1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31#include <linux/module.h>
32
33#include <linux/debugfs.h>
34#include <linux/crc16.h>
35#include <linux/filter.h>
36
37#include <net/bluetooth/bluetooth.h>
38#include <net/bluetooth/hci_core.h>
39#include <net/bluetooth/l2cap.h>
40
41#include "smp.h"
42#include "a2mp.h"
43#include "amp.h"
44
45#define LE_FLOWCTL_MAX_CREDITS 65535
46
47bool disable_ertm;
48bool enable_ecred;
49
50static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51
52static LIST_HEAD(chan_list);
53static DEFINE_RWLOCK(chan_list_lock);
54
55static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
56 u8 code, u8 ident, u16 dlen, void *data);
57static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
58 void *data);
59static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
60static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
61
62static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
63 struct sk_buff_head *skbs, u8 event);
64
65static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
66{
67 if (link_type == LE_LINK) {
68 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
69 return BDADDR_LE_PUBLIC;
70 else
71 return BDADDR_LE_RANDOM;
72 }
73
74 return BDADDR_BREDR;
75}
76
77static inline u8 bdaddr_src_type(struct hci_conn *hcon)
78{
79 return bdaddr_type(hcon->type, hcon->src_type);
80}
81
82static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
83{
84 return bdaddr_type(hcon->type, hcon->dst_type);
85}
86
87
88
89static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
90 u16 cid)
91{
92 struct l2cap_chan *c;
93
94 list_for_each_entry(c, &conn->chan_l, list) {
95 if (c->dcid == cid)
96 return c;
97 }
98 return NULL;
99}
100
101static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
102 u16 cid)
103{
104 struct l2cap_chan *c;
105
106 list_for_each_entry(c, &conn->chan_l, list) {
107 if (c->scid == cid)
108 return c;
109 }
110 return NULL;
111}
112
113
114
115static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
116 u16 cid)
117{
118 struct l2cap_chan *c;
119
120 mutex_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
122 if (c)
123 l2cap_chan_lock(c);
124 mutex_unlock(&conn->chan_lock);
125
126 return c;
127}
128
129
130
131
132static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
133 u16 cid)
134{
135 struct l2cap_chan *c;
136
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_dcid(conn, cid);
139 if (c)
140 l2cap_chan_lock(c);
141 mutex_unlock(&conn->chan_lock);
142
143 return c;
144}
145
146static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
147 u8 ident)
148{
149 struct l2cap_chan *c;
150
151 list_for_each_entry(c, &conn->chan_l, list) {
152 if (c->ident == ident)
153 return c;
154 }
155 return NULL;
156}
157
158static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
159 u8 ident)
160{
161 struct l2cap_chan *c;
162
163 mutex_lock(&conn->chan_lock);
164 c = __l2cap_get_chan_by_ident(conn, ident);
165 if (c)
166 l2cap_chan_lock(c);
167 mutex_unlock(&conn->chan_lock);
168
169 return c;
170}
171
172static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
173 u8 src_type)
174{
175 struct l2cap_chan *c;
176
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
179 continue;
180
181 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
182 continue;
183
184 if (c->sport == psm && !bacmp(&c->src, src))
185 return c;
186 }
187 return NULL;
188}
189
190int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
191{
192 int err;
193
194 write_lock(&chan_list_lock);
195
196 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
197 err = -EADDRINUSE;
198 goto done;
199 }
200
201 if (psm) {
202 chan->psm = psm;
203 chan->sport = psm;
204 err = 0;
205 } else {
206 u16 p, start, end, incr;
207
208 if (chan->src_type == BDADDR_BREDR) {
209 start = L2CAP_PSM_DYN_START;
210 end = L2CAP_PSM_AUTO_END;
211 incr = 2;
212 } else {
213 start = L2CAP_PSM_LE_DYN_START;
214 end = L2CAP_PSM_LE_DYN_END;
215 incr = 1;
216 }
217
218 err = -EINVAL;
219 for (p = start; p <= end; p += incr)
220 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
221 chan->src_type)) {
222 chan->psm = cpu_to_le16(p);
223 chan->sport = cpu_to_le16(p);
224 err = 0;
225 break;
226 }
227 }
228
229done:
230 write_unlock(&chan_list_lock);
231 return err;
232}
233EXPORT_SYMBOL_GPL(l2cap_add_psm);
234
235int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
236{
237 write_lock(&chan_list_lock);
238
239
240 chan->omtu = L2CAP_DEFAULT_MTU;
241 chan->chan_type = L2CAP_CHAN_FIXED;
242
243 chan->scid = scid;
244
245 write_unlock(&chan_list_lock);
246
247 return 0;
248}
249
250static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
251{
252 u16 cid, dyn_end;
253
254 if (conn->hcon->type == LE_LINK)
255 dyn_end = L2CAP_CID_LE_DYN_END;
256 else
257 dyn_end = L2CAP_CID_DYN_END;
258
259 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
260 if (!__l2cap_get_chan_by_scid(conn, cid))
261 return cid;
262 }
263
264 return 0;
265}
266
267static void l2cap_state_change(struct l2cap_chan *chan, int state)
268{
269 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
270 state_to_string(state));
271
272 chan->state = state;
273 chan->ops->state_change(chan, state, 0);
274}
275
276static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
277 int state, int err)
278{
279 chan->state = state;
280 chan->ops->state_change(chan, chan->state, err);
281}
282
283static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
284{
285 chan->ops->state_change(chan, chan->state, err);
286}
287
288static void __set_retrans_timer(struct l2cap_chan *chan)
289{
290 if (!delayed_work_pending(&chan->monitor_timer) &&
291 chan->retrans_timeout) {
292 l2cap_set_timer(chan, &chan->retrans_timer,
293 msecs_to_jiffies(chan->retrans_timeout));
294 }
295}
296
297static void __set_monitor_timer(struct l2cap_chan *chan)
298{
299 __clear_retrans_timer(chan);
300 if (chan->monitor_timeout) {
301 l2cap_set_timer(chan, &chan->monitor_timer,
302 msecs_to_jiffies(chan->monitor_timeout));
303 }
304}
305
306static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
307 u16 seq)
308{
309 struct sk_buff *skb;
310
311 skb_queue_walk(head, skb) {
312 if (bt_cb(skb)->l2cap.txseq == seq)
313 return skb;
314 }
315
316 return NULL;
317}
318
319
320
321
322
323
324
325
326
327
328
329
330static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
331{
332 size_t alloc_size, i;
333
334
335
336
337
338 alloc_size = roundup_pow_of_two(size);
339
340 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
341 if (!seq_list->list)
342 return -ENOMEM;
343
344 seq_list->mask = alloc_size - 1;
345 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
346 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
347 for (i = 0; i < alloc_size; i++)
348 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
349
350 return 0;
351}
352
353static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
354{
355 kfree(seq_list->list);
356}
357
358static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
359 u16 seq)
360{
361
362 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
363}
364
365static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
366{
367 u16 seq = seq_list->head;
368 u16 mask = seq_list->mask;
369
370 seq_list->head = seq_list->list[seq & mask];
371 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
372
373 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
376 }
377
378 return seq;
379}
380
381static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
382{
383 u16 i;
384
385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
386 return;
387
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
390
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
393}
394
395static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
396{
397 u16 mask = seq_list->mask;
398
399
400
401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
402 return;
403
404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
406 else
407 seq_list->list[seq_list->tail & mask] = seq;
408
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
411}
412
413static void l2cap_chan_timeout(struct work_struct *work)
414{
415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
416 chan_timer.work);
417 struct l2cap_conn *conn = chan->conn;
418 int reason;
419
420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
421
422 mutex_lock(&conn->chan_lock);
423
424
425
426 l2cap_chan_lock(chan);
427
428 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
429 reason = ECONNREFUSED;
430 else if (chan->state == BT_CONNECT &&
431 chan->sec_level != BT_SECURITY_SDP)
432 reason = ECONNREFUSED;
433 else
434 reason = ETIMEDOUT;
435
436 l2cap_chan_close(chan, reason);
437
438 chan->ops->close(chan);
439
440 l2cap_chan_unlock(chan);
441 l2cap_chan_put(chan);
442
443 mutex_unlock(&conn->chan_lock);
444}
445
446struct l2cap_chan *l2cap_chan_create(void)
447{
448 struct l2cap_chan *chan;
449
450 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
451 if (!chan)
452 return NULL;
453
454 mutex_init(&chan->lock);
455
456
457 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
458
459 write_lock(&chan_list_lock);
460 list_add(&chan->global_l, &chan_list);
461 write_unlock(&chan_list_lock);
462
463 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
464
465 chan->state = BT_OPEN;
466
467 kref_init(&chan->kref);
468
469
470 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
471
472 BT_DBG("chan %p", chan);
473
474 return chan;
475}
476EXPORT_SYMBOL_GPL(l2cap_chan_create);
477
478static void l2cap_chan_destroy(struct kref *kref)
479{
480 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
481
482 BT_DBG("chan %p", chan);
483
484 write_lock(&chan_list_lock);
485 list_del(&chan->global_l);
486 write_unlock(&chan_list_lock);
487
488 kfree(chan);
489}
490
491void l2cap_chan_hold(struct l2cap_chan *c)
492{
493 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
494
495 kref_get(&c->kref);
496}
497
498void l2cap_chan_put(struct l2cap_chan *c)
499{
500 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
501
502 kref_put(&c->kref, l2cap_chan_destroy);
503}
504EXPORT_SYMBOL_GPL(l2cap_chan_put);
505
506void l2cap_chan_set_defaults(struct l2cap_chan *chan)
507{
508 chan->fcs = L2CAP_FCS_CRC16;
509 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
510 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
511 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
512 chan->remote_max_tx = chan->max_tx;
513 chan->remote_tx_win = chan->tx_win;
514 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
515 chan->sec_level = BT_SECURITY_LOW;
516 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
517 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
518 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
519 chan->conf_state = 0;
520
521 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
522}
523EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
524
525static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
526{
527 chan->sdu = NULL;
528 chan->sdu_last_frag = NULL;
529 chan->sdu_len = 0;
530 chan->tx_credits = tx_credits;
531
532 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
533
534 chan->rx_credits = (chan->imtu / chan->mps) + 1;
535
536 skb_queue_head_init(&chan->tx_q);
537}
538
539static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
540{
541 l2cap_le_flowctl_init(chan, tx_credits);
542
543
544 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
545 chan->mps = L2CAP_ECRED_MIN_MPS;
546 chan->rx_credits = (chan->imtu / chan->mps) + 1;
547 }
548}
549
550void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
551{
552 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
553 __le16_to_cpu(chan->psm), chan->dcid);
554
555 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
556
557 chan->conn = conn;
558
559 switch (chan->chan_type) {
560 case L2CAP_CHAN_CONN_ORIENTED:
561
562 chan->scid = l2cap_alloc_cid(conn);
563 if (conn->hcon->type == ACL_LINK)
564 chan->omtu = L2CAP_DEFAULT_MTU;
565 break;
566
567 case L2CAP_CHAN_CONN_LESS:
568
569 chan->scid = L2CAP_CID_CONN_LESS;
570 chan->dcid = L2CAP_CID_CONN_LESS;
571 chan->omtu = L2CAP_DEFAULT_MTU;
572 break;
573
574 case L2CAP_CHAN_FIXED:
575
576 break;
577
578 default:
579
580 chan->scid = L2CAP_CID_SIGNALING;
581 chan->dcid = L2CAP_CID_SIGNALING;
582 chan->omtu = L2CAP_DEFAULT_MTU;
583 }
584
585 chan->local_id = L2CAP_BESTEFFORT_ID;
586 chan->local_stype = L2CAP_SERV_BESTEFFORT;
587 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
588 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
589 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
590 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
591
592 l2cap_chan_hold(chan);
593
594
595 if (chan->chan_type != L2CAP_CHAN_FIXED ||
596 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
597 hci_conn_hold(conn->hcon);
598
599 list_add(&chan->list, &conn->chan_l);
600}
601
602void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
603{
604 mutex_lock(&conn->chan_lock);
605 __l2cap_chan_add(conn, chan);
606 mutex_unlock(&conn->chan_lock);
607}
608
609void l2cap_chan_del(struct l2cap_chan *chan, int err)
610{
611 struct l2cap_conn *conn = chan->conn;
612
613 __clear_chan_timer(chan);
614
615 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
616 state_to_string(chan->state));
617
618 chan->ops->teardown(chan, err);
619
620 if (conn) {
621 struct amp_mgr *mgr = conn->hcon->amp_mgr;
622
623 list_del(&chan->list);
624
625 l2cap_chan_put(chan);
626
627 chan->conn = NULL;
628
629
630
631
632
633 if (chan->chan_type != L2CAP_CHAN_FIXED ||
634 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
635 hci_conn_drop(conn->hcon);
636
637 if (mgr && mgr->bredr_chan == chan)
638 mgr->bredr_chan = NULL;
639 }
640
641 if (chan->hs_hchan) {
642 struct hci_chan *hs_hchan = chan->hs_hchan;
643
644 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
645 amp_disconnect_logical_link(hs_hchan);
646 }
647
648 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
649 return;
650
651 switch(chan->mode) {
652 case L2CAP_MODE_BASIC:
653 break;
654
655 case L2CAP_MODE_LE_FLOWCTL:
656 case L2CAP_MODE_EXT_FLOWCTL:
657 skb_queue_purge(&chan->tx_q);
658 break;
659
660 case L2CAP_MODE_ERTM:
661 __clear_retrans_timer(chan);
662 __clear_monitor_timer(chan);
663 __clear_ack_timer(chan);
664
665 skb_queue_purge(&chan->srej_q);
666
667 l2cap_seq_list_free(&chan->srej_list);
668 l2cap_seq_list_free(&chan->retrans_list);
669 fallthrough;
670
671 case L2CAP_MODE_STREAMING:
672 skb_queue_purge(&chan->tx_q);
673 break;
674 }
675
676 return;
677}
678EXPORT_SYMBOL_GPL(l2cap_chan_del);
679
680static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
681 void *data)
682{
683 struct l2cap_chan *chan;
684
685 list_for_each_entry(chan, &conn->chan_l, list) {
686 func(chan, data);
687 }
688}
689
690void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
691 void *data)
692{
693 if (!conn)
694 return;
695
696 mutex_lock(&conn->chan_lock);
697 __l2cap_chan_list(conn, func, data);
698 mutex_unlock(&conn->chan_lock);
699}
700
701EXPORT_SYMBOL_GPL(l2cap_chan_list);
702
703static void l2cap_conn_update_id_addr(struct work_struct *work)
704{
705 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
706 id_addr_update_work);
707 struct hci_conn *hcon = conn->hcon;
708 struct l2cap_chan *chan;
709
710 mutex_lock(&conn->chan_lock);
711
712 list_for_each_entry(chan, &conn->chan_l, list) {
713 l2cap_chan_lock(chan);
714 bacpy(&chan->dst, &hcon->dst);
715 chan->dst_type = bdaddr_dst_type(hcon);
716 l2cap_chan_unlock(chan);
717 }
718
719 mutex_unlock(&conn->chan_lock);
720}
721
722static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
723{
724 struct l2cap_conn *conn = chan->conn;
725 struct l2cap_le_conn_rsp rsp;
726 u16 result;
727
728 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
729 result = L2CAP_CR_LE_AUTHORIZATION;
730 else
731 result = L2CAP_CR_LE_BAD_PSM;
732
733 l2cap_state_change(chan, BT_DISCONN);
734
735 rsp.dcid = cpu_to_le16(chan->scid);
736 rsp.mtu = cpu_to_le16(chan->imtu);
737 rsp.mps = cpu_to_le16(chan->mps);
738 rsp.credits = cpu_to_le16(chan->rx_credits);
739 rsp.result = cpu_to_le16(result);
740
741 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
742 &rsp);
743}
744
745static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
746{
747 struct l2cap_conn *conn = chan->conn;
748 struct l2cap_ecred_conn_rsp rsp;
749 u16 result;
750
751 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
752 result = L2CAP_CR_LE_AUTHORIZATION;
753 else
754 result = L2CAP_CR_LE_BAD_PSM;
755
756 l2cap_state_change(chan, BT_DISCONN);
757
758 memset(&rsp, 0, sizeof(rsp));
759
760 rsp.result = cpu_to_le16(result);
761
762 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
763 &rsp);
764}
765
766static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
767{
768 struct l2cap_conn *conn = chan->conn;
769 struct l2cap_conn_rsp rsp;
770 u16 result;
771
772 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
773 result = L2CAP_CR_SEC_BLOCK;
774 else
775 result = L2CAP_CR_BAD_PSM;
776
777 l2cap_state_change(chan, BT_DISCONN);
778
779 rsp.scid = cpu_to_le16(chan->dcid);
780 rsp.dcid = cpu_to_le16(chan->scid);
781 rsp.result = cpu_to_le16(result);
782 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
783
784 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
785}
786
787void l2cap_chan_close(struct l2cap_chan *chan, int reason)
788{
789 struct l2cap_conn *conn = chan->conn;
790
791 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
792
793 switch (chan->state) {
794 case BT_LISTEN:
795 chan->ops->teardown(chan, 0);
796 break;
797
798 case BT_CONNECTED:
799 case BT_CONFIG:
800 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
801 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
802 l2cap_send_disconn_req(chan, reason);
803 } else
804 l2cap_chan_del(chan, reason);
805 break;
806
807 case BT_CONNECT2:
808 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
809 if (conn->hcon->type == ACL_LINK)
810 l2cap_chan_connect_reject(chan);
811 else if (conn->hcon->type == LE_LINK) {
812 switch (chan->mode) {
813 case L2CAP_MODE_LE_FLOWCTL:
814 l2cap_chan_le_connect_reject(chan);
815 break;
816 case L2CAP_MODE_EXT_FLOWCTL:
817 l2cap_chan_ecred_connect_reject(chan);
818 break;
819 }
820 }
821 }
822
823 l2cap_chan_del(chan, reason);
824 break;
825
826 case BT_CONNECT:
827 case BT_DISCONN:
828 l2cap_chan_del(chan, reason);
829 break;
830
831 default:
832 chan->ops->teardown(chan, 0);
833 break;
834 }
835}
836EXPORT_SYMBOL(l2cap_chan_close);
837
838static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
839{
840 switch (chan->chan_type) {
841 case L2CAP_CHAN_RAW:
842 switch (chan->sec_level) {
843 case BT_SECURITY_HIGH:
844 case BT_SECURITY_FIPS:
845 return HCI_AT_DEDICATED_BONDING_MITM;
846 case BT_SECURITY_MEDIUM:
847 return HCI_AT_DEDICATED_BONDING;
848 default:
849 return HCI_AT_NO_BONDING;
850 }
851 break;
852 case L2CAP_CHAN_CONN_LESS:
853 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
854 if (chan->sec_level == BT_SECURITY_LOW)
855 chan->sec_level = BT_SECURITY_SDP;
856 }
857 if (chan->sec_level == BT_SECURITY_HIGH ||
858 chan->sec_level == BT_SECURITY_FIPS)
859 return HCI_AT_NO_BONDING_MITM;
860 else
861 return HCI_AT_NO_BONDING;
862 break;
863 case L2CAP_CHAN_CONN_ORIENTED:
864 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
865 if (chan->sec_level == BT_SECURITY_LOW)
866 chan->sec_level = BT_SECURITY_SDP;
867
868 if (chan->sec_level == BT_SECURITY_HIGH ||
869 chan->sec_level == BT_SECURITY_FIPS)
870 return HCI_AT_NO_BONDING_MITM;
871 else
872 return HCI_AT_NO_BONDING;
873 }
874 fallthrough;
875
876 default:
877 switch (chan->sec_level) {
878 case BT_SECURITY_HIGH:
879 case BT_SECURITY_FIPS:
880 return HCI_AT_GENERAL_BONDING_MITM;
881 case BT_SECURITY_MEDIUM:
882 return HCI_AT_GENERAL_BONDING;
883 default:
884 return HCI_AT_NO_BONDING;
885 }
886 break;
887 }
888}
889
890
891int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
892{
893 struct l2cap_conn *conn = chan->conn;
894 __u8 auth_type;
895
896 if (conn->hcon->type == LE_LINK)
897 return smp_conn_security(conn->hcon, chan->sec_level);
898
899 auth_type = l2cap_get_auth_type(chan);
900
901 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
902 initiator);
903}
904
905static u8 l2cap_get_ident(struct l2cap_conn *conn)
906{
907 u8 id;
908
909
910
911
912
913
914
915 mutex_lock(&conn->ident_lock);
916
917 if (++conn->tx_ident > 128)
918 conn->tx_ident = 1;
919
920 id = conn->tx_ident;
921
922 mutex_unlock(&conn->ident_lock);
923
924 return id;
925}
926
927static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
928 void *data)
929{
930 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
931 u8 flags;
932
933 BT_DBG("code 0x%2.2x", code);
934
935 if (!skb)
936 return;
937
938
939
940 if (lmp_no_flush_capable(conn->hcon->hdev) ||
941 conn->hcon->type == LE_LINK)
942 flags = ACL_START_NO_FLUSH;
943 else
944 flags = ACL_START;
945
946 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
947 skb->priority = HCI_PRIO_MAX;
948
949 hci_send_acl(conn->hchan, skb, flags);
950}
951
952static bool __chan_is_moving(struct l2cap_chan *chan)
953{
954 return chan->move_state != L2CAP_MOVE_STABLE &&
955 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
956}
957
958static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
959{
960 struct hci_conn *hcon = chan->conn->hcon;
961 u16 flags;
962
963 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
964 skb->priority);
965
966 if (chan->hs_hcon && !__chan_is_moving(chan)) {
967 if (chan->hs_hchan)
968 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
969 else
970 kfree_skb(skb);
971
972 return;
973 }
974
975
976
977
978
979 if (hcon->type == LE_LINK ||
980 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
981 lmp_no_flush_capable(hcon->hdev)))
982 flags = ACL_START_NO_FLUSH;
983 else
984 flags = ACL_START;
985
986 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
987 hci_send_acl(chan->conn->hchan, skb, flags);
988}
989
990static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
991{
992 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
993 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
994
995 if (enh & L2CAP_CTRL_FRAME_TYPE) {
996
997 control->sframe = 1;
998 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
999 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1000
1001 control->sar = 0;
1002 control->txseq = 0;
1003 } else {
1004
1005 control->sframe = 0;
1006 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1007 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1008
1009 control->poll = 0;
1010 control->super = 0;
1011 }
1012}
1013
1014static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1015{
1016 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1017 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1018
1019 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1020
1021 control->sframe = 1;
1022 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1023 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1024
1025 control->sar = 0;
1026 control->txseq = 0;
1027 } else {
1028
1029 control->sframe = 0;
1030 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1031 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1032
1033 control->poll = 0;
1034 control->super = 0;
1035 }
1036}
1037
1038static inline void __unpack_control(struct l2cap_chan *chan,
1039 struct sk_buff *skb)
1040{
1041 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1042 __unpack_extended_control(get_unaligned_le32(skb->data),
1043 &bt_cb(skb)->l2cap);
1044 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1045 } else {
1046 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1047 &bt_cb(skb)->l2cap);
1048 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1049 }
1050}
1051
1052static u32 __pack_extended_control(struct l2cap_ctrl *control)
1053{
1054 u32 packed;
1055
1056 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1057 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1058
1059 if (control->sframe) {
1060 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1061 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1062 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1063 } else {
1064 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1065 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1066 }
1067
1068 return packed;
1069}
1070
1071static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1072{
1073 u16 packed;
1074
1075 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1076 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1077
1078 if (control->sframe) {
1079 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1080 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1081 packed |= L2CAP_CTRL_FRAME_TYPE;
1082 } else {
1083 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1084 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1085 }
1086
1087 return packed;
1088}
1089
1090static inline void __pack_control(struct l2cap_chan *chan,
1091 struct l2cap_ctrl *control,
1092 struct sk_buff *skb)
1093{
1094 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1095 put_unaligned_le32(__pack_extended_control(control),
1096 skb->data + L2CAP_HDR_SIZE);
1097 } else {
1098 put_unaligned_le16(__pack_enhanced_control(control),
1099 skb->data + L2CAP_HDR_SIZE);
1100 }
1101}
1102
1103static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1104{
1105 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1106 return L2CAP_EXT_HDR_SIZE;
1107 else
1108 return L2CAP_ENH_HDR_SIZE;
1109}
1110
1111static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1112 u32 control)
1113{
1114 struct sk_buff *skb;
1115 struct l2cap_hdr *lh;
1116 int hlen = __ertm_hdr_size(chan);
1117
1118 if (chan->fcs == L2CAP_FCS_CRC16)
1119 hlen += L2CAP_FCS_SIZE;
1120
1121 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1122
1123 if (!skb)
1124 return ERR_PTR(-ENOMEM);
1125
1126 lh = skb_put(skb, L2CAP_HDR_SIZE);
1127 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1128 lh->cid = cpu_to_le16(chan->dcid);
1129
1130 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1131 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1132 else
1133 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1134
1135 if (chan->fcs == L2CAP_FCS_CRC16) {
1136 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1137 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1138 }
1139
1140 skb->priority = HCI_PRIO_MAX;
1141 return skb;
1142}
1143
1144static void l2cap_send_sframe(struct l2cap_chan *chan,
1145 struct l2cap_ctrl *control)
1146{
1147 struct sk_buff *skb;
1148 u32 control_field;
1149
1150 BT_DBG("chan %p, control %p", chan, control);
1151
1152 if (!control->sframe)
1153 return;
1154
1155 if (__chan_is_moving(chan))
1156 return;
1157
1158 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1159 !control->poll)
1160 control->final = 1;
1161
1162 if (control->super == L2CAP_SUPER_RR)
1163 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1164 else if (control->super == L2CAP_SUPER_RNR)
1165 set_bit(CONN_RNR_SENT, &chan->conn_state);
1166
1167 if (control->super != L2CAP_SUPER_SREJ) {
1168 chan->last_acked_seq = control->reqseq;
1169 __clear_ack_timer(chan);
1170 }
1171
1172 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1173 control->final, control->poll, control->super);
1174
1175 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1176 control_field = __pack_extended_control(control);
1177 else
1178 control_field = __pack_enhanced_control(control);
1179
1180 skb = l2cap_create_sframe_pdu(chan, control_field);
1181 if (!IS_ERR(skb))
1182 l2cap_do_send(chan, skb);
1183}
1184
1185static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1186{
1187 struct l2cap_ctrl control;
1188
1189 BT_DBG("chan %p, poll %d", chan, poll);
1190
1191 memset(&control, 0, sizeof(control));
1192 control.sframe = 1;
1193 control.poll = poll;
1194
1195 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1196 control.super = L2CAP_SUPER_RNR;
1197 else
1198 control.super = L2CAP_SUPER_RR;
1199
1200 control.reqseq = chan->buffer_seq;
1201 l2cap_send_sframe(chan, &control);
1202}
1203
1204static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1205{
1206 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1207 return true;
1208
1209 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1210}
1211
1212static bool __amp_capable(struct l2cap_chan *chan)
1213{
1214 struct l2cap_conn *conn = chan->conn;
1215 struct hci_dev *hdev;
1216 bool amp_available = false;
1217
1218 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1219 return false;
1220
1221 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1222 return false;
1223
1224 read_lock(&hci_dev_list_lock);
1225 list_for_each_entry(hdev, &hci_dev_list, list) {
1226 if (hdev->amp_type != AMP_TYPE_BREDR &&
1227 test_bit(HCI_UP, &hdev->flags)) {
1228 amp_available = true;
1229 break;
1230 }
1231 }
1232 read_unlock(&hci_dev_list_lock);
1233
1234 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1235 return amp_available;
1236
1237 return false;
1238}
1239
1240static bool l2cap_check_efs(struct l2cap_chan *chan)
1241{
1242
1243 return true;
1244}
1245
1246void l2cap_send_conn_req(struct l2cap_chan *chan)
1247{
1248 struct l2cap_conn *conn = chan->conn;
1249 struct l2cap_conn_req req;
1250
1251 req.scid = cpu_to_le16(chan->scid);
1252 req.psm = chan->psm;
1253
1254 chan->ident = l2cap_get_ident(conn);
1255
1256 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1257
1258 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1259}
1260
1261static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1262{
1263 struct l2cap_create_chan_req req;
1264 req.scid = cpu_to_le16(chan->scid);
1265 req.psm = chan->psm;
1266 req.amp_id = amp_id;
1267
1268 chan->ident = l2cap_get_ident(chan->conn);
1269
1270 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1271 sizeof(req), &req);
1272}
1273
1274static void l2cap_move_setup(struct l2cap_chan *chan)
1275{
1276 struct sk_buff *skb;
1277
1278 BT_DBG("chan %p", chan);
1279
1280 if (chan->mode != L2CAP_MODE_ERTM)
1281 return;
1282
1283 __clear_retrans_timer(chan);
1284 __clear_monitor_timer(chan);
1285 __clear_ack_timer(chan);
1286
1287 chan->retry_count = 0;
1288 skb_queue_walk(&chan->tx_q, skb) {
1289 if (bt_cb(skb)->l2cap.retries)
1290 bt_cb(skb)->l2cap.retries = 1;
1291 else
1292 break;
1293 }
1294
1295 chan->expected_tx_seq = chan->buffer_seq;
1296
1297 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1298 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1299 l2cap_seq_list_clear(&chan->retrans_list);
1300 l2cap_seq_list_clear(&chan->srej_list);
1301 skb_queue_purge(&chan->srej_q);
1302
1303 chan->tx_state = L2CAP_TX_STATE_XMIT;
1304 chan->rx_state = L2CAP_RX_STATE_MOVE;
1305
1306 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1307}
1308
1309static void l2cap_move_done(struct l2cap_chan *chan)
1310{
1311 u8 move_role = chan->move_role;
1312 BT_DBG("chan %p", chan);
1313
1314 chan->move_state = L2CAP_MOVE_STABLE;
1315 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1316
1317 if (chan->mode != L2CAP_MODE_ERTM)
1318 return;
1319
1320 switch (move_role) {
1321 case L2CAP_MOVE_ROLE_INITIATOR:
1322 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1323 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1324 break;
1325 case L2CAP_MOVE_ROLE_RESPONDER:
1326 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1327 break;
1328 }
1329}
1330
1331static void l2cap_chan_ready(struct l2cap_chan *chan)
1332{
1333
1334
1335
1336
1337 if (chan->state == BT_CONNECTED)
1338 return;
1339
1340
1341 chan->conf_state = 0;
1342 __clear_chan_timer(chan);
1343
1344 switch (chan->mode) {
1345 case L2CAP_MODE_LE_FLOWCTL:
1346 case L2CAP_MODE_EXT_FLOWCTL:
1347 if (!chan->tx_credits)
1348 chan->ops->suspend(chan);
1349 break;
1350 }
1351
1352 chan->state = BT_CONNECTED;
1353
1354 chan->ops->ready(chan);
1355}
1356
1357static void l2cap_le_connect(struct l2cap_chan *chan)
1358{
1359 struct l2cap_conn *conn = chan->conn;
1360 struct l2cap_le_conn_req req;
1361
1362 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1363 return;
1364
1365 if (!chan->imtu)
1366 chan->imtu = chan->conn->mtu;
1367
1368 l2cap_le_flowctl_init(chan, 0);
1369
1370 req.psm = chan->psm;
1371 req.scid = cpu_to_le16(chan->scid);
1372 req.mtu = cpu_to_le16(chan->imtu);
1373 req.mps = cpu_to_le16(chan->mps);
1374 req.credits = cpu_to_le16(chan->rx_credits);
1375
1376 chan->ident = l2cap_get_ident(conn);
1377
1378 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1379 sizeof(req), &req);
1380}
1381
1382struct l2cap_ecred_conn_data {
1383 struct {
1384 struct l2cap_ecred_conn_req req;
1385 __le16 scid[5];
1386 } __packed pdu;
1387 struct l2cap_chan *chan;
1388 struct pid *pid;
1389 int count;
1390};
1391
1392static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1393{
1394 struct l2cap_ecred_conn_data *conn = data;
1395 struct pid *pid;
1396
1397 if (chan == conn->chan)
1398 return;
1399
1400 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1401 return;
1402
1403 pid = chan->ops->get_peer_pid(chan);
1404
1405
1406 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1407 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1408 return;
1409
1410 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1411 return;
1412
1413 l2cap_ecred_init(chan, 0);
1414
1415
1416 chan->ident = conn->chan->ident;
1417
1418
1419 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1420
1421 conn->count++;
1422}
1423
1424static void l2cap_ecred_connect(struct l2cap_chan *chan)
1425{
1426 struct l2cap_conn *conn = chan->conn;
1427 struct l2cap_ecred_conn_data data;
1428
1429 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1430 return;
1431
1432 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1433 return;
1434
1435 l2cap_ecred_init(chan, 0);
1436
1437 data.pdu.req.psm = chan->psm;
1438 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1439 data.pdu.req.mps = cpu_to_le16(chan->mps);
1440 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1441 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1442
1443 chan->ident = l2cap_get_ident(conn);
1444 data.pid = chan->ops->get_peer_pid(chan);
1445
1446 data.count = 1;
1447 data.chan = chan;
1448 data.pid = chan->ops->get_peer_pid(chan);
1449
1450 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1451
1452 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1453 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1454 &data.pdu);
1455}
1456
1457static void l2cap_le_start(struct l2cap_chan *chan)
1458{
1459 struct l2cap_conn *conn = chan->conn;
1460
1461 if (!smp_conn_security(conn->hcon, chan->sec_level))
1462 return;
1463
1464 if (!chan->psm) {
1465 l2cap_chan_ready(chan);
1466 return;
1467 }
1468
1469 if (chan->state == BT_CONNECT) {
1470 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1471 l2cap_ecred_connect(chan);
1472 else
1473 l2cap_le_connect(chan);
1474 }
1475}
1476
1477static void l2cap_start_connection(struct l2cap_chan *chan)
1478{
1479 if (__amp_capable(chan)) {
1480 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1481 a2mp_discover_amp(chan);
1482 } else if (chan->conn->hcon->type == LE_LINK) {
1483 l2cap_le_start(chan);
1484 } else {
1485 l2cap_send_conn_req(chan);
1486 }
1487}
1488
1489static void l2cap_request_info(struct l2cap_conn *conn)
1490{
1491 struct l2cap_info_req req;
1492
1493 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1494 return;
1495
1496 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1497
1498 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1499 conn->info_ident = l2cap_get_ident(conn);
1500
1501 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1502
1503 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1504 sizeof(req), &req);
1505}
1506
1507static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1508{
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1519 hcon->enc_key_size >= hcon->hdev->min_enc_key_size);
1520}
1521
1522static void l2cap_do_start(struct l2cap_chan *chan)
1523{
1524 struct l2cap_conn *conn = chan->conn;
1525
1526 if (conn->hcon->type == LE_LINK) {
1527 l2cap_le_start(chan);
1528 return;
1529 }
1530
1531 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1532 l2cap_request_info(conn);
1533 return;
1534 }
1535
1536 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1537 return;
1538
1539 if (!l2cap_chan_check_security(chan, true) ||
1540 !__l2cap_no_conn_pending(chan))
1541 return;
1542
1543 if (l2cap_check_enc_key_size(conn->hcon))
1544 l2cap_start_connection(chan);
1545 else
1546 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1547}
1548
1549static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1550{
1551 u32 local_feat_mask = l2cap_feat_mask;
1552 if (!disable_ertm)
1553 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1554
1555 switch (mode) {
1556 case L2CAP_MODE_ERTM:
1557 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1558 case L2CAP_MODE_STREAMING:
1559 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1560 default:
1561 return 0x00;
1562 }
1563}
1564
1565static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1566{
1567 struct l2cap_conn *conn = chan->conn;
1568 struct l2cap_disconn_req req;
1569
1570 if (!conn)
1571 return;
1572
1573 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1574 __clear_retrans_timer(chan);
1575 __clear_monitor_timer(chan);
1576 __clear_ack_timer(chan);
1577 }
1578
1579 if (chan->scid == L2CAP_CID_A2MP) {
1580 l2cap_state_change(chan, BT_DISCONN);
1581 return;
1582 }
1583
1584 req.dcid = cpu_to_le16(chan->dcid);
1585 req.scid = cpu_to_le16(chan->scid);
1586 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1587 sizeof(req), &req);
1588
1589 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1590}
1591
1592
1593static void l2cap_conn_start(struct l2cap_conn *conn)
1594{
1595 struct l2cap_chan *chan, *tmp;
1596
1597 BT_DBG("conn %p", conn);
1598
1599 mutex_lock(&conn->chan_lock);
1600
1601 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1602 l2cap_chan_lock(chan);
1603
1604 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1605 l2cap_chan_ready(chan);
1606 l2cap_chan_unlock(chan);
1607 continue;
1608 }
1609
1610 if (chan->state == BT_CONNECT) {
1611 if (!l2cap_chan_check_security(chan, true) ||
1612 !__l2cap_no_conn_pending(chan)) {
1613 l2cap_chan_unlock(chan);
1614 continue;
1615 }
1616
1617 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1618 && test_bit(CONF_STATE2_DEVICE,
1619 &chan->conf_state)) {
1620 l2cap_chan_close(chan, ECONNRESET);
1621 l2cap_chan_unlock(chan);
1622 continue;
1623 }
1624
1625 if (l2cap_check_enc_key_size(conn->hcon))
1626 l2cap_start_connection(chan);
1627 else
1628 l2cap_chan_close(chan, ECONNREFUSED);
1629
1630 } else if (chan->state == BT_CONNECT2) {
1631 struct l2cap_conn_rsp rsp;
1632 char buf[128];
1633 rsp.scid = cpu_to_le16(chan->dcid);
1634 rsp.dcid = cpu_to_le16(chan->scid);
1635
1636 if (l2cap_chan_check_security(chan, false)) {
1637 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1638 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1639 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1640 chan->ops->defer(chan);
1641
1642 } else {
1643 l2cap_state_change(chan, BT_CONFIG);
1644 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1645 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1646 }
1647 } else {
1648 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1649 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1650 }
1651
1652 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1653 sizeof(rsp), &rsp);
1654
1655 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1656 rsp.result != L2CAP_CR_SUCCESS) {
1657 l2cap_chan_unlock(chan);
1658 continue;
1659 }
1660
1661 set_bit(CONF_REQ_SENT, &chan->conf_state);
1662 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1663 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1664 chan->num_conf_req++;
1665 }
1666
1667 l2cap_chan_unlock(chan);
1668 }
1669
1670 mutex_unlock(&conn->chan_lock);
1671}
1672
1673static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1674{
1675 struct hci_conn *hcon = conn->hcon;
1676 struct hci_dev *hdev = hcon->hdev;
1677
1678 BT_DBG("%s conn %p", hdev->name, conn);
1679
1680
1681
1682
1683 if (hcon->out)
1684 smp_conn_security(hcon, hcon->pending_sec_level);
1685
1686
1687
1688
1689
1690
1691 if (hcon->role == HCI_ROLE_SLAVE &&
1692 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1693 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1694 struct l2cap_conn_param_update_req req;
1695
1696 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1697 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1698 req.latency = cpu_to_le16(hcon->le_conn_latency);
1699 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1700
1701 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1702 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1703 }
1704}
1705
1706static void l2cap_conn_ready(struct l2cap_conn *conn)
1707{
1708 struct l2cap_chan *chan;
1709 struct hci_conn *hcon = conn->hcon;
1710
1711 BT_DBG("conn %p", conn);
1712
1713 if (hcon->type == ACL_LINK)
1714 l2cap_request_info(conn);
1715
1716 mutex_lock(&conn->chan_lock);
1717
1718 list_for_each_entry(chan, &conn->chan_l, list) {
1719
1720 l2cap_chan_lock(chan);
1721
1722 if (chan->scid == L2CAP_CID_A2MP) {
1723 l2cap_chan_unlock(chan);
1724 continue;
1725 }
1726
1727 if (hcon->type == LE_LINK) {
1728 l2cap_le_start(chan);
1729 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1730 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1731 l2cap_chan_ready(chan);
1732 } else if (chan->state == BT_CONNECT) {
1733 l2cap_do_start(chan);
1734 }
1735
1736 l2cap_chan_unlock(chan);
1737 }
1738
1739 mutex_unlock(&conn->chan_lock);
1740
1741 if (hcon->type == LE_LINK)
1742 l2cap_le_conn_ready(conn);
1743
1744 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1745}
1746
1747
1748static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1749{
1750 struct l2cap_chan *chan;
1751
1752 BT_DBG("conn %p", conn);
1753
1754 mutex_lock(&conn->chan_lock);
1755
1756 list_for_each_entry(chan, &conn->chan_l, list) {
1757 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1758 l2cap_chan_set_err(chan, err);
1759 }
1760
1761 mutex_unlock(&conn->chan_lock);
1762}
1763
1764static void l2cap_info_timeout(struct work_struct *work)
1765{
1766 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1767 info_timer.work);
1768
1769 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1770 conn->info_ident = 0;
1771
1772 l2cap_conn_start(conn);
1773}
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1789{
1790 struct hci_dev *hdev = conn->hcon->hdev;
1791 int ret;
1792
1793
1794
1795
1796
1797
1798
1799
1800 hci_dev_lock(hdev);
1801
1802 if (!list_empty(&user->list)) {
1803 ret = -EINVAL;
1804 goto out_unlock;
1805 }
1806
1807
1808 if (!conn->hchan) {
1809 ret = -ENODEV;
1810 goto out_unlock;
1811 }
1812
1813 ret = user->probe(conn, user);
1814 if (ret)
1815 goto out_unlock;
1816
1817 list_add(&user->list, &conn->users);
1818 ret = 0;
1819
1820out_unlock:
1821 hci_dev_unlock(hdev);
1822 return ret;
1823}
1824EXPORT_SYMBOL(l2cap_register_user);
1825
1826void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1827{
1828 struct hci_dev *hdev = conn->hcon->hdev;
1829
1830 hci_dev_lock(hdev);
1831
1832 if (list_empty(&user->list))
1833 goto out_unlock;
1834
1835 list_del_init(&user->list);
1836 user->remove(conn, user);
1837
1838out_unlock:
1839 hci_dev_unlock(hdev);
1840}
1841EXPORT_SYMBOL(l2cap_unregister_user);
1842
1843static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1844{
1845 struct l2cap_user *user;
1846
1847 while (!list_empty(&conn->users)) {
1848 user = list_first_entry(&conn->users, struct l2cap_user, list);
1849 list_del_init(&user->list);
1850 user->remove(conn, user);
1851 }
1852}
1853
1854static void l2cap_conn_del(struct hci_conn *hcon, int err)
1855{
1856 struct l2cap_conn *conn = hcon->l2cap_data;
1857 struct l2cap_chan *chan, *l;
1858
1859 if (!conn)
1860 return;
1861
1862 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1863
1864 kfree_skb(conn->rx_skb);
1865
1866 skb_queue_purge(&conn->pending_rx);
1867
1868
1869
1870
1871
1872 if (work_pending(&conn->pending_rx_work))
1873 cancel_work_sync(&conn->pending_rx_work);
1874
1875 if (work_pending(&conn->id_addr_update_work))
1876 cancel_work_sync(&conn->id_addr_update_work);
1877
1878 l2cap_unregister_all_users(conn);
1879
1880
1881 hcon->disc_timeout = 0;
1882
1883 mutex_lock(&conn->chan_lock);
1884
1885
1886 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1887 l2cap_chan_hold(chan);
1888 l2cap_chan_lock(chan);
1889
1890 l2cap_chan_del(chan, err);
1891
1892 chan->ops->close(chan);
1893
1894 l2cap_chan_unlock(chan);
1895 l2cap_chan_put(chan);
1896 }
1897
1898 mutex_unlock(&conn->chan_lock);
1899
1900 hci_chan_del(conn->hchan);
1901
1902 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1903 cancel_delayed_work_sync(&conn->info_timer);
1904
1905 hcon->l2cap_data = NULL;
1906 conn->hchan = NULL;
1907 l2cap_conn_put(conn);
1908}
1909
1910static void l2cap_conn_free(struct kref *ref)
1911{
1912 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1913
1914 hci_conn_put(conn->hcon);
1915 kfree(conn);
1916}
1917
1918struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1919{
1920 kref_get(&conn->ref);
1921 return conn;
1922}
1923EXPORT_SYMBOL(l2cap_conn_get);
1924
1925void l2cap_conn_put(struct l2cap_conn *conn)
1926{
1927 kref_put(&conn->ref, l2cap_conn_free);
1928}
1929EXPORT_SYMBOL(l2cap_conn_put);
1930
1931
1932
1933
1934
1935
1936static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1937 bdaddr_t *src,
1938 bdaddr_t *dst,
1939 u8 link_type)
1940{
1941 struct l2cap_chan *c, *c1 = NULL;
1942
1943 read_lock(&chan_list_lock);
1944
1945 list_for_each_entry(c, &chan_list, global_l) {
1946 if (state && c->state != state)
1947 continue;
1948
1949 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1950 continue;
1951
1952 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1953 continue;
1954
1955 if (c->psm == psm) {
1956 int src_match, dst_match;
1957 int src_any, dst_any;
1958
1959
1960 src_match = !bacmp(&c->src, src);
1961 dst_match = !bacmp(&c->dst, dst);
1962 if (src_match && dst_match) {
1963 l2cap_chan_hold(c);
1964 read_unlock(&chan_list_lock);
1965 return c;
1966 }
1967
1968
1969 src_any = !bacmp(&c->src, BDADDR_ANY);
1970 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1971 if ((src_match && dst_any) || (src_any && dst_match) ||
1972 (src_any && dst_any))
1973 c1 = c;
1974 }
1975 }
1976
1977 if (c1)
1978 l2cap_chan_hold(c1);
1979
1980 read_unlock(&chan_list_lock);
1981
1982 return c1;
1983}
1984
1985static void l2cap_monitor_timeout(struct work_struct *work)
1986{
1987 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1988 monitor_timer.work);
1989
1990 BT_DBG("chan %p", chan);
1991
1992 l2cap_chan_lock(chan);
1993
1994 if (!chan->conn) {
1995 l2cap_chan_unlock(chan);
1996 l2cap_chan_put(chan);
1997 return;
1998 }
1999
2000 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2001
2002 l2cap_chan_unlock(chan);
2003 l2cap_chan_put(chan);
2004}
2005
2006static void l2cap_retrans_timeout(struct work_struct *work)
2007{
2008 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2009 retrans_timer.work);
2010
2011 BT_DBG("chan %p", chan);
2012
2013 l2cap_chan_lock(chan);
2014
2015 if (!chan->conn) {
2016 l2cap_chan_unlock(chan);
2017 l2cap_chan_put(chan);
2018 return;
2019 }
2020
2021 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2022 l2cap_chan_unlock(chan);
2023 l2cap_chan_put(chan);
2024}
2025
2026static void l2cap_streaming_send(struct l2cap_chan *chan,
2027 struct sk_buff_head *skbs)
2028{
2029 struct sk_buff *skb;
2030 struct l2cap_ctrl *control;
2031
2032 BT_DBG("chan %p, skbs %p", chan, skbs);
2033
2034 if (__chan_is_moving(chan))
2035 return;
2036
2037 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2038
2039 while (!skb_queue_empty(&chan->tx_q)) {
2040
2041 skb = skb_dequeue(&chan->tx_q);
2042
2043 bt_cb(skb)->l2cap.retries = 1;
2044 control = &bt_cb(skb)->l2cap;
2045
2046 control->reqseq = 0;
2047 control->txseq = chan->next_tx_seq;
2048
2049 __pack_control(chan, control, skb);
2050
2051 if (chan->fcs == L2CAP_FCS_CRC16) {
2052 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2053 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2054 }
2055
2056 l2cap_do_send(chan, skb);
2057
2058 BT_DBG("Sent txseq %u", control->txseq);
2059
2060 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2061 chan->frames_sent++;
2062 }
2063}
2064
2065static int l2cap_ertm_send(struct l2cap_chan *chan)
2066{
2067 struct sk_buff *skb, *tx_skb;
2068 struct l2cap_ctrl *control;
2069 int sent = 0;
2070
2071 BT_DBG("chan %p", chan);
2072
2073 if (chan->state != BT_CONNECTED)
2074 return -ENOTCONN;
2075
2076 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2077 return 0;
2078
2079 if (__chan_is_moving(chan))
2080 return 0;
2081
2082 while (chan->tx_send_head &&
2083 chan->unacked_frames < chan->remote_tx_win &&
2084 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2085
2086 skb = chan->tx_send_head;
2087
2088 bt_cb(skb)->l2cap.retries = 1;
2089 control = &bt_cb(skb)->l2cap;
2090
2091 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2092 control->final = 1;
2093
2094 control->reqseq = chan->buffer_seq;
2095 chan->last_acked_seq = chan->buffer_seq;
2096 control->txseq = chan->next_tx_seq;
2097
2098 __pack_control(chan, control, skb);
2099
2100 if (chan->fcs == L2CAP_FCS_CRC16) {
2101 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2102 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2103 }
2104
2105
2106
2107
2108 tx_skb = skb_clone(skb, GFP_KERNEL);
2109
2110 if (!tx_skb)
2111 break;
2112
2113 __set_retrans_timer(chan);
2114
2115 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2116 chan->unacked_frames++;
2117 chan->frames_sent++;
2118 sent++;
2119
2120 if (skb_queue_is_last(&chan->tx_q, skb))
2121 chan->tx_send_head = NULL;
2122 else
2123 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2124
2125 l2cap_do_send(chan, tx_skb);
2126 BT_DBG("Sent txseq %u", control->txseq);
2127 }
2128
2129 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2130 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2131
2132 return sent;
2133}
2134
2135static void l2cap_ertm_resend(struct l2cap_chan *chan)
2136{
2137 struct l2cap_ctrl control;
2138 struct sk_buff *skb;
2139 struct sk_buff *tx_skb;
2140 u16 seq;
2141
2142 BT_DBG("chan %p", chan);
2143
2144 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2145 return;
2146
2147 if (__chan_is_moving(chan))
2148 return;
2149
2150 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2151 seq = l2cap_seq_list_pop(&chan->retrans_list);
2152
2153 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2154 if (!skb) {
2155 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2156 seq);
2157 continue;
2158 }
2159
2160 bt_cb(skb)->l2cap.retries++;
2161 control = bt_cb(skb)->l2cap;
2162
2163 if (chan->max_tx != 0 &&
2164 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2165 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2166 l2cap_send_disconn_req(chan, ECONNRESET);
2167 l2cap_seq_list_clear(&chan->retrans_list);
2168 break;
2169 }
2170
2171 control.reqseq = chan->buffer_seq;
2172 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2173 control.final = 1;
2174 else
2175 control.final = 0;
2176
2177 if (skb_cloned(skb)) {
2178
2179
2180
2181 tx_skb = skb_copy(skb, GFP_KERNEL);
2182 } else {
2183 tx_skb = skb_clone(skb, GFP_KERNEL);
2184 }
2185
2186 if (!tx_skb) {
2187 l2cap_seq_list_clear(&chan->retrans_list);
2188 break;
2189 }
2190
2191
2192 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2193 put_unaligned_le32(__pack_extended_control(&control),
2194 tx_skb->data + L2CAP_HDR_SIZE);
2195 } else {
2196 put_unaligned_le16(__pack_enhanced_control(&control),
2197 tx_skb->data + L2CAP_HDR_SIZE);
2198 }
2199
2200
2201 if (chan->fcs == L2CAP_FCS_CRC16) {
2202 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2203 tx_skb->len - L2CAP_FCS_SIZE);
2204 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2205 L2CAP_FCS_SIZE);
2206 }
2207
2208 l2cap_do_send(chan, tx_skb);
2209
2210 BT_DBG("Resent txseq %d", control.txseq);
2211
2212 chan->last_acked_seq = chan->buffer_seq;
2213 }
2214}
2215
2216static void l2cap_retransmit(struct l2cap_chan *chan,
2217 struct l2cap_ctrl *control)
2218{
2219 BT_DBG("chan %p, control %p", chan, control);
2220
2221 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2222 l2cap_ertm_resend(chan);
2223}
2224
2225static void l2cap_retransmit_all(struct l2cap_chan *chan,
2226 struct l2cap_ctrl *control)
2227{
2228 struct sk_buff *skb;
2229
2230 BT_DBG("chan %p, control %p", chan, control);
2231
2232 if (control->poll)
2233 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2234
2235 l2cap_seq_list_clear(&chan->retrans_list);
2236
2237 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2238 return;
2239
2240 if (chan->unacked_frames) {
2241 skb_queue_walk(&chan->tx_q, skb) {
2242 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2243 skb == chan->tx_send_head)
2244 break;
2245 }
2246
2247 skb_queue_walk_from(&chan->tx_q, skb) {
2248 if (skb == chan->tx_send_head)
2249 break;
2250
2251 l2cap_seq_list_append(&chan->retrans_list,
2252 bt_cb(skb)->l2cap.txseq);
2253 }
2254
2255 l2cap_ertm_resend(chan);
2256 }
2257}
2258
2259static void l2cap_send_ack(struct l2cap_chan *chan)
2260{
2261 struct l2cap_ctrl control;
2262 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2263 chan->last_acked_seq);
2264 int threshold;
2265
2266 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2267 chan, chan->last_acked_seq, chan->buffer_seq);
2268
2269 memset(&control, 0, sizeof(control));
2270 control.sframe = 1;
2271
2272 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2273 chan->rx_state == L2CAP_RX_STATE_RECV) {
2274 __clear_ack_timer(chan);
2275 control.super = L2CAP_SUPER_RNR;
2276 control.reqseq = chan->buffer_seq;
2277 l2cap_send_sframe(chan, &control);
2278 } else {
2279 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2280 l2cap_ertm_send(chan);
2281
2282 if (chan->buffer_seq == chan->last_acked_seq)
2283 frames_to_ack = 0;
2284 }
2285
2286
2287
2288
2289 threshold = chan->ack_win;
2290 threshold += threshold << 1;
2291 threshold >>= 2;
2292
2293 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2294 threshold);
2295
2296 if (frames_to_ack >= threshold) {
2297 __clear_ack_timer(chan);
2298 control.super = L2CAP_SUPER_RR;
2299 control.reqseq = chan->buffer_seq;
2300 l2cap_send_sframe(chan, &control);
2301 frames_to_ack = 0;
2302 }
2303
2304 if (frames_to_ack)
2305 __set_ack_timer(chan);
2306 }
2307}
2308
2309static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2310 struct msghdr *msg, int len,
2311 int count, struct sk_buff *skb)
2312{
2313 struct l2cap_conn *conn = chan->conn;
2314 struct sk_buff **frag;
2315 int sent = 0;
2316
2317 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2318 return -EFAULT;
2319
2320 sent += count;
2321 len -= count;
2322
2323
2324 frag = &skb_shinfo(skb)->frag_list;
2325 while (len) {
2326 struct sk_buff *tmp;
2327
2328 count = min_t(unsigned int, conn->mtu, len);
2329
2330 tmp = chan->ops->alloc_skb(chan, 0, count,
2331 msg->msg_flags & MSG_DONTWAIT);
2332 if (IS_ERR(tmp))
2333 return PTR_ERR(tmp);
2334
2335 *frag = tmp;
2336
2337 if (!copy_from_iter_full(skb_put(*frag, count), count,
2338 &msg->msg_iter))
2339 return -EFAULT;
2340
2341 sent += count;
2342 len -= count;
2343
2344 skb->len += (*frag)->len;
2345 skb->data_len += (*frag)->len;
2346
2347 frag = &(*frag)->next;
2348 }
2349
2350 return sent;
2351}
2352
2353static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2354 struct msghdr *msg, size_t len)
2355{
2356 struct l2cap_conn *conn = chan->conn;
2357 struct sk_buff *skb;
2358 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2359 struct l2cap_hdr *lh;
2360
2361 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2362 __le16_to_cpu(chan->psm), len);
2363
2364 count = min_t(unsigned int, (conn->mtu - hlen), len);
2365
2366 skb = chan->ops->alloc_skb(chan, hlen, count,
2367 msg->msg_flags & MSG_DONTWAIT);
2368 if (IS_ERR(skb))
2369 return skb;
2370
2371
2372 lh = skb_put(skb, L2CAP_HDR_SIZE);
2373 lh->cid = cpu_to_le16(chan->dcid);
2374 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2375 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2376
2377 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2378 if (unlikely(err < 0)) {
2379 kfree_skb(skb);
2380 return ERR_PTR(err);
2381 }
2382 return skb;
2383}
2384
2385static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2386 struct msghdr *msg, size_t len)
2387{
2388 struct l2cap_conn *conn = chan->conn;
2389 struct sk_buff *skb;
2390 int err, count;
2391 struct l2cap_hdr *lh;
2392
2393 BT_DBG("chan %p len %zu", chan, len);
2394
2395 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2396
2397 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2398 msg->msg_flags & MSG_DONTWAIT);
2399 if (IS_ERR(skb))
2400 return skb;
2401
2402
2403 lh = skb_put(skb, L2CAP_HDR_SIZE);
2404 lh->cid = cpu_to_le16(chan->dcid);
2405 lh->len = cpu_to_le16(len);
2406
2407 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2408 if (unlikely(err < 0)) {
2409 kfree_skb(skb);
2410 return ERR_PTR(err);
2411 }
2412 return skb;
2413}
2414
2415static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2416 struct msghdr *msg, size_t len,
2417 u16 sdulen)
2418{
2419 struct l2cap_conn *conn = chan->conn;
2420 struct sk_buff *skb;
2421 int err, count, hlen;
2422 struct l2cap_hdr *lh;
2423
2424 BT_DBG("chan %p len %zu", chan, len);
2425
2426 if (!conn)
2427 return ERR_PTR(-ENOTCONN);
2428
2429 hlen = __ertm_hdr_size(chan);
2430
2431 if (sdulen)
2432 hlen += L2CAP_SDULEN_SIZE;
2433
2434 if (chan->fcs == L2CAP_FCS_CRC16)
2435 hlen += L2CAP_FCS_SIZE;
2436
2437 count = min_t(unsigned int, (conn->mtu - hlen), len);
2438
2439 skb = chan->ops->alloc_skb(chan, hlen, count,
2440 msg->msg_flags & MSG_DONTWAIT);
2441 if (IS_ERR(skb))
2442 return skb;
2443
2444
2445 lh = skb_put(skb, L2CAP_HDR_SIZE);
2446 lh->cid = cpu_to_le16(chan->dcid);
2447 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2448
2449
2450 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2451 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2452 else
2453 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2454
2455 if (sdulen)
2456 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2457
2458 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2459 if (unlikely(err < 0)) {
2460 kfree_skb(skb);
2461 return ERR_PTR(err);
2462 }
2463
2464 bt_cb(skb)->l2cap.fcs = chan->fcs;
2465 bt_cb(skb)->l2cap.retries = 0;
2466 return skb;
2467}
2468
2469static int l2cap_segment_sdu(struct l2cap_chan *chan,
2470 struct sk_buff_head *seg_queue,
2471 struct msghdr *msg, size_t len)
2472{
2473 struct sk_buff *skb;
2474 u16 sdu_len;
2475 size_t pdu_len;
2476 u8 sar;
2477
2478 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2479
2480
2481
2482
2483
2484
2485
2486 pdu_len = chan->conn->mtu;
2487
2488
2489 if (!chan->hs_hcon)
2490 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2491
2492
2493 if (chan->fcs)
2494 pdu_len -= L2CAP_FCS_SIZE;
2495
2496 pdu_len -= __ertm_hdr_size(chan);
2497
2498
2499 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2500
2501 if (len <= pdu_len) {
2502 sar = L2CAP_SAR_UNSEGMENTED;
2503 sdu_len = 0;
2504 pdu_len = len;
2505 } else {
2506 sar = L2CAP_SAR_START;
2507 sdu_len = len;
2508 }
2509
2510 while (len > 0) {
2511 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2512
2513 if (IS_ERR(skb)) {
2514 __skb_queue_purge(seg_queue);
2515 return PTR_ERR(skb);
2516 }
2517
2518 bt_cb(skb)->l2cap.sar = sar;
2519 __skb_queue_tail(seg_queue, skb);
2520
2521 len -= pdu_len;
2522 if (sdu_len)
2523 sdu_len = 0;
2524
2525 if (len <= pdu_len) {
2526 sar = L2CAP_SAR_END;
2527 pdu_len = len;
2528 } else {
2529 sar = L2CAP_SAR_CONTINUE;
2530 }
2531 }
2532
2533 return 0;
2534}
2535
2536static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2537 struct msghdr *msg,
2538 size_t len, u16 sdulen)
2539{
2540 struct l2cap_conn *conn = chan->conn;
2541 struct sk_buff *skb;
2542 int err, count, hlen;
2543 struct l2cap_hdr *lh;
2544
2545 BT_DBG("chan %p len %zu", chan, len);
2546
2547 if (!conn)
2548 return ERR_PTR(-ENOTCONN);
2549
2550 hlen = L2CAP_HDR_SIZE;
2551
2552 if (sdulen)
2553 hlen += L2CAP_SDULEN_SIZE;
2554
2555 count = min_t(unsigned int, (conn->mtu - hlen), len);
2556
2557 skb = chan->ops->alloc_skb(chan, hlen, count,
2558 msg->msg_flags & MSG_DONTWAIT);
2559 if (IS_ERR(skb))
2560 return skb;
2561
2562
2563 lh = skb_put(skb, L2CAP_HDR_SIZE);
2564 lh->cid = cpu_to_le16(chan->dcid);
2565 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2566
2567 if (sdulen)
2568 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2569
2570 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2571 if (unlikely(err < 0)) {
2572 kfree_skb(skb);
2573 return ERR_PTR(err);
2574 }
2575
2576 return skb;
2577}
2578
2579static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2580 struct sk_buff_head *seg_queue,
2581 struct msghdr *msg, size_t len)
2582{
2583 struct sk_buff *skb;
2584 size_t pdu_len;
2585 u16 sdu_len;
2586
2587 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2588
2589 sdu_len = len;
2590 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2591
2592 while (len > 0) {
2593 if (len <= pdu_len)
2594 pdu_len = len;
2595
2596 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2597 if (IS_ERR(skb)) {
2598 __skb_queue_purge(seg_queue);
2599 return PTR_ERR(skb);
2600 }
2601
2602 __skb_queue_tail(seg_queue, skb);
2603
2604 len -= pdu_len;
2605
2606 if (sdu_len) {
2607 sdu_len = 0;
2608 pdu_len += L2CAP_SDULEN_SIZE;
2609 }
2610 }
2611
2612 return 0;
2613}
2614
2615static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2616{
2617 int sent = 0;
2618
2619 BT_DBG("chan %p", chan);
2620
2621 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2622 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2623 chan->tx_credits--;
2624 sent++;
2625 }
2626
2627 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2628 skb_queue_len(&chan->tx_q));
2629}
2630
2631int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2632{
2633 struct sk_buff *skb;
2634 int err;
2635 struct sk_buff_head seg_queue;
2636
2637 if (!chan->conn)
2638 return -ENOTCONN;
2639
2640
2641 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2642 skb = l2cap_create_connless_pdu(chan, msg, len);
2643 if (IS_ERR(skb))
2644 return PTR_ERR(skb);
2645
2646
2647
2648
2649 if (chan->state != BT_CONNECTED) {
2650 kfree_skb(skb);
2651 return -ENOTCONN;
2652 }
2653
2654 l2cap_do_send(chan, skb);
2655 return len;
2656 }
2657
2658 switch (chan->mode) {
2659 case L2CAP_MODE_LE_FLOWCTL:
2660 case L2CAP_MODE_EXT_FLOWCTL:
2661
2662 if (len > chan->omtu)
2663 return -EMSGSIZE;
2664
2665 __skb_queue_head_init(&seg_queue);
2666
2667 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2668
2669 if (chan->state != BT_CONNECTED) {
2670 __skb_queue_purge(&seg_queue);
2671 err = -ENOTCONN;
2672 }
2673
2674 if (err)
2675 return err;
2676
2677 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2678
2679 l2cap_le_flowctl_send(chan);
2680
2681 if (!chan->tx_credits)
2682 chan->ops->suspend(chan);
2683
2684 err = len;
2685
2686 break;
2687
2688 case L2CAP_MODE_BASIC:
2689
2690 if (len > chan->omtu)
2691 return -EMSGSIZE;
2692
2693
2694 skb = l2cap_create_basic_pdu(chan, msg, len);
2695 if (IS_ERR(skb))
2696 return PTR_ERR(skb);
2697
2698
2699
2700
2701 if (chan->state != BT_CONNECTED) {
2702 kfree_skb(skb);
2703 return -ENOTCONN;
2704 }
2705
2706 l2cap_do_send(chan, skb);
2707 err = len;
2708 break;
2709
2710 case L2CAP_MODE_ERTM:
2711 case L2CAP_MODE_STREAMING:
2712
2713 if (len > chan->omtu) {
2714 err = -EMSGSIZE;
2715 break;
2716 }
2717
2718 __skb_queue_head_init(&seg_queue);
2719
2720
2721
2722
2723
2724 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2725
2726
2727
2728
2729 if (chan->state != BT_CONNECTED) {
2730 __skb_queue_purge(&seg_queue);
2731 err = -ENOTCONN;
2732 }
2733
2734 if (err)
2735 break;
2736
2737 if (chan->mode == L2CAP_MODE_ERTM)
2738 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2739 else
2740 l2cap_streaming_send(chan, &seg_queue);
2741
2742 err = len;
2743
2744
2745
2746
2747 __skb_queue_purge(&seg_queue);
2748 break;
2749
2750 default:
2751 BT_DBG("bad state %1.1x", chan->mode);
2752 err = -EBADFD;
2753 }
2754
2755 return err;
2756}
2757EXPORT_SYMBOL_GPL(l2cap_chan_send);
2758
2759static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2760{
2761 struct l2cap_ctrl control;
2762 u16 seq;
2763
2764 BT_DBG("chan %p, txseq %u", chan, txseq);
2765
2766 memset(&control, 0, sizeof(control));
2767 control.sframe = 1;
2768 control.super = L2CAP_SUPER_SREJ;
2769
2770 for (seq = chan->expected_tx_seq; seq != txseq;
2771 seq = __next_seq(chan, seq)) {
2772 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2773 control.reqseq = seq;
2774 l2cap_send_sframe(chan, &control);
2775 l2cap_seq_list_append(&chan->srej_list, seq);
2776 }
2777 }
2778
2779 chan->expected_tx_seq = __next_seq(chan, txseq);
2780}
2781
2782static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2783{
2784 struct l2cap_ctrl control;
2785
2786 BT_DBG("chan %p", chan);
2787
2788 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2789 return;
2790
2791 memset(&control, 0, sizeof(control));
2792 control.sframe = 1;
2793 control.super = L2CAP_SUPER_SREJ;
2794 control.reqseq = chan->srej_list.tail;
2795 l2cap_send_sframe(chan, &control);
2796}
2797
2798static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2799{
2800 struct l2cap_ctrl control;
2801 u16 initial_head;
2802 u16 seq;
2803
2804 BT_DBG("chan %p, txseq %u", chan, txseq);
2805
2806 memset(&control, 0, sizeof(control));
2807 control.sframe = 1;
2808 control.super = L2CAP_SUPER_SREJ;
2809
2810
2811 initial_head = chan->srej_list.head;
2812
2813 do {
2814 seq = l2cap_seq_list_pop(&chan->srej_list);
2815 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2816 break;
2817
2818 control.reqseq = seq;
2819 l2cap_send_sframe(chan, &control);
2820 l2cap_seq_list_append(&chan->srej_list, seq);
2821 } while (chan->srej_list.head != initial_head);
2822}
2823
2824static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2825{
2826 struct sk_buff *acked_skb;
2827 u16 ackseq;
2828
2829 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2830
2831 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2832 return;
2833
2834 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2835 chan->expected_ack_seq, chan->unacked_frames);
2836
2837 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2838 ackseq = __next_seq(chan, ackseq)) {
2839
2840 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2841 if (acked_skb) {
2842 skb_unlink(acked_skb, &chan->tx_q);
2843 kfree_skb(acked_skb);
2844 chan->unacked_frames--;
2845 }
2846 }
2847
2848 chan->expected_ack_seq = reqseq;
2849
2850 if (chan->unacked_frames == 0)
2851 __clear_retrans_timer(chan);
2852
2853 BT_DBG("unacked_frames %u", chan->unacked_frames);
2854}
2855
2856static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2857{
2858 BT_DBG("chan %p", chan);
2859
2860 chan->expected_tx_seq = chan->buffer_seq;
2861 l2cap_seq_list_clear(&chan->srej_list);
2862 skb_queue_purge(&chan->srej_q);
2863 chan->rx_state = L2CAP_RX_STATE_RECV;
2864}
2865
2866static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2867 struct l2cap_ctrl *control,
2868 struct sk_buff_head *skbs, u8 event)
2869{
2870 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2871 event);
2872
2873 switch (event) {
2874 case L2CAP_EV_DATA_REQUEST:
2875 if (chan->tx_send_head == NULL)
2876 chan->tx_send_head = skb_peek(skbs);
2877
2878 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2879 l2cap_ertm_send(chan);
2880 break;
2881 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2882 BT_DBG("Enter LOCAL_BUSY");
2883 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2884
2885 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2886
2887
2888
2889 l2cap_abort_rx_srej_sent(chan);
2890 }
2891
2892 l2cap_send_ack(chan);
2893
2894 break;
2895 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2896 BT_DBG("Exit LOCAL_BUSY");
2897 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2898
2899 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2900 struct l2cap_ctrl local_control;
2901
2902 memset(&local_control, 0, sizeof(local_control));
2903 local_control.sframe = 1;
2904 local_control.super = L2CAP_SUPER_RR;
2905 local_control.poll = 1;
2906 local_control.reqseq = chan->buffer_seq;
2907 l2cap_send_sframe(chan, &local_control);
2908
2909 chan->retry_count = 1;
2910 __set_monitor_timer(chan);
2911 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2912 }
2913 break;
2914 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2915 l2cap_process_reqseq(chan, control->reqseq);
2916 break;
2917 case L2CAP_EV_EXPLICIT_POLL:
2918 l2cap_send_rr_or_rnr(chan, 1);
2919 chan->retry_count = 1;
2920 __set_monitor_timer(chan);
2921 __clear_ack_timer(chan);
2922 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2923 break;
2924 case L2CAP_EV_RETRANS_TO:
2925 l2cap_send_rr_or_rnr(chan, 1);
2926 chan->retry_count = 1;
2927 __set_monitor_timer(chan);
2928 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2929 break;
2930 case L2CAP_EV_RECV_FBIT:
2931
2932 break;
2933 default:
2934 break;
2935 }
2936}
2937
2938static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2939 struct l2cap_ctrl *control,
2940 struct sk_buff_head *skbs, u8 event)
2941{
2942 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2943 event);
2944
2945 switch (event) {
2946 case L2CAP_EV_DATA_REQUEST:
2947 if (chan->tx_send_head == NULL)
2948 chan->tx_send_head = skb_peek(skbs);
2949
2950 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2951 break;
2952 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2953 BT_DBG("Enter LOCAL_BUSY");
2954 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2955
2956 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2957
2958
2959
2960 l2cap_abort_rx_srej_sent(chan);
2961 }
2962
2963 l2cap_send_ack(chan);
2964
2965 break;
2966 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2967 BT_DBG("Exit LOCAL_BUSY");
2968 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2969
2970 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2971 struct l2cap_ctrl local_control;
2972 memset(&local_control, 0, sizeof(local_control));
2973 local_control.sframe = 1;
2974 local_control.super = L2CAP_SUPER_RR;
2975 local_control.poll = 1;
2976 local_control.reqseq = chan->buffer_seq;
2977 l2cap_send_sframe(chan, &local_control);
2978
2979 chan->retry_count = 1;
2980 __set_monitor_timer(chan);
2981 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2982 }
2983 break;
2984 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2985 l2cap_process_reqseq(chan, control->reqseq);
2986 fallthrough;
2987
2988 case L2CAP_EV_RECV_FBIT:
2989 if (control && control->final) {
2990 __clear_monitor_timer(chan);
2991 if (chan->unacked_frames > 0)
2992 __set_retrans_timer(chan);
2993 chan->retry_count = 0;
2994 chan->tx_state = L2CAP_TX_STATE_XMIT;
2995 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2996 }
2997 break;
2998 case L2CAP_EV_EXPLICIT_POLL:
2999
3000 break;
3001 case L2CAP_EV_MONITOR_TO:
3002 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3003 l2cap_send_rr_or_rnr(chan, 1);
3004 __set_monitor_timer(chan);
3005 chan->retry_count++;
3006 } else {
3007 l2cap_send_disconn_req(chan, ECONNABORTED);
3008 }
3009 break;
3010 default:
3011 break;
3012 }
3013}
3014
3015static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3016 struct sk_buff_head *skbs, u8 event)
3017{
3018 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3019 chan, control, skbs, event, chan->tx_state);
3020
3021 switch (chan->tx_state) {
3022 case L2CAP_TX_STATE_XMIT:
3023 l2cap_tx_state_xmit(chan, control, skbs, event);
3024 break;
3025 case L2CAP_TX_STATE_WAIT_F:
3026 l2cap_tx_state_wait_f(chan, control, skbs, event);
3027 break;
3028 default:
3029
3030 break;
3031 }
3032}
3033
3034static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3035 struct l2cap_ctrl *control)
3036{
3037 BT_DBG("chan %p, control %p", chan, control);
3038 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3039}
3040
3041static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3042 struct l2cap_ctrl *control)
3043{
3044 BT_DBG("chan %p, control %p", chan, control);
3045 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3046}
3047
3048
3049static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3050{
3051 struct sk_buff *nskb;
3052 struct l2cap_chan *chan;
3053
3054 BT_DBG("conn %p", conn);
3055
3056 mutex_lock(&conn->chan_lock);
3057
3058 list_for_each_entry(chan, &conn->chan_l, list) {
3059 if (chan->chan_type != L2CAP_CHAN_RAW)
3060 continue;
3061
3062
3063 if (bt_cb(skb)->l2cap.chan == chan)
3064 continue;
3065
3066 nskb = skb_clone(skb, GFP_KERNEL);
3067 if (!nskb)
3068 continue;
3069 if (chan->ops->recv(chan, nskb))
3070 kfree_skb(nskb);
3071 }
3072
3073 mutex_unlock(&conn->chan_lock);
3074}
3075
3076
3077static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3078 u8 ident, u16 dlen, void *data)
3079{
3080 struct sk_buff *skb, **frag;
3081 struct l2cap_cmd_hdr *cmd;
3082 struct l2cap_hdr *lh;
3083 int len, count;
3084
3085 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3086 conn, code, ident, dlen);
3087
3088 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3089 return NULL;
3090
3091 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3092 count = min_t(unsigned int, conn->mtu, len);
3093
3094 skb = bt_skb_alloc(count, GFP_KERNEL);
3095 if (!skb)
3096 return NULL;
3097
3098 lh = skb_put(skb, L2CAP_HDR_SIZE);
3099 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3100
3101 if (conn->hcon->type == LE_LINK)
3102 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3103 else
3104 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
3105
3106 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
3107 cmd->code = code;
3108 cmd->ident = ident;
3109 cmd->len = cpu_to_le16(dlen);
3110
3111 if (dlen) {
3112 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3113 skb_put_data(skb, data, count);
3114 data += count;
3115 }
3116
3117 len -= skb->len;
3118
3119
3120 frag = &skb_shinfo(skb)->frag_list;
3121 while (len) {
3122 count = min_t(unsigned int, conn->mtu, len);
3123
3124 *frag = bt_skb_alloc(count, GFP_KERNEL);
3125 if (!*frag)
3126 goto fail;
3127
3128 skb_put_data(*frag, data, count);
3129
3130 len -= count;
3131 data += count;
3132
3133 frag = &(*frag)->next;
3134 }
3135
3136 return skb;
3137
3138fail:
3139 kfree_skb(skb);
3140 return NULL;
3141}
3142
3143static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3144 unsigned long *val)
3145{
3146 struct l2cap_conf_opt *opt = *ptr;
3147 int len;
3148
3149 len = L2CAP_CONF_OPT_SIZE + opt->len;
3150 *ptr += len;
3151
3152 *type = opt->type;
3153 *olen = opt->len;
3154
3155 switch (opt->len) {
3156 case 1:
3157 *val = *((u8 *) opt->val);
3158 break;
3159
3160 case 2:
3161 *val = get_unaligned_le16(opt->val);
3162 break;
3163
3164 case 4:
3165 *val = get_unaligned_le32(opt->val);
3166 break;
3167
3168 default:
3169 *val = (unsigned long) opt->val;
3170 break;
3171 }
3172
3173 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3174 return len;
3175}
3176
3177static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3178{
3179 struct l2cap_conf_opt *opt = *ptr;
3180
3181 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3182
3183 if (size < L2CAP_CONF_OPT_SIZE + len)
3184 return;
3185
3186 opt->type = type;
3187 opt->len = len;
3188
3189 switch (len) {
3190 case 1:
3191 *((u8 *) opt->val) = val;
3192 break;
3193
3194 case 2:
3195 put_unaligned_le16(val, opt->val);
3196 break;
3197
3198 case 4:
3199 put_unaligned_le32(val, opt->val);
3200 break;
3201
3202 default:
3203 memcpy(opt->val, (void *) val, len);
3204 break;
3205 }
3206
3207 *ptr += L2CAP_CONF_OPT_SIZE + len;
3208}
3209
3210static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3211{
3212 struct l2cap_conf_efs efs;
3213
3214 switch (chan->mode) {
3215 case L2CAP_MODE_ERTM:
3216 efs.id = chan->local_id;
3217 efs.stype = chan->local_stype;
3218 efs.msdu = cpu_to_le16(chan->local_msdu);
3219 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3220 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3221 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3222 break;
3223
3224 case L2CAP_MODE_STREAMING:
3225 efs.id = 1;
3226 efs.stype = L2CAP_SERV_BESTEFFORT;
3227 efs.msdu = cpu_to_le16(chan->local_msdu);
3228 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3229 efs.acc_lat = 0;
3230 efs.flush_to = 0;
3231 break;
3232
3233 default:
3234 return;
3235 }
3236
3237 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3238 (unsigned long) &efs, size);
3239}
3240
3241static void l2cap_ack_timeout(struct work_struct *work)
3242{
3243 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3244 ack_timer.work);
3245 u16 frames_to_ack;
3246
3247 BT_DBG("chan %p", chan);
3248
3249 l2cap_chan_lock(chan);
3250
3251 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3252 chan->last_acked_seq);
3253
3254 if (frames_to_ack)
3255 l2cap_send_rr_or_rnr(chan, 0);
3256
3257 l2cap_chan_unlock(chan);
3258 l2cap_chan_put(chan);
3259}
3260
3261int l2cap_ertm_init(struct l2cap_chan *chan)
3262{
3263 int err;
3264
3265 chan->next_tx_seq = 0;
3266 chan->expected_tx_seq = 0;
3267 chan->expected_ack_seq = 0;
3268 chan->unacked_frames = 0;
3269 chan->buffer_seq = 0;
3270 chan->frames_sent = 0;
3271 chan->last_acked_seq = 0;
3272 chan->sdu = NULL;
3273 chan->sdu_last_frag = NULL;
3274 chan->sdu_len = 0;
3275
3276 skb_queue_head_init(&chan->tx_q);
3277
3278 chan->local_amp_id = AMP_ID_BREDR;
3279 chan->move_id = AMP_ID_BREDR;
3280 chan->move_state = L2CAP_MOVE_STABLE;
3281 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3282
3283 if (chan->mode != L2CAP_MODE_ERTM)
3284 return 0;
3285
3286 chan->rx_state = L2CAP_RX_STATE_RECV;
3287 chan->tx_state = L2CAP_TX_STATE_XMIT;
3288
3289 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3290 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3291 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3292
3293 skb_queue_head_init(&chan->srej_q);
3294
3295 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3296 if (err < 0)
3297 return err;
3298
3299 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3300 if (err < 0)
3301 l2cap_seq_list_free(&chan->srej_list);
3302
3303 return err;
3304}
3305
3306static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3307{
3308 switch (mode) {
3309 case L2CAP_MODE_STREAMING:
3310 case L2CAP_MODE_ERTM:
3311 if (l2cap_mode_supported(mode, remote_feat_mask))
3312 return mode;
3313 fallthrough;
3314 default:
3315 return L2CAP_MODE_BASIC;
3316 }
3317}
3318
3319static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3320{
3321 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3322 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3323}
3324
3325static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3326{
3327 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3328 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3329}
3330
3331static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3332 struct l2cap_conf_rfc *rfc)
3333{
3334 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3335 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3351
3352
3353
3354
3355
3356 ertm_to = 3 * ertm_to + 500;
3357
3358 if (ertm_to > 0xffff)
3359 ertm_to = 0xffff;
3360
3361 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3362 rfc->monitor_timeout = rfc->retrans_timeout;
3363 } else {
3364 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3365 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3366 }
3367}
3368
3369static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3370{
3371 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3372 __l2cap_ews_supported(chan->conn)) {
3373
3374 set_bit(FLAG_EXT_CTRL, &chan->flags);
3375 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3376 } else {
3377 chan->tx_win = min_t(u16, chan->tx_win,
3378 L2CAP_DEFAULT_TX_WINDOW);
3379 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3380 }
3381 chan->ack_win = chan->tx_win;
3382}
3383
3384static void l2cap_mtu_auto(struct l2cap_chan *chan)
3385{
3386 struct hci_conn *conn = chan->conn->hcon;
3387
3388 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3389
3390
3391
3392
3393 if (!(conn->pkt_type & HCI_2DH1))
3394 chan->imtu = 54;
3395
3396
3397
3398
3399 if (!(conn->pkt_type & HCI_3DH1))
3400 chan->imtu = 83;
3401
3402
3403
3404
3405 if (!(conn->pkt_type & HCI_2DH3))
3406 chan->imtu = 367;
3407
3408
3409
3410
3411 if (!(conn->pkt_type & HCI_3DH3))
3412 chan->imtu = 552;
3413
3414
3415
3416
3417 if (!(conn->pkt_type & HCI_2DH5))
3418 chan->imtu = 679;
3419
3420
3421
3422
3423 if (!(conn->pkt_type & HCI_3DH5))
3424 chan->imtu = 1021;
3425}
3426
3427static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3428{
3429 struct l2cap_conf_req *req = data;
3430 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3431 void *ptr = req->data;
3432 void *endptr = data + data_size;
3433 u16 size;
3434
3435 BT_DBG("chan %p", chan);
3436
3437 if (chan->num_conf_req || chan->num_conf_rsp)
3438 goto done;
3439
3440 switch (chan->mode) {
3441 case L2CAP_MODE_STREAMING:
3442 case L2CAP_MODE_ERTM:
3443 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3444 break;
3445
3446 if (__l2cap_efs_supported(chan->conn))
3447 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3448
3449 fallthrough;
3450 default:
3451 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3452 break;
3453 }
3454
3455done:
3456 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3457 if (!chan->imtu)
3458 l2cap_mtu_auto(chan);
3459 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3460 endptr - ptr);
3461 }
3462
3463 switch (chan->mode) {
3464 case L2CAP_MODE_BASIC:
3465 if (disable_ertm)
3466 break;
3467
3468 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3469 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3470 break;
3471
3472 rfc.mode = L2CAP_MODE_BASIC;
3473 rfc.txwin_size = 0;
3474 rfc.max_transmit = 0;
3475 rfc.retrans_timeout = 0;
3476 rfc.monitor_timeout = 0;
3477 rfc.max_pdu_size = 0;
3478
3479 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3480 (unsigned long) &rfc, endptr - ptr);
3481 break;
3482
3483 case L2CAP_MODE_ERTM:
3484 rfc.mode = L2CAP_MODE_ERTM;
3485 rfc.max_transmit = chan->max_tx;
3486
3487 __l2cap_set_ertm_timeouts(chan, &rfc);
3488
3489 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3490 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3491 L2CAP_FCS_SIZE);
3492 rfc.max_pdu_size = cpu_to_le16(size);
3493
3494 l2cap_txwin_setup(chan);
3495
3496 rfc.txwin_size = min_t(u16, chan->tx_win,
3497 L2CAP_DEFAULT_TX_WINDOW);
3498
3499 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3500 (unsigned long) &rfc, endptr - ptr);
3501
3502 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3503 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3504
3505 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3506 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3507 chan->tx_win, endptr - ptr);
3508
3509 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3510 if (chan->fcs == L2CAP_FCS_NONE ||
3511 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3512 chan->fcs = L2CAP_FCS_NONE;
3513 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3514 chan->fcs, endptr - ptr);
3515 }
3516 break;
3517
3518 case L2CAP_MODE_STREAMING:
3519 l2cap_txwin_setup(chan);
3520 rfc.mode = L2CAP_MODE_STREAMING;
3521 rfc.txwin_size = 0;
3522 rfc.max_transmit = 0;
3523 rfc.retrans_timeout = 0;
3524 rfc.monitor_timeout = 0;
3525
3526 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3527 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3528 L2CAP_FCS_SIZE);
3529 rfc.max_pdu_size = cpu_to_le16(size);
3530
3531 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3532 (unsigned long) &rfc, endptr - ptr);
3533
3534 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3535 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3536
3537 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3538 if (chan->fcs == L2CAP_FCS_NONE ||
3539 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3540 chan->fcs = L2CAP_FCS_NONE;
3541 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3542 chan->fcs, endptr - ptr);
3543 }
3544 break;
3545 }
3546
3547 req->dcid = cpu_to_le16(chan->dcid);
3548 req->flags = cpu_to_le16(0);
3549
3550 return ptr - data;
3551}
3552
3553static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3554{
3555 struct l2cap_conf_rsp *rsp = data;
3556 void *ptr = rsp->data;
3557 void *endptr = data + data_size;
3558 void *req = chan->conf_req;
3559 int len = chan->conf_len;
3560 int type, hint, olen;
3561 unsigned long val;
3562 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3563 struct l2cap_conf_efs efs;
3564 u8 remote_efs = 0;
3565 u16 mtu = L2CAP_DEFAULT_MTU;
3566 u16 result = L2CAP_CONF_SUCCESS;
3567 u16 size;
3568
3569 BT_DBG("chan %p", chan);
3570
3571 while (len >= L2CAP_CONF_OPT_SIZE) {
3572 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3573 if (len < 0)
3574 break;
3575
3576 hint = type & L2CAP_CONF_HINT;
3577 type &= L2CAP_CONF_MASK;
3578
3579 switch (type) {
3580 case L2CAP_CONF_MTU:
3581 if (olen != 2)
3582 break;
3583 mtu = val;
3584 break;
3585
3586 case L2CAP_CONF_FLUSH_TO:
3587 if (olen != 2)
3588 break;
3589 chan->flush_to = val;
3590 break;
3591
3592 case L2CAP_CONF_QOS:
3593 break;
3594
3595 case L2CAP_CONF_RFC:
3596 if (olen != sizeof(rfc))
3597 break;
3598 memcpy(&rfc, (void *) val, olen);
3599 break;
3600
3601 case L2CAP_CONF_FCS:
3602 if (olen != 1)
3603 break;
3604 if (val == L2CAP_FCS_NONE)
3605 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3606 break;
3607
3608 case L2CAP_CONF_EFS:
3609 if (olen != sizeof(efs))
3610 break;
3611 remote_efs = 1;
3612 memcpy(&efs, (void *) val, olen);
3613 break;
3614
3615 case L2CAP_CONF_EWS:
3616 if (olen != 2)
3617 break;
3618 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3619 return -ECONNREFUSED;
3620 set_bit(FLAG_EXT_CTRL, &chan->flags);
3621 set_bit(CONF_EWS_RECV, &chan->conf_state);
3622 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3623 chan->remote_tx_win = val;
3624 break;
3625
3626 default:
3627 if (hint)
3628 break;
3629 result = L2CAP_CONF_UNKNOWN;
3630 *((u8 *) ptr++) = type;
3631 break;
3632 }
3633 }
3634
3635 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3636 goto done;
3637
3638 switch (chan->mode) {
3639 case L2CAP_MODE_STREAMING:
3640 case L2CAP_MODE_ERTM:
3641 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3642 chan->mode = l2cap_select_mode(rfc.mode,
3643 chan->conn->feat_mask);
3644 break;
3645 }
3646
3647 if (remote_efs) {
3648 if (__l2cap_efs_supported(chan->conn))
3649 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3650 else
3651 return -ECONNREFUSED;
3652 }
3653
3654 if (chan->mode != rfc.mode)
3655 return -ECONNREFUSED;
3656
3657 break;
3658 }
3659
3660done:
3661 if (chan->mode != rfc.mode) {
3662 result = L2CAP_CONF_UNACCEPT;
3663 rfc.mode = chan->mode;
3664
3665 if (chan->num_conf_rsp == 1)
3666 return -ECONNREFUSED;
3667
3668 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3669 (unsigned long) &rfc, endptr - ptr);
3670 }
3671
3672 if (result == L2CAP_CONF_SUCCESS) {
3673
3674
3675
3676 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3677 result = L2CAP_CONF_UNACCEPT;
3678 else {
3679 chan->omtu = mtu;
3680 set_bit(CONF_MTU_DONE, &chan->conf_state);
3681 }
3682 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3683
3684 if (remote_efs) {
3685 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3686 efs.stype != L2CAP_SERV_NOTRAFIC &&
3687 efs.stype != chan->local_stype) {
3688
3689 result = L2CAP_CONF_UNACCEPT;
3690
3691 if (chan->num_conf_req >= 1)
3692 return -ECONNREFUSED;
3693
3694 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3695 sizeof(efs),
3696 (unsigned long) &efs, endptr - ptr);
3697 } else {
3698
3699 result = L2CAP_CONF_PENDING;
3700 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3701 }
3702 }
3703
3704 switch (rfc.mode) {
3705 case L2CAP_MODE_BASIC:
3706 chan->fcs = L2CAP_FCS_NONE;
3707 set_bit(CONF_MODE_DONE, &chan->conf_state);
3708 break;
3709
3710 case L2CAP_MODE_ERTM:
3711 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3712 chan->remote_tx_win = rfc.txwin_size;
3713 else
3714 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3715
3716 chan->remote_max_tx = rfc.max_transmit;
3717
3718 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3719 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3720 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3721 rfc.max_pdu_size = cpu_to_le16(size);
3722 chan->remote_mps = size;
3723
3724 __l2cap_set_ertm_timeouts(chan, &rfc);
3725
3726 set_bit(CONF_MODE_DONE, &chan->conf_state);
3727
3728 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3729 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3730
3731 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3732 chan->remote_id = efs.id;
3733 chan->remote_stype = efs.stype;
3734 chan->remote_msdu = le16_to_cpu(efs.msdu);
3735 chan->remote_flush_to =
3736 le32_to_cpu(efs.flush_to);
3737 chan->remote_acc_lat =
3738 le32_to_cpu(efs.acc_lat);
3739 chan->remote_sdu_itime =
3740 le32_to_cpu(efs.sdu_itime);
3741 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3742 sizeof(efs),
3743 (unsigned long) &efs, endptr - ptr);
3744 }
3745 break;
3746
3747 case L2CAP_MODE_STREAMING:
3748 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3749 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3750 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3751 rfc.max_pdu_size = cpu_to_le16(size);
3752 chan->remote_mps = size;
3753
3754 set_bit(CONF_MODE_DONE, &chan->conf_state);
3755
3756 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3757 (unsigned long) &rfc, endptr - ptr);
3758
3759 break;
3760
3761 default:
3762 result = L2CAP_CONF_UNACCEPT;
3763
3764 memset(&rfc, 0, sizeof(rfc));
3765 rfc.mode = chan->mode;
3766 }
3767
3768 if (result == L2CAP_CONF_SUCCESS)
3769 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3770 }
3771 rsp->scid = cpu_to_le16(chan->dcid);
3772 rsp->result = cpu_to_le16(result);
3773 rsp->flags = cpu_to_le16(0);
3774
3775 return ptr - data;
3776}
3777
3778static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3779 void *data, size_t size, u16 *result)
3780{
3781 struct l2cap_conf_req *req = data;
3782 void *ptr = req->data;
3783 void *endptr = data + size;
3784 int type, olen;
3785 unsigned long val;
3786 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3787 struct l2cap_conf_efs efs;
3788
3789 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3790
3791 while (len >= L2CAP_CONF_OPT_SIZE) {
3792 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3793 if (len < 0)
3794 break;
3795
3796 switch (type) {
3797 case L2CAP_CONF_MTU:
3798 if (olen != 2)
3799 break;
3800 if (val < L2CAP_DEFAULT_MIN_MTU) {
3801 *result = L2CAP_CONF_UNACCEPT;
3802 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3803 } else
3804 chan->imtu = val;
3805 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3806 endptr - ptr);
3807 break;
3808
3809 case L2CAP_CONF_FLUSH_TO:
3810 if (olen != 2)
3811 break;
3812 chan->flush_to = val;
3813 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3814 chan->flush_to, endptr - ptr);
3815 break;
3816
3817 case L2CAP_CONF_RFC:
3818 if (olen != sizeof(rfc))
3819 break;
3820 memcpy(&rfc, (void *)val, olen);
3821 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3822 rfc.mode != chan->mode)
3823 return -ECONNREFUSED;
3824 chan->fcs = 0;
3825 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3826 (unsigned long) &rfc, endptr - ptr);
3827 break;
3828
3829 case L2CAP_CONF_EWS:
3830 if (olen != 2)
3831 break;
3832 chan->ack_win = min_t(u16, val, chan->ack_win);
3833 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3834 chan->tx_win, endptr - ptr);
3835 break;
3836
3837 case L2CAP_CONF_EFS:
3838 if (olen != sizeof(efs))
3839 break;
3840 memcpy(&efs, (void *)val, olen);
3841 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3842 efs.stype != L2CAP_SERV_NOTRAFIC &&
3843 efs.stype != chan->local_stype)
3844 return -ECONNREFUSED;
3845 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3846 (unsigned long) &efs, endptr - ptr);
3847 break;
3848
3849 case L2CAP_CONF_FCS:
3850 if (olen != 1)
3851 break;
3852 if (*result == L2CAP_CONF_PENDING)
3853 if (val == L2CAP_FCS_NONE)
3854 set_bit(CONF_RECV_NO_FCS,
3855 &chan->conf_state);
3856 break;
3857 }
3858 }
3859
3860 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3861 return -ECONNREFUSED;
3862
3863 chan->mode = rfc.mode;
3864
3865 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3866 switch (rfc.mode) {
3867 case L2CAP_MODE_ERTM:
3868 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3869 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3870 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3871 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3872 chan->ack_win = min_t(u16, chan->ack_win,
3873 rfc.txwin_size);
3874
3875 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3876 chan->local_msdu = le16_to_cpu(efs.msdu);
3877 chan->local_sdu_itime =
3878 le32_to_cpu(efs.sdu_itime);
3879 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3880 chan->local_flush_to =
3881 le32_to_cpu(efs.flush_to);
3882 }
3883 break;
3884
3885 case L2CAP_MODE_STREAMING:
3886 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3887 }
3888 }
3889
3890 req->dcid = cpu_to_le16(chan->dcid);
3891 req->flags = cpu_to_le16(0);
3892
3893 return ptr - data;
3894}
3895
3896static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3897 u16 result, u16 flags)
3898{
3899 struct l2cap_conf_rsp *rsp = data;
3900 void *ptr = rsp->data;
3901
3902 BT_DBG("chan %p", chan);
3903
3904 rsp->scid = cpu_to_le16(chan->dcid);
3905 rsp->result = cpu_to_le16(result);
3906 rsp->flags = cpu_to_le16(flags);
3907
3908 return ptr - data;
3909}
3910
3911void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3912{
3913 struct l2cap_le_conn_rsp rsp;
3914 struct l2cap_conn *conn = chan->conn;
3915
3916 BT_DBG("chan %p", chan);
3917
3918 rsp.dcid = cpu_to_le16(chan->scid);
3919 rsp.mtu = cpu_to_le16(chan->imtu);
3920 rsp.mps = cpu_to_le16(chan->mps);
3921 rsp.credits = cpu_to_le16(chan->rx_credits);
3922 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3923
3924 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3925 &rsp);
3926}
3927
3928void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3929{
3930 struct {
3931 struct l2cap_ecred_conn_rsp rsp;
3932 __le16 dcid[5];
3933 } __packed pdu;
3934 struct l2cap_conn *conn = chan->conn;
3935 u16 ident = chan->ident;
3936 int i = 0;
3937
3938 if (!ident)
3939 return;
3940
3941 BT_DBG("chan %p ident %d", chan, ident);
3942
3943 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3944 pdu.rsp.mps = cpu_to_le16(chan->mps);
3945 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3946 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3947
3948 mutex_lock(&conn->chan_lock);
3949
3950 list_for_each_entry(chan, &conn->chan_l, list) {
3951 if (chan->ident != ident)
3952 continue;
3953
3954
3955 chan->ident = 0;
3956
3957
3958 pdu.dcid[i++] = cpu_to_le16(chan->scid);
3959 }
3960
3961 mutex_unlock(&conn->chan_lock);
3962
3963 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3964 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3965}
3966
3967void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3968{
3969 struct l2cap_conn_rsp rsp;
3970 struct l2cap_conn *conn = chan->conn;
3971 u8 buf[128];
3972 u8 rsp_code;
3973
3974 rsp.scid = cpu_to_le16(chan->dcid);
3975 rsp.dcid = cpu_to_le16(chan->scid);
3976 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3977 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3978
3979 if (chan->hs_hcon)
3980 rsp_code = L2CAP_CREATE_CHAN_RSP;
3981 else
3982 rsp_code = L2CAP_CONN_RSP;
3983
3984 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3985
3986 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3987
3988 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3989 return;
3990
3991 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3992 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3993 chan->num_conf_req++;
3994}
3995
3996static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3997{
3998 int type, olen;
3999 unsigned long val;
4000
4001
4002
4003 u16 txwin_ext = chan->ack_win;
4004 struct l2cap_conf_rfc rfc = {
4005 .mode = chan->mode,
4006 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
4007 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
4008 .max_pdu_size = cpu_to_le16(chan->imtu),
4009 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
4010 };
4011
4012 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
4013
4014 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
4015 return;
4016
4017 while (len >= L2CAP_CONF_OPT_SIZE) {
4018 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
4019 if (len < 0)
4020 break;
4021
4022 switch (type) {
4023 case L2CAP_CONF_RFC:
4024 if (olen != sizeof(rfc))
4025 break;
4026 memcpy(&rfc, (void *)val, olen);
4027 break;
4028 case L2CAP_CONF_EWS:
4029 if (olen != 2)
4030 break;
4031 txwin_ext = val;
4032 break;
4033 }
4034 }
4035
4036 switch (rfc.mode) {
4037 case L2CAP_MODE_ERTM:
4038 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
4039 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
4040 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4041 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4042 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
4043 else
4044 chan->ack_win = min_t(u16, chan->ack_win,
4045 rfc.txwin_size);
4046 break;
4047 case L2CAP_MODE_STREAMING:
4048 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4049 }
4050}
4051
4052static inline int l2cap_command_rej(struct l2cap_conn *conn,
4053 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4054 u8 *data)
4055{
4056 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4057
4058 if (cmd_len < sizeof(*rej))
4059 return -EPROTO;
4060
4061 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4062 return 0;
4063
4064 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
4065 cmd->ident == conn->info_ident) {
4066 cancel_delayed_work(&conn->info_timer);
4067
4068 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4069 conn->info_ident = 0;
4070
4071 l2cap_conn_start(conn);
4072 }
4073
4074 return 0;
4075}
4076
4077static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
4078 struct l2cap_cmd_hdr *cmd,
4079 u8 *data, u8 rsp_code, u8 amp_id)
4080{
4081 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
4082 struct l2cap_conn_rsp rsp;
4083 struct l2cap_chan *chan = NULL, *pchan;
4084 int result, status = L2CAP_CS_NO_INFO;
4085
4086 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
4087 __le16 psm = req->psm;
4088
4089 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
4090
4091
4092 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4093 &conn->hcon->dst, ACL_LINK);
4094 if (!pchan) {
4095 result = L2CAP_CR_BAD_PSM;
4096 goto sendresp;
4097 }
4098
4099 mutex_lock(&conn->chan_lock);
4100 l2cap_chan_lock(pchan);
4101
4102
4103 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
4104 !hci_conn_check_link_mode(conn->hcon)) {
4105 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
4106 result = L2CAP_CR_SEC_BLOCK;
4107 goto response;
4108 }
4109
4110 result = L2CAP_CR_NO_MEM;
4111
4112
4113 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4114 result = L2CAP_CR_INVALID_SCID;
4115 goto response;
4116 }
4117
4118
4119 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4120 result = L2CAP_CR_SCID_IN_USE;
4121 goto response;
4122 }
4123
4124 chan = pchan->ops->new_connection(pchan);
4125 if (!chan)
4126 goto response;
4127
4128
4129
4130
4131
4132
4133 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4134
4135 bacpy(&chan->src, &conn->hcon->src);
4136 bacpy(&chan->dst, &conn->hcon->dst);
4137 chan->src_type = bdaddr_src_type(conn->hcon);
4138 chan->dst_type = bdaddr_dst_type(conn->hcon);
4139 chan->psm = psm;
4140 chan->dcid = scid;
4141 chan->local_amp_id = amp_id;
4142
4143 __l2cap_chan_add(conn, chan);
4144
4145 dcid = chan->scid;
4146
4147 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4148
4149 chan->ident = cmd->ident;
4150
4151 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4152 if (l2cap_chan_check_security(chan, false)) {
4153 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4154 l2cap_state_change(chan, BT_CONNECT2);
4155 result = L2CAP_CR_PEND;
4156 status = L2CAP_CS_AUTHOR_PEND;
4157 chan->ops->defer(chan);
4158 } else {
4159
4160
4161
4162
4163 if (amp_id == AMP_ID_BREDR) {
4164 l2cap_state_change(chan, BT_CONFIG);
4165 result = L2CAP_CR_SUCCESS;
4166 } else {
4167 l2cap_state_change(chan, BT_CONNECT2);
4168 result = L2CAP_CR_PEND;
4169 }
4170 status = L2CAP_CS_NO_INFO;
4171 }
4172 } else {
4173 l2cap_state_change(chan, BT_CONNECT2);
4174 result = L2CAP_CR_PEND;
4175 status = L2CAP_CS_AUTHEN_PEND;
4176 }
4177 } else {
4178 l2cap_state_change(chan, BT_CONNECT2);
4179 result = L2CAP_CR_PEND;
4180 status = L2CAP_CS_NO_INFO;
4181 }
4182
4183response:
4184 l2cap_chan_unlock(pchan);
4185 mutex_unlock(&conn->chan_lock);
4186 l2cap_chan_put(pchan);
4187
4188sendresp:
4189 rsp.scid = cpu_to_le16(scid);
4190 rsp.dcid = cpu_to_le16(dcid);
4191 rsp.result = cpu_to_le16(result);
4192 rsp.status = cpu_to_le16(status);
4193 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4194
4195 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4196 struct l2cap_info_req info;
4197 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4198
4199 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4200 conn->info_ident = l2cap_get_ident(conn);
4201
4202 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4203
4204 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4205 sizeof(info), &info);
4206 }
4207
4208 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4209 result == L2CAP_CR_SUCCESS) {
4210 u8 buf[128];
4211 set_bit(CONF_REQ_SENT, &chan->conf_state);
4212 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4213 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4214 chan->num_conf_req++;
4215 }
4216
4217 return chan;
4218}
4219
4220static int l2cap_connect_req(struct l2cap_conn *conn,
4221 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4222{
4223 struct hci_dev *hdev = conn->hcon->hdev;
4224 struct hci_conn *hcon = conn->hcon;
4225
4226 if (cmd_len < sizeof(struct l2cap_conn_req))
4227 return -EPROTO;
4228
4229 hci_dev_lock(hdev);
4230 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4231 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4232 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
4233 hci_dev_unlock(hdev);
4234
4235 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4236 return 0;
4237}
4238
4239static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4240 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4241 u8 *data)
4242{
4243 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4244 u16 scid, dcid, result, status;
4245 struct l2cap_chan *chan;
4246 u8 req[128];
4247 int err;
4248
4249 if (cmd_len < sizeof(*rsp))
4250 return -EPROTO;
4251
4252 scid = __le16_to_cpu(rsp->scid);
4253 dcid = __le16_to_cpu(rsp->dcid);
4254 result = __le16_to_cpu(rsp->result);
4255 status = __le16_to_cpu(rsp->status);
4256
4257 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4258 dcid, scid, result, status);
4259
4260 mutex_lock(&conn->chan_lock);
4261
4262 if (scid) {
4263 chan = __l2cap_get_chan_by_scid(conn, scid);
4264 if (!chan) {
4265 err = -EBADSLT;
4266 goto unlock;
4267 }
4268 } else {
4269 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4270 if (!chan) {
4271 err = -EBADSLT;
4272 goto unlock;
4273 }
4274 }
4275
4276 err = 0;
4277
4278 l2cap_chan_lock(chan);
4279
4280 switch (result) {
4281 case L2CAP_CR_SUCCESS:
4282 l2cap_state_change(chan, BT_CONFIG);
4283 chan->ident = 0;
4284 chan->dcid = dcid;
4285 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4286
4287 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4288 break;
4289
4290 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4291 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4292 chan->num_conf_req++;
4293 break;
4294
4295 case L2CAP_CR_PEND:
4296 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4297 break;
4298
4299 default:
4300 l2cap_chan_del(chan, ECONNREFUSED);
4301 break;
4302 }
4303
4304 l2cap_chan_unlock(chan);
4305
4306unlock:
4307 mutex_unlock(&conn->chan_lock);
4308
4309 return err;
4310}
4311
4312static inline void set_default_fcs(struct l2cap_chan *chan)
4313{
4314
4315
4316
4317 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4318 chan->fcs = L2CAP_FCS_NONE;
4319 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4320 chan->fcs = L2CAP_FCS_CRC16;
4321}
4322
4323static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4324 u8 ident, u16 flags)
4325{
4326 struct l2cap_conn *conn = chan->conn;
4327
4328 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4329 flags);
4330
4331 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4332 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4333
4334 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4335 l2cap_build_conf_rsp(chan, data,
4336 L2CAP_CONF_SUCCESS, flags), data);
4337}
4338
4339static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4340 u16 scid, u16 dcid)
4341{
4342 struct l2cap_cmd_rej_cid rej;
4343
4344 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4345 rej.scid = __cpu_to_le16(scid);
4346 rej.dcid = __cpu_to_le16(dcid);
4347
4348 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4349}
4350
4351static inline int l2cap_config_req(struct l2cap_conn *conn,
4352 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4353 u8 *data)
4354{
4355 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4356 u16 dcid, flags;
4357 u8 rsp[64];
4358 struct l2cap_chan *chan;
4359 int len, err = 0;
4360
4361 if (cmd_len < sizeof(*req))
4362 return -EPROTO;
4363
4364 dcid = __le16_to_cpu(req->dcid);
4365 flags = __le16_to_cpu(req->flags);
4366
4367 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4368
4369 chan = l2cap_get_chan_by_scid(conn, dcid);
4370 if (!chan) {
4371 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4372 return 0;
4373 }
4374
4375 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4376 chan->state != BT_CONNECTED) {
4377 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4378 chan->dcid);
4379 goto unlock;
4380 }
4381
4382
4383 len = cmd_len - sizeof(*req);
4384 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4385 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4386 l2cap_build_conf_rsp(chan, rsp,
4387 L2CAP_CONF_REJECT, flags), rsp);
4388 goto unlock;
4389 }
4390
4391
4392 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4393 chan->conf_len += len;
4394
4395 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4396
4397 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4398 l2cap_build_conf_rsp(chan, rsp,
4399 L2CAP_CONF_SUCCESS, flags), rsp);
4400 goto unlock;
4401 }
4402
4403
4404 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4405 if (len < 0) {
4406 l2cap_send_disconn_req(chan, ECONNRESET);
4407 goto unlock;
4408 }
4409
4410 chan->ident = cmd->ident;
4411 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4412 chan->num_conf_rsp++;
4413
4414
4415 chan->conf_len = 0;
4416
4417 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4418 goto unlock;
4419
4420 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4421 set_default_fcs(chan);
4422
4423 if (chan->mode == L2CAP_MODE_ERTM ||
4424 chan->mode == L2CAP_MODE_STREAMING)
4425 err = l2cap_ertm_init(chan);
4426
4427 if (err < 0)
4428 l2cap_send_disconn_req(chan, -err);
4429 else
4430 l2cap_chan_ready(chan);
4431
4432 goto unlock;
4433 }
4434
4435 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4436 u8 buf[64];
4437 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4438 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4439 chan->num_conf_req++;
4440 }
4441
4442
4443
4444 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4445 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4446
4447
4448
4449
4450 if (!chan->hs_hcon)
4451 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4452 else
4453 chan->ident = cmd->ident;
4454 }
4455
4456unlock:
4457 l2cap_chan_unlock(chan);
4458 return err;
4459}
4460
4461static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4462 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4463 u8 *data)
4464{
4465 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4466 u16 scid, flags, result;
4467 struct l2cap_chan *chan;
4468 int len = cmd_len - sizeof(*rsp);
4469 int err = 0;
4470
4471 if (cmd_len < sizeof(*rsp))
4472 return -EPROTO;
4473
4474 scid = __le16_to_cpu(rsp->scid);
4475 flags = __le16_to_cpu(rsp->flags);
4476 result = __le16_to_cpu(rsp->result);
4477
4478 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4479 result, len);
4480
4481 chan = l2cap_get_chan_by_scid(conn, scid);
4482 if (!chan)
4483 return 0;
4484
4485 switch (result) {
4486 case L2CAP_CONF_SUCCESS:
4487 l2cap_conf_rfc_get(chan, rsp->data, len);
4488 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4489 break;
4490
4491 case L2CAP_CONF_PENDING:
4492 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4493
4494 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4495 char buf[64];
4496
4497 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4498 buf, sizeof(buf), &result);
4499 if (len < 0) {
4500 l2cap_send_disconn_req(chan, ECONNRESET);
4501 goto done;
4502 }
4503
4504 if (!chan->hs_hcon) {
4505 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4506 0);
4507 } else {
4508 if (l2cap_check_efs(chan)) {
4509 amp_create_logical_link(chan);
4510 chan->ident = cmd->ident;
4511 }
4512 }
4513 }
4514 goto done;
4515
4516 case L2CAP_CONF_UNACCEPT:
4517 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4518 char req[64];
4519
4520 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4521 l2cap_send_disconn_req(chan, ECONNRESET);
4522 goto done;
4523 }
4524
4525
4526 result = L2CAP_CONF_SUCCESS;
4527 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4528 req, sizeof(req), &result);
4529 if (len < 0) {
4530 l2cap_send_disconn_req(chan, ECONNRESET);
4531 goto done;
4532 }
4533
4534 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4535 L2CAP_CONF_REQ, len, req);
4536 chan->num_conf_req++;
4537 if (result != L2CAP_CONF_SUCCESS)
4538 goto done;
4539 break;
4540 }
4541 fallthrough;
4542
4543 default:
4544 l2cap_chan_set_err(chan, ECONNRESET);
4545
4546 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4547 l2cap_send_disconn_req(chan, ECONNRESET);
4548 goto done;
4549 }
4550
4551 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4552 goto done;
4553
4554 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4555
4556 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4557 set_default_fcs(chan);
4558
4559 if (chan->mode == L2CAP_MODE_ERTM ||
4560 chan->mode == L2CAP_MODE_STREAMING)
4561 err = l2cap_ertm_init(chan);
4562
4563 if (err < 0)
4564 l2cap_send_disconn_req(chan, -err);
4565 else
4566 l2cap_chan_ready(chan);
4567 }
4568
4569done:
4570 l2cap_chan_unlock(chan);
4571 return err;
4572}
4573
4574static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4575 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4576 u8 *data)
4577{
4578 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4579 struct l2cap_disconn_rsp rsp;
4580 u16 dcid, scid;
4581 struct l2cap_chan *chan;
4582
4583 if (cmd_len != sizeof(*req))
4584 return -EPROTO;
4585
4586 scid = __le16_to_cpu(req->scid);
4587 dcid = __le16_to_cpu(req->dcid);
4588
4589 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4590
4591 mutex_lock(&conn->chan_lock);
4592
4593 chan = __l2cap_get_chan_by_scid(conn, dcid);
4594 if (!chan) {
4595 mutex_unlock(&conn->chan_lock);
4596 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4597 return 0;
4598 }
4599
4600 l2cap_chan_hold(chan);
4601 l2cap_chan_lock(chan);
4602
4603 rsp.dcid = cpu_to_le16(chan->scid);
4604 rsp.scid = cpu_to_le16(chan->dcid);
4605 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4606
4607 chan->ops->set_shutdown(chan);
4608
4609 l2cap_chan_del(chan, ECONNRESET);
4610
4611 chan->ops->close(chan);
4612
4613 l2cap_chan_unlock(chan);
4614 l2cap_chan_put(chan);
4615
4616 mutex_unlock(&conn->chan_lock);
4617
4618 return 0;
4619}
4620
4621static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4622 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4623 u8 *data)
4624{
4625 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4626 u16 dcid, scid;
4627 struct l2cap_chan *chan;
4628
4629 if (cmd_len != sizeof(*rsp))
4630 return -EPROTO;
4631
4632 scid = __le16_to_cpu(rsp->scid);
4633 dcid = __le16_to_cpu(rsp->dcid);
4634
4635 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4636
4637 mutex_lock(&conn->chan_lock);
4638
4639 chan = __l2cap_get_chan_by_scid(conn, scid);
4640 if (!chan) {
4641 mutex_unlock(&conn->chan_lock);
4642 return 0;
4643 }
4644
4645 l2cap_chan_hold(chan);
4646 l2cap_chan_lock(chan);
4647
4648 if (chan->state != BT_DISCONN) {
4649 l2cap_chan_unlock(chan);
4650 l2cap_chan_put(chan);
4651 mutex_unlock(&conn->chan_lock);
4652 return 0;
4653 }
4654
4655 l2cap_chan_del(chan, 0);
4656
4657 chan->ops->close(chan);
4658
4659 l2cap_chan_unlock(chan);
4660 l2cap_chan_put(chan);
4661
4662 mutex_unlock(&conn->chan_lock);
4663
4664 return 0;
4665}
4666
4667static inline int l2cap_information_req(struct l2cap_conn *conn,
4668 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4669 u8 *data)
4670{
4671 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4672 u16 type;
4673
4674 if (cmd_len != sizeof(*req))
4675 return -EPROTO;
4676
4677 type = __le16_to_cpu(req->type);
4678
4679 BT_DBG("type 0x%4.4x", type);
4680
4681 if (type == L2CAP_IT_FEAT_MASK) {
4682 u8 buf[8];
4683 u32 feat_mask = l2cap_feat_mask;
4684 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4685 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4686 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4687 if (!disable_ertm)
4688 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4689 | L2CAP_FEAT_FCS;
4690 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4691 feat_mask |= L2CAP_FEAT_EXT_FLOW
4692 | L2CAP_FEAT_EXT_WINDOW;
4693
4694 put_unaligned_le32(feat_mask, rsp->data);
4695 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4696 buf);
4697 } else if (type == L2CAP_IT_FIXED_CHAN) {
4698 u8 buf[12];
4699 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4700
4701 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4702 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4703 rsp->data[0] = conn->local_fixed_chan;
4704 memset(rsp->data + 1, 0, 7);
4705 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4706 buf);
4707 } else {
4708 struct l2cap_info_rsp rsp;
4709 rsp.type = cpu_to_le16(type);
4710 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4711 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4712 &rsp);
4713 }
4714
4715 return 0;
4716}
4717
4718static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4719 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4720 u8 *data)
4721{
4722 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4723 u16 type, result;
4724
4725 if (cmd_len < sizeof(*rsp))
4726 return -EPROTO;
4727
4728 type = __le16_to_cpu(rsp->type);
4729 result = __le16_to_cpu(rsp->result);
4730
4731 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4732
4733
4734 if (cmd->ident != conn->info_ident ||
4735 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4736 return 0;
4737
4738 cancel_delayed_work(&conn->info_timer);
4739
4740 if (result != L2CAP_IR_SUCCESS) {
4741 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4742 conn->info_ident = 0;
4743
4744 l2cap_conn_start(conn);
4745
4746 return 0;
4747 }
4748
4749 switch (type) {
4750 case L2CAP_IT_FEAT_MASK:
4751 conn->feat_mask = get_unaligned_le32(rsp->data);
4752
4753 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4754 struct l2cap_info_req req;
4755 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4756
4757 conn->info_ident = l2cap_get_ident(conn);
4758
4759 l2cap_send_cmd(conn, conn->info_ident,
4760 L2CAP_INFO_REQ, sizeof(req), &req);
4761 } else {
4762 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4763 conn->info_ident = 0;
4764
4765 l2cap_conn_start(conn);
4766 }
4767 break;
4768
4769 case L2CAP_IT_FIXED_CHAN:
4770 conn->remote_fixed_chan = rsp->data[0];
4771 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4772 conn->info_ident = 0;
4773
4774 l2cap_conn_start(conn);
4775 break;
4776 }
4777
4778 return 0;
4779}
4780
4781static int l2cap_create_channel_req(struct l2cap_conn *conn,
4782 struct l2cap_cmd_hdr *cmd,
4783 u16 cmd_len, void *data)
4784{
4785 struct l2cap_create_chan_req *req = data;
4786 struct l2cap_create_chan_rsp rsp;
4787 struct l2cap_chan *chan;
4788 struct hci_dev *hdev;
4789 u16 psm, scid;
4790
4791 if (cmd_len != sizeof(*req))
4792 return -EPROTO;
4793
4794 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4795 return -EINVAL;
4796
4797 psm = le16_to_cpu(req->psm);
4798 scid = le16_to_cpu(req->scid);
4799
4800 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4801
4802
4803 if (req->amp_id == AMP_ID_BREDR) {
4804 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4805 req->amp_id);
4806 return 0;
4807 }
4808
4809
4810 hdev = hci_dev_get(req->amp_id);
4811 if (!hdev)
4812 goto error;
4813
4814 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4815 hci_dev_put(hdev);
4816 goto error;
4817 }
4818
4819 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4820 req->amp_id);
4821 if (chan) {
4822 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4823 struct hci_conn *hs_hcon;
4824
4825 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4826 &conn->hcon->dst);
4827 if (!hs_hcon) {
4828 hci_dev_put(hdev);
4829 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4830 chan->dcid);
4831 return 0;
4832 }
4833
4834 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4835
4836 mgr->bredr_chan = chan;
4837 chan->hs_hcon = hs_hcon;
4838 chan->fcs = L2CAP_FCS_NONE;
4839 conn->mtu = hdev->block_mtu;
4840 }
4841
4842 hci_dev_put(hdev);
4843
4844 return 0;
4845
4846error:
4847 rsp.dcid = 0;
4848 rsp.scid = cpu_to_le16(scid);
4849 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4850 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4851
4852 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4853 sizeof(rsp), &rsp);
4854
4855 return 0;
4856}
4857
4858static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4859{
4860 struct l2cap_move_chan_req req;
4861 u8 ident;
4862
4863 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4864
4865 ident = l2cap_get_ident(chan->conn);
4866 chan->ident = ident;
4867
4868 req.icid = cpu_to_le16(chan->scid);
4869 req.dest_amp_id = dest_amp_id;
4870
4871 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4872 &req);
4873
4874 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4875}
4876
4877static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4878{
4879 struct l2cap_move_chan_rsp rsp;
4880
4881 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4882
4883 rsp.icid = cpu_to_le16(chan->dcid);
4884 rsp.result = cpu_to_le16(result);
4885
4886 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4887 sizeof(rsp), &rsp);
4888}
4889
4890static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4891{
4892 struct l2cap_move_chan_cfm cfm;
4893
4894 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4895
4896 chan->ident = l2cap_get_ident(chan->conn);
4897
4898 cfm.icid = cpu_to_le16(chan->scid);
4899 cfm.result = cpu_to_le16(result);
4900
4901 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4902 sizeof(cfm), &cfm);
4903
4904 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4905}
4906
4907static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4908{
4909 struct l2cap_move_chan_cfm cfm;
4910
4911 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4912
4913 cfm.icid = cpu_to_le16(icid);
4914 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4915
4916 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4917 sizeof(cfm), &cfm);
4918}
4919
4920static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4921 u16 icid)
4922{
4923 struct l2cap_move_chan_cfm_rsp rsp;
4924
4925 BT_DBG("icid 0x%4.4x", icid);
4926
4927 rsp.icid = cpu_to_le16(icid);
4928 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4929}
4930
4931static void __release_logical_link(struct l2cap_chan *chan)
4932{
4933 chan->hs_hchan = NULL;
4934 chan->hs_hcon = NULL;
4935
4936
4937}
4938
4939static void l2cap_logical_fail(struct l2cap_chan *chan)
4940{
4941
4942 if (chan->state != BT_CONNECTED) {
4943
4944 l2cap_send_disconn_req(chan, ECONNRESET);
4945 return;
4946 }
4947
4948 switch (chan->move_role) {
4949 case L2CAP_MOVE_ROLE_RESPONDER:
4950 l2cap_move_done(chan);
4951 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4952 break;
4953 case L2CAP_MOVE_ROLE_INITIATOR:
4954 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4955 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4956
4957
4958
4959 l2cap_move_done(chan);
4960 }
4961
4962
4963
4964
4965 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4966 break;
4967 }
4968}
4969
4970static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4971 struct hci_chan *hchan)
4972{
4973 struct l2cap_conf_rsp rsp;
4974
4975 chan->hs_hchan = hchan;
4976 chan->hs_hcon->l2cap_data = chan->conn;
4977
4978 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4979
4980 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4981 int err;
4982
4983 set_default_fcs(chan);
4984
4985 err = l2cap_ertm_init(chan);
4986 if (err < 0)
4987 l2cap_send_disconn_req(chan, -err);
4988 else
4989 l2cap_chan_ready(chan);
4990 }
4991}
4992
4993static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4994 struct hci_chan *hchan)
4995{
4996 chan->hs_hcon = hchan->conn;
4997 chan->hs_hcon->l2cap_data = chan->conn;
4998
4999 BT_DBG("move_state %d", chan->move_state);
5000
5001 switch (chan->move_state) {
5002 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5003
5004
5005
5006 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5007 break;
5008 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
5009 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5010 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5011 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5012 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5013 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5014 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5015 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5016 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5017 }
5018 break;
5019 default:
5020
5021 __release_logical_link(chan);
5022
5023 chan->move_state = L2CAP_MOVE_STABLE;
5024 }
5025}
5026
5027
5028void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
5029 u8 status)
5030{
5031 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
5032
5033 if (status) {
5034 l2cap_logical_fail(chan);
5035 __release_logical_link(chan);
5036 return;
5037 }
5038
5039 if (chan->state != BT_CONNECTED) {
5040
5041 if (chan->local_amp_id != AMP_ID_BREDR)
5042 l2cap_logical_finish_create(chan, hchan);
5043 } else {
5044 l2cap_logical_finish_move(chan, hchan);
5045 }
5046}
5047
5048void l2cap_move_start(struct l2cap_chan *chan)
5049{
5050 BT_DBG("chan %p", chan);
5051
5052 if (chan->local_amp_id == AMP_ID_BREDR) {
5053 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
5054 return;
5055 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5056 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5057
5058 } else {
5059 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5060 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5061 chan->move_id = 0;
5062 l2cap_move_setup(chan);
5063 l2cap_send_move_chan_req(chan, 0);
5064 }
5065}
5066
5067static void l2cap_do_create(struct l2cap_chan *chan, int result,
5068 u8 local_amp_id, u8 remote_amp_id)
5069{
5070 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
5071 local_amp_id, remote_amp_id);
5072
5073 chan->fcs = L2CAP_FCS_NONE;
5074
5075
5076 if (chan->state == BT_CONNECT) {
5077 if (result == L2CAP_CR_SUCCESS) {
5078 chan->local_amp_id = local_amp_id;
5079 l2cap_send_create_chan_req(chan, remote_amp_id);
5080 } else {
5081
5082 l2cap_send_conn_req(chan);
5083 }
5084
5085 return;
5086 }
5087
5088
5089 if (__l2cap_no_conn_pending(chan)) {
5090 struct l2cap_conn_rsp rsp;
5091 char buf[128];
5092 rsp.scid = cpu_to_le16(chan->dcid);
5093 rsp.dcid = cpu_to_le16(chan->scid);
5094
5095 if (result == L2CAP_CR_SUCCESS) {
5096
5097 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
5098 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5099 } else {
5100
5101 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
5102 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5103 }
5104
5105 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
5106 sizeof(rsp), &rsp);
5107
5108 if (result == L2CAP_CR_SUCCESS) {
5109 l2cap_state_change(chan, BT_CONFIG);
5110 set_bit(CONF_REQ_SENT, &chan->conf_state);
5111 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
5112 L2CAP_CONF_REQ,
5113 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
5114 chan->num_conf_req++;
5115 }
5116 }
5117}
5118
5119static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
5120 u8 remote_amp_id)
5121{
5122 l2cap_move_setup(chan);
5123 chan->move_id = local_amp_id;
5124 chan->move_state = L2CAP_MOVE_WAIT_RSP;
5125
5126 l2cap_send_move_chan_req(chan, remote_amp_id);
5127}
5128
5129static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
5130{
5131 struct hci_chan *hchan = NULL;
5132
5133
5134
5135 if (hchan) {
5136 if (hchan->state == BT_CONNECTED) {
5137
5138 chan->hs_hcon = hchan->conn;
5139 chan->hs_hcon->l2cap_data = chan->conn;
5140 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5141 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5142
5143 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5144 } else {
5145
5146 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5147 }
5148 } else {
5149
5150 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5151 }
5152}
5153
5154static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5155{
5156 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5157 u8 rsp_result;
5158 if (result == -EINVAL)
5159 rsp_result = L2CAP_MR_BAD_ID;
5160 else
5161 rsp_result = L2CAP_MR_NOT_ALLOWED;
5162
5163 l2cap_send_move_chan_rsp(chan, rsp_result);
5164 }
5165
5166 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5167 chan->move_state = L2CAP_MOVE_STABLE;
5168
5169
5170 l2cap_ertm_send(chan);
5171}
5172
5173
5174void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5175{
5176 u8 local_amp_id = chan->local_amp_id;
5177 u8 remote_amp_id = chan->remote_amp_id;
5178
5179 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5180 chan, result, local_amp_id, remote_amp_id);
5181
5182 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
5183 return;
5184
5185 if (chan->state != BT_CONNECTED) {
5186 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5187 } else if (result != L2CAP_MR_SUCCESS) {
5188 l2cap_do_move_cancel(chan, result);
5189 } else {
5190 switch (chan->move_role) {
5191 case L2CAP_MOVE_ROLE_INITIATOR:
5192 l2cap_do_move_initiate(chan, local_amp_id,
5193 remote_amp_id);
5194 break;
5195 case L2CAP_MOVE_ROLE_RESPONDER:
5196 l2cap_do_move_respond(chan, result);
5197 break;
5198 default:
5199 l2cap_do_move_cancel(chan, result);
5200 break;
5201 }
5202 }
5203}
5204
5205static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5206 struct l2cap_cmd_hdr *cmd,
5207 u16 cmd_len, void *data)
5208{
5209 struct l2cap_move_chan_req *req = data;
5210 struct l2cap_move_chan_rsp rsp;
5211 struct l2cap_chan *chan;
5212 u16 icid = 0;
5213 u16 result = L2CAP_MR_NOT_ALLOWED;
5214
5215 if (cmd_len != sizeof(*req))
5216 return -EPROTO;
5217
5218 icid = le16_to_cpu(req->icid);
5219
5220 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5221
5222 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
5223 return -EINVAL;
5224
5225 chan = l2cap_get_chan_by_dcid(conn, icid);
5226 if (!chan) {
5227 rsp.icid = cpu_to_le16(icid);
5228 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5229 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5230 sizeof(rsp), &rsp);
5231 return 0;
5232 }
5233
5234 chan->ident = cmd->ident;
5235
5236 if (chan->scid < L2CAP_CID_DYN_START ||
5237 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5238 (chan->mode != L2CAP_MODE_ERTM &&
5239 chan->mode != L2CAP_MODE_STREAMING)) {
5240 result = L2CAP_MR_NOT_ALLOWED;
5241 goto send_move_response;
5242 }
5243
5244 if (chan->local_amp_id == req->dest_amp_id) {
5245 result = L2CAP_MR_SAME_ID;
5246 goto send_move_response;
5247 }
5248
5249 if (req->dest_amp_id != AMP_ID_BREDR) {
5250 struct hci_dev *hdev;
5251 hdev = hci_dev_get(req->dest_amp_id);
5252 if (!hdev || hdev->dev_type != HCI_AMP ||
5253 !test_bit(HCI_UP, &hdev->flags)) {
5254 if (hdev)
5255 hci_dev_put(hdev);
5256
5257 result = L2CAP_MR_BAD_ID;
5258 goto send_move_response;
5259 }
5260 hci_dev_put(hdev);
5261 }
5262
5263
5264
5265
5266
5267 if ((__chan_is_moving(chan) ||
5268 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5269 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5270 result = L2CAP_MR_COLLISION;
5271 goto send_move_response;
5272 }
5273
5274 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5275 l2cap_move_setup(chan);
5276 chan->move_id = req->dest_amp_id;
5277
5278 if (req->dest_amp_id == AMP_ID_BREDR) {
5279
5280 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5281 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5282 result = L2CAP_MR_PEND;
5283 } else {
5284 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5285 result = L2CAP_MR_SUCCESS;
5286 }
5287 } else {
5288 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5289
5290
5291 result = L2CAP_MR_PEND;
5292 }
5293
5294send_move_response:
5295 l2cap_send_move_chan_rsp(chan, result);
5296
5297 l2cap_chan_unlock(chan);
5298
5299 return 0;
5300}
5301
5302static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5303{
5304 struct l2cap_chan *chan;
5305 struct hci_chan *hchan = NULL;
5306
5307 chan = l2cap_get_chan_by_scid(conn, icid);
5308 if (!chan) {
5309 l2cap_send_move_chan_cfm_icid(conn, icid);
5310 return;
5311 }
5312
5313 __clear_chan_timer(chan);
5314 if (result == L2CAP_MR_PEND)
5315 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5316
5317 switch (chan->move_state) {
5318 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5319
5320
5321
5322 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5323 break;
5324 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5325 if (result == L2CAP_MR_PEND) {
5326 break;
5327 } else if (test_bit(CONN_LOCAL_BUSY,
5328 &chan->conn_state)) {
5329 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5330 } else {
5331
5332
5333
5334 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5335 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5336 }
5337 break;
5338 case L2CAP_MOVE_WAIT_RSP:
5339
5340 if (result == L2CAP_MR_SUCCESS) {
5341
5342
5343
5344 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5345 } else {
5346
5347
5348
5349 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5350 }
5351
5352
5353 if (!hchan) {
5354
5355 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5356 break;
5357 }
5358
5359
5360
5361
5362 if (hchan->state != BT_CONNECTED)
5363 break;
5364
5365
5366
5367 chan->hs_hcon = hchan->conn;
5368 chan->hs_hcon->l2cap_data = chan->conn;
5369
5370 if (result == L2CAP_MR_SUCCESS) {
5371
5372 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5373 } else {
5374
5375
5376
5377 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5378 }
5379
5380 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5381 break;
5382 default:
5383
5384 chan->move_id = chan->local_amp_id;
5385 l2cap_move_done(chan);
5386 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5387 }
5388
5389 l2cap_chan_unlock(chan);
5390}
5391
5392static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5393 u16 result)
5394{
5395 struct l2cap_chan *chan;
5396
5397 chan = l2cap_get_chan_by_ident(conn, ident);
5398 if (!chan) {
5399
5400 l2cap_send_move_chan_cfm_icid(conn, icid);
5401 return;
5402 }
5403
5404 __clear_chan_timer(chan);
5405
5406 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5407 if (result == L2CAP_MR_COLLISION) {
5408 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5409 } else {
5410
5411 chan->move_id = chan->local_amp_id;
5412 l2cap_move_done(chan);
5413 }
5414 }
5415
5416 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5417
5418 l2cap_chan_unlock(chan);
5419}
5420
5421static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5422 struct l2cap_cmd_hdr *cmd,
5423 u16 cmd_len, void *data)
5424{
5425 struct l2cap_move_chan_rsp *rsp = data;
5426 u16 icid, result;
5427
5428 if (cmd_len != sizeof(*rsp))
5429 return -EPROTO;
5430
5431 icid = le16_to_cpu(rsp->icid);
5432 result = le16_to_cpu(rsp->result);
5433
5434 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5435
5436 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5437 l2cap_move_continue(conn, icid, result);
5438 else
5439 l2cap_move_fail(conn, cmd->ident, icid, result);
5440
5441 return 0;
5442}
5443
5444static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5445 struct l2cap_cmd_hdr *cmd,
5446 u16 cmd_len, void *data)
5447{
5448 struct l2cap_move_chan_cfm *cfm = data;
5449 struct l2cap_chan *chan;
5450 u16 icid, result;
5451
5452 if (cmd_len != sizeof(*cfm))
5453 return -EPROTO;
5454
5455 icid = le16_to_cpu(cfm->icid);
5456 result = le16_to_cpu(cfm->result);
5457
5458 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5459
5460 chan = l2cap_get_chan_by_dcid(conn, icid);
5461 if (!chan) {
5462
5463 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5464 return 0;
5465 }
5466
5467 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5468 if (result == L2CAP_MC_CONFIRMED) {
5469 chan->local_amp_id = chan->move_id;
5470 if (chan->local_amp_id == AMP_ID_BREDR)
5471 __release_logical_link(chan);
5472 } else {
5473 chan->move_id = chan->local_amp_id;
5474 }
5475
5476 l2cap_move_done(chan);
5477 }
5478
5479 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5480
5481 l2cap_chan_unlock(chan);
5482
5483 return 0;
5484}
5485
5486static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5487 struct l2cap_cmd_hdr *cmd,
5488 u16 cmd_len, void *data)
5489{
5490 struct l2cap_move_chan_cfm_rsp *rsp = data;
5491 struct l2cap_chan *chan;
5492 u16 icid;
5493
5494 if (cmd_len != sizeof(*rsp))
5495 return -EPROTO;
5496
5497 icid = le16_to_cpu(rsp->icid);
5498
5499 BT_DBG("icid 0x%4.4x", icid);
5500
5501 chan = l2cap_get_chan_by_scid(conn, icid);
5502 if (!chan)
5503 return 0;
5504
5505 __clear_chan_timer(chan);
5506
5507 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5508 chan->local_amp_id = chan->move_id;
5509
5510 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5511 __release_logical_link(chan);
5512
5513 l2cap_move_done(chan);
5514 }
5515
5516 l2cap_chan_unlock(chan);
5517
5518 return 0;
5519}
5520
5521static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5522 struct l2cap_cmd_hdr *cmd,
5523 u16 cmd_len, u8 *data)
5524{
5525 struct hci_conn *hcon = conn->hcon;
5526 struct l2cap_conn_param_update_req *req;
5527 struct l2cap_conn_param_update_rsp rsp;
5528 u16 min, max, latency, to_multiplier;
5529 int err;
5530
5531 if (hcon->role != HCI_ROLE_MASTER)
5532 return -EINVAL;
5533
5534 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5535 return -EPROTO;
5536
5537 req = (struct l2cap_conn_param_update_req *) data;
5538 min = __le16_to_cpu(req->min);
5539 max = __le16_to_cpu(req->max);
5540 latency = __le16_to_cpu(req->latency);
5541 to_multiplier = __le16_to_cpu(req->to_multiplier);
5542
5543 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5544 min, max, latency, to_multiplier);
5545
5546 memset(&rsp, 0, sizeof(rsp));
5547
5548 err = hci_check_conn_params(min, max, latency, to_multiplier);
5549 if (err)
5550 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5551 else
5552 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5553
5554 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5555 sizeof(rsp), &rsp);
5556
5557 if (!err) {
5558 u8 store_hint;
5559
5560 store_hint = hci_le_conn_update(hcon, min, max, latency,
5561 to_multiplier);
5562 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5563 store_hint, min, max, latency,
5564 to_multiplier);
5565
5566 }
5567
5568 return 0;
5569}
5570
5571static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5572 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5573 u8 *data)
5574{
5575 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5576 struct hci_conn *hcon = conn->hcon;
5577 u16 dcid, mtu, mps, credits, result;
5578 struct l2cap_chan *chan;
5579 int err, sec_level;
5580
5581 if (cmd_len < sizeof(*rsp))
5582 return -EPROTO;
5583
5584 dcid = __le16_to_cpu(rsp->dcid);
5585 mtu = __le16_to_cpu(rsp->mtu);
5586 mps = __le16_to_cpu(rsp->mps);
5587 credits = __le16_to_cpu(rsp->credits);
5588 result = __le16_to_cpu(rsp->result);
5589
5590 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5591 dcid < L2CAP_CID_DYN_START ||
5592 dcid > L2CAP_CID_LE_DYN_END))
5593 return -EPROTO;
5594
5595 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5596 dcid, mtu, mps, credits, result);
5597
5598 mutex_lock(&conn->chan_lock);
5599
5600 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5601 if (!chan) {
5602 err = -EBADSLT;
5603 goto unlock;
5604 }
5605
5606 err = 0;
5607
5608 l2cap_chan_lock(chan);
5609
5610 switch (result) {
5611 case L2CAP_CR_LE_SUCCESS:
5612 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5613 err = -EBADSLT;
5614 break;
5615 }
5616
5617 chan->ident = 0;
5618 chan->dcid = dcid;
5619 chan->omtu = mtu;
5620 chan->remote_mps = mps;
5621 chan->tx_credits = credits;
5622 l2cap_chan_ready(chan);
5623 break;
5624
5625 case L2CAP_CR_LE_AUTHENTICATION:
5626 case L2CAP_CR_LE_ENCRYPTION:
5627
5628
5629
5630 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5631 l2cap_chan_del(chan, ECONNREFUSED);
5632 break;
5633 }
5634
5635 sec_level = hcon->sec_level + 1;
5636 if (chan->sec_level < sec_level)
5637 chan->sec_level = sec_level;
5638
5639
5640 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5641
5642 smp_conn_security(hcon, chan->sec_level);
5643 break;
5644
5645 default:
5646 l2cap_chan_del(chan, ECONNREFUSED);
5647 break;
5648 }
5649
5650 l2cap_chan_unlock(chan);
5651
5652unlock:
5653 mutex_unlock(&conn->chan_lock);
5654
5655 return err;
5656}
5657
5658static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5659 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5660 u8 *data)
5661{
5662 int err = 0;
5663
5664 switch (cmd->code) {
5665 case L2CAP_COMMAND_REJ:
5666 l2cap_command_rej(conn, cmd, cmd_len, data);
5667 break;
5668
5669 case L2CAP_CONN_REQ:
5670 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5671 break;
5672
5673 case L2CAP_CONN_RSP:
5674 case L2CAP_CREATE_CHAN_RSP:
5675 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5676 break;
5677
5678 case L2CAP_CONF_REQ:
5679 err = l2cap_config_req(conn, cmd, cmd_len, data);
5680 break;
5681
5682 case L2CAP_CONF_RSP:
5683 l2cap_config_rsp(conn, cmd, cmd_len, data);
5684 break;
5685
5686 case L2CAP_DISCONN_REQ:
5687 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5688 break;
5689
5690 case L2CAP_DISCONN_RSP:
5691 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5692 break;
5693
5694 case L2CAP_ECHO_REQ:
5695 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5696 break;
5697
5698 case L2CAP_ECHO_RSP:
5699 break;
5700
5701 case L2CAP_INFO_REQ:
5702 err = l2cap_information_req(conn, cmd, cmd_len, data);
5703 break;
5704
5705 case L2CAP_INFO_RSP:
5706 l2cap_information_rsp(conn, cmd, cmd_len, data);
5707 break;
5708
5709 case L2CAP_CREATE_CHAN_REQ:
5710 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5711 break;
5712
5713 case L2CAP_MOVE_CHAN_REQ:
5714 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5715 break;
5716
5717 case L2CAP_MOVE_CHAN_RSP:
5718 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5719 break;
5720
5721 case L2CAP_MOVE_CHAN_CFM:
5722 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5723 break;
5724
5725 case L2CAP_MOVE_CHAN_CFM_RSP:
5726 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5727 break;
5728
5729 default:
5730 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5731 err = -EINVAL;
5732 break;
5733 }
5734
5735 return err;
5736}
5737
5738static int l2cap_le_connect_req(struct l2cap_conn *conn,
5739 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5740 u8 *data)
5741{
5742 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5743 struct l2cap_le_conn_rsp rsp;
5744 struct l2cap_chan *chan, *pchan;
5745 u16 dcid, scid, credits, mtu, mps;
5746 __le16 psm;
5747 u8 result;
5748
5749 if (cmd_len != sizeof(*req))
5750 return -EPROTO;
5751
5752 scid = __le16_to_cpu(req->scid);
5753 mtu = __le16_to_cpu(req->mtu);
5754 mps = __le16_to_cpu(req->mps);
5755 psm = req->psm;
5756 dcid = 0;
5757 credits = 0;
5758
5759 if (mtu < 23 || mps < 23)
5760 return -EPROTO;
5761
5762 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5763 scid, mtu, mps);
5764
5765
5766 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5767 &conn->hcon->dst, LE_LINK);
5768 if (!pchan) {
5769 result = L2CAP_CR_LE_BAD_PSM;
5770 chan = NULL;
5771 goto response;
5772 }
5773
5774 mutex_lock(&conn->chan_lock);
5775 l2cap_chan_lock(pchan);
5776
5777 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5778 SMP_ALLOW_STK)) {
5779 result = L2CAP_CR_LE_AUTHENTICATION;
5780 chan = NULL;
5781 goto response_unlock;
5782 }
5783
5784
5785 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5786 result = L2CAP_CR_LE_INVALID_SCID;
5787 chan = NULL;
5788 goto response_unlock;
5789 }
5790
5791
5792 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5793 result = L2CAP_CR_LE_SCID_IN_USE;
5794 chan = NULL;
5795 goto response_unlock;
5796 }
5797
5798 chan = pchan->ops->new_connection(pchan);
5799 if (!chan) {
5800 result = L2CAP_CR_LE_NO_MEM;
5801 goto response_unlock;
5802 }
5803
5804 bacpy(&chan->src, &conn->hcon->src);
5805 bacpy(&chan->dst, &conn->hcon->dst);
5806 chan->src_type = bdaddr_src_type(conn->hcon);
5807 chan->dst_type = bdaddr_dst_type(conn->hcon);
5808 chan->psm = psm;
5809 chan->dcid = scid;
5810 chan->omtu = mtu;
5811 chan->remote_mps = mps;
5812
5813 __l2cap_chan_add(conn, chan);
5814
5815 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5816
5817 dcid = chan->scid;
5818 credits = chan->rx_credits;
5819
5820 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5821
5822 chan->ident = cmd->ident;
5823
5824 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5825 l2cap_state_change(chan, BT_CONNECT2);
5826
5827
5828
5829
5830
5831 result = L2CAP_CR_PEND;
5832 chan->ops->defer(chan);
5833 } else {
5834 l2cap_chan_ready(chan);
5835 result = L2CAP_CR_LE_SUCCESS;
5836 }
5837
5838response_unlock:
5839 l2cap_chan_unlock(pchan);
5840 mutex_unlock(&conn->chan_lock);
5841 l2cap_chan_put(pchan);
5842
5843 if (result == L2CAP_CR_PEND)
5844 return 0;
5845
5846response:
5847 if (chan) {
5848 rsp.mtu = cpu_to_le16(chan->imtu);
5849 rsp.mps = cpu_to_le16(chan->mps);
5850 } else {
5851 rsp.mtu = 0;
5852 rsp.mps = 0;
5853 }
5854
5855 rsp.dcid = cpu_to_le16(dcid);
5856 rsp.credits = cpu_to_le16(credits);
5857 rsp.result = cpu_to_le16(result);
5858
5859 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5860
5861 return 0;
5862}
5863
5864static inline int l2cap_le_credits(struct l2cap_conn *conn,
5865 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5866 u8 *data)
5867{
5868 struct l2cap_le_credits *pkt;
5869 struct l2cap_chan *chan;
5870 u16 cid, credits, max_credits;
5871
5872 if (cmd_len != sizeof(*pkt))
5873 return -EPROTO;
5874
5875 pkt = (struct l2cap_le_credits *) data;
5876 cid = __le16_to_cpu(pkt->cid);
5877 credits = __le16_to_cpu(pkt->credits);
5878
5879 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5880
5881 chan = l2cap_get_chan_by_dcid(conn, cid);
5882 if (!chan)
5883 return -EBADSLT;
5884
5885 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5886 if (credits > max_credits) {
5887 BT_ERR("LE credits overflow");
5888 l2cap_send_disconn_req(chan, ECONNRESET);
5889 l2cap_chan_unlock(chan);
5890
5891
5892
5893
5894 return 0;
5895 }
5896
5897 chan->tx_credits += credits;
5898
5899
5900 l2cap_le_flowctl_send(chan);
5901
5902 if (chan->tx_credits)
5903 chan->ops->resume(chan);
5904
5905 l2cap_chan_unlock(chan);
5906
5907 return 0;
5908}
5909
5910static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5911 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5912 u8 *data)
5913{
5914 struct l2cap_ecred_conn_req *req = (void *) data;
5915 struct {
5916 struct l2cap_ecred_conn_rsp rsp;
5917 __le16 dcid[5];
5918 } __packed pdu;
5919 struct l2cap_chan *chan, *pchan;
5920 u16 mtu, mps;
5921 __le16 psm;
5922 u8 result, len = 0;
5923 int i, num_scid;
5924 bool defer = false;
5925
5926 if (!enable_ecred)
5927 return -EINVAL;
5928
5929 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5930 result = L2CAP_CR_LE_INVALID_PARAMS;
5931 goto response;
5932 }
5933
5934 mtu = __le16_to_cpu(req->mtu);
5935 mps = __le16_to_cpu(req->mps);
5936
5937 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5938 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5939 goto response;
5940 }
5941
5942 psm = req->psm;
5943
5944 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5945
5946 memset(&pdu, 0, sizeof(pdu));
5947
5948
5949 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5950 &conn->hcon->dst, LE_LINK);
5951 if (!pchan) {
5952 result = L2CAP_CR_LE_BAD_PSM;
5953 goto response;
5954 }
5955
5956 mutex_lock(&conn->chan_lock);
5957 l2cap_chan_lock(pchan);
5958
5959 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5960 SMP_ALLOW_STK)) {
5961 result = L2CAP_CR_LE_AUTHENTICATION;
5962 goto unlock;
5963 }
5964
5965 result = L2CAP_CR_LE_SUCCESS;
5966 cmd_len -= sizeof(*req);
5967 num_scid = cmd_len / sizeof(u16);
5968
5969 for (i = 0; i < num_scid; i++) {
5970 u16 scid = __le16_to_cpu(req->scid[i]);
5971
5972 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5973
5974 pdu.dcid[i] = 0x0000;
5975 len += sizeof(*pdu.dcid);
5976
5977
5978 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5979 result = L2CAP_CR_LE_INVALID_SCID;
5980 continue;
5981 }
5982
5983
5984 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5985 result = L2CAP_CR_LE_SCID_IN_USE;
5986 continue;
5987 }
5988
5989 chan = pchan->ops->new_connection(pchan);
5990 if (!chan) {
5991 result = L2CAP_CR_LE_NO_MEM;
5992 continue;
5993 }
5994
5995 bacpy(&chan->src, &conn->hcon->src);
5996 bacpy(&chan->dst, &conn->hcon->dst);
5997 chan->src_type = bdaddr_src_type(conn->hcon);
5998 chan->dst_type = bdaddr_dst_type(conn->hcon);
5999 chan->psm = psm;
6000 chan->dcid = scid;
6001 chan->omtu = mtu;
6002 chan->remote_mps = mps;
6003
6004 __l2cap_chan_add(conn, chan);
6005
6006 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6007
6008
6009 if (!pdu.rsp.credits) {
6010 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6011 pdu.rsp.mps = cpu_to_le16(chan->mps);
6012 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6013 }
6014
6015 pdu.dcid[i] = cpu_to_le16(chan->scid);
6016
6017 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6018
6019 chan->ident = cmd->ident;
6020
6021 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6022 l2cap_state_change(chan, BT_CONNECT2);
6023 defer = true;
6024 chan->ops->defer(chan);
6025 } else {
6026 l2cap_chan_ready(chan);
6027 }
6028 }
6029
6030unlock:
6031 l2cap_chan_unlock(pchan);
6032 mutex_unlock(&conn->chan_lock);
6033 l2cap_chan_put(pchan);
6034
6035response:
6036 pdu.rsp.result = cpu_to_le16(result);
6037
6038 if (defer)
6039 return 0;
6040
6041 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6042 sizeof(pdu.rsp) + len, &pdu);
6043
6044 return 0;
6045}
6046
6047static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6048 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6049 u8 *data)
6050{
6051 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6052 struct hci_conn *hcon = conn->hcon;
6053 u16 mtu, mps, credits, result;
6054 struct l2cap_chan *chan;
6055 int err = 0, sec_level;
6056 int i = 0;
6057
6058 if (cmd_len < sizeof(*rsp))
6059 return -EPROTO;
6060
6061 mtu = __le16_to_cpu(rsp->mtu);
6062 mps = __le16_to_cpu(rsp->mps);
6063 credits = __le16_to_cpu(rsp->credits);
6064 result = __le16_to_cpu(rsp->result);
6065
6066 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6067 result);
6068
6069 mutex_lock(&conn->chan_lock);
6070
6071 cmd_len -= sizeof(*rsp);
6072
6073 list_for_each_entry(chan, &conn->chan_l, list) {
6074 u16 dcid;
6075
6076 if (chan->ident != cmd->ident ||
6077 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6078 chan->state == BT_CONNECTED)
6079 continue;
6080
6081 l2cap_chan_lock(chan);
6082
6083
6084 if (cmd_len < sizeof(dcid)) {
6085 l2cap_chan_del(chan, ECONNREFUSED);
6086 l2cap_chan_unlock(chan);
6087 continue;
6088 }
6089
6090 dcid = __le16_to_cpu(rsp->dcid[i++]);
6091 cmd_len -= sizeof(u16);
6092
6093 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6094
6095
6096 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6097
6098
6099
6100
6101
6102
6103 l2cap_chan_del(chan, ECONNREFUSED);
6104 l2cap_chan_unlock(chan);
6105 chan = __l2cap_get_chan_by_dcid(conn, dcid);
6106 l2cap_chan_lock(chan);
6107 l2cap_chan_del(chan, ECONNRESET);
6108 l2cap_chan_unlock(chan);
6109 continue;
6110 }
6111
6112 switch (result) {
6113 case L2CAP_CR_LE_AUTHENTICATION:
6114 case L2CAP_CR_LE_ENCRYPTION:
6115
6116
6117
6118 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6119 l2cap_chan_del(chan, ECONNREFUSED);
6120 break;
6121 }
6122
6123 sec_level = hcon->sec_level + 1;
6124 if (chan->sec_level < sec_level)
6125 chan->sec_level = sec_level;
6126
6127
6128 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6129
6130 smp_conn_security(hcon, chan->sec_level);
6131 break;
6132
6133 case L2CAP_CR_LE_BAD_PSM:
6134 l2cap_chan_del(chan, ECONNREFUSED);
6135 break;
6136
6137 default:
6138
6139 if (!dcid) {
6140 l2cap_chan_del(chan, ECONNREFUSED);
6141 break;
6142 }
6143
6144 chan->ident = 0;
6145 chan->dcid = dcid;
6146 chan->omtu = mtu;
6147 chan->remote_mps = mps;
6148 chan->tx_credits = credits;
6149 l2cap_chan_ready(chan);
6150 break;
6151 }
6152
6153 l2cap_chan_unlock(chan);
6154 }
6155
6156 mutex_unlock(&conn->chan_lock);
6157
6158 return err;
6159}
6160
6161static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6162 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6163 u8 *data)
6164{
6165 struct l2cap_ecred_reconf_req *req = (void *) data;
6166 struct l2cap_ecred_reconf_rsp rsp;
6167 u16 mtu, mps, result;
6168 struct l2cap_chan *chan;
6169 int i, num_scid;
6170
6171 if (!enable_ecred)
6172 return -EINVAL;
6173
6174 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6175 result = L2CAP_CR_LE_INVALID_PARAMS;
6176 goto respond;
6177 }
6178
6179 mtu = __le16_to_cpu(req->mtu);
6180 mps = __le16_to_cpu(req->mps);
6181
6182 BT_DBG("mtu %u mps %u", mtu, mps);
6183
6184 if (mtu < L2CAP_ECRED_MIN_MTU) {
6185 result = L2CAP_RECONF_INVALID_MTU;
6186 goto respond;
6187 }
6188
6189 if (mps < L2CAP_ECRED_MIN_MPS) {
6190 result = L2CAP_RECONF_INVALID_MPS;
6191 goto respond;
6192 }
6193
6194 cmd_len -= sizeof(*req);
6195 num_scid = cmd_len / sizeof(u16);
6196 result = L2CAP_RECONF_SUCCESS;
6197
6198 for (i = 0; i < num_scid; i++) {
6199 u16 scid;
6200
6201 scid = __le16_to_cpu(req->scid[i]);
6202 if (!scid)
6203 return -EPROTO;
6204
6205 chan = __l2cap_get_chan_by_dcid(conn, scid);
6206 if (!chan)
6207 continue;
6208
6209
6210
6211
6212
6213 if (chan->omtu > mtu) {
6214 BT_ERR("chan %p decreased MTU %u -> %u", chan,
6215 chan->omtu, mtu);
6216 result = L2CAP_RECONF_INVALID_MTU;
6217 }
6218
6219 chan->omtu = mtu;
6220 chan->remote_mps = mps;
6221 }
6222
6223respond:
6224 rsp.result = cpu_to_le16(result);
6225
6226 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6227 &rsp);
6228
6229 return 0;
6230}
6231
6232static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6233 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6234 u8 *data)
6235{
6236 struct l2cap_chan *chan;
6237 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6238 u16 result;
6239
6240 if (cmd_len < sizeof(*rsp))
6241 return -EPROTO;
6242
6243 result = __le16_to_cpu(rsp->result);
6244
6245 BT_DBG("result 0x%4.4x", rsp->result);
6246
6247 if (!result)
6248 return 0;
6249
6250 list_for_each_entry(chan, &conn->chan_l, list) {
6251 if (chan->ident != cmd->ident)
6252 continue;
6253
6254 l2cap_chan_del(chan, ECONNRESET);
6255 }
6256
6257 return 0;
6258}
6259
6260static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
6261 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6262 u8 *data)
6263{
6264 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
6265 struct l2cap_chan *chan;
6266
6267 if (cmd_len < sizeof(*rej))
6268 return -EPROTO;
6269
6270 mutex_lock(&conn->chan_lock);
6271
6272 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
6273 if (!chan)
6274 goto done;
6275
6276 l2cap_chan_lock(chan);
6277 l2cap_chan_del(chan, ECONNREFUSED);
6278 l2cap_chan_unlock(chan);
6279
6280done:
6281 mutex_unlock(&conn->chan_lock);
6282 return 0;
6283}
6284
6285static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
6286 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6287 u8 *data)
6288{
6289 int err = 0;
6290
6291 switch (cmd->code) {
6292 case L2CAP_COMMAND_REJ:
6293 l2cap_le_command_rej(conn, cmd, cmd_len, data);
6294 break;
6295
6296 case L2CAP_CONN_PARAM_UPDATE_REQ:
6297 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
6298 break;
6299
6300 case L2CAP_CONN_PARAM_UPDATE_RSP:
6301 break;
6302
6303 case L2CAP_LE_CONN_RSP:
6304 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
6305 break;
6306
6307 case L2CAP_LE_CONN_REQ:
6308 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
6309 break;
6310
6311 case L2CAP_LE_CREDITS:
6312 err = l2cap_le_credits(conn, cmd, cmd_len, data);
6313 break;
6314
6315 case L2CAP_ECRED_CONN_REQ:
6316 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6317 break;
6318
6319 case L2CAP_ECRED_CONN_RSP:
6320 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6321 break;
6322
6323 case L2CAP_ECRED_RECONF_REQ:
6324 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6325 break;
6326
6327 case L2CAP_ECRED_RECONF_RSP:
6328 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
6329 break;
6330
6331 case L2CAP_DISCONN_REQ:
6332 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
6333 break;
6334
6335 case L2CAP_DISCONN_RSP:
6336 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
6337 break;
6338
6339 default:
6340 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
6341 err = -EINVAL;
6342 break;
6343 }
6344
6345 return err;
6346}
6347
6348static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
6349 struct sk_buff *skb)
6350{
6351 struct hci_conn *hcon = conn->hcon;
6352 struct l2cap_cmd_hdr *cmd;
6353 u16 len;
6354 int err;
6355
6356 if (hcon->type != LE_LINK)
6357 goto drop;
6358
6359 if (skb->len < L2CAP_CMD_HDR_SIZE)
6360 goto drop;
6361
6362 cmd = (void *) skb->data;
6363 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6364
6365 len = le16_to_cpu(cmd->len);
6366
6367 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
6368
6369 if (len != skb->len || !cmd->ident) {
6370 BT_DBG("corrupted command");
6371 goto drop;
6372 }
6373
6374 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
6375 if (err) {
6376 struct l2cap_cmd_rej_unk rej;
6377
6378 BT_ERR("Wrong link type (%d)", err);
6379
6380 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6381 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6382 sizeof(rej), &rej);
6383 }
6384
6385drop:
6386 kfree_skb(skb);
6387}
6388
6389static inline void l2cap_sig_channel(struct l2cap_conn *conn,
6390 struct sk_buff *skb)
6391{
6392 struct hci_conn *hcon = conn->hcon;
6393 struct l2cap_cmd_hdr *cmd;
6394 int err;
6395
6396 l2cap_raw_recv(conn, skb);
6397
6398 if (hcon->type != ACL_LINK)
6399 goto drop;
6400
6401 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6402 u16 len;
6403
6404 cmd = (void *) skb->data;
6405 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6406
6407 len = le16_to_cpu(cmd->len);
6408
6409 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6410 cmd->ident);
6411
6412 if (len > skb->len || !cmd->ident) {
6413 BT_DBG("corrupted command");
6414 break;
6415 }
6416
6417 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
6418 if (err) {
6419 struct l2cap_cmd_rej_unk rej;
6420
6421 BT_ERR("Wrong link type (%d)", err);
6422
6423 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6424 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6425 sizeof(rej), &rej);
6426 }
6427
6428 skb_pull(skb, len);
6429 }
6430
6431drop:
6432 kfree_skb(skb);
6433}
6434
6435static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
6436{
6437 u16 our_fcs, rcv_fcs;
6438 int hdr_size;
6439
6440 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
6441 hdr_size = L2CAP_EXT_HDR_SIZE;
6442 else
6443 hdr_size = L2CAP_ENH_HDR_SIZE;
6444
6445 if (chan->fcs == L2CAP_FCS_CRC16) {
6446 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
6447 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
6448 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
6449
6450 if (our_fcs != rcv_fcs)
6451 return -EBADMSG;
6452 }
6453 return 0;
6454}
6455
6456static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
6457{
6458 struct l2cap_ctrl control;
6459
6460 BT_DBG("chan %p", chan);
6461
6462 memset(&control, 0, sizeof(control));
6463 control.sframe = 1;
6464 control.final = 1;
6465 control.reqseq = chan->buffer_seq;
6466 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6467
6468 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6469 control.super = L2CAP_SUPER_RNR;
6470 l2cap_send_sframe(chan, &control);
6471 }
6472
6473 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6474 chan->unacked_frames > 0)
6475 __set_retrans_timer(chan);
6476
6477
6478 l2cap_ertm_send(chan);
6479
6480 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6481 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
6482
6483
6484
6485 control.super = L2CAP_SUPER_RR;
6486 l2cap_send_sframe(chan, &control);
6487 }
6488}
6489
6490static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
6491 struct sk_buff **last_frag)
6492{
6493
6494
6495
6496 if (!skb_has_frag_list(skb))
6497 skb_shinfo(skb)->frag_list = new_frag;
6498
6499 new_frag->next = NULL;
6500
6501 (*last_frag)->next = new_frag;
6502 *last_frag = new_frag;
6503
6504 skb->len += new_frag->len;
6505 skb->data_len += new_frag->len;
6506 skb->truesize += new_frag->truesize;
6507}
6508
6509static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
6510 struct l2cap_ctrl *control)
6511{
6512 int err = -EINVAL;
6513
6514 switch (control->sar) {
6515 case L2CAP_SAR_UNSEGMENTED:
6516 if (chan->sdu)
6517 break;
6518
6519 err = chan->ops->recv(chan, skb);
6520 break;
6521
6522 case L2CAP_SAR_START:
6523 if (chan->sdu)
6524 break;
6525
6526 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
6527 break;
6528
6529 chan->sdu_len = get_unaligned_le16(skb->data);
6530 skb_pull(skb, L2CAP_SDULEN_SIZE);
6531
6532 if (chan->sdu_len > chan->imtu) {
6533 err = -EMSGSIZE;
6534 break;
6535 }
6536
6537 if (skb->len >= chan->sdu_len)
6538 break;
6539
6540 chan->sdu = skb;
6541 chan->sdu_last_frag = skb;
6542
6543 skb = NULL;
6544 err = 0;
6545 break;
6546
6547 case L2CAP_SAR_CONTINUE:
6548 if (!chan->sdu)
6549 break;
6550
6551 append_skb_frag(chan->sdu, skb,
6552 &chan->sdu_last_frag);
6553 skb = NULL;
6554
6555 if (chan->sdu->len >= chan->sdu_len)
6556 break;
6557
6558 err = 0;
6559 break;
6560
6561 case L2CAP_SAR_END:
6562 if (!chan->sdu)
6563 break;
6564
6565 append_skb_frag(chan->sdu, skb,
6566 &chan->sdu_last_frag);
6567 skb = NULL;
6568
6569 if (chan->sdu->len != chan->sdu_len)
6570 break;
6571
6572 err = chan->ops->recv(chan, chan->sdu);
6573
6574 if (!err) {
6575
6576 chan->sdu = NULL;
6577 chan->sdu_last_frag = NULL;
6578 chan->sdu_len = 0;
6579 }
6580 break;
6581 }
6582
6583 if (err) {
6584 kfree_skb(skb);
6585 kfree_skb(chan->sdu);
6586 chan->sdu = NULL;
6587 chan->sdu_last_frag = NULL;
6588 chan->sdu_len = 0;
6589 }
6590
6591 return err;
6592}
6593
6594static int l2cap_resegment(struct l2cap_chan *chan)
6595{
6596
6597 return 0;
6598}
6599
6600void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6601{
6602 u8 event;
6603
6604 if (chan->mode != L2CAP_MODE_ERTM)
6605 return;
6606
6607 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6608 l2cap_tx(chan, NULL, NULL, event);
6609}
6610
6611static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6612{
6613 int err = 0;
6614
6615
6616
6617
6618 BT_DBG("chan %p", chan);
6619
6620 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6621 struct sk_buff *skb;
6622 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6623 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6624
6625 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6626
6627 if (!skb)
6628 break;
6629
6630 skb_unlink(skb, &chan->srej_q);
6631 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6632 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6633 if (err)
6634 break;
6635 }
6636
6637 if (skb_queue_empty(&chan->srej_q)) {
6638 chan->rx_state = L2CAP_RX_STATE_RECV;
6639 l2cap_send_ack(chan);
6640 }
6641
6642 return err;
6643}
6644
6645static void l2cap_handle_srej(struct l2cap_chan *chan,
6646 struct l2cap_ctrl *control)
6647{
6648 struct sk_buff *skb;
6649
6650 BT_DBG("chan %p, control %p", chan, control);
6651
6652 if (control->reqseq == chan->next_tx_seq) {
6653 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6654 l2cap_send_disconn_req(chan, ECONNRESET);
6655 return;
6656 }
6657
6658 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6659
6660 if (skb == NULL) {
6661 BT_DBG("Seq %d not available for retransmission",
6662 control->reqseq);
6663 return;
6664 }
6665
6666 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6667 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6668 l2cap_send_disconn_req(chan, ECONNRESET);
6669 return;
6670 }
6671
6672 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6673
6674 if (control->poll) {
6675 l2cap_pass_to_tx(chan, control);
6676
6677 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6678 l2cap_retransmit(chan, control);
6679 l2cap_ertm_send(chan);
6680
6681 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6682 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6683 chan->srej_save_reqseq = control->reqseq;
6684 }
6685 } else {
6686 l2cap_pass_to_tx_fbit(chan, control);
6687
6688 if (control->final) {
6689 if (chan->srej_save_reqseq != control->reqseq ||
6690 !test_and_clear_bit(CONN_SREJ_ACT,
6691 &chan->conn_state))
6692 l2cap_retransmit(chan, control);
6693 } else {
6694 l2cap_retransmit(chan, control);
6695 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6696 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6697 chan->srej_save_reqseq = control->reqseq;
6698 }
6699 }
6700 }
6701}
6702
6703static void l2cap_handle_rej(struct l2cap_chan *chan,
6704 struct l2cap_ctrl *control)
6705{
6706 struct sk_buff *skb;
6707
6708 BT_DBG("chan %p, control %p", chan, control);
6709
6710 if (control->reqseq == chan->next_tx_seq) {
6711 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6712 l2cap_send_disconn_req(chan, ECONNRESET);
6713 return;
6714 }
6715
6716 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6717
6718 if (chan->max_tx && skb &&
6719 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6720 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6721 l2cap_send_disconn_req(chan, ECONNRESET);
6722 return;
6723 }
6724
6725 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6726
6727 l2cap_pass_to_tx(chan, control);
6728
6729 if (control->final) {
6730 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6731 l2cap_retransmit_all(chan, control);
6732 } else {
6733 l2cap_retransmit_all(chan, control);
6734 l2cap_ertm_send(chan);
6735 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6736 set_bit(CONN_REJ_ACT, &chan->conn_state);
6737 }
6738}
6739
6740static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6741{
6742 BT_DBG("chan %p, txseq %d", chan, txseq);
6743
6744 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6745 chan->expected_tx_seq);
6746
6747 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6748 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6749 chan->tx_win) {
6750
6751
6752
6753 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6754 BT_DBG("Invalid/Ignore - after SREJ");
6755 return L2CAP_TXSEQ_INVALID_IGNORE;
6756 } else {
6757 BT_DBG("Invalid - in window after SREJ sent");
6758 return L2CAP_TXSEQ_INVALID;
6759 }
6760 }
6761
6762 if (chan->srej_list.head == txseq) {
6763 BT_DBG("Expected SREJ");
6764 return L2CAP_TXSEQ_EXPECTED_SREJ;
6765 }
6766
6767 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6768 BT_DBG("Duplicate SREJ - txseq already stored");
6769 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6770 }
6771
6772 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6773 BT_DBG("Unexpected SREJ - not requested");
6774 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6775 }
6776 }
6777
6778 if (chan->expected_tx_seq == txseq) {
6779 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6780 chan->tx_win) {
6781 BT_DBG("Invalid - txseq outside tx window");
6782 return L2CAP_TXSEQ_INVALID;
6783 } else {
6784 BT_DBG("Expected");
6785 return L2CAP_TXSEQ_EXPECTED;
6786 }
6787 }
6788
6789 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6790 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6791 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6792 return L2CAP_TXSEQ_DUPLICATE;
6793 }
6794
6795 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6796
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
6807
6808
6809
6810
6811
6812
6813 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6814 BT_DBG("Invalid/Ignore - txseq outside tx window");
6815 return L2CAP_TXSEQ_INVALID_IGNORE;
6816 } else {
6817 BT_DBG("Invalid - txseq outside tx window");
6818 return L2CAP_TXSEQ_INVALID;
6819 }
6820 } else {
6821 BT_DBG("Unexpected - txseq indicates missing frames");
6822 return L2CAP_TXSEQ_UNEXPECTED;
6823 }
6824}
6825
6826static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6827 struct l2cap_ctrl *control,
6828 struct sk_buff *skb, u8 event)
6829{
6830 int err = 0;
6831 bool skb_in_use = false;
6832
6833 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6834 event);
6835
6836 switch (event) {
6837 case L2CAP_EV_RECV_IFRAME:
6838 switch (l2cap_classify_txseq(chan, control->txseq)) {
6839 case L2CAP_TXSEQ_EXPECTED:
6840 l2cap_pass_to_tx(chan, control);
6841
6842 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6843 BT_DBG("Busy, discarding expected seq %d",
6844 control->txseq);
6845 break;
6846 }
6847
6848 chan->expected_tx_seq = __next_seq(chan,
6849 control->txseq);
6850
6851 chan->buffer_seq = chan->expected_tx_seq;
6852 skb_in_use = true;
6853
6854 err = l2cap_reassemble_sdu(chan, skb, control);
6855 if (err)
6856 break;
6857
6858 if (control->final) {
6859 if (!test_and_clear_bit(CONN_REJ_ACT,
6860 &chan->conn_state)) {
6861 control->final = 0;
6862 l2cap_retransmit_all(chan, control);
6863 l2cap_ertm_send(chan);
6864 }
6865 }
6866
6867 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6868 l2cap_send_ack(chan);
6869 break;
6870 case L2CAP_TXSEQ_UNEXPECTED:
6871 l2cap_pass_to_tx(chan, control);
6872
6873
6874
6875
6876
6877 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6878 BT_DBG("Busy, discarding unexpected seq %d",
6879 control->txseq);
6880 break;
6881 }
6882
6883
6884
6885
6886
6887 skb_queue_tail(&chan->srej_q, skb);
6888 skb_in_use = true;
6889 BT_DBG("Queued %p (queue len %d)", skb,
6890 skb_queue_len(&chan->srej_q));
6891
6892 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6893 l2cap_seq_list_clear(&chan->srej_list);
6894 l2cap_send_srej(chan, control->txseq);
6895
6896 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6897 break;
6898 case L2CAP_TXSEQ_DUPLICATE:
6899 l2cap_pass_to_tx(chan, control);
6900 break;
6901 case L2CAP_TXSEQ_INVALID_IGNORE:
6902 break;
6903 case L2CAP_TXSEQ_INVALID:
6904 default:
6905 l2cap_send_disconn_req(chan, ECONNRESET);
6906 break;
6907 }
6908 break;
6909 case L2CAP_EV_RECV_RR:
6910 l2cap_pass_to_tx(chan, control);
6911 if (control->final) {
6912 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6913
6914 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6915 !__chan_is_moving(chan)) {
6916 control->final = 0;
6917 l2cap_retransmit_all(chan, control);
6918 }
6919
6920 l2cap_ertm_send(chan);
6921 } else if (control->poll) {
6922 l2cap_send_i_or_rr_or_rnr(chan);
6923 } else {
6924 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6925 &chan->conn_state) &&
6926 chan->unacked_frames)
6927 __set_retrans_timer(chan);
6928
6929 l2cap_ertm_send(chan);
6930 }
6931 break;
6932 case L2CAP_EV_RECV_RNR:
6933 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6934 l2cap_pass_to_tx(chan, control);
6935 if (control && control->poll) {
6936 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6937 l2cap_send_rr_or_rnr(chan, 0);
6938 }
6939 __clear_retrans_timer(chan);
6940 l2cap_seq_list_clear(&chan->retrans_list);
6941 break;
6942 case L2CAP_EV_RECV_REJ:
6943 l2cap_handle_rej(chan, control);
6944 break;
6945 case L2CAP_EV_RECV_SREJ:
6946 l2cap_handle_srej(chan, control);
6947 break;
6948 default:
6949 break;
6950 }
6951
6952 if (skb && !skb_in_use) {
6953 BT_DBG("Freeing %p", skb);
6954 kfree_skb(skb);
6955 }
6956
6957 return err;
6958}
6959
6960static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6961 struct l2cap_ctrl *control,
6962 struct sk_buff *skb, u8 event)
6963{
6964 int err = 0;
6965 u16 txseq = control->txseq;
6966 bool skb_in_use = false;
6967
6968 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6969 event);
6970
6971 switch (event) {
6972 case L2CAP_EV_RECV_IFRAME:
6973 switch (l2cap_classify_txseq(chan, txseq)) {
6974 case L2CAP_TXSEQ_EXPECTED:
6975
6976 l2cap_pass_to_tx(chan, control);
6977 skb_queue_tail(&chan->srej_q, skb);
6978 skb_in_use = true;
6979 BT_DBG("Queued %p (queue len %d)", skb,
6980 skb_queue_len(&chan->srej_q));
6981
6982 chan->expected_tx_seq = __next_seq(chan, txseq);
6983 break;
6984 case L2CAP_TXSEQ_EXPECTED_SREJ:
6985 l2cap_seq_list_pop(&chan->srej_list);
6986
6987 l2cap_pass_to_tx(chan, control);
6988 skb_queue_tail(&chan->srej_q, skb);
6989 skb_in_use = true;
6990 BT_DBG("Queued %p (queue len %d)", skb,
6991 skb_queue_len(&chan->srej_q));
6992
6993 err = l2cap_rx_queued_iframes(chan);
6994 if (err)
6995 break;
6996
6997 break;
6998 case L2CAP_TXSEQ_UNEXPECTED:
6999
7000
7001
7002
7003 skb_queue_tail(&chan->srej_q, skb);
7004 skb_in_use = true;
7005 BT_DBG("Queued %p (queue len %d)", skb,
7006 skb_queue_len(&chan->srej_q));
7007
7008 l2cap_pass_to_tx(chan, control);
7009 l2cap_send_srej(chan, control->txseq);
7010 break;
7011 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
7012
7013
7014
7015
7016
7017 skb_queue_tail(&chan->srej_q, skb);
7018 skb_in_use = true;
7019 BT_DBG("Queued %p (queue len %d)", skb,
7020 skb_queue_len(&chan->srej_q));
7021
7022 l2cap_pass_to_tx(chan, control);
7023 l2cap_send_srej_list(chan, control->txseq);
7024 break;
7025 case L2CAP_TXSEQ_DUPLICATE_SREJ:
7026
7027 l2cap_pass_to_tx(chan, control);
7028 break;
7029 case L2CAP_TXSEQ_DUPLICATE:
7030
7031
7032
7033 break;
7034 case L2CAP_TXSEQ_INVALID_IGNORE:
7035 break;
7036 case L2CAP_TXSEQ_INVALID:
7037 default:
7038 l2cap_send_disconn_req(chan, ECONNRESET);
7039 break;
7040 }
7041 break;
7042 case L2CAP_EV_RECV_RR:
7043 l2cap_pass_to_tx(chan, control);
7044 if (control->final) {
7045 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7046
7047 if (!test_and_clear_bit(CONN_REJ_ACT,
7048 &chan->conn_state)) {
7049 control->final = 0;
7050 l2cap_retransmit_all(chan, control);
7051 }
7052
7053 l2cap_ertm_send(chan);
7054 } else if (control->poll) {
7055 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7056 &chan->conn_state) &&
7057 chan->unacked_frames) {
7058 __set_retrans_timer(chan);
7059 }
7060
7061 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7062 l2cap_send_srej_tail(chan);
7063 } else {
7064 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7065 &chan->conn_state) &&
7066 chan->unacked_frames)
7067 __set_retrans_timer(chan);
7068
7069 l2cap_send_ack(chan);
7070 }
7071 break;
7072 case L2CAP_EV_RECV_RNR:
7073 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7074 l2cap_pass_to_tx(chan, control);
7075 if (control->poll) {
7076 l2cap_send_srej_tail(chan);
7077 } else {
7078 struct l2cap_ctrl rr_control;
7079 memset(&rr_control, 0, sizeof(rr_control));
7080 rr_control.sframe = 1;
7081 rr_control.super = L2CAP_SUPER_RR;
7082 rr_control.reqseq = chan->buffer_seq;
7083 l2cap_send_sframe(chan, &rr_control);
7084 }
7085
7086 break;
7087 case L2CAP_EV_RECV_REJ:
7088 l2cap_handle_rej(chan, control);
7089 break;
7090 case L2CAP_EV_RECV_SREJ:
7091 l2cap_handle_srej(chan, control);
7092 break;
7093 }
7094
7095 if (skb && !skb_in_use) {
7096 BT_DBG("Freeing %p", skb);
7097 kfree_skb(skb);
7098 }
7099
7100 return err;
7101}
7102
7103static int l2cap_finish_move(struct l2cap_chan *chan)
7104{
7105 BT_DBG("chan %p", chan);
7106
7107 chan->rx_state = L2CAP_RX_STATE_RECV;
7108
7109 if (chan->hs_hcon)
7110 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7111 else
7112 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7113
7114 return l2cap_resegment(chan);
7115}
7116
7117static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
7118 struct l2cap_ctrl *control,
7119 struct sk_buff *skb, u8 event)
7120{
7121 int err;
7122
7123 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7124 event);
7125
7126 if (!control->poll)
7127 return -EPROTO;
7128
7129 l2cap_process_reqseq(chan, control->reqseq);
7130
7131 if (!skb_queue_empty(&chan->tx_q))
7132 chan->tx_send_head = skb_peek(&chan->tx_q);
7133 else
7134 chan->tx_send_head = NULL;
7135
7136
7137
7138
7139 chan->next_tx_seq = control->reqseq;
7140 chan->unacked_frames = 0;
7141
7142 err = l2cap_finish_move(chan);
7143 if (err)
7144 return err;
7145
7146 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7147 l2cap_send_i_or_rr_or_rnr(chan);
7148
7149 if (event == L2CAP_EV_RECV_IFRAME)
7150 return -EPROTO;
7151
7152 return l2cap_rx_state_recv(chan, control, NULL, event);
7153}
7154
7155static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
7156 struct l2cap_ctrl *control,
7157 struct sk_buff *skb, u8 event)
7158{
7159 int err;
7160
7161 if (!control->final)
7162 return -EPROTO;
7163
7164 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7165
7166 chan->rx_state = L2CAP_RX_STATE_RECV;
7167 l2cap_process_reqseq(chan, control->reqseq);
7168
7169 if (!skb_queue_empty(&chan->tx_q))
7170 chan->tx_send_head = skb_peek(&chan->tx_q);
7171 else
7172 chan->tx_send_head = NULL;
7173
7174
7175
7176
7177 chan->next_tx_seq = control->reqseq;
7178 chan->unacked_frames = 0;
7179
7180 if (chan->hs_hcon)
7181 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7182 else
7183 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7184
7185 err = l2cap_resegment(chan);
7186
7187 if (!err)
7188 err = l2cap_rx_state_recv(chan, control, skb, event);
7189
7190 return err;
7191}
7192
7193static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
7194{
7195
7196 u16 unacked;
7197
7198 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
7199 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
7200}
7201
7202static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7203 struct sk_buff *skb, u8 event)
7204{
7205 int err = 0;
7206
7207 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
7208 control, skb, event, chan->rx_state);
7209
7210 if (__valid_reqseq(chan, control->reqseq)) {
7211 switch (chan->rx_state) {
7212 case L2CAP_RX_STATE_RECV:
7213 err = l2cap_rx_state_recv(chan, control, skb, event);
7214 break;
7215 case L2CAP_RX_STATE_SREJ_SENT:
7216 err = l2cap_rx_state_srej_sent(chan, control, skb,
7217 event);
7218 break;
7219 case L2CAP_RX_STATE_WAIT_P:
7220 err = l2cap_rx_state_wait_p(chan, control, skb, event);
7221 break;
7222 case L2CAP_RX_STATE_WAIT_F:
7223 err = l2cap_rx_state_wait_f(chan, control, skb, event);
7224 break;
7225 default:
7226
7227 break;
7228 }
7229 } else {
7230 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
7231 control->reqseq, chan->next_tx_seq,
7232 chan->expected_ack_seq);
7233 l2cap_send_disconn_req(chan, ECONNRESET);
7234 }
7235
7236 return err;
7237}
7238
7239static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7240 struct sk_buff *skb)
7241{
7242 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
7243 chan->rx_state);
7244
7245 if (l2cap_classify_txseq(chan, control->txseq) ==
7246 L2CAP_TXSEQ_EXPECTED) {
7247 l2cap_pass_to_tx(chan, control);
7248
7249 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
7250 __next_seq(chan, chan->buffer_seq));
7251
7252 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
7253
7254 l2cap_reassemble_sdu(chan, skb, control);
7255 } else {
7256 if (chan->sdu) {
7257 kfree_skb(chan->sdu);
7258 chan->sdu = NULL;
7259 }
7260 chan->sdu_last_frag = NULL;
7261 chan->sdu_len = 0;
7262
7263 if (skb) {
7264 BT_DBG("Freeing %p", skb);
7265 kfree_skb(skb);
7266 }
7267 }
7268
7269 chan->last_acked_seq = control->txseq;
7270 chan->expected_tx_seq = __next_seq(chan, control->txseq);
7271
7272 return 0;
7273}
7274
7275static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7276{
7277 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
7278 u16 len;
7279 u8 event;
7280
7281 __unpack_control(chan, skb);
7282
7283 len = skb->len;
7284
7285
7286
7287
7288
7289
7290 if (l2cap_check_fcs(chan, skb))
7291 goto drop;
7292
7293 if (!control->sframe && control->sar == L2CAP_SAR_START)
7294 len -= L2CAP_SDULEN_SIZE;
7295
7296 if (chan->fcs == L2CAP_FCS_CRC16)
7297 len -= L2CAP_FCS_SIZE;
7298
7299 if (len > chan->mps) {
7300 l2cap_send_disconn_req(chan, ECONNRESET);
7301 goto drop;
7302 }
7303
7304 if ((chan->mode == L2CAP_MODE_ERTM ||
7305 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
7306 goto drop;
7307
7308 if (!control->sframe) {
7309 int err;
7310
7311 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
7312 control->sar, control->reqseq, control->final,
7313 control->txseq);
7314
7315
7316
7317
7318 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
7319 goto drop;
7320
7321 if (chan->mode != L2CAP_MODE_STREAMING) {
7322 event = L2CAP_EV_RECV_IFRAME;
7323 err = l2cap_rx(chan, control, skb, event);
7324 } else {
7325 err = l2cap_stream_rx(chan, control, skb);
7326 }
7327
7328 if (err)
7329 l2cap_send_disconn_req(chan, ECONNRESET);
7330 } else {
7331 const u8 rx_func_to_event[4] = {
7332 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
7333 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
7334 };
7335
7336
7337 if (chan->mode == L2CAP_MODE_STREAMING)
7338 goto drop;
7339
7340 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
7341 control->reqseq, control->final, control->poll,
7342 control->super);
7343
7344 if (len != 0) {
7345 BT_ERR("Trailing bytes: %d in sframe", len);
7346 l2cap_send_disconn_req(chan, ECONNRESET);
7347 goto drop;
7348 }
7349
7350
7351 if (control->final && (control->poll ||
7352 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
7353 goto drop;
7354
7355 event = rx_func_to_event[control->super];
7356 if (l2cap_rx(chan, control, skb, event))
7357 l2cap_send_disconn_req(chan, ECONNRESET);
7358 }
7359
7360 return 0;
7361
7362drop:
7363 kfree_skb(skb);
7364 return 0;
7365}
7366
7367static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
7368{
7369 struct l2cap_conn *conn = chan->conn;
7370 struct l2cap_le_credits pkt;
7371 u16 return_credits;
7372
7373 return_credits = (chan->imtu / chan->mps) + 1;
7374
7375 if (chan->rx_credits >= return_credits)
7376 return;
7377
7378 return_credits -= chan->rx_credits;
7379
7380 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
7381
7382 chan->rx_credits += return_credits;
7383
7384 pkt.cid = cpu_to_le16(chan->scid);
7385 pkt.credits = cpu_to_le16(return_credits);
7386
7387 chan->ident = l2cap_get_ident(conn);
7388
7389 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
7390}
7391
7392static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7393{
7394 int err;
7395
7396 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7397
7398
7399 err = chan->ops->recv(chan, skb);
7400
7401
7402 l2cap_chan_le_send_credits(chan);
7403
7404 return err;
7405}
7406
7407static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7408{
7409 int err;
7410
7411 if (!chan->rx_credits) {
7412 BT_ERR("No credits to receive LE L2CAP data");
7413 l2cap_send_disconn_req(chan, ECONNRESET);
7414 return -ENOBUFS;
7415 }
7416
7417 if (chan->imtu < skb->len) {
7418 BT_ERR("Too big LE L2CAP PDU");
7419 return -ENOBUFS;
7420 }
7421
7422 chan->rx_credits--;
7423 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
7424
7425
7426
7427
7428 if (!chan->rx_credits)
7429 l2cap_chan_le_send_credits(chan);
7430
7431 err = 0;
7432
7433 if (!chan->sdu) {
7434 u16 sdu_len;
7435
7436 sdu_len = get_unaligned_le16(skb->data);
7437 skb_pull(skb, L2CAP_SDULEN_SIZE);
7438
7439 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
7440 sdu_len, skb->len, chan->imtu);
7441
7442 if (sdu_len > chan->imtu) {
7443 BT_ERR("Too big LE L2CAP SDU length received");
7444 err = -EMSGSIZE;
7445 goto failed;
7446 }
7447
7448 if (skb->len > sdu_len) {
7449 BT_ERR("Too much LE L2CAP data received");
7450 err = -EINVAL;
7451 goto failed;
7452 }
7453
7454 if (skb->len == sdu_len)
7455 return l2cap_ecred_recv(chan, skb);
7456
7457 chan->sdu = skb;
7458 chan->sdu_len = sdu_len;
7459 chan->sdu_last_frag = skb;
7460
7461
7462 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
7463 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
7464
7465
7466 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
7467 chan->mps = mps_len;
7468 l2cap_chan_le_send_credits(chan);
7469 }
7470
7471 return 0;
7472 }
7473
7474 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
7475 chan->sdu->len, skb->len, chan->sdu_len);
7476
7477 if (chan->sdu->len + skb->len > chan->sdu_len) {
7478 BT_ERR("Too much LE L2CAP data received");
7479 err = -EINVAL;
7480 goto failed;
7481 }
7482
7483 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
7484 skb = NULL;
7485
7486 if (chan->sdu->len == chan->sdu_len) {
7487 err = l2cap_ecred_recv(chan, chan->sdu);
7488 if (!err) {
7489 chan->sdu = NULL;
7490 chan->sdu_last_frag = NULL;
7491 chan->sdu_len = 0;
7492 }
7493 }
7494
7495failed:
7496 if (err) {
7497 kfree_skb(skb);
7498 kfree_skb(chan->sdu);
7499 chan->sdu = NULL;
7500 chan->sdu_last_frag = NULL;
7501 chan->sdu_len = 0;
7502 }
7503
7504
7505
7506
7507
7508 return 0;
7509}
7510
7511static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
7512 struct sk_buff *skb)
7513{
7514 struct l2cap_chan *chan;
7515
7516 chan = l2cap_get_chan_by_scid(conn, cid);
7517 if (!chan) {
7518 if (cid == L2CAP_CID_A2MP) {
7519 chan = a2mp_channel_create(conn, skb);
7520 if (!chan) {
7521 kfree_skb(skb);
7522 return;
7523 }
7524
7525 l2cap_chan_lock(chan);
7526 } else {
7527 BT_DBG("unknown cid 0x%4.4x", cid);
7528
7529 kfree_skb(skb);
7530 return;
7531 }
7532 }
7533
7534 BT_DBG("chan %p, len %d", chan, skb->len);
7535
7536
7537
7538
7539
7540 if (chan->chan_type == L2CAP_CHAN_FIXED)
7541 l2cap_chan_ready(chan);
7542
7543 if (chan->state != BT_CONNECTED)
7544 goto drop;
7545
7546 switch (chan->mode) {
7547 case L2CAP_MODE_LE_FLOWCTL:
7548 case L2CAP_MODE_EXT_FLOWCTL:
7549 if (l2cap_ecred_data_rcv(chan, skb) < 0)
7550 goto drop;
7551
7552 goto done;
7553
7554 case L2CAP_MODE_BASIC:
7555
7556
7557
7558
7559
7560 if (chan->imtu < skb->len) {
7561 BT_ERR("Dropping L2CAP data: receive buffer overflow");
7562 goto drop;
7563 }
7564
7565 if (!chan->ops->recv(chan, skb))
7566 goto done;
7567 break;
7568
7569 case L2CAP_MODE_ERTM:
7570 case L2CAP_MODE_STREAMING:
7571 l2cap_data_rcv(chan, skb);
7572 goto done;
7573
7574 default:
7575 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7576 break;
7577 }
7578
7579drop:
7580 kfree_skb(skb);
7581
7582done:
7583 l2cap_chan_unlock(chan);
7584}
7585
7586static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7587 struct sk_buff *skb)
7588{
7589 struct hci_conn *hcon = conn->hcon;
7590 struct l2cap_chan *chan;
7591
7592 if (hcon->type != ACL_LINK)
7593 goto free_skb;
7594
7595 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7596 ACL_LINK);
7597 if (!chan)
7598 goto free_skb;
7599
7600 BT_DBG("chan %p, len %d", chan, skb->len);
7601
7602 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7603 goto drop;
7604
7605 if (chan->imtu < skb->len)
7606 goto drop;
7607
7608
7609 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7610 bt_cb(skb)->l2cap.psm = psm;
7611
7612 if (!chan->ops->recv(chan, skb)) {
7613 l2cap_chan_put(chan);
7614 return;
7615 }
7616
7617drop:
7618 l2cap_chan_put(chan);
7619free_skb:
7620 kfree_skb(skb);
7621}
7622
7623static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7624{
7625 struct l2cap_hdr *lh = (void *) skb->data;
7626 struct hci_conn *hcon = conn->hcon;
7627 u16 cid, len;
7628 __le16 psm;
7629
7630 if (hcon->state != BT_CONNECTED) {
7631 BT_DBG("queueing pending rx skb");
7632 skb_queue_tail(&conn->pending_rx, skb);
7633 return;
7634 }
7635
7636 skb_pull(skb, L2CAP_HDR_SIZE);
7637 cid = __le16_to_cpu(lh->cid);
7638 len = __le16_to_cpu(lh->len);
7639
7640 if (len != skb->len) {
7641 kfree_skb(skb);
7642 return;
7643 }
7644
7645
7646
7647
7648 if (hcon->type == LE_LINK &&
7649 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7650 bdaddr_dst_type(hcon))) {
7651 kfree_skb(skb);
7652 return;
7653 }
7654
7655 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7656
7657 switch (cid) {
7658 case L2CAP_CID_SIGNALING:
7659 l2cap_sig_channel(conn, skb);
7660 break;
7661
7662 case L2CAP_CID_CONN_LESS:
7663 psm = get_unaligned((__le16 *) skb->data);
7664 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7665 l2cap_conless_channel(conn, psm, skb);
7666 break;
7667
7668 case L2CAP_CID_LE_SIGNALING:
7669 l2cap_le_sig_channel(conn, skb);
7670 break;
7671
7672 default:
7673 l2cap_data_channel(conn, cid, skb);
7674 break;
7675 }
7676}
7677
7678static void process_pending_rx(struct work_struct *work)
7679{
7680 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7681 pending_rx_work);
7682 struct sk_buff *skb;
7683
7684 BT_DBG("");
7685
7686 while ((skb = skb_dequeue(&conn->pending_rx)))
7687 l2cap_recv_frame(conn, skb);
7688}
7689
7690static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7691{
7692 struct l2cap_conn *conn = hcon->l2cap_data;
7693 struct hci_chan *hchan;
7694
7695 if (conn)
7696 return conn;
7697
7698 hchan = hci_chan_create(hcon);
7699 if (!hchan)
7700 return NULL;
7701
7702 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7703 if (!conn) {
7704 hci_chan_del(hchan);
7705 return NULL;
7706 }
7707
7708 kref_init(&conn->ref);
7709 hcon->l2cap_data = conn;
7710 conn->hcon = hci_conn_get(hcon);
7711 conn->hchan = hchan;
7712
7713 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7714
7715 switch (hcon->type) {
7716 case LE_LINK:
7717 if (hcon->hdev->le_mtu) {
7718 conn->mtu = hcon->hdev->le_mtu;
7719 break;
7720 }
7721 fallthrough;
7722 default:
7723 conn->mtu = hcon->hdev->acl_mtu;
7724 break;
7725 }
7726
7727 conn->feat_mask = 0;
7728
7729 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7730
7731 if (hcon->type == ACL_LINK &&
7732 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7733 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7734
7735 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7736 (bredr_sc_enabled(hcon->hdev) ||
7737 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7738 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7739
7740 mutex_init(&conn->ident_lock);
7741 mutex_init(&conn->chan_lock);
7742
7743 INIT_LIST_HEAD(&conn->chan_l);
7744 INIT_LIST_HEAD(&conn->users);
7745
7746 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7747
7748 skb_queue_head_init(&conn->pending_rx);
7749 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7750 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7751
7752 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7753
7754 return conn;
7755}
7756
7757static bool is_valid_psm(u16 psm, u8 dst_type) {
7758 if (!psm)
7759 return false;
7760
7761 if (bdaddr_type_is_le(dst_type))
7762 return (psm <= 0x00ff);
7763
7764
7765 return ((psm & 0x0101) == 0x0001);
7766}
7767
7768struct l2cap_chan_data {
7769 struct l2cap_chan *chan;
7770 struct pid *pid;
7771 int count;
7772};
7773
7774static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7775{
7776 struct l2cap_chan_data *d = data;
7777 struct pid *pid;
7778
7779 if (chan == d->chan)
7780 return;
7781
7782 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7783 return;
7784
7785 pid = chan->ops->get_peer_pid(chan);
7786
7787
7788 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7789 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7790 return;
7791
7792 d->count++;
7793}
7794
7795int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7796 bdaddr_t *dst, u8 dst_type)
7797{
7798 struct l2cap_conn *conn;
7799 struct hci_conn *hcon;
7800 struct hci_dev *hdev;
7801 int err;
7802
7803 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7804 dst, dst_type, __le16_to_cpu(psm), chan->mode);
7805
7806 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7807 if (!hdev)
7808 return -EHOSTUNREACH;
7809
7810 hci_dev_lock(hdev);
7811
7812 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7813 chan->chan_type != L2CAP_CHAN_RAW) {
7814 err = -EINVAL;
7815 goto done;
7816 }
7817
7818 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7819 err = -EINVAL;
7820 goto done;
7821 }
7822
7823 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7824 err = -EINVAL;
7825 goto done;
7826 }
7827
7828 switch (chan->mode) {
7829 case L2CAP_MODE_BASIC:
7830 break;
7831 case L2CAP_MODE_LE_FLOWCTL:
7832 break;
7833 case L2CAP_MODE_EXT_FLOWCTL:
7834 if (!enable_ecred) {
7835 err = -EOPNOTSUPP;
7836 goto done;
7837 }
7838 break;
7839 case L2CAP_MODE_ERTM:
7840 case L2CAP_MODE_STREAMING:
7841 if (!disable_ertm)
7842 break;
7843 fallthrough;
7844 default:
7845 err = -EOPNOTSUPP;
7846 goto done;
7847 }
7848
7849 switch (chan->state) {
7850 case BT_CONNECT:
7851 case BT_CONNECT2:
7852 case BT_CONFIG:
7853
7854 err = 0;
7855 goto done;
7856
7857 case BT_CONNECTED:
7858
7859 err = -EISCONN;
7860 goto done;
7861
7862 case BT_OPEN:
7863 case BT_BOUND:
7864
7865 break;
7866
7867 default:
7868 err = -EBADFD;
7869 goto done;
7870 }
7871
7872
7873 bacpy(&chan->dst, dst);
7874 chan->dst_type = dst_type;
7875
7876 chan->psm = psm;
7877 chan->dcid = cid;
7878
7879 if (bdaddr_type_is_le(dst_type)) {
7880
7881
7882 if (dst_type == BDADDR_LE_PUBLIC)
7883 dst_type = ADDR_LE_DEV_PUBLIC;
7884 else
7885 dst_type = ADDR_LE_DEV_RANDOM;
7886
7887 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7888 hcon = hci_connect_le(hdev, dst, dst_type,
7889 chan->sec_level,
7890 HCI_LE_CONN_TIMEOUT,
7891 HCI_ROLE_SLAVE, NULL);
7892 else
7893 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7894 chan->sec_level,
7895 HCI_LE_CONN_TIMEOUT,
7896 CONN_REASON_L2CAP_CHAN);
7897
7898 } else {
7899 u8 auth_type = l2cap_get_auth_type(chan);
7900 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7901 CONN_REASON_L2CAP_CHAN);
7902 }
7903
7904 if (IS_ERR(hcon)) {
7905 err = PTR_ERR(hcon);
7906 goto done;
7907 }
7908
7909 conn = l2cap_conn_add(hcon);
7910 if (!conn) {
7911 hci_conn_drop(hcon);
7912 err = -ENOMEM;
7913 goto done;
7914 }
7915
7916 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7917 struct l2cap_chan_data data;
7918
7919 data.chan = chan;
7920 data.pid = chan->ops->get_peer_pid(chan);
7921 data.count = 1;
7922
7923 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7924
7925
7926 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7927 hci_conn_drop(hcon);
7928 err = -EPROTO;
7929 goto done;
7930 }
7931 }
7932
7933 mutex_lock(&conn->chan_lock);
7934 l2cap_chan_lock(chan);
7935
7936 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7937 hci_conn_drop(hcon);
7938 err = -EBUSY;
7939 goto chan_unlock;
7940 }
7941
7942
7943 bacpy(&chan->src, &hcon->src);
7944 chan->src_type = bdaddr_src_type(hcon);
7945
7946 __l2cap_chan_add(conn, chan);
7947
7948
7949 hci_conn_drop(hcon);
7950
7951 l2cap_state_change(chan, BT_CONNECT);
7952 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7953
7954
7955
7956
7957 write_lock(&chan_list_lock);
7958 chan->sport = 0;
7959 write_unlock(&chan_list_lock);
7960
7961 if (hcon->state == BT_CONNECTED) {
7962 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7963 __clear_chan_timer(chan);
7964 if (l2cap_chan_check_security(chan, true))
7965 l2cap_state_change(chan, BT_CONNECTED);
7966 } else
7967 l2cap_do_start(chan);
7968 }
7969
7970 err = 0;
7971
7972chan_unlock:
7973 l2cap_chan_unlock(chan);
7974 mutex_unlock(&conn->chan_lock);
7975done:
7976 hci_dev_unlock(hdev);
7977 hci_dev_put(hdev);
7978 return err;
7979}
7980EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7981
7982static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7983{
7984 struct l2cap_conn *conn = chan->conn;
7985 struct {
7986 struct l2cap_ecred_reconf_req req;
7987 __le16 scid;
7988 } pdu;
7989
7990 pdu.req.mtu = cpu_to_le16(chan->imtu);
7991 pdu.req.mps = cpu_to_le16(chan->mps);
7992 pdu.scid = cpu_to_le16(chan->scid);
7993
7994 chan->ident = l2cap_get_ident(conn);
7995
7996 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
7997 sizeof(pdu), &pdu);
7998}
7999
8000int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8001{
8002 if (chan->imtu > mtu)
8003 return -EINVAL;
8004
8005 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8006
8007 chan->imtu = mtu;
8008
8009 l2cap_ecred_reconfigure(chan);
8010
8011 return 0;
8012}
8013
8014
8015
8016int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
8017{
8018 int exact = 0, lm1 = 0, lm2 = 0;
8019 struct l2cap_chan *c;
8020
8021 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
8022
8023
8024 read_lock(&chan_list_lock);
8025 list_for_each_entry(c, &chan_list, global_l) {
8026 if (c->state != BT_LISTEN)
8027 continue;
8028
8029 if (!bacmp(&c->src, &hdev->bdaddr)) {
8030 lm1 |= HCI_LM_ACCEPT;
8031 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8032 lm1 |= HCI_LM_MASTER;
8033 exact++;
8034 } else if (!bacmp(&c->src, BDADDR_ANY)) {
8035 lm2 |= HCI_LM_ACCEPT;
8036 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8037 lm2 |= HCI_LM_MASTER;
8038 }
8039 }
8040 read_unlock(&chan_list_lock);
8041
8042 return exact ? lm1 : lm2;
8043}
8044
8045
8046
8047
8048
8049static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
8050 struct hci_conn *hcon)
8051{
8052 u8 src_type = bdaddr_src_type(hcon);
8053
8054 read_lock(&chan_list_lock);
8055
8056 if (c)
8057 c = list_next_entry(c, global_l);
8058 else
8059 c = list_entry(chan_list.next, typeof(*c), global_l);
8060
8061 list_for_each_entry_from(c, &chan_list, global_l) {
8062 if (c->chan_type != L2CAP_CHAN_FIXED)
8063 continue;
8064 if (c->state != BT_LISTEN)
8065 continue;
8066 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
8067 continue;
8068 if (src_type != c->src_type)
8069 continue;
8070
8071 l2cap_chan_hold(c);
8072 read_unlock(&chan_list_lock);
8073 return c;
8074 }
8075
8076 read_unlock(&chan_list_lock);
8077
8078 return NULL;
8079}
8080
8081static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
8082{
8083 struct hci_dev *hdev = hcon->hdev;
8084 struct l2cap_conn *conn;
8085 struct l2cap_chan *pchan;
8086 u8 dst_type;
8087
8088 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8089 return;
8090
8091 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
8092
8093 if (status) {
8094 l2cap_conn_del(hcon, bt_to_errno(status));
8095 return;
8096 }
8097
8098 conn = l2cap_conn_add(hcon);
8099 if (!conn)
8100 return;
8101
8102 dst_type = bdaddr_dst_type(hcon);
8103
8104
8105 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
8106 return;
8107
8108
8109
8110
8111
8112
8113 pchan = l2cap_global_fixed_chan(NULL, hcon);
8114 while (pchan) {
8115 struct l2cap_chan *chan, *next;
8116
8117
8118 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
8119 goto next;
8120
8121 l2cap_chan_lock(pchan);
8122 chan = pchan->ops->new_connection(pchan);
8123 if (chan) {
8124 bacpy(&chan->src, &hcon->src);
8125 bacpy(&chan->dst, &hcon->dst);
8126 chan->src_type = bdaddr_src_type(hcon);
8127 chan->dst_type = dst_type;
8128
8129 __l2cap_chan_add(conn, chan);
8130 }
8131
8132 l2cap_chan_unlock(pchan);
8133next:
8134 next = l2cap_global_fixed_chan(pchan, hcon);
8135 l2cap_chan_put(pchan);
8136 pchan = next;
8137 }
8138
8139 l2cap_conn_ready(conn);
8140}
8141
8142int l2cap_disconn_ind(struct hci_conn *hcon)
8143{
8144 struct l2cap_conn *conn = hcon->l2cap_data;
8145
8146 BT_DBG("hcon %p", hcon);
8147
8148 if (!conn)
8149 return HCI_ERROR_REMOTE_USER_TERM;
8150 return conn->disc_reason;
8151}
8152
8153static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
8154{
8155 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8156 return;
8157
8158 BT_DBG("hcon %p reason %d", hcon, reason);
8159
8160 l2cap_conn_del(hcon, bt_to_errno(reason));
8161}
8162
8163static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
8164{
8165 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
8166 return;
8167
8168 if (encrypt == 0x00) {
8169 if (chan->sec_level == BT_SECURITY_MEDIUM) {
8170 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
8171 } else if (chan->sec_level == BT_SECURITY_HIGH ||
8172 chan->sec_level == BT_SECURITY_FIPS)
8173 l2cap_chan_close(chan, ECONNREFUSED);
8174 } else {
8175 if (chan->sec_level == BT_SECURITY_MEDIUM)
8176 __clear_chan_timer(chan);
8177 }
8178}
8179
8180static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
8181{
8182 struct l2cap_conn *conn = hcon->l2cap_data;
8183 struct l2cap_chan *chan;
8184
8185 if (!conn)
8186 return;
8187
8188 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
8189
8190 mutex_lock(&conn->chan_lock);
8191
8192 list_for_each_entry(chan, &conn->chan_l, list) {
8193 l2cap_chan_lock(chan);
8194
8195 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
8196 state_to_string(chan->state));
8197
8198 if (chan->scid == L2CAP_CID_A2MP) {
8199 l2cap_chan_unlock(chan);
8200 continue;
8201 }
8202
8203 if (!status && encrypt)
8204 chan->sec_level = hcon->sec_level;
8205
8206 if (!__l2cap_no_conn_pending(chan)) {
8207 l2cap_chan_unlock(chan);
8208 continue;
8209 }
8210
8211 if (!status && (chan->state == BT_CONNECTED ||
8212 chan->state == BT_CONFIG)) {
8213 chan->ops->resume(chan);
8214 l2cap_check_encryption(chan, encrypt);
8215 l2cap_chan_unlock(chan);
8216 continue;
8217 }
8218
8219 if (chan->state == BT_CONNECT) {
8220 if (!status && l2cap_check_enc_key_size(hcon))
8221 l2cap_start_connection(chan);
8222 else
8223 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8224 } else if (chan->state == BT_CONNECT2 &&
8225 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8226 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
8227 struct l2cap_conn_rsp rsp;
8228 __u16 res, stat;
8229
8230 if (!status && l2cap_check_enc_key_size(hcon)) {
8231 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
8232 res = L2CAP_CR_PEND;
8233 stat = L2CAP_CS_AUTHOR_PEND;
8234 chan->ops->defer(chan);
8235 } else {
8236 l2cap_state_change(chan, BT_CONFIG);
8237 res = L2CAP_CR_SUCCESS;
8238 stat = L2CAP_CS_NO_INFO;
8239 }
8240 } else {
8241 l2cap_state_change(chan, BT_DISCONN);
8242 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8243 res = L2CAP_CR_SEC_BLOCK;
8244 stat = L2CAP_CS_NO_INFO;
8245 }
8246
8247 rsp.scid = cpu_to_le16(chan->dcid);
8248 rsp.dcid = cpu_to_le16(chan->scid);
8249 rsp.result = cpu_to_le16(res);
8250 rsp.status = cpu_to_le16(stat);
8251 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
8252 sizeof(rsp), &rsp);
8253
8254 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
8255 res == L2CAP_CR_SUCCESS) {
8256 char buf[128];
8257 set_bit(CONF_REQ_SENT, &chan->conf_state);
8258 l2cap_send_cmd(conn, l2cap_get_ident(conn),
8259 L2CAP_CONF_REQ,
8260 l2cap_build_conf_req(chan, buf, sizeof(buf)),
8261 buf);
8262 chan->num_conf_req++;
8263 }
8264 }
8265
8266 l2cap_chan_unlock(chan);
8267 }
8268
8269 mutex_unlock(&conn->chan_lock);
8270}
8271
8272void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
8273{
8274 struct l2cap_conn *conn = hcon->l2cap_data;
8275 struct l2cap_hdr *hdr;
8276 int len;
8277
8278
8279 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
8280 goto drop;
8281
8282 if (!conn)
8283 conn = l2cap_conn_add(hcon);
8284
8285 if (!conn)
8286 goto drop;
8287
8288 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
8289
8290 switch (flags) {
8291 case ACL_START:
8292 case ACL_START_NO_FLUSH:
8293 case ACL_COMPLETE:
8294 if (conn->rx_len) {
8295 BT_ERR("Unexpected start frame (len %d)", skb->len);
8296 kfree_skb(conn->rx_skb);
8297 conn->rx_skb = NULL;
8298 conn->rx_len = 0;
8299 l2cap_conn_unreliable(conn, ECOMM);
8300 }
8301
8302
8303 if (skb->len < L2CAP_HDR_SIZE) {
8304 BT_ERR("Frame is too short (len %d)", skb->len);
8305 l2cap_conn_unreliable(conn, ECOMM);
8306 goto drop;
8307 }
8308
8309 hdr = (struct l2cap_hdr *) skb->data;
8310 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
8311
8312 if (len == skb->len) {
8313
8314 l2cap_recv_frame(conn, skb);
8315 return;
8316 }
8317
8318 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
8319
8320 if (skb->len > len) {
8321 BT_ERR("Frame is too long (len %d, expected len %d)",
8322 skb->len, len);
8323 l2cap_conn_unreliable(conn, ECOMM);
8324 goto drop;
8325 }
8326
8327
8328 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
8329 if (!conn->rx_skb)
8330 goto drop;
8331
8332 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8333 skb->len);
8334 conn->rx_len = len - skb->len;
8335 break;
8336
8337 case ACL_CONT:
8338 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
8339
8340 if (!conn->rx_len) {
8341 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
8342 l2cap_conn_unreliable(conn, ECOMM);
8343 goto drop;
8344 }
8345
8346 if (skb->len > conn->rx_len) {
8347 BT_ERR("Fragment is too long (len %d, expected %d)",
8348 skb->len, conn->rx_len);
8349 kfree_skb(conn->rx_skb);
8350 conn->rx_skb = NULL;
8351 conn->rx_len = 0;
8352 l2cap_conn_unreliable(conn, ECOMM);
8353 goto drop;
8354 }
8355
8356 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8357 skb->len);
8358 conn->rx_len -= skb->len;
8359
8360 if (!conn->rx_len) {
8361
8362
8363
8364
8365 struct sk_buff *rx_skb = conn->rx_skb;
8366 conn->rx_skb = NULL;
8367 l2cap_recv_frame(conn, rx_skb);
8368 }
8369 break;
8370 }
8371
8372drop:
8373 kfree_skb(skb);
8374}
8375
8376static struct hci_cb l2cap_cb = {
8377 .name = "L2CAP",
8378 .connect_cfm = l2cap_connect_cfm,
8379 .disconn_cfm = l2cap_disconn_cfm,
8380 .security_cfm = l2cap_security_cfm,
8381};
8382
8383static int l2cap_debugfs_show(struct seq_file *f, void *p)
8384{
8385 struct l2cap_chan *c;
8386
8387 read_lock(&chan_list_lock);
8388
8389 list_for_each_entry(c, &chan_list, global_l) {
8390 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
8391 &c->src, c->src_type, &c->dst, c->dst_type,
8392 c->state, __le16_to_cpu(c->psm),
8393 c->scid, c->dcid, c->imtu, c->omtu,
8394 c->sec_level, c->mode);
8395 }
8396
8397 read_unlock(&chan_list_lock);
8398
8399 return 0;
8400}
8401
8402DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
8403
8404static struct dentry *l2cap_debugfs;
8405
8406int __init l2cap_init(void)
8407{
8408 int err;
8409
8410 err = l2cap_init_sockets();
8411 if (err < 0)
8412 return err;
8413
8414 hci_register_cb(&l2cap_cb);
8415
8416 if (IS_ERR_OR_NULL(bt_debugfs))
8417 return 0;
8418
8419 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
8420 NULL, &l2cap_debugfs_fops);
8421
8422 return 0;
8423}
8424
8425void l2cap_exit(void)
8426{
8427 debugfs_remove(l2cap_debugfs);
8428 hci_unregister_cb(&l2cap_cb);
8429 l2cap_cleanup_sockets();
8430}
8431
8432module_param(disable_ertm, bool, 0644);
8433MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8434
8435module_param(enable_ecred, bool, 0644);
8436MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
8437
