projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Fix confusion between parent and child channel for 6lowpan
[deliverable/linux.git] / net / bluetooth / l2cap_core.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35
36 #include <net/bluetooth/bluetooth.h>
37 #include <net/bluetooth/hci_core.h>
38 #include <net/bluetooth/l2cap.h>
39
40 #include "smp.h"
41 #include "a2mp.h"
42 #include "amp.h"
43
44 #define LE_FLOWCTL_MAX_CREDITS 65535
45
46 bool disable_ertm;
47
48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
49 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS, };
50
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
53
54 static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55 static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
57 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
58 u8 code, u8 ident, u16 dlen, void *data);
59 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
60 void *data);
61 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
62 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
63
64 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
65 struct sk_buff_head *skbs, u8 event);
66
67 static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
68 {
69 if (hcon->type == LE_LINK) {
70 if (type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
72 else
73 return BDADDR_LE_RANDOM;
74 }
75
76 return BDADDR_BREDR;
77 }
78
79 /* ---- L2CAP channels ---- */
80
81 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
82 u16 cid)
83 {
84 struct l2cap_chan *c;
85
86 list_for_each_entry(c, &conn->chan_l, list) {
87 if (c->dcid == cid)
88 return c;
89 }
90 return NULL;
91 }
92
93 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 u16 cid)
95 {
96 struct l2cap_chan *c;
97
98 list_for_each_entry(c, &conn->chan_l, list) {
99 if (c->scid == cid)
100 return c;
101 }
102 return NULL;
103 }
104
105 /* Find channel with given SCID.
106 * Returns locked channel. */
107 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
108 u16 cid)
109 {
110 struct l2cap_chan *c;
111
112 mutex_lock(&conn->chan_lock);
113 c = __l2cap_get_chan_by_scid(conn, cid);
114 if (c)
115 l2cap_chan_lock(c);
116 mutex_unlock(&conn->chan_lock);
117
118 return c;
119 }
120
121 /* Find channel with given DCID.
122 * Returns locked channel.
123 */
124 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
125 u16 cid)
126 {
127 struct l2cap_chan *c;
128
129 mutex_lock(&conn->chan_lock);
130 c = __l2cap_get_chan_by_dcid(conn, cid);
131 if (c)
132 l2cap_chan_lock(c);
133 mutex_unlock(&conn->chan_lock);
134
135 return c;
136 }
137
138 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
139 u8 ident)
140 {
141 struct l2cap_chan *c;
142
143 list_for_each_entry(c, &conn->chan_l, list) {
144 if (c->ident == ident)
145 return c;
146 }
147 return NULL;
148 }
149
150 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 u8 ident)
152 {
153 struct l2cap_chan *c;
154
155 mutex_lock(&conn->chan_lock);
156 c = __l2cap_get_chan_by_ident(conn, ident);
157 if (c)
158 l2cap_chan_lock(c);
159 mutex_unlock(&conn->chan_lock);
160
161 return c;
162 }
163
164 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
165 {
166 struct l2cap_chan *c;
167
168 list_for_each_entry(c, &chan_list, global_l) {
169 if (c->sport == psm && !bacmp(&c->src, src))
170 return c;
171 }
172 return NULL;
173 }
174
175 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
176 {
177 int err;
178
179 write_lock(&chan_list_lock);
180
181 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
182 err = -EADDRINUSE;
183 goto done;
184 }
185
186 if (psm) {
187 chan->psm = psm;
188 chan->sport = psm;
189 err = 0;
190 } else {
191 u16 p;
192
193 err = -EINVAL;
194 for (p = 0x1001; p < 0x1100; p += 2)
195 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
196 chan->psm = cpu_to_le16(p);
197 chan->sport = cpu_to_le16(p);
198 err = 0;
199 break;
200 }
201 }
202
203 done:
204 write_unlock(&chan_list_lock);
205 return err;
206 }
207 EXPORT_SYMBOL_GPL(l2cap_add_psm);
208
209 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210 {
211 write_lock(&chan_list_lock);
212
213 chan->scid = scid;
214
215 write_unlock(&chan_list_lock);
216
217 return 0;
218 }
219
220 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
221 {
222 u16 cid, dyn_end;
223
224 if (conn->hcon->type == LE_LINK)
225 dyn_end = L2CAP_CID_LE_DYN_END;
226 else
227 dyn_end = L2CAP_CID_DYN_END;
228
229 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
230 if (!__l2cap_get_chan_by_scid(conn, cid))
231 return cid;
232 }
233
234 return 0;
235 }
236
237 static void l2cap_state_change(struct l2cap_chan *chan, int state)
238 {
239 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
240 state_to_string(state));
241
242 chan->state = state;
243 chan->ops->state_change(chan, state, 0);
244 }
245
246 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
247 int state, int err)
248 {
249 chan->state = state;
250 chan->ops->state_change(chan, chan->state, err);
251 }
252
253 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
254 {
255 chan->ops->state_change(chan, chan->state, err);
256 }
257
258 static void __set_retrans_timer(struct l2cap_chan *chan)
259 {
260 if (!delayed_work_pending(&chan->monitor_timer) &&
261 chan->retrans_timeout) {
262 l2cap_set_timer(chan, &chan->retrans_timer,
263 msecs_to_jiffies(chan->retrans_timeout));
264 }
265 }
266
267 static void __set_monitor_timer(struct l2cap_chan *chan)
268 {
269 __clear_retrans_timer(chan);
270 if (chan->monitor_timeout) {
271 l2cap_set_timer(chan, &chan->monitor_timer,
272 msecs_to_jiffies(chan->monitor_timeout));
273 }
274 }
275
276 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
277 u16 seq)
278 {
279 struct sk_buff *skb;
280
281 skb_queue_walk(head, skb) {
282 if (bt_cb(skb)->control.txseq == seq)
283 return skb;
284 }
285
286 return NULL;
287 }
288
289 /* ---- L2CAP sequence number lists ---- */
290
291 /* For ERTM, ordered lists of sequence numbers must be tracked for
292 * SREJ requests that are received and for frames that are to be
293 * retransmitted. These seq_list functions implement a singly-linked
294 * list in an array, where membership in the list can also be checked
295 * in constant time. Items can also be added to the tail of the list
296 * and removed from the head in constant time, without further memory
297 * allocs or frees.
298 */
299
300 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
301 {
302 size_t alloc_size, i;
303
304 /* Allocated size is a power of 2 to map sequence numbers
305 * (which may be up to 14 bits) in to a smaller array that is
306 * sized for the negotiated ERTM transmit windows.
307 */
308 alloc_size = roundup_pow_of_two(size);
309
310 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
311 if (!seq_list->list)
312 return -ENOMEM;
313
314 seq_list->mask = alloc_size - 1;
315 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
316 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
317 for (i = 0; i < alloc_size; i++)
318 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
319
320 return 0;
321 }
322
323 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
324 {
325 kfree(seq_list->list);
326 }
327
328 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
329 u16 seq)
330 {
331 /* Constant-time check for list membership */
332 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
333 }
334
335 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
336 {
337 u16 seq = seq_list->head;
338 u16 mask = seq_list->mask;
339
340 seq_list->head = seq_list->list[seq & mask];
341 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
342
343 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
346 }
347
348 return seq;
349 }
350
351 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
352 {
353 u16 i;
354
355 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
356 return;
357
358 for (i = 0; i <= seq_list->mask; i++)
359 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
360
361 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
362 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
363 }
364
365 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
366 {
367 u16 mask = seq_list->mask;
368
369 /* All appends happen in constant time */
370
371 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
372 return;
373
374 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
375 seq_list->head = seq;
376 else
377 seq_list->list[seq_list->tail & mask] = seq;
378
379 seq_list->tail = seq;
380 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
381 }
382
383 static void l2cap_chan_timeout(struct work_struct *work)
384 {
385 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
386 chan_timer.work);
387 struct l2cap_conn *conn = chan->conn;
388 int reason;
389
390 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
391
392 mutex_lock(&conn->chan_lock);
393 l2cap_chan_lock(chan);
394
395 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
396 reason = ECONNREFUSED;
397 else if (chan->state == BT_CONNECT &&
398 chan->sec_level != BT_SECURITY_SDP)
399 reason = ECONNREFUSED;
400 else
401 reason = ETIMEDOUT;
402
403 l2cap_chan_close(chan, reason);
404
405 l2cap_chan_unlock(chan);
406
407 chan->ops->close(chan);
408 mutex_unlock(&conn->chan_lock);
409
410 l2cap_chan_put(chan);
411 }
412
413 struct l2cap_chan *l2cap_chan_create(void)
414 {
415 struct l2cap_chan *chan;
416
417 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
418 if (!chan)
419 return NULL;
420
421 mutex_init(&chan->lock);
422
423 write_lock(&chan_list_lock);
424 list_add(&chan->global_l, &chan_list);
425 write_unlock(&chan_list_lock);
426
427 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
428
429 chan->state = BT_OPEN;
430
431 kref_init(&chan->kref);
432
433 /* This flag is cleared in l2cap_chan_ready() */
434 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
435
436 BT_DBG("chan %p", chan);
437
438 return chan;
439 }
440 EXPORT_SYMBOL_GPL(l2cap_chan_create);
441
442 static void l2cap_chan_destroy(struct kref *kref)
443 {
444 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
445
446 BT_DBG("chan %p", chan);
447
448 write_lock(&chan_list_lock);
449 list_del(&chan->global_l);
450 write_unlock(&chan_list_lock);
451
452 kfree(chan);
453 }
454
455 void l2cap_chan_hold(struct l2cap_chan *c)
456 {
457 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
458
459 kref_get(&c->kref);
460 }
461
462 void l2cap_chan_put(struct l2cap_chan *c)
463 {
464 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
465
466 kref_put(&c->kref, l2cap_chan_destroy);
467 }
468 EXPORT_SYMBOL_GPL(l2cap_chan_put);
469
470 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
471 {
472 chan->fcs = L2CAP_FCS_CRC16;
473 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
474 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
475 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
476 chan->remote_max_tx = chan->max_tx;
477 chan->remote_tx_win = chan->tx_win;
478 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
479 chan->sec_level = BT_SECURITY_LOW;
480 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
481 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
482 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
483 chan->conf_state = 0;
484
485 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
486 }
487 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
488
489 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
490 {
491 chan->sdu = NULL;
492 chan->sdu_last_frag = NULL;
493 chan->sdu_len = 0;
494 chan->tx_credits = 0;
495 chan->rx_credits = le_max_credits;
496 chan->mps = min_t(u16, chan->imtu, le_default_mps);
497
498 skb_queue_head_init(&chan->tx_q);
499 }
500
501 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
502 {
503 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
504 __le16_to_cpu(chan->psm), chan->dcid);
505
506 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
507
508 chan->conn = conn;
509
510 switch (chan->chan_type) {
511 case L2CAP_CHAN_CONN_ORIENTED:
512 /* Alloc CID for connection-oriented socket */
513 chan->scid = l2cap_alloc_cid(conn);
514 if (conn->hcon->type == ACL_LINK)
515 chan->omtu = L2CAP_DEFAULT_MTU;
516 break;
517
518 case L2CAP_CHAN_CONN_LESS:
519 /* Connectionless socket */
520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
522 chan->omtu = L2CAP_DEFAULT_MTU;
523 break;
524
525 case L2CAP_CHAN_FIXED:
526 /* Caller will set CID and CID specific MTU values */
527 break;
528
529 default:
530 /* Raw socket can send/recv signalling messages only */
531 chan->scid = L2CAP_CID_SIGNALING;
532 chan->dcid = L2CAP_CID_SIGNALING;
533 chan->omtu = L2CAP_DEFAULT_MTU;
534 }
535
536 chan->local_id = L2CAP_BESTEFFORT_ID;
537 chan->local_stype = L2CAP_SERV_BESTEFFORT;
538 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
539 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
540 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
541 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
542
543 l2cap_chan_hold(chan);
544
545 hci_conn_hold(conn->hcon);
546
547 list_add(&chan->list, &conn->chan_l);
548 }
549
550 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
551 {
552 mutex_lock(&conn->chan_lock);
553 __l2cap_chan_add(conn, chan);
554 mutex_unlock(&conn->chan_lock);
555 }
556
557 void l2cap_chan_del(struct l2cap_chan *chan, int err)
558 {
559 struct l2cap_conn *conn = chan->conn;
560
561 __clear_chan_timer(chan);
562
563 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
564
565 if (conn) {
566 struct amp_mgr *mgr = conn->hcon->amp_mgr;
567 /* Delete from channel list */
568 list_del(&chan->list);
569
570 l2cap_chan_put(chan);
571
572 chan->conn = NULL;
573
574 if (chan->scid != L2CAP_CID_A2MP)
575 hci_conn_drop(conn->hcon);
576
577 if (mgr && mgr->bredr_chan == chan)
578 mgr->bredr_chan = NULL;
579 }
580
581 if (chan->hs_hchan) {
582 struct hci_chan *hs_hchan = chan->hs_hchan;
583
584 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
585 amp_disconnect_logical_link(hs_hchan);
586 }
587
588 chan->ops->teardown(chan, err);
589
590 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
591 return;
592
593 switch(chan->mode) {
594 case L2CAP_MODE_BASIC:
595 break;
596
597 case L2CAP_MODE_LE_FLOWCTL:
598 skb_queue_purge(&chan->tx_q);
599 break;
600
601 case L2CAP_MODE_ERTM:
602 __clear_retrans_timer(chan);
603 __clear_monitor_timer(chan);
604 __clear_ack_timer(chan);
605
606 skb_queue_purge(&chan->srej_q);
607
608 l2cap_seq_list_free(&chan->srej_list);
609 l2cap_seq_list_free(&chan->retrans_list);
610
611 /* fall through */
612
613 case L2CAP_MODE_STREAMING:
614 skb_queue_purge(&chan->tx_q);
615 break;
616 }
617
618 return;
619 }
620 EXPORT_SYMBOL_GPL(l2cap_chan_del);
621
622 void l2cap_conn_update_id_addr(struct hci_conn *hcon)
623 {
624 struct l2cap_conn *conn = hcon->l2cap_data;
625 struct l2cap_chan *chan;
626
627 mutex_lock(&conn->chan_lock);
628
629 list_for_each_entry(chan, &conn->chan_l, list) {
630 l2cap_chan_lock(chan);
631 bacpy(&chan->dst, &hcon->dst);
632 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
633 l2cap_chan_unlock(chan);
634 }
635
636 mutex_unlock(&conn->chan_lock);
637 }
638
639 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
640 {
641 struct l2cap_conn *conn = chan->conn;
642 struct l2cap_le_conn_rsp rsp;
643 u16 result;
644
645 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
646 result = L2CAP_CR_AUTHORIZATION;
647 else
648 result = L2CAP_CR_BAD_PSM;
649
650 l2cap_state_change(chan, BT_DISCONN);
651
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.mtu = cpu_to_le16(chan->imtu);
654 rsp.mps = cpu_to_le16(chan->mps);
655 rsp.credits = cpu_to_le16(chan->rx_credits);
656 rsp.result = cpu_to_le16(result);
657
658 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
659 &rsp);
660 }
661
662 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
663 {
664 struct l2cap_conn *conn = chan->conn;
665 struct l2cap_conn_rsp rsp;
666 u16 result;
667
668 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
669 result = L2CAP_CR_SEC_BLOCK;
670 else
671 result = L2CAP_CR_BAD_PSM;
672
673 l2cap_state_change(chan, BT_DISCONN);
674
675 rsp.scid = cpu_to_le16(chan->dcid);
676 rsp.dcid = cpu_to_le16(chan->scid);
677 rsp.result = cpu_to_le16(result);
678 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
679
680 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
681 }
682
683 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
684 {
685 struct l2cap_conn *conn = chan->conn;
686
687 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
688
689 switch (chan->state) {
690 case BT_LISTEN:
691 chan->ops->teardown(chan, 0);
692 break;
693
694 case BT_CONNECTED:
695 case BT_CONFIG:
696 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
697 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
698 l2cap_send_disconn_req(chan, reason);
699 } else
700 l2cap_chan_del(chan, reason);
701 break;
702
703 case BT_CONNECT2:
704 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
705 if (conn->hcon->type == ACL_LINK)
706 l2cap_chan_connect_reject(chan);
707 else if (conn->hcon->type == LE_LINK)
708 l2cap_chan_le_connect_reject(chan);
709 }
710
711 l2cap_chan_del(chan, reason);
712 break;
713
714 case BT_CONNECT:
715 case BT_DISCONN:
716 l2cap_chan_del(chan, reason);
717 break;
718
719 default:
720 chan->ops->teardown(chan, 0);
721 break;
722 }
723 }
724 EXPORT_SYMBOL(l2cap_chan_close);
725
726 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
727 {
728 switch (chan->chan_type) {
729 case L2CAP_CHAN_RAW:
730 switch (chan->sec_level) {
731 case BT_SECURITY_HIGH:
732 case BT_SECURITY_FIPS:
733 return HCI_AT_DEDICATED_BONDING_MITM;
734 case BT_SECURITY_MEDIUM:
735 return HCI_AT_DEDICATED_BONDING;
736 default:
737 return HCI_AT_NO_BONDING;
738 }
739 break;
740 case L2CAP_CHAN_CONN_LESS:
741 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
742 if (chan->sec_level == BT_SECURITY_LOW)
743 chan->sec_level = BT_SECURITY_SDP;
744 }
745 if (chan->sec_level == BT_SECURITY_HIGH ||
746 chan->sec_level == BT_SECURITY_FIPS)
747 return HCI_AT_NO_BONDING_MITM;
748 else
749 return HCI_AT_NO_BONDING;
750 break;
751 case L2CAP_CHAN_CONN_ORIENTED:
752 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
753 if (chan->sec_level == BT_SECURITY_LOW)
754 chan->sec_level = BT_SECURITY_SDP;
755
756 if (chan->sec_level == BT_SECURITY_HIGH ||
757 chan->sec_level == BT_SECURITY_FIPS)
758 return HCI_AT_NO_BONDING_MITM;
759 else
760 return HCI_AT_NO_BONDING;
761 }
762 /* fall through */
763 default:
764 switch (chan->sec_level) {
765 case BT_SECURITY_HIGH:
766 case BT_SECURITY_FIPS:
767 return HCI_AT_GENERAL_BONDING_MITM;
768 case BT_SECURITY_MEDIUM:
769 return HCI_AT_GENERAL_BONDING;
770 default:
771 return HCI_AT_NO_BONDING;
772 }
773 break;
774 }
775 }
776
777 /* Service level security */
778 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
779 {
780 struct l2cap_conn *conn = chan->conn;
781 __u8 auth_type;
782
783 if (conn->hcon->type == LE_LINK)
784 return smp_conn_security(conn->hcon, chan->sec_level);
785
786 auth_type = l2cap_get_auth_type(chan);
787
788 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
789 initiator);
790 }
791
792 static u8 l2cap_get_ident(struct l2cap_conn *conn)
793 {
794 u8 id;
795
796 /* Get next available identificator.
797 * 1 - 128 are used by kernel.
798 * 129 - 199 are reserved.
799 * 200 - 254 are used by utilities like l2ping, etc.
800 */
801
802 mutex_lock(&conn->ident_lock);
803
804 if (++conn->tx_ident > 128)
805 conn->tx_ident = 1;
806
807 id = conn->tx_ident;
808
809 mutex_unlock(&conn->ident_lock);
810
811 return id;
812 }
813
814 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
815 void *data)
816 {
817 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
818 u8 flags;
819
820 BT_DBG("code 0x%2.2x", code);
821
822 if (!skb)
823 return;
824
825 if (lmp_no_flush_capable(conn->hcon->hdev))
826 flags = ACL_START_NO_FLUSH;
827 else
828 flags = ACL_START;
829
830 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
831 skb->priority = HCI_PRIO_MAX;
832
833 hci_send_acl(conn->hchan, skb, flags);
834 }
835
836 static bool __chan_is_moving(struct l2cap_chan *chan)
837 {
838 return chan->move_state != L2CAP_MOVE_STABLE &&
839 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
840 }
841
842 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
843 {
844 struct hci_conn *hcon = chan->conn->hcon;
845 u16 flags;
846
847 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
848 skb->priority);
849
850 if (chan->hs_hcon && !__chan_is_moving(chan)) {
851 if (chan->hs_hchan)
852 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
853 else
854 kfree_skb(skb);
855
856 return;
857 }
858
859 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
860 lmp_no_flush_capable(hcon->hdev))
861 flags = ACL_START_NO_FLUSH;
862 else
863 flags = ACL_START;
864
865 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
866 hci_send_acl(chan->conn->hchan, skb, flags);
867 }
868
869 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
870 {
871 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
872 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
873
874 if (enh & L2CAP_CTRL_FRAME_TYPE) {
875 /* S-Frame */
876 control->sframe = 1;
877 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
878 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
879
880 control->sar = 0;
881 control->txseq = 0;
882 } else {
883 /* I-Frame */
884 control->sframe = 0;
885 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
886 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
887
888 control->poll = 0;
889 control->super = 0;
890 }
891 }
892
893 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
894 {
895 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
896 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
897
898 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
899 /* S-Frame */
900 control->sframe = 1;
901 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
902 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
903
904 control->sar = 0;
905 control->txseq = 0;
906 } else {
907 /* I-Frame */
908 control->sframe = 0;
909 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
910 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
911
912 control->poll = 0;
913 control->super = 0;
914 }
915 }
916
917 static inline void __unpack_control(struct l2cap_chan *chan,
918 struct sk_buff *skb)
919 {
920 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
921 __unpack_extended_control(get_unaligned_le32(skb->data),
922 &bt_cb(skb)->control);
923 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
924 } else {
925 __unpack_enhanced_control(get_unaligned_le16(skb->data),
926 &bt_cb(skb)->control);
927 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
928 }
929 }
930
931 static u32 __pack_extended_control(struct l2cap_ctrl *control)
932 {
933 u32 packed;
934
935 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
936 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
937
938 if (control->sframe) {
939 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
940 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
941 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
942 } else {
943 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
944 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
945 }
946
947 return packed;
948 }
949
950 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
951 {
952 u16 packed;
953
954 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
955 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
956
957 if (control->sframe) {
958 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
959 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
960 packed |= L2CAP_CTRL_FRAME_TYPE;
961 } else {
962 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
963 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
964 }
965
966 return packed;
967 }
968
969 static inline void __pack_control(struct l2cap_chan *chan,
970 struct l2cap_ctrl *control,
971 struct sk_buff *skb)
972 {
973 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
974 put_unaligned_le32(__pack_extended_control(control),
975 skb->data + L2CAP_HDR_SIZE);
976 } else {
977 put_unaligned_le16(__pack_enhanced_control(control),
978 skb->data + L2CAP_HDR_SIZE);
979 }
980 }
981
982 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
983 {
984 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
985 return L2CAP_EXT_HDR_SIZE;
986 else
987 return L2CAP_ENH_HDR_SIZE;
988 }
989
990 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
991 u32 control)
992 {
993 struct sk_buff *skb;
994 struct l2cap_hdr *lh;
995 int hlen = __ertm_hdr_size(chan);
996
997 if (chan->fcs == L2CAP_FCS_CRC16)
998 hlen += L2CAP_FCS_SIZE;
999
1000 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1001
1002 if (!skb)
1003 return ERR_PTR(-ENOMEM);
1004
1005 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1006 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1007 lh->cid = cpu_to_le16(chan->dcid);
1008
1009 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1010 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1011 else
1012 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1013
1014 if (chan->fcs == L2CAP_FCS_CRC16) {
1015 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1016 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1017 }
1018
1019 skb->priority = HCI_PRIO_MAX;
1020 return skb;
1021 }
1022
1023 static void l2cap_send_sframe(struct l2cap_chan *chan,
1024 struct l2cap_ctrl *control)
1025 {
1026 struct sk_buff *skb;
1027 u32 control_field;
1028
1029 BT_DBG("chan %p, control %p", chan, control);
1030
1031 if (!control->sframe)
1032 return;
1033
1034 if (__chan_is_moving(chan))
1035 return;
1036
1037 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1038 !control->poll)
1039 control->final = 1;
1040
1041 if (control->super == L2CAP_SUPER_RR)
1042 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1043 else if (control->super == L2CAP_SUPER_RNR)
1044 set_bit(CONN_RNR_SENT, &chan->conn_state);
1045
1046 if (control->super != L2CAP_SUPER_SREJ) {
1047 chan->last_acked_seq = control->reqseq;
1048 __clear_ack_timer(chan);
1049 }
1050
1051 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1052 control->final, control->poll, control->super);
1053
1054 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1055 control_field = __pack_extended_control(control);
1056 else
1057 control_field = __pack_enhanced_control(control);
1058
1059 skb = l2cap_create_sframe_pdu(chan, control_field);
1060 if (!IS_ERR(skb))
1061 l2cap_do_send(chan, skb);
1062 }
1063
1064 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1065 {
1066 struct l2cap_ctrl control;
1067
1068 BT_DBG("chan %p, poll %d", chan, poll);
1069
1070 memset(&control, 0, sizeof(control));
1071 control.sframe = 1;
1072 control.poll = poll;
1073
1074 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1075 control.super = L2CAP_SUPER_RNR;
1076 else
1077 control.super = L2CAP_SUPER_RR;
1078
1079 control.reqseq = chan->buffer_seq;
1080 l2cap_send_sframe(chan, &control);
1081 }
1082
1083 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1084 {
1085 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1086 }
1087
1088 static bool __amp_capable(struct l2cap_chan *chan)
1089 {
1090 struct l2cap_conn *conn = chan->conn;
1091 struct hci_dev *hdev;
1092 bool amp_available = false;
1093
1094 if (!conn->hs_enabled)
1095 return false;
1096
1097 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1098 return false;
1099
1100 read_lock(&hci_dev_list_lock);
1101 list_for_each_entry(hdev, &hci_dev_list, list) {
1102 if (hdev->amp_type != AMP_TYPE_BREDR &&
1103 test_bit(HCI_UP, &hdev->flags)) {
1104 amp_available = true;
1105 break;
1106 }
1107 }
1108 read_unlock(&hci_dev_list_lock);
1109
1110 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1111 return amp_available;
1112
1113 return false;
1114 }
1115
1116 static bool l2cap_check_efs(struct l2cap_chan *chan)
1117 {
1118 /* Check EFS parameters */
1119 return true;
1120 }
1121
1122 void l2cap_send_conn_req(struct l2cap_chan *chan)
1123 {
1124 struct l2cap_conn *conn = chan->conn;
1125 struct l2cap_conn_req req;
1126
1127 req.scid = cpu_to_le16(chan->scid);
1128 req.psm = chan->psm;
1129
1130 chan->ident = l2cap_get_ident(conn);
1131
1132 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1133
1134 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1135 }
1136
1137 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1138 {
1139 struct l2cap_create_chan_req req;
1140 req.scid = cpu_to_le16(chan->scid);
1141 req.psm = chan->psm;
1142 req.amp_id = amp_id;
1143
1144 chan->ident = l2cap_get_ident(chan->conn);
1145
1146 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1147 sizeof(req), &req);
1148 }
1149
1150 static void l2cap_move_setup(struct l2cap_chan *chan)
1151 {
1152 struct sk_buff *skb;
1153
1154 BT_DBG("chan %p", chan);
1155
1156 if (chan->mode != L2CAP_MODE_ERTM)
1157 return;
1158
1159 __clear_retrans_timer(chan);
1160 __clear_monitor_timer(chan);
1161 __clear_ack_timer(chan);
1162
1163 chan->retry_count = 0;
1164 skb_queue_walk(&chan->tx_q, skb) {
1165 if (bt_cb(skb)->control.retries)
1166 bt_cb(skb)->control.retries = 1;
1167 else
1168 break;
1169 }
1170
1171 chan->expected_tx_seq = chan->buffer_seq;
1172
1173 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1174 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1175 l2cap_seq_list_clear(&chan->retrans_list);
1176 l2cap_seq_list_clear(&chan->srej_list);
1177 skb_queue_purge(&chan->srej_q);
1178
1179 chan->tx_state = L2CAP_TX_STATE_XMIT;
1180 chan->rx_state = L2CAP_RX_STATE_MOVE;
1181
1182 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1183 }
1184
1185 static void l2cap_move_done(struct l2cap_chan *chan)
1186 {
1187 u8 move_role = chan->move_role;
1188 BT_DBG("chan %p", chan);
1189
1190 chan->move_state = L2CAP_MOVE_STABLE;
1191 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1192
1193 if (chan->mode != L2CAP_MODE_ERTM)
1194 return;
1195
1196 switch (move_role) {
1197 case L2CAP_MOVE_ROLE_INITIATOR:
1198 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1199 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1200 break;
1201 case L2CAP_MOVE_ROLE_RESPONDER:
1202 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1203 break;
1204 }
1205 }
1206
1207 static void l2cap_chan_ready(struct l2cap_chan *chan)
1208 {
1209 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1210 chan->conf_state = 0;
1211 __clear_chan_timer(chan);
1212
1213 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1214 chan->ops->suspend(chan);
1215
1216 chan->state = BT_CONNECTED;
1217
1218 chan->ops->ready(chan);
1219 }
1220
1221 static void l2cap_le_connect(struct l2cap_chan *chan)
1222 {
1223 struct l2cap_conn *conn = chan->conn;
1224 struct l2cap_le_conn_req req;
1225
1226 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1227 return;
1228
1229 req.psm = chan->psm;
1230 req.scid = cpu_to_le16(chan->scid);
1231 req.mtu = cpu_to_le16(chan->imtu);
1232 req.mps = cpu_to_le16(chan->mps);
1233 req.credits = cpu_to_le16(chan->rx_credits);
1234
1235 chan->ident = l2cap_get_ident(conn);
1236
1237 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1238 sizeof(req), &req);
1239 }
1240
1241 static void l2cap_le_start(struct l2cap_chan *chan)
1242 {
1243 struct l2cap_conn *conn = chan->conn;
1244
1245 if (!smp_conn_security(conn->hcon, chan->sec_level))
1246 return;
1247
1248 if (!chan->psm) {
1249 l2cap_chan_ready(chan);
1250 return;
1251 }
1252
1253 if (chan->state == BT_CONNECT)
1254 l2cap_le_connect(chan);
1255 }
1256
1257 static void l2cap_start_connection(struct l2cap_chan *chan)
1258 {
1259 if (__amp_capable(chan)) {
1260 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1261 a2mp_discover_amp(chan);
1262 } else if (chan->conn->hcon->type == LE_LINK) {
1263 l2cap_le_start(chan);
1264 } else {
1265 l2cap_send_conn_req(chan);
1266 }
1267 }
1268
1269 static void l2cap_do_start(struct l2cap_chan *chan)
1270 {
1271 struct l2cap_conn *conn = chan->conn;
1272
1273 if (conn->hcon->type == LE_LINK) {
1274 l2cap_le_start(chan);
1275 return;
1276 }
1277
1278 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
1279 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1280 return;
1281
1282 if (l2cap_chan_check_security(chan, true) &&
1283 __l2cap_no_conn_pending(chan)) {
1284 l2cap_start_connection(chan);
1285 }
1286 } else {
1287 struct l2cap_info_req req;
1288 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1289
1290 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1291 conn->info_ident = l2cap_get_ident(conn);
1292
1293 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1294
1295 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1296 sizeof(req), &req);
1297 }
1298 }
1299
1300 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1301 {
1302 u32 local_feat_mask = l2cap_feat_mask;
1303 if (!disable_ertm)
1304 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1305
1306 switch (mode) {
1307 case L2CAP_MODE_ERTM:
1308 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1309 case L2CAP_MODE_STREAMING:
1310 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1311 default:
1312 return 0x00;
1313 }
1314 }
1315
1316 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1317 {
1318 struct l2cap_conn *conn = chan->conn;
1319 struct l2cap_disconn_req req;
1320
1321 if (!conn)
1322 return;
1323
1324 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1325 __clear_retrans_timer(chan);
1326 __clear_monitor_timer(chan);
1327 __clear_ack_timer(chan);
1328 }
1329
1330 if (chan->scid == L2CAP_CID_A2MP) {
1331 l2cap_state_change(chan, BT_DISCONN);
1332 return;
1333 }
1334
1335 req.dcid = cpu_to_le16(chan->dcid);
1336 req.scid = cpu_to_le16(chan->scid);
1337 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1338 sizeof(req), &req);
1339
1340 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1341 }
1342
1343 /* ---- L2CAP connections ---- */
1344 static void l2cap_conn_start(struct l2cap_conn *conn)
1345 {
1346 struct l2cap_chan *chan, *tmp;
1347
1348 BT_DBG("conn %p", conn);
1349
1350 mutex_lock(&conn->chan_lock);
1351
1352 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1353 l2cap_chan_lock(chan);
1354
1355 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1356 l2cap_chan_unlock(chan);
1357 continue;
1358 }
1359
1360 if (chan->state == BT_CONNECT) {
1361 if (!l2cap_chan_check_security(chan, true) ||
1362 !__l2cap_no_conn_pending(chan)) {
1363 l2cap_chan_unlock(chan);
1364 continue;
1365 }
1366
1367 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1368 && test_bit(CONF_STATE2_DEVICE,
1369 &chan->conf_state)) {
1370 l2cap_chan_close(chan, ECONNRESET);
1371 l2cap_chan_unlock(chan);
1372 continue;
1373 }
1374
1375 l2cap_start_connection(chan);
1376
1377 } else if (chan->state == BT_CONNECT2) {
1378 struct l2cap_conn_rsp rsp;
1379 char buf[128];
1380 rsp.scid = cpu_to_le16(chan->dcid);
1381 rsp.dcid = cpu_to_le16(chan->scid);
1382
1383 if (l2cap_chan_check_security(chan, false)) {
1384 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1385 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1386 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1387 chan->ops->defer(chan);
1388
1389 } else {
1390 l2cap_state_change(chan, BT_CONFIG);
1391 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1392 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1393 }
1394 } else {
1395 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1396 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1397 }
1398
1399 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1400 sizeof(rsp), &rsp);
1401
1402 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1403 rsp.result != L2CAP_CR_SUCCESS) {
1404 l2cap_chan_unlock(chan);
1405 continue;
1406 }
1407
1408 set_bit(CONF_REQ_SENT, &chan->conf_state);
1409 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1410 l2cap_build_conf_req(chan, buf), buf);
1411 chan->num_conf_req++;
1412 }
1413
1414 l2cap_chan_unlock(chan);
1415 }
1416
1417 mutex_unlock(&conn->chan_lock);
1418 }
1419
1420 /* Find socket with cid and source/destination bdaddr.
1421 * Returns closest match, locked.
1422 */
1423 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1424 bdaddr_t *src,
1425 bdaddr_t *dst)
1426 {
1427 struct l2cap_chan *c, *c1 = NULL;
1428
1429 read_lock(&chan_list_lock);
1430
1431 list_for_each_entry(c, &chan_list, global_l) {
1432 if (state && c->state != state)
1433 continue;
1434
1435 if (c->scid == cid) {
1436 int src_match, dst_match;
1437 int src_any, dst_any;
1438
1439 /* Exact match. */
1440 src_match = !bacmp(&c->src, src);
1441 dst_match = !bacmp(&c->dst, dst);
1442 if (src_match && dst_match) {
1443 read_unlock(&chan_list_lock);
1444 return c;
1445 }
1446
1447 /* Closest match */
1448 src_any = !bacmp(&c->src, BDADDR_ANY);
1449 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1450 if ((src_match && dst_any) || (src_any && dst_match) ||
1451 (src_any && dst_any))
1452 c1 = c;
1453 }
1454 }
1455
1456 read_unlock(&chan_list_lock);
1457
1458 return c1;
1459 }
1460
1461 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1462 {
1463 struct hci_conn *hcon = conn->hcon;
1464 struct hci_dev *hdev = hcon->hdev;
1465 struct l2cap_chan *chan, *pchan;
1466 u8 dst_type;
1467
1468 BT_DBG("");
1469
1470 /* Check if we have socket listening on cid */
1471 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
1472 &hcon->src, &hcon->dst);
1473 if (!pchan)
1474 return;
1475
1476 /* Client ATT sockets should override the server one */
1477 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1478 return;
1479
1480 dst_type = bdaddr_type(hcon, hcon->dst_type);
1481
1482 /* If device is blocked, do not create a channel for it */
1483 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
1484 return;
1485
1486 /* For LE slave connections, make sure the connection interval
1487 * is in the range of the minium and maximum interval that has
1488 * been configured for this connection. If not, then trigger
1489 * the connection update procedure.
1490 */
1491 if (hcon->role == HCI_ROLE_SLAVE &&
1492 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1493 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1494 struct l2cap_conn_param_update_req req;
1495
1496 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1497 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1498 req.latency = cpu_to_le16(hcon->le_conn_latency);
1499 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1500
1501 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1502 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1503 }
1504
1505 l2cap_chan_lock(pchan);
1506
1507 chan = pchan->ops->new_connection(pchan);
1508 if (!chan)
1509 goto clean;
1510
1511 bacpy(&chan->src, &hcon->src);
1512 bacpy(&chan->dst, &hcon->dst);
1513 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1514 chan->dst_type = dst_type;
1515
1516 __l2cap_chan_add(conn, chan);
1517
1518 clean:
1519 l2cap_chan_unlock(pchan);
1520 }
1521
1522 static void l2cap_conn_ready(struct l2cap_conn *conn)
1523 {
1524 struct l2cap_chan *chan;
1525 struct hci_conn *hcon = conn->hcon;
1526
1527 BT_DBG("conn %p", conn);
1528
1529 /* For outgoing pairing which doesn't necessarily have an
1530 * associated socket (e.g. mgmt_pair_device).
1531 */
1532 if (hcon->out && hcon->type == LE_LINK)
1533 smp_conn_security(hcon, hcon->pending_sec_level);
1534
1535 mutex_lock(&conn->chan_lock);
1536
1537 if (hcon->type == LE_LINK)
1538 l2cap_le_conn_ready(conn);
1539
1540 list_for_each_entry(chan, &conn->chan_l, list) {
1541
1542 l2cap_chan_lock(chan);
1543
1544 if (chan->scid == L2CAP_CID_A2MP) {
1545 l2cap_chan_unlock(chan);
1546 continue;
1547 }
1548
1549 if (hcon->type == LE_LINK) {
1550 l2cap_le_start(chan);
1551 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1552 l2cap_chan_ready(chan);
1553
1554 } else if (chan->state == BT_CONNECT) {
1555 l2cap_do_start(chan);
1556 }
1557
1558 l2cap_chan_unlock(chan);
1559 }
1560
1561 mutex_unlock(&conn->chan_lock);
1562
1563 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1564 }
1565
1566 /* Notify sockets that we cannot guaranty reliability anymore */
1567 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1568 {
1569 struct l2cap_chan *chan;
1570
1571 BT_DBG("conn %p", conn);
1572
1573 mutex_lock(&conn->chan_lock);
1574
1575 list_for_each_entry(chan, &conn->chan_l, list) {
1576 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1577 l2cap_chan_set_err(chan, err);
1578 }
1579
1580 mutex_unlock(&conn->chan_lock);
1581 }
1582
1583 static void l2cap_info_timeout(struct work_struct *work)
1584 {
1585 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1586 info_timer.work);
1587
1588 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1589 conn->info_ident = 0;
1590
1591 l2cap_conn_start(conn);
1592 }
1593
1594 /*
1595 * l2cap_user
1596 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1597 * callback is called during registration. The ->remove callback is called
1598 * during unregistration.
1599 * An l2cap_user object can either be explicitly unregistered or when the
1600 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1601 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1602 * External modules must own a reference to the l2cap_conn object if they intend
1603 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1604 * any time if they don't.
1605 */
1606
1607 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1608 {
1609 struct hci_dev *hdev = conn->hcon->hdev;
1610 int ret;
1611
1612 /* We need to check whether l2cap_conn is registered. If it is not, we
1613 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1614 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1615 * relies on the parent hci_conn object to be locked. This itself relies
1616 * on the hci_dev object to be locked. So we must lock the hci device
1617 * here, too. */
1618
1619 hci_dev_lock(hdev);
1620
1621 if (user->list.next || user->list.prev) {
1622 ret = -EINVAL;
1623 goto out_unlock;
1624 }
1625
1626 /* conn->hchan is NULL after l2cap_conn_del() was called */
1627 if (!conn->hchan) {
1628 ret = -ENODEV;
1629 goto out_unlock;
1630 }
1631
1632 ret = user->probe(conn, user);
1633 if (ret)
1634 goto out_unlock;
1635
1636 list_add(&user->list, &conn->users);
1637 ret = 0;
1638
1639 out_unlock:
1640 hci_dev_unlock(hdev);
1641 return ret;
1642 }
1643 EXPORT_SYMBOL(l2cap_register_user);
1644
1645 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1646 {
1647 struct hci_dev *hdev = conn->hcon->hdev;
1648
1649 hci_dev_lock(hdev);
1650
1651 if (!user->list.next || !user->list.prev)
1652 goto out_unlock;
1653
1654 list_del(&user->list);
1655 user->list.next = NULL;
1656 user->list.prev = NULL;
1657 user->remove(conn, user);
1658
1659 out_unlock:
1660 hci_dev_unlock(hdev);
1661 }
1662 EXPORT_SYMBOL(l2cap_unregister_user);
1663
1664 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1665 {
1666 struct l2cap_user *user;
1667
1668 while (!list_empty(&conn->users)) {
1669 user = list_first_entry(&conn->users, struct l2cap_user, list);
1670 list_del(&user->list);
1671 user->list.next = NULL;
1672 user->list.prev = NULL;
1673 user->remove(conn, user);
1674 }
1675 }
1676
1677 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1678 {
1679 struct l2cap_conn *conn = hcon->l2cap_data;
1680 struct l2cap_chan *chan, *l;
1681
1682 if (!conn)
1683 return;
1684
1685 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1686
1687 kfree_skb(conn->rx_skb);
1688
1689 skb_queue_purge(&conn->pending_rx);
1690
1691 /* We can not call flush_work(&conn->pending_rx_work) here since we
1692 * might block if we are running on a worker from the same workqueue
1693 * pending_rx_work is waiting on.
1694 */
1695 if (work_pending(&conn->pending_rx_work))
1696 cancel_work_sync(&conn->pending_rx_work);
1697
1698 l2cap_unregister_all_users(conn);
1699
1700 mutex_lock(&conn->chan_lock);
1701
1702 /* Kill channels */
1703 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1704 l2cap_chan_hold(chan);
1705 l2cap_chan_lock(chan);
1706
1707 l2cap_chan_del(chan, err);
1708
1709 l2cap_chan_unlock(chan);
1710
1711 chan->ops->close(chan);
1712 l2cap_chan_put(chan);
1713 }
1714
1715 mutex_unlock(&conn->chan_lock);
1716
1717 hci_chan_del(conn->hchan);
1718
1719 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1720 cancel_delayed_work_sync(&conn->info_timer);
1721
1722 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1723 cancel_delayed_work_sync(&conn->security_timer);
1724 smp_chan_destroy(conn);
1725 }
1726
1727 hcon->l2cap_data = NULL;
1728 conn->hchan = NULL;
1729 l2cap_conn_put(conn);
1730 }
1731
1732 static void security_timeout(struct work_struct *work)
1733 {
1734 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1735 security_timer.work);
1736
1737 BT_DBG("conn %p", conn);
1738
1739 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1740 smp_chan_destroy(conn);
1741 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1742 }
1743 }
1744
1745 static void l2cap_conn_free(struct kref *ref)
1746 {
1747 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1748
1749 hci_conn_put(conn->hcon);
1750 kfree(conn);
1751 }
1752
1753 void l2cap_conn_get(struct l2cap_conn *conn)
1754 {
1755 kref_get(&conn->ref);
1756 }
1757 EXPORT_SYMBOL(l2cap_conn_get);
1758
1759 void l2cap_conn_put(struct l2cap_conn *conn)
1760 {
1761 kref_put(&conn->ref, l2cap_conn_free);
1762 }
1763 EXPORT_SYMBOL(l2cap_conn_put);
1764
1765 /* ---- Socket interface ---- */
1766
1767 /* Find socket with psm and source / destination bdaddr.
1768 * Returns closest match.
1769 */
1770 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1771 bdaddr_t *src,
1772 bdaddr_t *dst,
1773 u8 link_type)
1774 {
1775 struct l2cap_chan *c, *c1 = NULL;
1776
1777 read_lock(&chan_list_lock);
1778
1779 list_for_each_entry(c, &chan_list, global_l) {
1780 if (state && c->state != state)
1781 continue;
1782
1783 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1784 continue;
1785
1786 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1787 continue;
1788
1789 if (c->psm == psm) {
1790 int src_match, dst_match;
1791 int src_any, dst_any;
1792
1793 /* Exact match. */
1794 src_match = !bacmp(&c->src, src);
1795 dst_match = !bacmp(&c->dst, dst);
1796 if (src_match && dst_match) {
1797 read_unlock(&chan_list_lock);
1798 return c;
1799 }
1800
1801 /* Closest match */
1802 src_any = !bacmp(&c->src, BDADDR_ANY);
1803 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1804 if ((src_match && dst_any) || (src_any && dst_match) ||
1805 (src_any && dst_any))
1806 c1 = c;
1807 }
1808 }
1809
1810 read_unlock(&chan_list_lock);
1811
1812 return c1;
1813 }
1814
1815 static void l2cap_monitor_timeout(struct work_struct *work)
1816 {
1817 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1818 monitor_timer.work);
1819
1820 BT_DBG("chan %p", chan);
1821
1822 l2cap_chan_lock(chan);
1823
1824 if (!chan->conn) {
1825 l2cap_chan_unlock(chan);
1826 l2cap_chan_put(chan);
1827 return;
1828 }
1829
1830 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1831
1832 l2cap_chan_unlock(chan);
1833 l2cap_chan_put(chan);
1834 }
1835
1836 static void l2cap_retrans_timeout(struct work_struct *work)
1837 {
1838 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1839 retrans_timer.work);
1840
1841 BT_DBG("chan %p", chan);
1842
1843 l2cap_chan_lock(chan);
1844
1845 if (!chan->conn) {
1846 l2cap_chan_unlock(chan);
1847 l2cap_chan_put(chan);
1848 return;
1849 }
1850
1851 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1852 l2cap_chan_unlock(chan);
1853 l2cap_chan_put(chan);
1854 }
1855
1856 static void l2cap_streaming_send(struct l2cap_chan *chan,
1857 struct sk_buff_head *skbs)
1858 {
1859 struct sk_buff *skb;
1860 struct l2cap_ctrl *control;
1861
1862 BT_DBG("chan %p, skbs %p", chan, skbs);
1863
1864 if (__chan_is_moving(chan))
1865 return;
1866
1867 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1868
1869 while (!skb_queue_empty(&chan->tx_q)) {
1870
1871 skb = skb_dequeue(&chan->tx_q);
1872
1873 bt_cb(skb)->control.retries = 1;
1874 control = &bt_cb(skb)->control;
1875
1876 control->reqseq = 0;
1877 control->txseq = chan->next_tx_seq;
1878
1879 __pack_control(chan, control, skb);
1880
1881 if (chan->fcs == L2CAP_FCS_CRC16) {
1882 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1883 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1884 }
1885
1886 l2cap_do_send(chan, skb);
1887
1888 BT_DBG("Sent txseq %u", control->txseq);
1889
1890 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1891 chan->frames_sent++;
1892 }
1893 }
1894
1895 static int l2cap_ertm_send(struct l2cap_chan *chan)
1896 {
1897 struct sk_buff *skb, *tx_skb;
1898 struct l2cap_ctrl *control;
1899 int sent = 0;
1900
1901 BT_DBG("chan %p", chan);
1902
1903 if (chan->state != BT_CONNECTED)
1904 return -ENOTCONN;
1905
1906 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1907 return 0;
1908
1909 if (__chan_is_moving(chan))
1910 return 0;
1911
1912 while (chan->tx_send_head &&
1913 chan->unacked_frames < chan->remote_tx_win &&
1914 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1915
1916 skb = chan->tx_send_head;
1917
1918 bt_cb(skb)->control.retries = 1;
1919 control = &bt_cb(skb)->control;
1920
1921 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1922 control->final = 1;
1923
1924 control->reqseq = chan->buffer_seq;
1925 chan->last_acked_seq = chan->buffer_seq;
1926 control->txseq = chan->next_tx_seq;
1927
1928 __pack_control(chan, control, skb);
1929
1930 if (chan->fcs == L2CAP_FCS_CRC16) {
1931 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1932 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1933 }
1934
1935 /* Clone after data has been modified. Data is assumed to be
1936 read-only (for locking purposes) on cloned sk_buffs.
1937 */
1938 tx_skb = skb_clone(skb, GFP_KERNEL);
1939
1940 if (!tx_skb)
1941 break;
1942
1943 __set_retrans_timer(chan);
1944
1945 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1946 chan->unacked_frames++;
1947 chan->frames_sent++;
1948 sent++;
1949
1950 if (skb_queue_is_last(&chan->tx_q, skb))
1951 chan->tx_send_head = NULL;
1952 else
1953 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1954
1955 l2cap_do_send(chan, tx_skb);
1956 BT_DBG("Sent txseq %u", control->txseq);
1957 }
1958
1959 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1960 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1961
1962 return sent;
1963 }
1964
1965 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1966 {
1967 struct l2cap_ctrl control;
1968 struct sk_buff *skb;
1969 struct sk_buff *tx_skb;
1970 u16 seq;
1971
1972 BT_DBG("chan %p", chan);
1973
1974 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1975 return;
1976
1977 if (__chan_is_moving(chan))
1978 return;
1979
1980 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1981 seq = l2cap_seq_list_pop(&chan->retrans_list);
1982
1983 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1984 if (!skb) {
1985 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1986 seq);
1987 continue;
1988 }
1989
1990 bt_cb(skb)->control.retries++;
1991 control = bt_cb(skb)->control;
1992
1993 if (chan->max_tx != 0 &&
1994 bt_cb(skb)->control.retries > chan->max_tx) {
1995 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1996 l2cap_send_disconn_req(chan, ECONNRESET);
1997 l2cap_seq_list_clear(&chan->retrans_list);
1998 break;
1999 }
2000
2001 control.reqseq = chan->buffer_seq;
2002 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2003 control.final = 1;
2004 else
2005 control.final = 0;
2006
2007 if (skb_cloned(skb)) {
2008 /* Cloned sk_buffs are read-only, so we need a
2009 * writeable copy
2010 */
2011 tx_skb = skb_copy(skb, GFP_KERNEL);
2012 } else {
2013 tx_skb = skb_clone(skb, GFP_KERNEL);
2014 }
2015
2016 if (!tx_skb) {
2017 l2cap_seq_list_clear(&chan->retrans_list);
2018 break;
2019 }
2020
2021 /* Update skb contents */
2022 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2023 put_unaligned_le32(__pack_extended_control(&control),
2024 tx_skb->data + L2CAP_HDR_SIZE);
2025 } else {
2026 put_unaligned_le16(__pack_enhanced_control(&control),
2027 tx_skb->data + L2CAP_HDR_SIZE);
2028 }
2029
2030 if (chan->fcs == L2CAP_FCS_CRC16) {
2031 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2032 put_unaligned_le16(fcs, skb_put(tx_skb,
2033 L2CAP_FCS_SIZE));
2034 }
2035
2036 l2cap_do_send(chan, tx_skb);
2037
2038 BT_DBG("Resent txseq %d", control.txseq);
2039
2040 chan->last_acked_seq = chan->buffer_seq;
2041 }
2042 }
2043
2044 static void l2cap_retransmit(struct l2cap_chan *chan,
2045 struct l2cap_ctrl *control)
2046 {
2047 BT_DBG("chan %p, control %p", chan, control);
2048
2049 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2050 l2cap_ertm_resend(chan);
2051 }
2052
2053 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2054 struct l2cap_ctrl *control)
2055 {
2056 struct sk_buff *skb;
2057
2058 BT_DBG("chan %p, control %p", chan, control);
2059
2060 if (control->poll)
2061 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2062
2063 l2cap_seq_list_clear(&chan->retrans_list);
2064
2065 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2066 return;
2067
2068 if (chan->unacked_frames) {
2069 skb_queue_walk(&chan->tx_q, skb) {
2070 if (bt_cb(skb)->control.txseq == control->reqseq ||
2071 skb == chan->tx_send_head)
2072 break;
2073 }
2074
2075 skb_queue_walk_from(&chan->tx_q, skb) {
2076 if (skb == chan->tx_send_head)
2077 break;
2078
2079 l2cap_seq_list_append(&chan->retrans_list,
2080 bt_cb(skb)->control.txseq);
2081 }
2082
2083 l2cap_ertm_resend(chan);
2084 }
2085 }
2086
2087 static void l2cap_send_ack(struct l2cap_chan *chan)
2088 {
2089 struct l2cap_ctrl control;
2090 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2091 chan->last_acked_seq);
2092 int threshold;
2093
2094 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2095 chan, chan->last_acked_seq, chan->buffer_seq);
2096
2097 memset(&control, 0, sizeof(control));
2098 control.sframe = 1;
2099
2100 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2101 chan->rx_state == L2CAP_RX_STATE_RECV) {
2102 __clear_ack_timer(chan);
2103 control.super = L2CAP_SUPER_RNR;
2104 control.reqseq = chan->buffer_seq;
2105 l2cap_send_sframe(chan, &control);
2106 } else {
2107 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2108 l2cap_ertm_send(chan);
2109 /* If any i-frames were sent, they included an ack */
2110 if (chan->buffer_seq == chan->last_acked_seq)
2111 frames_to_ack = 0;
2112 }
2113
2114 /* Ack now if the window is 3/4ths full.
2115 * Calculate without mul or div
2116 */
2117 threshold = chan->ack_win;
2118 threshold += threshold << 1;
2119 threshold >>= 2;
2120
2121 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2122 threshold);
2123
2124 if (frames_to_ack >= threshold) {
2125 __clear_ack_timer(chan);
2126 control.super = L2CAP_SUPER_RR;
2127 control.reqseq = chan->buffer_seq;
2128 l2cap_send_sframe(chan, &control);
2129 frames_to_ack = 0;
2130 }
2131
2132 if (frames_to_ack)
2133 __set_ack_timer(chan);
2134 }
2135 }
2136
2137 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2138 struct msghdr *msg, int len,
2139 int count, struct sk_buff *skb)
2140 {
2141 struct l2cap_conn *conn = chan->conn;
2142 struct sk_buff **frag;
2143 int sent = 0;
2144
2145 if (chan->ops->memcpy_fromiovec(chan, skb_put(skb, count),
2146 msg->msg_iov, count))
2147 return -EFAULT;
2148
2149 sent += count;
2150 len -= count;
2151
2152 /* Continuation fragments (no L2CAP header) */
2153 frag = &skb_shinfo(skb)->frag_list;
2154 while (len) {
2155 struct sk_buff *tmp;
2156
2157 count = min_t(unsigned int, conn->mtu, len);
2158
2159 tmp = chan->ops->alloc_skb(chan, 0, count,
2160 msg->msg_flags & MSG_DONTWAIT);
2161 if (IS_ERR(tmp))
2162 return PTR_ERR(tmp);
2163
2164 *frag = tmp;
2165
2166 if (chan->ops->memcpy_fromiovec(chan, skb_put(*frag, count),
2167 msg->msg_iov, count))
2168 return -EFAULT;
2169
2170 sent += count;
2171 len -= count;
2172
2173 skb->len += (*frag)->len;
2174 skb->data_len += (*frag)->len;
2175
2176 frag = &(*frag)->next;
2177 }
2178
2179 return sent;
2180 }
2181
2182 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2183 struct msghdr *msg, size_t len)
2184 {
2185 struct l2cap_conn *conn = chan->conn;
2186 struct sk_buff *skb;
2187 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2188 struct l2cap_hdr *lh;
2189
2190 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2191 __le16_to_cpu(chan->psm), len);
2192
2193 count = min_t(unsigned int, (conn->mtu - hlen), len);
2194
2195 skb = chan->ops->alloc_skb(chan, hlen, count,
2196 msg->msg_flags & MSG_DONTWAIT);
2197 if (IS_ERR(skb))
2198 return skb;
2199
2200 /* Create L2CAP header */
2201 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2202 lh->cid = cpu_to_le16(chan->dcid);
2203 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2204 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2205
2206 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2207 if (unlikely(err < 0)) {
2208 kfree_skb(skb);
2209 return ERR_PTR(err);
2210 }
2211 return skb;
2212 }
2213
2214 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2215 struct msghdr *msg, size_t len)
2216 {
2217 struct l2cap_conn *conn = chan->conn;
2218 struct sk_buff *skb;
2219 int err, count;
2220 struct l2cap_hdr *lh;
2221
2222 BT_DBG("chan %p len %zu", chan, len);
2223
2224 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2225
2226 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2227 msg->msg_flags & MSG_DONTWAIT);
2228 if (IS_ERR(skb))
2229 return skb;
2230
2231 /* Create L2CAP header */
2232 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2233 lh->cid = cpu_to_le16(chan->dcid);
2234 lh->len = cpu_to_le16(len);
2235
2236 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2237 if (unlikely(err < 0)) {
2238 kfree_skb(skb);
2239 return ERR_PTR(err);
2240 }
2241 return skb;
2242 }
2243
2244 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2245 struct msghdr *msg, size_t len,
2246 u16 sdulen)
2247 {
2248 struct l2cap_conn *conn = chan->conn;
2249 struct sk_buff *skb;
2250 int err, count, hlen;
2251 struct l2cap_hdr *lh;
2252
2253 BT_DBG("chan %p len %zu", chan, len);
2254
2255 if (!conn)
2256 return ERR_PTR(-ENOTCONN);
2257
2258 hlen = __ertm_hdr_size(chan);
2259
2260 if (sdulen)
2261 hlen += L2CAP_SDULEN_SIZE;
2262
2263 if (chan->fcs == L2CAP_FCS_CRC16)
2264 hlen += L2CAP_FCS_SIZE;
2265
2266 count = min_t(unsigned int, (conn->mtu - hlen), len);
2267
2268 skb = chan->ops->alloc_skb(chan, hlen, count,
2269 msg->msg_flags & MSG_DONTWAIT);
2270 if (IS_ERR(skb))
2271 return skb;
2272
2273 /* Create L2CAP header */
2274 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2275 lh->cid = cpu_to_le16(chan->dcid);
2276 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2277
2278 /* Control header is populated later */
2279 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2280 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2281 else
2282 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2283
2284 if (sdulen)
2285 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2286
2287 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2288 if (unlikely(err < 0)) {
2289 kfree_skb(skb);
2290 return ERR_PTR(err);
2291 }
2292
2293 bt_cb(skb)->control.fcs = chan->fcs;
2294 bt_cb(skb)->control.retries = 0;
2295 return skb;
2296 }
2297
2298 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2299 struct sk_buff_head *seg_queue,
2300 struct msghdr *msg, size_t len)
2301 {
2302 struct sk_buff *skb;
2303 u16 sdu_len;
2304 size_t pdu_len;
2305 u8 sar;
2306
2307 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2308
2309 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2310 * so fragmented skbs are not used. The HCI layer's handling
2311 * of fragmented skbs is not compatible with ERTM's queueing.
2312 */
2313
2314 /* PDU size is derived from the HCI MTU */
2315 pdu_len = chan->conn->mtu;
2316
2317 /* Constrain PDU size for BR/EDR connections */
2318 if (!chan->hs_hcon)
2319 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2320
2321 /* Adjust for largest possible L2CAP overhead. */
2322 if (chan->fcs)
2323 pdu_len -= L2CAP_FCS_SIZE;
2324
2325 pdu_len -= __ertm_hdr_size(chan);
2326
2327 /* Remote device may have requested smaller PDUs */
2328 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2329
2330 if (len <= pdu_len) {
2331 sar = L2CAP_SAR_UNSEGMENTED;
2332 sdu_len = 0;
2333 pdu_len = len;
2334 } else {
2335 sar = L2CAP_SAR_START;
2336 sdu_len = len;
2337 pdu_len -= L2CAP_SDULEN_SIZE;
2338 }
2339
2340 while (len > 0) {
2341 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2342
2343 if (IS_ERR(skb)) {
2344 __skb_queue_purge(seg_queue);
2345 return PTR_ERR(skb);
2346 }
2347
2348 bt_cb(skb)->control.sar = sar;
2349 __skb_queue_tail(seg_queue, skb);
2350
2351 len -= pdu_len;
2352 if (sdu_len) {
2353 sdu_len = 0;
2354 pdu_len += L2CAP_SDULEN_SIZE;
2355 }
2356
2357 if (len <= pdu_len) {
2358 sar = L2CAP_SAR_END;
2359 pdu_len = len;
2360 } else {
2361 sar = L2CAP_SAR_CONTINUE;
2362 }
2363 }
2364
2365 return 0;
2366 }
2367
2368 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2369 struct msghdr *msg,
2370 size_t len, u16 sdulen)
2371 {
2372 struct l2cap_conn *conn = chan->conn;
2373 struct sk_buff *skb;
2374 int err, count, hlen;
2375 struct l2cap_hdr *lh;
2376
2377 BT_DBG("chan %p len %zu", chan, len);
2378
2379 if (!conn)
2380 return ERR_PTR(-ENOTCONN);
2381
2382 hlen = L2CAP_HDR_SIZE;
2383
2384 if (sdulen)
2385 hlen += L2CAP_SDULEN_SIZE;
2386
2387 count = min_t(unsigned int, (conn->mtu - hlen), len);
2388
2389 skb = chan->ops->alloc_skb(chan, hlen, count,
2390 msg->msg_flags & MSG_DONTWAIT);
2391 if (IS_ERR(skb))
2392 return skb;
2393
2394 /* Create L2CAP header */
2395 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2396 lh->cid = cpu_to_le16(chan->dcid);
2397 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2398
2399 if (sdulen)
2400 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2401
2402 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2403 if (unlikely(err < 0)) {
2404 kfree_skb(skb);
2405 return ERR_PTR(err);
2406 }
2407
2408 return skb;
2409 }
2410
2411 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2412 struct sk_buff_head *seg_queue,
2413 struct msghdr *msg, size_t len)
2414 {
2415 struct sk_buff *skb;
2416 size_t pdu_len;
2417 u16 sdu_len;
2418
2419 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2420
2421 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2422
2423 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2424
2425 sdu_len = len;
2426 pdu_len -= L2CAP_SDULEN_SIZE;
2427
2428 while (len > 0) {
2429 if (len <= pdu_len)
2430 pdu_len = len;
2431
2432 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2433 if (IS_ERR(skb)) {
2434 __skb_queue_purge(seg_queue);
2435 return PTR_ERR(skb);
2436 }
2437
2438 __skb_queue_tail(seg_queue, skb);
2439
2440 len -= pdu_len;
2441
2442 if (sdu_len) {
2443 sdu_len = 0;
2444 pdu_len += L2CAP_SDULEN_SIZE;
2445 }
2446 }
2447
2448 return 0;
2449 }
2450
2451 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2452 {
2453 struct sk_buff *skb;
2454 int err;
2455 struct sk_buff_head seg_queue;
2456
2457 if (!chan->conn)
2458 return -ENOTCONN;
2459
2460 /* Connectionless channel */
2461 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2462 skb = l2cap_create_connless_pdu(chan, msg, len);
2463 if (IS_ERR(skb))
2464 return PTR_ERR(skb);
2465
2466 /* Channel lock is released before requesting new skb and then
2467 * reacquired thus we need to recheck channel state.
2468 */
2469 if (chan->state != BT_CONNECTED) {
2470 kfree_skb(skb);
2471 return -ENOTCONN;
2472 }
2473
2474 l2cap_do_send(chan, skb);
2475 return len;
2476 }
2477
2478 switch (chan->mode) {
2479 case L2CAP_MODE_LE_FLOWCTL:
2480 /* Check outgoing MTU */
2481 if (len > chan->omtu)
2482 return -EMSGSIZE;
2483
2484 if (!chan->tx_credits)
2485 return -EAGAIN;
2486
2487 __skb_queue_head_init(&seg_queue);
2488
2489 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2490
2491 if (chan->state != BT_CONNECTED) {
2492 __skb_queue_purge(&seg_queue);
2493 err = -ENOTCONN;
2494 }
2495
2496 if (err)
2497 return err;
2498
2499 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2500
2501 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2502 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2503 chan->tx_credits--;
2504 }
2505
2506 if (!chan->tx_credits)
2507 chan->ops->suspend(chan);
2508
2509 err = len;
2510
2511 break;
2512
2513 case L2CAP_MODE_BASIC:
2514 /* Check outgoing MTU */
2515 if (len > chan->omtu)
2516 return -EMSGSIZE;
2517
2518 /* Create a basic PDU */
2519 skb = l2cap_create_basic_pdu(chan, msg, len);
2520 if (IS_ERR(skb))
2521 return PTR_ERR(skb);
2522
2523 /* Channel lock is released before requesting new skb and then
2524 * reacquired thus we need to recheck channel state.
2525 */
2526 if (chan->state != BT_CONNECTED) {
2527 kfree_skb(skb);
2528 return -ENOTCONN;
2529 }
2530
2531 l2cap_do_send(chan, skb);
2532 err = len;
2533 break;
2534
2535 case L2CAP_MODE_ERTM:
2536 case L2CAP_MODE_STREAMING:
2537 /* Check outgoing MTU */
2538 if (len > chan->omtu) {
2539 err = -EMSGSIZE;
2540 break;
2541 }
2542
2543 __skb_queue_head_init(&seg_queue);
2544
2545 /* Do segmentation before calling in to the state machine,
2546 * since it's possible to block while waiting for memory
2547 * allocation.
2548 */
2549 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2550
2551 /* The channel could have been closed while segmenting,
2552 * check that it is still connected.
2553 */
2554 if (chan->state != BT_CONNECTED) {
2555 __skb_queue_purge(&seg_queue);
2556 err = -ENOTCONN;
2557 }
2558
2559 if (err)
2560 break;
2561
2562 if (chan->mode == L2CAP_MODE_ERTM)
2563 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2564 else
2565 l2cap_streaming_send(chan, &seg_queue);
2566
2567 err = len;
2568
2569 /* If the skbs were not queued for sending, they'll still be in
2570 * seg_queue and need to be purged.
2571 */
2572 __skb_queue_purge(&seg_queue);
2573 break;
2574
2575 default:
2576 BT_DBG("bad state %1.1x", chan->mode);
2577 err = -EBADFD;
2578 }
2579
2580 return err;
2581 }
2582 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2583
2584 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2585 {
2586 struct l2cap_ctrl control;
2587 u16 seq;
2588
2589 BT_DBG("chan %p, txseq %u", chan, txseq);
2590
2591 memset(&control, 0, sizeof(control));
2592 control.sframe = 1;
2593 control.super = L2CAP_SUPER_SREJ;
2594
2595 for (seq = chan->expected_tx_seq; seq != txseq;
2596 seq = __next_seq(chan, seq)) {
2597 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2598 control.reqseq = seq;
2599 l2cap_send_sframe(chan, &control);
2600 l2cap_seq_list_append(&chan->srej_list, seq);
2601 }
2602 }
2603
2604 chan->expected_tx_seq = __next_seq(chan, txseq);
2605 }
2606
2607 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2608 {
2609 struct l2cap_ctrl control;
2610
2611 BT_DBG("chan %p", chan);
2612
2613 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2614 return;
2615
2616 memset(&control, 0, sizeof(control));
2617 control.sframe = 1;
2618 control.super = L2CAP_SUPER_SREJ;
2619 control.reqseq = chan->srej_list.tail;
2620 l2cap_send_sframe(chan, &control);
2621 }
2622
2623 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2624 {
2625 struct l2cap_ctrl control;
2626 u16 initial_head;
2627 u16 seq;
2628
2629 BT_DBG("chan %p, txseq %u", chan, txseq);
2630
2631 memset(&control, 0, sizeof(control));
2632 control.sframe = 1;
2633 control.super = L2CAP_SUPER_SREJ;
2634
2635 /* Capture initial list head to allow only one pass through the list. */
2636 initial_head = chan->srej_list.head;
2637
2638 do {
2639 seq = l2cap_seq_list_pop(&chan->srej_list);
2640 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2641 break;
2642
2643 control.reqseq = seq;
2644 l2cap_send_sframe(chan, &control);
2645 l2cap_seq_list_append(&chan->srej_list, seq);
2646 } while (chan->srej_list.head != initial_head);
2647 }
2648
2649 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2650 {
2651 struct sk_buff *acked_skb;
2652 u16 ackseq;
2653
2654 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2655
2656 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2657 return;
2658
2659 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2660 chan->expected_ack_seq, chan->unacked_frames);
2661
2662 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2663 ackseq = __next_seq(chan, ackseq)) {
2664
2665 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2666 if (acked_skb) {
2667 skb_unlink(acked_skb, &chan->tx_q);
2668 kfree_skb(acked_skb);
2669 chan->unacked_frames--;
2670 }
2671 }
2672
2673 chan->expected_ack_seq = reqseq;
2674
2675 if (chan->unacked_frames == 0)
2676 __clear_retrans_timer(chan);
2677
2678 BT_DBG("unacked_frames %u", chan->unacked_frames);
2679 }
2680
2681 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2682 {
2683 BT_DBG("chan %p", chan);
2684
2685 chan->expected_tx_seq = chan->buffer_seq;
2686 l2cap_seq_list_clear(&chan->srej_list);
2687 skb_queue_purge(&chan->srej_q);
2688 chan->rx_state = L2CAP_RX_STATE_RECV;
2689 }
2690
2691 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2692 struct l2cap_ctrl *control,
2693 struct sk_buff_head *skbs, u8 event)
2694 {
2695 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2696 event);
2697
2698 switch (event) {
2699 case L2CAP_EV_DATA_REQUEST:
2700 if (chan->tx_send_head == NULL)
2701 chan->tx_send_head = skb_peek(skbs);
2702
2703 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2704 l2cap_ertm_send(chan);
2705 break;
2706 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2707 BT_DBG("Enter LOCAL_BUSY");
2708 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2709
2710 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2711 /* The SREJ_SENT state must be aborted if we are to
2712 * enter the LOCAL_BUSY state.
2713 */
2714 l2cap_abort_rx_srej_sent(chan);
2715 }
2716
2717 l2cap_send_ack(chan);
2718
2719 break;
2720 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2721 BT_DBG("Exit LOCAL_BUSY");
2722 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2723
2724 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2725 struct l2cap_ctrl local_control;
2726
2727 memset(&local_control, 0, sizeof(local_control));
2728 local_control.sframe = 1;
2729 local_control.super = L2CAP_SUPER_RR;
2730 local_control.poll = 1;
2731 local_control.reqseq = chan->buffer_seq;
2732 l2cap_send_sframe(chan, &local_control);
2733
2734 chan->retry_count = 1;
2735 __set_monitor_timer(chan);
2736 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2737 }
2738 break;
2739 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2740 l2cap_process_reqseq(chan, control->reqseq);
2741 break;
2742 case L2CAP_EV_EXPLICIT_POLL:
2743 l2cap_send_rr_or_rnr(chan, 1);
2744 chan->retry_count = 1;
2745 __set_monitor_timer(chan);
2746 __clear_ack_timer(chan);
2747 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2748 break;
2749 case L2CAP_EV_RETRANS_TO:
2750 l2cap_send_rr_or_rnr(chan, 1);
2751 chan->retry_count = 1;
2752 __set_monitor_timer(chan);
2753 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2754 break;
2755 case L2CAP_EV_RECV_FBIT:
2756 /* Nothing to process */
2757 break;
2758 default:
2759 break;
2760 }
2761 }
2762
2763 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2764 struct l2cap_ctrl *control,
2765 struct sk_buff_head *skbs, u8 event)
2766 {
2767 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2768 event);
2769
2770 switch (event) {
2771 case L2CAP_EV_DATA_REQUEST:
2772 if (chan->tx_send_head == NULL)
2773 chan->tx_send_head = skb_peek(skbs);
2774 /* Queue data, but don't send. */
2775 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2776 break;
2777 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2778 BT_DBG("Enter LOCAL_BUSY");
2779 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2780
2781 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2782 /* The SREJ_SENT state must be aborted if we are to
2783 * enter the LOCAL_BUSY state.
2784 */
2785 l2cap_abort_rx_srej_sent(chan);
2786 }
2787
2788 l2cap_send_ack(chan);
2789
2790 break;
2791 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2792 BT_DBG("Exit LOCAL_BUSY");
2793 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2794
2795 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2796 struct l2cap_ctrl local_control;
2797 memset(&local_control, 0, sizeof(local_control));
2798 local_control.sframe = 1;
2799 local_control.super = L2CAP_SUPER_RR;
2800 local_control.poll = 1;
2801 local_control.reqseq = chan->buffer_seq;
2802 l2cap_send_sframe(chan, &local_control);
2803
2804 chan->retry_count = 1;
2805 __set_monitor_timer(chan);
2806 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2807 }
2808 break;
2809 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2810 l2cap_process_reqseq(chan, control->reqseq);
2811
2812 /* Fall through */
2813
2814 case L2CAP_EV_RECV_FBIT:
2815 if (control && control->final) {
2816 __clear_monitor_timer(chan);
2817 if (chan->unacked_frames > 0)
2818 __set_retrans_timer(chan);
2819 chan->retry_count = 0;
2820 chan->tx_state = L2CAP_TX_STATE_XMIT;
2821 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2822 }
2823 break;
2824 case L2CAP_EV_EXPLICIT_POLL:
2825 /* Ignore */
2826 break;
2827 case L2CAP_EV_MONITOR_TO:
2828 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2829 l2cap_send_rr_or_rnr(chan, 1);
2830 __set_monitor_timer(chan);
2831 chan->retry_count++;
2832 } else {
2833 l2cap_send_disconn_req(chan, ECONNABORTED);
2834 }
2835 break;
2836 default:
2837 break;
2838 }
2839 }
2840
2841 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2842 struct sk_buff_head *skbs, u8 event)
2843 {
2844 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2845 chan, control, skbs, event, chan->tx_state);
2846
2847 switch (chan->tx_state) {
2848 case L2CAP_TX_STATE_XMIT:
2849 l2cap_tx_state_xmit(chan, control, skbs, event);
2850 break;
2851 case L2CAP_TX_STATE_WAIT_F:
2852 l2cap_tx_state_wait_f(chan, control, skbs, event);
2853 break;
2854 default:
2855 /* Ignore event */
2856 break;
2857 }
2858 }
2859
2860 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2861 struct l2cap_ctrl *control)
2862 {
2863 BT_DBG("chan %p, control %p", chan, control);
2864 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2865 }
2866
2867 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2868 struct l2cap_ctrl *control)
2869 {
2870 BT_DBG("chan %p, control %p", chan, control);
2871 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2872 }
2873
2874 /* Copy frame to all raw sockets on that connection */
2875 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2876 {
2877 struct sk_buff *nskb;
2878 struct l2cap_chan *chan;
2879
2880 BT_DBG("conn %p", conn);
2881
2882 mutex_lock(&conn->chan_lock);
2883
2884 list_for_each_entry(chan, &conn->chan_l, list) {
2885 if (chan->chan_type != L2CAP_CHAN_RAW)
2886 continue;
2887
2888 /* Don't send frame to the channel it came from */
2889 if (bt_cb(skb)->chan == chan)
2890 continue;
2891
2892 nskb = skb_clone(skb, GFP_KERNEL);
2893 if (!nskb)
2894 continue;
2895 if (chan->ops->recv(chan, nskb))
2896 kfree_skb(nskb);
2897 }
2898
2899 mutex_unlock(&conn->chan_lock);
2900 }
2901
2902 /* ---- L2CAP signalling commands ---- */
2903 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2904 u8 ident, u16 dlen, void *data)
2905 {
2906 struct sk_buff *skb, **frag;
2907 struct l2cap_cmd_hdr *cmd;
2908 struct l2cap_hdr *lh;
2909 int len, count;
2910
2911 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2912 conn, code, ident, dlen);
2913
2914 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2915 return NULL;
2916
2917 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2918 count = min_t(unsigned int, conn->mtu, len);
2919
2920 skb = bt_skb_alloc(count, GFP_KERNEL);
2921 if (!skb)
2922 return NULL;
2923
2924 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2925 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2926
2927 if (conn->hcon->type == LE_LINK)
2928 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2929 else
2930 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2931
2932 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2933 cmd->code = code;
2934 cmd->ident = ident;
2935 cmd->len = cpu_to_le16(dlen);
2936
2937 if (dlen) {
2938 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2939 memcpy(skb_put(skb, count), data, count);
2940 data += count;
2941 }
2942
2943 len -= skb->len;
2944
2945 /* Continuation fragments (no L2CAP header) */
2946 frag = &skb_shinfo(skb)->frag_list;
2947 while (len) {
2948 count = min_t(unsigned int, conn->mtu, len);
2949
2950 *frag = bt_skb_alloc(count, GFP_KERNEL);
2951 if (!*frag)
2952 goto fail;
2953
2954 memcpy(skb_put(*frag, count), data, count);
2955
2956 len -= count;
2957 data += count;
2958
2959 frag = &(*frag)->next;
2960 }
2961
2962 return skb;
2963
2964 fail:
2965 kfree_skb(skb);
2966 return NULL;
2967 }
2968
2969 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2970 unsigned long *val)
2971 {
2972 struct l2cap_conf_opt *opt = *ptr;
2973 int len;
2974
2975 len = L2CAP_CONF_OPT_SIZE + opt->len;
2976 *ptr += len;
2977
2978 *type = opt->type;
2979 *olen = opt->len;
2980
2981 switch (opt->len) {
2982 case 1:
2983 *val = *((u8 *) opt->val);
2984 break;
2985
2986 case 2:
2987 *val = get_unaligned_le16(opt->val);
2988 break;
2989
2990 case 4:
2991 *val = get_unaligned_le32(opt->val);
2992 break;
2993
2994 default:
2995 *val = (unsigned long) opt->val;
2996 break;
2997 }
2998
2999 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3000 return len;
3001 }
3002
3003 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
3004 {
3005 struct l2cap_conf_opt *opt = *ptr;
3006
3007 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3008
3009 opt->type = type;
3010 opt->len = len;
3011
3012 switch (len) {
3013 case 1:
3014 *((u8 *) opt->val) = val;
3015 break;
3016
3017 case 2:
3018 put_unaligned_le16(val, opt->val);
3019 break;
3020
3021 case 4:
3022 put_unaligned_le32(val, opt->val);
3023 break;
3024
3025 default:
3026 memcpy(opt->val, (void *) val, len);
3027 break;
3028 }
3029
3030 *ptr += L2CAP_CONF_OPT_SIZE + len;
3031 }
3032
3033 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3034 {
3035 struct l2cap_conf_efs efs;
3036
3037 switch (chan->mode) {
3038 case L2CAP_MODE_ERTM:
3039 efs.id = chan->local_id;
3040 efs.stype = chan->local_stype;
3041 efs.msdu = cpu_to_le16(chan->local_msdu);
3042 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3043 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3044 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3045 break;
3046
3047 case L2CAP_MODE_STREAMING:
3048 efs.id = 1;
3049 efs.stype = L2CAP_SERV_BESTEFFORT;
3050 efs.msdu = cpu_to_le16(chan->local_msdu);
3051 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3052 efs.acc_lat = 0;
3053 efs.flush_to = 0;
3054 break;
3055
3056 default:
3057 return;
3058 }
3059
3060 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3061 (unsigned long) &efs);
3062 }
3063
3064 static void l2cap_ack_timeout(struct work_struct *work)
3065 {
3066 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3067 ack_timer.work);
3068 u16 frames_to_ack;
3069
3070 BT_DBG("chan %p", chan);
3071
3072 l2cap_chan_lock(chan);
3073
3074 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3075 chan->last_acked_seq);
3076
3077 if (frames_to_ack)
3078 l2cap_send_rr_or_rnr(chan, 0);
3079
3080 l2cap_chan_unlock(chan);
3081 l2cap_chan_put(chan);
3082 }
3083
3084 int l2cap_ertm_init(struct l2cap_chan *chan)
3085 {
3086 int err;
3087
3088 chan->next_tx_seq = 0;
3089 chan->expected_tx_seq = 0;
3090 chan->expected_ack_seq = 0;
3091 chan->unacked_frames = 0;
3092 chan->buffer_seq = 0;
3093 chan->frames_sent = 0;
3094 chan->last_acked_seq = 0;
3095 chan->sdu = NULL;
3096 chan->sdu_last_frag = NULL;
3097 chan->sdu_len = 0;
3098
3099 skb_queue_head_init(&chan->tx_q);
3100
3101 chan->local_amp_id = AMP_ID_BREDR;
3102 chan->move_id = AMP_ID_BREDR;
3103 chan->move_state = L2CAP_MOVE_STABLE;
3104 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3105
3106 if (chan->mode != L2CAP_MODE_ERTM)
3107 return 0;
3108
3109 chan->rx_state = L2CAP_RX_STATE_RECV;
3110 chan->tx_state = L2CAP_TX_STATE_XMIT;
3111
3112 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3113 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3114 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3115
3116 skb_queue_head_init(&chan->srej_q);
3117
3118 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3119 if (err < 0)
3120 return err;
3121
3122 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3123 if (err < 0)
3124 l2cap_seq_list_free(&chan->srej_list);
3125
3126 return err;
3127 }
3128
3129 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3130 {
3131 switch (mode) {
3132 case L2CAP_MODE_STREAMING:
3133 case L2CAP_MODE_ERTM:
3134 if (l2cap_mode_supported(mode, remote_feat_mask))
3135 return mode;
3136 /* fall through */
3137 default:
3138 return L2CAP_MODE_BASIC;
3139 }
3140 }
3141
3142 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3143 {
3144 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3145 }
3146
3147 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3148 {
3149 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3150 }
3151
3152 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3153 struct l2cap_conf_rfc *rfc)
3154 {
3155 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3156 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3157
3158 /* Class 1 devices have must have ERTM timeouts
3159 * exceeding the Link Supervision Timeout. The
3160 * default Link Supervision Timeout for AMP
3161 * controllers is 10 seconds.
3162 *
3163 * Class 1 devices use 0xffffffff for their
3164 * best-effort flush timeout, so the clamping logic
3165 * will result in a timeout that meets the above
3166 * requirement. ERTM timeouts are 16-bit values, so
3167 * the maximum timeout is 65.535 seconds.
3168 */
3169
3170 /* Convert timeout to milliseconds and round */
3171 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3172
3173 /* This is the recommended formula for class 2 devices
3174 * that start ERTM timers when packets are sent to the
3175 * controller.
3176 */
3177 ertm_to = 3 * ertm_to + 500;
3178
3179 if (ertm_to > 0xffff)
3180 ertm_to = 0xffff;
3181
3182 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3183 rfc->monitor_timeout = rfc->retrans_timeout;
3184 } else {
3185 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3186 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3187 }
3188 }
3189
3190 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3191 {
3192 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3193 __l2cap_ews_supported(chan->conn)) {
3194 /* use extended control field */
3195 set_bit(FLAG_EXT_CTRL, &chan->flags);
3196 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3197 } else {
3198 chan->tx_win = min_t(u16, chan->tx_win,
3199 L2CAP_DEFAULT_TX_WINDOW);
3200 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3201 }
3202 chan->ack_win = chan->tx_win;
3203 }
3204
3205 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3206 {
3207 struct l2cap_conf_req *req = data;
3208 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3209 void *ptr = req->data;
3210 u16 size;
3211
3212 BT_DBG("chan %p", chan);
3213
3214 if (chan->num_conf_req || chan->num_conf_rsp)
3215 goto done;
3216
3217 switch (chan->mode) {
3218 case L2CAP_MODE_STREAMING:
3219 case L2CAP_MODE_ERTM:
3220 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3221 break;
3222
3223 if (__l2cap_efs_supported(chan->conn))
3224 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3225
3226 /* fall through */
3227 default:
3228 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3229 break;
3230 }
3231
3232 done:
3233 if (chan->imtu != L2CAP_DEFAULT_MTU)
3234 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3235
3236 switch (chan->mode) {
3237 case L2CAP_MODE_BASIC:
3238 if (disable_ertm)
3239 break;
3240
3241 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3242 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3243 break;
3244
3245 rfc.mode = L2CAP_MODE_BASIC;
3246 rfc.txwin_size = 0;
3247 rfc.max_transmit = 0;
3248 rfc.retrans_timeout = 0;
3249 rfc.monitor_timeout = 0;
3250 rfc.max_pdu_size = 0;
3251
3252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3253 (unsigned long) &rfc);
3254 break;
3255
3256 case L2CAP_MODE_ERTM:
3257 rfc.mode = L2CAP_MODE_ERTM;
3258 rfc.max_transmit = chan->max_tx;
3259
3260 __l2cap_set_ertm_timeouts(chan, &rfc);
3261
3262 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3263 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3264 L2CAP_FCS_SIZE);
3265 rfc.max_pdu_size = cpu_to_le16(size);
3266
3267 l2cap_txwin_setup(chan);
3268
3269 rfc.txwin_size = min_t(u16, chan->tx_win,
3270 L2CAP_DEFAULT_TX_WINDOW);
3271
3272 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3273 (unsigned long) &rfc);
3274
3275 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3276 l2cap_add_opt_efs(&ptr, chan);
3277
3278 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3279 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3280 chan->tx_win);
3281
3282 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3283 if (chan->fcs == L2CAP_FCS_NONE ||
3284 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3285 chan->fcs = L2CAP_FCS_NONE;
3286 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3287 chan->fcs);
3288 }
3289 break;
3290
3291 case L2CAP_MODE_STREAMING:
3292 l2cap_txwin_setup(chan);
3293 rfc.mode = L2CAP_MODE_STREAMING;
3294 rfc.txwin_size = 0;
3295 rfc.max_transmit = 0;
3296 rfc.retrans_timeout = 0;
3297 rfc.monitor_timeout = 0;
3298
3299 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3300 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3301 L2CAP_FCS_SIZE);
3302 rfc.max_pdu_size = cpu_to_le16(size);
3303
3304 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3305 (unsigned long) &rfc);
3306
3307 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3308 l2cap_add_opt_efs(&ptr, chan);
3309
3310 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3311 if (chan->fcs == L2CAP_FCS_NONE ||
3312 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3313 chan->fcs = L2CAP_FCS_NONE;
3314 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3315 chan->fcs);
3316 }
3317 break;
3318 }
3319
3320 req->dcid = cpu_to_le16(chan->dcid);
3321 req->flags = cpu_to_le16(0);
3322
3323 return ptr - data;
3324 }
3325
3326 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3327 {
3328 struct l2cap_conf_rsp *rsp = data;
3329 void *ptr = rsp->data;
3330 void *req = chan->conf_req;
3331 int len = chan->conf_len;
3332 int type, hint, olen;
3333 unsigned long val;
3334 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3335 struct l2cap_conf_efs efs;
3336 u8 remote_efs = 0;
3337 u16 mtu = L2CAP_DEFAULT_MTU;
3338 u16 result = L2CAP_CONF_SUCCESS;
3339 u16 size;
3340
3341 BT_DBG("chan %p", chan);
3342
3343 while (len >= L2CAP_CONF_OPT_SIZE) {
3344 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3345
3346 hint = type & L2CAP_CONF_HINT;
3347 type &= L2CAP_CONF_MASK;
3348
3349 switch (type) {
3350 case L2CAP_CONF_MTU:
3351 mtu = val;
3352 break;
3353
3354 case L2CAP_CONF_FLUSH_TO:
3355 chan->flush_to = val;
3356 break;
3357
3358 case L2CAP_CONF_QOS:
3359 break;
3360
3361 case L2CAP_CONF_RFC:
3362 if (olen == sizeof(rfc))
3363 memcpy(&rfc, (void *) val, olen);
3364 break;
3365
3366 case L2CAP_CONF_FCS:
3367 if (val == L2CAP_FCS_NONE)
3368 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3369 break;
3370
3371 case L2CAP_CONF_EFS:
3372 remote_efs = 1;
3373 if (olen == sizeof(efs))
3374 memcpy(&efs, (void *) val, olen);
3375 break;
3376
3377 case L2CAP_CONF_EWS:
3378 if (!chan->conn->hs_enabled)
3379 return -ECONNREFUSED;
3380
3381 set_bit(FLAG_EXT_CTRL, &chan->flags);
3382 set_bit(CONF_EWS_RECV, &chan->conf_state);
3383 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3384 chan->remote_tx_win = val;
3385 break;
3386
3387 default:
3388 if (hint)
3389 break;
3390
3391 result = L2CAP_CONF_UNKNOWN;
3392 *((u8 *) ptr++) = type;
3393 break;
3394 }
3395 }
3396
3397 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3398 goto done;
3399
3400 switch (chan->mode) {
3401 case L2CAP_MODE_STREAMING:
3402 case L2CAP_MODE_ERTM:
3403 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3404 chan->mode = l2cap_select_mode(rfc.mode,
3405 chan->conn->feat_mask);
3406 break;
3407 }
3408
3409 if (remote_efs) {
3410 if (__l2cap_efs_supported(chan->conn))
3411 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3412 else
3413 return -ECONNREFUSED;
3414 }
3415
3416 if (chan->mode != rfc.mode)
3417 return -ECONNREFUSED;
3418
3419 break;
3420 }
3421
3422 done:
3423 if (chan->mode != rfc.mode) {
3424 result = L2CAP_CONF_UNACCEPT;
3425 rfc.mode = chan->mode;
3426
3427 if (chan->num_conf_rsp == 1)
3428 return -ECONNREFUSED;
3429
3430 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3431 (unsigned long) &rfc);
3432 }
3433
3434 if (result == L2CAP_CONF_SUCCESS) {
3435 /* Configure output options and let the other side know
3436 * which ones we don't like. */
3437
3438 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3439 result = L2CAP_CONF_UNACCEPT;
3440 else {
3441 chan->omtu = mtu;
3442 set_bit(CONF_MTU_DONE, &chan->conf_state);
3443 }
3444 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3445
3446 if (remote_efs) {
3447 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3448 efs.stype != L2CAP_SERV_NOTRAFIC &&
3449 efs.stype != chan->local_stype) {
3450
3451 result = L2CAP_CONF_UNACCEPT;
3452
3453 if (chan->num_conf_req >= 1)
3454 return -ECONNREFUSED;
3455
3456 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3457 sizeof(efs),
3458 (unsigned long) &efs);
3459 } else {
3460 /* Send PENDING Conf Rsp */
3461 result = L2CAP_CONF_PENDING;
3462 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3463 }
3464 }
3465
3466 switch (rfc.mode) {
3467 case L2CAP_MODE_BASIC:
3468 chan->fcs = L2CAP_FCS_NONE;
3469 set_bit(CONF_MODE_DONE, &chan->conf_state);
3470 break;
3471
3472 case L2CAP_MODE_ERTM:
3473 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3474 chan->remote_tx_win = rfc.txwin_size;
3475 else
3476 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3477
3478 chan->remote_max_tx = rfc.max_transmit;
3479
3480 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3481 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3482 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3483 rfc.max_pdu_size = cpu_to_le16(size);
3484 chan->remote_mps = size;
3485
3486 __l2cap_set_ertm_timeouts(chan, &rfc);
3487
3488 set_bit(CONF_MODE_DONE, &chan->conf_state);
3489
3490 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3491 sizeof(rfc), (unsigned long) &rfc);
3492
3493 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3494 chan->remote_id = efs.id;
3495 chan->remote_stype = efs.stype;
3496 chan->remote_msdu = le16_to_cpu(efs.msdu);
3497 chan->remote_flush_to =
3498 le32_to_cpu(efs.flush_to);
3499 chan->remote_acc_lat =
3500 le32_to_cpu(efs.acc_lat);
3501 chan->remote_sdu_itime =
3502 le32_to_cpu(efs.sdu_itime);
3503 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3504 sizeof(efs),
3505 (unsigned long) &efs);
3506 }
3507 break;
3508
3509 case L2CAP_MODE_STREAMING:
3510 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3511 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3512 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3513 rfc.max_pdu_size = cpu_to_le16(size);
3514 chan->remote_mps = size;
3515
3516 set_bit(CONF_MODE_DONE, &chan->conf_state);
3517
3518 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3519 (unsigned long) &rfc);
3520
3521 break;
3522
3523 default:
3524 result = L2CAP_CONF_UNACCEPT;
3525
3526 memset(&rfc, 0, sizeof(rfc));
3527 rfc.mode = chan->mode;
3528 }
3529
3530 if (result == L2CAP_CONF_SUCCESS)
3531 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3532 }
3533 rsp->scid = cpu_to_le16(chan->dcid);
3534 rsp->result = cpu_to_le16(result);
3535 rsp->flags = cpu_to_le16(0);
3536
3537 return ptr - data;
3538 }
3539
3540 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3541 void *data, u16 *result)
3542 {
3543 struct l2cap_conf_req *req = data;
3544 void *ptr = req->data;
3545 int type, olen;
3546 unsigned long val;
3547 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3548 struct l2cap_conf_efs efs;
3549
3550 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3551
3552 while (len >= L2CAP_CONF_OPT_SIZE) {
3553 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3554
3555 switch (type) {
3556 case L2CAP_CONF_MTU:
3557 if (val < L2CAP_DEFAULT_MIN_MTU) {
3558 *result = L2CAP_CONF_UNACCEPT;
3559 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3560 } else
3561 chan->imtu = val;
3562 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3563 break;
3564
3565 case L2CAP_CONF_FLUSH_TO:
3566 chan->flush_to = val;
3567 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3568 2, chan->flush_to);
3569 break;
3570
3571 case L2CAP_CONF_RFC:
3572 if (olen == sizeof(rfc))
3573 memcpy(&rfc, (void *)val, olen);
3574
3575 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3576 rfc.mode != chan->mode)
3577 return -ECONNREFUSED;
3578
3579 chan->fcs = 0;
3580
3581 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3582 sizeof(rfc), (unsigned long) &rfc);
3583 break;
3584
3585 case L2CAP_CONF_EWS:
3586 chan->ack_win = min_t(u16, val, chan->ack_win);
3587 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3588 chan->tx_win);
3589 break;
3590
3591 case L2CAP_CONF_EFS:
3592 if (olen == sizeof(efs))
3593 memcpy(&efs, (void *)val, olen);
3594
3595 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3596 efs.stype != L2CAP_SERV_NOTRAFIC &&
3597 efs.stype != chan->local_stype)
3598 return -ECONNREFUSED;
3599
3600 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3601 (unsigned long) &efs);
3602 break;
3603
3604 case L2CAP_CONF_FCS:
3605 if (*result == L2CAP_CONF_PENDING)
3606 if (val == L2CAP_FCS_NONE)
3607 set_bit(CONF_RECV_NO_FCS,
3608 &chan->conf_state);
3609 break;
3610 }
3611 }
3612
3613 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3614 return -ECONNREFUSED;
3615
3616 chan->mode = rfc.mode;
3617
3618 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3619 switch (rfc.mode) {
3620 case L2CAP_MODE_ERTM:
3621 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3622 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3623 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3624 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3625 chan->ack_win = min_t(u16, chan->ack_win,
3626 rfc.txwin_size);
3627
3628 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3629 chan->local_msdu = le16_to_cpu(efs.msdu);
3630 chan->local_sdu_itime =
3631 le32_to_cpu(efs.sdu_itime);
3632 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3633 chan->local_flush_to =
3634 le32_to_cpu(efs.flush_to);
3635 }
3636 break;
3637
3638 case L2CAP_MODE_STREAMING:
3639 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3640 }
3641 }
3642
3643 req->dcid = cpu_to_le16(chan->dcid);
3644 req->flags = cpu_to_le16(0);
3645
3646 return ptr - data;
3647 }
3648
3649 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3650 u16 result, u16 flags)
3651 {
3652 struct l2cap_conf_rsp *rsp = data;
3653 void *ptr = rsp->data;
3654
3655 BT_DBG("chan %p", chan);
3656
3657 rsp->scid = cpu_to_le16(chan->dcid);
3658 rsp->result = cpu_to_le16(result);
3659 rsp->flags = cpu_to_le16(flags);
3660
3661 return ptr - data;
3662 }
3663
3664 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3665 {
3666 struct l2cap_le_conn_rsp rsp;
3667 struct l2cap_conn *conn = chan->conn;
3668
3669 BT_DBG("chan %p", chan);
3670
3671 rsp.dcid = cpu_to_le16(chan->scid);
3672 rsp.mtu = cpu_to_le16(chan->imtu);
3673 rsp.mps = cpu_to_le16(chan->mps);
3674 rsp.credits = cpu_to_le16(chan->rx_credits);
3675 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3676
3677 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3678 &rsp);
3679 }
3680
3681 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3682 {
3683 struct l2cap_conn_rsp rsp;
3684 struct l2cap_conn *conn = chan->conn;
3685 u8 buf[128];
3686 u8 rsp_code;
3687
3688 rsp.scid = cpu_to_le16(chan->dcid);
3689 rsp.dcid = cpu_to_le16(chan->scid);
3690 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3691 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3692
3693 if (chan->hs_hcon)
3694 rsp_code = L2CAP_CREATE_CHAN_RSP;
3695 else
3696 rsp_code = L2CAP_CONN_RSP;
3697
3698 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3699
3700 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3701
3702 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3703 return;
3704
3705 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3706 l2cap_build_conf_req(chan, buf), buf);
3707 chan->num_conf_req++;
3708 }
3709
3710 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3711 {
3712 int type, olen;
3713 unsigned long val;
3714 /* Use sane default values in case a misbehaving remote device
3715 * did not send an RFC or extended window size option.
3716 */
3717 u16 txwin_ext = chan->ack_win;
3718 struct l2cap_conf_rfc rfc = {
3719 .mode = chan->mode,
3720 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3721 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3722 .max_pdu_size = cpu_to_le16(chan->imtu),
3723 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3724 };
3725
3726 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3727
3728 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3729 return;
3730
3731 while (len >= L2CAP_CONF_OPT_SIZE) {
3732 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3733
3734 switch (type) {
3735 case L2CAP_CONF_RFC:
3736 if (olen == sizeof(rfc))
3737 memcpy(&rfc, (void *)val, olen);
3738 break;
3739 case L2CAP_CONF_EWS:
3740 txwin_ext = val;
3741 break;
3742 }
3743 }
3744
3745 switch (rfc.mode) {
3746 case L2CAP_MODE_ERTM:
3747 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3748 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3749 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3750 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3751 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3752 else
3753 chan->ack_win = min_t(u16, chan->ack_win,
3754 rfc.txwin_size);
3755 break;
3756 case L2CAP_MODE_STREAMING:
3757 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3758 }
3759 }
3760
3761 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3762 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3763 u8 *data)
3764 {
3765 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3766
3767 if (cmd_len < sizeof(*rej))
3768 return -EPROTO;
3769
3770 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3771 return 0;
3772
3773 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3774 cmd->ident == conn->info_ident) {
3775 cancel_delayed_work(&conn->info_timer);
3776
3777 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3778 conn->info_ident = 0;
3779
3780 l2cap_conn_start(conn);
3781 }
3782
3783 return 0;
3784 }
3785
3786 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3787 struct l2cap_cmd_hdr *cmd,
3788 u8 *data, u8 rsp_code, u8 amp_id)
3789 {
3790 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3791 struct l2cap_conn_rsp rsp;
3792 struct l2cap_chan *chan = NULL, *pchan;
3793 int result, status = L2CAP_CS_NO_INFO;
3794
3795 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3796 __le16 psm = req->psm;
3797
3798 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3799
3800 /* Check if we have socket listening on psm */
3801 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3802 &conn->hcon->dst, ACL_LINK);
3803 if (!pchan) {
3804 result = L2CAP_CR_BAD_PSM;
3805 goto sendresp;
3806 }
3807
3808 mutex_lock(&conn->chan_lock);
3809 l2cap_chan_lock(pchan);
3810
3811 /* Check if the ACL is secure enough (if not SDP) */
3812 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3813 !hci_conn_check_link_mode(conn->hcon)) {
3814 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3815 result = L2CAP_CR_SEC_BLOCK;
3816 goto response;
3817 }
3818
3819 result = L2CAP_CR_NO_MEM;
3820
3821 /* Check if we already have channel with that dcid */
3822 if (__l2cap_get_chan_by_dcid(conn, scid))
3823 goto response;
3824
3825 chan = pchan->ops->new_connection(pchan);
3826 if (!chan)
3827 goto response;
3828
3829 /* For certain devices (ex: HID mouse), support for authentication,
3830 * pairing and bonding is optional. For such devices, inorder to avoid
3831 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3832 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3833 */
3834 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3835
3836 bacpy(&chan->src, &conn->hcon->src);
3837 bacpy(&chan->dst, &conn->hcon->dst);
3838 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3839 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
3840 chan->psm = psm;
3841 chan->dcid = scid;
3842 chan->local_amp_id = amp_id;
3843
3844 __l2cap_chan_add(conn, chan);
3845
3846 dcid = chan->scid;
3847
3848 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3849
3850 chan->ident = cmd->ident;
3851
3852 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3853 if (l2cap_chan_check_security(chan, false)) {
3854 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3855 l2cap_state_change(chan, BT_CONNECT2);
3856 result = L2CAP_CR_PEND;
3857 status = L2CAP_CS_AUTHOR_PEND;
3858 chan->ops->defer(chan);
3859 } else {
3860 /* Force pending result for AMP controllers.
3861 * The connection will succeed after the
3862 * physical link is up.
3863 */
3864 if (amp_id == AMP_ID_BREDR) {
3865 l2cap_state_change(chan, BT_CONFIG);
3866 result = L2CAP_CR_SUCCESS;
3867 } else {
3868 l2cap_state_change(chan, BT_CONNECT2);
3869 result = L2CAP_CR_PEND;
3870 }
3871 status = L2CAP_CS_NO_INFO;
3872 }
3873 } else {
3874 l2cap_state_change(chan, BT_CONNECT2);
3875 result = L2CAP_CR_PEND;
3876 status = L2CAP_CS_AUTHEN_PEND;
3877 }
3878 } else {
3879 l2cap_state_change(chan, BT_CONNECT2);
3880 result = L2CAP_CR_PEND;
3881 status = L2CAP_CS_NO_INFO;
3882 }
3883
3884 response:
3885 l2cap_chan_unlock(pchan);
3886 mutex_unlock(&conn->chan_lock);
3887
3888 sendresp:
3889 rsp.scid = cpu_to_le16(scid);
3890 rsp.dcid = cpu_to_le16(dcid);
3891 rsp.result = cpu_to_le16(result);
3892 rsp.status = cpu_to_le16(status);
3893 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3894
3895 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3896 struct l2cap_info_req info;
3897 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3898
3899 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3900 conn->info_ident = l2cap_get_ident(conn);
3901
3902 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3903
3904 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3905 sizeof(info), &info);
3906 }
3907
3908 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3909 result == L2CAP_CR_SUCCESS) {
3910 u8 buf[128];
3911 set_bit(CONF_REQ_SENT, &chan->conf_state);
3912 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3913 l2cap_build_conf_req(chan, buf), buf);
3914 chan->num_conf_req++;
3915 }
3916
3917 return chan;
3918 }
3919
3920 static int l2cap_connect_req(struct l2cap_conn *conn,
3921 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3922 {
3923 struct hci_dev *hdev = conn->hcon->hdev;
3924 struct hci_conn *hcon = conn->hcon;
3925
3926 if (cmd_len < sizeof(struct l2cap_conn_req))
3927 return -EPROTO;
3928
3929 hci_dev_lock(hdev);
3930 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3931 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3932 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3933 hcon->dst_type, 0, NULL, 0,
3934 hcon->dev_class);
3935 hci_dev_unlock(hdev);
3936
3937 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3938 return 0;
3939 }
3940
3941 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3942 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3943 u8 *data)
3944 {
3945 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3946 u16 scid, dcid, result, status;
3947 struct l2cap_chan *chan;
3948 u8 req[128];
3949 int err;
3950
3951 if (cmd_len < sizeof(*rsp))
3952 return -EPROTO;
3953
3954 scid = __le16_to_cpu(rsp->scid);
3955 dcid = __le16_to_cpu(rsp->dcid);
3956 result = __le16_to_cpu(rsp->result);
3957 status = __le16_to_cpu(rsp->status);
3958
3959 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3960 dcid, scid, result, status);
3961
3962 mutex_lock(&conn->chan_lock);
3963
3964 if (scid) {
3965 chan = __l2cap_get_chan_by_scid(conn, scid);
3966 if (!chan) {
3967 err = -EBADSLT;
3968 goto unlock;
3969 }
3970 } else {
3971 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3972 if (!chan) {
3973 err = -EBADSLT;
3974 goto unlock;
3975 }
3976 }
3977
3978 err = 0;
3979
3980 l2cap_chan_lock(chan);
3981
3982 switch (result) {
3983 case L2CAP_CR_SUCCESS:
3984 l2cap_state_change(chan, BT_CONFIG);
3985 chan->ident = 0;
3986 chan->dcid = dcid;
3987 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3988
3989 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3990 break;
3991
3992 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3993 l2cap_build_conf_req(chan, req), req);
3994 chan->num_conf_req++;
3995 break;
3996
3997 case L2CAP_CR_PEND:
3998 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3999 break;
4000
4001 default:
4002 l2cap_chan_del(chan, ECONNREFUSED);
4003 break;
4004 }
4005
4006 l2cap_chan_unlock(chan);
4007
4008 unlock:
4009 mutex_unlock(&conn->chan_lock);
4010
4011 return err;
4012 }
4013
4014 static inline void set_default_fcs(struct l2cap_chan *chan)
4015 {
4016 /* FCS is enabled only in ERTM or streaming mode, if one or both
4017 * sides request it.
4018 */
4019 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4020 chan->fcs = L2CAP_FCS_NONE;
4021 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4022 chan->fcs = L2CAP_FCS_CRC16;
4023 }
4024
4025 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4026 u8 ident, u16 flags)
4027 {
4028 struct l2cap_conn *conn = chan->conn;
4029
4030 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4031 flags);
4032
4033 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4034 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4035
4036 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4037 l2cap_build_conf_rsp(chan, data,
4038 L2CAP_CONF_SUCCESS, flags), data);
4039 }
4040
4041 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4042 u16 scid, u16 dcid)
4043 {
4044 struct l2cap_cmd_rej_cid rej;
4045
4046 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4047 rej.scid = __cpu_to_le16(scid);
4048 rej.dcid = __cpu_to_le16(dcid);
4049
4050 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4051 }
4052
4053 static inline int l2cap_config_req(struct l2cap_conn *conn,
4054 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4055 u8 *data)
4056 {
4057 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4058 u16 dcid, flags;
4059 u8 rsp[64];
4060 struct l2cap_chan *chan;
4061 int len, err = 0;
4062
4063 if (cmd_len < sizeof(*req))
4064 return -EPROTO;
4065
4066 dcid = __le16_to_cpu(req->dcid);
4067 flags = __le16_to_cpu(req->flags);
4068
4069 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4070
4071 chan = l2cap_get_chan_by_scid(conn, dcid);
4072 if (!chan) {
4073 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4074 return 0;
4075 }
4076
4077 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4078 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4079 chan->dcid);
4080 goto unlock;
4081 }
4082
4083 /* Reject if config buffer is too small. */
4084 len = cmd_len - sizeof(*req);
4085 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4086 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4087 l2cap_build_conf_rsp(chan, rsp,
4088 L2CAP_CONF_REJECT, flags), rsp);
4089 goto unlock;
4090 }
4091
4092 /* Store config. */
4093 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4094 chan->conf_len += len;
4095
4096 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4097 /* Incomplete config. Send empty response. */
4098 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4099 l2cap_build_conf_rsp(chan, rsp,
4100 L2CAP_CONF_SUCCESS, flags), rsp);
4101 goto unlock;
4102 }
4103
4104 /* Complete config. */
4105 len = l2cap_parse_conf_req(chan, rsp);
4106 if (len < 0) {
4107 l2cap_send_disconn_req(chan, ECONNRESET);
4108 goto unlock;
4109 }
4110
4111 chan->ident = cmd->ident;
4112 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4113 chan->num_conf_rsp++;
4114
4115 /* Reset config buffer. */
4116 chan->conf_len = 0;
4117
4118 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4119 goto unlock;
4120
4121 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4122 set_default_fcs(chan);
4123
4124 if (chan->mode == L2CAP_MODE_ERTM ||
4125 chan->mode == L2CAP_MODE_STREAMING)
4126 err = l2cap_ertm_init(chan);
4127
4128 if (err < 0)
4129 l2cap_send_disconn_req(chan, -err);
4130 else
4131 l2cap_chan_ready(chan);
4132
4133 goto unlock;
4134 }
4135
4136 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4137 u8 buf[64];
4138 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4139 l2cap_build_conf_req(chan, buf), buf);
4140 chan->num_conf_req++;
4141 }
4142
4143 /* Got Conf Rsp PENDING from remote side and asume we sent
4144 Conf Rsp PENDING in the code above */
4145 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4146 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4147
4148 /* check compatibility */
4149
4150 /* Send rsp for BR/EDR channel */
4151 if (!chan->hs_hcon)
4152 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4153 else
4154 chan->ident = cmd->ident;
4155 }
4156
4157 unlock:
4158 l2cap_chan_unlock(chan);
4159 return err;
4160 }
4161
4162 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4163 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4164 u8 *data)
4165 {
4166 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4167 u16 scid, flags, result;
4168 struct l2cap_chan *chan;
4169 int len = cmd_len - sizeof(*rsp);
4170 int err = 0;
4171
4172 if (cmd_len < sizeof(*rsp))
4173 return -EPROTO;
4174
4175 scid = __le16_to_cpu(rsp->scid);
4176 flags = __le16_to_cpu(rsp->flags);
4177 result = __le16_to_cpu(rsp->result);
4178
4179 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4180 result, len);
4181
4182 chan = l2cap_get_chan_by_scid(conn, scid);
4183 if (!chan)
4184 return 0;
4185
4186 switch (result) {
4187 case L2CAP_CONF_SUCCESS:
4188 l2cap_conf_rfc_get(chan, rsp->data, len);
4189 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4190 break;
4191
4192 case L2CAP_CONF_PENDING:
4193 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4194
4195 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4196 char buf[64];
4197
4198 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4199 buf, &result);
4200 if (len < 0) {
4201 l2cap_send_disconn_req(chan, ECONNRESET);
4202 goto done;
4203 }
4204
4205 if (!chan->hs_hcon) {
4206 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4207 0);
4208 } else {
4209 if (l2cap_check_efs(chan)) {
4210 amp_create_logical_link(chan);
4211 chan->ident = cmd->ident;
4212 }
4213 }
4214 }
4215 goto done;
4216
4217 case L2CAP_CONF_UNACCEPT:
4218 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4219 char req[64];
4220
4221 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4222 l2cap_send_disconn_req(chan, ECONNRESET);
4223 goto done;
4224 }
4225
4226 /* throw out any old stored conf requests */
4227 result = L2CAP_CONF_SUCCESS;
4228 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4229 req, &result);
4230 if (len < 0) {
4231 l2cap_send_disconn_req(chan, ECONNRESET);
4232 goto done;
4233 }
4234
4235 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4236 L2CAP_CONF_REQ, len, req);
4237 chan->num_conf_req++;
4238 if (result != L2CAP_CONF_SUCCESS)
4239 goto done;
4240 break;
4241 }
4242
4243 default:
4244 l2cap_chan_set_err(chan, ECONNRESET);
4245
4246 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4247 l2cap_send_disconn_req(chan, ECONNRESET);
4248 goto done;
4249 }
4250
4251 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4252 goto done;
4253
4254 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4255
4256 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4257 set_default_fcs(chan);
4258
4259 if (chan->mode == L2CAP_MODE_ERTM ||
4260 chan->mode == L2CAP_MODE_STREAMING)
4261 err = l2cap_ertm_init(chan);
4262
4263 if (err < 0)
4264 l2cap_send_disconn_req(chan, -err);
4265 else
4266 l2cap_chan_ready(chan);
4267 }
4268
4269 done:
4270 l2cap_chan_unlock(chan);
4271 return err;
4272 }
4273
4274 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4275 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4276 u8 *data)
4277 {
4278 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4279 struct l2cap_disconn_rsp rsp;
4280 u16 dcid, scid;
4281 struct l2cap_chan *chan;
4282
4283 if (cmd_len != sizeof(*req))
4284 return -EPROTO;
4285
4286 scid = __le16_to_cpu(req->scid);
4287 dcid = __le16_to_cpu(req->dcid);
4288
4289 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4290
4291 mutex_lock(&conn->chan_lock);
4292
4293 chan = __l2cap_get_chan_by_scid(conn, dcid);
4294 if (!chan) {
4295 mutex_unlock(&conn->chan_lock);
4296 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4297 return 0;
4298 }
4299
4300 l2cap_chan_lock(chan);
4301
4302 rsp.dcid = cpu_to_le16(chan->scid);
4303 rsp.scid = cpu_to_le16(chan->dcid);
4304 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4305
4306 chan->ops->set_shutdown(chan);
4307
4308 l2cap_chan_hold(chan);
4309 l2cap_chan_del(chan, ECONNRESET);
4310
4311 l2cap_chan_unlock(chan);
4312
4313 chan->ops->close(chan);
4314 l2cap_chan_put(chan);
4315
4316 mutex_unlock(&conn->chan_lock);
4317
4318 return 0;
4319 }
4320
4321 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4322 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4323 u8 *data)
4324 {
4325 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4326 u16 dcid, scid;
4327 struct l2cap_chan *chan;
4328
4329 if (cmd_len != sizeof(*rsp))
4330 return -EPROTO;
4331
4332 scid = __le16_to_cpu(rsp->scid);
4333 dcid = __le16_to_cpu(rsp->dcid);
4334
4335 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4336
4337 mutex_lock(&conn->chan_lock);
4338
4339 chan = __l2cap_get_chan_by_scid(conn, scid);
4340 if (!chan) {
4341 mutex_unlock(&conn->chan_lock);
4342 return 0;
4343 }
4344
4345 l2cap_chan_lock(chan);
4346
4347 l2cap_chan_hold(chan);
4348 l2cap_chan_del(chan, 0);
4349
4350 l2cap_chan_unlock(chan);
4351
4352 chan->ops->close(chan);
4353 l2cap_chan_put(chan);
4354
4355 mutex_unlock(&conn->chan_lock);
4356
4357 return 0;
4358 }
4359
4360 static inline int l2cap_information_req(struct l2cap_conn *conn,
4361 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4362 u8 *data)
4363 {
4364 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4365 u16 type;
4366
4367 if (cmd_len != sizeof(*req))
4368 return -EPROTO;
4369
4370 type = __le16_to_cpu(req->type);
4371
4372 BT_DBG("type 0x%4.4x", type);
4373
4374 if (type == L2CAP_IT_FEAT_MASK) {
4375 u8 buf[8];
4376 u32 feat_mask = l2cap_feat_mask;
4377 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4378 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4379 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4380 if (!disable_ertm)
4381 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4382 | L2CAP_FEAT_FCS;
4383 if (conn->hs_enabled)
4384 feat_mask |= L2CAP_FEAT_EXT_FLOW
4385 | L2CAP_FEAT_EXT_WINDOW;
4386
4387 put_unaligned_le32(feat_mask, rsp->data);
4388 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4389 buf);
4390 } else if (type == L2CAP_IT_FIXED_CHAN) {
4391 u8 buf[12];
4392 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4393
4394 if (conn->hs_enabled)
4395 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4396 else
4397 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4398
4399 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4400 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4401 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
4402 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4403 buf);
4404 } else {
4405 struct l2cap_info_rsp rsp;
4406 rsp.type = cpu_to_le16(type);
4407 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4408 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4409 &rsp);
4410 }
4411
4412 return 0;
4413 }
4414
4415 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4416 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4417 u8 *data)
4418 {
4419 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4420 u16 type, result;
4421
4422 if (cmd_len < sizeof(*rsp))
4423 return -EPROTO;
4424
4425 type = __le16_to_cpu(rsp->type);
4426 result = __le16_to_cpu(rsp->result);
4427
4428 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4429
4430 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4431 if (cmd->ident != conn->info_ident ||
4432 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4433 return 0;
4434
4435 cancel_delayed_work(&conn->info_timer);
4436
4437 if (result != L2CAP_IR_SUCCESS) {
4438 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4439 conn->info_ident = 0;
4440
4441 l2cap_conn_start(conn);
4442
4443 return 0;
4444 }
4445
4446 switch (type) {
4447 case L2CAP_IT_FEAT_MASK:
4448 conn->feat_mask = get_unaligned_le32(rsp->data);
4449
4450 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4451 struct l2cap_info_req req;
4452 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4453
4454 conn->info_ident = l2cap_get_ident(conn);
4455
4456 l2cap_send_cmd(conn, conn->info_ident,
4457 L2CAP_INFO_REQ, sizeof(req), &req);
4458 } else {
4459 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4460 conn->info_ident = 0;
4461
4462 l2cap_conn_start(conn);
4463 }
4464 break;
4465
4466 case L2CAP_IT_FIXED_CHAN:
4467 conn->fixed_chan_mask = rsp->data[0];
4468 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4469 conn->info_ident = 0;
4470
4471 l2cap_conn_start(conn);
4472 break;
4473 }
4474
4475 return 0;
4476 }
4477
4478 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4479 struct l2cap_cmd_hdr *cmd,
4480 u16 cmd_len, void *data)
4481 {
4482 struct l2cap_create_chan_req *req = data;
4483 struct l2cap_create_chan_rsp rsp;
4484 struct l2cap_chan *chan;
4485 struct hci_dev *hdev;
4486 u16 psm, scid;
4487
4488 if (cmd_len != sizeof(*req))
4489 return -EPROTO;
4490
4491 if (!conn->hs_enabled)
4492 return -EINVAL;
4493
4494 psm = le16_to_cpu(req->psm);
4495 scid = le16_to_cpu(req->scid);
4496
4497 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4498
4499 /* For controller id 0 make BR/EDR connection */
4500 if (req->amp_id == AMP_ID_BREDR) {
4501 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4502 req->amp_id);
4503 return 0;
4504 }
4505
4506 /* Validate AMP controller id */
4507 hdev = hci_dev_get(req->amp_id);
4508 if (!hdev)
4509 goto error;
4510
4511 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4512 hci_dev_put(hdev);
4513 goto error;
4514 }
4515
4516 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4517 req->amp_id);
4518 if (chan) {
4519 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4520 struct hci_conn *hs_hcon;
4521
4522 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4523 &conn->hcon->dst);
4524 if (!hs_hcon) {
4525 hci_dev_put(hdev);
4526 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4527 chan->dcid);
4528 return 0;
4529 }
4530
4531 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4532
4533 mgr->bredr_chan = chan;
4534 chan->hs_hcon = hs_hcon;
4535 chan->fcs = L2CAP_FCS_NONE;
4536 conn->mtu = hdev->block_mtu;
4537 }
4538
4539 hci_dev_put(hdev);
4540
4541 return 0;
4542
4543 error:
4544 rsp.dcid = 0;
4545 rsp.scid = cpu_to_le16(scid);
4546 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4547 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4548
4549 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4550 sizeof(rsp), &rsp);
4551
4552 return 0;
4553 }
4554
4555 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4556 {
4557 struct l2cap_move_chan_req req;
4558 u8 ident;
4559
4560 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4561
4562 ident = l2cap_get_ident(chan->conn);
4563 chan->ident = ident;
4564
4565 req.icid = cpu_to_le16(chan->scid);
4566 req.dest_amp_id = dest_amp_id;
4567
4568 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4569 &req);
4570
4571 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4572 }
4573
4574 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4575 {
4576 struct l2cap_move_chan_rsp rsp;
4577
4578 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4579
4580 rsp.icid = cpu_to_le16(chan->dcid);
4581 rsp.result = cpu_to_le16(result);
4582
4583 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4584 sizeof(rsp), &rsp);
4585 }
4586
4587 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4588 {
4589 struct l2cap_move_chan_cfm cfm;
4590
4591 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4592
4593 chan->ident = l2cap_get_ident(chan->conn);
4594
4595 cfm.icid = cpu_to_le16(chan->scid);
4596 cfm.result = cpu_to_le16(result);
4597
4598 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4599 sizeof(cfm), &cfm);
4600
4601 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4602 }
4603
4604 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4605 {
4606 struct l2cap_move_chan_cfm cfm;
4607
4608 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4609
4610 cfm.icid = cpu_to_le16(icid);
4611 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4612
4613 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4614 sizeof(cfm), &cfm);
4615 }
4616
4617 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4618 u16 icid)
4619 {
4620 struct l2cap_move_chan_cfm_rsp rsp;
4621
4622 BT_DBG("icid 0x%4.4x", icid);
4623
4624 rsp.icid = cpu_to_le16(icid);
4625 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4626 }
4627
4628 static void __release_logical_link(struct l2cap_chan *chan)
4629 {
4630 chan->hs_hchan = NULL;
4631 chan->hs_hcon = NULL;
4632
4633 /* Placeholder - release the logical link */
4634 }
4635
4636 static void l2cap_logical_fail(struct l2cap_chan *chan)
4637 {
4638 /* Logical link setup failed */
4639 if (chan->state != BT_CONNECTED) {
4640 /* Create channel failure, disconnect */
4641 l2cap_send_disconn_req(chan, ECONNRESET);
4642 return;
4643 }
4644
4645 switch (chan->move_role) {
4646 case L2CAP_MOVE_ROLE_RESPONDER:
4647 l2cap_move_done(chan);
4648 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4649 break;
4650 case L2CAP_MOVE_ROLE_INITIATOR:
4651 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4652 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4653 /* Remote has only sent pending or
4654 * success responses, clean up
4655 */
4656 l2cap_move_done(chan);
4657 }
4658
4659 /* Other amp move states imply that the move
4660 * has already aborted
4661 */
4662 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4663 break;
4664 }
4665 }
4666
4667 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4668 struct hci_chan *hchan)
4669 {
4670 struct l2cap_conf_rsp rsp;
4671
4672 chan->hs_hchan = hchan;
4673 chan->hs_hcon->l2cap_data = chan->conn;
4674
4675 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4676
4677 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4678 int err;
4679
4680 set_default_fcs(chan);
4681
4682 err = l2cap_ertm_init(chan);
4683 if (err < 0)
4684 l2cap_send_disconn_req(chan, -err);
4685 else
4686 l2cap_chan_ready(chan);
4687 }
4688 }
4689
4690 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4691 struct hci_chan *hchan)
4692 {
4693 chan->hs_hcon = hchan->conn;
4694 chan->hs_hcon->l2cap_data = chan->conn;
4695
4696 BT_DBG("move_state %d", chan->move_state);
4697
4698 switch (chan->move_state) {
4699 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4700 /* Move confirm will be sent after a success
4701 * response is received
4702 */
4703 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4704 break;
4705 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4706 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4707 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4708 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4709 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4710 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4711 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4712 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4713 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4714 }
4715 break;
4716 default:
4717 /* Move was not in expected state, free the channel */
4718 __release_logical_link(chan);
4719
4720 chan->move_state = L2CAP_MOVE_STABLE;
4721 }
4722 }
4723
4724 /* Call with chan locked */
4725 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4726 u8 status)
4727 {
4728 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4729
4730 if (status) {
4731 l2cap_logical_fail(chan);
4732 __release_logical_link(chan);
4733 return;
4734 }
4735
4736 if (chan->state != BT_CONNECTED) {
4737 /* Ignore logical link if channel is on BR/EDR */
4738 if (chan->local_amp_id != AMP_ID_BREDR)
4739 l2cap_logical_finish_create(chan, hchan);
4740 } else {
4741 l2cap_logical_finish_move(chan, hchan);
4742 }
4743 }
4744
4745 void l2cap_move_start(struct l2cap_chan *chan)
4746 {
4747 BT_DBG("chan %p", chan);
4748
4749 if (chan->local_amp_id == AMP_ID_BREDR) {
4750 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4751 return;
4752 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4753 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4754 /* Placeholder - start physical link setup */
4755 } else {
4756 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4757 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4758 chan->move_id = 0;
4759 l2cap_move_setup(chan);
4760 l2cap_send_move_chan_req(chan, 0);
4761 }
4762 }
4763
4764 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4765 u8 local_amp_id, u8 remote_amp_id)
4766 {
4767 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4768 local_amp_id, remote_amp_id);
4769
4770 chan->fcs = L2CAP_FCS_NONE;
4771
4772 /* Outgoing channel on AMP */
4773 if (chan->state == BT_CONNECT) {
4774 if (result == L2CAP_CR_SUCCESS) {
4775 chan->local_amp_id = local_amp_id;
4776 l2cap_send_create_chan_req(chan, remote_amp_id);
4777 } else {
4778 /* Revert to BR/EDR connect */
4779 l2cap_send_conn_req(chan);
4780 }
4781
4782 return;
4783 }
4784
4785 /* Incoming channel on AMP */
4786 if (__l2cap_no_conn_pending(chan)) {
4787 struct l2cap_conn_rsp rsp;
4788 char buf[128];
4789 rsp.scid = cpu_to_le16(chan->dcid);
4790 rsp.dcid = cpu_to_le16(chan->scid);
4791
4792 if (result == L2CAP_CR_SUCCESS) {
4793 /* Send successful response */
4794 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4795 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4796 } else {
4797 /* Send negative response */
4798 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4799 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4800 }
4801
4802 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4803 sizeof(rsp), &rsp);
4804
4805 if (result == L2CAP_CR_SUCCESS) {
4806 l2cap_state_change(chan, BT_CONFIG);
4807 set_bit(CONF_REQ_SENT, &chan->conf_state);
4808 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4809 L2CAP_CONF_REQ,
4810 l2cap_build_conf_req(chan, buf), buf);
4811 chan->num_conf_req++;
4812 }
4813 }
4814 }
4815
4816 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4817 u8 remote_amp_id)
4818 {
4819 l2cap_move_setup(chan);
4820 chan->move_id = local_amp_id;
4821 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4822
4823 l2cap_send_move_chan_req(chan, remote_amp_id);
4824 }
4825
4826 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4827 {
4828 struct hci_chan *hchan = NULL;
4829
4830 /* Placeholder - get hci_chan for logical link */
4831
4832 if (hchan) {
4833 if (hchan->state == BT_CONNECTED) {
4834 /* Logical link is ready to go */
4835 chan->hs_hcon = hchan->conn;
4836 chan->hs_hcon->l2cap_data = chan->conn;
4837 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4838 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4839
4840 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4841 } else {
4842 /* Wait for logical link to be ready */
4843 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4844 }
4845 } else {
4846 /* Logical link not available */
4847 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4848 }
4849 }
4850
4851 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4852 {
4853 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4854 u8 rsp_result;
4855 if (result == -EINVAL)
4856 rsp_result = L2CAP_MR_BAD_ID;
4857 else
4858 rsp_result = L2CAP_MR_NOT_ALLOWED;
4859
4860 l2cap_send_move_chan_rsp(chan, rsp_result);
4861 }
4862
4863 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4864 chan->move_state = L2CAP_MOVE_STABLE;
4865
4866 /* Restart data transmission */
4867 l2cap_ertm_send(chan);
4868 }
4869
4870 /* Invoke with locked chan */
4871 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4872 {
4873 u8 local_amp_id = chan->local_amp_id;
4874 u8 remote_amp_id = chan->remote_amp_id;
4875
4876 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4877 chan, result, local_amp_id, remote_amp_id);
4878
4879 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4880 l2cap_chan_unlock(chan);
4881 return;
4882 }
4883
4884 if (chan->state != BT_CONNECTED) {
4885 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4886 } else if (result != L2CAP_MR_SUCCESS) {
4887 l2cap_do_move_cancel(chan, result);
4888 } else {
4889 switch (chan->move_role) {
4890 case L2CAP_MOVE_ROLE_INITIATOR:
4891 l2cap_do_move_initiate(chan, local_amp_id,
4892 remote_amp_id);
4893 break;
4894 case L2CAP_MOVE_ROLE_RESPONDER:
4895 l2cap_do_move_respond(chan, result);
4896 break;
4897 default:
4898 l2cap_do_move_cancel(chan, result);
4899 break;
4900 }
4901 }
4902 }
4903
4904 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4905 struct l2cap_cmd_hdr *cmd,
4906 u16 cmd_len, void *data)
4907 {
4908 struct l2cap_move_chan_req *req = data;
4909 struct l2cap_move_chan_rsp rsp;
4910 struct l2cap_chan *chan;
4911 u16 icid = 0;
4912 u16 result = L2CAP_MR_NOT_ALLOWED;
4913
4914 if (cmd_len != sizeof(*req))
4915 return -EPROTO;
4916
4917 icid = le16_to_cpu(req->icid);
4918
4919 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4920
4921 if (!conn->hs_enabled)
4922 return -EINVAL;
4923
4924 chan = l2cap_get_chan_by_dcid(conn, icid);
4925 if (!chan) {
4926 rsp.icid = cpu_to_le16(icid);
4927 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4928 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4929 sizeof(rsp), &rsp);
4930 return 0;
4931 }
4932
4933 chan->ident = cmd->ident;
4934
4935 if (chan->scid < L2CAP_CID_DYN_START ||
4936 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4937 (chan->mode != L2CAP_MODE_ERTM &&
4938 chan->mode != L2CAP_MODE_STREAMING)) {
4939 result = L2CAP_MR_NOT_ALLOWED;
4940 goto send_move_response;
4941 }
4942
4943 if (chan->local_amp_id == req->dest_amp_id) {
4944 result = L2CAP_MR_SAME_ID;
4945 goto send_move_response;
4946 }
4947
4948 if (req->dest_amp_id != AMP_ID_BREDR) {
4949 struct hci_dev *hdev;
4950 hdev = hci_dev_get(req->dest_amp_id);
4951 if (!hdev || hdev->dev_type != HCI_AMP ||
4952 !test_bit(HCI_UP, &hdev->flags)) {
4953 if (hdev)
4954 hci_dev_put(hdev);
4955
4956 result = L2CAP_MR_BAD_ID;
4957 goto send_move_response;
4958 }
4959 hci_dev_put(hdev);
4960 }
4961
4962 /* Detect a move collision. Only send a collision response
4963 * if this side has "lost", otherwise proceed with the move.
4964 * The winner has the larger bd_addr.
4965 */
4966 if ((__chan_is_moving(chan) ||
4967 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4968 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4969 result = L2CAP_MR_COLLISION;
4970 goto send_move_response;
4971 }
4972
4973 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4974 l2cap_move_setup(chan);
4975 chan->move_id = req->dest_amp_id;
4976 icid = chan->dcid;
4977
4978 if (req->dest_amp_id == AMP_ID_BREDR) {
4979 /* Moving to BR/EDR */
4980 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4981 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4982 result = L2CAP_MR_PEND;
4983 } else {
4984 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4985 result = L2CAP_MR_SUCCESS;
4986 }
4987 } else {
4988 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4989 /* Placeholder - uncomment when amp functions are available */
4990 /*amp_accept_physical(chan, req->dest_amp_id);*/
4991 result = L2CAP_MR_PEND;
4992 }
4993
4994 send_move_response:
4995 l2cap_send_move_chan_rsp(chan, result);
4996
4997 l2cap_chan_unlock(chan);
4998
4999 return 0;
5000 }
5001
5002 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5003 {
5004 struct l2cap_chan *chan;
5005 struct hci_chan *hchan = NULL;
5006
5007 chan = l2cap_get_chan_by_scid(conn, icid);
5008 if (!chan) {
5009 l2cap_send_move_chan_cfm_icid(conn, icid);
5010 return;
5011 }
5012
5013 __clear_chan_timer(chan);
5014 if (result == L2CAP_MR_PEND)
5015 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5016
5017 switch (chan->move_state) {
5018 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5019 /* Move confirm will be sent when logical link
5020 * is complete.
5021 */
5022 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5023 break;
5024 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5025 if (result == L2CAP_MR_PEND) {
5026 break;
5027 } else if (test_bit(CONN_LOCAL_BUSY,
5028 &chan->conn_state)) {
5029 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5030 } else {
5031 /* Logical link is up or moving to BR/EDR,
5032 * proceed with move
5033 */
5034 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5035 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5036 }
5037 break;
5038 case L2CAP_MOVE_WAIT_RSP:
5039 /* Moving to AMP */
5040 if (result == L2CAP_MR_SUCCESS) {
5041 /* Remote is ready, send confirm immediately
5042 * after logical link is ready
5043 */
5044 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5045 } else {
5046 /* Both logical link and move success
5047 * are required to confirm
5048 */
5049 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5050 }
5051
5052 /* Placeholder - get hci_chan for logical link */
5053 if (!hchan) {
5054 /* Logical link not available */
5055 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5056 break;
5057 }
5058
5059 /* If the logical link is not yet connected, do not
5060 * send confirmation.
5061 */
5062 if (hchan->state != BT_CONNECTED)
5063 break;
5064
5065 /* Logical link is already ready to go */
5066
5067 chan->hs_hcon = hchan->conn;
5068 chan->hs_hcon->l2cap_data = chan->conn;
5069
5070 if (result == L2CAP_MR_SUCCESS) {
5071 /* Can confirm now */
5072 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5073 } else {
5074 /* Now only need move success
5075 * to confirm
5076 */
5077 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5078 }
5079
5080 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5081 break;
5082 default:
5083 /* Any other amp move state means the move failed. */
5084 chan->move_id = chan->local_amp_id;
5085 l2cap_move_done(chan);
5086 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5087 }
5088
5089 l2cap_chan_unlock(chan);
5090 }
5091
5092 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5093 u16 result)
5094 {
5095 struct l2cap_chan *chan;
5096
5097 chan = l2cap_get_chan_by_ident(conn, ident);
5098 if (!chan) {
5099 /* Could not locate channel, icid is best guess */
5100 l2cap_send_move_chan_cfm_icid(conn, icid);
5101 return;
5102 }
5103
5104 __clear_chan_timer(chan);
5105
5106 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5107 if (result == L2CAP_MR_COLLISION) {
5108 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5109 } else {
5110 /* Cleanup - cancel move */
5111 chan->move_id = chan->local_amp_id;
5112 l2cap_move_done(chan);
5113 }
5114 }
5115
5116 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5117
5118 l2cap_chan_unlock(chan);
5119 }
5120
5121 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5122 struct l2cap_cmd_hdr *cmd,
5123 u16 cmd_len, void *data)
5124 {
5125 struct l2cap_move_chan_rsp *rsp = data;
5126 u16 icid, result;
5127
5128 if (cmd_len != sizeof(*rsp))
5129 return -EPROTO;
5130
5131 icid = le16_to_cpu(rsp->icid);
5132 result = le16_to_cpu(rsp->result);
5133
5134 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5135
5136 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5137 l2cap_move_continue(conn, icid, result);
5138 else
5139 l2cap_move_fail(conn, cmd->ident, icid, result);
5140
5141 return 0;
5142 }
5143
5144 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5145 struct l2cap_cmd_hdr *cmd,
5146 u16 cmd_len, void *data)
5147 {
5148 struct l2cap_move_chan_cfm *cfm = data;
5149 struct l2cap_chan *chan;
5150 u16 icid, result;
5151
5152 if (cmd_len != sizeof(*cfm))
5153 return -EPROTO;
5154
5155 icid = le16_to_cpu(cfm->icid);
5156 result = le16_to_cpu(cfm->result);
5157
5158 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5159
5160 chan = l2cap_get_chan_by_dcid(conn, icid);
5161 if (!chan) {
5162 /* Spec requires a response even if the icid was not found */
5163 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5164 return 0;
5165 }
5166
5167 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5168 if (result == L2CAP_MC_CONFIRMED) {
5169 chan->local_amp_id = chan->move_id;
5170 if (chan->local_amp_id == AMP_ID_BREDR)
5171 __release_logical_link(chan);
5172 } else {
5173 chan->move_id = chan->local_amp_id;
5174 }
5175
5176 l2cap_move_done(chan);
5177 }
5178
5179 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5180
5181 l2cap_chan_unlock(chan);
5182
5183 return 0;
5184 }
5185
5186 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5187 struct l2cap_cmd_hdr *cmd,
5188 u16 cmd_len, void *data)
5189 {
5190 struct l2cap_move_chan_cfm_rsp *rsp = data;
5191 struct l2cap_chan *chan;
5192 u16 icid;
5193
5194 if (cmd_len != sizeof(*rsp))
5195 return -EPROTO;
5196
5197 icid = le16_to_cpu(rsp->icid);
5198
5199 BT_DBG("icid 0x%4.4x", icid);
5200
5201 chan = l2cap_get_chan_by_scid(conn, icid);
5202 if (!chan)
5203 return 0;
5204
5205 __clear_chan_timer(chan);
5206
5207 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5208 chan->local_amp_id = chan->move_id;
5209
5210 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5211 __release_logical_link(chan);
5212
5213 l2cap_move_done(chan);
5214 }
5215
5216 l2cap_chan_unlock(chan);
5217
5218 return 0;
5219 }
5220
5221 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5222 struct l2cap_cmd_hdr *cmd,
5223 u16 cmd_len, u8 *data)
5224 {
5225 struct hci_conn *hcon = conn->hcon;
5226 struct l2cap_conn_param_update_req *req;
5227 struct l2cap_conn_param_update_rsp rsp;
5228 u16 min, max, latency, to_multiplier;
5229 int err;
5230
5231 if (hcon->role != HCI_ROLE_MASTER)
5232 return -EINVAL;
5233
5234 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5235 return -EPROTO;
5236
5237 req = (struct l2cap_conn_param_update_req *) data;
5238 min = __le16_to_cpu(req->min);
5239 max = __le16_to_cpu(req->max);
5240 latency = __le16_to_cpu(req->latency);
5241 to_multiplier = __le16_to_cpu(req->to_multiplier);
5242
5243 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5244 min, max, latency, to_multiplier);
5245
5246 memset(&rsp, 0, sizeof(rsp));
5247
5248 err = hci_check_conn_params(min, max, latency, to_multiplier);
5249 if (err)
5250 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5251 else
5252 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5253
5254 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5255 sizeof(rsp), &rsp);
5256
5257 if (!err) {
5258 u8 store_hint;
5259
5260 store_hint = hci_le_conn_update(hcon, min, max, latency,
5261 to_multiplier);
5262 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5263 store_hint, min, max, latency,
5264 to_multiplier);
5265
5266 }
5267
5268 return 0;
5269 }
5270
5271 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5272 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5273 u8 *data)
5274 {
5275 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5276 u16 dcid, mtu, mps, credits, result;
5277 struct l2cap_chan *chan;
5278 int err;
5279
5280 if (cmd_len < sizeof(*rsp))
5281 return -EPROTO;
5282
5283 dcid = __le16_to_cpu(rsp->dcid);
5284 mtu = __le16_to_cpu(rsp->mtu);
5285 mps = __le16_to_cpu(rsp->mps);
5286 credits = __le16_to_cpu(rsp->credits);
5287 result = __le16_to_cpu(rsp->result);
5288
5289 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5290 return -EPROTO;
5291
5292 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5293 dcid, mtu, mps, credits, result);
5294
5295 mutex_lock(&conn->chan_lock);
5296
5297 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5298 if (!chan) {
5299 err = -EBADSLT;
5300 goto unlock;
5301 }
5302
5303 err = 0;
5304
5305 l2cap_chan_lock(chan);
5306
5307 switch (result) {
5308 case L2CAP_CR_SUCCESS:
5309 chan->ident = 0;
5310 chan->dcid = dcid;
5311 chan->omtu = mtu;
5312 chan->remote_mps = mps;
5313 chan->tx_credits = credits;
5314 l2cap_chan_ready(chan);
5315 break;
5316
5317 default:
5318 l2cap_chan_del(chan, ECONNREFUSED);
5319 break;
5320 }
5321
5322 l2cap_chan_unlock(chan);
5323
5324 unlock:
5325 mutex_unlock(&conn->chan_lock);
5326
5327 return err;
5328 }
5329
5330 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5331 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5332 u8 *data)
5333 {
5334 int err = 0;
5335
5336 switch (cmd->code) {
5337 case L2CAP_COMMAND_REJ:
5338 l2cap_command_rej(conn, cmd, cmd_len, data);
5339 break;
5340
5341 case L2CAP_CONN_REQ:
5342 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5343 break;
5344
5345 case L2CAP_CONN_RSP:
5346 case L2CAP_CREATE_CHAN_RSP:
5347 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5348 break;
5349
5350 case L2CAP_CONF_REQ:
5351 err = l2cap_config_req(conn, cmd, cmd_len, data);
5352 break;
5353
5354 case L2CAP_CONF_RSP:
5355 l2cap_config_rsp(conn, cmd, cmd_len, data);
5356 break;
5357
5358 case L2CAP_DISCONN_REQ:
5359 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5360 break;
5361
5362 case L2CAP_DISCONN_RSP:
5363 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5364 break;
5365
5366 case L2CAP_ECHO_REQ:
5367 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5368 break;
5369
5370 case L2CAP_ECHO_RSP:
5371 break;
5372
5373 case L2CAP_INFO_REQ:
5374 err = l2cap_information_req(conn, cmd, cmd_len, data);
5375 break;
5376
5377 case L2CAP_INFO_RSP:
5378 l2cap_information_rsp(conn, cmd, cmd_len, data);
5379 break;
5380
5381 case L2CAP_CREATE_CHAN_REQ:
5382 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5383 break;
5384
5385 case L2CAP_MOVE_CHAN_REQ:
5386 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5387 break;
5388
5389 case L2CAP_MOVE_CHAN_RSP:
5390 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5391 break;
5392
5393 case L2CAP_MOVE_CHAN_CFM:
5394 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5395 break;
5396
5397 case L2CAP_MOVE_CHAN_CFM_RSP:
5398 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5399 break;
5400
5401 default:
5402 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5403 err = -EINVAL;
5404 break;
5405 }
5406
5407 return err;
5408 }
5409
5410 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5411 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5412 u8 *data)
5413 {
5414 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5415 struct l2cap_le_conn_rsp rsp;
5416 struct l2cap_chan *chan, *pchan;
5417 u16 dcid, scid, credits, mtu, mps;
5418 __le16 psm;
5419 u8 result;
5420
5421 if (cmd_len != sizeof(*req))
5422 return -EPROTO;
5423
5424 scid = __le16_to_cpu(req->scid);
5425 mtu = __le16_to_cpu(req->mtu);
5426 mps = __le16_to_cpu(req->mps);
5427 psm = req->psm;
5428 dcid = 0;
5429 credits = 0;
5430
5431 if (mtu < 23 || mps < 23)
5432 return -EPROTO;
5433
5434 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5435 scid, mtu, mps);
5436
5437 /* Check if we have socket listening on psm */
5438 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5439 &conn->hcon->dst, LE_LINK);
5440 if (!pchan) {
5441 result = L2CAP_CR_BAD_PSM;
5442 chan = NULL;
5443 goto response;
5444 }
5445
5446 mutex_lock(&conn->chan_lock);
5447 l2cap_chan_lock(pchan);
5448
5449 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5450 result = L2CAP_CR_AUTHENTICATION;
5451 chan = NULL;
5452 goto response_unlock;
5453 }
5454
5455 /* Check if we already have channel with that dcid */
5456 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5457 result = L2CAP_CR_NO_MEM;
5458 chan = NULL;
5459 goto response_unlock;
5460 }
5461
5462 chan = pchan->ops->new_connection(pchan);
5463 if (!chan) {
5464 result = L2CAP_CR_NO_MEM;
5465 goto response_unlock;
5466 }
5467
5468 l2cap_le_flowctl_init(chan);
5469
5470 bacpy(&chan->src, &conn->hcon->src);
5471 bacpy(&chan->dst, &conn->hcon->dst);
5472 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5473 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5474 chan->psm = psm;
5475 chan->dcid = scid;
5476 chan->omtu = mtu;
5477 chan->remote_mps = mps;
5478 chan->tx_credits = __le16_to_cpu(req->credits);
5479
5480 __l2cap_chan_add(conn, chan);
5481 dcid = chan->scid;
5482 credits = chan->rx_credits;
5483
5484 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5485
5486 chan->ident = cmd->ident;
5487
5488 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5489 l2cap_state_change(chan, BT_CONNECT2);
5490 result = L2CAP_CR_PEND;
5491 chan->ops->defer(chan);
5492 } else {
5493 l2cap_chan_ready(chan);
5494 result = L2CAP_CR_SUCCESS;
5495 }
5496
5497 response_unlock:
5498 l2cap_chan_unlock(pchan);
5499 mutex_unlock(&conn->chan_lock);
5500
5501 if (result == L2CAP_CR_PEND)
5502 return 0;
5503
5504 response:
5505 if (chan) {
5506 rsp.mtu = cpu_to_le16(chan->imtu);
5507 rsp.mps = cpu_to_le16(chan->mps);
5508 } else {
5509 rsp.mtu = 0;
5510 rsp.mps = 0;
5511 }
5512
5513 rsp.dcid = cpu_to_le16(dcid);
5514 rsp.credits = cpu_to_le16(credits);
5515 rsp.result = cpu_to_le16(result);
5516
5517 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5518
5519 return 0;
5520 }
5521
5522 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5523 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5524 u8 *data)
5525 {
5526 struct l2cap_le_credits *pkt;
5527 struct l2cap_chan *chan;
5528 u16 cid, credits, max_credits;
5529
5530 if (cmd_len != sizeof(*pkt))
5531 return -EPROTO;
5532
5533 pkt = (struct l2cap_le_credits *) data;
5534 cid = __le16_to_cpu(pkt->cid);
5535 credits = __le16_to_cpu(pkt->credits);
5536
5537 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5538
5539 chan = l2cap_get_chan_by_dcid(conn, cid);
5540 if (!chan)
5541 return -EBADSLT;
5542
5543 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5544 if (credits > max_credits) {
5545 BT_ERR("LE credits overflow");
5546 l2cap_send_disconn_req(chan, ECONNRESET);
5547
5548 /* Return 0 so that we don't trigger an unnecessary
5549 * command reject packet.
5550 */
5551 return 0;
5552 }
5553
5554 chan->tx_credits += credits;
5555
5556 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5557 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5558 chan->tx_credits--;
5559 }
5560
5561 if (chan->tx_credits)
5562 chan->ops->resume(chan);
5563
5564 l2cap_chan_unlock(chan);
5565
5566 return 0;
5567 }
5568
5569 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5570 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5571 u8 *data)
5572 {
5573 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5574 struct l2cap_chan *chan;
5575
5576 if (cmd_len < sizeof(*rej))
5577 return -EPROTO;
5578
5579 mutex_lock(&conn->chan_lock);
5580
5581 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5582 if (!chan)
5583 goto done;
5584
5585 l2cap_chan_lock(chan);
5586 l2cap_chan_del(chan, ECONNREFUSED);
5587 l2cap_chan_unlock(chan);
5588
5589 done:
5590 mutex_unlock(&conn->chan_lock);
5591 return 0;
5592 }
5593
5594 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5595 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5596 u8 *data)
5597 {
5598 int err = 0;
5599
5600 switch (cmd->code) {
5601 case L2CAP_COMMAND_REJ:
5602 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5603 break;
5604
5605 case L2CAP_CONN_PARAM_UPDATE_REQ:
5606 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5607 break;
5608
5609 case L2CAP_CONN_PARAM_UPDATE_RSP:
5610 break;
5611
5612 case L2CAP_LE_CONN_RSP:
5613 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5614 break;
5615
5616 case L2CAP_LE_CONN_REQ:
5617 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5618 break;
5619
5620 case L2CAP_LE_CREDITS:
5621 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5622 break;
5623
5624 case L2CAP_DISCONN_REQ:
5625 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5626 break;
5627
5628 case L2CAP_DISCONN_RSP:
5629 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5630 break;
5631
5632 default:
5633 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5634 err = -EINVAL;
5635 break;
5636 }
5637
5638 return err;
5639 }
5640
5641 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5642 struct sk_buff *skb)
5643 {
5644 struct hci_conn *hcon = conn->hcon;
5645 struct l2cap_cmd_hdr *cmd;
5646 u16 len;
5647 int err;
5648
5649 if (hcon->type != LE_LINK)
5650 goto drop;
5651
5652 if (skb->len < L2CAP_CMD_HDR_SIZE)
5653 goto drop;
5654
5655 cmd = (void *) skb->data;
5656 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5657
5658 len = le16_to_cpu(cmd->len);
5659
5660 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5661
5662 if (len != skb->len || !cmd->ident) {
5663 BT_DBG("corrupted command");
5664 goto drop;
5665 }
5666
5667 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5668 if (err) {
5669 struct l2cap_cmd_rej_unk rej;
5670
5671 BT_ERR("Wrong link type (%d)", err);
5672
5673 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5674 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5675 sizeof(rej), &rej);
5676 }
5677
5678 drop:
5679 kfree_skb(skb);
5680 }
5681
5682 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5683 struct sk_buff *skb)
5684 {
5685 struct hci_conn *hcon = conn->hcon;
5686 u8 *data = skb->data;
5687 int len = skb->len;
5688 struct l2cap_cmd_hdr cmd;
5689 int err;
5690
5691 l2cap_raw_recv(conn, skb);
5692
5693 if (hcon->type != ACL_LINK)
5694 goto drop;
5695
5696 while (len >= L2CAP_CMD_HDR_SIZE) {
5697 u16 cmd_len;
5698 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5699 data += L2CAP_CMD_HDR_SIZE;
5700 len -= L2CAP_CMD_HDR_SIZE;
5701
5702 cmd_len = le16_to_cpu(cmd.len);
5703
5704 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5705 cmd.ident);
5706
5707 if (cmd_len > len || !cmd.ident) {
5708 BT_DBG("corrupted command");
5709 break;
5710 }
5711
5712 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5713 if (err) {
5714 struct l2cap_cmd_rej_unk rej;
5715
5716 BT_ERR("Wrong link type (%d)", err);
5717
5718 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5719 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5720 sizeof(rej), &rej);
5721 }
5722
5723 data += cmd_len;
5724 len -= cmd_len;
5725 }
5726
5727 drop:
5728 kfree_skb(skb);
5729 }
5730
5731 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5732 {
5733 u16 our_fcs, rcv_fcs;
5734 int hdr_size;
5735
5736 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5737 hdr_size = L2CAP_EXT_HDR_SIZE;
5738 else
5739 hdr_size = L2CAP_ENH_HDR_SIZE;
5740
5741 if (chan->fcs == L2CAP_FCS_CRC16) {
5742 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5743 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5744 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5745
5746 if (our_fcs != rcv_fcs)
5747 return -EBADMSG;
5748 }
5749 return 0;
5750 }
5751
5752 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5753 {
5754 struct l2cap_ctrl control;
5755
5756 BT_DBG("chan %p", chan);
5757
5758 memset(&control, 0, sizeof(control));
5759 control.sframe = 1;
5760 control.final = 1;
5761 control.reqseq = chan->buffer_seq;
5762 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5763
5764 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5765 control.super = L2CAP_SUPER_RNR;
5766 l2cap_send_sframe(chan, &control);
5767 }
5768
5769 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5770 chan->unacked_frames > 0)
5771 __set_retrans_timer(chan);
5772
5773 /* Send pending iframes */
5774 l2cap_ertm_send(chan);
5775
5776 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5777 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5778 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5779 * send it now.
5780 */
5781 control.super = L2CAP_SUPER_RR;
5782 l2cap_send_sframe(chan, &control);
5783 }
5784 }
5785
5786 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5787 struct sk_buff **last_frag)
5788 {
5789 /* skb->len reflects data in skb as well as all fragments
5790 * skb->data_len reflects only data in fragments
5791 */
5792 if (!skb_has_frag_list(skb))
5793 skb_shinfo(skb)->frag_list = new_frag;
5794
5795 new_frag->next = NULL;
5796
5797 (*last_frag)->next = new_frag;
5798 *last_frag = new_frag;
5799
5800 skb->len += new_frag->len;
5801 skb->data_len += new_frag->len;
5802 skb->truesize += new_frag->truesize;
5803 }
5804
5805 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5806 struct l2cap_ctrl *control)
5807 {
5808 int err = -EINVAL;
5809
5810 switch (control->sar) {
5811 case L2CAP_SAR_UNSEGMENTED:
5812 if (chan->sdu)
5813 break;
5814
5815 err = chan->ops->recv(chan, skb);
5816 break;
5817
5818 case L2CAP_SAR_START:
5819 if (chan->sdu)
5820 break;
5821
5822 chan->sdu_len = get_unaligned_le16(skb->data);
5823 skb_pull(skb, L2CAP_SDULEN_SIZE);
5824
5825 if (chan->sdu_len > chan->imtu) {
5826 err = -EMSGSIZE;
5827 break;
5828 }
5829
5830 if (skb->len >= chan->sdu_len)
5831 break;
5832
5833 chan->sdu = skb;
5834 chan->sdu_last_frag = skb;
5835
5836 skb = NULL;
5837 err = 0;
5838 break;
5839
5840 case L2CAP_SAR_CONTINUE:
5841 if (!chan->sdu)
5842 break;
5843
5844 append_skb_frag(chan->sdu, skb,
5845 &chan->sdu_last_frag);
5846 skb = NULL;
5847
5848 if (chan->sdu->len >= chan->sdu_len)
5849 break;
5850
5851 err = 0;
5852 break;
5853
5854 case L2CAP_SAR_END:
5855 if (!chan->sdu)
5856 break;
5857
5858 append_skb_frag(chan->sdu, skb,
5859 &chan->sdu_last_frag);
5860 skb = NULL;
5861
5862 if (chan->sdu->len != chan->sdu_len)
5863 break;
5864
5865 err = chan->ops->recv(chan, chan->sdu);
5866
5867 if (!err) {
5868 /* Reassembly complete */
5869 chan->sdu = NULL;
5870 chan->sdu_last_frag = NULL;
5871 chan->sdu_len = 0;
5872 }
5873 break;
5874 }
5875
5876 if (err) {
5877 kfree_skb(skb);
5878 kfree_skb(chan->sdu);
5879 chan->sdu = NULL;
5880 chan->sdu_last_frag = NULL;
5881 chan->sdu_len = 0;
5882 }
5883
5884 return err;
5885 }
5886
5887 static int l2cap_resegment(struct l2cap_chan *chan)
5888 {
5889 /* Placeholder */
5890 return 0;
5891 }
5892
5893 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5894 {
5895 u8 event;
5896
5897 if (chan->mode != L2CAP_MODE_ERTM)
5898 return;
5899
5900 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5901 l2cap_tx(chan, NULL, NULL, event);
5902 }
5903
5904 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5905 {
5906 int err = 0;
5907 /* Pass sequential frames to l2cap_reassemble_sdu()
5908 * until a gap is encountered.
5909 */
5910
5911 BT_DBG("chan %p", chan);
5912
5913 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5914 struct sk_buff *skb;
5915 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5916 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5917
5918 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5919
5920 if (!skb)
5921 break;
5922
5923 skb_unlink(skb, &chan->srej_q);
5924 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5925 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5926 if (err)
5927 break;
5928 }
5929
5930 if (skb_queue_empty(&chan->srej_q)) {
5931 chan->rx_state = L2CAP_RX_STATE_RECV;
5932 l2cap_send_ack(chan);
5933 }
5934
5935 return err;
5936 }
5937
5938 static void l2cap_handle_srej(struct l2cap_chan *chan,
5939 struct l2cap_ctrl *control)
5940 {
5941 struct sk_buff *skb;
5942
5943 BT_DBG("chan %p, control %p", chan, control);
5944
5945 if (control->reqseq == chan->next_tx_seq) {
5946 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5947 l2cap_send_disconn_req(chan, ECONNRESET);
5948 return;
5949 }
5950
5951 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5952
5953 if (skb == NULL) {
5954 BT_DBG("Seq %d not available for retransmission",
5955 control->reqseq);
5956 return;
5957 }
5958
5959 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5960 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5961 l2cap_send_disconn_req(chan, ECONNRESET);
5962 return;
5963 }
5964
5965 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5966
5967 if (control->poll) {
5968 l2cap_pass_to_tx(chan, control);
5969
5970 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5971 l2cap_retransmit(chan, control);
5972 l2cap_ertm_send(chan);
5973
5974 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5975 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5976 chan->srej_save_reqseq = control->reqseq;
5977 }
5978 } else {
5979 l2cap_pass_to_tx_fbit(chan, control);
5980
5981 if (control->final) {
5982 if (chan->srej_save_reqseq != control->reqseq ||
5983 !test_and_clear_bit(CONN_SREJ_ACT,
5984 &chan->conn_state))
5985 l2cap_retransmit(chan, control);
5986 } else {
5987 l2cap_retransmit(chan, control);
5988 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5989 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5990 chan->srej_save_reqseq = control->reqseq;
5991 }
5992 }
5993 }
5994 }
5995
5996 static void l2cap_handle_rej(struct l2cap_chan *chan,
5997 struct l2cap_ctrl *control)
5998 {
5999 struct sk_buff *skb;
6000
6001 BT_DBG("chan %p, control %p", chan, control);
6002
6003 if (control->reqseq == chan->next_tx_seq) {
6004 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6005 l2cap_send_disconn_req(chan, ECONNRESET);
6006 return;
6007 }
6008
6009 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6010
6011 if (chan->max_tx && skb &&
6012 bt_cb(skb)->control.retries >= chan->max_tx) {
6013 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6014 l2cap_send_disconn_req(chan, ECONNRESET);
6015 return;
6016 }
6017
6018 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6019
6020 l2cap_pass_to_tx(chan, control);
6021
6022 if (control->final) {
6023 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6024 l2cap_retransmit_all(chan, control);
6025 } else {
6026 l2cap_retransmit_all(chan, control);
6027 l2cap_ertm_send(chan);
6028 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6029 set_bit(CONN_REJ_ACT, &chan->conn_state);
6030 }
6031 }
6032
6033 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6034 {
6035 BT_DBG("chan %p, txseq %d", chan, txseq);
6036
6037 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6038 chan->expected_tx_seq);
6039
6040 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6041 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6042 chan->tx_win) {
6043 /* See notes below regarding "double poll" and
6044 * invalid packets.
6045 */
6046 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6047 BT_DBG("Invalid/Ignore - after SREJ");
6048 return L2CAP_TXSEQ_INVALID_IGNORE;
6049 } else {
6050 BT_DBG("Invalid - in window after SREJ sent");
6051 return L2CAP_TXSEQ_INVALID;
6052 }
6053 }
6054
6055 if (chan->srej_list.head == txseq) {
6056 BT_DBG("Expected SREJ");
6057 return L2CAP_TXSEQ_EXPECTED_SREJ;
6058 }
6059
6060 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6061 BT_DBG("Duplicate SREJ - txseq already stored");
6062 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6063 }
6064
6065 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6066 BT_DBG("Unexpected SREJ - not requested");
6067 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6068 }
6069 }
6070
6071 if (chan->expected_tx_seq == txseq) {
6072 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6073 chan->tx_win) {
6074 BT_DBG("Invalid - txseq outside tx window");
6075 return L2CAP_TXSEQ_INVALID;
6076 } else {
6077 BT_DBG("Expected");
6078 return L2CAP_TXSEQ_EXPECTED;
6079 }
6080 }
6081
6082 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6083 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6084 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6085 return L2CAP_TXSEQ_DUPLICATE;
6086 }
6087
6088 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6089 /* A source of invalid packets is a "double poll" condition,
6090 * where delays cause us to send multiple poll packets. If
6091 * the remote stack receives and processes both polls,
6092 * sequence numbers can wrap around in such a way that a
6093 * resent frame has a sequence number that looks like new data
6094 * with a sequence gap. This would trigger an erroneous SREJ
6095 * request.
6096 *
6097 * Fortunately, this is impossible with a tx window that's
6098 * less than half of the maximum sequence number, which allows
6099 * invalid frames to be safely ignored.
6100 *
6101 * With tx window sizes greater than half of the tx window
6102 * maximum, the frame is invalid and cannot be ignored. This
6103 * causes a disconnect.
6104 */
6105
6106 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6107 BT_DBG("Invalid/Ignore - txseq outside tx window");
6108 return L2CAP_TXSEQ_INVALID_IGNORE;
6109 } else {
6110 BT_DBG("Invalid - txseq outside tx window");
6111 return L2CAP_TXSEQ_INVALID;
6112 }
6113 } else {
6114 BT_DBG("Unexpected - txseq indicates missing frames");
6115 return L2CAP_TXSEQ_UNEXPECTED;
6116 }
6117 }
6118
6119 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6120 struct l2cap_ctrl *control,
6121 struct sk_buff *skb, u8 event)
6122 {
6123 int err = 0;
6124 bool skb_in_use = false;
6125
6126 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6127 event);
6128
6129 switch (event) {
6130 case L2CAP_EV_RECV_IFRAME:
6131 switch (l2cap_classify_txseq(chan, control->txseq)) {
6132 case L2CAP_TXSEQ_EXPECTED:
6133 l2cap_pass_to_tx(chan, control);
6134
6135 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6136 BT_DBG("Busy, discarding expected seq %d",
6137 control->txseq);
6138 break;
6139 }
6140
6141 chan->expected_tx_seq = __next_seq(chan,
6142 control->txseq);
6143
6144 chan->buffer_seq = chan->expected_tx_seq;
6145 skb_in_use = true;
6146
6147 err = l2cap_reassemble_sdu(chan, skb, control);
6148 if (err)
6149 break;
6150
6151 if (control->final) {
6152 if (!test_and_clear_bit(CONN_REJ_ACT,
6153 &chan->conn_state)) {
6154 control->final = 0;
6155 l2cap_retransmit_all(chan, control);
6156 l2cap_ertm_send(chan);
6157 }
6158 }
6159
6160 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6161 l2cap_send_ack(chan);
6162 break;
6163 case L2CAP_TXSEQ_UNEXPECTED:
6164 l2cap_pass_to_tx(chan, control);
6165
6166 /* Can't issue SREJ frames in the local busy state.
6167 * Drop this frame, it will be seen as missing
6168 * when local busy is exited.
6169 */
6170 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6171 BT_DBG("Busy, discarding unexpected seq %d",
6172 control->txseq);
6173 break;
6174 }
6175
6176 /* There was a gap in the sequence, so an SREJ
6177 * must be sent for each missing frame. The
6178 * current frame is stored for later use.
6179 */
6180 skb_queue_tail(&chan->srej_q, skb);
6181 skb_in_use = true;
6182 BT_DBG("Queued %p (queue len %d)", skb,
6183 skb_queue_len(&chan->srej_q));
6184
6185 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6186 l2cap_seq_list_clear(&chan->srej_list);
6187 l2cap_send_srej(chan, control->txseq);
6188
6189 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6190 break;
6191 case L2CAP_TXSEQ_DUPLICATE:
6192 l2cap_pass_to_tx(chan, control);
6193 break;
6194 case L2CAP_TXSEQ_INVALID_IGNORE:
6195 break;
6196 case L2CAP_TXSEQ_INVALID:
6197 default:
6198 l2cap_send_disconn_req(chan, ECONNRESET);
6199 break;
6200 }
6201 break;
6202 case L2CAP_EV_RECV_RR:
6203 l2cap_pass_to_tx(chan, control);
6204 if (control->final) {
6205 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6206
6207 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6208 !__chan_is_moving(chan)) {
6209 control->final = 0;
6210 l2cap_retransmit_all(chan, control);
6211 }
6212
6213 l2cap_ertm_send(chan);
6214 } else if (control->poll) {
6215 l2cap_send_i_or_rr_or_rnr(chan);
6216 } else {
6217 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6218 &chan->conn_state) &&
6219 chan->unacked_frames)
6220 __set_retrans_timer(chan);
6221
6222 l2cap_ertm_send(chan);
6223 }
6224 break;
6225 case L2CAP_EV_RECV_RNR:
6226 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6227 l2cap_pass_to_tx(chan, control);
6228 if (control && control->poll) {
6229 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6230 l2cap_send_rr_or_rnr(chan, 0);
6231 }
6232 __clear_retrans_timer(chan);
6233 l2cap_seq_list_clear(&chan->retrans_list);
6234 break;
6235 case L2CAP_EV_RECV_REJ:
6236 l2cap_handle_rej(chan, control);
6237 break;
6238 case L2CAP_EV_RECV_SREJ:
6239 l2cap_handle_srej(chan, control);
6240 break;
6241 default:
6242 break;
6243 }
6244
6245 if (skb && !skb_in_use) {
6246 BT_DBG("Freeing %p", skb);
6247 kfree_skb(skb);
6248 }
6249
6250 return err;
6251 }
6252
6253 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6254 struct l2cap_ctrl *control,
6255 struct sk_buff *skb, u8 event)
6256 {
6257 int err = 0;
6258 u16 txseq = control->txseq;
6259 bool skb_in_use = false;
6260
6261 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6262 event);
6263
6264 switch (event) {
6265 case L2CAP_EV_RECV_IFRAME:
6266 switch (l2cap_classify_txseq(chan, txseq)) {
6267 case L2CAP_TXSEQ_EXPECTED:
6268 /* Keep frame for reassembly later */
6269 l2cap_pass_to_tx(chan, control);
6270 skb_queue_tail(&chan->srej_q, skb);
6271 skb_in_use = true;
6272 BT_DBG("Queued %p (queue len %d)", skb,
6273 skb_queue_len(&chan->srej_q));
6274
6275 chan->expected_tx_seq = __next_seq(chan, txseq);
6276 break;
6277 case L2CAP_TXSEQ_EXPECTED_SREJ:
6278 l2cap_seq_list_pop(&chan->srej_list);
6279
6280 l2cap_pass_to_tx(chan, control);
6281 skb_queue_tail(&chan->srej_q, skb);
6282 skb_in_use = true;
6283 BT_DBG("Queued %p (queue len %d)", skb,
6284 skb_queue_len(&chan->srej_q));
6285
6286 err = l2cap_rx_queued_iframes(chan);
6287 if (err)
6288 break;
6289
6290 break;
6291 case L2CAP_TXSEQ_UNEXPECTED:
6292 /* Got a frame that can't be reassembled yet.
6293 * Save it for later, and send SREJs to cover
6294 * the missing frames.
6295 */
6296 skb_queue_tail(&chan->srej_q, skb);
6297 skb_in_use = true;
6298 BT_DBG("Queued %p (queue len %d)", skb,
6299 skb_queue_len(&chan->srej_q));
6300
6301 l2cap_pass_to_tx(chan, control);
6302 l2cap_send_srej(chan, control->txseq);
6303 break;
6304 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6305 /* This frame was requested with an SREJ, but
6306 * some expected retransmitted frames are
6307 * missing. Request retransmission of missing
6308 * SREJ'd frames.
6309 */
6310 skb_queue_tail(&chan->srej_q, skb);
6311 skb_in_use = true;
6312 BT_DBG("Queued %p (queue len %d)", skb,
6313 skb_queue_len(&chan->srej_q));
6314
6315 l2cap_pass_to_tx(chan, control);
6316 l2cap_send_srej_list(chan, control->txseq);
6317 break;
6318 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6319 /* We've already queued this frame. Drop this copy. */
6320 l2cap_pass_to_tx(chan, control);
6321 break;
6322 case L2CAP_TXSEQ_DUPLICATE:
6323 /* Expecting a later sequence number, so this frame
6324 * was already received. Ignore it completely.
6325 */
6326 break;
6327 case L2CAP_TXSEQ_INVALID_IGNORE:
6328 break;
6329 case L2CAP_TXSEQ_INVALID:
6330 default:
6331 l2cap_send_disconn_req(chan, ECONNRESET);
6332 break;
6333 }
6334 break;
6335 case L2CAP_EV_RECV_RR:
6336 l2cap_pass_to_tx(chan, control);
6337 if (control->final) {
6338 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6339
6340 if (!test_and_clear_bit(CONN_REJ_ACT,
6341 &chan->conn_state)) {
6342 control->final = 0;
6343 l2cap_retransmit_all(chan, control);
6344 }
6345
6346 l2cap_ertm_send(chan);
6347 } else if (control->poll) {
6348 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6349 &chan->conn_state) &&
6350 chan->unacked_frames) {
6351 __set_retrans_timer(chan);
6352 }
6353
6354 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6355 l2cap_send_srej_tail(chan);
6356 } else {
6357 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6358 &chan->conn_state) &&
6359 chan->unacked_frames)
6360 __set_retrans_timer(chan);
6361
6362 l2cap_send_ack(chan);
6363 }
6364 break;
6365 case L2CAP_EV_RECV_RNR:
6366 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6367 l2cap_pass_to_tx(chan, control);
6368 if (control->poll) {
6369 l2cap_send_srej_tail(chan);
6370 } else {
6371 struct l2cap_ctrl rr_control;
6372 memset(&rr_control, 0, sizeof(rr_control));
6373 rr_control.sframe = 1;
6374 rr_control.super = L2CAP_SUPER_RR;
6375 rr_control.reqseq = chan->buffer_seq;
6376 l2cap_send_sframe(chan, &rr_control);
6377 }
6378
6379 break;
6380 case L2CAP_EV_RECV_REJ:
6381 l2cap_handle_rej(chan, control);
6382 break;
6383 case L2CAP_EV_RECV_SREJ:
6384 l2cap_handle_srej(chan, control);
6385 break;
6386 }
6387
6388 if (skb && !skb_in_use) {
6389 BT_DBG("Freeing %p", skb);
6390 kfree_skb(skb);
6391 }
6392
6393 return err;
6394 }
6395
6396 static int l2cap_finish_move(struct l2cap_chan *chan)
6397 {
6398 BT_DBG("chan %p", chan);
6399
6400 chan->rx_state = L2CAP_RX_STATE_RECV;
6401
6402 if (chan->hs_hcon)
6403 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6404 else
6405 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6406
6407 return l2cap_resegment(chan);
6408 }
6409
6410 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6411 struct l2cap_ctrl *control,
6412 struct sk_buff *skb, u8 event)
6413 {
6414 int err;
6415
6416 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6417 event);
6418
6419 if (!control->poll)
6420 return -EPROTO;
6421
6422 l2cap_process_reqseq(chan, control->reqseq);
6423
6424 if (!skb_queue_empty(&chan->tx_q))
6425 chan->tx_send_head = skb_peek(&chan->tx_q);
6426 else
6427 chan->tx_send_head = NULL;
6428
6429 /* Rewind next_tx_seq to the point expected
6430 * by the receiver.
6431 */
6432 chan->next_tx_seq = control->reqseq;
6433 chan->unacked_frames = 0;
6434
6435 err = l2cap_finish_move(chan);
6436 if (err)
6437 return err;
6438
6439 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6440 l2cap_send_i_or_rr_or_rnr(chan);
6441
6442 if (event == L2CAP_EV_RECV_IFRAME)
6443 return -EPROTO;
6444
6445 return l2cap_rx_state_recv(chan, control, NULL, event);
6446 }
6447
6448 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6449 struct l2cap_ctrl *control,
6450 struct sk_buff *skb, u8 event)
6451 {
6452 int err;
6453
6454 if (!control->final)
6455 return -EPROTO;
6456
6457 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6458
6459 chan->rx_state = L2CAP_RX_STATE_RECV;
6460 l2cap_process_reqseq(chan, control->reqseq);
6461
6462 if (!skb_queue_empty(&chan->tx_q))
6463 chan->tx_send_head = skb_peek(&chan->tx_q);
6464 else
6465 chan->tx_send_head = NULL;
6466
6467 /* Rewind next_tx_seq to the point expected
6468 * by the receiver.
6469 */
6470 chan->next_tx_seq = control->reqseq;
6471 chan->unacked_frames = 0;
6472
6473 if (chan->hs_hcon)
6474 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6475 else
6476 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6477
6478 err = l2cap_resegment(chan);
6479
6480 if (!err)
6481 err = l2cap_rx_state_recv(chan, control, skb, event);
6482
6483 return err;
6484 }
6485
6486 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6487 {
6488 /* Make sure reqseq is for a packet that has been sent but not acked */
6489 u16 unacked;
6490
6491 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6492 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6493 }
6494
6495 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6496 struct sk_buff *skb, u8 event)
6497 {
6498 int err = 0;
6499
6500 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6501 control, skb, event, chan->rx_state);
6502
6503 if (__valid_reqseq(chan, control->reqseq)) {
6504 switch (chan->rx_state) {
6505 case L2CAP_RX_STATE_RECV:
6506 err = l2cap_rx_state_recv(chan, control, skb, event);
6507 break;
6508 case L2CAP_RX_STATE_SREJ_SENT:
6509 err = l2cap_rx_state_srej_sent(chan, control, skb,
6510 event);
6511 break;
6512 case L2CAP_RX_STATE_WAIT_P:
6513 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6514 break;
6515 case L2CAP_RX_STATE_WAIT_F:
6516 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6517 break;
6518 default:
6519 /* shut it down */
6520 break;
6521 }
6522 } else {
6523 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6524 control->reqseq, chan->next_tx_seq,
6525 chan->expected_ack_seq);
6526 l2cap_send_disconn_req(chan, ECONNRESET);
6527 }
6528
6529 return err;
6530 }
6531
6532 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6533 struct sk_buff *skb)
6534 {
6535 int err = 0;
6536
6537 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6538 chan->rx_state);
6539
6540 if (l2cap_classify_txseq(chan, control->txseq) ==
6541 L2CAP_TXSEQ_EXPECTED) {
6542 l2cap_pass_to_tx(chan, control);
6543
6544 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6545 __next_seq(chan, chan->buffer_seq));
6546
6547 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6548
6549 l2cap_reassemble_sdu(chan, skb, control);
6550 } else {
6551 if (chan->sdu) {
6552 kfree_skb(chan->sdu);
6553 chan->sdu = NULL;
6554 }
6555 chan->sdu_last_frag = NULL;
6556 chan->sdu_len = 0;
6557
6558 if (skb) {
6559 BT_DBG("Freeing %p", skb);
6560 kfree_skb(skb);
6561 }
6562 }
6563
6564 chan->last_acked_seq = control->txseq;
6565 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6566
6567 return err;
6568 }
6569
6570 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6571 {
6572 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6573 u16 len;
6574 u8 event;
6575
6576 __unpack_control(chan, skb);
6577
6578 len = skb->len;
6579
6580 /*
6581 * We can just drop the corrupted I-frame here.
6582 * Receiver will miss it and start proper recovery
6583 * procedures and ask for retransmission.
6584 */
6585 if (l2cap_check_fcs(chan, skb))
6586 goto drop;
6587
6588 if (!control->sframe && control->sar == L2CAP_SAR_START)
6589 len -= L2CAP_SDULEN_SIZE;
6590
6591 if (chan->fcs == L2CAP_FCS_CRC16)
6592 len -= L2CAP_FCS_SIZE;
6593
6594 if (len > chan->mps) {
6595 l2cap_send_disconn_req(chan, ECONNRESET);
6596 goto drop;
6597 }
6598
6599 if (!control->sframe) {
6600 int err;
6601
6602 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6603 control->sar, control->reqseq, control->final,
6604 control->txseq);
6605
6606 /* Validate F-bit - F=0 always valid, F=1 only
6607 * valid in TX WAIT_F
6608 */
6609 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6610 goto drop;
6611
6612 if (chan->mode != L2CAP_MODE_STREAMING) {
6613 event = L2CAP_EV_RECV_IFRAME;
6614 err = l2cap_rx(chan, control, skb, event);
6615 } else {
6616 err = l2cap_stream_rx(chan, control, skb);
6617 }
6618
6619 if (err)
6620 l2cap_send_disconn_req(chan, ECONNRESET);
6621 } else {
6622 const u8 rx_func_to_event[4] = {
6623 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6624 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6625 };
6626
6627 /* Only I-frames are expected in streaming mode */
6628 if (chan->mode == L2CAP_MODE_STREAMING)
6629 goto drop;
6630
6631 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6632 control->reqseq, control->final, control->poll,
6633 control->super);
6634
6635 if (len != 0) {
6636 BT_ERR("Trailing bytes: %d in sframe", len);
6637 l2cap_send_disconn_req(chan, ECONNRESET);
6638 goto drop;
6639 }
6640
6641 /* Validate F and P bits */
6642 if (control->final && (control->poll ||
6643 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6644 goto drop;
6645
6646 event = rx_func_to_event[control->super];
6647 if (l2cap_rx(chan, control, skb, event))
6648 l2cap_send_disconn_req(chan, ECONNRESET);
6649 }
6650
6651 return 0;
6652
6653 drop:
6654 kfree_skb(skb);
6655 return 0;
6656 }
6657
6658 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6659 {
6660 struct l2cap_conn *conn = chan->conn;
6661 struct l2cap_le_credits pkt;
6662 u16 return_credits;
6663
6664 /* We return more credits to the sender only after the amount of
6665 * credits falls below half of the initial amount.
6666 */
6667 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6668 return;
6669
6670 return_credits = le_max_credits - chan->rx_credits;
6671
6672 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6673
6674 chan->rx_credits += return_credits;
6675
6676 pkt.cid = cpu_to_le16(chan->scid);
6677 pkt.credits = cpu_to_le16(return_credits);
6678
6679 chan->ident = l2cap_get_ident(conn);
6680
6681 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6682 }
6683
6684 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6685 {
6686 int err;
6687
6688 if (!chan->rx_credits) {
6689 BT_ERR("No credits to receive LE L2CAP data");
6690 l2cap_send_disconn_req(chan, ECONNRESET);
6691 return -ENOBUFS;
6692 }
6693
6694 if (chan->imtu < skb->len) {
6695 BT_ERR("Too big LE L2CAP PDU");
6696 return -ENOBUFS;
6697 }
6698
6699 chan->rx_credits--;
6700 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6701
6702 l2cap_chan_le_send_credits(chan);
6703
6704 err = 0;
6705
6706 if (!chan->sdu) {
6707 u16 sdu_len;
6708
6709 sdu_len = get_unaligned_le16(skb->data);
6710 skb_pull(skb, L2CAP_SDULEN_SIZE);
6711
6712 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6713 sdu_len, skb->len, chan->imtu);
6714
6715 if (sdu_len > chan->imtu) {
6716 BT_ERR("Too big LE L2CAP SDU length received");
6717 err = -EMSGSIZE;
6718 goto failed;
6719 }
6720
6721 if (skb->len > sdu_len) {
6722 BT_ERR("Too much LE L2CAP data received");
6723 err = -EINVAL;
6724 goto failed;
6725 }
6726
6727 if (skb->len == sdu_len)
6728 return chan->ops->recv(chan, skb);
6729
6730 chan->sdu = skb;
6731 chan->sdu_len = sdu_len;
6732 chan->sdu_last_frag = skb;
6733
6734 return 0;
6735 }
6736
6737 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6738 chan->sdu->len, skb->len, chan->sdu_len);
6739
6740 if (chan->sdu->len + skb->len > chan->sdu_len) {
6741 BT_ERR("Too much LE L2CAP data received");
6742 err = -EINVAL;
6743 goto failed;
6744 }
6745
6746 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6747 skb = NULL;
6748
6749 if (chan->sdu->len == chan->sdu_len) {
6750 err = chan->ops->recv(chan, chan->sdu);
6751 if (!err) {
6752 chan->sdu = NULL;
6753 chan->sdu_last_frag = NULL;
6754 chan->sdu_len = 0;
6755 }
6756 }
6757
6758 failed:
6759 if (err) {
6760 kfree_skb(skb);
6761 kfree_skb(chan->sdu);
6762 chan->sdu = NULL;
6763 chan->sdu_last_frag = NULL;
6764 chan->sdu_len = 0;
6765 }
6766
6767 /* We can't return an error here since we took care of the skb
6768 * freeing internally. An error return would cause the caller to
6769 * do a double-free of the skb.
6770 */
6771 return 0;
6772 }
6773
6774 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6775 struct sk_buff *skb)
6776 {
6777 struct l2cap_chan *chan;
6778
6779 chan = l2cap_get_chan_by_scid(conn, cid);
6780 if (!chan) {
6781 if (cid == L2CAP_CID_A2MP) {
6782 chan = a2mp_channel_create(conn, skb);
6783 if (!chan) {
6784 kfree_skb(skb);
6785 return;
6786 }
6787
6788 l2cap_chan_lock(chan);
6789 } else {
6790 BT_DBG("unknown cid 0x%4.4x", cid);
6791 /* Drop packet and return */
6792 kfree_skb(skb);
6793 return;
6794 }
6795 }
6796
6797 BT_DBG("chan %p, len %d", chan, skb->len);
6798
6799 if (chan->state != BT_CONNECTED)
6800 goto drop;
6801
6802 switch (chan->mode) {
6803 case L2CAP_MODE_LE_FLOWCTL:
6804 if (l2cap_le_data_rcv(chan, skb) < 0)
6805 goto drop;
6806
6807 goto done;
6808
6809 case L2CAP_MODE_BASIC:
6810 /* If socket recv buffers overflows we drop data here
6811 * which is *bad* because L2CAP has to be reliable.
6812 * But we don't have any other choice. L2CAP doesn't
6813 * provide flow control mechanism. */
6814
6815 if (chan->imtu < skb->len) {
6816 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6817 goto drop;
6818 }
6819
6820 if (!chan->ops->recv(chan, skb))
6821 goto done;
6822 break;
6823
6824 case L2CAP_MODE_ERTM:
6825 case L2CAP_MODE_STREAMING:
6826 l2cap_data_rcv(chan, skb);
6827 goto done;
6828
6829 default:
6830 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6831 break;
6832 }
6833
6834 drop:
6835 kfree_skb(skb);
6836
6837 done:
6838 l2cap_chan_unlock(chan);
6839 }
6840
6841 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6842 struct sk_buff *skb)
6843 {
6844 struct hci_conn *hcon = conn->hcon;
6845 struct l2cap_chan *chan;
6846
6847 if (hcon->type != ACL_LINK)
6848 goto drop;
6849
6850 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6851 ACL_LINK);
6852 if (!chan)
6853 goto drop;
6854
6855 BT_DBG("chan %p, len %d", chan, skb->len);
6856
6857 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6858 goto drop;
6859
6860 if (chan->imtu < skb->len)
6861 goto drop;
6862
6863 /* Store remote BD_ADDR and PSM for msg_name */
6864 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
6865 bt_cb(skb)->psm = psm;
6866
6867 if (!chan->ops->recv(chan, skb))
6868 return;
6869
6870 drop:
6871 kfree_skb(skb);
6872 }
6873
6874 static void l2cap_att_channel(struct l2cap_conn *conn,
6875 struct sk_buff *skb)
6876 {
6877 struct hci_conn *hcon = conn->hcon;
6878 struct l2cap_chan *chan;
6879
6880 if (hcon->type != LE_LINK)
6881 goto drop;
6882
6883 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
6884 &hcon->src, &hcon->dst);
6885 if (!chan)
6886 goto drop;
6887
6888 BT_DBG("chan %p, len %d", chan, skb->len);
6889
6890 if (chan->imtu < skb->len)
6891 goto drop;
6892
6893 if (!chan->ops->recv(chan, skb))
6894 return;
6895
6896 drop:
6897 kfree_skb(skb);
6898 }
6899
6900 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6901 {
6902 struct l2cap_hdr *lh = (void *) skb->data;
6903 struct hci_conn *hcon = conn->hcon;
6904 u16 cid, len;
6905 __le16 psm;
6906
6907 if (hcon->state != BT_CONNECTED) {
6908 BT_DBG("queueing pending rx skb");
6909 skb_queue_tail(&conn->pending_rx, skb);
6910 return;
6911 }
6912
6913 skb_pull(skb, L2CAP_HDR_SIZE);
6914 cid = __le16_to_cpu(lh->cid);
6915 len = __le16_to_cpu(lh->len);
6916
6917 if (len != skb->len) {
6918 kfree_skb(skb);
6919 return;
6920 }
6921
6922 /* Since we can't actively block incoming LE connections we must
6923 * at least ensure that we ignore incoming data from them.
6924 */
6925 if (hcon->type == LE_LINK &&
6926 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6927 bdaddr_type(hcon, hcon->dst_type))) {
6928 kfree_skb(skb);
6929 return;
6930 }
6931
6932 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6933
6934 switch (cid) {
6935 case L2CAP_CID_SIGNALING:
6936 l2cap_sig_channel(conn, skb);
6937 break;
6938
6939 case L2CAP_CID_CONN_LESS:
6940 psm = get_unaligned((__le16 *) skb->data);
6941 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6942 l2cap_conless_channel(conn, psm, skb);
6943 break;
6944
6945 case L2CAP_CID_ATT:
6946 l2cap_att_channel(conn, skb);
6947 break;
6948
6949 case L2CAP_CID_LE_SIGNALING:
6950 l2cap_le_sig_channel(conn, skb);
6951 break;
6952
6953 case L2CAP_CID_SMP:
6954 if (smp_sig_channel(conn, skb))
6955 l2cap_conn_del(conn->hcon, EACCES);
6956 break;
6957
6958 default:
6959 l2cap_data_channel(conn, cid, skb);
6960 break;
6961 }
6962 }
6963
6964 static void process_pending_rx(struct work_struct *work)
6965 {
6966 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6967 pending_rx_work);
6968 struct sk_buff *skb;
6969
6970 BT_DBG("");
6971
6972 while ((skb = skb_dequeue(&conn->pending_rx)))
6973 l2cap_recv_frame(conn, skb);
6974 }
6975
6976 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6977 {
6978 struct l2cap_conn *conn = hcon->l2cap_data;
6979 struct hci_chan *hchan;
6980
6981 if (conn)
6982 return conn;
6983
6984 hchan = hci_chan_create(hcon);
6985 if (!hchan)
6986 return NULL;
6987
6988 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6989 if (!conn) {
6990 hci_chan_del(hchan);
6991 return NULL;
6992 }
6993
6994 kref_init(&conn->ref);
6995 hcon->l2cap_data = conn;
6996 conn->hcon = hcon;
6997 hci_conn_get(conn->hcon);
6998 conn->hchan = hchan;
6999
7000 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7001
7002 switch (hcon->type) {
7003 case LE_LINK:
7004 if (hcon->hdev->le_mtu) {
7005 conn->mtu = hcon->hdev->le_mtu;
7006 break;
7007 }
7008 /* fall through */
7009 default:
7010 conn->mtu = hcon->hdev->acl_mtu;
7011 break;
7012 }
7013
7014 conn->feat_mask = 0;
7015
7016 if (hcon->type == ACL_LINK)
7017 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
7018 &hcon->hdev->dev_flags);
7019
7020 mutex_init(&conn->ident_lock);
7021 mutex_init(&conn->chan_lock);
7022
7023 INIT_LIST_HEAD(&conn->chan_l);
7024 INIT_LIST_HEAD(&conn->users);
7025
7026 if (hcon->type == LE_LINK)
7027 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
7028 else
7029 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7030
7031 skb_queue_head_init(&conn->pending_rx);
7032 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7033
7034 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7035
7036 return conn;
7037 }
7038
7039 static bool is_valid_psm(u16 psm, u8 dst_type) {
7040 if (!psm)
7041 return false;
7042
7043 if (bdaddr_type_is_le(dst_type))
7044 return (psm <= 0x00ff);
7045
7046 /* PSM must be odd and lsb of upper byte must be 0 */
7047 return ((psm & 0x0101) == 0x0001);
7048 }
7049
7050 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7051 bdaddr_t *dst, u8 dst_type)
7052 {
7053 struct l2cap_conn *conn;
7054 struct hci_conn *hcon;
7055 struct hci_dev *hdev;
7056 int err;
7057
7058 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7059 dst_type, __le16_to_cpu(psm));
7060
7061 hdev = hci_get_route(dst, &chan->src);
7062 if (!hdev)
7063 return -EHOSTUNREACH;
7064
7065 hci_dev_lock(hdev);
7066
7067 l2cap_chan_lock(chan);
7068
7069 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7070 chan->chan_type != L2CAP_CHAN_RAW) {
7071 err = -EINVAL;
7072 goto done;
7073 }
7074
7075 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7076 err = -EINVAL;
7077 goto done;
7078 }
7079
7080 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7081 err = -EINVAL;
7082 goto done;
7083 }
7084
7085 switch (chan->mode) {
7086 case L2CAP_MODE_BASIC:
7087 break;
7088 case L2CAP_MODE_LE_FLOWCTL:
7089 l2cap_le_flowctl_init(chan);
7090 break;
7091 case L2CAP_MODE_ERTM:
7092 case L2CAP_MODE_STREAMING:
7093 if (!disable_ertm)
7094 break;
7095 /* fall through */
7096 default:
7097 err = -EOPNOTSUPP;
7098 goto done;
7099 }
7100
7101 switch (chan->state) {
7102 case BT_CONNECT:
7103 case BT_CONNECT2:
7104 case BT_CONFIG:
7105 /* Already connecting */
7106 err = 0;
7107 goto done;
7108
7109 case BT_CONNECTED:
7110 /* Already connected */
7111 err = -EISCONN;
7112 goto done;
7113
7114 case BT_OPEN:
7115 case BT_BOUND:
7116 /* Can connect */
7117 break;
7118
7119 default:
7120 err = -EBADFD;
7121 goto done;
7122 }
7123
7124 /* Set destination address and psm */
7125 bacpy(&chan->dst, dst);
7126 chan->dst_type = dst_type;
7127
7128 chan->psm = psm;
7129 chan->dcid = cid;
7130
7131 if (bdaddr_type_is_le(dst_type)) {
7132 u8 role;
7133
7134 /* Convert from L2CAP channel address type to HCI address type
7135 */
7136 if (dst_type == BDADDR_LE_PUBLIC)
7137 dst_type = ADDR_LE_DEV_PUBLIC;
7138 else
7139 dst_type = ADDR_LE_DEV_RANDOM;
7140
7141 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7142 role = HCI_ROLE_SLAVE;
7143 else
7144 role = HCI_ROLE_MASTER;
7145
7146 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
7147 HCI_LE_CONN_TIMEOUT, role);
7148 } else {
7149 u8 auth_type = l2cap_get_auth_type(chan);
7150 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7151 }
7152
7153 if (IS_ERR(hcon)) {
7154 err = PTR_ERR(hcon);
7155 goto done;
7156 }
7157
7158 conn = l2cap_conn_add(hcon);
7159 if (!conn) {
7160 hci_conn_drop(hcon);
7161 err = -ENOMEM;
7162 goto done;
7163 }
7164
7165 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7166 hci_conn_drop(hcon);
7167 err = -EBUSY;
7168 goto done;
7169 }
7170
7171 /* Update source addr of the socket */
7172 bacpy(&chan->src, &hcon->src);
7173 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7174
7175 l2cap_chan_unlock(chan);
7176 l2cap_chan_add(conn, chan);
7177 l2cap_chan_lock(chan);
7178
7179 /* l2cap_chan_add takes its own ref so we can drop this one */
7180 hci_conn_drop(hcon);
7181
7182 l2cap_state_change(chan, BT_CONNECT);
7183 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7184
7185 /* Release chan->sport so that it can be reused by other
7186 * sockets (as it's only used for listening sockets).
7187 */
7188 write_lock(&chan_list_lock);
7189 chan->sport = 0;
7190 write_unlock(&chan_list_lock);
7191
7192 if (hcon->state == BT_CONNECTED) {
7193 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7194 __clear_chan_timer(chan);
7195 if (l2cap_chan_check_security(chan, true))
7196 l2cap_state_change(chan, BT_CONNECTED);
7197 } else
7198 l2cap_do_start(chan);
7199 }
7200
7201 err = 0;
7202
7203 done:
7204 l2cap_chan_unlock(chan);
7205 hci_dev_unlock(hdev);
7206 hci_dev_put(hdev);
7207 return err;
7208 }
7209 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7210
7211 /* ---- L2CAP interface with lower layer (HCI) ---- */
7212
7213 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7214 {
7215 int exact = 0, lm1 = 0, lm2 = 0;
7216 struct l2cap_chan *c;
7217
7218 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7219
7220 /* Find listening sockets and check their link_mode */
7221 read_lock(&chan_list_lock);
7222 list_for_each_entry(c, &chan_list, global_l) {
7223 if (c->state != BT_LISTEN)
7224 continue;
7225
7226 if (!bacmp(&c->src, &hdev->bdaddr)) {
7227 lm1 |= HCI_LM_ACCEPT;
7228 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7229 lm1 |= HCI_LM_MASTER;
7230 exact++;
7231 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7232 lm2 |= HCI_LM_ACCEPT;
7233 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7234 lm2 |= HCI_LM_MASTER;
7235 }
7236 }
7237 read_unlock(&chan_list_lock);
7238
7239 return exact ? lm1 : lm2;
7240 }
7241
7242 void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7243 {
7244 struct l2cap_conn *conn;
7245
7246 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7247
7248 if (!status) {
7249 conn = l2cap_conn_add(hcon);
7250 if (conn)
7251 l2cap_conn_ready(conn);
7252 } else {
7253 l2cap_conn_del(hcon, bt_to_errno(status));
7254 }
7255 }
7256
7257 int l2cap_disconn_ind(struct hci_conn *hcon)
7258 {
7259 struct l2cap_conn *conn = hcon->l2cap_data;
7260
7261 BT_DBG("hcon %p", hcon);
7262
7263 if (!conn)
7264 return HCI_ERROR_REMOTE_USER_TERM;
7265 return conn->disc_reason;
7266 }
7267
7268 void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7269 {
7270 BT_DBG("hcon %p reason %d", hcon, reason);
7271
7272 l2cap_conn_del(hcon, bt_to_errno(reason));
7273 }
7274
7275 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7276 {
7277 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7278 return;
7279
7280 if (encrypt == 0x00) {
7281 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7282 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7283 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7284 chan->sec_level == BT_SECURITY_FIPS)
7285 l2cap_chan_close(chan, ECONNREFUSED);
7286 } else {
7287 if (chan->sec_level == BT_SECURITY_MEDIUM)
7288 __clear_chan_timer(chan);
7289 }
7290 }
7291
7292 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7293 {
7294 struct l2cap_conn *conn = hcon->l2cap_data;
7295 struct l2cap_chan *chan;
7296
7297 if (!conn)
7298 return 0;
7299
7300 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7301
7302 if (hcon->type == LE_LINK) {
7303 if (!status && encrypt)
7304 smp_distribute_keys(conn);
7305 cancel_delayed_work(&conn->security_timer);
7306 }
7307
7308 mutex_lock(&conn->chan_lock);
7309
7310 list_for_each_entry(chan, &conn->chan_l, list) {
7311 l2cap_chan_lock(chan);
7312
7313 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7314 state_to_string(chan->state));
7315
7316 if (chan->scid == L2CAP_CID_A2MP) {
7317 l2cap_chan_unlock(chan);
7318 continue;
7319 }
7320
7321 if (chan->scid == L2CAP_CID_ATT) {
7322 if (!status && encrypt) {
7323 chan->sec_level = hcon->sec_level;
7324 l2cap_chan_ready(chan);
7325 }
7326
7327 l2cap_chan_unlock(chan);
7328 continue;
7329 }
7330
7331 if (!__l2cap_no_conn_pending(chan)) {
7332 l2cap_chan_unlock(chan);
7333 continue;
7334 }
7335
7336 if (!status && (chan->state == BT_CONNECTED ||
7337 chan->state == BT_CONFIG)) {
7338 chan->ops->resume(chan);
7339 l2cap_check_encryption(chan, encrypt);
7340 l2cap_chan_unlock(chan);
7341 continue;
7342 }
7343
7344 if (chan->state == BT_CONNECT) {
7345 if (!status)
7346 l2cap_start_connection(chan);
7347 else
7348 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7349 } else if (chan->state == BT_CONNECT2) {
7350 struct l2cap_conn_rsp rsp;
7351 __u16 res, stat;
7352
7353 if (!status) {
7354 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7355 res = L2CAP_CR_PEND;
7356 stat = L2CAP_CS_AUTHOR_PEND;
7357 chan->ops->defer(chan);
7358 } else {
7359 l2cap_state_change(chan, BT_CONFIG);
7360 res = L2CAP_CR_SUCCESS;
7361 stat = L2CAP_CS_NO_INFO;
7362 }
7363 } else {
7364 l2cap_state_change(chan, BT_DISCONN);
7365 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7366 res = L2CAP_CR_SEC_BLOCK;
7367 stat = L2CAP_CS_NO_INFO;
7368 }
7369
7370 rsp.scid = cpu_to_le16(chan->dcid);
7371 rsp.dcid = cpu_to_le16(chan->scid);
7372 rsp.result = cpu_to_le16(res);
7373 rsp.status = cpu_to_le16(stat);
7374 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7375 sizeof(rsp), &rsp);
7376
7377 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7378 res == L2CAP_CR_SUCCESS) {
7379 char buf[128];
7380 set_bit(CONF_REQ_SENT, &chan->conf_state);
7381 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7382 L2CAP_CONF_REQ,
7383 l2cap_build_conf_req(chan, buf),
7384 buf);
7385 chan->num_conf_req++;
7386 }
7387 }
7388
7389 l2cap_chan_unlock(chan);
7390 }
7391
7392 mutex_unlock(&conn->chan_lock);
7393
7394 return 0;
7395 }
7396
7397 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7398 {
7399 struct l2cap_conn *conn = hcon->l2cap_data;
7400 struct l2cap_hdr *hdr;
7401 int len;
7402
7403 /* For AMP controller do not create l2cap conn */
7404 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7405 goto drop;
7406
7407 if (!conn)
7408 conn = l2cap_conn_add(hcon);
7409
7410 if (!conn)
7411 goto drop;
7412
7413 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7414
7415 switch (flags) {
7416 case ACL_START:
7417 case ACL_START_NO_FLUSH:
7418 case ACL_COMPLETE:
7419 if (conn->rx_len) {
7420 BT_ERR("Unexpected start frame (len %d)", skb->len);
7421 kfree_skb(conn->rx_skb);
7422 conn->rx_skb = NULL;
7423 conn->rx_len = 0;
7424 l2cap_conn_unreliable(conn, ECOMM);
7425 }
7426
7427 /* Start fragment always begin with Basic L2CAP header */
7428 if (skb->len < L2CAP_HDR_SIZE) {
7429 BT_ERR("Frame is too short (len %d)", skb->len);
7430 l2cap_conn_unreliable(conn, ECOMM);
7431 goto drop;
7432 }
7433
7434 hdr = (struct l2cap_hdr *) skb->data;
7435 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7436
7437 if (len == skb->len) {
7438 /* Complete frame received */
7439 l2cap_recv_frame(conn, skb);
7440 return 0;
7441 }
7442
7443 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7444
7445 if (skb->len > len) {
7446 BT_ERR("Frame is too long (len %d, expected len %d)",
7447 skb->len, len);
7448 l2cap_conn_unreliable(conn, ECOMM);
7449 goto drop;
7450 }
7451
7452 /* Allocate skb for the complete frame (with header) */
7453 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7454 if (!conn->rx_skb)
7455 goto drop;
7456
7457 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7458 skb->len);
7459 conn->rx_len = len - skb->len;
7460 break;
7461
7462 case ACL_CONT:
7463 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7464
7465 if (!conn->rx_len) {
7466 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7467 l2cap_conn_unreliable(conn, ECOMM);
7468 goto drop;
7469 }
7470
7471 if (skb->len > conn->rx_len) {
7472 BT_ERR("Fragment is too long (len %d, expected %d)",
7473 skb->len, conn->rx_len);
7474 kfree_skb(conn->rx_skb);
7475 conn->rx_skb = NULL;
7476 conn->rx_len = 0;
7477 l2cap_conn_unreliable(conn, ECOMM);
7478 goto drop;
7479 }
7480
7481 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7482 skb->len);
7483 conn->rx_len -= skb->len;
7484
7485 if (!conn->rx_len) {
7486 /* Complete frame received. l2cap_recv_frame
7487 * takes ownership of the skb so set the global
7488 * rx_skb pointer to NULL first.
7489 */
7490 struct sk_buff *rx_skb = conn->rx_skb;
7491 conn->rx_skb = NULL;
7492 l2cap_recv_frame(conn, rx_skb);
7493 }
7494 break;
7495 }
7496
7497 drop:
7498 kfree_skb(skb);
7499 return 0;
7500 }
7501
7502 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7503 {
7504 struct l2cap_chan *c;
7505
7506 read_lock(&chan_list_lock);
7507
7508 list_for_each_entry(c, &chan_list, global_l) {
7509 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7510 &c->src, &c->dst,
7511 c->state, __le16_to_cpu(c->psm),
7512 c->scid, c->dcid, c->imtu, c->omtu,
7513 c->sec_level, c->mode);
7514 }
7515
7516 read_unlock(&chan_list_lock);
7517
7518 return 0;
7519 }
7520
7521 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7522 {
7523 return single_open(file, l2cap_debugfs_show, inode->i_private);
7524 }
7525
7526 static const struct file_operations l2cap_debugfs_fops = {
7527 .open = l2cap_debugfs_open,
7528 .read = seq_read,
7529 .llseek = seq_lseek,
7530 .release = single_release,
7531 };
7532
7533 static struct dentry *l2cap_debugfs;
7534
7535 int __init l2cap_init(void)
7536 {
7537 int err;
7538
7539 err = l2cap_init_sockets();
7540 if (err < 0)
7541 return err;
7542
7543 if (IS_ERR_OR_NULL(bt_debugfs))
7544 return 0;
7545
7546 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7547 NULL, &l2cap_debugfs_fops);
7548
7549 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7550 &le_max_credits);
7551 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7552 &le_default_mps);
7553
7554 return 0;
7555 }
7556
7557 void l2cap_exit(void)
7558 {
7559 debugfs_remove(l2cap_debugfs);
7560 l2cap_cleanup_sockets();
7561 }
7562
7563 module_param(disable_ertm, bool, 0644);
7564 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux kernel - Deliverables
This page took 0.260586 seconds and 6 git commands to generate.