1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
36
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
40
41 #include "smp.h"
42
43 #define LE_FLOWCTL_MAX_CREDITS 65535
44
45 bool disable_ertm;
46 bool enable_ecred = IS_ENABLED(CONFIG_BT_LE_L2CAP_ECRED);
47
48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
49
50 static LIST_HEAD(chan_list);
51 static DEFINE_RWLOCK(chan_list_lock);
52
53 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
54 u8 code, u8 ident, u16 dlen, void *data);
55 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
56 void *data);
57 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
58 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
59
60 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
61 struct sk_buff_head *skbs, u8 event);
62 static void l2cap_retrans_timeout(struct work_struct *work);
63 static void l2cap_monitor_timeout(struct work_struct *work);
64 static void l2cap_ack_timeout(struct work_struct *work);
65
66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67 {
68 if (link_type == LE_LINK) {
69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76 }
77
78 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79 {
80 return bdaddr_type(hcon->type, hcon->src_type);
81 }
82
83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84 {
85 return bdaddr_type(hcon->type, hcon->dst_type);
86 }
87
88 /* ---- L2CAP channels ---- */
89
90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
91 u16 cid)
92 {
93 struct l2cap_chan *c;
94
95 list_for_each_entry(c, &conn->chan_l, list) {
96 if (c->dcid == cid)
97 return c;
98 }
99 return NULL;
100 }
101
102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
104 {
105 struct l2cap_chan *c;
106
107 list_for_each_entry(c, &conn->chan_l, list) {
108 if (c->scid == cid)
109 return c;
110 }
111 return NULL;
112 }
113
114 /* Find channel with given SCID.
115 * Returns a reference locked channel.
116 */
117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 u16 cid)
119 {
120 struct l2cap_chan *c;
121
122 mutex_lock(&conn->chan_lock);
123 c = __l2cap_get_chan_by_scid(conn, cid);
124 if (c) {
125 /* Only lock if chan reference is not 0 */
126 c = l2cap_chan_hold_unless_zero(c);
127 if (c)
128 l2cap_chan_lock(c);
129 }
130 mutex_unlock(&conn->chan_lock);
131
132 return c;
133 }
134
135 /* Find channel with given DCID.
136 * Returns a reference locked channel.
137 */
138 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
139 u16 cid)
140 {
141 struct l2cap_chan *c;
142
143 mutex_lock(&conn->chan_lock);
144 c = __l2cap_get_chan_by_dcid(conn, cid);
145 if (c) {
146 /* Only lock if chan reference is not 0 */
147 c = l2cap_chan_hold_unless_zero(c);
148 if (c)
149 l2cap_chan_lock(c);
150 }
151 mutex_unlock(&conn->chan_lock);
152
153 return c;
154 }
155
156 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
157 u8 ident)
158 {
159 struct l2cap_chan *c;
160
161 list_for_each_entry(c, &conn->chan_l, list) {
162 if (c->ident == ident)
163 return c;
164 }
165 return NULL;
166 }
167
168 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
169 u8 src_type)
170 {
171 struct l2cap_chan *c;
172
173 list_for_each_entry(c, &chan_list, global_l) {
174 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
175 continue;
176
177 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
178 continue;
179
180 if (c->sport == psm && !bacmp(&c->src, src))
181 return c;
182 }
183 return NULL;
184 }
185
186 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
187 {
188 int err;
189
190 write_lock(&chan_list_lock);
191
192 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
193 err = -EADDRINUSE;
194 goto done;
195 }
196
197 if (psm) {
198 chan->psm = psm;
199 chan->sport = psm;
200 err = 0;
201 } else {
202 u16 p, start, end, incr;
203
204 if (chan->src_type == BDADDR_BREDR) {
205 start = L2CAP_PSM_DYN_START;
206 end = L2CAP_PSM_AUTO_END;
207 incr = 2;
208 } else {
209 start = L2CAP_PSM_LE_DYN_START;
210 end = L2CAP_PSM_LE_DYN_END;
211 incr = 1;
212 }
213
214 err = -EINVAL;
215 for (p = start; p <= end; p += incr)
216 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
217 chan->src_type)) {
218 chan->psm = cpu_to_le16(p);
219 chan->sport = cpu_to_le16(p);
220 err = 0;
221 break;
222 }
223 }
224
225 done:
226 write_unlock(&chan_list_lock);
227 return err;
228 }
229 EXPORT_SYMBOL_GPL(l2cap_add_psm);
230
231 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
232 {
233 write_lock(&chan_list_lock);
234
235 /* Override the defaults (which are for conn-oriented) */
236 chan->omtu = L2CAP_DEFAULT_MTU;
237 chan->chan_type = L2CAP_CHAN_FIXED;
238
239 chan->scid = scid;
240
241 write_unlock(&chan_list_lock);
242
243 return 0;
244 }
245
246 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
247 {
248 u16 cid, dyn_end;
249
250 if (conn->hcon->type == LE_LINK)
251 dyn_end = L2CAP_CID_LE_DYN_END;
252 else
253 dyn_end = L2CAP_CID_DYN_END;
254
255 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
256 if (!__l2cap_get_chan_by_scid(conn, cid))
257 return cid;
258 }
259
260 return 0;
261 }
262
263 static void l2cap_state_change(struct l2cap_chan *chan, int state)
264 {
265 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
266 state_to_string(state));
267
268 chan->state = state;
269 chan->ops->state_change(chan, state, 0);
270 }
271
272 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
273 int state, int err)
274 {
275 chan->state = state;
276 chan->ops->state_change(chan, chan->state, err);
277 }
278
279 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
280 {
281 chan->ops->state_change(chan, chan->state, err);
282 }
283
284 static void __set_retrans_timer(struct l2cap_chan *chan)
285 {
286 if (!delayed_work_pending(&chan->monitor_timer) &&
287 chan->retrans_timeout) {
288 l2cap_set_timer(chan, &chan->retrans_timer,
289 msecs_to_jiffies(chan->retrans_timeout));
290 }
291 }
292
293 static void __set_monitor_timer(struct l2cap_chan *chan)
294 {
295 __clear_retrans_timer(chan);
296 if (chan->monitor_timeout) {
297 l2cap_set_timer(chan, &chan->monitor_timer,
298 msecs_to_jiffies(chan->monitor_timeout));
299 }
300 }
301
302 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
303 u16 seq)
304 {
305 struct sk_buff *skb;
306
307 skb_queue_walk(head, skb) {
308 if (bt_cb(skb)->l2cap.txseq == seq)
309 return skb;
310 }
311
312 return NULL;
313 }
314
315 /* ---- L2CAP sequence number lists ---- */
316
317 /* For ERTM, ordered lists of sequence numbers must be tracked for
318 * SREJ requests that are received and for frames that are to be
319 * retransmitted. These seq_list functions implement a singly-linked
320 * list in an array, where membership in the list can also be checked
321 * in constant time. Items can also be added to the tail of the list
322 * and removed from the head in constant time, without further memory
323 * allocs or frees.
324 */
325
326 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
327 {
328 size_t alloc_size, i;
329
330 /* Allocated size is a power of 2 to map sequence numbers
331 * (which may be up to 14 bits) in to a smaller array that is
332 * sized for the negotiated ERTM transmit windows.
333 */
334 alloc_size = roundup_pow_of_two(size);
335
336 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
337 if (!seq_list->list)
338 return -ENOMEM;
339
340 seq_list->mask = alloc_size - 1;
341 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
342 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
343 for (i = 0; i < alloc_size; i++)
344 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
345
346 return 0;
347 }
348
349 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
350 {
351 kfree(seq_list->list);
352 }
353
354 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
355 u16 seq)
356 {
357 /* Constant-time check for list membership */
358 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
359 }
360
361 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
362 {
363 u16 seq = seq_list->head;
364 u16 mask = seq_list->mask;
365
366 seq_list->head = seq_list->list[seq & mask];
367 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
368
369 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
370 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
371 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
372 }
373
374 return seq;
375 }
376
377 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
378 {
379 u16 i;
380
381 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
382 return;
383
384 for (i = 0; i <= seq_list->mask; i++)
385 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
386
387 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
388 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
389 }
390
391 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
392 {
393 u16 mask = seq_list->mask;
394
395 /* All appends happen in constant time */
396
397 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
398 return;
399
400 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
401 seq_list->head = seq;
402 else
403 seq_list->list[seq_list->tail & mask] = seq;
404
405 seq_list->tail = seq;
406 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
407 }
408
409 static void l2cap_chan_timeout(struct work_struct *work)
410 {
411 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
412 chan_timer.work);
413 struct l2cap_conn *conn = chan->conn;
414 int reason;
415
416 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
417
418 if (!conn)
419 return;
420
421 mutex_lock(&conn->chan_lock);
422 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
423 * this work. No need to call l2cap_chan_hold(chan) here again.
424 */
425 l2cap_chan_lock(chan);
426
427 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
428 reason = ECONNREFUSED;
429 else if (chan->state == BT_CONNECT &&
430 chan->sec_level != BT_SECURITY_SDP)
431 reason = ECONNREFUSED;
432 else
433 reason = ETIMEDOUT;
434
435 l2cap_chan_close(chan, reason);
436
437 chan->ops->close(chan);
438
439 l2cap_chan_unlock(chan);
440 l2cap_chan_put(chan);
441
442 mutex_unlock(&conn->chan_lock);
443 }
444
445 struct l2cap_chan *l2cap_chan_create(void)
446 {
447 struct l2cap_chan *chan;
448
449 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
450 if (!chan)
451 return NULL;
452
453 skb_queue_head_init(&chan->tx_q);
454 skb_queue_head_init(&chan->srej_q);
455 mutex_init(&chan->lock);
456
457 /* Set default lock nesting level */
458 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
459
460 /* Available receive buffer space is initially unknown */
461 chan->rx_avail = -1;
462
463 write_lock(&chan_list_lock);
464 list_add(&chan->global_l, &chan_list);
465 write_unlock(&chan_list_lock);
466
467 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
468 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
469 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
470 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
471
472 chan->state = BT_OPEN;
473
474 kref_init(&chan->kref);
475
476 /* This flag is cleared in l2cap_chan_ready() */
477 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
478
479 BT_DBG("chan %p", chan);
480
481 return chan;
482 }
483 EXPORT_SYMBOL_GPL(l2cap_chan_create);
484
485 static void l2cap_chan_destroy(struct kref *kref)
486 {
487 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
488
489 BT_DBG("chan %p", chan);
490
491 write_lock(&chan_list_lock);
492 list_del(&chan->global_l);
493 write_unlock(&chan_list_lock);
494
495 kfree(chan);
496 }
497
498 void l2cap_chan_hold(struct l2cap_chan *c)
499 {
500 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
501
502 kref_get(&c->kref);
503 }
504
505 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c)
506 {
507 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
508
509 if (!kref_get_unless_zero(&c->kref))
510 return NULL;
511
512 return c;
513 }
514
515 void l2cap_chan_put(struct l2cap_chan *c)
516 {
517 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
518
519 kref_put(&c->kref, l2cap_chan_destroy);
520 }
521 EXPORT_SYMBOL_GPL(l2cap_chan_put);
522
523 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
524 {
525 chan->fcs = L2CAP_FCS_CRC16;
526 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
527 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
528 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
529 chan->remote_max_tx = chan->max_tx;
530 chan->remote_tx_win = chan->tx_win;
531 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
532 chan->sec_level = BT_SECURITY_LOW;
533 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
534 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
535 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
536
537 chan->conf_state = 0;
538 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
539
540 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
541 }
542 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
543
544 static __u16 l2cap_le_rx_credits(struct l2cap_chan *chan)
545 {
546 size_t sdu_len = chan->sdu ? chan->sdu->len : 0;
547
548 if (chan->mps == 0)
549 return 0;
550
551 /* If we don't know the available space in the receiver buffer, give
552 * enough credits for a full packet.
553 */
554 if (chan->rx_avail == -1)
555 return (chan->imtu / chan->mps) + 1;
556
557 /* If we know how much space is available in the receive buffer, give
558 * out as many credits as would fill the buffer.
559 */
560 if (chan->rx_avail <= sdu_len)
561 return 0;
562
563 return DIV_ROUND_UP(chan->rx_avail - sdu_len, chan->mps);
564 }
565
566 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
567 {
568 chan->sdu = NULL;
569 chan->sdu_last_frag = NULL;
570 chan->sdu_len = 0;
571 chan->tx_credits = tx_credits;
572 /* Derive MPS from connection MTU to stop HCI fragmentation */
573 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
574 chan->rx_credits = l2cap_le_rx_credits(chan);
575
576 skb_queue_head_init(&chan->tx_q);
577 }
578
579 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
580 {
581 l2cap_le_flowctl_init(chan, tx_credits);
582
583 /* L2CAP implementations shall support a minimum MPS of 64 octets */
584 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
585 chan->mps = L2CAP_ECRED_MIN_MPS;
586 chan->rx_credits = l2cap_le_rx_credits(chan);
587 }
588 }
589
590 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
591 {
592 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
593 __le16_to_cpu(chan->psm), chan->dcid);
594
595 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
596
597 chan->conn = conn;
598
599 switch (chan->chan_type) {
600 case L2CAP_CHAN_CONN_ORIENTED:
601 /* Alloc CID for connection-oriented socket */
602 chan->scid = l2cap_alloc_cid(conn);
603 if (conn->hcon->type == ACL_LINK)
604 chan->omtu = L2CAP_DEFAULT_MTU;
605 break;
606
607 case L2CAP_CHAN_CONN_LESS:
608 /* Connectionless socket */
609 chan->scid = L2CAP_CID_CONN_LESS;
610 chan->dcid = L2CAP_CID_CONN_LESS;
611 chan->omtu = L2CAP_DEFAULT_MTU;
612 break;
613
614 case L2CAP_CHAN_FIXED:
615 /* Caller will set CID and CID specific MTU values */
616 break;
617
618 default:
619 /* Raw socket can send/recv signalling messages only */
620 chan->scid = L2CAP_CID_SIGNALING;
621 chan->dcid = L2CAP_CID_SIGNALING;
622 chan->omtu = L2CAP_DEFAULT_MTU;
623 }
624
625 chan->local_id = L2CAP_BESTEFFORT_ID;
626 chan->local_stype = L2CAP_SERV_BESTEFFORT;
627 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
628 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
629 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
630 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
631
632 l2cap_chan_hold(chan);
633
634 /* Only keep a reference for fixed channels if they requested it */
635 if (chan->chan_type != L2CAP_CHAN_FIXED ||
636 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
637 hci_conn_hold(conn->hcon);
638
639 list_add(&chan->list, &conn->chan_l);
640 }
641
642 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
643 {
644 mutex_lock(&conn->chan_lock);
645 __l2cap_chan_add(conn, chan);
646 mutex_unlock(&conn->chan_lock);
647 }
648
649 void l2cap_chan_del(struct l2cap_chan *chan, int err)
650 {
651 struct l2cap_conn *conn = chan->conn;
652
653 __clear_chan_timer(chan);
654
655 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
656 state_to_string(chan->state));
657
658 chan->ops->teardown(chan, err);
659
660 if (conn) {
661 /* Delete from channel list */
662 list_del(&chan->list);
663
664 l2cap_chan_put(chan);
665
666 chan->conn = NULL;
667
668 /* Reference was only held for non-fixed channels or
669 * fixed channels that explicitly requested it using the
670 * FLAG_HOLD_HCI_CONN flag.
671 */
672 if (chan->chan_type != L2CAP_CHAN_FIXED ||
673 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
674 hci_conn_drop(conn->hcon);
675 }
676
677 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
678 return;
679
680 switch (chan->mode) {
681 case L2CAP_MODE_BASIC:
682 break;
683
684 case L2CAP_MODE_LE_FLOWCTL:
685 case L2CAP_MODE_EXT_FLOWCTL:
686 skb_queue_purge(&chan->tx_q);
687 break;
688
689 case L2CAP_MODE_ERTM:
690 __clear_retrans_timer(chan);
691 __clear_monitor_timer(chan);
692 __clear_ack_timer(chan);
693
694 skb_queue_purge(&chan->srej_q);
695
696 l2cap_seq_list_free(&chan->srej_list);
697 l2cap_seq_list_free(&chan->retrans_list);
698 fallthrough;
699
700 case L2CAP_MODE_STREAMING:
701 skb_queue_purge(&chan->tx_q);
702 break;
703 }
704 }
705 EXPORT_SYMBOL_GPL(l2cap_chan_del);
706
707 static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id,
708 l2cap_chan_func_t func, void *data)
709 {
710 struct l2cap_chan *chan, *l;
711
712 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
713 if (chan->ident == id)
714 func(chan, data);
715 }
716 }
717
718 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
719 void *data)
720 {
721 struct l2cap_chan *chan;
722
723 list_for_each_entry(chan, &conn->chan_l, list) {
724 func(chan, data);
725 }
726 }
727
728 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
729 void *data)
730 {
731 if (!conn)
732 return;
733
734 mutex_lock(&conn->chan_lock);
735 __l2cap_chan_list(conn, func, data);
736 mutex_unlock(&conn->chan_lock);
737 }
738
739 EXPORT_SYMBOL_GPL(l2cap_chan_list);
740
741 static void l2cap_conn_update_id_addr(struct work_struct *work)
742 {
743 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
744 id_addr_timer.work);
745 struct hci_conn *hcon = conn->hcon;
746 struct l2cap_chan *chan;
747
748 mutex_lock(&conn->chan_lock);
749
750 list_for_each_entry(chan, &conn->chan_l, list) {
751 l2cap_chan_lock(chan);
752 bacpy(&chan->dst, &hcon->dst);
753 chan->dst_type = bdaddr_dst_type(hcon);
754 l2cap_chan_unlock(chan);
755 }
756
757 mutex_unlock(&conn->chan_lock);
758 }
759
760 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
761 {
762 struct l2cap_conn *conn = chan->conn;
763 struct l2cap_le_conn_rsp rsp;
764 u16 result;
765
766 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
767 result = L2CAP_CR_LE_AUTHORIZATION;
768 else
769 result = L2CAP_CR_LE_BAD_PSM;
770
771 l2cap_state_change(chan, BT_DISCONN);
772
773 rsp.dcid = cpu_to_le16(chan->scid);
774 rsp.mtu = cpu_to_le16(chan->imtu);
775 rsp.mps = cpu_to_le16(chan->mps);
776 rsp.credits = cpu_to_le16(chan->rx_credits);
777 rsp.result = cpu_to_le16(result);
778
779 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
780 &rsp);
781 }
782
783 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
784 {
785 l2cap_state_change(chan, BT_DISCONN);
786
787 __l2cap_ecred_conn_rsp_defer(chan);
788 }
789
790 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
791 {
792 struct l2cap_conn *conn = chan->conn;
793 struct l2cap_conn_rsp rsp;
794 u16 result;
795
796 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
797 result = L2CAP_CR_SEC_BLOCK;
798 else
799 result = L2CAP_CR_BAD_PSM;
800
801 l2cap_state_change(chan, BT_DISCONN);
802
803 rsp.scid = cpu_to_le16(chan->dcid);
804 rsp.dcid = cpu_to_le16(chan->scid);
805 rsp.result = cpu_to_le16(result);
806 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
807
808 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
809 }
810
811 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
812 {
813 struct l2cap_conn *conn = chan->conn;
814
815 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
816
817 switch (chan->state) {
818 case BT_LISTEN:
819 chan->ops->teardown(chan, 0);
820 break;
821
822 case BT_CONNECTED:
823 case BT_CONFIG:
824 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
825 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
826 l2cap_send_disconn_req(chan, reason);
827 } else
828 l2cap_chan_del(chan, reason);
829 break;
830
831 case BT_CONNECT2:
832 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
833 if (conn->hcon->type == ACL_LINK)
834 l2cap_chan_connect_reject(chan);
835 else if (conn->hcon->type == LE_LINK) {
836 switch (chan->mode) {
837 case L2CAP_MODE_LE_FLOWCTL:
838 l2cap_chan_le_connect_reject(chan);
839 break;
840 case L2CAP_MODE_EXT_FLOWCTL:
841 l2cap_chan_ecred_connect_reject(chan);
842 return;
843 }
844 }
845 }
846
847 l2cap_chan_del(chan, reason);
848 break;
849
850 case BT_CONNECT:
851 case BT_DISCONN:
852 l2cap_chan_del(chan, reason);
853 break;
854
855 default:
856 chan->ops->teardown(chan, 0);
857 break;
858 }
859 }
860 EXPORT_SYMBOL(l2cap_chan_close);
861
862 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
863 {
864 switch (chan->chan_type) {
865 case L2CAP_CHAN_RAW:
866 switch (chan->sec_level) {
867 case BT_SECURITY_HIGH:
868 case BT_SECURITY_FIPS:
869 return HCI_AT_DEDICATED_BONDING_MITM;
870 case BT_SECURITY_MEDIUM:
871 return HCI_AT_DEDICATED_BONDING;
872 default:
873 return HCI_AT_NO_BONDING;
874 }
875 break;
876 case L2CAP_CHAN_CONN_LESS:
877 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
878 if (chan->sec_level == BT_SECURITY_LOW)
879 chan->sec_level = BT_SECURITY_SDP;
880 }
881 if (chan->sec_level == BT_SECURITY_HIGH ||
882 chan->sec_level == BT_SECURITY_FIPS)
883 return HCI_AT_NO_BONDING_MITM;
884 else
885 return HCI_AT_NO_BONDING;
886 break;
887 case L2CAP_CHAN_CONN_ORIENTED:
888 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
889 if (chan->sec_level == BT_SECURITY_LOW)
890 chan->sec_level = BT_SECURITY_SDP;
891
892 if (chan->sec_level == BT_SECURITY_HIGH ||
893 chan->sec_level == BT_SECURITY_FIPS)
894 return HCI_AT_NO_BONDING_MITM;
895 else
896 return HCI_AT_NO_BONDING;
897 }
898 fallthrough;
899
900 default:
901 switch (chan->sec_level) {
902 case BT_SECURITY_HIGH:
903 case BT_SECURITY_FIPS:
904 return HCI_AT_GENERAL_BONDING_MITM;
905 case BT_SECURITY_MEDIUM:
906 return HCI_AT_GENERAL_BONDING;
907 default:
908 return HCI_AT_NO_BONDING;
909 }
910 break;
911 }
912 }
913
914 /* Service level security */
915 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
916 {
917 struct l2cap_conn *conn = chan->conn;
918 __u8 auth_type;
919
920 if (conn->hcon->type == LE_LINK)
921 return smp_conn_security(conn->hcon, chan->sec_level);
922
923 auth_type = l2cap_get_auth_type(chan);
924
925 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
926 initiator);
927 }
928
929 static u8 l2cap_get_ident(struct l2cap_conn *conn)
930 {
931 u8 id;
932
933 /* Get next available identificator.
934 * 1 - 128 are used by kernel.
935 * 129 - 199 are reserved.
936 * 200 - 254 are used by utilities like l2ping, etc.
937 */
938
939 mutex_lock(&conn->ident_lock);
940
941 if (++conn->tx_ident > 128)
942 conn->tx_ident = 1;
943
944 id = conn->tx_ident;
945
946 mutex_unlock(&conn->ident_lock);
947
948 return id;
949 }
950
951 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
952 void *data)
953 {
954 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
955 u8 flags;
956
957 BT_DBG("code 0x%2.2x", code);
958
959 if (!skb)
960 return;
961
962 /* Use NO_FLUSH if supported or we have an LE link (which does
963 * not support auto-flushing packets) */
964 if (lmp_no_flush_capable(conn->hcon->hdev) ||
965 conn->hcon->type == LE_LINK)
966 flags = ACL_START_NO_FLUSH;
967 else
968 flags = ACL_START;
969
970 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
971 skb->priority = HCI_PRIO_MAX;
972
973 hci_send_acl(conn->hchan, skb, flags);
974 }
975
976 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
977 {
978 struct hci_conn *hcon = chan->conn->hcon;
979 u16 flags;
980
981 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
982 skb->priority);
983
984 /* Use NO_FLUSH for LE links (where this is the only option) or
985 * if the BR/EDR link supports it and flushing has not been
986 * explicitly requested (through FLAG_FLUSHABLE).
987 */
988 if (hcon->type == LE_LINK ||
989 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
990 lmp_no_flush_capable(hcon->hdev)))
991 flags = ACL_START_NO_FLUSH;
992 else
993 flags = ACL_START;
994
995 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
996 hci_send_acl(chan->conn->hchan, skb, flags);
997 }
998
999 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
1000 {
1001 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
1002 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
1003
1004 if (enh & L2CAP_CTRL_FRAME_TYPE) {
1005 /* S-Frame */
1006 control->sframe = 1;
1007 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
1008 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1009
1010 control->sar = 0;
1011 control->txseq = 0;
1012 } else {
1013 /* I-Frame */
1014 control->sframe = 0;
1015 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1016 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1017
1018 control->poll = 0;
1019 control->super = 0;
1020 }
1021 }
1022
1023 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1024 {
1025 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1026 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1027
1028 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1029 /* S-Frame */
1030 control->sframe = 1;
1031 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1032 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1033
1034 control->sar = 0;
1035 control->txseq = 0;
1036 } else {
1037 /* I-Frame */
1038 control->sframe = 0;
1039 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1040 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1041
1042 control->poll = 0;
1043 control->super = 0;
1044 }
1045 }
1046
1047 static inline void __unpack_control(struct l2cap_chan *chan,
1048 struct sk_buff *skb)
1049 {
1050 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1051 __unpack_extended_control(get_unaligned_le32(skb->data),
1052 &bt_cb(skb)->l2cap);
1053 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1054 } else {
1055 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1056 &bt_cb(skb)->l2cap);
1057 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1058 }
1059 }
1060
1061 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1062 {
1063 u32 packed;
1064
1065 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1066 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1067
1068 if (control->sframe) {
1069 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1070 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1071 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1072 } else {
1073 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1074 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1075 }
1076
1077 return packed;
1078 }
1079
1080 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1081 {
1082 u16 packed;
1083
1084 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1085 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1086
1087 if (control->sframe) {
1088 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1089 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1090 packed |= L2CAP_CTRL_FRAME_TYPE;
1091 } else {
1092 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1093 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1094 }
1095
1096 return packed;
1097 }
1098
1099 static inline void __pack_control(struct l2cap_chan *chan,
1100 struct l2cap_ctrl *control,
1101 struct sk_buff *skb)
1102 {
1103 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1104 put_unaligned_le32(__pack_extended_control(control),
1105 skb->data + L2CAP_HDR_SIZE);
1106 } else {
1107 put_unaligned_le16(__pack_enhanced_control(control),
1108 skb->data + L2CAP_HDR_SIZE);
1109 }
1110 }
1111
1112 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1113 {
1114 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1115 return L2CAP_EXT_HDR_SIZE;
1116 else
1117 return L2CAP_ENH_HDR_SIZE;
1118 }
1119
1120 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1121 u32 control)
1122 {
1123 struct sk_buff *skb;
1124 struct l2cap_hdr *lh;
1125 int hlen = __ertm_hdr_size(chan);
1126
1127 if (chan->fcs == L2CAP_FCS_CRC16)
1128 hlen += L2CAP_FCS_SIZE;
1129
1130 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1131
1132 if (!skb)
1133 return ERR_PTR(-ENOMEM);
1134
1135 lh = skb_put(skb, L2CAP_HDR_SIZE);
1136 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1137 lh->cid = cpu_to_le16(chan->dcid);
1138
1139 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1140 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1141 else
1142 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1143
1144 if (chan->fcs == L2CAP_FCS_CRC16) {
1145 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1146 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1147 }
1148
1149 skb->priority = HCI_PRIO_MAX;
1150 return skb;
1151 }
1152
1153 static void l2cap_send_sframe(struct l2cap_chan *chan,
1154 struct l2cap_ctrl *control)
1155 {
1156 struct sk_buff *skb;
1157 u32 control_field;
1158
1159 BT_DBG("chan %p, control %p", chan, control);
1160
1161 if (!control->sframe)
1162 return;
1163
1164 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1165 !control->poll)
1166 control->final = 1;
1167
1168 if (control->super == L2CAP_SUPER_RR)
1169 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1170 else if (control->super == L2CAP_SUPER_RNR)
1171 set_bit(CONN_RNR_SENT, &chan->conn_state);
1172
1173 if (control->super != L2CAP_SUPER_SREJ) {
1174 chan->last_acked_seq = control->reqseq;
1175 __clear_ack_timer(chan);
1176 }
1177
1178 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1179 control->final, control->poll, control->super);
1180
1181 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1182 control_field = __pack_extended_control(control);
1183 else
1184 control_field = __pack_enhanced_control(control);
1185
1186 skb = l2cap_create_sframe_pdu(chan, control_field);
1187 if (!IS_ERR(skb))
1188 l2cap_do_send(chan, skb);
1189 }
1190
1191 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1192 {
1193 struct l2cap_ctrl control;
1194
1195 BT_DBG("chan %p, poll %d", chan, poll);
1196
1197 memset(&control, 0, sizeof(control));
1198 control.sframe = 1;
1199 control.poll = poll;
1200
1201 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1202 control.super = L2CAP_SUPER_RNR;
1203 else
1204 control.super = L2CAP_SUPER_RR;
1205
1206 control.reqseq = chan->buffer_seq;
1207 l2cap_send_sframe(chan, &control);
1208 }
1209
1210 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1211 {
1212 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1213 return true;
1214
1215 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1216 }
1217
1218 void l2cap_send_conn_req(struct l2cap_chan *chan)
1219 {
1220 struct l2cap_conn *conn = chan->conn;
1221 struct l2cap_conn_req req;
1222
1223 req.scid = cpu_to_le16(chan->scid);
1224 req.psm = chan->psm;
1225
1226 chan->ident = l2cap_get_ident(conn);
1227
1228 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1229
1230 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1231 }
1232
1233 static void l2cap_chan_ready(struct l2cap_chan *chan)
1234 {
1235 /* The channel may have already been flagged as connected in
1236 * case of receiving data before the L2CAP info req/rsp
1237 * procedure is complete.
1238 */
1239 if (chan->state == BT_CONNECTED)
1240 return;
1241
1242 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1243 chan->conf_state = 0;
1244 __clear_chan_timer(chan);
1245
1246 switch (chan->mode) {
1247 case L2CAP_MODE_LE_FLOWCTL:
1248 case L2CAP_MODE_EXT_FLOWCTL:
1249 if (!chan->tx_credits)
1250 chan->ops->suspend(chan);
1251 break;
1252 }
1253
1254 chan->state = BT_CONNECTED;
1255
1256 chan->ops->ready(chan);
1257 }
1258
1259 static void l2cap_le_connect(struct l2cap_chan *chan)
1260 {
1261 struct l2cap_conn *conn = chan->conn;
1262 struct l2cap_le_conn_req req;
1263
1264 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1265 return;
1266
1267 if (!chan->imtu)
1268 chan->imtu = chan->conn->mtu;
1269
1270 l2cap_le_flowctl_init(chan, 0);
1271
1272 memset(&req, 0, sizeof(req));
1273 req.psm = chan->psm;
1274 req.scid = cpu_to_le16(chan->scid);
1275 req.mtu = cpu_to_le16(chan->imtu);
1276 req.mps = cpu_to_le16(chan->mps);
1277 req.credits = cpu_to_le16(chan->rx_credits);
1278
1279 chan->ident = l2cap_get_ident(conn);
1280
1281 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1282 sizeof(req), &req);
1283 }
1284
1285 struct l2cap_ecred_conn_data {
1286 struct {
1287 struct l2cap_ecred_conn_req_hdr req;
1288 __le16 scid[5];
1289 } __packed pdu;
1290 struct l2cap_chan *chan;
1291 struct pid *pid;
1292 int count;
1293 };
1294
1295 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1296 {
1297 struct l2cap_ecred_conn_data *conn = data;
1298 struct pid *pid;
1299
1300 if (chan == conn->chan)
1301 return;
1302
1303 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1304 return;
1305
1306 pid = chan->ops->get_peer_pid(chan);
1307
1308 /* Only add deferred channels with the same PID/PSM */
1309 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1310 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1311 return;
1312
1313 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1314 return;
1315
1316 l2cap_ecred_init(chan, 0);
1317
1318 /* Set the same ident so we can match on the rsp */
1319 chan->ident = conn->chan->ident;
1320
1321 /* Include all channels deferred */
1322 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1323
1324 conn->count++;
1325 }
1326
1327 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1328 {
1329 struct l2cap_conn *conn = chan->conn;
1330 struct l2cap_ecred_conn_data data;
1331
1332 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1333 return;
1334
1335 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1336 return;
1337
1338 l2cap_ecred_init(chan, 0);
1339
1340 memset(&data, 0, sizeof(data));
1341 data.pdu.req.psm = chan->psm;
1342 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1343 data.pdu.req.mps = cpu_to_le16(chan->mps);
1344 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1345 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1346
1347 chan->ident = l2cap_get_ident(conn);
1348
1349 data.count = 1;
1350 data.chan = chan;
1351 data.pid = chan->ops->get_peer_pid(chan);
1352
1353 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1354
1355 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1356 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1357 &data.pdu);
1358 }
1359
1360 static void l2cap_le_start(struct l2cap_chan *chan)
1361 {
1362 struct l2cap_conn *conn = chan->conn;
1363
1364 if (!smp_conn_security(conn->hcon, chan->sec_level))
1365 return;
1366
1367 if (!chan->psm) {
1368 l2cap_chan_ready(chan);
1369 return;
1370 }
1371
1372 if (chan->state == BT_CONNECT) {
1373 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1374 l2cap_ecred_connect(chan);
1375 else
1376 l2cap_le_connect(chan);
1377 }
1378 }
1379
1380 static void l2cap_start_connection(struct l2cap_chan *chan)
1381 {
1382 if (chan->conn->hcon->type == LE_LINK) {
1383 l2cap_le_start(chan);
1384 } else {
1385 l2cap_send_conn_req(chan);
1386 }
1387 }
1388
1389 static void l2cap_request_info(struct l2cap_conn *conn)
1390 {
1391 struct l2cap_info_req req;
1392
1393 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1394 return;
1395
1396 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1397
1398 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1399 conn->info_ident = l2cap_get_ident(conn);
1400
1401 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1402
1403 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1404 sizeof(req), &req);
1405 }
1406
1407 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1408 {
1409 /* The minimum encryption key size needs to be enforced by the
1410 * host stack before establishing any L2CAP connections. The
1411 * specification in theory allows a minimum of 1, but to align
1412 * BR/EDR and LE transports, a minimum of 7 is chosen.
1413 *
1414 * This check might also be called for unencrypted connections
1415 * that have no key size requirements. Ensure that the link is
1416 * actually encrypted before enforcing a key size.
1417 */
1418 int min_key_size = hcon->hdev->min_enc_key_size;
1419
1420 /* On FIPS security level, key size must be 16 bytes */
1421 if (hcon->sec_level == BT_SECURITY_FIPS)
1422 min_key_size = 16;
1423
1424 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1425 hcon->enc_key_size >= min_key_size);
1426 }
1427
1428 static void l2cap_do_start(struct l2cap_chan *chan)
1429 {
1430 struct l2cap_conn *conn = chan->conn;
1431
1432 if (conn->hcon->type == LE_LINK) {
1433 l2cap_le_start(chan);
1434 return;
1435 }
1436
1437 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1438 l2cap_request_info(conn);
1439 return;
1440 }
1441
1442 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1443 return;
1444
1445 if (!l2cap_chan_check_security(chan, true) ||
1446 !__l2cap_no_conn_pending(chan))
1447 return;
1448
1449 if (l2cap_check_enc_key_size(conn->hcon))
1450 l2cap_start_connection(chan);
1451 else
1452 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1453 }
1454
1455 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1456 {
1457 u32 local_feat_mask = l2cap_feat_mask;
1458 if (!disable_ertm)
1459 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1460
1461 switch (mode) {
1462 case L2CAP_MODE_ERTM:
1463 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1464 case L2CAP_MODE_STREAMING:
1465 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1466 default:
1467 return 0x00;
1468 }
1469 }
1470
1471 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1472 {
1473 struct l2cap_conn *conn = chan->conn;
1474 struct l2cap_disconn_req req;
1475
1476 if (!conn)
1477 return;
1478
1479 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1480 __clear_retrans_timer(chan);
1481 __clear_monitor_timer(chan);
1482 __clear_ack_timer(chan);
1483 }
1484
1485 req.dcid = cpu_to_le16(chan->dcid);
1486 req.scid = cpu_to_le16(chan->scid);
1487 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1488 sizeof(req), &req);
1489
1490 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1491 }
1492
1493 /* ---- L2CAP connections ---- */
1494 static void l2cap_conn_start(struct l2cap_conn *conn)
1495 {
1496 struct l2cap_chan *chan, *tmp;
1497
1498 BT_DBG("conn %p", conn);
1499
1500 mutex_lock(&conn->chan_lock);
1501
1502 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1503 l2cap_chan_lock(chan);
1504
1505 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1506 l2cap_chan_ready(chan);
1507 l2cap_chan_unlock(chan);
1508 continue;
1509 }
1510
1511 if (chan->state == BT_CONNECT) {
1512 if (!l2cap_chan_check_security(chan, true) ||
1513 !__l2cap_no_conn_pending(chan)) {
1514 l2cap_chan_unlock(chan);
1515 continue;
1516 }
1517
1518 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1519 && test_bit(CONF_STATE2_DEVICE,
1520 &chan->conf_state)) {
1521 l2cap_chan_close(chan, ECONNRESET);
1522 l2cap_chan_unlock(chan);
1523 continue;
1524 }
1525
1526 if (l2cap_check_enc_key_size(conn->hcon))
1527 l2cap_start_connection(chan);
1528 else
1529 l2cap_chan_close(chan, ECONNREFUSED);
1530
1531 } else if (chan->state == BT_CONNECT2) {
1532 struct l2cap_conn_rsp rsp;
1533 char buf[128];
1534 rsp.scid = cpu_to_le16(chan->dcid);
1535 rsp.dcid = cpu_to_le16(chan->scid);
1536
1537 if (l2cap_chan_check_security(chan, false)) {
1538 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1539 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1540 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1541 chan->ops->defer(chan);
1542
1543 } else {
1544 l2cap_state_change(chan, BT_CONFIG);
1545 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1546 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1547 }
1548 } else {
1549 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1550 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1551 }
1552
1553 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1554 sizeof(rsp), &rsp);
1555
1556 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1557 rsp.result != L2CAP_CR_SUCCESS) {
1558 l2cap_chan_unlock(chan);
1559 continue;
1560 }
1561
1562 set_bit(CONF_REQ_SENT, &chan->conf_state);
1563 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1564 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1565 chan->num_conf_req++;
1566 }
1567
1568 l2cap_chan_unlock(chan);
1569 }
1570
1571 mutex_unlock(&conn->chan_lock);
1572 }
1573
1574 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1575 {
1576 struct hci_conn *hcon = conn->hcon;
1577 struct hci_dev *hdev = hcon->hdev;
1578
1579 BT_DBG("%s conn %p", hdev->name, conn);
1580
1581 /* For outgoing pairing which doesn't necessarily have an
1582 * associated socket (e.g. mgmt_pair_device).
1583 */
1584 if (hcon->out)
1585 smp_conn_security(hcon, hcon->pending_sec_level);
1586
1587 /* For LE peripheral connections, make sure the connection interval
1588 * is in the range of the minimum and maximum interval that has
1589 * been configured for this connection. If not, then trigger
1590 * the connection update procedure.
1591 */
1592 if (hcon->role == HCI_ROLE_SLAVE &&
1593 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1594 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1595 struct l2cap_conn_param_update_req req;
1596
1597 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1598 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1599 req.latency = cpu_to_le16(hcon->le_conn_latency);
1600 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1601
1602 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1603 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1604 }
1605 }
1606
1607 static void l2cap_conn_ready(struct l2cap_conn *conn)
1608 {
1609 struct l2cap_chan *chan;
1610 struct hci_conn *hcon = conn->hcon;
1611
1612 BT_DBG("conn %p", conn);
1613
1614 if (hcon->type == ACL_LINK)
1615 l2cap_request_info(conn);
1616
1617 mutex_lock(&conn->chan_lock);
1618
1619 list_for_each_entry(chan, &conn->chan_l, list) {
1620
1621 l2cap_chan_lock(chan);
1622
1623 if (hcon->type == LE_LINK) {
1624 l2cap_le_start(chan);
1625 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1626 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1627 l2cap_chan_ready(chan);
1628 } else if (chan->state == BT_CONNECT) {
1629 l2cap_do_start(chan);
1630 }
1631
1632 l2cap_chan_unlock(chan);
1633 }
1634
1635 mutex_unlock(&conn->chan_lock);
1636
1637 if (hcon->type == LE_LINK)
1638 l2cap_le_conn_ready(conn);
1639
1640 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1641 }
1642
1643 /* Notify sockets that we cannot guaranty reliability anymore */
1644 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1645 {
1646 struct l2cap_chan *chan;
1647
1648 BT_DBG("conn %p", conn);
1649
1650 mutex_lock(&conn->chan_lock);
1651
1652 list_for_each_entry(chan, &conn->chan_l, list) {
1653 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1654 l2cap_chan_set_err(chan, err);
1655 }
1656
1657 mutex_unlock(&conn->chan_lock);
1658 }
1659
1660 static void l2cap_info_timeout(struct work_struct *work)
1661 {
1662 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1663 info_timer.work);
1664
1665 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1666 conn->info_ident = 0;
1667
1668 l2cap_conn_start(conn);
1669 }
1670
1671 /*
1672 * l2cap_user
1673 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1674 * callback is called during registration. The ->remove callback is called
1675 * during unregistration.
1676 * An l2cap_user object can either be explicitly unregistered or when the
1677 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1678 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1679 * External modules must own a reference to the l2cap_conn object if they intend
1680 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1681 * any time if they don't.
1682 */
1683
1684 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1685 {
1686 struct hci_dev *hdev = conn->hcon->hdev;
1687 int ret;
1688
1689 /* We need to check whether l2cap_conn is registered. If it is not, we
1690 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1691 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1692 * relies on the parent hci_conn object to be locked. This itself relies
1693 * on the hci_dev object to be locked. So we must lock the hci device
1694 * here, too. */
1695
1696 hci_dev_lock(hdev);
1697
1698 if (!list_empty(&user->list)) {
1699 ret = -EINVAL;
1700 goto out_unlock;
1701 }
1702
1703 /* conn->hchan is NULL after l2cap_conn_del() was called */
1704 if (!conn->hchan) {
1705 ret = -ENODEV;
1706 goto out_unlock;
1707 }
1708
1709 ret = user->probe(conn, user);
1710 if (ret)
1711 goto out_unlock;
1712
1713 list_add(&user->list, &conn->users);
1714 ret = 0;
1715
1716 out_unlock:
1717 hci_dev_unlock(hdev);
1718 return ret;
1719 }
1720 EXPORT_SYMBOL(l2cap_register_user);
1721
1722 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1723 {
1724 struct hci_dev *hdev = conn->hcon->hdev;
1725
1726 hci_dev_lock(hdev);
1727
1728 if (list_empty(&user->list))
1729 goto out_unlock;
1730
1731 list_del_init(&user->list);
1732 user->remove(conn, user);
1733
1734 out_unlock:
1735 hci_dev_unlock(hdev);
1736 }
1737 EXPORT_SYMBOL(l2cap_unregister_user);
1738
1739 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1740 {
1741 struct l2cap_user *user;
1742
1743 while (!list_empty(&conn->users)) {
1744 user = list_first_entry(&conn->users, struct l2cap_user, list);
1745 list_del_init(&user->list);
1746 user->remove(conn, user);
1747 }
1748 }
1749
1750 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1751 {
1752 struct l2cap_conn *conn = hcon->l2cap_data;
1753 struct l2cap_chan *chan, *l;
1754
1755 if (!conn)
1756 return;
1757
1758 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1759
1760 kfree_skb(conn->rx_skb);
1761
1762 skb_queue_purge(&conn->pending_rx);
1763
1764 /* We can not call flush_work(&conn->pending_rx_work) here since we
1765 * might block if we are running on a worker from the same workqueue
1766 * pending_rx_work is waiting on.
1767 */
1768 if (work_pending(&conn->pending_rx_work))
1769 cancel_work_sync(&conn->pending_rx_work);
1770
1771 cancel_delayed_work_sync(&conn->id_addr_timer);
1772
1773 l2cap_unregister_all_users(conn);
1774
1775 /* Force the connection to be immediately dropped */
1776 hcon->disc_timeout = 0;
1777
1778 mutex_lock(&conn->chan_lock);
1779
1780 /* Kill channels */
1781 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1782 l2cap_chan_hold(chan);
1783 l2cap_chan_lock(chan);
1784
1785 l2cap_chan_del(chan, err);
1786
1787 chan->ops->close(chan);
1788
1789 l2cap_chan_unlock(chan);
1790 l2cap_chan_put(chan);
1791 }
1792
1793 mutex_unlock(&conn->chan_lock);
1794
1795 hci_chan_del(conn->hchan);
1796
1797 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1798 cancel_delayed_work_sync(&conn->info_timer);
1799
1800 hcon->l2cap_data = NULL;
1801 conn->hchan = NULL;
1802 l2cap_conn_put(conn);
1803 }
1804
1805 static void l2cap_conn_free(struct kref *ref)
1806 {
1807 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1808
1809 hci_conn_put(conn->hcon);
1810 kfree(conn);
1811 }
1812
1813 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1814 {
1815 kref_get(&conn->ref);
1816 return conn;
1817 }
1818 EXPORT_SYMBOL(l2cap_conn_get);
1819
1820 void l2cap_conn_put(struct l2cap_conn *conn)
1821 {
1822 kref_put(&conn->ref, l2cap_conn_free);
1823 }
1824 EXPORT_SYMBOL(l2cap_conn_put);
1825
1826 /* ---- Socket interface ---- */
1827
1828 /* Find socket with psm and source / destination bdaddr.
1829 * Returns closest match.
1830 */
1831 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1832 bdaddr_t *src,
1833 bdaddr_t *dst,
1834 u8 link_type)
1835 {
1836 struct l2cap_chan *c, *tmp, *c1 = NULL;
1837
1838 read_lock(&chan_list_lock);
1839
1840 list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
1841 if (state && c->state != state)
1842 continue;
1843
1844 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1845 continue;
1846
1847 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1848 continue;
1849
1850 if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
1851 int src_match, dst_match;
1852 int src_any, dst_any;
1853
1854 /* Exact match. */
1855 src_match = !bacmp(&c->src, src);
1856 dst_match = !bacmp(&c->dst, dst);
1857 if (src_match && dst_match) {
1858 if (!l2cap_chan_hold_unless_zero(c))
1859 continue;
1860
1861 read_unlock(&chan_list_lock);
1862 return c;
1863 }
1864
1865 /* Closest match */
1866 src_any = !bacmp(&c->src, BDADDR_ANY);
1867 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1868 if ((src_match && dst_any) || (src_any && dst_match) ||
1869 (src_any && dst_any))
1870 c1 = c;
1871 }
1872 }
1873
1874 if (c1)
1875 c1 = l2cap_chan_hold_unless_zero(c1);
1876
1877 read_unlock(&chan_list_lock);
1878
1879 return c1;
1880 }
1881
1882 static void l2cap_monitor_timeout(struct work_struct *work)
1883 {
1884 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1885 monitor_timer.work);
1886
1887 BT_DBG("chan %p", chan);
1888
1889 l2cap_chan_lock(chan);
1890
1891 if (!chan->conn) {
1892 l2cap_chan_unlock(chan);
1893 l2cap_chan_put(chan);
1894 return;
1895 }
1896
1897 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1898
1899 l2cap_chan_unlock(chan);
1900 l2cap_chan_put(chan);
1901 }
1902
1903 static void l2cap_retrans_timeout(struct work_struct *work)
1904 {
1905 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1906 retrans_timer.work);
1907
1908 BT_DBG("chan %p", chan);
1909
1910 l2cap_chan_lock(chan);
1911
1912 if (!chan->conn) {
1913 l2cap_chan_unlock(chan);
1914 l2cap_chan_put(chan);
1915 return;
1916 }
1917
1918 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1919 l2cap_chan_unlock(chan);
1920 l2cap_chan_put(chan);
1921 }
1922
1923 static void l2cap_streaming_send(struct l2cap_chan *chan,
1924 struct sk_buff_head *skbs)
1925 {
1926 struct sk_buff *skb;
1927 struct l2cap_ctrl *control;
1928
1929 BT_DBG("chan %p, skbs %p", chan, skbs);
1930
1931 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1932
1933 while (!skb_queue_empty(&chan->tx_q)) {
1934
1935 skb = skb_dequeue(&chan->tx_q);
1936
1937 bt_cb(skb)->l2cap.retries = 1;
1938 control = &bt_cb(skb)->l2cap;
1939
1940 control->reqseq = 0;
1941 control->txseq = chan->next_tx_seq;
1942
1943 __pack_control(chan, control, skb);
1944
1945 if (chan->fcs == L2CAP_FCS_CRC16) {
1946 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1947 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1948 }
1949
1950 l2cap_do_send(chan, skb);
1951
1952 BT_DBG("Sent txseq %u", control->txseq);
1953
1954 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1955 chan->frames_sent++;
1956 }
1957 }
1958
1959 static int l2cap_ertm_send(struct l2cap_chan *chan)
1960 {
1961 struct sk_buff *skb, *tx_skb;
1962 struct l2cap_ctrl *control;
1963 int sent = 0;
1964
1965 BT_DBG("chan %p", chan);
1966
1967 if (chan->state != BT_CONNECTED)
1968 return -ENOTCONN;
1969
1970 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1971 return 0;
1972
1973 while (chan->tx_send_head &&
1974 chan->unacked_frames < chan->remote_tx_win &&
1975 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1976
1977 skb = chan->tx_send_head;
1978
1979 bt_cb(skb)->l2cap.retries = 1;
1980 control = &bt_cb(skb)->l2cap;
1981
1982 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1983 control->final = 1;
1984
1985 control->reqseq = chan->buffer_seq;
1986 chan->last_acked_seq = chan->buffer_seq;
1987 control->txseq = chan->next_tx_seq;
1988
1989 __pack_control(chan, control, skb);
1990
1991 if (chan->fcs == L2CAP_FCS_CRC16) {
1992 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1993 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1994 }
1995
1996 /* Clone after data has been modified. Data is assumed to be
1997 read-only (for locking purposes) on cloned sk_buffs.
1998 */
1999 tx_skb = skb_clone(skb, GFP_KERNEL);
2000
2001 if (!tx_skb)
2002 break;
2003
2004 __set_retrans_timer(chan);
2005
2006 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2007 chan->unacked_frames++;
2008 chan->frames_sent++;
2009 sent++;
2010
2011 if (skb_queue_is_last(&chan->tx_q, skb))
2012 chan->tx_send_head = NULL;
2013 else
2014 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2015
2016 l2cap_do_send(chan, tx_skb);
2017 BT_DBG("Sent txseq %u", control->txseq);
2018 }
2019
2020 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2021 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2022
2023 return sent;
2024 }
2025
2026 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2027 {
2028 struct l2cap_ctrl control;
2029 struct sk_buff *skb;
2030 struct sk_buff *tx_skb;
2031 u16 seq;
2032
2033 BT_DBG("chan %p", chan);
2034
2035 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2036 return;
2037
2038 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2039 seq = l2cap_seq_list_pop(&chan->retrans_list);
2040
2041 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2042 if (!skb) {
2043 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2044 seq);
2045 continue;
2046 }
2047
2048 bt_cb(skb)->l2cap.retries++;
2049 control = bt_cb(skb)->l2cap;
2050
2051 if (chan->max_tx != 0 &&
2052 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2053 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2054 l2cap_send_disconn_req(chan, ECONNRESET);
2055 l2cap_seq_list_clear(&chan->retrans_list);
2056 break;
2057 }
2058
2059 control.reqseq = chan->buffer_seq;
2060 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2061 control.final = 1;
2062 else
2063 control.final = 0;
2064
2065 if (skb_cloned(skb)) {
2066 /* Cloned sk_buffs are read-only, so we need a
2067 * writeable copy
2068 */
2069 tx_skb = skb_copy(skb, GFP_KERNEL);
2070 } else {
2071 tx_skb = skb_clone(skb, GFP_KERNEL);
2072 }
2073
2074 if (!tx_skb) {
2075 l2cap_seq_list_clear(&chan->retrans_list);
2076 break;
2077 }
2078
2079 /* Update skb contents */
2080 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2081 put_unaligned_le32(__pack_extended_control(&control),
2082 tx_skb->data + L2CAP_HDR_SIZE);
2083 } else {
2084 put_unaligned_le16(__pack_enhanced_control(&control),
2085 tx_skb->data + L2CAP_HDR_SIZE);
2086 }
2087
2088 /* Update FCS */
2089 if (chan->fcs == L2CAP_FCS_CRC16) {
2090 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2091 tx_skb->len - L2CAP_FCS_SIZE);
2092 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2093 L2CAP_FCS_SIZE);
2094 }
2095
2096 l2cap_do_send(chan, tx_skb);
2097
2098 BT_DBG("Resent txseq %d", control.txseq);
2099
2100 chan->last_acked_seq = chan->buffer_seq;
2101 }
2102 }
2103
2104 static void l2cap_retransmit(struct l2cap_chan *chan,
2105 struct l2cap_ctrl *control)
2106 {
2107 BT_DBG("chan %p, control %p", chan, control);
2108
2109 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2110 l2cap_ertm_resend(chan);
2111 }
2112
2113 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2114 struct l2cap_ctrl *control)
2115 {
2116 struct sk_buff *skb;
2117
2118 BT_DBG("chan %p, control %p", chan, control);
2119
2120 if (control->poll)
2121 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2122
2123 l2cap_seq_list_clear(&chan->retrans_list);
2124
2125 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2126 return;
2127
2128 if (chan->unacked_frames) {
2129 skb_queue_walk(&chan->tx_q, skb) {
2130 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2131 skb == chan->tx_send_head)
2132 break;
2133 }
2134
2135 skb_queue_walk_from(&chan->tx_q, skb) {
2136 if (skb == chan->tx_send_head)
2137 break;
2138
2139 l2cap_seq_list_append(&chan->retrans_list,
2140 bt_cb(skb)->l2cap.txseq);
2141 }
2142
2143 l2cap_ertm_resend(chan);
2144 }
2145 }
2146
2147 static void l2cap_send_ack(struct l2cap_chan *chan)
2148 {
2149 struct l2cap_ctrl control;
2150 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2151 chan->last_acked_seq);
2152 int threshold;
2153
2154 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2155 chan, chan->last_acked_seq, chan->buffer_seq);
2156
2157 memset(&control, 0, sizeof(control));
2158 control.sframe = 1;
2159
2160 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2161 chan->rx_state == L2CAP_RX_STATE_RECV) {
2162 __clear_ack_timer(chan);
2163 control.super = L2CAP_SUPER_RNR;
2164 control.reqseq = chan->buffer_seq;
2165 l2cap_send_sframe(chan, &control);
2166 } else {
2167 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2168 l2cap_ertm_send(chan);
2169 /* If any i-frames were sent, they included an ack */
2170 if (chan->buffer_seq == chan->last_acked_seq)
2171 frames_to_ack = 0;
2172 }
2173
2174 /* Ack now if the window is 3/4ths full.
2175 * Calculate without mul or div
2176 */
2177 threshold = chan->ack_win;
2178 threshold += threshold << 1;
2179 threshold >>= 2;
2180
2181 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2182 threshold);
2183
2184 if (frames_to_ack >= threshold) {
2185 __clear_ack_timer(chan);
2186 control.super = L2CAP_SUPER_RR;
2187 control.reqseq = chan->buffer_seq;
2188 l2cap_send_sframe(chan, &control);
2189 frames_to_ack = 0;
2190 }
2191
2192 if (frames_to_ack)
2193 __set_ack_timer(chan);
2194 }
2195 }
2196
2197 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2198 struct msghdr *msg, int len,
2199 int count, struct sk_buff *skb)
2200 {
2201 struct l2cap_conn *conn = chan->conn;
2202 struct sk_buff **frag;
2203 int sent = 0;
2204
2205 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2206 return -EFAULT;
2207
2208 sent += count;
2209 len -= count;
2210
2211 /* Continuation fragments (no L2CAP header) */
2212 frag = &skb_shinfo(skb)->frag_list;
2213 while (len) {
2214 struct sk_buff *tmp;
2215
2216 count = min_t(unsigned int, conn->mtu, len);
2217
2218 tmp = chan->ops->alloc_skb(chan, 0, count,
2219 msg->msg_flags & MSG_DONTWAIT);
2220 if (IS_ERR(tmp))
2221 return PTR_ERR(tmp);
2222
2223 *frag = tmp;
2224
2225 if (!copy_from_iter_full(skb_put(*frag, count), count,
2226 &msg->msg_iter))
2227 return -EFAULT;
2228
2229 sent += count;
2230 len -= count;
2231
2232 skb->len += (*frag)->len;
2233 skb->data_len += (*frag)->len;
2234
2235 frag = &(*frag)->next;
2236 }
2237
2238 return sent;
2239 }
2240
2241 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2242 struct msghdr *msg, size_t len)
2243 {
2244 struct l2cap_conn *conn = chan->conn;
2245 struct sk_buff *skb;
2246 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2247 struct l2cap_hdr *lh;
2248
2249 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2250 __le16_to_cpu(chan->psm), len);
2251
2252 count = min_t(unsigned int, (conn->mtu - hlen), len);
2253
2254 skb = chan->ops->alloc_skb(chan, hlen, count,
2255 msg->msg_flags & MSG_DONTWAIT);
2256 if (IS_ERR(skb))
2257 return skb;
2258
2259 /* Create L2CAP header */
2260 lh = skb_put(skb, L2CAP_HDR_SIZE);
2261 lh->cid = cpu_to_le16(chan->dcid);
2262 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2263 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2264
2265 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2266 if (unlikely(err < 0)) {
2267 kfree_skb(skb);
2268 return ERR_PTR(err);
2269 }
2270 return skb;
2271 }
2272
2273 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2274 struct msghdr *msg, size_t len)
2275 {
2276 struct l2cap_conn *conn = chan->conn;
2277 struct sk_buff *skb;
2278 int err, count;
2279 struct l2cap_hdr *lh;
2280
2281 BT_DBG("chan %p len %zu", chan, len);
2282
2283 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2284
2285 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2286 msg->msg_flags & MSG_DONTWAIT);
2287 if (IS_ERR(skb))
2288 return skb;
2289
2290 /* Create L2CAP header */
2291 lh = skb_put(skb, L2CAP_HDR_SIZE);
2292 lh->cid = cpu_to_le16(chan->dcid);
2293 lh->len = cpu_to_le16(len);
2294
2295 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2296 if (unlikely(err < 0)) {
2297 kfree_skb(skb);
2298 return ERR_PTR(err);
2299 }
2300 return skb;
2301 }
2302
2303 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2304 struct msghdr *msg, size_t len,
2305 u16 sdulen)
2306 {
2307 struct l2cap_conn *conn = chan->conn;
2308 struct sk_buff *skb;
2309 int err, count, hlen;
2310 struct l2cap_hdr *lh;
2311
2312 BT_DBG("chan %p len %zu", chan, len);
2313
2314 if (!conn)
2315 return ERR_PTR(-ENOTCONN);
2316
2317 hlen = __ertm_hdr_size(chan);
2318
2319 if (sdulen)
2320 hlen += L2CAP_SDULEN_SIZE;
2321
2322 if (chan->fcs == L2CAP_FCS_CRC16)
2323 hlen += L2CAP_FCS_SIZE;
2324
2325 count = min_t(unsigned int, (conn->mtu - hlen), len);
2326
2327 skb = chan->ops->alloc_skb(chan, hlen, count,
2328 msg->msg_flags & MSG_DONTWAIT);
2329 if (IS_ERR(skb))
2330 return skb;
2331
2332 /* Create L2CAP header */
2333 lh = skb_put(skb, L2CAP_HDR_SIZE);
2334 lh->cid = cpu_to_le16(chan->dcid);
2335 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2336
2337 /* Control header is populated later */
2338 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2339 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2340 else
2341 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2342
2343 if (sdulen)
2344 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2345
2346 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2347 if (unlikely(err < 0)) {
2348 kfree_skb(skb);
2349 return ERR_PTR(err);
2350 }
2351
2352 bt_cb(skb)->l2cap.fcs = chan->fcs;
2353 bt_cb(skb)->l2cap.retries = 0;
2354 return skb;
2355 }
2356
2357 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2358 struct sk_buff_head *seg_queue,
2359 struct msghdr *msg, size_t len)
2360 {
2361 struct sk_buff *skb;
2362 u16 sdu_len;
2363 size_t pdu_len;
2364 u8 sar;
2365
2366 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2367
2368 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2369 * so fragmented skbs are not used. The HCI layer's handling
2370 * of fragmented skbs is not compatible with ERTM's queueing.
2371 */
2372
2373 /* PDU size is derived from the HCI MTU */
2374 pdu_len = chan->conn->mtu;
2375
2376 /* Constrain PDU size for BR/EDR connections */
2377 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2378
2379 /* Adjust for largest possible L2CAP overhead. */
2380 if (chan->fcs)
2381 pdu_len -= L2CAP_FCS_SIZE;
2382
2383 pdu_len -= __ertm_hdr_size(chan);
2384
2385 /* Remote device may have requested smaller PDUs */
2386 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2387
2388 if (len <= pdu_len) {
2389 sar = L2CAP_SAR_UNSEGMENTED;
2390 sdu_len = 0;
2391 pdu_len = len;
2392 } else {
2393 sar = L2CAP_SAR_START;
2394 sdu_len = len;
2395 }
2396
2397 while (len > 0) {
2398 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2399
2400 if (IS_ERR(skb)) {
2401 __skb_queue_purge(seg_queue);
2402 return PTR_ERR(skb);
2403 }
2404
2405 bt_cb(skb)->l2cap.sar = sar;
2406 __skb_queue_tail(seg_queue, skb);
2407
2408 len -= pdu_len;
2409 if (sdu_len)
2410 sdu_len = 0;
2411
2412 if (len <= pdu_len) {
2413 sar = L2CAP_SAR_END;
2414 pdu_len = len;
2415 } else {
2416 sar = L2CAP_SAR_CONTINUE;
2417 }
2418 }
2419
2420 return 0;
2421 }
2422
2423 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2424 struct msghdr *msg,
2425 size_t len, u16 sdulen)
2426 {
2427 struct l2cap_conn *conn = chan->conn;
2428 struct sk_buff *skb;
2429 int err, count, hlen;
2430 struct l2cap_hdr *lh;
2431
2432 BT_DBG("chan %p len %zu", chan, len);
2433
2434 if (!conn)
2435 return ERR_PTR(-ENOTCONN);
2436
2437 hlen = L2CAP_HDR_SIZE;
2438
2439 if (sdulen)
2440 hlen += L2CAP_SDULEN_SIZE;
2441
2442 count = min_t(unsigned int, (conn->mtu - hlen), len);
2443
2444 skb = chan->ops->alloc_skb(chan, hlen, count,
2445 msg->msg_flags & MSG_DONTWAIT);
2446 if (IS_ERR(skb))
2447 return skb;
2448
2449 /* Create L2CAP header */
2450 lh = skb_put(skb, L2CAP_HDR_SIZE);
2451 lh->cid = cpu_to_le16(chan->dcid);
2452 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2453
2454 if (sdulen)
2455 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2456
2457 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2458 if (unlikely(err < 0)) {
2459 kfree_skb(skb);
2460 return ERR_PTR(err);
2461 }
2462
2463 return skb;
2464 }
2465
2466 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2467 struct sk_buff_head *seg_queue,
2468 struct msghdr *msg, size_t len)
2469 {
2470 struct sk_buff *skb;
2471 size_t pdu_len;
2472 u16 sdu_len;
2473
2474 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2475
2476 sdu_len = len;
2477 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2478
2479 while (len > 0) {
2480 if (len <= pdu_len)
2481 pdu_len = len;
2482
2483 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2484 if (IS_ERR(skb)) {
2485 __skb_queue_purge(seg_queue);
2486 return PTR_ERR(skb);
2487 }
2488
2489 __skb_queue_tail(seg_queue, skb);
2490
2491 len -= pdu_len;
2492
2493 if (sdu_len) {
2494 sdu_len = 0;
2495 pdu_len += L2CAP_SDULEN_SIZE;
2496 }
2497 }
2498
2499 return 0;
2500 }
2501
2502 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2503 {
2504 int sent = 0;
2505
2506 BT_DBG("chan %p", chan);
2507
2508 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2509 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2510 chan->tx_credits--;
2511 sent++;
2512 }
2513
2514 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2515 skb_queue_len(&chan->tx_q));
2516 }
2517
2518 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2519 {
2520 struct sk_buff *skb;
2521 int err;
2522 struct sk_buff_head seg_queue;
2523
2524 if (!chan->conn)
2525 return -ENOTCONN;
2526
2527 /* Connectionless channel */
2528 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2529 skb = l2cap_create_connless_pdu(chan, msg, len);
2530 if (IS_ERR(skb))
2531 return PTR_ERR(skb);
2532
2533 l2cap_do_send(chan, skb);
2534 return len;
2535 }
2536
2537 switch (chan->mode) {
2538 case L2CAP_MODE_LE_FLOWCTL:
2539 case L2CAP_MODE_EXT_FLOWCTL:
2540 /* Check outgoing MTU */
2541 if (len > chan->omtu)
2542 return -EMSGSIZE;
2543
2544 __skb_queue_head_init(&seg_queue);
2545
2546 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2547
2548 if (chan->state != BT_CONNECTED) {
2549 __skb_queue_purge(&seg_queue);
2550 err = -ENOTCONN;
2551 }
2552
2553 if (err)
2554 return err;
2555
2556 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2557
2558 l2cap_le_flowctl_send(chan);
2559
2560 if (!chan->tx_credits)
2561 chan->ops->suspend(chan);
2562
2563 err = len;
2564
2565 break;
2566
2567 case L2CAP_MODE_BASIC:
2568 /* Check outgoing MTU */
2569 if (len > chan->omtu)
2570 return -EMSGSIZE;
2571
2572 /* Create a basic PDU */
2573 skb = l2cap_create_basic_pdu(chan, msg, len);
2574 if (IS_ERR(skb))
2575 return PTR_ERR(skb);
2576
2577 l2cap_do_send(chan, skb);
2578 err = len;
2579 break;
2580
2581 case L2CAP_MODE_ERTM:
2582 case L2CAP_MODE_STREAMING:
2583 /* Check outgoing MTU */
2584 if (len > chan->omtu) {
2585 err = -EMSGSIZE;
2586 break;
2587 }
2588
2589 __skb_queue_head_init(&seg_queue);
2590
2591 /* Do segmentation before calling in to the state machine,
2592 * since it's possible to block while waiting for memory
2593 * allocation.
2594 */
2595 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2596
2597 if (err)
2598 break;
2599
2600 if (chan->mode == L2CAP_MODE_ERTM)
2601 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2602 else
2603 l2cap_streaming_send(chan, &seg_queue);
2604
2605 err = len;
2606
2607 /* If the skbs were not queued for sending, they'll still be in
2608 * seg_queue and need to be purged.
2609 */
2610 __skb_queue_purge(&seg_queue);
2611 break;
2612
2613 default:
2614 BT_DBG("bad state %1.1x", chan->mode);
2615 err = -EBADFD;
2616 }
2617
2618 return err;
2619 }
2620 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2621
2622 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2623 {
2624 struct l2cap_ctrl control;
2625 u16 seq;
2626
2627 BT_DBG("chan %p, txseq %u", chan, txseq);
2628
2629 memset(&control, 0, sizeof(control));
2630 control.sframe = 1;
2631 control.super = L2CAP_SUPER_SREJ;
2632
2633 for (seq = chan->expected_tx_seq; seq != txseq;
2634 seq = __next_seq(chan, seq)) {
2635 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2636 control.reqseq = seq;
2637 l2cap_send_sframe(chan, &control);
2638 l2cap_seq_list_append(&chan->srej_list, seq);
2639 }
2640 }
2641
2642 chan->expected_tx_seq = __next_seq(chan, txseq);
2643 }
2644
2645 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2646 {
2647 struct l2cap_ctrl control;
2648
2649 BT_DBG("chan %p", chan);
2650
2651 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2652 return;
2653
2654 memset(&control, 0, sizeof(control));
2655 control.sframe = 1;
2656 control.super = L2CAP_SUPER_SREJ;
2657 control.reqseq = chan->srej_list.tail;
2658 l2cap_send_sframe(chan, &control);
2659 }
2660
2661 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2662 {
2663 struct l2cap_ctrl control;
2664 u16 initial_head;
2665 u16 seq;
2666
2667 BT_DBG("chan %p, txseq %u", chan, txseq);
2668
2669 memset(&control, 0, sizeof(control));
2670 control.sframe = 1;
2671 control.super = L2CAP_SUPER_SREJ;
2672
2673 /* Capture initial list head to allow only one pass through the list. */
2674 initial_head = chan->srej_list.head;
2675
2676 do {
2677 seq = l2cap_seq_list_pop(&chan->srej_list);
2678 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2679 break;
2680
2681 control.reqseq = seq;
2682 l2cap_send_sframe(chan, &control);
2683 l2cap_seq_list_append(&chan->srej_list, seq);
2684 } while (chan->srej_list.head != initial_head);
2685 }
2686
2687 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2688 {
2689 struct sk_buff *acked_skb;
2690 u16 ackseq;
2691
2692 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2693
2694 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2695 return;
2696
2697 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2698 chan->expected_ack_seq, chan->unacked_frames);
2699
2700 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2701 ackseq = __next_seq(chan, ackseq)) {
2702
2703 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2704 if (acked_skb) {
2705 skb_unlink(acked_skb, &chan->tx_q);
2706 kfree_skb(acked_skb);
2707 chan->unacked_frames--;
2708 }
2709 }
2710
2711 chan->expected_ack_seq = reqseq;
2712
2713 if (chan->unacked_frames == 0)
2714 __clear_retrans_timer(chan);
2715
2716 BT_DBG("unacked_frames %u", chan->unacked_frames);
2717 }
2718
2719 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2720 {
2721 BT_DBG("chan %p", chan);
2722
2723 chan->expected_tx_seq = chan->buffer_seq;
2724 l2cap_seq_list_clear(&chan->srej_list);
2725 skb_queue_purge(&chan->srej_q);
2726 chan->rx_state = L2CAP_RX_STATE_RECV;
2727 }
2728
2729 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2730 struct l2cap_ctrl *control,
2731 struct sk_buff_head *skbs, u8 event)
2732 {
2733 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2734 event);
2735
2736 switch (event) {
2737 case L2CAP_EV_DATA_REQUEST:
2738 if (chan->tx_send_head == NULL)
2739 chan->tx_send_head = skb_peek(skbs);
2740
2741 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2742 l2cap_ertm_send(chan);
2743 break;
2744 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2745 BT_DBG("Enter LOCAL_BUSY");
2746 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2747
2748 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2749 /* The SREJ_SENT state must be aborted if we are to
2750 * enter the LOCAL_BUSY state.
2751 */
2752 l2cap_abort_rx_srej_sent(chan);
2753 }
2754
2755 l2cap_send_ack(chan);
2756
2757 break;
2758 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2759 BT_DBG("Exit LOCAL_BUSY");
2760 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2761
2762 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2763 struct l2cap_ctrl local_control;
2764
2765 memset(&local_control, 0, sizeof(local_control));
2766 local_control.sframe = 1;
2767 local_control.super = L2CAP_SUPER_RR;
2768 local_control.poll = 1;
2769 local_control.reqseq = chan->buffer_seq;
2770 l2cap_send_sframe(chan, &local_control);
2771
2772 chan->retry_count = 1;
2773 __set_monitor_timer(chan);
2774 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2775 }
2776 break;
2777 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2778 l2cap_process_reqseq(chan, control->reqseq);
2779 break;
2780 case L2CAP_EV_EXPLICIT_POLL:
2781 l2cap_send_rr_or_rnr(chan, 1);
2782 chan->retry_count = 1;
2783 __set_monitor_timer(chan);
2784 __clear_ack_timer(chan);
2785 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2786 break;
2787 case L2CAP_EV_RETRANS_TO:
2788 l2cap_send_rr_or_rnr(chan, 1);
2789 chan->retry_count = 1;
2790 __set_monitor_timer(chan);
2791 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2792 break;
2793 case L2CAP_EV_RECV_FBIT:
2794 /* Nothing to process */
2795 break;
2796 default:
2797 break;
2798 }
2799 }
2800
2801 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2802 struct l2cap_ctrl *control,
2803 struct sk_buff_head *skbs, u8 event)
2804 {
2805 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2806 event);
2807
2808 switch (event) {
2809 case L2CAP_EV_DATA_REQUEST:
2810 if (chan->tx_send_head == NULL)
2811 chan->tx_send_head = skb_peek(skbs);
2812 /* Queue data, but don't send. */
2813 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2814 break;
2815 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2816 BT_DBG("Enter LOCAL_BUSY");
2817 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2818
2819 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2820 /* The SREJ_SENT state must be aborted if we are to
2821 * enter the LOCAL_BUSY state.
2822 */
2823 l2cap_abort_rx_srej_sent(chan);
2824 }
2825
2826 l2cap_send_ack(chan);
2827
2828 break;
2829 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2830 BT_DBG("Exit LOCAL_BUSY");
2831 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2832
2833 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2834 struct l2cap_ctrl local_control;
2835 memset(&local_control, 0, sizeof(local_control));
2836 local_control.sframe = 1;
2837 local_control.super = L2CAP_SUPER_RR;
2838 local_control.poll = 1;
2839 local_control.reqseq = chan->buffer_seq;
2840 l2cap_send_sframe(chan, &local_control);
2841
2842 chan->retry_count = 1;
2843 __set_monitor_timer(chan);
2844 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2845 }
2846 break;
2847 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2848 l2cap_process_reqseq(chan, control->reqseq);
2849 fallthrough;
2850
2851 case L2CAP_EV_RECV_FBIT:
2852 if (control && control->final) {
2853 __clear_monitor_timer(chan);
2854 if (chan->unacked_frames > 0)
2855 __set_retrans_timer(chan);
2856 chan->retry_count = 0;
2857 chan->tx_state = L2CAP_TX_STATE_XMIT;
2858 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2859 }
2860 break;
2861 case L2CAP_EV_EXPLICIT_POLL:
2862 /* Ignore */
2863 break;
2864 case L2CAP_EV_MONITOR_TO:
2865 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2866 l2cap_send_rr_or_rnr(chan, 1);
2867 __set_monitor_timer(chan);
2868 chan->retry_count++;
2869 } else {
2870 l2cap_send_disconn_req(chan, ECONNABORTED);
2871 }
2872 break;
2873 default:
2874 break;
2875 }
2876 }
2877
2878 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2879 struct sk_buff_head *skbs, u8 event)
2880 {
2881 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2882 chan, control, skbs, event, chan->tx_state);
2883
2884 switch (chan->tx_state) {
2885 case L2CAP_TX_STATE_XMIT:
2886 l2cap_tx_state_xmit(chan, control, skbs, event);
2887 break;
2888 case L2CAP_TX_STATE_WAIT_F:
2889 l2cap_tx_state_wait_f(chan, control, skbs, event);
2890 break;
2891 default:
2892 /* Ignore event */
2893 break;
2894 }
2895 }
2896
2897 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2898 struct l2cap_ctrl *control)
2899 {
2900 BT_DBG("chan %p, control %p", chan, control);
2901 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2902 }
2903
2904 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2905 struct l2cap_ctrl *control)
2906 {
2907 BT_DBG("chan %p, control %p", chan, control);
2908 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2909 }
2910
2911 /* Copy frame to all raw sockets on that connection */
2912 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2913 {
2914 struct sk_buff *nskb;
2915 struct l2cap_chan *chan;
2916
2917 BT_DBG("conn %p", conn);
2918
2919 mutex_lock(&conn->chan_lock);
2920
2921 list_for_each_entry(chan, &conn->chan_l, list) {
2922 if (chan->chan_type != L2CAP_CHAN_RAW)
2923 continue;
2924
2925 /* Don't send frame to the channel it came from */
2926 if (bt_cb(skb)->l2cap.chan == chan)
2927 continue;
2928
2929 nskb = skb_clone(skb, GFP_KERNEL);
2930 if (!nskb)
2931 continue;
2932 if (chan->ops->recv(chan, nskb))
2933 kfree_skb(nskb);
2934 }
2935
2936 mutex_unlock(&conn->chan_lock);
2937 }
2938
2939 /* ---- L2CAP signalling commands ---- */
2940 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2941 u8 ident, u16 dlen, void *data)
2942 {
2943 struct sk_buff *skb, **frag;
2944 struct l2cap_cmd_hdr *cmd;
2945 struct l2cap_hdr *lh;
2946 int len, count;
2947
2948 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2949 conn, code, ident, dlen);
2950
2951 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2952 return NULL;
2953
2954 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2955 count = min_t(unsigned int, conn->mtu, len);
2956
2957 skb = bt_skb_alloc(count, GFP_KERNEL);
2958 if (!skb)
2959 return NULL;
2960
2961 lh = skb_put(skb, L2CAP_HDR_SIZE);
2962 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2963
2964 if (conn->hcon->type == LE_LINK)
2965 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2966 else
2967 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2968
2969 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2970 cmd->code = code;
2971 cmd->ident = ident;
2972 cmd->len = cpu_to_le16(dlen);
2973
2974 if (dlen) {
2975 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2976 skb_put_data(skb, data, count);
2977 data += count;
2978 }
2979
2980 len -= skb->len;
2981
2982 /* Continuation fragments (no L2CAP header) */
2983 frag = &skb_shinfo(skb)->frag_list;
2984 while (len) {
2985 count = min_t(unsigned int, conn->mtu, len);
2986
2987 *frag = bt_skb_alloc(count, GFP_KERNEL);
2988 if (!*frag)
2989 goto fail;
2990
2991 skb_put_data(*frag, data, count);
2992
2993 len -= count;
2994 data += count;
2995
2996 frag = &(*frag)->next;
2997 }
2998
2999 return skb;
3000
3001 fail:
3002 kfree_skb(skb);
3003 return NULL;
3004 }
3005
3006 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3007 unsigned long *val)
3008 {
3009 struct l2cap_conf_opt *opt = *ptr;
3010 int len;
3011
3012 len = L2CAP_CONF_OPT_SIZE + opt->len;
3013 *ptr += len;
3014
3015 *type = opt->type;
3016 *olen = opt->len;
3017
3018 switch (opt->len) {
3019 case 1:
3020 *val = *((u8 *) opt->val);
3021 break;
3022
3023 case 2:
3024 *val = get_unaligned_le16(opt->val);
3025 break;
3026
3027 case 4:
3028 *val = get_unaligned_le32(opt->val);
3029 break;
3030
3031 default:
3032 *val = (unsigned long) opt->val;
3033 break;
3034 }
3035
3036 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3037 return len;
3038 }
3039
3040 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3041 {
3042 struct l2cap_conf_opt *opt = *ptr;
3043
3044 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3045
3046 if (size < L2CAP_CONF_OPT_SIZE + len)
3047 return;
3048
3049 opt->type = type;
3050 opt->len = len;
3051
3052 switch (len) {
3053 case 1:
3054 *((u8 *) opt->val) = val;
3055 break;
3056
3057 case 2:
3058 put_unaligned_le16(val, opt->val);
3059 break;
3060
3061 case 4:
3062 put_unaligned_le32(val, opt->val);
3063 break;
3064
3065 default:
3066 memcpy(opt->val, (void *) val, len);
3067 break;
3068 }
3069
3070 *ptr += L2CAP_CONF_OPT_SIZE + len;
3071 }
3072
3073 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3074 {
3075 struct l2cap_conf_efs efs;
3076
3077 switch (chan->mode) {
3078 case L2CAP_MODE_ERTM:
3079 efs.id = chan->local_id;
3080 efs.stype = chan->local_stype;
3081 efs.msdu = cpu_to_le16(chan->local_msdu);
3082 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3083 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3084 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3085 break;
3086
3087 case L2CAP_MODE_STREAMING:
3088 efs.id = 1;
3089 efs.stype = L2CAP_SERV_BESTEFFORT;
3090 efs.msdu = cpu_to_le16(chan->local_msdu);
3091 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3092 efs.acc_lat = 0;
3093 efs.flush_to = 0;
3094 break;
3095
3096 default:
3097 return;
3098 }
3099
3100 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3101 (unsigned long) &efs, size);
3102 }
3103
3104 static void l2cap_ack_timeout(struct work_struct *work)
3105 {
3106 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3107 ack_timer.work);
3108 u16 frames_to_ack;
3109
3110 BT_DBG("chan %p", chan);
3111
3112 l2cap_chan_lock(chan);
3113
3114 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3115 chan->last_acked_seq);
3116
3117 if (frames_to_ack)
3118 l2cap_send_rr_or_rnr(chan, 0);
3119
3120 l2cap_chan_unlock(chan);
3121 l2cap_chan_put(chan);
3122 }
3123
3124 int l2cap_ertm_init(struct l2cap_chan *chan)
3125 {
3126 int err;
3127
3128 chan->next_tx_seq = 0;
3129 chan->expected_tx_seq = 0;
3130 chan->expected_ack_seq = 0;
3131 chan->unacked_frames = 0;
3132 chan->buffer_seq = 0;
3133 chan->frames_sent = 0;
3134 chan->last_acked_seq = 0;
3135 chan->sdu = NULL;
3136 chan->sdu_last_frag = NULL;
3137 chan->sdu_len = 0;
3138
3139 skb_queue_head_init(&chan->tx_q);
3140
3141 if (chan->mode != L2CAP_MODE_ERTM)
3142 return 0;
3143
3144 chan->rx_state = L2CAP_RX_STATE_RECV;
3145 chan->tx_state = L2CAP_TX_STATE_XMIT;
3146
3147 skb_queue_head_init(&chan->srej_q);
3148
3149 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3150 if (err < 0)
3151 return err;
3152
3153 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3154 if (err < 0)
3155 l2cap_seq_list_free(&chan->srej_list);
3156
3157 return err;
3158 }
3159
3160 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3161 {
3162 switch (mode) {
3163 case L2CAP_MODE_STREAMING:
3164 case L2CAP_MODE_ERTM:
3165 if (l2cap_mode_supported(mode, remote_feat_mask))
3166 return mode;
3167 fallthrough;
3168 default:
3169 return L2CAP_MODE_BASIC;
3170 }
3171 }
3172
3173 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3174 {
3175 return (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW);
3176 }
3177
3178 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3179 {
3180 return (conn->feat_mask & L2CAP_FEAT_EXT_FLOW);
3181 }
3182
3183 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3184 struct l2cap_conf_rfc *rfc)
3185 {
3186 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3187 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3188 }
3189
3190 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3191 {
3192 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3193 __l2cap_ews_supported(chan->conn)) {
3194 /* use extended control field */
3195 set_bit(FLAG_EXT_CTRL, &chan->flags);
3196 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3197 } else {
3198 chan->tx_win = min_t(u16, chan->tx_win,
3199 L2CAP_DEFAULT_TX_WINDOW);
3200 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3201 }
3202 chan->ack_win = chan->tx_win;
3203 }
3204
3205 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3206 {
3207 struct hci_conn *conn = chan->conn->hcon;
3208
3209 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3210
3211 /* The 2-DH1 packet has between 2 and 56 information bytes
3212 * (including the 2-byte payload header)
3213 */
3214 if (!(conn->pkt_type & HCI_2DH1))
3215 chan->imtu = 54;
3216
3217 /* The 3-DH1 packet has between 2 and 85 information bytes
3218 * (including the 2-byte payload header)
3219 */
3220 if (!(conn->pkt_type & HCI_3DH1))
3221 chan->imtu = 83;
3222
3223 /* The 2-DH3 packet has between 2 and 369 information bytes
3224 * (including the 2-byte payload header)
3225 */
3226 if (!(conn->pkt_type & HCI_2DH3))
3227 chan->imtu = 367;
3228
3229 /* The 3-DH3 packet has between 2 and 554 information bytes
3230 * (including the 2-byte payload header)
3231 */
3232 if (!(conn->pkt_type & HCI_3DH3))
3233 chan->imtu = 552;
3234
3235 /* The 2-DH5 packet has between 2 and 681 information bytes
3236 * (including the 2-byte payload header)
3237 */
3238 if (!(conn->pkt_type & HCI_2DH5))
3239 chan->imtu = 679;
3240
3241 /* The 3-DH5 packet has between 2 and 1023 information bytes
3242 * (including the 2-byte payload header)
3243 */
3244 if (!(conn->pkt_type & HCI_3DH5))
3245 chan->imtu = 1021;
3246 }
3247
3248 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3249 {
3250 struct l2cap_conf_req *req = data;
3251 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3252 void *ptr = req->data;
3253 void *endptr = data + data_size;
3254 u16 size;
3255
3256 BT_DBG("chan %p", chan);
3257
3258 if (chan->num_conf_req || chan->num_conf_rsp)
3259 goto done;
3260
3261 switch (chan->mode) {
3262 case L2CAP_MODE_STREAMING:
3263 case L2CAP_MODE_ERTM:
3264 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3265 break;
3266
3267 if (__l2cap_efs_supported(chan->conn))
3268 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3269
3270 fallthrough;
3271 default:
3272 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3273 break;
3274 }
3275
3276 done:
3277 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3278 if (!chan->imtu)
3279 l2cap_mtu_auto(chan);
3280 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3281 endptr - ptr);
3282 }
3283
3284 switch (chan->mode) {
3285 case L2CAP_MODE_BASIC:
3286 if (disable_ertm)
3287 break;
3288
3289 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3290 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3291 break;
3292
3293 rfc.mode = L2CAP_MODE_BASIC;
3294 rfc.txwin_size = 0;
3295 rfc.max_transmit = 0;
3296 rfc.retrans_timeout = 0;
3297 rfc.monitor_timeout = 0;
3298 rfc.max_pdu_size = 0;
3299
3300 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3301 (unsigned long) &rfc, endptr - ptr);
3302 break;
3303
3304 case L2CAP_MODE_ERTM:
3305 rfc.mode = L2CAP_MODE_ERTM;
3306 rfc.max_transmit = chan->max_tx;
3307
3308 __l2cap_set_ertm_timeouts(chan, &rfc);
3309
3310 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3311 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3312 L2CAP_FCS_SIZE);
3313 rfc.max_pdu_size = cpu_to_le16(size);
3314
3315 l2cap_txwin_setup(chan);
3316
3317 rfc.txwin_size = min_t(u16, chan->tx_win,
3318 L2CAP_DEFAULT_TX_WINDOW);
3319
3320 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3321 (unsigned long) &rfc, endptr - ptr);
3322
3323 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3324 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3325
3326 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3327 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3328 chan->tx_win, endptr - ptr);
3329
3330 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3331 if (chan->fcs == L2CAP_FCS_NONE ||
3332 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3333 chan->fcs = L2CAP_FCS_NONE;
3334 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3335 chan->fcs, endptr - ptr);
3336 }
3337 break;
3338
3339 case L2CAP_MODE_STREAMING:
3340 l2cap_txwin_setup(chan);
3341 rfc.mode = L2CAP_MODE_STREAMING;
3342 rfc.txwin_size = 0;
3343 rfc.max_transmit = 0;
3344 rfc.retrans_timeout = 0;
3345 rfc.monitor_timeout = 0;
3346
3347 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3348 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3349 L2CAP_FCS_SIZE);
3350 rfc.max_pdu_size = cpu_to_le16(size);
3351
3352 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3353 (unsigned long) &rfc, endptr - ptr);
3354
3355 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3356 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3357
3358 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3359 if (chan->fcs == L2CAP_FCS_NONE ||
3360 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3361 chan->fcs = L2CAP_FCS_NONE;
3362 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3363 chan->fcs, endptr - ptr);
3364 }
3365 break;
3366 }
3367
3368 req->dcid = cpu_to_le16(chan->dcid);
3369 req->flags = cpu_to_le16(0);
3370
3371 return ptr - data;
3372 }
3373
3374 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3375 {
3376 struct l2cap_conf_rsp *rsp = data;
3377 void *ptr = rsp->data;
3378 void *endptr = data + data_size;
3379 void *req = chan->conf_req;
3380 int len = chan->conf_len;
3381 int type, hint, olen;
3382 unsigned long val;
3383 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3384 struct l2cap_conf_efs efs;
3385 u8 remote_efs = 0;
3386 u16 mtu = L2CAP_DEFAULT_MTU;
3387 u16 result = L2CAP_CONF_SUCCESS;
3388 u16 size;
3389
3390 BT_DBG("chan %p", chan);
3391
3392 while (len >= L2CAP_CONF_OPT_SIZE) {
3393 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3394 if (len < 0)
3395 break;
3396
3397 hint = type & L2CAP_CONF_HINT;
3398 type &= L2CAP_CONF_MASK;
3399
3400 switch (type) {
3401 case L2CAP_CONF_MTU:
3402 if (olen != 2)
3403 break;
3404 mtu = val;
3405 break;
3406
3407 case L2CAP_CONF_FLUSH_TO:
3408 if (olen != 2)
3409 break;
3410 chan->flush_to = val;
3411 break;
3412
3413 case L2CAP_CONF_QOS:
3414 break;
3415
3416 case L2CAP_CONF_RFC:
3417 if (olen != sizeof(rfc))
3418 break;
3419 memcpy(&rfc, (void *) val, olen);
3420 break;
3421
3422 case L2CAP_CONF_FCS:
3423 if (olen != 1)
3424 break;
3425 if (val == L2CAP_FCS_NONE)
3426 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3427 break;
3428
3429 case L2CAP_CONF_EFS:
3430 if (olen != sizeof(efs))
3431 break;
3432 remote_efs = 1;
3433 memcpy(&efs, (void *) val, olen);
3434 break;
3435
3436 case L2CAP_CONF_EWS:
3437 if (olen != 2)
3438 break;
3439 return -ECONNREFUSED;
3440
3441 default:
3442 if (hint)
3443 break;
3444 result = L2CAP_CONF_UNKNOWN;
3445 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr);
3446 break;
3447 }
3448 }
3449
3450 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3451 goto done;
3452
3453 switch (chan->mode) {
3454 case L2CAP_MODE_STREAMING:
3455 case L2CAP_MODE_ERTM:
3456 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3457 chan->mode = l2cap_select_mode(rfc.mode,
3458 chan->conn->feat_mask);
3459 break;
3460 }
3461
3462 if (remote_efs) {
3463 if (__l2cap_efs_supported(chan->conn))
3464 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3465 else
3466 return -ECONNREFUSED;
3467 }
3468
3469 if (chan->mode != rfc.mode)
3470 return -ECONNREFUSED;
3471
3472 break;
3473 }
3474
3475 done:
3476 if (chan->mode != rfc.mode) {
3477 result = L2CAP_CONF_UNACCEPT;
3478 rfc.mode = chan->mode;
3479
3480 if (chan->num_conf_rsp == 1)
3481 return -ECONNREFUSED;
3482
3483 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3484 (unsigned long) &rfc, endptr - ptr);
3485 }
3486
3487 if (result == L2CAP_CONF_SUCCESS) {
3488 /* Configure output options and let the other side know
3489 * which ones we don't like. */
3490
3491 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3492 result = L2CAP_CONF_UNACCEPT;
3493 else {
3494 chan->omtu = mtu;
3495 set_bit(CONF_MTU_DONE, &chan->conf_state);
3496 }
3497 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3498
3499 if (remote_efs) {
3500 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3501 efs.stype != L2CAP_SERV_NOTRAFIC &&
3502 efs.stype != chan->local_stype) {
3503
3504 result = L2CAP_CONF_UNACCEPT;
3505
3506 if (chan->num_conf_req >= 1)
3507 return -ECONNREFUSED;
3508
3509 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3510 sizeof(efs),
3511 (unsigned long) &efs, endptr - ptr);
3512 } else {
3513 /* Send PENDING Conf Rsp */
3514 result = L2CAP_CONF_PENDING;
3515 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3516 }
3517 }
3518
3519 switch (rfc.mode) {
3520 case L2CAP_MODE_BASIC:
3521 chan->fcs = L2CAP_FCS_NONE;
3522 set_bit(CONF_MODE_DONE, &chan->conf_state);
3523 break;
3524
3525 case L2CAP_MODE_ERTM:
3526 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3527 chan->remote_tx_win = rfc.txwin_size;
3528 else
3529 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3530
3531 chan->remote_max_tx = rfc.max_transmit;
3532
3533 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3534 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3535 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3536 rfc.max_pdu_size = cpu_to_le16(size);
3537 chan->remote_mps = size;
3538
3539 __l2cap_set_ertm_timeouts(chan, &rfc);
3540
3541 set_bit(CONF_MODE_DONE, &chan->conf_state);
3542
3543 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3544 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3545
3546 if (remote_efs &&
3547 test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3548 chan->remote_id = efs.id;
3549 chan->remote_stype = efs.stype;
3550 chan->remote_msdu = le16_to_cpu(efs.msdu);
3551 chan->remote_flush_to =
3552 le32_to_cpu(efs.flush_to);
3553 chan->remote_acc_lat =
3554 le32_to_cpu(efs.acc_lat);
3555 chan->remote_sdu_itime =
3556 le32_to_cpu(efs.sdu_itime);
3557 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3558 sizeof(efs),
3559 (unsigned long) &efs, endptr - ptr);
3560 }
3561 break;
3562
3563 case L2CAP_MODE_STREAMING:
3564 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3565 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3566 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3567 rfc.max_pdu_size = cpu_to_le16(size);
3568 chan->remote_mps = size;
3569
3570 set_bit(CONF_MODE_DONE, &chan->conf_state);
3571
3572 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3573 (unsigned long) &rfc, endptr - ptr);
3574
3575 break;
3576
3577 default:
3578 result = L2CAP_CONF_UNACCEPT;
3579
3580 memset(&rfc, 0, sizeof(rfc));
3581 rfc.mode = chan->mode;
3582 }
3583
3584 if (result == L2CAP_CONF_SUCCESS)
3585 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3586 }
3587 rsp->scid = cpu_to_le16(chan->dcid);
3588 rsp->result = cpu_to_le16(result);
3589 rsp->flags = cpu_to_le16(0);
3590
3591 return ptr - data;
3592 }
3593
3594 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3595 void *data, size_t size, u16 *result)
3596 {
3597 struct l2cap_conf_req *req = data;
3598 void *ptr = req->data;
3599 void *endptr = data + size;
3600 int type, olen;
3601 unsigned long val;
3602 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3603 struct l2cap_conf_efs efs;
3604
3605 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3606
3607 while (len >= L2CAP_CONF_OPT_SIZE) {
3608 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3609 if (len < 0)
3610 break;
3611
3612 switch (type) {
3613 case L2CAP_CONF_MTU:
3614 if (olen != 2)
3615 break;
3616 if (val < L2CAP_DEFAULT_MIN_MTU) {
3617 *result = L2CAP_CONF_UNACCEPT;
3618 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3619 } else
3620 chan->imtu = val;
3621 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3622 endptr - ptr);
3623 break;
3624
3625 case L2CAP_CONF_FLUSH_TO:
3626 if (olen != 2)
3627 break;
3628 chan->flush_to = val;
3629 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3630 chan->flush_to, endptr - ptr);
3631 break;
3632
3633 case L2CAP_CONF_RFC:
3634 if (olen != sizeof(rfc))
3635 break;
3636 memcpy(&rfc, (void *)val, olen);
3637 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3638 rfc.mode != chan->mode)
3639 return -ECONNREFUSED;
3640 chan->fcs = 0;
3641 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3642 (unsigned long) &rfc, endptr - ptr);
3643 break;
3644
3645 case L2CAP_CONF_EWS:
3646 if (olen != 2)
3647 break;
3648 chan->ack_win = min_t(u16, val, chan->ack_win);
3649 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3650 chan->tx_win, endptr - ptr);
3651 break;
3652
3653 case L2CAP_CONF_EFS:
3654 if (olen != sizeof(efs))
3655 break;
3656 memcpy(&efs, (void *)val, olen);
3657 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3658 efs.stype != L2CAP_SERV_NOTRAFIC &&
3659 efs.stype != chan->local_stype)
3660 return -ECONNREFUSED;
3661 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3662 (unsigned long) &efs, endptr - ptr);
3663 break;
3664
3665 case L2CAP_CONF_FCS:
3666 if (olen != 1)
3667 break;
3668 if (*result == L2CAP_CONF_PENDING)
3669 if (val == L2CAP_FCS_NONE)
3670 set_bit(CONF_RECV_NO_FCS,
3671 &chan->conf_state);
3672 break;
3673 }
3674 }
3675
3676 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3677 return -ECONNREFUSED;
3678
3679 chan->mode = rfc.mode;
3680
3681 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3682 switch (rfc.mode) {
3683 case L2CAP_MODE_ERTM:
3684 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3685 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3686 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3687 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3688 chan->ack_win = min_t(u16, chan->ack_win,
3689 rfc.txwin_size);
3690
3691 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3692 chan->local_msdu = le16_to_cpu(efs.msdu);
3693 chan->local_sdu_itime =
3694 le32_to_cpu(efs.sdu_itime);
3695 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3696 chan->local_flush_to =
3697 le32_to_cpu(efs.flush_to);
3698 }
3699 break;
3700
3701 case L2CAP_MODE_STREAMING:
3702 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3703 }
3704 }
3705
3706 req->dcid = cpu_to_le16(chan->dcid);
3707 req->flags = cpu_to_le16(0);
3708
3709 return ptr - data;
3710 }
3711
3712 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3713 u16 result, u16 flags)
3714 {
3715 struct l2cap_conf_rsp *rsp = data;
3716 void *ptr = rsp->data;
3717
3718 BT_DBG("chan %p", chan);
3719
3720 rsp->scid = cpu_to_le16(chan->dcid);
3721 rsp->result = cpu_to_le16(result);
3722 rsp->flags = cpu_to_le16(flags);
3723
3724 return ptr - data;
3725 }
3726
3727 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3728 {
3729 struct l2cap_le_conn_rsp rsp;
3730 struct l2cap_conn *conn = chan->conn;
3731
3732 BT_DBG("chan %p", chan);
3733
3734 rsp.dcid = cpu_to_le16(chan->scid);
3735 rsp.mtu = cpu_to_le16(chan->imtu);
3736 rsp.mps = cpu_to_le16(chan->mps);
3737 rsp.credits = cpu_to_le16(chan->rx_credits);
3738 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3739
3740 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3741 &rsp);
3742 }
3743
3744 static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data)
3745 {
3746 int *result = data;
3747
3748 if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
3749 return;
3750
3751 switch (chan->state) {
3752 case BT_CONNECT2:
3753 /* If channel still pending accept add to result */
3754 (*result)++;
3755 return;
3756 case BT_CONNECTED:
3757 return;
3758 default:
3759 /* If not connected or pending accept it has been refused */
3760 *result = -ECONNREFUSED;
3761 return;
3762 }
3763 }
3764
3765 struct l2cap_ecred_rsp_data {
3766 struct {
3767 struct l2cap_ecred_conn_rsp_hdr rsp;
3768 __le16 scid[L2CAP_ECRED_MAX_CID];
3769 } __packed pdu;
3770 int count;
3771 };
3772
3773 static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data)
3774 {
3775 struct l2cap_ecred_rsp_data *rsp = data;
3776 struct l2cap_ecred_conn_rsp *rsp_flex =
3777 container_of(&rsp->pdu.rsp, struct l2cap_ecred_conn_rsp, hdr);
3778
3779 if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
3780 return;
3781
3782 /* Reset ident so only one response is sent */
3783 chan->ident = 0;
3784
3785 /* Include all channels pending with the same ident */
3786 if (!rsp->pdu.rsp.result)
3787 rsp_flex->dcid[rsp->count++] = cpu_to_le16(chan->scid);
3788 else
3789 l2cap_chan_del(chan, ECONNRESET);
3790 }
3791
3792 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3793 {
3794 struct l2cap_conn *conn = chan->conn;
3795 struct l2cap_ecred_rsp_data data;
3796 u16 id = chan->ident;
3797 int result = 0;
3798
3799 if (!id)
3800 return;
3801
3802 BT_DBG("chan %p id %d", chan, id);
3803
3804 memset(&data, 0, sizeof(data));
3805
3806 data.pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3807 data.pdu.rsp.mps = cpu_to_le16(chan->mps);
3808 data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3809 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3810
3811 /* Verify that all channels are ready */
3812 __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result);
3813
3814 if (result > 0)
3815 return;
3816
3817 if (result < 0)
3818 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION);
3819
3820 /* Build response */
3821 __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data);
3822
3823 l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP,
3824 sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)),
3825 &data.pdu);
3826 }
3827
3828 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3829 {
3830 struct l2cap_conn_rsp rsp;
3831 struct l2cap_conn *conn = chan->conn;
3832 u8 buf[128];
3833 u8 rsp_code;
3834
3835 rsp.scid = cpu_to_le16(chan->dcid);
3836 rsp.dcid = cpu_to_le16(chan->scid);
3837 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3838 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3839 rsp_code = L2CAP_CONN_RSP;
3840
3841 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3842
3843 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3844
3845 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3846 return;
3847
3848 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3849 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3850 chan->num_conf_req++;
3851 }
3852
3853 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3854 {
3855 int type, olen;
3856 unsigned long val;
3857 /* Use sane default values in case a misbehaving remote device
3858 * did not send an RFC or extended window size option.
3859 */
3860 u16 txwin_ext = chan->ack_win;
3861 struct l2cap_conf_rfc rfc = {
3862 .mode = chan->mode,
3863 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3864 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3865 .max_pdu_size = cpu_to_le16(chan->imtu),
3866 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3867 };
3868
3869 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3870
3871 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3872 return;
3873
3874 while (len >= L2CAP_CONF_OPT_SIZE) {
3875 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3876 if (len < 0)
3877 break;
3878
3879 switch (type) {
3880 case L2CAP_CONF_RFC:
3881 if (olen != sizeof(rfc))
3882 break;
3883 memcpy(&rfc, (void *)val, olen);
3884 break;
3885 case L2CAP_CONF_EWS:
3886 if (olen != 2)
3887 break;
3888 txwin_ext = val;
3889 break;
3890 }
3891 }
3892
3893 switch (rfc.mode) {
3894 case L2CAP_MODE_ERTM:
3895 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3896 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3897 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3898 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3899 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3900 else
3901 chan->ack_win = min_t(u16, chan->ack_win,
3902 rfc.txwin_size);
3903 break;
3904 case L2CAP_MODE_STREAMING:
3905 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3906 }
3907 }
3908
3909 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3910 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3911 u8 *data)
3912 {
3913 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3914
3915 if (cmd_len < sizeof(*rej))
3916 return -EPROTO;
3917
3918 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3919 return 0;
3920
3921 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3922 cmd->ident == conn->info_ident) {
3923 cancel_delayed_work(&conn->info_timer);
3924
3925 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3926 conn->info_ident = 0;
3927
3928 l2cap_conn_start(conn);
3929 }
3930
3931 return 0;
3932 }
3933
3934 static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
3935 u8 *data, u8 rsp_code)
3936 {
3937 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3938 struct l2cap_conn_rsp rsp;
3939 struct l2cap_chan *chan = NULL, *pchan = NULL;
3940 int result, status = L2CAP_CS_NO_INFO;
3941
3942 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3943 __le16 psm = req->psm;
3944
3945 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3946
3947 /* Check if we have socket listening on psm */
3948 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3949 &conn->hcon->dst, ACL_LINK);
3950 if (!pchan) {
3951 result = L2CAP_CR_BAD_PSM;
3952 goto response;
3953 }
3954
3955 mutex_lock(&conn->chan_lock);
3956 l2cap_chan_lock(pchan);
3957
3958 /* Check if the ACL is secure enough (if not SDP) */
3959 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3960 !hci_conn_check_link_mode(conn->hcon)) {
3961 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3962 result = L2CAP_CR_SEC_BLOCK;
3963 goto response;
3964 }
3965
3966 result = L2CAP_CR_NO_MEM;
3967
3968 /* Check for valid dynamic CID range (as per Erratum 3253) */
3969 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3970 result = L2CAP_CR_INVALID_SCID;
3971 goto response;
3972 }
3973
3974 /* Check if we already have channel with that dcid */
3975 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3976 result = L2CAP_CR_SCID_IN_USE;
3977 goto response;
3978 }
3979
3980 chan = pchan->ops->new_connection(pchan);
3981 if (!chan)
3982 goto response;
3983
3984 /* For certain devices (ex: HID mouse), support for authentication,
3985 * pairing and bonding is optional. For such devices, inorder to avoid
3986 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3987 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3988 */
3989 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3990
3991 bacpy(&chan->src, &conn->hcon->src);
3992 bacpy(&chan->dst, &conn->hcon->dst);
3993 chan->src_type = bdaddr_src_type(conn->hcon);
3994 chan->dst_type = bdaddr_dst_type(conn->hcon);
3995 chan->psm = psm;
3996 chan->dcid = scid;
3997
3998 __l2cap_chan_add(conn, chan);
3999
4000 dcid = chan->scid;
4001
4002 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4003
4004 chan->ident = cmd->ident;
4005
4006 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4007 if (l2cap_chan_check_security(chan, false)) {
4008 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4009 l2cap_state_change(chan, BT_CONNECT2);
4010 result = L2CAP_CR_PEND;
4011 status = L2CAP_CS_AUTHOR_PEND;
4012 chan->ops->defer(chan);
4013 } else {
4014 l2cap_state_change(chan, BT_CONFIG);
4015 result = L2CAP_CR_SUCCESS;
4016 status = L2CAP_CS_NO_INFO;
4017 }
4018 } else {
4019 l2cap_state_change(chan, BT_CONNECT2);
4020 result = L2CAP_CR_PEND;
4021 status = L2CAP_CS_AUTHEN_PEND;
4022 }
4023 } else {
4024 l2cap_state_change(chan, BT_CONNECT2);
4025 result = L2CAP_CR_PEND;
4026 status = L2CAP_CS_NO_INFO;
4027 }
4028
4029 response:
4030 rsp.scid = cpu_to_le16(scid);
4031 rsp.dcid = cpu_to_le16(dcid);
4032 rsp.result = cpu_to_le16(result);
4033 rsp.status = cpu_to_le16(status);
4034 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4035
4036 if (!pchan)
4037 return;
4038
4039 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4040 struct l2cap_info_req info;
4041 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4042
4043 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4044 conn->info_ident = l2cap_get_ident(conn);
4045
4046 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4047
4048 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4049 sizeof(info), &info);
4050 }
4051
4052 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4053 result == L2CAP_CR_SUCCESS) {
4054 u8 buf[128];
4055 set_bit(CONF_REQ_SENT, &chan->conf_state);
4056 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4057 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4058 chan->num_conf_req++;
4059 }
4060
4061 l2cap_chan_unlock(pchan);
4062 mutex_unlock(&conn->chan_lock);
4063 l2cap_chan_put(pchan);
4064 }
4065
4066 static int l2cap_connect_req(struct l2cap_conn *conn,
4067 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4068 {
4069 struct hci_dev *hdev = conn->hcon->hdev;
4070 struct hci_conn *hcon = conn->hcon;
4071
4072 if (cmd_len < sizeof(struct l2cap_conn_req))
4073 return -EPROTO;
4074
4075 hci_dev_lock(hdev);
4076 if (hci_dev_test_flag(hdev, HCI_MGMT))
4077 mgmt_device_connected(hdev, hcon, NULL, 0);
4078 hci_dev_unlock(hdev);
4079
4080 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP);
4081 return 0;
4082 }
4083
4084 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4085 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4086 u8 *data)
4087 {
4088 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4089 u16 scid, dcid, result, status;
4090 struct l2cap_chan *chan;
4091 u8 req[128];
4092 int err;
4093
4094 if (cmd_len < sizeof(*rsp))
4095 return -EPROTO;
4096
4097 scid = __le16_to_cpu(rsp->scid);
4098 dcid = __le16_to_cpu(rsp->dcid);
4099 result = __le16_to_cpu(rsp->result);
4100 status = __le16_to_cpu(rsp->status);
4101
4102 if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START ||
4103 dcid > L2CAP_CID_DYN_END))
4104 return -EPROTO;
4105
4106 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4107 dcid, scid, result, status);
4108
4109 mutex_lock(&conn->chan_lock);
4110
4111 if (scid) {
4112 chan = __l2cap_get_chan_by_scid(conn, scid);
4113 if (!chan) {
4114 err = -EBADSLT;
4115 goto unlock;
4116 }
4117 } else {
4118 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4119 if (!chan) {
4120 err = -EBADSLT;
4121 goto unlock;
4122 }
4123 }
4124
4125 chan = l2cap_chan_hold_unless_zero(chan);
4126 if (!chan) {
4127 err = -EBADSLT;
4128 goto unlock;
4129 }
4130
4131 err = 0;
4132
4133 l2cap_chan_lock(chan);
4134
4135 switch (result) {
4136 case L2CAP_CR_SUCCESS:
4137 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
4138 err = -EBADSLT;
4139 break;
4140 }
4141
4142 l2cap_state_change(chan, BT_CONFIG);
4143 chan->ident = 0;
4144 chan->dcid = dcid;
4145 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4146
4147 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4148 break;
4149
4150 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4151 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4152 chan->num_conf_req++;
4153 break;
4154
4155 case L2CAP_CR_PEND:
4156 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4157 break;
4158
4159 default:
4160 l2cap_chan_del(chan, ECONNREFUSED);
4161 break;
4162 }
4163
4164 l2cap_chan_unlock(chan);
4165 l2cap_chan_put(chan);
4166
4167 unlock:
4168 mutex_unlock(&conn->chan_lock);
4169
4170 return err;
4171 }
4172
4173 static inline void set_default_fcs(struct l2cap_chan *chan)
4174 {
4175 /* FCS is enabled only in ERTM or streaming mode, if one or both
4176 * sides request it.
4177 */
4178 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4179 chan->fcs = L2CAP_FCS_NONE;
4180 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4181 chan->fcs = L2CAP_FCS_CRC16;
4182 }
4183
4184 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4185 u8 ident, u16 flags)
4186 {
4187 struct l2cap_conn *conn = chan->conn;
4188
4189 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4190 flags);
4191
4192 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4193 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4194
4195 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4196 l2cap_build_conf_rsp(chan, data,
4197 L2CAP_CONF_SUCCESS, flags), data);
4198 }
4199
4200 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4201 u16 scid, u16 dcid)
4202 {
4203 struct l2cap_cmd_rej_cid rej;
4204
4205 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4206 rej.scid = __cpu_to_le16(scid);
4207 rej.dcid = __cpu_to_le16(dcid);
4208
4209 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4210 }
4211
4212 static inline int l2cap_config_req(struct l2cap_conn *conn,
4213 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4214 u8 *data)
4215 {
4216 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4217 u16 dcid, flags;
4218 u8 rsp[64];
4219 struct l2cap_chan *chan;
4220 int len, err = 0;
4221
4222 if (cmd_len < sizeof(*req))
4223 return -EPROTO;
4224
4225 dcid = __le16_to_cpu(req->dcid);
4226 flags = __le16_to_cpu(req->flags);
4227
4228 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4229
4230 chan = l2cap_get_chan_by_scid(conn, dcid);
4231 if (!chan) {
4232 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4233 return 0;
4234 }
4235
4236 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4237 chan->state != BT_CONNECTED) {
4238 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4239 chan->dcid);
4240 goto unlock;
4241 }
4242
4243 /* Reject if config buffer is too small. */
4244 len = cmd_len - sizeof(*req);
4245 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4246 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4247 l2cap_build_conf_rsp(chan, rsp,
4248 L2CAP_CONF_REJECT, flags), rsp);
4249 goto unlock;
4250 }
4251
4252 /* Store config. */
4253 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4254 chan->conf_len += len;
4255
4256 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4257 /* Incomplete config. Send empty response. */
4258 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4259 l2cap_build_conf_rsp(chan, rsp,
4260 L2CAP_CONF_SUCCESS, flags), rsp);
4261 goto unlock;
4262 }
4263
4264 /* Complete config. */
4265 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4266 if (len < 0) {
4267 l2cap_send_disconn_req(chan, ECONNRESET);
4268 goto unlock;
4269 }
4270
4271 chan->ident = cmd->ident;
4272 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4273 if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
4274 chan->num_conf_rsp++;
4275
4276 /* Reset config buffer. */
4277 chan->conf_len = 0;
4278
4279 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4280 goto unlock;
4281
4282 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4283 set_default_fcs(chan);
4284
4285 if (chan->mode == L2CAP_MODE_ERTM ||
4286 chan->mode == L2CAP_MODE_STREAMING)
4287 err = l2cap_ertm_init(chan);
4288
4289 if (err < 0)
4290 l2cap_send_disconn_req(chan, -err);
4291 else
4292 l2cap_chan_ready(chan);
4293
4294 goto unlock;
4295 }
4296
4297 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4298 u8 buf[64];
4299 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4300 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4301 chan->num_conf_req++;
4302 }
4303
4304 /* Got Conf Rsp PENDING from remote side and assume we sent
4305 Conf Rsp PENDING in the code above */
4306 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4307 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4308
4309 /* check compatibility */
4310
4311 /* Send rsp for BR/EDR channel */
4312 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4313 }
4314
4315 unlock:
4316 l2cap_chan_unlock(chan);
4317 l2cap_chan_put(chan);
4318 return err;
4319 }
4320
4321 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4322 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4323 u8 *data)
4324 {
4325 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4326 u16 scid, flags, result;
4327 struct l2cap_chan *chan;
4328 int len = cmd_len - sizeof(*rsp);
4329 int err = 0;
4330
4331 if (cmd_len < sizeof(*rsp))
4332 return -EPROTO;
4333
4334 scid = __le16_to_cpu(rsp->scid);
4335 flags = __le16_to_cpu(rsp->flags);
4336 result = __le16_to_cpu(rsp->result);
4337
4338 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4339 result, len);
4340
4341 chan = l2cap_get_chan_by_scid(conn, scid);
4342 if (!chan)
4343 return 0;
4344
4345 switch (result) {
4346 case L2CAP_CONF_SUCCESS:
4347 l2cap_conf_rfc_get(chan, rsp->data, len);
4348 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4349 break;
4350
4351 case L2CAP_CONF_PENDING:
4352 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4353
4354 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4355 char buf[64];
4356
4357 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4358 buf, sizeof(buf), &result);
4359 if (len < 0) {
4360 l2cap_send_disconn_req(chan, ECONNRESET);
4361 goto done;
4362 }
4363
4364 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0);
4365 }
4366 goto done;
4367
4368 case L2CAP_CONF_UNKNOWN:
4369 case L2CAP_CONF_UNACCEPT:
4370 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4371 char req[64];
4372
4373 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4374 l2cap_send_disconn_req(chan, ECONNRESET);
4375 goto done;
4376 }
4377
4378 /* throw out any old stored conf requests */
4379 result = L2CAP_CONF_SUCCESS;
4380 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4381 req, sizeof(req), &result);
4382 if (len < 0) {
4383 l2cap_send_disconn_req(chan, ECONNRESET);
4384 goto done;
4385 }
4386
4387 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4388 L2CAP_CONF_REQ, len, req);
4389 chan->num_conf_req++;
4390 if (result != L2CAP_CONF_SUCCESS)
4391 goto done;
4392 break;
4393 }
4394 fallthrough;
4395
4396 default:
4397 l2cap_chan_set_err(chan, ECONNRESET);
4398
4399 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4400 l2cap_send_disconn_req(chan, ECONNRESET);
4401 goto done;
4402 }
4403
4404 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4405 goto done;
4406
4407 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4408
4409 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4410 set_default_fcs(chan);
4411
4412 if (chan->mode == L2CAP_MODE_ERTM ||
4413 chan->mode == L2CAP_MODE_STREAMING)
4414 err = l2cap_ertm_init(chan);
4415
4416 if (err < 0)
4417 l2cap_send_disconn_req(chan, -err);
4418 else
4419 l2cap_chan_ready(chan);
4420 }
4421
4422 done:
4423 l2cap_chan_unlock(chan);
4424 l2cap_chan_put(chan);
4425 return err;
4426 }
4427
4428 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4429 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4430 u8 *data)
4431 {
4432 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4433 struct l2cap_disconn_rsp rsp;
4434 u16 dcid, scid;
4435 struct l2cap_chan *chan;
4436
4437 if (cmd_len != sizeof(*req))
4438 return -EPROTO;
4439
4440 scid = __le16_to_cpu(req->scid);
4441 dcid = __le16_to_cpu(req->dcid);
4442
4443 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4444
4445 chan = l2cap_get_chan_by_scid(conn, dcid);
4446 if (!chan) {
4447 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4448 return 0;
4449 }
4450
4451 rsp.dcid = cpu_to_le16(chan->scid);
4452 rsp.scid = cpu_to_le16(chan->dcid);
4453 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4454
4455 chan->ops->set_shutdown(chan);
4456
4457 l2cap_chan_unlock(chan);
4458 mutex_lock(&conn->chan_lock);
4459 l2cap_chan_lock(chan);
4460 l2cap_chan_del(chan, ECONNRESET);
4461 mutex_unlock(&conn->chan_lock);
4462
4463 chan->ops->close(chan);
4464
4465 l2cap_chan_unlock(chan);
4466 l2cap_chan_put(chan);
4467
4468 return 0;
4469 }
4470
4471 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4472 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4473 u8 *data)
4474 {
4475 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4476 u16 dcid, scid;
4477 struct l2cap_chan *chan;
4478
4479 if (cmd_len != sizeof(*rsp))
4480 return -EPROTO;
4481
4482 scid = __le16_to_cpu(rsp->scid);
4483 dcid = __le16_to_cpu(rsp->dcid);
4484
4485 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4486
4487 chan = l2cap_get_chan_by_scid(conn, scid);
4488 if (!chan) {
4489 return 0;
4490 }
4491
4492 if (chan->state != BT_DISCONN) {
4493 l2cap_chan_unlock(chan);
4494 l2cap_chan_put(chan);
4495 return 0;
4496 }
4497
4498 l2cap_chan_unlock(chan);
4499 mutex_lock(&conn->chan_lock);
4500 l2cap_chan_lock(chan);
4501 l2cap_chan_del(chan, 0);
4502 mutex_unlock(&conn->chan_lock);
4503
4504 chan->ops->close(chan);
4505
4506 l2cap_chan_unlock(chan);
4507 l2cap_chan_put(chan);
4508
4509 return 0;
4510 }
4511
4512 static inline int l2cap_information_req(struct l2cap_conn *conn,
4513 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4514 u8 *data)
4515 {
4516 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4517 u16 type;
4518
4519 if (cmd_len != sizeof(*req))
4520 return -EPROTO;
4521
4522 type = __le16_to_cpu(req->type);
4523
4524 BT_DBG("type 0x%4.4x", type);
4525
4526 if (type == L2CAP_IT_FEAT_MASK) {
4527 u8 buf[8];
4528 u32 feat_mask = l2cap_feat_mask;
4529 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4530 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4531 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4532 if (!disable_ertm)
4533 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4534 | L2CAP_FEAT_FCS;
4535
4536 put_unaligned_le32(feat_mask, rsp->data);
4537 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4538 buf);
4539 } else if (type == L2CAP_IT_FIXED_CHAN) {
4540 u8 buf[12];
4541 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4542
4543 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4544 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4545 rsp->data[0] = conn->local_fixed_chan;
4546 memset(rsp->data + 1, 0, 7);
4547 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4548 buf);
4549 } else {
4550 struct l2cap_info_rsp rsp;
4551 rsp.type = cpu_to_le16(type);
4552 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4553 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4554 &rsp);
4555 }
4556
4557 return 0;
4558 }
4559
4560 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4561 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4562 u8 *data)
4563 {
4564 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4565 u16 type, result;
4566
4567 if (cmd_len < sizeof(*rsp))
4568 return -EPROTO;
4569
4570 type = __le16_to_cpu(rsp->type);
4571 result = __le16_to_cpu(rsp->result);
4572
4573 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4574
4575 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4576 if (cmd->ident != conn->info_ident ||
4577 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4578 return 0;
4579
4580 cancel_delayed_work(&conn->info_timer);
4581
4582 if (result != L2CAP_IR_SUCCESS) {
4583 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4584 conn->info_ident = 0;
4585
4586 l2cap_conn_start(conn);
4587
4588 return 0;
4589 }
4590
4591 switch (type) {
4592 case L2CAP_IT_FEAT_MASK:
4593 conn->feat_mask = get_unaligned_le32(rsp->data);
4594
4595 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4596 struct l2cap_info_req req;
4597 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4598
4599 conn->info_ident = l2cap_get_ident(conn);
4600
4601 l2cap_send_cmd(conn, conn->info_ident,
4602 L2CAP_INFO_REQ, sizeof(req), &req);
4603 } else {
4604 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4605 conn->info_ident = 0;
4606
4607 l2cap_conn_start(conn);
4608 }
4609 break;
4610
4611 case L2CAP_IT_FIXED_CHAN:
4612 conn->remote_fixed_chan = rsp->data[0];
4613 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4614 conn->info_ident = 0;
4615
4616 l2cap_conn_start(conn);
4617 break;
4618 }
4619
4620 return 0;
4621 }
4622
4623 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4624 struct l2cap_cmd_hdr *cmd,
4625 u16 cmd_len, u8 *data)
4626 {
4627 struct hci_conn *hcon = conn->hcon;
4628 struct l2cap_conn_param_update_req *req;
4629 struct l2cap_conn_param_update_rsp rsp;
4630 u16 min, max, latency, to_multiplier;
4631 int err;
4632
4633 if (hcon->role != HCI_ROLE_MASTER)
4634 return -EINVAL;
4635
4636 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4637 return -EPROTO;
4638
4639 req = (struct l2cap_conn_param_update_req *) data;
4640 min = __le16_to_cpu(req->min);
4641 max = __le16_to_cpu(req->max);
4642 latency = __le16_to_cpu(req->latency);
4643 to_multiplier = __le16_to_cpu(req->to_multiplier);
4644
4645 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4646 min, max, latency, to_multiplier);
4647
4648 memset(&rsp, 0, sizeof(rsp));
4649
4650 err = hci_check_conn_params(min, max, latency, to_multiplier);
4651 if (err)
4652 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4653 else
4654 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4655
4656 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4657 sizeof(rsp), &rsp);
4658
4659 if (!err) {
4660 u8 store_hint;
4661
4662 store_hint = hci_le_conn_update(hcon, min, max, latency,
4663 to_multiplier);
4664 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
4665 store_hint, min, max, latency,
4666 to_multiplier);
4667
4668 }
4669
4670 return 0;
4671 }
4672
4673 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
4674 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4675 u8 *data)
4676 {
4677 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
4678 struct hci_conn *hcon = conn->hcon;
4679 u16 dcid, mtu, mps, credits, result;
4680 struct l2cap_chan *chan;
4681 int err, sec_level;
4682
4683 if (cmd_len < sizeof(*rsp))
4684 return -EPROTO;
4685
4686 dcid = __le16_to_cpu(rsp->dcid);
4687 mtu = __le16_to_cpu(rsp->mtu);
4688 mps = __le16_to_cpu(rsp->mps);
4689 credits = __le16_to_cpu(rsp->credits);
4690 result = __le16_to_cpu(rsp->result);
4691
4692 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
4693 dcid < L2CAP_CID_DYN_START ||
4694 dcid > L2CAP_CID_LE_DYN_END))
4695 return -EPROTO;
4696
4697 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
4698 dcid, mtu, mps, credits, result);
4699
4700 mutex_lock(&conn->chan_lock);
4701
4702 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4703 if (!chan) {
4704 err = -EBADSLT;
4705 goto unlock;
4706 }
4707
4708 err = 0;
4709
4710 l2cap_chan_lock(chan);
4711
4712 switch (result) {
4713 case L2CAP_CR_LE_SUCCESS:
4714 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
4715 err = -EBADSLT;
4716 break;
4717 }
4718
4719 chan->ident = 0;
4720 chan->dcid = dcid;
4721 chan->omtu = mtu;
4722 chan->remote_mps = mps;
4723 chan->tx_credits = credits;
4724 l2cap_chan_ready(chan);
4725 break;
4726
4727 case L2CAP_CR_LE_AUTHENTICATION:
4728 case L2CAP_CR_LE_ENCRYPTION:
4729 /* If we already have MITM protection we can't do
4730 * anything.
4731 */
4732 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
4733 l2cap_chan_del(chan, ECONNREFUSED);
4734 break;
4735 }
4736
4737 sec_level = hcon->sec_level + 1;
4738 if (chan->sec_level < sec_level)
4739 chan->sec_level = sec_level;
4740
4741 /* We'll need to send a new Connect Request */
4742 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
4743
4744 smp_conn_security(hcon, chan->sec_level);
4745 break;
4746
4747 default:
4748 l2cap_chan_del(chan, ECONNREFUSED);
4749 break;
4750 }
4751
4752 l2cap_chan_unlock(chan);
4753
4754 unlock:
4755 mutex_unlock(&conn->chan_lock);
4756
4757 return err;
4758 }
4759
4760 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4761 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4762 u8 *data)
4763 {
4764 int err = 0;
4765
4766 switch (cmd->code) {
4767 case L2CAP_COMMAND_REJ:
4768 l2cap_command_rej(conn, cmd, cmd_len, data);
4769 break;
4770
4771 case L2CAP_CONN_REQ:
4772 err = l2cap_connect_req(conn, cmd, cmd_len, data);
4773 break;
4774
4775 case L2CAP_CONN_RSP:
4776 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
4777 break;
4778
4779 case L2CAP_CONF_REQ:
4780 err = l2cap_config_req(conn, cmd, cmd_len, data);
4781 break;
4782
4783 case L2CAP_CONF_RSP:
4784 l2cap_config_rsp(conn, cmd, cmd_len, data);
4785 break;
4786
4787 case L2CAP_DISCONN_REQ:
4788 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
4789 break;
4790
4791 case L2CAP_DISCONN_RSP:
4792 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
4793 break;
4794
4795 case L2CAP_ECHO_REQ:
4796 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4797 break;
4798
4799 case L2CAP_ECHO_RSP:
4800 break;
4801
4802 case L2CAP_INFO_REQ:
4803 err = l2cap_information_req(conn, cmd, cmd_len, data);
4804 break;
4805
4806 case L2CAP_INFO_RSP:
4807 l2cap_information_rsp(conn, cmd, cmd_len, data);
4808 break;
4809
4810 default:
4811 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4812 err = -EINVAL;
4813 break;
4814 }
4815
4816 return err;
4817 }
4818
4819 static int l2cap_le_connect_req(struct l2cap_conn *conn,
4820 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4821 u8 *data)
4822 {
4823 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
4824 struct l2cap_le_conn_rsp rsp;
4825 struct l2cap_chan *chan, *pchan;
4826 u16 dcid, scid, credits, mtu, mps;
4827 __le16 psm;
4828 u8 result;
4829
4830 if (cmd_len != sizeof(*req))
4831 return -EPROTO;
4832
4833 scid = __le16_to_cpu(req->scid);
4834 mtu = __le16_to_cpu(req->mtu);
4835 mps = __le16_to_cpu(req->mps);
4836 psm = req->psm;
4837 dcid = 0;
4838 credits = 0;
4839
4840 if (mtu < 23 || mps < 23)
4841 return -EPROTO;
4842
4843 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
4844 scid, mtu, mps);
4845
4846 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
4847 * page 1059:
4848 *
4849 * Valid range: 0x0001-0x00ff
4850 *
4851 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
4852 */
4853 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
4854 result = L2CAP_CR_LE_BAD_PSM;
4855 chan = NULL;
4856 goto response;
4857 }
4858
4859 /* Check if we have socket listening on psm */
4860 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4861 &conn->hcon->dst, LE_LINK);
4862 if (!pchan) {
4863 result = L2CAP_CR_LE_BAD_PSM;
4864 chan = NULL;
4865 goto response;
4866 }
4867
4868 mutex_lock(&conn->chan_lock);
4869 l2cap_chan_lock(pchan);
4870
4871 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
4872 SMP_ALLOW_STK)) {
4873 result = L2CAP_CR_LE_AUTHENTICATION;
4874 chan = NULL;
4875 goto response_unlock;
4876 }
4877
4878 /* Check for valid dynamic CID range */
4879 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
4880 result = L2CAP_CR_LE_INVALID_SCID;
4881 chan = NULL;
4882 goto response_unlock;
4883 }
4884
4885 /* Check if we already have channel with that dcid */
4886 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4887 result = L2CAP_CR_LE_SCID_IN_USE;
4888 chan = NULL;
4889 goto response_unlock;
4890 }
4891
4892 chan = pchan->ops->new_connection(pchan);
4893 if (!chan) {
4894 result = L2CAP_CR_LE_NO_MEM;
4895 goto response_unlock;
4896 }
4897
4898 bacpy(&chan->src, &conn->hcon->src);
4899 bacpy(&chan->dst, &conn->hcon->dst);
4900 chan->src_type = bdaddr_src_type(conn->hcon);
4901 chan->dst_type = bdaddr_dst_type(conn->hcon);
4902 chan->psm = psm;
4903 chan->dcid = scid;
4904 chan->omtu = mtu;
4905 chan->remote_mps = mps;
4906
4907 __l2cap_chan_add(conn, chan);
4908
4909 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
4910
4911 dcid = chan->scid;
4912 credits = chan->rx_credits;
4913
4914 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4915
4916 chan->ident = cmd->ident;
4917
4918 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4919 l2cap_state_change(chan, BT_CONNECT2);
4920 /* The following result value is actually not defined
4921 * for LE CoC but we use it to let the function know
4922 * that it should bail out after doing its cleanup
4923 * instead of sending a response.
4924 */
4925 result = L2CAP_CR_PEND;
4926 chan->ops->defer(chan);
4927 } else {
4928 l2cap_chan_ready(chan);
4929 result = L2CAP_CR_LE_SUCCESS;
4930 }
4931
4932 response_unlock:
4933 l2cap_chan_unlock(pchan);
4934 mutex_unlock(&conn->chan_lock);
4935 l2cap_chan_put(pchan);
4936
4937 if (result == L2CAP_CR_PEND)
4938 return 0;
4939
4940 response:
4941 if (chan) {
4942 rsp.mtu = cpu_to_le16(chan->imtu);
4943 rsp.mps = cpu_to_le16(chan->mps);
4944 } else {
4945 rsp.mtu = 0;
4946 rsp.mps = 0;
4947 }
4948
4949 rsp.dcid = cpu_to_le16(dcid);
4950 rsp.credits = cpu_to_le16(credits);
4951 rsp.result = cpu_to_le16(result);
4952
4953 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
4954
4955 return 0;
4956 }
4957
4958 static inline int l2cap_le_credits(struct l2cap_conn *conn,
4959 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4960 u8 *data)
4961 {
4962 struct l2cap_le_credits *pkt;
4963 struct l2cap_chan *chan;
4964 u16 cid, credits, max_credits;
4965
4966 if (cmd_len != sizeof(*pkt))
4967 return -EPROTO;
4968
4969 pkt = (struct l2cap_le_credits *) data;
4970 cid = __le16_to_cpu(pkt->cid);
4971 credits = __le16_to_cpu(pkt->credits);
4972
4973 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
4974
4975 chan = l2cap_get_chan_by_dcid(conn, cid);
4976 if (!chan)
4977 return -EBADSLT;
4978
4979 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
4980 if (credits > max_credits) {
4981 BT_ERR("LE credits overflow");
4982 l2cap_send_disconn_req(chan, ECONNRESET);
4983
4984 /* Return 0 so that we don't trigger an unnecessary
4985 * command reject packet.
4986 */
4987 goto unlock;
4988 }
4989
4990 chan->tx_credits += credits;
4991
4992 /* Resume sending */
4993 l2cap_le_flowctl_send(chan);
4994
4995 if (chan->tx_credits)
4996 chan->ops->resume(chan);
4997
4998 unlock:
4999 l2cap_chan_unlock(chan);
5000 l2cap_chan_put(chan);
5001
5002 return 0;
5003 }
5004
5005 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5006 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5007 u8 *data)
5008 {
5009 struct l2cap_ecred_conn_req *req = (void *) data;
5010 DEFINE_RAW_FLEX(struct l2cap_ecred_conn_rsp, pdu, dcid, L2CAP_ECRED_MAX_CID);
5011 struct l2cap_chan *chan, *pchan;
5012 u16 mtu, mps;
5013 __le16 psm;
5014 u8 result, len = 0;
5015 int i, num_scid;
5016 bool defer = false;
5017
5018 if (!enable_ecred)
5019 return -EINVAL;
5020
5021 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5022 result = L2CAP_CR_LE_INVALID_PARAMS;
5023 goto response;
5024 }
5025
5026 cmd_len -= sizeof(*req);
5027 num_scid = cmd_len / sizeof(u16);
5028
5029 if (num_scid > L2CAP_ECRED_MAX_CID) {
5030 result = L2CAP_CR_LE_INVALID_PARAMS;
5031 goto response;
5032 }
5033
5034 mtu = __le16_to_cpu(req->mtu);
5035 mps = __le16_to_cpu(req->mps);
5036
5037 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5038 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5039 goto response;
5040 }
5041
5042 psm = req->psm;
5043
5044 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
5045 * page 1059:
5046 *
5047 * Valid range: 0x0001-0x00ff
5048 *
5049 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
5050 */
5051 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
5052 result = L2CAP_CR_LE_BAD_PSM;
5053 goto response;
5054 }
5055
5056 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5057
5058 memset(pdu, 0, sizeof(*pdu));
5059
5060 /* Check if we have socket listening on psm */
5061 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5062 &conn->hcon->dst, LE_LINK);
5063 if (!pchan) {
5064 result = L2CAP_CR_LE_BAD_PSM;
5065 goto response;
5066 }
5067
5068 mutex_lock(&conn->chan_lock);
5069 l2cap_chan_lock(pchan);
5070
5071 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5072 SMP_ALLOW_STK)) {
5073 result = L2CAP_CR_LE_AUTHENTICATION;
5074 goto unlock;
5075 }
5076
5077 result = L2CAP_CR_LE_SUCCESS;
5078
5079 for (i = 0; i < num_scid; i++) {
5080 u16 scid = __le16_to_cpu(req->scid[i]);
5081
5082 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5083
5084 pdu->dcid[i] = 0x0000;
5085 len += sizeof(*pdu->dcid);
5086
5087 /* Check for valid dynamic CID range */
5088 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5089 result = L2CAP_CR_LE_INVALID_SCID;
5090 continue;
5091 }
5092
5093 /* Check if we already have channel with that dcid */
5094 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5095 result = L2CAP_CR_LE_SCID_IN_USE;
5096 continue;
5097 }
5098
5099 chan = pchan->ops->new_connection(pchan);
5100 if (!chan) {
5101 result = L2CAP_CR_LE_NO_MEM;
5102 continue;
5103 }
5104
5105 bacpy(&chan->src, &conn->hcon->src);
5106 bacpy(&chan->dst, &conn->hcon->dst);
5107 chan->src_type = bdaddr_src_type(conn->hcon);
5108 chan->dst_type = bdaddr_dst_type(conn->hcon);
5109 chan->psm = psm;
5110 chan->dcid = scid;
5111 chan->omtu = mtu;
5112 chan->remote_mps = mps;
5113
5114 __l2cap_chan_add(conn, chan);
5115
5116 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
5117
5118 /* Init response */
5119 if (!pdu->credits) {
5120 pdu->mtu = cpu_to_le16(chan->imtu);
5121 pdu->mps = cpu_to_le16(chan->mps);
5122 pdu->credits = cpu_to_le16(chan->rx_credits);
5123 }
5124
5125 pdu->dcid[i] = cpu_to_le16(chan->scid);
5126
5127 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5128
5129 chan->ident = cmd->ident;
5130 chan->mode = L2CAP_MODE_EXT_FLOWCTL;
5131
5132 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5133 l2cap_state_change(chan, BT_CONNECT2);
5134 defer = true;
5135 chan->ops->defer(chan);
5136 } else {
5137 l2cap_chan_ready(chan);
5138 }
5139 }
5140
5141 unlock:
5142 l2cap_chan_unlock(pchan);
5143 mutex_unlock(&conn->chan_lock);
5144 l2cap_chan_put(pchan);
5145
5146 response:
5147 pdu->result = cpu_to_le16(result);
5148
5149 if (defer)
5150 return 0;
5151
5152 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
5153 sizeof(*pdu) + len, pdu);
5154
5155 return 0;
5156 }
5157
5158 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
5159 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5160 u8 *data)
5161 {
5162 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
5163 struct hci_conn *hcon = conn->hcon;
5164 u16 mtu, mps, credits, result;
5165 struct l2cap_chan *chan, *tmp;
5166 int err = 0, sec_level;
5167 int i = 0;
5168
5169 if (cmd_len < sizeof(*rsp))
5170 return -EPROTO;
5171
5172 mtu = __le16_to_cpu(rsp->mtu);
5173 mps = __le16_to_cpu(rsp->mps);
5174 credits = __le16_to_cpu(rsp->credits);
5175 result = __le16_to_cpu(rsp->result);
5176
5177 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
5178 result);
5179
5180 mutex_lock(&conn->chan_lock);
5181
5182 cmd_len -= sizeof(*rsp);
5183
5184 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
5185 u16 dcid;
5186
5187 if (chan->ident != cmd->ident ||
5188 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
5189 chan->state == BT_CONNECTED)
5190 continue;
5191
5192 l2cap_chan_lock(chan);
5193
5194 /* Check that there is a dcid for each pending channel */
5195 if (cmd_len < sizeof(dcid)) {
5196 l2cap_chan_del(chan, ECONNREFUSED);
5197 l2cap_chan_unlock(chan);
5198 continue;
5199 }
5200
5201 dcid = __le16_to_cpu(rsp->dcid[i++]);
5202 cmd_len -= sizeof(u16);
5203
5204 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
5205
5206 /* Check if dcid is already in use */
5207 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
5208 /* If a device receives a
5209 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
5210 * already-assigned Destination CID, then both the
5211 * original channel and the new channel shall be
5212 * immediately discarded and not used.
5213 */
5214 l2cap_chan_del(chan, ECONNREFUSED);
5215 l2cap_chan_unlock(chan);
5216 chan = __l2cap_get_chan_by_dcid(conn, dcid);
5217 l2cap_chan_lock(chan);
5218 l2cap_chan_del(chan, ECONNRESET);
5219 l2cap_chan_unlock(chan);
5220 continue;
5221 }
5222
5223 switch (result) {
5224 case L2CAP_CR_LE_AUTHENTICATION:
5225 case L2CAP_CR_LE_ENCRYPTION:
5226 /* If we already have MITM protection we can't do
5227 * anything.
5228 */
5229 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5230 l2cap_chan_del(chan, ECONNREFUSED);
5231 break;
5232 }
5233
5234 sec_level = hcon->sec_level + 1;
5235 if (chan->sec_level < sec_level)
5236 chan->sec_level = sec_level;
5237
5238 /* We'll need to send a new Connect Request */
5239 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
5240
5241 smp_conn_security(hcon, chan->sec_level);
5242 break;
5243
5244 case L2CAP_CR_LE_BAD_PSM:
5245 l2cap_chan_del(chan, ECONNREFUSED);
5246 break;
5247
5248 default:
5249 /* If dcid was not set it means channels was refused */
5250 if (!dcid) {
5251 l2cap_chan_del(chan, ECONNREFUSED);
5252 break;
5253 }
5254
5255 chan->ident = 0;
5256 chan->dcid = dcid;
5257 chan->omtu = mtu;
5258 chan->remote_mps = mps;
5259 chan->tx_credits = credits;
5260 l2cap_chan_ready(chan);
5261 break;
5262 }
5263
5264 l2cap_chan_unlock(chan);
5265 }
5266
5267 mutex_unlock(&conn->chan_lock);
5268
5269 return err;
5270 }
5271
5272 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
5273 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5274 u8 *data)
5275 {
5276 struct l2cap_ecred_reconf_req *req = (void *) data;
5277 struct l2cap_ecred_reconf_rsp rsp;
5278 u16 mtu, mps, result;
5279 struct l2cap_chan *chan;
5280 int i, num_scid;
5281
5282 if (!enable_ecred)
5283 return -EINVAL;
5284
5285 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
5286 result = L2CAP_CR_LE_INVALID_PARAMS;
5287 goto respond;
5288 }
5289
5290 mtu = __le16_to_cpu(req->mtu);
5291 mps = __le16_to_cpu(req->mps);
5292
5293 BT_DBG("mtu %u mps %u", mtu, mps);
5294
5295 if (mtu < L2CAP_ECRED_MIN_MTU) {
5296 result = L2CAP_RECONF_INVALID_MTU;
5297 goto respond;
5298 }
5299
5300 if (mps < L2CAP_ECRED_MIN_MPS) {
5301 result = L2CAP_RECONF_INVALID_MPS;
5302 goto respond;
5303 }
5304
5305 cmd_len -= sizeof(*req);
5306 num_scid = cmd_len / sizeof(u16);
5307 result = L2CAP_RECONF_SUCCESS;
5308
5309 for (i = 0; i < num_scid; i++) {
5310 u16 scid;
5311
5312 scid = __le16_to_cpu(req->scid[i]);
5313 if (!scid)
5314 return -EPROTO;
5315
5316 chan = __l2cap_get_chan_by_dcid(conn, scid);
5317 if (!chan)
5318 continue;
5319
5320 /* If the MTU value is decreased for any of the included
5321 * channels, then the receiver shall disconnect all
5322 * included channels.
5323 */
5324 if (chan->omtu > mtu) {
5325 BT_ERR("chan %p decreased MTU %u -> %u", chan,
5326 chan->omtu, mtu);
5327 result = L2CAP_RECONF_INVALID_MTU;
5328 }
5329
5330 chan->omtu = mtu;
5331 chan->remote_mps = mps;
5332 }
5333
5334 respond:
5335 rsp.result = cpu_to_le16(result);
5336
5337 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
5338 &rsp);
5339
5340 return 0;
5341 }
5342
5343 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
5344 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5345 u8 *data)
5346 {
5347 struct l2cap_chan *chan, *tmp;
5348 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
5349 u16 result;
5350
5351 if (cmd_len < sizeof(*rsp))
5352 return -EPROTO;
5353
5354 result = __le16_to_cpu(rsp->result);
5355
5356 BT_DBG("result 0x%4.4x", rsp->result);
5357
5358 if (!result)
5359 return 0;
5360
5361 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
5362 if (chan->ident != cmd->ident)
5363 continue;
5364
5365 l2cap_chan_del(chan, ECONNRESET);
5366 }
5367
5368 return 0;
5369 }
5370
5371 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5372 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5373 u8 *data)
5374 {
5375 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5376 struct l2cap_chan *chan;
5377
5378 if (cmd_len < sizeof(*rej))
5379 return -EPROTO;
5380
5381 mutex_lock(&conn->chan_lock);
5382
5383 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5384 if (!chan)
5385 goto done;
5386
5387 chan = l2cap_chan_hold_unless_zero(chan);
5388 if (!chan)
5389 goto done;
5390
5391 l2cap_chan_lock(chan);
5392 l2cap_chan_del(chan, ECONNREFUSED);
5393 l2cap_chan_unlock(chan);
5394 l2cap_chan_put(chan);
5395
5396 done:
5397 mutex_unlock(&conn->chan_lock);
5398 return 0;
5399 }
5400
5401 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5402 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5403 u8 *data)
5404 {
5405 int err = 0;
5406
5407 switch (cmd->code) {
5408 case L2CAP_COMMAND_REJ:
5409 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5410 break;
5411
5412 case L2CAP_CONN_PARAM_UPDATE_REQ:
5413 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5414 break;
5415
5416 case L2CAP_CONN_PARAM_UPDATE_RSP:
5417 break;
5418
5419 case L2CAP_LE_CONN_RSP:
5420 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5421 break;
5422
5423 case L2CAP_LE_CONN_REQ:
5424 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5425 break;
5426
5427 case L2CAP_LE_CREDITS:
5428 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5429 break;
5430
5431 case L2CAP_ECRED_CONN_REQ:
5432 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
5433 break;
5434
5435 case L2CAP_ECRED_CONN_RSP:
5436 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
5437 break;
5438
5439 case L2CAP_ECRED_RECONF_REQ:
5440 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
5441 break;
5442
5443 case L2CAP_ECRED_RECONF_RSP:
5444 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
5445 break;
5446
5447 case L2CAP_DISCONN_REQ:
5448 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5449 break;
5450
5451 case L2CAP_DISCONN_RSP:
5452 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5453 break;
5454
5455 default:
5456 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5457 err = -EINVAL;
5458 break;
5459 }
5460
5461 return err;
5462 }
5463
5464 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5465 struct sk_buff *skb)
5466 {
5467 struct hci_conn *hcon = conn->hcon;
5468 struct l2cap_cmd_hdr *cmd;
5469 u16 len;
5470 int err;
5471
5472 if (hcon->type != LE_LINK)
5473 goto drop;
5474
5475 if (skb->len < L2CAP_CMD_HDR_SIZE)
5476 goto drop;
5477
5478 cmd = (void *) skb->data;
5479 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5480
5481 len = le16_to_cpu(cmd->len);
5482
5483 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5484
5485 if (len != skb->len || !cmd->ident) {
5486 BT_DBG("corrupted command");
5487 goto drop;
5488 }
5489
5490 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5491 if (err) {
5492 struct l2cap_cmd_rej_unk rej;
5493
5494 BT_ERR("Wrong link type (%d)", err);
5495
5496 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5497 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5498 sizeof(rej), &rej);
5499 }
5500
5501 drop:
5502 kfree_skb(skb);
5503 }
5504
5505 static inline void l2cap_sig_send_rej(struct l2cap_conn *conn, u16 ident)
5506 {
5507 struct l2cap_cmd_rej_unk rej;
5508
5509 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5510 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
5511 }
5512
5513 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5514 struct sk_buff *skb)
5515 {
5516 struct hci_conn *hcon = conn->hcon;
5517 struct l2cap_cmd_hdr *cmd;
5518 int err;
5519
5520 l2cap_raw_recv(conn, skb);
5521
5522 if (hcon->type != ACL_LINK)
5523 goto drop;
5524
5525 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
5526 u16 len;
5527
5528 cmd = (void *) skb->data;
5529 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5530
5531 len = le16_to_cpu(cmd->len);
5532
5533 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
5534 cmd->ident);
5535
5536 if (len > skb->len || !cmd->ident) {
5537 BT_DBG("corrupted command");
5538 l2cap_sig_send_rej(conn, cmd->ident);
5539 skb_pull(skb, len > skb->len ? skb->len : len);
5540 continue;
5541 }
5542
5543 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
5544 if (err) {
5545 BT_ERR("Wrong link type (%d)", err);
5546 l2cap_sig_send_rej(conn, cmd->ident);
5547 }
5548
5549 skb_pull(skb, len);
5550 }
5551
5552 if (skb->len > 0) {
5553 BT_DBG("corrupted command");
5554 l2cap_sig_send_rej(conn, 0);
5555 }
5556
5557 drop:
5558 kfree_skb(skb);
5559 }
5560
5561 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5562 {
5563 u16 our_fcs, rcv_fcs;
5564 int hdr_size;
5565
5566 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5567 hdr_size = L2CAP_EXT_HDR_SIZE;
5568 else
5569 hdr_size = L2CAP_ENH_HDR_SIZE;
5570
5571 if (chan->fcs == L2CAP_FCS_CRC16) {
5572 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5573 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5574 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5575
5576 if (our_fcs != rcv_fcs)
5577 return -EBADMSG;
5578 }
5579 return 0;
5580 }
5581
5582 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5583 {
5584 struct l2cap_ctrl control;
5585
5586 BT_DBG("chan %p", chan);
5587
5588 memset(&control, 0, sizeof(control));
5589 control.sframe = 1;
5590 control.final = 1;
5591 control.reqseq = chan->buffer_seq;
5592 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5593
5594 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5595 control.super = L2CAP_SUPER_RNR;
5596 l2cap_send_sframe(chan, &control);
5597 }
5598
5599 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5600 chan->unacked_frames > 0)
5601 __set_retrans_timer(chan);
5602
5603 /* Send pending iframes */
5604 l2cap_ertm_send(chan);
5605
5606 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5607 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5608 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5609 * send it now.
5610 */
5611 control.super = L2CAP_SUPER_RR;
5612 l2cap_send_sframe(chan, &control);
5613 }
5614 }
5615
5616 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5617 struct sk_buff **last_frag)
5618 {
5619 /* skb->len reflects data in skb as well as all fragments
5620 * skb->data_len reflects only data in fragments
5621 */
5622 if (!skb_has_frag_list(skb))
5623 skb_shinfo(skb)->frag_list = new_frag;
5624
5625 new_frag->next = NULL;
5626
5627 (*last_frag)->next = new_frag;
5628 *last_frag = new_frag;
5629
5630 skb->len += new_frag->len;
5631 skb->data_len += new_frag->len;
5632 skb->truesize += new_frag->truesize;
5633 }
5634
5635 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5636 struct l2cap_ctrl *control)
5637 {
5638 int err = -EINVAL;
5639
5640 switch (control->sar) {
5641 case L2CAP_SAR_UNSEGMENTED:
5642 if (chan->sdu)
5643 break;
5644
5645 err = chan->ops->recv(chan, skb);
5646 break;
5647
5648 case L2CAP_SAR_START:
5649 if (chan->sdu)
5650 break;
5651
5652 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5653 break;
5654
5655 chan->sdu_len = get_unaligned_le16(skb->data);
5656 skb_pull(skb, L2CAP_SDULEN_SIZE);
5657
5658 if (chan->sdu_len > chan->imtu) {
5659 err = -EMSGSIZE;
5660 break;
5661 }
5662
5663 if (skb->len >= chan->sdu_len)
5664 break;
5665
5666 chan->sdu = skb;
5667 chan->sdu_last_frag = skb;
5668
5669 skb = NULL;
5670 err = 0;
5671 break;
5672
5673 case L2CAP_SAR_CONTINUE:
5674 if (!chan->sdu)
5675 break;
5676
5677 append_skb_frag(chan->sdu, skb,
5678 &chan->sdu_last_frag);
5679 skb = NULL;
5680
5681 if (chan->sdu->len >= chan->sdu_len)
5682 break;
5683
5684 err = 0;
5685 break;
5686
5687 case L2CAP_SAR_END:
5688 if (!chan->sdu)
5689 break;
5690
5691 append_skb_frag(chan->sdu, skb,
5692 &chan->sdu_last_frag);
5693 skb = NULL;
5694
5695 if (chan->sdu->len != chan->sdu_len)
5696 break;
5697
5698 err = chan->ops->recv(chan, chan->sdu);
5699
5700 if (!err) {
5701 /* Reassembly complete */
5702 chan->sdu = NULL;
5703 chan->sdu_last_frag = NULL;
5704 chan->sdu_len = 0;
5705 }
5706 break;
5707 }
5708
5709 if (err) {
5710 kfree_skb(skb);
5711 kfree_skb(chan->sdu);
5712 chan->sdu = NULL;
5713 chan->sdu_last_frag = NULL;
5714 chan->sdu_len = 0;
5715 }
5716
5717 return err;
5718 }
5719
5720 static int l2cap_resegment(struct l2cap_chan *chan)
5721 {
5722 /* Placeholder */
5723 return 0;
5724 }
5725
5726 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5727 {
5728 u8 event;
5729
5730 if (chan->mode != L2CAP_MODE_ERTM)
5731 return;
5732
5733 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5734 l2cap_tx(chan, NULL, NULL, event);
5735 }
5736
5737 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5738 {
5739 int err = 0;
5740 /* Pass sequential frames to l2cap_reassemble_sdu()
5741 * until a gap is encountered.
5742 */
5743
5744 BT_DBG("chan %p", chan);
5745
5746 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5747 struct sk_buff *skb;
5748 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5749 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5750
5751 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5752
5753 if (!skb)
5754 break;
5755
5756 skb_unlink(skb, &chan->srej_q);
5757 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5758 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5759 if (err)
5760 break;
5761 }
5762
5763 if (skb_queue_empty(&chan->srej_q)) {
5764 chan->rx_state = L2CAP_RX_STATE_RECV;
5765 l2cap_send_ack(chan);
5766 }
5767
5768 return err;
5769 }
5770
5771 static void l2cap_handle_srej(struct l2cap_chan *chan,
5772 struct l2cap_ctrl *control)
5773 {
5774 struct sk_buff *skb;
5775
5776 BT_DBG("chan %p, control %p", chan, control);
5777
5778 if (control->reqseq == chan->next_tx_seq) {
5779 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5780 l2cap_send_disconn_req(chan, ECONNRESET);
5781 return;
5782 }
5783
5784 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5785
5786 if (skb == NULL) {
5787 BT_DBG("Seq %d not available for retransmission",
5788 control->reqseq);
5789 return;
5790 }
5791
5792 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5793 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5794 l2cap_send_disconn_req(chan, ECONNRESET);
5795 return;
5796 }
5797
5798 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5799
5800 if (control->poll) {
5801 l2cap_pass_to_tx(chan, control);
5802
5803 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5804 l2cap_retransmit(chan, control);
5805 l2cap_ertm_send(chan);
5806
5807 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5808 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5809 chan->srej_save_reqseq = control->reqseq;
5810 }
5811 } else {
5812 l2cap_pass_to_tx_fbit(chan, control);
5813
5814 if (control->final) {
5815 if (chan->srej_save_reqseq != control->reqseq ||
5816 !test_and_clear_bit(CONN_SREJ_ACT,
5817 &chan->conn_state))
5818 l2cap_retransmit(chan, control);
5819 } else {
5820 l2cap_retransmit(chan, control);
5821 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5822 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5823 chan->srej_save_reqseq = control->reqseq;
5824 }
5825 }
5826 }
5827 }
5828
5829 static void l2cap_handle_rej(struct l2cap_chan *chan,
5830 struct l2cap_ctrl *control)
5831 {
5832 struct sk_buff *skb;
5833
5834 BT_DBG("chan %p, control %p", chan, control);
5835
5836 if (control->reqseq == chan->next_tx_seq) {
5837 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5838 l2cap_send_disconn_req(chan, ECONNRESET);
5839 return;
5840 }
5841
5842 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5843
5844 if (chan->max_tx && skb &&
5845 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5846 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5847 l2cap_send_disconn_req(chan, ECONNRESET);
5848 return;
5849 }
5850
5851 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5852
5853 l2cap_pass_to_tx(chan, control);
5854
5855 if (control->final) {
5856 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5857 l2cap_retransmit_all(chan, control);
5858 } else {
5859 l2cap_retransmit_all(chan, control);
5860 l2cap_ertm_send(chan);
5861 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5862 set_bit(CONN_REJ_ACT, &chan->conn_state);
5863 }
5864 }
5865
5866 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5867 {
5868 BT_DBG("chan %p, txseq %d", chan, txseq);
5869
5870 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5871 chan->expected_tx_seq);
5872
5873 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5874 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5875 chan->tx_win) {
5876 /* See notes below regarding "double poll" and
5877 * invalid packets.
5878 */
5879 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5880 BT_DBG("Invalid/Ignore - after SREJ");
5881 return L2CAP_TXSEQ_INVALID_IGNORE;
5882 } else {
5883 BT_DBG("Invalid - in window after SREJ sent");
5884 return L2CAP_TXSEQ_INVALID;
5885 }
5886 }
5887
5888 if (chan->srej_list.head == txseq) {
5889 BT_DBG("Expected SREJ");
5890 return L2CAP_TXSEQ_EXPECTED_SREJ;
5891 }
5892
5893 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5894 BT_DBG("Duplicate SREJ - txseq already stored");
5895 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5896 }
5897
5898 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5899 BT_DBG("Unexpected SREJ - not requested");
5900 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5901 }
5902 }
5903
5904 if (chan->expected_tx_seq == txseq) {
5905 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5906 chan->tx_win) {
5907 BT_DBG("Invalid - txseq outside tx window");
5908 return L2CAP_TXSEQ_INVALID;
5909 } else {
5910 BT_DBG("Expected");
5911 return L2CAP_TXSEQ_EXPECTED;
5912 }
5913 }
5914
5915 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
5916 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
5917 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5918 return L2CAP_TXSEQ_DUPLICATE;
5919 }
5920
5921 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5922 /* A source of invalid packets is a "double poll" condition,
5923 * where delays cause us to send multiple poll packets. If
5924 * the remote stack receives and processes both polls,
5925 * sequence numbers can wrap around in such a way that a
5926 * resent frame has a sequence number that looks like new data
5927 * with a sequence gap. This would trigger an erroneous SREJ
5928 * request.
5929 *
5930 * Fortunately, this is impossible with a tx window that's
5931 * less than half of the maximum sequence number, which allows
5932 * invalid frames to be safely ignored.
5933 *
5934 * With tx window sizes greater than half of the tx window
5935 * maximum, the frame is invalid and cannot be ignored. This
5936 * causes a disconnect.
5937 */
5938
5939 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5940 BT_DBG("Invalid/Ignore - txseq outside tx window");
5941 return L2CAP_TXSEQ_INVALID_IGNORE;
5942 } else {
5943 BT_DBG("Invalid - txseq outside tx window");
5944 return L2CAP_TXSEQ_INVALID;
5945 }
5946 } else {
5947 BT_DBG("Unexpected - txseq indicates missing frames");
5948 return L2CAP_TXSEQ_UNEXPECTED;
5949 }
5950 }
5951
5952 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5953 struct l2cap_ctrl *control,
5954 struct sk_buff *skb, u8 event)
5955 {
5956 struct l2cap_ctrl local_control;
5957 int err = 0;
5958 bool skb_in_use = false;
5959
5960 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5961 event);
5962
5963 switch (event) {
5964 case L2CAP_EV_RECV_IFRAME:
5965 switch (l2cap_classify_txseq(chan, control->txseq)) {
5966 case L2CAP_TXSEQ_EXPECTED:
5967 l2cap_pass_to_tx(chan, control);
5968
5969 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5970 BT_DBG("Busy, discarding expected seq %d",
5971 control->txseq);
5972 break;
5973 }
5974
5975 chan->expected_tx_seq = __next_seq(chan,
5976 control->txseq);
5977
5978 chan->buffer_seq = chan->expected_tx_seq;
5979 skb_in_use = true;
5980
5981 /* l2cap_reassemble_sdu may free skb, hence invalidate
5982 * control, so make a copy in advance to use it after
5983 * l2cap_reassemble_sdu returns and to avoid the race
5984 * condition, for example:
5985 *
5986 * The current thread calls:
5987 * l2cap_reassemble_sdu
5988 * chan->ops->recv == l2cap_sock_recv_cb
5989 * __sock_queue_rcv_skb
5990 * Another thread calls:
5991 * bt_sock_recvmsg
5992 * skb_recv_datagram
5993 * skb_free_datagram
5994 * Then the current thread tries to access control, but
5995 * it was freed by skb_free_datagram.
5996 */
5997 local_control = *control;
5998 err = l2cap_reassemble_sdu(chan, skb, control);
5999 if (err)
6000 break;
6001
6002 if (local_control.final) {
6003 if (!test_and_clear_bit(CONN_REJ_ACT,
6004 &chan->conn_state)) {
6005 local_control.final = 0;
6006 l2cap_retransmit_all(chan, &local_control);
6007 l2cap_ertm_send(chan);
6008 }
6009 }
6010
6011 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6012 l2cap_send_ack(chan);
6013 break;
6014 case L2CAP_TXSEQ_UNEXPECTED:
6015 l2cap_pass_to_tx(chan, control);
6016
6017 /* Can't issue SREJ frames in the local busy state.
6018 * Drop this frame, it will be seen as missing
6019 * when local busy is exited.
6020 */
6021 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6022 BT_DBG("Busy, discarding unexpected seq %d",
6023 control->txseq);
6024 break;
6025 }
6026
6027 /* There was a gap in the sequence, so an SREJ
6028 * must be sent for each missing frame. The
6029 * current frame is stored for later use.
6030 */
6031 skb_queue_tail(&chan->srej_q, skb);
6032 skb_in_use = true;
6033 BT_DBG("Queued %p (queue len %d)", skb,
6034 skb_queue_len(&chan->srej_q));
6035
6036 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6037 l2cap_seq_list_clear(&chan->srej_list);
6038 l2cap_send_srej(chan, control->txseq);
6039
6040 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6041 break;
6042 case L2CAP_TXSEQ_DUPLICATE:
6043 l2cap_pass_to_tx(chan, control);
6044 break;
6045 case L2CAP_TXSEQ_INVALID_IGNORE:
6046 break;
6047 case L2CAP_TXSEQ_INVALID:
6048 default:
6049 l2cap_send_disconn_req(chan, ECONNRESET);
6050 break;
6051 }
6052 break;
6053 case L2CAP_EV_RECV_RR:
6054 l2cap_pass_to_tx(chan, control);
6055 if (control->final) {
6056 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6057
6058 if (!test_and_clear_bit(CONN_REJ_ACT,
6059 &chan->conn_state)) {
6060 control->final = 0;
6061 l2cap_retransmit_all(chan, control);
6062 }
6063
6064 l2cap_ertm_send(chan);
6065 } else if (control->poll) {
6066 l2cap_send_i_or_rr_or_rnr(chan);
6067 } else {
6068 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6069 &chan->conn_state) &&
6070 chan->unacked_frames)
6071 __set_retrans_timer(chan);
6072
6073 l2cap_ertm_send(chan);
6074 }
6075 break;
6076 case L2CAP_EV_RECV_RNR:
6077 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6078 l2cap_pass_to_tx(chan, control);
6079 if (control && control->poll) {
6080 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6081 l2cap_send_rr_or_rnr(chan, 0);
6082 }
6083 __clear_retrans_timer(chan);
6084 l2cap_seq_list_clear(&chan->retrans_list);
6085 break;
6086 case L2CAP_EV_RECV_REJ:
6087 l2cap_handle_rej(chan, control);
6088 break;
6089 case L2CAP_EV_RECV_SREJ:
6090 l2cap_handle_srej(chan, control);
6091 break;
6092 default:
6093 break;
6094 }
6095
6096 if (skb && !skb_in_use) {
6097 BT_DBG("Freeing %p", skb);
6098 kfree_skb(skb);
6099 }
6100
6101 return err;
6102 }
6103
6104 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6105 struct l2cap_ctrl *control,
6106 struct sk_buff *skb, u8 event)
6107 {
6108 int err = 0;
6109 u16 txseq = control->txseq;
6110 bool skb_in_use = false;
6111
6112 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6113 event);
6114
6115 switch (event) {
6116 case L2CAP_EV_RECV_IFRAME:
6117 switch (l2cap_classify_txseq(chan, txseq)) {
6118 case L2CAP_TXSEQ_EXPECTED:
6119 /* Keep frame for reassembly later */
6120 l2cap_pass_to_tx(chan, control);
6121 skb_queue_tail(&chan->srej_q, skb);
6122 skb_in_use = true;
6123 BT_DBG("Queued %p (queue len %d)", skb,
6124 skb_queue_len(&chan->srej_q));
6125
6126 chan->expected_tx_seq = __next_seq(chan, txseq);
6127 break;
6128 case L2CAP_TXSEQ_EXPECTED_SREJ:
6129 l2cap_seq_list_pop(&chan->srej_list);
6130
6131 l2cap_pass_to_tx(chan, control);
6132 skb_queue_tail(&chan->srej_q, skb);
6133 skb_in_use = true;
6134 BT_DBG("Queued %p (queue len %d)", skb,
6135 skb_queue_len(&chan->srej_q));
6136
6137 err = l2cap_rx_queued_iframes(chan);
6138 if (err)
6139 break;
6140
6141 break;
6142 case L2CAP_TXSEQ_UNEXPECTED:
6143 /* Got a frame that can't be reassembled yet.
6144 * Save it for later, and send SREJs to cover
6145 * the missing frames.
6146 */
6147 skb_queue_tail(&chan->srej_q, skb);
6148 skb_in_use = true;
6149 BT_DBG("Queued %p (queue len %d)", skb,
6150 skb_queue_len(&chan->srej_q));
6151
6152 l2cap_pass_to_tx(chan, control);
6153 l2cap_send_srej(chan, control->txseq);
6154 break;
6155 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6156 /* This frame was requested with an SREJ, but
6157 * some expected retransmitted frames are
6158 * missing. Request retransmission of missing
6159 * SREJ'd frames.
6160 */
6161 skb_queue_tail(&chan->srej_q, skb);
6162 skb_in_use = true;
6163 BT_DBG("Queued %p (queue len %d)", skb,
6164 skb_queue_len(&chan->srej_q));
6165
6166 l2cap_pass_to_tx(chan, control);
6167 l2cap_send_srej_list(chan, control->txseq);
6168 break;
6169 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6170 /* We've already queued this frame. Drop this copy. */
6171 l2cap_pass_to_tx(chan, control);
6172 break;
6173 case L2CAP_TXSEQ_DUPLICATE:
6174 /* Expecting a later sequence number, so this frame
6175 * was already received. Ignore it completely.
6176 */
6177 break;
6178 case L2CAP_TXSEQ_INVALID_IGNORE:
6179 break;
6180 case L2CAP_TXSEQ_INVALID:
6181 default:
6182 l2cap_send_disconn_req(chan, ECONNRESET);
6183 break;
6184 }
6185 break;
6186 case L2CAP_EV_RECV_RR:
6187 l2cap_pass_to_tx(chan, control);
6188 if (control->final) {
6189 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6190
6191 if (!test_and_clear_bit(CONN_REJ_ACT,
6192 &chan->conn_state)) {
6193 control->final = 0;
6194 l2cap_retransmit_all(chan, control);
6195 }
6196
6197 l2cap_ertm_send(chan);
6198 } else if (control->poll) {
6199 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6200 &chan->conn_state) &&
6201 chan->unacked_frames) {
6202 __set_retrans_timer(chan);
6203 }
6204
6205 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6206 l2cap_send_srej_tail(chan);
6207 } else {
6208 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6209 &chan->conn_state) &&
6210 chan->unacked_frames)
6211 __set_retrans_timer(chan);
6212
6213 l2cap_send_ack(chan);
6214 }
6215 break;
6216 case L2CAP_EV_RECV_RNR:
6217 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6218 l2cap_pass_to_tx(chan, control);
6219 if (control->poll) {
6220 l2cap_send_srej_tail(chan);
6221 } else {
6222 struct l2cap_ctrl rr_control;
6223 memset(&rr_control, 0, sizeof(rr_control));
6224 rr_control.sframe = 1;
6225 rr_control.super = L2CAP_SUPER_RR;
6226 rr_control.reqseq = chan->buffer_seq;
6227 l2cap_send_sframe(chan, &rr_control);
6228 }
6229
6230 break;
6231 case L2CAP_EV_RECV_REJ:
6232 l2cap_handle_rej(chan, control);
6233 break;
6234 case L2CAP_EV_RECV_SREJ:
6235 l2cap_handle_srej(chan, control);
6236 break;
6237 }
6238
6239 if (skb && !skb_in_use) {
6240 BT_DBG("Freeing %p", skb);
6241 kfree_skb(skb);
6242 }
6243
6244 return err;
6245 }
6246
6247 static int l2cap_finish_move(struct l2cap_chan *chan)
6248 {
6249 BT_DBG("chan %p", chan);
6250
6251 chan->rx_state = L2CAP_RX_STATE_RECV;
6252 chan->conn->mtu = chan->conn->hcon->mtu;
6253
6254 return l2cap_resegment(chan);
6255 }
6256
6257 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6258 struct l2cap_ctrl *control,
6259 struct sk_buff *skb, u8 event)
6260 {
6261 int err;
6262
6263 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6264 event);
6265
6266 if (!control->poll)
6267 return -EPROTO;
6268
6269 l2cap_process_reqseq(chan, control->reqseq);
6270
6271 if (!skb_queue_empty(&chan->tx_q))
6272 chan->tx_send_head = skb_peek(&chan->tx_q);
6273 else
6274 chan->tx_send_head = NULL;
6275
6276 /* Rewind next_tx_seq to the point expected
6277 * by the receiver.
6278 */
6279 chan->next_tx_seq = control->reqseq;
6280 chan->unacked_frames = 0;
6281
6282 err = l2cap_finish_move(chan);
6283 if (err)
6284 return err;
6285
6286 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6287 l2cap_send_i_or_rr_or_rnr(chan);
6288
6289 if (event == L2CAP_EV_RECV_IFRAME)
6290 return -EPROTO;
6291
6292 return l2cap_rx_state_recv(chan, control, NULL, event);
6293 }
6294
6295 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6296 struct l2cap_ctrl *control,
6297 struct sk_buff *skb, u8 event)
6298 {
6299 int err;
6300
6301 if (!control->final)
6302 return -EPROTO;
6303
6304 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6305
6306 chan->rx_state = L2CAP_RX_STATE_RECV;
6307 l2cap_process_reqseq(chan, control->reqseq);
6308
6309 if (!skb_queue_empty(&chan->tx_q))
6310 chan->tx_send_head = skb_peek(&chan->tx_q);
6311 else
6312 chan->tx_send_head = NULL;
6313
6314 /* Rewind next_tx_seq to the point expected
6315 * by the receiver.
6316 */
6317 chan->next_tx_seq = control->reqseq;
6318 chan->unacked_frames = 0;
6319 chan->conn->mtu = chan->conn->hcon->mtu;
6320
6321 err = l2cap_resegment(chan);
6322
6323 if (!err)
6324 err = l2cap_rx_state_recv(chan, control, skb, event);
6325
6326 return err;
6327 }
6328
6329 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6330 {
6331 /* Make sure reqseq is for a packet that has been sent but not acked */
6332 u16 unacked;
6333
6334 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6335 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6336 }
6337
6338 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6339 struct sk_buff *skb, u8 event)
6340 {
6341 int err = 0;
6342
6343 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6344 control, skb, event, chan->rx_state);
6345
6346 if (__valid_reqseq(chan, control->reqseq)) {
6347 switch (chan->rx_state) {
6348 case L2CAP_RX_STATE_RECV:
6349 err = l2cap_rx_state_recv(chan, control, skb, event);
6350 break;
6351 case L2CAP_RX_STATE_SREJ_SENT:
6352 err = l2cap_rx_state_srej_sent(chan, control, skb,
6353 event);
6354 break;
6355 case L2CAP_RX_STATE_WAIT_P:
6356 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6357 break;
6358 case L2CAP_RX_STATE_WAIT_F:
6359 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6360 break;
6361 default:
6362 /* shut it down */
6363 break;
6364 }
6365 } else {
6366 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6367 control->reqseq, chan->next_tx_seq,
6368 chan->expected_ack_seq);
6369 l2cap_send_disconn_req(chan, ECONNRESET);
6370 }
6371
6372 return err;
6373 }
6374
6375 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6376 struct sk_buff *skb)
6377 {
6378 /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store
6379 * the txseq field in advance to use it after l2cap_reassemble_sdu
6380 * returns and to avoid the race condition, for example:
6381 *
6382 * The current thread calls:
6383 * l2cap_reassemble_sdu
6384 * chan->ops->recv == l2cap_sock_recv_cb
6385 * __sock_queue_rcv_skb
6386 * Another thread calls:
6387 * bt_sock_recvmsg
6388 * skb_recv_datagram
6389 * skb_free_datagram
6390 * Then the current thread tries to access control, but it was freed by
6391 * skb_free_datagram.
6392 */
6393 u16 txseq = control->txseq;
6394
6395 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6396 chan->rx_state);
6397
6398 if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) {
6399 l2cap_pass_to_tx(chan, control);
6400
6401 BT_DBG("buffer_seq %u->%u", chan->buffer_seq,
6402 __next_seq(chan, chan->buffer_seq));
6403
6404 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6405
6406 l2cap_reassemble_sdu(chan, skb, control);
6407 } else {
6408 if (chan->sdu) {
6409 kfree_skb(chan->sdu);
6410 chan->sdu = NULL;
6411 }
6412 chan->sdu_last_frag = NULL;
6413 chan->sdu_len = 0;
6414
6415 if (skb) {
6416 BT_DBG("Freeing %p", skb);
6417 kfree_skb(skb);
6418 }
6419 }
6420
6421 chan->last_acked_seq = txseq;
6422 chan->expected_tx_seq = __next_seq(chan, txseq);
6423
6424 return 0;
6425 }
6426
6427 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6428 {
6429 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6430 u16 len;
6431 u8 event;
6432
6433 __unpack_control(chan, skb);
6434
6435 len = skb->len;
6436
6437 /*
6438 * We can just drop the corrupted I-frame here.
6439 * Receiver will miss it and start proper recovery
6440 * procedures and ask for retransmission.
6441 */
6442 if (l2cap_check_fcs(chan, skb))
6443 goto drop;
6444
6445 if (!control->sframe && control->sar == L2CAP_SAR_START)
6446 len -= L2CAP_SDULEN_SIZE;
6447
6448 if (chan->fcs == L2CAP_FCS_CRC16)
6449 len -= L2CAP_FCS_SIZE;
6450
6451 if (len > chan->mps) {
6452 l2cap_send_disconn_req(chan, ECONNRESET);
6453 goto drop;
6454 }
6455
6456 if (chan->ops->filter) {
6457 if (chan->ops->filter(chan, skb))
6458 goto drop;
6459 }
6460
6461 if (!control->sframe) {
6462 int err;
6463
6464 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6465 control->sar, control->reqseq, control->final,
6466 control->txseq);
6467
6468 /* Validate F-bit - F=0 always valid, F=1 only
6469 * valid in TX WAIT_F
6470 */
6471 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6472 goto drop;
6473
6474 if (chan->mode != L2CAP_MODE_STREAMING) {
6475 event = L2CAP_EV_RECV_IFRAME;
6476 err = l2cap_rx(chan, control, skb, event);
6477 } else {
6478 err = l2cap_stream_rx(chan, control, skb);
6479 }
6480
6481 if (err)
6482 l2cap_send_disconn_req(chan, ECONNRESET);
6483 } else {
6484 const u8 rx_func_to_event[4] = {
6485 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6486 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6487 };
6488
6489 /* Only I-frames are expected in streaming mode */
6490 if (chan->mode == L2CAP_MODE_STREAMING)
6491 goto drop;
6492
6493 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6494 control->reqseq, control->final, control->poll,
6495 control->super);
6496
6497 if (len != 0) {
6498 BT_ERR("Trailing bytes: %d in sframe", len);
6499 l2cap_send_disconn_req(chan, ECONNRESET);
6500 goto drop;
6501 }
6502
6503 /* Validate F and P bits */
6504 if (control->final && (control->poll ||
6505 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6506 goto drop;
6507
6508 event = rx_func_to_event[control->super];
6509 if (l2cap_rx(chan, control, skb, event))
6510 l2cap_send_disconn_req(chan, ECONNRESET);
6511 }
6512
6513 return 0;
6514
6515 drop:
6516 kfree_skb(skb);
6517 return 0;
6518 }
6519
6520 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6521 {
6522 struct l2cap_conn *conn = chan->conn;
6523 struct l2cap_le_credits pkt;
6524 u16 return_credits = l2cap_le_rx_credits(chan);
6525
6526 if (chan->rx_credits >= return_credits)
6527 return;
6528
6529 return_credits -= chan->rx_credits;
6530
6531 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6532
6533 chan->rx_credits += return_credits;
6534
6535 pkt.cid = cpu_to_le16(chan->scid);
6536 pkt.credits = cpu_to_le16(return_credits);
6537
6538 chan->ident = l2cap_get_ident(conn);
6539
6540 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6541 }
6542
6543 void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail)
6544 {
6545 if (chan->rx_avail == rx_avail)
6546 return;
6547
6548 BT_DBG("chan %p has %zd bytes avail for rx", chan, rx_avail);
6549
6550 chan->rx_avail = rx_avail;
6551
6552 if (chan->state == BT_CONNECTED)
6553 l2cap_chan_le_send_credits(chan);
6554 }
6555
6556 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6557 {
6558 int err;
6559
6560 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6561
6562 /* Wait recv to confirm reception before updating the credits */
6563 err = chan->ops->recv(chan, skb);
6564
6565 if (err < 0 && chan->rx_avail != -1) {
6566 BT_ERR("Queueing received LE L2CAP data failed");
6567 l2cap_send_disconn_req(chan, ECONNRESET);
6568 return err;
6569 }
6570
6571 /* Update credits whenever an SDU is received */
6572 l2cap_chan_le_send_credits(chan);
6573
6574 return err;
6575 }
6576
6577 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6578 {
6579 int err;
6580
6581 if (!chan->rx_credits) {
6582 BT_ERR("No credits to receive LE L2CAP data");
6583 l2cap_send_disconn_req(chan, ECONNRESET);
6584 return -ENOBUFS;
6585 }
6586
6587 if (chan->imtu < skb->len) {
6588 BT_ERR("Too big LE L2CAP PDU");
6589 return -ENOBUFS;
6590 }
6591
6592 chan->rx_credits--;
6593 BT_DBG("chan %p: rx_credits %u -> %u",
6594 chan, chan->rx_credits + 1, chan->rx_credits);
6595
6596 /* Update if remote had run out of credits, this should only happens
6597 * if the remote is not using the entire MPS.
6598 */
6599 if (!chan->rx_credits)
6600 l2cap_chan_le_send_credits(chan);
6601
6602 err = 0;
6603
6604 if (!chan->sdu) {
6605 u16 sdu_len;
6606
6607 sdu_len = get_unaligned_le16(skb->data);
6608 skb_pull(skb, L2CAP_SDULEN_SIZE);
6609
6610 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6611 sdu_len, skb->len, chan->imtu);
6612
6613 if (sdu_len > chan->imtu) {
6614 BT_ERR("Too big LE L2CAP SDU length received");
6615 err = -EMSGSIZE;
6616 goto failed;
6617 }
6618
6619 if (skb->len > sdu_len) {
6620 BT_ERR("Too much LE L2CAP data received");
6621 err = -EINVAL;
6622 goto failed;
6623 }
6624
6625 if (skb->len == sdu_len)
6626 return l2cap_ecred_recv(chan, skb);
6627
6628 chan->sdu = skb;
6629 chan->sdu_len = sdu_len;
6630 chan->sdu_last_frag = skb;
6631
6632 /* Detect if remote is not able to use the selected MPS */
6633 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6634 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6635
6636 /* Adjust the number of credits */
6637 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6638 chan->mps = mps_len;
6639 l2cap_chan_le_send_credits(chan);
6640 }
6641
6642 return 0;
6643 }
6644
6645 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6646 chan->sdu->len, skb->len, chan->sdu_len);
6647
6648 if (chan->sdu->len + skb->len > chan->sdu_len) {
6649 BT_ERR("Too much LE L2CAP data received");
6650 err = -EINVAL;
6651 goto failed;
6652 }
6653
6654 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6655 skb = NULL;
6656
6657 if (chan->sdu->len == chan->sdu_len) {
6658 err = l2cap_ecred_recv(chan, chan->sdu);
6659 if (!err) {
6660 chan->sdu = NULL;
6661 chan->sdu_last_frag = NULL;
6662 chan->sdu_len = 0;
6663 }
6664 }
6665
6666 failed:
6667 if (err) {
6668 kfree_skb(skb);
6669 kfree_skb(chan->sdu);
6670 chan->sdu = NULL;
6671 chan->sdu_last_frag = NULL;
6672 chan->sdu_len = 0;
6673 }
6674
6675 /* We can't return an error here since we took care of the skb
6676 * freeing internally. An error return would cause the caller to
6677 * do a double-free of the skb.
6678 */
6679 return 0;
6680 }
6681
6682 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6683 struct sk_buff *skb)
6684 {
6685 struct l2cap_chan *chan;
6686
6687 chan = l2cap_get_chan_by_scid(conn, cid);
6688 if (!chan) {
6689 BT_DBG("unknown cid 0x%4.4x", cid);
6690 /* Drop packet and return */
6691 kfree_skb(skb);
6692 return;
6693 }
6694
6695 BT_DBG("chan %p, len %d", chan, skb->len);
6696
6697 /* If we receive data on a fixed channel before the info req/rsp
6698 * procedure is done simply assume that the channel is supported
6699 * and mark it as ready.
6700 */
6701 if (chan->chan_type == L2CAP_CHAN_FIXED)
6702 l2cap_chan_ready(chan);
6703
6704 if (chan->state != BT_CONNECTED)
6705 goto drop;
6706
6707 switch (chan->mode) {
6708 case L2CAP_MODE_LE_FLOWCTL:
6709 case L2CAP_MODE_EXT_FLOWCTL:
6710 if (l2cap_ecred_data_rcv(chan, skb) < 0)
6711 goto drop;
6712
6713 goto done;
6714
6715 case L2CAP_MODE_BASIC:
6716 /* If socket recv buffers overflows we drop data here
6717 * which is *bad* because L2CAP has to be reliable.
6718 * But we don't have any other choice. L2CAP doesn't
6719 * provide flow control mechanism. */
6720
6721 if (chan->imtu < skb->len) {
6722 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6723 goto drop;
6724 }
6725
6726 if (!chan->ops->recv(chan, skb))
6727 goto done;
6728 break;
6729
6730 case L2CAP_MODE_ERTM:
6731 case L2CAP_MODE_STREAMING:
6732 l2cap_data_rcv(chan, skb);
6733 goto done;
6734
6735 default:
6736 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6737 break;
6738 }
6739
6740 drop:
6741 kfree_skb(skb);
6742
6743 done:
6744 l2cap_chan_unlock(chan);
6745 l2cap_chan_put(chan);
6746 }
6747
6748 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6749 struct sk_buff *skb)
6750 {
6751 struct hci_conn *hcon = conn->hcon;
6752 struct l2cap_chan *chan;
6753
6754 if (hcon->type != ACL_LINK)
6755 goto free_skb;
6756
6757 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6758 ACL_LINK);
6759 if (!chan)
6760 goto free_skb;
6761
6762 BT_DBG("chan %p, len %d", chan, skb->len);
6763
6764 l2cap_chan_lock(chan);
6765
6766 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6767 goto drop;
6768
6769 if (chan->imtu < skb->len)
6770 goto drop;
6771
6772 /* Store remote BD_ADDR and PSM for msg_name */
6773 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6774 bt_cb(skb)->l2cap.psm = psm;
6775
6776 if (!chan->ops->recv(chan, skb)) {
6777 l2cap_chan_unlock(chan);
6778 l2cap_chan_put(chan);
6779 return;
6780 }
6781
6782 drop:
6783 l2cap_chan_unlock(chan);
6784 l2cap_chan_put(chan);
6785 free_skb:
6786 kfree_skb(skb);
6787 }
6788
6789 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6790 {
6791 struct l2cap_hdr *lh = (void *) skb->data;
6792 struct hci_conn *hcon = conn->hcon;
6793 u16 cid, len;
6794 __le16 psm;
6795
6796 if (hcon->state != BT_CONNECTED) {
6797 BT_DBG("queueing pending rx skb");
6798 skb_queue_tail(&conn->pending_rx, skb);
6799 return;
6800 }
6801
6802 skb_pull(skb, L2CAP_HDR_SIZE);
6803 cid = __le16_to_cpu(lh->cid);
6804 len = __le16_to_cpu(lh->len);
6805
6806 if (len != skb->len) {
6807 kfree_skb(skb);
6808 return;
6809 }
6810
6811 /* Since we can't actively block incoming LE connections we must
6812 * at least ensure that we ignore incoming data from them.
6813 */
6814 if (hcon->type == LE_LINK &&
6815 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst,
6816 bdaddr_dst_type(hcon))) {
6817 kfree_skb(skb);
6818 return;
6819 }
6820
6821 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6822
6823 switch (cid) {
6824 case L2CAP_CID_SIGNALING:
6825 l2cap_sig_channel(conn, skb);
6826 break;
6827
6828 case L2CAP_CID_CONN_LESS:
6829 psm = get_unaligned((__le16 *) skb->data);
6830 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6831 l2cap_conless_channel(conn, psm, skb);
6832 break;
6833
6834 case L2CAP_CID_LE_SIGNALING:
6835 l2cap_le_sig_channel(conn, skb);
6836 break;
6837
6838 default:
6839 l2cap_data_channel(conn, cid, skb);
6840 break;
6841 }
6842 }
6843
6844 static void process_pending_rx(struct work_struct *work)
6845 {
6846 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6847 pending_rx_work);
6848 struct sk_buff *skb;
6849
6850 BT_DBG("");
6851
6852 while ((skb = skb_dequeue(&conn->pending_rx)))
6853 l2cap_recv_frame(conn, skb);
6854 }
6855
6856 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6857 {
6858 struct l2cap_conn *conn = hcon->l2cap_data;
6859 struct hci_chan *hchan;
6860
6861 if (conn)
6862 return conn;
6863
6864 hchan = hci_chan_create(hcon);
6865 if (!hchan)
6866 return NULL;
6867
6868 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6869 if (!conn) {
6870 hci_chan_del(hchan);
6871 return NULL;
6872 }
6873
6874 kref_init(&conn->ref);
6875 hcon->l2cap_data = conn;
6876 conn->hcon = hci_conn_get(hcon);
6877 conn->hchan = hchan;
6878
6879 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6880
6881 conn->mtu = hcon->mtu;
6882 conn->feat_mask = 0;
6883
6884 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6885
6886 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
6887 (bredr_sc_enabled(hcon->hdev) ||
6888 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
6889 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6890
6891 mutex_init(&conn->ident_lock);
6892 mutex_init(&conn->chan_lock);
6893
6894 INIT_LIST_HEAD(&conn->chan_l);
6895 INIT_LIST_HEAD(&conn->users);
6896
6897 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6898
6899 skb_queue_head_init(&conn->pending_rx);
6900 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6901 INIT_DELAYED_WORK(&conn->id_addr_timer, l2cap_conn_update_id_addr);
6902
6903 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6904
6905 return conn;
6906 }
6907
6908 static bool is_valid_psm(u16 psm, u8 dst_type)
6909 {
6910 if (!psm)
6911 return false;
6912
6913 if (bdaddr_type_is_le(dst_type))
6914 return (psm <= 0x00ff);
6915
6916 /* PSM must be odd and lsb of upper byte must be 0 */
6917 return ((psm & 0x0101) == 0x0001);
6918 }
6919
6920 struct l2cap_chan_data {
6921 struct l2cap_chan *chan;
6922 struct pid *pid;
6923 int count;
6924 };
6925
6926 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
6927 {
6928 struct l2cap_chan_data *d = data;
6929 struct pid *pid;
6930
6931 if (chan == d->chan)
6932 return;
6933
6934 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
6935 return;
6936
6937 pid = chan->ops->get_peer_pid(chan);
6938
6939 /* Only count deferred channels with the same PID/PSM */
6940 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
6941 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
6942 return;
6943
6944 d->count++;
6945 }
6946
6947 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6948 bdaddr_t *dst, u8 dst_type, u16 timeout)
6949 {
6950 struct l2cap_conn *conn;
6951 struct hci_conn *hcon;
6952 struct hci_dev *hdev;
6953 int err;
6954
6955 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
6956 dst, dst_type, __le16_to_cpu(psm), chan->mode);
6957
6958 hdev = hci_get_route(dst, &chan->src, chan->src_type);
6959 if (!hdev)
6960 return -EHOSTUNREACH;
6961
6962 hci_dev_lock(hdev);
6963
6964 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6965 chan->chan_type != L2CAP_CHAN_RAW) {
6966 err = -EINVAL;
6967 goto done;
6968 }
6969
6970 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6971 err = -EINVAL;
6972 goto done;
6973 }
6974
6975 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
6976 err = -EINVAL;
6977 goto done;
6978 }
6979
6980 switch (chan->mode) {
6981 case L2CAP_MODE_BASIC:
6982 break;
6983 case L2CAP_MODE_LE_FLOWCTL:
6984 break;
6985 case L2CAP_MODE_EXT_FLOWCTL:
6986 if (!enable_ecred) {
6987 err = -EOPNOTSUPP;
6988 goto done;
6989 }
6990 break;
6991 case L2CAP_MODE_ERTM:
6992 case L2CAP_MODE_STREAMING:
6993 if (!disable_ertm)
6994 break;
6995 fallthrough;
6996 default:
6997 err = -EOPNOTSUPP;
6998 goto done;
6999 }
7000
7001 switch (chan->state) {
7002 case BT_CONNECT:
7003 case BT_CONNECT2:
7004 case BT_CONFIG:
7005 /* Already connecting */
7006 err = 0;
7007 goto done;
7008
7009 case BT_CONNECTED:
7010 /* Already connected */
7011 err = -EISCONN;
7012 goto done;
7013
7014 case BT_OPEN:
7015 case BT_BOUND:
7016 /* Can connect */
7017 break;
7018
7019 default:
7020 err = -EBADFD;
7021 goto done;
7022 }
7023
7024 /* Set destination address and psm */
7025 bacpy(&chan->dst, dst);
7026 chan->dst_type = dst_type;
7027
7028 chan->psm = psm;
7029 chan->dcid = cid;
7030
7031 if (bdaddr_type_is_le(dst_type)) {
7032 /* Convert from L2CAP channel address type to HCI address type
7033 */
7034 if (dst_type == BDADDR_LE_PUBLIC)
7035 dst_type = ADDR_LE_DEV_PUBLIC;
7036 else
7037 dst_type = ADDR_LE_DEV_RANDOM;
7038
7039 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7040 hcon = hci_connect_le(hdev, dst, dst_type, false,
7041 chan->sec_level, timeout,
7042 HCI_ROLE_SLAVE, 0, 0);
7043 else
7044 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7045 chan->sec_level, timeout,
7046 CONN_REASON_L2CAP_CHAN);
7047
7048 } else {
7049 u8 auth_type = l2cap_get_auth_type(chan);
7050 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7051 CONN_REASON_L2CAP_CHAN, timeout);
7052 }
7053
7054 if (IS_ERR(hcon)) {
7055 err = PTR_ERR(hcon);
7056 goto done;
7057 }
7058
7059 conn = l2cap_conn_add(hcon);
7060 if (!conn) {
7061 hci_conn_drop(hcon);
7062 err = -ENOMEM;
7063 goto done;
7064 }
7065
7066 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7067 struct l2cap_chan_data data;
7068
7069 data.chan = chan;
7070 data.pid = chan->ops->get_peer_pid(chan);
7071 data.count = 1;
7072
7073 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7074
7075 /* Check if there isn't too many channels being connected */
7076 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7077 hci_conn_drop(hcon);
7078 err = -EPROTO;
7079 goto done;
7080 }
7081 }
7082
7083 mutex_lock(&conn->chan_lock);
7084 l2cap_chan_lock(chan);
7085
7086 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7087 hci_conn_drop(hcon);
7088 err = -EBUSY;
7089 goto chan_unlock;
7090 }
7091
7092 /* Update source addr of the socket */
7093 bacpy(&chan->src, &hcon->src);
7094 chan->src_type = bdaddr_src_type(hcon);
7095
7096 __l2cap_chan_add(conn, chan);
7097
7098 /* l2cap_chan_add takes its own ref so we can drop this one */
7099 hci_conn_drop(hcon);
7100
7101 l2cap_state_change(chan, BT_CONNECT);
7102 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7103
7104 /* Release chan->sport so that it can be reused by other
7105 * sockets (as it's only used for listening sockets).
7106 */
7107 write_lock(&chan_list_lock);
7108 chan->sport = 0;
7109 write_unlock(&chan_list_lock);
7110
7111 if (hcon->state == BT_CONNECTED) {
7112 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7113 __clear_chan_timer(chan);
7114 if (l2cap_chan_check_security(chan, true))
7115 l2cap_state_change(chan, BT_CONNECTED);
7116 } else
7117 l2cap_do_start(chan);
7118 }
7119
7120 err = 0;
7121
7122 chan_unlock:
7123 l2cap_chan_unlock(chan);
7124 mutex_unlock(&conn->chan_lock);
7125 done:
7126 hci_dev_unlock(hdev);
7127 hci_dev_put(hdev);
7128 return err;
7129 }
7130 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7131
7132 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7133 {
7134 struct l2cap_conn *conn = chan->conn;
7135 DEFINE_RAW_FLEX(struct l2cap_ecred_reconf_req, pdu, scid, 1);
7136
7137 pdu->mtu = cpu_to_le16(chan->imtu);
7138 pdu->mps = cpu_to_le16(chan->mps);
7139 pdu->scid[0] = cpu_to_le16(chan->scid);
7140
7141 chan->ident = l2cap_get_ident(conn);
7142
7143 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
7144 sizeof(pdu), &pdu);
7145 }
7146
7147 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
7148 {
7149 if (chan->imtu > mtu)
7150 return -EINVAL;
7151
7152 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
7153
7154 chan->imtu = mtu;
7155
7156 l2cap_ecred_reconfigure(chan);
7157
7158 return 0;
7159 }
7160
7161 /* ---- L2CAP interface with lower layer (HCI) ---- */
7162
7163 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7164 {
7165 int exact = 0, lm1 = 0, lm2 = 0;
7166 struct l2cap_chan *c;
7167
7168 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7169
7170 /* Find listening sockets and check their link_mode */
7171 read_lock(&chan_list_lock);
7172 list_for_each_entry(c, &chan_list, global_l) {
7173 if (c->state != BT_LISTEN)
7174 continue;
7175
7176 if (!bacmp(&c->src, &hdev->bdaddr)) {
7177 lm1 |= HCI_LM_ACCEPT;
7178 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7179 lm1 |= HCI_LM_MASTER;
7180 exact++;
7181 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7182 lm2 |= HCI_LM_ACCEPT;
7183 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7184 lm2 |= HCI_LM_MASTER;
7185 }
7186 }
7187 read_unlock(&chan_list_lock);
7188
7189 return exact ? lm1 : lm2;
7190 }
7191
7192 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7193 * from an existing channel in the list or from the beginning of the
7194 * global list (by passing NULL as first parameter).
7195 */
7196 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7197 struct hci_conn *hcon)
7198 {
7199 u8 src_type = bdaddr_src_type(hcon);
7200
7201 read_lock(&chan_list_lock);
7202
7203 if (c)
7204 c = list_next_entry(c, global_l);
7205 else
7206 c = list_entry(chan_list.next, typeof(*c), global_l);
7207
7208 list_for_each_entry_from(c, &chan_list, global_l) {
7209 if (c->chan_type != L2CAP_CHAN_FIXED)
7210 continue;
7211 if (c->state != BT_LISTEN)
7212 continue;
7213 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7214 continue;
7215 if (src_type != c->src_type)
7216 continue;
7217
7218 c = l2cap_chan_hold_unless_zero(c);
7219 read_unlock(&chan_list_lock);
7220 return c;
7221 }
7222
7223 read_unlock(&chan_list_lock);
7224
7225 return NULL;
7226 }
7227
7228 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7229 {
7230 struct hci_dev *hdev = hcon->hdev;
7231 struct l2cap_conn *conn;
7232 struct l2cap_chan *pchan;
7233 u8 dst_type;
7234
7235 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7236 return;
7237
7238 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7239
7240 if (status) {
7241 l2cap_conn_del(hcon, bt_to_errno(status));
7242 return;
7243 }
7244
7245 conn = l2cap_conn_add(hcon);
7246 if (!conn)
7247 return;
7248
7249 dst_type = bdaddr_dst_type(hcon);
7250
7251 /* If device is blocked, do not create channels for it */
7252 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type))
7253 return;
7254
7255 /* Find fixed channels and notify them of the new connection. We
7256 * use multiple individual lookups, continuing each time where
7257 * we left off, because the list lock would prevent calling the
7258 * potentially sleeping l2cap_chan_lock() function.
7259 */
7260 pchan = l2cap_global_fixed_chan(NULL, hcon);
7261 while (pchan) {
7262 struct l2cap_chan *chan, *next;
7263
7264 /* Client fixed channels should override server ones */
7265 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7266 goto next;
7267
7268 l2cap_chan_lock(pchan);
7269 chan = pchan->ops->new_connection(pchan);
7270 if (chan) {
7271 bacpy(&chan->src, &hcon->src);
7272 bacpy(&chan->dst, &hcon->dst);
7273 chan->src_type = bdaddr_src_type(hcon);
7274 chan->dst_type = dst_type;
7275
7276 __l2cap_chan_add(conn, chan);
7277 }
7278
7279 l2cap_chan_unlock(pchan);
7280 next:
7281 next = l2cap_global_fixed_chan(pchan, hcon);
7282 l2cap_chan_put(pchan);
7283 pchan = next;
7284 }
7285
7286 l2cap_conn_ready(conn);
7287 }
7288
7289 int l2cap_disconn_ind(struct hci_conn *hcon)
7290 {
7291 struct l2cap_conn *conn = hcon->l2cap_data;
7292
7293 BT_DBG("hcon %p", hcon);
7294
7295 if (!conn)
7296 return HCI_ERROR_REMOTE_USER_TERM;
7297 return conn->disc_reason;
7298 }
7299
7300 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7301 {
7302 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7303 return;
7304
7305 BT_DBG("hcon %p reason %d", hcon, reason);
7306
7307 l2cap_conn_del(hcon, bt_to_errno(reason));
7308 }
7309
7310 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7311 {
7312 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7313 return;
7314
7315 if (encrypt == 0x00) {
7316 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7317 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7318 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7319 chan->sec_level == BT_SECURITY_FIPS)
7320 l2cap_chan_close(chan, ECONNREFUSED);
7321 } else {
7322 if (chan->sec_level == BT_SECURITY_MEDIUM)
7323 __clear_chan_timer(chan);
7324 }
7325 }
7326
7327 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7328 {
7329 struct l2cap_conn *conn = hcon->l2cap_data;
7330 struct l2cap_chan *chan;
7331
7332 if (!conn)
7333 return;
7334
7335 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7336
7337 mutex_lock(&conn->chan_lock);
7338
7339 list_for_each_entry(chan, &conn->chan_l, list) {
7340 l2cap_chan_lock(chan);
7341
7342 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7343 state_to_string(chan->state));
7344
7345 if (!status && encrypt)
7346 chan->sec_level = hcon->sec_level;
7347
7348 if (!__l2cap_no_conn_pending(chan)) {
7349 l2cap_chan_unlock(chan);
7350 continue;
7351 }
7352
7353 if (!status && (chan->state == BT_CONNECTED ||
7354 chan->state == BT_CONFIG)) {
7355 chan->ops->resume(chan);
7356 l2cap_check_encryption(chan, encrypt);
7357 l2cap_chan_unlock(chan);
7358 continue;
7359 }
7360
7361 if (chan->state == BT_CONNECT) {
7362 if (!status && l2cap_check_enc_key_size(hcon))
7363 l2cap_start_connection(chan);
7364 else
7365 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7366 } else if (chan->state == BT_CONNECT2 &&
7367 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
7368 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
7369 struct l2cap_conn_rsp rsp;
7370 __u16 res, stat;
7371
7372 if (!status && l2cap_check_enc_key_size(hcon)) {
7373 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7374 res = L2CAP_CR_PEND;
7375 stat = L2CAP_CS_AUTHOR_PEND;
7376 chan->ops->defer(chan);
7377 } else {
7378 l2cap_state_change(chan, BT_CONFIG);
7379 res = L2CAP_CR_SUCCESS;
7380 stat = L2CAP_CS_NO_INFO;
7381 }
7382 } else {
7383 l2cap_state_change(chan, BT_DISCONN);
7384 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7385 res = L2CAP_CR_SEC_BLOCK;
7386 stat = L2CAP_CS_NO_INFO;
7387 }
7388
7389 rsp.scid = cpu_to_le16(chan->dcid);
7390 rsp.dcid = cpu_to_le16(chan->scid);
7391 rsp.result = cpu_to_le16(res);
7392 rsp.status = cpu_to_le16(stat);
7393 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7394 sizeof(rsp), &rsp);
7395
7396 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7397 res == L2CAP_CR_SUCCESS) {
7398 char buf[128];
7399 set_bit(CONF_REQ_SENT, &chan->conf_state);
7400 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7401 L2CAP_CONF_REQ,
7402 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7403 buf);
7404 chan->num_conf_req++;
7405 }
7406 }
7407
7408 l2cap_chan_unlock(chan);
7409 }
7410
7411 mutex_unlock(&conn->chan_lock);
7412 }
7413
7414 /* Append fragment into frame respecting the maximum len of rx_skb */
7415 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb,
7416 u16 len)
7417 {
7418 if (!conn->rx_skb) {
7419 /* Allocate skb for the complete frame (with header) */
7420 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7421 if (!conn->rx_skb)
7422 return -ENOMEM;
7423 /* Init rx_len */
7424 conn->rx_len = len;
7425 }
7426
7427 /* Copy as much as the rx_skb can hold */
7428 len = min_t(u16, len, skb->len);
7429 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len);
7430 skb_pull(skb, len);
7431 conn->rx_len -= len;
7432
7433 return len;
7434 }
7435
7436 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb)
7437 {
7438 struct sk_buff *rx_skb;
7439 int len;
7440
7441 /* Append just enough to complete the header */
7442 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len);
7443
7444 /* If header could not be read just continue */
7445 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE)
7446 return len;
7447
7448 rx_skb = conn->rx_skb;
7449 len = get_unaligned_le16(rx_skb->data);
7450
7451 /* Check if rx_skb has enough space to received all fragments */
7452 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) {
7453 /* Update expected len */
7454 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE);
7455 return L2CAP_LEN_SIZE;
7456 }
7457
7458 /* Reset conn->rx_skb since it will need to be reallocated in order to
7459 * fit all fragments.
7460 */
7461 conn->rx_skb = NULL;
7462
7463 /* Reallocates rx_skb using the exact expected length */
7464 len = l2cap_recv_frag(conn, rx_skb,
7465 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE));
7466 kfree_skb(rx_skb);
7467
7468 return len;
7469 }
7470
7471 static void l2cap_recv_reset(struct l2cap_conn *conn)
7472 {
7473 kfree_skb(conn->rx_skb);
7474 conn->rx_skb = NULL;
7475 conn->rx_len = 0;
7476 }
7477
7478 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7479 {
7480 struct l2cap_conn *conn = hcon->l2cap_data;
7481 int len;
7482
7483 if (!conn)
7484 conn = l2cap_conn_add(hcon);
7485
7486 if (!conn)
7487 goto drop;
7488
7489 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
7490
7491 switch (flags) {
7492 case ACL_START:
7493 case ACL_START_NO_FLUSH:
7494 case ACL_COMPLETE:
7495 if (conn->rx_skb) {
7496 BT_ERR("Unexpected start frame (len %d)", skb->len);
7497 l2cap_recv_reset(conn);
7498 l2cap_conn_unreliable(conn, ECOMM);
7499 }
7500
7501 /* Start fragment may not contain the L2CAP length so just
7502 * copy the initial byte when that happens and use conn->mtu as
7503 * expected length.
7504 */
7505 if (skb->len < L2CAP_LEN_SIZE) {
7506 l2cap_recv_frag(conn, skb, conn->mtu);
7507 break;
7508 }
7509
7510 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE;
7511
7512 if (len == skb->len) {
7513 /* Complete frame received */
7514 l2cap_recv_frame(conn, skb);
7515 return;
7516 }
7517
7518 BT_DBG("Start: total len %d, frag len %u", len, skb->len);
7519
7520 if (skb->len > len) {
7521 BT_ERR("Frame is too long (len %u, expected len %d)",
7522 skb->len, len);
7523 l2cap_conn_unreliable(conn, ECOMM);
7524 goto drop;
7525 }
7526
7527 /* Append fragment into frame (with header) */
7528 if (l2cap_recv_frag(conn, skb, len) < 0)
7529 goto drop;
7530
7531 break;
7532
7533 case ACL_CONT:
7534 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len);
7535
7536 if (!conn->rx_skb) {
7537 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7538 l2cap_conn_unreliable(conn, ECOMM);
7539 goto drop;
7540 }
7541
7542 /* Complete the L2CAP length if it has not been read */
7543 if (conn->rx_skb->len < L2CAP_LEN_SIZE) {
7544 if (l2cap_recv_len(conn, skb) < 0) {
7545 l2cap_conn_unreliable(conn, ECOMM);
7546 goto drop;
7547 }
7548
7549 /* Header still could not be read just continue */
7550 if (conn->rx_skb->len < L2CAP_LEN_SIZE)
7551 break;
7552 }
7553
7554 if (skb->len > conn->rx_len) {
7555 BT_ERR("Fragment is too long (len %u, expected %u)",
7556 skb->len, conn->rx_len);
7557 l2cap_recv_reset(conn);
7558 l2cap_conn_unreliable(conn, ECOMM);
7559 goto drop;
7560 }
7561
7562 /* Append fragment into frame (with header) */
7563 l2cap_recv_frag(conn, skb, skb->len);
7564
7565 if (!conn->rx_len) {
7566 /* Complete frame received. l2cap_recv_frame
7567 * takes ownership of the skb so set the global
7568 * rx_skb pointer to NULL first.
7569 */
7570 struct sk_buff *rx_skb = conn->rx_skb;
7571 conn->rx_skb = NULL;
7572 l2cap_recv_frame(conn, rx_skb);
7573 }
7574 break;
7575 }
7576
7577 drop:
7578 kfree_skb(skb);
7579 }
7580
7581 static struct hci_cb l2cap_cb = {
7582 .name = "L2CAP",
7583 .connect_cfm = l2cap_connect_cfm,
7584 .disconn_cfm = l2cap_disconn_cfm,
7585 .security_cfm = l2cap_security_cfm,
7586 };
7587
7588 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7589 {
7590 struct l2cap_chan *c;
7591
7592 read_lock(&chan_list_lock);
7593
7594 list_for_each_entry(c, &chan_list, global_l) {
7595 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7596 &c->src, c->src_type, &c->dst, c->dst_type,
7597 c->state, __le16_to_cpu(c->psm),
7598 c->scid, c->dcid, c->imtu, c->omtu,
7599 c->sec_level, c->mode);
7600 }
7601
7602 read_unlock(&chan_list_lock);
7603
7604 return 0;
7605 }
7606
7607 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7608
7609 static struct dentry *l2cap_debugfs;
7610
7611 int __init l2cap_init(void)
7612 {
7613 int err;
7614
7615 err = l2cap_init_sockets();
7616 if (err < 0)
7617 return err;
7618
7619 hci_register_cb(&l2cap_cb);
7620
7621 if (IS_ERR_OR_NULL(bt_debugfs))
7622 return 0;
7623
7624 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7625 NULL, &l2cap_debugfs_fops);
7626
7627 return 0;
7628 }
7629
7630 void l2cap_exit(void)
7631 {
7632 debugfs_remove(l2cap_debugfs);
7633 hci_unregister_cb(&l2cap_cb);
7634 l2cap_cleanup_sockets();
7635 }
7636
7637 module_param(disable_ertm, bool, 0644);
7638 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7639
7640 module_param(enable_ecred, bool, 0644);
7641 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
7642
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.