1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
36
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
40
41 #include "smp.h"
42
43 #define LE_FLOWCTL_MAX_CREDITS 65535
44
45 bool disable_ertm;
46 bool enable_ecred = IS_ENABLED(CONFIG_BT_LE_L2CAP_ECRED);
47
48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
49
50 static LIST_HEAD(chan_list);
51 static DEFINE_RWLOCK(chan_list_lock);
52
53 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
54 u8 code, u8 ident, u16 dlen, void *data);
55 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
56 void *data);
57 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
58 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
59
60 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
61 struct sk_buff_head *skbs, u8 event);
62 static void l2cap_retrans_timeout(struct work_struct *work);
63 static void l2cap_monitor_timeout(struct work_struct *work);
64 static void l2cap_ack_timeout(struct work_struct *work);
65
bdaddr_type(u8 link_type,u8 bdaddr_type)66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67 {
68 if (link_type == LE_LINK) {
69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76 }
77
bdaddr_src_type(struct hci_conn * hcon)78 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79 {
80 return bdaddr_type(hcon->type, hcon->src_type);
81 }
82
bdaddr_dst_type(struct hci_conn * hcon)83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84 {
85 return bdaddr_type(hcon->type, hcon->dst_type);
86 }
87
88 /* ---- L2CAP channels ---- */
89
__l2cap_get_chan_by_dcid(struct l2cap_conn * conn,u16 cid)90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
91 u16 cid)
92 {
93 struct l2cap_chan *c;
94
95 list_for_each_entry(c, &conn->chan_l, list) {
96 if (c->dcid == cid)
97 return c;
98 }
99 return NULL;
100 }
101
__l2cap_get_chan_by_scid(struct l2cap_conn * conn,u16 cid)102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 u16 cid)
104 {
105 struct l2cap_chan *c;
106
107 list_for_each_entry(c, &conn->chan_l, list) {
108 if (c->scid == cid)
109 return c;
110 }
111 return NULL;
112 }
113
114 /* Find channel with given SCID.
115 * Returns a reference locked channel.
116 */
l2cap_get_chan_by_scid(struct l2cap_conn * conn,u16 cid)117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 u16 cid)
119 {
120 struct l2cap_chan *c;
121
122 c = __l2cap_get_chan_by_scid(conn, cid);
123 if (c) {
124 /* Only lock if chan reference is not 0 */
125 c = l2cap_chan_hold_unless_zero(c);
126 if (c)
127 l2cap_chan_lock(c);
128 }
129
130 return c;
131 }
132
133 /* Find channel with given DCID.
134 * Returns a reference locked channel.
135 */
l2cap_get_chan_by_dcid(struct l2cap_conn * conn,u16 cid)136 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
137 u16 cid)
138 {
139 struct l2cap_chan *c;
140
141 c = __l2cap_get_chan_by_dcid(conn, cid);
142 if (c) {
143 /* Only lock if chan reference is not 0 */
144 c = l2cap_chan_hold_unless_zero(c);
145 if (c)
146 l2cap_chan_lock(c);
147 }
148
149 return c;
150 }
151
__l2cap_get_chan_by_ident(struct l2cap_conn * conn,u8 ident)152 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
153 u8 ident)
154 {
155 struct l2cap_chan *c;
156
157 list_for_each_entry(c, &conn->chan_l, list) {
158 if (c->ident == ident)
159 return c;
160 }
161 return NULL;
162 }
163
__l2cap_global_chan_by_addr(__le16 psm,bdaddr_t * src,u8 src_type)164 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
165 u8 src_type)
166 {
167 struct l2cap_chan *c;
168
169 list_for_each_entry(c, &chan_list, global_l) {
170 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
171 continue;
172
173 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
174 continue;
175
176 if (c->sport == psm && !bacmp(&c->src, src))
177 return c;
178 }
179 return NULL;
180 }
181
l2cap_add_psm(struct l2cap_chan * chan,bdaddr_t * src,__le16 psm)182 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
183 {
184 int err;
185
186 write_lock(&chan_list_lock);
187
188 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
189 err = -EADDRINUSE;
190 goto done;
191 }
192
193 if (psm) {
194 chan->psm = psm;
195 chan->sport = psm;
196 err = 0;
197 } else {
198 u16 p, start, end, incr;
199
200 if (chan->src_type == BDADDR_BREDR) {
201 start = L2CAP_PSM_DYN_START;
202 end = L2CAP_PSM_AUTO_END;
203 incr = 2;
204 } else {
205 start = L2CAP_PSM_LE_DYN_START;
206 end = L2CAP_PSM_LE_DYN_END;
207 incr = 1;
208 }
209
210 err = -EINVAL;
211 for (p = start; p <= end; p += incr)
212 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
213 chan->src_type)) {
214 chan->psm = cpu_to_le16(p);
215 chan->sport = cpu_to_le16(p);
216 err = 0;
217 break;
218 }
219 }
220
221 done:
222 write_unlock(&chan_list_lock);
223 return err;
224 }
225 EXPORT_SYMBOL_GPL(l2cap_add_psm);
226
l2cap_add_scid(struct l2cap_chan * chan,__u16 scid)227 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
228 {
229 write_lock(&chan_list_lock);
230
231 /* Override the defaults (which are for conn-oriented) */
232 chan->omtu = L2CAP_DEFAULT_MTU;
233 chan->chan_type = L2CAP_CHAN_FIXED;
234
235 chan->scid = scid;
236
237 write_unlock(&chan_list_lock);
238
239 return 0;
240 }
241
l2cap_alloc_cid(struct l2cap_conn * conn)242 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
243 {
244 u16 cid, dyn_end;
245
246 if (conn->hcon->type == LE_LINK)
247 dyn_end = L2CAP_CID_LE_DYN_END;
248 else
249 dyn_end = L2CAP_CID_DYN_END;
250
251 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
252 if (!__l2cap_get_chan_by_scid(conn, cid))
253 return cid;
254 }
255
256 return 0;
257 }
258
l2cap_state_change(struct l2cap_chan * chan,int state)259 static void l2cap_state_change(struct l2cap_chan *chan, int state)
260 {
261 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
262 state_to_string(state));
263
264 chan->state = state;
265 chan->ops->state_change(chan, state, 0);
266 }
267
l2cap_state_change_and_error(struct l2cap_chan * chan,int state,int err)268 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
269 int state, int err)
270 {
271 chan->state = state;
272 chan->ops->state_change(chan, chan->state, err);
273 }
274
l2cap_chan_set_err(struct l2cap_chan * chan,int err)275 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
276 {
277 chan->ops->state_change(chan, chan->state, err);
278 }
279
__set_retrans_timer(struct l2cap_chan * chan)280 static void __set_retrans_timer(struct l2cap_chan *chan)
281 {
282 if (!delayed_work_pending(&chan->monitor_timer) &&
283 chan->retrans_timeout) {
284 l2cap_set_timer(chan, &chan->retrans_timer,
285 msecs_to_jiffies(chan->retrans_timeout));
286 }
287 }
288
__set_monitor_timer(struct l2cap_chan * chan)289 static void __set_monitor_timer(struct l2cap_chan *chan)
290 {
291 __clear_retrans_timer(chan);
292 if (chan->monitor_timeout) {
293 l2cap_set_timer(chan, &chan->monitor_timer,
294 msecs_to_jiffies(chan->monitor_timeout));
295 }
296 }
297
l2cap_ertm_seq_in_queue(struct sk_buff_head * head,u16 seq)298 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
299 u16 seq)
300 {
301 struct sk_buff *skb;
302
303 skb_queue_walk(head, skb) {
304 if (bt_cb(skb)->l2cap.txseq == seq)
305 return skb;
306 }
307
308 return NULL;
309 }
310
311 /* ---- L2CAP sequence number lists ---- */
312
313 /* For ERTM, ordered lists of sequence numbers must be tracked for
314 * SREJ requests that are received and for frames that are to be
315 * retransmitted. These seq_list functions implement a singly-linked
316 * list in an array, where membership in the list can also be checked
317 * in constant time. Items can also be added to the tail of the list
318 * and removed from the head in constant time, without further memory
319 * allocs or frees.
320 */
321
l2cap_seq_list_init(struct l2cap_seq_list * seq_list,u16 size)322 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
323 {
324 size_t alloc_size, i;
325
326 /* Allocated size is a power of 2 to map sequence numbers
327 * (which may be up to 14 bits) in to a smaller array that is
328 * sized for the negotiated ERTM transmit windows.
329 */
330 alloc_size = roundup_pow_of_two(size);
331
332 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
333 if (!seq_list->list)
334 return -ENOMEM;
335
336 seq_list->mask = alloc_size - 1;
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
339 for (i = 0; i < alloc_size; i++)
340 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
341
342 return 0;
343 }
344
l2cap_seq_list_free(struct l2cap_seq_list * seq_list)345 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
346 {
347 kfree(seq_list->list);
348 }
349
l2cap_seq_list_contains(struct l2cap_seq_list * seq_list,u16 seq)350 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
351 u16 seq)
352 {
353 /* Constant-time check for list membership */
354 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
355 }
356
l2cap_seq_list_pop(struct l2cap_seq_list * seq_list)357 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
358 {
359 u16 seq = seq_list->head;
360 u16 mask = seq_list->mask;
361
362 seq_list->head = seq_list->list[seq & mask];
363 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
364
365 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
366 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
367 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
368 }
369
370 return seq;
371 }
372
l2cap_seq_list_clear(struct l2cap_seq_list * seq_list)373 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
374 {
375 u16 i;
376
377 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
378 return;
379
380 for (i = 0; i <= seq_list->mask; i++)
381 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
382
383 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
384 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
385 }
386
l2cap_seq_list_append(struct l2cap_seq_list * seq_list,u16 seq)387 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
388 {
389 u16 mask = seq_list->mask;
390
391 /* All appends happen in constant time */
392
393 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
394 return;
395
396 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
397 seq_list->head = seq;
398 else
399 seq_list->list[seq_list->tail & mask] = seq;
400
401 seq_list->tail = seq;
402 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
403 }
404
l2cap_chan_timeout(struct work_struct * work)405 static void l2cap_chan_timeout(struct work_struct *work)
406 {
407 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
408 chan_timer.work);
409 struct l2cap_conn *conn = chan->conn;
410 int reason;
411
412 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
413
414 if (!conn)
415 return;
416
417 mutex_lock(&conn->lock);
418 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
419 * this work. No need to call l2cap_chan_hold(chan) here again.
420 */
421 l2cap_chan_lock(chan);
422
423 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
424 reason = ECONNREFUSED;
425 else if (chan->state == BT_CONNECT &&
426 chan->sec_level != BT_SECURITY_SDP)
427 reason = ECONNREFUSED;
428 else
429 reason = ETIMEDOUT;
430
431 l2cap_chan_close(chan, reason);
432
433 chan->ops->close(chan);
434
435 l2cap_chan_unlock(chan);
436 l2cap_chan_put(chan);
437
438 mutex_unlock(&conn->lock);
439 }
440
l2cap_chan_create(void)441 struct l2cap_chan *l2cap_chan_create(void)
442 {
443 struct l2cap_chan *chan;
444
445 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
446 if (!chan)
447 return NULL;
448
449 skb_queue_head_init(&chan->tx_q);
450 skb_queue_head_init(&chan->srej_q);
451 mutex_init(&chan->lock);
452
453 /* Set default lock nesting level */
454 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
455
456 /* Available receive buffer space is initially unknown */
457 chan->rx_avail = -1;
458
459 write_lock(&chan_list_lock);
460 list_add(&chan->global_l, &chan_list);
461 write_unlock(&chan_list_lock);
462
463 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
464 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
465 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
466 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
467
468 chan->state = BT_OPEN;
469
470 kref_init(&chan->kref);
471
472 /* This flag is cleared in l2cap_chan_ready() */
473 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
474
475 BT_DBG("chan %p", chan);
476
477 return chan;
478 }
479 EXPORT_SYMBOL_GPL(l2cap_chan_create);
480
l2cap_chan_destroy(struct kref * kref)481 static void l2cap_chan_destroy(struct kref *kref)
482 {
483 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
484
485 BT_DBG("chan %p", chan);
486
487 write_lock(&chan_list_lock);
488 list_del(&chan->global_l);
489 write_unlock(&chan_list_lock);
490
491 kfree(chan);
492 }
493
l2cap_chan_hold(struct l2cap_chan * c)494 void l2cap_chan_hold(struct l2cap_chan *c)
495 {
496 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
497
498 kref_get(&c->kref);
499 }
500
l2cap_chan_hold_unless_zero(struct l2cap_chan * c)501 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c)
502 {
503 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
504
505 if (!kref_get_unless_zero(&c->kref))
506 return NULL;
507
508 return c;
509 }
510
l2cap_chan_put(struct l2cap_chan * c)511 void l2cap_chan_put(struct l2cap_chan *c)
512 {
513 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
514
515 kref_put(&c->kref, l2cap_chan_destroy);
516 }
517 EXPORT_SYMBOL_GPL(l2cap_chan_put);
518
l2cap_chan_set_defaults(struct l2cap_chan * chan)519 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
520 {
521 chan->fcs = L2CAP_FCS_CRC16;
522 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
523 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
524 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
525 chan->remote_max_tx = chan->max_tx;
526 chan->remote_tx_win = chan->tx_win;
527 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
528 chan->sec_level = BT_SECURITY_LOW;
529 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
530 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
531 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
532
533 chan->conf_state = 0;
534 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
535
536 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
537 }
538 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
539
l2cap_le_rx_credits(struct l2cap_chan * chan)540 static __u16 l2cap_le_rx_credits(struct l2cap_chan *chan)
541 {
542 size_t sdu_len = chan->sdu ? chan->sdu->len : 0;
543
544 if (chan->mps == 0)
545 return 0;
546
547 /* If we don't know the available space in the receiver buffer, give
548 * enough credits for a full packet.
549 */
550 if (chan->rx_avail == -1)
551 return (chan->imtu / chan->mps) + 1;
552
553 /* If we know how much space is available in the receive buffer, give
554 * out as many credits as would fill the buffer.
555 */
556 if (chan->rx_avail <= sdu_len)
557 return 0;
558
559 return DIV_ROUND_UP(chan->rx_avail - sdu_len, chan->mps);
560 }
561
l2cap_le_flowctl_init(struct l2cap_chan * chan,u16 tx_credits)562 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
563 {
564 chan->sdu = NULL;
565 chan->sdu_last_frag = NULL;
566 chan->sdu_len = 0;
567 chan->tx_credits = tx_credits;
568 /* Derive MPS from connection MTU to stop HCI fragmentation */
569 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
570 chan->rx_credits = l2cap_le_rx_credits(chan);
571
572 skb_queue_head_init(&chan->tx_q);
573 }
574
l2cap_ecred_init(struct l2cap_chan * chan,u16 tx_credits)575 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
576 {
577 l2cap_le_flowctl_init(chan, tx_credits);
578
579 /* L2CAP implementations shall support a minimum MPS of 64 octets */
580 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
581 chan->mps = L2CAP_ECRED_MIN_MPS;
582 chan->rx_credits = l2cap_le_rx_credits(chan);
583 }
584 }
585
__l2cap_chan_add(struct l2cap_conn * conn,struct l2cap_chan * chan)586 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
587 {
588 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
589 __le16_to_cpu(chan->psm), chan->dcid);
590
591 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
592
593 chan->conn = conn;
594
595 switch (chan->chan_type) {
596 case L2CAP_CHAN_CONN_ORIENTED:
597 /* Alloc CID for connection-oriented socket */
598 chan->scid = l2cap_alloc_cid(conn);
599 if (conn->hcon->type == ACL_LINK)
600 chan->omtu = L2CAP_DEFAULT_MTU;
601 break;
602
603 case L2CAP_CHAN_CONN_LESS:
604 /* Connectionless socket */
605 chan->scid = L2CAP_CID_CONN_LESS;
606 chan->dcid = L2CAP_CID_CONN_LESS;
607 chan->omtu = L2CAP_DEFAULT_MTU;
608 break;
609
610 case L2CAP_CHAN_FIXED:
611 /* Caller will set CID and CID specific MTU values */
612 break;
613
614 default:
615 /* Raw socket can send/recv signalling messages only */
616 chan->scid = L2CAP_CID_SIGNALING;
617 chan->dcid = L2CAP_CID_SIGNALING;
618 chan->omtu = L2CAP_DEFAULT_MTU;
619 }
620
621 chan->local_id = L2CAP_BESTEFFORT_ID;
622 chan->local_stype = L2CAP_SERV_BESTEFFORT;
623 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
624 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
625 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
626 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
627
628 l2cap_chan_hold(chan);
629
630 /* Only keep a reference for fixed channels if they requested it */
631 if (chan->chan_type != L2CAP_CHAN_FIXED ||
632 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
633 hci_conn_hold(conn->hcon);
634
635 /* Append to the list since the order matters for ECRED */
636 list_add_tail(&chan->list, &conn->chan_l);
637 }
638
l2cap_chan_add(struct l2cap_conn * conn,struct l2cap_chan * chan)639 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
640 {
641 mutex_lock(&conn->lock);
642 __l2cap_chan_add(conn, chan);
643 mutex_unlock(&conn->lock);
644 }
645
l2cap_chan_del(struct l2cap_chan * chan,int err)646 void l2cap_chan_del(struct l2cap_chan *chan, int err)
647 {
648 struct l2cap_conn *conn = chan->conn;
649
650 __clear_chan_timer(chan);
651
652 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
653 state_to_string(chan->state));
654
655 chan->ops->teardown(chan, err);
656
657 if (conn) {
658 /* Delete from channel list */
659 list_del(&chan->list);
660
661 l2cap_chan_put(chan);
662
663 chan->conn = NULL;
664
665 /* Reference was only held for non-fixed channels or
666 * fixed channels that explicitly requested it using the
667 * FLAG_HOLD_HCI_CONN flag.
668 */
669 if (chan->chan_type != L2CAP_CHAN_FIXED ||
670 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
671 hci_conn_drop(conn->hcon);
672 }
673
674 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
675 return;
676
677 switch (chan->mode) {
678 case L2CAP_MODE_BASIC:
679 break;
680
681 case L2CAP_MODE_LE_FLOWCTL:
682 case L2CAP_MODE_EXT_FLOWCTL:
683 skb_queue_purge(&chan->tx_q);
684 break;
685
686 case L2CAP_MODE_ERTM:
687 __clear_retrans_timer(chan);
688 __clear_monitor_timer(chan);
689 __clear_ack_timer(chan);
690
691 skb_queue_purge(&chan->srej_q);
692
693 l2cap_seq_list_free(&chan->srej_list);
694 l2cap_seq_list_free(&chan->retrans_list);
695 fallthrough;
696
697 case L2CAP_MODE_STREAMING:
698 skb_queue_purge(&chan->tx_q);
699 break;
700 }
701 }
702 EXPORT_SYMBOL_GPL(l2cap_chan_del);
703
__l2cap_chan_list_id(struct l2cap_conn * conn,u16 id,l2cap_chan_func_t func,void * data)704 static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id,
705 l2cap_chan_func_t func, void *data)
706 {
707 struct l2cap_chan *chan, *l;
708
709 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
710 if (chan->ident == id)
711 func(chan, data);
712 }
713 }
714
__l2cap_chan_list(struct l2cap_conn * conn,l2cap_chan_func_t func,void * data)715 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
716 void *data)
717 {
718 struct l2cap_chan *chan;
719
720 list_for_each_entry(chan, &conn->chan_l, list) {
721 func(chan, data);
722 }
723 }
724
l2cap_chan_list(struct l2cap_conn * conn,l2cap_chan_func_t func,void * data)725 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
726 void *data)
727 {
728 if (!conn)
729 return;
730
731 mutex_lock(&conn->lock);
732 __l2cap_chan_list(conn, func, data);
733 mutex_unlock(&conn->lock);
734 }
735
736 EXPORT_SYMBOL_GPL(l2cap_chan_list);
737
l2cap_conn_update_id_addr(struct work_struct * work)738 static void l2cap_conn_update_id_addr(struct work_struct *work)
739 {
740 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
741 id_addr_timer.work);
742 struct hci_conn *hcon = conn->hcon;
743 struct l2cap_chan *chan;
744
745 mutex_lock(&conn->lock);
746
747 list_for_each_entry(chan, &conn->chan_l, list) {
748 l2cap_chan_lock(chan);
749 bacpy(&chan->dst, &hcon->dst);
750 chan->dst_type = bdaddr_dst_type(hcon);
751 l2cap_chan_unlock(chan);
752 }
753
754 mutex_unlock(&conn->lock);
755 }
756
l2cap_chan_le_connect_reject(struct l2cap_chan * chan)757 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
758 {
759 struct l2cap_conn *conn = chan->conn;
760 struct l2cap_le_conn_rsp rsp;
761 u16 result;
762
763 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
764 result = L2CAP_CR_LE_AUTHORIZATION;
765 else
766 result = L2CAP_CR_LE_BAD_PSM;
767
768 l2cap_state_change(chan, BT_DISCONN);
769
770 rsp.dcid = cpu_to_le16(chan->scid);
771 rsp.mtu = cpu_to_le16(chan->imtu);
772 rsp.mps = cpu_to_le16(chan->mps);
773 rsp.credits = cpu_to_le16(chan->rx_credits);
774 rsp.result = cpu_to_le16(result);
775
776 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
777 &rsp);
778 }
779
l2cap_chan_ecred_connect_reject(struct l2cap_chan * chan)780 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
781 {
782 l2cap_state_change(chan, BT_DISCONN);
783
784 __l2cap_ecred_conn_rsp_defer(chan);
785 }
786
l2cap_chan_connect_reject(struct l2cap_chan * chan)787 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
788 {
789 struct l2cap_conn *conn = chan->conn;
790 struct l2cap_conn_rsp rsp;
791 u16 result;
792
793 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
794 result = L2CAP_CR_SEC_BLOCK;
795 else
796 result = L2CAP_CR_BAD_PSM;
797
798 l2cap_state_change(chan, BT_DISCONN);
799
800 rsp.scid = cpu_to_le16(chan->dcid);
801 rsp.dcid = cpu_to_le16(chan->scid);
802 rsp.result = cpu_to_le16(result);
803 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
804
805 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
806 }
807
l2cap_chan_close(struct l2cap_chan * chan,int reason)808 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
809 {
810 struct l2cap_conn *conn = chan->conn;
811
812 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
813
814 switch (chan->state) {
815 case BT_LISTEN:
816 chan->ops->teardown(chan, 0);
817 break;
818
819 case BT_CONNECTED:
820 case BT_CONFIG:
821 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
822 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
823 l2cap_send_disconn_req(chan, reason);
824 } else
825 l2cap_chan_del(chan, reason);
826 break;
827
828 case BT_CONNECT2:
829 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
830 if (conn->hcon->type == ACL_LINK)
831 l2cap_chan_connect_reject(chan);
832 else if (conn->hcon->type == LE_LINK) {
833 switch (chan->mode) {
834 case L2CAP_MODE_LE_FLOWCTL:
835 l2cap_chan_le_connect_reject(chan);
836 break;
837 case L2CAP_MODE_EXT_FLOWCTL:
838 l2cap_chan_ecred_connect_reject(chan);
839 return;
840 }
841 }
842 }
843
844 l2cap_chan_del(chan, reason);
845 break;
846
847 case BT_CONNECT:
848 case BT_DISCONN:
849 l2cap_chan_del(chan, reason);
850 break;
851
852 default:
853 chan->ops->teardown(chan, 0);
854 break;
855 }
856 }
857 EXPORT_SYMBOL(l2cap_chan_close);
858
l2cap_get_auth_type(struct l2cap_chan * chan)859 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
860 {
861 switch (chan->chan_type) {
862 case L2CAP_CHAN_RAW:
863 switch (chan->sec_level) {
864 case BT_SECURITY_HIGH:
865 case BT_SECURITY_FIPS:
866 return HCI_AT_DEDICATED_BONDING_MITM;
867 case BT_SECURITY_MEDIUM:
868 return HCI_AT_DEDICATED_BONDING;
869 default:
870 return HCI_AT_NO_BONDING;
871 }
872 break;
873 case L2CAP_CHAN_CONN_LESS:
874 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
875 if (chan->sec_level == BT_SECURITY_LOW)
876 chan->sec_level = BT_SECURITY_SDP;
877 }
878 if (chan->sec_level == BT_SECURITY_HIGH ||
879 chan->sec_level == BT_SECURITY_FIPS)
880 return HCI_AT_NO_BONDING_MITM;
881 else
882 return HCI_AT_NO_BONDING;
883 break;
884 case L2CAP_CHAN_CONN_ORIENTED:
885 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
886 if (chan->sec_level == BT_SECURITY_LOW)
887 chan->sec_level = BT_SECURITY_SDP;
888
889 if (chan->sec_level == BT_SECURITY_HIGH ||
890 chan->sec_level == BT_SECURITY_FIPS)
891 return HCI_AT_NO_BONDING_MITM;
892 else
893 return HCI_AT_NO_BONDING;
894 }
895 fallthrough;
896
897 default:
898 switch (chan->sec_level) {
899 case BT_SECURITY_HIGH:
900 case BT_SECURITY_FIPS:
901 return HCI_AT_GENERAL_BONDING_MITM;
902 case BT_SECURITY_MEDIUM:
903 return HCI_AT_GENERAL_BONDING;
904 default:
905 return HCI_AT_NO_BONDING;
906 }
907 break;
908 }
909 }
910
911 /* Service level security */
l2cap_chan_check_security(struct l2cap_chan * chan,bool initiator)912 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
913 {
914 struct l2cap_conn *conn = chan->conn;
915 __u8 auth_type;
916
917 if (conn->hcon->type == LE_LINK)
918 return smp_conn_security(conn->hcon, chan->sec_level);
919
920 auth_type = l2cap_get_auth_type(chan);
921
922 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
923 initiator);
924 }
925
l2cap_get_ident(struct l2cap_conn * conn)926 static u8 l2cap_get_ident(struct l2cap_conn *conn)
927 {
928 u8 id;
929
930 /* Get next available identificator.
931 * 1 - 128 are used by kernel.
932 * 129 - 199 are reserved.
933 * 200 - 254 are used by utilities like l2ping, etc.
934 */
935
936 mutex_lock(&conn->ident_lock);
937
938 if (++conn->tx_ident > 128)
939 conn->tx_ident = 1;
940
941 id = conn->tx_ident;
942
943 mutex_unlock(&conn->ident_lock);
944
945 return id;
946 }
947
l2cap_send_acl(struct l2cap_conn * conn,struct sk_buff * skb,u8 flags)948 static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
949 u8 flags)
950 {
951 /* Check if the hcon still valid before attempting to send */
952 if (hci_conn_valid(conn->hcon->hdev, conn->hcon))
953 hci_send_acl(conn->hchan, skb, flags);
954 else
955 kfree_skb(skb);
956 }
957
l2cap_send_cmd(struct l2cap_conn * conn,u8 ident,u8 code,u16 len,void * data)958 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
959 void *data)
960 {
961 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
962 u8 flags;
963
964 BT_DBG("code 0x%2.2x", code);
965
966 if (!skb)
967 return;
968
969 /* Use NO_FLUSH if supported or we have an LE link (which does
970 * not support auto-flushing packets) */
971 if (lmp_no_flush_capable(conn->hcon->hdev) ||
972 conn->hcon->type == LE_LINK)
973 flags = ACL_START_NO_FLUSH;
974 else
975 flags = ACL_START;
976
977 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
978 skb->priority = HCI_PRIO_MAX;
979
980 l2cap_send_acl(conn, skb, flags);
981 }
982
l2cap_do_send(struct l2cap_chan * chan,struct sk_buff * skb)983 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
984 {
985 struct hci_conn *hcon = chan->conn->hcon;
986 u16 flags;
987
988 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
989 skb->priority);
990
991 /* Use NO_FLUSH for LE links (where this is the only option) or
992 * if the BR/EDR link supports it and flushing has not been
993 * explicitly requested (through FLAG_FLUSHABLE).
994 */
995 if (hcon->type == LE_LINK ||
996 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
997 lmp_no_flush_capable(hcon->hdev)))
998 flags = ACL_START_NO_FLUSH;
999 else
1000 flags = ACL_START;
1001
1002 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1003 hci_send_acl(chan->conn->hchan, skb, flags);
1004 }
1005
__unpack_enhanced_control(u16 enh,struct l2cap_ctrl * control)1006 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
1007 {
1008 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
1009 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
1010
1011 if (enh & L2CAP_CTRL_FRAME_TYPE) {
1012 /* S-Frame */
1013 control->sframe = 1;
1014 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
1015 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1016
1017 control->sar = 0;
1018 control->txseq = 0;
1019 } else {
1020 /* I-Frame */
1021 control->sframe = 0;
1022 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1023 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1024
1025 control->poll = 0;
1026 control->super = 0;
1027 }
1028 }
1029
__unpack_extended_control(u32 ext,struct l2cap_ctrl * control)1030 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1031 {
1032 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1033 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1034
1035 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1036 /* S-Frame */
1037 control->sframe = 1;
1038 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1039 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1040
1041 control->sar = 0;
1042 control->txseq = 0;
1043 } else {
1044 /* I-Frame */
1045 control->sframe = 0;
1046 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1047 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1048
1049 control->poll = 0;
1050 control->super = 0;
1051 }
1052 }
1053
__unpack_control(struct l2cap_chan * chan,struct sk_buff * skb)1054 static inline void __unpack_control(struct l2cap_chan *chan,
1055 struct sk_buff *skb)
1056 {
1057 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1058 __unpack_extended_control(get_unaligned_le32(skb->data),
1059 &bt_cb(skb)->l2cap);
1060 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1061 } else {
1062 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1063 &bt_cb(skb)->l2cap);
1064 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1065 }
1066 }
1067
__pack_extended_control(struct l2cap_ctrl * control)1068 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1069 {
1070 u32 packed;
1071
1072 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1073 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1074
1075 if (control->sframe) {
1076 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1077 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1078 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1079 } else {
1080 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1081 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1082 }
1083
1084 return packed;
1085 }
1086
__pack_enhanced_control(struct l2cap_ctrl * control)1087 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1088 {
1089 u16 packed;
1090
1091 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1092 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1093
1094 if (control->sframe) {
1095 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1096 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1097 packed |= L2CAP_CTRL_FRAME_TYPE;
1098 } else {
1099 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1100 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1101 }
1102
1103 return packed;
1104 }
1105
__pack_control(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb)1106 static inline void __pack_control(struct l2cap_chan *chan,
1107 struct l2cap_ctrl *control,
1108 struct sk_buff *skb)
1109 {
1110 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1111 put_unaligned_le32(__pack_extended_control(control),
1112 skb->data + L2CAP_HDR_SIZE);
1113 } else {
1114 put_unaligned_le16(__pack_enhanced_control(control),
1115 skb->data + L2CAP_HDR_SIZE);
1116 }
1117 }
1118
__ertm_hdr_size(struct l2cap_chan * chan)1119 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1120 {
1121 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1122 return L2CAP_EXT_HDR_SIZE;
1123 else
1124 return L2CAP_ENH_HDR_SIZE;
1125 }
1126
l2cap_create_sframe_pdu(struct l2cap_chan * chan,u32 control)1127 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1128 u32 control)
1129 {
1130 struct sk_buff *skb;
1131 struct l2cap_hdr *lh;
1132 int hlen = __ertm_hdr_size(chan);
1133
1134 if (chan->fcs == L2CAP_FCS_CRC16)
1135 hlen += L2CAP_FCS_SIZE;
1136
1137 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1138
1139 if (!skb)
1140 return ERR_PTR(-ENOMEM);
1141
1142 lh = skb_put(skb, L2CAP_HDR_SIZE);
1143 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1144 lh->cid = cpu_to_le16(chan->dcid);
1145
1146 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1147 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1148 else
1149 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1150
1151 if (chan->fcs == L2CAP_FCS_CRC16) {
1152 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1153 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1154 }
1155
1156 skb->priority = HCI_PRIO_MAX;
1157 return skb;
1158 }
1159
l2cap_send_sframe(struct l2cap_chan * chan,struct l2cap_ctrl * control)1160 static void l2cap_send_sframe(struct l2cap_chan *chan,
1161 struct l2cap_ctrl *control)
1162 {
1163 struct sk_buff *skb;
1164 u32 control_field;
1165
1166 BT_DBG("chan %p, control %p", chan, control);
1167
1168 if (!control->sframe)
1169 return;
1170
1171 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1172 !control->poll)
1173 control->final = 1;
1174
1175 if (control->super == L2CAP_SUPER_RR)
1176 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1177 else if (control->super == L2CAP_SUPER_RNR)
1178 set_bit(CONN_RNR_SENT, &chan->conn_state);
1179
1180 if (control->super != L2CAP_SUPER_SREJ) {
1181 chan->last_acked_seq = control->reqseq;
1182 __clear_ack_timer(chan);
1183 }
1184
1185 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1186 control->final, control->poll, control->super);
1187
1188 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1189 control_field = __pack_extended_control(control);
1190 else
1191 control_field = __pack_enhanced_control(control);
1192
1193 skb = l2cap_create_sframe_pdu(chan, control_field);
1194 if (!IS_ERR(skb))
1195 l2cap_do_send(chan, skb);
1196 }
1197
l2cap_send_rr_or_rnr(struct l2cap_chan * chan,bool poll)1198 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1199 {
1200 struct l2cap_ctrl control;
1201
1202 BT_DBG("chan %p, poll %d", chan, poll);
1203
1204 memset(&control, 0, sizeof(control));
1205 control.sframe = 1;
1206 control.poll = poll;
1207
1208 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1209 control.super = L2CAP_SUPER_RNR;
1210 else
1211 control.super = L2CAP_SUPER_RR;
1212
1213 control.reqseq = chan->buffer_seq;
1214 l2cap_send_sframe(chan, &control);
1215 }
1216
__l2cap_no_conn_pending(struct l2cap_chan * chan)1217 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1218 {
1219 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1220 return true;
1221
1222 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1223 }
1224
l2cap_send_conn_req(struct l2cap_chan * chan)1225 void l2cap_send_conn_req(struct l2cap_chan *chan)
1226 {
1227 struct l2cap_conn *conn = chan->conn;
1228 struct l2cap_conn_req req;
1229
1230 req.scid = cpu_to_le16(chan->scid);
1231 req.psm = chan->psm;
1232
1233 chan->ident = l2cap_get_ident(conn);
1234
1235 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1236
1237 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1238 }
1239
l2cap_chan_ready(struct l2cap_chan * chan)1240 static void l2cap_chan_ready(struct l2cap_chan *chan)
1241 {
1242 /* The channel may have already been flagged as connected in
1243 * case of receiving data before the L2CAP info req/rsp
1244 * procedure is complete.
1245 */
1246 if (chan->state == BT_CONNECTED)
1247 return;
1248
1249 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1250 chan->conf_state = 0;
1251 __clear_chan_timer(chan);
1252
1253 switch (chan->mode) {
1254 case L2CAP_MODE_LE_FLOWCTL:
1255 case L2CAP_MODE_EXT_FLOWCTL:
1256 if (!chan->tx_credits)
1257 chan->ops->suspend(chan);
1258 break;
1259 }
1260
1261 chan->state = BT_CONNECTED;
1262
1263 chan->ops->ready(chan);
1264 }
1265
l2cap_le_connect(struct l2cap_chan * chan)1266 static void l2cap_le_connect(struct l2cap_chan *chan)
1267 {
1268 struct l2cap_conn *conn = chan->conn;
1269 struct l2cap_le_conn_req req;
1270
1271 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1272 return;
1273
1274 if (!chan->imtu)
1275 chan->imtu = chan->conn->mtu;
1276
1277 l2cap_le_flowctl_init(chan, 0);
1278
1279 memset(&req, 0, sizeof(req));
1280 req.psm = chan->psm;
1281 req.scid = cpu_to_le16(chan->scid);
1282 req.mtu = cpu_to_le16(chan->imtu);
1283 req.mps = cpu_to_le16(chan->mps);
1284 req.credits = cpu_to_le16(chan->rx_credits);
1285
1286 chan->ident = l2cap_get_ident(conn);
1287
1288 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1289 sizeof(req), &req);
1290 }
1291
1292 struct l2cap_ecred_conn_data {
1293 struct {
1294 struct l2cap_ecred_conn_req req;
1295 __le16 scid[5];
1296 } __packed pdu;
1297 struct l2cap_chan *chan;
1298 struct pid *pid;
1299 int count;
1300 };
1301
l2cap_ecred_defer_connect(struct l2cap_chan * chan,void * data)1302 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1303 {
1304 struct l2cap_ecred_conn_data *conn = data;
1305 struct pid *pid;
1306
1307 if (chan == conn->chan)
1308 return;
1309
1310 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1311 return;
1312
1313 pid = chan->ops->get_peer_pid(chan);
1314
1315 /* Only add deferred channels with the same PID/PSM */
1316 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1317 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1318 return;
1319
1320 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1321 return;
1322
1323 l2cap_ecred_init(chan, 0);
1324
1325 /* Set the same ident so we can match on the rsp */
1326 chan->ident = conn->chan->ident;
1327
1328 /* Include all channels deferred */
1329 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1330
1331 conn->count++;
1332 }
1333
l2cap_ecred_connect(struct l2cap_chan * chan)1334 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1335 {
1336 struct l2cap_conn *conn = chan->conn;
1337 struct l2cap_ecred_conn_data data;
1338
1339 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1340 return;
1341
1342 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1343 return;
1344
1345 l2cap_ecred_init(chan, 0);
1346
1347 memset(&data, 0, sizeof(data));
1348 data.pdu.req.psm = chan->psm;
1349 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1350 data.pdu.req.mps = cpu_to_le16(chan->mps);
1351 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1352 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1353
1354 chan->ident = l2cap_get_ident(conn);
1355
1356 data.count = 1;
1357 data.chan = chan;
1358 data.pid = chan->ops->get_peer_pid(chan);
1359
1360 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1361
1362 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1363 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1364 &data.pdu);
1365 }
1366
l2cap_le_start(struct l2cap_chan * chan)1367 static void l2cap_le_start(struct l2cap_chan *chan)
1368 {
1369 struct l2cap_conn *conn = chan->conn;
1370
1371 if (!smp_conn_security(conn->hcon, chan->sec_level))
1372 return;
1373
1374 if (!chan->psm) {
1375 l2cap_chan_ready(chan);
1376 return;
1377 }
1378
1379 if (chan->state == BT_CONNECT) {
1380 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1381 l2cap_ecred_connect(chan);
1382 else
1383 l2cap_le_connect(chan);
1384 }
1385 }
1386
l2cap_start_connection(struct l2cap_chan * chan)1387 static void l2cap_start_connection(struct l2cap_chan *chan)
1388 {
1389 if (chan->conn->hcon->type == LE_LINK) {
1390 l2cap_le_start(chan);
1391 } else {
1392 l2cap_send_conn_req(chan);
1393 }
1394 }
1395
l2cap_request_info(struct l2cap_conn * conn)1396 static void l2cap_request_info(struct l2cap_conn *conn)
1397 {
1398 struct l2cap_info_req req;
1399
1400 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1401 return;
1402
1403 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1404
1405 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1406 conn->info_ident = l2cap_get_ident(conn);
1407
1408 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1409
1410 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1411 sizeof(req), &req);
1412 }
1413
l2cap_check_enc_key_size(struct hci_conn * hcon,struct l2cap_chan * chan)1414 static bool l2cap_check_enc_key_size(struct hci_conn *hcon,
1415 struct l2cap_chan *chan)
1416 {
1417 /* The minimum encryption key size needs to be enforced by the
1418 * host stack before establishing any L2CAP connections. The
1419 * specification in theory allows a minimum of 1, but to align
1420 * BR/EDR and LE transports, a minimum of 7 is chosen.
1421 *
1422 * This check might also be called for unencrypted connections
1423 * that have no key size requirements. Ensure that the link is
1424 * actually encrypted before enforcing a key size.
1425 */
1426 int min_key_size = hcon->hdev->min_enc_key_size;
1427
1428 /* On FIPS security level, key size must be 16 bytes */
1429 if (chan->sec_level == BT_SECURITY_FIPS)
1430 min_key_size = 16;
1431
1432 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1433 hcon->enc_key_size >= min_key_size);
1434 }
1435
l2cap_do_start(struct l2cap_chan * chan)1436 static void l2cap_do_start(struct l2cap_chan *chan)
1437 {
1438 struct l2cap_conn *conn = chan->conn;
1439
1440 if (conn->hcon->type == LE_LINK) {
1441 l2cap_le_start(chan);
1442 return;
1443 }
1444
1445 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1446 l2cap_request_info(conn);
1447 return;
1448 }
1449
1450 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1451 return;
1452
1453 if (!l2cap_chan_check_security(chan, true) ||
1454 !__l2cap_no_conn_pending(chan))
1455 return;
1456
1457 if (l2cap_check_enc_key_size(conn->hcon, chan))
1458 l2cap_start_connection(chan);
1459 else
1460 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1461 }
1462
l2cap_mode_supported(__u8 mode,__u32 feat_mask)1463 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1464 {
1465 u32 local_feat_mask = l2cap_feat_mask;
1466 if (!disable_ertm)
1467 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1468
1469 switch (mode) {
1470 case L2CAP_MODE_ERTM:
1471 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1472 case L2CAP_MODE_STREAMING:
1473 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1474 default:
1475 return 0x00;
1476 }
1477 }
1478
l2cap_send_disconn_req(struct l2cap_chan * chan,int err)1479 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1480 {
1481 struct l2cap_conn *conn = chan->conn;
1482 struct l2cap_disconn_req req;
1483
1484 if (!conn)
1485 return;
1486
1487 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1488 __clear_retrans_timer(chan);
1489 __clear_monitor_timer(chan);
1490 __clear_ack_timer(chan);
1491 }
1492
1493 req.dcid = cpu_to_le16(chan->dcid);
1494 req.scid = cpu_to_le16(chan->scid);
1495 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1496 sizeof(req), &req);
1497
1498 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1499 }
1500
1501 /* ---- L2CAP connections ---- */
l2cap_conn_start(struct l2cap_conn * conn)1502 static void l2cap_conn_start(struct l2cap_conn *conn)
1503 {
1504 struct l2cap_chan *chan, *tmp;
1505
1506 BT_DBG("conn %p", conn);
1507
1508 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1509 l2cap_chan_lock(chan);
1510
1511 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1512 l2cap_chan_ready(chan);
1513 l2cap_chan_unlock(chan);
1514 continue;
1515 }
1516
1517 if (chan->state == BT_CONNECT) {
1518 if (!l2cap_chan_check_security(chan, true) ||
1519 !__l2cap_no_conn_pending(chan)) {
1520 l2cap_chan_unlock(chan);
1521 continue;
1522 }
1523
1524 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1525 && test_bit(CONF_STATE2_DEVICE,
1526 &chan->conf_state)) {
1527 l2cap_chan_close(chan, ECONNRESET);
1528 l2cap_chan_unlock(chan);
1529 continue;
1530 }
1531
1532 if (l2cap_check_enc_key_size(conn->hcon, chan))
1533 l2cap_start_connection(chan);
1534 else
1535 l2cap_chan_close(chan, ECONNREFUSED);
1536
1537 } else if (chan->state == BT_CONNECT2) {
1538 struct l2cap_conn_rsp rsp;
1539 char buf[128];
1540 rsp.scid = cpu_to_le16(chan->dcid);
1541 rsp.dcid = cpu_to_le16(chan->scid);
1542
1543 if (l2cap_chan_check_security(chan, false)) {
1544 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1545 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1546 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1547 chan->ops->defer(chan);
1548
1549 } else {
1550 l2cap_state_change(chan, BT_CONFIG);
1551 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1552 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1553 }
1554 } else {
1555 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1556 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1557 }
1558
1559 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1560 sizeof(rsp), &rsp);
1561
1562 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1563 rsp.result != L2CAP_CR_SUCCESS) {
1564 l2cap_chan_unlock(chan);
1565 continue;
1566 }
1567
1568 set_bit(CONF_REQ_SENT, &chan->conf_state);
1569 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1570 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1571 chan->num_conf_req++;
1572 }
1573
1574 l2cap_chan_unlock(chan);
1575 }
1576 }
1577
l2cap_le_conn_ready(struct l2cap_conn * conn)1578 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1579 {
1580 struct hci_conn *hcon = conn->hcon;
1581 struct hci_dev *hdev = hcon->hdev;
1582
1583 BT_DBG("%s conn %p", hdev->name, conn);
1584
1585 /* For outgoing pairing which doesn't necessarily have an
1586 * associated socket (e.g. mgmt_pair_device).
1587 */
1588 if (hcon->out)
1589 smp_conn_security(hcon, hcon->pending_sec_level);
1590
1591 /* For LE peripheral connections, make sure the connection interval
1592 * is in the range of the minimum and maximum interval that has
1593 * been configured for this connection. If not, then trigger
1594 * the connection update procedure.
1595 */
1596 if (hcon->role == HCI_ROLE_SLAVE &&
1597 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1598 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1599 struct l2cap_conn_param_update_req req;
1600
1601 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1602 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1603 req.latency = cpu_to_le16(hcon->le_conn_latency);
1604 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1605
1606 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1607 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1608 }
1609 }
1610
l2cap_conn_ready(struct l2cap_conn * conn)1611 static void l2cap_conn_ready(struct l2cap_conn *conn)
1612 {
1613 struct l2cap_chan *chan;
1614 struct hci_conn *hcon = conn->hcon;
1615
1616 BT_DBG("conn %p", conn);
1617
1618 if (hcon->type == ACL_LINK)
1619 l2cap_request_info(conn);
1620
1621 mutex_lock(&conn->lock);
1622
1623 list_for_each_entry(chan, &conn->chan_l, list) {
1624
1625 l2cap_chan_lock(chan);
1626
1627 if (hcon->type == LE_LINK) {
1628 l2cap_le_start(chan);
1629 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1630 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1631 l2cap_chan_ready(chan);
1632 } else if (chan->state == BT_CONNECT) {
1633 l2cap_do_start(chan);
1634 }
1635
1636 l2cap_chan_unlock(chan);
1637 }
1638
1639 mutex_unlock(&conn->lock);
1640
1641 if (hcon->type == LE_LINK)
1642 l2cap_le_conn_ready(conn);
1643
1644 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1645 }
1646
1647 /* Notify sockets that we cannot guaranty reliability anymore */
l2cap_conn_unreliable(struct l2cap_conn * conn,int err)1648 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1649 {
1650 struct l2cap_chan *chan;
1651
1652 BT_DBG("conn %p", conn);
1653
1654 list_for_each_entry(chan, &conn->chan_l, list) {
1655 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1656 l2cap_chan_set_err(chan, err);
1657 }
1658 }
1659
l2cap_info_timeout(struct work_struct * work)1660 static void l2cap_info_timeout(struct work_struct *work)
1661 {
1662 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1663 info_timer.work);
1664
1665 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1666 conn->info_ident = 0;
1667
1668 mutex_lock(&conn->lock);
1669 l2cap_conn_start(conn);
1670 mutex_unlock(&conn->lock);
1671 }
1672
1673 /*
1674 * l2cap_user
1675 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1676 * callback is called during registration. The ->remove callback is called
1677 * during unregistration.
1678 * An l2cap_user object can either be explicitly unregistered or when the
1679 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1680 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1681 * External modules must own a reference to the l2cap_conn object if they intend
1682 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1683 * any time if they don't.
1684 */
1685
l2cap_register_user(struct l2cap_conn * conn,struct l2cap_user * user)1686 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1687 {
1688 struct hci_dev *hdev = conn->hcon->hdev;
1689 int ret;
1690
1691 /* We need to check whether l2cap_conn is registered. If it is not, we
1692 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1693 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1694 * relies on the parent hci_conn object to be locked. This itself relies
1695 * on the hci_dev object to be locked. So we must lock the hci device
1696 * here, too. */
1697
1698 hci_dev_lock(hdev);
1699
1700 if (!list_empty(&user->list)) {
1701 ret = -EINVAL;
1702 goto out_unlock;
1703 }
1704
1705 /* conn->hchan is NULL after l2cap_conn_del() was called */
1706 if (!conn->hchan) {
1707 ret = -ENODEV;
1708 goto out_unlock;
1709 }
1710
1711 ret = user->probe(conn, user);
1712 if (ret)
1713 goto out_unlock;
1714
1715 list_add(&user->list, &conn->users);
1716 ret = 0;
1717
1718 out_unlock:
1719 hci_dev_unlock(hdev);
1720 return ret;
1721 }
1722 EXPORT_SYMBOL(l2cap_register_user);
1723
l2cap_unregister_user(struct l2cap_conn * conn,struct l2cap_user * user)1724 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1725 {
1726 struct hci_dev *hdev = conn->hcon->hdev;
1727
1728 hci_dev_lock(hdev);
1729
1730 if (list_empty(&user->list))
1731 goto out_unlock;
1732
1733 list_del_init(&user->list);
1734 user->remove(conn, user);
1735
1736 out_unlock:
1737 hci_dev_unlock(hdev);
1738 }
1739 EXPORT_SYMBOL(l2cap_unregister_user);
1740
l2cap_unregister_all_users(struct l2cap_conn * conn)1741 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1742 {
1743 struct l2cap_user *user;
1744
1745 while (!list_empty(&conn->users)) {
1746 user = list_first_entry(&conn->users, struct l2cap_user, list);
1747 list_del_init(&user->list);
1748 user->remove(conn, user);
1749 }
1750 }
1751
l2cap_conn_del(struct hci_conn * hcon,int err)1752 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1753 {
1754 struct l2cap_conn *conn = hcon->l2cap_data;
1755 struct l2cap_chan *chan, *l;
1756
1757 if (!conn)
1758 return;
1759
1760 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1761
1762 mutex_lock(&conn->lock);
1763
1764 kfree_skb(conn->rx_skb);
1765
1766 skb_queue_purge(&conn->pending_rx);
1767
1768 /* We can not call flush_work(&conn->pending_rx_work) here since we
1769 * might block if we are running on a worker from the same workqueue
1770 * pending_rx_work is waiting on.
1771 */
1772 if (work_pending(&conn->pending_rx_work))
1773 cancel_work_sync(&conn->pending_rx_work);
1774
1775 cancel_delayed_work_sync(&conn->id_addr_timer);
1776
1777 l2cap_unregister_all_users(conn);
1778
1779 /* Force the connection to be immediately dropped */
1780 hcon->disc_timeout = 0;
1781
1782 /* Kill channels */
1783 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1784 l2cap_chan_hold(chan);
1785 l2cap_chan_lock(chan);
1786
1787 l2cap_chan_del(chan, err);
1788
1789 chan->ops->close(chan);
1790
1791 l2cap_chan_unlock(chan);
1792 l2cap_chan_put(chan);
1793 }
1794
1795 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1796 cancel_delayed_work_sync(&conn->info_timer);
1797
1798 hci_chan_del(conn->hchan);
1799 conn->hchan = NULL;
1800
1801 hcon->l2cap_data = NULL;
1802 mutex_unlock(&conn->lock);
1803 l2cap_conn_put(conn);
1804 }
1805
l2cap_conn_free(struct kref * ref)1806 static void l2cap_conn_free(struct kref *ref)
1807 {
1808 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1809
1810 hci_conn_put(conn->hcon);
1811 kfree(conn);
1812 }
1813
l2cap_conn_get(struct l2cap_conn * conn)1814 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1815 {
1816 kref_get(&conn->ref);
1817 return conn;
1818 }
1819 EXPORT_SYMBOL(l2cap_conn_get);
1820
l2cap_conn_put(struct l2cap_conn * conn)1821 void l2cap_conn_put(struct l2cap_conn *conn)
1822 {
1823 kref_put(&conn->ref, l2cap_conn_free);
1824 }
1825 EXPORT_SYMBOL(l2cap_conn_put);
1826
1827 /* ---- Socket interface ---- */
1828
1829 /* Find socket with psm and source / destination bdaddr.
1830 * Returns closest match.
1831 */
l2cap_global_chan_by_psm(int state,__le16 psm,bdaddr_t * src,bdaddr_t * dst,u8 link_type)1832 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1833 bdaddr_t *src,
1834 bdaddr_t *dst,
1835 u8 link_type)
1836 {
1837 struct l2cap_chan *c, *tmp, *c1 = NULL;
1838
1839 read_lock(&chan_list_lock);
1840
1841 list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
1842 if (state && c->state != state)
1843 continue;
1844
1845 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1846 continue;
1847
1848 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1849 continue;
1850
1851 if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
1852 int src_match, dst_match;
1853 int src_any, dst_any;
1854
1855 /* Exact match. */
1856 src_match = !bacmp(&c->src, src);
1857 dst_match = !bacmp(&c->dst, dst);
1858 if (src_match && dst_match) {
1859 if (!l2cap_chan_hold_unless_zero(c))
1860 continue;
1861
1862 read_unlock(&chan_list_lock);
1863 return c;
1864 }
1865
1866 /* Closest match */
1867 src_any = !bacmp(&c->src, BDADDR_ANY);
1868 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1869 if ((src_match && dst_any) || (src_any && dst_match) ||
1870 (src_any && dst_any))
1871 c1 = c;
1872 }
1873 }
1874
1875 if (c1)
1876 c1 = l2cap_chan_hold_unless_zero(c1);
1877
1878 read_unlock(&chan_list_lock);
1879
1880 return c1;
1881 }
1882
l2cap_monitor_timeout(struct work_struct * work)1883 static void l2cap_monitor_timeout(struct work_struct *work)
1884 {
1885 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1886 monitor_timer.work);
1887
1888 BT_DBG("chan %p", chan);
1889
1890 l2cap_chan_lock(chan);
1891
1892 if (!chan->conn) {
1893 l2cap_chan_unlock(chan);
1894 l2cap_chan_put(chan);
1895 return;
1896 }
1897
1898 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1899
1900 l2cap_chan_unlock(chan);
1901 l2cap_chan_put(chan);
1902 }
1903
l2cap_retrans_timeout(struct work_struct * work)1904 static void l2cap_retrans_timeout(struct work_struct *work)
1905 {
1906 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1907 retrans_timer.work);
1908
1909 BT_DBG("chan %p", chan);
1910
1911 l2cap_chan_lock(chan);
1912
1913 if (!chan->conn) {
1914 l2cap_chan_unlock(chan);
1915 l2cap_chan_put(chan);
1916 return;
1917 }
1918
1919 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1920 l2cap_chan_unlock(chan);
1921 l2cap_chan_put(chan);
1922 }
1923
l2cap_streaming_send(struct l2cap_chan * chan,struct sk_buff_head * skbs)1924 static void l2cap_streaming_send(struct l2cap_chan *chan,
1925 struct sk_buff_head *skbs)
1926 {
1927 struct sk_buff *skb;
1928 struct l2cap_ctrl *control;
1929
1930 BT_DBG("chan %p, skbs %p", chan, skbs);
1931
1932 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1933
1934 while (!skb_queue_empty(&chan->tx_q)) {
1935
1936 skb = skb_dequeue(&chan->tx_q);
1937
1938 bt_cb(skb)->l2cap.retries = 1;
1939 control = &bt_cb(skb)->l2cap;
1940
1941 control->reqseq = 0;
1942 control->txseq = chan->next_tx_seq;
1943
1944 __pack_control(chan, control, skb);
1945
1946 if (chan->fcs == L2CAP_FCS_CRC16) {
1947 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1948 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1949 }
1950
1951 l2cap_do_send(chan, skb);
1952
1953 BT_DBG("Sent txseq %u", control->txseq);
1954
1955 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1956 chan->frames_sent++;
1957 }
1958 }
1959
l2cap_ertm_send(struct l2cap_chan * chan)1960 static int l2cap_ertm_send(struct l2cap_chan *chan)
1961 {
1962 struct sk_buff *skb, *tx_skb;
1963 struct l2cap_ctrl *control;
1964 int sent = 0;
1965
1966 BT_DBG("chan %p", chan);
1967
1968 if (chan->state != BT_CONNECTED)
1969 return -ENOTCONN;
1970
1971 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1972 return 0;
1973
1974 while (chan->tx_send_head &&
1975 chan->unacked_frames < chan->remote_tx_win &&
1976 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1977
1978 skb = chan->tx_send_head;
1979
1980 bt_cb(skb)->l2cap.retries = 1;
1981 control = &bt_cb(skb)->l2cap;
1982
1983 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1984 control->final = 1;
1985
1986 control->reqseq = chan->buffer_seq;
1987 chan->last_acked_seq = chan->buffer_seq;
1988 control->txseq = chan->next_tx_seq;
1989
1990 __pack_control(chan, control, skb);
1991
1992 if (chan->fcs == L2CAP_FCS_CRC16) {
1993 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1994 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1995 }
1996
1997 /* Clone after data has been modified. Data is assumed to be
1998 read-only (for locking purposes) on cloned sk_buffs.
1999 */
2000 tx_skb = skb_clone(skb, GFP_KERNEL);
2001
2002 if (!tx_skb)
2003 break;
2004
2005 __set_retrans_timer(chan);
2006
2007 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2008 chan->unacked_frames++;
2009 chan->frames_sent++;
2010 sent++;
2011
2012 if (skb_queue_is_last(&chan->tx_q, skb))
2013 chan->tx_send_head = NULL;
2014 else
2015 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2016
2017 l2cap_do_send(chan, tx_skb);
2018 BT_DBG("Sent txseq %u", control->txseq);
2019 }
2020
2021 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2022 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2023
2024 return sent;
2025 }
2026
l2cap_ertm_resend(struct l2cap_chan * chan)2027 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2028 {
2029 struct l2cap_ctrl control;
2030 struct sk_buff *skb;
2031 struct sk_buff *tx_skb;
2032 u16 seq;
2033
2034 BT_DBG("chan %p", chan);
2035
2036 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2037 return;
2038
2039 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2040 seq = l2cap_seq_list_pop(&chan->retrans_list);
2041
2042 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2043 if (!skb) {
2044 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2045 seq);
2046 continue;
2047 }
2048
2049 bt_cb(skb)->l2cap.retries++;
2050 control = bt_cb(skb)->l2cap;
2051
2052 if (chan->max_tx != 0 &&
2053 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2054 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2055 l2cap_send_disconn_req(chan, ECONNRESET);
2056 l2cap_seq_list_clear(&chan->retrans_list);
2057 break;
2058 }
2059
2060 control.reqseq = chan->buffer_seq;
2061 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2062 control.final = 1;
2063 else
2064 control.final = 0;
2065
2066 if (skb_cloned(skb)) {
2067 /* Cloned sk_buffs are read-only, so we need a
2068 * writeable copy
2069 */
2070 tx_skb = skb_copy(skb, GFP_KERNEL);
2071 } else {
2072 tx_skb = skb_clone(skb, GFP_KERNEL);
2073 }
2074
2075 if (!tx_skb) {
2076 l2cap_seq_list_clear(&chan->retrans_list);
2077 break;
2078 }
2079
2080 /* Update skb contents */
2081 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2082 put_unaligned_le32(__pack_extended_control(&control),
2083 tx_skb->data + L2CAP_HDR_SIZE);
2084 } else {
2085 put_unaligned_le16(__pack_enhanced_control(&control),
2086 tx_skb->data + L2CAP_HDR_SIZE);
2087 }
2088
2089 /* Update FCS */
2090 if (chan->fcs == L2CAP_FCS_CRC16) {
2091 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2092 tx_skb->len - L2CAP_FCS_SIZE);
2093 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2094 L2CAP_FCS_SIZE);
2095 }
2096
2097 l2cap_do_send(chan, tx_skb);
2098
2099 BT_DBG("Resent txseq %d", control.txseq);
2100
2101 chan->last_acked_seq = chan->buffer_seq;
2102 }
2103 }
2104
l2cap_retransmit(struct l2cap_chan * chan,struct l2cap_ctrl * control)2105 static void l2cap_retransmit(struct l2cap_chan *chan,
2106 struct l2cap_ctrl *control)
2107 {
2108 BT_DBG("chan %p, control %p", chan, control);
2109
2110 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2111 l2cap_ertm_resend(chan);
2112 }
2113
l2cap_retransmit_all(struct l2cap_chan * chan,struct l2cap_ctrl * control)2114 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2115 struct l2cap_ctrl *control)
2116 {
2117 struct sk_buff *skb;
2118
2119 BT_DBG("chan %p, control %p", chan, control);
2120
2121 if (control->poll)
2122 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2123
2124 l2cap_seq_list_clear(&chan->retrans_list);
2125
2126 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2127 return;
2128
2129 if (chan->unacked_frames) {
2130 skb_queue_walk(&chan->tx_q, skb) {
2131 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2132 skb == chan->tx_send_head)
2133 break;
2134 }
2135
2136 skb_queue_walk_from(&chan->tx_q, skb) {
2137 if (skb == chan->tx_send_head)
2138 break;
2139
2140 l2cap_seq_list_append(&chan->retrans_list,
2141 bt_cb(skb)->l2cap.txseq);
2142 }
2143
2144 l2cap_ertm_resend(chan);
2145 }
2146 }
2147
l2cap_send_ack(struct l2cap_chan * chan)2148 static void l2cap_send_ack(struct l2cap_chan *chan)
2149 {
2150 struct l2cap_ctrl control;
2151 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2152 chan->last_acked_seq);
2153 int threshold;
2154
2155 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2156 chan, chan->last_acked_seq, chan->buffer_seq);
2157
2158 memset(&control, 0, sizeof(control));
2159 control.sframe = 1;
2160
2161 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2162 chan->rx_state == L2CAP_RX_STATE_RECV) {
2163 __clear_ack_timer(chan);
2164 control.super = L2CAP_SUPER_RNR;
2165 control.reqseq = chan->buffer_seq;
2166 l2cap_send_sframe(chan, &control);
2167 } else {
2168 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2169 l2cap_ertm_send(chan);
2170 /* If any i-frames were sent, they included an ack */
2171 if (chan->buffer_seq == chan->last_acked_seq)
2172 frames_to_ack = 0;
2173 }
2174
2175 /* Ack now if the window is 3/4ths full.
2176 * Calculate without mul or div
2177 */
2178 threshold = chan->ack_win;
2179 threshold += threshold << 1;
2180 threshold >>= 2;
2181
2182 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2183 threshold);
2184
2185 if (frames_to_ack >= threshold) {
2186 __clear_ack_timer(chan);
2187 control.super = L2CAP_SUPER_RR;
2188 control.reqseq = chan->buffer_seq;
2189 l2cap_send_sframe(chan, &control);
2190 frames_to_ack = 0;
2191 }
2192
2193 if (frames_to_ack)
2194 __set_ack_timer(chan);
2195 }
2196 }
2197
l2cap_skbuff_fromiovec(struct l2cap_chan * chan,struct msghdr * msg,int len,int count,struct sk_buff * skb)2198 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2199 struct msghdr *msg, int len,
2200 int count, struct sk_buff *skb)
2201 {
2202 struct l2cap_conn *conn = chan->conn;
2203 struct sk_buff **frag;
2204 int sent = 0;
2205
2206 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2207 return -EFAULT;
2208
2209 sent += count;
2210 len -= count;
2211
2212 /* Continuation fragments (no L2CAP header) */
2213 frag = &skb_shinfo(skb)->frag_list;
2214 while (len) {
2215 struct sk_buff *tmp;
2216
2217 count = min_t(unsigned int, conn->mtu, len);
2218
2219 tmp = chan->ops->alloc_skb(chan, 0, count,
2220 msg->msg_flags & MSG_DONTWAIT);
2221 if (IS_ERR(tmp))
2222 return PTR_ERR(tmp);
2223
2224 *frag = tmp;
2225
2226 if (!copy_from_iter_full(skb_put(*frag, count), count,
2227 &msg->msg_iter))
2228 return -EFAULT;
2229
2230 sent += count;
2231 len -= count;
2232
2233 skb->len += (*frag)->len;
2234 skb->data_len += (*frag)->len;
2235
2236 frag = &(*frag)->next;
2237 }
2238
2239 return sent;
2240 }
2241
l2cap_create_connless_pdu(struct l2cap_chan * chan,struct msghdr * msg,size_t len)2242 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2243 struct msghdr *msg, size_t len)
2244 {
2245 struct l2cap_conn *conn = chan->conn;
2246 struct sk_buff *skb;
2247 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2248 struct l2cap_hdr *lh;
2249
2250 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2251 __le16_to_cpu(chan->psm), len);
2252
2253 count = min_t(unsigned int, (conn->mtu - hlen), len);
2254
2255 skb = chan->ops->alloc_skb(chan, hlen, count,
2256 msg->msg_flags & MSG_DONTWAIT);
2257 if (IS_ERR(skb))
2258 return skb;
2259
2260 /* Create L2CAP header */
2261 lh = skb_put(skb, L2CAP_HDR_SIZE);
2262 lh->cid = cpu_to_le16(chan->dcid);
2263 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2264 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2265
2266 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2267 if (unlikely(err < 0)) {
2268 kfree_skb(skb);
2269 return ERR_PTR(err);
2270 }
2271 return skb;
2272 }
2273
l2cap_create_basic_pdu(struct l2cap_chan * chan,struct msghdr * msg,size_t len)2274 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2275 struct msghdr *msg, size_t len)
2276 {
2277 struct l2cap_conn *conn = chan->conn;
2278 struct sk_buff *skb;
2279 int err, count;
2280 struct l2cap_hdr *lh;
2281
2282 BT_DBG("chan %p len %zu", chan, len);
2283
2284 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2285
2286 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2287 msg->msg_flags & MSG_DONTWAIT);
2288 if (IS_ERR(skb))
2289 return skb;
2290
2291 /* Create L2CAP header */
2292 lh = skb_put(skb, L2CAP_HDR_SIZE);
2293 lh->cid = cpu_to_le16(chan->dcid);
2294 lh->len = cpu_to_le16(len);
2295
2296 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2297 if (unlikely(err < 0)) {
2298 kfree_skb(skb);
2299 return ERR_PTR(err);
2300 }
2301 return skb;
2302 }
2303
l2cap_create_iframe_pdu(struct l2cap_chan * chan,struct msghdr * msg,size_t len,u16 sdulen)2304 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2305 struct msghdr *msg, size_t len,
2306 u16 sdulen)
2307 {
2308 struct l2cap_conn *conn = chan->conn;
2309 struct sk_buff *skb;
2310 int err, count, hlen;
2311 struct l2cap_hdr *lh;
2312
2313 BT_DBG("chan %p len %zu", chan, len);
2314
2315 if (!conn)
2316 return ERR_PTR(-ENOTCONN);
2317
2318 hlen = __ertm_hdr_size(chan);
2319
2320 if (sdulen)
2321 hlen += L2CAP_SDULEN_SIZE;
2322
2323 if (chan->fcs == L2CAP_FCS_CRC16)
2324 hlen += L2CAP_FCS_SIZE;
2325
2326 count = min_t(unsigned int, (conn->mtu - hlen), len);
2327
2328 skb = chan->ops->alloc_skb(chan, hlen, count,
2329 msg->msg_flags & MSG_DONTWAIT);
2330 if (IS_ERR(skb))
2331 return skb;
2332
2333 /* Create L2CAP header */
2334 lh = skb_put(skb, L2CAP_HDR_SIZE);
2335 lh->cid = cpu_to_le16(chan->dcid);
2336 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2337
2338 /* Control header is populated later */
2339 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2340 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2341 else
2342 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2343
2344 if (sdulen)
2345 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2346
2347 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2348 if (unlikely(err < 0)) {
2349 kfree_skb(skb);
2350 return ERR_PTR(err);
2351 }
2352
2353 bt_cb(skb)->l2cap.fcs = chan->fcs;
2354 bt_cb(skb)->l2cap.retries = 0;
2355 return skb;
2356 }
2357
l2cap_segment_sdu(struct l2cap_chan * chan,struct sk_buff_head * seg_queue,struct msghdr * msg,size_t len)2358 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2359 struct sk_buff_head *seg_queue,
2360 struct msghdr *msg, size_t len)
2361 {
2362 struct sk_buff *skb;
2363 u16 sdu_len;
2364 size_t pdu_len;
2365 u8 sar;
2366
2367 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2368
2369 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2370 * so fragmented skbs are not used. The HCI layer's handling
2371 * of fragmented skbs is not compatible with ERTM's queueing.
2372 */
2373
2374 /* PDU size is derived from the HCI MTU */
2375 pdu_len = chan->conn->mtu;
2376
2377 /* Constrain PDU size for BR/EDR connections */
2378 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2379
2380 /* Adjust for largest possible L2CAP overhead. */
2381 if (chan->fcs)
2382 pdu_len -= L2CAP_FCS_SIZE;
2383
2384 pdu_len -= __ertm_hdr_size(chan);
2385
2386 /* Remote device may have requested smaller PDUs */
2387 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2388
2389 if (len <= pdu_len) {
2390 sar = L2CAP_SAR_UNSEGMENTED;
2391 sdu_len = 0;
2392 pdu_len = len;
2393 } else {
2394 sar = L2CAP_SAR_START;
2395 sdu_len = len;
2396 }
2397
2398 while (len > 0) {
2399 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2400
2401 if (IS_ERR(skb)) {
2402 __skb_queue_purge(seg_queue);
2403 return PTR_ERR(skb);
2404 }
2405
2406 bt_cb(skb)->l2cap.sar = sar;
2407 __skb_queue_tail(seg_queue, skb);
2408
2409 len -= pdu_len;
2410 if (sdu_len)
2411 sdu_len = 0;
2412
2413 if (len <= pdu_len) {
2414 sar = L2CAP_SAR_END;
2415 pdu_len = len;
2416 } else {
2417 sar = L2CAP_SAR_CONTINUE;
2418 }
2419 }
2420
2421 return 0;
2422 }
2423
l2cap_create_le_flowctl_pdu(struct l2cap_chan * chan,struct msghdr * msg,size_t len,u16 sdulen)2424 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2425 struct msghdr *msg,
2426 size_t len, u16 sdulen)
2427 {
2428 struct l2cap_conn *conn = chan->conn;
2429 struct sk_buff *skb;
2430 int err, count, hlen;
2431 struct l2cap_hdr *lh;
2432
2433 BT_DBG("chan %p len %zu", chan, len);
2434
2435 if (!conn)
2436 return ERR_PTR(-ENOTCONN);
2437
2438 hlen = L2CAP_HDR_SIZE;
2439
2440 if (sdulen)
2441 hlen += L2CAP_SDULEN_SIZE;
2442
2443 count = min_t(unsigned int, (conn->mtu - hlen), len);
2444
2445 skb = chan->ops->alloc_skb(chan, hlen, count,
2446 msg->msg_flags & MSG_DONTWAIT);
2447 if (IS_ERR(skb))
2448 return skb;
2449
2450 /* Create L2CAP header */
2451 lh = skb_put(skb, L2CAP_HDR_SIZE);
2452 lh->cid = cpu_to_le16(chan->dcid);
2453 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2454
2455 if (sdulen)
2456 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2457
2458 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2459 if (unlikely(err < 0)) {
2460 kfree_skb(skb);
2461 return ERR_PTR(err);
2462 }
2463
2464 return skb;
2465 }
2466
l2cap_segment_le_sdu(struct l2cap_chan * chan,struct sk_buff_head * seg_queue,struct msghdr * msg,size_t len)2467 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2468 struct sk_buff_head *seg_queue,
2469 struct msghdr *msg, size_t len)
2470 {
2471 struct sk_buff *skb;
2472 size_t pdu_len;
2473 u16 sdu_len;
2474
2475 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2476
2477 sdu_len = len;
2478 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2479
2480 while (len > 0) {
2481 if (len <= pdu_len)
2482 pdu_len = len;
2483
2484 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2485 if (IS_ERR(skb)) {
2486 __skb_queue_purge(seg_queue);
2487 return PTR_ERR(skb);
2488 }
2489
2490 __skb_queue_tail(seg_queue, skb);
2491
2492 len -= pdu_len;
2493
2494 if (sdu_len) {
2495 sdu_len = 0;
2496 pdu_len += L2CAP_SDULEN_SIZE;
2497 }
2498 }
2499
2500 return 0;
2501 }
2502
l2cap_le_flowctl_send(struct l2cap_chan * chan)2503 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2504 {
2505 int sent = 0;
2506
2507 BT_DBG("chan %p", chan);
2508
2509 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2510 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2511 chan->tx_credits--;
2512 sent++;
2513 }
2514
2515 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2516 skb_queue_len(&chan->tx_q));
2517 }
2518
l2cap_chan_send(struct l2cap_chan * chan,struct msghdr * msg,size_t len)2519 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2520 {
2521 struct sk_buff *skb;
2522 int err;
2523 struct sk_buff_head seg_queue;
2524
2525 if (!chan->conn)
2526 return -ENOTCONN;
2527
2528 /* Connectionless channel */
2529 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2530 skb = l2cap_create_connless_pdu(chan, msg, len);
2531 if (IS_ERR(skb))
2532 return PTR_ERR(skb);
2533
2534 l2cap_do_send(chan, skb);
2535 return len;
2536 }
2537
2538 switch (chan->mode) {
2539 case L2CAP_MODE_LE_FLOWCTL:
2540 case L2CAP_MODE_EXT_FLOWCTL:
2541 /* Check outgoing MTU */
2542 if (len > chan->omtu)
2543 return -EMSGSIZE;
2544
2545 __skb_queue_head_init(&seg_queue);
2546
2547 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2548
2549 if (chan->state != BT_CONNECTED) {
2550 __skb_queue_purge(&seg_queue);
2551 err = -ENOTCONN;
2552 }
2553
2554 if (err)
2555 return err;
2556
2557 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2558
2559 l2cap_le_flowctl_send(chan);
2560
2561 if (!chan->tx_credits)
2562 chan->ops->suspend(chan);
2563
2564 err = len;
2565
2566 break;
2567
2568 case L2CAP_MODE_BASIC:
2569 /* Check outgoing MTU */
2570 if (len > chan->omtu)
2571 return -EMSGSIZE;
2572
2573 /* Create a basic PDU */
2574 skb = l2cap_create_basic_pdu(chan, msg, len);
2575 if (IS_ERR(skb))
2576 return PTR_ERR(skb);
2577
2578 l2cap_do_send(chan, skb);
2579 err = len;
2580 break;
2581
2582 case L2CAP_MODE_ERTM:
2583 case L2CAP_MODE_STREAMING:
2584 /* Check outgoing MTU */
2585 if (len > chan->omtu) {
2586 err = -EMSGSIZE;
2587 break;
2588 }
2589
2590 __skb_queue_head_init(&seg_queue);
2591
2592 /* Do segmentation before calling in to the state machine,
2593 * since it's possible to block while waiting for memory
2594 * allocation.
2595 */
2596 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2597
2598 if (err)
2599 break;
2600
2601 if (chan->mode == L2CAP_MODE_ERTM)
2602 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2603 else
2604 l2cap_streaming_send(chan, &seg_queue);
2605
2606 err = len;
2607
2608 /* If the skbs were not queued for sending, they'll still be in
2609 * seg_queue and need to be purged.
2610 */
2611 __skb_queue_purge(&seg_queue);
2612 break;
2613
2614 default:
2615 BT_DBG("bad state %1.1x", chan->mode);
2616 err = -EBADFD;
2617 }
2618
2619 return err;
2620 }
2621 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2622
l2cap_send_srej(struct l2cap_chan * chan,u16 txseq)2623 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2624 {
2625 struct l2cap_ctrl control;
2626 u16 seq;
2627
2628 BT_DBG("chan %p, txseq %u", chan, txseq);
2629
2630 memset(&control, 0, sizeof(control));
2631 control.sframe = 1;
2632 control.super = L2CAP_SUPER_SREJ;
2633
2634 for (seq = chan->expected_tx_seq; seq != txseq;
2635 seq = __next_seq(chan, seq)) {
2636 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2637 control.reqseq = seq;
2638 l2cap_send_sframe(chan, &control);
2639 l2cap_seq_list_append(&chan->srej_list, seq);
2640 }
2641 }
2642
2643 chan->expected_tx_seq = __next_seq(chan, txseq);
2644 }
2645
l2cap_send_srej_tail(struct l2cap_chan * chan)2646 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2647 {
2648 struct l2cap_ctrl control;
2649
2650 BT_DBG("chan %p", chan);
2651
2652 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2653 return;
2654
2655 memset(&control, 0, sizeof(control));
2656 control.sframe = 1;
2657 control.super = L2CAP_SUPER_SREJ;
2658 control.reqseq = chan->srej_list.tail;
2659 l2cap_send_sframe(chan, &control);
2660 }
2661
l2cap_send_srej_list(struct l2cap_chan * chan,u16 txseq)2662 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2663 {
2664 struct l2cap_ctrl control;
2665 u16 initial_head;
2666 u16 seq;
2667
2668 BT_DBG("chan %p, txseq %u", chan, txseq);
2669
2670 memset(&control, 0, sizeof(control));
2671 control.sframe = 1;
2672 control.super = L2CAP_SUPER_SREJ;
2673
2674 /* Capture initial list head to allow only one pass through the list. */
2675 initial_head = chan->srej_list.head;
2676
2677 do {
2678 seq = l2cap_seq_list_pop(&chan->srej_list);
2679 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2680 break;
2681
2682 control.reqseq = seq;
2683 l2cap_send_sframe(chan, &control);
2684 l2cap_seq_list_append(&chan->srej_list, seq);
2685 } while (chan->srej_list.head != initial_head);
2686 }
2687
l2cap_process_reqseq(struct l2cap_chan * chan,u16 reqseq)2688 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2689 {
2690 struct sk_buff *acked_skb;
2691 u16 ackseq;
2692
2693 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2694
2695 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2696 return;
2697
2698 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2699 chan->expected_ack_seq, chan->unacked_frames);
2700
2701 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2702 ackseq = __next_seq(chan, ackseq)) {
2703
2704 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2705 if (acked_skb) {
2706 skb_unlink(acked_skb, &chan->tx_q);
2707 kfree_skb(acked_skb);
2708 chan->unacked_frames--;
2709 }
2710 }
2711
2712 chan->expected_ack_seq = reqseq;
2713
2714 if (chan->unacked_frames == 0)
2715 __clear_retrans_timer(chan);
2716
2717 BT_DBG("unacked_frames %u", chan->unacked_frames);
2718 }
2719
l2cap_abort_rx_srej_sent(struct l2cap_chan * chan)2720 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2721 {
2722 BT_DBG("chan %p", chan);
2723
2724 chan->expected_tx_seq = chan->buffer_seq;
2725 l2cap_seq_list_clear(&chan->srej_list);
2726 skb_queue_purge(&chan->srej_q);
2727 chan->rx_state = L2CAP_RX_STATE_RECV;
2728 }
2729
l2cap_tx_state_xmit(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff_head * skbs,u8 event)2730 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2731 struct l2cap_ctrl *control,
2732 struct sk_buff_head *skbs, u8 event)
2733 {
2734 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2735 event);
2736
2737 switch (event) {
2738 case L2CAP_EV_DATA_REQUEST:
2739 if (chan->tx_send_head == NULL)
2740 chan->tx_send_head = skb_peek(skbs);
2741
2742 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2743 l2cap_ertm_send(chan);
2744 break;
2745 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2746 BT_DBG("Enter LOCAL_BUSY");
2747 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2748
2749 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2750 /* The SREJ_SENT state must be aborted if we are to
2751 * enter the LOCAL_BUSY state.
2752 */
2753 l2cap_abort_rx_srej_sent(chan);
2754 }
2755
2756 l2cap_send_ack(chan);
2757
2758 break;
2759 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2760 BT_DBG("Exit LOCAL_BUSY");
2761 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2762
2763 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2764 struct l2cap_ctrl local_control;
2765
2766 memset(&local_control, 0, sizeof(local_control));
2767 local_control.sframe = 1;
2768 local_control.super = L2CAP_SUPER_RR;
2769 local_control.poll = 1;
2770 local_control.reqseq = chan->buffer_seq;
2771 l2cap_send_sframe(chan, &local_control);
2772
2773 chan->retry_count = 1;
2774 __set_monitor_timer(chan);
2775 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2776 }
2777 break;
2778 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2779 l2cap_process_reqseq(chan, control->reqseq);
2780 break;
2781 case L2CAP_EV_EXPLICIT_POLL:
2782 l2cap_send_rr_or_rnr(chan, 1);
2783 chan->retry_count = 1;
2784 __set_monitor_timer(chan);
2785 __clear_ack_timer(chan);
2786 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2787 break;
2788 case L2CAP_EV_RETRANS_TO:
2789 l2cap_send_rr_or_rnr(chan, 1);
2790 chan->retry_count = 1;
2791 __set_monitor_timer(chan);
2792 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2793 break;
2794 case L2CAP_EV_RECV_FBIT:
2795 /* Nothing to process */
2796 break;
2797 default:
2798 break;
2799 }
2800 }
2801
l2cap_tx_state_wait_f(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff_head * skbs,u8 event)2802 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2803 struct l2cap_ctrl *control,
2804 struct sk_buff_head *skbs, u8 event)
2805 {
2806 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2807 event);
2808
2809 switch (event) {
2810 case L2CAP_EV_DATA_REQUEST:
2811 if (chan->tx_send_head == NULL)
2812 chan->tx_send_head = skb_peek(skbs);
2813 /* Queue data, but don't send. */
2814 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2815 break;
2816 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2817 BT_DBG("Enter LOCAL_BUSY");
2818 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2819
2820 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2821 /* The SREJ_SENT state must be aborted if we are to
2822 * enter the LOCAL_BUSY state.
2823 */
2824 l2cap_abort_rx_srej_sent(chan);
2825 }
2826
2827 l2cap_send_ack(chan);
2828
2829 break;
2830 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2831 BT_DBG("Exit LOCAL_BUSY");
2832 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2833
2834 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2835 struct l2cap_ctrl local_control;
2836 memset(&local_control, 0, sizeof(local_control));
2837 local_control.sframe = 1;
2838 local_control.super = L2CAP_SUPER_RR;
2839 local_control.poll = 1;
2840 local_control.reqseq = chan->buffer_seq;
2841 l2cap_send_sframe(chan, &local_control);
2842
2843 chan->retry_count = 1;
2844 __set_monitor_timer(chan);
2845 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2846 }
2847 break;
2848 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2849 l2cap_process_reqseq(chan, control->reqseq);
2850 fallthrough;
2851
2852 case L2CAP_EV_RECV_FBIT:
2853 if (control && control->final) {
2854 __clear_monitor_timer(chan);
2855 if (chan->unacked_frames > 0)
2856 __set_retrans_timer(chan);
2857 chan->retry_count = 0;
2858 chan->tx_state = L2CAP_TX_STATE_XMIT;
2859 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2860 }
2861 break;
2862 case L2CAP_EV_EXPLICIT_POLL:
2863 /* Ignore */
2864 break;
2865 case L2CAP_EV_MONITOR_TO:
2866 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2867 l2cap_send_rr_or_rnr(chan, 1);
2868 __set_monitor_timer(chan);
2869 chan->retry_count++;
2870 } else {
2871 l2cap_send_disconn_req(chan, ECONNABORTED);
2872 }
2873 break;
2874 default:
2875 break;
2876 }
2877 }
2878
l2cap_tx(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff_head * skbs,u8 event)2879 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2880 struct sk_buff_head *skbs, u8 event)
2881 {
2882 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2883 chan, control, skbs, event, chan->tx_state);
2884
2885 switch (chan->tx_state) {
2886 case L2CAP_TX_STATE_XMIT:
2887 l2cap_tx_state_xmit(chan, control, skbs, event);
2888 break;
2889 case L2CAP_TX_STATE_WAIT_F:
2890 l2cap_tx_state_wait_f(chan, control, skbs, event);
2891 break;
2892 default:
2893 /* Ignore event */
2894 break;
2895 }
2896 }
2897
l2cap_pass_to_tx(struct l2cap_chan * chan,struct l2cap_ctrl * control)2898 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2899 struct l2cap_ctrl *control)
2900 {
2901 BT_DBG("chan %p, control %p", chan, control);
2902 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2903 }
2904
l2cap_pass_to_tx_fbit(struct l2cap_chan * chan,struct l2cap_ctrl * control)2905 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2906 struct l2cap_ctrl *control)
2907 {
2908 BT_DBG("chan %p, control %p", chan, control);
2909 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2910 }
2911
2912 /* Copy frame to all raw sockets on that connection */
l2cap_raw_recv(struct l2cap_conn * conn,struct sk_buff * skb)2913 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2914 {
2915 struct sk_buff *nskb;
2916 struct l2cap_chan *chan;
2917
2918 BT_DBG("conn %p", conn);
2919
2920 list_for_each_entry(chan, &conn->chan_l, list) {
2921 if (chan->chan_type != L2CAP_CHAN_RAW)
2922 continue;
2923
2924 /* Don't send frame to the channel it came from */
2925 if (bt_cb(skb)->l2cap.chan == chan)
2926 continue;
2927
2928 nskb = skb_clone(skb, GFP_KERNEL);
2929 if (!nskb)
2930 continue;
2931 if (chan->ops->recv(chan, nskb))
2932 kfree_skb(nskb);
2933 }
2934 }
2935
2936 /* ---- L2CAP signalling commands ---- */
l2cap_build_cmd(struct l2cap_conn * conn,u8 code,u8 ident,u16 dlen,void * data)2937 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2938 u8 ident, u16 dlen, void *data)
2939 {
2940 struct sk_buff *skb, **frag;
2941 struct l2cap_cmd_hdr *cmd;
2942 struct l2cap_hdr *lh;
2943 int len, count;
2944
2945 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2946 conn, code, ident, dlen);
2947
2948 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2949 return NULL;
2950
2951 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2952 count = min_t(unsigned int, conn->mtu, len);
2953
2954 skb = bt_skb_alloc(count, GFP_KERNEL);
2955 if (!skb)
2956 return NULL;
2957
2958 lh = skb_put(skb, L2CAP_HDR_SIZE);
2959 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2960
2961 if (conn->hcon->type == LE_LINK)
2962 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2963 else
2964 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2965
2966 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2967 cmd->code = code;
2968 cmd->ident = ident;
2969 cmd->len = cpu_to_le16(dlen);
2970
2971 if (dlen) {
2972 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2973 skb_put_data(skb, data, count);
2974 data += count;
2975 }
2976
2977 len -= skb->len;
2978
2979 /* Continuation fragments (no L2CAP header) */
2980 frag = &skb_shinfo(skb)->frag_list;
2981 while (len) {
2982 count = min_t(unsigned int, conn->mtu, len);
2983
2984 *frag = bt_skb_alloc(count, GFP_KERNEL);
2985 if (!*frag)
2986 goto fail;
2987
2988 skb_put_data(*frag, data, count);
2989
2990 len -= count;
2991 data += count;
2992
2993 frag = &(*frag)->next;
2994 }
2995
2996 return skb;
2997
2998 fail:
2999 kfree_skb(skb);
3000 return NULL;
3001 }
3002
l2cap_get_conf_opt(void ** ptr,int * type,int * olen,unsigned long * val)3003 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3004 unsigned long *val)
3005 {
3006 struct l2cap_conf_opt *opt = *ptr;
3007 int len;
3008
3009 len = L2CAP_CONF_OPT_SIZE + opt->len;
3010 *ptr += len;
3011
3012 *type = opt->type;
3013 *olen = opt->len;
3014
3015 switch (opt->len) {
3016 case 1:
3017 *val = *((u8 *) opt->val);
3018 break;
3019
3020 case 2:
3021 *val = get_unaligned_le16(opt->val);
3022 break;
3023
3024 case 4:
3025 *val = get_unaligned_le32(opt->val);
3026 break;
3027
3028 default:
3029 *val = (unsigned long) opt->val;
3030 break;
3031 }
3032
3033 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3034 return len;
3035 }
3036
l2cap_add_conf_opt(void ** ptr,u8 type,u8 len,unsigned long val,size_t size)3037 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3038 {
3039 struct l2cap_conf_opt *opt = *ptr;
3040
3041 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3042
3043 if (size < L2CAP_CONF_OPT_SIZE + len)
3044 return;
3045
3046 opt->type = type;
3047 opt->len = len;
3048
3049 switch (len) {
3050 case 1:
3051 *((u8 *) opt->val) = val;
3052 break;
3053
3054 case 2:
3055 put_unaligned_le16(val, opt->val);
3056 break;
3057
3058 case 4:
3059 put_unaligned_le32(val, opt->val);
3060 break;
3061
3062 default:
3063 memcpy(opt->val, (void *) val, len);
3064 break;
3065 }
3066
3067 *ptr += L2CAP_CONF_OPT_SIZE + len;
3068 }
3069
l2cap_add_opt_efs(void ** ptr,struct l2cap_chan * chan,size_t size)3070 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3071 {
3072 struct l2cap_conf_efs efs;
3073
3074 switch (chan->mode) {
3075 case L2CAP_MODE_ERTM:
3076 efs.id = chan->local_id;
3077 efs.stype = chan->local_stype;
3078 efs.msdu = cpu_to_le16(chan->local_msdu);
3079 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3080 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3081 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3082 break;
3083
3084 case L2CAP_MODE_STREAMING:
3085 efs.id = 1;
3086 efs.stype = L2CAP_SERV_BESTEFFORT;
3087 efs.msdu = cpu_to_le16(chan->local_msdu);
3088 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3089 efs.acc_lat = 0;
3090 efs.flush_to = 0;
3091 break;
3092
3093 default:
3094 return;
3095 }
3096
3097 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3098 (unsigned long) &efs, size);
3099 }
3100
l2cap_ack_timeout(struct work_struct * work)3101 static void l2cap_ack_timeout(struct work_struct *work)
3102 {
3103 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3104 ack_timer.work);
3105 u16 frames_to_ack;
3106
3107 BT_DBG("chan %p", chan);
3108
3109 l2cap_chan_lock(chan);
3110
3111 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3112 chan->last_acked_seq);
3113
3114 if (frames_to_ack)
3115 l2cap_send_rr_or_rnr(chan, 0);
3116
3117 l2cap_chan_unlock(chan);
3118 l2cap_chan_put(chan);
3119 }
3120
l2cap_ertm_init(struct l2cap_chan * chan)3121 int l2cap_ertm_init(struct l2cap_chan *chan)
3122 {
3123 int err;
3124
3125 chan->next_tx_seq = 0;
3126 chan->expected_tx_seq = 0;
3127 chan->expected_ack_seq = 0;
3128 chan->unacked_frames = 0;
3129 chan->buffer_seq = 0;
3130 chan->frames_sent = 0;
3131 chan->last_acked_seq = 0;
3132 chan->sdu = NULL;
3133 chan->sdu_last_frag = NULL;
3134 chan->sdu_len = 0;
3135
3136 skb_queue_head_init(&chan->tx_q);
3137
3138 if (chan->mode != L2CAP_MODE_ERTM)
3139 return 0;
3140
3141 chan->rx_state = L2CAP_RX_STATE_RECV;
3142 chan->tx_state = L2CAP_TX_STATE_XMIT;
3143
3144 skb_queue_head_init(&chan->srej_q);
3145
3146 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3147 if (err < 0)
3148 return err;
3149
3150 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3151 if (err < 0)
3152 l2cap_seq_list_free(&chan->srej_list);
3153
3154 return err;
3155 }
3156
l2cap_select_mode(__u8 mode,__u16 remote_feat_mask)3157 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3158 {
3159 switch (mode) {
3160 case L2CAP_MODE_STREAMING:
3161 case L2CAP_MODE_ERTM:
3162 if (l2cap_mode_supported(mode, remote_feat_mask))
3163 return mode;
3164 fallthrough;
3165 default:
3166 return L2CAP_MODE_BASIC;
3167 }
3168 }
3169
__l2cap_ews_supported(struct l2cap_conn * conn)3170 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3171 {
3172 return (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW);
3173 }
3174
__l2cap_efs_supported(struct l2cap_conn * conn)3175 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3176 {
3177 return (conn->feat_mask & L2CAP_FEAT_EXT_FLOW);
3178 }
3179
__l2cap_set_ertm_timeouts(struct l2cap_chan * chan,struct l2cap_conf_rfc * rfc)3180 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3181 struct l2cap_conf_rfc *rfc)
3182 {
3183 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3184 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3185 }
3186
l2cap_txwin_setup(struct l2cap_chan * chan)3187 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3188 {
3189 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3190 __l2cap_ews_supported(chan->conn)) {
3191 /* use extended control field */
3192 set_bit(FLAG_EXT_CTRL, &chan->flags);
3193 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3194 } else {
3195 chan->tx_win = min_t(u16, chan->tx_win,
3196 L2CAP_DEFAULT_TX_WINDOW);
3197 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3198 }
3199 chan->ack_win = chan->tx_win;
3200 }
3201
l2cap_mtu_auto(struct l2cap_chan * chan)3202 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3203 {
3204 struct hci_conn *conn = chan->conn->hcon;
3205
3206 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3207
3208 /* The 2-DH1 packet has between 2 and 56 information bytes
3209 * (including the 2-byte payload header)
3210 */
3211 if (!(conn->pkt_type & HCI_2DH1))
3212 chan->imtu = 54;
3213
3214 /* The 3-DH1 packet has between 2 and 85 information bytes
3215 * (including the 2-byte payload header)
3216 */
3217 if (!(conn->pkt_type & HCI_3DH1))
3218 chan->imtu = 83;
3219
3220 /* The 2-DH3 packet has between 2 and 369 information bytes
3221 * (including the 2-byte payload header)
3222 */
3223 if (!(conn->pkt_type & HCI_2DH3))
3224 chan->imtu = 367;
3225
3226 /* The 3-DH3 packet has between 2 and 554 information bytes
3227 * (including the 2-byte payload header)
3228 */
3229 if (!(conn->pkt_type & HCI_3DH3))
3230 chan->imtu = 552;
3231
3232 /* The 2-DH5 packet has between 2 and 681 information bytes
3233 * (including the 2-byte payload header)
3234 */
3235 if (!(conn->pkt_type & HCI_2DH5))
3236 chan->imtu = 679;
3237
3238 /* The 3-DH5 packet has between 2 and 1023 information bytes
3239 * (including the 2-byte payload header)
3240 */
3241 if (!(conn->pkt_type & HCI_3DH5))
3242 chan->imtu = 1021;
3243 }
3244
l2cap_build_conf_req(struct l2cap_chan * chan,void * data,size_t data_size)3245 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3246 {
3247 struct l2cap_conf_req *req = data;
3248 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3249 void *ptr = req->data;
3250 void *endptr = data + data_size;
3251 u16 size;
3252
3253 BT_DBG("chan %p", chan);
3254
3255 if (chan->num_conf_req || chan->num_conf_rsp)
3256 goto done;
3257
3258 switch (chan->mode) {
3259 case L2CAP_MODE_STREAMING:
3260 case L2CAP_MODE_ERTM:
3261 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3262 break;
3263
3264 if (__l2cap_efs_supported(chan->conn))
3265 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3266
3267 fallthrough;
3268 default:
3269 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3270 break;
3271 }
3272
3273 done:
3274 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3275 if (!chan->imtu)
3276 l2cap_mtu_auto(chan);
3277 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3278 endptr - ptr);
3279 }
3280
3281 switch (chan->mode) {
3282 case L2CAP_MODE_BASIC:
3283 if (disable_ertm)
3284 break;
3285
3286 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3287 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3288 break;
3289
3290 rfc.mode = L2CAP_MODE_BASIC;
3291 rfc.txwin_size = 0;
3292 rfc.max_transmit = 0;
3293 rfc.retrans_timeout = 0;
3294 rfc.monitor_timeout = 0;
3295 rfc.max_pdu_size = 0;
3296
3297 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3298 (unsigned long) &rfc, endptr - ptr);
3299 break;
3300
3301 case L2CAP_MODE_ERTM:
3302 rfc.mode = L2CAP_MODE_ERTM;
3303 rfc.max_transmit = chan->max_tx;
3304
3305 __l2cap_set_ertm_timeouts(chan, &rfc);
3306
3307 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3308 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3309 L2CAP_FCS_SIZE);
3310 rfc.max_pdu_size = cpu_to_le16(size);
3311
3312 l2cap_txwin_setup(chan);
3313
3314 rfc.txwin_size = min_t(u16, chan->tx_win,
3315 L2CAP_DEFAULT_TX_WINDOW);
3316
3317 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3318 (unsigned long) &rfc, endptr - ptr);
3319
3320 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3321 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3322
3323 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3324 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3325 chan->tx_win, endptr - ptr);
3326
3327 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3328 if (chan->fcs == L2CAP_FCS_NONE ||
3329 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3330 chan->fcs = L2CAP_FCS_NONE;
3331 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3332 chan->fcs, endptr - ptr);
3333 }
3334 break;
3335
3336 case L2CAP_MODE_STREAMING:
3337 l2cap_txwin_setup(chan);
3338 rfc.mode = L2CAP_MODE_STREAMING;
3339 rfc.txwin_size = 0;
3340 rfc.max_transmit = 0;
3341 rfc.retrans_timeout = 0;
3342 rfc.monitor_timeout = 0;
3343
3344 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3345 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3346 L2CAP_FCS_SIZE);
3347 rfc.max_pdu_size = cpu_to_le16(size);
3348
3349 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3350 (unsigned long) &rfc, endptr - ptr);
3351
3352 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3353 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3354
3355 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3356 if (chan->fcs == L2CAP_FCS_NONE ||
3357 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3358 chan->fcs = L2CAP_FCS_NONE;
3359 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3360 chan->fcs, endptr - ptr);
3361 }
3362 break;
3363 }
3364
3365 req->dcid = cpu_to_le16(chan->dcid);
3366 req->flags = cpu_to_le16(0);
3367
3368 return ptr - data;
3369 }
3370
l2cap_parse_conf_req(struct l2cap_chan * chan,void * data,size_t data_size)3371 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3372 {
3373 struct l2cap_conf_rsp *rsp = data;
3374 void *ptr = rsp->data;
3375 void *endptr = data + data_size;
3376 void *req = chan->conf_req;
3377 int len = chan->conf_len;
3378 int type, hint, olen;
3379 unsigned long val;
3380 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3381 struct l2cap_conf_efs efs;
3382 u8 remote_efs = 0;
3383 u16 mtu = L2CAP_DEFAULT_MTU;
3384 u16 result = L2CAP_CONF_SUCCESS;
3385 u16 size;
3386
3387 BT_DBG("chan %p", chan);
3388
3389 while (len >= L2CAP_CONF_OPT_SIZE) {
3390 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3391 if (len < 0)
3392 break;
3393
3394 hint = type & L2CAP_CONF_HINT;
3395 type &= L2CAP_CONF_MASK;
3396
3397 switch (type) {
3398 case L2CAP_CONF_MTU:
3399 if (olen != 2)
3400 break;
3401 mtu = val;
3402 break;
3403
3404 case L2CAP_CONF_FLUSH_TO:
3405 if (olen != 2)
3406 break;
3407 chan->flush_to = val;
3408 break;
3409
3410 case L2CAP_CONF_QOS:
3411 break;
3412
3413 case L2CAP_CONF_RFC:
3414 if (olen != sizeof(rfc))
3415 break;
3416 memcpy(&rfc, (void *) val, olen);
3417 break;
3418
3419 case L2CAP_CONF_FCS:
3420 if (olen != 1)
3421 break;
3422 if (val == L2CAP_FCS_NONE)
3423 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3424 break;
3425
3426 case L2CAP_CONF_EFS:
3427 if (olen != sizeof(efs))
3428 break;
3429 remote_efs = 1;
3430 memcpy(&efs, (void *) val, olen);
3431 break;
3432
3433 case L2CAP_CONF_EWS:
3434 if (olen != 2)
3435 break;
3436 return -ECONNREFUSED;
3437
3438 default:
3439 if (hint)
3440 break;
3441 result = L2CAP_CONF_UNKNOWN;
3442 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr);
3443 break;
3444 }
3445 }
3446
3447 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3448 goto done;
3449
3450 switch (chan->mode) {
3451 case L2CAP_MODE_STREAMING:
3452 case L2CAP_MODE_ERTM:
3453 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3454 chan->mode = l2cap_select_mode(rfc.mode,
3455 chan->conn->feat_mask);
3456 break;
3457 }
3458
3459 if (remote_efs) {
3460 if (__l2cap_efs_supported(chan->conn))
3461 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3462 else
3463 return -ECONNREFUSED;
3464 }
3465
3466 if (chan->mode != rfc.mode)
3467 return -ECONNREFUSED;
3468
3469 break;
3470 }
3471
3472 done:
3473 if (chan->mode != rfc.mode) {
3474 result = L2CAP_CONF_UNACCEPT;
3475 rfc.mode = chan->mode;
3476
3477 if (chan->num_conf_rsp == 1)
3478 return -ECONNREFUSED;
3479
3480 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3481 (unsigned long) &rfc, endptr - ptr);
3482 }
3483
3484 if (result == L2CAP_CONF_SUCCESS) {
3485 /* Configure output options and let the other side know
3486 * which ones we don't like. */
3487
3488 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3489 result = L2CAP_CONF_UNACCEPT;
3490 else {
3491 chan->omtu = mtu;
3492 set_bit(CONF_MTU_DONE, &chan->conf_state);
3493 }
3494 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3495
3496 if (remote_efs) {
3497 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3498 efs.stype != L2CAP_SERV_NOTRAFIC &&
3499 efs.stype != chan->local_stype) {
3500
3501 result = L2CAP_CONF_UNACCEPT;
3502
3503 if (chan->num_conf_req >= 1)
3504 return -ECONNREFUSED;
3505
3506 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3507 sizeof(efs),
3508 (unsigned long) &efs, endptr - ptr);
3509 } else {
3510 /* Send PENDING Conf Rsp */
3511 result = L2CAP_CONF_PENDING;
3512 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3513 }
3514 }
3515
3516 switch (rfc.mode) {
3517 case L2CAP_MODE_BASIC:
3518 chan->fcs = L2CAP_FCS_NONE;
3519 set_bit(CONF_MODE_DONE, &chan->conf_state);
3520 break;
3521
3522 case L2CAP_MODE_ERTM:
3523 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3524 chan->remote_tx_win = rfc.txwin_size;
3525 else
3526 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3527
3528 chan->remote_max_tx = rfc.max_transmit;
3529
3530 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3531 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3532 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3533 rfc.max_pdu_size = cpu_to_le16(size);
3534 chan->remote_mps = size;
3535
3536 __l2cap_set_ertm_timeouts(chan, &rfc);
3537
3538 set_bit(CONF_MODE_DONE, &chan->conf_state);
3539
3540 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3541 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3542
3543 if (remote_efs &&
3544 test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3545 chan->remote_id = efs.id;
3546 chan->remote_stype = efs.stype;
3547 chan->remote_msdu = le16_to_cpu(efs.msdu);
3548 chan->remote_flush_to =
3549 le32_to_cpu(efs.flush_to);
3550 chan->remote_acc_lat =
3551 le32_to_cpu(efs.acc_lat);
3552 chan->remote_sdu_itime =
3553 le32_to_cpu(efs.sdu_itime);
3554 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3555 sizeof(efs),
3556 (unsigned long) &efs, endptr - ptr);
3557 }
3558 break;
3559
3560 case L2CAP_MODE_STREAMING:
3561 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3562 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3563 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3564 rfc.max_pdu_size = cpu_to_le16(size);
3565 chan->remote_mps = size;
3566
3567 set_bit(CONF_MODE_DONE, &chan->conf_state);
3568
3569 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3570 (unsigned long) &rfc, endptr - ptr);
3571
3572 break;
3573
3574 default:
3575 result = L2CAP_CONF_UNACCEPT;
3576
3577 memset(&rfc, 0, sizeof(rfc));
3578 rfc.mode = chan->mode;
3579 }
3580
3581 if (result == L2CAP_CONF_SUCCESS)
3582 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3583 }
3584 rsp->scid = cpu_to_le16(chan->dcid);
3585 rsp->result = cpu_to_le16(result);
3586 rsp->flags = cpu_to_le16(0);
3587
3588 return ptr - data;
3589 }
3590
l2cap_parse_conf_rsp(struct l2cap_chan * chan,void * rsp,int len,void * data,size_t size,u16 * result)3591 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3592 void *data, size_t size, u16 *result)
3593 {
3594 struct l2cap_conf_req *req = data;
3595 void *ptr = req->data;
3596 void *endptr = data + size;
3597 int type, olen;
3598 unsigned long val;
3599 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3600 struct l2cap_conf_efs efs;
3601
3602 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3603
3604 while (len >= L2CAP_CONF_OPT_SIZE) {
3605 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3606 if (len < 0)
3607 break;
3608
3609 switch (type) {
3610 case L2CAP_CONF_MTU:
3611 if (olen != 2)
3612 break;
3613 if (val < L2CAP_DEFAULT_MIN_MTU) {
3614 *result = L2CAP_CONF_UNACCEPT;
3615 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3616 } else
3617 chan->imtu = val;
3618 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3619 endptr - ptr);
3620 break;
3621
3622 case L2CAP_CONF_FLUSH_TO:
3623 if (olen != 2)
3624 break;
3625 chan->flush_to = val;
3626 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3627 chan->flush_to, endptr - ptr);
3628 break;
3629
3630 case L2CAP_CONF_RFC:
3631 if (olen != sizeof(rfc))
3632 break;
3633 memcpy(&rfc, (void *)val, olen);
3634 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3635 rfc.mode != chan->mode)
3636 return -ECONNREFUSED;
3637 chan->fcs = 0;
3638 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3639 (unsigned long) &rfc, endptr - ptr);
3640 break;
3641
3642 case L2CAP_CONF_EWS:
3643 if (olen != 2)
3644 break;
3645 chan->ack_win = min_t(u16, val, chan->ack_win);
3646 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3647 chan->tx_win, endptr - ptr);
3648 break;
3649
3650 case L2CAP_CONF_EFS:
3651 if (olen != sizeof(efs))
3652 break;
3653 memcpy(&efs, (void *)val, olen);
3654 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3655 efs.stype != L2CAP_SERV_NOTRAFIC &&
3656 efs.stype != chan->local_stype)
3657 return -ECONNREFUSED;
3658 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3659 (unsigned long) &efs, endptr - ptr);
3660 break;
3661
3662 case L2CAP_CONF_FCS:
3663 if (olen != 1)
3664 break;
3665 if (*result == L2CAP_CONF_PENDING)
3666 if (val == L2CAP_FCS_NONE)
3667 set_bit(CONF_RECV_NO_FCS,
3668 &chan->conf_state);
3669 break;
3670 }
3671 }
3672
3673 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3674 return -ECONNREFUSED;
3675
3676 chan->mode = rfc.mode;
3677
3678 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3679 switch (rfc.mode) {
3680 case L2CAP_MODE_ERTM:
3681 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3682 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3683 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3684 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3685 chan->ack_win = min_t(u16, chan->ack_win,
3686 rfc.txwin_size);
3687
3688 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3689 chan->local_msdu = le16_to_cpu(efs.msdu);
3690 chan->local_sdu_itime =
3691 le32_to_cpu(efs.sdu_itime);
3692 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3693 chan->local_flush_to =
3694 le32_to_cpu(efs.flush_to);
3695 }
3696 break;
3697
3698 case L2CAP_MODE_STREAMING:
3699 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3700 }
3701 }
3702
3703 req->dcid = cpu_to_le16(chan->dcid);
3704 req->flags = cpu_to_le16(0);
3705
3706 return ptr - data;
3707 }
3708
l2cap_build_conf_rsp(struct l2cap_chan * chan,void * data,u16 result,u16 flags)3709 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3710 u16 result, u16 flags)
3711 {
3712 struct l2cap_conf_rsp *rsp = data;
3713 void *ptr = rsp->data;
3714
3715 BT_DBG("chan %p", chan);
3716
3717 rsp->scid = cpu_to_le16(chan->dcid);
3718 rsp->result = cpu_to_le16(result);
3719 rsp->flags = cpu_to_le16(flags);
3720
3721 return ptr - data;
3722 }
3723
__l2cap_le_connect_rsp_defer(struct l2cap_chan * chan)3724 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3725 {
3726 struct l2cap_le_conn_rsp rsp;
3727 struct l2cap_conn *conn = chan->conn;
3728
3729 BT_DBG("chan %p", chan);
3730
3731 rsp.dcid = cpu_to_le16(chan->scid);
3732 rsp.mtu = cpu_to_le16(chan->imtu);
3733 rsp.mps = cpu_to_le16(chan->mps);
3734 rsp.credits = cpu_to_le16(chan->rx_credits);
3735 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3736
3737 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3738 &rsp);
3739 }
3740
l2cap_ecred_list_defer(struct l2cap_chan * chan,void * data)3741 static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data)
3742 {
3743 int *result = data;
3744
3745 if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
3746 return;
3747
3748 switch (chan->state) {
3749 case BT_CONNECT2:
3750 /* If channel still pending accept add to result */
3751 (*result)++;
3752 return;
3753 case BT_CONNECTED:
3754 return;
3755 default:
3756 /* If not connected or pending accept it has been refused */
3757 *result = -ECONNREFUSED;
3758 return;
3759 }
3760 }
3761
3762 struct l2cap_ecred_rsp_data {
3763 struct {
3764 struct l2cap_ecred_conn_rsp rsp;
3765 __le16 scid[L2CAP_ECRED_MAX_CID];
3766 } __packed pdu;
3767 int count;
3768 };
3769
l2cap_ecred_rsp_defer(struct l2cap_chan * chan,void * data)3770 static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data)
3771 {
3772 struct l2cap_ecred_rsp_data *rsp = data;
3773
3774 /* Check if channel for outgoing connection or if it wasn't deferred
3775 * since in those cases it must be skipped.
3776 */
3777 if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags) ||
3778 !test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
3779 return;
3780
3781 /* Reset ident so only one response is sent */
3782 chan->ident = 0;
3783
3784 /* Include all channels pending with the same ident */
3785 if (!rsp->pdu.rsp.result)
3786 rsp->pdu.rsp.dcid[rsp->count++] = cpu_to_le16(chan->scid);
3787 else
3788 l2cap_chan_del(chan, ECONNRESET);
3789 }
3790
__l2cap_ecred_conn_rsp_defer(struct l2cap_chan * chan)3791 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3792 {
3793 struct l2cap_conn *conn = chan->conn;
3794 struct l2cap_ecred_rsp_data data;
3795 u16 id = chan->ident;
3796 int result = 0;
3797
3798 if (!id)
3799 return;
3800
3801 BT_DBG("chan %p id %d", chan, id);
3802
3803 memset(&data, 0, sizeof(data));
3804
3805 data.pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3806 data.pdu.rsp.mps = cpu_to_le16(chan->mps);
3807 data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3808 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3809
3810 /* Verify that all channels are ready */
3811 __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result);
3812
3813 if (result > 0)
3814 return;
3815
3816 if (result < 0)
3817 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION);
3818
3819 /* Build response */
3820 __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data);
3821
3822 l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP,
3823 sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)),
3824 &data.pdu);
3825 }
3826
__l2cap_connect_rsp_defer(struct l2cap_chan * chan)3827 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3828 {
3829 struct l2cap_conn_rsp rsp;
3830 struct l2cap_conn *conn = chan->conn;
3831 u8 buf[128];
3832 u8 rsp_code;
3833
3834 rsp.scid = cpu_to_le16(chan->dcid);
3835 rsp.dcid = cpu_to_le16(chan->scid);
3836 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3837 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3838 rsp_code = L2CAP_CONN_RSP;
3839
3840 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3841
3842 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3843
3844 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3845 return;
3846
3847 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3848 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3849 chan->num_conf_req++;
3850 }
3851
l2cap_conf_rfc_get(struct l2cap_chan * chan,void * rsp,int len)3852 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3853 {
3854 int type, olen;
3855 unsigned long val;
3856 /* Use sane default values in case a misbehaving remote device
3857 * did not send an RFC or extended window size option.
3858 */
3859 u16 txwin_ext = chan->ack_win;
3860 struct l2cap_conf_rfc rfc = {
3861 .mode = chan->mode,
3862 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3863 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3864 .max_pdu_size = cpu_to_le16(chan->imtu),
3865 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3866 };
3867
3868 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3869
3870 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3871 return;
3872
3873 while (len >= L2CAP_CONF_OPT_SIZE) {
3874 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3875 if (len < 0)
3876 break;
3877
3878 switch (type) {
3879 case L2CAP_CONF_RFC:
3880 if (olen != sizeof(rfc))
3881 break;
3882 memcpy(&rfc, (void *)val, olen);
3883 break;
3884 case L2CAP_CONF_EWS:
3885 if (olen != 2)
3886 break;
3887 txwin_ext = val;
3888 break;
3889 }
3890 }
3891
3892 switch (rfc.mode) {
3893 case L2CAP_MODE_ERTM:
3894 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3895 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3896 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3897 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3898 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3899 else
3900 chan->ack_win = min_t(u16, chan->ack_win,
3901 rfc.txwin_size);
3902 break;
3903 case L2CAP_MODE_STREAMING:
3904 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3905 }
3906 }
3907
l2cap_command_rej(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)3908 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3909 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3910 u8 *data)
3911 {
3912 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3913
3914 if (cmd_len < sizeof(*rej))
3915 return -EPROTO;
3916
3917 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3918 return 0;
3919
3920 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3921 cmd->ident == conn->info_ident) {
3922 cancel_delayed_work(&conn->info_timer);
3923
3924 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3925 conn->info_ident = 0;
3926
3927 l2cap_conn_start(conn);
3928 }
3929
3930 return 0;
3931 }
3932
l2cap_connect(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u8 * data,u8 rsp_code)3933 static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
3934 u8 *data, u8 rsp_code)
3935 {
3936 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3937 struct l2cap_conn_rsp rsp;
3938 struct l2cap_chan *chan = NULL, *pchan = NULL;
3939 int result, status = L2CAP_CS_NO_INFO;
3940
3941 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3942 __le16 psm = req->psm;
3943
3944 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3945
3946 /* Check if we have socket listening on psm */
3947 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3948 &conn->hcon->dst, ACL_LINK);
3949 if (!pchan) {
3950 result = L2CAP_CR_BAD_PSM;
3951 goto response;
3952 }
3953
3954 l2cap_chan_lock(pchan);
3955
3956 /* Check if the ACL is secure enough (if not SDP) */
3957 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3958 (!hci_conn_check_link_mode(conn->hcon) ||
3959 !l2cap_check_enc_key_size(conn->hcon, pchan))) {
3960 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3961 result = L2CAP_CR_SEC_BLOCK;
3962 goto response;
3963 }
3964
3965 result = L2CAP_CR_NO_MEM;
3966
3967 /* Check for valid dynamic CID range (as per Erratum 3253) */
3968 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3969 result = L2CAP_CR_INVALID_SCID;
3970 goto response;
3971 }
3972
3973 /* Check if we already have channel with that dcid */
3974 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3975 result = L2CAP_CR_SCID_IN_USE;
3976 goto response;
3977 }
3978
3979 chan = pchan->ops->new_connection(pchan);
3980 if (!chan)
3981 goto response;
3982
3983 /* For certain devices (ex: HID mouse), support for authentication,
3984 * pairing and bonding is optional. For such devices, inorder to avoid
3985 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3986 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3987 */
3988 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3989
3990 bacpy(&chan->src, &conn->hcon->src);
3991 bacpy(&chan->dst, &conn->hcon->dst);
3992 chan->src_type = bdaddr_src_type(conn->hcon);
3993 chan->dst_type = bdaddr_dst_type(conn->hcon);
3994 chan->psm = psm;
3995 chan->dcid = scid;
3996
3997 __l2cap_chan_add(conn, chan);
3998
3999 dcid = chan->scid;
4000
4001 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4002
4003 chan->ident = cmd->ident;
4004
4005 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4006 if (l2cap_chan_check_security(chan, false)) {
4007 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4008 l2cap_state_change(chan, BT_CONNECT2);
4009 result = L2CAP_CR_PEND;
4010 status = L2CAP_CS_AUTHOR_PEND;
4011 chan->ops->defer(chan);
4012 } else {
4013 l2cap_state_change(chan, BT_CONFIG);
4014 result = L2CAP_CR_SUCCESS;
4015 status = L2CAP_CS_NO_INFO;
4016 }
4017 } else {
4018 l2cap_state_change(chan, BT_CONNECT2);
4019 result = L2CAP_CR_PEND;
4020 status = L2CAP_CS_AUTHEN_PEND;
4021 }
4022 } else {
4023 l2cap_state_change(chan, BT_CONNECT2);
4024 result = L2CAP_CR_PEND;
4025 status = L2CAP_CS_NO_INFO;
4026 }
4027
4028 response:
4029 rsp.scid = cpu_to_le16(scid);
4030 rsp.dcid = cpu_to_le16(dcid);
4031 rsp.result = cpu_to_le16(result);
4032 rsp.status = cpu_to_le16(status);
4033 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4034
4035 if (!pchan)
4036 return;
4037
4038 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4039 struct l2cap_info_req info;
4040 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4041
4042 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4043 conn->info_ident = l2cap_get_ident(conn);
4044
4045 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4046
4047 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4048 sizeof(info), &info);
4049 }
4050
4051 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4052 result == L2CAP_CR_SUCCESS) {
4053 u8 buf[128];
4054 set_bit(CONF_REQ_SENT, &chan->conf_state);
4055 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4056 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4057 chan->num_conf_req++;
4058 }
4059
4060 l2cap_chan_unlock(pchan);
4061 l2cap_chan_put(pchan);
4062 }
4063
l2cap_connect_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4064 static int l2cap_connect_req(struct l2cap_conn *conn,
4065 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4066 {
4067 if (cmd_len < sizeof(struct l2cap_conn_req))
4068 return -EPROTO;
4069
4070 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP);
4071 return 0;
4072 }
4073
l2cap_connect_create_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4074 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4075 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4076 u8 *data)
4077 {
4078 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4079 u16 scid, dcid, result, status;
4080 struct l2cap_chan *chan;
4081 u8 req[128];
4082 int err;
4083
4084 if (cmd_len < sizeof(*rsp))
4085 return -EPROTO;
4086
4087 scid = __le16_to_cpu(rsp->scid);
4088 dcid = __le16_to_cpu(rsp->dcid);
4089 result = __le16_to_cpu(rsp->result);
4090 status = __le16_to_cpu(rsp->status);
4091
4092 if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START ||
4093 dcid > L2CAP_CID_DYN_END))
4094 return -EPROTO;
4095
4096 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4097 dcid, scid, result, status);
4098
4099 if (scid) {
4100 chan = __l2cap_get_chan_by_scid(conn, scid);
4101 if (!chan)
4102 return -EBADSLT;
4103 } else {
4104 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4105 if (!chan)
4106 return -EBADSLT;
4107 }
4108
4109 chan = l2cap_chan_hold_unless_zero(chan);
4110 if (!chan)
4111 return -EBADSLT;
4112
4113 err = 0;
4114
4115 l2cap_chan_lock(chan);
4116
4117 switch (result) {
4118 case L2CAP_CR_SUCCESS:
4119 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
4120 err = -EBADSLT;
4121 break;
4122 }
4123
4124 l2cap_state_change(chan, BT_CONFIG);
4125 chan->ident = 0;
4126 chan->dcid = dcid;
4127 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4128
4129 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4130 break;
4131
4132 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4133 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4134 chan->num_conf_req++;
4135 break;
4136
4137 case L2CAP_CR_PEND:
4138 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4139 break;
4140
4141 default:
4142 l2cap_chan_del(chan, ECONNREFUSED);
4143 break;
4144 }
4145
4146 l2cap_chan_unlock(chan);
4147 l2cap_chan_put(chan);
4148
4149 return err;
4150 }
4151
set_default_fcs(struct l2cap_chan * chan)4152 static inline void set_default_fcs(struct l2cap_chan *chan)
4153 {
4154 /* FCS is enabled only in ERTM or streaming mode, if one or both
4155 * sides request it.
4156 */
4157 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4158 chan->fcs = L2CAP_FCS_NONE;
4159 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4160 chan->fcs = L2CAP_FCS_CRC16;
4161 }
4162
l2cap_send_efs_conf_rsp(struct l2cap_chan * chan,void * data,u8 ident,u16 flags)4163 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4164 u8 ident, u16 flags)
4165 {
4166 struct l2cap_conn *conn = chan->conn;
4167
4168 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4169 flags);
4170
4171 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4172 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4173
4174 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4175 l2cap_build_conf_rsp(chan, data,
4176 L2CAP_CONF_SUCCESS, flags), data);
4177 }
4178
cmd_reject_invalid_cid(struct l2cap_conn * conn,u8 ident,u16 scid,u16 dcid)4179 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4180 u16 scid, u16 dcid)
4181 {
4182 struct l2cap_cmd_rej_cid rej;
4183
4184 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4185 rej.scid = __cpu_to_le16(scid);
4186 rej.dcid = __cpu_to_le16(dcid);
4187
4188 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4189 }
4190
l2cap_config_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4191 static inline int l2cap_config_req(struct l2cap_conn *conn,
4192 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4193 u8 *data)
4194 {
4195 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4196 u16 dcid, flags;
4197 u8 rsp[64];
4198 struct l2cap_chan *chan;
4199 int len, err = 0;
4200
4201 if (cmd_len < sizeof(*req))
4202 return -EPROTO;
4203
4204 dcid = __le16_to_cpu(req->dcid);
4205 flags = __le16_to_cpu(req->flags);
4206
4207 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4208
4209 chan = l2cap_get_chan_by_scid(conn, dcid);
4210 if (!chan) {
4211 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4212 return 0;
4213 }
4214
4215 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4216 chan->state != BT_CONNECTED) {
4217 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4218 chan->dcid);
4219 goto unlock;
4220 }
4221
4222 /* Reject if config buffer is too small. */
4223 len = cmd_len - sizeof(*req);
4224 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4225 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4226 l2cap_build_conf_rsp(chan, rsp,
4227 L2CAP_CONF_REJECT, flags), rsp);
4228 goto unlock;
4229 }
4230
4231 /* Store config. */
4232 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4233 chan->conf_len += len;
4234
4235 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4236 /* Incomplete config. Send empty response. */
4237 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4238 l2cap_build_conf_rsp(chan, rsp,
4239 L2CAP_CONF_SUCCESS, flags), rsp);
4240 goto unlock;
4241 }
4242
4243 /* Complete config. */
4244 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4245 if (len < 0) {
4246 l2cap_send_disconn_req(chan, ECONNRESET);
4247 goto unlock;
4248 }
4249
4250 chan->ident = cmd->ident;
4251 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4252 if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
4253 chan->num_conf_rsp++;
4254
4255 /* Reset config buffer. */
4256 chan->conf_len = 0;
4257
4258 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4259 goto unlock;
4260
4261 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4262 set_default_fcs(chan);
4263
4264 if (chan->mode == L2CAP_MODE_ERTM ||
4265 chan->mode == L2CAP_MODE_STREAMING)
4266 err = l2cap_ertm_init(chan);
4267
4268 if (err < 0)
4269 l2cap_send_disconn_req(chan, -err);
4270 else
4271 l2cap_chan_ready(chan);
4272
4273 goto unlock;
4274 }
4275
4276 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4277 u8 buf[64];
4278 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4279 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4280 chan->num_conf_req++;
4281 }
4282
4283 /* Got Conf Rsp PENDING from remote side and assume we sent
4284 Conf Rsp PENDING in the code above */
4285 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4286 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4287
4288 /* check compatibility */
4289
4290 /* Send rsp for BR/EDR channel */
4291 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4292 }
4293
4294 unlock:
4295 l2cap_chan_unlock(chan);
4296 l2cap_chan_put(chan);
4297 return err;
4298 }
4299
l2cap_config_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4300 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4301 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4302 u8 *data)
4303 {
4304 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4305 u16 scid, flags, result;
4306 struct l2cap_chan *chan;
4307 int len = cmd_len - sizeof(*rsp);
4308 int err = 0;
4309
4310 if (cmd_len < sizeof(*rsp))
4311 return -EPROTO;
4312
4313 scid = __le16_to_cpu(rsp->scid);
4314 flags = __le16_to_cpu(rsp->flags);
4315 result = __le16_to_cpu(rsp->result);
4316
4317 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4318 result, len);
4319
4320 chan = l2cap_get_chan_by_scid(conn, scid);
4321 if (!chan)
4322 return 0;
4323
4324 switch (result) {
4325 case L2CAP_CONF_SUCCESS:
4326 l2cap_conf_rfc_get(chan, rsp->data, len);
4327 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4328 break;
4329
4330 case L2CAP_CONF_PENDING:
4331 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4332
4333 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4334 char buf[64];
4335
4336 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4337 buf, sizeof(buf), &result);
4338 if (len < 0) {
4339 l2cap_send_disconn_req(chan, ECONNRESET);
4340 goto done;
4341 }
4342
4343 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0);
4344 }
4345 goto done;
4346
4347 case L2CAP_CONF_UNKNOWN:
4348 case L2CAP_CONF_UNACCEPT:
4349 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4350 char req[64];
4351
4352 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4353 l2cap_send_disconn_req(chan, ECONNRESET);
4354 goto done;
4355 }
4356
4357 /* throw out any old stored conf requests */
4358 result = L2CAP_CONF_SUCCESS;
4359 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4360 req, sizeof(req), &result);
4361 if (len < 0) {
4362 l2cap_send_disconn_req(chan, ECONNRESET);
4363 goto done;
4364 }
4365
4366 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4367 L2CAP_CONF_REQ, len, req);
4368 chan->num_conf_req++;
4369 if (result != L2CAP_CONF_SUCCESS)
4370 goto done;
4371 break;
4372 }
4373 fallthrough;
4374
4375 default:
4376 l2cap_chan_set_err(chan, ECONNRESET);
4377
4378 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4379 l2cap_send_disconn_req(chan, ECONNRESET);
4380 goto done;
4381 }
4382
4383 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4384 goto done;
4385
4386 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4387
4388 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4389 set_default_fcs(chan);
4390
4391 if (chan->mode == L2CAP_MODE_ERTM ||
4392 chan->mode == L2CAP_MODE_STREAMING)
4393 err = l2cap_ertm_init(chan);
4394
4395 if (err < 0)
4396 l2cap_send_disconn_req(chan, -err);
4397 else
4398 l2cap_chan_ready(chan);
4399 }
4400
4401 done:
4402 l2cap_chan_unlock(chan);
4403 l2cap_chan_put(chan);
4404 return err;
4405 }
4406
l2cap_disconnect_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4407 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4408 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4409 u8 *data)
4410 {
4411 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4412 struct l2cap_disconn_rsp rsp;
4413 u16 dcid, scid;
4414 struct l2cap_chan *chan;
4415
4416 if (cmd_len != sizeof(*req))
4417 return -EPROTO;
4418
4419 scid = __le16_to_cpu(req->scid);
4420 dcid = __le16_to_cpu(req->dcid);
4421
4422 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4423
4424 chan = l2cap_get_chan_by_scid(conn, dcid);
4425 if (!chan) {
4426 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4427 return 0;
4428 }
4429
4430 rsp.dcid = cpu_to_le16(chan->scid);
4431 rsp.scid = cpu_to_le16(chan->dcid);
4432 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4433
4434 chan->ops->set_shutdown(chan);
4435
4436 l2cap_chan_del(chan, ECONNRESET);
4437
4438 chan->ops->close(chan);
4439
4440 l2cap_chan_unlock(chan);
4441 l2cap_chan_put(chan);
4442
4443 return 0;
4444 }
4445
l2cap_disconnect_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4446 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4447 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4448 u8 *data)
4449 {
4450 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4451 u16 dcid, scid;
4452 struct l2cap_chan *chan;
4453
4454 if (cmd_len != sizeof(*rsp))
4455 return -EPROTO;
4456
4457 scid = __le16_to_cpu(rsp->scid);
4458 dcid = __le16_to_cpu(rsp->dcid);
4459
4460 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4461
4462 chan = l2cap_get_chan_by_scid(conn, scid);
4463 if (!chan) {
4464 return 0;
4465 }
4466
4467 if (chan->state != BT_DISCONN) {
4468 l2cap_chan_unlock(chan);
4469 l2cap_chan_put(chan);
4470 return 0;
4471 }
4472
4473 l2cap_chan_del(chan, 0);
4474
4475 chan->ops->close(chan);
4476
4477 l2cap_chan_unlock(chan);
4478 l2cap_chan_put(chan);
4479
4480 return 0;
4481 }
4482
l2cap_information_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4483 static inline int l2cap_information_req(struct l2cap_conn *conn,
4484 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4485 u8 *data)
4486 {
4487 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4488 u16 type;
4489
4490 if (cmd_len != sizeof(*req))
4491 return -EPROTO;
4492
4493 type = __le16_to_cpu(req->type);
4494
4495 BT_DBG("type 0x%4.4x", type);
4496
4497 if (type == L2CAP_IT_FEAT_MASK) {
4498 u8 buf[8];
4499 u32 feat_mask = l2cap_feat_mask;
4500 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4501 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4502 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4503 if (!disable_ertm)
4504 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4505 | L2CAP_FEAT_FCS;
4506
4507 put_unaligned_le32(feat_mask, rsp->data);
4508 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4509 buf);
4510 } else if (type == L2CAP_IT_FIXED_CHAN) {
4511 u8 buf[12];
4512 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4513
4514 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4515 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4516 rsp->data[0] = conn->local_fixed_chan;
4517 memset(rsp->data + 1, 0, 7);
4518 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4519 buf);
4520 } else {
4521 struct l2cap_info_rsp rsp;
4522 rsp.type = cpu_to_le16(type);
4523 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4524 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4525 &rsp);
4526 }
4527
4528 return 0;
4529 }
4530
l2cap_information_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4531 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4532 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4533 u8 *data)
4534 {
4535 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4536 u16 type, result;
4537
4538 if (cmd_len < sizeof(*rsp))
4539 return -EPROTO;
4540
4541 type = __le16_to_cpu(rsp->type);
4542 result = __le16_to_cpu(rsp->result);
4543
4544 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4545
4546 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4547 if (cmd->ident != conn->info_ident ||
4548 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4549 return 0;
4550
4551 cancel_delayed_work(&conn->info_timer);
4552
4553 if (result != L2CAP_IR_SUCCESS) {
4554 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4555 conn->info_ident = 0;
4556
4557 l2cap_conn_start(conn);
4558
4559 return 0;
4560 }
4561
4562 switch (type) {
4563 case L2CAP_IT_FEAT_MASK:
4564 conn->feat_mask = get_unaligned_le32(rsp->data);
4565
4566 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4567 struct l2cap_info_req req;
4568 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4569
4570 conn->info_ident = l2cap_get_ident(conn);
4571
4572 l2cap_send_cmd(conn, conn->info_ident,
4573 L2CAP_INFO_REQ, sizeof(req), &req);
4574 } else {
4575 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4576 conn->info_ident = 0;
4577
4578 l2cap_conn_start(conn);
4579 }
4580 break;
4581
4582 case L2CAP_IT_FIXED_CHAN:
4583 conn->remote_fixed_chan = rsp->data[0];
4584 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4585 conn->info_ident = 0;
4586
4587 l2cap_conn_start(conn);
4588 break;
4589 }
4590
4591 return 0;
4592 }
4593
l2cap_conn_param_update_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4594 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
4595 struct l2cap_cmd_hdr *cmd,
4596 u16 cmd_len, u8 *data)
4597 {
4598 struct hci_conn *hcon = conn->hcon;
4599 struct l2cap_conn_param_update_req *req;
4600 struct l2cap_conn_param_update_rsp rsp;
4601 u16 min, max, latency, to_multiplier;
4602 int err;
4603
4604 if (hcon->role != HCI_ROLE_MASTER)
4605 return -EINVAL;
4606
4607 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
4608 return -EPROTO;
4609
4610 req = (struct l2cap_conn_param_update_req *) data;
4611 min = __le16_to_cpu(req->min);
4612 max = __le16_to_cpu(req->max);
4613 latency = __le16_to_cpu(req->latency);
4614 to_multiplier = __le16_to_cpu(req->to_multiplier);
4615
4616 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
4617 min, max, latency, to_multiplier);
4618
4619 memset(&rsp, 0, sizeof(rsp));
4620
4621 err = hci_check_conn_params(min, max, latency, to_multiplier);
4622 if (err)
4623 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
4624 else
4625 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
4626
4627 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
4628 sizeof(rsp), &rsp);
4629
4630 if (!err) {
4631 u8 store_hint;
4632
4633 store_hint = hci_le_conn_update(hcon, min, max, latency,
4634 to_multiplier);
4635 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
4636 store_hint, min, max, latency,
4637 to_multiplier);
4638
4639 }
4640
4641 return 0;
4642 }
4643
l2cap_le_connect_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4644 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
4645 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4646 u8 *data)
4647 {
4648 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
4649 struct hci_conn *hcon = conn->hcon;
4650 u16 dcid, mtu, mps, credits, result;
4651 struct l2cap_chan *chan;
4652 int err, sec_level;
4653
4654 if (cmd_len < sizeof(*rsp))
4655 return -EPROTO;
4656
4657 dcid = __le16_to_cpu(rsp->dcid);
4658 mtu = __le16_to_cpu(rsp->mtu);
4659 mps = __le16_to_cpu(rsp->mps);
4660 credits = __le16_to_cpu(rsp->credits);
4661 result = __le16_to_cpu(rsp->result);
4662
4663 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
4664 dcid < L2CAP_CID_DYN_START ||
4665 dcid > L2CAP_CID_LE_DYN_END))
4666 return -EPROTO;
4667
4668 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
4669 dcid, mtu, mps, credits, result);
4670
4671 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4672 if (!chan)
4673 return -EBADSLT;
4674
4675 err = 0;
4676
4677 l2cap_chan_lock(chan);
4678
4679 switch (result) {
4680 case L2CAP_CR_LE_SUCCESS:
4681 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
4682 err = -EBADSLT;
4683 break;
4684 }
4685
4686 chan->ident = 0;
4687 chan->dcid = dcid;
4688 chan->omtu = mtu;
4689 chan->remote_mps = mps;
4690 chan->tx_credits = credits;
4691 l2cap_chan_ready(chan);
4692 break;
4693
4694 case L2CAP_CR_LE_AUTHENTICATION:
4695 case L2CAP_CR_LE_ENCRYPTION:
4696 /* If we already have MITM protection we can't do
4697 * anything.
4698 */
4699 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
4700 l2cap_chan_del(chan, ECONNREFUSED);
4701 break;
4702 }
4703
4704 sec_level = hcon->sec_level + 1;
4705 if (chan->sec_level < sec_level)
4706 chan->sec_level = sec_level;
4707
4708 /* We'll need to send a new Connect Request */
4709 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
4710
4711 smp_conn_security(hcon, chan->sec_level);
4712 break;
4713
4714 default:
4715 l2cap_chan_del(chan, ECONNREFUSED);
4716 break;
4717 }
4718
4719 l2cap_chan_unlock(chan);
4720
4721 return err;
4722 }
4723
l2cap_bredr_sig_cmd(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4724 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
4725 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4726 u8 *data)
4727 {
4728 int err = 0;
4729
4730 switch (cmd->code) {
4731 case L2CAP_COMMAND_REJ:
4732 l2cap_command_rej(conn, cmd, cmd_len, data);
4733 break;
4734
4735 case L2CAP_CONN_REQ:
4736 err = l2cap_connect_req(conn, cmd, cmd_len, data);
4737 break;
4738
4739 case L2CAP_CONN_RSP:
4740 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
4741 break;
4742
4743 case L2CAP_CONF_REQ:
4744 err = l2cap_config_req(conn, cmd, cmd_len, data);
4745 break;
4746
4747 case L2CAP_CONF_RSP:
4748 l2cap_config_rsp(conn, cmd, cmd_len, data);
4749 break;
4750
4751 case L2CAP_DISCONN_REQ:
4752 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
4753 break;
4754
4755 case L2CAP_DISCONN_RSP:
4756 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
4757 break;
4758
4759 case L2CAP_ECHO_REQ:
4760 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
4761 break;
4762
4763 case L2CAP_ECHO_RSP:
4764 break;
4765
4766 case L2CAP_INFO_REQ:
4767 err = l2cap_information_req(conn, cmd, cmd_len, data);
4768 break;
4769
4770 case L2CAP_INFO_RSP:
4771 l2cap_information_rsp(conn, cmd, cmd_len, data);
4772 break;
4773
4774 default:
4775 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
4776 err = -EINVAL;
4777 break;
4778 }
4779
4780 return err;
4781 }
4782
l2cap_le_connect_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4783 static int l2cap_le_connect_req(struct l2cap_conn *conn,
4784 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4785 u8 *data)
4786 {
4787 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
4788 struct l2cap_le_conn_rsp rsp;
4789 struct l2cap_chan *chan, *pchan;
4790 u16 dcid, scid, credits, mtu, mps;
4791 __le16 psm;
4792 u8 result;
4793
4794 if (cmd_len != sizeof(*req))
4795 return -EPROTO;
4796
4797 scid = __le16_to_cpu(req->scid);
4798 mtu = __le16_to_cpu(req->mtu);
4799 mps = __le16_to_cpu(req->mps);
4800 psm = req->psm;
4801 dcid = 0;
4802 credits = 0;
4803
4804 if (mtu < 23 || mps < 23)
4805 return -EPROTO;
4806
4807 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
4808 scid, mtu, mps);
4809
4810 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
4811 * page 1059:
4812 *
4813 * Valid range: 0x0001-0x00ff
4814 *
4815 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
4816 */
4817 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
4818 result = L2CAP_CR_LE_BAD_PSM;
4819 chan = NULL;
4820 goto response;
4821 }
4822
4823 /* Check if we have socket listening on psm */
4824 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4825 &conn->hcon->dst, LE_LINK);
4826 if (!pchan) {
4827 result = L2CAP_CR_LE_BAD_PSM;
4828 chan = NULL;
4829 goto response;
4830 }
4831
4832 l2cap_chan_lock(pchan);
4833
4834 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
4835 SMP_ALLOW_STK)) {
4836 result = pchan->sec_level == BT_SECURITY_MEDIUM ?
4837 L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION;
4838 chan = NULL;
4839 goto response_unlock;
4840 }
4841
4842 /* Check for valid dynamic CID range */
4843 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
4844 result = L2CAP_CR_LE_INVALID_SCID;
4845 chan = NULL;
4846 goto response_unlock;
4847 }
4848
4849 /* Check if we already have channel with that dcid */
4850 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4851 result = L2CAP_CR_LE_SCID_IN_USE;
4852 chan = NULL;
4853 goto response_unlock;
4854 }
4855
4856 chan = pchan->ops->new_connection(pchan);
4857 if (!chan) {
4858 result = L2CAP_CR_LE_NO_MEM;
4859 goto response_unlock;
4860 }
4861
4862 bacpy(&chan->src, &conn->hcon->src);
4863 bacpy(&chan->dst, &conn->hcon->dst);
4864 chan->src_type = bdaddr_src_type(conn->hcon);
4865 chan->dst_type = bdaddr_dst_type(conn->hcon);
4866 chan->psm = psm;
4867 chan->dcid = scid;
4868 chan->omtu = mtu;
4869 chan->remote_mps = mps;
4870
4871 __l2cap_chan_add(conn, chan);
4872
4873 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
4874
4875 dcid = chan->scid;
4876 credits = chan->rx_credits;
4877
4878 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4879
4880 chan->ident = cmd->ident;
4881
4882 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4883 l2cap_state_change(chan, BT_CONNECT2);
4884 /* The following result value is actually not defined
4885 * for LE CoC but we use it to let the function know
4886 * that it should bail out after doing its cleanup
4887 * instead of sending a response.
4888 */
4889 result = L2CAP_CR_PEND;
4890 chan->ops->defer(chan);
4891 } else {
4892 l2cap_chan_ready(chan);
4893 result = L2CAP_CR_LE_SUCCESS;
4894 }
4895
4896 response_unlock:
4897 l2cap_chan_unlock(pchan);
4898 l2cap_chan_put(pchan);
4899
4900 if (result == L2CAP_CR_PEND)
4901 return 0;
4902
4903 response:
4904 if (chan) {
4905 rsp.mtu = cpu_to_le16(chan->imtu);
4906 rsp.mps = cpu_to_le16(chan->mps);
4907 } else {
4908 rsp.mtu = 0;
4909 rsp.mps = 0;
4910 }
4911
4912 rsp.dcid = cpu_to_le16(dcid);
4913 rsp.credits = cpu_to_le16(credits);
4914 rsp.result = cpu_to_le16(result);
4915
4916 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
4917
4918 return 0;
4919 }
4920
l2cap_le_credits(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4921 static inline int l2cap_le_credits(struct l2cap_conn *conn,
4922 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4923 u8 *data)
4924 {
4925 struct l2cap_le_credits *pkt;
4926 struct l2cap_chan *chan;
4927 u16 cid, credits, max_credits;
4928
4929 if (cmd_len != sizeof(*pkt))
4930 return -EPROTO;
4931
4932 pkt = (struct l2cap_le_credits *) data;
4933 cid = __le16_to_cpu(pkt->cid);
4934 credits = __le16_to_cpu(pkt->credits);
4935
4936 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
4937
4938 chan = l2cap_get_chan_by_dcid(conn, cid);
4939 if (!chan)
4940 return -EBADSLT;
4941
4942 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
4943 if (credits > max_credits) {
4944 BT_ERR("LE credits overflow");
4945 l2cap_send_disconn_req(chan, ECONNRESET);
4946
4947 /* Return 0 so that we don't trigger an unnecessary
4948 * command reject packet.
4949 */
4950 goto unlock;
4951 }
4952
4953 chan->tx_credits += credits;
4954
4955 /* Resume sending */
4956 l2cap_le_flowctl_send(chan);
4957
4958 if (chan->tx_credits)
4959 chan->ops->resume(chan);
4960
4961 unlock:
4962 l2cap_chan_unlock(chan);
4963 l2cap_chan_put(chan);
4964
4965 return 0;
4966 }
4967
l2cap_ecred_conn_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)4968 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
4969 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4970 u8 *data)
4971 {
4972 struct l2cap_ecred_conn_req *req = (void *) data;
4973 struct {
4974 struct l2cap_ecred_conn_rsp rsp;
4975 __le16 dcid[L2CAP_ECRED_MAX_CID];
4976 } __packed pdu;
4977 struct l2cap_chan *chan, *pchan;
4978 u16 mtu, mps;
4979 __le16 psm;
4980 u8 result, len = 0;
4981 int i, num_scid;
4982 bool defer = false;
4983
4984 if (!enable_ecred)
4985 return -EINVAL;
4986
4987 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
4988 result = L2CAP_CR_LE_INVALID_PARAMS;
4989 goto response;
4990 }
4991
4992 cmd_len -= sizeof(*req);
4993 num_scid = cmd_len / sizeof(u16);
4994
4995 if (num_scid > ARRAY_SIZE(pdu.dcid)) {
4996 result = L2CAP_CR_LE_INVALID_PARAMS;
4997 goto response;
4998 }
4999
5000 mtu = __le16_to_cpu(req->mtu);
5001 mps = __le16_to_cpu(req->mps);
5002
5003 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5004 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5005 goto response;
5006 }
5007
5008 psm = req->psm;
5009
5010 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
5011 * page 1059:
5012 *
5013 * Valid range: 0x0001-0x00ff
5014 *
5015 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
5016 */
5017 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
5018 result = L2CAP_CR_LE_BAD_PSM;
5019 goto response;
5020 }
5021
5022 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5023
5024 memset(&pdu, 0, sizeof(pdu));
5025
5026 /* Check if we have socket listening on psm */
5027 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5028 &conn->hcon->dst, LE_LINK);
5029 if (!pchan) {
5030 result = L2CAP_CR_LE_BAD_PSM;
5031 goto response;
5032 }
5033
5034 l2cap_chan_lock(pchan);
5035
5036 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5037 SMP_ALLOW_STK)) {
5038 result = L2CAP_CR_LE_AUTHENTICATION;
5039 goto unlock;
5040 }
5041
5042 result = L2CAP_CR_LE_SUCCESS;
5043
5044 for (i = 0; i < num_scid; i++) {
5045 u16 scid = __le16_to_cpu(req->scid[i]);
5046
5047 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5048
5049 pdu.dcid[i] = 0x0000;
5050 len += sizeof(*pdu.dcid);
5051
5052 /* Check for valid dynamic CID range */
5053 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5054 result = L2CAP_CR_LE_INVALID_SCID;
5055 continue;
5056 }
5057
5058 /* Check if we already have channel with that dcid */
5059 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5060 result = L2CAP_CR_LE_SCID_IN_USE;
5061 continue;
5062 }
5063
5064 chan = pchan->ops->new_connection(pchan);
5065 if (!chan) {
5066 result = L2CAP_CR_LE_NO_MEM;
5067 continue;
5068 }
5069
5070 bacpy(&chan->src, &conn->hcon->src);
5071 bacpy(&chan->dst, &conn->hcon->dst);
5072 chan->src_type = bdaddr_src_type(conn->hcon);
5073 chan->dst_type = bdaddr_dst_type(conn->hcon);
5074 chan->psm = psm;
5075 chan->dcid = scid;
5076 chan->omtu = mtu;
5077 chan->remote_mps = mps;
5078
5079 __l2cap_chan_add(conn, chan);
5080
5081 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
5082
5083 /* Init response */
5084 if (!pdu.rsp.credits) {
5085 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
5086 pdu.rsp.mps = cpu_to_le16(chan->mps);
5087 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
5088 }
5089
5090 pdu.dcid[i] = cpu_to_le16(chan->scid);
5091
5092 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5093
5094 chan->ident = cmd->ident;
5095 chan->mode = L2CAP_MODE_EXT_FLOWCTL;
5096
5097 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5098 l2cap_state_change(chan, BT_CONNECT2);
5099 defer = true;
5100 chan->ops->defer(chan);
5101 } else {
5102 l2cap_chan_ready(chan);
5103 }
5104 }
5105
5106 unlock:
5107 l2cap_chan_unlock(pchan);
5108 l2cap_chan_put(pchan);
5109
5110 response:
5111 pdu.rsp.result = cpu_to_le16(result);
5112
5113 if (defer)
5114 return 0;
5115
5116 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
5117 sizeof(pdu.rsp) + len, &pdu);
5118
5119 return 0;
5120 }
5121
l2cap_ecred_conn_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5122 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
5123 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5124 u8 *data)
5125 {
5126 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
5127 struct hci_conn *hcon = conn->hcon;
5128 u16 mtu, mps, credits, result;
5129 struct l2cap_chan *chan, *tmp;
5130 int err = 0, sec_level;
5131 int i = 0;
5132
5133 if (cmd_len < sizeof(*rsp))
5134 return -EPROTO;
5135
5136 mtu = __le16_to_cpu(rsp->mtu);
5137 mps = __le16_to_cpu(rsp->mps);
5138 credits = __le16_to_cpu(rsp->credits);
5139 result = __le16_to_cpu(rsp->result);
5140
5141 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
5142 result);
5143
5144 cmd_len -= sizeof(*rsp);
5145
5146 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
5147 u16 dcid;
5148
5149 if (chan->ident != cmd->ident ||
5150 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
5151 chan->state == BT_CONNECTED)
5152 continue;
5153
5154 l2cap_chan_lock(chan);
5155
5156 /* Check that there is a dcid for each pending channel */
5157 if (cmd_len < sizeof(dcid)) {
5158 l2cap_chan_del(chan, ECONNREFUSED);
5159 l2cap_chan_unlock(chan);
5160 continue;
5161 }
5162
5163 dcid = __le16_to_cpu(rsp->dcid[i++]);
5164 cmd_len -= sizeof(u16);
5165
5166 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
5167
5168 /* Check if dcid is already in use */
5169 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
5170 /* If a device receives a
5171 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
5172 * already-assigned Destination CID, then both the
5173 * original channel and the new channel shall be
5174 * immediately discarded and not used.
5175 */
5176 l2cap_chan_del(chan, ECONNREFUSED);
5177 l2cap_chan_unlock(chan);
5178 chan = __l2cap_get_chan_by_dcid(conn, dcid);
5179 l2cap_chan_lock(chan);
5180 l2cap_chan_del(chan, ECONNRESET);
5181 l2cap_chan_unlock(chan);
5182 continue;
5183 }
5184
5185 switch (result) {
5186 case L2CAP_CR_LE_AUTHENTICATION:
5187 case L2CAP_CR_LE_ENCRYPTION:
5188 /* If we already have MITM protection we can't do
5189 * anything.
5190 */
5191 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5192 l2cap_chan_del(chan, ECONNREFUSED);
5193 break;
5194 }
5195
5196 sec_level = hcon->sec_level + 1;
5197 if (chan->sec_level < sec_level)
5198 chan->sec_level = sec_level;
5199
5200 /* We'll need to send a new Connect Request */
5201 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
5202
5203 smp_conn_security(hcon, chan->sec_level);
5204 break;
5205
5206 case L2CAP_CR_LE_BAD_PSM:
5207 l2cap_chan_del(chan, ECONNREFUSED);
5208 break;
5209
5210 default:
5211 /* If dcid was not set it means channels was refused */
5212 if (!dcid) {
5213 l2cap_chan_del(chan, ECONNREFUSED);
5214 break;
5215 }
5216
5217 chan->ident = 0;
5218 chan->dcid = dcid;
5219 chan->omtu = mtu;
5220 chan->remote_mps = mps;
5221 chan->tx_credits = credits;
5222 l2cap_chan_ready(chan);
5223 break;
5224 }
5225
5226 l2cap_chan_unlock(chan);
5227 }
5228
5229 return err;
5230 }
5231
l2cap_ecred_reconf_req(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5232 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
5233 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5234 u8 *data)
5235 {
5236 struct l2cap_ecred_reconf_req *req = (void *) data;
5237 struct l2cap_ecred_reconf_rsp rsp;
5238 u16 mtu, mps, result;
5239 struct l2cap_chan *chan;
5240 int i, num_scid;
5241
5242 if (!enable_ecred)
5243 return -EINVAL;
5244
5245 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
5246 result = L2CAP_CR_LE_INVALID_PARAMS;
5247 goto respond;
5248 }
5249
5250 mtu = __le16_to_cpu(req->mtu);
5251 mps = __le16_to_cpu(req->mps);
5252
5253 BT_DBG("mtu %u mps %u", mtu, mps);
5254
5255 if (mtu < L2CAP_ECRED_MIN_MTU) {
5256 result = L2CAP_RECONF_INVALID_MTU;
5257 goto respond;
5258 }
5259
5260 if (mps < L2CAP_ECRED_MIN_MPS) {
5261 result = L2CAP_RECONF_INVALID_MPS;
5262 goto respond;
5263 }
5264
5265 cmd_len -= sizeof(*req);
5266 num_scid = cmd_len / sizeof(u16);
5267 result = L2CAP_RECONF_SUCCESS;
5268
5269 for (i = 0; i < num_scid; i++) {
5270 u16 scid;
5271
5272 scid = __le16_to_cpu(req->scid[i]);
5273 if (!scid)
5274 return -EPROTO;
5275
5276 chan = __l2cap_get_chan_by_dcid(conn, scid);
5277 if (!chan)
5278 continue;
5279
5280 /* If the MTU value is decreased for any of the included
5281 * channels, then the receiver shall disconnect all
5282 * included channels.
5283 */
5284 if (chan->omtu > mtu) {
5285 BT_ERR("chan %p decreased MTU %u -> %u", chan,
5286 chan->omtu, mtu);
5287 result = L2CAP_RECONF_INVALID_MTU;
5288 }
5289
5290 chan->omtu = mtu;
5291 chan->remote_mps = mps;
5292 }
5293
5294 respond:
5295 rsp.result = cpu_to_le16(result);
5296
5297 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
5298 &rsp);
5299
5300 return 0;
5301 }
5302
l2cap_ecred_reconf_rsp(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5303 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
5304 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5305 u8 *data)
5306 {
5307 struct l2cap_chan *chan, *tmp;
5308 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
5309 u16 result;
5310
5311 if (cmd_len < sizeof(*rsp))
5312 return -EPROTO;
5313
5314 result = __le16_to_cpu(rsp->result);
5315
5316 BT_DBG("result 0x%4.4x", rsp->result);
5317
5318 if (!result)
5319 return 0;
5320
5321 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
5322 if (chan->ident != cmd->ident)
5323 continue;
5324
5325 l2cap_chan_del(chan, ECONNRESET);
5326 }
5327
5328 return 0;
5329 }
5330
l2cap_le_command_rej(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5331 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5332 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5333 u8 *data)
5334 {
5335 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5336 struct l2cap_chan *chan;
5337
5338 if (cmd_len < sizeof(*rej))
5339 return -EPROTO;
5340
5341 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5342 if (!chan)
5343 goto done;
5344
5345 chan = l2cap_chan_hold_unless_zero(chan);
5346 if (!chan)
5347 goto done;
5348
5349 l2cap_chan_lock(chan);
5350 l2cap_chan_del(chan, ECONNREFUSED);
5351 l2cap_chan_unlock(chan);
5352 l2cap_chan_put(chan);
5353
5354 done:
5355 return 0;
5356 }
5357
l2cap_le_sig_cmd(struct l2cap_conn * conn,struct l2cap_cmd_hdr * cmd,u16 cmd_len,u8 * data)5358 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5359 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5360 u8 *data)
5361 {
5362 int err = 0;
5363
5364 switch (cmd->code) {
5365 case L2CAP_COMMAND_REJ:
5366 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5367 break;
5368
5369 case L2CAP_CONN_PARAM_UPDATE_REQ:
5370 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5371 break;
5372
5373 case L2CAP_CONN_PARAM_UPDATE_RSP:
5374 break;
5375
5376 case L2CAP_LE_CONN_RSP:
5377 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5378 break;
5379
5380 case L2CAP_LE_CONN_REQ:
5381 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5382 break;
5383
5384 case L2CAP_LE_CREDITS:
5385 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5386 break;
5387
5388 case L2CAP_ECRED_CONN_REQ:
5389 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
5390 break;
5391
5392 case L2CAP_ECRED_CONN_RSP:
5393 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
5394 break;
5395
5396 case L2CAP_ECRED_RECONF_REQ:
5397 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
5398 break;
5399
5400 case L2CAP_ECRED_RECONF_RSP:
5401 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
5402 break;
5403
5404 case L2CAP_DISCONN_REQ:
5405 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5406 break;
5407
5408 case L2CAP_DISCONN_RSP:
5409 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5410 break;
5411
5412 default:
5413 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5414 err = -EINVAL;
5415 break;
5416 }
5417
5418 return err;
5419 }
5420
l2cap_le_sig_channel(struct l2cap_conn * conn,struct sk_buff * skb)5421 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5422 struct sk_buff *skb)
5423 {
5424 struct hci_conn *hcon = conn->hcon;
5425 struct l2cap_cmd_hdr *cmd;
5426 u16 len;
5427 int err;
5428
5429 if (hcon->type != LE_LINK)
5430 goto drop;
5431
5432 if (skb->len < L2CAP_CMD_HDR_SIZE)
5433 goto drop;
5434
5435 cmd = (void *) skb->data;
5436 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5437
5438 len = le16_to_cpu(cmd->len);
5439
5440 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5441
5442 if (len != skb->len || !cmd->ident) {
5443 BT_DBG("corrupted command");
5444 goto drop;
5445 }
5446
5447 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5448 if (err) {
5449 struct l2cap_cmd_rej_unk rej;
5450
5451 BT_ERR("Wrong link type (%d)", err);
5452
5453 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5454 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5455 sizeof(rej), &rej);
5456 }
5457
5458 drop:
5459 kfree_skb(skb);
5460 }
5461
l2cap_sig_send_rej(struct l2cap_conn * conn,u16 ident)5462 static inline void l2cap_sig_send_rej(struct l2cap_conn *conn, u16 ident)
5463 {
5464 struct l2cap_cmd_rej_unk rej;
5465
5466 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5467 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
5468 }
5469
l2cap_sig_channel(struct l2cap_conn * conn,struct sk_buff * skb)5470 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5471 struct sk_buff *skb)
5472 {
5473 struct hci_conn *hcon = conn->hcon;
5474 struct l2cap_cmd_hdr *cmd;
5475 int err;
5476
5477 l2cap_raw_recv(conn, skb);
5478
5479 if (hcon->type != ACL_LINK)
5480 goto drop;
5481
5482 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
5483 u16 len;
5484
5485 cmd = (void *) skb->data;
5486 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5487
5488 len = le16_to_cpu(cmd->len);
5489
5490 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
5491 cmd->ident);
5492
5493 if (len > skb->len || !cmd->ident) {
5494 BT_DBG("corrupted command");
5495 l2cap_sig_send_rej(conn, cmd->ident);
5496 skb_pull(skb, len > skb->len ? skb->len : len);
5497 continue;
5498 }
5499
5500 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
5501 if (err) {
5502 BT_ERR("Wrong link type (%d)", err);
5503 l2cap_sig_send_rej(conn, cmd->ident);
5504 }
5505
5506 skb_pull(skb, len);
5507 }
5508
5509 if (skb->len > 0) {
5510 BT_DBG("corrupted command");
5511 l2cap_sig_send_rej(conn, 0);
5512 }
5513
5514 drop:
5515 kfree_skb(skb);
5516 }
5517
l2cap_check_fcs(struct l2cap_chan * chan,struct sk_buff * skb)5518 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5519 {
5520 u16 our_fcs, rcv_fcs;
5521 int hdr_size;
5522
5523 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5524 hdr_size = L2CAP_EXT_HDR_SIZE;
5525 else
5526 hdr_size = L2CAP_ENH_HDR_SIZE;
5527
5528 if (chan->fcs == L2CAP_FCS_CRC16) {
5529 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5530 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5531 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5532
5533 if (our_fcs != rcv_fcs)
5534 return -EBADMSG;
5535 }
5536 return 0;
5537 }
5538
l2cap_send_i_or_rr_or_rnr(struct l2cap_chan * chan)5539 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5540 {
5541 struct l2cap_ctrl control;
5542
5543 BT_DBG("chan %p", chan);
5544
5545 memset(&control, 0, sizeof(control));
5546 control.sframe = 1;
5547 control.final = 1;
5548 control.reqseq = chan->buffer_seq;
5549 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5550
5551 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5552 control.super = L2CAP_SUPER_RNR;
5553 l2cap_send_sframe(chan, &control);
5554 }
5555
5556 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5557 chan->unacked_frames > 0)
5558 __set_retrans_timer(chan);
5559
5560 /* Send pending iframes */
5561 l2cap_ertm_send(chan);
5562
5563 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5564 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5565 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5566 * send it now.
5567 */
5568 control.super = L2CAP_SUPER_RR;
5569 l2cap_send_sframe(chan, &control);
5570 }
5571 }
5572
append_skb_frag(struct sk_buff * skb,struct sk_buff * new_frag,struct sk_buff ** last_frag)5573 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5574 struct sk_buff **last_frag)
5575 {
5576 /* skb->len reflects data in skb as well as all fragments
5577 * skb->data_len reflects only data in fragments
5578 */
5579 if (!skb_has_frag_list(skb))
5580 skb_shinfo(skb)->frag_list = new_frag;
5581
5582 new_frag->next = NULL;
5583
5584 (*last_frag)->next = new_frag;
5585 *last_frag = new_frag;
5586
5587 skb->len += new_frag->len;
5588 skb->data_len += new_frag->len;
5589 skb->truesize += new_frag->truesize;
5590 }
5591
l2cap_reassemble_sdu(struct l2cap_chan * chan,struct sk_buff * skb,struct l2cap_ctrl * control)5592 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5593 struct l2cap_ctrl *control)
5594 {
5595 int err = -EINVAL;
5596
5597 switch (control->sar) {
5598 case L2CAP_SAR_UNSEGMENTED:
5599 if (chan->sdu)
5600 break;
5601
5602 err = chan->ops->recv(chan, skb);
5603 break;
5604
5605 case L2CAP_SAR_START:
5606 if (chan->sdu)
5607 break;
5608
5609 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5610 break;
5611
5612 chan->sdu_len = get_unaligned_le16(skb->data);
5613 skb_pull(skb, L2CAP_SDULEN_SIZE);
5614
5615 if (chan->sdu_len > chan->imtu) {
5616 err = -EMSGSIZE;
5617 break;
5618 }
5619
5620 if (skb->len >= chan->sdu_len)
5621 break;
5622
5623 chan->sdu = skb;
5624 chan->sdu_last_frag = skb;
5625
5626 skb = NULL;
5627 err = 0;
5628 break;
5629
5630 case L2CAP_SAR_CONTINUE:
5631 if (!chan->sdu)
5632 break;
5633
5634 append_skb_frag(chan->sdu, skb,
5635 &chan->sdu_last_frag);
5636 skb = NULL;
5637
5638 if (chan->sdu->len >= chan->sdu_len)
5639 break;
5640
5641 err = 0;
5642 break;
5643
5644 case L2CAP_SAR_END:
5645 if (!chan->sdu)
5646 break;
5647
5648 append_skb_frag(chan->sdu, skb,
5649 &chan->sdu_last_frag);
5650 skb = NULL;
5651
5652 if (chan->sdu->len != chan->sdu_len)
5653 break;
5654
5655 err = chan->ops->recv(chan, chan->sdu);
5656
5657 if (!err) {
5658 /* Reassembly complete */
5659 chan->sdu = NULL;
5660 chan->sdu_last_frag = NULL;
5661 chan->sdu_len = 0;
5662 }
5663 break;
5664 }
5665
5666 if (err) {
5667 kfree_skb(skb);
5668 kfree_skb(chan->sdu);
5669 chan->sdu = NULL;
5670 chan->sdu_last_frag = NULL;
5671 chan->sdu_len = 0;
5672 }
5673
5674 return err;
5675 }
5676
l2cap_resegment(struct l2cap_chan * chan)5677 static int l2cap_resegment(struct l2cap_chan *chan)
5678 {
5679 /* Placeholder */
5680 return 0;
5681 }
5682
l2cap_chan_busy(struct l2cap_chan * chan,int busy)5683 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5684 {
5685 u8 event;
5686
5687 if (chan->mode != L2CAP_MODE_ERTM)
5688 return;
5689
5690 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5691 l2cap_tx(chan, NULL, NULL, event);
5692 }
5693
l2cap_rx_queued_iframes(struct l2cap_chan * chan)5694 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5695 {
5696 int err = 0;
5697 /* Pass sequential frames to l2cap_reassemble_sdu()
5698 * until a gap is encountered.
5699 */
5700
5701 BT_DBG("chan %p", chan);
5702
5703 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5704 struct sk_buff *skb;
5705 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5706 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5707
5708 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5709
5710 if (!skb)
5711 break;
5712
5713 skb_unlink(skb, &chan->srej_q);
5714 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5715 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5716 if (err)
5717 break;
5718 }
5719
5720 if (skb_queue_empty(&chan->srej_q)) {
5721 chan->rx_state = L2CAP_RX_STATE_RECV;
5722 l2cap_send_ack(chan);
5723 }
5724
5725 return err;
5726 }
5727
l2cap_handle_srej(struct l2cap_chan * chan,struct l2cap_ctrl * control)5728 static void l2cap_handle_srej(struct l2cap_chan *chan,
5729 struct l2cap_ctrl *control)
5730 {
5731 struct sk_buff *skb;
5732
5733 BT_DBG("chan %p, control %p", chan, control);
5734
5735 if (control->reqseq == chan->next_tx_seq) {
5736 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5737 l2cap_send_disconn_req(chan, ECONNRESET);
5738 return;
5739 }
5740
5741 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5742
5743 if (skb == NULL) {
5744 BT_DBG("Seq %d not available for retransmission",
5745 control->reqseq);
5746 return;
5747 }
5748
5749 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5750 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5751 l2cap_send_disconn_req(chan, ECONNRESET);
5752 return;
5753 }
5754
5755 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5756
5757 if (control->poll) {
5758 l2cap_pass_to_tx(chan, control);
5759
5760 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5761 l2cap_retransmit(chan, control);
5762 l2cap_ertm_send(chan);
5763
5764 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5765 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5766 chan->srej_save_reqseq = control->reqseq;
5767 }
5768 } else {
5769 l2cap_pass_to_tx_fbit(chan, control);
5770
5771 if (control->final) {
5772 if (chan->srej_save_reqseq != control->reqseq ||
5773 !test_and_clear_bit(CONN_SREJ_ACT,
5774 &chan->conn_state))
5775 l2cap_retransmit(chan, control);
5776 } else {
5777 l2cap_retransmit(chan, control);
5778 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5779 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5780 chan->srej_save_reqseq = control->reqseq;
5781 }
5782 }
5783 }
5784 }
5785
l2cap_handle_rej(struct l2cap_chan * chan,struct l2cap_ctrl * control)5786 static void l2cap_handle_rej(struct l2cap_chan *chan,
5787 struct l2cap_ctrl *control)
5788 {
5789 struct sk_buff *skb;
5790
5791 BT_DBG("chan %p, control %p", chan, control);
5792
5793 if (control->reqseq == chan->next_tx_seq) {
5794 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5795 l2cap_send_disconn_req(chan, ECONNRESET);
5796 return;
5797 }
5798
5799 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5800
5801 if (chan->max_tx && skb &&
5802 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5803 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5804 l2cap_send_disconn_req(chan, ECONNRESET);
5805 return;
5806 }
5807
5808 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5809
5810 l2cap_pass_to_tx(chan, control);
5811
5812 if (control->final) {
5813 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5814 l2cap_retransmit_all(chan, control);
5815 } else {
5816 l2cap_retransmit_all(chan, control);
5817 l2cap_ertm_send(chan);
5818 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5819 set_bit(CONN_REJ_ACT, &chan->conn_state);
5820 }
5821 }
5822
l2cap_classify_txseq(struct l2cap_chan * chan,u16 txseq)5823 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5824 {
5825 BT_DBG("chan %p, txseq %d", chan, txseq);
5826
5827 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5828 chan->expected_tx_seq);
5829
5830 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5831 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5832 chan->tx_win) {
5833 /* See notes below regarding "double poll" and
5834 * invalid packets.
5835 */
5836 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5837 BT_DBG("Invalid/Ignore - after SREJ");
5838 return L2CAP_TXSEQ_INVALID_IGNORE;
5839 } else {
5840 BT_DBG("Invalid - in window after SREJ sent");
5841 return L2CAP_TXSEQ_INVALID;
5842 }
5843 }
5844
5845 if (chan->srej_list.head == txseq) {
5846 BT_DBG("Expected SREJ");
5847 return L2CAP_TXSEQ_EXPECTED_SREJ;
5848 }
5849
5850 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5851 BT_DBG("Duplicate SREJ - txseq already stored");
5852 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5853 }
5854
5855 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5856 BT_DBG("Unexpected SREJ - not requested");
5857 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5858 }
5859 }
5860
5861 if (chan->expected_tx_seq == txseq) {
5862 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5863 chan->tx_win) {
5864 BT_DBG("Invalid - txseq outside tx window");
5865 return L2CAP_TXSEQ_INVALID;
5866 } else {
5867 BT_DBG("Expected");
5868 return L2CAP_TXSEQ_EXPECTED;
5869 }
5870 }
5871
5872 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
5873 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
5874 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5875 return L2CAP_TXSEQ_DUPLICATE;
5876 }
5877
5878 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5879 /* A source of invalid packets is a "double poll" condition,
5880 * where delays cause us to send multiple poll packets. If
5881 * the remote stack receives and processes both polls,
5882 * sequence numbers can wrap around in such a way that a
5883 * resent frame has a sequence number that looks like new data
5884 * with a sequence gap. This would trigger an erroneous SREJ
5885 * request.
5886 *
5887 * Fortunately, this is impossible with a tx window that's
5888 * less than half of the maximum sequence number, which allows
5889 * invalid frames to be safely ignored.
5890 *
5891 * With tx window sizes greater than half of the tx window
5892 * maximum, the frame is invalid and cannot be ignored. This
5893 * causes a disconnect.
5894 */
5895
5896 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5897 BT_DBG("Invalid/Ignore - txseq outside tx window");
5898 return L2CAP_TXSEQ_INVALID_IGNORE;
5899 } else {
5900 BT_DBG("Invalid - txseq outside tx window");
5901 return L2CAP_TXSEQ_INVALID;
5902 }
5903 } else {
5904 BT_DBG("Unexpected - txseq indicates missing frames");
5905 return L2CAP_TXSEQ_UNEXPECTED;
5906 }
5907 }
5908
l2cap_rx_state_recv(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)5909 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5910 struct l2cap_ctrl *control,
5911 struct sk_buff *skb, u8 event)
5912 {
5913 struct l2cap_ctrl local_control;
5914 int err = 0;
5915 bool skb_in_use = false;
5916
5917 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5918 event);
5919
5920 switch (event) {
5921 case L2CAP_EV_RECV_IFRAME:
5922 switch (l2cap_classify_txseq(chan, control->txseq)) {
5923 case L2CAP_TXSEQ_EXPECTED:
5924 l2cap_pass_to_tx(chan, control);
5925
5926 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5927 BT_DBG("Busy, discarding expected seq %d",
5928 control->txseq);
5929 break;
5930 }
5931
5932 chan->expected_tx_seq = __next_seq(chan,
5933 control->txseq);
5934
5935 chan->buffer_seq = chan->expected_tx_seq;
5936 skb_in_use = true;
5937
5938 /* l2cap_reassemble_sdu may free skb, hence invalidate
5939 * control, so make a copy in advance to use it after
5940 * l2cap_reassemble_sdu returns and to avoid the race
5941 * condition, for example:
5942 *
5943 * The current thread calls:
5944 * l2cap_reassemble_sdu
5945 * chan->ops->recv == l2cap_sock_recv_cb
5946 * __sock_queue_rcv_skb
5947 * Another thread calls:
5948 * bt_sock_recvmsg
5949 * skb_recv_datagram
5950 * skb_free_datagram
5951 * Then the current thread tries to access control, but
5952 * it was freed by skb_free_datagram.
5953 */
5954 local_control = *control;
5955 err = l2cap_reassemble_sdu(chan, skb, control);
5956 if (err)
5957 break;
5958
5959 if (local_control.final) {
5960 if (!test_and_clear_bit(CONN_REJ_ACT,
5961 &chan->conn_state)) {
5962 local_control.final = 0;
5963 l2cap_retransmit_all(chan, &local_control);
5964 l2cap_ertm_send(chan);
5965 }
5966 }
5967
5968 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5969 l2cap_send_ack(chan);
5970 break;
5971 case L2CAP_TXSEQ_UNEXPECTED:
5972 l2cap_pass_to_tx(chan, control);
5973
5974 /* Can't issue SREJ frames in the local busy state.
5975 * Drop this frame, it will be seen as missing
5976 * when local busy is exited.
5977 */
5978 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5979 BT_DBG("Busy, discarding unexpected seq %d",
5980 control->txseq);
5981 break;
5982 }
5983
5984 /* There was a gap in the sequence, so an SREJ
5985 * must be sent for each missing frame. The
5986 * current frame is stored for later use.
5987 */
5988 skb_queue_tail(&chan->srej_q, skb);
5989 skb_in_use = true;
5990 BT_DBG("Queued %p (queue len %d)", skb,
5991 skb_queue_len(&chan->srej_q));
5992
5993 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5994 l2cap_seq_list_clear(&chan->srej_list);
5995 l2cap_send_srej(chan, control->txseq);
5996
5997 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5998 break;
5999 case L2CAP_TXSEQ_DUPLICATE:
6000 l2cap_pass_to_tx(chan, control);
6001 break;
6002 case L2CAP_TXSEQ_INVALID_IGNORE:
6003 break;
6004 case L2CAP_TXSEQ_INVALID:
6005 default:
6006 l2cap_send_disconn_req(chan, ECONNRESET);
6007 break;
6008 }
6009 break;
6010 case L2CAP_EV_RECV_RR:
6011 l2cap_pass_to_tx(chan, control);
6012 if (control->final) {
6013 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6014
6015 if (!test_and_clear_bit(CONN_REJ_ACT,
6016 &chan->conn_state)) {
6017 control->final = 0;
6018 l2cap_retransmit_all(chan, control);
6019 }
6020
6021 l2cap_ertm_send(chan);
6022 } else if (control->poll) {
6023 l2cap_send_i_or_rr_or_rnr(chan);
6024 } else {
6025 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6026 &chan->conn_state) &&
6027 chan->unacked_frames)
6028 __set_retrans_timer(chan);
6029
6030 l2cap_ertm_send(chan);
6031 }
6032 break;
6033 case L2CAP_EV_RECV_RNR:
6034 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6035 l2cap_pass_to_tx(chan, control);
6036 if (control && control->poll) {
6037 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6038 l2cap_send_rr_or_rnr(chan, 0);
6039 }
6040 __clear_retrans_timer(chan);
6041 l2cap_seq_list_clear(&chan->retrans_list);
6042 break;
6043 case L2CAP_EV_RECV_REJ:
6044 l2cap_handle_rej(chan, control);
6045 break;
6046 case L2CAP_EV_RECV_SREJ:
6047 l2cap_handle_srej(chan, control);
6048 break;
6049 default:
6050 break;
6051 }
6052
6053 if (skb && !skb_in_use) {
6054 BT_DBG("Freeing %p", skb);
6055 kfree_skb(skb);
6056 }
6057
6058 return err;
6059 }
6060
l2cap_rx_state_srej_sent(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)6061 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6062 struct l2cap_ctrl *control,
6063 struct sk_buff *skb, u8 event)
6064 {
6065 int err = 0;
6066 u16 txseq = control->txseq;
6067 bool skb_in_use = false;
6068
6069 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6070 event);
6071
6072 switch (event) {
6073 case L2CAP_EV_RECV_IFRAME:
6074 switch (l2cap_classify_txseq(chan, txseq)) {
6075 case L2CAP_TXSEQ_EXPECTED:
6076 /* Keep frame for reassembly later */
6077 l2cap_pass_to_tx(chan, control);
6078 skb_queue_tail(&chan->srej_q, skb);
6079 skb_in_use = true;
6080 BT_DBG("Queued %p (queue len %d)", skb,
6081 skb_queue_len(&chan->srej_q));
6082
6083 chan->expected_tx_seq = __next_seq(chan, txseq);
6084 break;
6085 case L2CAP_TXSEQ_EXPECTED_SREJ:
6086 l2cap_seq_list_pop(&chan->srej_list);
6087
6088 l2cap_pass_to_tx(chan, control);
6089 skb_queue_tail(&chan->srej_q, skb);
6090 skb_in_use = true;
6091 BT_DBG("Queued %p (queue len %d)", skb,
6092 skb_queue_len(&chan->srej_q));
6093
6094 err = l2cap_rx_queued_iframes(chan);
6095 if (err)
6096 break;
6097
6098 break;
6099 case L2CAP_TXSEQ_UNEXPECTED:
6100 /* Got a frame that can't be reassembled yet.
6101 * Save it for later, and send SREJs to cover
6102 * the missing frames.
6103 */
6104 skb_queue_tail(&chan->srej_q, skb);
6105 skb_in_use = true;
6106 BT_DBG("Queued %p (queue len %d)", skb,
6107 skb_queue_len(&chan->srej_q));
6108
6109 l2cap_pass_to_tx(chan, control);
6110 l2cap_send_srej(chan, control->txseq);
6111 break;
6112 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6113 /* This frame was requested with an SREJ, but
6114 * some expected retransmitted frames are
6115 * missing. Request retransmission of missing
6116 * SREJ'd frames.
6117 */
6118 skb_queue_tail(&chan->srej_q, skb);
6119 skb_in_use = true;
6120 BT_DBG("Queued %p (queue len %d)", skb,
6121 skb_queue_len(&chan->srej_q));
6122
6123 l2cap_pass_to_tx(chan, control);
6124 l2cap_send_srej_list(chan, control->txseq);
6125 break;
6126 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6127 /* We've already queued this frame. Drop this copy. */
6128 l2cap_pass_to_tx(chan, control);
6129 break;
6130 case L2CAP_TXSEQ_DUPLICATE:
6131 /* Expecting a later sequence number, so this frame
6132 * was already received. Ignore it completely.
6133 */
6134 break;
6135 case L2CAP_TXSEQ_INVALID_IGNORE:
6136 break;
6137 case L2CAP_TXSEQ_INVALID:
6138 default:
6139 l2cap_send_disconn_req(chan, ECONNRESET);
6140 break;
6141 }
6142 break;
6143 case L2CAP_EV_RECV_RR:
6144 l2cap_pass_to_tx(chan, control);
6145 if (control->final) {
6146 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6147
6148 if (!test_and_clear_bit(CONN_REJ_ACT,
6149 &chan->conn_state)) {
6150 control->final = 0;
6151 l2cap_retransmit_all(chan, control);
6152 }
6153
6154 l2cap_ertm_send(chan);
6155 } else if (control->poll) {
6156 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6157 &chan->conn_state) &&
6158 chan->unacked_frames) {
6159 __set_retrans_timer(chan);
6160 }
6161
6162 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6163 l2cap_send_srej_tail(chan);
6164 } else {
6165 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6166 &chan->conn_state) &&
6167 chan->unacked_frames)
6168 __set_retrans_timer(chan);
6169
6170 l2cap_send_ack(chan);
6171 }
6172 break;
6173 case L2CAP_EV_RECV_RNR:
6174 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6175 l2cap_pass_to_tx(chan, control);
6176 if (control->poll) {
6177 l2cap_send_srej_tail(chan);
6178 } else {
6179 struct l2cap_ctrl rr_control;
6180 memset(&rr_control, 0, sizeof(rr_control));
6181 rr_control.sframe = 1;
6182 rr_control.super = L2CAP_SUPER_RR;
6183 rr_control.reqseq = chan->buffer_seq;
6184 l2cap_send_sframe(chan, &rr_control);
6185 }
6186
6187 break;
6188 case L2CAP_EV_RECV_REJ:
6189 l2cap_handle_rej(chan, control);
6190 break;
6191 case L2CAP_EV_RECV_SREJ:
6192 l2cap_handle_srej(chan, control);
6193 break;
6194 }
6195
6196 if (skb && !skb_in_use) {
6197 BT_DBG("Freeing %p", skb);
6198 kfree_skb(skb);
6199 }
6200
6201 return err;
6202 }
6203
l2cap_finish_move(struct l2cap_chan * chan)6204 static int l2cap_finish_move(struct l2cap_chan *chan)
6205 {
6206 BT_DBG("chan %p", chan);
6207
6208 chan->rx_state = L2CAP_RX_STATE_RECV;
6209 chan->conn->mtu = chan->conn->hcon->mtu;
6210
6211 return l2cap_resegment(chan);
6212 }
6213
l2cap_rx_state_wait_p(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)6214 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6215 struct l2cap_ctrl *control,
6216 struct sk_buff *skb, u8 event)
6217 {
6218 int err;
6219
6220 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6221 event);
6222
6223 if (!control->poll)
6224 return -EPROTO;
6225
6226 l2cap_process_reqseq(chan, control->reqseq);
6227
6228 if (!skb_queue_empty(&chan->tx_q))
6229 chan->tx_send_head = skb_peek(&chan->tx_q);
6230 else
6231 chan->tx_send_head = NULL;
6232
6233 /* Rewind next_tx_seq to the point expected
6234 * by the receiver.
6235 */
6236 chan->next_tx_seq = control->reqseq;
6237 chan->unacked_frames = 0;
6238
6239 err = l2cap_finish_move(chan);
6240 if (err)
6241 return err;
6242
6243 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6244 l2cap_send_i_or_rr_or_rnr(chan);
6245
6246 if (event == L2CAP_EV_RECV_IFRAME)
6247 return -EPROTO;
6248
6249 return l2cap_rx_state_recv(chan, control, NULL, event);
6250 }
6251
l2cap_rx_state_wait_f(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)6252 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6253 struct l2cap_ctrl *control,
6254 struct sk_buff *skb, u8 event)
6255 {
6256 int err;
6257
6258 if (!control->final)
6259 return -EPROTO;
6260
6261 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6262
6263 chan->rx_state = L2CAP_RX_STATE_RECV;
6264 l2cap_process_reqseq(chan, control->reqseq);
6265
6266 if (!skb_queue_empty(&chan->tx_q))
6267 chan->tx_send_head = skb_peek(&chan->tx_q);
6268 else
6269 chan->tx_send_head = NULL;
6270
6271 /* Rewind next_tx_seq to the point expected
6272 * by the receiver.
6273 */
6274 chan->next_tx_seq = control->reqseq;
6275 chan->unacked_frames = 0;
6276 chan->conn->mtu = chan->conn->hcon->mtu;
6277
6278 err = l2cap_resegment(chan);
6279
6280 if (!err)
6281 err = l2cap_rx_state_recv(chan, control, skb, event);
6282
6283 return err;
6284 }
6285
__valid_reqseq(struct l2cap_chan * chan,u16 reqseq)6286 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6287 {
6288 /* Make sure reqseq is for a packet that has been sent but not acked */
6289 u16 unacked;
6290
6291 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6292 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6293 }
6294
l2cap_rx(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb,u8 event)6295 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6296 struct sk_buff *skb, u8 event)
6297 {
6298 int err = 0;
6299
6300 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6301 control, skb, event, chan->rx_state);
6302
6303 if (__valid_reqseq(chan, control->reqseq)) {
6304 switch (chan->rx_state) {
6305 case L2CAP_RX_STATE_RECV:
6306 err = l2cap_rx_state_recv(chan, control, skb, event);
6307 break;
6308 case L2CAP_RX_STATE_SREJ_SENT:
6309 err = l2cap_rx_state_srej_sent(chan, control, skb,
6310 event);
6311 break;
6312 case L2CAP_RX_STATE_WAIT_P:
6313 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6314 break;
6315 case L2CAP_RX_STATE_WAIT_F:
6316 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6317 break;
6318 default:
6319 /* shut it down */
6320 break;
6321 }
6322 } else {
6323 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6324 control->reqseq, chan->next_tx_seq,
6325 chan->expected_ack_seq);
6326 l2cap_send_disconn_req(chan, ECONNRESET);
6327 }
6328
6329 return err;
6330 }
6331
l2cap_stream_rx(struct l2cap_chan * chan,struct l2cap_ctrl * control,struct sk_buff * skb)6332 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6333 struct sk_buff *skb)
6334 {
6335 /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store
6336 * the txseq field in advance to use it after l2cap_reassemble_sdu
6337 * returns and to avoid the race condition, for example:
6338 *
6339 * The current thread calls:
6340 * l2cap_reassemble_sdu
6341 * chan->ops->recv == l2cap_sock_recv_cb
6342 * __sock_queue_rcv_skb
6343 * Another thread calls:
6344 * bt_sock_recvmsg
6345 * skb_recv_datagram
6346 * skb_free_datagram
6347 * Then the current thread tries to access control, but it was freed by
6348 * skb_free_datagram.
6349 */
6350 u16 txseq = control->txseq;
6351
6352 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6353 chan->rx_state);
6354
6355 if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) {
6356 l2cap_pass_to_tx(chan, control);
6357
6358 BT_DBG("buffer_seq %u->%u", chan->buffer_seq,
6359 __next_seq(chan, chan->buffer_seq));
6360
6361 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6362
6363 l2cap_reassemble_sdu(chan, skb, control);
6364 } else {
6365 if (chan->sdu) {
6366 kfree_skb(chan->sdu);
6367 chan->sdu = NULL;
6368 }
6369 chan->sdu_last_frag = NULL;
6370 chan->sdu_len = 0;
6371
6372 if (skb) {
6373 BT_DBG("Freeing %p", skb);
6374 kfree_skb(skb);
6375 }
6376 }
6377
6378 chan->last_acked_seq = txseq;
6379 chan->expected_tx_seq = __next_seq(chan, txseq);
6380
6381 return 0;
6382 }
6383
l2cap_data_rcv(struct l2cap_chan * chan,struct sk_buff * skb)6384 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6385 {
6386 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6387 u16 len;
6388 u8 event;
6389
6390 __unpack_control(chan, skb);
6391
6392 len = skb->len;
6393
6394 /*
6395 * We can just drop the corrupted I-frame here.
6396 * Receiver will miss it and start proper recovery
6397 * procedures and ask for retransmission.
6398 */
6399 if (l2cap_check_fcs(chan, skb))
6400 goto drop;
6401
6402 if (!control->sframe && control->sar == L2CAP_SAR_START)
6403 len -= L2CAP_SDULEN_SIZE;
6404
6405 if (chan->fcs == L2CAP_FCS_CRC16)
6406 len -= L2CAP_FCS_SIZE;
6407
6408 if (len > chan->mps) {
6409 l2cap_send_disconn_req(chan, ECONNRESET);
6410 goto drop;
6411 }
6412
6413 if (chan->ops->filter) {
6414 if (chan->ops->filter(chan, skb))
6415 goto drop;
6416 }
6417
6418 if (!control->sframe) {
6419 int err;
6420
6421 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6422 control->sar, control->reqseq, control->final,
6423 control->txseq);
6424
6425 /* Validate F-bit - F=0 always valid, F=1 only
6426 * valid in TX WAIT_F
6427 */
6428 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6429 goto drop;
6430
6431 if (chan->mode != L2CAP_MODE_STREAMING) {
6432 event = L2CAP_EV_RECV_IFRAME;
6433 err = l2cap_rx(chan, control, skb, event);
6434 } else {
6435 err = l2cap_stream_rx(chan, control, skb);
6436 }
6437
6438 if (err)
6439 l2cap_send_disconn_req(chan, ECONNRESET);
6440 } else {
6441 const u8 rx_func_to_event[4] = {
6442 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6443 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6444 };
6445
6446 /* Only I-frames are expected in streaming mode */
6447 if (chan->mode == L2CAP_MODE_STREAMING)
6448 goto drop;
6449
6450 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6451 control->reqseq, control->final, control->poll,
6452 control->super);
6453
6454 if (len != 0) {
6455 BT_ERR("Trailing bytes: %d in sframe", len);
6456 l2cap_send_disconn_req(chan, ECONNRESET);
6457 goto drop;
6458 }
6459
6460 /* Validate F and P bits */
6461 if (control->final && (control->poll ||
6462 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6463 goto drop;
6464
6465 event = rx_func_to_event[control->super];
6466 if (l2cap_rx(chan, control, skb, event))
6467 l2cap_send_disconn_req(chan, ECONNRESET);
6468 }
6469
6470 return 0;
6471
6472 drop:
6473 kfree_skb(skb);
6474 return 0;
6475 }
6476
l2cap_chan_le_send_credits(struct l2cap_chan * chan)6477 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6478 {
6479 struct l2cap_conn *conn = chan->conn;
6480 struct l2cap_le_credits pkt;
6481 u16 return_credits = l2cap_le_rx_credits(chan);
6482
6483 if (chan->rx_credits >= return_credits)
6484 return;
6485
6486 return_credits -= chan->rx_credits;
6487
6488 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6489
6490 chan->rx_credits += return_credits;
6491
6492 pkt.cid = cpu_to_le16(chan->scid);
6493 pkt.credits = cpu_to_le16(return_credits);
6494
6495 chan->ident = l2cap_get_ident(conn);
6496
6497 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6498 }
6499
l2cap_chan_rx_avail(struct l2cap_chan * chan,ssize_t rx_avail)6500 void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail)
6501 {
6502 if (chan->rx_avail == rx_avail)
6503 return;
6504
6505 BT_DBG("chan %p has %zd bytes avail for rx", chan, rx_avail);
6506
6507 chan->rx_avail = rx_avail;
6508
6509 if (chan->state == BT_CONNECTED)
6510 l2cap_chan_le_send_credits(chan);
6511 }
6512
l2cap_ecred_recv(struct l2cap_chan * chan,struct sk_buff * skb)6513 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6514 {
6515 int err;
6516
6517 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6518
6519 /* Wait recv to confirm reception before updating the credits */
6520 err = chan->ops->recv(chan, skb);
6521
6522 if (err < 0 && chan->rx_avail != -1) {
6523 BT_ERR("Queueing received LE L2CAP data failed");
6524 l2cap_send_disconn_req(chan, ECONNRESET);
6525 return err;
6526 }
6527
6528 /* Update credits whenever an SDU is received */
6529 l2cap_chan_le_send_credits(chan);
6530
6531 return err;
6532 }
6533
l2cap_ecred_data_rcv(struct l2cap_chan * chan,struct sk_buff * skb)6534 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6535 {
6536 int err;
6537
6538 if (!chan->rx_credits) {
6539 BT_ERR("No credits to receive LE L2CAP data");
6540 l2cap_send_disconn_req(chan, ECONNRESET);
6541 return -ENOBUFS;
6542 }
6543
6544 if (chan->imtu < skb->len) {
6545 BT_ERR("Too big LE L2CAP PDU");
6546 return -ENOBUFS;
6547 }
6548
6549 chan->rx_credits--;
6550 BT_DBG("chan %p: rx_credits %u -> %u",
6551 chan, chan->rx_credits + 1, chan->rx_credits);
6552
6553 /* Update if remote had run out of credits, this should only happens
6554 * if the remote is not using the entire MPS.
6555 */
6556 if (!chan->rx_credits)
6557 l2cap_chan_le_send_credits(chan);
6558
6559 err = 0;
6560
6561 if (!chan->sdu) {
6562 u16 sdu_len;
6563
6564 sdu_len = get_unaligned_le16(skb->data);
6565 skb_pull(skb, L2CAP_SDULEN_SIZE);
6566
6567 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6568 sdu_len, skb->len, chan->imtu);
6569
6570 if (sdu_len > chan->imtu) {
6571 BT_ERR("Too big LE L2CAP SDU length received");
6572 err = -EMSGSIZE;
6573 goto failed;
6574 }
6575
6576 if (skb->len > sdu_len) {
6577 BT_ERR("Too much LE L2CAP data received");
6578 err = -EINVAL;
6579 goto failed;
6580 }
6581
6582 if (skb->len == sdu_len)
6583 return l2cap_ecred_recv(chan, skb);
6584
6585 chan->sdu = skb;
6586 chan->sdu_len = sdu_len;
6587 chan->sdu_last_frag = skb;
6588
6589 /* Detect if remote is not able to use the selected MPS */
6590 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6591 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6592
6593 /* Adjust the number of credits */
6594 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6595 chan->mps = mps_len;
6596 l2cap_chan_le_send_credits(chan);
6597 }
6598
6599 return 0;
6600 }
6601
6602 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6603 chan->sdu->len, skb->len, chan->sdu_len);
6604
6605 if (chan->sdu->len + skb->len > chan->sdu_len) {
6606 BT_ERR("Too much LE L2CAP data received");
6607 err = -EINVAL;
6608 goto failed;
6609 }
6610
6611 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6612 skb = NULL;
6613
6614 if (chan->sdu->len == chan->sdu_len) {
6615 err = l2cap_ecred_recv(chan, chan->sdu);
6616 if (!err) {
6617 chan->sdu = NULL;
6618 chan->sdu_last_frag = NULL;
6619 chan->sdu_len = 0;
6620 }
6621 }
6622
6623 failed:
6624 if (err) {
6625 kfree_skb(skb);
6626 kfree_skb(chan->sdu);
6627 chan->sdu = NULL;
6628 chan->sdu_last_frag = NULL;
6629 chan->sdu_len = 0;
6630 }
6631
6632 /* We can't return an error here since we took care of the skb
6633 * freeing internally. An error return would cause the caller to
6634 * do a double-free of the skb.
6635 */
6636 return 0;
6637 }
6638
l2cap_data_channel(struct l2cap_conn * conn,u16 cid,struct sk_buff * skb)6639 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6640 struct sk_buff *skb)
6641 {
6642 struct l2cap_chan *chan;
6643
6644 chan = l2cap_get_chan_by_scid(conn, cid);
6645 if (!chan) {
6646 BT_DBG("unknown cid 0x%4.4x", cid);
6647 /* Drop packet and return */
6648 kfree_skb(skb);
6649 return;
6650 }
6651
6652 BT_DBG("chan %p, len %d", chan, skb->len);
6653
6654 /* If we receive data on a fixed channel before the info req/rsp
6655 * procedure is done simply assume that the channel is supported
6656 * and mark it as ready.
6657 */
6658 if (chan->chan_type == L2CAP_CHAN_FIXED)
6659 l2cap_chan_ready(chan);
6660
6661 if (chan->state != BT_CONNECTED)
6662 goto drop;
6663
6664 switch (chan->mode) {
6665 case L2CAP_MODE_LE_FLOWCTL:
6666 case L2CAP_MODE_EXT_FLOWCTL:
6667 if (l2cap_ecred_data_rcv(chan, skb) < 0)
6668 goto drop;
6669
6670 goto done;
6671
6672 case L2CAP_MODE_BASIC:
6673 /* If socket recv buffers overflows we drop data here
6674 * which is *bad* because L2CAP has to be reliable.
6675 * But we don't have any other choice. L2CAP doesn't
6676 * provide flow control mechanism. */
6677
6678 if (chan->imtu < skb->len) {
6679 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6680 goto drop;
6681 }
6682
6683 if (!chan->ops->recv(chan, skb))
6684 goto done;
6685 break;
6686
6687 case L2CAP_MODE_ERTM:
6688 case L2CAP_MODE_STREAMING:
6689 l2cap_data_rcv(chan, skb);
6690 goto done;
6691
6692 default:
6693 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6694 break;
6695 }
6696
6697 drop:
6698 kfree_skb(skb);
6699
6700 done:
6701 l2cap_chan_unlock(chan);
6702 l2cap_chan_put(chan);
6703 }
6704
l2cap_conless_channel(struct l2cap_conn * conn,__le16 psm,struct sk_buff * skb)6705 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6706 struct sk_buff *skb)
6707 {
6708 struct hci_conn *hcon = conn->hcon;
6709 struct l2cap_chan *chan;
6710
6711 if (hcon->type != ACL_LINK)
6712 goto free_skb;
6713
6714 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6715 ACL_LINK);
6716 if (!chan)
6717 goto free_skb;
6718
6719 BT_DBG("chan %p, len %d", chan, skb->len);
6720
6721 l2cap_chan_lock(chan);
6722
6723 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6724 goto drop;
6725
6726 if (chan->imtu < skb->len)
6727 goto drop;
6728
6729 /* Store remote BD_ADDR and PSM for msg_name */
6730 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6731 bt_cb(skb)->l2cap.psm = psm;
6732
6733 if (!chan->ops->recv(chan, skb)) {
6734 l2cap_chan_unlock(chan);
6735 l2cap_chan_put(chan);
6736 return;
6737 }
6738
6739 drop:
6740 l2cap_chan_unlock(chan);
6741 l2cap_chan_put(chan);
6742 free_skb:
6743 kfree_skb(skb);
6744 }
6745
l2cap_recv_frame(struct l2cap_conn * conn,struct sk_buff * skb)6746 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6747 {
6748 struct l2cap_hdr *lh = (void *) skb->data;
6749 struct hci_conn *hcon = conn->hcon;
6750 u16 cid, len;
6751 __le16 psm;
6752
6753 if (hcon->state != BT_CONNECTED) {
6754 BT_DBG("queueing pending rx skb");
6755 skb_queue_tail(&conn->pending_rx, skb);
6756 return;
6757 }
6758
6759 skb_pull(skb, L2CAP_HDR_SIZE);
6760 cid = __le16_to_cpu(lh->cid);
6761 len = __le16_to_cpu(lh->len);
6762
6763 if (len != skb->len) {
6764 kfree_skb(skb);
6765 return;
6766 }
6767
6768 /* Since we can't actively block incoming LE connections we must
6769 * at least ensure that we ignore incoming data from them.
6770 */
6771 if (hcon->type == LE_LINK &&
6772 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst,
6773 bdaddr_dst_type(hcon))) {
6774 kfree_skb(skb);
6775 return;
6776 }
6777
6778 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6779
6780 switch (cid) {
6781 case L2CAP_CID_SIGNALING:
6782 l2cap_sig_channel(conn, skb);
6783 break;
6784
6785 case L2CAP_CID_CONN_LESS:
6786 psm = get_unaligned((__le16 *) skb->data);
6787 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6788 l2cap_conless_channel(conn, psm, skb);
6789 break;
6790
6791 case L2CAP_CID_LE_SIGNALING:
6792 l2cap_le_sig_channel(conn, skb);
6793 break;
6794
6795 default:
6796 l2cap_data_channel(conn, cid, skb);
6797 break;
6798 }
6799 }
6800
process_pending_rx(struct work_struct * work)6801 static void process_pending_rx(struct work_struct *work)
6802 {
6803 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6804 pending_rx_work);
6805 struct sk_buff *skb;
6806
6807 BT_DBG("");
6808
6809 mutex_lock(&conn->lock);
6810
6811 while ((skb = skb_dequeue(&conn->pending_rx)))
6812 l2cap_recv_frame(conn, skb);
6813
6814 mutex_unlock(&conn->lock);
6815 }
6816
l2cap_conn_add(struct hci_conn * hcon)6817 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6818 {
6819 struct l2cap_conn *conn = hcon->l2cap_data;
6820 struct hci_chan *hchan;
6821
6822 if (conn)
6823 return conn;
6824
6825 hchan = hci_chan_create(hcon);
6826 if (!hchan)
6827 return NULL;
6828
6829 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6830 if (!conn) {
6831 hci_chan_del(hchan);
6832 return NULL;
6833 }
6834
6835 kref_init(&conn->ref);
6836 hcon->l2cap_data = conn;
6837 conn->hcon = hci_conn_get(hcon);
6838 conn->hchan = hchan;
6839
6840 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6841
6842 conn->mtu = hcon->mtu;
6843 conn->feat_mask = 0;
6844
6845 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6846
6847 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
6848 (bredr_sc_enabled(hcon->hdev) ||
6849 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
6850 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6851
6852 mutex_init(&conn->ident_lock);
6853 mutex_init(&conn->lock);
6854
6855 INIT_LIST_HEAD(&conn->chan_l);
6856 INIT_LIST_HEAD(&conn->users);
6857
6858 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
6859
6860 skb_queue_head_init(&conn->pending_rx);
6861 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
6862 INIT_DELAYED_WORK(&conn->id_addr_timer, l2cap_conn_update_id_addr);
6863
6864 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
6865
6866 return conn;
6867 }
6868
is_valid_psm(u16 psm,u8 dst_type)6869 static bool is_valid_psm(u16 psm, u8 dst_type)
6870 {
6871 if (!psm)
6872 return false;
6873
6874 if (bdaddr_type_is_le(dst_type))
6875 return (psm <= 0x00ff);
6876
6877 /* PSM must be odd and lsb of upper byte must be 0 */
6878 return ((psm & 0x0101) == 0x0001);
6879 }
6880
6881 struct l2cap_chan_data {
6882 struct l2cap_chan *chan;
6883 struct pid *pid;
6884 int count;
6885 };
6886
l2cap_chan_by_pid(struct l2cap_chan * chan,void * data)6887 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
6888 {
6889 struct l2cap_chan_data *d = data;
6890 struct pid *pid;
6891
6892 if (chan == d->chan)
6893 return;
6894
6895 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
6896 return;
6897
6898 pid = chan->ops->get_peer_pid(chan);
6899
6900 /* Only count deferred channels with the same PID/PSM */
6901 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
6902 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
6903 return;
6904
6905 d->count++;
6906 }
6907
l2cap_chan_connect(struct l2cap_chan * chan,__le16 psm,u16 cid,bdaddr_t * dst,u8 dst_type)6908 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
6909 bdaddr_t *dst, u8 dst_type)
6910 {
6911 struct l2cap_conn *conn;
6912 struct hci_conn *hcon;
6913 struct hci_dev *hdev;
6914 int err;
6915
6916 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
6917 dst, dst_type, __le16_to_cpu(psm), chan->mode);
6918
6919 hdev = hci_get_route(dst, &chan->src, chan->src_type);
6920 if (!hdev)
6921 return -EHOSTUNREACH;
6922
6923 hci_dev_lock(hdev);
6924
6925 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
6926 chan->chan_type != L2CAP_CHAN_RAW) {
6927 err = -EINVAL;
6928 goto done;
6929 }
6930
6931 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
6932 err = -EINVAL;
6933 goto done;
6934 }
6935
6936 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
6937 err = -EINVAL;
6938 goto done;
6939 }
6940
6941 switch (chan->mode) {
6942 case L2CAP_MODE_BASIC:
6943 break;
6944 case L2CAP_MODE_LE_FLOWCTL:
6945 break;
6946 case L2CAP_MODE_EXT_FLOWCTL:
6947 if (!enable_ecred) {
6948 err = -EOPNOTSUPP;
6949 goto done;
6950 }
6951 break;
6952 case L2CAP_MODE_ERTM:
6953 case L2CAP_MODE_STREAMING:
6954 if (!disable_ertm)
6955 break;
6956 fallthrough;
6957 default:
6958 err = -EOPNOTSUPP;
6959 goto done;
6960 }
6961
6962 switch (chan->state) {
6963 case BT_CONNECT:
6964 case BT_CONNECT2:
6965 case BT_CONFIG:
6966 /* Already connecting */
6967 err = 0;
6968 goto done;
6969
6970 case BT_CONNECTED:
6971 /* Already connected */
6972 err = -EISCONN;
6973 goto done;
6974
6975 case BT_OPEN:
6976 case BT_BOUND:
6977 /* Can connect */
6978 break;
6979
6980 default:
6981 err = -EBADFD;
6982 goto done;
6983 }
6984
6985 /* Set destination address and psm */
6986 bacpy(&chan->dst, dst);
6987 chan->dst_type = dst_type;
6988
6989 chan->psm = psm;
6990 chan->dcid = cid;
6991
6992 if (bdaddr_type_is_le(dst_type)) {
6993 /* Convert from L2CAP channel address type to HCI address type
6994 */
6995 if (dst_type == BDADDR_LE_PUBLIC)
6996 dst_type = ADDR_LE_DEV_PUBLIC;
6997 else
6998 dst_type = ADDR_LE_DEV_RANDOM;
6999
7000 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7001 hcon = hci_connect_le(hdev, dst, dst_type, false,
7002 chan->sec_level,
7003 HCI_LE_CONN_TIMEOUT,
7004 HCI_ROLE_SLAVE);
7005 else
7006 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7007 chan->sec_level,
7008 HCI_LE_CONN_TIMEOUT,
7009 CONN_REASON_L2CAP_CHAN);
7010
7011 } else {
7012 u8 auth_type = l2cap_get_auth_type(chan);
7013 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7014 CONN_REASON_L2CAP_CHAN);
7015 }
7016
7017 if (IS_ERR(hcon)) {
7018 err = PTR_ERR(hcon);
7019 goto done;
7020 }
7021
7022 conn = l2cap_conn_add(hcon);
7023 if (!conn) {
7024 hci_conn_drop(hcon);
7025 err = -ENOMEM;
7026 goto done;
7027 }
7028
7029 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7030 struct l2cap_chan_data data;
7031
7032 data.chan = chan;
7033 data.pid = chan->ops->get_peer_pid(chan);
7034 data.count = 1;
7035
7036 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7037
7038 /* Check if there isn't too many channels being connected */
7039 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7040 hci_conn_drop(hcon);
7041 err = -EPROTO;
7042 goto done;
7043 }
7044 }
7045
7046 mutex_lock(&conn->lock);
7047 l2cap_chan_lock(chan);
7048
7049 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7050 hci_conn_drop(hcon);
7051 err = -EBUSY;
7052 goto chan_unlock;
7053 }
7054
7055 /* Update source addr of the socket */
7056 bacpy(&chan->src, &hcon->src);
7057 chan->src_type = bdaddr_src_type(hcon);
7058
7059 __l2cap_chan_add(conn, chan);
7060
7061 /* l2cap_chan_add takes its own ref so we can drop this one */
7062 hci_conn_drop(hcon);
7063
7064 l2cap_state_change(chan, BT_CONNECT);
7065 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7066
7067 /* Release chan->sport so that it can be reused by other
7068 * sockets (as it's only used for listening sockets).
7069 */
7070 write_lock(&chan_list_lock);
7071 chan->sport = 0;
7072 write_unlock(&chan_list_lock);
7073
7074 if (hcon->state == BT_CONNECTED) {
7075 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7076 __clear_chan_timer(chan);
7077 if (l2cap_chan_check_security(chan, true))
7078 l2cap_state_change(chan, BT_CONNECTED);
7079 } else
7080 l2cap_do_start(chan);
7081 }
7082
7083 err = 0;
7084
7085 chan_unlock:
7086 l2cap_chan_unlock(chan);
7087 mutex_unlock(&conn->lock);
7088 done:
7089 hci_dev_unlock(hdev);
7090 hci_dev_put(hdev);
7091 return err;
7092 }
7093 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7094
l2cap_ecred_reconfigure(struct l2cap_chan * chan)7095 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7096 {
7097 struct l2cap_conn *conn = chan->conn;
7098 struct {
7099 struct l2cap_ecred_reconf_req req;
7100 __le16 scid;
7101 } pdu;
7102
7103 pdu.req.mtu = cpu_to_le16(chan->imtu);
7104 pdu.req.mps = cpu_to_le16(chan->mps);
7105 pdu.scid = cpu_to_le16(chan->scid);
7106
7107 chan->ident = l2cap_get_ident(conn);
7108
7109 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
7110 sizeof(pdu), &pdu);
7111 }
7112
l2cap_chan_reconfigure(struct l2cap_chan * chan,__u16 mtu)7113 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
7114 {
7115 if (chan->imtu > mtu)
7116 return -EINVAL;
7117
7118 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
7119
7120 chan->imtu = mtu;
7121
7122 l2cap_ecred_reconfigure(chan);
7123
7124 return 0;
7125 }
7126
7127 /* ---- L2CAP interface with lower layer (HCI) ---- */
7128
l2cap_connect_ind(struct hci_dev * hdev,bdaddr_t * bdaddr)7129 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7130 {
7131 int exact = 0, lm1 = 0, lm2 = 0;
7132 struct l2cap_chan *c;
7133
7134 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7135
7136 /* Find listening sockets and check their link_mode */
7137 read_lock(&chan_list_lock);
7138 list_for_each_entry(c, &chan_list, global_l) {
7139 if (c->state != BT_LISTEN)
7140 continue;
7141
7142 if (!bacmp(&c->src, &hdev->bdaddr)) {
7143 lm1 |= HCI_LM_ACCEPT;
7144 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7145 lm1 |= HCI_LM_MASTER;
7146 exact++;
7147 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7148 lm2 |= HCI_LM_ACCEPT;
7149 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7150 lm2 |= HCI_LM_MASTER;
7151 }
7152 }
7153 read_unlock(&chan_list_lock);
7154
7155 return exact ? lm1 : lm2;
7156 }
7157
7158 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7159 * from an existing channel in the list or from the beginning of the
7160 * global list (by passing NULL as first parameter).
7161 */
l2cap_global_fixed_chan(struct l2cap_chan * c,struct hci_conn * hcon)7162 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7163 struct hci_conn *hcon)
7164 {
7165 u8 src_type = bdaddr_src_type(hcon);
7166
7167 read_lock(&chan_list_lock);
7168
7169 if (c)
7170 c = list_next_entry(c, global_l);
7171 else
7172 c = list_entry(chan_list.next, typeof(*c), global_l);
7173
7174 list_for_each_entry_from(c, &chan_list, global_l) {
7175 if (c->chan_type != L2CAP_CHAN_FIXED)
7176 continue;
7177 if (c->state != BT_LISTEN)
7178 continue;
7179 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7180 continue;
7181 if (src_type != c->src_type)
7182 continue;
7183
7184 c = l2cap_chan_hold_unless_zero(c);
7185 read_unlock(&chan_list_lock);
7186 return c;
7187 }
7188
7189 read_unlock(&chan_list_lock);
7190
7191 return NULL;
7192 }
7193
l2cap_connect_cfm(struct hci_conn * hcon,u8 status)7194 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7195 {
7196 struct hci_dev *hdev = hcon->hdev;
7197 struct l2cap_conn *conn;
7198 struct l2cap_chan *pchan;
7199 u8 dst_type;
7200
7201 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7202 return;
7203
7204 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7205
7206 if (status) {
7207 l2cap_conn_del(hcon, bt_to_errno(status));
7208 return;
7209 }
7210
7211 conn = l2cap_conn_add(hcon);
7212 if (!conn)
7213 return;
7214
7215 dst_type = bdaddr_dst_type(hcon);
7216
7217 /* If device is blocked, do not create channels for it */
7218 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type))
7219 return;
7220
7221 /* Find fixed channels and notify them of the new connection. We
7222 * use multiple individual lookups, continuing each time where
7223 * we left off, because the list lock would prevent calling the
7224 * potentially sleeping l2cap_chan_lock() function.
7225 */
7226 pchan = l2cap_global_fixed_chan(NULL, hcon);
7227 while (pchan) {
7228 struct l2cap_chan *chan, *next;
7229
7230 /* Client fixed channels should override server ones */
7231 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7232 goto next;
7233
7234 l2cap_chan_lock(pchan);
7235 chan = pchan->ops->new_connection(pchan);
7236 if (chan) {
7237 bacpy(&chan->src, &hcon->src);
7238 bacpy(&chan->dst, &hcon->dst);
7239 chan->src_type = bdaddr_src_type(hcon);
7240 chan->dst_type = dst_type;
7241
7242 __l2cap_chan_add(conn, chan);
7243 }
7244
7245 l2cap_chan_unlock(pchan);
7246 next:
7247 next = l2cap_global_fixed_chan(pchan, hcon);
7248 l2cap_chan_put(pchan);
7249 pchan = next;
7250 }
7251
7252 l2cap_conn_ready(conn);
7253 }
7254
l2cap_disconn_ind(struct hci_conn * hcon)7255 int l2cap_disconn_ind(struct hci_conn *hcon)
7256 {
7257 struct l2cap_conn *conn = hcon->l2cap_data;
7258
7259 BT_DBG("hcon %p", hcon);
7260
7261 if (!conn)
7262 return HCI_ERROR_REMOTE_USER_TERM;
7263 return conn->disc_reason;
7264 }
7265
l2cap_disconn_cfm(struct hci_conn * hcon,u8 reason)7266 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7267 {
7268 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7269 return;
7270
7271 BT_DBG("hcon %p reason %d", hcon, reason);
7272
7273 l2cap_conn_del(hcon, bt_to_errno(reason));
7274 }
7275
l2cap_check_encryption(struct l2cap_chan * chan,u8 encrypt)7276 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7277 {
7278 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7279 return;
7280
7281 if (encrypt == 0x00) {
7282 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7283 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7284 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7285 chan->sec_level == BT_SECURITY_FIPS)
7286 l2cap_chan_close(chan, ECONNREFUSED);
7287 } else {
7288 if (chan->sec_level == BT_SECURITY_MEDIUM)
7289 __clear_chan_timer(chan);
7290 }
7291 }
7292
l2cap_security_cfm(struct hci_conn * hcon,u8 status,u8 encrypt)7293 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7294 {
7295 struct l2cap_conn *conn = hcon->l2cap_data;
7296 struct l2cap_chan *chan;
7297
7298 if (!conn)
7299 return;
7300
7301 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7302
7303 mutex_lock(&conn->lock);
7304
7305 list_for_each_entry(chan, &conn->chan_l, list) {
7306 l2cap_chan_lock(chan);
7307
7308 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7309 state_to_string(chan->state));
7310
7311 if (!status && encrypt)
7312 chan->sec_level = hcon->sec_level;
7313
7314 if (!__l2cap_no_conn_pending(chan)) {
7315 l2cap_chan_unlock(chan);
7316 continue;
7317 }
7318
7319 if (!status && (chan->state == BT_CONNECTED ||
7320 chan->state == BT_CONFIG)) {
7321 chan->ops->resume(chan);
7322 l2cap_check_encryption(chan, encrypt);
7323 l2cap_chan_unlock(chan);
7324 continue;
7325 }
7326
7327 if (chan->state == BT_CONNECT) {
7328 if (!status && l2cap_check_enc_key_size(hcon, chan))
7329 l2cap_start_connection(chan);
7330 else
7331 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7332 } else if (chan->state == BT_CONNECT2 &&
7333 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
7334 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
7335 struct l2cap_conn_rsp rsp;
7336 __u16 res, stat;
7337
7338 if (!status && l2cap_check_enc_key_size(hcon, chan)) {
7339 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7340 res = L2CAP_CR_PEND;
7341 stat = L2CAP_CS_AUTHOR_PEND;
7342 chan->ops->defer(chan);
7343 } else {
7344 l2cap_state_change(chan, BT_CONFIG);
7345 res = L2CAP_CR_SUCCESS;
7346 stat = L2CAP_CS_NO_INFO;
7347 }
7348 } else {
7349 l2cap_state_change(chan, BT_DISCONN);
7350 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7351 res = L2CAP_CR_SEC_BLOCK;
7352 stat = L2CAP_CS_NO_INFO;
7353 }
7354
7355 rsp.scid = cpu_to_le16(chan->dcid);
7356 rsp.dcid = cpu_to_le16(chan->scid);
7357 rsp.result = cpu_to_le16(res);
7358 rsp.status = cpu_to_le16(stat);
7359 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7360 sizeof(rsp), &rsp);
7361
7362 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7363 res == L2CAP_CR_SUCCESS) {
7364 char buf[128];
7365 set_bit(CONF_REQ_SENT, &chan->conf_state);
7366 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7367 L2CAP_CONF_REQ,
7368 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7369 buf);
7370 chan->num_conf_req++;
7371 }
7372 }
7373
7374 l2cap_chan_unlock(chan);
7375 }
7376
7377 mutex_unlock(&conn->lock);
7378 }
7379
7380 /* Append fragment into frame respecting the maximum len of rx_skb */
l2cap_recv_frag(struct l2cap_conn * conn,struct sk_buff * skb,u16 len)7381 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb,
7382 u16 len)
7383 {
7384 if (!conn->rx_skb) {
7385 /* Allocate skb for the complete frame (with header) */
7386 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7387 if (!conn->rx_skb)
7388 return -ENOMEM;
7389 /* Init rx_len */
7390 conn->rx_len = len;
7391
7392 skb_set_delivery_time(conn->rx_skb, skb->tstamp,
7393 skb->tstamp_type);
7394 }
7395
7396 /* Copy as much as the rx_skb can hold */
7397 len = min_t(u16, len, skb->len);
7398 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len);
7399 skb_pull(skb, len);
7400 conn->rx_len -= len;
7401
7402 return len;
7403 }
7404
l2cap_recv_len(struct l2cap_conn * conn,struct sk_buff * skb)7405 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb)
7406 {
7407 struct sk_buff *rx_skb;
7408 int len;
7409
7410 /* Append just enough to complete the header */
7411 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len);
7412
7413 /* If header could not be read just continue */
7414 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE)
7415 return len;
7416
7417 rx_skb = conn->rx_skb;
7418 len = get_unaligned_le16(rx_skb->data);
7419
7420 /* Check if rx_skb has enough space to received all fragments */
7421 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) {
7422 /* Update expected len */
7423 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE);
7424 return L2CAP_LEN_SIZE;
7425 }
7426
7427 /* Reset conn->rx_skb since it will need to be reallocated in order to
7428 * fit all fragments.
7429 */
7430 conn->rx_skb = NULL;
7431
7432 /* Reallocates rx_skb using the exact expected length */
7433 len = l2cap_recv_frag(conn, rx_skb,
7434 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE));
7435 kfree_skb(rx_skb);
7436
7437 return len;
7438 }
7439
l2cap_recv_reset(struct l2cap_conn * conn)7440 static void l2cap_recv_reset(struct l2cap_conn *conn)
7441 {
7442 kfree_skb(conn->rx_skb);
7443 conn->rx_skb = NULL;
7444 conn->rx_len = 0;
7445 }
7446
l2cap_conn_hold_unless_zero(struct l2cap_conn * c)7447 struct l2cap_conn *l2cap_conn_hold_unless_zero(struct l2cap_conn *c)
7448 {
7449 if (!c)
7450 return NULL;
7451
7452 BT_DBG("conn %p orig refcnt %u", c, kref_read(&c->ref));
7453
7454 if (!kref_get_unless_zero(&c->ref))
7455 return NULL;
7456
7457 return c;
7458 }
7459
l2cap_recv_acldata(struct hci_conn * hcon,struct sk_buff * skb,u16 flags)7460 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7461 {
7462 struct l2cap_conn *conn;
7463 int len;
7464
7465 /* Lock hdev to access l2cap_data to avoid race with l2cap_conn_del */
7466 hci_dev_lock(hcon->hdev);
7467
7468 conn = hcon->l2cap_data;
7469
7470 if (!conn)
7471 conn = l2cap_conn_add(hcon);
7472
7473 conn = l2cap_conn_hold_unless_zero(conn);
7474
7475 hci_dev_unlock(hcon->hdev);
7476
7477 if (!conn) {
7478 kfree_skb(skb);
7479 return;
7480 }
7481
7482 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
7483
7484 mutex_lock(&conn->lock);
7485
7486 switch (flags) {
7487 case ACL_START:
7488 case ACL_START_NO_FLUSH:
7489 case ACL_COMPLETE:
7490 if (conn->rx_skb) {
7491 BT_ERR("Unexpected start frame (len %d)", skb->len);
7492 l2cap_recv_reset(conn);
7493 l2cap_conn_unreliable(conn, ECOMM);
7494 }
7495
7496 /* Start fragment may not contain the L2CAP length so just
7497 * copy the initial byte when that happens and use conn->mtu as
7498 * expected length.
7499 */
7500 if (skb->len < L2CAP_LEN_SIZE) {
7501 l2cap_recv_frag(conn, skb, conn->mtu);
7502 break;
7503 }
7504
7505 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE;
7506
7507 if (len == skb->len) {
7508 /* Complete frame received */
7509 l2cap_recv_frame(conn, skb);
7510 goto unlock;
7511 }
7512
7513 BT_DBG("Start: total len %d, frag len %u", len, skb->len);
7514
7515 if (skb->len > len) {
7516 BT_ERR("Frame is too long (len %u, expected len %d)",
7517 skb->len, len);
7518 /* PTS test cases L2CAP/COS/CED/BI-14-C and BI-15-C
7519 * (Multiple Signaling Command in one PDU, Data
7520 * Truncated, BR/EDR) send a C-frame to the IUT with
7521 * PDU Length set to 8 and Channel ID set to the
7522 * correct signaling channel for the logical link.
7523 * The Information payload contains one L2CAP_ECHO_REQ
7524 * packet with Data Length set to 0 with 0 octets of
7525 * echo data and one invalid command packet due to
7526 * data truncated in PDU but present in HCI packet.
7527 *
7528 * Shorter the socket buffer to the PDU length to
7529 * allow to process valid commands from the PDU before
7530 * setting the socket unreliable.
7531 */
7532 skb->len = len;
7533 l2cap_recv_frame(conn, skb);
7534 l2cap_conn_unreliable(conn, ECOMM);
7535 goto unlock;
7536 }
7537
7538 /* Append fragment into frame (with header) */
7539 if (l2cap_recv_frag(conn, skb, len) < 0)
7540 goto drop;
7541
7542 break;
7543
7544 case ACL_CONT:
7545 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len);
7546
7547 if (!conn->rx_skb) {
7548 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7549 l2cap_conn_unreliable(conn, ECOMM);
7550 goto drop;
7551 }
7552
7553 /* Complete the L2CAP length if it has not been read */
7554 if (conn->rx_skb->len < L2CAP_LEN_SIZE) {
7555 if (l2cap_recv_len(conn, skb) < 0) {
7556 l2cap_conn_unreliable(conn, ECOMM);
7557 goto drop;
7558 }
7559
7560 /* Header still could not be read just continue */
7561 if (conn->rx_skb->len < L2CAP_LEN_SIZE)
7562 break;
7563 }
7564
7565 if (skb->len > conn->rx_len) {
7566 BT_ERR("Fragment is too long (len %u, expected %u)",
7567 skb->len, conn->rx_len);
7568 l2cap_recv_reset(conn);
7569 l2cap_conn_unreliable(conn, ECOMM);
7570 goto drop;
7571 }
7572
7573 /* Append fragment into frame (with header) */
7574 l2cap_recv_frag(conn, skb, skb->len);
7575
7576 if (!conn->rx_len) {
7577 /* Complete frame received. l2cap_recv_frame
7578 * takes ownership of the skb so set the global
7579 * rx_skb pointer to NULL first.
7580 */
7581 struct sk_buff *rx_skb = conn->rx_skb;
7582 conn->rx_skb = NULL;
7583 l2cap_recv_frame(conn, rx_skb);
7584 }
7585 break;
7586 }
7587
7588 drop:
7589 kfree_skb(skb);
7590 unlock:
7591 mutex_unlock(&conn->lock);
7592 l2cap_conn_put(conn);
7593 }
7594
7595 static struct hci_cb l2cap_cb = {
7596 .name = "L2CAP",
7597 .connect_cfm = l2cap_connect_cfm,
7598 .disconn_cfm = l2cap_disconn_cfm,
7599 .security_cfm = l2cap_security_cfm,
7600 };
7601
l2cap_debugfs_show(struct seq_file * f,void * p)7602 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7603 {
7604 struct l2cap_chan *c;
7605
7606 read_lock(&chan_list_lock);
7607
7608 list_for_each_entry(c, &chan_list, global_l) {
7609 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7610 &c->src, c->src_type, &c->dst, c->dst_type,
7611 c->state, __le16_to_cpu(c->psm),
7612 c->scid, c->dcid, c->imtu, c->omtu,
7613 c->sec_level, c->mode);
7614 }
7615
7616 read_unlock(&chan_list_lock);
7617
7618 return 0;
7619 }
7620
7621 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7622
7623 static struct dentry *l2cap_debugfs;
7624
l2cap_init(void)7625 int __init l2cap_init(void)
7626 {
7627 int err;
7628
7629 err = l2cap_init_sockets();
7630 if (err < 0)
7631 return err;
7632
7633 hci_register_cb(&l2cap_cb);
7634
7635 if (IS_ERR_OR_NULL(bt_debugfs))
7636 return 0;
7637
7638 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7639 NULL, &l2cap_debugfs_fops);
7640
7641 return 0;
7642 }
7643
l2cap_exit(void)7644 void l2cap_exit(void)
7645 {
7646 debugfs_remove(l2cap_debugfs);
7647 hci_unregister_cb(&l2cap_cb);
7648 l2cap_cleanup_sockets();
7649 }
7650
7651 module_param(disable_ertm, bool, 0644);
7652 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
7653
7654 module_param(enable_ecred, bool, 0644);
7655 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
7656