1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved. 8 9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 10 11 This program is free software; you can redistribute it and/or modify 12 it under the terms of the GNU General Public License version 2 as 13 published by the Free Software Foundation; 14 15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 23 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 26 SOFTWARE IS DISCLAIMED. 27 */ 28 29 /* Bluetooth L2CAP core. */ 30 31 #include <linux/module.h> 32 33 #include <linux/debugfs.h> 34 #include <linux/crc16.h> 35 #include <linux/filter.h> 36 37 #include <net/bluetooth/bluetooth.h> 38 #include <net/bluetooth/hci_core.h> 39 #include <net/bluetooth/l2cap.h> 40 41 #include "smp.h" 42 43 #define LE_FLOWCTL_MAX_CREDITS 65535 44 45 bool disable_ertm; 46 bool enable_ecred = IS_ENABLED(CONFIG_BT_LE_L2CAP_ECRED); 47 48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD; 49 50 static LIST_HEAD(chan_list); 51 static DEFINE_RWLOCK(chan_list_lock); 52 53 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 54 u8 code, u8 ident, u16 dlen, void *data); 55 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 56 void *data); 57 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size); 58 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); 59 60 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 61 struct sk_buff_head *skbs, u8 event); 62 static void l2cap_retrans_timeout(struct work_struct *work); 63 static void l2cap_monitor_timeout(struct work_struct *work); 64 static void l2cap_ack_timeout(struct work_struct *work); 65 66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) 67 { 68 if (link_type == LE_LINK) { 69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 70 return BDADDR_LE_PUBLIC; 71 else 72 return BDADDR_LE_RANDOM; 73 } 74 75 return BDADDR_BREDR; 76 } 77 78 static inline u8 bdaddr_src_type(struct hci_conn *hcon) 79 { 80 return bdaddr_type(hcon->type, hcon->src_type); 81 } 82 83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon) 84 { 85 return bdaddr_type(hcon->type, hcon->dst_type); 86 } 87 88 /* ---- L2CAP channels ---- */ 89 90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 91 u16 cid) 92 { 93 struct l2cap_chan *c; 94 95 list_for_each_entry(c, &conn->chan_l, list) { 96 if (c->dcid == cid) 97 return c; 98 } 99 return NULL; 100 } 101 102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, 103 u16 cid) 104 { 105 struct l2cap_chan *c; 106 107 list_for_each_entry(c, &conn->chan_l, list) { 108 if (c->scid == cid) 109 return c; 110 } 111 return NULL; 112 } 113 114 /* Find channel with given SCID. 115 * Returns a reference locked channel. 116 */ 117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, 118 u16 cid) 119 { 120 struct l2cap_chan *c; 121 122 mutex_lock(&conn->chan_lock); 123 c = __l2cap_get_chan_by_scid(conn, cid); 124 if (c) { 125 /* Only lock if chan reference is not 0 */ 126 c = l2cap_chan_hold_unless_zero(c); 127 if (c) 128 l2cap_chan_lock(c); 129 } 130 mutex_unlock(&conn->chan_lock); 131 132 return c; 133 } 134 135 /* Find channel with given DCID. 136 * Returns a reference locked channel. 137 */ 138 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 139 u16 cid) 140 { 141 struct l2cap_chan *c; 142 143 mutex_lock(&conn->chan_lock); 144 c = __l2cap_get_chan_by_dcid(conn, cid); 145 if (c) { 146 /* Only lock if chan reference is not 0 */ 147 c = l2cap_chan_hold_unless_zero(c); 148 if (c) 149 l2cap_chan_lock(c); 150 } 151 mutex_unlock(&conn->chan_lock); 152 153 return c; 154 } 155 156 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, 157 u8 ident) 158 { 159 struct l2cap_chan *c; 160 161 list_for_each_entry(c, &conn->chan_l, list) { 162 if (c->ident == ident) 163 return c; 164 } 165 return NULL; 166 } 167 168 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src, 169 u8 src_type) 170 { 171 struct l2cap_chan *c; 172 173 list_for_each_entry(c, &chan_list, global_l) { 174 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR) 175 continue; 176 177 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR) 178 continue; 179 180 if (c->sport == psm && !bacmp(&c->src, src)) 181 return c; 182 } 183 return NULL; 184 } 185 186 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm) 187 { 188 int err; 189 190 write_lock(&chan_list_lock); 191 192 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) { 193 err = -EADDRINUSE; 194 goto done; 195 } 196 197 if (psm) { 198 chan->psm = psm; 199 chan->sport = psm; 200 err = 0; 201 } else { 202 u16 p, start, end, incr; 203 204 if (chan->src_type == BDADDR_BREDR) { 205 start = L2CAP_PSM_DYN_START; 206 end = L2CAP_PSM_AUTO_END; 207 incr = 2; 208 } else { 209 start = L2CAP_PSM_LE_DYN_START; 210 end = L2CAP_PSM_LE_DYN_END; 211 incr = 1; 212 } 213 214 err = -EINVAL; 215 for (p = start; p <= end; p += incr) 216 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src, 217 chan->src_type)) { 218 chan->psm = cpu_to_le16(p); 219 chan->sport = cpu_to_le16(p); 220 err = 0; 221 break; 222 } 223 } 224 225 done: 226 write_unlock(&chan_list_lock); 227 return err; 228 } 229 EXPORT_SYMBOL_GPL(l2cap_add_psm); 230 231 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid) 232 { 233 write_lock(&chan_list_lock); 234 235 /* Override the defaults (which are for conn-oriented) */ 236 chan->omtu = L2CAP_DEFAULT_MTU; 237 chan->chan_type = L2CAP_CHAN_FIXED; 238 239 chan->scid = scid; 240 241 write_unlock(&chan_list_lock); 242 243 return 0; 244 } 245 246 static u16 l2cap_alloc_cid(struct l2cap_conn *conn) 247 { 248 u16 cid, dyn_end; 249 250 if (conn->hcon->type == LE_LINK) 251 dyn_end = L2CAP_CID_LE_DYN_END; 252 else 253 dyn_end = L2CAP_CID_DYN_END; 254 255 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) { 256 if (!__l2cap_get_chan_by_scid(conn, cid)) 257 return cid; 258 } 259 260 return 0; 261 } 262 263 static void l2cap_state_change(struct l2cap_chan *chan, int state) 264 { 265 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state), 266 state_to_string(state)); 267 268 chan->state = state; 269 chan->ops->state_change(chan, state, 0); 270 } 271 272 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan, 273 int state, int err) 274 { 275 chan->state = state; 276 chan->ops->state_change(chan, chan->state, err); 277 } 278 279 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err) 280 { 281 chan->ops->state_change(chan, chan->state, err); 282 } 283 284 static void __set_retrans_timer(struct l2cap_chan *chan) 285 { 286 if (!delayed_work_pending(&chan->monitor_timer) && 287 chan->retrans_timeout) { 288 l2cap_set_timer(chan, &chan->retrans_timer, 289 msecs_to_jiffies(chan->retrans_timeout)); 290 } 291 } 292 293 static void __set_monitor_timer(struct l2cap_chan *chan) 294 { 295 __clear_retrans_timer(chan); 296 if (chan->monitor_timeout) { 297 l2cap_set_timer(chan, &chan->monitor_timer, 298 msecs_to_jiffies(chan->monitor_timeout)); 299 } 300 } 301 302 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head, 303 u16 seq) 304 { 305 struct sk_buff *skb; 306 307 skb_queue_walk(head, skb) { 308 if (bt_cb(skb)->l2cap.txseq == seq) 309 return skb; 310 } 311 312 return NULL; 313 } 314 315 /* ---- L2CAP sequence number lists ---- */ 316 317 /* For ERTM, ordered lists of sequence numbers must be tracked for 318 * SREJ requests that are received and for frames that are to be 319 * retransmitted. These seq_list functions implement a singly-linked 320 * list in an array, where membership in the list can also be checked 321 * in constant time. Items can also be added to the tail of the list 322 * and removed from the head in constant time, without further memory 323 * allocs or frees. 324 */ 325 326 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size) 327 { 328 size_t alloc_size, i; 329 330 /* Allocated size is a power of 2 to map sequence numbers 331 * (which may be up to 14 bits) in to a smaller array that is 332 * sized for the negotiated ERTM transmit windows. 333 */ 334 alloc_size = roundup_pow_of_two(size); 335 336 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL); 337 if (!seq_list->list) 338 return -ENOMEM; 339 340 seq_list->mask = alloc_size - 1; 341 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 342 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 343 for (i = 0; i < alloc_size; i++) 344 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 345 346 return 0; 347 } 348 349 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list) 350 { 351 kfree(seq_list->list); 352 } 353 354 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list, 355 u16 seq) 356 { 357 /* Constant-time check for list membership */ 358 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR; 359 } 360 361 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list) 362 { 363 u16 seq = seq_list->head; 364 u16 mask = seq_list->mask; 365 366 seq_list->head = seq_list->list[seq & mask]; 367 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR; 368 369 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) { 370 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 371 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 372 } 373 374 return seq; 375 } 376 377 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list) 378 { 379 u16 i; 380 381 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) 382 return; 383 384 for (i = 0; i <= seq_list->mask; i++) 385 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 386 387 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 388 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 389 } 390 391 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq) 392 { 393 u16 mask = seq_list->mask; 394 395 /* All appends happen in constant time */ 396 397 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR) 398 return; 399 400 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR) 401 seq_list->head = seq; 402 else 403 seq_list->list[seq_list->tail & mask] = seq; 404 405 seq_list->tail = seq; 406 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL; 407 } 408 409 static void l2cap_chan_timeout(struct work_struct *work) 410 { 411 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 412 chan_timer.work); 413 struct l2cap_conn *conn = chan->conn; 414 int reason; 415 416 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 417 418 mutex_lock(&conn->chan_lock); 419 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling 420 * this work. No need to call l2cap_chan_hold(chan) here again. 421 */ 422 l2cap_chan_lock(chan); 423 424 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) 425 reason = ECONNREFUSED; 426 else if (chan->state == BT_CONNECT && 427 chan->sec_level != BT_SECURITY_SDP) 428 reason = ECONNREFUSED; 429 else 430 reason = ETIMEDOUT; 431 432 l2cap_chan_close(chan, reason); 433 434 chan->ops->close(chan); 435 436 l2cap_chan_unlock(chan); 437 l2cap_chan_put(chan); 438 439 mutex_unlock(&conn->chan_lock); 440 } 441 442 struct l2cap_chan *l2cap_chan_create(void) 443 { 444 struct l2cap_chan *chan; 445 446 chan = kzalloc(sizeof(*chan), GFP_ATOMIC); 447 if (!chan) 448 return NULL; 449 450 skb_queue_head_init(&chan->tx_q); 451 skb_queue_head_init(&chan->srej_q); 452 mutex_init(&chan->lock); 453 454 /* Set default lock nesting level */ 455 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL); 456 457 write_lock(&chan_list_lock); 458 list_add(&chan->global_l, &chan_list); 459 write_unlock(&chan_list_lock); 460 461 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); 462 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); 463 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); 464 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); 465 466 chan->state = BT_OPEN; 467 468 kref_init(&chan->kref); 469 470 /* This flag is cleared in l2cap_chan_ready() */ 471 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 472 473 BT_DBG("chan %p", chan); 474 475 return chan; 476 } 477 EXPORT_SYMBOL_GPL(l2cap_chan_create); 478 479 static void l2cap_chan_destroy(struct kref *kref) 480 { 481 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref); 482 483 BT_DBG("chan %p", chan); 484 485 write_lock(&chan_list_lock); 486 list_del(&chan->global_l); 487 write_unlock(&chan_list_lock); 488 489 kfree(chan); 490 } 491 492 void l2cap_chan_hold(struct l2cap_chan *c) 493 { 494 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 495 496 kref_get(&c->kref); 497 } 498 499 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) 500 { 501 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 502 503 if (!kref_get_unless_zero(&c->kref)) 504 return NULL; 505 506 return c; 507 } 508 509 void l2cap_chan_put(struct l2cap_chan *c) 510 { 511 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 512 513 kref_put(&c->kref, l2cap_chan_destroy); 514 } 515 EXPORT_SYMBOL_GPL(l2cap_chan_put); 516 517 void l2cap_chan_set_defaults(struct l2cap_chan *chan) 518 { 519 chan->fcs = L2CAP_FCS_CRC16; 520 chan->max_tx = L2CAP_DEFAULT_MAX_TX; 521 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW; 522 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 523 chan->remote_max_tx = chan->max_tx; 524 chan->remote_tx_win = chan->tx_win; 525 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW; 526 chan->sec_level = BT_SECURITY_LOW; 527 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 528 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; 529 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; 530 531 chan->conf_state = 0; 532 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 533 534 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 535 } 536 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults); 537 538 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits) 539 { 540 chan->sdu = NULL; 541 chan->sdu_last_frag = NULL; 542 chan->sdu_len = 0; 543 chan->tx_credits = tx_credits; 544 /* Derive MPS from connection MTU to stop HCI fragmentation */ 545 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE); 546 /* Give enough credits for a full packet */ 547 chan->rx_credits = (chan->imtu / chan->mps) + 1; 548 549 skb_queue_head_init(&chan->tx_q); 550 } 551 552 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits) 553 { 554 l2cap_le_flowctl_init(chan, tx_credits); 555 556 /* L2CAP implementations shall support a minimum MPS of 64 octets */ 557 if (chan->mps < L2CAP_ECRED_MIN_MPS) { 558 chan->mps = L2CAP_ECRED_MIN_MPS; 559 chan->rx_credits = (chan->imtu / chan->mps) + 1; 560 } 561 } 562 563 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 564 { 565 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 566 __le16_to_cpu(chan->psm), chan->dcid); 567 568 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 569 570 chan->conn = conn; 571 572 switch (chan->chan_type) { 573 case L2CAP_CHAN_CONN_ORIENTED: 574 /* Alloc CID for connection-oriented socket */ 575 chan->scid = l2cap_alloc_cid(conn); 576 if (conn->hcon->type == ACL_LINK) 577 chan->omtu = L2CAP_DEFAULT_MTU; 578 break; 579 580 case L2CAP_CHAN_CONN_LESS: 581 /* Connectionless socket */ 582 chan->scid = L2CAP_CID_CONN_LESS; 583 chan->dcid = L2CAP_CID_CONN_LESS; 584 chan->omtu = L2CAP_DEFAULT_MTU; 585 break; 586 587 case L2CAP_CHAN_FIXED: 588 /* Caller will set CID and CID specific MTU values */ 589 break; 590 591 default: 592 /* Raw socket can send/recv signalling messages only */ 593 chan->scid = L2CAP_CID_SIGNALING; 594 chan->dcid = L2CAP_CID_SIGNALING; 595 chan->omtu = L2CAP_DEFAULT_MTU; 596 } 597 598 chan->local_id = L2CAP_BESTEFFORT_ID; 599 chan->local_stype = L2CAP_SERV_BESTEFFORT; 600 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE; 601 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME; 602 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT; 603 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO; 604 605 l2cap_chan_hold(chan); 606 607 /* Only keep a reference for fixed channels if they requested it */ 608 if (chan->chan_type != L2CAP_CHAN_FIXED || 609 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags)) 610 hci_conn_hold(conn->hcon); 611 612 list_add(&chan->list, &conn->chan_l); 613 } 614 615 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 616 { 617 mutex_lock(&conn->chan_lock); 618 __l2cap_chan_add(conn, chan); 619 mutex_unlock(&conn->chan_lock); 620 } 621 622 void l2cap_chan_del(struct l2cap_chan *chan, int err) 623 { 624 struct l2cap_conn *conn = chan->conn; 625 626 __clear_chan_timer(chan); 627 628 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err, 629 state_to_string(chan->state)); 630 631 chan->ops->teardown(chan, err); 632 633 if (conn) { 634 /* Delete from channel list */ 635 list_del(&chan->list); 636 637 l2cap_chan_put(chan); 638 639 chan->conn = NULL; 640 641 /* Reference was only held for non-fixed channels or 642 * fixed channels that explicitly requested it using the 643 * FLAG_HOLD_HCI_CONN flag. 644 */ 645 if (chan->chan_type != L2CAP_CHAN_FIXED || 646 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags)) 647 hci_conn_drop(conn->hcon); 648 } 649 650 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state)) 651 return; 652 653 switch (chan->mode) { 654 case L2CAP_MODE_BASIC: 655 break; 656 657 case L2CAP_MODE_LE_FLOWCTL: 658 case L2CAP_MODE_EXT_FLOWCTL: 659 skb_queue_purge(&chan->tx_q); 660 break; 661 662 case L2CAP_MODE_ERTM: 663 __clear_retrans_timer(chan); 664 __clear_monitor_timer(chan); 665 __clear_ack_timer(chan); 666 667 skb_queue_purge(&chan->srej_q); 668 669 l2cap_seq_list_free(&chan->srej_list); 670 l2cap_seq_list_free(&chan->retrans_list); 671 fallthrough; 672 673 case L2CAP_MODE_STREAMING: 674 skb_queue_purge(&chan->tx_q); 675 break; 676 } 677 } 678 EXPORT_SYMBOL_GPL(l2cap_chan_del); 679 680 static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id, 681 l2cap_chan_func_t func, void *data) 682 { 683 struct l2cap_chan *chan, *l; 684 685 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 686 if (chan->ident == id) 687 func(chan, data); 688 } 689 } 690 691 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, 692 void *data) 693 { 694 struct l2cap_chan *chan; 695 696 list_for_each_entry(chan, &conn->chan_l, list) { 697 func(chan, data); 698 } 699 } 700 701 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, 702 void *data) 703 { 704 if (!conn) 705 return; 706 707 mutex_lock(&conn->chan_lock); 708 __l2cap_chan_list(conn, func, data); 709 mutex_unlock(&conn->chan_lock); 710 } 711 712 EXPORT_SYMBOL_GPL(l2cap_chan_list); 713 714 static void l2cap_conn_update_id_addr(struct work_struct *work) 715 { 716 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 717 id_addr_timer.work); 718 struct hci_conn *hcon = conn->hcon; 719 struct l2cap_chan *chan; 720 721 mutex_lock(&conn->chan_lock); 722 723 list_for_each_entry(chan, &conn->chan_l, list) { 724 l2cap_chan_lock(chan); 725 bacpy(&chan->dst, &hcon->dst); 726 chan->dst_type = bdaddr_dst_type(hcon); 727 l2cap_chan_unlock(chan); 728 } 729 730 mutex_unlock(&conn->chan_lock); 731 } 732 733 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan) 734 { 735 struct l2cap_conn *conn = chan->conn; 736 struct l2cap_le_conn_rsp rsp; 737 u16 result; 738 739 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 740 result = L2CAP_CR_LE_AUTHORIZATION; 741 else 742 result = L2CAP_CR_LE_BAD_PSM; 743 744 l2cap_state_change(chan, BT_DISCONN); 745 746 rsp.dcid = cpu_to_le16(chan->scid); 747 rsp.mtu = cpu_to_le16(chan->imtu); 748 rsp.mps = cpu_to_le16(chan->mps); 749 rsp.credits = cpu_to_le16(chan->rx_credits); 750 rsp.result = cpu_to_le16(result); 751 752 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 753 &rsp); 754 } 755 756 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan) 757 { 758 l2cap_state_change(chan, BT_DISCONN); 759 760 __l2cap_ecred_conn_rsp_defer(chan); 761 } 762 763 static void l2cap_chan_connect_reject(struct l2cap_chan *chan) 764 { 765 struct l2cap_conn *conn = chan->conn; 766 struct l2cap_conn_rsp rsp; 767 u16 result; 768 769 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 770 result = L2CAP_CR_SEC_BLOCK; 771 else 772 result = L2CAP_CR_BAD_PSM; 773 774 l2cap_state_change(chan, BT_DISCONN); 775 776 rsp.scid = cpu_to_le16(chan->dcid); 777 rsp.dcid = cpu_to_le16(chan->scid); 778 rsp.result = cpu_to_le16(result); 779 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 780 781 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp); 782 } 783 784 void l2cap_chan_close(struct l2cap_chan *chan, int reason) 785 { 786 struct l2cap_conn *conn = chan->conn; 787 788 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 789 790 switch (chan->state) { 791 case BT_LISTEN: 792 chan->ops->teardown(chan, 0); 793 break; 794 795 case BT_CONNECTED: 796 case BT_CONFIG: 797 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) { 798 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 799 l2cap_send_disconn_req(chan, reason); 800 } else 801 l2cap_chan_del(chan, reason); 802 break; 803 804 case BT_CONNECT2: 805 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) { 806 if (conn->hcon->type == ACL_LINK) 807 l2cap_chan_connect_reject(chan); 808 else if (conn->hcon->type == LE_LINK) { 809 switch (chan->mode) { 810 case L2CAP_MODE_LE_FLOWCTL: 811 l2cap_chan_le_connect_reject(chan); 812 break; 813 case L2CAP_MODE_EXT_FLOWCTL: 814 l2cap_chan_ecred_connect_reject(chan); 815 return; 816 } 817 } 818 } 819 820 l2cap_chan_del(chan, reason); 821 break; 822 823 case BT_CONNECT: 824 case BT_DISCONN: 825 l2cap_chan_del(chan, reason); 826 break; 827 828 default: 829 chan->ops->teardown(chan, 0); 830 break; 831 } 832 } 833 EXPORT_SYMBOL(l2cap_chan_close); 834 835 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan) 836 { 837 switch (chan->chan_type) { 838 case L2CAP_CHAN_RAW: 839 switch (chan->sec_level) { 840 case BT_SECURITY_HIGH: 841 case BT_SECURITY_FIPS: 842 return HCI_AT_DEDICATED_BONDING_MITM; 843 case BT_SECURITY_MEDIUM: 844 return HCI_AT_DEDICATED_BONDING; 845 default: 846 return HCI_AT_NO_BONDING; 847 } 848 break; 849 case L2CAP_CHAN_CONN_LESS: 850 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) { 851 if (chan->sec_level == BT_SECURITY_LOW) 852 chan->sec_level = BT_SECURITY_SDP; 853 } 854 if (chan->sec_level == BT_SECURITY_HIGH || 855 chan->sec_level == BT_SECURITY_FIPS) 856 return HCI_AT_NO_BONDING_MITM; 857 else 858 return HCI_AT_NO_BONDING; 859 break; 860 case L2CAP_CHAN_CONN_ORIENTED: 861 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) { 862 if (chan->sec_level == BT_SECURITY_LOW) 863 chan->sec_level = BT_SECURITY_SDP; 864 865 if (chan->sec_level == BT_SECURITY_HIGH || 866 chan->sec_level == BT_SECURITY_FIPS) 867 return HCI_AT_NO_BONDING_MITM; 868 else 869 return HCI_AT_NO_BONDING; 870 } 871 fallthrough; 872 873 default: 874 switch (chan->sec_level) { 875 case BT_SECURITY_HIGH: 876 case BT_SECURITY_FIPS: 877 return HCI_AT_GENERAL_BONDING_MITM; 878 case BT_SECURITY_MEDIUM: 879 return HCI_AT_GENERAL_BONDING; 880 default: 881 return HCI_AT_NO_BONDING; 882 } 883 break; 884 } 885 } 886 887 /* Service level security */ 888 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator) 889 { 890 struct l2cap_conn *conn = chan->conn; 891 __u8 auth_type; 892 893 if (conn->hcon->type == LE_LINK) 894 return smp_conn_security(conn->hcon, chan->sec_level); 895 896 auth_type = l2cap_get_auth_type(chan); 897 898 return hci_conn_security(conn->hcon, chan->sec_level, auth_type, 899 initiator); 900 } 901 902 static u8 l2cap_get_ident(struct l2cap_conn *conn) 903 { 904 u8 id; 905 906 /* Get next available identificator. 907 * 1 - 128 are used by kernel. 908 * 129 - 199 are reserved. 909 * 200 - 254 are used by utilities like l2ping, etc. 910 */ 911 912 mutex_lock(&conn->ident_lock); 913 914 if (++conn->tx_ident > 128) 915 conn->tx_ident = 1; 916 917 id = conn->tx_ident; 918 919 mutex_unlock(&conn->ident_lock); 920 921 return id; 922 } 923 924 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 925 void *data) 926 { 927 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 928 u8 flags; 929 930 BT_DBG("code 0x%2.2x", code); 931 932 if (!skb) 933 return; 934 935 /* Use NO_FLUSH if supported or we have an LE link (which does 936 * not support auto-flushing packets) */ 937 if (lmp_no_flush_capable(conn->hcon->hdev) || 938 conn->hcon->type == LE_LINK) 939 flags = ACL_START_NO_FLUSH; 940 else 941 flags = ACL_START; 942 943 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON; 944 skb->priority = HCI_PRIO_MAX; 945 946 hci_send_acl(conn->hchan, skb, flags); 947 } 948 949 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 950 { 951 struct hci_conn *hcon = chan->conn->hcon; 952 u16 flags; 953 954 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len, 955 skb->priority); 956 957 /* Use NO_FLUSH for LE links (where this is the only option) or 958 * if the BR/EDR link supports it and flushing has not been 959 * explicitly requested (through FLAG_FLUSHABLE). 960 */ 961 if (hcon->type == LE_LINK || 962 (!test_bit(FLAG_FLUSHABLE, &chan->flags) && 963 lmp_no_flush_capable(hcon->hdev))) 964 flags = ACL_START_NO_FLUSH; 965 else 966 flags = ACL_START; 967 968 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 969 hci_send_acl(chan->conn->hchan, skb, flags); 970 } 971 972 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control) 973 { 974 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT; 975 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT; 976 977 if (enh & L2CAP_CTRL_FRAME_TYPE) { 978 /* S-Frame */ 979 control->sframe = 1; 980 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT; 981 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT; 982 983 control->sar = 0; 984 control->txseq = 0; 985 } else { 986 /* I-Frame */ 987 control->sframe = 0; 988 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT; 989 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT; 990 991 control->poll = 0; 992 control->super = 0; 993 } 994 } 995 996 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control) 997 { 998 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT; 999 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT; 1000 1001 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) { 1002 /* S-Frame */ 1003 control->sframe = 1; 1004 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT; 1005 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT; 1006 1007 control->sar = 0; 1008 control->txseq = 0; 1009 } else { 1010 /* I-Frame */ 1011 control->sframe = 0; 1012 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT; 1013 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT; 1014 1015 control->poll = 0; 1016 control->super = 0; 1017 } 1018 } 1019 1020 static inline void __unpack_control(struct l2cap_chan *chan, 1021 struct sk_buff *skb) 1022 { 1023 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1024 __unpack_extended_control(get_unaligned_le32(skb->data), 1025 &bt_cb(skb)->l2cap); 1026 skb_pull(skb, L2CAP_EXT_CTRL_SIZE); 1027 } else { 1028 __unpack_enhanced_control(get_unaligned_le16(skb->data), 1029 &bt_cb(skb)->l2cap); 1030 skb_pull(skb, L2CAP_ENH_CTRL_SIZE); 1031 } 1032 } 1033 1034 static u32 __pack_extended_control(struct l2cap_ctrl *control) 1035 { 1036 u32 packed; 1037 1038 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT; 1039 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT; 1040 1041 if (control->sframe) { 1042 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT; 1043 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT; 1044 packed |= L2CAP_EXT_CTRL_FRAME_TYPE; 1045 } else { 1046 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT; 1047 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT; 1048 } 1049 1050 return packed; 1051 } 1052 1053 static u16 __pack_enhanced_control(struct l2cap_ctrl *control) 1054 { 1055 u16 packed; 1056 1057 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT; 1058 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT; 1059 1060 if (control->sframe) { 1061 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT; 1062 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT; 1063 packed |= L2CAP_CTRL_FRAME_TYPE; 1064 } else { 1065 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT; 1066 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT; 1067 } 1068 1069 return packed; 1070 } 1071 1072 static inline void __pack_control(struct l2cap_chan *chan, 1073 struct l2cap_ctrl *control, 1074 struct sk_buff *skb) 1075 { 1076 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1077 put_unaligned_le32(__pack_extended_control(control), 1078 skb->data + L2CAP_HDR_SIZE); 1079 } else { 1080 put_unaligned_le16(__pack_enhanced_control(control), 1081 skb->data + L2CAP_HDR_SIZE); 1082 } 1083 } 1084 1085 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan) 1086 { 1087 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1088 return L2CAP_EXT_HDR_SIZE; 1089 else 1090 return L2CAP_ENH_HDR_SIZE; 1091 } 1092 1093 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan, 1094 u32 control) 1095 { 1096 struct sk_buff *skb; 1097 struct l2cap_hdr *lh; 1098 int hlen = __ertm_hdr_size(chan); 1099 1100 if (chan->fcs == L2CAP_FCS_CRC16) 1101 hlen += L2CAP_FCS_SIZE; 1102 1103 skb = bt_skb_alloc(hlen, GFP_KERNEL); 1104 1105 if (!skb) 1106 return ERR_PTR(-ENOMEM); 1107 1108 lh = skb_put(skb, L2CAP_HDR_SIZE); 1109 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE); 1110 lh->cid = cpu_to_le16(chan->dcid); 1111 1112 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1113 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 1114 else 1115 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 1116 1117 if (chan->fcs == L2CAP_FCS_CRC16) { 1118 u16 fcs = crc16(0, (u8 *)skb->data, skb->len); 1119 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1120 } 1121 1122 skb->priority = HCI_PRIO_MAX; 1123 return skb; 1124 } 1125 1126 static void l2cap_send_sframe(struct l2cap_chan *chan, 1127 struct l2cap_ctrl *control) 1128 { 1129 struct sk_buff *skb; 1130 u32 control_field; 1131 1132 BT_DBG("chan %p, control %p", chan, control); 1133 1134 if (!control->sframe) 1135 return; 1136 1137 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) && 1138 !control->poll) 1139 control->final = 1; 1140 1141 if (control->super == L2CAP_SUPER_RR) 1142 clear_bit(CONN_RNR_SENT, &chan->conn_state); 1143 else if (control->super == L2CAP_SUPER_RNR) 1144 set_bit(CONN_RNR_SENT, &chan->conn_state); 1145 1146 if (control->super != L2CAP_SUPER_SREJ) { 1147 chan->last_acked_seq = control->reqseq; 1148 __clear_ack_timer(chan); 1149 } 1150 1151 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq, 1152 control->final, control->poll, control->super); 1153 1154 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1155 control_field = __pack_extended_control(control); 1156 else 1157 control_field = __pack_enhanced_control(control); 1158 1159 skb = l2cap_create_sframe_pdu(chan, control_field); 1160 if (!IS_ERR(skb)) 1161 l2cap_do_send(chan, skb); 1162 } 1163 1164 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll) 1165 { 1166 struct l2cap_ctrl control; 1167 1168 BT_DBG("chan %p, poll %d", chan, poll); 1169 1170 memset(&control, 0, sizeof(control)); 1171 control.sframe = 1; 1172 control.poll = poll; 1173 1174 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 1175 control.super = L2CAP_SUPER_RNR; 1176 else 1177 control.super = L2CAP_SUPER_RR; 1178 1179 control.reqseq = chan->buffer_seq; 1180 l2cap_send_sframe(chan, &control); 1181 } 1182 1183 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 1184 { 1185 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 1186 return true; 1187 1188 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state); 1189 } 1190 1191 void l2cap_send_conn_req(struct l2cap_chan *chan) 1192 { 1193 struct l2cap_conn *conn = chan->conn; 1194 struct l2cap_conn_req req; 1195 1196 req.scid = cpu_to_le16(chan->scid); 1197 req.psm = chan->psm; 1198 1199 chan->ident = l2cap_get_ident(conn); 1200 1201 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 1202 1203 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req); 1204 } 1205 1206 static void l2cap_chan_ready(struct l2cap_chan *chan) 1207 { 1208 /* The channel may have already been flagged as connected in 1209 * case of receiving data before the L2CAP info req/rsp 1210 * procedure is complete. 1211 */ 1212 if (chan->state == BT_CONNECTED) 1213 return; 1214 1215 /* This clears all conf flags, including CONF_NOT_COMPLETE */ 1216 chan->conf_state = 0; 1217 __clear_chan_timer(chan); 1218 1219 switch (chan->mode) { 1220 case L2CAP_MODE_LE_FLOWCTL: 1221 case L2CAP_MODE_EXT_FLOWCTL: 1222 if (!chan->tx_credits) 1223 chan->ops->suspend(chan); 1224 break; 1225 } 1226 1227 chan->state = BT_CONNECTED; 1228 1229 chan->ops->ready(chan); 1230 } 1231 1232 static void l2cap_le_connect(struct l2cap_chan *chan) 1233 { 1234 struct l2cap_conn *conn = chan->conn; 1235 struct l2cap_le_conn_req req; 1236 1237 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags)) 1238 return; 1239 1240 if (!chan->imtu) 1241 chan->imtu = chan->conn->mtu; 1242 1243 l2cap_le_flowctl_init(chan, 0); 1244 1245 memset(&req, 0, sizeof(req)); 1246 req.psm = chan->psm; 1247 req.scid = cpu_to_le16(chan->scid); 1248 req.mtu = cpu_to_le16(chan->imtu); 1249 req.mps = cpu_to_le16(chan->mps); 1250 req.credits = cpu_to_le16(chan->rx_credits); 1251 1252 chan->ident = l2cap_get_ident(conn); 1253 1254 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ, 1255 sizeof(req), &req); 1256 } 1257 1258 struct l2cap_ecred_conn_data { 1259 struct { 1260 struct l2cap_ecred_conn_req req; 1261 __le16 scid[5]; 1262 } __packed pdu; 1263 struct l2cap_chan *chan; 1264 struct pid *pid; 1265 int count; 1266 }; 1267 1268 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data) 1269 { 1270 struct l2cap_ecred_conn_data *conn = data; 1271 struct pid *pid; 1272 1273 if (chan == conn->chan) 1274 return; 1275 1276 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags)) 1277 return; 1278 1279 pid = chan->ops->get_peer_pid(chan); 1280 1281 /* Only add deferred channels with the same PID/PSM */ 1282 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident || 1283 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT) 1284 return; 1285 1286 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 1287 return; 1288 1289 l2cap_ecred_init(chan, 0); 1290 1291 /* Set the same ident so we can match on the rsp */ 1292 chan->ident = conn->chan->ident; 1293 1294 /* Include all channels deferred */ 1295 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid); 1296 1297 conn->count++; 1298 } 1299 1300 static void l2cap_ecred_connect(struct l2cap_chan *chan) 1301 { 1302 struct l2cap_conn *conn = chan->conn; 1303 struct l2cap_ecred_conn_data data; 1304 1305 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 1306 return; 1307 1308 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 1309 return; 1310 1311 l2cap_ecred_init(chan, 0); 1312 1313 memset(&data, 0, sizeof(data)); 1314 data.pdu.req.psm = chan->psm; 1315 data.pdu.req.mtu = cpu_to_le16(chan->imtu); 1316 data.pdu.req.mps = cpu_to_le16(chan->mps); 1317 data.pdu.req.credits = cpu_to_le16(chan->rx_credits); 1318 data.pdu.scid[0] = cpu_to_le16(chan->scid); 1319 1320 chan->ident = l2cap_get_ident(conn); 1321 1322 data.count = 1; 1323 data.chan = chan; 1324 data.pid = chan->ops->get_peer_pid(chan); 1325 1326 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data); 1327 1328 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ, 1329 sizeof(data.pdu.req) + data.count * sizeof(__le16), 1330 &data.pdu); 1331 } 1332 1333 static void l2cap_le_start(struct l2cap_chan *chan) 1334 { 1335 struct l2cap_conn *conn = chan->conn; 1336 1337 if (!smp_conn_security(conn->hcon, chan->sec_level)) 1338 return; 1339 1340 if (!chan->psm) { 1341 l2cap_chan_ready(chan); 1342 return; 1343 } 1344 1345 if (chan->state == BT_CONNECT) { 1346 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) 1347 l2cap_ecred_connect(chan); 1348 else 1349 l2cap_le_connect(chan); 1350 } 1351 } 1352 1353 static void l2cap_start_connection(struct l2cap_chan *chan) 1354 { 1355 if (chan->conn->hcon->type == LE_LINK) { 1356 l2cap_le_start(chan); 1357 } else { 1358 l2cap_send_conn_req(chan); 1359 } 1360 } 1361 1362 static void l2cap_request_info(struct l2cap_conn *conn) 1363 { 1364 struct l2cap_info_req req; 1365 1366 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1367 return; 1368 1369 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 1370 1371 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 1372 conn->info_ident = l2cap_get_ident(conn); 1373 1374 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 1375 1376 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ, 1377 sizeof(req), &req); 1378 } 1379 1380 static bool l2cap_check_enc_key_size(struct hci_conn *hcon) 1381 { 1382 /* The minimum encryption key size needs to be enforced by the 1383 * host stack before establishing any L2CAP connections. The 1384 * specification in theory allows a minimum of 1, but to align 1385 * BR/EDR and LE transports, a minimum of 7 is chosen. 1386 * 1387 * This check might also be called for unencrypted connections 1388 * that have no key size requirements. Ensure that the link is 1389 * actually encrypted before enforcing a key size. 1390 */ 1391 int min_key_size = hcon->hdev->min_enc_key_size; 1392 1393 /* On FIPS security level, key size must be 16 bytes */ 1394 if (hcon->sec_level == BT_SECURITY_FIPS) 1395 min_key_size = 16; 1396 1397 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) || 1398 hcon->enc_key_size >= min_key_size); 1399 } 1400 1401 static void l2cap_do_start(struct l2cap_chan *chan) 1402 { 1403 struct l2cap_conn *conn = chan->conn; 1404 1405 if (conn->hcon->type == LE_LINK) { 1406 l2cap_le_start(chan); 1407 return; 1408 } 1409 1410 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) { 1411 l2cap_request_info(conn); 1412 return; 1413 } 1414 1415 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 1416 return; 1417 1418 if (!l2cap_chan_check_security(chan, true) || 1419 !__l2cap_no_conn_pending(chan)) 1420 return; 1421 1422 if (l2cap_check_enc_key_size(conn->hcon)) 1423 l2cap_start_connection(chan); 1424 else 1425 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 1426 } 1427 1428 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask) 1429 { 1430 u32 local_feat_mask = l2cap_feat_mask; 1431 if (!disable_ertm) 1432 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING; 1433 1434 switch (mode) { 1435 case L2CAP_MODE_ERTM: 1436 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask; 1437 case L2CAP_MODE_STREAMING: 1438 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask; 1439 default: 1440 return 0x00; 1441 } 1442 } 1443 1444 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err) 1445 { 1446 struct l2cap_conn *conn = chan->conn; 1447 struct l2cap_disconn_req req; 1448 1449 if (!conn) 1450 return; 1451 1452 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) { 1453 __clear_retrans_timer(chan); 1454 __clear_monitor_timer(chan); 1455 __clear_ack_timer(chan); 1456 } 1457 1458 req.dcid = cpu_to_le16(chan->dcid); 1459 req.scid = cpu_to_le16(chan->scid); 1460 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ, 1461 sizeof(req), &req); 1462 1463 l2cap_state_change_and_error(chan, BT_DISCONN, err); 1464 } 1465 1466 /* ---- L2CAP connections ---- */ 1467 static void l2cap_conn_start(struct l2cap_conn *conn) 1468 { 1469 struct l2cap_chan *chan, *tmp; 1470 1471 BT_DBG("conn %p", conn); 1472 1473 mutex_lock(&conn->chan_lock); 1474 1475 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 1476 l2cap_chan_lock(chan); 1477 1478 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1479 l2cap_chan_ready(chan); 1480 l2cap_chan_unlock(chan); 1481 continue; 1482 } 1483 1484 if (chan->state == BT_CONNECT) { 1485 if (!l2cap_chan_check_security(chan, true) || 1486 !__l2cap_no_conn_pending(chan)) { 1487 l2cap_chan_unlock(chan); 1488 continue; 1489 } 1490 1491 if (!l2cap_mode_supported(chan->mode, conn->feat_mask) 1492 && test_bit(CONF_STATE2_DEVICE, 1493 &chan->conf_state)) { 1494 l2cap_chan_close(chan, ECONNRESET); 1495 l2cap_chan_unlock(chan); 1496 continue; 1497 } 1498 1499 if (l2cap_check_enc_key_size(conn->hcon)) 1500 l2cap_start_connection(chan); 1501 else 1502 l2cap_chan_close(chan, ECONNREFUSED); 1503 1504 } else if (chan->state == BT_CONNECT2) { 1505 struct l2cap_conn_rsp rsp; 1506 char buf[128]; 1507 rsp.scid = cpu_to_le16(chan->dcid); 1508 rsp.dcid = cpu_to_le16(chan->scid); 1509 1510 if (l2cap_chan_check_security(chan, false)) { 1511 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 1512 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 1513 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND); 1514 chan->ops->defer(chan); 1515 1516 } else { 1517 l2cap_state_change(chan, BT_CONFIG); 1518 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 1519 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 1520 } 1521 } else { 1522 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 1523 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND); 1524 } 1525 1526 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 1527 sizeof(rsp), &rsp); 1528 1529 if (test_bit(CONF_REQ_SENT, &chan->conf_state) || 1530 rsp.result != L2CAP_CR_SUCCESS) { 1531 l2cap_chan_unlock(chan); 1532 continue; 1533 } 1534 1535 set_bit(CONF_REQ_SENT, &chan->conf_state); 1536 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 1537 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 1538 chan->num_conf_req++; 1539 } 1540 1541 l2cap_chan_unlock(chan); 1542 } 1543 1544 mutex_unlock(&conn->chan_lock); 1545 } 1546 1547 static void l2cap_le_conn_ready(struct l2cap_conn *conn) 1548 { 1549 struct hci_conn *hcon = conn->hcon; 1550 struct hci_dev *hdev = hcon->hdev; 1551 1552 BT_DBG("%s conn %p", hdev->name, conn); 1553 1554 /* For outgoing pairing which doesn't necessarily have an 1555 * associated socket (e.g. mgmt_pair_device). 1556 */ 1557 if (hcon->out) 1558 smp_conn_security(hcon, hcon->pending_sec_level); 1559 1560 /* For LE peripheral connections, make sure the connection interval 1561 * is in the range of the minimum and maximum interval that has 1562 * been configured for this connection. If not, then trigger 1563 * the connection update procedure. 1564 */ 1565 if (hcon->role == HCI_ROLE_SLAVE && 1566 (hcon->le_conn_interval < hcon->le_conn_min_interval || 1567 hcon->le_conn_interval > hcon->le_conn_max_interval)) { 1568 struct l2cap_conn_param_update_req req; 1569 1570 req.min = cpu_to_le16(hcon->le_conn_min_interval); 1571 req.max = cpu_to_le16(hcon->le_conn_max_interval); 1572 req.latency = cpu_to_le16(hcon->le_conn_latency); 1573 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout); 1574 1575 l2cap_send_cmd(conn, l2cap_get_ident(conn), 1576 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req); 1577 } 1578 } 1579 1580 static void l2cap_conn_ready(struct l2cap_conn *conn) 1581 { 1582 struct l2cap_chan *chan; 1583 struct hci_conn *hcon = conn->hcon; 1584 1585 BT_DBG("conn %p", conn); 1586 1587 if (hcon->type == ACL_LINK) 1588 l2cap_request_info(conn); 1589 1590 mutex_lock(&conn->chan_lock); 1591 1592 list_for_each_entry(chan, &conn->chan_l, list) { 1593 1594 l2cap_chan_lock(chan); 1595 1596 if (hcon->type == LE_LINK) { 1597 l2cap_le_start(chan); 1598 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1599 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 1600 l2cap_chan_ready(chan); 1601 } else if (chan->state == BT_CONNECT) { 1602 l2cap_do_start(chan); 1603 } 1604 1605 l2cap_chan_unlock(chan); 1606 } 1607 1608 mutex_unlock(&conn->chan_lock); 1609 1610 if (hcon->type == LE_LINK) 1611 l2cap_le_conn_ready(conn); 1612 1613 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work); 1614 } 1615 1616 /* Notify sockets that we cannot guaranty reliability anymore */ 1617 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err) 1618 { 1619 struct l2cap_chan *chan; 1620 1621 BT_DBG("conn %p", conn); 1622 1623 mutex_lock(&conn->chan_lock); 1624 1625 list_for_each_entry(chan, &conn->chan_l, list) { 1626 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 1627 l2cap_chan_set_err(chan, err); 1628 } 1629 1630 mutex_unlock(&conn->chan_lock); 1631 } 1632 1633 static void l2cap_info_timeout(struct work_struct *work) 1634 { 1635 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 1636 info_timer.work); 1637 1638 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 1639 conn->info_ident = 0; 1640 1641 l2cap_conn_start(conn); 1642 } 1643 1644 /* 1645 * l2cap_user 1646 * External modules can register l2cap_user objects on l2cap_conn. The ->probe 1647 * callback is called during registration. The ->remove callback is called 1648 * during unregistration. 1649 * An l2cap_user object can either be explicitly unregistered or when the 1650 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon, 1651 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called. 1652 * External modules must own a reference to the l2cap_conn object if they intend 1653 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at 1654 * any time if they don't. 1655 */ 1656 1657 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) 1658 { 1659 struct hci_dev *hdev = conn->hcon->hdev; 1660 int ret; 1661 1662 /* We need to check whether l2cap_conn is registered. If it is not, we 1663 * must not register the l2cap_user. l2cap_conn_del() is unregisters 1664 * l2cap_conn objects, but doesn't provide its own locking. Instead, it 1665 * relies on the parent hci_conn object to be locked. This itself relies 1666 * on the hci_dev object to be locked. So we must lock the hci device 1667 * here, too. */ 1668 1669 hci_dev_lock(hdev); 1670 1671 if (!list_empty(&user->list)) { 1672 ret = -EINVAL; 1673 goto out_unlock; 1674 } 1675 1676 /* conn->hchan is NULL after l2cap_conn_del() was called */ 1677 if (!conn->hchan) { 1678 ret = -ENODEV; 1679 goto out_unlock; 1680 } 1681 1682 ret = user->probe(conn, user); 1683 if (ret) 1684 goto out_unlock; 1685 1686 list_add(&user->list, &conn->users); 1687 ret = 0; 1688 1689 out_unlock: 1690 hci_dev_unlock(hdev); 1691 return ret; 1692 } 1693 EXPORT_SYMBOL(l2cap_register_user); 1694 1695 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) 1696 { 1697 struct hci_dev *hdev = conn->hcon->hdev; 1698 1699 hci_dev_lock(hdev); 1700 1701 if (list_empty(&user->list)) 1702 goto out_unlock; 1703 1704 list_del_init(&user->list); 1705 user->remove(conn, user); 1706 1707 out_unlock: 1708 hci_dev_unlock(hdev); 1709 } 1710 EXPORT_SYMBOL(l2cap_unregister_user); 1711 1712 static void l2cap_unregister_all_users(struct l2cap_conn *conn) 1713 { 1714 struct l2cap_user *user; 1715 1716 while (!list_empty(&conn->users)) { 1717 user = list_first_entry(&conn->users, struct l2cap_user, list); 1718 list_del_init(&user->list); 1719 user->remove(conn, user); 1720 } 1721 } 1722 1723 static void l2cap_conn_del(struct hci_conn *hcon, int err) 1724 { 1725 struct l2cap_conn *conn = hcon->l2cap_data; 1726 struct l2cap_chan *chan, *l; 1727 1728 if (!conn) 1729 return; 1730 1731 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 1732 1733 kfree_skb(conn->rx_skb); 1734 1735 skb_queue_purge(&conn->pending_rx); 1736 1737 /* We can not call flush_work(&conn->pending_rx_work) here since we 1738 * might block if we are running on a worker from the same workqueue 1739 * pending_rx_work is waiting on. 1740 */ 1741 if (work_pending(&conn->pending_rx_work)) 1742 cancel_work_sync(&conn->pending_rx_work); 1743 1744 cancel_delayed_work_sync(&conn->id_addr_timer); 1745 1746 l2cap_unregister_all_users(conn); 1747 1748 /* Force the connection to be immediately dropped */ 1749 hcon->disc_timeout = 0; 1750 1751 mutex_lock(&conn->chan_lock); 1752 1753 /* Kill channels */ 1754 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 1755 l2cap_chan_hold(chan); 1756 l2cap_chan_lock(chan); 1757 1758 l2cap_chan_del(chan, err); 1759 1760 chan->ops->close(chan); 1761 1762 l2cap_chan_unlock(chan); 1763 l2cap_chan_put(chan); 1764 } 1765 1766 mutex_unlock(&conn->chan_lock); 1767 1768 hci_chan_del(conn->hchan); 1769 1770 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1771 cancel_delayed_work_sync(&conn->info_timer); 1772 1773 hcon->l2cap_data = NULL; 1774 conn->hchan = NULL; 1775 l2cap_conn_put(conn); 1776 } 1777 1778 static void l2cap_conn_free(struct kref *ref) 1779 { 1780 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref); 1781 1782 hci_conn_put(conn->hcon); 1783 kfree(conn); 1784 } 1785 1786 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn) 1787 { 1788 kref_get(&conn->ref); 1789 return conn; 1790 } 1791 EXPORT_SYMBOL(l2cap_conn_get); 1792 1793 void l2cap_conn_put(struct l2cap_conn *conn) 1794 { 1795 kref_put(&conn->ref, l2cap_conn_free); 1796 } 1797 EXPORT_SYMBOL(l2cap_conn_put); 1798 1799 /* ---- Socket interface ---- */ 1800 1801 /* Find socket with psm and source / destination bdaddr. 1802 * Returns closest match. 1803 */ 1804 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, 1805 bdaddr_t *src, 1806 bdaddr_t *dst, 1807 u8 link_type) 1808 { 1809 struct l2cap_chan *c, *tmp, *c1 = NULL; 1810 1811 read_lock(&chan_list_lock); 1812 1813 list_for_each_entry_safe(c, tmp, &chan_list, global_l) { 1814 if (state && c->state != state) 1815 continue; 1816 1817 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR) 1818 continue; 1819 1820 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR) 1821 continue; 1822 1823 if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) { 1824 int src_match, dst_match; 1825 int src_any, dst_any; 1826 1827 /* Exact match. */ 1828 src_match = !bacmp(&c->src, src); 1829 dst_match = !bacmp(&c->dst, dst); 1830 if (src_match && dst_match) { 1831 if (!l2cap_chan_hold_unless_zero(c)) 1832 continue; 1833 1834 read_unlock(&chan_list_lock); 1835 return c; 1836 } 1837 1838 /* Closest match */ 1839 src_any = !bacmp(&c->src, BDADDR_ANY); 1840 dst_any = !bacmp(&c->dst, BDADDR_ANY); 1841 if ((src_match && dst_any) || (src_any && dst_match) || 1842 (src_any && dst_any)) 1843 c1 = c; 1844 } 1845 } 1846 1847 if (c1) 1848 c1 = l2cap_chan_hold_unless_zero(c1); 1849 1850 read_unlock(&chan_list_lock); 1851 1852 return c1; 1853 } 1854 1855 static void l2cap_monitor_timeout(struct work_struct *work) 1856 { 1857 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1858 monitor_timer.work); 1859 1860 BT_DBG("chan %p", chan); 1861 1862 l2cap_chan_lock(chan); 1863 1864 if (!chan->conn) { 1865 l2cap_chan_unlock(chan); 1866 l2cap_chan_put(chan); 1867 return; 1868 } 1869 1870 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO); 1871 1872 l2cap_chan_unlock(chan); 1873 l2cap_chan_put(chan); 1874 } 1875 1876 static void l2cap_retrans_timeout(struct work_struct *work) 1877 { 1878 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1879 retrans_timer.work); 1880 1881 BT_DBG("chan %p", chan); 1882 1883 l2cap_chan_lock(chan); 1884 1885 if (!chan->conn) { 1886 l2cap_chan_unlock(chan); 1887 l2cap_chan_put(chan); 1888 return; 1889 } 1890 1891 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO); 1892 l2cap_chan_unlock(chan); 1893 l2cap_chan_put(chan); 1894 } 1895 1896 static void l2cap_streaming_send(struct l2cap_chan *chan, 1897 struct sk_buff_head *skbs) 1898 { 1899 struct sk_buff *skb; 1900 struct l2cap_ctrl *control; 1901 1902 BT_DBG("chan %p, skbs %p", chan, skbs); 1903 1904 skb_queue_splice_tail_init(skbs, &chan->tx_q); 1905 1906 while (!skb_queue_empty(&chan->tx_q)) { 1907 1908 skb = skb_dequeue(&chan->tx_q); 1909 1910 bt_cb(skb)->l2cap.retries = 1; 1911 control = &bt_cb(skb)->l2cap; 1912 1913 control->reqseq = 0; 1914 control->txseq = chan->next_tx_seq; 1915 1916 __pack_control(chan, control, skb); 1917 1918 if (chan->fcs == L2CAP_FCS_CRC16) { 1919 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 1920 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1921 } 1922 1923 l2cap_do_send(chan, skb); 1924 1925 BT_DBG("Sent txseq %u", control->txseq); 1926 1927 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 1928 chan->frames_sent++; 1929 } 1930 } 1931 1932 static int l2cap_ertm_send(struct l2cap_chan *chan) 1933 { 1934 struct sk_buff *skb, *tx_skb; 1935 struct l2cap_ctrl *control; 1936 int sent = 0; 1937 1938 BT_DBG("chan %p", chan); 1939 1940 if (chan->state != BT_CONNECTED) 1941 return -ENOTCONN; 1942 1943 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 1944 return 0; 1945 1946 while (chan->tx_send_head && 1947 chan->unacked_frames < chan->remote_tx_win && 1948 chan->tx_state == L2CAP_TX_STATE_XMIT) { 1949 1950 skb = chan->tx_send_head; 1951 1952 bt_cb(skb)->l2cap.retries = 1; 1953 control = &bt_cb(skb)->l2cap; 1954 1955 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 1956 control->final = 1; 1957 1958 control->reqseq = chan->buffer_seq; 1959 chan->last_acked_seq = chan->buffer_seq; 1960 control->txseq = chan->next_tx_seq; 1961 1962 __pack_control(chan, control, skb); 1963 1964 if (chan->fcs == L2CAP_FCS_CRC16) { 1965 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 1966 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1967 } 1968 1969 /* Clone after data has been modified. Data is assumed to be 1970 read-only (for locking purposes) on cloned sk_buffs. 1971 */ 1972 tx_skb = skb_clone(skb, GFP_KERNEL); 1973 1974 if (!tx_skb) 1975 break; 1976 1977 __set_retrans_timer(chan); 1978 1979 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 1980 chan->unacked_frames++; 1981 chan->frames_sent++; 1982 sent++; 1983 1984 if (skb_queue_is_last(&chan->tx_q, skb)) 1985 chan->tx_send_head = NULL; 1986 else 1987 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb); 1988 1989 l2cap_do_send(chan, tx_skb); 1990 BT_DBG("Sent txseq %u", control->txseq); 1991 } 1992 1993 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent, 1994 chan->unacked_frames, skb_queue_len(&chan->tx_q)); 1995 1996 return sent; 1997 } 1998 1999 static void l2cap_ertm_resend(struct l2cap_chan *chan) 2000 { 2001 struct l2cap_ctrl control; 2002 struct sk_buff *skb; 2003 struct sk_buff *tx_skb; 2004 u16 seq; 2005 2006 BT_DBG("chan %p", chan); 2007 2008 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2009 return; 2010 2011 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) { 2012 seq = l2cap_seq_list_pop(&chan->retrans_list); 2013 2014 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq); 2015 if (!skb) { 2016 BT_DBG("Error: Can't retransmit seq %d, frame missing", 2017 seq); 2018 continue; 2019 } 2020 2021 bt_cb(skb)->l2cap.retries++; 2022 control = bt_cb(skb)->l2cap; 2023 2024 if (chan->max_tx != 0 && 2025 bt_cb(skb)->l2cap.retries > chan->max_tx) { 2026 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 2027 l2cap_send_disconn_req(chan, ECONNRESET); 2028 l2cap_seq_list_clear(&chan->retrans_list); 2029 break; 2030 } 2031 2032 control.reqseq = chan->buffer_seq; 2033 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 2034 control.final = 1; 2035 else 2036 control.final = 0; 2037 2038 if (skb_cloned(skb)) { 2039 /* Cloned sk_buffs are read-only, so we need a 2040 * writeable copy 2041 */ 2042 tx_skb = skb_copy(skb, GFP_KERNEL); 2043 } else { 2044 tx_skb = skb_clone(skb, GFP_KERNEL); 2045 } 2046 2047 if (!tx_skb) { 2048 l2cap_seq_list_clear(&chan->retrans_list); 2049 break; 2050 } 2051 2052 /* Update skb contents */ 2053 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 2054 put_unaligned_le32(__pack_extended_control(&control), 2055 tx_skb->data + L2CAP_HDR_SIZE); 2056 } else { 2057 put_unaligned_le16(__pack_enhanced_control(&control), 2058 tx_skb->data + L2CAP_HDR_SIZE); 2059 } 2060 2061 /* Update FCS */ 2062 if (chan->fcs == L2CAP_FCS_CRC16) { 2063 u16 fcs = crc16(0, (u8 *) tx_skb->data, 2064 tx_skb->len - L2CAP_FCS_SIZE); 2065 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) - 2066 L2CAP_FCS_SIZE); 2067 } 2068 2069 l2cap_do_send(chan, tx_skb); 2070 2071 BT_DBG("Resent txseq %d", control.txseq); 2072 2073 chan->last_acked_seq = chan->buffer_seq; 2074 } 2075 } 2076 2077 static void l2cap_retransmit(struct l2cap_chan *chan, 2078 struct l2cap_ctrl *control) 2079 { 2080 BT_DBG("chan %p, control %p", chan, control); 2081 2082 l2cap_seq_list_append(&chan->retrans_list, control->reqseq); 2083 l2cap_ertm_resend(chan); 2084 } 2085 2086 static void l2cap_retransmit_all(struct l2cap_chan *chan, 2087 struct l2cap_ctrl *control) 2088 { 2089 struct sk_buff *skb; 2090 2091 BT_DBG("chan %p, control %p", chan, control); 2092 2093 if (control->poll) 2094 set_bit(CONN_SEND_FBIT, &chan->conn_state); 2095 2096 l2cap_seq_list_clear(&chan->retrans_list); 2097 2098 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2099 return; 2100 2101 if (chan->unacked_frames) { 2102 skb_queue_walk(&chan->tx_q, skb) { 2103 if (bt_cb(skb)->l2cap.txseq == control->reqseq || 2104 skb == chan->tx_send_head) 2105 break; 2106 } 2107 2108 skb_queue_walk_from(&chan->tx_q, skb) { 2109 if (skb == chan->tx_send_head) 2110 break; 2111 2112 l2cap_seq_list_append(&chan->retrans_list, 2113 bt_cb(skb)->l2cap.txseq); 2114 } 2115 2116 l2cap_ertm_resend(chan); 2117 } 2118 } 2119 2120 static void l2cap_send_ack(struct l2cap_chan *chan) 2121 { 2122 struct l2cap_ctrl control; 2123 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 2124 chan->last_acked_seq); 2125 int threshold; 2126 2127 BT_DBG("chan %p last_acked_seq %d buffer_seq %d", 2128 chan, chan->last_acked_seq, chan->buffer_seq); 2129 2130 memset(&control, 0, sizeof(control)); 2131 control.sframe = 1; 2132 2133 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 2134 chan->rx_state == L2CAP_RX_STATE_RECV) { 2135 __clear_ack_timer(chan); 2136 control.super = L2CAP_SUPER_RNR; 2137 control.reqseq = chan->buffer_seq; 2138 l2cap_send_sframe(chan, &control); 2139 } else { 2140 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) { 2141 l2cap_ertm_send(chan); 2142 /* If any i-frames were sent, they included an ack */ 2143 if (chan->buffer_seq == chan->last_acked_seq) 2144 frames_to_ack = 0; 2145 } 2146 2147 /* Ack now if the window is 3/4ths full. 2148 * Calculate without mul or div 2149 */ 2150 threshold = chan->ack_win; 2151 threshold += threshold << 1; 2152 threshold >>= 2; 2153 2154 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack, 2155 threshold); 2156 2157 if (frames_to_ack >= threshold) { 2158 __clear_ack_timer(chan); 2159 control.super = L2CAP_SUPER_RR; 2160 control.reqseq = chan->buffer_seq; 2161 l2cap_send_sframe(chan, &control); 2162 frames_to_ack = 0; 2163 } 2164 2165 if (frames_to_ack) 2166 __set_ack_timer(chan); 2167 } 2168 } 2169 2170 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, 2171 struct msghdr *msg, int len, 2172 int count, struct sk_buff *skb) 2173 { 2174 struct l2cap_conn *conn = chan->conn; 2175 struct sk_buff **frag; 2176 int sent = 0; 2177 2178 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter)) 2179 return -EFAULT; 2180 2181 sent += count; 2182 len -= count; 2183 2184 /* Continuation fragments (no L2CAP header) */ 2185 frag = &skb_shinfo(skb)->frag_list; 2186 while (len) { 2187 struct sk_buff *tmp; 2188 2189 count = min_t(unsigned int, conn->mtu, len); 2190 2191 tmp = chan->ops->alloc_skb(chan, 0, count, 2192 msg->msg_flags & MSG_DONTWAIT); 2193 if (IS_ERR(tmp)) 2194 return PTR_ERR(tmp); 2195 2196 *frag = tmp; 2197 2198 if (!copy_from_iter_full(skb_put(*frag, count), count, 2199 &msg->msg_iter)) 2200 return -EFAULT; 2201 2202 sent += count; 2203 len -= count; 2204 2205 skb->len += (*frag)->len; 2206 skb->data_len += (*frag)->len; 2207 2208 frag = &(*frag)->next; 2209 } 2210 2211 return sent; 2212 } 2213 2214 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, 2215 struct msghdr *msg, size_t len) 2216 { 2217 struct l2cap_conn *conn = chan->conn; 2218 struct sk_buff *skb; 2219 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE; 2220 struct l2cap_hdr *lh; 2221 2222 BT_DBG("chan %p psm 0x%2.2x len %zu", chan, 2223 __le16_to_cpu(chan->psm), len); 2224 2225 count = min_t(unsigned int, (conn->mtu - hlen), len); 2226 2227 skb = chan->ops->alloc_skb(chan, hlen, count, 2228 msg->msg_flags & MSG_DONTWAIT); 2229 if (IS_ERR(skb)) 2230 return skb; 2231 2232 /* Create L2CAP header */ 2233 lh = skb_put(skb, L2CAP_HDR_SIZE); 2234 lh->cid = cpu_to_le16(chan->dcid); 2235 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE); 2236 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE)); 2237 2238 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2239 if (unlikely(err < 0)) { 2240 kfree_skb(skb); 2241 return ERR_PTR(err); 2242 } 2243 return skb; 2244 } 2245 2246 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, 2247 struct msghdr *msg, size_t len) 2248 { 2249 struct l2cap_conn *conn = chan->conn; 2250 struct sk_buff *skb; 2251 int err, count; 2252 struct l2cap_hdr *lh; 2253 2254 BT_DBG("chan %p len %zu", chan, len); 2255 2256 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len); 2257 2258 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count, 2259 msg->msg_flags & MSG_DONTWAIT); 2260 if (IS_ERR(skb)) 2261 return skb; 2262 2263 /* Create L2CAP header */ 2264 lh = skb_put(skb, L2CAP_HDR_SIZE); 2265 lh->cid = cpu_to_le16(chan->dcid); 2266 lh->len = cpu_to_le16(len); 2267 2268 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2269 if (unlikely(err < 0)) { 2270 kfree_skb(skb); 2271 return ERR_PTR(err); 2272 } 2273 return skb; 2274 } 2275 2276 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, 2277 struct msghdr *msg, size_t len, 2278 u16 sdulen) 2279 { 2280 struct l2cap_conn *conn = chan->conn; 2281 struct sk_buff *skb; 2282 int err, count, hlen; 2283 struct l2cap_hdr *lh; 2284 2285 BT_DBG("chan %p len %zu", chan, len); 2286 2287 if (!conn) 2288 return ERR_PTR(-ENOTCONN); 2289 2290 hlen = __ertm_hdr_size(chan); 2291 2292 if (sdulen) 2293 hlen += L2CAP_SDULEN_SIZE; 2294 2295 if (chan->fcs == L2CAP_FCS_CRC16) 2296 hlen += L2CAP_FCS_SIZE; 2297 2298 count = min_t(unsigned int, (conn->mtu - hlen), len); 2299 2300 skb = chan->ops->alloc_skb(chan, hlen, count, 2301 msg->msg_flags & MSG_DONTWAIT); 2302 if (IS_ERR(skb)) 2303 return skb; 2304 2305 /* Create L2CAP header */ 2306 lh = skb_put(skb, L2CAP_HDR_SIZE); 2307 lh->cid = cpu_to_le16(chan->dcid); 2308 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2309 2310 /* Control header is populated later */ 2311 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 2312 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 2313 else 2314 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 2315 2316 if (sdulen) 2317 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2318 2319 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2320 if (unlikely(err < 0)) { 2321 kfree_skb(skb); 2322 return ERR_PTR(err); 2323 } 2324 2325 bt_cb(skb)->l2cap.fcs = chan->fcs; 2326 bt_cb(skb)->l2cap.retries = 0; 2327 return skb; 2328 } 2329 2330 static int l2cap_segment_sdu(struct l2cap_chan *chan, 2331 struct sk_buff_head *seg_queue, 2332 struct msghdr *msg, size_t len) 2333 { 2334 struct sk_buff *skb; 2335 u16 sdu_len; 2336 size_t pdu_len; 2337 u8 sar; 2338 2339 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2340 2341 /* It is critical that ERTM PDUs fit in a single HCI fragment, 2342 * so fragmented skbs are not used. The HCI layer's handling 2343 * of fragmented skbs is not compatible with ERTM's queueing. 2344 */ 2345 2346 /* PDU size is derived from the HCI MTU */ 2347 pdu_len = chan->conn->mtu; 2348 2349 /* Constrain PDU size for BR/EDR connections */ 2350 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD); 2351 2352 /* Adjust for largest possible L2CAP overhead. */ 2353 if (chan->fcs) 2354 pdu_len -= L2CAP_FCS_SIZE; 2355 2356 pdu_len -= __ertm_hdr_size(chan); 2357 2358 /* Remote device may have requested smaller PDUs */ 2359 pdu_len = min_t(size_t, pdu_len, chan->remote_mps); 2360 2361 if (len <= pdu_len) { 2362 sar = L2CAP_SAR_UNSEGMENTED; 2363 sdu_len = 0; 2364 pdu_len = len; 2365 } else { 2366 sar = L2CAP_SAR_START; 2367 sdu_len = len; 2368 } 2369 2370 while (len > 0) { 2371 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len); 2372 2373 if (IS_ERR(skb)) { 2374 __skb_queue_purge(seg_queue); 2375 return PTR_ERR(skb); 2376 } 2377 2378 bt_cb(skb)->l2cap.sar = sar; 2379 __skb_queue_tail(seg_queue, skb); 2380 2381 len -= pdu_len; 2382 if (sdu_len) 2383 sdu_len = 0; 2384 2385 if (len <= pdu_len) { 2386 sar = L2CAP_SAR_END; 2387 pdu_len = len; 2388 } else { 2389 sar = L2CAP_SAR_CONTINUE; 2390 } 2391 } 2392 2393 return 0; 2394 } 2395 2396 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan, 2397 struct msghdr *msg, 2398 size_t len, u16 sdulen) 2399 { 2400 struct l2cap_conn *conn = chan->conn; 2401 struct sk_buff *skb; 2402 int err, count, hlen; 2403 struct l2cap_hdr *lh; 2404 2405 BT_DBG("chan %p len %zu", chan, len); 2406 2407 if (!conn) 2408 return ERR_PTR(-ENOTCONN); 2409 2410 hlen = L2CAP_HDR_SIZE; 2411 2412 if (sdulen) 2413 hlen += L2CAP_SDULEN_SIZE; 2414 2415 count = min_t(unsigned int, (conn->mtu - hlen), len); 2416 2417 skb = chan->ops->alloc_skb(chan, hlen, count, 2418 msg->msg_flags & MSG_DONTWAIT); 2419 if (IS_ERR(skb)) 2420 return skb; 2421 2422 /* Create L2CAP header */ 2423 lh = skb_put(skb, L2CAP_HDR_SIZE); 2424 lh->cid = cpu_to_le16(chan->dcid); 2425 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2426 2427 if (sdulen) 2428 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2429 2430 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2431 if (unlikely(err < 0)) { 2432 kfree_skb(skb); 2433 return ERR_PTR(err); 2434 } 2435 2436 return skb; 2437 } 2438 2439 static int l2cap_segment_le_sdu(struct l2cap_chan *chan, 2440 struct sk_buff_head *seg_queue, 2441 struct msghdr *msg, size_t len) 2442 { 2443 struct sk_buff *skb; 2444 size_t pdu_len; 2445 u16 sdu_len; 2446 2447 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2448 2449 sdu_len = len; 2450 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE; 2451 2452 while (len > 0) { 2453 if (len <= pdu_len) 2454 pdu_len = len; 2455 2456 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len); 2457 if (IS_ERR(skb)) { 2458 __skb_queue_purge(seg_queue); 2459 return PTR_ERR(skb); 2460 } 2461 2462 __skb_queue_tail(seg_queue, skb); 2463 2464 len -= pdu_len; 2465 2466 if (sdu_len) { 2467 sdu_len = 0; 2468 pdu_len += L2CAP_SDULEN_SIZE; 2469 } 2470 } 2471 2472 return 0; 2473 } 2474 2475 static void l2cap_le_flowctl_send(struct l2cap_chan *chan) 2476 { 2477 int sent = 0; 2478 2479 BT_DBG("chan %p", chan); 2480 2481 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) { 2482 l2cap_do_send(chan, skb_dequeue(&chan->tx_q)); 2483 chan->tx_credits--; 2484 sent++; 2485 } 2486 2487 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits, 2488 skb_queue_len(&chan->tx_q)); 2489 } 2490 2491 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) 2492 { 2493 struct sk_buff *skb; 2494 int err; 2495 struct sk_buff_head seg_queue; 2496 2497 if (!chan->conn) 2498 return -ENOTCONN; 2499 2500 /* Connectionless channel */ 2501 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) { 2502 skb = l2cap_create_connless_pdu(chan, msg, len); 2503 if (IS_ERR(skb)) 2504 return PTR_ERR(skb); 2505 2506 l2cap_do_send(chan, skb); 2507 return len; 2508 } 2509 2510 switch (chan->mode) { 2511 case L2CAP_MODE_LE_FLOWCTL: 2512 case L2CAP_MODE_EXT_FLOWCTL: 2513 /* Check outgoing MTU */ 2514 if (len > chan->omtu) 2515 return -EMSGSIZE; 2516 2517 __skb_queue_head_init(&seg_queue); 2518 2519 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len); 2520 2521 if (chan->state != BT_CONNECTED) { 2522 __skb_queue_purge(&seg_queue); 2523 err = -ENOTCONN; 2524 } 2525 2526 if (err) 2527 return err; 2528 2529 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q); 2530 2531 l2cap_le_flowctl_send(chan); 2532 2533 if (!chan->tx_credits) 2534 chan->ops->suspend(chan); 2535 2536 err = len; 2537 2538 break; 2539 2540 case L2CAP_MODE_BASIC: 2541 /* Check outgoing MTU */ 2542 if (len > chan->omtu) 2543 return -EMSGSIZE; 2544 2545 /* Create a basic PDU */ 2546 skb = l2cap_create_basic_pdu(chan, msg, len); 2547 if (IS_ERR(skb)) 2548 return PTR_ERR(skb); 2549 2550 l2cap_do_send(chan, skb); 2551 err = len; 2552 break; 2553 2554 case L2CAP_MODE_ERTM: 2555 case L2CAP_MODE_STREAMING: 2556 /* Check outgoing MTU */ 2557 if (len > chan->omtu) { 2558 err = -EMSGSIZE; 2559 break; 2560 } 2561 2562 __skb_queue_head_init(&seg_queue); 2563 2564 /* Do segmentation before calling in to the state machine, 2565 * since it's possible to block while waiting for memory 2566 * allocation. 2567 */ 2568 err = l2cap_segment_sdu(chan, &seg_queue, msg, len); 2569 2570 if (err) 2571 break; 2572 2573 if (chan->mode == L2CAP_MODE_ERTM) 2574 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST); 2575 else 2576 l2cap_streaming_send(chan, &seg_queue); 2577 2578 err = len; 2579 2580 /* If the skbs were not queued for sending, they'll still be in 2581 * seg_queue and need to be purged. 2582 */ 2583 __skb_queue_purge(&seg_queue); 2584 break; 2585 2586 default: 2587 BT_DBG("bad state %1.1x", chan->mode); 2588 err = -EBADFD; 2589 } 2590 2591 return err; 2592 } 2593 EXPORT_SYMBOL_GPL(l2cap_chan_send); 2594 2595 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq) 2596 { 2597 struct l2cap_ctrl control; 2598 u16 seq; 2599 2600 BT_DBG("chan %p, txseq %u", chan, txseq); 2601 2602 memset(&control, 0, sizeof(control)); 2603 control.sframe = 1; 2604 control.super = L2CAP_SUPER_SREJ; 2605 2606 for (seq = chan->expected_tx_seq; seq != txseq; 2607 seq = __next_seq(chan, seq)) { 2608 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) { 2609 control.reqseq = seq; 2610 l2cap_send_sframe(chan, &control); 2611 l2cap_seq_list_append(&chan->srej_list, seq); 2612 } 2613 } 2614 2615 chan->expected_tx_seq = __next_seq(chan, txseq); 2616 } 2617 2618 static void l2cap_send_srej_tail(struct l2cap_chan *chan) 2619 { 2620 struct l2cap_ctrl control; 2621 2622 BT_DBG("chan %p", chan); 2623 2624 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR) 2625 return; 2626 2627 memset(&control, 0, sizeof(control)); 2628 control.sframe = 1; 2629 control.super = L2CAP_SUPER_SREJ; 2630 control.reqseq = chan->srej_list.tail; 2631 l2cap_send_sframe(chan, &control); 2632 } 2633 2634 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq) 2635 { 2636 struct l2cap_ctrl control; 2637 u16 initial_head; 2638 u16 seq; 2639 2640 BT_DBG("chan %p, txseq %u", chan, txseq); 2641 2642 memset(&control, 0, sizeof(control)); 2643 control.sframe = 1; 2644 control.super = L2CAP_SUPER_SREJ; 2645 2646 /* Capture initial list head to allow only one pass through the list. */ 2647 initial_head = chan->srej_list.head; 2648 2649 do { 2650 seq = l2cap_seq_list_pop(&chan->srej_list); 2651 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR) 2652 break; 2653 2654 control.reqseq = seq; 2655 l2cap_send_sframe(chan, &control); 2656 l2cap_seq_list_append(&chan->srej_list, seq); 2657 } while (chan->srej_list.head != initial_head); 2658 } 2659 2660 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq) 2661 { 2662 struct sk_buff *acked_skb; 2663 u16 ackseq; 2664 2665 BT_DBG("chan %p, reqseq %u", chan, reqseq); 2666 2667 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq) 2668 return; 2669 2670 BT_DBG("expected_ack_seq %u, unacked_frames %u", 2671 chan->expected_ack_seq, chan->unacked_frames); 2672 2673 for (ackseq = chan->expected_ack_seq; ackseq != reqseq; 2674 ackseq = __next_seq(chan, ackseq)) { 2675 2676 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq); 2677 if (acked_skb) { 2678 skb_unlink(acked_skb, &chan->tx_q); 2679 kfree_skb(acked_skb); 2680 chan->unacked_frames--; 2681 } 2682 } 2683 2684 chan->expected_ack_seq = reqseq; 2685 2686 if (chan->unacked_frames == 0) 2687 __clear_retrans_timer(chan); 2688 2689 BT_DBG("unacked_frames %u", chan->unacked_frames); 2690 } 2691 2692 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan) 2693 { 2694 BT_DBG("chan %p", chan); 2695 2696 chan->expected_tx_seq = chan->buffer_seq; 2697 l2cap_seq_list_clear(&chan->srej_list); 2698 skb_queue_purge(&chan->srej_q); 2699 chan->rx_state = L2CAP_RX_STATE_RECV; 2700 } 2701 2702 static void l2cap_tx_state_xmit(struct l2cap_chan *chan, 2703 struct l2cap_ctrl *control, 2704 struct sk_buff_head *skbs, u8 event) 2705 { 2706 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2707 event); 2708 2709 switch (event) { 2710 case L2CAP_EV_DATA_REQUEST: 2711 if (chan->tx_send_head == NULL) 2712 chan->tx_send_head = skb_peek(skbs); 2713 2714 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2715 l2cap_ertm_send(chan); 2716 break; 2717 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2718 BT_DBG("Enter LOCAL_BUSY"); 2719 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2720 2721 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2722 /* The SREJ_SENT state must be aborted if we are to 2723 * enter the LOCAL_BUSY state. 2724 */ 2725 l2cap_abort_rx_srej_sent(chan); 2726 } 2727 2728 l2cap_send_ack(chan); 2729 2730 break; 2731 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2732 BT_DBG("Exit LOCAL_BUSY"); 2733 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2734 2735 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2736 struct l2cap_ctrl local_control; 2737 2738 memset(&local_control, 0, sizeof(local_control)); 2739 local_control.sframe = 1; 2740 local_control.super = L2CAP_SUPER_RR; 2741 local_control.poll = 1; 2742 local_control.reqseq = chan->buffer_seq; 2743 l2cap_send_sframe(chan, &local_control); 2744 2745 chan->retry_count = 1; 2746 __set_monitor_timer(chan); 2747 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2748 } 2749 break; 2750 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2751 l2cap_process_reqseq(chan, control->reqseq); 2752 break; 2753 case L2CAP_EV_EXPLICIT_POLL: 2754 l2cap_send_rr_or_rnr(chan, 1); 2755 chan->retry_count = 1; 2756 __set_monitor_timer(chan); 2757 __clear_ack_timer(chan); 2758 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2759 break; 2760 case L2CAP_EV_RETRANS_TO: 2761 l2cap_send_rr_or_rnr(chan, 1); 2762 chan->retry_count = 1; 2763 __set_monitor_timer(chan); 2764 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2765 break; 2766 case L2CAP_EV_RECV_FBIT: 2767 /* Nothing to process */ 2768 break; 2769 default: 2770 break; 2771 } 2772 } 2773 2774 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan, 2775 struct l2cap_ctrl *control, 2776 struct sk_buff_head *skbs, u8 event) 2777 { 2778 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2779 event); 2780 2781 switch (event) { 2782 case L2CAP_EV_DATA_REQUEST: 2783 if (chan->tx_send_head == NULL) 2784 chan->tx_send_head = skb_peek(skbs); 2785 /* Queue data, but don't send. */ 2786 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2787 break; 2788 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2789 BT_DBG("Enter LOCAL_BUSY"); 2790 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2791 2792 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2793 /* The SREJ_SENT state must be aborted if we are to 2794 * enter the LOCAL_BUSY state. 2795 */ 2796 l2cap_abort_rx_srej_sent(chan); 2797 } 2798 2799 l2cap_send_ack(chan); 2800 2801 break; 2802 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2803 BT_DBG("Exit LOCAL_BUSY"); 2804 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2805 2806 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2807 struct l2cap_ctrl local_control; 2808 memset(&local_control, 0, sizeof(local_control)); 2809 local_control.sframe = 1; 2810 local_control.super = L2CAP_SUPER_RR; 2811 local_control.poll = 1; 2812 local_control.reqseq = chan->buffer_seq; 2813 l2cap_send_sframe(chan, &local_control); 2814 2815 chan->retry_count = 1; 2816 __set_monitor_timer(chan); 2817 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2818 } 2819 break; 2820 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2821 l2cap_process_reqseq(chan, control->reqseq); 2822 fallthrough; 2823 2824 case L2CAP_EV_RECV_FBIT: 2825 if (control && control->final) { 2826 __clear_monitor_timer(chan); 2827 if (chan->unacked_frames > 0) 2828 __set_retrans_timer(chan); 2829 chan->retry_count = 0; 2830 chan->tx_state = L2CAP_TX_STATE_XMIT; 2831 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state); 2832 } 2833 break; 2834 case L2CAP_EV_EXPLICIT_POLL: 2835 /* Ignore */ 2836 break; 2837 case L2CAP_EV_MONITOR_TO: 2838 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) { 2839 l2cap_send_rr_or_rnr(chan, 1); 2840 __set_monitor_timer(chan); 2841 chan->retry_count++; 2842 } else { 2843 l2cap_send_disconn_req(chan, ECONNABORTED); 2844 } 2845 break; 2846 default: 2847 break; 2848 } 2849 } 2850 2851 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 2852 struct sk_buff_head *skbs, u8 event) 2853 { 2854 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d", 2855 chan, control, skbs, event, chan->tx_state); 2856 2857 switch (chan->tx_state) { 2858 case L2CAP_TX_STATE_XMIT: 2859 l2cap_tx_state_xmit(chan, control, skbs, event); 2860 break; 2861 case L2CAP_TX_STATE_WAIT_F: 2862 l2cap_tx_state_wait_f(chan, control, skbs, event); 2863 break; 2864 default: 2865 /* Ignore event */ 2866 break; 2867 } 2868 } 2869 2870 static void l2cap_pass_to_tx(struct l2cap_chan *chan, 2871 struct l2cap_ctrl *control) 2872 { 2873 BT_DBG("chan %p, control %p", chan, control); 2874 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT); 2875 } 2876 2877 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan, 2878 struct l2cap_ctrl *control) 2879 { 2880 BT_DBG("chan %p, control %p", chan, control); 2881 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT); 2882 } 2883 2884 /* Copy frame to all raw sockets on that connection */ 2885 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb) 2886 { 2887 struct sk_buff *nskb; 2888 struct l2cap_chan *chan; 2889 2890 BT_DBG("conn %p", conn); 2891 2892 mutex_lock(&conn->chan_lock); 2893 2894 list_for_each_entry(chan, &conn->chan_l, list) { 2895 if (chan->chan_type != L2CAP_CHAN_RAW) 2896 continue; 2897 2898 /* Don't send frame to the channel it came from */ 2899 if (bt_cb(skb)->l2cap.chan == chan) 2900 continue; 2901 2902 nskb = skb_clone(skb, GFP_KERNEL); 2903 if (!nskb) 2904 continue; 2905 if (chan->ops->recv(chan, nskb)) 2906 kfree_skb(nskb); 2907 } 2908 2909 mutex_unlock(&conn->chan_lock); 2910 } 2911 2912 /* ---- L2CAP signalling commands ---- */ 2913 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code, 2914 u8 ident, u16 dlen, void *data) 2915 { 2916 struct sk_buff *skb, **frag; 2917 struct l2cap_cmd_hdr *cmd; 2918 struct l2cap_hdr *lh; 2919 int len, count; 2920 2921 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", 2922 conn, code, ident, dlen); 2923 2924 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) 2925 return NULL; 2926 2927 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; 2928 count = min_t(unsigned int, conn->mtu, len); 2929 2930 skb = bt_skb_alloc(count, GFP_KERNEL); 2931 if (!skb) 2932 return NULL; 2933 2934 lh = skb_put(skb, L2CAP_HDR_SIZE); 2935 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen); 2936 2937 if (conn->hcon->type == LE_LINK) 2938 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING); 2939 else 2940 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING); 2941 2942 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE); 2943 cmd->code = code; 2944 cmd->ident = ident; 2945 cmd->len = cpu_to_le16(dlen); 2946 2947 if (dlen) { 2948 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE; 2949 skb_put_data(skb, data, count); 2950 data += count; 2951 } 2952 2953 len -= skb->len; 2954 2955 /* Continuation fragments (no L2CAP header) */ 2956 frag = &skb_shinfo(skb)->frag_list; 2957 while (len) { 2958 count = min_t(unsigned int, conn->mtu, len); 2959 2960 *frag = bt_skb_alloc(count, GFP_KERNEL); 2961 if (!*frag) 2962 goto fail; 2963 2964 skb_put_data(*frag, data, count); 2965 2966 len -= count; 2967 data += count; 2968 2969 frag = &(*frag)->next; 2970 } 2971 2972 return skb; 2973 2974 fail: 2975 kfree_skb(skb); 2976 return NULL; 2977 } 2978 2979 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, 2980 unsigned long *val) 2981 { 2982 struct l2cap_conf_opt *opt = *ptr; 2983 int len; 2984 2985 len = L2CAP_CONF_OPT_SIZE + opt->len; 2986 *ptr += len; 2987 2988 *type = opt->type; 2989 *olen = opt->len; 2990 2991 switch (opt->len) { 2992 case 1: 2993 *val = *((u8 *) opt->val); 2994 break; 2995 2996 case 2: 2997 *val = get_unaligned_le16(opt->val); 2998 break; 2999 3000 case 4: 3001 *val = get_unaligned_le32(opt->val); 3002 break; 3003 3004 default: 3005 *val = (unsigned long) opt->val; 3006 break; 3007 } 3008 3009 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val); 3010 return len; 3011 } 3012 3013 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size) 3014 { 3015 struct l2cap_conf_opt *opt = *ptr; 3016 3017 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val); 3018 3019 if (size < L2CAP_CONF_OPT_SIZE + len) 3020 return; 3021 3022 opt->type = type; 3023 opt->len = len; 3024 3025 switch (len) { 3026 case 1: 3027 *((u8 *) opt->val) = val; 3028 break; 3029 3030 case 2: 3031 put_unaligned_le16(val, opt->val); 3032 break; 3033 3034 case 4: 3035 put_unaligned_le32(val, opt->val); 3036 break; 3037 3038 default: 3039 memcpy(opt->val, (void *) val, len); 3040 break; 3041 } 3042 3043 *ptr += L2CAP_CONF_OPT_SIZE + len; 3044 } 3045 3046 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size) 3047 { 3048 struct l2cap_conf_efs efs; 3049 3050 switch (chan->mode) { 3051 case L2CAP_MODE_ERTM: 3052 efs.id = chan->local_id; 3053 efs.stype = chan->local_stype; 3054 efs.msdu = cpu_to_le16(chan->local_msdu); 3055 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 3056 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT); 3057 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO); 3058 break; 3059 3060 case L2CAP_MODE_STREAMING: 3061 efs.id = 1; 3062 efs.stype = L2CAP_SERV_BESTEFFORT; 3063 efs.msdu = cpu_to_le16(chan->local_msdu); 3064 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 3065 efs.acc_lat = 0; 3066 efs.flush_to = 0; 3067 break; 3068 3069 default: 3070 return; 3071 } 3072 3073 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs), 3074 (unsigned long) &efs, size); 3075 } 3076 3077 static void l2cap_ack_timeout(struct work_struct *work) 3078 { 3079 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 3080 ack_timer.work); 3081 u16 frames_to_ack; 3082 3083 BT_DBG("chan %p", chan); 3084 3085 l2cap_chan_lock(chan); 3086 3087 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 3088 chan->last_acked_seq); 3089 3090 if (frames_to_ack) 3091 l2cap_send_rr_or_rnr(chan, 0); 3092 3093 l2cap_chan_unlock(chan); 3094 l2cap_chan_put(chan); 3095 } 3096 3097 int l2cap_ertm_init(struct l2cap_chan *chan) 3098 { 3099 int err; 3100 3101 chan->next_tx_seq = 0; 3102 chan->expected_tx_seq = 0; 3103 chan->expected_ack_seq = 0; 3104 chan->unacked_frames = 0; 3105 chan->buffer_seq = 0; 3106 chan->frames_sent = 0; 3107 chan->last_acked_seq = 0; 3108 chan->sdu = NULL; 3109 chan->sdu_last_frag = NULL; 3110 chan->sdu_len = 0; 3111 3112 skb_queue_head_init(&chan->tx_q); 3113 3114 if (chan->mode != L2CAP_MODE_ERTM) 3115 return 0; 3116 3117 chan->rx_state = L2CAP_RX_STATE_RECV; 3118 chan->tx_state = L2CAP_TX_STATE_XMIT; 3119 3120 skb_queue_head_init(&chan->srej_q); 3121 3122 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); 3123 if (err < 0) 3124 return err; 3125 3126 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win); 3127 if (err < 0) 3128 l2cap_seq_list_free(&chan->srej_list); 3129 3130 return err; 3131 } 3132 3133 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask) 3134 { 3135 switch (mode) { 3136 case L2CAP_MODE_STREAMING: 3137 case L2CAP_MODE_ERTM: 3138 if (l2cap_mode_supported(mode, remote_feat_mask)) 3139 return mode; 3140 fallthrough; 3141 default: 3142 return L2CAP_MODE_BASIC; 3143 } 3144 } 3145 3146 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn) 3147 { 3148 return (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW); 3149 } 3150 3151 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn) 3152 { 3153 return (conn->feat_mask & L2CAP_FEAT_EXT_FLOW); 3154 } 3155 3156 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan, 3157 struct l2cap_conf_rfc *rfc) 3158 { 3159 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO); 3160 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO); 3161 } 3162 3163 static inline void l2cap_txwin_setup(struct l2cap_chan *chan) 3164 { 3165 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW && 3166 __l2cap_ews_supported(chan->conn)) { 3167 /* use extended control field */ 3168 set_bit(FLAG_EXT_CTRL, &chan->flags); 3169 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; 3170 } else { 3171 chan->tx_win = min_t(u16, chan->tx_win, 3172 L2CAP_DEFAULT_TX_WINDOW); 3173 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 3174 } 3175 chan->ack_win = chan->tx_win; 3176 } 3177 3178 static void l2cap_mtu_auto(struct l2cap_chan *chan) 3179 { 3180 struct hci_conn *conn = chan->conn->hcon; 3181 3182 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3183 3184 /* The 2-DH1 packet has between 2 and 56 information bytes 3185 * (including the 2-byte payload header) 3186 */ 3187 if (!(conn->pkt_type & HCI_2DH1)) 3188 chan->imtu = 54; 3189 3190 /* The 3-DH1 packet has between 2 and 85 information bytes 3191 * (including the 2-byte payload header) 3192 */ 3193 if (!(conn->pkt_type & HCI_3DH1)) 3194 chan->imtu = 83; 3195 3196 /* The 2-DH3 packet has between 2 and 369 information bytes 3197 * (including the 2-byte payload header) 3198 */ 3199 if (!(conn->pkt_type & HCI_2DH3)) 3200 chan->imtu = 367; 3201 3202 /* The 3-DH3 packet has between 2 and 554 information bytes 3203 * (including the 2-byte payload header) 3204 */ 3205 if (!(conn->pkt_type & HCI_3DH3)) 3206 chan->imtu = 552; 3207 3208 /* The 2-DH5 packet has between 2 and 681 information bytes 3209 * (including the 2-byte payload header) 3210 */ 3211 if (!(conn->pkt_type & HCI_2DH5)) 3212 chan->imtu = 679; 3213 3214 /* The 3-DH5 packet has between 2 and 1023 information bytes 3215 * (including the 2-byte payload header) 3216 */ 3217 if (!(conn->pkt_type & HCI_3DH5)) 3218 chan->imtu = 1021; 3219 } 3220 3221 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) 3222 { 3223 struct l2cap_conf_req *req = data; 3224 struct l2cap_conf_rfc rfc = { .mode = chan->mode }; 3225 void *ptr = req->data; 3226 void *endptr = data + data_size; 3227 u16 size; 3228 3229 BT_DBG("chan %p", chan); 3230 3231 if (chan->num_conf_req || chan->num_conf_rsp) 3232 goto done; 3233 3234 switch (chan->mode) { 3235 case L2CAP_MODE_STREAMING: 3236 case L2CAP_MODE_ERTM: 3237 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) 3238 break; 3239 3240 if (__l2cap_efs_supported(chan->conn)) 3241 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3242 3243 fallthrough; 3244 default: 3245 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask); 3246 break; 3247 } 3248 3249 done: 3250 if (chan->imtu != L2CAP_DEFAULT_MTU) { 3251 if (!chan->imtu) 3252 l2cap_mtu_auto(chan); 3253 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, 3254 endptr - ptr); 3255 } 3256 3257 switch (chan->mode) { 3258 case L2CAP_MODE_BASIC: 3259 if (disable_ertm) 3260 break; 3261 3262 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) && 3263 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING)) 3264 break; 3265 3266 rfc.mode = L2CAP_MODE_BASIC; 3267 rfc.txwin_size = 0; 3268 rfc.max_transmit = 0; 3269 rfc.retrans_timeout = 0; 3270 rfc.monitor_timeout = 0; 3271 rfc.max_pdu_size = 0; 3272 3273 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3274 (unsigned long) &rfc, endptr - ptr); 3275 break; 3276 3277 case L2CAP_MODE_ERTM: 3278 rfc.mode = L2CAP_MODE_ERTM; 3279 rfc.max_transmit = chan->max_tx; 3280 3281 __l2cap_set_ertm_timeouts(chan, &rfc); 3282 3283 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 3284 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE - 3285 L2CAP_FCS_SIZE); 3286 rfc.max_pdu_size = cpu_to_le16(size); 3287 3288 l2cap_txwin_setup(chan); 3289 3290 rfc.txwin_size = min_t(u16, chan->tx_win, 3291 L2CAP_DEFAULT_TX_WINDOW); 3292 3293 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3294 (unsigned long) &rfc, endptr - ptr); 3295 3296 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 3297 l2cap_add_opt_efs(&ptr, chan, endptr - ptr); 3298 3299 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 3300 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3301 chan->tx_win, endptr - ptr); 3302 3303 if (chan->conn->feat_mask & L2CAP_FEAT_FCS) 3304 if (chan->fcs == L2CAP_FCS_NONE || 3305 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { 3306 chan->fcs = L2CAP_FCS_NONE; 3307 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, 3308 chan->fcs, endptr - ptr); 3309 } 3310 break; 3311 3312 case L2CAP_MODE_STREAMING: 3313 l2cap_txwin_setup(chan); 3314 rfc.mode = L2CAP_MODE_STREAMING; 3315 rfc.txwin_size = 0; 3316 rfc.max_transmit = 0; 3317 rfc.retrans_timeout = 0; 3318 rfc.monitor_timeout = 0; 3319 3320 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 3321 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE - 3322 L2CAP_FCS_SIZE); 3323 rfc.max_pdu_size = cpu_to_le16(size); 3324 3325 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3326 (unsigned long) &rfc, endptr - ptr); 3327 3328 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 3329 l2cap_add_opt_efs(&ptr, chan, endptr - ptr); 3330 3331 if (chan->conn->feat_mask & L2CAP_FEAT_FCS) 3332 if (chan->fcs == L2CAP_FCS_NONE || 3333 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { 3334 chan->fcs = L2CAP_FCS_NONE; 3335 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, 3336 chan->fcs, endptr - ptr); 3337 } 3338 break; 3339 } 3340 3341 req->dcid = cpu_to_le16(chan->dcid); 3342 req->flags = cpu_to_le16(0); 3343 3344 return ptr - data; 3345 } 3346 3347 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) 3348 { 3349 struct l2cap_conf_rsp *rsp = data; 3350 void *ptr = rsp->data; 3351 void *endptr = data + data_size; 3352 void *req = chan->conf_req; 3353 int len = chan->conf_len; 3354 int type, hint, olen; 3355 unsigned long val; 3356 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3357 struct l2cap_conf_efs efs; 3358 u8 remote_efs = 0; 3359 u16 mtu = L2CAP_DEFAULT_MTU; 3360 u16 result = L2CAP_CONF_SUCCESS; 3361 u16 size; 3362 3363 BT_DBG("chan %p", chan); 3364 3365 while (len >= L2CAP_CONF_OPT_SIZE) { 3366 len -= l2cap_get_conf_opt(&req, &type, &olen, &val); 3367 if (len < 0) 3368 break; 3369 3370 hint = type & L2CAP_CONF_HINT; 3371 type &= L2CAP_CONF_MASK; 3372 3373 switch (type) { 3374 case L2CAP_CONF_MTU: 3375 if (olen != 2) 3376 break; 3377 mtu = val; 3378 break; 3379 3380 case L2CAP_CONF_FLUSH_TO: 3381 if (olen != 2) 3382 break; 3383 chan->flush_to = val; 3384 break; 3385 3386 case L2CAP_CONF_QOS: 3387 break; 3388 3389 case L2CAP_CONF_RFC: 3390 if (olen != sizeof(rfc)) 3391 break; 3392 memcpy(&rfc, (void *) val, olen); 3393 break; 3394 3395 case L2CAP_CONF_FCS: 3396 if (olen != 1) 3397 break; 3398 if (val == L2CAP_FCS_NONE) 3399 set_bit(CONF_RECV_NO_FCS, &chan->conf_state); 3400 break; 3401 3402 case L2CAP_CONF_EFS: 3403 if (olen != sizeof(efs)) 3404 break; 3405 remote_efs = 1; 3406 memcpy(&efs, (void *) val, olen); 3407 break; 3408 3409 case L2CAP_CONF_EWS: 3410 if (olen != 2) 3411 break; 3412 return -ECONNREFUSED; 3413 3414 default: 3415 if (hint) 3416 break; 3417 result = L2CAP_CONF_UNKNOWN; 3418 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr); 3419 break; 3420 } 3421 } 3422 3423 if (chan->num_conf_rsp || chan->num_conf_req > 1) 3424 goto done; 3425 3426 switch (chan->mode) { 3427 case L2CAP_MODE_STREAMING: 3428 case L2CAP_MODE_ERTM: 3429 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) { 3430 chan->mode = l2cap_select_mode(rfc.mode, 3431 chan->conn->feat_mask); 3432 break; 3433 } 3434 3435 if (remote_efs) { 3436 if (__l2cap_efs_supported(chan->conn)) 3437 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3438 else 3439 return -ECONNREFUSED; 3440 } 3441 3442 if (chan->mode != rfc.mode) 3443 return -ECONNREFUSED; 3444 3445 break; 3446 } 3447 3448 done: 3449 if (chan->mode != rfc.mode) { 3450 result = L2CAP_CONF_UNACCEPT; 3451 rfc.mode = chan->mode; 3452 3453 if (chan->num_conf_rsp == 1) 3454 return -ECONNREFUSED; 3455 3456 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3457 (unsigned long) &rfc, endptr - ptr); 3458 } 3459 3460 if (result == L2CAP_CONF_SUCCESS) { 3461 /* Configure output options and let the other side know 3462 * which ones we don't like. */ 3463 3464 if (mtu < L2CAP_DEFAULT_MIN_MTU) 3465 result = L2CAP_CONF_UNACCEPT; 3466 else { 3467 chan->omtu = mtu; 3468 set_bit(CONF_MTU_DONE, &chan->conf_state); 3469 } 3470 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr); 3471 3472 if (remote_efs) { 3473 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3474 efs.stype != L2CAP_SERV_NOTRAFIC && 3475 efs.stype != chan->local_stype) { 3476 3477 result = L2CAP_CONF_UNACCEPT; 3478 3479 if (chan->num_conf_req >= 1) 3480 return -ECONNREFUSED; 3481 3482 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3483 sizeof(efs), 3484 (unsigned long) &efs, endptr - ptr); 3485 } else { 3486 /* Send PENDING Conf Rsp */ 3487 result = L2CAP_CONF_PENDING; 3488 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 3489 } 3490 } 3491 3492 switch (rfc.mode) { 3493 case L2CAP_MODE_BASIC: 3494 chan->fcs = L2CAP_FCS_NONE; 3495 set_bit(CONF_MODE_DONE, &chan->conf_state); 3496 break; 3497 3498 case L2CAP_MODE_ERTM: 3499 if (!test_bit(CONF_EWS_RECV, &chan->conf_state)) 3500 chan->remote_tx_win = rfc.txwin_size; 3501 else 3502 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW; 3503 3504 chan->remote_max_tx = rfc.max_transmit; 3505 3506 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3507 chan->conn->mtu - L2CAP_EXT_HDR_SIZE - 3508 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE); 3509 rfc.max_pdu_size = cpu_to_le16(size); 3510 chan->remote_mps = size; 3511 3512 __l2cap_set_ertm_timeouts(chan, &rfc); 3513 3514 set_bit(CONF_MODE_DONE, &chan->conf_state); 3515 3516 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 3517 sizeof(rfc), (unsigned long) &rfc, endptr - ptr); 3518 3519 if (remote_efs && 3520 test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3521 chan->remote_id = efs.id; 3522 chan->remote_stype = efs.stype; 3523 chan->remote_msdu = le16_to_cpu(efs.msdu); 3524 chan->remote_flush_to = 3525 le32_to_cpu(efs.flush_to); 3526 chan->remote_acc_lat = 3527 le32_to_cpu(efs.acc_lat); 3528 chan->remote_sdu_itime = 3529 le32_to_cpu(efs.sdu_itime); 3530 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3531 sizeof(efs), 3532 (unsigned long) &efs, endptr - ptr); 3533 } 3534 break; 3535 3536 case L2CAP_MODE_STREAMING: 3537 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3538 chan->conn->mtu - L2CAP_EXT_HDR_SIZE - 3539 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE); 3540 rfc.max_pdu_size = cpu_to_le16(size); 3541 chan->remote_mps = size; 3542 3543 set_bit(CONF_MODE_DONE, &chan->conf_state); 3544 3545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3546 (unsigned long) &rfc, endptr - ptr); 3547 3548 break; 3549 3550 default: 3551 result = L2CAP_CONF_UNACCEPT; 3552 3553 memset(&rfc, 0, sizeof(rfc)); 3554 rfc.mode = chan->mode; 3555 } 3556 3557 if (result == L2CAP_CONF_SUCCESS) 3558 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 3559 } 3560 rsp->scid = cpu_to_le16(chan->dcid); 3561 rsp->result = cpu_to_le16(result); 3562 rsp->flags = cpu_to_le16(0); 3563 3564 return ptr - data; 3565 } 3566 3567 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, 3568 void *data, size_t size, u16 *result) 3569 { 3570 struct l2cap_conf_req *req = data; 3571 void *ptr = req->data; 3572 void *endptr = data + size; 3573 int type, olen; 3574 unsigned long val; 3575 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3576 struct l2cap_conf_efs efs; 3577 3578 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data); 3579 3580 while (len >= L2CAP_CONF_OPT_SIZE) { 3581 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3582 if (len < 0) 3583 break; 3584 3585 switch (type) { 3586 case L2CAP_CONF_MTU: 3587 if (olen != 2) 3588 break; 3589 if (val < L2CAP_DEFAULT_MIN_MTU) { 3590 *result = L2CAP_CONF_UNACCEPT; 3591 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3592 } else 3593 chan->imtu = val; 3594 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, 3595 endptr - ptr); 3596 break; 3597 3598 case L2CAP_CONF_FLUSH_TO: 3599 if (olen != 2) 3600 break; 3601 chan->flush_to = val; 3602 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, 3603 chan->flush_to, endptr - ptr); 3604 break; 3605 3606 case L2CAP_CONF_RFC: 3607 if (olen != sizeof(rfc)) 3608 break; 3609 memcpy(&rfc, (void *)val, olen); 3610 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && 3611 rfc.mode != chan->mode) 3612 return -ECONNREFUSED; 3613 chan->fcs = 0; 3614 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3615 (unsigned long) &rfc, endptr - ptr); 3616 break; 3617 3618 case L2CAP_CONF_EWS: 3619 if (olen != 2) 3620 break; 3621 chan->ack_win = min_t(u16, val, chan->ack_win); 3622 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3623 chan->tx_win, endptr - ptr); 3624 break; 3625 3626 case L2CAP_CONF_EFS: 3627 if (olen != sizeof(efs)) 3628 break; 3629 memcpy(&efs, (void *)val, olen); 3630 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3631 efs.stype != L2CAP_SERV_NOTRAFIC && 3632 efs.stype != chan->local_stype) 3633 return -ECONNREFUSED; 3634 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), 3635 (unsigned long) &efs, endptr - ptr); 3636 break; 3637 3638 case L2CAP_CONF_FCS: 3639 if (olen != 1) 3640 break; 3641 if (*result == L2CAP_CONF_PENDING) 3642 if (val == L2CAP_FCS_NONE) 3643 set_bit(CONF_RECV_NO_FCS, 3644 &chan->conf_state); 3645 break; 3646 } 3647 } 3648 3649 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode) 3650 return -ECONNREFUSED; 3651 3652 chan->mode = rfc.mode; 3653 3654 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) { 3655 switch (rfc.mode) { 3656 case L2CAP_MODE_ERTM: 3657 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3658 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3659 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3660 if (!test_bit(FLAG_EXT_CTRL, &chan->flags)) 3661 chan->ack_win = min_t(u16, chan->ack_win, 3662 rfc.txwin_size); 3663 3664 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3665 chan->local_msdu = le16_to_cpu(efs.msdu); 3666 chan->local_sdu_itime = 3667 le32_to_cpu(efs.sdu_itime); 3668 chan->local_acc_lat = le32_to_cpu(efs.acc_lat); 3669 chan->local_flush_to = 3670 le32_to_cpu(efs.flush_to); 3671 } 3672 break; 3673 3674 case L2CAP_MODE_STREAMING: 3675 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3676 } 3677 } 3678 3679 req->dcid = cpu_to_le16(chan->dcid); 3680 req->flags = cpu_to_le16(0); 3681 3682 return ptr - data; 3683 } 3684 3685 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, 3686 u16 result, u16 flags) 3687 { 3688 struct l2cap_conf_rsp *rsp = data; 3689 void *ptr = rsp->data; 3690 3691 BT_DBG("chan %p", chan); 3692 3693 rsp->scid = cpu_to_le16(chan->dcid); 3694 rsp->result = cpu_to_le16(result); 3695 rsp->flags = cpu_to_le16(flags); 3696 3697 return ptr - data; 3698 } 3699 3700 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan) 3701 { 3702 struct l2cap_le_conn_rsp rsp; 3703 struct l2cap_conn *conn = chan->conn; 3704 3705 BT_DBG("chan %p", chan); 3706 3707 rsp.dcid = cpu_to_le16(chan->scid); 3708 rsp.mtu = cpu_to_le16(chan->imtu); 3709 rsp.mps = cpu_to_le16(chan->mps); 3710 rsp.credits = cpu_to_le16(chan->rx_credits); 3711 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); 3712 3713 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 3714 &rsp); 3715 } 3716 3717 static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data) 3718 { 3719 int *result = data; 3720 3721 if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 3722 return; 3723 3724 switch (chan->state) { 3725 case BT_CONNECT2: 3726 /* If channel still pending accept add to result */ 3727 (*result)++; 3728 return; 3729 case BT_CONNECTED: 3730 return; 3731 default: 3732 /* If not connected or pending accept it has been refused */ 3733 *result = -ECONNREFUSED; 3734 return; 3735 } 3736 } 3737 3738 struct l2cap_ecred_rsp_data { 3739 struct { 3740 struct l2cap_ecred_conn_rsp rsp; 3741 __le16 scid[L2CAP_ECRED_MAX_CID]; 3742 } __packed pdu; 3743 int count; 3744 }; 3745 3746 static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data) 3747 { 3748 struct l2cap_ecred_rsp_data *rsp = data; 3749 3750 if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 3751 return; 3752 3753 /* Reset ident so only one response is sent */ 3754 chan->ident = 0; 3755 3756 /* Include all channels pending with the same ident */ 3757 if (!rsp->pdu.rsp.result) 3758 rsp->pdu.rsp.dcid[rsp->count++] = cpu_to_le16(chan->scid); 3759 else 3760 l2cap_chan_del(chan, ECONNRESET); 3761 } 3762 3763 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan) 3764 { 3765 struct l2cap_conn *conn = chan->conn; 3766 struct l2cap_ecred_rsp_data data; 3767 u16 id = chan->ident; 3768 int result = 0; 3769 3770 if (!id) 3771 return; 3772 3773 BT_DBG("chan %p id %d", chan, id); 3774 3775 memset(&data, 0, sizeof(data)); 3776 3777 data.pdu.rsp.mtu = cpu_to_le16(chan->imtu); 3778 data.pdu.rsp.mps = cpu_to_le16(chan->mps); 3779 data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits); 3780 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); 3781 3782 /* Verify that all channels are ready */ 3783 __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result); 3784 3785 if (result > 0) 3786 return; 3787 3788 if (result < 0) 3789 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION); 3790 3791 /* Build response */ 3792 __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data); 3793 3794 l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP, 3795 sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)), 3796 &data.pdu); 3797 } 3798 3799 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) 3800 { 3801 struct l2cap_conn_rsp rsp; 3802 struct l2cap_conn *conn = chan->conn; 3803 u8 buf[128]; 3804 u8 rsp_code; 3805 3806 rsp.scid = cpu_to_le16(chan->dcid); 3807 rsp.dcid = cpu_to_le16(chan->scid); 3808 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 3809 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 3810 rsp_code = L2CAP_CONN_RSP; 3811 3812 BT_DBG("chan %p rsp_code %u", chan, rsp_code); 3813 3814 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp); 3815 3816 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 3817 return; 3818 3819 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3820 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 3821 chan->num_conf_req++; 3822 } 3823 3824 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) 3825 { 3826 int type, olen; 3827 unsigned long val; 3828 /* Use sane default values in case a misbehaving remote device 3829 * did not send an RFC or extended window size option. 3830 */ 3831 u16 txwin_ext = chan->ack_win; 3832 struct l2cap_conf_rfc rfc = { 3833 .mode = chan->mode, 3834 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO), 3835 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO), 3836 .max_pdu_size = cpu_to_le16(chan->imtu), 3837 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW), 3838 }; 3839 3840 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len); 3841 3842 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING)) 3843 return; 3844 3845 while (len >= L2CAP_CONF_OPT_SIZE) { 3846 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3847 if (len < 0) 3848 break; 3849 3850 switch (type) { 3851 case L2CAP_CONF_RFC: 3852 if (olen != sizeof(rfc)) 3853 break; 3854 memcpy(&rfc, (void *)val, olen); 3855 break; 3856 case L2CAP_CONF_EWS: 3857 if (olen != 2) 3858 break; 3859 txwin_ext = val; 3860 break; 3861 } 3862 } 3863 3864 switch (rfc.mode) { 3865 case L2CAP_MODE_ERTM: 3866 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3867 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3868 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3869 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 3870 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext); 3871 else 3872 chan->ack_win = min_t(u16, chan->ack_win, 3873 rfc.txwin_size); 3874 break; 3875 case L2CAP_MODE_STREAMING: 3876 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3877 } 3878 } 3879 3880 static inline int l2cap_command_rej(struct l2cap_conn *conn, 3881 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 3882 u8 *data) 3883 { 3884 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 3885 3886 if (cmd_len < sizeof(*rej)) 3887 return -EPROTO; 3888 3889 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) 3890 return 0; 3891 3892 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 3893 cmd->ident == conn->info_ident) { 3894 cancel_delayed_work(&conn->info_timer); 3895 3896 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3897 conn->info_ident = 0; 3898 3899 l2cap_conn_start(conn); 3900 } 3901 3902 return 0; 3903 } 3904 3905 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, 3906 struct l2cap_cmd_hdr *cmd, 3907 u8 *data, u8 rsp_code, u8 amp_id) 3908 { 3909 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 3910 struct l2cap_conn_rsp rsp; 3911 struct l2cap_chan *chan = NULL, *pchan; 3912 int result, status = L2CAP_CS_NO_INFO; 3913 3914 u16 dcid = 0, scid = __le16_to_cpu(req->scid); 3915 __le16 psm = req->psm; 3916 3917 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid); 3918 3919 /* Check if we have socket listening on psm */ 3920 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 3921 &conn->hcon->dst, ACL_LINK); 3922 if (!pchan) { 3923 result = L2CAP_CR_BAD_PSM; 3924 goto sendresp; 3925 } 3926 3927 mutex_lock(&conn->chan_lock); 3928 l2cap_chan_lock(pchan); 3929 3930 /* Check if the ACL is secure enough (if not SDP) */ 3931 if (psm != cpu_to_le16(L2CAP_PSM_SDP) && 3932 !hci_conn_check_link_mode(conn->hcon)) { 3933 conn->disc_reason = HCI_ERROR_AUTH_FAILURE; 3934 result = L2CAP_CR_SEC_BLOCK; 3935 goto response; 3936 } 3937 3938 result = L2CAP_CR_NO_MEM; 3939 3940 /* Check for valid dynamic CID range (as per Erratum 3253) */ 3941 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) { 3942 result = L2CAP_CR_INVALID_SCID; 3943 goto response; 3944 } 3945 3946 /* Check if we already have channel with that dcid */ 3947 if (__l2cap_get_chan_by_dcid(conn, scid)) { 3948 result = L2CAP_CR_SCID_IN_USE; 3949 goto response; 3950 } 3951 3952 chan = pchan->ops->new_connection(pchan); 3953 if (!chan) 3954 goto response; 3955 3956 /* For certain devices (ex: HID mouse), support for authentication, 3957 * pairing and bonding is optional. For such devices, inorder to avoid 3958 * the ACL alive for too long after L2CAP disconnection, reset the ACL 3959 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect. 3960 */ 3961 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 3962 3963 bacpy(&chan->src, &conn->hcon->src); 3964 bacpy(&chan->dst, &conn->hcon->dst); 3965 chan->src_type = bdaddr_src_type(conn->hcon); 3966 chan->dst_type = bdaddr_dst_type(conn->hcon); 3967 chan->psm = psm; 3968 chan->dcid = scid; 3969 3970 __l2cap_chan_add(conn, chan); 3971 3972 dcid = chan->scid; 3973 3974 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 3975 3976 chan->ident = cmd->ident; 3977 3978 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 3979 if (l2cap_chan_check_security(chan, false)) { 3980 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 3981 l2cap_state_change(chan, BT_CONNECT2); 3982 result = L2CAP_CR_PEND; 3983 status = L2CAP_CS_AUTHOR_PEND; 3984 chan->ops->defer(chan); 3985 } else { 3986 /* Force pending result for AMP controllers. 3987 * The connection will succeed after the 3988 * physical link is up. 3989 */ 3990 if (amp_id == AMP_ID_BREDR) { 3991 l2cap_state_change(chan, BT_CONFIG); 3992 result = L2CAP_CR_SUCCESS; 3993 } else { 3994 l2cap_state_change(chan, BT_CONNECT2); 3995 result = L2CAP_CR_PEND; 3996 } 3997 status = L2CAP_CS_NO_INFO; 3998 } 3999 } else { 4000 l2cap_state_change(chan, BT_CONNECT2); 4001 result = L2CAP_CR_PEND; 4002 status = L2CAP_CS_AUTHEN_PEND; 4003 } 4004 } else { 4005 l2cap_state_change(chan, BT_CONNECT2); 4006 result = L2CAP_CR_PEND; 4007 status = L2CAP_CS_NO_INFO; 4008 } 4009 4010 response: 4011 l2cap_chan_unlock(pchan); 4012 mutex_unlock(&conn->chan_lock); 4013 l2cap_chan_put(pchan); 4014 4015 sendresp: 4016 rsp.scid = cpu_to_le16(scid); 4017 rsp.dcid = cpu_to_le16(dcid); 4018 rsp.result = cpu_to_le16(result); 4019 rsp.status = cpu_to_le16(status); 4020 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); 4021 4022 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { 4023 struct l2cap_info_req info; 4024 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 4025 4026 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 4027 conn->info_ident = l2cap_get_ident(conn); 4028 4029 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 4030 4031 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ, 4032 sizeof(info), &info); 4033 } 4034 4035 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) && 4036 result == L2CAP_CR_SUCCESS) { 4037 u8 buf[128]; 4038 set_bit(CONF_REQ_SENT, &chan->conf_state); 4039 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4040 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4041 chan->num_conf_req++; 4042 } 4043 4044 return chan; 4045 } 4046 4047 static int l2cap_connect_req(struct l2cap_conn *conn, 4048 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 4049 { 4050 struct hci_dev *hdev = conn->hcon->hdev; 4051 struct hci_conn *hcon = conn->hcon; 4052 4053 if (cmd_len < sizeof(struct l2cap_conn_req)) 4054 return -EPROTO; 4055 4056 hci_dev_lock(hdev); 4057 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4058 mgmt_device_connected(hdev, hcon, NULL, 0); 4059 hci_dev_unlock(hdev); 4060 4061 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0); 4062 return 0; 4063 } 4064 4065 static int l2cap_connect_create_rsp(struct l2cap_conn *conn, 4066 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4067 u8 *data) 4068 { 4069 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; 4070 u16 scid, dcid, result, status; 4071 struct l2cap_chan *chan; 4072 u8 req[128]; 4073 int err; 4074 4075 if (cmd_len < sizeof(*rsp)) 4076 return -EPROTO; 4077 4078 scid = __le16_to_cpu(rsp->scid); 4079 dcid = __le16_to_cpu(rsp->dcid); 4080 result = __le16_to_cpu(rsp->result); 4081 status = __le16_to_cpu(rsp->status); 4082 4083 if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START || 4084 dcid > L2CAP_CID_DYN_END)) 4085 return -EPROTO; 4086 4087 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", 4088 dcid, scid, result, status); 4089 4090 mutex_lock(&conn->chan_lock); 4091 4092 if (scid) { 4093 chan = __l2cap_get_chan_by_scid(conn, scid); 4094 if (!chan) { 4095 err = -EBADSLT; 4096 goto unlock; 4097 } 4098 } else { 4099 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 4100 if (!chan) { 4101 err = -EBADSLT; 4102 goto unlock; 4103 } 4104 } 4105 4106 chan = l2cap_chan_hold_unless_zero(chan); 4107 if (!chan) { 4108 err = -EBADSLT; 4109 goto unlock; 4110 } 4111 4112 err = 0; 4113 4114 l2cap_chan_lock(chan); 4115 4116 switch (result) { 4117 case L2CAP_CR_SUCCESS: 4118 if (__l2cap_get_chan_by_dcid(conn, dcid)) { 4119 err = -EBADSLT; 4120 break; 4121 } 4122 4123 l2cap_state_change(chan, BT_CONFIG); 4124 chan->ident = 0; 4125 chan->dcid = dcid; 4126 clear_bit(CONF_CONNECT_PEND, &chan->conf_state); 4127 4128 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 4129 break; 4130 4131 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4132 l2cap_build_conf_req(chan, req, sizeof(req)), req); 4133 chan->num_conf_req++; 4134 break; 4135 4136 case L2CAP_CR_PEND: 4137 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 4138 break; 4139 4140 default: 4141 l2cap_chan_del(chan, ECONNREFUSED); 4142 break; 4143 } 4144 4145 l2cap_chan_unlock(chan); 4146 l2cap_chan_put(chan); 4147 4148 unlock: 4149 mutex_unlock(&conn->chan_lock); 4150 4151 return err; 4152 } 4153 4154 static inline void set_default_fcs(struct l2cap_chan *chan) 4155 { 4156 /* FCS is enabled only in ERTM or streaming mode, if one or both 4157 * sides request it. 4158 */ 4159 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 4160 chan->fcs = L2CAP_FCS_NONE; 4161 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) 4162 chan->fcs = L2CAP_FCS_CRC16; 4163 } 4164 4165 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data, 4166 u8 ident, u16 flags) 4167 { 4168 struct l2cap_conn *conn = chan->conn; 4169 4170 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident, 4171 flags); 4172 4173 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 4174 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 4175 4176 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP, 4177 l2cap_build_conf_rsp(chan, data, 4178 L2CAP_CONF_SUCCESS, flags), data); 4179 } 4180 4181 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident, 4182 u16 scid, u16 dcid) 4183 { 4184 struct l2cap_cmd_rej_cid rej; 4185 4186 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID); 4187 rej.scid = __cpu_to_le16(scid); 4188 rej.dcid = __cpu_to_le16(dcid); 4189 4190 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 4191 } 4192 4193 static inline int l2cap_config_req(struct l2cap_conn *conn, 4194 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4195 u8 *data) 4196 { 4197 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 4198 u16 dcid, flags; 4199 u8 rsp[64]; 4200 struct l2cap_chan *chan; 4201 int len, err = 0; 4202 4203 if (cmd_len < sizeof(*req)) 4204 return -EPROTO; 4205 4206 dcid = __le16_to_cpu(req->dcid); 4207 flags = __le16_to_cpu(req->flags); 4208 4209 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags); 4210 4211 chan = l2cap_get_chan_by_scid(conn, dcid); 4212 if (!chan) { 4213 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0); 4214 return 0; 4215 } 4216 4217 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 && 4218 chan->state != BT_CONNECTED) { 4219 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, 4220 chan->dcid); 4221 goto unlock; 4222 } 4223 4224 /* Reject if config buffer is too small. */ 4225 len = cmd_len - sizeof(*req); 4226 if (chan->conf_len + len > sizeof(chan->conf_req)) { 4227 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 4228 l2cap_build_conf_rsp(chan, rsp, 4229 L2CAP_CONF_REJECT, flags), rsp); 4230 goto unlock; 4231 } 4232 4233 /* Store config. */ 4234 memcpy(chan->conf_req + chan->conf_len, req->data, len); 4235 chan->conf_len += len; 4236 4237 if (flags & L2CAP_CONF_FLAG_CONTINUATION) { 4238 /* Incomplete config. Send empty response. */ 4239 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 4240 l2cap_build_conf_rsp(chan, rsp, 4241 L2CAP_CONF_SUCCESS, flags), rsp); 4242 goto unlock; 4243 } 4244 4245 /* Complete config. */ 4246 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp)); 4247 if (len < 0) { 4248 l2cap_send_disconn_req(chan, ECONNRESET); 4249 goto unlock; 4250 } 4251 4252 chan->ident = cmd->ident; 4253 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); 4254 if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP) 4255 chan->num_conf_rsp++; 4256 4257 /* Reset config buffer. */ 4258 chan->conf_len = 0; 4259 4260 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) 4261 goto unlock; 4262 4263 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) { 4264 set_default_fcs(chan); 4265 4266 if (chan->mode == L2CAP_MODE_ERTM || 4267 chan->mode == L2CAP_MODE_STREAMING) 4268 err = l2cap_ertm_init(chan); 4269 4270 if (err < 0) 4271 l2cap_send_disconn_req(chan, -err); 4272 else 4273 l2cap_chan_ready(chan); 4274 4275 goto unlock; 4276 } 4277 4278 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) { 4279 u8 buf[64]; 4280 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4281 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4282 chan->num_conf_req++; 4283 } 4284 4285 /* Got Conf Rsp PENDING from remote side and assume we sent 4286 Conf Rsp PENDING in the code above */ 4287 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) && 4288 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 4289 4290 /* check compatibility */ 4291 4292 /* Send rsp for BR/EDR channel */ 4293 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags); 4294 } 4295 4296 unlock: 4297 l2cap_chan_unlock(chan); 4298 l2cap_chan_put(chan); 4299 return err; 4300 } 4301 4302 static inline int l2cap_config_rsp(struct l2cap_conn *conn, 4303 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4304 u8 *data) 4305 { 4306 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 4307 u16 scid, flags, result; 4308 struct l2cap_chan *chan; 4309 int len = cmd_len - sizeof(*rsp); 4310 int err = 0; 4311 4312 if (cmd_len < sizeof(*rsp)) 4313 return -EPROTO; 4314 4315 scid = __le16_to_cpu(rsp->scid); 4316 flags = __le16_to_cpu(rsp->flags); 4317 result = __le16_to_cpu(rsp->result); 4318 4319 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags, 4320 result, len); 4321 4322 chan = l2cap_get_chan_by_scid(conn, scid); 4323 if (!chan) 4324 return 0; 4325 4326 switch (result) { 4327 case L2CAP_CONF_SUCCESS: 4328 l2cap_conf_rfc_get(chan, rsp->data, len); 4329 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state); 4330 break; 4331 4332 case L2CAP_CONF_PENDING: 4333 set_bit(CONF_REM_CONF_PEND, &chan->conf_state); 4334 4335 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 4336 char buf[64]; 4337 4338 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 4339 buf, sizeof(buf), &result); 4340 if (len < 0) { 4341 l2cap_send_disconn_req(chan, ECONNRESET); 4342 goto done; 4343 } 4344 4345 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0); 4346 } 4347 goto done; 4348 4349 case L2CAP_CONF_UNKNOWN: 4350 case L2CAP_CONF_UNACCEPT: 4351 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) { 4352 char req[64]; 4353 4354 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { 4355 l2cap_send_disconn_req(chan, ECONNRESET); 4356 goto done; 4357 } 4358 4359 /* throw out any old stored conf requests */ 4360 result = L2CAP_CONF_SUCCESS; 4361 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 4362 req, sizeof(req), &result); 4363 if (len < 0) { 4364 l2cap_send_disconn_req(chan, ECONNRESET); 4365 goto done; 4366 } 4367 4368 l2cap_send_cmd(conn, l2cap_get_ident(conn), 4369 L2CAP_CONF_REQ, len, req); 4370 chan->num_conf_req++; 4371 if (result != L2CAP_CONF_SUCCESS) 4372 goto done; 4373 break; 4374 } 4375 fallthrough; 4376 4377 default: 4378 l2cap_chan_set_err(chan, ECONNRESET); 4379 4380 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT); 4381 l2cap_send_disconn_req(chan, ECONNRESET); 4382 goto done; 4383 } 4384 4385 if (flags & L2CAP_CONF_FLAG_CONTINUATION) 4386 goto done; 4387 4388 set_bit(CONF_INPUT_DONE, &chan->conf_state); 4389 4390 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) { 4391 set_default_fcs(chan); 4392 4393 if (chan->mode == L2CAP_MODE_ERTM || 4394 chan->mode == L2CAP_MODE_STREAMING) 4395 err = l2cap_ertm_init(chan); 4396 4397 if (err < 0) 4398 l2cap_send_disconn_req(chan, -err); 4399 else 4400 l2cap_chan_ready(chan); 4401 } 4402 4403 done: 4404 l2cap_chan_unlock(chan); 4405 l2cap_chan_put(chan); 4406 return err; 4407 } 4408 4409 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, 4410 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4411 u8 *data) 4412 { 4413 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; 4414 struct l2cap_disconn_rsp rsp; 4415 u16 dcid, scid; 4416 struct l2cap_chan *chan; 4417 4418 if (cmd_len != sizeof(*req)) 4419 return -EPROTO; 4420 4421 scid = __le16_to_cpu(req->scid); 4422 dcid = __le16_to_cpu(req->dcid); 4423 4424 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); 4425 4426 chan = l2cap_get_chan_by_scid(conn, dcid); 4427 if (!chan) { 4428 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid); 4429 return 0; 4430 } 4431 4432 rsp.dcid = cpu_to_le16(chan->scid); 4433 rsp.scid = cpu_to_le16(chan->dcid); 4434 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); 4435 4436 chan->ops->set_shutdown(chan); 4437 4438 l2cap_chan_unlock(chan); 4439 mutex_lock(&conn->chan_lock); 4440 l2cap_chan_lock(chan); 4441 l2cap_chan_del(chan, ECONNRESET); 4442 mutex_unlock(&conn->chan_lock); 4443 4444 chan->ops->close(chan); 4445 4446 l2cap_chan_unlock(chan); 4447 l2cap_chan_put(chan); 4448 4449 return 0; 4450 } 4451 4452 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, 4453 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4454 u8 *data) 4455 { 4456 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; 4457 u16 dcid, scid; 4458 struct l2cap_chan *chan; 4459 4460 if (cmd_len != sizeof(*rsp)) 4461 return -EPROTO; 4462 4463 scid = __le16_to_cpu(rsp->scid); 4464 dcid = __le16_to_cpu(rsp->dcid); 4465 4466 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); 4467 4468 chan = l2cap_get_chan_by_scid(conn, scid); 4469 if (!chan) { 4470 return 0; 4471 } 4472 4473 if (chan->state != BT_DISCONN) { 4474 l2cap_chan_unlock(chan); 4475 l2cap_chan_put(chan); 4476 return 0; 4477 } 4478 4479 l2cap_chan_unlock(chan); 4480 mutex_lock(&conn->chan_lock); 4481 l2cap_chan_lock(chan); 4482 l2cap_chan_del(chan, 0); 4483 mutex_unlock(&conn->chan_lock); 4484 4485 chan->ops->close(chan); 4486 4487 l2cap_chan_unlock(chan); 4488 l2cap_chan_put(chan); 4489 4490 return 0; 4491 } 4492 4493 static inline int l2cap_information_req(struct l2cap_conn *conn, 4494 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4495 u8 *data) 4496 { 4497 struct l2cap_info_req *req = (struct l2cap_info_req *) data; 4498 u16 type; 4499 4500 if (cmd_len != sizeof(*req)) 4501 return -EPROTO; 4502 4503 type = __le16_to_cpu(req->type); 4504 4505 BT_DBG("type 0x%4.4x", type); 4506 4507 if (type == L2CAP_IT_FEAT_MASK) { 4508 u8 buf[8]; 4509 u32 feat_mask = l2cap_feat_mask; 4510 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4511 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 4512 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4513 if (!disable_ertm) 4514 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 4515 | L2CAP_FEAT_FCS; 4516 4517 put_unaligned_le32(feat_mask, rsp->data); 4518 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4519 buf); 4520 } else if (type == L2CAP_IT_FIXED_CHAN) { 4521 u8 buf[12]; 4522 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4523 4524 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4525 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4526 rsp->data[0] = conn->local_fixed_chan; 4527 memset(rsp->data + 1, 0, 7); 4528 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4529 buf); 4530 } else { 4531 struct l2cap_info_rsp rsp; 4532 rsp.type = cpu_to_le16(type); 4533 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP); 4534 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp), 4535 &rsp); 4536 } 4537 4538 return 0; 4539 } 4540 4541 static inline int l2cap_information_rsp(struct l2cap_conn *conn, 4542 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4543 u8 *data) 4544 { 4545 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; 4546 u16 type, result; 4547 4548 if (cmd_len < sizeof(*rsp)) 4549 return -EPROTO; 4550 4551 type = __le16_to_cpu(rsp->type); 4552 result = __le16_to_cpu(rsp->result); 4553 4554 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result); 4555 4556 /* L2CAP Info req/rsp are unbound to channels, add extra checks */ 4557 if (cmd->ident != conn->info_ident || 4558 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 4559 return 0; 4560 4561 cancel_delayed_work(&conn->info_timer); 4562 4563 if (result != L2CAP_IR_SUCCESS) { 4564 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4565 conn->info_ident = 0; 4566 4567 l2cap_conn_start(conn); 4568 4569 return 0; 4570 } 4571 4572 switch (type) { 4573 case L2CAP_IT_FEAT_MASK: 4574 conn->feat_mask = get_unaligned_le32(rsp->data); 4575 4576 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) { 4577 struct l2cap_info_req req; 4578 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4579 4580 conn->info_ident = l2cap_get_ident(conn); 4581 4582 l2cap_send_cmd(conn, conn->info_ident, 4583 L2CAP_INFO_REQ, sizeof(req), &req); 4584 } else { 4585 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4586 conn->info_ident = 0; 4587 4588 l2cap_conn_start(conn); 4589 } 4590 break; 4591 4592 case L2CAP_IT_FIXED_CHAN: 4593 conn->remote_fixed_chan = rsp->data[0]; 4594 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4595 conn->info_ident = 0; 4596 4597 l2cap_conn_start(conn); 4598 break; 4599 } 4600 4601 return 0; 4602 } 4603 4604 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, 4605 struct l2cap_cmd_hdr *cmd, 4606 u16 cmd_len, u8 *data) 4607 { 4608 struct hci_conn *hcon = conn->hcon; 4609 struct l2cap_conn_param_update_req *req; 4610 struct l2cap_conn_param_update_rsp rsp; 4611 u16 min, max, latency, to_multiplier; 4612 int err; 4613 4614 if (hcon->role != HCI_ROLE_MASTER) 4615 return -EINVAL; 4616 4617 if (cmd_len != sizeof(struct l2cap_conn_param_update_req)) 4618 return -EPROTO; 4619 4620 req = (struct l2cap_conn_param_update_req *) data; 4621 min = __le16_to_cpu(req->min); 4622 max = __le16_to_cpu(req->max); 4623 latency = __le16_to_cpu(req->latency); 4624 to_multiplier = __le16_to_cpu(req->to_multiplier); 4625 4626 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x", 4627 min, max, latency, to_multiplier); 4628 4629 memset(&rsp, 0, sizeof(rsp)); 4630 4631 if (max > hcon->le_conn_max_interval) { 4632 BT_DBG("requested connection interval exceeds current bounds."); 4633 err = -EINVAL; 4634 } else { 4635 err = hci_check_conn_params(min, max, latency, to_multiplier); 4636 } 4637 4638 if (err) 4639 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); 4640 else 4641 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED); 4642 4643 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP, 4644 sizeof(rsp), &rsp); 4645 4646 if (!err) { 4647 u8 store_hint; 4648 4649 store_hint = hci_le_conn_update(hcon, min, max, latency, 4650 to_multiplier); 4651 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type, 4652 store_hint, min, max, latency, 4653 to_multiplier); 4654 4655 } 4656 4657 return 0; 4658 } 4659 4660 static int l2cap_le_connect_rsp(struct l2cap_conn *conn, 4661 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4662 u8 *data) 4663 { 4664 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data; 4665 struct hci_conn *hcon = conn->hcon; 4666 u16 dcid, mtu, mps, credits, result; 4667 struct l2cap_chan *chan; 4668 int err, sec_level; 4669 4670 if (cmd_len < sizeof(*rsp)) 4671 return -EPROTO; 4672 4673 dcid = __le16_to_cpu(rsp->dcid); 4674 mtu = __le16_to_cpu(rsp->mtu); 4675 mps = __le16_to_cpu(rsp->mps); 4676 credits = __le16_to_cpu(rsp->credits); 4677 result = __le16_to_cpu(rsp->result); 4678 4679 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 || 4680 dcid < L2CAP_CID_DYN_START || 4681 dcid > L2CAP_CID_LE_DYN_END)) 4682 return -EPROTO; 4683 4684 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x", 4685 dcid, mtu, mps, credits, result); 4686 4687 mutex_lock(&conn->chan_lock); 4688 4689 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 4690 if (!chan) { 4691 err = -EBADSLT; 4692 goto unlock; 4693 } 4694 4695 err = 0; 4696 4697 l2cap_chan_lock(chan); 4698 4699 switch (result) { 4700 case L2CAP_CR_LE_SUCCESS: 4701 if (__l2cap_get_chan_by_dcid(conn, dcid)) { 4702 err = -EBADSLT; 4703 break; 4704 } 4705 4706 chan->ident = 0; 4707 chan->dcid = dcid; 4708 chan->omtu = mtu; 4709 chan->remote_mps = mps; 4710 chan->tx_credits = credits; 4711 l2cap_chan_ready(chan); 4712 break; 4713 4714 case L2CAP_CR_LE_AUTHENTICATION: 4715 case L2CAP_CR_LE_ENCRYPTION: 4716 /* If we already have MITM protection we can't do 4717 * anything. 4718 */ 4719 if (hcon->sec_level > BT_SECURITY_MEDIUM) { 4720 l2cap_chan_del(chan, ECONNREFUSED); 4721 break; 4722 } 4723 4724 sec_level = hcon->sec_level + 1; 4725 if (chan->sec_level < sec_level) 4726 chan->sec_level = sec_level; 4727 4728 /* We'll need to send a new Connect Request */ 4729 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags); 4730 4731 smp_conn_security(hcon, chan->sec_level); 4732 break; 4733 4734 default: 4735 l2cap_chan_del(chan, ECONNREFUSED); 4736 break; 4737 } 4738 4739 l2cap_chan_unlock(chan); 4740 4741 unlock: 4742 mutex_unlock(&conn->chan_lock); 4743 4744 return err; 4745 } 4746 4747 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, 4748 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4749 u8 *data) 4750 { 4751 int err = 0; 4752 4753 switch (cmd->code) { 4754 case L2CAP_COMMAND_REJ: 4755 l2cap_command_rej(conn, cmd, cmd_len, data); 4756 break; 4757 4758 case L2CAP_CONN_REQ: 4759 err = l2cap_connect_req(conn, cmd, cmd_len, data); 4760 break; 4761 4762 case L2CAP_CONN_RSP: 4763 l2cap_connect_create_rsp(conn, cmd, cmd_len, data); 4764 break; 4765 4766 case L2CAP_CONF_REQ: 4767 err = l2cap_config_req(conn, cmd, cmd_len, data); 4768 break; 4769 4770 case L2CAP_CONF_RSP: 4771 l2cap_config_rsp(conn, cmd, cmd_len, data); 4772 break; 4773 4774 case L2CAP_DISCONN_REQ: 4775 err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 4776 break; 4777 4778 case L2CAP_DISCONN_RSP: 4779 l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 4780 break; 4781 4782 case L2CAP_ECHO_REQ: 4783 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data); 4784 break; 4785 4786 case L2CAP_ECHO_RSP: 4787 break; 4788 4789 case L2CAP_INFO_REQ: 4790 err = l2cap_information_req(conn, cmd, cmd_len, data); 4791 break; 4792 4793 case L2CAP_INFO_RSP: 4794 l2cap_information_rsp(conn, cmd, cmd_len, data); 4795 break; 4796 4797 default: 4798 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code); 4799 err = -EINVAL; 4800 break; 4801 } 4802 4803 return err; 4804 } 4805 4806 static int l2cap_le_connect_req(struct l2cap_conn *conn, 4807 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4808 u8 *data) 4809 { 4810 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data; 4811 struct l2cap_le_conn_rsp rsp; 4812 struct l2cap_chan *chan, *pchan; 4813 u16 dcid, scid, credits, mtu, mps; 4814 __le16 psm; 4815 u8 result; 4816 4817 if (cmd_len != sizeof(*req)) 4818 return -EPROTO; 4819 4820 scid = __le16_to_cpu(req->scid); 4821 mtu = __le16_to_cpu(req->mtu); 4822 mps = __le16_to_cpu(req->mps); 4823 psm = req->psm; 4824 dcid = 0; 4825 credits = 0; 4826 4827 if (mtu < 23 || mps < 23) 4828 return -EPROTO; 4829 4830 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), 4831 scid, mtu, mps); 4832 4833 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A 4834 * page 1059: 4835 * 4836 * Valid range: 0x0001-0x00ff 4837 * 4838 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges 4839 */ 4840 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { 4841 result = L2CAP_CR_LE_BAD_PSM; 4842 chan = NULL; 4843 goto response; 4844 } 4845 4846 /* Check if we have socket listening on psm */ 4847 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 4848 &conn->hcon->dst, LE_LINK); 4849 if (!pchan) { 4850 result = L2CAP_CR_LE_BAD_PSM; 4851 chan = NULL; 4852 goto response; 4853 } 4854 4855 mutex_lock(&conn->chan_lock); 4856 l2cap_chan_lock(pchan); 4857 4858 if (!smp_sufficient_security(conn->hcon, pchan->sec_level, 4859 SMP_ALLOW_STK)) { 4860 result = L2CAP_CR_LE_AUTHENTICATION; 4861 chan = NULL; 4862 goto response_unlock; 4863 } 4864 4865 /* Check for valid dynamic CID range */ 4866 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { 4867 result = L2CAP_CR_LE_INVALID_SCID; 4868 chan = NULL; 4869 goto response_unlock; 4870 } 4871 4872 /* Check if we already have channel with that dcid */ 4873 if (__l2cap_get_chan_by_dcid(conn, scid)) { 4874 result = L2CAP_CR_LE_SCID_IN_USE; 4875 chan = NULL; 4876 goto response_unlock; 4877 } 4878 4879 chan = pchan->ops->new_connection(pchan); 4880 if (!chan) { 4881 result = L2CAP_CR_LE_NO_MEM; 4882 goto response_unlock; 4883 } 4884 4885 bacpy(&chan->src, &conn->hcon->src); 4886 bacpy(&chan->dst, &conn->hcon->dst); 4887 chan->src_type = bdaddr_src_type(conn->hcon); 4888 chan->dst_type = bdaddr_dst_type(conn->hcon); 4889 chan->psm = psm; 4890 chan->dcid = scid; 4891 chan->omtu = mtu; 4892 chan->remote_mps = mps; 4893 4894 __l2cap_chan_add(conn, chan); 4895 4896 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits)); 4897 4898 dcid = chan->scid; 4899 credits = chan->rx_credits; 4900 4901 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 4902 4903 chan->ident = cmd->ident; 4904 4905 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 4906 l2cap_state_change(chan, BT_CONNECT2); 4907 /* The following result value is actually not defined 4908 * for LE CoC but we use it to let the function know 4909 * that it should bail out after doing its cleanup 4910 * instead of sending a response. 4911 */ 4912 result = L2CAP_CR_PEND; 4913 chan->ops->defer(chan); 4914 } else { 4915 l2cap_chan_ready(chan); 4916 result = L2CAP_CR_LE_SUCCESS; 4917 } 4918 4919 response_unlock: 4920 l2cap_chan_unlock(pchan); 4921 mutex_unlock(&conn->chan_lock); 4922 l2cap_chan_put(pchan); 4923 4924 if (result == L2CAP_CR_PEND) 4925 return 0; 4926 4927 response: 4928 if (chan) { 4929 rsp.mtu = cpu_to_le16(chan->imtu); 4930 rsp.mps = cpu_to_le16(chan->mps); 4931 } else { 4932 rsp.mtu = 0; 4933 rsp.mps = 0; 4934 } 4935 4936 rsp.dcid = cpu_to_le16(dcid); 4937 rsp.credits = cpu_to_le16(credits); 4938 rsp.result = cpu_to_le16(result); 4939 4940 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp); 4941 4942 return 0; 4943 } 4944 4945 static inline int l2cap_le_credits(struct l2cap_conn *conn, 4946 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4947 u8 *data) 4948 { 4949 struct l2cap_le_credits *pkt; 4950 struct l2cap_chan *chan; 4951 u16 cid, credits, max_credits; 4952 4953 if (cmd_len != sizeof(*pkt)) 4954 return -EPROTO; 4955 4956 pkt = (struct l2cap_le_credits *) data; 4957 cid = __le16_to_cpu(pkt->cid); 4958 credits = __le16_to_cpu(pkt->credits); 4959 4960 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits); 4961 4962 chan = l2cap_get_chan_by_dcid(conn, cid); 4963 if (!chan) 4964 return -EBADSLT; 4965 4966 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits; 4967 if (credits > max_credits) { 4968 BT_ERR("LE credits overflow"); 4969 l2cap_send_disconn_req(chan, ECONNRESET); 4970 4971 /* Return 0 so that we don't trigger an unnecessary 4972 * command reject packet. 4973 */ 4974 goto unlock; 4975 } 4976 4977 chan->tx_credits += credits; 4978 4979 /* Resume sending */ 4980 l2cap_le_flowctl_send(chan); 4981 4982 if (chan->tx_credits) 4983 chan->ops->resume(chan); 4984 4985 unlock: 4986 l2cap_chan_unlock(chan); 4987 l2cap_chan_put(chan); 4988 4989 return 0; 4990 } 4991 4992 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, 4993 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4994 u8 *data) 4995 { 4996 struct l2cap_ecred_conn_req *req = (void *) data; 4997 struct { 4998 struct l2cap_ecred_conn_rsp rsp; 4999 __le16 dcid[L2CAP_ECRED_MAX_CID]; 5000 } __packed pdu; 5001 struct l2cap_chan *chan, *pchan; 5002 u16 mtu, mps; 5003 __le16 psm; 5004 u8 result, len = 0; 5005 int i, num_scid; 5006 bool defer = false; 5007 5008 if (!enable_ecred) 5009 return -EINVAL; 5010 5011 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) { 5012 result = L2CAP_CR_LE_INVALID_PARAMS; 5013 goto response; 5014 } 5015 5016 cmd_len -= sizeof(*req); 5017 num_scid = cmd_len / sizeof(u16); 5018 5019 if (num_scid > ARRAY_SIZE(pdu.dcid)) { 5020 result = L2CAP_CR_LE_INVALID_PARAMS; 5021 goto response; 5022 } 5023 5024 mtu = __le16_to_cpu(req->mtu); 5025 mps = __le16_to_cpu(req->mps); 5026 5027 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) { 5028 result = L2CAP_CR_LE_UNACCEPT_PARAMS; 5029 goto response; 5030 } 5031 5032 psm = req->psm; 5033 5034 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A 5035 * page 1059: 5036 * 5037 * Valid range: 0x0001-0x00ff 5038 * 5039 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges 5040 */ 5041 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { 5042 result = L2CAP_CR_LE_BAD_PSM; 5043 goto response; 5044 } 5045 5046 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps); 5047 5048 memset(&pdu, 0, sizeof(pdu)); 5049 5050 /* Check if we have socket listening on psm */ 5051 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 5052 &conn->hcon->dst, LE_LINK); 5053 if (!pchan) { 5054 result = L2CAP_CR_LE_BAD_PSM; 5055 goto response; 5056 } 5057 5058 mutex_lock(&conn->chan_lock); 5059 l2cap_chan_lock(pchan); 5060 5061 if (!smp_sufficient_security(conn->hcon, pchan->sec_level, 5062 SMP_ALLOW_STK)) { 5063 result = L2CAP_CR_LE_AUTHENTICATION; 5064 goto unlock; 5065 } 5066 5067 result = L2CAP_CR_LE_SUCCESS; 5068 5069 for (i = 0; i < num_scid; i++) { 5070 u16 scid = __le16_to_cpu(req->scid[i]); 5071 5072 BT_DBG("scid[%d] 0x%4.4x", i, scid); 5073 5074 pdu.dcid[i] = 0x0000; 5075 len += sizeof(*pdu.dcid); 5076 5077 /* Check for valid dynamic CID range */ 5078 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { 5079 result = L2CAP_CR_LE_INVALID_SCID; 5080 continue; 5081 } 5082 5083 /* Check if we already have channel with that dcid */ 5084 if (__l2cap_get_chan_by_dcid(conn, scid)) { 5085 result = L2CAP_CR_LE_SCID_IN_USE; 5086 continue; 5087 } 5088 5089 chan = pchan->ops->new_connection(pchan); 5090 if (!chan) { 5091 result = L2CAP_CR_LE_NO_MEM; 5092 continue; 5093 } 5094 5095 bacpy(&chan->src, &conn->hcon->src); 5096 bacpy(&chan->dst, &conn->hcon->dst); 5097 chan->src_type = bdaddr_src_type(conn->hcon); 5098 chan->dst_type = bdaddr_dst_type(conn->hcon); 5099 chan->psm = psm; 5100 chan->dcid = scid; 5101 chan->omtu = mtu; 5102 chan->remote_mps = mps; 5103 5104 __l2cap_chan_add(conn, chan); 5105 5106 l2cap_ecred_init(chan, __le16_to_cpu(req->credits)); 5107 5108 /* Init response */ 5109 if (!pdu.rsp.credits) { 5110 pdu.rsp.mtu = cpu_to_le16(chan->imtu); 5111 pdu.rsp.mps = cpu_to_le16(chan->mps); 5112 pdu.rsp.credits = cpu_to_le16(chan->rx_credits); 5113 } 5114 5115 pdu.dcid[i] = cpu_to_le16(chan->scid); 5116 5117 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 5118 5119 chan->ident = cmd->ident; 5120 chan->mode = L2CAP_MODE_EXT_FLOWCTL; 5121 5122 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 5123 l2cap_state_change(chan, BT_CONNECT2); 5124 defer = true; 5125 chan->ops->defer(chan); 5126 } else { 5127 l2cap_chan_ready(chan); 5128 } 5129 } 5130 5131 unlock: 5132 l2cap_chan_unlock(pchan); 5133 mutex_unlock(&conn->chan_lock); 5134 l2cap_chan_put(pchan); 5135 5136 response: 5137 pdu.rsp.result = cpu_to_le16(result); 5138 5139 if (defer) 5140 return 0; 5141 5142 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP, 5143 sizeof(pdu.rsp) + len, &pdu); 5144 5145 return 0; 5146 } 5147 5148 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn, 5149 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5150 u8 *data) 5151 { 5152 struct l2cap_ecred_conn_rsp *rsp = (void *) data; 5153 struct hci_conn *hcon = conn->hcon; 5154 u16 mtu, mps, credits, result; 5155 struct l2cap_chan *chan, *tmp; 5156 int err = 0, sec_level; 5157 int i = 0; 5158 5159 if (cmd_len < sizeof(*rsp)) 5160 return -EPROTO; 5161 5162 mtu = __le16_to_cpu(rsp->mtu); 5163 mps = __le16_to_cpu(rsp->mps); 5164 credits = __le16_to_cpu(rsp->credits); 5165 result = __le16_to_cpu(rsp->result); 5166 5167 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits, 5168 result); 5169 5170 mutex_lock(&conn->chan_lock); 5171 5172 cmd_len -= sizeof(*rsp); 5173 5174 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 5175 u16 dcid; 5176 5177 if (chan->ident != cmd->ident || 5178 chan->mode != L2CAP_MODE_EXT_FLOWCTL || 5179 chan->state == BT_CONNECTED) 5180 continue; 5181 5182 l2cap_chan_lock(chan); 5183 5184 /* Check that there is a dcid for each pending channel */ 5185 if (cmd_len < sizeof(dcid)) { 5186 l2cap_chan_del(chan, ECONNREFUSED); 5187 l2cap_chan_unlock(chan); 5188 continue; 5189 } 5190 5191 dcid = __le16_to_cpu(rsp->dcid[i++]); 5192 cmd_len -= sizeof(u16); 5193 5194 BT_DBG("dcid[%d] 0x%4.4x", i, dcid); 5195 5196 /* Check if dcid is already in use */ 5197 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) { 5198 /* If a device receives a 5199 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an 5200 * already-assigned Destination CID, then both the 5201 * original channel and the new channel shall be 5202 * immediately discarded and not used. 5203 */ 5204 l2cap_chan_del(chan, ECONNREFUSED); 5205 l2cap_chan_unlock(chan); 5206 chan = __l2cap_get_chan_by_dcid(conn, dcid); 5207 l2cap_chan_lock(chan); 5208 l2cap_chan_del(chan, ECONNRESET); 5209 l2cap_chan_unlock(chan); 5210 continue; 5211 } 5212 5213 switch (result) { 5214 case L2CAP_CR_LE_AUTHENTICATION: 5215 case L2CAP_CR_LE_ENCRYPTION: 5216 /* If we already have MITM protection we can't do 5217 * anything. 5218 */ 5219 if (hcon->sec_level > BT_SECURITY_MEDIUM) { 5220 l2cap_chan_del(chan, ECONNREFUSED); 5221 break; 5222 } 5223 5224 sec_level = hcon->sec_level + 1; 5225 if (chan->sec_level < sec_level) 5226 chan->sec_level = sec_level; 5227 5228 /* We'll need to send a new Connect Request */ 5229 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags); 5230 5231 smp_conn_security(hcon, chan->sec_level); 5232 break; 5233 5234 case L2CAP_CR_LE_BAD_PSM: 5235 l2cap_chan_del(chan, ECONNREFUSED); 5236 break; 5237 5238 default: 5239 /* If dcid was not set it means channels was refused */ 5240 if (!dcid) { 5241 l2cap_chan_del(chan, ECONNREFUSED); 5242 break; 5243 } 5244 5245 chan->ident = 0; 5246 chan->dcid = dcid; 5247 chan->omtu = mtu; 5248 chan->remote_mps = mps; 5249 chan->tx_credits = credits; 5250 l2cap_chan_ready(chan); 5251 break; 5252 } 5253 5254 l2cap_chan_unlock(chan); 5255 } 5256 5257 mutex_unlock(&conn->chan_lock); 5258 5259 return err; 5260 } 5261 5262 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn, 5263 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5264 u8 *data) 5265 { 5266 struct l2cap_ecred_reconf_req *req = (void *) data; 5267 struct l2cap_ecred_reconf_rsp rsp; 5268 u16 mtu, mps, result; 5269 struct l2cap_chan *chan; 5270 int i, num_scid; 5271 5272 if (!enable_ecred) 5273 return -EINVAL; 5274 5275 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) { 5276 result = L2CAP_CR_LE_INVALID_PARAMS; 5277 goto respond; 5278 } 5279 5280 mtu = __le16_to_cpu(req->mtu); 5281 mps = __le16_to_cpu(req->mps); 5282 5283 BT_DBG("mtu %u mps %u", mtu, mps); 5284 5285 if (mtu < L2CAP_ECRED_MIN_MTU) { 5286 result = L2CAP_RECONF_INVALID_MTU; 5287 goto respond; 5288 } 5289 5290 if (mps < L2CAP_ECRED_MIN_MPS) { 5291 result = L2CAP_RECONF_INVALID_MPS; 5292 goto respond; 5293 } 5294 5295 cmd_len -= sizeof(*req); 5296 num_scid = cmd_len / sizeof(u16); 5297 result = L2CAP_RECONF_SUCCESS; 5298 5299 for (i = 0; i < num_scid; i++) { 5300 u16 scid; 5301 5302 scid = __le16_to_cpu(req->scid[i]); 5303 if (!scid) 5304 return -EPROTO; 5305 5306 chan = __l2cap_get_chan_by_dcid(conn, scid); 5307 if (!chan) 5308 continue; 5309 5310 /* If the MTU value is decreased for any of the included 5311 * channels, then the receiver shall disconnect all 5312 * included channels. 5313 */ 5314 if (chan->omtu > mtu) { 5315 BT_ERR("chan %p decreased MTU %u -> %u", chan, 5316 chan->omtu, mtu); 5317 result = L2CAP_RECONF_INVALID_MTU; 5318 } 5319 5320 chan->omtu = mtu; 5321 chan->remote_mps = mps; 5322 } 5323 5324 respond: 5325 rsp.result = cpu_to_le16(result); 5326 5327 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp), 5328 &rsp); 5329 5330 return 0; 5331 } 5332 5333 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn, 5334 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5335 u8 *data) 5336 { 5337 struct l2cap_chan *chan, *tmp; 5338 struct l2cap_ecred_conn_rsp *rsp = (void *) data; 5339 u16 result; 5340 5341 if (cmd_len < sizeof(*rsp)) 5342 return -EPROTO; 5343 5344 result = __le16_to_cpu(rsp->result); 5345 5346 BT_DBG("result 0x%4.4x", rsp->result); 5347 5348 if (!result) 5349 return 0; 5350 5351 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 5352 if (chan->ident != cmd->ident) 5353 continue; 5354 5355 l2cap_chan_del(chan, ECONNRESET); 5356 } 5357 5358 return 0; 5359 } 5360 5361 static inline int l2cap_le_command_rej(struct l2cap_conn *conn, 5362 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5363 u8 *data) 5364 { 5365 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 5366 struct l2cap_chan *chan; 5367 5368 if (cmd_len < sizeof(*rej)) 5369 return -EPROTO; 5370 5371 mutex_lock(&conn->chan_lock); 5372 5373 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 5374 if (!chan) 5375 goto done; 5376 5377 chan = l2cap_chan_hold_unless_zero(chan); 5378 if (!chan) 5379 goto done; 5380 5381 l2cap_chan_lock(chan); 5382 l2cap_chan_del(chan, ECONNREFUSED); 5383 l2cap_chan_unlock(chan); 5384 l2cap_chan_put(chan); 5385 5386 done: 5387 mutex_unlock(&conn->chan_lock); 5388 return 0; 5389 } 5390 5391 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn, 5392 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5393 u8 *data) 5394 { 5395 int err = 0; 5396 5397 switch (cmd->code) { 5398 case L2CAP_COMMAND_REJ: 5399 l2cap_le_command_rej(conn, cmd, cmd_len, data); 5400 break; 5401 5402 case L2CAP_CONN_PARAM_UPDATE_REQ: 5403 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data); 5404 break; 5405 5406 case L2CAP_CONN_PARAM_UPDATE_RSP: 5407 break; 5408 5409 case L2CAP_LE_CONN_RSP: 5410 l2cap_le_connect_rsp(conn, cmd, cmd_len, data); 5411 break; 5412 5413 case L2CAP_LE_CONN_REQ: 5414 err = l2cap_le_connect_req(conn, cmd, cmd_len, data); 5415 break; 5416 5417 case L2CAP_LE_CREDITS: 5418 err = l2cap_le_credits(conn, cmd, cmd_len, data); 5419 break; 5420 5421 case L2CAP_ECRED_CONN_REQ: 5422 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data); 5423 break; 5424 5425 case L2CAP_ECRED_CONN_RSP: 5426 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data); 5427 break; 5428 5429 case L2CAP_ECRED_RECONF_REQ: 5430 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data); 5431 break; 5432 5433 case L2CAP_ECRED_RECONF_RSP: 5434 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data); 5435 break; 5436 5437 case L2CAP_DISCONN_REQ: 5438 err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 5439 break; 5440 5441 case L2CAP_DISCONN_RSP: 5442 l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 5443 break; 5444 5445 default: 5446 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code); 5447 err = -EINVAL; 5448 break; 5449 } 5450 5451 return err; 5452 } 5453 5454 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn, 5455 struct sk_buff *skb) 5456 { 5457 struct hci_conn *hcon = conn->hcon; 5458 struct l2cap_cmd_hdr *cmd; 5459 u16 len; 5460 int err; 5461 5462 if (hcon->type != LE_LINK) 5463 goto drop; 5464 5465 if (skb->len < L2CAP_CMD_HDR_SIZE) 5466 goto drop; 5467 5468 cmd = (void *) skb->data; 5469 skb_pull(skb, L2CAP_CMD_HDR_SIZE); 5470 5471 len = le16_to_cpu(cmd->len); 5472 5473 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident); 5474 5475 if (len != skb->len || !cmd->ident) { 5476 BT_DBG("corrupted command"); 5477 goto drop; 5478 } 5479 5480 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data); 5481 if (err) { 5482 struct l2cap_cmd_rej_unk rej; 5483 5484 BT_ERR("Wrong link type (%d)", err); 5485 5486 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 5487 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, 5488 sizeof(rej), &rej); 5489 } 5490 5491 drop: 5492 kfree_skb(skb); 5493 } 5494 5495 static inline void l2cap_sig_send_rej(struct l2cap_conn *conn, u16 ident) 5496 { 5497 struct l2cap_cmd_rej_unk rej; 5498 5499 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 5500 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 5501 } 5502 5503 static inline void l2cap_sig_channel(struct l2cap_conn *conn, 5504 struct sk_buff *skb) 5505 { 5506 struct hci_conn *hcon = conn->hcon; 5507 struct l2cap_cmd_hdr *cmd; 5508 int err; 5509 5510 l2cap_raw_recv(conn, skb); 5511 5512 if (hcon->type != ACL_LINK) 5513 goto drop; 5514 5515 while (skb->len >= L2CAP_CMD_HDR_SIZE) { 5516 u16 len; 5517 5518 cmd = (void *) skb->data; 5519 skb_pull(skb, L2CAP_CMD_HDR_SIZE); 5520 5521 len = le16_to_cpu(cmd->len); 5522 5523 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, 5524 cmd->ident); 5525 5526 if (len > skb->len || !cmd->ident) { 5527 BT_DBG("corrupted command"); 5528 l2cap_sig_send_rej(conn, cmd->ident); 5529 skb_pull(skb, len > skb->len ? skb->len : len); 5530 continue; 5531 } 5532 5533 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data); 5534 if (err) { 5535 BT_ERR("Wrong link type (%d)", err); 5536 l2cap_sig_send_rej(conn, cmd->ident); 5537 } 5538 5539 skb_pull(skb, len); 5540 } 5541 5542 if (skb->len > 0) { 5543 BT_DBG("corrupted command"); 5544 l2cap_sig_send_rej(conn, 0); 5545 } 5546 5547 drop: 5548 kfree_skb(skb); 5549 } 5550 5551 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb) 5552 { 5553 u16 our_fcs, rcv_fcs; 5554 int hdr_size; 5555 5556 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 5557 hdr_size = L2CAP_EXT_HDR_SIZE; 5558 else 5559 hdr_size = L2CAP_ENH_HDR_SIZE; 5560 5561 if (chan->fcs == L2CAP_FCS_CRC16) { 5562 skb_trim(skb, skb->len - L2CAP_FCS_SIZE); 5563 rcv_fcs = get_unaligned_le16(skb->data + skb->len); 5564 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size); 5565 5566 if (our_fcs != rcv_fcs) 5567 return -EBADMSG; 5568 } 5569 return 0; 5570 } 5571 5572 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan) 5573 { 5574 struct l2cap_ctrl control; 5575 5576 BT_DBG("chan %p", chan); 5577 5578 memset(&control, 0, sizeof(control)); 5579 control.sframe = 1; 5580 control.final = 1; 5581 control.reqseq = chan->buffer_seq; 5582 set_bit(CONN_SEND_FBIT, &chan->conn_state); 5583 5584 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5585 control.super = L2CAP_SUPER_RNR; 5586 l2cap_send_sframe(chan, &control); 5587 } 5588 5589 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) && 5590 chan->unacked_frames > 0) 5591 __set_retrans_timer(chan); 5592 5593 /* Send pending iframes */ 5594 l2cap_ertm_send(chan); 5595 5596 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 5597 test_bit(CONN_SEND_FBIT, &chan->conn_state)) { 5598 /* F-bit wasn't sent in an s-frame or i-frame yet, so 5599 * send it now. 5600 */ 5601 control.super = L2CAP_SUPER_RR; 5602 l2cap_send_sframe(chan, &control); 5603 } 5604 } 5605 5606 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag, 5607 struct sk_buff **last_frag) 5608 { 5609 /* skb->len reflects data in skb as well as all fragments 5610 * skb->data_len reflects only data in fragments 5611 */ 5612 if (!skb_has_frag_list(skb)) 5613 skb_shinfo(skb)->frag_list = new_frag; 5614 5615 new_frag->next = NULL; 5616 5617 (*last_frag)->next = new_frag; 5618 *last_frag = new_frag; 5619 5620 skb->len += new_frag->len; 5621 skb->data_len += new_frag->len; 5622 skb->truesize += new_frag->truesize; 5623 } 5624 5625 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, 5626 struct l2cap_ctrl *control) 5627 { 5628 int err = -EINVAL; 5629 5630 switch (control->sar) { 5631 case L2CAP_SAR_UNSEGMENTED: 5632 if (chan->sdu) 5633 break; 5634 5635 err = chan->ops->recv(chan, skb); 5636 break; 5637 5638 case L2CAP_SAR_START: 5639 if (chan->sdu) 5640 break; 5641 5642 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE)) 5643 break; 5644 5645 chan->sdu_len = get_unaligned_le16(skb->data); 5646 skb_pull(skb, L2CAP_SDULEN_SIZE); 5647 5648 if (chan->sdu_len > chan->imtu) { 5649 err = -EMSGSIZE; 5650 break; 5651 } 5652 5653 if (skb->len >= chan->sdu_len) 5654 break; 5655 5656 chan->sdu = skb; 5657 chan->sdu_last_frag = skb; 5658 5659 skb = NULL; 5660 err = 0; 5661 break; 5662 5663 case L2CAP_SAR_CONTINUE: 5664 if (!chan->sdu) 5665 break; 5666 5667 append_skb_frag(chan->sdu, skb, 5668 &chan->sdu_last_frag); 5669 skb = NULL; 5670 5671 if (chan->sdu->len >= chan->sdu_len) 5672 break; 5673 5674 err = 0; 5675 break; 5676 5677 case L2CAP_SAR_END: 5678 if (!chan->sdu) 5679 break; 5680 5681 append_skb_frag(chan->sdu, skb, 5682 &chan->sdu_last_frag); 5683 skb = NULL; 5684 5685 if (chan->sdu->len != chan->sdu_len) 5686 break; 5687 5688 err = chan->ops->recv(chan, chan->sdu); 5689 5690 if (!err) { 5691 /* Reassembly complete */ 5692 chan->sdu = NULL; 5693 chan->sdu_last_frag = NULL; 5694 chan->sdu_len = 0; 5695 } 5696 break; 5697 } 5698 5699 if (err) { 5700 kfree_skb(skb); 5701 kfree_skb(chan->sdu); 5702 chan->sdu = NULL; 5703 chan->sdu_last_frag = NULL; 5704 chan->sdu_len = 0; 5705 } 5706 5707 return err; 5708 } 5709 5710 static int l2cap_resegment(struct l2cap_chan *chan) 5711 { 5712 /* Placeholder */ 5713 return 0; 5714 } 5715 5716 void l2cap_chan_busy(struct l2cap_chan *chan, int busy) 5717 { 5718 u8 event; 5719 5720 if (chan->mode != L2CAP_MODE_ERTM) 5721 return; 5722 5723 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR; 5724 l2cap_tx(chan, NULL, NULL, event); 5725 } 5726 5727 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan) 5728 { 5729 int err = 0; 5730 /* Pass sequential frames to l2cap_reassemble_sdu() 5731 * until a gap is encountered. 5732 */ 5733 5734 BT_DBG("chan %p", chan); 5735 5736 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5737 struct sk_buff *skb; 5738 BT_DBG("Searching for skb with txseq %d (queue len %d)", 5739 chan->buffer_seq, skb_queue_len(&chan->srej_q)); 5740 5741 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq); 5742 5743 if (!skb) 5744 break; 5745 5746 skb_unlink(skb, &chan->srej_q); 5747 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 5748 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap); 5749 if (err) 5750 break; 5751 } 5752 5753 if (skb_queue_empty(&chan->srej_q)) { 5754 chan->rx_state = L2CAP_RX_STATE_RECV; 5755 l2cap_send_ack(chan); 5756 } 5757 5758 return err; 5759 } 5760 5761 static void l2cap_handle_srej(struct l2cap_chan *chan, 5762 struct l2cap_ctrl *control) 5763 { 5764 struct sk_buff *skb; 5765 5766 BT_DBG("chan %p, control %p", chan, control); 5767 5768 if (control->reqseq == chan->next_tx_seq) { 5769 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 5770 l2cap_send_disconn_req(chan, ECONNRESET); 5771 return; 5772 } 5773 5774 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 5775 5776 if (skb == NULL) { 5777 BT_DBG("Seq %d not available for retransmission", 5778 control->reqseq); 5779 return; 5780 } 5781 5782 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) { 5783 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 5784 l2cap_send_disconn_req(chan, ECONNRESET); 5785 return; 5786 } 5787 5788 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 5789 5790 if (control->poll) { 5791 l2cap_pass_to_tx(chan, control); 5792 5793 set_bit(CONN_SEND_FBIT, &chan->conn_state); 5794 l2cap_retransmit(chan, control); 5795 l2cap_ertm_send(chan); 5796 5797 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 5798 set_bit(CONN_SREJ_ACT, &chan->conn_state); 5799 chan->srej_save_reqseq = control->reqseq; 5800 } 5801 } else { 5802 l2cap_pass_to_tx_fbit(chan, control); 5803 5804 if (control->final) { 5805 if (chan->srej_save_reqseq != control->reqseq || 5806 !test_and_clear_bit(CONN_SREJ_ACT, 5807 &chan->conn_state)) 5808 l2cap_retransmit(chan, control); 5809 } else { 5810 l2cap_retransmit(chan, control); 5811 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 5812 set_bit(CONN_SREJ_ACT, &chan->conn_state); 5813 chan->srej_save_reqseq = control->reqseq; 5814 } 5815 } 5816 } 5817 } 5818 5819 static void l2cap_handle_rej(struct l2cap_chan *chan, 5820 struct l2cap_ctrl *control) 5821 { 5822 struct sk_buff *skb; 5823 5824 BT_DBG("chan %p, control %p", chan, control); 5825 5826 if (control->reqseq == chan->next_tx_seq) { 5827 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 5828 l2cap_send_disconn_req(chan, ECONNRESET); 5829 return; 5830 } 5831 5832 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 5833 5834 if (chan->max_tx && skb && 5835 bt_cb(skb)->l2cap.retries >= chan->max_tx) { 5836 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 5837 l2cap_send_disconn_req(chan, ECONNRESET); 5838 return; 5839 } 5840 5841 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 5842 5843 l2cap_pass_to_tx(chan, control); 5844 5845 if (control->final) { 5846 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state)) 5847 l2cap_retransmit_all(chan, control); 5848 } else { 5849 l2cap_retransmit_all(chan, control); 5850 l2cap_ertm_send(chan); 5851 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) 5852 set_bit(CONN_REJ_ACT, &chan->conn_state); 5853 } 5854 } 5855 5856 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq) 5857 { 5858 BT_DBG("chan %p, txseq %d", chan, txseq); 5859 5860 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq, 5861 chan->expected_tx_seq); 5862 5863 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 5864 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 5865 chan->tx_win) { 5866 /* See notes below regarding "double poll" and 5867 * invalid packets. 5868 */ 5869 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 5870 BT_DBG("Invalid/Ignore - after SREJ"); 5871 return L2CAP_TXSEQ_INVALID_IGNORE; 5872 } else { 5873 BT_DBG("Invalid - in window after SREJ sent"); 5874 return L2CAP_TXSEQ_INVALID; 5875 } 5876 } 5877 5878 if (chan->srej_list.head == txseq) { 5879 BT_DBG("Expected SREJ"); 5880 return L2CAP_TXSEQ_EXPECTED_SREJ; 5881 } 5882 5883 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) { 5884 BT_DBG("Duplicate SREJ - txseq already stored"); 5885 return L2CAP_TXSEQ_DUPLICATE_SREJ; 5886 } 5887 5888 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) { 5889 BT_DBG("Unexpected SREJ - not requested"); 5890 return L2CAP_TXSEQ_UNEXPECTED_SREJ; 5891 } 5892 } 5893 5894 if (chan->expected_tx_seq == txseq) { 5895 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 5896 chan->tx_win) { 5897 BT_DBG("Invalid - txseq outside tx window"); 5898 return L2CAP_TXSEQ_INVALID; 5899 } else { 5900 BT_DBG("Expected"); 5901 return L2CAP_TXSEQ_EXPECTED; 5902 } 5903 } 5904 5905 if (__seq_offset(chan, txseq, chan->last_acked_seq) < 5906 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) { 5907 BT_DBG("Duplicate - expected_tx_seq later than txseq"); 5908 return L2CAP_TXSEQ_DUPLICATE; 5909 } 5910 5911 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) { 5912 /* A source of invalid packets is a "double poll" condition, 5913 * where delays cause us to send multiple poll packets. If 5914 * the remote stack receives and processes both polls, 5915 * sequence numbers can wrap around in such a way that a 5916 * resent frame has a sequence number that looks like new data 5917 * with a sequence gap. This would trigger an erroneous SREJ 5918 * request. 5919 * 5920 * Fortunately, this is impossible with a tx window that's 5921 * less than half of the maximum sequence number, which allows 5922 * invalid frames to be safely ignored. 5923 * 5924 * With tx window sizes greater than half of the tx window 5925 * maximum, the frame is invalid and cannot be ignored. This 5926 * causes a disconnect. 5927 */ 5928 5929 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 5930 BT_DBG("Invalid/Ignore - txseq outside tx window"); 5931 return L2CAP_TXSEQ_INVALID_IGNORE; 5932 } else { 5933 BT_DBG("Invalid - txseq outside tx window"); 5934 return L2CAP_TXSEQ_INVALID; 5935 } 5936 } else { 5937 BT_DBG("Unexpected - txseq indicates missing frames"); 5938 return L2CAP_TXSEQ_UNEXPECTED; 5939 } 5940 } 5941 5942 static int l2cap_rx_state_recv(struct l2cap_chan *chan, 5943 struct l2cap_ctrl *control, 5944 struct sk_buff *skb, u8 event) 5945 { 5946 struct l2cap_ctrl local_control; 5947 int err = 0; 5948 bool skb_in_use = false; 5949 5950 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 5951 event); 5952 5953 switch (event) { 5954 case L2CAP_EV_RECV_IFRAME: 5955 switch (l2cap_classify_txseq(chan, control->txseq)) { 5956 case L2CAP_TXSEQ_EXPECTED: 5957 l2cap_pass_to_tx(chan, control); 5958 5959 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5960 BT_DBG("Busy, discarding expected seq %d", 5961 control->txseq); 5962 break; 5963 } 5964 5965 chan->expected_tx_seq = __next_seq(chan, 5966 control->txseq); 5967 5968 chan->buffer_seq = chan->expected_tx_seq; 5969 skb_in_use = true; 5970 5971 /* l2cap_reassemble_sdu may free skb, hence invalidate 5972 * control, so make a copy in advance to use it after 5973 * l2cap_reassemble_sdu returns and to avoid the race 5974 * condition, for example: 5975 * 5976 * The current thread calls: 5977 * l2cap_reassemble_sdu 5978 * chan->ops->recv == l2cap_sock_recv_cb 5979 * __sock_queue_rcv_skb 5980 * Another thread calls: 5981 * bt_sock_recvmsg 5982 * skb_recv_datagram 5983 * skb_free_datagram 5984 * Then the current thread tries to access control, but 5985 * it was freed by skb_free_datagram. 5986 */ 5987 local_control = *control; 5988 err = l2cap_reassemble_sdu(chan, skb, control); 5989 if (err) 5990 break; 5991 5992 if (local_control.final) { 5993 if (!test_and_clear_bit(CONN_REJ_ACT, 5994 &chan->conn_state)) { 5995 local_control.final = 0; 5996 l2cap_retransmit_all(chan, &local_control); 5997 l2cap_ertm_send(chan); 5998 } 5999 } 6000 6001 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 6002 l2cap_send_ack(chan); 6003 break; 6004 case L2CAP_TXSEQ_UNEXPECTED: 6005 l2cap_pass_to_tx(chan, control); 6006 6007 /* Can't issue SREJ frames in the local busy state. 6008 * Drop this frame, it will be seen as missing 6009 * when local busy is exited. 6010 */ 6011 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 6012 BT_DBG("Busy, discarding unexpected seq %d", 6013 control->txseq); 6014 break; 6015 } 6016 6017 /* There was a gap in the sequence, so an SREJ 6018 * must be sent for each missing frame. The 6019 * current frame is stored for later use. 6020 */ 6021 skb_queue_tail(&chan->srej_q, skb); 6022 skb_in_use = true; 6023 BT_DBG("Queued %p (queue len %d)", skb, 6024 skb_queue_len(&chan->srej_q)); 6025 6026 clear_bit(CONN_SREJ_ACT, &chan->conn_state); 6027 l2cap_seq_list_clear(&chan->srej_list); 6028 l2cap_send_srej(chan, control->txseq); 6029 6030 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT; 6031 break; 6032 case L2CAP_TXSEQ_DUPLICATE: 6033 l2cap_pass_to_tx(chan, control); 6034 break; 6035 case L2CAP_TXSEQ_INVALID_IGNORE: 6036 break; 6037 case L2CAP_TXSEQ_INVALID: 6038 default: 6039 l2cap_send_disconn_req(chan, ECONNRESET); 6040 break; 6041 } 6042 break; 6043 case L2CAP_EV_RECV_RR: 6044 l2cap_pass_to_tx(chan, control); 6045 if (control->final) { 6046 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6047 6048 if (!test_and_clear_bit(CONN_REJ_ACT, 6049 &chan->conn_state)) { 6050 control->final = 0; 6051 l2cap_retransmit_all(chan, control); 6052 } 6053 6054 l2cap_ertm_send(chan); 6055 } else if (control->poll) { 6056 l2cap_send_i_or_rr_or_rnr(chan); 6057 } else { 6058 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6059 &chan->conn_state) && 6060 chan->unacked_frames) 6061 __set_retrans_timer(chan); 6062 6063 l2cap_ertm_send(chan); 6064 } 6065 break; 6066 case L2CAP_EV_RECV_RNR: 6067 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6068 l2cap_pass_to_tx(chan, control); 6069 if (control && control->poll) { 6070 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6071 l2cap_send_rr_or_rnr(chan, 0); 6072 } 6073 __clear_retrans_timer(chan); 6074 l2cap_seq_list_clear(&chan->retrans_list); 6075 break; 6076 case L2CAP_EV_RECV_REJ: 6077 l2cap_handle_rej(chan, control); 6078 break; 6079 case L2CAP_EV_RECV_SREJ: 6080 l2cap_handle_srej(chan, control); 6081 break; 6082 default: 6083 break; 6084 } 6085 6086 if (skb && !skb_in_use) { 6087 BT_DBG("Freeing %p", skb); 6088 kfree_skb(skb); 6089 } 6090 6091 return err; 6092 } 6093 6094 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan, 6095 struct l2cap_ctrl *control, 6096 struct sk_buff *skb, u8 event) 6097 { 6098 int err = 0; 6099 u16 txseq = control->txseq; 6100 bool skb_in_use = false; 6101 6102 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 6103 event); 6104 6105 switch (event) { 6106 case L2CAP_EV_RECV_IFRAME: 6107 switch (l2cap_classify_txseq(chan, txseq)) { 6108 case L2CAP_TXSEQ_EXPECTED: 6109 /* Keep frame for reassembly later */ 6110 l2cap_pass_to_tx(chan, control); 6111 skb_queue_tail(&chan->srej_q, skb); 6112 skb_in_use = true; 6113 BT_DBG("Queued %p (queue len %d)", skb, 6114 skb_queue_len(&chan->srej_q)); 6115 6116 chan->expected_tx_seq = __next_seq(chan, txseq); 6117 break; 6118 case L2CAP_TXSEQ_EXPECTED_SREJ: 6119 l2cap_seq_list_pop(&chan->srej_list); 6120 6121 l2cap_pass_to_tx(chan, control); 6122 skb_queue_tail(&chan->srej_q, skb); 6123 skb_in_use = true; 6124 BT_DBG("Queued %p (queue len %d)", skb, 6125 skb_queue_len(&chan->srej_q)); 6126 6127 err = l2cap_rx_queued_iframes(chan); 6128 if (err) 6129 break; 6130 6131 break; 6132 case L2CAP_TXSEQ_UNEXPECTED: 6133 /* Got a frame that can't be reassembled yet. 6134 * Save it for later, and send SREJs to cover 6135 * the missing frames. 6136 */ 6137 skb_queue_tail(&chan->srej_q, skb); 6138 skb_in_use = true; 6139 BT_DBG("Queued %p (queue len %d)", skb, 6140 skb_queue_len(&chan->srej_q)); 6141 6142 l2cap_pass_to_tx(chan, control); 6143 l2cap_send_srej(chan, control->txseq); 6144 break; 6145 case L2CAP_TXSEQ_UNEXPECTED_SREJ: 6146 /* This frame was requested with an SREJ, but 6147 * some expected retransmitted frames are 6148 * missing. Request retransmission of missing 6149 * SREJ'd frames. 6150 */ 6151 skb_queue_tail(&chan->srej_q, skb); 6152 skb_in_use = true; 6153 BT_DBG("Queued %p (queue len %d)", skb, 6154 skb_queue_len(&chan->srej_q)); 6155 6156 l2cap_pass_to_tx(chan, control); 6157 l2cap_send_srej_list(chan, control->txseq); 6158 break; 6159 case L2CAP_TXSEQ_DUPLICATE_SREJ: 6160 /* We've already queued this frame. Drop this copy. */ 6161 l2cap_pass_to_tx(chan, control); 6162 break; 6163 case L2CAP_TXSEQ_DUPLICATE: 6164 /* Expecting a later sequence number, so this frame 6165 * was already received. Ignore it completely. 6166 */ 6167 break; 6168 case L2CAP_TXSEQ_INVALID_IGNORE: 6169 break; 6170 case L2CAP_TXSEQ_INVALID: 6171 default: 6172 l2cap_send_disconn_req(chan, ECONNRESET); 6173 break; 6174 } 6175 break; 6176 case L2CAP_EV_RECV_RR: 6177 l2cap_pass_to_tx(chan, control); 6178 if (control->final) { 6179 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6180 6181 if (!test_and_clear_bit(CONN_REJ_ACT, 6182 &chan->conn_state)) { 6183 control->final = 0; 6184 l2cap_retransmit_all(chan, control); 6185 } 6186 6187 l2cap_ertm_send(chan); 6188 } else if (control->poll) { 6189 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6190 &chan->conn_state) && 6191 chan->unacked_frames) { 6192 __set_retrans_timer(chan); 6193 } 6194 6195 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6196 l2cap_send_srej_tail(chan); 6197 } else { 6198 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6199 &chan->conn_state) && 6200 chan->unacked_frames) 6201 __set_retrans_timer(chan); 6202 6203 l2cap_send_ack(chan); 6204 } 6205 break; 6206 case L2CAP_EV_RECV_RNR: 6207 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6208 l2cap_pass_to_tx(chan, control); 6209 if (control->poll) { 6210 l2cap_send_srej_tail(chan); 6211 } else { 6212 struct l2cap_ctrl rr_control; 6213 memset(&rr_control, 0, sizeof(rr_control)); 6214 rr_control.sframe = 1; 6215 rr_control.super = L2CAP_SUPER_RR; 6216 rr_control.reqseq = chan->buffer_seq; 6217 l2cap_send_sframe(chan, &rr_control); 6218 } 6219 6220 break; 6221 case L2CAP_EV_RECV_REJ: 6222 l2cap_handle_rej(chan, control); 6223 break; 6224 case L2CAP_EV_RECV_SREJ: 6225 l2cap_handle_srej(chan, control); 6226 break; 6227 } 6228 6229 if (skb && !skb_in_use) { 6230 BT_DBG("Freeing %p", skb); 6231 kfree_skb(skb); 6232 } 6233 6234 return err; 6235 } 6236 6237 static int l2cap_finish_move(struct l2cap_chan *chan) 6238 { 6239 BT_DBG("chan %p", chan); 6240 6241 chan->rx_state = L2CAP_RX_STATE_RECV; 6242 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu; 6243 6244 return l2cap_resegment(chan); 6245 } 6246 6247 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan, 6248 struct l2cap_ctrl *control, 6249 struct sk_buff *skb, u8 event) 6250 { 6251 int err; 6252 6253 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 6254 event); 6255 6256 if (!control->poll) 6257 return -EPROTO; 6258 6259 l2cap_process_reqseq(chan, control->reqseq); 6260 6261 if (!skb_queue_empty(&chan->tx_q)) 6262 chan->tx_send_head = skb_peek(&chan->tx_q); 6263 else 6264 chan->tx_send_head = NULL; 6265 6266 /* Rewind next_tx_seq to the point expected 6267 * by the receiver. 6268 */ 6269 chan->next_tx_seq = control->reqseq; 6270 chan->unacked_frames = 0; 6271 6272 err = l2cap_finish_move(chan); 6273 if (err) 6274 return err; 6275 6276 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6277 l2cap_send_i_or_rr_or_rnr(chan); 6278 6279 if (event == L2CAP_EV_RECV_IFRAME) 6280 return -EPROTO; 6281 6282 return l2cap_rx_state_recv(chan, control, NULL, event); 6283 } 6284 6285 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan, 6286 struct l2cap_ctrl *control, 6287 struct sk_buff *skb, u8 event) 6288 { 6289 int err; 6290 6291 if (!control->final) 6292 return -EPROTO; 6293 6294 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6295 6296 chan->rx_state = L2CAP_RX_STATE_RECV; 6297 l2cap_process_reqseq(chan, control->reqseq); 6298 6299 if (!skb_queue_empty(&chan->tx_q)) 6300 chan->tx_send_head = skb_peek(&chan->tx_q); 6301 else 6302 chan->tx_send_head = NULL; 6303 6304 /* Rewind next_tx_seq to the point expected 6305 * by the receiver. 6306 */ 6307 chan->next_tx_seq = control->reqseq; 6308 chan->unacked_frames = 0; 6309 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu; 6310 6311 err = l2cap_resegment(chan); 6312 6313 if (!err) 6314 err = l2cap_rx_state_recv(chan, control, skb, event); 6315 6316 return err; 6317 } 6318 6319 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq) 6320 { 6321 /* Make sure reqseq is for a packet that has been sent but not acked */ 6322 u16 unacked; 6323 6324 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq); 6325 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked; 6326 } 6327 6328 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 6329 struct sk_buff *skb, u8 event) 6330 { 6331 int err = 0; 6332 6333 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan, 6334 control, skb, event, chan->rx_state); 6335 6336 if (__valid_reqseq(chan, control->reqseq)) { 6337 switch (chan->rx_state) { 6338 case L2CAP_RX_STATE_RECV: 6339 err = l2cap_rx_state_recv(chan, control, skb, event); 6340 break; 6341 case L2CAP_RX_STATE_SREJ_SENT: 6342 err = l2cap_rx_state_srej_sent(chan, control, skb, 6343 event); 6344 break; 6345 case L2CAP_RX_STATE_WAIT_P: 6346 err = l2cap_rx_state_wait_p(chan, control, skb, event); 6347 break; 6348 case L2CAP_RX_STATE_WAIT_F: 6349 err = l2cap_rx_state_wait_f(chan, control, skb, event); 6350 break; 6351 default: 6352 /* shut it down */ 6353 break; 6354 } 6355 } else { 6356 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d", 6357 control->reqseq, chan->next_tx_seq, 6358 chan->expected_ack_seq); 6359 l2cap_send_disconn_req(chan, ECONNRESET); 6360 } 6361 6362 return err; 6363 } 6364 6365 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 6366 struct sk_buff *skb) 6367 { 6368 /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store 6369 * the txseq field in advance to use it after l2cap_reassemble_sdu 6370 * returns and to avoid the race condition, for example: 6371 * 6372 * The current thread calls: 6373 * l2cap_reassemble_sdu 6374 * chan->ops->recv == l2cap_sock_recv_cb 6375 * __sock_queue_rcv_skb 6376 * Another thread calls: 6377 * bt_sock_recvmsg 6378 * skb_recv_datagram 6379 * skb_free_datagram 6380 * Then the current thread tries to access control, but it was freed by 6381 * skb_free_datagram. 6382 */ 6383 u16 txseq = control->txseq; 6384 6385 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, 6386 chan->rx_state); 6387 6388 if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { 6389 l2cap_pass_to_tx(chan, control); 6390 6391 BT_DBG("buffer_seq %u->%u", chan->buffer_seq, 6392 __next_seq(chan, chan->buffer_seq)); 6393 6394 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 6395 6396 l2cap_reassemble_sdu(chan, skb, control); 6397 } else { 6398 if (chan->sdu) { 6399 kfree_skb(chan->sdu); 6400 chan->sdu = NULL; 6401 } 6402 chan->sdu_last_frag = NULL; 6403 chan->sdu_len = 0; 6404 6405 if (skb) { 6406 BT_DBG("Freeing %p", skb); 6407 kfree_skb(skb); 6408 } 6409 } 6410 6411 chan->last_acked_seq = txseq; 6412 chan->expected_tx_seq = __next_seq(chan, txseq); 6413 6414 return 0; 6415 } 6416 6417 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 6418 { 6419 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap; 6420 u16 len; 6421 u8 event; 6422 6423 __unpack_control(chan, skb); 6424 6425 len = skb->len; 6426 6427 /* 6428 * We can just drop the corrupted I-frame here. 6429 * Receiver will miss it and start proper recovery 6430 * procedures and ask for retransmission. 6431 */ 6432 if (l2cap_check_fcs(chan, skb)) 6433 goto drop; 6434 6435 if (!control->sframe && control->sar == L2CAP_SAR_START) 6436 len -= L2CAP_SDULEN_SIZE; 6437 6438 if (chan->fcs == L2CAP_FCS_CRC16) 6439 len -= L2CAP_FCS_SIZE; 6440 6441 if (len > chan->mps) { 6442 l2cap_send_disconn_req(chan, ECONNRESET); 6443 goto drop; 6444 } 6445 6446 if (chan->ops->filter) { 6447 if (chan->ops->filter(chan, skb)) 6448 goto drop; 6449 } 6450 6451 if (!control->sframe) { 6452 int err; 6453 6454 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d", 6455 control->sar, control->reqseq, control->final, 6456 control->txseq); 6457 6458 /* Validate F-bit - F=0 always valid, F=1 only 6459 * valid in TX WAIT_F 6460 */ 6461 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F) 6462 goto drop; 6463 6464 if (chan->mode != L2CAP_MODE_STREAMING) { 6465 event = L2CAP_EV_RECV_IFRAME; 6466 err = l2cap_rx(chan, control, skb, event); 6467 } else { 6468 err = l2cap_stream_rx(chan, control, skb); 6469 } 6470 6471 if (err) 6472 l2cap_send_disconn_req(chan, ECONNRESET); 6473 } else { 6474 const u8 rx_func_to_event[4] = { 6475 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ, 6476 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ 6477 }; 6478 6479 /* Only I-frames are expected in streaming mode */ 6480 if (chan->mode == L2CAP_MODE_STREAMING) 6481 goto drop; 6482 6483 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d", 6484 control->reqseq, control->final, control->poll, 6485 control->super); 6486 6487 if (len != 0) { 6488 BT_ERR("Trailing bytes: %d in sframe", len); 6489 l2cap_send_disconn_req(chan, ECONNRESET); 6490 goto drop; 6491 } 6492 6493 /* Validate F and P bits */ 6494 if (control->final && (control->poll || 6495 chan->tx_state != L2CAP_TX_STATE_WAIT_F)) 6496 goto drop; 6497 6498 event = rx_func_to_event[control->super]; 6499 if (l2cap_rx(chan, control, skb, event)) 6500 l2cap_send_disconn_req(chan, ECONNRESET); 6501 } 6502 6503 return 0; 6504 6505 drop: 6506 kfree_skb(skb); 6507 return 0; 6508 } 6509 6510 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan) 6511 { 6512 struct l2cap_conn *conn = chan->conn; 6513 struct l2cap_le_credits pkt; 6514 u16 return_credits; 6515 6516 return_credits = (chan->imtu / chan->mps) + 1; 6517 6518 if (chan->rx_credits >= return_credits) 6519 return; 6520 6521 return_credits -= chan->rx_credits; 6522 6523 BT_DBG("chan %p returning %u credits to sender", chan, return_credits); 6524 6525 chan->rx_credits += return_credits; 6526 6527 pkt.cid = cpu_to_le16(chan->scid); 6528 pkt.credits = cpu_to_le16(return_credits); 6529 6530 chan->ident = l2cap_get_ident(conn); 6531 6532 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt); 6533 } 6534 6535 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb) 6536 { 6537 int err; 6538 6539 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len); 6540 6541 /* Wait recv to confirm reception before updating the credits */ 6542 err = chan->ops->recv(chan, skb); 6543 6544 /* Update credits whenever an SDU is received */ 6545 l2cap_chan_le_send_credits(chan); 6546 6547 return err; 6548 } 6549 6550 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 6551 { 6552 int err; 6553 6554 if (!chan->rx_credits) { 6555 BT_ERR("No credits to receive LE L2CAP data"); 6556 l2cap_send_disconn_req(chan, ECONNRESET); 6557 return -ENOBUFS; 6558 } 6559 6560 if (chan->imtu < skb->len) { 6561 BT_ERR("Too big LE L2CAP PDU"); 6562 return -ENOBUFS; 6563 } 6564 6565 chan->rx_credits--; 6566 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits); 6567 6568 /* Update if remote had run out of credits, this should only happens 6569 * if the remote is not using the entire MPS. 6570 */ 6571 if (!chan->rx_credits) 6572 l2cap_chan_le_send_credits(chan); 6573 6574 err = 0; 6575 6576 if (!chan->sdu) { 6577 u16 sdu_len; 6578 6579 sdu_len = get_unaligned_le16(skb->data); 6580 skb_pull(skb, L2CAP_SDULEN_SIZE); 6581 6582 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u", 6583 sdu_len, skb->len, chan->imtu); 6584 6585 if (sdu_len > chan->imtu) { 6586 BT_ERR("Too big LE L2CAP SDU length received"); 6587 err = -EMSGSIZE; 6588 goto failed; 6589 } 6590 6591 if (skb->len > sdu_len) { 6592 BT_ERR("Too much LE L2CAP data received"); 6593 err = -EINVAL; 6594 goto failed; 6595 } 6596 6597 if (skb->len == sdu_len) 6598 return l2cap_ecred_recv(chan, skb); 6599 6600 chan->sdu = skb; 6601 chan->sdu_len = sdu_len; 6602 chan->sdu_last_frag = skb; 6603 6604 /* Detect if remote is not able to use the selected MPS */ 6605 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) { 6606 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE; 6607 6608 /* Adjust the number of credits */ 6609 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len); 6610 chan->mps = mps_len; 6611 l2cap_chan_le_send_credits(chan); 6612 } 6613 6614 return 0; 6615 } 6616 6617 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u", 6618 chan->sdu->len, skb->len, chan->sdu_len); 6619 6620 if (chan->sdu->len + skb->len > chan->sdu_len) { 6621 BT_ERR("Too much LE L2CAP data received"); 6622 err = -EINVAL; 6623 goto failed; 6624 } 6625 6626 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag); 6627 skb = NULL; 6628 6629 if (chan->sdu->len == chan->sdu_len) { 6630 err = l2cap_ecred_recv(chan, chan->sdu); 6631 if (!err) { 6632 chan->sdu = NULL; 6633 chan->sdu_last_frag = NULL; 6634 chan->sdu_len = 0; 6635 } 6636 } 6637 6638 failed: 6639 if (err) { 6640 kfree_skb(skb); 6641 kfree_skb(chan->sdu); 6642 chan->sdu = NULL; 6643 chan->sdu_last_frag = NULL; 6644 chan->sdu_len = 0; 6645 } 6646 6647 /* We can't return an error here since we took care of the skb 6648 * freeing internally. An error return would cause the caller to 6649 * do a double-free of the skb. 6650 */ 6651 return 0; 6652 } 6653 6654 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, 6655 struct sk_buff *skb) 6656 { 6657 struct l2cap_chan *chan; 6658 6659 chan = l2cap_get_chan_by_scid(conn, cid); 6660 if (!chan) { 6661 BT_DBG("unknown cid 0x%4.4x", cid); 6662 /* Drop packet and return */ 6663 kfree_skb(skb); 6664 return; 6665 } 6666 6667 BT_DBG("chan %p, len %d", chan, skb->len); 6668 6669 /* If we receive data on a fixed channel before the info req/rsp 6670 * procedure is done simply assume that the channel is supported 6671 * and mark it as ready. 6672 */ 6673 if (chan->chan_type == L2CAP_CHAN_FIXED) 6674 l2cap_chan_ready(chan); 6675 6676 if (chan->state != BT_CONNECTED) 6677 goto drop; 6678 6679 switch (chan->mode) { 6680 case L2CAP_MODE_LE_FLOWCTL: 6681 case L2CAP_MODE_EXT_FLOWCTL: 6682 if (l2cap_ecred_data_rcv(chan, skb) < 0) 6683 goto drop; 6684 6685 goto done; 6686 6687 case L2CAP_MODE_BASIC: 6688 /* If socket recv buffers overflows we drop data here 6689 * which is *bad* because L2CAP has to be reliable. 6690 * But we don't have any other choice. L2CAP doesn't 6691 * provide flow control mechanism. */ 6692 6693 if (chan->imtu < skb->len) { 6694 BT_ERR("Dropping L2CAP data: receive buffer overflow"); 6695 goto drop; 6696 } 6697 6698 if (!chan->ops->recv(chan, skb)) 6699 goto done; 6700 break; 6701 6702 case L2CAP_MODE_ERTM: 6703 case L2CAP_MODE_STREAMING: 6704 l2cap_data_rcv(chan, skb); 6705 goto done; 6706 6707 default: 6708 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode); 6709 break; 6710 } 6711 6712 drop: 6713 kfree_skb(skb); 6714 6715 done: 6716 l2cap_chan_unlock(chan); 6717 l2cap_chan_put(chan); 6718 } 6719 6720 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, 6721 struct sk_buff *skb) 6722 { 6723 struct hci_conn *hcon = conn->hcon; 6724 struct l2cap_chan *chan; 6725 6726 if (hcon->type != ACL_LINK) 6727 goto free_skb; 6728 6729 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst, 6730 ACL_LINK); 6731 if (!chan) 6732 goto free_skb; 6733 6734 BT_DBG("chan %p, len %d", chan, skb->len); 6735 6736 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED) 6737 goto drop; 6738 6739 if (chan->imtu < skb->len) 6740 goto drop; 6741 6742 /* Store remote BD_ADDR and PSM for msg_name */ 6743 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst); 6744 bt_cb(skb)->l2cap.psm = psm; 6745 6746 if (!chan->ops->recv(chan, skb)) { 6747 l2cap_chan_put(chan); 6748 return; 6749 } 6750 6751 drop: 6752 l2cap_chan_put(chan); 6753 free_skb: 6754 kfree_skb(skb); 6755 } 6756 6757 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) 6758 { 6759 struct l2cap_hdr *lh = (void *) skb->data; 6760 struct hci_conn *hcon = conn->hcon; 6761 u16 cid, len; 6762 __le16 psm; 6763 6764 if (hcon->state != BT_CONNECTED) { 6765 BT_DBG("queueing pending rx skb"); 6766 skb_queue_tail(&conn->pending_rx, skb); 6767 return; 6768 } 6769 6770 skb_pull(skb, L2CAP_HDR_SIZE); 6771 cid = __le16_to_cpu(lh->cid); 6772 len = __le16_to_cpu(lh->len); 6773 6774 if (len != skb->len) { 6775 kfree_skb(skb); 6776 return; 6777 } 6778 6779 /* Since we can't actively block incoming LE connections we must 6780 * at least ensure that we ignore incoming data from them. 6781 */ 6782 if (hcon->type == LE_LINK && 6783 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst, 6784 bdaddr_dst_type(hcon))) { 6785 kfree_skb(skb); 6786 return; 6787 } 6788 6789 BT_DBG("len %d, cid 0x%4.4x", len, cid); 6790 6791 switch (cid) { 6792 case L2CAP_CID_SIGNALING: 6793 l2cap_sig_channel(conn, skb); 6794 break; 6795 6796 case L2CAP_CID_CONN_LESS: 6797 psm = get_unaligned((__le16 *) skb->data); 6798 skb_pull(skb, L2CAP_PSMLEN_SIZE); 6799 l2cap_conless_channel(conn, psm, skb); 6800 break; 6801 6802 case L2CAP_CID_LE_SIGNALING: 6803 l2cap_le_sig_channel(conn, skb); 6804 break; 6805 6806 default: 6807 l2cap_data_channel(conn, cid, skb); 6808 break; 6809 } 6810 } 6811 6812 static void process_pending_rx(struct work_struct *work) 6813 { 6814 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 6815 pending_rx_work); 6816 struct sk_buff *skb; 6817 6818 BT_DBG(""); 6819 6820 while ((skb = skb_dequeue(&conn->pending_rx))) 6821 l2cap_recv_frame(conn, skb); 6822 } 6823 6824 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon) 6825 { 6826 struct l2cap_conn *conn = hcon->l2cap_data; 6827 struct hci_chan *hchan; 6828 6829 if (conn) 6830 return conn; 6831 6832 hchan = hci_chan_create(hcon); 6833 if (!hchan) 6834 return NULL; 6835 6836 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 6837 if (!conn) { 6838 hci_chan_del(hchan); 6839 return NULL; 6840 } 6841 6842 kref_init(&conn->ref); 6843 hcon->l2cap_data = conn; 6844 conn->hcon = hci_conn_get(hcon); 6845 conn->hchan = hchan; 6846 6847 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan); 6848 6849 switch (hcon->type) { 6850 case LE_LINK: 6851 if (hcon->hdev->le_mtu) { 6852 conn->mtu = hcon->hdev->le_mtu; 6853 break; 6854 } 6855 fallthrough; 6856 default: 6857 conn->mtu = hcon->hdev->acl_mtu; 6858 break; 6859 } 6860 6861 conn->feat_mask = 0; 6862 6863 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS; 6864 6865 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) && 6866 (bredr_sc_enabled(hcon->hdev) || 6867 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP))) 6868 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR; 6869 6870 mutex_init(&conn->ident_lock); 6871 mutex_init(&conn->chan_lock); 6872 6873 INIT_LIST_HEAD(&conn->chan_l); 6874 INIT_LIST_HEAD(&conn->users); 6875 6876 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout); 6877 6878 skb_queue_head_init(&conn->pending_rx); 6879 INIT_WORK(&conn->pending_rx_work, process_pending_rx); 6880 INIT_DELAYED_WORK(&conn->id_addr_timer, l2cap_conn_update_id_addr); 6881 6882 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 6883 6884 return conn; 6885 } 6886 6887 static bool is_valid_psm(u16 psm, u8 dst_type) 6888 { 6889 if (!psm) 6890 return false; 6891 6892 if (bdaddr_type_is_le(dst_type)) 6893 return (psm <= 0x00ff); 6894 6895 /* PSM must be odd and lsb of upper byte must be 0 */ 6896 return ((psm & 0x0101) == 0x0001); 6897 } 6898 6899 struct l2cap_chan_data { 6900 struct l2cap_chan *chan; 6901 struct pid *pid; 6902 int count; 6903 }; 6904 6905 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data) 6906 { 6907 struct l2cap_chan_data *d = data; 6908 struct pid *pid; 6909 6910 if (chan == d->chan) 6911 return; 6912 6913 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags)) 6914 return; 6915 6916 pid = chan->ops->get_peer_pid(chan); 6917 6918 /* Only count deferred channels with the same PID/PSM */ 6919 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident || 6920 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT) 6921 return; 6922 6923 d->count++; 6924 } 6925 6926 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, 6927 bdaddr_t *dst, u8 dst_type, u16 timeout) 6928 { 6929 struct l2cap_conn *conn; 6930 struct hci_conn *hcon; 6931 struct hci_dev *hdev; 6932 int err; 6933 6934 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src, 6935 dst, dst_type, __le16_to_cpu(psm), chan->mode); 6936 6937 hdev = hci_get_route(dst, &chan->src, chan->src_type); 6938 if (!hdev) 6939 return -EHOSTUNREACH; 6940 6941 hci_dev_lock(hdev); 6942 6943 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid && 6944 chan->chan_type != L2CAP_CHAN_RAW) { 6945 err = -EINVAL; 6946 goto done; 6947 } 6948 6949 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) { 6950 err = -EINVAL; 6951 goto done; 6952 } 6953 6954 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) { 6955 err = -EINVAL; 6956 goto done; 6957 } 6958 6959 switch (chan->mode) { 6960 case L2CAP_MODE_BASIC: 6961 break; 6962 case L2CAP_MODE_LE_FLOWCTL: 6963 break; 6964 case L2CAP_MODE_EXT_FLOWCTL: 6965 if (!enable_ecred) { 6966 err = -EOPNOTSUPP; 6967 goto done; 6968 } 6969 break; 6970 case L2CAP_MODE_ERTM: 6971 case L2CAP_MODE_STREAMING: 6972 if (!disable_ertm) 6973 break; 6974 fallthrough; 6975 default: 6976 err = -EOPNOTSUPP; 6977 goto done; 6978 } 6979 6980 switch (chan->state) { 6981 case BT_CONNECT: 6982 case BT_CONNECT2: 6983 case BT_CONFIG: 6984 /* Already connecting */ 6985 err = 0; 6986 goto done; 6987 6988 case BT_CONNECTED: 6989 /* Already connected */ 6990 err = -EISCONN; 6991 goto done; 6992 6993 case BT_OPEN: 6994 case BT_BOUND: 6995 /* Can connect */ 6996 break; 6997 6998 default: 6999 err = -EBADFD; 7000 goto done; 7001 } 7002 7003 /* Set destination address and psm */ 7004 bacpy(&chan->dst, dst); 7005 chan->dst_type = dst_type; 7006 7007 chan->psm = psm; 7008 chan->dcid = cid; 7009 7010 if (bdaddr_type_is_le(dst_type)) { 7011 /* Convert from L2CAP channel address type to HCI address type 7012 */ 7013 if (dst_type == BDADDR_LE_PUBLIC) 7014 dst_type = ADDR_LE_DEV_PUBLIC; 7015 else 7016 dst_type = ADDR_LE_DEV_RANDOM; 7017 7018 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 7019 hcon = hci_connect_le(hdev, dst, dst_type, false, 7020 chan->sec_level, timeout, 7021 HCI_ROLE_SLAVE); 7022 else 7023 hcon = hci_connect_le_scan(hdev, dst, dst_type, 7024 chan->sec_level, timeout, 7025 CONN_REASON_L2CAP_CHAN); 7026 7027 } else { 7028 u8 auth_type = l2cap_get_auth_type(chan); 7029 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type, 7030 CONN_REASON_L2CAP_CHAN, timeout); 7031 } 7032 7033 if (IS_ERR(hcon)) { 7034 err = PTR_ERR(hcon); 7035 goto done; 7036 } 7037 7038 conn = l2cap_conn_add(hcon); 7039 if (!conn) { 7040 hci_conn_drop(hcon); 7041 err = -ENOMEM; 7042 goto done; 7043 } 7044 7045 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 7046 struct l2cap_chan_data data; 7047 7048 data.chan = chan; 7049 data.pid = chan->ops->get_peer_pid(chan); 7050 data.count = 1; 7051 7052 l2cap_chan_list(conn, l2cap_chan_by_pid, &data); 7053 7054 /* Check if there isn't too many channels being connected */ 7055 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) { 7056 hci_conn_drop(hcon); 7057 err = -EPROTO; 7058 goto done; 7059 } 7060 } 7061 7062 mutex_lock(&conn->chan_lock); 7063 l2cap_chan_lock(chan); 7064 7065 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) { 7066 hci_conn_drop(hcon); 7067 err = -EBUSY; 7068 goto chan_unlock; 7069 } 7070 7071 /* Update source addr of the socket */ 7072 bacpy(&chan->src, &hcon->src); 7073 chan->src_type = bdaddr_src_type(hcon); 7074 7075 __l2cap_chan_add(conn, chan); 7076 7077 /* l2cap_chan_add takes its own ref so we can drop this one */ 7078 hci_conn_drop(hcon); 7079 7080 l2cap_state_change(chan, BT_CONNECT); 7081 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 7082 7083 /* Release chan->sport so that it can be reused by other 7084 * sockets (as it's only used for listening sockets). 7085 */ 7086 write_lock(&chan_list_lock); 7087 chan->sport = 0; 7088 write_unlock(&chan_list_lock); 7089 7090 if (hcon->state == BT_CONNECTED) { 7091 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 7092 __clear_chan_timer(chan); 7093 if (l2cap_chan_check_security(chan, true)) 7094 l2cap_state_change(chan, BT_CONNECTED); 7095 } else 7096 l2cap_do_start(chan); 7097 } 7098 7099 err = 0; 7100 7101 chan_unlock: 7102 l2cap_chan_unlock(chan); 7103 mutex_unlock(&conn->chan_lock); 7104 done: 7105 hci_dev_unlock(hdev); 7106 hci_dev_put(hdev); 7107 return err; 7108 } 7109 EXPORT_SYMBOL_GPL(l2cap_chan_connect); 7110 7111 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan) 7112 { 7113 struct l2cap_conn *conn = chan->conn; 7114 struct { 7115 struct l2cap_ecred_reconf_req req; 7116 __le16 scid; 7117 } pdu; 7118 7119 pdu.req.mtu = cpu_to_le16(chan->imtu); 7120 pdu.req.mps = cpu_to_le16(chan->mps); 7121 pdu.scid = cpu_to_le16(chan->scid); 7122 7123 chan->ident = l2cap_get_ident(conn); 7124 7125 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ, 7126 sizeof(pdu), &pdu); 7127 } 7128 7129 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu) 7130 { 7131 if (chan->imtu > mtu) 7132 return -EINVAL; 7133 7134 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu); 7135 7136 chan->imtu = mtu; 7137 7138 l2cap_ecred_reconfigure(chan); 7139 7140 return 0; 7141 } 7142 7143 /* ---- L2CAP interface with lower layer (HCI) ---- */ 7144 7145 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr) 7146 { 7147 int exact = 0, lm1 = 0, lm2 = 0; 7148 struct l2cap_chan *c; 7149 7150 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr); 7151 7152 /* Find listening sockets and check their link_mode */ 7153 read_lock(&chan_list_lock); 7154 list_for_each_entry(c, &chan_list, global_l) { 7155 if (c->state != BT_LISTEN) 7156 continue; 7157 7158 if (!bacmp(&c->src, &hdev->bdaddr)) { 7159 lm1 |= HCI_LM_ACCEPT; 7160 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 7161 lm1 |= HCI_LM_MASTER; 7162 exact++; 7163 } else if (!bacmp(&c->src, BDADDR_ANY)) { 7164 lm2 |= HCI_LM_ACCEPT; 7165 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 7166 lm2 |= HCI_LM_MASTER; 7167 } 7168 } 7169 read_unlock(&chan_list_lock); 7170 7171 return exact ? lm1 : lm2; 7172 } 7173 7174 /* Find the next fixed channel in BT_LISTEN state, continue iteration 7175 * from an existing channel in the list or from the beginning of the 7176 * global list (by passing NULL as first parameter). 7177 */ 7178 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c, 7179 struct hci_conn *hcon) 7180 { 7181 u8 src_type = bdaddr_src_type(hcon); 7182 7183 read_lock(&chan_list_lock); 7184 7185 if (c) 7186 c = list_next_entry(c, global_l); 7187 else 7188 c = list_entry(chan_list.next, typeof(*c), global_l); 7189 7190 list_for_each_entry_from(c, &chan_list, global_l) { 7191 if (c->chan_type != L2CAP_CHAN_FIXED) 7192 continue; 7193 if (c->state != BT_LISTEN) 7194 continue; 7195 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY)) 7196 continue; 7197 if (src_type != c->src_type) 7198 continue; 7199 7200 c = l2cap_chan_hold_unless_zero(c); 7201 read_unlock(&chan_list_lock); 7202 return c; 7203 } 7204 7205 read_unlock(&chan_list_lock); 7206 7207 return NULL; 7208 } 7209 7210 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 7211 { 7212 struct hci_dev *hdev = hcon->hdev; 7213 struct l2cap_conn *conn; 7214 struct l2cap_chan *pchan; 7215 u8 dst_type; 7216 7217 if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 7218 return; 7219 7220 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 7221 7222 if (status) { 7223 l2cap_conn_del(hcon, bt_to_errno(status)); 7224 return; 7225 } 7226 7227 conn = l2cap_conn_add(hcon); 7228 if (!conn) 7229 return; 7230 7231 dst_type = bdaddr_dst_type(hcon); 7232 7233 /* If device is blocked, do not create channels for it */ 7234 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type)) 7235 return; 7236 7237 /* Find fixed channels and notify them of the new connection. We 7238 * use multiple individual lookups, continuing each time where 7239 * we left off, because the list lock would prevent calling the 7240 * potentially sleeping l2cap_chan_lock() function. 7241 */ 7242 pchan = l2cap_global_fixed_chan(NULL, hcon); 7243 while (pchan) { 7244 struct l2cap_chan *chan, *next; 7245 7246 /* Client fixed channels should override server ones */ 7247 if (__l2cap_get_chan_by_dcid(conn, pchan->scid)) 7248 goto next; 7249 7250 l2cap_chan_lock(pchan); 7251 chan = pchan->ops->new_connection(pchan); 7252 if (chan) { 7253 bacpy(&chan->src, &hcon->src); 7254 bacpy(&chan->dst, &hcon->dst); 7255 chan->src_type = bdaddr_src_type(hcon); 7256 chan->dst_type = dst_type; 7257 7258 __l2cap_chan_add(conn, chan); 7259 } 7260 7261 l2cap_chan_unlock(pchan); 7262 next: 7263 next = l2cap_global_fixed_chan(pchan, hcon); 7264 l2cap_chan_put(pchan); 7265 pchan = next; 7266 } 7267 7268 l2cap_conn_ready(conn); 7269 } 7270 7271 int l2cap_disconn_ind(struct hci_conn *hcon) 7272 { 7273 struct l2cap_conn *conn = hcon->l2cap_data; 7274 7275 BT_DBG("hcon %p", hcon); 7276 7277 if (!conn) 7278 return HCI_ERROR_REMOTE_USER_TERM; 7279 return conn->disc_reason; 7280 } 7281 7282 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) 7283 { 7284 if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 7285 return; 7286 7287 BT_DBG("hcon %p reason %d", hcon, reason); 7288 7289 l2cap_conn_del(hcon, bt_to_errno(reason)); 7290 } 7291 7292 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt) 7293 { 7294 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 7295 return; 7296 7297 if (encrypt == 0x00) { 7298 if (chan->sec_level == BT_SECURITY_MEDIUM) { 7299 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT); 7300 } else if (chan->sec_level == BT_SECURITY_HIGH || 7301 chan->sec_level == BT_SECURITY_FIPS) 7302 l2cap_chan_close(chan, ECONNREFUSED); 7303 } else { 7304 if (chan->sec_level == BT_SECURITY_MEDIUM) 7305 __clear_chan_timer(chan); 7306 } 7307 } 7308 7309 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 7310 { 7311 struct l2cap_conn *conn = hcon->l2cap_data; 7312 struct l2cap_chan *chan; 7313 7314 if (!conn) 7315 return; 7316 7317 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt); 7318 7319 mutex_lock(&conn->chan_lock); 7320 7321 list_for_each_entry(chan, &conn->chan_l, list) { 7322 l2cap_chan_lock(chan); 7323 7324 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid, 7325 state_to_string(chan->state)); 7326 7327 if (!status && encrypt) 7328 chan->sec_level = hcon->sec_level; 7329 7330 if (!__l2cap_no_conn_pending(chan)) { 7331 l2cap_chan_unlock(chan); 7332 continue; 7333 } 7334 7335 if (!status && (chan->state == BT_CONNECTED || 7336 chan->state == BT_CONFIG)) { 7337 chan->ops->resume(chan); 7338 l2cap_check_encryption(chan, encrypt); 7339 l2cap_chan_unlock(chan); 7340 continue; 7341 } 7342 7343 if (chan->state == BT_CONNECT) { 7344 if (!status && l2cap_check_enc_key_size(hcon)) 7345 l2cap_start_connection(chan); 7346 else 7347 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 7348 } else if (chan->state == BT_CONNECT2 && 7349 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL || 7350 chan->mode == L2CAP_MODE_LE_FLOWCTL)) { 7351 struct l2cap_conn_rsp rsp; 7352 __u16 res, stat; 7353 7354 if (!status && l2cap_check_enc_key_size(hcon)) { 7355 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 7356 res = L2CAP_CR_PEND; 7357 stat = L2CAP_CS_AUTHOR_PEND; 7358 chan->ops->defer(chan); 7359 } else { 7360 l2cap_state_change(chan, BT_CONFIG); 7361 res = L2CAP_CR_SUCCESS; 7362 stat = L2CAP_CS_NO_INFO; 7363 } 7364 } else { 7365 l2cap_state_change(chan, BT_DISCONN); 7366 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 7367 res = L2CAP_CR_SEC_BLOCK; 7368 stat = L2CAP_CS_NO_INFO; 7369 } 7370 7371 rsp.scid = cpu_to_le16(chan->dcid); 7372 rsp.dcid = cpu_to_le16(chan->scid); 7373 rsp.result = cpu_to_le16(res); 7374 rsp.status = cpu_to_le16(stat); 7375 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 7376 sizeof(rsp), &rsp); 7377 7378 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) && 7379 res == L2CAP_CR_SUCCESS) { 7380 char buf[128]; 7381 set_bit(CONF_REQ_SENT, &chan->conf_state); 7382 l2cap_send_cmd(conn, l2cap_get_ident(conn), 7383 L2CAP_CONF_REQ, 7384 l2cap_build_conf_req(chan, buf, sizeof(buf)), 7385 buf); 7386 chan->num_conf_req++; 7387 } 7388 } 7389 7390 l2cap_chan_unlock(chan); 7391 } 7392 7393 mutex_unlock(&conn->chan_lock); 7394 } 7395 7396 /* Append fragment into frame respecting the maximum len of rx_skb */ 7397 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb, 7398 u16 len) 7399 { 7400 if (!conn->rx_skb) { 7401 /* Allocate skb for the complete frame (with header) */ 7402 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL); 7403 if (!conn->rx_skb) 7404 return -ENOMEM; 7405 /* Init rx_len */ 7406 conn->rx_len = len; 7407 } 7408 7409 /* Copy as much as the rx_skb can hold */ 7410 len = min_t(u16, len, skb->len); 7411 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len); 7412 skb_pull(skb, len); 7413 conn->rx_len -= len; 7414 7415 return len; 7416 } 7417 7418 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb) 7419 { 7420 struct sk_buff *rx_skb; 7421 int len; 7422 7423 /* Append just enough to complete the header */ 7424 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len); 7425 7426 /* If header could not be read just continue */ 7427 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE) 7428 return len; 7429 7430 rx_skb = conn->rx_skb; 7431 len = get_unaligned_le16(rx_skb->data); 7432 7433 /* Check if rx_skb has enough space to received all fragments */ 7434 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) { 7435 /* Update expected len */ 7436 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE); 7437 return L2CAP_LEN_SIZE; 7438 } 7439 7440 /* Reset conn->rx_skb since it will need to be reallocated in order to 7441 * fit all fragments. 7442 */ 7443 conn->rx_skb = NULL; 7444 7445 /* Reallocates rx_skb using the exact expected length */ 7446 len = l2cap_recv_frag(conn, rx_skb, 7447 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE)); 7448 kfree_skb(rx_skb); 7449 7450 return len; 7451 } 7452 7453 static void l2cap_recv_reset(struct l2cap_conn *conn) 7454 { 7455 kfree_skb(conn->rx_skb); 7456 conn->rx_skb = NULL; 7457 conn->rx_len = 0; 7458 } 7459 7460 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 7461 { 7462 struct l2cap_conn *conn = hcon->l2cap_data; 7463 int len; 7464 7465 /* For AMP controller do not create l2cap conn */ 7466 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY) 7467 goto drop; 7468 7469 if (!conn) 7470 conn = l2cap_conn_add(hcon); 7471 7472 if (!conn) 7473 goto drop; 7474 7475 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags); 7476 7477 switch (flags) { 7478 case ACL_START: 7479 case ACL_START_NO_FLUSH: 7480 case ACL_COMPLETE: 7481 if (conn->rx_skb) { 7482 BT_ERR("Unexpected start frame (len %d)", skb->len); 7483 l2cap_recv_reset(conn); 7484 l2cap_conn_unreliable(conn, ECOMM); 7485 } 7486 7487 /* Start fragment may not contain the L2CAP length so just 7488 * copy the initial byte when that happens and use conn->mtu as 7489 * expected length. 7490 */ 7491 if (skb->len < L2CAP_LEN_SIZE) { 7492 l2cap_recv_frag(conn, skb, conn->mtu); 7493 break; 7494 } 7495 7496 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE; 7497 7498 if (len == skb->len) { 7499 /* Complete frame received */ 7500 l2cap_recv_frame(conn, skb); 7501 return; 7502 } 7503 7504 BT_DBG("Start: total len %d, frag len %u", len, skb->len); 7505 7506 if (skb->len > len) { 7507 BT_ERR("Frame is too long (len %u, expected len %d)", 7508 skb->len, len); 7509 l2cap_conn_unreliable(conn, ECOMM); 7510 goto drop; 7511 } 7512 7513 /* Append fragment into frame (with header) */ 7514 if (l2cap_recv_frag(conn, skb, len) < 0) 7515 goto drop; 7516 7517 break; 7518 7519 case ACL_CONT: 7520 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len); 7521 7522 if (!conn->rx_skb) { 7523 BT_ERR("Unexpected continuation frame (len %d)", skb->len); 7524 l2cap_conn_unreliable(conn, ECOMM); 7525 goto drop; 7526 } 7527 7528 /* Complete the L2CAP length if it has not been read */ 7529 if (conn->rx_skb->len < L2CAP_LEN_SIZE) { 7530 if (l2cap_recv_len(conn, skb) < 0) { 7531 l2cap_conn_unreliable(conn, ECOMM); 7532 goto drop; 7533 } 7534 7535 /* Header still could not be read just continue */ 7536 if (conn->rx_skb->len < L2CAP_LEN_SIZE) 7537 break; 7538 } 7539 7540 if (skb->len > conn->rx_len) { 7541 BT_ERR("Fragment is too long (len %u, expected %u)", 7542 skb->len, conn->rx_len); 7543 l2cap_recv_reset(conn); 7544 l2cap_conn_unreliable(conn, ECOMM); 7545 goto drop; 7546 } 7547 7548 /* Append fragment into frame (with header) */ 7549 l2cap_recv_frag(conn, skb, skb->len); 7550 7551 if (!conn->rx_len) { 7552 /* Complete frame received. l2cap_recv_frame 7553 * takes ownership of the skb so set the global 7554 * rx_skb pointer to NULL first. 7555 */ 7556 struct sk_buff *rx_skb = conn->rx_skb; 7557 conn->rx_skb = NULL; 7558 l2cap_recv_frame(conn, rx_skb); 7559 } 7560 break; 7561 } 7562 7563 drop: 7564 kfree_skb(skb); 7565 } 7566 7567 static struct hci_cb l2cap_cb = { 7568 .name = "L2CAP", 7569 .connect_cfm = l2cap_connect_cfm, 7570 .disconn_cfm = l2cap_disconn_cfm, 7571 .security_cfm = l2cap_security_cfm, 7572 }; 7573 7574 static int l2cap_debugfs_show(struct seq_file *f, void *p) 7575 { 7576 struct l2cap_chan *c; 7577 7578 read_lock(&chan_list_lock); 7579 7580 list_for_each_entry(c, &chan_list, global_l) { 7581 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 7582 &c->src, c->src_type, &c->dst, c->dst_type, 7583 c->state, __le16_to_cpu(c->psm), 7584 c->scid, c->dcid, c->imtu, c->omtu, 7585 c->sec_level, c->mode); 7586 } 7587 7588 read_unlock(&chan_list_lock); 7589 7590 return 0; 7591 } 7592 7593 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs); 7594 7595 static struct dentry *l2cap_debugfs; 7596 7597 int __init l2cap_init(void) 7598 { 7599 int err; 7600 7601 err = l2cap_init_sockets(); 7602 if (err < 0) 7603 return err; 7604 7605 hci_register_cb(&l2cap_cb); 7606 7607 if (IS_ERR_OR_NULL(bt_debugfs)) 7608 return 0; 7609 7610 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs, 7611 NULL, &l2cap_debugfs_fops); 7612 7613 return 0; 7614 } 7615 7616 void l2cap_exit(void) 7617 { 7618 debugfs_remove(l2cap_debugfs); 7619 hci_unregister_cb(&l2cap_cb); 7620 l2cap_cleanup_sockets(); 7621 } 7622 7623 module_param(disable_ertm, bool, 0644); 7624 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode"); 7625 7626 module_param(enable_ecred, bool, 0644); 7627 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode"); 7628