1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31#include <linux/module.h>
32
33#include <linux/debugfs.h>
34#include <linux/crc16.h>
35#include <linux/filter.h>
36
37#include <net/bluetooth/bluetooth.h>
38#include <net/bluetooth/hci_core.h>
39#include <net/bluetooth/l2cap.h>
40
41#include "smp.h"
42#include "a2mp.h"
43#include "amp.h"
44
45#define LE_FLOWCTL_MAX_CREDITS 65535
46
47bool disable_ertm;
48bool enable_ecred;
49
50static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51
52static LIST_HEAD(chan_list);
53static DEFINE_RWLOCK(chan_list_lock);
54
55static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
56 u8 code, u8 ident, u16 dlen, void *data);
57static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
58 void *data);
59static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
60static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
61
62static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
63 struct sk_buff_head *skbs, u8 event);
64
65static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
66{
67 if (link_type == LE_LINK) {
68 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
69 return BDADDR_LE_PUBLIC;
70 else
71 return BDADDR_LE_RANDOM;
72 }
73
74 return BDADDR_BREDR;
75}
76
77static inline u8 bdaddr_src_type(struct hci_conn *hcon)
78{
79 return bdaddr_type(hcon->type, hcon->src_type);
80}
81
82static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
83{
84 return bdaddr_type(hcon->type, hcon->dst_type);
85}
86
87
88
89static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
90 u16 cid)
91{
92 struct l2cap_chan *c;
93
94 list_for_each_entry(c, &conn->chan_l, list) {
95 if (c->dcid == cid)
96 return c;
97 }
98 return NULL;
99}
100
101static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
102 u16 cid)
103{
104 struct l2cap_chan *c;
105
106 list_for_each_entry(c, &conn->chan_l, list) {
107 if (c->scid == cid)
108 return c;
109 }
110 return NULL;
111}
112
113
114
115static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
116 u16 cid)
117{
118 struct l2cap_chan *c;
119
120 mutex_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
122 if (c)
123 l2cap_chan_lock(c);
124 mutex_unlock(&conn->chan_lock);
125
126 return c;
127}
128
129
130
131
132static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
133 u16 cid)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_dcid(conn, cid);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
146static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
147 u8 ident)
148{
149 struct l2cap_chan *c;
150
151 list_for_each_entry(c, &conn->chan_l, list) {
152 if (c->ident == ident)
153 return c;
154 }
155 return NULL;
156}
157
158static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
159 u8 ident)
160{
161 struct l2cap_chan *c;
162
163 mutex_lock(&conn->chan_lock);
164 c = __l2cap_get_chan_by_ident(conn, ident);
165 if (c)
166 l2cap_chan_lock(c);
167 mutex_unlock(&conn->chan_lock);
168
169 return c;
170}
171
172static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
173 u8 src_type)
174{
175 struct l2cap_chan *c;
176
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
179 continue;
180
181 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
182 continue;
183
184 if (c->sport == psm && !bacmp(&c->src, src))
185 return c;
186 }
187 return NULL;
188}
189
190int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
191{
192 int err;
193
194 write_lock(&chan_list_lock);
195
196 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
197 err = -EADDRINUSE;
198 goto done;
199 }
200
201 if (psm) {
202 chan->psm = psm;
203 chan->sport = psm;
204 err = 0;
205 } else {
206 u16 p, start, end, incr;
207
208 if (chan->src_type == BDADDR_BREDR) {
209 start = L2CAP_PSM_DYN_START;
210 end = L2CAP_PSM_AUTO_END;
211 incr = 2;
212 } else {
213 start = L2CAP_PSM_LE_DYN_START;
214 end = L2CAP_PSM_LE_DYN_END;
215 incr = 1;
216 }
217
218 err = -EINVAL;
219 for (p = start; p <= end; p += incr)
220 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
221 chan->src_type)) {
222 chan->psm = cpu_to_le16(p);
223 chan->sport = cpu_to_le16(p);
224 err = 0;
225 break;
226 }
227 }
228
229done:
230 write_unlock(&chan_list_lock);
231 return err;
232}
233EXPORT_SYMBOL_GPL(l2cap_add_psm);
234
235int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
236{
237 write_lock(&chan_list_lock);
238
239
240 chan->omtu = L2CAP_DEFAULT_MTU;
241 chan->chan_type = L2CAP_CHAN_FIXED;
242
243 chan->scid = scid;
244
245 write_unlock(&chan_list_lock);
246
247 return 0;
248}
249
250static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
251{
252 u16 cid, dyn_end;
253
254 if (conn->hcon->type == LE_LINK)
255 dyn_end = L2CAP_CID_LE_DYN_END;
256 else
257 dyn_end = L2CAP_CID_DYN_END;
258
259 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
260 if (!__l2cap_get_chan_by_scid(conn, cid))
261 return cid;
262 }
263
264 return 0;
265}
266
267static void l2cap_state_change(struct l2cap_chan *chan, int state)
268{
269 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
270 state_to_string(state));
271
272 chan->state = state;
273 chan->ops->state_change(chan, state, 0);
274}
275
276static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
277 int state, int err)
278{
279 chan->state = state;
280 chan->ops->state_change(chan, chan->state, err);
281}
282
283static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
284{
285 chan->ops->state_change(chan, chan->state, err);
286}
287
288static void __set_retrans_timer(struct l2cap_chan *chan)
289{
290 if (!delayed_work_pending(&chan->monitor_timer) &&
291 chan->retrans_timeout) {
292 l2cap_set_timer(chan, &chan->retrans_timer,
293 msecs_to_jiffies(chan->retrans_timeout));
294 }
295}
296
297static void __set_monitor_timer(struct l2cap_chan *chan)
298{
299 __clear_retrans_timer(chan);
300 if (chan->monitor_timeout) {
301 l2cap_set_timer(chan, &chan->monitor_timer,
302 msecs_to_jiffies(chan->monitor_timeout));
303 }
304}
305
306static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
307 u16 seq)
308{
309 struct sk_buff *skb;
310
311 skb_queue_walk(head, skb) {
312 if (bt_cb(skb)->l2cap.txseq == seq)
313 return skb;
314 }
315
316 return NULL;
317}
318
319
320
321
322
323
324
325
326
327
328
329
330static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
331{
332 size_t alloc_size, i;
333
334
335
336
337
338 alloc_size = roundup_pow_of_two(size);
339
340 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
341 if (!seq_list->list)
342 return -ENOMEM;
343
344 seq_list->mask = alloc_size - 1;
345 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
346 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
347 for (i = 0; i < alloc_size; i++)
348 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
349
350 return 0;
351}
352
353static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
354{
355 kfree(seq_list->list);
356}
357
358static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
359 u16 seq)
360{
361
362 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
363}
364
365static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
366{
367 u16 seq = seq_list->head;
368 u16 mask = seq_list->mask;
369
370 seq_list->head = seq_list->list[seq & mask];
371 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
372
373 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
376 }
377
378 return seq;
379}
380
381static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
382{
383 u16 i;
384
385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
386 return;
387
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
390
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
393}
394
395static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
396{
397 u16 mask = seq_list->mask;
398
399
400
401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
402 return;
403
404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
406 else
407 seq_list->list[seq_list->tail & mask] = seq;
408
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
411}
412
413static void l2cap_chan_timeout(struct work_struct *work)
414{
415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
416 chan_timer.work);
417 struct l2cap_conn *conn = chan->conn;
418 int reason;
419
420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
421
422 mutex_lock(&conn->chan_lock);
423
424
425
426 l2cap_chan_lock(chan);
427
428 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
429 reason = ECONNREFUSED;
430 else if (chan->state == BT_CONNECT &&
431 chan->sec_level != BT_SECURITY_SDP)
432 reason = ECONNREFUSED;
433 else
434 reason = ETIMEDOUT;
435
436 l2cap_chan_close(chan, reason);
437
438 chan->ops->close(chan);
439
440 l2cap_chan_unlock(chan);
441 l2cap_chan_put(chan);
442
443 mutex_unlock(&conn->chan_lock);
444}
445
446struct l2cap_chan *l2cap_chan_create(void)
447{
448 struct l2cap_chan *chan;
449
450 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
451 if (!chan)
452 return NULL;
453
454 skb_queue_head_init(&chan->tx_q);
455 skb_queue_head_init(&chan->srej_q);
456 mutex_init(&chan->lock);
457
458
459 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
460
461 write_lock(&chan_list_lock);
462 list_add(&chan->global_l, &chan_list);
463 write_unlock(&chan_list_lock);
464
465 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
466
467 chan->state = BT_OPEN;
468
469 kref_init(&chan->kref);
470
471
472 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
473
474 BT_DBG("chan %p", chan);
475
476 return chan;
477}
478EXPORT_SYMBOL_GPL(l2cap_chan_create);
479
480static void l2cap_chan_destroy(struct kref *kref)
481{
482 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
483
484 BT_DBG("chan %p", chan);
485
486 write_lock(&chan_list_lock);
487 list_del(&chan->global_l);
488 write_unlock(&chan_list_lock);
489
490 kfree(chan);
491}
492
493void l2cap_chan_hold(struct l2cap_chan *c)
494{
495 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
496
497 kref_get(&c->kref);
498}
499
500void l2cap_chan_put(struct l2cap_chan *c)
501{
502 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
503
504 kref_put(&c->kref, l2cap_chan_destroy);
505}
506EXPORT_SYMBOL_GPL(l2cap_chan_put);
507
508void l2cap_chan_set_defaults(struct l2cap_chan *chan)
509{
510 chan->fcs = L2CAP_FCS_CRC16;
511 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
512 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
513 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
514 chan->remote_max_tx = chan->max_tx;
515 chan->remote_tx_win = chan->tx_win;
516 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
517 chan->sec_level = BT_SECURITY_LOW;
518 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
519 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
520 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
521
522 chan->conf_state = 0;
523 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
524
525 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
526}
527EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
528
529static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
530{
531 chan->sdu = NULL;
532 chan->sdu_last_frag = NULL;
533 chan->sdu_len = 0;
534 chan->tx_credits = tx_credits;
535
536 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
537
538 chan->rx_credits = (chan->imtu / chan->mps) + 1;
539
540 skb_queue_head_init(&chan->tx_q);
541}
542
543static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
544{
545 l2cap_le_flowctl_init(chan, tx_credits);
546
547
548 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
549 chan->mps = L2CAP_ECRED_MIN_MPS;
550 chan->rx_credits = (chan->imtu / chan->mps) + 1;
551 }
552}
553
554void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
555{
556 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
557 __le16_to_cpu(chan->psm), chan->dcid);
558
559 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
560
561 chan->conn = conn;
562
563 switch (chan->chan_type) {
564 case L2CAP_CHAN_CONN_ORIENTED:
565
566 chan->scid = l2cap_alloc_cid(conn);
567 if (conn->hcon->type == ACL_LINK)
568 chan->omtu = L2CAP_DEFAULT_MTU;
569 break;
570
571 case L2CAP_CHAN_CONN_LESS:
572
573 chan->scid = L2CAP_CID_CONN_LESS;
574 chan->dcid = L2CAP_CID_CONN_LESS;
575 chan->omtu = L2CAP_DEFAULT_MTU;
576 break;
577
578 case L2CAP_CHAN_FIXED:
579
580 break;
581
582 default:
583
584 chan->scid = L2CAP_CID_SIGNALING;
585 chan->dcid = L2CAP_CID_SIGNALING;
586 chan->omtu = L2CAP_DEFAULT_MTU;
587 }
588
589 chan->local_id = L2CAP_BESTEFFORT_ID;
590 chan->local_stype = L2CAP_SERV_BESTEFFORT;
591 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
592 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
593 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
594 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
595
596 l2cap_chan_hold(chan);
597
598
599 if (chan->chan_type != L2CAP_CHAN_FIXED ||
600 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
601 hci_conn_hold(conn->hcon);
602
603 list_add(&chan->list, &conn->chan_l);
604}
605
606void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
607{
608 mutex_lock(&conn->chan_lock);
609 __l2cap_chan_add(conn, chan);
610 mutex_unlock(&conn->chan_lock);
611}
612
613void l2cap_chan_del(struct l2cap_chan *chan, int err)
614{
615 struct l2cap_conn *conn = chan->conn;
616
617 __clear_chan_timer(chan);
618
619 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
620 state_to_string(chan->state));
621
622 chan->ops->teardown(chan, err);
623
624 if (conn) {
625 struct amp_mgr *mgr = conn->hcon->amp_mgr;
626
627 list_del(&chan->list);
628
629 l2cap_chan_put(chan);
630
631 chan->conn = NULL;
632
633
634
635
636
637 if (chan->chan_type != L2CAP_CHAN_FIXED ||
638 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
639 hci_conn_drop(conn->hcon);
640
641 if (mgr && mgr->bredr_chan == chan)
642 mgr->bredr_chan = NULL;
643 }
644
645 if (chan->hs_hchan) {
646 struct hci_chan *hs_hchan = chan->hs_hchan;
647
648 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
649 amp_disconnect_logical_link(hs_hchan);
650 }
651
652 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
653 return;
654
655 switch (chan->mode) {
656 case L2CAP_MODE_BASIC:
657 break;
658
659 case L2CAP_MODE_LE_FLOWCTL:
660 case L2CAP_MODE_EXT_FLOWCTL:
661 skb_queue_purge(&chan->tx_q);
662 break;
663
664 case L2CAP_MODE_ERTM:
665 __clear_retrans_timer(chan);
666 __clear_monitor_timer(chan);
667 __clear_ack_timer(chan);
668
669 skb_queue_purge(&chan->srej_q);
670
671 l2cap_seq_list_free(&chan->srej_list);
672 l2cap_seq_list_free(&chan->retrans_list);
673 fallthrough;
674
675 case L2CAP_MODE_STREAMING:
676 skb_queue_purge(&chan->tx_q);
677 break;
678 }
679}
680EXPORT_SYMBOL_GPL(l2cap_chan_del);
681
682static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
683 void *data)
684{
685 struct l2cap_chan *chan;
686
687 list_for_each_entry(chan, &conn->chan_l, list) {
688 func(chan, data);
689 }
690}
691
692void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
693 void *data)
694{
695 if (!conn)
696 return;
697
698 mutex_lock(&conn->chan_lock);
699 __l2cap_chan_list(conn, func, data);
700 mutex_unlock(&conn->chan_lock);
701}
702
703EXPORT_SYMBOL_GPL(l2cap_chan_list);
704
705static void l2cap_conn_update_id_addr(struct work_struct *work)
706{
707 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
708 id_addr_update_work);
709 struct hci_conn *hcon = conn->hcon;
710 struct l2cap_chan *chan;
711
712 mutex_lock(&conn->chan_lock);
713
714 list_for_each_entry(chan, &conn->chan_l, list) {
715 l2cap_chan_lock(chan);
716 bacpy(&chan->dst, &hcon->dst);
717 chan->dst_type = bdaddr_dst_type(hcon);
718 l2cap_chan_unlock(chan);
719 }
720
721 mutex_unlock(&conn->chan_lock);
722}
723
724static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
725{
726 struct l2cap_conn *conn = chan->conn;
727 struct l2cap_le_conn_rsp rsp;
728 u16 result;
729
730 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
731 result = L2CAP_CR_LE_AUTHORIZATION;
732 else
733 result = L2CAP_CR_LE_BAD_PSM;
734
735 l2cap_state_change(chan, BT_DISCONN);
736
737 rsp.dcid = cpu_to_le16(chan->scid);
738 rsp.mtu = cpu_to_le16(chan->imtu);
739 rsp.mps = cpu_to_le16(chan->mps);
740 rsp.credits = cpu_to_le16(chan->rx_credits);
741 rsp.result = cpu_to_le16(result);
742
743 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
744 &rsp);
745}
746
747static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
748{
749 struct l2cap_conn *conn = chan->conn;
750 struct l2cap_ecred_conn_rsp rsp;
751 u16 result;
752
753 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
754 result = L2CAP_CR_LE_AUTHORIZATION;
755 else
756 result = L2CAP_CR_LE_BAD_PSM;
757
758 l2cap_state_change(chan, BT_DISCONN);
759
760 memset(&rsp, 0, sizeof(rsp));
761
762 rsp.result = cpu_to_le16(result);
763
764 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
765 &rsp);
766}
767
768static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
769{
770 struct l2cap_conn *conn = chan->conn;
771 struct l2cap_conn_rsp rsp;
772 u16 result;
773
774 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
775 result = L2CAP_CR_SEC_BLOCK;
776 else
777 result = L2CAP_CR_BAD_PSM;
778
779 l2cap_state_change(chan, BT_DISCONN);
780
781 rsp.scid = cpu_to_le16(chan->dcid);
782 rsp.dcid = cpu_to_le16(chan->scid);
783 rsp.result = cpu_to_le16(result);
784 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
785
786 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
787}
788
789void l2cap_chan_close(struct l2cap_chan *chan, int reason)
790{
791 struct l2cap_conn *conn = chan->conn;
792
793 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
794
795 switch (chan->state) {
796 case BT_LISTEN:
797 chan->ops->teardown(chan, 0);
798 break;
799
800 case BT_CONNECTED:
801 case BT_CONFIG:
802 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
803 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
804 l2cap_send_disconn_req(chan, reason);
805 } else
806 l2cap_chan_del(chan, reason);
807 break;
808
809 case BT_CONNECT2:
810 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
811 if (conn->hcon->type == ACL_LINK)
812 l2cap_chan_connect_reject(chan);
813 else if (conn->hcon->type == LE_LINK) {
814 switch (chan->mode) {
815 case L2CAP_MODE_LE_FLOWCTL:
816 l2cap_chan_le_connect_reject(chan);
817 break;
818 case L2CAP_MODE_EXT_FLOWCTL:
819 l2cap_chan_ecred_connect_reject(chan);
820 break;
821 }
822 }
823 }
824
825 l2cap_chan_del(chan, reason);
826 break;
827
828 case BT_CONNECT:
829 case BT_DISCONN:
830 l2cap_chan_del(chan, reason);
831 break;
832
833 default:
834 chan->ops->teardown(chan, 0);
835 break;
836 }
837}
838EXPORT_SYMBOL(l2cap_chan_close);
839
840static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
841{
842 switch (chan->chan_type) {
843 case L2CAP_CHAN_RAW:
844 switch (chan->sec_level) {
845 case BT_SECURITY_HIGH:
846 case BT_SECURITY_FIPS:
847 return HCI_AT_DEDICATED_BONDING_MITM;
848 case BT_SECURITY_MEDIUM:
849 return HCI_AT_DEDICATED_BONDING;
850 default:
851 return HCI_AT_NO_BONDING;
852 }
853 break;
854 case L2CAP_CHAN_CONN_LESS:
855 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
856 if (chan->sec_level == BT_SECURITY_LOW)
857 chan->sec_level = BT_SECURITY_SDP;
858 }
859 if (chan->sec_level == BT_SECURITY_HIGH ||
860 chan->sec_level == BT_SECURITY_FIPS)
861 return HCI_AT_NO_BONDING_MITM;
862 else
863 return HCI_AT_NO_BONDING;
864 break;
865 case L2CAP_CHAN_CONN_ORIENTED:
866 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
867 if (chan->sec_level == BT_SECURITY_LOW)
868 chan->sec_level = BT_SECURITY_SDP;
869
870 if (chan->sec_level == BT_SECURITY_HIGH ||
871 chan->sec_level == BT_SECURITY_FIPS)
872 return HCI_AT_NO_BONDING_MITM;
873 else
874 return HCI_AT_NO_BONDING;
875 }
876 fallthrough;
877
878 default:
879 switch (chan->sec_level) {
880 case BT_SECURITY_HIGH:
881 case BT_SECURITY_FIPS:
882 return HCI_AT_GENERAL_BONDING_MITM;
883 case BT_SECURITY_MEDIUM:
884 return HCI_AT_GENERAL_BONDING;
885 default:
886 return HCI_AT_NO_BONDING;
887 }
888 break;
889 }
890}
891
892
893int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
894{
895 struct l2cap_conn *conn = chan->conn;
896 __u8 auth_type;
897
898 if (conn->hcon->type == LE_LINK)
899 return smp_conn_security(conn->hcon, chan->sec_level);
900
901 auth_type = l2cap_get_auth_type(chan);
902
903 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
904 initiator);
905}
906
907static u8 l2cap_get_ident(struct l2cap_conn *conn)
908{
909 u8 id;
910
911
912
913
914
915
916
917 mutex_lock(&conn->ident_lock);
918
919 if (++conn->tx_ident > 128)
920 conn->tx_ident = 1;
921
922 id = conn->tx_ident;
923
924 mutex_unlock(&conn->ident_lock);
925
926 return id;
927}
928
929static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
930 void *data)
931{
932 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
933 u8 flags;
934
935 BT_DBG("code 0x%2.2x", code);
936
937 if (!skb)
938 return;
939
940
941
942 if (lmp_no_flush_capable(conn->hcon->hdev) ||
943 conn->hcon->type == LE_LINK)
944 flags = ACL_START_NO_FLUSH;
945 else
946 flags = ACL_START;
947
948 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
949 skb->priority = HCI_PRIO_MAX;
950
951 hci_send_acl(conn->hchan, skb, flags);
952}
953
954static bool __chan_is_moving(struct l2cap_chan *chan)
955{
956 return chan->move_state != L2CAP_MOVE_STABLE &&
957 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
958}
959
960static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
961{
962 struct hci_conn *hcon = chan->conn->hcon;
963 u16 flags;
964
965 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
966 skb->priority);
967
968 if (chan->hs_hcon && !__chan_is_moving(chan)) {
969 if (chan->hs_hchan)
970 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
971 else
972 kfree_skb(skb);
973
974 return;
975 }
976
977
978
979
980
981 if (hcon->type == LE_LINK ||
982 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
983 lmp_no_flush_capable(hcon->hdev)))
984 flags = ACL_START_NO_FLUSH;
985 else
986 flags = ACL_START;
987
988 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
989 hci_send_acl(chan->conn->hchan, skb, flags);
990}
991
992static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
993{
994 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
995 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
996
997 if (enh & L2CAP_CTRL_FRAME_TYPE) {
998
999 control->sframe = 1;
1000 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
1001 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1002
1003 control->sar = 0;
1004 control->txseq = 0;
1005 } else {
1006
1007 control->sframe = 0;
1008 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1009 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1010
1011 control->poll = 0;
1012 control->super = 0;
1013 }
1014}
1015
1016static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1017{
1018 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1019 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1020
1021 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1022
1023 control->sframe = 1;
1024 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1025 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1026
1027 control->sar = 0;
1028 control->txseq = 0;
1029 } else {
1030
1031 control->sframe = 0;
1032 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1033 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1034
1035 control->poll = 0;
1036 control->super = 0;
1037 }
1038}
1039
1040static inline void __unpack_control(struct l2cap_chan *chan,
1041 struct sk_buff *skb)
1042{
1043 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1044 __unpack_extended_control(get_unaligned_le32(skb->data),
1045 &bt_cb(skb)->l2cap);
1046 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1047 } else {
1048 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1049 &bt_cb(skb)->l2cap);
1050 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1051 }
1052}
1053
1054static u32 __pack_extended_control(struct l2cap_ctrl *control)
1055{
1056 u32 packed;
1057
1058 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1059 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1060
1061 if (control->sframe) {
1062 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1063 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1064 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1065 } else {
1066 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1067 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1068 }
1069
1070 return packed;
1071}
1072
1073static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1074{
1075 u16 packed;
1076
1077 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1078 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1079
1080 if (control->sframe) {
1081 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1082 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1083 packed |= L2CAP_CTRL_FRAME_TYPE;
1084 } else {
1085 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1086 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1087 }
1088
1089 return packed;
1090}
1091
1092static inline void __pack_control(struct l2cap_chan *chan,
1093 struct l2cap_ctrl *control,
1094 struct sk_buff *skb)
1095{
1096 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1097 put_unaligned_le32(__pack_extended_control(control),
1098 skb->data + L2CAP_HDR_SIZE);
1099 } else {
1100 put_unaligned_le16(__pack_enhanced_control(control),
1101 skb->data + L2CAP_HDR_SIZE);
1102 }
1103}
1104
1105static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1106{
1107 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1108 return L2CAP_EXT_HDR_SIZE;
1109 else
1110 return L2CAP_ENH_HDR_SIZE;
1111}
1112
1113static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1114 u32 control)
1115{
1116 struct sk_buff *skb;
1117 struct l2cap_hdr *lh;
1118 int hlen = __ertm_hdr_size(chan);
1119
1120 if (chan->fcs == L2CAP_FCS_CRC16)
1121 hlen += L2CAP_FCS_SIZE;
1122
1123 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1124
1125 if (!skb)
1126 return ERR_PTR(-ENOMEM);
1127
1128 lh = skb_put(skb, L2CAP_HDR_SIZE);
1129 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1130 lh->cid = cpu_to_le16(chan->dcid);
1131
1132 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1133 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1134 else
1135 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1136
1137 if (chan->fcs == L2CAP_FCS_CRC16) {
1138 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1139 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1140 }
1141
1142 skb->priority = HCI_PRIO_MAX;
1143 return skb;
1144}
1145
1146static void l2cap_send_sframe(struct l2cap_chan *chan,
1147 struct l2cap_ctrl *control)
1148{
1149 struct sk_buff *skb;
1150 u32 control_field;
1151
1152 BT_DBG("chan %p, control %p", chan, control);
1153
1154 if (!control->sframe)
1155 return;
1156
1157 if (__chan_is_moving(chan))
1158 return;
1159
1160 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1161 !control->poll)
1162 control->final = 1;
1163
1164 if (control->super == L2CAP_SUPER_RR)
1165 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1166 else if (control->super == L2CAP_SUPER_RNR)
1167 set_bit(CONN_RNR_SENT, &chan->conn_state);
1168
1169 if (control->super != L2CAP_SUPER_SREJ) {
1170 chan->last_acked_seq = control->reqseq;
1171 __clear_ack_timer(chan);
1172 }
1173
1174 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1175 control->final, control->poll, control->super);
1176
1177 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1178 control_field = __pack_extended_control(control);
1179 else
1180 control_field = __pack_enhanced_control(control);
1181
1182 skb = l2cap_create_sframe_pdu(chan, control_field);
1183 if (!IS_ERR(skb))
1184 l2cap_do_send(chan, skb);
1185}
1186
1187static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1188{
1189 struct l2cap_ctrl control;
1190
1191 BT_DBG("chan %p, poll %d", chan, poll);
1192
1193 memset(&control, 0, sizeof(control));
1194 control.sframe = 1;
1195 control.poll = poll;
1196
1197 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1198 control.super = L2CAP_SUPER_RNR;
1199 else
1200 control.super = L2CAP_SUPER_RR;
1201
1202 control.reqseq = chan->buffer_seq;
1203 l2cap_send_sframe(chan, &control);
1204}
1205
1206static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1207{
1208 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1209 return true;
1210
1211 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1212}
1213
1214static bool __amp_capable(struct l2cap_chan *chan)
1215{
1216 struct l2cap_conn *conn = chan->conn;
1217 struct hci_dev *hdev;
1218 bool amp_available = false;
1219
1220 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1221 return false;
1222
1223 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1224 return false;
1225
1226 read_lock(&hci_dev_list_lock);
1227 list_for_each_entry(hdev, &hci_dev_list, list) {
1228 if (hdev->amp_type != AMP_TYPE_BREDR &&
1229 test_bit(HCI_UP, &hdev->flags)) {
1230 amp_available = true;
1231 break;
1232 }
1233 }
1234 read_unlock(&hci_dev_list_lock);
1235
1236 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1237 return amp_available;
1238
1239 return false;
1240}
1241
1242static bool l2cap_check_efs(struct l2cap_chan *chan)
1243{
1244
1245 return true;
1246}
1247
1248void l2cap_send_conn_req(struct l2cap_chan *chan)
1249{
1250 struct l2cap_conn *conn = chan->conn;
1251 struct l2cap_conn_req req;
1252
1253 req.scid = cpu_to_le16(chan->scid);
1254 req.psm = chan->psm;
1255
1256 chan->ident = l2cap_get_ident(conn);
1257
1258 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1259
1260 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1261}
1262
1263static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1264{
1265 struct l2cap_create_chan_req req;
1266 req.scid = cpu_to_le16(chan->scid);
1267 req.psm = chan->psm;
1268 req.amp_id = amp_id;
1269
1270 chan->ident = l2cap_get_ident(chan->conn);
1271
1272 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1273 sizeof(req), &req);
1274}
1275
1276static void l2cap_move_setup(struct l2cap_chan *chan)
1277{
1278 struct sk_buff *skb;
1279
1280 BT_DBG("chan %p", chan);
1281
1282 if (chan->mode != L2CAP_MODE_ERTM)
1283 return;
1284
1285 __clear_retrans_timer(chan);
1286 __clear_monitor_timer(chan);
1287 __clear_ack_timer(chan);
1288
1289 chan->retry_count = 0;
1290 skb_queue_walk(&chan->tx_q, skb) {
1291 if (bt_cb(skb)->l2cap.retries)
1292 bt_cb(skb)->l2cap.retries = 1;
1293 else
1294 break;
1295 }
1296
1297 chan->expected_tx_seq = chan->buffer_seq;
1298
1299 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1300 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1301 l2cap_seq_list_clear(&chan->retrans_list);
1302 l2cap_seq_list_clear(&chan->srej_list);
1303 skb_queue_purge(&chan->srej_q);
1304
1305 chan->tx_state = L2CAP_TX_STATE_XMIT;
1306 chan->rx_state = L2CAP_RX_STATE_MOVE;
1307
1308 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1309}
1310
1311static void l2cap_move_done(struct l2cap_chan *chan)
1312{
1313 u8 move_role = chan->move_role;
1314 BT_DBG("chan %p", chan);
1315
1316 chan->move_state = L2CAP_MOVE_STABLE;
1317 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1318
1319 if (chan->mode != L2CAP_MODE_ERTM)
1320 return;
1321
1322 switch (move_role) {
1323 case L2CAP_MOVE_ROLE_INITIATOR:
1324 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1325 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1326 break;
1327 case L2CAP_MOVE_ROLE_RESPONDER:
1328 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1329 break;
1330 }
1331}
1332
1333static void l2cap_chan_ready(struct l2cap_chan *chan)
1334{
1335
1336
1337
1338
1339 if (chan->state == BT_CONNECTED)
1340 return;
1341
1342
1343 chan->conf_state = 0;
1344 __clear_chan_timer(chan);
1345
1346 switch (chan->mode) {
1347 case L2CAP_MODE_LE_FLOWCTL:
1348 case L2CAP_MODE_EXT_FLOWCTL:
1349 if (!chan->tx_credits)
1350 chan->ops->suspend(chan);
1351 break;
1352 }
1353
1354 chan->state = BT_CONNECTED;
1355
1356 chan->ops->ready(chan);
1357}
1358
1359static void l2cap_le_connect(struct l2cap_chan *chan)
1360{
1361 struct l2cap_conn *conn = chan->conn;
1362 struct l2cap_le_conn_req req;
1363
1364 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1365 return;
1366
1367 if (!chan->imtu)
1368 chan->imtu = chan->conn->mtu;
1369
1370 l2cap_le_flowctl_init(chan, 0);
1371
1372 req.psm = chan->psm;
1373 req.scid = cpu_to_le16(chan->scid);
1374 req.mtu = cpu_to_le16(chan->imtu);
1375 req.mps = cpu_to_le16(chan->mps);
1376 req.credits = cpu_to_le16(chan->rx_credits);
1377
1378 chan->ident = l2cap_get_ident(conn);
1379
1380 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1381 sizeof(req), &req);
1382}
1383
1384struct l2cap_ecred_conn_data {
1385 struct {
1386 struct l2cap_ecred_conn_req req;
1387 __le16 scid[5];
1388 } __packed pdu;
1389 struct l2cap_chan *chan;
1390 struct pid *pid;
1391 int count;
1392};
1393
1394static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1395{
1396 struct l2cap_ecred_conn_data *conn = data;
1397 struct pid *pid;
1398
1399 if (chan == conn->chan)
1400 return;
1401
1402 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1403 return;
1404
1405 pid = chan->ops->get_peer_pid(chan);
1406
1407
1408 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1409 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1410 return;
1411
1412 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1413 return;
1414
1415 l2cap_ecred_init(chan, 0);
1416
1417
1418 chan->ident = conn->chan->ident;
1419
1420
1421 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1422
1423 conn->count++;
1424}
1425
1426static void l2cap_ecred_connect(struct l2cap_chan *chan)
1427{
1428 struct l2cap_conn *conn = chan->conn;
1429 struct l2cap_ecred_conn_data data;
1430
1431 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1432 return;
1433
1434 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1435 return;
1436
1437 l2cap_ecred_init(chan, 0);
1438
1439 data.pdu.req.psm = chan->psm;
1440 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1441 data.pdu.req.mps = cpu_to_le16(chan->mps);
1442 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1443 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1444
1445 chan->ident = l2cap_get_ident(conn);
1446 data.pid = chan->ops->get_peer_pid(chan);
1447
1448 data.count = 1;
1449 data.chan = chan;
1450 data.pid = chan->ops->get_peer_pid(chan);
1451
1452 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1453
1454 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1455 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1456 &data.pdu);
1457}
1458
1459static void l2cap_le_start(struct l2cap_chan *chan)
1460{
1461 struct l2cap_conn *conn = chan->conn;
1462
1463 if (!smp_conn_security(conn->hcon, chan->sec_level))
1464 return;
1465
1466 if (!chan->psm) {
1467 l2cap_chan_ready(chan);
1468 return;
1469 }
1470
1471 if (chan->state == BT_CONNECT) {
1472 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1473 l2cap_ecred_connect(chan);
1474 else
1475 l2cap_le_connect(chan);
1476 }
1477}
1478
1479static void l2cap_start_connection(struct l2cap_chan *chan)
1480{
1481 if (__amp_capable(chan)) {
1482 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1483 a2mp_discover_amp(chan);
1484 } else if (chan->conn->hcon->type == LE_LINK) {
1485 l2cap_le_start(chan);
1486 } else {
1487 l2cap_send_conn_req(chan);
1488 }
1489}
1490
1491static void l2cap_request_info(struct l2cap_conn *conn)
1492{
1493 struct l2cap_info_req req;
1494
1495 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1496 return;
1497
1498 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1499
1500 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1501 conn->info_ident = l2cap_get_ident(conn);
1502
1503 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1504
1505 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1506 sizeof(req), &req);
1507}
1508
1509static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1510{
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520 int min_key_size = hcon->hdev->min_enc_key_size;
1521
1522
1523 if (hcon->sec_level == BT_SECURITY_FIPS)
1524 min_key_size = 16;
1525
1526 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1527 hcon->enc_key_size >= min_key_size);
1528}
1529
1530static void l2cap_do_start(struct l2cap_chan *chan)
1531{
1532 struct l2cap_conn *conn = chan->conn;
1533
1534 if (conn->hcon->type == LE_LINK) {
1535 l2cap_le_start(chan);
1536 return;
1537 }
1538
1539 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1540 l2cap_request_info(conn);
1541 return;
1542 }
1543
1544 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1545 return;
1546
1547 if (!l2cap_chan_check_security(chan, true) ||
1548 !__l2cap_no_conn_pending(chan))
1549 return;
1550
1551 if (l2cap_check_enc_key_size(conn->hcon))
1552 l2cap_start_connection(chan);
1553 else
1554 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1555}
1556
1557static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1558{
1559 u32 local_feat_mask = l2cap_feat_mask;
1560 if (!disable_ertm)
1561 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1562
1563 switch (mode) {
1564 case L2CAP_MODE_ERTM:
1565 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1566 case L2CAP_MODE_STREAMING:
1567 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1568 default:
1569 return 0x00;
1570 }
1571}
1572
1573static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1574{
1575 struct l2cap_conn *conn = chan->conn;
1576 struct l2cap_disconn_req req;
1577
1578 if (!conn)
1579 return;
1580
1581 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1582 __clear_retrans_timer(chan);
1583 __clear_monitor_timer(chan);
1584 __clear_ack_timer(chan);
1585 }
1586
1587 if (chan->scid == L2CAP_CID_A2MP) {
1588 l2cap_state_change(chan, BT_DISCONN);
1589 return;
1590 }
1591
1592 req.dcid = cpu_to_le16(chan->dcid);
1593 req.scid = cpu_to_le16(chan->scid);
1594 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1595 sizeof(req), &req);
1596
1597 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1598}
1599
1600
1601static void l2cap_conn_start(struct l2cap_conn *conn)
1602{
1603 struct l2cap_chan *chan, *tmp;
1604
1605 BT_DBG("conn %p", conn);
1606
1607 mutex_lock(&conn->chan_lock);
1608
1609 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1610 l2cap_chan_lock(chan);
1611
1612 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1613 l2cap_chan_ready(chan);
1614 l2cap_chan_unlock(chan);
1615 continue;
1616 }
1617
1618 if (chan->state == BT_CONNECT) {
1619 if (!l2cap_chan_check_security(chan, true) ||
1620 !__l2cap_no_conn_pending(chan)) {
1621 l2cap_chan_unlock(chan);
1622 continue;
1623 }
1624
1625 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1626 && test_bit(CONF_STATE2_DEVICE,
1627 &chan->conf_state)) {
1628 l2cap_chan_close(chan, ECONNRESET);
1629 l2cap_chan_unlock(chan);
1630 continue;
1631 }
1632
1633 if (l2cap_check_enc_key_size(conn->hcon))
1634 l2cap_start_connection(chan);
1635 else
1636 l2cap_chan_close(chan, ECONNREFUSED);
1637
1638 } else if (chan->state == BT_CONNECT2) {
1639 struct l2cap_conn_rsp rsp;
1640 char buf[128];
1641 rsp.scid = cpu_to_le16(chan->dcid);
1642 rsp.dcid = cpu_to_le16(chan->scid);
1643
1644 if (l2cap_chan_check_security(chan, false)) {
1645 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1646 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1647 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1648 chan->ops->defer(chan);
1649
1650 } else {
1651 l2cap_state_change(chan, BT_CONFIG);
1652 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1653 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1654 }
1655 } else {
1656 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1657 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1658 }
1659
1660 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1661 sizeof(rsp), &rsp);
1662
1663 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1664 rsp.result != L2CAP_CR_SUCCESS) {
1665 l2cap_chan_unlock(chan);
1666 continue;
1667 }
1668
1669 set_bit(CONF_REQ_SENT, &chan->conf_state);
1670 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1671 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1672 chan->num_conf_req++;
1673 }
1674
1675 l2cap_chan_unlock(chan);
1676 }
1677
1678 mutex_unlock(&conn->chan_lock);
1679}
1680
1681static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1682{
1683 struct hci_conn *hcon = conn->hcon;
1684 struct hci_dev *hdev = hcon->hdev;
1685
1686 BT_DBG("%s conn %p", hdev->name, conn);
1687
1688
1689
1690
1691 if (hcon->out)
1692 smp_conn_security(hcon, hcon->pending_sec_level);
1693
1694
1695
1696
1697
1698
1699 if (hcon->role == HCI_ROLE_SLAVE &&
1700 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1701 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1702 struct l2cap_conn_param_update_req req;
1703
1704 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1705 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1706 req.latency = cpu_to_le16(hcon->le_conn_latency);
1707 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1708
1709 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1710 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1711 }
1712}
1713
1714static void l2cap_conn_ready(struct l2cap_conn *conn)
1715{
1716 struct l2cap_chan *chan;
1717 struct hci_conn *hcon = conn->hcon;
1718
1719 BT_DBG("conn %p", conn);
1720
1721 if (hcon->type == ACL_LINK)
1722 l2cap_request_info(conn);
1723
1724 mutex_lock(&conn->chan_lock);
1725
1726 list_for_each_entry(chan, &conn->chan_l, list) {
1727
1728 l2cap_chan_lock(chan);
1729
1730 if (chan->scid == L2CAP_CID_A2MP) {
1731 l2cap_chan_unlock(chan);
1732 continue;
1733 }
1734
1735 if (hcon->type == LE_LINK) {
1736 l2cap_le_start(chan);
1737 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1738 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1739 l2cap_chan_ready(chan);
1740 } else if (chan->state == BT_CONNECT) {
1741 l2cap_do_start(chan);
1742 }
1743
1744 l2cap_chan_unlock(chan);
1745 }
1746
1747 mutex_unlock(&conn->chan_lock);
1748
1749 if (hcon->type == LE_LINK)
1750 l2cap_le_conn_ready(conn);
1751
1752 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1753}
1754
1755
1756static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1757{
1758 struct l2cap_chan *chan;
1759
1760 BT_DBG("conn %p", conn);
1761
1762 mutex_lock(&conn->chan_lock);
1763
1764 list_for_each_entry(chan, &conn->chan_l, list) {
1765 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1766 l2cap_chan_set_err(chan, err);
1767 }
1768
1769 mutex_unlock(&conn->chan_lock);
1770}
1771
1772static void l2cap_info_timeout(struct work_struct *work)
1773{
1774 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1775 info_timer.work);
1776
1777 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1778 conn->info_ident = 0;
1779
1780 l2cap_conn_start(conn);
1781}
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1797{
1798 struct hci_dev *hdev = conn->hcon->hdev;
1799 int ret;
1800
1801
1802
1803
1804
1805
1806
1807
1808 hci_dev_lock(hdev);
1809
1810 if (!list_empty(&user->list)) {
1811 ret = -EINVAL;
1812 goto out_unlock;
1813 }
1814
1815
1816 if (!conn->hchan) {
1817 ret = -ENODEV;
1818 goto out_unlock;
1819 }
1820
1821 ret = user->probe(conn, user);
1822 if (ret)
1823 goto out_unlock;
1824
1825 list_add(&user->list, &conn->users);
1826 ret = 0;
1827
1828out_unlock:
1829 hci_dev_unlock(hdev);
1830 return ret;
1831}
1832EXPORT_SYMBOL(l2cap_register_user);
1833
1834void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1835{
1836 struct hci_dev *hdev = conn->hcon->hdev;
1837
1838 hci_dev_lock(hdev);
1839
1840 if (list_empty(&user->list))
1841 goto out_unlock;
1842
1843 list_del_init(&user->list);
1844 user->remove(conn, user);
1845
1846out_unlock:
1847 hci_dev_unlock(hdev);
1848}
1849EXPORT_SYMBOL(l2cap_unregister_user);
1850
1851static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1852{
1853 struct l2cap_user *user;
1854
1855 while (!list_empty(&conn->users)) {
1856 user = list_first_entry(&conn->users, struct l2cap_user, list);
1857 list_del_init(&user->list);
1858 user->remove(conn, user);
1859 }
1860}
1861
1862static void l2cap_conn_del(struct hci_conn *hcon, int err)
1863{
1864 struct l2cap_conn *conn = hcon->l2cap_data;
1865 struct l2cap_chan *chan, *l;
1866
1867 if (!conn)
1868 return;
1869
1870 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1871
1872 kfree_skb(conn->rx_skb);
1873
1874 skb_queue_purge(&conn->pending_rx);
1875
1876
1877
1878
1879
1880 if (work_pending(&conn->pending_rx_work))
1881 cancel_work_sync(&conn->pending_rx_work);
1882
1883 if (work_pending(&conn->id_addr_update_work))
1884 cancel_work_sync(&conn->id_addr_update_work);
1885
1886 l2cap_unregister_all_users(conn);
1887
1888
1889 hcon->disc_timeout = 0;
1890
1891 mutex_lock(&conn->chan_lock);
1892
1893
1894 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1895 l2cap_chan_hold(chan);
1896 l2cap_chan_lock(chan);
1897
1898 l2cap_chan_del(chan, err);
1899
1900 chan->ops->close(chan);
1901
1902 l2cap_chan_unlock(chan);
1903 l2cap_chan_put(chan);
1904 }
1905
1906 mutex_unlock(&conn->chan_lock);
1907
1908 hci_chan_del(conn->hchan);
1909
1910 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1911 cancel_delayed_work_sync(&conn->info_timer);
1912
1913 hcon->l2cap_data = NULL;
1914 conn->hchan = NULL;
1915 l2cap_conn_put(conn);
1916}
1917
1918static void l2cap_conn_free(struct kref *ref)
1919{
1920 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1921
1922 hci_conn_put(conn->hcon);
1923 kfree(conn);
1924}
1925
1926struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1927{
1928 kref_get(&conn->ref);
1929 return conn;
1930}
1931EXPORT_SYMBOL(l2cap_conn_get);
1932
1933void l2cap_conn_put(struct l2cap_conn *conn)
1934{
1935 kref_put(&conn->ref, l2cap_conn_free);
1936}
1937EXPORT_SYMBOL(l2cap_conn_put);
1938
1939
1940
1941
1942
1943
1944static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1945 bdaddr_t *src,
1946 bdaddr_t *dst,
1947 u8 link_type)
1948{
1949 struct l2cap_chan *c, *c1 = NULL;
1950
1951 read_lock(&chan_list_lock);
1952
1953 list_for_each_entry(c, &chan_list, global_l) {
1954 if (state && c->state != state)
1955 continue;
1956
1957 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1958 continue;
1959
1960 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1961 continue;
1962
1963 if (c->psm == psm) {
1964 int src_match, dst_match;
1965 int src_any, dst_any;
1966
1967
1968 src_match = !bacmp(&c->src, src);
1969 dst_match = !bacmp(&c->dst, dst);
1970 if (src_match && dst_match) {
1971 l2cap_chan_hold(c);
1972 read_unlock(&chan_list_lock);
1973 return c;
1974 }
1975
1976
1977 src_any = !bacmp(&c->src, BDADDR_ANY);
1978 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1979 if ((src_match && dst_any) || (src_any && dst_match) ||
1980 (src_any && dst_any))
1981 c1 = c;
1982 }
1983 }
1984
1985 if (c1)
1986 l2cap_chan_hold(c1);
1987
1988 read_unlock(&chan_list_lock);
1989
1990 return c1;
1991}
1992
1993static void l2cap_monitor_timeout(struct work_struct *work)
1994{
1995 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1996 monitor_timer.work);
1997
1998 BT_DBG("chan %p", chan);
1999
2000 l2cap_chan_lock(chan);
2001
2002 if (!chan->conn) {
2003 l2cap_chan_unlock(chan);
2004 l2cap_chan_put(chan);
2005 return;
2006 }
2007
2008 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2009
2010 l2cap_chan_unlock(chan);
2011 l2cap_chan_put(chan);
2012}
2013
2014static void l2cap_retrans_timeout(struct work_struct *work)
2015{
2016 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2017 retrans_timer.work);
2018
2019 BT_DBG("chan %p", chan);
2020
2021 l2cap_chan_lock(chan);
2022
2023 if (!chan->conn) {
2024 l2cap_chan_unlock(chan);
2025 l2cap_chan_put(chan);
2026 return;
2027 }
2028
2029 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2030 l2cap_chan_unlock(chan);
2031 l2cap_chan_put(chan);
2032}
2033
2034static void l2cap_streaming_send(struct l2cap_chan *chan,
2035 struct sk_buff_head *skbs)
2036{
2037 struct sk_buff *skb;
2038 struct l2cap_ctrl *control;
2039
2040 BT_DBG("chan %p, skbs %p", chan, skbs);
2041
2042 if (__chan_is_moving(chan))
2043 return;
2044
2045 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2046
2047 while (!skb_queue_empty(&chan->tx_q)) {
2048
2049 skb = skb_dequeue(&chan->tx_q);
2050
2051 bt_cb(skb)->l2cap.retries = 1;
2052 control = &bt_cb(skb)->l2cap;
2053
2054 control->reqseq = 0;
2055 control->txseq = chan->next_tx_seq;
2056
2057 __pack_control(chan, control, skb);
2058
2059 if (chan->fcs == L2CAP_FCS_CRC16) {
2060 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2061 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2062 }
2063
2064 l2cap_do_send(chan, skb);
2065
2066 BT_DBG("Sent txseq %u", control->txseq);
2067
2068 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2069 chan->frames_sent++;
2070 }
2071}
2072
2073static int l2cap_ertm_send(struct l2cap_chan *chan)
2074{
2075 struct sk_buff *skb, *tx_skb;
2076 struct l2cap_ctrl *control;
2077 int sent = 0;
2078
2079 BT_DBG("chan %p", chan);
2080
2081 if (chan->state != BT_CONNECTED)
2082 return -ENOTCONN;
2083
2084 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2085 return 0;
2086
2087 if (__chan_is_moving(chan))
2088 return 0;
2089
2090 while (chan->tx_send_head &&
2091 chan->unacked_frames < chan->remote_tx_win &&
2092 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2093
2094 skb = chan->tx_send_head;
2095
2096 bt_cb(skb)->l2cap.retries = 1;
2097 control = &bt_cb(skb)->l2cap;
2098
2099 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2100 control->final = 1;
2101
2102 control->reqseq = chan->buffer_seq;
2103 chan->last_acked_seq = chan->buffer_seq;
2104 control->txseq = chan->next_tx_seq;
2105
2106 __pack_control(chan, control, skb);
2107
2108 if (chan->fcs == L2CAP_FCS_CRC16) {
2109 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2110 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2111 }
2112
2113
2114
2115
2116 tx_skb = skb_clone(skb, GFP_KERNEL);
2117
2118 if (!tx_skb)
2119 break;
2120
2121 __set_retrans_timer(chan);
2122
2123 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2124 chan->unacked_frames++;
2125 chan->frames_sent++;
2126 sent++;
2127
2128 if (skb_queue_is_last(&chan->tx_q, skb))
2129 chan->tx_send_head = NULL;
2130 else
2131 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2132
2133 l2cap_do_send(chan, tx_skb);
2134 BT_DBG("Sent txseq %u", control->txseq);
2135 }
2136
2137 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2138 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2139
2140 return sent;
2141}
2142
2143static void l2cap_ertm_resend(struct l2cap_chan *chan)
2144{
2145 struct l2cap_ctrl control;
2146 struct sk_buff *skb;
2147 struct sk_buff *tx_skb;
2148 u16 seq;
2149
2150 BT_DBG("chan %p", chan);
2151
2152 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2153 return;
2154
2155 if (__chan_is_moving(chan))
2156 return;
2157
2158 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2159 seq = l2cap_seq_list_pop(&chan->retrans_list);
2160
2161 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2162 if (!skb) {
2163 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2164 seq);
2165 continue;
2166 }
2167
2168 bt_cb(skb)->l2cap.retries++;
2169 control = bt_cb(skb)->l2cap;
2170
2171 if (chan->max_tx != 0 &&
2172 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2173 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2174 l2cap_send_disconn_req(chan, ECONNRESET);
2175 l2cap_seq_list_clear(&chan->retrans_list);
2176 break;
2177 }
2178
2179 control.reqseq = chan->buffer_seq;
2180 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2181 control.final = 1;
2182 else
2183 control.final = 0;
2184
2185 if (skb_cloned(skb)) {
2186
2187
2188
2189 tx_skb = skb_copy(skb, GFP_KERNEL);
2190 } else {
2191 tx_skb = skb_clone(skb, GFP_KERNEL);
2192 }
2193
2194 if (!tx_skb) {
2195 l2cap_seq_list_clear(&chan->retrans_list);
2196 break;
2197 }
2198
2199
2200 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2201 put_unaligned_le32(__pack_extended_control(&control),
2202 tx_skb->data + L2CAP_HDR_SIZE);
2203 } else {
2204 put_unaligned_le16(__pack_enhanced_control(&control),
2205 tx_skb->data + L2CAP_HDR_SIZE);
2206 }
2207
2208
2209 if (chan->fcs == L2CAP_FCS_CRC16) {
2210 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2211 tx_skb->len - L2CAP_FCS_SIZE);
2212 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2213 L2CAP_FCS_SIZE);
2214 }
2215
2216 l2cap_do_send(chan, tx_skb);
2217
2218 BT_DBG("Resent txseq %d", control.txseq);
2219
2220 chan->last_acked_seq = chan->buffer_seq;
2221 }
2222}
2223
2224static void l2cap_retransmit(struct l2cap_chan *chan,
2225 struct l2cap_ctrl *control)
2226{
2227 BT_DBG("chan %p, control %p", chan, control);
2228
2229 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2230 l2cap_ertm_resend(chan);
2231}
2232
2233static void l2cap_retransmit_all(struct l2cap_chan *chan,
2234 struct l2cap_ctrl *control)
2235{
2236 struct sk_buff *skb;
2237
2238 BT_DBG("chan %p, control %p", chan, control);
2239
2240 if (control->poll)
2241 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2242
2243 l2cap_seq_list_clear(&chan->retrans_list);
2244
2245 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2246 return;
2247
2248 if (chan->unacked_frames) {
2249 skb_queue_walk(&chan->tx_q, skb) {
2250 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2251 skb == chan->tx_send_head)
2252 break;
2253 }
2254
2255 skb_queue_walk_from(&chan->tx_q, skb) {
2256 if (skb == chan->tx_send_head)
2257 break;
2258
2259 l2cap_seq_list_append(&chan->retrans_list,
2260 bt_cb(skb)->l2cap.txseq);
2261 }
2262
2263 l2cap_ertm_resend(chan);
2264 }
2265}
2266
2267static void l2cap_send_ack(struct l2cap_chan *chan)
2268{
2269 struct l2cap_ctrl control;
2270 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2271 chan->last_acked_seq);
2272 int threshold;
2273
2274 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2275 chan, chan->last_acked_seq, chan->buffer_seq);
2276
2277 memset(&control, 0, sizeof(control));
2278 control.sframe = 1;
2279
2280 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2281 chan->rx_state == L2CAP_RX_STATE_RECV) {
2282 __clear_ack_timer(chan);
2283 control.super = L2CAP_SUPER_RNR;
2284 control.reqseq = chan->buffer_seq;
2285 l2cap_send_sframe(chan, &control);
2286 } else {
2287 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2288 l2cap_ertm_send(chan);
2289
2290 if (chan->buffer_seq == chan->last_acked_seq)
2291 frames_to_ack = 0;
2292 }
2293
2294
2295
2296
2297 threshold = chan->ack_win;
2298 threshold += threshold << 1;
2299 threshold >>= 2;
2300
2301 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2302 threshold);
2303
2304 if (frames_to_ack >= threshold) {
2305 __clear_ack_timer(chan);
2306 control.super = L2CAP_SUPER_RR;
2307 control.reqseq = chan->buffer_seq;
2308 l2cap_send_sframe(chan, &control);
2309 frames_to_ack = 0;
2310 }
2311
2312 if (frames_to_ack)
2313 __set_ack_timer(chan);
2314 }
2315}
2316
2317static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2318 struct msghdr *msg, int len,
2319 int count, struct sk_buff *skb)
2320{
2321 struct l2cap_conn *conn = chan->conn;
2322 struct sk_buff **frag;
2323 int sent = 0;
2324
2325 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2326 return -EFAULT;
2327
2328 sent += count;
2329 len -= count;
2330
2331
2332 frag = &skb_shinfo(skb)->frag_list;
2333 while (len) {
2334 struct sk_buff *tmp;
2335
2336 count = min_t(unsigned int, conn->mtu, len);
2337
2338 tmp = chan->ops->alloc_skb(chan, 0, count,
2339 msg->msg_flags & MSG_DONTWAIT);
2340 if (IS_ERR(tmp))
2341 return PTR_ERR(tmp);
2342
2343 *frag = tmp;
2344
2345 if (!copy_from_iter_full(skb_put(*frag, count), count,
2346 &msg->msg_iter))
2347 return -EFAULT;
2348
2349 sent += count;
2350 len -= count;
2351
2352 skb->len += (*frag)->len;
2353 skb->data_len += (*frag)->len;
2354
2355 frag = &(*frag)->next;
2356 }
2357
2358 return sent;
2359}
2360
2361static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2362 struct msghdr *msg, size_t len)
2363{
2364 struct l2cap_conn *conn = chan->conn;
2365 struct sk_buff *skb;
2366 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2367 struct l2cap_hdr *lh;
2368
2369 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2370 __le16_to_cpu(chan->psm), len);
2371
2372 count = min_t(unsigned int, (conn->mtu - hlen), len);
2373
2374 skb = chan->ops->alloc_skb(chan, hlen, count,
2375 msg->msg_flags & MSG_DONTWAIT);
2376 if (IS_ERR(skb))
2377 return skb;
2378
2379
2380 lh = skb_put(skb, L2CAP_HDR_SIZE);
2381 lh->cid = cpu_to_le16(chan->dcid);
2382 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2383 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2384
2385 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2386 if (unlikely(err < 0)) {
2387 kfree_skb(skb);
2388 return ERR_PTR(err);
2389 }
2390 return skb;
2391}
2392
2393static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2394 struct msghdr *msg, size_t len)
2395{
2396 struct l2cap_conn *conn = chan->conn;
2397 struct sk_buff *skb;
2398 int err, count;
2399 struct l2cap_hdr *lh;
2400
2401 BT_DBG("chan %p len %zu", chan, len);
2402
2403 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2404
2405 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2406 msg->msg_flags & MSG_DONTWAIT);
2407 if (IS_ERR(skb))
2408 return skb;
2409
2410
2411 lh = skb_put(skb, L2CAP_HDR_SIZE);
2412 lh->cid = cpu_to_le16(chan->dcid);
2413 lh->len = cpu_to_le16(len);
2414
2415 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2416 if (unlikely(err < 0)) {
2417 kfree_skb(skb);
2418 return ERR_PTR(err);
2419 }
2420 return skb;
2421}
2422
2423static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2424 struct msghdr *msg, size_t len,
2425 u16 sdulen)
2426{
2427 struct l2cap_conn *conn = chan->conn;
2428 struct sk_buff *skb;
2429 int err, count, hlen;
2430 struct l2cap_hdr *lh;
2431
2432 BT_DBG("chan %p len %zu", chan, len);
2433
2434 if (!conn)
2435 return ERR_PTR(-ENOTCONN);
2436
2437 hlen = __ertm_hdr_size(chan);
2438
2439 if (sdulen)
2440 hlen += L2CAP_SDULEN_SIZE;
2441
2442 if (chan->fcs == L2CAP_FCS_CRC16)
2443 hlen += L2CAP_FCS_SIZE;
2444
2445 count = min_t(unsigned int, (conn->mtu - hlen), len);
2446
2447 skb = chan->ops->alloc_skb(chan, hlen, count,
2448 msg->msg_flags & MSG_DONTWAIT);
2449 if (IS_ERR(skb))
2450 return skb;
2451
2452
2453 lh = skb_put(skb, L2CAP_HDR_SIZE);
2454 lh->cid = cpu_to_le16(chan->dcid);
2455 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2456
2457
2458 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2459 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2460 else
2461 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2462
2463 if (sdulen)
2464 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2465
2466 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2467 if (unlikely(err < 0)) {
2468 kfree_skb(skb);
2469 return ERR_PTR(err);
2470 }
2471
2472 bt_cb(skb)->l2cap.fcs = chan->fcs;
2473 bt_cb(skb)->l2cap.retries = 0;
2474 return skb;
2475}
2476
2477static int l2cap_segment_sdu(struct l2cap_chan *chan,
2478 struct sk_buff_head *seg_queue,
2479 struct msghdr *msg, size_t len)
2480{
2481 struct sk_buff *skb;
2482 u16 sdu_len;
2483 size_t pdu_len;
2484 u8 sar;
2485
2486 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2487
2488
2489
2490
2491
2492
2493
2494 pdu_len = chan->conn->mtu;
2495
2496
2497 if (!chan->hs_hcon)
2498 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2499
2500
2501 if (chan->fcs)
2502 pdu_len -= L2CAP_FCS_SIZE;
2503
2504 pdu_len -= __ertm_hdr_size(chan);
2505
2506
2507 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2508
2509 if (len <= pdu_len) {
2510 sar = L2CAP_SAR_UNSEGMENTED;
2511 sdu_len = 0;
2512 pdu_len = len;
2513 } else {
2514 sar = L2CAP_SAR_START;
2515 sdu_len = len;
2516 }
2517
2518 while (len > 0) {
2519 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2520
2521 if (IS_ERR(skb)) {
2522 __skb_queue_purge(seg_queue);
2523 return PTR_ERR(skb);
2524 }
2525
2526 bt_cb(skb)->l2cap.sar = sar;
2527 __skb_queue_tail(seg_queue, skb);
2528
2529 len -= pdu_len;
2530 if (sdu_len)
2531 sdu_len = 0;
2532
2533 if (len <= pdu_len) {
2534 sar = L2CAP_SAR_END;
2535 pdu_len = len;
2536 } else {
2537 sar = L2CAP_SAR_CONTINUE;
2538 }
2539 }
2540
2541 return 0;
2542}
2543
2544static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2545 struct msghdr *msg,
2546 size_t len, u16 sdulen)
2547{
2548 struct l2cap_conn *conn = chan->conn;
2549 struct sk_buff *skb;
2550 int err, count, hlen;
2551 struct l2cap_hdr *lh;
2552
2553 BT_DBG("chan %p len %zu", chan, len);
2554
2555 if (!conn)
2556 return ERR_PTR(-ENOTCONN);
2557
2558 hlen = L2CAP_HDR_SIZE;
2559
2560 if (sdulen)
2561 hlen += L2CAP_SDULEN_SIZE;
2562
2563 count = min_t(unsigned int, (conn->mtu - hlen), len);
2564
2565 skb = chan->ops->alloc_skb(chan, hlen, count,
2566 msg->msg_flags & MSG_DONTWAIT);
2567 if (IS_ERR(skb))
2568 return skb;
2569
2570
2571 lh = skb_put(skb, L2CAP_HDR_SIZE);
2572 lh->cid = cpu_to_le16(chan->dcid);
2573 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2574
2575 if (sdulen)
2576 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2577
2578 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2579 if (unlikely(err < 0)) {
2580 kfree_skb(skb);
2581 return ERR_PTR(err);
2582 }
2583
2584 return skb;
2585}
2586
2587static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2588 struct sk_buff_head *seg_queue,
2589 struct msghdr *msg, size_t len)
2590{
2591 struct sk_buff *skb;
2592 size_t pdu_len;
2593 u16 sdu_len;
2594
2595 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2596
2597 sdu_len = len;
2598 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2599
2600 while (len > 0) {
2601 if (len <= pdu_len)
2602 pdu_len = len;
2603
2604 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2605 if (IS_ERR(skb)) {
2606 __skb_queue_purge(seg_queue);
2607 return PTR_ERR(skb);
2608 }
2609
2610 __skb_queue_tail(seg_queue, skb);
2611
2612 len -= pdu_len;
2613
2614 if (sdu_len) {
2615 sdu_len = 0;
2616 pdu_len += L2CAP_SDULEN_SIZE;
2617 }
2618 }
2619
2620 return 0;
2621}
2622
2623static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2624{
2625 int sent = 0;
2626
2627 BT_DBG("chan %p", chan);
2628
2629 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2630 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2631 chan->tx_credits--;
2632 sent++;
2633 }
2634
2635 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2636 skb_queue_len(&chan->tx_q));
2637}
2638
2639int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2640{
2641 struct sk_buff *skb;
2642 int err;
2643 struct sk_buff_head seg_queue;
2644
2645 if (!chan->conn)
2646 return -ENOTCONN;
2647
2648
2649 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2650 skb = l2cap_create_connless_pdu(chan, msg, len);
2651 if (IS_ERR(skb))
2652 return PTR_ERR(skb);
2653
2654
2655
2656
2657 if (chan->state != BT_CONNECTED) {
2658 kfree_skb(skb);
2659 return -ENOTCONN;
2660 }
2661
2662 l2cap_do_send(chan, skb);
2663 return len;
2664 }
2665
2666 switch (chan->mode) {
2667 case L2CAP_MODE_LE_FLOWCTL:
2668 case L2CAP_MODE_EXT_FLOWCTL:
2669
2670 if (len > chan->omtu)
2671 return -EMSGSIZE;
2672
2673 __skb_queue_head_init(&seg_queue);
2674
2675 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2676
2677 if (chan->state != BT_CONNECTED) {
2678 __skb_queue_purge(&seg_queue);
2679 err = -ENOTCONN;
2680 }
2681
2682 if (err)
2683 return err;
2684
2685 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2686
2687 l2cap_le_flowctl_send(chan);
2688
2689 if (!chan->tx_credits)
2690 chan->ops->suspend(chan);
2691
2692 err = len;
2693
2694 break;
2695
2696 case L2CAP_MODE_BASIC:
2697
2698 if (len > chan->omtu)
2699 return -EMSGSIZE;
2700
2701
2702 skb = l2cap_create_basic_pdu(chan, msg, len);
2703 if (IS_ERR(skb))
2704 return PTR_ERR(skb);
2705
2706
2707
2708
2709 if (chan->state != BT_CONNECTED) {
2710 kfree_skb(skb);
2711 return -ENOTCONN;
2712 }
2713
2714 l2cap_do_send(chan, skb);
2715 err = len;
2716 break;
2717
2718 case L2CAP_MODE_ERTM:
2719 case L2CAP_MODE_STREAMING:
2720
2721 if (len > chan->omtu) {
2722 err = -EMSGSIZE;
2723 break;
2724 }
2725
2726 __skb_queue_head_init(&seg_queue);
2727
2728
2729
2730
2731
2732 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2733
2734
2735
2736
2737 if (chan->state != BT_CONNECTED) {
2738 __skb_queue_purge(&seg_queue);
2739 err = -ENOTCONN;
2740 }
2741
2742 if (err)
2743 break;
2744
2745 if (chan->mode == L2CAP_MODE_ERTM)
2746 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2747 else
2748 l2cap_streaming_send(chan, &seg_queue);
2749
2750 err = len;
2751
2752
2753
2754
2755 __skb_queue_purge(&seg_queue);
2756 break;
2757
2758 default:
2759 BT_DBG("bad state %1.1x", chan->mode);
2760 err = -EBADFD;
2761 }
2762
2763 return err;
2764}
2765EXPORT_SYMBOL_GPL(l2cap_chan_send);
2766
2767static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2768{
2769 struct l2cap_ctrl control;
2770 u16 seq;
2771
2772 BT_DBG("chan %p, txseq %u", chan, txseq);
2773
2774 memset(&control, 0, sizeof(control));
2775 control.sframe = 1;
2776 control.super = L2CAP_SUPER_SREJ;
2777
2778 for (seq = chan->expected_tx_seq; seq != txseq;
2779 seq = __next_seq(chan, seq)) {
2780 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2781 control.reqseq = seq;
2782 l2cap_send_sframe(chan, &control);
2783 l2cap_seq_list_append(&chan->srej_list, seq);
2784 }
2785 }
2786
2787 chan->expected_tx_seq = __next_seq(chan, txseq);
2788}
2789
2790static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2791{
2792 struct l2cap_ctrl control;
2793
2794 BT_DBG("chan %p", chan);
2795
2796 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2797 return;
2798
2799 memset(&control, 0, sizeof(control));
2800 control.sframe = 1;
2801 control.super = L2CAP_SUPER_SREJ;
2802 control.reqseq = chan->srej_list.tail;
2803 l2cap_send_sframe(chan, &control);
2804}
2805
2806static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2807{
2808 struct l2cap_ctrl control;
2809 u16 initial_head;
2810 u16 seq;
2811
2812 BT_DBG("chan %p, txseq %u", chan, txseq);
2813
2814 memset(&control, 0, sizeof(control));
2815 control.sframe = 1;
2816 control.super = L2CAP_SUPER_SREJ;
2817
2818
2819 initial_head = chan->srej_list.head;
2820
2821 do {
2822 seq = l2cap_seq_list_pop(&chan->srej_list);
2823 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2824 break;
2825
2826 control.reqseq = seq;
2827 l2cap_send_sframe(chan, &control);
2828 l2cap_seq_list_append(&chan->srej_list, seq);
2829 } while (chan->srej_list.head != initial_head);
2830}
2831
2832static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2833{
2834 struct sk_buff *acked_skb;
2835 u16 ackseq;
2836
2837 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2838
2839 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2840 return;
2841
2842 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2843 chan->expected_ack_seq, chan->unacked_frames);
2844
2845 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2846 ackseq = __next_seq(chan, ackseq)) {
2847
2848 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2849 if (acked_skb) {
2850 skb_unlink(acked_skb, &chan->tx_q);
2851 kfree_skb(acked_skb);
2852 chan->unacked_frames--;
2853 }
2854 }
2855
2856 chan->expected_ack_seq = reqseq;
2857
2858 if (chan->unacked_frames == 0)
2859 __clear_retrans_timer(chan);
2860
2861 BT_DBG("unacked_frames %u", chan->unacked_frames);
2862}
2863
2864static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2865{
2866 BT_DBG("chan %p", chan);
2867
2868 chan->expected_tx_seq = chan->buffer_seq;
2869 l2cap_seq_list_clear(&chan->srej_list);
2870 skb_queue_purge(&chan->srej_q);
2871 chan->rx_state = L2CAP_RX_STATE_RECV;
2872}
2873
2874static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2875 struct l2cap_ctrl *control,
2876 struct sk_buff_head *skbs, u8 event)
2877{
2878 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2879 event);
2880
2881 switch (event) {
2882 case L2CAP_EV_DATA_REQUEST:
2883 if (chan->tx_send_head == NULL)
2884 chan->tx_send_head = skb_peek(skbs);
2885
2886 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2887 l2cap_ertm_send(chan);
2888 break;
2889 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2890 BT_DBG("Enter LOCAL_BUSY");
2891 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2892
2893 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2894
2895
2896
2897 l2cap_abort_rx_srej_sent(chan);
2898 }
2899
2900 l2cap_send_ack(chan);
2901
2902 break;
2903 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2904 BT_DBG("Exit LOCAL_BUSY");
2905 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2906
2907 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2908 struct l2cap_ctrl local_control;
2909
2910 memset(&local_control, 0, sizeof(local_control));
2911 local_control.sframe = 1;
2912 local_control.super = L2CAP_SUPER_RR;
2913 local_control.poll = 1;
2914 local_control.reqseq = chan->buffer_seq;
2915 l2cap_send_sframe(chan, &local_control);
2916
2917 chan->retry_count = 1;
2918 __set_monitor_timer(chan);
2919 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2920 }
2921 break;
2922 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2923 l2cap_process_reqseq(chan, control->reqseq);
2924 break;
2925 case L2CAP_EV_EXPLICIT_POLL:
2926 l2cap_send_rr_or_rnr(chan, 1);
2927 chan->retry_count = 1;
2928 __set_monitor_timer(chan);
2929 __clear_ack_timer(chan);
2930 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2931 break;
2932 case L2CAP_EV_RETRANS_TO:
2933 l2cap_send_rr_or_rnr(chan, 1);
2934 chan->retry_count = 1;
2935 __set_monitor_timer(chan);
2936 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2937 break;
2938 case L2CAP_EV_RECV_FBIT:
2939
2940 break;
2941 default:
2942 break;
2943 }
2944}
2945
2946static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2947 struct l2cap_ctrl *control,
2948 struct sk_buff_head *skbs, u8 event)
2949{
2950 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2951 event);
2952
2953 switch (event) {
2954 case L2CAP_EV_DATA_REQUEST:
2955 if (chan->tx_send_head == NULL)
2956 chan->tx_send_head = skb_peek(skbs);
2957
2958 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2959 break;
2960 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2961 BT_DBG("Enter LOCAL_BUSY");
2962 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2963
2964 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2965
2966
2967
2968 l2cap_abort_rx_srej_sent(chan);
2969 }
2970
2971 l2cap_send_ack(chan);
2972
2973 break;
2974 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2975 BT_DBG("Exit LOCAL_BUSY");
2976 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2977
2978 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2979 struct l2cap_ctrl local_control;
2980 memset(&local_control, 0, sizeof(local_control));
2981 local_control.sframe = 1;
2982 local_control.super = L2CAP_SUPER_RR;
2983 local_control.poll = 1;
2984 local_control.reqseq = chan->buffer_seq;
2985 l2cap_send_sframe(chan, &local_control);
2986
2987 chan->retry_count = 1;
2988 __set_monitor_timer(chan);
2989 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2990 }
2991 break;
2992 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2993 l2cap_process_reqseq(chan, control->reqseq);
2994 fallthrough;
2995
2996 case L2CAP_EV_RECV_FBIT:
2997 if (control && control->final) {
2998 __clear_monitor_timer(chan);
2999 if (chan->unacked_frames > 0)
3000 __set_retrans_timer(chan);
3001 chan->retry_count = 0;
3002 chan->tx_state = L2CAP_TX_STATE_XMIT;
3003 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
3004 }
3005 break;
3006 case L2CAP_EV_EXPLICIT_POLL:
3007
3008 break;
3009 case L2CAP_EV_MONITOR_TO:
3010 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3011 l2cap_send_rr_or_rnr(chan, 1);
3012 __set_monitor_timer(chan);
3013 chan->retry_count++;
3014 } else {
3015 l2cap_send_disconn_req(chan, ECONNABORTED);
3016 }
3017 break;
3018 default:
3019 break;
3020 }
3021}
3022
3023static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3024 struct sk_buff_head *skbs, u8 event)
3025{
3026 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3027 chan, control, skbs, event, chan->tx_state);
3028
3029 switch (chan->tx_state) {
3030 case L2CAP_TX_STATE_XMIT:
3031 l2cap_tx_state_xmit(chan, control, skbs, event);
3032 break;
3033 case L2CAP_TX_STATE_WAIT_F:
3034 l2cap_tx_state_wait_f(chan, control, skbs, event);
3035 break;
3036 default:
3037
3038 break;
3039 }
3040}
3041
3042static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3043 struct l2cap_ctrl *control)
3044{
3045 BT_DBG("chan %p, control %p", chan, control);
3046 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3047}
3048
3049static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3050 struct l2cap_ctrl *control)
3051{
3052 BT_DBG("chan %p, control %p", chan, control);
3053 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3054}
3055
3056
3057static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3058{
3059 struct sk_buff *nskb;
3060 struct l2cap_chan *chan;
3061
3062 BT_DBG("conn %p", conn);
3063
3064 mutex_lock(&conn->chan_lock);
3065
3066 list_for_each_entry(chan, &conn->chan_l, list) {
3067 if (chan->chan_type != L2CAP_CHAN_RAW)
3068 continue;
3069
3070
3071 if (bt_cb(skb)->l2cap.chan == chan)
3072 continue;
3073
3074 nskb = skb_clone(skb, GFP_KERNEL);
3075 if (!nskb)
3076 continue;
3077 if (chan->ops->recv(chan, nskb))
3078 kfree_skb(nskb);
3079 }
3080
3081 mutex_unlock(&conn->chan_lock);
3082}
3083
3084
3085static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3086 u8 ident, u16 dlen, void *data)
3087{
3088 struct sk_buff *skb, **frag;
3089 struct l2cap_cmd_hdr *cmd;
3090 struct l2cap_hdr *lh;
3091 int len, count;
3092
3093 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3094 conn, code, ident, dlen);
3095
3096 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3097 return NULL;
3098
3099 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3100 count = min_t(unsigned int, conn->mtu, len);
3101
3102 skb = bt_skb_alloc(count, GFP_KERNEL);
3103 if (!skb)
3104 return NULL;
3105
3106 lh = skb_put(skb, L2CAP_HDR_SIZE);
3107 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3108
3109 if (conn->hcon->type == LE_LINK)
3110 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3111 else
3112 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
3113
3114 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
3115 cmd->code = code;
3116 cmd->ident = ident;
3117 cmd->len = cpu_to_le16(dlen);
3118
3119 if (dlen) {
3120 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3121 skb_put_data(skb, data, count);
3122 data += count;
3123 }
3124
3125 len -= skb->len;
3126
3127
3128 frag = &skb_shinfo(skb)->frag_list;
3129 while (len) {
3130 count = min_t(unsigned int, conn->mtu, len);
3131
3132 *frag = bt_skb_alloc(count, GFP_KERNEL);
3133 if (!*frag)
3134 goto fail;
3135
3136 skb_put_data(*frag, data, count);
3137
3138 len -= count;
3139 data += count;
3140
3141 frag = &(*frag)->next;
3142 }
3143
3144 return skb;
3145
3146fail:
3147 kfree_skb(skb);
3148 return NULL;
3149}
3150
3151static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3152 unsigned long *val)
3153{
3154 struct l2cap_conf_opt *opt = *ptr;
3155 int len;
3156
3157 len = L2CAP_CONF_OPT_SIZE + opt->len;
3158 *ptr += len;
3159
3160 *type = opt->type;
3161 *olen = opt->len;
3162
3163 switch (opt->len) {
3164 case 1:
3165 *val = *((u8 *) opt->val);
3166 break;
3167
3168 case 2:
3169 *val = get_unaligned_le16(opt->val);
3170 break;
3171
3172 case 4:
3173 *val = get_unaligned_le32(opt->val);
3174 break;
3175
3176 default:
3177 *val = (unsigned long) opt->val;
3178 break;
3179 }
3180
3181 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3182 return len;
3183}
3184
3185static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3186{
3187 struct l2cap_conf_opt *opt = *ptr;
3188
3189 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3190
3191 if (size < L2CAP_CONF_OPT_SIZE + len)
3192 return;
3193
3194 opt->type = type;
3195 opt->len = len;
3196
3197 switch (len) {
3198 case 1:
3199 *((u8 *) opt->val) = val;
3200 break;
3201
3202 case 2:
3203 put_unaligned_le16(val, opt->val);
3204 break;
3205
3206 case 4:
3207 put_unaligned_le32(val, opt->val);
3208 break;
3209
3210 default:
3211 memcpy(opt->val, (void *) val, len);
3212 break;
3213 }
3214
3215 *ptr += L2CAP_CONF_OPT_SIZE + len;
3216}
3217
3218static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3219{
3220 struct l2cap_conf_efs efs;
3221
3222 switch (chan->mode) {
3223 case L2CAP_MODE_ERTM:
3224 efs.id = chan->local_id;
3225 efs.stype = chan->local_stype;
3226 efs.msdu = cpu_to_le16(chan->local_msdu);
3227 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3228 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3229 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3230 break;
3231
3232 case L2CAP_MODE_STREAMING:
3233 efs.id = 1;
3234 efs.stype = L2CAP_SERV_BESTEFFORT;
3235 efs.msdu = cpu_to_le16(chan->local_msdu);
3236 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3237 efs.acc_lat = 0;
3238 efs.flush_to = 0;
3239 break;
3240
3241 default:
3242 return;
3243 }
3244
3245 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3246 (unsigned long) &efs, size);
3247}
3248
3249static void l2cap_ack_timeout(struct work_struct *work)
3250{
3251 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3252 ack_timer.work);
3253 u16 frames_to_ack;
3254
3255 BT_DBG("chan %p", chan);
3256
3257 l2cap_chan_lock(chan);
3258
3259 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3260 chan->last_acked_seq);
3261
3262 if (frames_to_ack)
3263 l2cap_send_rr_or_rnr(chan, 0);
3264
3265 l2cap_chan_unlock(chan);
3266 l2cap_chan_put(chan);
3267}
3268
3269int l2cap_ertm_init(struct l2cap_chan *chan)
3270{
3271 int err;
3272
3273 chan->next_tx_seq = 0;
3274 chan->expected_tx_seq = 0;
3275 chan->expected_ack_seq = 0;
3276 chan->unacked_frames = 0;
3277 chan->buffer_seq = 0;
3278 chan->frames_sent = 0;
3279 chan->last_acked_seq = 0;
3280 chan->sdu = NULL;
3281 chan->sdu_last_frag = NULL;
3282 chan->sdu_len = 0;
3283
3284 skb_queue_head_init(&chan->tx_q);
3285
3286 chan->local_amp_id = AMP_ID_BREDR;
3287 chan->move_id = AMP_ID_BREDR;
3288 chan->move_state = L2CAP_MOVE_STABLE;
3289 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3290
3291 if (chan->mode != L2CAP_MODE_ERTM)
3292 return 0;
3293
3294 chan->rx_state = L2CAP_RX_STATE_RECV;
3295 chan->tx_state = L2CAP_TX_STATE_XMIT;
3296
3297 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3298 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3299 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3300
3301 skb_queue_head_init(&chan->srej_q);
3302
3303 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3304 if (err < 0)
3305 return err;
3306
3307 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3308 if (err < 0)
3309 l2cap_seq_list_free(&chan->srej_list);
3310
3311 return err;
3312}
3313
3314static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3315{
3316 switch (mode) {
3317 case L2CAP_MODE_STREAMING:
3318 case L2CAP_MODE_ERTM:
3319 if (l2cap_mode_supported(mode, remote_feat_mask))
3320 return mode;
3321 fallthrough;
3322 default:
3323 return L2CAP_MODE_BASIC;
3324 }
3325}
3326
3327static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3328{
3329 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3330 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3331}
3332
3333static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3334{
3335 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3336 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3337}
3338
3339static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3340 struct l2cap_conf_rfc *rfc)
3341{
3342 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3343 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3359
3360
3361
3362
3363
3364 ertm_to = 3 * ertm_to + 500;
3365
3366 if (ertm_to > 0xffff)
3367 ertm_to = 0xffff;
3368
3369 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3370 rfc->monitor_timeout = rfc->retrans_timeout;
3371 } else {
3372 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3373 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3374 }
3375}
3376
3377static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3378{
3379 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3380 __l2cap_ews_supported(chan->conn)) {
3381
3382 set_bit(FLAG_EXT_CTRL, &chan->flags);
3383 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3384 } else {
3385 chan->tx_win = min_t(u16, chan->tx_win,
3386 L2CAP_DEFAULT_TX_WINDOW);
3387 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3388 }
3389 chan->ack_win = chan->tx_win;
3390}
3391
3392static void l2cap_mtu_auto(struct l2cap_chan *chan)
3393{
3394 struct hci_conn *conn = chan->conn->hcon;
3395
3396 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3397
3398
3399
3400
3401 if (!(conn->pkt_type & HCI_2DH1))
3402 chan->imtu = 54;
3403
3404
3405
3406
3407 if (!(conn->pkt_type & HCI_3DH1))
3408 chan->imtu = 83;
3409
3410
3411
3412
3413 if (!(conn->pkt_type & HCI_2DH3))
3414 chan->imtu = 367;
3415
3416
3417
3418
3419 if (!(conn->pkt_type & HCI_3DH3))
3420 chan->imtu = 552;
3421
3422
3423
3424
3425 if (!(conn->pkt_type & HCI_2DH5))
3426 chan->imtu = 679;
3427
3428
3429
3430
3431 if (!(conn->pkt_type & HCI_3DH5))
3432 chan->imtu = 1021;
3433}
3434
3435static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3436{
3437 struct l2cap_conf_req *req = data;
3438 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3439 void *ptr = req->data;
3440 void *endptr = data + data_size;
3441 u16 size;
3442
3443 BT_DBG("chan %p", chan);
3444
3445 if (chan->num_conf_req || chan->num_conf_rsp)
3446 goto done;
3447
3448 switch (chan->mode) {
3449 case L2CAP_MODE_STREAMING:
3450 case L2CAP_MODE_ERTM:
3451 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3452 break;
3453
3454 if (__l2cap_efs_supported(chan->conn))
3455 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3456
3457 fallthrough;
3458 default:
3459 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3460 break;
3461 }
3462
3463done:
3464 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3465 if (!chan->imtu)
3466 l2cap_mtu_auto(chan);
3467 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3468 endptr - ptr);
3469 }
3470
3471 switch (chan->mode) {
3472 case L2CAP_MODE_BASIC:
3473 if (disable_ertm)
3474 break;
3475
3476 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3477 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3478 break;
3479
3480 rfc.mode = L2CAP_MODE_BASIC;
3481 rfc.txwin_size = 0;
3482 rfc.max_transmit = 0;
3483 rfc.retrans_timeout = 0;
3484 rfc.monitor_timeout = 0;
3485 rfc.max_pdu_size = 0;
3486
3487 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3488 (unsigned long) &rfc, endptr - ptr);
3489 break;
3490
3491 case L2CAP_MODE_ERTM:
3492 rfc.mode = L2CAP_MODE_ERTM;
3493 rfc.max_transmit = chan->max_tx;
3494
3495 __l2cap_set_ertm_timeouts(chan, &rfc);
3496
3497 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3498 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3499 L2CAP_FCS_SIZE);
3500 rfc.max_pdu_size = cpu_to_le16(size);
3501
3502 l2cap_txwin_setup(chan);
3503
3504 rfc.txwin_size = min_t(u16, chan->tx_win,
3505 L2CAP_DEFAULT_TX_WINDOW);
3506
3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3508 (unsigned long) &rfc, endptr - ptr);
3509
3510 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3511 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3512
3513 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3514 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3515 chan->tx_win, endptr - ptr);
3516
3517 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3518 if (chan->fcs == L2CAP_FCS_NONE ||
3519 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3520 chan->fcs = L2CAP_FCS_NONE;
3521 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3522 chan->fcs, endptr - ptr);
3523 }
3524 break;
3525
3526 case L2CAP_MODE_STREAMING:
3527 l2cap_txwin_setup(chan);
3528 rfc.mode = L2CAP_MODE_STREAMING;
3529 rfc.txwin_size = 0;
3530 rfc.max_transmit = 0;
3531 rfc.retrans_timeout = 0;
3532 rfc.monitor_timeout = 0;
3533
3534 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3535 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3536 L2CAP_FCS_SIZE);
3537 rfc.max_pdu_size = cpu_to_le16(size);
3538
3539 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3540 (unsigned long) &rfc, endptr - ptr);
3541
3542 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3543 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3544
3545 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3546 if (chan->fcs == L2CAP_FCS_NONE ||
3547 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3548 chan->fcs = L2CAP_FCS_NONE;
3549 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3550 chan->fcs, endptr - ptr);
3551 }
3552 break;
3553 }
3554
3555 req->dcid = cpu_to_le16(chan->dcid);
3556 req->flags = cpu_to_le16(0);
3557
3558 return ptr - data;
3559}
3560
3561static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3562{
3563 struct l2cap_conf_rsp *rsp = data;
3564 void *ptr = rsp->data;
3565 void *endptr = data + data_size;
3566 void *req = chan->conf_req;
3567 int len = chan->conf_len;
3568 int type, hint, olen;
3569 unsigned long val;
3570 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3571 struct l2cap_conf_efs efs;
3572 u8 remote_efs = 0;
3573 u16 mtu = L2CAP_DEFAULT_MTU;
3574 u16 result = L2CAP_CONF_SUCCESS;
3575 u16 size;
3576
3577 BT_DBG("chan %p", chan);
3578
3579 while (len >= L2CAP_CONF_OPT_SIZE) {
3580 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3581 if (len < 0)
3582 break;
3583
3584 hint = type & L2CAP_CONF_HINT;
3585 type &= L2CAP_CONF_MASK;
3586
3587 switch (type) {
3588 case L2CAP_CONF_MTU:
3589 if (olen != 2)
3590 break;
3591 mtu = val;
3592 break;
3593
3594 case L2CAP_CONF_FLUSH_TO:
3595 if (olen != 2)
3596 break;
3597 chan->flush_to = val;
3598 break;
3599
3600 case L2CAP_CONF_QOS:
3601 break;
3602
3603 case L2CAP_CONF_RFC:
3604 if (olen != sizeof(rfc))
3605 break;
3606 memcpy(&rfc, (void *) val, olen);
3607 break;
3608
3609 case L2CAP_CONF_FCS:
3610 if (olen != 1)
3611 break;
3612 if (val == L2CAP_FCS_NONE)
3613 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3614 break;
3615
3616 case L2CAP_CONF_EFS:
3617 if (olen != sizeof(efs))
3618 break;
3619 remote_efs = 1;
3620 memcpy(&efs, (void *) val, olen);
3621 break;
3622
3623 case L2CAP_CONF_EWS:
3624 if (olen != 2)
3625 break;
3626 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3627 return -ECONNREFUSED;
3628 set_bit(FLAG_EXT_CTRL, &chan->flags);
3629 set_bit(CONF_EWS_RECV, &chan->conf_state);
3630 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3631 chan->remote_tx_win = val;
3632 break;
3633
3634 default:
3635 if (hint)
3636 break;
3637 result = L2CAP_CONF_UNKNOWN;
3638 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr);
3639 break;
3640 }
3641 }
3642
3643 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3644 goto done;
3645
3646 switch (chan->mode) {
3647 case L2CAP_MODE_STREAMING:
3648 case L2CAP_MODE_ERTM:
3649 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3650 chan->mode = l2cap_select_mode(rfc.mode,
3651 chan->conn->feat_mask);
3652 break;
3653 }
3654
3655 if (remote_efs) {
3656 if (__l2cap_efs_supported(chan->conn))
3657 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3658 else
3659 return -ECONNREFUSED;
3660 }
3661
3662 if (chan->mode != rfc.mode)
3663 return -ECONNREFUSED;
3664
3665 break;
3666 }
3667
3668done:
3669 if (chan->mode != rfc.mode) {
3670 result = L2CAP_CONF_UNACCEPT;
3671 rfc.mode = chan->mode;
3672
3673 if (chan->num_conf_rsp == 1)
3674 return -ECONNREFUSED;
3675
3676 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3677 (unsigned long) &rfc, endptr - ptr);
3678 }
3679
3680 if (result == L2CAP_CONF_SUCCESS) {
3681
3682
3683
3684 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3685 result = L2CAP_CONF_UNACCEPT;
3686 else {
3687 chan->omtu = mtu;
3688 set_bit(CONF_MTU_DONE, &chan->conf_state);
3689 }
3690 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3691
3692 if (remote_efs) {
3693 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3694 efs.stype != L2CAP_SERV_NOTRAFIC &&
3695 efs.stype != chan->local_stype) {
3696
3697 result = L2CAP_CONF_UNACCEPT;
3698
3699 if (chan->num_conf_req >= 1)
3700 return -ECONNREFUSED;
3701
3702 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3703 sizeof(efs),
3704 (unsigned long) &efs, endptr - ptr);
3705 } else {
3706
3707 result = L2CAP_CONF_PENDING;
3708 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3709 }
3710 }
3711
3712 switch (rfc.mode) {
3713 case L2CAP_MODE_BASIC:
3714 chan->fcs = L2CAP_FCS_NONE;
3715 set_bit(CONF_MODE_DONE, &chan->conf_state);
3716 break;
3717
3718 case L2CAP_MODE_ERTM:
3719 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3720 chan->remote_tx_win = rfc.txwin_size;
3721 else
3722 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3723
3724 chan->remote_max_tx = rfc.max_transmit;
3725
3726 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3727 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3728 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3729 rfc.max_pdu_size = cpu_to_le16(size);
3730 chan->remote_mps = size;
3731
3732 __l2cap_set_ertm_timeouts(chan, &rfc);
3733
3734 set_bit(CONF_MODE_DONE, &chan->conf_state);
3735
3736 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3737 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3738
3739 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3740 chan->remote_id = efs.id;
3741 chan->remote_stype = efs.stype;
3742 chan->remote_msdu = le16_to_cpu(efs.msdu);
3743 chan->remote_flush_to =
3744 le32_to_cpu(efs.flush_to);
3745 chan->remote_acc_lat =
3746 le32_to_cpu(efs.acc_lat);
3747 chan->remote_sdu_itime =
3748 le32_to_cpu(efs.sdu_itime);
3749 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3750 sizeof(efs),
3751 (unsigned long) &efs, endptr - ptr);
3752 }
3753 break;
3754
3755 case L2CAP_MODE_STREAMING:
3756 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3757 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3758 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3759 rfc.max_pdu_size = cpu_to_le16(size);
3760 chan->remote_mps = size;
3761
3762 set_bit(CONF_MODE_DONE, &chan->conf_state);
3763
3764 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3765 (unsigned long) &rfc, endptr - ptr);
3766
3767 break;
3768
3769 default:
3770 result = L2CAP_CONF_UNACCEPT;
3771
3772 memset(&rfc, 0, sizeof(rfc));
3773 rfc.mode = chan->mode;
3774 }
3775
3776 if (result == L2CAP_CONF_SUCCESS)
3777 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3778 }
3779 rsp->scid = cpu_to_le16(chan->dcid);
3780 rsp->result = cpu_to_le16(result);
3781 rsp->flags = cpu_to_le16(0);
3782
3783 return ptr - data;
3784}
3785
3786static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3787 void *data, size_t size, u16 *result)
3788{
3789 struct l2cap_conf_req *req = data;
3790 void *ptr = req->data;
3791 void *endptr = data + size;
3792 int type, olen;
3793 unsigned long val;
3794 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3795 struct l2cap_conf_efs efs;
3796
3797 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3798
3799 while (len >= L2CAP_CONF_OPT_SIZE) {
3800 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3801 if (len < 0)
3802 break;
3803
3804 switch (type) {
3805 case L2CAP_CONF_MTU:
3806 if (olen != 2)
3807 break;
3808 if (val < L2CAP_DEFAULT_MIN_MTU) {
3809 *result = L2CAP_CONF_UNACCEPT;
3810 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3811 } else
3812 chan->imtu = val;
3813 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3814 endptr - ptr);
3815 break;
3816
3817 case L2CAP_CONF_FLUSH_TO:
3818 if (olen != 2)
3819 break;
3820 chan->flush_to = val;
3821 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3822 chan->flush_to, endptr - ptr);
3823 break;
3824
3825 case L2CAP_CONF_RFC:
3826 if (olen != sizeof(rfc))
3827 break;
3828 memcpy(&rfc, (void *)val, olen);
3829 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3830 rfc.mode != chan->mode)
3831 return -ECONNREFUSED;
3832 chan->fcs = 0;
3833 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3834 (unsigned long) &rfc, endptr - ptr);
3835 break;
3836
3837 case L2CAP_CONF_EWS:
3838 if (olen != 2)
3839 break;
3840 chan->ack_win = min_t(u16, val, chan->ack_win);
3841 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3842 chan->tx_win, endptr - ptr);
3843 break;
3844
3845 case L2CAP_CONF_EFS:
3846 if (olen != sizeof(efs))
3847 break;
3848 memcpy(&efs, (void *)val, olen);
3849 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3850 efs.stype != L2CAP_SERV_NOTRAFIC &&
3851 efs.stype != chan->local_stype)
3852 return -ECONNREFUSED;
3853 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3854 (unsigned long) &efs, endptr - ptr);
3855 break;
3856
3857 case L2CAP_CONF_FCS:
3858 if (olen != 1)
3859 break;
3860 if (*result == L2CAP_CONF_PENDING)
3861 if (val == L2CAP_FCS_NONE)
3862 set_bit(CONF_RECV_NO_FCS,
3863 &chan->conf_state);
3864 break;
3865 }
3866 }
3867
3868 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3869 return -ECONNREFUSED;
3870
3871 chan->mode = rfc.mode;
3872
3873 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3874 switch (rfc.mode) {
3875 case L2CAP_MODE_ERTM:
3876 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3877 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3878 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3879 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3880 chan->ack_win = min_t(u16, chan->ack_win,
3881 rfc.txwin_size);
3882
3883 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3884 chan->local_msdu = le16_to_cpu(efs.msdu);
3885 chan->local_sdu_itime =
3886 le32_to_cpu(efs.sdu_itime);
3887 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3888 chan->local_flush_to =
3889 le32_to_cpu(efs.flush_to);
3890 }
3891 break;
3892
3893 case L2CAP_MODE_STREAMING:
3894 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3895 }
3896 }
3897
3898 req->dcid = cpu_to_le16(chan->dcid);
3899 req->flags = cpu_to_le16(0);
3900
3901 return ptr - data;
3902}
3903
3904static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3905 u16 result, u16 flags)
3906{
3907 struct l2cap_conf_rsp *rsp = data;
3908 void *ptr = rsp->data;
3909
3910 BT_DBG("chan %p", chan);
3911
3912 rsp->scid = cpu_to_le16(chan->dcid);
3913 rsp->result = cpu_to_le16(result);
3914 rsp->flags = cpu_to_le16(flags);
3915
3916 return ptr - data;
3917}
3918
3919void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3920{
3921 struct l2cap_le_conn_rsp rsp;
3922 struct l2cap_conn *conn = chan->conn;
3923
3924 BT_DBG("chan %p", chan);
3925
3926 rsp.dcid = cpu_to_le16(chan->scid);
3927 rsp.mtu = cpu_to_le16(chan->imtu);
3928 rsp.mps = cpu_to_le16(chan->mps);
3929 rsp.credits = cpu_to_le16(chan->rx_credits);
3930 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3931
3932 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3933 &rsp);
3934}
3935
3936void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3937{
3938 struct {
3939 struct l2cap_ecred_conn_rsp rsp;
3940 __le16 dcid[5];
3941 } __packed pdu;
3942 struct l2cap_conn *conn = chan->conn;
3943 u16 ident = chan->ident;
3944 int i = 0;
3945
3946 if (!ident)
3947 return;
3948
3949 BT_DBG("chan %p ident %d", chan, ident);
3950
3951 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3952 pdu.rsp.mps = cpu_to_le16(chan->mps);
3953 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3954 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3955
3956 mutex_lock(&conn->chan_lock);
3957
3958 list_for_each_entry(chan, &conn->chan_l, list) {
3959 if (chan->ident != ident)
3960 continue;
3961
3962
3963 chan->ident = 0;
3964
3965
3966 pdu.dcid[i++] = cpu_to_le16(chan->scid);
3967 }
3968
3969 mutex_unlock(&conn->chan_lock);
3970
3971 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3972 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3973}
3974
3975void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3976{
3977 struct l2cap_conn_rsp rsp;
3978 struct l2cap_conn *conn = chan->conn;
3979 u8 buf[128];
3980 u8 rsp_code;
3981
3982 rsp.scid = cpu_to_le16(chan->dcid);
3983 rsp.dcid = cpu_to_le16(chan->scid);
3984 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3985 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3986
3987 if (chan->hs_hcon)
3988 rsp_code = L2CAP_CREATE_CHAN_RSP;
3989 else
3990 rsp_code = L2CAP_CONN_RSP;
3991
3992 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3993
3994 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3995
3996 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3997 return;
3998
3999 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4000 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4001 chan->num_conf_req++;
4002}
4003
4004static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
4005{
4006 int type, olen;
4007 unsigned long val;
4008
4009
4010
4011 u16 txwin_ext = chan->ack_win;
4012 struct l2cap_conf_rfc rfc = {
4013 .mode = chan->mode,
4014 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
4015 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
4016 .max_pdu_size = cpu_to_le16(chan->imtu),
4017 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
4018 };
4019
4020 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
4021
4022 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
4023 return;
4024
4025 while (len >= L2CAP_CONF_OPT_SIZE) {
4026 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
4027 if (len < 0)
4028 break;
4029
4030 switch (type) {
4031 case L2CAP_CONF_RFC:
4032 if (olen != sizeof(rfc))
4033 break;
4034 memcpy(&rfc, (void *)val, olen);
4035 break;
4036 case L2CAP_CONF_EWS:
4037 if (olen != 2)
4038 break;
4039 txwin_ext = val;
4040 break;
4041 }
4042 }
4043
4044 switch (rfc.mode) {
4045 case L2CAP_MODE_ERTM:
4046 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
4047 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
4048 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4049 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4050 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
4051 else
4052 chan->ack_win = min_t(u16, chan->ack_win,
4053 rfc.txwin_size);
4054 break;
4055 case L2CAP_MODE_STREAMING:
4056 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4057 }
4058}
4059
4060static inline int l2cap_command_rej(struct l2cap_conn *conn,
4061 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4062 u8 *data)
4063{
4064 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4065
4066 if (cmd_len < sizeof(*rej))
4067 return -EPROTO;
4068
4069 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4070 return 0;
4071
4072 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
4073 cmd->ident == conn->info_ident) {
4074 cancel_delayed_work(&conn->info_timer);
4075
4076 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4077 conn->info_ident = 0;
4078
4079 l2cap_conn_start(conn);
4080 }
4081
4082 return 0;
4083}
4084
4085static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
4086 struct l2cap_cmd_hdr *cmd,
4087 u8 *data, u8 rsp_code, u8 amp_id)
4088{
4089 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
4090 struct l2cap_conn_rsp rsp;
4091 struct l2cap_chan *chan = NULL, *pchan;
4092 int result, status = L2CAP_CS_NO_INFO;
4093
4094 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
4095 __le16 psm = req->psm;
4096
4097 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
4098
4099
4100 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4101 &conn->hcon->dst, ACL_LINK);
4102 if (!pchan) {
4103 result = L2CAP_CR_BAD_PSM;
4104 goto sendresp;
4105 }
4106
4107 mutex_lock(&conn->chan_lock);
4108 l2cap_chan_lock(pchan);
4109
4110
4111 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
4112 !hci_conn_check_link_mode(conn->hcon)) {
4113 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
4114 result = L2CAP_CR_SEC_BLOCK;
4115 goto response;
4116 }
4117
4118 result = L2CAP_CR_NO_MEM;
4119
4120
4121 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4122 result = L2CAP_CR_INVALID_SCID;
4123 goto response;
4124 }
4125
4126
4127 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4128 result = L2CAP_CR_SCID_IN_USE;
4129 goto response;
4130 }
4131
4132 chan = pchan->ops->new_connection(pchan);
4133 if (!chan)
4134 goto response;
4135
4136
4137
4138
4139
4140
4141 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4142
4143 bacpy(&chan->src, &conn->hcon->src);
4144 bacpy(&chan->dst, &conn->hcon->dst);
4145 chan->src_type = bdaddr_src_type(conn->hcon);
4146 chan->dst_type = bdaddr_dst_type(conn->hcon);
4147 chan->psm = psm;
4148 chan->dcid = scid;
4149 chan->local_amp_id = amp_id;
4150
4151 __l2cap_chan_add(conn, chan);
4152
4153 dcid = chan->scid;
4154
4155 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4156
4157 chan->ident = cmd->ident;
4158
4159 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4160 if (l2cap_chan_check_security(chan, false)) {
4161 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4162 l2cap_state_change(chan, BT_CONNECT2);
4163 result = L2CAP_CR_PEND;
4164 status = L2CAP_CS_AUTHOR_PEND;
4165 chan->ops->defer(chan);
4166 } else {
4167
4168
4169
4170
4171 if (amp_id == AMP_ID_BREDR) {
4172 l2cap_state_change(chan, BT_CONFIG);
4173 result = L2CAP_CR_SUCCESS;
4174 } else {
4175 l2cap_state_change(chan, BT_CONNECT2);
4176 result = L2CAP_CR_PEND;
4177 }
4178 status = L2CAP_CS_NO_INFO;
4179 }
4180 } else {
4181 l2cap_state_change(chan, BT_CONNECT2);
4182 result = L2CAP_CR_PEND;
4183 status = L2CAP_CS_AUTHEN_PEND;
4184 }
4185 } else {
4186 l2cap_state_change(chan, BT_CONNECT2);
4187 result = L2CAP_CR_PEND;
4188 status = L2CAP_CS_NO_INFO;
4189 }
4190
4191response:
4192 l2cap_chan_unlock(pchan);
4193 mutex_unlock(&conn->chan_lock);
4194 l2cap_chan_put(pchan);
4195
4196sendresp:
4197 rsp.scid = cpu_to_le16(scid);
4198 rsp.dcid = cpu_to_le16(dcid);
4199 rsp.result = cpu_to_le16(result);
4200 rsp.status = cpu_to_le16(status);
4201 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4202
4203 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4204 struct l2cap_info_req info;
4205 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4206
4207 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4208 conn->info_ident = l2cap_get_ident(conn);
4209
4210 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4211
4212 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4213 sizeof(info), &info);
4214 }
4215
4216 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4217 result == L2CAP_CR_SUCCESS) {
4218 u8 buf[128];
4219 set_bit(CONF_REQ_SENT, &chan->conf_state);
4220 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4221 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4222 chan->num_conf_req++;
4223 }
4224
4225 return chan;
4226}
4227
4228static int l2cap_connect_req(struct l2cap_conn *conn,
4229 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4230{
4231 struct hci_dev *hdev = conn->hcon->hdev;
4232 struct hci_conn *hcon = conn->hcon;
4233
4234 if (cmd_len < sizeof(struct l2cap_conn_req))
4235 return -EPROTO;
4236
4237 hci_dev_lock(hdev);
4238 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4239 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4240 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
4241 hci_dev_unlock(hdev);
4242
4243 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4244 return 0;
4245}
4246
4247static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4248 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4249 u8 *data)
4250{
4251 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4252 u16 scid, dcid, result, status;
4253 struct l2cap_chan *chan;
4254 u8 req[128];
4255 int err;
4256
4257 if (cmd_len < sizeof(*rsp))
4258 return -EPROTO;
4259
4260 scid = __le16_to_cpu(rsp->scid);
4261 dcid = __le16_to_cpu(rsp->dcid);
4262 result = __le16_to_cpu(rsp->result);
4263 status = __le16_to_cpu(rsp->status);
4264
4265 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4266 dcid, scid, result, status);
4267
4268 mutex_lock(&conn->chan_lock);
4269
4270 if (scid) {
4271 chan = __l2cap_get_chan_by_scid(conn, scid);
4272 if (!chan) {
4273 err = -EBADSLT;
4274 goto unlock;
4275 }
4276 } else {
4277 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4278 if (!chan) {
4279 err = -EBADSLT;
4280 goto unlock;
4281 }
4282 }
4283
4284 err = 0;
4285
4286 l2cap_chan_lock(chan);
4287
4288 switch (result) {
4289 case L2CAP_CR_SUCCESS:
4290 l2cap_state_change(chan, BT_CONFIG);
4291 chan->ident = 0;
4292 chan->dcid = dcid;
4293 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4294
4295 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4296 break;
4297
4298 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4299 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4300 chan->num_conf_req++;
4301 break;
4302
4303 case L2CAP_CR_PEND:
4304 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4305 break;
4306
4307 default:
4308 l2cap_chan_del(chan, ECONNREFUSED);
4309 break;
4310 }
4311
4312 l2cap_chan_unlock(chan);
4313
4314unlock:
4315 mutex_unlock(&conn->chan_lock);
4316
4317 return err;
4318}
4319
4320static inline void set_default_fcs(struct l2cap_chan *chan)
4321{
4322
4323
4324
4325 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4326 chan->fcs = L2CAP_FCS_NONE;
4327 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4328 chan->fcs = L2CAP_FCS_CRC16;
4329}
4330
4331static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4332 u8 ident, u16 flags)
4333{
4334 struct l2cap_conn *conn = chan->conn;
4335
4336 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4337 flags);
4338
4339 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4340 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4341
4342 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4343 l2cap_build_conf_rsp(chan, data,
4344 L2CAP_CONF_SUCCESS, flags), data);
4345}
4346
4347static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4348 u16 scid, u16 dcid)
4349{
4350 struct l2cap_cmd_rej_cid rej;
4351
4352 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4353 rej.scid = __cpu_to_le16(scid);
4354 rej.dcid = __cpu_to_le16(dcid);
4355
4356 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4357}
4358
4359static inline int l2cap_config_req(struct l2cap_conn *conn,
4360 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4361 u8 *data)
4362{
4363 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4364 u16 dcid, flags;
4365 u8 rsp[64];
4366 struct l2cap_chan *chan;
4367 int len, err = 0;
4368
4369 if (cmd_len < sizeof(*req))
4370 return -EPROTO;
4371
4372 dcid = __le16_to_cpu(req->dcid);
4373 flags = __le16_to_cpu(req->flags);
4374
4375 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4376
4377 chan = l2cap_get_chan_by_scid(conn, dcid);
4378 if (!chan) {
4379 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4380 return 0;
4381 }
4382
4383 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4384 chan->state != BT_CONNECTED) {
4385 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4386 chan->dcid);
4387 goto unlock;
4388 }
4389
4390
4391 len = cmd_len - sizeof(*req);
4392 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4393 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4394 l2cap_build_conf_rsp(chan, rsp,
4395 L2CAP_CONF_REJECT, flags), rsp);
4396 goto unlock;
4397 }
4398
4399
4400 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4401 chan->conf_len += len;
4402
4403 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4404
4405 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4406 l2cap_build_conf_rsp(chan, rsp,
4407 L2CAP_CONF_SUCCESS, flags), rsp);
4408 goto unlock;
4409 }
4410
4411
4412 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4413 if (len < 0) {
4414 l2cap_send_disconn_req(chan, ECONNRESET);
4415 goto unlock;
4416 }
4417
4418 chan->ident = cmd->ident;
4419 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4420 chan->num_conf_rsp++;
4421
4422
4423 chan->conf_len = 0;
4424
4425 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4426 goto unlock;
4427
4428 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4429 set_default_fcs(chan);
4430
4431 if (chan->mode == L2CAP_MODE_ERTM ||
4432 chan->mode == L2CAP_MODE_STREAMING)
4433 err = l2cap_ertm_init(chan);
4434
4435 if (err < 0)
4436 l2cap_send_disconn_req(chan, -err);
4437 else
4438 l2cap_chan_ready(chan);
4439
4440 goto unlock;
4441 }
4442
4443 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4444 u8 buf[64];
4445 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4446 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4447 chan->num_conf_req++;
4448 }
4449
4450
4451
4452 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4453 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4454
4455
4456
4457
4458 if (!chan->hs_hcon)
4459 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4460 else
4461 chan->ident = cmd->ident;
4462 }
4463
4464unlock:
4465 l2cap_chan_unlock(chan);
4466 return err;
4467}
4468
4469static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4470 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4471 u8 *data)
4472{
4473 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4474 u16 scid, flags, result;
4475 struct l2cap_chan *chan;
4476 int len = cmd_len - sizeof(*rsp);
4477 int err = 0;
4478
4479 if (cmd_len < sizeof(*rsp))
4480 return -EPROTO;
4481
4482 scid = __le16_to_cpu(rsp->scid);
4483 flags = __le16_to_cpu(rsp->flags);
4484 result = __le16_to_cpu(rsp->result);
4485
4486 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4487 result, len);
4488
4489 chan = l2cap_get_chan_by_scid(conn, scid);
4490 if (!chan)
4491 return 0;
4492
4493 switch (result) {
4494 case L2CAP_CONF_SUCCESS:
4495 l2cap_conf_rfc_get(chan, rsp->data, len);
4496 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4497 break;
4498
4499 case L2CAP_CONF_PENDING:
4500 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4501
4502 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4503 char buf[64];
4504
4505 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4506 buf, sizeof(buf), &result);
4507 if (len < 0) {
4508 l2cap_send_disconn_req(chan, ECONNRESET);
4509 goto done;
4510 }
4511
4512 if (!chan->hs_hcon) {
4513 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4514 0);
4515 } else {
4516 if (l2cap_check_efs(chan)) {
4517 amp_create_logical_link(chan);
4518 chan->ident = cmd->ident;
4519 }
4520 }
4521 }
4522 goto done;
4523
4524 case L2CAP_CONF_UNKNOWN:
4525 case L2CAP_CONF_UNACCEPT:
4526 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4527 char req[64];
4528
4529 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4530 l2cap_send_disconn_req(chan, ECONNRESET);
4531 goto done;
4532 }
4533
4534
4535 result = L2CAP_CONF_SUCCESS;
4536 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4537 req, sizeof(req), &result);
4538 if (len < 0) {
4539 l2cap_send_disconn_req(chan, ECONNRESET);
4540 goto done;
4541 }
4542
4543 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4544 L2CAP_CONF_REQ, len, req);
4545 chan->num_conf_req++;
4546 if (result != L2CAP_CONF_SUCCESS)
4547 goto done;
4548 break;
4549 }
4550 fallthrough;
4551
4552 default:
4553 l2cap_chan_set_err(chan, ECONNRESET);
4554
4555 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4556 l2cap_send_disconn_req(chan, ECONNRESET);
4557 goto done;
4558 }
4559
4560 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4561 goto done;
4562
4563 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4564
4565 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4566 set_default_fcs(chan);
4567
4568 if (chan->mode == L2CAP_MODE_ERTM ||
4569 chan->mode == L2CAP_MODE_STREAMING)
4570 err = l2cap_ertm_init(chan);
4571
4572 if (err < 0)
4573 l2cap_send_disconn_req(chan, -err);
4574 else
4575 l2cap_chan_ready(chan);
4576 }
4577
4578done:
4579 l2cap_chan_unlock(chan);
4580 return err;
4581}
4582
4583static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4584 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4585 u8 *data)
4586{
4587 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4588 struct l2cap_disconn_rsp rsp;
4589 u16 dcid, scid;
4590 struct l2cap_chan *chan;
4591
4592 if (cmd_len != sizeof(*req))
4593 return -EPROTO;
4594
4595 scid = __le16_to_cpu(req->scid);
4596 dcid = __le16_to_cpu(req->dcid);
4597
4598 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4599
4600 mutex_lock(&conn->chan_lock);
4601
4602 chan = __l2cap_get_chan_by_scid(conn, dcid);
4603 if (!chan) {
4604 mutex_unlock(&conn->chan_lock);
4605 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4606 return 0;
4607 }
4608
4609 l2cap_chan_hold(chan);
4610 l2cap_chan_lock(chan);
4611
4612 rsp.dcid = cpu_to_le16(chan->scid);
4613 rsp.scid = cpu_to_le16(chan->dcid);
4614 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4615
4616 chan->ops->set_shutdown(chan);
4617
4618 l2cap_chan_del(chan, ECONNRESET);
4619
4620 chan->ops->close(chan);
4621
4622 l2cap_chan_unlock(chan);
4623 l2cap_chan_put(chan);
4624
4625 mutex_unlock(&conn->chan_lock);
4626
4627 return 0;
4628}
4629
4630static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4631 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4632 u8 *data)
4633{
4634 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4635 u16 dcid, scid;
4636 struct l2cap_chan *chan;
4637
4638 if (cmd_len != sizeof(*rsp))
4639 return -EPROTO;
4640
4641 scid = __le16_to_cpu(rsp->scid);
4642 dcid = __le16_to_cpu(rsp->dcid);
4643
4644 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4645
4646 mutex_lock(&conn->chan_lock);
4647
4648 chan = __l2cap_get_chan_by_scid(conn, scid);
4649 if (!chan) {
4650 mutex_unlock(&conn->chan_lock);
4651 return 0;
4652 }
4653
4654 l2cap_chan_hold(chan);
4655 l2cap_chan_lock(chan);
4656
4657 if (chan->state != BT_DISCONN) {
4658 l2cap_chan_unlock(chan);
4659 l2cap_chan_put(chan);
4660 mutex_unlock(&conn->chan_lock);
4661 return 0;
4662 }
4663
4664 l2cap_chan_del(chan, 0);
4665
4666 chan->ops->close(chan);
4667
4668 l2cap_chan_unlock(chan);
4669 l2cap_chan_put(chan);
4670
4671 mutex_unlock(&conn->chan_lock);
4672
4673 return 0;
4674}
4675
4676static inline int l2cap_information_req(struct l2cap_conn *conn,
4677 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4678 u8 *data)
4679{
4680 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4681 u16 type;
4682
4683 if (cmd_len != sizeof(*req))
4684 return -EPROTO;
4685
4686 type = __le16_to_cpu(req->type);
4687
4688 BT_DBG("type 0x%4.4x", type);
4689
4690 if (type == L2CAP_IT_FEAT_MASK) {
4691 u8 buf[8];
4692 u32 feat_mask = l2cap_feat_mask;
4693 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4694 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4695 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4696 if (!disable_ertm)
4697 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4698 | L2CAP_FEAT_FCS;
4699 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4700 feat_mask |= L2CAP_FEAT_EXT_FLOW
4701 | L2CAP_FEAT_EXT_WINDOW;
4702
4703 put_unaligned_le32(feat_mask, rsp->data);
4704 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4705 buf);
4706 } else if (type == L2CAP_IT_FIXED_CHAN) {
4707 u8 buf[12];
4708 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4709
4710 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4711 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4712 rsp->data[0] = conn->local_fixed_chan;
4713 memset(rsp->data + 1, 0, 7);
4714 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4715 buf);
4716 } else {
4717 struct l2cap_info_rsp rsp;
4718 rsp.type = cpu_to_le16(type);
4719 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4720 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4721 &rsp);
4722 }
4723
4724 return 0;
4725}
4726
4727static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4728 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4729 u8 *data)
4730{
4731 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4732 u16 type, result;
4733
4734 if (cmd_len < sizeof(*rsp))
4735 return -EPROTO;
4736
4737 type = __le16_to_cpu(rsp->type);
4738 result = __le16_to_cpu(rsp->result);
4739
4740 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4741
4742
4743 if (cmd->ident != conn->info_ident ||
4744 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4745 return 0;
4746
4747 cancel_delayed_work(&conn->info_timer);
4748
4749 if (result != L2CAP_IR_SUCCESS) {
4750 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4751 conn->info_ident = 0;
4752
4753 l2cap_conn_start(conn);
4754
4755 return 0;
4756 }
4757
4758 switch (type) {
4759 case L2CAP_IT_FEAT_MASK:
4760 conn->feat_mask = get_unaligned_le32(rsp->data);
4761
4762 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4763 struct l2cap_info_req req;
4764 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4765
4766 conn->info_ident = l2cap_get_ident(conn);
4767
4768 l2cap_send_cmd(conn, conn->info_ident,
4769 L2CAP_INFO_REQ, sizeof(req), &req);
4770 } else {
4771 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4772 conn->info_ident = 0;
4773
4774 l2cap_conn_start(conn);
4775 }
4776 break;
4777
4778 case L2CAP_IT_FIXED_CHAN:
4779 conn->remote_fixed_chan = rsp->data[0];
4780 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4781 conn->info_ident = 0;
4782
4783 l2cap_conn_start(conn);
4784 break;
4785 }
4786
4787 return 0;
4788}
4789
4790static int l2cap_create_channel_req(struct l2cap_conn *conn,
4791 struct l2cap_cmd_hdr *cmd,
4792 u16 cmd_len, void *data)
4793{
4794 struct l2cap_create_chan_req *req = data;
4795 struct l2cap_create_chan_rsp rsp;
4796 struct l2cap_chan *chan;
4797 struct hci_dev *hdev;
4798 u16 psm, scid;
4799
4800 if (cmd_len != sizeof(*req))
4801 return -EPROTO;
4802
4803 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4804 return -EINVAL;
4805
4806 psm = le16_to_cpu(req->psm);
4807 scid = le16_to_cpu(req->scid);
4808
4809 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4810
4811
4812 if (req->amp_id == AMP_ID_BREDR) {
4813 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4814 req->amp_id);
4815 return 0;
4816 }
4817
4818
4819 hdev = hci_dev_get(req->amp_id);
4820 if (!hdev)
4821 goto error;
4822
4823 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4824 hci_dev_put(hdev);
4825 goto error;
4826 }
4827
4828 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4829 req->amp_id);
4830 if (chan) {
4831 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4832 struct hci_conn *hs_hcon;
4833
4834 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4835 &conn->hcon->dst);
4836 if (!hs_hcon) {
4837 hci_dev_put(hdev);
4838 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4839 chan->dcid);
4840 return 0;
4841 }
4842
4843 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4844
4845 mgr->bredr_chan = chan;
4846 chan->hs_hcon = hs_hcon;
4847 chan->fcs = L2CAP_FCS_NONE;
4848 conn->mtu = hdev->block_mtu;
4849 }
4850
4851 hci_dev_put(hdev);
4852
4853 return 0;
4854
4855error:
4856 rsp.dcid = 0;
4857 rsp.scid = cpu_to_le16(scid);
4858 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4859 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4860
4861 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4862 sizeof(rsp), &rsp);
4863
4864 return 0;
4865}
4866
4867static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4868{
4869 struct l2cap_move_chan_req req;
4870 u8 ident;
4871
4872 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4873
4874 ident = l2cap_get_ident(chan->conn);
4875 chan->ident = ident;
4876
4877 req.icid = cpu_to_le16(chan->scid);
4878 req.dest_amp_id = dest_amp_id;
4879
4880 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4881 &req);
4882
4883 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4884}
4885
4886static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4887{
4888 struct l2cap_move_chan_rsp rsp;
4889
4890 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4891
4892 rsp.icid = cpu_to_le16(chan->dcid);
4893 rsp.result = cpu_to_le16(result);
4894
4895 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4896 sizeof(rsp), &rsp);
4897}
4898
4899static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4900{
4901 struct l2cap_move_chan_cfm cfm;
4902
4903 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4904
4905 chan->ident = l2cap_get_ident(chan->conn);
4906
4907 cfm.icid = cpu_to_le16(chan->scid);
4908 cfm.result = cpu_to_le16(result);
4909
4910 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4911 sizeof(cfm), &cfm);
4912
4913 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4914}
4915
4916static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4917{
4918 struct l2cap_move_chan_cfm cfm;
4919
4920 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4921
4922 cfm.icid = cpu_to_le16(icid);
4923 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4924
4925 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4926 sizeof(cfm), &cfm);
4927}
4928
4929static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4930 u16 icid)
4931{
4932 struct l2cap_move_chan_cfm_rsp rsp;
4933
4934 BT_DBG("icid 0x%4.4x", icid);
4935
4936 rsp.icid = cpu_to_le16(icid);
4937 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4938}
4939
4940static void __release_logical_link(struct l2cap_chan *chan)
4941{
4942 chan->hs_hchan = NULL;
4943 chan->hs_hcon = NULL;
4944
4945
4946}
4947
4948static void l2cap_logical_fail(struct l2cap_chan *chan)
4949{
4950
4951 if (chan->state != BT_CONNECTED) {
4952
4953 l2cap_send_disconn_req(chan, ECONNRESET);
4954 return;
4955 }
4956
4957 switch (chan->move_role) {
4958 case L2CAP_MOVE_ROLE_RESPONDER:
4959 l2cap_move_done(chan);
4960 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4961 break;
4962 case L2CAP_MOVE_ROLE_INITIATOR:
4963 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4964 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4965
4966
4967
4968 l2cap_move_done(chan);
4969 }
4970
4971
4972
4973
4974 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4975 break;
4976 }
4977}
4978
4979static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4980 struct hci_chan *hchan)
4981{
4982 struct l2cap_conf_rsp rsp;
4983
4984 chan->hs_hchan = hchan;
4985 chan->hs_hcon->l2cap_data = chan->conn;
4986
4987 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4988
4989 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4990 int err;
4991
4992 set_default_fcs(chan);
4993
4994 err = l2cap_ertm_init(chan);
4995 if (err < 0)
4996 l2cap_send_disconn_req(chan, -err);
4997 else
4998 l2cap_chan_ready(chan);
4999 }
5000}
5001
5002static void l2cap_logical_finish_move(struct l2cap_chan *chan,
5003 struct hci_chan *hchan)
5004{
5005 chan->hs_hcon = hchan->conn;
5006 chan->hs_hcon->l2cap_data = chan->conn;
5007
5008 BT_DBG("move_state %d", chan->move_state);
5009
5010 switch (chan->move_state) {
5011 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5012
5013
5014
5015 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5016 break;
5017 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
5018 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5019 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5020 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5021 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5022 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5023 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5024 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5025 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5026 }
5027 break;
5028 default:
5029
5030 __release_logical_link(chan);
5031
5032 chan->move_state = L2CAP_MOVE_STABLE;
5033 }
5034}
5035
5036
5037void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
5038 u8 status)
5039{
5040 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
5041
5042 if (status) {
5043 l2cap_logical_fail(chan);
5044 __release_logical_link(chan);
5045 return;
5046 }
5047
5048 if (chan->state != BT_CONNECTED) {
5049
5050 if (chan->local_amp_id != AMP_ID_BREDR)
5051 l2cap_logical_finish_create(chan, hchan);
5052 } else {
5053 l2cap_logical_finish_move(chan, hchan);
5054 }
5055}
5056
5057void l2cap_move_start(struct l2cap_chan *chan)
5058{
5059 BT_DBG("chan %p", chan);
5060
5061 if (chan->local_amp_id == AMP_ID_BREDR) {
5062 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
5063 return;
5064 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5065 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5066
5067 } else {
5068 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5069 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5070 chan->move_id = 0;
5071 l2cap_move_setup(chan);
5072 l2cap_send_move_chan_req(chan, 0);
5073 }
5074}
5075
5076static void l2cap_do_create(struct l2cap_chan *chan, int result,
5077 u8 local_amp_id, u8 remote_amp_id)
5078{
5079 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
5080 local_amp_id, remote_amp_id);
5081
5082 chan->fcs = L2CAP_FCS_NONE;
5083
5084
5085 if (chan->state == BT_CONNECT) {
5086 if (result == L2CAP_CR_SUCCESS) {
5087 chan->local_amp_id = local_amp_id;
5088 l2cap_send_create_chan_req(chan, remote_amp_id);
5089 } else {
5090
5091 l2cap_send_conn_req(chan);
5092 }
5093
5094 return;
5095 }
5096
5097
5098 if (__l2cap_no_conn_pending(chan)) {
5099 struct l2cap_conn_rsp rsp;
5100 char buf[128];
5101 rsp.scid = cpu_to_le16(chan->dcid);
5102 rsp.dcid = cpu_to_le16(chan->scid);
5103
5104 if (result == L2CAP_CR_SUCCESS) {
5105
5106 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
5107 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5108 } else {
5109
5110 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
5111 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5112 }
5113
5114 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
5115 sizeof(rsp), &rsp);
5116
5117 if (result == L2CAP_CR_SUCCESS) {
5118 l2cap_state_change(chan, BT_CONFIG);
5119 set_bit(CONF_REQ_SENT, &chan->conf_state);
5120 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
5121 L2CAP_CONF_REQ,
5122 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
5123 chan->num_conf_req++;
5124 }
5125 }
5126}
5127
5128static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
5129 u8 remote_amp_id)
5130{
5131 l2cap_move_setup(chan);
5132 chan->move_id = local_amp_id;
5133 chan->move_state = L2CAP_MOVE_WAIT_RSP;
5134
5135 l2cap_send_move_chan_req(chan, remote_amp_id);
5136}
5137
5138static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
5139{
5140 struct hci_chan *hchan = NULL;
5141
5142
5143
5144 if (hchan) {
5145 if (hchan->state == BT_CONNECTED) {
5146
5147 chan->hs_hcon = hchan->conn;
5148 chan->hs_hcon->l2cap_data = chan->conn;
5149 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5150 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5151
5152 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5153 } else {
5154
5155 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5156 }
5157 } else {
5158
5159 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5160 }
5161}
5162
5163static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5164{
5165 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5166 u8 rsp_result;
5167 if (result == -EINVAL)
5168 rsp_result = L2CAP_MR_BAD_ID;
5169 else
5170 rsp_result = L2CAP_MR_NOT_ALLOWED;
5171
5172 l2cap_send_move_chan_rsp(chan, rsp_result);
5173 }
5174
5175 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5176 chan->move_state = L2CAP_MOVE_STABLE;
5177
5178
5179 l2cap_ertm_send(chan);
5180}
5181
5182
5183void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5184{
5185 u8 local_amp_id = chan->local_amp_id;
5186 u8 remote_amp_id = chan->remote_amp_id;
5187
5188 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5189 chan, result, local_amp_id, remote_amp_id);
5190
5191 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
5192 return;
5193
5194 if (chan->state != BT_CONNECTED) {
5195 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5196 } else if (result != L2CAP_MR_SUCCESS) {
5197 l2cap_do_move_cancel(chan, result);
5198 } else {
5199 switch (chan->move_role) {
5200 case L2CAP_MOVE_ROLE_INITIATOR:
5201 l2cap_do_move_initiate(chan, local_amp_id,
5202 remote_amp_id);
5203 break;
5204 case L2CAP_MOVE_ROLE_RESPONDER:
5205 l2cap_do_move_respond(chan, result);
5206 break;
5207 default:
5208 l2cap_do_move_cancel(chan, result);
5209 break;
5210 }
5211 }
5212}
5213
5214static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5215 struct l2cap_cmd_hdr *cmd,
5216 u16 cmd_len, void *data)
5217{
5218 struct l2cap_move_chan_req *req = data;
5219 struct l2cap_move_chan_rsp rsp;
5220 struct l2cap_chan *chan;
5221 u16 icid = 0;
5222 u16 result = L2CAP_MR_NOT_ALLOWED;
5223
5224 if (cmd_len != sizeof(*req))
5225 return -EPROTO;
5226
5227 icid = le16_to_cpu(req->icid);
5228
5229 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5230
5231 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
5232 return -EINVAL;
5233
5234 chan = l2cap_get_chan_by_dcid(conn, icid);
5235 if (!chan) {
5236 rsp.icid = cpu_to_le16(icid);
5237 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5238 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5239 sizeof(rsp), &rsp);
5240 return 0;
5241 }
5242
5243 chan->ident = cmd->ident;
5244
5245 if (chan->scid < L2CAP_CID_DYN_START ||
5246 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5247 (chan->mode != L2CAP_MODE_ERTM &&
5248 chan->mode != L2CAP_MODE_STREAMING)) {
5249 result = L2CAP_MR_NOT_ALLOWED;
5250 goto send_move_response;
5251 }
5252
5253 if (chan->local_amp_id == req->dest_amp_id) {
5254 result = L2CAP_MR_SAME_ID;
5255 goto send_move_response;
5256 }
5257
5258 if (req->dest_amp_id != AMP_ID_BREDR) {
5259 struct hci_dev *hdev;
5260 hdev = hci_dev_get(req->dest_amp_id);
5261 if (!hdev || hdev->dev_type != HCI_AMP ||
5262 !test_bit(HCI_UP, &hdev->flags)) {
5263 if (hdev)
5264 hci_dev_put(hdev);
5265
5266 result = L2CAP_MR_BAD_ID;
5267 goto send_move_response;
5268 }
5269 hci_dev_put(hdev);
5270 }
5271
5272
5273
5274
5275
5276 if ((__chan_is_moving(chan) ||
5277 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5278 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5279 result = L2CAP_MR_COLLISION;
5280 goto send_move_response;
5281 }
5282
5283 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5284 l2cap_move_setup(chan);
5285 chan->move_id = req->dest_amp_id;
5286
5287 if (req->dest_amp_id == AMP_ID_BREDR) {
5288
5289 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5290 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5291 result = L2CAP_MR_PEND;
5292 } else {
5293 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5294 result = L2CAP_MR_SUCCESS;
5295 }
5296 } else {
5297 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5298
5299
5300 result = L2CAP_MR_PEND;
5301 }
5302
5303send_move_response:
5304 l2cap_send_move_chan_rsp(chan, result);
5305
5306 l2cap_chan_unlock(chan);
5307
5308 return 0;
5309}
5310
5311static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5312{
5313 struct l2cap_chan *chan;
5314 struct hci_chan *hchan = NULL;
5315
5316 chan = l2cap_get_chan_by_scid(conn, icid);
5317 if (!chan) {
5318 l2cap_send_move_chan_cfm_icid(conn, icid);
5319 return;
5320 }
5321
5322 __clear_chan_timer(chan);
5323 if (result == L2CAP_MR_PEND)
5324 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5325
5326 switch (chan->move_state) {
5327 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5328
5329
5330
5331 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5332 break;
5333 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5334 if (result == L2CAP_MR_PEND) {
5335 break;
5336 } else if (test_bit(CONN_LOCAL_BUSY,
5337 &chan->conn_state)) {
5338 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5339 } else {
5340
5341
5342
5343 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5344 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5345 }
5346 break;
5347 case L2CAP_MOVE_WAIT_RSP:
5348
5349 if (result == L2CAP_MR_SUCCESS) {
5350
5351
5352
5353 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5354 } else {
5355
5356
5357
5358 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5359 }
5360
5361
5362 if (!hchan) {
5363
5364 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5365 break;
5366 }
5367
5368
5369
5370
5371 if (hchan->state != BT_CONNECTED)
5372 break;
5373
5374
5375
5376 chan->hs_hcon = hchan->conn;
5377 chan->hs_hcon->l2cap_data = chan->conn;
5378
5379 if (result == L2CAP_MR_SUCCESS) {
5380
5381 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5382 } else {
5383
5384
5385
5386 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5387 }
5388
5389 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5390 break;
5391 default:
5392
5393 chan->move_id = chan->local_amp_id;
5394 l2cap_move_done(chan);
5395 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5396 }
5397
5398 l2cap_chan_unlock(chan);
5399}
5400
5401static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5402 u16 result)
5403{
5404 struct l2cap_chan *chan;
5405
5406 chan = l2cap_get_chan_by_ident(conn, ident);
5407 if (!chan) {
5408
5409 l2cap_send_move_chan_cfm_icid(conn, icid);
5410 return;
5411 }
5412
5413 __clear_chan_timer(chan);
5414
5415 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5416 if (result == L2CAP_MR_COLLISION) {
5417 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5418 } else {
5419
5420 chan->move_id = chan->local_amp_id;
5421 l2cap_move_done(chan);
5422 }
5423 }
5424
5425 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5426
5427 l2cap_chan_unlock(chan);
5428}
5429
5430static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5431 struct l2cap_cmd_hdr *cmd,
5432 u16 cmd_len, void *data)
5433{
5434 struct l2cap_move_chan_rsp *rsp = data;
5435 u16 icid, result;
5436
5437 if (cmd_len != sizeof(*rsp))
5438 return -EPROTO;
5439
5440 icid = le16_to_cpu(rsp->icid);
5441 result = le16_to_cpu(rsp->result);
5442
5443 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5444
5445 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5446 l2cap_move_continue(conn, icid, result);
5447 else
5448 l2cap_move_fail(conn, cmd->ident, icid, result);
5449
5450 return 0;
5451}
5452
5453static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5454 struct l2cap_cmd_hdr *cmd,
5455 u16 cmd_len, void *data)
5456{
5457 struct l2cap_move_chan_cfm *cfm = data;
5458 struct l2cap_chan *chan;
5459 u16 icid, result;
5460
5461 if (cmd_len != sizeof(*cfm))
5462 return -EPROTO;
5463
5464 icid = le16_to_cpu(cfm->icid);
5465 result = le16_to_cpu(cfm->result);
5466
5467 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5468
5469 chan = l2cap_get_chan_by_dcid(conn, icid);
5470 if (!chan) {
5471
5472 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5473 return 0;
5474 }
5475
5476 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5477 if (result == L2CAP_MC_CONFIRMED) {
5478 chan->local_amp_id = chan->move_id;
5479 if (chan->local_amp_id == AMP_ID_BREDR)
5480 __release_logical_link(chan);
5481 } else {
5482 chan->move_id = chan->local_amp_id;
5483 }
5484
5485 l2cap_move_done(chan);
5486 }
5487
5488 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5489
5490 l2cap_chan_unlock(chan);
5491
5492 return 0;
5493}
5494
5495static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5496 struct l2cap_cmd_hdr *cmd,
5497 u16 cmd_len, void *data)
5498{
5499 struct l2cap_move_chan_cfm_rsp *rsp = data;
5500 struct l2cap_chan *chan;
5501 u16 icid;
5502
5503 if (cmd_len != sizeof(*rsp))
5504 return -EPROTO;
5505
5506 icid = le16_to_cpu(rsp->icid);
5507
5508 BT_DBG("icid 0x%4.4x", icid);
5509
5510 chan = l2cap_get_chan_by_scid(conn, icid);
5511 if (!chan)
5512 return 0;
5513
5514 __clear_chan_timer(chan);
5515
5516 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5517 chan->local_amp_id = chan->move_id;
5518
5519 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5520 __release_logical_link(chan);
5521
5522 l2cap_move_done(chan);
5523 }
5524
5525 l2cap_chan_unlock(chan);
5526
5527 return 0;
5528}
5529
5530static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5531 struct l2cap_cmd_hdr *cmd,
5532 u16 cmd_len, u8 *data)
5533{
5534 struct hci_conn *hcon = conn->hcon;
5535 struct l2cap_conn_param_update_req *req;
5536 struct l2cap_conn_param_update_rsp rsp;
5537 u16 min, max, latency, to_multiplier;
5538 int err;
5539
5540 if (hcon->role != HCI_ROLE_MASTER)
5541 return -EINVAL;
5542
5543 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5544 return -EPROTO;
5545
5546 req = (struct l2cap_conn_param_update_req *) data;
5547 min = __le16_to_cpu(req->min);
5548 max = __le16_to_cpu(req->max);
5549 latency = __le16_to_cpu(req->latency);
5550 to_multiplier = __le16_to_cpu(req->to_multiplier);
5551
5552 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5553 min, max, latency, to_multiplier);
5554
5555 memset(&rsp, 0, sizeof(rsp));
5556
5557 err = hci_check_conn_params(min, max, latency, to_multiplier);
5558 if (err)
5559 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5560 else
5561 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5562
5563 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5564 sizeof(rsp), &rsp);
5565
5566 if (!err) {
5567 u8 store_hint;
5568
5569 store_hint = hci_le_conn_update(hcon, min, max, latency,
5570 to_multiplier);
5571 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5572 store_hint, min, max, latency,
5573 to_multiplier);
5574
5575 }
5576
5577 return 0;
5578}
5579
5580static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5581 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5582 u8 *data)
5583{
5584 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5585 struct hci_conn *hcon = conn->hcon;
5586 u16 dcid, mtu, mps, credits, result;
5587 struct l2cap_chan *chan;
5588 int err, sec_level;
5589
5590 if (cmd_len < sizeof(*rsp))
5591 return -EPROTO;
5592
5593 dcid = __le16_to_cpu(rsp->dcid);
5594 mtu = __le16_to_cpu(rsp->mtu);
5595 mps = __le16_to_cpu(rsp->mps);
5596 credits = __le16_to_cpu(rsp->credits);
5597 result = __le16_to_cpu(rsp->result);
5598
5599 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5600 dcid < L2CAP_CID_DYN_START ||
5601 dcid > L2CAP_CID_LE_DYN_END))
5602 return -EPROTO;
5603
5604 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5605 dcid, mtu, mps, credits, result);
5606
5607 mutex_lock(&conn->chan_lock);
5608
5609 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5610 if (!chan) {
5611 err = -EBADSLT;
5612 goto unlock;
5613 }
5614
5615 err = 0;
5616
5617 l2cap_chan_lock(chan);
5618
5619 switch (result) {
5620 case L2CAP_CR_LE_SUCCESS:
5621 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5622 err = -EBADSLT;
5623 break;
5624 }
5625
5626 chan->ident = 0;
5627 chan->dcid = dcid;
5628 chan->omtu = mtu;
5629 chan->remote_mps = mps;
5630 chan->tx_credits = credits;
5631 l2cap_chan_ready(chan);
5632 break;
5633
5634 case L2CAP_CR_LE_AUTHENTICATION:
5635 case L2CAP_CR_LE_ENCRYPTION:
5636
5637
5638
5639 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5640 l2cap_chan_del(chan, ECONNREFUSED);
5641 break;
5642 }
5643
5644 sec_level = hcon->sec_level + 1;
5645 if (chan->sec_level < sec_level)
5646 chan->sec_level = sec_level;
5647
5648
5649 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5650
5651 smp_conn_security(hcon, chan->sec_level);
5652 break;
5653
5654 default:
5655 l2cap_chan_del(chan, ECONNREFUSED);
5656 break;
5657 }
5658
5659 l2cap_chan_unlock(chan);
5660
5661unlock:
5662 mutex_unlock(&conn->chan_lock);
5663
5664 return err;
5665}
5666
5667static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5668 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5669 u8 *data)
5670{
5671 int err = 0;
5672
5673 switch (cmd->code) {
5674 case L2CAP_COMMAND_REJ:
5675 l2cap_command_rej(conn, cmd, cmd_len, data);
5676 break;
5677
5678 case L2CAP_CONN_REQ:
5679 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5680 break;
5681
5682 case L2CAP_CONN_RSP:
5683 case L2CAP_CREATE_CHAN_RSP:
5684 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5685 break;
5686
5687 case L2CAP_CONF_REQ:
5688 err = l2cap_config_req(conn, cmd, cmd_len, data);
5689 break;
5690
5691 case L2CAP_CONF_RSP:
5692 l2cap_config_rsp(conn, cmd, cmd_len, data);
5693 break;
5694
5695 case L2CAP_DISCONN_REQ:
5696 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5697 break;
5698
5699 case L2CAP_DISCONN_RSP:
5700 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5701 break;
5702
5703 case L2CAP_ECHO_REQ:
5704 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5705 break;
5706
5707 case L2CAP_ECHO_RSP:
5708 break;
5709
5710 case L2CAP_INFO_REQ:
5711 err = l2cap_information_req(conn, cmd, cmd_len, data);
5712 break;
5713
5714 case L2CAP_INFO_RSP:
5715 l2cap_information_rsp(conn, cmd, cmd_len, data);
5716 break;
5717
5718 case L2CAP_CREATE_CHAN_REQ:
5719 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5720 break;
5721
5722 case L2CAP_MOVE_CHAN_REQ:
5723 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5724 break;
5725
5726 case L2CAP_MOVE_CHAN_RSP:
5727 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5728 break;
5729
5730 case L2CAP_MOVE_CHAN_CFM:
5731 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5732 break;
5733
5734 case L2CAP_MOVE_CHAN_CFM_RSP:
5735 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5736 break;
5737
5738 default:
5739 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5740 err = -EINVAL;
5741 break;
5742 }
5743
5744 return err;
5745}
5746
5747static int l2cap_le_connect_req(struct l2cap_conn *conn,
5748 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5749 u8 *data)
5750{
5751 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5752 struct l2cap_le_conn_rsp rsp;
5753 struct l2cap_chan *chan, *pchan;
5754 u16 dcid, scid, credits, mtu, mps;
5755 __le16 psm;
5756 u8 result;
5757
5758 if (cmd_len != sizeof(*req))
5759 return -EPROTO;
5760
5761 scid = __le16_to_cpu(req->scid);
5762 mtu = __le16_to_cpu(req->mtu);
5763 mps = __le16_to_cpu(req->mps);
5764 psm = req->psm;
5765 dcid = 0;
5766 credits = 0;
5767
5768 if (mtu < 23 || mps < 23)
5769 return -EPROTO;
5770
5771 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5772 scid, mtu, mps);
5773
5774
5775 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5776 &conn->hcon->dst, LE_LINK);
5777 if (!pchan) {
5778 result = L2CAP_CR_LE_BAD_PSM;
5779 chan = NULL;
5780 goto response;
5781 }
5782
5783 mutex_lock(&conn->chan_lock);
5784 l2cap_chan_lock(pchan);
5785
5786 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5787 SMP_ALLOW_STK)) {
5788 result = L2CAP_CR_LE_AUTHENTICATION;
5789 chan = NULL;
5790 goto response_unlock;
5791 }
5792
5793
5794 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5795 result = L2CAP_CR_LE_INVALID_SCID;
5796 chan = NULL;
5797 goto response_unlock;
5798 }
5799
5800
5801 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5802 result = L2CAP_CR_LE_SCID_IN_USE;
5803 chan = NULL;
5804 goto response_unlock;
5805 }
5806
5807 chan = pchan->ops->new_connection(pchan);
5808 if (!chan) {
5809 result = L2CAP_CR_LE_NO_MEM;
5810 goto response_unlock;
5811 }
5812
5813 bacpy(&chan->src, &conn->hcon->src);
5814 bacpy(&chan->dst, &conn->hcon->dst);
5815 chan->src_type = bdaddr_src_type(conn->hcon);
5816 chan->dst_type = bdaddr_dst_type(conn->hcon);
5817 chan->psm = psm;
5818 chan->dcid = scid;
5819 chan->omtu = mtu;
5820 chan->remote_mps = mps;
5821
5822 __l2cap_chan_add(conn, chan);
5823
5824 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5825
5826 dcid = chan->scid;
5827 credits = chan->rx_credits;
5828
5829 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5830
5831 chan->ident = cmd->ident;
5832
5833 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5834 l2cap_state_change(chan, BT_CONNECT2);
5835
5836
5837
5838
5839
5840 result = L2CAP_CR_PEND;
5841 chan->ops->defer(chan);
5842 } else {
5843 l2cap_chan_ready(chan);
5844 result = L2CAP_CR_LE_SUCCESS;
5845 }
5846
5847response_unlock:
5848 l2cap_chan_unlock(pchan);
5849 mutex_unlock(&conn->chan_lock);
5850 l2cap_chan_put(pchan);
5851
5852 if (result == L2CAP_CR_PEND)
5853 return 0;
5854
5855response:
5856 if (chan) {
5857 rsp.mtu = cpu_to_le16(chan->imtu);
5858 rsp.mps = cpu_to_le16(chan->mps);
5859 } else {
5860 rsp.mtu = 0;
5861 rsp.mps = 0;
5862 }
5863
5864 rsp.dcid = cpu_to_le16(dcid);
5865 rsp.credits = cpu_to_le16(credits);
5866 rsp.result = cpu_to_le16(result);
5867
5868 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5869
5870 return 0;
5871}
5872
5873static inline int l2cap_le_credits(struct l2cap_conn *conn,
5874 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5875 u8 *data)
5876{
5877 struct l2cap_le_credits *pkt;
5878 struct l2cap_chan *chan;
5879 u16 cid, credits, max_credits;
5880
5881 if (cmd_len != sizeof(*pkt))
5882 return -EPROTO;
5883
5884 pkt = (struct l2cap_le_credits *) data;
5885 cid = __le16_to_cpu(pkt->cid);
5886 credits = __le16_to_cpu(pkt->credits);
5887
5888 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5889
5890 chan = l2cap_get_chan_by_dcid(conn, cid);
5891 if (!chan)
5892 return -EBADSLT;
5893
5894 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5895 if (credits > max_credits) {
5896 BT_ERR("LE credits overflow");
5897 l2cap_send_disconn_req(chan, ECONNRESET);
5898 l2cap_chan_unlock(chan);
5899
5900
5901
5902
5903 return 0;
5904 }
5905
5906 chan->tx_credits += credits;
5907
5908
5909 l2cap_le_flowctl_send(chan);
5910
5911 if (chan->tx_credits)
5912 chan->ops->resume(chan);
5913
5914 l2cap_chan_unlock(chan);
5915
5916 return 0;
5917}
5918
5919static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5920 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5921 u8 *data)
5922{
5923 struct l2cap_ecred_conn_req *req = (void *) data;
5924 struct {
5925 struct l2cap_ecred_conn_rsp rsp;
5926 __le16 dcid[L2CAP_ECRED_MAX_CID];
5927 } __packed pdu;
5928 struct l2cap_chan *chan, *pchan;
5929 u16 mtu, mps;
5930 __le16 psm;
5931 u8 result, len = 0;
5932 int i, num_scid;
5933 bool defer = false;
5934
5935 if (!enable_ecred)
5936 return -EINVAL;
5937
5938 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5939 result = L2CAP_CR_LE_INVALID_PARAMS;
5940 goto response;
5941 }
5942
5943 cmd_len -= sizeof(*req);
5944 num_scid = cmd_len / sizeof(u16);
5945
5946 if (num_scid > ARRAY_SIZE(pdu.dcid)) {
5947 result = L2CAP_CR_LE_INVALID_PARAMS;
5948 goto response;
5949 }
5950
5951 mtu = __le16_to_cpu(req->mtu);
5952 mps = __le16_to_cpu(req->mps);
5953
5954 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5955 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5956 goto response;
5957 }
5958
5959 psm = req->psm;
5960
5961 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5962
5963 memset(&pdu, 0, sizeof(pdu));
5964
5965
5966 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5967 &conn->hcon->dst, LE_LINK);
5968 if (!pchan) {
5969 result = L2CAP_CR_LE_BAD_PSM;
5970 goto response;
5971 }
5972
5973 mutex_lock(&conn->chan_lock);
5974 l2cap_chan_lock(pchan);
5975
5976 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5977 SMP_ALLOW_STK)) {
5978 result = L2CAP_CR_LE_AUTHENTICATION;
5979 goto unlock;
5980 }
5981
5982 result = L2CAP_CR_LE_SUCCESS;
5983
5984 for (i = 0; i < num_scid; i++) {
5985 u16 scid = __le16_to_cpu(req->scid[i]);
5986
5987 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5988
5989 pdu.dcid[i] = 0x0000;
5990 len += sizeof(*pdu.dcid);
5991
5992
5993 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5994 result = L2CAP_CR_LE_INVALID_SCID;
5995 continue;
5996 }
5997
5998
5999 if (__l2cap_get_chan_by_dcid(conn, scid)) {
6000 result = L2CAP_CR_LE_SCID_IN_USE;
6001 continue;
6002 }
6003
6004 chan = pchan->ops->new_connection(pchan);
6005 if (!chan) {
6006 result = L2CAP_CR_LE_NO_MEM;
6007 continue;
6008 }
6009
6010 bacpy(&chan->src, &conn->hcon->src);
6011 bacpy(&chan->dst, &conn->hcon->dst);
6012 chan->src_type = bdaddr_src_type(conn->hcon);
6013 chan->dst_type = bdaddr_dst_type(conn->hcon);
6014 chan->psm = psm;
6015 chan->dcid = scid;
6016 chan->omtu = mtu;
6017 chan->remote_mps = mps;
6018
6019 __l2cap_chan_add(conn, chan);
6020
6021 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6022
6023
6024 if (!pdu.rsp.credits) {
6025 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6026 pdu.rsp.mps = cpu_to_le16(chan->mps);
6027 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6028 }
6029
6030 pdu.dcid[i] = cpu_to_le16(chan->scid);
6031
6032 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6033
6034 chan->ident = cmd->ident;
6035
6036 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6037 l2cap_state_change(chan, BT_CONNECT2);
6038 defer = true;
6039 chan->ops->defer(chan);
6040 } else {
6041 l2cap_chan_ready(chan);
6042 }
6043 }
6044
6045unlock:
6046 l2cap_chan_unlock(pchan);
6047 mutex_unlock(&conn->chan_lock);
6048 l2cap_chan_put(pchan);
6049
6050response:
6051 pdu.rsp.result = cpu_to_le16(result);
6052
6053 if (defer)
6054 return 0;
6055
6056 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6057 sizeof(pdu.rsp) + len, &pdu);
6058
6059 return 0;
6060}
6061
6062static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6063 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6064 u8 *data)
6065{
6066 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6067 struct hci_conn *hcon = conn->hcon;
6068 u16 mtu, mps, credits, result;
6069 struct l2cap_chan *chan;
6070 int err = 0, sec_level;
6071 int i = 0;
6072
6073 if (cmd_len < sizeof(*rsp))
6074 return -EPROTO;
6075
6076 mtu = __le16_to_cpu(rsp->mtu);
6077 mps = __le16_to_cpu(rsp->mps);
6078 credits = __le16_to_cpu(rsp->credits);
6079 result = __le16_to_cpu(rsp->result);
6080
6081 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6082 result);
6083
6084 mutex_lock(&conn->chan_lock);
6085
6086 cmd_len -= sizeof(*rsp);
6087
6088 list_for_each_entry(chan, &conn->chan_l, list) {
6089 u16 dcid;
6090
6091 if (chan->ident != cmd->ident ||
6092 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6093 chan->state == BT_CONNECTED)
6094 continue;
6095
6096 l2cap_chan_lock(chan);
6097
6098
6099 if (cmd_len < sizeof(dcid)) {
6100 l2cap_chan_del(chan, ECONNREFUSED);
6101 l2cap_chan_unlock(chan);
6102 continue;
6103 }
6104
6105 dcid = __le16_to_cpu(rsp->dcid[i++]);
6106 cmd_len -= sizeof(u16);
6107
6108 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6109
6110
6111 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6112
6113
6114
6115
6116
6117
6118 l2cap_chan_del(chan, ECONNREFUSED);
6119 l2cap_chan_unlock(chan);
6120 chan = __l2cap_get_chan_by_dcid(conn, dcid);
6121 l2cap_chan_lock(chan);
6122 l2cap_chan_del(chan, ECONNRESET);
6123 l2cap_chan_unlock(chan);
6124 continue;
6125 }
6126
6127 switch (result) {
6128 case L2CAP_CR_LE_AUTHENTICATION:
6129 case L2CAP_CR_LE_ENCRYPTION:
6130
6131
6132
6133 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6134 l2cap_chan_del(chan, ECONNREFUSED);
6135 break;
6136 }
6137
6138 sec_level = hcon->sec_level + 1;
6139 if (chan->sec_level < sec_level)
6140 chan->sec_level = sec_level;
6141
6142
6143 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6144
6145 smp_conn_security(hcon, chan->sec_level);
6146 break;
6147
6148 case L2CAP_CR_LE_BAD_PSM:
6149 l2cap_chan_del(chan, ECONNREFUSED);
6150 break;
6151
6152 default:
6153
6154 if (!dcid) {
6155 l2cap_chan_del(chan, ECONNREFUSED);
6156 break;
6157 }
6158
6159 chan->ident = 0;
6160 chan->dcid = dcid;
6161 chan->omtu = mtu;
6162 chan->remote_mps = mps;
6163 chan->tx_credits = credits;
6164 l2cap_chan_ready(chan);
6165 break;
6166 }
6167
6168 l2cap_chan_unlock(chan);
6169 }
6170
6171 mutex_unlock(&conn->chan_lock);
6172
6173 return err;
6174}
6175
6176static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6177 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6178 u8 *data)
6179{
6180 struct l2cap_ecred_reconf_req *req = (void *) data;
6181 struct l2cap_ecred_reconf_rsp rsp;
6182 u16 mtu, mps, result;
6183 struct l2cap_chan *chan;
6184 int i, num_scid;
6185
6186 if (!enable_ecred)
6187 return -EINVAL;
6188
6189 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6190 result = L2CAP_CR_LE_INVALID_PARAMS;
6191 goto respond;
6192 }
6193
6194 mtu = __le16_to_cpu(req->mtu);
6195 mps = __le16_to_cpu(req->mps);
6196
6197 BT_DBG("mtu %u mps %u", mtu, mps);
6198
6199 if (mtu < L2CAP_ECRED_MIN_MTU) {
6200 result = L2CAP_RECONF_INVALID_MTU;
6201 goto respond;
6202 }
6203
6204 if (mps < L2CAP_ECRED_MIN_MPS) {
6205 result = L2CAP_RECONF_INVALID_MPS;
6206 goto respond;
6207 }
6208
6209 cmd_len -= sizeof(*req);
6210 num_scid = cmd_len / sizeof(u16);
6211 result = L2CAP_RECONF_SUCCESS;
6212
6213 for (i = 0; i < num_scid; i++) {
6214 u16 scid;
6215
6216 scid = __le16_to_cpu(req->scid[i]);
6217 if (!scid)
6218 return -EPROTO;
6219
6220 chan = __l2cap_get_chan_by_dcid(conn, scid);
6221 if (!chan)
6222 continue;
6223
6224
6225
6226
6227
6228 if (chan->omtu > mtu) {
6229 BT_ERR("chan %p decreased MTU %u -> %u", chan,
6230 chan->omtu, mtu);
6231 result = L2CAP_RECONF_INVALID_MTU;
6232 }
6233
6234 chan->omtu = mtu;
6235 chan->remote_mps = mps;
6236 }
6237
6238respond:
6239 rsp.result = cpu_to_le16(result);
6240
6241 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6242 &rsp);
6243
6244 return 0;
6245}
6246
6247static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6248 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6249 u8 *data)
6250{
6251 struct l2cap_chan *chan;
6252 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6253 u16 result;
6254
6255 if (cmd_len < sizeof(*rsp))
6256 return -EPROTO;
6257
6258 result = __le16_to_cpu(rsp->result);
6259
6260 BT_DBG("result 0x%4.4x", rsp->result);
6261
6262 if (!result)
6263 return 0;
6264
6265 list_for_each_entry(chan, &conn->chan_l, list) {
6266 if (chan->ident != cmd->ident)
6267 continue;
6268
6269 l2cap_chan_del(chan, ECONNRESET);
6270 }
6271
6272 return 0;
6273}
6274
6275static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
6276 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6277 u8 *data)
6278{
6279 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
6280 struct l2cap_chan *chan;
6281
6282 if (cmd_len < sizeof(*rej))
6283 return -EPROTO;
6284
6285 mutex_lock(&conn->chan_lock);
6286
6287 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
6288 if (!chan)
6289 goto done;
6290
6291 l2cap_chan_lock(chan);
6292 l2cap_chan_del(chan, ECONNREFUSED);
6293 l2cap_chan_unlock(chan);
6294
6295done:
6296 mutex_unlock(&conn->chan_lock);
6297 return 0;
6298}
6299
6300static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
6301 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6302 u8 *data)
6303{
6304 int err = 0;
6305
6306 switch (cmd->code) {
6307 case L2CAP_COMMAND_REJ:
6308 l2cap_le_command_rej(conn, cmd, cmd_len, data);
6309 break;
6310
6311 case L2CAP_CONN_PARAM_UPDATE_REQ:
6312 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
6313 break;
6314
6315 case L2CAP_CONN_PARAM_UPDATE_RSP:
6316 break;
6317
6318 case L2CAP_LE_CONN_RSP:
6319 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
6320 break;
6321
6322 case L2CAP_LE_CONN_REQ:
6323 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
6324 break;
6325
6326 case L2CAP_LE_CREDITS:
6327 err = l2cap_le_credits(conn, cmd, cmd_len, data);
6328 break;
6329
6330 case L2CAP_ECRED_CONN_REQ:
6331 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6332 break;
6333
6334 case L2CAP_ECRED_CONN_RSP:
6335 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6336 break;
6337
6338 case L2CAP_ECRED_RECONF_REQ:
6339 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6340 break;
6341
6342 case L2CAP_ECRED_RECONF_RSP:
6343 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
6344 break;
6345
6346 case L2CAP_DISCONN_REQ:
6347 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
6348 break;
6349
6350 case L2CAP_DISCONN_RSP:
6351 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
6352 break;
6353
6354 default:
6355 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
6356 err = -EINVAL;
6357 break;
6358 }
6359
6360 return err;
6361}
6362
6363static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
6364 struct sk_buff *skb)
6365{
6366 struct hci_conn *hcon = conn->hcon;
6367 struct l2cap_cmd_hdr *cmd;
6368 u16 len;
6369 int err;
6370
6371 if (hcon->type != LE_LINK)
6372 goto drop;
6373
6374 if (skb->len < L2CAP_CMD_HDR_SIZE)
6375 goto drop;
6376
6377 cmd = (void *) skb->data;
6378 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6379
6380 len = le16_to_cpu(cmd->len);
6381
6382 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
6383
6384 if (len != skb->len || !cmd->ident) {
6385 BT_DBG("corrupted command");
6386 goto drop;
6387 }
6388
6389 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
6390 if (err) {
6391 struct l2cap_cmd_rej_unk rej;
6392
6393 BT_ERR("Wrong link type (%d)", err);
6394
6395 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6396 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6397 sizeof(rej), &rej);
6398 }
6399
6400drop:
6401 kfree_skb(skb);
6402}
6403
6404static inline void l2cap_sig_channel(struct l2cap_conn *conn,
6405 struct sk_buff *skb)
6406{
6407 struct hci_conn *hcon = conn->hcon;
6408 struct l2cap_cmd_hdr *cmd;
6409 int err;
6410
6411 l2cap_raw_recv(conn, skb);
6412
6413 if (hcon->type != ACL_LINK)
6414 goto drop;
6415
6416 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6417 u16 len;
6418
6419 cmd = (void *) skb->data;
6420 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6421
6422 len = le16_to_cpu(cmd->len);
6423
6424 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6425 cmd->ident);
6426
6427 if (len > skb->len || !cmd->ident) {
6428 BT_DBG("corrupted command");
6429 break;
6430 }
6431
6432 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
6433 if (err) {
6434 struct l2cap_cmd_rej_unk rej;
6435
6436 BT_ERR("Wrong link type (%d)", err);
6437
6438 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6439 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6440 sizeof(rej), &rej);
6441 }
6442
6443 skb_pull(skb, len);
6444 }
6445
6446drop:
6447 kfree_skb(skb);
6448}
6449
6450static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
6451{
6452 u16 our_fcs, rcv_fcs;
6453 int hdr_size;
6454
6455 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
6456 hdr_size = L2CAP_EXT_HDR_SIZE;
6457 else
6458 hdr_size = L2CAP_ENH_HDR_SIZE;
6459
6460 if (chan->fcs == L2CAP_FCS_CRC16) {
6461 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
6462 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
6463 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
6464
6465 if (our_fcs != rcv_fcs)
6466 return -EBADMSG;
6467 }
6468 return 0;
6469}
6470
6471static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
6472{
6473 struct l2cap_ctrl control;
6474
6475 BT_DBG("chan %p", chan);
6476
6477 memset(&control, 0, sizeof(control));
6478 control.sframe = 1;
6479 control.final = 1;
6480 control.reqseq = chan->buffer_seq;
6481 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6482
6483 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6484 control.super = L2CAP_SUPER_RNR;
6485 l2cap_send_sframe(chan, &control);
6486 }
6487
6488 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6489 chan->unacked_frames > 0)
6490 __set_retrans_timer(chan);
6491
6492
6493 l2cap_ertm_send(chan);
6494
6495 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6496 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
6497
6498
6499
6500 control.super = L2CAP_SUPER_RR;
6501 l2cap_send_sframe(chan, &control);
6502 }
6503}
6504
6505static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
6506 struct sk_buff **last_frag)
6507{
6508
6509
6510
6511 if (!skb_has_frag_list(skb))
6512 skb_shinfo(skb)->frag_list = new_frag;
6513
6514 new_frag->next = NULL;
6515
6516 (*last_frag)->next = new_frag;
6517 *last_frag = new_frag;
6518
6519 skb->len += new_frag->len;
6520 skb->data_len += new_frag->len;
6521 skb->truesize += new_frag->truesize;
6522}
6523
6524static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
6525 struct l2cap_ctrl *control)
6526{
6527 int err = -EINVAL;
6528
6529 switch (control->sar) {
6530 case L2CAP_SAR_UNSEGMENTED:
6531 if (chan->sdu)
6532 break;
6533
6534 err = chan->ops->recv(chan, skb);
6535 break;
6536
6537 case L2CAP_SAR_START:
6538 if (chan->sdu)
6539 break;
6540
6541 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
6542 break;
6543
6544 chan->sdu_len = get_unaligned_le16(skb->data);
6545 skb_pull(skb, L2CAP_SDULEN_SIZE);
6546
6547 if (chan->sdu_len > chan->imtu) {
6548 err = -EMSGSIZE;
6549 break;
6550 }
6551
6552 if (skb->len >= chan->sdu_len)
6553 break;
6554
6555 chan->sdu = skb;
6556 chan->sdu_last_frag = skb;
6557
6558 skb = NULL;
6559 err = 0;
6560 break;
6561
6562 case L2CAP_SAR_CONTINUE:
6563 if (!chan->sdu)
6564 break;
6565
6566 append_skb_frag(chan->sdu, skb,
6567 &chan->sdu_last_frag);
6568 skb = NULL;
6569
6570 if (chan->sdu->len >= chan->sdu_len)
6571 break;
6572
6573 err = 0;
6574 break;
6575
6576 case L2CAP_SAR_END:
6577 if (!chan->sdu)
6578 break;
6579
6580 append_skb_frag(chan->sdu, skb,
6581 &chan->sdu_last_frag);
6582 skb = NULL;
6583
6584 if (chan->sdu->len != chan->sdu_len)
6585 break;
6586
6587 err = chan->ops->recv(chan, chan->sdu);
6588
6589 if (!err) {
6590
6591 chan->sdu = NULL;
6592 chan->sdu_last_frag = NULL;
6593 chan->sdu_len = 0;
6594 }
6595 break;
6596 }
6597
6598 if (err) {
6599 kfree_skb(skb);
6600 kfree_skb(chan->sdu);
6601 chan->sdu = NULL;
6602 chan->sdu_last_frag = NULL;
6603 chan->sdu_len = 0;
6604 }
6605
6606 return err;
6607}
6608
6609static int l2cap_resegment(struct l2cap_chan *chan)
6610{
6611
6612 return 0;
6613}
6614
6615void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6616{
6617 u8 event;
6618
6619 if (chan->mode != L2CAP_MODE_ERTM)
6620 return;
6621
6622 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6623 l2cap_tx(chan, NULL, NULL, event);
6624}
6625
6626static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6627{
6628 int err = 0;
6629
6630
6631
6632
6633 BT_DBG("chan %p", chan);
6634
6635 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6636 struct sk_buff *skb;
6637 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6638 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6639
6640 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6641
6642 if (!skb)
6643 break;
6644
6645 skb_unlink(skb, &chan->srej_q);
6646 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6647 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6648 if (err)
6649 break;
6650 }
6651
6652 if (skb_queue_empty(&chan->srej_q)) {
6653 chan->rx_state = L2CAP_RX_STATE_RECV;
6654 l2cap_send_ack(chan);
6655 }
6656
6657 return err;
6658}
6659
6660static void l2cap_handle_srej(struct l2cap_chan *chan,
6661 struct l2cap_ctrl *control)
6662{
6663 struct sk_buff *skb;
6664
6665 BT_DBG("chan %p, control %p", chan, control);
6666
6667 if (control->reqseq == chan->next_tx_seq) {
6668 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6669 l2cap_send_disconn_req(chan, ECONNRESET);
6670 return;
6671 }
6672
6673 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6674
6675 if (skb == NULL) {
6676 BT_DBG("Seq %d not available for retransmission",
6677 control->reqseq);
6678 return;
6679 }
6680
6681 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6682 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6683 l2cap_send_disconn_req(chan, ECONNRESET);
6684 return;
6685 }
6686
6687 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6688
6689 if (control->poll) {
6690 l2cap_pass_to_tx(chan, control);
6691
6692 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6693 l2cap_retransmit(chan, control);
6694 l2cap_ertm_send(chan);
6695
6696 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6697 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6698 chan->srej_save_reqseq = control->reqseq;
6699 }
6700 } else {
6701 l2cap_pass_to_tx_fbit(chan, control);
6702
6703 if (control->final) {
6704 if (chan->srej_save_reqseq != control->reqseq ||
6705 !test_and_clear_bit(CONN_SREJ_ACT,
6706 &chan->conn_state))
6707 l2cap_retransmit(chan, control);
6708 } else {
6709 l2cap_retransmit(chan, control);
6710 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6711 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6712 chan->srej_save_reqseq = control->reqseq;
6713 }
6714 }
6715 }
6716}
6717
6718static void l2cap_handle_rej(struct l2cap_chan *chan,
6719 struct l2cap_ctrl *control)
6720{
6721 struct sk_buff *skb;
6722
6723 BT_DBG("chan %p, control %p", chan, control);
6724
6725 if (control->reqseq == chan->next_tx_seq) {
6726 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6727 l2cap_send_disconn_req(chan, ECONNRESET);
6728 return;
6729 }
6730
6731 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6732
6733 if (chan->max_tx && skb &&
6734 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6735 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6736 l2cap_send_disconn_req(chan, ECONNRESET);
6737 return;
6738 }
6739
6740 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6741
6742 l2cap_pass_to_tx(chan, control);
6743
6744 if (control->final) {
6745 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6746 l2cap_retransmit_all(chan, control);
6747 } else {
6748 l2cap_retransmit_all(chan, control);
6749 l2cap_ertm_send(chan);
6750 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6751 set_bit(CONN_REJ_ACT, &chan->conn_state);
6752 }
6753}
6754
6755static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6756{
6757 BT_DBG("chan %p, txseq %d", chan, txseq);
6758
6759 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6760 chan->expected_tx_seq);
6761
6762 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6763 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6764 chan->tx_win) {
6765
6766
6767
6768 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6769 BT_DBG("Invalid/Ignore - after SREJ");
6770 return L2CAP_TXSEQ_INVALID_IGNORE;
6771 } else {
6772 BT_DBG("Invalid - in window after SREJ sent");
6773 return L2CAP_TXSEQ_INVALID;
6774 }
6775 }
6776
6777 if (chan->srej_list.head == txseq) {
6778 BT_DBG("Expected SREJ");
6779 return L2CAP_TXSEQ_EXPECTED_SREJ;
6780 }
6781
6782 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6783 BT_DBG("Duplicate SREJ - txseq already stored");
6784 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6785 }
6786
6787 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6788 BT_DBG("Unexpected SREJ - not requested");
6789 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6790 }
6791 }
6792
6793 if (chan->expected_tx_seq == txseq) {
6794 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6795 chan->tx_win) {
6796 BT_DBG("Invalid - txseq outside tx window");
6797 return L2CAP_TXSEQ_INVALID;
6798 } else {
6799 BT_DBG("Expected");
6800 return L2CAP_TXSEQ_EXPECTED;
6801 }
6802 }
6803
6804 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6805 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6806 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6807 return L2CAP_TXSEQ_DUPLICATE;
6808 }
6809
6810 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6811
6812
6813
6814
6815
6816
6817
6818
6819
6820
6821
6822
6823
6824
6825
6826
6827
6828 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6829 BT_DBG("Invalid/Ignore - txseq outside tx window");
6830 return L2CAP_TXSEQ_INVALID_IGNORE;
6831 } else {
6832 BT_DBG("Invalid - txseq outside tx window");
6833 return L2CAP_TXSEQ_INVALID;
6834 }
6835 } else {
6836 BT_DBG("Unexpected - txseq indicates missing frames");
6837 return L2CAP_TXSEQ_UNEXPECTED;
6838 }
6839}
6840
6841static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6842 struct l2cap_ctrl *control,
6843 struct sk_buff *skb, u8 event)
6844{
6845 int err = 0;
6846 bool skb_in_use = false;
6847
6848 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6849 event);
6850
6851 switch (event) {
6852 case L2CAP_EV_RECV_IFRAME:
6853 switch (l2cap_classify_txseq(chan, control->txseq)) {
6854 case L2CAP_TXSEQ_EXPECTED:
6855 l2cap_pass_to_tx(chan, control);
6856
6857 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6858 BT_DBG("Busy, discarding expected seq %d",
6859 control->txseq);
6860 break;
6861 }
6862
6863 chan->expected_tx_seq = __next_seq(chan,
6864 control->txseq);
6865
6866 chan->buffer_seq = chan->expected_tx_seq;
6867 skb_in_use = true;
6868
6869 err = l2cap_reassemble_sdu(chan, skb, control);
6870 if (err)
6871 break;
6872
6873 if (control->final) {
6874 if (!test_and_clear_bit(CONN_REJ_ACT,
6875 &chan->conn_state)) {
6876 control->final = 0;
6877 l2cap_retransmit_all(chan, control);
6878 l2cap_ertm_send(chan);
6879 }
6880 }
6881
6882 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6883 l2cap_send_ack(chan);
6884 break;
6885 case L2CAP_TXSEQ_UNEXPECTED:
6886 l2cap_pass_to_tx(chan, control);
6887
6888
6889
6890
6891
6892 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6893 BT_DBG("Busy, discarding unexpected seq %d",
6894 control->txseq);
6895 break;
6896 }
6897
6898
6899
6900
6901
6902 skb_queue_tail(&chan->srej_q, skb);
6903 skb_in_use = true;
6904 BT_DBG("Queued %p (queue len %d)", skb,
6905 skb_queue_len(&chan->srej_q));
6906
6907 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6908 l2cap_seq_list_clear(&chan->srej_list);
6909 l2cap_send_srej(chan, control->txseq);
6910
6911 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6912 break;
6913 case L2CAP_TXSEQ_DUPLICATE:
6914 l2cap_pass_to_tx(chan, control);
6915 break;
6916 case L2CAP_TXSEQ_INVALID_IGNORE:
6917 break;
6918 case L2CAP_TXSEQ_INVALID:
6919 default:
6920 l2cap_send_disconn_req(chan, ECONNRESET);
6921 break;
6922 }
6923 break;
6924 case L2CAP_EV_RECV_RR:
6925 l2cap_pass_to_tx(chan, control);
6926 if (control->final) {
6927 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6928
6929 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6930 !__chan_is_moving(chan)) {
6931 control->final = 0;
6932 l2cap_retransmit_all(chan, control);
6933 }
6934
6935 l2cap_ertm_send(chan);
6936 } else if (control->poll) {
6937 l2cap_send_i_or_rr_or_rnr(chan);
6938 } else {
6939 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6940 &chan->conn_state) &&
6941 chan->unacked_frames)
6942 __set_retrans_timer(chan);
6943
6944 l2cap_ertm_send(chan);
6945 }
6946 break;
6947 case L2CAP_EV_RECV_RNR:
6948 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6949 l2cap_pass_to_tx(chan, control);
6950 if (control && control->poll) {
6951 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6952 l2cap_send_rr_or_rnr(chan, 0);
6953 }
6954 __clear_retrans_timer(chan);
6955 l2cap_seq_list_clear(&chan->retrans_list);
6956 break;
6957 case L2CAP_EV_RECV_REJ:
6958 l2cap_handle_rej(chan, control);
6959 break;
6960 case L2CAP_EV_RECV_SREJ:
6961 l2cap_handle_srej(chan, control);
6962 break;
6963 default:
6964 break;
6965 }
6966
6967 if (skb && !skb_in_use) {
6968 BT_DBG("Freeing %p", skb);
6969 kfree_skb(skb);
6970 }
6971
6972 return err;
6973}
6974
6975static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6976 struct l2cap_ctrl *control,
6977 struct sk_buff *skb, u8 event)
6978{
6979 int err = 0;
6980 u16 txseq = control->txseq;
6981 bool skb_in_use = false;
6982
6983 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6984 event);
6985
6986 switch (event) {
6987 case L2CAP_EV_RECV_IFRAME:
6988 switch (l2cap_classify_txseq(chan, txseq)) {
6989 case L2CAP_TXSEQ_EXPECTED:
6990
6991 l2cap_pass_to_tx(chan, control);
6992 skb_queue_tail(&chan->srej_q, skb);
6993 skb_in_use = true;
6994 BT_DBG("Queued %p (queue len %d)", skb,
6995 skb_queue_len(&chan->srej_q));
6996
6997 chan->expected_tx_seq = __next_seq(chan, txseq);
6998 break;
6999 case L2CAP_TXSEQ_EXPECTED_SREJ:
7000 l2cap_seq_list_pop(&chan->srej_list);
7001
7002 l2cap_pass_to_tx(chan, control);
7003 skb_queue_tail(&chan->srej_q, skb);
7004 skb_in_use = true;
7005 BT_DBG("Queued %p (queue len %d)", skb,
7006 skb_queue_len(&chan->srej_q));
7007
7008 err = l2cap_rx_queued_iframes(chan);
7009 if (err)
7010 break;
7011
7012 break;
7013 case L2CAP_TXSEQ_UNEXPECTED:
7014
7015
7016
7017
7018 skb_queue_tail(&chan->srej_q, skb);
7019 skb_in_use = true;
7020 BT_DBG("Queued %p (queue len %d)", skb,
7021 skb_queue_len(&chan->srej_q));
7022
7023 l2cap_pass_to_tx(chan, control);
7024 l2cap_send_srej(chan, control->txseq);
7025 break;
7026 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
7027
7028
7029
7030
7031
7032 skb_queue_tail(&chan->srej_q, skb);
7033 skb_in_use = true;
7034 BT_DBG("Queued %p (queue len %d)", skb,
7035 skb_queue_len(&chan->srej_q));
7036
7037 l2cap_pass_to_tx(chan, control);
7038 l2cap_send_srej_list(chan, control->txseq);
7039 break;
7040 case L2CAP_TXSEQ_DUPLICATE_SREJ:
7041
7042 l2cap_pass_to_tx(chan, control);
7043 break;
7044 case L2CAP_TXSEQ_DUPLICATE:
7045
7046
7047
7048 break;
7049 case L2CAP_TXSEQ_INVALID_IGNORE:
7050 break;
7051 case L2CAP_TXSEQ_INVALID:
7052 default:
7053 l2cap_send_disconn_req(chan, ECONNRESET);
7054 break;
7055 }
7056 break;
7057 case L2CAP_EV_RECV_RR:
7058 l2cap_pass_to_tx(chan, control);
7059 if (control->final) {
7060 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7061
7062 if (!test_and_clear_bit(CONN_REJ_ACT,
7063 &chan->conn_state)) {
7064 control->final = 0;
7065 l2cap_retransmit_all(chan, control);
7066 }
7067
7068 l2cap_ertm_send(chan);
7069 } else if (control->poll) {
7070 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7071 &chan->conn_state) &&
7072 chan->unacked_frames) {
7073 __set_retrans_timer(chan);
7074 }
7075
7076 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7077 l2cap_send_srej_tail(chan);
7078 } else {
7079 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7080 &chan->conn_state) &&
7081 chan->unacked_frames)
7082 __set_retrans_timer(chan);
7083
7084 l2cap_send_ack(chan);
7085 }
7086 break;
7087 case L2CAP_EV_RECV_RNR:
7088 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7089 l2cap_pass_to_tx(chan, control);
7090 if (control->poll) {
7091 l2cap_send_srej_tail(chan);
7092 } else {
7093 struct l2cap_ctrl rr_control;
7094 memset(&rr_control, 0, sizeof(rr_control));
7095 rr_control.sframe = 1;
7096 rr_control.super = L2CAP_SUPER_RR;
7097 rr_control.reqseq = chan->buffer_seq;
7098 l2cap_send_sframe(chan, &rr_control);
7099 }
7100
7101 break;
7102 case L2CAP_EV_RECV_REJ:
7103 l2cap_handle_rej(chan, control);
7104 break;
7105 case L2CAP_EV_RECV_SREJ:
7106 l2cap_handle_srej(chan, control);
7107 break;
7108 }
7109
7110 if (skb && !skb_in_use) {
7111 BT_DBG("Freeing %p", skb);
7112 kfree_skb(skb);
7113 }
7114
7115 return err;
7116}
7117
7118static int l2cap_finish_move(struct l2cap_chan *chan)
7119{
7120 BT_DBG("chan %p", chan);
7121
7122 chan->rx_state = L2CAP_RX_STATE_RECV;
7123
7124 if (chan->hs_hcon)
7125 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7126 else
7127 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7128
7129 return l2cap_resegment(chan);
7130}
7131
7132static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
7133 struct l2cap_ctrl *control,
7134 struct sk_buff *skb, u8 event)
7135{
7136 int err;
7137
7138 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7139 event);
7140
7141 if (!control->poll)
7142 return -EPROTO;
7143
7144 l2cap_process_reqseq(chan, control->reqseq);
7145
7146 if (!skb_queue_empty(&chan->tx_q))
7147 chan->tx_send_head = skb_peek(&chan->tx_q);
7148 else
7149 chan->tx_send_head = NULL;
7150
7151
7152
7153
7154 chan->next_tx_seq = control->reqseq;
7155 chan->unacked_frames = 0;
7156
7157 err = l2cap_finish_move(chan);
7158 if (err)
7159 return err;
7160
7161 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7162 l2cap_send_i_or_rr_or_rnr(chan);
7163
7164 if (event == L2CAP_EV_RECV_IFRAME)
7165 return -EPROTO;
7166
7167 return l2cap_rx_state_recv(chan, control, NULL, event);
7168}
7169
7170static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
7171 struct l2cap_ctrl *control,
7172 struct sk_buff *skb, u8 event)
7173{
7174 int err;
7175
7176 if (!control->final)
7177 return -EPROTO;
7178
7179 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7180
7181 chan->rx_state = L2CAP_RX_STATE_RECV;
7182 l2cap_process_reqseq(chan, control->reqseq);
7183
7184 if (!skb_queue_empty(&chan->tx_q))
7185 chan->tx_send_head = skb_peek(&chan->tx_q);
7186 else
7187 chan->tx_send_head = NULL;
7188
7189
7190
7191
7192 chan->next_tx_seq = control->reqseq;
7193 chan->unacked_frames = 0;
7194
7195 if (chan->hs_hcon)
7196 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7197 else
7198 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7199
7200 err = l2cap_resegment(chan);
7201
7202 if (!err)
7203 err = l2cap_rx_state_recv(chan, control, skb, event);
7204
7205 return err;
7206}
7207
7208static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
7209{
7210
7211 u16 unacked;
7212
7213 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
7214 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
7215}
7216
7217static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7218 struct sk_buff *skb, u8 event)
7219{
7220 int err = 0;
7221
7222 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
7223 control, skb, event, chan->rx_state);
7224
7225 if (__valid_reqseq(chan, control->reqseq)) {
7226 switch (chan->rx_state) {
7227 case L2CAP_RX_STATE_RECV:
7228 err = l2cap_rx_state_recv(chan, control, skb, event);
7229 break;
7230 case L2CAP_RX_STATE_SREJ_SENT:
7231 err = l2cap_rx_state_srej_sent(chan, control, skb,
7232 event);
7233 break;
7234 case L2CAP_RX_STATE_WAIT_P:
7235 err = l2cap_rx_state_wait_p(chan, control, skb, event);
7236 break;
7237 case L2CAP_RX_STATE_WAIT_F:
7238 err = l2cap_rx_state_wait_f(chan, control, skb, event);
7239 break;
7240 default:
7241
7242 break;
7243 }
7244 } else {
7245 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
7246 control->reqseq, chan->next_tx_seq,
7247 chan->expected_ack_seq);
7248 l2cap_send_disconn_req(chan, ECONNRESET);
7249 }
7250
7251 return err;
7252}
7253
7254static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7255 struct sk_buff *skb)
7256{
7257 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
7258 chan->rx_state);
7259
7260 if (l2cap_classify_txseq(chan, control->txseq) ==
7261 L2CAP_TXSEQ_EXPECTED) {
7262 l2cap_pass_to_tx(chan, control);
7263
7264 BT_DBG("buffer_seq %u->%u", chan->buffer_seq,
7265 __next_seq(chan, chan->buffer_seq));
7266
7267 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
7268
7269 l2cap_reassemble_sdu(chan, skb, control);
7270 } else {
7271 if (chan->sdu) {
7272 kfree_skb(chan->sdu);
7273 chan->sdu = NULL;
7274 }
7275 chan->sdu_last_frag = NULL;
7276 chan->sdu_len = 0;
7277
7278 if (skb) {
7279 BT_DBG("Freeing %p", skb);
7280 kfree_skb(skb);
7281 }
7282 }
7283
7284 chan->last_acked_seq = control->txseq;
7285 chan->expected_tx_seq = __next_seq(chan, control->txseq);
7286
7287 return 0;
7288}
7289
7290static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7291{
7292 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
7293 u16 len;
7294 u8 event;
7295
7296 __unpack_control(chan, skb);
7297
7298 len = skb->len;
7299
7300
7301
7302
7303
7304
7305 if (l2cap_check_fcs(chan, skb))
7306 goto drop;
7307
7308 if (!control->sframe && control->sar == L2CAP_SAR_START)
7309 len -= L2CAP_SDULEN_SIZE;
7310
7311 if (chan->fcs == L2CAP_FCS_CRC16)
7312 len -= L2CAP_FCS_SIZE;
7313
7314 if (len > chan->mps) {
7315 l2cap_send_disconn_req(chan, ECONNRESET);
7316 goto drop;
7317 }
7318
7319 if (chan->ops->filter) {
7320 if (chan->ops->filter(chan, skb))
7321 goto drop;
7322 }
7323
7324 if (!control->sframe) {
7325 int err;
7326
7327 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
7328 control->sar, control->reqseq, control->final,
7329 control->txseq);
7330
7331
7332
7333
7334 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
7335 goto drop;
7336
7337 if (chan->mode != L2CAP_MODE_STREAMING) {
7338 event = L2CAP_EV_RECV_IFRAME;
7339 err = l2cap_rx(chan, control, skb, event);
7340 } else {
7341 err = l2cap_stream_rx(chan, control, skb);
7342 }
7343
7344 if (err)
7345 l2cap_send_disconn_req(chan, ECONNRESET);
7346 } else {
7347 const u8 rx_func_to_event[4] = {
7348 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
7349 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
7350 };
7351
7352
7353 if (chan->mode == L2CAP_MODE_STREAMING)
7354 goto drop;
7355
7356 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
7357 control->reqseq, control->final, control->poll,
7358 control->super);
7359
7360 if (len != 0) {
7361 BT_ERR("Trailing bytes: %d in sframe", len);
7362 l2cap_send_disconn_req(chan, ECONNRESET);
7363 goto drop;
7364 }
7365
7366
7367 if (control->final && (control->poll ||
7368 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
7369 goto drop;
7370
7371 event = rx_func_to_event[control->super];
7372 if (l2cap_rx(chan, control, skb, event))
7373 l2cap_send_disconn_req(chan, ECONNRESET);
7374 }
7375
7376 return 0;
7377
7378drop:
7379 kfree_skb(skb);
7380 return 0;
7381}
7382
7383static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
7384{
7385 struct l2cap_conn *conn = chan->conn;
7386 struct l2cap_le_credits pkt;
7387 u16 return_credits;
7388
7389 return_credits = (chan->imtu / chan->mps) + 1;
7390
7391 if (chan->rx_credits >= return_credits)
7392 return;
7393
7394 return_credits -= chan->rx_credits;
7395
7396 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
7397
7398 chan->rx_credits += return_credits;
7399
7400 pkt.cid = cpu_to_le16(chan->scid);
7401 pkt.credits = cpu_to_le16(return_credits);
7402
7403 chan->ident = l2cap_get_ident(conn);
7404
7405 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
7406}
7407
7408static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7409{
7410 int err;
7411
7412 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7413
7414
7415 err = chan->ops->recv(chan, skb);
7416
7417
7418 l2cap_chan_le_send_credits(chan);
7419
7420 return err;
7421}
7422
7423static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7424{
7425 int err;
7426
7427 if (!chan->rx_credits) {
7428 BT_ERR("No credits to receive LE L2CAP data");
7429 l2cap_send_disconn_req(chan, ECONNRESET);
7430 return -ENOBUFS;
7431 }
7432
7433 if (chan->imtu < skb->len) {
7434 BT_ERR("Too big LE L2CAP PDU");
7435 return -ENOBUFS;
7436 }
7437
7438 chan->rx_credits--;
7439 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
7440
7441
7442
7443
7444 if (!chan->rx_credits)
7445 l2cap_chan_le_send_credits(chan);
7446
7447 err = 0;
7448
7449 if (!chan->sdu) {
7450 u16 sdu_len;
7451
7452 sdu_len = get_unaligned_le16(skb->data);
7453 skb_pull(skb, L2CAP_SDULEN_SIZE);
7454
7455 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
7456 sdu_len, skb->len, chan->imtu);
7457
7458 if (sdu_len > chan->imtu) {
7459 BT_ERR("Too big LE L2CAP SDU length received");
7460 err = -EMSGSIZE;
7461 goto failed;
7462 }
7463
7464 if (skb->len > sdu_len) {
7465 BT_ERR("Too much LE L2CAP data received");
7466 err = -EINVAL;
7467 goto failed;
7468 }
7469
7470 if (skb->len == sdu_len)
7471 return l2cap_ecred_recv(chan, skb);
7472
7473 chan->sdu = skb;
7474 chan->sdu_len = sdu_len;
7475 chan->sdu_last_frag = skb;
7476
7477
7478 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
7479 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
7480
7481
7482 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
7483 chan->mps = mps_len;
7484 l2cap_chan_le_send_credits(chan);
7485 }
7486
7487 return 0;
7488 }
7489
7490 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
7491 chan->sdu->len, skb->len, chan->sdu_len);
7492
7493 if (chan->sdu->len + skb->len > chan->sdu_len) {
7494 BT_ERR("Too much LE L2CAP data received");
7495 err = -EINVAL;
7496 goto failed;
7497 }
7498
7499 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
7500 skb = NULL;
7501
7502 if (chan->sdu->len == chan->sdu_len) {
7503 err = l2cap_ecred_recv(chan, chan->sdu);
7504 if (!err) {
7505 chan->sdu = NULL;
7506 chan->sdu_last_frag = NULL;
7507 chan->sdu_len = 0;
7508 }
7509 }
7510
7511failed:
7512 if (err) {
7513 kfree_skb(skb);
7514 kfree_skb(chan->sdu);
7515 chan->sdu = NULL;
7516 chan->sdu_last_frag = NULL;
7517 chan->sdu_len = 0;
7518 }
7519
7520
7521
7522
7523
7524 return 0;
7525}
7526
7527static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
7528 struct sk_buff *skb)
7529{
7530 struct l2cap_chan *chan;
7531
7532 chan = l2cap_get_chan_by_scid(conn, cid);
7533 if (!chan) {
7534 if (cid == L2CAP_CID_A2MP) {
7535 chan = a2mp_channel_create(conn, skb);
7536 if (!chan) {
7537 kfree_skb(skb);
7538 return;
7539 }
7540
7541 l2cap_chan_lock(chan);
7542 } else {
7543 BT_DBG("unknown cid 0x%4.4x", cid);
7544
7545 kfree_skb(skb);
7546 return;
7547 }
7548 }
7549
7550 BT_DBG("chan %p, len %d", chan, skb->len);
7551
7552
7553
7554
7555
7556 if (chan->chan_type == L2CAP_CHAN_FIXED)
7557 l2cap_chan_ready(chan);
7558
7559 if (chan->state != BT_CONNECTED)
7560 goto drop;
7561
7562 switch (chan->mode) {
7563 case L2CAP_MODE_LE_FLOWCTL:
7564 case L2CAP_MODE_EXT_FLOWCTL:
7565 if (l2cap_ecred_data_rcv(chan, skb) < 0)
7566 goto drop;
7567
7568 goto done;
7569
7570 case L2CAP_MODE_BASIC:
7571
7572
7573
7574
7575
7576 if (chan->imtu < skb->len) {
7577 BT_ERR("Dropping L2CAP data: receive buffer overflow");
7578 goto drop;
7579 }
7580
7581 if (!chan->ops->recv(chan, skb))
7582 goto done;
7583 break;
7584
7585 case L2CAP_MODE_ERTM:
7586 case L2CAP_MODE_STREAMING:
7587 l2cap_data_rcv(chan, skb);
7588 goto done;
7589
7590 default:
7591 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7592 break;
7593 }
7594
7595drop:
7596 kfree_skb(skb);
7597
7598done:
7599 l2cap_chan_unlock(chan);
7600}
7601
7602static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7603 struct sk_buff *skb)
7604{
7605 struct hci_conn *hcon = conn->hcon;
7606 struct l2cap_chan *chan;
7607
7608 if (hcon->type != ACL_LINK)
7609 goto free_skb;
7610
7611 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7612 ACL_LINK);
7613 if (!chan)
7614 goto free_skb;
7615
7616 BT_DBG("chan %p, len %d", chan, skb->len);
7617
7618 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7619 goto drop;
7620
7621 if (chan->imtu < skb->len)
7622 goto drop;
7623
7624
7625 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7626 bt_cb(skb)->l2cap.psm = psm;
7627
7628 if (!chan->ops->recv(chan, skb)) {
7629 l2cap_chan_put(chan);
7630 return;
7631 }
7632
7633drop:
7634 l2cap_chan_put(chan);
7635free_skb:
7636 kfree_skb(skb);
7637}
7638
7639static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7640{
7641 struct l2cap_hdr *lh = (void *) skb->data;
7642 struct hci_conn *hcon = conn->hcon;
7643 u16 cid, len;
7644 __le16 psm;
7645
7646 if (hcon->state != BT_CONNECTED) {
7647 BT_DBG("queueing pending rx skb");
7648 skb_queue_tail(&conn->pending_rx, skb);
7649 return;
7650 }
7651
7652 skb_pull(skb, L2CAP_HDR_SIZE);
7653 cid = __le16_to_cpu(lh->cid);
7654 len = __le16_to_cpu(lh->len);
7655
7656 if (len != skb->len) {
7657 kfree_skb(skb);
7658 return;
7659 }
7660
7661
7662
7663
7664 if (hcon->type == LE_LINK &&
7665 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7666 bdaddr_dst_type(hcon))) {
7667 kfree_skb(skb);
7668 return;
7669 }
7670
7671 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7672
7673 switch (cid) {
7674 case L2CAP_CID_SIGNALING:
7675 l2cap_sig_channel(conn, skb);
7676 break;
7677
7678 case L2CAP_CID_CONN_LESS:
7679 psm = get_unaligned((__le16 *) skb->data);
7680 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7681 l2cap_conless_channel(conn, psm, skb);
7682 break;
7683
7684 case L2CAP_CID_LE_SIGNALING:
7685 l2cap_le_sig_channel(conn, skb);
7686 break;
7687
7688 default:
7689 l2cap_data_channel(conn, cid, skb);
7690 break;
7691 }
7692}
7693
7694static void process_pending_rx(struct work_struct *work)
7695{
7696 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7697 pending_rx_work);
7698 struct sk_buff *skb;
7699
7700 BT_DBG("");
7701
7702 while ((skb = skb_dequeue(&conn->pending_rx)))
7703 l2cap_recv_frame(conn, skb);
7704}
7705
7706static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7707{
7708 struct l2cap_conn *conn = hcon->l2cap_data;
7709 struct hci_chan *hchan;
7710
7711 if (conn)
7712 return conn;
7713
7714 hchan = hci_chan_create(hcon);
7715 if (!hchan)
7716 return NULL;
7717
7718 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7719 if (!conn) {
7720 hci_chan_del(hchan);
7721 return NULL;
7722 }
7723
7724 kref_init(&conn->ref);
7725 hcon->l2cap_data = conn;
7726 conn->hcon = hci_conn_get(hcon);
7727 conn->hchan = hchan;
7728
7729 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7730
7731 switch (hcon->type) {
7732 case LE_LINK:
7733 if (hcon->hdev->le_mtu) {
7734 conn->mtu = hcon->hdev->le_mtu;
7735 break;
7736 }
7737 fallthrough;
7738 default:
7739 conn->mtu = hcon->hdev->acl_mtu;
7740 break;
7741 }
7742
7743 conn->feat_mask = 0;
7744
7745 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7746
7747 if (hcon->type == ACL_LINK &&
7748 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7749 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7750
7751 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7752 (bredr_sc_enabled(hcon->hdev) ||
7753 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7754 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7755
7756 mutex_init(&conn->ident_lock);
7757 mutex_init(&conn->chan_lock);
7758
7759 INIT_LIST_HEAD(&conn->chan_l);
7760 INIT_LIST_HEAD(&conn->users);
7761
7762 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7763
7764 skb_queue_head_init(&conn->pending_rx);
7765 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7766 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7767
7768 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7769
7770 return conn;
7771}
7772
7773static bool is_valid_psm(u16 psm, u8 dst_type)
7774{
7775 if (!psm)
7776 return false;
7777
7778 if (bdaddr_type_is_le(dst_type))
7779 return (psm <= 0x00ff);
7780
7781
7782 return ((psm & 0x0101) == 0x0001);
7783}
7784
7785struct l2cap_chan_data {
7786 struct l2cap_chan *chan;
7787 struct pid *pid;
7788 int count;
7789};
7790
7791static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7792{
7793 struct l2cap_chan_data *d = data;
7794 struct pid *pid;
7795
7796 if (chan == d->chan)
7797 return;
7798
7799 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7800 return;
7801
7802 pid = chan->ops->get_peer_pid(chan);
7803
7804
7805 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7806 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7807 return;
7808
7809 d->count++;
7810}
7811
7812int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7813 bdaddr_t *dst, u8 dst_type)
7814{
7815 struct l2cap_conn *conn;
7816 struct hci_conn *hcon;
7817 struct hci_dev *hdev;
7818 int err;
7819
7820 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7821 dst, dst_type, __le16_to_cpu(psm), chan->mode);
7822
7823 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7824 if (!hdev)
7825 return -EHOSTUNREACH;
7826
7827 hci_dev_lock(hdev);
7828
7829 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7830 chan->chan_type != L2CAP_CHAN_RAW) {
7831 err = -EINVAL;
7832 goto done;
7833 }
7834
7835 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7836 err = -EINVAL;
7837 goto done;
7838 }
7839
7840 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7841 err = -EINVAL;
7842 goto done;
7843 }
7844
7845 switch (chan->mode) {
7846 case L2CAP_MODE_BASIC:
7847 break;
7848 case L2CAP_MODE_LE_FLOWCTL:
7849 break;
7850 case L2CAP_MODE_EXT_FLOWCTL:
7851 if (!enable_ecred) {
7852 err = -EOPNOTSUPP;
7853 goto done;
7854 }
7855 break;
7856 case L2CAP_MODE_ERTM:
7857 case L2CAP_MODE_STREAMING:
7858 if (!disable_ertm)
7859 break;
7860 fallthrough;
7861 default:
7862 err = -EOPNOTSUPP;
7863 goto done;
7864 }
7865
7866 switch (chan->state) {
7867 case BT_CONNECT:
7868 case BT_CONNECT2:
7869 case BT_CONFIG:
7870
7871 err = 0;
7872 goto done;
7873
7874 case BT_CONNECTED:
7875
7876 err = -EISCONN;
7877 goto done;
7878
7879 case BT_OPEN:
7880 case BT_BOUND:
7881
7882 break;
7883
7884 default:
7885 err = -EBADFD;
7886 goto done;
7887 }
7888
7889
7890 bacpy(&chan->dst, dst);
7891 chan->dst_type = dst_type;
7892
7893 chan->psm = psm;
7894 chan->dcid = cid;
7895
7896 if (bdaddr_type_is_le(dst_type)) {
7897
7898
7899 if (dst_type == BDADDR_LE_PUBLIC)
7900 dst_type = ADDR_LE_DEV_PUBLIC;
7901 else
7902 dst_type = ADDR_LE_DEV_RANDOM;
7903
7904 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7905 hcon = hci_connect_le(hdev, dst, dst_type,
7906 chan->sec_level,
7907 HCI_LE_CONN_TIMEOUT,
7908 HCI_ROLE_SLAVE, NULL);
7909 else
7910 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7911 chan->sec_level,
7912 HCI_LE_CONN_TIMEOUT,
7913 CONN_REASON_L2CAP_CHAN);
7914
7915 } else {
7916 u8 auth_type = l2cap_get_auth_type(chan);
7917 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7918 CONN_REASON_L2CAP_CHAN);
7919 }
7920
7921 if (IS_ERR(hcon)) {
7922 err = PTR_ERR(hcon);
7923 goto done;
7924 }
7925
7926 conn = l2cap_conn_add(hcon);
7927 if (!conn) {
7928 hci_conn_drop(hcon);
7929 err = -ENOMEM;
7930 goto done;
7931 }
7932
7933 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7934 struct l2cap_chan_data data;
7935
7936 data.chan = chan;
7937 data.pid = chan->ops->get_peer_pid(chan);
7938 data.count = 1;
7939
7940 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7941
7942
7943 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7944 hci_conn_drop(hcon);
7945 err = -EPROTO;
7946 goto done;
7947 }
7948 }
7949
7950 mutex_lock(&conn->chan_lock);
7951 l2cap_chan_lock(chan);
7952
7953 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7954 hci_conn_drop(hcon);
7955 err = -EBUSY;
7956 goto chan_unlock;
7957 }
7958
7959
7960 bacpy(&chan->src, &hcon->src);
7961 chan->src_type = bdaddr_src_type(hcon);
7962
7963 __l2cap_chan_add(conn, chan);
7964
7965
7966 hci_conn_drop(hcon);
7967
7968 l2cap_state_change(chan, BT_CONNECT);
7969 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7970
7971
7972
7973
7974 write_lock(&chan_list_lock);
7975 chan->sport = 0;
7976 write_unlock(&chan_list_lock);
7977
7978 if (hcon->state == BT_CONNECTED) {
7979 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7980 __clear_chan_timer(chan);
7981 if (l2cap_chan_check_security(chan, true))
7982 l2cap_state_change(chan, BT_CONNECTED);
7983 } else
7984 l2cap_do_start(chan);
7985 }
7986
7987 err = 0;
7988
7989chan_unlock:
7990 l2cap_chan_unlock(chan);
7991 mutex_unlock(&conn->chan_lock);
7992done:
7993 hci_dev_unlock(hdev);
7994 hci_dev_put(hdev);
7995 return err;
7996}
7997EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7998
7999static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
8000{
8001 struct l2cap_conn *conn = chan->conn;
8002 struct {
8003 struct l2cap_ecred_reconf_req req;
8004 __le16 scid;
8005 } pdu;
8006
8007 pdu.req.mtu = cpu_to_le16(chan->imtu);
8008 pdu.req.mps = cpu_to_le16(chan->mps);
8009 pdu.scid = cpu_to_le16(chan->scid);
8010
8011 chan->ident = l2cap_get_ident(conn);
8012
8013 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
8014 sizeof(pdu), &pdu);
8015}
8016
8017int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8018{
8019 if (chan->imtu > mtu)
8020 return -EINVAL;
8021
8022 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8023
8024 chan->imtu = mtu;
8025
8026 l2cap_ecred_reconfigure(chan);
8027
8028 return 0;
8029}
8030
8031
8032
8033int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
8034{
8035 int exact = 0, lm1 = 0, lm2 = 0;
8036 struct l2cap_chan *c;
8037
8038 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
8039
8040
8041 read_lock(&chan_list_lock);
8042 list_for_each_entry(c, &chan_list, global_l) {
8043 if (c->state != BT_LISTEN)
8044 continue;
8045
8046 if (!bacmp(&c->src, &hdev->bdaddr)) {
8047 lm1 |= HCI_LM_ACCEPT;
8048 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8049 lm1 |= HCI_LM_MASTER;
8050 exact++;
8051 } else if (!bacmp(&c->src, BDADDR_ANY)) {
8052 lm2 |= HCI_LM_ACCEPT;
8053 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8054 lm2 |= HCI_LM_MASTER;
8055 }
8056 }
8057 read_unlock(&chan_list_lock);
8058
8059 return exact ? lm1 : lm2;
8060}
8061
8062
8063
8064
8065
8066static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
8067 struct hci_conn *hcon)
8068{
8069 u8 src_type = bdaddr_src_type(hcon);
8070
8071 read_lock(&chan_list_lock);
8072
8073 if (c)
8074 c = list_next_entry(c, global_l);
8075 else
8076 c = list_entry(chan_list.next, typeof(*c), global_l);
8077
8078 list_for_each_entry_from(c, &chan_list, global_l) {
8079 if (c->chan_type != L2CAP_CHAN_FIXED)
8080 continue;
8081 if (c->state != BT_LISTEN)
8082 continue;
8083 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
8084 continue;
8085 if (src_type != c->src_type)
8086 continue;
8087
8088 l2cap_chan_hold(c);
8089 read_unlock(&chan_list_lock);
8090 return c;
8091 }
8092
8093 read_unlock(&chan_list_lock);
8094
8095 return NULL;
8096}
8097
8098static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
8099{
8100 struct hci_dev *hdev = hcon->hdev;
8101 struct l2cap_conn *conn;
8102 struct l2cap_chan *pchan;
8103 u8 dst_type;
8104
8105 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8106 return;
8107
8108 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
8109
8110 if (status) {
8111 l2cap_conn_del(hcon, bt_to_errno(status));
8112 return;
8113 }
8114
8115 conn = l2cap_conn_add(hcon);
8116 if (!conn)
8117 return;
8118
8119 dst_type = bdaddr_dst_type(hcon);
8120
8121
8122 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
8123 return;
8124
8125
8126
8127
8128
8129
8130 pchan = l2cap_global_fixed_chan(NULL, hcon);
8131 while (pchan) {
8132 struct l2cap_chan *chan, *next;
8133
8134
8135 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
8136 goto next;
8137
8138 l2cap_chan_lock(pchan);
8139 chan = pchan->ops->new_connection(pchan);
8140 if (chan) {
8141 bacpy(&chan->src, &hcon->src);
8142 bacpy(&chan->dst, &hcon->dst);
8143 chan->src_type = bdaddr_src_type(hcon);
8144 chan->dst_type = dst_type;
8145
8146 __l2cap_chan_add(conn, chan);
8147 }
8148
8149 l2cap_chan_unlock(pchan);
8150next:
8151 next = l2cap_global_fixed_chan(pchan, hcon);
8152 l2cap_chan_put(pchan);
8153 pchan = next;
8154 }
8155
8156 l2cap_conn_ready(conn);
8157}
8158
8159int l2cap_disconn_ind(struct hci_conn *hcon)
8160{
8161 struct l2cap_conn *conn = hcon->l2cap_data;
8162
8163 BT_DBG("hcon %p", hcon);
8164
8165 if (!conn)
8166 return HCI_ERROR_REMOTE_USER_TERM;
8167 return conn->disc_reason;
8168}
8169
8170static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
8171{
8172 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8173 return;
8174
8175 BT_DBG("hcon %p reason %d", hcon, reason);
8176
8177 l2cap_conn_del(hcon, bt_to_errno(reason));
8178}
8179
8180static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
8181{
8182 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
8183 return;
8184
8185 if (encrypt == 0x00) {
8186 if (chan->sec_level == BT_SECURITY_MEDIUM) {
8187 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
8188 } else if (chan->sec_level == BT_SECURITY_HIGH ||
8189 chan->sec_level == BT_SECURITY_FIPS)
8190 l2cap_chan_close(chan, ECONNREFUSED);
8191 } else {
8192 if (chan->sec_level == BT_SECURITY_MEDIUM)
8193 __clear_chan_timer(chan);
8194 }
8195}
8196
8197static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
8198{
8199 struct l2cap_conn *conn = hcon->l2cap_data;
8200 struct l2cap_chan *chan;
8201
8202 if (!conn)
8203 return;
8204
8205 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
8206
8207 mutex_lock(&conn->chan_lock);
8208
8209 list_for_each_entry(chan, &conn->chan_l, list) {
8210 l2cap_chan_lock(chan);
8211
8212 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
8213 state_to_string(chan->state));
8214
8215 if (chan->scid == L2CAP_CID_A2MP) {
8216 l2cap_chan_unlock(chan);
8217 continue;
8218 }
8219
8220 if (!status && encrypt)
8221 chan->sec_level = hcon->sec_level;
8222
8223 if (!__l2cap_no_conn_pending(chan)) {
8224 l2cap_chan_unlock(chan);
8225 continue;
8226 }
8227
8228 if (!status && (chan->state == BT_CONNECTED ||
8229 chan->state == BT_CONFIG)) {
8230 chan->ops->resume(chan);
8231 l2cap_check_encryption(chan, encrypt);
8232 l2cap_chan_unlock(chan);
8233 continue;
8234 }
8235
8236 if (chan->state == BT_CONNECT) {
8237 if (!status && l2cap_check_enc_key_size(hcon))
8238 l2cap_start_connection(chan);
8239 else
8240 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8241 } else if (chan->state == BT_CONNECT2 &&
8242 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8243 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
8244 struct l2cap_conn_rsp rsp;
8245 __u16 res, stat;
8246
8247 if (!status && l2cap_check_enc_key_size(hcon)) {
8248 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
8249 res = L2CAP_CR_PEND;
8250 stat = L2CAP_CS_AUTHOR_PEND;
8251 chan->ops->defer(chan);
8252 } else {
8253 l2cap_state_change(chan, BT_CONFIG);
8254 res = L2CAP_CR_SUCCESS;
8255 stat = L2CAP_CS_NO_INFO;
8256 }
8257 } else {
8258 l2cap_state_change(chan, BT_DISCONN);
8259 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8260 res = L2CAP_CR_SEC_BLOCK;
8261 stat = L2CAP_CS_NO_INFO;
8262 }
8263
8264 rsp.scid = cpu_to_le16(chan->dcid);
8265 rsp.dcid = cpu_to_le16(chan->scid);
8266 rsp.result = cpu_to_le16(res);
8267 rsp.status = cpu_to_le16(stat);
8268 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
8269 sizeof(rsp), &rsp);
8270
8271 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
8272 res == L2CAP_CR_SUCCESS) {
8273 char buf[128];
8274 set_bit(CONF_REQ_SENT, &chan->conf_state);
8275 l2cap_send_cmd(conn, l2cap_get_ident(conn),
8276 L2CAP_CONF_REQ,
8277 l2cap_build_conf_req(chan, buf, sizeof(buf)),
8278 buf);
8279 chan->num_conf_req++;
8280 }
8281 }
8282
8283 l2cap_chan_unlock(chan);
8284 }
8285
8286 mutex_unlock(&conn->chan_lock);
8287}
8288
8289
8290static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb,
8291 u16 len)
8292{
8293 if (!conn->rx_skb) {
8294
8295 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
8296 if (!conn->rx_skb)
8297 return -ENOMEM;
8298
8299 conn->rx_len = len;
8300 }
8301
8302
8303 len = min_t(u16, len, skb->len);
8304 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len);
8305 skb_pull(skb, len);
8306 conn->rx_len -= len;
8307
8308 return len;
8309}
8310
8311static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb)
8312{
8313 struct sk_buff *rx_skb;
8314 int len;
8315
8316
8317 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len);
8318
8319
8320 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE)
8321 return len;
8322
8323 rx_skb = conn->rx_skb;
8324 len = get_unaligned_le16(rx_skb->data);
8325
8326
8327 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) {
8328
8329 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE);
8330 return L2CAP_LEN_SIZE;
8331 }
8332
8333
8334
8335
8336 conn->rx_skb = NULL;
8337
8338
8339 len = l2cap_recv_frag(conn, rx_skb,
8340 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE));
8341 kfree_skb(rx_skb);
8342
8343 return len;
8344}
8345
8346static void l2cap_recv_reset(struct l2cap_conn *conn)
8347{
8348 kfree_skb(conn->rx_skb);
8349 conn->rx_skb = NULL;
8350 conn->rx_len = 0;
8351}
8352
8353void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
8354{
8355 struct l2cap_conn *conn = hcon->l2cap_data;
8356 int len;
8357
8358
8359 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
8360 goto drop;
8361
8362 if (!conn)
8363 conn = l2cap_conn_add(hcon);
8364
8365 if (!conn)
8366 goto drop;
8367
8368 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
8369
8370 switch (flags) {
8371 case ACL_START:
8372 case ACL_START_NO_FLUSH:
8373 case ACL_COMPLETE:
8374 if (conn->rx_skb) {
8375 BT_ERR("Unexpected start frame (len %d)", skb->len);
8376 l2cap_recv_reset(conn);
8377 l2cap_conn_unreliable(conn, ECOMM);
8378 }
8379
8380
8381
8382
8383
8384 if (skb->len < L2CAP_LEN_SIZE) {
8385 if (l2cap_recv_frag(conn, skb, conn->mtu) < 0)
8386 goto drop;
8387 return;
8388 }
8389
8390 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE;
8391
8392 if (len == skb->len) {
8393
8394 l2cap_recv_frame(conn, skb);
8395 return;
8396 }
8397
8398 BT_DBG("Start: total len %d, frag len %u", len, skb->len);
8399
8400 if (skb->len > len) {
8401 BT_ERR("Frame is too long (len %u, expected len %d)",
8402 skb->len, len);
8403 l2cap_conn_unreliable(conn, ECOMM);
8404 goto drop;
8405 }
8406
8407
8408 if (l2cap_recv_frag(conn, skb, len) < 0)
8409 goto drop;
8410
8411 break;
8412
8413 case ACL_CONT:
8414 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len);
8415
8416 if (!conn->rx_skb) {
8417 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
8418 l2cap_conn_unreliable(conn, ECOMM);
8419 goto drop;
8420 }
8421
8422
8423 if (conn->rx_skb->len < L2CAP_LEN_SIZE) {
8424 if (l2cap_recv_len(conn, skb) < 0) {
8425 l2cap_conn_unreliable(conn, ECOMM);
8426 goto drop;
8427 }
8428
8429
8430 if (conn->rx_skb->len < L2CAP_LEN_SIZE)
8431 return;
8432 }
8433
8434 if (skb->len > conn->rx_len) {
8435 BT_ERR("Fragment is too long (len %u, expected %u)",
8436 skb->len, conn->rx_len);
8437 l2cap_recv_reset(conn);
8438 l2cap_conn_unreliable(conn, ECOMM);
8439 goto drop;
8440 }
8441
8442
8443 l2cap_recv_frag(conn, skb, skb->len);
8444
8445 if (!conn->rx_len) {
8446
8447
8448
8449
8450 struct sk_buff *rx_skb = conn->rx_skb;
8451 conn->rx_skb = NULL;
8452 l2cap_recv_frame(conn, rx_skb);
8453 }
8454 break;
8455 }
8456
8457drop:
8458 kfree_skb(skb);
8459}
8460
8461static struct hci_cb l2cap_cb = {
8462 .name = "L2CAP",
8463 .connect_cfm = l2cap_connect_cfm,
8464 .disconn_cfm = l2cap_disconn_cfm,
8465 .security_cfm = l2cap_security_cfm,
8466};
8467
8468static int l2cap_debugfs_show(struct seq_file *f, void *p)
8469{
8470 struct l2cap_chan *c;
8471
8472 read_lock(&chan_list_lock);
8473
8474 list_for_each_entry(c, &chan_list, global_l) {
8475 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
8476 &c->src, c->src_type, &c->dst, c->dst_type,
8477 c->state, __le16_to_cpu(c->psm),
8478 c->scid, c->dcid, c->imtu, c->omtu,
8479 c->sec_level, c->mode);
8480 }
8481
8482 read_unlock(&chan_list_lock);
8483
8484 return 0;
8485}
8486
8487DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
8488
8489static struct dentry *l2cap_debugfs;
8490
8491int __init l2cap_init(void)
8492{
8493 int err;
8494
8495 err = l2cap_init_sockets();
8496 if (err < 0)
8497 return err;
8498
8499 hci_register_cb(&l2cap_cb);
8500
8501 if (IS_ERR_OR_NULL(bt_debugfs))
8502 return 0;
8503
8504 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
8505 NULL, &l2cap_debugfs_fops);
8506
8507 return 0;
8508}
8509
8510void l2cap_exit(void)
8511{
8512 debugfs_remove(l2cap_debugfs);
8513 hci_unregister_cb(&l2cap_cb);
8514 l2cap_cleanup_sockets();
8515}
8516
8517module_param(disable_ertm, bool, 0644);
8518MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8519
8520module_param(enable_ecred, bool, 0644);
8521MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
8522
