1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved. 8 9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 10 11 This program is free software; you can redistribute it and/or modify 12 it under the terms of the GNU General Public License version 2 as 13 published by the Free Software Foundation; 14 15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 23 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 26 SOFTWARE IS DISCLAIMED. 27 */ 28 29 /* Bluetooth L2CAP core. */ 30 31 #include <linux/module.h> 32 33 #include <linux/debugfs.h> 34 #include <linux/crc16.h> 35 #include <linux/filter.h> 36 37 #include <net/bluetooth/bluetooth.h> 38 #include <net/bluetooth/hci_core.h> 39 #include <net/bluetooth/l2cap.h> 40 41 #include "smp.h" 42 #include "a2mp.h" 43 #include "amp.h" 44 45 #define LE_FLOWCTL_MAX_CREDITS 65535 46 47 bool disable_ertm; 48 bool enable_ecred; 49 50 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD; 51 52 static LIST_HEAD(chan_list); 53 static DEFINE_RWLOCK(chan_list_lock); 54 55 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 56 u8 code, u8 ident, u16 dlen, void *data); 57 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 58 void *data); 59 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size); 60 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); 61 62 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 63 struct sk_buff_head *skbs, u8 event); 64 65 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) 66 { 67 if (link_type == LE_LINK) { 68 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 69 return BDADDR_LE_PUBLIC; 70 else 71 return BDADDR_LE_RANDOM; 72 } 73 74 return BDADDR_BREDR; 75 } 76 77 static inline u8 bdaddr_src_type(struct hci_conn *hcon) 78 { 79 return bdaddr_type(hcon->type, hcon->src_type); 80 } 81 82 static inline u8 bdaddr_dst_type(struct hci_conn *hcon) 83 { 84 return bdaddr_type(hcon->type, hcon->dst_type); 85 } 86 87 /* ---- L2CAP channels ---- */ 88 89 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 90 u16 cid) 91 { 92 struct l2cap_chan *c; 93 94 list_for_each_entry(c, &conn->chan_l, list) { 95 if (c->dcid == cid) 96 return c; 97 } 98 return NULL; 99 } 100 101 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, 102 u16 cid) 103 { 104 struct l2cap_chan *c; 105 106 list_for_each_entry(c, &conn->chan_l, list) { 107 if (c->scid == cid) 108 return c; 109 } 110 return NULL; 111 } 112 113 /* Find channel with given SCID. 114 * Returns a reference locked channel. 115 */ 116 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, 117 u16 cid) 118 { 119 struct l2cap_chan *c; 120 121 mutex_lock(&conn->chan_lock); 122 c = __l2cap_get_chan_by_scid(conn, cid); 123 if (c) { 124 /* Only lock if chan reference is not 0 */ 125 c = l2cap_chan_hold_unless_zero(c); 126 if (c) 127 l2cap_chan_lock(c); 128 } 129 mutex_unlock(&conn->chan_lock); 130 131 return c; 132 } 133 134 /* Find channel with given DCID. 135 * Returns a reference locked channel. 136 */ 137 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 138 u16 cid) 139 { 140 struct l2cap_chan *c; 141 142 mutex_lock(&conn->chan_lock); 143 c = __l2cap_get_chan_by_dcid(conn, cid); 144 if (c) { 145 /* Only lock if chan reference is not 0 */ 146 c = l2cap_chan_hold_unless_zero(c); 147 if (c) 148 l2cap_chan_lock(c); 149 } 150 mutex_unlock(&conn->chan_lock); 151 152 return c; 153 } 154 155 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, 156 u8 ident) 157 { 158 struct l2cap_chan *c; 159 160 list_for_each_entry(c, &conn->chan_l, list) { 161 if (c->ident == ident) 162 return c; 163 } 164 return NULL; 165 } 166 167 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, 168 u8 ident) 169 { 170 struct l2cap_chan *c; 171 172 mutex_lock(&conn->chan_lock); 173 c = __l2cap_get_chan_by_ident(conn, ident); 174 if (c) { 175 /* Only lock if chan reference is not 0 */ 176 c = l2cap_chan_hold_unless_zero(c); 177 if (c) 178 l2cap_chan_lock(c); 179 } 180 mutex_unlock(&conn->chan_lock); 181 182 return c; 183 } 184 185 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src, 186 u8 src_type) 187 { 188 struct l2cap_chan *c; 189 190 list_for_each_entry(c, &chan_list, global_l) { 191 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR) 192 continue; 193 194 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR) 195 continue; 196 197 if (c->sport == psm && !bacmp(&c->src, src)) 198 return c; 199 } 200 return NULL; 201 } 202 203 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm) 204 { 205 int err; 206 207 write_lock(&chan_list_lock); 208 209 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) { 210 err = -EADDRINUSE; 211 goto done; 212 } 213 214 if (psm) { 215 chan->psm = psm; 216 chan->sport = psm; 217 err = 0; 218 } else { 219 u16 p, start, end, incr; 220 221 if (chan->src_type == BDADDR_BREDR) { 222 start = L2CAP_PSM_DYN_START; 223 end = L2CAP_PSM_AUTO_END; 224 incr = 2; 225 } else { 226 start = L2CAP_PSM_LE_DYN_START; 227 end = L2CAP_PSM_LE_DYN_END; 228 incr = 1; 229 } 230 231 err = -EINVAL; 232 for (p = start; p <= end; p += incr) 233 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src, 234 chan->src_type)) { 235 chan->psm = cpu_to_le16(p); 236 chan->sport = cpu_to_le16(p); 237 err = 0; 238 break; 239 } 240 } 241 242 done: 243 write_unlock(&chan_list_lock); 244 return err; 245 } 246 EXPORT_SYMBOL_GPL(l2cap_add_psm); 247 248 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid) 249 { 250 write_lock(&chan_list_lock); 251 252 /* Override the defaults (which are for conn-oriented) */ 253 chan->omtu = L2CAP_DEFAULT_MTU; 254 chan->chan_type = L2CAP_CHAN_FIXED; 255 256 chan->scid = scid; 257 258 write_unlock(&chan_list_lock); 259 260 return 0; 261 } 262 263 static u16 l2cap_alloc_cid(struct l2cap_conn *conn) 264 { 265 u16 cid, dyn_end; 266 267 if (conn->hcon->type == LE_LINK) 268 dyn_end = L2CAP_CID_LE_DYN_END; 269 else 270 dyn_end = L2CAP_CID_DYN_END; 271 272 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) { 273 if (!__l2cap_get_chan_by_scid(conn, cid)) 274 return cid; 275 } 276 277 return 0; 278 } 279 280 static void l2cap_state_change(struct l2cap_chan *chan, int state) 281 { 282 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state), 283 state_to_string(state)); 284 285 chan->state = state; 286 chan->ops->state_change(chan, state, 0); 287 } 288 289 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan, 290 int state, int err) 291 { 292 chan->state = state; 293 chan->ops->state_change(chan, chan->state, err); 294 } 295 296 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err) 297 { 298 chan->ops->state_change(chan, chan->state, err); 299 } 300 301 static void __set_retrans_timer(struct l2cap_chan *chan) 302 { 303 if (!delayed_work_pending(&chan->monitor_timer) && 304 chan->retrans_timeout) { 305 l2cap_set_timer(chan, &chan->retrans_timer, 306 msecs_to_jiffies(chan->retrans_timeout)); 307 } 308 } 309 310 static void __set_monitor_timer(struct l2cap_chan *chan) 311 { 312 __clear_retrans_timer(chan); 313 if (chan->monitor_timeout) { 314 l2cap_set_timer(chan, &chan->monitor_timer, 315 msecs_to_jiffies(chan->monitor_timeout)); 316 } 317 } 318 319 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head, 320 u16 seq) 321 { 322 struct sk_buff *skb; 323 324 skb_queue_walk(head, skb) { 325 if (bt_cb(skb)->l2cap.txseq == seq) 326 return skb; 327 } 328 329 return NULL; 330 } 331 332 /* ---- L2CAP sequence number lists ---- */ 333 334 /* For ERTM, ordered lists of sequence numbers must be tracked for 335 * SREJ requests that are received and for frames that are to be 336 * retransmitted. These seq_list functions implement a singly-linked 337 * list in an array, where membership in the list can also be checked 338 * in constant time. Items can also be added to the tail of the list 339 * and removed from the head in constant time, without further memory 340 * allocs or frees. 341 */ 342 343 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size) 344 { 345 size_t alloc_size, i; 346 347 /* Allocated size is a power of 2 to map sequence numbers 348 * (which may be up to 14 bits) in to a smaller array that is 349 * sized for the negotiated ERTM transmit windows. 350 */ 351 alloc_size = roundup_pow_of_two(size); 352 353 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL); 354 if (!seq_list->list) 355 return -ENOMEM; 356 357 seq_list->mask = alloc_size - 1; 358 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 359 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 360 for (i = 0; i < alloc_size; i++) 361 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 362 363 return 0; 364 } 365 366 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list) 367 { 368 kfree(seq_list->list); 369 } 370 371 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list, 372 u16 seq) 373 { 374 /* Constant-time check for list membership */ 375 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR; 376 } 377 378 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list) 379 { 380 u16 seq = seq_list->head; 381 u16 mask = seq_list->mask; 382 383 seq_list->head = seq_list->list[seq & mask]; 384 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR; 385 386 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) { 387 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 388 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 389 } 390 391 return seq; 392 } 393 394 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list) 395 { 396 u16 i; 397 398 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) 399 return; 400 401 for (i = 0; i <= seq_list->mask; i++) 402 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 403 404 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 405 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 406 } 407 408 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq) 409 { 410 u16 mask = seq_list->mask; 411 412 /* All appends happen in constant time */ 413 414 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR) 415 return; 416 417 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR) 418 seq_list->head = seq; 419 else 420 seq_list->list[seq_list->tail & mask] = seq; 421 422 seq_list->tail = seq; 423 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL; 424 } 425 426 static void l2cap_chan_timeout(struct work_struct *work) 427 { 428 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 429 chan_timer.work); 430 struct l2cap_conn *conn = chan->conn; 431 int reason; 432 433 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 434 435 mutex_lock(&conn->chan_lock); 436 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling 437 * this work. No need to call l2cap_chan_hold(chan) here again. 438 */ 439 l2cap_chan_lock(chan); 440 441 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) 442 reason = ECONNREFUSED; 443 else if (chan->state == BT_CONNECT && 444 chan->sec_level != BT_SECURITY_SDP) 445 reason = ECONNREFUSED; 446 else 447 reason = ETIMEDOUT; 448 449 l2cap_chan_close(chan, reason); 450 451 chan->ops->close(chan); 452 453 l2cap_chan_unlock(chan); 454 l2cap_chan_put(chan); 455 456 mutex_unlock(&conn->chan_lock); 457 } 458 459 struct l2cap_chan *l2cap_chan_create(void) 460 { 461 struct l2cap_chan *chan; 462 463 chan = kzalloc(sizeof(*chan), GFP_ATOMIC); 464 if (!chan) 465 return NULL; 466 467 skb_queue_head_init(&chan->tx_q); 468 skb_queue_head_init(&chan->srej_q); 469 mutex_init(&chan->lock); 470 471 /* Set default lock nesting level */ 472 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL); 473 474 write_lock(&chan_list_lock); 475 list_add(&chan->global_l, &chan_list); 476 write_unlock(&chan_list_lock); 477 478 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); 479 480 chan->state = BT_OPEN; 481 482 kref_init(&chan->kref); 483 484 /* This flag is cleared in l2cap_chan_ready() */ 485 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 486 487 BT_DBG("chan %p", chan); 488 489 return chan; 490 } 491 EXPORT_SYMBOL_GPL(l2cap_chan_create); 492 493 static void l2cap_chan_destroy(struct kref *kref) 494 { 495 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref); 496 497 BT_DBG("chan %p", chan); 498 499 write_lock(&chan_list_lock); 500 list_del(&chan->global_l); 501 write_unlock(&chan_list_lock); 502 503 kfree(chan); 504 } 505 506 void l2cap_chan_hold(struct l2cap_chan *c) 507 { 508 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 509 510 kref_get(&c->kref); 511 } 512 513 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) 514 { 515 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 516 517 if (!kref_get_unless_zero(&c->kref)) 518 return NULL; 519 520 return c; 521 } 522 523 void l2cap_chan_put(struct l2cap_chan *c) 524 { 525 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 526 527 kref_put(&c->kref, l2cap_chan_destroy); 528 } 529 EXPORT_SYMBOL_GPL(l2cap_chan_put); 530 531 void l2cap_chan_set_defaults(struct l2cap_chan *chan) 532 { 533 chan->fcs = L2CAP_FCS_CRC16; 534 chan->max_tx = L2CAP_DEFAULT_MAX_TX; 535 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW; 536 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 537 chan->remote_max_tx = chan->max_tx; 538 chan->remote_tx_win = chan->tx_win; 539 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW; 540 chan->sec_level = BT_SECURITY_LOW; 541 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 542 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; 543 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; 544 545 chan->conf_state = 0; 546 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 547 548 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 549 } 550 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults); 551 552 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits) 553 { 554 chan->sdu = NULL; 555 chan->sdu_last_frag = NULL; 556 chan->sdu_len = 0; 557 chan->tx_credits = tx_credits; 558 /* Derive MPS from connection MTU to stop HCI fragmentation */ 559 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE); 560 /* Give enough credits for a full packet */ 561 chan->rx_credits = (chan->imtu / chan->mps) + 1; 562 563 skb_queue_head_init(&chan->tx_q); 564 } 565 566 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits) 567 { 568 l2cap_le_flowctl_init(chan, tx_credits); 569 570 /* L2CAP implementations shall support a minimum MPS of 64 octets */ 571 if (chan->mps < L2CAP_ECRED_MIN_MPS) { 572 chan->mps = L2CAP_ECRED_MIN_MPS; 573 chan->rx_credits = (chan->imtu / chan->mps) + 1; 574 } 575 } 576 577 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 578 { 579 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 580 __le16_to_cpu(chan->psm), chan->dcid); 581 582 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 583 584 chan->conn = conn; 585 586 switch (chan->chan_type) { 587 case L2CAP_CHAN_CONN_ORIENTED: 588 /* Alloc CID for connection-oriented socket */ 589 chan->scid = l2cap_alloc_cid(conn); 590 if (conn->hcon->type == ACL_LINK) 591 chan->omtu = L2CAP_DEFAULT_MTU; 592 break; 593 594 case L2CAP_CHAN_CONN_LESS: 595 /* Connectionless socket */ 596 chan->scid = L2CAP_CID_CONN_LESS; 597 chan->dcid = L2CAP_CID_CONN_LESS; 598 chan->omtu = L2CAP_DEFAULT_MTU; 599 break; 600 601 case L2CAP_CHAN_FIXED: 602 /* Caller will set CID and CID specific MTU values */ 603 break; 604 605 default: 606 /* Raw socket can send/recv signalling messages only */ 607 chan->scid = L2CAP_CID_SIGNALING; 608 chan->dcid = L2CAP_CID_SIGNALING; 609 chan->omtu = L2CAP_DEFAULT_MTU; 610 } 611 612 chan->local_id = L2CAP_BESTEFFORT_ID; 613 chan->local_stype = L2CAP_SERV_BESTEFFORT; 614 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE; 615 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME; 616 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT; 617 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO; 618 619 l2cap_chan_hold(chan); 620 621 /* Only keep a reference for fixed channels if they requested it */ 622 if (chan->chan_type != L2CAP_CHAN_FIXED || 623 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags)) 624 hci_conn_hold(conn->hcon); 625 626 list_add(&chan->list, &conn->chan_l); 627 } 628 629 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 630 { 631 mutex_lock(&conn->chan_lock); 632 __l2cap_chan_add(conn, chan); 633 mutex_unlock(&conn->chan_lock); 634 } 635 636 void l2cap_chan_del(struct l2cap_chan *chan, int err) 637 { 638 struct l2cap_conn *conn = chan->conn; 639 640 __clear_chan_timer(chan); 641 642 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err, 643 state_to_string(chan->state)); 644 645 chan->ops->teardown(chan, err); 646 647 if (conn) { 648 struct amp_mgr *mgr = conn->hcon->amp_mgr; 649 /* Delete from channel list */ 650 list_del(&chan->list); 651 652 l2cap_chan_put(chan); 653 654 chan->conn = NULL; 655 656 /* Reference was only held for non-fixed channels or 657 * fixed channels that explicitly requested it using the 658 * FLAG_HOLD_HCI_CONN flag. 659 */ 660 if (chan->chan_type != L2CAP_CHAN_FIXED || 661 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags)) 662 hci_conn_drop(conn->hcon); 663 664 if (mgr && mgr->bredr_chan == chan) 665 mgr->bredr_chan = NULL; 666 } 667 668 if (chan->hs_hchan) { 669 struct hci_chan *hs_hchan = chan->hs_hchan; 670 671 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan); 672 amp_disconnect_logical_link(hs_hchan); 673 } 674 675 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state)) 676 return; 677 678 switch (chan->mode) { 679 case L2CAP_MODE_BASIC: 680 break; 681 682 case L2CAP_MODE_LE_FLOWCTL: 683 case L2CAP_MODE_EXT_FLOWCTL: 684 skb_queue_purge(&chan->tx_q); 685 break; 686 687 case L2CAP_MODE_ERTM: 688 __clear_retrans_timer(chan); 689 __clear_monitor_timer(chan); 690 __clear_ack_timer(chan); 691 692 skb_queue_purge(&chan->srej_q); 693 694 l2cap_seq_list_free(&chan->srej_list); 695 l2cap_seq_list_free(&chan->retrans_list); 696 fallthrough; 697 698 case L2CAP_MODE_STREAMING: 699 skb_queue_purge(&chan->tx_q); 700 break; 701 } 702 } 703 EXPORT_SYMBOL_GPL(l2cap_chan_del); 704 705 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, 706 void *data) 707 { 708 struct l2cap_chan *chan; 709 710 list_for_each_entry(chan, &conn->chan_l, list) { 711 func(chan, data); 712 } 713 } 714 715 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, 716 void *data) 717 { 718 if (!conn) 719 return; 720 721 mutex_lock(&conn->chan_lock); 722 __l2cap_chan_list(conn, func, data); 723 mutex_unlock(&conn->chan_lock); 724 } 725 726 EXPORT_SYMBOL_GPL(l2cap_chan_list); 727 728 static void l2cap_conn_update_id_addr(struct work_struct *work) 729 { 730 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 731 id_addr_update_work); 732 struct hci_conn *hcon = conn->hcon; 733 struct l2cap_chan *chan; 734 735 mutex_lock(&conn->chan_lock); 736 737 list_for_each_entry(chan, &conn->chan_l, list) { 738 l2cap_chan_lock(chan); 739 bacpy(&chan->dst, &hcon->dst); 740 chan->dst_type = bdaddr_dst_type(hcon); 741 l2cap_chan_unlock(chan); 742 } 743 744 mutex_unlock(&conn->chan_lock); 745 } 746 747 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan) 748 { 749 struct l2cap_conn *conn = chan->conn; 750 struct l2cap_le_conn_rsp rsp; 751 u16 result; 752 753 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 754 result = L2CAP_CR_LE_AUTHORIZATION; 755 else 756 result = L2CAP_CR_LE_BAD_PSM; 757 758 l2cap_state_change(chan, BT_DISCONN); 759 760 rsp.dcid = cpu_to_le16(chan->scid); 761 rsp.mtu = cpu_to_le16(chan->imtu); 762 rsp.mps = cpu_to_le16(chan->mps); 763 rsp.credits = cpu_to_le16(chan->rx_credits); 764 rsp.result = cpu_to_le16(result); 765 766 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 767 &rsp); 768 } 769 770 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan) 771 { 772 struct l2cap_conn *conn = chan->conn; 773 struct l2cap_ecred_conn_rsp rsp; 774 u16 result; 775 776 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 777 result = L2CAP_CR_LE_AUTHORIZATION; 778 else 779 result = L2CAP_CR_LE_BAD_PSM; 780 781 l2cap_state_change(chan, BT_DISCONN); 782 783 memset(&rsp, 0, sizeof(rsp)); 784 785 rsp.result = cpu_to_le16(result); 786 787 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 788 &rsp); 789 } 790 791 static void l2cap_chan_connect_reject(struct l2cap_chan *chan) 792 { 793 struct l2cap_conn *conn = chan->conn; 794 struct l2cap_conn_rsp rsp; 795 u16 result; 796 797 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 798 result = L2CAP_CR_SEC_BLOCK; 799 else 800 result = L2CAP_CR_BAD_PSM; 801 802 l2cap_state_change(chan, BT_DISCONN); 803 804 rsp.scid = cpu_to_le16(chan->dcid); 805 rsp.dcid = cpu_to_le16(chan->scid); 806 rsp.result = cpu_to_le16(result); 807 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 808 809 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp); 810 } 811 812 void l2cap_chan_close(struct l2cap_chan *chan, int reason) 813 { 814 struct l2cap_conn *conn = chan->conn; 815 816 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 817 818 switch (chan->state) { 819 case BT_LISTEN: 820 chan->ops->teardown(chan, 0); 821 break; 822 823 case BT_CONNECTED: 824 case BT_CONFIG: 825 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) { 826 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 827 l2cap_send_disconn_req(chan, reason); 828 } else 829 l2cap_chan_del(chan, reason); 830 break; 831 832 case BT_CONNECT2: 833 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) { 834 if (conn->hcon->type == ACL_LINK) 835 l2cap_chan_connect_reject(chan); 836 else if (conn->hcon->type == LE_LINK) { 837 switch (chan->mode) { 838 case L2CAP_MODE_LE_FLOWCTL: 839 l2cap_chan_le_connect_reject(chan); 840 break; 841 case L2CAP_MODE_EXT_FLOWCTL: 842 l2cap_chan_ecred_connect_reject(chan); 843 break; 844 } 845 } 846 } 847 848 l2cap_chan_del(chan, reason); 849 break; 850 851 case BT_CONNECT: 852 case BT_DISCONN: 853 l2cap_chan_del(chan, reason); 854 break; 855 856 default: 857 chan->ops->teardown(chan, 0); 858 break; 859 } 860 } 861 EXPORT_SYMBOL(l2cap_chan_close); 862 863 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan) 864 { 865 switch (chan->chan_type) { 866 case L2CAP_CHAN_RAW: 867 switch (chan->sec_level) { 868 case BT_SECURITY_HIGH: 869 case BT_SECURITY_FIPS: 870 return HCI_AT_DEDICATED_BONDING_MITM; 871 case BT_SECURITY_MEDIUM: 872 return HCI_AT_DEDICATED_BONDING; 873 default: 874 return HCI_AT_NO_BONDING; 875 } 876 break; 877 case L2CAP_CHAN_CONN_LESS: 878 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) { 879 if (chan->sec_level == BT_SECURITY_LOW) 880 chan->sec_level = BT_SECURITY_SDP; 881 } 882 if (chan->sec_level == BT_SECURITY_HIGH || 883 chan->sec_level == BT_SECURITY_FIPS) 884 return HCI_AT_NO_BONDING_MITM; 885 else 886 return HCI_AT_NO_BONDING; 887 break; 888 case L2CAP_CHAN_CONN_ORIENTED: 889 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) { 890 if (chan->sec_level == BT_SECURITY_LOW) 891 chan->sec_level = BT_SECURITY_SDP; 892 893 if (chan->sec_level == BT_SECURITY_HIGH || 894 chan->sec_level == BT_SECURITY_FIPS) 895 return HCI_AT_NO_BONDING_MITM; 896 else 897 return HCI_AT_NO_BONDING; 898 } 899 fallthrough; 900 901 default: 902 switch (chan->sec_level) { 903 case BT_SECURITY_HIGH: 904 case BT_SECURITY_FIPS: 905 return HCI_AT_GENERAL_BONDING_MITM; 906 case BT_SECURITY_MEDIUM: 907 return HCI_AT_GENERAL_BONDING; 908 default: 909 return HCI_AT_NO_BONDING; 910 } 911 break; 912 } 913 } 914 915 /* Service level security */ 916 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator) 917 { 918 struct l2cap_conn *conn = chan->conn; 919 __u8 auth_type; 920 921 if (conn->hcon->type == LE_LINK) 922 return smp_conn_security(conn->hcon, chan->sec_level); 923 924 auth_type = l2cap_get_auth_type(chan); 925 926 return hci_conn_security(conn->hcon, chan->sec_level, auth_type, 927 initiator); 928 } 929 930 static u8 l2cap_get_ident(struct l2cap_conn *conn) 931 { 932 u8 id; 933 934 /* Get next available identificator. 935 * 1 - 128 are used by kernel. 936 * 129 - 199 are reserved. 937 * 200 - 254 are used by utilities like l2ping, etc. 938 */ 939 940 mutex_lock(&conn->ident_lock); 941 942 if (++conn->tx_ident > 128) 943 conn->tx_ident = 1; 944 945 id = conn->tx_ident; 946 947 mutex_unlock(&conn->ident_lock); 948 949 return id; 950 } 951 952 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 953 void *data) 954 { 955 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 956 u8 flags; 957 958 BT_DBG("code 0x%2.2x", code); 959 960 if (!skb) 961 return; 962 963 /* Use NO_FLUSH if supported or we have an LE link (which does 964 * not support auto-flushing packets) */ 965 if (lmp_no_flush_capable(conn->hcon->hdev) || 966 conn->hcon->type == LE_LINK) 967 flags = ACL_START_NO_FLUSH; 968 else 969 flags = ACL_START; 970 971 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON; 972 skb->priority = HCI_PRIO_MAX; 973 974 hci_send_acl(conn->hchan, skb, flags); 975 } 976 977 static bool __chan_is_moving(struct l2cap_chan *chan) 978 { 979 return chan->move_state != L2CAP_MOVE_STABLE && 980 chan->move_state != L2CAP_MOVE_WAIT_PREPARE; 981 } 982 983 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 984 { 985 struct hci_conn *hcon = chan->conn->hcon; 986 u16 flags; 987 988 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len, 989 skb->priority); 990 991 if (chan->hs_hcon && !__chan_is_moving(chan)) { 992 if (chan->hs_hchan) 993 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE); 994 else 995 kfree_skb(skb); 996 997 return; 998 } 999 1000 /* Use NO_FLUSH for LE links (where this is the only option) or 1001 * if the BR/EDR link supports it and flushing has not been 1002 * explicitly requested (through FLAG_FLUSHABLE). 1003 */ 1004 if (hcon->type == LE_LINK || 1005 (!test_bit(FLAG_FLUSHABLE, &chan->flags) && 1006 lmp_no_flush_capable(hcon->hdev))) 1007 flags = ACL_START_NO_FLUSH; 1008 else 1009 flags = ACL_START; 1010 1011 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1012 hci_send_acl(chan->conn->hchan, skb, flags); 1013 } 1014 1015 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control) 1016 { 1017 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT; 1018 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT; 1019 1020 if (enh & L2CAP_CTRL_FRAME_TYPE) { 1021 /* S-Frame */ 1022 control->sframe = 1; 1023 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT; 1024 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT; 1025 1026 control->sar = 0; 1027 control->txseq = 0; 1028 } else { 1029 /* I-Frame */ 1030 control->sframe = 0; 1031 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT; 1032 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT; 1033 1034 control->poll = 0; 1035 control->super = 0; 1036 } 1037 } 1038 1039 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control) 1040 { 1041 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT; 1042 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT; 1043 1044 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) { 1045 /* S-Frame */ 1046 control->sframe = 1; 1047 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT; 1048 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT; 1049 1050 control->sar = 0; 1051 control->txseq = 0; 1052 } else { 1053 /* I-Frame */ 1054 control->sframe = 0; 1055 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT; 1056 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT; 1057 1058 control->poll = 0; 1059 control->super = 0; 1060 } 1061 } 1062 1063 static inline void __unpack_control(struct l2cap_chan *chan, 1064 struct sk_buff *skb) 1065 { 1066 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1067 __unpack_extended_control(get_unaligned_le32(skb->data), 1068 &bt_cb(skb)->l2cap); 1069 skb_pull(skb, L2CAP_EXT_CTRL_SIZE); 1070 } else { 1071 __unpack_enhanced_control(get_unaligned_le16(skb->data), 1072 &bt_cb(skb)->l2cap); 1073 skb_pull(skb, L2CAP_ENH_CTRL_SIZE); 1074 } 1075 } 1076 1077 static u32 __pack_extended_control(struct l2cap_ctrl *control) 1078 { 1079 u32 packed; 1080 1081 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT; 1082 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT; 1083 1084 if (control->sframe) { 1085 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT; 1086 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT; 1087 packed |= L2CAP_EXT_CTRL_FRAME_TYPE; 1088 } else { 1089 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT; 1090 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT; 1091 } 1092 1093 return packed; 1094 } 1095 1096 static u16 __pack_enhanced_control(struct l2cap_ctrl *control) 1097 { 1098 u16 packed; 1099 1100 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT; 1101 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT; 1102 1103 if (control->sframe) { 1104 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT; 1105 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT; 1106 packed |= L2CAP_CTRL_FRAME_TYPE; 1107 } else { 1108 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT; 1109 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT; 1110 } 1111 1112 return packed; 1113 } 1114 1115 static inline void __pack_control(struct l2cap_chan *chan, 1116 struct l2cap_ctrl *control, 1117 struct sk_buff *skb) 1118 { 1119 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1120 put_unaligned_le32(__pack_extended_control(control), 1121 skb->data + L2CAP_HDR_SIZE); 1122 } else { 1123 put_unaligned_le16(__pack_enhanced_control(control), 1124 skb->data + L2CAP_HDR_SIZE); 1125 } 1126 } 1127 1128 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan) 1129 { 1130 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1131 return L2CAP_EXT_HDR_SIZE; 1132 else 1133 return L2CAP_ENH_HDR_SIZE; 1134 } 1135 1136 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan, 1137 u32 control) 1138 { 1139 struct sk_buff *skb; 1140 struct l2cap_hdr *lh; 1141 int hlen = __ertm_hdr_size(chan); 1142 1143 if (chan->fcs == L2CAP_FCS_CRC16) 1144 hlen += L2CAP_FCS_SIZE; 1145 1146 skb = bt_skb_alloc(hlen, GFP_KERNEL); 1147 1148 if (!skb) 1149 return ERR_PTR(-ENOMEM); 1150 1151 lh = skb_put(skb, L2CAP_HDR_SIZE); 1152 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE); 1153 lh->cid = cpu_to_le16(chan->dcid); 1154 1155 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1156 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 1157 else 1158 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 1159 1160 if (chan->fcs == L2CAP_FCS_CRC16) { 1161 u16 fcs = crc16(0, (u8 *)skb->data, skb->len); 1162 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1163 } 1164 1165 skb->priority = HCI_PRIO_MAX; 1166 return skb; 1167 } 1168 1169 static void l2cap_send_sframe(struct l2cap_chan *chan, 1170 struct l2cap_ctrl *control) 1171 { 1172 struct sk_buff *skb; 1173 u32 control_field; 1174 1175 BT_DBG("chan %p, control %p", chan, control); 1176 1177 if (!control->sframe) 1178 return; 1179 1180 if (__chan_is_moving(chan)) 1181 return; 1182 1183 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) && 1184 !control->poll) 1185 control->final = 1; 1186 1187 if (control->super == L2CAP_SUPER_RR) 1188 clear_bit(CONN_RNR_SENT, &chan->conn_state); 1189 else if (control->super == L2CAP_SUPER_RNR) 1190 set_bit(CONN_RNR_SENT, &chan->conn_state); 1191 1192 if (control->super != L2CAP_SUPER_SREJ) { 1193 chan->last_acked_seq = control->reqseq; 1194 __clear_ack_timer(chan); 1195 } 1196 1197 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq, 1198 control->final, control->poll, control->super); 1199 1200 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1201 control_field = __pack_extended_control(control); 1202 else 1203 control_field = __pack_enhanced_control(control); 1204 1205 skb = l2cap_create_sframe_pdu(chan, control_field); 1206 if (!IS_ERR(skb)) 1207 l2cap_do_send(chan, skb); 1208 } 1209 1210 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll) 1211 { 1212 struct l2cap_ctrl control; 1213 1214 BT_DBG("chan %p, poll %d", chan, poll); 1215 1216 memset(&control, 0, sizeof(control)); 1217 control.sframe = 1; 1218 control.poll = poll; 1219 1220 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 1221 control.super = L2CAP_SUPER_RNR; 1222 else 1223 control.super = L2CAP_SUPER_RR; 1224 1225 control.reqseq = chan->buffer_seq; 1226 l2cap_send_sframe(chan, &control); 1227 } 1228 1229 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 1230 { 1231 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 1232 return true; 1233 1234 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state); 1235 } 1236 1237 static bool __amp_capable(struct l2cap_chan *chan) 1238 { 1239 struct l2cap_conn *conn = chan->conn; 1240 struct hci_dev *hdev; 1241 bool amp_available = false; 1242 1243 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP)) 1244 return false; 1245 1246 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP)) 1247 return false; 1248 1249 read_lock(&hci_dev_list_lock); 1250 list_for_each_entry(hdev, &hci_dev_list, list) { 1251 if (hdev->amp_type != AMP_TYPE_BREDR && 1252 test_bit(HCI_UP, &hdev->flags)) { 1253 amp_available = true; 1254 break; 1255 } 1256 } 1257 read_unlock(&hci_dev_list_lock); 1258 1259 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED) 1260 return amp_available; 1261 1262 return false; 1263 } 1264 1265 static bool l2cap_check_efs(struct l2cap_chan *chan) 1266 { 1267 /* Check EFS parameters */ 1268 return true; 1269 } 1270 1271 void l2cap_send_conn_req(struct l2cap_chan *chan) 1272 { 1273 struct l2cap_conn *conn = chan->conn; 1274 struct l2cap_conn_req req; 1275 1276 req.scid = cpu_to_le16(chan->scid); 1277 req.psm = chan->psm; 1278 1279 chan->ident = l2cap_get_ident(conn); 1280 1281 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 1282 1283 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req); 1284 } 1285 1286 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id) 1287 { 1288 struct l2cap_create_chan_req req; 1289 req.scid = cpu_to_le16(chan->scid); 1290 req.psm = chan->psm; 1291 req.amp_id = amp_id; 1292 1293 chan->ident = l2cap_get_ident(chan->conn); 1294 1295 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ, 1296 sizeof(req), &req); 1297 } 1298 1299 static void l2cap_move_setup(struct l2cap_chan *chan) 1300 { 1301 struct sk_buff *skb; 1302 1303 BT_DBG("chan %p", chan); 1304 1305 if (chan->mode != L2CAP_MODE_ERTM) 1306 return; 1307 1308 __clear_retrans_timer(chan); 1309 __clear_monitor_timer(chan); 1310 __clear_ack_timer(chan); 1311 1312 chan->retry_count = 0; 1313 skb_queue_walk(&chan->tx_q, skb) { 1314 if (bt_cb(skb)->l2cap.retries) 1315 bt_cb(skb)->l2cap.retries = 1; 1316 else 1317 break; 1318 } 1319 1320 chan->expected_tx_seq = chan->buffer_seq; 1321 1322 clear_bit(CONN_REJ_ACT, &chan->conn_state); 1323 clear_bit(CONN_SREJ_ACT, &chan->conn_state); 1324 l2cap_seq_list_clear(&chan->retrans_list); 1325 l2cap_seq_list_clear(&chan->srej_list); 1326 skb_queue_purge(&chan->srej_q); 1327 1328 chan->tx_state = L2CAP_TX_STATE_XMIT; 1329 chan->rx_state = L2CAP_RX_STATE_MOVE; 1330 1331 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 1332 } 1333 1334 static void l2cap_move_done(struct l2cap_chan *chan) 1335 { 1336 u8 move_role = chan->move_role; 1337 BT_DBG("chan %p", chan); 1338 1339 chan->move_state = L2CAP_MOVE_STABLE; 1340 chan->move_role = L2CAP_MOVE_ROLE_NONE; 1341 1342 if (chan->mode != L2CAP_MODE_ERTM) 1343 return; 1344 1345 switch (move_role) { 1346 case L2CAP_MOVE_ROLE_INITIATOR: 1347 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL); 1348 chan->rx_state = L2CAP_RX_STATE_WAIT_F; 1349 break; 1350 case L2CAP_MOVE_ROLE_RESPONDER: 1351 chan->rx_state = L2CAP_RX_STATE_WAIT_P; 1352 break; 1353 } 1354 } 1355 1356 static void l2cap_chan_ready(struct l2cap_chan *chan) 1357 { 1358 /* The channel may have already been flagged as connected in 1359 * case of receiving data before the L2CAP info req/rsp 1360 * procedure is complete. 1361 */ 1362 if (chan->state == BT_CONNECTED) 1363 return; 1364 1365 /* This clears all conf flags, including CONF_NOT_COMPLETE */ 1366 chan->conf_state = 0; 1367 __clear_chan_timer(chan); 1368 1369 switch (chan->mode) { 1370 case L2CAP_MODE_LE_FLOWCTL: 1371 case L2CAP_MODE_EXT_FLOWCTL: 1372 if (!chan->tx_credits) 1373 chan->ops->suspend(chan); 1374 break; 1375 } 1376 1377 chan->state = BT_CONNECTED; 1378 1379 chan->ops->ready(chan); 1380 } 1381 1382 static void l2cap_le_connect(struct l2cap_chan *chan) 1383 { 1384 struct l2cap_conn *conn = chan->conn; 1385 struct l2cap_le_conn_req req; 1386 1387 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags)) 1388 return; 1389 1390 if (!chan->imtu) 1391 chan->imtu = chan->conn->mtu; 1392 1393 l2cap_le_flowctl_init(chan, 0); 1394 1395 memset(&req, 0, sizeof(req)); 1396 req.psm = chan->psm; 1397 req.scid = cpu_to_le16(chan->scid); 1398 req.mtu = cpu_to_le16(chan->imtu); 1399 req.mps = cpu_to_le16(chan->mps); 1400 req.credits = cpu_to_le16(chan->rx_credits); 1401 1402 chan->ident = l2cap_get_ident(conn); 1403 1404 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ, 1405 sizeof(req), &req); 1406 } 1407 1408 struct l2cap_ecred_conn_data { 1409 struct { 1410 struct l2cap_ecred_conn_req req; 1411 __le16 scid[5]; 1412 } __packed pdu; 1413 struct l2cap_chan *chan; 1414 struct pid *pid; 1415 int count; 1416 }; 1417 1418 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data) 1419 { 1420 struct l2cap_ecred_conn_data *conn = data; 1421 struct pid *pid; 1422 1423 if (chan == conn->chan) 1424 return; 1425 1426 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags)) 1427 return; 1428 1429 pid = chan->ops->get_peer_pid(chan); 1430 1431 /* Only add deferred channels with the same PID/PSM */ 1432 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident || 1433 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT) 1434 return; 1435 1436 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 1437 return; 1438 1439 l2cap_ecred_init(chan, 0); 1440 1441 /* Set the same ident so we can match on the rsp */ 1442 chan->ident = conn->chan->ident; 1443 1444 /* Include all channels deferred */ 1445 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid); 1446 1447 conn->count++; 1448 } 1449 1450 static void l2cap_ecred_connect(struct l2cap_chan *chan) 1451 { 1452 struct l2cap_conn *conn = chan->conn; 1453 struct l2cap_ecred_conn_data data; 1454 1455 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 1456 return; 1457 1458 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 1459 return; 1460 1461 l2cap_ecred_init(chan, 0); 1462 1463 memset(&data, 0, sizeof(data)); 1464 data.pdu.req.psm = chan->psm; 1465 data.pdu.req.mtu = cpu_to_le16(chan->imtu); 1466 data.pdu.req.mps = cpu_to_le16(chan->mps); 1467 data.pdu.req.credits = cpu_to_le16(chan->rx_credits); 1468 data.pdu.scid[0] = cpu_to_le16(chan->scid); 1469 1470 chan->ident = l2cap_get_ident(conn); 1471 1472 data.count = 1; 1473 data.chan = chan; 1474 data.pid = chan->ops->get_peer_pid(chan); 1475 1476 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data); 1477 1478 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ, 1479 sizeof(data.pdu.req) + data.count * sizeof(__le16), 1480 &data.pdu); 1481 } 1482 1483 static void l2cap_le_start(struct l2cap_chan *chan) 1484 { 1485 struct l2cap_conn *conn = chan->conn; 1486 1487 if (!smp_conn_security(conn->hcon, chan->sec_level)) 1488 return; 1489 1490 if (!chan->psm) { 1491 l2cap_chan_ready(chan); 1492 return; 1493 } 1494 1495 if (chan->state == BT_CONNECT) { 1496 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) 1497 l2cap_ecred_connect(chan); 1498 else 1499 l2cap_le_connect(chan); 1500 } 1501 } 1502 1503 static void l2cap_start_connection(struct l2cap_chan *chan) 1504 { 1505 if (__amp_capable(chan)) { 1506 BT_DBG("chan %p AMP capable: discover AMPs", chan); 1507 a2mp_discover_amp(chan); 1508 } else if (chan->conn->hcon->type == LE_LINK) { 1509 l2cap_le_start(chan); 1510 } else { 1511 l2cap_send_conn_req(chan); 1512 } 1513 } 1514 1515 static void l2cap_request_info(struct l2cap_conn *conn) 1516 { 1517 struct l2cap_info_req req; 1518 1519 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1520 return; 1521 1522 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 1523 1524 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 1525 conn->info_ident = l2cap_get_ident(conn); 1526 1527 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 1528 1529 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ, 1530 sizeof(req), &req); 1531 } 1532 1533 static bool l2cap_check_enc_key_size(struct hci_conn *hcon) 1534 { 1535 /* The minimum encryption key size needs to be enforced by the 1536 * host stack before establishing any L2CAP connections. The 1537 * specification in theory allows a minimum of 1, but to align 1538 * BR/EDR and LE transports, a minimum of 7 is chosen. 1539 * 1540 * This check might also be called for unencrypted connections 1541 * that have no key size requirements. Ensure that the link is 1542 * actually encrypted before enforcing a key size. 1543 */ 1544 int min_key_size = hcon->hdev->min_enc_key_size; 1545 1546 /* On FIPS security level, key size must be 16 bytes */ 1547 if (hcon->sec_level == BT_SECURITY_FIPS) 1548 min_key_size = 16; 1549 1550 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) || 1551 hcon->enc_key_size >= min_key_size); 1552 } 1553 1554 static void l2cap_do_start(struct l2cap_chan *chan) 1555 { 1556 struct l2cap_conn *conn = chan->conn; 1557 1558 if (conn->hcon->type == LE_LINK) { 1559 l2cap_le_start(chan); 1560 return; 1561 } 1562 1563 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) { 1564 l2cap_request_info(conn); 1565 return; 1566 } 1567 1568 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 1569 return; 1570 1571 if (!l2cap_chan_check_security(chan, true) || 1572 !__l2cap_no_conn_pending(chan)) 1573 return; 1574 1575 if (l2cap_check_enc_key_size(conn->hcon)) 1576 l2cap_start_connection(chan); 1577 else 1578 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 1579 } 1580 1581 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask) 1582 { 1583 u32 local_feat_mask = l2cap_feat_mask; 1584 if (!disable_ertm) 1585 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING; 1586 1587 switch (mode) { 1588 case L2CAP_MODE_ERTM: 1589 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask; 1590 case L2CAP_MODE_STREAMING: 1591 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask; 1592 default: 1593 return 0x00; 1594 } 1595 } 1596 1597 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err) 1598 { 1599 struct l2cap_conn *conn = chan->conn; 1600 struct l2cap_disconn_req req; 1601 1602 if (!conn) 1603 return; 1604 1605 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) { 1606 __clear_retrans_timer(chan); 1607 __clear_monitor_timer(chan); 1608 __clear_ack_timer(chan); 1609 } 1610 1611 if (chan->scid == L2CAP_CID_A2MP) { 1612 l2cap_state_change(chan, BT_DISCONN); 1613 return; 1614 } 1615 1616 req.dcid = cpu_to_le16(chan->dcid); 1617 req.scid = cpu_to_le16(chan->scid); 1618 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ, 1619 sizeof(req), &req); 1620 1621 l2cap_state_change_and_error(chan, BT_DISCONN, err); 1622 } 1623 1624 /* ---- L2CAP connections ---- */ 1625 static void l2cap_conn_start(struct l2cap_conn *conn) 1626 { 1627 struct l2cap_chan *chan, *tmp; 1628 1629 BT_DBG("conn %p", conn); 1630 1631 mutex_lock(&conn->chan_lock); 1632 1633 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 1634 l2cap_chan_lock(chan); 1635 1636 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1637 l2cap_chan_ready(chan); 1638 l2cap_chan_unlock(chan); 1639 continue; 1640 } 1641 1642 if (chan->state == BT_CONNECT) { 1643 if (!l2cap_chan_check_security(chan, true) || 1644 !__l2cap_no_conn_pending(chan)) { 1645 l2cap_chan_unlock(chan); 1646 continue; 1647 } 1648 1649 if (!l2cap_mode_supported(chan->mode, conn->feat_mask) 1650 && test_bit(CONF_STATE2_DEVICE, 1651 &chan->conf_state)) { 1652 l2cap_chan_close(chan, ECONNRESET); 1653 l2cap_chan_unlock(chan); 1654 continue; 1655 } 1656 1657 if (l2cap_check_enc_key_size(conn->hcon)) 1658 l2cap_start_connection(chan); 1659 else 1660 l2cap_chan_close(chan, ECONNREFUSED); 1661 1662 } else if (chan->state == BT_CONNECT2) { 1663 struct l2cap_conn_rsp rsp; 1664 char buf[128]; 1665 rsp.scid = cpu_to_le16(chan->dcid); 1666 rsp.dcid = cpu_to_le16(chan->scid); 1667 1668 if (l2cap_chan_check_security(chan, false)) { 1669 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 1670 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 1671 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND); 1672 chan->ops->defer(chan); 1673 1674 } else { 1675 l2cap_state_change(chan, BT_CONFIG); 1676 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 1677 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 1678 } 1679 } else { 1680 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 1681 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND); 1682 } 1683 1684 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 1685 sizeof(rsp), &rsp); 1686 1687 if (test_bit(CONF_REQ_SENT, &chan->conf_state) || 1688 rsp.result != L2CAP_CR_SUCCESS) { 1689 l2cap_chan_unlock(chan); 1690 continue; 1691 } 1692 1693 set_bit(CONF_REQ_SENT, &chan->conf_state); 1694 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 1695 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 1696 chan->num_conf_req++; 1697 } 1698 1699 l2cap_chan_unlock(chan); 1700 } 1701 1702 mutex_unlock(&conn->chan_lock); 1703 } 1704 1705 static void l2cap_le_conn_ready(struct l2cap_conn *conn) 1706 { 1707 struct hci_conn *hcon = conn->hcon; 1708 struct hci_dev *hdev = hcon->hdev; 1709 1710 BT_DBG("%s conn %p", hdev->name, conn); 1711 1712 /* For outgoing pairing which doesn't necessarily have an 1713 * associated socket (e.g. mgmt_pair_device). 1714 */ 1715 if (hcon->out) 1716 smp_conn_security(hcon, hcon->pending_sec_level); 1717 1718 /* For LE peripheral connections, make sure the connection interval 1719 * is in the range of the minimum and maximum interval that has 1720 * been configured for this connection. If not, then trigger 1721 * the connection update procedure. 1722 */ 1723 if (hcon->role == HCI_ROLE_SLAVE && 1724 (hcon->le_conn_interval < hcon->le_conn_min_interval || 1725 hcon->le_conn_interval > hcon->le_conn_max_interval)) { 1726 struct l2cap_conn_param_update_req req; 1727 1728 req.min = cpu_to_le16(hcon->le_conn_min_interval); 1729 req.max = cpu_to_le16(hcon->le_conn_max_interval); 1730 req.latency = cpu_to_le16(hcon->le_conn_latency); 1731 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout); 1732 1733 l2cap_send_cmd(conn, l2cap_get_ident(conn), 1734 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req); 1735 } 1736 } 1737 1738 static void l2cap_conn_ready(struct l2cap_conn *conn) 1739 { 1740 struct l2cap_chan *chan; 1741 struct hci_conn *hcon = conn->hcon; 1742 1743 BT_DBG("conn %p", conn); 1744 1745 if (hcon->type == ACL_LINK) 1746 l2cap_request_info(conn); 1747 1748 mutex_lock(&conn->chan_lock); 1749 1750 list_for_each_entry(chan, &conn->chan_l, list) { 1751 1752 l2cap_chan_lock(chan); 1753 1754 if (chan->scid == L2CAP_CID_A2MP) { 1755 l2cap_chan_unlock(chan); 1756 continue; 1757 } 1758 1759 if (hcon->type == LE_LINK) { 1760 l2cap_le_start(chan); 1761 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1762 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 1763 l2cap_chan_ready(chan); 1764 } else if (chan->state == BT_CONNECT) { 1765 l2cap_do_start(chan); 1766 } 1767 1768 l2cap_chan_unlock(chan); 1769 } 1770 1771 mutex_unlock(&conn->chan_lock); 1772 1773 if (hcon->type == LE_LINK) 1774 l2cap_le_conn_ready(conn); 1775 1776 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work); 1777 } 1778 1779 /* Notify sockets that we cannot guaranty reliability anymore */ 1780 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err) 1781 { 1782 struct l2cap_chan *chan; 1783 1784 BT_DBG("conn %p", conn); 1785 1786 mutex_lock(&conn->chan_lock); 1787 1788 list_for_each_entry(chan, &conn->chan_l, list) { 1789 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 1790 l2cap_chan_set_err(chan, err); 1791 } 1792 1793 mutex_unlock(&conn->chan_lock); 1794 } 1795 1796 static void l2cap_info_timeout(struct work_struct *work) 1797 { 1798 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 1799 info_timer.work); 1800 1801 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 1802 conn->info_ident = 0; 1803 1804 l2cap_conn_start(conn); 1805 } 1806 1807 /* 1808 * l2cap_user 1809 * External modules can register l2cap_user objects on l2cap_conn. The ->probe 1810 * callback is called during registration. The ->remove callback is called 1811 * during unregistration. 1812 * An l2cap_user object can either be explicitly unregistered or when the 1813 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon, 1814 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called. 1815 * External modules must own a reference to the l2cap_conn object if they intend 1816 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at 1817 * any time if they don't. 1818 */ 1819 1820 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) 1821 { 1822 struct hci_dev *hdev = conn->hcon->hdev; 1823 int ret; 1824 1825 /* We need to check whether l2cap_conn is registered. If it is not, we 1826 * must not register the l2cap_user. l2cap_conn_del() is unregisters 1827 * l2cap_conn objects, but doesn't provide its own locking. Instead, it 1828 * relies on the parent hci_conn object to be locked. This itself relies 1829 * on the hci_dev object to be locked. So we must lock the hci device 1830 * here, too. */ 1831 1832 hci_dev_lock(hdev); 1833 1834 if (!list_empty(&user->list)) { 1835 ret = -EINVAL; 1836 goto out_unlock; 1837 } 1838 1839 /* conn->hchan is NULL after l2cap_conn_del() was called */ 1840 if (!conn->hchan) { 1841 ret = -ENODEV; 1842 goto out_unlock; 1843 } 1844 1845 ret = user->probe(conn, user); 1846 if (ret) 1847 goto out_unlock; 1848 1849 list_add(&user->list, &conn->users); 1850 ret = 0; 1851 1852 out_unlock: 1853 hci_dev_unlock(hdev); 1854 return ret; 1855 } 1856 EXPORT_SYMBOL(l2cap_register_user); 1857 1858 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) 1859 { 1860 struct hci_dev *hdev = conn->hcon->hdev; 1861 1862 hci_dev_lock(hdev); 1863 1864 if (list_empty(&user->list)) 1865 goto out_unlock; 1866 1867 list_del_init(&user->list); 1868 user->remove(conn, user); 1869 1870 out_unlock: 1871 hci_dev_unlock(hdev); 1872 } 1873 EXPORT_SYMBOL(l2cap_unregister_user); 1874 1875 static void l2cap_unregister_all_users(struct l2cap_conn *conn) 1876 { 1877 struct l2cap_user *user; 1878 1879 while (!list_empty(&conn->users)) { 1880 user = list_first_entry(&conn->users, struct l2cap_user, list); 1881 list_del_init(&user->list); 1882 user->remove(conn, user); 1883 } 1884 } 1885 1886 static void l2cap_conn_del(struct hci_conn *hcon, int err) 1887 { 1888 struct l2cap_conn *conn = hcon->l2cap_data; 1889 struct l2cap_chan *chan, *l; 1890 1891 if (!conn) 1892 return; 1893 1894 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 1895 1896 kfree_skb(conn->rx_skb); 1897 1898 skb_queue_purge(&conn->pending_rx); 1899 1900 /* We can not call flush_work(&conn->pending_rx_work) here since we 1901 * might block if we are running on a worker from the same workqueue 1902 * pending_rx_work is waiting on. 1903 */ 1904 if (work_pending(&conn->pending_rx_work)) 1905 cancel_work_sync(&conn->pending_rx_work); 1906 1907 if (work_pending(&conn->id_addr_update_work)) 1908 cancel_work_sync(&conn->id_addr_update_work); 1909 1910 l2cap_unregister_all_users(conn); 1911 1912 /* Force the connection to be immediately dropped */ 1913 hcon->disc_timeout = 0; 1914 1915 mutex_lock(&conn->chan_lock); 1916 1917 /* Kill channels */ 1918 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 1919 l2cap_chan_hold(chan); 1920 l2cap_chan_lock(chan); 1921 1922 l2cap_chan_del(chan, err); 1923 1924 chan->ops->close(chan); 1925 1926 l2cap_chan_unlock(chan); 1927 l2cap_chan_put(chan); 1928 } 1929 1930 mutex_unlock(&conn->chan_lock); 1931 1932 hci_chan_del(conn->hchan); 1933 1934 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1935 cancel_delayed_work_sync(&conn->info_timer); 1936 1937 hcon->l2cap_data = NULL; 1938 conn->hchan = NULL; 1939 l2cap_conn_put(conn); 1940 } 1941 1942 static void l2cap_conn_free(struct kref *ref) 1943 { 1944 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref); 1945 1946 hci_conn_put(conn->hcon); 1947 kfree(conn); 1948 } 1949 1950 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn) 1951 { 1952 kref_get(&conn->ref); 1953 return conn; 1954 } 1955 EXPORT_SYMBOL(l2cap_conn_get); 1956 1957 void l2cap_conn_put(struct l2cap_conn *conn) 1958 { 1959 kref_put(&conn->ref, l2cap_conn_free); 1960 } 1961 EXPORT_SYMBOL(l2cap_conn_put); 1962 1963 /* ---- Socket interface ---- */ 1964 1965 /* Find socket with psm and source / destination bdaddr. 1966 * Returns closest match. 1967 */ 1968 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, 1969 bdaddr_t *src, 1970 bdaddr_t *dst, 1971 u8 link_type) 1972 { 1973 struct l2cap_chan *c, *tmp, *c1 = NULL; 1974 1975 read_lock(&chan_list_lock); 1976 1977 list_for_each_entry_safe(c, tmp, &chan_list, global_l) { 1978 if (state && c->state != state) 1979 continue; 1980 1981 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR) 1982 continue; 1983 1984 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR) 1985 continue; 1986 1987 if (c->psm == psm) { 1988 int src_match, dst_match; 1989 int src_any, dst_any; 1990 1991 /* Exact match. */ 1992 src_match = !bacmp(&c->src, src); 1993 dst_match = !bacmp(&c->dst, dst); 1994 if (src_match && dst_match) { 1995 if (!l2cap_chan_hold_unless_zero(c)) 1996 continue; 1997 1998 read_unlock(&chan_list_lock); 1999 return c; 2000 } 2001 2002 /* Closest match */ 2003 src_any = !bacmp(&c->src, BDADDR_ANY); 2004 dst_any = !bacmp(&c->dst, BDADDR_ANY); 2005 if ((src_match && dst_any) || (src_any && dst_match) || 2006 (src_any && dst_any)) 2007 c1 = c; 2008 } 2009 } 2010 2011 if (c1) 2012 c1 = l2cap_chan_hold_unless_zero(c1); 2013 2014 read_unlock(&chan_list_lock); 2015 2016 return c1; 2017 } 2018 2019 static void l2cap_monitor_timeout(struct work_struct *work) 2020 { 2021 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 2022 monitor_timer.work); 2023 2024 BT_DBG("chan %p", chan); 2025 2026 l2cap_chan_lock(chan); 2027 2028 if (!chan->conn) { 2029 l2cap_chan_unlock(chan); 2030 l2cap_chan_put(chan); 2031 return; 2032 } 2033 2034 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO); 2035 2036 l2cap_chan_unlock(chan); 2037 l2cap_chan_put(chan); 2038 } 2039 2040 static void l2cap_retrans_timeout(struct work_struct *work) 2041 { 2042 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 2043 retrans_timer.work); 2044 2045 BT_DBG("chan %p", chan); 2046 2047 l2cap_chan_lock(chan); 2048 2049 if (!chan->conn) { 2050 l2cap_chan_unlock(chan); 2051 l2cap_chan_put(chan); 2052 return; 2053 } 2054 2055 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO); 2056 l2cap_chan_unlock(chan); 2057 l2cap_chan_put(chan); 2058 } 2059 2060 static void l2cap_streaming_send(struct l2cap_chan *chan, 2061 struct sk_buff_head *skbs) 2062 { 2063 struct sk_buff *skb; 2064 struct l2cap_ctrl *control; 2065 2066 BT_DBG("chan %p, skbs %p", chan, skbs); 2067 2068 if (__chan_is_moving(chan)) 2069 return; 2070 2071 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2072 2073 while (!skb_queue_empty(&chan->tx_q)) { 2074 2075 skb = skb_dequeue(&chan->tx_q); 2076 2077 bt_cb(skb)->l2cap.retries = 1; 2078 control = &bt_cb(skb)->l2cap; 2079 2080 control->reqseq = 0; 2081 control->txseq = chan->next_tx_seq; 2082 2083 __pack_control(chan, control, skb); 2084 2085 if (chan->fcs == L2CAP_FCS_CRC16) { 2086 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 2087 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 2088 } 2089 2090 l2cap_do_send(chan, skb); 2091 2092 BT_DBG("Sent txseq %u", control->txseq); 2093 2094 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 2095 chan->frames_sent++; 2096 } 2097 } 2098 2099 static int l2cap_ertm_send(struct l2cap_chan *chan) 2100 { 2101 struct sk_buff *skb, *tx_skb; 2102 struct l2cap_ctrl *control; 2103 int sent = 0; 2104 2105 BT_DBG("chan %p", chan); 2106 2107 if (chan->state != BT_CONNECTED) 2108 return -ENOTCONN; 2109 2110 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2111 return 0; 2112 2113 if (__chan_is_moving(chan)) 2114 return 0; 2115 2116 while (chan->tx_send_head && 2117 chan->unacked_frames < chan->remote_tx_win && 2118 chan->tx_state == L2CAP_TX_STATE_XMIT) { 2119 2120 skb = chan->tx_send_head; 2121 2122 bt_cb(skb)->l2cap.retries = 1; 2123 control = &bt_cb(skb)->l2cap; 2124 2125 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 2126 control->final = 1; 2127 2128 control->reqseq = chan->buffer_seq; 2129 chan->last_acked_seq = chan->buffer_seq; 2130 control->txseq = chan->next_tx_seq; 2131 2132 __pack_control(chan, control, skb); 2133 2134 if (chan->fcs == L2CAP_FCS_CRC16) { 2135 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 2136 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 2137 } 2138 2139 /* Clone after data has been modified. Data is assumed to be 2140 read-only (for locking purposes) on cloned sk_buffs. 2141 */ 2142 tx_skb = skb_clone(skb, GFP_KERNEL); 2143 2144 if (!tx_skb) 2145 break; 2146 2147 __set_retrans_timer(chan); 2148 2149 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 2150 chan->unacked_frames++; 2151 chan->frames_sent++; 2152 sent++; 2153 2154 if (skb_queue_is_last(&chan->tx_q, skb)) 2155 chan->tx_send_head = NULL; 2156 else 2157 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb); 2158 2159 l2cap_do_send(chan, tx_skb); 2160 BT_DBG("Sent txseq %u", control->txseq); 2161 } 2162 2163 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent, 2164 chan->unacked_frames, skb_queue_len(&chan->tx_q)); 2165 2166 return sent; 2167 } 2168 2169 static void l2cap_ertm_resend(struct l2cap_chan *chan) 2170 { 2171 struct l2cap_ctrl control; 2172 struct sk_buff *skb; 2173 struct sk_buff *tx_skb; 2174 u16 seq; 2175 2176 BT_DBG("chan %p", chan); 2177 2178 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2179 return; 2180 2181 if (__chan_is_moving(chan)) 2182 return; 2183 2184 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) { 2185 seq = l2cap_seq_list_pop(&chan->retrans_list); 2186 2187 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq); 2188 if (!skb) { 2189 BT_DBG("Error: Can't retransmit seq %d, frame missing", 2190 seq); 2191 continue; 2192 } 2193 2194 bt_cb(skb)->l2cap.retries++; 2195 control = bt_cb(skb)->l2cap; 2196 2197 if (chan->max_tx != 0 && 2198 bt_cb(skb)->l2cap.retries > chan->max_tx) { 2199 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 2200 l2cap_send_disconn_req(chan, ECONNRESET); 2201 l2cap_seq_list_clear(&chan->retrans_list); 2202 break; 2203 } 2204 2205 control.reqseq = chan->buffer_seq; 2206 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 2207 control.final = 1; 2208 else 2209 control.final = 0; 2210 2211 if (skb_cloned(skb)) { 2212 /* Cloned sk_buffs are read-only, so we need a 2213 * writeable copy 2214 */ 2215 tx_skb = skb_copy(skb, GFP_KERNEL); 2216 } else { 2217 tx_skb = skb_clone(skb, GFP_KERNEL); 2218 } 2219 2220 if (!tx_skb) { 2221 l2cap_seq_list_clear(&chan->retrans_list); 2222 break; 2223 } 2224 2225 /* Update skb contents */ 2226 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 2227 put_unaligned_le32(__pack_extended_control(&control), 2228 tx_skb->data + L2CAP_HDR_SIZE); 2229 } else { 2230 put_unaligned_le16(__pack_enhanced_control(&control), 2231 tx_skb->data + L2CAP_HDR_SIZE); 2232 } 2233 2234 /* Update FCS */ 2235 if (chan->fcs == L2CAP_FCS_CRC16) { 2236 u16 fcs = crc16(0, (u8 *) tx_skb->data, 2237 tx_skb->len - L2CAP_FCS_SIZE); 2238 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) - 2239 L2CAP_FCS_SIZE); 2240 } 2241 2242 l2cap_do_send(chan, tx_skb); 2243 2244 BT_DBG("Resent txseq %d", control.txseq); 2245 2246 chan->last_acked_seq = chan->buffer_seq; 2247 } 2248 } 2249 2250 static void l2cap_retransmit(struct l2cap_chan *chan, 2251 struct l2cap_ctrl *control) 2252 { 2253 BT_DBG("chan %p, control %p", chan, control); 2254 2255 l2cap_seq_list_append(&chan->retrans_list, control->reqseq); 2256 l2cap_ertm_resend(chan); 2257 } 2258 2259 static void l2cap_retransmit_all(struct l2cap_chan *chan, 2260 struct l2cap_ctrl *control) 2261 { 2262 struct sk_buff *skb; 2263 2264 BT_DBG("chan %p, control %p", chan, control); 2265 2266 if (control->poll) 2267 set_bit(CONN_SEND_FBIT, &chan->conn_state); 2268 2269 l2cap_seq_list_clear(&chan->retrans_list); 2270 2271 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2272 return; 2273 2274 if (chan->unacked_frames) { 2275 skb_queue_walk(&chan->tx_q, skb) { 2276 if (bt_cb(skb)->l2cap.txseq == control->reqseq || 2277 skb == chan->tx_send_head) 2278 break; 2279 } 2280 2281 skb_queue_walk_from(&chan->tx_q, skb) { 2282 if (skb == chan->tx_send_head) 2283 break; 2284 2285 l2cap_seq_list_append(&chan->retrans_list, 2286 bt_cb(skb)->l2cap.txseq); 2287 } 2288 2289 l2cap_ertm_resend(chan); 2290 } 2291 } 2292 2293 static void l2cap_send_ack(struct l2cap_chan *chan) 2294 { 2295 struct l2cap_ctrl control; 2296 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 2297 chan->last_acked_seq); 2298 int threshold; 2299 2300 BT_DBG("chan %p last_acked_seq %d buffer_seq %d", 2301 chan, chan->last_acked_seq, chan->buffer_seq); 2302 2303 memset(&control, 0, sizeof(control)); 2304 control.sframe = 1; 2305 2306 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 2307 chan->rx_state == L2CAP_RX_STATE_RECV) { 2308 __clear_ack_timer(chan); 2309 control.super = L2CAP_SUPER_RNR; 2310 control.reqseq = chan->buffer_seq; 2311 l2cap_send_sframe(chan, &control); 2312 } else { 2313 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) { 2314 l2cap_ertm_send(chan); 2315 /* If any i-frames were sent, they included an ack */ 2316 if (chan->buffer_seq == chan->last_acked_seq) 2317 frames_to_ack = 0; 2318 } 2319 2320 /* Ack now if the window is 3/4ths full. 2321 * Calculate without mul or div 2322 */ 2323 threshold = chan->ack_win; 2324 threshold += threshold << 1; 2325 threshold >>= 2; 2326 2327 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack, 2328 threshold); 2329 2330 if (frames_to_ack >= threshold) { 2331 __clear_ack_timer(chan); 2332 control.super = L2CAP_SUPER_RR; 2333 control.reqseq = chan->buffer_seq; 2334 l2cap_send_sframe(chan, &control); 2335 frames_to_ack = 0; 2336 } 2337 2338 if (frames_to_ack) 2339 __set_ack_timer(chan); 2340 } 2341 } 2342 2343 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, 2344 struct msghdr *msg, int len, 2345 int count, struct sk_buff *skb) 2346 { 2347 struct l2cap_conn *conn = chan->conn; 2348 struct sk_buff **frag; 2349 int sent = 0; 2350 2351 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter)) 2352 return -EFAULT; 2353 2354 sent += count; 2355 len -= count; 2356 2357 /* Continuation fragments (no L2CAP header) */ 2358 frag = &skb_shinfo(skb)->frag_list; 2359 while (len) { 2360 struct sk_buff *tmp; 2361 2362 count = min_t(unsigned int, conn->mtu, len); 2363 2364 tmp = chan->ops->alloc_skb(chan, 0, count, 2365 msg->msg_flags & MSG_DONTWAIT); 2366 if (IS_ERR(tmp)) 2367 return PTR_ERR(tmp); 2368 2369 *frag = tmp; 2370 2371 if (!copy_from_iter_full(skb_put(*frag, count), count, 2372 &msg->msg_iter)) 2373 return -EFAULT; 2374 2375 sent += count; 2376 len -= count; 2377 2378 skb->len += (*frag)->len; 2379 skb->data_len += (*frag)->len; 2380 2381 frag = &(*frag)->next; 2382 } 2383 2384 return sent; 2385 } 2386 2387 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, 2388 struct msghdr *msg, size_t len) 2389 { 2390 struct l2cap_conn *conn = chan->conn; 2391 struct sk_buff *skb; 2392 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE; 2393 struct l2cap_hdr *lh; 2394 2395 BT_DBG("chan %p psm 0x%2.2x len %zu", chan, 2396 __le16_to_cpu(chan->psm), len); 2397 2398 count = min_t(unsigned int, (conn->mtu - hlen), len); 2399 2400 skb = chan->ops->alloc_skb(chan, hlen, count, 2401 msg->msg_flags & MSG_DONTWAIT); 2402 if (IS_ERR(skb)) 2403 return skb; 2404 2405 /* Create L2CAP header */ 2406 lh = skb_put(skb, L2CAP_HDR_SIZE); 2407 lh->cid = cpu_to_le16(chan->dcid); 2408 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE); 2409 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE)); 2410 2411 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2412 if (unlikely(err < 0)) { 2413 kfree_skb(skb); 2414 return ERR_PTR(err); 2415 } 2416 return skb; 2417 } 2418 2419 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, 2420 struct msghdr *msg, size_t len) 2421 { 2422 struct l2cap_conn *conn = chan->conn; 2423 struct sk_buff *skb; 2424 int err, count; 2425 struct l2cap_hdr *lh; 2426 2427 BT_DBG("chan %p len %zu", chan, len); 2428 2429 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len); 2430 2431 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count, 2432 msg->msg_flags & MSG_DONTWAIT); 2433 if (IS_ERR(skb)) 2434 return skb; 2435 2436 /* Create L2CAP header */ 2437 lh = skb_put(skb, L2CAP_HDR_SIZE); 2438 lh->cid = cpu_to_le16(chan->dcid); 2439 lh->len = cpu_to_le16(len); 2440 2441 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2442 if (unlikely(err < 0)) { 2443 kfree_skb(skb); 2444 return ERR_PTR(err); 2445 } 2446 return skb; 2447 } 2448 2449 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, 2450 struct msghdr *msg, size_t len, 2451 u16 sdulen) 2452 { 2453 struct l2cap_conn *conn = chan->conn; 2454 struct sk_buff *skb; 2455 int err, count, hlen; 2456 struct l2cap_hdr *lh; 2457 2458 BT_DBG("chan %p len %zu", chan, len); 2459 2460 if (!conn) 2461 return ERR_PTR(-ENOTCONN); 2462 2463 hlen = __ertm_hdr_size(chan); 2464 2465 if (sdulen) 2466 hlen += L2CAP_SDULEN_SIZE; 2467 2468 if (chan->fcs == L2CAP_FCS_CRC16) 2469 hlen += L2CAP_FCS_SIZE; 2470 2471 count = min_t(unsigned int, (conn->mtu - hlen), len); 2472 2473 skb = chan->ops->alloc_skb(chan, hlen, count, 2474 msg->msg_flags & MSG_DONTWAIT); 2475 if (IS_ERR(skb)) 2476 return skb; 2477 2478 /* Create L2CAP header */ 2479 lh = skb_put(skb, L2CAP_HDR_SIZE); 2480 lh->cid = cpu_to_le16(chan->dcid); 2481 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2482 2483 /* Control header is populated later */ 2484 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 2485 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 2486 else 2487 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 2488 2489 if (sdulen) 2490 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2491 2492 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2493 if (unlikely(err < 0)) { 2494 kfree_skb(skb); 2495 return ERR_PTR(err); 2496 } 2497 2498 bt_cb(skb)->l2cap.fcs = chan->fcs; 2499 bt_cb(skb)->l2cap.retries = 0; 2500 return skb; 2501 } 2502 2503 static int l2cap_segment_sdu(struct l2cap_chan *chan, 2504 struct sk_buff_head *seg_queue, 2505 struct msghdr *msg, size_t len) 2506 { 2507 struct sk_buff *skb; 2508 u16 sdu_len; 2509 size_t pdu_len; 2510 u8 sar; 2511 2512 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2513 2514 /* It is critical that ERTM PDUs fit in a single HCI fragment, 2515 * so fragmented skbs are not used. The HCI layer's handling 2516 * of fragmented skbs is not compatible with ERTM's queueing. 2517 */ 2518 2519 /* PDU size is derived from the HCI MTU */ 2520 pdu_len = chan->conn->mtu; 2521 2522 /* Constrain PDU size for BR/EDR connections */ 2523 if (!chan->hs_hcon) 2524 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD); 2525 2526 /* Adjust for largest possible L2CAP overhead. */ 2527 if (chan->fcs) 2528 pdu_len -= L2CAP_FCS_SIZE; 2529 2530 pdu_len -= __ertm_hdr_size(chan); 2531 2532 /* Remote device may have requested smaller PDUs */ 2533 pdu_len = min_t(size_t, pdu_len, chan->remote_mps); 2534 2535 if (len <= pdu_len) { 2536 sar = L2CAP_SAR_UNSEGMENTED; 2537 sdu_len = 0; 2538 pdu_len = len; 2539 } else { 2540 sar = L2CAP_SAR_START; 2541 sdu_len = len; 2542 } 2543 2544 while (len > 0) { 2545 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len); 2546 2547 if (IS_ERR(skb)) { 2548 __skb_queue_purge(seg_queue); 2549 return PTR_ERR(skb); 2550 } 2551 2552 bt_cb(skb)->l2cap.sar = sar; 2553 __skb_queue_tail(seg_queue, skb); 2554 2555 len -= pdu_len; 2556 if (sdu_len) 2557 sdu_len = 0; 2558 2559 if (len <= pdu_len) { 2560 sar = L2CAP_SAR_END; 2561 pdu_len = len; 2562 } else { 2563 sar = L2CAP_SAR_CONTINUE; 2564 } 2565 } 2566 2567 return 0; 2568 } 2569 2570 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan, 2571 struct msghdr *msg, 2572 size_t len, u16 sdulen) 2573 { 2574 struct l2cap_conn *conn = chan->conn; 2575 struct sk_buff *skb; 2576 int err, count, hlen; 2577 struct l2cap_hdr *lh; 2578 2579 BT_DBG("chan %p len %zu", chan, len); 2580 2581 if (!conn) 2582 return ERR_PTR(-ENOTCONN); 2583 2584 hlen = L2CAP_HDR_SIZE; 2585 2586 if (sdulen) 2587 hlen += L2CAP_SDULEN_SIZE; 2588 2589 count = min_t(unsigned int, (conn->mtu - hlen), len); 2590 2591 skb = chan->ops->alloc_skb(chan, hlen, count, 2592 msg->msg_flags & MSG_DONTWAIT); 2593 if (IS_ERR(skb)) 2594 return skb; 2595 2596 /* Create L2CAP header */ 2597 lh = skb_put(skb, L2CAP_HDR_SIZE); 2598 lh->cid = cpu_to_le16(chan->dcid); 2599 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2600 2601 if (sdulen) 2602 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2603 2604 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2605 if (unlikely(err < 0)) { 2606 kfree_skb(skb); 2607 return ERR_PTR(err); 2608 } 2609 2610 return skb; 2611 } 2612 2613 static int l2cap_segment_le_sdu(struct l2cap_chan *chan, 2614 struct sk_buff_head *seg_queue, 2615 struct msghdr *msg, size_t len) 2616 { 2617 struct sk_buff *skb; 2618 size_t pdu_len; 2619 u16 sdu_len; 2620 2621 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2622 2623 sdu_len = len; 2624 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE; 2625 2626 while (len > 0) { 2627 if (len <= pdu_len) 2628 pdu_len = len; 2629 2630 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len); 2631 if (IS_ERR(skb)) { 2632 __skb_queue_purge(seg_queue); 2633 return PTR_ERR(skb); 2634 } 2635 2636 __skb_queue_tail(seg_queue, skb); 2637 2638 len -= pdu_len; 2639 2640 if (sdu_len) { 2641 sdu_len = 0; 2642 pdu_len += L2CAP_SDULEN_SIZE; 2643 } 2644 } 2645 2646 return 0; 2647 } 2648 2649 static void l2cap_le_flowctl_send(struct l2cap_chan *chan) 2650 { 2651 int sent = 0; 2652 2653 BT_DBG("chan %p", chan); 2654 2655 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) { 2656 l2cap_do_send(chan, skb_dequeue(&chan->tx_q)); 2657 chan->tx_credits--; 2658 sent++; 2659 } 2660 2661 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits, 2662 skb_queue_len(&chan->tx_q)); 2663 } 2664 2665 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) 2666 { 2667 struct sk_buff *skb; 2668 int err; 2669 struct sk_buff_head seg_queue; 2670 2671 if (!chan->conn) 2672 return -ENOTCONN; 2673 2674 /* Connectionless channel */ 2675 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) { 2676 skb = l2cap_create_connless_pdu(chan, msg, len); 2677 if (IS_ERR(skb)) 2678 return PTR_ERR(skb); 2679 2680 /* Channel lock is released before requesting new skb and then 2681 * reacquired thus we need to recheck channel state. 2682 */ 2683 if (chan->state != BT_CONNECTED) { 2684 kfree_skb(skb); 2685 return -ENOTCONN; 2686 } 2687 2688 l2cap_do_send(chan, skb); 2689 return len; 2690 } 2691 2692 switch (chan->mode) { 2693 case L2CAP_MODE_LE_FLOWCTL: 2694 case L2CAP_MODE_EXT_FLOWCTL: 2695 /* Check outgoing MTU */ 2696 if (len > chan->omtu) 2697 return -EMSGSIZE; 2698 2699 __skb_queue_head_init(&seg_queue); 2700 2701 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len); 2702 2703 if (chan->state != BT_CONNECTED) { 2704 __skb_queue_purge(&seg_queue); 2705 err = -ENOTCONN; 2706 } 2707 2708 if (err) 2709 return err; 2710 2711 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q); 2712 2713 l2cap_le_flowctl_send(chan); 2714 2715 if (!chan->tx_credits) 2716 chan->ops->suspend(chan); 2717 2718 err = len; 2719 2720 break; 2721 2722 case L2CAP_MODE_BASIC: 2723 /* Check outgoing MTU */ 2724 if (len > chan->omtu) 2725 return -EMSGSIZE; 2726 2727 /* Create a basic PDU */ 2728 skb = l2cap_create_basic_pdu(chan, msg, len); 2729 if (IS_ERR(skb)) 2730 return PTR_ERR(skb); 2731 2732 /* Channel lock is released before requesting new skb and then 2733 * reacquired thus we need to recheck channel state. 2734 */ 2735 if (chan->state != BT_CONNECTED) { 2736 kfree_skb(skb); 2737 return -ENOTCONN; 2738 } 2739 2740 l2cap_do_send(chan, skb); 2741 err = len; 2742 break; 2743 2744 case L2CAP_MODE_ERTM: 2745 case L2CAP_MODE_STREAMING: 2746 /* Check outgoing MTU */ 2747 if (len > chan->omtu) { 2748 err = -EMSGSIZE; 2749 break; 2750 } 2751 2752 __skb_queue_head_init(&seg_queue); 2753 2754 /* Do segmentation before calling in to the state machine, 2755 * since it's possible to block while waiting for memory 2756 * allocation. 2757 */ 2758 err = l2cap_segment_sdu(chan, &seg_queue, msg, len); 2759 2760 /* The channel could have been closed while segmenting, 2761 * check that it is still connected. 2762 */ 2763 if (chan->state != BT_CONNECTED) { 2764 __skb_queue_purge(&seg_queue); 2765 err = -ENOTCONN; 2766 } 2767 2768 if (err) 2769 break; 2770 2771 if (chan->mode == L2CAP_MODE_ERTM) 2772 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST); 2773 else 2774 l2cap_streaming_send(chan, &seg_queue); 2775 2776 err = len; 2777 2778 /* If the skbs were not queued for sending, they'll still be in 2779 * seg_queue and need to be purged. 2780 */ 2781 __skb_queue_purge(&seg_queue); 2782 break; 2783 2784 default: 2785 BT_DBG("bad state %1.1x", chan->mode); 2786 err = -EBADFD; 2787 } 2788 2789 return err; 2790 } 2791 EXPORT_SYMBOL_GPL(l2cap_chan_send); 2792 2793 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq) 2794 { 2795 struct l2cap_ctrl control; 2796 u16 seq; 2797 2798 BT_DBG("chan %p, txseq %u", chan, txseq); 2799 2800 memset(&control, 0, sizeof(control)); 2801 control.sframe = 1; 2802 control.super = L2CAP_SUPER_SREJ; 2803 2804 for (seq = chan->expected_tx_seq; seq != txseq; 2805 seq = __next_seq(chan, seq)) { 2806 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) { 2807 control.reqseq = seq; 2808 l2cap_send_sframe(chan, &control); 2809 l2cap_seq_list_append(&chan->srej_list, seq); 2810 } 2811 } 2812 2813 chan->expected_tx_seq = __next_seq(chan, txseq); 2814 } 2815 2816 static void l2cap_send_srej_tail(struct l2cap_chan *chan) 2817 { 2818 struct l2cap_ctrl control; 2819 2820 BT_DBG("chan %p", chan); 2821 2822 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR) 2823 return; 2824 2825 memset(&control, 0, sizeof(control)); 2826 control.sframe = 1; 2827 control.super = L2CAP_SUPER_SREJ; 2828 control.reqseq = chan->srej_list.tail; 2829 l2cap_send_sframe(chan, &control); 2830 } 2831 2832 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq) 2833 { 2834 struct l2cap_ctrl control; 2835 u16 initial_head; 2836 u16 seq; 2837 2838 BT_DBG("chan %p, txseq %u", chan, txseq); 2839 2840 memset(&control, 0, sizeof(control)); 2841 control.sframe = 1; 2842 control.super = L2CAP_SUPER_SREJ; 2843 2844 /* Capture initial list head to allow only one pass through the list. */ 2845 initial_head = chan->srej_list.head; 2846 2847 do { 2848 seq = l2cap_seq_list_pop(&chan->srej_list); 2849 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR) 2850 break; 2851 2852 control.reqseq = seq; 2853 l2cap_send_sframe(chan, &control); 2854 l2cap_seq_list_append(&chan->srej_list, seq); 2855 } while (chan->srej_list.head != initial_head); 2856 } 2857 2858 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq) 2859 { 2860 struct sk_buff *acked_skb; 2861 u16 ackseq; 2862 2863 BT_DBG("chan %p, reqseq %u", chan, reqseq); 2864 2865 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq) 2866 return; 2867 2868 BT_DBG("expected_ack_seq %u, unacked_frames %u", 2869 chan->expected_ack_seq, chan->unacked_frames); 2870 2871 for (ackseq = chan->expected_ack_seq; ackseq != reqseq; 2872 ackseq = __next_seq(chan, ackseq)) { 2873 2874 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq); 2875 if (acked_skb) { 2876 skb_unlink(acked_skb, &chan->tx_q); 2877 kfree_skb(acked_skb); 2878 chan->unacked_frames--; 2879 } 2880 } 2881 2882 chan->expected_ack_seq = reqseq; 2883 2884 if (chan->unacked_frames == 0) 2885 __clear_retrans_timer(chan); 2886 2887 BT_DBG("unacked_frames %u", chan->unacked_frames); 2888 } 2889 2890 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan) 2891 { 2892 BT_DBG("chan %p", chan); 2893 2894 chan->expected_tx_seq = chan->buffer_seq; 2895 l2cap_seq_list_clear(&chan->srej_list); 2896 skb_queue_purge(&chan->srej_q); 2897 chan->rx_state = L2CAP_RX_STATE_RECV; 2898 } 2899 2900 static void l2cap_tx_state_xmit(struct l2cap_chan *chan, 2901 struct l2cap_ctrl *control, 2902 struct sk_buff_head *skbs, u8 event) 2903 { 2904 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2905 event); 2906 2907 switch (event) { 2908 case L2CAP_EV_DATA_REQUEST: 2909 if (chan->tx_send_head == NULL) 2910 chan->tx_send_head = skb_peek(skbs); 2911 2912 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2913 l2cap_ertm_send(chan); 2914 break; 2915 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2916 BT_DBG("Enter LOCAL_BUSY"); 2917 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2918 2919 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2920 /* The SREJ_SENT state must be aborted if we are to 2921 * enter the LOCAL_BUSY state. 2922 */ 2923 l2cap_abort_rx_srej_sent(chan); 2924 } 2925 2926 l2cap_send_ack(chan); 2927 2928 break; 2929 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2930 BT_DBG("Exit LOCAL_BUSY"); 2931 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2932 2933 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2934 struct l2cap_ctrl local_control; 2935 2936 memset(&local_control, 0, sizeof(local_control)); 2937 local_control.sframe = 1; 2938 local_control.super = L2CAP_SUPER_RR; 2939 local_control.poll = 1; 2940 local_control.reqseq = chan->buffer_seq; 2941 l2cap_send_sframe(chan, &local_control); 2942 2943 chan->retry_count = 1; 2944 __set_monitor_timer(chan); 2945 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2946 } 2947 break; 2948 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2949 l2cap_process_reqseq(chan, control->reqseq); 2950 break; 2951 case L2CAP_EV_EXPLICIT_POLL: 2952 l2cap_send_rr_or_rnr(chan, 1); 2953 chan->retry_count = 1; 2954 __set_monitor_timer(chan); 2955 __clear_ack_timer(chan); 2956 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2957 break; 2958 case L2CAP_EV_RETRANS_TO: 2959 l2cap_send_rr_or_rnr(chan, 1); 2960 chan->retry_count = 1; 2961 __set_monitor_timer(chan); 2962 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2963 break; 2964 case L2CAP_EV_RECV_FBIT: 2965 /* Nothing to process */ 2966 break; 2967 default: 2968 break; 2969 } 2970 } 2971 2972 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan, 2973 struct l2cap_ctrl *control, 2974 struct sk_buff_head *skbs, u8 event) 2975 { 2976 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2977 event); 2978 2979 switch (event) { 2980 case L2CAP_EV_DATA_REQUEST: 2981 if (chan->tx_send_head == NULL) 2982 chan->tx_send_head = skb_peek(skbs); 2983 /* Queue data, but don't send. */ 2984 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2985 break; 2986 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2987 BT_DBG("Enter LOCAL_BUSY"); 2988 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2989 2990 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2991 /* The SREJ_SENT state must be aborted if we are to 2992 * enter the LOCAL_BUSY state. 2993 */ 2994 l2cap_abort_rx_srej_sent(chan); 2995 } 2996 2997 l2cap_send_ack(chan); 2998 2999 break; 3000 case L2CAP_EV_LOCAL_BUSY_CLEAR: 3001 BT_DBG("Exit LOCAL_BUSY"); 3002 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 3003 3004 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 3005 struct l2cap_ctrl local_control; 3006 memset(&local_control, 0, sizeof(local_control)); 3007 local_control.sframe = 1; 3008 local_control.super = L2CAP_SUPER_RR; 3009 local_control.poll = 1; 3010 local_control.reqseq = chan->buffer_seq; 3011 l2cap_send_sframe(chan, &local_control); 3012 3013 chan->retry_count = 1; 3014 __set_monitor_timer(chan); 3015 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 3016 } 3017 break; 3018 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 3019 l2cap_process_reqseq(chan, control->reqseq); 3020 fallthrough; 3021 3022 case L2CAP_EV_RECV_FBIT: 3023 if (control && control->final) { 3024 __clear_monitor_timer(chan); 3025 if (chan->unacked_frames > 0) 3026 __set_retrans_timer(chan); 3027 chan->retry_count = 0; 3028 chan->tx_state = L2CAP_TX_STATE_XMIT; 3029 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state); 3030 } 3031 break; 3032 case L2CAP_EV_EXPLICIT_POLL: 3033 /* Ignore */ 3034 break; 3035 case L2CAP_EV_MONITOR_TO: 3036 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) { 3037 l2cap_send_rr_or_rnr(chan, 1); 3038 __set_monitor_timer(chan); 3039 chan->retry_count++; 3040 } else { 3041 l2cap_send_disconn_req(chan, ECONNABORTED); 3042 } 3043 break; 3044 default: 3045 break; 3046 } 3047 } 3048 3049 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 3050 struct sk_buff_head *skbs, u8 event) 3051 { 3052 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d", 3053 chan, control, skbs, event, chan->tx_state); 3054 3055 switch (chan->tx_state) { 3056 case L2CAP_TX_STATE_XMIT: 3057 l2cap_tx_state_xmit(chan, control, skbs, event); 3058 break; 3059 case L2CAP_TX_STATE_WAIT_F: 3060 l2cap_tx_state_wait_f(chan, control, skbs, event); 3061 break; 3062 default: 3063 /* Ignore event */ 3064 break; 3065 } 3066 } 3067 3068 static void l2cap_pass_to_tx(struct l2cap_chan *chan, 3069 struct l2cap_ctrl *control) 3070 { 3071 BT_DBG("chan %p, control %p", chan, control); 3072 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT); 3073 } 3074 3075 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan, 3076 struct l2cap_ctrl *control) 3077 { 3078 BT_DBG("chan %p, control %p", chan, control); 3079 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT); 3080 } 3081 3082 /* Copy frame to all raw sockets on that connection */ 3083 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb) 3084 { 3085 struct sk_buff *nskb; 3086 struct l2cap_chan *chan; 3087 3088 BT_DBG("conn %p", conn); 3089 3090 mutex_lock(&conn->chan_lock); 3091 3092 list_for_each_entry(chan, &conn->chan_l, list) { 3093 if (chan->chan_type != L2CAP_CHAN_RAW) 3094 continue; 3095 3096 /* Don't send frame to the channel it came from */ 3097 if (bt_cb(skb)->l2cap.chan == chan) 3098 continue; 3099 3100 nskb = skb_clone(skb, GFP_KERNEL); 3101 if (!nskb) 3102 continue; 3103 if (chan->ops->recv(chan, nskb)) 3104 kfree_skb(nskb); 3105 } 3106 3107 mutex_unlock(&conn->chan_lock); 3108 } 3109 3110 /* ---- L2CAP signalling commands ---- */ 3111 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code, 3112 u8 ident, u16 dlen, void *data) 3113 { 3114 struct sk_buff *skb, **frag; 3115 struct l2cap_cmd_hdr *cmd; 3116 struct l2cap_hdr *lh; 3117 int len, count; 3118 3119 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", 3120 conn, code, ident, dlen); 3121 3122 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) 3123 return NULL; 3124 3125 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; 3126 count = min_t(unsigned int, conn->mtu, len); 3127 3128 skb = bt_skb_alloc(count, GFP_KERNEL); 3129 if (!skb) 3130 return NULL; 3131 3132 lh = skb_put(skb, L2CAP_HDR_SIZE); 3133 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen); 3134 3135 if (conn->hcon->type == LE_LINK) 3136 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING); 3137 else 3138 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING); 3139 3140 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE); 3141 cmd->code = code; 3142 cmd->ident = ident; 3143 cmd->len = cpu_to_le16(dlen); 3144 3145 if (dlen) { 3146 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE; 3147 skb_put_data(skb, data, count); 3148 data += count; 3149 } 3150 3151 len -= skb->len; 3152 3153 /* Continuation fragments (no L2CAP header) */ 3154 frag = &skb_shinfo(skb)->frag_list; 3155 while (len) { 3156 count = min_t(unsigned int, conn->mtu, len); 3157 3158 *frag = bt_skb_alloc(count, GFP_KERNEL); 3159 if (!*frag) 3160 goto fail; 3161 3162 skb_put_data(*frag, data, count); 3163 3164 len -= count; 3165 data += count; 3166 3167 frag = &(*frag)->next; 3168 } 3169 3170 return skb; 3171 3172 fail: 3173 kfree_skb(skb); 3174 return NULL; 3175 } 3176 3177 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, 3178 unsigned long *val) 3179 { 3180 struct l2cap_conf_opt *opt = *ptr; 3181 int len; 3182 3183 len = L2CAP_CONF_OPT_SIZE + opt->len; 3184 *ptr += len; 3185 3186 *type = opt->type; 3187 *olen = opt->len; 3188 3189 switch (opt->len) { 3190 case 1: 3191 *val = *((u8 *) opt->val); 3192 break; 3193 3194 case 2: 3195 *val = get_unaligned_le16(opt->val); 3196 break; 3197 3198 case 4: 3199 *val = get_unaligned_le32(opt->val); 3200 break; 3201 3202 default: 3203 *val = (unsigned long) opt->val; 3204 break; 3205 } 3206 3207 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val); 3208 return len; 3209 } 3210 3211 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size) 3212 { 3213 struct l2cap_conf_opt *opt = *ptr; 3214 3215 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val); 3216 3217 if (size < L2CAP_CONF_OPT_SIZE + len) 3218 return; 3219 3220 opt->type = type; 3221 opt->len = len; 3222 3223 switch (len) { 3224 case 1: 3225 *((u8 *) opt->val) = val; 3226 break; 3227 3228 case 2: 3229 put_unaligned_le16(val, opt->val); 3230 break; 3231 3232 case 4: 3233 put_unaligned_le32(val, opt->val); 3234 break; 3235 3236 default: 3237 memcpy(opt->val, (void *) val, len); 3238 break; 3239 } 3240 3241 *ptr += L2CAP_CONF_OPT_SIZE + len; 3242 } 3243 3244 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size) 3245 { 3246 struct l2cap_conf_efs efs; 3247 3248 switch (chan->mode) { 3249 case L2CAP_MODE_ERTM: 3250 efs.id = chan->local_id; 3251 efs.stype = chan->local_stype; 3252 efs.msdu = cpu_to_le16(chan->local_msdu); 3253 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 3254 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT); 3255 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO); 3256 break; 3257 3258 case L2CAP_MODE_STREAMING: 3259 efs.id = 1; 3260 efs.stype = L2CAP_SERV_BESTEFFORT; 3261 efs.msdu = cpu_to_le16(chan->local_msdu); 3262 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 3263 efs.acc_lat = 0; 3264 efs.flush_to = 0; 3265 break; 3266 3267 default: 3268 return; 3269 } 3270 3271 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs), 3272 (unsigned long) &efs, size); 3273 } 3274 3275 static void l2cap_ack_timeout(struct work_struct *work) 3276 { 3277 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 3278 ack_timer.work); 3279 u16 frames_to_ack; 3280 3281 BT_DBG("chan %p", chan); 3282 3283 l2cap_chan_lock(chan); 3284 3285 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 3286 chan->last_acked_seq); 3287 3288 if (frames_to_ack) 3289 l2cap_send_rr_or_rnr(chan, 0); 3290 3291 l2cap_chan_unlock(chan); 3292 l2cap_chan_put(chan); 3293 } 3294 3295 int l2cap_ertm_init(struct l2cap_chan *chan) 3296 { 3297 int err; 3298 3299 chan->next_tx_seq = 0; 3300 chan->expected_tx_seq = 0; 3301 chan->expected_ack_seq = 0; 3302 chan->unacked_frames = 0; 3303 chan->buffer_seq = 0; 3304 chan->frames_sent = 0; 3305 chan->last_acked_seq = 0; 3306 chan->sdu = NULL; 3307 chan->sdu_last_frag = NULL; 3308 chan->sdu_len = 0; 3309 3310 skb_queue_head_init(&chan->tx_q); 3311 3312 chan->local_amp_id = AMP_ID_BREDR; 3313 chan->move_id = AMP_ID_BREDR; 3314 chan->move_state = L2CAP_MOVE_STABLE; 3315 chan->move_role = L2CAP_MOVE_ROLE_NONE; 3316 3317 if (chan->mode != L2CAP_MODE_ERTM) 3318 return 0; 3319 3320 chan->rx_state = L2CAP_RX_STATE_RECV; 3321 chan->tx_state = L2CAP_TX_STATE_XMIT; 3322 3323 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); 3324 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); 3325 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); 3326 3327 skb_queue_head_init(&chan->srej_q); 3328 3329 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); 3330 if (err < 0) 3331 return err; 3332 3333 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win); 3334 if (err < 0) 3335 l2cap_seq_list_free(&chan->srej_list); 3336 3337 return err; 3338 } 3339 3340 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask) 3341 { 3342 switch (mode) { 3343 case L2CAP_MODE_STREAMING: 3344 case L2CAP_MODE_ERTM: 3345 if (l2cap_mode_supported(mode, remote_feat_mask)) 3346 return mode; 3347 fallthrough; 3348 default: 3349 return L2CAP_MODE_BASIC; 3350 } 3351 } 3352 3353 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn) 3354 { 3355 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) && 3356 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW)); 3357 } 3358 3359 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn) 3360 { 3361 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) && 3362 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW)); 3363 } 3364 3365 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan, 3366 struct l2cap_conf_rfc *rfc) 3367 { 3368 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) { 3369 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to; 3370 3371 /* Class 1 devices have must have ERTM timeouts 3372 * exceeding the Link Supervision Timeout. The 3373 * default Link Supervision Timeout for AMP 3374 * controllers is 10 seconds. 3375 * 3376 * Class 1 devices use 0xffffffff for their 3377 * best-effort flush timeout, so the clamping logic 3378 * will result in a timeout that meets the above 3379 * requirement. ERTM timeouts are 16-bit values, so 3380 * the maximum timeout is 65.535 seconds. 3381 */ 3382 3383 /* Convert timeout to milliseconds and round */ 3384 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000); 3385 3386 /* This is the recommended formula for class 2 devices 3387 * that start ERTM timers when packets are sent to the 3388 * controller. 3389 */ 3390 ertm_to = 3 * ertm_to + 500; 3391 3392 if (ertm_to > 0xffff) 3393 ertm_to = 0xffff; 3394 3395 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to); 3396 rfc->monitor_timeout = rfc->retrans_timeout; 3397 } else { 3398 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO); 3399 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO); 3400 } 3401 } 3402 3403 static inline void l2cap_txwin_setup(struct l2cap_chan *chan) 3404 { 3405 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW && 3406 __l2cap_ews_supported(chan->conn)) { 3407 /* use extended control field */ 3408 set_bit(FLAG_EXT_CTRL, &chan->flags); 3409 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; 3410 } else { 3411 chan->tx_win = min_t(u16, chan->tx_win, 3412 L2CAP_DEFAULT_TX_WINDOW); 3413 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 3414 } 3415 chan->ack_win = chan->tx_win; 3416 } 3417 3418 static void l2cap_mtu_auto(struct l2cap_chan *chan) 3419 { 3420 struct hci_conn *conn = chan->conn->hcon; 3421 3422 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3423 3424 /* The 2-DH1 packet has between 2 and 56 information bytes 3425 * (including the 2-byte payload header) 3426 */ 3427 if (!(conn->pkt_type & HCI_2DH1)) 3428 chan->imtu = 54; 3429 3430 /* The 3-DH1 packet has between 2 and 85 information bytes 3431 * (including the 2-byte payload header) 3432 */ 3433 if (!(conn->pkt_type & HCI_3DH1)) 3434 chan->imtu = 83; 3435 3436 /* The 2-DH3 packet has between 2 and 369 information bytes 3437 * (including the 2-byte payload header) 3438 */ 3439 if (!(conn->pkt_type & HCI_2DH3)) 3440 chan->imtu = 367; 3441 3442 /* The 3-DH3 packet has between 2 and 554 information bytes 3443 * (including the 2-byte payload header) 3444 */ 3445 if (!(conn->pkt_type & HCI_3DH3)) 3446 chan->imtu = 552; 3447 3448 /* The 2-DH5 packet has between 2 and 681 information bytes 3449 * (including the 2-byte payload header) 3450 */ 3451 if (!(conn->pkt_type & HCI_2DH5)) 3452 chan->imtu = 679; 3453 3454 /* The 3-DH5 packet has between 2 and 1023 information bytes 3455 * (including the 2-byte payload header) 3456 */ 3457 if (!(conn->pkt_type & HCI_3DH5)) 3458 chan->imtu = 1021; 3459 } 3460 3461 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) 3462 { 3463 struct l2cap_conf_req *req = data; 3464 struct l2cap_conf_rfc rfc = { .mode = chan->mode }; 3465 void *ptr = req->data; 3466 void *endptr = data + data_size; 3467 u16 size; 3468 3469 BT_DBG("chan %p", chan); 3470 3471 if (chan->num_conf_req || chan->num_conf_rsp) 3472 goto done; 3473 3474 switch (chan->mode) { 3475 case L2CAP_MODE_STREAMING: 3476 case L2CAP_MODE_ERTM: 3477 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) 3478 break; 3479 3480 if (__l2cap_efs_supported(chan->conn)) 3481 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3482 3483 fallthrough; 3484 default: 3485 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask); 3486 break; 3487 } 3488 3489 done: 3490 if (chan->imtu != L2CAP_DEFAULT_MTU) { 3491 if (!chan->imtu) 3492 l2cap_mtu_auto(chan); 3493 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, 3494 endptr - ptr); 3495 } 3496 3497 switch (chan->mode) { 3498 case L2CAP_MODE_BASIC: 3499 if (disable_ertm) 3500 break; 3501 3502 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) && 3503 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING)) 3504 break; 3505 3506 rfc.mode = L2CAP_MODE_BASIC; 3507 rfc.txwin_size = 0; 3508 rfc.max_transmit = 0; 3509 rfc.retrans_timeout = 0; 3510 rfc.monitor_timeout = 0; 3511 rfc.max_pdu_size = 0; 3512 3513 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3514 (unsigned long) &rfc, endptr - ptr); 3515 break; 3516 3517 case L2CAP_MODE_ERTM: 3518 rfc.mode = L2CAP_MODE_ERTM; 3519 rfc.max_transmit = chan->max_tx; 3520 3521 __l2cap_set_ertm_timeouts(chan, &rfc); 3522 3523 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 3524 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE - 3525 L2CAP_FCS_SIZE); 3526 rfc.max_pdu_size = cpu_to_le16(size); 3527 3528 l2cap_txwin_setup(chan); 3529 3530 rfc.txwin_size = min_t(u16, chan->tx_win, 3531 L2CAP_DEFAULT_TX_WINDOW); 3532 3533 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3534 (unsigned long) &rfc, endptr - ptr); 3535 3536 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 3537 l2cap_add_opt_efs(&ptr, chan, endptr - ptr); 3538 3539 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 3540 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3541 chan->tx_win, endptr - ptr); 3542 3543 if (chan->conn->feat_mask & L2CAP_FEAT_FCS) 3544 if (chan->fcs == L2CAP_FCS_NONE || 3545 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { 3546 chan->fcs = L2CAP_FCS_NONE; 3547 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, 3548 chan->fcs, endptr - ptr); 3549 } 3550 break; 3551 3552 case L2CAP_MODE_STREAMING: 3553 l2cap_txwin_setup(chan); 3554 rfc.mode = L2CAP_MODE_STREAMING; 3555 rfc.txwin_size = 0; 3556 rfc.max_transmit = 0; 3557 rfc.retrans_timeout = 0; 3558 rfc.monitor_timeout = 0; 3559 3560 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 3561 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE - 3562 L2CAP_FCS_SIZE); 3563 rfc.max_pdu_size = cpu_to_le16(size); 3564 3565 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3566 (unsigned long) &rfc, endptr - ptr); 3567 3568 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 3569 l2cap_add_opt_efs(&ptr, chan, endptr - ptr); 3570 3571 if (chan->conn->feat_mask & L2CAP_FEAT_FCS) 3572 if (chan->fcs == L2CAP_FCS_NONE || 3573 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { 3574 chan->fcs = L2CAP_FCS_NONE; 3575 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, 3576 chan->fcs, endptr - ptr); 3577 } 3578 break; 3579 } 3580 3581 req->dcid = cpu_to_le16(chan->dcid); 3582 req->flags = cpu_to_le16(0); 3583 3584 return ptr - data; 3585 } 3586 3587 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) 3588 { 3589 struct l2cap_conf_rsp *rsp = data; 3590 void *ptr = rsp->data; 3591 void *endptr = data + data_size; 3592 void *req = chan->conf_req; 3593 int len = chan->conf_len; 3594 int type, hint, olen; 3595 unsigned long val; 3596 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3597 struct l2cap_conf_efs efs; 3598 u8 remote_efs = 0; 3599 u16 mtu = L2CAP_DEFAULT_MTU; 3600 u16 result = L2CAP_CONF_SUCCESS; 3601 u16 size; 3602 3603 BT_DBG("chan %p", chan); 3604 3605 while (len >= L2CAP_CONF_OPT_SIZE) { 3606 len -= l2cap_get_conf_opt(&req, &type, &olen, &val); 3607 if (len < 0) 3608 break; 3609 3610 hint = type & L2CAP_CONF_HINT; 3611 type &= L2CAP_CONF_MASK; 3612 3613 switch (type) { 3614 case L2CAP_CONF_MTU: 3615 if (olen != 2) 3616 break; 3617 mtu = val; 3618 break; 3619 3620 case L2CAP_CONF_FLUSH_TO: 3621 if (olen != 2) 3622 break; 3623 chan->flush_to = val; 3624 break; 3625 3626 case L2CAP_CONF_QOS: 3627 break; 3628 3629 case L2CAP_CONF_RFC: 3630 if (olen != sizeof(rfc)) 3631 break; 3632 memcpy(&rfc, (void *) val, olen); 3633 break; 3634 3635 case L2CAP_CONF_FCS: 3636 if (olen != 1) 3637 break; 3638 if (val == L2CAP_FCS_NONE) 3639 set_bit(CONF_RECV_NO_FCS, &chan->conf_state); 3640 break; 3641 3642 case L2CAP_CONF_EFS: 3643 if (olen != sizeof(efs)) 3644 break; 3645 remote_efs = 1; 3646 memcpy(&efs, (void *) val, olen); 3647 break; 3648 3649 case L2CAP_CONF_EWS: 3650 if (olen != 2) 3651 break; 3652 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP)) 3653 return -ECONNREFUSED; 3654 set_bit(FLAG_EXT_CTRL, &chan->flags); 3655 set_bit(CONF_EWS_RECV, &chan->conf_state); 3656 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; 3657 chan->remote_tx_win = val; 3658 break; 3659 3660 default: 3661 if (hint) 3662 break; 3663 result = L2CAP_CONF_UNKNOWN; 3664 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr); 3665 break; 3666 } 3667 } 3668 3669 if (chan->num_conf_rsp || chan->num_conf_req > 1) 3670 goto done; 3671 3672 switch (chan->mode) { 3673 case L2CAP_MODE_STREAMING: 3674 case L2CAP_MODE_ERTM: 3675 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) { 3676 chan->mode = l2cap_select_mode(rfc.mode, 3677 chan->conn->feat_mask); 3678 break; 3679 } 3680 3681 if (remote_efs) { 3682 if (__l2cap_efs_supported(chan->conn)) 3683 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3684 else 3685 return -ECONNREFUSED; 3686 } 3687 3688 if (chan->mode != rfc.mode) 3689 return -ECONNREFUSED; 3690 3691 break; 3692 } 3693 3694 done: 3695 if (chan->mode != rfc.mode) { 3696 result = L2CAP_CONF_UNACCEPT; 3697 rfc.mode = chan->mode; 3698 3699 if (chan->num_conf_rsp == 1) 3700 return -ECONNREFUSED; 3701 3702 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3703 (unsigned long) &rfc, endptr - ptr); 3704 } 3705 3706 if (result == L2CAP_CONF_SUCCESS) { 3707 /* Configure output options and let the other side know 3708 * which ones we don't like. */ 3709 3710 if (mtu < L2CAP_DEFAULT_MIN_MTU) 3711 result = L2CAP_CONF_UNACCEPT; 3712 else { 3713 chan->omtu = mtu; 3714 set_bit(CONF_MTU_DONE, &chan->conf_state); 3715 } 3716 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr); 3717 3718 if (remote_efs) { 3719 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3720 efs.stype != L2CAP_SERV_NOTRAFIC && 3721 efs.stype != chan->local_stype) { 3722 3723 result = L2CAP_CONF_UNACCEPT; 3724 3725 if (chan->num_conf_req >= 1) 3726 return -ECONNREFUSED; 3727 3728 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3729 sizeof(efs), 3730 (unsigned long) &efs, endptr - ptr); 3731 } else { 3732 /* Send PENDING Conf Rsp */ 3733 result = L2CAP_CONF_PENDING; 3734 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 3735 } 3736 } 3737 3738 switch (rfc.mode) { 3739 case L2CAP_MODE_BASIC: 3740 chan->fcs = L2CAP_FCS_NONE; 3741 set_bit(CONF_MODE_DONE, &chan->conf_state); 3742 break; 3743 3744 case L2CAP_MODE_ERTM: 3745 if (!test_bit(CONF_EWS_RECV, &chan->conf_state)) 3746 chan->remote_tx_win = rfc.txwin_size; 3747 else 3748 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW; 3749 3750 chan->remote_max_tx = rfc.max_transmit; 3751 3752 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3753 chan->conn->mtu - L2CAP_EXT_HDR_SIZE - 3754 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE); 3755 rfc.max_pdu_size = cpu_to_le16(size); 3756 chan->remote_mps = size; 3757 3758 __l2cap_set_ertm_timeouts(chan, &rfc); 3759 3760 set_bit(CONF_MODE_DONE, &chan->conf_state); 3761 3762 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 3763 sizeof(rfc), (unsigned long) &rfc, endptr - ptr); 3764 3765 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3766 chan->remote_id = efs.id; 3767 chan->remote_stype = efs.stype; 3768 chan->remote_msdu = le16_to_cpu(efs.msdu); 3769 chan->remote_flush_to = 3770 le32_to_cpu(efs.flush_to); 3771 chan->remote_acc_lat = 3772 le32_to_cpu(efs.acc_lat); 3773 chan->remote_sdu_itime = 3774 le32_to_cpu(efs.sdu_itime); 3775 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3776 sizeof(efs), 3777 (unsigned long) &efs, endptr - ptr); 3778 } 3779 break; 3780 3781 case L2CAP_MODE_STREAMING: 3782 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3783 chan->conn->mtu - L2CAP_EXT_HDR_SIZE - 3784 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE); 3785 rfc.max_pdu_size = cpu_to_le16(size); 3786 chan->remote_mps = size; 3787 3788 set_bit(CONF_MODE_DONE, &chan->conf_state); 3789 3790 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3791 (unsigned long) &rfc, endptr - ptr); 3792 3793 break; 3794 3795 default: 3796 result = L2CAP_CONF_UNACCEPT; 3797 3798 memset(&rfc, 0, sizeof(rfc)); 3799 rfc.mode = chan->mode; 3800 } 3801 3802 if (result == L2CAP_CONF_SUCCESS) 3803 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 3804 } 3805 rsp->scid = cpu_to_le16(chan->dcid); 3806 rsp->result = cpu_to_le16(result); 3807 rsp->flags = cpu_to_le16(0); 3808 3809 return ptr - data; 3810 } 3811 3812 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, 3813 void *data, size_t size, u16 *result) 3814 { 3815 struct l2cap_conf_req *req = data; 3816 void *ptr = req->data; 3817 void *endptr = data + size; 3818 int type, olen; 3819 unsigned long val; 3820 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3821 struct l2cap_conf_efs efs; 3822 3823 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data); 3824 3825 while (len >= L2CAP_CONF_OPT_SIZE) { 3826 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3827 if (len < 0) 3828 break; 3829 3830 switch (type) { 3831 case L2CAP_CONF_MTU: 3832 if (olen != 2) 3833 break; 3834 if (val < L2CAP_DEFAULT_MIN_MTU) { 3835 *result = L2CAP_CONF_UNACCEPT; 3836 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3837 } else 3838 chan->imtu = val; 3839 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, 3840 endptr - ptr); 3841 break; 3842 3843 case L2CAP_CONF_FLUSH_TO: 3844 if (olen != 2) 3845 break; 3846 chan->flush_to = val; 3847 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, 3848 chan->flush_to, endptr - ptr); 3849 break; 3850 3851 case L2CAP_CONF_RFC: 3852 if (olen != sizeof(rfc)) 3853 break; 3854 memcpy(&rfc, (void *)val, olen); 3855 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && 3856 rfc.mode != chan->mode) 3857 return -ECONNREFUSED; 3858 chan->fcs = 0; 3859 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3860 (unsigned long) &rfc, endptr - ptr); 3861 break; 3862 3863 case L2CAP_CONF_EWS: 3864 if (olen != 2) 3865 break; 3866 chan->ack_win = min_t(u16, val, chan->ack_win); 3867 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3868 chan->tx_win, endptr - ptr); 3869 break; 3870 3871 case L2CAP_CONF_EFS: 3872 if (olen != sizeof(efs)) 3873 break; 3874 memcpy(&efs, (void *)val, olen); 3875 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3876 efs.stype != L2CAP_SERV_NOTRAFIC && 3877 efs.stype != chan->local_stype) 3878 return -ECONNREFUSED; 3879 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), 3880 (unsigned long) &efs, endptr - ptr); 3881 break; 3882 3883 case L2CAP_CONF_FCS: 3884 if (olen != 1) 3885 break; 3886 if (*result == L2CAP_CONF_PENDING) 3887 if (val == L2CAP_FCS_NONE) 3888 set_bit(CONF_RECV_NO_FCS, 3889 &chan->conf_state); 3890 break; 3891 } 3892 } 3893 3894 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode) 3895 return -ECONNREFUSED; 3896 3897 chan->mode = rfc.mode; 3898 3899 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) { 3900 switch (rfc.mode) { 3901 case L2CAP_MODE_ERTM: 3902 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3903 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3904 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3905 if (!test_bit(FLAG_EXT_CTRL, &chan->flags)) 3906 chan->ack_win = min_t(u16, chan->ack_win, 3907 rfc.txwin_size); 3908 3909 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3910 chan->local_msdu = le16_to_cpu(efs.msdu); 3911 chan->local_sdu_itime = 3912 le32_to_cpu(efs.sdu_itime); 3913 chan->local_acc_lat = le32_to_cpu(efs.acc_lat); 3914 chan->local_flush_to = 3915 le32_to_cpu(efs.flush_to); 3916 } 3917 break; 3918 3919 case L2CAP_MODE_STREAMING: 3920 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3921 } 3922 } 3923 3924 req->dcid = cpu_to_le16(chan->dcid); 3925 req->flags = cpu_to_le16(0); 3926 3927 return ptr - data; 3928 } 3929 3930 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, 3931 u16 result, u16 flags) 3932 { 3933 struct l2cap_conf_rsp *rsp = data; 3934 void *ptr = rsp->data; 3935 3936 BT_DBG("chan %p", chan); 3937 3938 rsp->scid = cpu_to_le16(chan->dcid); 3939 rsp->result = cpu_to_le16(result); 3940 rsp->flags = cpu_to_le16(flags); 3941 3942 return ptr - data; 3943 } 3944 3945 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan) 3946 { 3947 struct l2cap_le_conn_rsp rsp; 3948 struct l2cap_conn *conn = chan->conn; 3949 3950 BT_DBG("chan %p", chan); 3951 3952 rsp.dcid = cpu_to_le16(chan->scid); 3953 rsp.mtu = cpu_to_le16(chan->imtu); 3954 rsp.mps = cpu_to_le16(chan->mps); 3955 rsp.credits = cpu_to_le16(chan->rx_credits); 3956 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); 3957 3958 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 3959 &rsp); 3960 } 3961 3962 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan) 3963 { 3964 struct { 3965 struct l2cap_ecred_conn_rsp rsp; 3966 __le16 dcid[5]; 3967 } __packed pdu; 3968 struct l2cap_conn *conn = chan->conn; 3969 u16 ident = chan->ident; 3970 int i = 0; 3971 3972 if (!ident) 3973 return; 3974 3975 BT_DBG("chan %p ident %d", chan, ident); 3976 3977 pdu.rsp.mtu = cpu_to_le16(chan->imtu); 3978 pdu.rsp.mps = cpu_to_le16(chan->mps); 3979 pdu.rsp.credits = cpu_to_le16(chan->rx_credits); 3980 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); 3981 3982 mutex_lock(&conn->chan_lock); 3983 3984 list_for_each_entry(chan, &conn->chan_l, list) { 3985 if (chan->ident != ident) 3986 continue; 3987 3988 /* Reset ident so only one response is sent */ 3989 chan->ident = 0; 3990 3991 /* Include all channels pending with the same ident */ 3992 pdu.dcid[i++] = cpu_to_le16(chan->scid); 3993 } 3994 3995 mutex_unlock(&conn->chan_lock); 3996 3997 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP, 3998 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu); 3999 } 4000 4001 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) 4002 { 4003 struct l2cap_conn_rsp rsp; 4004 struct l2cap_conn *conn = chan->conn; 4005 u8 buf[128]; 4006 u8 rsp_code; 4007 4008 rsp.scid = cpu_to_le16(chan->dcid); 4009 rsp.dcid = cpu_to_le16(chan->scid); 4010 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 4011 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 4012 4013 if (chan->hs_hcon) 4014 rsp_code = L2CAP_CREATE_CHAN_RSP; 4015 else 4016 rsp_code = L2CAP_CONN_RSP; 4017 4018 BT_DBG("chan %p rsp_code %u", chan, rsp_code); 4019 4020 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp); 4021 4022 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 4023 return; 4024 4025 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4026 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4027 chan->num_conf_req++; 4028 } 4029 4030 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) 4031 { 4032 int type, olen; 4033 unsigned long val; 4034 /* Use sane default values in case a misbehaving remote device 4035 * did not send an RFC or extended window size option. 4036 */ 4037 u16 txwin_ext = chan->ack_win; 4038 struct l2cap_conf_rfc rfc = { 4039 .mode = chan->mode, 4040 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO), 4041 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO), 4042 .max_pdu_size = cpu_to_le16(chan->imtu), 4043 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW), 4044 }; 4045 4046 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len); 4047 4048 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING)) 4049 return; 4050 4051 while (len >= L2CAP_CONF_OPT_SIZE) { 4052 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 4053 if (len < 0) 4054 break; 4055 4056 switch (type) { 4057 case L2CAP_CONF_RFC: 4058 if (olen != sizeof(rfc)) 4059 break; 4060 memcpy(&rfc, (void *)val, olen); 4061 break; 4062 case L2CAP_CONF_EWS: 4063 if (olen != 2) 4064 break; 4065 txwin_ext = val; 4066 break; 4067 } 4068 } 4069 4070 switch (rfc.mode) { 4071 case L2CAP_MODE_ERTM: 4072 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 4073 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 4074 chan->mps = le16_to_cpu(rfc.max_pdu_size); 4075 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 4076 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext); 4077 else 4078 chan->ack_win = min_t(u16, chan->ack_win, 4079 rfc.txwin_size); 4080 break; 4081 case L2CAP_MODE_STREAMING: 4082 chan->mps = le16_to_cpu(rfc.max_pdu_size); 4083 } 4084 } 4085 4086 static inline int l2cap_command_rej(struct l2cap_conn *conn, 4087 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4088 u8 *data) 4089 { 4090 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 4091 4092 if (cmd_len < sizeof(*rej)) 4093 return -EPROTO; 4094 4095 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) 4096 return 0; 4097 4098 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 4099 cmd->ident == conn->info_ident) { 4100 cancel_delayed_work(&conn->info_timer); 4101 4102 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4103 conn->info_ident = 0; 4104 4105 l2cap_conn_start(conn); 4106 } 4107 4108 return 0; 4109 } 4110 4111 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, 4112 struct l2cap_cmd_hdr *cmd, 4113 u8 *data, u8 rsp_code, u8 amp_id) 4114 { 4115 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 4116 struct l2cap_conn_rsp rsp; 4117 struct l2cap_chan *chan = NULL, *pchan; 4118 int result, status = L2CAP_CS_NO_INFO; 4119 4120 u16 dcid = 0, scid = __le16_to_cpu(req->scid); 4121 __le16 psm = req->psm; 4122 4123 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid); 4124 4125 /* Check if we have socket listening on psm */ 4126 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 4127 &conn->hcon->dst, ACL_LINK); 4128 if (!pchan) { 4129 result = L2CAP_CR_BAD_PSM; 4130 goto sendresp; 4131 } 4132 4133 mutex_lock(&conn->chan_lock); 4134 l2cap_chan_lock(pchan); 4135 4136 /* Check if the ACL is secure enough (if not SDP) */ 4137 if (psm != cpu_to_le16(L2CAP_PSM_SDP) && 4138 !hci_conn_check_link_mode(conn->hcon)) { 4139 conn->disc_reason = HCI_ERROR_AUTH_FAILURE; 4140 result = L2CAP_CR_SEC_BLOCK; 4141 goto response; 4142 } 4143 4144 result = L2CAP_CR_NO_MEM; 4145 4146 /* Check for valid dynamic CID range (as per Erratum 3253) */ 4147 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) { 4148 result = L2CAP_CR_INVALID_SCID; 4149 goto response; 4150 } 4151 4152 /* Check if we already have channel with that dcid */ 4153 if (__l2cap_get_chan_by_dcid(conn, scid)) { 4154 result = L2CAP_CR_SCID_IN_USE; 4155 goto response; 4156 } 4157 4158 chan = pchan->ops->new_connection(pchan); 4159 if (!chan) 4160 goto response; 4161 4162 /* For certain devices (ex: HID mouse), support for authentication, 4163 * pairing and bonding is optional. For such devices, inorder to avoid 4164 * the ACL alive for too long after L2CAP disconnection, reset the ACL 4165 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect. 4166 */ 4167 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4168 4169 bacpy(&chan->src, &conn->hcon->src); 4170 bacpy(&chan->dst, &conn->hcon->dst); 4171 chan->src_type = bdaddr_src_type(conn->hcon); 4172 chan->dst_type = bdaddr_dst_type(conn->hcon); 4173 chan->psm = psm; 4174 chan->dcid = scid; 4175 chan->local_amp_id = amp_id; 4176 4177 __l2cap_chan_add(conn, chan); 4178 4179 dcid = chan->scid; 4180 4181 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 4182 4183 chan->ident = cmd->ident; 4184 4185 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 4186 if (l2cap_chan_check_security(chan, false)) { 4187 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 4188 l2cap_state_change(chan, BT_CONNECT2); 4189 result = L2CAP_CR_PEND; 4190 status = L2CAP_CS_AUTHOR_PEND; 4191 chan->ops->defer(chan); 4192 } else { 4193 /* Force pending result for AMP controllers. 4194 * The connection will succeed after the 4195 * physical link is up. 4196 */ 4197 if (amp_id == AMP_ID_BREDR) { 4198 l2cap_state_change(chan, BT_CONFIG); 4199 result = L2CAP_CR_SUCCESS; 4200 } else { 4201 l2cap_state_change(chan, BT_CONNECT2); 4202 result = L2CAP_CR_PEND; 4203 } 4204 status = L2CAP_CS_NO_INFO; 4205 } 4206 } else { 4207 l2cap_state_change(chan, BT_CONNECT2); 4208 result = L2CAP_CR_PEND; 4209 status = L2CAP_CS_AUTHEN_PEND; 4210 } 4211 } else { 4212 l2cap_state_change(chan, BT_CONNECT2); 4213 result = L2CAP_CR_PEND; 4214 status = L2CAP_CS_NO_INFO; 4215 } 4216 4217 response: 4218 l2cap_chan_unlock(pchan); 4219 mutex_unlock(&conn->chan_lock); 4220 l2cap_chan_put(pchan); 4221 4222 sendresp: 4223 rsp.scid = cpu_to_le16(scid); 4224 rsp.dcid = cpu_to_le16(dcid); 4225 rsp.result = cpu_to_le16(result); 4226 rsp.status = cpu_to_le16(status); 4227 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); 4228 4229 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { 4230 struct l2cap_info_req info; 4231 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 4232 4233 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 4234 conn->info_ident = l2cap_get_ident(conn); 4235 4236 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 4237 4238 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ, 4239 sizeof(info), &info); 4240 } 4241 4242 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) && 4243 result == L2CAP_CR_SUCCESS) { 4244 u8 buf[128]; 4245 set_bit(CONF_REQ_SENT, &chan->conf_state); 4246 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4247 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4248 chan->num_conf_req++; 4249 } 4250 4251 return chan; 4252 } 4253 4254 static int l2cap_connect_req(struct l2cap_conn *conn, 4255 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 4256 { 4257 struct hci_dev *hdev = conn->hcon->hdev; 4258 struct hci_conn *hcon = conn->hcon; 4259 4260 if (cmd_len < sizeof(struct l2cap_conn_req)) 4261 return -EPROTO; 4262 4263 hci_dev_lock(hdev); 4264 if (hci_dev_test_flag(hdev, HCI_MGMT) && 4265 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) 4266 mgmt_device_connected(hdev, hcon, NULL, 0); 4267 hci_dev_unlock(hdev); 4268 4269 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0); 4270 return 0; 4271 } 4272 4273 static int l2cap_connect_create_rsp(struct l2cap_conn *conn, 4274 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4275 u8 *data) 4276 { 4277 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; 4278 u16 scid, dcid, result, status; 4279 struct l2cap_chan *chan; 4280 u8 req[128]; 4281 int err; 4282 4283 if (cmd_len < sizeof(*rsp)) 4284 return -EPROTO; 4285 4286 scid = __le16_to_cpu(rsp->scid); 4287 dcid = __le16_to_cpu(rsp->dcid); 4288 result = __le16_to_cpu(rsp->result); 4289 status = __le16_to_cpu(rsp->status); 4290 4291 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", 4292 dcid, scid, result, status); 4293 4294 mutex_lock(&conn->chan_lock); 4295 4296 if (scid) { 4297 chan = __l2cap_get_chan_by_scid(conn, scid); 4298 if (!chan) { 4299 err = -EBADSLT; 4300 goto unlock; 4301 } 4302 } else { 4303 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 4304 if (!chan) { 4305 err = -EBADSLT; 4306 goto unlock; 4307 } 4308 } 4309 4310 err = 0; 4311 4312 l2cap_chan_lock(chan); 4313 4314 switch (result) { 4315 case L2CAP_CR_SUCCESS: 4316 l2cap_state_change(chan, BT_CONFIG); 4317 chan->ident = 0; 4318 chan->dcid = dcid; 4319 clear_bit(CONF_CONNECT_PEND, &chan->conf_state); 4320 4321 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 4322 break; 4323 4324 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4325 l2cap_build_conf_req(chan, req, sizeof(req)), req); 4326 chan->num_conf_req++; 4327 break; 4328 4329 case L2CAP_CR_PEND: 4330 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 4331 break; 4332 4333 default: 4334 l2cap_chan_del(chan, ECONNREFUSED); 4335 break; 4336 } 4337 4338 l2cap_chan_unlock(chan); 4339 4340 unlock: 4341 mutex_unlock(&conn->chan_lock); 4342 4343 return err; 4344 } 4345 4346 static inline void set_default_fcs(struct l2cap_chan *chan) 4347 { 4348 /* FCS is enabled only in ERTM or streaming mode, if one or both 4349 * sides request it. 4350 */ 4351 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 4352 chan->fcs = L2CAP_FCS_NONE; 4353 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) 4354 chan->fcs = L2CAP_FCS_CRC16; 4355 } 4356 4357 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data, 4358 u8 ident, u16 flags) 4359 { 4360 struct l2cap_conn *conn = chan->conn; 4361 4362 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident, 4363 flags); 4364 4365 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 4366 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 4367 4368 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP, 4369 l2cap_build_conf_rsp(chan, data, 4370 L2CAP_CONF_SUCCESS, flags), data); 4371 } 4372 4373 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident, 4374 u16 scid, u16 dcid) 4375 { 4376 struct l2cap_cmd_rej_cid rej; 4377 4378 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID); 4379 rej.scid = __cpu_to_le16(scid); 4380 rej.dcid = __cpu_to_le16(dcid); 4381 4382 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 4383 } 4384 4385 static inline int l2cap_config_req(struct l2cap_conn *conn, 4386 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4387 u8 *data) 4388 { 4389 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 4390 u16 dcid, flags; 4391 u8 rsp[64]; 4392 struct l2cap_chan *chan; 4393 int len, err = 0; 4394 4395 if (cmd_len < sizeof(*req)) 4396 return -EPROTO; 4397 4398 dcid = __le16_to_cpu(req->dcid); 4399 flags = __le16_to_cpu(req->flags); 4400 4401 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags); 4402 4403 chan = l2cap_get_chan_by_scid(conn, dcid); 4404 if (!chan) { 4405 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0); 4406 return 0; 4407 } 4408 4409 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 && 4410 chan->state != BT_CONNECTED) { 4411 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, 4412 chan->dcid); 4413 goto unlock; 4414 } 4415 4416 /* Reject if config buffer is too small. */ 4417 len = cmd_len - sizeof(*req); 4418 if (chan->conf_len + len > sizeof(chan->conf_req)) { 4419 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 4420 l2cap_build_conf_rsp(chan, rsp, 4421 L2CAP_CONF_REJECT, flags), rsp); 4422 goto unlock; 4423 } 4424 4425 /* Store config. */ 4426 memcpy(chan->conf_req + chan->conf_len, req->data, len); 4427 chan->conf_len += len; 4428 4429 if (flags & L2CAP_CONF_FLAG_CONTINUATION) { 4430 /* Incomplete config. Send empty response. */ 4431 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 4432 l2cap_build_conf_rsp(chan, rsp, 4433 L2CAP_CONF_SUCCESS, flags), rsp); 4434 goto unlock; 4435 } 4436 4437 /* Complete config. */ 4438 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp)); 4439 if (len < 0) { 4440 l2cap_send_disconn_req(chan, ECONNRESET); 4441 goto unlock; 4442 } 4443 4444 chan->ident = cmd->ident; 4445 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); 4446 chan->num_conf_rsp++; 4447 4448 /* Reset config buffer. */ 4449 chan->conf_len = 0; 4450 4451 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) 4452 goto unlock; 4453 4454 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) { 4455 set_default_fcs(chan); 4456 4457 if (chan->mode == L2CAP_MODE_ERTM || 4458 chan->mode == L2CAP_MODE_STREAMING) 4459 err = l2cap_ertm_init(chan); 4460 4461 if (err < 0) 4462 l2cap_send_disconn_req(chan, -err); 4463 else 4464 l2cap_chan_ready(chan); 4465 4466 goto unlock; 4467 } 4468 4469 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) { 4470 u8 buf[64]; 4471 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4472 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4473 chan->num_conf_req++; 4474 } 4475 4476 /* Got Conf Rsp PENDING from remote side and assume we sent 4477 Conf Rsp PENDING in the code above */ 4478 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) && 4479 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 4480 4481 /* check compatibility */ 4482 4483 /* Send rsp for BR/EDR channel */ 4484 if (!chan->hs_hcon) 4485 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags); 4486 else 4487 chan->ident = cmd->ident; 4488 } 4489 4490 unlock: 4491 l2cap_chan_unlock(chan); 4492 l2cap_chan_put(chan); 4493 return err; 4494 } 4495 4496 static inline int l2cap_config_rsp(struct l2cap_conn *conn, 4497 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4498 u8 *data) 4499 { 4500 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 4501 u16 scid, flags, result; 4502 struct l2cap_chan *chan; 4503 int len = cmd_len - sizeof(*rsp); 4504 int err = 0; 4505 4506 if (cmd_len < sizeof(*rsp)) 4507 return -EPROTO; 4508 4509 scid = __le16_to_cpu(rsp->scid); 4510 flags = __le16_to_cpu(rsp->flags); 4511 result = __le16_to_cpu(rsp->result); 4512 4513 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags, 4514 result, len); 4515 4516 chan = l2cap_get_chan_by_scid(conn, scid); 4517 if (!chan) 4518 return 0; 4519 4520 switch (result) { 4521 case L2CAP_CONF_SUCCESS: 4522 l2cap_conf_rfc_get(chan, rsp->data, len); 4523 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state); 4524 break; 4525 4526 case L2CAP_CONF_PENDING: 4527 set_bit(CONF_REM_CONF_PEND, &chan->conf_state); 4528 4529 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 4530 char buf[64]; 4531 4532 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 4533 buf, sizeof(buf), &result); 4534 if (len < 0) { 4535 l2cap_send_disconn_req(chan, ECONNRESET); 4536 goto done; 4537 } 4538 4539 if (!chan->hs_hcon) { 4540 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 4541 0); 4542 } else { 4543 if (l2cap_check_efs(chan)) { 4544 amp_create_logical_link(chan); 4545 chan->ident = cmd->ident; 4546 } 4547 } 4548 } 4549 goto done; 4550 4551 case L2CAP_CONF_UNKNOWN: 4552 case L2CAP_CONF_UNACCEPT: 4553 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) { 4554 char req[64]; 4555 4556 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { 4557 l2cap_send_disconn_req(chan, ECONNRESET); 4558 goto done; 4559 } 4560 4561 /* throw out any old stored conf requests */ 4562 result = L2CAP_CONF_SUCCESS; 4563 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 4564 req, sizeof(req), &result); 4565 if (len < 0) { 4566 l2cap_send_disconn_req(chan, ECONNRESET); 4567 goto done; 4568 } 4569 4570 l2cap_send_cmd(conn, l2cap_get_ident(conn), 4571 L2CAP_CONF_REQ, len, req); 4572 chan->num_conf_req++; 4573 if (result != L2CAP_CONF_SUCCESS) 4574 goto done; 4575 break; 4576 } 4577 fallthrough; 4578 4579 default: 4580 l2cap_chan_set_err(chan, ECONNRESET); 4581 4582 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT); 4583 l2cap_send_disconn_req(chan, ECONNRESET); 4584 goto done; 4585 } 4586 4587 if (flags & L2CAP_CONF_FLAG_CONTINUATION) 4588 goto done; 4589 4590 set_bit(CONF_INPUT_DONE, &chan->conf_state); 4591 4592 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) { 4593 set_default_fcs(chan); 4594 4595 if (chan->mode == L2CAP_MODE_ERTM || 4596 chan->mode == L2CAP_MODE_STREAMING) 4597 err = l2cap_ertm_init(chan); 4598 4599 if (err < 0) 4600 l2cap_send_disconn_req(chan, -err); 4601 else 4602 l2cap_chan_ready(chan); 4603 } 4604 4605 done: 4606 l2cap_chan_unlock(chan); 4607 l2cap_chan_put(chan); 4608 return err; 4609 } 4610 4611 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, 4612 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4613 u8 *data) 4614 { 4615 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; 4616 struct l2cap_disconn_rsp rsp; 4617 u16 dcid, scid; 4618 struct l2cap_chan *chan; 4619 4620 if (cmd_len != sizeof(*req)) 4621 return -EPROTO; 4622 4623 scid = __le16_to_cpu(req->scid); 4624 dcid = __le16_to_cpu(req->dcid); 4625 4626 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); 4627 4628 mutex_lock(&conn->chan_lock); 4629 4630 chan = __l2cap_get_chan_by_scid(conn, dcid); 4631 if (!chan) { 4632 mutex_unlock(&conn->chan_lock); 4633 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid); 4634 return 0; 4635 } 4636 4637 l2cap_chan_hold(chan); 4638 l2cap_chan_lock(chan); 4639 4640 rsp.dcid = cpu_to_le16(chan->scid); 4641 rsp.scid = cpu_to_le16(chan->dcid); 4642 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); 4643 4644 chan->ops->set_shutdown(chan); 4645 4646 l2cap_chan_del(chan, ECONNRESET); 4647 4648 chan->ops->close(chan); 4649 4650 l2cap_chan_unlock(chan); 4651 l2cap_chan_put(chan); 4652 4653 mutex_unlock(&conn->chan_lock); 4654 4655 return 0; 4656 } 4657 4658 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, 4659 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4660 u8 *data) 4661 { 4662 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; 4663 u16 dcid, scid; 4664 struct l2cap_chan *chan; 4665 4666 if (cmd_len != sizeof(*rsp)) 4667 return -EPROTO; 4668 4669 scid = __le16_to_cpu(rsp->scid); 4670 dcid = __le16_to_cpu(rsp->dcid); 4671 4672 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); 4673 4674 mutex_lock(&conn->chan_lock); 4675 4676 chan = __l2cap_get_chan_by_scid(conn, scid); 4677 if (!chan) { 4678 mutex_unlock(&conn->chan_lock); 4679 return 0; 4680 } 4681 4682 l2cap_chan_hold(chan); 4683 l2cap_chan_lock(chan); 4684 4685 if (chan->state != BT_DISCONN) { 4686 l2cap_chan_unlock(chan); 4687 l2cap_chan_put(chan); 4688 mutex_unlock(&conn->chan_lock); 4689 return 0; 4690 } 4691 4692 l2cap_chan_del(chan, 0); 4693 4694 chan->ops->close(chan); 4695 4696 l2cap_chan_unlock(chan); 4697 l2cap_chan_put(chan); 4698 4699 mutex_unlock(&conn->chan_lock); 4700 4701 return 0; 4702 } 4703 4704 static inline int l2cap_information_req(struct l2cap_conn *conn, 4705 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4706 u8 *data) 4707 { 4708 struct l2cap_info_req *req = (struct l2cap_info_req *) data; 4709 u16 type; 4710 4711 if (cmd_len != sizeof(*req)) 4712 return -EPROTO; 4713 4714 type = __le16_to_cpu(req->type); 4715 4716 BT_DBG("type 0x%4.4x", type); 4717 4718 if (type == L2CAP_IT_FEAT_MASK) { 4719 u8 buf[8]; 4720 u32 feat_mask = l2cap_feat_mask; 4721 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4722 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 4723 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4724 if (!disable_ertm) 4725 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 4726 | L2CAP_FEAT_FCS; 4727 if (conn->local_fixed_chan & L2CAP_FC_A2MP) 4728 feat_mask |= L2CAP_FEAT_EXT_FLOW 4729 | L2CAP_FEAT_EXT_WINDOW; 4730 4731 put_unaligned_le32(feat_mask, rsp->data); 4732 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4733 buf); 4734 } else if (type == L2CAP_IT_FIXED_CHAN) { 4735 u8 buf[12]; 4736 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4737 4738 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4739 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4740 rsp->data[0] = conn->local_fixed_chan; 4741 memset(rsp->data + 1, 0, 7); 4742 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4743 buf); 4744 } else { 4745 struct l2cap_info_rsp rsp; 4746 rsp.type = cpu_to_le16(type); 4747 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP); 4748 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp), 4749 &rsp); 4750 } 4751 4752 return 0; 4753 } 4754 4755 static inline int l2cap_information_rsp(struct l2cap_conn *conn, 4756 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4757 u8 *data) 4758 { 4759 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; 4760 u16 type, result; 4761 4762 if (cmd_len < sizeof(*rsp)) 4763 return -EPROTO; 4764 4765 type = __le16_to_cpu(rsp->type); 4766 result = __le16_to_cpu(rsp->result); 4767 4768 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result); 4769 4770 /* L2CAP Info req/rsp are unbound to channels, add extra checks */ 4771 if (cmd->ident != conn->info_ident || 4772 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 4773 return 0; 4774 4775 cancel_delayed_work(&conn->info_timer); 4776 4777 if (result != L2CAP_IR_SUCCESS) { 4778 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4779 conn->info_ident = 0; 4780 4781 l2cap_conn_start(conn); 4782 4783 return 0; 4784 } 4785 4786 switch (type) { 4787 case L2CAP_IT_FEAT_MASK: 4788 conn->feat_mask = get_unaligned_le32(rsp->data); 4789 4790 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) { 4791 struct l2cap_info_req req; 4792 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4793 4794 conn->info_ident = l2cap_get_ident(conn); 4795 4796 l2cap_send_cmd(conn, conn->info_ident, 4797 L2CAP_INFO_REQ, sizeof(req), &req); 4798 } else { 4799 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4800 conn->info_ident = 0; 4801 4802 l2cap_conn_start(conn); 4803 } 4804 break; 4805 4806 case L2CAP_IT_FIXED_CHAN: 4807 conn->remote_fixed_chan = rsp->data[0]; 4808 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4809 conn->info_ident = 0; 4810 4811 l2cap_conn_start(conn); 4812 break; 4813 } 4814 4815 return 0; 4816 } 4817 4818 static int l2cap_create_channel_req(struct l2cap_conn *conn, 4819 struct l2cap_cmd_hdr *cmd, 4820 u16 cmd_len, void *data) 4821 { 4822 struct l2cap_create_chan_req *req = data; 4823 struct l2cap_create_chan_rsp rsp; 4824 struct l2cap_chan *chan; 4825 struct hci_dev *hdev; 4826 u16 psm, scid; 4827 4828 if (cmd_len != sizeof(*req)) 4829 return -EPROTO; 4830 4831 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP)) 4832 return -EINVAL; 4833 4834 psm = le16_to_cpu(req->psm); 4835 scid = le16_to_cpu(req->scid); 4836 4837 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id); 4838 4839 /* For controller id 0 make BR/EDR connection */ 4840 if (req->amp_id == AMP_ID_BREDR) { 4841 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP, 4842 req->amp_id); 4843 return 0; 4844 } 4845 4846 /* Validate AMP controller id */ 4847 hdev = hci_dev_get(req->amp_id); 4848 if (!hdev) 4849 goto error; 4850 4851 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) { 4852 hci_dev_put(hdev); 4853 goto error; 4854 } 4855 4856 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP, 4857 req->amp_id); 4858 if (chan) { 4859 struct amp_mgr *mgr = conn->hcon->amp_mgr; 4860 struct hci_conn *hs_hcon; 4861 4862 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, 4863 &conn->hcon->dst); 4864 if (!hs_hcon) { 4865 hci_dev_put(hdev); 4866 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, 4867 chan->dcid); 4868 return 0; 4869 } 4870 4871 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon); 4872 4873 mgr->bredr_chan = chan; 4874 chan->hs_hcon = hs_hcon; 4875 chan->fcs = L2CAP_FCS_NONE; 4876 conn->mtu = hdev->block_mtu; 4877 } 4878 4879 hci_dev_put(hdev); 4880 4881 return 0; 4882 4883 error: 4884 rsp.dcid = 0; 4885 rsp.scid = cpu_to_le16(scid); 4886 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP); 4887 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 4888 4889 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP, 4890 sizeof(rsp), &rsp); 4891 4892 return 0; 4893 } 4894 4895 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id) 4896 { 4897 struct l2cap_move_chan_req req; 4898 u8 ident; 4899 4900 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id); 4901 4902 ident = l2cap_get_ident(chan->conn); 4903 chan->ident = ident; 4904 4905 req.icid = cpu_to_le16(chan->scid); 4906 req.dest_amp_id = dest_amp_id; 4907 4908 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req), 4909 &req); 4910 4911 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT); 4912 } 4913 4914 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result) 4915 { 4916 struct l2cap_move_chan_rsp rsp; 4917 4918 BT_DBG("chan %p, result 0x%4.4x", chan, result); 4919 4920 rsp.icid = cpu_to_le16(chan->dcid); 4921 rsp.result = cpu_to_le16(result); 4922 4923 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP, 4924 sizeof(rsp), &rsp); 4925 } 4926 4927 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result) 4928 { 4929 struct l2cap_move_chan_cfm cfm; 4930 4931 BT_DBG("chan %p, result 0x%4.4x", chan, result); 4932 4933 chan->ident = l2cap_get_ident(chan->conn); 4934 4935 cfm.icid = cpu_to_le16(chan->scid); 4936 cfm.result = cpu_to_le16(result); 4937 4938 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM, 4939 sizeof(cfm), &cfm); 4940 4941 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT); 4942 } 4943 4944 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid) 4945 { 4946 struct l2cap_move_chan_cfm cfm; 4947 4948 BT_DBG("conn %p, icid 0x%4.4x", conn, icid); 4949 4950 cfm.icid = cpu_to_le16(icid); 4951 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED); 4952 4953 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM, 4954 sizeof(cfm), &cfm); 4955 } 4956 4957 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident, 4958 u16 icid) 4959 { 4960 struct l2cap_move_chan_cfm_rsp rsp; 4961 4962 BT_DBG("icid 0x%4.4x", icid); 4963 4964 rsp.icid = cpu_to_le16(icid); 4965 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp); 4966 } 4967 4968 static void __release_logical_link(struct l2cap_chan *chan) 4969 { 4970 chan->hs_hchan = NULL; 4971 chan->hs_hcon = NULL; 4972 4973 /* Placeholder - release the logical link */ 4974 } 4975 4976 static void l2cap_logical_fail(struct l2cap_chan *chan) 4977 { 4978 /* Logical link setup failed */ 4979 if (chan->state != BT_CONNECTED) { 4980 /* Create channel failure, disconnect */ 4981 l2cap_send_disconn_req(chan, ECONNRESET); 4982 return; 4983 } 4984 4985 switch (chan->move_role) { 4986 case L2CAP_MOVE_ROLE_RESPONDER: 4987 l2cap_move_done(chan); 4988 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP); 4989 break; 4990 case L2CAP_MOVE_ROLE_INITIATOR: 4991 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP || 4992 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) { 4993 /* Remote has only sent pending or 4994 * success responses, clean up 4995 */ 4996 l2cap_move_done(chan); 4997 } 4998 4999 /* Other amp move states imply that the move 5000 * has already aborted 5001 */ 5002 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED); 5003 break; 5004 } 5005 } 5006 5007 static void l2cap_logical_finish_create(struct l2cap_chan *chan, 5008 struct hci_chan *hchan) 5009 { 5010 struct l2cap_conf_rsp rsp; 5011 5012 chan->hs_hchan = hchan; 5013 chan->hs_hcon->l2cap_data = chan->conn; 5014 5015 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0); 5016 5017 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) { 5018 int err; 5019 5020 set_default_fcs(chan); 5021 5022 err = l2cap_ertm_init(chan); 5023 if (err < 0) 5024 l2cap_send_disconn_req(chan, -err); 5025 else 5026 l2cap_chan_ready(chan); 5027 } 5028 } 5029 5030 static void l2cap_logical_finish_move(struct l2cap_chan *chan, 5031 struct hci_chan *hchan) 5032 { 5033 chan->hs_hcon = hchan->conn; 5034 chan->hs_hcon->l2cap_data = chan->conn; 5035 5036 BT_DBG("move_state %d", chan->move_state); 5037 5038 switch (chan->move_state) { 5039 case L2CAP_MOVE_WAIT_LOGICAL_COMP: 5040 /* Move confirm will be sent after a success 5041 * response is received 5042 */ 5043 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS; 5044 break; 5045 case L2CAP_MOVE_WAIT_LOGICAL_CFM: 5046 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5047 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY; 5048 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) { 5049 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP; 5050 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED); 5051 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) { 5052 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM; 5053 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS); 5054 } 5055 break; 5056 default: 5057 /* Move was not in expected state, free the channel */ 5058 __release_logical_link(chan); 5059 5060 chan->move_state = L2CAP_MOVE_STABLE; 5061 } 5062 } 5063 5064 /* Call with chan locked */ 5065 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan, 5066 u8 status) 5067 { 5068 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status); 5069 5070 if (status) { 5071 l2cap_logical_fail(chan); 5072 __release_logical_link(chan); 5073 return; 5074 } 5075 5076 if (chan->state != BT_CONNECTED) { 5077 /* Ignore logical link if channel is on BR/EDR */ 5078 if (chan->local_amp_id != AMP_ID_BREDR) 5079 l2cap_logical_finish_create(chan, hchan); 5080 } else { 5081 l2cap_logical_finish_move(chan, hchan); 5082 } 5083 } 5084 5085 void l2cap_move_start(struct l2cap_chan *chan) 5086 { 5087 BT_DBG("chan %p", chan); 5088 5089 if (chan->local_amp_id == AMP_ID_BREDR) { 5090 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED) 5091 return; 5092 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR; 5093 chan->move_state = L2CAP_MOVE_WAIT_PREPARE; 5094 /* Placeholder - start physical link setup */ 5095 } else { 5096 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR; 5097 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS; 5098 chan->move_id = 0; 5099 l2cap_move_setup(chan); 5100 l2cap_send_move_chan_req(chan, 0); 5101 } 5102 } 5103 5104 static void l2cap_do_create(struct l2cap_chan *chan, int result, 5105 u8 local_amp_id, u8 remote_amp_id) 5106 { 5107 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state), 5108 local_amp_id, remote_amp_id); 5109 5110 chan->fcs = L2CAP_FCS_NONE; 5111 5112 /* Outgoing channel on AMP */ 5113 if (chan->state == BT_CONNECT) { 5114 if (result == L2CAP_CR_SUCCESS) { 5115 chan->local_amp_id = local_amp_id; 5116 l2cap_send_create_chan_req(chan, remote_amp_id); 5117 } else { 5118 /* Revert to BR/EDR connect */ 5119 l2cap_send_conn_req(chan); 5120 } 5121 5122 return; 5123 } 5124 5125 /* Incoming channel on AMP */ 5126 if (__l2cap_no_conn_pending(chan)) { 5127 struct l2cap_conn_rsp rsp; 5128 char buf[128]; 5129 rsp.scid = cpu_to_le16(chan->dcid); 5130 rsp.dcid = cpu_to_le16(chan->scid); 5131 5132 if (result == L2CAP_CR_SUCCESS) { 5133 /* Send successful response */ 5134 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 5135 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 5136 } else { 5137 /* Send negative response */ 5138 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM); 5139 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 5140 } 5141 5142 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP, 5143 sizeof(rsp), &rsp); 5144 5145 if (result == L2CAP_CR_SUCCESS) { 5146 l2cap_state_change(chan, BT_CONFIG); 5147 set_bit(CONF_REQ_SENT, &chan->conf_state); 5148 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn), 5149 L2CAP_CONF_REQ, 5150 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 5151 chan->num_conf_req++; 5152 } 5153 } 5154 } 5155 5156 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id, 5157 u8 remote_amp_id) 5158 { 5159 l2cap_move_setup(chan); 5160 chan->move_id = local_amp_id; 5161 chan->move_state = L2CAP_MOVE_WAIT_RSP; 5162 5163 l2cap_send_move_chan_req(chan, remote_amp_id); 5164 } 5165 5166 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result) 5167 { 5168 struct hci_chan *hchan = NULL; 5169 5170 /* Placeholder - get hci_chan for logical link */ 5171 5172 if (hchan) { 5173 if (hchan->state == BT_CONNECTED) { 5174 /* Logical link is ready to go */ 5175 chan->hs_hcon = hchan->conn; 5176 chan->hs_hcon->l2cap_data = chan->conn; 5177 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM; 5178 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS); 5179 5180 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS); 5181 } else { 5182 /* Wait for logical link to be ready */ 5183 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM; 5184 } 5185 } else { 5186 /* Logical link not available */ 5187 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED); 5188 } 5189 } 5190 5191 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result) 5192 { 5193 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) { 5194 u8 rsp_result; 5195 if (result == -EINVAL) 5196 rsp_result = L2CAP_MR_BAD_ID; 5197 else 5198 rsp_result = L2CAP_MR_NOT_ALLOWED; 5199 5200 l2cap_send_move_chan_rsp(chan, rsp_result); 5201 } 5202 5203 chan->move_role = L2CAP_MOVE_ROLE_NONE; 5204 chan->move_state = L2CAP_MOVE_STABLE; 5205 5206 /* Restart data transmission */ 5207 l2cap_ertm_send(chan); 5208 } 5209 5210 /* Invoke with locked chan */ 5211 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result) 5212 { 5213 u8 local_amp_id = chan->local_amp_id; 5214 u8 remote_amp_id = chan->remote_amp_id; 5215 5216 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d", 5217 chan, result, local_amp_id, remote_amp_id); 5218 5219 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) 5220 return; 5221 5222 if (chan->state != BT_CONNECTED) { 5223 l2cap_do_create(chan, result, local_amp_id, remote_amp_id); 5224 } else if (result != L2CAP_MR_SUCCESS) { 5225 l2cap_do_move_cancel(chan, result); 5226 } else { 5227 switch (chan->move_role) { 5228 case L2CAP_MOVE_ROLE_INITIATOR: 5229 l2cap_do_move_initiate(chan, local_amp_id, 5230 remote_amp_id); 5231 break; 5232 case L2CAP_MOVE_ROLE_RESPONDER: 5233 l2cap_do_move_respond(chan, result); 5234 break; 5235 default: 5236 l2cap_do_move_cancel(chan, result); 5237 break; 5238 } 5239 } 5240 } 5241 5242 static inline int l2cap_move_channel_req(struct l2cap_conn *conn, 5243 struct l2cap_cmd_hdr *cmd, 5244 u16 cmd_len, void *data) 5245 { 5246 struct l2cap_move_chan_req *req = data; 5247 struct l2cap_move_chan_rsp rsp; 5248 struct l2cap_chan *chan; 5249 u16 icid = 0; 5250 u16 result = L2CAP_MR_NOT_ALLOWED; 5251 5252 if (cmd_len != sizeof(*req)) 5253 return -EPROTO; 5254 5255 icid = le16_to_cpu(req->icid); 5256 5257 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id); 5258 5259 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP)) 5260 return -EINVAL; 5261 5262 chan = l2cap_get_chan_by_dcid(conn, icid); 5263 if (!chan) { 5264 rsp.icid = cpu_to_le16(icid); 5265 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED); 5266 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP, 5267 sizeof(rsp), &rsp); 5268 return 0; 5269 } 5270 5271 chan->ident = cmd->ident; 5272 5273 if (chan->scid < L2CAP_CID_DYN_START || 5274 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY || 5275 (chan->mode != L2CAP_MODE_ERTM && 5276 chan->mode != L2CAP_MODE_STREAMING)) { 5277 result = L2CAP_MR_NOT_ALLOWED; 5278 goto send_move_response; 5279 } 5280 5281 if (chan->local_amp_id == req->dest_amp_id) { 5282 result = L2CAP_MR_SAME_ID; 5283 goto send_move_response; 5284 } 5285 5286 if (req->dest_amp_id != AMP_ID_BREDR) { 5287 struct hci_dev *hdev; 5288 hdev = hci_dev_get(req->dest_amp_id); 5289 if (!hdev || hdev->dev_type != HCI_AMP || 5290 !test_bit(HCI_UP, &hdev->flags)) { 5291 if (hdev) 5292 hci_dev_put(hdev); 5293 5294 result = L2CAP_MR_BAD_ID; 5295 goto send_move_response; 5296 } 5297 hci_dev_put(hdev); 5298 } 5299 5300 /* Detect a move collision. Only send a collision response 5301 * if this side has "lost", otherwise proceed with the move. 5302 * The winner has the larger bd_addr. 5303 */ 5304 if ((__chan_is_moving(chan) || 5305 chan->move_role != L2CAP_MOVE_ROLE_NONE) && 5306 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) { 5307 result = L2CAP_MR_COLLISION; 5308 goto send_move_response; 5309 } 5310 5311 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER; 5312 l2cap_move_setup(chan); 5313 chan->move_id = req->dest_amp_id; 5314 5315 if (req->dest_amp_id == AMP_ID_BREDR) { 5316 /* Moving to BR/EDR */ 5317 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5318 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY; 5319 result = L2CAP_MR_PEND; 5320 } else { 5321 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM; 5322 result = L2CAP_MR_SUCCESS; 5323 } 5324 } else { 5325 chan->move_state = L2CAP_MOVE_WAIT_PREPARE; 5326 /* Placeholder - uncomment when amp functions are available */ 5327 /*amp_accept_physical(chan, req->dest_amp_id);*/ 5328 result = L2CAP_MR_PEND; 5329 } 5330 5331 send_move_response: 5332 l2cap_send_move_chan_rsp(chan, result); 5333 5334 l2cap_chan_unlock(chan); 5335 l2cap_chan_put(chan); 5336 5337 return 0; 5338 } 5339 5340 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result) 5341 { 5342 struct l2cap_chan *chan; 5343 struct hci_chan *hchan = NULL; 5344 5345 chan = l2cap_get_chan_by_scid(conn, icid); 5346 if (!chan) { 5347 l2cap_send_move_chan_cfm_icid(conn, icid); 5348 return; 5349 } 5350 5351 __clear_chan_timer(chan); 5352 if (result == L2CAP_MR_PEND) 5353 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT); 5354 5355 switch (chan->move_state) { 5356 case L2CAP_MOVE_WAIT_LOGICAL_COMP: 5357 /* Move confirm will be sent when logical link 5358 * is complete. 5359 */ 5360 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM; 5361 break; 5362 case L2CAP_MOVE_WAIT_RSP_SUCCESS: 5363 if (result == L2CAP_MR_PEND) { 5364 break; 5365 } else if (test_bit(CONN_LOCAL_BUSY, 5366 &chan->conn_state)) { 5367 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY; 5368 } else { 5369 /* Logical link is up or moving to BR/EDR, 5370 * proceed with move 5371 */ 5372 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP; 5373 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED); 5374 } 5375 break; 5376 case L2CAP_MOVE_WAIT_RSP: 5377 /* Moving to AMP */ 5378 if (result == L2CAP_MR_SUCCESS) { 5379 /* Remote is ready, send confirm immediately 5380 * after logical link is ready 5381 */ 5382 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM; 5383 } else { 5384 /* Both logical link and move success 5385 * are required to confirm 5386 */ 5387 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP; 5388 } 5389 5390 /* Placeholder - get hci_chan for logical link */ 5391 if (!hchan) { 5392 /* Logical link not available */ 5393 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED); 5394 break; 5395 } 5396 5397 /* If the logical link is not yet connected, do not 5398 * send confirmation. 5399 */ 5400 if (hchan->state != BT_CONNECTED) 5401 break; 5402 5403 /* Logical link is already ready to go */ 5404 5405 chan->hs_hcon = hchan->conn; 5406 chan->hs_hcon->l2cap_data = chan->conn; 5407 5408 if (result == L2CAP_MR_SUCCESS) { 5409 /* Can confirm now */ 5410 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED); 5411 } else { 5412 /* Now only need move success 5413 * to confirm 5414 */ 5415 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS; 5416 } 5417 5418 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS); 5419 break; 5420 default: 5421 /* Any other amp move state means the move failed. */ 5422 chan->move_id = chan->local_amp_id; 5423 l2cap_move_done(chan); 5424 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED); 5425 } 5426 5427 l2cap_chan_unlock(chan); 5428 l2cap_chan_put(chan); 5429 } 5430 5431 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid, 5432 u16 result) 5433 { 5434 struct l2cap_chan *chan; 5435 5436 chan = l2cap_get_chan_by_ident(conn, ident); 5437 if (!chan) { 5438 /* Could not locate channel, icid is best guess */ 5439 l2cap_send_move_chan_cfm_icid(conn, icid); 5440 return; 5441 } 5442 5443 __clear_chan_timer(chan); 5444 5445 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) { 5446 if (result == L2CAP_MR_COLLISION) { 5447 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER; 5448 } else { 5449 /* Cleanup - cancel move */ 5450 chan->move_id = chan->local_amp_id; 5451 l2cap_move_done(chan); 5452 } 5453 } 5454 5455 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED); 5456 5457 l2cap_chan_unlock(chan); 5458 l2cap_chan_put(chan); 5459 } 5460 5461 static int l2cap_move_channel_rsp(struct l2cap_conn *conn, 5462 struct l2cap_cmd_hdr *cmd, 5463 u16 cmd_len, void *data) 5464 { 5465 struct l2cap_move_chan_rsp *rsp = data; 5466 u16 icid, result; 5467 5468 if (cmd_len != sizeof(*rsp)) 5469 return -EPROTO; 5470 5471 icid = le16_to_cpu(rsp->icid); 5472 result = le16_to_cpu(rsp->result); 5473 5474 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result); 5475 5476 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND) 5477 l2cap_move_continue(conn, icid, result); 5478 else 5479 l2cap_move_fail(conn, cmd->ident, icid, result); 5480 5481 return 0; 5482 } 5483 5484 static int l2cap_move_channel_confirm(struct l2cap_conn *conn, 5485 struct l2cap_cmd_hdr *cmd, 5486 u16 cmd_len, void *data) 5487 { 5488 struct l2cap_move_chan_cfm *cfm = data; 5489 struct l2cap_chan *chan; 5490 u16 icid, result; 5491 5492 if (cmd_len != sizeof(*cfm)) 5493 return -EPROTO; 5494 5495 icid = le16_to_cpu(cfm->icid); 5496 result = le16_to_cpu(cfm->result); 5497 5498 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result); 5499 5500 chan = l2cap_get_chan_by_dcid(conn, icid); 5501 if (!chan) { 5502 /* Spec requires a response even if the icid was not found */ 5503 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid); 5504 return 0; 5505 } 5506 5507 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) { 5508 if (result == L2CAP_MC_CONFIRMED) { 5509 chan->local_amp_id = chan->move_id; 5510 if (chan->local_amp_id == AMP_ID_BREDR) 5511 __release_logical_link(chan); 5512 } else { 5513 chan->move_id = chan->local_amp_id; 5514 } 5515 5516 l2cap_move_done(chan); 5517 } 5518 5519 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid); 5520 5521 l2cap_chan_unlock(chan); 5522 l2cap_chan_put(chan); 5523 5524 return 0; 5525 } 5526 5527 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn, 5528 struct l2cap_cmd_hdr *cmd, 5529 u16 cmd_len, void *data) 5530 { 5531 struct l2cap_move_chan_cfm_rsp *rsp = data; 5532 struct l2cap_chan *chan; 5533 u16 icid; 5534 5535 if (cmd_len != sizeof(*rsp)) 5536 return -EPROTO; 5537 5538 icid = le16_to_cpu(rsp->icid); 5539 5540 BT_DBG("icid 0x%4.4x", icid); 5541 5542 chan = l2cap_get_chan_by_scid(conn, icid); 5543 if (!chan) 5544 return 0; 5545 5546 __clear_chan_timer(chan); 5547 5548 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) { 5549 chan->local_amp_id = chan->move_id; 5550 5551 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan) 5552 __release_logical_link(chan); 5553 5554 l2cap_move_done(chan); 5555 } 5556 5557 l2cap_chan_unlock(chan); 5558 l2cap_chan_put(chan); 5559 5560 return 0; 5561 } 5562 5563 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, 5564 struct l2cap_cmd_hdr *cmd, 5565 u16 cmd_len, u8 *data) 5566 { 5567 struct hci_conn *hcon = conn->hcon; 5568 struct l2cap_conn_param_update_req *req; 5569 struct l2cap_conn_param_update_rsp rsp; 5570 u16 min, max, latency, to_multiplier; 5571 int err; 5572 5573 if (hcon->role != HCI_ROLE_MASTER) 5574 return -EINVAL; 5575 5576 if (cmd_len != sizeof(struct l2cap_conn_param_update_req)) 5577 return -EPROTO; 5578 5579 req = (struct l2cap_conn_param_update_req *) data; 5580 min = __le16_to_cpu(req->min); 5581 max = __le16_to_cpu(req->max); 5582 latency = __le16_to_cpu(req->latency); 5583 to_multiplier = __le16_to_cpu(req->to_multiplier); 5584 5585 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x", 5586 min, max, latency, to_multiplier); 5587 5588 memset(&rsp, 0, sizeof(rsp)); 5589 5590 err = hci_check_conn_params(min, max, latency, to_multiplier); 5591 if (err) 5592 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); 5593 else 5594 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED); 5595 5596 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP, 5597 sizeof(rsp), &rsp); 5598 5599 if (!err) { 5600 u8 store_hint; 5601 5602 store_hint = hci_le_conn_update(hcon, min, max, latency, 5603 to_multiplier); 5604 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type, 5605 store_hint, min, max, latency, 5606 to_multiplier); 5607 5608 } 5609 5610 return 0; 5611 } 5612 5613 static int l2cap_le_connect_rsp(struct l2cap_conn *conn, 5614 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5615 u8 *data) 5616 { 5617 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data; 5618 struct hci_conn *hcon = conn->hcon; 5619 u16 dcid, mtu, mps, credits, result; 5620 struct l2cap_chan *chan; 5621 int err, sec_level; 5622 5623 if (cmd_len < sizeof(*rsp)) 5624 return -EPROTO; 5625 5626 dcid = __le16_to_cpu(rsp->dcid); 5627 mtu = __le16_to_cpu(rsp->mtu); 5628 mps = __le16_to_cpu(rsp->mps); 5629 credits = __le16_to_cpu(rsp->credits); 5630 result = __le16_to_cpu(rsp->result); 5631 5632 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 || 5633 dcid < L2CAP_CID_DYN_START || 5634 dcid > L2CAP_CID_LE_DYN_END)) 5635 return -EPROTO; 5636 5637 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x", 5638 dcid, mtu, mps, credits, result); 5639 5640 mutex_lock(&conn->chan_lock); 5641 5642 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 5643 if (!chan) { 5644 err = -EBADSLT; 5645 goto unlock; 5646 } 5647 5648 err = 0; 5649 5650 l2cap_chan_lock(chan); 5651 5652 switch (result) { 5653 case L2CAP_CR_LE_SUCCESS: 5654 if (__l2cap_get_chan_by_dcid(conn, dcid)) { 5655 err = -EBADSLT; 5656 break; 5657 } 5658 5659 chan->ident = 0; 5660 chan->dcid = dcid; 5661 chan->omtu = mtu; 5662 chan->remote_mps = mps; 5663 chan->tx_credits = credits; 5664 l2cap_chan_ready(chan); 5665 break; 5666 5667 case L2CAP_CR_LE_AUTHENTICATION: 5668 case L2CAP_CR_LE_ENCRYPTION: 5669 /* If we already have MITM protection we can't do 5670 * anything. 5671 */ 5672 if (hcon->sec_level > BT_SECURITY_MEDIUM) { 5673 l2cap_chan_del(chan, ECONNREFUSED); 5674 break; 5675 } 5676 5677 sec_level = hcon->sec_level + 1; 5678 if (chan->sec_level < sec_level) 5679 chan->sec_level = sec_level; 5680 5681 /* We'll need to send a new Connect Request */ 5682 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags); 5683 5684 smp_conn_security(hcon, chan->sec_level); 5685 break; 5686 5687 default: 5688 l2cap_chan_del(chan, ECONNREFUSED); 5689 break; 5690 } 5691 5692 l2cap_chan_unlock(chan); 5693 5694 unlock: 5695 mutex_unlock(&conn->chan_lock); 5696 5697 return err; 5698 } 5699 5700 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, 5701 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5702 u8 *data) 5703 { 5704 int err = 0; 5705 5706 switch (cmd->code) { 5707 case L2CAP_COMMAND_REJ: 5708 l2cap_command_rej(conn, cmd, cmd_len, data); 5709 break; 5710 5711 case L2CAP_CONN_REQ: 5712 err = l2cap_connect_req(conn, cmd, cmd_len, data); 5713 break; 5714 5715 case L2CAP_CONN_RSP: 5716 case L2CAP_CREATE_CHAN_RSP: 5717 l2cap_connect_create_rsp(conn, cmd, cmd_len, data); 5718 break; 5719 5720 case L2CAP_CONF_REQ: 5721 err = l2cap_config_req(conn, cmd, cmd_len, data); 5722 break; 5723 5724 case L2CAP_CONF_RSP: 5725 l2cap_config_rsp(conn, cmd, cmd_len, data); 5726 break; 5727 5728 case L2CAP_DISCONN_REQ: 5729 err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 5730 break; 5731 5732 case L2CAP_DISCONN_RSP: 5733 l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 5734 break; 5735 5736 case L2CAP_ECHO_REQ: 5737 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data); 5738 break; 5739 5740 case L2CAP_ECHO_RSP: 5741 break; 5742 5743 case L2CAP_INFO_REQ: 5744 err = l2cap_information_req(conn, cmd, cmd_len, data); 5745 break; 5746 5747 case L2CAP_INFO_RSP: 5748 l2cap_information_rsp(conn, cmd, cmd_len, data); 5749 break; 5750 5751 case L2CAP_CREATE_CHAN_REQ: 5752 err = l2cap_create_channel_req(conn, cmd, cmd_len, data); 5753 break; 5754 5755 case L2CAP_MOVE_CHAN_REQ: 5756 err = l2cap_move_channel_req(conn, cmd, cmd_len, data); 5757 break; 5758 5759 case L2CAP_MOVE_CHAN_RSP: 5760 l2cap_move_channel_rsp(conn, cmd, cmd_len, data); 5761 break; 5762 5763 case L2CAP_MOVE_CHAN_CFM: 5764 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data); 5765 break; 5766 5767 case L2CAP_MOVE_CHAN_CFM_RSP: 5768 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data); 5769 break; 5770 5771 default: 5772 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code); 5773 err = -EINVAL; 5774 break; 5775 } 5776 5777 return err; 5778 } 5779 5780 static int l2cap_le_connect_req(struct l2cap_conn *conn, 5781 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5782 u8 *data) 5783 { 5784 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data; 5785 struct l2cap_le_conn_rsp rsp; 5786 struct l2cap_chan *chan, *pchan; 5787 u16 dcid, scid, credits, mtu, mps; 5788 __le16 psm; 5789 u8 result; 5790 5791 if (cmd_len != sizeof(*req)) 5792 return -EPROTO; 5793 5794 scid = __le16_to_cpu(req->scid); 5795 mtu = __le16_to_cpu(req->mtu); 5796 mps = __le16_to_cpu(req->mps); 5797 psm = req->psm; 5798 dcid = 0; 5799 credits = 0; 5800 5801 if (mtu < 23 || mps < 23) 5802 return -EPROTO; 5803 5804 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), 5805 scid, mtu, mps); 5806 5807 /* Check if we have socket listening on psm */ 5808 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 5809 &conn->hcon->dst, LE_LINK); 5810 if (!pchan) { 5811 result = L2CAP_CR_LE_BAD_PSM; 5812 chan = NULL; 5813 goto response; 5814 } 5815 5816 mutex_lock(&conn->chan_lock); 5817 l2cap_chan_lock(pchan); 5818 5819 if (!smp_sufficient_security(conn->hcon, pchan->sec_level, 5820 SMP_ALLOW_STK)) { 5821 result = L2CAP_CR_LE_AUTHENTICATION; 5822 chan = NULL; 5823 goto response_unlock; 5824 } 5825 5826 /* Check for valid dynamic CID range */ 5827 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { 5828 result = L2CAP_CR_LE_INVALID_SCID; 5829 chan = NULL; 5830 goto response_unlock; 5831 } 5832 5833 /* Check if we already have channel with that dcid */ 5834 if (__l2cap_get_chan_by_dcid(conn, scid)) { 5835 result = L2CAP_CR_LE_SCID_IN_USE; 5836 chan = NULL; 5837 goto response_unlock; 5838 } 5839 5840 chan = pchan->ops->new_connection(pchan); 5841 if (!chan) { 5842 result = L2CAP_CR_LE_NO_MEM; 5843 goto response_unlock; 5844 } 5845 5846 bacpy(&chan->src, &conn->hcon->src); 5847 bacpy(&chan->dst, &conn->hcon->dst); 5848 chan->src_type = bdaddr_src_type(conn->hcon); 5849 chan->dst_type = bdaddr_dst_type(conn->hcon); 5850 chan->psm = psm; 5851 chan->dcid = scid; 5852 chan->omtu = mtu; 5853 chan->remote_mps = mps; 5854 5855 __l2cap_chan_add(conn, chan); 5856 5857 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits)); 5858 5859 dcid = chan->scid; 5860 credits = chan->rx_credits; 5861 5862 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 5863 5864 chan->ident = cmd->ident; 5865 5866 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 5867 l2cap_state_change(chan, BT_CONNECT2); 5868 /* The following result value is actually not defined 5869 * for LE CoC but we use it to let the function know 5870 * that it should bail out after doing its cleanup 5871 * instead of sending a response. 5872 */ 5873 result = L2CAP_CR_PEND; 5874 chan->ops->defer(chan); 5875 } else { 5876 l2cap_chan_ready(chan); 5877 result = L2CAP_CR_LE_SUCCESS; 5878 } 5879 5880 response_unlock: 5881 l2cap_chan_unlock(pchan); 5882 mutex_unlock(&conn->chan_lock); 5883 l2cap_chan_put(pchan); 5884 5885 if (result == L2CAP_CR_PEND) 5886 return 0; 5887 5888 response: 5889 if (chan) { 5890 rsp.mtu = cpu_to_le16(chan->imtu); 5891 rsp.mps = cpu_to_le16(chan->mps); 5892 } else { 5893 rsp.mtu = 0; 5894 rsp.mps = 0; 5895 } 5896 5897 rsp.dcid = cpu_to_le16(dcid); 5898 rsp.credits = cpu_to_le16(credits); 5899 rsp.result = cpu_to_le16(result); 5900 5901 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp); 5902 5903 return 0; 5904 } 5905 5906 static inline int l2cap_le_credits(struct l2cap_conn *conn, 5907 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5908 u8 *data) 5909 { 5910 struct l2cap_le_credits *pkt; 5911 struct l2cap_chan *chan; 5912 u16 cid, credits, max_credits; 5913 5914 if (cmd_len != sizeof(*pkt)) 5915 return -EPROTO; 5916 5917 pkt = (struct l2cap_le_credits *) data; 5918 cid = __le16_to_cpu(pkt->cid); 5919 credits = __le16_to_cpu(pkt->credits); 5920 5921 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits); 5922 5923 chan = l2cap_get_chan_by_dcid(conn, cid); 5924 if (!chan) 5925 return -EBADSLT; 5926 5927 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits; 5928 if (credits > max_credits) { 5929 BT_ERR("LE credits overflow"); 5930 l2cap_send_disconn_req(chan, ECONNRESET); 5931 5932 /* Return 0 so that we don't trigger an unnecessary 5933 * command reject packet. 5934 */ 5935 goto unlock; 5936 } 5937 5938 chan->tx_credits += credits; 5939 5940 /* Resume sending */ 5941 l2cap_le_flowctl_send(chan); 5942 5943 if (chan->tx_credits) 5944 chan->ops->resume(chan); 5945 5946 unlock: 5947 l2cap_chan_unlock(chan); 5948 l2cap_chan_put(chan); 5949 5950 return 0; 5951 } 5952 5953 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, 5954 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5955 u8 *data) 5956 { 5957 struct l2cap_ecred_conn_req *req = (void *) data; 5958 struct { 5959 struct l2cap_ecred_conn_rsp rsp; 5960 __le16 dcid[L2CAP_ECRED_MAX_CID]; 5961 } __packed pdu; 5962 struct l2cap_chan *chan, *pchan; 5963 u16 mtu, mps; 5964 __le16 psm; 5965 u8 result, len = 0; 5966 int i, num_scid; 5967 bool defer = false; 5968 5969 if (!enable_ecred) 5970 return -EINVAL; 5971 5972 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) { 5973 result = L2CAP_CR_LE_INVALID_PARAMS; 5974 goto response; 5975 } 5976 5977 cmd_len -= sizeof(*req); 5978 num_scid = cmd_len / sizeof(u16); 5979 5980 if (num_scid > ARRAY_SIZE(pdu.dcid)) { 5981 result = L2CAP_CR_LE_INVALID_PARAMS; 5982 goto response; 5983 } 5984 5985 mtu = __le16_to_cpu(req->mtu); 5986 mps = __le16_to_cpu(req->mps); 5987 5988 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) { 5989 result = L2CAP_CR_LE_UNACCEPT_PARAMS; 5990 goto response; 5991 } 5992 5993 psm = req->psm; 5994 5995 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps); 5996 5997 memset(&pdu, 0, sizeof(pdu)); 5998 5999 /* Check if we have socket listening on psm */ 6000 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 6001 &conn->hcon->dst, LE_LINK); 6002 if (!pchan) { 6003 result = L2CAP_CR_LE_BAD_PSM; 6004 goto response; 6005 } 6006 6007 mutex_lock(&conn->chan_lock); 6008 l2cap_chan_lock(pchan); 6009 6010 if (!smp_sufficient_security(conn->hcon, pchan->sec_level, 6011 SMP_ALLOW_STK)) { 6012 result = L2CAP_CR_LE_AUTHENTICATION; 6013 goto unlock; 6014 } 6015 6016 result = L2CAP_CR_LE_SUCCESS; 6017 6018 for (i = 0; i < num_scid; i++) { 6019 u16 scid = __le16_to_cpu(req->scid[i]); 6020 6021 BT_DBG("scid[%d] 0x%4.4x", i, scid); 6022 6023 pdu.dcid[i] = 0x0000; 6024 len += sizeof(*pdu.dcid); 6025 6026 /* Check for valid dynamic CID range */ 6027 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { 6028 result = L2CAP_CR_LE_INVALID_SCID; 6029 continue; 6030 } 6031 6032 /* Check if we already have channel with that dcid */ 6033 if (__l2cap_get_chan_by_dcid(conn, scid)) { 6034 result = L2CAP_CR_LE_SCID_IN_USE; 6035 continue; 6036 } 6037 6038 chan = pchan->ops->new_connection(pchan); 6039 if (!chan) { 6040 result = L2CAP_CR_LE_NO_MEM; 6041 continue; 6042 } 6043 6044 bacpy(&chan->src, &conn->hcon->src); 6045 bacpy(&chan->dst, &conn->hcon->dst); 6046 chan->src_type = bdaddr_src_type(conn->hcon); 6047 chan->dst_type = bdaddr_dst_type(conn->hcon); 6048 chan->psm = psm; 6049 chan->dcid = scid; 6050 chan->omtu = mtu; 6051 chan->remote_mps = mps; 6052 6053 __l2cap_chan_add(conn, chan); 6054 6055 l2cap_ecred_init(chan, __le16_to_cpu(req->credits)); 6056 6057 /* Init response */ 6058 if (!pdu.rsp.credits) { 6059 pdu.rsp.mtu = cpu_to_le16(chan->imtu); 6060 pdu.rsp.mps = cpu_to_le16(chan->mps); 6061 pdu.rsp.credits = cpu_to_le16(chan->rx_credits); 6062 } 6063 6064 pdu.dcid[i] = cpu_to_le16(chan->scid); 6065 6066 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 6067 6068 chan->ident = cmd->ident; 6069 6070 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 6071 l2cap_state_change(chan, BT_CONNECT2); 6072 defer = true; 6073 chan->ops->defer(chan); 6074 } else { 6075 l2cap_chan_ready(chan); 6076 } 6077 } 6078 6079 unlock: 6080 l2cap_chan_unlock(pchan); 6081 mutex_unlock(&conn->chan_lock); 6082 l2cap_chan_put(pchan); 6083 6084 response: 6085 pdu.rsp.result = cpu_to_le16(result); 6086 6087 if (defer) 6088 return 0; 6089 6090 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP, 6091 sizeof(pdu.rsp) + len, &pdu); 6092 6093 return 0; 6094 } 6095 6096 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn, 6097 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 6098 u8 *data) 6099 { 6100 struct l2cap_ecred_conn_rsp *rsp = (void *) data; 6101 struct hci_conn *hcon = conn->hcon; 6102 u16 mtu, mps, credits, result; 6103 struct l2cap_chan *chan, *tmp; 6104 int err = 0, sec_level; 6105 int i = 0; 6106 6107 if (cmd_len < sizeof(*rsp)) 6108 return -EPROTO; 6109 6110 mtu = __le16_to_cpu(rsp->mtu); 6111 mps = __le16_to_cpu(rsp->mps); 6112 credits = __le16_to_cpu(rsp->credits); 6113 result = __le16_to_cpu(rsp->result); 6114 6115 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits, 6116 result); 6117 6118 mutex_lock(&conn->chan_lock); 6119 6120 cmd_len -= sizeof(*rsp); 6121 6122 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 6123 u16 dcid; 6124 6125 if (chan->ident != cmd->ident || 6126 chan->mode != L2CAP_MODE_EXT_FLOWCTL || 6127 chan->state == BT_CONNECTED) 6128 continue; 6129 6130 l2cap_chan_lock(chan); 6131 6132 /* Check that there is a dcid for each pending channel */ 6133 if (cmd_len < sizeof(dcid)) { 6134 l2cap_chan_del(chan, ECONNREFUSED); 6135 l2cap_chan_unlock(chan); 6136 continue; 6137 } 6138 6139 dcid = __le16_to_cpu(rsp->dcid[i++]); 6140 cmd_len -= sizeof(u16); 6141 6142 BT_DBG("dcid[%d] 0x%4.4x", i, dcid); 6143 6144 /* Check if dcid is already in use */ 6145 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) { 6146 /* If a device receives a 6147 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an 6148 * already-assigned Destination CID, then both the 6149 * original channel and the new channel shall be 6150 * immediately discarded and not used. 6151 */ 6152 l2cap_chan_del(chan, ECONNREFUSED); 6153 l2cap_chan_unlock(chan); 6154 chan = __l2cap_get_chan_by_dcid(conn, dcid); 6155 l2cap_chan_lock(chan); 6156 l2cap_chan_del(chan, ECONNRESET); 6157 l2cap_chan_unlock(chan); 6158 continue; 6159 } 6160 6161 switch (result) { 6162 case L2CAP_CR_LE_AUTHENTICATION: 6163 case L2CAP_CR_LE_ENCRYPTION: 6164 /* If we already have MITM protection we can't do 6165 * anything. 6166 */ 6167 if (hcon->sec_level > BT_SECURITY_MEDIUM) { 6168 l2cap_chan_del(chan, ECONNREFUSED); 6169 break; 6170 } 6171 6172 sec_level = hcon->sec_level + 1; 6173 if (chan->sec_level < sec_level) 6174 chan->sec_level = sec_level; 6175 6176 /* We'll need to send a new Connect Request */ 6177 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags); 6178 6179 smp_conn_security(hcon, chan->sec_level); 6180 break; 6181 6182 case L2CAP_CR_LE_BAD_PSM: 6183 l2cap_chan_del(chan, ECONNREFUSED); 6184 break; 6185 6186 default: 6187 /* If dcid was not set it means channels was refused */ 6188 if (!dcid) { 6189 l2cap_chan_del(chan, ECONNREFUSED); 6190 break; 6191 } 6192 6193 chan->ident = 0; 6194 chan->dcid = dcid; 6195 chan->omtu = mtu; 6196 chan->remote_mps = mps; 6197 chan->tx_credits = credits; 6198 l2cap_chan_ready(chan); 6199 break; 6200 } 6201 6202 l2cap_chan_unlock(chan); 6203 } 6204 6205 mutex_unlock(&conn->chan_lock); 6206 6207 return err; 6208 } 6209 6210 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn, 6211 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 6212 u8 *data) 6213 { 6214 struct l2cap_ecred_reconf_req *req = (void *) data; 6215 struct l2cap_ecred_reconf_rsp rsp; 6216 u16 mtu, mps, result; 6217 struct l2cap_chan *chan; 6218 int i, num_scid; 6219 6220 if (!enable_ecred) 6221 return -EINVAL; 6222 6223 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) { 6224 result = L2CAP_CR_LE_INVALID_PARAMS; 6225 goto respond; 6226 } 6227 6228 mtu = __le16_to_cpu(req->mtu); 6229 mps = __le16_to_cpu(req->mps); 6230 6231 BT_DBG("mtu %u mps %u", mtu, mps); 6232 6233 if (mtu < L2CAP_ECRED_MIN_MTU) { 6234 result = L2CAP_RECONF_INVALID_MTU; 6235 goto respond; 6236 } 6237 6238 if (mps < L2CAP_ECRED_MIN_MPS) { 6239 result = L2CAP_RECONF_INVALID_MPS; 6240 goto respond; 6241 } 6242 6243 cmd_len -= sizeof(*req); 6244 num_scid = cmd_len / sizeof(u16); 6245 result = L2CAP_RECONF_SUCCESS; 6246 6247 for (i = 0; i < num_scid; i++) { 6248 u16 scid; 6249 6250 scid = __le16_to_cpu(req->scid[i]); 6251 if (!scid) 6252 return -EPROTO; 6253 6254 chan = __l2cap_get_chan_by_dcid(conn, scid); 6255 if (!chan) 6256 continue; 6257 6258 /* If the MTU value is decreased for any of the included 6259 * channels, then the receiver shall disconnect all 6260 * included channels. 6261 */ 6262 if (chan->omtu > mtu) { 6263 BT_ERR("chan %p decreased MTU %u -> %u", chan, 6264 chan->omtu, mtu); 6265 result = L2CAP_RECONF_INVALID_MTU; 6266 } 6267 6268 chan->omtu = mtu; 6269 chan->remote_mps = mps; 6270 } 6271 6272 respond: 6273 rsp.result = cpu_to_le16(result); 6274 6275 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp), 6276 &rsp); 6277 6278 return 0; 6279 } 6280 6281 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn, 6282 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 6283 u8 *data) 6284 { 6285 struct l2cap_chan *chan, *tmp; 6286 struct l2cap_ecred_conn_rsp *rsp = (void *) data; 6287 u16 result; 6288 6289 if (cmd_len < sizeof(*rsp)) 6290 return -EPROTO; 6291 6292 result = __le16_to_cpu(rsp->result); 6293 6294 BT_DBG("result 0x%4.4x", rsp->result); 6295 6296 if (!result) 6297 return 0; 6298 6299 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 6300 if (chan->ident != cmd->ident) 6301 continue; 6302 6303 l2cap_chan_del(chan, ECONNRESET); 6304 } 6305 6306 return 0; 6307 } 6308 6309 static inline int l2cap_le_command_rej(struct l2cap_conn *conn, 6310 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 6311 u8 *data) 6312 { 6313 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 6314 struct l2cap_chan *chan; 6315 6316 if (cmd_len < sizeof(*rej)) 6317 return -EPROTO; 6318 6319 mutex_lock(&conn->chan_lock); 6320 6321 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 6322 if (!chan) 6323 goto done; 6324 6325 l2cap_chan_lock(chan); 6326 l2cap_chan_del(chan, ECONNREFUSED); 6327 l2cap_chan_unlock(chan); 6328 6329 done: 6330 mutex_unlock(&conn->chan_lock); 6331 return 0; 6332 } 6333 6334 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn, 6335 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 6336 u8 *data) 6337 { 6338 int err = 0; 6339 6340 switch (cmd->code) { 6341 case L2CAP_COMMAND_REJ: 6342 l2cap_le_command_rej(conn, cmd, cmd_len, data); 6343 break; 6344 6345 case L2CAP_CONN_PARAM_UPDATE_REQ: 6346 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data); 6347 break; 6348 6349 case L2CAP_CONN_PARAM_UPDATE_RSP: 6350 break; 6351 6352 case L2CAP_LE_CONN_RSP: 6353 l2cap_le_connect_rsp(conn, cmd, cmd_len, data); 6354 break; 6355 6356 case L2CAP_LE_CONN_REQ: 6357 err = l2cap_le_connect_req(conn, cmd, cmd_len, data); 6358 break; 6359 6360 case L2CAP_LE_CREDITS: 6361 err = l2cap_le_credits(conn, cmd, cmd_len, data); 6362 break; 6363 6364 case L2CAP_ECRED_CONN_REQ: 6365 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data); 6366 break; 6367 6368 case L2CAP_ECRED_CONN_RSP: 6369 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data); 6370 break; 6371 6372 case L2CAP_ECRED_RECONF_REQ: 6373 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data); 6374 break; 6375 6376 case L2CAP_ECRED_RECONF_RSP: 6377 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data); 6378 break; 6379 6380 case L2CAP_DISCONN_REQ: 6381 err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 6382 break; 6383 6384 case L2CAP_DISCONN_RSP: 6385 l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 6386 break; 6387 6388 default: 6389 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code); 6390 err = -EINVAL; 6391 break; 6392 } 6393 6394 return err; 6395 } 6396 6397 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn, 6398 struct sk_buff *skb) 6399 { 6400 struct hci_conn *hcon = conn->hcon; 6401 struct l2cap_cmd_hdr *cmd; 6402 u16 len; 6403 int err; 6404 6405 if (hcon->type != LE_LINK) 6406 goto drop; 6407 6408 if (skb->len < L2CAP_CMD_HDR_SIZE) 6409 goto drop; 6410 6411 cmd = (void *) skb->data; 6412 skb_pull(skb, L2CAP_CMD_HDR_SIZE); 6413 6414 len = le16_to_cpu(cmd->len); 6415 6416 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident); 6417 6418 if (len != skb->len || !cmd->ident) { 6419 BT_DBG("corrupted command"); 6420 goto drop; 6421 } 6422 6423 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data); 6424 if (err) { 6425 struct l2cap_cmd_rej_unk rej; 6426 6427 BT_ERR("Wrong link type (%d)", err); 6428 6429 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 6430 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, 6431 sizeof(rej), &rej); 6432 } 6433 6434 drop: 6435 kfree_skb(skb); 6436 } 6437 6438 static inline void l2cap_sig_channel(struct l2cap_conn *conn, 6439 struct sk_buff *skb) 6440 { 6441 struct hci_conn *hcon = conn->hcon; 6442 struct l2cap_cmd_hdr *cmd; 6443 int err; 6444 6445 l2cap_raw_recv(conn, skb); 6446 6447 if (hcon->type != ACL_LINK) 6448 goto drop; 6449 6450 while (skb->len >= L2CAP_CMD_HDR_SIZE) { 6451 u16 len; 6452 6453 cmd = (void *) skb->data; 6454 skb_pull(skb, L2CAP_CMD_HDR_SIZE); 6455 6456 len = le16_to_cpu(cmd->len); 6457 6458 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, 6459 cmd->ident); 6460 6461 if (len > skb->len || !cmd->ident) { 6462 BT_DBG("corrupted command"); 6463 break; 6464 } 6465 6466 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data); 6467 if (err) { 6468 struct l2cap_cmd_rej_unk rej; 6469 6470 BT_ERR("Wrong link type (%d)", err); 6471 6472 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 6473 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, 6474 sizeof(rej), &rej); 6475 } 6476 6477 skb_pull(skb, len); 6478 } 6479 6480 drop: 6481 kfree_skb(skb); 6482 } 6483 6484 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb) 6485 { 6486 u16 our_fcs, rcv_fcs; 6487 int hdr_size; 6488 6489 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 6490 hdr_size = L2CAP_EXT_HDR_SIZE; 6491 else 6492 hdr_size = L2CAP_ENH_HDR_SIZE; 6493 6494 if (chan->fcs == L2CAP_FCS_CRC16) { 6495 skb_trim(skb, skb->len - L2CAP_FCS_SIZE); 6496 rcv_fcs = get_unaligned_le16(skb->data + skb->len); 6497 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size); 6498 6499 if (our_fcs != rcv_fcs) 6500 return -EBADMSG; 6501 } 6502 return 0; 6503 } 6504 6505 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan) 6506 { 6507 struct l2cap_ctrl control; 6508 6509 BT_DBG("chan %p", chan); 6510 6511 memset(&control, 0, sizeof(control)); 6512 control.sframe = 1; 6513 control.final = 1; 6514 control.reqseq = chan->buffer_seq; 6515 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6516 6517 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 6518 control.super = L2CAP_SUPER_RNR; 6519 l2cap_send_sframe(chan, &control); 6520 } 6521 6522 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) && 6523 chan->unacked_frames > 0) 6524 __set_retrans_timer(chan); 6525 6526 /* Send pending iframes */ 6527 l2cap_ertm_send(chan); 6528 6529 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 6530 test_bit(CONN_SEND_FBIT, &chan->conn_state)) { 6531 /* F-bit wasn't sent in an s-frame or i-frame yet, so 6532 * send it now. 6533 */ 6534 control.super = L2CAP_SUPER_RR; 6535 l2cap_send_sframe(chan, &control); 6536 } 6537 } 6538 6539 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag, 6540 struct sk_buff **last_frag) 6541 { 6542 /* skb->len reflects data in skb as well as all fragments 6543 * skb->data_len reflects only data in fragments 6544 */ 6545 if (!skb_has_frag_list(skb)) 6546 skb_shinfo(skb)->frag_list = new_frag; 6547 6548 new_frag->next = NULL; 6549 6550 (*last_frag)->next = new_frag; 6551 *last_frag = new_frag; 6552 6553 skb->len += new_frag->len; 6554 skb->data_len += new_frag->len; 6555 skb->truesize += new_frag->truesize; 6556 } 6557 6558 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, 6559 struct l2cap_ctrl *control) 6560 { 6561 int err = -EINVAL; 6562 6563 switch (control->sar) { 6564 case L2CAP_SAR_UNSEGMENTED: 6565 if (chan->sdu) 6566 break; 6567 6568 err = chan->ops->recv(chan, skb); 6569 break; 6570 6571 case L2CAP_SAR_START: 6572 if (chan->sdu) 6573 break; 6574 6575 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE)) 6576 break; 6577 6578 chan->sdu_len = get_unaligned_le16(skb->data); 6579 skb_pull(skb, L2CAP_SDULEN_SIZE); 6580 6581 if (chan->sdu_len > chan->imtu) { 6582 err = -EMSGSIZE; 6583 break; 6584 } 6585 6586 if (skb->len >= chan->sdu_len) 6587 break; 6588 6589 chan->sdu = skb; 6590 chan->sdu_last_frag = skb; 6591 6592 skb = NULL; 6593 err = 0; 6594 break; 6595 6596 case L2CAP_SAR_CONTINUE: 6597 if (!chan->sdu) 6598 break; 6599 6600 append_skb_frag(chan->sdu, skb, 6601 &chan->sdu_last_frag); 6602 skb = NULL; 6603 6604 if (chan->sdu->len >= chan->sdu_len) 6605 break; 6606 6607 err = 0; 6608 break; 6609 6610 case L2CAP_SAR_END: 6611 if (!chan->sdu) 6612 break; 6613 6614 append_skb_frag(chan->sdu, skb, 6615 &chan->sdu_last_frag); 6616 skb = NULL; 6617 6618 if (chan->sdu->len != chan->sdu_len) 6619 break; 6620 6621 err = chan->ops->recv(chan, chan->sdu); 6622 6623 if (!err) { 6624 /* Reassembly complete */ 6625 chan->sdu = NULL; 6626 chan->sdu_last_frag = NULL; 6627 chan->sdu_len = 0; 6628 } 6629 break; 6630 } 6631 6632 if (err) { 6633 kfree_skb(skb); 6634 kfree_skb(chan->sdu); 6635 chan->sdu = NULL; 6636 chan->sdu_last_frag = NULL; 6637 chan->sdu_len = 0; 6638 } 6639 6640 return err; 6641 } 6642 6643 static int l2cap_resegment(struct l2cap_chan *chan) 6644 { 6645 /* Placeholder */ 6646 return 0; 6647 } 6648 6649 void l2cap_chan_busy(struct l2cap_chan *chan, int busy) 6650 { 6651 u8 event; 6652 6653 if (chan->mode != L2CAP_MODE_ERTM) 6654 return; 6655 6656 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR; 6657 l2cap_tx(chan, NULL, NULL, event); 6658 } 6659 6660 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan) 6661 { 6662 int err = 0; 6663 /* Pass sequential frames to l2cap_reassemble_sdu() 6664 * until a gap is encountered. 6665 */ 6666 6667 BT_DBG("chan %p", chan); 6668 6669 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 6670 struct sk_buff *skb; 6671 BT_DBG("Searching for skb with txseq %d (queue len %d)", 6672 chan->buffer_seq, skb_queue_len(&chan->srej_q)); 6673 6674 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq); 6675 6676 if (!skb) 6677 break; 6678 6679 skb_unlink(skb, &chan->srej_q); 6680 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 6681 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap); 6682 if (err) 6683 break; 6684 } 6685 6686 if (skb_queue_empty(&chan->srej_q)) { 6687 chan->rx_state = L2CAP_RX_STATE_RECV; 6688 l2cap_send_ack(chan); 6689 } 6690 6691 return err; 6692 } 6693 6694 static void l2cap_handle_srej(struct l2cap_chan *chan, 6695 struct l2cap_ctrl *control) 6696 { 6697 struct sk_buff *skb; 6698 6699 BT_DBG("chan %p, control %p", chan, control); 6700 6701 if (control->reqseq == chan->next_tx_seq) { 6702 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 6703 l2cap_send_disconn_req(chan, ECONNRESET); 6704 return; 6705 } 6706 6707 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 6708 6709 if (skb == NULL) { 6710 BT_DBG("Seq %d not available for retransmission", 6711 control->reqseq); 6712 return; 6713 } 6714 6715 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) { 6716 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 6717 l2cap_send_disconn_req(chan, ECONNRESET); 6718 return; 6719 } 6720 6721 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6722 6723 if (control->poll) { 6724 l2cap_pass_to_tx(chan, control); 6725 6726 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6727 l2cap_retransmit(chan, control); 6728 l2cap_ertm_send(chan); 6729 6730 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 6731 set_bit(CONN_SREJ_ACT, &chan->conn_state); 6732 chan->srej_save_reqseq = control->reqseq; 6733 } 6734 } else { 6735 l2cap_pass_to_tx_fbit(chan, control); 6736 6737 if (control->final) { 6738 if (chan->srej_save_reqseq != control->reqseq || 6739 !test_and_clear_bit(CONN_SREJ_ACT, 6740 &chan->conn_state)) 6741 l2cap_retransmit(chan, control); 6742 } else { 6743 l2cap_retransmit(chan, control); 6744 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 6745 set_bit(CONN_SREJ_ACT, &chan->conn_state); 6746 chan->srej_save_reqseq = control->reqseq; 6747 } 6748 } 6749 } 6750 } 6751 6752 static void l2cap_handle_rej(struct l2cap_chan *chan, 6753 struct l2cap_ctrl *control) 6754 { 6755 struct sk_buff *skb; 6756 6757 BT_DBG("chan %p, control %p", chan, control); 6758 6759 if (control->reqseq == chan->next_tx_seq) { 6760 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 6761 l2cap_send_disconn_req(chan, ECONNRESET); 6762 return; 6763 } 6764 6765 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 6766 6767 if (chan->max_tx && skb && 6768 bt_cb(skb)->l2cap.retries >= chan->max_tx) { 6769 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 6770 l2cap_send_disconn_req(chan, ECONNRESET); 6771 return; 6772 } 6773 6774 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6775 6776 l2cap_pass_to_tx(chan, control); 6777 6778 if (control->final) { 6779 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state)) 6780 l2cap_retransmit_all(chan, control); 6781 } else { 6782 l2cap_retransmit_all(chan, control); 6783 l2cap_ertm_send(chan); 6784 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) 6785 set_bit(CONN_REJ_ACT, &chan->conn_state); 6786 } 6787 } 6788 6789 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq) 6790 { 6791 BT_DBG("chan %p, txseq %d", chan, txseq); 6792 6793 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq, 6794 chan->expected_tx_seq); 6795 6796 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 6797 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 6798 chan->tx_win) { 6799 /* See notes below regarding "double poll" and 6800 * invalid packets. 6801 */ 6802 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 6803 BT_DBG("Invalid/Ignore - after SREJ"); 6804 return L2CAP_TXSEQ_INVALID_IGNORE; 6805 } else { 6806 BT_DBG("Invalid - in window after SREJ sent"); 6807 return L2CAP_TXSEQ_INVALID; 6808 } 6809 } 6810 6811 if (chan->srej_list.head == txseq) { 6812 BT_DBG("Expected SREJ"); 6813 return L2CAP_TXSEQ_EXPECTED_SREJ; 6814 } 6815 6816 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) { 6817 BT_DBG("Duplicate SREJ - txseq already stored"); 6818 return L2CAP_TXSEQ_DUPLICATE_SREJ; 6819 } 6820 6821 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) { 6822 BT_DBG("Unexpected SREJ - not requested"); 6823 return L2CAP_TXSEQ_UNEXPECTED_SREJ; 6824 } 6825 } 6826 6827 if (chan->expected_tx_seq == txseq) { 6828 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 6829 chan->tx_win) { 6830 BT_DBG("Invalid - txseq outside tx window"); 6831 return L2CAP_TXSEQ_INVALID; 6832 } else { 6833 BT_DBG("Expected"); 6834 return L2CAP_TXSEQ_EXPECTED; 6835 } 6836 } 6837 6838 if (__seq_offset(chan, txseq, chan->last_acked_seq) < 6839 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) { 6840 BT_DBG("Duplicate - expected_tx_seq later than txseq"); 6841 return L2CAP_TXSEQ_DUPLICATE; 6842 } 6843 6844 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) { 6845 /* A source of invalid packets is a "double poll" condition, 6846 * where delays cause us to send multiple poll packets. If 6847 * the remote stack receives and processes both polls, 6848 * sequence numbers can wrap around in such a way that a 6849 * resent frame has a sequence number that looks like new data 6850 * with a sequence gap. This would trigger an erroneous SREJ 6851 * request. 6852 * 6853 * Fortunately, this is impossible with a tx window that's 6854 * less than half of the maximum sequence number, which allows 6855 * invalid frames to be safely ignored. 6856 * 6857 * With tx window sizes greater than half of the tx window 6858 * maximum, the frame is invalid and cannot be ignored. This 6859 * causes a disconnect. 6860 */ 6861 6862 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 6863 BT_DBG("Invalid/Ignore - txseq outside tx window"); 6864 return L2CAP_TXSEQ_INVALID_IGNORE; 6865 } else { 6866 BT_DBG("Invalid - txseq outside tx window"); 6867 return L2CAP_TXSEQ_INVALID; 6868 } 6869 } else { 6870 BT_DBG("Unexpected - txseq indicates missing frames"); 6871 return L2CAP_TXSEQ_UNEXPECTED; 6872 } 6873 } 6874 6875 static int l2cap_rx_state_recv(struct l2cap_chan *chan, 6876 struct l2cap_ctrl *control, 6877 struct sk_buff *skb, u8 event) 6878 { 6879 int err = 0; 6880 bool skb_in_use = false; 6881 6882 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 6883 event); 6884 6885 switch (event) { 6886 case L2CAP_EV_RECV_IFRAME: 6887 switch (l2cap_classify_txseq(chan, control->txseq)) { 6888 case L2CAP_TXSEQ_EXPECTED: 6889 l2cap_pass_to_tx(chan, control); 6890 6891 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 6892 BT_DBG("Busy, discarding expected seq %d", 6893 control->txseq); 6894 break; 6895 } 6896 6897 chan->expected_tx_seq = __next_seq(chan, 6898 control->txseq); 6899 6900 chan->buffer_seq = chan->expected_tx_seq; 6901 skb_in_use = true; 6902 6903 err = l2cap_reassemble_sdu(chan, skb, control); 6904 if (err) 6905 break; 6906 6907 if (control->final) { 6908 if (!test_and_clear_bit(CONN_REJ_ACT, 6909 &chan->conn_state)) { 6910 control->final = 0; 6911 l2cap_retransmit_all(chan, control); 6912 l2cap_ertm_send(chan); 6913 } 6914 } 6915 6916 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 6917 l2cap_send_ack(chan); 6918 break; 6919 case L2CAP_TXSEQ_UNEXPECTED: 6920 l2cap_pass_to_tx(chan, control); 6921 6922 /* Can't issue SREJ frames in the local busy state. 6923 * Drop this frame, it will be seen as missing 6924 * when local busy is exited. 6925 */ 6926 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 6927 BT_DBG("Busy, discarding unexpected seq %d", 6928 control->txseq); 6929 break; 6930 } 6931 6932 /* There was a gap in the sequence, so an SREJ 6933 * must be sent for each missing frame. The 6934 * current frame is stored for later use. 6935 */ 6936 skb_queue_tail(&chan->srej_q, skb); 6937 skb_in_use = true; 6938 BT_DBG("Queued %p (queue len %d)", skb, 6939 skb_queue_len(&chan->srej_q)); 6940 6941 clear_bit(CONN_SREJ_ACT, &chan->conn_state); 6942 l2cap_seq_list_clear(&chan->srej_list); 6943 l2cap_send_srej(chan, control->txseq); 6944 6945 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT; 6946 break; 6947 case L2CAP_TXSEQ_DUPLICATE: 6948 l2cap_pass_to_tx(chan, control); 6949 break; 6950 case L2CAP_TXSEQ_INVALID_IGNORE: 6951 break; 6952 case L2CAP_TXSEQ_INVALID: 6953 default: 6954 l2cap_send_disconn_req(chan, ECONNRESET); 6955 break; 6956 } 6957 break; 6958 case L2CAP_EV_RECV_RR: 6959 l2cap_pass_to_tx(chan, control); 6960 if (control->final) { 6961 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6962 6963 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) && 6964 !__chan_is_moving(chan)) { 6965 control->final = 0; 6966 l2cap_retransmit_all(chan, control); 6967 } 6968 6969 l2cap_ertm_send(chan); 6970 } else if (control->poll) { 6971 l2cap_send_i_or_rr_or_rnr(chan); 6972 } else { 6973 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6974 &chan->conn_state) && 6975 chan->unacked_frames) 6976 __set_retrans_timer(chan); 6977 6978 l2cap_ertm_send(chan); 6979 } 6980 break; 6981 case L2CAP_EV_RECV_RNR: 6982 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6983 l2cap_pass_to_tx(chan, control); 6984 if (control && control->poll) { 6985 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6986 l2cap_send_rr_or_rnr(chan, 0); 6987 } 6988 __clear_retrans_timer(chan); 6989 l2cap_seq_list_clear(&chan->retrans_list); 6990 break; 6991 case L2CAP_EV_RECV_REJ: 6992 l2cap_handle_rej(chan, control); 6993 break; 6994 case L2CAP_EV_RECV_SREJ: 6995 l2cap_handle_srej(chan, control); 6996 break; 6997 default: 6998 break; 6999 } 7000 7001 if (skb && !skb_in_use) { 7002 BT_DBG("Freeing %p", skb); 7003 kfree_skb(skb); 7004 } 7005 7006 return err; 7007 } 7008 7009 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan, 7010 struct l2cap_ctrl *control, 7011 struct sk_buff *skb, u8 event) 7012 { 7013 int err = 0; 7014 u16 txseq = control->txseq; 7015 bool skb_in_use = false; 7016 7017 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 7018 event); 7019 7020 switch (event) { 7021 case L2CAP_EV_RECV_IFRAME: 7022 switch (l2cap_classify_txseq(chan, txseq)) { 7023 case L2CAP_TXSEQ_EXPECTED: 7024 /* Keep frame for reassembly later */ 7025 l2cap_pass_to_tx(chan, control); 7026 skb_queue_tail(&chan->srej_q, skb); 7027 skb_in_use = true; 7028 BT_DBG("Queued %p (queue len %d)", skb, 7029 skb_queue_len(&chan->srej_q)); 7030 7031 chan->expected_tx_seq = __next_seq(chan, txseq); 7032 break; 7033 case L2CAP_TXSEQ_EXPECTED_SREJ: 7034 l2cap_seq_list_pop(&chan->srej_list); 7035 7036 l2cap_pass_to_tx(chan, control); 7037 skb_queue_tail(&chan->srej_q, skb); 7038 skb_in_use = true; 7039 BT_DBG("Queued %p (queue len %d)", skb, 7040 skb_queue_len(&chan->srej_q)); 7041 7042 err = l2cap_rx_queued_iframes(chan); 7043 if (err) 7044 break; 7045 7046 break; 7047 case L2CAP_TXSEQ_UNEXPECTED: 7048 /* Got a frame that can't be reassembled yet. 7049 * Save it for later, and send SREJs to cover 7050 * the missing frames. 7051 */ 7052 skb_queue_tail(&chan->srej_q, skb); 7053 skb_in_use = true; 7054 BT_DBG("Queued %p (queue len %d)", skb, 7055 skb_queue_len(&chan->srej_q)); 7056 7057 l2cap_pass_to_tx(chan, control); 7058 l2cap_send_srej(chan, control->txseq); 7059 break; 7060 case L2CAP_TXSEQ_UNEXPECTED_SREJ: 7061 /* This frame was requested with an SREJ, but 7062 * some expected retransmitted frames are 7063 * missing. Request retransmission of missing 7064 * SREJ'd frames. 7065 */ 7066 skb_queue_tail(&chan->srej_q, skb); 7067 skb_in_use = true; 7068 BT_DBG("Queued %p (queue len %d)", skb, 7069 skb_queue_len(&chan->srej_q)); 7070 7071 l2cap_pass_to_tx(chan, control); 7072 l2cap_send_srej_list(chan, control->txseq); 7073 break; 7074 case L2CAP_TXSEQ_DUPLICATE_SREJ: 7075 /* We've already queued this frame. Drop this copy. */ 7076 l2cap_pass_to_tx(chan, control); 7077 break; 7078 case L2CAP_TXSEQ_DUPLICATE: 7079 /* Expecting a later sequence number, so this frame 7080 * was already received. Ignore it completely. 7081 */ 7082 break; 7083 case L2CAP_TXSEQ_INVALID_IGNORE: 7084 break; 7085 case L2CAP_TXSEQ_INVALID: 7086 default: 7087 l2cap_send_disconn_req(chan, ECONNRESET); 7088 break; 7089 } 7090 break; 7091 case L2CAP_EV_RECV_RR: 7092 l2cap_pass_to_tx(chan, control); 7093 if (control->final) { 7094 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 7095 7096 if (!test_and_clear_bit(CONN_REJ_ACT, 7097 &chan->conn_state)) { 7098 control->final = 0; 7099 l2cap_retransmit_all(chan, control); 7100 } 7101 7102 l2cap_ertm_send(chan); 7103 } else if (control->poll) { 7104 if (test_and_clear_bit(CONN_REMOTE_BUSY, 7105 &chan->conn_state) && 7106 chan->unacked_frames) { 7107 __set_retrans_timer(chan); 7108 } 7109 7110 set_bit(CONN_SEND_FBIT, &chan->conn_state); 7111 l2cap_send_srej_tail(chan); 7112 } else { 7113 if (test_and_clear_bit(CONN_REMOTE_BUSY, 7114 &chan->conn_state) && 7115 chan->unacked_frames) 7116 __set_retrans_timer(chan); 7117 7118 l2cap_send_ack(chan); 7119 } 7120 break; 7121 case L2CAP_EV_RECV_RNR: 7122 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 7123 l2cap_pass_to_tx(chan, control); 7124 if (control->poll) { 7125 l2cap_send_srej_tail(chan); 7126 } else { 7127 struct l2cap_ctrl rr_control; 7128 memset(&rr_control, 0, sizeof(rr_control)); 7129 rr_control.sframe = 1; 7130 rr_control.super = L2CAP_SUPER_RR; 7131 rr_control.reqseq = chan->buffer_seq; 7132 l2cap_send_sframe(chan, &rr_control); 7133 } 7134 7135 break; 7136 case L2CAP_EV_RECV_REJ: 7137 l2cap_handle_rej(chan, control); 7138 break; 7139 case L2CAP_EV_RECV_SREJ: 7140 l2cap_handle_srej(chan, control); 7141 break; 7142 } 7143 7144 if (skb && !skb_in_use) { 7145 BT_DBG("Freeing %p", skb); 7146 kfree_skb(skb); 7147 } 7148 7149 return err; 7150 } 7151 7152 static int l2cap_finish_move(struct l2cap_chan *chan) 7153 { 7154 BT_DBG("chan %p", chan); 7155 7156 chan->rx_state = L2CAP_RX_STATE_RECV; 7157 7158 if (chan->hs_hcon) 7159 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu; 7160 else 7161 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu; 7162 7163 return l2cap_resegment(chan); 7164 } 7165 7166 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan, 7167 struct l2cap_ctrl *control, 7168 struct sk_buff *skb, u8 event) 7169 { 7170 int err; 7171 7172 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 7173 event); 7174 7175 if (!control->poll) 7176 return -EPROTO; 7177 7178 l2cap_process_reqseq(chan, control->reqseq); 7179 7180 if (!skb_queue_empty(&chan->tx_q)) 7181 chan->tx_send_head = skb_peek(&chan->tx_q); 7182 else 7183 chan->tx_send_head = NULL; 7184 7185 /* Rewind next_tx_seq to the point expected 7186 * by the receiver. 7187 */ 7188 chan->next_tx_seq = control->reqseq; 7189 chan->unacked_frames = 0; 7190 7191 err = l2cap_finish_move(chan); 7192 if (err) 7193 return err; 7194 7195 set_bit(CONN_SEND_FBIT, &chan->conn_state); 7196 l2cap_send_i_or_rr_or_rnr(chan); 7197 7198 if (event == L2CAP_EV_RECV_IFRAME) 7199 return -EPROTO; 7200 7201 return l2cap_rx_state_recv(chan, control, NULL, event); 7202 } 7203 7204 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan, 7205 struct l2cap_ctrl *control, 7206 struct sk_buff *skb, u8 event) 7207 { 7208 int err; 7209 7210 if (!control->final) 7211 return -EPROTO; 7212 7213 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 7214 7215 chan->rx_state = L2CAP_RX_STATE_RECV; 7216 l2cap_process_reqseq(chan, control->reqseq); 7217 7218 if (!skb_queue_empty(&chan->tx_q)) 7219 chan->tx_send_head = skb_peek(&chan->tx_q); 7220 else 7221 chan->tx_send_head = NULL; 7222 7223 /* Rewind next_tx_seq to the point expected 7224 * by the receiver. 7225 */ 7226 chan->next_tx_seq = control->reqseq; 7227 chan->unacked_frames = 0; 7228 7229 if (chan->hs_hcon) 7230 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu; 7231 else 7232 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu; 7233 7234 err = l2cap_resegment(chan); 7235 7236 if (!err) 7237 err = l2cap_rx_state_recv(chan, control, skb, event); 7238 7239 return err; 7240 } 7241 7242 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq) 7243 { 7244 /* Make sure reqseq is for a packet that has been sent but not acked */ 7245 u16 unacked; 7246 7247 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq); 7248 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked; 7249 } 7250 7251 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 7252 struct sk_buff *skb, u8 event) 7253 { 7254 int err = 0; 7255 7256 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan, 7257 control, skb, event, chan->rx_state); 7258 7259 if (__valid_reqseq(chan, control->reqseq)) { 7260 switch (chan->rx_state) { 7261 case L2CAP_RX_STATE_RECV: 7262 err = l2cap_rx_state_recv(chan, control, skb, event); 7263 break; 7264 case L2CAP_RX_STATE_SREJ_SENT: 7265 err = l2cap_rx_state_srej_sent(chan, control, skb, 7266 event); 7267 break; 7268 case L2CAP_RX_STATE_WAIT_P: 7269 err = l2cap_rx_state_wait_p(chan, control, skb, event); 7270 break; 7271 case L2CAP_RX_STATE_WAIT_F: 7272 err = l2cap_rx_state_wait_f(chan, control, skb, event); 7273 break; 7274 default: 7275 /* shut it down */ 7276 break; 7277 } 7278 } else { 7279 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d", 7280 control->reqseq, chan->next_tx_seq, 7281 chan->expected_ack_seq); 7282 l2cap_send_disconn_req(chan, ECONNRESET); 7283 } 7284 7285 return err; 7286 } 7287 7288 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 7289 struct sk_buff *skb) 7290 { 7291 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, 7292 chan->rx_state); 7293 7294 if (l2cap_classify_txseq(chan, control->txseq) == 7295 L2CAP_TXSEQ_EXPECTED) { 7296 l2cap_pass_to_tx(chan, control); 7297 7298 BT_DBG("buffer_seq %u->%u", chan->buffer_seq, 7299 __next_seq(chan, chan->buffer_seq)); 7300 7301 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 7302 7303 l2cap_reassemble_sdu(chan, skb, control); 7304 } else { 7305 if (chan->sdu) { 7306 kfree_skb(chan->sdu); 7307 chan->sdu = NULL; 7308 } 7309 chan->sdu_last_frag = NULL; 7310 chan->sdu_len = 0; 7311 7312 if (skb) { 7313 BT_DBG("Freeing %p", skb); 7314 kfree_skb(skb); 7315 } 7316 } 7317 7318 chan->last_acked_seq = control->txseq; 7319 chan->expected_tx_seq = __next_seq(chan, control->txseq); 7320 7321 return 0; 7322 } 7323 7324 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 7325 { 7326 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap; 7327 u16 len; 7328 u8 event; 7329 7330 __unpack_control(chan, skb); 7331 7332 len = skb->len; 7333 7334 /* 7335 * We can just drop the corrupted I-frame here. 7336 * Receiver will miss it and start proper recovery 7337 * procedures and ask for retransmission. 7338 */ 7339 if (l2cap_check_fcs(chan, skb)) 7340 goto drop; 7341 7342 if (!control->sframe && control->sar == L2CAP_SAR_START) 7343 len -= L2CAP_SDULEN_SIZE; 7344 7345 if (chan->fcs == L2CAP_FCS_CRC16) 7346 len -= L2CAP_FCS_SIZE; 7347 7348 if (len > chan->mps) { 7349 l2cap_send_disconn_req(chan, ECONNRESET); 7350 goto drop; 7351 } 7352 7353 if (chan->ops->filter) { 7354 if (chan->ops->filter(chan, skb)) 7355 goto drop; 7356 } 7357 7358 if (!control->sframe) { 7359 int err; 7360 7361 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d", 7362 control->sar, control->reqseq, control->final, 7363 control->txseq); 7364 7365 /* Validate F-bit - F=0 always valid, F=1 only 7366 * valid in TX WAIT_F 7367 */ 7368 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F) 7369 goto drop; 7370 7371 if (chan->mode != L2CAP_MODE_STREAMING) { 7372 event = L2CAP_EV_RECV_IFRAME; 7373 err = l2cap_rx(chan, control, skb, event); 7374 } else { 7375 err = l2cap_stream_rx(chan, control, skb); 7376 } 7377 7378 if (err) 7379 l2cap_send_disconn_req(chan, ECONNRESET); 7380 } else { 7381 const u8 rx_func_to_event[4] = { 7382 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ, 7383 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ 7384 }; 7385 7386 /* Only I-frames are expected in streaming mode */ 7387 if (chan->mode == L2CAP_MODE_STREAMING) 7388 goto drop; 7389 7390 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d", 7391 control->reqseq, control->final, control->poll, 7392 control->super); 7393 7394 if (len != 0) { 7395 BT_ERR("Trailing bytes: %d in sframe", len); 7396 l2cap_send_disconn_req(chan, ECONNRESET); 7397 goto drop; 7398 } 7399 7400 /* Validate F and P bits */ 7401 if (control->final && (control->poll || 7402 chan->tx_state != L2CAP_TX_STATE_WAIT_F)) 7403 goto drop; 7404 7405 event = rx_func_to_event[control->super]; 7406 if (l2cap_rx(chan, control, skb, event)) 7407 l2cap_send_disconn_req(chan, ECONNRESET); 7408 } 7409 7410 return 0; 7411 7412 drop: 7413 kfree_skb(skb); 7414 return 0; 7415 } 7416 7417 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan) 7418 { 7419 struct l2cap_conn *conn = chan->conn; 7420 struct l2cap_le_credits pkt; 7421 u16 return_credits; 7422 7423 return_credits = (chan->imtu / chan->mps) + 1; 7424 7425 if (chan->rx_credits >= return_credits) 7426 return; 7427 7428 return_credits -= chan->rx_credits; 7429 7430 BT_DBG("chan %p returning %u credits to sender", chan, return_credits); 7431 7432 chan->rx_credits += return_credits; 7433 7434 pkt.cid = cpu_to_le16(chan->scid); 7435 pkt.credits = cpu_to_le16(return_credits); 7436 7437 chan->ident = l2cap_get_ident(conn); 7438 7439 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt); 7440 } 7441 7442 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb) 7443 { 7444 int err; 7445 7446 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len); 7447 7448 /* Wait recv to confirm reception before updating the credits */ 7449 err = chan->ops->recv(chan, skb); 7450 7451 /* Update credits whenever an SDU is received */ 7452 l2cap_chan_le_send_credits(chan); 7453 7454 return err; 7455 } 7456 7457 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 7458 { 7459 int err; 7460 7461 if (!chan->rx_credits) { 7462 BT_ERR("No credits to receive LE L2CAP data"); 7463 l2cap_send_disconn_req(chan, ECONNRESET); 7464 return -ENOBUFS; 7465 } 7466 7467 if (chan->imtu < skb->len) { 7468 BT_ERR("Too big LE L2CAP PDU"); 7469 return -ENOBUFS; 7470 } 7471 7472 chan->rx_credits--; 7473 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits); 7474 7475 /* Update if remote had run out of credits, this should only happens 7476 * if the remote is not using the entire MPS. 7477 */ 7478 if (!chan->rx_credits) 7479 l2cap_chan_le_send_credits(chan); 7480 7481 err = 0; 7482 7483 if (!chan->sdu) { 7484 u16 sdu_len; 7485 7486 sdu_len = get_unaligned_le16(skb->data); 7487 skb_pull(skb, L2CAP_SDULEN_SIZE); 7488 7489 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u", 7490 sdu_len, skb->len, chan->imtu); 7491 7492 if (sdu_len > chan->imtu) { 7493 BT_ERR("Too big LE L2CAP SDU length received"); 7494 err = -EMSGSIZE; 7495 goto failed; 7496 } 7497 7498 if (skb->len > sdu_len) { 7499 BT_ERR("Too much LE L2CAP data received"); 7500 err = -EINVAL; 7501 goto failed; 7502 } 7503 7504 if (skb->len == sdu_len) 7505 return l2cap_ecred_recv(chan, skb); 7506 7507 chan->sdu = skb; 7508 chan->sdu_len = sdu_len; 7509 chan->sdu_last_frag = skb; 7510 7511 /* Detect if remote is not able to use the selected MPS */ 7512 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) { 7513 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE; 7514 7515 /* Adjust the number of credits */ 7516 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len); 7517 chan->mps = mps_len; 7518 l2cap_chan_le_send_credits(chan); 7519 } 7520 7521 return 0; 7522 } 7523 7524 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u", 7525 chan->sdu->len, skb->len, chan->sdu_len); 7526 7527 if (chan->sdu->len + skb->len > chan->sdu_len) { 7528 BT_ERR("Too much LE L2CAP data received"); 7529 err = -EINVAL; 7530 goto failed; 7531 } 7532 7533 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag); 7534 skb = NULL; 7535 7536 if (chan->sdu->len == chan->sdu_len) { 7537 err = l2cap_ecred_recv(chan, chan->sdu); 7538 if (!err) { 7539 chan->sdu = NULL; 7540 chan->sdu_last_frag = NULL; 7541 chan->sdu_len = 0; 7542 } 7543 } 7544 7545 failed: 7546 if (err) { 7547 kfree_skb(skb); 7548 kfree_skb(chan->sdu); 7549 chan->sdu = NULL; 7550 chan->sdu_last_frag = NULL; 7551 chan->sdu_len = 0; 7552 } 7553 7554 /* We can't return an error here since we took care of the skb 7555 * freeing internally. An error return would cause the caller to 7556 * do a double-free of the skb. 7557 */ 7558 return 0; 7559 } 7560 7561 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, 7562 struct sk_buff *skb) 7563 { 7564 struct l2cap_chan *chan; 7565 7566 chan = l2cap_get_chan_by_scid(conn, cid); 7567 if (!chan) { 7568 if (cid == L2CAP_CID_A2MP) { 7569 chan = a2mp_channel_create(conn, skb); 7570 if (!chan) { 7571 kfree_skb(skb); 7572 return; 7573 } 7574 7575 l2cap_chan_lock(chan); 7576 } else { 7577 BT_DBG("unknown cid 0x%4.4x", cid); 7578 /* Drop packet and return */ 7579 kfree_skb(skb); 7580 return; 7581 } 7582 } 7583 7584 BT_DBG("chan %p, len %d", chan, skb->len); 7585 7586 /* If we receive data on a fixed channel before the info req/rsp 7587 * procedure is done simply assume that the channel is supported 7588 * and mark it as ready. 7589 */ 7590 if (chan->chan_type == L2CAP_CHAN_FIXED) 7591 l2cap_chan_ready(chan); 7592 7593 if (chan->state != BT_CONNECTED) 7594 goto drop; 7595 7596 switch (chan->mode) { 7597 case L2CAP_MODE_LE_FLOWCTL: 7598 case L2CAP_MODE_EXT_FLOWCTL: 7599 if (l2cap_ecred_data_rcv(chan, skb) < 0) 7600 goto drop; 7601 7602 goto done; 7603 7604 case L2CAP_MODE_BASIC: 7605 /* If socket recv buffers overflows we drop data here 7606 * which is *bad* because L2CAP has to be reliable. 7607 * But we don't have any other choice. L2CAP doesn't 7608 * provide flow control mechanism. */ 7609 7610 if (chan->imtu < skb->len) { 7611 BT_ERR("Dropping L2CAP data: receive buffer overflow"); 7612 goto drop; 7613 } 7614 7615 if (!chan->ops->recv(chan, skb)) 7616 goto done; 7617 break; 7618 7619 case L2CAP_MODE_ERTM: 7620 case L2CAP_MODE_STREAMING: 7621 l2cap_data_rcv(chan, skb); 7622 goto done; 7623 7624 default: 7625 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode); 7626 break; 7627 } 7628 7629 drop: 7630 kfree_skb(skb); 7631 7632 done: 7633 l2cap_chan_unlock(chan); 7634 l2cap_chan_put(chan); 7635 } 7636 7637 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, 7638 struct sk_buff *skb) 7639 { 7640 struct hci_conn *hcon = conn->hcon; 7641 struct l2cap_chan *chan; 7642 7643 if (hcon->type != ACL_LINK) 7644 goto free_skb; 7645 7646 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst, 7647 ACL_LINK); 7648 if (!chan) 7649 goto free_skb; 7650 7651 BT_DBG("chan %p, len %d", chan, skb->len); 7652 7653 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED) 7654 goto drop; 7655 7656 if (chan->imtu < skb->len) 7657 goto drop; 7658 7659 /* Store remote BD_ADDR and PSM for msg_name */ 7660 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst); 7661 bt_cb(skb)->l2cap.psm = psm; 7662 7663 if (!chan->ops->recv(chan, skb)) { 7664 l2cap_chan_put(chan); 7665 return; 7666 } 7667 7668 drop: 7669 l2cap_chan_put(chan); 7670 free_skb: 7671 kfree_skb(skb); 7672 } 7673 7674 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) 7675 { 7676 struct l2cap_hdr *lh = (void *) skb->data; 7677 struct hci_conn *hcon = conn->hcon; 7678 u16 cid, len; 7679 __le16 psm; 7680 7681 if (hcon->state != BT_CONNECTED) { 7682 BT_DBG("queueing pending rx skb"); 7683 skb_queue_tail(&conn->pending_rx, skb); 7684 return; 7685 } 7686 7687 skb_pull(skb, L2CAP_HDR_SIZE); 7688 cid = __le16_to_cpu(lh->cid); 7689 len = __le16_to_cpu(lh->len); 7690 7691 if (len != skb->len) { 7692 kfree_skb(skb); 7693 return; 7694 } 7695 7696 /* Since we can't actively block incoming LE connections we must 7697 * at least ensure that we ignore incoming data from them. 7698 */ 7699 if (hcon->type == LE_LINK && 7700 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst, 7701 bdaddr_dst_type(hcon))) { 7702 kfree_skb(skb); 7703 return; 7704 } 7705 7706 BT_DBG("len %d, cid 0x%4.4x", len, cid); 7707 7708 switch (cid) { 7709 case L2CAP_CID_SIGNALING: 7710 l2cap_sig_channel(conn, skb); 7711 break; 7712 7713 case L2CAP_CID_CONN_LESS: 7714 psm = get_unaligned((__le16 *) skb->data); 7715 skb_pull(skb, L2CAP_PSMLEN_SIZE); 7716 l2cap_conless_channel(conn, psm, skb); 7717 break; 7718 7719 case L2CAP_CID_LE_SIGNALING: 7720 l2cap_le_sig_channel(conn, skb); 7721 break; 7722 7723 default: 7724 l2cap_data_channel(conn, cid, skb); 7725 break; 7726 } 7727 } 7728 7729 static void process_pending_rx(struct work_struct *work) 7730 { 7731 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 7732 pending_rx_work); 7733 struct sk_buff *skb; 7734 7735 BT_DBG(""); 7736 7737 while ((skb = skb_dequeue(&conn->pending_rx))) 7738 l2cap_recv_frame(conn, skb); 7739 } 7740 7741 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon) 7742 { 7743 struct l2cap_conn *conn = hcon->l2cap_data; 7744 struct hci_chan *hchan; 7745 7746 if (conn) 7747 return conn; 7748 7749 hchan = hci_chan_create(hcon); 7750 if (!hchan) 7751 return NULL; 7752 7753 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 7754 if (!conn) { 7755 hci_chan_del(hchan); 7756 return NULL; 7757 } 7758 7759 kref_init(&conn->ref); 7760 hcon->l2cap_data = conn; 7761 conn->hcon = hci_conn_get(hcon); 7762 conn->hchan = hchan; 7763 7764 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan); 7765 7766 switch (hcon->type) { 7767 case LE_LINK: 7768 if (hcon->hdev->le_mtu) { 7769 conn->mtu = hcon->hdev->le_mtu; 7770 break; 7771 } 7772 fallthrough; 7773 default: 7774 conn->mtu = hcon->hdev->acl_mtu; 7775 break; 7776 } 7777 7778 conn->feat_mask = 0; 7779 7780 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS; 7781 7782 if (hcon->type == ACL_LINK && 7783 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED)) 7784 conn->local_fixed_chan |= L2CAP_FC_A2MP; 7785 7786 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) && 7787 (bredr_sc_enabled(hcon->hdev) || 7788 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP))) 7789 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR; 7790 7791 mutex_init(&conn->ident_lock); 7792 mutex_init(&conn->chan_lock); 7793 7794 INIT_LIST_HEAD(&conn->chan_l); 7795 INIT_LIST_HEAD(&conn->users); 7796 7797 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout); 7798 7799 skb_queue_head_init(&conn->pending_rx); 7800 INIT_WORK(&conn->pending_rx_work, process_pending_rx); 7801 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr); 7802 7803 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 7804 7805 return conn; 7806 } 7807 7808 static bool is_valid_psm(u16 psm, u8 dst_type) 7809 { 7810 if (!psm) 7811 return false; 7812 7813 if (bdaddr_type_is_le(dst_type)) 7814 return (psm <= 0x00ff); 7815 7816 /* PSM must be odd and lsb of upper byte must be 0 */ 7817 return ((psm & 0x0101) == 0x0001); 7818 } 7819 7820 struct l2cap_chan_data { 7821 struct l2cap_chan *chan; 7822 struct pid *pid; 7823 int count; 7824 }; 7825 7826 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data) 7827 { 7828 struct l2cap_chan_data *d = data; 7829 struct pid *pid; 7830 7831 if (chan == d->chan) 7832 return; 7833 7834 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags)) 7835 return; 7836 7837 pid = chan->ops->get_peer_pid(chan); 7838 7839 /* Only count deferred channels with the same PID/PSM */ 7840 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident || 7841 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT) 7842 return; 7843 7844 d->count++; 7845 } 7846 7847 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, 7848 bdaddr_t *dst, u8 dst_type) 7849 { 7850 struct l2cap_conn *conn; 7851 struct hci_conn *hcon; 7852 struct hci_dev *hdev; 7853 int err; 7854 7855 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src, 7856 dst, dst_type, __le16_to_cpu(psm), chan->mode); 7857 7858 hdev = hci_get_route(dst, &chan->src, chan->src_type); 7859 if (!hdev) 7860 return -EHOSTUNREACH; 7861 7862 hci_dev_lock(hdev); 7863 7864 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid && 7865 chan->chan_type != L2CAP_CHAN_RAW) { 7866 err = -EINVAL; 7867 goto done; 7868 } 7869 7870 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) { 7871 err = -EINVAL; 7872 goto done; 7873 } 7874 7875 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) { 7876 err = -EINVAL; 7877 goto done; 7878 } 7879 7880 switch (chan->mode) { 7881 case L2CAP_MODE_BASIC: 7882 break; 7883 case L2CAP_MODE_LE_FLOWCTL: 7884 break; 7885 case L2CAP_MODE_EXT_FLOWCTL: 7886 if (!enable_ecred) { 7887 err = -EOPNOTSUPP; 7888 goto done; 7889 } 7890 break; 7891 case L2CAP_MODE_ERTM: 7892 case L2CAP_MODE_STREAMING: 7893 if (!disable_ertm) 7894 break; 7895 fallthrough; 7896 default: 7897 err = -EOPNOTSUPP; 7898 goto done; 7899 } 7900 7901 switch (chan->state) { 7902 case BT_CONNECT: 7903 case BT_CONNECT2: 7904 case BT_CONFIG: 7905 /* Already connecting */ 7906 err = 0; 7907 goto done; 7908 7909 case BT_CONNECTED: 7910 /* Already connected */ 7911 err = -EISCONN; 7912 goto done; 7913 7914 case BT_OPEN: 7915 case BT_BOUND: 7916 /* Can connect */ 7917 break; 7918 7919 default: 7920 err = -EBADFD; 7921 goto done; 7922 } 7923 7924 /* Set destination address and psm */ 7925 bacpy(&chan->dst, dst); 7926 chan->dst_type = dst_type; 7927 7928 chan->psm = psm; 7929 chan->dcid = cid; 7930 7931 if (bdaddr_type_is_le(dst_type)) { 7932 /* Convert from L2CAP channel address type to HCI address type 7933 */ 7934 if (dst_type == BDADDR_LE_PUBLIC) 7935 dst_type = ADDR_LE_DEV_PUBLIC; 7936 else 7937 dst_type = ADDR_LE_DEV_RANDOM; 7938 7939 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 7940 hcon = hci_connect_le(hdev, dst, dst_type, false, 7941 chan->sec_level, 7942 HCI_LE_CONN_TIMEOUT, 7943 HCI_ROLE_SLAVE); 7944 else 7945 hcon = hci_connect_le_scan(hdev, dst, dst_type, 7946 chan->sec_level, 7947 HCI_LE_CONN_TIMEOUT, 7948 CONN_REASON_L2CAP_CHAN); 7949 7950 } else { 7951 u8 auth_type = l2cap_get_auth_type(chan); 7952 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type, 7953 CONN_REASON_L2CAP_CHAN); 7954 } 7955 7956 if (IS_ERR(hcon)) { 7957 err = PTR_ERR(hcon); 7958 goto done; 7959 } 7960 7961 conn = l2cap_conn_add(hcon); 7962 if (!conn) { 7963 hci_conn_drop(hcon); 7964 err = -ENOMEM; 7965 goto done; 7966 } 7967 7968 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 7969 struct l2cap_chan_data data; 7970 7971 data.chan = chan; 7972 data.pid = chan->ops->get_peer_pid(chan); 7973 data.count = 1; 7974 7975 l2cap_chan_list(conn, l2cap_chan_by_pid, &data); 7976 7977 /* Check if there isn't too many channels being connected */ 7978 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) { 7979 hci_conn_drop(hcon); 7980 err = -EPROTO; 7981 goto done; 7982 } 7983 } 7984 7985 mutex_lock(&conn->chan_lock); 7986 l2cap_chan_lock(chan); 7987 7988 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) { 7989 hci_conn_drop(hcon); 7990 err = -EBUSY; 7991 goto chan_unlock; 7992 } 7993 7994 /* Update source addr of the socket */ 7995 bacpy(&chan->src, &hcon->src); 7996 chan->src_type = bdaddr_src_type(hcon); 7997 7998 __l2cap_chan_add(conn, chan); 7999 8000 /* l2cap_chan_add takes its own ref so we can drop this one */ 8001 hci_conn_drop(hcon); 8002 8003 l2cap_state_change(chan, BT_CONNECT); 8004 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 8005 8006 /* Release chan->sport so that it can be reused by other 8007 * sockets (as it's only used for listening sockets). 8008 */ 8009 write_lock(&chan_list_lock); 8010 chan->sport = 0; 8011 write_unlock(&chan_list_lock); 8012 8013 if (hcon->state == BT_CONNECTED) { 8014 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 8015 __clear_chan_timer(chan); 8016 if (l2cap_chan_check_security(chan, true)) 8017 l2cap_state_change(chan, BT_CONNECTED); 8018 } else 8019 l2cap_do_start(chan); 8020 } 8021 8022 err = 0; 8023 8024 chan_unlock: 8025 l2cap_chan_unlock(chan); 8026 mutex_unlock(&conn->chan_lock); 8027 done: 8028 hci_dev_unlock(hdev); 8029 hci_dev_put(hdev); 8030 return err; 8031 } 8032 EXPORT_SYMBOL_GPL(l2cap_chan_connect); 8033 8034 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan) 8035 { 8036 struct l2cap_conn *conn = chan->conn; 8037 struct { 8038 struct l2cap_ecred_reconf_req req; 8039 __le16 scid; 8040 } pdu; 8041 8042 pdu.req.mtu = cpu_to_le16(chan->imtu); 8043 pdu.req.mps = cpu_to_le16(chan->mps); 8044 pdu.scid = cpu_to_le16(chan->scid); 8045 8046 chan->ident = l2cap_get_ident(conn); 8047 8048 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ, 8049 sizeof(pdu), &pdu); 8050 } 8051 8052 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu) 8053 { 8054 if (chan->imtu > mtu) 8055 return -EINVAL; 8056 8057 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu); 8058 8059 chan->imtu = mtu; 8060 8061 l2cap_ecred_reconfigure(chan); 8062 8063 return 0; 8064 } 8065 8066 /* ---- L2CAP interface with lower layer (HCI) ---- */ 8067 8068 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr) 8069 { 8070 int exact = 0, lm1 = 0, lm2 = 0; 8071 struct l2cap_chan *c; 8072 8073 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr); 8074 8075 /* Find listening sockets and check their link_mode */ 8076 read_lock(&chan_list_lock); 8077 list_for_each_entry(c, &chan_list, global_l) { 8078 if (c->state != BT_LISTEN) 8079 continue; 8080 8081 if (!bacmp(&c->src, &hdev->bdaddr)) { 8082 lm1 |= HCI_LM_ACCEPT; 8083 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 8084 lm1 |= HCI_LM_MASTER; 8085 exact++; 8086 } else if (!bacmp(&c->src, BDADDR_ANY)) { 8087 lm2 |= HCI_LM_ACCEPT; 8088 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 8089 lm2 |= HCI_LM_MASTER; 8090 } 8091 } 8092 read_unlock(&chan_list_lock); 8093 8094 return exact ? lm1 : lm2; 8095 } 8096 8097 /* Find the next fixed channel in BT_LISTEN state, continue iteration 8098 * from an existing channel in the list or from the beginning of the 8099 * global list (by passing NULL as first parameter). 8100 */ 8101 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c, 8102 struct hci_conn *hcon) 8103 { 8104 u8 src_type = bdaddr_src_type(hcon); 8105 8106 read_lock(&chan_list_lock); 8107 8108 if (c) 8109 c = list_next_entry(c, global_l); 8110 else 8111 c = list_entry(chan_list.next, typeof(*c), global_l); 8112 8113 list_for_each_entry_from(c, &chan_list, global_l) { 8114 if (c->chan_type != L2CAP_CHAN_FIXED) 8115 continue; 8116 if (c->state != BT_LISTEN) 8117 continue; 8118 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY)) 8119 continue; 8120 if (src_type != c->src_type) 8121 continue; 8122 8123 c = l2cap_chan_hold_unless_zero(c); 8124 read_unlock(&chan_list_lock); 8125 return c; 8126 } 8127 8128 read_unlock(&chan_list_lock); 8129 8130 return NULL; 8131 } 8132 8133 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 8134 { 8135 struct hci_dev *hdev = hcon->hdev; 8136 struct l2cap_conn *conn; 8137 struct l2cap_chan *pchan; 8138 u8 dst_type; 8139 8140 if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 8141 return; 8142 8143 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 8144 8145 if (status) { 8146 l2cap_conn_del(hcon, bt_to_errno(status)); 8147 return; 8148 } 8149 8150 conn = l2cap_conn_add(hcon); 8151 if (!conn) 8152 return; 8153 8154 dst_type = bdaddr_dst_type(hcon); 8155 8156 /* If device is blocked, do not create channels for it */ 8157 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type)) 8158 return; 8159 8160 /* Find fixed channels and notify them of the new connection. We 8161 * use multiple individual lookups, continuing each time where 8162 * we left off, because the list lock would prevent calling the 8163 * potentially sleeping l2cap_chan_lock() function. 8164 */ 8165 pchan = l2cap_global_fixed_chan(NULL, hcon); 8166 while (pchan) { 8167 struct l2cap_chan *chan, *next; 8168 8169 /* Client fixed channels should override server ones */ 8170 if (__l2cap_get_chan_by_dcid(conn, pchan->scid)) 8171 goto next; 8172 8173 l2cap_chan_lock(pchan); 8174 chan = pchan->ops->new_connection(pchan); 8175 if (chan) { 8176 bacpy(&chan->src, &hcon->src); 8177 bacpy(&chan->dst, &hcon->dst); 8178 chan->src_type = bdaddr_src_type(hcon); 8179 chan->dst_type = dst_type; 8180 8181 __l2cap_chan_add(conn, chan); 8182 } 8183 8184 l2cap_chan_unlock(pchan); 8185 next: 8186 next = l2cap_global_fixed_chan(pchan, hcon); 8187 l2cap_chan_put(pchan); 8188 pchan = next; 8189 } 8190 8191 l2cap_conn_ready(conn); 8192 } 8193 8194 int l2cap_disconn_ind(struct hci_conn *hcon) 8195 { 8196 struct l2cap_conn *conn = hcon->l2cap_data; 8197 8198 BT_DBG("hcon %p", hcon); 8199 8200 if (!conn) 8201 return HCI_ERROR_REMOTE_USER_TERM; 8202 return conn->disc_reason; 8203 } 8204 8205 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) 8206 { 8207 if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 8208 return; 8209 8210 BT_DBG("hcon %p reason %d", hcon, reason); 8211 8212 l2cap_conn_del(hcon, bt_to_errno(reason)); 8213 } 8214 8215 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt) 8216 { 8217 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 8218 return; 8219 8220 if (encrypt == 0x00) { 8221 if (chan->sec_level == BT_SECURITY_MEDIUM) { 8222 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT); 8223 } else if (chan->sec_level == BT_SECURITY_HIGH || 8224 chan->sec_level == BT_SECURITY_FIPS) 8225 l2cap_chan_close(chan, ECONNREFUSED); 8226 } else { 8227 if (chan->sec_level == BT_SECURITY_MEDIUM) 8228 __clear_chan_timer(chan); 8229 } 8230 } 8231 8232 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 8233 { 8234 struct l2cap_conn *conn = hcon->l2cap_data; 8235 struct l2cap_chan *chan; 8236 8237 if (!conn) 8238 return; 8239 8240 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt); 8241 8242 mutex_lock(&conn->chan_lock); 8243 8244 list_for_each_entry(chan, &conn->chan_l, list) { 8245 l2cap_chan_lock(chan); 8246 8247 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid, 8248 state_to_string(chan->state)); 8249 8250 if (chan->scid == L2CAP_CID_A2MP) { 8251 l2cap_chan_unlock(chan); 8252 continue; 8253 } 8254 8255 if (!status && encrypt) 8256 chan->sec_level = hcon->sec_level; 8257 8258 if (!__l2cap_no_conn_pending(chan)) { 8259 l2cap_chan_unlock(chan); 8260 continue; 8261 } 8262 8263 if (!status && (chan->state == BT_CONNECTED || 8264 chan->state == BT_CONFIG)) { 8265 chan->ops->resume(chan); 8266 l2cap_check_encryption(chan, encrypt); 8267 l2cap_chan_unlock(chan); 8268 continue; 8269 } 8270 8271 if (chan->state == BT_CONNECT) { 8272 if (!status && l2cap_check_enc_key_size(hcon)) 8273 l2cap_start_connection(chan); 8274 else 8275 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 8276 } else if (chan->state == BT_CONNECT2 && 8277 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL || 8278 chan->mode == L2CAP_MODE_LE_FLOWCTL)) { 8279 struct l2cap_conn_rsp rsp; 8280 __u16 res, stat; 8281 8282 if (!status && l2cap_check_enc_key_size(hcon)) { 8283 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 8284 res = L2CAP_CR_PEND; 8285 stat = L2CAP_CS_AUTHOR_PEND; 8286 chan->ops->defer(chan); 8287 } else { 8288 l2cap_state_change(chan, BT_CONFIG); 8289 res = L2CAP_CR_SUCCESS; 8290 stat = L2CAP_CS_NO_INFO; 8291 } 8292 } else { 8293 l2cap_state_change(chan, BT_DISCONN); 8294 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 8295 res = L2CAP_CR_SEC_BLOCK; 8296 stat = L2CAP_CS_NO_INFO; 8297 } 8298 8299 rsp.scid = cpu_to_le16(chan->dcid); 8300 rsp.dcid = cpu_to_le16(chan->scid); 8301 rsp.result = cpu_to_le16(res); 8302 rsp.status = cpu_to_le16(stat); 8303 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 8304 sizeof(rsp), &rsp); 8305 8306 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) && 8307 res == L2CAP_CR_SUCCESS) { 8308 char buf[128]; 8309 set_bit(CONF_REQ_SENT, &chan->conf_state); 8310 l2cap_send_cmd(conn, l2cap_get_ident(conn), 8311 L2CAP_CONF_REQ, 8312 l2cap_build_conf_req(chan, buf, sizeof(buf)), 8313 buf); 8314 chan->num_conf_req++; 8315 } 8316 } 8317 8318 l2cap_chan_unlock(chan); 8319 } 8320 8321 mutex_unlock(&conn->chan_lock); 8322 } 8323 8324 /* Append fragment into frame respecting the maximum len of rx_skb */ 8325 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb, 8326 u16 len) 8327 { 8328 if (!conn->rx_skb) { 8329 /* Allocate skb for the complete frame (with header) */ 8330 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL); 8331 if (!conn->rx_skb) 8332 return -ENOMEM; 8333 /* Init rx_len */ 8334 conn->rx_len = len; 8335 } 8336 8337 /* Copy as much as the rx_skb can hold */ 8338 len = min_t(u16, len, skb->len); 8339 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len); 8340 skb_pull(skb, len); 8341 conn->rx_len -= len; 8342 8343 return len; 8344 } 8345 8346 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb) 8347 { 8348 struct sk_buff *rx_skb; 8349 int len; 8350 8351 /* Append just enough to complete the header */ 8352 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len); 8353 8354 /* If header could not be read just continue */ 8355 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE) 8356 return len; 8357 8358 rx_skb = conn->rx_skb; 8359 len = get_unaligned_le16(rx_skb->data); 8360 8361 /* Check if rx_skb has enough space to received all fragments */ 8362 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) { 8363 /* Update expected len */ 8364 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE); 8365 return L2CAP_LEN_SIZE; 8366 } 8367 8368 /* Reset conn->rx_skb since it will need to be reallocated in order to 8369 * fit all fragments. 8370 */ 8371 conn->rx_skb = NULL; 8372 8373 /* Reallocates rx_skb using the exact expected length */ 8374 len = l2cap_recv_frag(conn, rx_skb, 8375 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE)); 8376 kfree_skb(rx_skb); 8377 8378 return len; 8379 } 8380 8381 static void l2cap_recv_reset(struct l2cap_conn *conn) 8382 { 8383 kfree_skb(conn->rx_skb); 8384 conn->rx_skb = NULL; 8385 conn->rx_len = 0; 8386 } 8387 8388 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 8389 { 8390 struct l2cap_conn *conn = hcon->l2cap_data; 8391 int len; 8392 8393 /* For AMP controller do not create l2cap conn */ 8394 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY) 8395 goto drop; 8396 8397 if (!conn) 8398 conn = l2cap_conn_add(hcon); 8399 8400 if (!conn) 8401 goto drop; 8402 8403 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags); 8404 8405 switch (flags) { 8406 case ACL_START: 8407 case ACL_START_NO_FLUSH: 8408 case ACL_COMPLETE: 8409 if (conn->rx_skb) { 8410 BT_ERR("Unexpected start frame (len %d)", skb->len); 8411 l2cap_recv_reset(conn); 8412 l2cap_conn_unreliable(conn, ECOMM); 8413 } 8414 8415 /* Start fragment may not contain the L2CAP length so just 8416 * copy the initial byte when that happens and use conn->mtu as 8417 * expected length. 8418 */ 8419 if (skb->len < L2CAP_LEN_SIZE) { 8420 if (l2cap_recv_frag(conn, skb, conn->mtu) < 0) 8421 goto drop; 8422 return; 8423 } 8424 8425 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE; 8426 8427 if (len == skb->len) { 8428 /* Complete frame received */ 8429 l2cap_recv_frame(conn, skb); 8430 return; 8431 } 8432 8433 BT_DBG("Start: total len %d, frag len %u", len, skb->len); 8434 8435 if (skb->len > len) { 8436 BT_ERR("Frame is too long (len %u, expected len %d)", 8437 skb->len, len); 8438 l2cap_conn_unreliable(conn, ECOMM); 8439 goto drop; 8440 } 8441 8442 /* Append fragment into frame (with header) */ 8443 if (l2cap_recv_frag(conn, skb, len) < 0) 8444 goto drop; 8445 8446 break; 8447 8448 case ACL_CONT: 8449 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len); 8450 8451 if (!conn->rx_skb) { 8452 BT_ERR("Unexpected continuation frame (len %d)", skb->len); 8453 l2cap_conn_unreliable(conn, ECOMM); 8454 goto drop; 8455 } 8456 8457 /* Complete the L2CAP length if it has not been read */ 8458 if (conn->rx_skb->len < L2CAP_LEN_SIZE) { 8459 if (l2cap_recv_len(conn, skb) < 0) { 8460 l2cap_conn_unreliable(conn, ECOMM); 8461 goto drop; 8462 } 8463 8464 /* Header still could not be read just continue */ 8465 if (conn->rx_skb->len < L2CAP_LEN_SIZE) 8466 return; 8467 } 8468 8469 if (skb->len > conn->rx_len) { 8470 BT_ERR("Fragment is too long (len %u, expected %u)", 8471 skb->len, conn->rx_len); 8472 l2cap_recv_reset(conn); 8473 l2cap_conn_unreliable(conn, ECOMM); 8474 goto drop; 8475 } 8476 8477 /* Append fragment into frame (with header) */ 8478 l2cap_recv_frag(conn, skb, skb->len); 8479 8480 if (!conn->rx_len) { 8481 /* Complete frame received. l2cap_recv_frame 8482 * takes ownership of the skb so set the global 8483 * rx_skb pointer to NULL first. 8484 */ 8485 struct sk_buff *rx_skb = conn->rx_skb; 8486 conn->rx_skb = NULL; 8487 l2cap_recv_frame(conn, rx_skb); 8488 } 8489 break; 8490 } 8491 8492 drop: 8493 kfree_skb(skb); 8494 } 8495 8496 static struct hci_cb l2cap_cb = { 8497 .name = "L2CAP", 8498 .connect_cfm = l2cap_connect_cfm, 8499 .disconn_cfm = l2cap_disconn_cfm, 8500 .security_cfm = l2cap_security_cfm, 8501 }; 8502 8503 static int l2cap_debugfs_show(struct seq_file *f, void *p) 8504 { 8505 struct l2cap_chan *c; 8506 8507 read_lock(&chan_list_lock); 8508 8509 list_for_each_entry(c, &chan_list, global_l) { 8510 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 8511 &c->src, c->src_type, &c->dst, c->dst_type, 8512 c->state, __le16_to_cpu(c->psm), 8513 c->scid, c->dcid, c->imtu, c->omtu, 8514 c->sec_level, c->mode); 8515 } 8516 8517 read_unlock(&chan_list_lock); 8518 8519 return 0; 8520 } 8521 8522 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs); 8523 8524 static struct dentry *l2cap_debugfs; 8525 8526 int __init l2cap_init(void) 8527 { 8528 int err; 8529 8530 err = l2cap_init_sockets(); 8531 if (err < 0) 8532 return err; 8533 8534 hci_register_cb(&l2cap_cb); 8535 8536 if (IS_ERR_OR_NULL(bt_debugfs)) 8537 return 0; 8538 8539 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs, 8540 NULL, &l2cap_debugfs_fops); 8541 8542 return 0; 8543 } 8544 8545 void l2cap_exit(void) 8546 { 8547 debugfs_remove(l2cap_debugfs); 8548 hci_unregister_cb(&l2cap_cb); 8549 l2cap_cleanup_sockets(); 8550 } 8551 8552 module_param(disable_ertm, bool, 0644); 8553 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode"); 8554 8555 module_param(enable_ecred, bool, 0644); 8556 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode"); 8557