]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - net/bluetooth/l2cap_core.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
iwlwifi: mvm: fix a few wd_disable comments
[mirror_ubuntu-bionic-kernel.git] / net / bluetooth / l2cap_core.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35
36 #include <net/bluetooth/bluetooth.h>
37 #include <net/bluetooth/hci_core.h>
38 #include <net/bluetooth/l2cap.h>
39
40 #include "smp.h"
41 #include "a2mp.h"
42 #include "amp.h"
43 #include "6lowpan.h"
44
45 bool disable_ertm;
46
47 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
48 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
49
50 static LIST_HEAD(chan_list);
51 static DEFINE_RWLOCK(chan_list_lock);
52
53 static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54 static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
55
56 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
57 u8 code, u8 ident, u16 dlen, void *data);
58 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 void *data);
60 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
61 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62
63 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
64 struct sk_buff_head *skbs, u8 event);
65
66 static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
67 {
68 if (hcon->type == LE_LINK) {
69 if (type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
71 else
72 return BDADDR_LE_RANDOM;
73 }
74
75 return BDADDR_BREDR;
76 }
77
78 /* ---- L2CAP channels ---- */
79
80 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
81 u16 cid)
82 {
83 struct l2cap_chan *c;
84
85 list_for_each_entry(c, &conn->chan_l, list) {
86 if (c->dcid == cid)
87 return c;
88 }
89 return NULL;
90 }
91
92 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
93 u16 cid)
94 {
95 struct l2cap_chan *c;
96
97 list_for_each_entry(c, &conn->chan_l, list) {
98 if (c->scid == cid)
99 return c;
100 }
101 return NULL;
102 }
103
104 /* Find channel with given SCID.
105 * Returns locked channel. */
106 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
107 u16 cid)
108 {
109 struct l2cap_chan *c;
110
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_scid(conn, cid);
113 if (c)
114 l2cap_chan_lock(c);
115 mutex_unlock(&conn->chan_lock);
116
117 return c;
118 }
119
120 /* Find channel with given DCID.
121 * Returns locked channel.
122 */
123 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
124 u16 cid)
125 {
126 struct l2cap_chan *c;
127
128 mutex_lock(&conn->chan_lock);
129 c = __l2cap_get_chan_by_dcid(conn, cid);
130 if (c)
131 l2cap_chan_lock(c);
132 mutex_unlock(&conn->chan_lock);
133
134 return c;
135 }
136
137 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
138 u8 ident)
139 {
140 struct l2cap_chan *c;
141
142 list_for_each_entry(c, &conn->chan_l, list) {
143 if (c->ident == ident)
144 return c;
145 }
146 return NULL;
147 }
148
149 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 u8 ident)
151 {
152 struct l2cap_chan *c;
153
154 mutex_lock(&conn->chan_lock);
155 c = __l2cap_get_chan_by_ident(conn, ident);
156 if (c)
157 l2cap_chan_lock(c);
158 mutex_unlock(&conn->chan_lock);
159
160 return c;
161 }
162
163 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
164 {
165 struct l2cap_chan *c;
166
167 list_for_each_entry(c, &chan_list, global_l) {
168 if (c->sport == psm && !bacmp(&c->src, src))
169 return c;
170 }
171 return NULL;
172 }
173
174 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
175 {
176 int err;
177
178 write_lock(&chan_list_lock);
179
180 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
181 err = -EADDRINUSE;
182 goto done;
183 }
184
185 if (psm) {
186 chan->psm = psm;
187 chan->sport = psm;
188 err = 0;
189 } else {
190 u16 p;
191
192 err = -EINVAL;
193 for (p = 0x1001; p < 0x1100; p += 2)
194 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
195 chan->psm = cpu_to_le16(p);
196 chan->sport = cpu_to_le16(p);
197 err = 0;
198 break;
199 }
200 }
201
202 done:
203 write_unlock(&chan_list_lock);
204 return err;
205 }
206
207 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
208 {
209 write_lock(&chan_list_lock);
210
211 chan->scid = scid;
212
213 write_unlock(&chan_list_lock);
214
215 return 0;
216 }
217
218 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
219 {
220 u16 cid, dyn_end;
221
222 if (conn->hcon->type == LE_LINK)
223 dyn_end = L2CAP_CID_LE_DYN_END;
224 else
225 dyn_end = L2CAP_CID_DYN_END;
226
227 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
228 if (!__l2cap_get_chan_by_scid(conn, cid))
229 return cid;
230 }
231
232 return 0;
233 }
234
235 static void l2cap_state_change(struct l2cap_chan *chan, int state)
236 {
237 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
238 state_to_string(state));
239
240 chan->state = state;
241 chan->ops->state_change(chan, state, 0);
242 }
243
244 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
245 int state, int err)
246 {
247 chan->state = state;
248 chan->ops->state_change(chan, chan->state, err);
249 }
250
251 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
252 {
253 chan->ops->state_change(chan, chan->state, err);
254 }
255
256 static void __set_retrans_timer(struct l2cap_chan *chan)
257 {
258 if (!delayed_work_pending(&chan->monitor_timer) &&
259 chan->retrans_timeout) {
260 l2cap_set_timer(chan, &chan->retrans_timer,
261 msecs_to_jiffies(chan->retrans_timeout));
262 }
263 }
264
265 static void __set_monitor_timer(struct l2cap_chan *chan)
266 {
267 __clear_retrans_timer(chan);
268 if (chan->monitor_timeout) {
269 l2cap_set_timer(chan, &chan->monitor_timer,
270 msecs_to_jiffies(chan->monitor_timeout));
271 }
272 }
273
274 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
275 u16 seq)
276 {
277 struct sk_buff *skb;
278
279 skb_queue_walk(head, skb) {
280 if (bt_cb(skb)->control.txseq == seq)
281 return skb;
282 }
283
284 return NULL;
285 }
286
287 /* ---- L2CAP sequence number lists ---- */
288
289 /* For ERTM, ordered lists of sequence numbers must be tracked for
290 * SREJ requests that are received and for frames that are to be
291 * retransmitted. These seq_list functions implement a singly-linked
292 * list in an array, where membership in the list can also be checked
293 * in constant time. Items can also be added to the tail of the list
294 * and removed from the head in constant time, without further memory
295 * allocs or frees.
296 */
297
298 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
299 {
300 size_t alloc_size, i;
301
302 /* Allocated size is a power of 2 to map sequence numbers
303 * (which may be up to 14 bits) in to a smaller array that is
304 * sized for the negotiated ERTM transmit windows.
305 */
306 alloc_size = roundup_pow_of_two(size);
307
308 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
309 if (!seq_list->list)
310 return -ENOMEM;
311
312 seq_list->mask = alloc_size - 1;
313 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
314 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
315 for (i = 0; i < alloc_size; i++)
316 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
317
318 return 0;
319 }
320
321 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
322 {
323 kfree(seq_list->list);
324 }
325
326 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
327 u16 seq)
328 {
329 /* Constant-time check for list membership */
330 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
331 }
332
333 static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
334 {
335 u16 mask = seq_list->mask;
336
337 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
338 /* In case someone tries to pop the head of an empty list */
339 return L2CAP_SEQ_LIST_CLEAR;
340 } else if (seq_list->head == seq) {
341 /* Head can be removed in constant time */
342 seq_list->head = seq_list->list[seq & mask];
343 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
344
345 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
346 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
347 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
348 }
349 } else {
350 /* Walk the list to find the sequence number */
351 u16 prev = seq_list->head;
352 while (seq_list->list[prev & mask] != seq) {
353 prev = seq_list->list[prev & mask];
354 if (prev == L2CAP_SEQ_LIST_TAIL)
355 return L2CAP_SEQ_LIST_CLEAR;
356 }
357
358 /* Unlink the number from the list and clear it */
359 seq_list->list[prev & mask] = seq_list->list[seq & mask];
360 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
361 if (seq_list->tail == seq)
362 seq_list->tail = prev;
363 }
364 return seq;
365 }
366
367 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
368 {
369 /* Remove the head in constant time */
370 return l2cap_seq_list_remove(seq_list, seq_list->head);
371 }
372
373 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
374 {
375 u16 i;
376
377 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
378 return;
379
380 for (i = 0; i <= seq_list->mask; i++)
381 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
382
383 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
384 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
385 }
386
387 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
388 {
389 u16 mask = seq_list->mask;
390
391 /* All appends happen in constant time */
392
393 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
394 return;
395
396 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
397 seq_list->head = seq;
398 else
399 seq_list->list[seq_list->tail & mask] = seq;
400
401 seq_list->tail = seq;
402 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
403 }
404
405 static void l2cap_chan_timeout(struct work_struct *work)
406 {
407 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
408 chan_timer.work);
409 struct l2cap_conn *conn = chan->conn;
410 int reason;
411
412 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
413
414 mutex_lock(&conn->chan_lock);
415 l2cap_chan_lock(chan);
416
417 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
418 reason = ECONNREFUSED;
419 else if (chan->state == BT_CONNECT &&
420 chan->sec_level != BT_SECURITY_SDP)
421 reason = ECONNREFUSED;
422 else
423 reason = ETIMEDOUT;
424
425 l2cap_chan_close(chan, reason);
426
427 l2cap_chan_unlock(chan);
428
429 chan->ops->close(chan);
430 mutex_unlock(&conn->chan_lock);
431
432 l2cap_chan_put(chan);
433 }
434
435 struct l2cap_chan *l2cap_chan_create(void)
436 {
437 struct l2cap_chan *chan;
438
439 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
440 if (!chan)
441 return NULL;
442
443 mutex_init(&chan->lock);
444
445 write_lock(&chan_list_lock);
446 list_add(&chan->global_l, &chan_list);
447 write_unlock(&chan_list_lock);
448
449 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
450
451 chan->state = BT_OPEN;
452
453 kref_init(&chan->kref);
454
455 /* This flag is cleared in l2cap_chan_ready() */
456 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
457
458 BT_DBG("chan %p", chan);
459
460 return chan;
461 }
462
463 static void l2cap_chan_destroy(struct kref *kref)
464 {
465 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
466
467 BT_DBG("chan %p", chan);
468
469 write_lock(&chan_list_lock);
470 list_del(&chan->global_l);
471 write_unlock(&chan_list_lock);
472
473 kfree(chan);
474 }
475
476 void l2cap_chan_hold(struct l2cap_chan *c)
477 {
478 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
479
480 kref_get(&c->kref);
481 }
482
483 void l2cap_chan_put(struct l2cap_chan *c)
484 {
485 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
486
487 kref_put(&c->kref, l2cap_chan_destroy);
488 }
489
490 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
491 {
492 chan->fcs = L2CAP_FCS_CRC16;
493 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
494 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
495 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
496 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
497 chan->sec_level = BT_SECURITY_LOW;
498
499 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
500 }
501
502 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
503 {
504 chan->sdu = NULL;
505 chan->sdu_last_frag = NULL;
506 chan->sdu_len = 0;
507 chan->tx_credits = 0;
508 chan->rx_credits = le_max_credits;
509 chan->mps = min_t(u16, chan->imtu, L2CAP_LE_DEFAULT_MPS);
510
511 skb_queue_head_init(&chan->tx_q);
512 }
513
514 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
515 {
516 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
517 __le16_to_cpu(chan->psm), chan->dcid);
518
519 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
520
521 chan->conn = conn;
522
523 switch (chan->chan_type) {
524 case L2CAP_CHAN_CONN_ORIENTED:
525 if (conn->hcon->type == LE_LINK) {
526 if (chan->dcid == L2CAP_CID_ATT) {
527 chan->omtu = L2CAP_DEFAULT_MTU;
528 chan->scid = L2CAP_CID_ATT;
529 } else {
530 chan->scid = l2cap_alloc_cid(conn);
531 }
532 } else {
533 /* Alloc CID for connection-oriented socket */
534 chan->scid = l2cap_alloc_cid(conn);
535 chan->omtu = L2CAP_DEFAULT_MTU;
536 }
537 break;
538
539 case L2CAP_CHAN_CONN_LESS:
540 /* Connectionless socket */
541 chan->scid = L2CAP_CID_CONN_LESS;
542 chan->dcid = L2CAP_CID_CONN_LESS;
543 chan->omtu = L2CAP_DEFAULT_MTU;
544 break;
545
546 case L2CAP_CHAN_CONN_FIX_A2MP:
547 chan->scid = L2CAP_CID_A2MP;
548 chan->dcid = L2CAP_CID_A2MP;
549 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
550 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
551 break;
552
553 default:
554 /* Raw socket can send/recv signalling messages only */
555 chan->scid = L2CAP_CID_SIGNALING;
556 chan->dcid = L2CAP_CID_SIGNALING;
557 chan->omtu = L2CAP_DEFAULT_MTU;
558 }
559
560 chan->local_id = L2CAP_BESTEFFORT_ID;
561 chan->local_stype = L2CAP_SERV_BESTEFFORT;
562 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
563 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
564 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
565 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
566
567 l2cap_chan_hold(chan);
568
569 hci_conn_hold(conn->hcon);
570
571 list_add(&chan->list, &conn->chan_l);
572 }
573
574 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
575 {
576 mutex_lock(&conn->chan_lock);
577 __l2cap_chan_add(conn, chan);
578 mutex_unlock(&conn->chan_lock);
579 }
580
581 void l2cap_chan_del(struct l2cap_chan *chan, int err)
582 {
583 struct l2cap_conn *conn = chan->conn;
584
585 __clear_chan_timer(chan);
586
587 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
588
589 if (conn) {
590 struct amp_mgr *mgr = conn->hcon->amp_mgr;
591 /* Delete from channel list */
592 list_del(&chan->list);
593
594 l2cap_chan_put(chan);
595
596 chan->conn = NULL;
597
598 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
599 hci_conn_drop(conn->hcon);
600
601 if (mgr && mgr->bredr_chan == chan)
602 mgr->bredr_chan = NULL;
603 }
604
605 if (chan->hs_hchan) {
606 struct hci_chan *hs_hchan = chan->hs_hchan;
607
608 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
609 amp_disconnect_logical_link(hs_hchan);
610 }
611
612 chan->ops->teardown(chan, err);
613
614 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
615 return;
616
617 switch(chan->mode) {
618 case L2CAP_MODE_BASIC:
619 break;
620
621 case L2CAP_MODE_LE_FLOWCTL:
622 skb_queue_purge(&chan->tx_q);
623 break;
624
625 case L2CAP_MODE_ERTM:
626 __clear_retrans_timer(chan);
627 __clear_monitor_timer(chan);
628 __clear_ack_timer(chan);
629
630 skb_queue_purge(&chan->srej_q);
631
632 l2cap_seq_list_free(&chan->srej_list);
633 l2cap_seq_list_free(&chan->retrans_list);
634
635 /* fall through */
636
637 case L2CAP_MODE_STREAMING:
638 skb_queue_purge(&chan->tx_q);
639 break;
640 }
641
642 return;
643 }
644
645 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
646 {
647 struct l2cap_conn *conn = chan->conn;
648 struct l2cap_le_conn_rsp rsp;
649 u16 result;
650
651 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
652 result = L2CAP_CR_AUTHORIZATION;
653 else
654 result = L2CAP_CR_BAD_PSM;
655
656 l2cap_state_change(chan, BT_DISCONN);
657
658 rsp.dcid = cpu_to_le16(chan->scid);
659 rsp.mtu = cpu_to_le16(chan->imtu);
660 rsp.mps = cpu_to_le16(chan->mps);
661 rsp.credits = cpu_to_le16(chan->rx_credits);
662 rsp.result = cpu_to_le16(result);
663
664 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
665 &rsp);
666 }
667
668 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
669 {
670 struct l2cap_conn *conn = chan->conn;
671 struct l2cap_conn_rsp rsp;
672 u16 result;
673
674 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
675 result = L2CAP_CR_SEC_BLOCK;
676 else
677 result = L2CAP_CR_BAD_PSM;
678
679 l2cap_state_change(chan, BT_DISCONN);
680
681 rsp.scid = cpu_to_le16(chan->dcid);
682 rsp.dcid = cpu_to_le16(chan->scid);
683 rsp.result = cpu_to_le16(result);
684 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
685
686 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
687 }
688
689 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
690 {
691 struct l2cap_conn *conn = chan->conn;
692
693 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
694
695 switch (chan->state) {
696 case BT_LISTEN:
697 chan->ops->teardown(chan, 0);
698 break;
699
700 case BT_CONNECTED:
701 case BT_CONFIG:
702 /* ATT uses L2CAP_CHAN_CONN_ORIENTED so we must also
703 * check for chan->psm.
704 */
705 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && chan->psm) {
706 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
707 l2cap_send_disconn_req(chan, reason);
708 } else
709 l2cap_chan_del(chan, reason);
710 break;
711
712 case BT_CONNECT2:
713 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
714 if (conn->hcon->type == ACL_LINK)
715 l2cap_chan_connect_reject(chan);
716 else if (conn->hcon->type == LE_LINK)
717 l2cap_chan_le_connect_reject(chan);
718 }
719
720 l2cap_chan_del(chan, reason);
721 break;
722
723 case BT_CONNECT:
724 case BT_DISCONN:
725 l2cap_chan_del(chan, reason);
726 break;
727
728 default:
729 chan->ops->teardown(chan, 0);
730 break;
731 }
732 }
733
734 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
735 {
736 switch (chan->chan_type) {
737 case L2CAP_CHAN_RAW:
738 switch (chan->sec_level) {
739 case BT_SECURITY_HIGH:
740 return HCI_AT_DEDICATED_BONDING_MITM;
741 case BT_SECURITY_MEDIUM:
742 return HCI_AT_DEDICATED_BONDING;
743 default:
744 return HCI_AT_NO_BONDING;
745 }
746 break;
747 case L2CAP_CHAN_CONN_LESS:
748 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_3DSP)) {
749 if (chan->sec_level == BT_SECURITY_LOW)
750 chan->sec_level = BT_SECURITY_SDP;
751 }
752 if (chan->sec_level == BT_SECURITY_HIGH)
753 return HCI_AT_NO_BONDING_MITM;
754 else
755 return HCI_AT_NO_BONDING;
756 break;
757 case L2CAP_CHAN_CONN_ORIENTED:
758 if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
759 if (chan->sec_level == BT_SECURITY_LOW)
760 chan->sec_level = BT_SECURITY_SDP;
761
762 if (chan->sec_level == BT_SECURITY_HIGH)
763 return HCI_AT_NO_BONDING_MITM;
764 else
765 return HCI_AT_NO_BONDING;
766 }
767 /* fall through */
768 default:
769 switch (chan->sec_level) {
770 case BT_SECURITY_HIGH:
771 return HCI_AT_GENERAL_BONDING_MITM;
772 case BT_SECURITY_MEDIUM:
773 return HCI_AT_GENERAL_BONDING;
774 default:
775 return HCI_AT_NO_BONDING;
776 }
777 break;
778 }
779 }
780
781 /* Service level security */
782 int l2cap_chan_check_security(struct l2cap_chan *chan)
783 {
784 struct l2cap_conn *conn = chan->conn;
785 __u8 auth_type;
786
787 if (conn->hcon->type == LE_LINK)
788 return smp_conn_security(conn->hcon, chan->sec_level);
789
790 auth_type = l2cap_get_auth_type(chan);
791
792 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
793 }
794
795 static u8 l2cap_get_ident(struct l2cap_conn *conn)
796 {
797 u8 id;
798
799 /* Get next available identificator.
800 * 1 - 128 are used by kernel.
801 * 129 - 199 are reserved.
802 * 200 - 254 are used by utilities like l2ping, etc.
803 */
804
805 spin_lock(&conn->lock);
806
807 if (++conn->tx_ident > 128)
808 conn->tx_ident = 1;
809
810 id = conn->tx_ident;
811
812 spin_unlock(&conn->lock);
813
814 return id;
815 }
816
817 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
818 void *data)
819 {
820 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
821 u8 flags;
822
823 BT_DBG("code 0x%2.2x", code);
824
825 if (!skb)
826 return;
827
828 if (lmp_no_flush_capable(conn->hcon->hdev))
829 flags = ACL_START_NO_FLUSH;
830 else
831 flags = ACL_START;
832
833 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
834 skb->priority = HCI_PRIO_MAX;
835
836 hci_send_acl(conn->hchan, skb, flags);
837 }
838
839 static bool __chan_is_moving(struct l2cap_chan *chan)
840 {
841 return chan->move_state != L2CAP_MOVE_STABLE &&
842 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
843 }
844
845 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
846 {
847 struct hci_conn *hcon = chan->conn->hcon;
848 u16 flags;
849
850 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
851 skb->priority);
852
853 if (chan->hs_hcon && !__chan_is_moving(chan)) {
854 if (chan->hs_hchan)
855 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
856 else
857 kfree_skb(skb);
858
859 return;
860 }
861
862 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
863 lmp_no_flush_capable(hcon->hdev))
864 flags = ACL_START_NO_FLUSH;
865 else
866 flags = ACL_START;
867
868 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
869 hci_send_acl(chan->conn->hchan, skb, flags);
870 }
871
872 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
873 {
874 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
875 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
876
877 if (enh & L2CAP_CTRL_FRAME_TYPE) {
878 /* S-Frame */
879 control->sframe = 1;
880 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
881 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
882
883 control->sar = 0;
884 control->txseq = 0;
885 } else {
886 /* I-Frame */
887 control->sframe = 0;
888 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
889 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
890
891 control->poll = 0;
892 control->super = 0;
893 }
894 }
895
896 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
897 {
898 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
899 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
900
901 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
902 /* S-Frame */
903 control->sframe = 1;
904 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
905 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
906
907 control->sar = 0;
908 control->txseq = 0;
909 } else {
910 /* I-Frame */
911 control->sframe = 0;
912 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
913 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
914
915 control->poll = 0;
916 control->super = 0;
917 }
918 }
919
920 static inline void __unpack_control(struct l2cap_chan *chan,
921 struct sk_buff *skb)
922 {
923 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
924 __unpack_extended_control(get_unaligned_le32(skb->data),
925 &bt_cb(skb)->control);
926 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
927 } else {
928 __unpack_enhanced_control(get_unaligned_le16(skb->data),
929 &bt_cb(skb)->control);
930 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
931 }
932 }
933
934 static u32 __pack_extended_control(struct l2cap_ctrl *control)
935 {
936 u32 packed;
937
938 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
939 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
940
941 if (control->sframe) {
942 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
943 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
944 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
945 } else {
946 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
947 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
948 }
949
950 return packed;
951 }
952
953 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
954 {
955 u16 packed;
956
957 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
958 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
959
960 if (control->sframe) {
961 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
962 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
963 packed |= L2CAP_CTRL_FRAME_TYPE;
964 } else {
965 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
966 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
967 }
968
969 return packed;
970 }
971
972 static inline void __pack_control(struct l2cap_chan *chan,
973 struct l2cap_ctrl *control,
974 struct sk_buff *skb)
975 {
976 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
977 put_unaligned_le32(__pack_extended_control(control),
978 skb->data + L2CAP_HDR_SIZE);
979 } else {
980 put_unaligned_le16(__pack_enhanced_control(control),
981 skb->data + L2CAP_HDR_SIZE);
982 }
983 }
984
985 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
986 {
987 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
988 return L2CAP_EXT_HDR_SIZE;
989 else
990 return L2CAP_ENH_HDR_SIZE;
991 }
992
993 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
994 u32 control)
995 {
996 struct sk_buff *skb;
997 struct l2cap_hdr *lh;
998 int hlen = __ertm_hdr_size(chan);
999
1000 if (chan->fcs == L2CAP_FCS_CRC16)
1001 hlen += L2CAP_FCS_SIZE;
1002
1003 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1004
1005 if (!skb)
1006 return ERR_PTR(-ENOMEM);
1007
1008 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1009 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1010 lh->cid = cpu_to_le16(chan->dcid);
1011
1012 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1013 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1014 else
1015 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1016
1017 if (chan->fcs == L2CAP_FCS_CRC16) {
1018 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1019 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1020 }
1021
1022 skb->priority = HCI_PRIO_MAX;
1023 return skb;
1024 }
1025
1026 static void l2cap_send_sframe(struct l2cap_chan *chan,
1027 struct l2cap_ctrl *control)
1028 {
1029 struct sk_buff *skb;
1030 u32 control_field;
1031
1032 BT_DBG("chan %p, control %p", chan, control);
1033
1034 if (!control->sframe)
1035 return;
1036
1037 if (__chan_is_moving(chan))
1038 return;
1039
1040 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1041 !control->poll)
1042 control->final = 1;
1043
1044 if (control->super == L2CAP_SUPER_RR)
1045 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1046 else if (control->super == L2CAP_SUPER_RNR)
1047 set_bit(CONN_RNR_SENT, &chan->conn_state);
1048
1049 if (control->super != L2CAP_SUPER_SREJ) {
1050 chan->last_acked_seq = control->reqseq;
1051 __clear_ack_timer(chan);
1052 }
1053
1054 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1055 control->final, control->poll, control->super);
1056
1057 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1058 control_field = __pack_extended_control(control);
1059 else
1060 control_field = __pack_enhanced_control(control);
1061
1062 skb = l2cap_create_sframe_pdu(chan, control_field);
1063 if (!IS_ERR(skb))
1064 l2cap_do_send(chan, skb);
1065 }
1066
1067 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1068 {
1069 struct l2cap_ctrl control;
1070
1071 BT_DBG("chan %p, poll %d", chan, poll);
1072
1073 memset(&control, 0, sizeof(control));
1074 control.sframe = 1;
1075 control.poll = poll;
1076
1077 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1078 control.super = L2CAP_SUPER_RNR;
1079 else
1080 control.super = L2CAP_SUPER_RR;
1081
1082 control.reqseq = chan->buffer_seq;
1083 l2cap_send_sframe(chan, &control);
1084 }
1085
1086 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1087 {
1088 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1089 }
1090
1091 static bool __amp_capable(struct l2cap_chan *chan)
1092 {
1093 struct l2cap_conn *conn = chan->conn;
1094 struct hci_dev *hdev;
1095 bool amp_available = false;
1096
1097 if (!conn->hs_enabled)
1098 return false;
1099
1100 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1101 return false;
1102
1103 read_lock(&hci_dev_list_lock);
1104 list_for_each_entry(hdev, &hci_dev_list, list) {
1105 if (hdev->amp_type != AMP_TYPE_BREDR &&
1106 test_bit(HCI_UP, &hdev->flags)) {
1107 amp_available = true;
1108 break;
1109 }
1110 }
1111 read_unlock(&hci_dev_list_lock);
1112
1113 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1114 return amp_available;
1115
1116 return false;
1117 }
1118
1119 static bool l2cap_check_efs(struct l2cap_chan *chan)
1120 {
1121 /* Check EFS parameters */
1122 return true;
1123 }
1124
1125 void l2cap_send_conn_req(struct l2cap_chan *chan)
1126 {
1127 struct l2cap_conn *conn = chan->conn;
1128 struct l2cap_conn_req req;
1129
1130 req.scid = cpu_to_le16(chan->scid);
1131 req.psm = chan->psm;
1132
1133 chan->ident = l2cap_get_ident(conn);
1134
1135 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1136
1137 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1138 }
1139
1140 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1141 {
1142 struct l2cap_create_chan_req req;
1143 req.scid = cpu_to_le16(chan->scid);
1144 req.psm = chan->psm;
1145 req.amp_id = amp_id;
1146
1147 chan->ident = l2cap_get_ident(chan->conn);
1148
1149 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1150 sizeof(req), &req);
1151 }
1152
1153 static void l2cap_move_setup(struct l2cap_chan *chan)
1154 {
1155 struct sk_buff *skb;
1156
1157 BT_DBG("chan %p", chan);
1158
1159 if (chan->mode != L2CAP_MODE_ERTM)
1160 return;
1161
1162 __clear_retrans_timer(chan);
1163 __clear_monitor_timer(chan);
1164 __clear_ack_timer(chan);
1165
1166 chan->retry_count = 0;
1167 skb_queue_walk(&chan->tx_q, skb) {
1168 if (bt_cb(skb)->control.retries)
1169 bt_cb(skb)->control.retries = 1;
1170 else
1171 break;
1172 }
1173
1174 chan->expected_tx_seq = chan->buffer_seq;
1175
1176 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1177 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1178 l2cap_seq_list_clear(&chan->retrans_list);
1179 l2cap_seq_list_clear(&chan->srej_list);
1180 skb_queue_purge(&chan->srej_q);
1181
1182 chan->tx_state = L2CAP_TX_STATE_XMIT;
1183 chan->rx_state = L2CAP_RX_STATE_MOVE;
1184
1185 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1186 }
1187
1188 static void l2cap_move_done(struct l2cap_chan *chan)
1189 {
1190 u8 move_role = chan->move_role;
1191 BT_DBG("chan %p", chan);
1192
1193 chan->move_state = L2CAP_MOVE_STABLE;
1194 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1195
1196 if (chan->mode != L2CAP_MODE_ERTM)
1197 return;
1198
1199 switch (move_role) {
1200 case L2CAP_MOVE_ROLE_INITIATOR:
1201 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1202 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1203 break;
1204 case L2CAP_MOVE_ROLE_RESPONDER:
1205 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1206 break;
1207 }
1208 }
1209
1210 static void l2cap_chan_ready(struct l2cap_chan *chan)
1211 {
1212 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1213 chan->conf_state = 0;
1214 __clear_chan_timer(chan);
1215
1216 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1217 chan->ops->suspend(chan);
1218
1219 chan->state = BT_CONNECTED;
1220
1221 chan->ops->ready(chan);
1222 }
1223
1224 static void l2cap_le_connect(struct l2cap_chan *chan)
1225 {
1226 struct l2cap_conn *conn = chan->conn;
1227 struct l2cap_le_conn_req req;
1228
1229 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1230 return;
1231
1232 req.psm = chan->psm;
1233 req.scid = cpu_to_le16(chan->scid);
1234 req.mtu = cpu_to_le16(chan->imtu);
1235 req.mps = cpu_to_le16(chan->mps);
1236 req.credits = cpu_to_le16(chan->rx_credits);
1237
1238 chan->ident = l2cap_get_ident(conn);
1239
1240 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1241 sizeof(req), &req);
1242 }
1243
1244 static void l2cap_le_start(struct l2cap_chan *chan)
1245 {
1246 struct l2cap_conn *conn = chan->conn;
1247
1248 if (!smp_conn_security(conn->hcon, chan->sec_level))
1249 return;
1250
1251 if (!chan->psm) {
1252 l2cap_chan_ready(chan);
1253 return;
1254 }
1255
1256 if (chan->state == BT_CONNECT)
1257 l2cap_le_connect(chan);
1258 }
1259
1260 static void l2cap_start_connection(struct l2cap_chan *chan)
1261 {
1262 if (__amp_capable(chan)) {
1263 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1264 a2mp_discover_amp(chan);
1265 } else if (chan->conn->hcon->type == LE_LINK) {
1266 l2cap_le_start(chan);
1267 } else {
1268 l2cap_send_conn_req(chan);
1269 }
1270 }
1271
1272 static void l2cap_do_start(struct l2cap_chan *chan)
1273 {
1274 struct l2cap_conn *conn = chan->conn;
1275
1276 if (conn->hcon->type == LE_LINK) {
1277 l2cap_le_start(chan);
1278 return;
1279 }
1280
1281 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
1282 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1283 return;
1284
1285 if (l2cap_chan_check_security(chan) &&
1286 __l2cap_no_conn_pending(chan)) {
1287 l2cap_start_connection(chan);
1288 }
1289 } else {
1290 struct l2cap_info_req req;
1291 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
1292
1293 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1294 conn->info_ident = l2cap_get_ident(conn);
1295
1296 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1297
1298 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1299 sizeof(req), &req);
1300 }
1301 }
1302
1303 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1304 {
1305 u32 local_feat_mask = l2cap_feat_mask;
1306 if (!disable_ertm)
1307 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1308
1309 switch (mode) {
1310 case L2CAP_MODE_ERTM:
1311 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1312 case L2CAP_MODE_STREAMING:
1313 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1314 default:
1315 return 0x00;
1316 }
1317 }
1318
1319 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1320 {
1321 struct l2cap_conn *conn = chan->conn;
1322 struct l2cap_disconn_req req;
1323
1324 if (!conn)
1325 return;
1326
1327 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1328 __clear_retrans_timer(chan);
1329 __clear_monitor_timer(chan);
1330 __clear_ack_timer(chan);
1331 }
1332
1333 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1334 l2cap_state_change(chan, BT_DISCONN);
1335 return;
1336 }
1337
1338 req.dcid = cpu_to_le16(chan->dcid);
1339 req.scid = cpu_to_le16(chan->scid);
1340 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1341 sizeof(req), &req);
1342
1343 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1344 }
1345
1346 /* ---- L2CAP connections ---- */
1347 static void l2cap_conn_start(struct l2cap_conn *conn)
1348 {
1349 struct l2cap_chan *chan, *tmp;
1350
1351 BT_DBG("conn %p", conn);
1352
1353 mutex_lock(&conn->chan_lock);
1354
1355 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1356 l2cap_chan_lock(chan);
1357
1358 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1359 l2cap_chan_unlock(chan);
1360 continue;
1361 }
1362
1363 if (chan->state == BT_CONNECT) {
1364 if (!l2cap_chan_check_security(chan) ||
1365 !__l2cap_no_conn_pending(chan)) {
1366 l2cap_chan_unlock(chan);
1367 continue;
1368 }
1369
1370 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1371 && test_bit(CONF_STATE2_DEVICE,
1372 &chan->conf_state)) {
1373 l2cap_chan_close(chan, ECONNRESET);
1374 l2cap_chan_unlock(chan);
1375 continue;
1376 }
1377
1378 l2cap_start_connection(chan);
1379
1380 } else if (chan->state == BT_CONNECT2) {
1381 struct l2cap_conn_rsp rsp;
1382 char buf[128];
1383 rsp.scid = cpu_to_le16(chan->dcid);
1384 rsp.dcid = cpu_to_le16(chan->scid);
1385
1386 if (l2cap_chan_check_security(chan)) {
1387 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1388 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1389 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1390 chan->ops->defer(chan);
1391
1392 } else {
1393 l2cap_state_change(chan, BT_CONFIG);
1394 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1395 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
1396 }
1397 } else {
1398 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1399 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1400 }
1401
1402 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1403 sizeof(rsp), &rsp);
1404
1405 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1406 rsp.result != L2CAP_CR_SUCCESS) {
1407 l2cap_chan_unlock(chan);
1408 continue;
1409 }
1410
1411 set_bit(CONF_REQ_SENT, &chan->conf_state);
1412 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1413 l2cap_build_conf_req(chan, buf), buf);
1414 chan->num_conf_req++;
1415 }
1416
1417 l2cap_chan_unlock(chan);
1418 }
1419
1420 mutex_unlock(&conn->chan_lock);
1421 }
1422
1423 /* Find socket with cid and source/destination bdaddr.
1424 * Returns closest match, locked.
1425 */
1426 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1427 bdaddr_t *src,
1428 bdaddr_t *dst)
1429 {
1430 struct l2cap_chan *c, *c1 = NULL;
1431
1432 read_lock(&chan_list_lock);
1433
1434 list_for_each_entry(c, &chan_list, global_l) {
1435 if (state && c->state != state)
1436 continue;
1437
1438 if (c->scid == cid) {
1439 int src_match, dst_match;
1440 int src_any, dst_any;
1441
1442 /* Exact match. */
1443 src_match = !bacmp(&c->src, src);
1444 dst_match = !bacmp(&c->dst, dst);
1445 if (src_match && dst_match) {
1446 read_unlock(&chan_list_lock);
1447 return c;
1448 }
1449
1450 /* Closest match */
1451 src_any = !bacmp(&c->src, BDADDR_ANY);
1452 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1453 if ((src_match && dst_any) || (src_any && dst_match) ||
1454 (src_any && dst_any))
1455 c1 = c;
1456 }
1457 }
1458
1459 read_unlock(&chan_list_lock);
1460
1461 return c1;
1462 }
1463
1464 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1465 {
1466 struct hci_conn *hcon = conn->hcon;
1467 struct l2cap_chan *chan, *pchan;
1468 u8 dst_type;
1469
1470 BT_DBG("");
1471
1472 bt_6lowpan_add_conn(conn);
1473
1474 /* Check if we have socket listening on cid */
1475 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
1476 &hcon->src, &hcon->dst);
1477 if (!pchan)
1478 return;
1479
1480 /* Client ATT sockets should override the server one */
1481 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1482 return;
1483
1484 dst_type = bdaddr_type(hcon, hcon->dst_type);
1485
1486 /* If device is blocked, do not create a channel for it */
1487 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1488 return;
1489
1490 l2cap_chan_lock(pchan);
1491
1492 chan = pchan->ops->new_connection(pchan);
1493 if (!chan)
1494 goto clean;
1495
1496 chan->dcid = L2CAP_CID_ATT;
1497
1498 bacpy(&chan->src, &hcon->src);
1499 bacpy(&chan->dst, &hcon->dst);
1500 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1501 chan->dst_type = dst_type;
1502
1503 __l2cap_chan_add(conn, chan);
1504
1505 clean:
1506 l2cap_chan_unlock(pchan);
1507 }
1508
1509 static void l2cap_conn_ready(struct l2cap_conn *conn)
1510 {
1511 struct l2cap_chan *chan;
1512 struct hci_conn *hcon = conn->hcon;
1513
1514 BT_DBG("conn %p", conn);
1515
1516 /* For outgoing pairing which doesn't necessarily have an
1517 * associated socket (e.g. mgmt_pair_device).
1518 */
1519 if (hcon->out && hcon->type == LE_LINK)
1520 smp_conn_security(hcon, hcon->pending_sec_level);
1521
1522 mutex_lock(&conn->chan_lock);
1523
1524 if (hcon->type == LE_LINK)
1525 l2cap_le_conn_ready(conn);
1526
1527 list_for_each_entry(chan, &conn->chan_l, list) {
1528
1529 l2cap_chan_lock(chan);
1530
1531 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1532 l2cap_chan_unlock(chan);
1533 continue;
1534 }
1535
1536 if (hcon->type == LE_LINK) {
1537 l2cap_le_start(chan);
1538 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1539 l2cap_chan_ready(chan);
1540
1541 } else if (chan->state == BT_CONNECT) {
1542 l2cap_do_start(chan);
1543 }
1544
1545 l2cap_chan_unlock(chan);
1546 }
1547
1548 mutex_unlock(&conn->chan_lock);
1549 }
1550
1551 /* Notify sockets that we cannot guaranty reliability anymore */
1552 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1553 {
1554 struct l2cap_chan *chan;
1555
1556 BT_DBG("conn %p", conn);
1557
1558 mutex_lock(&conn->chan_lock);
1559
1560 list_for_each_entry(chan, &conn->chan_l, list) {
1561 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1562 l2cap_chan_set_err(chan, err);
1563 }
1564
1565 mutex_unlock(&conn->chan_lock);
1566 }
1567
1568 static void l2cap_info_timeout(struct work_struct *work)
1569 {
1570 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1571 info_timer.work);
1572
1573 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1574 conn->info_ident = 0;
1575
1576 l2cap_conn_start(conn);
1577 }
1578
1579 /*
1580 * l2cap_user
1581 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1582 * callback is called during registration. The ->remove callback is called
1583 * during unregistration.
1584 * An l2cap_user object can either be explicitly unregistered or when the
1585 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1586 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1587 * External modules must own a reference to the l2cap_conn object if they intend
1588 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1589 * any time if they don't.
1590 */
1591
1592 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1593 {
1594 struct hci_dev *hdev = conn->hcon->hdev;
1595 int ret;
1596
1597 /* We need to check whether l2cap_conn is registered. If it is not, we
1598 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1599 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1600 * relies on the parent hci_conn object to be locked. This itself relies
1601 * on the hci_dev object to be locked. So we must lock the hci device
1602 * here, too. */
1603
1604 hci_dev_lock(hdev);
1605
1606 if (user->list.next || user->list.prev) {
1607 ret = -EINVAL;
1608 goto out_unlock;
1609 }
1610
1611 /* conn->hchan is NULL after l2cap_conn_del() was called */
1612 if (!conn->hchan) {
1613 ret = -ENODEV;
1614 goto out_unlock;
1615 }
1616
1617 ret = user->probe(conn, user);
1618 if (ret)
1619 goto out_unlock;
1620
1621 list_add(&user->list, &conn->users);
1622 ret = 0;
1623
1624 out_unlock:
1625 hci_dev_unlock(hdev);
1626 return ret;
1627 }
1628 EXPORT_SYMBOL(l2cap_register_user);
1629
1630 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1631 {
1632 struct hci_dev *hdev = conn->hcon->hdev;
1633
1634 hci_dev_lock(hdev);
1635
1636 if (!user->list.next || !user->list.prev)
1637 goto out_unlock;
1638
1639 list_del(&user->list);
1640 user->list.next = NULL;
1641 user->list.prev = NULL;
1642 user->remove(conn, user);
1643
1644 out_unlock:
1645 hci_dev_unlock(hdev);
1646 }
1647 EXPORT_SYMBOL(l2cap_unregister_user);
1648
1649 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1650 {
1651 struct l2cap_user *user;
1652
1653 while (!list_empty(&conn->users)) {
1654 user = list_first_entry(&conn->users, struct l2cap_user, list);
1655 list_del(&user->list);
1656 user->list.next = NULL;
1657 user->list.prev = NULL;
1658 user->remove(conn, user);
1659 }
1660 }
1661
1662 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1663 {
1664 struct l2cap_conn *conn = hcon->l2cap_data;
1665 struct l2cap_chan *chan, *l;
1666
1667 if (!conn)
1668 return;
1669
1670 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1671
1672 kfree_skb(conn->rx_skb);
1673
1674 l2cap_unregister_all_users(conn);
1675
1676 mutex_lock(&conn->chan_lock);
1677
1678 /* Kill channels */
1679 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1680 l2cap_chan_hold(chan);
1681 l2cap_chan_lock(chan);
1682
1683 l2cap_chan_del(chan, err);
1684
1685 l2cap_chan_unlock(chan);
1686
1687 chan->ops->close(chan);
1688 l2cap_chan_put(chan);
1689 }
1690
1691 mutex_unlock(&conn->chan_lock);
1692
1693 hci_chan_del(conn->hchan);
1694
1695 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1696 cancel_delayed_work_sync(&conn->info_timer);
1697
1698 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1699 cancel_delayed_work_sync(&conn->security_timer);
1700 smp_chan_destroy(conn);
1701 }
1702
1703 hcon->l2cap_data = NULL;
1704 conn->hchan = NULL;
1705 l2cap_conn_put(conn);
1706 }
1707
1708 static void security_timeout(struct work_struct *work)
1709 {
1710 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1711 security_timer.work);
1712
1713 BT_DBG("conn %p", conn);
1714
1715 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1716 smp_chan_destroy(conn);
1717 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1718 }
1719 }
1720
1721 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1722 {
1723 struct l2cap_conn *conn = hcon->l2cap_data;
1724 struct hci_chan *hchan;
1725
1726 if (conn)
1727 return conn;
1728
1729 hchan = hci_chan_create(hcon);
1730 if (!hchan)
1731 return NULL;
1732
1733 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
1734 if (!conn) {
1735 hci_chan_del(hchan);
1736 return NULL;
1737 }
1738
1739 kref_init(&conn->ref);
1740 hcon->l2cap_data = conn;
1741 conn->hcon = hcon;
1742 hci_conn_get(conn->hcon);
1743 conn->hchan = hchan;
1744
1745 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1746
1747 switch (hcon->type) {
1748 case LE_LINK:
1749 if (hcon->hdev->le_mtu) {
1750 conn->mtu = hcon->hdev->le_mtu;
1751 break;
1752 }
1753 /* fall through */
1754 default:
1755 conn->mtu = hcon->hdev->acl_mtu;
1756 break;
1757 }
1758
1759 conn->feat_mask = 0;
1760
1761 if (hcon->type == ACL_LINK)
1762 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
1763 &hcon->hdev->dev_flags);
1764
1765 spin_lock_init(&conn->lock);
1766 mutex_init(&conn->chan_lock);
1767
1768 INIT_LIST_HEAD(&conn->chan_l);
1769 INIT_LIST_HEAD(&conn->users);
1770
1771 if (hcon->type == LE_LINK)
1772 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1773 else
1774 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1775
1776 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1777
1778 return conn;
1779 }
1780
1781 static void l2cap_conn_free(struct kref *ref)
1782 {
1783 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1784
1785 hci_conn_put(conn->hcon);
1786 kfree(conn);
1787 }
1788
1789 void l2cap_conn_get(struct l2cap_conn *conn)
1790 {
1791 kref_get(&conn->ref);
1792 }
1793 EXPORT_SYMBOL(l2cap_conn_get);
1794
1795 void l2cap_conn_put(struct l2cap_conn *conn)
1796 {
1797 kref_put(&conn->ref, l2cap_conn_free);
1798 }
1799 EXPORT_SYMBOL(l2cap_conn_put);
1800
1801 /* ---- Socket interface ---- */
1802
1803 /* Find socket with psm and source / destination bdaddr.
1804 * Returns closest match.
1805 */
1806 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1807 bdaddr_t *src,
1808 bdaddr_t *dst,
1809 u8 link_type)
1810 {
1811 struct l2cap_chan *c, *c1 = NULL;
1812
1813 read_lock(&chan_list_lock);
1814
1815 list_for_each_entry(c, &chan_list, global_l) {
1816 if (state && c->state != state)
1817 continue;
1818
1819 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1820 continue;
1821
1822 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1823 continue;
1824
1825 if (c->psm == psm) {
1826 int src_match, dst_match;
1827 int src_any, dst_any;
1828
1829 /* Exact match. */
1830 src_match = !bacmp(&c->src, src);
1831 dst_match = !bacmp(&c->dst, dst);
1832 if (src_match && dst_match) {
1833 read_unlock(&chan_list_lock);
1834 return c;
1835 }
1836
1837 /* Closest match */
1838 src_any = !bacmp(&c->src, BDADDR_ANY);
1839 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1840 if ((src_match && dst_any) || (src_any && dst_match) ||
1841 (src_any && dst_any))
1842 c1 = c;
1843 }
1844 }
1845
1846 read_unlock(&chan_list_lock);
1847
1848 return c1;
1849 }
1850
1851 static bool is_valid_psm(u16 psm, u8 dst_type)
1852 {
1853 if (!psm)
1854 return false;
1855
1856 if (bdaddr_type_is_le(dst_type))
1857 return (psm <= 0x00ff);
1858
1859 /* PSM must be odd and lsb of upper byte must be 0 */
1860 return ((psm & 0x0101) == 0x0001);
1861 }
1862
1863 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1864 bdaddr_t *dst, u8 dst_type)
1865 {
1866 struct l2cap_conn *conn;
1867 struct hci_conn *hcon;
1868 struct hci_dev *hdev;
1869 __u8 auth_type;
1870 int err;
1871
1872 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
1873 dst_type, __le16_to_cpu(psm));
1874
1875 hdev = hci_get_route(dst, &chan->src);
1876 if (!hdev)
1877 return -EHOSTUNREACH;
1878
1879 hci_dev_lock(hdev);
1880
1881 l2cap_chan_lock(chan);
1882
1883 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
1884 chan->chan_type != L2CAP_CHAN_RAW) {
1885 err = -EINVAL;
1886 goto done;
1887 }
1888
1889 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1890 err = -EINVAL;
1891 goto done;
1892 }
1893
1894 switch (chan->mode) {
1895 case L2CAP_MODE_BASIC:
1896 break;
1897 case L2CAP_MODE_LE_FLOWCTL:
1898 l2cap_le_flowctl_init(chan);
1899 break;
1900 case L2CAP_MODE_ERTM:
1901 case L2CAP_MODE_STREAMING:
1902 if (!disable_ertm)
1903 break;
1904 /* fall through */
1905 default:
1906 err = -ENOTSUPP;
1907 goto done;
1908 }
1909
1910 switch (chan->state) {
1911 case BT_CONNECT:
1912 case BT_CONNECT2:
1913 case BT_CONFIG:
1914 /* Already connecting */
1915 err = 0;
1916 goto done;
1917
1918 case BT_CONNECTED:
1919 /* Already connected */
1920 err = -EISCONN;
1921 goto done;
1922
1923 case BT_OPEN:
1924 case BT_BOUND:
1925 /* Can connect */
1926 break;
1927
1928 default:
1929 err = -EBADFD;
1930 goto done;
1931 }
1932
1933 /* Set destination address and psm */
1934 bacpy(&chan->dst, dst);
1935 chan->dst_type = dst_type;
1936
1937 chan->psm = psm;
1938 chan->dcid = cid;
1939
1940 auth_type = l2cap_get_auth_type(chan);
1941
1942 if (bdaddr_type_is_le(dst_type))
1943 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
1944 chan->sec_level, auth_type);
1945 else
1946 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
1947 chan->sec_level, auth_type);
1948
1949 if (IS_ERR(hcon)) {
1950 err = PTR_ERR(hcon);
1951 goto done;
1952 }
1953
1954 conn = l2cap_conn_add(hcon);
1955 if (!conn) {
1956 hci_conn_drop(hcon);
1957 err = -ENOMEM;
1958 goto done;
1959 }
1960
1961 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1962 hci_conn_drop(hcon);
1963 err = -EBUSY;
1964 goto done;
1965 }
1966
1967 /* Update source addr of the socket */
1968 bacpy(&chan->src, &hcon->src);
1969 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1970
1971 l2cap_chan_unlock(chan);
1972 l2cap_chan_add(conn, chan);
1973 l2cap_chan_lock(chan);
1974
1975 /* l2cap_chan_add takes its own ref so we can drop this one */
1976 hci_conn_drop(hcon);
1977
1978 l2cap_state_change(chan, BT_CONNECT);
1979 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
1980
1981 if (hcon->state == BT_CONNECTED) {
1982 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1983 __clear_chan_timer(chan);
1984 if (l2cap_chan_check_security(chan))
1985 l2cap_state_change(chan, BT_CONNECTED);
1986 } else
1987 l2cap_do_start(chan);
1988 }
1989
1990 err = 0;
1991
1992 done:
1993 l2cap_chan_unlock(chan);
1994 hci_dev_unlock(hdev);
1995 hci_dev_put(hdev);
1996 return err;
1997 }
1998
1999 static void l2cap_monitor_timeout(struct work_struct *work)
2000 {
2001 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2002 monitor_timer.work);
2003
2004 BT_DBG("chan %p", chan);
2005
2006 l2cap_chan_lock(chan);
2007
2008 if (!chan->conn) {
2009 l2cap_chan_unlock(chan);
2010 l2cap_chan_put(chan);
2011 return;
2012 }
2013
2014 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2015
2016 l2cap_chan_unlock(chan);
2017 l2cap_chan_put(chan);
2018 }
2019
2020 static void l2cap_retrans_timeout(struct work_struct *work)
2021 {
2022 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2023 retrans_timer.work);
2024
2025 BT_DBG("chan %p", chan);
2026
2027 l2cap_chan_lock(chan);
2028
2029 if (!chan->conn) {
2030 l2cap_chan_unlock(chan);
2031 l2cap_chan_put(chan);
2032 return;
2033 }
2034
2035 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2036 l2cap_chan_unlock(chan);
2037 l2cap_chan_put(chan);
2038 }
2039
2040 static void l2cap_streaming_send(struct l2cap_chan *chan,
2041 struct sk_buff_head *skbs)
2042 {
2043 struct sk_buff *skb;
2044 struct l2cap_ctrl *control;
2045
2046 BT_DBG("chan %p, skbs %p", chan, skbs);
2047
2048 if (__chan_is_moving(chan))
2049 return;
2050
2051 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2052
2053 while (!skb_queue_empty(&chan->tx_q)) {
2054
2055 skb = skb_dequeue(&chan->tx_q);
2056
2057 bt_cb(skb)->control.retries = 1;
2058 control = &bt_cb(skb)->control;
2059
2060 control->reqseq = 0;
2061 control->txseq = chan->next_tx_seq;
2062
2063 __pack_control(chan, control, skb);
2064
2065 if (chan->fcs == L2CAP_FCS_CRC16) {
2066 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2067 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2068 }
2069
2070 l2cap_do_send(chan, skb);
2071
2072 BT_DBG("Sent txseq %u", control->txseq);
2073
2074 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2075 chan->frames_sent++;
2076 }
2077 }
2078
2079 static int l2cap_ertm_send(struct l2cap_chan *chan)
2080 {
2081 struct sk_buff *skb, *tx_skb;
2082 struct l2cap_ctrl *control;
2083 int sent = 0;
2084
2085 BT_DBG("chan %p", chan);
2086
2087 if (chan->state != BT_CONNECTED)
2088 return -ENOTCONN;
2089
2090 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2091 return 0;
2092
2093 if (__chan_is_moving(chan))
2094 return 0;
2095
2096 while (chan->tx_send_head &&
2097 chan->unacked_frames < chan->remote_tx_win &&
2098 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2099
2100 skb = chan->tx_send_head;
2101
2102 bt_cb(skb)->control.retries = 1;
2103 control = &bt_cb(skb)->control;
2104
2105 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2106 control->final = 1;
2107
2108 control->reqseq = chan->buffer_seq;
2109 chan->last_acked_seq = chan->buffer_seq;
2110 control->txseq = chan->next_tx_seq;
2111
2112 __pack_control(chan, control, skb);
2113
2114 if (chan->fcs == L2CAP_FCS_CRC16) {
2115 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2116 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2117 }
2118
2119 /* Clone after data has been modified. Data is assumed to be
2120 read-only (for locking purposes) on cloned sk_buffs.
2121 */
2122 tx_skb = skb_clone(skb, GFP_KERNEL);
2123
2124 if (!tx_skb)
2125 break;
2126
2127 __set_retrans_timer(chan);
2128
2129 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2130 chan->unacked_frames++;
2131 chan->frames_sent++;
2132 sent++;
2133
2134 if (skb_queue_is_last(&chan->tx_q, skb))
2135 chan->tx_send_head = NULL;
2136 else
2137 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2138
2139 l2cap_do_send(chan, tx_skb);
2140 BT_DBG("Sent txseq %u", control->txseq);
2141 }
2142
2143 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2144 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2145
2146 return sent;
2147 }
2148
2149 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2150 {
2151 struct l2cap_ctrl control;
2152 struct sk_buff *skb;
2153 struct sk_buff *tx_skb;
2154 u16 seq;
2155
2156 BT_DBG("chan %p", chan);
2157
2158 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2159 return;
2160
2161 if (__chan_is_moving(chan))
2162 return;
2163
2164 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2165 seq = l2cap_seq_list_pop(&chan->retrans_list);
2166
2167 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2168 if (!skb) {
2169 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2170 seq);
2171 continue;
2172 }
2173
2174 bt_cb(skb)->control.retries++;
2175 control = bt_cb(skb)->control;
2176
2177 if (chan->max_tx != 0 &&
2178 bt_cb(skb)->control.retries > chan->max_tx) {
2179 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2180 l2cap_send_disconn_req(chan, ECONNRESET);
2181 l2cap_seq_list_clear(&chan->retrans_list);
2182 break;
2183 }
2184
2185 control.reqseq = chan->buffer_seq;
2186 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2187 control.final = 1;
2188 else
2189 control.final = 0;
2190
2191 if (skb_cloned(skb)) {
2192 /* Cloned sk_buffs are read-only, so we need a
2193 * writeable copy
2194 */
2195 tx_skb = skb_copy(skb, GFP_KERNEL);
2196 } else {
2197 tx_skb = skb_clone(skb, GFP_KERNEL);
2198 }
2199
2200 if (!tx_skb) {
2201 l2cap_seq_list_clear(&chan->retrans_list);
2202 break;
2203 }
2204
2205 /* Update skb contents */
2206 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2207 put_unaligned_le32(__pack_extended_control(&control),
2208 tx_skb->data + L2CAP_HDR_SIZE);
2209 } else {
2210 put_unaligned_le16(__pack_enhanced_control(&control),
2211 tx_skb->data + L2CAP_HDR_SIZE);
2212 }
2213
2214 if (chan->fcs == L2CAP_FCS_CRC16) {
2215 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2216 put_unaligned_le16(fcs, skb_put(tx_skb,
2217 L2CAP_FCS_SIZE));
2218 }
2219
2220 l2cap_do_send(chan, tx_skb);
2221
2222 BT_DBG("Resent txseq %d", control.txseq);
2223
2224 chan->last_acked_seq = chan->buffer_seq;
2225 }
2226 }
2227
2228 static void l2cap_retransmit(struct l2cap_chan *chan,
2229 struct l2cap_ctrl *control)
2230 {
2231 BT_DBG("chan %p, control %p", chan, control);
2232
2233 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2234 l2cap_ertm_resend(chan);
2235 }
2236
2237 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2238 struct l2cap_ctrl *control)
2239 {
2240 struct sk_buff *skb;
2241
2242 BT_DBG("chan %p, control %p", chan, control);
2243
2244 if (control->poll)
2245 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2246
2247 l2cap_seq_list_clear(&chan->retrans_list);
2248
2249 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2250 return;
2251
2252 if (chan->unacked_frames) {
2253 skb_queue_walk(&chan->tx_q, skb) {
2254 if (bt_cb(skb)->control.txseq == control->reqseq ||
2255 skb == chan->tx_send_head)
2256 break;
2257 }
2258
2259 skb_queue_walk_from(&chan->tx_q, skb) {
2260 if (skb == chan->tx_send_head)
2261 break;
2262
2263 l2cap_seq_list_append(&chan->retrans_list,
2264 bt_cb(skb)->control.txseq);
2265 }
2266
2267 l2cap_ertm_resend(chan);
2268 }
2269 }
2270
2271 static void l2cap_send_ack(struct l2cap_chan *chan)
2272 {
2273 struct l2cap_ctrl control;
2274 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2275 chan->last_acked_seq);
2276 int threshold;
2277
2278 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2279 chan, chan->last_acked_seq, chan->buffer_seq);
2280
2281 memset(&control, 0, sizeof(control));
2282 control.sframe = 1;
2283
2284 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2285 chan->rx_state == L2CAP_RX_STATE_RECV) {
2286 __clear_ack_timer(chan);
2287 control.super = L2CAP_SUPER_RNR;
2288 control.reqseq = chan->buffer_seq;
2289 l2cap_send_sframe(chan, &control);
2290 } else {
2291 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2292 l2cap_ertm_send(chan);
2293 /* If any i-frames were sent, they included an ack */
2294 if (chan->buffer_seq == chan->last_acked_seq)
2295 frames_to_ack = 0;
2296 }
2297
2298 /* Ack now if the window is 3/4ths full.
2299 * Calculate without mul or div
2300 */
2301 threshold = chan->ack_win;
2302 threshold += threshold << 1;
2303 threshold >>= 2;
2304
2305 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2306 threshold);
2307
2308 if (frames_to_ack >= threshold) {
2309 __clear_ack_timer(chan);
2310 control.super = L2CAP_SUPER_RR;
2311 control.reqseq = chan->buffer_seq;
2312 l2cap_send_sframe(chan, &control);
2313 frames_to_ack = 0;
2314 }
2315
2316 if (frames_to_ack)
2317 __set_ack_timer(chan);
2318 }
2319 }
2320
2321 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2322 struct msghdr *msg, int len,
2323 int count, struct sk_buff *skb)
2324 {
2325 struct l2cap_conn *conn = chan->conn;
2326 struct sk_buff **frag;
2327 int sent = 0;
2328
2329 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
2330 return -EFAULT;
2331
2332 sent += count;
2333 len -= count;
2334
2335 /* Continuation fragments (no L2CAP header) */
2336 frag = &skb_shinfo(skb)->frag_list;
2337 while (len) {
2338 struct sk_buff *tmp;
2339
2340 count = min_t(unsigned int, conn->mtu, len);
2341
2342 tmp = chan->ops->alloc_skb(chan, count,
2343 msg->msg_flags & MSG_DONTWAIT);
2344 if (IS_ERR(tmp))
2345 return PTR_ERR(tmp);
2346
2347 *frag = tmp;
2348
2349 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2350 return -EFAULT;
2351
2352 (*frag)->priority = skb->priority;
2353
2354 sent += count;
2355 len -= count;
2356
2357 skb->len += (*frag)->len;
2358 skb->data_len += (*frag)->len;
2359
2360 frag = &(*frag)->next;
2361 }
2362
2363 return sent;
2364 }
2365
2366 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2367 struct msghdr *msg, size_t len,
2368 u32 priority)
2369 {
2370 struct l2cap_conn *conn = chan->conn;
2371 struct sk_buff *skb;
2372 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2373 struct l2cap_hdr *lh;
2374
2375 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2376 __le16_to_cpu(chan->psm), len, priority);
2377
2378 count = min_t(unsigned int, (conn->mtu - hlen), len);
2379
2380 skb = chan->ops->alloc_skb(chan, count + hlen,
2381 msg->msg_flags & MSG_DONTWAIT);
2382 if (IS_ERR(skb))
2383 return skb;
2384
2385 skb->priority = priority;
2386
2387 /* Create L2CAP header */
2388 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2389 lh->cid = cpu_to_le16(chan->dcid);
2390 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2391 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2392
2393 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2394 if (unlikely(err < 0)) {
2395 kfree_skb(skb);
2396 return ERR_PTR(err);
2397 }
2398 return skb;
2399 }
2400
2401 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2402 struct msghdr *msg, size_t len,
2403 u32 priority)
2404 {
2405 struct l2cap_conn *conn = chan->conn;
2406 struct sk_buff *skb;
2407 int err, count;
2408 struct l2cap_hdr *lh;
2409
2410 BT_DBG("chan %p len %zu", chan, len);
2411
2412 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2413
2414 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
2415 msg->msg_flags & MSG_DONTWAIT);
2416 if (IS_ERR(skb))
2417 return skb;
2418
2419 skb->priority = priority;
2420
2421 /* Create L2CAP header */
2422 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2423 lh->cid = cpu_to_le16(chan->dcid);
2424 lh->len = cpu_to_le16(len);
2425
2426 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2427 if (unlikely(err < 0)) {
2428 kfree_skb(skb);
2429 return ERR_PTR(err);
2430 }
2431 return skb;
2432 }
2433
2434 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2435 struct msghdr *msg, size_t len,
2436 u16 sdulen)
2437 {
2438 struct l2cap_conn *conn = chan->conn;
2439 struct sk_buff *skb;
2440 int err, count, hlen;
2441 struct l2cap_hdr *lh;
2442
2443 BT_DBG("chan %p len %zu", chan, len);
2444
2445 if (!conn)
2446 return ERR_PTR(-ENOTCONN);
2447
2448 hlen = __ertm_hdr_size(chan);
2449
2450 if (sdulen)
2451 hlen += L2CAP_SDULEN_SIZE;
2452
2453 if (chan->fcs == L2CAP_FCS_CRC16)
2454 hlen += L2CAP_FCS_SIZE;
2455
2456 count = min_t(unsigned int, (conn->mtu - hlen), len);
2457
2458 skb = chan->ops->alloc_skb(chan, count + hlen,
2459 msg->msg_flags & MSG_DONTWAIT);
2460 if (IS_ERR(skb))
2461 return skb;
2462
2463 /* Create L2CAP header */
2464 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2465 lh->cid = cpu_to_le16(chan->dcid);
2466 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2467
2468 /* Control header is populated later */
2469 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2470 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2471 else
2472 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2473
2474 if (sdulen)
2475 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2476
2477 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2478 if (unlikely(err < 0)) {
2479 kfree_skb(skb);
2480 return ERR_PTR(err);
2481 }
2482
2483 bt_cb(skb)->control.fcs = chan->fcs;
2484 bt_cb(skb)->control.retries = 0;
2485 return skb;
2486 }
2487
2488 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2489 struct sk_buff_head *seg_queue,
2490 struct msghdr *msg, size_t len)
2491 {
2492 struct sk_buff *skb;
2493 u16 sdu_len;
2494 size_t pdu_len;
2495 u8 sar;
2496
2497 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2498
2499 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2500 * so fragmented skbs are not used. The HCI layer's handling
2501 * of fragmented skbs is not compatible with ERTM's queueing.
2502 */
2503
2504 /* PDU size is derived from the HCI MTU */
2505 pdu_len = chan->conn->mtu;
2506
2507 /* Constrain PDU size for BR/EDR connections */
2508 if (!chan->hs_hcon)
2509 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2510
2511 /* Adjust for largest possible L2CAP overhead. */
2512 if (chan->fcs)
2513 pdu_len -= L2CAP_FCS_SIZE;
2514
2515 pdu_len -= __ertm_hdr_size(chan);
2516
2517 /* Remote device may have requested smaller PDUs */
2518 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2519
2520 if (len <= pdu_len) {
2521 sar = L2CAP_SAR_UNSEGMENTED;
2522 sdu_len = 0;
2523 pdu_len = len;
2524 } else {
2525 sar = L2CAP_SAR_START;
2526 sdu_len = len;
2527 pdu_len -= L2CAP_SDULEN_SIZE;
2528 }
2529
2530 while (len > 0) {
2531 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2532
2533 if (IS_ERR(skb)) {
2534 __skb_queue_purge(seg_queue);
2535 return PTR_ERR(skb);
2536 }
2537
2538 bt_cb(skb)->control.sar = sar;
2539 __skb_queue_tail(seg_queue, skb);
2540
2541 len -= pdu_len;
2542 if (sdu_len) {
2543 sdu_len = 0;
2544 pdu_len += L2CAP_SDULEN_SIZE;
2545 }
2546
2547 if (len <= pdu_len) {
2548 sar = L2CAP_SAR_END;
2549 pdu_len = len;
2550 } else {
2551 sar = L2CAP_SAR_CONTINUE;
2552 }
2553 }
2554
2555 return 0;
2556 }
2557
2558 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2559 struct msghdr *msg,
2560 size_t len, u16 sdulen)
2561 {
2562 struct l2cap_conn *conn = chan->conn;
2563 struct sk_buff *skb;
2564 int err, count, hlen;
2565 struct l2cap_hdr *lh;
2566
2567 BT_DBG("chan %p len %zu", chan, len);
2568
2569 if (!conn)
2570 return ERR_PTR(-ENOTCONN);
2571
2572 hlen = L2CAP_HDR_SIZE;
2573
2574 if (sdulen)
2575 hlen += L2CAP_SDULEN_SIZE;
2576
2577 count = min_t(unsigned int, (conn->mtu - hlen), len);
2578
2579 skb = chan->ops->alloc_skb(chan, count + hlen,
2580 msg->msg_flags & MSG_DONTWAIT);
2581 if (IS_ERR(skb))
2582 return skb;
2583
2584 /* Create L2CAP header */
2585 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2586 lh->cid = cpu_to_le16(chan->dcid);
2587 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2588
2589 if (sdulen)
2590 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2591
2592 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2593 if (unlikely(err < 0)) {
2594 kfree_skb(skb);
2595 return ERR_PTR(err);
2596 }
2597
2598 return skb;
2599 }
2600
2601 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2602 struct sk_buff_head *seg_queue,
2603 struct msghdr *msg, size_t len)
2604 {
2605 struct sk_buff *skb;
2606 size_t pdu_len;
2607 u16 sdu_len;
2608
2609 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2610
2611 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2612
2613 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2614
2615 sdu_len = len;
2616 pdu_len -= L2CAP_SDULEN_SIZE;
2617
2618 while (len > 0) {
2619 if (len <= pdu_len)
2620 pdu_len = len;
2621
2622 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2623 if (IS_ERR(skb)) {
2624 __skb_queue_purge(seg_queue);
2625 return PTR_ERR(skb);
2626 }
2627
2628 __skb_queue_tail(seg_queue, skb);
2629
2630 len -= pdu_len;
2631
2632 if (sdu_len) {
2633 sdu_len = 0;
2634 pdu_len += L2CAP_SDULEN_SIZE;
2635 }
2636 }
2637
2638 return 0;
2639 }
2640
2641 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2642 u32 priority)
2643 {
2644 struct sk_buff *skb;
2645 int err;
2646 struct sk_buff_head seg_queue;
2647
2648 if (!chan->conn)
2649 return -ENOTCONN;
2650
2651 /* Connectionless channel */
2652 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2653 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
2654 if (IS_ERR(skb))
2655 return PTR_ERR(skb);
2656
2657 l2cap_do_send(chan, skb);
2658 return len;
2659 }
2660
2661 switch (chan->mode) {
2662 case L2CAP_MODE_LE_FLOWCTL:
2663 /* Check outgoing MTU */
2664 if (len > chan->omtu)
2665 return -EMSGSIZE;
2666
2667 if (!chan->tx_credits)
2668 return -EAGAIN;
2669
2670 __skb_queue_head_init(&seg_queue);
2671
2672 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2673
2674 if (chan->state != BT_CONNECTED) {
2675 __skb_queue_purge(&seg_queue);
2676 err = -ENOTCONN;
2677 }
2678
2679 if (err)
2680 return err;
2681
2682 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2683
2684 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2685 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2686 chan->tx_credits--;
2687 }
2688
2689 if (!chan->tx_credits)
2690 chan->ops->suspend(chan);
2691
2692 err = len;
2693
2694 break;
2695
2696 case L2CAP_MODE_BASIC:
2697 /* Check outgoing MTU */
2698 if (len > chan->omtu)
2699 return -EMSGSIZE;
2700
2701 /* Create a basic PDU */
2702 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
2703 if (IS_ERR(skb))
2704 return PTR_ERR(skb);
2705
2706 l2cap_do_send(chan, skb);
2707 err = len;
2708 break;
2709
2710 case L2CAP_MODE_ERTM:
2711 case L2CAP_MODE_STREAMING:
2712 /* Check outgoing MTU */
2713 if (len > chan->omtu) {
2714 err = -EMSGSIZE;
2715 break;
2716 }
2717
2718 __skb_queue_head_init(&seg_queue);
2719
2720 /* Do segmentation before calling in to the state machine,
2721 * since it's possible to block while waiting for memory
2722 * allocation.
2723 */
2724 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2725
2726 /* The channel could have been closed while segmenting,
2727 * check that it is still connected.
2728 */
2729 if (chan->state != BT_CONNECTED) {
2730 __skb_queue_purge(&seg_queue);
2731 err = -ENOTCONN;
2732 }
2733
2734 if (err)
2735 break;
2736
2737 if (chan->mode == L2CAP_MODE_ERTM)
2738 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2739 else
2740 l2cap_streaming_send(chan, &seg_queue);
2741
2742 err = len;
2743
2744 /* If the skbs were not queued for sending, they'll still be in
2745 * seg_queue and need to be purged.
2746 */
2747 __skb_queue_purge(&seg_queue);
2748 break;
2749
2750 default:
2751 BT_DBG("bad state %1.1x", chan->mode);
2752 err = -EBADFD;
2753 }
2754
2755 return err;
2756 }
2757
2758 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2759 {
2760 struct l2cap_ctrl control;
2761 u16 seq;
2762
2763 BT_DBG("chan %p, txseq %u", chan, txseq);
2764
2765 memset(&control, 0, sizeof(control));
2766 control.sframe = 1;
2767 control.super = L2CAP_SUPER_SREJ;
2768
2769 for (seq = chan->expected_tx_seq; seq != txseq;
2770 seq = __next_seq(chan, seq)) {
2771 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2772 control.reqseq = seq;
2773 l2cap_send_sframe(chan, &control);
2774 l2cap_seq_list_append(&chan->srej_list, seq);
2775 }
2776 }
2777
2778 chan->expected_tx_seq = __next_seq(chan, txseq);
2779 }
2780
2781 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2782 {
2783 struct l2cap_ctrl control;
2784
2785 BT_DBG("chan %p", chan);
2786
2787 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2788 return;
2789
2790 memset(&control, 0, sizeof(control));
2791 control.sframe = 1;
2792 control.super = L2CAP_SUPER_SREJ;
2793 control.reqseq = chan->srej_list.tail;
2794 l2cap_send_sframe(chan, &control);
2795 }
2796
2797 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2798 {
2799 struct l2cap_ctrl control;
2800 u16 initial_head;
2801 u16 seq;
2802
2803 BT_DBG("chan %p, txseq %u", chan, txseq);
2804
2805 memset(&control, 0, sizeof(control));
2806 control.sframe = 1;
2807 control.super = L2CAP_SUPER_SREJ;
2808
2809 /* Capture initial list head to allow only one pass through the list. */
2810 initial_head = chan->srej_list.head;
2811
2812 do {
2813 seq = l2cap_seq_list_pop(&chan->srej_list);
2814 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2815 break;
2816
2817 control.reqseq = seq;
2818 l2cap_send_sframe(chan, &control);
2819 l2cap_seq_list_append(&chan->srej_list, seq);
2820 } while (chan->srej_list.head != initial_head);
2821 }
2822
2823 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2824 {
2825 struct sk_buff *acked_skb;
2826 u16 ackseq;
2827
2828 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2829
2830 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2831 return;
2832
2833 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2834 chan->expected_ack_seq, chan->unacked_frames);
2835
2836 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2837 ackseq = __next_seq(chan, ackseq)) {
2838
2839 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2840 if (acked_skb) {
2841 skb_unlink(acked_skb, &chan->tx_q);
2842 kfree_skb(acked_skb);
2843 chan->unacked_frames--;
2844 }
2845 }
2846
2847 chan->expected_ack_seq = reqseq;
2848
2849 if (chan->unacked_frames == 0)
2850 __clear_retrans_timer(chan);
2851
2852 BT_DBG("unacked_frames %u", chan->unacked_frames);
2853 }
2854
2855 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2856 {
2857 BT_DBG("chan %p", chan);
2858
2859 chan->expected_tx_seq = chan->buffer_seq;
2860 l2cap_seq_list_clear(&chan->srej_list);
2861 skb_queue_purge(&chan->srej_q);
2862 chan->rx_state = L2CAP_RX_STATE_RECV;
2863 }
2864
2865 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2866 struct l2cap_ctrl *control,
2867 struct sk_buff_head *skbs, u8 event)
2868 {
2869 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2870 event);
2871
2872 switch (event) {
2873 case L2CAP_EV_DATA_REQUEST:
2874 if (chan->tx_send_head == NULL)
2875 chan->tx_send_head = skb_peek(skbs);
2876
2877 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2878 l2cap_ertm_send(chan);
2879 break;
2880 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2881 BT_DBG("Enter LOCAL_BUSY");
2882 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2883
2884 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2885 /* The SREJ_SENT state must be aborted if we are to
2886 * enter the LOCAL_BUSY state.
2887 */
2888 l2cap_abort_rx_srej_sent(chan);
2889 }
2890
2891 l2cap_send_ack(chan);
2892
2893 break;
2894 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2895 BT_DBG("Exit LOCAL_BUSY");
2896 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2897
2898 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2899 struct l2cap_ctrl local_control;
2900
2901 memset(&local_control, 0, sizeof(local_control));
2902 local_control.sframe = 1;
2903 local_control.super = L2CAP_SUPER_RR;
2904 local_control.poll = 1;
2905 local_control.reqseq = chan->buffer_seq;
2906 l2cap_send_sframe(chan, &local_control);
2907
2908 chan->retry_count = 1;
2909 __set_monitor_timer(chan);
2910 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2911 }
2912 break;
2913 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2914 l2cap_process_reqseq(chan, control->reqseq);
2915 break;
2916 case L2CAP_EV_EXPLICIT_POLL:
2917 l2cap_send_rr_or_rnr(chan, 1);
2918 chan->retry_count = 1;
2919 __set_monitor_timer(chan);
2920 __clear_ack_timer(chan);
2921 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2922 break;
2923 case L2CAP_EV_RETRANS_TO:
2924 l2cap_send_rr_or_rnr(chan, 1);
2925 chan->retry_count = 1;
2926 __set_monitor_timer(chan);
2927 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2928 break;
2929 case L2CAP_EV_RECV_FBIT:
2930 /* Nothing to process */
2931 break;
2932 default:
2933 break;
2934 }
2935 }
2936
2937 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2938 struct l2cap_ctrl *control,
2939 struct sk_buff_head *skbs, u8 event)
2940 {
2941 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2942 event);
2943
2944 switch (event) {
2945 case L2CAP_EV_DATA_REQUEST:
2946 if (chan->tx_send_head == NULL)
2947 chan->tx_send_head = skb_peek(skbs);
2948 /* Queue data, but don't send. */
2949 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2950 break;
2951 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2952 BT_DBG("Enter LOCAL_BUSY");
2953 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2954
2955 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2956 /* The SREJ_SENT state must be aborted if we are to
2957 * enter the LOCAL_BUSY state.
2958 */
2959 l2cap_abort_rx_srej_sent(chan);
2960 }
2961
2962 l2cap_send_ack(chan);
2963
2964 break;
2965 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2966 BT_DBG("Exit LOCAL_BUSY");
2967 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2968
2969 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2970 struct l2cap_ctrl local_control;
2971 memset(&local_control, 0, sizeof(local_control));
2972 local_control.sframe = 1;
2973 local_control.super = L2CAP_SUPER_RR;
2974 local_control.poll = 1;
2975 local_control.reqseq = chan->buffer_seq;
2976 l2cap_send_sframe(chan, &local_control);
2977
2978 chan->retry_count = 1;
2979 __set_monitor_timer(chan);
2980 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2981 }
2982 break;
2983 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2984 l2cap_process_reqseq(chan, control->reqseq);
2985
2986 /* Fall through */
2987
2988 case L2CAP_EV_RECV_FBIT:
2989 if (control && control->final) {
2990 __clear_monitor_timer(chan);
2991 if (chan->unacked_frames > 0)
2992 __set_retrans_timer(chan);
2993 chan->retry_count = 0;
2994 chan->tx_state = L2CAP_TX_STATE_XMIT;
2995 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2996 }
2997 break;
2998 case L2CAP_EV_EXPLICIT_POLL:
2999 /* Ignore */
3000 break;
3001 case L2CAP_EV_MONITOR_TO:
3002 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3003 l2cap_send_rr_or_rnr(chan, 1);
3004 __set_monitor_timer(chan);
3005 chan->retry_count++;
3006 } else {
3007 l2cap_send_disconn_req(chan, ECONNABORTED);
3008 }
3009 break;
3010 default:
3011 break;
3012 }
3013 }
3014
3015 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3016 struct sk_buff_head *skbs, u8 event)
3017 {
3018 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3019 chan, control, skbs, event, chan->tx_state);
3020
3021 switch (chan->tx_state) {
3022 case L2CAP_TX_STATE_XMIT:
3023 l2cap_tx_state_xmit(chan, control, skbs, event);
3024 break;
3025 case L2CAP_TX_STATE_WAIT_F:
3026 l2cap_tx_state_wait_f(chan, control, skbs, event);
3027 break;
3028 default:
3029 /* Ignore event */
3030 break;
3031 }
3032 }
3033
3034 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3035 struct l2cap_ctrl *control)
3036 {
3037 BT_DBG("chan %p, control %p", chan, control);
3038 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3039 }
3040
3041 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3042 struct l2cap_ctrl *control)
3043 {
3044 BT_DBG("chan %p, control %p", chan, control);
3045 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3046 }
3047
3048 /* Copy frame to all raw sockets on that connection */
3049 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3050 {
3051 struct sk_buff *nskb;
3052 struct l2cap_chan *chan;
3053
3054 BT_DBG("conn %p", conn);
3055
3056 mutex_lock(&conn->chan_lock);
3057
3058 list_for_each_entry(chan, &conn->chan_l, list) {
3059 if (chan->chan_type != L2CAP_CHAN_RAW)
3060 continue;
3061
3062 /* Don't send frame to the channel it came from */
3063 if (bt_cb(skb)->chan == chan)
3064 continue;
3065
3066 nskb = skb_clone(skb, GFP_KERNEL);
3067 if (!nskb)
3068 continue;
3069 if (chan->ops->recv(chan, nskb))
3070 kfree_skb(nskb);
3071 }
3072
3073 mutex_unlock(&conn->chan_lock);
3074 }
3075
3076 /* ---- L2CAP signalling commands ---- */
3077 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3078 u8 ident, u16 dlen, void *data)
3079 {
3080 struct sk_buff *skb, **frag;
3081 struct l2cap_cmd_hdr *cmd;
3082 struct l2cap_hdr *lh;
3083 int len, count;
3084
3085 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3086 conn, code, ident, dlen);
3087
3088 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3089 return NULL;
3090
3091 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3092 count = min_t(unsigned int, conn->mtu, len);
3093
3094 skb = bt_skb_alloc(count, GFP_KERNEL);
3095 if (!skb)
3096 return NULL;
3097
3098 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
3099 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3100
3101 if (conn->hcon->type == LE_LINK)
3102 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3103 else
3104 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
3105
3106 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
3107 cmd->code = code;
3108 cmd->ident = ident;
3109 cmd->len = cpu_to_le16(dlen);
3110
3111 if (dlen) {
3112 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3113 memcpy(skb_put(skb, count), data, count);
3114 data += count;
3115 }
3116
3117 len -= skb->len;
3118
3119 /* Continuation fragments (no L2CAP header) */
3120 frag = &skb_shinfo(skb)->frag_list;
3121 while (len) {
3122 count = min_t(unsigned int, conn->mtu, len);
3123
3124 *frag = bt_skb_alloc(count, GFP_KERNEL);
3125 if (!*frag)
3126 goto fail;
3127
3128 memcpy(skb_put(*frag, count), data, count);
3129
3130 len -= count;
3131 data += count;
3132
3133 frag = &(*frag)->next;
3134 }
3135
3136 return skb;
3137
3138 fail:
3139 kfree_skb(skb);
3140 return NULL;
3141 }
3142
3143 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3144 unsigned long *val)
3145 {
3146 struct l2cap_conf_opt *opt = *ptr;
3147 int len;
3148
3149 len = L2CAP_CONF_OPT_SIZE + opt->len;
3150 *ptr += len;
3151
3152 *type = opt->type;
3153 *olen = opt->len;
3154
3155 switch (opt->len) {
3156 case 1:
3157 *val = *((u8 *) opt->val);
3158 break;
3159
3160 case 2:
3161 *val = get_unaligned_le16(opt->val);
3162 break;
3163
3164 case 4:
3165 *val = get_unaligned_le32(opt->val);
3166 break;
3167
3168 default:
3169 *val = (unsigned long) opt->val;
3170 break;
3171 }
3172
3173 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3174 return len;
3175 }
3176
3177 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
3178 {
3179 struct l2cap_conf_opt *opt = *ptr;
3180
3181 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3182
3183 opt->type = type;
3184 opt->len = len;
3185
3186 switch (len) {
3187 case 1:
3188 *((u8 *) opt->val) = val;
3189 break;
3190
3191 case 2:
3192 put_unaligned_le16(val, opt->val);
3193 break;
3194
3195 case 4:
3196 put_unaligned_le32(val, opt->val);
3197 break;
3198
3199 default:
3200 memcpy(opt->val, (void *) val, len);
3201 break;
3202 }
3203
3204 *ptr += L2CAP_CONF_OPT_SIZE + len;
3205 }
3206
3207 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3208 {
3209 struct l2cap_conf_efs efs;
3210
3211 switch (chan->mode) {
3212 case L2CAP_MODE_ERTM:
3213 efs.id = chan->local_id;
3214 efs.stype = chan->local_stype;
3215 efs.msdu = cpu_to_le16(chan->local_msdu);
3216 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3217 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3218 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3219 break;
3220
3221 case L2CAP_MODE_STREAMING:
3222 efs.id = 1;
3223 efs.stype = L2CAP_SERV_BESTEFFORT;
3224 efs.msdu = cpu_to_le16(chan->local_msdu);
3225 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3226 efs.acc_lat = 0;
3227 efs.flush_to = 0;
3228 break;
3229
3230 default:
3231 return;
3232 }
3233
3234 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3235 (unsigned long) &efs);
3236 }
3237
3238 static void l2cap_ack_timeout(struct work_struct *work)
3239 {
3240 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3241 ack_timer.work);
3242 u16 frames_to_ack;
3243
3244 BT_DBG("chan %p", chan);
3245
3246 l2cap_chan_lock(chan);
3247
3248 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3249 chan->last_acked_seq);
3250
3251 if (frames_to_ack)
3252 l2cap_send_rr_or_rnr(chan, 0);
3253
3254 l2cap_chan_unlock(chan);
3255 l2cap_chan_put(chan);
3256 }
3257
3258 int l2cap_ertm_init(struct l2cap_chan *chan)
3259 {
3260 int err;
3261
3262 chan->next_tx_seq = 0;
3263 chan->expected_tx_seq = 0;
3264 chan->expected_ack_seq = 0;
3265 chan->unacked_frames = 0;
3266 chan->buffer_seq = 0;
3267 chan->frames_sent = 0;
3268 chan->last_acked_seq = 0;
3269 chan->sdu = NULL;
3270 chan->sdu_last_frag = NULL;
3271 chan->sdu_len = 0;
3272
3273 skb_queue_head_init(&chan->tx_q);
3274
3275 chan->local_amp_id = AMP_ID_BREDR;
3276 chan->move_id = AMP_ID_BREDR;
3277 chan->move_state = L2CAP_MOVE_STABLE;
3278 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3279
3280 if (chan->mode != L2CAP_MODE_ERTM)
3281 return 0;
3282
3283 chan->rx_state = L2CAP_RX_STATE_RECV;
3284 chan->tx_state = L2CAP_TX_STATE_XMIT;
3285
3286 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3287 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3288 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3289
3290 skb_queue_head_init(&chan->srej_q);
3291
3292 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3293 if (err < 0)
3294 return err;
3295
3296 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3297 if (err < 0)
3298 l2cap_seq_list_free(&chan->srej_list);
3299
3300 return err;
3301 }
3302
3303 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3304 {
3305 switch (mode) {
3306 case L2CAP_MODE_STREAMING:
3307 case L2CAP_MODE_ERTM:
3308 if (l2cap_mode_supported(mode, remote_feat_mask))
3309 return mode;
3310 /* fall through */
3311 default:
3312 return L2CAP_MODE_BASIC;
3313 }
3314 }
3315
3316 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3317 {
3318 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3319 }
3320
3321 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3322 {
3323 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3324 }
3325
3326 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3327 struct l2cap_conf_rfc *rfc)
3328 {
3329 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3330 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3331
3332 /* Class 1 devices have must have ERTM timeouts
3333 * exceeding the Link Supervision Timeout. The
3334 * default Link Supervision Timeout for AMP
3335 * controllers is 10 seconds.
3336 *
3337 * Class 1 devices use 0xffffffff for their
3338 * best-effort flush timeout, so the clamping logic
3339 * will result in a timeout that meets the above
3340 * requirement. ERTM timeouts are 16-bit values, so
3341 * the maximum timeout is 65.535 seconds.
3342 */
3343
3344 /* Convert timeout to milliseconds and round */
3345 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3346
3347 /* This is the recommended formula for class 2 devices
3348 * that start ERTM timers when packets are sent to the
3349 * controller.
3350 */
3351 ertm_to = 3 * ertm_to + 500;
3352
3353 if (ertm_to > 0xffff)
3354 ertm_to = 0xffff;
3355
3356 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3357 rfc->monitor_timeout = rfc->retrans_timeout;
3358 } else {
3359 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3360 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3361 }
3362 }
3363
3364 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3365 {
3366 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3367 __l2cap_ews_supported(chan->conn)) {
3368 /* use extended control field */
3369 set_bit(FLAG_EXT_CTRL, &chan->flags);
3370 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3371 } else {
3372 chan->tx_win = min_t(u16, chan->tx_win,
3373 L2CAP_DEFAULT_TX_WINDOW);
3374 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3375 }
3376 chan->ack_win = chan->tx_win;
3377 }
3378
3379 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3380 {
3381 struct l2cap_conf_req *req = data;
3382 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3383 void *ptr = req->data;
3384 u16 size;
3385
3386 BT_DBG("chan %p", chan);
3387
3388 if (chan->num_conf_req || chan->num_conf_rsp)
3389 goto done;
3390
3391 switch (chan->mode) {
3392 case L2CAP_MODE_STREAMING:
3393 case L2CAP_MODE_ERTM:
3394 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3395 break;
3396
3397 if (__l2cap_efs_supported(chan->conn))
3398 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3399
3400 /* fall through */
3401 default:
3402 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3403 break;
3404 }
3405
3406 done:
3407 if (chan->imtu != L2CAP_DEFAULT_MTU)
3408 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3409
3410 switch (chan->mode) {
3411 case L2CAP_MODE_BASIC:
3412 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3413 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3414 break;
3415
3416 rfc.mode = L2CAP_MODE_BASIC;
3417 rfc.txwin_size = 0;
3418 rfc.max_transmit = 0;
3419 rfc.retrans_timeout = 0;
3420 rfc.monitor_timeout = 0;
3421 rfc.max_pdu_size = 0;
3422
3423 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3424 (unsigned long) &rfc);
3425 break;
3426
3427 case L2CAP_MODE_ERTM:
3428 rfc.mode = L2CAP_MODE_ERTM;
3429 rfc.max_transmit = chan->max_tx;
3430
3431 __l2cap_set_ertm_timeouts(chan, &rfc);
3432
3433 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3434 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3435 L2CAP_FCS_SIZE);
3436 rfc.max_pdu_size = cpu_to_le16(size);
3437
3438 l2cap_txwin_setup(chan);
3439
3440 rfc.txwin_size = min_t(u16, chan->tx_win,
3441 L2CAP_DEFAULT_TX_WINDOW);
3442
3443 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3444 (unsigned long) &rfc);
3445
3446 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3447 l2cap_add_opt_efs(&ptr, chan);
3448
3449 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3450 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3451 chan->tx_win);
3452
3453 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3454 if (chan->fcs == L2CAP_FCS_NONE ||
3455 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3456 chan->fcs = L2CAP_FCS_NONE;
3457 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3458 chan->fcs);
3459 }
3460 break;
3461
3462 case L2CAP_MODE_STREAMING:
3463 l2cap_txwin_setup(chan);
3464 rfc.mode = L2CAP_MODE_STREAMING;
3465 rfc.txwin_size = 0;
3466 rfc.max_transmit = 0;
3467 rfc.retrans_timeout = 0;
3468 rfc.monitor_timeout = 0;
3469
3470 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3471 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3472 L2CAP_FCS_SIZE);
3473 rfc.max_pdu_size = cpu_to_le16(size);
3474
3475 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3476 (unsigned long) &rfc);
3477
3478 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3479 l2cap_add_opt_efs(&ptr, chan);
3480
3481 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3482 if (chan->fcs == L2CAP_FCS_NONE ||
3483 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3484 chan->fcs = L2CAP_FCS_NONE;
3485 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3486 chan->fcs);
3487 }
3488 break;
3489 }
3490
3491 req->dcid = cpu_to_le16(chan->dcid);
3492 req->flags = __constant_cpu_to_le16(0);
3493
3494 return ptr - data;
3495 }
3496
3497 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3498 {
3499 struct l2cap_conf_rsp *rsp = data;
3500 void *ptr = rsp->data;
3501 void *req = chan->conf_req;
3502 int len = chan->conf_len;
3503 int type, hint, olen;
3504 unsigned long val;
3505 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3506 struct l2cap_conf_efs efs;
3507 u8 remote_efs = 0;
3508 u16 mtu = L2CAP_DEFAULT_MTU;
3509 u16 result = L2CAP_CONF_SUCCESS;
3510 u16 size;
3511
3512 BT_DBG("chan %p", chan);
3513
3514 while (len >= L2CAP_CONF_OPT_SIZE) {
3515 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3516
3517 hint = type & L2CAP_CONF_HINT;
3518 type &= L2CAP_CONF_MASK;
3519
3520 switch (type) {
3521 case L2CAP_CONF_MTU:
3522 mtu = val;
3523 break;
3524
3525 case L2CAP_CONF_FLUSH_TO:
3526 chan->flush_to = val;
3527 break;
3528
3529 case L2CAP_CONF_QOS:
3530 break;
3531
3532 case L2CAP_CONF_RFC:
3533 if (olen == sizeof(rfc))
3534 memcpy(&rfc, (void *) val, olen);
3535 break;
3536
3537 case L2CAP_CONF_FCS:
3538 if (val == L2CAP_FCS_NONE)
3539 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3540 break;
3541
3542 case L2CAP_CONF_EFS:
3543 remote_efs = 1;
3544 if (olen == sizeof(efs))
3545 memcpy(&efs, (void *) val, olen);
3546 break;
3547
3548 case L2CAP_CONF_EWS:
3549 if (!chan->conn->hs_enabled)
3550 return -ECONNREFUSED;
3551
3552 set_bit(FLAG_EXT_CTRL, &chan->flags);
3553 set_bit(CONF_EWS_RECV, &chan->conf_state);
3554 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3555 chan->remote_tx_win = val;
3556 break;
3557
3558 default:
3559 if (hint)
3560 break;
3561
3562 result = L2CAP_CONF_UNKNOWN;
3563 *((u8 *) ptr++) = type;
3564 break;
3565 }
3566 }
3567
3568 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3569 goto done;
3570
3571 switch (chan->mode) {
3572 case L2CAP_MODE_STREAMING:
3573 case L2CAP_MODE_ERTM:
3574 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3575 chan->mode = l2cap_select_mode(rfc.mode,
3576 chan->conn->feat_mask);
3577 break;
3578 }
3579
3580 if (remote_efs) {
3581 if (__l2cap_efs_supported(chan->conn))
3582 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3583 else
3584 return -ECONNREFUSED;
3585 }
3586
3587 if (chan->mode != rfc.mode)
3588 return -ECONNREFUSED;
3589
3590 break;
3591 }
3592
3593 done:
3594 if (chan->mode != rfc.mode) {
3595 result = L2CAP_CONF_UNACCEPT;
3596 rfc.mode = chan->mode;
3597
3598 if (chan->num_conf_rsp == 1)
3599 return -ECONNREFUSED;
3600
3601 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3602 (unsigned long) &rfc);
3603 }
3604
3605 if (result == L2CAP_CONF_SUCCESS) {
3606 /* Configure output options and let the other side know
3607 * which ones we don't like. */
3608
3609 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3610 result = L2CAP_CONF_UNACCEPT;
3611 else {
3612 chan->omtu = mtu;
3613 set_bit(CONF_MTU_DONE, &chan->conf_state);
3614 }
3615 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3616
3617 if (remote_efs) {
3618 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3619 efs.stype != L2CAP_SERV_NOTRAFIC &&
3620 efs.stype != chan->local_stype) {
3621
3622 result = L2CAP_CONF_UNACCEPT;
3623
3624 if (chan->num_conf_req >= 1)
3625 return -ECONNREFUSED;
3626
3627 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3628 sizeof(efs),
3629 (unsigned long) &efs);
3630 } else {
3631 /* Send PENDING Conf Rsp */
3632 result = L2CAP_CONF_PENDING;
3633 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3634 }
3635 }
3636
3637 switch (rfc.mode) {
3638 case L2CAP_MODE_BASIC:
3639 chan->fcs = L2CAP_FCS_NONE;
3640 set_bit(CONF_MODE_DONE, &chan->conf_state);
3641 break;
3642
3643 case L2CAP_MODE_ERTM:
3644 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3645 chan->remote_tx_win = rfc.txwin_size;
3646 else
3647 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3648
3649 chan->remote_max_tx = rfc.max_transmit;
3650
3651 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3652 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3653 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3654 rfc.max_pdu_size = cpu_to_le16(size);
3655 chan->remote_mps = size;
3656
3657 __l2cap_set_ertm_timeouts(chan, &rfc);
3658
3659 set_bit(CONF_MODE_DONE, &chan->conf_state);
3660
3661 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3662 sizeof(rfc), (unsigned long) &rfc);
3663
3664 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3665 chan->remote_id = efs.id;
3666 chan->remote_stype = efs.stype;
3667 chan->remote_msdu = le16_to_cpu(efs.msdu);
3668 chan->remote_flush_to =
3669 le32_to_cpu(efs.flush_to);
3670 chan->remote_acc_lat =
3671 le32_to_cpu(efs.acc_lat);
3672 chan->remote_sdu_itime =
3673 le32_to_cpu(efs.sdu_itime);
3674 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3675 sizeof(efs),
3676 (unsigned long) &efs);
3677 }
3678 break;
3679
3680 case L2CAP_MODE_STREAMING:
3681 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3682 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3683 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3684 rfc.max_pdu_size = cpu_to_le16(size);
3685 chan->remote_mps = size;
3686
3687 set_bit(CONF_MODE_DONE, &chan->conf_state);
3688
3689 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3690 (unsigned long) &rfc);
3691
3692 break;
3693
3694 default:
3695 result = L2CAP_CONF_UNACCEPT;
3696
3697 memset(&rfc, 0, sizeof(rfc));
3698 rfc.mode = chan->mode;
3699 }
3700
3701 if (result == L2CAP_CONF_SUCCESS)
3702 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3703 }
3704 rsp->scid = cpu_to_le16(chan->dcid);
3705 rsp->result = cpu_to_le16(result);
3706 rsp->flags = __constant_cpu_to_le16(0);
3707
3708 return ptr - data;
3709 }
3710
3711 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3712 void *data, u16 *result)
3713 {
3714 struct l2cap_conf_req *req = data;
3715 void *ptr = req->data;
3716 int type, olen;
3717 unsigned long val;
3718 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3719 struct l2cap_conf_efs efs;
3720
3721 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3722
3723 while (len >= L2CAP_CONF_OPT_SIZE) {
3724 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3725
3726 switch (type) {
3727 case L2CAP_CONF_MTU:
3728 if (val < L2CAP_DEFAULT_MIN_MTU) {
3729 *result = L2CAP_CONF_UNACCEPT;
3730 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3731 } else
3732 chan->imtu = val;
3733 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3734 break;
3735
3736 case L2CAP_CONF_FLUSH_TO:
3737 chan->flush_to = val;
3738 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3739 2, chan->flush_to);
3740 break;
3741
3742 case L2CAP_CONF_RFC:
3743 if (olen == sizeof(rfc))
3744 memcpy(&rfc, (void *)val, olen);
3745
3746 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3747 rfc.mode != chan->mode)
3748 return -ECONNREFUSED;
3749
3750 chan->fcs = 0;
3751
3752 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3753 sizeof(rfc), (unsigned long) &rfc);
3754 break;
3755
3756 case L2CAP_CONF_EWS:
3757 chan->ack_win = min_t(u16, val, chan->ack_win);
3758 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3759 chan->tx_win);
3760 break;
3761
3762 case L2CAP_CONF_EFS:
3763 if (olen == sizeof(efs))
3764 memcpy(&efs, (void *)val, olen);
3765
3766 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3767 efs.stype != L2CAP_SERV_NOTRAFIC &&
3768 efs.stype != chan->local_stype)
3769 return -ECONNREFUSED;
3770
3771 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3772 (unsigned long) &efs);
3773 break;
3774
3775 case L2CAP_CONF_FCS:
3776 if (*result == L2CAP_CONF_PENDING)
3777 if (val == L2CAP_FCS_NONE)
3778 set_bit(CONF_RECV_NO_FCS,
3779 &chan->conf_state);
3780 break;
3781 }
3782 }
3783
3784 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3785 return -ECONNREFUSED;
3786
3787 chan->mode = rfc.mode;
3788
3789 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3790 switch (rfc.mode) {
3791 case L2CAP_MODE_ERTM:
3792 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3793 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3794 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3795 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3796 chan->ack_win = min_t(u16, chan->ack_win,
3797 rfc.txwin_size);
3798
3799 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3800 chan->local_msdu = le16_to_cpu(efs.msdu);
3801 chan->local_sdu_itime =
3802 le32_to_cpu(efs.sdu_itime);
3803 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3804 chan->local_flush_to =
3805 le32_to_cpu(efs.flush_to);
3806 }
3807 break;
3808
3809 case L2CAP_MODE_STREAMING:
3810 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3811 }
3812 }
3813
3814 req->dcid = cpu_to_le16(chan->dcid);
3815 req->flags = __constant_cpu_to_le16(0);
3816
3817 return ptr - data;
3818 }
3819
3820 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3821 u16 result, u16 flags)
3822 {
3823 struct l2cap_conf_rsp *rsp = data;
3824 void *ptr = rsp->data;
3825
3826 BT_DBG("chan %p", chan);
3827
3828 rsp->scid = cpu_to_le16(chan->dcid);
3829 rsp->result = cpu_to_le16(result);
3830 rsp->flags = cpu_to_le16(flags);
3831
3832 return ptr - data;
3833 }
3834
3835 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3836 {
3837 struct l2cap_le_conn_rsp rsp;
3838 struct l2cap_conn *conn = chan->conn;
3839
3840 BT_DBG("chan %p", chan);
3841
3842 rsp.dcid = cpu_to_le16(chan->scid);
3843 rsp.mtu = cpu_to_le16(chan->imtu);
3844 rsp.mps = cpu_to_le16(chan->mps);
3845 rsp.credits = cpu_to_le16(chan->rx_credits);
3846 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3847
3848 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3849 &rsp);
3850 }
3851
3852 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3853 {
3854 struct l2cap_conn_rsp rsp;
3855 struct l2cap_conn *conn = chan->conn;
3856 u8 buf[128];
3857 u8 rsp_code;
3858
3859 rsp.scid = cpu_to_le16(chan->dcid);
3860 rsp.dcid = cpu_to_le16(chan->scid);
3861 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3862 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
3863
3864 if (chan->hs_hcon)
3865 rsp_code = L2CAP_CREATE_CHAN_RSP;
3866 else
3867 rsp_code = L2CAP_CONN_RSP;
3868
3869 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3870
3871 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3872
3873 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3874 return;
3875
3876 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3877 l2cap_build_conf_req(chan, buf), buf);
3878 chan->num_conf_req++;
3879 }
3880
3881 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3882 {
3883 int type, olen;
3884 unsigned long val;
3885 /* Use sane default values in case a misbehaving remote device
3886 * did not send an RFC or extended window size option.
3887 */
3888 u16 txwin_ext = chan->ack_win;
3889 struct l2cap_conf_rfc rfc = {
3890 .mode = chan->mode,
3891 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3892 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3893 .max_pdu_size = cpu_to_le16(chan->imtu),
3894 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3895 };
3896
3897 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3898
3899 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3900 return;
3901
3902 while (len >= L2CAP_CONF_OPT_SIZE) {
3903 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3904
3905 switch (type) {
3906 case L2CAP_CONF_RFC:
3907 if (olen == sizeof(rfc))
3908 memcpy(&rfc, (void *)val, olen);
3909 break;
3910 case L2CAP_CONF_EWS:
3911 txwin_ext = val;
3912 break;
3913 }
3914 }
3915
3916 switch (rfc.mode) {
3917 case L2CAP_MODE_ERTM:
3918 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3919 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3920 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3921 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3922 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3923 else
3924 chan->ack_win = min_t(u16, chan->ack_win,
3925 rfc.txwin_size);
3926 break;
3927 case L2CAP_MODE_STREAMING:
3928 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3929 }
3930 }
3931
3932 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3933 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3934 u8 *data)
3935 {
3936 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3937
3938 if (cmd_len < sizeof(*rej))
3939 return -EPROTO;
3940
3941 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3942 return 0;
3943
3944 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3945 cmd->ident == conn->info_ident) {
3946 cancel_delayed_work(&conn->info_timer);
3947
3948 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3949 conn->info_ident = 0;
3950
3951 l2cap_conn_start(conn);
3952 }
3953
3954 return 0;
3955 }
3956
3957 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3958 struct l2cap_cmd_hdr *cmd,
3959 u8 *data, u8 rsp_code, u8 amp_id)
3960 {
3961 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3962 struct l2cap_conn_rsp rsp;
3963 struct l2cap_chan *chan = NULL, *pchan;
3964 int result, status = L2CAP_CS_NO_INFO;
3965
3966 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3967 __le16 psm = req->psm;
3968
3969 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3970
3971 /* Check if we have socket listening on psm */
3972 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3973 &conn->hcon->dst, ACL_LINK);
3974 if (!pchan) {
3975 result = L2CAP_CR_BAD_PSM;
3976 goto sendresp;
3977 }
3978
3979 mutex_lock(&conn->chan_lock);
3980 l2cap_chan_lock(pchan);
3981
3982 /* Check if the ACL is secure enough (if not SDP) */
3983 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
3984 !hci_conn_check_link_mode(conn->hcon)) {
3985 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3986 result = L2CAP_CR_SEC_BLOCK;
3987 goto response;
3988 }
3989
3990 result = L2CAP_CR_NO_MEM;
3991
3992 /* Check if we already have channel with that dcid */
3993 if (__l2cap_get_chan_by_dcid(conn, scid))
3994 goto response;
3995
3996 chan = pchan->ops->new_connection(pchan);
3997 if (!chan)
3998 goto response;
3999
4000 /* For certain devices (ex: HID mouse), support for authentication,
4001 * pairing and bonding is optional. For such devices, inorder to avoid
4002 * the ACL alive for too long after L2CAP disconnection, reset the ACL
4003 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
4004 */
4005 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4006
4007 bacpy(&chan->src, &conn->hcon->src);
4008 bacpy(&chan->dst, &conn->hcon->dst);
4009 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
4010 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
4011 chan->psm = psm;
4012 chan->dcid = scid;
4013 chan->local_amp_id = amp_id;
4014
4015 __l2cap_chan_add(conn, chan);
4016
4017 dcid = chan->scid;
4018
4019 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4020
4021 chan->ident = cmd->ident;
4022
4023 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4024 if (l2cap_chan_check_security(chan)) {
4025 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4026 l2cap_state_change(chan, BT_CONNECT2);
4027 result = L2CAP_CR_PEND;
4028 status = L2CAP_CS_AUTHOR_PEND;
4029 chan->ops->defer(chan);
4030 } else {
4031 /* Force pending result for AMP controllers.
4032 * The connection will succeed after the
4033 * physical link is up.
4034 */
4035 if (amp_id == AMP_ID_BREDR) {
4036 l2cap_state_change(chan, BT_CONFIG);
4037 result = L2CAP_CR_SUCCESS;
4038 } else {
4039 l2cap_state_change(chan, BT_CONNECT2);
4040 result = L2CAP_CR_PEND;
4041 }
4042 status = L2CAP_CS_NO_INFO;
4043 }
4044 } else {
4045 l2cap_state_change(chan, BT_CONNECT2);
4046 result = L2CAP_CR_PEND;
4047 status = L2CAP_CS_AUTHEN_PEND;
4048 }
4049 } else {
4050 l2cap_state_change(chan, BT_CONNECT2);
4051 result = L2CAP_CR_PEND;
4052 status = L2CAP_CS_NO_INFO;
4053 }
4054
4055 response:
4056 l2cap_chan_unlock(pchan);
4057 mutex_unlock(&conn->chan_lock);
4058
4059 sendresp:
4060 rsp.scid = cpu_to_le16(scid);
4061 rsp.dcid = cpu_to_le16(dcid);
4062 rsp.result = cpu_to_le16(result);
4063 rsp.status = cpu_to_le16(status);
4064 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4065
4066 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4067 struct l2cap_info_req info;
4068 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4069
4070 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4071 conn->info_ident = l2cap_get_ident(conn);
4072
4073 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4074
4075 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4076 sizeof(info), &info);
4077 }
4078
4079 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4080 result == L2CAP_CR_SUCCESS) {
4081 u8 buf[128];
4082 set_bit(CONF_REQ_SENT, &chan->conf_state);
4083 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4084 l2cap_build_conf_req(chan, buf), buf);
4085 chan->num_conf_req++;
4086 }
4087
4088 return chan;
4089 }
4090
4091 static int l2cap_connect_req(struct l2cap_conn *conn,
4092 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4093 {
4094 struct hci_dev *hdev = conn->hcon->hdev;
4095 struct hci_conn *hcon = conn->hcon;
4096
4097 if (cmd_len < sizeof(struct l2cap_conn_req))
4098 return -EPROTO;
4099
4100 hci_dev_lock(hdev);
4101 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
4102 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4103 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
4104 hcon->dst_type, 0, NULL, 0,
4105 hcon->dev_class);
4106 hci_dev_unlock(hdev);
4107
4108 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4109 return 0;
4110 }
4111
4112 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4113 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4114 u8 *data)
4115 {
4116 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4117 u16 scid, dcid, result, status;
4118 struct l2cap_chan *chan;
4119 u8 req[128];
4120 int err;
4121
4122 if (cmd_len < sizeof(*rsp))
4123 return -EPROTO;
4124
4125 scid = __le16_to_cpu(rsp->scid);
4126 dcid = __le16_to_cpu(rsp->dcid);
4127 result = __le16_to_cpu(rsp->result);
4128 status = __le16_to_cpu(rsp->status);
4129
4130 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4131 dcid, scid, result, status);
4132
4133 mutex_lock(&conn->chan_lock);
4134
4135 if (scid) {
4136 chan = __l2cap_get_chan_by_scid(conn, scid);
4137 if (!chan) {
4138 err = -EBADSLT;
4139 goto unlock;
4140 }
4141 } else {
4142 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4143 if (!chan) {
4144 err = -EBADSLT;
4145 goto unlock;
4146 }
4147 }
4148
4149 err = 0;
4150
4151 l2cap_chan_lock(chan);
4152
4153 switch (result) {
4154 case L2CAP_CR_SUCCESS:
4155 l2cap_state_change(chan, BT_CONFIG);
4156 chan->ident = 0;
4157 chan->dcid = dcid;
4158 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4159
4160 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4161 break;
4162
4163 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4164 l2cap_build_conf_req(chan, req), req);
4165 chan->num_conf_req++;
4166 break;
4167
4168 case L2CAP_CR_PEND:
4169 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4170 break;
4171
4172 default:
4173 l2cap_chan_del(chan, ECONNREFUSED);
4174 break;
4175 }
4176
4177 l2cap_chan_unlock(chan);
4178
4179 unlock:
4180 mutex_unlock(&conn->chan_lock);
4181
4182 return err;
4183 }
4184
4185 static inline void set_default_fcs(struct l2cap_chan *chan)
4186 {
4187 /* FCS is enabled only in ERTM or streaming mode, if one or both
4188 * sides request it.
4189 */
4190 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4191 chan->fcs = L2CAP_FCS_NONE;
4192 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4193 chan->fcs = L2CAP_FCS_CRC16;
4194 }
4195
4196 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4197 u8 ident, u16 flags)
4198 {
4199 struct l2cap_conn *conn = chan->conn;
4200
4201 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4202 flags);
4203
4204 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4205 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4206
4207 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4208 l2cap_build_conf_rsp(chan, data,
4209 L2CAP_CONF_SUCCESS, flags), data);
4210 }
4211
4212 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4213 u16 scid, u16 dcid)
4214 {
4215 struct l2cap_cmd_rej_cid rej;
4216
4217 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
4218 rej.scid = __cpu_to_le16(scid);
4219 rej.dcid = __cpu_to_le16(dcid);
4220
4221 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4222 }
4223
4224 static inline int l2cap_config_req(struct l2cap_conn *conn,
4225 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4226 u8 *data)
4227 {
4228 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4229 u16 dcid, flags;
4230 u8 rsp[64];
4231 struct l2cap_chan *chan;
4232 int len, err = 0;
4233
4234 if (cmd_len < sizeof(*req))
4235 return -EPROTO;
4236
4237 dcid = __le16_to_cpu(req->dcid);
4238 flags = __le16_to_cpu(req->flags);
4239
4240 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4241
4242 chan = l2cap_get_chan_by_scid(conn, dcid);
4243 if (!chan) {
4244 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4245 return 0;
4246 }
4247
4248 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4249 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4250 chan->dcid);
4251 goto unlock;
4252 }
4253
4254 /* Reject if config buffer is too small. */
4255 len = cmd_len - sizeof(*req);
4256 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4257 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4258 l2cap_build_conf_rsp(chan, rsp,
4259 L2CAP_CONF_REJECT, flags), rsp);
4260 goto unlock;
4261 }
4262
4263 /* Store config. */
4264 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4265 chan->conf_len += len;
4266
4267 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4268 /* Incomplete config. Send empty response. */
4269 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4270 l2cap_build_conf_rsp(chan, rsp,
4271 L2CAP_CONF_SUCCESS, flags), rsp);
4272 goto unlock;
4273 }
4274
4275 /* Complete config. */
4276 len = l2cap_parse_conf_req(chan, rsp);
4277 if (len < 0) {
4278 l2cap_send_disconn_req(chan, ECONNRESET);
4279 goto unlock;
4280 }
4281
4282 chan->ident = cmd->ident;
4283 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4284 chan->num_conf_rsp++;
4285
4286 /* Reset config buffer. */
4287 chan->conf_len = 0;
4288
4289 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4290 goto unlock;
4291
4292 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4293 set_default_fcs(chan);
4294
4295 if (chan->mode == L2CAP_MODE_ERTM ||
4296 chan->mode == L2CAP_MODE_STREAMING)
4297 err = l2cap_ertm_init(chan);
4298
4299 if (err < 0)
4300 l2cap_send_disconn_req(chan, -err);
4301 else
4302 l2cap_chan_ready(chan);
4303
4304 goto unlock;
4305 }
4306
4307 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4308 u8 buf[64];
4309 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4310 l2cap_build_conf_req(chan, buf), buf);
4311 chan->num_conf_req++;
4312 }
4313
4314 /* Got Conf Rsp PENDING from remote side and asume we sent
4315 Conf Rsp PENDING in the code above */
4316 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4317 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4318
4319 /* check compatibility */
4320
4321 /* Send rsp for BR/EDR channel */
4322 if (!chan->hs_hcon)
4323 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4324 else
4325 chan->ident = cmd->ident;
4326 }
4327
4328 unlock:
4329 l2cap_chan_unlock(chan);
4330 return err;
4331 }
4332
4333 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4334 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4335 u8 *data)
4336 {
4337 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4338 u16 scid, flags, result;
4339 struct l2cap_chan *chan;
4340 int len = cmd_len - sizeof(*rsp);
4341 int err = 0;
4342
4343 if (cmd_len < sizeof(*rsp))
4344 return -EPROTO;
4345
4346 scid = __le16_to_cpu(rsp->scid);
4347 flags = __le16_to_cpu(rsp->flags);
4348 result = __le16_to_cpu(rsp->result);
4349
4350 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4351 result, len);
4352
4353 chan = l2cap_get_chan_by_scid(conn, scid);
4354 if (!chan)
4355 return 0;
4356
4357 switch (result) {
4358 case L2CAP_CONF_SUCCESS:
4359 l2cap_conf_rfc_get(chan, rsp->data, len);
4360 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4361 break;
4362
4363 case L2CAP_CONF_PENDING:
4364 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4365
4366 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4367 char buf[64];
4368
4369 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4370 buf, &result);
4371 if (len < 0) {
4372 l2cap_send_disconn_req(chan, ECONNRESET);
4373 goto done;
4374 }
4375
4376 if (!chan->hs_hcon) {
4377 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4378 0);
4379 } else {
4380 if (l2cap_check_efs(chan)) {
4381 amp_create_logical_link(chan);
4382 chan->ident = cmd->ident;
4383 }
4384 }
4385 }
4386 goto done;
4387
4388 case L2CAP_CONF_UNACCEPT:
4389 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4390 char req[64];
4391
4392 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4393 l2cap_send_disconn_req(chan, ECONNRESET);
4394 goto done;
4395 }
4396
4397 /* throw out any old stored conf requests */
4398 result = L2CAP_CONF_SUCCESS;
4399 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4400 req, &result);
4401 if (len < 0) {
4402 l2cap_send_disconn_req(chan, ECONNRESET);
4403 goto done;
4404 }
4405
4406 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4407 L2CAP_CONF_REQ, len, req);
4408 chan->num_conf_req++;
4409 if (result != L2CAP_CONF_SUCCESS)
4410 goto done;
4411 break;
4412 }
4413
4414 default:
4415 l2cap_chan_set_err(chan, ECONNRESET);
4416
4417 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4418 l2cap_send_disconn_req(chan, ECONNRESET);
4419 goto done;
4420 }
4421
4422 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4423 goto done;
4424
4425 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4426
4427 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4428 set_default_fcs(chan);
4429
4430 if (chan->mode == L2CAP_MODE_ERTM ||
4431 chan->mode == L2CAP_MODE_STREAMING)
4432 err = l2cap_ertm_init(chan);
4433
4434 if (err < 0)
4435 l2cap_send_disconn_req(chan, -err);
4436 else
4437 l2cap_chan_ready(chan);
4438 }
4439
4440 done:
4441 l2cap_chan_unlock(chan);
4442 return err;
4443 }
4444
4445 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4446 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4447 u8 *data)
4448 {
4449 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4450 struct l2cap_disconn_rsp rsp;
4451 u16 dcid, scid;
4452 struct l2cap_chan *chan;
4453
4454 if (cmd_len != sizeof(*req))
4455 return -EPROTO;
4456
4457 scid = __le16_to_cpu(req->scid);
4458 dcid = __le16_to_cpu(req->dcid);
4459
4460 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4461
4462 mutex_lock(&conn->chan_lock);
4463
4464 chan = __l2cap_get_chan_by_scid(conn, dcid);
4465 if (!chan) {
4466 mutex_unlock(&conn->chan_lock);
4467 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4468 return 0;
4469 }
4470
4471 l2cap_chan_lock(chan);
4472
4473 rsp.dcid = cpu_to_le16(chan->scid);
4474 rsp.scid = cpu_to_le16(chan->dcid);
4475 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4476
4477 chan->ops->set_shutdown(chan);
4478
4479 l2cap_chan_hold(chan);
4480 l2cap_chan_del(chan, ECONNRESET);
4481
4482 l2cap_chan_unlock(chan);
4483
4484 chan->ops->close(chan);
4485 l2cap_chan_put(chan);
4486
4487 mutex_unlock(&conn->chan_lock);
4488
4489 return 0;
4490 }
4491
4492 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4493 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4494 u8 *data)
4495 {
4496 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4497 u16 dcid, scid;
4498 struct l2cap_chan *chan;
4499
4500 if (cmd_len != sizeof(*rsp))
4501 return -EPROTO;
4502
4503 scid = __le16_to_cpu(rsp->scid);
4504 dcid = __le16_to_cpu(rsp->dcid);
4505
4506 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4507
4508 mutex_lock(&conn->chan_lock);
4509
4510 chan = __l2cap_get_chan_by_scid(conn, scid);
4511 if (!chan) {
4512 mutex_unlock(&conn->chan_lock);
4513 return 0;
4514 }
4515
4516 l2cap_chan_lock(chan);
4517
4518 l2cap_chan_hold(chan);
4519 l2cap_chan_del(chan, 0);
4520
4521 l2cap_chan_unlock(chan);
4522
4523 chan->ops->close(chan);
4524 l2cap_chan_put(chan);
4525
4526 mutex_unlock(&conn->chan_lock);
4527
4528 return 0;
4529 }
4530
4531 static inline int l2cap_information_req(struct l2cap_conn *conn,
4532 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4533 u8 *data)
4534 {
4535 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4536 u16 type;
4537
4538 if (cmd_len != sizeof(*req))
4539 return -EPROTO;
4540
4541 type = __le16_to_cpu(req->type);
4542
4543 BT_DBG("type 0x%4.4x", type);
4544
4545 if (type == L2CAP_IT_FEAT_MASK) {
4546 u8 buf[8];
4547 u32 feat_mask = l2cap_feat_mask;
4548 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4549 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4550 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
4551 if (!disable_ertm)
4552 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4553 | L2CAP_FEAT_FCS;
4554 if (conn->hs_enabled)
4555 feat_mask |= L2CAP_FEAT_EXT_FLOW
4556 | L2CAP_FEAT_EXT_WINDOW;
4557
4558 put_unaligned_le32(feat_mask, rsp->data);
4559 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4560 buf);
4561 } else if (type == L2CAP_IT_FIXED_CHAN) {
4562 u8 buf[12];
4563 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4564
4565 if (conn->hs_enabled)
4566 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4567 else
4568 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4569
4570 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4571 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
4572 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
4573 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4574 buf);
4575 } else {
4576 struct l2cap_info_rsp rsp;
4577 rsp.type = cpu_to_le16(type);
4578 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
4579 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4580 &rsp);
4581 }
4582
4583 return 0;
4584 }
4585
4586 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4587 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4588 u8 *data)
4589 {
4590 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4591 u16 type, result;
4592
4593 if (cmd_len < sizeof(*rsp))
4594 return -EPROTO;
4595
4596 type = __le16_to_cpu(rsp->type);
4597 result = __le16_to_cpu(rsp->result);
4598
4599 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4600
4601 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4602 if (cmd->ident != conn->info_ident ||
4603 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4604 return 0;
4605
4606 cancel_delayed_work(&conn->info_timer);
4607
4608 if (result != L2CAP_IR_SUCCESS) {
4609 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4610 conn->info_ident = 0;
4611
4612 l2cap_conn_start(conn);
4613
4614 return 0;
4615 }
4616
4617 switch (type) {
4618 case L2CAP_IT_FEAT_MASK:
4619 conn->feat_mask = get_unaligned_le32(rsp->data);
4620
4621 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4622 struct l2cap_info_req req;
4623 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4624
4625 conn->info_ident = l2cap_get_ident(conn);
4626
4627 l2cap_send_cmd(conn, conn->info_ident,
4628 L2CAP_INFO_REQ, sizeof(req), &req);
4629 } else {
4630 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4631 conn->info_ident = 0;
4632
4633 l2cap_conn_start(conn);
4634 }
4635 break;
4636
4637 case L2CAP_IT_FIXED_CHAN:
4638 conn->fixed_chan_mask = rsp->data[0];
4639 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4640 conn->info_ident = 0;
4641
4642 l2cap_conn_start(conn);
4643 break;
4644 }
4645
4646 return 0;
4647 }
4648
4649 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4650 struct l2cap_cmd_hdr *cmd,
4651 u16 cmd_len, void *data)
4652 {
4653 struct l2cap_create_chan_req *req = data;
4654 struct l2cap_create_chan_rsp rsp;
4655 struct l2cap_chan *chan;
4656 struct hci_dev *hdev;
4657 u16 psm, scid;
4658
4659 if (cmd_len != sizeof(*req))
4660 return -EPROTO;
4661
4662 if (!conn->hs_enabled)
4663 return -EINVAL;
4664
4665 psm = le16_to_cpu(req->psm);
4666 scid = le16_to_cpu(req->scid);
4667
4668 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4669
4670 /* For controller id 0 make BR/EDR connection */
4671 if (req->amp_id == AMP_ID_BREDR) {
4672 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4673 req->amp_id);
4674 return 0;
4675 }
4676
4677 /* Validate AMP controller id */
4678 hdev = hci_dev_get(req->amp_id);
4679 if (!hdev)
4680 goto error;
4681
4682 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4683 hci_dev_put(hdev);
4684 goto error;
4685 }
4686
4687 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4688 req->amp_id);
4689 if (chan) {
4690 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4691 struct hci_conn *hs_hcon;
4692
4693 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4694 &conn->hcon->dst);
4695 if (!hs_hcon) {
4696 hci_dev_put(hdev);
4697 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4698 chan->dcid);
4699 return 0;
4700 }
4701
4702 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4703
4704 mgr->bredr_chan = chan;
4705 chan->hs_hcon = hs_hcon;
4706 chan->fcs = L2CAP_FCS_NONE;
4707 conn->mtu = hdev->block_mtu;
4708 }
4709
4710 hci_dev_put(hdev);
4711
4712 return 0;
4713
4714 error:
4715 rsp.dcid = 0;
4716 rsp.scid = cpu_to_le16(scid);
4717 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4718 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4719
4720 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4721 sizeof(rsp), &rsp);
4722
4723 return 0;
4724 }
4725
4726 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4727 {
4728 struct l2cap_move_chan_req req;
4729 u8 ident;
4730
4731 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4732
4733 ident = l2cap_get_ident(chan->conn);
4734 chan->ident = ident;
4735
4736 req.icid = cpu_to_le16(chan->scid);
4737 req.dest_amp_id = dest_amp_id;
4738
4739 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4740 &req);
4741
4742 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4743 }
4744
4745 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4746 {
4747 struct l2cap_move_chan_rsp rsp;
4748
4749 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4750
4751 rsp.icid = cpu_to_le16(chan->dcid);
4752 rsp.result = cpu_to_le16(result);
4753
4754 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4755 sizeof(rsp), &rsp);
4756 }
4757
4758 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4759 {
4760 struct l2cap_move_chan_cfm cfm;
4761
4762 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4763
4764 chan->ident = l2cap_get_ident(chan->conn);
4765
4766 cfm.icid = cpu_to_le16(chan->scid);
4767 cfm.result = cpu_to_le16(result);
4768
4769 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4770 sizeof(cfm), &cfm);
4771
4772 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4773 }
4774
4775 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4776 {
4777 struct l2cap_move_chan_cfm cfm;
4778
4779 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4780
4781 cfm.icid = cpu_to_le16(icid);
4782 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4783
4784 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4785 sizeof(cfm), &cfm);
4786 }
4787
4788 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4789 u16 icid)
4790 {
4791 struct l2cap_move_chan_cfm_rsp rsp;
4792
4793 BT_DBG("icid 0x%4.4x", icid);
4794
4795 rsp.icid = cpu_to_le16(icid);
4796 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4797 }
4798
4799 static void __release_logical_link(struct l2cap_chan *chan)
4800 {
4801 chan->hs_hchan = NULL;
4802 chan->hs_hcon = NULL;
4803
4804 /* Placeholder - release the logical link */
4805 }
4806
4807 static void l2cap_logical_fail(struct l2cap_chan *chan)
4808 {
4809 /* Logical link setup failed */
4810 if (chan->state != BT_CONNECTED) {
4811 /* Create channel failure, disconnect */
4812 l2cap_send_disconn_req(chan, ECONNRESET);
4813 return;
4814 }
4815
4816 switch (chan->move_role) {
4817 case L2CAP_MOVE_ROLE_RESPONDER:
4818 l2cap_move_done(chan);
4819 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4820 break;
4821 case L2CAP_MOVE_ROLE_INITIATOR:
4822 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4823 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4824 /* Remote has only sent pending or
4825 * success responses, clean up
4826 */
4827 l2cap_move_done(chan);
4828 }
4829
4830 /* Other amp move states imply that the move
4831 * has already aborted
4832 */
4833 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4834 break;
4835 }
4836 }
4837
4838 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4839 struct hci_chan *hchan)
4840 {
4841 struct l2cap_conf_rsp rsp;
4842
4843 chan->hs_hchan = hchan;
4844 chan->hs_hcon->l2cap_data = chan->conn;
4845
4846 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4847
4848 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4849 int err;
4850
4851 set_default_fcs(chan);
4852
4853 err = l2cap_ertm_init(chan);
4854 if (err < 0)
4855 l2cap_send_disconn_req(chan, -err);
4856 else
4857 l2cap_chan_ready(chan);
4858 }
4859 }
4860
4861 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4862 struct hci_chan *hchan)
4863 {
4864 chan->hs_hcon = hchan->conn;
4865 chan->hs_hcon->l2cap_data = chan->conn;
4866
4867 BT_DBG("move_state %d", chan->move_state);
4868
4869 switch (chan->move_state) {
4870 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4871 /* Move confirm will be sent after a success
4872 * response is received
4873 */
4874 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4875 break;
4876 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4877 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4878 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4879 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4880 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4881 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4882 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4883 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4884 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4885 }
4886 break;
4887 default:
4888 /* Move was not in expected state, free the channel */
4889 __release_logical_link(chan);
4890
4891 chan->move_state = L2CAP_MOVE_STABLE;
4892 }
4893 }
4894
4895 /* Call with chan locked */
4896 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4897 u8 status)
4898 {
4899 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4900
4901 if (status) {
4902 l2cap_logical_fail(chan);
4903 __release_logical_link(chan);
4904 return;
4905 }
4906
4907 if (chan->state != BT_CONNECTED) {
4908 /* Ignore logical link if channel is on BR/EDR */
4909 if (chan->local_amp_id != AMP_ID_BREDR)
4910 l2cap_logical_finish_create(chan, hchan);
4911 } else {
4912 l2cap_logical_finish_move(chan, hchan);
4913 }
4914 }
4915
4916 void l2cap_move_start(struct l2cap_chan *chan)
4917 {
4918 BT_DBG("chan %p", chan);
4919
4920 if (chan->local_amp_id == AMP_ID_BREDR) {
4921 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4922 return;
4923 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4924 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4925 /* Placeholder - start physical link setup */
4926 } else {
4927 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4928 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4929 chan->move_id = 0;
4930 l2cap_move_setup(chan);
4931 l2cap_send_move_chan_req(chan, 0);
4932 }
4933 }
4934
4935 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4936 u8 local_amp_id, u8 remote_amp_id)
4937 {
4938 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4939 local_amp_id, remote_amp_id);
4940
4941 chan->fcs = L2CAP_FCS_NONE;
4942
4943 /* Outgoing channel on AMP */
4944 if (chan->state == BT_CONNECT) {
4945 if (result == L2CAP_CR_SUCCESS) {
4946 chan->local_amp_id = local_amp_id;
4947 l2cap_send_create_chan_req(chan, remote_amp_id);
4948 } else {
4949 /* Revert to BR/EDR connect */
4950 l2cap_send_conn_req(chan);
4951 }
4952
4953 return;
4954 }
4955
4956 /* Incoming channel on AMP */
4957 if (__l2cap_no_conn_pending(chan)) {
4958 struct l2cap_conn_rsp rsp;
4959 char buf[128];
4960 rsp.scid = cpu_to_le16(chan->dcid);
4961 rsp.dcid = cpu_to_le16(chan->scid);
4962
4963 if (result == L2CAP_CR_SUCCESS) {
4964 /* Send successful response */
4965 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4966 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4967 } else {
4968 /* Send negative response */
4969 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4970 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4971 }
4972
4973 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4974 sizeof(rsp), &rsp);
4975
4976 if (result == L2CAP_CR_SUCCESS) {
4977 l2cap_state_change(chan, BT_CONFIG);
4978 set_bit(CONF_REQ_SENT, &chan->conf_state);
4979 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4980 L2CAP_CONF_REQ,
4981 l2cap_build_conf_req(chan, buf), buf);
4982 chan->num_conf_req++;
4983 }
4984 }
4985 }
4986
4987 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4988 u8 remote_amp_id)
4989 {
4990 l2cap_move_setup(chan);
4991 chan->move_id = local_amp_id;
4992 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4993
4994 l2cap_send_move_chan_req(chan, remote_amp_id);
4995 }
4996
4997 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4998 {
4999 struct hci_chan *hchan = NULL;
5000
5001 /* Placeholder - get hci_chan for logical link */
5002
5003 if (hchan) {
5004 if (hchan->state == BT_CONNECTED) {
5005 /* Logical link is ready to go */
5006 chan->hs_hcon = hchan->conn;
5007 chan->hs_hcon->l2cap_data = chan->conn;
5008 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5009 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5010
5011 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5012 } else {
5013 /* Wait for logical link to be ready */
5014 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5015 }
5016 } else {
5017 /* Logical link not available */
5018 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5019 }
5020 }
5021
5022 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5023 {
5024 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5025 u8 rsp_result;
5026 if (result == -EINVAL)
5027 rsp_result = L2CAP_MR_BAD_ID;
5028 else
5029 rsp_result = L2CAP_MR_NOT_ALLOWED;
5030
5031 l2cap_send_move_chan_rsp(chan, rsp_result);
5032 }
5033
5034 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5035 chan->move_state = L2CAP_MOVE_STABLE;
5036
5037 /* Restart data transmission */
5038 l2cap_ertm_send(chan);
5039 }
5040
5041 /* Invoke with locked chan */
5042 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5043 {
5044 u8 local_amp_id = chan->local_amp_id;
5045 u8 remote_amp_id = chan->remote_amp_id;
5046
5047 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5048 chan, result, local_amp_id, remote_amp_id);
5049
5050 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
5051 l2cap_chan_unlock(chan);
5052 return;
5053 }
5054
5055 if (chan->state != BT_CONNECTED) {
5056 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5057 } else if (result != L2CAP_MR_SUCCESS) {
5058 l2cap_do_move_cancel(chan, result);
5059 } else {
5060 switch (chan->move_role) {
5061 case L2CAP_MOVE_ROLE_INITIATOR:
5062 l2cap_do_move_initiate(chan, local_amp_id,
5063 remote_amp_id);
5064 break;
5065 case L2CAP_MOVE_ROLE_RESPONDER:
5066 l2cap_do_move_respond(chan, result);
5067 break;
5068 default:
5069 l2cap_do_move_cancel(chan, result);
5070 break;
5071 }
5072 }
5073 }
5074
5075 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5076 struct l2cap_cmd_hdr *cmd,
5077 u16 cmd_len, void *data)
5078 {
5079 struct l2cap_move_chan_req *req = data;
5080 struct l2cap_move_chan_rsp rsp;
5081 struct l2cap_chan *chan;
5082 u16 icid = 0;
5083 u16 result = L2CAP_MR_NOT_ALLOWED;
5084
5085 if (cmd_len != sizeof(*req))
5086 return -EPROTO;
5087
5088 icid = le16_to_cpu(req->icid);
5089
5090 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5091
5092 if (!conn->hs_enabled)
5093 return -EINVAL;
5094
5095 chan = l2cap_get_chan_by_dcid(conn, icid);
5096 if (!chan) {
5097 rsp.icid = cpu_to_le16(icid);
5098 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5099 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5100 sizeof(rsp), &rsp);
5101 return 0;
5102 }
5103
5104 chan->ident = cmd->ident;
5105
5106 if (chan->scid < L2CAP_CID_DYN_START ||
5107 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5108 (chan->mode != L2CAP_MODE_ERTM &&
5109 chan->mode != L2CAP_MODE_STREAMING)) {
5110 result = L2CAP_MR_NOT_ALLOWED;
5111 goto send_move_response;
5112 }
5113
5114 if (chan->local_amp_id == req->dest_amp_id) {
5115 result = L2CAP_MR_SAME_ID;
5116 goto send_move_response;
5117 }
5118
5119 if (req->dest_amp_id != AMP_ID_BREDR) {
5120 struct hci_dev *hdev;
5121 hdev = hci_dev_get(req->dest_amp_id);
5122 if (!hdev || hdev->dev_type != HCI_AMP ||
5123 !test_bit(HCI_UP, &hdev->flags)) {
5124 if (hdev)
5125 hci_dev_put(hdev);
5126
5127 result = L2CAP_MR_BAD_ID;
5128 goto send_move_response;
5129 }
5130 hci_dev_put(hdev);
5131 }
5132
5133 /* Detect a move collision. Only send a collision response
5134 * if this side has "lost", otherwise proceed with the move.
5135 * The winner has the larger bd_addr.
5136 */
5137 if ((__chan_is_moving(chan) ||
5138 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5139 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5140 result = L2CAP_MR_COLLISION;
5141 goto send_move_response;
5142 }
5143
5144 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5145 l2cap_move_setup(chan);
5146 chan->move_id = req->dest_amp_id;
5147 icid = chan->dcid;
5148
5149 if (req->dest_amp_id == AMP_ID_BREDR) {
5150 /* Moving to BR/EDR */
5151 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5152 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5153 result = L2CAP_MR_PEND;
5154 } else {
5155 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5156 result = L2CAP_MR_SUCCESS;
5157 }
5158 } else {
5159 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5160 /* Placeholder - uncomment when amp functions are available */
5161 /*amp_accept_physical(chan, req->dest_amp_id);*/
5162 result = L2CAP_MR_PEND;
5163 }
5164
5165 send_move_response:
5166 l2cap_send_move_chan_rsp(chan, result);
5167
5168 l2cap_chan_unlock(chan);
5169
5170 return 0;
5171 }
5172
5173 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5174 {
5175 struct l2cap_chan *chan;
5176 struct hci_chan *hchan = NULL;
5177
5178 chan = l2cap_get_chan_by_scid(conn, icid);
5179 if (!chan) {
5180 l2cap_send_move_chan_cfm_icid(conn, icid);
5181 return;
5182 }
5183
5184 __clear_chan_timer(chan);
5185 if (result == L2CAP_MR_PEND)
5186 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5187
5188 switch (chan->move_state) {
5189 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5190 /* Move confirm will be sent when logical link
5191 * is complete.
5192 */
5193 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5194 break;
5195 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5196 if (result == L2CAP_MR_PEND) {
5197 break;
5198 } else if (test_bit(CONN_LOCAL_BUSY,
5199 &chan->conn_state)) {
5200 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5201 } else {
5202 /* Logical link is up or moving to BR/EDR,
5203 * proceed with move
5204 */
5205 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5206 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5207 }
5208 break;
5209 case L2CAP_MOVE_WAIT_RSP:
5210 /* Moving to AMP */
5211 if (result == L2CAP_MR_SUCCESS) {
5212 /* Remote is ready, send confirm immediately
5213 * after logical link is ready
5214 */
5215 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5216 } else {
5217 /* Both logical link and move success
5218 * are required to confirm
5219 */
5220 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5221 }
5222
5223 /* Placeholder - get hci_chan for logical link */
5224 if (!hchan) {
5225 /* Logical link not available */
5226 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5227 break;
5228 }
5229
5230 /* If the logical link is not yet connected, do not
5231 * send confirmation.
5232 */
5233 if (hchan->state != BT_CONNECTED)
5234 break;
5235
5236 /* Logical link is already ready to go */
5237
5238 chan->hs_hcon = hchan->conn;
5239 chan->hs_hcon->l2cap_data = chan->conn;
5240
5241 if (result == L2CAP_MR_SUCCESS) {
5242 /* Can confirm now */
5243 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5244 } else {
5245 /* Now only need move success
5246 * to confirm
5247 */
5248 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5249 }
5250
5251 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5252 break;
5253 default:
5254 /* Any other amp move state means the move failed. */
5255 chan->move_id = chan->local_amp_id;
5256 l2cap_move_done(chan);
5257 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5258 }
5259
5260 l2cap_chan_unlock(chan);
5261 }
5262
5263 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5264 u16 result)
5265 {
5266 struct l2cap_chan *chan;
5267
5268 chan = l2cap_get_chan_by_ident(conn, ident);
5269 if (!chan) {
5270 /* Could not locate channel, icid is best guess */
5271 l2cap_send_move_chan_cfm_icid(conn, icid);
5272 return;
5273 }
5274
5275 __clear_chan_timer(chan);
5276
5277 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5278 if (result == L2CAP_MR_COLLISION) {
5279 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5280 } else {
5281 /* Cleanup - cancel move */
5282 chan->move_id = chan->local_amp_id;
5283 l2cap_move_done(chan);
5284 }
5285 }
5286
5287 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5288
5289 l2cap_chan_unlock(chan);
5290 }
5291
5292 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5293 struct l2cap_cmd_hdr *cmd,
5294 u16 cmd_len, void *data)
5295 {
5296 struct l2cap_move_chan_rsp *rsp = data;
5297 u16 icid, result;
5298
5299 if (cmd_len != sizeof(*rsp))
5300 return -EPROTO;
5301
5302 icid = le16_to_cpu(rsp->icid);
5303 result = le16_to_cpu(rsp->result);
5304
5305 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5306
5307 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5308 l2cap_move_continue(conn, icid, result);
5309 else
5310 l2cap_move_fail(conn, cmd->ident, icid, result);
5311
5312 return 0;
5313 }
5314
5315 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5316 struct l2cap_cmd_hdr *cmd,
5317 u16 cmd_len, void *data)
5318 {
5319 struct l2cap_move_chan_cfm *cfm = data;
5320 struct l2cap_chan *chan;
5321 u16 icid, result;
5322
5323 if (cmd_len != sizeof(*cfm))
5324 return -EPROTO;
5325
5326 icid = le16_to_cpu(cfm->icid);
5327 result = le16_to_cpu(cfm->result);
5328
5329 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5330
5331 chan = l2cap_get_chan_by_dcid(conn, icid);
5332 if (!chan) {
5333 /* Spec requires a response even if the icid was not found */
5334 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5335 return 0;
5336 }
5337
5338 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5339 if (result == L2CAP_MC_CONFIRMED) {
5340 chan->local_amp_id = chan->move_id;
5341 if (chan->local_amp_id == AMP_ID_BREDR)
5342 __release_logical_link(chan);
5343 } else {
5344 chan->move_id = chan->local_amp_id;
5345 }
5346
5347 l2cap_move_done(chan);
5348 }
5349
5350 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5351
5352 l2cap_chan_unlock(chan);
5353
5354 return 0;
5355 }
5356
5357 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5358 struct l2cap_cmd_hdr *cmd,
5359 u16 cmd_len, void *data)
5360 {
5361 struct l2cap_move_chan_cfm_rsp *rsp = data;
5362 struct l2cap_chan *chan;
5363 u16 icid;
5364
5365 if (cmd_len != sizeof(*rsp))
5366 return -EPROTO;
5367
5368 icid = le16_to_cpu(rsp->icid);
5369
5370 BT_DBG("icid 0x%4.4x", icid);
5371
5372 chan = l2cap_get_chan_by_scid(conn, icid);
5373 if (!chan)
5374 return 0;
5375
5376 __clear_chan_timer(chan);
5377
5378 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5379 chan->local_amp_id = chan->move_id;
5380
5381 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5382 __release_logical_link(chan);
5383
5384 l2cap_move_done(chan);
5385 }
5386
5387 l2cap_chan_unlock(chan);
5388
5389 return 0;
5390 }
5391
5392 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
5393 u16 to_multiplier)
5394 {
5395 u16 max_latency;
5396
5397 if (min > max || min < 6 || max > 3200)
5398 return -EINVAL;
5399
5400 if (to_multiplier < 10 || to_multiplier > 3200)
5401 return -EINVAL;
5402
5403 if (max >= to_multiplier * 8)
5404 return -EINVAL;
5405
5406 max_latency = (to_multiplier * 8 / max) - 1;
5407 if (latency > 499 || latency > max_latency)
5408 return -EINVAL;
5409
5410 return 0;
5411 }
5412
5413 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5414 struct l2cap_cmd_hdr *cmd,
5415 u16 cmd_len, u8 *data)
5416 {
5417 struct hci_conn *hcon = conn->hcon;
5418 struct l2cap_conn_param_update_req *req;
5419 struct l2cap_conn_param_update_rsp rsp;
5420 u16 min, max, latency, to_multiplier;
5421 int err;
5422
5423 if (!(hcon->link_mode & HCI_LM_MASTER))
5424 return -EINVAL;
5425
5426 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5427 return -EPROTO;
5428
5429 req = (struct l2cap_conn_param_update_req *) data;
5430 min = __le16_to_cpu(req->min);
5431 max = __le16_to_cpu(req->max);
5432 latency = __le16_to_cpu(req->latency);
5433 to_multiplier = __le16_to_cpu(req->to_multiplier);
5434
5435 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5436 min, max, latency, to_multiplier);
5437
5438 memset(&rsp, 0, sizeof(rsp));
5439
5440 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5441 if (err)
5442 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5443 else
5444 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5445
5446 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5447 sizeof(rsp), &rsp);
5448
5449 if (!err)
5450 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5451
5452 return 0;
5453 }
5454
5455 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5456 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5457 u8 *data)
5458 {
5459 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5460 u16 dcid, mtu, mps, credits, result;
5461 struct l2cap_chan *chan;
5462 int err;
5463
5464 if (cmd_len < sizeof(*rsp))
5465 return -EPROTO;
5466
5467 dcid = __le16_to_cpu(rsp->dcid);
5468 mtu = __le16_to_cpu(rsp->mtu);
5469 mps = __le16_to_cpu(rsp->mps);
5470 credits = __le16_to_cpu(rsp->credits);
5471 result = __le16_to_cpu(rsp->result);
5472
5473 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5474 return -EPROTO;
5475
5476 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5477 dcid, mtu, mps, credits, result);
5478
5479 mutex_lock(&conn->chan_lock);
5480
5481 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5482 if (!chan) {
5483 err = -EBADSLT;
5484 goto unlock;
5485 }
5486
5487 err = 0;
5488
5489 l2cap_chan_lock(chan);
5490
5491 switch (result) {
5492 case L2CAP_CR_SUCCESS:
5493 chan->ident = 0;
5494 chan->dcid = dcid;
5495 chan->omtu = mtu;
5496 chan->remote_mps = mps;
5497 chan->tx_credits = credits;
5498 l2cap_chan_ready(chan);
5499 break;
5500
5501 default:
5502 l2cap_chan_del(chan, ECONNREFUSED);
5503 break;
5504 }
5505
5506 l2cap_chan_unlock(chan);
5507
5508 unlock:
5509 mutex_unlock(&conn->chan_lock);
5510
5511 return err;
5512 }
5513
5514 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5515 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5516 u8 *data)
5517 {
5518 int err = 0;
5519
5520 switch (cmd->code) {
5521 case L2CAP_COMMAND_REJ:
5522 l2cap_command_rej(conn, cmd, cmd_len, data);
5523 break;
5524
5525 case L2CAP_CONN_REQ:
5526 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5527 break;
5528
5529 case L2CAP_CONN_RSP:
5530 case L2CAP_CREATE_CHAN_RSP:
5531 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5532 break;
5533
5534 case L2CAP_CONF_REQ:
5535 err = l2cap_config_req(conn, cmd, cmd_len, data);
5536 break;
5537
5538 case L2CAP_CONF_RSP:
5539 l2cap_config_rsp(conn, cmd, cmd_len, data);
5540 break;
5541
5542 case L2CAP_DISCONN_REQ:
5543 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5544 break;
5545
5546 case L2CAP_DISCONN_RSP:
5547 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5548 break;
5549
5550 case L2CAP_ECHO_REQ:
5551 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5552 break;
5553
5554 case L2CAP_ECHO_RSP:
5555 break;
5556
5557 case L2CAP_INFO_REQ:
5558 err = l2cap_information_req(conn, cmd, cmd_len, data);
5559 break;
5560
5561 case L2CAP_INFO_RSP:
5562 l2cap_information_rsp(conn, cmd, cmd_len, data);
5563 break;
5564
5565 case L2CAP_CREATE_CHAN_REQ:
5566 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5567 break;
5568
5569 case L2CAP_MOVE_CHAN_REQ:
5570 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5571 break;
5572
5573 case L2CAP_MOVE_CHAN_RSP:
5574 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5575 break;
5576
5577 case L2CAP_MOVE_CHAN_CFM:
5578 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5579 break;
5580
5581 case L2CAP_MOVE_CHAN_CFM_RSP:
5582 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5583 break;
5584
5585 default:
5586 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5587 err = -EINVAL;
5588 break;
5589 }
5590
5591 return err;
5592 }
5593
5594 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5595 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5596 u8 *data)
5597 {
5598 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5599 struct l2cap_le_conn_rsp rsp;
5600 struct l2cap_chan *chan, *pchan;
5601 u16 dcid, scid, credits, mtu, mps;
5602 __le16 psm;
5603 u8 result;
5604
5605 if (cmd_len != sizeof(*req))
5606 return -EPROTO;
5607
5608 scid = __le16_to_cpu(req->scid);
5609 mtu = __le16_to_cpu(req->mtu);
5610 mps = __le16_to_cpu(req->mps);
5611 psm = req->psm;
5612 dcid = 0;
5613 credits = 0;
5614
5615 if (mtu < 23 || mps < 23)
5616 return -EPROTO;
5617
5618 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5619 scid, mtu, mps);
5620
5621 /* Check if we have socket listening on psm */
5622 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5623 &conn->hcon->dst, LE_LINK);
5624 if (!pchan) {
5625 result = L2CAP_CR_BAD_PSM;
5626 chan = NULL;
5627 goto response;
5628 }
5629
5630 mutex_lock(&conn->chan_lock);
5631 l2cap_chan_lock(pchan);
5632
5633 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5634 result = L2CAP_CR_AUTHENTICATION;
5635 chan = NULL;
5636 goto response_unlock;
5637 }
5638
5639 /* Check if we already have channel with that dcid */
5640 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5641 result = L2CAP_CR_NO_MEM;
5642 chan = NULL;
5643 goto response_unlock;
5644 }
5645
5646 chan = pchan->ops->new_connection(pchan);
5647 if (!chan) {
5648 result = L2CAP_CR_NO_MEM;
5649 goto response_unlock;
5650 }
5651
5652 l2cap_le_flowctl_init(chan);
5653
5654 bacpy(&chan->src, &conn->hcon->src);
5655 bacpy(&chan->dst, &conn->hcon->dst);
5656 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5657 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5658 chan->psm = psm;
5659 chan->dcid = scid;
5660 chan->omtu = mtu;
5661 chan->remote_mps = mps;
5662 chan->tx_credits = __le16_to_cpu(req->credits);
5663
5664 __l2cap_chan_add(conn, chan);
5665 dcid = chan->scid;
5666 credits = chan->rx_credits;
5667
5668 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5669
5670 chan->ident = cmd->ident;
5671
5672 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5673 l2cap_state_change(chan, BT_CONNECT2);
5674 result = L2CAP_CR_PEND;
5675 chan->ops->defer(chan);
5676 } else {
5677 l2cap_chan_ready(chan);
5678 result = L2CAP_CR_SUCCESS;
5679 }
5680
5681 response_unlock:
5682 l2cap_chan_unlock(pchan);
5683 mutex_unlock(&conn->chan_lock);
5684
5685 if (result == L2CAP_CR_PEND)
5686 return 0;
5687
5688 response:
5689 if (chan) {
5690 rsp.mtu = cpu_to_le16(chan->imtu);
5691 rsp.mps = cpu_to_le16(chan->mps);
5692 } else {
5693 rsp.mtu = 0;
5694 rsp.mps = 0;
5695 }
5696
5697 rsp.dcid = cpu_to_le16(dcid);
5698 rsp.credits = cpu_to_le16(credits);
5699 rsp.result = cpu_to_le16(result);
5700
5701 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5702
5703 return 0;
5704 }
5705
5706 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5707 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5708 u8 *data)
5709 {
5710 struct l2cap_le_credits *pkt;
5711 struct l2cap_chan *chan;
5712 u16 cid, credits;
5713
5714 if (cmd_len != sizeof(*pkt))
5715 return -EPROTO;
5716
5717 pkt = (struct l2cap_le_credits *) data;
5718 cid = __le16_to_cpu(pkt->cid);
5719 credits = __le16_to_cpu(pkt->credits);
5720
5721 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5722
5723 chan = l2cap_get_chan_by_dcid(conn, cid);
5724 if (!chan)
5725 return -EBADSLT;
5726
5727 chan->tx_credits += credits;
5728
5729 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5730 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5731 chan->tx_credits--;
5732 }
5733
5734 if (chan->tx_credits)
5735 chan->ops->resume(chan);
5736
5737 l2cap_chan_unlock(chan);
5738
5739 return 0;
5740 }
5741
5742 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5743 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5744 u8 *data)
5745 {
5746 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5747 struct l2cap_chan *chan;
5748
5749 if (cmd_len < sizeof(*rej))
5750 return -EPROTO;
5751
5752 mutex_lock(&conn->chan_lock);
5753
5754 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5755 if (!chan)
5756 goto done;
5757
5758 l2cap_chan_lock(chan);
5759 l2cap_chan_del(chan, ECONNREFUSED);
5760 l2cap_chan_unlock(chan);
5761
5762 done:
5763 mutex_unlock(&conn->chan_lock);
5764 return 0;
5765 }
5766
5767 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5768 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5769 u8 *data)
5770 {
5771 int err = 0;
5772
5773 if (!enable_lecoc) {
5774 switch (cmd->code) {
5775 case L2CAP_LE_CONN_REQ:
5776 case L2CAP_LE_CONN_RSP:
5777 case L2CAP_LE_CREDITS:
5778 case L2CAP_DISCONN_REQ:
5779 case L2CAP_DISCONN_RSP:
5780 return -EINVAL;
5781 }
5782 }
5783
5784 switch (cmd->code) {
5785 case L2CAP_COMMAND_REJ:
5786 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5787 break;
5788
5789 case L2CAP_CONN_PARAM_UPDATE_REQ:
5790 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5791 break;
5792
5793 case L2CAP_CONN_PARAM_UPDATE_RSP:
5794 break;
5795
5796 case L2CAP_LE_CONN_RSP:
5797 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5798 break;
5799
5800 case L2CAP_LE_CONN_REQ:
5801 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5802 break;
5803
5804 case L2CAP_LE_CREDITS:
5805 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5806 break;
5807
5808 case L2CAP_DISCONN_REQ:
5809 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5810 break;
5811
5812 case L2CAP_DISCONN_RSP:
5813 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5814 break;
5815
5816 default:
5817 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5818 err = -EINVAL;
5819 break;
5820 }
5821
5822 return err;
5823 }
5824
5825 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5826 struct sk_buff *skb)
5827 {
5828 struct hci_conn *hcon = conn->hcon;
5829 struct l2cap_cmd_hdr *cmd;
5830 u16 len;
5831 int err;
5832
5833 if (hcon->type != LE_LINK)
5834 goto drop;
5835
5836 if (skb->len < L2CAP_CMD_HDR_SIZE)
5837 goto drop;
5838
5839 cmd = (void *) skb->data;
5840 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5841
5842 len = le16_to_cpu(cmd->len);
5843
5844 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5845
5846 if (len != skb->len || !cmd->ident) {
5847 BT_DBG("corrupted command");
5848 goto drop;
5849 }
5850
5851 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5852 if (err) {
5853 struct l2cap_cmd_rej_unk rej;
5854
5855 BT_ERR("Wrong link type (%d)", err);
5856
5857 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5858 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5859 sizeof(rej), &rej);
5860 }
5861
5862 drop:
5863 kfree_skb(skb);
5864 }
5865
5866 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5867 struct sk_buff *skb)
5868 {
5869 struct hci_conn *hcon = conn->hcon;
5870 u8 *data = skb->data;
5871 int len = skb->len;
5872 struct l2cap_cmd_hdr cmd;
5873 int err;
5874
5875 l2cap_raw_recv(conn, skb);
5876
5877 if (hcon->type != ACL_LINK)
5878 goto drop;
5879
5880 while (len >= L2CAP_CMD_HDR_SIZE) {
5881 u16 cmd_len;
5882 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5883 data += L2CAP_CMD_HDR_SIZE;
5884 len -= L2CAP_CMD_HDR_SIZE;
5885
5886 cmd_len = le16_to_cpu(cmd.len);
5887
5888 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5889 cmd.ident);
5890
5891 if (cmd_len > len || !cmd.ident) {
5892 BT_DBG("corrupted command");
5893 break;
5894 }
5895
5896 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5897 if (err) {
5898 struct l2cap_cmd_rej_unk rej;
5899
5900 BT_ERR("Wrong link type (%d)", err);
5901
5902 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5903 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5904 sizeof(rej), &rej);
5905 }
5906
5907 data += cmd_len;
5908 len -= cmd_len;
5909 }
5910
5911 drop:
5912 kfree_skb(skb);
5913 }
5914
5915 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5916 {
5917 u16 our_fcs, rcv_fcs;
5918 int hdr_size;
5919
5920 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5921 hdr_size = L2CAP_EXT_HDR_SIZE;
5922 else
5923 hdr_size = L2CAP_ENH_HDR_SIZE;
5924
5925 if (chan->fcs == L2CAP_FCS_CRC16) {
5926 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5927 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5928 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5929
5930 if (our_fcs != rcv_fcs)
5931 return -EBADMSG;
5932 }
5933 return 0;
5934 }
5935
5936 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5937 {
5938 struct l2cap_ctrl control;
5939
5940 BT_DBG("chan %p", chan);
5941
5942 memset(&control, 0, sizeof(control));
5943 control.sframe = 1;
5944 control.final = 1;
5945 control.reqseq = chan->buffer_seq;
5946 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5947
5948 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5949 control.super = L2CAP_SUPER_RNR;
5950 l2cap_send_sframe(chan, &control);
5951 }
5952
5953 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5954 chan->unacked_frames > 0)
5955 __set_retrans_timer(chan);
5956
5957 /* Send pending iframes */
5958 l2cap_ertm_send(chan);
5959
5960 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5961 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5962 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5963 * send it now.
5964 */
5965 control.super = L2CAP_SUPER_RR;
5966 l2cap_send_sframe(chan, &control);
5967 }
5968 }
5969
5970 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5971 struct sk_buff **last_frag)
5972 {
5973 /* skb->len reflects data in skb as well as all fragments
5974 * skb->data_len reflects only data in fragments
5975 */
5976 if (!skb_has_frag_list(skb))
5977 skb_shinfo(skb)->frag_list = new_frag;
5978
5979 new_frag->next = NULL;
5980
5981 (*last_frag)->next = new_frag;
5982 *last_frag = new_frag;
5983
5984 skb->len += new_frag->len;
5985 skb->data_len += new_frag->len;
5986 skb->truesize += new_frag->truesize;
5987 }
5988
5989 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5990 struct l2cap_ctrl *control)
5991 {
5992 int err = -EINVAL;
5993
5994 switch (control->sar) {
5995 case L2CAP_SAR_UNSEGMENTED:
5996 if (chan->sdu)
5997 break;
5998
5999 err = chan->ops->recv(chan, skb);
6000 break;
6001
6002 case L2CAP_SAR_START:
6003 if (chan->sdu)
6004 break;
6005
6006 chan->sdu_len = get_unaligned_le16(skb->data);
6007 skb_pull(skb, L2CAP_SDULEN_SIZE);
6008
6009 if (chan->sdu_len > chan->imtu) {
6010 err = -EMSGSIZE;
6011 break;
6012 }
6013
6014 if (skb->len >= chan->sdu_len)
6015 break;
6016
6017 chan->sdu = skb;
6018 chan->sdu_last_frag = skb;
6019
6020 skb = NULL;
6021 err = 0;
6022 break;
6023
6024 case L2CAP_SAR_CONTINUE:
6025 if (!chan->sdu)
6026 break;
6027
6028 append_skb_frag(chan->sdu, skb,
6029 &chan->sdu_last_frag);
6030 skb = NULL;
6031
6032 if (chan->sdu->len >= chan->sdu_len)
6033 break;
6034
6035 err = 0;
6036 break;
6037
6038 case L2CAP_SAR_END:
6039 if (!chan->sdu)
6040 break;
6041
6042 append_skb_frag(chan->sdu, skb,
6043 &chan->sdu_last_frag);
6044 skb = NULL;
6045
6046 if (chan->sdu->len != chan->sdu_len)
6047 break;
6048
6049 err = chan->ops->recv(chan, chan->sdu);
6050
6051 if (!err) {
6052 /* Reassembly complete */
6053 chan->sdu = NULL;
6054 chan->sdu_last_frag = NULL;
6055 chan->sdu_len = 0;
6056 }
6057 break;
6058 }
6059
6060 if (err) {
6061 kfree_skb(skb);
6062 kfree_skb(chan->sdu);
6063 chan->sdu = NULL;
6064 chan->sdu_last_frag = NULL;
6065 chan->sdu_len = 0;
6066 }
6067
6068 return err;
6069 }
6070
6071 static int l2cap_resegment(struct l2cap_chan *chan)
6072 {
6073 /* Placeholder */
6074 return 0;
6075 }
6076
6077 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6078 {
6079 u8 event;
6080
6081 if (chan->mode != L2CAP_MODE_ERTM)
6082 return;
6083
6084 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6085 l2cap_tx(chan, NULL, NULL, event);
6086 }
6087
6088 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6089 {
6090 int err = 0;
6091 /* Pass sequential frames to l2cap_reassemble_sdu()
6092 * until a gap is encountered.
6093 */
6094
6095 BT_DBG("chan %p", chan);
6096
6097 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6098 struct sk_buff *skb;
6099 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6100 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6101
6102 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6103
6104 if (!skb)
6105 break;
6106
6107 skb_unlink(skb, &chan->srej_q);
6108 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6109 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
6110 if (err)
6111 break;
6112 }
6113
6114 if (skb_queue_empty(&chan->srej_q)) {
6115 chan->rx_state = L2CAP_RX_STATE_RECV;
6116 l2cap_send_ack(chan);
6117 }
6118
6119 return err;
6120 }
6121
6122 static void l2cap_handle_srej(struct l2cap_chan *chan,
6123 struct l2cap_ctrl *control)
6124 {
6125 struct sk_buff *skb;
6126
6127 BT_DBG("chan %p, control %p", chan, control);
6128
6129 if (control->reqseq == chan->next_tx_seq) {
6130 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6131 l2cap_send_disconn_req(chan, ECONNRESET);
6132 return;
6133 }
6134
6135 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6136
6137 if (skb == NULL) {
6138 BT_DBG("Seq %d not available for retransmission",
6139 control->reqseq);
6140 return;
6141 }
6142
6143 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
6144 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6145 l2cap_send_disconn_req(chan, ECONNRESET);
6146 return;
6147 }
6148
6149 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6150
6151 if (control->poll) {
6152 l2cap_pass_to_tx(chan, control);
6153
6154 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6155 l2cap_retransmit(chan, control);
6156 l2cap_ertm_send(chan);
6157
6158 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6159 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6160 chan->srej_save_reqseq = control->reqseq;
6161 }
6162 } else {
6163 l2cap_pass_to_tx_fbit(chan, control);
6164
6165 if (control->final) {
6166 if (chan->srej_save_reqseq != control->reqseq ||
6167 !test_and_clear_bit(CONN_SREJ_ACT,
6168 &chan->conn_state))
6169 l2cap_retransmit(chan, control);
6170 } else {
6171 l2cap_retransmit(chan, control);
6172 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6173 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6174 chan->srej_save_reqseq = control->reqseq;
6175 }
6176 }
6177 }
6178 }
6179
6180 static void l2cap_handle_rej(struct l2cap_chan *chan,
6181 struct l2cap_ctrl *control)
6182 {
6183 struct sk_buff *skb;
6184
6185 BT_DBG("chan %p, control %p", chan, control);
6186
6187 if (control->reqseq == chan->next_tx_seq) {
6188 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6189 l2cap_send_disconn_req(chan, ECONNRESET);
6190 return;
6191 }
6192
6193 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6194
6195 if (chan->max_tx && skb &&
6196 bt_cb(skb)->control.retries >= chan->max_tx) {
6197 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6198 l2cap_send_disconn_req(chan, ECONNRESET);
6199 return;
6200 }
6201
6202 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6203
6204 l2cap_pass_to_tx(chan, control);
6205
6206 if (control->final) {
6207 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6208 l2cap_retransmit_all(chan, control);
6209 } else {
6210 l2cap_retransmit_all(chan, control);
6211 l2cap_ertm_send(chan);
6212 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6213 set_bit(CONN_REJ_ACT, &chan->conn_state);
6214 }
6215 }
6216
6217 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6218 {
6219 BT_DBG("chan %p, txseq %d", chan, txseq);
6220
6221 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6222 chan->expected_tx_seq);
6223
6224 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6225 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6226 chan->tx_win) {
6227 /* See notes below regarding "double poll" and
6228 * invalid packets.
6229 */
6230 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6231 BT_DBG("Invalid/Ignore - after SREJ");
6232 return L2CAP_TXSEQ_INVALID_IGNORE;
6233 } else {
6234 BT_DBG("Invalid - in window after SREJ sent");
6235 return L2CAP_TXSEQ_INVALID;
6236 }
6237 }
6238
6239 if (chan->srej_list.head == txseq) {
6240 BT_DBG("Expected SREJ");
6241 return L2CAP_TXSEQ_EXPECTED_SREJ;
6242 }
6243
6244 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6245 BT_DBG("Duplicate SREJ - txseq already stored");
6246 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6247 }
6248
6249 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6250 BT_DBG("Unexpected SREJ - not requested");
6251 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6252 }
6253 }
6254
6255 if (chan->expected_tx_seq == txseq) {
6256 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6257 chan->tx_win) {
6258 BT_DBG("Invalid - txseq outside tx window");
6259 return L2CAP_TXSEQ_INVALID;
6260 } else {
6261 BT_DBG("Expected");
6262 return L2CAP_TXSEQ_EXPECTED;
6263 }
6264 }
6265
6266 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6267 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6268 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6269 return L2CAP_TXSEQ_DUPLICATE;
6270 }
6271
6272 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6273 /* A source of invalid packets is a "double poll" condition,
6274 * where delays cause us to send multiple poll packets. If
6275 * the remote stack receives and processes both polls,
6276 * sequence numbers can wrap around in such a way that a
6277 * resent frame has a sequence number that looks like new data
6278 * with a sequence gap. This would trigger an erroneous SREJ
6279 * request.
6280 *
6281 * Fortunately, this is impossible with a tx window that's
6282 * less than half of the maximum sequence number, which allows
6283 * invalid frames to be safely ignored.
6284 *
6285 * With tx window sizes greater than half of the tx window
6286 * maximum, the frame is invalid and cannot be ignored. This
6287 * causes a disconnect.
6288 */
6289
6290 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6291 BT_DBG("Invalid/Ignore - txseq outside tx window");
6292 return L2CAP_TXSEQ_INVALID_IGNORE;
6293 } else {
6294 BT_DBG("Invalid - txseq outside tx window");
6295 return L2CAP_TXSEQ_INVALID;
6296 }
6297 } else {
6298 BT_DBG("Unexpected - txseq indicates missing frames");
6299 return L2CAP_TXSEQ_UNEXPECTED;
6300 }
6301 }
6302
6303 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6304 struct l2cap_ctrl *control,
6305 struct sk_buff *skb, u8 event)
6306 {
6307 int err = 0;
6308 bool skb_in_use = false;
6309
6310 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6311 event);
6312
6313 switch (event) {
6314 case L2CAP_EV_RECV_IFRAME:
6315 switch (l2cap_classify_txseq(chan, control->txseq)) {
6316 case L2CAP_TXSEQ_EXPECTED:
6317 l2cap_pass_to_tx(chan, control);
6318
6319 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6320 BT_DBG("Busy, discarding expected seq %d",
6321 control->txseq);
6322 break;
6323 }
6324
6325 chan->expected_tx_seq = __next_seq(chan,
6326 control->txseq);
6327
6328 chan->buffer_seq = chan->expected_tx_seq;
6329 skb_in_use = true;
6330
6331 err = l2cap_reassemble_sdu(chan, skb, control);
6332 if (err)
6333 break;
6334
6335 if (control->final) {
6336 if (!test_and_clear_bit(CONN_REJ_ACT,
6337 &chan->conn_state)) {
6338 control->final = 0;
6339 l2cap_retransmit_all(chan, control);
6340 l2cap_ertm_send(chan);
6341 }
6342 }
6343
6344 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6345 l2cap_send_ack(chan);
6346 break;
6347 case L2CAP_TXSEQ_UNEXPECTED:
6348 l2cap_pass_to_tx(chan, control);
6349
6350 /* Can't issue SREJ frames in the local busy state.
6351 * Drop this frame, it will be seen as missing
6352 * when local busy is exited.
6353 */
6354 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6355 BT_DBG("Busy, discarding unexpected seq %d",
6356 control->txseq);
6357 break;
6358 }
6359
6360 /* There was a gap in the sequence, so an SREJ
6361 * must be sent for each missing frame. The
6362 * current frame is stored for later use.
6363 */
6364 skb_queue_tail(&chan->srej_q, skb);
6365 skb_in_use = true;
6366 BT_DBG("Queued %p (queue len %d)", skb,
6367 skb_queue_len(&chan->srej_q));
6368
6369 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6370 l2cap_seq_list_clear(&chan->srej_list);
6371 l2cap_send_srej(chan, control->txseq);
6372
6373 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6374 break;
6375 case L2CAP_TXSEQ_DUPLICATE:
6376 l2cap_pass_to_tx(chan, control);
6377 break;
6378 case L2CAP_TXSEQ_INVALID_IGNORE:
6379 break;
6380 case L2CAP_TXSEQ_INVALID:
6381 default:
6382 l2cap_send_disconn_req(chan, ECONNRESET);
6383 break;
6384 }
6385 break;
6386 case L2CAP_EV_RECV_RR:
6387 l2cap_pass_to_tx(chan, control);
6388 if (control->final) {
6389 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6390
6391 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6392 !__chan_is_moving(chan)) {
6393 control->final = 0;
6394 l2cap_retransmit_all(chan, control);
6395 }
6396
6397 l2cap_ertm_send(chan);
6398 } else if (control->poll) {
6399 l2cap_send_i_or_rr_or_rnr(chan);
6400 } else {
6401 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6402 &chan->conn_state) &&
6403 chan->unacked_frames)
6404 __set_retrans_timer(chan);
6405
6406 l2cap_ertm_send(chan);
6407 }
6408 break;
6409 case L2CAP_EV_RECV_RNR:
6410 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6411 l2cap_pass_to_tx(chan, control);
6412 if (control && control->poll) {
6413 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6414 l2cap_send_rr_or_rnr(chan, 0);
6415 }
6416 __clear_retrans_timer(chan);
6417 l2cap_seq_list_clear(&chan->retrans_list);
6418 break;
6419 case L2CAP_EV_RECV_REJ:
6420 l2cap_handle_rej(chan, control);
6421 break;
6422 case L2CAP_EV_RECV_SREJ:
6423 l2cap_handle_srej(chan, control);
6424 break;
6425 default:
6426 break;
6427 }
6428
6429 if (skb && !skb_in_use) {
6430 BT_DBG("Freeing %p", skb);
6431 kfree_skb(skb);
6432 }
6433
6434 return err;
6435 }
6436
6437 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6438 struct l2cap_ctrl *control,
6439 struct sk_buff *skb, u8 event)
6440 {
6441 int err = 0;
6442 u16 txseq = control->txseq;
6443 bool skb_in_use = false;
6444
6445 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6446 event);
6447
6448 switch (event) {
6449 case L2CAP_EV_RECV_IFRAME:
6450 switch (l2cap_classify_txseq(chan, txseq)) {
6451 case L2CAP_TXSEQ_EXPECTED:
6452 /* Keep frame for reassembly later */
6453 l2cap_pass_to_tx(chan, control);
6454 skb_queue_tail(&chan->srej_q, skb);
6455 skb_in_use = true;
6456 BT_DBG("Queued %p (queue len %d)", skb,
6457 skb_queue_len(&chan->srej_q));
6458
6459 chan->expected_tx_seq = __next_seq(chan, txseq);
6460 break;
6461 case L2CAP_TXSEQ_EXPECTED_SREJ:
6462 l2cap_seq_list_pop(&chan->srej_list);
6463
6464 l2cap_pass_to_tx(chan, control);
6465 skb_queue_tail(&chan->srej_q, skb);
6466 skb_in_use = true;
6467 BT_DBG("Queued %p (queue len %d)", skb,
6468 skb_queue_len(&chan->srej_q));
6469
6470 err = l2cap_rx_queued_iframes(chan);
6471 if (err)
6472 break;
6473
6474 break;
6475 case L2CAP_TXSEQ_UNEXPECTED:
6476 /* Got a frame that can't be reassembled yet.
6477 * Save it for later, and send SREJs to cover
6478 * the missing frames.
6479 */
6480 skb_queue_tail(&chan->srej_q, skb);
6481 skb_in_use = true;
6482 BT_DBG("Queued %p (queue len %d)", skb,
6483 skb_queue_len(&chan->srej_q));
6484
6485 l2cap_pass_to_tx(chan, control);
6486 l2cap_send_srej(chan, control->txseq);
6487 break;
6488 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6489 /* This frame was requested with an SREJ, but
6490 * some expected retransmitted frames are
6491 * missing. Request retransmission of missing
6492 * SREJ'd frames.
6493 */
6494 skb_queue_tail(&chan->srej_q, skb);
6495 skb_in_use = true;
6496 BT_DBG("Queued %p (queue len %d)", skb,
6497 skb_queue_len(&chan->srej_q));
6498
6499 l2cap_pass_to_tx(chan, control);
6500 l2cap_send_srej_list(chan, control->txseq);
6501 break;
6502 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6503 /* We've already queued this frame. Drop this copy. */
6504 l2cap_pass_to_tx(chan, control);
6505 break;
6506 case L2CAP_TXSEQ_DUPLICATE:
6507 /* Expecting a later sequence number, so this frame
6508 * was already received. Ignore it completely.
6509 */
6510 break;
6511 case L2CAP_TXSEQ_INVALID_IGNORE:
6512 break;
6513 case L2CAP_TXSEQ_INVALID:
6514 default:
6515 l2cap_send_disconn_req(chan, ECONNRESET);
6516 break;
6517 }
6518 break;
6519 case L2CAP_EV_RECV_RR:
6520 l2cap_pass_to_tx(chan, control);
6521 if (control->final) {
6522 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6523
6524 if (!test_and_clear_bit(CONN_REJ_ACT,
6525 &chan->conn_state)) {
6526 control->final = 0;
6527 l2cap_retransmit_all(chan, control);
6528 }
6529
6530 l2cap_ertm_send(chan);
6531 } else if (control->poll) {
6532 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6533 &chan->conn_state) &&
6534 chan->unacked_frames) {
6535 __set_retrans_timer(chan);
6536 }
6537
6538 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6539 l2cap_send_srej_tail(chan);
6540 } else {
6541 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6542 &chan->conn_state) &&
6543 chan->unacked_frames)
6544 __set_retrans_timer(chan);
6545
6546 l2cap_send_ack(chan);
6547 }
6548 break;
6549 case L2CAP_EV_RECV_RNR:
6550 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6551 l2cap_pass_to_tx(chan, control);
6552 if (control->poll) {
6553 l2cap_send_srej_tail(chan);
6554 } else {
6555 struct l2cap_ctrl rr_control;
6556 memset(&rr_control, 0, sizeof(rr_control));
6557 rr_control.sframe = 1;
6558 rr_control.super = L2CAP_SUPER_RR;
6559 rr_control.reqseq = chan->buffer_seq;
6560 l2cap_send_sframe(chan, &rr_control);
6561 }
6562
6563 break;
6564 case L2CAP_EV_RECV_REJ:
6565 l2cap_handle_rej(chan, control);
6566 break;
6567 case L2CAP_EV_RECV_SREJ:
6568 l2cap_handle_srej(chan, control);
6569 break;
6570 }
6571
6572 if (skb && !skb_in_use) {
6573 BT_DBG("Freeing %p", skb);
6574 kfree_skb(skb);
6575 }
6576
6577 return err;
6578 }
6579
6580 static int l2cap_finish_move(struct l2cap_chan *chan)
6581 {
6582 BT_DBG("chan %p", chan);
6583
6584 chan->rx_state = L2CAP_RX_STATE_RECV;
6585
6586 if (chan->hs_hcon)
6587 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6588 else
6589 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6590
6591 return l2cap_resegment(chan);
6592 }
6593
6594 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6595 struct l2cap_ctrl *control,
6596 struct sk_buff *skb, u8 event)
6597 {
6598 int err;
6599
6600 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6601 event);
6602
6603 if (!control->poll)
6604 return -EPROTO;
6605
6606 l2cap_process_reqseq(chan, control->reqseq);
6607
6608 if (!skb_queue_empty(&chan->tx_q))
6609 chan->tx_send_head = skb_peek(&chan->tx_q);
6610 else
6611 chan->tx_send_head = NULL;
6612
6613 /* Rewind next_tx_seq to the point expected
6614 * by the receiver.
6615 */
6616 chan->next_tx_seq = control->reqseq;
6617 chan->unacked_frames = 0;
6618
6619 err = l2cap_finish_move(chan);
6620 if (err)
6621 return err;
6622
6623 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6624 l2cap_send_i_or_rr_or_rnr(chan);
6625
6626 if (event == L2CAP_EV_RECV_IFRAME)
6627 return -EPROTO;
6628
6629 return l2cap_rx_state_recv(chan, control, NULL, event);
6630 }
6631
6632 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6633 struct l2cap_ctrl *control,
6634 struct sk_buff *skb, u8 event)
6635 {
6636 int err;
6637
6638 if (!control->final)
6639 return -EPROTO;
6640
6641 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6642
6643 chan->rx_state = L2CAP_RX_STATE_RECV;
6644 l2cap_process_reqseq(chan, control->reqseq);
6645
6646 if (!skb_queue_empty(&chan->tx_q))
6647 chan->tx_send_head = skb_peek(&chan->tx_q);
6648 else
6649 chan->tx_send_head = NULL;
6650
6651 /* Rewind next_tx_seq to the point expected
6652 * by the receiver.
6653 */
6654 chan->next_tx_seq = control->reqseq;
6655 chan->unacked_frames = 0;
6656
6657 if (chan->hs_hcon)
6658 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6659 else
6660 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6661
6662 err = l2cap_resegment(chan);
6663
6664 if (!err)
6665 err = l2cap_rx_state_recv(chan, control, skb, event);
6666
6667 return err;
6668 }
6669
6670 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6671 {
6672 /* Make sure reqseq is for a packet that has been sent but not acked */
6673 u16 unacked;
6674
6675 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6676 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6677 }
6678
6679 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6680 struct sk_buff *skb, u8 event)
6681 {
6682 int err = 0;
6683
6684 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6685 control, skb, event, chan->rx_state);
6686
6687 if (__valid_reqseq(chan, control->reqseq)) {
6688 switch (chan->rx_state) {
6689 case L2CAP_RX_STATE_RECV:
6690 err = l2cap_rx_state_recv(chan, control, skb, event);
6691 break;
6692 case L2CAP_RX_STATE_SREJ_SENT:
6693 err = l2cap_rx_state_srej_sent(chan, control, skb,
6694 event);
6695 break;
6696 case L2CAP_RX_STATE_WAIT_P:
6697 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6698 break;
6699 case L2CAP_RX_STATE_WAIT_F:
6700 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6701 break;
6702 default:
6703 /* shut it down */
6704 break;
6705 }
6706 } else {
6707 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6708 control->reqseq, chan->next_tx_seq,
6709 chan->expected_ack_seq);
6710 l2cap_send_disconn_req(chan, ECONNRESET);
6711 }
6712
6713 return err;
6714 }
6715
6716 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6717 struct sk_buff *skb)
6718 {
6719 int err = 0;
6720
6721 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6722 chan->rx_state);
6723
6724 if (l2cap_classify_txseq(chan, control->txseq) ==
6725 L2CAP_TXSEQ_EXPECTED) {
6726 l2cap_pass_to_tx(chan, control);
6727
6728 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6729 __next_seq(chan, chan->buffer_seq));
6730
6731 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6732
6733 l2cap_reassemble_sdu(chan, skb, control);
6734 } else {
6735 if (chan->sdu) {
6736 kfree_skb(chan->sdu);
6737 chan->sdu = NULL;
6738 }
6739 chan->sdu_last_frag = NULL;
6740 chan->sdu_len = 0;
6741
6742 if (skb) {
6743 BT_DBG("Freeing %p", skb);
6744 kfree_skb(skb);
6745 }
6746 }
6747
6748 chan->last_acked_seq = control->txseq;
6749 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6750
6751 return err;
6752 }
6753
6754 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6755 {
6756 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6757 u16 len;
6758 u8 event;
6759
6760 __unpack_control(chan, skb);
6761
6762 len = skb->len;
6763
6764 /*
6765 * We can just drop the corrupted I-frame here.
6766 * Receiver will miss it and start proper recovery
6767 * procedures and ask for retransmission.
6768 */
6769 if (l2cap_check_fcs(chan, skb))
6770 goto drop;
6771
6772 if (!control->sframe && control->sar == L2CAP_SAR_START)
6773 len -= L2CAP_SDULEN_SIZE;
6774
6775 if (chan->fcs == L2CAP_FCS_CRC16)
6776 len -= L2CAP_FCS_SIZE;
6777
6778 if (len > chan->mps) {
6779 l2cap_send_disconn_req(chan, ECONNRESET);
6780 goto drop;
6781 }
6782
6783 if (!control->sframe) {
6784 int err;
6785
6786 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6787 control->sar, control->reqseq, control->final,
6788 control->txseq);
6789
6790 /* Validate F-bit - F=0 always valid, F=1 only
6791 * valid in TX WAIT_F
6792 */
6793 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6794 goto drop;
6795
6796 if (chan->mode != L2CAP_MODE_STREAMING) {
6797 event = L2CAP_EV_RECV_IFRAME;
6798 err = l2cap_rx(chan, control, skb, event);
6799 } else {
6800 err = l2cap_stream_rx(chan, control, skb);
6801 }
6802
6803 if (err)
6804 l2cap_send_disconn_req(chan, ECONNRESET);
6805 } else {
6806 const u8 rx_func_to_event[4] = {
6807 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6808 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6809 };
6810
6811 /* Only I-frames are expected in streaming mode */
6812 if (chan->mode == L2CAP_MODE_STREAMING)
6813 goto drop;
6814
6815 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6816 control->reqseq, control->final, control->poll,
6817 control->super);
6818
6819 if (len != 0) {
6820 BT_ERR("Trailing bytes: %d in sframe", len);
6821 l2cap_send_disconn_req(chan, ECONNRESET);
6822 goto drop;
6823 }
6824
6825 /* Validate F and P bits */
6826 if (control->final && (control->poll ||
6827 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6828 goto drop;
6829
6830 event = rx_func_to_event[control->super];
6831 if (l2cap_rx(chan, control, skb, event))
6832 l2cap_send_disconn_req(chan, ECONNRESET);
6833 }
6834
6835 return 0;
6836
6837 drop:
6838 kfree_skb(skb);
6839 return 0;
6840 }
6841
6842 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6843 {
6844 struct l2cap_conn *conn = chan->conn;
6845 struct l2cap_le_credits pkt;
6846 u16 return_credits;
6847
6848 /* We return more credits to the sender only after the amount of
6849 * credits falls below half of the initial amount.
6850 */
6851 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6852 return;
6853
6854 return_credits = le_max_credits - chan->rx_credits;
6855
6856 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6857
6858 chan->rx_credits += return_credits;
6859
6860 pkt.cid = cpu_to_le16(chan->scid);
6861 pkt.credits = cpu_to_le16(return_credits);
6862
6863 chan->ident = l2cap_get_ident(conn);
6864
6865 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6866 }
6867
6868 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6869 {
6870 int err;
6871
6872 if (!chan->rx_credits) {
6873 BT_ERR("No credits to receive LE L2CAP data");
6874 return -ENOBUFS;
6875 }
6876
6877 if (chan->imtu < skb->len) {
6878 BT_ERR("Too big LE L2CAP PDU");
6879 return -ENOBUFS;
6880 }
6881
6882 chan->rx_credits--;
6883 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6884
6885 l2cap_chan_le_send_credits(chan);
6886
6887 err = 0;
6888
6889 if (!chan->sdu) {
6890 u16 sdu_len;
6891
6892 sdu_len = get_unaligned_le16(skb->data);
6893 skb_pull(skb, L2CAP_SDULEN_SIZE);
6894
6895 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6896 sdu_len, skb->len, chan->imtu);
6897
6898 if (sdu_len > chan->imtu) {
6899 BT_ERR("Too big LE L2CAP SDU length received");
6900 err = -EMSGSIZE;
6901 goto failed;
6902 }
6903
6904 if (skb->len > sdu_len) {
6905 BT_ERR("Too much LE L2CAP data received");
6906 err = -EINVAL;
6907 goto failed;
6908 }
6909
6910 if (skb->len == sdu_len)
6911 return chan->ops->recv(chan, skb);
6912
6913 chan->sdu = skb;
6914 chan->sdu_len = sdu_len;
6915 chan->sdu_last_frag = skb;
6916
6917 return 0;
6918 }
6919
6920 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6921 chan->sdu->len, skb->len, chan->sdu_len);
6922
6923 if (chan->sdu->len + skb->len > chan->sdu_len) {
6924 BT_ERR("Too much LE L2CAP data received");
6925 err = -EINVAL;
6926 goto failed;
6927 }
6928
6929 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6930 skb = NULL;
6931
6932 if (chan->sdu->len == chan->sdu_len) {
6933 err = chan->ops->recv(chan, chan->sdu);
6934 if (!err) {
6935 chan->sdu = NULL;
6936 chan->sdu_last_frag = NULL;
6937 chan->sdu_len = 0;
6938 }
6939 }
6940
6941 failed:
6942 if (err) {
6943 kfree_skb(skb);
6944 kfree_skb(chan->sdu);
6945 chan->sdu = NULL;
6946 chan->sdu_last_frag = NULL;
6947 chan->sdu_len = 0;
6948 }
6949
6950 /* We can't return an error here since we took care of the skb
6951 * freeing internally. An error return would cause the caller to
6952 * do a double-free of the skb.
6953 */
6954 return 0;
6955 }
6956
6957 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6958 struct sk_buff *skb)
6959 {
6960 struct l2cap_chan *chan;
6961
6962 chan = l2cap_get_chan_by_scid(conn, cid);
6963 if (!chan) {
6964 if (cid == L2CAP_CID_A2MP) {
6965 chan = a2mp_channel_create(conn, skb);
6966 if (!chan) {
6967 kfree_skb(skb);
6968 return;
6969 }
6970
6971 l2cap_chan_lock(chan);
6972 } else {
6973 BT_DBG("unknown cid 0x%4.4x", cid);
6974 /* Drop packet and return */
6975 kfree_skb(skb);
6976 return;
6977 }
6978 }
6979
6980 BT_DBG("chan %p, len %d", chan, skb->len);
6981
6982 if (chan->state != BT_CONNECTED)
6983 goto drop;
6984
6985 switch (chan->mode) {
6986 case L2CAP_MODE_LE_FLOWCTL:
6987 if (l2cap_le_data_rcv(chan, skb) < 0)
6988 goto drop;
6989
6990 goto done;
6991
6992 case L2CAP_MODE_BASIC:
6993 /* If socket recv buffers overflows we drop data here
6994 * which is *bad* because L2CAP has to be reliable.
6995 * But we don't have any other choice. L2CAP doesn't
6996 * provide flow control mechanism. */
6997
6998 if (chan->imtu < skb->len)
6999 goto drop;
7000
7001 if (!chan->ops->recv(chan, skb))
7002 goto done;
7003 break;
7004
7005 case L2CAP_MODE_ERTM:
7006 case L2CAP_MODE_STREAMING:
7007 l2cap_data_rcv(chan, skb);
7008 goto done;
7009
7010 default:
7011 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7012 break;
7013 }
7014
7015 drop:
7016 kfree_skb(skb);
7017
7018 done:
7019 l2cap_chan_unlock(chan);
7020 }
7021
7022 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7023 struct sk_buff *skb)
7024 {
7025 struct hci_conn *hcon = conn->hcon;
7026 struct l2cap_chan *chan;
7027
7028 if (hcon->type != ACL_LINK)
7029 goto drop;
7030
7031 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7032 ACL_LINK);
7033 if (!chan)
7034 goto drop;
7035
7036 BT_DBG("chan %p, len %d", chan, skb->len);
7037
7038 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7039 goto drop;
7040
7041 if (chan->imtu < skb->len)
7042 goto drop;
7043
7044 /* Store remote BD_ADDR and PSM for msg_name */
7045 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
7046 bt_cb(skb)->psm = psm;
7047
7048 if (!chan->ops->recv(chan, skb))
7049 return;
7050
7051 drop:
7052 kfree_skb(skb);
7053 }
7054
7055 static void l2cap_att_channel(struct l2cap_conn *conn,
7056 struct sk_buff *skb)
7057 {
7058 struct hci_conn *hcon = conn->hcon;
7059 struct l2cap_chan *chan;
7060
7061 if (hcon->type != LE_LINK)
7062 goto drop;
7063
7064 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
7065 &hcon->src, &hcon->dst);
7066 if (!chan)
7067 goto drop;
7068
7069 BT_DBG("chan %p, len %d", chan, skb->len);
7070
7071 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
7072 goto drop;
7073
7074 if (chan->imtu < skb->len)
7075 goto drop;
7076
7077 if (!chan->ops->recv(chan, skb))
7078 return;
7079
7080 drop:
7081 kfree_skb(skb);
7082 }
7083
7084 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7085 {
7086 struct l2cap_hdr *lh = (void *) skb->data;
7087 u16 cid, len;
7088 __le16 psm;
7089
7090 skb_pull(skb, L2CAP_HDR_SIZE);
7091 cid = __le16_to_cpu(lh->cid);
7092 len = __le16_to_cpu(lh->len);
7093
7094 if (len != skb->len) {
7095 kfree_skb(skb);
7096 return;
7097 }
7098
7099 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7100
7101 switch (cid) {
7102 case L2CAP_CID_SIGNALING:
7103 l2cap_sig_channel(conn, skb);
7104 break;
7105
7106 case L2CAP_CID_CONN_LESS:
7107 psm = get_unaligned((__le16 *) skb->data);
7108 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7109 l2cap_conless_channel(conn, psm, skb);
7110 break;
7111
7112 case L2CAP_CID_ATT:
7113 l2cap_att_channel(conn, skb);
7114 break;
7115
7116 case L2CAP_CID_LE_SIGNALING:
7117 l2cap_le_sig_channel(conn, skb);
7118 break;
7119
7120 case L2CAP_CID_SMP:
7121 if (smp_sig_channel(conn, skb))
7122 l2cap_conn_del(conn->hcon, EACCES);
7123 break;
7124
7125 case L2CAP_FC_6LOWPAN:
7126 bt_6lowpan_recv(conn, skb);
7127 break;
7128
7129 default:
7130 l2cap_data_channel(conn, cid, skb);
7131 break;
7132 }
7133 }
7134
7135 /* ---- L2CAP interface with lower layer (HCI) ---- */
7136
7137 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7138 {
7139 int exact = 0, lm1 = 0, lm2 = 0;
7140 struct l2cap_chan *c;
7141
7142 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7143
7144 /* Find listening sockets and check their link_mode */
7145 read_lock(&chan_list_lock);
7146 list_for_each_entry(c, &chan_list, global_l) {
7147 if (c->state != BT_LISTEN)
7148 continue;
7149
7150 if (!bacmp(&c->src, &hdev->bdaddr)) {
7151 lm1 |= HCI_LM_ACCEPT;
7152 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7153 lm1 |= HCI_LM_MASTER;
7154 exact++;
7155 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7156 lm2 |= HCI_LM_ACCEPT;
7157 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7158 lm2 |= HCI_LM_MASTER;
7159 }
7160 }
7161 read_unlock(&chan_list_lock);
7162
7163 return exact ? lm1 : lm2;
7164 }
7165
7166 void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7167 {
7168 struct l2cap_conn *conn;
7169
7170 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7171
7172 if (!status) {
7173 conn = l2cap_conn_add(hcon);
7174 if (conn)
7175 l2cap_conn_ready(conn);
7176 } else {
7177 l2cap_conn_del(hcon, bt_to_errno(status));
7178 }
7179 }
7180
7181 int l2cap_disconn_ind(struct hci_conn *hcon)
7182 {
7183 struct l2cap_conn *conn = hcon->l2cap_data;
7184
7185 BT_DBG("hcon %p", hcon);
7186
7187 if (!conn)
7188 return HCI_ERROR_REMOTE_USER_TERM;
7189 return conn->disc_reason;
7190 }
7191
7192 void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7193 {
7194 BT_DBG("hcon %p reason %d", hcon, reason);
7195
7196 bt_6lowpan_del_conn(hcon->l2cap_data);
7197
7198 l2cap_conn_del(hcon, bt_to_errno(reason));
7199 }
7200
7201 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7202 {
7203 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7204 return;
7205
7206 if (encrypt == 0x00) {
7207 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7208 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7209 } else if (chan->sec_level == BT_SECURITY_HIGH)
7210 l2cap_chan_close(chan, ECONNREFUSED);
7211 } else {
7212 if (chan->sec_level == BT_SECURITY_MEDIUM)
7213 __clear_chan_timer(chan);
7214 }
7215 }
7216
7217 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7218 {
7219 struct l2cap_conn *conn = hcon->l2cap_data;
7220 struct l2cap_chan *chan;
7221
7222 if (!conn)
7223 return 0;
7224
7225 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7226
7227 if (hcon->type == LE_LINK) {
7228 if (!status && encrypt)
7229 smp_distribute_keys(conn, 0);
7230 cancel_delayed_work(&conn->security_timer);
7231 }
7232
7233 mutex_lock(&conn->chan_lock);
7234
7235 list_for_each_entry(chan, &conn->chan_l, list) {
7236 l2cap_chan_lock(chan);
7237
7238 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7239 state_to_string(chan->state));
7240
7241 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
7242 l2cap_chan_unlock(chan);
7243 continue;
7244 }
7245
7246 if (chan->scid == L2CAP_CID_ATT) {
7247 if (!status && encrypt) {
7248 chan->sec_level = hcon->sec_level;
7249 l2cap_chan_ready(chan);
7250 }
7251
7252 l2cap_chan_unlock(chan);
7253 continue;
7254 }
7255
7256 if (!__l2cap_no_conn_pending(chan)) {
7257 l2cap_chan_unlock(chan);
7258 continue;
7259 }
7260
7261 if (!status && (chan->state == BT_CONNECTED ||
7262 chan->state == BT_CONFIG)) {
7263 chan->ops->resume(chan);
7264 l2cap_check_encryption(chan, encrypt);
7265 l2cap_chan_unlock(chan);
7266 continue;
7267 }
7268
7269 if (chan->state == BT_CONNECT) {
7270 if (!status)
7271 l2cap_start_connection(chan);
7272 else
7273 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7274 } else if (chan->state == BT_CONNECT2) {
7275 struct l2cap_conn_rsp rsp;
7276 __u16 res, stat;
7277
7278 if (!status) {
7279 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7280 res = L2CAP_CR_PEND;
7281 stat = L2CAP_CS_AUTHOR_PEND;
7282 chan->ops->defer(chan);
7283 } else {
7284 l2cap_state_change(chan, BT_CONFIG);
7285 res = L2CAP_CR_SUCCESS;
7286 stat = L2CAP_CS_NO_INFO;
7287 }
7288 } else {
7289 l2cap_state_change(chan, BT_DISCONN);
7290 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7291 res = L2CAP_CR_SEC_BLOCK;
7292 stat = L2CAP_CS_NO_INFO;
7293 }
7294
7295 rsp.scid = cpu_to_le16(chan->dcid);
7296 rsp.dcid = cpu_to_le16(chan->scid);
7297 rsp.result = cpu_to_le16(res);
7298 rsp.status = cpu_to_le16(stat);
7299 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7300 sizeof(rsp), &rsp);
7301
7302 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7303 res == L2CAP_CR_SUCCESS) {
7304 char buf[128];
7305 set_bit(CONF_REQ_SENT, &chan->conf_state);
7306 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7307 L2CAP_CONF_REQ,
7308 l2cap_build_conf_req(chan, buf),
7309 buf);
7310 chan->num_conf_req++;
7311 }
7312 }
7313
7314 l2cap_chan_unlock(chan);
7315 }
7316
7317 mutex_unlock(&conn->chan_lock);
7318
7319 return 0;
7320 }
7321
7322 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7323 {
7324 struct l2cap_conn *conn = hcon->l2cap_data;
7325 struct l2cap_hdr *hdr;
7326 int len;
7327
7328 /* For AMP controller do not create l2cap conn */
7329 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7330 goto drop;
7331
7332 if (!conn)
7333 conn = l2cap_conn_add(hcon);
7334
7335 if (!conn)
7336 goto drop;
7337
7338 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7339
7340 switch (flags) {
7341 case ACL_START:
7342 case ACL_START_NO_FLUSH:
7343 case ACL_COMPLETE:
7344 if (conn->rx_len) {
7345 BT_ERR("Unexpected start frame (len %d)", skb->len);
7346 kfree_skb(conn->rx_skb);
7347 conn->rx_skb = NULL;
7348 conn->rx_len = 0;
7349 l2cap_conn_unreliable(conn, ECOMM);
7350 }
7351
7352 /* Start fragment always begin with Basic L2CAP header */
7353 if (skb->len < L2CAP_HDR_SIZE) {
7354 BT_ERR("Frame is too short (len %d)", skb->len);
7355 l2cap_conn_unreliable(conn, ECOMM);
7356 goto drop;
7357 }
7358
7359 hdr = (struct l2cap_hdr *) skb->data;
7360 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7361
7362 if (len == skb->len) {
7363 /* Complete frame received */
7364 l2cap_recv_frame(conn, skb);
7365 return 0;
7366 }
7367
7368 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7369
7370 if (skb->len > len) {
7371 BT_ERR("Frame is too long (len %d, expected len %d)",
7372 skb->len, len);
7373 l2cap_conn_unreliable(conn, ECOMM);
7374 goto drop;
7375 }
7376
7377 /* Allocate skb for the complete frame (with header) */
7378 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7379 if (!conn->rx_skb)
7380 goto drop;
7381
7382 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7383 skb->len);
7384 conn->rx_len = len - skb->len;
7385 break;
7386
7387 case ACL_CONT:
7388 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7389
7390 if (!conn->rx_len) {
7391 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7392 l2cap_conn_unreliable(conn, ECOMM);
7393 goto drop;
7394 }
7395
7396 if (skb->len > conn->rx_len) {
7397 BT_ERR("Fragment is too long (len %d, expected %d)",
7398 skb->len, conn->rx_len);
7399 kfree_skb(conn->rx_skb);
7400 conn->rx_skb = NULL;
7401 conn->rx_len = 0;
7402 l2cap_conn_unreliable(conn, ECOMM);
7403 goto drop;
7404 }
7405
7406 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7407 skb->len);
7408 conn->rx_len -= skb->len;
7409
7410 if (!conn->rx_len) {
7411 /* Complete frame received. l2cap_recv_frame
7412 * takes ownership of the skb so set the global
7413 * rx_skb pointer to NULL first.
7414 */
7415 struct sk_buff *rx_skb = conn->rx_skb;
7416 conn->rx_skb = NULL;
7417 l2cap_recv_frame(conn, rx_skb);
7418 }
7419 break;
7420 }
7421
7422 drop:
7423 kfree_skb(skb);
7424 return 0;
7425 }
7426
7427 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7428 {
7429 struct l2cap_chan *c;
7430
7431 read_lock(&chan_list_lock);
7432
7433 list_for_each_entry(c, &chan_list, global_l) {
7434 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7435 &c->src, &c->dst,
7436 c->state, __le16_to_cpu(c->psm),
7437 c->scid, c->dcid, c->imtu, c->omtu,
7438 c->sec_level, c->mode);
7439 }
7440
7441 read_unlock(&chan_list_lock);
7442
7443 return 0;
7444 }
7445
7446 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7447 {
7448 return single_open(file, l2cap_debugfs_show, inode->i_private);
7449 }
7450
7451 static const struct file_operations l2cap_debugfs_fops = {
7452 .open = l2cap_debugfs_open,
7453 .read = seq_read,
7454 .llseek = seq_lseek,
7455 .release = single_release,
7456 };
7457
7458 static struct dentry *l2cap_debugfs;
7459
7460 int __init l2cap_init(void)
7461 {
7462 int err;
7463
7464 err = l2cap_init_sockets();
7465 if (err < 0)
7466 return err;
7467
7468 if (IS_ERR_OR_NULL(bt_debugfs))
7469 return 0;
7470
7471 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7472 NULL, &l2cap_debugfs_fops);
7473
7474 debugfs_create_u16("l2cap_le_max_credits", 0466, bt_debugfs,
7475 &le_max_credits);
7476 debugfs_create_u16("l2cap_le_default_mps", 0466, bt_debugfs,
7477 &le_default_mps);
7478
7479 bt_6lowpan_init();
7480
7481 return 0;
7482 }
7483
7484 void l2cap_exit(void)
7485 {
7486 bt_6lowpan_cleanup();
7487 debugfs_remove(l2cap_debugfs);
7488 l2cap_cleanup_sockets();
7489 }
7490
7491 module_param(disable_ertm, bool, 0644);
7492 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
ubuntu-bionic-kernel mirror