1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31#include <linux/module.h>
32
33#include <linux/debugfs.h>
34#include <linux/crc16.h>
35#include <linux/filter.h>
36
37#include <net/bluetooth/bluetooth.h>
38#include <net/bluetooth/hci_core.h>
39#include <net/bluetooth/l2cap.h>
40
41#include "smp.h"
42#include "a2mp.h"
43#include "amp.h"
44
45#define LE_FLOWCTL_MAX_CREDITS 65535
46
47bool disable_ertm;
48bool enable_ecred;
49
50static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51
52static LIST_HEAD(chan_list);
53static DEFINE_RWLOCK(chan_list_lock);
54
55static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
56 u8 code, u8 ident, u16 dlen, void *data);
57static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
58 void *data);
59static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
60static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
61
62static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
63 struct sk_buff_head *skbs, u8 event);
64
65static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
66{
67 if (link_type == LE_LINK) {
68 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
69 return BDADDR_LE_PUBLIC;
70 else
71 return BDADDR_LE_RANDOM;
72 }
73
74 return BDADDR_BREDR;
75}
76
77static inline u8 bdaddr_src_type(struct hci_conn *hcon)
78{
79 return bdaddr_type(hcon->type, hcon->src_type);
80}
81
82static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
83{
84 return bdaddr_type(hcon->type, hcon->dst_type);
85}
86
87
88
89static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
90 u16 cid)
91{
92 struct l2cap_chan *c;
93
94 list_for_each_entry(c, &conn->chan_l, list) {
95 if (c->dcid == cid)
96 return c;
97 }
98 return NULL;
99}
100
101static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
102 u16 cid)
103{
104 struct l2cap_chan *c;
105
106 list_for_each_entry(c, &conn->chan_l, list) {
107 if (c->scid == cid)
108 return c;
109 }
110 return NULL;
111}
112
113
114
115static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
116 u16 cid)
117{
118 struct l2cap_chan *c;
119
120 mutex_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
122 if (c)
123 l2cap_chan_lock(c);
124 mutex_unlock(&conn->chan_lock);
125
126 return c;
127}
128
129
130
131
132static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
133 u16 cid)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_dcid(conn, cid);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
146static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
147 u8 ident)
148{
149 struct l2cap_chan *c;
150
151 list_for_each_entry(c, &conn->chan_l, list) {
152 if (c->ident == ident)
153 return c;
154 }
155 return NULL;
156}
157
158static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
159 u8 ident)
160{
161 struct l2cap_chan *c;
162
163 mutex_lock(&conn->chan_lock);
164 c = __l2cap_get_chan_by_ident(conn, ident);
165 if (c)
166 l2cap_chan_lock(c);
167 mutex_unlock(&conn->chan_lock);
168
169 return c;
170}
171
172static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
173 u8 src_type)
174{
175 struct l2cap_chan *c;
176
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
179 continue;
180
181 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
182 continue;
183
184 if (c->sport == psm && !bacmp(&c->src, src))
185 return c;
186 }
187 return NULL;
188}
189
190int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
191{
192 int err;
193
194 write_lock(&chan_list_lock);
195
196 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
197 err = -EADDRINUSE;
198 goto done;
199 }
200
201 if (psm) {
202 chan->psm = psm;
203 chan->sport = psm;
204 err = 0;
205 } else {
206 u16 p, start, end, incr;
207
208 if (chan->src_type == BDADDR_BREDR) {
209 start = L2CAP_PSM_DYN_START;
210 end = L2CAP_PSM_AUTO_END;
211 incr = 2;
212 } else {
213 start = L2CAP_PSM_LE_DYN_START;
214 end = L2CAP_PSM_LE_DYN_END;
215 incr = 1;
216 }
217
218 err = -EINVAL;
219 for (p = start; p <= end; p += incr)
220 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
221 chan->src_type)) {
222 chan->psm = cpu_to_le16(p);
223 chan->sport = cpu_to_le16(p);
224 err = 0;
225 break;
226 }
227 }
228
229done:
230 write_unlock(&chan_list_lock);
231 return err;
232}
233EXPORT_SYMBOL_GPL(l2cap_add_psm);
234
235int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
236{
237 write_lock(&chan_list_lock);
238
239
240 chan->omtu = L2CAP_DEFAULT_MTU;
241 chan->chan_type = L2CAP_CHAN_FIXED;
242
243 chan->scid = scid;
244
245 write_unlock(&chan_list_lock);
246
247 return 0;
248}
249
250static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
251{
252 u16 cid, dyn_end;
253
254 if (conn->hcon->type == LE_LINK)
255 dyn_end = L2CAP_CID_LE_DYN_END;
256 else
257 dyn_end = L2CAP_CID_DYN_END;
258
259 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
260 if (!__l2cap_get_chan_by_scid(conn, cid))
261 return cid;
262 }
263
264 return 0;
265}
266
267static void l2cap_state_change(struct l2cap_chan *chan, int state)
268{
269 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
270 state_to_string(state));
271
272 chan->state = state;
273 chan->ops->state_change(chan, state, 0);
274}
275
276static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
277 int state, int err)
278{
279 chan->state = state;
280 chan->ops->state_change(chan, chan->state, err);
281}
282
283static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
284{
285 chan->ops->state_change(chan, chan->state, err);
286}
287
288static void __set_retrans_timer(struct l2cap_chan *chan)
289{
290 if (!delayed_work_pending(&chan->monitor_timer) &&
291 chan->retrans_timeout) {
292 l2cap_set_timer(chan, &chan->retrans_timer,
293 msecs_to_jiffies(chan->retrans_timeout));
294 }
295}
296
297static void __set_monitor_timer(struct l2cap_chan *chan)
298{
299 __clear_retrans_timer(chan);
300 if (chan->monitor_timeout) {
301 l2cap_set_timer(chan, &chan->monitor_timer,
302 msecs_to_jiffies(chan->monitor_timeout));
303 }
304}
305
306static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
307 u16 seq)
308{
309 struct sk_buff *skb;
310
311 skb_queue_walk(head, skb) {
312 if (bt_cb(skb)->l2cap.txseq == seq)
313 return skb;
314 }
315
316 return NULL;
317}
318
319
320
321
322
323
324
325
326
327
328
329
330static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
331{
332 size_t alloc_size, i;
333
334
335
336
337
338 alloc_size = roundup_pow_of_two(size);
339
340 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
341 if (!seq_list->list)
342 return -ENOMEM;
343
344 seq_list->mask = alloc_size - 1;
345 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
346 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
347 for (i = 0; i < alloc_size; i++)
348 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
349
350 return 0;
351}
352
353static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
354{
355 kfree(seq_list->list);
356}
357
358static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
359 u16 seq)
360{
361
362 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
363}
364
365static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
366{
367 u16 seq = seq_list->head;
368 u16 mask = seq_list->mask;
369
370 seq_list->head = seq_list->list[seq & mask];
371 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
372
373 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
376 }
377
378 return seq;
379}
380
381static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
382{
383 u16 i;
384
385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
386 return;
387
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
390
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
393}
394
395static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
396{
397 u16 mask = seq_list->mask;
398
399
400
401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
402 return;
403
404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
406 else
407 seq_list->list[seq_list->tail & mask] = seq;
408
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
411}
412
413static void l2cap_chan_timeout(struct work_struct *work)
414{
415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
416 chan_timer.work);
417 struct l2cap_conn *conn = chan->conn;
418 int reason;
419
420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
421
422 mutex_lock(&conn->chan_lock);
423
424
425
426 l2cap_chan_lock(chan);
427
428 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
429 reason = ECONNREFUSED;
430 else if (chan->state == BT_CONNECT &&
431 chan->sec_level != BT_SECURITY_SDP)
432 reason = ECONNREFUSED;
433 else
434 reason = ETIMEDOUT;
435
436 l2cap_chan_close(chan, reason);
437
438 chan->ops->close(chan);
439
440 l2cap_chan_unlock(chan);
441 l2cap_chan_put(chan);
442
443 mutex_unlock(&conn->chan_lock);
444}
445
446struct l2cap_chan *l2cap_chan_create(void)
447{
448 struct l2cap_chan *chan;
449
450 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
451 if (!chan)
452 return NULL;
453
454 mutex_init(&chan->lock);
455
456
457 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
458
459 write_lock(&chan_list_lock);
460 list_add(&chan->global_l, &chan_list);
461 write_unlock(&chan_list_lock);
462
463 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
464
465 chan->state = BT_OPEN;
466
467 kref_init(&chan->kref);
468
469
470 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
471
472 BT_DBG("chan %p", chan);
473
474 return chan;
475}
476EXPORT_SYMBOL_GPL(l2cap_chan_create);
477
478static void l2cap_chan_destroy(struct kref *kref)
479{
480 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
481
482 BT_DBG("chan %p", chan);
483
484 write_lock(&chan_list_lock);
485 list_del(&chan->global_l);
486 write_unlock(&chan_list_lock);
487
488 kfree(chan);
489}
490
491void l2cap_chan_hold(struct l2cap_chan *c)
492{
493 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
494
495 kref_get(&c->kref);
496}
497
498void l2cap_chan_put(struct l2cap_chan *c)
499{
500 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
501
502 kref_put(&c->kref, l2cap_chan_destroy);
503}
504EXPORT_SYMBOL_GPL(l2cap_chan_put);
505
506void l2cap_chan_set_defaults(struct l2cap_chan *chan)
507{
508 chan->fcs = L2CAP_FCS_CRC16;
509 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
510 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
511 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
512 chan->remote_max_tx = chan->max_tx;
513 chan->remote_tx_win = chan->tx_win;
514 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
515 chan->sec_level = BT_SECURITY_LOW;
516 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
517 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
518 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
519 chan->conf_state = 0;
520
521 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
522}
523EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
524
525static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
526{
527 chan->sdu = NULL;
528 chan->sdu_last_frag = NULL;
529 chan->sdu_len = 0;
530 chan->tx_credits = tx_credits;
531
532 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
533
534 chan->rx_credits = (chan->imtu / chan->mps) + 1;
535
536 skb_queue_head_init(&chan->tx_q);
537}
538
539static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
540{
541 l2cap_le_flowctl_init(chan, tx_credits);
542
543
544 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
545 chan->mps = L2CAP_ECRED_MIN_MPS;
546 chan->rx_credits = (chan->imtu / chan->mps) + 1;
547 }
548}
549
550void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
551{
552 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
553 __le16_to_cpu(chan->psm), chan->dcid);
554
555 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
556
557 chan->conn = conn;
558
559 switch (chan->chan_type) {
560 case L2CAP_CHAN_CONN_ORIENTED:
561
562 chan->scid = l2cap_alloc_cid(conn);
563 if (conn->hcon->type == ACL_LINK)
564 chan->omtu = L2CAP_DEFAULT_MTU;
565 break;
566
567 case L2CAP_CHAN_CONN_LESS:
568
569 chan->scid = L2CAP_CID_CONN_LESS;
570 chan->dcid = L2CAP_CID_CONN_LESS;
571 chan->omtu = L2CAP_DEFAULT_MTU;
572 break;
573
574 case L2CAP_CHAN_FIXED:
575
576 break;
577
578 default:
579
580 chan->scid = L2CAP_CID_SIGNALING;
581 chan->dcid = L2CAP_CID_SIGNALING;
582 chan->omtu = L2CAP_DEFAULT_MTU;
583 }
584
585 chan->local_id = L2CAP_BESTEFFORT_ID;
586 chan->local_stype = L2CAP_SERV_BESTEFFORT;
587 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
588 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
589 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
590 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
591
592 l2cap_chan_hold(chan);
593
594
595 if (chan->chan_type != L2CAP_CHAN_FIXED ||
596 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
597 hci_conn_hold(conn->hcon);
598
599 list_add(&chan->list, &conn->chan_l);
600}
601
602void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
603{
604 mutex_lock(&conn->chan_lock);
605 __l2cap_chan_add(conn, chan);
606 mutex_unlock(&conn->chan_lock);
607}
608
609void l2cap_chan_del(struct l2cap_chan *chan, int err)
610{
611 struct l2cap_conn *conn = chan->conn;
612
613 __clear_chan_timer(chan);
614
615 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
616 state_to_string(chan->state));
617
618 chan->ops->teardown(chan, err);
619
620 if (conn) {
621 struct amp_mgr *mgr = conn->hcon->amp_mgr;
622
623 list_del(&chan->list);
624
625 l2cap_chan_put(chan);
626
627 chan->conn = NULL;
628
629
630
631
632
633 if (chan->chan_type != L2CAP_CHAN_FIXED ||
634 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
635 hci_conn_drop(conn->hcon);
636
637 if (mgr && mgr->bredr_chan == chan)
638 mgr->bredr_chan = NULL;
639 }
640
641 if (chan->hs_hchan) {
642 struct hci_chan *hs_hchan = chan->hs_hchan;
643
644 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
645 amp_disconnect_logical_link(hs_hchan);
646 }
647
648 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
649 return;
650
651 switch(chan->mode) {
652 case L2CAP_MODE_BASIC:
653 break;
654
655 case L2CAP_MODE_LE_FLOWCTL:
656 case L2CAP_MODE_EXT_FLOWCTL:
657 skb_queue_purge(&chan->tx_q);
658 break;
659
660 case L2CAP_MODE_ERTM:
661 __clear_retrans_timer(chan);
662 __clear_monitor_timer(chan);
663 __clear_ack_timer(chan);
664
665 skb_queue_purge(&chan->srej_q);
666
667 l2cap_seq_list_free(&chan->srej_list);
668 l2cap_seq_list_free(&chan->retrans_list);
669
670
671
672 case L2CAP_MODE_STREAMING:
673 skb_queue_purge(&chan->tx_q);
674 break;
675 }
676
677 return;
678}
679EXPORT_SYMBOL_GPL(l2cap_chan_del);
680
681static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
682 void *data)
683{
684 struct l2cap_chan *chan;
685
686 list_for_each_entry(chan, &conn->chan_l, list) {
687 func(chan, data);
688 }
689}
690
691void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
692 void *data)
693{
694 if (!conn)
695 return;
696
697 mutex_lock(&conn->chan_lock);
698 __l2cap_chan_list(conn, func, data);
699 mutex_unlock(&conn->chan_lock);
700}
701
702EXPORT_SYMBOL_GPL(l2cap_chan_list);
703
704static void l2cap_conn_update_id_addr(struct work_struct *work)
705{
706 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
707 id_addr_update_work);
708 struct hci_conn *hcon = conn->hcon;
709 struct l2cap_chan *chan;
710
711 mutex_lock(&conn->chan_lock);
712
713 list_for_each_entry(chan, &conn->chan_l, list) {
714 l2cap_chan_lock(chan);
715 bacpy(&chan->dst, &hcon->dst);
716 chan->dst_type = bdaddr_dst_type(hcon);
717 l2cap_chan_unlock(chan);
718 }
719
720 mutex_unlock(&conn->chan_lock);
721}
722
723static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
724{
725 struct l2cap_conn *conn = chan->conn;
726 struct l2cap_le_conn_rsp rsp;
727 u16 result;
728
729 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
730 result = L2CAP_CR_LE_AUTHORIZATION;
731 else
732 result = L2CAP_CR_LE_BAD_PSM;
733
734 l2cap_state_change(chan, BT_DISCONN);
735
736 rsp.dcid = cpu_to_le16(chan->scid);
737 rsp.mtu = cpu_to_le16(chan->imtu);
738 rsp.mps = cpu_to_le16(chan->mps);
739 rsp.credits = cpu_to_le16(chan->rx_credits);
740 rsp.result = cpu_to_le16(result);
741
742 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
743 &rsp);
744}
745
746static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
747{
748 struct l2cap_conn *conn = chan->conn;
749 struct l2cap_ecred_conn_rsp rsp;
750 u16 result;
751
752 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
753 result = L2CAP_CR_LE_AUTHORIZATION;
754 else
755 result = L2CAP_CR_LE_BAD_PSM;
756
757 l2cap_state_change(chan, BT_DISCONN);
758
759 memset(&rsp, 0, sizeof(rsp));
760
761 rsp.result = cpu_to_le16(result);
762
763 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
764 &rsp);
765}
766
767static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
768{
769 struct l2cap_conn *conn = chan->conn;
770 struct l2cap_conn_rsp rsp;
771 u16 result;
772
773 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
774 result = L2CAP_CR_SEC_BLOCK;
775 else
776 result = L2CAP_CR_BAD_PSM;
777
778 l2cap_state_change(chan, BT_DISCONN);
779
780 rsp.scid = cpu_to_le16(chan->dcid);
781 rsp.dcid = cpu_to_le16(chan->scid);
782 rsp.result = cpu_to_le16(result);
783 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
784
785 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
786}
787
788void l2cap_chan_close(struct l2cap_chan *chan, int reason)
789{
790 struct l2cap_conn *conn = chan->conn;
791
792 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
793
794 switch (chan->state) {
795 case BT_LISTEN:
796 chan->ops->teardown(chan, 0);
797 break;
798
799 case BT_CONNECTED:
800 case BT_CONFIG:
801 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
802 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
803 l2cap_send_disconn_req(chan, reason);
804 } else
805 l2cap_chan_del(chan, reason);
806 break;
807
808 case BT_CONNECT2:
809 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
810 if (conn->hcon->type == ACL_LINK)
811 l2cap_chan_connect_reject(chan);
812 else if (conn->hcon->type == LE_LINK) {
813 switch (chan->mode) {
814 case L2CAP_MODE_LE_FLOWCTL:
815 l2cap_chan_le_connect_reject(chan);
816 break;
817 case L2CAP_MODE_EXT_FLOWCTL:
818 l2cap_chan_ecred_connect_reject(chan);
819 break;
820 }
821 }
822 }
823
824 l2cap_chan_del(chan, reason);
825 break;
826
827 case BT_CONNECT:
828 case BT_DISCONN:
829 l2cap_chan_del(chan, reason);
830 break;
831
832 default:
833 chan->ops->teardown(chan, 0);
834 break;
835 }
836}
837EXPORT_SYMBOL(l2cap_chan_close);
838
839static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
840{
841 switch (chan->chan_type) {
842 case L2CAP_CHAN_RAW:
843 switch (chan->sec_level) {
844 case BT_SECURITY_HIGH:
845 case BT_SECURITY_FIPS:
846 return HCI_AT_DEDICATED_BONDING_MITM;
847 case BT_SECURITY_MEDIUM:
848 return HCI_AT_DEDICATED_BONDING;
849 default:
850 return HCI_AT_NO_BONDING;
851 }
852 break;
853 case L2CAP_CHAN_CONN_LESS:
854 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
855 if (chan->sec_level == BT_SECURITY_LOW)
856 chan->sec_level = BT_SECURITY_SDP;
857 }
858 if (chan->sec_level == BT_SECURITY_HIGH ||
859 chan->sec_level == BT_SECURITY_FIPS)
860 return HCI_AT_NO_BONDING_MITM;
861 else
862 return HCI_AT_NO_BONDING;
863 break;
864 case L2CAP_CHAN_CONN_ORIENTED:
865 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
866 if (chan->sec_level == BT_SECURITY_LOW)
867 chan->sec_level = BT_SECURITY_SDP;
868
869 if (chan->sec_level == BT_SECURITY_HIGH ||
870 chan->sec_level == BT_SECURITY_FIPS)
871 return HCI_AT_NO_BONDING_MITM;
872 else
873 return HCI_AT_NO_BONDING;
874 }
875
876 default:
877 switch (chan->sec_level) {
878 case BT_SECURITY_HIGH:
879 case BT_SECURITY_FIPS:
880 return HCI_AT_GENERAL_BONDING_MITM;
881 case BT_SECURITY_MEDIUM:
882 return HCI_AT_GENERAL_BONDING;
883 default:
884 return HCI_AT_NO_BONDING;
885 }
886 break;
887 }
888}
889
890
891int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
892{
893 struct l2cap_conn *conn = chan->conn;
894 __u8 auth_type;
895
896 if (conn->hcon->type == LE_LINK)
897 return smp_conn_security(conn->hcon, chan->sec_level);
898
899 auth_type = l2cap_get_auth_type(chan);
900
901 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
902 initiator);
903}
904
905static u8 l2cap_get_ident(struct l2cap_conn *conn)
906{
907 u8 id;
908
909
910
911
912
913
914
915 mutex_lock(&conn->ident_lock);
916
917 if (++conn->tx_ident > 128)
918 conn->tx_ident = 1;
919
920 id = conn->tx_ident;
921
922 mutex_unlock(&conn->ident_lock);
923
924 return id;
925}
926
927static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
928 void *data)
929{
930 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
931 u8 flags;
932
933 BT_DBG("code 0x%2.2x", code);
934
935 if (!skb)
936 return;
937
938
939
940 if (lmp_no_flush_capable(conn->hcon->hdev) ||
941 conn->hcon->type == LE_LINK)
942 flags = ACL_START_NO_FLUSH;
943 else
944 flags = ACL_START;
945
946 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
947 skb->priority = HCI_PRIO_MAX;
948
949 hci_send_acl(conn->hchan, skb, flags);
950}
951
952static bool __chan_is_moving(struct l2cap_chan *chan)
953{
954 return chan->move_state != L2CAP_MOVE_STABLE &&
955 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
956}
957
958static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
959{
960 struct hci_conn *hcon = chan->conn->hcon;
961 u16 flags;
962
963 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
964 skb->priority);
965
966 if (chan->hs_hcon && !__chan_is_moving(chan)) {
967 if (chan->hs_hchan)
968 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
969 else
970 kfree_skb(skb);
971
972 return;
973 }
974
975
976
977
978
979 if (hcon->type == LE_LINK ||
980 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
981 lmp_no_flush_capable(hcon->hdev)))
982 flags = ACL_START_NO_FLUSH;
983 else
984 flags = ACL_START;
985
986 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
987 hci_send_acl(chan->conn->hchan, skb, flags);
988}
989
990static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
991{
992 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
993 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
994
995 if (enh & L2CAP_CTRL_FRAME_TYPE) {
996
997 control->sframe = 1;
998 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
999 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1000
1001 control->sar = 0;
1002 control->txseq = 0;
1003 } else {
1004
1005 control->sframe = 0;
1006 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1007 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1008
1009 control->poll = 0;
1010 control->super = 0;
1011 }
1012}
1013
1014static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1015{
1016 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1017 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1018
1019 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1020
1021 control->sframe = 1;
1022 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1023 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1024
1025 control->sar = 0;
1026 control->txseq = 0;
1027 } else {
1028
1029 control->sframe = 0;
1030 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1031 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1032
1033 control->poll = 0;
1034 control->super = 0;
1035 }
1036}
1037
1038static inline void __unpack_control(struct l2cap_chan *chan,
1039 struct sk_buff *skb)
1040{
1041 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1042 __unpack_extended_control(get_unaligned_le32(skb->data),
1043 &bt_cb(skb)->l2cap);
1044 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1045 } else {
1046 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1047 &bt_cb(skb)->l2cap);
1048 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1049 }
1050}
1051
1052static u32 __pack_extended_control(struct l2cap_ctrl *control)
1053{
1054 u32 packed;
1055
1056 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1057 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1058
1059 if (control->sframe) {
1060 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1061 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1062 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1063 } else {
1064 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1065 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1066 }
1067
1068 return packed;
1069}
1070
1071static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1072{
1073 u16 packed;
1074
1075 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1076 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1077
1078 if (control->sframe) {
1079 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1080 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1081 packed |= L2CAP_CTRL_FRAME_TYPE;
1082 } else {
1083 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1084 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1085 }
1086
1087 return packed;
1088}
1089
1090static inline void __pack_control(struct l2cap_chan *chan,
1091 struct l2cap_ctrl *control,
1092 struct sk_buff *skb)
1093{
1094 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1095 put_unaligned_le32(__pack_extended_control(control),
1096 skb->data + L2CAP_HDR_SIZE);
1097 } else {
1098 put_unaligned_le16(__pack_enhanced_control(control),
1099 skb->data + L2CAP_HDR_SIZE);
1100 }
1101}
1102
1103static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1104{
1105 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1106 return L2CAP_EXT_HDR_SIZE;
1107 else
1108 return L2CAP_ENH_HDR_SIZE;
1109}
1110
1111static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1112 u32 control)
1113{
1114 struct sk_buff *skb;
1115 struct l2cap_hdr *lh;
1116 int hlen = __ertm_hdr_size(chan);
1117
1118 if (chan->fcs == L2CAP_FCS_CRC16)
1119 hlen += L2CAP_FCS_SIZE;
1120
1121 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1122
1123 if (!skb)
1124 return ERR_PTR(-ENOMEM);
1125
1126 lh = skb_put(skb, L2CAP_HDR_SIZE);
1127 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1128 lh->cid = cpu_to_le16(chan->dcid);
1129
1130 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1131 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1132 else
1133 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1134
1135 if (chan->fcs == L2CAP_FCS_CRC16) {
1136 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1137 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1138 }
1139
1140 skb->priority = HCI_PRIO_MAX;
1141 return skb;
1142}
1143
1144static void l2cap_send_sframe(struct l2cap_chan *chan,
1145 struct l2cap_ctrl *control)
1146{
1147 struct sk_buff *skb;
1148 u32 control_field;
1149
1150 BT_DBG("chan %p, control %p", chan, control);
1151
1152 if (!control->sframe)
1153 return;
1154
1155 if (__chan_is_moving(chan))
1156 return;
1157
1158 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1159 !control->poll)
1160 control->final = 1;
1161
1162 if (control->super == L2CAP_SUPER_RR)
1163 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1164 else if (control->super == L2CAP_SUPER_RNR)
1165 set_bit(CONN_RNR_SENT, &chan->conn_state);
1166
1167 if (control->super != L2CAP_SUPER_SREJ) {
1168 chan->last_acked_seq = control->reqseq;
1169 __clear_ack_timer(chan);
1170 }
1171
1172 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1173 control->final, control->poll, control->super);
1174
1175 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1176 control_field = __pack_extended_control(control);
1177 else
1178 control_field = __pack_enhanced_control(control);
1179
1180 skb = l2cap_create_sframe_pdu(chan, control_field);
1181 if (!IS_ERR(skb))
1182 l2cap_do_send(chan, skb);
1183}
1184
1185static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1186{
1187 struct l2cap_ctrl control;
1188
1189 BT_DBG("chan %p, poll %d", chan, poll);
1190
1191 memset(&control, 0, sizeof(control));
1192 control.sframe = 1;
1193 control.poll = poll;
1194
1195 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1196 control.super = L2CAP_SUPER_RNR;
1197 else
1198 control.super = L2CAP_SUPER_RR;
1199
1200 control.reqseq = chan->buffer_seq;
1201 l2cap_send_sframe(chan, &control);
1202}
1203
1204static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1205{
1206 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1207 return true;
1208
1209 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1210}
1211
1212static bool __amp_capable(struct l2cap_chan *chan)
1213{
1214 struct l2cap_conn *conn = chan->conn;
1215 struct hci_dev *hdev;
1216 bool amp_available = false;
1217
1218 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1219 return false;
1220
1221 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1222 return false;
1223
1224 read_lock(&hci_dev_list_lock);
1225 list_for_each_entry(hdev, &hci_dev_list, list) {
1226 if (hdev->amp_type != AMP_TYPE_BREDR &&
1227 test_bit(HCI_UP, &hdev->flags)) {
1228 amp_available = true;
1229 break;
1230 }
1231 }
1232 read_unlock(&hci_dev_list_lock);
1233
1234 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1235 return amp_available;
1236
1237 return false;
1238}
1239
1240static bool l2cap_check_efs(struct l2cap_chan *chan)
1241{
1242
1243 return true;
1244}
1245
1246void l2cap_send_conn_req(struct l2cap_chan *chan)
1247{
1248 struct l2cap_conn *conn = chan->conn;
1249 struct l2cap_conn_req req;
1250
1251 req.scid = cpu_to_le16(chan->scid);
1252 req.psm = chan->psm;
1253
1254 chan->ident = l2cap_get_ident(conn);
1255
1256 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1257
1258 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1259}
1260
1261static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1262{
1263 struct l2cap_create_chan_req req;
1264 req.scid = cpu_to_le16(chan->scid);
1265 req.psm = chan->psm;
1266 req.amp_id = amp_id;
1267
1268 chan->ident = l2cap_get_ident(chan->conn);
1269
1270 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1271 sizeof(req), &req);
1272}
1273
1274static void l2cap_move_setup(struct l2cap_chan *chan)
1275{
1276 struct sk_buff *skb;
1277
1278 BT_DBG("chan %p", chan);
1279
1280 if (chan->mode != L2CAP_MODE_ERTM)
1281 return;
1282
1283 __clear_retrans_timer(chan);
1284 __clear_monitor_timer(chan);
1285 __clear_ack_timer(chan);
1286
1287 chan->retry_count = 0;
1288 skb_queue_walk(&chan->tx_q, skb) {
1289 if (bt_cb(skb)->l2cap.retries)
1290 bt_cb(skb)->l2cap.retries = 1;
1291 else
1292 break;
1293 }
1294
1295 chan->expected_tx_seq = chan->buffer_seq;
1296
1297 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1298 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1299 l2cap_seq_list_clear(&chan->retrans_list);
1300 l2cap_seq_list_clear(&chan->srej_list);
1301 skb_queue_purge(&chan->srej_q);
1302
1303 chan->tx_state = L2CAP_TX_STATE_XMIT;
1304 chan->rx_state = L2CAP_RX_STATE_MOVE;
1305
1306 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1307}
1308
1309static void l2cap_move_done(struct l2cap_chan *chan)
1310{
1311 u8 move_role = chan->move_role;
1312 BT_DBG("chan %p", chan);
1313
1314 chan->move_state = L2CAP_MOVE_STABLE;
1315 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1316
1317 if (chan->mode != L2CAP_MODE_ERTM)
1318 return;
1319
1320 switch (move_role) {
1321 case L2CAP_MOVE_ROLE_INITIATOR:
1322 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1323 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1324 break;
1325 case L2CAP_MOVE_ROLE_RESPONDER:
1326 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1327 break;
1328 }
1329}
1330
1331static void l2cap_chan_ready(struct l2cap_chan *chan)
1332{
1333
1334
1335
1336
1337 if (chan->state == BT_CONNECTED)
1338 return;
1339
1340
1341 chan->conf_state = 0;
1342 __clear_chan_timer(chan);
1343
1344 switch (chan->mode) {
1345 case L2CAP_MODE_LE_FLOWCTL:
1346 case L2CAP_MODE_EXT_FLOWCTL:
1347 if (!chan->tx_credits)
1348 chan->ops->suspend(chan);
1349 break;
1350 }
1351
1352 chan->state = BT_CONNECTED;
1353
1354 chan->ops->ready(chan);
1355}
1356
1357static void l2cap_le_connect(struct l2cap_chan *chan)
1358{
1359 struct l2cap_conn *conn = chan->conn;
1360 struct l2cap_le_conn_req req;
1361
1362 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1363 return;
1364
1365 if (!chan->imtu)
1366 chan->imtu = chan->conn->mtu;
1367
1368 l2cap_le_flowctl_init(chan, 0);
1369
1370 req.psm = chan->psm;
1371 req.scid = cpu_to_le16(chan->scid);
1372 req.mtu = cpu_to_le16(chan->imtu);
1373 req.mps = cpu_to_le16(chan->mps);
1374 req.credits = cpu_to_le16(chan->rx_credits);
1375
1376 chan->ident = l2cap_get_ident(conn);
1377
1378 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1379 sizeof(req), &req);
1380}
1381
1382struct l2cap_ecred_conn_data {
1383 struct {
1384 struct l2cap_ecred_conn_req req;
1385 __le16 scid[5];
1386 } __packed pdu;
1387 struct l2cap_chan *chan;
1388 struct pid *pid;
1389 int count;
1390};
1391
1392static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1393{
1394 struct l2cap_ecred_conn_data *conn = data;
1395 struct pid *pid;
1396
1397 if (chan == conn->chan)
1398 return;
1399
1400 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1401 return;
1402
1403 pid = chan->ops->get_peer_pid(chan);
1404
1405
1406 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1407 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1408 return;
1409
1410 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1411 return;
1412
1413 l2cap_ecred_init(chan, 0);
1414
1415
1416 chan->ident = conn->chan->ident;
1417
1418
1419 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1420
1421 conn->count++;
1422}
1423
1424static void l2cap_ecred_connect(struct l2cap_chan *chan)
1425{
1426 struct l2cap_conn *conn = chan->conn;
1427 struct l2cap_ecred_conn_data data;
1428
1429 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1430 return;
1431
1432 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1433 return;
1434
1435 l2cap_ecred_init(chan, 0);
1436
1437 data.pdu.req.psm = chan->psm;
1438 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1439 data.pdu.req.mps = cpu_to_le16(chan->mps);
1440 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1441 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1442
1443 chan->ident = l2cap_get_ident(conn);
1444 data.pid = chan->ops->get_peer_pid(chan);
1445
1446 data.count = 1;
1447 data.chan = chan;
1448 data.pid = chan->ops->get_peer_pid(chan);
1449
1450 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1451
1452 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1453 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1454 &data.pdu);
1455}
1456
1457static void l2cap_le_start(struct l2cap_chan *chan)
1458{
1459 struct l2cap_conn *conn = chan->conn;
1460
1461 if (!smp_conn_security(conn->hcon, chan->sec_level))
1462 return;
1463
1464 if (!chan->psm) {
1465 l2cap_chan_ready(chan);
1466 return;
1467 }
1468
1469 if (chan->state == BT_CONNECT) {
1470 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1471 l2cap_ecred_connect(chan);
1472 else
1473 l2cap_le_connect(chan);
1474 }
1475}
1476
1477static void l2cap_start_connection(struct l2cap_chan *chan)
1478{
1479 if (__amp_capable(chan)) {
1480 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1481 a2mp_discover_amp(chan);
1482 } else if (chan->conn->hcon->type == LE_LINK) {
1483 l2cap_le_start(chan);
1484 } else {
1485 l2cap_send_conn_req(chan);
1486 }
1487}
1488
1489static void l2cap_request_info(struct l2cap_conn *conn)
1490{
1491 struct l2cap_info_req req;
1492
1493 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1494 return;
1495
1496 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1497
1498 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1499 conn->info_ident = l2cap_get_ident(conn);
1500
1501 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1502
1503 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1504 sizeof(req), &req);
1505}
1506
1507static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1508{
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1519 hcon->enc_key_size >= hcon->hdev->min_enc_key_size);
1520}
1521
1522static void l2cap_do_start(struct l2cap_chan *chan)
1523{
1524 struct l2cap_conn *conn = chan->conn;
1525
1526 if (conn->hcon->type == LE_LINK) {
1527 l2cap_le_start(chan);
1528 return;
1529 }
1530
1531 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1532 l2cap_request_info(conn);
1533 return;
1534 }
1535
1536 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1537 return;
1538
1539 if (!l2cap_chan_check_security(chan, true) ||
1540 !__l2cap_no_conn_pending(chan))
1541 return;
1542
1543 if (l2cap_check_enc_key_size(conn->hcon))
1544 l2cap_start_connection(chan);
1545 else
1546 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1547}
1548
1549static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1550{
1551 u32 local_feat_mask = l2cap_feat_mask;
1552 if (!disable_ertm)
1553 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1554
1555 switch (mode) {
1556 case L2CAP_MODE_ERTM:
1557 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1558 case L2CAP_MODE_STREAMING:
1559 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1560 default:
1561 return 0x00;
1562 }
1563}
1564
1565static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1566{
1567 struct l2cap_conn *conn = chan->conn;
1568 struct l2cap_disconn_req req;
1569
1570 if (!conn)
1571 return;
1572
1573 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1574 __clear_retrans_timer(chan);
1575 __clear_monitor_timer(chan);
1576 __clear_ack_timer(chan);
1577 }
1578
1579 if (chan->scid == L2CAP_CID_A2MP) {
1580 l2cap_state_change(chan, BT_DISCONN);
1581 return;
1582 }
1583
1584 req.dcid = cpu_to_le16(chan->dcid);
1585 req.scid = cpu_to_le16(chan->scid);
1586 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1587 sizeof(req), &req);
1588
1589 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1590}
1591
1592
1593static void l2cap_conn_start(struct l2cap_conn *conn)
1594{
1595 struct l2cap_chan *chan, *tmp;
1596
1597 BT_DBG("conn %p", conn);
1598
1599 mutex_lock(&conn->chan_lock);
1600
1601 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1602 l2cap_chan_lock(chan);
1603
1604 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1605 l2cap_chan_ready(chan);
1606 l2cap_chan_unlock(chan);
1607 continue;
1608 }
1609
1610 if (chan->state == BT_CONNECT) {
1611 if (!l2cap_chan_check_security(chan, true) ||
1612 !__l2cap_no_conn_pending(chan)) {
1613 l2cap_chan_unlock(chan);
1614 continue;
1615 }
1616
1617 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1618 && test_bit(CONF_STATE2_DEVICE,
1619 &chan->conf_state)) {
1620 l2cap_chan_close(chan, ECONNRESET);
1621 l2cap_chan_unlock(chan);
1622 continue;
1623 }
1624
1625 if (l2cap_check_enc_key_size(conn->hcon))
1626 l2cap_start_connection(chan);
1627 else
1628 l2cap_chan_close(chan, ECONNREFUSED);
1629
1630 } else if (chan->state == BT_CONNECT2) {
1631 struct l2cap_conn_rsp rsp;
1632 char buf[128];
1633 rsp.scid = cpu_to_le16(chan->dcid);
1634 rsp.dcid = cpu_to_le16(chan->scid);
1635
1636 if (l2cap_chan_check_security(chan, false)) {
1637 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1638 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1639 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1640 chan->ops->defer(chan);
1641
1642 } else {
1643 l2cap_state_change(chan, BT_CONFIG);
1644 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1645 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1646 }
1647 } else {
1648 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1649 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1650 }
1651
1652 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1653 sizeof(rsp), &rsp);
1654
1655 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1656 rsp.result != L2CAP_CR_SUCCESS) {
1657 l2cap_chan_unlock(chan);
1658 continue;
1659 }
1660
1661 set_bit(CONF_REQ_SENT, &chan->conf_state);
1662 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1663 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1664 chan->num_conf_req++;
1665 }
1666
1667 l2cap_chan_unlock(chan);
1668 }
1669
1670 mutex_unlock(&conn->chan_lock);
1671}
1672
1673static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1674{
1675 struct hci_conn *hcon = conn->hcon;
1676 struct hci_dev *hdev = hcon->hdev;
1677
1678 BT_DBG("%s conn %p", hdev->name, conn);
1679
1680
1681
1682
1683 if (hcon->out)
1684 smp_conn_security(hcon, hcon->pending_sec_level);
1685
1686
1687
1688
1689
1690
1691 if (hcon->role == HCI_ROLE_SLAVE &&
1692 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1693 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1694 struct l2cap_conn_param_update_req req;
1695
1696 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1697 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1698 req.latency = cpu_to_le16(hcon->le_conn_latency);
1699 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1700
1701 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1702 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1703 }
1704}
1705
1706static void l2cap_conn_ready(struct l2cap_conn *conn)
1707{
1708 struct l2cap_chan *chan;
1709 struct hci_conn *hcon = conn->hcon;
1710
1711 BT_DBG("conn %p", conn);
1712
1713 if (hcon->type == ACL_LINK)
1714 l2cap_request_info(conn);
1715
1716 mutex_lock(&conn->chan_lock);
1717
1718 list_for_each_entry(chan, &conn->chan_l, list) {
1719
1720 l2cap_chan_lock(chan);
1721
1722 if (chan->scid == L2CAP_CID_A2MP) {
1723 l2cap_chan_unlock(chan);
1724 continue;
1725 }
1726
1727 if (hcon->type == LE_LINK) {
1728 l2cap_le_start(chan);
1729 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1730 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1731 l2cap_chan_ready(chan);
1732 } else if (chan->state == BT_CONNECT) {
1733 l2cap_do_start(chan);
1734 }
1735
1736 l2cap_chan_unlock(chan);
1737 }
1738
1739 mutex_unlock(&conn->chan_lock);
1740
1741 if (hcon->type == LE_LINK)
1742 l2cap_le_conn_ready(conn);
1743
1744 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1745}
1746
1747
1748static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1749{
1750 struct l2cap_chan *chan;
1751
1752 BT_DBG("conn %p", conn);
1753
1754 mutex_lock(&conn->chan_lock);
1755
1756 list_for_each_entry(chan, &conn->chan_l, list) {
1757 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1758 l2cap_chan_set_err(chan, err);
1759 }
1760
1761 mutex_unlock(&conn->chan_lock);
1762}
1763
1764static void l2cap_info_timeout(struct work_struct *work)
1765{
1766 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1767 info_timer.work);
1768
1769 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1770 conn->info_ident = 0;
1771
1772 l2cap_conn_start(conn);
1773}
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1789{
1790 struct hci_dev *hdev = conn->hcon->hdev;
1791 int ret;
1792
1793
1794
1795
1796
1797
1798
1799
1800 hci_dev_lock(hdev);
1801
1802 if (!list_empty(&user->list)) {
1803 ret = -EINVAL;
1804 goto out_unlock;
1805 }
1806
1807
1808 if (!conn->hchan) {
1809 ret = -ENODEV;
1810 goto out_unlock;
1811 }
1812
1813 ret = user->probe(conn, user);
1814 if (ret)
1815 goto out_unlock;
1816
1817 list_add(&user->list, &conn->users);
1818 ret = 0;
1819
1820out_unlock:
1821 hci_dev_unlock(hdev);
1822 return ret;
1823}
1824EXPORT_SYMBOL(l2cap_register_user);
1825
1826void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1827{
1828 struct hci_dev *hdev = conn->hcon->hdev;
1829
1830 hci_dev_lock(hdev);
1831
1832 if (list_empty(&user->list))
1833 goto out_unlock;
1834
1835 list_del_init(&user->list);
1836 user->remove(conn, user);
1837
1838out_unlock:
1839 hci_dev_unlock(hdev);
1840}
1841EXPORT_SYMBOL(l2cap_unregister_user);
1842
1843static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1844{
1845 struct l2cap_user *user;
1846
1847 while (!list_empty(&conn->users)) {
1848 user = list_first_entry(&conn->users, struct l2cap_user, list);
1849 list_del_init(&user->list);
1850 user->remove(conn, user);
1851 }
1852}
1853
1854static void l2cap_conn_del(struct hci_conn *hcon, int err)
1855{
1856 struct l2cap_conn *conn = hcon->l2cap_data;
1857 struct l2cap_chan *chan, *l;
1858
1859 if (!conn)
1860 return;
1861
1862 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1863
1864 kfree_skb(conn->rx_skb);
1865
1866 skb_queue_purge(&conn->pending_rx);
1867
1868
1869
1870
1871
1872 if (work_pending(&conn->pending_rx_work))
1873 cancel_work_sync(&conn->pending_rx_work);
1874
1875 if (work_pending(&conn->id_addr_update_work))
1876 cancel_work_sync(&conn->id_addr_update_work);
1877
1878 l2cap_unregister_all_users(conn);
1879
1880
1881 hcon->disc_timeout = 0;
1882
1883 mutex_lock(&conn->chan_lock);
1884
1885
1886 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1887 l2cap_chan_hold(chan);
1888 l2cap_chan_lock(chan);
1889
1890 l2cap_chan_del(chan, err);
1891
1892 chan->ops->close(chan);
1893
1894 l2cap_chan_unlock(chan);
1895 l2cap_chan_put(chan);
1896 }
1897
1898 mutex_unlock(&conn->chan_lock);
1899
1900 hci_chan_del(conn->hchan);
1901
1902 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1903 cancel_delayed_work_sync(&conn->info_timer);
1904
1905 hcon->l2cap_data = NULL;
1906 conn->hchan = NULL;
1907 l2cap_conn_put(conn);
1908}
1909
1910static void l2cap_conn_free(struct kref *ref)
1911{
1912 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1913
1914 hci_conn_put(conn->hcon);
1915 kfree(conn);
1916}
1917
1918struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1919{
1920 kref_get(&conn->ref);
1921 return conn;
1922}
1923EXPORT_SYMBOL(l2cap_conn_get);
1924
1925void l2cap_conn_put(struct l2cap_conn *conn)
1926{
1927 kref_put(&conn->ref, l2cap_conn_free);
1928}
1929EXPORT_SYMBOL(l2cap_conn_put);
1930
1931
1932
1933
1934
1935
1936static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1937 bdaddr_t *src,
1938 bdaddr_t *dst,
1939 u8 link_type)
1940{
1941 struct l2cap_chan *c, *c1 = NULL;
1942
1943 read_lock(&chan_list_lock);
1944
1945 list_for_each_entry(c, &chan_list, global_l) {
1946 if (state && c->state != state)
1947 continue;
1948
1949 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1950 continue;
1951
1952 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1953 continue;
1954
1955 if (c->psm == psm) {
1956 int src_match, dst_match;
1957 int src_any, dst_any;
1958
1959
1960 src_match = !bacmp(&c->src, src);
1961 dst_match = !bacmp(&c->dst, dst);
1962 if (src_match && dst_match) {
1963 l2cap_chan_hold(c);
1964 read_unlock(&chan_list_lock);
1965 return c;
1966 }
1967
1968
1969 src_any = !bacmp(&c->src, BDADDR_ANY);
1970 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1971 if ((src_match && dst_any) || (src_any && dst_match) ||
1972 (src_any && dst_any))
1973 c1 = c;
1974 }
1975 }
1976
1977 if (c1)
1978 l2cap_chan_hold(c1);
1979
1980 read_unlock(&chan_list_lock);
1981
1982 return c1;
1983}
1984
1985static void l2cap_monitor_timeout(struct work_struct *work)
1986{
1987 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1988 monitor_timer.work);
1989
1990 BT_DBG("chan %p", chan);
1991
1992 l2cap_chan_lock(chan);
1993
1994 if (!chan->conn) {
1995 l2cap_chan_unlock(chan);
1996 l2cap_chan_put(chan);
1997 return;
1998 }
1999
2000 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2001
2002 l2cap_chan_unlock(chan);
2003 l2cap_chan_put(chan);
2004}
2005
2006static void l2cap_retrans_timeout(struct work_struct *work)
2007{
2008 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2009 retrans_timer.work);
2010
2011 BT_DBG("chan %p", chan);
2012
2013 l2cap_chan_lock(chan);
2014
2015 if (!chan->conn) {
2016 l2cap_chan_unlock(chan);
2017 l2cap_chan_put(chan);
2018 return;
2019 }
2020
2021 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2022 l2cap_chan_unlock(chan);
2023 l2cap_chan_put(chan);
2024}
2025
2026static void l2cap_streaming_send(struct l2cap_chan *chan,
2027 struct sk_buff_head *skbs)
2028{
2029 struct sk_buff *skb;
2030 struct l2cap_ctrl *control;
2031
2032 BT_DBG("chan %p, skbs %p", chan, skbs);
2033
2034 if (__chan_is_moving(chan))
2035 return;
2036
2037 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2038
2039 while (!skb_queue_empty(&chan->tx_q)) {
2040
2041 skb = skb_dequeue(&chan->tx_q);
2042
2043 bt_cb(skb)->l2cap.retries = 1;
2044 control = &bt_cb(skb)->l2cap;
2045
2046 control->reqseq = 0;
2047 control->txseq = chan->next_tx_seq;
2048
2049 __pack_control(chan, control, skb);
2050
2051 if (chan->fcs == L2CAP_FCS_CRC16) {
2052 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2053 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2054 }
2055
2056 l2cap_do_send(chan, skb);
2057
2058 BT_DBG("Sent txseq %u", control->txseq);
2059
2060 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2061 chan->frames_sent++;
2062 }
2063}
2064
2065static int l2cap_ertm_send(struct l2cap_chan *chan)
2066{
2067 struct sk_buff *skb, *tx_skb;
2068 struct l2cap_ctrl *control;
2069 int sent = 0;
2070
2071 BT_DBG("chan %p", chan);
2072
2073 if (chan->state != BT_CONNECTED)
2074 return -ENOTCONN;
2075
2076 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2077 return 0;
2078
2079 if (__chan_is_moving(chan))
2080 return 0;
2081
2082 while (chan->tx_send_head &&
2083 chan->unacked_frames < chan->remote_tx_win &&
2084 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2085
2086 skb = chan->tx_send_head;
2087
2088 bt_cb(skb)->l2cap.retries = 1;
2089 control = &bt_cb(skb)->l2cap;
2090
2091 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2092 control->final = 1;
2093
2094 control->reqseq = chan->buffer_seq;
2095 chan->last_acked_seq = chan->buffer_seq;
2096 control->txseq = chan->next_tx_seq;
2097
2098 __pack_control(chan, control, skb);
2099
2100 if (chan->fcs == L2CAP_FCS_CRC16) {
2101 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2102 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2103 }
2104
2105
2106
2107
2108 tx_skb = skb_clone(skb, GFP_KERNEL);
2109
2110 if (!tx_skb)
2111 break;
2112
2113 __set_retrans_timer(chan);
2114
2115 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2116 chan->unacked_frames++;
2117 chan->frames_sent++;
2118 sent++;
2119
2120 if (skb_queue_is_last(&chan->tx_q, skb))
2121 chan->tx_send_head = NULL;
2122 else
2123 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2124
2125 l2cap_do_send(chan, tx_skb);
2126 BT_DBG("Sent txseq %u", control->txseq);
2127 }
2128
2129 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2130 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2131
2132 return sent;
2133}
2134
2135static void l2cap_ertm_resend(struct l2cap_chan *chan)
2136{
2137 struct l2cap_ctrl control;
2138 struct sk_buff *skb;
2139 struct sk_buff *tx_skb;
2140 u16 seq;
2141
2142 BT_DBG("chan %p", chan);
2143
2144 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2145 return;
2146
2147 if (__chan_is_moving(chan))
2148 return;
2149
2150 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2151 seq = l2cap_seq_list_pop(&chan->retrans_list);
2152
2153 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2154 if (!skb) {
2155 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2156 seq);
2157 continue;
2158 }
2159
2160 bt_cb(skb)->l2cap.retries++;
2161 control = bt_cb(skb)->l2cap;
2162
2163 if (chan->max_tx != 0 &&
2164 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2165 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2166 l2cap_send_disconn_req(chan, ECONNRESET);
2167 l2cap_seq_list_clear(&chan->retrans_list);
2168 break;
2169 }
2170
2171 control.reqseq = chan->buffer_seq;
2172 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2173 control.final = 1;
2174 else
2175 control.final = 0;
2176
2177 if (skb_cloned(skb)) {
2178
2179
2180
2181 tx_skb = skb_copy(skb, GFP_KERNEL);
2182 } else {
2183 tx_skb = skb_clone(skb, GFP_KERNEL);
2184 }
2185
2186 if (!tx_skb) {
2187 l2cap_seq_list_clear(&chan->retrans_list);
2188 break;
2189 }
2190
2191
2192 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2193 put_unaligned_le32(__pack_extended_control(&control),
2194 tx_skb->data + L2CAP_HDR_SIZE);
2195 } else {
2196 put_unaligned_le16(__pack_enhanced_control(&control),
2197 tx_skb->data + L2CAP_HDR_SIZE);
2198 }
2199
2200
2201 if (chan->fcs == L2CAP_FCS_CRC16) {
2202 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2203 tx_skb->len - L2CAP_FCS_SIZE);
2204 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2205 L2CAP_FCS_SIZE);
2206 }
2207
2208 l2cap_do_send(chan, tx_skb);
2209
2210 BT_DBG("Resent txseq %d", control.txseq);
2211
2212 chan->last_acked_seq = chan->buffer_seq;
2213 }
2214}
2215
2216static void l2cap_retransmit(struct l2cap_chan *chan,
2217 struct l2cap_ctrl *control)
2218{
2219 BT_DBG("chan %p, control %p", chan, control);
2220
2221 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2222 l2cap_ertm_resend(chan);
2223}
2224
2225static void l2cap_retransmit_all(struct l2cap_chan *chan,
2226 struct l2cap_ctrl *control)
2227{
2228 struct sk_buff *skb;
2229
2230 BT_DBG("chan %p, control %p", chan, control);
2231
2232 if (control->poll)
2233 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2234
2235 l2cap_seq_list_clear(&chan->retrans_list);
2236
2237 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2238 return;
2239
2240 if (chan->unacked_frames) {
2241 skb_queue_walk(&chan->tx_q, skb) {
2242 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2243 skb == chan->tx_send_head)
2244 break;
2245 }
2246
2247 skb_queue_walk_from(&chan->tx_q, skb) {
2248 if (skb == chan->tx_send_head)
2249 break;
2250
2251 l2cap_seq_list_append(&chan->retrans_list,
2252 bt_cb(skb)->l2cap.txseq);
2253 }
2254
2255 l2cap_ertm_resend(chan);
2256 }
2257}
2258
2259static void l2cap_send_ack(struct l2cap_chan *chan)
2260{
2261 struct l2cap_ctrl control;
2262 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2263 chan->last_acked_seq);
2264 int threshold;
2265
2266 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2267 chan, chan->last_acked_seq, chan->buffer_seq);
2268
2269 memset(&control, 0, sizeof(control));
2270 control.sframe = 1;
2271
2272 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2273 chan->rx_state == L2CAP_RX_STATE_RECV) {
2274 __clear_ack_timer(chan);
2275 control.super = L2CAP_SUPER_RNR;
2276 control.reqseq = chan->buffer_seq;
2277 l2cap_send_sframe(chan, &control);
2278 } else {
2279 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2280 l2cap_ertm_send(chan);
2281
2282 if (chan->buffer_seq == chan->last_acked_seq)
2283 frames_to_ack = 0;
2284 }
2285
2286
2287
2288
2289 threshold = chan->ack_win;
2290 threshold += threshold << 1;
2291 threshold >>= 2;
2292
2293 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2294 threshold);
2295
2296 if (frames_to_ack >= threshold) {
2297 __clear_ack_timer(chan);
2298 control.super = L2CAP_SUPER_RR;
2299 control.reqseq = chan->buffer_seq;
2300 l2cap_send_sframe(chan, &control);
2301 frames_to_ack = 0;
2302 }
2303
2304 if (frames_to_ack)
2305 __set_ack_timer(chan);
2306 }
2307}
2308
2309static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2310 struct msghdr *msg, int len,
2311 int count, struct sk_buff *skb)
2312{
2313 struct l2cap_conn *conn = chan->conn;
2314 struct sk_buff **frag;
2315 int sent = 0;
2316
2317 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2318 return -EFAULT;
2319
2320 sent += count;
2321 len -= count;
2322
2323
2324 frag = &skb_shinfo(skb)->frag_list;
2325 while (len) {
2326 struct sk_buff *tmp;
2327
2328 count = min_t(unsigned int, conn->mtu, len);
2329
2330 tmp = chan->ops->alloc_skb(chan, 0, count,
2331 msg->msg_flags & MSG_DONTWAIT);
2332 if (IS_ERR(tmp))
2333 return PTR_ERR(tmp);
2334
2335 *frag = tmp;
2336
2337 if (!copy_from_iter_full(skb_put(*frag, count), count,
2338 &msg->msg_iter))
2339 return -EFAULT;
2340
2341 sent += count;
2342 len -= count;
2343
2344 skb->len += (*frag)->len;
2345 skb->data_len += (*frag)->len;
2346
2347 frag = &(*frag)->next;
2348 }
2349
2350 return sent;
2351}
2352
2353static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2354 struct msghdr *msg, size_t len)
2355{
2356 struct l2cap_conn *conn = chan->conn;
2357 struct sk_buff *skb;
2358 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2359 struct l2cap_hdr *lh;
2360
2361 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2362 __le16_to_cpu(chan->psm), len);
2363
2364 count = min_t(unsigned int, (conn->mtu - hlen), len);
2365
2366 skb = chan->ops->alloc_skb(chan, hlen, count,
2367 msg->msg_flags & MSG_DONTWAIT);
2368 if (IS_ERR(skb))
2369 return skb;
2370
2371
2372 lh = skb_put(skb, L2CAP_HDR_SIZE);
2373 lh->cid = cpu_to_le16(chan->dcid);
2374 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2375 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2376
2377 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2378 if (unlikely(err < 0)) {
2379 kfree_skb(skb);
2380 return ERR_PTR(err);
2381 }
2382 return skb;
2383}
2384
2385static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2386 struct msghdr *msg, size_t len)
2387{
2388 struct l2cap_conn *conn = chan->conn;
2389 struct sk_buff *skb;
2390 int err, count;
2391 struct l2cap_hdr *lh;
2392
2393 BT_DBG("chan %p len %zu", chan, len);
2394
2395 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2396
2397 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2398 msg->msg_flags & MSG_DONTWAIT);
2399 if (IS_ERR(skb))
2400 return skb;
2401
2402
2403 lh = skb_put(skb, L2CAP_HDR_SIZE);
2404 lh->cid = cpu_to_le16(chan->dcid);
2405 lh->len = cpu_to_le16(len);
2406
2407 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2408 if (unlikely(err < 0)) {
2409 kfree_skb(skb);
2410 return ERR_PTR(err);
2411 }
2412 return skb;
2413}
2414
2415static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2416 struct msghdr *msg, size_t len,
2417 u16 sdulen)
2418{
2419 struct l2cap_conn *conn = chan->conn;
2420 struct sk_buff *skb;
2421 int err, count, hlen;
2422 struct l2cap_hdr *lh;
2423
2424 BT_DBG("chan %p len %zu", chan, len);
2425
2426 if (!conn)
2427 return ERR_PTR(-ENOTCONN);
2428
2429 hlen = __ertm_hdr_size(chan);
2430
2431 if (sdulen)
2432 hlen += L2CAP_SDULEN_SIZE;
2433
2434 if (chan->fcs == L2CAP_FCS_CRC16)
2435 hlen += L2CAP_FCS_SIZE;
2436
2437 count = min_t(unsigned int, (conn->mtu - hlen), len);
2438
2439 skb = chan->ops->alloc_skb(chan, hlen, count,
2440 msg->msg_flags & MSG_DONTWAIT);
2441 if (IS_ERR(skb))
2442 return skb;
2443
2444
2445 lh = skb_put(skb, L2CAP_HDR_SIZE);
2446 lh->cid = cpu_to_le16(chan->dcid);
2447 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2448
2449
2450 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2451 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2452 else
2453 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2454
2455 if (sdulen)
2456 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2457
2458 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2459 if (unlikely(err < 0)) {
2460 kfree_skb(skb);
2461 return ERR_PTR(err);
2462 }
2463
2464 bt_cb(skb)->l2cap.fcs = chan->fcs;
2465 bt_cb(skb)->l2cap.retries = 0;
2466 return skb;
2467}
2468
2469static int l2cap_segment_sdu(struct l2cap_chan *chan,
2470 struct sk_buff_head *seg_queue,
2471 struct msghdr *msg, size_t len)
2472{
2473 struct sk_buff *skb;
2474 u16 sdu_len;
2475 size_t pdu_len;
2476 u8 sar;
2477
2478 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2479
2480
2481
2482
2483
2484
2485
2486 pdu_len = chan->conn->mtu;
2487
2488
2489 if (!chan->hs_hcon)
2490 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2491
2492
2493 if (chan->fcs)
2494 pdu_len -= L2CAP_FCS_SIZE;
2495
2496 pdu_len -= __ertm_hdr_size(chan);
2497
2498
2499 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2500
2501 if (len <= pdu_len) {
2502 sar = L2CAP_SAR_UNSEGMENTED;
2503 sdu_len = 0;
2504 pdu_len = len;
2505 } else {
2506 sar = L2CAP_SAR_START;
2507 sdu_len = len;
2508 }
2509
2510 while (len > 0) {
2511 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2512
2513 if (IS_ERR(skb)) {
2514 __skb_queue_purge(seg_queue);
2515 return PTR_ERR(skb);
2516 }
2517
2518 bt_cb(skb)->l2cap.sar = sar;
2519 __skb_queue_tail(seg_queue, skb);
2520
2521 len -= pdu_len;
2522 if (sdu_len)
2523 sdu_len = 0;
2524
2525 if (len <= pdu_len) {
2526 sar = L2CAP_SAR_END;
2527 pdu_len = len;
2528 } else {
2529 sar = L2CAP_SAR_CONTINUE;
2530 }
2531 }
2532
2533 return 0;
2534}
2535
2536static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2537 struct msghdr *msg,
2538 size_t len, u16 sdulen)
2539{
2540 struct l2cap_conn *conn = chan->conn;
2541 struct sk_buff *skb;
2542 int err, count, hlen;
2543 struct l2cap_hdr *lh;
2544
2545 BT_DBG("chan %p len %zu", chan, len);
2546
2547 if (!conn)
2548 return ERR_PTR(-ENOTCONN);
2549
2550 hlen = L2CAP_HDR_SIZE;
2551
2552 if (sdulen)
2553 hlen += L2CAP_SDULEN_SIZE;
2554
2555 count = min_t(unsigned int, (conn->mtu - hlen), len);
2556
2557 skb = chan->ops->alloc_skb(chan, hlen, count,
2558 msg->msg_flags & MSG_DONTWAIT);
2559 if (IS_ERR(skb))
2560 return skb;
2561
2562
2563 lh = skb_put(skb, L2CAP_HDR_SIZE);
2564 lh->cid = cpu_to_le16(chan->dcid);
2565 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2566
2567 if (sdulen)
2568 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2569
2570 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2571 if (unlikely(err < 0)) {
2572 kfree_skb(skb);
2573 return ERR_PTR(err);
2574 }
2575
2576 return skb;
2577}
2578
2579static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2580 struct sk_buff_head *seg_queue,
2581 struct msghdr *msg, size_t len)
2582{
2583 struct sk_buff *skb;
2584 size_t pdu_len;
2585 u16 sdu_len;
2586
2587 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2588
2589 sdu_len = len;
2590 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2591
2592 while (len > 0) {
2593 if (len <= pdu_len)
2594 pdu_len = len;
2595
2596 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2597 if (IS_ERR(skb)) {
2598 __skb_queue_purge(seg_queue);
2599 return PTR_ERR(skb);
2600 }
2601
2602 __skb_queue_tail(seg_queue, skb);
2603
2604 len -= pdu_len;
2605
2606 if (sdu_len) {
2607 sdu_len = 0;
2608 pdu_len += L2CAP_SDULEN_SIZE;
2609 }
2610 }
2611
2612 return 0;
2613}
2614
2615static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2616{
2617 int sent = 0;
2618
2619 BT_DBG("chan %p", chan);
2620
2621 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2622 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2623 chan->tx_credits--;
2624 sent++;
2625 }
2626
2627 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2628 skb_queue_len(&chan->tx_q));
2629}
2630
2631int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2632{
2633 struct sk_buff *skb;
2634 int err;
2635 struct sk_buff_head seg_queue;
2636
2637 if (!chan->conn)
2638 return -ENOTCONN;
2639
2640
2641 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2642 skb = l2cap_create_connless_pdu(chan, msg, len);
2643 if (IS_ERR(skb))
2644 return PTR_ERR(skb);
2645
2646
2647
2648
2649 if (chan->state != BT_CONNECTED) {
2650 kfree_skb(skb);
2651 return -ENOTCONN;
2652 }
2653
2654 l2cap_do_send(chan, skb);
2655 return len;
2656 }
2657
2658 switch (chan->mode) {
2659 case L2CAP_MODE_LE_FLOWCTL:
2660 case L2CAP_MODE_EXT_FLOWCTL:
2661
2662 if (len > chan->omtu)
2663 return -EMSGSIZE;
2664
2665 __skb_queue_head_init(&seg_queue);
2666
2667 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2668
2669 if (chan->state != BT_CONNECTED) {
2670 __skb_queue_purge(&seg_queue);
2671 err = -ENOTCONN;
2672 }
2673
2674 if (err)
2675 return err;
2676
2677 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2678
2679 l2cap_le_flowctl_send(chan);
2680
2681 if (!chan->tx_credits)
2682 chan->ops->suspend(chan);
2683
2684 err = len;
2685
2686 break;
2687
2688 case L2CAP_MODE_BASIC:
2689
2690 if (len > chan->omtu)
2691 return -EMSGSIZE;
2692
2693
2694 skb = l2cap_create_basic_pdu(chan, msg, len);
2695 if (IS_ERR(skb))
2696 return PTR_ERR(skb);
2697
2698
2699
2700
2701 if (chan->state != BT_CONNECTED) {
2702 kfree_skb(skb);
2703 return -ENOTCONN;
2704 }
2705
2706 l2cap_do_send(chan, skb);
2707 err = len;
2708 break;
2709
2710 case L2CAP_MODE_ERTM:
2711 case L2CAP_MODE_STREAMING:
2712
2713 if (len > chan->omtu) {
2714 err = -EMSGSIZE;
2715 break;
2716 }
2717
2718 __skb_queue_head_init(&seg_queue);
2719
2720
2721
2722
2723
2724 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2725
2726
2727
2728
2729 if (chan->state != BT_CONNECTED) {
2730 __skb_queue_purge(&seg_queue);
2731 err = -ENOTCONN;
2732 }
2733
2734 if (err)
2735 break;
2736
2737 if (chan->mode == L2CAP_MODE_ERTM)
2738 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2739 else
2740 l2cap_streaming_send(chan, &seg_queue);
2741
2742 err = len;
2743
2744
2745
2746
2747 __skb_queue_purge(&seg_queue);
2748 break;
2749
2750 default:
2751 BT_DBG("bad state %1.1x", chan->mode);
2752 err = -EBADFD;
2753 }
2754
2755 return err;
2756}
2757EXPORT_SYMBOL_GPL(l2cap_chan_send);
2758
2759static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2760{
2761 struct l2cap_ctrl control;
2762 u16 seq;
2763
2764 BT_DBG("chan %p, txseq %u", chan, txseq);
2765
2766 memset(&control, 0, sizeof(control));
2767 control.sframe = 1;
2768 control.super = L2CAP_SUPER_SREJ;
2769
2770 for (seq = chan->expected_tx_seq; seq != txseq;
2771 seq = __next_seq(chan, seq)) {
2772 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2773 control.reqseq = seq;
2774 l2cap_send_sframe(chan, &control);
2775 l2cap_seq_list_append(&chan->srej_list, seq);
2776 }
2777 }
2778
2779 chan->expected_tx_seq = __next_seq(chan, txseq);
2780}
2781
2782static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2783{
2784 struct l2cap_ctrl control;
2785
2786 BT_DBG("chan %p", chan);
2787
2788 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2789 return;
2790
2791 memset(&control, 0, sizeof(control));
2792 control.sframe = 1;
2793 control.super = L2CAP_SUPER_SREJ;
2794 control.reqseq = chan->srej_list.tail;
2795 l2cap_send_sframe(chan, &control);
2796}
2797
2798static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2799{
2800 struct l2cap_ctrl control;
2801 u16 initial_head;
2802 u16 seq;
2803
2804 BT_DBG("chan %p, txseq %u", chan, txseq);
2805
2806 memset(&control, 0, sizeof(control));
2807 control.sframe = 1;
2808 control.super = L2CAP_SUPER_SREJ;
2809
2810
2811 initial_head = chan->srej_list.head;
2812
2813 do {
2814 seq = l2cap_seq_list_pop(&chan->srej_list);
2815 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2816 break;
2817
2818 control.reqseq = seq;
2819 l2cap_send_sframe(chan, &control);
2820 l2cap_seq_list_append(&chan->srej_list, seq);
2821 } while (chan->srej_list.head != initial_head);
2822}
2823
2824static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2825{
2826 struct sk_buff *acked_skb;
2827 u16 ackseq;
2828
2829 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2830
2831 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2832 return;
2833
2834 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2835 chan->expected_ack_seq, chan->unacked_frames);
2836
2837 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2838 ackseq = __next_seq(chan, ackseq)) {
2839
2840 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2841 if (acked_skb) {
2842 skb_unlink(acked_skb, &chan->tx_q);
2843 kfree_skb(acked_skb);
2844 chan->unacked_frames--;
2845 }
2846 }
2847
2848 chan->expected_ack_seq = reqseq;
2849
2850 if (chan->unacked_frames == 0)
2851 __clear_retrans_timer(chan);
2852
2853 BT_DBG("unacked_frames %u", chan->unacked_frames);
2854}
2855
2856static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2857{
2858 BT_DBG("chan %p", chan);
2859
2860 chan->expected_tx_seq = chan->buffer_seq;
2861 l2cap_seq_list_clear(&chan->srej_list);
2862 skb_queue_purge(&chan->srej_q);
2863 chan->rx_state = L2CAP_RX_STATE_RECV;
2864}
2865
2866static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2867 struct l2cap_ctrl *control,
2868 struct sk_buff_head *skbs, u8 event)
2869{
2870 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2871 event);
2872
2873 switch (event) {
2874 case L2CAP_EV_DATA_REQUEST:
2875 if (chan->tx_send_head == NULL)
2876 chan->tx_send_head = skb_peek(skbs);
2877
2878 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2879 l2cap_ertm_send(chan);
2880 break;
2881 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2882 BT_DBG("Enter LOCAL_BUSY");
2883 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2884
2885 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2886
2887
2888
2889 l2cap_abort_rx_srej_sent(chan);
2890 }
2891
2892 l2cap_send_ack(chan);
2893
2894 break;
2895 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2896 BT_DBG("Exit LOCAL_BUSY");
2897 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2898
2899 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2900 struct l2cap_ctrl local_control;
2901
2902 memset(&local_control, 0, sizeof(local_control));
2903 local_control.sframe = 1;
2904 local_control.super = L2CAP_SUPER_RR;
2905 local_control.poll = 1;
2906 local_control.reqseq = chan->buffer_seq;
2907 l2cap_send_sframe(chan, &local_control);
2908
2909 chan->retry_count = 1;
2910 __set_monitor_timer(chan);
2911 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2912 }
2913 break;
2914 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2915 l2cap_process_reqseq(chan, control->reqseq);
2916 break;
2917 case L2CAP_EV_EXPLICIT_POLL:
2918 l2cap_send_rr_or_rnr(chan, 1);
2919 chan->retry_count = 1;
2920 __set_monitor_timer(chan);
2921 __clear_ack_timer(chan);
2922 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2923 break;
2924 case L2CAP_EV_RETRANS_TO:
2925 l2cap_send_rr_or_rnr(chan, 1);
2926 chan->retry_count = 1;
2927 __set_monitor_timer(chan);
2928 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2929 break;
2930 case L2CAP_EV_RECV_FBIT:
2931
2932 break;
2933 default:
2934 break;
2935 }
2936}
2937
2938static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2939 struct l2cap_ctrl *control,
2940 struct sk_buff_head *skbs, u8 event)
2941{
2942 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2943 event);
2944
2945 switch (event) {
2946 case L2CAP_EV_DATA_REQUEST:
2947 if (chan->tx_send_head == NULL)
2948 chan->tx_send_head = skb_peek(skbs);
2949
2950 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2951 break;
2952 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2953 BT_DBG("Enter LOCAL_BUSY");
2954 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2955
2956 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2957
2958
2959
2960 l2cap_abort_rx_srej_sent(chan);
2961 }
2962
2963 l2cap_send_ack(chan);
2964
2965 break;
2966 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2967 BT_DBG("Exit LOCAL_BUSY");
2968 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2969
2970 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2971 struct l2cap_ctrl local_control;
2972 memset(&local_control, 0, sizeof(local_control));
2973 local_control.sframe = 1;
2974 local_control.super = L2CAP_SUPER_RR;
2975 local_control.poll = 1;
2976 local_control.reqseq = chan->buffer_seq;
2977 l2cap_send_sframe(chan, &local_control);
2978
2979 chan->retry_count = 1;
2980 __set_monitor_timer(chan);
2981 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2982 }
2983 break;
2984 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2985 l2cap_process_reqseq(chan, control->reqseq);
2986
2987
2988
2989 case L2CAP_EV_RECV_FBIT:
2990 if (control && control->final) {
2991 __clear_monitor_timer(chan);
2992 if (chan->unacked_frames > 0)
2993 __set_retrans_timer(chan);
2994 chan->retry_count = 0;
2995 chan->tx_state = L2CAP_TX_STATE_XMIT;
2996 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2997 }
2998 break;
2999 case L2CAP_EV_EXPLICIT_POLL:
3000
3001 break;
3002 case L2CAP_EV_MONITOR_TO:
3003 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3004 l2cap_send_rr_or_rnr(chan, 1);
3005 __set_monitor_timer(chan);
3006 chan->retry_count++;
3007 } else {
3008 l2cap_send_disconn_req(chan, ECONNABORTED);
3009 }
3010 break;
3011 default:
3012 break;
3013 }
3014}
3015
3016static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3017 struct sk_buff_head *skbs, u8 event)
3018{
3019 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3020 chan, control, skbs, event, chan->tx_state);
3021
3022 switch (chan->tx_state) {
3023 case L2CAP_TX_STATE_XMIT:
3024 l2cap_tx_state_xmit(chan, control, skbs, event);
3025 break;
3026 case L2CAP_TX_STATE_WAIT_F:
3027 l2cap_tx_state_wait_f(chan, control, skbs, event);
3028 break;
3029 default:
3030
3031 break;
3032 }
3033}
3034
3035static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3036 struct l2cap_ctrl *control)
3037{
3038 BT_DBG("chan %p, control %p", chan, control);
3039 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3040}
3041
3042static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3043 struct l2cap_ctrl *control)
3044{
3045 BT_DBG("chan %p, control %p", chan, control);
3046 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3047}
3048
3049
3050static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3051{
3052 struct sk_buff *nskb;
3053 struct l2cap_chan *chan;
3054
3055 BT_DBG("conn %p", conn);
3056
3057 mutex_lock(&conn->chan_lock);
3058
3059 list_for_each_entry(chan, &conn->chan_l, list) {
3060 if (chan->chan_type != L2CAP_CHAN_RAW)
3061 continue;
3062
3063
3064 if (bt_cb(skb)->l2cap.chan == chan)
3065 continue;
3066
3067 nskb = skb_clone(skb, GFP_KERNEL);
3068 if (!nskb)
3069 continue;
3070 if (chan->ops->recv(chan, nskb))
3071 kfree_skb(nskb);
3072 }
3073
3074 mutex_unlock(&conn->chan_lock);
3075}
3076
3077
3078static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3079 u8 ident, u16 dlen, void *data)
3080{
3081 struct sk_buff *skb, **frag;
3082 struct l2cap_cmd_hdr *cmd;
3083 struct l2cap_hdr *lh;
3084 int len, count;
3085
3086 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3087 conn, code, ident, dlen);
3088
3089 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3090 return NULL;
3091
3092 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3093 count = min_t(unsigned int, conn->mtu, len);
3094
3095 skb = bt_skb_alloc(count, GFP_KERNEL);
3096 if (!skb)
3097 return NULL;
3098
3099 lh = skb_put(skb, L2CAP_HDR_SIZE);
3100 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3101
3102 if (conn->hcon->type == LE_LINK)
3103 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3104 else
3105 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
3106
3107 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
3108 cmd->code = code;
3109 cmd->ident = ident;
3110 cmd->len = cpu_to_le16(dlen);
3111
3112 if (dlen) {
3113 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3114 skb_put_data(skb, data, count);
3115 data += count;
3116 }
3117
3118 len -= skb->len;
3119
3120
3121 frag = &skb_shinfo(skb)->frag_list;
3122 while (len) {
3123 count = min_t(unsigned int, conn->mtu, len);
3124
3125 *frag = bt_skb_alloc(count, GFP_KERNEL);
3126 if (!*frag)
3127 goto fail;
3128
3129 skb_put_data(*frag, data, count);
3130
3131 len -= count;
3132 data += count;
3133
3134 frag = &(*frag)->next;
3135 }
3136
3137 return skb;
3138
3139fail:
3140 kfree_skb(skb);
3141 return NULL;
3142}
3143
3144static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3145 unsigned long *val)
3146{
3147 struct l2cap_conf_opt *opt = *ptr;
3148 int len;
3149
3150 len = L2CAP_CONF_OPT_SIZE + opt->len;
3151 *ptr += len;
3152
3153 *type = opt->type;
3154 *olen = opt->len;
3155
3156 switch (opt->len) {
3157 case 1:
3158 *val = *((u8 *) opt->val);
3159 break;
3160
3161 case 2:
3162 *val = get_unaligned_le16(opt->val);
3163 break;
3164
3165 case 4:
3166 *val = get_unaligned_le32(opt->val);
3167 break;
3168
3169 default:
3170 *val = (unsigned long) opt->val;
3171 break;
3172 }
3173
3174 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3175 return len;
3176}
3177
3178static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3179{
3180 struct l2cap_conf_opt *opt = *ptr;
3181
3182 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3183
3184 if (size < L2CAP_CONF_OPT_SIZE + len)
3185 return;
3186
3187 opt->type = type;
3188 opt->len = len;
3189
3190 switch (len) {
3191 case 1:
3192 *((u8 *) opt->val) = val;
3193 break;
3194
3195 case 2:
3196 put_unaligned_le16(val, opt->val);
3197 break;
3198
3199 case 4:
3200 put_unaligned_le32(val, opt->val);
3201 break;
3202
3203 default:
3204 memcpy(opt->val, (void *) val, len);
3205 break;
3206 }
3207
3208 *ptr += L2CAP_CONF_OPT_SIZE + len;
3209}
3210
3211static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3212{
3213 struct l2cap_conf_efs efs;
3214
3215 switch (chan->mode) {
3216 case L2CAP_MODE_ERTM:
3217 efs.id = chan->local_id;
3218 efs.stype = chan->local_stype;
3219 efs.msdu = cpu_to_le16(chan->local_msdu);
3220 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3221 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3222 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3223 break;
3224
3225 case L2CAP_MODE_STREAMING:
3226 efs.id = 1;
3227 efs.stype = L2CAP_SERV_BESTEFFORT;
3228 efs.msdu = cpu_to_le16(chan->local_msdu);
3229 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3230 efs.acc_lat = 0;
3231 efs.flush_to = 0;
3232 break;
3233
3234 default:
3235 return;
3236 }
3237
3238 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3239 (unsigned long) &efs, size);
3240}
3241
3242static void l2cap_ack_timeout(struct work_struct *work)
3243{
3244 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3245 ack_timer.work);
3246 u16 frames_to_ack;
3247
3248 BT_DBG("chan %p", chan);
3249
3250 l2cap_chan_lock(chan);
3251
3252 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3253 chan->last_acked_seq);
3254
3255 if (frames_to_ack)
3256 l2cap_send_rr_or_rnr(chan, 0);
3257
3258 l2cap_chan_unlock(chan);
3259 l2cap_chan_put(chan);
3260}
3261
3262int l2cap_ertm_init(struct l2cap_chan *chan)
3263{
3264 int err;
3265
3266 chan->next_tx_seq = 0;
3267 chan->expected_tx_seq = 0;
3268 chan->expected_ack_seq = 0;
3269 chan->unacked_frames = 0;
3270 chan->buffer_seq = 0;
3271 chan->frames_sent = 0;
3272 chan->last_acked_seq = 0;
3273 chan->sdu = NULL;
3274 chan->sdu_last_frag = NULL;
3275 chan->sdu_len = 0;
3276
3277 skb_queue_head_init(&chan->tx_q);
3278
3279 chan->local_amp_id = AMP_ID_BREDR;
3280 chan->move_id = AMP_ID_BREDR;
3281 chan->move_state = L2CAP_MOVE_STABLE;
3282 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3283
3284 if (chan->mode != L2CAP_MODE_ERTM)
3285 return 0;
3286
3287 chan->rx_state = L2CAP_RX_STATE_RECV;
3288 chan->tx_state = L2CAP_TX_STATE_XMIT;
3289
3290 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3291 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3292 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3293
3294 skb_queue_head_init(&chan->srej_q);
3295
3296 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3297 if (err < 0)
3298 return err;
3299
3300 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3301 if (err < 0)
3302 l2cap_seq_list_free(&chan->srej_list);
3303
3304 return err;
3305}
3306
3307static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3308{
3309 switch (mode) {
3310 case L2CAP_MODE_STREAMING:
3311 case L2CAP_MODE_ERTM:
3312 if (l2cap_mode_supported(mode, remote_feat_mask))
3313 return mode;
3314
3315 default:
3316 return L2CAP_MODE_BASIC;
3317 }
3318}
3319
3320static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3321{
3322 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3323 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3324}
3325
3326static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3327{
3328 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3329 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3330}
3331
3332static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3333 struct l2cap_conf_rfc *rfc)
3334{
3335 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3336 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3352
3353
3354
3355
3356
3357 ertm_to = 3 * ertm_to + 500;
3358
3359 if (ertm_to > 0xffff)
3360 ertm_to = 0xffff;
3361
3362 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3363 rfc->monitor_timeout = rfc->retrans_timeout;
3364 } else {
3365 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3366 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3367 }
3368}
3369
3370static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3371{
3372 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3373 __l2cap_ews_supported(chan->conn)) {
3374
3375 set_bit(FLAG_EXT_CTRL, &chan->flags);
3376 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3377 } else {
3378 chan->tx_win = min_t(u16, chan->tx_win,
3379 L2CAP_DEFAULT_TX_WINDOW);
3380 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3381 }
3382 chan->ack_win = chan->tx_win;
3383}
3384
3385static void l2cap_mtu_auto(struct l2cap_chan *chan)
3386{
3387 struct hci_conn *conn = chan->conn->hcon;
3388
3389 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3390
3391
3392
3393
3394 if (!(conn->pkt_type & HCI_2DH1))
3395 chan->imtu = 54;
3396
3397
3398
3399
3400 if (!(conn->pkt_type & HCI_3DH1))
3401 chan->imtu = 83;
3402
3403
3404
3405
3406 if (!(conn->pkt_type & HCI_2DH3))
3407 chan->imtu = 367;
3408
3409
3410
3411
3412 if (!(conn->pkt_type & HCI_3DH3))
3413 chan->imtu = 552;
3414
3415
3416
3417
3418 if (!(conn->pkt_type & HCI_2DH5))
3419 chan->imtu = 679;
3420
3421
3422
3423
3424 if (!(conn->pkt_type & HCI_3DH5))
3425 chan->imtu = 1021;
3426}
3427
3428static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3429{
3430 struct l2cap_conf_req *req = data;
3431 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3432 void *ptr = req->data;
3433 void *endptr = data + data_size;
3434 u16 size;
3435
3436 BT_DBG("chan %p", chan);
3437
3438 if (chan->num_conf_req || chan->num_conf_rsp)
3439 goto done;
3440
3441 switch (chan->mode) {
3442 case L2CAP_MODE_STREAMING:
3443 case L2CAP_MODE_ERTM:
3444 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3445 break;
3446
3447 if (__l2cap_efs_supported(chan->conn))
3448 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3449
3450
3451 default:
3452 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3453 break;
3454 }
3455
3456done:
3457 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3458 if (!chan->imtu)
3459 l2cap_mtu_auto(chan);
3460 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3461 endptr - ptr);
3462 }
3463
3464 switch (chan->mode) {
3465 case L2CAP_MODE_BASIC:
3466 if (disable_ertm)
3467 break;
3468
3469 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3470 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3471 break;
3472
3473 rfc.mode = L2CAP_MODE_BASIC;
3474 rfc.txwin_size = 0;
3475 rfc.max_transmit = 0;
3476 rfc.retrans_timeout = 0;
3477 rfc.monitor_timeout = 0;
3478 rfc.max_pdu_size = 0;
3479
3480 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3481 (unsigned long) &rfc, endptr - ptr);
3482 break;
3483
3484 case L2CAP_MODE_ERTM:
3485 rfc.mode = L2CAP_MODE_ERTM;
3486 rfc.max_transmit = chan->max_tx;
3487
3488 __l2cap_set_ertm_timeouts(chan, &rfc);
3489
3490 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3491 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3492 L2CAP_FCS_SIZE);
3493 rfc.max_pdu_size = cpu_to_le16(size);
3494
3495 l2cap_txwin_setup(chan);
3496
3497 rfc.txwin_size = min_t(u16, chan->tx_win,
3498 L2CAP_DEFAULT_TX_WINDOW);
3499
3500 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3501 (unsigned long) &rfc, endptr - ptr);
3502
3503 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3504 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3505
3506 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3508 chan->tx_win, endptr - ptr);
3509
3510 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3511 if (chan->fcs == L2CAP_FCS_NONE ||
3512 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3513 chan->fcs = L2CAP_FCS_NONE;
3514 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3515 chan->fcs, endptr - ptr);
3516 }
3517 break;
3518
3519 case L2CAP_MODE_STREAMING:
3520 l2cap_txwin_setup(chan);
3521 rfc.mode = L2CAP_MODE_STREAMING;
3522 rfc.txwin_size = 0;
3523 rfc.max_transmit = 0;
3524 rfc.retrans_timeout = 0;
3525 rfc.monitor_timeout = 0;
3526
3527 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3528 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3529 L2CAP_FCS_SIZE);
3530 rfc.max_pdu_size = cpu_to_le16(size);
3531
3532 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3533 (unsigned long) &rfc, endptr - ptr);
3534
3535 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3536 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3537
3538 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3539 if (chan->fcs == L2CAP_FCS_NONE ||
3540 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3541 chan->fcs = L2CAP_FCS_NONE;
3542 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3543 chan->fcs, endptr - ptr);
3544 }
3545 break;
3546 }
3547
3548 req->dcid = cpu_to_le16(chan->dcid);
3549 req->flags = cpu_to_le16(0);
3550
3551 return ptr - data;
3552}
3553
3554static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3555{
3556 struct l2cap_conf_rsp *rsp = data;
3557 void *ptr = rsp->data;
3558 void *endptr = data + data_size;
3559 void *req = chan->conf_req;
3560 int len = chan->conf_len;
3561 int type, hint, olen;
3562 unsigned long val;
3563 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3564 struct l2cap_conf_efs efs;
3565 u8 remote_efs = 0;
3566 u16 mtu = L2CAP_DEFAULT_MTU;
3567 u16 result = L2CAP_CONF_SUCCESS;
3568 u16 size;
3569
3570 BT_DBG("chan %p", chan);
3571
3572 while (len >= L2CAP_CONF_OPT_SIZE) {
3573 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3574 if (len < 0)
3575 break;
3576
3577 hint = type & L2CAP_CONF_HINT;
3578 type &= L2CAP_CONF_MASK;
3579
3580 switch (type) {
3581 case L2CAP_CONF_MTU:
3582 if (olen != 2)
3583 break;
3584 mtu = val;
3585 break;
3586
3587 case L2CAP_CONF_FLUSH_TO:
3588 if (olen != 2)
3589 break;
3590 chan->flush_to = val;
3591 break;
3592
3593 case L2CAP_CONF_QOS:
3594 break;
3595
3596 case L2CAP_CONF_RFC:
3597 if (olen != sizeof(rfc))
3598 break;
3599 memcpy(&rfc, (void *) val, olen);
3600 break;
3601
3602 case L2CAP_CONF_FCS:
3603 if (olen != 1)
3604 break;
3605 if (val == L2CAP_FCS_NONE)
3606 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3607 break;
3608
3609 case L2CAP_CONF_EFS:
3610 if (olen != sizeof(efs))
3611 break;
3612 remote_efs = 1;
3613 memcpy(&efs, (void *) val, olen);
3614 break;
3615
3616 case L2CAP_CONF_EWS:
3617 if (olen != 2)
3618 break;
3619 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3620 return -ECONNREFUSED;
3621 set_bit(FLAG_EXT_CTRL, &chan->flags);
3622 set_bit(CONF_EWS_RECV, &chan->conf_state);
3623 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3624 chan->remote_tx_win = val;
3625 break;
3626
3627 default:
3628 if (hint)
3629 break;
3630 result = L2CAP_CONF_UNKNOWN;
3631 *((u8 *) ptr++) = type;
3632 break;
3633 }
3634 }
3635
3636 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3637 goto done;
3638
3639 switch (chan->mode) {
3640 case L2CAP_MODE_STREAMING:
3641 case L2CAP_MODE_ERTM:
3642 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3643 chan->mode = l2cap_select_mode(rfc.mode,
3644 chan->conn->feat_mask);
3645 break;
3646 }
3647
3648 if (remote_efs) {
3649 if (__l2cap_efs_supported(chan->conn))
3650 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3651 else
3652 return -ECONNREFUSED;
3653 }
3654
3655 if (chan->mode != rfc.mode)
3656 return -ECONNREFUSED;
3657
3658 break;
3659 }
3660
3661done:
3662 if (chan->mode != rfc.mode) {
3663 result = L2CAP_CONF_UNACCEPT;
3664 rfc.mode = chan->mode;
3665
3666 if (chan->num_conf_rsp == 1)
3667 return -ECONNREFUSED;
3668
3669 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3670 (unsigned long) &rfc, endptr - ptr);
3671 }
3672
3673 if (result == L2CAP_CONF_SUCCESS) {
3674
3675
3676
3677 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3678 result = L2CAP_CONF_UNACCEPT;
3679 else {
3680 chan->omtu = mtu;
3681 set_bit(CONF_MTU_DONE, &chan->conf_state);
3682 }
3683 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3684
3685 if (remote_efs) {
3686 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3687 efs.stype != L2CAP_SERV_NOTRAFIC &&
3688 efs.stype != chan->local_stype) {
3689
3690 result = L2CAP_CONF_UNACCEPT;
3691
3692 if (chan->num_conf_req >= 1)
3693 return -ECONNREFUSED;
3694
3695 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3696 sizeof(efs),
3697 (unsigned long) &efs, endptr - ptr);
3698 } else {
3699
3700 result = L2CAP_CONF_PENDING;
3701 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3702 }
3703 }
3704
3705 switch (rfc.mode) {
3706 case L2CAP_MODE_BASIC:
3707 chan->fcs = L2CAP_FCS_NONE;
3708 set_bit(CONF_MODE_DONE, &chan->conf_state);
3709 break;
3710
3711 case L2CAP_MODE_ERTM:
3712 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3713 chan->remote_tx_win = rfc.txwin_size;
3714 else
3715 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3716
3717 chan->remote_max_tx = rfc.max_transmit;
3718
3719 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3720 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3721 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3722 rfc.max_pdu_size = cpu_to_le16(size);
3723 chan->remote_mps = size;
3724
3725 __l2cap_set_ertm_timeouts(chan, &rfc);
3726
3727 set_bit(CONF_MODE_DONE, &chan->conf_state);
3728
3729 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3730 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3731
3732 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3733 chan->remote_id = efs.id;
3734 chan->remote_stype = efs.stype;
3735 chan->remote_msdu = le16_to_cpu(efs.msdu);
3736 chan->remote_flush_to =
3737 le32_to_cpu(efs.flush_to);
3738 chan->remote_acc_lat =
3739 le32_to_cpu(efs.acc_lat);
3740 chan->remote_sdu_itime =
3741 le32_to_cpu(efs.sdu_itime);
3742 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3743 sizeof(efs),
3744 (unsigned long) &efs, endptr - ptr);
3745 }
3746 break;
3747
3748 case L2CAP_MODE_STREAMING:
3749 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3750 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3751 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3752 rfc.max_pdu_size = cpu_to_le16(size);
3753 chan->remote_mps = size;
3754
3755 set_bit(CONF_MODE_DONE, &chan->conf_state);
3756
3757 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3758 (unsigned long) &rfc, endptr - ptr);
3759
3760 break;
3761
3762 default:
3763 result = L2CAP_CONF_UNACCEPT;
3764
3765 memset(&rfc, 0, sizeof(rfc));
3766 rfc.mode = chan->mode;
3767 }
3768
3769 if (result == L2CAP_CONF_SUCCESS)
3770 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3771 }
3772 rsp->scid = cpu_to_le16(chan->dcid);
3773 rsp->result = cpu_to_le16(result);
3774 rsp->flags = cpu_to_le16(0);
3775
3776 return ptr - data;
3777}
3778
3779static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3780 void *data, size_t size, u16 *result)
3781{
3782 struct l2cap_conf_req *req = data;
3783 void *ptr = req->data;
3784 void *endptr = data + size;
3785 int type, olen;
3786 unsigned long val;
3787 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3788 struct l2cap_conf_efs efs;
3789
3790 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3791
3792 while (len >= L2CAP_CONF_OPT_SIZE) {
3793 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3794 if (len < 0)
3795 break;
3796
3797 switch (type) {
3798 case L2CAP_CONF_MTU:
3799 if (olen != 2)
3800 break;
3801 if (val < L2CAP_DEFAULT_MIN_MTU) {
3802 *result = L2CAP_CONF_UNACCEPT;
3803 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3804 } else
3805 chan->imtu = val;
3806 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3807 endptr - ptr);
3808 break;
3809
3810 case L2CAP_CONF_FLUSH_TO:
3811 if (olen != 2)
3812 break;
3813 chan->flush_to = val;
3814 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3815 chan->flush_to, endptr - ptr);
3816 break;
3817
3818 case L2CAP_CONF_RFC:
3819 if (olen != sizeof(rfc))
3820 break;
3821 memcpy(&rfc, (void *)val, olen);
3822 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3823 rfc.mode != chan->mode)
3824 return -ECONNREFUSED;
3825 chan->fcs = 0;
3826 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3827 (unsigned long) &rfc, endptr - ptr);
3828 break;
3829
3830 case L2CAP_CONF_EWS:
3831 if (olen != 2)
3832 break;
3833 chan->ack_win = min_t(u16, val, chan->ack_win);
3834 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3835 chan->tx_win, endptr - ptr);
3836 break;
3837
3838 case L2CAP_CONF_EFS:
3839 if (olen != sizeof(efs))
3840 break;
3841 memcpy(&efs, (void *)val, olen);
3842 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3843 efs.stype != L2CAP_SERV_NOTRAFIC &&
3844 efs.stype != chan->local_stype)
3845 return -ECONNREFUSED;
3846 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3847 (unsigned long) &efs, endptr - ptr);
3848 break;
3849
3850 case L2CAP_CONF_FCS:
3851 if (olen != 1)
3852 break;
3853 if (*result == L2CAP_CONF_PENDING)
3854 if (val == L2CAP_FCS_NONE)
3855 set_bit(CONF_RECV_NO_FCS,
3856 &chan->conf_state);
3857 break;
3858 }
3859 }
3860
3861 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3862 return -ECONNREFUSED;
3863
3864 chan->mode = rfc.mode;
3865
3866 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3867 switch (rfc.mode) {
3868 case L2CAP_MODE_ERTM:
3869 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3870 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3871 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3872 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3873 chan->ack_win = min_t(u16, chan->ack_win,
3874 rfc.txwin_size);
3875
3876 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3877 chan->local_msdu = le16_to_cpu(efs.msdu);
3878 chan->local_sdu_itime =
3879 le32_to_cpu(efs.sdu_itime);
3880 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3881 chan->local_flush_to =
3882 le32_to_cpu(efs.flush_to);
3883 }
3884 break;
3885
3886 case L2CAP_MODE_STREAMING:
3887 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3888 }
3889 }
3890
3891 req->dcid = cpu_to_le16(chan->dcid);
3892 req->flags = cpu_to_le16(0);
3893
3894 return ptr - data;
3895}
3896
3897static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3898 u16 result, u16 flags)
3899{
3900 struct l2cap_conf_rsp *rsp = data;
3901 void *ptr = rsp->data;
3902
3903 BT_DBG("chan %p", chan);
3904
3905 rsp->scid = cpu_to_le16(chan->dcid);
3906 rsp->result = cpu_to_le16(result);
3907 rsp->flags = cpu_to_le16(flags);
3908
3909 return ptr - data;
3910}
3911
3912void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3913{
3914 struct l2cap_le_conn_rsp rsp;
3915 struct l2cap_conn *conn = chan->conn;
3916
3917 BT_DBG("chan %p", chan);
3918
3919 rsp.dcid = cpu_to_le16(chan->scid);
3920 rsp.mtu = cpu_to_le16(chan->imtu);
3921 rsp.mps = cpu_to_le16(chan->mps);
3922 rsp.credits = cpu_to_le16(chan->rx_credits);
3923 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3924
3925 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3926 &rsp);
3927}
3928
3929void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3930{
3931 struct {
3932 struct l2cap_ecred_conn_rsp rsp;
3933 __le16 dcid[5];
3934 } __packed pdu;
3935 struct l2cap_conn *conn = chan->conn;
3936 u16 ident = chan->ident;
3937 int i = 0;
3938
3939 if (!ident)
3940 return;
3941
3942 BT_DBG("chan %p ident %d", chan, ident);
3943
3944 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3945 pdu.rsp.mps = cpu_to_le16(chan->mps);
3946 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3947 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3948
3949 mutex_lock(&conn->chan_lock);
3950
3951 list_for_each_entry(chan, &conn->chan_l, list) {
3952 if (chan->ident != ident)
3953 continue;
3954
3955
3956 chan->ident = 0;
3957
3958
3959 pdu.dcid[i++] = cpu_to_le16(chan->scid);
3960 }
3961
3962 mutex_unlock(&conn->chan_lock);
3963
3964 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3965 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3966}
3967
3968void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3969{
3970 struct l2cap_conn_rsp rsp;
3971 struct l2cap_conn *conn = chan->conn;
3972 u8 buf[128];
3973 u8 rsp_code;
3974
3975 rsp.scid = cpu_to_le16(chan->dcid);
3976 rsp.dcid = cpu_to_le16(chan->scid);
3977 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3978 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3979
3980 if (chan->hs_hcon)
3981 rsp_code = L2CAP_CREATE_CHAN_RSP;
3982 else
3983 rsp_code = L2CAP_CONN_RSP;
3984
3985 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3986
3987 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3988
3989 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3990 return;
3991
3992 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3993 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3994 chan->num_conf_req++;
3995}
3996
3997static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3998{
3999 int type, olen;
4000 unsigned long val;
4001
4002
4003
4004 u16 txwin_ext = chan->ack_win;
4005 struct l2cap_conf_rfc rfc = {
4006 .mode = chan->mode,
4007 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
4008 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
4009 .max_pdu_size = cpu_to_le16(chan->imtu),
4010 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
4011 };
4012
4013 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
4014
4015 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
4016 return;
4017
4018 while (len >= L2CAP_CONF_OPT_SIZE) {
4019 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
4020 if (len < 0)
4021 break;
4022
4023 switch (type) {
4024 case L2CAP_CONF_RFC:
4025 if (olen != sizeof(rfc))
4026 break;
4027 memcpy(&rfc, (void *)val, olen);
4028 break;
4029 case L2CAP_CONF_EWS:
4030 if (olen != 2)
4031 break;
4032 txwin_ext = val;
4033 break;
4034 }
4035 }
4036
4037 switch (rfc.mode) {
4038 case L2CAP_MODE_ERTM:
4039 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
4040 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
4041 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4042 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4043 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
4044 else
4045 chan->ack_win = min_t(u16, chan->ack_win,
4046 rfc.txwin_size);
4047 break;
4048 case L2CAP_MODE_STREAMING:
4049 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4050 }
4051}
4052
4053static inline int l2cap_command_rej(struct l2cap_conn *conn,
4054 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4055 u8 *data)
4056{
4057 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4058
4059 if (cmd_len < sizeof(*rej))
4060 return -EPROTO;
4061
4062 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4063 return 0;
4064
4065 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
4066 cmd->ident == conn->info_ident) {
4067 cancel_delayed_work(&conn->info_timer);
4068
4069 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4070 conn->info_ident = 0;
4071
4072 l2cap_conn_start(conn);
4073 }
4074
4075 return 0;
4076}
4077
4078static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
4079 struct l2cap_cmd_hdr *cmd,
4080 u8 *data, u8 rsp_code, u8 amp_id)
4081{
4082 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
4083 struct l2cap_conn_rsp rsp;
4084 struct l2cap_chan *chan = NULL, *pchan;
4085 int result, status = L2CAP_CS_NO_INFO;
4086
4087 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
4088 __le16 psm = req->psm;
4089
4090 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
4091
4092
4093 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4094 &conn->hcon->dst, ACL_LINK);
4095 if (!pchan) {
4096 result = L2CAP_CR_BAD_PSM;
4097 goto sendresp;
4098 }
4099
4100 mutex_lock(&conn->chan_lock);
4101 l2cap_chan_lock(pchan);
4102
4103
4104 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
4105 !hci_conn_check_link_mode(conn->hcon)) {
4106 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
4107 result = L2CAP_CR_SEC_BLOCK;
4108 goto response;
4109 }
4110
4111 result = L2CAP_CR_NO_MEM;
4112
4113
4114 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4115 result = L2CAP_CR_INVALID_SCID;
4116 goto response;
4117 }
4118
4119
4120 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4121 result = L2CAP_CR_SCID_IN_USE;
4122 goto response;
4123 }
4124
4125 chan = pchan->ops->new_connection(pchan);
4126 if (!chan)
4127 goto response;
4128
4129
4130
4131
4132
4133
4134 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4135
4136 bacpy(&chan->src, &conn->hcon->src);
4137 bacpy(&chan->dst, &conn->hcon->dst);
4138 chan->src_type = bdaddr_src_type(conn->hcon);
4139 chan->dst_type = bdaddr_dst_type(conn->hcon);
4140 chan->psm = psm;
4141 chan->dcid = scid;
4142 chan->local_amp_id = amp_id;
4143
4144 __l2cap_chan_add(conn, chan);
4145
4146 dcid = chan->scid;
4147
4148 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4149
4150 chan->ident = cmd->ident;
4151
4152 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4153 if (l2cap_chan_check_security(chan, false)) {
4154 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4155 l2cap_state_change(chan, BT_CONNECT2);
4156 result = L2CAP_CR_PEND;
4157 status = L2CAP_CS_AUTHOR_PEND;
4158 chan->ops->defer(chan);
4159 } else {
4160
4161
4162
4163
4164 if (amp_id == AMP_ID_BREDR) {
4165 l2cap_state_change(chan, BT_CONFIG);
4166 result = L2CAP_CR_SUCCESS;
4167 } else {
4168 l2cap_state_change(chan, BT_CONNECT2);
4169 result = L2CAP_CR_PEND;
4170 }
4171 status = L2CAP_CS_NO_INFO;
4172 }
4173 } else {
4174 l2cap_state_change(chan, BT_CONNECT2);
4175 result = L2CAP_CR_PEND;
4176 status = L2CAP_CS_AUTHEN_PEND;
4177 }
4178 } else {
4179 l2cap_state_change(chan, BT_CONNECT2);
4180 result = L2CAP_CR_PEND;
4181 status = L2CAP_CS_NO_INFO;
4182 }
4183
4184response:
4185 l2cap_chan_unlock(pchan);
4186 mutex_unlock(&conn->chan_lock);
4187 l2cap_chan_put(pchan);
4188
4189sendresp:
4190 rsp.scid = cpu_to_le16(scid);
4191 rsp.dcid = cpu_to_le16(dcid);
4192 rsp.result = cpu_to_le16(result);
4193 rsp.status = cpu_to_le16(status);
4194 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4195
4196 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4197 struct l2cap_info_req info;
4198 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4199
4200 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4201 conn->info_ident = l2cap_get_ident(conn);
4202
4203 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4204
4205 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4206 sizeof(info), &info);
4207 }
4208
4209 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4210 result == L2CAP_CR_SUCCESS) {
4211 u8 buf[128];
4212 set_bit(CONF_REQ_SENT, &chan->conf_state);
4213 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4214 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4215 chan->num_conf_req++;
4216 }
4217
4218 return chan;
4219}
4220
4221static int l2cap_connect_req(struct l2cap_conn *conn,
4222 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4223{
4224 struct hci_dev *hdev = conn->hcon->hdev;
4225 struct hci_conn *hcon = conn->hcon;
4226
4227 if (cmd_len < sizeof(struct l2cap_conn_req))
4228 return -EPROTO;
4229
4230 hci_dev_lock(hdev);
4231 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4232 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4233 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
4234 hci_dev_unlock(hdev);
4235
4236 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4237 return 0;
4238}
4239
4240static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4241 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4242 u8 *data)
4243{
4244 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4245 u16 scid, dcid, result, status;
4246 struct l2cap_chan *chan;
4247 u8 req[128];
4248 int err;
4249
4250 if (cmd_len < sizeof(*rsp))
4251 return -EPROTO;
4252
4253 scid = __le16_to_cpu(rsp->scid);
4254 dcid = __le16_to_cpu(rsp->dcid);
4255 result = __le16_to_cpu(rsp->result);
4256 status = __le16_to_cpu(rsp->status);
4257
4258 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4259 dcid, scid, result, status);
4260
4261 mutex_lock(&conn->chan_lock);
4262
4263 if (scid) {
4264 chan = __l2cap_get_chan_by_scid(conn, scid);
4265 if (!chan) {
4266 err = -EBADSLT;
4267 goto unlock;
4268 }
4269 } else {
4270 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4271 if (!chan) {
4272 err = -EBADSLT;
4273 goto unlock;
4274 }
4275 }
4276
4277 err = 0;
4278
4279 l2cap_chan_lock(chan);
4280
4281 switch (result) {
4282 case L2CAP_CR_SUCCESS:
4283 l2cap_state_change(chan, BT_CONFIG);
4284 chan->ident = 0;
4285 chan->dcid = dcid;
4286 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4287
4288 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4289 break;
4290
4291 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4292 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4293 chan->num_conf_req++;
4294 break;
4295
4296 case L2CAP_CR_PEND:
4297 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4298 break;
4299
4300 default:
4301 l2cap_chan_del(chan, ECONNREFUSED);
4302 break;
4303 }
4304
4305 l2cap_chan_unlock(chan);
4306
4307unlock:
4308 mutex_unlock(&conn->chan_lock);
4309
4310 return err;
4311}
4312
4313static inline void set_default_fcs(struct l2cap_chan *chan)
4314{
4315
4316
4317
4318 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4319 chan->fcs = L2CAP_FCS_NONE;
4320 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4321 chan->fcs = L2CAP_FCS_CRC16;
4322}
4323
4324static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4325 u8 ident, u16 flags)
4326{
4327 struct l2cap_conn *conn = chan->conn;
4328
4329 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4330 flags);
4331
4332 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4333 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4334
4335 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4336 l2cap_build_conf_rsp(chan, data,
4337 L2CAP_CONF_SUCCESS, flags), data);
4338}
4339
4340static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4341 u16 scid, u16 dcid)
4342{
4343 struct l2cap_cmd_rej_cid rej;
4344
4345 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4346 rej.scid = __cpu_to_le16(scid);
4347 rej.dcid = __cpu_to_le16(dcid);
4348
4349 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4350}
4351
4352static inline int l2cap_config_req(struct l2cap_conn *conn,
4353 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4354 u8 *data)
4355{
4356 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4357 u16 dcid, flags;
4358 u8 rsp[64];
4359 struct l2cap_chan *chan;
4360 int len, err = 0;
4361
4362 if (cmd_len < sizeof(*req))
4363 return -EPROTO;
4364
4365 dcid = __le16_to_cpu(req->dcid);
4366 flags = __le16_to_cpu(req->flags);
4367
4368 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4369
4370 chan = l2cap_get_chan_by_scid(conn, dcid);
4371 if (!chan) {
4372 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4373 return 0;
4374 }
4375
4376 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4377 chan->state != BT_CONNECTED) {
4378 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4379 chan->dcid);
4380 goto unlock;
4381 }
4382
4383
4384 len = cmd_len - sizeof(*req);
4385 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4386 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4387 l2cap_build_conf_rsp(chan, rsp,
4388 L2CAP_CONF_REJECT, flags), rsp);
4389 goto unlock;
4390 }
4391
4392
4393 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4394 chan->conf_len += len;
4395
4396 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4397
4398 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4399 l2cap_build_conf_rsp(chan, rsp,
4400 L2CAP_CONF_SUCCESS, flags), rsp);
4401 goto unlock;
4402 }
4403
4404
4405 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4406 if (len < 0) {
4407 l2cap_send_disconn_req(chan, ECONNRESET);
4408 goto unlock;
4409 }
4410
4411 chan->ident = cmd->ident;
4412 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4413 chan->num_conf_rsp++;
4414
4415
4416 chan->conf_len = 0;
4417
4418 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4419 goto unlock;
4420
4421 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4422 set_default_fcs(chan);
4423
4424 if (chan->mode == L2CAP_MODE_ERTM ||
4425 chan->mode == L2CAP_MODE_STREAMING)
4426 err = l2cap_ertm_init(chan);
4427
4428 if (err < 0)
4429 l2cap_send_disconn_req(chan, -err);
4430 else
4431 l2cap_chan_ready(chan);
4432
4433 goto unlock;
4434 }
4435
4436 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4437 u8 buf[64];
4438 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4439 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4440 chan->num_conf_req++;
4441 }
4442
4443
4444
4445 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4446 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4447
4448
4449
4450
4451 if (!chan->hs_hcon)
4452 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4453 else
4454 chan->ident = cmd->ident;
4455 }
4456
4457unlock:
4458 l2cap_chan_unlock(chan);
4459 return err;
4460}
4461
4462static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4463 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4464 u8 *data)
4465{
4466 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4467 u16 scid, flags, result;
4468 struct l2cap_chan *chan;
4469 int len = cmd_len - sizeof(*rsp);
4470 int err = 0;
4471
4472 if (cmd_len < sizeof(*rsp))
4473 return -EPROTO;
4474
4475 scid = __le16_to_cpu(rsp->scid);
4476 flags = __le16_to_cpu(rsp->flags);
4477 result = __le16_to_cpu(rsp->result);
4478
4479 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4480 result, len);
4481
4482 chan = l2cap_get_chan_by_scid(conn, scid);
4483 if (!chan)
4484 return 0;
4485
4486 switch (result) {
4487 case L2CAP_CONF_SUCCESS:
4488 l2cap_conf_rfc_get(chan, rsp->data, len);
4489 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4490 break;
4491
4492 case L2CAP_CONF_PENDING:
4493 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4494
4495 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4496 char buf[64];
4497
4498 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4499 buf, sizeof(buf), &result);
4500 if (len < 0) {
4501 l2cap_send_disconn_req(chan, ECONNRESET);
4502 goto done;
4503 }
4504
4505 if (!chan->hs_hcon) {
4506 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4507 0);
4508 } else {
4509 if (l2cap_check_efs(chan)) {
4510 amp_create_logical_link(chan);
4511 chan->ident = cmd->ident;
4512 }
4513 }
4514 }
4515 goto done;
4516
4517 case L2CAP_CONF_UNACCEPT:
4518 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4519 char req[64];
4520
4521 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4522 l2cap_send_disconn_req(chan, ECONNRESET);
4523 goto done;
4524 }
4525
4526
4527 result = L2CAP_CONF_SUCCESS;
4528 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4529 req, sizeof(req), &result);
4530 if (len < 0) {
4531 l2cap_send_disconn_req(chan, ECONNRESET);
4532 goto done;
4533 }
4534
4535 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4536 L2CAP_CONF_REQ, len, req);
4537 chan->num_conf_req++;
4538 if (result != L2CAP_CONF_SUCCESS)
4539 goto done;
4540 break;
4541 }
4542
4543
4544 default:
4545 l2cap_chan_set_err(chan, ECONNRESET);
4546
4547 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4548 l2cap_send_disconn_req(chan, ECONNRESET);
4549 goto done;
4550 }
4551
4552 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4553 goto done;
4554
4555 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4556
4557 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4558 set_default_fcs(chan);
4559
4560 if (chan->mode == L2CAP_MODE_ERTM ||
4561 chan->mode == L2CAP_MODE_STREAMING)
4562 err = l2cap_ertm_init(chan);
4563
4564 if (err < 0)
4565 l2cap_send_disconn_req(chan, -err);
4566 else
4567 l2cap_chan_ready(chan);
4568 }
4569
4570done:
4571 l2cap_chan_unlock(chan);
4572 return err;
4573}
4574
4575static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4576 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4577 u8 *data)
4578{
4579 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4580 struct l2cap_disconn_rsp rsp;
4581 u16 dcid, scid;
4582 struct l2cap_chan *chan;
4583
4584 if (cmd_len != sizeof(*req))
4585 return -EPROTO;
4586
4587 scid = __le16_to_cpu(req->scid);
4588 dcid = __le16_to_cpu(req->dcid);
4589
4590 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4591
4592 mutex_lock(&conn->chan_lock);
4593
4594 chan = __l2cap_get_chan_by_scid(conn, dcid);
4595 if (!chan) {
4596 mutex_unlock(&conn->chan_lock);
4597 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4598 return 0;
4599 }
4600
4601 l2cap_chan_hold(chan);
4602 l2cap_chan_lock(chan);
4603
4604 rsp.dcid = cpu_to_le16(chan->scid);
4605 rsp.scid = cpu_to_le16(chan->dcid);
4606 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4607
4608 chan->ops->set_shutdown(chan);
4609
4610 l2cap_chan_del(chan, ECONNRESET);
4611
4612 chan->ops->close(chan);
4613
4614 l2cap_chan_unlock(chan);
4615 l2cap_chan_put(chan);
4616
4617 mutex_unlock(&conn->chan_lock);
4618
4619 return 0;
4620}
4621
4622static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4623 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4624 u8 *data)
4625{
4626 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4627 u16 dcid, scid;
4628 struct l2cap_chan *chan;
4629
4630 if (cmd_len != sizeof(*rsp))
4631 return -EPROTO;
4632
4633 scid = __le16_to_cpu(rsp->scid);
4634 dcid = __le16_to_cpu(rsp->dcid);
4635
4636 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4637
4638 mutex_lock(&conn->chan_lock);
4639
4640 chan = __l2cap_get_chan_by_scid(conn, scid);
4641 if (!chan) {
4642 mutex_unlock(&conn->chan_lock);
4643 return 0;
4644 }
4645
4646 l2cap_chan_hold(chan);
4647 l2cap_chan_lock(chan);
4648
4649 if (chan->state != BT_DISCONN) {
4650 l2cap_chan_unlock(chan);
4651 l2cap_chan_put(chan);
4652 mutex_unlock(&conn->chan_lock);
4653 return 0;
4654 }
4655
4656 l2cap_chan_del(chan, 0);
4657
4658 chan->ops->close(chan);
4659
4660 l2cap_chan_unlock(chan);
4661 l2cap_chan_put(chan);
4662
4663 mutex_unlock(&conn->chan_lock);
4664
4665 return 0;
4666}
4667
4668static inline int l2cap_information_req(struct l2cap_conn *conn,
4669 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4670 u8 *data)
4671{
4672 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4673 u16 type;
4674
4675 if (cmd_len != sizeof(*req))
4676 return -EPROTO;
4677
4678 type = __le16_to_cpu(req->type);
4679
4680 BT_DBG("type 0x%4.4x", type);
4681
4682 if (type == L2CAP_IT_FEAT_MASK) {
4683 u8 buf[8];
4684 u32 feat_mask = l2cap_feat_mask;
4685 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4686 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4687 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4688 if (!disable_ertm)
4689 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4690 | L2CAP_FEAT_FCS;
4691 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4692 feat_mask |= L2CAP_FEAT_EXT_FLOW
4693 | L2CAP_FEAT_EXT_WINDOW;
4694
4695 put_unaligned_le32(feat_mask, rsp->data);
4696 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4697 buf);
4698 } else if (type == L2CAP_IT_FIXED_CHAN) {
4699 u8 buf[12];
4700 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4701
4702 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4703 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4704 rsp->data[0] = conn->local_fixed_chan;
4705 memset(rsp->data + 1, 0, 7);
4706 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4707 buf);
4708 } else {
4709 struct l2cap_info_rsp rsp;
4710 rsp.type = cpu_to_le16(type);
4711 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4712 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4713 &rsp);
4714 }
4715
4716 return 0;
4717}
4718
4719static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4720 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4721 u8 *data)
4722{
4723 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4724 u16 type, result;
4725
4726 if (cmd_len < sizeof(*rsp))
4727 return -EPROTO;
4728
4729 type = __le16_to_cpu(rsp->type);
4730 result = __le16_to_cpu(rsp->result);
4731
4732 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4733
4734
4735 if (cmd->ident != conn->info_ident ||
4736 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4737 return 0;
4738
4739 cancel_delayed_work(&conn->info_timer);
4740
4741 if (result != L2CAP_IR_SUCCESS) {
4742 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4743 conn->info_ident = 0;
4744
4745 l2cap_conn_start(conn);
4746
4747 return 0;
4748 }
4749
4750 switch (type) {
4751 case L2CAP_IT_FEAT_MASK:
4752 conn->feat_mask = get_unaligned_le32(rsp->data);
4753
4754 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4755 struct l2cap_info_req req;
4756 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4757
4758 conn->info_ident = l2cap_get_ident(conn);
4759
4760 l2cap_send_cmd(conn, conn->info_ident,
4761 L2CAP_INFO_REQ, sizeof(req), &req);
4762 } else {
4763 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4764 conn->info_ident = 0;
4765
4766 l2cap_conn_start(conn);
4767 }
4768 break;
4769
4770 case L2CAP_IT_FIXED_CHAN:
4771 conn->remote_fixed_chan = rsp->data[0];
4772 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4773 conn->info_ident = 0;
4774
4775 l2cap_conn_start(conn);
4776 break;
4777 }
4778
4779 return 0;
4780}
4781
4782static int l2cap_create_channel_req(struct l2cap_conn *conn,
4783 struct l2cap_cmd_hdr *cmd,
4784 u16 cmd_len, void *data)
4785{
4786 struct l2cap_create_chan_req *req = data;
4787 struct l2cap_create_chan_rsp rsp;
4788 struct l2cap_chan *chan;
4789 struct hci_dev *hdev;
4790 u16 psm, scid;
4791
4792 if (cmd_len != sizeof(*req))
4793 return -EPROTO;
4794
4795 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4796 return -EINVAL;
4797
4798 psm = le16_to_cpu(req->psm);
4799 scid = le16_to_cpu(req->scid);
4800
4801 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4802
4803
4804 if (req->amp_id == AMP_ID_BREDR) {
4805 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4806 req->amp_id);
4807 return 0;
4808 }
4809
4810
4811 hdev = hci_dev_get(req->amp_id);
4812 if (!hdev)
4813 goto error;
4814
4815 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4816 hci_dev_put(hdev);
4817 goto error;
4818 }
4819
4820 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4821 req->amp_id);
4822 if (chan) {
4823 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4824 struct hci_conn *hs_hcon;
4825
4826 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4827 &conn->hcon->dst);
4828 if (!hs_hcon) {
4829 hci_dev_put(hdev);
4830 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4831 chan->dcid);
4832 return 0;
4833 }
4834
4835 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4836
4837 mgr->bredr_chan = chan;
4838 chan->hs_hcon = hs_hcon;
4839 chan->fcs = L2CAP_FCS_NONE;
4840 conn->mtu = hdev->block_mtu;
4841 }
4842
4843 hci_dev_put(hdev);
4844
4845 return 0;
4846
4847error:
4848 rsp.dcid = 0;
4849 rsp.scid = cpu_to_le16(scid);
4850 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4851 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4852
4853 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4854 sizeof(rsp), &rsp);
4855
4856 return 0;
4857}
4858
4859static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4860{
4861 struct l2cap_move_chan_req req;
4862 u8 ident;
4863
4864 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4865
4866 ident = l2cap_get_ident(chan->conn);
4867 chan->ident = ident;
4868
4869 req.icid = cpu_to_le16(chan->scid);
4870 req.dest_amp_id = dest_amp_id;
4871
4872 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4873 &req);
4874
4875 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4876}
4877
4878static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4879{
4880 struct l2cap_move_chan_rsp rsp;
4881
4882 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4883
4884 rsp.icid = cpu_to_le16(chan->dcid);
4885 rsp.result = cpu_to_le16(result);
4886
4887 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4888 sizeof(rsp), &rsp);
4889}
4890
4891static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4892{
4893 struct l2cap_move_chan_cfm cfm;
4894
4895 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4896
4897 chan->ident = l2cap_get_ident(chan->conn);
4898
4899 cfm.icid = cpu_to_le16(chan->scid);
4900 cfm.result = cpu_to_le16(result);
4901
4902 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4903 sizeof(cfm), &cfm);
4904
4905 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4906}
4907
4908static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4909{
4910 struct l2cap_move_chan_cfm cfm;
4911
4912 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4913
4914 cfm.icid = cpu_to_le16(icid);
4915 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4916
4917 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4918 sizeof(cfm), &cfm);
4919}
4920
4921static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4922 u16 icid)
4923{
4924 struct l2cap_move_chan_cfm_rsp rsp;
4925
4926 BT_DBG("icid 0x%4.4x", icid);
4927
4928 rsp.icid = cpu_to_le16(icid);
4929 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4930}
4931
4932static void __release_logical_link(struct l2cap_chan *chan)
4933{
4934 chan->hs_hchan = NULL;
4935 chan->hs_hcon = NULL;
4936
4937
4938}
4939
4940static void l2cap_logical_fail(struct l2cap_chan *chan)
4941{
4942
4943 if (chan->state != BT_CONNECTED) {
4944
4945 l2cap_send_disconn_req(chan, ECONNRESET);
4946 return;
4947 }
4948
4949 switch (chan->move_role) {
4950 case L2CAP_MOVE_ROLE_RESPONDER:
4951 l2cap_move_done(chan);
4952 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4953 break;
4954 case L2CAP_MOVE_ROLE_INITIATOR:
4955 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4956 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4957
4958
4959
4960 l2cap_move_done(chan);
4961 }
4962
4963
4964
4965
4966 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4967 break;
4968 }
4969}
4970
4971static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4972 struct hci_chan *hchan)
4973{
4974 struct l2cap_conf_rsp rsp;
4975
4976 chan->hs_hchan = hchan;
4977 chan->hs_hcon->l2cap_data = chan->conn;
4978
4979 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4980
4981 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4982 int err;
4983
4984 set_default_fcs(chan);
4985
4986 err = l2cap_ertm_init(chan);
4987 if (err < 0)
4988 l2cap_send_disconn_req(chan, -err);
4989 else
4990 l2cap_chan_ready(chan);
4991 }
4992}
4993
4994static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4995 struct hci_chan *hchan)
4996{
4997 chan->hs_hcon = hchan->conn;
4998 chan->hs_hcon->l2cap_data = chan->conn;
4999
5000 BT_DBG("move_state %d", chan->move_state);
5001
5002 switch (chan->move_state) {
5003 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5004
5005
5006
5007 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5008 break;
5009 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
5010 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5011 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5012 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5013 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5014 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5015 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5016 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5017 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5018 }
5019 break;
5020 default:
5021
5022 __release_logical_link(chan);
5023
5024 chan->move_state = L2CAP_MOVE_STABLE;
5025 }
5026}
5027
5028
5029void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
5030 u8 status)
5031{
5032 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
5033
5034 if (status) {
5035 l2cap_logical_fail(chan);
5036 __release_logical_link(chan);
5037 return;
5038 }
5039
5040 if (chan->state != BT_CONNECTED) {
5041
5042 if (chan->local_amp_id != AMP_ID_BREDR)
5043 l2cap_logical_finish_create(chan, hchan);
5044 } else {
5045 l2cap_logical_finish_move(chan, hchan);
5046 }
5047}
5048
5049void l2cap_move_start(struct l2cap_chan *chan)
5050{
5051 BT_DBG("chan %p", chan);
5052
5053 if (chan->local_amp_id == AMP_ID_BREDR) {
5054 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
5055 return;
5056 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5057 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5058
5059 } else {
5060 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5061 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5062 chan->move_id = 0;
5063 l2cap_move_setup(chan);
5064 l2cap_send_move_chan_req(chan, 0);
5065 }
5066}
5067
5068static void l2cap_do_create(struct l2cap_chan *chan, int result,
5069 u8 local_amp_id, u8 remote_amp_id)
5070{
5071 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
5072 local_amp_id, remote_amp_id);
5073
5074 chan->fcs = L2CAP_FCS_NONE;
5075
5076
5077 if (chan->state == BT_CONNECT) {
5078 if (result == L2CAP_CR_SUCCESS) {
5079 chan->local_amp_id = local_amp_id;
5080 l2cap_send_create_chan_req(chan, remote_amp_id);
5081 } else {
5082
5083 l2cap_send_conn_req(chan);
5084 }
5085
5086 return;
5087 }
5088
5089
5090 if (__l2cap_no_conn_pending(chan)) {
5091 struct l2cap_conn_rsp rsp;
5092 char buf[128];
5093 rsp.scid = cpu_to_le16(chan->dcid);
5094 rsp.dcid = cpu_to_le16(chan->scid);
5095
5096 if (result == L2CAP_CR_SUCCESS) {
5097
5098 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
5099 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5100 } else {
5101
5102 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
5103 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5104 }
5105
5106 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
5107 sizeof(rsp), &rsp);
5108
5109 if (result == L2CAP_CR_SUCCESS) {
5110 l2cap_state_change(chan, BT_CONFIG);
5111 set_bit(CONF_REQ_SENT, &chan->conf_state);
5112 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
5113 L2CAP_CONF_REQ,
5114 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
5115 chan->num_conf_req++;
5116 }
5117 }
5118}
5119
5120static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
5121 u8 remote_amp_id)
5122{
5123 l2cap_move_setup(chan);
5124 chan->move_id = local_amp_id;
5125 chan->move_state = L2CAP_MOVE_WAIT_RSP;
5126
5127 l2cap_send_move_chan_req(chan, remote_amp_id);
5128}
5129
5130static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
5131{
5132 struct hci_chan *hchan = NULL;
5133
5134
5135
5136 if (hchan) {
5137 if (hchan->state == BT_CONNECTED) {
5138
5139 chan->hs_hcon = hchan->conn;
5140 chan->hs_hcon->l2cap_data = chan->conn;
5141 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5142 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5143
5144 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5145 } else {
5146
5147 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5148 }
5149 } else {
5150
5151 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5152 }
5153}
5154
5155static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5156{
5157 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5158 u8 rsp_result;
5159 if (result == -EINVAL)
5160 rsp_result = L2CAP_MR_BAD_ID;
5161 else
5162 rsp_result = L2CAP_MR_NOT_ALLOWED;
5163
5164 l2cap_send_move_chan_rsp(chan, rsp_result);
5165 }
5166
5167 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5168 chan->move_state = L2CAP_MOVE_STABLE;
5169
5170
5171 l2cap_ertm_send(chan);
5172}
5173
5174
5175void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5176{
5177 u8 local_amp_id = chan->local_amp_id;
5178 u8 remote_amp_id = chan->remote_amp_id;
5179
5180 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5181 chan, result, local_amp_id, remote_amp_id);
5182
5183 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
5184 return;
5185
5186 if (chan->state != BT_CONNECTED) {
5187 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5188 } else if (result != L2CAP_MR_SUCCESS) {
5189 l2cap_do_move_cancel(chan, result);
5190 } else {
5191 switch (chan->move_role) {
5192 case L2CAP_MOVE_ROLE_INITIATOR:
5193 l2cap_do_move_initiate(chan, local_amp_id,
5194 remote_amp_id);
5195 break;
5196 case L2CAP_MOVE_ROLE_RESPONDER:
5197 l2cap_do_move_respond(chan, result);
5198 break;
5199 default:
5200 l2cap_do_move_cancel(chan, result);
5201 break;
5202 }
5203 }
5204}
5205
5206static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5207 struct l2cap_cmd_hdr *cmd,
5208 u16 cmd_len, void *data)
5209{
5210 struct l2cap_move_chan_req *req = data;
5211 struct l2cap_move_chan_rsp rsp;
5212 struct l2cap_chan *chan;
5213 u16 icid = 0;
5214 u16 result = L2CAP_MR_NOT_ALLOWED;
5215
5216 if (cmd_len != sizeof(*req))
5217 return -EPROTO;
5218
5219 icid = le16_to_cpu(req->icid);
5220
5221 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5222
5223 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
5224 return -EINVAL;
5225
5226 chan = l2cap_get_chan_by_dcid(conn, icid);
5227 if (!chan) {
5228 rsp.icid = cpu_to_le16(icid);
5229 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5230 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5231 sizeof(rsp), &rsp);
5232 return 0;
5233 }
5234
5235 chan->ident = cmd->ident;
5236
5237 if (chan->scid < L2CAP_CID_DYN_START ||
5238 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5239 (chan->mode != L2CAP_MODE_ERTM &&
5240 chan->mode != L2CAP_MODE_STREAMING)) {
5241 result = L2CAP_MR_NOT_ALLOWED;
5242 goto send_move_response;
5243 }
5244
5245 if (chan->local_amp_id == req->dest_amp_id) {
5246 result = L2CAP_MR_SAME_ID;
5247 goto send_move_response;
5248 }
5249
5250 if (req->dest_amp_id != AMP_ID_BREDR) {
5251 struct hci_dev *hdev;
5252 hdev = hci_dev_get(req->dest_amp_id);
5253 if (!hdev || hdev->dev_type != HCI_AMP ||
5254 !test_bit(HCI_UP, &hdev->flags)) {
5255 if (hdev)
5256 hci_dev_put(hdev);
5257
5258 result = L2CAP_MR_BAD_ID;
5259 goto send_move_response;
5260 }
5261 hci_dev_put(hdev);
5262 }
5263
5264
5265
5266
5267
5268 if ((__chan_is_moving(chan) ||
5269 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5270 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5271 result = L2CAP_MR_COLLISION;
5272 goto send_move_response;
5273 }
5274
5275 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5276 l2cap_move_setup(chan);
5277 chan->move_id = req->dest_amp_id;
5278
5279 if (req->dest_amp_id == AMP_ID_BREDR) {
5280
5281 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5282 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5283 result = L2CAP_MR_PEND;
5284 } else {
5285 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5286 result = L2CAP_MR_SUCCESS;
5287 }
5288 } else {
5289 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5290
5291
5292 result = L2CAP_MR_PEND;
5293 }
5294
5295send_move_response:
5296 l2cap_send_move_chan_rsp(chan, result);
5297
5298 l2cap_chan_unlock(chan);
5299
5300 return 0;
5301}
5302
5303static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5304{
5305 struct l2cap_chan *chan;
5306 struct hci_chan *hchan = NULL;
5307
5308 chan = l2cap_get_chan_by_scid(conn, icid);
5309 if (!chan) {
5310 l2cap_send_move_chan_cfm_icid(conn, icid);
5311 return;
5312 }
5313
5314 __clear_chan_timer(chan);
5315 if (result == L2CAP_MR_PEND)
5316 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5317
5318 switch (chan->move_state) {
5319 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5320
5321
5322
5323 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5324 break;
5325 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5326 if (result == L2CAP_MR_PEND) {
5327 break;
5328 } else if (test_bit(CONN_LOCAL_BUSY,
5329 &chan->conn_state)) {
5330 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5331 } else {
5332
5333
5334
5335 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5336 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5337 }
5338 break;
5339 case L2CAP_MOVE_WAIT_RSP:
5340
5341 if (result == L2CAP_MR_SUCCESS) {
5342
5343
5344
5345 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5346 } else {
5347
5348
5349
5350 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5351 }
5352
5353
5354 if (!hchan) {
5355
5356 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5357 break;
5358 }
5359
5360
5361
5362
5363 if (hchan->state != BT_CONNECTED)
5364 break;
5365
5366
5367
5368 chan->hs_hcon = hchan->conn;
5369 chan->hs_hcon->l2cap_data = chan->conn;
5370
5371 if (result == L2CAP_MR_SUCCESS) {
5372
5373 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5374 } else {
5375
5376
5377
5378 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5379 }
5380
5381 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5382 break;
5383 default:
5384
5385 chan->move_id = chan->local_amp_id;
5386 l2cap_move_done(chan);
5387 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5388 }
5389
5390 l2cap_chan_unlock(chan);
5391}
5392
5393static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5394 u16 result)
5395{
5396 struct l2cap_chan *chan;
5397
5398 chan = l2cap_get_chan_by_ident(conn, ident);
5399 if (!chan) {
5400
5401 l2cap_send_move_chan_cfm_icid(conn, icid);
5402 return;
5403 }
5404
5405 __clear_chan_timer(chan);
5406
5407 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5408 if (result == L2CAP_MR_COLLISION) {
5409 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5410 } else {
5411
5412 chan->move_id = chan->local_amp_id;
5413 l2cap_move_done(chan);
5414 }
5415 }
5416
5417 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5418
5419 l2cap_chan_unlock(chan);
5420}
5421
5422static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5423 struct l2cap_cmd_hdr *cmd,
5424 u16 cmd_len, void *data)
5425{
5426 struct l2cap_move_chan_rsp *rsp = data;
5427 u16 icid, result;
5428
5429 if (cmd_len != sizeof(*rsp))
5430 return -EPROTO;
5431
5432 icid = le16_to_cpu(rsp->icid);
5433 result = le16_to_cpu(rsp->result);
5434
5435 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5436
5437 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5438 l2cap_move_continue(conn, icid, result);
5439 else
5440 l2cap_move_fail(conn, cmd->ident, icid, result);
5441
5442 return 0;
5443}
5444
5445static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5446 struct l2cap_cmd_hdr *cmd,
5447 u16 cmd_len, void *data)
5448{
5449 struct l2cap_move_chan_cfm *cfm = data;
5450 struct l2cap_chan *chan;
5451 u16 icid, result;
5452
5453 if (cmd_len != sizeof(*cfm))
5454 return -EPROTO;
5455
5456 icid = le16_to_cpu(cfm->icid);
5457 result = le16_to_cpu(cfm->result);
5458
5459 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5460
5461 chan = l2cap_get_chan_by_dcid(conn, icid);
5462 if (!chan) {
5463
5464 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5465 return 0;
5466 }
5467
5468 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5469 if (result == L2CAP_MC_CONFIRMED) {
5470 chan->local_amp_id = chan->move_id;
5471 if (chan->local_amp_id == AMP_ID_BREDR)
5472 __release_logical_link(chan);
5473 } else {
5474 chan->move_id = chan->local_amp_id;
5475 }
5476
5477 l2cap_move_done(chan);
5478 }
5479
5480 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5481
5482 l2cap_chan_unlock(chan);
5483
5484 return 0;
5485}
5486
5487static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5488 struct l2cap_cmd_hdr *cmd,
5489 u16 cmd_len, void *data)
5490{
5491 struct l2cap_move_chan_cfm_rsp *rsp = data;
5492 struct l2cap_chan *chan;
5493 u16 icid;
5494
5495 if (cmd_len != sizeof(*rsp))
5496 return -EPROTO;
5497
5498 icid = le16_to_cpu(rsp->icid);
5499
5500 BT_DBG("icid 0x%4.4x", icid);
5501
5502 chan = l2cap_get_chan_by_scid(conn, icid);
5503 if (!chan)
5504 return 0;
5505
5506 __clear_chan_timer(chan);
5507
5508 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5509 chan->local_amp_id = chan->move_id;
5510
5511 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5512 __release_logical_link(chan);
5513
5514 l2cap_move_done(chan);
5515 }
5516
5517 l2cap_chan_unlock(chan);
5518
5519 return 0;
5520}
5521
5522static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5523 struct l2cap_cmd_hdr *cmd,
5524 u16 cmd_len, u8 *data)
5525{
5526 struct hci_conn *hcon = conn->hcon;
5527 struct l2cap_conn_param_update_req *req;
5528 struct l2cap_conn_param_update_rsp rsp;
5529 u16 min, max, latency, to_multiplier;
5530 int err;
5531
5532 if (hcon->role != HCI_ROLE_MASTER)
5533 return -EINVAL;
5534
5535 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5536 return -EPROTO;
5537
5538 req = (struct l2cap_conn_param_update_req *) data;
5539 min = __le16_to_cpu(req->min);
5540 max = __le16_to_cpu(req->max);
5541 latency = __le16_to_cpu(req->latency);
5542 to_multiplier = __le16_to_cpu(req->to_multiplier);
5543
5544 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5545 min, max, latency, to_multiplier);
5546
5547 memset(&rsp, 0, sizeof(rsp));
5548
5549 err = hci_check_conn_params(min, max, latency, to_multiplier);
5550 if (err)
5551 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5552 else
5553 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5554
5555 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5556 sizeof(rsp), &rsp);
5557
5558 if (!err) {
5559 u8 store_hint;
5560
5561 store_hint = hci_le_conn_update(hcon, min, max, latency,
5562 to_multiplier);
5563 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5564 store_hint, min, max, latency,
5565 to_multiplier);
5566
5567 }
5568
5569 return 0;
5570}
5571
5572static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5573 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5574 u8 *data)
5575{
5576 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5577 struct hci_conn *hcon = conn->hcon;
5578 u16 dcid, mtu, mps, credits, result;
5579 struct l2cap_chan *chan;
5580 int err, sec_level;
5581
5582 if (cmd_len < sizeof(*rsp))
5583 return -EPROTO;
5584
5585 dcid = __le16_to_cpu(rsp->dcid);
5586 mtu = __le16_to_cpu(rsp->mtu);
5587 mps = __le16_to_cpu(rsp->mps);
5588 credits = __le16_to_cpu(rsp->credits);
5589 result = __le16_to_cpu(rsp->result);
5590
5591 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5592 dcid < L2CAP_CID_DYN_START ||
5593 dcid > L2CAP_CID_LE_DYN_END))
5594 return -EPROTO;
5595
5596 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5597 dcid, mtu, mps, credits, result);
5598
5599 mutex_lock(&conn->chan_lock);
5600
5601 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5602 if (!chan) {
5603 err = -EBADSLT;
5604 goto unlock;
5605 }
5606
5607 err = 0;
5608
5609 l2cap_chan_lock(chan);
5610
5611 switch (result) {
5612 case L2CAP_CR_LE_SUCCESS:
5613 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5614 err = -EBADSLT;
5615 break;
5616 }
5617
5618 chan->ident = 0;
5619 chan->dcid = dcid;
5620 chan->omtu = mtu;
5621 chan->remote_mps = mps;
5622 chan->tx_credits = credits;
5623 l2cap_chan_ready(chan);
5624 break;
5625
5626 case L2CAP_CR_LE_AUTHENTICATION:
5627 case L2CAP_CR_LE_ENCRYPTION:
5628
5629
5630
5631 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5632 l2cap_chan_del(chan, ECONNREFUSED);
5633 break;
5634 }
5635
5636 sec_level = hcon->sec_level + 1;
5637 if (chan->sec_level < sec_level)
5638 chan->sec_level = sec_level;
5639
5640
5641 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5642
5643 smp_conn_security(hcon, chan->sec_level);
5644 break;
5645
5646 default:
5647 l2cap_chan_del(chan, ECONNREFUSED);
5648 break;
5649 }
5650
5651 l2cap_chan_unlock(chan);
5652
5653unlock:
5654 mutex_unlock(&conn->chan_lock);
5655
5656 return err;
5657}
5658
5659static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5660 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5661 u8 *data)
5662{
5663 int err = 0;
5664
5665 switch (cmd->code) {
5666 case L2CAP_COMMAND_REJ:
5667 l2cap_command_rej(conn, cmd, cmd_len, data);
5668 break;
5669
5670 case L2CAP_CONN_REQ:
5671 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5672 break;
5673
5674 case L2CAP_CONN_RSP:
5675 case L2CAP_CREATE_CHAN_RSP:
5676 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5677 break;
5678
5679 case L2CAP_CONF_REQ:
5680 err = l2cap_config_req(conn, cmd, cmd_len, data);
5681 break;
5682
5683 case L2CAP_CONF_RSP:
5684 l2cap_config_rsp(conn, cmd, cmd_len, data);
5685 break;
5686
5687 case L2CAP_DISCONN_REQ:
5688 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5689 break;
5690
5691 case L2CAP_DISCONN_RSP:
5692 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5693 break;
5694
5695 case L2CAP_ECHO_REQ:
5696 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5697 break;
5698
5699 case L2CAP_ECHO_RSP:
5700 break;
5701
5702 case L2CAP_INFO_REQ:
5703 err = l2cap_information_req(conn, cmd, cmd_len, data);
5704 break;
5705
5706 case L2CAP_INFO_RSP:
5707 l2cap_information_rsp(conn, cmd, cmd_len, data);
5708 break;
5709
5710 case L2CAP_CREATE_CHAN_REQ:
5711 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5712 break;
5713
5714 case L2CAP_MOVE_CHAN_REQ:
5715 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5716 break;
5717
5718 case L2CAP_MOVE_CHAN_RSP:
5719 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5720 break;
5721
5722 case L2CAP_MOVE_CHAN_CFM:
5723 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5724 break;
5725
5726 case L2CAP_MOVE_CHAN_CFM_RSP:
5727 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5728 break;
5729
5730 default:
5731 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5732 err = -EINVAL;
5733 break;
5734 }
5735
5736 return err;
5737}
5738
5739static int l2cap_le_connect_req(struct l2cap_conn *conn,
5740 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5741 u8 *data)
5742{
5743 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5744 struct l2cap_le_conn_rsp rsp;
5745 struct l2cap_chan *chan, *pchan;
5746 u16 dcid, scid, credits, mtu, mps;
5747 __le16 psm;
5748 u8 result;
5749
5750 if (cmd_len != sizeof(*req))
5751 return -EPROTO;
5752
5753 scid = __le16_to_cpu(req->scid);
5754 mtu = __le16_to_cpu(req->mtu);
5755 mps = __le16_to_cpu(req->mps);
5756 psm = req->psm;
5757 dcid = 0;
5758 credits = 0;
5759
5760 if (mtu < 23 || mps < 23)
5761 return -EPROTO;
5762
5763 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5764 scid, mtu, mps);
5765
5766
5767 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5768 &conn->hcon->dst, LE_LINK);
5769 if (!pchan) {
5770 result = L2CAP_CR_LE_BAD_PSM;
5771 chan = NULL;
5772 goto response;
5773 }
5774
5775 mutex_lock(&conn->chan_lock);
5776 l2cap_chan_lock(pchan);
5777
5778 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5779 SMP_ALLOW_STK)) {
5780 result = L2CAP_CR_LE_AUTHENTICATION;
5781 chan = NULL;
5782 goto response_unlock;
5783 }
5784
5785
5786 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5787 result = L2CAP_CR_LE_INVALID_SCID;
5788 chan = NULL;
5789 goto response_unlock;
5790 }
5791
5792
5793 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5794 result = L2CAP_CR_LE_SCID_IN_USE;
5795 chan = NULL;
5796 goto response_unlock;
5797 }
5798
5799 chan = pchan->ops->new_connection(pchan);
5800 if (!chan) {
5801 result = L2CAP_CR_LE_NO_MEM;
5802 goto response_unlock;
5803 }
5804
5805 bacpy(&chan->src, &conn->hcon->src);
5806 bacpy(&chan->dst, &conn->hcon->dst);
5807 chan->src_type = bdaddr_src_type(conn->hcon);
5808 chan->dst_type = bdaddr_dst_type(conn->hcon);
5809 chan->psm = psm;
5810 chan->dcid = scid;
5811 chan->omtu = mtu;
5812 chan->remote_mps = mps;
5813
5814 __l2cap_chan_add(conn, chan);
5815
5816 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5817
5818 dcid = chan->scid;
5819 credits = chan->rx_credits;
5820
5821 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5822
5823 chan->ident = cmd->ident;
5824
5825 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5826 l2cap_state_change(chan, BT_CONNECT2);
5827
5828
5829
5830
5831
5832 result = L2CAP_CR_PEND;
5833 chan->ops->defer(chan);
5834 } else {
5835 l2cap_chan_ready(chan);
5836 result = L2CAP_CR_LE_SUCCESS;
5837 }
5838
5839response_unlock:
5840 l2cap_chan_unlock(pchan);
5841 mutex_unlock(&conn->chan_lock);
5842 l2cap_chan_put(pchan);
5843
5844 if (result == L2CAP_CR_PEND)
5845 return 0;
5846
5847response:
5848 if (chan) {
5849 rsp.mtu = cpu_to_le16(chan->imtu);
5850 rsp.mps = cpu_to_le16(chan->mps);
5851 } else {
5852 rsp.mtu = 0;
5853 rsp.mps = 0;
5854 }
5855
5856 rsp.dcid = cpu_to_le16(dcid);
5857 rsp.credits = cpu_to_le16(credits);
5858 rsp.result = cpu_to_le16(result);
5859
5860 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5861
5862 return 0;
5863}
5864
5865static inline int l2cap_le_credits(struct l2cap_conn *conn,
5866 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5867 u8 *data)
5868{
5869 struct l2cap_le_credits *pkt;
5870 struct l2cap_chan *chan;
5871 u16 cid, credits, max_credits;
5872
5873 if (cmd_len != sizeof(*pkt))
5874 return -EPROTO;
5875
5876 pkt = (struct l2cap_le_credits *) data;
5877 cid = __le16_to_cpu(pkt->cid);
5878 credits = __le16_to_cpu(pkt->credits);
5879
5880 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5881
5882 chan = l2cap_get_chan_by_dcid(conn, cid);
5883 if (!chan)
5884 return -EBADSLT;
5885
5886 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5887 if (credits > max_credits) {
5888 BT_ERR("LE credits overflow");
5889 l2cap_send_disconn_req(chan, ECONNRESET);
5890 l2cap_chan_unlock(chan);
5891
5892
5893
5894
5895 return 0;
5896 }
5897
5898 chan->tx_credits += credits;
5899
5900
5901 l2cap_le_flowctl_send(chan);
5902
5903 if (chan->tx_credits)
5904 chan->ops->resume(chan);
5905
5906 l2cap_chan_unlock(chan);
5907
5908 return 0;
5909}
5910
5911static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5912 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5913 u8 *data)
5914{
5915 struct l2cap_ecred_conn_req *req = (void *) data;
5916 struct {
5917 struct l2cap_ecred_conn_rsp rsp;
5918 __le16 dcid[5];
5919 } __packed pdu;
5920 struct l2cap_chan *chan, *pchan;
5921 u16 mtu, mps;
5922 __le16 psm;
5923 u8 result, len = 0;
5924 int i, num_scid;
5925 bool defer = false;
5926
5927 if (!enable_ecred)
5928 return -EINVAL;
5929
5930 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5931 result = L2CAP_CR_LE_INVALID_PARAMS;
5932 goto response;
5933 }
5934
5935 mtu = __le16_to_cpu(req->mtu);
5936 mps = __le16_to_cpu(req->mps);
5937
5938 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5939 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5940 goto response;
5941 }
5942
5943 psm = req->psm;
5944
5945 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5946
5947 memset(&pdu, 0, sizeof(pdu));
5948
5949
5950 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5951 &conn->hcon->dst, LE_LINK);
5952 if (!pchan) {
5953 result = L2CAP_CR_LE_BAD_PSM;
5954 goto response;
5955 }
5956
5957 mutex_lock(&conn->chan_lock);
5958 l2cap_chan_lock(pchan);
5959
5960 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5961 SMP_ALLOW_STK)) {
5962 result = L2CAP_CR_LE_AUTHENTICATION;
5963 goto unlock;
5964 }
5965
5966 result = L2CAP_CR_LE_SUCCESS;
5967 cmd_len -= sizeof(*req);
5968 num_scid = cmd_len / sizeof(u16);
5969
5970 for (i = 0; i < num_scid; i++) {
5971 u16 scid = __le16_to_cpu(req->scid[i]);
5972
5973 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5974
5975 pdu.dcid[i] = 0x0000;
5976 len += sizeof(*pdu.dcid);
5977
5978
5979 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5980 result = L2CAP_CR_LE_INVALID_SCID;
5981 continue;
5982 }
5983
5984
5985 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5986 result = L2CAP_CR_LE_SCID_IN_USE;
5987 continue;
5988 }
5989
5990 chan = pchan->ops->new_connection(pchan);
5991 if (!chan) {
5992 result = L2CAP_CR_LE_NO_MEM;
5993 continue;
5994 }
5995
5996 bacpy(&chan->src, &conn->hcon->src);
5997 bacpy(&chan->dst, &conn->hcon->dst);
5998 chan->src_type = bdaddr_src_type(conn->hcon);
5999 chan->dst_type = bdaddr_dst_type(conn->hcon);
6000 chan->psm = psm;
6001 chan->dcid = scid;
6002 chan->omtu = mtu;
6003 chan->remote_mps = mps;
6004
6005 __l2cap_chan_add(conn, chan);
6006
6007 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6008
6009
6010 if (!pdu.rsp.credits) {
6011 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6012 pdu.rsp.mps = cpu_to_le16(chan->mps);
6013 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6014 }
6015
6016 pdu.dcid[i] = cpu_to_le16(chan->scid);
6017
6018 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6019
6020 chan->ident = cmd->ident;
6021
6022 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6023 l2cap_state_change(chan, BT_CONNECT2);
6024 defer = true;
6025 chan->ops->defer(chan);
6026 } else {
6027 l2cap_chan_ready(chan);
6028 }
6029 }
6030
6031unlock:
6032 l2cap_chan_unlock(pchan);
6033 mutex_unlock(&conn->chan_lock);
6034 l2cap_chan_put(pchan);
6035
6036response:
6037 pdu.rsp.result = cpu_to_le16(result);
6038
6039 if (defer)
6040 return 0;
6041
6042 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6043 sizeof(pdu.rsp) + len, &pdu);
6044
6045 return 0;
6046}
6047
6048static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6049 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6050 u8 *data)
6051{
6052 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6053 struct hci_conn *hcon = conn->hcon;
6054 u16 mtu, mps, credits, result;
6055 struct l2cap_chan *chan;
6056 int err = 0, sec_level;
6057 int i = 0;
6058
6059 if (cmd_len < sizeof(*rsp))
6060 return -EPROTO;
6061
6062 mtu = __le16_to_cpu(rsp->mtu);
6063 mps = __le16_to_cpu(rsp->mps);
6064 credits = __le16_to_cpu(rsp->credits);
6065 result = __le16_to_cpu(rsp->result);
6066
6067 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6068 result);
6069
6070 mutex_lock(&conn->chan_lock);
6071
6072 cmd_len -= sizeof(*rsp);
6073
6074 list_for_each_entry(chan, &conn->chan_l, list) {
6075 u16 dcid;
6076
6077 if (chan->ident != cmd->ident ||
6078 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6079 chan->state == BT_CONNECTED)
6080 continue;
6081
6082 l2cap_chan_lock(chan);
6083
6084
6085 if (cmd_len < sizeof(dcid)) {
6086 l2cap_chan_del(chan, ECONNREFUSED);
6087 l2cap_chan_unlock(chan);
6088 continue;
6089 }
6090
6091 dcid = __le16_to_cpu(rsp->dcid[i++]);
6092 cmd_len -= sizeof(u16);
6093
6094 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6095
6096
6097 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6098
6099
6100
6101
6102
6103
6104 l2cap_chan_del(chan, ECONNREFUSED);
6105 l2cap_chan_unlock(chan);
6106 chan = __l2cap_get_chan_by_dcid(conn, dcid);
6107 l2cap_chan_lock(chan);
6108 l2cap_chan_del(chan, ECONNRESET);
6109 l2cap_chan_unlock(chan);
6110 continue;
6111 }
6112
6113 switch (result) {
6114 case L2CAP_CR_LE_AUTHENTICATION:
6115 case L2CAP_CR_LE_ENCRYPTION:
6116
6117
6118
6119 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6120 l2cap_chan_del(chan, ECONNREFUSED);
6121 break;
6122 }
6123
6124 sec_level = hcon->sec_level + 1;
6125 if (chan->sec_level < sec_level)
6126 chan->sec_level = sec_level;
6127
6128
6129 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6130
6131 smp_conn_security(hcon, chan->sec_level);
6132 break;
6133
6134 case L2CAP_CR_LE_BAD_PSM:
6135 l2cap_chan_del(chan, ECONNREFUSED);
6136 break;
6137
6138 default:
6139
6140 if (!dcid) {
6141 l2cap_chan_del(chan, ECONNREFUSED);
6142 break;
6143 }
6144
6145 chan->ident = 0;
6146 chan->dcid = dcid;
6147 chan->omtu = mtu;
6148 chan->remote_mps = mps;
6149 chan->tx_credits = credits;
6150 l2cap_chan_ready(chan);
6151 break;
6152 }
6153
6154 l2cap_chan_unlock(chan);
6155 }
6156
6157 mutex_unlock(&conn->chan_lock);
6158
6159 return err;
6160}
6161
6162static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6163 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6164 u8 *data)
6165{
6166 struct l2cap_ecred_reconf_req *req = (void *) data;
6167 struct l2cap_ecred_reconf_rsp rsp;
6168 u16 mtu, mps, result;
6169 struct l2cap_chan *chan;
6170 int i, num_scid;
6171
6172 if (!enable_ecred)
6173 return -EINVAL;
6174
6175 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6176 result = L2CAP_CR_LE_INVALID_PARAMS;
6177 goto respond;
6178 }
6179
6180 mtu = __le16_to_cpu(req->mtu);
6181 mps = __le16_to_cpu(req->mps);
6182
6183 BT_DBG("mtu %u mps %u", mtu, mps);
6184
6185 if (mtu < L2CAP_ECRED_MIN_MTU) {
6186 result = L2CAP_RECONF_INVALID_MTU;
6187 goto respond;
6188 }
6189
6190 if (mps < L2CAP_ECRED_MIN_MPS) {
6191 result = L2CAP_RECONF_INVALID_MPS;
6192 goto respond;
6193 }
6194
6195 cmd_len -= sizeof(*req);
6196 num_scid = cmd_len / sizeof(u16);
6197 result = L2CAP_RECONF_SUCCESS;
6198
6199 for (i = 0; i < num_scid; i++) {
6200 u16 scid;
6201
6202 scid = __le16_to_cpu(req->scid[i]);
6203 if (!scid)
6204 return -EPROTO;
6205
6206 chan = __l2cap_get_chan_by_dcid(conn, scid);
6207 if (!chan)
6208 continue;
6209
6210
6211
6212
6213
6214 if (chan->omtu > mtu) {
6215 BT_ERR("chan %p decreased MTU %u -> %u", chan,
6216 chan->omtu, mtu);
6217 result = L2CAP_RECONF_INVALID_MTU;
6218 }
6219
6220 chan->omtu = mtu;
6221 chan->remote_mps = mps;
6222 }
6223
6224respond:
6225 rsp.result = cpu_to_le16(result);
6226
6227 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6228 &rsp);
6229
6230 return 0;
6231}
6232
6233static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6234 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6235 u8 *data)
6236{
6237 struct l2cap_chan *chan;
6238 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6239 u16 result;
6240
6241 if (cmd_len < sizeof(*rsp))
6242 return -EPROTO;
6243
6244 result = __le16_to_cpu(rsp->result);
6245
6246 BT_DBG("result 0x%4.4x", rsp->result);
6247
6248 if (!result)
6249 return 0;
6250
6251 list_for_each_entry(chan, &conn->chan_l, list) {
6252 if (chan->ident != cmd->ident)
6253 continue;
6254
6255 l2cap_chan_del(chan, ECONNRESET);
6256 }
6257
6258 return 0;
6259}
6260
6261static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
6262 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6263 u8 *data)
6264{
6265 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
6266 struct l2cap_chan *chan;
6267
6268 if (cmd_len < sizeof(*rej))
6269 return -EPROTO;
6270
6271 mutex_lock(&conn->chan_lock);
6272
6273 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
6274 if (!chan)
6275 goto done;
6276
6277 l2cap_chan_lock(chan);
6278 l2cap_chan_del(chan, ECONNREFUSED);
6279 l2cap_chan_unlock(chan);
6280
6281done:
6282 mutex_unlock(&conn->chan_lock);
6283 return 0;
6284}
6285
6286static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
6287 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6288 u8 *data)
6289{
6290 int err = 0;
6291
6292 switch (cmd->code) {
6293 case L2CAP_COMMAND_REJ:
6294 l2cap_le_command_rej(conn, cmd, cmd_len, data);
6295 break;
6296
6297 case L2CAP_CONN_PARAM_UPDATE_REQ:
6298 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
6299 break;
6300
6301 case L2CAP_CONN_PARAM_UPDATE_RSP:
6302 break;
6303
6304 case L2CAP_LE_CONN_RSP:
6305 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
6306 break;
6307
6308 case L2CAP_LE_CONN_REQ:
6309 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
6310 break;
6311
6312 case L2CAP_LE_CREDITS:
6313 err = l2cap_le_credits(conn, cmd, cmd_len, data);
6314 break;
6315
6316 case L2CAP_ECRED_CONN_REQ:
6317 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6318 break;
6319
6320 case L2CAP_ECRED_CONN_RSP:
6321 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6322 break;
6323
6324 case L2CAP_ECRED_RECONF_REQ:
6325 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6326 break;
6327
6328 case L2CAP_ECRED_RECONF_RSP:
6329 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
6330 break;
6331
6332 case L2CAP_DISCONN_REQ:
6333 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
6334 break;
6335
6336 case L2CAP_DISCONN_RSP:
6337 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
6338 break;
6339
6340 default:
6341 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
6342 err = -EINVAL;
6343 break;
6344 }
6345
6346 return err;
6347}
6348
6349static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
6350 struct sk_buff *skb)
6351{
6352 struct hci_conn *hcon = conn->hcon;
6353 struct l2cap_cmd_hdr *cmd;
6354 u16 len;
6355 int err;
6356
6357 if (hcon->type != LE_LINK)
6358 goto drop;
6359
6360 if (skb->len < L2CAP_CMD_HDR_SIZE)
6361 goto drop;
6362
6363 cmd = (void *) skb->data;
6364 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6365
6366 len = le16_to_cpu(cmd->len);
6367
6368 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
6369
6370 if (len != skb->len || !cmd->ident) {
6371 BT_DBG("corrupted command");
6372 goto drop;
6373 }
6374
6375 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
6376 if (err) {
6377 struct l2cap_cmd_rej_unk rej;
6378
6379 BT_ERR("Wrong link type (%d)", err);
6380
6381 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6382 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6383 sizeof(rej), &rej);
6384 }
6385
6386drop:
6387 kfree_skb(skb);
6388}
6389
6390static inline void l2cap_sig_channel(struct l2cap_conn *conn,
6391 struct sk_buff *skb)
6392{
6393 struct hci_conn *hcon = conn->hcon;
6394 struct l2cap_cmd_hdr *cmd;
6395 int err;
6396
6397 l2cap_raw_recv(conn, skb);
6398
6399 if (hcon->type != ACL_LINK)
6400 goto drop;
6401
6402 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6403 u16 len;
6404
6405 cmd = (void *) skb->data;
6406 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6407
6408 len = le16_to_cpu(cmd->len);
6409
6410 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6411 cmd->ident);
6412
6413 if (len > skb->len || !cmd->ident) {
6414 BT_DBG("corrupted command");
6415 break;
6416 }
6417
6418 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
6419 if (err) {
6420 struct l2cap_cmd_rej_unk rej;
6421
6422 BT_ERR("Wrong link type (%d)", err);
6423
6424 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6425 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6426 sizeof(rej), &rej);
6427 }
6428
6429 skb_pull(skb, len);
6430 }
6431
6432drop:
6433 kfree_skb(skb);
6434}
6435
6436static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
6437{
6438 u16 our_fcs, rcv_fcs;
6439 int hdr_size;
6440
6441 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
6442 hdr_size = L2CAP_EXT_HDR_SIZE;
6443 else
6444 hdr_size = L2CAP_ENH_HDR_SIZE;
6445
6446 if (chan->fcs == L2CAP_FCS_CRC16) {
6447 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
6448 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
6449 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
6450
6451 if (our_fcs != rcv_fcs)
6452 return -EBADMSG;
6453 }
6454 return 0;
6455}
6456
6457static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
6458{
6459 struct l2cap_ctrl control;
6460
6461 BT_DBG("chan %p", chan);
6462
6463 memset(&control, 0, sizeof(control));
6464 control.sframe = 1;
6465 control.final = 1;
6466 control.reqseq = chan->buffer_seq;
6467 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6468
6469 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6470 control.super = L2CAP_SUPER_RNR;
6471 l2cap_send_sframe(chan, &control);
6472 }
6473
6474 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6475 chan->unacked_frames > 0)
6476 __set_retrans_timer(chan);
6477
6478
6479 l2cap_ertm_send(chan);
6480
6481 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6482 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
6483
6484
6485
6486 control.super = L2CAP_SUPER_RR;
6487 l2cap_send_sframe(chan, &control);
6488 }
6489}
6490
6491static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
6492 struct sk_buff **last_frag)
6493{
6494
6495
6496
6497 if (!skb_has_frag_list(skb))
6498 skb_shinfo(skb)->frag_list = new_frag;
6499
6500 new_frag->next = NULL;
6501
6502 (*last_frag)->next = new_frag;
6503 *last_frag = new_frag;
6504
6505 skb->len += new_frag->len;
6506 skb->data_len += new_frag->len;
6507 skb->truesize += new_frag->truesize;
6508}
6509
6510static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
6511 struct l2cap_ctrl *control)
6512{
6513 int err = -EINVAL;
6514
6515 switch (control->sar) {
6516 case L2CAP_SAR_UNSEGMENTED:
6517 if (chan->sdu)
6518 break;
6519
6520 err = chan->ops->recv(chan, skb);
6521 break;
6522
6523 case L2CAP_SAR_START:
6524 if (chan->sdu)
6525 break;
6526
6527 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
6528 break;
6529
6530 chan->sdu_len = get_unaligned_le16(skb->data);
6531 skb_pull(skb, L2CAP_SDULEN_SIZE);
6532
6533 if (chan->sdu_len > chan->imtu) {
6534 err = -EMSGSIZE;
6535 break;
6536 }
6537
6538 if (skb->len >= chan->sdu_len)
6539 break;
6540
6541 chan->sdu = skb;
6542 chan->sdu_last_frag = skb;
6543
6544 skb = NULL;
6545 err = 0;
6546 break;
6547
6548 case L2CAP_SAR_CONTINUE:
6549 if (!chan->sdu)
6550 break;
6551
6552 append_skb_frag(chan->sdu, skb,
6553 &chan->sdu_last_frag);
6554 skb = NULL;
6555
6556 if (chan->sdu->len >= chan->sdu_len)
6557 break;
6558
6559 err = 0;
6560 break;
6561
6562 case L2CAP_SAR_END:
6563 if (!chan->sdu)
6564 break;
6565
6566 append_skb_frag(chan->sdu, skb,
6567 &chan->sdu_last_frag);
6568 skb = NULL;
6569
6570 if (chan->sdu->len != chan->sdu_len)
6571 break;
6572
6573 err = chan->ops->recv(chan, chan->sdu);
6574
6575 if (!err) {
6576
6577 chan->sdu = NULL;
6578 chan->sdu_last_frag = NULL;
6579 chan->sdu_len = 0;
6580 }
6581 break;
6582 }
6583
6584 if (err) {
6585 kfree_skb(skb);
6586 kfree_skb(chan->sdu);
6587 chan->sdu = NULL;
6588 chan->sdu_last_frag = NULL;
6589 chan->sdu_len = 0;
6590 }
6591
6592 return err;
6593}
6594
6595static int l2cap_resegment(struct l2cap_chan *chan)
6596{
6597
6598 return 0;
6599}
6600
6601void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6602{
6603 u8 event;
6604
6605 if (chan->mode != L2CAP_MODE_ERTM)
6606 return;
6607
6608 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6609 l2cap_tx(chan, NULL, NULL, event);
6610}
6611
6612static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6613{
6614 int err = 0;
6615
6616
6617
6618
6619 BT_DBG("chan %p", chan);
6620
6621 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6622 struct sk_buff *skb;
6623 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6624 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6625
6626 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6627
6628 if (!skb)
6629 break;
6630
6631 skb_unlink(skb, &chan->srej_q);
6632 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6633 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6634 if (err)
6635 break;
6636 }
6637
6638 if (skb_queue_empty(&chan->srej_q)) {
6639 chan->rx_state = L2CAP_RX_STATE_RECV;
6640 l2cap_send_ack(chan);
6641 }
6642
6643 return err;
6644}
6645
6646static void l2cap_handle_srej(struct l2cap_chan *chan,
6647 struct l2cap_ctrl *control)
6648{
6649 struct sk_buff *skb;
6650
6651 BT_DBG("chan %p, control %p", chan, control);
6652
6653 if (control->reqseq == chan->next_tx_seq) {
6654 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6655 l2cap_send_disconn_req(chan, ECONNRESET);
6656 return;
6657 }
6658
6659 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6660
6661 if (skb == NULL) {
6662 BT_DBG("Seq %d not available for retransmission",
6663 control->reqseq);
6664 return;
6665 }
6666
6667 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6668 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6669 l2cap_send_disconn_req(chan, ECONNRESET);
6670 return;
6671 }
6672
6673 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6674
6675 if (control->poll) {
6676 l2cap_pass_to_tx(chan, control);
6677
6678 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6679 l2cap_retransmit(chan, control);
6680 l2cap_ertm_send(chan);
6681
6682 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6683 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6684 chan->srej_save_reqseq = control->reqseq;
6685 }
6686 } else {
6687 l2cap_pass_to_tx_fbit(chan, control);
6688
6689 if (control->final) {
6690 if (chan->srej_save_reqseq != control->reqseq ||
6691 !test_and_clear_bit(CONN_SREJ_ACT,
6692 &chan->conn_state))
6693 l2cap_retransmit(chan, control);
6694 } else {
6695 l2cap_retransmit(chan, control);
6696 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6697 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6698 chan->srej_save_reqseq = control->reqseq;
6699 }
6700 }
6701 }
6702}
6703
6704static void l2cap_handle_rej(struct l2cap_chan *chan,
6705 struct l2cap_ctrl *control)
6706{
6707 struct sk_buff *skb;
6708
6709 BT_DBG("chan %p, control %p", chan, control);
6710
6711 if (control->reqseq == chan->next_tx_seq) {
6712 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6713 l2cap_send_disconn_req(chan, ECONNRESET);
6714 return;
6715 }
6716
6717 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6718
6719 if (chan->max_tx && skb &&
6720 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6721 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6722 l2cap_send_disconn_req(chan, ECONNRESET);
6723 return;
6724 }
6725
6726 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6727
6728 l2cap_pass_to_tx(chan, control);
6729
6730 if (control->final) {
6731 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6732 l2cap_retransmit_all(chan, control);
6733 } else {
6734 l2cap_retransmit_all(chan, control);
6735 l2cap_ertm_send(chan);
6736 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6737 set_bit(CONN_REJ_ACT, &chan->conn_state);
6738 }
6739}
6740
6741static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6742{
6743 BT_DBG("chan %p, txseq %d", chan, txseq);
6744
6745 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6746 chan->expected_tx_seq);
6747
6748 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6749 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6750 chan->tx_win) {
6751
6752
6753
6754 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6755 BT_DBG("Invalid/Ignore - after SREJ");
6756 return L2CAP_TXSEQ_INVALID_IGNORE;
6757 } else {
6758 BT_DBG("Invalid - in window after SREJ sent");
6759 return L2CAP_TXSEQ_INVALID;
6760 }
6761 }
6762
6763 if (chan->srej_list.head == txseq) {
6764 BT_DBG("Expected SREJ");
6765 return L2CAP_TXSEQ_EXPECTED_SREJ;
6766 }
6767
6768 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6769 BT_DBG("Duplicate SREJ - txseq already stored");
6770 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6771 }
6772
6773 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6774 BT_DBG("Unexpected SREJ - not requested");
6775 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6776 }
6777 }
6778
6779 if (chan->expected_tx_seq == txseq) {
6780 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6781 chan->tx_win) {
6782 BT_DBG("Invalid - txseq outside tx window");
6783 return L2CAP_TXSEQ_INVALID;
6784 } else {
6785 BT_DBG("Expected");
6786 return L2CAP_TXSEQ_EXPECTED;
6787 }
6788 }
6789
6790 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6791 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6792 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6793 return L2CAP_TXSEQ_DUPLICATE;
6794 }
6795
6796 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
6807
6808
6809
6810
6811
6812
6813
6814 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6815 BT_DBG("Invalid/Ignore - txseq outside tx window");
6816 return L2CAP_TXSEQ_INVALID_IGNORE;
6817 } else {
6818 BT_DBG("Invalid - txseq outside tx window");
6819 return L2CAP_TXSEQ_INVALID;
6820 }
6821 } else {
6822 BT_DBG("Unexpected - txseq indicates missing frames");
6823 return L2CAP_TXSEQ_UNEXPECTED;
6824 }
6825}
6826
6827static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6828 struct l2cap_ctrl *control,
6829 struct sk_buff *skb, u8 event)
6830{
6831 int err = 0;
6832 bool skb_in_use = false;
6833
6834 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6835 event);
6836
6837 switch (event) {
6838 case L2CAP_EV_RECV_IFRAME:
6839 switch (l2cap_classify_txseq(chan, control->txseq)) {
6840 case L2CAP_TXSEQ_EXPECTED:
6841 l2cap_pass_to_tx(chan, control);
6842
6843 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6844 BT_DBG("Busy, discarding expected seq %d",
6845 control->txseq);
6846 break;
6847 }
6848
6849 chan->expected_tx_seq = __next_seq(chan,
6850 control->txseq);
6851
6852 chan->buffer_seq = chan->expected_tx_seq;
6853 skb_in_use = true;
6854
6855 err = l2cap_reassemble_sdu(chan, skb, control);
6856 if (err)
6857 break;
6858
6859 if (control->final) {
6860 if (!test_and_clear_bit(CONN_REJ_ACT,
6861 &chan->conn_state)) {
6862 control->final = 0;
6863 l2cap_retransmit_all(chan, control);
6864 l2cap_ertm_send(chan);
6865 }
6866 }
6867
6868 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6869 l2cap_send_ack(chan);
6870 break;
6871 case L2CAP_TXSEQ_UNEXPECTED:
6872 l2cap_pass_to_tx(chan, control);
6873
6874
6875
6876
6877
6878 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6879 BT_DBG("Busy, discarding unexpected seq %d",
6880 control->txseq);
6881 break;
6882 }
6883
6884
6885
6886
6887
6888 skb_queue_tail(&chan->srej_q, skb);
6889 skb_in_use = true;
6890 BT_DBG("Queued %p (queue len %d)", skb,
6891 skb_queue_len(&chan->srej_q));
6892
6893 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6894 l2cap_seq_list_clear(&chan->srej_list);
6895 l2cap_send_srej(chan, control->txseq);
6896
6897 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6898 break;
6899 case L2CAP_TXSEQ_DUPLICATE:
6900 l2cap_pass_to_tx(chan, control);
6901 break;
6902 case L2CAP_TXSEQ_INVALID_IGNORE:
6903 break;
6904 case L2CAP_TXSEQ_INVALID:
6905 default:
6906 l2cap_send_disconn_req(chan, ECONNRESET);
6907 break;
6908 }
6909 break;
6910 case L2CAP_EV_RECV_RR:
6911 l2cap_pass_to_tx(chan, control);
6912 if (control->final) {
6913 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6914
6915 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6916 !__chan_is_moving(chan)) {
6917 control->final = 0;
6918 l2cap_retransmit_all(chan, control);
6919 }
6920
6921 l2cap_ertm_send(chan);
6922 } else if (control->poll) {
6923 l2cap_send_i_or_rr_or_rnr(chan);
6924 } else {
6925 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6926 &chan->conn_state) &&
6927 chan->unacked_frames)
6928 __set_retrans_timer(chan);
6929
6930 l2cap_ertm_send(chan);
6931 }
6932 break;
6933 case L2CAP_EV_RECV_RNR:
6934 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6935 l2cap_pass_to_tx(chan, control);
6936 if (control && control->poll) {
6937 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6938 l2cap_send_rr_or_rnr(chan, 0);
6939 }
6940 __clear_retrans_timer(chan);
6941 l2cap_seq_list_clear(&chan->retrans_list);
6942 break;
6943 case L2CAP_EV_RECV_REJ:
6944 l2cap_handle_rej(chan, control);
6945 break;
6946 case L2CAP_EV_RECV_SREJ:
6947 l2cap_handle_srej(chan, control);
6948 break;
6949 default:
6950 break;
6951 }
6952
6953 if (skb && !skb_in_use) {
6954 BT_DBG("Freeing %p", skb);
6955 kfree_skb(skb);
6956 }
6957
6958 return err;
6959}
6960
6961static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6962 struct l2cap_ctrl *control,
6963 struct sk_buff *skb, u8 event)
6964{
6965 int err = 0;
6966 u16 txseq = control->txseq;
6967 bool skb_in_use = false;
6968
6969 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6970 event);
6971
6972 switch (event) {
6973 case L2CAP_EV_RECV_IFRAME:
6974 switch (l2cap_classify_txseq(chan, txseq)) {
6975 case L2CAP_TXSEQ_EXPECTED:
6976
6977 l2cap_pass_to_tx(chan, control);
6978 skb_queue_tail(&chan->srej_q, skb);
6979 skb_in_use = true;
6980 BT_DBG("Queued %p (queue len %d)", skb,
6981 skb_queue_len(&chan->srej_q));
6982
6983 chan->expected_tx_seq = __next_seq(chan, txseq);
6984 break;
6985 case L2CAP_TXSEQ_EXPECTED_SREJ:
6986 l2cap_seq_list_pop(&chan->srej_list);
6987
6988 l2cap_pass_to_tx(chan, control);
6989 skb_queue_tail(&chan->srej_q, skb);
6990 skb_in_use = true;
6991 BT_DBG("Queued %p (queue len %d)", skb,
6992 skb_queue_len(&chan->srej_q));
6993
6994 err = l2cap_rx_queued_iframes(chan);
6995 if (err)
6996 break;
6997
6998 break;
6999 case L2CAP_TXSEQ_UNEXPECTED:
7000
7001
7002
7003
7004 skb_queue_tail(&chan->srej_q, skb);
7005 skb_in_use = true;
7006 BT_DBG("Queued %p (queue len %d)", skb,
7007 skb_queue_len(&chan->srej_q));
7008
7009 l2cap_pass_to_tx(chan, control);
7010 l2cap_send_srej(chan, control->txseq);
7011 break;
7012 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
7013
7014
7015
7016
7017
7018 skb_queue_tail(&chan->srej_q, skb);
7019 skb_in_use = true;
7020 BT_DBG("Queued %p (queue len %d)", skb,
7021 skb_queue_len(&chan->srej_q));
7022
7023 l2cap_pass_to_tx(chan, control);
7024 l2cap_send_srej_list(chan, control->txseq);
7025 break;
7026 case L2CAP_TXSEQ_DUPLICATE_SREJ:
7027
7028 l2cap_pass_to_tx(chan, control);
7029 break;
7030 case L2CAP_TXSEQ_DUPLICATE:
7031
7032
7033
7034 break;
7035 case L2CAP_TXSEQ_INVALID_IGNORE:
7036 break;
7037 case L2CAP_TXSEQ_INVALID:
7038 default:
7039 l2cap_send_disconn_req(chan, ECONNRESET);
7040 break;
7041 }
7042 break;
7043 case L2CAP_EV_RECV_RR:
7044 l2cap_pass_to_tx(chan, control);
7045 if (control->final) {
7046 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7047
7048 if (!test_and_clear_bit(CONN_REJ_ACT,
7049 &chan->conn_state)) {
7050 control->final = 0;
7051 l2cap_retransmit_all(chan, control);
7052 }
7053
7054 l2cap_ertm_send(chan);
7055 } else if (control->poll) {
7056 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7057 &chan->conn_state) &&
7058 chan->unacked_frames) {
7059 __set_retrans_timer(chan);
7060 }
7061
7062 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7063 l2cap_send_srej_tail(chan);
7064 } else {
7065 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7066 &chan->conn_state) &&
7067 chan->unacked_frames)
7068 __set_retrans_timer(chan);
7069
7070 l2cap_send_ack(chan);
7071 }
7072 break;
7073 case L2CAP_EV_RECV_RNR:
7074 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7075 l2cap_pass_to_tx(chan, control);
7076 if (control->poll) {
7077 l2cap_send_srej_tail(chan);
7078 } else {
7079 struct l2cap_ctrl rr_control;
7080 memset(&rr_control, 0, sizeof(rr_control));
7081 rr_control.sframe = 1;
7082 rr_control.super = L2CAP_SUPER_RR;
7083 rr_control.reqseq = chan->buffer_seq;
7084 l2cap_send_sframe(chan, &rr_control);
7085 }
7086
7087 break;
7088 case L2CAP_EV_RECV_REJ:
7089 l2cap_handle_rej(chan, control);
7090 break;
7091 case L2CAP_EV_RECV_SREJ:
7092 l2cap_handle_srej(chan, control);
7093 break;
7094 }
7095
7096 if (skb && !skb_in_use) {
7097 BT_DBG("Freeing %p", skb);
7098 kfree_skb(skb);
7099 }
7100
7101 return err;
7102}
7103
7104static int l2cap_finish_move(struct l2cap_chan *chan)
7105{
7106 BT_DBG("chan %p", chan);
7107
7108 chan->rx_state = L2CAP_RX_STATE_RECV;
7109
7110 if (chan->hs_hcon)
7111 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7112 else
7113 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7114
7115 return l2cap_resegment(chan);
7116}
7117
7118static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
7119 struct l2cap_ctrl *control,
7120 struct sk_buff *skb, u8 event)
7121{
7122 int err;
7123
7124 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7125 event);
7126
7127 if (!control->poll)
7128 return -EPROTO;
7129
7130 l2cap_process_reqseq(chan, control->reqseq);
7131
7132 if (!skb_queue_empty(&chan->tx_q))
7133 chan->tx_send_head = skb_peek(&chan->tx_q);
7134 else
7135 chan->tx_send_head = NULL;
7136
7137
7138
7139
7140 chan->next_tx_seq = control->reqseq;
7141 chan->unacked_frames = 0;
7142
7143 err = l2cap_finish_move(chan);
7144 if (err)
7145 return err;
7146
7147 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7148 l2cap_send_i_or_rr_or_rnr(chan);
7149
7150 if (event == L2CAP_EV_RECV_IFRAME)
7151 return -EPROTO;
7152
7153 return l2cap_rx_state_recv(chan, control, NULL, event);
7154}
7155
7156static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
7157 struct l2cap_ctrl *control,
7158 struct sk_buff *skb, u8 event)
7159{
7160 int err;
7161
7162 if (!control->final)
7163 return -EPROTO;
7164
7165 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7166
7167 chan->rx_state = L2CAP_RX_STATE_RECV;
7168 l2cap_process_reqseq(chan, control->reqseq);
7169
7170 if (!skb_queue_empty(&chan->tx_q))
7171 chan->tx_send_head = skb_peek(&chan->tx_q);
7172 else
7173 chan->tx_send_head = NULL;
7174
7175
7176
7177
7178 chan->next_tx_seq = control->reqseq;
7179 chan->unacked_frames = 0;
7180
7181 if (chan->hs_hcon)
7182 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7183 else
7184 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7185
7186 err = l2cap_resegment(chan);
7187
7188 if (!err)
7189 err = l2cap_rx_state_recv(chan, control, skb, event);
7190
7191 return err;
7192}
7193
7194static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
7195{
7196
7197 u16 unacked;
7198
7199 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
7200 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
7201}
7202
7203static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7204 struct sk_buff *skb, u8 event)
7205{
7206 int err = 0;
7207
7208 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
7209 control, skb, event, chan->rx_state);
7210
7211 if (__valid_reqseq(chan, control->reqseq)) {
7212 switch (chan->rx_state) {
7213 case L2CAP_RX_STATE_RECV:
7214 err = l2cap_rx_state_recv(chan, control, skb, event);
7215 break;
7216 case L2CAP_RX_STATE_SREJ_SENT:
7217 err = l2cap_rx_state_srej_sent(chan, control, skb,
7218 event);
7219 break;
7220 case L2CAP_RX_STATE_WAIT_P:
7221 err = l2cap_rx_state_wait_p(chan, control, skb, event);
7222 break;
7223 case L2CAP_RX_STATE_WAIT_F:
7224 err = l2cap_rx_state_wait_f(chan, control, skb, event);
7225 break;
7226 default:
7227
7228 break;
7229 }
7230 } else {
7231 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
7232 control->reqseq, chan->next_tx_seq,
7233 chan->expected_ack_seq);
7234 l2cap_send_disconn_req(chan, ECONNRESET);
7235 }
7236
7237 return err;
7238}
7239
7240static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7241 struct sk_buff *skb)
7242{
7243 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
7244 chan->rx_state);
7245
7246 if (l2cap_classify_txseq(chan, control->txseq) ==
7247 L2CAP_TXSEQ_EXPECTED) {
7248 l2cap_pass_to_tx(chan, control);
7249
7250 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
7251 __next_seq(chan, chan->buffer_seq));
7252
7253 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
7254
7255 l2cap_reassemble_sdu(chan, skb, control);
7256 } else {
7257 if (chan->sdu) {
7258 kfree_skb(chan->sdu);
7259 chan->sdu = NULL;
7260 }
7261 chan->sdu_last_frag = NULL;
7262 chan->sdu_len = 0;
7263
7264 if (skb) {
7265 BT_DBG("Freeing %p", skb);
7266 kfree_skb(skb);
7267 }
7268 }
7269
7270 chan->last_acked_seq = control->txseq;
7271 chan->expected_tx_seq = __next_seq(chan, control->txseq);
7272
7273 return 0;
7274}
7275
7276static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7277{
7278 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
7279 u16 len;
7280 u8 event;
7281
7282 __unpack_control(chan, skb);
7283
7284 len = skb->len;
7285
7286
7287
7288
7289
7290
7291 if (l2cap_check_fcs(chan, skb))
7292 goto drop;
7293
7294 if (!control->sframe && control->sar == L2CAP_SAR_START)
7295 len -= L2CAP_SDULEN_SIZE;
7296
7297 if (chan->fcs == L2CAP_FCS_CRC16)
7298 len -= L2CAP_FCS_SIZE;
7299
7300 if (len > chan->mps) {
7301 l2cap_send_disconn_req(chan, ECONNRESET);
7302 goto drop;
7303 }
7304
7305 if ((chan->mode == L2CAP_MODE_ERTM ||
7306 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
7307 goto drop;
7308
7309 if (!control->sframe) {
7310 int err;
7311
7312 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
7313 control->sar, control->reqseq, control->final,
7314 control->txseq);
7315
7316
7317
7318
7319 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
7320 goto drop;
7321
7322 if (chan->mode != L2CAP_MODE_STREAMING) {
7323 event = L2CAP_EV_RECV_IFRAME;
7324 err = l2cap_rx(chan, control, skb, event);
7325 } else {
7326 err = l2cap_stream_rx(chan, control, skb);
7327 }
7328
7329 if (err)
7330 l2cap_send_disconn_req(chan, ECONNRESET);
7331 } else {
7332 const u8 rx_func_to_event[4] = {
7333 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
7334 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
7335 };
7336
7337
7338 if (chan->mode == L2CAP_MODE_STREAMING)
7339 goto drop;
7340
7341 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
7342 control->reqseq, control->final, control->poll,
7343 control->super);
7344
7345 if (len != 0) {
7346 BT_ERR("Trailing bytes: %d in sframe", len);
7347 l2cap_send_disconn_req(chan, ECONNRESET);
7348 goto drop;
7349 }
7350
7351
7352 if (control->final && (control->poll ||
7353 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
7354 goto drop;
7355
7356 event = rx_func_to_event[control->super];
7357 if (l2cap_rx(chan, control, skb, event))
7358 l2cap_send_disconn_req(chan, ECONNRESET);
7359 }
7360
7361 return 0;
7362
7363drop:
7364 kfree_skb(skb);
7365 return 0;
7366}
7367
7368static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
7369{
7370 struct l2cap_conn *conn = chan->conn;
7371 struct l2cap_le_credits pkt;
7372 u16 return_credits;
7373
7374 return_credits = (chan->imtu / chan->mps) + 1;
7375
7376 if (chan->rx_credits >= return_credits)
7377 return;
7378
7379 return_credits -= chan->rx_credits;
7380
7381 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
7382
7383 chan->rx_credits += return_credits;
7384
7385 pkt.cid = cpu_to_le16(chan->scid);
7386 pkt.credits = cpu_to_le16(return_credits);
7387
7388 chan->ident = l2cap_get_ident(conn);
7389
7390 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
7391}
7392
7393static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7394{
7395 int err;
7396
7397 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7398
7399
7400 err = chan->ops->recv(chan, skb);
7401
7402
7403 l2cap_chan_le_send_credits(chan);
7404
7405 return err;
7406}
7407
7408static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7409{
7410 int err;
7411
7412 if (!chan->rx_credits) {
7413 BT_ERR("No credits to receive LE L2CAP data");
7414 l2cap_send_disconn_req(chan, ECONNRESET);
7415 return -ENOBUFS;
7416 }
7417
7418 if (chan->imtu < skb->len) {
7419 BT_ERR("Too big LE L2CAP PDU");
7420 return -ENOBUFS;
7421 }
7422
7423 chan->rx_credits--;
7424 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
7425
7426
7427
7428
7429 if (!chan->rx_credits)
7430 l2cap_chan_le_send_credits(chan);
7431
7432 err = 0;
7433
7434 if (!chan->sdu) {
7435 u16 sdu_len;
7436
7437 sdu_len = get_unaligned_le16(skb->data);
7438 skb_pull(skb, L2CAP_SDULEN_SIZE);
7439
7440 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
7441 sdu_len, skb->len, chan->imtu);
7442
7443 if (sdu_len > chan->imtu) {
7444 BT_ERR("Too big LE L2CAP SDU length received");
7445 err = -EMSGSIZE;
7446 goto failed;
7447 }
7448
7449 if (skb->len > sdu_len) {
7450 BT_ERR("Too much LE L2CAP data received");
7451 err = -EINVAL;
7452 goto failed;
7453 }
7454
7455 if (skb->len == sdu_len)
7456 return l2cap_ecred_recv(chan, skb);
7457
7458 chan->sdu = skb;
7459 chan->sdu_len = sdu_len;
7460 chan->sdu_last_frag = skb;
7461
7462
7463 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
7464 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
7465
7466
7467 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
7468 chan->mps = mps_len;
7469 l2cap_chan_le_send_credits(chan);
7470 }
7471
7472 return 0;
7473 }
7474
7475 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
7476 chan->sdu->len, skb->len, chan->sdu_len);
7477
7478 if (chan->sdu->len + skb->len > chan->sdu_len) {
7479 BT_ERR("Too much LE L2CAP data received");
7480 err = -EINVAL;
7481 goto failed;
7482 }
7483
7484 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
7485 skb = NULL;
7486
7487 if (chan->sdu->len == chan->sdu_len) {
7488 err = l2cap_ecred_recv(chan, chan->sdu);
7489 if (!err) {
7490 chan->sdu = NULL;
7491 chan->sdu_last_frag = NULL;
7492 chan->sdu_len = 0;
7493 }
7494 }
7495
7496failed:
7497 if (err) {
7498 kfree_skb(skb);
7499 kfree_skb(chan->sdu);
7500 chan->sdu = NULL;
7501 chan->sdu_last_frag = NULL;
7502 chan->sdu_len = 0;
7503 }
7504
7505
7506
7507
7508
7509 return 0;
7510}
7511
7512static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
7513 struct sk_buff *skb)
7514{
7515 struct l2cap_chan *chan;
7516
7517 chan = l2cap_get_chan_by_scid(conn, cid);
7518 if (!chan) {
7519 if (cid == L2CAP_CID_A2MP) {
7520 chan = a2mp_channel_create(conn, skb);
7521 if (!chan) {
7522 kfree_skb(skb);
7523 return;
7524 }
7525
7526 l2cap_chan_lock(chan);
7527 } else {
7528 BT_DBG("unknown cid 0x%4.4x", cid);
7529
7530 kfree_skb(skb);
7531 return;
7532 }
7533 }
7534
7535 BT_DBG("chan %p, len %d", chan, skb->len);
7536
7537
7538
7539
7540
7541 if (chan->chan_type == L2CAP_CHAN_FIXED)
7542 l2cap_chan_ready(chan);
7543
7544 if (chan->state != BT_CONNECTED)
7545 goto drop;
7546
7547 switch (chan->mode) {
7548 case L2CAP_MODE_LE_FLOWCTL:
7549 case L2CAP_MODE_EXT_FLOWCTL:
7550 if (l2cap_ecred_data_rcv(chan, skb) < 0)
7551 goto drop;
7552
7553 goto done;
7554
7555 case L2CAP_MODE_BASIC:
7556
7557
7558
7559
7560
7561 if (chan->imtu < skb->len) {
7562 BT_ERR("Dropping L2CAP data: receive buffer overflow");
7563 goto drop;
7564 }
7565
7566 if (!chan->ops->recv(chan, skb))
7567 goto done;
7568 break;
7569
7570 case L2CAP_MODE_ERTM:
7571 case L2CAP_MODE_STREAMING:
7572 l2cap_data_rcv(chan, skb);
7573 goto done;
7574
7575 default:
7576 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7577 break;
7578 }
7579
7580drop:
7581 kfree_skb(skb);
7582
7583done:
7584 l2cap_chan_unlock(chan);
7585}
7586
7587static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7588 struct sk_buff *skb)
7589{
7590 struct hci_conn *hcon = conn->hcon;
7591 struct l2cap_chan *chan;
7592
7593 if (hcon->type != ACL_LINK)
7594 goto free_skb;
7595
7596 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7597 ACL_LINK);
7598 if (!chan)
7599 goto free_skb;
7600
7601 BT_DBG("chan %p, len %d", chan, skb->len);
7602
7603 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7604 goto drop;
7605
7606 if (chan->imtu < skb->len)
7607 goto drop;
7608
7609
7610 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7611 bt_cb(skb)->l2cap.psm = psm;
7612
7613 if (!chan->ops->recv(chan, skb)) {
7614 l2cap_chan_put(chan);
7615 return;
7616 }
7617
7618drop:
7619 l2cap_chan_put(chan);
7620free_skb:
7621 kfree_skb(skb);
7622}
7623
7624static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7625{
7626 struct l2cap_hdr *lh = (void *) skb->data;
7627 struct hci_conn *hcon = conn->hcon;
7628 u16 cid, len;
7629 __le16 psm;
7630
7631 if (hcon->state != BT_CONNECTED) {
7632 BT_DBG("queueing pending rx skb");
7633 skb_queue_tail(&conn->pending_rx, skb);
7634 return;
7635 }
7636
7637 skb_pull(skb, L2CAP_HDR_SIZE);
7638 cid = __le16_to_cpu(lh->cid);
7639 len = __le16_to_cpu(lh->len);
7640
7641 if (len != skb->len) {
7642 kfree_skb(skb);
7643 return;
7644 }
7645
7646
7647
7648
7649 if (hcon->type == LE_LINK &&
7650 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7651 bdaddr_dst_type(hcon))) {
7652 kfree_skb(skb);
7653 return;
7654 }
7655
7656 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7657
7658 switch (cid) {
7659 case L2CAP_CID_SIGNALING:
7660 l2cap_sig_channel(conn, skb);
7661 break;
7662
7663 case L2CAP_CID_CONN_LESS:
7664 psm = get_unaligned((__le16 *) skb->data);
7665 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7666 l2cap_conless_channel(conn, psm, skb);
7667 break;
7668
7669 case L2CAP_CID_LE_SIGNALING:
7670 l2cap_le_sig_channel(conn, skb);
7671 break;
7672
7673 default:
7674 l2cap_data_channel(conn, cid, skb);
7675 break;
7676 }
7677}
7678
7679static void process_pending_rx(struct work_struct *work)
7680{
7681 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7682 pending_rx_work);
7683 struct sk_buff *skb;
7684
7685 BT_DBG("");
7686
7687 while ((skb = skb_dequeue(&conn->pending_rx)))
7688 l2cap_recv_frame(conn, skb);
7689}
7690
7691static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7692{
7693 struct l2cap_conn *conn = hcon->l2cap_data;
7694 struct hci_chan *hchan;
7695
7696 if (conn)
7697 return conn;
7698
7699 hchan = hci_chan_create(hcon);
7700 if (!hchan)
7701 return NULL;
7702
7703 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7704 if (!conn) {
7705 hci_chan_del(hchan);
7706 return NULL;
7707 }
7708
7709 kref_init(&conn->ref);
7710 hcon->l2cap_data = conn;
7711 conn->hcon = hci_conn_get(hcon);
7712 conn->hchan = hchan;
7713
7714 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7715
7716 switch (hcon->type) {
7717 case LE_LINK:
7718 if (hcon->hdev->le_mtu) {
7719 conn->mtu = hcon->hdev->le_mtu;
7720 break;
7721 }
7722
7723 default:
7724 conn->mtu = hcon->hdev->acl_mtu;
7725 break;
7726 }
7727
7728 conn->feat_mask = 0;
7729
7730 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7731
7732 if (hcon->type == ACL_LINK &&
7733 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7734 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7735
7736 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7737 (bredr_sc_enabled(hcon->hdev) ||
7738 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7739 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7740
7741 mutex_init(&conn->ident_lock);
7742 mutex_init(&conn->chan_lock);
7743
7744 INIT_LIST_HEAD(&conn->chan_l);
7745 INIT_LIST_HEAD(&conn->users);
7746
7747 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7748
7749 skb_queue_head_init(&conn->pending_rx);
7750 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7751 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7752
7753 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7754
7755 return conn;
7756}
7757
7758static bool is_valid_psm(u16 psm, u8 dst_type) {
7759 if (!psm)
7760 return false;
7761
7762 if (bdaddr_type_is_le(dst_type))
7763 return (psm <= 0x00ff);
7764
7765
7766 return ((psm & 0x0101) == 0x0001);
7767}
7768
7769struct l2cap_chan_data {
7770 struct l2cap_chan *chan;
7771 struct pid *pid;
7772 int count;
7773};
7774
7775static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7776{
7777 struct l2cap_chan_data *d = data;
7778 struct pid *pid;
7779
7780 if (chan == d->chan)
7781 return;
7782
7783 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7784 return;
7785
7786 pid = chan->ops->get_peer_pid(chan);
7787
7788
7789 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7790 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7791 return;
7792
7793 d->count++;
7794}
7795
7796int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7797 bdaddr_t *dst, u8 dst_type)
7798{
7799 struct l2cap_conn *conn;
7800 struct hci_conn *hcon;
7801 struct hci_dev *hdev;
7802 int err;
7803
7804 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7805 dst, dst_type, __le16_to_cpu(psm), chan->mode);
7806
7807 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7808 if (!hdev)
7809 return -EHOSTUNREACH;
7810
7811 hci_dev_lock(hdev);
7812
7813 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7814 chan->chan_type != L2CAP_CHAN_RAW) {
7815 err = -EINVAL;
7816 goto done;
7817 }
7818
7819 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7820 err = -EINVAL;
7821 goto done;
7822 }
7823
7824 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7825 err = -EINVAL;
7826 goto done;
7827 }
7828
7829 switch (chan->mode) {
7830 case L2CAP_MODE_BASIC:
7831 break;
7832 case L2CAP_MODE_LE_FLOWCTL:
7833 break;
7834 case L2CAP_MODE_EXT_FLOWCTL:
7835 if (!enable_ecred) {
7836 err = -EOPNOTSUPP;
7837 goto done;
7838 }
7839 break;
7840 case L2CAP_MODE_ERTM:
7841 case L2CAP_MODE_STREAMING:
7842 if (!disable_ertm)
7843 break;
7844
7845 default:
7846 err = -EOPNOTSUPP;
7847 goto done;
7848 }
7849
7850 switch (chan->state) {
7851 case BT_CONNECT:
7852 case BT_CONNECT2:
7853 case BT_CONFIG:
7854
7855 err = 0;
7856 goto done;
7857
7858 case BT_CONNECTED:
7859
7860 err = -EISCONN;
7861 goto done;
7862
7863 case BT_OPEN:
7864 case BT_BOUND:
7865
7866 break;
7867
7868 default:
7869 err = -EBADFD;
7870 goto done;
7871 }
7872
7873
7874 bacpy(&chan->dst, dst);
7875 chan->dst_type = dst_type;
7876
7877 chan->psm = psm;
7878 chan->dcid = cid;
7879
7880 if (bdaddr_type_is_le(dst_type)) {
7881
7882
7883 if (dst_type == BDADDR_LE_PUBLIC)
7884 dst_type = ADDR_LE_DEV_PUBLIC;
7885 else
7886 dst_type = ADDR_LE_DEV_RANDOM;
7887
7888 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7889 hcon = hci_connect_le(hdev, dst, dst_type,
7890 chan->sec_level,
7891 HCI_LE_CONN_TIMEOUT,
7892 HCI_ROLE_SLAVE, NULL);
7893 else
7894 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7895 chan->sec_level,
7896 HCI_LE_CONN_TIMEOUT);
7897
7898 } else {
7899 u8 auth_type = l2cap_get_auth_type(chan);
7900 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7901 }
7902
7903 if (IS_ERR(hcon)) {
7904 err = PTR_ERR(hcon);
7905 goto done;
7906 }
7907
7908 conn = l2cap_conn_add(hcon);
7909 if (!conn) {
7910 hci_conn_drop(hcon);
7911 err = -ENOMEM;
7912 goto done;
7913 }
7914
7915 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7916 struct l2cap_chan_data data;
7917
7918 data.chan = chan;
7919 data.pid = chan->ops->get_peer_pid(chan);
7920 data.count = 1;
7921
7922 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7923
7924
7925 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7926 hci_conn_drop(hcon);
7927 err = -EPROTO;
7928 goto done;
7929 }
7930 }
7931
7932 mutex_lock(&conn->chan_lock);
7933 l2cap_chan_lock(chan);
7934
7935 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7936 hci_conn_drop(hcon);
7937 err = -EBUSY;
7938 goto chan_unlock;
7939 }
7940
7941
7942 bacpy(&chan->src, &hcon->src);
7943 chan->src_type = bdaddr_src_type(hcon);
7944
7945 __l2cap_chan_add(conn, chan);
7946
7947
7948 hci_conn_drop(hcon);
7949
7950 l2cap_state_change(chan, BT_CONNECT);
7951 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7952
7953
7954
7955
7956 write_lock(&chan_list_lock);
7957 chan->sport = 0;
7958 write_unlock(&chan_list_lock);
7959
7960 if (hcon->state == BT_CONNECTED) {
7961 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7962 __clear_chan_timer(chan);
7963 if (l2cap_chan_check_security(chan, true))
7964 l2cap_state_change(chan, BT_CONNECTED);
7965 } else
7966 l2cap_do_start(chan);
7967 }
7968
7969 err = 0;
7970
7971chan_unlock:
7972 l2cap_chan_unlock(chan);
7973 mutex_unlock(&conn->chan_lock);
7974done:
7975 hci_dev_unlock(hdev);
7976 hci_dev_put(hdev);
7977 return err;
7978}
7979EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7980
7981static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7982{
7983 struct l2cap_conn *conn = chan->conn;
7984 struct {
7985 struct l2cap_ecred_reconf_req req;
7986 __le16 scid;
7987 } pdu;
7988
7989 pdu.req.mtu = cpu_to_le16(chan->imtu);
7990 pdu.req.mps = cpu_to_le16(chan->mps);
7991 pdu.scid = cpu_to_le16(chan->scid);
7992
7993 chan->ident = l2cap_get_ident(conn);
7994
7995 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
7996 sizeof(pdu), &pdu);
7997}
7998
7999int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8000{
8001 if (chan->imtu > mtu)
8002 return -EINVAL;
8003
8004 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8005
8006 chan->imtu = mtu;
8007
8008 l2cap_ecred_reconfigure(chan);
8009
8010 return 0;
8011}
8012
8013
8014
8015int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
8016{
8017 int exact = 0, lm1 = 0, lm2 = 0;
8018 struct l2cap_chan *c;
8019
8020 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
8021
8022
8023 read_lock(&chan_list_lock);
8024 list_for_each_entry(c, &chan_list, global_l) {
8025 if (c->state != BT_LISTEN)
8026 continue;
8027
8028 if (!bacmp(&c->src, &hdev->bdaddr)) {
8029 lm1 |= HCI_LM_ACCEPT;
8030 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8031 lm1 |= HCI_LM_MASTER;
8032 exact++;
8033 } else if (!bacmp(&c->src, BDADDR_ANY)) {
8034 lm2 |= HCI_LM_ACCEPT;
8035 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8036 lm2 |= HCI_LM_MASTER;
8037 }
8038 }
8039 read_unlock(&chan_list_lock);
8040
8041 return exact ? lm1 : lm2;
8042}
8043
8044
8045
8046
8047
8048static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
8049 struct hci_conn *hcon)
8050{
8051 u8 src_type = bdaddr_src_type(hcon);
8052
8053 read_lock(&chan_list_lock);
8054
8055 if (c)
8056 c = list_next_entry(c, global_l);
8057 else
8058 c = list_entry(chan_list.next, typeof(*c), global_l);
8059
8060 list_for_each_entry_from(c, &chan_list, global_l) {
8061 if (c->chan_type != L2CAP_CHAN_FIXED)
8062 continue;
8063 if (c->state != BT_LISTEN)
8064 continue;
8065 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
8066 continue;
8067 if (src_type != c->src_type)
8068 continue;
8069
8070 l2cap_chan_hold(c);
8071 read_unlock(&chan_list_lock);
8072 return c;
8073 }
8074
8075 read_unlock(&chan_list_lock);
8076
8077 return NULL;
8078}
8079
8080static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
8081{
8082 struct hci_dev *hdev = hcon->hdev;
8083 struct l2cap_conn *conn;
8084 struct l2cap_chan *pchan;
8085 u8 dst_type;
8086
8087 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8088 return;
8089
8090 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
8091
8092 if (status) {
8093 l2cap_conn_del(hcon, bt_to_errno(status));
8094 return;
8095 }
8096
8097 conn = l2cap_conn_add(hcon);
8098 if (!conn)
8099 return;
8100
8101 dst_type = bdaddr_dst_type(hcon);
8102
8103
8104 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
8105 return;
8106
8107
8108
8109
8110
8111
8112 pchan = l2cap_global_fixed_chan(NULL, hcon);
8113 while (pchan) {
8114 struct l2cap_chan *chan, *next;
8115
8116
8117 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
8118 goto next;
8119
8120 l2cap_chan_lock(pchan);
8121 chan = pchan->ops->new_connection(pchan);
8122 if (chan) {
8123 bacpy(&chan->src, &hcon->src);
8124 bacpy(&chan->dst, &hcon->dst);
8125 chan->src_type = bdaddr_src_type(hcon);
8126 chan->dst_type = dst_type;
8127
8128 __l2cap_chan_add(conn, chan);
8129 }
8130
8131 l2cap_chan_unlock(pchan);
8132next:
8133 next = l2cap_global_fixed_chan(pchan, hcon);
8134 l2cap_chan_put(pchan);
8135 pchan = next;
8136 }
8137
8138 l2cap_conn_ready(conn);
8139}
8140
8141int l2cap_disconn_ind(struct hci_conn *hcon)
8142{
8143 struct l2cap_conn *conn = hcon->l2cap_data;
8144
8145 BT_DBG("hcon %p", hcon);
8146
8147 if (!conn)
8148 return HCI_ERROR_REMOTE_USER_TERM;
8149 return conn->disc_reason;
8150}
8151
8152static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
8153{
8154 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8155 return;
8156
8157 BT_DBG("hcon %p reason %d", hcon, reason);
8158
8159 l2cap_conn_del(hcon, bt_to_errno(reason));
8160}
8161
8162static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
8163{
8164 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
8165 return;
8166
8167 if (encrypt == 0x00) {
8168 if (chan->sec_level == BT_SECURITY_MEDIUM) {
8169 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
8170 } else if (chan->sec_level == BT_SECURITY_HIGH ||
8171 chan->sec_level == BT_SECURITY_FIPS)
8172 l2cap_chan_close(chan, ECONNREFUSED);
8173 } else {
8174 if (chan->sec_level == BT_SECURITY_MEDIUM)
8175 __clear_chan_timer(chan);
8176 }
8177}
8178
8179static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
8180{
8181 struct l2cap_conn *conn = hcon->l2cap_data;
8182 struct l2cap_chan *chan;
8183
8184 if (!conn)
8185 return;
8186
8187 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
8188
8189 mutex_lock(&conn->chan_lock);
8190
8191 list_for_each_entry(chan, &conn->chan_l, list) {
8192 l2cap_chan_lock(chan);
8193
8194 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
8195 state_to_string(chan->state));
8196
8197 if (chan->scid == L2CAP_CID_A2MP) {
8198 l2cap_chan_unlock(chan);
8199 continue;
8200 }
8201
8202 if (!status && encrypt)
8203 chan->sec_level = hcon->sec_level;
8204
8205 if (!__l2cap_no_conn_pending(chan)) {
8206 l2cap_chan_unlock(chan);
8207 continue;
8208 }
8209
8210 if (!status && (chan->state == BT_CONNECTED ||
8211 chan->state == BT_CONFIG)) {
8212 chan->ops->resume(chan);
8213 l2cap_check_encryption(chan, encrypt);
8214 l2cap_chan_unlock(chan);
8215 continue;
8216 }
8217
8218 if (chan->state == BT_CONNECT) {
8219 if (!status && l2cap_check_enc_key_size(hcon))
8220 l2cap_start_connection(chan);
8221 else
8222 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8223 } else if (chan->state == BT_CONNECT2 &&
8224 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8225 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
8226 struct l2cap_conn_rsp rsp;
8227 __u16 res, stat;
8228
8229 if (!status && l2cap_check_enc_key_size(hcon)) {
8230 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
8231 res = L2CAP_CR_PEND;
8232 stat = L2CAP_CS_AUTHOR_PEND;
8233 chan->ops->defer(chan);
8234 } else {
8235 l2cap_state_change(chan, BT_CONFIG);
8236 res = L2CAP_CR_SUCCESS;
8237 stat = L2CAP_CS_NO_INFO;
8238 }
8239 } else {
8240 l2cap_state_change(chan, BT_DISCONN);
8241 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8242 res = L2CAP_CR_SEC_BLOCK;
8243 stat = L2CAP_CS_NO_INFO;
8244 }
8245
8246 rsp.scid = cpu_to_le16(chan->dcid);
8247 rsp.dcid = cpu_to_le16(chan->scid);
8248 rsp.result = cpu_to_le16(res);
8249 rsp.status = cpu_to_le16(stat);
8250 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
8251 sizeof(rsp), &rsp);
8252
8253 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
8254 res == L2CAP_CR_SUCCESS) {
8255 char buf[128];
8256 set_bit(CONF_REQ_SENT, &chan->conf_state);
8257 l2cap_send_cmd(conn, l2cap_get_ident(conn),
8258 L2CAP_CONF_REQ,
8259 l2cap_build_conf_req(chan, buf, sizeof(buf)),
8260 buf);
8261 chan->num_conf_req++;
8262 }
8263 }
8264
8265 l2cap_chan_unlock(chan);
8266 }
8267
8268 mutex_unlock(&conn->chan_lock);
8269}
8270
8271void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
8272{
8273 struct l2cap_conn *conn = hcon->l2cap_data;
8274 struct l2cap_hdr *hdr;
8275 int len;
8276
8277
8278 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
8279 goto drop;
8280
8281 if (!conn)
8282 conn = l2cap_conn_add(hcon);
8283
8284 if (!conn)
8285 goto drop;
8286
8287 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
8288
8289 switch (flags) {
8290 case ACL_START:
8291 case ACL_START_NO_FLUSH:
8292 case ACL_COMPLETE:
8293 if (conn->rx_len) {
8294 BT_ERR("Unexpected start frame (len %d)", skb->len);
8295 kfree_skb(conn->rx_skb);
8296 conn->rx_skb = NULL;
8297 conn->rx_len = 0;
8298 l2cap_conn_unreliable(conn, ECOMM);
8299 }
8300
8301
8302 if (skb->len < L2CAP_HDR_SIZE) {
8303 BT_ERR("Frame is too short (len %d)", skb->len);
8304 l2cap_conn_unreliable(conn, ECOMM);
8305 goto drop;
8306 }
8307
8308 hdr = (struct l2cap_hdr *) skb->data;
8309 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
8310
8311 if (len == skb->len) {
8312
8313 l2cap_recv_frame(conn, skb);
8314 return;
8315 }
8316
8317 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
8318
8319 if (skb->len > len) {
8320 BT_ERR("Frame is too long (len %d, expected len %d)",
8321 skb->len, len);
8322 l2cap_conn_unreliable(conn, ECOMM);
8323 goto drop;
8324 }
8325
8326
8327 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
8328 if (!conn->rx_skb)
8329 goto drop;
8330
8331 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8332 skb->len);
8333 conn->rx_len = len - skb->len;
8334 break;
8335
8336 case ACL_CONT:
8337 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
8338
8339 if (!conn->rx_len) {
8340 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
8341 l2cap_conn_unreliable(conn, ECOMM);
8342 goto drop;
8343 }
8344
8345 if (skb->len > conn->rx_len) {
8346 BT_ERR("Fragment is too long (len %d, expected %d)",
8347 skb->len, conn->rx_len);
8348 kfree_skb(conn->rx_skb);
8349 conn->rx_skb = NULL;
8350 conn->rx_len = 0;
8351 l2cap_conn_unreliable(conn, ECOMM);
8352 goto drop;
8353 }
8354
8355 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8356 skb->len);
8357 conn->rx_len -= skb->len;
8358
8359 if (!conn->rx_len) {
8360
8361
8362
8363
8364 struct sk_buff *rx_skb = conn->rx_skb;
8365 conn->rx_skb = NULL;
8366 l2cap_recv_frame(conn, rx_skb);
8367 }
8368 break;
8369 }
8370
8371drop:
8372 kfree_skb(skb);
8373}
8374
8375static struct hci_cb l2cap_cb = {
8376 .name = "L2CAP",
8377 .connect_cfm = l2cap_connect_cfm,
8378 .disconn_cfm = l2cap_disconn_cfm,
8379 .security_cfm = l2cap_security_cfm,
8380};
8381
8382static int l2cap_debugfs_show(struct seq_file *f, void *p)
8383{
8384 struct l2cap_chan *c;
8385
8386 read_lock(&chan_list_lock);
8387
8388 list_for_each_entry(c, &chan_list, global_l) {
8389 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
8390 &c->src, c->src_type, &c->dst, c->dst_type,
8391 c->state, __le16_to_cpu(c->psm),
8392 c->scid, c->dcid, c->imtu, c->omtu,
8393 c->sec_level, c->mode);
8394 }
8395
8396 read_unlock(&chan_list_lock);
8397
8398 return 0;
8399}
8400
8401DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
8402
8403static struct dentry *l2cap_debugfs;
8404
8405int __init l2cap_init(void)
8406{
8407 int err;
8408
8409 err = l2cap_init_sockets();
8410 if (err < 0)
8411 return err;
8412
8413 hci_register_cb(&l2cap_cb);
8414
8415 if (IS_ERR_OR_NULL(bt_debugfs))
8416 return 0;
8417
8418 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
8419 NULL, &l2cap_debugfs_fops);
8420
8421 return 0;
8422}
8423
8424void l2cap_exit(void)
8425{
8426 debugfs_remove(l2cap_debugfs);
8427 hci_unregister_cb(&l2cap_cb);
8428 l2cap_cleanup_sockets();
8429}
8430
8431module_param(disable_ertm, bool, 0644);
8432MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8433
8434module_param(enable_ecred, bool, 0644);
8435MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
8436
