chan);
1352}
1353
1354static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1355{
1356 u32 local_feat_mask = l2cap_feat_mask;
1357 if (!disable_ertm)
1358 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1359
1360 switch (mode) {
1361 case L2CAP_MODE_ERTM:
1362 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1363 case L2CAP_MODE_STREAMING:
1364 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1365 default:
1366 return 0x00;
1367 }
1368}
1369
1370static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1371{
1372 struct l2cap_conn *conn = chan->conn;
1373 struct l2cap_disconn_req req;
1374
1375 if (!conn)
1376 return;
1377
1378 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1379 __clear_retrans_timer(chan);
1380 __clear_monitor_timer(chan);
1381 __clear_ack_timer(chan);
1382 }
1383
1384 if (chan->scid == L2CAP_CID_A2MP) {
1385 l2cap_state_change(chan, BT_DISCONN);
1386 return;
1387 }
1388
1389 req.dcid = cpu_to_le16(chan->dcid);
1390 req.scid = cpu_to_le16(chan->scid);
1391 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1392 sizeof(req), &req);
1393
1394 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1395}
1396
1397
1398static void l2cap_conn_start(struct l2cap_conn *conn)
1399{
1400 struct l2cap_chan *chan, *tmp;
1401
1402 BT_DBG("conn %p", conn);
1403
1404 mutex_lock(&conn->chan_lock);
1405
1406 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1407 l2cap_chan_lock(chan);
1408
1409 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1410 l2cap_chan_ready(chan);
1411 l2cap_chan_unlock(chan);
1412 continue;
1413 }
1414
1415 if (chan->state == BT_CONNECT) {
1416 if (!l2cap_chan_check_security(chan, true) ||
1417 !__l2cap_no_conn_pending(chan)) {
1418 l2cap_chan_unlock(chan);
1419 continue;
1420 }
1421
1422 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1423 && test_bit(CONF_STATE2_DEVICE,
1424 &chan->conf_state)) {
1425 l2cap_chan_close(chan, ECONNRESET);
1426 l2cap_chan_unlock(chan);
1427 continue;
1428 }
1429
1430 l2cap_start_connection(chan);
1431
1432 } else if (chan->state == BT_CONNECT2) {
1433 struct l2cap_conn_rsp rsp;
1434 char buf[128];
1435 rsp.scid = cpu_to_le16(chan->dcid);
1436 rsp.dcid = cpu_to_le16(chan->scid);
1437
1438 if (l2cap_chan_check_security(chan, false)) {
1439 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1440 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1441 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1442 chan->ops->defer(chan);
1443
1444 } else {
1445 l2cap_state_change(chan, BT_CONFIG);
1446 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1447 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1448 }
1449 } else {
1450 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1451 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1452 }
1453
1454 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1455 sizeof(rsp), &rsp);
1456
1457 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1458 rsp.result != L2CAP_CR_SUCCESS) {
1459 l2cap_chan_unlock(chan);
1460 continue;
1461 }
1462
1463 set_bit(CONF_REQ_SENT, &chan->conf_state);
1464 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1465 l2cap_build_conf_req(chan, buf), buf);
1466 chan->num_conf_req++;
1467 }
1468
1469 l2cap_chan_unlock(chan);
1470 }
1471
1472 mutex_unlock(&conn->chan_lock);
1473}
1474
1475static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1476{
1477 struct hci_conn *hcon = conn->hcon;
1478 struct hci_dev *hdev = hcon->hdev;
1479
1480 BT_DBG("%s conn %p", hdev->name, conn);
1481
1482
1483
1484
1485 if (hcon->out)
1486 smp_conn_security(hcon, hcon->pending_sec_level);
1487
1488
1489
1490
1491
1492
1493 if (hcon->role == HCI_ROLE_SLAVE &&
1494 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1495 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1496 struct l2cap_conn_param_update_req req;
1497
1498 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1499 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1500 req.latency = cpu_to_le16(hcon->le_conn_latency);
1501 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1502
1503 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1504 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1505 }
1506}
1507
1508static void l2cap_conn_ready(struct l2cap_conn *conn)
1509{
1510 struct l2cap_chan *chan;
1511 struct hci_conn *hcon = conn->hcon;
1512
1513 BT_DBG("conn %p", conn);
1514
1515 if (hcon->type == ACL_LINK)
1516 l2cap_request_info(conn);
1517
1518 mutex_lock(&conn->chan_lock);
1519
1520 list_for_each_entry(chan, &conn->chan_l, list) {
1521
1522 l2cap_chan_lock(chan);
1523
1524 if (chan->scid == L2CAP_CID_A2MP) {
1525 l2cap_chan_unlock(chan);
1526 continue;
1527 }
1528
1529 if (hcon->type == LE_LINK) {
1530 l2cap_le_start(chan);
1531 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1532 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1533 l2cap_chan_ready(chan);
1534 } else if (chan->state == BT_CONNECT) {
1535 l2cap_do_start(chan);
1536 }
1537
1538 l2cap_chan_unlock(chan);
1539 }
1540
1541 mutex_unlock(&conn->chan_lock);
1542
1543 if (hcon->type == LE_LINK)
1544 l2cap_le_conn_ready(conn);
1545
1546 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1547}
1548
1549
1550static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1551{
1552 struct l2cap_chan *chan;
1553
1554 BT_DBG("conn %p", conn);
1555
1556 mutex_lock(&conn->chan_lock);
1557
1558 list_for_each_entry(chan, &conn->chan_l, list) {
1559 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1560 l2cap_chan_set_err(chan, err);
1561 }
1562
1563 mutex_unlock(&conn->chan_lock);
1564}
1565
1566static void l2cap_info_timeout(struct work_struct *work)
1567{
1568 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1569 info_timer.work);
1570
1571 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1572 conn->info_ident = 0;
1573
1574 l2cap_conn_start(conn);
1575}
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1591{
1592 struct hci_dev *hdev = conn->hcon->hdev;
1593 int ret;
1594
1595
1596
1597
1598
1599
1600
1601
1602 hci_dev_lock(hdev);
1603
1604 if (!list_empty(&user->list)) {
1605 ret = -EINVAL;
1606 goto out_unlock;
1607 }
1608
1609
1610 if (!conn->hchan) {
1611 ret = -ENODEV;
1612 goto out_unlock;
1613 }
1614
1615 ret = user->probe(conn, user);
1616 if (ret)
1617 goto out_unlock;
1618
1619 list_add(&user->list, &conn->users);
1620 ret = 0;
1621
1622out_unlock:
1623 hci_dev_unlock(hdev);
1624 return ret;
1625}
1626EXPORT_SYMBOL(l2cap_register_user);
1627
1628void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1629{
1630 struct hci_dev *hdev = conn->hcon->hdev;
1631
1632 hci_dev_lock(hdev);
1633
1634 if (list_empty(&user->list))
1635 goto out_unlock;
1636
1637 list_del_init(&user->list);
1638 user->remove(conn, user);
1639
1640out_unlock:
1641 hci_dev_unlock(hdev);
1642}
1643EXPORT_SYMBOL(l2cap_unregister_user);
1644
1645static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1646{
1647 struct l2cap_user *user;
1648
1649 while (!list_empty(&conn->users)) {
1650 user = list_first_entry(&conn->users, struct l2cap_user, list);
1651 list_del_init(&user->list);
1652 user->remove(conn, user);
1653 }
1654}
1655
1656static void l2cap_conn_del(struct hci_conn *hcon, int err)
1657{
1658 struct l2cap_conn *conn = hcon->l2cap_data;
1659 struct l2cap_chan *chan, *l;
1660
1661 if (!conn)
1662 return;
1663
1664 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1665
1666 kfree_skb(conn->rx_skb);
1667
1668 skb_queue_purge(&conn->pending_rx);
1669
1670
1671
1672
1673
1674 if (work_pending(&conn->pending_rx_work))
1675 cancel_work_sync(&conn->pending_rx_work);
1676
1677 if (work_pending(&conn->id_addr_update_work))
1678 cancel_work_sync(&conn->id_addr_update_work);
1679
1680 l2cap_unregister_all_users(conn);
1681
1682
1683 hcon->disc_timeout = 0;
1684
1685 mutex_lock(&conn->chan_lock);
1686
1687
1688 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1689 l2cap_chan_hold(chan);
1690 l2cap_chan_lock(chan);
1691
1692 l2cap_chan_del(chan, err);
1693
1694 l2cap_chan_unlock(chan);
1695
1696 chan->ops->close(chan);
1697 l2cap_chan_put(chan);
1698 }
1699
1700 mutex_unlock(&conn->chan_lock);
1701
1702 hci_chan_del(conn->hchan);
1703
1704 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1705 cancel_delayed_work_sync(&conn->info_timer);
1706
1707 hcon->l2cap_data = NULL;
1708 conn->hchan = NULL;
1709 l2cap_conn_put(conn);
1710}
1711
1712static void l2cap_conn_free(struct kref *ref)
1713{
1714 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1715
1716 hci_conn_put(conn->hcon);
1717 kfree(conn);
1718}
1719
1720struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1721{
1722 kref_get(&conn->ref);
1723 return conn;
1724}
1725EXPORT_SYMBOL(l2cap_conn_get);
1726
1727void l2cap_conn_put(struct l2cap_conn *conn)
1728{
1729 kref_put(&conn->ref, l2cap_conn_free);
1730}
1731EXPORT_SYMBOL(l2cap_conn_put);
1732
1733
1734
1735
1736
1737
1738static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1739 bdaddr_t *src,
1740 bdaddr_t *dst,
1741 u8 link_type)
1742{
1743 struct l2cap_chan *c, *c1 = NULL;
1744
1745 read_lock(&chan_list_lock);
1746
1747 list_for_each_entry(c, &chan_list, global_l) {
1748 if (state && c->state != state)
1749 continue;
1750
1751 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1752 continue;
1753
1754 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1755 continue;
1756
1757 if (c->psm == psm) {
1758 int src_match, dst_match;
1759 int src_any, dst_any;
1760
1761
1762 src_match = !bacmp(&c->src, src);
1763 dst_match = !bacmp(&c->dst, dst);
1764 if (src_match && dst_match) {
1765 l2cap_chan_hold(c);
1766 read_unlock(&chan_list_lock);
1767 return c;
1768 }
1769
1770
1771 src_any = !bacmp(&c->src, BDADDR_ANY);
1772 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1773 if ((src_match && dst_any) || (src_any && dst_match) ||
1774 (src_any && dst_any))
1775 c1 = c;
1776 }
1777 }
1778
1779 if (c1)
1780 l2cap_chan_hold(c1);
1781
1782 read_unlock(&chan_list_lock);
1783
1784 return c1;
1785}
1786
1787static void l2cap_monitor_timeout(struct work_struct *work)
1788{
1789 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1790 monitor_timer.work);
1791
1792 BT_DBG("chan %p", chan);
1793
1794 l2cap_chan_lock(chan);
1795
1796 if (!chan->conn) {
1797 l2cap_chan_unlock(chan);
1798 l2cap_chan_put(chan);
1799 return;
1800 }
1801
1802 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1803
1804 l2cap_chan_unlock(chan);
1805 l2cap_chan_put(chan);
1806}
1807
1808static void l2cap_retrans_timeout(struct work_struct *work)
1809{
1810 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1811 retrans_timer.work);
1812
1813 BT_DBG("chan %p", chan);
1814
1815 l2cap_chan_lock(chan);
1816
1817 if (!chan->conn) {
1818 l2cap_chan_unlock(chan);
1819 l2cap_chan_put(chan);
1820 return;
1821 }
1822
1823 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1824 l2cap_chan_unlock(chan);
1825 l2cap_chan_put(chan);
1826}
1827
1828static void l2cap_streaming_send(struct l2cap_chan *chan,
1829 struct sk_buff_head *skbs)
1830{
1831 struct sk_buff *skb;
1832 struct l2cap_ctrl *control;
1833
1834 BT_DBG("chan %p, skbs %p", chan, skbs);
1835
1836 if (__chan_is_moving(chan))
1837 return;
1838
1839 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1840
1841 while (!skb_queue_empty(&chan->tx_q)) {
1842
1843 skb = skb_dequeue(&chan->tx_q);
1844
1845 bt_cb(skb)->l2cap.retries = 1;
1846 control = &bt_cb(skb)->l2cap;
1847
1848 control->reqseq = 0;
1849 control->txseq = chan->next_tx_seq;
1850
1851 __pack_control(chan, control, skb);
1852
1853 if (chan->fcs == L2CAP_FCS_CRC16) {
1854 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1855 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1856 }
1857
1858 l2cap_do_send(chan, skb);
1859
1860 BT_DBG("Sent txseq %u", control->txseq);
1861
1862 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1863 chan->frames_sent++;
1864 }
1865}
1866
1867static int l2cap_ertm_send(struct l2cap_chan *chan)
1868{
1869 struct sk_buff *skb, *tx_skb;
1870 struct l2cap_ctrl *control;
1871 int sent = 0;
1872
1873 BT_DBG("chan %p", chan);
1874
1875 if (chan->state != BT_CONNECTED)
1876 return -ENOTCONN;
1877
1878 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1879 return 0;
1880
1881 if (__chan_is_moving(chan))
1882 return 0;
1883
1884 while (chan->tx_send_head &&
1885 chan->unacked_frames < chan->remote_tx_win &&
1886 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1887
1888 skb = chan->tx_send_head;
1889
1890 bt_cb(skb)->l2cap.retries = 1;
1891 control = &bt_cb(skb)->l2cap;
1892
1893 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1894 control->final = 1;
1895
1896 control->reqseq = chan->buffer_seq;
1897 chan->last_acked_seq = chan->buffer_seq;
1898 control->txseq = chan->next_tx_seq;
1899
1900 __pack_control(chan, control, skb);
1901
1902 if (chan->fcs == L2CAP_FCS_CRC16) {
1903 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1904 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1905 }
1906
1907
1908
1909
1910 tx_skb = skb_clone(skb, GFP_KERNEL);
1911
1912 if (!tx_skb)
1913 break;
1914
1915 __set_retrans_timer(chan);
1916
1917 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1918 chan->unacked_frames++;
1919 chan->frames_sent++;
1920 sent++;
1921
1922 if (skb_queue_is_last(&chan->tx_q, skb))
1923 chan->tx_send_head = NULL;
1924 else
1925 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1926
1927 l2cap_do_send(chan, tx_skb);
1928 BT_DBG("Sent txseq %u", control->txseq);
1929 }
1930
1931 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1932 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1933
1934 return sent;
1935}
1936
1937static void l2cap_ertm_resend(struct l2cap_chan *chan)
1938{
1939 struct l2cap_ctrl control;
1940 struct sk_buff *skb;
1941 struct sk_buff *tx_skb;
1942 u16 seq;
1943
1944 BT_DBG("chan %p", chan);
1945
1946 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1947 return;
1948
1949 if (__chan_is_moving(chan))
1950 return;
1951
1952 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1953 seq = l2cap_seq_list_pop(&chan->retrans_list);
1954
1955 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1956 if (!skb) {
1957 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1958 seq);
1959 continue;
1960 }
1961
1962 bt_cb(skb)->l2cap.retries++;
1963 control = bt_cb(skb)->l2cap;
1964
1965 if (chan->max_tx != 0 &&
1966 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1967 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1968 l2cap_send_disconn_req(chan, ECONNRESET);
1969 l2cap_seq_list_clear(&chan->retrans_list);
1970 break;
1971 }
1972
1973 control.reqseq = chan->buffer_seq;
1974 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1975 control.final = 1;
1976 else
1977 control.final = 0;
1978
1979 if (skb_cloned(skb)) {
1980
1981
1982
1983 tx_skb = skb_copy(skb, GFP_KERNEL);
1984 } else {
1985 tx_skb = skb_clone(skb, GFP_KERNEL);
1986 }
1987
1988 if (!tx_skb) {
1989 l2cap_seq_list_clear(&chan->retrans_list);
1990 break;
1991 }
1992
1993
1994 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1995 put_unaligned_le32(__pack_extended_control(&control),
1996 tx_skb->data + L2CAP_HDR_SIZE);
1997 } else {
1998 put_unaligned_le16(__pack_enhanced_control(&control),
1999 tx_skb->data + L2CAP_HDR_SIZE);
2000 }
2001
2002
2003 if (chan->fcs == L2CAP_FCS_CRC16) {
2004 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2005 tx_skb->len - L2CAP_FCS_SIZE);
2006 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2007 L2CAP_FCS_SIZE);
2008 }
2009
2010 l2cap_do_send(chan, tx_skb);
2011
2012 BT_DBG("Resent txseq %d", control.txseq);
2013
2014 chan->last_acked_seq = chan->buffer_seq;
2015 }
2016}
2017
2018static void l2cap_retransmit(struct l2cap_chan *chan,
2019 struct l2cap_ctrl *control)
2020{
2021 BT_DBG("chan %p, control %p", chan, control);
2022
2023 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2024 l2cap_ertm_resend(chan);
2025}
2026
2027static void l2cap_retransmit_all(struct l2cap_chan *chan,
2028 struct l2cap_ctrl *control)
2029{
2030 struct sk_buff *skb;
2031
2032 BT_DBG("chan %p, control %p", chan, control);
2033
2034 if (control->poll)
2035 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2036
2037 l2cap_seq_list_clear(&chan->retrans_list);
2038
2039 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2040 return;
2041
2042 if (chan->unacked_frames) {
2043 skb_queue_walk(&chan->tx_q, skb) {
2044 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2045 skb == chan->tx_send_head)
2046 break;
2047 }
2048
2049 skb_queue_walk_from(&chan->tx_q, skb) {
2050 if (skb == chan->tx_send_head)
2051 break;
2052
2053 l2cap_seq_list_append(&chan->retrans_list,
2054 bt_cb(skb)->l2cap.txseq);
2055 }
2056
2057 l2cap_ertm_resend(chan);
2058 }
2059}
2060
2061static void l2cap_send_ack(struct l2cap_chan *chan)
2062{
2063 struct l2cap_ctrl control;
2064 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2065 chan->last_acked_seq);
2066 int threshold;
2067
2068 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2069 chan, chan->last_acked_seq, chan->buffer_seq);
2070
2071 memset(&control, 0, sizeof(control));
2072 control.sframe = 1;
2073
2074 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2075 chan->rx_state == L2CAP_RX_STATE_RECV) {
2076 __clear_ack_timer(chan);
2077 control.super = L2CAP_SUPER_RNR;
2078 control.reqseq = chan->buffer_seq;
2079 l2cap_send_sframe(chan, &control);
2080 } else {
2081 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2082 l2cap_ertm_send(chan);
2083
2084 if (chan->buffer_seq == chan->last_acked_seq)
2085 frames_to_ack = 0;
2086 }
2087
2088
2089
2090
2091 threshold = chan->ack_win;
2092 threshold += threshold << 1;
2093 threshold >>= 2;
2094
2095 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2096 threshold);
2097
2098 if (frames_to_ack >= threshold) {
2099 __clear_ack_timer(chan);
2100 control.super = L2CAP_SUPER_RR;
2101 control.reqseq = chan->buffer_seq;
2102 l2cap_send_sframe(chan, &control);
2103 frames_to_ack = 0;
2104 }
2105
2106 if (frames_to_ack)
2107 __set_ack_timer(chan);
2108 }
2109}
2110
2111static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2112 struct msghdr *msg, int len,
2113 int count, struct sk_buff *skb)
2114{
2115 struct l2cap_conn *conn = chan->conn;
2116 struct sk_buff **frag;
2117 int sent = 0;
2118
2119 if (copy_from_iter(skb_put(skb, count), count, &msg->msg_iter) != count)
2120 return -EFAULT;
2121
2122 sent += count;
2123 len -= count;
2124
2125
2126 frag = &skb_shinfo(skb)->frag_list;
2127 while (len) {
2128 struct sk_buff *tmp;
2129
2130 count = min_t(unsigned int, conn->mtu, len);
2131
2132 tmp = chan->ops->alloc_skb(chan, 0, count,
2133 msg->msg_flags & MSG_DONTWAIT);
2134 if (IS_ERR(tmp))
2135 return PTR_ERR(tmp);
2136
2137 *frag = tmp;
2138
2139 if (copy_from_iter(skb_put(*frag, count), count,
2140 &msg->msg_iter) != count)
2141 return -EFAULT;
2142
2143 sent += count;
2144 len -= count;
2145
2146 skb->len += (*frag)->len;
2147 skb->data_len += (*frag)->len;
2148
2149 frag = &(*frag)->next;
2150 }
2151
2152 return sent;
2153}
2154
2155static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2156 struct msghdr *msg, size_t len)
2157{
2158 struct l2cap_conn *conn = chan->conn;
2159 struct sk_buff *skb;
2160 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2161 struct l2cap_hdr *lh;
2162
2163 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2164 __le16_to_cpu(chan->psm), len);
2165
2166 count = min_t(unsigned int, (conn->mtu - hlen), len);
2167
2168 skb = chan->ops->alloc_skb(chan, hlen, count,
2169 msg->msg_flags & MSG_DONTWAIT);
2170 if (IS_ERR(skb))
2171 return skb;
2172
2173
2174 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2175 lh->cid = cpu_to_le16(chan->dcid);
2176 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2177 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2178
2179 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2180 if (unlikely(err < 0)) {
2181 kfree_skb(skb);
2182 return ERR_PTR(err);
2183 }
2184 return skb;
2185}
2186
2187static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2188 struct msghdr *msg, size_t len)
2189{
2190 struct l2cap_conn *conn = chan->conn;
2191 struct sk_buff *skb;
2192 int err, count;
2193 struct l2cap_hdr *lh;
2194
2195 BT_DBG("chan %p len %zu", chan, len);
2196
2197 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2198
2199 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2200 msg->msg_flags & MSG_DONTWAIT);
2201 if (IS_ERR(skb))
2202 return skb;
2203
2204
2205 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2206 lh->cid = cpu_to_le16(chan->dcid);
2207 lh->len = cpu_to_le16(len);
2208
2209 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2210 if (unlikely(err < 0)) {
2211 kfree_skb(skb);
2212 return ERR_PTR(err);
2213 }
2214 return skb;
2215}
2216
2217static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2218 struct msghdr *msg, size_t len,
2219 u16 sdulen)
2220{
2221 struct l2cap_conn *conn = chan->conn;
2222 struct sk_buff *skb;
2223 int err, count, hlen;
2224 struct l2cap_hdr *lh;
2225
2226 BT_DBG("chan %p len %zu", chan, len);
2227
2228 if (!conn)
2229 return ERR_PTR(-ENOTCONN);
2230
2231 hlen = __ertm_hdr_size(chan);
2232
2233 if (sdulen)
2234 hlen += L2CAP_SDULEN_SIZE;
2235
2236 if (chan->fcs == L2CAP_FCS_CRC16)
2237 hlen += L2CAP_FCS_SIZE;
2238
2239 count = min_t(unsigned int, (conn->mtu - hlen), len);
2240
2241 skb = chan->ops->alloc_skb(chan, hlen, count,
2242 msg->msg_flags & MSG_DONTWAIT);
2243 if (IS_ERR(skb))
2244 return skb;
2245
2246
2247 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2248 lh->cid = cpu_to_le16(chan->dcid);
2249 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2250
2251
2252 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2253 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2254 else
2255 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2256
2257 if (sdulen)
2258 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2259
2260 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2261 if (unlikely(err < 0)) {
2262 kfree_skb(skb);
2263 return ERR_PTR(err);
2264 }
2265
2266 bt_cb(skb)->l2cap.fcs = chan->fcs;
2267 bt_cb(skb)->l2cap.retries = 0;
2268 return skb;
2269}
2270
2271static int l2cap_segment_sdu(struct l2cap_chan *chan,
2272 struct sk_buff_head *seg_queue,
2273 struct msghdr *msg, size_t len)
2274{
2275 struct sk_buff *skb;
2276 u16 sdu_len;
2277 size_t pdu_len;
2278 u8 sar;
2279
2280 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2281
2282
2283
2284
2285
2286
2287
2288 pdu_len = chan->conn->mtu;
2289
2290
2291 if (!chan->hs_hcon)
2292 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2293
2294
2295 if (chan->fcs)
2296 pdu_len -= L2CAP_FCS_SIZE;
2297
2298 pdu_len -= __ertm_hdr_size(chan);
2299
2300
2301 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2302
2303 if (len <= pdu_len) {
2304 sar = L2CAP_SAR_UNSEGMENTED;
2305 sdu_len = 0;
2306 pdu_len = len;
2307 } else {
2308 sar = L2CAP_SAR_START;
2309 sdu_len = len;
2310 }
2311
2312 while (len > 0) {
2313 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2314
2315 if (IS_ERR(skb)) {
2316 __skb_queue_purge(seg_queue);
2317 return PTR_ERR(skb);
2318 }
2319
2320 bt_cb(skb)->l2cap.sar = sar;
2321 __skb_queue_tail(seg_queue, skb);
2322
2323 len -= pdu_len;
2324 if (sdu_len)
2325 sdu_len = 0;
2326
2327 if (len <= pdu_len) {
2328 sar = L2CAP_SAR_END;
2329 pdu_len = len;
2330 } else {
2331 sar = L2CAP_SAR_CONTINUE;
2332 }
2333 }
2334
2335 return 0;
2336}
2337
2338static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2339 struct msghdr *msg,
2340 size_t len, u16 sdulen)
2341{
2342 struct l2cap_conn *conn = chan->conn;
2343 struct sk_buff *skb;
2344 int err, count, hlen;
2345 struct l2cap_hdr *lh;
2346
2347 BT_DBG("chan %p len %zu", chan, len);
2348
2349 if (!conn)
2350 return ERR_PTR(-ENOTCONN);
2351
2352 hlen = L2CAP_HDR_SIZE;
2353
2354 if (sdulen)
2355 hlen += L2CAP_SDULEN_SIZE;
2356
2357 count = min_t(unsigned int, (conn->mtu - hlen), len);
2358
2359 skb = chan->ops->alloc_skb(chan, hlen, count,
2360 msg->msg_flags & MSG_DONTWAIT);
2361 if (IS_ERR(skb))
2362 return skb;
2363
2364
2365 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2366 lh->cid = cpu_to_le16(chan->dcid);
2367 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2368
2369 if (sdulen)
2370 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2371
2372 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2373 if (unlikely(err < 0)) {
2374 kfree_skb(skb);
2375 return ERR_PTR(err);
2376 }
2377
2378 return skb;
2379}
2380
2381static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2382 struct sk_buff_head *seg_queue,
2383 struct msghdr *msg, size_t len)
2384{
2385 struct sk_buff *skb;
2386 size_t pdu_len;
2387 u16 sdu_len;
2388
2389 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2390
2391 sdu_len = len;
2392 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2393
2394 while (len > 0) {
2395 if (len <= pdu_len)
2396 pdu_len = len;
2397
2398 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2399 if (IS_ERR(skb)) {
2400 __skb_queue_purge(seg_queue);
2401 return PTR_ERR(skb);
2402 }
2403
2404 __skb_queue_tail(seg_queue, skb);
2405
2406 len -= pdu_len;
2407
2408 if (sdu_len) {
2409 sdu_len = 0;
2410 pdu_len += L2CAP_SDULEN_SIZE;
2411 }
2412 }
2413
2414 return 0;
2415}
2416
2417int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2418{
2419 struct sk_buff *skb;
2420 int err;
2421 struct sk_buff_head seg_queue;
2422
2423 if (!chan->conn)
2424 return -ENOTCONN;
2425
2426
2427 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2428 skb = l2cap_create_connless_pdu(chan, msg, len);
2429 if (IS_ERR(skb))
2430 return PTR_ERR(skb);
2431
2432
2433
2434
2435 if (chan->state != BT_CONNECTED) {
2436 kfree_skb(skb);
2437 return -ENOTCONN;
2438 }
2439
2440 l2cap_do_send(chan, skb);
2441 return len;
2442 }
2443
2444 switch (chan->mode) {
2445 case L2CAP_MODE_LE_FLOWCTL:
2446
2447 if (len > chan->omtu)
2448 return -EMSGSIZE;
2449
2450 if (!chan->tx_credits)
2451 return -EAGAIN;
2452
2453 __skb_queue_head_init(&seg_queue);
2454
2455 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2456
2457 if (chan->state != BT_CONNECTED) {
2458 __skb_queue_purge(&seg_queue);
2459 err = -ENOTCONN;
2460 }
2461
2462 if (err)
2463 return err;
2464
2465 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2466
2467 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2468 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2469 chan->tx_credits--;
2470 }
2471
2472 if (!chan->tx_credits)
2473 chan->ops->suspend(chan);
2474
2475 err = len;
2476
2477 break;
2478
2479 case L2CAP_MODE_BASIC:
2480
2481 if (len > chan->omtu)
2482 return -EMSGSIZE;
2483
2484
2485 skb = l2cap_create_basic_pdu(chan, msg, len);
2486 if (IS_ERR(skb))
2487 return PTR_ERR(skb);
2488
2489
2490
2491
2492 if (chan->state != BT_CONNECTED) {
2493 kfree_skb(skb);
2494 return -ENOTCONN;
2495 }
2496
2497 l2cap_do_send(chan, skb);
2498 err = len;
2499 break;
2500
2501 case L2CAP_MODE_ERTM:
2502 case L2CAP_MODE_STREAMING:
2503
2504 if (len > chan->omtu) {
2505 err = -EMSGSIZE;
2506 break;
2507 }
2508
2509 __skb_queue_head_init(&seg_queue);
2510
2511
2512
2513
2514
2515 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2516
2517
2518
2519
2520 if (chan->state != BT_CONNECTED) {
2521 __skb_queue_purge(&seg_queue);
2522 err = -ENOTCONN;
2523 }
2524
2525 if (err)
2526 break;
2527
2528 if (chan->mode == L2CAP_MODE_ERTM)
2529 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2530 else
2531 l2cap_streaming_send(chan, &seg_queue);
2532
2533 err = len;
2534
2535
2536
2537
2538 __skb_queue_purge(&seg_queue);
2539 break;
2540
2541 default:
2542 BT_DBG("bad state %1.1x", chan->mode);
2543 err = -EBADFD;
2544 }
2545
2546 return err;
2547}
2548EXPORT_SYMBOL_GPL(l2cap_chan_send);
2549
2550static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2551{
2552 struct l2cap_ctrl control;
2553 u16 seq;
2554
2555 BT_DBG("chan %p, txseq %u", chan, txseq);
2556
2557 memset(&control, 0, sizeof(control));
2558 control.sframe = 1;
2559 control.super = L2CAP_SUPER_SREJ;
2560
2561 for (seq = chan->expected_tx_seq; seq != txseq;
2562 seq = __next_seq(chan, seq)) {
2563 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2564 control.reqseq = seq;
2565 l2cap_send_sframe(chan, &control);
2566 l2cap_seq_list_append(&chan->srej_list, seq);
2567 }
2568 }
2569
2570 chan->expected_tx_seq = __next_seq(chan, txseq);
2571}
2572
2573static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2574{
2575 struct l2cap_ctrl control;
2576
2577 BT_DBG("chan %p", chan);
2578
2579 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2580 return;
2581
2582 memset(&control, 0, sizeof(control));
2583 control.sframe = 1;
2584 control.super = L2CAP_SUPER_SREJ;
2585 control.reqseq = chan->srej_list.tail;
2586 l2cap_send_sframe(chan, &control);
2587}
2588
2589static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2590{
2591 struct l2cap_ctrl control;
2592 u16 initial_head;
2593 u16 seq;
2594
2595 BT_DBG("chan %p, txseq %u", chan, txseq);
2596
2597 memset(&control, 0, sizeof(control));
2598 control.sframe = 1;
2599 control.super = L2CAP_SUPER_SREJ;
2600
2601
2602 initial_head = chan->srej_list.head;
2603
2604 do {
2605 seq = l2cap_seq_list_pop(&chan->srej_list);
2606 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2607 break;
2608
2609 control.reqseq = seq;
2610 l2cap_send_sframe(chan, &control);
2611 l2cap_seq_list_append(&chan->srej_list, seq);
2612 } while (chan->srej_list.head != initial_head);
2613}
2614
2615static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2616{
2617 struct sk_buff *acked_skb;
2618 u16 ackseq;
2619
2620 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2621
2622 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2623 return;
2624
2625 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2626 chan->expected_ack_seq, chan->unacked_frames);
2627
2628 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2629 ackseq = __next_seq(chan, ackseq)) {
2630
2631 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2632 if (acked_skb) {
2633 skb_unlink(acked_skb, &chan->tx_q);
2634 kfree_skb(acked_skb);
2635 chan->unacked_frames--;
2636 }
2637 }
2638
2639 chan->expected_ack_seq = reqseq;
2640
2641 if (chan->unacked_frames == 0)
2642 __clear_retrans_timer(chan);
2643
2644 BT_DBG("unacked_frames %u", chan->unacked_frames);
2645}
2646
2647static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2648{
2649 BT_DBG("chan %p", chan);
2650
2651 chan->expected_tx_seq = chan->buffer_seq;
2652 l2cap_seq_list_clear(&chan->srej_list);
2653 skb_queue_purge(&chan->srej_q);
2654 chan->rx_state = L2CAP_RX_STATE_RECV;
2655}
2656
2657static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2658 struct l2cap_ctrl *control,
2659 struct sk_buff_head *skbs, u8 event)
2660{
2661 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2662 event);
2663
2664 switch (event) {
2665 case L2CAP_EV_DATA_REQUEST:
2666 if (chan->tx_send_head == NULL)
2667 chan->tx_send_head = skb_peek(skbs);
2668
2669 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2670 l2cap_ertm_send(chan);
2671 break;
2672 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2673 BT_DBG("Enter LOCAL_BUSY");
2674 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2675
2676 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2677
2678
2679
2680 l2cap_abort_rx_srej_sent(chan);
2681 }
2682
2683 l2cap_send_ack(chan);
2684
2685 break;
2686 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2687 BT_DBG("Exit LOCAL_BUSY");
2688 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2689
2690 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2691 struct l2cap_ctrl local_control;
2692
2693 memset(&local_control, 0, sizeof(local_control));
2694 local_control.sframe = 1;
2695 local_control.super = L2CAP_SUPER_RR;
2696 local_control.poll = 1;
2697 local_control.reqseq = chan->buffer_seq;
2698 l2cap_send_sframe(chan, &local_control);
2699
2700 chan->retry_count = 1;
2701 __set_monitor_timer(chan);
2702 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2703 }
2704 break;
2705 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2706 l2cap_process_reqseq(chan, control->reqseq);
2707 break;
2708 case L2CAP_EV_EXPLICIT_POLL:
2709 l2cap_send_rr_or_rnr(chan, 1);
2710 chan->retry_count = 1;
2711 __set_monitor_timer(chan);
2712 __clear_ack_timer(chan);
2713 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2714 break;
2715 case L2CAP_EV_RETRANS_TO:
2716 l2cap_send_rr_or_rnr(chan, 1);
2717 chan->retry_count = 1;
2718 __set_monitor_timer(chan);
2719 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2720 break;
2721 case L2CAP_EV_RECV_FBIT:
2722
2723 break;
2724 default:
2725 break;
2726 }
2727}
2728
2729static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2730 struct l2cap_ctrl *control,
2731 struct sk_buff_head *skbs, u8 event)
2732{
2733 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2734 event);
2735
2736 switch (event) {
2737 case L2CAP_EV_DATA_REQUEST:
2738 if (chan->tx_send_head == NULL)
2739 chan->tx_send_head = skb_peek(skbs);
2740
2741 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2742 break;
2743 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2744 BT_DBG("Enter LOCAL_BUSY");
2745 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2746
2747 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2748
2749
2750
2751 l2cap_abort_rx_srej_sent(chan);
2752 }
2753
2754 l2cap_send_ack(chan);
2755
2756 break;
2757 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2758 BT_DBG("Exit LOCAL_BUSY");
2759 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2760
2761 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2762 struct l2cap_ctrl local_control;
2763 memset(&local_control, 0, sizeof(local_control));
2764 local_control.sframe = 1;
2765 local_control.super = L2CAP_SUPER_RR;
2766 local_control.poll = 1;
2767 local_control.reqseq = chan->buffer_seq;
2768 l2cap_send_sframe(chan, &local_control);
2769
2770 chan->retry_count = 1;
2771 __set_monitor_timer(chan);
2772 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2773 }
2774 break;
2775 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2776 l2cap_process_reqseq(chan, control->reqseq);
2777
2778
2779
2780 case L2CAP_EV_RECV_FBIT:
2781 if (control && control->final) {
2782 __clear_monitor_timer(chan);
2783 if (chan->unacked_frames > 0)
2784 __set_retrans_timer(chan);
2785 chan->retry_count = 0;
2786 chan->tx_state = L2CAP_TX_STATE_XMIT;
2787 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2788 }
2789 break;
2790 case L2CAP_EV_EXPLICIT_POLL:
2791
2792 break;
2793 case L2CAP_EV_MONITOR_TO:
2794 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2795 l2cap_send_rr_or_rnr(chan, 1);
2796 __set_monitor_timer(chan);
2797 chan->retry_count++;
2798 } else {
2799 l2cap_send_disconn_req(chan, ECONNABORTED);
2800 }
2801 break;
2802 default:
2803 break;
2804 }
2805}
2806
2807static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2808 struct sk_buff_head *skbs, u8 event)
2809{
2810 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2811 chan, control, skbs, event, chan->tx_state);
2812
2813 switch (chan->tx_state) {
2814 case L2CAP_TX_STATE_XMIT:
2815 l2cap_tx_state_xmit(chan, control, skbs, event);
2816 break;
2817 case L2CAP_TX_STATE_WAIT_F:
2818 l2cap_tx_state_wait_f(chan, control, skbs, event);
2819 break;
2820 default:
2821
2822 break;
2823 }
2824}
2825
2826static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2827 struct l2cap_ctrl *control)
2828{
2829 BT_DBG("chan %p, control %p", chan, control);
2830 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2831}
2832
2833static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2834 struct l2cap_ctrl *control)
2835{
2836 BT_DBG("chan %p, control %p", chan, control);
2837 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2838}
2839
2840
2841static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2842{
2843 struct sk_buff *nskb;
2844 struct l2cap_chan *chan;
2845
2846 BT_DBG("conn %p", conn);
2847
2848 mutex_lock(&conn->chan_lock);
2849
2850 list_for_each_entry(chan, &conn->chan_l, list) {
2851 if (chan->chan_type != L2CAP_CHAN_RAW)
2852 continue;
2853
2854
2855 if (bt_cb(skb)->l2cap.chan == chan)
2856 continue;
2857
2858 nskb = skb_clone(skb, GFP_KERNEL);
2859 if (!nskb)
2860 continue;
2861 if (chan->ops->recv(chan, nskb))
2862 kfree_skb(nskb);
2863 }
2864
2865 mutex_unlock(&conn->chan_lock);
2866}
2867
2868
2869static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2870 u8 ident, u16 dlen, void *data)
2871{
2872 struct sk_buff *skb, **frag;
2873 struct l2cap_cmd_hdr *cmd;
2874 struct l2cap_hdr *lh;
2875 int len, count;
2876
2877 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2878 conn, code, ident, dlen);
2879
2880 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2881 return NULL;
2882
2883 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2884 count = min_t(unsigned int, conn->mtu, len);
2885
2886 skb = bt_skb_alloc(count, GFP_KERNEL);
2887 if (!skb)
2888 return NULL;
2889
2890 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2891 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2892
2893 if (conn->hcon->type == LE_LINK)
2894 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2895 else
2896 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2897
2898 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2899 cmd->code = code;
2900 cmd->ident = ident;
2901 cmd->len = cpu_to_le16(dlen);
2902
2903 if (dlen) {
2904 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2905 memcpy(skb_put(skb, count), data, count);
2906 data += count;
2907 }
2908
2909 len -= skb->len;
2910
2911
2912 frag = &skb_shinfo(skb)->frag_list;
2913 while (len) {
2914 count = min_t(unsigned int, conn->mtu, len);
2915
2916 *frag = bt_skb_alloc(count, GFP_KERNEL);
2917 if (!*frag)
2918 goto fail;
2919
2920 memcpy(skb_put(*frag, count), data, count);
2921
2922 len -= count;
2923 data += count;
2924
2925 frag = &(*frag)->next;
2926 }
2927
2928 return skb;
2929
2930fail:
2931 kfree_skb(skb);
2932 return NULL;
2933}
2934
2935static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2936 unsigned long *val)
2937{
2938 struct l2cap_conf_opt *opt = *ptr;
2939 int len;
2940
2941 len = L2CAP_CONF_OPT_SIZE + opt->len;
2942 *ptr += len;
2943
2944 *type = opt->type;
2945 *olen = opt->len;
2946
2947 switch (opt->len) {
2948 case 1:
2949 *val = *((u8 *) opt->val);
2950 break;
2951
2952 case 2:
2953 *val = get_unaligned_le16(opt->val);
2954 break;
2955
2956 case 4:
2957 *val = get_unaligned_le32(opt->val);
2958 break;
2959
2960 default:
2961 *val = (unsigned long) opt->val;
2962 break;
2963 }
2964
2965 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2966 return len;
2967}
2968
2969static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2970{
2971 struct l2cap_conf_opt *opt = *ptr;
2972
2973 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2974
2975 opt->type = type;
2976 opt->len = len;
2977
2978 switch (len) {
2979 case 1:
2980 *((u8 *) opt->val) = val;
2981 break;
2982
2983 case 2:
2984 put_unaligned_le16(val, opt->val);
2985 break;
2986
2987 case 4:
2988 put_unaligned_le32(val, opt->val);
2989 break;
2990
2991 default:
2992 memcpy(opt->val, (void *) val, len);
2993 break;
2994 }
2995
2996 *ptr += L2CAP_CONF_OPT_SIZE + len;
2997}
2998
2999static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3000{
3001 struct l2cap_conf_efs efs;
3002
3003 switch (chan->mode) {
3004 case L2CAP_MODE_ERTM:
3005 efs.id = chan->local_id;
3006 efs.stype = chan->local_stype;
3007 efs.msdu = cpu_to_le16(chan->local_msdu);
3008 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3009 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3010 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3011 break;
3012
3013 case L2CAP_MODE_STREAMING:
3014 efs.id = 1;
3015 efs.stype = L2CAP_SERV_BESTEFFORT;
3016 efs.msdu = cpu_to_le16(chan->local_msdu);
3017 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3018 efs.acc_lat = 0;
3019 efs.flush_to = 0;
3020 break;
3021
3022 default:
3023 return;
3024 }
3025
3026 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3027 (unsigned long) &efs);
3028}
3029
3030static void l2cap_ack_timeout(struct work_struct *work)
3031{
3032 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3033 ack_timer.work);
3034 u16 frames_to_ack;
3035
3036 BT_DBG("chan %p", chan);
3037
3038 l2cap_chan_lock(chan);
3039
3040 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3041 chan->last_acked_seq);
3042
3043 if (frames_to_ack)
3044 l2cap_send_rr_or_rnr(chan, 0);
3045
3046 l2cap_chan_unlock(chan);
3047 l2cap_chan_put(chan);
3048}
3049
3050int l2cap_ertm_init(struct l2cap_chan *chan)
3051{
3052 int err;
3053
3054 chan->next_tx_seq = 0;
3055 chan->expected_tx_seq = 0;
3056 chan->expected_ack_seq = 0;
3057 chan->unacked_frames = 0;
3058 chan->buffer_seq = 0;
3059 chan->frames_sent = 0;
3060 chan->last_acked_seq = 0;
3061 chan->sdu = NULL;
3062 chan->sdu_last_frag = NULL;
3063 chan->sdu_len = 0;
3064
3065 skb_queue_head_init(&chan->tx_q);
3066
3067 chan->local_amp_id = AMP_ID_BREDR;
3068 chan->move_id = AMP_ID_BREDR;
3069 chan->move_state = L2CAP_MOVE_STABLE;
3070 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3071
3072 if (chan->mode != L2CAP_MODE_ERTM)
3073 return 0;
3074
3075 chan->rx_state = L2CAP_RX_STATE_RECV;
3076 chan->tx_state = L2CAP_TX_STATE_XMIT;
3077
3078 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3079 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3080 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3081
3082 skb_queue_head_init(&chan->srej_q);
3083
3084 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3085 if (err < 0)
3086 return err;
3087
3088 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3089 if (err < 0)
3090 l2cap_seq_list_free(&chan->srej_list);
3091
3092 return err;
3093}
3094
3095static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3096{
3097 switch (mode) {
3098 case L2CAP_MODE_STREAMING:
3099 case L2CAP_MODE_ERTM:
3100 if (l2cap_mode_supported(mode, remote_feat_mask))
3101 return mode;
3102
3103 default:
3104 return L2CAP_MODE_BASIC;
3105 }
3106}
3107
3108static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3109{
3110 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3111 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3112}
3113
3114static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3115{
3116 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3117 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3118}
3119
3120static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3121 struct l2cap_conf_rfc *rfc)
3122{
3123 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3124 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3140
3141
3142
3143
3144
3145 ertm_to = 3 * ertm_to + 500;
3146
3147 if (ertm_to > 0xffff)
3148 ertm_to = 0xffff;
3149
3150 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3151 rfc->monitor_timeout = rfc->retrans_timeout;
3152 } else {
3153 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3154 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3155 }
3156}
3157
3158static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3159{
3160 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3161 __l2cap_ews_supported(chan->conn)) {
3162
3163 set_bit(FLAG_EXT_CTRL, &chan->flags);
3164 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3165 } else {
3166 chan->tx_win = min_t(u16, chan->tx_win,
3167 L2CAP_DEFAULT_TX_WINDOW);
3168 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3169 }
3170 chan->ack_win = chan->tx_win;
3171}
3172
3173static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3174{
3175 struct l2cap_conf_req *req = data;
3176 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3177 void *ptr = req->data;
3178 u16 size;
3179
3180 BT_DBG("chan %p", chan);
3181
3182 if (chan->num_conf_req || chan->num_conf_rsp)
3183 goto done;
3184
3185 switch (chan->mode) {
3186 case L2CAP_MODE_STREAMING:
3187 case L2CAP_MODE_ERTM:
3188 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3189 break;
3190
3191 if (__l2cap_efs_supported(chan->conn))
3192 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3193
3194
3195 default:
3196 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3197 break;
3198 }
3199
3200done:
3201 if (chan->imtu != L2CAP_DEFAULT_MTU)
3202 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3203
3204 switch (chan->mode) {
3205 case L2CAP_MODE_BASIC:
3206 if (disable_ertm)
3207 break;
3208
3209 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3210 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3211 break;
3212
3213 rfc.mode = L2CAP_MODE_BASIC;
3214 rfc.txwin_size = 0;
3215 rfc.max_transmit = 0;
3216 rfc.retrans_timeout = 0;
3217 rfc.monitor_timeout = 0;
3218 rfc.max_pdu_size = 0;
3219
3220 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3221 (unsigned long) &rfc);
3222 break;
3223
3224 case L2CAP_MODE_ERTM:
3225 rfc.mode = L2CAP_MODE_ERTM;
3226 rfc.max_transmit = chan->max_tx;
3227
3228 __l2cap_set_ertm_timeouts(chan, &rfc);
3229
3230 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3231 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3232 L2CAP_FCS_SIZE);
3233 rfc.max_pdu_size = cpu_to_le16(size);
3234
3235 l2cap_txwin_setup(chan);
3236
3237 rfc.txwin_size = min_t(u16, chan->tx_win,
3238 L2CAP_DEFAULT_TX_WINDOW);
3239
3240 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3241 (unsigned long) &rfc);
3242
3243 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3244 l2cap_add_opt_efs(&ptr, chan);
3245
3246 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3247 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3248 chan->tx_win);
3249
3250 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3251 if (chan->fcs == L2CAP_FCS_NONE ||
3252 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3253 chan->fcs = L2CAP_FCS_NONE;
3254 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3255 chan->fcs);
3256 }
3257 break;
3258
3259 case L2CAP_MODE_STREAMING:
3260 l2cap_txwin_setup(chan);
3261 rfc.mode = L2CAP_MODE_STREAMING;
3262 rfc.txwin_size = 0;
3263 rfc.max_transmit = 0;
3264 rfc.retrans_timeout = 0;
3265 rfc.monitor_timeout = 0;
3266
3267 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3268 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3269 L2CAP_FCS_SIZE);
3270 rfc.max_pdu_size = cpu_to_le16(size);
3271
3272 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3273 (unsigned long) &rfc);
3274
3275 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3276 l2cap_add_opt_efs(&ptr, chan);
3277
3278 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3279 if (chan->fcs == L2CAP_FCS_NONE ||
3280 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3281 chan->fcs = L2CAP_FCS_NONE;
3282 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3283 chan->fcs);
3284 }
3285 break;
3286 }
3287
3288 req->dcid = cpu_to_le16(chan->dcid);
3289 req->flags = cpu_to_le16(0);
3290
3291 return ptr - data;
3292}
3293
3294static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3295{
3296 struct l2cap_conf_rsp *rsp = data;
3297 void *ptr = rsp->data;
3298 void *req = chan->conf_req;
3299 int len = chan->conf_len;
3300 int type, hint, olen;
3301 unsigned long val;
3302 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3303 struct l2cap_conf_efs efs;
3304 u8 remote_efs = 0;
3305 u16 mtu = L2CAP_DEFAULT_MTU;
3306 u16 result = L2CAP_CONF_SUCCESS;
3307 u16 size;
3308
3309 BT_DBG("chan %p", chan);
3310
3311 while (len >= L2CAP_CONF_OPT_SIZE) {
3312 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3313
3314 hint = type & L2CAP_CONF_HINT;
3315 type &= L2CAP_CONF_MASK;
3316
3317 switch (type) {
3318 case L2CAP_CONF_MTU:
3319 mtu = val;
3320 break;
3321
3322 case L2CAP_CONF_FLUSH_TO:
3323 chan->flush_to = val;
3324 break;
3325
3326 case L2CAP_CONF_QOS:
3327 break;
3328
3329 case L2CAP_CONF_RFC:
3330 if (olen == sizeof(rfc))
3331 memcpy(&rfc, (void *) val, olen);
3332 break;
3333
3334 case L2CAP_CONF_FCS:
3335 if (val == L2CAP_FCS_NONE)
3336 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3337 break;
3338
3339 case L2CAP_CONF_EFS:
3340 remote_efs = 1;
3341 if (olen == sizeof(efs))
3342 memcpy(&efs, (void *) val, olen);
3343 break;
3344
3345 case L2CAP_CONF_EWS:
3346 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3347 return -ECONNREFUSED;
3348
3349 set_bit(FLAG_EXT_CTRL, &chan->flags);
3350 set_bit(CONF_EWS_RECV, &chan->conf_state);
3351 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3352 chan->remote_tx_win = val;
3353 break;
3354
3355 default:
3356 if (hint)
3357 break;
3358
3359 result = L2CAP_CONF_UNKNOWN;
3360 *((u8 *) ptr++) = type;
3361 break;
3362 }
3363 }
3364
3365 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3366 goto done;
3367
3368 switch (chan->mode) {
3369 case L2CAP_MODE_STREAMING:
3370 case L2CAP_MODE_ERTM:
3371 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3372 chan->mode = l2cap_select_mode(rfc.mode,
3373 chan->conn->feat_mask);
3374 break;
3375 }
3376
3377 if (remote_efs) {
3378 if (__l2cap_efs_supported(chan->conn))
3379 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3380 else
3381 return -ECONNREFUSED;
3382 }
3383
3384 if (chan->mode != rfc.mode)
3385 return -ECONNREFUSED;
3386
3387 break;
3388 }
3389
3390done:
3391 if (chan->mode != rfc.mode) {
3392 result = L2CAP_CONF_UNACCEPT;
3393 rfc.mode = chan->mode;
3394
3395 if (chan->num_conf_rsp == 1)
3396 return -ECONNREFUSED;
3397
3398 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3399 (unsigned long) &rfc);
3400 }
3401
3402 if (result == L2CAP_CONF_SUCCESS) {
3403
3404
3405
3406 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3407 result = L2CAP_CONF_UNACCEPT;
3408 else {
3409 chan->omtu = mtu;
3410 set_bit(CONF_MTU_DONE, &chan->conf_state);
3411 }
3412 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3413
3414 if (remote_efs) {
3415 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3416 efs.stype != L2CAP_SERV_NOTRAFIC &&
3417 efs.stype != chan->local_stype) {
3418
3419 result = L2CAP_CONF_UNACCEPT;
3420
3421 if (chan->num_conf_req >= 1)
3422 return -ECONNREFUSED;
3423
3424 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3425 sizeof(efs),
3426 (unsigned long) &efs);
3427 } else {
3428
3429 result = L2CAP_CONF_PENDING;
3430 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3431 }
3432 }
3433
3434 switch (rfc.mode) {
3435 case L2CAP_MODE_BASIC:
3436 chan->fcs = L2CAP_FCS_NONE;
3437 set_bit(CONF_MODE_DONE, &chan->conf_state);
3438 break;
3439
3440 case L2CAP_MODE_ERTM:
3441 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3442 chan->remote_tx_win = rfc.txwin_size;
3443 else
3444 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3445
3446 chan->remote_max_tx = rfc.max_transmit;
3447
3448 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3449 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3450 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3451 rfc.max_pdu_size = cpu_to_le16(size);
3452 chan->remote_mps = size;
3453
3454 __l2cap_set_ertm_timeouts(chan, &rfc);
3455
3456 set_bit(CONF_MODE_DONE, &chan->conf_state);
3457
3458 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3459 sizeof(rfc), (unsigned long) &rfc);
3460
3461 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3462 chan->remote_id = efs.id;
3463 chan->remote_stype = efs.stype;
3464 chan->remote_msdu = le16_to_cpu(efs.msdu);
3465 chan->remote_flush_to =
3466 le32_to_cpu(efs.flush_to);
3467 chan->remote_acc_lat =
3468 le32_to_cpu(efs.acc_lat);
3469 chan->remote_sdu_itime =
3470 le32_to_cpu(efs.sdu_itime);
3471 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3472 sizeof(efs),
3473 (unsigned long) &efs);
3474 }
3475 break;
3476
3477 case L2CAP_MODE_STREAMING:
3478 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3479 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3480 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3481 rfc.max_pdu_size = cpu_to_le16(size);
3482 chan->remote_mps = size;
3483
3484 set_bit(CONF_MODE_DONE, &chan->conf_state);
3485
3486 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3487 (unsigned long) &rfc);
3488
3489 break;
3490
3491 default:
3492 result = L2CAP_CONF_UNACCEPT;
3493
3494 memset(&rfc, 0, sizeof(rfc));
3495 rfc.mode = chan->mode;
3496 }
3497
3498 if (result == L2CAP_CONF_SUCCESS)
3499 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3500 }
3501 rsp->scid = cpu_to_le16(chan->dcid);
3502 rsp->result = cpu_to_le16(result);
3503 rsp->flags = cpu_to_le16(0);
3504
3505 return ptr - data;
3506}
3507
3508static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3509 void *data, u16 *result)
3510{
3511 struct l2cap_conf_req *req = data;
3512 void *ptr = req->data;
3513 int type, olen;
3514 unsigned long val;
3515 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3516 struct l2cap_conf_efs efs;
3517
3518 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3519
3520 while (len >= L2CAP_CONF_OPT_SIZE) {
3521 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3522
3523 switch (type) {
3524 case L2CAP_CONF_MTU:
3525 if (val < L2CAP_DEFAULT_MIN_MTU) {
3526 *result = L2CAP_CONF_UNACCEPT;
3527 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3528 } else
3529 chan->imtu = val;
3530 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3531 break;
3532
3533 case L2CAP_CONF_FLUSH_TO:
3534 chan->flush_to = val;
3535 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3536 2, chan->flush_to);
3537 break;
3538
3539 case L2CAP_CONF_RFC:
3540 if (olen == sizeof(rfc))
3541 memcpy(&rfc, (void *)val, olen);
3542
3543 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3544 rfc.mode != chan->mode)
3545 return -ECONNREFUSED;
3546
3547 chan->fcs = 0;
3548
3549 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3550 sizeof(rfc), (unsigned long) &rfc);
3551 break;
3552
3553 case L2CAP_CONF_EWS:
3554 chan->ack_win = min_t(u16, val, chan->ack_win);
3555 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3556 chan->tx_win);
3557 break;
3558
3559 case L2CAP_CONF_EFS:
3560 if (olen == sizeof(efs))
3561 memcpy(&efs, (void *)val, olen);
3562
3563 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3564 efs.stype != L2CAP_SERV_NOTRAFIC &&
3565 efs.stype != chan->local_stype)
3566 return -ECONNREFUSED;
3567
3568 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3569 (unsigned long) &efs);
3570 break;
3571
3572 case L2CAP_CONF_FCS:
3573 if (*result == L2CAP_CONF_PENDING)
3574 if (val == L2CAP_FCS_NONE)
3575 set_bit(CONF_RECV_NO_FCS,
3576 &chan->conf_state);
3577 break;
3578 }
3579 }
3580
3581 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3582 return -ECONNREFUSED;
3583
3584 chan->mode = rfc.mode;
3585
3586 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3587 switch (rfc.mode) {
3588 case L2CAP_MODE_ERTM:
3589 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3590 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3591 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3592 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3593 chan->ack_win = min_t(u16, chan->ack_win,
3594 rfc.txwin_size);
3595
3596 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3597 chan->local_msdu = le16_to_cpu(efs.msdu);
3598 chan->local_sdu_itime =
3599 le32_to_cpu(efs.sdu_itime);
3600 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3601 chan->local_flush_to =
3602 le32_to_cpu(efs.flush_to);
3603 }
3604 break;
3605
3606 case L2CAP_MODE_STREAMING:
3607 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3608 }
3609 }
3610
3611 req->dcid = cpu_to_le16(chan->dcid);
3612 req->flags = cpu_to_le16(0);
3613
3614 return ptr - data;
3615}
3616
3617static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3618 u16 result, u16 flags)
3619{
3620 struct l2cap_conf_rsp *rsp = data;
3621 void *ptr = rsp->data;
3622
3623 BT_DBG("chan %p", chan);
3624
3625 rsp->scid = cpu_to_le16(chan->dcid);
3626 rsp->result = cpu_to_le16(result);
3627 rsp->flags = cpu_to_le16(flags);
3628
3629 return ptr - data;
3630}
3631
3632void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3633{
3634 struct l2cap_le_conn_rsp rsp;
3635 struct l2cap_conn *conn = chan->conn;
3636
3637 BT_DBG("chan %p", chan);
3638
3639 rsp.dcid = cpu_to_le16(chan->scid);
3640 rsp.mtu = cpu_to_le16(chan->imtu);
3641 rsp.mps = cpu_to_le16(chan->mps);
3642 rsp.credits = cpu_to_le16(chan->rx_credits);
3643 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3644
3645 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3646 &rsp);
3647}
3648
3649void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3650{
3651 struct l2cap_conn_rsp rsp;
3652 struct l2cap_conn *conn = chan->conn;
3653 u8 buf[128];
3654 u8 rsp_code;
3655
3656 rsp.scid = cpu_to_le16(chan->dcid);
3657 rsp.dcid = cpu_to_le16(chan->scid);
3658 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3659 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3660
3661 if (chan->hs_hcon)
3662 rsp_code = L2CAP_CREATE_CHAN_RSP;
3663 else
3664 rsp_code = L2CAP_CONN_RSP;
3665
3666 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3667
3668 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3669
3670 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3671 return;
3672
3673 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3674 l2cap_build_conf_req(chan, buf), buf);
3675 chan->num_conf_req++;
3676}
3677
3678static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3679{
3680 int type, olen;
3681 unsigned long val;
3682
3683
3684
3685 u16 txwin_ext = chan->ack_win;
3686 struct l2cap_conf_rfc rfc = {
3687 .mode = chan->mode,
3688 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3689 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3690 .max_pdu_size = cpu_to_le16(chan->imtu),
3691 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3692 };
3693
3694 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3695
3696 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3697 return;
3698
3699 while (len >= L2CAP_CONF_OPT_SIZE) {
3700 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3701
3702 switch (type) {
3703 case L2CAP_CONF_RFC:
3704 if (olen == sizeof(rfc))
3705 memcpy(&rfc, (void *)val, olen);
3706 break;
3707 case L2CAP_CONF_EWS:
3708 txwin_ext = val;
3709 break;
3710 }
3711 }
3712
3713 switch (rfc.mode) {
3714 case L2CAP_MODE_ERTM:
3715 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3716 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3717 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3718 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3719 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3720 else
3721 chan->ack_win = min_t(u16, chan->ack_win,
3722 rfc.txwin_size);
3723 break;
3724 case L2CAP_MODE_STREAMING:
3725 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3726 }
3727}
3728
3729static inline int l2cap_command_rej(struct l2cap_conn *conn,
3730 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3731 u8 *data)
3732{
3733 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3734
3735 if (cmd_len < sizeof(*rej))
3736 return -EPROTO;
3737
3738 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3739 return 0;
3740
3741 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3742 cmd->ident == conn->info_ident) {
3743 cancel_delayed_work(&conn->info_timer);
3744
3745 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3746 conn->info_ident = 0;
3747
3748 l2cap_conn_start(conn);
3749 }
3750
3751 return 0;
3752}
3753
3754static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3755 struct l2cap_cmd_hdr *cmd,
3756 u8 *data, u8 rsp_code, u8 amp_id)
3757{
3758 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3759 struct l2cap_conn_rsp rsp;
3760 struct l2cap_chan *chan = NULL, *pchan;
3761 int result, status = L2CAP_CS_NO_INFO;
3762
3763 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3764 __le16 psm = req->psm;
3765
3766 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3767
3768
3769 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3770 &conn->hcon->dst, ACL_LINK);
3771 if (!pchan) {
3772 result = L2CAP_CR_BAD_PSM;
3773 goto sendresp;
3774 }
3775
3776 mutex_lock(&conn->chan_lock);
3777 l2cap_chan_lock(pchan);
3778
3779
3780 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3781 !hci_conn_check_link_mode(conn->hcon)) {
3782 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3783 result = L2CAP_CR_SEC_BLOCK;
3784 goto response;
3785 }
3786
3787 result = L2CAP_CR_NO_MEM;
3788
3789
3790 if (__l2cap_get_chan_by_dcid(conn, scid))
3791 goto response;
3792
3793 chan = pchan->ops->new_connection(pchan);
3794 if (!chan)
3795 goto response;
3796
3797
3798
3799
3800
3801
3802 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3803
3804 bacpy(&chan->src, &conn->hcon->src);
3805 bacpy(&chan->dst, &conn->hcon->dst);
3806 chan->src_type = bdaddr_src_type(conn->hcon);
3807 chan->dst_type = bdaddr_dst_type(conn->hcon);
3808 chan->psm = psm;
3809 chan->dcid = scid;
3810 chan->local_amp_id = amp_id;
3811
3812 __l2cap_chan_add(conn, chan);
3813
3814 dcid = chan->scid;
3815
3816 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3817
3818 chan->ident = cmd->ident;
3819
3820 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3821 if (l2cap_chan_check_security(chan, false)) {
3822 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3823 l2cap_state_change(chan, BT_CONNECT2);
3824 result = L2CAP_CR_PEND;
3825 status = L2CAP_CS_AUTHOR_PEND;
3826 chan->ops->defer(chan);
3827 } else {
3828
3829
3830
3831
3832 if (amp_id == AMP_ID_BREDR) {
3833 l2cap_state_change(chan, BT_CONFIG);
3834 result = L2CAP_CR_SUCCESS;
3835 } else {
3836 l2cap_state_change(chan, BT_CONNECT2);
3837 result = L2CAP_CR_PEND;
3838 }
3839 status = L2CAP_CS_NO_INFO;
3840 }
3841 } else {
3842 l2cap_state_change(chan, BT_CONNECT2);
3843 result = L2CAP_CR_PEND;
3844 status = L2CAP_CS_AUTHEN_PEND;
3845 }
3846 } else {
3847 l2cap_state_change(chan, BT_CONNECT2);
3848 result = L2CAP_CR_PEND;
3849 status = L2CAP_CS_NO_INFO;
3850 }
3851
3852response:
3853 l2cap_chan_unlock(pchan);
3854 mutex_unlock(&conn->chan_lock);
3855 l2cap_chan_put(pchan);
3856
3857sendresp:
3858 rsp.scid = cpu_to_le16(scid);
3859 rsp.dcid = cpu_to_le16(dcid);
3860 rsp.result = cpu_to_le16(result);
3861 rsp.status = cpu_to_le16(status);
3862 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3863
3864 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3865 struct l2cap_info_req info;
3866 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3867
3868 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3869 conn->info_ident = l2cap_get_ident(conn);
3870
3871 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3872
3873 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3874 sizeof(info), &info);
3875 }
3876
3877 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3878 result == L2CAP_CR_SUCCESS) {
3879 u8 buf[128];
3880 set_bit(CONF_REQ_SENT, &chan->conf_state);
3881 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3882 l2cap_build_conf_req(chan, buf), buf);
3883 chan->num_conf_req++;
3884 }
3885
3886 return chan;
3887}
3888
3889static int l2cap_connect_req(struct l2cap_conn *conn,
3890 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3891{
3892 struct hci_dev *hdev = conn->hcon->hdev;
3893 struct hci_conn *hcon = conn->hcon;
3894
3895 if (cmd_len < sizeof(struct l2cap_conn_req))
3896 return -EPROTO;
3897
3898 hci_dev_lock(hdev);
3899 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3900 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3901 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3902 hci_dev_unlock(hdev);
3903
3904 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3905 return 0;
3906}
3907
3908static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3909 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3910 u8 *data)
3911{
3912 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3913 u16 scid, dcid, result, status;
3914 struct l2cap_chan *chan;
3915 u8 req[128];
3916 int err;
3917
3918 if (cmd_len < sizeof(*rsp))
3919 return -EPROTO;
3920
3921 scid = __le16_to_cpu(rsp->scid);
3922 dcid = __le16_to_cpu(rsp->dcid);
3923 result = __le16_to_cpu(rsp->result);
3924 status = __le16_to_cpu(rsp->status);
3925
3926 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3927 dcid, scid, result, status);
3928
3929 mutex_lock(&conn->chan_lock);
3930
3931 if (scid) {
3932 chan = __l2cap_get_chan_by_scid(conn, scid);
3933 if (!chan) {
3934 err = -EBADSLT;
3935 goto unlock;
3936 }
3937 } else {
3938 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3939 if (!chan) {
3940 err = -EBADSLT;
3941 goto unlock;
3942 }
3943 }
3944
3945 err = 0;
3946
3947 l2cap_chan_lock(chan);
3948
3949 switch (result) {
3950 case L2CAP_CR_SUCCESS:
3951 l2cap_state_change(chan, BT_CONFIG);
3952 chan->ident = 0;
3953 chan->dcid = dcid;
3954 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3955
3956 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3957 break;
3958
3959 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3960 l2cap_build_conf_req(chan, req), req);
3961 chan->num_conf_req++;
3962 break;
3963
3964 case L2CAP_CR_PEND:
3965 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3966 break;
3967
3968 default:
3969 l2cap_chan_del(chan, ECONNREFUSED);
3970 break;
3971 }
3972
3973 l2cap_chan_unlock(chan);
3974
3975unlock:
3976 mutex_unlock(&conn->chan_lock);
3977
3978 return err;
3979}
3980
3981static inline void set_default_fcs(struct l2cap_chan *chan)
3982{
3983
3984
3985
3986 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3987 chan->fcs = L2CAP_FCS_NONE;
3988 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
3989 chan->fcs = L2CAP_FCS_CRC16;
3990}
3991
3992static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3993 u8 ident, u16 flags)
3994{
3995 struct l2cap_conn *conn = chan->conn;
3996
3997 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3998 flags);
3999
4000 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4001 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4002
4003 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4004 l2cap_build_conf_rsp(chan, data,
4005 L2CAP_CONF_SUCCESS, flags), data);
4006}
4007
4008static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4009 u16 scid, u16 dcid)
4010{
4011 struct l2cap_cmd_rej_cid rej;
4012
4013 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4014 rej.scid = __cpu_to_le16(scid);
4015 rej.dcid = __cpu_to_le16(dcid);
4016
4017 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4018}
4019
4020static inline int l2cap_config_req(struct l2cap_conn *conn,
4021 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4022 u8 *data)
4023{
4024 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4025 u16 dcid, flags;
4026 u8 rsp[64];
4027 struct l2cap_chan *chan;
4028 int len, err = 0;
4029
4030 if (cmd_len < sizeof(*req))
4031 return -EPROTO;
4032
4033 dcid = __le16_to_cpu(req->dcid);
4034 flags = __le16_to_cpu(req->flags);
4035
4036 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4037
4038 chan = l2cap_get_chan_by_scid(conn, dcid);
4039 if (!chan) {
4040 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4041 return 0;
4042 }
4043
4044 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4045 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4046 chan->dcid);
4047 goto unlock;
4048 }
4049
4050
4051 len = cmd_len - sizeof(*req);
4052 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4053 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4054 l2cap_build_conf_rsp(chan, rsp,
4055 L2CAP_CONF_REJECT, flags), rsp);
4056 goto unlock;
4057 }
4058
4059
4060 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4061 chan->conf_len += len;
4062
4063 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4064
4065 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4066 l2cap_build_conf_rsp(chan, rsp,
4067 L2CAP_CONF_SUCCESS, flags), rsp);
4068 goto unlock;
4069 }
4070
4071
4072 len = l2cap_parse_conf_req(chan, rsp);
4073 if (len < 0) {
4074 l2cap_send_disconn_req(chan, ECONNRESET);
4075 goto unlock;
4076 }
4077
4078 chan->ident = cmd->ident;
4079 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4080 chan->num_conf_rsp++;
4081
4082
4083 chan->conf_len = 0;
4084
4085 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4086 goto unlock;
4087
4088 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4089 set_default_fcs(chan);
4090
4091 if (chan->mode == L2CAP_MODE_ERTM ||
4092 chan->mode == L2CAP_MODE_STREAMING)
4093 err = l2cap_ertm_init(chan);
4094
4095 if (err < 0)
4096 l2cap_send_disconn_req(chan, -err);
4097 else
4098 l2cap_chan_ready(chan);
4099
4100 goto unlock;
4101 }
4102
4103 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4104 u8 buf[64];
4105 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4106 l2cap_build_conf_req(chan, buf), buf);
4107 chan->num_conf_req++;
4108 }
4109
4110
4111
4112 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4113 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4114
4115
4116
4117
4118 if (!chan->hs_hcon)
4119 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4120 else
4121 chan->ident = cmd->ident;
4122 }
4123
4124unlock:
4125 l2cap_chan_unlock(chan);
4126 return err;
4127}
4128
4129static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4130 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4131 u8 *data)
4132{
4133 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4134 u16 scid, flags, result;
4135 struct l2cap_chan *chan;
4136 int len = cmd_len - sizeof(*rsp);
4137 int err = 0;
4138
4139 if (cmd_len < sizeof(*rsp))
4140 return -EPROTO;
4141
4142 scid = __le16_to_cpu(rsp->scid);
4143 flags = __le16_to_cpu(rsp->flags);
4144 result = __le16_to_cpu(rsp->result);
4145
4146 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4147 result, len);
4148
4149 chan = l2cap_get_chan_by_scid(conn, scid);
4150 if (!chan)
4151 return 0;
4152
4153 switch (result) {
4154 case L2CAP_CONF_SUCCESS:
4155 l2cap_conf_rfc_get(chan, rsp->data, len);
4156 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4157 break;
4158
4159 case L2CAP_CONF_PENDING:
4160 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4161
4162 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4163 char buf[64];
4164
4165 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4166 buf, &result);
4167 if (len < 0) {
4168 l2cap_send_disconn_req(chan, ECONNRESET);
4169 goto done;
4170 }
4171
4172 if (!chan->hs_hcon) {
4173 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4174 0);
4175 } else {
4176 if (l2cap_check_efs(chan)) {
4177 amp_create_logical_link(chan);
4178 chan->ident = cmd->ident;
4179 }
4180 }
4181 }
4182 goto done;
4183
4184 case L2CAP_CONF_UNACCEPT:
4185 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4186 char req[64];
4187
4188 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4189 l2cap_send_disconn_req(chan, ECONNRESET);
4190 goto done;
4191 }
4192
4193
4194 result = L2CAP_CONF_SUCCESS;
4195 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4196 req, &result);
4197 if (len < 0) {
4198 l2cap_send_disconn_req(chan, ECONNRESET);
4199 goto done;
4200 }
4201
4202 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4203 L2CAP_CONF_REQ, len, req);
4204 chan->num_conf_req++;
4205 if (result != L2CAP_CONF_SUCCESS)
4206 goto done;
4207 break;
4208 }
4209
4210 default:
4211 l2cap_chan_set_err(chan, ECONNRESET);
4212
4213 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4214 l2cap_send_disconn_req(chan, ECONNRESET);
4215 goto done;
4216 }
4217
4218 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4219 goto done;
4220
4221 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4222
4223 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4224 set_default_fcs(chan);
4225
4226 if (chan->mode == L2CAP_MODE_ERTM ||
4227 chan->mode == L2CAP_MODE_STREAMING)
4228 err = l2cap_ertm_init(chan);
4229
4230 if (err < 0)
4231 l2cap_send_disconn_req(chan, -err);
4232 else
4233 l2cap_chan_ready(chan);
4234 }
4235
4236done:
4237 l2cap_chan_unlock(chan);
4238 return err;
4239}
4240
4241static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4242 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4243 u8 *data)
4244{
4245 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4246 struct l2cap_disconn_rsp rsp;
4247 u16 dcid, scid;
4248 struct l2cap_chan *chan;
4249
4250 if (cmd_len != sizeof(*req))
4251 return -EPROTO;
4252
4253 scid = __le16_to_cpu(req->scid);
4254 dcid = __le16_to_cpu(req->dcid);
4255
4256 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4257
4258 mutex_lock(&conn->chan_lock);
4259
4260 chan = __l2cap_get_chan_by_scid(conn, dcid);
4261 if (!chan) {
4262 mutex_unlock(&conn->chan_lock);
4263 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4264 return 0;
4265 }
4266
4267 l2cap_chan_lock(chan);
4268
4269 rsp.dcid = cpu_to_le16(chan->scid);
4270 rsp.scid = cpu_to_le16(chan->dcid);
4271 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4272
4273 chan->ops->set_shutdown(chan);
4274
4275 l2cap_chan_hold(chan);
4276 l2cap_chan_del(chan, ECONNRESET);
4277
4278 l2cap_chan_unlock(chan);
4279
4280 chan->ops->close(chan);
4281 l2cap_chan_put(chan);
4282
4283 mutex_unlock(&conn->chan_lock);
4284
4285 return 0;
4286}
4287
4288static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4289 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4290 u8 *data)
4291{
4292 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4293 u16 dcid, scid;
4294 struct l2cap_chan *chan;
4295
4296 if (cmd_len != sizeof(*rsp))
4297 return -EPROTO;
4298
4299 scid = __le16_to_cpu(rsp->scid);
4300 dcid = __le16_to_cpu(rsp->dcid);
4301
4302 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4303
4304 mutex_lock(&conn->chan_lock);
4305
4306 chan = __l2cap_get_chan_by_scid(conn, scid);
4307 if (!chan) {
4308 mutex_unlock(&conn->chan_lock);
4309 return 0;
4310 }
4311
4312 l2cap_chan_lock(chan);
4313
4314 l2cap_chan_hold(chan);
4315 l2cap_chan_del(chan, 0);
4316
4317 l2cap_chan_unlock(chan);
4318
4319 chan->ops->close(chan);
4320 l2cap_chan_put(chan);
4321
4322 mutex_unlock(&conn->chan_lock);
4323
4324 return 0;
4325}
4326
4327static inline int l2cap_information_req(struct l2cap_conn *conn,
4328 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4329 u8 *data)
4330{
4331 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4332 u16 type;
4333
4334 if (cmd_len != sizeof(*req))
4335 return -EPROTO;
4336
4337 type = __le16_to_cpu(req->type);
4338
4339 BT_DBG("type 0x%4.4x", type);
4340
4341 if (type == L2CAP_IT_FEAT_MASK) {
4342 u8 buf[8];
4343 u32 feat_mask = l2cap_feat_mask;
4344 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4345 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4346 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4347 if (!disable_ertm)
4348 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4349 | L2CAP_FEAT_FCS;
4350 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4351 feat_mask |= L2CAP_FEAT_EXT_FLOW
4352 | L2CAP_FEAT_EXT_WINDOW;
4353
4354 put_unaligned_le32(feat_mask, rsp->data);
4355 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4356 buf);
4357 } else if (type == L2CAP_IT_FIXED_CHAN) {
4358 u8 buf[12];
4359 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4360
4361 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4362 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4363 rsp->data[0] = conn->local_fixed_chan;
4364 memset(rsp->data + 1, 0, 7);
4365 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4366 buf);
4367 } else {
4368 struct l2cap_info_rsp rsp;
4369 rsp.type = cpu_to_le16(type);
4370 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4371 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4372 &rsp);
4373 }
4374
4375 return 0;
4376}
4377
4378static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4379 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4380 u8 *data)
4381{
4382 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4383 u16 type, result;
4384
4385 if (cmd_len < sizeof(*rsp))
4386 return -EPROTO;
4387
4388 type = __le16_to_cpu(rsp->type);
4389 result = __le16_to_cpu(rsp->result);
4390
4391 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4392
4393
4394 if (cmd->ident != conn->info_ident ||
4395 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4396 return 0;
4397
4398 cancel_delayed_work(&conn->info_timer);
4399
4400 if (result != L2CAP_IR_SUCCESS) {
4401 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4402 conn->info_ident = 0;
4403
4404 l2cap_conn_start(conn);
4405
4406 return 0;
4407 }
4408
4409 switch (type) {
4410 case L2CAP_IT_FEAT_MASK:
4411 conn->feat_mask = get_unaligned_le32(rsp->data);
4412
4413 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4414 struct l2cap_info_req req;
4415 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4416
4417 conn->info_ident = l2cap_get_ident(conn);
4418
4419 l2cap_send_cmd(conn, conn->info_ident,
4420 L2CAP_INFO_REQ, sizeof(req), &req);
4421 } else {
4422 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4423 conn->info_ident = 0;
4424
4425 l2cap_conn_start(conn);
4426 }
4427 break;
4428
4429 case L2CAP_IT_FIXED_CHAN:
4430 conn->remote_fixed_chan = rsp->data[0];
4431 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4432 conn->info_ident = 0;
4433
4434 l2cap_conn_start(conn);
4435 break;
4436 }
4437
4438 return 0;
4439}
4440
4441static int l2cap_create_channel_req(struct l2cap_conn *conn,
4442 struct l2cap_cmd_hdr *cmd,
4443 u16 cmd_len, void *data)
4444{
4445 struct l2cap_create_chan_req *req = data;
4446 struct l2cap_create_chan_rsp rsp;
4447 struct l2cap_chan *chan;
4448 struct hci_dev *hdev;
4449 u16 psm, scid;
4450
4451 if (cmd_len != sizeof(*req))
4452 return -EPROTO;
4453
4454 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4455 return -EINVAL;
4456
4457 psm = le16_to_cpu(req->psm);
4458 scid = le16_to_cpu(req->scid);
4459
4460 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4461
4462
4463 if (req->amp_id == AMP_ID_BREDR) {
4464 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4465 req->amp_id);
4466 return 0;
4467 }
4468
4469
4470 hdev = hci_dev_get(req->amp_id);
4471 if (!hdev)
4472 goto error;
4473
4474 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4475 hci_dev_put(hdev);
4476 goto error;
4477 }
4478
4479 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4480 req->amp_id);
4481 if (chan) {
4482 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4483 struct hci_conn *hs_hcon;
4484
4485 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4486 &conn->hcon->dst);
4487 if (!hs_hcon) {
4488 hci_dev_put(hdev);
4489 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4490 chan->dcid);
4491 return 0;
4492 }
4493
4494 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4495
4496 mgr->bredr_chan = chan;
4497 chan->hs_hcon = hs_hcon;
4498 chan->fcs = L2CAP_FCS_NONE;
4499 conn->mtu = hdev->block_mtu;
4500 }
4501
4502 hci_dev_put(hdev);
4503
4504 return 0;
4505
4506error:
4507 rsp.dcid = 0;
4508 rsp.scid = cpu_to_le16(scid);
4509 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4510 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4511
4512 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4513 sizeof(rsp), &rsp);
4514
4515 return 0;
4516}
4517
4518static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4519{
4520 struct l2cap_move_chan_req req;
4521 u8 ident;
4522
4523 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4524
4525 ident = l2cap_get_ident(chan->conn);
4526 chan->ident = ident;
4527
4528 req.icid = cpu_to_le16(chan->scid);
4529 req.dest_amp_id = dest_amp_id;
4530
4531 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4532 &req);
4533
4534 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4535}
4536
4537static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4538{
4539 struct l2cap_move_chan_rsp rsp;
4540
4541 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4542
4543 rsp.icid = cpu_to_le16(chan->dcid);
4544 rsp.result = cpu_to_le16(result);
4545
4546 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4547 sizeof(rsp), &rsp);
4548}
4549
4550static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4551{
4552 struct l2cap_move_chan_cfm cfm;
4553
4554 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4555
4556 chan->ident = l2cap_get_ident(chan->conn);
4557
4558 cfm.icid = cpu_to_le16(chan->scid);
4559 cfm.result = cpu_to_le16(result);
4560
4561 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4562 sizeof(cfm), &cfm);
4563
4564 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4565}
4566
4567static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4568{
4569 struct l2cap_move_chan_cfm cfm;
4570
4571 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4572
4573 cfm.icid = cpu_to_le16(icid);
4574 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4575
4576 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4577 sizeof(cfm), &cfm);
4578}
4579
4580static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4581 u16 icid)
4582{
4583 struct l2cap_move_chan_cfm_rsp rsp;
4584
4585 BT_DBG("icid 0x%4.4x", icid);
4586
4587 rsp.icid = cpu_to_le16(icid);
4588 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4589}
4590
4591static void __release_logical_link(struct l2cap_chan *chan)
4592{
4593 chan->hs_hchan = NULL;
4594 chan->hs_hcon = NULL;
4595
4596
4597}
4598
4599static void l2cap_logical_fail(struct l2cap_chan *chan)
4600{
4601
4602 if (chan->state != BT_CONNECTED) {
4603
4604 l2cap_send_disconn_req(chan, ECONNRESET);
4605 return;
4606 }
4607
4608 switch (chan->move_role) {
4609 case L2CAP_MOVE_ROLE_RESPONDER:
4610 l2cap_move_done(chan);
4611 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4612 break;
4613 case L2CAP_MOVE_ROLE_INITIATOR:
4614 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4615 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4616
4617
4618
4619 l2cap_move_done(chan);
4620 }
4621
4622
4623
4624
4625 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4626 break;
4627 }
4628}
4629
4630static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4631 struct hci_chan *hchan)
4632{
4633 struct l2cap_conf_rsp rsp;
4634
4635 chan->hs_hchan = hchan;
4636 chan->hs_hcon->l2cap_data = chan->conn;
4637
4638 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4639
4640 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4641 int err;
4642
4643 set_default_fcs(chan);
4644
4645 err = l2cap_ertm_init(chan);
4646 if (err < 0)
4647 l2cap_send_disconn_req(chan, -err);
4648 else
4649 l2cap_chan_ready(chan);
4650 }
4651}
4652
4653static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4654 struct hci_chan *hchan)
4655{
4656 chan->hs_hcon = hchan->conn;
4657 chan->hs_hcon->l2cap_data = chan->conn;
4658
4659 BT_DBG("move_state %d", chan->move_state);
4660
4661 switch (chan->move_state) {
4662 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4663
4664
4665
4666 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4667 break;
4668 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4669 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4670 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4671 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4672 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4673 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4674 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4675 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4676 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4677 }
4678 break;
4679 default:
4680
4681 __release_logical_link(chan);
4682
4683 chan->move_state = L2CAP_MOVE_STABLE;
4684 }
4685}
4686
4687
4688void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4689 u8 status)
4690{
4691 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4692
4693 if (status) {
4694 l2cap_logical_fail(chan);
4695 __release_logical_link(chan);
4696 return;
4697 }
4698
4699 if (chan->state != BT_CONNECTED) {
4700
4701 if (chan->local_amp_id != AMP_ID_BREDR)
4702 l2cap_logical_finish_create(chan, hchan);
4703 } else {
4704 l2cap_logical_finish_move(chan, hchan);
4705 }
4706}
4707
4708void l2cap_move_start(struct l2cap_chan *chan)
4709{
4710 BT_DBG("chan %p", chan);
4711
4712 if (chan->local_amp_id == AMP_ID_BREDR) {
4713 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4714 return;
4715 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4716 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4717
4718 } else {
4719 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4720 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4721 chan->move_id = 0;
4722 l2cap_move_setup(chan);
4723 l2cap_send_move_chan_req(chan, 0);
4724 }
4725}
4726
4727static void l2cap_do_create(struct l2cap_chan *chan, int result,
4728 u8 local_amp_id, u8 remote_amp_id)
4729{
4730 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4731 local_amp_id, remote_amp_id);
4732
4733 chan->fcs = L2CAP_FCS_NONE;
4734
4735
4736 if (chan->state == BT_CONNECT) {
4737 if (result == L2CAP_CR_SUCCESS) {
4738 chan->local_amp_id = local_amp_id;
4739 l2cap_send_create_chan_req(chan, remote_amp_id);
4740 } else {
4741
4742 l2cap_send_conn_req(chan);
4743 }
4744
4745 return;
4746 }
4747
4748
4749 if (__l2cap_no_conn_pending(chan)) {
4750 struct l2cap_conn_rsp rsp;
4751 char buf[128];
4752 rsp.scid = cpu_to_le16(chan->dcid);
4753 rsp.dcid = cpu_to_le16(chan->scid);
4754
4755 if (result == L2CAP_CR_SUCCESS) {
4756
4757 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4758 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4759 } else {
4760
4761 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4762 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4763 }
4764
4765 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4766 sizeof(rsp), &rsp);
4767
4768 if (result == L2CAP_CR_SUCCESS) {
4769 l2cap_state_change(chan, BT_CONFIG);
4770 set_bit(CONF_REQ_SENT, &chan->conf_state);
4771 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4772 L2CAP_CONF_REQ,
4773 l2cap_build_conf_req(chan, buf), buf);
4774 chan->num_conf_req++;
4775 }
4776 }
4777}
4778
4779static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4780 u8 remote_amp_id)
4781{
4782 l2cap_move_setup(chan);
4783 chan->move_id = local_amp_id;
4784 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4785
4786 l2cap_send_move_chan_req(chan, remote_amp_id);
4787}
4788
4789static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4790{
4791 struct hci_chan *hchan = NULL;
4792
4793
4794
4795 if (hchan) {
4796 if (hchan->state == BT_CONNECTED) {
4797
4798 chan->hs_hcon = hchan->conn;
4799 chan->hs_hcon->l2cap_data = chan->conn;
4800 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4801 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4802
4803 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4804 } else {
4805
4806 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4807 }
4808 } else {
4809
4810 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4811 }
4812}
4813
4814static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4815{
4816 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4817 u8 rsp_result;
4818 if (result == -EINVAL)
4819 rsp_result = L2CAP_MR_BAD_ID;
4820 else
4821 rsp_result = L2CAP_MR_NOT_ALLOWED;
4822
4823 l2cap_send_move_chan_rsp(chan, rsp_result);
4824 }
4825
4826 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4827 chan->move_state = L2CAP_MOVE_STABLE;
4828
4829
4830 l2cap_ertm_send(chan);
4831}
4832
4833
4834void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4835{
4836 u8 local_amp_id = chan->local_amp_id;
4837 u8 remote_amp_id = chan->remote_amp_id;
4838
4839 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4840 chan, result, local_amp_id, remote_amp_id);
4841
4842 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4843 l2cap_chan_unlock(chan);
4844 return;
4845 }
4846
4847 if (chan->state != BT_CONNECTED) {
4848 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4849 } else if (result != L2CAP_MR_SUCCESS) {
4850 l2cap_do_move_cancel(chan, result);
4851 } else {
4852 switch (chan->move_role) {
4853 case L2CAP_MOVE_ROLE_INITIATOR:
4854 l2cap_do_move_initiate(chan, local_amp_id,
4855 remote_amp_id);
4856 break;
4857 case L2CAP_MOVE_ROLE_RESPONDER:
4858 l2cap_do_move_respond(chan, result);
4859 break;
4860 default:
4861 l2cap_do_move_cancel(chan, result);
4862 break;
4863 }
4864 }
4865}
4866
4867static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4868 struct l2cap_cmd_hdr *cmd,
4869 u16 cmd_len, void *data)
4870{
4871 struct l2cap_move_chan_req *req = data;
4872 struct l2cap_move_chan_rsp rsp;
4873 struct l2cap_chan *chan;
4874 u16 icid = 0;
4875 u16 result = L2CAP_MR_NOT_ALLOWED;
4876
4877 if (cmd_len != sizeof(*req))
4878 return -EPROTO;
4879
4880 icid = le16_to_cpu(req->icid);
4881
4882 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4883
4884 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4885 return -EINVAL;
4886
4887 chan = l2cap_get_chan_by_dcid(conn, icid);
4888 if (!chan) {
4889 rsp.icid = cpu_to_le16(icid);
4890 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4891 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4892 sizeof(rsp), &rsp);
4893 return 0;
4894 }
4895
4896 chan->ident = cmd->ident;
4897
4898 if (chan->scid < L2CAP_CID_DYN_START ||
4899 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4900 (chan->mode != L2CAP_MODE_ERTM &&
4901 chan->mode != L2CAP_MODE_STREAMING)) {
4902 result = L2CAP_MR_NOT_ALLOWED;
4903 goto send_move_response;
4904 }
4905
4906 if (chan->local_amp_id == req->dest_amp_id) {
4907 result = L2CAP_MR_SAME_ID;
4908 goto send_move_response;
4909 }
4910
4911 if (req->dest_amp_id != AMP_ID_BREDR) {
4912 struct hci_dev *hdev;
4913 hdev = hci_dev_get(req->dest_amp_id);
4914 if (!hdev || hdev->dev_type != HCI_AMP ||
4915 !test_bit(HCI_UP, &hdev->flags)) {
4916 if (hdev)
4917 hci_dev_put(hdev);
4918
4919 result = L2CAP_MR_BAD_ID;
4920 goto send_move_response;
4921 }
4922 hci_dev_put(hdev);
4923 }
4924
4925
4926
4927
4928
4929 if ((__chan_is_moving(chan) ||
4930 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4931 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4932 result = L2CAP_MR_COLLISION;
4933 goto send_move_response;
4934 }
4935
4936 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4937 l2cap_move_setup(chan);
4938 chan->move_id = req->dest_amp_id;
4939 icid = chan->dcid;
4940
4941 if (req->dest_amp_id == AMP_ID_BREDR) {
4942
4943 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4944 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4945 result = L2CAP_MR_PEND;
4946 } else {
4947 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4948 result = L2CAP_MR_SUCCESS;
4949 }
4950 } else {
4951 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4952
4953
4954 result = L2CAP_MR_PEND;
4955 }
4956
4957send_move_response:
4958 l2cap_send_move_chan_rsp(chan, result);
4959
4960 l2cap_chan_unlock(chan);
4961
4962 return 0;
4963}
4964
4965static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4966{
4967 struct l2cap_chan *chan;
4968 struct hci_chan *hchan = NULL;
4969
4970 chan = l2cap_get_chan_by_scid(conn, icid);
4971 if (!chan) {
4972 l2cap_send_move_chan_cfm_icid(conn, icid);
4973 return;
4974 }
4975
4976 __clear_chan_timer(chan);
4977 if (result == L2CAP_MR_PEND)
4978 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4979
4980 switch (chan->move_state) {
4981 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4982
4983
4984
4985 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4986 break;
4987 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4988 if (result == L2CAP_MR_PEND) {
4989 break;
4990 } else if (test_bit(CONN_LOCAL_BUSY,
4991 &chan->conn_state)) {
4992 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4993 } else {
4994
4995
4996
4997 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4998 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4999 }
5000 break;
5001 case L2CAP_MOVE_WAIT_RSP:
5002
5003 if (result == L2CAP_MR_SUCCESS) {
5004
5005
5006
5007 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5008 } else {
5009
5010
5011
5012 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5013 }
5014
5015
5016 if (!hchan) {
5017
5018 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5019 break;
5020 }
5021
5022
5023
5024
5025 if (hchan->state != BT_CONNECTED)
5026 break;
5027
5028
5029
5030 chan->hs_hcon = hchan->conn;
5031 chan->hs_hcon->l2cap_data = chan->conn;
5032
5033 if (result == L2CAP_MR_SUCCESS) {
5034
5035 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5036 } else {
5037
5038
5039
5040 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5041 }
5042
5043 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5044 break;
5045 default:
5046
5047 chan->move_id = chan->local_amp_id;
5048 l2cap_move_done(chan);
5049 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5050 }
5051
5052 l2cap_chan_unlock(chan);
5053}
5054
5055static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5056 u16 result)
5057{
5058 struct l2cap_chan *chan;
5059
5060 chan = l2cap_get_chan_by_ident(conn, ident);
5061 if (!chan) {
5062
5063 l2cap_send_move_chan_cfm_icid(conn, icid);
5064 return;
5065 }
5066
5067 __clear_chan_timer(chan);
5068
5069 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5070 if (result == L2CAP_MR_COLLISION) {
5071 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5072 } else {
5073
5074 chan->move_id = chan->local_amp_id;
5075 l2cap_move_done(chan);
5076 }
5077 }
5078
5079 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5080
5081 l2cap_chan_unlock(chan);
5082}
5083
5084static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5085 struct l2cap_cmd_hdr *cmd,
5086 u16 cmd_len, void *data)
5087{
5088 struct l2cap_move_chan_rsp *rsp = data;
5089 u16 icid, result;
5090
5091 if (cmd_len != sizeof(*rsp))
5092 return -EPROTO;
5093
5094 icid = le16_to_cpu(rsp->icid);
5095 result = le16_to_cpu(rsp->result);
5096
5097 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5098
5099 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5100 l2cap_move_continue(conn, icid, result);
5101 else
5102 l2cap_move_fail(conn, cmd->ident, icid, result);
5103
5104 return 0;
5105}
5106
5107static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5108 struct l2cap_cmd_hdr *cmd,
5109 u16 cmd_len, void *data)
5110{
5111 struct l2cap_move_chan_cfm *cfm = data;
5112 struct l2cap_chan *chan;
5113 u16 icid, result;
5114
5115 if (cmd_len != sizeof(*cfm))
5116 return -EPROTO;
5117
5118 icid = le16_to_cpu(cfm->icid);
5119 result = le16_to_cpu(cfm->result);
5120
5121 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5122
5123 chan = l2cap_get_chan_by_dcid(conn, icid);
5124 if (!chan) {
5125
5126 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5127 return 0;
5128 }
5129
5130 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5131 if (result == L2CAP_MC_CONFIRMED) {
5132 chan->local_amp_id = chan->move_id;
5133 if (chan->local_amp_id == AMP_ID_BREDR)
5134 __release_logical_link(chan);
5135 } else {
5136 chan->move_id = chan->local_amp_id;
5137 }
5138
5139 l2cap_move_done(chan);
5140 }
5141
5142 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5143
5144 l2cap_chan_unlock(chan);
5145
5146 return 0;
5147}
5148
5149static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5150 struct l2cap_cmd_hdr *cmd,
5151 u16 cmd_len, void *data)
5152{
5153 struct l2cap_move_chan_cfm_rsp *rsp = data;
5154 struct l2cap_chan *chan;
5155 u16 icid;
5156
5157 if (cmd_len != sizeof(*rsp))
5158 return -EPROTO;
5159
5160 icid = le16_to_cpu(rsp->icid);
5161
5162 BT_DBG("icid 0x%4.4x", icid);
5163
5164 chan = l2cap_get_chan_by_scid(conn, icid);
5165 if (!chan)
5166 return 0;
5167
5168 __clear_chan_timer(chan);
5169
5170 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5171 chan->local_amp_id = chan->move_id;
5172
5173 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5174 __release_logical_link(chan);
5175
5176 l2cap_move_done(chan);
5177 }
5178
5179 l2cap_chan_unlock(chan);
5180
5181 return 0;
5182}
5183
5184static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5185 struct l2cap_cmd_hdr *cmd,
5186 u16 cmd_len, u8 *data)
5187{
5188 struct hci_conn *hcon = conn->hcon;
5189 struct l2cap_conn_param_update_req *req;
5190 struct l2cap_conn_param_update_rsp rsp;
5191 u16 min, max, latency, to_multiplier;
5192 int err;
5193
5194 if (hcon->role != HCI_ROLE_MASTER)
5195 return -EINVAL;
5196
5197 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5198 return -EPROTO;
5199
5200 req = (struct l2cap_conn_param_update_req *) data;
5201 min = __le16_to_cpu(req->min);
5202 max = __le16_to_cpu(req->max);
5203 latency = __le16_to_cpu(req->latency);
5204 to_multiplier = __le16_to_cpu(req->to_multiplier);
5205
5206 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5207 min, max, latency, to_multiplier);
5208
5209 memset(&rsp, 0, sizeof(rsp));
5210
5211 err = hci_check_conn_params(min, max, latency, to_multiplier);
5212 if (err)
5213 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5214 else
5215 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5216
5217 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5218 sizeof(rsp), &rsp);
5219
5220 if (!err) {
5221 u8 store_hint;
5222
5223 store_hint = hci_le_conn_update(hcon, min, max, latency,
5224 to_multiplier);
5225 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5226 store_hint, min, max, latency,
5227 to_multiplier);
5228
5229 }
5230
5231 return 0;
5232}
5233
5234static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5235 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5236 u8 *data)
5237{
5238 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5239 struct hci_conn *hcon = conn->hcon;
5240 u16 dcid, mtu, mps, credits, result;
5241 struct l2cap_chan *chan;
5242 int err, sec_level;
5243
5244 if (cmd_len < sizeof(*rsp))
5245 return -EPROTO;
5246
5247 dcid = __le16_to_cpu(rsp->dcid);
5248 mtu = __le16_to_cpu(rsp->mtu);
5249 mps = __le16_to_cpu(rsp->mps);
5250 credits = __le16_to_cpu(rsp->credits);
5251 result = __le16_to_cpu(rsp->result);
5252
5253 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5254 return -EPROTO;
5255
5256 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5257 dcid, mtu, mps, credits, result);
5258
5259 mutex_lock(&conn->chan_lock);
5260
5261 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5262 if (!chan) {
5263 err = -EBADSLT;
5264 goto unlock;
5265 }
5266
5267 err = 0;
5268
5269 l2cap_chan_lock(chan);
5270
5271 switch (result) {
5272 case L2CAP_CR_SUCCESS:
5273 chan->ident = 0;
5274 chan->dcid = dcid;
5275 chan->omtu = mtu;
5276 chan->remote_mps = mps;
5277 chan->tx_credits = credits;
5278 l2cap_chan_ready(chan);
5279 break;
5280
5281 case L2CAP_CR_AUTHENTICATION:
5282 case L2CAP_CR_ENCRYPTION:
5283
5284
5285
5286 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5287 l2cap_chan_del(chan, ECONNREFUSED);
5288 break;
5289 }
5290
5291 sec_level = hcon->sec_level + 1;
5292 if (chan->sec_level < sec_level)
5293 chan->sec_level = sec_level;
5294
5295
5296 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5297
5298 smp_conn_security(hcon, chan->sec_level);
5299 break;
5300
5301 default:
5302 l2cap_chan_del(chan, ECONNREFUSED);
5303 break;
5304 }
5305
5306 l2cap_chan_unlock(chan);
5307
5308unlock:
5309 mutex_unlock(&conn->chan_lock);
5310
5311 return err;
5312}
5313
5314static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5315 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5316 u8 *data)
5317{
5318 int err = 0;
5319
5320 switch (cmd->code) {
5321 case L2CAP_COMMAND_REJ:
5322 l2cap_command_rej(conn, cmd, cmd_len, data);
5323 break;
5324
5325 case L2CAP_CONN_REQ:
5326 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5327 break;
5328
5329 case L2CAP_CONN_RSP:
5330 case L2CAP_CREATE_CHAN_RSP:
5331 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5332 break;
5333
5334 case L2CAP_CONF_REQ:
5335 err = l2cap_config_req(conn, cmd, cmd_len, data);
5336 break;
5337
5338 case L2CAP_CONF_RSP:
5339 l2cap_config_rsp(conn, cmd, cmd_len, data);
5340 break;
5341
5342 case L2CAP_DISCONN_REQ:
5343 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5344 break;
5345
5346 case L2CAP_DISCONN_RSP:
5347 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5348 break;
5349
5350 case L2CAP_ECHO_REQ:
5351 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5352 break;
5353
5354 case L2CAP_ECHO_RSP:
5355 break;
5356
5357 case L2CAP_INFO_REQ:
5358 err = l2cap_information_req(conn, cmd, cmd_len, data);
5359 break;
5360
5361 case L2CAP_INFO_RSP:
5362 l2cap_information_rsp(conn, cmd, cmd_len, data);
5363 break;
5364
5365 case L2CAP_CREATE_CHAN_REQ:
5366 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5367 break;
5368
5369 case L2CAP_MOVE_CHAN_REQ:
5370 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5371 break;
5372
5373 case L2CAP_MOVE_CHAN_RSP:
5374 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5375 break;
5376
5377 case L2CAP_MOVE_CHAN_CFM:
5378 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5379 break;
5380
5381 case L2CAP_MOVE_CHAN_CFM_RSP:
5382 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5383 break;
5384
5385 default:
5386 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5387 err = -EINVAL;
5388 break;
5389 }
5390
5391 return err;
5392}
5393
5394static int l2cap_le_connect_req(struct l2cap_conn *conn,
5395 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5396 u8 *data)
5397{
5398 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5399 struct l2cap_le_conn_rsp rsp;
5400 struct l2cap_chan *chan, *pchan;
5401 u16 dcid, scid, credits, mtu, mps;
5402 __le16 psm;
5403 u8 result;
5404
5405 if (cmd_len != sizeof(*req))
5406 return -EPROTO;
5407
5408 scid = __le16_to_cpu(req->scid);
5409 mtu = __le16_to_cpu(req->mtu);
5410 mps = __le16_to_cpu(req->mps);
5411 psm = req->psm;
5412 dcid = 0;
5413 credits = 0;
5414
5415 if (mtu < 23 || mps < 23)
5416 return -EPROTO;
5417
5418 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5419 scid, mtu, mps);
5420
5421
5422 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5423 &conn->hcon->dst, LE_LINK);
5424 if (!pchan) {
5425 result = L2CAP_CR_BAD_PSM;
5426 chan = NULL;
5427 goto response;
5428 }
5429
5430 mutex_lock(&conn->chan_lock);
5431 l2cap_chan_lock(pchan);
5432
5433 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5434 SMP_ALLOW_STK)) {
5435 result = L2CAP_CR_AUTHENTICATION;
5436 chan = NULL;
5437 goto response_unlock;
5438 }
5439
5440
5441 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5442 result = L2CAP_CR_NO_MEM;
5443 chan = NULL;
5444 goto response_unlock;
5445 }
5446
5447 chan = pchan->ops->new_connection(pchan);
5448 if (!chan) {
5449 result = L2CAP_CR_NO_MEM;
5450 goto response_unlock;
5451 }
5452
5453 l2cap_le_flowctl_init(chan);
5454
5455 bacpy(&chan->src, &conn->hcon->src);
5456 bacpy(&chan->dst, &conn->hcon->dst);
5457 chan->src_type = bdaddr_src_type(conn->hcon);
5458 chan->dst_type = bdaddr_dst_type(conn->hcon);
5459 chan->psm = psm;
5460 chan->dcid = scid;
5461 chan->omtu = mtu;
5462 chan->remote_mps = mps;
5463 chan->tx_credits = __le16_to_cpu(req->credits);
5464
5465 __l2cap_chan_add(conn, chan);
5466 dcid = chan->scid;
5467 credits = chan->rx_credits;
5468
5469 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5470
5471 chan->ident = cmd->ident;
5472
5473 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5474 l2cap_state_change(chan, BT_CONNECT2);
5475
5476
5477
5478
5479
5480 result = L2CAP_CR_PEND;
5481 chan->ops->defer(chan);
5482 } else {
5483 l2cap_chan_ready(chan);
5484 result = L2CAP_CR_SUCCESS;
5485 }
5486
5487response_unlock:
5488 l2cap_chan_unlock(pchan);
5489 mutex_unlock(&conn->chan_lock);
5490 l2cap_chan_put(pchan);
5491
5492 if (result == L2CAP_CR_PEND)
5493 return 0;
5494
5495response:
5496 if (chan) {
5497 rsp.mtu = cpu_to_le16(chan->imtu);
5498 rsp.mps = cpu_to_le16(chan->mps);
5499 } else {
5500 rsp.mtu = 0;
5501 rsp.mps = 0;
5502 }
5503
5504 rsp.dcid = cpu_to_le16(dcid);
5505 rsp.credits = cpu_to_le16(credits);
5506 rsp.result = cpu_to_le16(result);
5507
5508 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5509
5510 return 0;
5511}
5512
5513static inline int l2cap_le_credits(struct l2cap_conn *conn,
5514 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5515 u8 *data)
5516{
5517 struct l2cap_le_credits *pkt;
5518 struct l2cap_chan *chan;
5519 u16 cid, credits, max_credits;
5520
5521 if (cmd_len != sizeof(*pkt))
5522 return -EPROTO;
5523
5524 pkt = (struct l2cap_le_credits *) data;
5525 cid = __le16_to_cpu(pkt->cid);
5526 credits = __le16_to_cpu(pkt->credits);
5527
5528 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5529
5530 chan = l2cap_get_chan_by_dcid(conn, cid);
5531 if (!chan)
5532 return -EBADSLT;
5533
5534 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5535 if (credits > max_credits) {
5536 BT_ERR("LE credits overflow");
5537 l2cap_send_disconn_req(chan, ECONNRESET);
5538 l2cap_chan_unlock(chan);
5539
5540
5541
5542
5543 return 0;
5544 }
5545
5546 chan->tx_credits += credits;
5547
5548 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5549 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5550 chan->tx_credits--;
5551 }
5552
5553 if (chan->tx_credits)
5554 chan->ops->resume(chan);
5555
5556 l2cap_chan_unlock(chan);
5557
5558 return 0;
5559}
5560
5561static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5562 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5563 u8 *data)
5564{
5565 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5566 struct l2cap_chan *chan;
5567
5568 if (cmd_len < sizeof(*rej))
5569 return -EPROTO;
5570
5571 mutex_lock(&conn->chan_lock);
5572
5573 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5574 if (!chan)
5575 goto done;
5576
5577 l2cap_chan_lock(chan);
5578 l2cap_chan_del(chan, ECONNREFUSED);
5579 l2cap_chan_unlock(chan);
5580
5581done:
5582 mutex_unlock(&conn->chan_lock);
5583 return 0;
5584}
5585
5586static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5587 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5588 u8 *data)
5589{
5590 int err = 0;
5591
5592 switch (cmd->code) {
5593 case L2CAP_COMMAND_REJ:
5594 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5595 break;
5596
5597 case L2CAP_CONN_PARAM_UPDATE_REQ:
5598 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5599 break;
5600
5601 case L2CAP_CONN_PARAM_UPDATE_RSP:
5602 break;
5603
5604 case L2CAP_LE_CONN_RSP:
5605 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5606 break;
5607
5608 case L2CAP_LE_CONN_REQ:
5609 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5610 break;
5611
5612 case L2CAP_LE_CREDITS:
5613 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5614 break;
5615
5616 case L2CAP_DISCONN_REQ:
5617 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5618 break;
5619
5620 case L2CAP_DISCONN_RSP:
5621 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5622 break;
5623
5624 default:
5625 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5626 err = -EINVAL;
5627 break;
5628 }
5629
5630 return err;
5631}
5632
5633static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5634 struct sk_buff *skb)
5635{
5636 struct hci_conn *hcon = conn->hcon;
5637 struct l2cap_cmd_hdr *cmd;
5638 u16 len;
5639 int err;
5640
5641 if (hcon->type != LE_LINK)
5642 goto drop;
5643
5644 if (skb->len < L2CAP_CMD_HDR_SIZE)
5645 goto drop;
5646
5647 cmd = (void *) skb->data;
5648 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5649
5650 len = le16_to_cpu(cmd->len);
5651
5652 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5653
5654 if (len != skb->len || !cmd->ident) {
5655 BT_DBG("corrupted command");
5656 goto drop;
5657 }
5658
5659 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5660 if (err) {
5661 struct l2cap_cmd_rej_unk rej;
5662
5663 BT_ERR("Wrong link type (%d)", err);
5664
5665 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5666 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5667 sizeof(rej), &rej);
5668 }
5669
5670drop:
5671 kfree_skb(skb);
5672}
5673
5674static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5675 struct sk_buff *skb)
5676{
5677 struct hci_conn *hcon = conn->hcon;
5678 u8 *data = skb->data;
5679 int len = skb->len;
5680 struct l2cap_cmd_hdr cmd;
5681 int err;
5682
5683 l2cap_raw_recv(conn, skb);
5684
5685 if (hcon->type != ACL_LINK)
5686 goto drop;
5687
5688 while (len >= L2CAP_CMD_HDR_SIZE) {
5689 u16 cmd_len;
5690 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5691 data += L2CAP_CMD_HDR_SIZE;
5692 len -= L2CAP_CMD_HDR_SIZE;
5693
5694 cmd_len = le16_to_cpu(cmd.len);
5695
5696 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5697 cmd.ident);
5698
5699 if (cmd_len > len || !cmd.ident) {
5700 BT_DBG("corrupted command");
5701 break;
5702 }
5703
5704 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5705 if (err) {
5706 struct l2cap_cmd_rej_unk rej;
5707
5708 BT_ERR("Wrong link type (%d)", err);
5709
5710 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5711 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5712 sizeof(rej), &rej);
5713 }
5714
5715 data += cmd_len;
5716 len -= cmd_len;
5717 }
5718
5719drop:
5720 kfree_skb(skb);
5721}
5722
5723static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5724{
5725 u16 our_fcs, rcv_fcs;
5726 int hdr_size;
5727
5728 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5729 hdr_size = L2CAP_EXT_HDR_SIZE;
5730 else
5731 hdr_size = L2CAP_ENH_HDR_SIZE;
5732
5733 if (chan->fcs == L2CAP_FCS_CRC16) {
5734 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5735 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5736 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5737
5738 if (our_fcs != rcv_fcs)
5739 return -EBADMSG;
5740 }
5741 return 0;
5742}
5743
5744static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5745{
5746 struct l2cap_ctrl control;
5747
5748 BT_DBG("chan %p", chan);
5749
5750 memset(&control, 0, sizeof(control));
5751 control.sframe = 1;
5752 control.final = 1;
5753 control.reqseq = chan->buffer_seq;
5754 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5755
5756 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5757 control.super = L2CAP_SUPER_RNR;
5758 l2cap_send_sframe(chan, &control);
5759 }
5760
5761 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5762 chan->unacked_frames > 0)
5763 __set_retrans_timer(chan);
5764
5765
5766 l2cap_ertm_send(chan);
5767
5768 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5769 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5770
5771
5772
5773 control.super = L2CAP_SUPER_RR;
5774 l2cap_send_sframe(chan, &control);
5775 }
5776}
5777
5778static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5779 struct sk_buff **last_frag)
5780{
5781
5782
5783
5784 if (!skb_has_frag_list(skb))
5785 skb_shinfo(skb)->frag_list = new_frag;
5786
5787 new_frag->next = NULL;
5788
5789 (*last_frag)->next = new_frag;
5790 *last_frag = new_frag;
5791
5792 skb->len += new_frag->len;
5793 skb->data_len += new_frag->len;
5794 skb->truesize += new_frag->truesize;
5795}
5796
5797static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5798 struct l2cap_ctrl *control)
5799{
5800 int err = -EINVAL;
5801
5802 switch (control->sar) {
5803 case L2CAP_SAR_UNSEGMENTED:
5804 if (chan->sdu)
5805 break;
5806
5807 err = chan->ops->recv(chan, skb);
5808 break;
5809
5810 case L2CAP_SAR_START:
5811 if (chan->sdu)
5812 break;
5813
5814 chan->sdu_len = get_unaligned_le16(skb->data);
5815 skb_pull(skb, L2CAP_SDULEN_SIZE);
5816
5817 if (chan->sdu_len > chan->imtu) {
5818 err = -EMSGSIZE;
5819 break;
5820 }
5821
5822 if (skb->len >= chan->sdu_len)
5823 break;
5824
5825 chan->sdu = skb;
5826 chan->sdu_last_frag = skb;
5827
5828 skb = NULL;
5829 err = 0;
5830 break;
5831
5832 case L2CAP_SAR_CONTINUE:
5833 if (!chan->sdu)
5834 break;
5835
5836 append_skb_frag(chan->sdu, skb,
5837 &chan->sdu_last_frag);
5838 skb = NULL;
5839
5840 if (chan->sdu->len >= chan->sdu_len)
5841 break;
5842
5843 err = 0;
5844 break;
5845
5846 case L2CAP_SAR_END:
5847 if (!chan->sdu)
5848 break;
5849
5850 append_skb_frag(chan->sdu, skb,
5851 &chan->sdu_last_frag);
5852 skb = NULL;
5853
5854 if (chan->sdu->len != chan->sdu_len)
5855 break;
5856
5857 err = chan->ops->recv(chan, chan->sdu);
5858
5859 if (!err) {
5860
5861 chan->sdu = NULL;
5862 chan->sdu_last_frag = NULL;
5863 chan->sdu_len = 0;
5864 }
5865 break;
5866 }
5867
5868 if (err) {
5869 kfree_skb(skb);
5870 kfree_skb(chan->sdu);
5871 chan->sdu = NULL;
5872 chan->sdu_last_frag = NULL;
5873 chan->sdu_len = 0;
5874 }
5875
5876 return err;
5877}
5878
5879static int l2cap_resegment(struct l2cap_chan *chan)
5880{
5881
5882 return 0;
5883}
5884
5885void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5886{
5887 u8 event;
5888
5889 if (chan->mode != L2CAP_MODE_ERTM)
5890 return;
5891
5892 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5893 l2cap_tx(chan, NULL, NULL, event);
5894}
5895
5896static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5897{
5898 int err = 0;
5899
5900
5901
5902
5903 BT_DBG("chan %p", chan);
5904
5905 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5906 struct sk_buff *skb;
5907 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5908 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5909
5910 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5911
5912 if (!skb)
5913 break;
5914
5915 skb_unlink(skb, &chan->srej_q);
5916 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5917 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5918 if (err)
5919 break;
5920 }
5921
5922 if (skb_queue_empty(&chan->srej_q)) {
5923 chan->rx_state = L2CAP_RX_STATE_RECV;
5924 l2cap_send_ack(chan);
5925 }
5926
5927 return err;
5928}
5929
5930static void l2cap_handle_srej(struct l2cap_chan *chan,
5931 struct l2cap_ctrl *control)
5932{
5933 struct sk_buff *skb;
5934
5935 BT_DBG("chan %p, control %p", chan, control);
5936
5937 if (control->reqseq == chan->next_tx_seq) {
5938 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5939 l2cap_send_disconn_req(chan, ECONNRESET);
5940 return;
5941 }
5942
5943 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5944
5945 if (skb == NULL) {
5946 BT_DBG("Seq %d not available for retransmission",
5947 control->reqseq);
5948 return;
5949 }
5950
5951 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5952 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5953 l2cap_send_disconn_req(chan, ECONNRESET);
5954 return;
5955 }
5956
5957 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5958
5959 if (control->poll) {
5960 l2cap_pass_to_tx(chan, control);
5961
5962 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5963 l2cap_retransmit(chan, control);
5964 l2cap_ertm_send(chan);
5965
5966 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5967 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5968 chan->srej_save_reqseq = control->reqseq;
5969 }
5970 } else {
5971 l2cap_pass_to_tx_fbit(chan, control);
5972
5973 if (control->final) {
5974 if (chan->srej_save_reqseq != control->reqseq ||
5975 !test_and_clear_bit(CONN_SREJ_ACT,
5976 &chan->conn_state))
5977 l2cap_retransmit(chan, control);
5978 } else {
5979 l2cap_retransmit(chan, control);
5980 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5981 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5982 chan->srej_save_reqseq = control->reqseq;
5983 }
5984 }
5985 }
5986}
5987
5988static void l2cap_handle_rej(struct l2cap_chan *chan,
5989 struct l2cap_ctrl *control)
5990{
5991 struct sk_buff *skb;
5992
5993 BT_DBG("chan %p, control %p", chan, control);
5994
5995 if (control->reqseq == chan->next_tx_seq) {
5996 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5997 l2cap_send_disconn_req(chan, ECONNRESET);
5998 return;
5999 }
6000
6001 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6002
6003 if (chan->max_tx && skb &&
6004 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6005 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6006 l2cap_send_disconn_req(chan, ECONNRESET);
6007 return;
6008 }
6009
6010 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6011
6012 l2cap_pass_to_tx(chan, control);
6013
6014 if (control->final) {
6015 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6016 l2cap_retransmit_all(chan, control);
6017 } else {
6018 l2cap_retransmit_all(chan, control);
6019 l2cap_ertm_send(chan);
6020 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6021 set_bit(CONN_REJ_ACT, &chan->conn_state);
6022 }
6023}
6024
6025static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6026{
6027 BT_DBG("chan %p, txseq %d", chan, txseq);
6028
6029 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6030 chan->expected_tx_seq);
6031
6032 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6033 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6034 chan->tx_win) {
6035
6036
6037
6038 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6039 BT_DBG("Invalid/Ignore - after SREJ");
6040 return L2CAP_TXSEQ_INVALID_IGNORE;
6041 } else {
6042 BT_DBG("Invalid - in window after SREJ sent");
6043 return L2CAP_TXSEQ_INVALID;
6044 }
6045 }
6046
6047 if (chan->srej_list.head == txseq) {
6048 BT_DBG("Expected SREJ");
6049 return L2CAP_TXSEQ_EXPECTED_SREJ;
6050 }
6051
6052 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6053 BT_DBG("Duplicate SREJ - txseq already stored");
6054 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6055 }
6056
6057 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6058 BT_DBG("Unexpected SREJ - not requested");
6059 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6060 }
6061 }
6062
6063 if (chan->expected_tx_seq == txseq) {
6064 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6065 chan->tx_win) {
6066 BT_DBG("Invalid - txseq outside tx window");
6067 return L2CAP_TXSEQ_INVALID;
6068 } else {
6069 BT_DBG("Expected");
6070 return L2CAP_TXSEQ_EXPECTED;
6071 }
6072 }
6073
6074 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6075 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6076 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6077 return L2CAP_TXSEQ_DUPLICATE;
6078 }
6079
6080 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6081
6082
6083
6084
6085
6086
6087
6088
6089
6090
6091
6092
6093
6094
6095
6096
6097
6098 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6099 BT_DBG("Invalid/Ignore - txseq outside tx window");
6100 return L2CAP_TXSEQ_INVALID_IGNORE;
6101 } else {
6102 BT_DBG("Invalid - txseq outside tx window");
6103 return L2CAP_TXSEQ_INVALID;
6104 }
6105 } else {
6106 BT_DBG("Unexpected - txseq indicates missing frames");
6107 return L2CAP_TXSEQ_UNEXPECTED;
6108 }
6109}
6110
6111static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6112 struct l2cap_ctrl *control,
6113 struct sk_buff *skb, u8 event)
6114{
6115 int err = 0;
6116 bool skb_in_use = false;
6117
6118 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6119 event);
6120
6121 switch (event) {
6122 case L2CAP_EV_RECV_IFRAME:
6123 switch (l2cap_classify_txseq(chan, control->txseq)) {
6124 case L2CAP_TXSEQ_EXPECTED:
6125 l2cap_pass_to_tx(chan, control);
6126
6127 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6128 BT_DBG("Busy, discarding expected seq %d",
6129 control->txseq);
6130 break;
6131 }
6132
6133 chan->expected_tx_seq = __next_seq(chan,
6134 control->txseq);
6135
6136 chan->buffer_seq = chan->expected_tx_seq;
6137 skb_in_use = true;
6138
6139 err = l2cap_reassemble_sdu(chan, skb, control);
6140 if (err)
6141 break;
6142
6143 if (control->final) {
6144 if (!test_and_clear_bit(CONN_REJ_ACT,
6145 &chan->conn_state)) {
6146 control->final = 0;
6147 l2cap_retransmit_all(chan, control);
6148 l2cap_ertm_send(chan);
6149 }
6150 }
6151
6152 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6153 l2cap_send_ack(chan);
6154 break;
6155 case L2CAP_TXSEQ_UNEXPECTED:
6156 l2cap_pass_to_tx(chan, control);
6157
6158
6159
6160
6161
6162 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6163 BT_DBG("Busy, discarding unexpected seq %d",
6164 control->txseq);
6165 break;
6166 }
6167
6168
6169
6170
6171
6172 skb_queue_tail(&chan->srej_q, skb);
6173 skb_in_use = true;
6174 BT_DBG("Queued %p (queue len %d)", skb,
6175 skb_queue_len(&chan->srej_q));
6176
6177 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6178 l2cap_seq_list_clear(&chan->srej_list);
6179 l2cap_send_srej(chan, control->txseq);
6180
6181 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6182 break;
6183 case L2CAP_TXSEQ_DUPLICATE:
6184 l2cap_pass_to_tx(chan, control);
6185 break;
6186 case L2CAP_TXSEQ_INVALID_IGNORE:
6187 break;
6188 case L2CAP_TXSEQ_INVALID:
6189 default:
6190 l2cap_send_disconn_req(chan, ECONNRESET);
6191 break;
6192 }
6193 break;
6194 case L2CAP_EV_RECV_RR:
6195 l2cap_pass_to_tx(chan, control);
6196 if (control->final) {
6197 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6198
6199 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6200 !__chan_is_moving(chan)) {
6201 control->final = 0;
6202 l2cap_retransmit_all(chan, control);
6203 }
6204
6205 l2cap_ertm_send(chan);
6206 } else if (control->poll) {
6207 l2cap_send_i_or_rr_or_rnr(chan);
6208 } else {
6209 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6210 &chan->conn_state) &&
6211 chan->unacked_frames)
6212 __set_retrans_timer(chan);
6213
6214 l2cap_ertm_send(chan);
6215 }
6216 break;
6217 case L2CAP_EV_RECV_RNR:
6218 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6219 l2cap_pass_to_tx(chan, control);
6220 if (control && control->poll) {
6221 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6222 l2cap_send_rr_or_rnr(chan, 0);
6223 }
6224 __clear_retrans_timer(chan);
6225 l2cap_seq_list_clear(&chan->retrans_list);
6226 break;
6227 case L2CAP_EV_RECV_REJ:
6228 l2cap_handle_rej(chan, control);
6229 break;
6230 case L2CAP_EV_RECV_SREJ:
6231 l2cap_handle_srej(chan, control);
6232 break;
6233 default:
6234 break;
6235 }
6236
6237 if (skb && !skb_in_use) {
6238 BT_DBG("Freeing %p", skb);
6239 kfree_skb(skb);
6240 }
6241
6242 return err;
6243}
6244
6245static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6246 struct l2cap_ctrl *control,
6247 struct sk_buff *skb, u8 event)
6248{
6249 int err = 0;
6250 u16 txseq = control->txseq;
6251 bool skb_in_use = false;
6252
6253 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6254 event);
6255
6256 switch (event) {
6257 case L2CAP_EV_RECV_IFRAME:
6258 switch (l2cap_classify_txseq(chan, txseq)) {
6259 case L2CAP_TXSEQ_EXPECTED:
6260
6261 l2cap_pass_to_tx(chan, control);
6262 skb_queue_tail(&chan->srej_q, skb);
6263 skb_in_use = true;
6264 BT_DBG("Queued %p (queue len %d)", skb,
6265 skb_queue_len(&chan->srej_q));
6266
6267 chan->expected_tx_seq = __next_seq(chan, txseq);
6268 break;
6269 case L2CAP_TXSEQ_EXPECTED_SREJ:
6270 l2cap_seq_list_pop(&chan->srej_list);
6271
6272 l2cap_pass_to_tx(chan, control);
6273 skb_queue_tail(&chan->srej_q, skb);
6274 skb_in_use = true;
6275 BT_DBG("Queued %p (queue len %d)", skb,
6276 skb_queue_len(&chan->srej_q));
6277
6278 err = l2cap_rx_queued_iframes(chan);
6279 if (err)
6280 break;
6281
6282 break;
6283 case L2CAP_TXSEQ_UNEXPECTED:
6284
6285
6286
6287
6288 skb_queue_tail(&chan->srej_q, skb);
6289 skb_in_use = true;
6290 BT_DBG("Queued %p (queue len %d)", skb,
6291 skb_queue_len(&chan->srej_q));
6292
6293 l2cap_pass_to_tx(chan, control);
6294 l2cap_send_srej(chan, control->txseq);
6295 break;
6296 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6297
6298
6299
6300
6301
6302 skb_queue_tail(&chan->srej_q, skb);
6303 skb_in_use = true;
6304 BT_DBG("Queued %p (queue len %d)", skb,
6305 skb_queue_len(&chan->srej_q));
6306
6307 l2cap_pass_to_tx(chan, control);
6308 l2cap_send_srej_list(chan, control->txseq);
6309 break;
6310 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6311
6312 l2cap_pass_to_tx(chan, control);
6313 break;
6314 case L2CAP_TXSEQ_DUPLICATE:
6315
6316
6317
6318 break;
6319 case L2CAP_TXSEQ_INVALID_IGNORE:
6320 break;
6321 case L2CAP_TXSEQ_INVALID:
6322 default:
6323 l2cap_send_disconn_req(chan, ECONNRESET);
6324 break;
6325 }
6326 break;
6327 case L2CAP_EV_RECV_RR:
6328 l2cap_pass_to_tx(chan, control);
6329 if (control->final) {
6330 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6331
6332 if (!test_and_clear_bit(CONN_REJ_ACT,
6333 &chan->conn_state)) {
6334 control->final = 0;
6335 l2cap_retransmit_all(chan, control);
6336 }
6337
6338 l2cap_ertm_send(chan);
6339 } else if (control->poll) {
6340 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6341 &chan->conn_state) &&
6342 chan->unacked_frames) {
6343 __set_retrans_timer(chan);
6344 }
6345
6346 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6347 l2cap_send_srej_tail(chan);
6348 } else {
6349 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6350 &chan->conn_state) &&
6351 chan->unacked_frames)
6352 __set_retrans_timer(chan);
6353
6354 l2cap_send_ack(chan);
6355 }
6356 break;
6357 case L2CAP_EV_RECV_RNR:
6358 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6359 l2cap_pass_to_tx(chan, control);
6360 if (control->poll) {
6361 l2cap_send_srej_tail(chan);
6362 } else {
6363 struct l2cap_ctrl rr_control;
6364 memset(&rr_control, 0, sizeof(rr_control));
6365 rr_control.sframe = 1;
6366 rr_control.super = L2CAP_SUPER_RR;
6367 rr_control.reqseq = chan->buffer_seq;
6368 l2cap_send_sframe(chan, &rr_control);
6369 }
6370
6371 break;
6372 case L2CAP_EV_RECV_REJ:
6373 l2cap_handle_rej(chan, control);
6374 break;
6375 case L2CAP_EV_RECV_SREJ:
6376 l2cap_handle_srej(chan, control);
6377 break;
6378 }
6379
6380 if (skb && !skb_in_use) {
6381 BT_DBG("Freeing %p", skb);
6382 kfree_skb(skb);
6383 }
6384
6385 return err;
6386}
6387
6388static int l2cap_finish_move(struct l2cap_chan *chan)
6389{
6390 BT_DBG("chan %p", chan);
6391
6392 chan->rx_state = L2CAP_RX_STATE_RECV;
6393
6394 if (chan->hs_hcon)
6395 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6396 else
6397 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6398
6399 return l2cap_resegment(chan);
6400}
6401
6402static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6403 struct l2cap_ctrl *control,
6404 struct sk_buff *skb, u8 event)
6405{
6406 int err;
6407
6408 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6409 event);
6410
6411 if (!control->poll)
6412 return -EPROTO;
6413
6414 l2cap_process_reqseq(chan, control->reqseq);
6415
6416 if (!skb_queue_empty(&chan->tx_q))
6417 chan->tx_send_head = skb_peek(&chan->tx_q);
6418 else
6419 chan->tx_send_head = NULL;
6420
6421
6422
6423
6424 chan->next_tx_seq = control->reqseq;
6425 chan->unacked_frames = 0;
6426
6427 err = l2cap_finish_move(chan);
6428 if (err)
6429 return err;
6430
6431 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6432 l2cap_send_i_or_rr_or_rnr(chan);
6433
6434 if (event == L2CAP_EV_RECV_IFRAME)
6435 return -EPROTO;
6436
6437 return l2cap_rx_state_recv(chan, control, NULL, event);
6438}
6439
6440static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6441 struct l2cap_ctrl *control,
6442 struct sk_buff *skb, u8 event)
6443{
6444 int err;
6445
6446 if (!control->final)
6447 return -EPROTO;
6448
6449 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6450
6451 chan->rx_state = L2CAP_RX_STATE_RECV;
6452 l2cap_process_reqseq(chan, control->reqseq);
6453
6454 if (!skb_queue_empty(&chan->tx_q))
6455 chan->tx_send_head = skb_peek(&chan->tx_q);
6456 else
6457 chan->tx_send_head = NULL;
6458
6459
6460
6461
6462 chan->next_tx_seq = control->reqseq;
6463 chan->unacked_frames = 0;
6464
6465 if (chan->hs_hcon)
6466 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6467 else
6468 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6469
6470 err = l2cap_resegment(chan);
6471
6472 if (!err)
6473 err = l2cap_rx_state_recv(chan, control, skb, event);
6474
6475 return err;
6476}
6477
6478static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6479{
6480
6481 u16 unacked;
6482
6483 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6484 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6485}
6486
6487static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6488 struct sk_buff *skb, u8 event)
6489{
6490 int err = 0;
6491
6492 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6493 control, skb, event, chan->rx_state);
6494
6495 if (__valid_reqseq(chan, control->reqseq)) {
6496 switch (chan->rx_state) {
6497 case L2CAP_RX_STATE_RECV:
6498 err = l2cap_rx_state_recv(chan, control, skb, event);
6499 break;
6500 case L2CAP_RX_STATE_SREJ_SENT:
6501 err = l2cap_rx_state_srej_sent(chan, control, skb,
6502 event);
6503 break;
6504 case L2CAP_RX_STATE_WAIT_P:
6505 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6506 break;
6507 case L2CAP_RX_STATE_WAIT_F:
6508 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6509 break;
6510 default:
6511
6512 break;
6513 }
6514 } else {
6515 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6516 control->reqseq, chan->next_tx_seq,
6517 chan->expected_ack_seq);
6518 l2cap_send_disconn_req(chan, ECONNRESET);
6519 }
6520
6521 return err;
6522}
6523
6524static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6525 struct sk_buff *skb)
6526{
6527 int err = 0;
6528
6529 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6530 chan->rx_state);
6531
6532 if (l2cap_classify_txseq(chan, control->txseq) ==
6533 L2CAP_TXSEQ_EXPECTED) {
6534 l2cap_pass_to_tx(chan, control);
6535
6536 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6537 __next_seq(chan, chan->buffer_seq));
6538
6539 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6540
6541 l2cap_reassemble_sdu(chan, skb, control);
6542 } else {
6543 if (chan->sdu) {
6544 kfree_skb(chan->sdu);
6545 chan->sdu = NULL;
6546 }
6547 chan->sdu_last_frag = NULL;
6548 chan->sdu_len = 0;
6549
6550 if (skb) {
6551 BT_DBG("Freeing %p", skb);
6552 kfree_skb(skb);
6553 }
6554 }
6555
6556 chan->last_acked_seq = control->txseq;
6557 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6558
6559 return err;
6560}
6561
6562static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6563{
6564 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6565 u16 len;
6566 u8 event;
6567
6568 __unpack_control(chan, skb);
6569
6570 len = skb->len;
6571
6572
6573
6574
6575
6576
6577 if (l2cap_check_fcs(chan, skb))
6578 goto drop;
6579
6580 if (!control->sframe && control->sar == L2CAP_SAR_START)
6581 len -= L2CAP_SDULEN_SIZE;
6582
6583 if (chan->fcs == L2CAP_FCS_CRC16)
6584 len -= L2CAP_FCS_SIZE;
6585
6586 if (len > chan->mps) {
6587 l2cap_send_disconn_req(chan, ECONNRESET);
6588 goto drop;
6589 }
6590
6591 if (!control->sframe) {
6592 int err;
6593
6594 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6595 control->sar, control->reqseq, control->final,
6596 control->txseq);
6597
6598
6599
6600
6601 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6602 goto drop;
6603
6604 if (chan->mode != L2CAP_MODE_STREAMING) {
6605 event = L2CAP_EV_RECV_IFRAME;
6606 err = l2cap_rx(chan, control, skb, event);
6607 } else {
6608 err = l2cap_stream_rx(chan, control, skb);
6609 }
6610
6611 if (err)
6612 l2cap_send_disconn_req(chan, ECONNRESET);
6613 } else {
6614 const u8 rx_func_to_event[4] = {
6615 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6616 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6617 };
6618
6619
6620 if (chan->mode == L2CAP_MODE_STREAMING)
6621 goto drop;
6622
6623 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6624 control->reqseq, control->final, control->poll,
6625 control->super);
6626
6627 if (len != 0) {
6628 BT_ERR("Trailing bytes: %d in sframe", len);
6629 l2cap_send_disconn_req(chan, ECONNRESET);
6630 goto drop;
6631 }
6632
6633
6634 if (control->final && (control->poll ||
6635 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6636 goto drop;
6637
6638 event = rx_func_to_event[control->super];
6639 if (l2cap_rx(chan, control, skb, event))
6640 l2cap_send_disconn_req(chan, ECONNRESET);
6641 }
6642
6643 return 0;
6644
6645drop:
6646 kfree_skb(skb);
6647 return 0;
6648}
6649
6650static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6651{
6652 struct l2cap_conn *conn = chan->conn;
6653 struct l2cap_le_credits pkt;
6654 u16 return_credits;
6655
6656
6657
6658
6659 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6660 return;
6661
6662 return_credits = le_max_credits - chan->rx_credits;
6663
6664 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6665
6666 chan->rx_credits += return_credits;
6667
6668 pkt.cid = cpu_to_le16(chan->scid);
6669 pkt.credits = cpu_to_le16(return_credits);
6670
6671 chan->ident = l2cap_get_ident(conn);
6672
6673 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6674}
6675
6676static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6677{
6678 int err;
6679
6680 if (!chan->rx_credits) {
6681 BT_ERR("No credits to receive LE L2CAP data");
6682 l2cap_send_disconn_req(chan, ECONNRESET);
6683 return -ENOBUFS;
6684 }
6685
6686 if (chan->imtu < skb->len) {
6687 BT_ERR("Too big LE L2CAP PDU");
6688 return -ENOBUFS;
6689 }
6690
6691 chan->rx_credits--;
6692 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6693
6694 l2cap_chan_le_send_credits(chan);
6695
6696 err = 0;
6697
6698 if (!chan->sdu) {
6699 u16 sdu_len;
6700
6701 sdu_len = get_unaligned_le16(skb->data);
6702 skb_pull(skb, L2CAP_SDULEN_SIZE);
6703
6704 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6705 sdu_len, skb->len, chan->imtu);
6706
6707 if (sdu_len > chan->imtu) {
6708 BT_ERR("Too big LE L2CAP SDU length received");
6709 err = -EMSGSIZE;
6710 goto failed;
6711 }
6712
6713 if (skb->len > sdu_len) {
6714 BT_ERR("Too much LE L2CAP data received");
6715 err = -EINVAL;
6716 goto failed;
6717 }
6718
6719 if (skb->len == sdu_len)
6720 return chan->ops->recv(chan, skb);
6721
6722 chan->sdu = skb;
6723 chan->sdu_len = sdu_len;
6724 chan->sdu_last_frag = skb;
6725
6726 return 0;
6727 }
6728
6729 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6730 chan->sdu->len, skb->len, chan->sdu_len);
6731
6732 if (chan->sdu->len + skb->len > chan->sdu_len) {
6733 BT_ERR("Too much LE L2CAP data received");
6734 err = -EINVAL;
6735 goto failed;
6736 }
6737
6738 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6739 skb = NULL;
6740
6741 if (chan->sdu->len == chan->sdu_len) {
6742 err = chan->ops->recv(chan, chan->sdu);
6743 if (!err) {
6744 chan->sdu = NULL;
6745 chan->sdu_last_frag = NULL;
6746 chan->sdu_len = 0;
6747 }
6748 }
6749
6750failed:
6751 if (err) {
6752 kfree_skb(skb);
6753 kfree_skb(chan->sdu);
6754 chan->sdu = NULL;
6755 chan->sdu_last_frag = NULL;
6756 chan->sdu_len = 0;
6757 }
6758
6759
6760
6761
6762
6763 return 0;
6764}
6765
6766static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6767 struct sk_buff *skb)
6768{
6769 struct l2cap_chan *chan;
6770
6771 chan = l2cap_get_chan_by_scid(conn, cid);
6772 if (!chan) {
6773 if (cid == L2CAP_CID_A2MP) {
6774 chan = a2mp_channel_create(conn, skb);
6775 if (!chan) {
6776 kfree_skb(skb);
6777 return;
6778 }
6779
6780 l2cap_chan_lock(chan);
6781 } else {
6782 BT_DBG("unknown cid 0x%4.4x", cid);
6783
6784 kfree_skb(skb);
6785 return;
6786 }
6787 }
6788
6789 BT_DBG("chan %p, len %d", chan, skb->len);
6790
6791
6792
6793
6794
6795 if (chan->chan_type == L2CAP_CHAN_FIXED)
6796 l2cap_chan_ready(chan);
6797
6798 if (chan->state != BT_CONNECTED)
6799 goto drop;
6800
6801 switch (chan->mode) {
6802 case L2CAP_MODE_LE_FLOWCTL:
6803 if (l2cap_le_data_rcv(chan, skb) < 0)
6804 goto drop;
6805
6806 goto done;
6807
6808 case L2CAP_MODE_BASIC:
6809
6810
6811
6812
6813
6814 if (chan->imtu < skb->len) {
6815 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6816 goto drop;
6817 }
6818
6819 if (!chan->ops->recv(chan, skb))
6820 goto done;
6821 break;
6822
6823 case L2CAP_MODE_ERTM:
6824 case L2CAP_MODE_STREAMING:
6825 l2cap_data_rcv(chan, skb);
6826 goto done;
6827
6828 default:
6829 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6830 break;
6831 }
6832
6833drop:
6834 kfree_skb(skb);
6835
6836done:
6837 l2cap_chan_unlock(chan);
6838}
6839
6840static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6841 struct sk_buff *skb)
6842{
6843 struct hci_conn *hcon = conn->hcon;
6844 struct l2cap_chan *chan;
6845
6846 if (hcon->type != ACL_LINK)
6847 goto free_skb;
6848
6849 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6850 ACL_LINK);
6851 if (!chan)
6852 goto free_skb;
6853
6854 BT_DBG("chan %p, len %d", chan, skb->len);
6855
6856 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6857 goto drop;
6858
6859 if (chan->imtu < skb->len)
6860 goto drop;
6861
6862
6863 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6864 bt_cb(skb)->l2cap.psm = psm;
6865
6866 if (!chan->ops->recv(chan, skb)) {
6867 l2cap_chan_put(chan);
6868 return;
6869 }
6870
6871drop:
6872 l2cap_chan_put(chan);
6873free_skb:
6874 kfree_skb(skb);
6875}
6876
6877static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6878{
6879 struct l2cap_hdr *lh = (void *) skb->data;
6880 struct hci_conn *hcon = conn->hcon;
6881 u16 cid, len;
6882 __le16 psm;
6883
6884 if (hcon->state != BT_CONNECTED) {
6885 BT_DBG("queueing pending rx skb");
6886 skb_queue_tail(&conn->pending_rx, skb);
6887 return;
6888 }
6889
6890 skb_pull(skb, L2CAP_HDR_SIZE);
6891 cid = __le16_to_cpu(lh->cid);
6892 len = __le16_to_cpu(lh->len);
6893
6894 if (len != skb->len) {
6895 kfree_skb(skb);
6896 return;
6897 }
6898
6899
6900
6901
6902 if (hcon->type == LE_LINK &&
6903 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6904 bdaddr_dst_type(hcon))) {
6905 kfree_skb(skb);
6906 return;
6907 }
6908
6909 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6910
6911 switch (cid) {
6912 case L2CAP_CID_SIGNALING:
6913 l2cap_sig_channel(conn, skb);
6914 break;
6915
6916 case L2CAP_CID_CONN_LESS:
6917 psm = get_unaligned((__le16 *) skb->data);
6918 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6919 l2cap_conless_channel(conn, psm, skb);
6920 break;
6921
6922 case L2CAP_CID_LE_SIGNALING:
6923 l2cap_le_sig_channel(conn, skb);
6924 break;
6925
6926 default:
6927 l2cap_data_channel(conn, cid, skb);
6928 break;
6929 }
6930}
6931
6932static void process_pending_rx(struct work_struct *work)
6933{
6934 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6935 pending_rx_work);
6936 struct sk_buff *skb;
6937
6938 BT_DBG("");
6939
6940 while ((skb = skb_dequeue(&conn->pending_rx)))
6941 l2cap_recv_frame(conn, skb);
6942}
6943
6944static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6945{
6946 struct l2cap_conn *conn = hcon->l2cap_data;
6947 struct hci_chan *hchan;
6948
6949 if (conn)
6950 return conn;
6951
6952 hchan = hci_chan_create(hcon);
6953 if (!hchan)
6954 return NULL;
6955
6956 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6957 if (!conn) {
6958 hci_chan_del(hchan);
6959 return NULL;
6960 }
6961
6962 kref_init(&conn->ref);
6963 hcon->l2cap_data = conn;
6964 conn->hcon = hci_conn_get(hcon);
6965 conn->hchan = hchan;
6966
6967 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6968
6969 switch (hcon->type) {
6970 case LE_LINK:
6971 if (hcon->hdev->le_mtu) {
6972 conn->mtu = hcon->hdev->le_mtu;
6973 break;
6974 }
6975
6976 default:
6977 conn->mtu = hcon->hdev->acl_mtu;
6978 break;
6979 }
6980
6981 conn->feat_mask = 0;
6982
6983 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6984
6985 if (hcon->type == ACL_LINK &&
6986 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
6987 conn->local_fixed_chan |= L2CAP_FC_A2MP;
6988
6989 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
6990 (bredr_sc_enabled(hcon->hdev) ||
6991 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
6992 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6993
6994 mutex_init(&conn->ident_lock);
6995 mutex_init(&conn->chan_lock);
6996
6997 INIT_LIST_HEAD(&conn->chan_l);
6998 INIT_LIST_HEAD(&conn->users);
6999
7000 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7001
7002 skb_queue_head_init(&conn->pending_rx);
7003 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7004 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7005
7006 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7007
7008 return conn;
7009}
7010
7011static bool is_valid_psm(u16 psm, u8 dst_type) {
7012 if (!psm)
7013 return false;
7014
7015 if (bdaddr_type_is_le(dst_type))
7016 return (psm <= 0x00ff);
7017
7018
7019 return ((psm & 0x0101) == 0x0001);
7020}
7021
7022int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7023 bdaddr_t *dst, u8 dst_type)
7024{
7025 struct l2cap_conn *conn;
7026 struct hci_conn *hcon;
7027 struct hci_dev *hdev;
7028 int err;
7029
7030 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7031 dst_type, __le16_to_cpu(psm));
7032
7033 hdev = hci_get_route(dst, &chan->src);
7034 if (!hdev)
7035 return -EHOSTUNREACH;
7036
7037 hci_dev_lock(hdev);
7038
7039 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7040 chan->chan_type != L2CAP_CHAN_RAW) {
7041 err = -EINVAL;
7042 goto done;
7043 }
7044
7045 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7046 err = -EINVAL;
7047 goto done;
7048 }
7049
7050 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7051 err = -EINVAL;
7052 goto done;
7053 }
7054
7055 switch (chan->mode) {
7056 case L2CAP_MODE_BASIC:
7057 break;
7058 case L2CAP_MODE_LE_FLOWCTL:
7059 l2cap_le_flowctl_init(chan);
7060 break;
7061 case L2CAP_MODE_ERTM:
7062 case L2CAP_MODE_STREAMING:
7063 if (!disable_ertm)
7064 break;
7065
7066 default:
7067 err = -EOPNOTSUPP;
7068 goto done;
7069 }
7070
7071 switch (chan->state) {
7072 case BT_CONNECT:
7073 case BT_CONNECT2:
7074 case BT_CONFIG:
7075
7076 err = 0;
7077 goto done;
7078
7079 case BT_CONNECTED:
7080
7081 err = -EISCONN;
7082 goto done;
7083
7084 case BT_OPEN:
7085 case BT_BOUND:
7086
7087 break;
7088
7089 default:
7090 err = -EBADFD;
7091 goto done;
7092 }
7093
7094
7095 bacpy(&chan->dst, dst);
7096 chan->dst_type = dst_type;
7097
7098 chan->psm = psm;
7099 chan->dcid = cid;
7100
7101 if (bdaddr_type_is_le(dst_type)) {
7102 u8 role;
7103
7104
7105
7106 if (dst_type == BDADDR_LE_PUBLIC)
7107 dst_type = ADDR_LE_DEV_PUBLIC;
7108 else
7109 dst_type = ADDR_LE_DEV_RANDOM;
7110
7111 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7112 role = HCI_ROLE_SLAVE;
7113 else
7114 role = HCI_ROLE_MASTER;
7115
7116 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
7117 HCI_LE_CONN_TIMEOUT, role);
7118 } else {
7119 u8 auth_type = l2cap_get_auth_type(chan);
7120 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7121 }
7122
7123 if (IS_ERR(hcon)) {
7124 err = PTR_ERR(hcon);
7125 goto done;
7126 }
7127
7128 conn = l2cap_conn_add(hcon);
7129 if (!conn) {
7130 hci_conn_drop(hcon);
7131 err = -ENOMEM;
7132 goto done;
7133 }
7134
7135 mutex_lock(&conn->chan_lock);
7136 l2cap_chan_lock(chan);
7137
7138 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7139 hci_conn_drop(hcon);
7140 err = -EBUSY;
7141 goto chan_unlock;
7142 }
7143
7144
7145 bacpy(&chan->src, &hcon->src);
7146 chan->src_type = bdaddr_src_type(hcon);
7147
7148 __l2cap_chan_add(conn, chan);
7149
7150
7151 hci_conn_drop(hcon);
7152
7153 l2cap_state_change(chan, BT_CONNECT);
7154 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7155
7156
7157
7158
7159 write_lock(&chan_list_lock);
7160 chan->sport = 0;
7161 write_unlock(&chan_list_lock);
7162
7163 if (hcon->state == BT_CONNECTED) {
7164 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7165 __clear_chan_timer(chan);
7166 if (l2cap_chan_check_security(chan, true))
7167 l2cap_state_change(chan, BT_CONNECTED);
7168 } else
7169 l2cap_do_start(chan);
7170 }
7171
7172 err = 0;
7173
7174chan_unlock:
7175 l2cap_chan_unlock(chan);
7176 mutex_unlock(&conn->chan_lock);
7177done:
7178 hci_dev_unlock(hdev);
7179 hci_dev_put(hdev);
7180 return err;
7181}
7182EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7183
7184
7185
7186int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7187{
7188 int exact = 0, lm1 = 0, lm2 = 0;
7189 struct l2cap_chan *c;
7190
7191 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7192
7193
7194 read_lock(&chan_list_lock);
7195 list_for_each_entry(c, &chan_list, global_l) {
7196 if (c->state != BT_LISTEN)
7197 continue;
7198
7199 if (!bacmp(&c->src, &hdev->bdaddr)) {
7200 lm1 |= HCI_LM_ACCEPT;
7201 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7202 lm1 |= HCI_LM_MASTER;
7203 exact++;
7204 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7205 lm2 |= HCI_LM_ACCEPT;
7206 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7207 lm2 |= HCI_LM_MASTER;
7208 }
7209 }
7210 read_unlock(&chan_list_lock);
7211
7212 return exact ? lm1 : lm2;
7213}
7214
7215
7216
7217
7218
7219static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7220 struct hci_conn *hcon)
7221{
7222 u8 src_type = bdaddr_src_type(hcon);
7223
7224 read_lock(&chan_list_lock);
7225
7226 if (c)
7227 c = list_next_entry(c, global_l);
7228 else
7229 c = list_entry(chan_list.next, typeof(*c), global_l);
7230
7231 list_for_each_entry_from(c, &chan_list, global_l) {
7232 if (c->chan_type != L2CAP_CHAN_FIXED)
7233 continue;
7234 if (c->state != BT_LISTEN)
7235 continue;
7236 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7237 continue;
7238 if (src_type != c->src_type)
7239 continue;
7240
7241 l2cap_chan_hold(c);
7242 read_unlock(&chan_list_lock);
7243 return c;
7244 }
7245
7246 read_unlock(&chan_list_lock);
7247
7248 return NULL;
7249}
7250
7251static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7252{
7253 struct hci_dev *hdev = hcon->hdev;
7254 struct l2cap_conn *conn;
7255 struct l2cap_chan *pchan;
7256 u8 dst_type;
7257
7258 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7259 return;
7260
7261 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7262
7263 if (status) {
7264 l2cap_conn_del(hcon, bt_to_errno(status));
7265 return;
7266 }
7267
7268 conn = l2cap_conn_add(hcon);
7269 if (!conn)
7270 return;
7271
7272 dst_type = bdaddr_dst_type(hcon);
7273
7274
7275 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7276 return;
7277
7278
7279
7280
7281
7282
7283 pchan = l2cap_global_fixed_chan(NULL, hcon);
7284 while (pchan) {
7285 struct l2cap_chan *chan, *next;
7286
7287
7288 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7289 goto next;
7290
7291 l2cap_chan_lock(pchan);
7292 chan = pchan->ops->new_connection(pchan);
7293 if (chan) {
7294 bacpy(&chan->src, &hcon->src);
7295 bacpy(&chan->dst, &hcon->dst);
7296 chan->src_type = bdaddr_src_type(hcon);
7297 chan->dst_type = dst_type;
7298
7299 __l2cap_chan_add(conn, chan);
7300 }
7301
7302 l2cap_chan_unlock(pchan);
7303next:
7304 next = l2cap_global_fixed_chan(pchan, hcon);
7305 l2cap_chan_put(pchan);
7306 pchan = next;
7307 }
7308
7309 l2cap_conn_ready(conn);
7310}
7311
7312int l2cap_disconn_ind(struct hci_conn *hcon)
7313{
7314 struct l2cap_conn *conn = hcon->l2cap_data;
7315
7316 BT_DBG("hcon %p", hcon);
7317
7318 if (!conn)
7319 return HCI_ERROR_REMOTE_USER_TERM;
7320 return conn->disc_reason;
7321}
7322
7323static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7324{
7325 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7326 return;
7327
7328 BT_DBG("hcon %p reason %d", hcon, reason);
7329
7330 l2cap_conn_del(hcon, bt_to_errno(reason));
7331}
7332
7333static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7334{
7335 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7336 return;
7337
7338 if (encrypt == 0x00) {
7339 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7340 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7341 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7342 chan->sec_level == BT_SECURITY_FIPS)
7343 l2cap_chan_close(chan, ECONNREFUSED);
7344 } else {
7345 if (chan->sec_level == BT_SECURITY_MEDIUM)
7346 __clear_chan_timer(chan);
7347 }
7348}
7349
7350static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7351{
7352 struct l2cap_conn *conn = hcon->l2cap_data;
7353 struct l2cap_chan *chan;
7354
7355 if (!conn)
7356 return;
7357
7358 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7359
7360 mutex_lock(&conn->chan_lock);
7361
7362 list_for_each_entry(chan, &conn->chan_l, list) {
7363 l2cap_chan_lock(chan);
7364
7365 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7366 state_to_string(chan->state));
7367
7368 if (chan->scid == L2CAP_CID_A2MP) {
7369 l2cap_chan_unlock(chan);
7370 continue;
7371 }
7372
7373 if (!status && encrypt)
7374 chan->sec_level = hcon->sec_level;
7375
7376 if (!__l2cap_no_conn_pending(chan)) {
7377 l2cap_chan_unlock(chan);
7378 continue;
7379 }
7380
7381 if (!status && (chan->state == BT_CONNECTED ||
7382 chan->state == BT_CONFIG)) {
7383 chan->ops->resume(chan);
7384 l2cap_check_encryption(chan, encrypt);
7385 l2cap_chan_unlock(chan);
7386 continue;
7387 }
7388
7389 if (chan->state == BT_CONNECT) {
7390 if (!status)
7391 l2cap_start_connection(chan);
7392 else
7393 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7394 } else if (chan->state == BT_CONNECT2 &&
7395 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7396 struct l2cap_conn_rsp rsp;
7397 __u16 res, stat;
7398
7399 if (!status) {
7400 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7401 res = L2CAP_CR_PEND;
7402 stat = L2CAP_CS_AUTHOR_PEND;
7403 chan->ops->defer(chan);
7404 } else {
7405 l2cap_state_change(chan, BT_CONFIG);
7406 res = L2CAP_CR_SUCCESS;
7407 stat = L2CAP_CS_NO_INFO;
7408 }
7409 } else {
7410 l2cap_state_change(chan, BT_DISCONN);
7411 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7412 res = L2CAP_CR_SEC_BLOCK;
7413 stat = L2CAP_CS_NO_INFO;
7414 }
7415
7416 rsp.scid = cpu_to_le16(chan->dcid);
7417 rsp.dcid = cpu_to_le16(chan->scid);
7418 rsp.result = cpu_to_le16(res);
7419 rsp.status = cpu_to_le16(stat);
7420 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7421 sizeof(rsp), &rsp);
7422
7423 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7424 res == L2CAP_CR_SUCCESS) {
7425 char buf[128];
7426 set_bit(CONF_REQ_SENT, &chan->conf_state);
7427 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7428 L2CAP_CONF_REQ,
7429 l2cap_build_conf_req(chan, buf),
7430 buf);
7431 chan->num_conf_req++;
7432 }
7433 }
7434
7435 l2cap_chan_unlock(chan);
7436 }
7437
7438 mutex_unlock(&conn->chan_lock);
7439}
7440
7441void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7442{
7443 struct l2cap_conn *conn = hcon->l2cap_data;
7444 struct l2cap_hdr *hdr;
7445 int len;
7446
7447
7448 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7449 goto drop;
7450
7451 if (!conn)
7452 conn = l2cap_conn_add(hcon);
7453
7454 if (!conn)
7455 goto drop;
7456
7457 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7458
7459 switch (flags) {
7460 case ACL_START:
7461 case ACL_START_NO_FLUSH:
7462 case ACL_COMPLETE:
7463 if (conn->rx_len) {
7464 BT_ERR("Unexpected start frame (len %d)", skb->len);
7465 kfree_skb(conn->rx_skb);
7466 conn->rx_skb = NULL;
7467 conn->rx_len = 0;
7468 l2cap_conn_unreliable(conn, ECOMM);
7469 }
7470
7471
7472 if (skb->len < L2CAP_HDR_SIZE) {
7473 BT_ERR("Frame is too short (len %d)", skb->len);
7474 l2cap_conn_unreliable(conn, ECOMM);
7475 goto drop;
7476 }
7477
7478 hdr = (struct l2cap_hdr *) skb->data;
7479 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7480
7481 if (len == skb->len) {
7482
7483 l2cap_recv_frame(conn, skb);
7484 return;
7485 }
7486
7487 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7488
7489 if (skb->len > len) {
7490 BT_ERR("Frame is too long (len %d, expected len %d)",
7491 skb->len, len);
7492 l2cap_conn_unreliable(conn, ECOMM);
7493 goto drop;
7494 }
7495
7496
7497 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7498 if (!conn->rx_skb)
7499 goto drop;
7500
7501 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7502 skb->len);
7503 conn->rx_len = len - skb->len;
7504 break;
7505
7506 case ACL_CONT:
7507 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7508
7509 if (!conn->rx_len) {
7510 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7511 l2cap_conn_unreliable(conn, ECOMM);
7512 goto drop;
7513 }
7514
7515 if (skb->len > conn->rx_len) {
7516 BT_ERR("Fragment is too long (len %d, expected %d)",
7517 skb->len, conn->rx_len);
7518 kfree_skb(conn->rx_skb);
7519 conn->rx_skb = NULL;
7520 conn->rx_len = 0;
7521 l2cap_conn_unreliable(conn, ECOMM);
7522 goto drop;
7523 }
7524
7525 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7526 skb->len);
7527 conn->rx_len -= skb->len;
7528
7529 if (!conn->rx_len) {
7530
7531
7532
7533
7534 struct sk_buff *rx_skb = conn->rx_skb;
7535 conn->rx_skb = NULL;
7536 l2cap_recv_frame(conn, rx_skb);
7537 }
7538 break;
7539 }
7540
7541drop:
7542 kfree_skb(skb);
7543}
7544
7545static struct hci_cb l2cap_cb = {
7546 .name = "L2CAP",
7547 .connect_cfm = l2cap_connect_cfm,
7548 .disconn_cfm = l2cap_disconn_cfm,
7549 .security_cfm = l2cap_security_cfm,
7550};
7551
7552static int l2cap_debugfs_show(struct seq_file *f, void *p)
7553{
7554 struct l2cap_chan *c;
7555
7556 read_lock(&chan_list_lock);
7557
7558 list_for_each_entry(c, &chan_list, global_l) {
7559 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7560 &c->src, c->src_type, &c->dst, c->dst_type,
7561 c->state, __le16_to_cpu(c->psm),
7562 c->scid, c->dcid, c->imtu, c->omtu,
7563 c->sec_level, c->mode);
7564 }
7565
7566 read_unlock(&chan_list_lock);
7567
7568 return 0;
7569}
7570
7571static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7572{
7573 return single_open(file, l2cap_debugfs_show, inode->i_private);
7574}
7575
7576static const struct file_operations l2cap_debugfs_fops = {
7577 .open = l2cap_debugfs_open,
7578 .read = seq_read,
7579 .llseek = seq_lseek,
7580 .release = single_release,
7581};
7582
7583static struct dentry *l2cap_debugfs;
7584
7585int __init l2cap_init(void)
7586{
7587 int err;
7588
7589 err = l2cap_init_sockets();
7590 if (err < 0)
7591 return err;
7592
7593 hci_register_cb(&l2cap_cb);
7594
7595 if (IS_ERR_OR_NULL(bt_debugfs))
7596 return 0;
7597
7598 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7599 NULL, &l2cap_debugfs_fops);
7600
7601 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7602 &le_max_credits);
7603 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7604 &le_default_mps);
7605
7606 return 0;
7607}
7608
7609void l2cap_exit(void)
7610{
7611 debugfs_remove(l2cap_debugfs);
7612 hci_unregister_cb(&l2cap_cb);
7613 l2cap_cleanup_sockets();
7614}
7615
7616module_param(disable_ertm, bool, 0644);
7617MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7618
