1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
36
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
40
41 #include "smp.h"
42
43 #define LE_FLOWCTL_MAX_CREDITS 65535
44
45 bool disable_ertm;
46 bool enable_ecred = IS_ENABLED(CONFIG_BT_LE_L2CAP_ECRED);
47
48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
49
50 static LIST_HEAD(chan_list);
51 static DEFINE_RWLOCK(chan_list_lock);
52
53 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
54 u8 code, u8 ident, u16 dlen, void *data);
55 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
56 void *data);
57 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
58 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
59
60 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
61 struct sk_buff_head *skbs, u8 event);
62 static void l2cap_retrans_timeout(struct work_struct *work);
63 static void l2cap_monitor_timeout(struct work_struct *work);
64 static void l2cap_ack_timeout(struct work_struct *work);
65
bdaddr_type(u8 link_type,u8 bdaddr_type)66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67 {
68 if (link_type == LE_LINK) {
69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76 }
77
bdaddr_src_type(struct hci_conn * hcon)78 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79 {
80 return bdaddr_type(hcon->type, hcon->src_type);
81 }
82
bdaddr_dst_type(struct hci_conn * hcon)83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84 {
85 return bdaddr_type(hcon->type, hcon->dst_type);
86 }
87
88 /* ---- L2CAP channels ---- */
89
__l2cap_get_chan_by_dcid(struct l2cap_conn * conn,u16 cid)90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
91 u16 cid)
92 {
93 struct l2cap_chan *c;
94
95 list_for_each_entry(c, &conn->chan_l, list) {
96 if (c->dcid == cid)
97 return c;
98 }
99 return NULL;
100 }
101
__l2cap_get_chan_by_scid(struct l2cap_conn * conn,u16 cid)102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
104 {
105 struct l2cap_chan *c;
106
107 list_for_each_entry(c, &conn->chan_l, list) {
108 if (c->scid == cid)
109 return c;
110 }
111 return NULL;
112 }
113
114 /* Find channel with given SCID.
115 * Returns a reference locked channel.
116 */
l2cap_get_chan_by_scid(struct l2cap_conn * conn,u16 cid)117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 u16 cid)
119 {
120 struct l2cap_chan *c;
121
122 c = __l2cap_get_chan_by_scid(conn, cid);
123 if (c) {
124 /* Only lock if chan reference is not 0 */
125 c = l2cap_chan_hold_unless_zero(c);
126 if (c)
127 l2cap_chan_lock(c);
128 }
129
130 return c;
131 }
132
133 /* Find channel with given DCID.
134 * Returns a reference locked channel.
135 */
l2cap_get_chan_by_dcid(struct l2cap_conn * conn,u16 cid)136 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
137 u16 cid)
138 {
139 struct l2cap_chan *c;
140
141 c = __l2cap_get_chan_by_dcid(conn, cid);
142 if (c) {
143 /* Only lock if chan reference is not 0 */
144 c = l2cap_chan_hold_unless_zero(c);
145 if (c)
146 l2cap_chan_lock(c);
147 }
148
149 return c;
150 }
151
__l2cap_get_chan_by_ident(struct l2cap_conn * conn,u8 ident)152 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
153 u8 ident)
154 {
155 struct l2cap_chan *c;
156
157 list_for_each_entry(c, &conn->chan_l, list) {
158 if (c->ident == ident)
159 return c;
160 }
161 return NULL;
162 }
163
__l2cap_global_chan_by_addr(__le16 psm,bdaddr_t * src,u8 src_type)164 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
165 u8 src_type)
166 {
167 struct l2cap_chan *c;
168
169 list_for_each_entry(c, &chan_list, global_l) {
170 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
171 continue;
172
173 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
174 continue;
175
176 if (c->sport == psm && !bacmp(&c->src, src))
177 return c;
178 }
179 return NULL;
180 }
181
l2cap_add_psm(struct l2cap_chan * chan,bdaddr_t * src,__le16 psm)182 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
183 {
184 int err;
185
186 write_lock(&chan_list_lock);
187
188 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
189 err = -EADDRINUSE;
190 goto done;
191 }
192
193 if (psm) {
194 chan->psm = psm;
195 chan->sport = psm;
196 err = 0;
197 } else {
198 u16 p, start, end, incr;
199
200 if (chan->src_type == BDADDR_BREDR) {
201 start = L2CAP_PSM_DYN_START;
202 end = L2CAP_PSM_AUTO_END;
203 incr = 2;
204 } else {
205 start = L2CAP_PSM_LE_DYN_START;
206 end = L2CAP_PSM_LE_DYN_END;
207 incr = 1;
208 }
209
210 err = -EINVAL;
211 for (p = start; p <= end; p += incr)
212 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
213 chan->src_type)) {
214 chan->psm = cpu_to_le16(p);
215 chan->sport = cpu_to_le16(p);
216 err = 0;
217 break;
218 }
219 }
220
221 done:
222 write_unlock(&chan_list_lock);
223 return err;
224 }
225 EXPORT_SYMBOL_GPL(l2cap_add_psm);
226
l2cap_add_scid(struct l2cap_chan * chan,__u16 scid)227 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
228 {
229 write_lock(&chan_list_lock);
230
231 /* Override the defaults (which are for conn-oriented) */
232 chan->omtu = L2CAP_DEFAULT_MTU;
233 chan->chan_type = L2CAP_CHAN_FIXED;
234
235 chan->scid = scid;
236
237 write_unlock(&chan_list_lock);
238
239 return 0;
240 }
241
l2cap_alloc_cid(struct l2cap_conn * conn)242 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
243 {
244 u16 cid, dyn_end;
245
246 if (conn->hcon->type == LE_LINK)
247 dyn_end = L2CAP_CID_LE_DYN_END;
248 else
249 dyn_end = L2CAP_CID_DYN_END;
250
251 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
252 if (!__l2cap_get_chan_by_scid(conn, cid))
253 return cid;
254 }
255
256 return 0;
257 }
258
l2cap_state_change(struct l2cap_chan * chan,int state)259 static void l2cap_state_change(struct l2cap_chan *chan, int state)
260 {
261 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
262 state_to_string(state));
263
264 chan->state = state;
265 chan->ops->state_change(chan, state, 0);
266 }
267
l2cap_state_change_and_error(struct l2cap_chan * chan,int state,int err)268 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
269 int state, int err)
270 {
271 chan->state = state;
272 chan->ops->state_change(chan, chan->state, err);
273 }
274
l2cap_chan_set_err(struct l2cap_chan * chan,int err)275 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
276 {
277 chan->ops->state_change(chan, chan->state, err);
278 }
279
__set_retrans_timer(struct l2cap_chan * chan)280 static void __set_retrans_timer(struct l2cap_chan *chan)
281 {
282 if (!delayed_work_pending(&chan->monitor_timer) &&
283 chan->retrans_timeout) {
284 l2cap_set_timer(chan, &chan->retrans_timer,
285 msecs_to_jiffies(chan->retrans_timeout));
286 }
287 }
288
__set_monitor_timer(struct l2cap_chan * chan)289 static void __set_monitor_timer(struct l2cap_chan *chan)
290 {
291 __clear_retrans_timer(chan);
292 if (chan->monitor_timeout) {
293 l2cap_set_timer(chan, &chan->monitor_timer,
294 msecs_to_jiffies(chan->monitor_timeout));
295 }
296 }
297
l2cap_ertm_seq_in_queue(struct sk_buff_head * head,u16 seq)298 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
299 u16 seq)
300 {
301 struct sk_buff *skb;
302
303 skb_queue_walk(head, skb) {
304 if (bt_cb(skb)->l2cap.txseq == seq)
305 return skb;
306 }
307
308 return NULL;
309 }
310
311 /* ---- L2CAP sequence number lists ---- */
312
313 /* For ERTM, ordered lists of sequence numbers must be tracked for
314 * SREJ requests that are received and for frames that are to be
315 * retransmitted. These seq_list functions implement a singly-linked
316 * list in an array, where membership in the list can also be checked
317 * in constant time. Items can also be added to the tail of the list
318 * and removed from the head in constant time, without further memory
319 * allocs or frees.
320 */
321
l2cap_seq_list_init(struct l2cap_seq_list * seq_list,u16 size)322 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
323 {
324 size_t alloc_size, i;
325
326 /* Allocated size is a power of 2 to map sequence numbers
327 * (which may be up to 14 bits) in to a smaller array that is
328 * sized for the negotiated ERTM transmit windows.
329 */
330 alloc_size = roundup_pow_of_two(size);
331
332 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
333 if (!seq_list->list)
334 return -ENOMEM;
335
336 seq_list->mask = alloc_size - 1;
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 for (i = 0; i < alloc_size; i++)
340 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
341
342 return 0;
343 }
344
l2cap_seq_list_free(struct l2cap_seq_list * seq_list)345 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
346 {
347 kfree(seq_list->list);
348 }
349
l2cap_seq_list_contains(struct l2cap_seq_list * seq_list,u16 seq)350 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
351 u16 seq)
352 {
353 /* Constant-time check for list membership */
354 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
355 }
356
l2cap_seq_list_pop(struct l2cap_seq_list * seq_list)357 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
358 {
359 u16 seq = seq_list->head;
360 u16 mask = seq_list->mask;
361
362 seq_list->head = seq_list->list[seq & mask];
363 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
364
365 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
366 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
367 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
368 }
369
370 return seq;
371 }
372
l2cap_seq_list_clear(struct l2cap_seq_list * seq_list)373 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
374 {
375 u16 i;
376
377 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
378 return;
379
380 for (i = 0; i <= seq_list->mask; i++)
381 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
382
383 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
384 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
385 }
386
l2cap_seq_list_append(struct l2cap_seq_list * seq_list,u16 seq)387 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
388 {
389 u16 mask = seq_list->mask;
390
391 /* All appends happen in constant time */
392
393 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
394 return;
395
396 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
397 seq_list->head = seq;
398 else
399 seq_list->list[seq_list->tail & mask] = seq;
400
401 seq_list->tail = seq;
402 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
403 }
404
l2cap_chan_timeout(struct work_struct * work)405 static void l2cap_chan_timeout(struct work_struct *work)
406 {
407 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
408 chan_timer.work);
409 struct l2cap_conn *conn = chan->conn;
410 int reason;
411
412 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
413
414 if (!conn)
415 return;
416
417 mutex_lock(&conn->lock);
418 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
419 * this work. No need to call l2cap_chan_hold(chan) here again.
420 */
421 l2cap_chan_lock(chan);
422
423 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
424 reason = ECONNREFUSED;
425 else if (chan->state == BT_CONNECT &&
426 chan->sec_level != BT_SECURITY_SDP)
427 reason = ECONNREFUSED;
428 else
429 reason = ETIMEDOUT;
430
431 l2cap_chan_close(chan, reason);
432
433 chan->ops->close(chan);
434
435 l2cap_chan_unlock(chan);
436 l2cap_chan_put(chan);
437
438 mutex_unlock(&conn->lock);
439 }
440
l2cap_chan_create(void)441 struct l2cap_chan *l2cap_chan_create(void)
442 {
443 struct l2cap_chan *chan;
444
445 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
446 if (!chan)
447 return NULL;
448
449 skb_queue_head_init(&chan->tx_q);
450 skb_queue_head_init(&chan->srej_q);
451 mutex_init(&chan->lock);
452
453 /* Set default lock nesting level */
454 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
455
456 /* Available receive buffer space is initially unknown */
457 chan->rx_avail = -1;
458
459 write_lock(&chan_list_lock);
460 list_add(&chan->global_l, &chan_list);
461 write_unlock(&chan_list_lock);
462
463 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
464 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
465 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
466 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
467
468 chan->state = BT_OPEN;
469
470 kref_init(&chan->kref);
471
472 /* This flag is cleared in l2cap_chan_ready() */
473 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
474
475 BT_DBG("chan %p", chan);
476
477 return chan;
478 }
479 EXPORT_SYMBOL_GPL(l2cap_chan_create);
480
l2cap_chan_destroy(struct kref * kref)481 static void l2cap_chan_destroy(struct kref *kref)
482 {
483 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
484
485 BT_DBG("chan %p", chan);
486
487 write_lock(&chan_list_lock);
488 list_del(&chan->global_l);
489 write_unlock(&chan_list_lock);
490
491 kfree(chan);
492 }
493
l2cap_chan_hold(struct l2cap_chan * c)494 void l2cap_chan_hold(struct l2cap_chan *c)
495 {
496 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
497
498 kref_get(&c->kref);
499 }
500
l2cap_chan_hold_unless_zero(struct l2cap_chan * c)501 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c)
502 {
503 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
504
505 if (!kref_get_unless_zero(&c->kref))
506 return NULL;
507
508 return c;
509 }
510
l2cap_chan_put(struct l2cap_chan * c)511 void l2cap_chan_put(struct l2cap_chan *c)
512 {
513 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
514
515 kref_put(&c->kref, l2cap_chan_destroy);
516 }
517 EXPORT_SYMBOL_GPL(l2cap_chan_put);
518
l2cap_chan_set_defaults(struct l2cap_chan * chan)519 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
520 {
521 chan->fcs = L2CAP_FCS_CRC16;
522 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
523 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
524 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
525 chan->remote_max_tx = chan->max_tx;
526 chan->remote_tx_win = chan->tx_win;
527 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
528 chan->sec_level = BT_SECURITY_LOW;
529 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
530 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
531 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
532
533 chan->conf_state = 0;
534 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
535
536 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
537 }
538 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
539
l2cap_le_rx_credits(struct l2cap_chan * chan)540 static __u16 l2cap_le_rx_credits(struct l2cap_chan *chan)
541 {
542 size_t sdu_len = chan->sdu ? chan->sdu->len : 0;
543
544 if (chan->mps == 0)
545 return 0;
546
547 /* If we don't know the available space in the receiver buffer, give
548 * enough credits for a full packet.
549 */
550 if (chan->rx_avail == -1)
551 return (chan->imtu / chan->mps) + 1;
552
553 /* If we know how much space is available in the receive buffer, give
554 * out as many credits as would fill the buffer.
555 */
556 if (chan->rx_avail <= sdu_len)
557 return 0;
558
559 return DIV_ROUND_UP(chan->rx_avail - sdu_len, chan->mps);
560 }
561
l2cap_le_flowctl_init(struct l2cap_chan * chan,u16 tx_credits)562 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
563 {
564 chan->sdu = NULL;
565 chan->sdu_last_frag = NULL;
566 chan->sdu_len = 0;
567 chan->tx_credits = tx_credits;
568 /* Derive MPS from connection MTU to stop HCI fragmentation */
569 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
570 chan->rx_credits = l2cap_le_rx_credits(chan);
571
572 skb_queue_head_init(&chan->tx_q);
573 }
574
l2cap_ecred_init(struct l2cap_chan * chan,u16 tx_credits)575 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
576 {
577 l2cap_le_flowctl_init(chan, tx_credits);
578
579 /* L2CAP implementations shall support a minimum MPS of 64 octets */
580 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
581 chan->mps = L2CAP_ECRED_MIN_MPS;
582 chan->rx_credits = l2cap_le_rx_credits(chan);
583 }
584 }
585
__l2cap_chan_add(struct l2cap_conn * conn,struct l2cap_chan * chan)586 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
587 {
588 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
589 __le16_to_cpu(chan->psm), chan->dcid);
590
591 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
592
593 chan->conn = conn;
594
595 switch (chan->chan_type) {
596 case L2CAP_CHAN_CONN_ORIENTED:
597 /* Alloc CID for connection-oriented socket */
598 chan->scid = l2cap_alloc_cid(conn);
599 if (conn->hcon->type == ACL_LINK)
600 chan->omtu = L2CAP_DEFAULT_MTU;
601 break;
602
603 case L2CAP_CHAN_CONN_LESS:
604 /* Connectionless socket */
605 chan->scid = L2CAP_CID_CONN_LESS;
606 chan->dcid = L2CAP_CID_CONN_LESS;
607 chan->omtu = L2CAP_DEFAULT_MTU;
608 break;
609
610 case L2CAP_CHAN_FIXED:
611 /* Caller will set CID and CID specific MTU values */
612 break;
613
614 default:
615 /* Raw socket can send/recv signalling messages only */
616 chan->scid = L2CAP_CID_SIGNALING;
617 chan->dcid = L2CAP_CID_SIGNALING;
618 chan->omtu = L2CAP_DEFAULT_MTU;
619 }
620
621 chan->local_id = L2CAP_BESTEFFORT_ID;
622 chan->local_stype = L2CAP_SERV_BESTEFFORT;
623 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
624 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
625 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
626 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
627
628 l2cap_chan_hold(chan);
629
630 /* Only keep a reference for fixed channels if they requested it */
631 if (chan->chan_type != L2CAP_CHAN_FIXED ||
632 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
633 hci_conn_hold(conn->hcon);
634
635 /* Append to the list since the order matters for ECRED */
636 list_add_tail(&chan->list, &conn->chan_l);
637 }
638
l2cap_chan_add(struct l2cap_conn * conn,struct l2cap_chan * chan)639 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
640 {
641 mutex_lock(&conn->lock);
642 __l2cap_chan_add(conn, chan);
643 mutex_unlock(&conn->lock);
644 }
645
l2cap_chan_del(struct l2cap_chan * chan,int err)646 void l2cap_chan_del(struct l2cap_chan *chan, int err)
647 {
648 struct l2cap_conn *conn = chan->conn;
649
650 __clear_chan_timer(chan);
651
652 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
653 state_to_string(chan->state));
654
655 chan->ops->teardown(chan, err);
656
657 if (conn) {
658 /* Delete from channel list */
659 list_del(&chan->list);
660
661 l2cap_chan_put(chan);
662
663 chan->conn = NULL;
664
665 /* Reference was only held for non-fixed channels or
666 * fixed channels that explicitly requested it using the
667 * FLAG_HOLD_HCI_CONN flag.
668 */
669 if (chan->chan_type != L2CAP_CHAN_FIXED ||
670 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
671 hci_conn_drop(conn->hcon);
672 }
673
674 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
675 return;
676
677 switch (chan->mode) {
678 case L2CAP_MODE_BASIC:
679 break;
680
681 case L2CAP_MODE_LE_FLOWCTL:
682 case L2CAP_MODE_EXT_FLOWCTL:
683 skb_queue_purge(&chan->tx_q);
684 break;
685
686 case L2CAP_MODE_ERTM:
687 __clear_retrans_timer(chan);
688 __clear_monitor_timer(chan);
689 __clear_ack_timer(chan);
690
691 skb_queue_purge(&chan->srej_q);
692
693 l2cap_seq_list_free(&chan->srej_list);
694 l2cap_seq_list_free(&chan->retrans_list);
695 fallthrough;
696
697 case L2CAP_MODE_STREAMING:
698 skb_queue_purge(&chan->tx_q);
699 break;
700 }
701 }
702 EXPORT_SYMBOL_GPL(l2cap_chan_del);
703
__l2cap_chan_list_id(struct l2cap_conn * conn,u16 id,l2cap_chan_func_t func,void * data)704 static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id,
705 l2cap_chan_func_t func, void *data)
706 {
707 struct l2cap_chan *chan, *l;
708
709 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
710 if (chan->ident == id)
711 func(chan, data);
712 }
713 }
714
__l2cap_chan_list(struct l2cap_conn * conn,l2cap_chan_func_t func,void * data)715 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
716 void *data)
717 {
718 struct l2cap_chan *chan;
719
720 list_for_each_entry(chan, &conn->chan_l, list) {
721 func(chan, data);
722 }
723 }
724
l2cap_chan_list(struct l2cap_conn * conn,l2cap_chan_func_t func,void * data)725 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
726 void *data)
727 {
728 if (!conn)
729 return;
730
731 mutex_lock(&conn->lock);
732 __l2cap_chan_list(conn, func, data);
733 mutex_unlock(&conn->lock);
734 }
735
736 EXPORT_SYMBOL_GPL(l2cap_chan_list);
737
l2cap_conn_update_id_addr(struct work_struct * work)738 static void l2cap_conn_update_id_addr(struct work_struct *work)
739 {
740 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
741 id_addr_timer.work);
742 struct hci_conn *hcon = conn->hcon;
743 struct l2cap_chan *chan;
744
745 mutex_lock(&conn->lock);
746
747 list_for_each_entry(chan, &conn->chan_l, list) {
748 l2cap_chan_lock(chan);
749 bacpy(&chan->dst, &hcon->dst);
750 chan->dst_type = bdaddr_dst_type(hcon);
751 l2cap_chan_unlock(chan);
752 }
753
754 mutex_unlock(&conn->lock);
755 }
756
l2cap_chan_le_connect_reject(struct l2cap_chan * chan)757 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
758 {
759 struct l2cap_conn *conn = chan->conn;
760 struct l2cap_le_conn_rsp rsp;
761 u16 result;
762
763 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
764 result = L2CAP_CR_LE_AUTHORIZATION;
765 else
766 result = L2CAP_CR_LE_BAD_PSM;
767
768 l2cap_state_change(chan, BT_DISCONN);
769
770 rsp.dcid = cpu_to_le16(chan->scid);
771 rsp.mtu = cpu_to_le16(chan->imtu);
772 rsp.mps = cpu_to_le16(chan->mps);
773 rsp.credits = cpu_to_le16(chan->rx_credits);
774 rsp.result = cpu_to_le16(result);
775
776 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
777 &rsp);
778 }
779
l2cap_chan_ecred_connect_reject(struct l2cap_chan * chan)780 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
781 {
782 l2cap_state_change(chan, BT_DISCONN);
783
784 __l2cap_ecred_conn_rsp_defer(chan);
785 }
786
l2cap_chan_connect_reject(struct l2cap_chan * chan)787 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
788 {
789 struct l2cap_conn *conn = chan->conn;
790 struct l2cap_conn_rsp rsp;
791 u16 result;
792
793 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
794 result = L2CAP_CR_SEC_BLOCK;
795 else
796 result = L2CAP_CR_BAD_PSM;
797
798 l2cap_state_change(chan, BT_DISCONN);
799
800 rsp.scid = cpu_to_le16(chan->dcid);
801 rsp.dcid = cpu_to_le16(chan->scid);
802 rsp.result = cpu_to_le16(result);
803 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
804
805 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
806 }
807
l2cap_chan_close(struct l2cap_chan * chan,int reason)808 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
809 {
810 struct l2cap_conn *conn = chan->conn;
811
812 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
813
814 switch (chan->state) {
815 case BT_LISTEN:
816 chan->ops->teardown(chan, 0);
817 break;
818
819 case BT_CONNECTED:
820 case BT_CONFIG:
821 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
822 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
823 l2cap_send_disconn_req(chan, reason);
824 } else
825 l2cap_chan_del(chan, reason);
826 break;
827
828 case BT_CONNECT2:
829 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
830 if (conn->hcon->type == ACL_LINK)
831 l2cap_chan_connect_reject(chan);
832 else if (conn->hcon->type == LE_LINK) {
833 switch (chan->mode) {
834 case L2CAP_MODE_LE_FLOWCTL:
835 l2cap_chan_le_connect_reject(chan);
836 break;
837 case L2CAP_MODE_EXT_FLOWCTL:
838 l2cap_chan_ecred_connect_reject(chan);
839 return;
840 }
841 }
842 }
843
844 l2cap_chan_del(chan, reason);
845 break;
846
847 case BT_CONNECT:
848 case BT_DISCONN:
849 l2cap_chan_del(chan, reason);
850 break;
851
852 default:
853 chan->ops->teardown(chan, 0);
854 break;
855 }
856 }
857 EXPORT_SYMBOL(l2cap_chan_close);
858
l2cap_get_auth_type(struct l2cap_chan * chan)859 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
860 {
861 switch (chan->chan_type) {
862 case L2CAP_CHAN_RAW:
863 switch (chan->sec_level) {
864 case BT_SECURITY_HIGH:
865 case BT_SECURITY_FIPS:
866 return HCI_AT_DEDICATED_BONDING_MITM;
867 case BT_SECURITY_MEDIUM:
868 return HCI_AT_DEDICATED_BONDING;
869 default:
870 return HCI_AT_NO_BONDING;
871 }
872 break;
873 case L2CAP_CHAN_CONN_LESS:
874 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
875 if (chan->sec_level == BT_SECURITY_LOW)
876 chan->sec_level = BT_SECURITY_SDP;
877 }
878 if (chan->sec_level == BT_SECURITY_HIGH ||
879 chan->sec_level == BT_SECURITY_FIPS)
880 return HCI_AT_NO_BONDING_MITM;
881 else
882 return HCI_AT_NO_BONDING;
883 break;
884 case L2CAP_CHAN_CONN_ORIENTED:
885 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
886 if (chan->sec_level == BT_SECURITY_LOW)
887 chan->sec_level = BT_SECURITY_SDP;
888
889 if (chan->sec_level == BT_SECURITY_HIGH ||
890 chan->sec_level == BT_SECURITY_FIPS)
891 return HCI_AT_NO_BONDING_MITM;
892 else
893 return HCI_AT_NO_BONDING;
894 }
895 fallthrough;
896
897 default:
898 switch (chan->sec_level) {
899 case BT_SECURITY_HIGH:
900 case BT_SECURITY_FIPS:
901 return HCI_AT_GENERAL_BONDING_MITM;
902 case BT_SECURITY_MEDIUM:
903 return HCI_AT_GENERAL_BONDING;
904 default:
905 return HCI_AT_NO_BONDING;
906 }
907 break;
908 }
909 }
910
911 /* Service level security */
l2cap_chan_check_security(struct l2cap_chan * chan,bool initiator)912 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
913 {
914 struct l2cap_conn *conn = chan->conn;
915 __u8 auth_type;
916
917 if (conn->hcon->type == LE_LINK)
918 return smp_conn_security(conn->hcon, chan->sec_level);
919
920 auth_type = l2cap_get_auth_type(chan);
921
922 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
923 initiator);
924 }
925
l2cap_get_ident(struct l2cap_conn * conn)926 static u8 l2cap_get_ident(struct l2cap_conn *conn)
927 {
928 u8 id;
929
930 /* Get next available identificator.
931 * 1 - 128 are used by kernel.
932 * 129 - 199 are reserved.
933 * 200 - 254 are used by utilities like l2ping, etc.
934 */
935
936 mutex_lock(&conn->ident_lock);
937
938 if (++conn->tx_ident > 128)
939 conn->tx_ident = 1;
940
941 id = conn->tx_ident;
942
943 mutex_unlock(&conn->ident_lock);
944
945 return id;
946 }
947
l2cap_send_acl(struct l2cap_conn * conn,struct sk_buff * skb,u8 flags)948 static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
949 u8 flags)
950 {
951 /* Check if the hcon still valid before attempting to send */
952 if (hci_conn_valid(conn->hcon->hdev, conn->hcon))
953 hci_send_acl(conn->hchan, skb, flags);
954 else
955 kfree_skb(skb);
956 }
957
l2cap_send_cmd(struct l2cap_conn * conn,u8 ident,u8 code,u16 len,void * data)958 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
959 void *data)
960 {
961 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
962 u8 flags;
963
964 BT_DBG("code 0x%2.2x", code);
965
966 if (!skb)
967 return;
968
969 /* Use NO_FLUSH if supported or we have an LE link (which does
970 * not support auto-flushing packets) */
971 if (lmp_no_flush_capable(conn->hcon->hdev) ||
972 conn->hcon->type == LE_LINK)
973 flags = ACL_START_NO_FLUSH;
974 else
975 flags = ACL_START;
976
977 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
978 skb->priority = HCI_PRIO_MAX;
979
980 l2cap_send_acl(conn, skb, flags);
981 }
982
l2cap_do_send(struct l2cap_chan * chan,struct sk_buff * skb)983 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
984 {
985 struct hci_conn *hcon = chan->conn->hcon;
986 u16 flags;
987
988 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
989 skb->priority);
990
991 /* Use NO_FLUSH for LE links (where this is the only option) or
992 * if the BR/EDR link supports it and flushing has not been
993 * explicitly requested (through FLAG_FLUSHABLE).
994 */
995 if (hcon->type == LE_LINK ||
996 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
997 lmp_no_flush_capable(hcon->hdev)))
998 flags = ACL_START_NO_FLUSH;
999 else
1000 flags = ACL_START;
1001
1002 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1003 hci_send_acl(chan->conn->hchan, skb, flags);
1004 }
1005
__unpack_enhanced_control(u16 enh,struct l2cap_ctrl * control)1006 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
1007 {
1008 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
1009 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
1010
1011 if (enh & L2CAP_CTRL_FRAME_TYPE) {
1012 /* S-Frame */
1013 control->sframe = 1;
1014 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
1015 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1016
1017 control->sar = 0;
1018 control->txseq = 0;
1019 } else {
1020 /* I-Frame */
1021 control->sframe = 0;
1022 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1023 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1024
1025 control->poll = 0;
1026 control->super = 0;
1027 }
1028 }
1029
__unpack_extended_control(u32 ext,struct l2cap_ctrl * control)1030 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1031 {
1032 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1033 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1034
1035 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1036 /* S-Frame */
1037 control->sframe = 1;
1038 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1039 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1040
1041 control->sar = 0;
1042 control->txseq = 0;
1043 } else {
1044 /* I-Frame */
1045 control->sframe = 0;
1046 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1047 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1048
1049 control->poll = 0;
1050 control->super = 0;
1051 }
1052 }
1053
__unpack_control(struct l2cap_chan * chan,struct sk_buff * skb)1054 static inline void __unpack_control(struct l2cap_chan *chan,
1055 struct sk_buff *skb)
1056 {
1057 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1058 __unpack_extended_control(get_unaligned_le32(skb->data),
1059 &bt_cb(skb)->l2cap);
1060 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1061 } else {
1062 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1063 &bt_cb(skb)->l2cap);
1064 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1065 }
1066 }
1067
__pack_extended_control(struct l2cap_ctrl * control)1068 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1069 {
1070 u32 packed;
1071
1072 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1073 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1074
1075 if (control->sframe) {
1076 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1077 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1078 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1079 } else {
1080 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1081 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1082 }
1083
1084 return packed;
1085 }
1086
__pack_enhanced_control(struct l2cap_ctrl * control)1087 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1088 {
1089 u16 packed;
1090
1091 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1092 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1093
1094 if (control->sframe) {
1095 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1096 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1097 packed |= L2CAP_CTRL_FRAME_TYPE;
1098 } else {
1099 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1100 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1101 }
1102
1103 return packed;
1104 }
1105
__pack_control(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb)1106 static inline void __pack_control(struct l2cap_chan *chan,
1107 struct l2cap_ctrl *control,
1108 struct sk_buff *skb)
1109 {
1110 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1111 put_unaligned_le32(__pack_extended_control(control),
1112 skb->data + L2CAP_HDR_SIZE);
1113 } else {
1114 put_unaligned_le16(__pack_enhanced_control(control),
1115 skb->data + L2CAP_HDR_SIZE);
1116 }
1117 }
1118
__ertm_hdr_size(struct l2cap_chan * chan)1119 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1120 {
1121 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1122 return L2CAP_EXT_HDR_SIZE;
1123 else
1124 return L2CAP_ENH_HDR_SIZE;
1125 }
1126
l2cap_create_sframe_pdu(struct l2cap_chan * chan,u32 control)1127 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1128 u32 control)
1129 {
1130 struct sk_buff *skb;
1131 struct l2cap_hdr *lh;
1132 int hlen = __ertm_hdr_size(chan);
1133
1134 if (chan->fcs == L2CAP_FCS_CRC16)
1135 hlen += L2CAP_FCS_SIZE;
1136
1137 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1138
1139 if (!skb)
1140 return ERR_PTR(-ENOMEM);
1141
1142 lh = skb_put(skb, L2CAP_HDR_SIZE);
1143 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1144 lh->cid = cpu_to_le16(chan->dcid);
1145
1146 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1147 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1148 else
1149 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1150
1151 if (chan->fcs == L2CAP_FCS_CRC16) {
1152 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1153 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1154 }
1155
1156 skb->priority = HCI_PRIO_MAX;
1157 return skb;
1158 }
1159
l2cap_send_sframe(struct l2cap_chan * chan,struct l2cap_ctrl * control)1160 static void l2cap_send_sframe(struct l2cap_chan *chan,
1161 struct l2cap_ctrl *control)
1162 {
1163 struct sk_buff *skb;
1164 u32 control_field;
1165
1166 BT_DBG("chan %p, control %p", chan, control);
1167
1168 if (!control->sframe)
1169 return;
1170
1171 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1172 !control->poll)
1173 control->final = 1;
1174
1175 if (control->super == L2CAP_SUPER_RR)
1176 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1177 else if (control->super == L2CAP_SUPER_RNR)
1178 set_bit(CONN_RNR_SENT, &chan->conn_state);
1179
1180 if (control->super != L2CAP_SUPER_SREJ) {
1181 chan->last_acked_seq = control->reqseq;
1182 __clear_ack_timer(chan);
1183 }
1184
1185 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1186 control->final, control->poll, control->super);
1187
1188 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1189 control_field = __pack_extended_control(control);
1190 else
1191 control_field = __pack_enhanced_control(control);
1192
1193 skb = l2cap_create_sframe_pdu(chan, control_field);
1194 if (!IS_ERR(skb))
1195 l2cap_do_send(chan, skb);
1196 }
1197
l2cap_send_rr_or_rnr(struct l2cap_chan * chan,bool poll)1198 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1199 {
1200 struct l2cap_ctrl control;
1201
1202 BT_DBG("chan %p, poll %d", chan, poll);
1203
1204 memset(&control, 0, sizeof(control));
1205 control.sframe = 1;
1206 control.poll = poll;
1207
1208 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1209 control.super = L2CAP_SUPER_RNR;
1210 else
1211 control.super = L2CAP_SUPER_RR;
1212
1213 control.reqseq = chan->buffer_seq;
1214 l2cap_send_sframe(chan, &control);
1215 }
1216
__l2cap_no_conn_pending(struct l2cap_chan * chan)1217 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1218 {
1219 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1220 return true;
1221
1222 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1223 }
1224
l2cap_send_conn_req(struct l2cap_chan * chan)1225 void l2cap_send_conn_req(struct l2cap_chan *chan)
1226 {
1227 struct l2cap_conn *conn = chan->conn;
1228 struct l2cap_conn_req req;
1229
1230 req.scid = cpu_to_le16(chan->scid);
1231 req.psm = chan->psm;
1232
1233 chan->ident = l2cap_get_ident(conn);
1234
1235 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1236
1237 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1238 }
1239
l2cap_chan_ready(struct l2cap_chan * chan)1240 static void l2cap_chan_ready(struct l2cap_chan *chan)
1241 {
1242 /* The channel may have already been flagged as connected in
1243 * case of receiving data before the L2CAP info req/rsp
1244 * procedure is complete.
1245 */
1246 if (chan->state == BT_CONNECTED)
1247 return;
1248
1249 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1250 chan->conf_state = 0;
1251 __clear_chan_timer(chan);
1252
1253 switch (chan->mode) {
1254 case L2CAP_MODE_LE_FLOWCTL:
1255 case L2CAP_MODE_EXT_FLOWCTL:
1256 if (!chan->tx_credits)
1257 chan->ops->suspend(chan);
1258 break;
1259 }
1260
1261 chan->state = BT_CONNECTED;
1262
1263 chan->ops->ready(chan);
1264 }
1265
l2cap_le_connect(struct l2cap_chan * chan)1266 static void l2cap_le_connect(struct l2cap_chan *chan)
1267 {
1268 struct l2cap_conn *conn = chan->conn;
1269 struct l2cap_le_conn_req req;
1270
1271 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1272 return;
1273
1274 if (!chan->imtu)
1275 chan->imtu = chan->conn->mtu;
1276
1277 l2cap_le_flowctl_init(chan, 0);
1278
1279 memset(&req, 0, sizeof(req));
1280 req.psm = chan->psm;
1281 req.scid = cpu_to_le16(chan->scid);
1282 req.mtu = cpu_to_le16(chan->imtu);
1283 req.mps = cpu_to_le16(chan->mps);
1284 req.credits = cpu_to_le16(chan->rx_credits);
1285
1286 chan->ident = l2cap_get_ident(conn);
1287
1288 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1289 sizeof(req), &req);
1290 }
1291
1292 struct l2cap_ecred_conn_data {
1293 struct {
1294 struct l2cap_ecred_conn_req req;
1295 __le16 scid[5];
1296 } __packed pdu;
1297 struct l2cap_chan *chan;
1298 struct pid *pid;
1299 int count;
1300 };
1301
l2cap_ecred_defer_connect(struct l2cap_chan * chan,void * data)1302 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1303 {
1304 struct l2cap_ecred_conn_data *conn = data;
1305 struct pid *pid;
1306
1307 if (chan == conn->chan)
1308 return;
1309
1310 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1311 return;
1312
1313 pid = chan->ops->get_peer_pid(chan);
1314
1315 /* Only add deferred channels with the same PID/PSM */
1316 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1317 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1318 return;
1319
1320 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1321 return;
1322
1323 l2cap_ecred_init(chan, 0);
1324
1325 /* Set the same ident so we can match on the rsp */
1326 chan->ident = conn->chan->ident;
1327
1328 /* Include all channels deferred */
1329 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1330
1331 conn->count++;
1332 }
1333
l2cap_ecred_connect(struct l2cap_chan * chan)1334 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1335 {
1336 struct l2cap_conn *conn = chan->conn;
1337 struct l2cap_ecred_conn_data data;
1338
1339 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1340 return;
1341
1342 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1343 return;
1344
1345 l2cap_ecred_init(chan, 0);
1346
1347 memset(&data, 0, sizeof(data));
1348 data.pdu.req.psm = chan->psm;
1349 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1350 data.pdu.req.mps = cpu_to_le16(chan->mps);
1351 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1352 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1353
1354 chan->ident = l2cap_get_ident(conn);
1355
1356 data.count = 1;
1357 data.chan = chan;
1358 data.pid = chan->ops->get_peer_pid(chan);
1359
1360 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1361
1362 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1363 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1364 &data.pdu);
1365 }
1366
l2cap_le_start(struct l2cap_chan * chan)1367 static void l2cap_le_start(struct l2cap_chan *chan)
1368 {
1369 struct l2cap_conn *conn = chan->conn;
1370
1371 if (!smp_conn_security(conn->hcon, chan->sec_level))
1372 return;
1373
1374 if (!chan->psm) {
1375 l2cap_chan_ready(chan);
1376 return;
1377 }
1378
1379 if (chan->state == BT_CONNECT) {
1380 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1381 l2cap_ecred_connect(chan);
1382 else
1383 l2cap_le_connect(chan);
1384 }
1385 }
1386
l2cap_start_connection(struct l2cap_chan * chan)1387 static void l2cap_start_connection(struct l2cap_chan *chan)
1388 {
1389 if (chan->conn->hcon->type == LE_LINK) {
1390 l2cap_le_start(chan);
1391 } else {
1392 l2cap_send_conn_req(chan);
1393 }
1394 }
1395
l2cap_request_info(struct l2cap_conn * conn)1396 static void l2cap_request_info(struct l2cap_conn *conn)
1397 {
1398 struct l2cap_info_req req;
1399
1400 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1401 return;
1402
1403 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1404
1405 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1406 conn->info_ident = l2cap_get_ident(conn);
1407
1408 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1409
1410 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1411 sizeof(req), &req);
1412 }
1413
l2cap_check_enc_key_size(struct hci_conn * hcon,struct l2cap_chan * chan)1414 static bool l2cap_check_enc_key_size(struct hci_conn *hcon,
1415 struct l2cap_chan *chan)
1416 {
1417 /* The minimum encryption key size needs to be enforced by the
1418 * host stack before establishing any L2CAP connections. The
1419 * specification in theory allows a minimum of 1, but to align
1420 * BR/EDR and LE transports, a minimum of 7 is chosen.
1421 *
1422 * This check might also be called for unencrypted connections
1423 * that have no key size requirements. Ensure that the link is
1424 * actually encrypted before enforcing a key size.
1425 */
1426 int min_key_size = hcon->hdev->min_enc_key_size;
1427
1428 /* On FIPS security level, key size must be 16 bytes */
1429 if (chan->sec_level == BT_SECURITY_FIPS)
1430 min_key_size = 16;
1431
1432 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1433 hcon->enc_key_size >= min_key_size);
1434 }
1435
l2cap_do_start(struct l2cap_chan * chan)1436 static void l2cap_do_start(struct l2cap_chan *chan)
1437 {
1438 struct l2cap_conn *conn = chan->conn;
1439
1440 if (conn->hcon->type == LE_LINK) {
1441 l2cap_le_start(chan);
1442 return;
1443 }
1444
1445 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1446 l2cap_request_info(conn);
1447 return;
1448 }
1449
1450 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1451 return;
1452
1453 if (!l2cap_chan_check_security(chan, true) ||
1454 !__l2cap_no_conn_pending(chan))
1455 return;
1456
1457 if (l2cap_check_enc_key_size(conn->hcon, chan))
1458 l2cap_start_connection(chan);
1459 else
1460 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1461 }
1462
l2cap_mode_supported(__u8 mode,__u32 feat_mask)1463 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1464 {
1465 u32 local_feat_mask = l2cap_feat_mask;
1466 if (!disable_ertm)
1467 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1468
1469 switch (mode) {
1470 case L2CAP_MODE_ERTM:
1471 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1472 case L2CAP_MODE_STREAMING:
1473 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1474 default:
1475 return 0x00;
1476 }
1477 }
1478
l2cap_send_disconn_req(struct l2cap_chan * chan,int err)1479 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1480 {
1481 struct l2cap_conn *conn = chan->conn;
1482 struct l2cap_disconn_req req;
1483
1484 if (!conn)
1485 return;
1486
1487 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1488 __clear_retrans_timer(chan);
1489 __clear_monitor_timer(chan);
1490 __clear_ack_timer(chan);
1491 }
1492
1493 req.dcid = cpu_to_le16(chan->dcid);
1494 req.scid = cpu_to_le16(chan->scid);
1495 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1496 sizeof(req), &req);
1497
1498 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1499 }
1500
1501 /* ---- L2CAP connections ---- */
l2cap_conn_start(struct l2cap_conn * conn)1502 static void l2cap_conn_start(struct l2cap_conn *conn)
1503 {
1504 struct l2cap_chan *chan, *tmp;
1505
1506 BT_DBG("conn %p", conn);
1507
1508 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1509 l2cap_chan_lock(chan);
1510
1511 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1512 l2cap_chan_ready(chan);
1513 l2cap_chan_unlock(chan);
1514 continue;
1515 }
1516
1517 if (chan->state == BT_CONNECT) {
1518 if (!l2cap_chan_check_security(chan, true) ||
1519 !__l2cap_no_conn_pending(chan)) {
1520 l2cap_chan_unlock(chan);
1521 continue;
1522 }
1523
1524 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1525 && test_bit(CONF_STATE2_DEVICE,
1526 &chan->conf_state)) {
1527 l2cap_chan_close(chan, ECONNRESET);
1528 l2cap_chan_unlock(chan);
1529 continue;
1530 }
1531
1532 if (l2cap_check_enc_key_size(conn->hcon, chan))
1533 l2cap_start_connection(chan);
1534 else
1535 l2cap_chan_close(chan, ECONNREFUSED);
1536
1537 } else if (chan->state == BT_CONNECT2) {
1538 struct l2cap_conn_rsp rsp;
1539 char buf[128];
1540 rsp.scid = cpu_to_le16(chan->dcid);
1541 rsp.dcid = cpu_to_le16(chan->scid);
1542
1543 if (l2cap_chan_check_security(chan, false)) {
1544 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1545 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1546 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1547 chan->ops->defer(chan);
1548
1549 } else {
1550 l2cap_state_change(chan, BT_CONFIG);
1551 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1552 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1553 }
1554 } else {
1555 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1556 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1557 }
1558
1559 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1560 sizeof(rsp), &rsp);
1561
1562 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1563 rsp.result != L2CAP_CR_SUCCESS) {
1564 l2cap_chan_unlock(chan);
1565 continue;
1566 }
1567
1568 set_bit(CONF_REQ_SENT, &chan->conf_state);
1569 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1570 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1571 chan->num_conf_req++;
1572 }
1573
1574 l2cap_chan_unlock(chan);
1575 }
1576 }
1577
l2cap_le_conn_ready(struct l2cap_conn * conn)1578 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1579 {
1580 struct hci_conn *hcon = conn->hcon;
1581 struct hci_dev *hdev = hcon->hdev;
1582
1583 BT_DBG("%s conn %p", hdev->name, conn);
1584
1585 /* For outgoing pairing which doesn't necessarily have an
1586 * associated socket (e.g. mgmt_pair_device).
1587 */
1588 if (hcon->out)
1589 smp_conn_security(hcon, hcon->pending_sec_level);
1590
1591 /* For LE peripheral connections, make sure the connection interval
1592 * is in the range of the minimum and maximum interval that has
1593 * been configured for this connection. If not, then trigger
1594 * the connection update procedure.
1595 */
1596 if (hcon->role == HCI_ROLE_SLAVE &&
1597 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1598 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1599 struct l2cap_conn_param_update_req req;
1600
1601 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1602 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1603 req.latency = cpu_to_le16(hcon->le_conn_latency);
1604 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1605
1606 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1607 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1608 }
1609 }
1610
l2cap_conn_ready(struct l2cap_conn * conn)1611 static void l2cap_conn_ready(struct l2cap_conn *conn)
1612 {
1613 struct l2cap_chan *chan;
1614 struct hci_conn *hcon = conn->hcon;
1615
1616 BT_DBG("conn %p", conn);
1617
1618 if (hcon->type == ACL_LINK)
1619 l2cap_request_info(conn);
1620
1621 mutex_lock(&conn->lock);
1622
1623 list_for_each_entry(chan, &conn->chan_l, list) {
1624
1625 l2cap_chan_lock(chan);
1626
1627 if (hcon->type == LE_LINK) {
1628 l2cap_le_start(chan);
1629 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1630 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1631 l2cap_chan_ready(chan);
1632 } else if (chan->state == BT_CONNECT) {
1633 l2cap_do_start(chan);
1634 }
1635
1636 l2cap_chan_unlock(chan);
1637 }
1638
1639 mutex_unlock(&conn->lock);
1640
1641 if (hcon->type == LE_LINK)
1642 l2cap_le_conn_ready(conn);
1643
1644 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1645 }
1646
1647 /* Notify sockets that we cannot guaranty reliability anymore */
l2cap_conn_unreliable(struct l2cap_conn * conn,int err)1648 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1649 {
1650 struct l2cap_chan *chan;
1651
1652 BT_DBG("conn %p", conn);
1653
1654 list_for_each_entry(chan, &conn->chan_l, list) {
1655 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1656 l2cap_chan_set_err(chan, err);
1657 }
1658 }
1659
l2cap_info_timeout(struct work_struct * work)1660 static void l2cap_info_timeout(struct work_struct *work)
1661 {
1662 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1663 info_timer.work);
1664
1665 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1666 conn->info_ident = 0;
1667
1668 mutex_lock(&conn->lock);
1669 l2cap_conn_start(conn);
1670 mutex_unlock(&conn->lock);
1671 }
1672
1673 /*
1674 * l2cap_user
1675 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1676 * callback is called during registration. The ->remove callback is called
1677 * during unregistration.
1678 * An l2cap_user object can either be explicitly unregistered or when the
1679 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1680 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1681 * External modules must own a reference to the l2cap_conn object if they intend
1682 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1683 * any time if they don't.
1684 */
1685
l2cap_register_user(struct l2cap_conn * conn,struct l2cap_user * user)1686 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1687 {
1688 struct hci_dev *hdev = conn->hcon->hdev;
1689 int ret;
1690
1691 /* We need to check whether l2cap_conn is registered. If it is not, we
1692 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1693 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1694 * relies on the parent hci_conn object to be locked. This itself relies
1695 * on the hci_dev object to be locked. So we must lock the hci device
1696 * here, too. */
1697
1698 hci_dev_lock(hdev);
1699
1700 if (!list_empty(&user->list)) {
1701 ret = -EINVAL;
1702 goto out_unlock;
1703 }
1704
1705 /* conn->hchan is NULL after l2cap_conn_del() was called */
1706 if (!conn->hchan) {
1707 ret = -ENODEV;
1708 goto out_unlock;
1709 }
1710
1711 ret = user->probe(conn, user);
1712 if (ret)
1713 goto out_unlock;
1714
1715 list_add(&user->list, &conn->users);
1716 ret = 0;
1717
1718 out_unlock:
1719 hci_dev_unlock(hdev);
1720 return ret;
1721 }
1722 EXPORT_SYMBOL(l2cap_register_user);
1723
l2cap_unregister_user(struct l2cap_conn * conn,struct l2cap_user * user)1724 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1725 {
1726 struct hci_dev *hdev = conn->hcon->hdev;
1727
1728 hci_dev_lock(hdev);
1729
1730 if (list_empty(&user->list))
1731 goto out_unlock;
1732
1733 list_del_init(&user->list);
1734 user->remove(conn, user);
1735
1736 out_unlock:
1737 hci_dev_unlock(hdev);
1738 }
1739 EXPORT_SYMBOL(l2cap_unregister_user);
1740
l2cap_unregister_all_users(struct l2cap_conn * conn)1741 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1742 {
1743 struct l2cap_user *user;
1744
1745 while (!list_empty(&conn->users)) {
1746 user = list_first_entry(&conn->users, struct l2cap_user, list);
1747 list_del_init(&user->list);
1748 user->remove(conn, user);
1749 }
1750 }
1751
l2cap_conn_del(struct hci_conn * hcon,int err)1752 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1753 {
1754 struct l2cap_conn *conn = hcon->l2cap_data;
1755 struct l2cap_chan *chan, *l;
1756
1757 if (!conn)
1758 return;
1759
1760 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1761
1762 mutex_lock(&conn->lock);
1763
1764 kfree_skb(conn->rx_skb);
1765
1766 skb_queue_purge(&conn->pending_rx);
1767
1768 /* We can not call flush_work(&conn->pending_rx_work) here since we
1769 * might block if we are running on a worker from the same workqueue
1770 * pending_rx_work is waiting on.
1771 */
1772 if (work_pending(&conn->pending_rx_work))
1773 cancel_work_sync(&conn->pending_rx_work);
1774
1775 cancel_delayed_work_sync(&conn->id_addr_timer);
1776
1777 l2cap_unregister_all_users(conn);
1778
1779 /* Force the connection to be immediately dropped */
1780 hcon->disc_timeout = 0;
1781
1782 /* Kill channels */
1783 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1784 l2cap_chan_hold(chan);
1785 l2cap_chan_lock(chan);
1786
1787 l2cap_chan_del(chan, err);
1788
1789 chan->ops->close(chan);
1790
1791 l2cap_chan_unlock(chan);
1792 l2cap_chan_put(chan);
1793 }
1794
1795 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1796 cancel_delayed_work_sync(&conn->info_timer);
1797
1798 hci_chan_del(conn->hchan);
1799 conn->hchan = NULL;
1800
1801 hcon->l2cap_data = NULL;
1802 mutex_unlock(&conn->lock);
1803 l2cap_conn_put(conn);
1804 }
1805
l2cap_conn_free(struct kref * ref)1806 static void l2cap_conn_free(struct kref *ref)
1807 {
1808 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1809
1810 hci_conn_put(conn->hcon);
1811 kfree(conn);
1812 }
1813
l2cap_conn_get(struct l2cap_conn * conn)1814 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1815 {
1816 kref_get(&conn->ref);
1817 return conn;
1818 }
1819 EXPORT_SYMBOL(l2cap_conn_get);
1820
l2cap_conn_put(struct l2cap_conn * conn)1821 void l2cap_conn_put(struct l2cap_conn *conn)
1822 {
1823 kref_put(&conn->ref, l2cap_conn_free);
1824 }
1825 EXPORT_SYMBOL(l2cap_conn_put);
1826
1827 /* ---- Socket interface ---- */
1828
1829 /* Find socket with psm and source / destination bdaddr.
1830 * Returns closest match.
1831 */
l2cap_global_chan_by_psm(int state,__le16 psm,bdaddr_t * src,bdaddr_t * dst,u8 link_type)1832 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1833 bdaddr_t *src,
1834 bdaddr_t *dst,
1835 u8 link_type)
1836 {
1837 struct l2cap_chan *c, *tmp, *c1 = NULL;
1838
1839 read_lock(&chan_list_lock);
1840
1841 list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
1842 if (state && c->state != state)
1843 continue;
1844
1845 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1846 continue;
1847
1848 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1849 continue;
1850
1851 if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
1852 int src_match, dst_match;
1853 int src_any, dst_any;
1854
1855 /* Exact match. */
1856 src_match = !bacmp(&c->src, src);
1857 dst_match = !bacmp(&c->dst, dst);
1858 if (src_match && dst_match) {
1859 if (!l2cap_chan_hold_unless_zero(c))
1860 continue;
1861
1862 read_unlock(&chan_list_lock);
1863 return c;
1864 }
1865
1866 /* Closest match */
1867 src_any = !bacmp(&c->src, BDADDR_ANY);
1868 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1869 if ((src_match && dst_any) || (src_any && dst_match) ||
1870 (src_any && dst_any))
1871 c1 = c;
1872 }
1873 }
1874
1875 if (c1)
1876 c1 = l2cap_chan_hold_unless_zero(c1);
1877
1878 read_unlock(&chan_list_lock);
1879
1880 return c1;
1881 }
1882
l2cap_monitor_timeout(struct work_struct * work)1883 static void l2cap_monitor_timeout(struct work_struct *work)
1884 {
1885 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1886 monitor_timer.work);
1887
1888 BT_DBG("chan %p", chan);
1889
1890 l2cap_chan_lock(chan);
1891
1892 if (!chan->conn) {
1893 l2cap_chan_unlock(chan);
1894 l2cap_chan_put(chan);
1895 return;
1896 }
1897
1898 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1899
1900 l2cap_chan_unlock(chan);
1901 l2cap_chan_put(chan);
1902 }
1903
l2cap_retrans_timeout(struct work_struct * work)1904 static void l2cap_retrans_timeout(struct work_struct *work)
1905 {
1906 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1907 retrans_timer.work);
1908
1909 BT_DBG("chan %p", chan);
1910
1911 l2cap_chan_lock(chan);
1912
1913 if (!chan->conn) {
1914 l2cap_chan_unlock(chan);
1915 l2cap_chan_put(chan);
1916 return;
1917 }
1918
1919 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1920 l2cap_chan_unlock(chan);
1921 l2cap_chan_put(chan);
1922 }
1923
l2cap_streaming_send(struct l2cap_chan * chan,struct sk_buff_head * skbs)1924 static void l2cap_streaming_send(struct l2cap_chan *chan,
1925 struct sk_buff_head *skbs)
1926 {
1927 struct sk_buff *skb;
1928 struct l2cap_ctrl *control;
1929
1930 BT_DBG("chan %p, skbs %p", chan, skbs);
1931
1932 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1933
1934 while (!skb_queue_empty(&chan->tx_q)) {
1935
1936 skb = skb_dequeue(&chan->tx_q);
1937
1938 bt_cb(skb)->l2cap.retries = 1;
1939 control = &bt_cb(skb)->l2cap;
1940
1941 control->reqseq = 0;
1942 control->txseq = chan->next_tx_seq;
1943
1944 __pack_control(chan, control, skb);
1945
1946 if (chan->fcs == L2CAP_FCS_CRC16) {
1947 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1948 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1949 }
1950
1951 l2cap_do_send(chan, skb);
1952
1953 BT_DBG("Sent txseq %u", control->txseq);
1954
1955 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1956 chan->frames_sent++;
1957 }
1958 }
1959
l2cap_ertm_send(struct l2cap_chan * chan)1960 static int l2cap_ertm_send(struct l2cap_chan *chan)
1961 {
1962 struct sk_buff *skb, *tx_skb;
1963 struct l2cap_ctrl *control;
1964 int sent = 0;
1965
1966 BT_DBG("chan %p", chan);
1967
1968 if (chan->state != BT_CONNECTED)
1969 return -ENOTCONN;
1970
1971 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1972 return 0;
1973
1974 while (chan->tx_send_head &&
1975 chan->unacked_frames < chan->remote_tx_win &&
1976 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1977
1978 skb = chan->tx_send_head;
1979
1980 bt_cb(skb)->l2cap.retries = 1;
1981 control = &bt_cb(skb)->l2cap;
1982
1983 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1984 control->final = 1;
1985
1986 control->reqseq = chan->buffer_seq;
1987 chan->last_acked_seq = chan->buffer_seq;
1988 control->txseq = chan->next_tx_seq;
1989
1990 __pack_control(chan, control, skb);
1991
1992 if (chan->fcs == L2CAP_FCS_CRC16) {
1993 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1994 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1995 }
1996
1997 /* Clone after data has been modified. Data is assumed to be
1998 read-only (for locking purposes) on cloned sk_buffs.
1999 */
2000 tx_skb = skb_clone(skb, GFP_KERNEL);
2001
2002 if (!tx_skb)
2003 break;
2004
2005 __set_retrans_timer(chan);
2006
2007 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2008 chan->unacked_frames++;
2009 chan->frames_sent++;
2010 sent++;
2011
2012 if (skb_queue_is_last(&chan->tx_q, skb))
2013 chan->tx_send_head = NULL;
2014 else
2015 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2016
2017 l2cap_do_send(chan, tx_skb);
2018 BT_DBG("Sent txseq %u", control->txseq);
2019 }
2020
2021 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2022 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2023
2024 return sent;
2025 }
2026
l2cap_ertm_resend(struct l2cap_chan * chan)2027 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2028 {
2029 struct l2cap_ctrl control;
2030 struct sk_buff *skb;
2031 struct sk_buff *tx_skb;
2032 u16 seq;
2033
2034 BT_DBG("chan %p", chan);
2035
2036 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2037 return;
2038
2039 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2040 seq = l2cap_seq_list_pop(&chan->retrans_list);
2041
2042 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2043 if (!skb) {
2044 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2045 seq);
2046 continue;
2047 }
2048
2049 bt_cb(skb)->l2cap.retries++;
2050 control = bt_cb(skb)->l2cap;
2051
2052 if (chan->max_tx != 0 &&
2053 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2054 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2055 l2cap_send_disconn_req(chan, ECONNRESET);
2056 l2cap_seq_list_clear(&chan->retrans_list);
2057 break;
2058 }
2059
2060 control.reqseq = chan->buffer_seq;
2061 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2062 control.final = 1;
2063 else
2064 control.final = 0;
2065
2066 if (skb_cloned(skb)) {
2067 /* Cloned sk_buffs are read-only, so we need a
2068 * writeable copy
2069 */
2070 tx_skb = skb_copy(skb, GFP_KERNEL);
2071 } else {
2072 tx_skb = skb_clone(skb, GFP_KERNEL);
2073 }
2074
2075 if (!tx_skb) {
2076 l2cap_seq_list_clear(&chan->retrans_list);
2077 break;
2078 }
2079
2080 /* Update skb contents */
2081 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2082 put_unaligned_le32(__pack_extended_control(&control),
2083 tx_skb->data + L2CAP_HDR_SIZE);
2084 } else {
2085 put_unaligned_le16(__pack_enhanced_control(&control),
2086 tx_skb->data + L2CAP_HDR_SIZE);
2087 }
2088
2089 /* Update FCS */
2090 if (chan->fcs == L2CAP_FCS_CRC16) {
2091 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2092 tx_skb->len - L2CAP_FCS_SIZE);
2093 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2094 L2CAP_FCS_SIZE);
2095 }
2096
2097 l2cap_do_send(chan, tx_skb);
2098
2099 BT_DBG("Resent txseq %d", control.txseq);
2100
2101 chan->last_acked_seq = chan->buffer_seq;
2102 }
2103 }
2104
l2cap_retransmit(struct l2cap_chan * chan,struct l2cap_ctrl * control)2105 static void l2cap_retransmit(struct l2cap_chan *chan,
2106 struct l2cap_ctrl *control)
2107 {
2108 BT_DBG("chan %p, control %p", chan, control);
2109
2110 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2111 l2cap_ertm_resend(chan);
2112 }
2113
l2cap_retransmit_all(struct l2cap_chan * chan,struct l2cap_ctrl * control)2114 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2115 struct l2cap_ctrl *control)
2116 {
2117 struct sk_buff *skb;
2118
2119 BT_DBG("chan %p, control %p", chan, control);
2120
2121 if (control->poll)
2122 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2123
2124 l2cap_seq_list_clear(&chan->retrans_list);
2125
2126 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2127 return;
2128
2129 if (chan->unacked_frames) {
2130 skb_queue_walk(&chan->tx_q, skb) {
2131 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2132 skb == chan->tx_send_head)
2133 break;
2134 }
2135
2136 skb_queue_walk_from(&chan->tx_q, skb) {
2137 if (skb == chan->tx_send_head)
2138 break;
2139
2140 l2cap_seq_list_append(&chan->retrans_list,
2141 bt_cb(skb)->l2cap.txseq);
2142 }
2143
2144 l2cap_ertm_resend(chan);
2145 }
2146 }
2147
l2cap_send_ack(struct l2cap_chan * chan)2148 static void l2cap_send_ack(struct l2cap_chan *chan)
2149 {
2150 struct l2cap_ctrl control;
2151 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2152 chan->last_acked_seq);
2153 int threshold;
2154
2155 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2156 chan, chan->last_acked_seq, chan->buffer_seq);
2157
2158 memset(&control, 0, sizeof(control));
2159 control.sframe = 1;
2160
2161 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2162 chan->rx_state == L2CAP_RX_STATE_RECV) {
2163 __clear_ack_timer(chan);
2164 control.super = L2CAP_SUPER_RNR;
2165 control.reqseq = chan->buffer_seq;
2166 l2cap_send_sframe(chan, &control);
2167 } else {
2168 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2169 l2cap_ertm_send(chan);
2170 /* If any i-frames were sent, they included an ack */
2171 if (chan->buffer_seq == chan->last_acked_seq)
2172 frames_to_ack = 0;
2173 }
2174
2175 /* Ack now if the window is 3/4ths full.
2176 * Calculate without mul or div
2177 */
2178 threshold = chan->ack_win;
2179 threshold += threshold << 1;
2180 threshold >>= 2;
2181
2182 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2183 threshold);
2184
2185 if (frames_to_ack >= threshold) {
2186 __clear_ack_timer(chan);
2187 control.super = L2CAP_SUPER_RR;
2188 control.reqseq = chan->buffer_seq;
2189 l2cap_send_sframe(chan, &control);
2190 frames_to_ack = 0;
2191 }
2192
2193 if (frames_to_ack)
2194 __set_ack_timer(chan);
2195 }
2196 }
2197
l2cap_skbuff_fromiovec(struct l2cap_chan * chan,struct msghdr * msg,int len,int count,struct sk_buff * skb)2198 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2199 struct msghdr *msg, int len,
2200 int count, struct sk_buff *skb)
2201 {
2202 struct l2cap_conn *conn = chan->conn;
2203 struct sk_buff **frag;
2204 int sent = 0;
2205
2206 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2207 return -EFAULT;
2208
2209 sent += count;
2210 len -= count;
2211
2212 /* Continuation fragments (no L2CAP header) */
2213 frag = &skb_shinfo(skb)->frag_list;
2214 while (len) {
2215 struct sk_buff *tmp;
2216
2217 count = min_t(unsigned int, conn->mtu, len);
2218
2219 tmp = chan->ops->alloc_skb(chan, 0, count,
2220 msg->msg_flags & MSG_DONTWAIT);
2221 if (IS_ERR(tmp))
2222 return PTR_ERR(tmp);
2223
2224 *frag = tmp;
2225
2226 if (!copy_from_iter_full(skb_put(*frag, count), count,
2227 &msg->msg_iter))
2228 return -EFAULT;
2229
2230 sent += count;
2231 len -= count;
2232
2233 skb->len += (*frag)->len;
2234 skb->data_len += (*frag)->len;
2235
2236 frag = &(*frag)->next;
2237 }
2238
2239 return sent;
2240 }
2241
l2cap_create_connless_pdu(struct l2cap_chan * chan,struct msghdr * msg,size_t len)2242 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2243 struct msghdr *msg, size_t len)
2244 {
2245 struct l2cap_conn *conn = chan->conn;
2246 struct sk_buff *skb;
2247 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2248 struct l2cap_hdr *lh;
2249
2250 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2251 __le16_to_cpu(chan->psm), len);
2252
2253 count = min_t(unsigned int, (conn->mtu - hlen), len);
2254
2255 skb = chan->ops->alloc_skb(chan, hlen, count,
2256 msg->msg_flags & MSG_DONTWAIT);
2257 if (IS_ERR(skb))
2258 return skb;
2259
2260 /* Create L2CAP header */
2261 lh = skb_put(skb, L2CAP_HDR_SIZE);
2262 lh->cid = cpu_to_le16(chan->dcid);
2263 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2264 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2265
2266 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2267 if (unlikely(err < 0)) {
2268 kfree_skb(skb);
2269 return ERR_PTR(err);
2270 }
2271 return skb;
2272 }
2273
l2cap_create_basic_pdu(struct l2cap_chan * chan,struct msghdr * msg,size_t len)2274 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2275 struct msghdr *msg, size_t len)
2276 {
2277 struct l2cap_conn *conn = chan->conn;
2278 struct sk_buff *skb;
2279 int err, count;
2280 struct l2cap_hdr *lh;
2281
2282 BT_DBG("chan %p len %zu", chan, len);
2283
2284 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2285
2286 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2287 msg->msg_flags & MSG_DONTWAIT);
2288 if (IS_ERR(skb))
2289 return skb;
2290
2291 /* Create L2CAP header */
2292 lh = skb_put(skb, L2CAP_HDR_SIZE);
2293 lh->cid = cpu_to_le16(chan->dcid);
2294 lh->len = cpu_to_le16(len);
2295
2296 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2297 if (unlikely(err < 0)) {
2298 kfree_skb(skb);
2299 return ERR_PTR(err);
2300 }
2301 return skb;
2302 }
2303
l2cap_create_iframe_pdu(struct l2cap_chan * chan,struct msghdr * msg,size_t len,u16 sdulen)2304 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2305 struct msghdr *msg, size_t len,
2306 u16 sdulen)
2307 {
2308 struct l2cap_conn *conn = chan->conn;
2309 struct sk_buff *skb;
2310 int err, count, hlen;
2311 struct l2cap_hdr *lh;
2312
2313 BT_DBG("chan %p len %zu", chan, len);
2314
2315 if (!conn)
2316 return ERR_PTR(-ENOTCONN);
2317
2318 hlen = __ertm_hdr_size(chan);
2319
2320 if (sdulen)
2321 hlen += L2CAP_SDULEN_SIZE;
2322
2323 if (chan->fcs == L2CAP_FCS_CRC16)
2324 hlen += L2CAP_FCS_SIZE;
2325
2326 count = min_t(unsigned int, (conn->mtu - hlen), len);
2327
2328 skb = chan->ops->alloc_skb(chan, hlen, count,
2329 msg->msg_flags & MSG_DONTWAIT);
2330 if (IS_ERR(skb))
2331 return skb;
2332
2333 /* Create L2CAP header */
2334 lh = skb_put(skb, L2CAP_HDR_SIZE);
2335 lh->cid = cpu_to_le16(chan->dcid);
2336 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2337
2338 /* Control header is populated later */
2339 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2340 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2341 else
2342 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2343
2344 if (sdulen)
2345 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2346
2347 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2348 if (unlikely(err < 0)) {
2349 kfree_skb(skb);
2350 return ERR_PTR(err);
2351 }
2352
2353 bt_cb(skb)->l2cap.fcs = chan->fcs;
2354 bt_cb(skb)->l2cap.retries = 0;
2355 return skb;
2356 }
2357
l2cap_segment_sdu(struct l2cap_chan * chan,struct sk_buff_head * seg_queue,struct msghdr * msg,size_t len)2358 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2359 struct sk_buff_head *seg_queue,
2360 struct msghdr *msg, size_t len)
2361 {
2362 struct sk_buff *skb;
2363 u16 sdu_len;
2364 size_t pdu_len;
2365 u8 sar;
2366
2367 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2368
2369 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2370 * so fragmented skbs are not used. The HCI layer's handling
2371 * of fragmented skbs is not compatible with ERTM's queueing.
2372 */
2373
2374 /* PDU size is derived from the HCI MTU */
2375 pdu_len = chan->conn->mtu;
2376
2377 /* Constrain PDU size for BR/EDR connections */
2378 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2379
2380 /* Adjust for largest possible L2CAP overhead. */
2381 if (chan->fcs)
2382 pdu_len -= L2CAP_FCS_SIZE;
2383
2384 pdu_len -= __ertm_hdr_size(chan);
2385
2386 /* Remote device may have requested smaller PDUs */
2387 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2388
2389 if (len <= pdu_len) {
2390 sar = L2CAP_SAR_UNSEGMENTED;
2391 sdu_len = 0;
2392 pdu_len = len;
2393 } else {
2394 sar = L2CAP_SAR_START;
2395 sdu_len = len;
2396 }
2397
2398 while (len > 0) {
2399 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2400
2401 if (IS_ERR(skb)) {
2402 __skb_queue_purge(seg_queue);
2403 return PTR_ERR(skb);
2404 }
2405
2406 bt_cb(skb)->l2cap.sar = sar;
2407 __skb_queue_tail(seg_queue, skb);
2408
2409 len -= pdu_len;
2410 if (sdu_len)
2411 sdu_len = 0;
2412
2413 if (len <= pdu_len) {
2414 sar = L2CAP_SAR_END;
2415 pdu_len = len;
2416 } else {
2417 sar = L2CAP_SAR_CONTINUE;
2418 }
2419 }
2420
2421 return 0;
2422 }
2423
l2cap_create_le_flowctl_pdu(struct l2cap_chan * chan,struct msghdr * msg,size_t len,u16 sdulen)2424 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2425 struct msghdr *msg,
2426 size_t len, u16 sdulen)
2427 {
2428 struct l2cap_conn *conn = chan->conn;
2429 struct sk_buff *skb;
2430 int err, count, hlen;
2431 struct l2cap_hdr *lh;
2432
2433 BT_DBG("chan %p len %zu", chan, len);
2434
2435 if (!conn)
2436 return ERR_PTR(-ENOTCONN);
2437
2438 hlen = L2CAP_HDR_SIZE;
2439
2440 if (sdulen)
2441 hlen += L2CAP_SDULEN_SIZE;
2442
2443 count = min_t(unsigned int, (conn->mtu - hlen), len);
2444
2445 skb = chan->ops->alloc_skb(chan, hlen, count,
2446 msg->msg_flags & MSG_DONTWAIT);
2447 if (IS_ERR(skb))
2448 return skb;
2449
2450 /* Create L2CAP header */
2451 lh = skb_put(skb, L2CAP_HDR_SIZE);
2452 lh->cid = cpu_to_le16(chan->dcid);
2453 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2454
2455 if (sdulen)
2456 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2457
2458 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2459 if (unlikely(err < 0)) {
2460 kfree_skb(skb);
2461 return ERR_PTR(err);
2462 }
2463
2464 return skb;
2465 }
2466
l2cap_segment_le_sdu(struct l2cap_chan * chan,struct sk_buff_head * seg_queue,struct msghdr * msg,size_t len)2467 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2468 struct sk_buff_head *seg_queue,
2469 struct msghdr *msg, size_t len)
2470 {
2471 struct sk_buff *skb;
2472 size_t pdu_len;
2473 u16 sdu_len;
2474
2475 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2476
2477 sdu_len = len;
2478 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2479
2480 while (len > 0) {
2481 if (len <= pdu_len)
2482 pdu_len = len;
2483
2484 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2485 if (IS_ERR(skb)) {
2486 __skb_queue_purge(seg_queue);
2487 return PTR_ERR(skb);
2488 }
2489
2490 __skb_queue_tail(seg_queue, skb);
2491
2492 len -= pdu_len;
2493
2494 if (sdu_len) {
2495 sdu_len = 0;
2496 pdu_len += L2CAP_SDULEN_SIZE;
2497 }
2498 }
2499
2500 return 0;
2501 }
2502
l2cap_le_flowctl_send(struct l2cap_chan * chan)2503 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2504 {
2505 int sent = 0;
2506
2507 BT_DBG("chan %p", chan);
2508
2509 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2510 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2511 chan->tx_credits--;
2512 sent++;
2513 }
2514
2515 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2516 skb_queue_len(&chan->tx_q));
2517 }
2518
l2cap_chan_send(struct l2cap_chan * chan,struct msghdr * msg,size_t len)2519 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2520 {
2521 struct sk_buff *skb;
2522 int err;
2523 struct sk_buff_head seg_queue;
2524
2525 if (!chan->conn)
2526 return -ENOTCONN;
2527
2528 /* Connectionless channel */
2529 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2530 skb = l2cap_create_connless_pdu(chan, msg, len);
2531 if (IS_ERR(skb))
2532 return PTR_ERR(skb);
2533
2534 l2cap_do_send(chan, skb);
2535 return len;
2536 }
2537
2538 switch (chan->mode) {
2539 case L2CAP_MODE_LE_FLOWCTL:
2540 case L2CAP_MODE_EXT_FLOWCTL:
2541 /* Check outgoing MTU */
2542 if (len > chan->omtu)
2543 return -EMSGSIZE;
2544
2545 __skb_queue_head_init(&seg_queue);
2546
2547 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2548
2549 if (chan->state != BT_CONNECTED) {
2550 __skb_queue_purge(&seg_queue);
2551 err = -ENOTCONN;
2552 }
2553
2554 if (err)
2555 return err;
2556
2557 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2558
2559 l2cap_le_flowctl_send(chan);
2560
2561 if (!chan->tx_credits)
2562 chan->ops->suspend(chan);
2563
2564 err = len;
2565
2566 break;
2567
2568 case L2CAP_MODE_BASIC:
2569 /* Check outgoing MTU */
2570 if (len > chan->omtu)
2571 return -EMSGSIZE;
2572
2573 /* Create a basic PDU */
2574 skb = l2cap_create_basic_pdu(chan, msg, len);
2575 if (IS_ERR(skb))
2576 return PTR_ERR(skb);
2577
2578 l2cap_do_send(chan, skb);
2579 err = len;
2580 break;
2581
2582 case L2CAP_MODE_ERTM:
2583 case L2CAP_MODE_STREAMING:
2584 /* Check outgoing MTU */
2585 if (len > chan->omtu) {
2586 err = -EMSGSIZE;
2587 break;
2588 }
2589
2590 __skb_queue_head_init(&seg_queue);
2591
2592 /* Do segmentation before calling in to the state machine,
2593 * since it's possible to block while waiting for memory
2594 * allocation.
2595 */
2596 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2597
2598 if (err)
2599 break;
2600
2601 if (chan->mode == L2CAP_MODE_ERTM)
2602 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2603 else
2604 l2cap_streaming_send(chan, &seg_queue);
2605
2606 err = len;
2607
2608 /* If the skbs were not queued for sending, they'll still be in
2609 * seg_queue and need to be purged.
2610 */
2611 __skb_queue_purge(&seg_queue);
2612 break;
2613
2614 default:
2615 BT_DBG("bad state %1.1x", chan->mode);
2616 err = -EBADFD;
2617 }
2618
2619 return err;
2620 }
2621 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2622
l2cap_send_srej(struct l2cap_chan * chan,u16 txseq)2623 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2624 {
2625 struct l2cap_ctrl control;
2626 u16 seq;
2627
2628 BT_DBG("chan %p, txseq %u", chan, txseq);
2629
2630 memset(&control, 0, sizeof(control));
2631 control.sframe = 1;
2632 control.super = L2CAP_SUPER_SREJ;
2633
2634 for (seq = chan->expected_tx_seq; seq != txseq;
2635 seq = __next_seq(chan, seq)) {
2636 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2637 control.reqseq = seq;
2638 l2cap_send_sframe(chan, &control);
2639 l2cap_seq_list_append(&chan->srej_list, seq);
2640 }
2641 }
2642
2643 chan->expected_tx_seq = __next_seq(chan, txseq);
2644 }
2645
l2cap_send_srej_tail(struct l2cap_chan * chan)2646 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2647 {
2648 struct l2cap_ctrl control;
2649
2650 BT_DBG("chan %p", chan);
2651
2652 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2653 return;
2654
2655 memset(&control, 0, sizeof(control));
2656 control.sframe = 1;
2657 control.super = L2CAP_SUPER_SREJ;
2658 control.reqseq = chan->srej_list.tail;
2659 l2cap_send_sframe(chan, &control);
2660 }
2661
l2cap_send_srej_list(struct l2cap_chan * chan,u16 txseq)2662 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2663 {
2664 struct l2cap_ctrl control;
2665 u16 initial_head;
2666 u16 seq;
2667
2668 BT_DBG("chan %p, txseq %u", chan, txseq);
2669
2670 memset(&control, 0, sizeof(control));
2671 control.sframe = 1;
2672 control.super = L2CAP_SUPER_SREJ;
2673
2674 /* Capture initial list head to allow only one pass through the list. */
2675 initial_head = chan->srej_list.head;
2676
2677 do {
2678 seq = l2cap_seq_list_pop(&chan->srej_list);
2679 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2680 break;
2681
2682 control.reqseq = seq;
2683 l2cap_send_sframe(chan, &control);
2684 l2cap_seq_list_append(&chan->srej_list, seq);
2685 } while (chan->srej_list.head != initial_head);
2686 }
2687
l2cap_process_reqseq(struct l2cap_chan * chan,u16 reqseq)2688 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2689 {
2690 struct sk_buff *acked_skb;
2691 u16 ackseq;
2692
2693 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2694
2695 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2696 return;
2697
2698 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2699 chan->expected_ack_seq, chan->unacked_frames);
2700
2701 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2702 ackseq = __next_seq(chan, ackseq)) {
2703
2704 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2705 if (acked_skb) {
2706 skb_unlink(acked_skb, &chan->tx_q);
2707 kfree_skb(acked_skb);
2708 chan->unacked_frames--;
2709 }
2710 }
2711
2712 chan->expected_ack_seq = reqseq;
2713
2714 if (chan->unacked_frames == 0)
2715 __clear_retrans_timer(chan);
2716
2717 BT_DBG("unacked_frames %u", chan->unacked_frames);
2718 }
2719
l2cap_abort_rx_srej_sent(struct l2cap_chan * chan)2720 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2721 {
2722 BT_DBG("chan %p", chan);
2723
2724 chan->expected_tx_seq = chan->buffer_seq;
2725 l2cap_seq_list_clear(&chan->srej_list);
2726 skb_queue_purge(&chan->srej_q);
2727 chan->rx_state = L2CAP_RX_STATE_RECV;
2728 }
2729
l2cap_tx_state_xmit(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff_head * skbs,u8 event)2730 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2731 struct l2cap_ctrl *control,
2732 struct sk_buff_head *skbs, u8 event)
2733 {
2734 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2735 event);
2736
2737 switch (event) {
2738 case L2CAP_EV_DATA_REQUEST:
2739 if (chan->tx_send_head == NULL)
2740 chan->tx_send_head = skb_peek(skbs);
2741
2742 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2743 l2cap_ertm_send(chan);
2744 break;
2745 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2746 BT_DBG("Enter LOCAL_BUSY");
2747 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2748
2749 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2750 /* The SREJ_SENT state must be aborted if we are to
2751 * enter the LOCAL_BUSY state.
2752 */
2753 l2cap_abort_rx_srej_sent(chan);
2754 }
2755
2756 l2cap_send_ack(chan);
2757
2758 break;
2759 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2760 BT_DBG("Exit LOCAL_BUSY");
2761 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2762
2763 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2764 struct l2cap_ctrl local_control;
2765
2766 memset(&local_control, 0, sizeof(local_control));
2767 local_control.sframe = 1;
2768 local_control.super = L2CAP_SUPER_RR;
2769 local_control.poll = 1;
2770 local_control.reqseq = chan->buffer_seq;
2771 l2cap_send_sframe(chan, &local_control);
2772
2773 chan->retry_count = 1;
2774 __set_monitor_timer(chan);
2775 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2776 }
2777 break;
2778 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2779 l2cap_process_reqseq(chan, control->reqseq);
2780 break;
2781 case L2CAP_EV_EXPLICIT_POLL:
2782 l2cap_send_rr_or_rnr(chan, 1);
2783 chan->retry_count = 1;
2784 __set_monitor_timer(chan);
2785 __clear_ack_timer(chan);
2786 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2787 break;
2788 case L2CAP_EV_RETRANS_TO:
2789 l2cap_send_rr_or_rnr(chan, 1);
2790 chan->retry_count = 1;
2791 __set_monitor_timer(chan);
2792 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2793 break;
2794 case L2CAP_EV_RECV_FBIT:
2795 /* Nothing to process */
2796 break;
2797 default:
2798 break;
2799 }
2800 }
2801
l2cap_tx_state_wait_f(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff_head * skbs,u8 event)2802 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2803 struct l2cap_ctrl *control,
2804 struct sk_buff_head *skbs, u8 event)
2805 {
2806 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2807 event);
2808
2809 switch (event) {
2810 case L2CAP_EV_DATA_REQUEST:
2811 if (chan->tx_send_head == NULL)
2812 chan->tx_send_head = skb_peek(skbs);
2813 /* Queue data, but don't send. */
2814 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2815 break;
2816 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2817 BT_DBG("Enter LOCAL_BUSY");
2818 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2819
2820 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2821 /* The SREJ_SENT state must be aborted if we are to
2822 * enter the LOCAL_BUSY state.
2823 */
2824 l2cap_abort_rx_srej_sent(chan);
2825 }
2826
2827 l2cap_send_ack(chan);
2828
2829 break;
2830 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2831 BT_DBG("Exit LOCAL_BUSY");
2832 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2833
2834 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2835 struct l2cap_ctrl local_control;
2836 memset(&local_control, 0, sizeof(local_control));
2837 local_control.sframe = 1;
2838 local_control.super = L2CAP_SUPER_RR;
2839 local_control.poll = 1;
2840 local_control.reqseq = chan->buffer_seq;
2841 l2cap_send_sframe(chan, &local_control);
2842
2843 chan->retry_count = 1;
2844 __set_monitor_timer(chan);
2845 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2846 }
2847 break;
2848 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2849 l2cap_process_reqseq(chan, control->reqseq);
2850 fallthrough;
2851
2852 case L2CAP_EV_RECV_FBIT:
2853 if (control && control->final) {
2854 __clear_monitor_timer(chan);
2855 if (chan->unacked_frames > 0)
2856 __set_retrans_timer(chan);
2857 chan->retry_count = 0;
2858 chan->tx_state = L2CAP_TX_STATE_XMIT;
2859 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2860 }
2861 break;
2862 case L2CAP_EV_EXPLICIT_POLL:
2863 /* Ignore */
2864 break;
2865 case L2CAP_EV_MONITOR_TO:
2866 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2867 l2cap_send_rr_or_rnr(chan, 1);
2868 __set_monitor_timer(chan);
2869 chan->retry_count++;
2870 } else {
2871 l2cap_send_disconn_req(chan, ECONNABORTED);
2872 }
2873 break;
2874 default:
2875 break;
2876 }
2877 }
2878
l2cap_tx(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff_head * skbs,u8 event)2879 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2880 struct sk_buff_head *skbs, u8 event)
2881 {
2882 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2883 chan, control, skbs, event, chan->tx_state);
2884
2885 switch (chan->tx_state) {
2886 case L2CAP_TX_STATE_XMIT:
2887 l2cap_tx_state_xmit(chan, control, skbs, event);
2888 break;
2889 case L2CAP_TX_STATE_WAIT_F:
2890 l2cap_tx_state_wait_f(chan, control, skbs, event);
2891 break;
2892 default:
2893 /* Ignore event */
2894 break;
2895 }
2896 }
2897
l2cap_pass_to_tx(struct l2cap_chan * chan,struct l2cap_ctrl * control)2898 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2899 struct l2cap_ctrl *control)
2900 {
2901 BT_DBG("chan %p, control %p", chan, control);
2902 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2903 }
2904
l2cap_pass_to_tx_fbit(struct l2cap_chan * chan,struct l2cap_ctrl * control)2905 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2906 struct l2cap_ctrl *control)
2907 {
2908 BT_DBG("chan %p, control %p", chan, control);
2909 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2910 }
2911
2912 /* Copy frame to all raw sockets on that connection */
l2cap_raw_recv(struct l2cap_conn * conn,struct sk_buff * skb)2913 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2914 {
2915 struct sk_buff *nskb;
2916 struct l2cap_chan *chan;
2917
2918 BT_DBG("conn %p", conn);
2919
2920 list_for_each_entry(chan, &conn->chan_l, list) {
2921 if (chan->chan_type != L2CAP_CHAN_RAW)
2922 continue;
2923
2924 /* Don't send frame to the channel it came from */
2925 if (bt_cb(skb)->l2cap.chan == chan)
2926 continue;
2927
2928 nskb = skb_clone(skb, GFP_KERNEL);
2929 if (!nskb)
2930 continue;
2931 if (chan->ops->recv(chan, nskb))
2932 kfree_skb(nskb);
2933 }
2934 }
2935
2936 /* ---- L2CAP signalling commands ---- */
l2cap_build_cmd(struct l2cap_conn * conn,u8 code,u8 ident,u16 dlen,void * data)2937 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2938 u8 ident, u16 dlen, void *data)
2939 {
2940 struct sk_buff *skb, **frag;
2941 struct l2cap_cmd_hdr *cmd;
2942 struct l2cap_hdr *lh;
2943 int len, count;
2944
2945 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2946 conn, code, ident, dlen);
2947
2948 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2949 return NULL;
2950
2951 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2952 count = min_t(unsigned int, conn->mtu, len);
2953
2954 skb = bt_skb_alloc(count, GFP_KERNEL);
2955 if (!skb)
2956 return NULL;
2957
2958 lh = skb_put(skb, L2CAP_HDR_SIZE);
2959 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2960
2961 if (conn->hcon->type == LE_LINK)
2962 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2963 else
2964 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2965
2966 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2967 cmd->code = code;
2968 cmd->ident = ident;
2969 cmd->len = cpu_to_le16(dlen);
2970
2971 if (dlen) {
2972 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2973 skb_put_data(skb, data, count);
2974 data += count;
2975 }
2976
2977 len -= skb->len;
2978
2979 /* Continuation fragments (no L2CAP header) */
2980 frag = &skb_shinfo(skb)->frag_list;
2981 while (len) {
2982 count = min_t(unsigned int, conn->mtu, len);
2983
2984 *frag = bt_skb_alloc(count, GFP_KERNEL);
2985 if (!*frag)
2986 goto fail;
2987
2988 skb_put_data(*frag, data, count);
2989
2990 len -= count;
2991 data += count;
2992
2993 frag = &(*frag)->next;
2994 }
2995
2996 return skb;
2997
2998 fail:
2999 kfree_skb(skb);
3000 return NULL;
3001 }
3002
l2cap_get_conf_opt(void ** ptr,int * type,int * olen,unsigned long * val)3003 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3004 unsigned long *val)
3005 {
3006 struct l2cap_conf_opt *opt = *ptr;
3007 int len;
3008
3009 len = L2CAP_CONF_OPT_SIZE + opt->len;
3010 *ptr += len;
3011
3012 *type = opt->type;
3013 *olen = opt->len;
3014
3015 switch (opt->len) {
3016 case 1:
3017 *val = *((u8 *) opt->val);
3018 break;
3019
3020 case 2:
3021 *val = get_unaligned_le16(opt->val);
3022 break;
3023
3024 case 4:
3025 *val = get_unaligned_le32(opt->val);
3026 break;
3027
3028 default:
3029 *val = (unsigned long) opt->val;
3030 break;
3031 }
3032
3033 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3034 return len;
3035 }
3036
l2cap_add_conf_opt(void ** ptr,u8 type,u8 len,unsigned long val,size_t size)3037 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3038 {
3039 struct l2cap_conf_opt *opt = *ptr;
3040
3041 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3042
3043 if (size < L2CAP_CONF_OPT_SIZE + len)
3044 return;
3045
3046 opt->type = type;
3047 opt->len = len;
3048
3049 switch (len) {
3050 case 1:
3051 *((u8 *) opt->val) = val;
3052 break;
3053
3054 case 2:
3055 put_unaligned_le16(val, opt->val);
3056 break;
3057
3058 case 4:
3059 put_unaligned_le32(val, opt->val);
3060 break;
3061
3062 default:
3063 memcpy(opt->val, (void *) val, len);
3064 break;
3065 }
3066
3067 *ptr += L2CAP_CONF_OPT_SIZE + len;
3068 }
3069
l2cap_add_opt_efs(void ** ptr,struct l2cap_chan * chan,size_t size)3070 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3071 {
3072 struct l2cap_conf_efs efs;
3073
3074 switch (chan->mode) {
3075 case L2CAP_MODE_ERTM:
3076 efs.id = chan->local_id;
3077 efs.stype = chan->local_stype;
3078 efs.msdu = cpu_to_le16(chan->local_msdu);
3079 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3080 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3081 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3082 break;
3083
3084 case L2CAP_MODE_STREAMING:
3085 efs.id = 1;
3086 efs.stype = L2CAP_SERV_BESTEFFORT;
3087 efs.msdu = cpu_to_le16(chan->local_msdu);
3088 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3089 efs.acc_lat = 0;
3090 efs.flush_to = 0;
3091 break;
3092
3093 default:
3094 return;
3095 }
3096
3097 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3098 (unsigned long) &efs, size);
3099 }
3100
l2cap_ack_timeout(struct work_struct * work)3101 static void l2cap_ack_timeout(struct work_struct *work)
3102 {
3103 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3104 ack_timer.work);
3105 u16 frames_to_ack;
3106
3107 BT_DBG("chan %p", chan);
3108
3109 l2cap_chan_lock(chan);
3110
3111 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3112 chan->last_acked_seq);
3113
3114 if (frames_to_ack)
3115 l2cap_send_rr_or_rnr(chan, 0);
3116
3117 l2cap_chan_unlock(chan);
3118 l2cap_chan_put(chan);
3119 }
3120
l2cap_ertm_init(struct l2cap_chan * chan)3121 int l2cap_ertm_init(struct l2cap_chan *chan)
3122 {
3123 int err;
3124
3125 chan->next_tx_seq = 0;
3126 chan->expected_tx_seq = 0;
3127 chan->expected_ack_seq = 0;
3128 chan->unacked_frames = 0;
3129 chan->buffer_seq = 0;
3130 chan->frames_sent = 0;
3131 chan->last_acked_seq = 0;
3132 chan->sdu = NULL;
3133 chan->sdu_last_frag = NULL;
3134 chan->sdu_len = 0;
3135
3136 skb_queue_head_init(&chan->tx_q);
3137
3138 if (chan->mode != L2CAP_MODE_ERTM)
3139 return 0;
3140
3141 chan->rx_state = L2CAP_RX_STATE_RECV;
3142 chan->tx_state = L2CAP_TX_STATE_XMIT;
3143
3144 skb_queue_head_init(&chan->srej_q);
3145
3146 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3147 if (err < 0)
3148 return err;
3149
3150 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3151 if (err < 0)
3152 l2cap_seq_list_free(&chan->srej_list);
3153
3154 return err;
3155 }
3156
l2cap_select_mode(__u8 mode,__u16 remote_feat_mask)3157 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3158 {
3159 switch (mode) {
3160 case L2CAP_MODE_STREAMING:
3161 case L2CAP_MODE_ERTM:
3162 if (l2cap_mode_supported(mode, remote_feat_mask))
3163 return mode;
3164 fallthrough;
3165 default:
3166 return L2CAP_MODE_BASIC;
3167 }
3168 }
3169
__l2cap_ews_supported(struct l2cap_conn * conn)3170 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3171 {
3172 return (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW);
3173 }
3174
__l2cap_efs_supported(struct l2cap_conn * conn)3175 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3176 {
3177 return (conn->feat_mask & L2CAP_FEAT_EXT_FLOW);
3178 }
3179
__l2cap_set_ertm_timeouts(struct l2cap_chan * chan,struct l2cap_conf_rfc * rfc)3180 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3181 struct l2cap_conf_rfc *rfc)
3182 {
3183 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3184 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3185 }
3186
l2cap_txwin_setup(struct l2cap_chan * chan)3187 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3188 {
3189 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3190 __l2cap_ews_supported(chan->conn)) {
3191 /* use extended control field */
3192 set_bit(FLAG_EXT_CTRL, &chan->flags);
3193 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3194 } else {
3195 chan->tx_win = min_t(u16, chan->tx_win,
3196 L2CAP_DEFAULT_TX_WINDOW);
3197 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3198 }
3199 chan->ack_win = chan->tx_win;
3200 }
3201
l2cap_mtu_auto(struct l2cap_chan * chan)3202 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3203 {
3204 struct hci_conn *conn = chan->conn->hcon;
3205
3206 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3207
3208 /* The 2-DH1 packet has between 2 and 56 information bytes
3209 * (including the 2-byte payload header)
3210 */
3211 if (!(conn->pkt_type & HCI_2DH1))
3212 chan->imtu = 54;
3213
3214 /* The 3-DH1 packet has between 2 and 85 information bytes
3215 * (including the 2-byte payload header)
3216 */
3217 if (!(conn->pkt_type & HCI_3DH1))
3218 chan->imtu = 83;
3219
3220 /* The 2-DH3 packet has between 2 and 369 information bytes
3221 * (including the 2-byte payload header)
3222 */
3223 if (!(conn->pkt_type & HCI_2DH3))
3224 chan->imtu = 367;
3225
3226 /* The 3-DH3 packet has between 2 and 554 information bytes
3227 * (including the 2-byte payload header)
3228 */
3229 if (!(conn->pkt_type & HCI_3DH3))
3230 chan->imtu = 552;
3231
3232 /* The 2-DH5 packet has between 2 and 681 information bytes
3233 * (including the 2-byte payload header)
3234 */
3235 if (!(conn->pkt_type & HCI_2DH5))
3236 chan->imtu = 679;
3237
3238 /* The 3-DH5 packet has between 2 and 1023 information bytes
3239 * (including the 2-byte payload header)
3240 */
3241 if (!(conn->pkt_type & HCI_3DH5))
3242 chan->imtu = 1021;
3243 }
3244
l2cap_build_conf_req(struct l2cap_chan * chan,void * data,size_t data_size)3245 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3246 {
3247 struct l2cap_conf_req *req = data;
3248 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3249 void *ptr = req->data;
3250 void *endptr = data + data_size;
3251 u16 size;
3252
3253 BT_DBG("chan %p", chan);
3254
3255 if (chan->num_conf_req || chan->num_conf_rsp)
3256 goto done;
3257
3258 switch (chan->mode) {
3259 case L2CAP_MODE_STREAMING:
3260 case L2CAP_MODE_ERTM:
3261 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3262 break;
3263
3264 if (__l2cap_efs_supported(chan->conn))
3265 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3266
3267 fallthrough;
3268 default:
3269 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3270 break;
3271 }
3272
3273 done:
3274 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3275 if (!chan->imtu)
3276 l2cap_mtu_auto(chan);
3277 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3278 endptr - ptr);
3279 }
3280
3281 switch (chan->mode) {
3282 case L2CAP_MODE_BASIC:
3283 if (disable_ertm)
3284 break;
3285
3286 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3287 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3288 break;
3289
3290 rfc.mode = L2CAP_MODE_BASIC;
3291 rfc.txwin_size = 0;
3292 rfc.max_transmit = 0;
3293 rfc.retrans_timeout = 0;
3294 rfc.monitor_timeout = 0;
3295 rfc.max_pdu_size = 0;
3296
3297 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3298 (unsigned long) &rfc, endptr - ptr);
3299 break;
3300
3301 case L2CAP_MODE_ERTM:
3302 rfc.mode = L2CAP_MODE_ERTM;
3303 rfc.max_transmit = chan->max_tx;
3304
3305 __l2cap_set_ertm_timeouts(chan, &rfc);
3306
3307 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3308 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3309 L2CAP_FCS_SIZE);
3310 rfc.max_pdu_size = cpu_to_le16(size);
3311
3312 l2cap_txwin_setup(chan);
3313
3314 rfc.txwin_size = min_t(u16, chan->tx_win,
3315 L2CAP_DEFAULT_TX_WINDOW);
3316
3317 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3318 (unsigned long) &rfc, endptr - ptr);
3319
3320 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3321 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3322
3323 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3324 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3325 chan->tx_win, endptr - ptr);
3326
3327 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3328 if (chan->fcs == L2CAP_FCS_NONE ||
3329 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3330 chan->fcs = L2CAP_FCS_NONE;
3331 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3332 chan->fcs, endptr - ptr);
3333 }
3334 break;
3335
3336 case L2CAP_MODE_STREAMING:
3337 l2cap_txwin_setup(chan);
3338 rfc.mode = L2CAP_MODE_STREAMING;
3339 rfc.txwin_size = 0;
3340 rfc.max_transmit = 0;
3341 rfc.retrans_timeout = 0;
3342 rfc.monitor_timeout = 0;
3343
3344 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3345 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3346 L2CAP_FCS_SIZE);
3347 rfc.max_pdu_size = cpu_to_le16(size);
3348
3349 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3350 (unsigned long) &rfc, endptr - ptr);
3351
3352 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3353 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3354
3355 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3356 if (chan->fcs == L2CAP_FCS_NONE ||
3357 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3358 chan->fcs = L2CAP_FCS_NONE;
3359 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3360 chan->fcs, endptr - ptr);
3361 }
3362 break;
3363 }
3364
3365 req->dcid = cpu_to_le16(chan->dcid);
3366 req->flags = cpu_to_le16(0);
3367
3368 return ptr - data;
3369 }
3370
l2cap_parse_conf_req(struct l2cap_chan * chan,void * data,size_t data_size)3371 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3372 {
3373 struct l2cap_conf_rsp *rsp = data;
3374 void *ptr = rsp->data;
3375 void *endptr = data + data_size;
3376 void *req = chan->conf_req;
3377 int len = chan->conf_len;
3378 int type, hint, olen;
3379 unsigned long val;
3380 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3381 struct l2cap_conf_efs efs;
3382 u8 remote_efs = 0;
3383 u16 mtu = 0;
3384 u16 result = L2CAP_CONF_SUCCESS;
3385 u16 size;
3386
3387 BT_DBG("chan %p", chan);
3388
3389 while (len >= L2CAP_CONF_OPT_SIZE) {
3390 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3391 if (len < 0)
3392 break;
3393
3394 hint = type & L2CAP_CONF_HINT;
3395 type &= L2CAP_CONF_MASK;
3396
3397 switch (type) {
3398 case L2CAP_CONF_MTU:
3399 if (olen != 2)
3400 break;
3401 mtu = val;
3402 break;
3403
3404 case L2CAP_CONF_FLUSH_TO:
3405 if (olen != 2)
3406 break;
3407 chan->flush_to = val;
3408 break;
3409
3410 case L2CAP_CONF_QOS:
3411 break;
3412
3413 case L2CAP_CONF_RFC:
3414 if (olen != sizeof(rfc))
3415 break;
3416 memcpy(&rfc, (void *) val, olen);
3417 break;
3418
3419 case L2CAP_CONF_FCS:
3420 if (olen != 1)
3421 break;
3422 if (val == L2CAP_FCS_NONE)
3423 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3424 break;
3425
3426 case L2CAP_CONF_EFS:
3427 if (olen != sizeof(efs))
3428 break;
3429 remote_efs = 1;
3430 memcpy(&efs, (void *) val, olen);
3431 break;
3432
3433 case L2CAP_CONF_EWS:
3434 if (olen != 2)
3435 break;
3436 return -ECONNREFUSED;
3437
3438 default:
3439 if (hint)
3440 break;
3441 result = L2CAP_CONF_UNKNOWN;
3442 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr);
3443 break;
3444 }
3445 }
3446
3447 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3448 goto done;
3449
3450 switch (chan->mode) {
3451 case L2CAP_MODE_STREAMING:
3452 case L2CAP_MODE_ERTM:
3453 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3454 chan->mode = l2cap_select_mode(rfc.mode,
3455 chan->conn->feat_mask);
3456 break;
3457 }
3458
3459 if (remote_efs) {
3460 if (__l2cap_efs_supported(chan->conn))
3461 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3462 else
3463 return -ECONNREFUSED;
3464 }
3465
3466 if (chan->mode != rfc.mode)
3467 return -ECONNREFUSED;
3468
3469 break;
3470 }
3471
3472 done:
3473 if (chan->mode != rfc.mode) {
3474 result = L2CAP_CONF_UNACCEPT;
3475 rfc.mode = chan->mode;
3476
3477 if (chan->num_conf_rsp == 1)
3478 return -ECONNREFUSED;
3479
3480 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3481 (unsigned long) &rfc, endptr - ptr);
3482 }
3483
3484 if (result == L2CAP_CONF_SUCCESS) {
3485 /* Configure output options and let the other side know
3486 * which ones we don't like. */
3487
3488 /* If MTU is not provided in configure request, use the most recently
3489 * explicitly or implicitly accepted value for the other direction,
3490 * or the default value.
3491 */
3492 if (mtu == 0)
3493 mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU;
3494
3495 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3496 result = L2CAP_CONF_UNACCEPT;
3497 else {
3498 chan->omtu = mtu;
3499 set_bit(CONF_MTU_DONE, &chan->conf_state);
3500 }
3501 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3502
3503 if (remote_efs) {
3504 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3505 efs.stype != L2CAP_SERV_NOTRAFIC &&
3506 efs.stype != chan->local_stype) {
3507
3508 result = L2CAP_CONF_UNACCEPT;
3509
3510 if (chan->num_conf_req >= 1)
3511 return -ECONNREFUSED;
3512
3513 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3514 sizeof(efs),
3515 (unsigned long) &efs, endptr - ptr);
3516 } else {
3517 /* Send PENDING Conf Rsp */
3518 result = L2CAP_CONF_PENDING;
3519 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3520 }
3521 }
3522
3523 switch (rfc.mode) {
3524 case L2CAP_MODE_BASIC:
3525 chan->fcs = L2CAP_FCS_NONE;
3526 set_bit(CONF_MODE_DONE, &chan->conf_state);
3527 break;
3528
3529 case L2CAP_MODE_ERTM:
3530 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3531 chan->remote_tx_win = rfc.txwin_size;
3532 else
3533 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3534
3535 chan->remote_max_tx = rfc.max_transmit;
3536
3537 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3538 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3539 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3540 rfc.max_pdu_size = cpu_to_le16(size);
3541 chan->remote_mps = size;
3542
3543 __l2cap_set_ertm_timeouts(chan, &rfc);
3544
3545 set_bit(CONF_MODE_DONE, &chan->conf_state);
3546
3547 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3548 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3549
3550 if (remote_efs &&
3551 test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3552 chan->remote_id = efs.id;
3553 chan->remote_stype = efs.stype;
3554 chan->remote_msdu = le16_to_cpu(efs.msdu);
3555 chan->remote_flush_to =
3556 le32_to_cpu(efs.flush_to);
3557 chan->remote_acc_lat =
3558 le32_to_cpu(efs.acc_lat);
3559 chan->remote_sdu_itime =
3560 le32_to_cpu(efs.sdu_itime);
3561 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3562 sizeof(efs),
3563 (unsigned long) &efs, endptr - ptr);
3564 }
3565 break;
3566
3567 case L2CAP_MODE_STREAMING:
3568 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3569 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3570 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3571 rfc.max_pdu_size = cpu_to_le16(size);
3572 chan->remote_mps = size;
3573
3574 set_bit(CONF_MODE_DONE, &chan->conf_state);
3575
3576 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3577 (unsigned long) &rfc, endptr - ptr);
3578
3579 break;
3580
3581 default:
3582 result = L2CAP_CONF_UNACCEPT;
3583
3584 memset(&rfc, 0, sizeof(rfc));
3585 rfc.mode = chan->mode;
3586 }
3587
3588 if (result == L2CAP_CONF_SUCCESS)
3589 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3590 }
3591 rsp->scid = cpu_to_le16(chan->dcid);
3592 rsp->result = cpu_to_le16(result);
3593 rsp->flags = cpu_to_le16(0);
3594
3595 return ptr - data;
3596 }
3597
l2cap_parse_conf_rsp(struct l2cap_chan * chan,void * rsp,int len,void * data,size_t size,u16 * result)3598 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3599 void *data, size_t size, u16 *result)
3600 {
3601 struct l2cap_conf_req *req = data;
3602 void *ptr = req->data;
3603 void *endptr = data + size;
3604 int type, olen;
3605 unsigned long val;
3606 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3607 struct l2cap_conf_efs efs;
3608
3609 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3610
3611 while (len >= L2CAP_CONF_OPT_SIZE) {
3612 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3613 if (len < 0)
3614 break;
3615
3616 switch (type) {
3617 case L2CAP_CONF_MTU:
3618 if (olen != 2)
3619 break;
3620 if (val < L2CAP_DEFAULT_MIN_MTU) {
3621 *result = L2CAP_CONF_UNACCEPT;
3622 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3623 } else
3624 chan->imtu = val;
3625 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3626 endptr - ptr);
3627 break;
3628
3629 case L2CAP_CONF_FLUSH_TO:
3630 if (olen != 2)
3631 break;
3632 chan->flush_to = val;
3633 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3634 chan->flush_to, endptr - ptr);
3635 break;
3636
3637 case L2CAP_CONF_RFC:
3638 if (olen != sizeof(rfc))
3639 break;
3640 memcpy(&rfc, (void *)val, olen);
3641 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3642 rfc.mode != chan->mode)
3643 return -ECONNREFUSED;
3644 chan->fcs = 0;
3645 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3646 (unsigned long) &rfc, endptr - ptr);
3647 break;
3648
3649 case L2CAP_CONF_EWS:
3650 if (olen != 2)
3651 break;
3652 chan->ack_win = min_t(u16, val, chan->ack_win);
3653 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3654 chan->tx_win, endptr - ptr);
3655 break;
3656
3657 case L2CAP_CONF_EFS:
3658 if (olen != sizeof(efs))
3659 break;
3660 memcpy(&efs, (void *)val, olen);
3661 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3662 efs.stype != L2CAP_SERV_NOTRAFIC &&
3663 efs.stype != chan->local_stype)
3664 return -ECONNREFUSED;
3665 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3666 (unsigned long) &efs, endptr - ptr);
3667 break;
3668
3669 case L2CAP_CONF_FCS:
3670 if (olen != 1)
3671 break;
3672 if (*result == L2CAP_CONF_PENDING)
3673 if (val == L2CAP_FCS_NONE)
3674 set_bit(CONF_RECV_NO_FCS,
3675 &chan->conf_state);
3676 break;
3677 }
3678 }
3679
3680 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3681 return -ECONNREFUSED;
3682
3683 chan->mode = rfc.mode;
3684
3685 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3686 switch (rfc.mode) {
3687 case L2CAP_MODE_ERTM:
3688 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3689 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3690 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3691 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3692 chan->ack_win = min_t(u16, chan->ack_win,
3693 rfc.txwin_size);
3694
3695 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3696 chan->local_msdu = le16_to_cpu(efs.msdu);
3697 chan->local_sdu_itime =
3698 le32_to_cpu(efs.sdu_itime);
3699 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3700 chan->local_flush_to =
3701 le32_to_cpu(efs.flush_to);
3702 }
3703 break;
3704
3705 case L2CAP_MODE_STREAMING:
3706 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3707 }
3708 }
3709
3710 req->dcid = cpu_to_le16(chan->dcid);
3711 req->flags = cpu_to_le16(0);
3712
3713 return ptr - data;
3714 }
3715
l2cap_build_conf_rsp(struct l2cap_chan * chan,void * data,u16 result,u16 flags)3716 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3717 u16 result, u16 flags)
3718 {
3719 struct l2cap_conf_rsp *rsp = data;
3720 void *ptr = rsp->data;
3721
3722 BT_DBG("chan %p", chan);
3723
3724 rsp->scid = cpu_to_le16(chan->dcid);
3725 rsp->result = cpu_to_le16(result);
3726 rsp->flags = cpu_to_le16(flags);
3727
3728 return ptr - data;
3729 }
3730
__l2cap_le_connect_rsp_defer(struct l2cap_chan * chan)3731 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3732 {
3733 struct l2cap_le_conn_rsp rsp;
3734 struct l2cap_conn *conn = chan->conn;
3735
3736 BT_DBG("chan %p", chan);
3737
3738 rsp.dcid = cpu_to_le16(chan->scid);
3739 rsp.mtu = cpu_to_le16(chan->imtu);
3740 rsp.mps = cpu_to_le16(chan->mps);
3741 rsp.credits = cpu_to_le16(chan->rx_credits);
3742 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3743
3744 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3745 &rsp);
3746 }
3747
l2cap_ecred_list_defer(struct l2cap_chan * chan,void * data)3748 static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data)
3749 {
3750 int *result = data;
3751
3752 if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
3753 return;
3754
3755 switch (chan->state) {
3756 case BT_CONNECT2:
3757 /* If channel still pending accept add to result */
3758 (*result)++;
3759 return;
3760 case BT_CONNECTED:
3761 return;
3762 default:
3763 /* If not connected or pending accept it has been refused */
3764 *result = -ECONNREFUSED;
3765 return;
3766 }
3767 }
3768
3769 struct l2cap_ecred_rsp_data {
3770 struct {
3771 struct l2cap_ecred_conn_rsp rsp;
3772 __le16 scid[L2CAP_ECRED_MAX_CID];
3773 } __packed pdu;
3774 int count;
3775 };
3776
l2cap_ecred_rsp_defer(struct l2cap_chan * chan,void * data)3777 static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data)
3778 {
3779 struct l2cap_ecred_rsp_data *rsp = data;
3780
3781 /* Check if channel for outgoing connection or if it wasn't deferred
3782 * since in those cases it must be skipped.
3783 */
3784 if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags) ||
3785 !test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
3786 return;
3787
3788 /* Reset ident so only one response is sent */
3789 chan->ident = 0;
3790
3791 /* Include all channels pending with the same ident */
3792 if (!rsp->pdu.rsp.result)
3793 rsp->pdu.rsp.dcid[rsp->count++] = cpu_to_le16(chan->scid);
3794 else
3795 l2cap_chan_del(chan, ECONNRESET);
3796 }
3797
__l2cap_ecred_conn_rsp_defer(struct l2cap_chan * chan)3798 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3799 {
3800 struct l2cap_conn *conn = chan->conn;
3801 struct l2cap_ecred_rsp_data data;
3802 u16 id = chan->ident;
3803 int result = 0;
3804
3805 if (!id)
3806 return;
3807
3808 BT_DBG("chan %p id %d", chan, id);
3809
3810 memset(&data, 0, sizeof(data));
3811
3812 data.pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3813 data.pdu.rsp.mps = cpu_to_le16(chan->mps);
3814 data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3815 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3816
3817 /* Verify that all channels are ready */
3818 __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result);
3819
3820 if (result > 0)
3821 return;
3822
3823 if (result < 0)
3824 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION);
3825
3826 /* Build response */
3827 __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data);
3828
3829 l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP,
3830 sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)),
3831 &data.pdu);
3832 }
3833
__l2cap_connect_rsp_defer(struct l2cap_chan * chan)3834 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3835 {
3836 struct l2cap_conn_rsp rsp;
3837 struct l2cap_conn *conn = chan->conn;
3838 u8 buf[128];
3839 u8 rsp_code;
3840
3841 rsp.scid = cpu_to_le16(chan->dcid);
3842 rsp.dcid = cpu_to_le16(chan->scid);
3843 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3844 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3845 rsp_code = L2CAP_CONN_RSP;
3846
3847 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3848
3849 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3850
3851 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3852 return;
3853
3854 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3855 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3856 chan->num_conf_req++;
3857 }
3858
l2cap_conf_rfc_get(struct l2cap_chan * chan,void * rsp,int len)3859 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3860 {
3861 int type, olen;
3862 unsigned long val;
3863 /* Use sane default values in case a misbehaving remote device
3864 * did not send an RFC or extended window size option.
3865 */
3866 u16 txwin_ext = chan->ack_win;
3867 struct l2cap_conf_rfc rfc = {
3868 .mode = chan->mode,
3869 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3870 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3871 .max_pdu_size = cpu_to_le16(chan->imtu),
3872 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3873 };
3874
3875 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3876
3877 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3878 return;
3879
3880 while (len >= L2CAP_CONF_OPT_SIZE) {
3881 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3882 if (len < 0)
3883 break;
3884
3885 switch (type) {
3886 case L2CAP_CONF_RFC:
3887 if (olen != sizeof(rfc))
3888 break;
3889 memcpy(&rfc, (void *)val, olen);
3890 break;
3891 case L2CAP_CONF_EWS:
3892 if (olen != 2)
3893 break;
3894 txwin_ext = val;
3895 break;
3896 }
3897 }
3898
3899 switch (rfc.mode) {
3900 case L2CAP_MODE_ERTM:
3901 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3902 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3903 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3904 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3905 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3906 else
3907 chan->ack_win = min_t(u16, chan->ack_win,
3908 rfc.txwin_size);
3909 break;
3910 case L2CAP_MODE_STREAMING:
3911 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3912 }
3913 }
3914
l2cap_command_rej(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)3915 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3916 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3917 u8 *data)
3918 {
3919 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3920
3921 if (cmd_len < sizeof(*rej))
3922 return -EPROTO;
3923
3924 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3925 return 0;
3926
3927 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3928 cmd->ident == conn->info_ident) {
3929 cancel_delayed_work(&conn->info_timer);
3930
3931 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3932 conn->info_ident = 0;
3933
3934 l2cap_conn_start(conn);
3935 }
3936
3937 return 0;
3938 }
3939
l2cap_connect(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u8 * data,u8 rsp_code)3940 static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
3941 u8 *data, u8 rsp_code)
3942 {
3943 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3944 struct l2cap_conn_rsp rsp;
3945 struct l2cap_chan *chan = NULL, *pchan = NULL;
3946 int result, status = L2CAP_CS_NO_INFO;
3947
3948 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3949 __le16 psm = req->psm;
3950
3951 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3952
3953 /* Check if we have socket listening on psm */
3954 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3955 &conn->hcon->dst, ACL_LINK);
3956 if (!pchan) {
3957 result = L2CAP_CR_BAD_PSM;
3958 goto response;
3959 }
3960
3961 l2cap_chan_lock(pchan);
3962
3963 /* Check if the ACL is secure enough (if not SDP) */
3964 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3965 (!hci_conn_check_link_mode(conn->hcon) ||
3966 !l2cap_check_enc_key_size(conn->hcon, pchan))) {
3967 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3968 result = L2CAP_CR_SEC_BLOCK;
3969 goto response;
3970 }
3971
3972 result = L2CAP_CR_NO_MEM;
3973
3974 /* Check for valid dynamic CID range (as per Erratum 3253) */
3975 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3976 result = L2CAP_CR_INVALID_SCID;
3977 goto response;
3978 }
3979
3980 /* Check if we already have channel with that dcid */
3981 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3982 result = L2CAP_CR_SCID_IN_USE;
3983 goto response;
3984 }
3985
3986 chan = pchan->ops->new_connection(pchan);
3987 if (!chan)
3988 goto response;
3989
3990 /* For certain devices (ex: HID mouse), support for authentication,
3991 * pairing and bonding is optional. For such devices, inorder to avoid
3992 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3993 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3994 */
3995 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3996
3997 bacpy(&chan->src, &conn->hcon->src);
3998 bacpy(&chan->dst, &conn->hcon->dst);
3999 chan->src_type = bdaddr_src_type(conn->hcon);
4000 chan->dst_type = bdaddr_dst_type(conn->hcon);
4001 chan->psm = psm;
4002 chan->dcid = scid;
4003
4004 __l2cap_chan_add(conn, chan);
4005
4006 dcid = chan->scid;
4007
4008 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4009
4010 chan->ident = cmd->ident;
4011
4012 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4013 if (l2cap_chan_check_security(chan, false)) {
4014 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4015 l2cap_state_change(chan, BT_CONNECT2);
4016 result = L2CAP_CR_PEND;
4017 status = L2CAP_CS_AUTHOR_PEND;
4018 chan->ops->defer(chan);
4019 } else {
4020 l2cap_state_change(chan, BT_CONFIG);
4021 result = L2CAP_CR_SUCCESS;
4022 status = L2CAP_CS_NO_INFO;
4023 }
4024 } else {
4025 l2cap_state_change(chan, BT_CONNECT2);
4026 result = L2CAP_CR_PEND;
4027 status = L2CAP_CS_AUTHEN_PEND;
4028 }
4029 } else {
4030 l2cap_state_change(chan, BT_CONNECT2);
4031 result = L2CAP_CR_PEND;
4032 status = L2CAP_CS_NO_INFO;
4033 }
4034
4035 response:
4036 rsp.scid = cpu_to_le16(scid);
4037 rsp.dcid = cpu_to_le16(dcid);
4038 rsp.result = cpu_to_le16(result);
4039 rsp.status = cpu_to_le16(status);
4040 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4041
4042 if (!pchan)
4043 return;
4044
4045 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4046 struct l2cap_info_req info;
4047 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4048
4049 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4050 conn->info_ident = l2cap_get_ident(conn);
4051
4052 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4053
4054 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4055 sizeof(info), &info);
4056 }
4057
4058 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4059 result == L2CAP_CR_SUCCESS) {
4060 u8 buf[128];
4061 set_bit(CONF_REQ_SENT, &chan->conf_state);
4062 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4063 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4064 chan->num_conf_req++;
4065 }
4066
4067 l2cap_chan_unlock(pchan);
4068 l2cap_chan_put(pchan);
4069 }
4070
l2cap_connect_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4071 static int l2cap_connect_req(struct l2cap_conn *conn,
4072 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4073 {
4074 if (cmd_len < sizeof(struct l2cap_conn_req))
4075 return -EPROTO;
4076
4077 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP);
4078 return 0;
4079 }
4080
l2cap_connect_create_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4081 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4082 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4083 u8 *data)
4084 {
4085 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4086 u16 scid, dcid, result, status;
4087 struct l2cap_chan *chan;
4088 u8 req[128];
4089 int err;
4090
4091 if (cmd_len < sizeof(*rsp))
4092 return -EPROTO;
4093
4094 scid = __le16_to_cpu(rsp->scid);
4095 dcid = __le16_to_cpu(rsp->dcid);
4096 result = __le16_to_cpu(rsp->result);
4097 status = __le16_to_cpu(rsp->status);
4098
4099 if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START ||
4100 dcid > L2CAP_CID_DYN_END))
4101 return -EPROTO;
4102
4103 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4104 dcid, scid, result, status);
4105
4106 if (scid) {
4107 chan = __l2cap_get_chan_by_scid(conn, scid);
4108 if (!chan)
4109 return -EBADSLT;
4110 } else {
4111 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4112 if (!chan)
4113 return -EBADSLT;
4114 }
4115
4116 chan = l2cap_chan_hold_unless_zero(chan);
4117 if (!chan)
4118 return -EBADSLT;
4119
4120 err = 0;
4121
4122 l2cap_chan_lock(chan);
4123
4124 switch (result) {
4125 case L2CAP_CR_SUCCESS:
4126 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
4127 err = -EBADSLT;
4128 break;
4129 }
4130
4131 l2cap_state_change(chan, BT_CONFIG);
4132 chan->ident = 0;
4133 chan->dcid = dcid;
4134 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4135
4136 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4137 break;
4138
4139 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4140 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4141 chan->num_conf_req++;
4142 break;
4143
4144 case L2CAP_CR_PEND:
4145 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4146 break;
4147
4148 default:
4149 l2cap_chan_del(chan, ECONNREFUSED);
4150 break;
4151 }
4152
4153 l2cap_chan_unlock(chan);
4154 l2cap_chan_put(chan);
4155
4156 return err;
4157 }
4158
set_default_fcs(struct l2cap_chan * chan)4159 static inline void set_default_fcs(struct l2cap_chan *chan)
4160 {
4161 /* FCS is enabled only in ERTM or streaming mode, if one or both
4162 * sides request it.
4163 */
4164 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4165 chan->fcs = L2CAP_FCS_NONE;
4166 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4167 chan->fcs = L2CAP_FCS_CRC16;
4168 }
4169
l2cap_send_efs_conf_rsp(struct l2cap_chan * chan,void * data,u8 ident,u16 flags)4170 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4171 u8 ident, u16 flags)
4172 {
4173 struct l2cap_conn *conn = chan->conn;
4174
4175 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4176 flags);
4177
4178 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4179 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4180
4181 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4182 l2cap_build_conf_rsp(chan, data,
4183 L2CAP_CONF_SUCCESS, flags), data);
4184 }
4185
cmd_reject_invalid_cid(struct l2cap_conn * conn,u8 ident,u16 scid,u16 dcid)4186 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4187 u16 scid, u16 dcid)
4188 {
4189 struct l2cap_cmd_rej_cid rej;
4190
4191 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4192 rej.scid = __cpu_to_le16(scid);
4193 rej.dcid = __cpu_to_le16(dcid);
4194
4195 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4196 }
4197
l2cap_config_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4198 static inline int l2cap_config_req(struct l2cap_conn *conn,
4199 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4200 u8 *data)
4201 {
4202 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4203 u16 dcid, flags;
4204 u8 rsp[64];
4205 struct l2cap_chan *chan;
4206 int len, err = 0;
4207
4208 if (cmd_len < sizeof(*req))
4209 return -EPROTO;
4210
4211 dcid = __le16_to_cpu(req->dcid);
4212 flags = __le16_to_cpu(req->flags);
4213
4214 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4215
4216 chan = l2cap_get_chan_by_scid(conn, dcid);
4217 if (!chan) {
4218 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4219 return 0;
4220 }
4221
4222 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4223 chan->state != BT_CONNECTED) {
4224 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4225 chan->dcid);
4226 goto unlock;
4227 }
4228
4229 /* Reject if config buffer is too small. */
4230 len = cmd_len - sizeof(*req);
4231 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4232 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4233 l2cap_build_conf_rsp(chan, rsp,
4234 L2CAP_CONF_REJECT, flags), rsp);
4235 goto unlock;
4236 }
4237
4238 /* Store config. */
4239 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4240 chan->conf_len += len;
4241
4242 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4243 /* Incomplete config. Send empty response. */
4244 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4245 l2cap_build_conf_rsp(chan, rsp,
4246 L2CAP_CONF_SUCCESS, flags), rsp);
4247 goto unlock;
4248 }
4249
4250 /* Complete config. */
4251 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4252 if (len < 0) {
4253 l2cap_send_disconn_req(chan, ECONNRESET);
4254 goto unlock;
4255 }
4256
4257 chan->ident = cmd->ident;
4258 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4259 if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
4260 chan->num_conf_rsp++;
4261
4262 /* Reset config buffer. */
4263 chan->conf_len = 0;
4264
4265 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4266 goto unlock;
4267
4268 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4269 set_default_fcs(chan);
4270
4271 if (chan->mode == L2CAP_MODE_ERTM ||
4272 chan->mode == L2CAP_MODE_STREAMING)
4273 err = l2cap_ertm_init(chan);
4274
4275 if (err < 0)
4276 l2cap_send_disconn_req(chan, -err);
4277 else
4278 l2cap_chan_ready(chan);
4279
4280 goto unlock;
4281 }
4282
4283 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4284 u8 buf[64];
4285 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4286 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4287 chan->num_conf_req++;
4288 }
4289
4290 /* Got Conf Rsp PENDING from remote side and assume we sent
4291 Conf Rsp PENDING in the code above */
4292 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4293 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4294
4295 /* check compatibility */
4296
4297 /* Send rsp for BR/EDR channel */
4298 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4299 }
4300
4301 unlock:
4302 l2cap_chan_unlock(chan);
4303 l2cap_chan_put(chan);
4304 return err;
4305 }
4306
l2cap_config_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4307 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4308 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4309 u8 *data)
4310 {
4311 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4312 u16 scid, flags, result;
4313 struct l2cap_chan *chan;
4314 int len = cmd_len - sizeof(*rsp);
4315 int err = 0;
4316
4317 if (cmd_len < sizeof(*rsp))
4318 return -EPROTO;
4319
4320 scid = __le16_to_cpu(rsp->scid);
4321 flags = __le16_to_cpu(rsp->flags);
4322 result = __le16_to_cpu(rsp->result);
4323
4324 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4325 result, len);
4326
4327 chan = l2cap_get_chan_by_scid(conn, scid);
4328 if (!chan)
4329 return 0;
4330
4331 switch (result) {
4332 case L2CAP_CONF_SUCCESS:
4333 l2cap_conf_rfc_get(chan, rsp->data, len);
4334 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4335 break;
4336
4337 case L2CAP_CONF_PENDING:
4338 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4339
4340 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4341 char buf[64];
4342
4343 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4344 buf, sizeof(buf), &result);
4345 if (len < 0) {
4346 l2cap_send_disconn_req(chan, ECONNRESET);
4347 goto done;
4348 }
4349
4350 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0);
4351 }
4352 goto done;
4353
4354 case L2CAP_CONF_UNKNOWN:
4355 case L2CAP_CONF_UNACCEPT:
4356 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4357 char req[64];
4358
4359 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4360 l2cap_send_disconn_req(chan, ECONNRESET);
4361 goto done;
4362 }
4363
4364 /* throw out any old stored conf requests */
4365 result = L2CAP_CONF_SUCCESS;
4366 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4367 req, sizeof(req), &result);
4368 if (len < 0) {
4369 l2cap_send_disconn_req(chan, ECONNRESET);
4370 goto done;
4371 }
4372
4373 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4374 L2CAP_CONF_REQ, len, req);
4375 chan->num_conf_req++;
4376 if (result != L2CAP_CONF_SUCCESS)
4377 goto done;
4378 break;
4379 }
4380 fallthrough;
4381
4382 default:
4383 l2cap_chan_set_err(chan, ECONNRESET);
4384
4385 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4386 l2cap_send_disconn_req(chan, ECONNRESET);
4387 goto done;
4388 }
4389
4390 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4391 goto done;
4392
4393 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4394
4395 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4396 set_default_fcs(chan);
4397
4398 if (chan->mode == L2CAP_MODE_ERTM ||
4399 chan->mode == L2CAP_MODE_STREAMING)
4400 err = l2cap_ertm_init(chan);
4401
4402 if (err < 0)
4403 l2cap_send_disconn_req(chan, -err);
4404 else
4405 l2cap_chan_ready(chan);
4406 }
4407
4408 done:
4409 l2cap_chan_unlock(chan);
4410 l2cap_chan_put(chan);
4411 return err;
4412 }
4413
l2cap_disconnect_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4414 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4415 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4416 u8 *data)
4417 {
4418 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4419 struct l2cap_disconn_rsp rsp;
4420 u16 dcid, scid;
4421 struct l2cap_chan *chan;
4422
4423 if (cmd_len != sizeof(*req))
4424 return -EPROTO;
4425
4426 scid = __le16_to_cpu(req->scid);
4427 dcid = __le16_to_cpu(req->dcid);
4428
4429 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4430
4431 chan = l2cap_get_chan_by_scid(conn, dcid);
4432 if (!chan) {
4433 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4434 return 0;
4435 }
4436
4437 rsp.dcid = cpu_to_le16(chan->scid);
4438 rsp.scid = cpu_to_le16(chan->dcid);
4439 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4440
4441 chan->ops->set_shutdown(chan);
4442
4443 l2cap_chan_del(chan, ECONNRESET);
4444
4445 chan->ops->close(chan);
4446
4447 l2cap_chan_unlock(chan);
4448 l2cap_chan_put(chan);
4449
4450 return 0;
4451 }
4452
l2cap_disconnect_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4453 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4454 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4455 u8 *data)
4456 {
4457 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4458 u16 dcid, scid;
4459 struct l2cap_chan *chan;
4460
4461 if (cmd_len != sizeof(*rsp))
4462 return -EPROTO;
4463
4464 scid = __le16_to_cpu(rsp->scid);
4465 dcid = __le16_to_cpu(rsp->dcid);
4466
4467 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4468
4469 chan = l2cap_get_chan_by_scid(conn, scid);
4470 if (!chan) {
4471 return 0;
4472 }
4473
4474 if (chan->state != BT_DISCONN) {
4475 l2cap_chan_unlock(chan);
4476 l2cap_chan_put(chan);
4477 return 0;
4478 }
4479
4480 l2cap_chan_del(chan, 0);
4481
4482 chan->ops->close(chan);
4483
4484 l2cap_chan_unlock(chan);
4485 l2cap_chan_put(chan);
4486
4487 return 0;
4488 }
4489
l2cap_information_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4490 static inline int l2cap_information_req(struct l2cap_conn *conn,
4491 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4492 u8 *data)
4493 {
4494 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4495 u16 type;
4496
4497 if (cmd_len != sizeof(*req))
4498 return -EPROTO;
4499
4500 type = __le16_to_cpu(req->type);
4501
4502 BT_DBG("type 0x%4.4x", type);
4503
4504 if (type == L2CAP_IT_FEAT_MASK) {
4505 u8 buf[8];
4506 u32 feat_mask = l2cap_feat_mask;
4507 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4508 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4509 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4510 if (!disable_ertm)
4511 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4512 | L2CAP_FEAT_FCS;
4513
4514 put_unaligned_le32(feat_mask, rsp->data);
4515 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4516 buf);
4517 } else if (type == L2CAP_IT_FIXED_CHAN) {
4518 u8 buf[12];
4519 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4520
4521 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4522 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4523 rsp->data[0] = conn->local_fixed_chan;
4524 memset(rsp->data + 1, 0, 7);
4525 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4526 buf);
4527 } else {
4528 struct l2cap_info_rsp rsp;
4529 rsp.type = cpu_to_le16(type);
4530 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4531 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4532 &rsp);
4533 }
4534
4535 return 0;
4536 }
4537
l2cap_information_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4538 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4539 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4540 u8 *data)
4541 {
4542 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4543 u16 type, result;
4544
4545 if (cmd_len < sizeof(*rsp))
4546 return -EPROTO;
4547
4548 type = __le16_to_cpu(rsp->type);
4549 result = __le16_to_cpu(rsp->result);
4550
4551 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4552
4553 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4554 if (cmd->ident != conn->info_ident ||
4555 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4556 return 0;
4557
4558 cancel_delayed_work(&conn->info_timer);
4559
4560 if (result != L2CAP_IR_SUCCESS) {
4561 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4562 conn->info_ident = 0;
4563
4564 l2cap_conn_start(conn);
4565
4566 return 0;
4567 }
4568
4569 switch (type) {
4570 case L2CAP_IT_FEAT_MASK:
4571 conn->feat_mask = get_unaligned_le32(rsp->data);
4572
4573 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4574 struct l2cap_info_req req;
4575 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4576
4577 conn->info_ident = l2cap_get_ident(conn);
4578
4579 l2cap_send_cmd(conn, conn->info_ident,
4580 L2CAP_INFO_REQ, sizeof(req), &req);
4581 } else {
4582 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4583 conn->info_ident = 0;
4584
4585 l2cap_conn_start(conn);
4586 }
4587 break;
4588
4589 case L2CAP_IT_FIXED_CHAN:
4590 conn->remote_fixed_chan = rsp->data[0];
4591 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4592 conn->info_ident = 0;
4593
4594 l2cap_conn_start(conn);
4595 break;
4596 }
4597
4598 return 0;
4599 }
4600
l2cap_conn_param_update_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4601 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4602 struct l2cap_cmd_hdr *cmd,
4603 u16 cmd_len, u8 *data)
4604 {
4605 struct hci_conn *hcon = conn->hcon;
4606 struct l2cap_conn_param_update_req *req;
4607 struct l2cap_conn_param_update_rsp rsp;
4608 u16 min, max, latency, to_multiplier;
4609 int err;
4610
4611 if (hcon->role != HCI_ROLE_MASTER)
4612 return -EINVAL;
4613
4614 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4615 return -EPROTO;
4616
4617 req = (struct l2cap_conn_param_update_req *) data;
4618 min = __le16_to_cpu(req->min);
4619 max = __le16_to_cpu(req->max);
4620 latency = __le16_to_cpu(req->latency);
4621 to_multiplier = __le16_to_cpu(req->to_multiplier);
4622
4623 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4624 min, max, latency, to_multiplier);
4625
4626 memset(&rsp, 0, sizeof(rsp));
4627
4628 err = hci_check_conn_params(min, max, latency, to_multiplier);
4629 if (err)
4630 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4631 else
4632 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4633
4634 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4635 sizeof(rsp), &rsp);
4636
4637 if (!err) {
4638 u8 store_hint;
4639
4640 store_hint = hci_le_conn_update(hcon, min, max, latency,
4641 to_multiplier);
4642 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
4643 store_hint, min, max, latency,
4644 to_multiplier);
4645
4646 }
4647
4648 return 0;
4649 }
4650
l2cap_le_connect_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4651 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
4652 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4653 u8 *data)
4654 {
4655 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
4656 struct hci_conn *hcon = conn->hcon;
4657 u16 dcid, mtu, mps, credits, result;
4658 struct l2cap_chan *chan;
4659 int err, sec_level;
4660
4661 if (cmd_len < sizeof(*rsp))
4662 return -EPROTO;
4663
4664 dcid = __le16_to_cpu(rsp->dcid);
4665 mtu = __le16_to_cpu(rsp->mtu);
4666 mps = __le16_to_cpu(rsp->mps);
4667 credits = __le16_to_cpu(rsp->credits);
4668 result = __le16_to_cpu(rsp->result);
4669
4670 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
4671 dcid < L2CAP_CID_DYN_START ||
4672 dcid > L2CAP_CID_LE_DYN_END))
4673 return -EPROTO;
4674
4675 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
4676 dcid, mtu, mps, credits, result);
4677
4678 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4679 if (!chan)
4680 return -EBADSLT;
4681
4682 err = 0;
4683
4684 l2cap_chan_lock(chan);
4685
4686 switch (result) {
4687 case L2CAP_CR_LE_SUCCESS:
4688 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
4689 err = -EBADSLT;
4690 break;
4691 }
4692
4693 chan->ident = 0;
4694 chan->dcid = dcid;
4695 chan->omtu = mtu;
4696 chan->remote_mps = mps;
4697 chan->tx_credits = credits;
4698 l2cap_chan_ready(chan);
4699 break;
4700
4701 case L2CAP_CR_LE_AUTHENTICATION:
4702 case L2CAP_CR_LE_ENCRYPTION:
4703 /* If we already have MITM protection we can't do
4704 * anything.
4705 */
4706 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
4707 l2cap_chan_del(chan, ECONNREFUSED);
4708 break;
4709 }
4710
4711 sec_level = hcon->sec_level + 1;
4712 if (chan->sec_level < sec_level)
4713 chan->sec_level = sec_level;
4714
4715 /* We'll need to send a new Connect Request */
4716 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
4717
4718 smp_conn_security(hcon, chan->sec_level);
4719 break;
4720
4721 default:
4722 l2cap_chan_del(chan, ECONNREFUSED);
4723 break;
4724 }
4725
4726 l2cap_chan_unlock(chan);
4727
4728 return err;
4729 }
4730
l2cap_bredr_sig_cmd(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4731 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4732 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4733 u8 *data)
4734 {
4735 int err = 0;
4736
4737 switch (cmd->code) {
4738 case L2CAP_COMMAND_REJ:
4739 l2cap_command_rej(conn, cmd, cmd_len, data);
4740 break;
4741
4742 case L2CAP_CONN_REQ:
4743 err = l2cap_connect_req(conn, cmd, cmd_len, data);
4744 break;
4745
4746 case L2CAP_CONN_RSP:
4747 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
4748 break;
4749
4750 case L2CAP_CONF_REQ:
4751 err = l2cap_config_req(conn, cmd, cmd_len, data);
4752 break;
4753
4754 case L2CAP_CONF_RSP:
4755 l2cap_config_rsp(conn, cmd, cmd_len, data);
4756 break;
4757
4758 case L2CAP_DISCONN_REQ:
4759 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
4760 break;
4761
4762 case L2CAP_DISCONN_RSP:
4763 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
4764 break;
4765
4766 case L2CAP_ECHO_REQ:
4767 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4768 break;
4769
4770 case L2CAP_ECHO_RSP:
4771 break;
4772
4773 case L2CAP_INFO_REQ:
4774 err = l2cap_information_req(conn, cmd, cmd_len, data);
4775 break;
4776
4777 case L2CAP_INFO_RSP:
4778 l2cap_information_rsp(conn, cmd, cmd_len, data);
4779 break;
4780
4781 default:
4782 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4783 err = -EINVAL;
4784 break;
4785 }
4786
4787 return err;
4788 }
4789
l2cap_le_connect_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4790 static int l2cap_le_connect_req(struct l2cap_conn *conn,
4791 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4792 u8 *data)
4793 {
4794 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
4795 struct l2cap_le_conn_rsp rsp;
4796 struct l2cap_chan *chan, *pchan;
4797 u16 dcid, scid, credits, mtu, mps;
4798 __le16 psm;
4799 u8 result;
4800
4801 if (cmd_len != sizeof(*req))
4802 return -EPROTO;
4803
4804 scid = __le16_to_cpu(req->scid);
4805 mtu = __le16_to_cpu(req->mtu);
4806 mps = __le16_to_cpu(req->mps);
4807 psm = req->psm;
4808 dcid = 0;
4809 credits = 0;
4810
4811 if (mtu < 23 || mps < 23)
4812 return -EPROTO;
4813
4814 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
4815 scid, mtu, mps);
4816
4817 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
4818 * page 1059:
4819 *
4820 * Valid range: 0x0001-0x00ff
4821 *
4822 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
4823 */
4824 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
4825 result = L2CAP_CR_LE_BAD_PSM;
4826 chan = NULL;
4827 goto response;
4828 }
4829
4830 /* Check if we have socket listening on psm */
4831 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4832 &conn->hcon->dst, LE_LINK);
4833 if (!pchan) {
4834 result = L2CAP_CR_LE_BAD_PSM;
4835 chan = NULL;
4836 goto response;
4837 }
4838
4839 l2cap_chan_lock(pchan);
4840
4841 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
4842 SMP_ALLOW_STK)) {
4843 result = pchan->sec_level == BT_SECURITY_MEDIUM ?
4844 L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION;
4845 chan = NULL;
4846 goto response_unlock;
4847 }
4848
4849 /* Check for valid dynamic CID range */
4850 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
4851 result = L2CAP_CR_LE_INVALID_SCID;
4852 chan = NULL;
4853 goto response_unlock;
4854 }
4855
4856 /* Check if we already have channel with that dcid */
4857 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4858 result = L2CAP_CR_LE_SCID_IN_USE;
4859 chan = NULL;
4860 goto response_unlock;
4861 }
4862
4863 chan = pchan->ops->new_connection(pchan);
4864 if (!chan) {
4865 result = L2CAP_CR_LE_NO_MEM;
4866 goto response_unlock;
4867 }
4868
4869 bacpy(&chan->src, &conn->hcon->src);
4870 bacpy(&chan->dst, &conn->hcon->dst);
4871 chan->src_type = bdaddr_src_type(conn->hcon);
4872 chan->dst_type = bdaddr_dst_type(conn->hcon);
4873 chan->psm = psm;
4874 chan->dcid = scid;
4875 chan->omtu = mtu;
4876 chan->remote_mps = mps;
4877
4878 __l2cap_chan_add(conn, chan);
4879
4880 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
4881
4882 dcid = chan->scid;
4883 credits = chan->rx_credits;
4884
4885 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4886
4887 chan->ident = cmd->ident;
4888
4889 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4890 l2cap_state_change(chan, BT_CONNECT2);
4891 /* The following result value is actually not defined
4892 * for LE CoC but we use it to let the function know
4893 * that it should bail out after doing its cleanup
4894 * instead of sending a response.
4895 */
4896 result = L2CAP_CR_PEND;
4897 chan->ops->defer(chan);
4898 } else {
4899 l2cap_chan_ready(chan);
4900 result = L2CAP_CR_LE_SUCCESS;
4901 }
4902
4903 response_unlock:
4904 l2cap_chan_unlock(pchan);
4905 l2cap_chan_put(pchan);
4906
4907 if (result == L2CAP_CR_PEND)
4908 return 0;
4909
4910 response:
4911 if (chan) {
4912 rsp.mtu = cpu_to_le16(chan->imtu);
4913 rsp.mps = cpu_to_le16(chan->mps);
4914 } else {
4915 rsp.mtu = 0;
4916 rsp.mps = 0;
4917 }
4918
4919 rsp.dcid = cpu_to_le16(dcid);
4920 rsp.credits = cpu_to_le16(credits);
4921 rsp.result = cpu_to_le16(result);
4922
4923 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
4924
4925 return 0;
4926 }
4927
l2cap_le_credits(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4928 static inline int l2cap_le_credits(struct l2cap_conn *conn,
4929 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4930 u8 *data)
4931 {
4932 struct l2cap_le_credits *pkt;
4933 struct l2cap_chan *chan;
4934 u16 cid, credits, max_credits;
4935
4936 if (cmd_len != sizeof(*pkt))
4937 return -EPROTO;
4938
4939 pkt = (struct l2cap_le_credits *) data;
4940 cid = __le16_to_cpu(pkt->cid);
4941 credits = __le16_to_cpu(pkt->credits);
4942
4943 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
4944
4945 chan = l2cap_get_chan_by_dcid(conn, cid);
4946 if (!chan)
4947 return -EBADSLT;
4948
4949 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
4950 if (credits > max_credits) {
4951 BT_ERR("LE credits overflow");
4952 l2cap_send_disconn_req(chan, ECONNRESET);
4953
4954 /* Return 0 so that we don't trigger an unnecessary
4955 * command reject packet.
4956 */
4957 goto unlock;
4958 }
4959
4960 chan->tx_credits += credits;
4961
4962 /* Resume sending */
4963 l2cap_le_flowctl_send(chan);
4964
4965 if (chan->tx_credits)
4966 chan->ops->resume(chan);
4967
4968 unlock:
4969 l2cap_chan_unlock(chan);
4970 l2cap_chan_put(chan);
4971
4972 return 0;
4973 }
4974
l2cap_ecred_conn_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4975 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
4976 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4977 u8 *data)
4978 {
4979 struct l2cap_ecred_conn_req *req = (void *) data;
4980 struct {
4981 struct l2cap_ecred_conn_rsp rsp;
4982 __le16 dcid[L2CAP_ECRED_MAX_CID];
4983 } __packed pdu;
4984 struct l2cap_chan *chan, *pchan;
4985 u16 mtu, mps;
4986 __le16 psm;
4987 u8 result, len = 0;
4988 int i, num_scid;
4989 bool defer = false;
4990
4991 if (!enable_ecred)
4992 return -EINVAL;
4993
4994 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
4995 result = L2CAP_CR_LE_INVALID_PARAMS;
4996 goto response;
4997 }
4998
4999 cmd_len -= sizeof(*req);
5000 num_scid = cmd_len / sizeof(u16);
5001
5002 if (num_scid > ARRAY_SIZE(pdu.dcid)) {
5003 result = L2CAP_CR_LE_INVALID_PARAMS;
5004 goto response;
5005 }
5006
5007 mtu = __le16_to_cpu(req->mtu);
5008 mps = __le16_to_cpu(req->mps);
5009
5010 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5011 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5012 goto response;
5013 }
5014
5015 psm = req->psm;
5016
5017 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
5018 * page 1059:
5019 *
5020 * Valid range: 0x0001-0x00ff
5021 *
5022 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
5023 */
5024 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
5025 result = L2CAP_CR_LE_BAD_PSM;
5026 goto response;
5027 }
5028
5029 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5030
5031 memset(&pdu, 0, sizeof(pdu));
5032
5033 /* Check if we have socket listening on psm */
5034 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5035 &conn->hcon->dst, LE_LINK);
5036 if (!pchan) {
5037 result = L2CAP_CR_LE_BAD_PSM;
5038 goto response;
5039 }
5040
5041 l2cap_chan_lock(pchan);
5042
5043 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5044 SMP_ALLOW_STK)) {
5045 result = L2CAP_CR_LE_AUTHENTICATION;
5046 goto unlock;
5047 }
5048
5049 result = L2CAP_CR_LE_SUCCESS;
5050
5051 for (i = 0; i < num_scid; i++) {
5052 u16 scid = __le16_to_cpu(req->scid[i]);
5053
5054 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5055
5056 pdu.dcid[i] = 0x0000;
5057 len += sizeof(*pdu.dcid);
5058
5059 /* Check for valid dynamic CID range */
5060 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5061 result = L2CAP_CR_LE_INVALID_SCID;
5062 continue;
5063 }
5064
5065 /* Check if we already have channel with that dcid */
5066 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5067 result = L2CAP_CR_LE_SCID_IN_USE;
5068 continue;
5069 }
5070
5071 chan = pchan->ops->new_connection(pchan);
5072 if (!chan) {
5073 result = L2CAP_CR_LE_NO_MEM;
5074 continue;
5075 }
5076
5077 bacpy(&chan->src, &conn->hcon->src);
5078 bacpy(&chan->dst, &conn->hcon->dst);
5079 chan->src_type = bdaddr_src_type(conn->hcon);
5080 chan->dst_type = bdaddr_dst_type(conn->hcon);
5081 chan->psm = psm;
5082 chan->dcid = scid;
5083 chan->omtu = mtu;
5084 chan->remote_mps = mps;
5085
5086 __l2cap_chan_add(conn, chan);
5087
5088 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
5089
5090 /* Init response */
5091 if (!pdu.rsp.credits) {
5092 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
5093 pdu.rsp.mps = cpu_to_le16(chan->mps);
5094 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
5095 }
5096
5097 pdu.dcid[i] = cpu_to_le16(chan->scid);
5098
5099 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5100
5101 chan->ident = cmd->ident;
5102 chan->mode = L2CAP_MODE_EXT_FLOWCTL;
5103
5104 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5105 l2cap_state_change(chan, BT_CONNECT2);
5106 defer = true;
5107 chan->ops->defer(chan);
5108 } else {
5109 l2cap_chan_ready(chan);
5110 }
5111 }
5112
5113 unlock:
5114 l2cap_chan_unlock(pchan);
5115 l2cap_chan_put(pchan);
5116
5117 response:
5118 pdu.rsp.result = cpu_to_le16(result);
5119
5120 if (defer)
5121 return 0;
5122
5123 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
5124 sizeof(pdu.rsp) + len, &pdu);
5125
5126 return 0;
5127 }
5128
l2cap_ecred_conn_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5129 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
5130 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5131 u8 *data)
5132 {
5133 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
5134 struct hci_conn *hcon = conn->hcon;
5135 u16 mtu, mps, credits, result;
5136 struct l2cap_chan *chan, *tmp;
5137 int err = 0, sec_level;
5138 int i = 0;
5139
5140 if (cmd_len < sizeof(*rsp))
5141 return -EPROTO;
5142
5143 mtu = __le16_to_cpu(rsp->mtu);
5144 mps = __le16_to_cpu(rsp->mps);
5145 credits = __le16_to_cpu(rsp->credits);
5146 result = __le16_to_cpu(rsp->result);
5147
5148 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
5149 result);
5150
5151 cmd_len -= sizeof(*rsp);
5152
5153 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
5154 u16 dcid;
5155
5156 if (chan->ident != cmd->ident ||
5157 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
5158 chan->state == BT_CONNECTED)
5159 continue;
5160
5161 l2cap_chan_lock(chan);
5162
5163 /* Check that there is a dcid for each pending channel */
5164 if (cmd_len < sizeof(dcid)) {
5165 l2cap_chan_del(chan, ECONNREFUSED);
5166 l2cap_chan_unlock(chan);
5167 continue;
5168 }
5169
5170 dcid = __le16_to_cpu(rsp->dcid[i++]);
5171 cmd_len -= sizeof(u16);
5172
5173 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
5174
5175 /* Check if dcid is already in use */
5176 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
5177 /* If a device receives a
5178 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
5179 * already-assigned Destination CID, then both the
5180 * original channel and the new channel shall be
5181 * immediately discarded and not used.
5182 */
5183 l2cap_chan_del(chan, ECONNREFUSED);
5184 l2cap_chan_unlock(chan);
5185 chan = __l2cap_get_chan_by_dcid(conn, dcid);
5186 l2cap_chan_lock(chan);
5187 l2cap_chan_del(chan, ECONNRESET);
5188 l2cap_chan_unlock(chan);
5189 continue;
5190 }
5191
5192 switch (result) {
5193 case L2CAP_CR_LE_AUTHENTICATION:
5194 case L2CAP_CR_LE_ENCRYPTION:
5195 /* If we already have MITM protection we can't do
5196 * anything.
5197 */
5198 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5199 l2cap_chan_del(chan, ECONNREFUSED);
5200 break;
5201 }
5202
5203 sec_level = hcon->sec_level + 1;
5204 if (chan->sec_level < sec_level)
5205 chan->sec_level = sec_level;
5206
5207 /* We'll need to send a new Connect Request */
5208 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
5209
5210 smp_conn_security(hcon, chan->sec_level);
5211 break;
5212
5213 case L2CAP_CR_LE_BAD_PSM:
5214 l2cap_chan_del(chan, ECONNREFUSED);
5215 break;
5216
5217 default:
5218 /* If dcid was not set it means channels was refused */
5219 if (!dcid) {
5220 l2cap_chan_del(chan, ECONNREFUSED);
5221 break;
5222 }
5223
5224 chan->ident = 0;
5225 chan->dcid = dcid;
5226 chan->omtu = mtu;
5227 chan->remote_mps = mps;
5228 chan->tx_credits = credits;
5229 l2cap_chan_ready(chan);
5230 break;
5231 }
5232
5233 l2cap_chan_unlock(chan);
5234 }
5235
5236 return err;
5237 }
5238
l2cap_ecred_reconf_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5239 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
5240 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5241 u8 *data)
5242 {
5243 struct l2cap_ecred_reconf_req *req = (void *) data;
5244 struct l2cap_ecred_reconf_rsp rsp;
5245 u16 mtu, mps, result;
5246 struct l2cap_chan *chan;
5247 int i, num_scid;
5248
5249 if (!enable_ecred)
5250 return -EINVAL;
5251
5252 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
5253 result = L2CAP_CR_LE_INVALID_PARAMS;
5254 goto respond;
5255 }
5256
5257 mtu = __le16_to_cpu(req->mtu);
5258 mps = __le16_to_cpu(req->mps);
5259
5260 BT_DBG("mtu %u mps %u", mtu, mps);
5261
5262 if (mtu < L2CAP_ECRED_MIN_MTU) {
5263 result = L2CAP_RECONF_INVALID_MTU;
5264 goto respond;
5265 }
5266
5267 if (mps < L2CAP_ECRED_MIN_MPS) {
5268 result = L2CAP_RECONF_INVALID_MPS;
5269 goto respond;
5270 }
5271
5272 cmd_len -= sizeof(*req);
5273 num_scid = cmd_len / sizeof(u16);
5274 result = L2CAP_RECONF_SUCCESS;
5275
5276 for (i = 0; i < num_scid; i++) {
5277 u16 scid;
5278
5279 scid = __le16_to_cpu(req->scid[i]);
5280 if (!scid)
5281 return -EPROTO;
5282
5283 chan = __l2cap_get_chan_by_dcid(conn, scid);
5284 if (!chan)
5285 continue;
5286
5287 /* If the MTU value is decreased for any of the included
5288 * channels, then the receiver shall disconnect all
5289 * included channels.
5290 */
5291 if (chan->omtu > mtu) {
5292 BT_ERR("chan %p decreased MTU %u -> %u", chan,
5293 chan->omtu, mtu);
5294 result = L2CAP_RECONF_INVALID_MTU;
5295 }
5296
5297 chan->omtu = mtu;
5298 chan->remote_mps = mps;
5299 }
5300
5301 respond:
5302 rsp.result = cpu_to_le16(result);
5303
5304 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
5305 &rsp);
5306
5307 return 0;
5308 }
5309
l2cap_ecred_reconf_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5310 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
5311 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5312 u8 *data)
5313 {
5314 struct l2cap_chan *chan, *tmp;
5315 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
5316 u16 result;
5317
5318 if (cmd_len < sizeof(*rsp))
5319 return -EPROTO;
5320
5321 result = __le16_to_cpu(rsp->result);
5322
5323 BT_DBG("result 0x%4.4x", rsp->result);
5324
5325 if (!result)
5326 return 0;
5327
5328 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
5329 if (chan->ident != cmd->ident)
5330 continue;
5331
5332 l2cap_chan_del(chan, ECONNRESET);
5333 }
5334
5335 return 0;
5336 }
5337
l2cap_le_command_rej(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5338 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5339 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5340 u8 *data)
5341 {
5342 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5343 struct l2cap_chan *chan;
5344
5345 if (cmd_len < sizeof(*rej))
5346 return -EPROTO;
5347
5348 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5349 if (!chan)
5350 goto done;
5351
5352 chan = l2cap_chan_hold_unless_zero(chan);
5353 if (!chan)
5354 goto done;
5355
5356 l2cap_chan_lock(chan);
5357 l2cap_chan_del(chan, ECONNREFUSED);
5358 l2cap_chan_unlock(chan);
5359 l2cap_chan_put(chan);
5360
5361 done:
5362 return 0;
5363 }
5364
l2cap_le_sig_cmd(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5365 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5366 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5367 u8 *data)
5368 {
5369 int err = 0;
5370
5371 switch (cmd->code) {
5372 case L2CAP_COMMAND_REJ:
5373 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5374 break;
5375
5376 case L2CAP_CONN_PARAM_UPDATE_REQ:
5377 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5378 break;
5379
5380 case L2CAP_CONN_PARAM_UPDATE_RSP:
5381 break;
5382
5383 case L2CAP_LE_CONN_RSP:
5384 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5385 break;
5386
5387 case L2CAP_LE_CONN_REQ:
5388 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5389 break;
5390
5391 case L2CAP_LE_CREDITS:
5392 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5393 break;
5394
5395 case L2CAP_ECRED_CONN_REQ:
5396 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
5397 break;
5398
5399 case L2CAP_ECRED_CONN_RSP:
5400 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
5401 break;
5402
5403 case L2CAP_ECRED_RECONF_REQ:
5404 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
5405 break;
5406
5407 case L2CAP_ECRED_RECONF_RSP:
5408 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
5409 break;
5410
5411 case L2CAP_DISCONN_REQ:
5412 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5413 break;
5414
5415 case L2CAP_DISCONN_RSP:
5416 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5417 break;
5418
5419 default:
5420 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5421 err = -EINVAL;
5422 break;
5423 }
5424
5425 return err;
5426 }
5427
l2cap_le_sig_channel(struct l2cap_conn * conn,struct sk_buff * skb)5428 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5429 struct sk_buff *skb)
5430 {
5431 struct hci_conn *hcon = conn->hcon;
5432 struct l2cap_cmd_hdr *cmd;
5433 u16 len;
5434 int err;
5435
5436 if (hcon->type != LE_LINK)
5437 goto drop;
5438
5439 if (skb->len < L2CAP_CMD_HDR_SIZE)
5440 goto drop;
5441
5442 cmd = (void *) skb->data;
5443 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5444
5445 len = le16_to_cpu(cmd->len);
5446
5447 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5448
5449 if (len != skb->len || !cmd->ident) {
5450 BT_DBG("corrupted command");
5451 goto drop;
5452 }
5453
5454 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5455 if (err) {
5456 struct l2cap_cmd_rej_unk rej;
5457
5458 BT_ERR("Wrong link type (%d)", err);
5459
5460 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5461 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5462 sizeof(rej), &rej);
5463 }
5464
5465 drop:
5466 kfree_skb(skb);
5467 }
5468
l2cap_sig_send_rej(struct l2cap_conn * conn,u16 ident)5469 static inline void l2cap_sig_send_rej(struct l2cap_conn *conn, u16 ident)
5470 {
5471 struct l2cap_cmd_rej_unk rej;
5472
5473 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5474 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
5475 }
5476
l2cap_sig_channel(struct l2cap_conn * conn,struct sk_buff * skb)5477 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5478 struct sk_buff *skb)
5479 {
5480 struct hci_conn *hcon = conn->hcon;
5481 struct l2cap_cmd_hdr *cmd;
5482 int err;
5483
5484 l2cap_raw_recv(conn, skb);
5485
5486 if (hcon->type != ACL_LINK)
5487 goto drop;
5488
5489 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
5490 u16 len;
5491
5492 cmd = (void *) skb->data;
5493 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5494
5495 len = le16_to_cpu(cmd->len);
5496
5497 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
5498 cmd->ident);
5499
5500 if (len > skb->len || !cmd->ident) {
5501 BT_DBG("corrupted command");
5502 l2cap_sig_send_rej(conn, cmd->ident);
5503 skb_pull(skb, len > skb->len ? skb->len : len);
5504 continue;
5505 }
5506
5507 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
5508 if (err) {
5509 BT_ERR("Wrong link type (%d)", err);
5510 l2cap_sig_send_rej(conn, cmd->ident);
5511 }
5512
5513 skb_pull(skb, len);
5514 }
5515
5516 if (skb->len > 0) {
5517 BT_DBG("corrupted command");
5518 l2cap_sig_send_rej(conn, 0);
5519 }
5520
5521 drop:
5522 kfree_skb(skb);
5523 }
5524
l2cap_check_fcs(struct l2cap_chan * chan,struct sk_buff * skb)5525 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5526 {
5527 u16 our_fcs, rcv_fcs;
5528 int hdr_size;
5529
5530 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5531 hdr_size = L2CAP_EXT_HDR_SIZE;
5532 else
5533 hdr_size = L2CAP_ENH_HDR_SIZE;
5534
5535 if (chan->fcs == L2CAP_FCS_CRC16) {
5536 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5537 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5538 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5539
5540 if (our_fcs != rcv_fcs)
5541 return -EBADMSG;
5542 }
5543 return 0;
5544 }
5545
l2cap_send_i_or_rr_or_rnr(struct l2cap_chan * chan)5546 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5547 {
5548 struct l2cap_ctrl control;
5549
5550 BT_DBG("chan %p", chan);
5551
5552 memset(&control, 0, sizeof(control));
5553 control.sframe = 1;
5554 control.final = 1;
5555 control.reqseq = chan->buffer_seq;
5556 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5557
5558 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5559 control.super = L2CAP_SUPER_RNR;
5560 l2cap_send_sframe(chan, &control);
5561 }
5562
5563 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5564 chan->unacked_frames > 0)
5565 __set_retrans_timer(chan);
5566
5567 /* Send pending iframes */
5568 l2cap_ertm_send(chan);
5569
5570 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5571 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5572 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5573 * send it now.
5574 */
5575 control.super = L2CAP_SUPER_RR;
5576 l2cap_send_sframe(chan, &control);
5577 }
5578 }
5579
append_skb_frag(struct sk_buff * skb,struct sk_buff * new_frag,struct sk_buff ** last_frag)5580 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5581 struct sk_buff **last_frag)
5582 {
5583 /* skb->len reflects data in skb as well as all fragments
5584 * skb->data_len reflects only data in fragments
5585 */
5586 if (!skb_has_frag_list(skb))
5587 skb_shinfo(skb)->frag_list = new_frag;
5588
5589 new_frag->next = NULL;
5590
5591 (*last_frag)->next = new_frag;
5592 *last_frag = new_frag;
5593
5594 skb->len += new_frag->len;
5595 skb->data_len += new_frag->len;
5596 skb->truesize += new_frag->truesize;
5597 }
5598
l2cap_reassemble_sdu(struct l2cap_chan * chan,struct sk_buff * skb,struct l2cap_ctrl * control)5599 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5600 struct l2cap_ctrl *control)
5601 {
5602 int err = -EINVAL;
5603
5604 switch (control->sar) {
5605 case L2CAP_SAR_UNSEGMENTED:
5606 if (chan->sdu)
5607 break;
5608
5609 err = chan->ops->recv(chan, skb);
5610 break;
5611
5612 case L2CAP_SAR_START:
5613 if (chan->sdu)
5614 break;
5615
5616 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5617 break;
5618
5619 chan->sdu_len = get_unaligned_le16(skb->data);
5620 skb_pull(skb, L2CAP_SDULEN_SIZE);
5621
5622 if (chan->sdu_len > chan->imtu) {
5623 err = -EMSGSIZE;
5624 break;
5625 }
5626
5627 if (skb->len >= chan->sdu_len)
5628 break;
5629
5630 chan->sdu = skb;
5631 chan->sdu_last_frag = skb;
5632
5633 skb = NULL;
5634 err = 0;
5635 break;
5636
5637 case L2CAP_SAR_CONTINUE:
5638 if (!chan->sdu)
5639 break;
5640
5641 append_skb_frag(chan->sdu, skb,
5642 &chan->sdu_last_frag);
5643 skb = NULL;
5644
5645 if (chan->sdu->len >= chan->sdu_len)
5646 break;
5647
5648 err = 0;
5649 break;
5650
5651 case L2CAP_SAR_END:
5652 if (!chan->sdu)
5653 break;
5654
5655 append_skb_frag(chan->sdu, skb,
5656 &chan->sdu_last_frag);
5657 skb = NULL;
5658
5659 if (chan->sdu->len != chan->sdu_len)
5660 break;
5661
5662 err = chan->ops->recv(chan, chan->sdu);
5663
5664 if (!err) {
5665 /* Reassembly complete */
5666 chan->sdu = NULL;
5667 chan->sdu_last_frag = NULL;
5668 chan->sdu_len = 0;
5669 }
5670 break;
5671 }
5672
5673 if (err) {
5674 kfree_skb(skb);
5675 kfree_skb(chan->sdu);
5676 chan->sdu = NULL;
5677 chan->sdu_last_frag = NULL;
5678 chan->sdu_len = 0;
5679 }
5680
5681 return err;
5682 }
5683
l2cap_resegment(struct l2cap_chan * chan)5684 static int l2cap_resegment(struct l2cap_chan *chan)
5685 {
5686 /* Placeholder */
5687 return 0;
5688 }
5689
l2cap_chan_busy(struct l2cap_chan * chan,int busy)5690 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5691 {
5692 u8 event;
5693
5694 if (chan->mode != L2CAP_MODE_ERTM)
5695 return;
5696
5697 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5698 l2cap_tx(chan, NULL, NULL, event);
5699 }
5700
l2cap_rx_queued_iframes(struct l2cap_chan * chan)5701 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5702 {
5703 int err = 0;
5704 /* Pass sequential frames to l2cap_reassemble_sdu()
5705 * until a gap is encountered.
5706 */
5707
5708 BT_DBG("chan %p", chan);
5709
5710 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5711 struct sk_buff *skb;
5712 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5713 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5714
5715 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5716
5717 if (!skb)
5718 break;
5719
5720 skb_unlink(skb, &chan->srej_q);
5721 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5722 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5723 if (err)
5724 break;
5725 }
5726
5727 if (skb_queue_empty(&chan->srej_q)) {
5728 chan->rx_state = L2CAP_RX_STATE_RECV;
5729 l2cap_send_ack(chan);
5730 }
5731
5732 return err;
5733 }
5734
l2cap_handle_srej(struct l2cap_chan * chan,struct l2cap_ctrl * control)5735 static void l2cap_handle_srej(struct l2cap_chan *chan,
5736 struct l2cap_ctrl *control)
5737 {
5738 struct sk_buff *skb;
5739
5740 BT_DBG("chan %p, control %p", chan, control);
5741
5742 if (control->reqseq == chan->next_tx_seq) {
5743 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5744 l2cap_send_disconn_req(chan, ECONNRESET);
5745 return;
5746 }
5747
5748 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5749
5750 if (skb == NULL) {
5751 BT_DBG("Seq %d not available for retransmission",
5752 control->reqseq);
5753 return;
5754 }
5755
5756 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5757 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5758 l2cap_send_disconn_req(chan, ECONNRESET);
5759 return;
5760 }
5761
5762 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5763
5764 if (control->poll) {
5765 l2cap_pass_to_tx(chan, control);
5766
5767 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5768 l2cap_retransmit(chan, control);
5769 l2cap_ertm_send(chan);
5770
5771 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5772 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5773 chan->srej_save_reqseq = control->reqseq;
5774 }
5775 } else {
5776 l2cap_pass_to_tx_fbit(chan, control);
5777
5778 if (control->final) {
5779 if (chan->srej_save_reqseq != control->reqseq ||
5780 !test_and_clear_bit(CONN_SREJ_ACT,
5781 &chan->conn_state))
5782 l2cap_retransmit(chan, control);
5783 } else {
5784 l2cap_retransmit(chan, control);
5785 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5786 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5787 chan->srej_save_reqseq = control->reqseq;
5788 }
5789 }
5790 }
5791 }
5792
l2cap_handle_rej(struct l2cap_chan * chan,struct l2cap_ctrl * control)5793 static void l2cap_handle_rej(struct l2cap_chan *chan,
5794 struct l2cap_ctrl *control)
5795 {
5796 struct sk_buff *skb;
5797
5798 BT_DBG("chan %p, control %p", chan, control);
5799
5800 if (control->reqseq == chan->next_tx_seq) {
5801 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5802 l2cap_send_disconn_req(chan, ECONNRESET);
5803 return;
5804 }
5805
5806 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5807
5808 if (chan->max_tx && skb &&
5809 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5810 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5811 l2cap_send_disconn_req(chan, ECONNRESET);
5812 return;
5813 }
5814
5815 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5816
5817 l2cap_pass_to_tx(chan, control);
5818
5819 if (control->final) {
5820 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5821 l2cap_retransmit_all(chan, control);
5822 } else {
5823 l2cap_retransmit_all(chan, control);
5824 l2cap_ertm_send(chan);
5825 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5826 set_bit(CONN_REJ_ACT, &chan->conn_state);
5827 }
5828 }
5829
l2cap_classify_txseq(struct l2cap_chan * chan,u16 txseq)5830 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5831 {
5832 BT_DBG("chan %p, txseq %d", chan, txseq);
5833
5834 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5835 chan->expected_tx_seq);
5836
5837 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5838 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5839 chan->tx_win) {
5840 /* See notes below regarding "double poll" and
5841 * invalid packets.
5842 */
5843 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5844 BT_DBG("Invalid/Ignore - after SREJ");
5845 return L2CAP_TXSEQ_INVALID_IGNORE;
5846 } else {
5847 BT_DBG("Invalid - in window after SREJ sent");
5848 return L2CAP_TXSEQ_INVALID;
5849 }
5850 }
5851
5852 if (chan->srej_list.head == txseq) {
5853 BT_DBG("Expected SREJ");
5854 return L2CAP_TXSEQ_EXPECTED_SREJ;
5855 }
5856
5857 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5858 BT_DBG("Duplicate SREJ - txseq already stored");
5859 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5860 }
5861
5862 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5863 BT_DBG("Unexpected SREJ - not requested");
5864 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5865 }
5866 }
5867
5868 if (chan->expected_tx_seq == txseq) {
5869 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5870 chan->tx_win) {
5871 BT_DBG("Invalid - txseq outside tx window");
5872 return L2CAP_TXSEQ_INVALID;
5873 } else {
5874 BT_DBG("Expected");
5875 return L2CAP_TXSEQ_EXPECTED;
5876 }
5877 }
5878
5879 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
5880 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
5881 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5882 return L2CAP_TXSEQ_DUPLICATE;
5883 }
5884
5885 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5886 /* A source of invalid packets is a "double poll" condition,
5887 * where delays cause us to send multiple poll packets. If
5888 * the remote stack receives and processes both polls,
5889 * sequence numbers can wrap around in such a way that a
5890 * resent frame has a sequence number that looks like new data
5891 * with a sequence gap. This would trigger an erroneous SREJ
5892 * request.
5893 *
5894 * Fortunately, this is impossible with a tx window that's
5895 * less than half of the maximum sequence number, which allows
5896 * invalid frames to be safely ignored.
5897 *
5898 * With tx window sizes greater than half of the tx window
5899 * maximum, the frame is invalid and cannot be ignored. This
5900 * causes a disconnect.
5901 */
5902
5903 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5904 BT_DBG("Invalid/Ignore - txseq outside tx window");
5905 return L2CAP_TXSEQ_INVALID_IGNORE;
5906 } else {
5907 BT_DBG("Invalid - txseq outside tx window");
5908 return L2CAP_TXSEQ_INVALID;
5909 }
5910 } else {
5911 BT_DBG("Unexpected - txseq indicates missing frames");
5912 return L2CAP_TXSEQ_UNEXPECTED;
5913 }
5914 }
5915
l2cap_rx_state_recv(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)5916 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5917 struct l2cap_ctrl *control,
5918 struct sk_buff *skb, u8 event)
5919 {
5920 struct l2cap_ctrl local_control;
5921 int err = 0;
5922 bool skb_in_use = false;
5923
5924 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5925 event);
5926
5927 switch (event) {
5928 case L2CAP_EV_RECV_IFRAME:
5929 switch (l2cap_classify_txseq(chan, control->txseq)) {
5930 case L2CAP_TXSEQ_EXPECTED:
5931 l2cap_pass_to_tx(chan, control);
5932
5933 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5934 BT_DBG("Busy, discarding expected seq %d",
5935 control->txseq);
5936 break;
5937 }
5938
5939 chan->expected_tx_seq = __next_seq(chan,
5940 control->txseq);
5941
5942 chan->buffer_seq = chan->expected_tx_seq;
5943 skb_in_use = true;
5944
5945 /* l2cap_reassemble_sdu may free skb, hence invalidate
5946 * control, so make a copy in advance to use it after
5947 * l2cap_reassemble_sdu returns and to avoid the race
5948 * condition, for example:
5949 *
5950 * The current thread calls:
5951 * l2cap_reassemble_sdu
5952 * chan->ops->recv == l2cap_sock_recv_cb
5953 * __sock_queue_rcv_skb
5954 * Another thread calls:
5955 * bt_sock_recvmsg
5956 * skb_recv_datagram
5957 * skb_free_datagram
5958 * Then the current thread tries to access control, but
5959 * it was freed by skb_free_datagram.
5960 */
5961 local_control = *control;
5962 err = l2cap_reassemble_sdu(chan, skb, control);
5963 if (err)
5964 break;
5965
5966 if (local_control.final) {
5967 if (!test_and_clear_bit(CONN_REJ_ACT,
5968 &chan->conn_state)) {
5969 local_control.final = 0;
5970 l2cap_retransmit_all(chan, &local_control);
5971 l2cap_ertm_send(chan);
5972 }
5973 }
5974
5975 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5976 l2cap_send_ack(chan);
5977 break;
5978 case L2CAP_TXSEQ_UNEXPECTED:
5979 l2cap_pass_to_tx(chan, control);
5980
5981 /* Can't issue SREJ frames in the local busy state.
5982 * Drop this frame, it will be seen as missing
5983 * when local busy is exited.
5984 */
5985 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5986 BT_DBG("Busy, discarding unexpected seq %d",
5987 control->txseq);
5988 break;
5989 }
5990
5991 /* There was a gap in the sequence, so an SREJ
5992 * must be sent for each missing frame. The
5993 * current frame is stored for later use.
5994 */
5995 skb_queue_tail(&chan->srej_q, skb);
5996 skb_in_use = true;
5997 BT_DBG("Queued %p (queue len %d)", skb,
5998 skb_queue_len(&chan->srej_q));
5999
6000 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6001 l2cap_seq_list_clear(&chan->srej_list);
6002 l2cap_send_srej(chan, control->txseq);
6003
6004 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6005 break;
6006 case L2CAP_TXSEQ_DUPLICATE:
6007 l2cap_pass_to_tx(chan, control);
6008 break;
6009 case L2CAP_TXSEQ_INVALID_IGNORE:
6010 break;
6011 case L2CAP_TXSEQ_INVALID:
6012 default:
6013 l2cap_send_disconn_req(chan, ECONNRESET);
6014 break;
6015 }
6016 break;
6017 case L2CAP_EV_RECV_RR:
6018 l2cap_pass_to_tx(chan, control);
6019 if (control->final) {
6020 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6021
6022 if (!test_and_clear_bit(CONN_REJ_ACT,
6023 &chan->conn_state)) {
6024 control->final = 0;
6025 l2cap_retransmit_all(chan, control);
6026 }
6027
6028 l2cap_ertm_send(chan);
6029 } else if (control->poll) {
6030 l2cap_send_i_or_rr_or_rnr(chan);
6031 } else {
6032 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6033 &chan->conn_state) &&
6034 chan->unacked_frames)
6035 __set_retrans_timer(chan);
6036
6037 l2cap_ertm_send(chan);
6038 }
6039 break;
6040 case L2CAP_EV_RECV_RNR:
6041 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6042 l2cap_pass_to_tx(chan, control);
6043 if (control && control->poll) {
6044 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6045 l2cap_send_rr_or_rnr(chan, 0);
6046 }
6047 __clear_retrans_timer(chan);
6048 l2cap_seq_list_clear(&chan->retrans_list);
6049 break;
6050 case L2CAP_EV_RECV_REJ:
6051 l2cap_handle_rej(chan, control);
6052 break;
6053 case L2CAP_EV_RECV_SREJ:
6054 l2cap_handle_srej(chan, control);
6055 break;
6056 default:
6057 break;
6058 }
6059
6060 if (skb && !skb_in_use) {
6061 BT_DBG("Freeing %p", skb);
6062 kfree_skb(skb);
6063 }
6064
6065 return err;
6066 }
6067
l2cap_rx_state_srej_sent(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)6068 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6069 struct l2cap_ctrl *control,
6070 struct sk_buff *skb, u8 event)
6071 {
6072 int err = 0;
6073 u16 txseq = control->txseq;
6074 bool skb_in_use = false;
6075
6076 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6077 event);
6078
6079 switch (event) {
6080 case L2CAP_EV_RECV_IFRAME:
6081 switch (l2cap_classify_txseq(chan, txseq)) {
6082 case L2CAP_TXSEQ_EXPECTED:
6083 /* Keep frame for reassembly later */
6084 l2cap_pass_to_tx(chan, control);
6085 skb_queue_tail(&chan->srej_q, skb);
6086 skb_in_use = true;
6087 BT_DBG("Queued %p (queue len %d)", skb,
6088 skb_queue_len(&chan->srej_q));
6089
6090 chan->expected_tx_seq = __next_seq(chan, txseq);
6091 break;
6092 case L2CAP_TXSEQ_EXPECTED_SREJ:
6093 l2cap_seq_list_pop(&chan->srej_list);
6094
6095 l2cap_pass_to_tx(chan, control);
6096 skb_queue_tail(&chan->srej_q, skb);
6097 skb_in_use = true;
6098 BT_DBG("Queued %p (queue len %d)", skb,
6099 skb_queue_len(&chan->srej_q));
6100
6101 err = l2cap_rx_queued_iframes(chan);
6102 if (err)
6103 break;
6104
6105 break;
6106 case L2CAP_TXSEQ_UNEXPECTED:
6107 /* Got a frame that can't be reassembled yet.
6108 * Save it for later, and send SREJs to cover
6109 * the missing frames.
6110 */
6111 skb_queue_tail(&chan->srej_q, skb);
6112 skb_in_use = true;
6113 BT_DBG("Queued %p (queue len %d)", skb,
6114 skb_queue_len(&chan->srej_q));
6115
6116 l2cap_pass_to_tx(chan, control);
6117 l2cap_send_srej(chan, control->txseq);
6118 break;
6119 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6120 /* This frame was requested with an SREJ, but
6121 * some expected retransmitted frames are
6122 * missing. Request retransmission of missing
6123 * SREJ'd frames.
6124 */
6125 skb_queue_tail(&chan->srej_q, skb);
6126 skb_in_use = true;
6127 BT_DBG("Queued %p (queue len %d)", skb,
6128 skb_queue_len(&chan->srej_q));
6129
6130 l2cap_pass_to_tx(chan, control);
6131 l2cap_send_srej_list(chan, control->txseq);
6132 break;
6133 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6134 /* We've already queued this frame. Drop this copy. */
6135 l2cap_pass_to_tx(chan, control);
6136 break;
6137 case L2CAP_TXSEQ_DUPLICATE:
6138 /* Expecting a later sequence number, so this frame
6139 * was already received. Ignore it completely.
6140 */
6141 break;
6142 case L2CAP_TXSEQ_INVALID_IGNORE:
6143 break;
6144 case L2CAP_TXSEQ_INVALID:
6145 default:
6146 l2cap_send_disconn_req(chan, ECONNRESET);
6147 break;
6148 }
6149 break;
6150 case L2CAP_EV_RECV_RR:
6151 l2cap_pass_to_tx(chan, control);
6152 if (control->final) {
6153 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6154
6155 if (!test_and_clear_bit(CONN_REJ_ACT,
6156 &chan->conn_state)) {
6157 control->final = 0;
6158 l2cap_retransmit_all(chan, control);
6159 }
6160
6161 l2cap_ertm_send(chan);
6162 } else if (control->poll) {
6163 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6164 &chan->conn_state) &&
6165 chan->unacked_frames) {
6166 __set_retrans_timer(chan);
6167 }
6168
6169 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6170 l2cap_send_srej_tail(chan);
6171 } else {
6172 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6173 &chan->conn_state) &&
6174 chan->unacked_frames)
6175 __set_retrans_timer(chan);
6176
6177 l2cap_send_ack(chan);
6178 }
6179 break;
6180 case L2CAP_EV_RECV_RNR:
6181 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6182 l2cap_pass_to_tx(chan, control);
6183 if (control->poll) {
6184 l2cap_send_srej_tail(chan);
6185 } else {
6186 struct l2cap_ctrl rr_control;
6187 memset(&rr_control, 0, sizeof(rr_control));
6188 rr_control.sframe = 1;
6189 rr_control.super = L2CAP_SUPER_RR;
6190 rr_control.reqseq = chan->buffer_seq;
6191 l2cap_send_sframe(chan, &rr_control);
6192 }
6193
6194 break;
6195 case L2CAP_EV_RECV_REJ:
6196 l2cap_handle_rej(chan, control);
6197 break;
6198 case L2CAP_EV_RECV_SREJ:
6199 l2cap_handle_srej(chan, control);
6200 break;
6201 }
6202
6203 if (skb && !skb_in_use) {
6204 BT_DBG("Freeing %p", skb);
6205 kfree_skb(skb);
6206 }
6207
6208 return err;
6209 }
6210
l2cap_finish_move(struct l2cap_chan * chan)6211 static int l2cap_finish_move(struct l2cap_chan *chan)
6212 {
6213 BT_DBG("chan %p", chan);
6214
6215 chan->rx_state = L2CAP_RX_STATE_RECV;
6216 chan->conn->mtu = chan->conn->hcon->mtu;
6217
6218 return l2cap_resegment(chan);
6219 }
6220
l2cap_rx_state_wait_p(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)6221 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6222 struct l2cap_ctrl *control,
6223 struct sk_buff *skb, u8 event)
6224 {
6225 int err;
6226
6227 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6228 event);
6229
6230 if (!control->poll)
6231 return -EPROTO;
6232
6233 l2cap_process_reqseq(chan, control->reqseq);
6234
6235 if (!skb_queue_empty(&chan->tx_q))
6236 chan->tx_send_head = skb_peek(&chan->tx_q);
6237 else
6238 chan->tx_send_head = NULL;
6239
6240 /* Rewind next_tx_seq to the point expected
6241 * by the receiver.
6242 */
6243 chan->next_tx_seq = control->reqseq;
6244 chan->unacked_frames = 0;
6245
6246 err = l2cap_finish_move(chan);
6247 if (err)
6248 return err;
6249
6250 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6251 l2cap_send_i_or_rr_or_rnr(chan);
6252
6253 if (event == L2CAP_EV_RECV_IFRAME)
6254 return -EPROTO;
6255
6256 return l2cap_rx_state_recv(chan, control, NULL, event);
6257 }
6258
l2cap_rx_state_wait_f(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)6259 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6260 struct l2cap_ctrl *control,
6261 struct sk_buff *skb, u8 event)
6262 {
6263 int err;
6264
6265 if (!control->final)
6266 return -EPROTO;
6267
6268 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6269
6270 chan->rx_state = L2CAP_RX_STATE_RECV;
6271 l2cap_process_reqseq(chan, control->reqseq);
6272
6273 if (!skb_queue_empty(&chan->tx_q))
6274 chan->tx_send_head = skb_peek(&chan->tx_q);
6275 else
6276 chan->tx_send_head = NULL;
6277
6278 /* Rewind next_tx_seq to the point expected
6279 * by the receiver.
6280 */
6281 chan->next_tx_seq = control->reqseq;
6282 chan->unacked_frames = 0;
6283 chan->conn->mtu = chan->conn->hcon->mtu;
6284
6285 err = l2cap_resegment(chan);
6286
6287 if (!err)
6288 err = l2cap_rx_state_recv(chan, control, skb, event);
6289
6290 return err;
6291 }
6292
__valid_reqseq(struct l2cap_chan * chan,u16 reqseq)6293 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6294 {
6295 /* Make sure reqseq is for a packet that has been sent but not acked */
6296 u16 unacked;
6297
6298 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6299 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6300 }
6301
l2cap_rx(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)6302 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6303 struct sk_buff *skb, u8 event)
6304 {
6305 int err = 0;
6306
6307 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6308 control, skb, event, chan->rx_state);
6309
6310 if (__valid_reqseq(chan, control->reqseq)) {
6311 switch (chan->rx_state) {
6312 case L2CAP_RX_STATE_RECV:
6313 err = l2cap_rx_state_recv(chan, control, skb, event);
6314 break;
6315 case L2CAP_RX_STATE_SREJ_SENT:
6316 err = l2cap_rx_state_srej_sent(chan, control, skb,
6317 event);
6318 break;
6319 case L2CAP_RX_STATE_WAIT_P:
6320 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6321 break;
6322 case L2CAP_RX_STATE_WAIT_F:
6323 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6324 break;
6325 default:
6326 /* shut it down */
6327 break;
6328 }
6329 } else {
6330 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6331 control->reqseq, chan->next_tx_seq,
6332 chan->expected_ack_seq);
6333 l2cap_send_disconn_req(chan, ECONNRESET);
6334 }
6335
6336 return err;
6337 }
6338
l2cap_stream_rx(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb)6339 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6340 struct sk_buff *skb)
6341 {
6342 /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store
6343 * the txseq field in advance to use it after l2cap_reassemble_sdu
6344 * returns and to avoid the race condition, for example:
6345 *
6346 * The current thread calls:
6347 * l2cap_reassemble_sdu
6348 * chan->ops->recv == l2cap_sock_recv_cb
6349 * __sock_queue_rcv_skb
6350 * Another thread calls:
6351 * bt_sock_recvmsg
6352 * skb_recv_datagram
6353 * skb_free_datagram
6354 * Then the current thread tries to access control, but it was freed by
6355 * skb_free_datagram.
6356 */
6357 u16 txseq = control->txseq;
6358
6359 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6360 chan->rx_state);
6361
6362 if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) {
6363 l2cap_pass_to_tx(chan, control);
6364
6365 BT_DBG("buffer_seq %u->%u", chan->buffer_seq,
6366 __next_seq(chan, chan->buffer_seq));
6367
6368 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6369
6370 l2cap_reassemble_sdu(chan, skb, control);
6371 } else {
6372 if (chan->sdu) {
6373 kfree_skb(chan->sdu);
6374 chan->sdu = NULL;
6375 }
6376 chan->sdu_last_frag = NULL;
6377 chan->sdu_len = 0;
6378
6379 if (skb) {
6380 BT_DBG("Freeing %p", skb);
6381 kfree_skb(skb);
6382 }
6383 }
6384
6385 chan->last_acked_seq = txseq;
6386 chan->expected_tx_seq = __next_seq(chan, txseq);
6387
6388 return 0;
6389 }
6390
l2cap_data_rcv(struct l2cap_chan * chan,struct sk_buff * skb)6391 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6392 {
6393 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6394 u16 len;
6395 u8 event;
6396
6397 __unpack_control(chan, skb);
6398
6399 len = skb->len;
6400
6401 /*
6402 * We can just drop the corrupted I-frame here.
6403 * Receiver will miss it and start proper recovery
6404 * procedures and ask for retransmission.
6405 */
6406 if (l2cap_check_fcs(chan, skb))
6407 goto drop;
6408
6409 if (!control->sframe && control->sar == L2CAP_SAR_START)
6410 len -= L2CAP_SDULEN_SIZE;
6411
6412 if (chan->fcs == L2CAP_FCS_CRC16)
6413 len -= L2CAP_FCS_SIZE;
6414
6415 if (len > chan->mps) {
6416 l2cap_send_disconn_req(chan, ECONNRESET);
6417 goto drop;
6418 }
6419
6420 if (chan->ops->filter) {
6421 if (chan->ops->filter(chan, skb))
6422 goto drop;
6423 }
6424
6425 if (!control->sframe) {
6426 int err;
6427
6428 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6429 control->sar, control->reqseq, control->final,
6430 control->txseq);
6431
6432 /* Validate F-bit - F=0 always valid, F=1 only
6433 * valid in TX WAIT_F
6434 */
6435 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6436 goto drop;
6437
6438 if (chan->mode != L2CAP_MODE_STREAMING) {
6439 event = L2CAP_EV_RECV_IFRAME;
6440 err = l2cap_rx(chan, control, skb, event);
6441 } else {
6442 err = l2cap_stream_rx(chan, control, skb);
6443 }
6444
6445 if (err)
6446 l2cap_send_disconn_req(chan, ECONNRESET);
6447 } else {
6448 const u8 rx_func_to_event[4] = {
6449 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6450 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6451 };
6452
6453 /* Only I-frames are expected in streaming mode */
6454 if (chan->mode == L2CAP_MODE_STREAMING)
6455 goto drop;
6456
6457 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6458 control->reqseq, control->final, control->poll,
6459 control->super);
6460
6461 if (len != 0) {
6462 BT_ERR("Trailing bytes: %d in sframe", len);
6463 l2cap_send_disconn_req(chan, ECONNRESET);
6464 goto drop;
6465 }
6466
6467 /* Validate F and P bits */
6468 if (control->final && (control->poll ||
6469 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6470 goto drop;
6471
6472 event = rx_func_to_event[control->super];
6473 if (l2cap_rx(chan, control, skb, event))
6474 l2cap_send_disconn_req(chan, ECONNRESET);
6475 }
6476
6477 return 0;
6478
6479 drop:
6480 kfree_skb(skb);
6481 return 0;
6482 }
6483
l2cap_chan_le_send_credits(struct l2cap_chan * chan)6484 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6485 {
6486 struct l2cap_conn *conn = chan->conn;
6487 struct l2cap_le_credits pkt;
6488 u16 return_credits = l2cap_le_rx_credits(chan);
6489
6490 if (chan->rx_credits >= return_credits)
6491 return;
6492
6493 return_credits -= chan->rx_credits;
6494
6495 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6496
6497 chan->rx_credits += return_credits;
6498
6499 pkt.cid = cpu_to_le16(chan->scid);
6500 pkt.credits = cpu_to_le16(return_credits);
6501
6502 chan->ident = l2cap_get_ident(conn);
6503
6504 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6505 }
6506
l2cap_chan_rx_avail(struct l2cap_chan * chan,ssize_t rx_avail)6507 void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail)
6508 {
6509 if (chan->rx_avail == rx_avail)
6510 return;
6511
6512 BT_DBG("chan %p has %zd bytes avail for rx", chan, rx_avail);
6513
6514 chan->rx_avail = rx_avail;
6515
6516 if (chan->state == BT_CONNECTED)
6517 l2cap_chan_le_send_credits(chan);
6518 }
6519
l2cap_ecred_recv(struct l2cap_chan * chan,struct sk_buff * skb)6520 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6521 {
6522 int err;
6523
6524 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6525
6526 /* Wait recv to confirm reception before updating the credits */
6527 err = chan->ops->recv(chan, skb);
6528
6529 if (err < 0 && chan->rx_avail != -1) {
6530 BT_ERR("Queueing received LE L2CAP data failed");
6531 l2cap_send_disconn_req(chan, ECONNRESET);
6532 return err;
6533 }
6534
6535 /* Update credits whenever an SDU is received */
6536 l2cap_chan_le_send_credits(chan);
6537
6538 return err;
6539 }
6540
l2cap_ecred_data_rcv(struct l2cap_chan * chan,struct sk_buff * skb)6541 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6542 {
6543 int err;
6544
6545 if (!chan->rx_credits) {
6546 BT_ERR("No credits to receive LE L2CAP data");
6547 l2cap_send_disconn_req(chan, ECONNRESET);
6548 return -ENOBUFS;
6549 }
6550
6551 if (chan->imtu < skb->len) {
6552 BT_ERR("Too big LE L2CAP PDU");
6553 return -ENOBUFS;
6554 }
6555
6556 chan->rx_credits--;
6557 BT_DBG("chan %p: rx_credits %u -> %u",
6558 chan, chan->rx_credits + 1, chan->rx_credits);
6559
6560 /* Update if remote had run out of credits, this should only happens
6561 * if the remote is not using the entire MPS.
6562 */
6563 if (!chan->rx_credits)
6564 l2cap_chan_le_send_credits(chan);
6565
6566 err = 0;
6567
6568 if (!chan->sdu) {
6569 u16 sdu_len;
6570
6571 sdu_len = get_unaligned_le16(skb->data);
6572 skb_pull(skb, L2CAP_SDULEN_SIZE);
6573
6574 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6575 sdu_len, skb->len, chan->imtu);
6576
6577 if (sdu_len > chan->imtu) {
6578 BT_ERR("Too big LE L2CAP SDU length received");
6579 err = -EMSGSIZE;
6580 goto failed;
6581 }
6582
6583 if (skb->len > sdu_len) {
6584 BT_ERR("Too much LE L2CAP data received");
6585 err = -EINVAL;
6586 goto failed;
6587 }
6588
6589 if (skb->len == sdu_len)
6590 return l2cap_ecred_recv(chan, skb);
6591
6592 chan->sdu = skb;
6593 chan->sdu_len = sdu_len;
6594 chan->sdu_last_frag = skb;
6595
6596 /* Detect if remote is not able to use the selected MPS */
6597 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6598 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6599
6600 /* Adjust the number of credits */
6601 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6602 chan->mps = mps_len;
6603 l2cap_chan_le_send_credits(chan);
6604 }
6605
6606 return 0;
6607 }
6608
6609 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6610 chan->sdu->len, skb->len, chan->sdu_len);
6611
6612 if (chan->sdu->len + skb->len > chan->sdu_len) {
6613 BT_ERR("Too much LE L2CAP data received");
6614 err = -EINVAL;
6615 goto failed;
6616 }
6617
6618 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6619 skb = NULL;
6620
6621 if (chan->sdu->len == chan->sdu_len) {
6622 err = l2cap_ecred_recv(chan, chan->sdu);
6623 if (!err) {
6624 chan->sdu = NULL;
6625 chan->sdu_last_frag = NULL;
6626 chan->sdu_len = 0;
6627 }
6628 }
6629
6630 failed:
6631 if (err) {
6632 kfree_skb(skb);
6633 kfree_skb(chan->sdu);
6634 chan->sdu = NULL;
6635 chan->sdu_last_frag = NULL;
6636 chan->sdu_len = 0;
6637 }
6638
6639 /* We can't return an error here since we took care of the skb
6640 * freeing internally. An error return would cause the caller to
6641 * do a double-free of the skb.
6642 */
6643 return 0;
6644 }
6645
l2cap_data_channel(struct l2cap_conn * conn,u16 cid,struct sk_buff * skb)6646 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6647 struct sk_buff *skb)
6648 {
6649 struct l2cap_chan *chan;
6650
6651 chan = l2cap_get_chan_by_scid(conn, cid);
6652 if (!chan) {
6653 BT_DBG("unknown cid 0x%4.4x", cid);
6654 /* Drop packet and return */
6655 kfree_skb(skb);
6656 return;
6657 }
6658
6659 BT_DBG("chan %p, len %d", chan, skb->len);
6660
6661 /* If we receive data on a fixed channel before the info req/rsp
6662 * procedure is done simply assume that the channel is supported
6663 * and mark it as ready.
6664 */
6665 if (chan->chan_type == L2CAP_CHAN_FIXED)
6666 l2cap_chan_ready(chan);
6667
6668 if (chan->state != BT_CONNECTED)
6669 goto drop;
6670
6671 switch (chan->mode) {
6672 case L2CAP_MODE_LE_FLOWCTL:
6673 case L2CAP_MODE_EXT_FLOWCTL:
6674 if (l2cap_ecred_data_rcv(chan, skb) < 0)
6675 goto drop;
6676
6677 goto done;
6678
6679 case L2CAP_MODE_BASIC:
6680 /* If socket recv buffers overflows we drop data here
6681 * which is *bad* because L2CAP has to be reliable.
6682 * But we don't have any other choice. L2CAP doesn't
6683 * provide flow control mechanism. */
6684
6685 if (chan->imtu < skb->len) {
6686 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6687 goto drop;
6688 }
6689
6690 if (!chan->ops->recv(chan, skb))
6691 goto done;
6692 break;
6693
6694 case L2CAP_MODE_ERTM:
6695 case L2CAP_MODE_STREAMING:
6696 l2cap_data_rcv(chan, skb);
6697 goto done;
6698
6699 default:
6700 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6701 break;
6702 }
6703
6704 drop:
6705 kfree_skb(skb);
6706
6707 done:
6708 l2cap_chan_unlock(chan);
6709 l2cap_chan_put(chan);
6710 }
6711
l2cap_conless_channel(struct l2cap_conn * conn,__le16 psm,struct sk_buff * skb)6712 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6713 struct sk_buff *skb)
6714 {
6715 struct hci_conn *hcon = conn->hcon;
6716 struct l2cap_chan *chan;
6717
6718 if (hcon->type != ACL_LINK)
6719 goto free_skb;
6720
6721 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6722 ACL_LINK);
6723 if (!chan)
6724 goto free_skb;
6725
6726 BT_DBG("chan %p, len %d", chan, skb->len);
6727
6728 l2cap_chan_lock(chan);
6729
6730 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6731 goto drop;
6732
6733 if (chan->imtu < skb->len)
6734 goto drop;
6735
6736 /* Store remote BD_ADDR and PSM for msg_name */
6737 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6738 bt_cb(skb)->l2cap.psm = psm;
6739
6740 if (!chan->ops->recv(chan, skb)) {
6741 l2cap_chan_unlock(chan);
6742 l2cap_chan_put(chan);
6743 return;
6744 }
6745
6746 drop:
6747 l2cap_chan_unlock(chan);
6748 l2cap_chan_put(chan);
6749 free_skb:
6750 kfree_skb(skb);
6751 }
6752
l2cap_recv_frame(struct l2cap_conn * conn,struct sk_buff * skb)6753 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6754 {
6755 struct l2cap_hdr *lh = (void *) skb->data;
6756 struct hci_conn *hcon = conn->hcon;
6757 u16 cid, len;
6758 __le16 psm;
6759
6760 if (hcon->state != BT_CONNECTED) {
6761 BT_DBG("queueing pending rx skb");
6762 skb_queue_tail(&conn->pending_rx, skb);
6763 return;
6764 }
6765
6766 skb_pull(skb, L2CAP_HDR_SIZE);
6767 cid = __le16_to_cpu(lh->cid);
6768 len = __le16_to_cpu(lh->len);
6769
6770 if (len != skb->len) {
6771 kfree_skb(skb);
6772 return;
6773 }
6774
6775 /* Since we can't actively block incoming LE connections we must
6776 * at least ensure that we ignore incoming data from them.
6777 */
6778 if (hcon->type == LE_LINK &&
6779 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst,
6780 bdaddr_dst_type(hcon))) {
6781 kfree_skb(skb);
6782 return;
6783 }
6784
6785 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6786
6787 switch (cid) {
6788 case L2CAP_CID_SIGNALING:
6789 l2cap_sig_channel(conn, skb);
6790 break;
6791
6792 case L2CAP_CID_CONN_LESS:
6793 psm = get_unaligned((__le16 *) skb->data);
6794 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6795 l2cap_conless_channel(conn, psm, skb);
6796 break;
6797
6798 case L2CAP_CID_LE_SIGNALING:
6799 l2cap_le_sig_channel(conn, skb);
6800 break;
6801
6802 default:
6803 l2cap_data_channel(conn, cid, skb);
6804 break;
6805 }
6806 }
6807
process_pending_rx(struct work_struct * work)6808 static void process_pending_rx(struct work_struct *work)
6809 {
6810 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6811 pending_rx_work);
6812 struct sk_buff *skb;
6813
6814 BT_DBG("");
6815
6816 mutex_lock(&conn->lock);
6817
6818 while ((skb = skb_dequeue(&conn->pending_rx)))
6819 l2cap_recv_frame(conn, skb);
6820
6821 mutex_unlock(&conn->lock);
6822 }
6823
l2cap_conn_add(struct hci_conn * hcon)6824 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6825 {
6826 struct l2cap_conn *conn = hcon->l2cap_data;
6827 struct hci_chan *hchan;
6828
6829 if (conn)
6830 return conn;
6831
6832 hchan = hci_chan_create(hcon);
6833 if (!hchan)
6834 return NULL;
6835
6836 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6837 if (!conn) {
6838 hci_chan_del(hchan);
6839 return NULL;
6840 }
6841
6842 kref_init(&conn->ref);
6843 hcon->l2cap_data = conn;
6844 conn->hcon = hci_conn_get(hcon);
6845 conn->hchan = hchan;
6846
6847 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6848
6849 conn->mtu = hcon->mtu;
6850 conn->feat_mask = 0;
6851
6852 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6853
6854 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
6855 (bredr_sc_enabled(hcon->hdev) ||
6856 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
6857 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6858
6859 mutex_init(&conn->ident_lock);
6860 mutex_init(&conn->lock);
6861
6862 INIT_LIST_HEAD(&conn->chan_l);
6863 INIT_LIST_HEAD(&conn->users);
6864
6865 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6866
6867 skb_queue_head_init(&conn->pending_rx);
6868 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6869 INIT_DELAYED_WORK(&conn->id_addr_timer, l2cap_conn_update_id_addr);
6870
6871 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6872
6873 return conn;
6874 }
6875
is_valid_psm(u16 psm,u8 dst_type)6876 static bool is_valid_psm(u16 psm, u8 dst_type)
6877 {
6878 if (!psm)
6879 return false;
6880
6881 if (bdaddr_type_is_le(dst_type))
6882 return (psm <= 0x00ff);
6883
6884 /* PSM must be odd and lsb of upper byte must be 0 */
6885 return ((psm & 0x0101) == 0x0001);
6886 }
6887
6888 struct l2cap_chan_data {
6889 struct l2cap_chan *chan;
6890 struct pid *pid;
6891 int count;
6892 };
6893
l2cap_chan_by_pid(struct l2cap_chan * chan,void * data)6894 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
6895 {
6896 struct l2cap_chan_data *d = data;
6897 struct pid *pid;
6898
6899 if (chan == d->chan)
6900 return;
6901
6902 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
6903 return;
6904
6905 pid = chan->ops->get_peer_pid(chan);
6906
6907 /* Only count deferred channels with the same PID/PSM */
6908 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
6909 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
6910 return;
6911
6912 d->count++;
6913 }
6914
l2cap_chan_connect(struct l2cap_chan * chan,__le16 psm,u16 cid,bdaddr_t * dst,u8 dst_type)6915 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6916 bdaddr_t *dst, u8 dst_type)
6917 {
6918 struct l2cap_conn *conn;
6919 struct hci_conn *hcon;
6920 struct hci_dev *hdev;
6921 int err;
6922
6923 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
6924 dst, dst_type, __le16_to_cpu(psm), chan->mode);
6925
6926 hdev = hci_get_route(dst, &chan->src, chan->src_type);
6927 if (!hdev)
6928 return -EHOSTUNREACH;
6929
6930 hci_dev_lock(hdev);
6931
6932 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6933 chan->chan_type != L2CAP_CHAN_RAW) {
6934 err = -EINVAL;
6935 goto done;
6936 }
6937
6938 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6939 err = -EINVAL;
6940 goto done;
6941 }
6942
6943 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
6944 err = -EINVAL;
6945 goto done;
6946 }
6947
6948 switch (chan->mode) {
6949 case L2CAP_MODE_BASIC:
6950 break;
6951 case L2CAP_MODE_LE_FLOWCTL:
6952 break;
6953 case L2CAP_MODE_EXT_FLOWCTL:
6954 if (!enable_ecred) {
6955 err = -EOPNOTSUPP;
6956 goto done;
6957 }
6958 break;
6959 case L2CAP_MODE_ERTM:
6960 case L2CAP_MODE_STREAMING:
6961 if (!disable_ertm)
6962 break;
6963 fallthrough;
6964 default:
6965 err = -EOPNOTSUPP;
6966 goto done;
6967 }
6968
6969 switch (chan->state) {
6970 case BT_CONNECT:
6971 case BT_CONNECT2:
6972 case BT_CONFIG:
6973 /* Already connecting */
6974 err = 0;
6975 goto done;
6976
6977 case BT_CONNECTED:
6978 /* Already connected */
6979 err = -EISCONN;
6980 goto done;
6981
6982 case BT_OPEN:
6983 case BT_BOUND:
6984 /* Can connect */
6985 break;
6986
6987 default:
6988 err = -EBADFD;
6989 goto done;
6990 }
6991
6992 /* Set destination address and psm */
6993 bacpy(&chan->dst, dst);
6994 chan->dst_type = dst_type;
6995
6996 chan->psm = psm;
6997 chan->dcid = cid;
6998
6999 if (bdaddr_type_is_le(dst_type)) {
7000 /* Convert from L2CAP channel address type to HCI address type
7001 */
7002 if (dst_type == BDADDR_LE_PUBLIC)
7003 dst_type = ADDR_LE_DEV_PUBLIC;
7004 else
7005 dst_type = ADDR_LE_DEV_RANDOM;
7006
7007 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7008 hcon = hci_connect_le(hdev, dst, dst_type, false,
7009 chan->sec_level,
7010 HCI_LE_CONN_TIMEOUT,
7011 HCI_ROLE_SLAVE);
7012 else
7013 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7014 chan->sec_level,
7015 HCI_LE_CONN_TIMEOUT,
7016 CONN_REASON_L2CAP_CHAN);
7017
7018 } else {
7019 u8 auth_type = l2cap_get_auth_type(chan);
7020 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7021 CONN_REASON_L2CAP_CHAN);
7022 }
7023
7024 if (IS_ERR(hcon)) {
7025 err = PTR_ERR(hcon);
7026 goto done;
7027 }
7028
7029 conn = l2cap_conn_add(hcon);
7030 if (!conn) {
7031 hci_conn_drop(hcon);
7032 err = -ENOMEM;
7033 goto done;
7034 }
7035
7036 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7037 struct l2cap_chan_data data;
7038
7039 data.chan = chan;
7040 data.pid = chan->ops->get_peer_pid(chan);
7041 data.count = 1;
7042
7043 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7044
7045 /* Check if there isn't too many channels being connected */
7046 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7047 hci_conn_drop(hcon);
7048 err = -EPROTO;
7049 goto done;
7050 }
7051 }
7052
7053 mutex_lock(&conn->lock);
7054 l2cap_chan_lock(chan);
7055
7056 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7057 hci_conn_drop(hcon);
7058 err = -EBUSY;
7059 goto chan_unlock;
7060 }
7061
7062 /* Update source addr of the socket */
7063 bacpy(&chan->src, &hcon->src);
7064 chan->src_type = bdaddr_src_type(hcon);
7065
7066 __l2cap_chan_add(conn, chan);
7067
7068 /* l2cap_chan_add takes its own ref so we can drop this one */
7069 hci_conn_drop(hcon);
7070
7071 l2cap_state_change(chan, BT_CONNECT);
7072 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7073
7074 /* Release chan->sport so that it can be reused by other
7075 * sockets (as it's only used for listening sockets).
7076 */
7077 write_lock(&chan_list_lock);
7078 chan->sport = 0;
7079 write_unlock(&chan_list_lock);
7080
7081 if (hcon->state == BT_CONNECTED) {
7082 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7083 __clear_chan_timer(chan);
7084 if (l2cap_chan_check_security(chan, true))
7085 l2cap_state_change(chan, BT_CONNECTED);
7086 } else
7087 l2cap_do_start(chan);
7088 }
7089
7090 err = 0;
7091
7092 chan_unlock:
7093 l2cap_chan_unlock(chan);
7094 mutex_unlock(&conn->lock);
7095 done:
7096 hci_dev_unlock(hdev);
7097 hci_dev_put(hdev);
7098 return err;
7099 }
7100 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7101
l2cap_ecred_reconfigure(struct l2cap_chan * chan)7102 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7103 {
7104 struct l2cap_conn *conn = chan->conn;
7105 struct {
7106 struct l2cap_ecred_reconf_req req;
7107 __le16 scid;
7108 } pdu;
7109
7110 pdu.req.mtu = cpu_to_le16(chan->imtu);
7111 pdu.req.mps = cpu_to_le16(chan->mps);
7112 pdu.scid = cpu_to_le16(chan->scid);
7113
7114 chan->ident = l2cap_get_ident(conn);
7115
7116 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
7117 sizeof(pdu), &pdu);
7118 }
7119
l2cap_chan_reconfigure(struct l2cap_chan * chan,__u16 mtu)7120 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
7121 {
7122 if (chan->imtu > mtu)
7123 return -EINVAL;
7124
7125 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
7126
7127 chan->imtu = mtu;
7128
7129 l2cap_ecred_reconfigure(chan);
7130
7131 return 0;
7132 }
7133
7134 /* ---- L2CAP interface with lower layer (HCI) ---- */
7135
l2cap_connect_ind(struct hci_dev * hdev,bdaddr_t * bdaddr)7136 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7137 {
7138 int exact = 0, lm1 = 0, lm2 = 0;
7139 struct l2cap_chan *c;
7140
7141 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7142
7143 /* Find listening sockets and check their link_mode */
7144 read_lock(&chan_list_lock);
7145 list_for_each_entry(c, &chan_list, global_l) {
7146 if (c->state != BT_LISTEN)
7147 continue;
7148
7149 if (!bacmp(&c->src, &hdev->bdaddr)) {
7150 lm1 |= HCI_LM_ACCEPT;
7151 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7152 lm1 |= HCI_LM_MASTER;
7153 exact++;
7154 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7155 lm2 |= HCI_LM_ACCEPT;
7156 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7157 lm2 |= HCI_LM_MASTER;
7158 }
7159 }
7160 read_unlock(&chan_list_lock);
7161
7162 return exact ? lm1 : lm2;
7163 }
7164
7165 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7166 * from an existing channel in the list or from the beginning of the
7167 * global list (by passing NULL as first parameter).
7168 */
l2cap_global_fixed_chan(struct l2cap_chan * c,struct hci_conn * hcon)7169 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7170 struct hci_conn *hcon)
7171 {
7172 u8 src_type = bdaddr_src_type(hcon);
7173
7174 read_lock(&chan_list_lock);
7175
7176 if (c)
7177 c = list_next_entry(c, global_l);
7178 else
7179 c = list_entry(chan_list.next, typeof(*c), global_l);
7180
7181 list_for_each_entry_from(c, &chan_list, global_l) {
7182 if (c->chan_type != L2CAP_CHAN_FIXED)
7183 continue;
7184 if (c->state != BT_LISTEN)
7185 continue;
7186 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7187 continue;
7188 if (src_type != c->src_type)
7189 continue;
7190
7191 c = l2cap_chan_hold_unless_zero(c);
7192 read_unlock(&chan_list_lock);
7193 return c;
7194 }
7195
7196 read_unlock(&chan_list_lock);
7197
7198 return NULL;
7199 }
7200
l2cap_connect_cfm(struct hci_conn * hcon,u8 status)7201 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7202 {
7203 struct hci_dev *hdev = hcon->hdev;
7204 struct l2cap_conn *conn;
7205 struct l2cap_chan *pchan;
7206 u8 dst_type;
7207
7208 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7209 return;
7210
7211 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7212
7213 if (status) {
7214 l2cap_conn_del(hcon, bt_to_errno(status));
7215 return;
7216 }
7217
7218 conn = l2cap_conn_add(hcon);
7219 if (!conn)
7220 return;
7221
7222 dst_type = bdaddr_dst_type(hcon);
7223
7224 /* If device is blocked, do not create channels for it */
7225 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type))
7226 return;
7227
7228 /* Find fixed channels and notify them of the new connection. We
7229 * use multiple individual lookups, continuing each time where
7230 * we left off, because the list lock would prevent calling the
7231 * potentially sleeping l2cap_chan_lock() function.
7232 */
7233 pchan = l2cap_global_fixed_chan(NULL, hcon);
7234 while (pchan) {
7235 struct l2cap_chan *chan, *next;
7236
7237 /* Client fixed channels should override server ones */
7238 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7239 goto next;
7240
7241 l2cap_chan_lock(pchan);
7242 chan = pchan->ops->new_connection(pchan);
7243 if (chan) {
7244 bacpy(&chan->src, &hcon->src);
7245 bacpy(&chan->dst, &hcon->dst);
7246 chan->src_type = bdaddr_src_type(hcon);
7247 chan->dst_type = dst_type;
7248
7249 __l2cap_chan_add(conn, chan);
7250 }
7251
7252 l2cap_chan_unlock(pchan);
7253 next:
7254 next = l2cap_global_fixed_chan(pchan, hcon);
7255 l2cap_chan_put(pchan);
7256 pchan = next;
7257 }
7258
7259 l2cap_conn_ready(conn);
7260 }
7261
l2cap_disconn_ind(struct hci_conn * hcon)7262 int l2cap_disconn_ind(struct hci_conn *hcon)
7263 {
7264 struct l2cap_conn *conn = hcon->l2cap_data;
7265
7266 BT_DBG("hcon %p", hcon);
7267
7268 if (!conn)
7269 return HCI_ERROR_REMOTE_USER_TERM;
7270 return conn->disc_reason;
7271 }
7272
l2cap_disconn_cfm(struct hci_conn * hcon,u8 reason)7273 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7274 {
7275 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7276 return;
7277
7278 BT_DBG("hcon %p reason %d", hcon, reason);
7279
7280 l2cap_conn_del(hcon, bt_to_errno(reason));
7281 }
7282
l2cap_check_encryption(struct l2cap_chan * chan,u8 encrypt)7283 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7284 {
7285 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7286 return;
7287
7288 if (encrypt == 0x00) {
7289 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7290 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7291 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7292 chan->sec_level == BT_SECURITY_FIPS)
7293 l2cap_chan_close(chan, ECONNREFUSED);
7294 } else {
7295 if (chan->sec_level == BT_SECURITY_MEDIUM)
7296 __clear_chan_timer(chan);
7297 }
7298 }
7299
l2cap_security_cfm(struct hci_conn * hcon,u8 status,u8 encrypt)7300 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7301 {
7302 struct l2cap_conn *conn = hcon->l2cap_data;
7303 struct l2cap_chan *chan;
7304
7305 if (!conn)
7306 return;
7307
7308 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7309
7310 mutex_lock(&conn->lock);
7311
7312 list_for_each_entry(chan, &conn->chan_l, list) {
7313 l2cap_chan_lock(chan);
7314
7315 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7316 state_to_string(chan->state));
7317
7318 if (!status && encrypt)
7319 chan->sec_level = hcon->sec_level;
7320
7321 if (!__l2cap_no_conn_pending(chan)) {
7322 l2cap_chan_unlock(chan);
7323 continue;
7324 }
7325
7326 if (!status && (chan->state == BT_CONNECTED ||
7327 chan->state == BT_CONFIG)) {
7328 chan->ops->resume(chan);
7329 l2cap_check_encryption(chan, encrypt);
7330 l2cap_chan_unlock(chan);
7331 continue;
7332 }
7333
7334 if (chan->state == BT_CONNECT) {
7335 if (!status && l2cap_check_enc_key_size(hcon, chan))
7336 l2cap_start_connection(chan);
7337 else
7338 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7339 } else if (chan->state == BT_CONNECT2 &&
7340 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
7341 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
7342 struct l2cap_conn_rsp rsp;
7343 __u16 res, stat;
7344
7345 if (!status && l2cap_check_enc_key_size(hcon, chan)) {
7346 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7347 res = L2CAP_CR_PEND;
7348 stat = L2CAP_CS_AUTHOR_PEND;
7349 chan->ops->defer(chan);
7350 } else {
7351 l2cap_state_change(chan, BT_CONFIG);
7352 res = L2CAP_CR_SUCCESS;
7353 stat = L2CAP_CS_NO_INFO;
7354 }
7355 } else {
7356 l2cap_state_change(chan, BT_DISCONN);
7357 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7358 res = L2CAP_CR_SEC_BLOCK;
7359 stat = L2CAP_CS_NO_INFO;
7360 }
7361
7362 rsp.scid = cpu_to_le16(chan->dcid);
7363 rsp.dcid = cpu_to_le16(chan->scid);
7364 rsp.result = cpu_to_le16(res);
7365 rsp.status = cpu_to_le16(stat);
7366 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7367 sizeof(rsp), &rsp);
7368
7369 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7370 res == L2CAP_CR_SUCCESS) {
7371 char buf[128];
7372 set_bit(CONF_REQ_SENT, &chan->conf_state);
7373 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7374 L2CAP_CONF_REQ,
7375 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7376 buf);
7377 chan->num_conf_req++;
7378 }
7379 }
7380
7381 l2cap_chan_unlock(chan);
7382 }
7383
7384 mutex_unlock(&conn->lock);
7385 }
7386
7387 /* Append fragment into frame respecting the maximum len of rx_skb */
l2cap_recv_frag(struct l2cap_conn * conn,struct sk_buff * skb,u16 len)7388 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb,
7389 u16 len)
7390 {
7391 if (!conn->rx_skb) {
7392 /* Allocate skb for the complete frame (with header) */
7393 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7394 if (!conn->rx_skb)
7395 return -ENOMEM;
7396 /* Init rx_len */
7397 conn->rx_len = len;
7398
7399 skb_set_delivery_time(conn->rx_skb, skb->tstamp,
7400 skb->tstamp_type);
7401 }
7402
7403 /* Copy as much as the rx_skb can hold */
7404 len = min_t(u16, len, skb->len);
7405 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len);
7406 skb_pull(skb, len);
7407 conn->rx_len -= len;
7408
7409 return len;
7410 }
7411
l2cap_recv_len(struct l2cap_conn * conn,struct sk_buff * skb)7412 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb)
7413 {
7414 struct sk_buff *rx_skb;
7415 int len;
7416
7417 /* Append just enough to complete the header */
7418 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len);
7419
7420 /* If header could not be read just continue */
7421 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE)
7422 return len;
7423
7424 rx_skb = conn->rx_skb;
7425 len = get_unaligned_le16(rx_skb->data);
7426
7427 /* Check if rx_skb has enough space to received all fragments */
7428 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) {
7429 /* Update expected len */
7430 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE);
7431 return L2CAP_LEN_SIZE;
7432 }
7433
7434 /* Reset conn->rx_skb since it will need to be reallocated in order to
7435 * fit all fragments.
7436 */
7437 conn->rx_skb = NULL;
7438
7439 /* Reallocates rx_skb using the exact expected length */
7440 len = l2cap_recv_frag(conn, rx_skb,
7441 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE));
7442 kfree_skb(rx_skb);
7443
7444 return len;
7445 }
7446
l2cap_recv_reset(struct l2cap_conn * conn)7447 static void l2cap_recv_reset(struct l2cap_conn *conn)
7448 {
7449 kfree_skb(conn->rx_skb);
7450 conn->rx_skb = NULL;
7451 conn->rx_len = 0;
7452 }
7453
l2cap_conn_hold_unless_zero(struct l2cap_conn * c)7454 struct l2cap_conn *l2cap_conn_hold_unless_zero(struct l2cap_conn *c)
7455 {
7456 if (!c)
7457 return NULL;
7458
7459 BT_DBG("conn %p orig refcnt %u", c, kref_read(&c->ref));
7460
7461 if (!kref_get_unless_zero(&c->ref))
7462 return NULL;
7463
7464 return c;
7465 }
7466
l2cap_recv_acldata(struct hci_conn * hcon,struct sk_buff * skb,u16 flags)7467 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7468 {
7469 struct l2cap_conn *conn;
7470 int len;
7471
7472 /* Lock hdev to access l2cap_data to avoid race with l2cap_conn_del */
7473 hci_dev_lock(hcon->hdev);
7474
7475 conn = hcon->l2cap_data;
7476
7477 if (!conn)
7478 conn = l2cap_conn_add(hcon);
7479
7480 conn = l2cap_conn_hold_unless_zero(conn);
7481
7482 hci_dev_unlock(hcon->hdev);
7483
7484 if (!conn) {
7485 kfree_skb(skb);
7486 return;
7487 }
7488
7489 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
7490
7491 mutex_lock(&conn->lock);
7492
7493 switch (flags) {
7494 case ACL_START:
7495 case ACL_START_NO_FLUSH:
7496 case ACL_COMPLETE:
7497 if (conn->rx_skb) {
7498 BT_ERR("Unexpected start frame (len %d)", skb->len);
7499 l2cap_recv_reset(conn);
7500 l2cap_conn_unreliable(conn, ECOMM);
7501 }
7502
7503 /* Start fragment may not contain the L2CAP length so just
7504 * copy the initial byte when that happens and use conn->mtu as
7505 * expected length.
7506 */
7507 if (skb->len < L2CAP_LEN_SIZE) {
7508 l2cap_recv_frag(conn, skb, conn->mtu);
7509 break;
7510 }
7511
7512 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE;
7513
7514 if (len == skb->len) {
7515 /* Complete frame received */
7516 l2cap_recv_frame(conn, skb);
7517 goto unlock;
7518 }
7519
7520 BT_DBG("Start: total len %d, frag len %u", len, skb->len);
7521
7522 if (skb->len > len) {
7523 BT_ERR("Frame is too long (len %u, expected len %d)",
7524 skb->len, len);
7525 /* PTS test cases L2CAP/COS/CED/BI-14-C and BI-15-C
7526 * (Multiple Signaling Command in one PDU, Data
7527 * Truncated, BR/EDR) send a C-frame to the IUT with
7528 * PDU Length set to 8 and Channel ID set to the
7529 * correct signaling channel for the logical link.
7530 * The Information payload contains one L2CAP_ECHO_REQ
7531 * packet with Data Length set to 0 with 0 octets of
7532 * echo data and one invalid command packet due to
7533 * data truncated in PDU but present in HCI packet.
7534 *
7535 * Shorter the socket buffer to the PDU length to
7536 * allow to process valid commands from the PDU before
7537 * setting the socket unreliable.
7538 */
7539 skb->len = len;
7540 l2cap_recv_frame(conn, skb);
7541 l2cap_conn_unreliable(conn, ECOMM);
7542 goto unlock;
7543 }
7544
7545 /* Append fragment into frame (with header) */
7546 if (l2cap_recv_frag(conn, skb, len) < 0)
7547 goto drop;
7548
7549 break;
7550
7551 case ACL_CONT:
7552 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len);
7553
7554 if (!conn->rx_skb) {
7555 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7556 l2cap_conn_unreliable(conn, ECOMM);
7557 goto drop;
7558 }
7559
7560 /* Complete the L2CAP length if it has not been read */
7561 if (conn->rx_skb->len < L2CAP_LEN_SIZE) {
7562 if (l2cap_recv_len(conn, skb) < 0) {
7563 l2cap_conn_unreliable(conn, ECOMM);
7564 goto drop;
7565 }
7566
7567 /* Header still could not be read just continue */
7568 if (conn->rx_skb->len < L2CAP_LEN_SIZE)
7569 break;
7570 }
7571
7572 if (skb->len > conn->rx_len) {
7573 BT_ERR("Fragment is too long (len %u, expected %u)",
7574 skb->len, conn->rx_len);
7575 l2cap_recv_reset(conn);
7576 l2cap_conn_unreliable(conn, ECOMM);
7577 goto drop;
7578 }
7579
7580 /* Append fragment into frame (with header) */
7581 l2cap_recv_frag(conn, skb, skb->len);
7582
7583 if (!conn->rx_len) {
7584 /* Complete frame received. l2cap_recv_frame
7585 * takes ownership of the skb so set the global
7586 * rx_skb pointer to NULL first.
7587 */
7588 struct sk_buff *rx_skb = conn->rx_skb;
7589 conn->rx_skb = NULL;
7590 l2cap_recv_frame(conn, rx_skb);
7591 }
7592 break;
7593 }
7594
7595 drop:
7596 kfree_skb(skb);
7597 unlock:
7598 mutex_unlock(&conn->lock);
7599 l2cap_conn_put(conn);
7600 }
7601
7602 static struct hci_cb l2cap_cb = {
7603 .name = "L2CAP",
7604 .connect_cfm = l2cap_connect_cfm,
7605 .disconn_cfm = l2cap_disconn_cfm,
7606 .security_cfm = l2cap_security_cfm,
7607 };
7608
l2cap_debugfs_show(struct seq_file * f,void * p)7609 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7610 {
7611 struct l2cap_chan *c;
7612
7613 read_lock(&chan_list_lock);
7614
7615 list_for_each_entry(c, &chan_list, global_l) {
7616 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7617 &c->src, c->src_type, &c->dst, c->dst_type,
7618 c->state, __le16_to_cpu(c->psm),
7619 c->scid, c->dcid, c->imtu, c->omtu,
7620 c->sec_level, c->mode);
7621 }
7622
7623 read_unlock(&chan_list_lock);
7624
7625 return 0;
7626 }
7627
7628 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7629
7630 static struct dentry *l2cap_debugfs;
7631
l2cap_init(void)7632 int __init l2cap_init(void)
7633 {
7634 int err;
7635
7636 err = l2cap_init_sockets();
7637 if (err < 0)
7638 return err;
7639
7640 hci_register_cb(&l2cap_cb);
7641
7642 if (IS_ERR_OR_NULL(bt_debugfs))
7643 return 0;
7644
7645 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7646 NULL, &l2cap_debugfs_fops);
7647
7648 return 0;
7649 }
7650
l2cap_exit(void)7651 void l2cap_exit(void)
7652 {
7653 debugfs_remove(l2cap_debugfs);
7654 hci_unregister_cb(&l2cap_cb);
7655 l2cap_cleanup_sockets();
7656 }
7657
7658 module_param(disable_ertm, bool, 0644);
7659 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7660
7661 module_param(enable_ecred, bool, 0644);
7662 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
7663