]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - net/bluetooth/l2cap_core.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'please-pull-mce' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras
[mirror_ubuntu-zesty-kernel.git] / net / bluetooth / l2cap_core.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/types.h>
34 #include <linux/capability.h>
35 #include <linux/errno.h>
36 #include <linux/kernel.h>
37 #include <linux/sched.h>
38 #include <linux/slab.h>
39 #include <linux/poll.h>
40 #include <linux/fcntl.h>
41 #include <linux/init.h>
42 #include <linux/interrupt.h>
43 #include <linux/socket.h>
44 #include <linux/skbuff.h>
45 #include <linux/list.h>
46 #include <linux/device.h>
47 #include <linux/debugfs.h>
48 #include <linux/seq_file.h>
49 #include <linux/uaccess.h>
50 #include <linux/crc16.h>
51 #include <net/sock.h>
52
53 #include <asm/unaligned.h>
54
55 #include <net/bluetooth/bluetooth.h>
56 #include <net/bluetooth/hci_core.h>
57 #include <net/bluetooth/l2cap.h>
58 #include <net/bluetooth/smp.h>
59
60 bool disable_ertm;
61
62 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
63 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
64
65 static LIST_HEAD(chan_list);
66 static DEFINE_RWLOCK(chan_list_lock);
67
68 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
69 u8 code, u8 ident, u16 dlen, void *data);
70 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
71 void *data);
72 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
73 static void l2cap_send_disconn_req(struct l2cap_conn *conn,
74 struct l2cap_chan *chan, int err);
75
76 /* ---- L2CAP channels ---- */
77
78 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
79 {
80 struct l2cap_chan *c;
81
82 list_for_each_entry(c, &conn->chan_l, list) {
83 if (c->dcid == cid)
84 return c;
85 }
86 return NULL;
87 }
88
89 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
90 {
91 struct l2cap_chan *c;
92
93 list_for_each_entry(c, &conn->chan_l, list) {
94 if (c->scid == cid)
95 return c;
96 }
97 return NULL;
98 }
99
100 /* Find channel with given SCID.
101 * Returns locked channel. */
102 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
103 {
104 struct l2cap_chan *c;
105
106 mutex_lock(&conn->chan_lock);
107 c = __l2cap_get_chan_by_scid(conn, cid);
108 if (c)
109 l2cap_chan_lock(c);
110 mutex_unlock(&conn->chan_lock);
111
112 return c;
113 }
114
115 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
116 {
117 struct l2cap_chan *c;
118
119 list_for_each_entry(c, &conn->chan_l, list) {
120 if (c->ident == ident)
121 return c;
122 }
123 return NULL;
124 }
125
126 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
127 {
128 struct l2cap_chan *c;
129
130 list_for_each_entry(c, &chan_list, global_l) {
131 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
132 return c;
133 }
134 return NULL;
135 }
136
137 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
138 {
139 int err;
140
141 write_lock(&chan_list_lock);
142
143 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
144 err = -EADDRINUSE;
145 goto done;
146 }
147
148 if (psm) {
149 chan->psm = psm;
150 chan->sport = psm;
151 err = 0;
152 } else {
153 u16 p;
154
155 err = -EINVAL;
156 for (p = 0x1001; p < 0x1100; p += 2)
157 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
158 chan->psm = cpu_to_le16(p);
159 chan->sport = cpu_to_le16(p);
160 err = 0;
161 break;
162 }
163 }
164
165 done:
166 write_unlock(&chan_list_lock);
167 return err;
168 }
169
170 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
171 {
172 write_lock(&chan_list_lock);
173
174 chan->scid = scid;
175
176 write_unlock(&chan_list_lock);
177
178 return 0;
179 }
180
181 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
182 {
183 u16 cid = L2CAP_CID_DYN_START;
184
185 for (; cid < L2CAP_CID_DYN_END; cid++) {
186 if (!__l2cap_get_chan_by_scid(conn, cid))
187 return cid;
188 }
189
190 return 0;
191 }
192
193 static void __l2cap_state_change(struct l2cap_chan *chan, int state)
194 {
195 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
196 state_to_string(state));
197
198 chan->state = state;
199 chan->ops->state_change(chan->data, state);
200 }
201
202 static void l2cap_state_change(struct l2cap_chan *chan, int state)
203 {
204 struct sock *sk = chan->sk;
205
206 lock_sock(sk);
207 __l2cap_state_change(chan, state);
208 release_sock(sk);
209 }
210
211 static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
212 {
213 struct sock *sk = chan->sk;
214
215 sk->sk_err = err;
216 }
217
218 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
219 {
220 struct sock *sk = chan->sk;
221
222 lock_sock(sk);
223 __l2cap_chan_set_err(chan, err);
224 release_sock(sk);
225 }
226
227 /* ---- L2CAP sequence number lists ---- */
228
229 /* For ERTM, ordered lists of sequence numbers must be tracked for
230 * SREJ requests that are received and for frames that are to be
231 * retransmitted. These seq_list functions implement a singly-linked
232 * list in an array, where membership in the list can also be checked
233 * in constant time. Items can also be added to the tail of the list
234 * and removed from the head in constant time, without further memory
235 * allocs or frees.
236 */
237
238 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
239 {
240 size_t alloc_size, i;
241
242 /* Allocated size is a power of 2 to map sequence numbers
243 * (which may be up to 14 bits) in to a smaller array that is
244 * sized for the negotiated ERTM transmit windows.
245 */
246 alloc_size = roundup_pow_of_two(size);
247
248 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
249 if (!seq_list->list)
250 return -ENOMEM;
251
252 seq_list->mask = alloc_size - 1;
253 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
254 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
255 for (i = 0; i < alloc_size; i++)
256 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
257
258 return 0;
259 }
260
261 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
262 {
263 kfree(seq_list->list);
264 }
265
266 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
267 u16 seq)
268 {
269 /* Constant-time check for list membership */
270 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
271 }
272
273 static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
274 {
275 u16 mask = seq_list->mask;
276
277 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
278 /* In case someone tries to pop the head of an empty list */
279 return L2CAP_SEQ_LIST_CLEAR;
280 } else if (seq_list->head == seq) {
281 /* Head can be removed in constant time */
282 seq_list->head = seq_list->list[seq & mask];
283 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
284
285 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
286 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
287 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
288 }
289 } else {
290 /* Walk the list to find the sequence number */
291 u16 prev = seq_list->head;
292 while (seq_list->list[prev & mask] != seq) {
293 prev = seq_list->list[prev & mask];
294 if (prev == L2CAP_SEQ_LIST_TAIL)
295 return L2CAP_SEQ_LIST_CLEAR;
296 }
297
298 /* Unlink the number from the list and clear it */
299 seq_list->list[prev & mask] = seq_list->list[seq & mask];
300 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
301 if (seq_list->tail == seq)
302 seq_list->tail = prev;
303 }
304 return seq;
305 }
306
307 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
308 {
309 /* Remove the head in constant time */
310 return l2cap_seq_list_remove(seq_list, seq_list->head);
311 }
312
313 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
314 {
315 u16 i;
316
317 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
318 return;
319
320 for (i = 0; i <= seq_list->mask; i++)
321 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
322
323 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
324 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
325 }
326
327 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
328 {
329 u16 mask = seq_list->mask;
330
331 /* All appends happen in constant time */
332
333 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
334 return;
335
336 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
337 seq_list->head = seq;
338 else
339 seq_list->list[seq_list->tail & mask] = seq;
340
341 seq_list->tail = seq;
342 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
343 }
344
345 static void l2cap_chan_timeout(struct work_struct *work)
346 {
347 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
348 chan_timer.work);
349 struct l2cap_conn *conn = chan->conn;
350 int reason;
351
352 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
353
354 mutex_lock(&conn->chan_lock);
355 l2cap_chan_lock(chan);
356
357 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
358 reason = ECONNREFUSED;
359 else if (chan->state == BT_CONNECT &&
360 chan->sec_level != BT_SECURITY_SDP)
361 reason = ECONNREFUSED;
362 else
363 reason = ETIMEDOUT;
364
365 l2cap_chan_close(chan, reason);
366
367 l2cap_chan_unlock(chan);
368
369 chan->ops->close(chan->data);
370 mutex_unlock(&conn->chan_lock);
371
372 l2cap_chan_put(chan);
373 }
374
375 struct l2cap_chan *l2cap_chan_create(void)
376 {
377 struct l2cap_chan *chan;
378
379 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
380 if (!chan)
381 return NULL;
382
383 mutex_init(&chan->lock);
384
385 write_lock(&chan_list_lock);
386 list_add(&chan->global_l, &chan_list);
387 write_unlock(&chan_list_lock);
388
389 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
390
391 chan->state = BT_OPEN;
392
393 atomic_set(&chan->refcnt, 1);
394
395 BT_DBG("chan %p", chan);
396
397 return chan;
398 }
399
400 void l2cap_chan_destroy(struct l2cap_chan *chan)
401 {
402 write_lock(&chan_list_lock);
403 list_del(&chan->global_l);
404 write_unlock(&chan_list_lock);
405
406 l2cap_chan_put(chan);
407 }
408
409 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
410 {
411 chan->fcs = L2CAP_FCS_CRC16;
412 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
413 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
414 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
415 chan->sec_level = BT_SECURITY_LOW;
416
417 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
418 }
419
420 static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
421 {
422 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
423 __le16_to_cpu(chan->psm), chan->dcid);
424
425 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
426
427 chan->conn = conn;
428
429 switch (chan->chan_type) {
430 case L2CAP_CHAN_CONN_ORIENTED:
431 if (conn->hcon->type == LE_LINK) {
432 /* LE connection */
433 chan->omtu = L2CAP_LE_DEFAULT_MTU;
434 chan->scid = L2CAP_CID_LE_DATA;
435 chan->dcid = L2CAP_CID_LE_DATA;
436 } else {
437 /* Alloc CID for connection-oriented socket */
438 chan->scid = l2cap_alloc_cid(conn);
439 chan->omtu = L2CAP_DEFAULT_MTU;
440 }
441 break;
442
443 case L2CAP_CHAN_CONN_LESS:
444 /* Connectionless socket */
445 chan->scid = L2CAP_CID_CONN_LESS;
446 chan->dcid = L2CAP_CID_CONN_LESS;
447 chan->omtu = L2CAP_DEFAULT_MTU;
448 break;
449
450 default:
451 /* Raw socket can send/recv signalling messages only */
452 chan->scid = L2CAP_CID_SIGNALING;
453 chan->dcid = L2CAP_CID_SIGNALING;
454 chan->omtu = L2CAP_DEFAULT_MTU;
455 }
456
457 chan->local_id = L2CAP_BESTEFFORT_ID;
458 chan->local_stype = L2CAP_SERV_BESTEFFORT;
459 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
460 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
461 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
462 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
463
464 l2cap_chan_hold(chan);
465
466 list_add(&chan->list, &conn->chan_l);
467 }
468
469 static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
470 {
471 mutex_lock(&conn->chan_lock);
472 __l2cap_chan_add(conn, chan);
473 mutex_unlock(&conn->chan_lock);
474 }
475
476 static void l2cap_chan_del(struct l2cap_chan *chan, int err)
477 {
478 struct sock *sk = chan->sk;
479 struct l2cap_conn *conn = chan->conn;
480 struct sock *parent = bt_sk(sk)->parent;
481
482 __clear_chan_timer(chan);
483
484 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
485
486 if (conn) {
487 /* Delete from channel list */
488 list_del(&chan->list);
489
490 l2cap_chan_put(chan);
491
492 chan->conn = NULL;
493 hci_conn_put(conn->hcon);
494 }
495
496 lock_sock(sk);
497
498 __l2cap_state_change(chan, BT_CLOSED);
499 sock_set_flag(sk, SOCK_ZAPPED);
500
501 if (err)
502 __l2cap_chan_set_err(chan, err);
503
504 if (parent) {
505 bt_accept_unlink(sk);
506 parent->sk_data_ready(parent, 0);
507 } else
508 sk->sk_state_change(sk);
509
510 release_sock(sk);
511
512 if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) &&
513 test_bit(CONF_INPUT_DONE, &chan->conf_state)))
514 return;
515
516 skb_queue_purge(&chan->tx_q);
517
518 if (chan->mode == L2CAP_MODE_ERTM) {
519 struct srej_list *l, *tmp;
520
521 __clear_retrans_timer(chan);
522 __clear_monitor_timer(chan);
523 __clear_ack_timer(chan);
524
525 skb_queue_purge(&chan->srej_q);
526
527 l2cap_seq_list_free(&chan->srej_list);
528 l2cap_seq_list_free(&chan->retrans_list);
529 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
530 list_del(&l->list);
531 kfree(l);
532 }
533 }
534 }
535
536 static void l2cap_chan_cleanup_listen(struct sock *parent)
537 {
538 struct sock *sk;
539
540 BT_DBG("parent %p", parent);
541
542 /* Close not yet accepted channels */
543 while ((sk = bt_accept_dequeue(parent, NULL))) {
544 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
545
546 l2cap_chan_lock(chan);
547 __clear_chan_timer(chan);
548 l2cap_chan_close(chan, ECONNRESET);
549 l2cap_chan_unlock(chan);
550
551 chan->ops->close(chan->data);
552 }
553 }
554
555 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
556 {
557 struct l2cap_conn *conn = chan->conn;
558 struct sock *sk = chan->sk;
559
560 BT_DBG("chan %p state %s sk %p", chan,
561 state_to_string(chan->state), sk);
562
563 switch (chan->state) {
564 case BT_LISTEN:
565 lock_sock(sk);
566 l2cap_chan_cleanup_listen(sk);
567
568 __l2cap_state_change(chan, BT_CLOSED);
569 sock_set_flag(sk, SOCK_ZAPPED);
570 release_sock(sk);
571 break;
572
573 case BT_CONNECTED:
574 case BT_CONFIG:
575 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
576 conn->hcon->type == ACL_LINK) {
577 __set_chan_timer(chan, sk->sk_sndtimeo);
578 l2cap_send_disconn_req(conn, chan, reason);
579 } else
580 l2cap_chan_del(chan, reason);
581 break;
582
583 case BT_CONNECT2:
584 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
585 conn->hcon->type == ACL_LINK) {
586 struct l2cap_conn_rsp rsp;
587 __u16 result;
588
589 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
590 result = L2CAP_CR_SEC_BLOCK;
591 else
592 result = L2CAP_CR_BAD_PSM;
593 l2cap_state_change(chan, BT_DISCONN);
594
595 rsp.scid = cpu_to_le16(chan->dcid);
596 rsp.dcid = cpu_to_le16(chan->scid);
597 rsp.result = cpu_to_le16(result);
598 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
599 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
600 sizeof(rsp), &rsp);
601 }
602
603 l2cap_chan_del(chan, reason);
604 break;
605
606 case BT_CONNECT:
607 case BT_DISCONN:
608 l2cap_chan_del(chan, reason);
609 break;
610
611 default:
612 lock_sock(sk);
613 sock_set_flag(sk, SOCK_ZAPPED);
614 release_sock(sk);
615 break;
616 }
617 }
618
619 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
620 {
621 if (chan->chan_type == L2CAP_CHAN_RAW) {
622 switch (chan->sec_level) {
623 case BT_SECURITY_HIGH:
624 return HCI_AT_DEDICATED_BONDING_MITM;
625 case BT_SECURITY_MEDIUM:
626 return HCI_AT_DEDICATED_BONDING;
627 default:
628 return HCI_AT_NO_BONDING;
629 }
630 } else if (chan->psm == cpu_to_le16(0x0001)) {
631 if (chan->sec_level == BT_SECURITY_LOW)
632 chan->sec_level = BT_SECURITY_SDP;
633
634 if (chan->sec_level == BT_SECURITY_HIGH)
635 return HCI_AT_NO_BONDING_MITM;
636 else
637 return HCI_AT_NO_BONDING;
638 } else {
639 switch (chan->sec_level) {
640 case BT_SECURITY_HIGH:
641 return HCI_AT_GENERAL_BONDING_MITM;
642 case BT_SECURITY_MEDIUM:
643 return HCI_AT_GENERAL_BONDING;
644 default:
645 return HCI_AT_NO_BONDING;
646 }
647 }
648 }
649
650 /* Service level security */
651 int l2cap_chan_check_security(struct l2cap_chan *chan)
652 {
653 struct l2cap_conn *conn = chan->conn;
654 __u8 auth_type;
655
656 auth_type = l2cap_get_auth_type(chan);
657
658 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
659 }
660
661 static u8 l2cap_get_ident(struct l2cap_conn *conn)
662 {
663 u8 id;
664
665 /* Get next available identificator.
666 * 1 - 128 are used by kernel.
667 * 129 - 199 are reserved.
668 * 200 - 254 are used by utilities like l2ping, etc.
669 */
670
671 spin_lock(&conn->lock);
672
673 if (++conn->tx_ident > 128)
674 conn->tx_ident = 1;
675
676 id = conn->tx_ident;
677
678 spin_unlock(&conn->lock);
679
680 return id;
681 }
682
683 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
684 {
685 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
686 u8 flags;
687
688 BT_DBG("code 0x%2.2x", code);
689
690 if (!skb)
691 return;
692
693 if (lmp_no_flush_capable(conn->hcon->hdev))
694 flags = ACL_START_NO_FLUSH;
695 else
696 flags = ACL_START;
697
698 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
699 skb->priority = HCI_PRIO_MAX;
700
701 hci_send_acl(conn->hchan, skb, flags);
702 }
703
704 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
705 {
706 struct hci_conn *hcon = chan->conn->hcon;
707 u16 flags;
708
709 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
710 skb->priority);
711
712 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
713 lmp_no_flush_capable(hcon->hdev))
714 flags = ACL_START_NO_FLUSH;
715 else
716 flags = ACL_START;
717
718 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
719 hci_send_acl(chan->conn->hchan, skb, flags);
720 }
721
722 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
723 {
724 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
725 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
726
727 if (enh & L2CAP_CTRL_FRAME_TYPE) {
728 /* S-Frame */
729 control->sframe = 1;
730 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
731 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
732
733 control->sar = 0;
734 control->txseq = 0;
735 } else {
736 /* I-Frame */
737 control->sframe = 0;
738 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
739 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
740
741 control->poll = 0;
742 control->super = 0;
743 }
744 }
745
746 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
747 {
748 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
749 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
750
751 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
752 /* S-Frame */
753 control->sframe = 1;
754 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
755 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
756
757 control->sar = 0;
758 control->txseq = 0;
759 } else {
760 /* I-Frame */
761 control->sframe = 0;
762 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
763 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
764
765 control->poll = 0;
766 control->super = 0;
767 }
768 }
769
770 static inline void __unpack_control(struct l2cap_chan *chan,
771 struct sk_buff *skb)
772 {
773 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
774 __unpack_extended_control(get_unaligned_le32(skb->data),
775 &bt_cb(skb)->control);
776 } else {
777 __unpack_enhanced_control(get_unaligned_le16(skb->data),
778 &bt_cb(skb)->control);
779 }
780 }
781
782 static u32 __pack_extended_control(struct l2cap_ctrl *control)
783 {
784 u32 packed;
785
786 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
787 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
788
789 if (control->sframe) {
790 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
791 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
792 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
793 } else {
794 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
795 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
796 }
797
798 return packed;
799 }
800
801 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
802 {
803 u16 packed;
804
805 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
806 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
807
808 if (control->sframe) {
809 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
810 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
811 packed |= L2CAP_CTRL_FRAME_TYPE;
812 } else {
813 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
814 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
815 }
816
817 return packed;
818 }
819
820 static inline void __pack_control(struct l2cap_chan *chan,
821 struct l2cap_ctrl *control,
822 struct sk_buff *skb)
823 {
824 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
825 put_unaligned_le32(__pack_extended_control(control),
826 skb->data + L2CAP_HDR_SIZE);
827 } else {
828 put_unaligned_le16(__pack_enhanced_control(control),
829 skb->data + L2CAP_HDR_SIZE);
830 }
831 }
832
833 static inline void l2cap_send_sframe(struct l2cap_chan *chan, u32 control)
834 {
835 struct sk_buff *skb;
836 struct l2cap_hdr *lh;
837 struct l2cap_conn *conn = chan->conn;
838 int count, hlen;
839
840 if (chan->state != BT_CONNECTED)
841 return;
842
843 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
844 hlen = L2CAP_EXT_HDR_SIZE;
845 else
846 hlen = L2CAP_ENH_HDR_SIZE;
847
848 if (chan->fcs == L2CAP_FCS_CRC16)
849 hlen += L2CAP_FCS_SIZE;
850
851 BT_DBG("chan %p, control 0x%8.8x", chan, control);
852
853 count = min_t(unsigned int, conn->mtu, hlen);
854
855 control |= __set_sframe(chan);
856
857 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
858 control |= __set_ctrl_final(chan);
859
860 if (test_and_clear_bit(CONN_SEND_PBIT, &chan->conn_state))
861 control |= __set_ctrl_poll(chan);
862
863 skb = bt_skb_alloc(count, GFP_ATOMIC);
864 if (!skb)
865 return;
866
867 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
868 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
869 lh->cid = cpu_to_le16(chan->dcid);
870
871 __put_control(chan, control, skb_put(skb, __ctrl_size(chan)));
872
873 if (chan->fcs == L2CAP_FCS_CRC16) {
874 u16 fcs = crc16(0, (u8 *)lh, count - L2CAP_FCS_SIZE);
875 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
876 }
877
878 skb->priority = HCI_PRIO_MAX;
879 l2cap_do_send(chan, skb);
880 }
881
882 static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u32 control)
883 {
884 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
885 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
886 set_bit(CONN_RNR_SENT, &chan->conn_state);
887 } else
888 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
889
890 control |= __set_reqseq(chan, chan->buffer_seq);
891
892 l2cap_send_sframe(chan, control);
893 }
894
895 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
896 {
897 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
898 }
899
900 static void l2cap_send_conn_req(struct l2cap_chan *chan)
901 {
902 struct l2cap_conn *conn = chan->conn;
903 struct l2cap_conn_req req;
904
905 req.scid = cpu_to_le16(chan->scid);
906 req.psm = chan->psm;
907
908 chan->ident = l2cap_get_ident(conn);
909
910 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
911
912 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
913 }
914
915 static void l2cap_chan_ready(struct l2cap_chan *chan)
916 {
917 struct sock *sk = chan->sk;
918 struct sock *parent;
919
920 lock_sock(sk);
921
922 parent = bt_sk(sk)->parent;
923
924 BT_DBG("sk %p, parent %p", sk, parent);
925
926 chan->conf_state = 0;
927 __clear_chan_timer(chan);
928
929 __l2cap_state_change(chan, BT_CONNECTED);
930 sk->sk_state_change(sk);
931
932 if (parent)
933 parent->sk_data_ready(parent, 0);
934
935 release_sock(sk);
936 }
937
938 static void l2cap_do_start(struct l2cap_chan *chan)
939 {
940 struct l2cap_conn *conn = chan->conn;
941
942 if (conn->hcon->type == LE_LINK) {
943 l2cap_chan_ready(chan);
944 return;
945 }
946
947 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
948 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
949 return;
950
951 if (l2cap_chan_check_security(chan) &&
952 __l2cap_no_conn_pending(chan))
953 l2cap_send_conn_req(chan);
954 } else {
955 struct l2cap_info_req req;
956 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
957
958 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
959 conn->info_ident = l2cap_get_ident(conn);
960
961 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
962
963 l2cap_send_cmd(conn, conn->info_ident,
964 L2CAP_INFO_REQ, sizeof(req), &req);
965 }
966 }
967
968 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
969 {
970 u32 local_feat_mask = l2cap_feat_mask;
971 if (!disable_ertm)
972 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
973
974 switch (mode) {
975 case L2CAP_MODE_ERTM:
976 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
977 case L2CAP_MODE_STREAMING:
978 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
979 default:
980 return 0x00;
981 }
982 }
983
984 static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
985 {
986 struct sock *sk = chan->sk;
987 struct l2cap_disconn_req req;
988
989 if (!conn)
990 return;
991
992 if (chan->mode == L2CAP_MODE_ERTM) {
993 __clear_retrans_timer(chan);
994 __clear_monitor_timer(chan);
995 __clear_ack_timer(chan);
996 }
997
998 req.dcid = cpu_to_le16(chan->dcid);
999 req.scid = cpu_to_le16(chan->scid);
1000 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1001 L2CAP_DISCONN_REQ, sizeof(req), &req);
1002
1003 lock_sock(sk);
1004 __l2cap_state_change(chan, BT_DISCONN);
1005 __l2cap_chan_set_err(chan, err);
1006 release_sock(sk);
1007 }
1008
1009 /* ---- L2CAP connections ---- */
1010 static void l2cap_conn_start(struct l2cap_conn *conn)
1011 {
1012 struct l2cap_chan *chan, *tmp;
1013
1014 BT_DBG("conn %p", conn);
1015
1016 mutex_lock(&conn->chan_lock);
1017
1018 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1019 struct sock *sk = chan->sk;
1020
1021 l2cap_chan_lock(chan);
1022
1023 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1024 l2cap_chan_unlock(chan);
1025 continue;
1026 }
1027
1028 if (chan->state == BT_CONNECT) {
1029 if (!l2cap_chan_check_security(chan) ||
1030 !__l2cap_no_conn_pending(chan)) {
1031 l2cap_chan_unlock(chan);
1032 continue;
1033 }
1034
1035 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1036 && test_bit(CONF_STATE2_DEVICE,
1037 &chan->conf_state)) {
1038 l2cap_chan_close(chan, ECONNRESET);
1039 l2cap_chan_unlock(chan);
1040 continue;
1041 }
1042
1043 l2cap_send_conn_req(chan);
1044
1045 } else if (chan->state == BT_CONNECT2) {
1046 struct l2cap_conn_rsp rsp;
1047 char buf[128];
1048 rsp.scid = cpu_to_le16(chan->dcid);
1049 rsp.dcid = cpu_to_le16(chan->scid);
1050
1051 if (l2cap_chan_check_security(chan)) {
1052 lock_sock(sk);
1053 if (test_bit(BT_SK_DEFER_SETUP,
1054 &bt_sk(sk)->flags)) {
1055 struct sock *parent = bt_sk(sk)->parent;
1056 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1057 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1058 if (parent)
1059 parent->sk_data_ready(parent, 0);
1060
1061 } else {
1062 __l2cap_state_change(chan, BT_CONFIG);
1063 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1064 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1065 }
1066 release_sock(sk);
1067 } else {
1068 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1069 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1070 }
1071
1072 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1073 sizeof(rsp), &rsp);
1074
1075 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1076 rsp.result != L2CAP_CR_SUCCESS) {
1077 l2cap_chan_unlock(chan);
1078 continue;
1079 }
1080
1081 set_bit(CONF_REQ_SENT, &chan->conf_state);
1082 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1083 l2cap_build_conf_req(chan, buf), buf);
1084 chan->num_conf_req++;
1085 }
1086
1087 l2cap_chan_unlock(chan);
1088 }
1089
1090 mutex_unlock(&conn->chan_lock);
1091 }
1092
1093 /* Find socket with cid and source/destination bdaddr.
1094 * Returns closest match, locked.
1095 */
1096 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1097 bdaddr_t *src,
1098 bdaddr_t *dst)
1099 {
1100 struct l2cap_chan *c, *c1 = NULL;
1101
1102 read_lock(&chan_list_lock);
1103
1104 list_for_each_entry(c, &chan_list, global_l) {
1105 struct sock *sk = c->sk;
1106
1107 if (state && c->state != state)
1108 continue;
1109
1110 if (c->scid == cid) {
1111 int src_match, dst_match;
1112 int src_any, dst_any;
1113
1114 /* Exact match. */
1115 src_match = !bacmp(&bt_sk(sk)->src, src);
1116 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1117 if (src_match && dst_match) {
1118 read_unlock(&chan_list_lock);
1119 return c;
1120 }
1121
1122 /* Closest match */
1123 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1124 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1125 if ((src_match && dst_any) || (src_any && dst_match) ||
1126 (src_any && dst_any))
1127 c1 = c;
1128 }
1129 }
1130
1131 read_unlock(&chan_list_lock);
1132
1133 return c1;
1134 }
1135
1136 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1137 {
1138 struct sock *parent, *sk;
1139 struct l2cap_chan *chan, *pchan;
1140
1141 BT_DBG("");
1142
1143 /* Check if we have socket listening on cid */
1144 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
1145 conn->src, conn->dst);
1146 if (!pchan)
1147 return;
1148
1149 parent = pchan->sk;
1150
1151 lock_sock(parent);
1152
1153 /* Check for backlog size */
1154 if (sk_acceptq_is_full(parent)) {
1155 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1156 goto clean;
1157 }
1158
1159 chan = pchan->ops->new_connection(pchan->data);
1160 if (!chan)
1161 goto clean;
1162
1163 sk = chan->sk;
1164
1165 hci_conn_hold(conn->hcon);
1166
1167 bacpy(&bt_sk(sk)->src, conn->src);
1168 bacpy(&bt_sk(sk)->dst, conn->dst);
1169
1170 bt_accept_enqueue(parent, sk);
1171
1172 l2cap_chan_add(conn, chan);
1173
1174 __set_chan_timer(chan, sk->sk_sndtimeo);
1175
1176 __l2cap_state_change(chan, BT_CONNECTED);
1177 parent->sk_data_ready(parent, 0);
1178
1179 clean:
1180 release_sock(parent);
1181 }
1182
1183 static void l2cap_conn_ready(struct l2cap_conn *conn)
1184 {
1185 struct l2cap_chan *chan;
1186
1187 BT_DBG("conn %p", conn);
1188
1189 if (!conn->hcon->out && conn->hcon->type == LE_LINK)
1190 l2cap_le_conn_ready(conn);
1191
1192 if (conn->hcon->out && conn->hcon->type == LE_LINK)
1193 smp_conn_security(conn, conn->hcon->pending_sec_level);
1194
1195 mutex_lock(&conn->chan_lock);
1196
1197 list_for_each_entry(chan, &conn->chan_l, list) {
1198
1199 l2cap_chan_lock(chan);
1200
1201 if (conn->hcon->type == LE_LINK) {
1202 if (smp_conn_security(conn, chan->sec_level))
1203 l2cap_chan_ready(chan);
1204
1205 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1206 struct sock *sk = chan->sk;
1207 __clear_chan_timer(chan);
1208 lock_sock(sk);
1209 __l2cap_state_change(chan, BT_CONNECTED);
1210 sk->sk_state_change(sk);
1211 release_sock(sk);
1212
1213 } else if (chan->state == BT_CONNECT)
1214 l2cap_do_start(chan);
1215
1216 l2cap_chan_unlock(chan);
1217 }
1218
1219 mutex_unlock(&conn->chan_lock);
1220 }
1221
1222 /* Notify sockets that we cannot guaranty reliability anymore */
1223 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1224 {
1225 struct l2cap_chan *chan;
1226
1227 BT_DBG("conn %p", conn);
1228
1229 mutex_lock(&conn->chan_lock);
1230
1231 list_for_each_entry(chan, &conn->chan_l, list) {
1232 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1233 __l2cap_chan_set_err(chan, err);
1234 }
1235
1236 mutex_unlock(&conn->chan_lock);
1237 }
1238
1239 static void l2cap_info_timeout(struct work_struct *work)
1240 {
1241 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1242 info_timer.work);
1243
1244 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1245 conn->info_ident = 0;
1246
1247 l2cap_conn_start(conn);
1248 }
1249
1250 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1251 {
1252 struct l2cap_conn *conn = hcon->l2cap_data;
1253 struct l2cap_chan *chan, *l;
1254
1255 if (!conn)
1256 return;
1257
1258 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1259
1260 kfree_skb(conn->rx_skb);
1261
1262 mutex_lock(&conn->chan_lock);
1263
1264 /* Kill channels */
1265 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1266 l2cap_chan_hold(chan);
1267 l2cap_chan_lock(chan);
1268
1269 l2cap_chan_del(chan, err);
1270
1271 l2cap_chan_unlock(chan);
1272
1273 chan->ops->close(chan->data);
1274 l2cap_chan_put(chan);
1275 }
1276
1277 mutex_unlock(&conn->chan_lock);
1278
1279 hci_chan_del(conn->hchan);
1280
1281 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1282 cancel_delayed_work_sync(&conn->info_timer);
1283
1284 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1285 cancel_delayed_work_sync(&conn->security_timer);
1286 smp_chan_destroy(conn);
1287 }
1288
1289 hcon->l2cap_data = NULL;
1290 kfree(conn);
1291 }
1292
1293 static void security_timeout(struct work_struct *work)
1294 {
1295 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1296 security_timer.work);
1297
1298 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1299 }
1300
1301 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1302 {
1303 struct l2cap_conn *conn = hcon->l2cap_data;
1304 struct hci_chan *hchan;
1305
1306 if (conn || status)
1307 return conn;
1308
1309 hchan = hci_chan_create(hcon);
1310 if (!hchan)
1311 return NULL;
1312
1313 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
1314 if (!conn) {
1315 hci_chan_del(hchan);
1316 return NULL;
1317 }
1318
1319 hcon->l2cap_data = conn;
1320 conn->hcon = hcon;
1321 conn->hchan = hchan;
1322
1323 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1324
1325 if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
1326 conn->mtu = hcon->hdev->le_mtu;
1327 else
1328 conn->mtu = hcon->hdev->acl_mtu;
1329
1330 conn->src = &hcon->hdev->bdaddr;
1331 conn->dst = &hcon->dst;
1332
1333 conn->feat_mask = 0;
1334
1335 spin_lock_init(&conn->lock);
1336 mutex_init(&conn->chan_lock);
1337
1338 INIT_LIST_HEAD(&conn->chan_l);
1339
1340 if (hcon->type == LE_LINK)
1341 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1342 else
1343 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1344
1345 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1346
1347 return conn;
1348 }
1349
1350 /* ---- Socket interface ---- */
1351
1352 /* Find socket with psm and source / destination bdaddr.
1353 * Returns closest match.
1354 */
1355 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1356 bdaddr_t *src,
1357 bdaddr_t *dst)
1358 {
1359 struct l2cap_chan *c, *c1 = NULL;
1360
1361 read_lock(&chan_list_lock);
1362
1363 list_for_each_entry(c, &chan_list, global_l) {
1364 struct sock *sk = c->sk;
1365
1366 if (state && c->state != state)
1367 continue;
1368
1369 if (c->psm == psm) {
1370 int src_match, dst_match;
1371 int src_any, dst_any;
1372
1373 /* Exact match. */
1374 src_match = !bacmp(&bt_sk(sk)->src, src);
1375 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1376 if (src_match && dst_match) {
1377 read_unlock(&chan_list_lock);
1378 return c;
1379 }
1380
1381 /* Closest match */
1382 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1383 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1384 if ((src_match && dst_any) || (src_any && dst_match) ||
1385 (src_any && dst_any))
1386 c1 = c;
1387 }
1388 }
1389
1390 read_unlock(&chan_list_lock);
1391
1392 return c1;
1393 }
1394
1395 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1396 bdaddr_t *dst, u8 dst_type)
1397 {
1398 struct sock *sk = chan->sk;
1399 bdaddr_t *src = &bt_sk(sk)->src;
1400 struct l2cap_conn *conn;
1401 struct hci_conn *hcon;
1402 struct hci_dev *hdev;
1403 __u8 auth_type;
1404 int err;
1405
1406 BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
1407 dst_type, __le16_to_cpu(chan->psm));
1408
1409 hdev = hci_get_route(dst, src);
1410 if (!hdev)
1411 return -EHOSTUNREACH;
1412
1413 hci_dev_lock(hdev);
1414
1415 l2cap_chan_lock(chan);
1416
1417 /* PSM must be odd and lsb of upper byte must be 0 */
1418 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1419 chan->chan_type != L2CAP_CHAN_RAW) {
1420 err = -EINVAL;
1421 goto done;
1422 }
1423
1424 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1425 err = -EINVAL;
1426 goto done;
1427 }
1428
1429 switch (chan->mode) {
1430 case L2CAP_MODE_BASIC:
1431 break;
1432 case L2CAP_MODE_ERTM:
1433 case L2CAP_MODE_STREAMING:
1434 if (!disable_ertm)
1435 break;
1436 /* fall through */
1437 default:
1438 err = -ENOTSUPP;
1439 goto done;
1440 }
1441
1442 lock_sock(sk);
1443
1444 switch (sk->sk_state) {
1445 case BT_CONNECT:
1446 case BT_CONNECT2:
1447 case BT_CONFIG:
1448 /* Already connecting */
1449 err = 0;
1450 release_sock(sk);
1451 goto done;
1452
1453 case BT_CONNECTED:
1454 /* Already connected */
1455 err = -EISCONN;
1456 release_sock(sk);
1457 goto done;
1458
1459 case BT_OPEN:
1460 case BT_BOUND:
1461 /* Can connect */
1462 break;
1463
1464 default:
1465 err = -EBADFD;
1466 release_sock(sk);
1467 goto done;
1468 }
1469
1470 /* Set destination address and psm */
1471 bacpy(&bt_sk(sk)->dst, dst);
1472
1473 release_sock(sk);
1474
1475 chan->psm = psm;
1476 chan->dcid = cid;
1477
1478 auth_type = l2cap_get_auth_type(chan);
1479
1480 if (chan->dcid == L2CAP_CID_LE_DATA)
1481 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
1482 chan->sec_level, auth_type);
1483 else
1484 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
1485 chan->sec_level, auth_type);
1486
1487 if (IS_ERR(hcon)) {
1488 err = PTR_ERR(hcon);
1489 goto done;
1490 }
1491
1492 conn = l2cap_conn_add(hcon, 0);
1493 if (!conn) {
1494 hci_conn_put(hcon);
1495 err = -ENOMEM;
1496 goto done;
1497 }
1498
1499 if (hcon->type == LE_LINK) {
1500 err = 0;
1501
1502 if (!list_empty(&conn->chan_l)) {
1503 err = -EBUSY;
1504 hci_conn_put(hcon);
1505 }
1506
1507 if (err)
1508 goto done;
1509 }
1510
1511 /* Update source addr of the socket */
1512 bacpy(src, conn->src);
1513
1514 l2cap_chan_unlock(chan);
1515 l2cap_chan_add(conn, chan);
1516 l2cap_chan_lock(chan);
1517
1518 l2cap_state_change(chan, BT_CONNECT);
1519 __set_chan_timer(chan, sk->sk_sndtimeo);
1520
1521 if (hcon->state == BT_CONNECTED) {
1522 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1523 __clear_chan_timer(chan);
1524 if (l2cap_chan_check_security(chan))
1525 l2cap_state_change(chan, BT_CONNECTED);
1526 } else
1527 l2cap_do_start(chan);
1528 }
1529
1530 err = 0;
1531
1532 done:
1533 l2cap_chan_unlock(chan);
1534 hci_dev_unlock(hdev);
1535 hci_dev_put(hdev);
1536 return err;
1537 }
1538
1539 int __l2cap_wait_ack(struct sock *sk)
1540 {
1541 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1542 DECLARE_WAITQUEUE(wait, current);
1543 int err = 0;
1544 int timeo = HZ/5;
1545
1546 add_wait_queue(sk_sleep(sk), &wait);
1547 set_current_state(TASK_INTERRUPTIBLE);
1548 while (chan->unacked_frames > 0 && chan->conn) {
1549 if (!timeo)
1550 timeo = HZ/5;
1551
1552 if (signal_pending(current)) {
1553 err = sock_intr_errno(timeo);
1554 break;
1555 }
1556
1557 release_sock(sk);
1558 timeo = schedule_timeout(timeo);
1559 lock_sock(sk);
1560 set_current_state(TASK_INTERRUPTIBLE);
1561
1562 err = sock_error(sk);
1563 if (err)
1564 break;
1565 }
1566 set_current_state(TASK_RUNNING);
1567 remove_wait_queue(sk_sleep(sk), &wait);
1568 return err;
1569 }
1570
1571 static void l2cap_monitor_timeout(struct work_struct *work)
1572 {
1573 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1574 monitor_timer.work);
1575
1576 BT_DBG("chan %p", chan);
1577
1578 l2cap_chan_lock(chan);
1579
1580 if (chan->retry_count >= chan->remote_max_tx) {
1581 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1582 l2cap_chan_unlock(chan);
1583 l2cap_chan_put(chan);
1584 return;
1585 }
1586
1587 chan->retry_count++;
1588 __set_monitor_timer(chan);
1589
1590 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1591 l2cap_chan_unlock(chan);
1592 l2cap_chan_put(chan);
1593 }
1594
1595 static void l2cap_retrans_timeout(struct work_struct *work)
1596 {
1597 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1598 retrans_timer.work);
1599
1600 BT_DBG("chan %p", chan);
1601
1602 l2cap_chan_lock(chan);
1603
1604 chan->retry_count = 1;
1605 __set_monitor_timer(chan);
1606
1607 set_bit(CONN_WAIT_F, &chan->conn_state);
1608
1609 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1610
1611 l2cap_chan_unlock(chan);
1612 l2cap_chan_put(chan);
1613 }
1614
1615 static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
1616 {
1617 struct sk_buff *skb;
1618
1619 while ((skb = skb_peek(&chan->tx_q)) &&
1620 chan->unacked_frames) {
1621 if (bt_cb(skb)->control.txseq == chan->expected_ack_seq)
1622 break;
1623
1624 skb = skb_dequeue(&chan->tx_q);
1625 kfree_skb(skb);
1626
1627 chan->unacked_frames--;
1628 }
1629
1630 if (!chan->unacked_frames)
1631 __clear_retrans_timer(chan);
1632 }
1633
1634 static void l2cap_streaming_send(struct l2cap_chan *chan)
1635 {
1636 struct sk_buff *skb;
1637 u32 control;
1638 u16 fcs;
1639
1640 while ((skb = skb_dequeue(&chan->tx_q))) {
1641 control = __get_control(chan, skb->data + L2CAP_HDR_SIZE);
1642 control |= __set_txseq(chan, chan->next_tx_seq);
1643 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
1644 __put_control(chan, control, skb->data + L2CAP_HDR_SIZE);
1645
1646 if (chan->fcs == L2CAP_FCS_CRC16) {
1647 fcs = crc16(0, (u8 *)skb->data,
1648 skb->len - L2CAP_FCS_SIZE);
1649 put_unaligned_le16(fcs,
1650 skb->data + skb->len - L2CAP_FCS_SIZE);
1651 }
1652
1653 l2cap_do_send(chan, skb);
1654
1655 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1656 }
1657 }
1658
1659 static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u16 tx_seq)
1660 {
1661 struct sk_buff *skb, *tx_skb;
1662 u16 fcs;
1663 u32 control;
1664
1665 skb = skb_peek(&chan->tx_q);
1666 if (!skb)
1667 return;
1668
1669 while (bt_cb(skb)->control.txseq != tx_seq) {
1670 if (skb_queue_is_last(&chan->tx_q, skb))
1671 return;
1672
1673 skb = skb_queue_next(&chan->tx_q, skb);
1674 }
1675
1676 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1677 chan->remote_max_tx) {
1678 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1679 return;
1680 }
1681
1682 tx_skb = skb_clone(skb, GFP_ATOMIC);
1683 bt_cb(skb)->control.retries++;
1684
1685 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1686 control &= __get_sar_mask(chan);
1687
1688 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1689 control |= __set_ctrl_final(chan);
1690
1691 control |= __set_reqseq(chan, chan->buffer_seq);
1692 control |= __set_txseq(chan, tx_seq);
1693
1694 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1695
1696 if (chan->fcs == L2CAP_FCS_CRC16) {
1697 fcs = crc16(0, (u8 *)tx_skb->data,
1698 tx_skb->len - L2CAP_FCS_SIZE);
1699 put_unaligned_le16(fcs,
1700 tx_skb->data + tx_skb->len - L2CAP_FCS_SIZE);
1701 }
1702
1703 l2cap_do_send(chan, tx_skb);
1704 }
1705
1706 static int l2cap_ertm_send(struct l2cap_chan *chan)
1707 {
1708 struct sk_buff *skb, *tx_skb;
1709 u16 fcs;
1710 u32 control;
1711 int nsent = 0;
1712
1713 if (chan->state != BT_CONNECTED)
1714 return -ENOTCONN;
1715
1716 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1717 return 0;
1718
1719 while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
1720
1721 if (bt_cb(skb)->control.retries == chan->remote_max_tx &&
1722 chan->remote_max_tx) {
1723 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1724 break;
1725 }
1726
1727 tx_skb = skb_clone(skb, GFP_ATOMIC);
1728
1729 bt_cb(skb)->control.retries++;
1730
1731 control = __get_control(chan, tx_skb->data + L2CAP_HDR_SIZE);
1732 control &= __get_sar_mask(chan);
1733
1734 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1735 control |= __set_ctrl_final(chan);
1736
1737 control |= __set_reqseq(chan, chan->buffer_seq);
1738 control |= __set_txseq(chan, chan->next_tx_seq);
1739 control |= __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
1740
1741 __put_control(chan, control, tx_skb->data + L2CAP_HDR_SIZE);
1742
1743 if (chan->fcs == L2CAP_FCS_CRC16) {
1744 fcs = crc16(0, (u8 *)skb->data,
1745 tx_skb->len - L2CAP_FCS_SIZE);
1746 put_unaligned_le16(fcs, skb->data +
1747 tx_skb->len - L2CAP_FCS_SIZE);
1748 }
1749
1750 l2cap_do_send(chan, tx_skb);
1751
1752 __set_retrans_timer(chan);
1753
1754 bt_cb(skb)->control.txseq = chan->next_tx_seq;
1755
1756 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1757
1758 if (bt_cb(skb)->control.retries == 1) {
1759 chan->unacked_frames++;
1760
1761 if (!nsent++)
1762 __clear_ack_timer(chan);
1763 }
1764
1765 chan->frames_sent++;
1766
1767 if (skb_queue_is_last(&chan->tx_q, skb))
1768 chan->tx_send_head = NULL;
1769 else
1770 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1771 }
1772
1773 return nsent;
1774 }
1775
1776 static int l2cap_retransmit_frames(struct l2cap_chan *chan)
1777 {
1778 int ret;
1779
1780 if (!skb_queue_empty(&chan->tx_q))
1781 chan->tx_send_head = chan->tx_q.next;
1782
1783 chan->next_tx_seq = chan->expected_ack_seq;
1784 ret = l2cap_ertm_send(chan);
1785 return ret;
1786 }
1787
1788 static void __l2cap_send_ack(struct l2cap_chan *chan)
1789 {
1790 u32 control = 0;
1791
1792 control |= __set_reqseq(chan, chan->buffer_seq);
1793
1794 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
1795 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
1796 set_bit(CONN_RNR_SENT, &chan->conn_state);
1797 l2cap_send_sframe(chan, control);
1798 return;
1799 }
1800
1801 if (l2cap_ertm_send(chan) > 0)
1802 return;
1803
1804 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
1805 l2cap_send_sframe(chan, control);
1806 }
1807
1808 static void l2cap_send_ack(struct l2cap_chan *chan)
1809 {
1810 __clear_ack_timer(chan);
1811 __l2cap_send_ack(chan);
1812 }
1813
1814 static void l2cap_send_srejtail(struct l2cap_chan *chan)
1815 {
1816 struct srej_list *tail;
1817 u32 control;
1818
1819 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
1820 control |= __set_ctrl_final(chan);
1821
1822 tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
1823 control |= __set_reqseq(chan, tail->tx_seq);
1824
1825 l2cap_send_sframe(chan, control);
1826 }
1827
1828 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
1829 struct msghdr *msg, int len,
1830 int count, struct sk_buff *skb)
1831 {
1832 struct l2cap_conn *conn = chan->conn;
1833 struct sk_buff **frag;
1834 int sent = 0;
1835
1836 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1837 return -EFAULT;
1838
1839 sent += count;
1840 len -= count;
1841
1842 /* Continuation fragments (no L2CAP header) */
1843 frag = &skb_shinfo(skb)->frag_list;
1844 while (len) {
1845 struct sk_buff *tmp;
1846
1847 count = min_t(unsigned int, conn->mtu, len);
1848
1849 tmp = chan->ops->alloc_skb(chan, count,
1850 msg->msg_flags & MSG_DONTWAIT);
1851 if (IS_ERR(tmp))
1852 return PTR_ERR(tmp);
1853
1854 *frag = tmp;
1855
1856 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1857 return -EFAULT;
1858
1859 (*frag)->priority = skb->priority;
1860
1861 sent += count;
1862 len -= count;
1863
1864 skb->len += (*frag)->len;
1865 skb->data_len += (*frag)->len;
1866
1867 frag = &(*frag)->next;
1868 }
1869
1870 return sent;
1871 }
1872
1873 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
1874 struct msghdr *msg, size_t len,
1875 u32 priority)
1876 {
1877 struct l2cap_conn *conn = chan->conn;
1878 struct sk_buff *skb;
1879 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
1880 struct l2cap_hdr *lh;
1881
1882 BT_DBG("chan %p len %d priority %u", chan, (int)len, priority);
1883
1884 count = min_t(unsigned int, (conn->mtu - hlen), len);
1885
1886 skb = chan->ops->alloc_skb(chan, count + hlen,
1887 msg->msg_flags & MSG_DONTWAIT);
1888 if (IS_ERR(skb))
1889 return skb;
1890
1891 skb->priority = priority;
1892
1893 /* Create L2CAP header */
1894 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1895 lh->cid = cpu_to_le16(chan->dcid);
1896 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
1897 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
1898
1899 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1900 if (unlikely(err < 0)) {
1901 kfree_skb(skb);
1902 return ERR_PTR(err);
1903 }
1904 return skb;
1905 }
1906
1907 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
1908 struct msghdr *msg, size_t len,
1909 u32 priority)
1910 {
1911 struct l2cap_conn *conn = chan->conn;
1912 struct sk_buff *skb;
1913 int err, count;
1914 struct l2cap_hdr *lh;
1915
1916 BT_DBG("chan %p len %d", chan, (int)len);
1917
1918 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
1919
1920 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
1921 msg->msg_flags & MSG_DONTWAIT);
1922 if (IS_ERR(skb))
1923 return skb;
1924
1925 skb->priority = priority;
1926
1927 /* Create L2CAP header */
1928 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1929 lh->cid = cpu_to_le16(chan->dcid);
1930 lh->len = cpu_to_le16(len);
1931
1932 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1933 if (unlikely(err < 0)) {
1934 kfree_skb(skb);
1935 return ERR_PTR(err);
1936 }
1937 return skb;
1938 }
1939
1940 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
1941 struct msghdr *msg, size_t len,
1942 u16 sdulen)
1943 {
1944 struct l2cap_conn *conn = chan->conn;
1945 struct sk_buff *skb;
1946 int err, count, hlen;
1947 struct l2cap_hdr *lh;
1948
1949 BT_DBG("chan %p len %d", chan, (int)len);
1950
1951 if (!conn)
1952 return ERR_PTR(-ENOTCONN);
1953
1954 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1955 hlen = L2CAP_EXT_HDR_SIZE;
1956 else
1957 hlen = L2CAP_ENH_HDR_SIZE;
1958
1959 if (sdulen)
1960 hlen += L2CAP_SDULEN_SIZE;
1961
1962 if (chan->fcs == L2CAP_FCS_CRC16)
1963 hlen += L2CAP_FCS_SIZE;
1964
1965 count = min_t(unsigned int, (conn->mtu - hlen), len);
1966
1967 skb = chan->ops->alloc_skb(chan, count + hlen,
1968 msg->msg_flags & MSG_DONTWAIT);
1969 if (IS_ERR(skb))
1970 return skb;
1971
1972 /* Create L2CAP header */
1973 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1974 lh->cid = cpu_to_le16(chan->dcid);
1975 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1976
1977 __put_control(chan, 0, skb_put(skb, __ctrl_size(chan)));
1978
1979 if (sdulen)
1980 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
1981
1982 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
1983 if (unlikely(err < 0)) {
1984 kfree_skb(skb);
1985 return ERR_PTR(err);
1986 }
1987
1988 if (chan->fcs == L2CAP_FCS_CRC16)
1989 put_unaligned_le16(0, skb_put(skb, L2CAP_FCS_SIZE));
1990
1991 bt_cb(skb)->control.retries = 0;
1992 return skb;
1993 }
1994
1995 static int l2cap_segment_sdu(struct l2cap_chan *chan,
1996 struct sk_buff_head *seg_queue,
1997 struct msghdr *msg, size_t len)
1998 {
1999 struct sk_buff *skb;
2000 u16 sdu_len;
2001 size_t pdu_len;
2002 int err = 0;
2003 u8 sar;
2004
2005 BT_DBG("chan %p, msg %p, len %d", chan, msg, (int)len);
2006
2007 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2008 * so fragmented skbs are not used. The HCI layer's handling
2009 * of fragmented skbs is not compatible with ERTM's queueing.
2010 */
2011
2012 /* PDU size is derived from the HCI MTU */
2013 pdu_len = chan->conn->mtu;
2014
2015 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2016
2017 /* Adjust for largest possible L2CAP overhead. */
2018 pdu_len -= L2CAP_EXT_HDR_SIZE + L2CAP_FCS_SIZE;
2019
2020 /* Remote device may have requested smaller PDUs */
2021 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2022
2023 if (len <= pdu_len) {
2024 sar = L2CAP_SAR_UNSEGMENTED;
2025 sdu_len = 0;
2026 pdu_len = len;
2027 } else {
2028 sar = L2CAP_SAR_START;
2029 sdu_len = len;
2030 pdu_len -= L2CAP_SDULEN_SIZE;
2031 }
2032
2033 while (len > 0) {
2034 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2035
2036 if (IS_ERR(skb)) {
2037 __skb_queue_purge(seg_queue);
2038 return PTR_ERR(skb);
2039 }
2040
2041 bt_cb(skb)->control.sar = sar;
2042 __skb_queue_tail(seg_queue, skb);
2043
2044 len -= pdu_len;
2045 if (sdu_len) {
2046 sdu_len = 0;
2047 pdu_len += L2CAP_SDULEN_SIZE;
2048 }
2049
2050 if (len <= pdu_len) {
2051 sar = L2CAP_SAR_END;
2052 pdu_len = len;
2053 } else {
2054 sar = L2CAP_SAR_CONTINUE;
2055 }
2056 }
2057
2058 return err;
2059 }
2060
2061 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2062 u32 priority)
2063 {
2064 struct sk_buff *skb;
2065 int err;
2066 struct sk_buff_head seg_queue;
2067
2068 /* Connectionless channel */
2069 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2070 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
2071 if (IS_ERR(skb))
2072 return PTR_ERR(skb);
2073
2074 l2cap_do_send(chan, skb);
2075 return len;
2076 }
2077
2078 switch (chan->mode) {
2079 case L2CAP_MODE_BASIC:
2080 /* Check outgoing MTU */
2081 if (len > chan->omtu)
2082 return -EMSGSIZE;
2083
2084 /* Create a basic PDU */
2085 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
2086 if (IS_ERR(skb))
2087 return PTR_ERR(skb);
2088
2089 l2cap_do_send(chan, skb);
2090 err = len;
2091 break;
2092
2093 case L2CAP_MODE_ERTM:
2094 case L2CAP_MODE_STREAMING:
2095 /* Check outgoing MTU */
2096 if (len > chan->omtu) {
2097 err = -EMSGSIZE;
2098 break;
2099 }
2100
2101 __skb_queue_head_init(&seg_queue);
2102
2103 /* Do segmentation before calling in to the state machine,
2104 * since it's possible to block while waiting for memory
2105 * allocation.
2106 */
2107 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2108
2109 /* The channel could have been closed while segmenting,
2110 * check that it is still connected.
2111 */
2112 if (chan->state != BT_CONNECTED) {
2113 __skb_queue_purge(&seg_queue);
2114 err = -ENOTCONN;
2115 }
2116
2117 if (err)
2118 break;
2119
2120 if (chan->mode == L2CAP_MODE_ERTM && chan->tx_send_head == NULL)
2121 chan->tx_send_head = seg_queue.next;
2122 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2123
2124 if (chan->mode == L2CAP_MODE_ERTM)
2125 err = l2cap_ertm_send(chan);
2126 else
2127 l2cap_streaming_send(chan);
2128
2129 if (err >= 0)
2130 err = len;
2131
2132 /* If the skbs were not queued for sending, they'll still be in
2133 * seg_queue and need to be purged.
2134 */
2135 __skb_queue_purge(&seg_queue);
2136 break;
2137
2138 default:
2139 BT_DBG("bad state %1.1x", chan->mode);
2140 err = -EBADFD;
2141 }
2142
2143 return err;
2144 }
2145
2146 /* Copy frame to all raw sockets on that connection */
2147 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2148 {
2149 struct sk_buff *nskb;
2150 struct l2cap_chan *chan;
2151
2152 BT_DBG("conn %p", conn);
2153
2154 mutex_lock(&conn->chan_lock);
2155
2156 list_for_each_entry(chan, &conn->chan_l, list) {
2157 struct sock *sk = chan->sk;
2158 if (chan->chan_type != L2CAP_CHAN_RAW)
2159 continue;
2160
2161 /* Don't send frame to the socket it came from */
2162 if (skb->sk == sk)
2163 continue;
2164 nskb = skb_clone(skb, GFP_ATOMIC);
2165 if (!nskb)
2166 continue;
2167
2168 if (chan->ops->recv(chan->data, nskb))
2169 kfree_skb(nskb);
2170 }
2171
2172 mutex_unlock(&conn->chan_lock);
2173 }
2174
2175 /* ---- L2CAP signalling commands ---- */
2176 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2177 u8 code, u8 ident, u16 dlen, void *data)
2178 {
2179 struct sk_buff *skb, **frag;
2180 struct l2cap_cmd_hdr *cmd;
2181 struct l2cap_hdr *lh;
2182 int len, count;
2183
2184 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2185 conn, code, ident, dlen);
2186
2187 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2188 count = min_t(unsigned int, conn->mtu, len);
2189
2190 skb = bt_skb_alloc(count, GFP_ATOMIC);
2191 if (!skb)
2192 return NULL;
2193
2194 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2195 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2196
2197 if (conn->hcon->type == LE_LINK)
2198 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2199 else
2200 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2201
2202 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2203 cmd->code = code;
2204 cmd->ident = ident;
2205 cmd->len = cpu_to_le16(dlen);
2206
2207 if (dlen) {
2208 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2209 memcpy(skb_put(skb, count), data, count);
2210 data += count;
2211 }
2212
2213 len -= skb->len;
2214
2215 /* Continuation fragments (no L2CAP header) */
2216 frag = &skb_shinfo(skb)->frag_list;
2217 while (len) {
2218 count = min_t(unsigned int, conn->mtu, len);
2219
2220 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2221 if (!*frag)
2222 goto fail;
2223
2224 memcpy(skb_put(*frag, count), data, count);
2225
2226 len -= count;
2227 data += count;
2228
2229 frag = &(*frag)->next;
2230 }
2231
2232 return skb;
2233
2234 fail:
2235 kfree_skb(skb);
2236 return NULL;
2237 }
2238
2239 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2240 {
2241 struct l2cap_conf_opt *opt = *ptr;
2242 int len;
2243
2244 len = L2CAP_CONF_OPT_SIZE + opt->len;
2245 *ptr += len;
2246
2247 *type = opt->type;
2248 *olen = opt->len;
2249
2250 switch (opt->len) {
2251 case 1:
2252 *val = *((u8 *) opt->val);
2253 break;
2254
2255 case 2:
2256 *val = get_unaligned_le16(opt->val);
2257 break;
2258
2259 case 4:
2260 *val = get_unaligned_le32(opt->val);
2261 break;
2262
2263 default:
2264 *val = (unsigned long) opt->val;
2265 break;
2266 }
2267
2268 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2269 return len;
2270 }
2271
2272 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2273 {
2274 struct l2cap_conf_opt *opt = *ptr;
2275
2276 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2277
2278 opt->type = type;
2279 opt->len = len;
2280
2281 switch (len) {
2282 case 1:
2283 *((u8 *) opt->val) = val;
2284 break;
2285
2286 case 2:
2287 put_unaligned_le16(val, opt->val);
2288 break;
2289
2290 case 4:
2291 put_unaligned_le32(val, opt->val);
2292 break;
2293
2294 default:
2295 memcpy(opt->val, (void *) val, len);
2296 break;
2297 }
2298
2299 *ptr += L2CAP_CONF_OPT_SIZE + len;
2300 }
2301
2302 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2303 {
2304 struct l2cap_conf_efs efs;
2305
2306 switch (chan->mode) {
2307 case L2CAP_MODE_ERTM:
2308 efs.id = chan->local_id;
2309 efs.stype = chan->local_stype;
2310 efs.msdu = cpu_to_le16(chan->local_msdu);
2311 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2312 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2313 efs.flush_to = cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
2314 break;
2315
2316 case L2CAP_MODE_STREAMING:
2317 efs.id = 1;
2318 efs.stype = L2CAP_SERV_BESTEFFORT;
2319 efs.msdu = cpu_to_le16(chan->local_msdu);
2320 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2321 efs.acc_lat = 0;
2322 efs.flush_to = 0;
2323 break;
2324
2325 default:
2326 return;
2327 }
2328
2329 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
2330 (unsigned long) &efs);
2331 }
2332
2333 static void l2cap_ack_timeout(struct work_struct *work)
2334 {
2335 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2336 ack_timer.work);
2337
2338 BT_DBG("chan %p", chan);
2339
2340 l2cap_chan_lock(chan);
2341
2342 __l2cap_send_ack(chan);
2343
2344 l2cap_chan_unlock(chan);
2345
2346 l2cap_chan_put(chan);
2347 }
2348
2349 static inline int l2cap_ertm_init(struct l2cap_chan *chan)
2350 {
2351 int err;
2352
2353 chan->next_tx_seq = 0;
2354 chan->expected_tx_seq = 0;
2355 chan->expected_ack_seq = 0;
2356 chan->unacked_frames = 0;
2357 chan->buffer_seq = 0;
2358 chan->num_acked = 0;
2359 chan->frames_sent = 0;
2360 chan->last_acked_seq = 0;
2361 chan->sdu = NULL;
2362 chan->sdu_last_frag = NULL;
2363 chan->sdu_len = 0;
2364
2365 skb_queue_head_init(&chan->tx_q);
2366
2367 if (chan->mode != L2CAP_MODE_ERTM)
2368 return 0;
2369
2370 chan->rx_state = L2CAP_RX_STATE_RECV;
2371 chan->tx_state = L2CAP_TX_STATE_XMIT;
2372
2373 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
2374 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
2375 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
2376
2377 skb_queue_head_init(&chan->srej_q);
2378
2379 INIT_LIST_HEAD(&chan->srej_l);
2380 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
2381 if (err < 0)
2382 return err;
2383
2384 return l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
2385 }
2386
2387 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2388 {
2389 switch (mode) {
2390 case L2CAP_MODE_STREAMING:
2391 case L2CAP_MODE_ERTM:
2392 if (l2cap_mode_supported(mode, remote_feat_mask))
2393 return mode;
2394 /* fall through */
2395 default:
2396 return L2CAP_MODE_BASIC;
2397 }
2398 }
2399
2400 static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
2401 {
2402 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
2403 }
2404
2405 static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
2406 {
2407 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
2408 }
2409
2410 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
2411 {
2412 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
2413 __l2cap_ews_supported(chan)) {
2414 /* use extended control field */
2415 set_bit(FLAG_EXT_CTRL, &chan->flags);
2416 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2417 } else {
2418 chan->tx_win = min_t(u16, chan->tx_win,
2419 L2CAP_DEFAULT_TX_WINDOW);
2420 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
2421 }
2422 }
2423
2424 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
2425 {
2426 struct l2cap_conf_req *req = data;
2427 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
2428 void *ptr = req->data;
2429 u16 size;
2430
2431 BT_DBG("chan %p", chan);
2432
2433 if (chan->num_conf_req || chan->num_conf_rsp)
2434 goto done;
2435
2436 switch (chan->mode) {
2437 case L2CAP_MODE_STREAMING:
2438 case L2CAP_MODE_ERTM:
2439 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
2440 break;
2441
2442 if (__l2cap_efs_supported(chan))
2443 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2444
2445 /* fall through */
2446 default:
2447 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
2448 break;
2449 }
2450
2451 done:
2452 if (chan->imtu != L2CAP_DEFAULT_MTU)
2453 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2454
2455 switch (chan->mode) {
2456 case L2CAP_MODE_BASIC:
2457 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
2458 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
2459 break;
2460
2461 rfc.mode = L2CAP_MODE_BASIC;
2462 rfc.txwin_size = 0;
2463 rfc.max_transmit = 0;
2464 rfc.retrans_timeout = 0;
2465 rfc.monitor_timeout = 0;
2466 rfc.max_pdu_size = 0;
2467
2468 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2469 (unsigned long) &rfc);
2470 break;
2471
2472 case L2CAP_MODE_ERTM:
2473 rfc.mode = L2CAP_MODE_ERTM;
2474 rfc.max_transmit = chan->max_tx;
2475 rfc.retrans_timeout = 0;
2476 rfc.monitor_timeout = 0;
2477
2478 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2479 L2CAP_EXT_HDR_SIZE -
2480 L2CAP_SDULEN_SIZE -
2481 L2CAP_FCS_SIZE);
2482 rfc.max_pdu_size = cpu_to_le16(size);
2483
2484 l2cap_txwin_setup(chan);
2485
2486 rfc.txwin_size = min_t(u16, chan->tx_win,
2487 L2CAP_DEFAULT_TX_WINDOW);
2488
2489 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2490 (unsigned long) &rfc);
2491
2492 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2493 l2cap_add_opt_efs(&ptr, chan);
2494
2495 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2496 break;
2497
2498 if (chan->fcs == L2CAP_FCS_NONE ||
2499 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2500 chan->fcs = L2CAP_FCS_NONE;
2501 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2502 }
2503
2504 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2505 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2506 chan->tx_win);
2507 break;
2508
2509 case L2CAP_MODE_STREAMING:
2510 rfc.mode = L2CAP_MODE_STREAMING;
2511 rfc.txwin_size = 0;
2512 rfc.max_transmit = 0;
2513 rfc.retrans_timeout = 0;
2514 rfc.monitor_timeout = 0;
2515
2516 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
2517 L2CAP_EXT_HDR_SIZE -
2518 L2CAP_SDULEN_SIZE -
2519 L2CAP_FCS_SIZE);
2520 rfc.max_pdu_size = cpu_to_le16(size);
2521
2522 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2523 (unsigned long) &rfc);
2524
2525 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
2526 l2cap_add_opt_efs(&ptr, chan);
2527
2528 if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
2529 break;
2530
2531 if (chan->fcs == L2CAP_FCS_NONE ||
2532 test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
2533 chan->fcs = L2CAP_FCS_NONE;
2534 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
2535 }
2536 break;
2537 }
2538
2539 req->dcid = cpu_to_le16(chan->dcid);
2540 req->flags = cpu_to_le16(0);
2541
2542 return ptr - data;
2543 }
2544
2545 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
2546 {
2547 struct l2cap_conf_rsp *rsp = data;
2548 void *ptr = rsp->data;
2549 void *req = chan->conf_req;
2550 int len = chan->conf_len;
2551 int type, hint, olen;
2552 unsigned long val;
2553 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2554 struct l2cap_conf_efs efs;
2555 u8 remote_efs = 0;
2556 u16 mtu = L2CAP_DEFAULT_MTU;
2557 u16 result = L2CAP_CONF_SUCCESS;
2558 u16 size;
2559
2560 BT_DBG("chan %p", chan);
2561
2562 while (len >= L2CAP_CONF_OPT_SIZE) {
2563 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2564
2565 hint = type & L2CAP_CONF_HINT;
2566 type &= L2CAP_CONF_MASK;
2567
2568 switch (type) {
2569 case L2CAP_CONF_MTU:
2570 mtu = val;
2571 break;
2572
2573 case L2CAP_CONF_FLUSH_TO:
2574 chan->flush_to = val;
2575 break;
2576
2577 case L2CAP_CONF_QOS:
2578 break;
2579
2580 case L2CAP_CONF_RFC:
2581 if (olen == sizeof(rfc))
2582 memcpy(&rfc, (void *) val, olen);
2583 break;
2584
2585 case L2CAP_CONF_FCS:
2586 if (val == L2CAP_FCS_NONE)
2587 set_bit(CONF_NO_FCS_RECV, &chan->conf_state);
2588 break;
2589
2590 case L2CAP_CONF_EFS:
2591 remote_efs = 1;
2592 if (olen == sizeof(efs))
2593 memcpy(&efs, (void *) val, olen);
2594 break;
2595
2596 case L2CAP_CONF_EWS:
2597 if (!enable_hs)
2598 return -ECONNREFUSED;
2599
2600 set_bit(FLAG_EXT_CTRL, &chan->flags);
2601 set_bit(CONF_EWS_RECV, &chan->conf_state);
2602 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2603 chan->remote_tx_win = val;
2604 break;
2605
2606 default:
2607 if (hint)
2608 break;
2609
2610 result = L2CAP_CONF_UNKNOWN;
2611 *((u8 *) ptr++) = type;
2612 break;
2613 }
2614 }
2615
2616 if (chan->num_conf_rsp || chan->num_conf_req > 1)
2617 goto done;
2618
2619 switch (chan->mode) {
2620 case L2CAP_MODE_STREAMING:
2621 case L2CAP_MODE_ERTM:
2622 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
2623 chan->mode = l2cap_select_mode(rfc.mode,
2624 chan->conn->feat_mask);
2625 break;
2626 }
2627
2628 if (remote_efs) {
2629 if (__l2cap_efs_supported(chan))
2630 set_bit(FLAG_EFS_ENABLE, &chan->flags);
2631 else
2632 return -ECONNREFUSED;
2633 }
2634
2635 if (chan->mode != rfc.mode)
2636 return -ECONNREFUSED;
2637
2638 break;
2639 }
2640
2641 done:
2642 if (chan->mode != rfc.mode) {
2643 result = L2CAP_CONF_UNACCEPT;
2644 rfc.mode = chan->mode;
2645
2646 if (chan->num_conf_rsp == 1)
2647 return -ECONNREFUSED;
2648
2649 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2650 sizeof(rfc), (unsigned long) &rfc);
2651 }
2652
2653 if (result == L2CAP_CONF_SUCCESS) {
2654 /* Configure output options and let the other side know
2655 * which ones we don't like. */
2656
2657 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2658 result = L2CAP_CONF_UNACCEPT;
2659 else {
2660 chan->omtu = mtu;
2661 set_bit(CONF_MTU_DONE, &chan->conf_state);
2662 }
2663 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
2664
2665 if (remote_efs) {
2666 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2667 efs.stype != L2CAP_SERV_NOTRAFIC &&
2668 efs.stype != chan->local_stype) {
2669
2670 result = L2CAP_CONF_UNACCEPT;
2671
2672 if (chan->num_conf_req >= 1)
2673 return -ECONNREFUSED;
2674
2675 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2676 sizeof(efs),
2677 (unsigned long) &efs);
2678 } else {
2679 /* Send PENDING Conf Rsp */
2680 result = L2CAP_CONF_PENDING;
2681 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
2682 }
2683 }
2684
2685 switch (rfc.mode) {
2686 case L2CAP_MODE_BASIC:
2687 chan->fcs = L2CAP_FCS_NONE;
2688 set_bit(CONF_MODE_DONE, &chan->conf_state);
2689 break;
2690
2691 case L2CAP_MODE_ERTM:
2692 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
2693 chan->remote_tx_win = rfc.txwin_size;
2694 else
2695 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
2696
2697 chan->remote_max_tx = rfc.max_transmit;
2698
2699 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2700 chan->conn->mtu -
2701 L2CAP_EXT_HDR_SIZE -
2702 L2CAP_SDULEN_SIZE -
2703 L2CAP_FCS_SIZE);
2704 rfc.max_pdu_size = cpu_to_le16(size);
2705 chan->remote_mps = size;
2706
2707 rfc.retrans_timeout =
2708 __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2709 rfc.monitor_timeout =
2710 __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2711
2712 set_bit(CONF_MODE_DONE, &chan->conf_state);
2713
2714 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2715 sizeof(rfc), (unsigned long) &rfc);
2716
2717 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2718 chan->remote_id = efs.id;
2719 chan->remote_stype = efs.stype;
2720 chan->remote_msdu = le16_to_cpu(efs.msdu);
2721 chan->remote_flush_to =
2722 le32_to_cpu(efs.flush_to);
2723 chan->remote_acc_lat =
2724 le32_to_cpu(efs.acc_lat);
2725 chan->remote_sdu_itime =
2726 le32_to_cpu(efs.sdu_itime);
2727 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2728 sizeof(efs), (unsigned long) &efs);
2729 }
2730 break;
2731
2732 case L2CAP_MODE_STREAMING:
2733 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
2734 chan->conn->mtu -
2735 L2CAP_EXT_HDR_SIZE -
2736 L2CAP_SDULEN_SIZE -
2737 L2CAP_FCS_SIZE);
2738 rfc.max_pdu_size = cpu_to_le16(size);
2739 chan->remote_mps = size;
2740
2741 set_bit(CONF_MODE_DONE, &chan->conf_state);
2742
2743 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2744 sizeof(rfc), (unsigned long) &rfc);
2745
2746 break;
2747
2748 default:
2749 result = L2CAP_CONF_UNACCEPT;
2750
2751 memset(&rfc, 0, sizeof(rfc));
2752 rfc.mode = chan->mode;
2753 }
2754
2755 if (result == L2CAP_CONF_SUCCESS)
2756 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
2757 }
2758 rsp->scid = cpu_to_le16(chan->dcid);
2759 rsp->result = cpu_to_le16(result);
2760 rsp->flags = cpu_to_le16(0x0000);
2761
2762 return ptr - data;
2763 }
2764
2765 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
2766 {
2767 struct l2cap_conf_req *req = data;
2768 void *ptr = req->data;
2769 int type, olen;
2770 unsigned long val;
2771 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
2772 struct l2cap_conf_efs efs;
2773
2774 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
2775
2776 while (len >= L2CAP_CONF_OPT_SIZE) {
2777 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2778
2779 switch (type) {
2780 case L2CAP_CONF_MTU:
2781 if (val < L2CAP_DEFAULT_MIN_MTU) {
2782 *result = L2CAP_CONF_UNACCEPT;
2783 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
2784 } else
2785 chan->imtu = val;
2786 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
2787 break;
2788
2789 case L2CAP_CONF_FLUSH_TO:
2790 chan->flush_to = val;
2791 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2792 2, chan->flush_to);
2793 break;
2794
2795 case L2CAP_CONF_RFC:
2796 if (olen == sizeof(rfc))
2797 memcpy(&rfc, (void *)val, olen);
2798
2799 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2800 rfc.mode != chan->mode)
2801 return -ECONNREFUSED;
2802
2803 chan->fcs = 0;
2804
2805 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2806 sizeof(rfc), (unsigned long) &rfc);
2807 break;
2808
2809 case L2CAP_CONF_EWS:
2810 chan->tx_win = min_t(u16, val,
2811 L2CAP_DEFAULT_EXT_WINDOW);
2812 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2813 chan->tx_win);
2814 break;
2815
2816 case L2CAP_CONF_EFS:
2817 if (olen == sizeof(efs))
2818 memcpy(&efs, (void *)val, olen);
2819
2820 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2821 efs.stype != L2CAP_SERV_NOTRAFIC &&
2822 efs.stype != chan->local_stype)
2823 return -ECONNREFUSED;
2824
2825 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
2826 sizeof(efs), (unsigned long) &efs);
2827 break;
2828 }
2829 }
2830
2831 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
2832 return -ECONNREFUSED;
2833
2834 chan->mode = rfc.mode;
2835
2836 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
2837 switch (rfc.mode) {
2838 case L2CAP_MODE_ERTM:
2839 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2840 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2841 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2842
2843 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
2844 chan->local_msdu = le16_to_cpu(efs.msdu);
2845 chan->local_sdu_itime =
2846 le32_to_cpu(efs.sdu_itime);
2847 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
2848 chan->local_flush_to =
2849 le32_to_cpu(efs.flush_to);
2850 }
2851 break;
2852
2853 case L2CAP_MODE_STREAMING:
2854 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2855 }
2856 }
2857
2858 req->dcid = cpu_to_le16(chan->dcid);
2859 req->flags = cpu_to_le16(0x0000);
2860
2861 return ptr - data;
2862 }
2863
2864 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
2865 {
2866 struct l2cap_conf_rsp *rsp = data;
2867 void *ptr = rsp->data;
2868
2869 BT_DBG("chan %p", chan);
2870
2871 rsp->scid = cpu_to_le16(chan->dcid);
2872 rsp->result = cpu_to_le16(result);
2873 rsp->flags = cpu_to_le16(flags);
2874
2875 return ptr - data;
2876 }
2877
2878 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
2879 {
2880 struct l2cap_conn_rsp rsp;
2881 struct l2cap_conn *conn = chan->conn;
2882 u8 buf[128];
2883
2884 rsp.scid = cpu_to_le16(chan->dcid);
2885 rsp.dcid = cpu_to_le16(chan->scid);
2886 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
2887 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
2888 l2cap_send_cmd(conn, chan->ident,
2889 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
2890
2891 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
2892 return;
2893
2894 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
2895 l2cap_build_conf_req(chan, buf), buf);
2896 chan->num_conf_req++;
2897 }
2898
2899 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
2900 {
2901 int type, olen;
2902 unsigned long val;
2903 struct l2cap_conf_rfc rfc;
2904
2905 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
2906
2907 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
2908 return;
2909
2910 while (len >= L2CAP_CONF_OPT_SIZE) {
2911 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2912
2913 switch (type) {
2914 case L2CAP_CONF_RFC:
2915 if (olen == sizeof(rfc))
2916 memcpy(&rfc, (void *)val, olen);
2917 goto done;
2918 }
2919 }
2920
2921 /* Use sane default values in case a misbehaving remote device
2922 * did not send an RFC option.
2923 */
2924 rfc.mode = chan->mode;
2925 rfc.retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
2926 rfc.monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
2927 rfc.max_pdu_size = cpu_to_le16(chan->imtu);
2928
2929 BT_ERR("Expected RFC option was not found, using defaults");
2930
2931 done:
2932 switch (rfc.mode) {
2933 case L2CAP_MODE_ERTM:
2934 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2935 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
2936 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2937 break;
2938 case L2CAP_MODE_STREAMING:
2939 chan->mps = le16_to_cpu(rfc.max_pdu_size);
2940 }
2941 }
2942
2943 static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2944 {
2945 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
2946
2947 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
2948 return 0;
2949
2950 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2951 cmd->ident == conn->info_ident) {
2952 cancel_delayed_work(&conn->info_timer);
2953
2954 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2955 conn->info_ident = 0;
2956
2957 l2cap_conn_start(conn);
2958 }
2959
2960 return 0;
2961 }
2962
2963 static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2964 {
2965 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2966 struct l2cap_conn_rsp rsp;
2967 struct l2cap_chan *chan = NULL, *pchan;
2968 struct sock *parent, *sk = NULL;
2969 int result, status = L2CAP_CS_NO_INFO;
2970
2971 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
2972 __le16 psm = req->psm;
2973
2974 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
2975
2976 /* Check if we have socket listening on psm */
2977 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
2978 if (!pchan) {
2979 result = L2CAP_CR_BAD_PSM;
2980 goto sendresp;
2981 }
2982
2983 parent = pchan->sk;
2984
2985 mutex_lock(&conn->chan_lock);
2986 lock_sock(parent);
2987
2988 /* Check if the ACL is secure enough (if not SDP) */
2989 if (psm != cpu_to_le16(0x0001) &&
2990 !hci_conn_check_link_mode(conn->hcon)) {
2991 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
2992 result = L2CAP_CR_SEC_BLOCK;
2993 goto response;
2994 }
2995
2996 result = L2CAP_CR_NO_MEM;
2997
2998 /* Check for backlog size */
2999 if (sk_acceptq_is_full(parent)) {
3000 BT_DBG("backlog full %d", parent->sk_ack_backlog);
3001 goto response;
3002 }
3003
3004 chan = pchan->ops->new_connection(pchan->data);
3005 if (!chan)
3006 goto response;
3007
3008 sk = chan->sk;
3009
3010 /* Check if we already have channel with that dcid */
3011 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3012 sock_set_flag(sk, SOCK_ZAPPED);
3013 chan->ops->close(chan->data);
3014 goto response;
3015 }
3016
3017 hci_conn_hold(conn->hcon);
3018
3019 bacpy(&bt_sk(sk)->src, conn->src);
3020 bacpy(&bt_sk(sk)->dst, conn->dst);
3021 chan->psm = psm;
3022 chan->dcid = scid;
3023
3024 bt_accept_enqueue(parent, sk);
3025
3026 __l2cap_chan_add(conn, chan);
3027
3028 dcid = chan->scid;
3029
3030 __set_chan_timer(chan, sk->sk_sndtimeo);
3031
3032 chan->ident = cmd->ident;
3033
3034 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3035 if (l2cap_chan_check_security(chan)) {
3036 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
3037 __l2cap_state_change(chan, BT_CONNECT2);
3038 result = L2CAP_CR_PEND;
3039 status = L2CAP_CS_AUTHOR_PEND;
3040 parent->sk_data_ready(parent, 0);
3041 } else {
3042 __l2cap_state_change(chan, BT_CONFIG);
3043 result = L2CAP_CR_SUCCESS;
3044 status = L2CAP_CS_NO_INFO;
3045 }
3046 } else {
3047 __l2cap_state_change(chan, BT_CONNECT2);
3048 result = L2CAP_CR_PEND;
3049 status = L2CAP_CS_AUTHEN_PEND;
3050 }
3051 } else {
3052 __l2cap_state_change(chan, BT_CONNECT2);
3053 result = L2CAP_CR_PEND;
3054 status = L2CAP_CS_NO_INFO;
3055 }
3056
3057 response:
3058 release_sock(parent);
3059 mutex_unlock(&conn->chan_lock);
3060
3061 sendresp:
3062 rsp.scid = cpu_to_le16(scid);
3063 rsp.dcid = cpu_to_le16(dcid);
3064 rsp.result = cpu_to_le16(result);
3065 rsp.status = cpu_to_le16(status);
3066 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
3067
3068 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3069 struct l2cap_info_req info;
3070 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3071
3072 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3073 conn->info_ident = l2cap_get_ident(conn);
3074
3075 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3076
3077 l2cap_send_cmd(conn, conn->info_ident,
3078 L2CAP_INFO_REQ, sizeof(info), &info);
3079 }
3080
3081 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3082 result == L2CAP_CR_SUCCESS) {
3083 u8 buf[128];
3084 set_bit(CONF_REQ_SENT, &chan->conf_state);
3085 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3086 l2cap_build_conf_req(chan, buf), buf);
3087 chan->num_conf_req++;
3088 }
3089
3090 return 0;
3091 }
3092
3093 static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3094 {
3095 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3096 u16 scid, dcid, result, status;
3097 struct l2cap_chan *chan;
3098 u8 req[128];
3099 int err;
3100
3101 scid = __le16_to_cpu(rsp->scid);
3102 dcid = __le16_to_cpu(rsp->dcid);
3103 result = __le16_to_cpu(rsp->result);
3104 status = __le16_to_cpu(rsp->status);
3105
3106 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3107 dcid, scid, result, status);
3108
3109 mutex_lock(&conn->chan_lock);
3110
3111 if (scid) {
3112 chan = __l2cap_get_chan_by_scid(conn, scid);
3113 if (!chan) {
3114 err = -EFAULT;
3115 goto unlock;
3116 }
3117 } else {
3118 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3119 if (!chan) {
3120 err = -EFAULT;
3121 goto unlock;
3122 }
3123 }
3124
3125 err = 0;
3126
3127 l2cap_chan_lock(chan);
3128
3129 switch (result) {
3130 case L2CAP_CR_SUCCESS:
3131 l2cap_state_change(chan, BT_CONFIG);
3132 chan->ident = 0;
3133 chan->dcid = dcid;
3134 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3135
3136 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3137 break;
3138
3139 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3140 l2cap_build_conf_req(chan, req), req);
3141 chan->num_conf_req++;
3142 break;
3143
3144 case L2CAP_CR_PEND:
3145 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3146 break;
3147
3148 default:
3149 l2cap_chan_del(chan, ECONNREFUSED);
3150 break;
3151 }
3152
3153 l2cap_chan_unlock(chan);
3154
3155 unlock:
3156 mutex_unlock(&conn->chan_lock);
3157
3158 return err;
3159 }
3160
3161 static inline void set_default_fcs(struct l2cap_chan *chan)
3162 {
3163 /* FCS is enabled only in ERTM or streaming mode, if one or both
3164 * sides request it.
3165 */
3166 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3167 chan->fcs = L2CAP_FCS_NONE;
3168 else if (!test_bit(CONF_NO_FCS_RECV, &chan->conf_state))
3169 chan->fcs = L2CAP_FCS_CRC16;
3170 }
3171
3172 static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3173 {
3174 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3175 u16 dcid, flags;
3176 u8 rsp[64];
3177 struct l2cap_chan *chan;
3178 int len, err = 0;
3179
3180 dcid = __le16_to_cpu(req->dcid);
3181 flags = __le16_to_cpu(req->flags);
3182
3183 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3184
3185 chan = l2cap_get_chan_by_scid(conn, dcid);
3186 if (!chan)
3187 return -ENOENT;
3188
3189 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
3190 struct l2cap_cmd_rej_cid rej;
3191
3192 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
3193 rej.scid = cpu_to_le16(chan->scid);
3194 rej.dcid = cpu_to_le16(chan->dcid);
3195
3196 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3197 sizeof(rej), &rej);
3198 goto unlock;
3199 }
3200
3201 /* Reject if config buffer is too small. */
3202 len = cmd_len - sizeof(*req);
3203 if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
3204 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3205 l2cap_build_conf_rsp(chan, rsp,
3206 L2CAP_CONF_REJECT, flags), rsp);
3207 goto unlock;
3208 }
3209
3210 /* Store config. */
3211 memcpy(chan->conf_req + chan->conf_len, req->data, len);
3212 chan->conf_len += len;
3213
3214 if (flags & 0x0001) {
3215 /* Incomplete config. Send empty response. */
3216 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3217 l2cap_build_conf_rsp(chan, rsp,
3218 L2CAP_CONF_SUCCESS, 0x0001), rsp);
3219 goto unlock;
3220 }
3221
3222 /* Complete config. */
3223 len = l2cap_parse_conf_req(chan, rsp);
3224 if (len < 0) {
3225 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3226 goto unlock;
3227 }
3228
3229 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
3230 chan->num_conf_rsp++;
3231
3232 /* Reset config buffer. */
3233 chan->conf_len = 0;
3234
3235 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
3236 goto unlock;
3237
3238 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
3239 set_default_fcs(chan);
3240
3241 l2cap_state_change(chan, BT_CONNECTED);
3242
3243 if (chan->mode == L2CAP_MODE_ERTM ||
3244 chan->mode == L2CAP_MODE_STREAMING)
3245 err = l2cap_ertm_init(chan);
3246
3247 if (err < 0)
3248 l2cap_send_disconn_req(chan->conn, chan, -err);
3249 else
3250 l2cap_chan_ready(chan);
3251
3252 goto unlock;
3253 }
3254
3255 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
3256 u8 buf[64];
3257 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3258 l2cap_build_conf_req(chan, buf), buf);
3259 chan->num_conf_req++;
3260 }
3261
3262 /* Got Conf Rsp PENDING from remote side and asume we sent
3263 Conf Rsp PENDING in the code above */
3264 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
3265 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3266
3267 /* check compatibility */
3268
3269 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3270 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3271
3272 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3273 l2cap_build_conf_rsp(chan, rsp,
3274 L2CAP_CONF_SUCCESS, 0x0000), rsp);
3275 }
3276
3277 unlock:
3278 l2cap_chan_unlock(chan);
3279 return err;
3280 }
3281
3282 static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3283 {
3284 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3285 u16 scid, flags, result;
3286 struct l2cap_chan *chan;
3287 int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
3288 int err = 0;
3289
3290 scid = __le16_to_cpu(rsp->scid);
3291 flags = __le16_to_cpu(rsp->flags);
3292 result = __le16_to_cpu(rsp->result);
3293
3294 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
3295 result, len);
3296
3297 chan = l2cap_get_chan_by_scid(conn, scid);
3298 if (!chan)
3299 return 0;
3300
3301 switch (result) {
3302 case L2CAP_CONF_SUCCESS:
3303 l2cap_conf_rfc_get(chan, rsp->data, len);
3304 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3305 break;
3306
3307 case L2CAP_CONF_PENDING:
3308 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
3309
3310 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
3311 char buf[64];
3312
3313 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3314 buf, &result);
3315 if (len < 0) {
3316 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3317 goto done;
3318 }
3319
3320 /* check compatibility */
3321
3322 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3323 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3324
3325 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3326 l2cap_build_conf_rsp(chan, buf,
3327 L2CAP_CONF_SUCCESS, 0x0000), buf);
3328 }
3329 goto done;
3330
3331 case L2CAP_CONF_UNACCEPT:
3332 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
3333 char req[64];
3334
3335 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
3336 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3337 goto done;
3338 }
3339
3340 /* throw out any old stored conf requests */
3341 result = L2CAP_CONF_SUCCESS;
3342 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
3343 req, &result);
3344 if (len < 0) {
3345 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3346 goto done;
3347 }
3348
3349 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3350 L2CAP_CONF_REQ, len, req);
3351 chan->num_conf_req++;
3352 if (result != L2CAP_CONF_SUCCESS)
3353 goto done;
3354 break;
3355 }
3356
3357 default:
3358 l2cap_chan_set_err(chan, ECONNRESET);
3359
3360 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
3361 l2cap_send_disconn_req(conn, chan, ECONNRESET);
3362 goto done;
3363 }
3364
3365 if (flags & 0x01)
3366 goto done;
3367
3368 set_bit(CONF_INPUT_DONE, &chan->conf_state);
3369
3370 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
3371 set_default_fcs(chan);
3372
3373 l2cap_state_change(chan, BT_CONNECTED);
3374 if (chan->mode == L2CAP_MODE_ERTM ||
3375 chan->mode == L2CAP_MODE_STREAMING)
3376 err = l2cap_ertm_init(chan);
3377
3378 if (err < 0)
3379 l2cap_send_disconn_req(chan->conn, chan, -err);
3380 else
3381 l2cap_chan_ready(chan);
3382 }
3383
3384 done:
3385 l2cap_chan_unlock(chan);
3386 return err;
3387 }
3388
3389 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3390 {
3391 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3392 struct l2cap_disconn_rsp rsp;
3393 u16 dcid, scid;
3394 struct l2cap_chan *chan;
3395 struct sock *sk;
3396
3397 scid = __le16_to_cpu(req->scid);
3398 dcid = __le16_to_cpu(req->dcid);
3399
3400 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3401
3402 mutex_lock(&conn->chan_lock);
3403
3404 chan = __l2cap_get_chan_by_scid(conn, dcid);
3405 if (!chan) {
3406 mutex_unlock(&conn->chan_lock);
3407 return 0;
3408 }
3409
3410 l2cap_chan_lock(chan);
3411
3412 sk = chan->sk;
3413
3414 rsp.dcid = cpu_to_le16(chan->scid);
3415 rsp.scid = cpu_to_le16(chan->dcid);
3416 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3417
3418 lock_sock(sk);
3419 sk->sk_shutdown = SHUTDOWN_MASK;
3420 release_sock(sk);
3421
3422 l2cap_chan_hold(chan);
3423 l2cap_chan_del(chan, ECONNRESET);
3424
3425 l2cap_chan_unlock(chan);
3426
3427 chan->ops->close(chan->data);
3428 l2cap_chan_put(chan);
3429
3430 mutex_unlock(&conn->chan_lock);
3431
3432 return 0;
3433 }
3434
3435 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3436 {
3437 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3438 u16 dcid, scid;
3439 struct l2cap_chan *chan;
3440
3441 scid = __le16_to_cpu(rsp->scid);
3442 dcid = __le16_to_cpu(rsp->dcid);
3443
3444 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3445
3446 mutex_lock(&conn->chan_lock);
3447
3448 chan = __l2cap_get_chan_by_scid(conn, scid);
3449 if (!chan) {
3450 mutex_unlock(&conn->chan_lock);
3451 return 0;
3452 }
3453
3454 l2cap_chan_lock(chan);
3455
3456 l2cap_chan_hold(chan);
3457 l2cap_chan_del(chan, 0);
3458
3459 l2cap_chan_unlock(chan);
3460
3461 chan->ops->close(chan->data);
3462 l2cap_chan_put(chan);
3463
3464 mutex_unlock(&conn->chan_lock);
3465
3466 return 0;
3467 }
3468
3469 static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3470 {
3471 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
3472 u16 type;
3473
3474 type = __le16_to_cpu(req->type);
3475
3476 BT_DBG("type 0x%4.4x", type);
3477
3478 if (type == L2CAP_IT_FEAT_MASK) {
3479 u8 buf[8];
3480 u32 feat_mask = l2cap_feat_mask;
3481 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3482 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3483 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3484 if (!disable_ertm)
3485 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3486 | L2CAP_FEAT_FCS;
3487 if (enable_hs)
3488 feat_mask |= L2CAP_FEAT_EXT_FLOW
3489 | L2CAP_FEAT_EXT_WINDOW;
3490
3491 put_unaligned_le32(feat_mask, rsp->data);
3492 l2cap_send_cmd(conn, cmd->ident,
3493 L2CAP_INFO_RSP, sizeof(buf), buf);
3494 } else if (type == L2CAP_IT_FIXED_CHAN) {
3495 u8 buf[12];
3496 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3497
3498 if (enable_hs)
3499 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
3500 else
3501 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
3502
3503 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3504 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3505 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
3506 l2cap_send_cmd(conn, cmd->ident,
3507 L2CAP_INFO_RSP, sizeof(buf), buf);
3508 } else {
3509 struct l2cap_info_rsp rsp;
3510 rsp.type = cpu_to_le16(type);
3511 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3512 l2cap_send_cmd(conn, cmd->ident,
3513 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3514 }
3515
3516 return 0;
3517 }
3518
3519 static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3520 {
3521 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3522 u16 type, result;
3523
3524 type = __le16_to_cpu(rsp->type);
3525 result = __le16_to_cpu(rsp->result);
3526
3527 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3528
3529 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
3530 if (cmd->ident != conn->info_ident ||
3531 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3532 return 0;
3533
3534 cancel_delayed_work(&conn->info_timer);
3535
3536 if (result != L2CAP_IR_SUCCESS) {
3537 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3538 conn->info_ident = 0;
3539
3540 l2cap_conn_start(conn);
3541
3542 return 0;
3543 }
3544
3545 switch (type) {
3546 case L2CAP_IT_FEAT_MASK:
3547 conn->feat_mask = get_unaligned_le32(rsp->data);
3548
3549 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
3550 struct l2cap_info_req req;
3551 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3552
3553 conn->info_ident = l2cap_get_ident(conn);
3554
3555 l2cap_send_cmd(conn, conn->info_ident,
3556 L2CAP_INFO_REQ, sizeof(req), &req);
3557 } else {
3558 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3559 conn->info_ident = 0;
3560
3561 l2cap_conn_start(conn);
3562 }
3563 break;
3564
3565 case L2CAP_IT_FIXED_CHAN:
3566 conn->fixed_chan_mask = rsp->data[0];
3567 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3568 conn->info_ident = 0;
3569
3570 l2cap_conn_start(conn);
3571 break;
3572 }
3573
3574 return 0;
3575 }
3576
3577 static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
3578 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3579 void *data)
3580 {
3581 struct l2cap_create_chan_req *req = data;
3582 struct l2cap_create_chan_rsp rsp;
3583 u16 psm, scid;
3584
3585 if (cmd_len != sizeof(*req))
3586 return -EPROTO;
3587
3588 if (!enable_hs)
3589 return -EINVAL;
3590
3591 psm = le16_to_cpu(req->psm);
3592 scid = le16_to_cpu(req->scid);
3593
3594 BT_DBG("psm %d, scid %d, amp_id %d", psm, scid, req->amp_id);
3595
3596 /* Placeholder: Always reject */
3597 rsp.dcid = 0;
3598 rsp.scid = cpu_to_le16(scid);
3599 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
3600 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
3601
3602 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
3603 sizeof(rsp), &rsp);
3604
3605 return 0;
3606 }
3607
3608 static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
3609 struct l2cap_cmd_hdr *cmd, void *data)
3610 {
3611 BT_DBG("conn %p", conn);
3612
3613 return l2cap_connect_rsp(conn, cmd, data);
3614 }
3615
3616 static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
3617 u16 icid, u16 result)
3618 {
3619 struct l2cap_move_chan_rsp rsp;
3620
3621 BT_DBG("icid %d, result %d", icid, result);
3622
3623 rsp.icid = cpu_to_le16(icid);
3624 rsp.result = cpu_to_le16(result);
3625
3626 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
3627 }
3628
3629 static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
3630 struct l2cap_chan *chan, u16 icid, u16 result)
3631 {
3632 struct l2cap_move_chan_cfm cfm;
3633 u8 ident;
3634
3635 BT_DBG("icid %d, result %d", icid, result);
3636
3637 ident = l2cap_get_ident(conn);
3638 if (chan)
3639 chan->ident = ident;
3640
3641 cfm.icid = cpu_to_le16(icid);
3642 cfm.result = cpu_to_le16(result);
3643
3644 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
3645 }
3646
3647 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
3648 u16 icid)
3649 {
3650 struct l2cap_move_chan_cfm_rsp rsp;
3651
3652 BT_DBG("icid %d", icid);
3653
3654 rsp.icid = cpu_to_le16(icid);
3655 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
3656 }
3657
3658 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
3659 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3660 {
3661 struct l2cap_move_chan_req *req = data;
3662 u16 icid = 0;
3663 u16 result = L2CAP_MR_NOT_ALLOWED;
3664
3665 if (cmd_len != sizeof(*req))
3666 return -EPROTO;
3667
3668 icid = le16_to_cpu(req->icid);
3669
3670 BT_DBG("icid %d, dest_amp_id %d", icid, req->dest_amp_id);
3671
3672 if (!enable_hs)
3673 return -EINVAL;
3674
3675 /* Placeholder: Always refuse */
3676 l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
3677
3678 return 0;
3679 }
3680
3681 static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
3682 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3683 {
3684 struct l2cap_move_chan_rsp *rsp = data;
3685 u16 icid, result;
3686
3687 if (cmd_len != sizeof(*rsp))
3688 return -EPROTO;
3689
3690 icid = le16_to_cpu(rsp->icid);
3691 result = le16_to_cpu(rsp->result);
3692
3693 BT_DBG("icid %d, result %d", icid, result);
3694
3695 /* Placeholder: Always unconfirmed */
3696 l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
3697
3698 return 0;
3699 }
3700
3701 static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
3702 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3703 {
3704 struct l2cap_move_chan_cfm *cfm = data;
3705 u16 icid, result;
3706
3707 if (cmd_len != sizeof(*cfm))
3708 return -EPROTO;
3709
3710 icid = le16_to_cpu(cfm->icid);
3711 result = le16_to_cpu(cfm->result);
3712
3713 BT_DBG("icid %d, result %d", icid, result);
3714
3715 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
3716
3717 return 0;
3718 }
3719
3720 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
3721 struct l2cap_cmd_hdr *cmd, u16 cmd_len, void *data)
3722 {
3723 struct l2cap_move_chan_cfm_rsp *rsp = data;
3724 u16 icid;
3725
3726 if (cmd_len != sizeof(*rsp))
3727 return -EPROTO;
3728
3729 icid = le16_to_cpu(rsp->icid);
3730
3731 BT_DBG("icid %d", icid);
3732
3733 return 0;
3734 }
3735
3736 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
3737 u16 to_multiplier)
3738 {
3739 u16 max_latency;
3740
3741 if (min > max || min < 6 || max > 3200)
3742 return -EINVAL;
3743
3744 if (to_multiplier < 10 || to_multiplier > 3200)
3745 return -EINVAL;
3746
3747 if (max >= to_multiplier * 8)
3748 return -EINVAL;
3749
3750 max_latency = (to_multiplier * 8 / max) - 1;
3751 if (latency > 499 || latency > max_latency)
3752 return -EINVAL;
3753
3754 return 0;
3755 }
3756
3757 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
3758 struct l2cap_cmd_hdr *cmd, u8 *data)
3759 {
3760 struct hci_conn *hcon = conn->hcon;
3761 struct l2cap_conn_param_update_req *req;
3762 struct l2cap_conn_param_update_rsp rsp;
3763 u16 min, max, latency, to_multiplier, cmd_len;
3764 int err;
3765
3766 if (!(hcon->link_mode & HCI_LM_MASTER))
3767 return -EINVAL;
3768
3769 cmd_len = __le16_to_cpu(cmd->len);
3770 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
3771 return -EPROTO;
3772
3773 req = (struct l2cap_conn_param_update_req *) data;
3774 min = __le16_to_cpu(req->min);
3775 max = __le16_to_cpu(req->max);
3776 latency = __le16_to_cpu(req->latency);
3777 to_multiplier = __le16_to_cpu(req->to_multiplier);
3778
3779 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
3780 min, max, latency, to_multiplier);
3781
3782 memset(&rsp, 0, sizeof(rsp));
3783
3784 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
3785 if (err)
3786 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
3787 else
3788 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
3789
3790 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
3791 sizeof(rsp), &rsp);
3792
3793 if (!err)
3794 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
3795
3796 return 0;
3797 }
3798
3799 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
3800 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3801 {
3802 int err = 0;
3803
3804 switch (cmd->code) {
3805 case L2CAP_COMMAND_REJ:
3806 l2cap_command_rej(conn, cmd, data);
3807 break;
3808
3809 case L2CAP_CONN_REQ:
3810 err = l2cap_connect_req(conn, cmd, data);
3811 break;
3812
3813 case L2CAP_CONN_RSP:
3814 err = l2cap_connect_rsp(conn, cmd, data);
3815 break;
3816
3817 case L2CAP_CONF_REQ:
3818 err = l2cap_config_req(conn, cmd, cmd_len, data);
3819 break;
3820
3821 case L2CAP_CONF_RSP:
3822 err = l2cap_config_rsp(conn, cmd, data);
3823 break;
3824
3825 case L2CAP_DISCONN_REQ:
3826 err = l2cap_disconnect_req(conn, cmd, data);
3827 break;
3828
3829 case L2CAP_DISCONN_RSP:
3830 err = l2cap_disconnect_rsp(conn, cmd, data);
3831 break;
3832
3833 case L2CAP_ECHO_REQ:
3834 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
3835 break;
3836
3837 case L2CAP_ECHO_RSP:
3838 break;
3839
3840 case L2CAP_INFO_REQ:
3841 err = l2cap_information_req(conn, cmd, data);
3842 break;
3843
3844 case L2CAP_INFO_RSP:
3845 err = l2cap_information_rsp(conn, cmd, data);
3846 break;
3847
3848 case L2CAP_CREATE_CHAN_REQ:
3849 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
3850 break;
3851
3852 case L2CAP_CREATE_CHAN_RSP:
3853 err = l2cap_create_channel_rsp(conn, cmd, data);
3854 break;
3855
3856 case L2CAP_MOVE_CHAN_REQ:
3857 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
3858 break;
3859
3860 case L2CAP_MOVE_CHAN_RSP:
3861 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
3862 break;
3863
3864 case L2CAP_MOVE_CHAN_CFM:
3865 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
3866 break;
3867
3868 case L2CAP_MOVE_CHAN_CFM_RSP:
3869 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
3870 break;
3871
3872 default:
3873 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
3874 err = -EINVAL;
3875 break;
3876 }
3877
3878 return err;
3879 }
3880
3881 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
3882 struct l2cap_cmd_hdr *cmd, u8 *data)
3883 {
3884 switch (cmd->code) {
3885 case L2CAP_COMMAND_REJ:
3886 return 0;
3887
3888 case L2CAP_CONN_PARAM_UPDATE_REQ:
3889 return l2cap_conn_param_update_req(conn, cmd, data);
3890
3891 case L2CAP_CONN_PARAM_UPDATE_RSP:
3892 return 0;
3893
3894 default:
3895 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
3896 return -EINVAL;
3897 }
3898 }
3899
3900 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
3901 struct sk_buff *skb)
3902 {
3903 u8 *data = skb->data;
3904 int len = skb->len;
3905 struct l2cap_cmd_hdr cmd;
3906 int err;
3907
3908 l2cap_raw_recv(conn, skb);
3909
3910 while (len >= L2CAP_CMD_HDR_SIZE) {
3911 u16 cmd_len;
3912 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3913 data += L2CAP_CMD_HDR_SIZE;
3914 len -= L2CAP_CMD_HDR_SIZE;
3915
3916 cmd_len = le16_to_cpu(cmd.len);
3917
3918 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
3919
3920 if (cmd_len > len || !cmd.ident) {
3921 BT_DBG("corrupted command");
3922 break;
3923 }
3924
3925 if (conn->hcon->type == LE_LINK)
3926 err = l2cap_le_sig_cmd(conn, &cmd, data);
3927 else
3928 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
3929
3930 if (err) {
3931 struct l2cap_cmd_rej_unk rej;
3932
3933 BT_ERR("Wrong link type (%d)", err);
3934
3935 /* FIXME: Map err to a valid reason */
3936 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
3937 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3938 }
3939
3940 data += cmd_len;
3941 len -= cmd_len;
3942 }
3943
3944 kfree_skb(skb);
3945 }
3946
3947 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
3948 {
3949 u16 our_fcs, rcv_fcs;
3950 int hdr_size;
3951
3952 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3953 hdr_size = L2CAP_EXT_HDR_SIZE;
3954 else
3955 hdr_size = L2CAP_ENH_HDR_SIZE;
3956
3957 if (chan->fcs == L2CAP_FCS_CRC16) {
3958 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
3959 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3960 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3961
3962 if (our_fcs != rcv_fcs)
3963 return -EBADMSG;
3964 }
3965 return 0;
3966 }
3967
3968 static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
3969 {
3970 u32 control = 0;
3971
3972 chan->frames_sent = 0;
3973
3974 control |= __set_reqseq(chan, chan->buffer_seq);
3975
3976 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
3977 control |= __set_ctrl_super(chan, L2CAP_SUPER_RNR);
3978 l2cap_send_sframe(chan, control);
3979 set_bit(CONN_RNR_SENT, &chan->conn_state);
3980 }
3981
3982 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
3983 l2cap_retransmit_frames(chan);
3984
3985 l2cap_ertm_send(chan);
3986
3987 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
3988 chan->frames_sent == 0) {
3989 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
3990 l2cap_send_sframe(chan, control);
3991 }
3992 }
3993
3994 static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u16 tx_seq, u8 sar)
3995 {
3996 struct sk_buff *next_skb;
3997 int tx_seq_offset, next_tx_seq_offset;
3998
3999 bt_cb(skb)->control.txseq = tx_seq;
4000 bt_cb(skb)->control.sar = sar;
4001
4002 next_skb = skb_peek(&chan->srej_q);
4003
4004 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
4005
4006 while (next_skb) {
4007 if (bt_cb(next_skb)->control.txseq == tx_seq)
4008 return -EINVAL;
4009
4010 next_tx_seq_offset = __seq_offset(chan,
4011 bt_cb(next_skb)->control.txseq, chan->buffer_seq);
4012
4013 if (next_tx_seq_offset > tx_seq_offset) {
4014 __skb_queue_before(&chan->srej_q, next_skb, skb);
4015 return 0;
4016 }
4017
4018 if (skb_queue_is_last(&chan->srej_q, next_skb))
4019 next_skb = NULL;
4020 else
4021 next_skb = skb_queue_next(&chan->srej_q, next_skb);
4022 }
4023
4024 __skb_queue_tail(&chan->srej_q, skb);
4025
4026 return 0;
4027 }
4028
4029 static void append_skb_frag(struct sk_buff *skb,
4030 struct sk_buff *new_frag, struct sk_buff **last_frag)
4031 {
4032 /* skb->len reflects data in skb as well as all fragments
4033 * skb->data_len reflects only data in fragments
4034 */
4035 if (!skb_has_frag_list(skb))
4036 skb_shinfo(skb)->frag_list = new_frag;
4037
4038 new_frag->next = NULL;
4039
4040 (*last_frag)->next = new_frag;
4041 *last_frag = new_frag;
4042
4043 skb->len += new_frag->len;
4044 skb->data_len += new_frag->len;
4045 skb->truesize += new_frag->truesize;
4046 }
4047
4048 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u32 control)
4049 {
4050 int err = -EINVAL;
4051
4052 switch (__get_ctrl_sar(chan, control)) {
4053 case L2CAP_SAR_UNSEGMENTED:
4054 if (chan->sdu)
4055 break;
4056
4057 err = chan->ops->recv(chan->data, skb);
4058 break;
4059
4060 case L2CAP_SAR_START:
4061 if (chan->sdu)
4062 break;
4063
4064 chan->sdu_len = get_unaligned_le16(skb->data);
4065 skb_pull(skb, L2CAP_SDULEN_SIZE);
4066
4067 if (chan->sdu_len > chan->imtu) {
4068 err = -EMSGSIZE;
4069 break;
4070 }
4071
4072 if (skb->len >= chan->sdu_len)
4073 break;
4074
4075 chan->sdu = skb;
4076 chan->sdu_last_frag = skb;
4077
4078 skb = NULL;
4079 err = 0;
4080 break;
4081
4082 case L2CAP_SAR_CONTINUE:
4083 if (!chan->sdu)
4084 break;
4085
4086 append_skb_frag(chan->sdu, skb,
4087 &chan->sdu_last_frag);
4088 skb = NULL;
4089
4090 if (chan->sdu->len >= chan->sdu_len)
4091 break;
4092
4093 err = 0;
4094 break;
4095
4096 case L2CAP_SAR_END:
4097 if (!chan->sdu)
4098 break;
4099
4100 append_skb_frag(chan->sdu, skb,
4101 &chan->sdu_last_frag);
4102 skb = NULL;
4103
4104 if (chan->sdu->len != chan->sdu_len)
4105 break;
4106
4107 err = chan->ops->recv(chan->data, chan->sdu);
4108
4109 if (!err) {
4110 /* Reassembly complete */
4111 chan->sdu = NULL;
4112 chan->sdu_last_frag = NULL;
4113 chan->sdu_len = 0;
4114 }
4115 break;
4116 }
4117
4118 if (err) {
4119 kfree_skb(skb);
4120 kfree_skb(chan->sdu);
4121 chan->sdu = NULL;
4122 chan->sdu_last_frag = NULL;
4123 chan->sdu_len = 0;
4124 }
4125
4126 return err;
4127 }
4128
4129 static void l2cap_ertm_enter_local_busy(struct l2cap_chan *chan)
4130 {
4131 BT_DBG("chan %p, Enter local busy", chan);
4132
4133 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4134 l2cap_seq_list_clear(&chan->srej_list);
4135
4136 __set_ack_timer(chan);
4137 }
4138
4139 static void l2cap_ertm_exit_local_busy(struct l2cap_chan *chan)
4140 {
4141 u32 control;
4142
4143 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4144 goto done;
4145
4146 control = __set_reqseq(chan, chan->buffer_seq);
4147 control |= __set_ctrl_poll(chan);
4148 control |= __set_ctrl_super(chan, L2CAP_SUPER_RR);
4149 l2cap_send_sframe(chan, control);
4150 chan->retry_count = 1;
4151
4152 __clear_retrans_timer(chan);
4153 __set_monitor_timer(chan);
4154
4155 set_bit(CONN_WAIT_F, &chan->conn_state);
4156
4157 done:
4158 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
4159 clear_bit(CONN_RNR_SENT, &chan->conn_state);
4160
4161 BT_DBG("chan %p, Exit local busy", chan);
4162 }
4163
4164 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
4165 {
4166 if (chan->mode == L2CAP_MODE_ERTM) {
4167 if (busy)
4168 l2cap_ertm_enter_local_busy(chan);
4169 else
4170 l2cap_ertm_exit_local_busy(chan);
4171 }
4172 }
4173
4174 static void l2cap_check_srej_gap(struct l2cap_chan *chan, u16 tx_seq)
4175 {
4176 struct sk_buff *skb;
4177 u32 control;
4178
4179 while ((skb = skb_peek(&chan->srej_q)) &&
4180 !test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4181 int err;
4182
4183 if (bt_cb(skb)->control.txseq != tx_seq)
4184 break;
4185
4186 skb = skb_dequeue(&chan->srej_q);
4187 control = __set_ctrl_sar(chan, bt_cb(skb)->control.sar);
4188 err = l2cap_reassemble_sdu(chan, skb, control);
4189
4190 if (err < 0) {
4191 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4192 break;
4193 }
4194
4195 chan->buffer_seq_srej = __next_seq(chan, chan->buffer_seq_srej);
4196 tx_seq = __next_seq(chan, tx_seq);
4197 }
4198 }
4199
4200 static void l2cap_resend_srejframe(struct l2cap_chan *chan, u16 tx_seq)
4201 {
4202 struct srej_list *l, *tmp;
4203 u32 control;
4204
4205 list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
4206 if (l->tx_seq == tx_seq) {
4207 list_del(&l->list);
4208 kfree(l);
4209 return;
4210 }
4211 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
4212 control |= __set_reqseq(chan, l->tx_seq);
4213 l2cap_send_sframe(chan, control);
4214 list_del(&l->list);
4215 list_add_tail(&l->list, &chan->srej_l);
4216 }
4217 }
4218
4219 static int l2cap_send_srejframe(struct l2cap_chan *chan, u16 tx_seq)
4220 {
4221 struct srej_list *new;
4222 u32 control;
4223
4224 while (tx_seq != chan->expected_tx_seq) {
4225 control = __set_ctrl_super(chan, L2CAP_SUPER_SREJ);
4226 control |= __set_reqseq(chan, chan->expected_tx_seq);
4227 l2cap_seq_list_append(&chan->srej_list, chan->expected_tx_seq);
4228 l2cap_send_sframe(chan, control);
4229
4230 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
4231 if (!new)
4232 return -ENOMEM;
4233
4234 new->tx_seq = chan->expected_tx_seq;
4235
4236 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4237
4238 list_add_tail(&new->list, &chan->srej_l);
4239 }
4240
4241 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4242
4243 return 0;
4244 }
4245
4246 static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
4247 {
4248 u16 tx_seq = __get_txseq(chan, rx_control);
4249 u16 req_seq = __get_reqseq(chan, rx_control);
4250 u8 sar = __get_ctrl_sar(chan, rx_control);
4251 int tx_seq_offset, expected_tx_seq_offset;
4252 int num_to_ack = (chan->tx_win/6) + 1;
4253 int err = 0;
4254
4255 BT_DBG("chan %p len %d tx_seq %d rx_control 0x%8.8x", chan, skb->len,
4256 tx_seq, rx_control);
4257
4258 if (__is_ctrl_final(chan, rx_control) &&
4259 test_bit(CONN_WAIT_F, &chan->conn_state)) {
4260 __clear_monitor_timer(chan);
4261 if (chan->unacked_frames > 0)
4262 __set_retrans_timer(chan);
4263 clear_bit(CONN_WAIT_F, &chan->conn_state);
4264 }
4265
4266 chan->expected_ack_seq = req_seq;
4267 l2cap_drop_acked_frames(chan);
4268
4269 tx_seq_offset = __seq_offset(chan, tx_seq, chan->buffer_seq);
4270
4271 /* invalid tx_seq */
4272 if (tx_seq_offset >= chan->tx_win) {
4273 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4274 goto drop;
4275 }
4276
4277 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4278 if (!test_bit(CONN_RNR_SENT, &chan->conn_state))
4279 l2cap_send_ack(chan);
4280 goto drop;
4281 }
4282
4283 if (tx_seq == chan->expected_tx_seq)
4284 goto expected;
4285
4286 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4287 struct srej_list *first;
4288
4289 first = list_first_entry(&chan->srej_l,
4290 struct srej_list, list);
4291 if (tx_seq == first->tx_seq) {
4292 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
4293 l2cap_check_srej_gap(chan, tx_seq);
4294
4295 list_del(&first->list);
4296 kfree(first);
4297
4298 if (list_empty(&chan->srej_l)) {
4299 chan->buffer_seq = chan->buffer_seq_srej;
4300 clear_bit(CONN_SREJ_SENT, &chan->conn_state);
4301 l2cap_send_ack(chan);
4302 BT_DBG("chan %p, Exit SREJ_SENT", chan);
4303 }
4304 } else {
4305 struct srej_list *l;
4306
4307 /* duplicated tx_seq */
4308 if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
4309 goto drop;
4310
4311 list_for_each_entry(l, &chan->srej_l, list) {
4312 if (l->tx_seq == tx_seq) {
4313 l2cap_resend_srejframe(chan, tx_seq);
4314 return 0;
4315 }
4316 }
4317
4318 err = l2cap_send_srejframe(chan, tx_seq);
4319 if (err < 0) {
4320 l2cap_send_disconn_req(chan->conn, chan, -err);
4321 return err;
4322 }
4323 }
4324 } else {
4325 expected_tx_seq_offset = __seq_offset(chan,
4326 chan->expected_tx_seq, chan->buffer_seq);
4327
4328 /* duplicated tx_seq */
4329 if (tx_seq_offset < expected_tx_seq_offset)
4330 goto drop;
4331
4332 set_bit(CONN_SREJ_SENT, &chan->conn_state);
4333
4334 BT_DBG("chan %p, Enter SREJ", chan);
4335
4336 INIT_LIST_HEAD(&chan->srej_l);
4337 chan->buffer_seq_srej = chan->buffer_seq;
4338
4339 __skb_queue_head_init(&chan->srej_q);
4340 l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
4341
4342 /* Set P-bit only if there are some I-frames to ack. */
4343 if (__clear_ack_timer(chan))
4344 set_bit(CONN_SEND_PBIT, &chan->conn_state);
4345
4346 err = l2cap_send_srejframe(chan, tx_seq);
4347 if (err < 0) {
4348 l2cap_send_disconn_req(chan->conn, chan, -err);
4349 return err;
4350 }
4351 }
4352 return 0;
4353
4354 expected:
4355 chan->expected_tx_seq = __next_seq(chan, chan->expected_tx_seq);
4356
4357 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4358 bt_cb(skb)->control.txseq = tx_seq;
4359 bt_cb(skb)->control.sar = sar;
4360 __skb_queue_tail(&chan->srej_q, skb);
4361 return 0;
4362 }
4363
4364 err = l2cap_reassemble_sdu(chan, skb, rx_control);
4365 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
4366
4367 if (err < 0) {
4368 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4369 return err;
4370 }
4371
4372 if (__is_ctrl_final(chan, rx_control)) {
4373 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4374 l2cap_retransmit_frames(chan);
4375 }
4376
4377
4378 chan->num_acked = (chan->num_acked + 1) % num_to_ack;
4379 if (chan->num_acked == num_to_ack - 1)
4380 l2cap_send_ack(chan);
4381 else
4382 __set_ack_timer(chan);
4383
4384 return 0;
4385
4386 drop:
4387 kfree_skb(skb);
4388 return 0;
4389 }
4390
4391 static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u32 rx_control)
4392 {
4393 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan,
4394 __get_reqseq(chan, rx_control), rx_control);
4395
4396 chan->expected_ack_seq = __get_reqseq(chan, rx_control);
4397 l2cap_drop_acked_frames(chan);
4398
4399 if (__is_ctrl_poll(chan, rx_control)) {
4400 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4401 if (test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4402 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4403 (chan->unacked_frames > 0))
4404 __set_retrans_timer(chan);
4405
4406 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4407 l2cap_send_srejtail(chan);
4408 } else {
4409 l2cap_send_i_or_rr_or_rnr(chan);
4410 }
4411
4412 } else if (__is_ctrl_final(chan, rx_control)) {
4413 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4414
4415 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4416 l2cap_retransmit_frames(chan);
4417
4418 } else {
4419 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
4420 (chan->unacked_frames > 0))
4421 __set_retrans_timer(chan);
4422
4423 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4424 if (test_bit(CONN_SREJ_SENT, &chan->conn_state))
4425 l2cap_send_ack(chan);
4426 else
4427 l2cap_ertm_send(chan);
4428 }
4429 }
4430
4431 static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u32 rx_control)
4432 {
4433 u16 tx_seq = __get_reqseq(chan, rx_control);
4434
4435 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4436
4437 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4438
4439 chan->expected_ack_seq = tx_seq;
4440 l2cap_drop_acked_frames(chan);
4441
4442 if (__is_ctrl_final(chan, rx_control)) {
4443 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
4444 l2cap_retransmit_frames(chan);
4445 } else {
4446 l2cap_retransmit_frames(chan);
4447
4448 if (test_bit(CONN_WAIT_F, &chan->conn_state))
4449 set_bit(CONN_REJ_ACT, &chan->conn_state);
4450 }
4451 }
4452 static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u32 rx_control)
4453 {
4454 u16 tx_seq = __get_reqseq(chan, rx_control);
4455
4456 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4457
4458 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4459
4460 if (__is_ctrl_poll(chan, rx_control)) {
4461 chan->expected_ack_seq = tx_seq;
4462 l2cap_drop_acked_frames(chan);
4463
4464 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4465 l2cap_retransmit_one_frame(chan, tx_seq);
4466
4467 l2cap_ertm_send(chan);
4468
4469 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4470 chan->srej_save_reqseq = tx_seq;
4471 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4472 }
4473 } else if (__is_ctrl_final(chan, rx_control)) {
4474 if (test_bit(CONN_SREJ_ACT, &chan->conn_state) &&
4475 chan->srej_save_reqseq == tx_seq)
4476 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
4477 else
4478 l2cap_retransmit_one_frame(chan, tx_seq);
4479 } else {
4480 l2cap_retransmit_one_frame(chan, tx_seq);
4481 if (test_bit(CONN_WAIT_F, &chan->conn_state)) {
4482 chan->srej_save_reqseq = tx_seq;
4483 set_bit(CONN_SREJ_ACT, &chan->conn_state);
4484 }
4485 }
4486 }
4487
4488 static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u32 rx_control)
4489 {
4490 u16 tx_seq = __get_reqseq(chan, rx_control);
4491
4492 BT_DBG("chan %p, req_seq %d ctrl 0x%8.8x", chan, tx_seq, rx_control);
4493
4494 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
4495 chan->expected_ack_seq = tx_seq;
4496 l2cap_drop_acked_frames(chan);
4497
4498 if (__is_ctrl_poll(chan, rx_control))
4499 set_bit(CONN_SEND_FBIT, &chan->conn_state);
4500
4501 if (!test_bit(CONN_SREJ_SENT, &chan->conn_state)) {
4502 __clear_retrans_timer(chan);
4503 if (__is_ctrl_poll(chan, rx_control))
4504 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
4505 return;
4506 }
4507
4508 if (__is_ctrl_poll(chan, rx_control)) {
4509 l2cap_send_srejtail(chan);
4510 } else {
4511 rx_control = __set_ctrl_super(chan, L2CAP_SUPER_RR);
4512 l2cap_send_sframe(chan, rx_control);
4513 }
4514 }
4515
4516 static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u32 rx_control, struct sk_buff *skb)
4517 {
4518 BT_DBG("chan %p rx_control 0x%8.8x len %d", chan, rx_control, skb->len);
4519
4520 if (__is_ctrl_final(chan, rx_control) &&
4521 test_bit(CONN_WAIT_F, &chan->conn_state)) {
4522 __clear_monitor_timer(chan);
4523 if (chan->unacked_frames > 0)
4524 __set_retrans_timer(chan);
4525 clear_bit(CONN_WAIT_F, &chan->conn_state);
4526 }
4527
4528 switch (__get_ctrl_super(chan, rx_control)) {
4529 case L2CAP_SUPER_RR:
4530 l2cap_data_channel_rrframe(chan, rx_control);
4531 break;
4532
4533 case L2CAP_SUPER_REJ:
4534 l2cap_data_channel_rejframe(chan, rx_control);
4535 break;
4536
4537 case L2CAP_SUPER_SREJ:
4538 l2cap_data_channel_srejframe(chan, rx_control);
4539 break;
4540
4541 case L2CAP_SUPER_RNR:
4542 l2cap_data_channel_rnrframe(chan, rx_control);
4543 break;
4544 }
4545
4546 kfree_skb(skb);
4547 return 0;
4548 }
4549
4550 static int l2cap_ertm_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
4551 {
4552 u32 control;
4553 u16 req_seq;
4554 int len, next_tx_seq_offset, req_seq_offset;
4555
4556 __unpack_control(chan, skb);
4557
4558 control = __get_control(chan, skb->data);
4559 skb_pull(skb, __ctrl_size(chan));
4560 len = skb->len;
4561
4562 /*
4563 * We can just drop the corrupted I-frame here.
4564 * Receiver will miss it and start proper recovery
4565 * procedures and ask retransmission.
4566 */
4567 if (l2cap_check_fcs(chan, skb))
4568 goto drop;
4569
4570 if (__is_sar_start(chan, control) && !__is_sframe(chan, control))
4571 len -= L2CAP_SDULEN_SIZE;
4572
4573 if (chan->fcs == L2CAP_FCS_CRC16)
4574 len -= L2CAP_FCS_SIZE;
4575
4576 if (len > chan->mps) {
4577 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4578 goto drop;
4579 }
4580
4581 req_seq = __get_reqseq(chan, control);
4582
4583 req_seq_offset = __seq_offset(chan, req_seq, chan->expected_ack_seq);
4584
4585 next_tx_seq_offset = __seq_offset(chan, chan->next_tx_seq,
4586 chan->expected_ack_seq);
4587
4588 /* check for invalid req-seq */
4589 if (req_seq_offset > next_tx_seq_offset) {
4590 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4591 goto drop;
4592 }
4593
4594 if (!__is_sframe(chan, control)) {
4595 if (len < 0) {
4596 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4597 goto drop;
4598 }
4599
4600 l2cap_data_channel_iframe(chan, control, skb);
4601 } else {
4602 if (len != 0) {
4603 BT_ERR("%d", len);
4604 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4605 goto drop;
4606 }
4607
4608 l2cap_data_channel_sframe(chan, control, skb);
4609 }
4610
4611 return 0;
4612
4613 drop:
4614 kfree_skb(skb);
4615 return 0;
4616 }
4617
4618 static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4619 {
4620 struct l2cap_chan *chan;
4621 u32 control;
4622 u16 tx_seq;
4623 int len;
4624
4625 chan = l2cap_get_chan_by_scid(conn, cid);
4626 if (!chan) {
4627 BT_DBG("unknown cid 0x%4.4x", cid);
4628 /* Drop packet and return */
4629 kfree_skb(skb);
4630 return 0;
4631 }
4632
4633 BT_DBG("chan %p, len %d", chan, skb->len);
4634
4635 if (chan->state != BT_CONNECTED)
4636 goto drop;
4637
4638 switch (chan->mode) {
4639 case L2CAP_MODE_BASIC:
4640 /* If socket recv buffers overflows we drop data here
4641 * which is *bad* because L2CAP has to be reliable.
4642 * But we don't have any other choice. L2CAP doesn't
4643 * provide flow control mechanism. */
4644
4645 if (chan->imtu < skb->len)
4646 goto drop;
4647
4648 if (!chan->ops->recv(chan->data, skb))
4649 goto done;
4650 break;
4651
4652 case L2CAP_MODE_ERTM:
4653 l2cap_ertm_data_rcv(chan, skb);
4654
4655 goto done;
4656
4657 case L2CAP_MODE_STREAMING:
4658 control = __get_control(chan, skb->data);
4659 skb_pull(skb, __ctrl_size(chan));
4660 len = skb->len;
4661
4662 if (l2cap_check_fcs(chan, skb))
4663 goto drop;
4664
4665 if (__is_sar_start(chan, control))
4666 len -= L2CAP_SDULEN_SIZE;
4667
4668 if (chan->fcs == L2CAP_FCS_CRC16)
4669 len -= L2CAP_FCS_SIZE;
4670
4671 if (len > chan->mps || len < 0 || __is_sframe(chan, control))
4672 goto drop;
4673
4674 tx_seq = __get_txseq(chan, control);
4675
4676 if (chan->expected_tx_seq != tx_seq) {
4677 /* Frame(s) missing - must discard partial SDU */
4678 kfree_skb(chan->sdu);
4679 chan->sdu = NULL;
4680 chan->sdu_last_frag = NULL;
4681 chan->sdu_len = 0;
4682
4683 /* TODO: Notify userland of missing data */
4684 }
4685
4686 chan->expected_tx_seq = __next_seq(chan, tx_seq);
4687
4688 if (l2cap_reassemble_sdu(chan, skb, control) == -EMSGSIZE)
4689 l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
4690
4691 goto done;
4692
4693 default:
4694 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
4695 break;
4696 }
4697
4698 drop:
4699 kfree_skb(skb);
4700
4701 done:
4702 l2cap_chan_unlock(chan);
4703
4704 return 0;
4705 }
4706
4707 static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
4708 {
4709 struct l2cap_chan *chan;
4710
4711 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
4712 if (!chan)
4713 goto drop;
4714
4715 BT_DBG("chan %p, len %d", chan, skb->len);
4716
4717 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4718 goto drop;
4719
4720 if (chan->imtu < skb->len)
4721 goto drop;
4722
4723 if (!chan->ops->recv(chan->data, skb))
4724 return 0;
4725
4726 drop:
4727 kfree_skb(skb);
4728
4729 return 0;
4730 }
4731
4732 static inline int l2cap_att_channel(struct l2cap_conn *conn, u16 cid,
4733 struct sk_buff *skb)
4734 {
4735 struct l2cap_chan *chan;
4736
4737 chan = l2cap_global_chan_by_scid(0, cid, conn->src, conn->dst);
4738 if (!chan)
4739 goto drop;
4740
4741 BT_DBG("chan %p, len %d", chan, skb->len);
4742
4743 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
4744 goto drop;
4745
4746 if (chan->imtu < skb->len)
4747 goto drop;
4748
4749 if (!chan->ops->recv(chan->data, skb))
4750 return 0;
4751
4752 drop:
4753 kfree_skb(skb);
4754
4755 return 0;
4756 }
4757
4758 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4759 {
4760 struct l2cap_hdr *lh = (void *) skb->data;
4761 u16 cid, len;
4762 __le16 psm;
4763
4764 skb_pull(skb, L2CAP_HDR_SIZE);
4765 cid = __le16_to_cpu(lh->cid);
4766 len = __le16_to_cpu(lh->len);
4767
4768 if (len != skb->len) {
4769 kfree_skb(skb);
4770 return;
4771 }
4772
4773 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4774
4775 switch (cid) {
4776 case L2CAP_CID_LE_SIGNALING:
4777 case L2CAP_CID_SIGNALING:
4778 l2cap_sig_channel(conn, skb);
4779 break;
4780
4781 case L2CAP_CID_CONN_LESS:
4782 psm = get_unaligned((__le16 *) skb->data);
4783 skb_pull(skb, 2);
4784 l2cap_conless_channel(conn, psm, skb);
4785 break;
4786
4787 case L2CAP_CID_LE_DATA:
4788 l2cap_att_channel(conn, cid, skb);
4789 break;
4790
4791 case L2CAP_CID_SMP:
4792 if (smp_sig_channel(conn, skb))
4793 l2cap_conn_del(conn->hcon, EACCES);
4794 break;
4795
4796 default:
4797 l2cap_data_channel(conn, cid, skb);
4798 break;
4799 }
4800 }
4801
4802 /* ---- L2CAP interface with lower layer (HCI) ---- */
4803
4804 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
4805 {
4806 int exact = 0, lm1 = 0, lm2 = 0;
4807 struct l2cap_chan *c;
4808
4809 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4810
4811 /* Find listening sockets and check their link_mode */
4812 read_lock(&chan_list_lock);
4813 list_for_each_entry(c, &chan_list, global_l) {
4814 struct sock *sk = c->sk;
4815
4816 if (c->state != BT_LISTEN)
4817 continue;
4818
4819 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
4820 lm1 |= HCI_LM_ACCEPT;
4821 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4822 lm1 |= HCI_LM_MASTER;
4823 exact++;
4824 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4825 lm2 |= HCI_LM_ACCEPT;
4826 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
4827 lm2 |= HCI_LM_MASTER;
4828 }
4829 }
4830 read_unlock(&chan_list_lock);
4831
4832 return exact ? lm1 : lm2;
4833 }
4834
4835 int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4836 {
4837 struct l2cap_conn *conn;
4838
4839 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4840
4841 if (!status) {
4842 conn = l2cap_conn_add(hcon, status);
4843 if (conn)
4844 l2cap_conn_ready(conn);
4845 } else
4846 l2cap_conn_del(hcon, bt_to_errno(status));
4847
4848 return 0;
4849 }
4850
4851 int l2cap_disconn_ind(struct hci_conn *hcon)
4852 {
4853 struct l2cap_conn *conn = hcon->l2cap_data;
4854
4855 BT_DBG("hcon %p", hcon);
4856
4857 if (!conn)
4858 return HCI_ERROR_REMOTE_USER_TERM;
4859 return conn->disc_reason;
4860 }
4861
4862 int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4863 {
4864 BT_DBG("hcon %p reason %d", hcon, reason);
4865
4866 l2cap_conn_del(hcon, bt_to_errno(reason));
4867 return 0;
4868 }
4869
4870 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4871 {
4872 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
4873 return;
4874
4875 if (encrypt == 0x00) {
4876 if (chan->sec_level == BT_SECURITY_MEDIUM) {
4877 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
4878 } else if (chan->sec_level == BT_SECURITY_HIGH)
4879 l2cap_chan_close(chan, ECONNREFUSED);
4880 } else {
4881 if (chan->sec_level == BT_SECURITY_MEDIUM)
4882 __clear_chan_timer(chan);
4883 }
4884 }
4885
4886 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4887 {
4888 struct l2cap_conn *conn = hcon->l2cap_data;
4889 struct l2cap_chan *chan;
4890
4891 if (!conn)
4892 return 0;
4893
4894 BT_DBG("conn %p", conn);
4895
4896 if (hcon->type == LE_LINK) {
4897 if (!status && encrypt)
4898 smp_distribute_keys(conn, 0);
4899 cancel_delayed_work(&conn->security_timer);
4900 }
4901
4902 mutex_lock(&conn->chan_lock);
4903
4904 list_for_each_entry(chan, &conn->chan_l, list) {
4905 l2cap_chan_lock(chan);
4906
4907 BT_DBG("chan->scid %d", chan->scid);
4908
4909 if (chan->scid == L2CAP_CID_LE_DATA) {
4910 if (!status && encrypt) {
4911 chan->sec_level = hcon->sec_level;
4912 l2cap_chan_ready(chan);
4913 }
4914
4915 l2cap_chan_unlock(chan);
4916 continue;
4917 }
4918
4919 if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
4920 l2cap_chan_unlock(chan);
4921 continue;
4922 }
4923
4924 if (!status && (chan->state == BT_CONNECTED ||
4925 chan->state == BT_CONFIG)) {
4926 struct sock *sk = chan->sk;
4927
4928 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
4929 sk->sk_state_change(sk);
4930
4931 l2cap_check_encryption(chan, encrypt);
4932 l2cap_chan_unlock(chan);
4933 continue;
4934 }
4935
4936 if (chan->state == BT_CONNECT) {
4937 if (!status) {
4938 l2cap_send_conn_req(chan);
4939 } else {
4940 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4941 }
4942 } else if (chan->state == BT_CONNECT2) {
4943 struct sock *sk = chan->sk;
4944 struct l2cap_conn_rsp rsp;
4945 __u16 res, stat;
4946
4947 lock_sock(sk);
4948
4949 if (!status) {
4950 if (test_bit(BT_SK_DEFER_SETUP,
4951 &bt_sk(sk)->flags)) {
4952 struct sock *parent = bt_sk(sk)->parent;
4953 res = L2CAP_CR_PEND;
4954 stat = L2CAP_CS_AUTHOR_PEND;
4955 if (parent)
4956 parent->sk_data_ready(parent, 0);
4957 } else {
4958 __l2cap_state_change(chan, BT_CONFIG);
4959 res = L2CAP_CR_SUCCESS;
4960 stat = L2CAP_CS_NO_INFO;
4961 }
4962 } else {
4963 __l2cap_state_change(chan, BT_DISCONN);
4964 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
4965 res = L2CAP_CR_SEC_BLOCK;
4966 stat = L2CAP_CS_NO_INFO;
4967 }
4968
4969 release_sock(sk);
4970
4971 rsp.scid = cpu_to_le16(chan->dcid);
4972 rsp.dcid = cpu_to_le16(chan->scid);
4973 rsp.result = cpu_to_le16(res);
4974 rsp.status = cpu_to_le16(stat);
4975 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
4976 sizeof(rsp), &rsp);
4977 }
4978
4979 l2cap_chan_unlock(chan);
4980 }
4981
4982 mutex_unlock(&conn->chan_lock);
4983
4984 return 0;
4985 }
4986
4987 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4988 {
4989 struct l2cap_conn *conn = hcon->l2cap_data;
4990
4991 if (!conn)
4992 conn = l2cap_conn_add(hcon, 0);
4993
4994 if (!conn)
4995 goto drop;
4996
4997 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4998
4999 if (!(flags & ACL_CONT)) {
5000 struct l2cap_hdr *hdr;
5001 int len;
5002
5003 if (conn->rx_len) {
5004 BT_ERR("Unexpected start frame (len %d)", skb->len);
5005 kfree_skb(conn->rx_skb);
5006 conn->rx_skb = NULL;
5007 conn->rx_len = 0;
5008 l2cap_conn_unreliable(conn, ECOMM);
5009 }
5010
5011 /* Start fragment always begin with Basic L2CAP header */
5012 if (skb->len < L2CAP_HDR_SIZE) {
5013 BT_ERR("Frame is too short (len %d)", skb->len);
5014 l2cap_conn_unreliable(conn, ECOMM);
5015 goto drop;
5016 }
5017
5018 hdr = (struct l2cap_hdr *) skb->data;
5019 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
5020
5021 if (len == skb->len) {
5022 /* Complete frame received */
5023 l2cap_recv_frame(conn, skb);
5024 return 0;
5025 }
5026
5027 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
5028
5029 if (skb->len > len) {
5030 BT_ERR("Frame is too long (len %d, expected len %d)",
5031 skb->len, len);
5032 l2cap_conn_unreliable(conn, ECOMM);
5033 goto drop;
5034 }
5035
5036 /* Allocate skb for the complete frame (with header) */
5037 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
5038 if (!conn->rx_skb)
5039 goto drop;
5040
5041 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
5042 skb->len);
5043 conn->rx_len = len - skb->len;
5044 } else {
5045 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
5046
5047 if (!conn->rx_len) {
5048 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
5049 l2cap_conn_unreliable(conn, ECOMM);
5050 goto drop;
5051 }
5052
5053 if (skb->len > conn->rx_len) {
5054 BT_ERR("Fragment is too long (len %d, expected %d)",
5055 skb->len, conn->rx_len);
5056 kfree_skb(conn->rx_skb);
5057 conn->rx_skb = NULL;
5058 conn->rx_len = 0;
5059 l2cap_conn_unreliable(conn, ECOMM);
5060 goto drop;
5061 }
5062
5063 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
5064 skb->len);
5065 conn->rx_len -= skb->len;
5066
5067 if (!conn->rx_len) {
5068 /* Complete frame received */
5069 l2cap_recv_frame(conn, conn->rx_skb);
5070 conn->rx_skb = NULL;
5071 }
5072 }
5073
5074 drop:
5075 kfree_skb(skb);
5076 return 0;
5077 }
5078
5079 static int l2cap_debugfs_show(struct seq_file *f, void *p)
5080 {
5081 struct l2cap_chan *c;
5082
5083 read_lock(&chan_list_lock);
5084
5085 list_for_each_entry(c, &chan_list, global_l) {
5086 struct sock *sk = c->sk;
5087
5088 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
5089 batostr(&bt_sk(sk)->src),
5090 batostr(&bt_sk(sk)->dst),
5091 c->state, __le16_to_cpu(c->psm),
5092 c->scid, c->dcid, c->imtu, c->omtu,
5093 c->sec_level, c->mode);
5094 }
5095
5096 read_unlock(&chan_list_lock);
5097
5098 return 0;
5099 }
5100
5101 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
5102 {
5103 return single_open(file, l2cap_debugfs_show, inode->i_private);
5104 }
5105
5106 static const struct file_operations l2cap_debugfs_fops = {
5107 .open = l2cap_debugfs_open,
5108 .read = seq_read,
5109 .llseek = seq_lseek,
5110 .release = single_release,
5111 };
5112
5113 static struct dentry *l2cap_debugfs;
5114
5115 int __init l2cap_init(void)
5116 {
5117 int err;
5118
5119 err = l2cap_init_sockets();
5120 if (err < 0)
5121 return err;
5122
5123 if (bt_debugfs) {
5124 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
5125 bt_debugfs, NULL, &l2cap_debugfs_fops);
5126 if (!l2cap_debugfs)
5127 BT_ERR("Failed to create L2CAP debug file");
5128 }
5129
5130 return 0;
5131 }
5132
5133 void l2cap_exit(void)
5134 {
5135 debugfs_remove(l2cap_debugfs);
5136 l2cap_cleanup_sockets();
5137 }
5138
5139 module_param(disable_ertm, bool, 0644);
5140 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
ubuntu-zesty-kernel mirror