1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved. 8 9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 10 11 This program is free software; you can redistribute it and/or modify 12 it under the terms of the GNU General Public License version 2 as 13 published by the Free Software Foundation; 14 15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 23 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 26 SOFTWARE IS DISCLAIMED. 27 */ 28 29 /* Bluetooth L2CAP core. */ 30 31 #include <linux/module.h> 32 33 #include <linux/debugfs.h> 34 #include <linux/crc16.h> 35 36 #include <net/bluetooth/bluetooth.h> 37 #include <net/bluetooth/hci_core.h> 38 #include <net/bluetooth/l2cap.h> 39 #include <net/bluetooth/smp.h> 40 #include <net/bluetooth/a2mp.h> 41 42 bool disable_ertm; 43 44 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN; 45 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, }; 46 47 static LIST_HEAD(chan_list); 48 static DEFINE_RWLOCK(chan_list_lock); 49 50 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 51 u8 code, u8 ident, u16 dlen, void *data); 52 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 53 void *data); 54 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data); 55 static void l2cap_send_disconn_req(struct l2cap_conn *conn, 56 struct l2cap_chan *chan, int err); 57 58 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 59 struct sk_buff_head *skbs, u8 event); 60 61 /* ---- L2CAP channels ---- */ 62 63 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) 64 { 65 struct l2cap_chan *c; 66 67 list_for_each_entry(c, &conn->chan_l, list) { 68 if (c->dcid == cid) 69 return c; 70 } 71 return NULL; 72 } 73 74 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid) 75 { 76 struct l2cap_chan *c; 77 78 list_for_each_entry(c, &conn->chan_l, list) { 79 if (c->scid == cid) 80 return c; 81 } 82 return NULL; 83 } 84 85 /* Find channel with given SCID. 86 * Returns locked channel. */ 87 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid) 88 { 89 struct l2cap_chan *c; 90 91 mutex_lock(&conn->chan_lock); 92 c = __l2cap_get_chan_by_scid(conn, cid); 93 if (c) 94 l2cap_chan_lock(c); 95 mutex_unlock(&conn->chan_lock); 96 97 return c; 98 } 99 100 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident) 101 { 102 struct l2cap_chan *c; 103 104 list_for_each_entry(c, &conn->chan_l, list) { 105 if (c->ident == ident) 106 return c; 107 } 108 return NULL; 109 } 110 111 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src) 112 { 113 struct l2cap_chan *c; 114 115 list_for_each_entry(c, &chan_list, global_l) { 116 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src)) 117 return c; 118 } 119 return NULL; 120 } 121 122 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm) 123 { 124 int err; 125 126 write_lock(&chan_list_lock); 127 128 if (psm && __l2cap_global_chan_by_addr(psm, src)) { 129 err = -EADDRINUSE; 130 goto done; 131 } 132 133 if (psm) { 134 chan->psm = psm; 135 chan->sport = psm; 136 err = 0; 137 } else { 138 u16 p; 139 140 err = -EINVAL; 141 for (p = 0x1001; p < 0x1100; p += 2) 142 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) { 143 chan->psm = cpu_to_le16(p); 144 chan->sport = cpu_to_le16(p); 145 err = 0; 146 break; 147 } 148 } 149 150 done: 151 write_unlock(&chan_list_lock); 152 return err; 153 } 154 155 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid) 156 { 157 write_lock(&chan_list_lock); 158 159 chan->scid = scid; 160 161 write_unlock(&chan_list_lock); 162 163 return 0; 164 } 165 166 static u16 l2cap_alloc_cid(struct l2cap_conn *conn) 167 { 168 u16 cid = L2CAP_CID_DYN_START; 169 170 for (; cid < L2CAP_CID_DYN_END; cid++) { 171 if (!__l2cap_get_chan_by_scid(conn, cid)) 172 return cid; 173 } 174 175 return 0; 176 } 177 178 static void __l2cap_state_change(struct l2cap_chan *chan, int state) 179 { 180 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state), 181 state_to_string(state)); 182 183 chan->state = state; 184 chan->ops->state_change(chan, state); 185 } 186 187 static void l2cap_state_change(struct l2cap_chan *chan, int state) 188 { 189 struct sock *sk = chan->sk; 190 191 lock_sock(sk); 192 __l2cap_state_change(chan, state); 193 release_sock(sk); 194 } 195 196 static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err) 197 { 198 struct sock *sk = chan->sk; 199 200 sk->sk_err = err; 201 } 202 203 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err) 204 { 205 struct sock *sk = chan->sk; 206 207 lock_sock(sk); 208 __l2cap_chan_set_err(chan, err); 209 release_sock(sk); 210 } 211 212 static void __set_retrans_timer(struct l2cap_chan *chan) 213 { 214 if (!delayed_work_pending(&chan->monitor_timer) && 215 chan->retrans_timeout) { 216 l2cap_set_timer(chan, &chan->retrans_timer, 217 msecs_to_jiffies(chan->retrans_timeout)); 218 } 219 } 220 221 static void __set_monitor_timer(struct l2cap_chan *chan) 222 { 223 __clear_retrans_timer(chan); 224 if (chan->monitor_timeout) { 225 l2cap_set_timer(chan, &chan->monitor_timer, 226 msecs_to_jiffies(chan->monitor_timeout)); 227 } 228 } 229 230 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head, 231 u16 seq) 232 { 233 struct sk_buff *skb; 234 235 skb_queue_walk(head, skb) { 236 if (bt_cb(skb)->control.txseq == seq) 237 return skb; 238 } 239 240 return NULL; 241 } 242 243 /* ---- L2CAP sequence number lists ---- */ 244 245 /* For ERTM, ordered lists of sequence numbers must be tracked for 246 * SREJ requests that are received and for frames that are to be 247 * retransmitted. These seq_list functions implement a singly-linked 248 * list in an array, where membership in the list can also be checked 249 * in constant time. Items can also be added to the tail of the list 250 * and removed from the head in constant time, without further memory 251 * allocs or frees. 252 */ 253 254 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size) 255 { 256 size_t alloc_size, i; 257 258 /* Allocated size is a power of 2 to map sequence numbers 259 * (which may be up to 14 bits) in to a smaller array that is 260 * sized for the negotiated ERTM transmit windows. 261 */ 262 alloc_size = roundup_pow_of_two(size); 263 264 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL); 265 if (!seq_list->list) 266 return -ENOMEM; 267 268 seq_list->mask = alloc_size - 1; 269 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 270 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 271 for (i = 0; i < alloc_size; i++) 272 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 273 274 return 0; 275 } 276 277 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list) 278 { 279 kfree(seq_list->list); 280 } 281 282 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list, 283 u16 seq) 284 { 285 /* Constant-time check for list membership */ 286 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR; 287 } 288 289 static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq) 290 { 291 u16 mask = seq_list->mask; 292 293 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) { 294 /* In case someone tries to pop the head of an empty list */ 295 return L2CAP_SEQ_LIST_CLEAR; 296 } else if (seq_list->head == seq) { 297 /* Head can be removed in constant time */ 298 seq_list->head = seq_list->list[seq & mask]; 299 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR; 300 301 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) { 302 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 303 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 304 } 305 } else { 306 /* Walk the list to find the sequence number */ 307 u16 prev = seq_list->head; 308 while (seq_list->list[prev & mask] != seq) { 309 prev = seq_list->list[prev & mask]; 310 if (prev == L2CAP_SEQ_LIST_TAIL) 311 return L2CAP_SEQ_LIST_CLEAR; 312 } 313 314 /* Unlink the number from the list and clear it */ 315 seq_list->list[prev & mask] = seq_list->list[seq & mask]; 316 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR; 317 if (seq_list->tail == seq) 318 seq_list->tail = prev; 319 } 320 return seq; 321 } 322 323 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list) 324 { 325 /* Remove the head in constant time */ 326 return l2cap_seq_list_remove(seq_list, seq_list->head); 327 } 328 329 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list) 330 { 331 u16 i; 332 333 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) 334 return; 335 336 for (i = 0; i <= seq_list->mask; i++) 337 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 338 339 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 341 } 342 343 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq) 344 { 345 u16 mask = seq_list->mask; 346 347 /* All appends happen in constant time */ 348 349 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR) 350 return; 351 352 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR) 353 seq_list->head = seq; 354 else 355 seq_list->list[seq_list->tail & mask] = seq; 356 357 seq_list->tail = seq; 358 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL; 359 } 360 361 static void l2cap_chan_timeout(struct work_struct *work) 362 { 363 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 364 chan_timer.work); 365 struct l2cap_conn *conn = chan->conn; 366 int reason; 367 368 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 369 370 mutex_lock(&conn->chan_lock); 371 l2cap_chan_lock(chan); 372 373 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) 374 reason = ECONNREFUSED; 375 else if (chan->state == BT_CONNECT && 376 chan->sec_level != BT_SECURITY_SDP) 377 reason = ECONNREFUSED; 378 else 379 reason = ETIMEDOUT; 380 381 l2cap_chan_close(chan, reason); 382 383 l2cap_chan_unlock(chan); 384 385 chan->ops->close(chan); 386 mutex_unlock(&conn->chan_lock); 387 388 l2cap_chan_put(chan); 389 } 390 391 struct l2cap_chan *l2cap_chan_create(void) 392 { 393 struct l2cap_chan *chan; 394 395 chan = kzalloc(sizeof(*chan), GFP_ATOMIC); 396 if (!chan) 397 return NULL; 398 399 mutex_init(&chan->lock); 400 401 write_lock(&chan_list_lock); 402 list_add(&chan->global_l, &chan_list); 403 write_unlock(&chan_list_lock); 404 405 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); 406 407 chan->state = BT_OPEN; 408 409 kref_init(&chan->kref); 410 411 /* This flag is cleared in l2cap_chan_ready() */ 412 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 413 414 BT_DBG("chan %p", chan); 415 416 return chan; 417 } 418 419 static void l2cap_chan_destroy(struct kref *kref) 420 { 421 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref); 422 423 BT_DBG("chan %p", chan); 424 425 write_lock(&chan_list_lock); 426 list_del(&chan->global_l); 427 write_unlock(&chan_list_lock); 428 429 kfree(chan); 430 } 431 432 void l2cap_chan_hold(struct l2cap_chan *c) 433 { 434 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount)); 435 436 kref_get(&c->kref); 437 } 438 439 void l2cap_chan_put(struct l2cap_chan *c) 440 { 441 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount)); 442 443 kref_put(&c->kref, l2cap_chan_destroy); 444 } 445 446 void l2cap_chan_set_defaults(struct l2cap_chan *chan) 447 { 448 chan->fcs = L2CAP_FCS_CRC16; 449 chan->max_tx = L2CAP_DEFAULT_MAX_TX; 450 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW; 451 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 452 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW; 453 chan->sec_level = BT_SECURITY_LOW; 454 455 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 456 } 457 458 static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 459 { 460 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 461 __le16_to_cpu(chan->psm), chan->dcid); 462 463 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 464 465 chan->conn = conn; 466 467 switch (chan->chan_type) { 468 case L2CAP_CHAN_CONN_ORIENTED: 469 if (conn->hcon->type == LE_LINK) { 470 /* LE connection */ 471 chan->omtu = L2CAP_DEFAULT_MTU; 472 chan->scid = L2CAP_CID_LE_DATA; 473 chan->dcid = L2CAP_CID_LE_DATA; 474 } else { 475 /* Alloc CID for connection-oriented socket */ 476 chan->scid = l2cap_alloc_cid(conn); 477 chan->omtu = L2CAP_DEFAULT_MTU; 478 } 479 break; 480 481 case L2CAP_CHAN_CONN_LESS: 482 /* Connectionless socket */ 483 chan->scid = L2CAP_CID_CONN_LESS; 484 chan->dcid = L2CAP_CID_CONN_LESS; 485 chan->omtu = L2CAP_DEFAULT_MTU; 486 break; 487 488 case L2CAP_CHAN_CONN_FIX_A2MP: 489 chan->scid = L2CAP_CID_A2MP; 490 chan->dcid = L2CAP_CID_A2MP; 491 chan->omtu = L2CAP_A2MP_DEFAULT_MTU; 492 chan->imtu = L2CAP_A2MP_DEFAULT_MTU; 493 break; 494 495 default: 496 /* Raw socket can send/recv signalling messages only */ 497 chan->scid = L2CAP_CID_SIGNALING; 498 chan->dcid = L2CAP_CID_SIGNALING; 499 chan->omtu = L2CAP_DEFAULT_MTU; 500 } 501 502 chan->local_id = L2CAP_BESTEFFORT_ID; 503 chan->local_stype = L2CAP_SERV_BESTEFFORT; 504 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE; 505 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME; 506 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT; 507 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO; 508 509 l2cap_chan_hold(chan); 510 511 list_add(&chan->list, &conn->chan_l); 512 } 513 514 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 515 { 516 mutex_lock(&conn->chan_lock); 517 __l2cap_chan_add(conn, chan); 518 mutex_unlock(&conn->chan_lock); 519 } 520 521 void l2cap_chan_del(struct l2cap_chan *chan, int err) 522 { 523 struct l2cap_conn *conn = chan->conn; 524 525 __clear_chan_timer(chan); 526 527 BT_DBG("chan %p, conn %p, err %d", chan, conn, err); 528 529 if (conn) { 530 /* Delete from channel list */ 531 list_del(&chan->list); 532 533 l2cap_chan_put(chan); 534 535 chan->conn = NULL; 536 537 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP) 538 hci_conn_put(conn->hcon); 539 } 540 541 if (chan->ops->teardown) 542 chan->ops->teardown(chan, err); 543 544 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state)) 545 return; 546 547 switch(chan->mode) { 548 case L2CAP_MODE_BASIC: 549 break; 550 551 case L2CAP_MODE_ERTM: 552 __clear_retrans_timer(chan); 553 __clear_monitor_timer(chan); 554 __clear_ack_timer(chan); 555 556 skb_queue_purge(&chan->srej_q); 557 558 l2cap_seq_list_free(&chan->srej_list); 559 l2cap_seq_list_free(&chan->retrans_list); 560 561 /* fall through */ 562 563 case L2CAP_MODE_STREAMING: 564 skb_queue_purge(&chan->tx_q); 565 break; 566 } 567 568 return; 569 } 570 571 void l2cap_chan_close(struct l2cap_chan *chan, int reason) 572 { 573 struct l2cap_conn *conn = chan->conn; 574 struct sock *sk = chan->sk; 575 576 BT_DBG("chan %p state %s sk %p", chan, 577 state_to_string(chan->state), sk); 578 579 switch (chan->state) { 580 case BT_LISTEN: 581 if (chan->ops->teardown) 582 chan->ops->teardown(chan, 0); 583 break; 584 585 case BT_CONNECTED: 586 case BT_CONFIG: 587 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && 588 conn->hcon->type == ACL_LINK) { 589 __set_chan_timer(chan, sk->sk_sndtimeo); 590 l2cap_send_disconn_req(conn, chan, reason); 591 } else 592 l2cap_chan_del(chan, reason); 593 break; 594 595 case BT_CONNECT2: 596 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && 597 conn->hcon->type == ACL_LINK) { 598 struct l2cap_conn_rsp rsp; 599 __u16 result; 600 601 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) 602 result = L2CAP_CR_SEC_BLOCK; 603 else 604 result = L2CAP_CR_BAD_PSM; 605 l2cap_state_change(chan, BT_DISCONN); 606 607 rsp.scid = cpu_to_le16(chan->dcid); 608 rsp.dcid = cpu_to_le16(chan->scid); 609 rsp.result = cpu_to_le16(result); 610 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO); 611 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 612 sizeof(rsp), &rsp); 613 } 614 615 l2cap_chan_del(chan, reason); 616 break; 617 618 case BT_CONNECT: 619 case BT_DISCONN: 620 l2cap_chan_del(chan, reason); 621 break; 622 623 default: 624 if (chan->ops->teardown) 625 chan->ops->teardown(chan, 0); 626 break; 627 } 628 } 629 630 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan) 631 { 632 if (chan->chan_type == L2CAP_CHAN_RAW) { 633 switch (chan->sec_level) { 634 case BT_SECURITY_HIGH: 635 return HCI_AT_DEDICATED_BONDING_MITM; 636 case BT_SECURITY_MEDIUM: 637 return HCI_AT_DEDICATED_BONDING; 638 default: 639 return HCI_AT_NO_BONDING; 640 } 641 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) { 642 if (chan->sec_level == BT_SECURITY_LOW) 643 chan->sec_level = BT_SECURITY_SDP; 644 645 if (chan->sec_level == BT_SECURITY_HIGH) 646 return HCI_AT_NO_BONDING_MITM; 647 else 648 return HCI_AT_NO_BONDING; 649 } else { 650 switch (chan->sec_level) { 651 case BT_SECURITY_HIGH: 652 return HCI_AT_GENERAL_BONDING_MITM; 653 case BT_SECURITY_MEDIUM: 654 return HCI_AT_GENERAL_BONDING; 655 default: 656 return HCI_AT_NO_BONDING; 657 } 658 } 659 } 660 661 /* Service level security */ 662 int l2cap_chan_check_security(struct l2cap_chan *chan) 663 { 664 struct l2cap_conn *conn = chan->conn; 665 __u8 auth_type; 666 667 auth_type = l2cap_get_auth_type(chan); 668 669 return hci_conn_security(conn->hcon, chan->sec_level, auth_type); 670 } 671 672 static u8 l2cap_get_ident(struct l2cap_conn *conn) 673 { 674 u8 id; 675 676 /* Get next available identificator. 677 * 1 - 128 are used by kernel. 678 * 129 - 199 are reserved. 679 * 200 - 254 are used by utilities like l2ping, etc. 680 */ 681 682 spin_lock(&conn->lock); 683 684 if (++conn->tx_ident > 128) 685 conn->tx_ident = 1; 686 687 id = conn->tx_ident; 688 689 spin_unlock(&conn->lock); 690 691 return id; 692 } 693 694 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data) 695 { 696 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 697 u8 flags; 698 699 BT_DBG("code 0x%2.2x", code); 700 701 if (!skb) 702 return; 703 704 if (lmp_no_flush_capable(conn->hcon->hdev)) 705 flags = ACL_START_NO_FLUSH; 706 else 707 flags = ACL_START; 708 709 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON; 710 skb->priority = HCI_PRIO_MAX; 711 712 hci_send_acl(conn->hchan, skb, flags); 713 } 714 715 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 716 { 717 struct hci_conn *hcon = chan->conn->hcon; 718 u16 flags; 719 720 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len, 721 skb->priority); 722 723 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) && 724 lmp_no_flush_capable(hcon->hdev)) 725 flags = ACL_START_NO_FLUSH; 726 else 727 flags = ACL_START; 728 729 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 730 hci_send_acl(chan->conn->hchan, skb, flags); 731 } 732 733 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control) 734 { 735 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT; 736 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT; 737 738 if (enh & L2CAP_CTRL_FRAME_TYPE) { 739 /* S-Frame */ 740 control->sframe = 1; 741 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT; 742 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT; 743 744 control->sar = 0; 745 control->txseq = 0; 746 } else { 747 /* I-Frame */ 748 control->sframe = 0; 749 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT; 750 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT; 751 752 control->poll = 0; 753 control->super = 0; 754 } 755 } 756 757 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control) 758 { 759 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT; 760 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT; 761 762 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) { 763 /* S-Frame */ 764 control->sframe = 1; 765 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT; 766 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT; 767 768 control->sar = 0; 769 control->txseq = 0; 770 } else { 771 /* I-Frame */ 772 control->sframe = 0; 773 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT; 774 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT; 775 776 control->poll = 0; 777 control->super = 0; 778 } 779 } 780 781 static inline void __unpack_control(struct l2cap_chan *chan, 782 struct sk_buff *skb) 783 { 784 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 785 __unpack_extended_control(get_unaligned_le32(skb->data), 786 &bt_cb(skb)->control); 787 skb_pull(skb, L2CAP_EXT_CTRL_SIZE); 788 } else { 789 __unpack_enhanced_control(get_unaligned_le16(skb->data), 790 &bt_cb(skb)->control); 791 skb_pull(skb, L2CAP_ENH_CTRL_SIZE); 792 } 793 } 794 795 static u32 __pack_extended_control(struct l2cap_ctrl *control) 796 { 797 u32 packed; 798 799 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT; 800 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT; 801 802 if (control->sframe) { 803 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT; 804 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT; 805 packed |= L2CAP_EXT_CTRL_FRAME_TYPE; 806 } else { 807 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT; 808 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT; 809 } 810 811 return packed; 812 } 813 814 static u16 __pack_enhanced_control(struct l2cap_ctrl *control) 815 { 816 u16 packed; 817 818 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT; 819 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT; 820 821 if (control->sframe) { 822 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT; 823 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT; 824 packed |= L2CAP_CTRL_FRAME_TYPE; 825 } else { 826 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT; 827 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT; 828 } 829 830 return packed; 831 } 832 833 static inline void __pack_control(struct l2cap_chan *chan, 834 struct l2cap_ctrl *control, 835 struct sk_buff *skb) 836 { 837 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 838 put_unaligned_le32(__pack_extended_control(control), 839 skb->data + L2CAP_HDR_SIZE); 840 } else { 841 put_unaligned_le16(__pack_enhanced_control(control), 842 skb->data + L2CAP_HDR_SIZE); 843 } 844 } 845 846 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan) 847 { 848 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 849 return L2CAP_EXT_HDR_SIZE; 850 else 851 return L2CAP_ENH_HDR_SIZE; 852 } 853 854 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan, 855 u32 control) 856 { 857 struct sk_buff *skb; 858 struct l2cap_hdr *lh; 859 int hlen = __ertm_hdr_size(chan); 860 861 if (chan->fcs == L2CAP_FCS_CRC16) 862 hlen += L2CAP_FCS_SIZE; 863 864 skb = bt_skb_alloc(hlen, GFP_KERNEL); 865 866 if (!skb) 867 return ERR_PTR(-ENOMEM); 868 869 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 870 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE); 871 lh->cid = cpu_to_le16(chan->dcid); 872 873 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 874 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 875 else 876 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 877 878 if (chan->fcs == L2CAP_FCS_CRC16) { 879 u16 fcs = crc16(0, (u8 *)skb->data, skb->len); 880 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 881 } 882 883 skb->priority = HCI_PRIO_MAX; 884 return skb; 885 } 886 887 static void l2cap_send_sframe(struct l2cap_chan *chan, 888 struct l2cap_ctrl *control) 889 { 890 struct sk_buff *skb; 891 u32 control_field; 892 893 BT_DBG("chan %p, control %p", chan, control); 894 895 if (!control->sframe) 896 return; 897 898 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) && 899 !control->poll) 900 control->final = 1; 901 902 if (control->super == L2CAP_SUPER_RR) 903 clear_bit(CONN_RNR_SENT, &chan->conn_state); 904 else if (control->super == L2CAP_SUPER_RNR) 905 set_bit(CONN_RNR_SENT, &chan->conn_state); 906 907 if (control->super != L2CAP_SUPER_SREJ) { 908 chan->last_acked_seq = control->reqseq; 909 __clear_ack_timer(chan); 910 } 911 912 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq, 913 control->final, control->poll, control->super); 914 915 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 916 control_field = __pack_extended_control(control); 917 else 918 control_field = __pack_enhanced_control(control); 919 920 skb = l2cap_create_sframe_pdu(chan, control_field); 921 if (!IS_ERR(skb)) 922 l2cap_do_send(chan, skb); 923 } 924 925 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll) 926 { 927 struct l2cap_ctrl control; 928 929 BT_DBG("chan %p, poll %d", chan, poll); 930 931 memset(&control, 0, sizeof(control)); 932 control.sframe = 1; 933 control.poll = poll; 934 935 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 936 control.super = L2CAP_SUPER_RNR; 937 else 938 control.super = L2CAP_SUPER_RR; 939 940 control.reqseq = chan->buffer_seq; 941 l2cap_send_sframe(chan, &control); 942 } 943 944 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 945 { 946 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state); 947 } 948 949 static void l2cap_send_conn_req(struct l2cap_chan *chan) 950 { 951 struct l2cap_conn *conn = chan->conn; 952 struct l2cap_conn_req req; 953 954 req.scid = cpu_to_le16(chan->scid); 955 req.psm = chan->psm; 956 957 chan->ident = l2cap_get_ident(conn); 958 959 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 960 961 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req); 962 } 963 964 static void l2cap_chan_ready(struct l2cap_chan *chan) 965 { 966 /* This clears all conf flags, including CONF_NOT_COMPLETE */ 967 chan->conf_state = 0; 968 __clear_chan_timer(chan); 969 970 chan->state = BT_CONNECTED; 971 972 chan->ops->ready(chan); 973 } 974 975 static void l2cap_do_start(struct l2cap_chan *chan) 976 { 977 struct l2cap_conn *conn = chan->conn; 978 979 if (conn->hcon->type == LE_LINK) { 980 l2cap_chan_ready(chan); 981 return; 982 } 983 984 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) { 985 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 986 return; 987 988 if (l2cap_chan_check_security(chan) && 989 __l2cap_no_conn_pending(chan)) 990 l2cap_send_conn_req(chan); 991 } else { 992 struct l2cap_info_req req; 993 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK); 994 995 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 996 conn->info_ident = l2cap_get_ident(conn); 997 998 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 999 1000 l2cap_send_cmd(conn, conn->info_ident, 1001 L2CAP_INFO_REQ, sizeof(req), &req); 1002 } 1003 } 1004 1005 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask) 1006 { 1007 u32 local_feat_mask = l2cap_feat_mask; 1008 if (!disable_ertm) 1009 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING; 1010 1011 switch (mode) { 1012 case L2CAP_MODE_ERTM: 1013 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask; 1014 case L2CAP_MODE_STREAMING: 1015 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask; 1016 default: 1017 return 0x00; 1018 } 1019 } 1020 1021 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err) 1022 { 1023 struct sock *sk = chan->sk; 1024 struct l2cap_disconn_req req; 1025 1026 if (!conn) 1027 return; 1028 1029 if (chan->mode == L2CAP_MODE_ERTM) { 1030 __clear_retrans_timer(chan); 1031 __clear_monitor_timer(chan); 1032 __clear_ack_timer(chan); 1033 } 1034 1035 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 1036 __l2cap_state_change(chan, BT_DISCONN); 1037 return; 1038 } 1039 1040 req.dcid = cpu_to_le16(chan->dcid); 1041 req.scid = cpu_to_le16(chan->scid); 1042 l2cap_send_cmd(conn, l2cap_get_ident(conn), 1043 L2CAP_DISCONN_REQ, sizeof(req), &req); 1044 1045 lock_sock(sk); 1046 __l2cap_state_change(chan, BT_DISCONN); 1047 __l2cap_chan_set_err(chan, err); 1048 release_sock(sk); 1049 } 1050 1051 /* ---- L2CAP connections ---- */ 1052 static void l2cap_conn_start(struct l2cap_conn *conn) 1053 { 1054 struct l2cap_chan *chan, *tmp; 1055 1056 BT_DBG("conn %p", conn); 1057 1058 mutex_lock(&conn->chan_lock); 1059 1060 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 1061 struct sock *sk = chan->sk; 1062 1063 l2cap_chan_lock(chan); 1064 1065 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1066 l2cap_chan_unlock(chan); 1067 continue; 1068 } 1069 1070 if (chan->state == BT_CONNECT) { 1071 if (!l2cap_chan_check_security(chan) || 1072 !__l2cap_no_conn_pending(chan)) { 1073 l2cap_chan_unlock(chan); 1074 continue; 1075 } 1076 1077 if (!l2cap_mode_supported(chan->mode, conn->feat_mask) 1078 && test_bit(CONF_STATE2_DEVICE, 1079 &chan->conf_state)) { 1080 l2cap_chan_close(chan, ECONNRESET); 1081 l2cap_chan_unlock(chan); 1082 continue; 1083 } 1084 1085 l2cap_send_conn_req(chan); 1086 1087 } else if (chan->state == BT_CONNECT2) { 1088 struct l2cap_conn_rsp rsp; 1089 char buf[128]; 1090 rsp.scid = cpu_to_le16(chan->dcid); 1091 rsp.dcid = cpu_to_le16(chan->scid); 1092 1093 if (l2cap_chan_check_security(chan)) { 1094 lock_sock(sk); 1095 if (test_bit(BT_SK_DEFER_SETUP, 1096 &bt_sk(sk)->flags)) { 1097 struct sock *parent = bt_sk(sk)->parent; 1098 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND); 1099 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND); 1100 if (parent) 1101 parent->sk_data_ready(parent, 0); 1102 1103 } else { 1104 __l2cap_state_change(chan, BT_CONFIG); 1105 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS); 1106 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO); 1107 } 1108 release_sock(sk); 1109 } else { 1110 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND); 1111 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND); 1112 } 1113 1114 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 1115 sizeof(rsp), &rsp); 1116 1117 if (test_bit(CONF_REQ_SENT, &chan->conf_state) || 1118 rsp.result != L2CAP_CR_SUCCESS) { 1119 l2cap_chan_unlock(chan); 1120 continue; 1121 } 1122 1123 set_bit(CONF_REQ_SENT, &chan->conf_state); 1124 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 1125 l2cap_build_conf_req(chan, buf), buf); 1126 chan->num_conf_req++; 1127 } 1128 1129 l2cap_chan_unlock(chan); 1130 } 1131 1132 mutex_unlock(&conn->chan_lock); 1133 } 1134 1135 /* Find socket with cid and source/destination bdaddr. 1136 * Returns closest match, locked. 1137 */ 1138 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid, 1139 bdaddr_t *src, 1140 bdaddr_t *dst) 1141 { 1142 struct l2cap_chan *c, *c1 = NULL; 1143 1144 read_lock(&chan_list_lock); 1145 1146 list_for_each_entry(c, &chan_list, global_l) { 1147 struct sock *sk = c->sk; 1148 1149 if (state && c->state != state) 1150 continue; 1151 1152 if (c->scid == cid) { 1153 int src_match, dst_match; 1154 int src_any, dst_any; 1155 1156 /* Exact match. */ 1157 src_match = !bacmp(&bt_sk(sk)->src, src); 1158 dst_match = !bacmp(&bt_sk(sk)->dst, dst); 1159 if (src_match && dst_match) { 1160 read_unlock(&chan_list_lock); 1161 return c; 1162 } 1163 1164 /* Closest match */ 1165 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY); 1166 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY); 1167 if ((src_match && dst_any) || (src_any && dst_match) || 1168 (src_any && dst_any)) 1169 c1 = c; 1170 } 1171 } 1172 1173 read_unlock(&chan_list_lock); 1174 1175 return c1; 1176 } 1177 1178 static void l2cap_le_conn_ready(struct l2cap_conn *conn) 1179 { 1180 struct sock *parent, *sk; 1181 struct l2cap_chan *chan, *pchan; 1182 1183 BT_DBG(""); 1184 1185 /* Check if we have socket listening on cid */ 1186 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA, 1187 conn->src, conn->dst); 1188 if (!pchan) 1189 return; 1190 1191 parent = pchan->sk; 1192 1193 lock_sock(parent); 1194 1195 chan = pchan->ops->new_connection(pchan); 1196 if (!chan) 1197 goto clean; 1198 1199 sk = chan->sk; 1200 1201 hci_conn_hold(conn->hcon); 1202 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 1203 1204 bacpy(&bt_sk(sk)->src, conn->src); 1205 bacpy(&bt_sk(sk)->dst, conn->dst); 1206 1207 bt_accept_enqueue(parent, sk); 1208 1209 l2cap_chan_add(conn, chan); 1210 1211 l2cap_chan_ready(chan); 1212 1213 clean: 1214 release_sock(parent); 1215 } 1216 1217 static void l2cap_conn_ready(struct l2cap_conn *conn) 1218 { 1219 struct l2cap_chan *chan; 1220 struct hci_conn *hcon = conn->hcon; 1221 1222 BT_DBG("conn %p", conn); 1223 1224 if (!hcon->out && hcon->type == LE_LINK) 1225 l2cap_le_conn_ready(conn); 1226 1227 if (hcon->out && hcon->type == LE_LINK) 1228 smp_conn_security(hcon, hcon->pending_sec_level); 1229 1230 mutex_lock(&conn->chan_lock); 1231 1232 list_for_each_entry(chan, &conn->chan_l, list) { 1233 1234 l2cap_chan_lock(chan); 1235 1236 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 1237 l2cap_chan_unlock(chan); 1238 continue; 1239 } 1240 1241 if (hcon->type == LE_LINK) { 1242 if (smp_conn_security(hcon, chan->sec_level)) 1243 l2cap_chan_ready(chan); 1244 1245 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1246 struct sock *sk = chan->sk; 1247 __clear_chan_timer(chan); 1248 lock_sock(sk); 1249 __l2cap_state_change(chan, BT_CONNECTED); 1250 sk->sk_state_change(sk); 1251 release_sock(sk); 1252 1253 } else if (chan->state == BT_CONNECT) 1254 l2cap_do_start(chan); 1255 1256 l2cap_chan_unlock(chan); 1257 } 1258 1259 mutex_unlock(&conn->chan_lock); 1260 } 1261 1262 /* Notify sockets that we cannot guaranty reliability anymore */ 1263 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err) 1264 { 1265 struct l2cap_chan *chan; 1266 1267 BT_DBG("conn %p", conn); 1268 1269 mutex_lock(&conn->chan_lock); 1270 1271 list_for_each_entry(chan, &conn->chan_l, list) { 1272 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 1273 __l2cap_chan_set_err(chan, err); 1274 } 1275 1276 mutex_unlock(&conn->chan_lock); 1277 } 1278 1279 static void l2cap_info_timeout(struct work_struct *work) 1280 { 1281 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 1282 info_timer.work); 1283 1284 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 1285 conn->info_ident = 0; 1286 1287 l2cap_conn_start(conn); 1288 } 1289 1290 static void l2cap_conn_del(struct hci_conn *hcon, int err) 1291 { 1292 struct l2cap_conn *conn = hcon->l2cap_data; 1293 struct l2cap_chan *chan, *l; 1294 1295 if (!conn) 1296 return; 1297 1298 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 1299 1300 kfree_skb(conn->rx_skb); 1301 1302 mutex_lock(&conn->chan_lock); 1303 1304 /* Kill channels */ 1305 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 1306 l2cap_chan_hold(chan); 1307 l2cap_chan_lock(chan); 1308 1309 l2cap_chan_del(chan, err); 1310 1311 l2cap_chan_unlock(chan); 1312 1313 chan->ops->close(chan); 1314 l2cap_chan_put(chan); 1315 } 1316 1317 mutex_unlock(&conn->chan_lock); 1318 1319 hci_chan_del(conn->hchan); 1320 1321 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1322 cancel_delayed_work_sync(&conn->info_timer); 1323 1324 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) { 1325 cancel_delayed_work_sync(&conn->security_timer); 1326 smp_chan_destroy(conn); 1327 } 1328 1329 hcon->l2cap_data = NULL; 1330 kfree(conn); 1331 } 1332 1333 static void security_timeout(struct work_struct *work) 1334 { 1335 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 1336 security_timer.work); 1337 1338 BT_DBG("conn %p", conn); 1339 1340 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) { 1341 smp_chan_destroy(conn); 1342 l2cap_conn_del(conn->hcon, ETIMEDOUT); 1343 } 1344 } 1345 1346 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status) 1347 { 1348 struct l2cap_conn *conn = hcon->l2cap_data; 1349 struct hci_chan *hchan; 1350 1351 if (conn || status) 1352 return conn; 1353 1354 hchan = hci_chan_create(hcon); 1355 if (!hchan) 1356 return NULL; 1357 1358 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC); 1359 if (!conn) { 1360 hci_chan_del(hchan); 1361 return NULL; 1362 } 1363 1364 hcon->l2cap_data = conn; 1365 conn->hcon = hcon; 1366 conn->hchan = hchan; 1367 1368 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan); 1369 1370 if (hcon->hdev->le_mtu && hcon->type == LE_LINK) 1371 conn->mtu = hcon->hdev->le_mtu; 1372 else 1373 conn->mtu = hcon->hdev->acl_mtu; 1374 1375 conn->src = &hcon->hdev->bdaddr; 1376 conn->dst = &hcon->dst; 1377 1378 conn->feat_mask = 0; 1379 1380 spin_lock_init(&conn->lock); 1381 mutex_init(&conn->chan_lock); 1382 1383 INIT_LIST_HEAD(&conn->chan_l); 1384 1385 if (hcon->type == LE_LINK) 1386 INIT_DELAYED_WORK(&conn->security_timer, security_timeout); 1387 else 1388 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout); 1389 1390 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 1391 1392 return conn; 1393 } 1394 1395 /* ---- Socket interface ---- */ 1396 1397 /* Find socket with psm and source / destination bdaddr. 1398 * Returns closest match. 1399 */ 1400 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, 1401 bdaddr_t *src, 1402 bdaddr_t *dst) 1403 { 1404 struct l2cap_chan *c, *c1 = NULL; 1405 1406 read_lock(&chan_list_lock); 1407 1408 list_for_each_entry(c, &chan_list, global_l) { 1409 struct sock *sk = c->sk; 1410 1411 if (state && c->state != state) 1412 continue; 1413 1414 if (c->psm == psm) { 1415 int src_match, dst_match; 1416 int src_any, dst_any; 1417 1418 /* Exact match. */ 1419 src_match = !bacmp(&bt_sk(sk)->src, src); 1420 dst_match = !bacmp(&bt_sk(sk)->dst, dst); 1421 if (src_match && dst_match) { 1422 read_unlock(&chan_list_lock); 1423 return c; 1424 } 1425 1426 /* Closest match */ 1427 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY); 1428 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY); 1429 if ((src_match && dst_any) || (src_any && dst_match) || 1430 (src_any && dst_any)) 1431 c1 = c; 1432 } 1433 } 1434 1435 read_unlock(&chan_list_lock); 1436 1437 return c1; 1438 } 1439 1440 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, 1441 bdaddr_t *dst, u8 dst_type) 1442 { 1443 struct sock *sk = chan->sk; 1444 bdaddr_t *src = &bt_sk(sk)->src; 1445 struct l2cap_conn *conn; 1446 struct hci_conn *hcon; 1447 struct hci_dev *hdev; 1448 __u8 auth_type; 1449 int err; 1450 1451 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst), 1452 dst_type, __le16_to_cpu(psm)); 1453 1454 hdev = hci_get_route(dst, src); 1455 if (!hdev) 1456 return -EHOSTUNREACH; 1457 1458 hci_dev_lock(hdev); 1459 1460 l2cap_chan_lock(chan); 1461 1462 /* PSM must be odd and lsb of upper byte must be 0 */ 1463 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid && 1464 chan->chan_type != L2CAP_CHAN_RAW) { 1465 err = -EINVAL; 1466 goto done; 1467 } 1468 1469 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) { 1470 err = -EINVAL; 1471 goto done; 1472 } 1473 1474 switch (chan->mode) { 1475 case L2CAP_MODE_BASIC: 1476 break; 1477 case L2CAP_MODE_ERTM: 1478 case L2CAP_MODE_STREAMING: 1479 if (!disable_ertm) 1480 break; 1481 /* fall through */ 1482 default: 1483 err = -ENOTSUPP; 1484 goto done; 1485 } 1486 1487 switch (chan->state) { 1488 case BT_CONNECT: 1489 case BT_CONNECT2: 1490 case BT_CONFIG: 1491 /* Already connecting */ 1492 err = 0; 1493 goto done; 1494 1495 case BT_CONNECTED: 1496 /* Already connected */ 1497 err = -EISCONN; 1498 goto done; 1499 1500 case BT_OPEN: 1501 case BT_BOUND: 1502 /* Can connect */ 1503 break; 1504 1505 default: 1506 err = -EBADFD; 1507 goto done; 1508 } 1509 1510 /* Set destination address and psm */ 1511 lock_sock(sk); 1512 bacpy(&bt_sk(sk)->dst, dst); 1513 release_sock(sk); 1514 1515 chan->psm = psm; 1516 chan->dcid = cid; 1517 1518 auth_type = l2cap_get_auth_type(chan); 1519 1520 if (chan->dcid == L2CAP_CID_LE_DATA) 1521 hcon = hci_connect(hdev, LE_LINK, dst, dst_type, 1522 chan->sec_level, auth_type); 1523 else 1524 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type, 1525 chan->sec_level, auth_type); 1526 1527 if (IS_ERR(hcon)) { 1528 err = PTR_ERR(hcon); 1529 goto done; 1530 } 1531 1532 conn = l2cap_conn_add(hcon, 0); 1533 if (!conn) { 1534 hci_conn_put(hcon); 1535 err = -ENOMEM; 1536 goto done; 1537 } 1538 1539 if (hcon->type == LE_LINK) { 1540 err = 0; 1541 1542 if (!list_empty(&conn->chan_l)) { 1543 err = -EBUSY; 1544 hci_conn_put(hcon); 1545 } 1546 1547 if (err) 1548 goto done; 1549 } 1550 1551 /* Update source addr of the socket */ 1552 bacpy(src, conn->src); 1553 1554 l2cap_chan_unlock(chan); 1555 l2cap_chan_add(conn, chan); 1556 l2cap_chan_lock(chan); 1557 1558 l2cap_state_change(chan, BT_CONNECT); 1559 __set_chan_timer(chan, sk->sk_sndtimeo); 1560 1561 if (hcon->state == BT_CONNECTED) { 1562 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1563 __clear_chan_timer(chan); 1564 if (l2cap_chan_check_security(chan)) 1565 l2cap_state_change(chan, BT_CONNECTED); 1566 } else 1567 l2cap_do_start(chan); 1568 } 1569 1570 err = 0; 1571 1572 done: 1573 l2cap_chan_unlock(chan); 1574 hci_dev_unlock(hdev); 1575 hci_dev_put(hdev); 1576 return err; 1577 } 1578 1579 int __l2cap_wait_ack(struct sock *sk) 1580 { 1581 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1582 DECLARE_WAITQUEUE(wait, current); 1583 int err = 0; 1584 int timeo = HZ/5; 1585 1586 add_wait_queue(sk_sleep(sk), &wait); 1587 set_current_state(TASK_INTERRUPTIBLE); 1588 while (chan->unacked_frames > 0 && chan->conn) { 1589 if (!timeo) 1590 timeo = HZ/5; 1591 1592 if (signal_pending(current)) { 1593 err = sock_intr_errno(timeo); 1594 break; 1595 } 1596 1597 release_sock(sk); 1598 timeo = schedule_timeout(timeo); 1599 lock_sock(sk); 1600 set_current_state(TASK_INTERRUPTIBLE); 1601 1602 err = sock_error(sk); 1603 if (err) 1604 break; 1605 } 1606 set_current_state(TASK_RUNNING); 1607 remove_wait_queue(sk_sleep(sk), &wait); 1608 return err; 1609 } 1610 1611 static void l2cap_monitor_timeout(struct work_struct *work) 1612 { 1613 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1614 monitor_timer.work); 1615 1616 BT_DBG("chan %p", chan); 1617 1618 l2cap_chan_lock(chan); 1619 1620 if (!chan->conn) { 1621 l2cap_chan_unlock(chan); 1622 l2cap_chan_put(chan); 1623 return; 1624 } 1625 1626 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO); 1627 1628 l2cap_chan_unlock(chan); 1629 l2cap_chan_put(chan); 1630 } 1631 1632 static void l2cap_retrans_timeout(struct work_struct *work) 1633 { 1634 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1635 retrans_timer.work); 1636 1637 BT_DBG("chan %p", chan); 1638 1639 l2cap_chan_lock(chan); 1640 1641 if (!chan->conn) { 1642 l2cap_chan_unlock(chan); 1643 l2cap_chan_put(chan); 1644 return; 1645 } 1646 1647 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO); 1648 l2cap_chan_unlock(chan); 1649 l2cap_chan_put(chan); 1650 } 1651 1652 static void l2cap_streaming_send(struct l2cap_chan *chan, 1653 struct sk_buff_head *skbs) 1654 { 1655 struct sk_buff *skb; 1656 struct l2cap_ctrl *control; 1657 1658 BT_DBG("chan %p, skbs %p", chan, skbs); 1659 1660 skb_queue_splice_tail_init(skbs, &chan->tx_q); 1661 1662 while (!skb_queue_empty(&chan->tx_q)) { 1663 1664 skb = skb_dequeue(&chan->tx_q); 1665 1666 bt_cb(skb)->control.retries = 1; 1667 control = &bt_cb(skb)->control; 1668 1669 control->reqseq = 0; 1670 control->txseq = chan->next_tx_seq; 1671 1672 __pack_control(chan, control, skb); 1673 1674 if (chan->fcs == L2CAP_FCS_CRC16) { 1675 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 1676 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1677 } 1678 1679 l2cap_do_send(chan, skb); 1680 1681 BT_DBG("Sent txseq %u", control->txseq); 1682 1683 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 1684 chan->frames_sent++; 1685 } 1686 } 1687 1688 static int l2cap_ertm_send(struct l2cap_chan *chan) 1689 { 1690 struct sk_buff *skb, *tx_skb; 1691 struct l2cap_ctrl *control; 1692 int sent = 0; 1693 1694 BT_DBG("chan %p", chan); 1695 1696 if (chan->state != BT_CONNECTED) 1697 return -ENOTCONN; 1698 1699 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 1700 return 0; 1701 1702 while (chan->tx_send_head && 1703 chan->unacked_frames < chan->remote_tx_win && 1704 chan->tx_state == L2CAP_TX_STATE_XMIT) { 1705 1706 skb = chan->tx_send_head; 1707 1708 bt_cb(skb)->control.retries = 1; 1709 control = &bt_cb(skb)->control; 1710 1711 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 1712 control->final = 1; 1713 1714 control->reqseq = chan->buffer_seq; 1715 chan->last_acked_seq = chan->buffer_seq; 1716 control->txseq = chan->next_tx_seq; 1717 1718 __pack_control(chan, control, skb); 1719 1720 if (chan->fcs == L2CAP_FCS_CRC16) { 1721 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 1722 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1723 } 1724 1725 /* Clone after data has been modified. Data is assumed to be 1726 read-only (for locking purposes) on cloned sk_buffs. 1727 */ 1728 tx_skb = skb_clone(skb, GFP_KERNEL); 1729 1730 if (!tx_skb) 1731 break; 1732 1733 __set_retrans_timer(chan); 1734 1735 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 1736 chan->unacked_frames++; 1737 chan->frames_sent++; 1738 sent++; 1739 1740 if (skb_queue_is_last(&chan->tx_q, skb)) 1741 chan->tx_send_head = NULL; 1742 else 1743 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb); 1744 1745 l2cap_do_send(chan, tx_skb); 1746 BT_DBG("Sent txseq %u", control->txseq); 1747 } 1748 1749 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent, 1750 chan->unacked_frames, skb_queue_len(&chan->tx_q)); 1751 1752 return sent; 1753 } 1754 1755 static void l2cap_ertm_resend(struct l2cap_chan *chan) 1756 { 1757 struct l2cap_ctrl control; 1758 struct sk_buff *skb; 1759 struct sk_buff *tx_skb; 1760 u16 seq; 1761 1762 BT_DBG("chan %p", chan); 1763 1764 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 1765 return; 1766 1767 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) { 1768 seq = l2cap_seq_list_pop(&chan->retrans_list); 1769 1770 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq); 1771 if (!skb) { 1772 BT_DBG("Error: Can't retransmit seq %d, frame missing", 1773 seq); 1774 continue; 1775 } 1776 1777 bt_cb(skb)->control.retries++; 1778 control = bt_cb(skb)->control; 1779 1780 if (chan->max_tx != 0 && 1781 bt_cb(skb)->control.retries > chan->max_tx) { 1782 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 1783 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 1784 l2cap_seq_list_clear(&chan->retrans_list); 1785 break; 1786 } 1787 1788 control.reqseq = chan->buffer_seq; 1789 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 1790 control.final = 1; 1791 else 1792 control.final = 0; 1793 1794 if (skb_cloned(skb)) { 1795 /* Cloned sk_buffs are read-only, so we need a 1796 * writeable copy 1797 */ 1798 tx_skb = skb_copy(skb, GFP_ATOMIC); 1799 } else { 1800 tx_skb = skb_clone(skb, GFP_ATOMIC); 1801 } 1802 1803 if (!tx_skb) { 1804 l2cap_seq_list_clear(&chan->retrans_list); 1805 break; 1806 } 1807 1808 /* Update skb contents */ 1809 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1810 put_unaligned_le32(__pack_extended_control(&control), 1811 tx_skb->data + L2CAP_HDR_SIZE); 1812 } else { 1813 put_unaligned_le16(__pack_enhanced_control(&control), 1814 tx_skb->data + L2CAP_HDR_SIZE); 1815 } 1816 1817 if (chan->fcs == L2CAP_FCS_CRC16) { 1818 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len); 1819 put_unaligned_le16(fcs, skb_put(tx_skb, 1820 L2CAP_FCS_SIZE)); 1821 } 1822 1823 l2cap_do_send(chan, tx_skb); 1824 1825 BT_DBG("Resent txseq %d", control.txseq); 1826 1827 chan->last_acked_seq = chan->buffer_seq; 1828 } 1829 } 1830 1831 static void l2cap_retransmit(struct l2cap_chan *chan, 1832 struct l2cap_ctrl *control) 1833 { 1834 BT_DBG("chan %p, control %p", chan, control); 1835 1836 l2cap_seq_list_append(&chan->retrans_list, control->reqseq); 1837 l2cap_ertm_resend(chan); 1838 } 1839 1840 static void l2cap_retransmit_all(struct l2cap_chan *chan, 1841 struct l2cap_ctrl *control) 1842 { 1843 struct sk_buff *skb; 1844 1845 BT_DBG("chan %p, control %p", chan, control); 1846 1847 if (control->poll) 1848 set_bit(CONN_SEND_FBIT, &chan->conn_state); 1849 1850 l2cap_seq_list_clear(&chan->retrans_list); 1851 1852 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 1853 return; 1854 1855 if (chan->unacked_frames) { 1856 skb_queue_walk(&chan->tx_q, skb) { 1857 if (bt_cb(skb)->control.txseq == control->reqseq || 1858 skb == chan->tx_send_head) 1859 break; 1860 } 1861 1862 skb_queue_walk_from(&chan->tx_q, skb) { 1863 if (skb == chan->tx_send_head) 1864 break; 1865 1866 l2cap_seq_list_append(&chan->retrans_list, 1867 bt_cb(skb)->control.txseq); 1868 } 1869 1870 l2cap_ertm_resend(chan); 1871 } 1872 } 1873 1874 static void l2cap_send_ack(struct l2cap_chan *chan) 1875 { 1876 struct l2cap_ctrl control; 1877 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 1878 chan->last_acked_seq); 1879 int threshold; 1880 1881 BT_DBG("chan %p last_acked_seq %d buffer_seq %d", 1882 chan, chan->last_acked_seq, chan->buffer_seq); 1883 1884 memset(&control, 0, sizeof(control)); 1885 control.sframe = 1; 1886 1887 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 1888 chan->rx_state == L2CAP_RX_STATE_RECV) { 1889 __clear_ack_timer(chan); 1890 control.super = L2CAP_SUPER_RNR; 1891 control.reqseq = chan->buffer_seq; 1892 l2cap_send_sframe(chan, &control); 1893 } else { 1894 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) { 1895 l2cap_ertm_send(chan); 1896 /* If any i-frames were sent, they included an ack */ 1897 if (chan->buffer_seq == chan->last_acked_seq) 1898 frames_to_ack = 0; 1899 } 1900 1901 /* Ack now if the window is 3/4ths full. 1902 * Calculate without mul or div 1903 */ 1904 threshold = chan->ack_win; 1905 threshold += threshold << 1; 1906 threshold >>= 2; 1907 1908 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack, 1909 threshold); 1910 1911 if (frames_to_ack >= threshold) { 1912 __clear_ack_timer(chan); 1913 control.super = L2CAP_SUPER_RR; 1914 control.reqseq = chan->buffer_seq; 1915 l2cap_send_sframe(chan, &control); 1916 frames_to_ack = 0; 1917 } 1918 1919 if (frames_to_ack) 1920 __set_ack_timer(chan); 1921 } 1922 } 1923 1924 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, 1925 struct msghdr *msg, int len, 1926 int count, struct sk_buff *skb) 1927 { 1928 struct l2cap_conn *conn = chan->conn; 1929 struct sk_buff **frag; 1930 int sent = 0; 1931 1932 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count)) 1933 return -EFAULT; 1934 1935 sent += count; 1936 len -= count; 1937 1938 /* Continuation fragments (no L2CAP header) */ 1939 frag = &skb_shinfo(skb)->frag_list; 1940 while (len) { 1941 struct sk_buff *tmp; 1942 1943 count = min_t(unsigned int, conn->mtu, len); 1944 1945 tmp = chan->ops->alloc_skb(chan, count, 1946 msg->msg_flags & MSG_DONTWAIT); 1947 if (IS_ERR(tmp)) 1948 return PTR_ERR(tmp); 1949 1950 *frag = tmp; 1951 1952 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count)) 1953 return -EFAULT; 1954 1955 (*frag)->priority = skb->priority; 1956 1957 sent += count; 1958 len -= count; 1959 1960 skb->len += (*frag)->len; 1961 skb->data_len += (*frag)->len; 1962 1963 frag = &(*frag)->next; 1964 } 1965 1966 return sent; 1967 } 1968 1969 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, 1970 struct msghdr *msg, size_t len, 1971 u32 priority) 1972 { 1973 struct l2cap_conn *conn = chan->conn; 1974 struct sk_buff *skb; 1975 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE; 1976 struct l2cap_hdr *lh; 1977 1978 BT_DBG("chan %p len %zu priority %u", chan, len, priority); 1979 1980 count = min_t(unsigned int, (conn->mtu - hlen), len); 1981 1982 skb = chan->ops->alloc_skb(chan, count + hlen, 1983 msg->msg_flags & MSG_DONTWAIT); 1984 if (IS_ERR(skb)) 1985 return skb; 1986 1987 skb->priority = priority; 1988 1989 /* Create L2CAP header */ 1990 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 1991 lh->cid = cpu_to_le16(chan->dcid); 1992 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE); 1993 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE)); 1994 1995 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 1996 if (unlikely(err < 0)) { 1997 kfree_skb(skb); 1998 return ERR_PTR(err); 1999 } 2000 return skb; 2001 } 2002 2003 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, 2004 struct msghdr *msg, size_t len, 2005 u32 priority) 2006 { 2007 struct l2cap_conn *conn = chan->conn; 2008 struct sk_buff *skb; 2009 int err, count; 2010 struct l2cap_hdr *lh; 2011 2012 BT_DBG("chan %p len %zu", chan, len); 2013 2014 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len); 2015 2016 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE, 2017 msg->msg_flags & MSG_DONTWAIT); 2018 if (IS_ERR(skb)) 2019 return skb; 2020 2021 skb->priority = priority; 2022 2023 /* Create L2CAP header */ 2024 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 2025 lh->cid = cpu_to_le16(chan->dcid); 2026 lh->len = cpu_to_le16(len); 2027 2028 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2029 if (unlikely(err < 0)) { 2030 kfree_skb(skb); 2031 return ERR_PTR(err); 2032 } 2033 return skb; 2034 } 2035 2036 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, 2037 struct msghdr *msg, size_t len, 2038 u16 sdulen) 2039 { 2040 struct l2cap_conn *conn = chan->conn; 2041 struct sk_buff *skb; 2042 int err, count, hlen; 2043 struct l2cap_hdr *lh; 2044 2045 BT_DBG("chan %p len %zu", chan, len); 2046 2047 if (!conn) 2048 return ERR_PTR(-ENOTCONN); 2049 2050 hlen = __ertm_hdr_size(chan); 2051 2052 if (sdulen) 2053 hlen += L2CAP_SDULEN_SIZE; 2054 2055 if (chan->fcs == L2CAP_FCS_CRC16) 2056 hlen += L2CAP_FCS_SIZE; 2057 2058 count = min_t(unsigned int, (conn->mtu - hlen), len); 2059 2060 skb = chan->ops->alloc_skb(chan, count + hlen, 2061 msg->msg_flags & MSG_DONTWAIT); 2062 if (IS_ERR(skb)) 2063 return skb; 2064 2065 /* Create L2CAP header */ 2066 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 2067 lh->cid = cpu_to_le16(chan->dcid); 2068 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2069 2070 /* Control header is populated later */ 2071 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 2072 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 2073 else 2074 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 2075 2076 if (sdulen) 2077 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2078 2079 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2080 if (unlikely(err < 0)) { 2081 kfree_skb(skb); 2082 return ERR_PTR(err); 2083 } 2084 2085 bt_cb(skb)->control.fcs = chan->fcs; 2086 bt_cb(skb)->control.retries = 0; 2087 return skb; 2088 } 2089 2090 static int l2cap_segment_sdu(struct l2cap_chan *chan, 2091 struct sk_buff_head *seg_queue, 2092 struct msghdr *msg, size_t len) 2093 { 2094 struct sk_buff *skb; 2095 u16 sdu_len; 2096 size_t pdu_len; 2097 u8 sar; 2098 2099 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2100 2101 /* It is critical that ERTM PDUs fit in a single HCI fragment, 2102 * so fragmented skbs are not used. The HCI layer's handling 2103 * of fragmented skbs is not compatible with ERTM's queueing. 2104 */ 2105 2106 /* PDU size is derived from the HCI MTU */ 2107 pdu_len = chan->conn->mtu; 2108 2109 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD); 2110 2111 /* Adjust for largest possible L2CAP overhead. */ 2112 if (chan->fcs) 2113 pdu_len -= L2CAP_FCS_SIZE; 2114 2115 pdu_len -= __ertm_hdr_size(chan); 2116 2117 /* Remote device may have requested smaller PDUs */ 2118 pdu_len = min_t(size_t, pdu_len, chan->remote_mps); 2119 2120 if (len <= pdu_len) { 2121 sar = L2CAP_SAR_UNSEGMENTED; 2122 sdu_len = 0; 2123 pdu_len = len; 2124 } else { 2125 sar = L2CAP_SAR_START; 2126 sdu_len = len; 2127 pdu_len -= L2CAP_SDULEN_SIZE; 2128 } 2129 2130 while (len > 0) { 2131 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len); 2132 2133 if (IS_ERR(skb)) { 2134 __skb_queue_purge(seg_queue); 2135 return PTR_ERR(skb); 2136 } 2137 2138 bt_cb(skb)->control.sar = sar; 2139 __skb_queue_tail(seg_queue, skb); 2140 2141 len -= pdu_len; 2142 if (sdu_len) { 2143 sdu_len = 0; 2144 pdu_len += L2CAP_SDULEN_SIZE; 2145 } 2146 2147 if (len <= pdu_len) { 2148 sar = L2CAP_SAR_END; 2149 pdu_len = len; 2150 } else { 2151 sar = L2CAP_SAR_CONTINUE; 2152 } 2153 } 2154 2155 return 0; 2156 } 2157 2158 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len, 2159 u32 priority) 2160 { 2161 struct sk_buff *skb; 2162 int err; 2163 struct sk_buff_head seg_queue; 2164 2165 /* Connectionless channel */ 2166 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) { 2167 skb = l2cap_create_connless_pdu(chan, msg, len, priority); 2168 if (IS_ERR(skb)) 2169 return PTR_ERR(skb); 2170 2171 l2cap_do_send(chan, skb); 2172 return len; 2173 } 2174 2175 switch (chan->mode) { 2176 case L2CAP_MODE_BASIC: 2177 /* Check outgoing MTU */ 2178 if (len > chan->omtu) 2179 return -EMSGSIZE; 2180 2181 /* Create a basic PDU */ 2182 skb = l2cap_create_basic_pdu(chan, msg, len, priority); 2183 if (IS_ERR(skb)) 2184 return PTR_ERR(skb); 2185 2186 l2cap_do_send(chan, skb); 2187 err = len; 2188 break; 2189 2190 case L2CAP_MODE_ERTM: 2191 case L2CAP_MODE_STREAMING: 2192 /* Check outgoing MTU */ 2193 if (len > chan->omtu) { 2194 err = -EMSGSIZE; 2195 break; 2196 } 2197 2198 __skb_queue_head_init(&seg_queue); 2199 2200 /* Do segmentation before calling in to the state machine, 2201 * since it's possible to block while waiting for memory 2202 * allocation. 2203 */ 2204 err = l2cap_segment_sdu(chan, &seg_queue, msg, len); 2205 2206 /* The channel could have been closed while segmenting, 2207 * check that it is still connected. 2208 */ 2209 if (chan->state != BT_CONNECTED) { 2210 __skb_queue_purge(&seg_queue); 2211 err = -ENOTCONN; 2212 } 2213 2214 if (err) 2215 break; 2216 2217 if (chan->mode == L2CAP_MODE_ERTM) 2218 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST); 2219 else 2220 l2cap_streaming_send(chan, &seg_queue); 2221 2222 err = len; 2223 2224 /* If the skbs were not queued for sending, they'll still be in 2225 * seg_queue and need to be purged. 2226 */ 2227 __skb_queue_purge(&seg_queue); 2228 break; 2229 2230 default: 2231 BT_DBG("bad state %1.1x", chan->mode); 2232 err = -EBADFD; 2233 } 2234 2235 return err; 2236 } 2237 2238 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq) 2239 { 2240 struct l2cap_ctrl control; 2241 u16 seq; 2242 2243 BT_DBG("chan %p, txseq %u", chan, txseq); 2244 2245 memset(&control, 0, sizeof(control)); 2246 control.sframe = 1; 2247 control.super = L2CAP_SUPER_SREJ; 2248 2249 for (seq = chan->expected_tx_seq; seq != txseq; 2250 seq = __next_seq(chan, seq)) { 2251 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) { 2252 control.reqseq = seq; 2253 l2cap_send_sframe(chan, &control); 2254 l2cap_seq_list_append(&chan->srej_list, seq); 2255 } 2256 } 2257 2258 chan->expected_tx_seq = __next_seq(chan, txseq); 2259 } 2260 2261 static void l2cap_send_srej_tail(struct l2cap_chan *chan) 2262 { 2263 struct l2cap_ctrl control; 2264 2265 BT_DBG("chan %p", chan); 2266 2267 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR) 2268 return; 2269 2270 memset(&control, 0, sizeof(control)); 2271 control.sframe = 1; 2272 control.super = L2CAP_SUPER_SREJ; 2273 control.reqseq = chan->srej_list.tail; 2274 l2cap_send_sframe(chan, &control); 2275 } 2276 2277 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq) 2278 { 2279 struct l2cap_ctrl control; 2280 u16 initial_head; 2281 u16 seq; 2282 2283 BT_DBG("chan %p, txseq %u", chan, txseq); 2284 2285 memset(&control, 0, sizeof(control)); 2286 control.sframe = 1; 2287 control.super = L2CAP_SUPER_SREJ; 2288 2289 /* Capture initial list head to allow only one pass through the list. */ 2290 initial_head = chan->srej_list.head; 2291 2292 do { 2293 seq = l2cap_seq_list_pop(&chan->srej_list); 2294 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR) 2295 break; 2296 2297 control.reqseq = seq; 2298 l2cap_send_sframe(chan, &control); 2299 l2cap_seq_list_append(&chan->srej_list, seq); 2300 } while (chan->srej_list.head != initial_head); 2301 } 2302 2303 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq) 2304 { 2305 struct sk_buff *acked_skb; 2306 u16 ackseq; 2307 2308 BT_DBG("chan %p, reqseq %u", chan, reqseq); 2309 2310 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq) 2311 return; 2312 2313 BT_DBG("expected_ack_seq %u, unacked_frames %u", 2314 chan->expected_ack_seq, chan->unacked_frames); 2315 2316 for (ackseq = chan->expected_ack_seq; ackseq != reqseq; 2317 ackseq = __next_seq(chan, ackseq)) { 2318 2319 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq); 2320 if (acked_skb) { 2321 skb_unlink(acked_skb, &chan->tx_q); 2322 kfree_skb(acked_skb); 2323 chan->unacked_frames--; 2324 } 2325 } 2326 2327 chan->expected_ack_seq = reqseq; 2328 2329 if (chan->unacked_frames == 0) 2330 __clear_retrans_timer(chan); 2331 2332 BT_DBG("unacked_frames %u", chan->unacked_frames); 2333 } 2334 2335 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan) 2336 { 2337 BT_DBG("chan %p", chan); 2338 2339 chan->expected_tx_seq = chan->buffer_seq; 2340 l2cap_seq_list_clear(&chan->srej_list); 2341 skb_queue_purge(&chan->srej_q); 2342 chan->rx_state = L2CAP_RX_STATE_RECV; 2343 } 2344 2345 static void l2cap_tx_state_xmit(struct l2cap_chan *chan, 2346 struct l2cap_ctrl *control, 2347 struct sk_buff_head *skbs, u8 event) 2348 { 2349 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2350 event); 2351 2352 switch (event) { 2353 case L2CAP_EV_DATA_REQUEST: 2354 if (chan->tx_send_head == NULL) 2355 chan->tx_send_head = skb_peek(skbs); 2356 2357 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2358 l2cap_ertm_send(chan); 2359 break; 2360 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2361 BT_DBG("Enter LOCAL_BUSY"); 2362 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2363 2364 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2365 /* The SREJ_SENT state must be aborted if we are to 2366 * enter the LOCAL_BUSY state. 2367 */ 2368 l2cap_abort_rx_srej_sent(chan); 2369 } 2370 2371 l2cap_send_ack(chan); 2372 2373 break; 2374 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2375 BT_DBG("Exit LOCAL_BUSY"); 2376 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2377 2378 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2379 struct l2cap_ctrl local_control; 2380 2381 memset(&local_control, 0, sizeof(local_control)); 2382 local_control.sframe = 1; 2383 local_control.super = L2CAP_SUPER_RR; 2384 local_control.poll = 1; 2385 local_control.reqseq = chan->buffer_seq; 2386 l2cap_send_sframe(chan, &local_control); 2387 2388 chan->retry_count = 1; 2389 __set_monitor_timer(chan); 2390 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2391 } 2392 break; 2393 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2394 l2cap_process_reqseq(chan, control->reqseq); 2395 break; 2396 case L2CAP_EV_EXPLICIT_POLL: 2397 l2cap_send_rr_or_rnr(chan, 1); 2398 chan->retry_count = 1; 2399 __set_monitor_timer(chan); 2400 __clear_ack_timer(chan); 2401 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2402 break; 2403 case L2CAP_EV_RETRANS_TO: 2404 l2cap_send_rr_or_rnr(chan, 1); 2405 chan->retry_count = 1; 2406 __set_monitor_timer(chan); 2407 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2408 break; 2409 case L2CAP_EV_RECV_FBIT: 2410 /* Nothing to process */ 2411 break; 2412 default: 2413 break; 2414 } 2415 } 2416 2417 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan, 2418 struct l2cap_ctrl *control, 2419 struct sk_buff_head *skbs, u8 event) 2420 { 2421 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2422 event); 2423 2424 switch (event) { 2425 case L2CAP_EV_DATA_REQUEST: 2426 if (chan->tx_send_head == NULL) 2427 chan->tx_send_head = skb_peek(skbs); 2428 /* Queue data, but don't send. */ 2429 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2430 break; 2431 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2432 BT_DBG("Enter LOCAL_BUSY"); 2433 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2434 2435 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2436 /* The SREJ_SENT state must be aborted if we are to 2437 * enter the LOCAL_BUSY state. 2438 */ 2439 l2cap_abort_rx_srej_sent(chan); 2440 } 2441 2442 l2cap_send_ack(chan); 2443 2444 break; 2445 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2446 BT_DBG("Exit LOCAL_BUSY"); 2447 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2448 2449 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2450 struct l2cap_ctrl local_control; 2451 memset(&local_control, 0, sizeof(local_control)); 2452 local_control.sframe = 1; 2453 local_control.super = L2CAP_SUPER_RR; 2454 local_control.poll = 1; 2455 local_control.reqseq = chan->buffer_seq; 2456 l2cap_send_sframe(chan, &local_control); 2457 2458 chan->retry_count = 1; 2459 __set_monitor_timer(chan); 2460 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2461 } 2462 break; 2463 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2464 l2cap_process_reqseq(chan, control->reqseq); 2465 2466 /* Fall through */ 2467 2468 case L2CAP_EV_RECV_FBIT: 2469 if (control && control->final) { 2470 __clear_monitor_timer(chan); 2471 if (chan->unacked_frames > 0) 2472 __set_retrans_timer(chan); 2473 chan->retry_count = 0; 2474 chan->tx_state = L2CAP_TX_STATE_XMIT; 2475 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state); 2476 } 2477 break; 2478 case L2CAP_EV_EXPLICIT_POLL: 2479 /* Ignore */ 2480 break; 2481 case L2CAP_EV_MONITOR_TO: 2482 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) { 2483 l2cap_send_rr_or_rnr(chan, 1); 2484 __set_monitor_timer(chan); 2485 chan->retry_count++; 2486 } else { 2487 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED); 2488 } 2489 break; 2490 default: 2491 break; 2492 } 2493 } 2494 2495 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 2496 struct sk_buff_head *skbs, u8 event) 2497 { 2498 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d", 2499 chan, control, skbs, event, chan->tx_state); 2500 2501 switch (chan->tx_state) { 2502 case L2CAP_TX_STATE_XMIT: 2503 l2cap_tx_state_xmit(chan, control, skbs, event); 2504 break; 2505 case L2CAP_TX_STATE_WAIT_F: 2506 l2cap_tx_state_wait_f(chan, control, skbs, event); 2507 break; 2508 default: 2509 /* Ignore event */ 2510 break; 2511 } 2512 } 2513 2514 static void l2cap_pass_to_tx(struct l2cap_chan *chan, 2515 struct l2cap_ctrl *control) 2516 { 2517 BT_DBG("chan %p, control %p", chan, control); 2518 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT); 2519 } 2520 2521 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan, 2522 struct l2cap_ctrl *control) 2523 { 2524 BT_DBG("chan %p, control %p", chan, control); 2525 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT); 2526 } 2527 2528 /* Copy frame to all raw sockets on that connection */ 2529 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb) 2530 { 2531 struct sk_buff *nskb; 2532 struct l2cap_chan *chan; 2533 2534 BT_DBG("conn %p", conn); 2535 2536 mutex_lock(&conn->chan_lock); 2537 2538 list_for_each_entry(chan, &conn->chan_l, list) { 2539 struct sock *sk = chan->sk; 2540 if (chan->chan_type != L2CAP_CHAN_RAW) 2541 continue; 2542 2543 /* Don't send frame to the socket it came from */ 2544 if (skb->sk == sk) 2545 continue; 2546 nskb = skb_clone(skb, GFP_ATOMIC); 2547 if (!nskb) 2548 continue; 2549 2550 if (chan->ops->recv(chan, nskb)) 2551 kfree_skb(nskb); 2552 } 2553 2554 mutex_unlock(&conn->chan_lock); 2555 } 2556 2557 /* ---- L2CAP signalling commands ---- */ 2558 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code, 2559 u8 ident, u16 dlen, void *data) 2560 { 2561 struct sk_buff *skb, **frag; 2562 struct l2cap_cmd_hdr *cmd; 2563 struct l2cap_hdr *lh; 2564 int len, count; 2565 2566 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", 2567 conn, code, ident, dlen); 2568 2569 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; 2570 count = min_t(unsigned int, conn->mtu, len); 2571 2572 skb = bt_skb_alloc(count, GFP_ATOMIC); 2573 if (!skb) 2574 return NULL; 2575 2576 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); 2577 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen); 2578 2579 if (conn->hcon->type == LE_LINK) 2580 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING); 2581 else 2582 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING); 2583 2584 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE); 2585 cmd->code = code; 2586 cmd->ident = ident; 2587 cmd->len = cpu_to_le16(dlen); 2588 2589 if (dlen) { 2590 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE; 2591 memcpy(skb_put(skb, count), data, count); 2592 data += count; 2593 } 2594 2595 len -= skb->len; 2596 2597 /* Continuation fragments (no L2CAP header) */ 2598 frag = &skb_shinfo(skb)->frag_list; 2599 while (len) { 2600 count = min_t(unsigned int, conn->mtu, len); 2601 2602 *frag = bt_skb_alloc(count, GFP_ATOMIC); 2603 if (!*frag) 2604 goto fail; 2605 2606 memcpy(skb_put(*frag, count), data, count); 2607 2608 len -= count; 2609 data += count; 2610 2611 frag = &(*frag)->next; 2612 } 2613 2614 return skb; 2615 2616 fail: 2617 kfree_skb(skb); 2618 return NULL; 2619 } 2620 2621 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val) 2622 { 2623 struct l2cap_conf_opt *opt = *ptr; 2624 int len; 2625 2626 len = L2CAP_CONF_OPT_SIZE + opt->len; 2627 *ptr += len; 2628 2629 *type = opt->type; 2630 *olen = opt->len; 2631 2632 switch (opt->len) { 2633 case 1: 2634 *val = *((u8 *) opt->val); 2635 break; 2636 2637 case 2: 2638 *val = get_unaligned_le16(opt->val); 2639 break; 2640 2641 case 4: 2642 *val = get_unaligned_le32(opt->val); 2643 break; 2644 2645 default: 2646 *val = (unsigned long) opt->val; 2647 break; 2648 } 2649 2650 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val); 2651 return len; 2652 } 2653 2654 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val) 2655 { 2656 struct l2cap_conf_opt *opt = *ptr; 2657 2658 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val); 2659 2660 opt->type = type; 2661 opt->len = len; 2662 2663 switch (len) { 2664 case 1: 2665 *((u8 *) opt->val) = val; 2666 break; 2667 2668 case 2: 2669 put_unaligned_le16(val, opt->val); 2670 break; 2671 2672 case 4: 2673 put_unaligned_le32(val, opt->val); 2674 break; 2675 2676 default: 2677 memcpy(opt->val, (void *) val, len); 2678 break; 2679 } 2680 2681 *ptr += L2CAP_CONF_OPT_SIZE + len; 2682 } 2683 2684 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan) 2685 { 2686 struct l2cap_conf_efs efs; 2687 2688 switch (chan->mode) { 2689 case L2CAP_MODE_ERTM: 2690 efs.id = chan->local_id; 2691 efs.stype = chan->local_stype; 2692 efs.msdu = cpu_to_le16(chan->local_msdu); 2693 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 2694 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT); 2695 efs.flush_to = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO); 2696 break; 2697 2698 case L2CAP_MODE_STREAMING: 2699 efs.id = 1; 2700 efs.stype = L2CAP_SERV_BESTEFFORT; 2701 efs.msdu = cpu_to_le16(chan->local_msdu); 2702 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 2703 efs.acc_lat = 0; 2704 efs.flush_to = 0; 2705 break; 2706 2707 default: 2708 return; 2709 } 2710 2711 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs), 2712 (unsigned long) &efs); 2713 } 2714 2715 static void l2cap_ack_timeout(struct work_struct *work) 2716 { 2717 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 2718 ack_timer.work); 2719 u16 frames_to_ack; 2720 2721 BT_DBG("chan %p", chan); 2722 2723 l2cap_chan_lock(chan); 2724 2725 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 2726 chan->last_acked_seq); 2727 2728 if (frames_to_ack) 2729 l2cap_send_rr_or_rnr(chan, 0); 2730 2731 l2cap_chan_unlock(chan); 2732 l2cap_chan_put(chan); 2733 } 2734 2735 int l2cap_ertm_init(struct l2cap_chan *chan) 2736 { 2737 int err; 2738 2739 chan->next_tx_seq = 0; 2740 chan->expected_tx_seq = 0; 2741 chan->expected_ack_seq = 0; 2742 chan->unacked_frames = 0; 2743 chan->buffer_seq = 0; 2744 chan->frames_sent = 0; 2745 chan->last_acked_seq = 0; 2746 chan->sdu = NULL; 2747 chan->sdu_last_frag = NULL; 2748 chan->sdu_len = 0; 2749 2750 skb_queue_head_init(&chan->tx_q); 2751 2752 if (chan->mode != L2CAP_MODE_ERTM) 2753 return 0; 2754 2755 chan->rx_state = L2CAP_RX_STATE_RECV; 2756 chan->tx_state = L2CAP_TX_STATE_XMIT; 2757 2758 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); 2759 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); 2760 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); 2761 2762 skb_queue_head_init(&chan->srej_q); 2763 2764 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); 2765 if (err < 0) 2766 return err; 2767 2768 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win); 2769 if (err < 0) 2770 l2cap_seq_list_free(&chan->srej_list); 2771 2772 return err; 2773 } 2774 2775 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask) 2776 { 2777 switch (mode) { 2778 case L2CAP_MODE_STREAMING: 2779 case L2CAP_MODE_ERTM: 2780 if (l2cap_mode_supported(mode, remote_feat_mask)) 2781 return mode; 2782 /* fall through */ 2783 default: 2784 return L2CAP_MODE_BASIC; 2785 } 2786 } 2787 2788 static inline bool __l2cap_ews_supported(struct l2cap_chan *chan) 2789 { 2790 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW; 2791 } 2792 2793 static inline bool __l2cap_efs_supported(struct l2cap_chan *chan) 2794 { 2795 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW; 2796 } 2797 2798 static inline void l2cap_txwin_setup(struct l2cap_chan *chan) 2799 { 2800 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW && 2801 __l2cap_ews_supported(chan)) { 2802 /* use extended control field */ 2803 set_bit(FLAG_EXT_CTRL, &chan->flags); 2804 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; 2805 } else { 2806 chan->tx_win = min_t(u16, chan->tx_win, 2807 L2CAP_DEFAULT_TX_WINDOW); 2808 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 2809 } 2810 chan->ack_win = chan->tx_win; 2811 } 2812 2813 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data) 2814 { 2815 struct l2cap_conf_req *req = data; 2816 struct l2cap_conf_rfc rfc = { .mode = chan->mode }; 2817 void *ptr = req->data; 2818 u16 size; 2819 2820 BT_DBG("chan %p", chan); 2821 2822 if (chan->num_conf_req || chan->num_conf_rsp) 2823 goto done; 2824 2825 switch (chan->mode) { 2826 case L2CAP_MODE_STREAMING: 2827 case L2CAP_MODE_ERTM: 2828 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) 2829 break; 2830 2831 if (__l2cap_efs_supported(chan)) 2832 set_bit(FLAG_EFS_ENABLE, &chan->flags); 2833 2834 /* fall through */ 2835 default: 2836 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask); 2837 break; 2838 } 2839 2840 done: 2841 if (chan->imtu != L2CAP_DEFAULT_MTU) 2842 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu); 2843 2844 switch (chan->mode) { 2845 case L2CAP_MODE_BASIC: 2846 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) && 2847 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING)) 2848 break; 2849 2850 rfc.mode = L2CAP_MODE_BASIC; 2851 rfc.txwin_size = 0; 2852 rfc.max_transmit = 0; 2853 rfc.retrans_timeout = 0; 2854 rfc.monitor_timeout = 0; 2855 rfc.max_pdu_size = 0; 2856 2857 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 2858 (unsigned long) &rfc); 2859 break; 2860 2861 case L2CAP_MODE_ERTM: 2862 rfc.mode = L2CAP_MODE_ERTM; 2863 rfc.max_transmit = chan->max_tx; 2864 rfc.retrans_timeout = 0; 2865 rfc.monitor_timeout = 0; 2866 2867 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 2868 L2CAP_EXT_HDR_SIZE - 2869 L2CAP_SDULEN_SIZE - 2870 L2CAP_FCS_SIZE); 2871 rfc.max_pdu_size = cpu_to_le16(size); 2872 2873 l2cap_txwin_setup(chan); 2874 2875 rfc.txwin_size = min_t(u16, chan->tx_win, 2876 L2CAP_DEFAULT_TX_WINDOW); 2877 2878 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 2879 (unsigned long) &rfc); 2880 2881 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 2882 l2cap_add_opt_efs(&ptr, chan); 2883 2884 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS)) 2885 break; 2886 2887 if (chan->fcs == L2CAP_FCS_NONE || 2888 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) { 2889 chan->fcs = L2CAP_FCS_NONE; 2890 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 2891 } 2892 2893 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 2894 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 2895 chan->tx_win); 2896 break; 2897 2898 case L2CAP_MODE_STREAMING: 2899 l2cap_txwin_setup(chan); 2900 rfc.mode = L2CAP_MODE_STREAMING; 2901 rfc.txwin_size = 0; 2902 rfc.max_transmit = 0; 2903 rfc.retrans_timeout = 0; 2904 rfc.monitor_timeout = 0; 2905 2906 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 2907 L2CAP_EXT_HDR_SIZE - 2908 L2CAP_SDULEN_SIZE - 2909 L2CAP_FCS_SIZE); 2910 rfc.max_pdu_size = cpu_to_le16(size); 2911 2912 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 2913 (unsigned long) &rfc); 2914 2915 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 2916 l2cap_add_opt_efs(&ptr, chan); 2917 2918 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS)) 2919 break; 2920 2921 if (chan->fcs == L2CAP_FCS_NONE || 2922 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) { 2923 chan->fcs = L2CAP_FCS_NONE; 2924 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs); 2925 } 2926 break; 2927 } 2928 2929 req->dcid = cpu_to_le16(chan->dcid); 2930 req->flags = __constant_cpu_to_le16(0); 2931 2932 return ptr - data; 2933 } 2934 2935 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data) 2936 { 2937 struct l2cap_conf_rsp *rsp = data; 2938 void *ptr = rsp->data; 2939 void *req = chan->conf_req; 2940 int len = chan->conf_len; 2941 int type, hint, olen; 2942 unsigned long val; 2943 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 2944 struct l2cap_conf_efs efs; 2945 u8 remote_efs = 0; 2946 u16 mtu = L2CAP_DEFAULT_MTU; 2947 u16 result = L2CAP_CONF_SUCCESS; 2948 u16 size; 2949 2950 BT_DBG("chan %p", chan); 2951 2952 while (len >= L2CAP_CONF_OPT_SIZE) { 2953 len -= l2cap_get_conf_opt(&req, &type, &olen, &val); 2954 2955 hint = type & L2CAP_CONF_HINT; 2956 type &= L2CAP_CONF_MASK; 2957 2958 switch (type) { 2959 case L2CAP_CONF_MTU: 2960 mtu = val; 2961 break; 2962 2963 case L2CAP_CONF_FLUSH_TO: 2964 chan->flush_to = val; 2965 break; 2966 2967 case L2CAP_CONF_QOS: 2968 break; 2969 2970 case L2CAP_CONF_RFC: 2971 if (olen == sizeof(rfc)) 2972 memcpy(&rfc, (void *) val, olen); 2973 break; 2974 2975 case L2CAP_CONF_FCS: 2976 if (val == L2CAP_FCS_NONE) 2977 set_bit(CONF_NO_FCS_RECV, &chan->conf_state); 2978 break; 2979 2980 case L2CAP_CONF_EFS: 2981 remote_efs = 1; 2982 if (olen == sizeof(efs)) 2983 memcpy(&efs, (void *) val, olen); 2984 break; 2985 2986 case L2CAP_CONF_EWS: 2987 if (!enable_hs) 2988 return -ECONNREFUSED; 2989 2990 set_bit(FLAG_EXT_CTRL, &chan->flags); 2991 set_bit(CONF_EWS_RECV, &chan->conf_state); 2992 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; 2993 chan->remote_tx_win = val; 2994 break; 2995 2996 default: 2997 if (hint) 2998 break; 2999 3000 result = L2CAP_CONF_UNKNOWN; 3001 *((u8 *) ptr++) = type; 3002 break; 3003 } 3004 } 3005 3006 if (chan->num_conf_rsp || chan->num_conf_req > 1) 3007 goto done; 3008 3009 switch (chan->mode) { 3010 case L2CAP_MODE_STREAMING: 3011 case L2CAP_MODE_ERTM: 3012 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) { 3013 chan->mode = l2cap_select_mode(rfc.mode, 3014 chan->conn->feat_mask); 3015 break; 3016 } 3017 3018 if (remote_efs) { 3019 if (__l2cap_efs_supported(chan)) 3020 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3021 else 3022 return -ECONNREFUSED; 3023 } 3024 3025 if (chan->mode != rfc.mode) 3026 return -ECONNREFUSED; 3027 3028 break; 3029 } 3030 3031 done: 3032 if (chan->mode != rfc.mode) { 3033 result = L2CAP_CONF_UNACCEPT; 3034 rfc.mode = chan->mode; 3035 3036 if (chan->num_conf_rsp == 1) 3037 return -ECONNREFUSED; 3038 3039 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 3040 sizeof(rfc), (unsigned long) &rfc); 3041 } 3042 3043 if (result == L2CAP_CONF_SUCCESS) { 3044 /* Configure output options and let the other side know 3045 * which ones we don't like. */ 3046 3047 if (mtu < L2CAP_DEFAULT_MIN_MTU) 3048 result = L2CAP_CONF_UNACCEPT; 3049 else { 3050 chan->omtu = mtu; 3051 set_bit(CONF_MTU_DONE, &chan->conf_state); 3052 } 3053 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu); 3054 3055 if (remote_efs) { 3056 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3057 efs.stype != L2CAP_SERV_NOTRAFIC && 3058 efs.stype != chan->local_stype) { 3059 3060 result = L2CAP_CONF_UNACCEPT; 3061 3062 if (chan->num_conf_req >= 1) 3063 return -ECONNREFUSED; 3064 3065 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3066 sizeof(efs), 3067 (unsigned long) &efs); 3068 } else { 3069 /* Send PENDING Conf Rsp */ 3070 result = L2CAP_CONF_PENDING; 3071 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 3072 } 3073 } 3074 3075 switch (rfc.mode) { 3076 case L2CAP_MODE_BASIC: 3077 chan->fcs = L2CAP_FCS_NONE; 3078 set_bit(CONF_MODE_DONE, &chan->conf_state); 3079 break; 3080 3081 case L2CAP_MODE_ERTM: 3082 if (!test_bit(CONF_EWS_RECV, &chan->conf_state)) 3083 chan->remote_tx_win = rfc.txwin_size; 3084 else 3085 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW; 3086 3087 chan->remote_max_tx = rfc.max_transmit; 3088 3089 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3090 chan->conn->mtu - 3091 L2CAP_EXT_HDR_SIZE - 3092 L2CAP_SDULEN_SIZE - 3093 L2CAP_FCS_SIZE); 3094 rfc.max_pdu_size = cpu_to_le16(size); 3095 chan->remote_mps = size; 3096 3097 rfc.retrans_timeout = 3098 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO); 3099 rfc.monitor_timeout = 3100 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO); 3101 3102 set_bit(CONF_MODE_DONE, &chan->conf_state); 3103 3104 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 3105 sizeof(rfc), (unsigned long) &rfc); 3106 3107 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3108 chan->remote_id = efs.id; 3109 chan->remote_stype = efs.stype; 3110 chan->remote_msdu = le16_to_cpu(efs.msdu); 3111 chan->remote_flush_to = 3112 le32_to_cpu(efs.flush_to); 3113 chan->remote_acc_lat = 3114 le32_to_cpu(efs.acc_lat); 3115 chan->remote_sdu_itime = 3116 le32_to_cpu(efs.sdu_itime); 3117 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3118 sizeof(efs), (unsigned long) &efs); 3119 } 3120 break; 3121 3122 case L2CAP_MODE_STREAMING: 3123 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3124 chan->conn->mtu - 3125 L2CAP_EXT_HDR_SIZE - 3126 L2CAP_SDULEN_SIZE - 3127 L2CAP_FCS_SIZE); 3128 rfc.max_pdu_size = cpu_to_le16(size); 3129 chan->remote_mps = size; 3130 3131 set_bit(CONF_MODE_DONE, &chan->conf_state); 3132 3133 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 3134 sizeof(rfc), (unsigned long) &rfc); 3135 3136 break; 3137 3138 default: 3139 result = L2CAP_CONF_UNACCEPT; 3140 3141 memset(&rfc, 0, sizeof(rfc)); 3142 rfc.mode = chan->mode; 3143 } 3144 3145 if (result == L2CAP_CONF_SUCCESS) 3146 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 3147 } 3148 rsp->scid = cpu_to_le16(chan->dcid); 3149 rsp->result = cpu_to_le16(result); 3150 rsp->flags = __constant_cpu_to_le16(0); 3151 3152 return ptr - data; 3153 } 3154 3155 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result) 3156 { 3157 struct l2cap_conf_req *req = data; 3158 void *ptr = req->data; 3159 int type, olen; 3160 unsigned long val; 3161 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3162 struct l2cap_conf_efs efs; 3163 3164 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data); 3165 3166 while (len >= L2CAP_CONF_OPT_SIZE) { 3167 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3168 3169 switch (type) { 3170 case L2CAP_CONF_MTU: 3171 if (val < L2CAP_DEFAULT_MIN_MTU) { 3172 *result = L2CAP_CONF_UNACCEPT; 3173 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3174 } else 3175 chan->imtu = val; 3176 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu); 3177 break; 3178 3179 case L2CAP_CONF_FLUSH_TO: 3180 chan->flush_to = val; 3181 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 3182 2, chan->flush_to); 3183 break; 3184 3185 case L2CAP_CONF_RFC: 3186 if (olen == sizeof(rfc)) 3187 memcpy(&rfc, (void *)val, olen); 3188 3189 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && 3190 rfc.mode != chan->mode) 3191 return -ECONNREFUSED; 3192 3193 chan->fcs = 0; 3194 3195 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 3196 sizeof(rfc), (unsigned long) &rfc); 3197 break; 3198 3199 case L2CAP_CONF_EWS: 3200 chan->ack_win = min_t(u16, val, chan->ack_win); 3201 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3202 chan->tx_win); 3203 break; 3204 3205 case L2CAP_CONF_EFS: 3206 if (olen == sizeof(efs)) 3207 memcpy(&efs, (void *)val, olen); 3208 3209 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3210 efs.stype != L2CAP_SERV_NOTRAFIC && 3211 efs.stype != chan->local_stype) 3212 return -ECONNREFUSED; 3213 3214 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3215 sizeof(efs), (unsigned long) &efs); 3216 break; 3217 } 3218 } 3219 3220 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode) 3221 return -ECONNREFUSED; 3222 3223 chan->mode = rfc.mode; 3224 3225 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) { 3226 switch (rfc.mode) { 3227 case L2CAP_MODE_ERTM: 3228 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3229 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3230 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3231 if (!test_bit(FLAG_EXT_CTRL, &chan->flags)) 3232 chan->ack_win = min_t(u16, chan->ack_win, 3233 rfc.txwin_size); 3234 3235 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3236 chan->local_msdu = le16_to_cpu(efs.msdu); 3237 chan->local_sdu_itime = 3238 le32_to_cpu(efs.sdu_itime); 3239 chan->local_acc_lat = le32_to_cpu(efs.acc_lat); 3240 chan->local_flush_to = 3241 le32_to_cpu(efs.flush_to); 3242 } 3243 break; 3244 3245 case L2CAP_MODE_STREAMING: 3246 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3247 } 3248 } 3249 3250 req->dcid = cpu_to_le16(chan->dcid); 3251 req->flags = __constant_cpu_to_le16(0); 3252 3253 return ptr - data; 3254 } 3255 3256 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags) 3257 { 3258 struct l2cap_conf_rsp *rsp = data; 3259 void *ptr = rsp->data; 3260 3261 BT_DBG("chan %p", chan); 3262 3263 rsp->scid = cpu_to_le16(chan->dcid); 3264 rsp->result = cpu_to_le16(result); 3265 rsp->flags = cpu_to_le16(flags); 3266 3267 return ptr - data; 3268 } 3269 3270 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) 3271 { 3272 struct l2cap_conn_rsp rsp; 3273 struct l2cap_conn *conn = chan->conn; 3274 u8 buf[128]; 3275 3276 rsp.scid = cpu_to_le16(chan->dcid); 3277 rsp.dcid = cpu_to_le16(chan->scid); 3278 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS); 3279 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO); 3280 l2cap_send_cmd(conn, chan->ident, 3281 L2CAP_CONN_RSP, sizeof(rsp), &rsp); 3282 3283 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 3284 return; 3285 3286 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3287 l2cap_build_conf_req(chan, buf), buf); 3288 chan->num_conf_req++; 3289 } 3290 3291 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) 3292 { 3293 int type, olen; 3294 unsigned long val; 3295 /* Use sane default values in case a misbehaving remote device 3296 * did not send an RFC or extended window size option. 3297 */ 3298 u16 txwin_ext = chan->ack_win; 3299 struct l2cap_conf_rfc rfc = { 3300 .mode = chan->mode, 3301 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO), 3302 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO), 3303 .max_pdu_size = cpu_to_le16(chan->imtu), 3304 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW), 3305 }; 3306 3307 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len); 3308 3309 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING)) 3310 return; 3311 3312 while (len >= L2CAP_CONF_OPT_SIZE) { 3313 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3314 3315 switch (type) { 3316 case L2CAP_CONF_RFC: 3317 if (olen == sizeof(rfc)) 3318 memcpy(&rfc, (void *)val, olen); 3319 break; 3320 case L2CAP_CONF_EWS: 3321 txwin_ext = val; 3322 break; 3323 } 3324 } 3325 3326 switch (rfc.mode) { 3327 case L2CAP_MODE_ERTM: 3328 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3329 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3330 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3331 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 3332 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext); 3333 else 3334 chan->ack_win = min_t(u16, chan->ack_win, 3335 rfc.txwin_size); 3336 break; 3337 case L2CAP_MODE_STREAMING: 3338 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3339 } 3340 } 3341 3342 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 3343 { 3344 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 3345 3346 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) 3347 return 0; 3348 3349 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 3350 cmd->ident == conn->info_ident) { 3351 cancel_delayed_work(&conn->info_timer); 3352 3353 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3354 conn->info_ident = 0; 3355 3356 l2cap_conn_start(conn); 3357 } 3358 3359 return 0; 3360 } 3361 3362 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 3363 { 3364 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 3365 struct l2cap_conn_rsp rsp; 3366 struct l2cap_chan *chan = NULL, *pchan; 3367 struct sock *parent, *sk = NULL; 3368 int result, status = L2CAP_CS_NO_INFO; 3369 3370 u16 dcid = 0, scid = __le16_to_cpu(req->scid); 3371 __le16 psm = req->psm; 3372 3373 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid); 3374 3375 /* Check if we have socket listening on psm */ 3376 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst); 3377 if (!pchan) { 3378 result = L2CAP_CR_BAD_PSM; 3379 goto sendresp; 3380 } 3381 3382 parent = pchan->sk; 3383 3384 mutex_lock(&conn->chan_lock); 3385 lock_sock(parent); 3386 3387 /* Check if the ACL is secure enough (if not SDP) */ 3388 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) && 3389 !hci_conn_check_link_mode(conn->hcon)) { 3390 conn->disc_reason = HCI_ERROR_AUTH_FAILURE; 3391 result = L2CAP_CR_SEC_BLOCK; 3392 goto response; 3393 } 3394 3395 result = L2CAP_CR_NO_MEM; 3396 3397 /* Check if we already have channel with that dcid */ 3398 if (__l2cap_get_chan_by_dcid(conn, scid)) 3399 goto response; 3400 3401 chan = pchan->ops->new_connection(pchan); 3402 if (!chan) 3403 goto response; 3404 3405 sk = chan->sk; 3406 3407 hci_conn_hold(conn->hcon); 3408 3409 bacpy(&bt_sk(sk)->src, conn->src); 3410 bacpy(&bt_sk(sk)->dst, conn->dst); 3411 chan->psm = psm; 3412 chan->dcid = scid; 3413 3414 bt_accept_enqueue(parent, sk); 3415 3416 __l2cap_chan_add(conn, chan); 3417 3418 dcid = chan->scid; 3419 3420 __set_chan_timer(chan, sk->sk_sndtimeo); 3421 3422 chan->ident = cmd->ident; 3423 3424 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 3425 if (l2cap_chan_check_security(chan)) { 3426 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 3427 __l2cap_state_change(chan, BT_CONNECT2); 3428 result = L2CAP_CR_PEND; 3429 status = L2CAP_CS_AUTHOR_PEND; 3430 parent->sk_data_ready(parent, 0); 3431 } else { 3432 __l2cap_state_change(chan, BT_CONFIG); 3433 result = L2CAP_CR_SUCCESS; 3434 status = L2CAP_CS_NO_INFO; 3435 } 3436 } else { 3437 __l2cap_state_change(chan, BT_CONNECT2); 3438 result = L2CAP_CR_PEND; 3439 status = L2CAP_CS_AUTHEN_PEND; 3440 } 3441 } else { 3442 __l2cap_state_change(chan, BT_CONNECT2); 3443 result = L2CAP_CR_PEND; 3444 status = L2CAP_CS_NO_INFO; 3445 } 3446 3447 response: 3448 release_sock(parent); 3449 mutex_unlock(&conn->chan_lock); 3450 3451 sendresp: 3452 rsp.scid = cpu_to_le16(scid); 3453 rsp.dcid = cpu_to_le16(dcid); 3454 rsp.result = cpu_to_le16(result); 3455 rsp.status = cpu_to_le16(status); 3456 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp); 3457 3458 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { 3459 struct l2cap_info_req info; 3460 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK); 3461 3462 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 3463 conn->info_ident = l2cap_get_ident(conn); 3464 3465 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 3466 3467 l2cap_send_cmd(conn, conn->info_ident, 3468 L2CAP_INFO_REQ, sizeof(info), &info); 3469 } 3470 3471 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) && 3472 result == L2CAP_CR_SUCCESS) { 3473 u8 buf[128]; 3474 set_bit(CONF_REQ_SENT, &chan->conf_state); 3475 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3476 l2cap_build_conf_req(chan, buf), buf); 3477 chan->num_conf_req++; 3478 } 3479 3480 return 0; 3481 } 3482 3483 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 3484 { 3485 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; 3486 u16 scid, dcid, result, status; 3487 struct l2cap_chan *chan; 3488 u8 req[128]; 3489 int err; 3490 3491 scid = __le16_to_cpu(rsp->scid); 3492 dcid = __le16_to_cpu(rsp->dcid); 3493 result = __le16_to_cpu(rsp->result); 3494 status = __le16_to_cpu(rsp->status); 3495 3496 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", 3497 dcid, scid, result, status); 3498 3499 mutex_lock(&conn->chan_lock); 3500 3501 if (scid) { 3502 chan = __l2cap_get_chan_by_scid(conn, scid); 3503 if (!chan) { 3504 err = -EFAULT; 3505 goto unlock; 3506 } 3507 } else { 3508 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 3509 if (!chan) { 3510 err = -EFAULT; 3511 goto unlock; 3512 } 3513 } 3514 3515 err = 0; 3516 3517 l2cap_chan_lock(chan); 3518 3519 switch (result) { 3520 case L2CAP_CR_SUCCESS: 3521 l2cap_state_change(chan, BT_CONFIG); 3522 chan->ident = 0; 3523 chan->dcid = dcid; 3524 clear_bit(CONF_CONNECT_PEND, &chan->conf_state); 3525 3526 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 3527 break; 3528 3529 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3530 l2cap_build_conf_req(chan, req), req); 3531 chan->num_conf_req++; 3532 break; 3533 3534 case L2CAP_CR_PEND: 3535 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 3536 break; 3537 3538 default: 3539 l2cap_chan_del(chan, ECONNREFUSED); 3540 break; 3541 } 3542 3543 l2cap_chan_unlock(chan); 3544 3545 unlock: 3546 mutex_unlock(&conn->chan_lock); 3547 3548 return err; 3549 } 3550 3551 static inline void set_default_fcs(struct l2cap_chan *chan) 3552 { 3553 /* FCS is enabled only in ERTM or streaming mode, if one or both 3554 * sides request it. 3555 */ 3556 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 3557 chan->fcs = L2CAP_FCS_NONE; 3558 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) 3559 chan->fcs = L2CAP_FCS_CRC16; 3560 } 3561 3562 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 3563 { 3564 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 3565 u16 dcid, flags; 3566 u8 rsp[64]; 3567 struct l2cap_chan *chan; 3568 int len, err = 0; 3569 3570 dcid = __le16_to_cpu(req->dcid); 3571 flags = __le16_to_cpu(req->flags); 3572 3573 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags); 3574 3575 chan = l2cap_get_chan_by_scid(conn, dcid); 3576 if (!chan) 3577 return -ENOENT; 3578 3579 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) { 3580 struct l2cap_cmd_rej_cid rej; 3581 3582 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID); 3583 rej.scid = cpu_to_le16(chan->scid); 3584 rej.dcid = cpu_to_le16(chan->dcid); 3585 3586 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, 3587 sizeof(rej), &rej); 3588 goto unlock; 3589 } 3590 3591 /* Reject if config buffer is too small. */ 3592 len = cmd_len - sizeof(*req); 3593 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) { 3594 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 3595 l2cap_build_conf_rsp(chan, rsp, 3596 L2CAP_CONF_REJECT, flags), rsp); 3597 goto unlock; 3598 } 3599 3600 /* Store config. */ 3601 memcpy(chan->conf_req + chan->conf_len, req->data, len); 3602 chan->conf_len += len; 3603 3604 if (flags & L2CAP_CONF_FLAG_CONTINUATION) { 3605 /* Incomplete config. Send empty response. */ 3606 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 3607 l2cap_build_conf_rsp(chan, rsp, 3608 L2CAP_CONF_SUCCESS, flags), rsp); 3609 goto unlock; 3610 } 3611 3612 /* Complete config. */ 3613 len = l2cap_parse_conf_req(chan, rsp); 3614 if (len < 0) { 3615 l2cap_send_disconn_req(conn, chan, ECONNRESET); 3616 goto unlock; 3617 } 3618 3619 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); 3620 chan->num_conf_rsp++; 3621 3622 /* Reset config buffer. */ 3623 chan->conf_len = 0; 3624 3625 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) 3626 goto unlock; 3627 3628 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) { 3629 set_default_fcs(chan); 3630 3631 if (chan->mode == L2CAP_MODE_ERTM || 3632 chan->mode == L2CAP_MODE_STREAMING) 3633 err = l2cap_ertm_init(chan); 3634 3635 if (err < 0) 3636 l2cap_send_disconn_req(chan->conn, chan, -err); 3637 else 3638 l2cap_chan_ready(chan); 3639 3640 goto unlock; 3641 } 3642 3643 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) { 3644 u8 buf[64]; 3645 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3646 l2cap_build_conf_req(chan, buf), buf); 3647 chan->num_conf_req++; 3648 } 3649 3650 /* Got Conf Rsp PENDING from remote side and asume we sent 3651 Conf Rsp PENDING in the code above */ 3652 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) && 3653 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 3654 3655 /* check compatibility */ 3656 3657 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 3658 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 3659 3660 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 3661 l2cap_build_conf_rsp(chan, rsp, 3662 L2CAP_CONF_SUCCESS, flags), rsp); 3663 } 3664 3665 unlock: 3666 l2cap_chan_unlock(chan); 3667 return err; 3668 } 3669 3670 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 3671 { 3672 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 3673 u16 scid, flags, result; 3674 struct l2cap_chan *chan; 3675 int len = le16_to_cpu(cmd->len) - sizeof(*rsp); 3676 int err = 0; 3677 3678 scid = __le16_to_cpu(rsp->scid); 3679 flags = __le16_to_cpu(rsp->flags); 3680 result = __le16_to_cpu(rsp->result); 3681 3682 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags, 3683 result, len); 3684 3685 chan = l2cap_get_chan_by_scid(conn, scid); 3686 if (!chan) 3687 return 0; 3688 3689 switch (result) { 3690 case L2CAP_CONF_SUCCESS: 3691 l2cap_conf_rfc_get(chan, rsp->data, len); 3692 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state); 3693 break; 3694 3695 case L2CAP_CONF_PENDING: 3696 set_bit(CONF_REM_CONF_PEND, &chan->conf_state); 3697 3698 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 3699 char buf[64]; 3700 3701 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 3702 buf, &result); 3703 if (len < 0) { 3704 l2cap_send_disconn_req(conn, chan, ECONNRESET); 3705 goto done; 3706 } 3707 3708 /* check compatibility */ 3709 3710 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 3711 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 3712 3713 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 3714 l2cap_build_conf_rsp(chan, buf, 3715 L2CAP_CONF_SUCCESS, 0x0000), buf); 3716 } 3717 goto done; 3718 3719 case L2CAP_CONF_UNACCEPT: 3720 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) { 3721 char req[64]; 3722 3723 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { 3724 l2cap_send_disconn_req(conn, chan, ECONNRESET); 3725 goto done; 3726 } 3727 3728 /* throw out any old stored conf requests */ 3729 result = L2CAP_CONF_SUCCESS; 3730 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 3731 req, &result); 3732 if (len < 0) { 3733 l2cap_send_disconn_req(conn, chan, ECONNRESET); 3734 goto done; 3735 } 3736 3737 l2cap_send_cmd(conn, l2cap_get_ident(conn), 3738 L2CAP_CONF_REQ, len, req); 3739 chan->num_conf_req++; 3740 if (result != L2CAP_CONF_SUCCESS) 3741 goto done; 3742 break; 3743 } 3744 3745 default: 3746 l2cap_chan_set_err(chan, ECONNRESET); 3747 3748 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT); 3749 l2cap_send_disconn_req(conn, chan, ECONNRESET); 3750 goto done; 3751 } 3752 3753 if (flags & L2CAP_CONF_FLAG_CONTINUATION) 3754 goto done; 3755 3756 set_bit(CONF_INPUT_DONE, &chan->conf_state); 3757 3758 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) { 3759 set_default_fcs(chan); 3760 3761 if (chan->mode == L2CAP_MODE_ERTM || 3762 chan->mode == L2CAP_MODE_STREAMING) 3763 err = l2cap_ertm_init(chan); 3764 3765 if (err < 0) 3766 l2cap_send_disconn_req(chan->conn, chan, -err); 3767 else 3768 l2cap_chan_ready(chan); 3769 } 3770 3771 done: 3772 l2cap_chan_unlock(chan); 3773 return err; 3774 } 3775 3776 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 3777 { 3778 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; 3779 struct l2cap_disconn_rsp rsp; 3780 u16 dcid, scid; 3781 struct l2cap_chan *chan; 3782 struct sock *sk; 3783 3784 scid = __le16_to_cpu(req->scid); 3785 dcid = __le16_to_cpu(req->dcid); 3786 3787 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); 3788 3789 mutex_lock(&conn->chan_lock); 3790 3791 chan = __l2cap_get_chan_by_scid(conn, dcid); 3792 if (!chan) { 3793 mutex_unlock(&conn->chan_lock); 3794 return 0; 3795 } 3796 3797 l2cap_chan_lock(chan); 3798 3799 sk = chan->sk; 3800 3801 rsp.dcid = cpu_to_le16(chan->scid); 3802 rsp.scid = cpu_to_le16(chan->dcid); 3803 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); 3804 3805 lock_sock(sk); 3806 sk->sk_shutdown = SHUTDOWN_MASK; 3807 release_sock(sk); 3808 3809 l2cap_chan_hold(chan); 3810 l2cap_chan_del(chan, ECONNRESET); 3811 3812 l2cap_chan_unlock(chan); 3813 3814 chan->ops->close(chan); 3815 l2cap_chan_put(chan); 3816 3817 mutex_unlock(&conn->chan_lock); 3818 3819 return 0; 3820 } 3821 3822 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 3823 { 3824 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; 3825 u16 dcid, scid; 3826 struct l2cap_chan *chan; 3827 3828 scid = __le16_to_cpu(rsp->scid); 3829 dcid = __le16_to_cpu(rsp->dcid); 3830 3831 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); 3832 3833 mutex_lock(&conn->chan_lock); 3834 3835 chan = __l2cap_get_chan_by_scid(conn, scid); 3836 if (!chan) { 3837 mutex_unlock(&conn->chan_lock); 3838 return 0; 3839 } 3840 3841 l2cap_chan_lock(chan); 3842 3843 l2cap_chan_hold(chan); 3844 l2cap_chan_del(chan, 0); 3845 3846 l2cap_chan_unlock(chan); 3847 3848 chan->ops->close(chan); 3849 l2cap_chan_put(chan); 3850 3851 mutex_unlock(&conn->chan_lock); 3852 3853 return 0; 3854 } 3855 3856 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 3857 { 3858 struct l2cap_info_req *req = (struct l2cap_info_req *) data; 3859 u16 type; 3860 3861 type = __le16_to_cpu(req->type); 3862 3863 BT_DBG("type 0x%4.4x", type); 3864 3865 if (type == L2CAP_IT_FEAT_MASK) { 3866 u8 buf[8]; 3867 u32 feat_mask = l2cap_feat_mask; 3868 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 3869 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK); 3870 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS); 3871 if (!disable_ertm) 3872 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 3873 | L2CAP_FEAT_FCS; 3874 if (enable_hs) 3875 feat_mask |= L2CAP_FEAT_EXT_FLOW 3876 | L2CAP_FEAT_EXT_WINDOW; 3877 3878 put_unaligned_le32(feat_mask, rsp->data); 3879 l2cap_send_cmd(conn, cmd->ident, 3880 L2CAP_INFO_RSP, sizeof(buf), buf); 3881 } else if (type == L2CAP_IT_FIXED_CHAN) { 3882 u8 buf[12]; 3883 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 3884 3885 if (enable_hs) 3886 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP; 3887 else 3888 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP; 3889 3890 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN); 3891 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS); 3892 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan)); 3893 l2cap_send_cmd(conn, cmd->ident, 3894 L2CAP_INFO_RSP, sizeof(buf), buf); 3895 } else { 3896 struct l2cap_info_rsp rsp; 3897 rsp.type = cpu_to_le16(type); 3898 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP); 3899 l2cap_send_cmd(conn, cmd->ident, 3900 L2CAP_INFO_RSP, sizeof(rsp), &rsp); 3901 } 3902 3903 return 0; 3904 } 3905 3906 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data) 3907 { 3908 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; 3909 u16 type, result; 3910 3911 type = __le16_to_cpu(rsp->type); 3912 result = __le16_to_cpu(rsp->result); 3913 3914 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result); 3915 3916 /* L2CAP Info req/rsp are unbound to channels, add extra checks */ 3917 if (cmd->ident != conn->info_ident || 3918 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 3919 return 0; 3920 3921 cancel_delayed_work(&conn->info_timer); 3922 3923 if (result != L2CAP_IR_SUCCESS) { 3924 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3925 conn->info_ident = 0; 3926 3927 l2cap_conn_start(conn); 3928 3929 return 0; 3930 } 3931 3932 switch (type) { 3933 case L2CAP_IT_FEAT_MASK: 3934 conn->feat_mask = get_unaligned_le32(rsp->data); 3935 3936 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) { 3937 struct l2cap_info_req req; 3938 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN); 3939 3940 conn->info_ident = l2cap_get_ident(conn); 3941 3942 l2cap_send_cmd(conn, conn->info_ident, 3943 L2CAP_INFO_REQ, sizeof(req), &req); 3944 } else { 3945 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3946 conn->info_ident = 0; 3947 3948 l2cap_conn_start(conn); 3949 } 3950 break; 3951 3952 case L2CAP_IT_FIXED_CHAN: 3953 conn->fixed_chan_mask = rsp->data[0]; 3954 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3955 conn->info_ident = 0; 3956 3957 l2cap_conn_start(conn); 3958 break; 3959 } 3960 3961 return 0; 3962 } 3963 3964 static inline int l2cap_create_channel_req(struct l2cap_conn *conn, 3965 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 3966 void *data) 3967 { 3968 struct l2cap_create_chan_req *req = data; 3969 struct l2cap_create_chan_rsp rsp; 3970 u16 psm, scid; 3971 3972 if (cmd_len != sizeof(*req)) 3973 return -EPROTO; 3974 3975 if (!enable_hs) 3976 return -EINVAL; 3977 3978 psm = le16_to_cpu(req->psm); 3979 scid = le16_to_cpu(req->scid); 3980 3981 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id); 3982 3983 /* Placeholder: Always reject */ 3984 rsp.dcid = 0; 3985 rsp.scid = cpu_to_le16(scid); 3986 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM); 3987 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO); 3988 3989 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP, 3990 sizeof(rsp), &rsp); 3991 3992 return 0; 3993 } 3994 3995 static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn, 3996 struct l2cap_cmd_hdr *cmd, void *data) 3997 { 3998 BT_DBG("conn %p", conn); 3999 4000 return l2cap_connect_rsp(conn, cmd, data); 4001 } 4002 4003 static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident, 4004 u16 icid, u16 result) 4005 { 4006 struct l2cap_move_chan_rsp rsp; 4007 4008 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result); 4009 4010 rsp.icid = cpu_to_le16(icid); 4011 rsp.result = cpu_to_le16(result); 4012 4013 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp); 4014 } 4015 4016 static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn, 4017 struct l2cap_chan *chan, 4018 u16 icid, u16 result) 4019 { 4020 struct l2cap_move_chan_cfm cfm; 4021 u8 ident; 4022 4023 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result); 4024 4025 ident = l2cap_get_ident(conn); 4026 if (chan) 4027 chan->ident = ident; 4028 4029 cfm.icid = cpu_to_le16(icid); 4030 cfm.result = cpu_to_le16(result); 4031 4032 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm); 4033 } 4034 4035 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident, 4036 u16 icid) 4037 { 4038 struct l2cap_move_chan_cfm_rsp rsp; 4039 4040 BT_DBG("icid 0x%4.4x", icid); 4041 4042 rsp.icid = cpu_to_le16(icid); 4043 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp); 4044 } 4045 4046 static inline int l2cap_move_channel_req(struct l2cap_conn *conn, 4047 struct l2cap_cmd_hdr *cmd, 4048 u16 cmd_len, void *data) 4049 { 4050 struct l2cap_move_chan_req *req = data; 4051 u16 icid = 0; 4052 u16 result = L2CAP_MR_NOT_ALLOWED; 4053 4054 if (cmd_len != sizeof(*req)) 4055 return -EPROTO; 4056 4057 icid = le16_to_cpu(req->icid); 4058 4059 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id); 4060 4061 if (!enable_hs) 4062 return -EINVAL; 4063 4064 /* Placeholder: Always refuse */ 4065 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result); 4066 4067 return 0; 4068 } 4069 4070 static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn, 4071 struct l2cap_cmd_hdr *cmd, 4072 u16 cmd_len, void *data) 4073 { 4074 struct l2cap_move_chan_rsp *rsp = data; 4075 u16 icid, result; 4076 4077 if (cmd_len != sizeof(*rsp)) 4078 return -EPROTO; 4079 4080 icid = le16_to_cpu(rsp->icid); 4081 result = le16_to_cpu(rsp->result); 4082 4083 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result); 4084 4085 /* Placeholder: Always unconfirmed */ 4086 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED); 4087 4088 return 0; 4089 } 4090 4091 static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn, 4092 struct l2cap_cmd_hdr *cmd, 4093 u16 cmd_len, void *data) 4094 { 4095 struct l2cap_move_chan_cfm *cfm = data; 4096 u16 icid, result; 4097 4098 if (cmd_len != sizeof(*cfm)) 4099 return -EPROTO; 4100 4101 icid = le16_to_cpu(cfm->icid); 4102 result = le16_to_cpu(cfm->result); 4103 4104 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result); 4105 4106 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid); 4107 4108 return 0; 4109 } 4110 4111 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn, 4112 struct l2cap_cmd_hdr *cmd, 4113 u16 cmd_len, void *data) 4114 { 4115 struct l2cap_move_chan_cfm_rsp *rsp = data; 4116 u16 icid; 4117 4118 if (cmd_len != sizeof(*rsp)) 4119 return -EPROTO; 4120 4121 icid = le16_to_cpu(rsp->icid); 4122 4123 BT_DBG("icid 0x%4.4x", icid); 4124 4125 return 0; 4126 } 4127 4128 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency, 4129 u16 to_multiplier) 4130 { 4131 u16 max_latency; 4132 4133 if (min > max || min < 6 || max > 3200) 4134 return -EINVAL; 4135 4136 if (to_multiplier < 10 || to_multiplier > 3200) 4137 return -EINVAL; 4138 4139 if (max >= to_multiplier * 8) 4140 return -EINVAL; 4141 4142 max_latency = (to_multiplier * 8 / max) - 1; 4143 if (latency > 499 || latency > max_latency) 4144 return -EINVAL; 4145 4146 return 0; 4147 } 4148 4149 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, 4150 struct l2cap_cmd_hdr *cmd, u8 *data) 4151 { 4152 struct hci_conn *hcon = conn->hcon; 4153 struct l2cap_conn_param_update_req *req; 4154 struct l2cap_conn_param_update_rsp rsp; 4155 u16 min, max, latency, to_multiplier, cmd_len; 4156 int err; 4157 4158 if (!(hcon->link_mode & HCI_LM_MASTER)) 4159 return -EINVAL; 4160 4161 cmd_len = __le16_to_cpu(cmd->len); 4162 if (cmd_len != sizeof(struct l2cap_conn_param_update_req)) 4163 return -EPROTO; 4164 4165 req = (struct l2cap_conn_param_update_req *) data; 4166 min = __le16_to_cpu(req->min); 4167 max = __le16_to_cpu(req->max); 4168 latency = __le16_to_cpu(req->latency); 4169 to_multiplier = __le16_to_cpu(req->to_multiplier); 4170 4171 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x", 4172 min, max, latency, to_multiplier); 4173 4174 memset(&rsp, 0, sizeof(rsp)); 4175 4176 err = l2cap_check_conn_param(min, max, latency, to_multiplier); 4177 if (err) 4178 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); 4179 else 4180 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED); 4181 4182 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP, 4183 sizeof(rsp), &rsp); 4184 4185 if (!err) 4186 hci_le_conn_update(hcon, min, max, latency, to_multiplier); 4187 4188 return 0; 4189 } 4190 4191 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, 4192 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 4193 { 4194 int err = 0; 4195 4196 switch (cmd->code) { 4197 case L2CAP_COMMAND_REJ: 4198 l2cap_command_rej(conn, cmd, data); 4199 break; 4200 4201 case L2CAP_CONN_REQ: 4202 err = l2cap_connect_req(conn, cmd, data); 4203 break; 4204 4205 case L2CAP_CONN_RSP: 4206 err = l2cap_connect_rsp(conn, cmd, data); 4207 break; 4208 4209 case L2CAP_CONF_REQ: 4210 err = l2cap_config_req(conn, cmd, cmd_len, data); 4211 break; 4212 4213 case L2CAP_CONF_RSP: 4214 err = l2cap_config_rsp(conn, cmd, data); 4215 break; 4216 4217 case L2CAP_DISCONN_REQ: 4218 err = l2cap_disconnect_req(conn, cmd, data); 4219 break; 4220 4221 case L2CAP_DISCONN_RSP: 4222 err = l2cap_disconnect_rsp(conn, cmd, data); 4223 break; 4224 4225 case L2CAP_ECHO_REQ: 4226 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data); 4227 break; 4228 4229 case L2CAP_ECHO_RSP: 4230 break; 4231 4232 case L2CAP_INFO_REQ: 4233 err = l2cap_information_req(conn, cmd, data); 4234 break; 4235 4236 case L2CAP_INFO_RSP: 4237 err = l2cap_information_rsp(conn, cmd, data); 4238 break; 4239 4240 case L2CAP_CREATE_CHAN_REQ: 4241 err = l2cap_create_channel_req(conn, cmd, cmd_len, data); 4242 break; 4243 4244 case L2CAP_CREATE_CHAN_RSP: 4245 err = l2cap_create_channel_rsp(conn, cmd, data); 4246 break; 4247 4248 case L2CAP_MOVE_CHAN_REQ: 4249 err = l2cap_move_channel_req(conn, cmd, cmd_len, data); 4250 break; 4251 4252 case L2CAP_MOVE_CHAN_RSP: 4253 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data); 4254 break; 4255 4256 case L2CAP_MOVE_CHAN_CFM: 4257 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data); 4258 break; 4259 4260 case L2CAP_MOVE_CHAN_CFM_RSP: 4261 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data); 4262 break; 4263 4264 default: 4265 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code); 4266 err = -EINVAL; 4267 break; 4268 } 4269 4270 return err; 4271 } 4272 4273 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn, 4274 struct l2cap_cmd_hdr *cmd, u8 *data) 4275 { 4276 switch (cmd->code) { 4277 case L2CAP_COMMAND_REJ: 4278 return 0; 4279 4280 case L2CAP_CONN_PARAM_UPDATE_REQ: 4281 return l2cap_conn_param_update_req(conn, cmd, data); 4282 4283 case L2CAP_CONN_PARAM_UPDATE_RSP: 4284 return 0; 4285 4286 default: 4287 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code); 4288 return -EINVAL; 4289 } 4290 } 4291 4292 static inline void l2cap_sig_channel(struct l2cap_conn *conn, 4293 struct sk_buff *skb) 4294 { 4295 u8 *data = skb->data; 4296 int len = skb->len; 4297 struct l2cap_cmd_hdr cmd; 4298 int err; 4299 4300 l2cap_raw_recv(conn, skb); 4301 4302 while (len >= L2CAP_CMD_HDR_SIZE) { 4303 u16 cmd_len; 4304 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE); 4305 data += L2CAP_CMD_HDR_SIZE; 4306 len -= L2CAP_CMD_HDR_SIZE; 4307 4308 cmd_len = le16_to_cpu(cmd.len); 4309 4310 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident); 4311 4312 if (cmd_len > len || !cmd.ident) { 4313 BT_DBG("corrupted command"); 4314 break; 4315 } 4316 4317 if (conn->hcon->type == LE_LINK) 4318 err = l2cap_le_sig_cmd(conn, &cmd, data); 4319 else 4320 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data); 4321 4322 if (err) { 4323 struct l2cap_cmd_rej_unk rej; 4324 4325 BT_ERR("Wrong link type (%d)", err); 4326 4327 /* FIXME: Map err to a valid reason */ 4328 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 4329 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 4330 } 4331 4332 data += cmd_len; 4333 len -= cmd_len; 4334 } 4335 4336 kfree_skb(skb); 4337 } 4338 4339 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb) 4340 { 4341 u16 our_fcs, rcv_fcs; 4342 int hdr_size; 4343 4344 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 4345 hdr_size = L2CAP_EXT_HDR_SIZE; 4346 else 4347 hdr_size = L2CAP_ENH_HDR_SIZE; 4348 4349 if (chan->fcs == L2CAP_FCS_CRC16) { 4350 skb_trim(skb, skb->len - L2CAP_FCS_SIZE); 4351 rcv_fcs = get_unaligned_le16(skb->data + skb->len); 4352 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size); 4353 4354 if (our_fcs != rcv_fcs) 4355 return -EBADMSG; 4356 } 4357 return 0; 4358 } 4359 4360 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan) 4361 { 4362 struct l2cap_ctrl control; 4363 4364 BT_DBG("chan %p", chan); 4365 4366 memset(&control, 0, sizeof(control)); 4367 control.sframe = 1; 4368 control.final = 1; 4369 control.reqseq = chan->buffer_seq; 4370 set_bit(CONN_SEND_FBIT, &chan->conn_state); 4371 4372 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 4373 control.super = L2CAP_SUPER_RNR; 4374 l2cap_send_sframe(chan, &control); 4375 } 4376 4377 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) && 4378 chan->unacked_frames > 0) 4379 __set_retrans_timer(chan); 4380 4381 /* Send pending iframes */ 4382 l2cap_ertm_send(chan); 4383 4384 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 4385 test_bit(CONN_SEND_FBIT, &chan->conn_state)) { 4386 /* F-bit wasn't sent in an s-frame or i-frame yet, so 4387 * send it now. 4388 */ 4389 control.super = L2CAP_SUPER_RR; 4390 l2cap_send_sframe(chan, &control); 4391 } 4392 } 4393 4394 static void append_skb_frag(struct sk_buff *skb, 4395 struct sk_buff *new_frag, struct sk_buff **last_frag) 4396 { 4397 /* skb->len reflects data in skb as well as all fragments 4398 * skb->data_len reflects only data in fragments 4399 */ 4400 if (!skb_has_frag_list(skb)) 4401 skb_shinfo(skb)->frag_list = new_frag; 4402 4403 new_frag->next = NULL; 4404 4405 (*last_frag)->next = new_frag; 4406 *last_frag = new_frag; 4407 4408 skb->len += new_frag->len; 4409 skb->data_len += new_frag->len; 4410 skb->truesize += new_frag->truesize; 4411 } 4412 4413 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, 4414 struct l2cap_ctrl *control) 4415 { 4416 int err = -EINVAL; 4417 4418 switch (control->sar) { 4419 case L2CAP_SAR_UNSEGMENTED: 4420 if (chan->sdu) 4421 break; 4422 4423 err = chan->ops->recv(chan, skb); 4424 break; 4425 4426 case L2CAP_SAR_START: 4427 if (chan->sdu) 4428 break; 4429 4430 chan->sdu_len = get_unaligned_le16(skb->data); 4431 skb_pull(skb, L2CAP_SDULEN_SIZE); 4432 4433 if (chan->sdu_len > chan->imtu) { 4434 err = -EMSGSIZE; 4435 break; 4436 } 4437 4438 if (skb->len >= chan->sdu_len) 4439 break; 4440 4441 chan->sdu = skb; 4442 chan->sdu_last_frag = skb; 4443 4444 skb = NULL; 4445 err = 0; 4446 break; 4447 4448 case L2CAP_SAR_CONTINUE: 4449 if (!chan->sdu) 4450 break; 4451 4452 append_skb_frag(chan->sdu, skb, 4453 &chan->sdu_last_frag); 4454 skb = NULL; 4455 4456 if (chan->sdu->len >= chan->sdu_len) 4457 break; 4458 4459 err = 0; 4460 break; 4461 4462 case L2CAP_SAR_END: 4463 if (!chan->sdu) 4464 break; 4465 4466 append_skb_frag(chan->sdu, skb, 4467 &chan->sdu_last_frag); 4468 skb = NULL; 4469 4470 if (chan->sdu->len != chan->sdu_len) 4471 break; 4472 4473 err = chan->ops->recv(chan, chan->sdu); 4474 4475 if (!err) { 4476 /* Reassembly complete */ 4477 chan->sdu = NULL; 4478 chan->sdu_last_frag = NULL; 4479 chan->sdu_len = 0; 4480 } 4481 break; 4482 } 4483 4484 if (err) { 4485 kfree_skb(skb); 4486 kfree_skb(chan->sdu); 4487 chan->sdu = NULL; 4488 chan->sdu_last_frag = NULL; 4489 chan->sdu_len = 0; 4490 } 4491 4492 return err; 4493 } 4494 4495 void l2cap_chan_busy(struct l2cap_chan *chan, int busy) 4496 { 4497 u8 event; 4498 4499 if (chan->mode != L2CAP_MODE_ERTM) 4500 return; 4501 4502 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR; 4503 l2cap_tx(chan, NULL, NULL, event); 4504 } 4505 4506 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan) 4507 { 4508 int err = 0; 4509 /* Pass sequential frames to l2cap_reassemble_sdu() 4510 * until a gap is encountered. 4511 */ 4512 4513 BT_DBG("chan %p", chan); 4514 4515 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 4516 struct sk_buff *skb; 4517 BT_DBG("Searching for skb with txseq %d (queue len %d)", 4518 chan->buffer_seq, skb_queue_len(&chan->srej_q)); 4519 4520 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq); 4521 4522 if (!skb) 4523 break; 4524 4525 skb_unlink(skb, &chan->srej_q); 4526 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 4527 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control); 4528 if (err) 4529 break; 4530 } 4531 4532 if (skb_queue_empty(&chan->srej_q)) { 4533 chan->rx_state = L2CAP_RX_STATE_RECV; 4534 l2cap_send_ack(chan); 4535 } 4536 4537 return err; 4538 } 4539 4540 static void l2cap_handle_srej(struct l2cap_chan *chan, 4541 struct l2cap_ctrl *control) 4542 { 4543 struct sk_buff *skb; 4544 4545 BT_DBG("chan %p, control %p", chan, control); 4546 4547 if (control->reqseq == chan->next_tx_seq) { 4548 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 4549 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 4550 return; 4551 } 4552 4553 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 4554 4555 if (skb == NULL) { 4556 BT_DBG("Seq %d not available for retransmission", 4557 control->reqseq); 4558 return; 4559 } 4560 4561 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) { 4562 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 4563 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 4564 return; 4565 } 4566 4567 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 4568 4569 if (control->poll) { 4570 l2cap_pass_to_tx(chan, control); 4571 4572 set_bit(CONN_SEND_FBIT, &chan->conn_state); 4573 l2cap_retransmit(chan, control); 4574 l2cap_ertm_send(chan); 4575 4576 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 4577 set_bit(CONN_SREJ_ACT, &chan->conn_state); 4578 chan->srej_save_reqseq = control->reqseq; 4579 } 4580 } else { 4581 l2cap_pass_to_tx_fbit(chan, control); 4582 4583 if (control->final) { 4584 if (chan->srej_save_reqseq != control->reqseq || 4585 !test_and_clear_bit(CONN_SREJ_ACT, 4586 &chan->conn_state)) 4587 l2cap_retransmit(chan, control); 4588 } else { 4589 l2cap_retransmit(chan, control); 4590 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 4591 set_bit(CONN_SREJ_ACT, &chan->conn_state); 4592 chan->srej_save_reqseq = control->reqseq; 4593 } 4594 } 4595 } 4596 } 4597 4598 static void l2cap_handle_rej(struct l2cap_chan *chan, 4599 struct l2cap_ctrl *control) 4600 { 4601 struct sk_buff *skb; 4602 4603 BT_DBG("chan %p, control %p", chan, control); 4604 4605 if (control->reqseq == chan->next_tx_seq) { 4606 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 4607 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 4608 return; 4609 } 4610 4611 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 4612 4613 if (chan->max_tx && skb && 4614 bt_cb(skb)->control.retries >= chan->max_tx) { 4615 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 4616 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 4617 return; 4618 } 4619 4620 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 4621 4622 l2cap_pass_to_tx(chan, control); 4623 4624 if (control->final) { 4625 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state)) 4626 l2cap_retransmit_all(chan, control); 4627 } else { 4628 l2cap_retransmit_all(chan, control); 4629 l2cap_ertm_send(chan); 4630 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) 4631 set_bit(CONN_REJ_ACT, &chan->conn_state); 4632 } 4633 } 4634 4635 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq) 4636 { 4637 BT_DBG("chan %p, txseq %d", chan, txseq); 4638 4639 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq, 4640 chan->expected_tx_seq); 4641 4642 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 4643 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 4644 chan->tx_win) { 4645 /* See notes below regarding "double poll" and 4646 * invalid packets. 4647 */ 4648 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 4649 BT_DBG("Invalid/Ignore - after SREJ"); 4650 return L2CAP_TXSEQ_INVALID_IGNORE; 4651 } else { 4652 BT_DBG("Invalid - in window after SREJ sent"); 4653 return L2CAP_TXSEQ_INVALID; 4654 } 4655 } 4656 4657 if (chan->srej_list.head == txseq) { 4658 BT_DBG("Expected SREJ"); 4659 return L2CAP_TXSEQ_EXPECTED_SREJ; 4660 } 4661 4662 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) { 4663 BT_DBG("Duplicate SREJ - txseq already stored"); 4664 return L2CAP_TXSEQ_DUPLICATE_SREJ; 4665 } 4666 4667 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) { 4668 BT_DBG("Unexpected SREJ - not requested"); 4669 return L2CAP_TXSEQ_UNEXPECTED_SREJ; 4670 } 4671 } 4672 4673 if (chan->expected_tx_seq == txseq) { 4674 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 4675 chan->tx_win) { 4676 BT_DBG("Invalid - txseq outside tx window"); 4677 return L2CAP_TXSEQ_INVALID; 4678 } else { 4679 BT_DBG("Expected"); 4680 return L2CAP_TXSEQ_EXPECTED; 4681 } 4682 } 4683 4684 if (__seq_offset(chan, txseq, chan->last_acked_seq) < 4685 __seq_offset(chan, chan->expected_tx_seq, 4686 chan->last_acked_seq)){ 4687 BT_DBG("Duplicate - expected_tx_seq later than txseq"); 4688 return L2CAP_TXSEQ_DUPLICATE; 4689 } 4690 4691 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) { 4692 /* A source of invalid packets is a "double poll" condition, 4693 * where delays cause us to send multiple poll packets. If 4694 * the remote stack receives and processes both polls, 4695 * sequence numbers can wrap around in such a way that a 4696 * resent frame has a sequence number that looks like new data 4697 * with a sequence gap. This would trigger an erroneous SREJ 4698 * request. 4699 * 4700 * Fortunately, this is impossible with a tx window that's 4701 * less than half of the maximum sequence number, which allows 4702 * invalid frames to be safely ignored. 4703 * 4704 * With tx window sizes greater than half of the tx window 4705 * maximum, the frame is invalid and cannot be ignored. This 4706 * causes a disconnect. 4707 */ 4708 4709 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 4710 BT_DBG("Invalid/Ignore - txseq outside tx window"); 4711 return L2CAP_TXSEQ_INVALID_IGNORE; 4712 } else { 4713 BT_DBG("Invalid - txseq outside tx window"); 4714 return L2CAP_TXSEQ_INVALID; 4715 } 4716 } else { 4717 BT_DBG("Unexpected - txseq indicates missing frames"); 4718 return L2CAP_TXSEQ_UNEXPECTED; 4719 } 4720 } 4721 4722 static int l2cap_rx_state_recv(struct l2cap_chan *chan, 4723 struct l2cap_ctrl *control, 4724 struct sk_buff *skb, u8 event) 4725 { 4726 int err = 0; 4727 bool skb_in_use = 0; 4728 4729 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 4730 event); 4731 4732 switch (event) { 4733 case L2CAP_EV_RECV_IFRAME: 4734 switch (l2cap_classify_txseq(chan, control->txseq)) { 4735 case L2CAP_TXSEQ_EXPECTED: 4736 l2cap_pass_to_tx(chan, control); 4737 4738 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 4739 BT_DBG("Busy, discarding expected seq %d", 4740 control->txseq); 4741 break; 4742 } 4743 4744 chan->expected_tx_seq = __next_seq(chan, 4745 control->txseq); 4746 4747 chan->buffer_seq = chan->expected_tx_seq; 4748 skb_in_use = 1; 4749 4750 err = l2cap_reassemble_sdu(chan, skb, control); 4751 if (err) 4752 break; 4753 4754 if (control->final) { 4755 if (!test_and_clear_bit(CONN_REJ_ACT, 4756 &chan->conn_state)) { 4757 control->final = 0; 4758 l2cap_retransmit_all(chan, control); 4759 l2cap_ertm_send(chan); 4760 } 4761 } 4762 4763 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 4764 l2cap_send_ack(chan); 4765 break; 4766 case L2CAP_TXSEQ_UNEXPECTED: 4767 l2cap_pass_to_tx(chan, control); 4768 4769 /* Can't issue SREJ frames in the local busy state. 4770 * Drop this frame, it will be seen as missing 4771 * when local busy is exited. 4772 */ 4773 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 4774 BT_DBG("Busy, discarding unexpected seq %d", 4775 control->txseq); 4776 break; 4777 } 4778 4779 /* There was a gap in the sequence, so an SREJ 4780 * must be sent for each missing frame. The 4781 * current frame is stored for later use. 4782 */ 4783 skb_queue_tail(&chan->srej_q, skb); 4784 skb_in_use = 1; 4785 BT_DBG("Queued %p (queue len %d)", skb, 4786 skb_queue_len(&chan->srej_q)); 4787 4788 clear_bit(CONN_SREJ_ACT, &chan->conn_state); 4789 l2cap_seq_list_clear(&chan->srej_list); 4790 l2cap_send_srej(chan, control->txseq); 4791 4792 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT; 4793 break; 4794 case L2CAP_TXSEQ_DUPLICATE: 4795 l2cap_pass_to_tx(chan, control); 4796 break; 4797 case L2CAP_TXSEQ_INVALID_IGNORE: 4798 break; 4799 case L2CAP_TXSEQ_INVALID: 4800 default: 4801 l2cap_send_disconn_req(chan->conn, chan, 4802 ECONNRESET); 4803 break; 4804 } 4805 break; 4806 case L2CAP_EV_RECV_RR: 4807 l2cap_pass_to_tx(chan, control); 4808 if (control->final) { 4809 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 4810 4811 if (!test_and_clear_bit(CONN_REJ_ACT, 4812 &chan->conn_state)) { 4813 control->final = 0; 4814 l2cap_retransmit_all(chan, control); 4815 } 4816 4817 l2cap_ertm_send(chan); 4818 } else if (control->poll) { 4819 l2cap_send_i_or_rr_or_rnr(chan); 4820 } else { 4821 if (test_and_clear_bit(CONN_REMOTE_BUSY, 4822 &chan->conn_state) && 4823 chan->unacked_frames) 4824 __set_retrans_timer(chan); 4825 4826 l2cap_ertm_send(chan); 4827 } 4828 break; 4829 case L2CAP_EV_RECV_RNR: 4830 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 4831 l2cap_pass_to_tx(chan, control); 4832 if (control && control->poll) { 4833 set_bit(CONN_SEND_FBIT, &chan->conn_state); 4834 l2cap_send_rr_or_rnr(chan, 0); 4835 } 4836 __clear_retrans_timer(chan); 4837 l2cap_seq_list_clear(&chan->retrans_list); 4838 break; 4839 case L2CAP_EV_RECV_REJ: 4840 l2cap_handle_rej(chan, control); 4841 break; 4842 case L2CAP_EV_RECV_SREJ: 4843 l2cap_handle_srej(chan, control); 4844 break; 4845 default: 4846 break; 4847 } 4848 4849 if (skb && !skb_in_use) { 4850 BT_DBG("Freeing %p", skb); 4851 kfree_skb(skb); 4852 } 4853 4854 return err; 4855 } 4856 4857 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan, 4858 struct l2cap_ctrl *control, 4859 struct sk_buff *skb, u8 event) 4860 { 4861 int err = 0; 4862 u16 txseq = control->txseq; 4863 bool skb_in_use = 0; 4864 4865 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 4866 event); 4867 4868 switch (event) { 4869 case L2CAP_EV_RECV_IFRAME: 4870 switch (l2cap_classify_txseq(chan, txseq)) { 4871 case L2CAP_TXSEQ_EXPECTED: 4872 /* Keep frame for reassembly later */ 4873 l2cap_pass_to_tx(chan, control); 4874 skb_queue_tail(&chan->srej_q, skb); 4875 skb_in_use = 1; 4876 BT_DBG("Queued %p (queue len %d)", skb, 4877 skb_queue_len(&chan->srej_q)); 4878 4879 chan->expected_tx_seq = __next_seq(chan, txseq); 4880 break; 4881 case L2CAP_TXSEQ_EXPECTED_SREJ: 4882 l2cap_seq_list_pop(&chan->srej_list); 4883 4884 l2cap_pass_to_tx(chan, control); 4885 skb_queue_tail(&chan->srej_q, skb); 4886 skb_in_use = 1; 4887 BT_DBG("Queued %p (queue len %d)", skb, 4888 skb_queue_len(&chan->srej_q)); 4889 4890 err = l2cap_rx_queued_iframes(chan); 4891 if (err) 4892 break; 4893 4894 break; 4895 case L2CAP_TXSEQ_UNEXPECTED: 4896 /* Got a frame that can't be reassembled yet. 4897 * Save it for later, and send SREJs to cover 4898 * the missing frames. 4899 */ 4900 skb_queue_tail(&chan->srej_q, skb); 4901 skb_in_use = 1; 4902 BT_DBG("Queued %p (queue len %d)", skb, 4903 skb_queue_len(&chan->srej_q)); 4904 4905 l2cap_pass_to_tx(chan, control); 4906 l2cap_send_srej(chan, control->txseq); 4907 break; 4908 case L2CAP_TXSEQ_UNEXPECTED_SREJ: 4909 /* This frame was requested with an SREJ, but 4910 * some expected retransmitted frames are 4911 * missing. Request retransmission of missing 4912 * SREJ'd frames. 4913 */ 4914 skb_queue_tail(&chan->srej_q, skb); 4915 skb_in_use = 1; 4916 BT_DBG("Queued %p (queue len %d)", skb, 4917 skb_queue_len(&chan->srej_q)); 4918 4919 l2cap_pass_to_tx(chan, control); 4920 l2cap_send_srej_list(chan, control->txseq); 4921 break; 4922 case L2CAP_TXSEQ_DUPLICATE_SREJ: 4923 /* We've already queued this frame. Drop this copy. */ 4924 l2cap_pass_to_tx(chan, control); 4925 break; 4926 case L2CAP_TXSEQ_DUPLICATE: 4927 /* Expecting a later sequence number, so this frame 4928 * was already received. Ignore it completely. 4929 */ 4930 break; 4931 case L2CAP_TXSEQ_INVALID_IGNORE: 4932 break; 4933 case L2CAP_TXSEQ_INVALID: 4934 default: 4935 l2cap_send_disconn_req(chan->conn, chan, 4936 ECONNRESET); 4937 break; 4938 } 4939 break; 4940 case L2CAP_EV_RECV_RR: 4941 l2cap_pass_to_tx(chan, control); 4942 if (control->final) { 4943 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 4944 4945 if (!test_and_clear_bit(CONN_REJ_ACT, 4946 &chan->conn_state)) { 4947 control->final = 0; 4948 l2cap_retransmit_all(chan, control); 4949 } 4950 4951 l2cap_ertm_send(chan); 4952 } else if (control->poll) { 4953 if (test_and_clear_bit(CONN_REMOTE_BUSY, 4954 &chan->conn_state) && 4955 chan->unacked_frames) { 4956 __set_retrans_timer(chan); 4957 } 4958 4959 set_bit(CONN_SEND_FBIT, &chan->conn_state); 4960 l2cap_send_srej_tail(chan); 4961 } else { 4962 if (test_and_clear_bit(CONN_REMOTE_BUSY, 4963 &chan->conn_state) && 4964 chan->unacked_frames) 4965 __set_retrans_timer(chan); 4966 4967 l2cap_send_ack(chan); 4968 } 4969 break; 4970 case L2CAP_EV_RECV_RNR: 4971 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 4972 l2cap_pass_to_tx(chan, control); 4973 if (control->poll) { 4974 l2cap_send_srej_tail(chan); 4975 } else { 4976 struct l2cap_ctrl rr_control; 4977 memset(&rr_control, 0, sizeof(rr_control)); 4978 rr_control.sframe = 1; 4979 rr_control.super = L2CAP_SUPER_RR; 4980 rr_control.reqseq = chan->buffer_seq; 4981 l2cap_send_sframe(chan, &rr_control); 4982 } 4983 4984 break; 4985 case L2CAP_EV_RECV_REJ: 4986 l2cap_handle_rej(chan, control); 4987 break; 4988 case L2CAP_EV_RECV_SREJ: 4989 l2cap_handle_srej(chan, control); 4990 break; 4991 } 4992 4993 if (skb && !skb_in_use) { 4994 BT_DBG("Freeing %p", skb); 4995 kfree_skb(skb); 4996 } 4997 4998 return err; 4999 } 5000 5001 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq) 5002 { 5003 /* Make sure reqseq is for a packet that has been sent but not acked */ 5004 u16 unacked; 5005 5006 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq); 5007 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked; 5008 } 5009 5010 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 5011 struct sk_buff *skb, u8 event) 5012 { 5013 int err = 0; 5014 5015 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan, 5016 control, skb, event, chan->rx_state); 5017 5018 if (__valid_reqseq(chan, control->reqseq)) { 5019 switch (chan->rx_state) { 5020 case L2CAP_RX_STATE_RECV: 5021 err = l2cap_rx_state_recv(chan, control, skb, event); 5022 break; 5023 case L2CAP_RX_STATE_SREJ_SENT: 5024 err = l2cap_rx_state_srej_sent(chan, control, skb, 5025 event); 5026 break; 5027 default: 5028 /* shut it down */ 5029 break; 5030 } 5031 } else { 5032 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d", 5033 control->reqseq, chan->next_tx_seq, 5034 chan->expected_ack_seq); 5035 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 5036 } 5037 5038 return err; 5039 } 5040 5041 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 5042 struct sk_buff *skb) 5043 { 5044 int err = 0; 5045 5046 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, 5047 chan->rx_state); 5048 5049 if (l2cap_classify_txseq(chan, control->txseq) == 5050 L2CAP_TXSEQ_EXPECTED) { 5051 l2cap_pass_to_tx(chan, control); 5052 5053 BT_DBG("buffer_seq %d->%d", chan->buffer_seq, 5054 __next_seq(chan, chan->buffer_seq)); 5055 5056 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 5057 5058 l2cap_reassemble_sdu(chan, skb, control); 5059 } else { 5060 if (chan->sdu) { 5061 kfree_skb(chan->sdu); 5062 chan->sdu = NULL; 5063 } 5064 chan->sdu_last_frag = NULL; 5065 chan->sdu_len = 0; 5066 5067 if (skb) { 5068 BT_DBG("Freeing %p", skb); 5069 kfree_skb(skb); 5070 } 5071 } 5072 5073 chan->last_acked_seq = control->txseq; 5074 chan->expected_tx_seq = __next_seq(chan, control->txseq); 5075 5076 return err; 5077 } 5078 5079 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 5080 { 5081 struct l2cap_ctrl *control = &bt_cb(skb)->control; 5082 u16 len; 5083 u8 event; 5084 5085 __unpack_control(chan, skb); 5086 5087 len = skb->len; 5088 5089 /* 5090 * We can just drop the corrupted I-frame here. 5091 * Receiver will miss it and start proper recovery 5092 * procedures and ask for retransmission. 5093 */ 5094 if (l2cap_check_fcs(chan, skb)) 5095 goto drop; 5096 5097 if (!control->sframe && control->sar == L2CAP_SAR_START) 5098 len -= L2CAP_SDULEN_SIZE; 5099 5100 if (chan->fcs == L2CAP_FCS_CRC16) 5101 len -= L2CAP_FCS_SIZE; 5102 5103 if (len > chan->mps) { 5104 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 5105 goto drop; 5106 } 5107 5108 if (!control->sframe) { 5109 int err; 5110 5111 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d", 5112 control->sar, control->reqseq, control->final, 5113 control->txseq); 5114 5115 /* Validate F-bit - F=0 always valid, F=1 only 5116 * valid in TX WAIT_F 5117 */ 5118 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F) 5119 goto drop; 5120 5121 if (chan->mode != L2CAP_MODE_STREAMING) { 5122 event = L2CAP_EV_RECV_IFRAME; 5123 err = l2cap_rx(chan, control, skb, event); 5124 } else { 5125 err = l2cap_stream_rx(chan, control, skb); 5126 } 5127 5128 if (err) 5129 l2cap_send_disconn_req(chan->conn, chan, 5130 ECONNRESET); 5131 } else { 5132 const u8 rx_func_to_event[4] = { 5133 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ, 5134 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ 5135 }; 5136 5137 /* Only I-frames are expected in streaming mode */ 5138 if (chan->mode == L2CAP_MODE_STREAMING) 5139 goto drop; 5140 5141 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d", 5142 control->reqseq, control->final, control->poll, 5143 control->super); 5144 5145 if (len != 0) { 5146 BT_ERR("%d", len); 5147 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 5148 goto drop; 5149 } 5150 5151 /* Validate F and P bits */ 5152 if (control->final && (control->poll || 5153 chan->tx_state != L2CAP_TX_STATE_WAIT_F)) 5154 goto drop; 5155 5156 event = rx_func_to_event[control->super]; 5157 if (l2cap_rx(chan, control, skb, event)) 5158 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET); 5159 } 5160 5161 return 0; 5162 5163 drop: 5164 kfree_skb(skb); 5165 return 0; 5166 } 5167 5168 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, 5169 struct sk_buff *skb) 5170 { 5171 struct l2cap_chan *chan; 5172 5173 chan = l2cap_get_chan_by_scid(conn, cid); 5174 if (!chan) { 5175 if (cid == L2CAP_CID_A2MP) { 5176 chan = a2mp_channel_create(conn, skb); 5177 if (!chan) { 5178 kfree_skb(skb); 5179 return; 5180 } 5181 5182 l2cap_chan_lock(chan); 5183 } else { 5184 BT_DBG("unknown cid 0x%4.4x", cid); 5185 /* Drop packet and return */ 5186 kfree_skb(skb); 5187 return; 5188 } 5189 } 5190 5191 BT_DBG("chan %p, len %d", chan, skb->len); 5192 5193 if (chan->state != BT_CONNECTED) 5194 goto drop; 5195 5196 switch (chan->mode) { 5197 case L2CAP_MODE_BASIC: 5198 /* If socket recv buffers overflows we drop data here 5199 * which is *bad* because L2CAP has to be reliable. 5200 * But we don't have any other choice. L2CAP doesn't 5201 * provide flow control mechanism. */ 5202 5203 if (chan->imtu < skb->len) 5204 goto drop; 5205 5206 if (!chan->ops->recv(chan, skb)) 5207 goto done; 5208 break; 5209 5210 case L2CAP_MODE_ERTM: 5211 case L2CAP_MODE_STREAMING: 5212 l2cap_data_rcv(chan, skb); 5213 goto done; 5214 5215 default: 5216 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode); 5217 break; 5218 } 5219 5220 drop: 5221 kfree_skb(skb); 5222 5223 done: 5224 l2cap_chan_unlock(chan); 5225 } 5226 5227 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, 5228 struct sk_buff *skb) 5229 { 5230 struct l2cap_chan *chan; 5231 5232 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst); 5233 if (!chan) 5234 goto drop; 5235 5236 BT_DBG("chan %p, len %d", chan, skb->len); 5237 5238 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED) 5239 goto drop; 5240 5241 if (chan->imtu < skb->len) 5242 goto drop; 5243 5244 if (!chan->ops->recv(chan, skb)) 5245 return; 5246 5247 drop: 5248 kfree_skb(skb); 5249 } 5250 5251 static void l2cap_att_channel(struct l2cap_conn *conn, u16 cid, 5252 struct sk_buff *skb) 5253 { 5254 struct l2cap_chan *chan; 5255 5256 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst); 5257 if (!chan) 5258 goto drop; 5259 5260 BT_DBG("chan %p, len %d", chan, skb->len); 5261 5262 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED) 5263 goto drop; 5264 5265 if (chan->imtu < skb->len) 5266 goto drop; 5267 5268 if (!chan->ops->recv(chan, skb)) 5269 return; 5270 5271 drop: 5272 kfree_skb(skb); 5273 } 5274 5275 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) 5276 { 5277 struct l2cap_hdr *lh = (void *) skb->data; 5278 u16 cid, len; 5279 __le16 psm; 5280 5281 skb_pull(skb, L2CAP_HDR_SIZE); 5282 cid = __le16_to_cpu(lh->cid); 5283 len = __le16_to_cpu(lh->len); 5284 5285 if (len != skb->len) { 5286 kfree_skb(skb); 5287 return; 5288 } 5289 5290 BT_DBG("len %d, cid 0x%4.4x", len, cid); 5291 5292 switch (cid) { 5293 case L2CAP_CID_LE_SIGNALING: 5294 case L2CAP_CID_SIGNALING: 5295 l2cap_sig_channel(conn, skb); 5296 break; 5297 5298 case L2CAP_CID_CONN_LESS: 5299 psm = get_unaligned((__le16 *) skb->data); 5300 skb_pull(skb, L2CAP_PSMLEN_SIZE); 5301 l2cap_conless_channel(conn, psm, skb); 5302 break; 5303 5304 case L2CAP_CID_LE_DATA: 5305 l2cap_att_channel(conn, cid, skb); 5306 break; 5307 5308 case L2CAP_CID_SMP: 5309 if (smp_sig_channel(conn, skb)) 5310 l2cap_conn_del(conn->hcon, EACCES); 5311 break; 5312 5313 default: 5314 l2cap_data_channel(conn, cid, skb); 5315 break; 5316 } 5317 } 5318 5319 /* ---- L2CAP interface with lower layer (HCI) ---- */ 5320 5321 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr) 5322 { 5323 int exact = 0, lm1 = 0, lm2 = 0; 5324 struct l2cap_chan *c; 5325 5326 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr)); 5327 5328 /* Find listening sockets and check their link_mode */ 5329 read_lock(&chan_list_lock); 5330 list_for_each_entry(c, &chan_list, global_l) { 5331 struct sock *sk = c->sk; 5332 5333 if (c->state != BT_LISTEN) 5334 continue; 5335 5336 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) { 5337 lm1 |= HCI_LM_ACCEPT; 5338 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 5339 lm1 |= HCI_LM_MASTER; 5340 exact++; 5341 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) { 5342 lm2 |= HCI_LM_ACCEPT; 5343 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 5344 lm2 |= HCI_LM_MASTER; 5345 } 5346 } 5347 read_unlock(&chan_list_lock); 5348 5349 return exact ? lm1 : lm2; 5350 } 5351 5352 void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 5353 { 5354 struct l2cap_conn *conn; 5355 5356 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status); 5357 5358 if (!status) { 5359 conn = l2cap_conn_add(hcon, status); 5360 if (conn) 5361 l2cap_conn_ready(conn); 5362 } else 5363 l2cap_conn_del(hcon, bt_to_errno(status)); 5364 5365 } 5366 5367 int l2cap_disconn_ind(struct hci_conn *hcon) 5368 { 5369 struct l2cap_conn *conn = hcon->l2cap_data; 5370 5371 BT_DBG("hcon %p", hcon); 5372 5373 if (!conn) 5374 return HCI_ERROR_REMOTE_USER_TERM; 5375 return conn->disc_reason; 5376 } 5377 5378 void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) 5379 { 5380 BT_DBG("hcon %p reason %d", hcon, reason); 5381 5382 l2cap_conn_del(hcon, bt_to_errno(reason)); 5383 } 5384 5385 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt) 5386 { 5387 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 5388 return; 5389 5390 if (encrypt == 0x00) { 5391 if (chan->sec_level == BT_SECURITY_MEDIUM) { 5392 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT); 5393 } else if (chan->sec_level == BT_SECURITY_HIGH) 5394 l2cap_chan_close(chan, ECONNREFUSED); 5395 } else { 5396 if (chan->sec_level == BT_SECURITY_MEDIUM) 5397 __clear_chan_timer(chan); 5398 } 5399 } 5400 5401 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 5402 { 5403 struct l2cap_conn *conn = hcon->l2cap_data; 5404 struct l2cap_chan *chan; 5405 5406 if (!conn) 5407 return 0; 5408 5409 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt); 5410 5411 if (hcon->type == LE_LINK) { 5412 if (!status && encrypt) 5413 smp_distribute_keys(conn, 0); 5414 cancel_delayed_work(&conn->security_timer); 5415 } 5416 5417 mutex_lock(&conn->chan_lock); 5418 5419 list_for_each_entry(chan, &conn->chan_l, list) { 5420 l2cap_chan_lock(chan); 5421 5422 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid, 5423 state_to_string(chan->state)); 5424 5425 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) { 5426 l2cap_chan_unlock(chan); 5427 continue; 5428 } 5429 5430 if (chan->scid == L2CAP_CID_LE_DATA) { 5431 if (!status && encrypt) { 5432 chan->sec_level = hcon->sec_level; 5433 l2cap_chan_ready(chan); 5434 } 5435 5436 l2cap_chan_unlock(chan); 5437 continue; 5438 } 5439 5440 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) { 5441 l2cap_chan_unlock(chan); 5442 continue; 5443 } 5444 5445 if (!status && (chan->state == BT_CONNECTED || 5446 chan->state == BT_CONFIG)) { 5447 struct sock *sk = chan->sk; 5448 5449 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 5450 sk->sk_state_change(sk); 5451 5452 l2cap_check_encryption(chan, encrypt); 5453 l2cap_chan_unlock(chan); 5454 continue; 5455 } 5456 5457 if (chan->state == BT_CONNECT) { 5458 if (!status) { 5459 l2cap_send_conn_req(chan); 5460 } else { 5461 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 5462 } 5463 } else if (chan->state == BT_CONNECT2) { 5464 struct sock *sk = chan->sk; 5465 struct l2cap_conn_rsp rsp; 5466 __u16 res, stat; 5467 5468 lock_sock(sk); 5469 5470 if (!status) { 5471 if (test_bit(BT_SK_DEFER_SETUP, 5472 &bt_sk(sk)->flags)) { 5473 struct sock *parent = bt_sk(sk)->parent; 5474 res = L2CAP_CR_PEND; 5475 stat = L2CAP_CS_AUTHOR_PEND; 5476 if (parent) 5477 parent->sk_data_ready(parent, 0); 5478 } else { 5479 __l2cap_state_change(chan, BT_CONFIG); 5480 res = L2CAP_CR_SUCCESS; 5481 stat = L2CAP_CS_NO_INFO; 5482 } 5483 } else { 5484 __l2cap_state_change(chan, BT_DISCONN); 5485 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 5486 res = L2CAP_CR_SEC_BLOCK; 5487 stat = L2CAP_CS_NO_INFO; 5488 } 5489 5490 release_sock(sk); 5491 5492 rsp.scid = cpu_to_le16(chan->dcid); 5493 rsp.dcid = cpu_to_le16(chan->scid); 5494 rsp.result = cpu_to_le16(res); 5495 rsp.status = cpu_to_le16(stat); 5496 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 5497 sizeof(rsp), &rsp); 5498 5499 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) && 5500 res == L2CAP_CR_SUCCESS) { 5501 char buf[128]; 5502 set_bit(CONF_REQ_SENT, &chan->conf_state); 5503 l2cap_send_cmd(conn, l2cap_get_ident(conn), 5504 L2CAP_CONF_REQ, 5505 l2cap_build_conf_req(chan, buf), 5506 buf); 5507 chan->num_conf_req++; 5508 } 5509 } 5510 5511 l2cap_chan_unlock(chan); 5512 } 5513 5514 mutex_unlock(&conn->chan_lock); 5515 5516 return 0; 5517 } 5518 5519 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 5520 { 5521 struct l2cap_conn *conn = hcon->l2cap_data; 5522 5523 if (!conn) 5524 conn = l2cap_conn_add(hcon, 0); 5525 5526 if (!conn) 5527 goto drop; 5528 5529 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags); 5530 5531 if (!(flags & ACL_CONT)) { 5532 struct l2cap_hdr *hdr; 5533 int len; 5534 5535 if (conn->rx_len) { 5536 BT_ERR("Unexpected start frame (len %d)", skb->len); 5537 kfree_skb(conn->rx_skb); 5538 conn->rx_skb = NULL; 5539 conn->rx_len = 0; 5540 l2cap_conn_unreliable(conn, ECOMM); 5541 } 5542 5543 /* Start fragment always begin with Basic L2CAP header */ 5544 if (skb->len < L2CAP_HDR_SIZE) { 5545 BT_ERR("Frame is too short (len %d)", skb->len); 5546 l2cap_conn_unreliable(conn, ECOMM); 5547 goto drop; 5548 } 5549 5550 hdr = (struct l2cap_hdr *) skb->data; 5551 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE; 5552 5553 if (len == skb->len) { 5554 /* Complete frame received */ 5555 l2cap_recv_frame(conn, skb); 5556 return 0; 5557 } 5558 5559 BT_DBG("Start: total len %d, frag len %d", len, skb->len); 5560 5561 if (skb->len > len) { 5562 BT_ERR("Frame is too long (len %d, expected len %d)", 5563 skb->len, len); 5564 l2cap_conn_unreliable(conn, ECOMM); 5565 goto drop; 5566 } 5567 5568 /* Allocate skb for the complete frame (with header) */ 5569 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC); 5570 if (!conn->rx_skb) 5571 goto drop; 5572 5573 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 5574 skb->len); 5575 conn->rx_len = len - skb->len; 5576 } else { 5577 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len); 5578 5579 if (!conn->rx_len) { 5580 BT_ERR("Unexpected continuation frame (len %d)", skb->len); 5581 l2cap_conn_unreliable(conn, ECOMM); 5582 goto drop; 5583 } 5584 5585 if (skb->len > conn->rx_len) { 5586 BT_ERR("Fragment is too long (len %d, expected %d)", 5587 skb->len, conn->rx_len); 5588 kfree_skb(conn->rx_skb); 5589 conn->rx_skb = NULL; 5590 conn->rx_len = 0; 5591 l2cap_conn_unreliable(conn, ECOMM); 5592 goto drop; 5593 } 5594 5595 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), 5596 skb->len); 5597 conn->rx_len -= skb->len; 5598 5599 if (!conn->rx_len) { 5600 /* Complete frame received */ 5601 l2cap_recv_frame(conn, conn->rx_skb); 5602 conn->rx_skb = NULL; 5603 } 5604 } 5605 5606 drop: 5607 kfree_skb(skb); 5608 return 0; 5609 } 5610 5611 static int l2cap_debugfs_show(struct seq_file *f, void *p) 5612 { 5613 struct l2cap_chan *c; 5614 5615 read_lock(&chan_list_lock); 5616 5617 list_for_each_entry(c, &chan_list, global_l) { 5618 struct sock *sk = c->sk; 5619 5620 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 5621 batostr(&bt_sk(sk)->src), 5622 batostr(&bt_sk(sk)->dst), 5623 c->state, __le16_to_cpu(c->psm), 5624 c->scid, c->dcid, c->imtu, c->omtu, 5625 c->sec_level, c->mode); 5626 } 5627 5628 read_unlock(&chan_list_lock); 5629 5630 return 0; 5631 } 5632 5633 static int l2cap_debugfs_open(struct inode *inode, struct file *file) 5634 { 5635 return single_open(file, l2cap_debugfs_show, inode->i_private); 5636 } 5637 5638 static const struct file_operations l2cap_debugfs_fops = { 5639 .open = l2cap_debugfs_open, 5640 .read = seq_read, 5641 .llseek = seq_lseek, 5642 .release = single_release, 5643 }; 5644 5645 static struct dentry *l2cap_debugfs; 5646 5647 int __init l2cap_init(void) 5648 { 5649 int err; 5650 5651 err = l2cap_init_sockets(); 5652 if (err < 0) 5653 return err; 5654 5655 if (bt_debugfs) { 5656 l2cap_debugfs = debugfs_create_file("l2cap", 0444, 5657 bt_debugfs, NULL, &l2cap_debugfs_fops); 5658 if (!l2cap_debugfs) 5659 BT_ERR("Failed to create L2CAP debug file"); 5660 } 5661 5662 return 0; 5663 } 5664 5665 void l2cap_exit(void) 5666 { 5667 debugfs_remove(l2cap_debugfs); 5668 l2cap_cleanup_sockets(); 5669 } 5670 5671 module_param(disable_ertm, bool, 0644); 5672 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode"); 5673