]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - net/bluetooth/l2cap_core.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
dccp: defer ccid_hc_tx_delete() at dismantle time
[mirror_ubuntu-artful-kernel.git] / net / bluetooth / l2cap_core.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
36
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
40
41 #include "smp.h"
42 #include "a2mp.h"
43 #include "amp.h"
44
45 #define LE_FLOWCTL_MAX_CREDITS 65535
46
47 bool disable_ertm;
48
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
50
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
53
54 static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55 static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
57 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
58 u8 code, u8 ident, u16 dlen, void *data);
59 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
60 void *data);
61 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
62 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
63
64 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
65 struct sk_buff_head *skbs, u8 event);
66
67 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
68 {
69 if (link_type == LE_LINK) {
70 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77 }
78
79 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
80 {
81 return bdaddr_type(hcon->type, hcon->src_type);
82 }
83
84 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
85 {
86 return bdaddr_type(hcon->type, hcon->dst_type);
87 }
88
89 /* ---- L2CAP channels ---- */
90
91 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
92 u16 cid)
93 {
94 struct l2cap_chan *c;
95
96 list_for_each_entry(c, &conn->chan_l, list) {
97 if (c->dcid == cid)
98 return c;
99 }
100 return NULL;
101 }
102
103 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
104 u16 cid)
105 {
106 struct l2cap_chan *c;
107
108 list_for_each_entry(c, &conn->chan_l, list) {
109 if (c->scid == cid)
110 return c;
111 }
112 return NULL;
113 }
114
115 /* Find channel with given SCID.
116 * Returns locked channel. */
117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 u16 cid)
119 {
120 struct l2cap_chan *c;
121
122 mutex_lock(&conn->chan_lock);
123 c = __l2cap_get_chan_by_scid(conn, cid);
124 if (c)
125 l2cap_chan_lock(c);
126 mutex_unlock(&conn->chan_lock);
127
128 return c;
129 }
130
131 /* Find channel with given DCID.
132 * Returns locked channel.
133 */
134 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
135 u16 cid)
136 {
137 struct l2cap_chan *c;
138
139 mutex_lock(&conn->chan_lock);
140 c = __l2cap_get_chan_by_dcid(conn, cid);
141 if (c)
142 l2cap_chan_lock(c);
143 mutex_unlock(&conn->chan_lock);
144
145 return c;
146 }
147
148 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
149 u8 ident)
150 {
151 struct l2cap_chan *c;
152
153 list_for_each_entry(c, &conn->chan_l, list) {
154 if (c->ident == ident)
155 return c;
156 }
157 return NULL;
158 }
159
160 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
161 u8 ident)
162 {
163 struct l2cap_chan *c;
164
165 mutex_lock(&conn->chan_lock);
166 c = __l2cap_get_chan_by_ident(conn, ident);
167 if (c)
168 l2cap_chan_lock(c);
169 mutex_unlock(&conn->chan_lock);
170
171 return c;
172 }
173
174 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
175 {
176 struct l2cap_chan *c;
177
178 list_for_each_entry(c, &chan_list, global_l) {
179 if (c->sport == psm && !bacmp(&c->src, src))
180 return c;
181 }
182 return NULL;
183 }
184
185 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
186 {
187 int err;
188
189 write_lock(&chan_list_lock);
190
191 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
192 err = -EADDRINUSE;
193 goto done;
194 }
195
196 if (psm) {
197 chan->psm = psm;
198 chan->sport = psm;
199 err = 0;
200 } else {
201 u16 p, start, end, incr;
202
203 if (chan->src_type == BDADDR_BREDR) {
204 start = L2CAP_PSM_DYN_START;
205 end = L2CAP_PSM_AUTO_END;
206 incr = 2;
207 } else {
208 start = L2CAP_PSM_LE_DYN_START;
209 end = L2CAP_PSM_LE_DYN_END;
210 incr = 1;
211 }
212
213 err = -EINVAL;
214 for (p = start; p <= end; p += incr)
215 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
216 chan->psm = cpu_to_le16(p);
217 chan->sport = cpu_to_le16(p);
218 err = 0;
219 break;
220 }
221 }
222
223 done:
224 write_unlock(&chan_list_lock);
225 return err;
226 }
227 EXPORT_SYMBOL_GPL(l2cap_add_psm);
228
229 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
230 {
231 write_lock(&chan_list_lock);
232
233 /* Override the defaults (which are for conn-oriented) */
234 chan->omtu = L2CAP_DEFAULT_MTU;
235 chan->chan_type = L2CAP_CHAN_FIXED;
236
237 chan->scid = scid;
238
239 write_unlock(&chan_list_lock);
240
241 return 0;
242 }
243
244 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
245 {
246 u16 cid, dyn_end;
247
248 if (conn->hcon->type == LE_LINK)
249 dyn_end = L2CAP_CID_LE_DYN_END;
250 else
251 dyn_end = L2CAP_CID_DYN_END;
252
253 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
254 if (!__l2cap_get_chan_by_scid(conn, cid))
255 return cid;
256 }
257
258 return 0;
259 }
260
261 static void l2cap_state_change(struct l2cap_chan *chan, int state)
262 {
263 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
264 state_to_string(state));
265
266 chan->state = state;
267 chan->ops->state_change(chan, state, 0);
268 }
269
270 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
271 int state, int err)
272 {
273 chan->state = state;
274 chan->ops->state_change(chan, chan->state, err);
275 }
276
277 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
278 {
279 chan->ops->state_change(chan, chan->state, err);
280 }
281
282 static void __set_retrans_timer(struct l2cap_chan *chan)
283 {
284 if (!delayed_work_pending(&chan->monitor_timer) &&
285 chan->retrans_timeout) {
286 l2cap_set_timer(chan, &chan->retrans_timer,
287 msecs_to_jiffies(chan->retrans_timeout));
288 }
289 }
290
291 static void __set_monitor_timer(struct l2cap_chan *chan)
292 {
293 __clear_retrans_timer(chan);
294 if (chan->monitor_timeout) {
295 l2cap_set_timer(chan, &chan->monitor_timer,
296 msecs_to_jiffies(chan->monitor_timeout));
297 }
298 }
299
300 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
301 u16 seq)
302 {
303 struct sk_buff *skb;
304
305 skb_queue_walk(head, skb) {
306 if (bt_cb(skb)->l2cap.txseq == seq)
307 return skb;
308 }
309
310 return NULL;
311 }
312
313 /* ---- L2CAP sequence number lists ---- */
314
315 /* For ERTM, ordered lists of sequence numbers must be tracked for
316 * SREJ requests that are received and for frames that are to be
317 * retransmitted. These seq_list functions implement a singly-linked
318 * list in an array, where membership in the list can also be checked
319 * in constant time. Items can also be added to the tail of the list
320 * and removed from the head in constant time, without further memory
321 * allocs or frees.
322 */
323
324 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
325 {
326 size_t alloc_size, i;
327
328 /* Allocated size is a power of 2 to map sequence numbers
329 * (which may be up to 14 bits) in to a smaller array that is
330 * sized for the negotiated ERTM transmit windows.
331 */
332 alloc_size = roundup_pow_of_two(size);
333
334 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
335 if (!seq_list->list)
336 return -ENOMEM;
337
338 seq_list->mask = alloc_size - 1;
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
341 for (i = 0; i < alloc_size; i++)
342 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
343
344 return 0;
345 }
346
347 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
348 {
349 kfree(seq_list->list);
350 }
351
352 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
353 u16 seq)
354 {
355 /* Constant-time check for list membership */
356 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
357 }
358
359 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
360 {
361 u16 seq = seq_list->head;
362 u16 mask = seq_list->mask;
363
364 seq_list->head = seq_list->list[seq & mask];
365 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
366
367 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
368 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
369 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
370 }
371
372 return seq;
373 }
374
375 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
376 {
377 u16 i;
378
379 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
380 return;
381
382 for (i = 0; i <= seq_list->mask; i++)
383 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
384
385 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
386 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
387 }
388
389 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
390 {
391 u16 mask = seq_list->mask;
392
393 /* All appends happen in constant time */
394
395 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
396 return;
397
398 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
399 seq_list->head = seq;
400 else
401 seq_list->list[seq_list->tail & mask] = seq;
402
403 seq_list->tail = seq;
404 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
405 }
406
407 static void l2cap_chan_timeout(struct work_struct *work)
408 {
409 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
410 chan_timer.work);
411 struct l2cap_conn *conn = chan->conn;
412 int reason;
413
414 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
415
416 mutex_lock(&conn->chan_lock);
417 l2cap_chan_lock(chan);
418
419 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
420 reason = ECONNREFUSED;
421 else if (chan->state == BT_CONNECT &&
422 chan->sec_level != BT_SECURITY_SDP)
423 reason = ECONNREFUSED;
424 else
425 reason = ETIMEDOUT;
426
427 l2cap_chan_close(chan, reason);
428
429 l2cap_chan_unlock(chan);
430
431 chan->ops->close(chan);
432 mutex_unlock(&conn->chan_lock);
433
434 l2cap_chan_put(chan);
435 }
436
437 struct l2cap_chan *l2cap_chan_create(void)
438 {
439 struct l2cap_chan *chan;
440
441 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
442 if (!chan)
443 return NULL;
444
445 mutex_init(&chan->lock);
446
447 /* Set default lock nesting level */
448 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
449
450 write_lock(&chan_list_lock);
451 list_add(&chan->global_l, &chan_list);
452 write_unlock(&chan_list_lock);
453
454 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
455
456 chan->state = BT_OPEN;
457
458 kref_init(&chan->kref);
459
460 /* This flag is cleared in l2cap_chan_ready() */
461 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
462
463 BT_DBG("chan %p", chan);
464
465 return chan;
466 }
467 EXPORT_SYMBOL_GPL(l2cap_chan_create);
468
469 static void l2cap_chan_destroy(struct kref *kref)
470 {
471 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
472
473 BT_DBG("chan %p", chan);
474
475 write_lock(&chan_list_lock);
476 list_del(&chan->global_l);
477 write_unlock(&chan_list_lock);
478
479 kfree(chan);
480 }
481
482 void l2cap_chan_hold(struct l2cap_chan *c)
483 {
484 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
485
486 kref_get(&c->kref);
487 }
488
489 void l2cap_chan_put(struct l2cap_chan *c)
490 {
491 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
492
493 kref_put(&c->kref, l2cap_chan_destroy);
494 }
495 EXPORT_SYMBOL_GPL(l2cap_chan_put);
496
497 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
498 {
499 chan->fcs = L2CAP_FCS_CRC16;
500 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
501 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
502 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
503 chan->remote_max_tx = chan->max_tx;
504 chan->remote_tx_win = chan->tx_win;
505 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
506 chan->sec_level = BT_SECURITY_LOW;
507 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
508 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
509 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
510 chan->conf_state = 0;
511
512 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
513 }
514 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
515
516 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
517 {
518 chan->sdu = NULL;
519 chan->sdu_last_frag = NULL;
520 chan->sdu_len = 0;
521 chan->tx_credits = 0;
522 chan->rx_credits = le_max_credits;
523 chan->mps = min_t(u16, chan->imtu, le_default_mps);
524
525 skb_queue_head_init(&chan->tx_q);
526 }
527
528 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
529 {
530 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
531 __le16_to_cpu(chan->psm), chan->dcid);
532
533 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
534
535 chan->conn = conn;
536
537 switch (chan->chan_type) {
538 case L2CAP_CHAN_CONN_ORIENTED:
539 /* Alloc CID for connection-oriented socket */
540 chan->scid = l2cap_alloc_cid(conn);
541 if (conn->hcon->type == ACL_LINK)
542 chan->omtu = L2CAP_DEFAULT_MTU;
543 break;
544
545 case L2CAP_CHAN_CONN_LESS:
546 /* Connectionless socket */
547 chan->scid = L2CAP_CID_CONN_LESS;
548 chan->dcid = L2CAP_CID_CONN_LESS;
549 chan->omtu = L2CAP_DEFAULT_MTU;
550 break;
551
552 case L2CAP_CHAN_FIXED:
553 /* Caller will set CID and CID specific MTU values */
554 break;
555
556 default:
557 /* Raw socket can send/recv signalling messages only */
558 chan->scid = L2CAP_CID_SIGNALING;
559 chan->dcid = L2CAP_CID_SIGNALING;
560 chan->omtu = L2CAP_DEFAULT_MTU;
561 }
562
563 chan->local_id = L2CAP_BESTEFFORT_ID;
564 chan->local_stype = L2CAP_SERV_BESTEFFORT;
565 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
566 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
567 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
568 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
569
570 l2cap_chan_hold(chan);
571
572 /* Only keep a reference for fixed channels if they requested it */
573 if (chan->chan_type != L2CAP_CHAN_FIXED ||
574 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
575 hci_conn_hold(conn->hcon);
576
577 list_add(&chan->list, &conn->chan_l);
578 }
579
580 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
581 {
582 mutex_lock(&conn->chan_lock);
583 __l2cap_chan_add(conn, chan);
584 mutex_unlock(&conn->chan_lock);
585 }
586
587 void l2cap_chan_del(struct l2cap_chan *chan, int err)
588 {
589 struct l2cap_conn *conn = chan->conn;
590
591 __clear_chan_timer(chan);
592
593 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
594 state_to_string(chan->state));
595
596 chan->ops->teardown(chan, err);
597
598 if (conn) {
599 struct amp_mgr *mgr = conn->hcon->amp_mgr;
600 /* Delete from channel list */
601 list_del(&chan->list);
602
603 l2cap_chan_put(chan);
604
605 chan->conn = NULL;
606
607 /* Reference was only held for non-fixed channels or
608 * fixed channels that explicitly requested it using the
609 * FLAG_HOLD_HCI_CONN flag.
610 */
611 if (chan->chan_type != L2CAP_CHAN_FIXED ||
612 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
613 hci_conn_drop(conn->hcon);
614
615 if (mgr && mgr->bredr_chan == chan)
616 mgr->bredr_chan = NULL;
617 }
618
619 if (chan->hs_hchan) {
620 struct hci_chan *hs_hchan = chan->hs_hchan;
621
622 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
623 amp_disconnect_logical_link(hs_hchan);
624 }
625
626 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
627 return;
628
629 switch(chan->mode) {
630 case L2CAP_MODE_BASIC:
631 break;
632
633 case L2CAP_MODE_LE_FLOWCTL:
634 skb_queue_purge(&chan->tx_q);
635 break;
636
637 case L2CAP_MODE_ERTM:
638 __clear_retrans_timer(chan);
639 __clear_monitor_timer(chan);
640 __clear_ack_timer(chan);
641
642 skb_queue_purge(&chan->srej_q);
643
644 l2cap_seq_list_free(&chan->srej_list);
645 l2cap_seq_list_free(&chan->retrans_list);
646
647 /* fall through */
648
649 case L2CAP_MODE_STREAMING:
650 skb_queue_purge(&chan->tx_q);
651 break;
652 }
653
654 return;
655 }
656 EXPORT_SYMBOL_GPL(l2cap_chan_del);
657
658 static void l2cap_conn_update_id_addr(struct work_struct *work)
659 {
660 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
661 id_addr_update_work);
662 struct hci_conn *hcon = conn->hcon;
663 struct l2cap_chan *chan;
664
665 mutex_lock(&conn->chan_lock);
666
667 list_for_each_entry(chan, &conn->chan_l, list) {
668 l2cap_chan_lock(chan);
669 bacpy(&chan->dst, &hcon->dst);
670 chan->dst_type = bdaddr_dst_type(hcon);
671 l2cap_chan_unlock(chan);
672 }
673
674 mutex_unlock(&conn->chan_lock);
675 }
676
677 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
678 {
679 struct l2cap_conn *conn = chan->conn;
680 struct l2cap_le_conn_rsp rsp;
681 u16 result;
682
683 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
684 result = L2CAP_CR_AUTHORIZATION;
685 else
686 result = L2CAP_CR_BAD_PSM;
687
688 l2cap_state_change(chan, BT_DISCONN);
689
690 rsp.dcid = cpu_to_le16(chan->scid);
691 rsp.mtu = cpu_to_le16(chan->imtu);
692 rsp.mps = cpu_to_le16(chan->mps);
693 rsp.credits = cpu_to_le16(chan->rx_credits);
694 rsp.result = cpu_to_le16(result);
695
696 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
697 &rsp);
698 }
699
700 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
701 {
702 struct l2cap_conn *conn = chan->conn;
703 struct l2cap_conn_rsp rsp;
704 u16 result;
705
706 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
707 result = L2CAP_CR_SEC_BLOCK;
708 else
709 result = L2CAP_CR_BAD_PSM;
710
711 l2cap_state_change(chan, BT_DISCONN);
712
713 rsp.scid = cpu_to_le16(chan->dcid);
714 rsp.dcid = cpu_to_le16(chan->scid);
715 rsp.result = cpu_to_le16(result);
716 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
717
718 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
719 }
720
721 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
722 {
723 struct l2cap_conn *conn = chan->conn;
724
725 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
726
727 switch (chan->state) {
728 case BT_LISTEN:
729 chan->ops->teardown(chan, 0);
730 break;
731
732 case BT_CONNECTED:
733 case BT_CONFIG:
734 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
735 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
736 l2cap_send_disconn_req(chan, reason);
737 } else
738 l2cap_chan_del(chan, reason);
739 break;
740
741 case BT_CONNECT2:
742 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
743 if (conn->hcon->type == ACL_LINK)
744 l2cap_chan_connect_reject(chan);
745 else if (conn->hcon->type == LE_LINK)
746 l2cap_chan_le_connect_reject(chan);
747 }
748
749 l2cap_chan_del(chan, reason);
750 break;
751
752 case BT_CONNECT:
753 case BT_DISCONN:
754 l2cap_chan_del(chan, reason);
755 break;
756
757 default:
758 chan->ops->teardown(chan, 0);
759 break;
760 }
761 }
762 EXPORT_SYMBOL(l2cap_chan_close);
763
764 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
765 {
766 switch (chan->chan_type) {
767 case L2CAP_CHAN_RAW:
768 switch (chan->sec_level) {
769 case BT_SECURITY_HIGH:
770 case BT_SECURITY_FIPS:
771 return HCI_AT_DEDICATED_BONDING_MITM;
772 case BT_SECURITY_MEDIUM:
773 return HCI_AT_DEDICATED_BONDING;
774 default:
775 return HCI_AT_NO_BONDING;
776 }
777 break;
778 case L2CAP_CHAN_CONN_LESS:
779 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
780 if (chan->sec_level == BT_SECURITY_LOW)
781 chan->sec_level = BT_SECURITY_SDP;
782 }
783 if (chan->sec_level == BT_SECURITY_HIGH ||
784 chan->sec_level == BT_SECURITY_FIPS)
785 return HCI_AT_NO_BONDING_MITM;
786 else
787 return HCI_AT_NO_BONDING;
788 break;
789 case L2CAP_CHAN_CONN_ORIENTED:
790 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
791 if (chan->sec_level == BT_SECURITY_LOW)
792 chan->sec_level = BT_SECURITY_SDP;
793
794 if (chan->sec_level == BT_SECURITY_HIGH ||
795 chan->sec_level == BT_SECURITY_FIPS)
796 return HCI_AT_NO_BONDING_MITM;
797 else
798 return HCI_AT_NO_BONDING;
799 }
800 /* fall through */
801 default:
802 switch (chan->sec_level) {
803 case BT_SECURITY_HIGH:
804 case BT_SECURITY_FIPS:
805 return HCI_AT_GENERAL_BONDING_MITM;
806 case BT_SECURITY_MEDIUM:
807 return HCI_AT_GENERAL_BONDING;
808 default:
809 return HCI_AT_NO_BONDING;
810 }
811 break;
812 }
813 }
814
815 /* Service level security */
816 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
817 {
818 struct l2cap_conn *conn = chan->conn;
819 __u8 auth_type;
820
821 if (conn->hcon->type == LE_LINK)
822 return smp_conn_security(conn->hcon, chan->sec_level);
823
824 auth_type = l2cap_get_auth_type(chan);
825
826 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
827 initiator);
828 }
829
830 static u8 l2cap_get_ident(struct l2cap_conn *conn)
831 {
832 u8 id;
833
834 /* Get next available identificator.
835 * 1 - 128 are used by kernel.
836 * 129 - 199 are reserved.
837 * 200 - 254 are used by utilities like l2ping, etc.
838 */
839
840 mutex_lock(&conn->ident_lock);
841
842 if (++conn->tx_ident > 128)
843 conn->tx_ident = 1;
844
845 id = conn->tx_ident;
846
847 mutex_unlock(&conn->ident_lock);
848
849 return id;
850 }
851
852 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
853 void *data)
854 {
855 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
856 u8 flags;
857
858 BT_DBG("code 0x%2.2x", code);
859
860 if (!skb)
861 return;
862
863 /* Use NO_FLUSH if supported or we have an LE link (which does
864 * not support auto-flushing packets) */
865 if (lmp_no_flush_capable(conn->hcon->hdev) ||
866 conn->hcon->type == LE_LINK)
867 flags = ACL_START_NO_FLUSH;
868 else
869 flags = ACL_START;
870
871 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
872 skb->priority = HCI_PRIO_MAX;
873
874 hci_send_acl(conn->hchan, skb, flags);
875 }
876
877 static bool __chan_is_moving(struct l2cap_chan *chan)
878 {
879 return chan->move_state != L2CAP_MOVE_STABLE &&
880 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
881 }
882
883 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
884 {
885 struct hci_conn *hcon = chan->conn->hcon;
886 u16 flags;
887
888 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
889 skb->priority);
890
891 if (chan->hs_hcon && !__chan_is_moving(chan)) {
892 if (chan->hs_hchan)
893 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
894 else
895 kfree_skb(skb);
896
897 return;
898 }
899
900 /* Use NO_FLUSH for LE links (where this is the only option) or
901 * if the BR/EDR link supports it and flushing has not been
902 * explicitly requested (through FLAG_FLUSHABLE).
903 */
904 if (hcon->type == LE_LINK ||
905 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
906 lmp_no_flush_capable(hcon->hdev)))
907 flags = ACL_START_NO_FLUSH;
908 else
909 flags = ACL_START;
910
911 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
912 hci_send_acl(chan->conn->hchan, skb, flags);
913 }
914
915 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
916 {
917 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
918 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
919
920 if (enh & L2CAP_CTRL_FRAME_TYPE) {
921 /* S-Frame */
922 control->sframe = 1;
923 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
924 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
925
926 control->sar = 0;
927 control->txseq = 0;
928 } else {
929 /* I-Frame */
930 control->sframe = 0;
931 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
932 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
933
934 control->poll = 0;
935 control->super = 0;
936 }
937 }
938
939 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
940 {
941 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
942 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
943
944 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
945 /* S-Frame */
946 control->sframe = 1;
947 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
948 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
949
950 control->sar = 0;
951 control->txseq = 0;
952 } else {
953 /* I-Frame */
954 control->sframe = 0;
955 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
956 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
957
958 control->poll = 0;
959 control->super = 0;
960 }
961 }
962
963 static inline void __unpack_control(struct l2cap_chan *chan,
964 struct sk_buff *skb)
965 {
966 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
967 __unpack_extended_control(get_unaligned_le32(skb->data),
968 &bt_cb(skb)->l2cap);
969 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
970 } else {
971 __unpack_enhanced_control(get_unaligned_le16(skb->data),
972 &bt_cb(skb)->l2cap);
973 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
974 }
975 }
976
977 static u32 __pack_extended_control(struct l2cap_ctrl *control)
978 {
979 u32 packed;
980
981 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
982 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
983
984 if (control->sframe) {
985 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
986 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
987 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
988 } else {
989 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
990 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
991 }
992
993 return packed;
994 }
995
996 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
997 {
998 u16 packed;
999
1000 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1001 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1002
1003 if (control->sframe) {
1004 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1005 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1006 packed |= L2CAP_CTRL_FRAME_TYPE;
1007 } else {
1008 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1009 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1010 }
1011
1012 return packed;
1013 }
1014
1015 static inline void __pack_control(struct l2cap_chan *chan,
1016 struct l2cap_ctrl *control,
1017 struct sk_buff *skb)
1018 {
1019 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1020 put_unaligned_le32(__pack_extended_control(control),
1021 skb->data + L2CAP_HDR_SIZE);
1022 } else {
1023 put_unaligned_le16(__pack_enhanced_control(control),
1024 skb->data + L2CAP_HDR_SIZE);
1025 }
1026 }
1027
1028 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1029 {
1030 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1031 return L2CAP_EXT_HDR_SIZE;
1032 else
1033 return L2CAP_ENH_HDR_SIZE;
1034 }
1035
1036 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1037 u32 control)
1038 {
1039 struct sk_buff *skb;
1040 struct l2cap_hdr *lh;
1041 int hlen = __ertm_hdr_size(chan);
1042
1043 if (chan->fcs == L2CAP_FCS_CRC16)
1044 hlen += L2CAP_FCS_SIZE;
1045
1046 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1047
1048 if (!skb)
1049 return ERR_PTR(-ENOMEM);
1050
1051 lh = skb_put(skb, L2CAP_HDR_SIZE);
1052 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1053 lh->cid = cpu_to_le16(chan->dcid);
1054
1055 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1056 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1057 else
1058 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1059
1060 if (chan->fcs == L2CAP_FCS_CRC16) {
1061 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1062 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1063 }
1064
1065 skb->priority = HCI_PRIO_MAX;
1066 return skb;
1067 }
1068
1069 static void l2cap_send_sframe(struct l2cap_chan *chan,
1070 struct l2cap_ctrl *control)
1071 {
1072 struct sk_buff *skb;
1073 u32 control_field;
1074
1075 BT_DBG("chan %p, control %p", chan, control);
1076
1077 if (!control->sframe)
1078 return;
1079
1080 if (__chan_is_moving(chan))
1081 return;
1082
1083 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1084 !control->poll)
1085 control->final = 1;
1086
1087 if (control->super == L2CAP_SUPER_RR)
1088 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1089 else if (control->super == L2CAP_SUPER_RNR)
1090 set_bit(CONN_RNR_SENT, &chan->conn_state);
1091
1092 if (control->super != L2CAP_SUPER_SREJ) {
1093 chan->last_acked_seq = control->reqseq;
1094 __clear_ack_timer(chan);
1095 }
1096
1097 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1098 control->final, control->poll, control->super);
1099
1100 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1101 control_field = __pack_extended_control(control);
1102 else
1103 control_field = __pack_enhanced_control(control);
1104
1105 skb = l2cap_create_sframe_pdu(chan, control_field);
1106 if (!IS_ERR(skb))
1107 l2cap_do_send(chan, skb);
1108 }
1109
1110 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1111 {
1112 struct l2cap_ctrl control;
1113
1114 BT_DBG("chan %p, poll %d", chan, poll);
1115
1116 memset(&control, 0, sizeof(control));
1117 control.sframe = 1;
1118 control.poll = poll;
1119
1120 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1121 control.super = L2CAP_SUPER_RNR;
1122 else
1123 control.super = L2CAP_SUPER_RR;
1124
1125 control.reqseq = chan->buffer_seq;
1126 l2cap_send_sframe(chan, &control);
1127 }
1128
1129 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1130 {
1131 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1132 return true;
1133
1134 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1135 }
1136
1137 static bool __amp_capable(struct l2cap_chan *chan)
1138 {
1139 struct l2cap_conn *conn = chan->conn;
1140 struct hci_dev *hdev;
1141 bool amp_available = false;
1142
1143 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1144 return false;
1145
1146 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1147 return false;
1148
1149 read_lock(&hci_dev_list_lock);
1150 list_for_each_entry(hdev, &hci_dev_list, list) {
1151 if (hdev->amp_type != AMP_TYPE_BREDR &&
1152 test_bit(HCI_UP, &hdev->flags)) {
1153 amp_available = true;
1154 break;
1155 }
1156 }
1157 read_unlock(&hci_dev_list_lock);
1158
1159 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1160 return amp_available;
1161
1162 return false;
1163 }
1164
1165 static bool l2cap_check_efs(struct l2cap_chan *chan)
1166 {
1167 /* Check EFS parameters */
1168 return true;
1169 }
1170
1171 void l2cap_send_conn_req(struct l2cap_chan *chan)
1172 {
1173 struct l2cap_conn *conn = chan->conn;
1174 struct l2cap_conn_req req;
1175
1176 req.scid = cpu_to_le16(chan->scid);
1177 req.psm = chan->psm;
1178
1179 chan->ident = l2cap_get_ident(conn);
1180
1181 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1182
1183 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1184 }
1185
1186 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1187 {
1188 struct l2cap_create_chan_req req;
1189 req.scid = cpu_to_le16(chan->scid);
1190 req.psm = chan->psm;
1191 req.amp_id = amp_id;
1192
1193 chan->ident = l2cap_get_ident(chan->conn);
1194
1195 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1196 sizeof(req), &req);
1197 }
1198
1199 static void l2cap_move_setup(struct l2cap_chan *chan)
1200 {
1201 struct sk_buff *skb;
1202
1203 BT_DBG("chan %p", chan);
1204
1205 if (chan->mode != L2CAP_MODE_ERTM)
1206 return;
1207
1208 __clear_retrans_timer(chan);
1209 __clear_monitor_timer(chan);
1210 __clear_ack_timer(chan);
1211
1212 chan->retry_count = 0;
1213 skb_queue_walk(&chan->tx_q, skb) {
1214 if (bt_cb(skb)->l2cap.retries)
1215 bt_cb(skb)->l2cap.retries = 1;
1216 else
1217 break;
1218 }
1219
1220 chan->expected_tx_seq = chan->buffer_seq;
1221
1222 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1223 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1224 l2cap_seq_list_clear(&chan->retrans_list);
1225 l2cap_seq_list_clear(&chan->srej_list);
1226 skb_queue_purge(&chan->srej_q);
1227
1228 chan->tx_state = L2CAP_TX_STATE_XMIT;
1229 chan->rx_state = L2CAP_RX_STATE_MOVE;
1230
1231 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1232 }
1233
1234 static void l2cap_move_done(struct l2cap_chan *chan)
1235 {
1236 u8 move_role = chan->move_role;
1237 BT_DBG("chan %p", chan);
1238
1239 chan->move_state = L2CAP_MOVE_STABLE;
1240 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1241
1242 if (chan->mode != L2CAP_MODE_ERTM)
1243 return;
1244
1245 switch (move_role) {
1246 case L2CAP_MOVE_ROLE_INITIATOR:
1247 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1248 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1249 break;
1250 case L2CAP_MOVE_ROLE_RESPONDER:
1251 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1252 break;
1253 }
1254 }
1255
1256 static void l2cap_chan_ready(struct l2cap_chan *chan)
1257 {
1258 /* The channel may have already been flagged as connected in
1259 * case of receiving data before the L2CAP info req/rsp
1260 * procedure is complete.
1261 */
1262 if (chan->state == BT_CONNECTED)
1263 return;
1264
1265 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1266 chan->conf_state = 0;
1267 __clear_chan_timer(chan);
1268
1269 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1270 chan->ops->suspend(chan);
1271
1272 chan->state = BT_CONNECTED;
1273
1274 chan->ops->ready(chan);
1275 }
1276
1277 static void l2cap_le_connect(struct l2cap_chan *chan)
1278 {
1279 struct l2cap_conn *conn = chan->conn;
1280 struct l2cap_le_conn_req req;
1281
1282 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1283 return;
1284
1285 req.psm = chan->psm;
1286 req.scid = cpu_to_le16(chan->scid);
1287 req.mtu = cpu_to_le16(chan->imtu);
1288 req.mps = cpu_to_le16(chan->mps);
1289 req.credits = cpu_to_le16(chan->rx_credits);
1290
1291 chan->ident = l2cap_get_ident(conn);
1292
1293 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1294 sizeof(req), &req);
1295 }
1296
1297 static void l2cap_le_start(struct l2cap_chan *chan)
1298 {
1299 struct l2cap_conn *conn = chan->conn;
1300
1301 if (!smp_conn_security(conn->hcon, chan->sec_level))
1302 return;
1303
1304 if (!chan->psm) {
1305 l2cap_chan_ready(chan);
1306 return;
1307 }
1308
1309 if (chan->state == BT_CONNECT)
1310 l2cap_le_connect(chan);
1311 }
1312
1313 static void l2cap_start_connection(struct l2cap_chan *chan)
1314 {
1315 if (__amp_capable(chan)) {
1316 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1317 a2mp_discover_amp(chan);
1318 } else if (chan->conn->hcon->type == LE_LINK) {
1319 l2cap_le_start(chan);
1320 } else {
1321 l2cap_send_conn_req(chan);
1322 }
1323 }
1324
1325 static void l2cap_request_info(struct l2cap_conn *conn)
1326 {
1327 struct l2cap_info_req req;
1328
1329 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1330 return;
1331
1332 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1333
1334 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1335 conn->info_ident = l2cap_get_ident(conn);
1336
1337 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1338
1339 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1340 sizeof(req), &req);
1341 }
1342
1343 static void l2cap_do_start(struct l2cap_chan *chan)
1344 {
1345 struct l2cap_conn *conn = chan->conn;
1346
1347 if (conn->hcon->type == LE_LINK) {
1348 l2cap_le_start(chan);
1349 return;
1350 }
1351
1352 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1353 l2cap_request_info(conn);
1354 return;
1355 }
1356
1357 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1358 return;
1359
1360 if (l2cap_chan_check_security(chan, true) &&
1361 __l2cap_no_conn_pending(chan))
1362 l2cap_start_connection(chan);
1363 }
1364
1365 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1366 {
1367 u32 local_feat_mask = l2cap_feat_mask;
1368 if (!disable_ertm)
1369 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1370
1371 switch (mode) {
1372 case L2CAP_MODE_ERTM:
1373 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1374 case L2CAP_MODE_STREAMING:
1375 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1376 default:
1377 return 0x00;
1378 }
1379 }
1380
1381 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1382 {
1383 struct l2cap_conn *conn = chan->conn;
1384 struct l2cap_disconn_req req;
1385
1386 if (!conn)
1387 return;
1388
1389 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1390 __clear_retrans_timer(chan);
1391 __clear_monitor_timer(chan);
1392 __clear_ack_timer(chan);
1393 }
1394
1395 if (chan->scid == L2CAP_CID_A2MP) {
1396 l2cap_state_change(chan, BT_DISCONN);
1397 return;
1398 }
1399
1400 req.dcid = cpu_to_le16(chan->dcid);
1401 req.scid = cpu_to_le16(chan->scid);
1402 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1403 sizeof(req), &req);
1404
1405 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1406 }
1407
1408 /* ---- L2CAP connections ---- */
1409 static void l2cap_conn_start(struct l2cap_conn *conn)
1410 {
1411 struct l2cap_chan *chan, *tmp;
1412
1413 BT_DBG("conn %p", conn);
1414
1415 mutex_lock(&conn->chan_lock);
1416
1417 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1418 l2cap_chan_lock(chan);
1419
1420 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1421 l2cap_chan_ready(chan);
1422 l2cap_chan_unlock(chan);
1423 continue;
1424 }
1425
1426 if (chan->state == BT_CONNECT) {
1427 if (!l2cap_chan_check_security(chan, true) ||
1428 !__l2cap_no_conn_pending(chan)) {
1429 l2cap_chan_unlock(chan);
1430 continue;
1431 }
1432
1433 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1434 && test_bit(CONF_STATE2_DEVICE,
1435 &chan->conf_state)) {
1436 l2cap_chan_close(chan, ECONNRESET);
1437 l2cap_chan_unlock(chan);
1438 continue;
1439 }
1440
1441 l2cap_start_connection(chan);
1442
1443 } else if (chan->state == BT_CONNECT2) {
1444 struct l2cap_conn_rsp rsp;
1445 char buf[128];
1446 rsp.scid = cpu_to_le16(chan->dcid);
1447 rsp.dcid = cpu_to_le16(chan->scid);
1448
1449 if (l2cap_chan_check_security(chan, false)) {
1450 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1451 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1452 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1453 chan->ops->defer(chan);
1454
1455 } else {
1456 l2cap_state_change(chan, BT_CONFIG);
1457 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1458 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1459 }
1460 } else {
1461 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1462 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1463 }
1464
1465 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1466 sizeof(rsp), &rsp);
1467
1468 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1469 rsp.result != L2CAP_CR_SUCCESS) {
1470 l2cap_chan_unlock(chan);
1471 continue;
1472 }
1473
1474 set_bit(CONF_REQ_SENT, &chan->conf_state);
1475 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1476 l2cap_build_conf_req(chan, buf), buf);
1477 chan->num_conf_req++;
1478 }
1479
1480 l2cap_chan_unlock(chan);
1481 }
1482
1483 mutex_unlock(&conn->chan_lock);
1484 }
1485
1486 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1487 {
1488 struct hci_conn *hcon = conn->hcon;
1489 struct hci_dev *hdev = hcon->hdev;
1490
1491 BT_DBG("%s conn %p", hdev->name, conn);
1492
1493 /* For outgoing pairing which doesn't necessarily have an
1494 * associated socket (e.g. mgmt_pair_device).
1495 */
1496 if (hcon->out)
1497 smp_conn_security(hcon, hcon->pending_sec_level);
1498
1499 /* For LE slave connections, make sure the connection interval
1500 * is in the range of the minium and maximum interval that has
1501 * been configured for this connection. If not, then trigger
1502 * the connection update procedure.
1503 */
1504 if (hcon->role == HCI_ROLE_SLAVE &&
1505 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1506 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1507 struct l2cap_conn_param_update_req req;
1508
1509 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1510 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1511 req.latency = cpu_to_le16(hcon->le_conn_latency);
1512 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1513
1514 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1515 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1516 }
1517 }
1518
1519 static void l2cap_conn_ready(struct l2cap_conn *conn)
1520 {
1521 struct l2cap_chan *chan;
1522 struct hci_conn *hcon = conn->hcon;
1523
1524 BT_DBG("conn %p", conn);
1525
1526 if (hcon->type == ACL_LINK)
1527 l2cap_request_info(conn);
1528
1529 mutex_lock(&conn->chan_lock);
1530
1531 list_for_each_entry(chan, &conn->chan_l, list) {
1532
1533 l2cap_chan_lock(chan);
1534
1535 if (chan->scid == L2CAP_CID_A2MP) {
1536 l2cap_chan_unlock(chan);
1537 continue;
1538 }
1539
1540 if (hcon->type == LE_LINK) {
1541 l2cap_le_start(chan);
1542 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1543 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1544 l2cap_chan_ready(chan);
1545 } else if (chan->state == BT_CONNECT) {
1546 l2cap_do_start(chan);
1547 }
1548
1549 l2cap_chan_unlock(chan);
1550 }
1551
1552 mutex_unlock(&conn->chan_lock);
1553
1554 if (hcon->type == LE_LINK)
1555 l2cap_le_conn_ready(conn);
1556
1557 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1558 }
1559
1560 /* Notify sockets that we cannot guaranty reliability anymore */
1561 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1562 {
1563 struct l2cap_chan *chan;
1564
1565 BT_DBG("conn %p", conn);
1566
1567 mutex_lock(&conn->chan_lock);
1568
1569 list_for_each_entry(chan, &conn->chan_l, list) {
1570 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1571 l2cap_chan_set_err(chan, err);
1572 }
1573
1574 mutex_unlock(&conn->chan_lock);
1575 }
1576
1577 static void l2cap_info_timeout(struct work_struct *work)
1578 {
1579 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1580 info_timer.work);
1581
1582 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1583 conn->info_ident = 0;
1584
1585 l2cap_conn_start(conn);
1586 }
1587
1588 /*
1589 * l2cap_user
1590 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1591 * callback is called during registration. The ->remove callback is called
1592 * during unregistration.
1593 * An l2cap_user object can either be explicitly unregistered or when the
1594 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1595 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1596 * External modules must own a reference to the l2cap_conn object if they intend
1597 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1598 * any time if they don't.
1599 */
1600
1601 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1602 {
1603 struct hci_dev *hdev = conn->hcon->hdev;
1604 int ret;
1605
1606 /* We need to check whether l2cap_conn is registered. If it is not, we
1607 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1608 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1609 * relies on the parent hci_conn object to be locked. This itself relies
1610 * on the hci_dev object to be locked. So we must lock the hci device
1611 * here, too. */
1612
1613 hci_dev_lock(hdev);
1614
1615 if (!list_empty(&user->list)) {
1616 ret = -EINVAL;
1617 goto out_unlock;
1618 }
1619
1620 /* conn->hchan is NULL after l2cap_conn_del() was called */
1621 if (!conn->hchan) {
1622 ret = -ENODEV;
1623 goto out_unlock;
1624 }
1625
1626 ret = user->probe(conn, user);
1627 if (ret)
1628 goto out_unlock;
1629
1630 list_add(&user->list, &conn->users);
1631 ret = 0;
1632
1633 out_unlock:
1634 hci_dev_unlock(hdev);
1635 return ret;
1636 }
1637 EXPORT_SYMBOL(l2cap_register_user);
1638
1639 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1640 {
1641 struct hci_dev *hdev = conn->hcon->hdev;
1642
1643 hci_dev_lock(hdev);
1644
1645 if (list_empty(&user->list))
1646 goto out_unlock;
1647
1648 list_del_init(&user->list);
1649 user->remove(conn, user);
1650
1651 out_unlock:
1652 hci_dev_unlock(hdev);
1653 }
1654 EXPORT_SYMBOL(l2cap_unregister_user);
1655
1656 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1657 {
1658 struct l2cap_user *user;
1659
1660 while (!list_empty(&conn->users)) {
1661 user = list_first_entry(&conn->users, struct l2cap_user, list);
1662 list_del_init(&user->list);
1663 user->remove(conn, user);
1664 }
1665 }
1666
1667 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1668 {
1669 struct l2cap_conn *conn = hcon->l2cap_data;
1670 struct l2cap_chan *chan, *l;
1671
1672 if (!conn)
1673 return;
1674
1675 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1676
1677 kfree_skb(conn->rx_skb);
1678
1679 skb_queue_purge(&conn->pending_rx);
1680
1681 /* We can not call flush_work(&conn->pending_rx_work) here since we
1682 * might block if we are running on a worker from the same workqueue
1683 * pending_rx_work is waiting on.
1684 */
1685 if (work_pending(&conn->pending_rx_work))
1686 cancel_work_sync(&conn->pending_rx_work);
1687
1688 if (work_pending(&conn->id_addr_update_work))
1689 cancel_work_sync(&conn->id_addr_update_work);
1690
1691 l2cap_unregister_all_users(conn);
1692
1693 /* Force the connection to be immediately dropped */
1694 hcon->disc_timeout = 0;
1695
1696 mutex_lock(&conn->chan_lock);
1697
1698 /* Kill channels */
1699 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1700 l2cap_chan_hold(chan);
1701 l2cap_chan_lock(chan);
1702
1703 l2cap_chan_del(chan, err);
1704
1705 l2cap_chan_unlock(chan);
1706
1707 chan->ops->close(chan);
1708 l2cap_chan_put(chan);
1709 }
1710
1711 mutex_unlock(&conn->chan_lock);
1712
1713 hci_chan_del(conn->hchan);
1714
1715 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1716 cancel_delayed_work_sync(&conn->info_timer);
1717
1718 hcon->l2cap_data = NULL;
1719 conn->hchan = NULL;
1720 l2cap_conn_put(conn);
1721 }
1722
1723 static void l2cap_conn_free(struct kref *ref)
1724 {
1725 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1726
1727 hci_conn_put(conn->hcon);
1728 kfree(conn);
1729 }
1730
1731 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1732 {
1733 kref_get(&conn->ref);
1734 return conn;
1735 }
1736 EXPORT_SYMBOL(l2cap_conn_get);
1737
1738 void l2cap_conn_put(struct l2cap_conn *conn)
1739 {
1740 kref_put(&conn->ref, l2cap_conn_free);
1741 }
1742 EXPORT_SYMBOL(l2cap_conn_put);
1743
1744 /* ---- Socket interface ---- */
1745
1746 /* Find socket with psm and source / destination bdaddr.
1747 * Returns closest match.
1748 */
1749 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1750 bdaddr_t *src,
1751 bdaddr_t *dst,
1752 u8 link_type)
1753 {
1754 struct l2cap_chan *c, *c1 = NULL;
1755
1756 read_lock(&chan_list_lock);
1757
1758 list_for_each_entry(c, &chan_list, global_l) {
1759 if (state && c->state != state)
1760 continue;
1761
1762 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1763 continue;
1764
1765 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1766 continue;
1767
1768 if (c->psm == psm) {
1769 int src_match, dst_match;
1770 int src_any, dst_any;
1771
1772 /* Exact match. */
1773 src_match = !bacmp(&c->src, src);
1774 dst_match = !bacmp(&c->dst, dst);
1775 if (src_match && dst_match) {
1776 l2cap_chan_hold(c);
1777 read_unlock(&chan_list_lock);
1778 return c;
1779 }
1780
1781 /* Closest match */
1782 src_any = !bacmp(&c->src, BDADDR_ANY);
1783 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1784 if ((src_match && dst_any) || (src_any && dst_match) ||
1785 (src_any && dst_any))
1786 c1 = c;
1787 }
1788 }
1789
1790 if (c1)
1791 l2cap_chan_hold(c1);
1792
1793 read_unlock(&chan_list_lock);
1794
1795 return c1;
1796 }
1797
1798 static void l2cap_monitor_timeout(struct work_struct *work)
1799 {
1800 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1801 monitor_timer.work);
1802
1803 BT_DBG("chan %p", chan);
1804
1805 l2cap_chan_lock(chan);
1806
1807 if (!chan->conn) {
1808 l2cap_chan_unlock(chan);
1809 l2cap_chan_put(chan);
1810 return;
1811 }
1812
1813 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1814
1815 l2cap_chan_unlock(chan);
1816 l2cap_chan_put(chan);
1817 }
1818
1819 static void l2cap_retrans_timeout(struct work_struct *work)
1820 {
1821 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1822 retrans_timer.work);
1823
1824 BT_DBG("chan %p", chan);
1825
1826 l2cap_chan_lock(chan);
1827
1828 if (!chan->conn) {
1829 l2cap_chan_unlock(chan);
1830 l2cap_chan_put(chan);
1831 return;
1832 }
1833
1834 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1835 l2cap_chan_unlock(chan);
1836 l2cap_chan_put(chan);
1837 }
1838
1839 static void l2cap_streaming_send(struct l2cap_chan *chan,
1840 struct sk_buff_head *skbs)
1841 {
1842 struct sk_buff *skb;
1843 struct l2cap_ctrl *control;
1844
1845 BT_DBG("chan %p, skbs %p", chan, skbs);
1846
1847 if (__chan_is_moving(chan))
1848 return;
1849
1850 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1851
1852 while (!skb_queue_empty(&chan->tx_q)) {
1853
1854 skb = skb_dequeue(&chan->tx_q);
1855
1856 bt_cb(skb)->l2cap.retries = 1;
1857 control = &bt_cb(skb)->l2cap;
1858
1859 control->reqseq = 0;
1860 control->txseq = chan->next_tx_seq;
1861
1862 __pack_control(chan, control, skb);
1863
1864 if (chan->fcs == L2CAP_FCS_CRC16) {
1865 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1866 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1867 }
1868
1869 l2cap_do_send(chan, skb);
1870
1871 BT_DBG("Sent txseq %u", control->txseq);
1872
1873 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1874 chan->frames_sent++;
1875 }
1876 }
1877
1878 static int l2cap_ertm_send(struct l2cap_chan *chan)
1879 {
1880 struct sk_buff *skb, *tx_skb;
1881 struct l2cap_ctrl *control;
1882 int sent = 0;
1883
1884 BT_DBG("chan %p", chan);
1885
1886 if (chan->state != BT_CONNECTED)
1887 return -ENOTCONN;
1888
1889 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1890 return 0;
1891
1892 if (__chan_is_moving(chan))
1893 return 0;
1894
1895 while (chan->tx_send_head &&
1896 chan->unacked_frames < chan->remote_tx_win &&
1897 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1898
1899 skb = chan->tx_send_head;
1900
1901 bt_cb(skb)->l2cap.retries = 1;
1902 control = &bt_cb(skb)->l2cap;
1903
1904 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1905 control->final = 1;
1906
1907 control->reqseq = chan->buffer_seq;
1908 chan->last_acked_seq = chan->buffer_seq;
1909 control->txseq = chan->next_tx_seq;
1910
1911 __pack_control(chan, control, skb);
1912
1913 if (chan->fcs == L2CAP_FCS_CRC16) {
1914 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1915 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1916 }
1917
1918 /* Clone after data has been modified. Data is assumed to be
1919 read-only (for locking purposes) on cloned sk_buffs.
1920 */
1921 tx_skb = skb_clone(skb, GFP_KERNEL);
1922
1923 if (!tx_skb)
1924 break;
1925
1926 __set_retrans_timer(chan);
1927
1928 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1929 chan->unacked_frames++;
1930 chan->frames_sent++;
1931 sent++;
1932
1933 if (skb_queue_is_last(&chan->tx_q, skb))
1934 chan->tx_send_head = NULL;
1935 else
1936 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1937
1938 l2cap_do_send(chan, tx_skb);
1939 BT_DBG("Sent txseq %u", control->txseq);
1940 }
1941
1942 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1943 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1944
1945 return sent;
1946 }
1947
1948 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1949 {
1950 struct l2cap_ctrl control;
1951 struct sk_buff *skb;
1952 struct sk_buff *tx_skb;
1953 u16 seq;
1954
1955 BT_DBG("chan %p", chan);
1956
1957 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1958 return;
1959
1960 if (__chan_is_moving(chan))
1961 return;
1962
1963 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1964 seq = l2cap_seq_list_pop(&chan->retrans_list);
1965
1966 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1967 if (!skb) {
1968 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1969 seq);
1970 continue;
1971 }
1972
1973 bt_cb(skb)->l2cap.retries++;
1974 control = bt_cb(skb)->l2cap;
1975
1976 if (chan->max_tx != 0 &&
1977 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1978 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1979 l2cap_send_disconn_req(chan, ECONNRESET);
1980 l2cap_seq_list_clear(&chan->retrans_list);
1981 break;
1982 }
1983
1984 control.reqseq = chan->buffer_seq;
1985 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1986 control.final = 1;
1987 else
1988 control.final = 0;
1989
1990 if (skb_cloned(skb)) {
1991 /* Cloned sk_buffs are read-only, so we need a
1992 * writeable copy
1993 */
1994 tx_skb = skb_copy(skb, GFP_KERNEL);
1995 } else {
1996 tx_skb = skb_clone(skb, GFP_KERNEL);
1997 }
1998
1999 if (!tx_skb) {
2000 l2cap_seq_list_clear(&chan->retrans_list);
2001 break;
2002 }
2003
2004 /* Update skb contents */
2005 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2006 put_unaligned_le32(__pack_extended_control(&control),
2007 tx_skb->data + L2CAP_HDR_SIZE);
2008 } else {
2009 put_unaligned_le16(__pack_enhanced_control(&control),
2010 tx_skb->data + L2CAP_HDR_SIZE);
2011 }
2012
2013 /* Update FCS */
2014 if (chan->fcs == L2CAP_FCS_CRC16) {
2015 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2016 tx_skb->len - L2CAP_FCS_SIZE);
2017 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2018 L2CAP_FCS_SIZE);
2019 }
2020
2021 l2cap_do_send(chan, tx_skb);
2022
2023 BT_DBG("Resent txseq %d", control.txseq);
2024
2025 chan->last_acked_seq = chan->buffer_seq;
2026 }
2027 }
2028
2029 static void l2cap_retransmit(struct l2cap_chan *chan,
2030 struct l2cap_ctrl *control)
2031 {
2032 BT_DBG("chan %p, control %p", chan, control);
2033
2034 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2035 l2cap_ertm_resend(chan);
2036 }
2037
2038 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2039 struct l2cap_ctrl *control)
2040 {
2041 struct sk_buff *skb;
2042
2043 BT_DBG("chan %p, control %p", chan, control);
2044
2045 if (control->poll)
2046 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2047
2048 l2cap_seq_list_clear(&chan->retrans_list);
2049
2050 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2051 return;
2052
2053 if (chan->unacked_frames) {
2054 skb_queue_walk(&chan->tx_q, skb) {
2055 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2056 skb == chan->tx_send_head)
2057 break;
2058 }
2059
2060 skb_queue_walk_from(&chan->tx_q, skb) {
2061 if (skb == chan->tx_send_head)
2062 break;
2063
2064 l2cap_seq_list_append(&chan->retrans_list,
2065 bt_cb(skb)->l2cap.txseq);
2066 }
2067
2068 l2cap_ertm_resend(chan);
2069 }
2070 }
2071
2072 static void l2cap_send_ack(struct l2cap_chan *chan)
2073 {
2074 struct l2cap_ctrl control;
2075 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2076 chan->last_acked_seq);
2077 int threshold;
2078
2079 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2080 chan, chan->last_acked_seq, chan->buffer_seq);
2081
2082 memset(&control, 0, sizeof(control));
2083 control.sframe = 1;
2084
2085 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2086 chan->rx_state == L2CAP_RX_STATE_RECV) {
2087 __clear_ack_timer(chan);
2088 control.super = L2CAP_SUPER_RNR;
2089 control.reqseq = chan->buffer_seq;
2090 l2cap_send_sframe(chan, &control);
2091 } else {
2092 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2093 l2cap_ertm_send(chan);
2094 /* If any i-frames were sent, they included an ack */
2095 if (chan->buffer_seq == chan->last_acked_seq)
2096 frames_to_ack = 0;
2097 }
2098
2099 /* Ack now if the window is 3/4ths full.
2100 * Calculate without mul or div
2101 */
2102 threshold = chan->ack_win;
2103 threshold += threshold << 1;
2104 threshold >>= 2;
2105
2106 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2107 threshold);
2108
2109 if (frames_to_ack >= threshold) {
2110 __clear_ack_timer(chan);
2111 control.super = L2CAP_SUPER_RR;
2112 control.reqseq = chan->buffer_seq;
2113 l2cap_send_sframe(chan, &control);
2114 frames_to_ack = 0;
2115 }
2116
2117 if (frames_to_ack)
2118 __set_ack_timer(chan);
2119 }
2120 }
2121
2122 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2123 struct msghdr *msg, int len,
2124 int count, struct sk_buff *skb)
2125 {
2126 struct l2cap_conn *conn = chan->conn;
2127 struct sk_buff **frag;
2128 int sent = 0;
2129
2130 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2131 return -EFAULT;
2132
2133 sent += count;
2134 len -= count;
2135
2136 /* Continuation fragments (no L2CAP header) */
2137 frag = &skb_shinfo(skb)->frag_list;
2138 while (len) {
2139 struct sk_buff *tmp;
2140
2141 count = min_t(unsigned int, conn->mtu, len);
2142
2143 tmp = chan->ops->alloc_skb(chan, 0, count,
2144 msg->msg_flags & MSG_DONTWAIT);
2145 if (IS_ERR(tmp))
2146 return PTR_ERR(tmp);
2147
2148 *frag = tmp;
2149
2150 if (!copy_from_iter_full(skb_put(*frag, count), count,
2151 &msg->msg_iter))
2152 return -EFAULT;
2153
2154 sent += count;
2155 len -= count;
2156
2157 skb->len += (*frag)->len;
2158 skb->data_len += (*frag)->len;
2159
2160 frag = &(*frag)->next;
2161 }
2162
2163 return sent;
2164 }
2165
2166 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2167 struct msghdr *msg, size_t len)
2168 {
2169 struct l2cap_conn *conn = chan->conn;
2170 struct sk_buff *skb;
2171 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2172 struct l2cap_hdr *lh;
2173
2174 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2175 __le16_to_cpu(chan->psm), len);
2176
2177 count = min_t(unsigned int, (conn->mtu - hlen), len);
2178
2179 skb = chan->ops->alloc_skb(chan, hlen, count,
2180 msg->msg_flags & MSG_DONTWAIT);
2181 if (IS_ERR(skb))
2182 return skb;
2183
2184 /* Create L2CAP header */
2185 lh = skb_put(skb, L2CAP_HDR_SIZE);
2186 lh->cid = cpu_to_le16(chan->dcid);
2187 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2188 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2189
2190 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2191 if (unlikely(err < 0)) {
2192 kfree_skb(skb);
2193 return ERR_PTR(err);
2194 }
2195 return skb;
2196 }
2197
2198 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2199 struct msghdr *msg, size_t len)
2200 {
2201 struct l2cap_conn *conn = chan->conn;
2202 struct sk_buff *skb;
2203 int err, count;
2204 struct l2cap_hdr *lh;
2205
2206 BT_DBG("chan %p len %zu", chan, len);
2207
2208 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2209
2210 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2211 msg->msg_flags & MSG_DONTWAIT);
2212 if (IS_ERR(skb))
2213 return skb;
2214
2215 /* Create L2CAP header */
2216 lh = skb_put(skb, L2CAP_HDR_SIZE);
2217 lh->cid = cpu_to_le16(chan->dcid);
2218 lh->len = cpu_to_le16(len);
2219
2220 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2221 if (unlikely(err < 0)) {
2222 kfree_skb(skb);
2223 return ERR_PTR(err);
2224 }
2225 return skb;
2226 }
2227
2228 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2229 struct msghdr *msg, size_t len,
2230 u16 sdulen)
2231 {
2232 struct l2cap_conn *conn = chan->conn;
2233 struct sk_buff *skb;
2234 int err, count, hlen;
2235 struct l2cap_hdr *lh;
2236
2237 BT_DBG("chan %p len %zu", chan, len);
2238
2239 if (!conn)
2240 return ERR_PTR(-ENOTCONN);
2241
2242 hlen = __ertm_hdr_size(chan);
2243
2244 if (sdulen)
2245 hlen += L2CAP_SDULEN_SIZE;
2246
2247 if (chan->fcs == L2CAP_FCS_CRC16)
2248 hlen += L2CAP_FCS_SIZE;
2249
2250 count = min_t(unsigned int, (conn->mtu - hlen), len);
2251
2252 skb = chan->ops->alloc_skb(chan, hlen, count,
2253 msg->msg_flags & MSG_DONTWAIT);
2254 if (IS_ERR(skb))
2255 return skb;
2256
2257 /* Create L2CAP header */
2258 lh = skb_put(skb, L2CAP_HDR_SIZE);
2259 lh->cid = cpu_to_le16(chan->dcid);
2260 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2261
2262 /* Control header is populated later */
2263 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2264 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2265 else
2266 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2267
2268 if (sdulen)
2269 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2270
2271 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2272 if (unlikely(err < 0)) {
2273 kfree_skb(skb);
2274 return ERR_PTR(err);
2275 }
2276
2277 bt_cb(skb)->l2cap.fcs = chan->fcs;
2278 bt_cb(skb)->l2cap.retries = 0;
2279 return skb;
2280 }
2281
2282 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2283 struct sk_buff_head *seg_queue,
2284 struct msghdr *msg, size_t len)
2285 {
2286 struct sk_buff *skb;
2287 u16 sdu_len;
2288 size_t pdu_len;
2289 u8 sar;
2290
2291 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2292
2293 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2294 * so fragmented skbs are not used. The HCI layer's handling
2295 * of fragmented skbs is not compatible with ERTM's queueing.
2296 */
2297
2298 /* PDU size is derived from the HCI MTU */
2299 pdu_len = chan->conn->mtu;
2300
2301 /* Constrain PDU size for BR/EDR connections */
2302 if (!chan->hs_hcon)
2303 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2304
2305 /* Adjust for largest possible L2CAP overhead. */
2306 if (chan->fcs)
2307 pdu_len -= L2CAP_FCS_SIZE;
2308
2309 pdu_len -= __ertm_hdr_size(chan);
2310
2311 /* Remote device may have requested smaller PDUs */
2312 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2313
2314 if (len <= pdu_len) {
2315 sar = L2CAP_SAR_UNSEGMENTED;
2316 sdu_len = 0;
2317 pdu_len = len;
2318 } else {
2319 sar = L2CAP_SAR_START;
2320 sdu_len = len;
2321 }
2322
2323 while (len > 0) {
2324 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2325
2326 if (IS_ERR(skb)) {
2327 __skb_queue_purge(seg_queue);
2328 return PTR_ERR(skb);
2329 }
2330
2331 bt_cb(skb)->l2cap.sar = sar;
2332 __skb_queue_tail(seg_queue, skb);
2333
2334 len -= pdu_len;
2335 if (sdu_len)
2336 sdu_len = 0;
2337
2338 if (len <= pdu_len) {
2339 sar = L2CAP_SAR_END;
2340 pdu_len = len;
2341 } else {
2342 sar = L2CAP_SAR_CONTINUE;
2343 }
2344 }
2345
2346 return 0;
2347 }
2348
2349 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2350 struct msghdr *msg,
2351 size_t len, u16 sdulen)
2352 {
2353 struct l2cap_conn *conn = chan->conn;
2354 struct sk_buff *skb;
2355 int err, count, hlen;
2356 struct l2cap_hdr *lh;
2357
2358 BT_DBG("chan %p len %zu", chan, len);
2359
2360 if (!conn)
2361 return ERR_PTR(-ENOTCONN);
2362
2363 hlen = L2CAP_HDR_SIZE;
2364
2365 if (sdulen)
2366 hlen += L2CAP_SDULEN_SIZE;
2367
2368 count = min_t(unsigned int, (conn->mtu - hlen), len);
2369
2370 skb = chan->ops->alloc_skb(chan, hlen, count,
2371 msg->msg_flags & MSG_DONTWAIT);
2372 if (IS_ERR(skb))
2373 return skb;
2374
2375 /* Create L2CAP header */
2376 lh = skb_put(skb, L2CAP_HDR_SIZE);
2377 lh->cid = cpu_to_le16(chan->dcid);
2378 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2379
2380 if (sdulen)
2381 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2382
2383 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2384 if (unlikely(err < 0)) {
2385 kfree_skb(skb);
2386 return ERR_PTR(err);
2387 }
2388
2389 return skb;
2390 }
2391
2392 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2393 struct sk_buff_head *seg_queue,
2394 struct msghdr *msg, size_t len)
2395 {
2396 struct sk_buff *skb;
2397 size_t pdu_len;
2398 u16 sdu_len;
2399
2400 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2401
2402 sdu_len = len;
2403 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2404
2405 while (len > 0) {
2406 if (len <= pdu_len)
2407 pdu_len = len;
2408
2409 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2410 if (IS_ERR(skb)) {
2411 __skb_queue_purge(seg_queue);
2412 return PTR_ERR(skb);
2413 }
2414
2415 __skb_queue_tail(seg_queue, skb);
2416
2417 len -= pdu_len;
2418
2419 if (sdu_len) {
2420 sdu_len = 0;
2421 pdu_len += L2CAP_SDULEN_SIZE;
2422 }
2423 }
2424
2425 return 0;
2426 }
2427
2428 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2429 {
2430 int sent = 0;
2431
2432 BT_DBG("chan %p", chan);
2433
2434 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2435 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2436 chan->tx_credits--;
2437 sent++;
2438 }
2439
2440 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2441 skb_queue_len(&chan->tx_q));
2442 }
2443
2444 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2445 {
2446 struct sk_buff *skb;
2447 int err;
2448 struct sk_buff_head seg_queue;
2449
2450 if (!chan->conn)
2451 return -ENOTCONN;
2452
2453 /* Connectionless channel */
2454 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2455 skb = l2cap_create_connless_pdu(chan, msg, len);
2456 if (IS_ERR(skb))
2457 return PTR_ERR(skb);
2458
2459 /* Channel lock is released before requesting new skb and then
2460 * reacquired thus we need to recheck channel state.
2461 */
2462 if (chan->state != BT_CONNECTED) {
2463 kfree_skb(skb);
2464 return -ENOTCONN;
2465 }
2466
2467 l2cap_do_send(chan, skb);
2468 return len;
2469 }
2470
2471 switch (chan->mode) {
2472 case L2CAP_MODE_LE_FLOWCTL:
2473 /* Check outgoing MTU */
2474 if (len > chan->omtu)
2475 return -EMSGSIZE;
2476
2477 __skb_queue_head_init(&seg_queue);
2478
2479 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2480
2481 if (chan->state != BT_CONNECTED) {
2482 __skb_queue_purge(&seg_queue);
2483 err = -ENOTCONN;
2484 }
2485
2486 if (err)
2487 return err;
2488
2489 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2490
2491 l2cap_le_flowctl_send(chan);
2492
2493 if (!chan->tx_credits)
2494 chan->ops->suspend(chan);
2495
2496 err = len;
2497
2498 break;
2499
2500 case L2CAP_MODE_BASIC:
2501 /* Check outgoing MTU */
2502 if (len > chan->omtu)
2503 return -EMSGSIZE;
2504
2505 /* Create a basic PDU */
2506 skb = l2cap_create_basic_pdu(chan, msg, len);
2507 if (IS_ERR(skb))
2508 return PTR_ERR(skb);
2509
2510 /* Channel lock is released before requesting new skb and then
2511 * reacquired thus we need to recheck channel state.
2512 */
2513 if (chan->state != BT_CONNECTED) {
2514 kfree_skb(skb);
2515 return -ENOTCONN;
2516 }
2517
2518 l2cap_do_send(chan, skb);
2519 err = len;
2520 break;
2521
2522 case L2CAP_MODE_ERTM:
2523 case L2CAP_MODE_STREAMING:
2524 /* Check outgoing MTU */
2525 if (len > chan->omtu) {
2526 err = -EMSGSIZE;
2527 break;
2528 }
2529
2530 __skb_queue_head_init(&seg_queue);
2531
2532 /* Do segmentation before calling in to the state machine,
2533 * since it's possible to block while waiting for memory
2534 * allocation.
2535 */
2536 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2537
2538 /* The channel could have been closed while segmenting,
2539 * check that it is still connected.
2540 */
2541 if (chan->state != BT_CONNECTED) {
2542 __skb_queue_purge(&seg_queue);
2543 err = -ENOTCONN;
2544 }
2545
2546 if (err)
2547 break;
2548
2549 if (chan->mode == L2CAP_MODE_ERTM)
2550 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2551 else
2552 l2cap_streaming_send(chan, &seg_queue);
2553
2554 err = len;
2555
2556 /* If the skbs were not queued for sending, they'll still be in
2557 * seg_queue and need to be purged.
2558 */
2559 __skb_queue_purge(&seg_queue);
2560 break;
2561
2562 default:
2563 BT_DBG("bad state %1.1x", chan->mode);
2564 err = -EBADFD;
2565 }
2566
2567 return err;
2568 }
2569 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2570
2571 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2572 {
2573 struct l2cap_ctrl control;
2574 u16 seq;
2575
2576 BT_DBG("chan %p, txseq %u", chan, txseq);
2577
2578 memset(&control, 0, sizeof(control));
2579 control.sframe = 1;
2580 control.super = L2CAP_SUPER_SREJ;
2581
2582 for (seq = chan->expected_tx_seq; seq != txseq;
2583 seq = __next_seq(chan, seq)) {
2584 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2585 control.reqseq = seq;
2586 l2cap_send_sframe(chan, &control);
2587 l2cap_seq_list_append(&chan->srej_list, seq);
2588 }
2589 }
2590
2591 chan->expected_tx_seq = __next_seq(chan, txseq);
2592 }
2593
2594 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2595 {
2596 struct l2cap_ctrl control;
2597
2598 BT_DBG("chan %p", chan);
2599
2600 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2601 return;
2602
2603 memset(&control, 0, sizeof(control));
2604 control.sframe = 1;
2605 control.super = L2CAP_SUPER_SREJ;
2606 control.reqseq = chan->srej_list.tail;
2607 l2cap_send_sframe(chan, &control);
2608 }
2609
2610 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2611 {
2612 struct l2cap_ctrl control;
2613 u16 initial_head;
2614 u16 seq;
2615
2616 BT_DBG("chan %p, txseq %u", chan, txseq);
2617
2618 memset(&control, 0, sizeof(control));
2619 control.sframe = 1;
2620 control.super = L2CAP_SUPER_SREJ;
2621
2622 /* Capture initial list head to allow only one pass through the list. */
2623 initial_head = chan->srej_list.head;
2624
2625 do {
2626 seq = l2cap_seq_list_pop(&chan->srej_list);
2627 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2628 break;
2629
2630 control.reqseq = seq;
2631 l2cap_send_sframe(chan, &control);
2632 l2cap_seq_list_append(&chan->srej_list, seq);
2633 } while (chan->srej_list.head != initial_head);
2634 }
2635
2636 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2637 {
2638 struct sk_buff *acked_skb;
2639 u16 ackseq;
2640
2641 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2642
2643 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2644 return;
2645
2646 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2647 chan->expected_ack_seq, chan->unacked_frames);
2648
2649 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2650 ackseq = __next_seq(chan, ackseq)) {
2651
2652 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2653 if (acked_skb) {
2654 skb_unlink(acked_skb, &chan->tx_q);
2655 kfree_skb(acked_skb);
2656 chan->unacked_frames--;
2657 }
2658 }
2659
2660 chan->expected_ack_seq = reqseq;
2661
2662 if (chan->unacked_frames == 0)
2663 __clear_retrans_timer(chan);
2664
2665 BT_DBG("unacked_frames %u", chan->unacked_frames);
2666 }
2667
2668 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2669 {
2670 BT_DBG("chan %p", chan);
2671
2672 chan->expected_tx_seq = chan->buffer_seq;
2673 l2cap_seq_list_clear(&chan->srej_list);
2674 skb_queue_purge(&chan->srej_q);
2675 chan->rx_state = L2CAP_RX_STATE_RECV;
2676 }
2677
2678 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2679 struct l2cap_ctrl *control,
2680 struct sk_buff_head *skbs, u8 event)
2681 {
2682 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2683 event);
2684
2685 switch (event) {
2686 case L2CAP_EV_DATA_REQUEST:
2687 if (chan->tx_send_head == NULL)
2688 chan->tx_send_head = skb_peek(skbs);
2689
2690 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2691 l2cap_ertm_send(chan);
2692 break;
2693 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2694 BT_DBG("Enter LOCAL_BUSY");
2695 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2696
2697 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2698 /* The SREJ_SENT state must be aborted if we are to
2699 * enter the LOCAL_BUSY state.
2700 */
2701 l2cap_abort_rx_srej_sent(chan);
2702 }
2703
2704 l2cap_send_ack(chan);
2705
2706 break;
2707 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2708 BT_DBG("Exit LOCAL_BUSY");
2709 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2710
2711 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2712 struct l2cap_ctrl local_control;
2713
2714 memset(&local_control, 0, sizeof(local_control));
2715 local_control.sframe = 1;
2716 local_control.super = L2CAP_SUPER_RR;
2717 local_control.poll = 1;
2718 local_control.reqseq = chan->buffer_seq;
2719 l2cap_send_sframe(chan, &local_control);
2720
2721 chan->retry_count = 1;
2722 __set_monitor_timer(chan);
2723 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2724 }
2725 break;
2726 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2727 l2cap_process_reqseq(chan, control->reqseq);
2728 break;
2729 case L2CAP_EV_EXPLICIT_POLL:
2730 l2cap_send_rr_or_rnr(chan, 1);
2731 chan->retry_count = 1;
2732 __set_monitor_timer(chan);
2733 __clear_ack_timer(chan);
2734 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2735 break;
2736 case L2CAP_EV_RETRANS_TO:
2737 l2cap_send_rr_or_rnr(chan, 1);
2738 chan->retry_count = 1;
2739 __set_monitor_timer(chan);
2740 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2741 break;
2742 case L2CAP_EV_RECV_FBIT:
2743 /* Nothing to process */
2744 break;
2745 default:
2746 break;
2747 }
2748 }
2749
2750 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2751 struct l2cap_ctrl *control,
2752 struct sk_buff_head *skbs, u8 event)
2753 {
2754 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2755 event);
2756
2757 switch (event) {
2758 case L2CAP_EV_DATA_REQUEST:
2759 if (chan->tx_send_head == NULL)
2760 chan->tx_send_head = skb_peek(skbs);
2761 /* Queue data, but don't send. */
2762 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2763 break;
2764 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2765 BT_DBG("Enter LOCAL_BUSY");
2766 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2767
2768 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2769 /* The SREJ_SENT state must be aborted if we are to
2770 * enter the LOCAL_BUSY state.
2771 */
2772 l2cap_abort_rx_srej_sent(chan);
2773 }
2774
2775 l2cap_send_ack(chan);
2776
2777 break;
2778 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2779 BT_DBG("Exit LOCAL_BUSY");
2780 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2781
2782 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2783 struct l2cap_ctrl local_control;
2784 memset(&local_control, 0, sizeof(local_control));
2785 local_control.sframe = 1;
2786 local_control.super = L2CAP_SUPER_RR;
2787 local_control.poll = 1;
2788 local_control.reqseq = chan->buffer_seq;
2789 l2cap_send_sframe(chan, &local_control);
2790
2791 chan->retry_count = 1;
2792 __set_monitor_timer(chan);
2793 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2794 }
2795 break;
2796 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2797 l2cap_process_reqseq(chan, control->reqseq);
2798
2799 /* Fall through */
2800
2801 case L2CAP_EV_RECV_FBIT:
2802 if (control && control->final) {
2803 __clear_monitor_timer(chan);
2804 if (chan->unacked_frames > 0)
2805 __set_retrans_timer(chan);
2806 chan->retry_count = 0;
2807 chan->tx_state = L2CAP_TX_STATE_XMIT;
2808 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2809 }
2810 break;
2811 case L2CAP_EV_EXPLICIT_POLL:
2812 /* Ignore */
2813 break;
2814 case L2CAP_EV_MONITOR_TO:
2815 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2816 l2cap_send_rr_or_rnr(chan, 1);
2817 __set_monitor_timer(chan);
2818 chan->retry_count++;
2819 } else {
2820 l2cap_send_disconn_req(chan, ECONNABORTED);
2821 }
2822 break;
2823 default:
2824 break;
2825 }
2826 }
2827
2828 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2829 struct sk_buff_head *skbs, u8 event)
2830 {
2831 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2832 chan, control, skbs, event, chan->tx_state);
2833
2834 switch (chan->tx_state) {
2835 case L2CAP_TX_STATE_XMIT:
2836 l2cap_tx_state_xmit(chan, control, skbs, event);
2837 break;
2838 case L2CAP_TX_STATE_WAIT_F:
2839 l2cap_tx_state_wait_f(chan, control, skbs, event);
2840 break;
2841 default:
2842 /* Ignore event */
2843 break;
2844 }
2845 }
2846
2847 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2848 struct l2cap_ctrl *control)
2849 {
2850 BT_DBG("chan %p, control %p", chan, control);
2851 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2852 }
2853
2854 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2855 struct l2cap_ctrl *control)
2856 {
2857 BT_DBG("chan %p, control %p", chan, control);
2858 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2859 }
2860
2861 /* Copy frame to all raw sockets on that connection */
2862 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2863 {
2864 struct sk_buff *nskb;
2865 struct l2cap_chan *chan;
2866
2867 BT_DBG("conn %p", conn);
2868
2869 mutex_lock(&conn->chan_lock);
2870
2871 list_for_each_entry(chan, &conn->chan_l, list) {
2872 if (chan->chan_type != L2CAP_CHAN_RAW)
2873 continue;
2874
2875 /* Don't send frame to the channel it came from */
2876 if (bt_cb(skb)->l2cap.chan == chan)
2877 continue;
2878
2879 nskb = skb_clone(skb, GFP_KERNEL);
2880 if (!nskb)
2881 continue;
2882 if (chan->ops->recv(chan, nskb))
2883 kfree_skb(nskb);
2884 }
2885
2886 mutex_unlock(&conn->chan_lock);
2887 }
2888
2889 /* ---- L2CAP signalling commands ---- */
2890 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2891 u8 ident, u16 dlen, void *data)
2892 {
2893 struct sk_buff *skb, **frag;
2894 struct l2cap_cmd_hdr *cmd;
2895 struct l2cap_hdr *lh;
2896 int len, count;
2897
2898 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2899 conn, code, ident, dlen);
2900
2901 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2902 return NULL;
2903
2904 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2905 count = min_t(unsigned int, conn->mtu, len);
2906
2907 skb = bt_skb_alloc(count, GFP_KERNEL);
2908 if (!skb)
2909 return NULL;
2910
2911 lh = skb_put(skb, L2CAP_HDR_SIZE);
2912 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2913
2914 if (conn->hcon->type == LE_LINK)
2915 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2916 else
2917 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2918
2919 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2920 cmd->code = code;
2921 cmd->ident = ident;
2922 cmd->len = cpu_to_le16(dlen);
2923
2924 if (dlen) {
2925 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2926 skb_put_data(skb, data, count);
2927 data += count;
2928 }
2929
2930 len -= skb->len;
2931
2932 /* Continuation fragments (no L2CAP header) */
2933 frag = &skb_shinfo(skb)->frag_list;
2934 while (len) {
2935 count = min_t(unsigned int, conn->mtu, len);
2936
2937 *frag = bt_skb_alloc(count, GFP_KERNEL);
2938 if (!*frag)
2939 goto fail;
2940
2941 skb_put_data(*frag, data, count);
2942
2943 len -= count;
2944 data += count;
2945
2946 frag = &(*frag)->next;
2947 }
2948
2949 return skb;
2950
2951 fail:
2952 kfree_skb(skb);
2953 return NULL;
2954 }
2955
2956 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2957 unsigned long *val)
2958 {
2959 struct l2cap_conf_opt *opt = *ptr;
2960 int len;
2961
2962 len = L2CAP_CONF_OPT_SIZE + opt->len;
2963 *ptr += len;
2964
2965 *type = opt->type;
2966 *olen = opt->len;
2967
2968 switch (opt->len) {
2969 case 1:
2970 *val = *((u8 *) opt->val);
2971 break;
2972
2973 case 2:
2974 *val = get_unaligned_le16(opt->val);
2975 break;
2976
2977 case 4:
2978 *val = get_unaligned_le32(opt->val);
2979 break;
2980
2981 default:
2982 *val = (unsigned long) opt->val;
2983 break;
2984 }
2985
2986 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2987 return len;
2988 }
2989
2990 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2991 {
2992 struct l2cap_conf_opt *opt = *ptr;
2993
2994 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2995
2996 opt->type = type;
2997 opt->len = len;
2998
2999 switch (len) {
3000 case 1:
3001 *((u8 *) opt->val) = val;
3002 break;
3003
3004 case 2:
3005 put_unaligned_le16(val, opt->val);
3006 break;
3007
3008 case 4:
3009 put_unaligned_le32(val, opt->val);
3010 break;
3011
3012 default:
3013 memcpy(opt->val, (void *) val, len);
3014 break;
3015 }
3016
3017 *ptr += L2CAP_CONF_OPT_SIZE + len;
3018 }
3019
3020 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3021 {
3022 struct l2cap_conf_efs efs;
3023
3024 switch (chan->mode) {
3025 case L2CAP_MODE_ERTM:
3026 efs.id = chan->local_id;
3027 efs.stype = chan->local_stype;
3028 efs.msdu = cpu_to_le16(chan->local_msdu);
3029 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3030 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3031 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3032 break;
3033
3034 case L2CAP_MODE_STREAMING:
3035 efs.id = 1;
3036 efs.stype = L2CAP_SERV_BESTEFFORT;
3037 efs.msdu = cpu_to_le16(chan->local_msdu);
3038 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3039 efs.acc_lat = 0;
3040 efs.flush_to = 0;
3041 break;
3042
3043 default:
3044 return;
3045 }
3046
3047 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3048 (unsigned long) &efs);
3049 }
3050
3051 static void l2cap_ack_timeout(struct work_struct *work)
3052 {
3053 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3054 ack_timer.work);
3055 u16 frames_to_ack;
3056
3057 BT_DBG("chan %p", chan);
3058
3059 l2cap_chan_lock(chan);
3060
3061 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3062 chan->last_acked_seq);
3063
3064 if (frames_to_ack)
3065 l2cap_send_rr_or_rnr(chan, 0);
3066
3067 l2cap_chan_unlock(chan);
3068 l2cap_chan_put(chan);
3069 }
3070
3071 int l2cap_ertm_init(struct l2cap_chan *chan)
3072 {
3073 int err;
3074
3075 chan->next_tx_seq = 0;
3076 chan->expected_tx_seq = 0;
3077 chan->expected_ack_seq = 0;
3078 chan->unacked_frames = 0;
3079 chan->buffer_seq = 0;
3080 chan->frames_sent = 0;
3081 chan->last_acked_seq = 0;
3082 chan->sdu = NULL;
3083 chan->sdu_last_frag = NULL;
3084 chan->sdu_len = 0;
3085
3086 skb_queue_head_init(&chan->tx_q);
3087
3088 chan->local_amp_id = AMP_ID_BREDR;
3089 chan->move_id = AMP_ID_BREDR;
3090 chan->move_state = L2CAP_MOVE_STABLE;
3091 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3092
3093 if (chan->mode != L2CAP_MODE_ERTM)
3094 return 0;
3095
3096 chan->rx_state = L2CAP_RX_STATE_RECV;
3097 chan->tx_state = L2CAP_TX_STATE_XMIT;
3098
3099 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3100 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3101 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3102
3103 skb_queue_head_init(&chan->srej_q);
3104
3105 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3106 if (err < 0)
3107 return err;
3108
3109 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3110 if (err < 0)
3111 l2cap_seq_list_free(&chan->srej_list);
3112
3113 return err;
3114 }
3115
3116 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3117 {
3118 switch (mode) {
3119 case L2CAP_MODE_STREAMING:
3120 case L2CAP_MODE_ERTM:
3121 if (l2cap_mode_supported(mode, remote_feat_mask))
3122 return mode;
3123 /* fall through */
3124 default:
3125 return L2CAP_MODE_BASIC;
3126 }
3127 }
3128
3129 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3130 {
3131 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3132 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3133 }
3134
3135 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3136 {
3137 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3138 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3139 }
3140
3141 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3142 struct l2cap_conf_rfc *rfc)
3143 {
3144 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3145 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3146
3147 /* Class 1 devices have must have ERTM timeouts
3148 * exceeding the Link Supervision Timeout. The
3149 * default Link Supervision Timeout for AMP
3150 * controllers is 10 seconds.
3151 *
3152 * Class 1 devices use 0xffffffff for their
3153 * best-effort flush timeout, so the clamping logic
3154 * will result in a timeout that meets the above
3155 * requirement. ERTM timeouts are 16-bit values, so
3156 * the maximum timeout is 65.535 seconds.
3157 */
3158
3159 /* Convert timeout to milliseconds and round */
3160 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3161
3162 /* This is the recommended formula for class 2 devices
3163 * that start ERTM timers when packets are sent to the
3164 * controller.
3165 */
3166 ertm_to = 3 * ertm_to + 500;
3167
3168 if (ertm_to > 0xffff)
3169 ertm_to = 0xffff;
3170
3171 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3172 rfc->monitor_timeout = rfc->retrans_timeout;
3173 } else {
3174 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3175 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3176 }
3177 }
3178
3179 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3180 {
3181 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3182 __l2cap_ews_supported(chan->conn)) {
3183 /* use extended control field */
3184 set_bit(FLAG_EXT_CTRL, &chan->flags);
3185 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3186 } else {
3187 chan->tx_win = min_t(u16, chan->tx_win,
3188 L2CAP_DEFAULT_TX_WINDOW);
3189 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3190 }
3191 chan->ack_win = chan->tx_win;
3192 }
3193
3194 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3195 {
3196 struct l2cap_conf_req *req = data;
3197 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3198 void *ptr = req->data;
3199 u16 size;
3200
3201 BT_DBG("chan %p", chan);
3202
3203 if (chan->num_conf_req || chan->num_conf_rsp)
3204 goto done;
3205
3206 switch (chan->mode) {
3207 case L2CAP_MODE_STREAMING:
3208 case L2CAP_MODE_ERTM:
3209 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3210 break;
3211
3212 if (__l2cap_efs_supported(chan->conn))
3213 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3214
3215 /* fall through */
3216 default:
3217 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3218 break;
3219 }
3220
3221 done:
3222 if (chan->imtu != L2CAP_DEFAULT_MTU)
3223 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3224
3225 switch (chan->mode) {
3226 case L2CAP_MODE_BASIC:
3227 if (disable_ertm)
3228 break;
3229
3230 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3231 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3232 break;
3233
3234 rfc.mode = L2CAP_MODE_BASIC;
3235 rfc.txwin_size = 0;
3236 rfc.max_transmit = 0;
3237 rfc.retrans_timeout = 0;
3238 rfc.monitor_timeout = 0;
3239 rfc.max_pdu_size = 0;
3240
3241 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3242 (unsigned long) &rfc);
3243 break;
3244
3245 case L2CAP_MODE_ERTM:
3246 rfc.mode = L2CAP_MODE_ERTM;
3247 rfc.max_transmit = chan->max_tx;
3248
3249 __l2cap_set_ertm_timeouts(chan, &rfc);
3250
3251 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3252 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3253 L2CAP_FCS_SIZE);
3254 rfc.max_pdu_size = cpu_to_le16(size);
3255
3256 l2cap_txwin_setup(chan);
3257
3258 rfc.txwin_size = min_t(u16, chan->tx_win,
3259 L2CAP_DEFAULT_TX_WINDOW);
3260
3261 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3262 (unsigned long) &rfc);
3263
3264 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3265 l2cap_add_opt_efs(&ptr, chan);
3266
3267 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3268 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3269 chan->tx_win);
3270
3271 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3272 if (chan->fcs == L2CAP_FCS_NONE ||
3273 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3274 chan->fcs = L2CAP_FCS_NONE;
3275 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3276 chan->fcs);
3277 }
3278 break;
3279
3280 case L2CAP_MODE_STREAMING:
3281 l2cap_txwin_setup(chan);
3282 rfc.mode = L2CAP_MODE_STREAMING;
3283 rfc.txwin_size = 0;
3284 rfc.max_transmit = 0;
3285 rfc.retrans_timeout = 0;
3286 rfc.monitor_timeout = 0;
3287
3288 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3289 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3290 L2CAP_FCS_SIZE);
3291 rfc.max_pdu_size = cpu_to_le16(size);
3292
3293 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3294 (unsigned long) &rfc);
3295
3296 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3297 l2cap_add_opt_efs(&ptr, chan);
3298
3299 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3300 if (chan->fcs == L2CAP_FCS_NONE ||
3301 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3302 chan->fcs = L2CAP_FCS_NONE;
3303 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3304 chan->fcs);
3305 }
3306 break;
3307 }
3308
3309 req->dcid = cpu_to_le16(chan->dcid);
3310 req->flags = cpu_to_le16(0);
3311
3312 return ptr - data;
3313 }
3314
3315 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3316 {
3317 struct l2cap_conf_rsp *rsp = data;
3318 void *ptr = rsp->data;
3319 void *req = chan->conf_req;
3320 int len = chan->conf_len;
3321 int type, hint, olen;
3322 unsigned long val;
3323 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3324 struct l2cap_conf_efs efs;
3325 u8 remote_efs = 0;
3326 u16 mtu = L2CAP_DEFAULT_MTU;
3327 u16 result = L2CAP_CONF_SUCCESS;
3328 u16 size;
3329
3330 BT_DBG("chan %p", chan);
3331
3332 while (len >= L2CAP_CONF_OPT_SIZE) {
3333 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3334
3335 hint = type & L2CAP_CONF_HINT;
3336 type &= L2CAP_CONF_MASK;
3337
3338 switch (type) {
3339 case L2CAP_CONF_MTU:
3340 mtu = val;
3341 break;
3342
3343 case L2CAP_CONF_FLUSH_TO:
3344 chan->flush_to = val;
3345 break;
3346
3347 case L2CAP_CONF_QOS:
3348 break;
3349
3350 case L2CAP_CONF_RFC:
3351 if (olen == sizeof(rfc))
3352 memcpy(&rfc, (void *) val, olen);
3353 break;
3354
3355 case L2CAP_CONF_FCS:
3356 if (val == L2CAP_FCS_NONE)
3357 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3358 break;
3359
3360 case L2CAP_CONF_EFS:
3361 remote_efs = 1;
3362 if (olen == sizeof(efs))
3363 memcpy(&efs, (void *) val, olen);
3364 break;
3365
3366 case L2CAP_CONF_EWS:
3367 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3368 return -ECONNREFUSED;
3369
3370 set_bit(FLAG_EXT_CTRL, &chan->flags);
3371 set_bit(CONF_EWS_RECV, &chan->conf_state);
3372 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3373 chan->remote_tx_win = val;
3374 break;
3375
3376 default:
3377 if (hint)
3378 break;
3379
3380 result = L2CAP_CONF_UNKNOWN;
3381 *((u8 *) ptr++) = type;
3382 break;
3383 }
3384 }
3385
3386 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3387 goto done;
3388
3389 switch (chan->mode) {
3390 case L2CAP_MODE_STREAMING:
3391 case L2CAP_MODE_ERTM:
3392 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3393 chan->mode = l2cap_select_mode(rfc.mode,
3394 chan->conn->feat_mask);
3395 break;
3396 }
3397
3398 if (remote_efs) {
3399 if (__l2cap_efs_supported(chan->conn))
3400 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3401 else
3402 return -ECONNREFUSED;
3403 }
3404
3405 if (chan->mode != rfc.mode)
3406 return -ECONNREFUSED;
3407
3408 break;
3409 }
3410
3411 done:
3412 if (chan->mode != rfc.mode) {
3413 result = L2CAP_CONF_UNACCEPT;
3414 rfc.mode = chan->mode;
3415
3416 if (chan->num_conf_rsp == 1)
3417 return -ECONNREFUSED;
3418
3419 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3420 (unsigned long) &rfc);
3421 }
3422
3423 if (result == L2CAP_CONF_SUCCESS) {
3424 /* Configure output options and let the other side know
3425 * which ones we don't like. */
3426
3427 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3428 result = L2CAP_CONF_UNACCEPT;
3429 else {
3430 chan->omtu = mtu;
3431 set_bit(CONF_MTU_DONE, &chan->conf_state);
3432 }
3433 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3434
3435 if (remote_efs) {
3436 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3437 efs.stype != L2CAP_SERV_NOTRAFIC &&
3438 efs.stype != chan->local_stype) {
3439
3440 result = L2CAP_CONF_UNACCEPT;
3441
3442 if (chan->num_conf_req >= 1)
3443 return -ECONNREFUSED;
3444
3445 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3446 sizeof(efs),
3447 (unsigned long) &efs);
3448 } else {
3449 /* Send PENDING Conf Rsp */
3450 result = L2CAP_CONF_PENDING;
3451 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3452 }
3453 }
3454
3455 switch (rfc.mode) {
3456 case L2CAP_MODE_BASIC:
3457 chan->fcs = L2CAP_FCS_NONE;
3458 set_bit(CONF_MODE_DONE, &chan->conf_state);
3459 break;
3460
3461 case L2CAP_MODE_ERTM:
3462 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3463 chan->remote_tx_win = rfc.txwin_size;
3464 else
3465 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3466
3467 chan->remote_max_tx = rfc.max_transmit;
3468
3469 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3470 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3471 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3472 rfc.max_pdu_size = cpu_to_le16(size);
3473 chan->remote_mps = size;
3474
3475 __l2cap_set_ertm_timeouts(chan, &rfc);
3476
3477 set_bit(CONF_MODE_DONE, &chan->conf_state);
3478
3479 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3480 sizeof(rfc), (unsigned long) &rfc);
3481
3482 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3483 chan->remote_id = efs.id;
3484 chan->remote_stype = efs.stype;
3485 chan->remote_msdu = le16_to_cpu(efs.msdu);
3486 chan->remote_flush_to =
3487 le32_to_cpu(efs.flush_to);
3488 chan->remote_acc_lat =
3489 le32_to_cpu(efs.acc_lat);
3490 chan->remote_sdu_itime =
3491 le32_to_cpu(efs.sdu_itime);
3492 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3493 sizeof(efs),
3494 (unsigned long) &efs);
3495 }
3496 break;
3497
3498 case L2CAP_MODE_STREAMING:
3499 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3500 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3501 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3502 rfc.max_pdu_size = cpu_to_le16(size);
3503 chan->remote_mps = size;
3504
3505 set_bit(CONF_MODE_DONE, &chan->conf_state);
3506
3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3508 (unsigned long) &rfc);
3509
3510 break;
3511
3512 default:
3513 result = L2CAP_CONF_UNACCEPT;
3514
3515 memset(&rfc, 0, sizeof(rfc));
3516 rfc.mode = chan->mode;
3517 }
3518
3519 if (result == L2CAP_CONF_SUCCESS)
3520 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3521 }
3522 rsp->scid = cpu_to_le16(chan->dcid);
3523 rsp->result = cpu_to_le16(result);
3524 rsp->flags = cpu_to_le16(0);
3525
3526 return ptr - data;
3527 }
3528
3529 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3530 void *data, u16 *result)
3531 {
3532 struct l2cap_conf_req *req = data;
3533 void *ptr = req->data;
3534 int type, olen;
3535 unsigned long val;
3536 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3537 struct l2cap_conf_efs efs;
3538
3539 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3540
3541 while (len >= L2CAP_CONF_OPT_SIZE) {
3542 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3543
3544 switch (type) {
3545 case L2CAP_CONF_MTU:
3546 if (val < L2CAP_DEFAULT_MIN_MTU) {
3547 *result = L2CAP_CONF_UNACCEPT;
3548 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3549 } else
3550 chan->imtu = val;
3551 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3552 break;
3553
3554 case L2CAP_CONF_FLUSH_TO:
3555 chan->flush_to = val;
3556 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3557 2, chan->flush_to);
3558 break;
3559
3560 case L2CAP_CONF_RFC:
3561 if (olen == sizeof(rfc))
3562 memcpy(&rfc, (void *)val, olen);
3563
3564 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3565 rfc.mode != chan->mode)
3566 return -ECONNREFUSED;
3567
3568 chan->fcs = 0;
3569
3570 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3571 sizeof(rfc), (unsigned long) &rfc);
3572 break;
3573
3574 case L2CAP_CONF_EWS:
3575 chan->ack_win = min_t(u16, val, chan->ack_win);
3576 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3577 chan->tx_win);
3578 break;
3579
3580 case L2CAP_CONF_EFS:
3581 if (olen == sizeof(efs))
3582 memcpy(&efs, (void *)val, olen);
3583
3584 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3585 efs.stype != L2CAP_SERV_NOTRAFIC &&
3586 efs.stype != chan->local_stype)
3587 return -ECONNREFUSED;
3588
3589 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3590 (unsigned long) &efs);
3591 break;
3592
3593 case L2CAP_CONF_FCS:
3594 if (*result == L2CAP_CONF_PENDING)
3595 if (val == L2CAP_FCS_NONE)
3596 set_bit(CONF_RECV_NO_FCS,
3597 &chan->conf_state);
3598 break;
3599 }
3600 }
3601
3602 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3603 return -ECONNREFUSED;
3604
3605 chan->mode = rfc.mode;
3606
3607 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3608 switch (rfc.mode) {
3609 case L2CAP_MODE_ERTM:
3610 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3611 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3612 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3613 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3614 chan->ack_win = min_t(u16, chan->ack_win,
3615 rfc.txwin_size);
3616
3617 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3618 chan->local_msdu = le16_to_cpu(efs.msdu);
3619 chan->local_sdu_itime =
3620 le32_to_cpu(efs.sdu_itime);
3621 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3622 chan->local_flush_to =
3623 le32_to_cpu(efs.flush_to);
3624 }
3625 break;
3626
3627 case L2CAP_MODE_STREAMING:
3628 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3629 }
3630 }
3631
3632 req->dcid = cpu_to_le16(chan->dcid);
3633 req->flags = cpu_to_le16(0);
3634
3635 return ptr - data;
3636 }
3637
3638 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3639 u16 result, u16 flags)
3640 {
3641 struct l2cap_conf_rsp *rsp = data;
3642 void *ptr = rsp->data;
3643
3644 BT_DBG("chan %p", chan);
3645
3646 rsp->scid = cpu_to_le16(chan->dcid);
3647 rsp->result = cpu_to_le16(result);
3648 rsp->flags = cpu_to_le16(flags);
3649
3650 return ptr - data;
3651 }
3652
3653 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3654 {
3655 struct l2cap_le_conn_rsp rsp;
3656 struct l2cap_conn *conn = chan->conn;
3657
3658 BT_DBG("chan %p", chan);
3659
3660 rsp.dcid = cpu_to_le16(chan->scid);
3661 rsp.mtu = cpu_to_le16(chan->imtu);
3662 rsp.mps = cpu_to_le16(chan->mps);
3663 rsp.credits = cpu_to_le16(chan->rx_credits);
3664 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3665
3666 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3667 &rsp);
3668 }
3669
3670 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3671 {
3672 struct l2cap_conn_rsp rsp;
3673 struct l2cap_conn *conn = chan->conn;
3674 u8 buf[128];
3675 u8 rsp_code;
3676
3677 rsp.scid = cpu_to_le16(chan->dcid);
3678 rsp.dcid = cpu_to_le16(chan->scid);
3679 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3680 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3681
3682 if (chan->hs_hcon)
3683 rsp_code = L2CAP_CREATE_CHAN_RSP;
3684 else
3685 rsp_code = L2CAP_CONN_RSP;
3686
3687 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3688
3689 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3690
3691 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3692 return;
3693
3694 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3695 l2cap_build_conf_req(chan, buf), buf);
3696 chan->num_conf_req++;
3697 }
3698
3699 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3700 {
3701 int type, olen;
3702 unsigned long val;
3703 /* Use sane default values in case a misbehaving remote device
3704 * did not send an RFC or extended window size option.
3705 */
3706 u16 txwin_ext = chan->ack_win;
3707 struct l2cap_conf_rfc rfc = {
3708 .mode = chan->mode,
3709 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3710 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3711 .max_pdu_size = cpu_to_le16(chan->imtu),
3712 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3713 };
3714
3715 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3716
3717 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3718 return;
3719
3720 while (len >= L2CAP_CONF_OPT_SIZE) {
3721 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3722
3723 switch (type) {
3724 case L2CAP_CONF_RFC:
3725 if (olen == sizeof(rfc))
3726 memcpy(&rfc, (void *)val, olen);
3727 break;
3728 case L2CAP_CONF_EWS:
3729 txwin_ext = val;
3730 break;
3731 }
3732 }
3733
3734 switch (rfc.mode) {
3735 case L2CAP_MODE_ERTM:
3736 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3737 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3738 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3739 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3740 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3741 else
3742 chan->ack_win = min_t(u16, chan->ack_win,
3743 rfc.txwin_size);
3744 break;
3745 case L2CAP_MODE_STREAMING:
3746 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3747 }
3748 }
3749
3750 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3751 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3752 u8 *data)
3753 {
3754 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3755
3756 if (cmd_len < sizeof(*rej))
3757 return -EPROTO;
3758
3759 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3760 return 0;
3761
3762 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3763 cmd->ident == conn->info_ident) {
3764 cancel_delayed_work(&conn->info_timer);
3765
3766 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3767 conn->info_ident = 0;
3768
3769 l2cap_conn_start(conn);
3770 }
3771
3772 return 0;
3773 }
3774
3775 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3776 struct l2cap_cmd_hdr *cmd,
3777 u8 *data, u8 rsp_code, u8 amp_id)
3778 {
3779 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3780 struct l2cap_conn_rsp rsp;
3781 struct l2cap_chan *chan = NULL, *pchan;
3782 int result, status = L2CAP_CS_NO_INFO;
3783
3784 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3785 __le16 psm = req->psm;
3786
3787 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3788
3789 /* Check if we have socket listening on psm */
3790 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3791 &conn->hcon->dst, ACL_LINK);
3792 if (!pchan) {
3793 result = L2CAP_CR_BAD_PSM;
3794 goto sendresp;
3795 }
3796
3797 mutex_lock(&conn->chan_lock);
3798 l2cap_chan_lock(pchan);
3799
3800 /* Check if the ACL is secure enough (if not SDP) */
3801 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3802 !hci_conn_check_link_mode(conn->hcon)) {
3803 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3804 result = L2CAP_CR_SEC_BLOCK;
3805 goto response;
3806 }
3807
3808 result = L2CAP_CR_NO_MEM;
3809
3810 /* Check if we already have channel with that dcid */
3811 if (__l2cap_get_chan_by_dcid(conn, scid))
3812 goto response;
3813
3814 chan = pchan->ops->new_connection(pchan);
3815 if (!chan)
3816 goto response;
3817
3818 /* For certain devices (ex: HID mouse), support for authentication,
3819 * pairing and bonding is optional. For such devices, inorder to avoid
3820 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3821 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3822 */
3823 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3824
3825 bacpy(&chan->src, &conn->hcon->src);
3826 bacpy(&chan->dst, &conn->hcon->dst);
3827 chan->src_type = bdaddr_src_type(conn->hcon);
3828 chan->dst_type = bdaddr_dst_type(conn->hcon);
3829 chan->psm = psm;
3830 chan->dcid = scid;
3831 chan->local_amp_id = amp_id;
3832
3833 __l2cap_chan_add(conn, chan);
3834
3835 dcid = chan->scid;
3836
3837 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3838
3839 chan->ident = cmd->ident;
3840
3841 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3842 if (l2cap_chan_check_security(chan, false)) {
3843 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3844 l2cap_state_change(chan, BT_CONNECT2);
3845 result = L2CAP_CR_PEND;
3846 status = L2CAP_CS_AUTHOR_PEND;
3847 chan->ops->defer(chan);
3848 } else {
3849 /* Force pending result for AMP controllers.
3850 * The connection will succeed after the
3851 * physical link is up.
3852 */
3853 if (amp_id == AMP_ID_BREDR) {
3854 l2cap_state_change(chan, BT_CONFIG);
3855 result = L2CAP_CR_SUCCESS;
3856 } else {
3857 l2cap_state_change(chan, BT_CONNECT2);
3858 result = L2CAP_CR_PEND;
3859 }
3860 status = L2CAP_CS_NO_INFO;
3861 }
3862 } else {
3863 l2cap_state_change(chan, BT_CONNECT2);
3864 result = L2CAP_CR_PEND;
3865 status = L2CAP_CS_AUTHEN_PEND;
3866 }
3867 } else {
3868 l2cap_state_change(chan, BT_CONNECT2);
3869 result = L2CAP_CR_PEND;
3870 status = L2CAP_CS_NO_INFO;
3871 }
3872
3873 response:
3874 l2cap_chan_unlock(pchan);
3875 mutex_unlock(&conn->chan_lock);
3876 l2cap_chan_put(pchan);
3877
3878 sendresp:
3879 rsp.scid = cpu_to_le16(scid);
3880 rsp.dcid = cpu_to_le16(dcid);
3881 rsp.result = cpu_to_le16(result);
3882 rsp.status = cpu_to_le16(status);
3883 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3884
3885 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3886 struct l2cap_info_req info;
3887 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3888
3889 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3890 conn->info_ident = l2cap_get_ident(conn);
3891
3892 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3893
3894 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3895 sizeof(info), &info);
3896 }
3897
3898 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3899 result == L2CAP_CR_SUCCESS) {
3900 u8 buf[128];
3901 set_bit(CONF_REQ_SENT, &chan->conf_state);
3902 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3903 l2cap_build_conf_req(chan, buf), buf);
3904 chan->num_conf_req++;
3905 }
3906
3907 return chan;
3908 }
3909
3910 static int l2cap_connect_req(struct l2cap_conn *conn,
3911 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3912 {
3913 struct hci_dev *hdev = conn->hcon->hdev;
3914 struct hci_conn *hcon = conn->hcon;
3915
3916 if (cmd_len < sizeof(struct l2cap_conn_req))
3917 return -EPROTO;
3918
3919 hci_dev_lock(hdev);
3920 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3921 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3922 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3923 hci_dev_unlock(hdev);
3924
3925 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3926 return 0;
3927 }
3928
3929 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3930 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3931 u8 *data)
3932 {
3933 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3934 u16 scid, dcid, result, status;
3935 struct l2cap_chan *chan;
3936 u8 req[128];
3937 int err;
3938
3939 if (cmd_len < sizeof(*rsp))
3940 return -EPROTO;
3941
3942 scid = __le16_to_cpu(rsp->scid);
3943 dcid = __le16_to_cpu(rsp->dcid);
3944 result = __le16_to_cpu(rsp->result);
3945 status = __le16_to_cpu(rsp->status);
3946
3947 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3948 dcid, scid, result, status);
3949
3950 mutex_lock(&conn->chan_lock);
3951
3952 if (scid) {
3953 chan = __l2cap_get_chan_by_scid(conn, scid);
3954 if (!chan) {
3955 err = -EBADSLT;
3956 goto unlock;
3957 }
3958 } else {
3959 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3960 if (!chan) {
3961 err = -EBADSLT;
3962 goto unlock;
3963 }
3964 }
3965
3966 err = 0;
3967
3968 l2cap_chan_lock(chan);
3969
3970 switch (result) {
3971 case L2CAP_CR_SUCCESS:
3972 l2cap_state_change(chan, BT_CONFIG);
3973 chan->ident = 0;
3974 chan->dcid = dcid;
3975 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3976
3977 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3978 break;
3979
3980 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3981 l2cap_build_conf_req(chan, req), req);
3982 chan->num_conf_req++;
3983 break;
3984
3985 case L2CAP_CR_PEND:
3986 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3987 break;
3988
3989 default:
3990 l2cap_chan_del(chan, ECONNREFUSED);
3991 break;
3992 }
3993
3994 l2cap_chan_unlock(chan);
3995
3996 unlock:
3997 mutex_unlock(&conn->chan_lock);
3998
3999 return err;
4000 }
4001
4002 static inline void set_default_fcs(struct l2cap_chan *chan)
4003 {
4004 /* FCS is enabled only in ERTM or streaming mode, if one or both
4005 * sides request it.
4006 */
4007 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4008 chan->fcs = L2CAP_FCS_NONE;
4009 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4010 chan->fcs = L2CAP_FCS_CRC16;
4011 }
4012
4013 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4014 u8 ident, u16 flags)
4015 {
4016 struct l2cap_conn *conn = chan->conn;
4017
4018 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4019 flags);
4020
4021 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4022 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4023
4024 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4025 l2cap_build_conf_rsp(chan, data,
4026 L2CAP_CONF_SUCCESS, flags), data);
4027 }
4028
4029 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4030 u16 scid, u16 dcid)
4031 {
4032 struct l2cap_cmd_rej_cid rej;
4033
4034 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4035 rej.scid = __cpu_to_le16(scid);
4036 rej.dcid = __cpu_to_le16(dcid);
4037
4038 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4039 }
4040
4041 static inline int l2cap_config_req(struct l2cap_conn *conn,
4042 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4043 u8 *data)
4044 {
4045 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4046 u16 dcid, flags;
4047 u8 rsp[64];
4048 struct l2cap_chan *chan;
4049 int len, err = 0;
4050
4051 if (cmd_len < sizeof(*req))
4052 return -EPROTO;
4053
4054 dcid = __le16_to_cpu(req->dcid);
4055 flags = __le16_to_cpu(req->flags);
4056
4057 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4058
4059 chan = l2cap_get_chan_by_scid(conn, dcid);
4060 if (!chan) {
4061 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4062 return 0;
4063 }
4064
4065 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4066 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4067 chan->dcid);
4068 goto unlock;
4069 }
4070
4071 /* Reject if config buffer is too small. */
4072 len = cmd_len - sizeof(*req);
4073 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4074 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4075 l2cap_build_conf_rsp(chan, rsp,
4076 L2CAP_CONF_REJECT, flags), rsp);
4077 goto unlock;
4078 }
4079
4080 /* Store config. */
4081 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4082 chan->conf_len += len;
4083
4084 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4085 /* Incomplete config. Send empty response. */
4086 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4087 l2cap_build_conf_rsp(chan, rsp,
4088 L2CAP_CONF_SUCCESS, flags), rsp);
4089 goto unlock;
4090 }
4091
4092 /* Complete config. */
4093 len = l2cap_parse_conf_req(chan, rsp);
4094 if (len < 0) {
4095 l2cap_send_disconn_req(chan, ECONNRESET);
4096 goto unlock;
4097 }
4098
4099 chan->ident = cmd->ident;
4100 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4101 chan->num_conf_rsp++;
4102
4103 /* Reset config buffer. */
4104 chan->conf_len = 0;
4105
4106 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4107 goto unlock;
4108
4109 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4110 set_default_fcs(chan);
4111
4112 if (chan->mode == L2CAP_MODE_ERTM ||
4113 chan->mode == L2CAP_MODE_STREAMING)
4114 err = l2cap_ertm_init(chan);
4115
4116 if (err < 0)
4117 l2cap_send_disconn_req(chan, -err);
4118 else
4119 l2cap_chan_ready(chan);
4120
4121 goto unlock;
4122 }
4123
4124 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4125 u8 buf[64];
4126 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4127 l2cap_build_conf_req(chan, buf), buf);
4128 chan->num_conf_req++;
4129 }
4130
4131 /* Got Conf Rsp PENDING from remote side and assume we sent
4132 Conf Rsp PENDING in the code above */
4133 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4134 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4135
4136 /* check compatibility */
4137
4138 /* Send rsp for BR/EDR channel */
4139 if (!chan->hs_hcon)
4140 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4141 else
4142 chan->ident = cmd->ident;
4143 }
4144
4145 unlock:
4146 l2cap_chan_unlock(chan);
4147 return err;
4148 }
4149
4150 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4151 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4152 u8 *data)
4153 {
4154 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4155 u16 scid, flags, result;
4156 struct l2cap_chan *chan;
4157 int len = cmd_len - sizeof(*rsp);
4158 int err = 0;
4159
4160 if (cmd_len < sizeof(*rsp))
4161 return -EPROTO;
4162
4163 scid = __le16_to_cpu(rsp->scid);
4164 flags = __le16_to_cpu(rsp->flags);
4165 result = __le16_to_cpu(rsp->result);
4166
4167 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4168 result, len);
4169
4170 chan = l2cap_get_chan_by_scid(conn, scid);
4171 if (!chan)
4172 return 0;
4173
4174 switch (result) {
4175 case L2CAP_CONF_SUCCESS:
4176 l2cap_conf_rfc_get(chan, rsp->data, len);
4177 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4178 break;
4179
4180 case L2CAP_CONF_PENDING:
4181 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4182
4183 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4184 char buf[64];
4185
4186 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4187 buf, &result);
4188 if (len < 0) {
4189 l2cap_send_disconn_req(chan, ECONNRESET);
4190 goto done;
4191 }
4192
4193 if (!chan->hs_hcon) {
4194 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4195 0);
4196 } else {
4197 if (l2cap_check_efs(chan)) {
4198 amp_create_logical_link(chan);
4199 chan->ident = cmd->ident;
4200 }
4201 }
4202 }
4203 goto done;
4204
4205 case L2CAP_CONF_UNACCEPT:
4206 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4207 char req[64];
4208
4209 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4210 l2cap_send_disconn_req(chan, ECONNRESET);
4211 goto done;
4212 }
4213
4214 /* throw out any old stored conf requests */
4215 result = L2CAP_CONF_SUCCESS;
4216 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4217 req, &result);
4218 if (len < 0) {
4219 l2cap_send_disconn_req(chan, ECONNRESET);
4220 goto done;
4221 }
4222
4223 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4224 L2CAP_CONF_REQ, len, req);
4225 chan->num_conf_req++;
4226 if (result != L2CAP_CONF_SUCCESS)
4227 goto done;
4228 break;
4229 }
4230
4231 default:
4232 l2cap_chan_set_err(chan, ECONNRESET);
4233
4234 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4235 l2cap_send_disconn_req(chan, ECONNRESET);
4236 goto done;
4237 }
4238
4239 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4240 goto done;
4241
4242 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4243
4244 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4245 set_default_fcs(chan);
4246
4247 if (chan->mode == L2CAP_MODE_ERTM ||
4248 chan->mode == L2CAP_MODE_STREAMING)
4249 err = l2cap_ertm_init(chan);
4250
4251 if (err < 0)
4252 l2cap_send_disconn_req(chan, -err);
4253 else
4254 l2cap_chan_ready(chan);
4255 }
4256
4257 done:
4258 l2cap_chan_unlock(chan);
4259 return err;
4260 }
4261
4262 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4263 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4264 u8 *data)
4265 {
4266 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4267 struct l2cap_disconn_rsp rsp;
4268 u16 dcid, scid;
4269 struct l2cap_chan *chan;
4270
4271 if (cmd_len != sizeof(*req))
4272 return -EPROTO;
4273
4274 scid = __le16_to_cpu(req->scid);
4275 dcid = __le16_to_cpu(req->dcid);
4276
4277 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4278
4279 mutex_lock(&conn->chan_lock);
4280
4281 chan = __l2cap_get_chan_by_scid(conn, dcid);
4282 if (!chan) {
4283 mutex_unlock(&conn->chan_lock);
4284 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4285 return 0;
4286 }
4287
4288 l2cap_chan_lock(chan);
4289
4290 rsp.dcid = cpu_to_le16(chan->scid);
4291 rsp.scid = cpu_to_le16(chan->dcid);
4292 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4293
4294 chan->ops->set_shutdown(chan);
4295
4296 l2cap_chan_hold(chan);
4297 l2cap_chan_del(chan, ECONNRESET);
4298
4299 l2cap_chan_unlock(chan);
4300
4301 chan->ops->close(chan);
4302 l2cap_chan_put(chan);
4303
4304 mutex_unlock(&conn->chan_lock);
4305
4306 return 0;
4307 }
4308
4309 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4310 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4311 u8 *data)
4312 {
4313 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4314 u16 dcid, scid;
4315 struct l2cap_chan *chan;
4316
4317 if (cmd_len != sizeof(*rsp))
4318 return -EPROTO;
4319
4320 scid = __le16_to_cpu(rsp->scid);
4321 dcid = __le16_to_cpu(rsp->dcid);
4322
4323 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4324
4325 mutex_lock(&conn->chan_lock);
4326
4327 chan = __l2cap_get_chan_by_scid(conn, scid);
4328 if (!chan) {
4329 mutex_unlock(&conn->chan_lock);
4330 return 0;
4331 }
4332
4333 l2cap_chan_lock(chan);
4334
4335 l2cap_chan_hold(chan);
4336 l2cap_chan_del(chan, 0);
4337
4338 l2cap_chan_unlock(chan);
4339
4340 chan->ops->close(chan);
4341 l2cap_chan_put(chan);
4342
4343 mutex_unlock(&conn->chan_lock);
4344
4345 return 0;
4346 }
4347
4348 static inline int l2cap_information_req(struct l2cap_conn *conn,
4349 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4350 u8 *data)
4351 {
4352 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4353 u16 type;
4354
4355 if (cmd_len != sizeof(*req))
4356 return -EPROTO;
4357
4358 type = __le16_to_cpu(req->type);
4359
4360 BT_DBG("type 0x%4.4x", type);
4361
4362 if (type == L2CAP_IT_FEAT_MASK) {
4363 u8 buf[8];
4364 u32 feat_mask = l2cap_feat_mask;
4365 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4366 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4367 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4368 if (!disable_ertm)
4369 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4370 | L2CAP_FEAT_FCS;
4371 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4372 feat_mask |= L2CAP_FEAT_EXT_FLOW
4373 | L2CAP_FEAT_EXT_WINDOW;
4374
4375 put_unaligned_le32(feat_mask, rsp->data);
4376 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4377 buf);
4378 } else if (type == L2CAP_IT_FIXED_CHAN) {
4379 u8 buf[12];
4380 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4381
4382 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4383 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4384 rsp->data[0] = conn->local_fixed_chan;
4385 memset(rsp->data + 1, 0, 7);
4386 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4387 buf);
4388 } else {
4389 struct l2cap_info_rsp rsp;
4390 rsp.type = cpu_to_le16(type);
4391 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4392 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4393 &rsp);
4394 }
4395
4396 return 0;
4397 }
4398
4399 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4400 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4401 u8 *data)
4402 {
4403 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4404 u16 type, result;
4405
4406 if (cmd_len < sizeof(*rsp))
4407 return -EPROTO;
4408
4409 type = __le16_to_cpu(rsp->type);
4410 result = __le16_to_cpu(rsp->result);
4411
4412 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4413
4414 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4415 if (cmd->ident != conn->info_ident ||
4416 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4417 return 0;
4418
4419 cancel_delayed_work(&conn->info_timer);
4420
4421 if (result != L2CAP_IR_SUCCESS) {
4422 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4423 conn->info_ident = 0;
4424
4425 l2cap_conn_start(conn);
4426
4427 return 0;
4428 }
4429
4430 switch (type) {
4431 case L2CAP_IT_FEAT_MASK:
4432 conn->feat_mask = get_unaligned_le32(rsp->data);
4433
4434 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4435 struct l2cap_info_req req;
4436 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4437
4438 conn->info_ident = l2cap_get_ident(conn);
4439
4440 l2cap_send_cmd(conn, conn->info_ident,
4441 L2CAP_INFO_REQ, sizeof(req), &req);
4442 } else {
4443 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4444 conn->info_ident = 0;
4445
4446 l2cap_conn_start(conn);
4447 }
4448 break;
4449
4450 case L2CAP_IT_FIXED_CHAN:
4451 conn->remote_fixed_chan = rsp->data[0];
4452 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4453 conn->info_ident = 0;
4454
4455 l2cap_conn_start(conn);
4456 break;
4457 }
4458
4459 return 0;
4460 }
4461
4462 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4463 struct l2cap_cmd_hdr *cmd,
4464 u16 cmd_len, void *data)
4465 {
4466 struct l2cap_create_chan_req *req = data;
4467 struct l2cap_create_chan_rsp rsp;
4468 struct l2cap_chan *chan;
4469 struct hci_dev *hdev;
4470 u16 psm, scid;
4471
4472 if (cmd_len != sizeof(*req))
4473 return -EPROTO;
4474
4475 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4476 return -EINVAL;
4477
4478 psm = le16_to_cpu(req->psm);
4479 scid = le16_to_cpu(req->scid);
4480
4481 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4482
4483 /* For controller id 0 make BR/EDR connection */
4484 if (req->amp_id == AMP_ID_BREDR) {
4485 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4486 req->amp_id);
4487 return 0;
4488 }
4489
4490 /* Validate AMP controller id */
4491 hdev = hci_dev_get(req->amp_id);
4492 if (!hdev)
4493 goto error;
4494
4495 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4496 hci_dev_put(hdev);
4497 goto error;
4498 }
4499
4500 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4501 req->amp_id);
4502 if (chan) {
4503 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4504 struct hci_conn *hs_hcon;
4505
4506 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4507 &conn->hcon->dst);
4508 if (!hs_hcon) {
4509 hci_dev_put(hdev);
4510 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4511 chan->dcid);
4512 return 0;
4513 }
4514
4515 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4516
4517 mgr->bredr_chan = chan;
4518 chan->hs_hcon = hs_hcon;
4519 chan->fcs = L2CAP_FCS_NONE;
4520 conn->mtu = hdev->block_mtu;
4521 }
4522
4523 hci_dev_put(hdev);
4524
4525 return 0;
4526
4527 error:
4528 rsp.dcid = 0;
4529 rsp.scid = cpu_to_le16(scid);
4530 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4531 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4532
4533 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4534 sizeof(rsp), &rsp);
4535
4536 return 0;
4537 }
4538
4539 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4540 {
4541 struct l2cap_move_chan_req req;
4542 u8 ident;
4543
4544 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4545
4546 ident = l2cap_get_ident(chan->conn);
4547 chan->ident = ident;
4548
4549 req.icid = cpu_to_le16(chan->scid);
4550 req.dest_amp_id = dest_amp_id;
4551
4552 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4553 &req);
4554
4555 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4556 }
4557
4558 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4559 {
4560 struct l2cap_move_chan_rsp rsp;
4561
4562 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4563
4564 rsp.icid = cpu_to_le16(chan->dcid);
4565 rsp.result = cpu_to_le16(result);
4566
4567 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4568 sizeof(rsp), &rsp);
4569 }
4570
4571 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4572 {
4573 struct l2cap_move_chan_cfm cfm;
4574
4575 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4576
4577 chan->ident = l2cap_get_ident(chan->conn);
4578
4579 cfm.icid = cpu_to_le16(chan->scid);
4580 cfm.result = cpu_to_le16(result);
4581
4582 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4583 sizeof(cfm), &cfm);
4584
4585 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4586 }
4587
4588 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4589 {
4590 struct l2cap_move_chan_cfm cfm;
4591
4592 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4593
4594 cfm.icid = cpu_to_le16(icid);
4595 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4596
4597 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4598 sizeof(cfm), &cfm);
4599 }
4600
4601 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4602 u16 icid)
4603 {
4604 struct l2cap_move_chan_cfm_rsp rsp;
4605
4606 BT_DBG("icid 0x%4.4x", icid);
4607
4608 rsp.icid = cpu_to_le16(icid);
4609 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4610 }
4611
4612 static void __release_logical_link(struct l2cap_chan *chan)
4613 {
4614 chan->hs_hchan = NULL;
4615 chan->hs_hcon = NULL;
4616
4617 /* Placeholder - release the logical link */
4618 }
4619
4620 static void l2cap_logical_fail(struct l2cap_chan *chan)
4621 {
4622 /* Logical link setup failed */
4623 if (chan->state != BT_CONNECTED) {
4624 /* Create channel failure, disconnect */
4625 l2cap_send_disconn_req(chan, ECONNRESET);
4626 return;
4627 }
4628
4629 switch (chan->move_role) {
4630 case L2CAP_MOVE_ROLE_RESPONDER:
4631 l2cap_move_done(chan);
4632 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4633 break;
4634 case L2CAP_MOVE_ROLE_INITIATOR:
4635 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4636 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4637 /* Remote has only sent pending or
4638 * success responses, clean up
4639 */
4640 l2cap_move_done(chan);
4641 }
4642
4643 /* Other amp move states imply that the move
4644 * has already aborted
4645 */
4646 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4647 break;
4648 }
4649 }
4650
4651 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4652 struct hci_chan *hchan)
4653 {
4654 struct l2cap_conf_rsp rsp;
4655
4656 chan->hs_hchan = hchan;
4657 chan->hs_hcon->l2cap_data = chan->conn;
4658
4659 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4660
4661 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4662 int err;
4663
4664 set_default_fcs(chan);
4665
4666 err = l2cap_ertm_init(chan);
4667 if (err < 0)
4668 l2cap_send_disconn_req(chan, -err);
4669 else
4670 l2cap_chan_ready(chan);
4671 }
4672 }
4673
4674 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4675 struct hci_chan *hchan)
4676 {
4677 chan->hs_hcon = hchan->conn;
4678 chan->hs_hcon->l2cap_data = chan->conn;
4679
4680 BT_DBG("move_state %d", chan->move_state);
4681
4682 switch (chan->move_state) {
4683 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4684 /* Move confirm will be sent after a success
4685 * response is received
4686 */
4687 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4688 break;
4689 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4690 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4691 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4692 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4693 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4694 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4695 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4696 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4697 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4698 }
4699 break;
4700 default:
4701 /* Move was not in expected state, free the channel */
4702 __release_logical_link(chan);
4703
4704 chan->move_state = L2CAP_MOVE_STABLE;
4705 }
4706 }
4707
4708 /* Call with chan locked */
4709 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4710 u8 status)
4711 {
4712 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4713
4714 if (status) {
4715 l2cap_logical_fail(chan);
4716 __release_logical_link(chan);
4717 return;
4718 }
4719
4720 if (chan->state != BT_CONNECTED) {
4721 /* Ignore logical link if channel is on BR/EDR */
4722 if (chan->local_amp_id != AMP_ID_BREDR)
4723 l2cap_logical_finish_create(chan, hchan);
4724 } else {
4725 l2cap_logical_finish_move(chan, hchan);
4726 }
4727 }
4728
4729 void l2cap_move_start(struct l2cap_chan *chan)
4730 {
4731 BT_DBG("chan %p", chan);
4732
4733 if (chan->local_amp_id == AMP_ID_BREDR) {
4734 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4735 return;
4736 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4737 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4738 /* Placeholder - start physical link setup */
4739 } else {
4740 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4741 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4742 chan->move_id = 0;
4743 l2cap_move_setup(chan);
4744 l2cap_send_move_chan_req(chan, 0);
4745 }
4746 }
4747
4748 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4749 u8 local_amp_id, u8 remote_amp_id)
4750 {
4751 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4752 local_amp_id, remote_amp_id);
4753
4754 chan->fcs = L2CAP_FCS_NONE;
4755
4756 /* Outgoing channel on AMP */
4757 if (chan->state == BT_CONNECT) {
4758 if (result == L2CAP_CR_SUCCESS) {
4759 chan->local_amp_id = local_amp_id;
4760 l2cap_send_create_chan_req(chan, remote_amp_id);
4761 } else {
4762 /* Revert to BR/EDR connect */
4763 l2cap_send_conn_req(chan);
4764 }
4765
4766 return;
4767 }
4768
4769 /* Incoming channel on AMP */
4770 if (__l2cap_no_conn_pending(chan)) {
4771 struct l2cap_conn_rsp rsp;
4772 char buf[128];
4773 rsp.scid = cpu_to_le16(chan->dcid);
4774 rsp.dcid = cpu_to_le16(chan->scid);
4775
4776 if (result == L2CAP_CR_SUCCESS) {
4777 /* Send successful response */
4778 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4779 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4780 } else {
4781 /* Send negative response */
4782 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4783 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4784 }
4785
4786 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4787 sizeof(rsp), &rsp);
4788
4789 if (result == L2CAP_CR_SUCCESS) {
4790 l2cap_state_change(chan, BT_CONFIG);
4791 set_bit(CONF_REQ_SENT, &chan->conf_state);
4792 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4793 L2CAP_CONF_REQ,
4794 l2cap_build_conf_req(chan, buf), buf);
4795 chan->num_conf_req++;
4796 }
4797 }
4798 }
4799
4800 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4801 u8 remote_amp_id)
4802 {
4803 l2cap_move_setup(chan);
4804 chan->move_id = local_amp_id;
4805 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4806
4807 l2cap_send_move_chan_req(chan, remote_amp_id);
4808 }
4809
4810 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4811 {
4812 struct hci_chan *hchan = NULL;
4813
4814 /* Placeholder - get hci_chan for logical link */
4815
4816 if (hchan) {
4817 if (hchan->state == BT_CONNECTED) {
4818 /* Logical link is ready to go */
4819 chan->hs_hcon = hchan->conn;
4820 chan->hs_hcon->l2cap_data = chan->conn;
4821 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4822 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4823
4824 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4825 } else {
4826 /* Wait for logical link to be ready */
4827 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4828 }
4829 } else {
4830 /* Logical link not available */
4831 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4832 }
4833 }
4834
4835 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4836 {
4837 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4838 u8 rsp_result;
4839 if (result == -EINVAL)
4840 rsp_result = L2CAP_MR_BAD_ID;
4841 else
4842 rsp_result = L2CAP_MR_NOT_ALLOWED;
4843
4844 l2cap_send_move_chan_rsp(chan, rsp_result);
4845 }
4846
4847 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4848 chan->move_state = L2CAP_MOVE_STABLE;
4849
4850 /* Restart data transmission */
4851 l2cap_ertm_send(chan);
4852 }
4853
4854 /* Invoke with locked chan */
4855 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4856 {
4857 u8 local_amp_id = chan->local_amp_id;
4858 u8 remote_amp_id = chan->remote_amp_id;
4859
4860 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4861 chan, result, local_amp_id, remote_amp_id);
4862
4863 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4864 l2cap_chan_unlock(chan);
4865 return;
4866 }
4867
4868 if (chan->state != BT_CONNECTED) {
4869 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4870 } else if (result != L2CAP_MR_SUCCESS) {
4871 l2cap_do_move_cancel(chan, result);
4872 } else {
4873 switch (chan->move_role) {
4874 case L2CAP_MOVE_ROLE_INITIATOR:
4875 l2cap_do_move_initiate(chan, local_amp_id,
4876 remote_amp_id);
4877 break;
4878 case L2CAP_MOVE_ROLE_RESPONDER:
4879 l2cap_do_move_respond(chan, result);
4880 break;
4881 default:
4882 l2cap_do_move_cancel(chan, result);
4883 break;
4884 }
4885 }
4886 }
4887
4888 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4889 struct l2cap_cmd_hdr *cmd,
4890 u16 cmd_len, void *data)
4891 {
4892 struct l2cap_move_chan_req *req = data;
4893 struct l2cap_move_chan_rsp rsp;
4894 struct l2cap_chan *chan;
4895 u16 icid = 0;
4896 u16 result = L2CAP_MR_NOT_ALLOWED;
4897
4898 if (cmd_len != sizeof(*req))
4899 return -EPROTO;
4900
4901 icid = le16_to_cpu(req->icid);
4902
4903 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4904
4905 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4906 return -EINVAL;
4907
4908 chan = l2cap_get_chan_by_dcid(conn, icid);
4909 if (!chan) {
4910 rsp.icid = cpu_to_le16(icid);
4911 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4912 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4913 sizeof(rsp), &rsp);
4914 return 0;
4915 }
4916
4917 chan->ident = cmd->ident;
4918
4919 if (chan->scid < L2CAP_CID_DYN_START ||
4920 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4921 (chan->mode != L2CAP_MODE_ERTM &&
4922 chan->mode != L2CAP_MODE_STREAMING)) {
4923 result = L2CAP_MR_NOT_ALLOWED;
4924 goto send_move_response;
4925 }
4926
4927 if (chan->local_amp_id == req->dest_amp_id) {
4928 result = L2CAP_MR_SAME_ID;
4929 goto send_move_response;
4930 }
4931
4932 if (req->dest_amp_id != AMP_ID_BREDR) {
4933 struct hci_dev *hdev;
4934 hdev = hci_dev_get(req->dest_amp_id);
4935 if (!hdev || hdev->dev_type != HCI_AMP ||
4936 !test_bit(HCI_UP, &hdev->flags)) {
4937 if (hdev)
4938 hci_dev_put(hdev);
4939
4940 result = L2CAP_MR_BAD_ID;
4941 goto send_move_response;
4942 }
4943 hci_dev_put(hdev);
4944 }
4945
4946 /* Detect a move collision. Only send a collision response
4947 * if this side has "lost", otherwise proceed with the move.
4948 * The winner has the larger bd_addr.
4949 */
4950 if ((__chan_is_moving(chan) ||
4951 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4952 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4953 result = L2CAP_MR_COLLISION;
4954 goto send_move_response;
4955 }
4956
4957 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4958 l2cap_move_setup(chan);
4959 chan->move_id = req->dest_amp_id;
4960 icid = chan->dcid;
4961
4962 if (req->dest_amp_id == AMP_ID_BREDR) {
4963 /* Moving to BR/EDR */
4964 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4965 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4966 result = L2CAP_MR_PEND;
4967 } else {
4968 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4969 result = L2CAP_MR_SUCCESS;
4970 }
4971 } else {
4972 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4973 /* Placeholder - uncomment when amp functions are available */
4974 /*amp_accept_physical(chan, req->dest_amp_id);*/
4975 result = L2CAP_MR_PEND;
4976 }
4977
4978 send_move_response:
4979 l2cap_send_move_chan_rsp(chan, result);
4980
4981 l2cap_chan_unlock(chan);
4982
4983 return 0;
4984 }
4985
4986 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4987 {
4988 struct l2cap_chan *chan;
4989 struct hci_chan *hchan = NULL;
4990
4991 chan = l2cap_get_chan_by_scid(conn, icid);
4992 if (!chan) {
4993 l2cap_send_move_chan_cfm_icid(conn, icid);
4994 return;
4995 }
4996
4997 __clear_chan_timer(chan);
4998 if (result == L2CAP_MR_PEND)
4999 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5000
5001 switch (chan->move_state) {
5002 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5003 /* Move confirm will be sent when logical link
5004 * is complete.
5005 */
5006 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5007 break;
5008 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5009 if (result == L2CAP_MR_PEND) {
5010 break;
5011 } else if (test_bit(CONN_LOCAL_BUSY,
5012 &chan->conn_state)) {
5013 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5014 } else {
5015 /* Logical link is up or moving to BR/EDR,
5016 * proceed with move
5017 */
5018 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5019 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5020 }
5021 break;
5022 case L2CAP_MOVE_WAIT_RSP:
5023 /* Moving to AMP */
5024 if (result == L2CAP_MR_SUCCESS) {
5025 /* Remote is ready, send confirm immediately
5026 * after logical link is ready
5027 */
5028 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5029 } else {
5030 /* Both logical link and move success
5031 * are required to confirm
5032 */
5033 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5034 }
5035
5036 /* Placeholder - get hci_chan for logical link */
5037 if (!hchan) {
5038 /* Logical link not available */
5039 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5040 break;
5041 }
5042
5043 /* If the logical link is not yet connected, do not
5044 * send confirmation.
5045 */
5046 if (hchan->state != BT_CONNECTED)
5047 break;
5048
5049 /* Logical link is already ready to go */
5050
5051 chan->hs_hcon = hchan->conn;
5052 chan->hs_hcon->l2cap_data = chan->conn;
5053
5054 if (result == L2CAP_MR_SUCCESS) {
5055 /* Can confirm now */
5056 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5057 } else {
5058 /* Now only need move success
5059 * to confirm
5060 */
5061 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5062 }
5063
5064 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5065 break;
5066 default:
5067 /* Any other amp move state means the move failed. */
5068 chan->move_id = chan->local_amp_id;
5069 l2cap_move_done(chan);
5070 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5071 }
5072
5073 l2cap_chan_unlock(chan);
5074 }
5075
5076 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5077 u16 result)
5078 {
5079 struct l2cap_chan *chan;
5080
5081 chan = l2cap_get_chan_by_ident(conn, ident);
5082 if (!chan) {
5083 /* Could not locate channel, icid is best guess */
5084 l2cap_send_move_chan_cfm_icid(conn, icid);
5085 return;
5086 }
5087
5088 __clear_chan_timer(chan);
5089
5090 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5091 if (result == L2CAP_MR_COLLISION) {
5092 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5093 } else {
5094 /* Cleanup - cancel move */
5095 chan->move_id = chan->local_amp_id;
5096 l2cap_move_done(chan);
5097 }
5098 }
5099
5100 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5101
5102 l2cap_chan_unlock(chan);
5103 }
5104
5105 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5106 struct l2cap_cmd_hdr *cmd,
5107 u16 cmd_len, void *data)
5108 {
5109 struct l2cap_move_chan_rsp *rsp = data;
5110 u16 icid, result;
5111
5112 if (cmd_len != sizeof(*rsp))
5113 return -EPROTO;
5114
5115 icid = le16_to_cpu(rsp->icid);
5116 result = le16_to_cpu(rsp->result);
5117
5118 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5119
5120 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5121 l2cap_move_continue(conn, icid, result);
5122 else
5123 l2cap_move_fail(conn, cmd->ident, icid, result);
5124
5125 return 0;
5126 }
5127
5128 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5129 struct l2cap_cmd_hdr *cmd,
5130 u16 cmd_len, void *data)
5131 {
5132 struct l2cap_move_chan_cfm *cfm = data;
5133 struct l2cap_chan *chan;
5134 u16 icid, result;
5135
5136 if (cmd_len != sizeof(*cfm))
5137 return -EPROTO;
5138
5139 icid = le16_to_cpu(cfm->icid);
5140 result = le16_to_cpu(cfm->result);
5141
5142 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5143
5144 chan = l2cap_get_chan_by_dcid(conn, icid);
5145 if (!chan) {
5146 /* Spec requires a response even if the icid was not found */
5147 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5148 return 0;
5149 }
5150
5151 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5152 if (result == L2CAP_MC_CONFIRMED) {
5153 chan->local_amp_id = chan->move_id;
5154 if (chan->local_amp_id == AMP_ID_BREDR)
5155 __release_logical_link(chan);
5156 } else {
5157 chan->move_id = chan->local_amp_id;
5158 }
5159
5160 l2cap_move_done(chan);
5161 }
5162
5163 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5164
5165 l2cap_chan_unlock(chan);
5166
5167 return 0;
5168 }
5169
5170 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5171 struct l2cap_cmd_hdr *cmd,
5172 u16 cmd_len, void *data)
5173 {
5174 struct l2cap_move_chan_cfm_rsp *rsp = data;
5175 struct l2cap_chan *chan;
5176 u16 icid;
5177
5178 if (cmd_len != sizeof(*rsp))
5179 return -EPROTO;
5180
5181 icid = le16_to_cpu(rsp->icid);
5182
5183 BT_DBG("icid 0x%4.4x", icid);
5184
5185 chan = l2cap_get_chan_by_scid(conn, icid);
5186 if (!chan)
5187 return 0;
5188
5189 __clear_chan_timer(chan);
5190
5191 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5192 chan->local_amp_id = chan->move_id;
5193
5194 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5195 __release_logical_link(chan);
5196
5197 l2cap_move_done(chan);
5198 }
5199
5200 l2cap_chan_unlock(chan);
5201
5202 return 0;
5203 }
5204
5205 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5206 struct l2cap_cmd_hdr *cmd,
5207 u16 cmd_len, u8 *data)
5208 {
5209 struct hci_conn *hcon = conn->hcon;
5210 struct l2cap_conn_param_update_req *req;
5211 struct l2cap_conn_param_update_rsp rsp;
5212 u16 min, max, latency, to_multiplier;
5213 int err;
5214
5215 if (hcon->role != HCI_ROLE_MASTER)
5216 return -EINVAL;
5217
5218 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5219 return -EPROTO;
5220
5221 req = (struct l2cap_conn_param_update_req *) data;
5222 min = __le16_to_cpu(req->min);
5223 max = __le16_to_cpu(req->max);
5224 latency = __le16_to_cpu(req->latency);
5225 to_multiplier = __le16_to_cpu(req->to_multiplier);
5226
5227 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5228 min, max, latency, to_multiplier);
5229
5230 memset(&rsp, 0, sizeof(rsp));
5231
5232 err = hci_check_conn_params(min, max, latency, to_multiplier);
5233 if (err)
5234 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5235 else
5236 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5237
5238 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5239 sizeof(rsp), &rsp);
5240
5241 if (!err) {
5242 u8 store_hint;
5243
5244 store_hint = hci_le_conn_update(hcon, min, max, latency,
5245 to_multiplier);
5246 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5247 store_hint, min, max, latency,
5248 to_multiplier);
5249
5250 }
5251
5252 return 0;
5253 }
5254
5255 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5256 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5257 u8 *data)
5258 {
5259 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5260 struct hci_conn *hcon = conn->hcon;
5261 u16 dcid, mtu, mps, credits, result;
5262 struct l2cap_chan *chan;
5263 int err, sec_level;
5264
5265 if (cmd_len < sizeof(*rsp))
5266 return -EPROTO;
5267
5268 dcid = __le16_to_cpu(rsp->dcid);
5269 mtu = __le16_to_cpu(rsp->mtu);
5270 mps = __le16_to_cpu(rsp->mps);
5271 credits = __le16_to_cpu(rsp->credits);
5272 result = __le16_to_cpu(rsp->result);
5273
5274 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 ||
5275 dcid < L2CAP_CID_DYN_START ||
5276 dcid > L2CAP_CID_LE_DYN_END))
5277 return -EPROTO;
5278
5279 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5280 dcid, mtu, mps, credits, result);
5281
5282 mutex_lock(&conn->chan_lock);
5283
5284 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5285 if (!chan) {
5286 err = -EBADSLT;
5287 goto unlock;
5288 }
5289
5290 err = 0;
5291
5292 l2cap_chan_lock(chan);
5293
5294 switch (result) {
5295 case L2CAP_CR_SUCCESS:
5296 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5297 err = -EBADSLT;
5298 break;
5299 }
5300
5301 chan->ident = 0;
5302 chan->dcid = dcid;
5303 chan->omtu = mtu;
5304 chan->remote_mps = mps;
5305 chan->tx_credits = credits;
5306 l2cap_chan_ready(chan);
5307 break;
5308
5309 case L2CAP_CR_AUTHENTICATION:
5310 case L2CAP_CR_ENCRYPTION:
5311 /* If we already have MITM protection we can't do
5312 * anything.
5313 */
5314 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5315 l2cap_chan_del(chan, ECONNREFUSED);
5316 break;
5317 }
5318
5319 sec_level = hcon->sec_level + 1;
5320 if (chan->sec_level < sec_level)
5321 chan->sec_level = sec_level;
5322
5323 /* We'll need to send a new Connect Request */
5324 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5325
5326 smp_conn_security(hcon, chan->sec_level);
5327 break;
5328
5329 default:
5330 l2cap_chan_del(chan, ECONNREFUSED);
5331 break;
5332 }
5333
5334 l2cap_chan_unlock(chan);
5335
5336 unlock:
5337 mutex_unlock(&conn->chan_lock);
5338
5339 return err;
5340 }
5341
5342 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5343 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5344 u8 *data)
5345 {
5346 int err = 0;
5347
5348 switch (cmd->code) {
5349 case L2CAP_COMMAND_REJ:
5350 l2cap_command_rej(conn, cmd, cmd_len, data);
5351 break;
5352
5353 case L2CAP_CONN_REQ:
5354 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5355 break;
5356
5357 case L2CAP_CONN_RSP:
5358 case L2CAP_CREATE_CHAN_RSP:
5359 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5360 break;
5361
5362 case L2CAP_CONF_REQ:
5363 err = l2cap_config_req(conn, cmd, cmd_len, data);
5364 break;
5365
5366 case L2CAP_CONF_RSP:
5367 l2cap_config_rsp(conn, cmd, cmd_len, data);
5368 break;
5369
5370 case L2CAP_DISCONN_REQ:
5371 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5372 break;
5373
5374 case L2CAP_DISCONN_RSP:
5375 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5376 break;
5377
5378 case L2CAP_ECHO_REQ:
5379 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5380 break;
5381
5382 case L2CAP_ECHO_RSP:
5383 break;
5384
5385 case L2CAP_INFO_REQ:
5386 err = l2cap_information_req(conn, cmd, cmd_len, data);
5387 break;
5388
5389 case L2CAP_INFO_RSP:
5390 l2cap_information_rsp(conn, cmd, cmd_len, data);
5391 break;
5392
5393 case L2CAP_CREATE_CHAN_REQ:
5394 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5395 break;
5396
5397 case L2CAP_MOVE_CHAN_REQ:
5398 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5399 break;
5400
5401 case L2CAP_MOVE_CHAN_RSP:
5402 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5403 break;
5404
5405 case L2CAP_MOVE_CHAN_CFM:
5406 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5407 break;
5408
5409 case L2CAP_MOVE_CHAN_CFM_RSP:
5410 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5411 break;
5412
5413 default:
5414 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5415 err = -EINVAL;
5416 break;
5417 }
5418
5419 return err;
5420 }
5421
5422 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5423 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5424 u8 *data)
5425 {
5426 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5427 struct l2cap_le_conn_rsp rsp;
5428 struct l2cap_chan *chan, *pchan;
5429 u16 dcid, scid, credits, mtu, mps;
5430 __le16 psm;
5431 u8 result;
5432
5433 if (cmd_len != sizeof(*req))
5434 return -EPROTO;
5435
5436 scid = __le16_to_cpu(req->scid);
5437 mtu = __le16_to_cpu(req->mtu);
5438 mps = __le16_to_cpu(req->mps);
5439 psm = req->psm;
5440 dcid = 0;
5441 credits = 0;
5442
5443 if (mtu < 23 || mps < 23)
5444 return -EPROTO;
5445
5446 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5447 scid, mtu, mps);
5448
5449 /* Check if we have socket listening on psm */
5450 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5451 &conn->hcon->dst, LE_LINK);
5452 if (!pchan) {
5453 result = L2CAP_CR_BAD_PSM;
5454 chan = NULL;
5455 goto response;
5456 }
5457
5458 mutex_lock(&conn->chan_lock);
5459 l2cap_chan_lock(pchan);
5460
5461 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5462 SMP_ALLOW_STK)) {
5463 result = L2CAP_CR_AUTHENTICATION;
5464 chan = NULL;
5465 goto response_unlock;
5466 }
5467
5468 /* Check for valid dynamic CID range */
5469 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5470 result = L2CAP_CR_INVALID_SCID;
5471 chan = NULL;
5472 goto response_unlock;
5473 }
5474
5475 /* Check if we already have channel with that dcid */
5476 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5477 result = L2CAP_CR_SCID_IN_USE;
5478 chan = NULL;
5479 goto response_unlock;
5480 }
5481
5482 chan = pchan->ops->new_connection(pchan);
5483 if (!chan) {
5484 result = L2CAP_CR_NO_MEM;
5485 goto response_unlock;
5486 }
5487
5488 l2cap_le_flowctl_init(chan);
5489
5490 bacpy(&chan->src, &conn->hcon->src);
5491 bacpy(&chan->dst, &conn->hcon->dst);
5492 chan->src_type = bdaddr_src_type(conn->hcon);
5493 chan->dst_type = bdaddr_dst_type(conn->hcon);
5494 chan->psm = psm;
5495 chan->dcid = scid;
5496 chan->omtu = mtu;
5497 chan->remote_mps = mps;
5498 chan->tx_credits = __le16_to_cpu(req->credits);
5499
5500 __l2cap_chan_add(conn, chan);
5501 dcid = chan->scid;
5502 credits = chan->rx_credits;
5503
5504 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5505
5506 chan->ident = cmd->ident;
5507
5508 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5509 l2cap_state_change(chan, BT_CONNECT2);
5510 /* The following result value is actually not defined
5511 * for LE CoC but we use it to let the function know
5512 * that it should bail out after doing its cleanup
5513 * instead of sending a response.
5514 */
5515 result = L2CAP_CR_PEND;
5516 chan->ops->defer(chan);
5517 } else {
5518 l2cap_chan_ready(chan);
5519 result = L2CAP_CR_SUCCESS;
5520 }
5521
5522 response_unlock:
5523 l2cap_chan_unlock(pchan);
5524 mutex_unlock(&conn->chan_lock);
5525 l2cap_chan_put(pchan);
5526
5527 if (result == L2CAP_CR_PEND)
5528 return 0;
5529
5530 response:
5531 if (chan) {
5532 rsp.mtu = cpu_to_le16(chan->imtu);
5533 rsp.mps = cpu_to_le16(chan->mps);
5534 } else {
5535 rsp.mtu = 0;
5536 rsp.mps = 0;
5537 }
5538
5539 rsp.dcid = cpu_to_le16(dcid);
5540 rsp.credits = cpu_to_le16(credits);
5541 rsp.result = cpu_to_le16(result);
5542
5543 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5544
5545 return 0;
5546 }
5547
5548 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5549 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5550 u8 *data)
5551 {
5552 struct l2cap_le_credits *pkt;
5553 struct l2cap_chan *chan;
5554 u16 cid, credits, max_credits;
5555
5556 if (cmd_len != sizeof(*pkt))
5557 return -EPROTO;
5558
5559 pkt = (struct l2cap_le_credits *) data;
5560 cid = __le16_to_cpu(pkt->cid);
5561 credits = __le16_to_cpu(pkt->credits);
5562
5563 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5564
5565 chan = l2cap_get_chan_by_dcid(conn, cid);
5566 if (!chan)
5567 return -EBADSLT;
5568
5569 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5570 if (credits > max_credits) {
5571 BT_ERR("LE credits overflow");
5572 l2cap_send_disconn_req(chan, ECONNRESET);
5573 l2cap_chan_unlock(chan);
5574
5575 /* Return 0 so that we don't trigger an unnecessary
5576 * command reject packet.
5577 */
5578 return 0;
5579 }
5580
5581 chan->tx_credits += credits;
5582
5583 /* Resume sending */
5584 l2cap_le_flowctl_send(chan);
5585
5586 if (chan->tx_credits)
5587 chan->ops->resume(chan);
5588
5589 l2cap_chan_unlock(chan);
5590
5591 return 0;
5592 }
5593
5594 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5595 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5596 u8 *data)
5597 {
5598 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5599 struct l2cap_chan *chan;
5600
5601 if (cmd_len < sizeof(*rej))
5602 return -EPROTO;
5603
5604 mutex_lock(&conn->chan_lock);
5605
5606 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5607 if (!chan)
5608 goto done;
5609
5610 l2cap_chan_lock(chan);
5611 l2cap_chan_del(chan, ECONNREFUSED);
5612 l2cap_chan_unlock(chan);
5613
5614 done:
5615 mutex_unlock(&conn->chan_lock);
5616 return 0;
5617 }
5618
5619 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5620 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5621 u8 *data)
5622 {
5623 int err = 0;
5624
5625 switch (cmd->code) {
5626 case L2CAP_COMMAND_REJ:
5627 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5628 break;
5629
5630 case L2CAP_CONN_PARAM_UPDATE_REQ:
5631 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5632 break;
5633
5634 case L2CAP_CONN_PARAM_UPDATE_RSP:
5635 break;
5636
5637 case L2CAP_LE_CONN_RSP:
5638 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5639 break;
5640
5641 case L2CAP_LE_CONN_REQ:
5642 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5643 break;
5644
5645 case L2CAP_LE_CREDITS:
5646 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5647 break;
5648
5649 case L2CAP_DISCONN_REQ:
5650 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5651 break;
5652
5653 case L2CAP_DISCONN_RSP:
5654 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5655 break;
5656
5657 default:
5658 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5659 err = -EINVAL;
5660 break;
5661 }
5662
5663 return err;
5664 }
5665
5666 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5667 struct sk_buff *skb)
5668 {
5669 struct hci_conn *hcon = conn->hcon;
5670 struct l2cap_cmd_hdr *cmd;
5671 u16 len;
5672 int err;
5673
5674 if (hcon->type != LE_LINK)
5675 goto drop;
5676
5677 if (skb->len < L2CAP_CMD_HDR_SIZE)
5678 goto drop;
5679
5680 cmd = (void *) skb->data;
5681 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5682
5683 len = le16_to_cpu(cmd->len);
5684
5685 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5686
5687 if (len != skb->len || !cmd->ident) {
5688 BT_DBG("corrupted command");
5689 goto drop;
5690 }
5691
5692 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5693 if (err) {
5694 struct l2cap_cmd_rej_unk rej;
5695
5696 BT_ERR("Wrong link type (%d)", err);
5697
5698 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5699 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5700 sizeof(rej), &rej);
5701 }
5702
5703 drop:
5704 kfree_skb(skb);
5705 }
5706
5707 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5708 struct sk_buff *skb)
5709 {
5710 struct hci_conn *hcon = conn->hcon;
5711 u8 *data = skb->data;
5712 int len = skb->len;
5713 struct l2cap_cmd_hdr cmd;
5714 int err;
5715
5716 l2cap_raw_recv(conn, skb);
5717
5718 if (hcon->type != ACL_LINK)
5719 goto drop;
5720
5721 while (len >= L2CAP_CMD_HDR_SIZE) {
5722 u16 cmd_len;
5723 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5724 data += L2CAP_CMD_HDR_SIZE;
5725 len -= L2CAP_CMD_HDR_SIZE;
5726
5727 cmd_len = le16_to_cpu(cmd.len);
5728
5729 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5730 cmd.ident);
5731
5732 if (cmd_len > len || !cmd.ident) {
5733 BT_DBG("corrupted command");
5734 break;
5735 }
5736
5737 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5738 if (err) {
5739 struct l2cap_cmd_rej_unk rej;
5740
5741 BT_ERR("Wrong link type (%d)", err);
5742
5743 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5744 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5745 sizeof(rej), &rej);
5746 }
5747
5748 data += cmd_len;
5749 len -= cmd_len;
5750 }
5751
5752 drop:
5753 kfree_skb(skb);
5754 }
5755
5756 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5757 {
5758 u16 our_fcs, rcv_fcs;
5759 int hdr_size;
5760
5761 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5762 hdr_size = L2CAP_EXT_HDR_SIZE;
5763 else
5764 hdr_size = L2CAP_ENH_HDR_SIZE;
5765
5766 if (chan->fcs == L2CAP_FCS_CRC16) {
5767 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5768 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5769 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5770
5771 if (our_fcs != rcv_fcs)
5772 return -EBADMSG;
5773 }
5774 return 0;
5775 }
5776
5777 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5778 {
5779 struct l2cap_ctrl control;
5780
5781 BT_DBG("chan %p", chan);
5782
5783 memset(&control, 0, sizeof(control));
5784 control.sframe = 1;
5785 control.final = 1;
5786 control.reqseq = chan->buffer_seq;
5787 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5788
5789 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5790 control.super = L2CAP_SUPER_RNR;
5791 l2cap_send_sframe(chan, &control);
5792 }
5793
5794 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5795 chan->unacked_frames > 0)
5796 __set_retrans_timer(chan);
5797
5798 /* Send pending iframes */
5799 l2cap_ertm_send(chan);
5800
5801 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5802 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5803 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5804 * send it now.
5805 */
5806 control.super = L2CAP_SUPER_RR;
5807 l2cap_send_sframe(chan, &control);
5808 }
5809 }
5810
5811 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5812 struct sk_buff **last_frag)
5813 {
5814 /* skb->len reflects data in skb as well as all fragments
5815 * skb->data_len reflects only data in fragments
5816 */
5817 if (!skb_has_frag_list(skb))
5818 skb_shinfo(skb)->frag_list = new_frag;
5819
5820 new_frag->next = NULL;
5821
5822 (*last_frag)->next = new_frag;
5823 *last_frag = new_frag;
5824
5825 skb->len += new_frag->len;
5826 skb->data_len += new_frag->len;
5827 skb->truesize += new_frag->truesize;
5828 }
5829
5830 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5831 struct l2cap_ctrl *control)
5832 {
5833 int err = -EINVAL;
5834
5835 switch (control->sar) {
5836 case L2CAP_SAR_UNSEGMENTED:
5837 if (chan->sdu)
5838 break;
5839
5840 err = chan->ops->recv(chan, skb);
5841 break;
5842
5843 case L2CAP_SAR_START:
5844 if (chan->sdu)
5845 break;
5846
5847 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5848 break;
5849
5850 chan->sdu_len = get_unaligned_le16(skb->data);
5851 skb_pull(skb, L2CAP_SDULEN_SIZE);
5852
5853 if (chan->sdu_len > chan->imtu) {
5854 err = -EMSGSIZE;
5855 break;
5856 }
5857
5858 if (skb->len >= chan->sdu_len)
5859 break;
5860
5861 chan->sdu = skb;
5862 chan->sdu_last_frag = skb;
5863
5864 skb = NULL;
5865 err = 0;
5866 break;
5867
5868 case L2CAP_SAR_CONTINUE:
5869 if (!chan->sdu)
5870 break;
5871
5872 append_skb_frag(chan->sdu, skb,
5873 &chan->sdu_last_frag);
5874 skb = NULL;
5875
5876 if (chan->sdu->len >= chan->sdu_len)
5877 break;
5878
5879 err = 0;
5880 break;
5881
5882 case L2CAP_SAR_END:
5883 if (!chan->sdu)
5884 break;
5885
5886 append_skb_frag(chan->sdu, skb,
5887 &chan->sdu_last_frag);
5888 skb = NULL;
5889
5890 if (chan->sdu->len != chan->sdu_len)
5891 break;
5892
5893 err = chan->ops->recv(chan, chan->sdu);
5894
5895 if (!err) {
5896 /* Reassembly complete */
5897 chan->sdu = NULL;
5898 chan->sdu_last_frag = NULL;
5899 chan->sdu_len = 0;
5900 }
5901 break;
5902 }
5903
5904 if (err) {
5905 kfree_skb(skb);
5906 kfree_skb(chan->sdu);
5907 chan->sdu = NULL;
5908 chan->sdu_last_frag = NULL;
5909 chan->sdu_len = 0;
5910 }
5911
5912 return err;
5913 }
5914
5915 static int l2cap_resegment(struct l2cap_chan *chan)
5916 {
5917 /* Placeholder */
5918 return 0;
5919 }
5920
5921 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5922 {
5923 u8 event;
5924
5925 if (chan->mode != L2CAP_MODE_ERTM)
5926 return;
5927
5928 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5929 l2cap_tx(chan, NULL, NULL, event);
5930 }
5931
5932 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5933 {
5934 int err = 0;
5935 /* Pass sequential frames to l2cap_reassemble_sdu()
5936 * until a gap is encountered.
5937 */
5938
5939 BT_DBG("chan %p", chan);
5940
5941 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5942 struct sk_buff *skb;
5943 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5944 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5945
5946 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5947
5948 if (!skb)
5949 break;
5950
5951 skb_unlink(skb, &chan->srej_q);
5952 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5953 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5954 if (err)
5955 break;
5956 }
5957
5958 if (skb_queue_empty(&chan->srej_q)) {
5959 chan->rx_state = L2CAP_RX_STATE_RECV;
5960 l2cap_send_ack(chan);
5961 }
5962
5963 return err;
5964 }
5965
5966 static void l2cap_handle_srej(struct l2cap_chan *chan,
5967 struct l2cap_ctrl *control)
5968 {
5969 struct sk_buff *skb;
5970
5971 BT_DBG("chan %p, control %p", chan, control);
5972
5973 if (control->reqseq == chan->next_tx_seq) {
5974 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5975 l2cap_send_disconn_req(chan, ECONNRESET);
5976 return;
5977 }
5978
5979 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5980
5981 if (skb == NULL) {
5982 BT_DBG("Seq %d not available for retransmission",
5983 control->reqseq);
5984 return;
5985 }
5986
5987 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5988 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5989 l2cap_send_disconn_req(chan, ECONNRESET);
5990 return;
5991 }
5992
5993 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5994
5995 if (control->poll) {
5996 l2cap_pass_to_tx(chan, control);
5997
5998 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5999 l2cap_retransmit(chan, control);
6000 l2cap_ertm_send(chan);
6001
6002 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6003 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6004 chan->srej_save_reqseq = control->reqseq;
6005 }
6006 } else {
6007 l2cap_pass_to_tx_fbit(chan, control);
6008
6009 if (control->final) {
6010 if (chan->srej_save_reqseq != control->reqseq ||
6011 !test_and_clear_bit(CONN_SREJ_ACT,
6012 &chan->conn_state))
6013 l2cap_retransmit(chan, control);
6014 } else {
6015 l2cap_retransmit(chan, control);
6016 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6017 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6018 chan->srej_save_reqseq = control->reqseq;
6019 }
6020 }
6021 }
6022 }
6023
6024 static void l2cap_handle_rej(struct l2cap_chan *chan,
6025 struct l2cap_ctrl *control)
6026 {
6027 struct sk_buff *skb;
6028
6029 BT_DBG("chan %p, control %p", chan, control);
6030
6031 if (control->reqseq == chan->next_tx_seq) {
6032 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6033 l2cap_send_disconn_req(chan, ECONNRESET);
6034 return;
6035 }
6036
6037 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6038
6039 if (chan->max_tx && skb &&
6040 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6041 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6042 l2cap_send_disconn_req(chan, ECONNRESET);
6043 return;
6044 }
6045
6046 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6047
6048 l2cap_pass_to_tx(chan, control);
6049
6050 if (control->final) {
6051 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6052 l2cap_retransmit_all(chan, control);
6053 } else {
6054 l2cap_retransmit_all(chan, control);
6055 l2cap_ertm_send(chan);
6056 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6057 set_bit(CONN_REJ_ACT, &chan->conn_state);
6058 }
6059 }
6060
6061 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6062 {
6063 BT_DBG("chan %p, txseq %d", chan, txseq);
6064
6065 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6066 chan->expected_tx_seq);
6067
6068 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6069 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6070 chan->tx_win) {
6071 /* See notes below regarding "double poll" and
6072 * invalid packets.
6073 */
6074 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6075 BT_DBG("Invalid/Ignore - after SREJ");
6076 return L2CAP_TXSEQ_INVALID_IGNORE;
6077 } else {
6078 BT_DBG("Invalid - in window after SREJ sent");
6079 return L2CAP_TXSEQ_INVALID;
6080 }
6081 }
6082
6083 if (chan->srej_list.head == txseq) {
6084 BT_DBG("Expected SREJ");
6085 return L2CAP_TXSEQ_EXPECTED_SREJ;
6086 }
6087
6088 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6089 BT_DBG("Duplicate SREJ - txseq already stored");
6090 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6091 }
6092
6093 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6094 BT_DBG("Unexpected SREJ - not requested");
6095 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6096 }
6097 }
6098
6099 if (chan->expected_tx_seq == txseq) {
6100 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6101 chan->tx_win) {
6102 BT_DBG("Invalid - txseq outside tx window");
6103 return L2CAP_TXSEQ_INVALID;
6104 } else {
6105 BT_DBG("Expected");
6106 return L2CAP_TXSEQ_EXPECTED;
6107 }
6108 }
6109
6110 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6111 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6112 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6113 return L2CAP_TXSEQ_DUPLICATE;
6114 }
6115
6116 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6117 /* A source of invalid packets is a "double poll" condition,
6118 * where delays cause us to send multiple poll packets. If
6119 * the remote stack receives and processes both polls,
6120 * sequence numbers can wrap around in such a way that a
6121 * resent frame has a sequence number that looks like new data
6122 * with a sequence gap. This would trigger an erroneous SREJ
6123 * request.
6124 *
6125 * Fortunately, this is impossible with a tx window that's
6126 * less than half of the maximum sequence number, which allows
6127 * invalid frames to be safely ignored.
6128 *
6129 * With tx window sizes greater than half of the tx window
6130 * maximum, the frame is invalid and cannot be ignored. This
6131 * causes a disconnect.
6132 */
6133
6134 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6135 BT_DBG("Invalid/Ignore - txseq outside tx window");
6136 return L2CAP_TXSEQ_INVALID_IGNORE;
6137 } else {
6138 BT_DBG("Invalid - txseq outside tx window");
6139 return L2CAP_TXSEQ_INVALID;
6140 }
6141 } else {
6142 BT_DBG("Unexpected - txseq indicates missing frames");
6143 return L2CAP_TXSEQ_UNEXPECTED;
6144 }
6145 }
6146
6147 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6148 struct l2cap_ctrl *control,
6149 struct sk_buff *skb, u8 event)
6150 {
6151 int err = 0;
6152 bool skb_in_use = false;
6153
6154 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6155 event);
6156
6157 switch (event) {
6158 case L2CAP_EV_RECV_IFRAME:
6159 switch (l2cap_classify_txseq(chan, control->txseq)) {
6160 case L2CAP_TXSEQ_EXPECTED:
6161 l2cap_pass_to_tx(chan, control);
6162
6163 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6164 BT_DBG("Busy, discarding expected seq %d",
6165 control->txseq);
6166 break;
6167 }
6168
6169 chan->expected_tx_seq = __next_seq(chan,
6170 control->txseq);
6171
6172 chan->buffer_seq = chan->expected_tx_seq;
6173 skb_in_use = true;
6174
6175 err = l2cap_reassemble_sdu(chan, skb, control);
6176 if (err)
6177 break;
6178
6179 if (control->final) {
6180 if (!test_and_clear_bit(CONN_REJ_ACT,
6181 &chan->conn_state)) {
6182 control->final = 0;
6183 l2cap_retransmit_all(chan, control);
6184 l2cap_ertm_send(chan);
6185 }
6186 }
6187
6188 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6189 l2cap_send_ack(chan);
6190 break;
6191 case L2CAP_TXSEQ_UNEXPECTED:
6192 l2cap_pass_to_tx(chan, control);
6193
6194 /* Can't issue SREJ frames in the local busy state.
6195 * Drop this frame, it will be seen as missing
6196 * when local busy is exited.
6197 */
6198 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6199 BT_DBG("Busy, discarding unexpected seq %d",
6200 control->txseq);
6201 break;
6202 }
6203
6204 /* There was a gap in the sequence, so an SREJ
6205 * must be sent for each missing frame. The
6206 * current frame is stored for later use.
6207 */
6208 skb_queue_tail(&chan->srej_q, skb);
6209 skb_in_use = true;
6210 BT_DBG("Queued %p (queue len %d)", skb,
6211 skb_queue_len(&chan->srej_q));
6212
6213 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6214 l2cap_seq_list_clear(&chan->srej_list);
6215 l2cap_send_srej(chan, control->txseq);
6216
6217 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6218 break;
6219 case L2CAP_TXSEQ_DUPLICATE:
6220 l2cap_pass_to_tx(chan, control);
6221 break;
6222 case L2CAP_TXSEQ_INVALID_IGNORE:
6223 break;
6224 case L2CAP_TXSEQ_INVALID:
6225 default:
6226 l2cap_send_disconn_req(chan, ECONNRESET);
6227 break;
6228 }
6229 break;
6230 case L2CAP_EV_RECV_RR:
6231 l2cap_pass_to_tx(chan, control);
6232 if (control->final) {
6233 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6234
6235 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6236 !__chan_is_moving(chan)) {
6237 control->final = 0;
6238 l2cap_retransmit_all(chan, control);
6239 }
6240
6241 l2cap_ertm_send(chan);
6242 } else if (control->poll) {
6243 l2cap_send_i_or_rr_or_rnr(chan);
6244 } else {
6245 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6246 &chan->conn_state) &&
6247 chan->unacked_frames)
6248 __set_retrans_timer(chan);
6249
6250 l2cap_ertm_send(chan);
6251 }
6252 break;
6253 case L2CAP_EV_RECV_RNR:
6254 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6255 l2cap_pass_to_tx(chan, control);
6256 if (control && control->poll) {
6257 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6258 l2cap_send_rr_or_rnr(chan, 0);
6259 }
6260 __clear_retrans_timer(chan);
6261 l2cap_seq_list_clear(&chan->retrans_list);
6262 break;
6263 case L2CAP_EV_RECV_REJ:
6264 l2cap_handle_rej(chan, control);
6265 break;
6266 case L2CAP_EV_RECV_SREJ:
6267 l2cap_handle_srej(chan, control);
6268 break;
6269 default:
6270 break;
6271 }
6272
6273 if (skb && !skb_in_use) {
6274 BT_DBG("Freeing %p", skb);
6275 kfree_skb(skb);
6276 }
6277
6278 return err;
6279 }
6280
6281 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6282 struct l2cap_ctrl *control,
6283 struct sk_buff *skb, u8 event)
6284 {
6285 int err = 0;
6286 u16 txseq = control->txseq;
6287 bool skb_in_use = false;
6288
6289 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6290 event);
6291
6292 switch (event) {
6293 case L2CAP_EV_RECV_IFRAME:
6294 switch (l2cap_classify_txseq(chan, txseq)) {
6295 case L2CAP_TXSEQ_EXPECTED:
6296 /* Keep frame for reassembly later */
6297 l2cap_pass_to_tx(chan, control);
6298 skb_queue_tail(&chan->srej_q, skb);
6299 skb_in_use = true;
6300 BT_DBG("Queued %p (queue len %d)", skb,
6301 skb_queue_len(&chan->srej_q));
6302
6303 chan->expected_tx_seq = __next_seq(chan, txseq);
6304 break;
6305 case L2CAP_TXSEQ_EXPECTED_SREJ:
6306 l2cap_seq_list_pop(&chan->srej_list);
6307
6308 l2cap_pass_to_tx(chan, control);
6309 skb_queue_tail(&chan->srej_q, skb);
6310 skb_in_use = true;
6311 BT_DBG("Queued %p (queue len %d)", skb,
6312 skb_queue_len(&chan->srej_q));
6313
6314 err = l2cap_rx_queued_iframes(chan);
6315 if (err)
6316 break;
6317
6318 break;
6319 case L2CAP_TXSEQ_UNEXPECTED:
6320 /* Got a frame that can't be reassembled yet.
6321 * Save it for later, and send SREJs to cover
6322 * the missing frames.
6323 */
6324 skb_queue_tail(&chan->srej_q, skb);
6325 skb_in_use = true;
6326 BT_DBG("Queued %p (queue len %d)", skb,
6327 skb_queue_len(&chan->srej_q));
6328
6329 l2cap_pass_to_tx(chan, control);
6330 l2cap_send_srej(chan, control->txseq);
6331 break;
6332 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6333 /* This frame was requested with an SREJ, but
6334 * some expected retransmitted frames are
6335 * missing. Request retransmission of missing
6336 * SREJ'd frames.
6337 */
6338 skb_queue_tail(&chan->srej_q, skb);
6339 skb_in_use = true;
6340 BT_DBG("Queued %p (queue len %d)", skb,
6341 skb_queue_len(&chan->srej_q));
6342
6343 l2cap_pass_to_tx(chan, control);
6344 l2cap_send_srej_list(chan, control->txseq);
6345 break;
6346 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6347 /* We've already queued this frame. Drop this copy. */
6348 l2cap_pass_to_tx(chan, control);
6349 break;
6350 case L2CAP_TXSEQ_DUPLICATE:
6351 /* Expecting a later sequence number, so this frame
6352 * was already received. Ignore it completely.
6353 */
6354 break;
6355 case L2CAP_TXSEQ_INVALID_IGNORE:
6356 break;
6357 case L2CAP_TXSEQ_INVALID:
6358 default:
6359 l2cap_send_disconn_req(chan, ECONNRESET);
6360 break;
6361 }
6362 break;
6363 case L2CAP_EV_RECV_RR:
6364 l2cap_pass_to_tx(chan, control);
6365 if (control->final) {
6366 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6367
6368 if (!test_and_clear_bit(CONN_REJ_ACT,
6369 &chan->conn_state)) {
6370 control->final = 0;
6371 l2cap_retransmit_all(chan, control);
6372 }
6373
6374 l2cap_ertm_send(chan);
6375 } else if (control->poll) {
6376 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6377 &chan->conn_state) &&
6378 chan->unacked_frames) {
6379 __set_retrans_timer(chan);
6380 }
6381
6382 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6383 l2cap_send_srej_tail(chan);
6384 } else {
6385 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6386 &chan->conn_state) &&
6387 chan->unacked_frames)
6388 __set_retrans_timer(chan);
6389
6390 l2cap_send_ack(chan);
6391 }
6392 break;
6393 case L2CAP_EV_RECV_RNR:
6394 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6395 l2cap_pass_to_tx(chan, control);
6396 if (control->poll) {
6397 l2cap_send_srej_tail(chan);
6398 } else {
6399 struct l2cap_ctrl rr_control;
6400 memset(&rr_control, 0, sizeof(rr_control));
6401 rr_control.sframe = 1;
6402 rr_control.super = L2CAP_SUPER_RR;
6403 rr_control.reqseq = chan->buffer_seq;
6404 l2cap_send_sframe(chan, &rr_control);
6405 }
6406
6407 break;
6408 case L2CAP_EV_RECV_REJ:
6409 l2cap_handle_rej(chan, control);
6410 break;
6411 case L2CAP_EV_RECV_SREJ:
6412 l2cap_handle_srej(chan, control);
6413 break;
6414 }
6415
6416 if (skb && !skb_in_use) {
6417 BT_DBG("Freeing %p", skb);
6418 kfree_skb(skb);
6419 }
6420
6421 return err;
6422 }
6423
6424 static int l2cap_finish_move(struct l2cap_chan *chan)
6425 {
6426 BT_DBG("chan %p", chan);
6427
6428 chan->rx_state = L2CAP_RX_STATE_RECV;
6429
6430 if (chan->hs_hcon)
6431 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6432 else
6433 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6434
6435 return l2cap_resegment(chan);
6436 }
6437
6438 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6439 struct l2cap_ctrl *control,
6440 struct sk_buff *skb, u8 event)
6441 {
6442 int err;
6443
6444 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6445 event);
6446
6447 if (!control->poll)
6448 return -EPROTO;
6449
6450 l2cap_process_reqseq(chan, control->reqseq);
6451
6452 if (!skb_queue_empty(&chan->tx_q))
6453 chan->tx_send_head = skb_peek(&chan->tx_q);
6454 else
6455 chan->tx_send_head = NULL;
6456
6457 /* Rewind next_tx_seq to the point expected
6458 * by the receiver.
6459 */
6460 chan->next_tx_seq = control->reqseq;
6461 chan->unacked_frames = 0;
6462
6463 err = l2cap_finish_move(chan);
6464 if (err)
6465 return err;
6466
6467 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6468 l2cap_send_i_or_rr_or_rnr(chan);
6469
6470 if (event == L2CAP_EV_RECV_IFRAME)
6471 return -EPROTO;
6472
6473 return l2cap_rx_state_recv(chan, control, NULL, event);
6474 }
6475
6476 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6477 struct l2cap_ctrl *control,
6478 struct sk_buff *skb, u8 event)
6479 {
6480 int err;
6481
6482 if (!control->final)
6483 return -EPROTO;
6484
6485 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6486
6487 chan->rx_state = L2CAP_RX_STATE_RECV;
6488 l2cap_process_reqseq(chan, control->reqseq);
6489
6490 if (!skb_queue_empty(&chan->tx_q))
6491 chan->tx_send_head = skb_peek(&chan->tx_q);
6492 else
6493 chan->tx_send_head = NULL;
6494
6495 /* Rewind next_tx_seq to the point expected
6496 * by the receiver.
6497 */
6498 chan->next_tx_seq = control->reqseq;
6499 chan->unacked_frames = 0;
6500
6501 if (chan->hs_hcon)
6502 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6503 else
6504 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6505
6506 err = l2cap_resegment(chan);
6507
6508 if (!err)
6509 err = l2cap_rx_state_recv(chan, control, skb, event);
6510
6511 return err;
6512 }
6513
6514 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6515 {
6516 /* Make sure reqseq is for a packet that has been sent but not acked */
6517 u16 unacked;
6518
6519 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6520 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6521 }
6522
6523 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6524 struct sk_buff *skb, u8 event)
6525 {
6526 int err = 0;
6527
6528 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6529 control, skb, event, chan->rx_state);
6530
6531 if (__valid_reqseq(chan, control->reqseq)) {
6532 switch (chan->rx_state) {
6533 case L2CAP_RX_STATE_RECV:
6534 err = l2cap_rx_state_recv(chan, control, skb, event);
6535 break;
6536 case L2CAP_RX_STATE_SREJ_SENT:
6537 err = l2cap_rx_state_srej_sent(chan, control, skb,
6538 event);
6539 break;
6540 case L2CAP_RX_STATE_WAIT_P:
6541 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6542 break;
6543 case L2CAP_RX_STATE_WAIT_F:
6544 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6545 break;
6546 default:
6547 /* shut it down */
6548 break;
6549 }
6550 } else {
6551 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6552 control->reqseq, chan->next_tx_seq,
6553 chan->expected_ack_seq);
6554 l2cap_send_disconn_req(chan, ECONNRESET);
6555 }
6556
6557 return err;
6558 }
6559
6560 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6561 struct sk_buff *skb)
6562 {
6563 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6564 chan->rx_state);
6565
6566 if (l2cap_classify_txseq(chan, control->txseq) ==
6567 L2CAP_TXSEQ_EXPECTED) {
6568 l2cap_pass_to_tx(chan, control);
6569
6570 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6571 __next_seq(chan, chan->buffer_seq));
6572
6573 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6574
6575 l2cap_reassemble_sdu(chan, skb, control);
6576 } else {
6577 if (chan->sdu) {
6578 kfree_skb(chan->sdu);
6579 chan->sdu = NULL;
6580 }
6581 chan->sdu_last_frag = NULL;
6582 chan->sdu_len = 0;
6583
6584 if (skb) {
6585 BT_DBG("Freeing %p", skb);
6586 kfree_skb(skb);
6587 }
6588 }
6589
6590 chan->last_acked_seq = control->txseq;
6591 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6592
6593 return 0;
6594 }
6595
6596 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6597 {
6598 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6599 u16 len;
6600 u8 event;
6601
6602 __unpack_control(chan, skb);
6603
6604 len = skb->len;
6605
6606 /*
6607 * We can just drop the corrupted I-frame here.
6608 * Receiver will miss it and start proper recovery
6609 * procedures and ask for retransmission.
6610 */
6611 if (l2cap_check_fcs(chan, skb))
6612 goto drop;
6613
6614 if (!control->sframe && control->sar == L2CAP_SAR_START)
6615 len -= L2CAP_SDULEN_SIZE;
6616
6617 if (chan->fcs == L2CAP_FCS_CRC16)
6618 len -= L2CAP_FCS_SIZE;
6619
6620 if (len > chan->mps) {
6621 l2cap_send_disconn_req(chan, ECONNRESET);
6622 goto drop;
6623 }
6624
6625 if ((chan->mode == L2CAP_MODE_ERTM ||
6626 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6627 goto drop;
6628
6629 if (!control->sframe) {
6630 int err;
6631
6632 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6633 control->sar, control->reqseq, control->final,
6634 control->txseq);
6635
6636 /* Validate F-bit - F=0 always valid, F=1 only
6637 * valid in TX WAIT_F
6638 */
6639 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6640 goto drop;
6641
6642 if (chan->mode != L2CAP_MODE_STREAMING) {
6643 event = L2CAP_EV_RECV_IFRAME;
6644 err = l2cap_rx(chan, control, skb, event);
6645 } else {
6646 err = l2cap_stream_rx(chan, control, skb);
6647 }
6648
6649 if (err)
6650 l2cap_send_disconn_req(chan, ECONNRESET);
6651 } else {
6652 const u8 rx_func_to_event[4] = {
6653 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6654 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6655 };
6656
6657 /* Only I-frames are expected in streaming mode */
6658 if (chan->mode == L2CAP_MODE_STREAMING)
6659 goto drop;
6660
6661 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6662 control->reqseq, control->final, control->poll,
6663 control->super);
6664
6665 if (len != 0) {
6666 BT_ERR("Trailing bytes: %d in sframe", len);
6667 l2cap_send_disconn_req(chan, ECONNRESET);
6668 goto drop;
6669 }
6670
6671 /* Validate F and P bits */
6672 if (control->final && (control->poll ||
6673 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6674 goto drop;
6675
6676 event = rx_func_to_event[control->super];
6677 if (l2cap_rx(chan, control, skb, event))
6678 l2cap_send_disconn_req(chan, ECONNRESET);
6679 }
6680
6681 return 0;
6682
6683 drop:
6684 kfree_skb(skb);
6685 return 0;
6686 }
6687
6688 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6689 {
6690 struct l2cap_conn *conn = chan->conn;
6691 struct l2cap_le_credits pkt;
6692 u16 return_credits;
6693
6694 /* We return more credits to the sender only after the amount of
6695 * credits falls below half of the initial amount.
6696 */
6697 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6698 return;
6699
6700 return_credits = le_max_credits - chan->rx_credits;
6701
6702 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6703
6704 chan->rx_credits += return_credits;
6705
6706 pkt.cid = cpu_to_le16(chan->scid);
6707 pkt.credits = cpu_to_le16(return_credits);
6708
6709 chan->ident = l2cap_get_ident(conn);
6710
6711 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6712 }
6713
6714 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6715 {
6716 int err;
6717
6718 if (!chan->rx_credits) {
6719 BT_ERR("No credits to receive LE L2CAP data");
6720 l2cap_send_disconn_req(chan, ECONNRESET);
6721 return -ENOBUFS;
6722 }
6723
6724 if (chan->imtu < skb->len) {
6725 BT_ERR("Too big LE L2CAP PDU");
6726 return -ENOBUFS;
6727 }
6728
6729 chan->rx_credits--;
6730 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6731
6732 l2cap_chan_le_send_credits(chan);
6733
6734 err = 0;
6735
6736 if (!chan->sdu) {
6737 u16 sdu_len;
6738
6739 sdu_len = get_unaligned_le16(skb->data);
6740 skb_pull(skb, L2CAP_SDULEN_SIZE);
6741
6742 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6743 sdu_len, skb->len, chan->imtu);
6744
6745 if (sdu_len > chan->imtu) {
6746 BT_ERR("Too big LE L2CAP SDU length received");
6747 err = -EMSGSIZE;
6748 goto failed;
6749 }
6750
6751 if (skb->len > sdu_len) {
6752 BT_ERR("Too much LE L2CAP data received");
6753 err = -EINVAL;
6754 goto failed;
6755 }
6756
6757 if (skb->len == sdu_len)
6758 return chan->ops->recv(chan, skb);
6759
6760 chan->sdu = skb;
6761 chan->sdu_len = sdu_len;
6762 chan->sdu_last_frag = skb;
6763
6764 return 0;
6765 }
6766
6767 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6768 chan->sdu->len, skb->len, chan->sdu_len);
6769
6770 if (chan->sdu->len + skb->len > chan->sdu_len) {
6771 BT_ERR("Too much LE L2CAP data received");
6772 err = -EINVAL;
6773 goto failed;
6774 }
6775
6776 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6777 skb = NULL;
6778
6779 if (chan->sdu->len == chan->sdu_len) {
6780 err = chan->ops->recv(chan, chan->sdu);
6781 if (!err) {
6782 chan->sdu = NULL;
6783 chan->sdu_last_frag = NULL;
6784 chan->sdu_len = 0;
6785 }
6786 }
6787
6788 failed:
6789 if (err) {
6790 kfree_skb(skb);
6791 kfree_skb(chan->sdu);
6792 chan->sdu = NULL;
6793 chan->sdu_last_frag = NULL;
6794 chan->sdu_len = 0;
6795 }
6796
6797 /* We can't return an error here since we took care of the skb
6798 * freeing internally. An error return would cause the caller to
6799 * do a double-free of the skb.
6800 */
6801 return 0;
6802 }
6803
6804 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6805 struct sk_buff *skb)
6806 {
6807 struct l2cap_chan *chan;
6808
6809 chan = l2cap_get_chan_by_scid(conn, cid);
6810 if (!chan) {
6811 if (cid == L2CAP_CID_A2MP) {
6812 chan = a2mp_channel_create(conn, skb);
6813 if (!chan) {
6814 kfree_skb(skb);
6815 return;
6816 }
6817
6818 l2cap_chan_lock(chan);
6819 } else {
6820 BT_DBG("unknown cid 0x%4.4x", cid);
6821 /* Drop packet and return */
6822 kfree_skb(skb);
6823 return;
6824 }
6825 }
6826
6827 BT_DBG("chan %p, len %d", chan, skb->len);
6828
6829 /* If we receive data on a fixed channel before the info req/rsp
6830 * procdure is done simply assume that the channel is supported
6831 * and mark it as ready.
6832 */
6833 if (chan->chan_type == L2CAP_CHAN_FIXED)
6834 l2cap_chan_ready(chan);
6835
6836 if (chan->state != BT_CONNECTED)
6837 goto drop;
6838
6839 switch (chan->mode) {
6840 case L2CAP_MODE_LE_FLOWCTL:
6841 if (l2cap_le_data_rcv(chan, skb) < 0)
6842 goto drop;
6843
6844 goto done;
6845
6846 case L2CAP_MODE_BASIC:
6847 /* If socket recv buffers overflows we drop data here
6848 * which is *bad* because L2CAP has to be reliable.
6849 * But we don't have any other choice. L2CAP doesn't
6850 * provide flow control mechanism. */
6851
6852 if (chan->imtu < skb->len) {
6853 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6854 goto drop;
6855 }
6856
6857 if (!chan->ops->recv(chan, skb))
6858 goto done;
6859 break;
6860
6861 case L2CAP_MODE_ERTM:
6862 case L2CAP_MODE_STREAMING:
6863 l2cap_data_rcv(chan, skb);
6864 goto done;
6865
6866 default:
6867 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6868 break;
6869 }
6870
6871 drop:
6872 kfree_skb(skb);
6873
6874 done:
6875 l2cap_chan_unlock(chan);
6876 }
6877
6878 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6879 struct sk_buff *skb)
6880 {
6881 struct hci_conn *hcon = conn->hcon;
6882 struct l2cap_chan *chan;
6883
6884 if (hcon->type != ACL_LINK)
6885 goto free_skb;
6886
6887 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6888 ACL_LINK);
6889 if (!chan)
6890 goto free_skb;
6891
6892 BT_DBG("chan %p, len %d", chan, skb->len);
6893
6894 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6895 goto drop;
6896
6897 if (chan->imtu < skb->len)
6898 goto drop;
6899
6900 /* Store remote BD_ADDR and PSM for msg_name */
6901 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6902 bt_cb(skb)->l2cap.psm = psm;
6903
6904 if (!chan->ops->recv(chan, skb)) {
6905 l2cap_chan_put(chan);
6906 return;
6907 }
6908
6909 drop:
6910 l2cap_chan_put(chan);
6911 free_skb:
6912 kfree_skb(skb);
6913 }
6914
6915 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6916 {
6917 struct l2cap_hdr *lh = (void *) skb->data;
6918 struct hci_conn *hcon = conn->hcon;
6919 u16 cid, len;
6920 __le16 psm;
6921
6922 if (hcon->state != BT_CONNECTED) {
6923 BT_DBG("queueing pending rx skb");
6924 skb_queue_tail(&conn->pending_rx, skb);
6925 return;
6926 }
6927
6928 skb_pull(skb, L2CAP_HDR_SIZE);
6929 cid = __le16_to_cpu(lh->cid);
6930 len = __le16_to_cpu(lh->len);
6931
6932 if (len != skb->len) {
6933 kfree_skb(skb);
6934 return;
6935 }
6936
6937 /* Since we can't actively block incoming LE connections we must
6938 * at least ensure that we ignore incoming data from them.
6939 */
6940 if (hcon->type == LE_LINK &&
6941 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6942 bdaddr_dst_type(hcon))) {
6943 kfree_skb(skb);
6944 return;
6945 }
6946
6947 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6948
6949 switch (cid) {
6950 case L2CAP_CID_SIGNALING:
6951 l2cap_sig_channel(conn, skb);
6952 break;
6953
6954 case L2CAP_CID_CONN_LESS:
6955 psm = get_unaligned((__le16 *) skb->data);
6956 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6957 l2cap_conless_channel(conn, psm, skb);
6958 break;
6959
6960 case L2CAP_CID_LE_SIGNALING:
6961 l2cap_le_sig_channel(conn, skb);
6962 break;
6963
6964 default:
6965 l2cap_data_channel(conn, cid, skb);
6966 break;
6967 }
6968 }
6969
6970 static void process_pending_rx(struct work_struct *work)
6971 {
6972 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6973 pending_rx_work);
6974 struct sk_buff *skb;
6975
6976 BT_DBG("");
6977
6978 while ((skb = skb_dequeue(&conn->pending_rx)))
6979 l2cap_recv_frame(conn, skb);
6980 }
6981
6982 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6983 {
6984 struct l2cap_conn *conn = hcon->l2cap_data;
6985 struct hci_chan *hchan;
6986
6987 if (conn)
6988 return conn;
6989
6990 hchan = hci_chan_create(hcon);
6991 if (!hchan)
6992 return NULL;
6993
6994 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6995 if (!conn) {
6996 hci_chan_del(hchan);
6997 return NULL;
6998 }
6999
7000 kref_init(&conn->ref);
7001 hcon->l2cap_data = conn;
7002 conn->hcon = hci_conn_get(hcon);
7003 conn->hchan = hchan;
7004
7005 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7006
7007 switch (hcon->type) {
7008 case LE_LINK:
7009 if (hcon->hdev->le_mtu) {
7010 conn->mtu = hcon->hdev->le_mtu;
7011 break;
7012 }
7013 /* fall through */
7014 default:
7015 conn->mtu = hcon->hdev->acl_mtu;
7016 break;
7017 }
7018
7019 conn->feat_mask = 0;
7020
7021 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7022
7023 if (hcon->type == ACL_LINK &&
7024 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7025 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7026
7027 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7028 (bredr_sc_enabled(hcon->hdev) ||
7029 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7030 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7031
7032 mutex_init(&conn->ident_lock);
7033 mutex_init(&conn->chan_lock);
7034
7035 INIT_LIST_HEAD(&conn->chan_l);
7036 INIT_LIST_HEAD(&conn->users);
7037
7038 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7039
7040 skb_queue_head_init(&conn->pending_rx);
7041 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7042 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7043
7044 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7045
7046 return conn;
7047 }
7048
7049 static bool is_valid_psm(u16 psm, u8 dst_type) {
7050 if (!psm)
7051 return false;
7052
7053 if (bdaddr_type_is_le(dst_type))
7054 return (psm <= 0x00ff);
7055
7056 /* PSM must be odd and lsb of upper byte must be 0 */
7057 return ((psm & 0x0101) == 0x0001);
7058 }
7059
7060 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7061 bdaddr_t *dst, u8 dst_type)
7062 {
7063 struct l2cap_conn *conn;
7064 struct hci_conn *hcon;
7065 struct hci_dev *hdev;
7066 int err;
7067
7068 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7069 dst_type, __le16_to_cpu(psm));
7070
7071 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7072 if (!hdev)
7073 return -EHOSTUNREACH;
7074
7075 hci_dev_lock(hdev);
7076
7077 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7078 chan->chan_type != L2CAP_CHAN_RAW) {
7079 err = -EINVAL;
7080 goto done;
7081 }
7082
7083 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7084 err = -EINVAL;
7085 goto done;
7086 }
7087
7088 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7089 err = -EINVAL;
7090 goto done;
7091 }
7092
7093 switch (chan->mode) {
7094 case L2CAP_MODE_BASIC:
7095 break;
7096 case L2CAP_MODE_LE_FLOWCTL:
7097 l2cap_le_flowctl_init(chan);
7098 break;
7099 case L2CAP_MODE_ERTM:
7100 case L2CAP_MODE_STREAMING:
7101 if (!disable_ertm)
7102 break;
7103 /* fall through */
7104 default:
7105 err = -EOPNOTSUPP;
7106 goto done;
7107 }
7108
7109 switch (chan->state) {
7110 case BT_CONNECT:
7111 case BT_CONNECT2:
7112 case BT_CONFIG:
7113 /* Already connecting */
7114 err = 0;
7115 goto done;
7116
7117 case BT_CONNECTED:
7118 /* Already connected */
7119 err = -EISCONN;
7120 goto done;
7121
7122 case BT_OPEN:
7123 case BT_BOUND:
7124 /* Can connect */
7125 break;
7126
7127 default:
7128 err = -EBADFD;
7129 goto done;
7130 }
7131
7132 /* Set destination address and psm */
7133 bacpy(&chan->dst, dst);
7134 chan->dst_type = dst_type;
7135
7136 chan->psm = psm;
7137 chan->dcid = cid;
7138
7139 if (bdaddr_type_is_le(dst_type)) {
7140 /* Convert from L2CAP channel address type to HCI address type
7141 */
7142 if (dst_type == BDADDR_LE_PUBLIC)
7143 dst_type = ADDR_LE_DEV_PUBLIC;
7144 else
7145 dst_type = ADDR_LE_DEV_RANDOM;
7146
7147 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7148 hcon = hci_connect_le(hdev, dst, dst_type,
7149 chan->sec_level,
7150 HCI_LE_CONN_TIMEOUT,
7151 HCI_ROLE_SLAVE);
7152 else
7153 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7154 chan->sec_level,
7155 HCI_LE_CONN_TIMEOUT);
7156
7157 } else {
7158 u8 auth_type = l2cap_get_auth_type(chan);
7159 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7160 }
7161
7162 if (IS_ERR(hcon)) {
7163 err = PTR_ERR(hcon);
7164 goto done;
7165 }
7166
7167 conn = l2cap_conn_add(hcon);
7168 if (!conn) {
7169 hci_conn_drop(hcon);
7170 err = -ENOMEM;
7171 goto done;
7172 }
7173
7174 mutex_lock(&conn->chan_lock);
7175 l2cap_chan_lock(chan);
7176
7177 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7178 hci_conn_drop(hcon);
7179 err = -EBUSY;
7180 goto chan_unlock;
7181 }
7182
7183 /* Update source addr of the socket */
7184 bacpy(&chan->src, &hcon->src);
7185 chan->src_type = bdaddr_src_type(hcon);
7186
7187 __l2cap_chan_add(conn, chan);
7188
7189 /* l2cap_chan_add takes its own ref so we can drop this one */
7190 hci_conn_drop(hcon);
7191
7192 l2cap_state_change(chan, BT_CONNECT);
7193 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7194
7195 /* Release chan->sport so that it can be reused by other
7196 * sockets (as it's only used for listening sockets).
7197 */
7198 write_lock(&chan_list_lock);
7199 chan->sport = 0;
7200 write_unlock(&chan_list_lock);
7201
7202 if (hcon->state == BT_CONNECTED) {
7203 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7204 __clear_chan_timer(chan);
7205 if (l2cap_chan_check_security(chan, true))
7206 l2cap_state_change(chan, BT_CONNECTED);
7207 } else
7208 l2cap_do_start(chan);
7209 }
7210
7211 err = 0;
7212
7213 chan_unlock:
7214 l2cap_chan_unlock(chan);
7215 mutex_unlock(&conn->chan_lock);
7216 done:
7217 hci_dev_unlock(hdev);
7218 hci_dev_put(hdev);
7219 return err;
7220 }
7221 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7222
7223 /* ---- L2CAP interface with lower layer (HCI) ---- */
7224
7225 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7226 {
7227 int exact = 0, lm1 = 0, lm2 = 0;
7228 struct l2cap_chan *c;
7229
7230 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7231
7232 /* Find listening sockets and check their link_mode */
7233 read_lock(&chan_list_lock);
7234 list_for_each_entry(c, &chan_list, global_l) {
7235 if (c->state != BT_LISTEN)
7236 continue;
7237
7238 if (!bacmp(&c->src, &hdev->bdaddr)) {
7239 lm1 |= HCI_LM_ACCEPT;
7240 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7241 lm1 |= HCI_LM_MASTER;
7242 exact++;
7243 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7244 lm2 |= HCI_LM_ACCEPT;
7245 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7246 lm2 |= HCI_LM_MASTER;
7247 }
7248 }
7249 read_unlock(&chan_list_lock);
7250
7251 return exact ? lm1 : lm2;
7252 }
7253
7254 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7255 * from an existing channel in the list or from the beginning of the
7256 * global list (by passing NULL as first parameter).
7257 */
7258 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7259 struct hci_conn *hcon)
7260 {
7261 u8 src_type = bdaddr_src_type(hcon);
7262
7263 read_lock(&chan_list_lock);
7264
7265 if (c)
7266 c = list_next_entry(c, global_l);
7267 else
7268 c = list_entry(chan_list.next, typeof(*c), global_l);
7269
7270 list_for_each_entry_from(c, &chan_list, global_l) {
7271 if (c->chan_type != L2CAP_CHAN_FIXED)
7272 continue;
7273 if (c->state != BT_LISTEN)
7274 continue;
7275 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7276 continue;
7277 if (src_type != c->src_type)
7278 continue;
7279
7280 l2cap_chan_hold(c);
7281 read_unlock(&chan_list_lock);
7282 return c;
7283 }
7284
7285 read_unlock(&chan_list_lock);
7286
7287 return NULL;
7288 }
7289
7290 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7291 {
7292 struct hci_dev *hdev = hcon->hdev;
7293 struct l2cap_conn *conn;
7294 struct l2cap_chan *pchan;
7295 u8 dst_type;
7296
7297 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7298 return;
7299
7300 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7301
7302 if (status) {
7303 l2cap_conn_del(hcon, bt_to_errno(status));
7304 return;
7305 }
7306
7307 conn = l2cap_conn_add(hcon);
7308 if (!conn)
7309 return;
7310
7311 dst_type = bdaddr_dst_type(hcon);
7312
7313 /* If device is blocked, do not create channels for it */
7314 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7315 return;
7316
7317 /* Find fixed channels and notify them of the new connection. We
7318 * use multiple individual lookups, continuing each time where
7319 * we left off, because the list lock would prevent calling the
7320 * potentially sleeping l2cap_chan_lock() function.
7321 */
7322 pchan = l2cap_global_fixed_chan(NULL, hcon);
7323 while (pchan) {
7324 struct l2cap_chan *chan, *next;
7325
7326 /* Client fixed channels should override server ones */
7327 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7328 goto next;
7329
7330 l2cap_chan_lock(pchan);
7331 chan = pchan->ops->new_connection(pchan);
7332 if (chan) {
7333 bacpy(&chan->src, &hcon->src);
7334 bacpy(&chan->dst, &hcon->dst);
7335 chan->src_type = bdaddr_src_type(hcon);
7336 chan->dst_type = dst_type;
7337
7338 __l2cap_chan_add(conn, chan);
7339 }
7340
7341 l2cap_chan_unlock(pchan);
7342 next:
7343 next = l2cap_global_fixed_chan(pchan, hcon);
7344 l2cap_chan_put(pchan);
7345 pchan = next;
7346 }
7347
7348 l2cap_conn_ready(conn);
7349 }
7350
7351 int l2cap_disconn_ind(struct hci_conn *hcon)
7352 {
7353 struct l2cap_conn *conn = hcon->l2cap_data;
7354
7355 BT_DBG("hcon %p", hcon);
7356
7357 if (!conn)
7358 return HCI_ERROR_REMOTE_USER_TERM;
7359 return conn->disc_reason;
7360 }
7361
7362 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7363 {
7364 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7365 return;
7366
7367 BT_DBG("hcon %p reason %d", hcon, reason);
7368
7369 l2cap_conn_del(hcon, bt_to_errno(reason));
7370 }
7371
7372 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7373 {
7374 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7375 return;
7376
7377 if (encrypt == 0x00) {
7378 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7379 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7380 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7381 chan->sec_level == BT_SECURITY_FIPS)
7382 l2cap_chan_close(chan, ECONNREFUSED);
7383 } else {
7384 if (chan->sec_level == BT_SECURITY_MEDIUM)
7385 __clear_chan_timer(chan);
7386 }
7387 }
7388
7389 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7390 {
7391 struct l2cap_conn *conn = hcon->l2cap_data;
7392 struct l2cap_chan *chan;
7393
7394 if (!conn)
7395 return;
7396
7397 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7398
7399 mutex_lock(&conn->chan_lock);
7400
7401 list_for_each_entry(chan, &conn->chan_l, list) {
7402 l2cap_chan_lock(chan);
7403
7404 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7405 state_to_string(chan->state));
7406
7407 if (chan->scid == L2CAP_CID_A2MP) {
7408 l2cap_chan_unlock(chan);
7409 continue;
7410 }
7411
7412 if (!status && encrypt)
7413 chan->sec_level = hcon->sec_level;
7414
7415 if (!__l2cap_no_conn_pending(chan)) {
7416 l2cap_chan_unlock(chan);
7417 continue;
7418 }
7419
7420 if (!status && (chan->state == BT_CONNECTED ||
7421 chan->state == BT_CONFIG)) {
7422 chan->ops->resume(chan);
7423 l2cap_check_encryption(chan, encrypt);
7424 l2cap_chan_unlock(chan);
7425 continue;
7426 }
7427
7428 if (chan->state == BT_CONNECT) {
7429 if (!status)
7430 l2cap_start_connection(chan);
7431 else
7432 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7433 } else if (chan->state == BT_CONNECT2 &&
7434 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7435 struct l2cap_conn_rsp rsp;
7436 __u16 res, stat;
7437
7438 if (!status) {
7439 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7440 res = L2CAP_CR_PEND;
7441 stat = L2CAP_CS_AUTHOR_PEND;
7442 chan->ops->defer(chan);
7443 } else {
7444 l2cap_state_change(chan, BT_CONFIG);
7445 res = L2CAP_CR_SUCCESS;
7446 stat = L2CAP_CS_NO_INFO;
7447 }
7448 } else {
7449 l2cap_state_change(chan, BT_DISCONN);
7450 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7451 res = L2CAP_CR_SEC_BLOCK;
7452 stat = L2CAP_CS_NO_INFO;
7453 }
7454
7455 rsp.scid = cpu_to_le16(chan->dcid);
7456 rsp.dcid = cpu_to_le16(chan->scid);
7457 rsp.result = cpu_to_le16(res);
7458 rsp.status = cpu_to_le16(stat);
7459 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7460 sizeof(rsp), &rsp);
7461
7462 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7463 res == L2CAP_CR_SUCCESS) {
7464 char buf[128];
7465 set_bit(CONF_REQ_SENT, &chan->conf_state);
7466 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7467 L2CAP_CONF_REQ,
7468 l2cap_build_conf_req(chan, buf),
7469 buf);
7470 chan->num_conf_req++;
7471 }
7472 }
7473
7474 l2cap_chan_unlock(chan);
7475 }
7476
7477 mutex_unlock(&conn->chan_lock);
7478 }
7479
7480 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7481 {
7482 struct l2cap_conn *conn = hcon->l2cap_data;
7483 struct l2cap_hdr *hdr;
7484 int len;
7485
7486 /* For AMP controller do not create l2cap conn */
7487 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7488 goto drop;
7489
7490 if (!conn)
7491 conn = l2cap_conn_add(hcon);
7492
7493 if (!conn)
7494 goto drop;
7495
7496 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7497
7498 switch (flags) {
7499 case ACL_START:
7500 case ACL_START_NO_FLUSH:
7501 case ACL_COMPLETE:
7502 if (conn->rx_len) {
7503 BT_ERR("Unexpected start frame (len %d)", skb->len);
7504 kfree_skb(conn->rx_skb);
7505 conn->rx_skb = NULL;
7506 conn->rx_len = 0;
7507 l2cap_conn_unreliable(conn, ECOMM);
7508 }
7509
7510 /* Start fragment always begin with Basic L2CAP header */
7511 if (skb->len < L2CAP_HDR_SIZE) {
7512 BT_ERR("Frame is too short (len %d)", skb->len);
7513 l2cap_conn_unreliable(conn, ECOMM);
7514 goto drop;
7515 }
7516
7517 hdr = (struct l2cap_hdr *) skb->data;
7518 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7519
7520 if (len == skb->len) {
7521 /* Complete frame received */
7522 l2cap_recv_frame(conn, skb);
7523 return;
7524 }
7525
7526 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7527
7528 if (skb->len > len) {
7529 BT_ERR("Frame is too long (len %d, expected len %d)",
7530 skb->len, len);
7531 l2cap_conn_unreliable(conn, ECOMM);
7532 goto drop;
7533 }
7534
7535 /* Allocate skb for the complete frame (with header) */
7536 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7537 if (!conn->rx_skb)
7538 goto drop;
7539
7540 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7541 skb->len);
7542 conn->rx_len = len - skb->len;
7543 break;
7544
7545 case ACL_CONT:
7546 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7547
7548 if (!conn->rx_len) {
7549 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7550 l2cap_conn_unreliable(conn, ECOMM);
7551 goto drop;
7552 }
7553
7554 if (skb->len > conn->rx_len) {
7555 BT_ERR("Fragment is too long (len %d, expected %d)",
7556 skb->len, conn->rx_len);
7557 kfree_skb(conn->rx_skb);
7558 conn->rx_skb = NULL;
7559 conn->rx_len = 0;
7560 l2cap_conn_unreliable(conn, ECOMM);
7561 goto drop;
7562 }
7563
7564 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7565 skb->len);
7566 conn->rx_len -= skb->len;
7567
7568 if (!conn->rx_len) {
7569 /* Complete frame received. l2cap_recv_frame
7570 * takes ownership of the skb so set the global
7571 * rx_skb pointer to NULL first.
7572 */
7573 struct sk_buff *rx_skb = conn->rx_skb;
7574 conn->rx_skb = NULL;
7575 l2cap_recv_frame(conn, rx_skb);
7576 }
7577 break;
7578 }
7579
7580 drop:
7581 kfree_skb(skb);
7582 }
7583
7584 static struct hci_cb l2cap_cb = {
7585 .name = "L2CAP",
7586 .connect_cfm = l2cap_connect_cfm,
7587 .disconn_cfm = l2cap_disconn_cfm,
7588 .security_cfm = l2cap_security_cfm,
7589 };
7590
7591 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7592 {
7593 struct l2cap_chan *c;
7594
7595 read_lock(&chan_list_lock);
7596
7597 list_for_each_entry(c, &chan_list, global_l) {
7598 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7599 &c->src, c->src_type, &c->dst, c->dst_type,
7600 c->state, __le16_to_cpu(c->psm),
7601 c->scid, c->dcid, c->imtu, c->omtu,
7602 c->sec_level, c->mode);
7603 }
7604
7605 read_unlock(&chan_list_lock);
7606
7607 return 0;
7608 }
7609
7610 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7611 {
7612 return single_open(file, l2cap_debugfs_show, inode->i_private);
7613 }
7614
7615 static const struct file_operations l2cap_debugfs_fops = {
7616 .open = l2cap_debugfs_open,
7617 .read = seq_read,
7618 .llseek = seq_lseek,
7619 .release = single_release,
7620 };
7621
7622 static struct dentry *l2cap_debugfs;
7623
7624 int __init l2cap_init(void)
7625 {
7626 int err;
7627
7628 err = l2cap_init_sockets();
7629 if (err < 0)
7630 return err;
7631
7632 hci_register_cb(&l2cap_cb);
7633
7634 if (IS_ERR_OR_NULL(bt_debugfs))
7635 return 0;
7636
7637 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7638 NULL, &l2cap_debugfs_fops);
7639
7640 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7641 &le_max_credits);
7642 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7643 &le_default_mps);
7644
7645 return 0;
7646 }
7647
7648 void l2cap_exit(void)
7649 {
7650 debugfs_remove(l2cap_debugfs);
7651 hci_unregister_cb(&l2cap_cb);
7652 l2cap_cleanup_sockets();
7653 }
7654
7655 module_param(disable_ertm, bool, 0644);
7656 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Ubuntu Artful kernel mirror