1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved. 8 9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 10 11 This program is free software; you can redistribute it and/or modify 12 it under the terms of the GNU General Public License version 2 as 13 published by the Free Software Foundation; 14 15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 23 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 26 SOFTWARE IS DISCLAIMED. 27 */ 28 29 /* Bluetooth L2CAP core. */ 30 31 #include <linux/module.h> 32 33 #include <linux/debugfs.h> 34 #include <linux/crc16.h> 35 #include <linux/filter.h> 36 37 #include <net/bluetooth/bluetooth.h> 38 #include <net/bluetooth/hci_core.h> 39 #include <net/bluetooth/l2cap.h> 40 41 #include "smp.h" 42 43 #define LE_FLOWCTL_MAX_CREDITS 65535 44 45 bool disable_ertm; 46 bool enable_ecred = IS_ENABLED(CONFIG_BT_LE_L2CAP_ECRED); 47 48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD; 49 50 static LIST_HEAD(chan_list); 51 static DEFINE_RWLOCK(chan_list_lock); 52 53 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 54 u8 code, u8 ident, u16 dlen, void *data); 55 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 56 void *data); 57 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size); 58 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); 59 60 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 61 struct sk_buff_head *skbs, u8 event); 62 static void l2cap_retrans_timeout(struct work_struct *work); 63 static void l2cap_monitor_timeout(struct work_struct *work); 64 static void l2cap_ack_timeout(struct work_struct *work); 65 66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) 67 { 68 if (link_type == LE_LINK) { 69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 70 return BDADDR_LE_PUBLIC; 71 else 72 return BDADDR_LE_RANDOM; 73 } 74 75 return BDADDR_BREDR; 76 } 77 78 static inline u8 bdaddr_src_type(struct hci_conn *hcon) 79 { 80 return bdaddr_type(hcon->type, hcon->src_type); 81 } 82 83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon) 84 { 85 return bdaddr_type(hcon->type, hcon->dst_type); 86 } 87 88 /* ---- L2CAP channels ---- */ 89 90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 91 u16 cid) 92 { 93 struct l2cap_chan *c; 94 95 list_for_each_entry(c, &conn->chan_l, list) { 96 if (c->dcid == cid) 97 return c; 98 } 99 return NULL; 100 } 101 102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, 103 u16 cid) 104 { 105 struct l2cap_chan *c; 106 107 list_for_each_entry(c, &conn->chan_l, list) { 108 if (c->scid == cid) 109 return c; 110 } 111 return NULL; 112 } 113 114 /* Find channel with given SCID. 115 * Returns a reference locked channel. 116 */ 117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, 118 u16 cid) 119 { 120 struct l2cap_chan *c; 121 122 mutex_lock(&conn->chan_lock); 123 c = __l2cap_get_chan_by_scid(conn, cid); 124 if (c) { 125 /* Only lock if chan reference is not 0 */ 126 c = l2cap_chan_hold_unless_zero(c); 127 if (c) 128 l2cap_chan_lock(c); 129 } 130 mutex_unlock(&conn->chan_lock); 131 132 return c; 133 } 134 135 /* Find channel with given DCID. 136 * Returns a reference locked channel. 137 */ 138 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 139 u16 cid) 140 { 141 struct l2cap_chan *c; 142 143 mutex_lock(&conn->chan_lock); 144 c = __l2cap_get_chan_by_dcid(conn, cid); 145 if (c) { 146 /* Only lock if chan reference is not 0 */ 147 c = l2cap_chan_hold_unless_zero(c); 148 if (c) 149 l2cap_chan_lock(c); 150 } 151 mutex_unlock(&conn->chan_lock); 152 153 return c; 154 } 155 156 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, 157 u8 ident) 158 { 159 struct l2cap_chan *c; 160 161 list_for_each_entry(c, &conn->chan_l, list) { 162 if (c->ident == ident) 163 return c; 164 } 165 return NULL; 166 } 167 168 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src, 169 u8 src_type) 170 { 171 struct l2cap_chan *c; 172 173 list_for_each_entry(c, &chan_list, global_l) { 174 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR) 175 continue; 176 177 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR) 178 continue; 179 180 if (c->sport == psm && !bacmp(&c->src, src)) 181 return c; 182 } 183 return NULL; 184 } 185 186 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm) 187 { 188 int err; 189 190 write_lock(&chan_list_lock); 191 192 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) { 193 err = -EADDRINUSE; 194 goto done; 195 } 196 197 if (psm) { 198 chan->psm = psm; 199 chan->sport = psm; 200 err = 0; 201 } else { 202 u16 p, start, end, incr; 203 204 if (chan->src_type == BDADDR_BREDR) { 205 start = L2CAP_PSM_DYN_START; 206 end = L2CAP_PSM_AUTO_END; 207 incr = 2; 208 } else { 209 start = L2CAP_PSM_LE_DYN_START; 210 end = L2CAP_PSM_LE_DYN_END; 211 incr = 1; 212 } 213 214 err = -EINVAL; 215 for (p = start; p <= end; p += incr) 216 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src, 217 chan->src_type)) { 218 chan->psm = cpu_to_le16(p); 219 chan->sport = cpu_to_le16(p); 220 err = 0; 221 break; 222 } 223 } 224 225 done: 226 write_unlock(&chan_list_lock); 227 return err; 228 } 229 EXPORT_SYMBOL_GPL(l2cap_add_psm); 230 231 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid) 232 { 233 write_lock(&chan_list_lock); 234 235 /* Override the defaults (which are for conn-oriented) */ 236 chan->omtu = L2CAP_DEFAULT_MTU; 237 chan->chan_type = L2CAP_CHAN_FIXED; 238 239 chan->scid = scid; 240 241 write_unlock(&chan_list_lock); 242 243 return 0; 244 } 245 246 static u16 l2cap_alloc_cid(struct l2cap_conn *conn) 247 { 248 u16 cid, dyn_end; 249 250 if (conn->hcon->type == LE_LINK) 251 dyn_end = L2CAP_CID_LE_DYN_END; 252 else 253 dyn_end = L2CAP_CID_DYN_END; 254 255 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) { 256 if (!__l2cap_get_chan_by_scid(conn, cid)) 257 return cid; 258 } 259 260 return 0; 261 } 262 263 static void l2cap_state_change(struct l2cap_chan *chan, int state) 264 { 265 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state), 266 state_to_string(state)); 267 268 chan->state = state; 269 chan->ops->state_change(chan, state, 0); 270 } 271 272 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan, 273 int state, int err) 274 { 275 chan->state = state; 276 chan->ops->state_change(chan, chan->state, err); 277 } 278 279 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err) 280 { 281 chan->ops->state_change(chan, chan->state, err); 282 } 283 284 static void __set_retrans_timer(struct l2cap_chan *chan) 285 { 286 if (!delayed_work_pending(&chan->monitor_timer) && 287 chan->retrans_timeout) { 288 l2cap_set_timer(chan, &chan->retrans_timer, 289 msecs_to_jiffies(chan->retrans_timeout)); 290 } 291 } 292 293 static void __set_monitor_timer(struct l2cap_chan *chan) 294 { 295 __clear_retrans_timer(chan); 296 if (chan->monitor_timeout) { 297 l2cap_set_timer(chan, &chan->monitor_timer, 298 msecs_to_jiffies(chan->monitor_timeout)); 299 } 300 } 301 302 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head, 303 u16 seq) 304 { 305 struct sk_buff *skb; 306 307 skb_queue_walk(head, skb) { 308 if (bt_cb(skb)->l2cap.txseq == seq) 309 return skb; 310 } 311 312 return NULL; 313 } 314 315 /* ---- L2CAP sequence number lists ---- */ 316 317 /* For ERTM, ordered lists of sequence numbers must be tracked for 318 * SREJ requests that are received and for frames that are to be 319 * retransmitted. These seq_list functions implement a singly-linked 320 * list in an array, where membership in the list can also be checked 321 * in constant time. Items can also be added to the tail of the list 322 * and removed from the head in constant time, without further memory 323 * allocs or frees. 324 */ 325 326 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size) 327 { 328 size_t alloc_size, i; 329 330 /* Allocated size is a power of 2 to map sequence numbers 331 * (which may be up to 14 bits) in to a smaller array that is 332 * sized for the negotiated ERTM transmit windows. 333 */ 334 alloc_size = roundup_pow_of_two(size); 335 336 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL); 337 if (!seq_list->list) 338 return -ENOMEM; 339 340 seq_list->mask = alloc_size - 1; 341 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 342 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 343 for (i = 0; i < alloc_size; i++) 344 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 345 346 return 0; 347 } 348 349 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list) 350 { 351 kfree(seq_list->list); 352 } 353 354 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list, 355 u16 seq) 356 { 357 /* Constant-time check for list membership */ 358 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR; 359 } 360 361 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list) 362 { 363 u16 seq = seq_list->head; 364 u16 mask = seq_list->mask; 365 366 seq_list->head = seq_list->list[seq & mask]; 367 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR; 368 369 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) { 370 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 371 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 372 } 373 374 return seq; 375 } 376 377 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list) 378 { 379 u16 i; 380 381 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) 382 return; 383 384 for (i = 0; i <= seq_list->mask; i++) 385 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 386 387 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 388 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 389 } 390 391 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq) 392 { 393 u16 mask = seq_list->mask; 394 395 /* All appends happen in constant time */ 396 397 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR) 398 return; 399 400 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR) 401 seq_list->head = seq; 402 else 403 seq_list->list[seq_list->tail & mask] = seq; 404 405 seq_list->tail = seq; 406 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL; 407 } 408 409 static void l2cap_chan_timeout(struct work_struct *work) 410 { 411 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 412 chan_timer.work); 413 struct l2cap_conn *conn = chan->conn; 414 int reason; 415 416 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 417 418 if (!conn) 419 return; 420 421 mutex_lock(&conn->chan_lock); 422 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling 423 * this work. No need to call l2cap_chan_hold(chan) here again. 424 */ 425 l2cap_chan_lock(chan); 426 427 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) 428 reason = ECONNREFUSED; 429 else if (chan->state == BT_CONNECT && 430 chan->sec_level != BT_SECURITY_SDP) 431 reason = ECONNREFUSED; 432 else 433 reason = ETIMEDOUT; 434 435 l2cap_chan_close(chan, reason); 436 437 chan->ops->close(chan); 438 439 l2cap_chan_unlock(chan); 440 l2cap_chan_put(chan); 441 442 mutex_unlock(&conn->chan_lock); 443 } 444 445 struct l2cap_chan *l2cap_chan_create(void) 446 { 447 struct l2cap_chan *chan; 448 449 chan = kzalloc(sizeof(*chan), GFP_ATOMIC); 450 if (!chan) 451 return NULL; 452 453 skb_queue_head_init(&chan->tx_q); 454 skb_queue_head_init(&chan->srej_q); 455 mutex_init(&chan->lock); 456 457 /* Set default lock nesting level */ 458 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL); 459 460 /* Available receive buffer space is initially unknown */ 461 chan->rx_avail = -1; 462 463 write_lock(&chan_list_lock); 464 list_add(&chan->global_l, &chan_list); 465 write_unlock(&chan_list_lock); 466 467 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); 468 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); 469 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); 470 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); 471 472 chan->state = BT_OPEN; 473 474 kref_init(&chan->kref); 475 476 /* This flag is cleared in l2cap_chan_ready() */ 477 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 478 479 BT_DBG("chan %p", chan); 480 481 return chan; 482 } 483 EXPORT_SYMBOL_GPL(l2cap_chan_create); 484 485 static void l2cap_chan_destroy(struct kref *kref) 486 { 487 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref); 488 489 BT_DBG("chan %p", chan); 490 491 write_lock(&chan_list_lock); 492 list_del(&chan->global_l); 493 write_unlock(&chan_list_lock); 494 495 kfree(chan); 496 } 497 498 void l2cap_chan_hold(struct l2cap_chan *c) 499 { 500 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 501 502 kref_get(&c->kref); 503 } 504 505 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) 506 { 507 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 508 509 if (!kref_get_unless_zero(&c->kref)) 510 return NULL; 511 512 return c; 513 } 514 515 void l2cap_chan_put(struct l2cap_chan *c) 516 { 517 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 518 519 kref_put(&c->kref, l2cap_chan_destroy); 520 } 521 EXPORT_SYMBOL_GPL(l2cap_chan_put); 522 523 void l2cap_chan_set_defaults(struct l2cap_chan *chan) 524 { 525 chan->fcs = L2CAP_FCS_CRC16; 526 chan->max_tx = L2CAP_DEFAULT_MAX_TX; 527 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW; 528 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 529 chan->remote_max_tx = chan->max_tx; 530 chan->remote_tx_win = chan->tx_win; 531 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW; 532 chan->sec_level = BT_SECURITY_LOW; 533 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 534 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; 535 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; 536 537 chan->conf_state = 0; 538 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 539 540 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 541 } 542 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults); 543 544 static __u16 l2cap_le_rx_credits(struct l2cap_chan *chan) 545 { 546 size_t sdu_len = chan->sdu ? chan->sdu->len : 0; 547 548 if (chan->mps == 0) 549 return 0; 550 551 /* If we don't know the available space in the receiver buffer, give 552 * enough credits for a full packet. 553 */ 554 if (chan->rx_avail == -1) 555 return (chan->imtu / chan->mps) + 1; 556 557 /* If we know how much space is available in the receive buffer, give 558 * out as many credits as would fill the buffer. 559 */ 560 if (chan->rx_avail <= sdu_len) 561 return 0; 562 563 return DIV_ROUND_UP(chan->rx_avail - sdu_len, chan->mps); 564 } 565 566 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits) 567 { 568 chan->sdu = NULL; 569 chan->sdu_last_frag = NULL; 570 chan->sdu_len = 0; 571 chan->tx_credits = tx_credits; 572 /* Derive MPS from connection MTU to stop HCI fragmentation */ 573 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE); 574 chan->rx_credits = l2cap_le_rx_credits(chan); 575 576 skb_queue_head_init(&chan->tx_q); 577 } 578 579 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits) 580 { 581 l2cap_le_flowctl_init(chan, tx_credits); 582 583 /* L2CAP implementations shall support a minimum MPS of 64 octets */ 584 if (chan->mps < L2CAP_ECRED_MIN_MPS) { 585 chan->mps = L2CAP_ECRED_MIN_MPS; 586 chan->rx_credits = l2cap_le_rx_credits(chan); 587 } 588 } 589 590 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 591 { 592 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 593 __le16_to_cpu(chan->psm), chan->dcid); 594 595 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 596 597 chan->conn = conn; 598 599 switch (chan->chan_type) { 600 case L2CAP_CHAN_CONN_ORIENTED: 601 /* Alloc CID for connection-oriented socket */ 602 chan->scid = l2cap_alloc_cid(conn); 603 if (conn->hcon->type == ACL_LINK) 604 chan->omtu = L2CAP_DEFAULT_MTU; 605 break; 606 607 case L2CAP_CHAN_CONN_LESS: 608 /* Connectionless socket */ 609 chan->scid = L2CAP_CID_CONN_LESS; 610 chan->dcid = L2CAP_CID_CONN_LESS; 611 chan->omtu = L2CAP_DEFAULT_MTU; 612 break; 613 614 case L2CAP_CHAN_FIXED: 615 /* Caller will set CID and CID specific MTU values */ 616 break; 617 618 default: 619 /* Raw socket can send/recv signalling messages only */ 620 chan->scid = L2CAP_CID_SIGNALING; 621 chan->dcid = L2CAP_CID_SIGNALING; 622 chan->omtu = L2CAP_DEFAULT_MTU; 623 } 624 625 chan->local_id = L2CAP_BESTEFFORT_ID; 626 chan->local_stype = L2CAP_SERV_BESTEFFORT; 627 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE; 628 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME; 629 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT; 630 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO; 631 632 l2cap_chan_hold(chan); 633 634 /* Only keep a reference for fixed channels if they requested it */ 635 if (chan->chan_type != L2CAP_CHAN_FIXED || 636 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags)) 637 hci_conn_hold(conn->hcon); 638 639 list_add(&chan->list, &conn->chan_l); 640 } 641 642 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 643 { 644 mutex_lock(&conn->chan_lock); 645 __l2cap_chan_add(conn, chan); 646 mutex_unlock(&conn->chan_lock); 647 } 648 649 void l2cap_chan_del(struct l2cap_chan *chan, int err) 650 { 651 struct l2cap_conn *conn = chan->conn; 652 653 __clear_chan_timer(chan); 654 655 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err, 656 state_to_string(chan->state)); 657 658 chan->ops->teardown(chan, err); 659 660 if (conn) { 661 /* Delete from channel list */ 662 list_del(&chan->list); 663 664 l2cap_chan_put(chan); 665 666 chan->conn = NULL; 667 668 /* Reference was only held for non-fixed channels or 669 * fixed channels that explicitly requested it using the 670 * FLAG_HOLD_HCI_CONN flag. 671 */ 672 if (chan->chan_type != L2CAP_CHAN_FIXED || 673 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags)) 674 hci_conn_drop(conn->hcon); 675 } 676 677 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state)) 678 return; 679 680 switch (chan->mode) { 681 case L2CAP_MODE_BASIC: 682 break; 683 684 case L2CAP_MODE_LE_FLOWCTL: 685 case L2CAP_MODE_EXT_FLOWCTL: 686 skb_queue_purge(&chan->tx_q); 687 break; 688 689 case L2CAP_MODE_ERTM: 690 __clear_retrans_timer(chan); 691 __clear_monitor_timer(chan); 692 __clear_ack_timer(chan); 693 694 skb_queue_purge(&chan->srej_q); 695 696 l2cap_seq_list_free(&chan->srej_list); 697 l2cap_seq_list_free(&chan->retrans_list); 698 fallthrough; 699 700 case L2CAP_MODE_STREAMING: 701 skb_queue_purge(&chan->tx_q); 702 break; 703 } 704 } 705 EXPORT_SYMBOL_GPL(l2cap_chan_del); 706 707 static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id, 708 l2cap_chan_func_t func, void *data) 709 { 710 struct l2cap_chan *chan, *l; 711 712 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 713 if (chan->ident == id) 714 func(chan, data); 715 } 716 } 717 718 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, 719 void *data) 720 { 721 struct l2cap_chan *chan; 722 723 list_for_each_entry(chan, &conn->chan_l, list) { 724 func(chan, data); 725 } 726 } 727 728 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, 729 void *data) 730 { 731 if (!conn) 732 return; 733 734 mutex_lock(&conn->chan_lock); 735 __l2cap_chan_list(conn, func, data); 736 mutex_unlock(&conn->chan_lock); 737 } 738 739 EXPORT_SYMBOL_GPL(l2cap_chan_list); 740 741 static void l2cap_conn_update_id_addr(struct work_struct *work) 742 { 743 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 744 id_addr_timer.work); 745 struct hci_conn *hcon = conn->hcon; 746 struct l2cap_chan *chan; 747 748 mutex_lock(&conn->chan_lock); 749 750 list_for_each_entry(chan, &conn->chan_l, list) { 751 l2cap_chan_lock(chan); 752 bacpy(&chan->dst, &hcon->dst); 753 chan->dst_type = bdaddr_dst_type(hcon); 754 l2cap_chan_unlock(chan); 755 } 756 757 mutex_unlock(&conn->chan_lock); 758 } 759 760 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan) 761 { 762 struct l2cap_conn *conn = chan->conn; 763 struct l2cap_le_conn_rsp rsp; 764 u16 result; 765 766 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 767 result = L2CAP_CR_LE_AUTHORIZATION; 768 else 769 result = L2CAP_CR_LE_BAD_PSM; 770 771 l2cap_state_change(chan, BT_DISCONN); 772 773 rsp.dcid = cpu_to_le16(chan->scid); 774 rsp.mtu = cpu_to_le16(chan->imtu); 775 rsp.mps = cpu_to_le16(chan->mps); 776 rsp.credits = cpu_to_le16(chan->rx_credits); 777 rsp.result = cpu_to_le16(result); 778 779 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 780 &rsp); 781 } 782 783 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan) 784 { 785 l2cap_state_change(chan, BT_DISCONN); 786 787 __l2cap_ecred_conn_rsp_defer(chan); 788 } 789 790 static void l2cap_chan_connect_reject(struct l2cap_chan *chan) 791 { 792 struct l2cap_conn *conn = chan->conn; 793 struct l2cap_conn_rsp rsp; 794 u16 result; 795 796 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 797 result = L2CAP_CR_SEC_BLOCK; 798 else 799 result = L2CAP_CR_BAD_PSM; 800 801 l2cap_state_change(chan, BT_DISCONN); 802 803 rsp.scid = cpu_to_le16(chan->dcid); 804 rsp.dcid = cpu_to_le16(chan->scid); 805 rsp.result = cpu_to_le16(result); 806 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 807 808 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp); 809 } 810 811 void l2cap_chan_close(struct l2cap_chan *chan, int reason) 812 { 813 struct l2cap_conn *conn = chan->conn; 814 815 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 816 817 switch (chan->state) { 818 case BT_LISTEN: 819 chan->ops->teardown(chan, 0); 820 break; 821 822 case BT_CONNECTED: 823 case BT_CONFIG: 824 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) { 825 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 826 l2cap_send_disconn_req(chan, reason); 827 } else 828 l2cap_chan_del(chan, reason); 829 break; 830 831 case BT_CONNECT2: 832 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) { 833 if (conn->hcon->type == ACL_LINK) 834 l2cap_chan_connect_reject(chan); 835 else if (conn->hcon->type == LE_LINK) { 836 switch (chan->mode) { 837 case L2CAP_MODE_LE_FLOWCTL: 838 l2cap_chan_le_connect_reject(chan); 839 break; 840 case L2CAP_MODE_EXT_FLOWCTL: 841 l2cap_chan_ecred_connect_reject(chan); 842 return; 843 } 844 } 845 } 846 847 l2cap_chan_del(chan, reason); 848 break; 849 850 case BT_CONNECT: 851 case BT_DISCONN: 852 l2cap_chan_del(chan, reason); 853 break; 854 855 default: 856 chan->ops->teardown(chan, 0); 857 break; 858 } 859 } 860 EXPORT_SYMBOL(l2cap_chan_close); 861 862 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan) 863 { 864 switch (chan->chan_type) { 865 case L2CAP_CHAN_RAW: 866 switch (chan->sec_level) { 867 case BT_SECURITY_HIGH: 868 case BT_SECURITY_FIPS: 869 return HCI_AT_DEDICATED_BONDING_MITM; 870 case BT_SECURITY_MEDIUM: 871 return HCI_AT_DEDICATED_BONDING; 872 default: 873 return HCI_AT_NO_BONDING; 874 } 875 break; 876 case L2CAP_CHAN_CONN_LESS: 877 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) { 878 if (chan->sec_level == BT_SECURITY_LOW) 879 chan->sec_level = BT_SECURITY_SDP; 880 } 881 if (chan->sec_level == BT_SECURITY_HIGH || 882 chan->sec_level == BT_SECURITY_FIPS) 883 return HCI_AT_NO_BONDING_MITM; 884 else 885 return HCI_AT_NO_BONDING; 886 break; 887 case L2CAP_CHAN_CONN_ORIENTED: 888 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) { 889 if (chan->sec_level == BT_SECURITY_LOW) 890 chan->sec_level = BT_SECURITY_SDP; 891 892 if (chan->sec_level == BT_SECURITY_HIGH || 893 chan->sec_level == BT_SECURITY_FIPS) 894 return HCI_AT_NO_BONDING_MITM; 895 else 896 return HCI_AT_NO_BONDING; 897 } 898 fallthrough; 899 900 default: 901 switch (chan->sec_level) { 902 case BT_SECURITY_HIGH: 903 case BT_SECURITY_FIPS: 904 return HCI_AT_GENERAL_BONDING_MITM; 905 case BT_SECURITY_MEDIUM: 906 return HCI_AT_GENERAL_BONDING; 907 default: 908 return HCI_AT_NO_BONDING; 909 } 910 break; 911 } 912 } 913 914 /* Service level security */ 915 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator) 916 { 917 struct l2cap_conn *conn = chan->conn; 918 __u8 auth_type; 919 920 if (conn->hcon->type == LE_LINK) 921 return smp_conn_security(conn->hcon, chan->sec_level); 922 923 auth_type = l2cap_get_auth_type(chan); 924 925 return hci_conn_security(conn->hcon, chan->sec_level, auth_type, 926 initiator); 927 } 928 929 static u8 l2cap_get_ident(struct l2cap_conn *conn) 930 { 931 u8 id; 932 933 /* Get next available identificator. 934 * 1 - 128 are used by kernel. 935 * 129 - 199 are reserved. 936 * 200 - 254 are used by utilities like l2ping, etc. 937 */ 938 939 mutex_lock(&conn->ident_lock); 940 941 if (++conn->tx_ident > 128) 942 conn->tx_ident = 1; 943 944 id = conn->tx_ident; 945 946 mutex_unlock(&conn->ident_lock); 947 948 return id; 949 } 950 951 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 952 void *data) 953 { 954 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 955 u8 flags; 956 957 BT_DBG("code 0x%2.2x", code); 958 959 if (!skb) 960 return; 961 962 /* Use NO_FLUSH if supported or we have an LE link (which does 963 * not support auto-flushing packets) */ 964 if (lmp_no_flush_capable(conn->hcon->hdev) || 965 conn->hcon->type == LE_LINK) 966 flags = ACL_START_NO_FLUSH; 967 else 968 flags = ACL_START; 969 970 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON; 971 skb->priority = HCI_PRIO_MAX; 972 973 hci_send_acl(conn->hchan, skb, flags); 974 } 975 976 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 977 { 978 struct hci_conn *hcon = chan->conn->hcon; 979 u16 flags; 980 981 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len, 982 skb->priority); 983 984 /* Use NO_FLUSH for LE links (where this is the only option) or 985 * if the BR/EDR link supports it and flushing has not been 986 * explicitly requested (through FLAG_FLUSHABLE). 987 */ 988 if (hcon->type == LE_LINK || 989 (!test_bit(FLAG_FLUSHABLE, &chan->flags) && 990 lmp_no_flush_capable(hcon->hdev))) 991 flags = ACL_START_NO_FLUSH; 992 else 993 flags = ACL_START; 994 995 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 996 hci_send_acl(chan->conn->hchan, skb, flags); 997 } 998 999 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control) 1000 { 1001 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT; 1002 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT; 1003 1004 if (enh & L2CAP_CTRL_FRAME_TYPE) { 1005 /* S-Frame */ 1006 control->sframe = 1; 1007 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT; 1008 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT; 1009 1010 control->sar = 0; 1011 control->txseq = 0; 1012 } else { 1013 /* I-Frame */ 1014 control->sframe = 0; 1015 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT; 1016 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT; 1017 1018 control->poll = 0; 1019 control->super = 0; 1020 } 1021 } 1022 1023 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control) 1024 { 1025 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT; 1026 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT; 1027 1028 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) { 1029 /* S-Frame */ 1030 control->sframe = 1; 1031 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT; 1032 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT; 1033 1034 control->sar = 0; 1035 control->txseq = 0; 1036 } else { 1037 /* I-Frame */ 1038 control->sframe = 0; 1039 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT; 1040 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT; 1041 1042 control->poll = 0; 1043 control->super = 0; 1044 } 1045 } 1046 1047 static inline void __unpack_control(struct l2cap_chan *chan, 1048 struct sk_buff *skb) 1049 { 1050 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1051 __unpack_extended_control(get_unaligned_le32(skb->data), 1052 &bt_cb(skb)->l2cap); 1053 skb_pull(skb, L2CAP_EXT_CTRL_SIZE); 1054 } else { 1055 __unpack_enhanced_control(get_unaligned_le16(skb->data), 1056 &bt_cb(skb)->l2cap); 1057 skb_pull(skb, L2CAP_ENH_CTRL_SIZE); 1058 } 1059 } 1060 1061 static u32 __pack_extended_control(struct l2cap_ctrl *control) 1062 { 1063 u32 packed; 1064 1065 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT; 1066 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT; 1067 1068 if (control->sframe) { 1069 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT; 1070 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT; 1071 packed |= L2CAP_EXT_CTRL_FRAME_TYPE; 1072 } else { 1073 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT; 1074 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT; 1075 } 1076 1077 return packed; 1078 } 1079 1080 static u16 __pack_enhanced_control(struct l2cap_ctrl *control) 1081 { 1082 u16 packed; 1083 1084 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT; 1085 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT; 1086 1087 if (control->sframe) { 1088 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT; 1089 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT; 1090 packed |= L2CAP_CTRL_FRAME_TYPE; 1091 } else { 1092 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT; 1093 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT; 1094 } 1095 1096 return packed; 1097 } 1098 1099 static inline void __pack_control(struct l2cap_chan *chan, 1100 struct l2cap_ctrl *control, 1101 struct sk_buff *skb) 1102 { 1103 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1104 put_unaligned_le32(__pack_extended_control(control), 1105 skb->data + L2CAP_HDR_SIZE); 1106 } else { 1107 put_unaligned_le16(__pack_enhanced_control(control), 1108 skb->data + L2CAP_HDR_SIZE); 1109 } 1110 } 1111 1112 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan) 1113 { 1114 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1115 return L2CAP_EXT_HDR_SIZE; 1116 else 1117 return L2CAP_ENH_HDR_SIZE; 1118 } 1119 1120 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan, 1121 u32 control) 1122 { 1123 struct sk_buff *skb; 1124 struct l2cap_hdr *lh; 1125 int hlen = __ertm_hdr_size(chan); 1126 1127 if (chan->fcs == L2CAP_FCS_CRC16) 1128 hlen += L2CAP_FCS_SIZE; 1129 1130 skb = bt_skb_alloc(hlen, GFP_KERNEL); 1131 1132 if (!skb) 1133 return ERR_PTR(-ENOMEM); 1134 1135 lh = skb_put(skb, L2CAP_HDR_SIZE); 1136 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE); 1137 lh->cid = cpu_to_le16(chan->dcid); 1138 1139 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1140 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 1141 else 1142 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 1143 1144 if (chan->fcs == L2CAP_FCS_CRC16) { 1145 u16 fcs = crc16(0, (u8 *)skb->data, skb->len); 1146 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1147 } 1148 1149 skb->priority = HCI_PRIO_MAX; 1150 return skb; 1151 } 1152 1153 static void l2cap_send_sframe(struct l2cap_chan *chan, 1154 struct l2cap_ctrl *control) 1155 { 1156 struct sk_buff *skb; 1157 u32 control_field; 1158 1159 BT_DBG("chan %p, control %p", chan, control); 1160 1161 if (!control->sframe) 1162 return; 1163 1164 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) && 1165 !control->poll) 1166 control->final = 1; 1167 1168 if (control->super == L2CAP_SUPER_RR) 1169 clear_bit(CONN_RNR_SENT, &chan->conn_state); 1170 else if (control->super == L2CAP_SUPER_RNR) 1171 set_bit(CONN_RNR_SENT, &chan->conn_state); 1172 1173 if (control->super != L2CAP_SUPER_SREJ) { 1174 chan->last_acked_seq = control->reqseq; 1175 __clear_ack_timer(chan); 1176 } 1177 1178 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq, 1179 control->final, control->poll, control->super); 1180 1181 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1182 control_field = __pack_extended_control(control); 1183 else 1184 control_field = __pack_enhanced_control(control); 1185 1186 skb = l2cap_create_sframe_pdu(chan, control_field); 1187 if (!IS_ERR(skb)) 1188 l2cap_do_send(chan, skb); 1189 } 1190 1191 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll) 1192 { 1193 struct l2cap_ctrl control; 1194 1195 BT_DBG("chan %p, poll %d", chan, poll); 1196 1197 memset(&control, 0, sizeof(control)); 1198 control.sframe = 1; 1199 control.poll = poll; 1200 1201 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 1202 control.super = L2CAP_SUPER_RNR; 1203 else 1204 control.super = L2CAP_SUPER_RR; 1205 1206 control.reqseq = chan->buffer_seq; 1207 l2cap_send_sframe(chan, &control); 1208 } 1209 1210 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 1211 { 1212 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 1213 return true; 1214 1215 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state); 1216 } 1217 1218 void l2cap_send_conn_req(struct l2cap_chan *chan) 1219 { 1220 struct l2cap_conn *conn = chan->conn; 1221 struct l2cap_conn_req req; 1222 1223 req.scid = cpu_to_le16(chan->scid); 1224 req.psm = chan->psm; 1225 1226 chan->ident = l2cap_get_ident(conn); 1227 1228 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 1229 1230 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req); 1231 } 1232 1233 static void l2cap_chan_ready(struct l2cap_chan *chan) 1234 { 1235 /* The channel may have already been flagged as connected in 1236 * case of receiving data before the L2CAP info req/rsp 1237 * procedure is complete. 1238 */ 1239 if (chan->state == BT_CONNECTED) 1240 return; 1241 1242 /* This clears all conf flags, including CONF_NOT_COMPLETE */ 1243 chan->conf_state = 0; 1244 __clear_chan_timer(chan); 1245 1246 switch (chan->mode) { 1247 case L2CAP_MODE_LE_FLOWCTL: 1248 case L2CAP_MODE_EXT_FLOWCTL: 1249 if (!chan->tx_credits) 1250 chan->ops->suspend(chan); 1251 break; 1252 } 1253 1254 chan->state = BT_CONNECTED; 1255 1256 chan->ops->ready(chan); 1257 } 1258 1259 static void l2cap_le_connect(struct l2cap_chan *chan) 1260 { 1261 struct l2cap_conn *conn = chan->conn; 1262 struct l2cap_le_conn_req req; 1263 1264 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags)) 1265 return; 1266 1267 if (!chan->imtu) 1268 chan->imtu = chan->conn->mtu; 1269 1270 l2cap_le_flowctl_init(chan, 0); 1271 1272 memset(&req, 0, sizeof(req)); 1273 req.psm = chan->psm; 1274 req.scid = cpu_to_le16(chan->scid); 1275 req.mtu = cpu_to_le16(chan->imtu); 1276 req.mps = cpu_to_le16(chan->mps); 1277 req.credits = cpu_to_le16(chan->rx_credits); 1278 1279 chan->ident = l2cap_get_ident(conn); 1280 1281 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ, 1282 sizeof(req), &req); 1283 } 1284 1285 struct l2cap_ecred_conn_data { 1286 struct { 1287 struct l2cap_ecred_conn_req req; 1288 __le16 scid[5]; 1289 } __packed pdu; 1290 struct l2cap_chan *chan; 1291 struct pid *pid; 1292 int count; 1293 }; 1294 1295 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data) 1296 { 1297 struct l2cap_ecred_conn_data *conn = data; 1298 struct pid *pid; 1299 1300 if (chan == conn->chan) 1301 return; 1302 1303 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags)) 1304 return; 1305 1306 pid = chan->ops->get_peer_pid(chan); 1307 1308 /* Only add deferred channels with the same PID/PSM */ 1309 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident || 1310 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT) 1311 return; 1312 1313 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 1314 return; 1315 1316 l2cap_ecred_init(chan, 0); 1317 1318 /* Set the same ident so we can match on the rsp */ 1319 chan->ident = conn->chan->ident; 1320 1321 /* Include all channels deferred */ 1322 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid); 1323 1324 conn->count++; 1325 } 1326 1327 static void l2cap_ecred_connect(struct l2cap_chan *chan) 1328 { 1329 struct l2cap_conn *conn = chan->conn; 1330 struct l2cap_ecred_conn_data data; 1331 1332 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 1333 return; 1334 1335 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 1336 return; 1337 1338 l2cap_ecred_init(chan, 0); 1339 1340 memset(&data, 0, sizeof(data)); 1341 data.pdu.req.psm = chan->psm; 1342 data.pdu.req.mtu = cpu_to_le16(chan->imtu); 1343 data.pdu.req.mps = cpu_to_le16(chan->mps); 1344 data.pdu.req.credits = cpu_to_le16(chan->rx_credits); 1345 data.pdu.scid[0] = cpu_to_le16(chan->scid); 1346 1347 chan->ident = l2cap_get_ident(conn); 1348 1349 data.count = 1; 1350 data.chan = chan; 1351 data.pid = chan->ops->get_peer_pid(chan); 1352 1353 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data); 1354 1355 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ, 1356 sizeof(data.pdu.req) + data.count * sizeof(__le16), 1357 &data.pdu); 1358 } 1359 1360 static void l2cap_le_start(struct l2cap_chan *chan) 1361 { 1362 struct l2cap_conn *conn = chan->conn; 1363 1364 if (!smp_conn_security(conn->hcon, chan->sec_level)) 1365 return; 1366 1367 if (!chan->psm) { 1368 l2cap_chan_ready(chan); 1369 return; 1370 } 1371 1372 if (chan->state == BT_CONNECT) { 1373 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) 1374 l2cap_ecred_connect(chan); 1375 else 1376 l2cap_le_connect(chan); 1377 } 1378 } 1379 1380 static void l2cap_start_connection(struct l2cap_chan *chan) 1381 { 1382 if (chan->conn->hcon->type == LE_LINK) { 1383 l2cap_le_start(chan); 1384 } else { 1385 l2cap_send_conn_req(chan); 1386 } 1387 } 1388 1389 static void l2cap_request_info(struct l2cap_conn *conn) 1390 { 1391 struct l2cap_info_req req; 1392 1393 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1394 return; 1395 1396 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 1397 1398 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 1399 conn->info_ident = l2cap_get_ident(conn); 1400 1401 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 1402 1403 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ, 1404 sizeof(req), &req); 1405 } 1406 1407 static bool l2cap_check_enc_key_size(struct hci_conn *hcon) 1408 { 1409 /* The minimum encryption key size needs to be enforced by the 1410 * host stack before establishing any L2CAP connections. The 1411 * specification in theory allows a minimum of 1, but to align 1412 * BR/EDR and LE transports, a minimum of 7 is chosen. 1413 * 1414 * This check might also be called for unencrypted connections 1415 * that have no key size requirements. Ensure that the link is 1416 * actually encrypted before enforcing a key size. 1417 */ 1418 int min_key_size = hcon->hdev->min_enc_key_size; 1419 1420 /* On FIPS security level, key size must be 16 bytes */ 1421 if (hcon->sec_level == BT_SECURITY_FIPS) 1422 min_key_size = 16; 1423 1424 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) || 1425 hcon->enc_key_size >= min_key_size); 1426 } 1427 1428 static void l2cap_do_start(struct l2cap_chan *chan) 1429 { 1430 struct l2cap_conn *conn = chan->conn; 1431 1432 if (conn->hcon->type == LE_LINK) { 1433 l2cap_le_start(chan); 1434 return; 1435 } 1436 1437 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) { 1438 l2cap_request_info(conn); 1439 return; 1440 } 1441 1442 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 1443 return; 1444 1445 if (!l2cap_chan_check_security(chan, true) || 1446 !__l2cap_no_conn_pending(chan)) 1447 return; 1448 1449 if (l2cap_check_enc_key_size(conn->hcon)) 1450 l2cap_start_connection(chan); 1451 else 1452 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 1453 } 1454 1455 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask) 1456 { 1457 u32 local_feat_mask = l2cap_feat_mask; 1458 if (!disable_ertm) 1459 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING; 1460 1461 switch (mode) { 1462 case L2CAP_MODE_ERTM: 1463 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask; 1464 case L2CAP_MODE_STREAMING: 1465 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask; 1466 default: 1467 return 0x00; 1468 } 1469 } 1470 1471 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err) 1472 { 1473 struct l2cap_conn *conn = chan->conn; 1474 struct l2cap_disconn_req req; 1475 1476 if (!conn) 1477 return; 1478 1479 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) { 1480 __clear_retrans_timer(chan); 1481 __clear_monitor_timer(chan); 1482 __clear_ack_timer(chan); 1483 } 1484 1485 req.dcid = cpu_to_le16(chan->dcid); 1486 req.scid = cpu_to_le16(chan->scid); 1487 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ, 1488 sizeof(req), &req); 1489 1490 l2cap_state_change_and_error(chan, BT_DISCONN, err); 1491 } 1492 1493 /* ---- L2CAP connections ---- */ 1494 static void l2cap_conn_start(struct l2cap_conn *conn) 1495 { 1496 struct l2cap_chan *chan, *tmp; 1497 1498 BT_DBG("conn %p", conn); 1499 1500 mutex_lock(&conn->chan_lock); 1501 1502 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 1503 l2cap_chan_lock(chan); 1504 1505 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1506 l2cap_chan_ready(chan); 1507 l2cap_chan_unlock(chan); 1508 continue; 1509 } 1510 1511 if (chan->state == BT_CONNECT) { 1512 if (!l2cap_chan_check_security(chan, true) || 1513 !__l2cap_no_conn_pending(chan)) { 1514 l2cap_chan_unlock(chan); 1515 continue; 1516 } 1517 1518 if (!l2cap_mode_supported(chan->mode, conn->feat_mask) 1519 && test_bit(CONF_STATE2_DEVICE, 1520 &chan->conf_state)) { 1521 l2cap_chan_close(chan, ECONNRESET); 1522 l2cap_chan_unlock(chan); 1523 continue; 1524 } 1525 1526 if (l2cap_check_enc_key_size(conn->hcon)) 1527 l2cap_start_connection(chan); 1528 else 1529 l2cap_chan_close(chan, ECONNREFUSED); 1530 1531 } else if (chan->state == BT_CONNECT2) { 1532 struct l2cap_conn_rsp rsp; 1533 char buf[128]; 1534 rsp.scid = cpu_to_le16(chan->dcid); 1535 rsp.dcid = cpu_to_le16(chan->scid); 1536 1537 if (l2cap_chan_check_security(chan, false)) { 1538 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 1539 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 1540 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND); 1541 chan->ops->defer(chan); 1542 1543 } else { 1544 l2cap_state_change(chan, BT_CONFIG); 1545 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 1546 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 1547 } 1548 } else { 1549 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 1550 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND); 1551 } 1552 1553 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 1554 sizeof(rsp), &rsp); 1555 1556 if (test_bit(CONF_REQ_SENT, &chan->conf_state) || 1557 rsp.result != L2CAP_CR_SUCCESS) { 1558 l2cap_chan_unlock(chan); 1559 continue; 1560 } 1561 1562 set_bit(CONF_REQ_SENT, &chan->conf_state); 1563 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 1564 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 1565 chan->num_conf_req++; 1566 } 1567 1568 l2cap_chan_unlock(chan); 1569 } 1570 1571 mutex_unlock(&conn->chan_lock); 1572 } 1573 1574 static void l2cap_le_conn_ready(struct l2cap_conn *conn) 1575 { 1576 struct hci_conn *hcon = conn->hcon; 1577 struct hci_dev *hdev = hcon->hdev; 1578 1579 BT_DBG("%s conn %p", hdev->name, conn); 1580 1581 /* For outgoing pairing which doesn't necessarily have an 1582 * associated socket (e.g. mgmt_pair_device). 1583 */ 1584 if (hcon->out) 1585 smp_conn_security(hcon, hcon->pending_sec_level); 1586 1587 /* For LE peripheral connections, make sure the connection interval 1588 * is in the range of the minimum and maximum interval that has 1589 * been configured for this connection. If not, then trigger 1590 * the connection update procedure. 1591 */ 1592 if (hcon->role == HCI_ROLE_SLAVE && 1593 (hcon->le_conn_interval < hcon->le_conn_min_interval || 1594 hcon->le_conn_interval > hcon->le_conn_max_interval)) { 1595 struct l2cap_conn_param_update_req req; 1596 1597 req.min = cpu_to_le16(hcon->le_conn_min_interval); 1598 req.max = cpu_to_le16(hcon->le_conn_max_interval); 1599 req.latency = cpu_to_le16(hcon->le_conn_latency); 1600 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout); 1601 1602 l2cap_send_cmd(conn, l2cap_get_ident(conn), 1603 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req); 1604 } 1605 } 1606 1607 static void l2cap_conn_ready(struct l2cap_conn *conn) 1608 { 1609 struct l2cap_chan *chan; 1610 struct hci_conn *hcon = conn->hcon; 1611 1612 BT_DBG("conn %p", conn); 1613 1614 if (hcon->type == ACL_LINK) 1615 l2cap_request_info(conn); 1616 1617 mutex_lock(&conn->chan_lock); 1618 1619 list_for_each_entry(chan, &conn->chan_l, list) { 1620 1621 l2cap_chan_lock(chan); 1622 1623 if (hcon->type == LE_LINK) { 1624 l2cap_le_start(chan); 1625 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1626 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 1627 l2cap_chan_ready(chan); 1628 } else if (chan->state == BT_CONNECT) { 1629 l2cap_do_start(chan); 1630 } 1631 1632 l2cap_chan_unlock(chan); 1633 } 1634 1635 mutex_unlock(&conn->chan_lock); 1636 1637 if (hcon->type == LE_LINK) 1638 l2cap_le_conn_ready(conn); 1639 1640 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work); 1641 } 1642 1643 /* Notify sockets that we cannot guaranty reliability anymore */ 1644 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err) 1645 { 1646 struct l2cap_chan *chan; 1647 1648 BT_DBG("conn %p", conn); 1649 1650 mutex_lock(&conn->chan_lock); 1651 1652 list_for_each_entry(chan, &conn->chan_l, list) { 1653 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 1654 l2cap_chan_set_err(chan, err); 1655 } 1656 1657 mutex_unlock(&conn->chan_lock); 1658 } 1659 1660 static void l2cap_info_timeout(struct work_struct *work) 1661 { 1662 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 1663 info_timer.work); 1664 1665 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 1666 conn->info_ident = 0; 1667 1668 l2cap_conn_start(conn); 1669 } 1670 1671 /* 1672 * l2cap_user 1673 * External modules can register l2cap_user objects on l2cap_conn. The ->probe 1674 * callback is called during registration. The ->remove callback is called 1675 * during unregistration. 1676 * An l2cap_user object can either be explicitly unregistered or when the 1677 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon, 1678 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called. 1679 * External modules must own a reference to the l2cap_conn object if they intend 1680 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at 1681 * any time if they don't. 1682 */ 1683 1684 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) 1685 { 1686 struct hci_dev *hdev = conn->hcon->hdev; 1687 int ret; 1688 1689 /* We need to check whether l2cap_conn is registered. If it is not, we 1690 * must not register the l2cap_user. l2cap_conn_del() is unregisters 1691 * l2cap_conn objects, but doesn't provide its own locking. Instead, it 1692 * relies on the parent hci_conn object to be locked. This itself relies 1693 * on the hci_dev object to be locked. So we must lock the hci device 1694 * here, too. */ 1695 1696 hci_dev_lock(hdev); 1697 1698 if (!list_empty(&user->list)) { 1699 ret = -EINVAL; 1700 goto out_unlock; 1701 } 1702 1703 /* conn->hchan is NULL after l2cap_conn_del() was called */ 1704 if (!conn->hchan) { 1705 ret = -ENODEV; 1706 goto out_unlock; 1707 } 1708 1709 ret = user->probe(conn, user); 1710 if (ret) 1711 goto out_unlock; 1712 1713 list_add(&user->list, &conn->users); 1714 ret = 0; 1715 1716 out_unlock: 1717 hci_dev_unlock(hdev); 1718 return ret; 1719 } 1720 EXPORT_SYMBOL(l2cap_register_user); 1721 1722 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) 1723 { 1724 struct hci_dev *hdev = conn->hcon->hdev; 1725 1726 hci_dev_lock(hdev); 1727 1728 if (list_empty(&user->list)) 1729 goto out_unlock; 1730 1731 list_del_init(&user->list); 1732 user->remove(conn, user); 1733 1734 out_unlock: 1735 hci_dev_unlock(hdev); 1736 } 1737 EXPORT_SYMBOL(l2cap_unregister_user); 1738 1739 static void l2cap_unregister_all_users(struct l2cap_conn *conn) 1740 { 1741 struct l2cap_user *user; 1742 1743 while (!list_empty(&conn->users)) { 1744 user = list_first_entry(&conn->users, struct l2cap_user, list); 1745 list_del_init(&user->list); 1746 user->remove(conn, user); 1747 } 1748 } 1749 1750 static void l2cap_conn_del(struct hci_conn *hcon, int err) 1751 { 1752 struct l2cap_conn *conn = hcon->l2cap_data; 1753 struct l2cap_chan *chan, *l; 1754 1755 if (!conn) 1756 return; 1757 1758 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 1759 1760 kfree_skb(conn->rx_skb); 1761 1762 skb_queue_purge(&conn->pending_rx); 1763 1764 /* We can not call flush_work(&conn->pending_rx_work) here since we 1765 * might block if we are running on a worker from the same workqueue 1766 * pending_rx_work is waiting on. 1767 */ 1768 if (work_pending(&conn->pending_rx_work)) 1769 cancel_work_sync(&conn->pending_rx_work); 1770 1771 cancel_delayed_work_sync(&conn->id_addr_timer); 1772 1773 l2cap_unregister_all_users(conn); 1774 1775 /* Force the connection to be immediately dropped */ 1776 hcon->disc_timeout = 0; 1777 1778 mutex_lock(&conn->chan_lock); 1779 1780 /* Kill channels */ 1781 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 1782 l2cap_chan_hold(chan); 1783 l2cap_chan_lock(chan); 1784 1785 l2cap_chan_del(chan, err); 1786 1787 chan->ops->close(chan); 1788 1789 l2cap_chan_unlock(chan); 1790 l2cap_chan_put(chan); 1791 } 1792 1793 mutex_unlock(&conn->chan_lock); 1794 1795 hci_chan_del(conn->hchan); 1796 1797 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1798 cancel_delayed_work_sync(&conn->info_timer); 1799 1800 hcon->l2cap_data = NULL; 1801 conn->hchan = NULL; 1802 l2cap_conn_put(conn); 1803 } 1804 1805 static void l2cap_conn_free(struct kref *ref) 1806 { 1807 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref); 1808 1809 hci_conn_put(conn->hcon); 1810 kfree(conn); 1811 } 1812 1813 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn) 1814 { 1815 kref_get(&conn->ref); 1816 return conn; 1817 } 1818 EXPORT_SYMBOL(l2cap_conn_get); 1819 1820 void l2cap_conn_put(struct l2cap_conn *conn) 1821 { 1822 kref_put(&conn->ref, l2cap_conn_free); 1823 } 1824 EXPORT_SYMBOL(l2cap_conn_put); 1825 1826 /* ---- Socket interface ---- */ 1827 1828 /* Find socket with psm and source / destination bdaddr. 1829 * Returns closest match. 1830 */ 1831 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, 1832 bdaddr_t *src, 1833 bdaddr_t *dst, 1834 u8 link_type) 1835 { 1836 struct l2cap_chan *c, *tmp, *c1 = NULL; 1837 1838 read_lock(&chan_list_lock); 1839 1840 list_for_each_entry_safe(c, tmp, &chan_list, global_l) { 1841 if (state && c->state != state) 1842 continue; 1843 1844 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR) 1845 continue; 1846 1847 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR) 1848 continue; 1849 1850 if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) { 1851 int src_match, dst_match; 1852 int src_any, dst_any; 1853 1854 /* Exact match. */ 1855 src_match = !bacmp(&c->src, src); 1856 dst_match = !bacmp(&c->dst, dst); 1857 if (src_match && dst_match) { 1858 if (!l2cap_chan_hold_unless_zero(c)) 1859 continue; 1860 1861 read_unlock(&chan_list_lock); 1862 return c; 1863 } 1864 1865 /* Closest match */ 1866 src_any = !bacmp(&c->src, BDADDR_ANY); 1867 dst_any = !bacmp(&c->dst, BDADDR_ANY); 1868 if ((src_match && dst_any) || (src_any && dst_match) || 1869 (src_any && dst_any)) 1870 c1 = c; 1871 } 1872 } 1873 1874 if (c1) 1875 c1 = l2cap_chan_hold_unless_zero(c1); 1876 1877 read_unlock(&chan_list_lock); 1878 1879 return c1; 1880 } 1881 1882 static void l2cap_monitor_timeout(struct work_struct *work) 1883 { 1884 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1885 monitor_timer.work); 1886 1887 BT_DBG("chan %p", chan); 1888 1889 l2cap_chan_lock(chan); 1890 1891 if (!chan->conn) { 1892 l2cap_chan_unlock(chan); 1893 l2cap_chan_put(chan); 1894 return; 1895 } 1896 1897 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO); 1898 1899 l2cap_chan_unlock(chan); 1900 l2cap_chan_put(chan); 1901 } 1902 1903 static void l2cap_retrans_timeout(struct work_struct *work) 1904 { 1905 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1906 retrans_timer.work); 1907 1908 BT_DBG("chan %p", chan); 1909 1910 l2cap_chan_lock(chan); 1911 1912 if (!chan->conn) { 1913 l2cap_chan_unlock(chan); 1914 l2cap_chan_put(chan); 1915 return; 1916 } 1917 1918 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO); 1919 l2cap_chan_unlock(chan); 1920 l2cap_chan_put(chan); 1921 } 1922 1923 static void l2cap_streaming_send(struct l2cap_chan *chan, 1924 struct sk_buff_head *skbs) 1925 { 1926 struct sk_buff *skb; 1927 struct l2cap_ctrl *control; 1928 1929 BT_DBG("chan %p, skbs %p", chan, skbs); 1930 1931 skb_queue_splice_tail_init(skbs, &chan->tx_q); 1932 1933 while (!skb_queue_empty(&chan->tx_q)) { 1934 1935 skb = skb_dequeue(&chan->tx_q); 1936 1937 bt_cb(skb)->l2cap.retries = 1; 1938 control = &bt_cb(skb)->l2cap; 1939 1940 control->reqseq = 0; 1941 control->txseq = chan->next_tx_seq; 1942 1943 __pack_control(chan, control, skb); 1944 1945 if (chan->fcs == L2CAP_FCS_CRC16) { 1946 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 1947 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1948 } 1949 1950 l2cap_do_send(chan, skb); 1951 1952 BT_DBG("Sent txseq %u", control->txseq); 1953 1954 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 1955 chan->frames_sent++; 1956 } 1957 } 1958 1959 static int l2cap_ertm_send(struct l2cap_chan *chan) 1960 { 1961 struct sk_buff *skb, *tx_skb; 1962 struct l2cap_ctrl *control; 1963 int sent = 0; 1964 1965 BT_DBG("chan %p", chan); 1966 1967 if (chan->state != BT_CONNECTED) 1968 return -ENOTCONN; 1969 1970 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 1971 return 0; 1972 1973 while (chan->tx_send_head && 1974 chan->unacked_frames < chan->remote_tx_win && 1975 chan->tx_state == L2CAP_TX_STATE_XMIT) { 1976 1977 skb = chan->tx_send_head; 1978 1979 bt_cb(skb)->l2cap.retries = 1; 1980 control = &bt_cb(skb)->l2cap; 1981 1982 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 1983 control->final = 1; 1984 1985 control->reqseq = chan->buffer_seq; 1986 chan->last_acked_seq = chan->buffer_seq; 1987 control->txseq = chan->next_tx_seq; 1988 1989 __pack_control(chan, control, skb); 1990 1991 if (chan->fcs == L2CAP_FCS_CRC16) { 1992 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 1993 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1994 } 1995 1996 /* Clone after data has been modified. Data is assumed to be 1997 read-only (for locking purposes) on cloned sk_buffs. 1998 */ 1999 tx_skb = skb_clone(skb, GFP_KERNEL); 2000 2001 if (!tx_skb) 2002 break; 2003 2004 __set_retrans_timer(chan); 2005 2006 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 2007 chan->unacked_frames++; 2008 chan->frames_sent++; 2009 sent++; 2010 2011 if (skb_queue_is_last(&chan->tx_q, skb)) 2012 chan->tx_send_head = NULL; 2013 else 2014 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb); 2015 2016 l2cap_do_send(chan, tx_skb); 2017 BT_DBG("Sent txseq %u", control->txseq); 2018 } 2019 2020 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent, 2021 chan->unacked_frames, skb_queue_len(&chan->tx_q)); 2022 2023 return sent; 2024 } 2025 2026 static void l2cap_ertm_resend(struct l2cap_chan *chan) 2027 { 2028 struct l2cap_ctrl control; 2029 struct sk_buff *skb; 2030 struct sk_buff *tx_skb; 2031 u16 seq; 2032 2033 BT_DBG("chan %p", chan); 2034 2035 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2036 return; 2037 2038 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) { 2039 seq = l2cap_seq_list_pop(&chan->retrans_list); 2040 2041 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq); 2042 if (!skb) { 2043 BT_DBG("Error: Can't retransmit seq %d, frame missing", 2044 seq); 2045 continue; 2046 } 2047 2048 bt_cb(skb)->l2cap.retries++; 2049 control = bt_cb(skb)->l2cap; 2050 2051 if (chan->max_tx != 0 && 2052 bt_cb(skb)->l2cap.retries > chan->max_tx) { 2053 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 2054 l2cap_send_disconn_req(chan, ECONNRESET); 2055 l2cap_seq_list_clear(&chan->retrans_list); 2056 break; 2057 } 2058 2059 control.reqseq = chan->buffer_seq; 2060 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 2061 control.final = 1; 2062 else 2063 control.final = 0; 2064 2065 if (skb_cloned(skb)) { 2066 /* Cloned sk_buffs are read-only, so we need a 2067 * writeable copy 2068 */ 2069 tx_skb = skb_copy(skb, GFP_KERNEL); 2070 } else { 2071 tx_skb = skb_clone(skb, GFP_KERNEL); 2072 } 2073 2074 if (!tx_skb) { 2075 l2cap_seq_list_clear(&chan->retrans_list); 2076 break; 2077 } 2078 2079 /* Update skb contents */ 2080 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 2081 put_unaligned_le32(__pack_extended_control(&control), 2082 tx_skb->data + L2CAP_HDR_SIZE); 2083 } else { 2084 put_unaligned_le16(__pack_enhanced_control(&control), 2085 tx_skb->data + L2CAP_HDR_SIZE); 2086 } 2087 2088 /* Update FCS */ 2089 if (chan->fcs == L2CAP_FCS_CRC16) { 2090 u16 fcs = crc16(0, (u8 *) tx_skb->data, 2091 tx_skb->len - L2CAP_FCS_SIZE); 2092 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) - 2093 L2CAP_FCS_SIZE); 2094 } 2095 2096 l2cap_do_send(chan, tx_skb); 2097 2098 BT_DBG("Resent txseq %d", control.txseq); 2099 2100 chan->last_acked_seq = chan->buffer_seq; 2101 } 2102 } 2103 2104 static void l2cap_retransmit(struct l2cap_chan *chan, 2105 struct l2cap_ctrl *control) 2106 { 2107 BT_DBG("chan %p, control %p", chan, control); 2108 2109 l2cap_seq_list_append(&chan->retrans_list, control->reqseq); 2110 l2cap_ertm_resend(chan); 2111 } 2112 2113 static void l2cap_retransmit_all(struct l2cap_chan *chan, 2114 struct l2cap_ctrl *control) 2115 { 2116 struct sk_buff *skb; 2117 2118 BT_DBG("chan %p, control %p", chan, control); 2119 2120 if (control->poll) 2121 set_bit(CONN_SEND_FBIT, &chan->conn_state); 2122 2123 l2cap_seq_list_clear(&chan->retrans_list); 2124 2125 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2126 return; 2127 2128 if (chan->unacked_frames) { 2129 skb_queue_walk(&chan->tx_q, skb) { 2130 if (bt_cb(skb)->l2cap.txseq == control->reqseq || 2131 skb == chan->tx_send_head) 2132 break; 2133 } 2134 2135 skb_queue_walk_from(&chan->tx_q, skb) { 2136 if (skb == chan->tx_send_head) 2137 break; 2138 2139 l2cap_seq_list_append(&chan->retrans_list, 2140 bt_cb(skb)->l2cap.txseq); 2141 } 2142 2143 l2cap_ertm_resend(chan); 2144 } 2145 } 2146 2147 static void l2cap_send_ack(struct l2cap_chan *chan) 2148 { 2149 struct l2cap_ctrl control; 2150 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 2151 chan->last_acked_seq); 2152 int threshold; 2153 2154 BT_DBG("chan %p last_acked_seq %d buffer_seq %d", 2155 chan, chan->last_acked_seq, chan->buffer_seq); 2156 2157 memset(&control, 0, sizeof(control)); 2158 control.sframe = 1; 2159 2160 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 2161 chan->rx_state == L2CAP_RX_STATE_RECV) { 2162 __clear_ack_timer(chan); 2163 control.super = L2CAP_SUPER_RNR; 2164 control.reqseq = chan->buffer_seq; 2165 l2cap_send_sframe(chan, &control); 2166 } else { 2167 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) { 2168 l2cap_ertm_send(chan); 2169 /* If any i-frames were sent, they included an ack */ 2170 if (chan->buffer_seq == chan->last_acked_seq) 2171 frames_to_ack = 0; 2172 } 2173 2174 /* Ack now if the window is 3/4ths full. 2175 * Calculate without mul or div 2176 */ 2177 threshold = chan->ack_win; 2178 threshold += threshold << 1; 2179 threshold >>= 2; 2180 2181 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack, 2182 threshold); 2183 2184 if (frames_to_ack >= threshold) { 2185 __clear_ack_timer(chan); 2186 control.super = L2CAP_SUPER_RR; 2187 control.reqseq = chan->buffer_seq; 2188 l2cap_send_sframe(chan, &control); 2189 frames_to_ack = 0; 2190 } 2191 2192 if (frames_to_ack) 2193 __set_ack_timer(chan); 2194 } 2195 } 2196 2197 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, 2198 struct msghdr *msg, int len, 2199 int count, struct sk_buff *skb) 2200 { 2201 struct l2cap_conn *conn = chan->conn; 2202 struct sk_buff **frag; 2203 int sent = 0; 2204 2205 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter)) 2206 return -EFAULT; 2207 2208 sent += count; 2209 len -= count; 2210 2211 /* Continuation fragments (no L2CAP header) */ 2212 frag = &skb_shinfo(skb)->frag_list; 2213 while (len) { 2214 struct sk_buff *tmp; 2215 2216 count = min_t(unsigned int, conn->mtu, len); 2217 2218 tmp = chan->ops->alloc_skb(chan, 0, count, 2219 msg->msg_flags & MSG_DONTWAIT); 2220 if (IS_ERR(tmp)) 2221 return PTR_ERR(tmp); 2222 2223 *frag = tmp; 2224 2225 if (!copy_from_iter_full(skb_put(*frag, count), count, 2226 &msg->msg_iter)) 2227 return -EFAULT; 2228 2229 sent += count; 2230 len -= count; 2231 2232 skb->len += (*frag)->len; 2233 skb->data_len += (*frag)->len; 2234 2235 frag = &(*frag)->next; 2236 } 2237 2238 return sent; 2239 } 2240 2241 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, 2242 struct msghdr *msg, size_t len) 2243 { 2244 struct l2cap_conn *conn = chan->conn; 2245 struct sk_buff *skb; 2246 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE; 2247 struct l2cap_hdr *lh; 2248 2249 BT_DBG("chan %p psm 0x%2.2x len %zu", chan, 2250 __le16_to_cpu(chan->psm), len); 2251 2252 count = min_t(unsigned int, (conn->mtu - hlen), len); 2253 2254 skb = chan->ops->alloc_skb(chan, hlen, count, 2255 msg->msg_flags & MSG_DONTWAIT); 2256 if (IS_ERR(skb)) 2257 return skb; 2258 2259 /* Create L2CAP header */ 2260 lh = skb_put(skb, L2CAP_HDR_SIZE); 2261 lh->cid = cpu_to_le16(chan->dcid); 2262 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE); 2263 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE)); 2264 2265 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2266 if (unlikely(err < 0)) { 2267 kfree_skb(skb); 2268 return ERR_PTR(err); 2269 } 2270 return skb; 2271 } 2272 2273 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, 2274 struct msghdr *msg, size_t len) 2275 { 2276 struct l2cap_conn *conn = chan->conn; 2277 struct sk_buff *skb; 2278 int err, count; 2279 struct l2cap_hdr *lh; 2280 2281 BT_DBG("chan %p len %zu", chan, len); 2282 2283 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len); 2284 2285 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count, 2286 msg->msg_flags & MSG_DONTWAIT); 2287 if (IS_ERR(skb)) 2288 return skb; 2289 2290 /* Create L2CAP header */ 2291 lh = skb_put(skb, L2CAP_HDR_SIZE); 2292 lh->cid = cpu_to_le16(chan->dcid); 2293 lh->len = cpu_to_le16(len); 2294 2295 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2296 if (unlikely(err < 0)) { 2297 kfree_skb(skb); 2298 return ERR_PTR(err); 2299 } 2300 return skb; 2301 } 2302 2303 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, 2304 struct msghdr *msg, size_t len, 2305 u16 sdulen) 2306 { 2307 struct l2cap_conn *conn = chan->conn; 2308 struct sk_buff *skb; 2309 int err, count, hlen; 2310 struct l2cap_hdr *lh; 2311 2312 BT_DBG("chan %p len %zu", chan, len); 2313 2314 if (!conn) 2315 return ERR_PTR(-ENOTCONN); 2316 2317 hlen = __ertm_hdr_size(chan); 2318 2319 if (sdulen) 2320 hlen += L2CAP_SDULEN_SIZE; 2321 2322 if (chan->fcs == L2CAP_FCS_CRC16) 2323 hlen += L2CAP_FCS_SIZE; 2324 2325 count = min_t(unsigned int, (conn->mtu - hlen), len); 2326 2327 skb = chan->ops->alloc_skb(chan, hlen, count, 2328 msg->msg_flags & MSG_DONTWAIT); 2329 if (IS_ERR(skb)) 2330 return skb; 2331 2332 /* Create L2CAP header */ 2333 lh = skb_put(skb, L2CAP_HDR_SIZE); 2334 lh->cid = cpu_to_le16(chan->dcid); 2335 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2336 2337 /* Control header is populated later */ 2338 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 2339 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 2340 else 2341 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 2342 2343 if (sdulen) 2344 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2345 2346 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2347 if (unlikely(err < 0)) { 2348 kfree_skb(skb); 2349 return ERR_PTR(err); 2350 } 2351 2352 bt_cb(skb)->l2cap.fcs = chan->fcs; 2353 bt_cb(skb)->l2cap.retries = 0; 2354 return skb; 2355 } 2356 2357 static int l2cap_segment_sdu(struct l2cap_chan *chan, 2358 struct sk_buff_head *seg_queue, 2359 struct msghdr *msg, size_t len) 2360 { 2361 struct sk_buff *skb; 2362 u16 sdu_len; 2363 size_t pdu_len; 2364 u8 sar; 2365 2366 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2367 2368 /* It is critical that ERTM PDUs fit in a single HCI fragment, 2369 * so fragmented skbs are not used. The HCI layer's handling 2370 * of fragmented skbs is not compatible with ERTM's queueing. 2371 */ 2372 2373 /* PDU size is derived from the HCI MTU */ 2374 pdu_len = chan->conn->mtu; 2375 2376 /* Constrain PDU size for BR/EDR connections */ 2377 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD); 2378 2379 /* Adjust for largest possible L2CAP overhead. */ 2380 if (chan->fcs) 2381 pdu_len -= L2CAP_FCS_SIZE; 2382 2383 pdu_len -= __ertm_hdr_size(chan); 2384 2385 /* Remote device may have requested smaller PDUs */ 2386 pdu_len = min_t(size_t, pdu_len, chan->remote_mps); 2387 2388 if (len <= pdu_len) { 2389 sar = L2CAP_SAR_UNSEGMENTED; 2390 sdu_len = 0; 2391 pdu_len = len; 2392 } else { 2393 sar = L2CAP_SAR_START; 2394 sdu_len = len; 2395 } 2396 2397 while (len > 0) { 2398 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len); 2399 2400 if (IS_ERR(skb)) { 2401 __skb_queue_purge(seg_queue); 2402 return PTR_ERR(skb); 2403 } 2404 2405 bt_cb(skb)->l2cap.sar = sar; 2406 __skb_queue_tail(seg_queue, skb); 2407 2408 len -= pdu_len; 2409 if (sdu_len) 2410 sdu_len = 0; 2411 2412 if (len <= pdu_len) { 2413 sar = L2CAP_SAR_END; 2414 pdu_len = len; 2415 } else { 2416 sar = L2CAP_SAR_CONTINUE; 2417 } 2418 } 2419 2420 return 0; 2421 } 2422 2423 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan, 2424 struct msghdr *msg, 2425 size_t len, u16 sdulen) 2426 { 2427 struct l2cap_conn *conn = chan->conn; 2428 struct sk_buff *skb; 2429 int err, count, hlen; 2430 struct l2cap_hdr *lh; 2431 2432 BT_DBG("chan %p len %zu", chan, len); 2433 2434 if (!conn) 2435 return ERR_PTR(-ENOTCONN); 2436 2437 hlen = L2CAP_HDR_SIZE; 2438 2439 if (sdulen) 2440 hlen += L2CAP_SDULEN_SIZE; 2441 2442 count = min_t(unsigned int, (conn->mtu - hlen), len); 2443 2444 skb = chan->ops->alloc_skb(chan, hlen, count, 2445 msg->msg_flags & MSG_DONTWAIT); 2446 if (IS_ERR(skb)) 2447 return skb; 2448 2449 /* Create L2CAP header */ 2450 lh = skb_put(skb, L2CAP_HDR_SIZE); 2451 lh->cid = cpu_to_le16(chan->dcid); 2452 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2453 2454 if (sdulen) 2455 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2456 2457 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2458 if (unlikely(err < 0)) { 2459 kfree_skb(skb); 2460 return ERR_PTR(err); 2461 } 2462 2463 return skb; 2464 } 2465 2466 static int l2cap_segment_le_sdu(struct l2cap_chan *chan, 2467 struct sk_buff_head *seg_queue, 2468 struct msghdr *msg, size_t len) 2469 { 2470 struct sk_buff *skb; 2471 size_t pdu_len; 2472 u16 sdu_len; 2473 2474 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2475 2476 sdu_len = len; 2477 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE; 2478 2479 while (len > 0) { 2480 if (len <= pdu_len) 2481 pdu_len = len; 2482 2483 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len); 2484 if (IS_ERR(skb)) { 2485 __skb_queue_purge(seg_queue); 2486 return PTR_ERR(skb); 2487 } 2488 2489 __skb_queue_tail(seg_queue, skb); 2490 2491 len -= pdu_len; 2492 2493 if (sdu_len) { 2494 sdu_len = 0; 2495 pdu_len += L2CAP_SDULEN_SIZE; 2496 } 2497 } 2498 2499 return 0; 2500 } 2501 2502 static void l2cap_le_flowctl_send(struct l2cap_chan *chan) 2503 { 2504 int sent = 0; 2505 2506 BT_DBG("chan %p", chan); 2507 2508 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) { 2509 l2cap_do_send(chan, skb_dequeue(&chan->tx_q)); 2510 chan->tx_credits--; 2511 sent++; 2512 } 2513 2514 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits, 2515 skb_queue_len(&chan->tx_q)); 2516 } 2517 2518 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) 2519 { 2520 struct sk_buff *skb; 2521 int err; 2522 struct sk_buff_head seg_queue; 2523 2524 if (!chan->conn) 2525 return -ENOTCONN; 2526 2527 /* Connectionless channel */ 2528 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) { 2529 skb = l2cap_create_connless_pdu(chan, msg, len); 2530 if (IS_ERR(skb)) 2531 return PTR_ERR(skb); 2532 2533 l2cap_do_send(chan, skb); 2534 return len; 2535 } 2536 2537 switch (chan->mode) { 2538 case L2CAP_MODE_LE_FLOWCTL: 2539 case L2CAP_MODE_EXT_FLOWCTL: 2540 /* Check outgoing MTU */ 2541 if (len > chan->omtu) 2542 return -EMSGSIZE; 2543 2544 __skb_queue_head_init(&seg_queue); 2545 2546 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len); 2547 2548 if (chan->state != BT_CONNECTED) { 2549 __skb_queue_purge(&seg_queue); 2550 err = -ENOTCONN; 2551 } 2552 2553 if (err) 2554 return err; 2555 2556 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q); 2557 2558 l2cap_le_flowctl_send(chan); 2559 2560 if (!chan->tx_credits) 2561 chan->ops->suspend(chan); 2562 2563 err = len; 2564 2565 break; 2566 2567 case L2CAP_MODE_BASIC: 2568 /* Check outgoing MTU */ 2569 if (len > chan->omtu) 2570 return -EMSGSIZE; 2571 2572 /* Create a basic PDU */ 2573 skb = l2cap_create_basic_pdu(chan, msg, len); 2574 if (IS_ERR(skb)) 2575 return PTR_ERR(skb); 2576 2577 l2cap_do_send(chan, skb); 2578 err = len; 2579 break; 2580 2581 case L2CAP_MODE_ERTM: 2582 case L2CAP_MODE_STREAMING: 2583 /* Check outgoing MTU */ 2584 if (len > chan->omtu) { 2585 err = -EMSGSIZE; 2586 break; 2587 } 2588 2589 __skb_queue_head_init(&seg_queue); 2590 2591 /* Do segmentation before calling in to the state machine, 2592 * since it's possible to block while waiting for memory 2593 * allocation. 2594 */ 2595 err = l2cap_segment_sdu(chan, &seg_queue, msg, len); 2596 2597 if (err) 2598 break; 2599 2600 if (chan->mode == L2CAP_MODE_ERTM) 2601 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST); 2602 else 2603 l2cap_streaming_send(chan, &seg_queue); 2604 2605 err = len; 2606 2607 /* If the skbs were not queued for sending, they'll still be in 2608 * seg_queue and need to be purged. 2609 */ 2610 __skb_queue_purge(&seg_queue); 2611 break; 2612 2613 default: 2614 BT_DBG("bad state %1.1x", chan->mode); 2615 err = -EBADFD; 2616 } 2617 2618 return err; 2619 } 2620 EXPORT_SYMBOL_GPL(l2cap_chan_send); 2621 2622 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq) 2623 { 2624 struct l2cap_ctrl control; 2625 u16 seq; 2626 2627 BT_DBG("chan %p, txseq %u", chan, txseq); 2628 2629 memset(&control, 0, sizeof(control)); 2630 control.sframe = 1; 2631 control.super = L2CAP_SUPER_SREJ; 2632 2633 for (seq = chan->expected_tx_seq; seq != txseq; 2634 seq = __next_seq(chan, seq)) { 2635 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) { 2636 control.reqseq = seq; 2637 l2cap_send_sframe(chan, &control); 2638 l2cap_seq_list_append(&chan->srej_list, seq); 2639 } 2640 } 2641 2642 chan->expected_tx_seq = __next_seq(chan, txseq); 2643 } 2644 2645 static void l2cap_send_srej_tail(struct l2cap_chan *chan) 2646 { 2647 struct l2cap_ctrl control; 2648 2649 BT_DBG("chan %p", chan); 2650 2651 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR) 2652 return; 2653 2654 memset(&control, 0, sizeof(control)); 2655 control.sframe = 1; 2656 control.super = L2CAP_SUPER_SREJ; 2657 control.reqseq = chan->srej_list.tail; 2658 l2cap_send_sframe(chan, &control); 2659 } 2660 2661 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq) 2662 { 2663 struct l2cap_ctrl control; 2664 u16 initial_head; 2665 u16 seq; 2666 2667 BT_DBG("chan %p, txseq %u", chan, txseq); 2668 2669 memset(&control, 0, sizeof(control)); 2670 control.sframe = 1; 2671 control.super = L2CAP_SUPER_SREJ; 2672 2673 /* Capture initial list head to allow only one pass through the list. */ 2674 initial_head = chan->srej_list.head; 2675 2676 do { 2677 seq = l2cap_seq_list_pop(&chan->srej_list); 2678 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR) 2679 break; 2680 2681 control.reqseq = seq; 2682 l2cap_send_sframe(chan, &control); 2683 l2cap_seq_list_append(&chan->srej_list, seq); 2684 } while (chan->srej_list.head != initial_head); 2685 } 2686 2687 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq) 2688 { 2689 struct sk_buff *acked_skb; 2690 u16 ackseq; 2691 2692 BT_DBG("chan %p, reqseq %u", chan, reqseq); 2693 2694 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq) 2695 return; 2696 2697 BT_DBG("expected_ack_seq %u, unacked_frames %u", 2698 chan->expected_ack_seq, chan->unacked_frames); 2699 2700 for (ackseq = chan->expected_ack_seq; ackseq != reqseq; 2701 ackseq = __next_seq(chan, ackseq)) { 2702 2703 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq); 2704 if (acked_skb) { 2705 skb_unlink(acked_skb, &chan->tx_q); 2706 kfree_skb(acked_skb); 2707 chan->unacked_frames--; 2708 } 2709 } 2710 2711 chan->expected_ack_seq = reqseq; 2712 2713 if (chan->unacked_frames == 0) 2714 __clear_retrans_timer(chan); 2715 2716 BT_DBG("unacked_frames %u", chan->unacked_frames); 2717 } 2718 2719 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan) 2720 { 2721 BT_DBG("chan %p", chan); 2722 2723 chan->expected_tx_seq = chan->buffer_seq; 2724 l2cap_seq_list_clear(&chan->srej_list); 2725 skb_queue_purge(&chan->srej_q); 2726 chan->rx_state = L2CAP_RX_STATE_RECV; 2727 } 2728 2729 static void l2cap_tx_state_xmit(struct l2cap_chan *chan, 2730 struct l2cap_ctrl *control, 2731 struct sk_buff_head *skbs, u8 event) 2732 { 2733 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2734 event); 2735 2736 switch (event) { 2737 case L2CAP_EV_DATA_REQUEST: 2738 if (chan->tx_send_head == NULL) 2739 chan->tx_send_head = skb_peek(skbs); 2740 2741 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2742 l2cap_ertm_send(chan); 2743 break; 2744 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2745 BT_DBG("Enter LOCAL_BUSY"); 2746 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2747 2748 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2749 /* The SREJ_SENT state must be aborted if we are to 2750 * enter the LOCAL_BUSY state. 2751 */ 2752 l2cap_abort_rx_srej_sent(chan); 2753 } 2754 2755 l2cap_send_ack(chan); 2756 2757 break; 2758 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2759 BT_DBG("Exit LOCAL_BUSY"); 2760 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2761 2762 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2763 struct l2cap_ctrl local_control; 2764 2765 memset(&local_control, 0, sizeof(local_control)); 2766 local_control.sframe = 1; 2767 local_control.super = L2CAP_SUPER_RR; 2768 local_control.poll = 1; 2769 local_control.reqseq = chan->buffer_seq; 2770 l2cap_send_sframe(chan, &local_control); 2771 2772 chan->retry_count = 1; 2773 __set_monitor_timer(chan); 2774 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2775 } 2776 break; 2777 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2778 l2cap_process_reqseq(chan, control->reqseq); 2779 break; 2780 case L2CAP_EV_EXPLICIT_POLL: 2781 l2cap_send_rr_or_rnr(chan, 1); 2782 chan->retry_count = 1; 2783 __set_monitor_timer(chan); 2784 __clear_ack_timer(chan); 2785 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2786 break; 2787 case L2CAP_EV_RETRANS_TO: 2788 l2cap_send_rr_or_rnr(chan, 1); 2789 chan->retry_count = 1; 2790 __set_monitor_timer(chan); 2791 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2792 break; 2793 case L2CAP_EV_RECV_FBIT: 2794 /* Nothing to process */ 2795 break; 2796 default: 2797 break; 2798 } 2799 } 2800 2801 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan, 2802 struct l2cap_ctrl *control, 2803 struct sk_buff_head *skbs, u8 event) 2804 { 2805 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2806 event); 2807 2808 switch (event) { 2809 case L2CAP_EV_DATA_REQUEST: 2810 if (chan->tx_send_head == NULL) 2811 chan->tx_send_head = skb_peek(skbs); 2812 /* Queue data, but don't send. */ 2813 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2814 break; 2815 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2816 BT_DBG("Enter LOCAL_BUSY"); 2817 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2818 2819 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2820 /* The SREJ_SENT state must be aborted if we are to 2821 * enter the LOCAL_BUSY state. 2822 */ 2823 l2cap_abort_rx_srej_sent(chan); 2824 } 2825 2826 l2cap_send_ack(chan); 2827 2828 break; 2829 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2830 BT_DBG("Exit LOCAL_BUSY"); 2831 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2832 2833 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2834 struct l2cap_ctrl local_control; 2835 memset(&local_control, 0, sizeof(local_control)); 2836 local_control.sframe = 1; 2837 local_control.super = L2CAP_SUPER_RR; 2838 local_control.poll = 1; 2839 local_control.reqseq = chan->buffer_seq; 2840 l2cap_send_sframe(chan, &local_control); 2841 2842 chan->retry_count = 1; 2843 __set_monitor_timer(chan); 2844 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2845 } 2846 break; 2847 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2848 l2cap_process_reqseq(chan, control->reqseq); 2849 fallthrough; 2850 2851 case L2CAP_EV_RECV_FBIT: 2852 if (control && control->final) { 2853 __clear_monitor_timer(chan); 2854 if (chan->unacked_frames > 0) 2855 __set_retrans_timer(chan); 2856 chan->retry_count = 0; 2857 chan->tx_state = L2CAP_TX_STATE_XMIT; 2858 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state); 2859 } 2860 break; 2861 case L2CAP_EV_EXPLICIT_POLL: 2862 /* Ignore */ 2863 break; 2864 case L2CAP_EV_MONITOR_TO: 2865 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) { 2866 l2cap_send_rr_or_rnr(chan, 1); 2867 __set_monitor_timer(chan); 2868 chan->retry_count++; 2869 } else { 2870 l2cap_send_disconn_req(chan, ECONNABORTED); 2871 } 2872 break; 2873 default: 2874 break; 2875 } 2876 } 2877 2878 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 2879 struct sk_buff_head *skbs, u8 event) 2880 { 2881 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d", 2882 chan, control, skbs, event, chan->tx_state); 2883 2884 switch (chan->tx_state) { 2885 case L2CAP_TX_STATE_XMIT: 2886 l2cap_tx_state_xmit(chan, control, skbs, event); 2887 break; 2888 case L2CAP_TX_STATE_WAIT_F: 2889 l2cap_tx_state_wait_f(chan, control, skbs, event); 2890 break; 2891 default: 2892 /* Ignore event */ 2893 break; 2894 } 2895 } 2896 2897 static void l2cap_pass_to_tx(struct l2cap_chan *chan, 2898 struct l2cap_ctrl *control) 2899 { 2900 BT_DBG("chan %p, control %p", chan, control); 2901 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT); 2902 } 2903 2904 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan, 2905 struct l2cap_ctrl *control) 2906 { 2907 BT_DBG("chan %p, control %p", chan, control); 2908 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT); 2909 } 2910 2911 /* Copy frame to all raw sockets on that connection */ 2912 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb) 2913 { 2914 struct sk_buff *nskb; 2915 struct l2cap_chan *chan; 2916 2917 BT_DBG("conn %p", conn); 2918 2919 mutex_lock(&conn->chan_lock); 2920 2921 list_for_each_entry(chan, &conn->chan_l, list) { 2922 if (chan->chan_type != L2CAP_CHAN_RAW) 2923 continue; 2924 2925 /* Don't send frame to the channel it came from */ 2926 if (bt_cb(skb)->l2cap.chan == chan) 2927 continue; 2928 2929 nskb = skb_clone(skb, GFP_KERNEL); 2930 if (!nskb) 2931 continue; 2932 if (chan->ops->recv(chan, nskb)) 2933 kfree_skb(nskb); 2934 } 2935 2936 mutex_unlock(&conn->chan_lock); 2937 } 2938 2939 /* ---- L2CAP signalling commands ---- */ 2940 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code, 2941 u8 ident, u16 dlen, void *data) 2942 { 2943 struct sk_buff *skb, **frag; 2944 struct l2cap_cmd_hdr *cmd; 2945 struct l2cap_hdr *lh; 2946 int len, count; 2947 2948 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", 2949 conn, code, ident, dlen); 2950 2951 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) 2952 return NULL; 2953 2954 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; 2955 count = min_t(unsigned int, conn->mtu, len); 2956 2957 skb = bt_skb_alloc(count, GFP_KERNEL); 2958 if (!skb) 2959 return NULL; 2960 2961 lh = skb_put(skb, L2CAP_HDR_SIZE); 2962 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen); 2963 2964 if (conn->hcon->type == LE_LINK) 2965 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING); 2966 else 2967 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING); 2968 2969 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE); 2970 cmd->code = code; 2971 cmd->ident = ident; 2972 cmd->len = cpu_to_le16(dlen); 2973 2974 if (dlen) { 2975 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE; 2976 skb_put_data(skb, data, count); 2977 data += count; 2978 } 2979 2980 len -= skb->len; 2981 2982 /* Continuation fragments (no L2CAP header) */ 2983 frag = &skb_shinfo(skb)->frag_list; 2984 while (len) { 2985 count = min_t(unsigned int, conn->mtu, len); 2986 2987 *frag = bt_skb_alloc(count, GFP_KERNEL); 2988 if (!*frag) 2989 goto fail; 2990 2991 skb_put_data(*frag, data, count); 2992 2993 len -= count; 2994 data += count; 2995 2996 frag = &(*frag)->next; 2997 } 2998 2999 return skb; 3000 3001 fail: 3002 kfree_skb(skb); 3003 return NULL; 3004 } 3005 3006 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, 3007 unsigned long *val) 3008 { 3009 struct l2cap_conf_opt *opt = *ptr; 3010 int len; 3011 3012 len = L2CAP_CONF_OPT_SIZE + opt->len; 3013 *ptr += len; 3014 3015 *type = opt->type; 3016 *olen = opt->len; 3017 3018 switch (opt->len) { 3019 case 1: 3020 *val = *((u8 *) opt->val); 3021 break; 3022 3023 case 2: 3024 *val = get_unaligned_le16(opt->val); 3025 break; 3026 3027 case 4: 3028 *val = get_unaligned_le32(opt->val); 3029 break; 3030 3031 default: 3032 *val = (unsigned long) opt->val; 3033 break; 3034 } 3035 3036 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val); 3037 return len; 3038 } 3039 3040 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size) 3041 { 3042 struct l2cap_conf_opt *opt = *ptr; 3043 3044 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val); 3045 3046 if (size < L2CAP_CONF_OPT_SIZE + len) 3047 return; 3048 3049 opt->type = type; 3050 opt->len = len; 3051 3052 switch (len) { 3053 case 1: 3054 *((u8 *) opt->val) = val; 3055 break; 3056 3057 case 2: 3058 put_unaligned_le16(val, opt->val); 3059 break; 3060 3061 case 4: 3062 put_unaligned_le32(val, opt->val); 3063 break; 3064 3065 default: 3066 memcpy(opt->val, (void *) val, len); 3067 break; 3068 } 3069 3070 *ptr += L2CAP_CONF_OPT_SIZE + len; 3071 } 3072 3073 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size) 3074 { 3075 struct l2cap_conf_efs efs; 3076 3077 switch (chan->mode) { 3078 case L2CAP_MODE_ERTM: 3079 efs.id = chan->local_id; 3080 efs.stype = chan->local_stype; 3081 efs.msdu = cpu_to_le16(chan->local_msdu); 3082 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 3083 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT); 3084 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO); 3085 break; 3086 3087 case L2CAP_MODE_STREAMING: 3088 efs.id = 1; 3089 efs.stype = L2CAP_SERV_BESTEFFORT; 3090 efs.msdu = cpu_to_le16(chan->local_msdu); 3091 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 3092 efs.acc_lat = 0; 3093 efs.flush_to = 0; 3094 break; 3095 3096 default: 3097 return; 3098 } 3099 3100 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs), 3101 (unsigned long) &efs, size); 3102 } 3103 3104 static void l2cap_ack_timeout(struct work_struct *work) 3105 { 3106 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 3107 ack_timer.work); 3108 u16 frames_to_ack; 3109 3110 BT_DBG("chan %p", chan); 3111 3112 l2cap_chan_lock(chan); 3113 3114 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 3115 chan->last_acked_seq); 3116 3117 if (frames_to_ack) 3118 l2cap_send_rr_or_rnr(chan, 0); 3119 3120 l2cap_chan_unlock(chan); 3121 l2cap_chan_put(chan); 3122 } 3123 3124 int l2cap_ertm_init(struct l2cap_chan *chan) 3125 { 3126 int err; 3127 3128 chan->next_tx_seq = 0; 3129 chan->expected_tx_seq = 0; 3130 chan->expected_ack_seq = 0; 3131 chan->unacked_frames = 0; 3132 chan->buffer_seq = 0; 3133 chan->frames_sent = 0; 3134 chan->last_acked_seq = 0; 3135 chan->sdu = NULL; 3136 chan->sdu_last_frag = NULL; 3137 chan->sdu_len = 0; 3138 3139 skb_queue_head_init(&chan->tx_q); 3140 3141 if (chan->mode != L2CAP_MODE_ERTM) 3142 return 0; 3143 3144 chan->rx_state = L2CAP_RX_STATE_RECV; 3145 chan->tx_state = L2CAP_TX_STATE_XMIT; 3146 3147 skb_queue_head_init(&chan->srej_q); 3148 3149 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); 3150 if (err < 0) 3151 return err; 3152 3153 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win); 3154 if (err < 0) 3155 l2cap_seq_list_free(&chan->srej_list); 3156 3157 return err; 3158 } 3159 3160 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask) 3161 { 3162 switch (mode) { 3163 case L2CAP_MODE_STREAMING: 3164 case L2CAP_MODE_ERTM: 3165 if (l2cap_mode_supported(mode, remote_feat_mask)) 3166 return mode; 3167 fallthrough; 3168 default: 3169 return L2CAP_MODE_BASIC; 3170 } 3171 } 3172 3173 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn) 3174 { 3175 return (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW); 3176 } 3177 3178 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn) 3179 { 3180 return (conn->feat_mask & L2CAP_FEAT_EXT_FLOW); 3181 } 3182 3183 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan, 3184 struct l2cap_conf_rfc *rfc) 3185 { 3186 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO); 3187 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO); 3188 } 3189 3190 static inline void l2cap_txwin_setup(struct l2cap_chan *chan) 3191 { 3192 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW && 3193 __l2cap_ews_supported(chan->conn)) { 3194 /* use extended control field */ 3195 set_bit(FLAG_EXT_CTRL, &chan->flags); 3196 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; 3197 } else { 3198 chan->tx_win = min_t(u16, chan->tx_win, 3199 L2CAP_DEFAULT_TX_WINDOW); 3200 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 3201 } 3202 chan->ack_win = chan->tx_win; 3203 } 3204 3205 static void l2cap_mtu_auto(struct l2cap_chan *chan) 3206 { 3207 struct hci_conn *conn = chan->conn->hcon; 3208 3209 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3210 3211 /* The 2-DH1 packet has between 2 and 56 information bytes 3212 * (including the 2-byte payload header) 3213 */ 3214 if (!(conn->pkt_type & HCI_2DH1)) 3215 chan->imtu = 54; 3216 3217 /* The 3-DH1 packet has between 2 and 85 information bytes 3218 * (including the 2-byte payload header) 3219 */ 3220 if (!(conn->pkt_type & HCI_3DH1)) 3221 chan->imtu = 83; 3222 3223 /* The 2-DH3 packet has between 2 and 369 information bytes 3224 * (including the 2-byte payload header) 3225 */ 3226 if (!(conn->pkt_type & HCI_2DH3)) 3227 chan->imtu = 367; 3228 3229 /* The 3-DH3 packet has between 2 and 554 information bytes 3230 * (including the 2-byte payload header) 3231 */ 3232 if (!(conn->pkt_type & HCI_3DH3)) 3233 chan->imtu = 552; 3234 3235 /* The 2-DH5 packet has between 2 and 681 information bytes 3236 * (including the 2-byte payload header) 3237 */ 3238 if (!(conn->pkt_type & HCI_2DH5)) 3239 chan->imtu = 679; 3240 3241 /* The 3-DH5 packet has between 2 and 1023 information bytes 3242 * (including the 2-byte payload header) 3243 */ 3244 if (!(conn->pkt_type & HCI_3DH5)) 3245 chan->imtu = 1021; 3246 } 3247 3248 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) 3249 { 3250 struct l2cap_conf_req *req = data; 3251 struct l2cap_conf_rfc rfc = { .mode = chan->mode }; 3252 void *ptr = req->data; 3253 void *endptr = data + data_size; 3254 u16 size; 3255 3256 BT_DBG("chan %p", chan); 3257 3258 if (chan->num_conf_req || chan->num_conf_rsp) 3259 goto done; 3260 3261 switch (chan->mode) { 3262 case L2CAP_MODE_STREAMING: 3263 case L2CAP_MODE_ERTM: 3264 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) 3265 break; 3266 3267 if (__l2cap_efs_supported(chan->conn)) 3268 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3269 3270 fallthrough; 3271 default: 3272 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask); 3273 break; 3274 } 3275 3276 done: 3277 if (chan->imtu != L2CAP_DEFAULT_MTU) { 3278 if (!chan->imtu) 3279 l2cap_mtu_auto(chan); 3280 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, 3281 endptr - ptr); 3282 } 3283 3284 switch (chan->mode) { 3285 case L2CAP_MODE_BASIC: 3286 if (disable_ertm) 3287 break; 3288 3289 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) && 3290 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING)) 3291 break; 3292 3293 rfc.mode = L2CAP_MODE_BASIC; 3294 rfc.txwin_size = 0; 3295 rfc.max_transmit = 0; 3296 rfc.retrans_timeout = 0; 3297 rfc.monitor_timeout = 0; 3298 rfc.max_pdu_size = 0; 3299 3300 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3301 (unsigned long) &rfc, endptr - ptr); 3302 break; 3303 3304 case L2CAP_MODE_ERTM: 3305 rfc.mode = L2CAP_MODE_ERTM; 3306 rfc.max_transmit = chan->max_tx; 3307 3308 __l2cap_set_ertm_timeouts(chan, &rfc); 3309 3310 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 3311 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE - 3312 L2CAP_FCS_SIZE); 3313 rfc.max_pdu_size = cpu_to_le16(size); 3314 3315 l2cap_txwin_setup(chan); 3316 3317 rfc.txwin_size = min_t(u16, chan->tx_win, 3318 L2CAP_DEFAULT_TX_WINDOW); 3319 3320 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3321 (unsigned long) &rfc, endptr - ptr); 3322 3323 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 3324 l2cap_add_opt_efs(&ptr, chan, endptr - ptr); 3325 3326 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 3327 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3328 chan->tx_win, endptr - ptr); 3329 3330 if (chan->conn->feat_mask & L2CAP_FEAT_FCS) 3331 if (chan->fcs == L2CAP_FCS_NONE || 3332 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { 3333 chan->fcs = L2CAP_FCS_NONE; 3334 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, 3335 chan->fcs, endptr - ptr); 3336 } 3337 break; 3338 3339 case L2CAP_MODE_STREAMING: 3340 l2cap_txwin_setup(chan); 3341 rfc.mode = L2CAP_MODE_STREAMING; 3342 rfc.txwin_size = 0; 3343 rfc.max_transmit = 0; 3344 rfc.retrans_timeout = 0; 3345 rfc.monitor_timeout = 0; 3346 3347 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 3348 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE - 3349 L2CAP_FCS_SIZE); 3350 rfc.max_pdu_size = cpu_to_le16(size); 3351 3352 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3353 (unsigned long) &rfc, endptr - ptr); 3354 3355 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 3356 l2cap_add_opt_efs(&ptr, chan, endptr - ptr); 3357 3358 if (chan->conn->feat_mask & L2CAP_FEAT_FCS) 3359 if (chan->fcs == L2CAP_FCS_NONE || 3360 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { 3361 chan->fcs = L2CAP_FCS_NONE; 3362 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, 3363 chan->fcs, endptr - ptr); 3364 } 3365 break; 3366 } 3367 3368 req->dcid = cpu_to_le16(chan->dcid); 3369 req->flags = cpu_to_le16(0); 3370 3371 return ptr - data; 3372 } 3373 3374 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) 3375 { 3376 struct l2cap_conf_rsp *rsp = data; 3377 void *ptr = rsp->data; 3378 void *endptr = data + data_size; 3379 void *req = chan->conf_req; 3380 int len = chan->conf_len; 3381 int type, hint, olen; 3382 unsigned long val; 3383 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3384 struct l2cap_conf_efs efs; 3385 u8 remote_efs = 0; 3386 u16 mtu = L2CAP_DEFAULT_MTU; 3387 u16 result = L2CAP_CONF_SUCCESS; 3388 u16 size; 3389 3390 BT_DBG("chan %p", chan); 3391 3392 while (len >= L2CAP_CONF_OPT_SIZE) { 3393 len -= l2cap_get_conf_opt(&req, &type, &olen, &val); 3394 if (len < 0) 3395 break; 3396 3397 hint = type & L2CAP_CONF_HINT; 3398 type &= L2CAP_CONF_MASK; 3399 3400 switch (type) { 3401 case L2CAP_CONF_MTU: 3402 if (olen != 2) 3403 break; 3404 mtu = val; 3405 break; 3406 3407 case L2CAP_CONF_FLUSH_TO: 3408 if (olen != 2) 3409 break; 3410 chan->flush_to = val; 3411 break; 3412 3413 case L2CAP_CONF_QOS: 3414 break; 3415 3416 case L2CAP_CONF_RFC: 3417 if (olen != sizeof(rfc)) 3418 break; 3419 memcpy(&rfc, (void *) val, olen); 3420 break; 3421 3422 case L2CAP_CONF_FCS: 3423 if (olen != 1) 3424 break; 3425 if (val == L2CAP_FCS_NONE) 3426 set_bit(CONF_RECV_NO_FCS, &chan->conf_state); 3427 break; 3428 3429 case L2CAP_CONF_EFS: 3430 if (olen != sizeof(efs)) 3431 break; 3432 remote_efs = 1; 3433 memcpy(&efs, (void *) val, olen); 3434 break; 3435 3436 case L2CAP_CONF_EWS: 3437 if (olen != 2) 3438 break; 3439 return -ECONNREFUSED; 3440 3441 default: 3442 if (hint) 3443 break; 3444 result = L2CAP_CONF_UNKNOWN; 3445 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr); 3446 break; 3447 } 3448 } 3449 3450 if (chan->num_conf_rsp || chan->num_conf_req > 1) 3451 goto done; 3452 3453 switch (chan->mode) { 3454 case L2CAP_MODE_STREAMING: 3455 case L2CAP_MODE_ERTM: 3456 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) { 3457 chan->mode = l2cap_select_mode(rfc.mode, 3458 chan->conn->feat_mask); 3459 break; 3460 } 3461 3462 if (remote_efs) { 3463 if (__l2cap_efs_supported(chan->conn)) 3464 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3465 else 3466 return -ECONNREFUSED; 3467 } 3468 3469 if (chan->mode != rfc.mode) 3470 return -ECONNREFUSED; 3471 3472 break; 3473 } 3474 3475 done: 3476 if (chan->mode != rfc.mode) { 3477 result = L2CAP_CONF_UNACCEPT; 3478 rfc.mode = chan->mode; 3479 3480 if (chan->num_conf_rsp == 1) 3481 return -ECONNREFUSED; 3482 3483 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3484 (unsigned long) &rfc, endptr - ptr); 3485 } 3486 3487 if (result == L2CAP_CONF_SUCCESS) { 3488 /* Configure output options and let the other side know 3489 * which ones we don't like. */ 3490 3491 if (mtu < L2CAP_DEFAULT_MIN_MTU) 3492 result = L2CAP_CONF_UNACCEPT; 3493 else { 3494 chan->omtu = mtu; 3495 set_bit(CONF_MTU_DONE, &chan->conf_state); 3496 } 3497 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr); 3498 3499 if (remote_efs) { 3500 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3501 efs.stype != L2CAP_SERV_NOTRAFIC && 3502 efs.stype != chan->local_stype) { 3503 3504 result = L2CAP_CONF_UNACCEPT; 3505 3506 if (chan->num_conf_req >= 1) 3507 return -ECONNREFUSED; 3508 3509 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3510 sizeof(efs), 3511 (unsigned long) &efs, endptr - ptr); 3512 } else { 3513 /* Send PENDING Conf Rsp */ 3514 result = L2CAP_CONF_PENDING; 3515 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 3516 } 3517 } 3518 3519 switch (rfc.mode) { 3520 case L2CAP_MODE_BASIC: 3521 chan->fcs = L2CAP_FCS_NONE; 3522 set_bit(CONF_MODE_DONE, &chan->conf_state); 3523 break; 3524 3525 case L2CAP_MODE_ERTM: 3526 if (!test_bit(CONF_EWS_RECV, &chan->conf_state)) 3527 chan->remote_tx_win = rfc.txwin_size; 3528 else 3529 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW; 3530 3531 chan->remote_max_tx = rfc.max_transmit; 3532 3533 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3534 chan->conn->mtu - L2CAP_EXT_HDR_SIZE - 3535 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE); 3536 rfc.max_pdu_size = cpu_to_le16(size); 3537 chan->remote_mps = size; 3538 3539 __l2cap_set_ertm_timeouts(chan, &rfc); 3540 3541 set_bit(CONF_MODE_DONE, &chan->conf_state); 3542 3543 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 3544 sizeof(rfc), (unsigned long) &rfc, endptr - ptr); 3545 3546 if (remote_efs && 3547 test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3548 chan->remote_id = efs.id; 3549 chan->remote_stype = efs.stype; 3550 chan->remote_msdu = le16_to_cpu(efs.msdu); 3551 chan->remote_flush_to = 3552 le32_to_cpu(efs.flush_to); 3553 chan->remote_acc_lat = 3554 le32_to_cpu(efs.acc_lat); 3555 chan->remote_sdu_itime = 3556 le32_to_cpu(efs.sdu_itime); 3557 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3558 sizeof(efs), 3559 (unsigned long) &efs, endptr - ptr); 3560 } 3561 break; 3562 3563 case L2CAP_MODE_STREAMING: 3564 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3565 chan->conn->mtu - L2CAP_EXT_HDR_SIZE - 3566 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE); 3567 rfc.max_pdu_size = cpu_to_le16(size); 3568 chan->remote_mps = size; 3569 3570 set_bit(CONF_MODE_DONE, &chan->conf_state); 3571 3572 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3573 (unsigned long) &rfc, endptr - ptr); 3574 3575 break; 3576 3577 default: 3578 result = L2CAP_CONF_UNACCEPT; 3579 3580 memset(&rfc, 0, sizeof(rfc)); 3581 rfc.mode = chan->mode; 3582 } 3583 3584 if (result == L2CAP_CONF_SUCCESS) 3585 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 3586 } 3587 rsp->scid = cpu_to_le16(chan->dcid); 3588 rsp->result = cpu_to_le16(result); 3589 rsp->flags = cpu_to_le16(0); 3590 3591 return ptr - data; 3592 } 3593 3594 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, 3595 void *data, size_t size, u16 *result) 3596 { 3597 struct l2cap_conf_req *req = data; 3598 void *ptr = req->data; 3599 void *endptr = data + size; 3600 int type, olen; 3601 unsigned long val; 3602 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3603 struct l2cap_conf_efs efs; 3604 3605 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data); 3606 3607 while (len >= L2CAP_CONF_OPT_SIZE) { 3608 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3609 if (len < 0) 3610 break; 3611 3612 switch (type) { 3613 case L2CAP_CONF_MTU: 3614 if (olen != 2) 3615 break; 3616 if (val < L2CAP_DEFAULT_MIN_MTU) { 3617 *result = L2CAP_CONF_UNACCEPT; 3618 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3619 } else 3620 chan->imtu = val; 3621 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, 3622 endptr - ptr); 3623 break; 3624 3625 case L2CAP_CONF_FLUSH_TO: 3626 if (olen != 2) 3627 break; 3628 chan->flush_to = val; 3629 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, 3630 chan->flush_to, endptr - ptr); 3631 break; 3632 3633 case L2CAP_CONF_RFC: 3634 if (olen != sizeof(rfc)) 3635 break; 3636 memcpy(&rfc, (void *)val, olen); 3637 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && 3638 rfc.mode != chan->mode) 3639 return -ECONNREFUSED; 3640 chan->fcs = 0; 3641 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3642 (unsigned long) &rfc, endptr - ptr); 3643 break; 3644 3645 case L2CAP_CONF_EWS: 3646 if (olen != 2) 3647 break; 3648 chan->ack_win = min_t(u16, val, chan->ack_win); 3649 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3650 chan->tx_win, endptr - ptr); 3651 break; 3652 3653 case L2CAP_CONF_EFS: 3654 if (olen != sizeof(efs)) 3655 break; 3656 memcpy(&efs, (void *)val, olen); 3657 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3658 efs.stype != L2CAP_SERV_NOTRAFIC && 3659 efs.stype != chan->local_stype) 3660 return -ECONNREFUSED; 3661 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), 3662 (unsigned long) &efs, endptr - ptr); 3663 break; 3664 3665 case L2CAP_CONF_FCS: 3666 if (olen != 1) 3667 break; 3668 if (*result == L2CAP_CONF_PENDING) 3669 if (val == L2CAP_FCS_NONE) 3670 set_bit(CONF_RECV_NO_FCS, 3671 &chan->conf_state); 3672 break; 3673 } 3674 } 3675 3676 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode) 3677 return -ECONNREFUSED; 3678 3679 chan->mode = rfc.mode; 3680 3681 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) { 3682 switch (rfc.mode) { 3683 case L2CAP_MODE_ERTM: 3684 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3685 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3686 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3687 if (!test_bit(FLAG_EXT_CTRL, &chan->flags)) 3688 chan->ack_win = min_t(u16, chan->ack_win, 3689 rfc.txwin_size); 3690 3691 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3692 chan->local_msdu = le16_to_cpu(efs.msdu); 3693 chan->local_sdu_itime = 3694 le32_to_cpu(efs.sdu_itime); 3695 chan->local_acc_lat = le32_to_cpu(efs.acc_lat); 3696 chan->local_flush_to = 3697 le32_to_cpu(efs.flush_to); 3698 } 3699 break; 3700 3701 case L2CAP_MODE_STREAMING: 3702 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3703 } 3704 } 3705 3706 req->dcid = cpu_to_le16(chan->dcid); 3707 req->flags = cpu_to_le16(0); 3708 3709 return ptr - data; 3710 } 3711 3712 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, 3713 u16 result, u16 flags) 3714 { 3715 struct l2cap_conf_rsp *rsp = data; 3716 void *ptr = rsp->data; 3717 3718 BT_DBG("chan %p", chan); 3719 3720 rsp->scid = cpu_to_le16(chan->dcid); 3721 rsp->result = cpu_to_le16(result); 3722 rsp->flags = cpu_to_le16(flags); 3723 3724 return ptr - data; 3725 } 3726 3727 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan) 3728 { 3729 struct l2cap_le_conn_rsp rsp; 3730 struct l2cap_conn *conn = chan->conn; 3731 3732 BT_DBG("chan %p", chan); 3733 3734 rsp.dcid = cpu_to_le16(chan->scid); 3735 rsp.mtu = cpu_to_le16(chan->imtu); 3736 rsp.mps = cpu_to_le16(chan->mps); 3737 rsp.credits = cpu_to_le16(chan->rx_credits); 3738 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); 3739 3740 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 3741 &rsp); 3742 } 3743 3744 static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data) 3745 { 3746 int *result = data; 3747 3748 if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 3749 return; 3750 3751 switch (chan->state) { 3752 case BT_CONNECT2: 3753 /* If channel still pending accept add to result */ 3754 (*result)++; 3755 return; 3756 case BT_CONNECTED: 3757 return; 3758 default: 3759 /* If not connected or pending accept it has been refused */ 3760 *result = -ECONNREFUSED; 3761 return; 3762 } 3763 } 3764 3765 struct l2cap_ecred_rsp_data { 3766 struct { 3767 struct l2cap_ecred_conn_rsp rsp; 3768 __le16 scid[L2CAP_ECRED_MAX_CID]; 3769 } __packed pdu; 3770 int count; 3771 }; 3772 3773 static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data) 3774 { 3775 struct l2cap_ecred_rsp_data *rsp = data; 3776 3777 if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 3778 return; 3779 3780 /* Reset ident so only one response is sent */ 3781 chan->ident = 0; 3782 3783 /* Include all channels pending with the same ident */ 3784 if (!rsp->pdu.rsp.result) 3785 rsp->pdu.rsp.dcid[rsp->count++] = cpu_to_le16(chan->scid); 3786 else 3787 l2cap_chan_del(chan, ECONNRESET); 3788 } 3789 3790 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan) 3791 { 3792 struct l2cap_conn *conn = chan->conn; 3793 struct l2cap_ecred_rsp_data data; 3794 u16 id = chan->ident; 3795 int result = 0; 3796 3797 if (!id) 3798 return; 3799 3800 BT_DBG("chan %p id %d", chan, id); 3801 3802 memset(&data, 0, sizeof(data)); 3803 3804 data.pdu.rsp.mtu = cpu_to_le16(chan->imtu); 3805 data.pdu.rsp.mps = cpu_to_le16(chan->mps); 3806 data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits); 3807 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); 3808 3809 /* Verify that all channels are ready */ 3810 __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result); 3811 3812 if (result > 0) 3813 return; 3814 3815 if (result < 0) 3816 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION); 3817 3818 /* Build response */ 3819 __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data); 3820 3821 l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP, 3822 sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)), 3823 &data.pdu); 3824 } 3825 3826 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) 3827 { 3828 struct l2cap_conn_rsp rsp; 3829 struct l2cap_conn *conn = chan->conn; 3830 u8 buf[128]; 3831 u8 rsp_code; 3832 3833 rsp.scid = cpu_to_le16(chan->dcid); 3834 rsp.dcid = cpu_to_le16(chan->scid); 3835 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 3836 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 3837 rsp_code = L2CAP_CONN_RSP; 3838 3839 BT_DBG("chan %p rsp_code %u", chan, rsp_code); 3840 3841 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp); 3842 3843 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 3844 return; 3845 3846 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3847 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 3848 chan->num_conf_req++; 3849 } 3850 3851 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) 3852 { 3853 int type, olen; 3854 unsigned long val; 3855 /* Use sane default values in case a misbehaving remote device 3856 * did not send an RFC or extended window size option. 3857 */ 3858 u16 txwin_ext = chan->ack_win; 3859 struct l2cap_conf_rfc rfc = { 3860 .mode = chan->mode, 3861 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO), 3862 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO), 3863 .max_pdu_size = cpu_to_le16(chan->imtu), 3864 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW), 3865 }; 3866 3867 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len); 3868 3869 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING)) 3870 return; 3871 3872 while (len >= L2CAP_CONF_OPT_SIZE) { 3873 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3874 if (len < 0) 3875 break; 3876 3877 switch (type) { 3878 case L2CAP_CONF_RFC: 3879 if (olen != sizeof(rfc)) 3880 break; 3881 memcpy(&rfc, (void *)val, olen); 3882 break; 3883 case L2CAP_CONF_EWS: 3884 if (olen != 2) 3885 break; 3886 txwin_ext = val; 3887 break; 3888 } 3889 } 3890 3891 switch (rfc.mode) { 3892 case L2CAP_MODE_ERTM: 3893 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3894 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3895 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3896 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 3897 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext); 3898 else 3899 chan->ack_win = min_t(u16, chan->ack_win, 3900 rfc.txwin_size); 3901 break; 3902 case L2CAP_MODE_STREAMING: 3903 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3904 } 3905 } 3906 3907 static inline int l2cap_command_rej(struct l2cap_conn *conn, 3908 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 3909 u8 *data) 3910 { 3911 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 3912 3913 if (cmd_len < sizeof(*rej)) 3914 return -EPROTO; 3915 3916 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) 3917 return 0; 3918 3919 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 3920 cmd->ident == conn->info_ident) { 3921 cancel_delayed_work(&conn->info_timer); 3922 3923 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3924 conn->info_ident = 0; 3925 3926 l2cap_conn_start(conn); 3927 } 3928 3929 return 0; 3930 } 3931 3932 static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, 3933 u8 *data, u8 rsp_code, u8 amp_id) 3934 { 3935 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 3936 struct l2cap_conn_rsp rsp; 3937 struct l2cap_chan *chan = NULL, *pchan = NULL; 3938 int result, status = L2CAP_CS_NO_INFO; 3939 3940 u16 dcid = 0, scid = __le16_to_cpu(req->scid); 3941 __le16 psm = req->psm; 3942 3943 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid); 3944 3945 /* Check if we have socket listening on psm */ 3946 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 3947 &conn->hcon->dst, ACL_LINK); 3948 if (!pchan) { 3949 result = L2CAP_CR_BAD_PSM; 3950 goto response; 3951 } 3952 3953 mutex_lock(&conn->chan_lock); 3954 l2cap_chan_lock(pchan); 3955 3956 /* Check if the ACL is secure enough (if not SDP) */ 3957 if (psm != cpu_to_le16(L2CAP_PSM_SDP) && 3958 !hci_conn_check_link_mode(conn->hcon)) { 3959 conn->disc_reason = HCI_ERROR_AUTH_FAILURE; 3960 result = L2CAP_CR_SEC_BLOCK; 3961 goto response; 3962 } 3963 3964 result = L2CAP_CR_NO_MEM; 3965 3966 /* Check for valid dynamic CID range (as per Erratum 3253) */ 3967 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) { 3968 result = L2CAP_CR_INVALID_SCID; 3969 goto response; 3970 } 3971 3972 /* Check if we already have channel with that dcid */ 3973 if (__l2cap_get_chan_by_dcid(conn, scid)) { 3974 result = L2CAP_CR_SCID_IN_USE; 3975 goto response; 3976 } 3977 3978 chan = pchan->ops->new_connection(pchan); 3979 if (!chan) 3980 goto response; 3981 3982 /* For certain devices (ex: HID mouse), support for authentication, 3983 * pairing and bonding is optional. For such devices, inorder to avoid 3984 * the ACL alive for too long after L2CAP disconnection, reset the ACL 3985 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect. 3986 */ 3987 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 3988 3989 bacpy(&chan->src, &conn->hcon->src); 3990 bacpy(&chan->dst, &conn->hcon->dst); 3991 chan->src_type = bdaddr_src_type(conn->hcon); 3992 chan->dst_type = bdaddr_dst_type(conn->hcon); 3993 chan->psm = psm; 3994 chan->dcid = scid; 3995 3996 __l2cap_chan_add(conn, chan); 3997 3998 dcid = chan->scid; 3999 4000 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 4001 4002 chan->ident = cmd->ident; 4003 4004 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 4005 if (l2cap_chan_check_security(chan, false)) { 4006 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 4007 l2cap_state_change(chan, BT_CONNECT2); 4008 result = L2CAP_CR_PEND; 4009 status = L2CAP_CS_AUTHOR_PEND; 4010 chan->ops->defer(chan); 4011 } else { 4012 /* Force pending result for AMP controllers. 4013 * The connection will succeed after the 4014 * physical link is up. 4015 */ 4016 if (amp_id == AMP_ID_BREDR) { 4017 l2cap_state_change(chan, BT_CONFIG); 4018 result = L2CAP_CR_SUCCESS; 4019 } else { 4020 l2cap_state_change(chan, BT_CONNECT2); 4021 result = L2CAP_CR_PEND; 4022 } 4023 status = L2CAP_CS_NO_INFO; 4024 } 4025 } else { 4026 l2cap_state_change(chan, BT_CONNECT2); 4027 result = L2CAP_CR_PEND; 4028 status = L2CAP_CS_AUTHEN_PEND; 4029 } 4030 } else { 4031 l2cap_state_change(chan, BT_CONNECT2); 4032 result = L2CAP_CR_PEND; 4033 status = L2CAP_CS_NO_INFO; 4034 } 4035 4036 response: 4037 rsp.scid = cpu_to_le16(scid); 4038 rsp.dcid = cpu_to_le16(dcid); 4039 rsp.result = cpu_to_le16(result); 4040 rsp.status = cpu_to_le16(status); 4041 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); 4042 4043 if (!pchan) 4044 return; 4045 4046 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { 4047 struct l2cap_info_req info; 4048 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 4049 4050 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 4051 conn->info_ident = l2cap_get_ident(conn); 4052 4053 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 4054 4055 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ, 4056 sizeof(info), &info); 4057 } 4058 4059 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) && 4060 result == L2CAP_CR_SUCCESS) { 4061 u8 buf[128]; 4062 set_bit(CONF_REQ_SENT, &chan->conf_state); 4063 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4064 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4065 chan->num_conf_req++; 4066 } 4067 4068 l2cap_chan_unlock(pchan); 4069 mutex_unlock(&conn->chan_lock); 4070 l2cap_chan_put(pchan); 4071 } 4072 4073 static int l2cap_connect_req(struct l2cap_conn *conn, 4074 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 4075 { 4076 struct hci_dev *hdev = conn->hcon->hdev; 4077 struct hci_conn *hcon = conn->hcon; 4078 4079 if (cmd_len < sizeof(struct l2cap_conn_req)) 4080 return -EPROTO; 4081 4082 hci_dev_lock(hdev); 4083 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4084 mgmt_device_connected(hdev, hcon, NULL, 0); 4085 hci_dev_unlock(hdev); 4086 4087 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0); 4088 return 0; 4089 } 4090 4091 static int l2cap_connect_create_rsp(struct l2cap_conn *conn, 4092 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4093 u8 *data) 4094 { 4095 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; 4096 u16 scid, dcid, result, status; 4097 struct l2cap_chan *chan; 4098 u8 req[128]; 4099 int err; 4100 4101 if (cmd_len < sizeof(*rsp)) 4102 return -EPROTO; 4103 4104 scid = __le16_to_cpu(rsp->scid); 4105 dcid = __le16_to_cpu(rsp->dcid); 4106 result = __le16_to_cpu(rsp->result); 4107 status = __le16_to_cpu(rsp->status); 4108 4109 if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START || 4110 dcid > L2CAP_CID_DYN_END)) 4111 return -EPROTO; 4112 4113 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", 4114 dcid, scid, result, status); 4115 4116 mutex_lock(&conn->chan_lock); 4117 4118 if (scid) { 4119 chan = __l2cap_get_chan_by_scid(conn, scid); 4120 if (!chan) { 4121 err = -EBADSLT; 4122 goto unlock; 4123 } 4124 } else { 4125 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 4126 if (!chan) { 4127 err = -EBADSLT; 4128 goto unlock; 4129 } 4130 } 4131 4132 chan = l2cap_chan_hold_unless_zero(chan); 4133 if (!chan) { 4134 err = -EBADSLT; 4135 goto unlock; 4136 } 4137 4138 err = 0; 4139 4140 l2cap_chan_lock(chan); 4141 4142 switch (result) { 4143 case L2CAP_CR_SUCCESS: 4144 if (__l2cap_get_chan_by_dcid(conn, dcid)) { 4145 err = -EBADSLT; 4146 break; 4147 } 4148 4149 l2cap_state_change(chan, BT_CONFIG); 4150 chan->ident = 0; 4151 chan->dcid = dcid; 4152 clear_bit(CONF_CONNECT_PEND, &chan->conf_state); 4153 4154 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 4155 break; 4156 4157 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4158 l2cap_build_conf_req(chan, req, sizeof(req)), req); 4159 chan->num_conf_req++; 4160 break; 4161 4162 case L2CAP_CR_PEND: 4163 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 4164 break; 4165 4166 default: 4167 l2cap_chan_del(chan, ECONNREFUSED); 4168 break; 4169 } 4170 4171 l2cap_chan_unlock(chan); 4172 l2cap_chan_put(chan); 4173 4174 unlock: 4175 mutex_unlock(&conn->chan_lock); 4176 4177 return err; 4178 } 4179 4180 static inline void set_default_fcs(struct l2cap_chan *chan) 4181 { 4182 /* FCS is enabled only in ERTM or streaming mode, if one or both 4183 * sides request it. 4184 */ 4185 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 4186 chan->fcs = L2CAP_FCS_NONE; 4187 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) 4188 chan->fcs = L2CAP_FCS_CRC16; 4189 } 4190 4191 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data, 4192 u8 ident, u16 flags) 4193 { 4194 struct l2cap_conn *conn = chan->conn; 4195 4196 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident, 4197 flags); 4198 4199 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 4200 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 4201 4202 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP, 4203 l2cap_build_conf_rsp(chan, data, 4204 L2CAP_CONF_SUCCESS, flags), data); 4205 } 4206 4207 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident, 4208 u16 scid, u16 dcid) 4209 { 4210 struct l2cap_cmd_rej_cid rej; 4211 4212 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID); 4213 rej.scid = __cpu_to_le16(scid); 4214 rej.dcid = __cpu_to_le16(dcid); 4215 4216 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 4217 } 4218 4219 static inline int l2cap_config_req(struct l2cap_conn *conn, 4220 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4221 u8 *data) 4222 { 4223 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 4224 u16 dcid, flags; 4225 u8 rsp[64]; 4226 struct l2cap_chan *chan; 4227 int len, err = 0; 4228 4229 if (cmd_len < sizeof(*req)) 4230 return -EPROTO; 4231 4232 dcid = __le16_to_cpu(req->dcid); 4233 flags = __le16_to_cpu(req->flags); 4234 4235 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags); 4236 4237 chan = l2cap_get_chan_by_scid(conn, dcid); 4238 if (!chan) { 4239 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0); 4240 return 0; 4241 } 4242 4243 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 && 4244 chan->state != BT_CONNECTED) { 4245 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, 4246 chan->dcid); 4247 goto unlock; 4248 } 4249 4250 /* Reject if config buffer is too small. */ 4251 len = cmd_len - sizeof(*req); 4252 if (chan->conf_len + len > sizeof(chan->conf_req)) { 4253 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 4254 l2cap_build_conf_rsp(chan, rsp, 4255 L2CAP_CONF_REJECT, flags), rsp); 4256 goto unlock; 4257 } 4258 4259 /* Store config. */ 4260 memcpy(chan->conf_req + chan->conf_len, req->data, len); 4261 chan->conf_len += len; 4262 4263 if (flags & L2CAP_CONF_FLAG_CONTINUATION) { 4264 /* Incomplete config. Send empty response. */ 4265 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 4266 l2cap_build_conf_rsp(chan, rsp, 4267 L2CAP_CONF_SUCCESS, flags), rsp); 4268 goto unlock; 4269 } 4270 4271 /* Complete config. */ 4272 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp)); 4273 if (len < 0) { 4274 l2cap_send_disconn_req(chan, ECONNRESET); 4275 goto unlock; 4276 } 4277 4278 chan->ident = cmd->ident; 4279 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); 4280 if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP) 4281 chan->num_conf_rsp++; 4282 4283 /* Reset config buffer. */ 4284 chan->conf_len = 0; 4285 4286 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) 4287 goto unlock; 4288 4289 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) { 4290 set_default_fcs(chan); 4291 4292 if (chan->mode == L2CAP_MODE_ERTM || 4293 chan->mode == L2CAP_MODE_STREAMING) 4294 err = l2cap_ertm_init(chan); 4295 4296 if (err < 0) 4297 l2cap_send_disconn_req(chan, -err); 4298 else 4299 l2cap_chan_ready(chan); 4300 4301 goto unlock; 4302 } 4303 4304 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) { 4305 u8 buf[64]; 4306 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4307 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4308 chan->num_conf_req++; 4309 } 4310 4311 /* Got Conf Rsp PENDING from remote side and assume we sent 4312 Conf Rsp PENDING in the code above */ 4313 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) && 4314 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 4315 4316 /* check compatibility */ 4317 4318 /* Send rsp for BR/EDR channel */ 4319 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags); 4320 } 4321 4322 unlock: 4323 l2cap_chan_unlock(chan); 4324 l2cap_chan_put(chan); 4325 return err; 4326 } 4327 4328 static inline int l2cap_config_rsp(struct l2cap_conn *conn, 4329 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4330 u8 *data) 4331 { 4332 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 4333 u16 scid, flags, result; 4334 struct l2cap_chan *chan; 4335 int len = cmd_len - sizeof(*rsp); 4336 int err = 0; 4337 4338 if (cmd_len < sizeof(*rsp)) 4339 return -EPROTO; 4340 4341 scid = __le16_to_cpu(rsp->scid); 4342 flags = __le16_to_cpu(rsp->flags); 4343 result = __le16_to_cpu(rsp->result); 4344 4345 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags, 4346 result, len); 4347 4348 chan = l2cap_get_chan_by_scid(conn, scid); 4349 if (!chan) 4350 return 0; 4351 4352 switch (result) { 4353 case L2CAP_CONF_SUCCESS: 4354 l2cap_conf_rfc_get(chan, rsp->data, len); 4355 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state); 4356 break; 4357 4358 case L2CAP_CONF_PENDING: 4359 set_bit(CONF_REM_CONF_PEND, &chan->conf_state); 4360 4361 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 4362 char buf[64]; 4363 4364 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 4365 buf, sizeof(buf), &result); 4366 if (len < 0) { 4367 l2cap_send_disconn_req(chan, ECONNRESET); 4368 goto done; 4369 } 4370 4371 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0); 4372 } 4373 goto done; 4374 4375 case L2CAP_CONF_UNKNOWN: 4376 case L2CAP_CONF_UNACCEPT: 4377 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) { 4378 char req[64]; 4379 4380 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { 4381 l2cap_send_disconn_req(chan, ECONNRESET); 4382 goto done; 4383 } 4384 4385 /* throw out any old stored conf requests */ 4386 result = L2CAP_CONF_SUCCESS; 4387 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 4388 req, sizeof(req), &result); 4389 if (len < 0) { 4390 l2cap_send_disconn_req(chan, ECONNRESET); 4391 goto done; 4392 } 4393 4394 l2cap_send_cmd(conn, l2cap_get_ident(conn), 4395 L2CAP_CONF_REQ, len, req); 4396 chan->num_conf_req++; 4397 if (result != L2CAP_CONF_SUCCESS) 4398 goto done; 4399 break; 4400 } 4401 fallthrough; 4402 4403 default: 4404 l2cap_chan_set_err(chan, ECONNRESET); 4405 4406 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT); 4407 l2cap_send_disconn_req(chan, ECONNRESET); 4408 goto done; 4409 } 4410 4411 if (flags & L2CAP_CONF_FLAG_CONTINUATION) 4412 goto done; 4413 4414 set_bit(CONF_INPUT_DONE, &chan->conf_state); 4415 4416 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) { 4417 set_default_fcs(chan); 4418 4419 if (chan->mode == L2CAP_MODE_ERTM || 4420 chan->mode == L2CAP_MODE_STREAMING) 4421 err = l2cap_ertm_init(chan); 4422 4423 if (err < 0) 4424 l2cap_send_disconn_req(chan, -err); 4425 else 4426 l2cap_chan_ready(chan); 4427 } 4428 4429 done: 4430 l2cap_chan_unlock(chan); 4431 l2cap_chan_put(chan); 4432 return err; 4433 } 4434 4435 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, 4436 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4437 u8 *data) 4438 { 4439 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; 4440 struct l2cap_disconn_rsp rsp; 4441 u16 dcid, scid; 4442 struct l2cap_chan *chan; 4443 4444 if (cmd_len != sizeof(*req)) 4445 return -EPROTO; 4446 4447 scid = __le16_to_cpu(req->scid); 4448 dcid = __le16_to_cpu(req->dcid); 4449 4450 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); 4451 4452 chan = l2cap_get_chan_by_scid(conn, dcid); 4453 if (!chan) { 4454 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid); 4455 return 0; 4456 } 4457 4458 rsp.dcid = cpu_to_le16(chan->scid); 4459 rsp.scid = cpu_to_le16(chan->dcid); 4460 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); 4461 4462 chan->ops->set_shutdown(chan); 4463 4464 l2cap_chan_unlock(chan); 4465 mutex_lock(&conn->chan_lock); 4466 l2cap_chan_lock(chan); 4467 l2cap_chan_del(chan, ECONNRESET); 4468 mutex_unlock(&conn->chan_lock); 4469 4470 chan->ops->close(chan); 4471 4472 l2cap_chan_unlock(chan); 4473 l2cap_chan_put(chan); 4474 4475 return 0; 4476 } 4477 4478 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, 4479 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4480 u8 *data) 4481 { 4482 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; 4483 u16 dcid, scid; 4484 struct l2cap_chan *chan; 4485 4486 if (cmd_len != sizeof(*rsp)) 4487 return -EPROTO; 4488 4489 scid = __le16_to_cpu(rsp->scid); 4490 dcid = __le16_to_cpu(rsp->dcid); 4491 4492 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); 4493 4494 chan = l2cap_get_chan_by_scid(conn, scid); 4495 if (!chan) { 4496 return 0; 4497 } 4498 4499 if (chan->state != BT_DISCONN) { 4500 l2cap_chan_unlock(chan); 4501 l2cap_chan_put(chan); 4502 return 0; 4503 } 4504 4505 l2cap_chan_unlock(chan); 4506 mutex_lock(&conn->chan_lock); 4507 l2cap_chan_lock(chan); 4508 l2cap_chan_del(chan, 0); 4509 mutex_unlock(&conn->chan_lock); 4510 4511 chan->ops->close(chan); 4512 4513 l2cap_chan_unlock(chan); 4514 l2cap_chan_put(chan); 4515 4516 return 0; 4517 } 4518 4519 static inline int l2cap_information_req(struct l2cap_conn *conn, 4520 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4521 u8 *data) 4522 { 4523 struct l2cap_info_req *req = (struct l2cap_info_req *) data; 4524 u16 type; 4525 4526 if (cmd_len != sizeof(*req)) 4527 return -EPROTO; 4528 4529 type = __le16_to_cpu(req->type); 4530 4531 BT_DBG("type 0x%4.4x", type); 4532 4533 if (type == L2CAP_IT_FEAT_MASK) { 4534 u8 buf[8]; 4535 u32 feat_mask = l2cap_feat_mask; 4536 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4537 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 4538 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4539 if (!disable_ertm) 4540 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 4541 | L2CAP_FEAT_FCS; 4542 4543 put_unaligned_le32(feat_mask, rsp->data); 4544 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4545 buf); 4546 } else if (type == L2CAP_IT_FIXED_CHAN) { 4547 u8 buf[12]; 4548 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4549 4550 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4551 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4552 rsp->data[0] = conn->local_fixed_chan; 4553 memset(rsp->data + 1, 0, 7); 4554 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4555 buf); 4556 } else { 4557 struct l2cap_info_rsp rsp; 4558 rsp.type = cpu_to_le16(type); 4559 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP); 4560 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp), 4561 &rsp); 4562 } 4563 4564 return 0; 4565 } 4566 4567 static inline int l2cap_information_rsp(struct l2cap_conn *conn, 4568 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4569 u8 *data) 4570 { 4571 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; 4572 u16 type, result; 4573 4574 if (cmd_len < sizeof(*rsp)) 4575 return -EPROTO; 4576 4577 type = __le16_to_cpu(rsp->type); 4578 result = __le16_to_cpu(rsp->result); 4579 4580 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result); 4581 4582 /* L2CAP Info req/rsp are unbound to channels, add extra checks */ 4583 if (cmd->ident != conn->info_ident || 4584 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 4585 return 0; 4586 4587 cancel_delayed_work(&conn->info_timer); 4588 4589 if (result != L2CAP_IR_SUCCESS) { 4590 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4591 conn->info_ident = 0; 4592 4593 l2cap_conn_start(conn); 4594 4595 return 0; 4596 } 4597 4598 switch (type) { 4599 case L2CAP_IT_FEAT_MASK: 4600 conn->feat_mask = get_unaligned_le32(rsp->data); 4601 4602 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) { 4603 struct l2cap_info_req req; 4604 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4605 4606 conn->info_ident = l2cap_get_ident(conn); 4607 4608 l2cap_send_cmd(conn, conn->info_ident, 4609 L2CAP_INFO_REQ, sizeof(req), &req); 4610 } else { 4611 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4612 conn->info_ident = 0; 4613 4614 l2cap_conn_start(conn); 4615 } 4616 break; 4617 4618 case L2CAP_IT_FIXED_CHAN: 4619 conn->remote_fixed_chan = rsp->data[0]; 4620 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4621 conn->info_ident = 0; 4622 4623 l2cap_conn_start(conn); 4624 break; 4625 } 4626 4627 return 0; 4628 } 4629 4630 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, 4631 struct l2cap_cmd_hdr *cmd, 4632 u16 cmd_len, u8 *data) 4633 { 4634 struct hci_conn *hcon = conn->hcon; 4635 struct l2cap_conn_param_update_req *req; 4636 struct l2cap_conn_param_update_rsp rsp; 4637 u16 min, max, latency, to_multiplier; 4638 int err; 4639 4640 if (hcon->role != HCI_ROLE_MASTER) 4641 return -EINVAL; 4642 4643 if (cmd_len != sizeof(struct l2cap_conn_param_update_req)) 4644 return -EPROTO; 4645 4646 req = (struct l2cap_conn_param_update_req *) data; 4647 min = __le16_to_cpu(req->min); 4648 max = __le16_to_cpu(req->max); 4649 latency = __le16_to_cpu(req->latency); 4650 to_multiplier = __le16_to_cpu(req->to_multiplier); 4651 4652 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x", 4653 min, max, latency, to_multiplier); 4654 4655 memset(&rsp, 0, sizeof(rsp)); 4656 4657 if (max > hcon->le_conn_max_interval) { 4658 BT_DBG("requested connection interval exceeds current bounds."); 4659 err = -EINVAL; 4660 } else { 4661 err = hci_check_conn_params(min, max, latency, to_multiplier); 4662 } 4663 4664 if (err) 4665 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); 4666 else 4667 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED); 4668 4669 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP, 4670 sizeof(rsp), &rsp); 4671 4672 if (!err) { 4673 u8 store_hint; 4674 4675 store_hint = hci_le_conn_update(hcon, min, max, latency, 4676 to_multiplier); 4677 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type, 4678 store_hint, min, max, latency, 4679 to_multiplier); 4680 4681 } 4682 4683 return 0; 4684 } 4685 4686 static int l2cap_le_connect_rsp(struct l2cap_conn *conn, 4687 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4688 u8 *data) 4689 { 4690 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data; 4691 struct hci_conn *hcon = conn->hcon; 4692 u16 dcid, mtu, mps, credits, result; 4693 struct l2cap_chan *chan; 4694 int err, sec_level; 4695 4696 if (cmd_len < sizeof(*rsp)) 4697 return -EPROTO; 4698 4699 dcid = __le16_to_cpu(rsp->dcid); 4700 mtu = __le16_to_cpu(rsp->mtu); 4701 mps = __le16_to_cpu(rsp->mps); 4702 credits = __le16_to_cpu(rsp->credits); 4703 result = __le16_to_cpu(rsp->result); 4704 4705 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 || 4706 dcid < L2CAP_CID_DYN_START || 4707 dcid > L2CAP_CID_LE_DYN_END)) 4708 return -EPROTO; 4709 4710 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x", 4711 dcid, mtu, mps, credits, result); 4712 4713 mutex_lock(&conn->chan_lock); 4714 4715 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 4716 if (!chan) { 4717 err = -EBADSLT; 4718 goto unlock; 4719 } 4720 4721 err = 0; 4722 4723 l2cap_chan_lock(chan); 4724 4725 switch (result) { 4726 case L2CAP_CR_LE_SUCCESS: 4727 if (__l2cap_get_chan_by_dcid(conn, dcid)) { 4728 err = -EBADSLT; 4729 break; 4730 } 4731 4732 chan->ident = 0; 4733 chan->dcid = dcid; 4734 chan->omtu = mtu; 4735 chan->remote_mps = mps; 4736 chan->tx_credits = credits; 4737 l2cap_chan_ready(chan); 4738 break; 4739 4740 case L2CAP_CR_LE_AUTHENTICATION: 4741 case L2CAP_CR_LE_ENCRYPTION: 4742 /* If we already have MITM protection we can't do 4743 * anything. 4744 */ 4745 if (hcon->sec_level > BT_SECURITY_MEDIUM) { 4746 l2cap_chan_del(chan, ECONNREFUSED); 4747 break; 4748 } 4749 4750 sec_level = hcon->sec_level + 1; 4751 if (chan->sec_level < sec_level) 4752 chan->sec_level = sec_level; 4753 4754 /* We'll need to send a new Connect Request */ 4755 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags); 4756 4757 smp_conn_security(hcon, chan->sec_level); 4758 break; 4759 4760 default: 4761 l2cap_chan_del(chan, ECONNREFUSED); 4762 break; 4763 } 4764 4765 l2cap_chan_unlock(chan); 4766 4767 unlock: 4768 mutex_unlock(&conn->chan_lock); 4769 4770 return err; 4771 } 4772 4773 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, 4774 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4775 u8 *data) 4776 { 4777 int err = 0; 4778 4779 switch (cmd->code) { 4780 case L2CAP_COMMAND_REJ: 4781 l2cap_command_rej(conn, cmd, cmd_len, data); 4782 break; 4783 4784 case L2CAP_CONN_REQ: 4785 err = l2cap_connect_req(conn, cmd, cmd_len, data); 4786 break; 4787 4788 case L2CAP_CONN_RSP: 4789 l2cap_connect_create_rsp(conn, cmd, cmd_len, data); 4790 break; 4791 4792 case L2CAP_CONF_REQ: 4793 err = l2cap_config_req(conn, cmd, cmd_len, data); 4794 break; 4795 4796 case L2CAP_CONF_RSP: 4797 l2cap_config_rsp(conn, cmd, cmd_len, data); 4798 break; 4799 4800 case L2CAP_DISCONN_REQ: 4801 err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 4802 break; 4803 4804 case L2CAP_DISCONN_RSP: 4805 l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 4806 break; 4807 4808 case L2CAP_ECHO_REQ: 4809 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data); 4810 break; 4811 4812 case L2CAP_ECHO_RSP: 4813 break; 4814 4815 case L2CAP_INFO_REQ: 4816 err = l2cap_information_req(conn, cmd, cmd_len, data); 4817 break; 4818 4819 case L2CAP_INFO_RSP: 4820 l2cap_information_rsp(conn, cmd, cmd_len, data); 4821 break; 4822 4823 default: 4824 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code); 4825 err = -EINVAL; 4826 break; 4827 } 4828 4829 return err; 4830 } 4831 4832 static int l2cap_le_connect_req(struct l2cap_conn *conn, 4833 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4834 u8 *data) 4835 { 4836 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data; 4837 struct l2cap_le_conn_rsp rsp; 4838 struct l2cap_chan *chan, *pchan; 4839 u16 dcid, scid, credits, mtu, mps; 4840 __le16 psm; 4841 u8 result; 4842 4843 if (cmd_len != sizeof(*req)) 4844 return -EPROTO; 4845 4846 scid = __le16_to_cpu(req->scid); 4847 mtu = __le16_to_cpu(req->mtu); 4848 mps = __le16_to_cpu(req->mps); 4849 psm = req->psm; 4850 dcid = 0; 4851 credits = 0; 4852 4853 if (mtu < 23 || mps < 23) 4854 return -EPROTO; 4855 4856 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), 4857 scid, mtu, mps); 4858 4859 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A 4860 * page 1059: 4861 * 4862 * Valid range: 0x0001-0x00ff 4863 * 4864 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges 4865 */ 4866 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { 4867 result = L2CAP_CR_LE_BAD_PSM; 4868 chan = NULL; 4869 goto response; 4870 } 4871 4872 /* Check if we have socket listening on psm */ 4873 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 4874 &conn->hcon->dst, LE_LINK); 4875 if (!pchan) { 4876 result = L2CAP_CR_LE_BAD_PSM; 4877 chan = NULL; 4878 goto response; 4879 } 4880 4881 mutex_lock(&conn->chan_lock); 4882 l2cap_chan_lock(pchan); 4883 4884 if (!smp_sufficient_security(conn->hcon, pchan->sec_level, 4885 SMP_ALLOW_STK)) { 4886 result = L2CAP_CR_LE_AUTHENTICATION; 4887 chan = NULL; 4888 goto response_unlock; 4889 } 4890 4891 /* Check for valid dynamic CID range */ 4892 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { 4893 result = L2CAP_CR_LE_INVALID_SCID; 4894 chan = NULL; 4895 goto response_unlock; 4896 } 4897 4898 /* Check if we already have channel with that dcid */ 4899 if (__l2cap_get_chan_by_dcid(conn, scid)) { 4900 result = L2CAP_CR_LE_SCID_IN_USE; 4901 chan = NULL; 4902 goto response_unlock; 4903 } 4904 4905 chan = pchan->ops->new_connection(pchan); 4906 if (!chan) { 4907 result = L2CAP_CR_LE_NO_MEM; 4908 goto response_unlock; 4909 } 4910 4911 bacpy(&chan->src, &conn->hcon->src); 4912 bacpy(&chan->dst, &conn->hcon->dst); 4913 chan->src_type = bdaddr_src_type(conn->hcon); 4914 chan->dst_type = bdaddr_dst_type(conn->hcon); 4915 chan->psm = psm; 4916 chan->dcid = scid; 4917 chan->omtu = mtu; 4918 chan->remote_mps = mps; 4919 4920 __l2cap_chan_add(conn, chan); 4921 4922 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits)); 4923 4924 dcid = chan->scid; 4925 credits = chan->rx_credits; 4926 4927 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 4928 4929 chan->ident = cmd->ident; 4930 4931 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 4932 l2cap_state_change(chan, BT_CONNECT2); 4933 /* The following result value is actually not defined 4934 * for LE CoC but we use it to let the function know 4935 * that it should bail out after doing its cleanup 4936 * instead of sending a response. 4937 */ 4938 result = L2CAP_CR_PEND; 4939 chan->ops->defer(chan); 4940 } else { 4941 l2cap_chan_ready(chan); 4942 result = L2CAP_CR_LE_SUCCESS; 4943 } 4944 4945 response_unlock: 4946 l2cap_chan_unlock(pchan); 4947 mutex_unlock(&conn->chan_lock); 4948 l2cap_chan_put(pchan); 4949 4950 if (result == L2CAP_CR_PEND) 4951 return 0; 4952 4953 response: 4954 if (chan) { 4955 rsp.mtu = cpu_to_le16(chan->imtu); 4956 rsp.mps = cpu_to_le16(chan->mps); 4957 } else { 4958 rsp.mtu = 0; 4959 rsp.mps = 0; 4960 } 4961 4962 rsp.dcid = cpu_to_le16(dcid); 4963 rsp.credits = cpu_to_le16(credits); 4964 rsp.result = cpu_to_le16(result); 4965 4966 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp); 4967 4968 return 0; 4969 } 4970 4971 static inline int l2cap_le_credits(struct l2cap_conn *conn, 4972 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4973 u8 *data) 4974 { 4975 struct l2cap_le_credits *pkt; 4976 struct l2cap_chan *chan; 4977 u16 cid, credits, max_credits; 4978 4979 if (cmd_len != sizeof(*pkt)) 4980 return -EPROTO; 4981 4982 pkt = (struct l2cap_le_credits *) data; 4983 cid = __le16_to_cpu(pkt->cid); 4984 credits = __le16_to_cpu(pkt->credits); 4985 4986 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits); 4987 4988 chan = l2cap_get_chan_by_dcid(conn, cid); 4989 if (!chan) 4990 return -EBADSLT; 4991 4992 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits; 4993 if (credits > max_credits) { 4994 BT_ERR("LE credits overflow"); 4995 l2cap_send_disconn_req(chan, ECONNRESET); 4996 4997 /* Return 0 so that we don't trigger an unnecessary 4998 * command reject packet. 4999 */ 5000 goto unlock; 5001 } 5002 5003 chan->tx_credits += credits; 5004 5005 /* Resume sending */ 5006 l2cap_le_flowctl_send(chan); 5007 5008 if (chan->tx_credits) 5009 chan->ops->resume(chan); 5010 5011 unlock: 5012 l2cap_chan_unlock(chan); 5013 l2cap_chan_put(chan); 5014 5015 return 0; 5016 } 5017 5018 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, 5019 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5020 u8 *data) 5021 { 5022 struct l2cap_ecred_conn_req *req = (void *) data; 5023 struct { 5024 struct l2cap_ecred_conn_rsp rsp; 5025 __le16 dcid[L2CAP_ECRED_MAX_CID]; 5026 } __packed pdu; 5027 struct l2cap_chan *chan, *pchan; 5028 u16 mtu, mps; 5029 __le16 psm; 5030 u8 result, len = 0; 5031 int i, num_scid; 5032 bool defer = false; 5033 5034 if (!enable_ecred) 5035 return -EINVAL; 5036 5037 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) { 5038 result = L2CAP_CR_LE_INVALID_PARAMS; 5039 goto response; 5040 } 5041 5042 cmd_len -= sizeof(*req); 5043 num_scid = cmd_len / sizeof(u16); 5044 5045 if (num_scid > ARRAY_SIZE(pdu.dcid)) { 5046 result = L2CAP_CR_LE_INVALID_PARAMS; 5047 goto response; 5048 } 5049 5050 mtu = __le16_to_cpu(req->mtu); 5051 mps = __le16_to_cpu(req->mps); 5052 5053 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) { 5054 result = L2CAP_CR_LE_UNACCEPT_PARAMS; 5055 goto response; 5056 } 5057 5058 psm = req->psm; 5059 5060 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A 5061 * page 1059: 5062 * 5063 * Valid range: 0x0001-0x00ff 5064 * 5065 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges 5066 */ 5067 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { 5068 result = L2CAP_CR_LE_BAD_PSM; 5069 goto response; 5070 } 5071 5072 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps); 5073 5074 memset(&pdu, 0, sizeof(pdu)); 5075 5076 /* Check if we have socket listening on psm */ 5077 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 5078 &conn->hcon->dst, LE_LINK); 5079 if (!pchan) { 5080 result = L2CAP_CR_LE_BAD_PSM; 5081 goto response; 5082 } 5083 5084 mutex_lock(&conn->chan_lock); 5085 l2cap_chan_lock(pchan); 5086 5087 if (!smp_sufficient_security(conn->hcon, pchan->sec_level, 5088 SMP_ALLOW_STK)) { 5089 result = L2CAP_CR_LE_AUTHENTICATION; 5090 goto unlock; 5091 } 5092 5093 result = L2CAP_CR_LE_SUCCESS; 5094 5095 for (i = 0; i < num_scid; i++) { 5096 u16 scid = __le16_to_cpu(req->scid[i]); 5097 5098 BT_DBG("scid[%d] 0x%4.4x", i, scid); 5099 5100 pdu.dcid[i] = 0x0000; 5101 len += sizeof(*pdu.dcid); 5102 5103 /* Check for valid dynamic CID range */ 5104 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { 5105 result = L2CAP_CR_LE_INVALID_SCID; 5106 continue; 5107 } 5108 5109 /* Check if we already have channel with that dcid */ 5110 if (__l2cap_get_chan_by_dcid(conn, scid)) { 5111 result = L2CAP_CR_LE_SCID_IN_USE; 5112 continue; 5113 } 5114 5115 chan = pchan->ops->new_connection(pchan); 5116 if (!chan) { 5117 result = L2CAP_CR_LE_NO_MEM; 5118 continue; 5119 } 5120 5121 bacpy(&chan->src, &conn->hcon->src); 5122 bacpy(&chan->dst, &conn->hcon->dst); 5123 chan->src_type = bdaddr_src_type(conn->hcon); 5124 chan->dst_type = bdaddr_dst_type(conn->hcon); 5125 chan->psm = psm; 5126 chan->dcid = scid; 5127 chan->omtu = mtu; 5128 chan->remote_mps = mps; 5129 5130 __l2cap_chan_add(conn, chan); 5131 5132 l2cap_ecred_init(chan, __le16_to_cpu(req->credits)); 5133 5134 /* Init response */ 5135 if (!pdu.rsp.credits) { 5136 pdu.rsp.mtu = cpu_to_le16(chan->imtu); 5137 pdu.rsp.mps = cpu_to_le16(chan->mps); 5138 pdu.rsp.credits = cpu_to_le16(chan->rx_credits); 5139 } 5140 5141 pdu.dcid[i] = cpu_to_le16(chan->scid); 5142 5143 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 5144 5145 chan->ident = cmd->ident; 5146 chan->mode = L2CAP_MODE_EXT_FLOWCTL; 5147 5148 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 5149 l2cap_state_change(chan, BT_CONNECT2); 5150 defer = true; 5151 chan->ops->defer(chan); 5152 } else { 5153 l2cap_chan_ready(chan); 5154 } 5155 } 5156 5157 unlock: 5158 l2cap_chan_unlock(pchan); 5159 mutex_unlock(&conn->chan_lock); 5160 l2cap_chan_put(pchan); 5161 5162 response: 5163 pdu.rsp.result = cpu_to_le16(result); 5164 5165 if (defer) 5166 return 0; 5167 5168 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP, 5169 sizeof(pdu.rsp) + len, &pdu); 5170 5171 return 0; 5172 } 5173 5174 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn, 5175 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5176 u8 *data) 5177 { 5178 struct l2cap_ecred_conn_rsp *rsp = (void *) data; 5179 struct hci_conn *hcon = conn->hcon; 5180 u16 mtu, mps, credits, result; 5181 struct l2cap_chan *chan, *tmp; 5182 int err = 0, sec_level; 5183 int i = 0; 5184 5185 if (cmd_len < sizeof(*rsp)) 5186 return -EPROTO; 5187 5188 mtu = __le16_to_cpu(rsp->mtu); 5189 mps = __le16_to_cpu(rsp->mps); 5190 credits = __le16_to_cpu(rsp->credits); 5191 result = __le16_to_cpu(rsp->result); 5192 5193 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits, 5194 result); 5195 5196 mutex_lock(&conn->chan_lock); 5197 5198 cmd_len -= sizeof(*rsp); 5199 5200 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 5201 u16 dcid; 5202 5203 if (chan->ident != cmd->ident || 5204 chan->mode != L2CAP_MODE_EXT_FLOWCTL || 5205 chan->state == BT_CONNECTED) 5206 continue; 5207 5208 l2cap_chan_lock(chan); 5209 5210 /* Check that there is a dcid for each pending channel */ 5211 if (cmd_len < sizeof(dcid)) { 5212 l2cap_chan_del(chan, ECONNREFUSED); 5213 l2cap_chan_unlock(chan); 5214 continue; 5215 } 5216 5217 dcid = __le16_to_cpu(rsp->dcid[i++]); 5218 cmd_len -= sizeof(u16); 5219 5220 BT_DBG("dcid[%d] 0x%4.4x", i, dcid); 5221 5222 /* Check if dcid is already in use */ 5223 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) { 5224 /* If a device receives a 5225 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an 5226 * already-assigned Destination CID, then both the 5227 * original channel and the new channel shall be 5228 * immediately discarded and not used. 5229 */ 5230 l2cap_chan_del(chan, ECONNREFUSED); 5231 l2cap_chan_unlock(chan); 5232 chan = __l2cap_get_chan_by_dcid(conn, dcid); 5233 l2cap_chan_lock(chan); 5234 l2cap_chan_del(chan, ECONNRESET); 5235 l2cap_chan_unlock(chan); 5236 continue; 5237 } 5238 5239 switch (result) { 5240 case L2CAP_CR_LE_AUTHENTICATION: 5241 case L2CAP_CR_LE_ENCRYPTION: 5242 /* If we already have MITM protection we can't do 5243 * anything. 5244 */ 5245 if (hcon->sec_level > BT_SECURITY_MEDIUM) { 5246 l2cap_chan_del(chan, ECONNREFUSED); 5247 break; 5248 } 5249 5250 sec_level = hcon->sec_level + 1; 5251 if (chan->sec_level < sec_level) 5252 chan->sec_level = sec_level; 5253 5254 /* We'll need to send a new Connect Request */ 5255 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags); 5256 5257 smp_conn_security(hcon, chan->sec_level); 5258 break; 5259 5260 case L2CAP_CR_LE_BAD_PSM: 5261 l2cap_chan_del(chan, ECONNREFUSED); 5262 break; 5263 5264 default: 5265 /* If dcid was not set it means channels was refused */ 5266 if (!dcid) { 5267 l2cap_chan_del(chan, ECONNREFUSED); 5268 break; 5269 } 5270 5271 chan->ident = 0; 5272 chan->dcid = dcid; 5273 chan->omtu = mtu; 5274 chan->remote_mps = mps; 5275 chan->tx_credits = credits; 5276 l2cap_chan_ready(chan); 5277 break; 5278 } 5279 5280 l2cap_chan_unlock(chan); 5281 } 5282 5283 mutex_unlock(&conn->chan_lock); 5284 5285 return err; 5286 } 5287 5288 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn, 5289 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5290 u8 *data) 5291 { 5292 struct l2cap_ecred_reconf_req *req = (void *) data; 5293 struct l2cap_ecred_reconf_rsp rsp; 5294 u16 mtu, mps, result; 5295 struct l2cap_chan *chan; 5296 int i, num_scid; 5297 5298 if (!enable_ecred) 5299 return -EINVAL; 5300 5301 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) { 5302 result = L2CAP_CR_LE_INVALID_PARAMS; 5303 goto respond; 5304 } 5305 5306 mtu = __le16_to_cpu(req->mtu); 5307 mps = __le16_to_cpu(req->mps); 5308 5309 BT_DBG("mtu %u mps %u", mtu, mps); 5310 5311 if (mtu < L2CAP_ECRED_MIN_MTU) { 5312 result = L2CAP_RECONF_INVALID_MTU; 5313 goto respond; 5314 } 5315 5316 if (mps < L2CAP_ECRED_MIN_MPS) { 5317 result = L2CAP_RECONF_INVALID_MPS; 5318 goto respond; 5319 } 5320 5321 cmd_len -= sizeof(*req); 5322 num_scid = cmd_len / sizeof(u16); 5323 result = L2CAP_RECONF_SUCCESS; 5324 5325 for (i = 0; i < num_scid; i++) { 5326 u16 scid; 5327 5328 scid = __le16_to_cpu(req->scid[i]); 5329 if (!scid) 5330 return -EPROTO; 5331 5332 chan = __l2cap_get_chan_by_dcid(conn, scid); 5333 if (!chan) 5334 continue; 5335 5336 /* If the MTU value is decreased for any of the included 5337 * channels, then the receiver shall disconnect all 5338 * included channels. 5339 */ 5340 if (chan->omtu > mtu) { 5341 BT_ERR("chan %p decreased MTU %u -> %u", chan, 5342 chan->omtu, mtu); 5343 result = L2CAP_RECONF_INVALID_MTU; 5344 } 5345 5346 chan->omtu = mtu; 5347 chan->remote_mps = mps; 5348 } 5349 5350 respond: 5351 rsp.result = cpu_to_le16(result); 5352 5353 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp), 5354 &rsp); 5355 5356 return 0; 5357 } 5358 5359 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn, 5360 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5361 u8 *data) 5362 { 5363 struct l2cap_chan *chan, *tmp; 5364 struct l2cap_ecred_conn_rsp *rsp = (void *) data; 5365 u16 result; 5366 5367 if (cmd_len < sizeof(*rsp)) 5368 return -EPROTO; 5369 5370 result = __le16_to_cpu(rsp->result); 5371 5372 BT_DBG("result 0x%4.4x", rsp->result); 5373 5374 if (!result) 5375 return 0; 5376 5377 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 5378 if (chan->ident != cmd->ident) 5379 continue; 5380 5381 l2cap_chan_del(chan, ECONNRESET); 5382 } 5383 5384 return 0; 5385 } 5386 5387 static inline int l2cap_le_command_rej(struct l2cap_conn *conn, 5388 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5389 u8 *data) 5390 { 5391 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 5392 struct l2cap_chan *chan; 5393 5394 if (cmd_len < sizeof(*rej)) 5395 return -EPROTO; 5396 5397 mutex_lock(&conn->chan_lock); 5398 5399 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 5400 if (!chan) 5401 goto done; 5402 5403 chan = l2cap_chan_hold_unless_zero(chan); 5404 if (!chan) 5405 goto done; 5406 5407 l2cap_chan_lock(chan); 5408 l2cap_chan_del(chan, ECONNREFUSED); 5409 l2cap_chan_unlock(chan); 5410 l2cap_chan_put(chan); 5411 5412 done: 5413 mutex_unlock(&conn->chan_lock); 5414 return 0; 5415 } 5416 5417 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn, 5418 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5419 u8 *data) 5420 { 5421 int err = 0; 5422 5423 switch (cmd->code) { 5424 case L2CAP_COMMAND_REJ: 5425 l2cap_le_command_rej(conn, cmd, cmd_len, data); 5426 break; 5427 5428 case L2CAP_CONN_PARAM_UPDATE_REQ: 5429 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data); 5430 break; 5431 5432 case L2CAP_CONN_PARAM_UPDATE_RSP: 5433 break; 5434 5435 case L2CAP_LE_CONN_RSP: 5436 l2cap_le_connect_rsp(conn, cmd, cmd_len, data); 5437 break; 5438 5439 case L2CAP_LE_CONN_REQ: 5440 err = l2cap_le_connect_req(conn, cmd, cmd_len, data); 5441 break; 5442 5443 case L2CAP_LE_CREDITS: 5444 err = l2cap_le_credits(conn, cmd, cmd_len, data); 5445 break; 5446 5447 case L2CAP_ECRED_CONN_REQ: 5448 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data); 5449 break; 5450 5451 case L2CAP_ECRED_CONN_RSP: 5452 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data); 5453 break; 5454 5455 case L2CAP_ECRED_RECONF_REQ: 5456 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data); 5457 break; 5458 5459 case L2CAP_ECRED_RECONF_RSP: 5460 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data); 5461 break; 5462 5463 case L2CAP_DISCONN_REQ: 5464 err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 5465 break; 5466 5467 case L2CAP_DISCONN_RSP: 5468 l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 5469 break; 5470 5471 default: 5472 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code); 5473 err = -EINVAL; 5474 break; 5475 } 5476 5477 return err; 5478 } 5479 5480 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn, 5481 struct sk_buff *skb) 5482 { 5483 struct hci_conn *hcon = conn->hcon; 5484 struct l2cap_cmd_hdr *cmd; 5485 u16 len; 5486 int err; 5487 5488 if (hcon->type != LE_LINK) 5489 goto drop; 5490 5491 if (skb->len < L2CAP_CMD_HDR_SIZE) 5492 goto drop; 5493 5494 cmd = (void *) skb->data; 5495 skb_pull(skb, L2CAP_CMD_HDR_SIZE); 5496 5497 len = le16_to_cpu(cmd->len); 5498 5499 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident); 5500 5501 if (len != skb->len || !cmd->ident) { 5502 BT_DBG("corrupted command"); 5503 goto drop; 5504 } 5505 5506 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data); 5507 if (err) { 5508 struct l2cap_cmd_rej_unk rej; 5509 5510 BT_ERR("Wrong link type (%d)", err); 5511 5512 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 5513 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, 5514 sizeof(rej), &rej); 5515 } 5516 5517 drop: 5518 kfree_skb(skb); 5519 } 5520 5521 static inline void l2cap_sig_send_rej(struct l2cap_conn *conn, u16 ident) 5522 { 5523 struct l2cap_cmd_rej_unk rej; 5524 5525 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 5526 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 5527 } 5528 5529 static inline void l2cap_sig_channel(struct l2cap_conn *conn, 5530 struct sk_buff *skb) 5531 { 5532 struct hci_conn *hcon = conn->hcon; 5533 struct l2cap_cmd_hdr *cmd; 5534 int err; 5535 5536 l2cap_raw_recv(conn, skb); 5537 5538 if (hcon->type != ACL_LINK) 5539 goto drop; 5540 5541 while (skb->len >= L2CAP_CMD_HDR_SIZE) { 5542 u16 len; 5543 5544 cmd = (void *) skb->data; 5545 skb_pull(skb, L2CAP_CMD_HDR_SIZE); 5546 5547 len = le16_to_cpu(cmd->len); 5548 5549 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, 5550 cmd->ident); 5551 5552 if (len > skb->len || !cmd->ident) { 5553 BT_DBG("corrupted command"); 5554 l2cap_sig_send_rej(conn, cmd->ident); 5555 skb_pull(skb, len > skb->len ? skb->len : len); 5556 continue; 5557 } 5558 5559 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data); 5560 if (err) { 5561 BT_ERR("Wrong link type (%d)", err); 5562 l2cap_sig_send_rej(conn, cmd->ident); 5563 } 5564 5565 skb_pull(skb, len); 5566 } 5567 5568 if (skb->len > 0) { 5569 BT_DBG("corrupted command"); 5570 l2cap_sig_send_rej(conn, 0); 5571 } 5572 5573 drop: 5574 kfree_skb(skb); 5575 } 5576 5577 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb) 5578 { 5579 u16 our_fcs, rcv_fcs; 5580 int hdr_size; 5581 5582 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 5583 hdr_size = L2CAP_EXT_HDR_SIZE; 5584 else 5585 hdr_size = L2CAP_ENH_HDR_SIZE; 5586 5587 if (chan->fcs == L2CAP_FCS_CRC16) { 5588 skb_trim(skb, skb->len - L2CAP_FCS_SIZE); 5589 rcv_fcs = get_unaligned_le16(skb->data + skb->len); 5590 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size); 5591 5592 if (our_fcs != rcv_fcs) 5593 return -EBADMSG; 5594 } 5595 return 0; 5596 } 5597 5598 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan) 5599 { 5600 struct l2cap_ctrl control; 5601 5602 BT_DBG("chan %p", chan); 5603 5604 memset(&control, 0, sizeof(control)); 5605 control.sframe = 1; 5606 control.final = 1; 5607 control.reqseq = chan->buffer_seq; 5608 set_bit(CONN_SEND_FBIT, &chan->conn_state); 5609 5610 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5611 control.super = L2CAP_SUPER_RNR; 5612 l2cap_send_sframe(chan, &control); 5613 } 5614 5615 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) && 5616 chan->unacked_frames > 0) 5617 __set_retrans_timer(chan); 5618 5619 /* Send pending iframes */ 5620 l2cap_ertm_send(chan); 5621 5622 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 5623 test_bit(CONN_SEND_FBIT, &chan->conn_state)) { 5624 /* F-bit wasn't sent in an s-frame or i-frame yet, so 5625 * send it now. 5626 */ 5627 control.super = L2CAP_SUPER_RR; 5628 l2cap_send_sframe(chan, &control); 5629 } 5630 } 5631 5632 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag, 5633 struct sk_buff **last_frag) 5634 { 5635 /* skb->len reflects data in skb as well as all fragments 5636 * skb->data_len reflects only data in fragments 5637 */ 5638 if (!skb_has_frag_list(skb)) 5639 skb_shinfo(skb)->frag_list = new_frag; 5640 5641 new_frag->next = NULL; 5642 5643 (*last_frag)->next = new_frag; 5644 *last_frag = new_frag; 5645 5646 skb->len += new_frag->len; 5647 skb->data_len += new_frag->len; 5648 skb->truesize += new_frag->truesize; 5649 } 5650 5651 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, 5652 struct l2cap_ctrl *control) 5653 { 5654 int err = -EINVAL; 5655 5656 switch (control->sar) { 5657 case L2CAP_SAR_UNSEGMENTED: 5658 if (chan->sdu) 5659 break; 5660 5661 err = chan->ops->recv(chan, skb); 5662 break; 5663 5664 case L2CAP_SAR_START: 5665 if (chan->sdu) 5666 break; 5667 5668 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE)) 5669 break; 5670 5671 chan->sdu_len = get_unaligned_le16(skb->data); 5672 skb_pull(skb, L2CAP_SDULEN_SIZE); 5673 5674 if (chan->sdu_len > chan->imtu) { 5675 err = -EMSGSIZE; 5676 break; 5677 } 5678 5679 if (skb->len >= chan->sdu_len) 5680 break; 5681 5682 chan->sdu = skb; 5683 chan->sdu_last_frag = skb; 5684 5685 skb = NULL; 5686 err = 0; 5687 break; 5688 5689 case L2CAP_SAR_CONTINUE: 5690 if (!chan->sdu) 5691 break; 5692 5693 append_skb_frag(chan->sdu, skb, 5694 &chan->sdu_last_frag); 5695 skb = NULL; 5696 5697 if (chan->sdu->len >= chan->sdu_len) 5698 break; 5699 5700 err = 0; 5701 break; 5702 5703 case L2CAP_SAR_END: 5704 if (!chan->sdu) 5705 break; 5706 5707 append_skb_frag(chan->sdu, skb, 5708 &chan->sdu_last_frag); 5709 skb = NULL; 5710 5711 if (chan->sdu->len != chan->sdu_len) 5712 break; 5713 5714 err = chan->ops->recv(chan, chan->sdu); 5715 5716 if (!err) { 5717 /* Reassembly complete */ 5718 chan->sdu = NULL; 5719 chan->sdu_last_frag = NULL; 5720 chan->sdu_len = 0; 5721 } 5722 break; 5723 } 5724 5725 if (err) { 5726 kfree_skb(skb); 5727 kfree_skb(chan->sdu); 5728 chan->sdu = NULL; 5729 chan->sdu_last_frag = NULL; 5730 chan->sdu_len = 0; 5731 } 5732 5733 return err; 5734 } 5735 5736 static int l2cap_resegment(struct l2cap_chan *chan) 5737 { 5738 /* Placeholder */ 5739 return 0; 5740 } 5741 5742 void l2cap_chan_busy(struct l2cap_chan *chan, int busy) 5743 { 5744 u8 event; 5745 5746 if (chan->mode != L2CAP_MODE_ERTM) 5747 return; 5748 5749 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR; 5750 l2cap_tx(chan, NULL, NULL, event); 5751 } 5752 5753 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan) 5754 { 5755 int err = 0; 5756 /* Pass sequential frames to l2cap_reassemble_sdu() 5757 * until a gap is encountered. 5758 */ 5759 5760 BT_DBG("chan %p", chan); 5761 5762 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5763 struct sk_buff *skb; 5764 BT_DBG("Searching for skb with txseq %d (queue len %d)", 5765 chan->buffer_seq, skb_queue_len(&chan->srej_q)); 5766 5767 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq); 5768 5769 if (!skb) 5770 break; 5771 5772 skb_unlink(skb, &chan->srej_q); 5773 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 5774 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap); 5775 if (err) 5776 break; 5777 } 5778 5779 if (skb_queue_empty(&chan->srej_q)) { 5780 chan->rx_state = L2CAP_RX_STATE_RECV; 5781 l2cap_send_ack(chan); 5782 } 5783 5784 return err; 5785 } 5786 5787 static void l2cap_handle_srej(struct l2cap_chan *chan, 5788 struct l2cap_ctrl *control) 5789 { 5790 struct sk_buff *skb; 5791 5792 BT_DBG("chan %p, control %p", chan, control); 5793 5794 if (control->reqseq == chan->next_tx_seq) { 5795 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 5796 l2cap_send_disconn_req(chan, ECONNRESET); 5797 return; 5798 } 5799 5800 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 5801 5802 if (skb == NULL) { 5803 BT_DBG("Seq %d not available for retransmission", 5804 control->reqseq); 5805 return; 5806 } 5807 5808 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) { 5809 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 5810 l2cap_send_disconn_req(chan, ECONNRESET); 5811 return; 5812 } 5813 5814 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 5815 5816 if (control->poll) { 5817 l2cap_pass_to_tx(chan, control); 5818 5819 set_bit(CONN_SEND_FBIT, &chan->conn_state); 5820 l2cap_retransmit(chan, control); 5821 l2cap_ertm_send(chan); 5822 5823 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 5824 set_bit(CONN_SREJ_ACT, &chan->conn_state); 5825 chan->srej_save_reqseq = control->reqseq; 5826 } 5827 } else { 5828 l2cap_pass_to_tx_fbit(chan, control); 5829 5830 if (control->final) { 5831 if (chan->srej_save_reqseq != control->reqseq || 5832 !test_and_clear_bit(CONN_SREJ_ACT, 5833 &chan->conn_state)) 5834 l2cap_retransmit(chan, control); 5835 } else { 5836 l2cap_retransmit(chan, control); 5837 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 5838 set_bit(CONN_SREJ_ACT, &chan->conn_state); 5839 chan->srej_save_reqseq = control->reqseq; 5840 } 5841 } 5842 } 5843 } 5844 5845 static void l2cap_handle_rej(struct l2cap_chan *chan, 5846 struct l2cap_ctrl *control) 5847 { 5848 struct sk_buff *skb; 5849 5850 BT_DBG("chan %p, control %p", chan, control); 5851 5852 if (control->reqseq == chan->next_tx_seq) { 5853 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 5854 l2cap_send_disconn_req(chan, ECONNRESET); 5855 return; 5856 } 5857 5858 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 5859 5860 if (chan->max_tx && skb && 5861 bt_cb(skb)->l2cap.retries >= chan->max_tx) { 5862 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 5863 l2cap_send_disconn_req(chan, ECONNRESET); 5864 return; 5865 } 5866 5867 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 5868 5869 l2cap_pass_to_tx(chan, control); 5870 5871 if (control->final) { 5872 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state)) 5873 l2cap_retransmit_all(chan, control); 5874 } else { 5875 l2cap_retransmit_all(chan, control); 5876 l2cap_ertm_send(chan); 5877 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) 5878 set_bit(CONN_REJ_ACT, &chan->conn_state); 5879 } 5880 } 5881 5882 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq) 5883 { 5884 BT_DBG("chan %p, txseq %d", chan, txseq); 5885 5886 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq, 5887 chan->expected_tx_seq); 5888 5889 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 5890 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 5891 chan->tx_win) { 5892 /* See notes below regarding "double poll" and 5893 * invalid packets. 5894 */ 5895 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 5896 BT_DBG("Invalid/Ignore - after SREJ"); 5897 return L2CAP_TXSEQ_INVALID_IGNORE; 5898 } else { 5899 BT_DBG("Invalid - in window after SREJ sent"); 5900 return L2CAP_TXSEQ_INVALID; 5901 } 5902 } 5903 5904 if (chan->srej_list.head == txseq) { 5905 BT_DBG("Expected SREJ"); 5906 return L2CAP_TXSEQ_EXPECTED_SREJ; 5907 } 5908 5909 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) { 5910 BT_DBG("Duplicate SREJ - txseq already stored"); 5911 return L2CAP_TXSEQ_DUPLICATE_SREJ; 5912 } 5913 5914 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) { 5915 BT_DBG("Unexpected SREJ - not requested"); 5916 return L2CAP_TXSEQ_UNEXPECTED_SREJ; 5917 } 5918 } 5919 5920 if (chan->expected_tx_seq == txseq) { 5921 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 5922 chan->tx_win) { 5923 BT_DBG("Invalid - txseq outside tx window"); 5924 return L2CAP_TXSEQ_INVALID; 5925 } else { 5926 BT_DBG("Expected"); 5927 return L2CAP_TXSEQ_EXPECTED; 5928 } 5929 } 5930 5931 if (__seq_offset(chan, txseq, chan->last_acked_seq) < 5932 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) { 5933 BT_DBG("Duplicate - expected_tx_seq later than txseq"); 5934 return L2CAP_TXSEQ_DUPLICATE; 5935 } 5936 5937 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) { 5938 /* A source of invalid packets is a "double poll" condition, 5939 * where delays cause us to send multiple poll packets. If 5940 * the remote stack receives and processes both polls, 5941 * sequence numbers can wrap around in such a way that a 5942 * resent frame has a sequence number that looks like new data 5943 * with a sequence gap. This would trigger an erroneous SREJ 5944 * request. 5945 * 5946 * Fortunately, this is impossible with a tx window that's 5947 * less than half of the maximum sequence number, which allows 5948 * invalid frames to be safely ignored. 5949 * 5950 * With tx window sizes greater than half of the tx window 5951 * maximum, the frame is invalid and cannot be ignored. This 5952 * causes a disconnect. 5953 */ 5954 5955 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 5956 BT_DBG("Invalid/Ignore - txseq outside tx window"); 5957 return L2CAP_TXSEQ_INVALID_IGNORE; 5958 } else { 5959 BT_DBG("Invalid - txseq outside tx window"); 5960 return L2CAP_TXSEQ_INVALID; 5961 } 5962 } else { 5963 BT_DBG("Unexpected - txseq indicates missing frames"); 5964 return L2CAP_TXSEQ_UNEXPECTED; 5965 } 5966 } 5967 5968 static int l2cap_rx_state_recv(struct l2cap_chan *chan, 5969 struct l2cap_ctrl *control, 5970 struct sk_buff *skb, u8 event) 5971 { 5972 struct l2cap_ctrl local_control; 5973 int err = 0; 5974 bool skb_in_use = false; 5975 5976 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 5977 event); 5978 5979 switch (event) { 5980 case L2CAP_EV_RECV_IFRAME: 5981 switch (l2cap_classify_txseq(chan, control->txseq)) { 5982 case L2CAP_TXSEQ_EXPECTED: 5983 l2cap_pass_to_tx(chan, control); 5984 5985 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5986 BT_DBG("Busy, discarding expected seq %d", 5987 control->txseq); 5988 break; 5989 } 5990 5991 chan->expected_tx_seq = __next_seq(chan, 5992 control->txseq); 5993 5994 chan->buffer_seq = chan->expected_tx_seq; 5995 skb_in_use = true; 5996 5997 /* l2cap_reassemble_sdu may free skb, hence invalidate 5998 * control, so make a copy in advance to use it after 5999 * l2cap_reassemble_sdu returns and to avoid the race 6000 * condition, for example: 6001 * 6002 * The current thread calls: 6003 * l2cap_reassemble_sdu 6004 * chan->ops->recv == l2cap_sock_recv_cb 6005 * __sock_queue_rcv_skb 6006 * Another thread calls: 6007 * bt_sock_recvmsg 6008 * skb_recv_datagram 6009 * skb_free_datagram 6010 * Then the current thread tries to access control, but 6011 * it was freed by skb_free_datagram. 6012 */ 6013 local_control = *control; 6014 err = l2cap_reassemble_sdu(chan, skb, control); 6015 if (err) 6016 break; 6017 6018 if (local_control.final) { 6019 if (!test_and_clear_bit(CONN_REJ_ACT, 6020 &chan->conn_state)) { 6021 local_control.final = 0; 6022 l2cap_retransmit_all(chan, &local_control); 6023 l2cap_ertm_send(chan); 6024 } 6025 } 6026 6027 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 6028 l2cap_send_ack(chan); 6029 break; 6030 case L2CAP_TXSEQ_UNEXPECTED: 6031 l2cap_pass_to_tx(chan, control); 6032 6033 /* Can't issue SREJ frames in the local busy state. 6034 * Drop this frame, it will be seen as missing 6035 * when local busy is exited. 6036 */ 6037 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 6038 BT_DBG("Busy, discarding unexpected seq %d", 6039 control->txseq); 6040 break; 6041 } 6042 6043 /* There was a gap in the sequence, so an SREJ 6044 * must be sent for each missing frame. The 6045 * current frame is stored for later use. 6046 */ 6047 skb_queue_tail(&chan->srej_q, skb); 6048 skb_in_use = true; 6049 BT_DBG("Queued %p (queue len %d)", skb, 6050 skb_queue_len(&chan->srej_q)); 6051 6052 clear_bit(CONN_SREJ_ACT, &chan->conn_state); 6053 l2cap_seq_list_clear(&chan->srej_list); 6054 l2cap_send_srej(chan, control->txseq); 6055 6056 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT; 6057 break; 6058 case L2CAP_TXSEQ_DUPLICATE: 6059 l2cap_pass_to_tx(chan, control); 6060 break; 6061 case L2CAP_TXSEQ_INVALID_IGNORE: 6062 break; 6063 case L2CAP_TXSEQ_INVALID: 6064 default: 6065 l2cap_send_disconn_req(chan, ECONNRESET); 6066 break; 6067 } 6068 break; 6069 case L2CAP_EV_RECV_RR: 6070 l2cap_pass_to_tx(chan, control); 6071 if (control->final) { 6072 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6073 6074 if (!test_and_clear_bit(CONN_REJ_ACT, 6075 &chan->conn_state)) { 6076 control->final = 0; 6077 l2cap_retransmit_all(chan, control); 6078 } 6079 6080 l2cap_ertm_send(chan); 6081 } else if (control->poll) { 6082 l2cap_send_i_or_rr_or_rnr(chan); 6083 } else { 6084 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6085 &chan->conn_state) && 6086 chan->unacked_frames) 6087 __set_retrans_timer(chan); 6088 6089 l2cap_ertm_send(chan); 6090 } 6091 break; 6092 case L2CAP_EV_RECV_RNR: 6093 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6094 l2cap_pass_to_tx(chan, control); 6095 if (control && control->poll) { 6096 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6097 l2cap_send_rr_or_rnr(chan, 0); 6098 } 6099 __clear_retrans_timer(chan); 6100 l2cap_seq_list_clear(&chan->retrans_list); 6101 break; 6102 case L2CAP_EV_RECV_REJ: 6103 l2cap_handle_rej(chan, control); 6104 break; 6105 case L2CAP_EV_RECV_SREJ: 6106 l2cap_handle_srej(chan, control); 6107 break; 6108 default: 6109 break; 6110 } 6111 6112 if (skb && !skb_in_use) { 6113 BT_DBG("Freeing %p", skb); 6114 kfree_skb(skb); 6115 } 6116 6117 return err; 6118 } 6119 6120 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan, 6121 struct l2cap_ctrl *control, 6122 struct sk_buff *skb, u8 event) 6123 { 6124 int err = 0; 6125 u16 txseq = control->txseq; 6126 bool skb_in_use = false; 6127 6128 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 6129 event); 6130 6131 switch (event) { 6132 case L2CAP_EV_RECV_IFRAME: 6133 switch (l2cap_classify_txseq(chan, txseq)) { 6134 case L2CAP_TXSEQ_EXPECTED: 6135 /* Keep frame for reassembly later */ 6136 l2cap_pass_to_tx(chan, control); 6137 skb_queue_tail(&chan->srej_q, skb); 6138 skb_in_use = true; 6139 BT_DBG("Queued %p (queue len %d)", skb, 6140 skb_queue_len(&chan->srej_q)); 6141 6142 chan->expected_tx_seq = __next_seq(chan, txseq); 6143 break; 6144 case L2CAP_TXSEQ_EXPECTED_SREJ: 6145 l2cap_seq_list_pop(&chan->srej_list); 6146 6147 l2cap_pass_to_tx(chan, control); 6148 skb_queue_tail(&chan->srej_q, skb); 6149 skb_in_use = true; 6150 BT_DBG("Queued %p (queue len %d)", skb, 6151 skb_queue_len(&chan->srej_q)); 6152 6153 err = l2cap_rx_queued_iframes(chan); 6154 if (err) 6155 break; 6156 6157 break; 6158 case L2CAP_TXSEQ_UNEXPECTED: 6159 /* Got a frame that can't be reassembled yet. 6160 * Save it for later, and send SREJs to cover 6161 * the missing frames. 6162 */ 6163 skb_queue_tail(&chan->srej_q, skb); 6164 skb_in_use = true; 6165 BT_DBG("Queued %p (queue len %d)", skb, 6166 skb_queue_len(&chan->srej_q)); 6167 6168 l2cap_pass_to_tx(chan, control); 6169 l2cap_send_srej(chan, control->txseq); 6170 break; 6171 case L2CAP_TXSEQ_UNEXPECTED_SREJ: 6172 /* This frame was requested with an SREJ, but 6173 * some expected retransmitted frames are 6174 * missing. Request retransmission of missing 6175 * SREJ'd frames. 6176 */ 6177 skb_queue_tail(&chan->srej_q, skb); 6178 skb_in_use = true; 6179 BT_DBG("Queued %p (queue len %d)", skb, 6180 skb_queue_len(&chan->srej_q)); 6181 6182 l2cap_pass_to_tx(chan, control); 6183 l2cap_send_srej_list(chan, control->txseq); 6184 break; 6185 case L2CAP_TXSEQ_DUPLICATE_SREJ: 6186 /* We've already queued this frame. Drop this copy. */ 6187 l2cap_pass_to_tx(chan, control); 6188 break; 6189 case L2CAP_TXSEQ_DUPLICATE: 6190 /* Expecting a later sequence number, so this frame 6191 * was already received. Ignore it completely. 6192 */ 6193 break; 6194 case L2CAP_TXSEQ_INVALID_IGNORE: 6195 break; 6196 case L2CAP_TXSEQ_INVALID: 6197 default: 6198 l2cap_send_disconn_req(chan, ECONNRESET); 6199 break; 6200 } 6201 break; 6202 case L2CAP_EV_RECV_RR: 6203 l2cap_pass_to_tx(chan, control); 6204 if (control->final) { 6205 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6206 6207 if (!test_and_clear_bit(CONN_REJ_ACT, 6208 &chan->conn_state)) { 6209 control->final = 0; 6210 l2cap_retransmit_all(chan, control); 6211 } 6212 6213 l2cap_ertm_send(chan); 6214 } else if (control->poll) { 6215 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6216 &chan->conn_state) && 6217 chan->unacked_frames) { 6218 __set_retrans_timer(chan); 6219 } 6220 6221 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6222 l2cap_send_srej_tail(chan); 6223 } else { 6224 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6225 &chan->conn_state) && 6226 chan->unacked_frames) 6227 __set_retrans_timer(chan); 6228 6229 l2cap_send_ack(chan); 6230 } 6231 break; 6232 case L2CAP_EV_RECV_RNR: 6233 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6234 l2cap_pass_to_tx(chan, control); 6235 if (control->poll) { 6236 l2cap_send_srej_tail(chan); 6237 } else { 6238 struct l2cap_ctrl rr_control; 6239 memset(&rr_control, 0, sizeof(rr_control)); 6240 rr_control.sframe = 1; 6241 rr_control.super = L2CAP_SUPER_RR; 6242 rr_control.reqseq = chan->buffer_seq; 6243 l2cap_send_sframe(chan, &rr_control); 6244 } 6245 6246 break; 6247 case L2CAP_EV_RECV_REJ: 6248 l2cap_handle_rej(chan, control); 6249 break; 6250 case L2CAP_EV_RECV_SREJ: 6251 l2cap_handle_srej(chan, control); 6252 break; 6253 } 6254 6255 if (skb && !skb_in_use) { 6256 BT_DBG("Freeing %p", skb); 6257 kfree_skb(skb); 6258 } 6259 6260 return err; 6261 } 6262 6263 static int l2cap_finish_move(struct l2cap_chan *chan) 6264 { 6265 BT_DBG("chan %p", chan); 6266 6267 chan->rx_state = L2CAP_RX_STATE_RECV; 6268 chan->conn->mtu = chan->conn->hcon->mtu; 6269 6270 return l2cap_resegment(chan); 6271 } 6272 6273 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan, 6274 struct l2cap_ctrl *control, 6275 struct sk_buff *skb, u8 event) 6276 { 6277 int err; 6278 6279 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 6280 event); 6281 6282 if (!control->poll) 6283 return -EPROTO; 6284 6285 l2cap_process_reqseq(chan, control->reqseq); 6286 6287 if (!skb_queue_empty(&chan->tx_q)) 6288 chan->tx_send_head = skb_peek(&chan->tx_q); 6289 else 6290 chan->tx_send_head = NULL; 6291 6292 /* Rewind next_tx_seq to the point expected 6293 * by the receiver. 6294 */ 6295 chan->next_tx_seq = control->reqseq; 6296 chan->unacked_frames = 0; 6297 6298 err = l2cap_finish_move(chan); 6299 if (err) 6300 return err; 6301 6302 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6303 l2cap_send_i_or_rr_or_rnr(chan); 6304 6305 if (event == L2CAP_EV_RECV_IFRAME) 6306 return -EPROTO; 6307 6308 return l2cap_rx_state_recv(chan, control, NULL, event); 6309 } 6310 6311 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan, 6312 struct l2cap_ctrl *control, 6313 struct sk_buff *skb, u8 event) 6314 { 6315 int err; 6316 6317 if (!control->final) 6318 return -EPROTO; 6319 6320 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6321 6322 chan->rx_state = L2CAP_RX_STATE_RECV; 6323 l2cap_process_reqseq(chan, control->reqseq); 6324 6325 if (!skb_queue_empty(&chan->tx_q)) 6326 chan->tx_send_head = skb_peek(&chan->tx_q); 6327 else 6328 chan->tx_send_head = NULL; 6329 6330 /* Rewind next_tx_seq to the point expected 6331 * by the receiver. 6332 */ 6333 chan->next_tx_seq = control->reqseq; 6334 chan->unacked_frames = 0; 6335 chan->conn->mtu = chan->conn->hcon->mtu; 6336 6337 err = l2cap_resegment(chan); 6338 6339 if (!err) 6340 err = l2cap_rx_state_recv(chan, control, skb, event); 6341 6342 return err; 6343 } 6344 6345 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq) 6346 { 6347 /* Make sure reqseq is for a packet that has been sent but not acked */ 6348 u16 unacked; 6349 6350 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq); 6351 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked; 6352 } 6353 6354 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 6355 struct sk_buff *skb, u8 event) 6356 { 6357 int err = 0; 6358 6359 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan, 6360 control, skb, event, chan->rx_state); 6361 6362 if (__valid_reqseq(chan, control->reqseq)) { 6363 switch (chan->rx_state) { 6364 case L2CAP_RX_STATE_RECV: 6365 err = l2cap_rx_state_recv(chan, control, skb, event); 6366 break; 6367 case L2CAP_RX_STATE_SREJ_SENT: 6368 err = l2cap_rx_state_srej_sent(chan, control, skb, 6369 event); 6370 break; 6371 case L2CAP_RX_STATE_WAIT_P: 6372 err = l2cap_rx_state_wait_p(chan, control, skb, event); 6373 break; 6374 case L2CAP_RX_STATE_WAIT_F: 6375 err = l2cap_rx_state_wait_f(chan, control, skb, event); 6376 break; 6377 default: 6378 /* shut it down */ 6379 break; 6380 } 6381 } else { 6382 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d", 6383 control->reqseq, chan->next_tx_seq, 6384 chan->expected_ack_seq); 6385 l2cap_send_disconn_req(chan, ECONNRESET); 6386 } 6387 6388 return err; 6389 } 6390 6391 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 6392 struct sk_buff *skb) 6393 { 6394 /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store 6395 * the txseq field in advance to use it after l2cap_reassemble_sdu 6396 * returns and to avoid the race condition, for example: 6397 * 6398 * The current thread calls: 6399 * l2cap_reassemble_sdu 6400 * chan->ops->recv == l2cap_sock_recv_cb 6401 * __sock_queue_rcv_skb 6402 * Another thread calls: 6403 * bt_sock_recvmsg 6404 * skb_recv_datagram 6405 * skb_free_datagram 6406 * Then the current thread tries to access control, but it was freed by 6407 * skb_free_datagram. 6408 */ 6409 u16 txseq = control->txseq; 6410 6411 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, 6412 chan->rx_state); 6413 6414 if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { 6415 l2cap_pass_to_tx(chan, control); 6416 6417 BT_DBG("buffer_seq %u->%u", chan->buffer_seq, 6418 __next_seq(chan, chan->buffer_seq)); 6419 6420 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 6421 6422 l2cap_reassemble_sdu(chan, skb, control); 6423 } else { 6424 if (chan->sdu) { 6425 kfree_skb(chan->sdu); 6426 chan->sdu = NULL; 6427 } 6428 chan->sdu_last_frag = NULL; 6429 chan->sdu_len = 0; 6430 6431 if (skb) { 6432 BT_DBG("Freeing %p", skb); 6433 kfree_skb(skb); 6434 } 6435 } 6436 6437 chan->last_acked_seq = txseq; 6438 chan->expected_tx_seq = __next_seq(chan, txseq); 6439 6440 return 0; 6441 } 6442 6443 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 6444 { 6445 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap; 6446 u16 len; 6447 u8 event; 6448 6449 __unpack_control(chan, skb); 6450 6451 len = skb->len; 6452 6453 /* 6454 * We can just drop the corrupted I-frame here. 6455 * Receiver will miss it and start proper recovery 6456 * procedures and ask for retransmission. 6457 */ 6458 if (l2cap_check_fcs(chan, skb)) 6459 goto drop; 6460 6461 if (!control->sframe && control->sar == L2CAP_SAR_START) 6462 len -= L2CAP_SDULEN_SIZE; 6463 6464 if (chan->fcs == L2CAP_FCS_CRC16) 6465 len -= L2CAP_FCS_SIZE; 6466 6467 if (len > chan->mps) { 6468 l2cap_send_disconn_req(chan, ECONNRESET); 6469 goto drop; 6470 } 6471 6472 if (chan->ops->filter) { 6473 if (chan->ops->filter(chan, skb)) 6474 goto drop; 6475 } 6476 6477 if (!control->sframe) { 6478 int err; 6479 6480 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d", 6481 control->sar, control->reqseq, control->final, 6482 control->txseq); 6483 6484 /* Validate F-bit - F=0 always valid, F=1 only 6485 * valid in TX WAIT_F 6486 */ 6487 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F) 6488 goto drop; 6489 6490 if (chan->mode != L2CAP_MODE_STREAMING) { 6491 event = L2CAP_EV_RECV_IFRAME; 6492 err = l2cap_rx(chan, control, skb, event); 6493 } else { 6494 err = l2cap_stream_rx(chan, control, skb); 6495 } 6496 6497 if (err) 6498 l2cap_send_disconn_req(chan, ECONNRESET); 6499 } else { 6500 const u8 rx_func_to_event[4] = { 6501 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ, 6502 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ 6503 }; 6504 6505 /* Only I-frames are expected in streaming mode */ 6506 if (chan->mode == L2CAP_MODE_STREAMING) 6507 goto drop; 6508 6509 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d", 6510 control->reqseq, control->final, control->poll, 6511 control->super); 6512 6513 if (len != 0) { 6514 BT_ERR("Trailing bytes: %d in sframe", len); 6515 l2cap_send_disconn_req(chan, ECONNRESET); 6516 goto drop; 6517 } 6518 6519 /* Validate F and P bits */ 6520 if (control->final && (control->poll || 6521 chan->tx_state != L2CAP_TX_STATE_WAIT_F)) 6522 goto drop; 6523 6524 event = rx_func_to_event[control->super]; 6525 if (l2cap_rx(chan, control, skb, event)) 6526 l2cap_send_disconn_req(chan, ECONNRESET); 6527 } 6528 6529 return 0; 6530 6531 drop: 6532 kfree_skb(skb); 6533 return 0; 6534 } 6535 6536 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan) 6537 { 6538 struct l2cap_conn *conn = chan->conn; 6539 struct l2cap_le_credits pkt; 6540 u16 return_credits = l2cap_le_rx_credits(chan); 6541 6542 if (chan->rx_credits >= return_credits) 6543 return; 6544 6545 return_credits -= chan->rx_credits; 6546 6547 BT_DBG("chan %p returning %u credits to sender", chan, return_credits); 6548 6549 chan->rx_credits += return_credits; 6550 6551 pkt.cid = cpu_to_le16(chan->scid); 6552 pkt.credits = cpu_to_le16(return_credits); 6553 6554 chan->ident = l2cap_get_ident(conn); 6555 6556 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt); 6557 } 6558 6559 void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail) 6560 { 6561 if (chan->rx_avail == rx_avail) 6562 return; 6563 6564 BT_DBG("chan %p has %zd bytes avail for rx", chan, rx_avail); 6565 6566 chan->rx_avail = rx_avail; 6567 6568 if (chan->state == BT_CONNECTED) 6569 l2cap_chan_le_send_credits(chan); 6570 } 6571 6572 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb) 6573 { 6574 int err; 6575 6576 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len); 6577 6578 /* Wait recv to confirm reception before updating the credits */ 6579 err = chan->ops->recv(chan, skb); 6580 6581 if (err < 0 && chan->rx_avail != -1) { 6582 BT_ERR("Queueing received LE L2CAP data failed"); 6583 l2cap_send_disconn_req(chan, ECONNRESET); 6584 return err; 6585 } 6586 6587 /* Update credits whenever an SDU is received */ 6588 l2cap_chan_le_send_credits(chan); 6589 6590 return err; 6591 } 6592 6593 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 6594 { 6595 int err; 6596 6597 if (!chan->rx_credits) { 6598 BT_ERR("No credits to receive LE L2CAP data"); 6599 l2cap_send_disconn_req(chan, ECONNRESET); 6600 return -ENOBUFS; 6601 } 6602 6603 if (chan->imtu < skb->len) { 6604 BT_ERR("Too big LE L2CAP PDU"); 6605 return -ENOBUFS; 6606 } 6607 6608 chan->rx_credits--; 6609 BT_DBG("chan %p: rx_credits %u -> %u", 6610 chan, chan->rx_credits + 1, chan->rx_credits); 6611 6612 /* Update if remote had run out of credits, this should only happens 6613 * if the remote is not using the entire MPS. 6614 */ 6615 if (!chan->rx_credits) 6616 l2cap_chan_le_send_credits(chan); 6617 6618 err = 0; 6619 6620 if (!chan->sdu) { 6621 u16 sdu_len; 6622 6623 sdu_len = get_unaligned_le16(skb->data); 6624 skb_pull(skb, L2CAP_SDULEN_SIZE); 6625 6626 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u", 6627 sdu_len, skb->len, chan->imtu); 6628 6629 if (sdu_len > chan->imtu) { 6630 BT_ERR("Too big LE L2CAP SDU length received"); 6631 err = -EMSGSIZE; 6632 goto failed; 6633 } 6634 6635 if (skb->len > sdu_len) { 6636 BT_ERR("Too much LE L2CAP data received"); 6637 err = -EINVAL; 6638 goto failed; 6639 } 6640 6641 if (skb->len == sdu_len) 6642 return l2cap_ecred_recv(chan, skb); 6643 6644 chan->sdu = skb; 6645 chan->sdu_len = sdu_len; 6646 chan->sdu_last_frag = skb; 6647 6648 /* Detect if remote is not able to use the selected MPS */ 6649 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) { 6650 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE; 6651 6652 /* Adjust the number of credits */ 6653 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len); 6654 chan->mps = mps_len; 6655 l2cap_chan_le_send_credits(chan); 6656 } 6657 6658 return 0; 6659 } 6660 6661 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u", 6662 chan->sdu->len, skb->len, chan->sdu_len); 6663 6664 if (chan->sdu->len + skb->len > chan->sdu_len) { 6665 BT_ERR("Too much LE L2CAP data received"); 6666 err = -EINVAL; 6667 goto failed; 6668 } 6669 6670 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag); 6671 skb = NULL; 6672 6673 if (chan->sdu->len == chan->sdu_len) { 6674 err = l2cap_ecred_recv(chan, chan->sdu); 6675 if (!err) { 6676 chan->sdu = NULL; 6677 chan->sdu_last_frag = NULL; 6678 chan->sdu_len = 0; 6679 } 6680 } 6681 6682 failed: 6683 if (err) { 6684 kfree_skb(skb); 6685 kfree_skb(chan->sdu); 6686 chan->sdu = NULL; 6687 chan->sdu_last_frag = NULL; 6688 chan->sdu_len = 0; 6689 } 6690 6691 /* We can't return an error here since we took care of the skb 6692 * freeing internally. An error return would cause the caller to 6693 * do a double-free of the skb. 6694 */ 6695 return 0; 6696 } 6697 6698 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, 6699 struct sk_buff *skb) 6700 { 6701 struct l2cap_chan *chan; 6702 6703 chan = l2cap_get_chan_by_scid(conn, cid); 6704 if (!chan) { 6705 BT_DBG("unknown cid 0x%4.4x", cid); 6706 /* Drop packet and return */ 6707 kfree_skb(skb); 6708 return; 6709 } 6710 6711 BT_DBG("chan %p, len %d", chan, skb->len); 6712 6713 /* If we receive data on a fixed channel before the info req/rsp 6714 * procedure is done simply assume that the channel is supported 6715 * and mark it as ready. 6716 */ 6717 if (chan->chan_type == L2CAP_CHAN_FIXED) 6718 l2cap_chan_ready(chan); 6719 6720 if (chan->state != BT_CONNECTED) 6721 goto drop; 6722 6723 switch (chan->mode) { 6724 case L2CAP_MODE_LE_FLOWCTL: 6725 case L2CAP_MODE_EXT_FLOWCTL: 6726 if (l2cap_ecred_data_rcv(chan, skb) < 0) 6727 goto drop; 6728 6729 goto done; 6730 6731 case L2CAP_MODE_BASIC: 6732 /* If socket recv buffers overflows we drop data here 6733 * which is *bad* because L2CAP has to be reliable. 6734 * But we don't have any other choice. L2CAP doesn't 6735 * provide flow control mechanism. */ 6736 6737 if (chan->imtu < skb->len) { 6738 BT_ERR("Dropping L2CAP data: receive buffer overflow"); 6739 goto drop; 6740 } 6741 6742 if (!chan->ops->recv(chan, skb)) 6743 goto done; 6744 break; 6745 6746 case L2CAP_MODE_ERTM: 6747 case L2CAP_MODE_STREAMING: 6748 l2cap_data_rcv(chan, skb); 6749 goto done; 6750 6751 default: 6752 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode); 6753 break; 6754 } 6755 6756 drop: 6757 kfree_skb(skb); 6758 6759 done: 6760 l2cap_chan_unlock(chan); 6761 l2cap_chan_put(chan); 6762 } 6763 6764 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, 6765 struct sk_buff *skb) 6766 { 6767 struct hci_conn *hcon = conn->hcon; 6768 struct l2cap_chan *chan; 6769 6770 if (hcon->type != ACL_LINK) 6771 goto free_skb; 6772 6773 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst, 6774 ACL_LINK); 6775 if (!chan) 6776 goto free_skb; 6777 6778 BT_DBG("chan %p, len %d", chan, skb->len); 6779 6780 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED) 6781 goto drop; 6782 6783 if (chan->imtu < skb->len) 6784 goto drop; 6785 6786 /* Store remote BD_ADDR and PSM for msg_name */ 6787 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst); 6788 bt_cb(skb)->l2cap.psm = psm; 6789 6790 if (!chan->ops->recv(chan, skb)) { 6791 l2cap_chan_put(chan); 6792 return; 6793 } 6794 6795 drop: 6796 l2cap_chan_put(chan); 6797 free_skb: 6798 kfree_skb(skb); 6799 } 6800 6801 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) 6802 { 6803 struct l2cap_hdr *lh = (void *) skb->data; 6804 struct hci_conn *hcon = conn->hcon; 6805 u16 cid, len; 6806 __le16 psm; 6807 6808 if (hcon->state != BT_CONNECTED) { 6809 BT_DBG("queueing pending rx skb"); 6810 skb_queue_tail(&conn->pending_rx, skb); 6811 return; 6812 } 6813 6814 skb_pull(skb, L2CAP_HDR_SIZE); 6815 cid = __le16_to_cpu(lh->cid); 6816 len = __le16_to_cpu(lh->len); 6817 6818 if (len != skb->len) { 6819 kfree_skb(skb); 6820 return; 6821 } 6822 6823 /* Since we can't actively block incoming LE connections we must 6824 * at least ensure that we ignore incoming data from them. 6825 */ 6826 if (hcon->type == LE_LINK && 6827 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst, 6828 bdaddr_dst_type(hcon))) { 6829 kfree_skb(skb); 6830 return; 6831 } 6832 6833 BT_DBG("len %d, cid 0x%4.4x", len, cid); 6834 6835 switch (cid) { 6836 case L2CAP_CID_SIGNALING: 6837 l2cap_sig_channel(conn, skb); 6838 break; 6839 6840 case L2CAP_CID_CONN_LESS: 6841 psm = get_unaligned((__le16 *) skb->data); 6842 skb_pull(skb, L2CAP_PSMLEN_SIZE); 6843 l2cap_conless_channel(conn, psm, skb); 6844 break; 6845 6846 case L2CAP_CID_LE_SIGNALING: 6847 l2cap_le_sig_channel(conn, skb); 6848 break; 6849 6850 default: 6851 l2cap_data_channel(conn, cid, skb); 6852 break; 6853 } 6854 } 6855 6856 static void process_pending_rx(struct work_struct *work) 6857 { 6858 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 6859 pending_rx_work); 6860 struct sk_buff *skb; 6861 6862 BT_DBG(""); 6863 6864 while ((skb = skb_dequeue(&conn->pending_rx))) 6865 l2cap_recv_frame(conn, skb); 6866 } 6867 6868 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon) 6869 { 6870 struct l2cap_conn *conn = hcon->l2cap_data; 6871 struct hci_chan *hchan; 6872 6873 if (conn) 6874 return conn; 6875 6876 hchan = hci_chan_create(hcon); 6877 if (!hchan) 6878 return NULL; 6879 6880 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 6881 if (!conn) { 6882 hci_chan_del(hchan); 6883 return NULL; 6884 } 6885 6886 kref_init(&conn->ref); 6887 hcon->l2cap_data = conn; 6888 conn->hcon = hci_conn_get(hcon); 6889 conn->hchan = hchan; 6890 6891 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan); 6892 6893 conn->mtu = hcon->mtu; 6894 conn->feat_mask = 0; 6895 6896 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS; 6897 6898 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) && 6899 (bredr_sc_enabled(hcon->hdev) || 6900 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP))) 6901 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR; 6902 6903 mutex_init(&conn->ident_lock); 6904 mutex_init(&conn->chan_lock); 6905 6906 INIT_LIST_HEAD(&conn->chan_l); 6907 INIT_LIST_HEAD(&conn->users); 6908 6909 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout); 6910 6911 skb_queue_head_init(&conn->pending_rx); 6912 INIT_WORK(&conn->pending_rx_work, process_pending_rx); 6913 INIT_DELAYED_WORK(&conn->id_addr_timer, l2cap_conn_update_id_addr); 6914 6915 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 6916 6917 return conn; 6918 } 6919 6920 static bool is_valid_psm(u16 psm, u8 dst_type) 6921 { 6922 if (!psm) 6923 return false; 6924 6925 if (bdaddr_type_is_le(dst_type)) 6926 return (psm <= 0x00ff); 6927 6928 /* PSM must be odd and lsb of upper byte must be 0 */ 6929 return ((psm & 0x0101) == 0x0001); 6930 } 6931 6932 struct l2cap_chan_data { 6933 struct l2cap_chan *chan; 6934 struct pid *pid; 6935 int count; 6936 }; 6937 6938 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data) 6939 { 6940 struct l2cap_chan_data *d = data; 6941 struct pid *pid; 6942 6943 if (chan == d->chan) 6944 return; 6945 6946 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags)) 6947 return; 6948 6949 pid = chan->ops->get_peer_pid(chan); 6950 6951 /* Only count deferred channels with the same PID/PSM */ 6952 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident || 6953 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT) 6954 return; 6955 6956 d->count++; 6957 } 6958 6959 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, 6960 bdaddr_t *dst, u8 dst_type) 6961 { 6962 struct l2cap_conn *conn; 6963 struct hci_conn *hcon; 6964 struct hci_dev *hdev; 6965 int err; 6966 6967 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src, 6968 dst, dst_type, __le16_to_cpu(psm), chan->mode); 6969 6970 hdev = hci_get_route(dst, &chan->src, chan->src_type); 6971 if (!hdev) 6972 return -EHOSTUNREACH; 6973 6974 hci_dev_lock(hdev); 6975 6976 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid && 6977 chan->chan_type != L2CAP_CHAN_RAW) { 6978 err = -EINVAL; 6979 goto done; 6980 } 6981 6982 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) { 6983 err = -EINVAL; 6984 goto done; 6985 } 6986 6987 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) { 6988 err = -EINVAL; 6989 goto done; 6990 } 6991 6992 switch (chan->mode) { 6993 case L2CAP_MODE_BASIC: 6994 break; 6995 case L2CAP_MODE_LE_FLOWCTL: 6996 break; 6997 case L2CAP_MODE_EXT_FLOWCTL: 6998 if (!enable_ecred) { 6999 err = -EOPNOTSUPP; 7000 goto done; 7001 } 7002 break; 7003 case L2CAP_MODE_ERTM: 7004 case L2CAP_MODE_STREAMING: 7005 if (!disable_ertm) 7006 break; 7007 fallthrough; 7008 default: 7009 err = -EOPNOTSUPP; 7010 goto done; 7011 } 7012 7013 switch (chan->state) { 7014 case BT_CONNECT: 7015 case BT_CONNECT2: 7016 case BT_CONFIG: 7017 /* Already connecting */ 7018 err = 0; 7019 goto done; 7020 7021 case BT_CONNECTED: 7022 /* Already connected */ 7023 err = -EISCONN; 7024 goto done; 7025 7026 case BT_OPEN: 7027 case BT_BOUND: 7028 /* Can connect */ 7029 break; 7030 7031 default: 7032 err = -EBADFD; 7033 goto done; 7034 } 7035 7036 /* Set destination address and psm */ 7037 bacpy(&chan->dst, dst); 7038 chan->dst_type = dst_type; 7039 7040 chan->psm = psm; 7041 chan->dcid = cid; 7042 7043 if (bdaddr_type_is_le(dst_type)) { 7044 /* Convert from L2CAP channel address type to HCI address type 7045 */ 7046 if (dst_type == BDADDR_LE_PUBLIC) 7047 dst_type = ADDR_LE_DEV_PUBLIC; 7048 else 7049 dst_type = ADDR_LE_DEV_RANDOM; 7050 7051 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 7052 hcon = hci_connect_le(hdev, dst, dst_type, false, 7053 chan->sec_level, 7054 HCI_LE_CONN_TIMEOUT, 7055 HCI_ROLE_SLAVE); 7056 else 7057 hcon = hci_connect_le_scan(hdev, dst, dst_type, 7058 chan->sec_level, 7059 HCI_LE_CONN_TIMEOUT, 7060 CONN_REASON_L2CAP_CHAN); 7061 7062 } else { 7063 u8 auth_type = l2cap_get_auth_type(chan); 7064 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type, 7065 CONN_REASON_L2CAP_CHAN); 7066 } 7067 7068 if (IS_ERR(hcon)) { 7069 err = PTR_ERR(hcon); 7070 goto done; 7071 } 7072 7073 conn = l2cap_conn_add(hcon); 7074 if (!conn) { 7075 hci_conn_drop(hcon); 7076 err = -ENOMEM; 7077 goto done; 7078 } 7079 7080 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 7081 struct l2cap_chan_data data; 7082 7083 data.chan = chan; 7084 data.pid = chan->ops->get_peer_pid(chan); 7085 data.count = 1; 7086 7087 l2cap_chan_list(conn, l2cap_chan_by_pid, &data); 7088 7089 /* Check if there isn't too many channels being connected */ 7090 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) { 7091 hci_conn_drop(hcon); 7092 err = -EPROTO; 7093 goto done; 7094 } 7095 } 7096 7097 mutex_lock(&conn->chan_lock); 7098 l2cap_chan_lock(chan); 7099 7100 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) { 7101 hci_conn_drop(hcon); 7102 err = -EBUSY; 7103 goto chan_unlock; 7104 } 7105 7106 /* Update source addr of the socket */ 7107 bacpy(&chan->src, &hcon->src); 7108 chan->src_type = bdaddr_src_type(hcon); 7109 7110 __l2cap_chan_add(conn, chan); 7111 7112 /* l2cap_chan_add takes its own ref so we can drop this one */ 7113 hci_conn_drop(hcon); 7114 7115 l2cap_state_change(chan, BT_CONNECT); 7116 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 7117 7118 /* Release chan->sport so that it can be reused by other 7119 * sockets (as it's only used for listening sockets). 7120 */ 7121 write_lock(&chan_list_lock); 7122 chan->sport = 0; 7123 write_unlock(&chan_list_lock); 7124 7125 if (hcon->state == BT_CONNECTED) { 7126 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 7127 __clear_chan_timer(chan); 7128 if (l2cap_chan_check_security(chan, true)) 7129 l2cap_state_change(chan, BT_CONNECTED); 7130 } else 7131 l2cap_do_start(chan); 7132 } 7133 7134 err = 0; 7135 7136 chan_unlock: 7137 l2cap_chan_unlock(chan); 7138 mutex_unlock(&conn->chan_lock); 7139 done: 7140 hci_dev_unlock(hdev); 7141 hci_dev_put(hdev); 7142 return err; 7143 } 7144 EXPORT_SYMBOL_GPL(l2cap_chan_connect); 7145 7146 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan) 7147 { 7148 struct l2cap_conn *conn = chan->conn; 7149 struct { 7150 struct l2cap_ecred_reconf_req req; 7151 __le16 scid; 7152 } pdu; 7153 7154 pdu.req.mtu = cpu_to_le16(chan->imtu); 7155 pdu.req.mps = cpu_to_le16(chan->mps); 7156 pdu.scid = cpu_to_le16(chan->scid); 7157 7158 chan->ident = l2cap_get_ident(conn); 7159 7160 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ, 7161 sizeof(pdu), &pdu); 7162 } 7163 7164 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu) 7165 { 7166 if (chan->imtu > mtu) 7167 return -EINVAL; 7168 7169 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu); 7170 7171 chan->imtu = mtu; 7172 7173 l2cap_ecred_reconfigure(chan); 7174 7175 return 0; 7176 } 7177 7178 /* ---- L2CAP interface with lower layer (HCI) ---- */ 7179 7180 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr) 7181 { 7182 int exact = 0, lm1 = 0, lm2 = 0; 7183 struct l2cap_chan *c; 7184 7185 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr); 7186 7187 /* Find listening sockets and check their link_mode */ 7188 read_lock(&chan_list_lock); 7189 list_for_each_entry(c, &chan_list, global_l) { 7190 if (c->state != BT_LISTEN) 7191 continue; 7192 7193 if (!bacmp(&c->src, &hdev->bdaddr)) { 7194 lm1 |= HCI_LM_ACCEPT; 7195 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 7196 lm1 |= HCI_LM_MASTER; 7197 exact++; 7198 } else if (!bacmp(&c->src, BDADDR_ANY)) { 7199 lm2 |= HCI_LM_ACCEPT; 7200 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 7201 lm2 |= HCI_LM_MASTER; 7202 } 7203 } 7204 read_unlock(&chan_list_lock); 7205 7206 return exact ? lm1 : lm2; 7207 } 7208 7209 /* Find the next fixed channel in BT_LISTEN state, continue iteration 7210 * from an existing channel in the list or from the beginning of the 7211 * global list (by passing NULL as first parameter). 7212 */ 7213 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c, 7214 struct hci_conn *hcon) 7215 { 7216 u8 src_type = bdaddr_src_type(hcon); 7217 7218 read_lock(&chan_list_lock); 7219 7220 if (c) 7221 c = list_next_entry(c, global_l); 7222 else 7223 c = list_entry(chan_list.next, typeof(*c), global_l); 7224 7225 list_for_each_entry_from(c, &chan_list, global_l) { 7226 if (c->chan_type != L2CAP_CHAN_FIXED) 7227 continue; 7228 if (c->state != BT_LISTEN) 7229 continue; 7230 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY)) 7231 continue; 7232 if (src_type != c->src_type) 7233 continue; 7234 7235 c = l2cap_chan_hold_unless_zero(c); 7236 read_unlock(&chan_list_lock); 7237 return c; 7238 } 7239 7240 read_unlock(&chan_list_lock); 7241 7242 return NULL; 7243 } 7244 7245 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 7246 { 7247 struct hci_dev *hdev = hcon->hdev; 7248 struct l2cap_conn *conn; 7249 struct l2cap_chan *pchan; 7250 u8 dst_type; 7251 7252 if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 7253 return; 7254 7255 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 7256 7257 if (status) { 7258 l2cap_conn_del(hcon, bt_to_errno(status)); 7259 return; 7260 } 7261 7262 conn = l2cap_conn_add(hcon); 7263 if (!conn) 7264 return; 7265 7266 dst_type = bdaddr_dst_type(hcon); 7267 7268 /* If device is blocked, do not create channels for it */ 7269 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type)) 7270 return; 7271 7272 /* Find fixed channels and notify them of the new connection. We 7273 * use multiple individual lookups, continuing each time where 7274 * we left off, because the list lock would prevent calling the 7275 * potentially sleeping l2cap_chan_lock() function. 7276 */ 7277 pchan = l2cap_global_fixed_chan(NULL, hcon); 7278 while (pchan) { 7279 struct l2cap_chan *chan, *next; 7280 7281 /* Client fixed channels should override server ones */ 7282 if (__l2cap_get_chan_by_dcid(conn, pchan->scid)) 7283 goto next; 7284 7285 l2cap_chan_lock(pchan); 7286 chan = pchan->ops->new_connection(pchan); 7287 if (chan) { 7288 bacpy(&chan->src, &hcon->src); 7289 bacpy(&chan->dst, &hcon->dst); 7290 chan->src_type = bdaddr_src_type(hcon); 7291 chan->dst_type = dst_type; 7292 7293 __l2cap_chan_add(conn, chan); 7294 } 7295 7296 l2cap_chan_unlock(pchan); 7297 next: 7298 next = l2cap_global_fixed_chan(pchan, hcon); 7299 l2cap_chan_put(pchan); 7300 pchan = next; 7301 } 7302 7303 l2cap_conn_ready(conn); 7304 } 7305 7306 int l2cap_disconn_ind(struct hci_conn *hcon) 7307 { 7308 struct l2cap_conn *conn = hcon->l2cap_data; 7309 7310 BT_DBG("hcon %p", hcon); 7311 7312 if (!conn) 7313 return HCI_ERROR_REMOTE_USER_TERM; 7314 return conn->disc_reason; 7315 } 7316 7317 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) 7318 { 7319 if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 7320 return; 7321 7322 BT_DBG("hcon %p reason %d", hcon, reason); 7323 7324 l2cap_conn_del(hcon, bt_to_errno(reason)); 7325 } 7326 7327 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt) 7328 { 7329 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 7330 return; 7331 7332 if (encrypt == 0x00) { 7333 if (chan->sec_level == BT_SECURITY_MEDIUM) { 7334 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT); 7335 } else if (chan->sec_level == BT_SECURITY_HIGH || 7336 chan->sec_level == BT_SECURITY_FIPS) 7337 l2cap_chan_close(chan, ECONNREFUSED); 7338 } else { 7339 if (chan->sec_level == BT_SECURITY_MEDIUM) 7340 __clear_chan_timer(chan); 7341 } 7342 } 7343 7344 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 7345 { 7346 struct l2cap_conn *conn = hcon->l2cap_data; 7347 struct l2cap_chan *chan; 7348 7349 if (!conn) 7350 return; 7351 7352 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt); 7353 7354 mutex_lock(&conn->chan_lock); 7355 7356 list_for_each_entry(chan, &conn->chan_l, list) { 7357 l2cap_chan_lock(chan); 7358 7359 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid, 7360 state_to_string(chan->state)); 7361 7362 if (!status && encrypt) 7363 chan->sec_level = hcon->sec_level; 7364 7365 if (!__l2cap_no_conn_pending(chan)) { 7366 l2cap_chan_unlock(chan); 7367 continue; 7368 } 7369 7370 if (!status && (chan->state == BT_CONNECTED || 7371 chan->state == BT_CONFIG)) { 7372 chan->ops->resume(chan); 7373 l2cap_check_encryption(chan, encrypt); 7374 l2cap_chan_unlock(chan); 7375 continue; 7376 } 7377 7378 if (chan->state == BT_CONNECT) { 7379 if (!status && l2cap_check_enc_key_size(hcon)) 7380 l2cap_start_connection(chan); 7381 else 7382 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 7383 } else if (chan->state == BT_CONNECT2 && 7384 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL || 7385 chan->mode == L2CAP_MODE_LE_FLOWCTL)) { 7386 struct l2cap_conn_rsp rsp; 7387 __u16 res, stat; 7388 7389 if (!status && l2cap_check_enc_key_size(hcon)) { 7390 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 7391 res = L2CAP_CR_PEND; 7392 stat = L2CAP_CS_AUTHOR_PEND; 7393 chan->ops->defer(chan); 7394 } else { 7395 l2cap_state_change(chan, BT_CONFIG); 7396 res = L2CAP_CR_SUCCESS; 7397 stat = L2CAP_CS_NO_INFO; 7398 } 7399 } else { 7400 l2cap_state_change(chan, BT_DISCONN); 7401 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 7402 res = L2CAP_CR_SEC_BLOCK; 7403 stat = L2CAP_CS_NO_INFO; 7404 } 7405 7406 rsp.scid = cpu_to_le16(chan->dcid); 7407 rsp.dcid = cpu_to_le16(chan->scid); 7408 rsp.result = cpu_to_le16(res); 7409 rsp.status = cpu_to_le16(stat); 7410 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 7411 sizeof(rsp), &rsp); 7412 7413 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) && 7414 res == L2CAP_CR_SUCCESS) { 7415 char buf[128]; 7416 set_bit(CONF_REQ_SENT, &chan->conf_state); 7417 l2cap_send_cmd(conn, l2cap_get_ident(conn), 7418 L2CAP_CONF_REQ, 7419 l2cap_build_conf_req(chan, buf, sizeof(buf)), 7420 buf); 7421 chan->num_conf_req++; 7422 } 7423 } 7424 7425 l2cap_chan_unlock(chan); 7426 } 7427 7428 mutex_unlock(&conn->chan_lock); 7429 } 7430 7431 /* Append fragment into frame respecting the maximum len of rx_skb */ 7432 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb, 7433 u16 len) 7434 { 7435 if (!conn->rx_skb) { 7436 /* Allocate skb for the complete frame (with header) */ 7437 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL); 7438 if (!conn->rx_skb) 7439 return -ENOMEM; 7440 /* Init rx_len */ 7441 conn->rx_len = len; 7442 } 7443 7444 /* Copy as much as the rx_skb can hold */ 7445 len = min_t(u16, len, skb->len); 7446 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len); 7447 skb_pull(skb, len); 7448 conn->rx_len -= len; 7449 7450 return len; 7451 } 7452 7453 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb) 7454 { 7455 struct sk_buff *rx_skb; 7456 int len; 7457 7458 /* Append just enough to complete the header */ 7459 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len); 7460 7461 /* If header could not be read just continue */ 7462 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE) 7463 return len; 7464 7465 rx_skb = conn->rx_skb; 7466 len = get_unaligned_le16(rx_skb->data); 7467 7468 /* Check if rx_skb has enough space to received all fragments */ 7469 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) { 7470 /* Update expected len */ 7471 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE); 7472 return L2CAP_LEN_SIZE; 7473 } 7474 7475 /* Reset conn->rx_skb since it will need to be reallocated in order to 7476 * fit all fragments. 7477 */ 7478 conn->rx_skb = NULL; 7479 7480 /* Reallocates rx_skb using the exact expected length */ 7481 len = l2cap_recv_frag(conn, rx_skb, 7482 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE)); 7483 kfree_skb(rx_skb); 7484 7485 return len; 7486 } 7487 7488 static void l2cap_recv_reset(struct l2cap_conn *conn) 7489 { 7490 kfree_skb(conn->rx_skb); 7491 conn->rx_skb = NULL; 7492 conn->rx_len = 0; 7493 } 7494 7495 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 7496 { 7497 struct l2cap_conn *conn = hcon->l2cap_data; 7498 int len; 7499 7500 /* For AMP controller do not create l2cap conn */ 7501 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY) 7502 goto drop; 7503 7504 if (!conn) 7505 conn = l2cap_conn_add(hcon); 7506 7507 if (!conn) 7508 goto drop; 7509 7510 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags); 7511 7512 switch (flags) { 7513 case ACL_START: 7514 case ACL_START_NO_FLUSH: 7515 case ACL_COMPLETE: 7516 if (conn->rx_skb) { 7517 BT_ERR("Unexpected start frame (len %d)", skb->len); 7518 l2cap_recv_reset(conn); 7519 l2cap_conn_unreliable(conn, ECOMM); 7520 } 7521 7522 /* Start fragment may not contain the L2CAP length so just 7523 * copy the initial byte when that happens and use conn->mtu as 7524 * expected length. 7525 */ 7526 if (skb->len < L2CAP_LEN_SIZE) { 7527 l2cap_recv_frag(conn, skb, conn->mtu); 7528 break; 7529 } 7530 7531 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE; 7532 7533 if (len == skb->len) { 7534 /* Complete frame received */ 7535 l2cap_recv_frame(conn, skb); 7536 return; 7537 } 7538 7539 BT_DBG("Start: total len %d, frag len %u", len, skb->len); 7540 7541 if (skb->len > len) { 7542 BT_ERR("Frame is too long (len %u, expected len %d)", 7543 skb->len, len); 7544 l2cap_conn_unreliable(conn, ECOMM); 7545 goto drop; 7546 } 7547 7548 /* Append fragment into frame (with header) */ 7549 if (l2cap_recv_frag(conn, skb, len) < 0) 7550 goto drop; 7551 7552 break; 7553 7554 case ACL_CONT: 7555 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len); 7556 7557 if (!conn->rx_skb) { 7558 BT_ERR("Unexpected continuation frame (len %d)", skb->len); 7559 l2cap_conn_unreliable(conn, ECOMM); 7560 goto drop; 7561 } 7562 7563 /* Complete the L2CAP length if it has not been read */ 7564 if (conn->rx_skb->len < L2CAP_LEN_SIZE) { 7565 if (l2cap_recv_len(conn, skb) < 0) { 7566 l2cap_conn_unreliable(conn, ECOMM); 7567 goto drop; 7568 } 7569 7570 /* Header still could not be read just continue */ 7571 if (conn->rx_skb->len < L2CAP_LEN_SIZE) 7572 break; 7573 } 7574 7575 if (skb->len > conn->rx_len) { 7576 BT_ERR("Fragment is too long (len %u, expected %u)", 7577 skb->len, conn->rx_len); 7578 l2cap_recv_reset(conn); 7579 l2cap_conn_unreliable(conn, ECOMM); 7580 goto drop; 7581 } 7582 7583 /* Append fragment into frame (with header) */ 7584 l2cap_recv_frag(conn, skb, skb->len); 7585 7586 if (!conn->rx_len) { 7587 /* Complete frame received. l2cap_recv_frame 7588 * takes ownership of the skb so set the global 7589 * rx_skb pointer to NULL first. 7590 */ 7591 struct sk_buff *rx_skb = conn->rx_skb; 7592 conn->rx_skb = NULL; 7593 l2cap_recv_frame(conn, rx_skb); 7594 } 7595 break; 7596 } 7597 7598 drop: 7599 kfree_skb(skb); 7600 } 7601 7602 static struct hci_cb l2cap_cb = { 7603 .name = "L2CAP", 7604 .connect_cfm = l2cap_connect_cfm, 7605 .disconn_cfm = l2cap_disconn_cfm, 7606 .security_cfm = l2cap_security_cfm, 7607 }; 7608 7609 static int l2cap_debugfs_show(struct seq_file *f, void *p) 7610 { 7611 struct l2cap_chan *c; 7612 7613 read_lock(&chan_list_lock); 7614 7615 list_for_each_entry(c, &chan_list, global_l) { 7616 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 7617 &c->src, c->src_type, &c->dst, c->dst_type, 7618 c->state, __le16_to_cpu(c->psm), 7619 c->scid, c->dcid, c->imtu, c->omtu, 7620 c->sec_level, c->mode); 7621 } 7622 7623 read_unlock(&chan_list_lock); 7624 7625 return 0; 7626 } 7627 7628 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs); 7629 7630 static struct dentry *l2cap_debugfs; 7631 7632 int __init l2cap_init(void) 7633 { 7634 int err; 7635 7636 err = l2cap_init_sockets(); 7637 if (err < 0) 7638 return err; 7639 7640 hci_register_cb(&l2cap_cb); 7641 7642 if (IS_ERR_OR_NULL(bt_debugfs)) 7643 return 0; 7644 7645 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs, 7646 NULL, &l2cap_debugfs_fops); 7647 7648 return 0; 7649 } 7650 7651 void l2cap_exit(void) 7652 { 7653 debugfs_remove(l2cap_debugfs); 7654 hci_unregister_cb(&l2cap_cb); 7655 l2cap_cleanup_sockets(); 7656 } 7657 7658 module_param(disable_ertm, bool, 0644); 7659 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode"); 7660 7661 module_param(enable_ecred, bool, 0644); 7662 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode"); 7663