1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 Copyright (c) 2012 Code Aurora Forum. All rights reserved. 8 9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 10 11 This program is free software; you can redistribute it and/or modify 12 it under the terms of the GNU General Public License version 2 as 13 published by the Free Software Foundation; 14 15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 23 24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 26 SOFTWARE IS DISCLAIMED. 27 */ 28 29 /* Bluetooth L2CAP core. */ 30 31 #include <linux/module.h> 32 33 #include <linux/debugfs.h> 34 #include <linux/crc16.h> 35 #include <linux/filter.h> 36 37 #include <net/bluetooth/bluetooth.h> 38 #include <net/bluetooth/hci_core.h> 39 #include <net/bluetooth/l2cap.h> 40 41 #include "smp.h" 42 43 #define LE_FLOWCTL_MAX_CREDITS 65535 44 45 bool disable_ertm; 46 bool enable_ecred = IS_ENABLED(CONFIG_BT_LE_L2CAP_ECRED); 47 48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD; 49 50 static LIST_HEAD(chan_list); 51 static DEFINE_RWLOCK(chan_list_lock); 52 53 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, 54 u8 code, u8 ident, u16 dlen, void *data); 55 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 56 void *data); 57 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size); 58 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); 59 60 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 61 struct sk_buff_head *skbs, u8 event); 62 static void l2cap_retrans_timeout(struct work_struct *work); 63 static void l2cap_monitor_timeout(struct work_struct *work); 64 static void l2cap_ack_timeout(struct work_struct *work); 65 66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) 67 { 68 if (link_type == LE_LINK) { 69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 70 return BDADDR_LE_PUBLIC; 71 else 72 return BDADDR_LE_RANDOM; 73 } 74 75 return BDADDR_BREDR; 76 } 77 78 static inline u8 bdaddr_src_type(struct hci_conn *hcon) 79 { 80 return bdaddr_type(hcon->type, hcon->src_type); 81 } 82 83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon) 84 { 85 return bdaddr_type(hcon->type, hcon->dst_type); 86 } 87 88 /* ---- L2CAP channels ---- */ 89 90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 91 u16 cid) 92 { 93 struct l2cap_chan *c; 94 95 list_for_each_entry(c, &conn->chan_l, list) { 96 if (c->dcid == cid) 97 return c; 98 } 99 return NULL; 100 } 101 102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, 103 u16 cid) 104 { 105 struct l2cap_chan *c; 106 107 list_for_each_entry(c, &conn->chan_l, list) { 108 if (c->scid == cid) 109 return c; 110 } 111 return NULL; 112 } 113 114 /* Find channel with given SCID. 115 * Returns a reference locked channel. 116 */ 117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, 118 u16 cid) 119 { 120 struct l2cap_chan *c; 121 122 c = __l2cap_get_chan_by_scid(conn, cid); 123 if (c) { 124 /* Only lock if chan reference is not 0 */ 125 c = l2cap_chan_hold_unless_zero(c); 126 if (c) 127 l2cap_chan_lock(c); 128 } 129 130 return c; 131 } 132 133 /* Find channel with given DCID. 134 * Returns a reference locked channel. 135 */ 136 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 137 u16 cid) 138 { 139 struct l2cap_chan *c; 140 141 c = __l2cap_get_chan_by_dcid(conn, cid); 142 if (c) { 143 /* Only lock if chan reference is not 0 */ 144 c = l2cap_chan_hold_unless_zero(c); 145 if (c) 146 l2cap_chan_lock(c); 147 } 148 149 return c; 150 } 151 152 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, 153 u8 ident) 154 { 155 struct l2cap_chan *c; 156 157 list_for_each_entry(c, &conn->chan_l, list) { 158 if (c->ident == ident) 159 return c; 160 } 161 return NULL; 162 } 163 164 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src, 165 u8 src_type) 166 { 167 struct l2cap_chan *c; 168 169 list_for_each_entry(c, &chan_list, global_l) { 170 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR) 171 continue; 172 173 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR) 174 continue; 175 176 if (c->sport == psm && !bacmp(&c->src, src)) 177 return c; 178 } 179 return NULL; 180 } 181 182 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm) 183 { 184 int err; 185 186 write_lock(&chan_list_lock); 187 188 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) { 189 err = -EADDRINUSE; 190 goto done; 191 } 192 193 if (psm) { 194 chan->psm = psm; 195 chan->sport = psm; 196 err = 0; 197 } else { 198 u16 p, start, end, incr; 199 200 if (chan->src_type == BDADDR_BREDR) { 201 start = L2CAP_PSM_DYN_START; 202 end = L2CAP_PSM_AUTO_END; 203 incr = 2; 204 } else { 205 start = L2CAP_PSM_LE_DYN_START; 206 end = L2CAP_PSM_LE_DYN_END; 207 incr = 1; 208 } 209 210 err = -EINVAL; 211 for (p = start; p <= end; p += incr) 212 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src, 213 chan->src_type)) { 214 chan->psm = cpu_to_le16(p); 215 chan->sport = cpu_to_le16(p); 216 err = 0; 217 break; 218 } 219 } 220 221 done: 222 write_unlock(&chan_list_lock); 223 return err; 224 } 225 EXPORT_SYMBOL_GPL(l2cap_add_psm); 226 227 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid) 228 { 229 write_lock(&chan_list_lock); 230 231 /* Override the defaults (which are for conn-oriented) */ 232 chan->omtu = L2CAP_DEFAULT_MTU; 233 chan->chan_type = L2CAP_CHAN_FIXED; 234 235 chan->scid = scid; 236 237 write_unlock(&chan_list_lock); 238 239 return 0; 240 } 241 242 static u16 l2cap_alloc_cid(struct l2cap_conn *conn) 243 { 244 u16 cid, dyn_end; 245 246 if (conn->hcon->type == LE_LINK) 247 dyn_end = L2CAP_CID_LE_DYN_END; 248 else 249 dyn_end = L2CAP_CID_DYN_END; 250 251 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) { 252 if (!__l2cap_get_chan_by_scid(conn, cid)) 253 return cid; 254 } 255 256 return 0; 257 } 258 259 static void l2cap_state_change(struct l2cap_chan *chan, int state) 260 { 261 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state), 262 state_to_string(state)); 263 264 chan->state = state; 265 chan->ops->state_change(chan, state, 0); 266 } 267 268 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan, 269 int state, int err) 270 { 271 chan->state = state; 272 chan->ops->state_change(chan, chan->state, err); 273 } 274 275 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err) 276 { 277 chan->ops->state_change(chan, chan->state, err); 278 } 279 280 static void __set_retrans_timer(struct l2cap_chan *chan) 281 { 282 if (!delayed_work_pending(&chan->monitor_timer) && 283 chan->retrans_timeout) { 284 l2cap_set_timer(chan, &chan->retrans_timer, 285 msecs_to_jiffies(chan->retrans_timeout)); 286 } 287 } 288 289 static void __set_monitor_timer(struct l2cap_chan *chan) 290 { 291 __clear_retrans_timer(chan); 292 if (chan->monitor_timeout) { 293 l2cap_set_timer(chan, &chan->monitor_timer, 294 msecs_to_jiffies(chan->monitor_timeout)); 295 } 296 } 297 298 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head, 299 u16 seq) 300 { 301 struct sk_buff *skb; 302 303 skb_queue_walk(head, skb) { 304 if (bt_cb(skb)->l2cap.txseq == seq) 305 return skb; 306 } 307 308 return NULL; 309 } 310 311 /* ---- L2CAP sequence number lists ---- */ 312 313 /* For ERTM, ordered lists of sequence numbers must be tracked for 314 * SREJ requests that are received and for frames that are to be 315 * retransmitted. These seq_list functions implement a singly-linked 316 * list in an array, where membership in the list can also be checked 317 * in constant time. Items can also be added to the tail of the list 318 * and removed from the head in constant time, without further memory 319 * allocs or frees. 320 */ 321 322 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size) 323 { 324 size_t alloc_size, i; 325 326 /* Allocated size is a power of 2 to map sequence numbers 327 * (which may be up to 14 bits) in to a smaller array that is 328 * sized for the negotiated ERTM transmit windows. 329 */ 330 alloc_size = roundup_pow_of_two(size); 331 332 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL); 333 if (!seq_list->list) 334 return -ENOMEM; 335 336 seq_list->mask = alloc_size - 1; 337 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 339 for (i = 0; i < alloc_size; i++) 340 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 341 342 return 0; 343 } 344 345 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list) 346 { 347 kfree(seq_list->list); 348 } 349 350 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list, 351 u16 seq) 352 { 353 /* Constant-time check for list membership */ 354 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR; 355 } 356 357 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list) 358 { 359 u16 seq = seq_list->head; 360 u16 mask = seq_list->mask; 361 362 seq_list->head = seq_list->list[seq & mask]; 363 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR; 364 365 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) { 366 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 367 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 368 } 369 370 return seq; 371 } 372 373 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list) 374 { 375 u16 i; 376 377 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) 378 return; 379 380 for (i = 0; i <= seq_list->mask; i++) 381 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR; 382 383 seq_list->head = L2CAP_SEQ_LIST_CLEAR; 384 seq_list->tail = L2CAP_SEQ_LIST_CLEAR; 385 } 386 387 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq) 388 { 389 u16 mask = seq_list->mask; 390 391 /* All appends happen in constant time */ 392 393 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR) 394 return; 395 396 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR) 397 seq_list->head = seq; 398 else 399 seq_list->list[seq_list->tail & mask] = seq; 400 401 seq_list->tail = seq; 402 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL; 403 } 404 405 static void l2cap_chan_timeout(struct work_struct *work) 406 { 407 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 408 chan_timer.work); 409 struct l2cap_conn *conn = chan->conn; 410 int reason; 411 412 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 413 414 if (!conn) 415 return; 416 417 mutex_lock(&conn->lock); 418 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling 419 * this work. No need to call l2cap_chan_hold(chan) here again. 420 */ 421 l2cap_chan_lock(chan); 422 423 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) 424 reason = ECONNREFUSED; 425 else if (chan->state == BT_CONNECT && 426 chan->sec_level != BT_SECURITY_SDP) 427 reason = ECONNREFUSED; 428 else 429 reason = ETIMEDOUT; 430 431 l2cap_chan_close(chan, reason); 432 433 chan->ops->close(chan); 434 435 l2cap_chan_unlock(chan); 436 l2cap_chan_put(chan); 437 438 mutex_unlock(&conn->lock); 439 } 440 441 struct l2cap_chan *l2cap_chan_create(void) 442 { 443 struct l2cap_chan *chan; 444 445 chan = kzalloc(sizeof(*chan), GFP_ATOMIC); 446 if (!chan) 447 return NULL; 448 449 skb_queue_head_init(&chan->tx_q); 450 skb_queue_head_init(&chan->srej_q); 451 mutex_init(&chan->lock); 452 453 /* Set default lock nesting level */ 454 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL); 455 456 /* Available receive buffer space is initially unknown */ 457 chan->rx_avail = -1; 458 459 write_lock(&chan_list_lock); 460 list_add(&chan->global_l, &chan_list); 461 write_unlock(&chan_list_lock); 462 463 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); 464 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); 465 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); 466 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); 467 468 chan->state = BT_OPEN; 469 470 kref_init(&chan->kref); 471 472 /* This flag is cleared in l2cap_chan_ready() */ 473 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 474 475 BT_DBG("chan %p", chan); 476 477 return chan; 478 } 479 EXPORT_SYMBOL_GPL(l2cap_chan_create); 480 481 static void l2cap_chan_destroy(struct kref *kref) 482 { 483 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref); 484 485 BT_DBG("chan %p", chan); 486 487 write_lock(&chan_list_lock); 488 list_del(&chan->global_l); 489 write_unlock(&chan_list_lock); 490 491 kfree(chan); 492 } 493 494 void l2cap_chan_hold(struct l2cap_chan *c) 495 { 496 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 497 498 kref_get(&c->kref); 499 } 500 EXPORT_SYMBOL_GPL(l2cap_chan_hold); 501 502 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) 503 { 504 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 505 506 if (!kref_get_unless_zero(&c->kref)) 507 return NULL; 508 509 return c; 510 } 511 512 void l2cap_chan_put(struct l2cap_chan *c) 513 { 514 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); 515 516 kref_put(&c->kref, l2cap_chan_destroy); 517 } 518 EXPORT_SYMBOL_GPL(l2cap_chan_put); 519 520 void l2cap_chan_set_defaults(struct l2cap_chan *chan) 521 { 522 chan->fcs = L2CAP_FCS_CRC16; 523 chan->max_tx = L2CAP_DEFAULT_MAX_TX; 524 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW; 525 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 526 chan->remote_max_tx = chan->max_tx; 527 chan->remote_tx_win = chan->tx_win; 528 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW; 529 chan->sec_level = BT_SECURITY_LOW; 530 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 531 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO; 532 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO; 533 534 chan->conf_state = 0; 535 set_bit(CONF_NOT_COMPLETE, &chan->conf_state); 536 537 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 538 } 539 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults); 540 541 static __u16 l2cap_le_rx_credits(struct l2cap_chan *chan) 542 { 543 size_t sdu_len = chan->sdu ? chan->sdu->len : 0; 544 545 if (chan->mps == 0) 546 return 0; 547 548 /* If we don't know the available space in the receiver buffer, give 549 * enough credits for a full packet. 550 */ 551 if (chan->rx_avail == -1) 552 return (chan->imtu / chan->mps) + 1; 553 554 /* If we know how much space is available in the receive buffer, give 555 * out as many credits as would fill the buffer. 556 */ 557 if (chan->rx_avail <= sdu_len) 558 return 0; 559 560 return DIV_ROUND_UP(chan->rx_avail - sdu_len, chan->mps); 561 } 562 563 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits) 564 { 565 chan->sdu = NULL; 566 chan->sdu_last_frag = NULL; 567 chan->sdu_len = 0; 568 chan->tx_credits = tx_credits; 569 /* Derive MPS from connection MTU to stop HCI fragmentation */ 570 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE); 571 chan->rx_credits = l2cap_le_rx_credits(chan); 572 573 skb_queue_head_init(&chan->tx_q); 574 } 575 576 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits) 577 { 578 l2cap_le_flowctl_init(chan, tx_credits); 579 580 /* L2CAP implementations shall support a minimum MPS of 64 octets */ 581 if (chan->mps < L2CAP_ECRED_MIN_MPS) { 582 chan->mps = L2CAP_ECRED_MIN_MPS; 583 chan->rx_credits = l2cap_le_rx_credits(chan); 584 } 585 } 586 587 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 588 { 589 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 590 __le16_to_cpu(chan->psm), chan->dcid); 591 592 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 593 594 chan->conn = conn; 595 596 switch (chan->chan_type) { 597 case L2CAP_CHAN_CONN_ORIENTED: 598 /* Alloc CID for connection-oriented socket */ 599 chan->scid = l2cap_alloc_cid(conn); 600 if (conn->hcon->type == ACL_LINK) 601 chan->omtu = L2CAP_DEFAULT_MTU; 602 break; 603 604 case L2CAP_CHAN_CONN_LESS: 605 /* Connectionless socket */ 606 chan->scid = L2CAP_CID_CONN_LESS; 607 chan->dcid = L2CAP_CID_CONN_LESS; 608 chan->omtu = L2CAP_DEFAULT_MTU; 609 break; 610 611 case L2CAP_CHAN_FIXED: 612 /* Caller will set CID and CID specific MTU values */ 613 break; 614 615 default: 616 /* Raw socket can send/recv signalling messages only */ 617 chan->scid = L2CAP_CID_SIGNALING; 618 chan->dcid = L2CAP_CID_SIGNALING; 619 chan->omtu = L2CAP_DEFAULT_MTU; 620 } 621 622 chan->local_id = L2CAP_BESTEFFORT_ID; 623 chan->local_stype = L2CAP_SERV_BESTEFFORT; 624 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE; 625 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME; 626 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT; 627 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO; 628 629 l2cap_chan_hold(chan); 630 631 /* Only keep a reference for fixed channels if they requested it */ 632 if (chan->chan_type != L2CAP_CHAN_FIXED || 633 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags)) 634 hci_conn_hold(conn->hcon); 635 636 /* Append to the list since the order matters for ECRED */ 637 list_add_tail(&chan->list, &conn->chan_l); 638 } 639 640 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 641 { 642 mutex_lock(&conn->lock); 643 __l2cap_chan_add(conn, chan); 644 mutex_unlock(&conn->lock); 645 } 646 647 void l2cap_chan_del(struct l2cap_chan *chan, int err) 648 { 649 struct l2cap_conn *conn = chan->conn; 650 651 __clear_chan_timer(chan); 652 653 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err, 654 state_to_string(chan->state)); 655 656 chan->ops->teardown(chan, err); 657 658 if (conn) { 659 /* Delete from channel list */ 660 list_del(&chan->list); 661 662 l2cap_chan_put(chan); 663 664 chan->conn = NULL; 665 666 /* Reference was only held for non-fixed channels or 667 * fixed channels that explicitly requested it using the 668 * FLAG_HOLD_HCI_CONN flag. 669 */ 670 if (chan->chan_type != L2CAP_CHAN_FIXED || 671 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags)) 672 hci_conn_drop(conn->hcon); 673 } 674 675 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state)) 676 return; 677 678 switch (chan->mode) { 679 case L2CAP_MODE_BASIC: 680 break; 681 682 case L2CAP_MODE_LE_FLOWCTL: 683 case L2CAP_MODE_EXT_FLOWCTL: 684 skb_queue_purge(&chan->tx_q); 685 break; 686 687 case L2CAP_MODE_ERTM: 688 __clear_retrans_timer(chan); 689 __clear_monitor_timer(chan); 690 __clear_ack_timer(chan); 691 692 skb_queue_purge(&chan->srej_q); 693 694 l2cap_seq_list_free(&chan->srej_list); 695 l2cap_seq_list_free(&chan->retrans_list); 696 fallthrough; 697 698 case L2CAP_MODE_STREAMING: 699 skb_queue_purge(&chan->tx_q); 700 break; 701 } 702 } 703 EXPORT_SYMBOL_GPL(l2cap_chan_del); 704 705 static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id, 706 l2cap_chan_func_t func, void *data) 707 { 708 struct l2cap_chan *chan, *l; 709 710 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 711 if (chan->ident == id) 712 func(chan, data); 713 } 714 } 715 716 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, 717 void *data) 718 { 719 struct l2cap_chan *chan; 720 721 list_for_each_entry(chan, &conn->chan_l, list) { 722 func(chan, data); 723 } 724 } 725 726 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func, 727 void *data) 728 { 729 if (!conn) 730 return; 731 732 mutex_lock(&conn->lock); 733 __l2cap_chan_list(conn, func, data); 734 mutex_unlock(&conn->lock); 735 } 736 737 EXPORT_SYMBOL_GPL(l2cap_chan_list); 738 739 static void l2cap_conn_update_id_addr(struct work_struct *work) 740 { 741 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 742 id_addr_timer.work); 743 struct hci_conn *hcon = conn->hcon; 744 struct l2cap_chan *chan; 745 746 mutex_lock(&conn->lock); 747 748 list_for_each_entry(chan, &conn->chan_l, list) { 749 l2cap_chan_lock(chan); 750 bacpy(&chan->dst, &hcon->dst); 751 chan->dst_type = bdaddr_dst_type(hcon); 752 l2cap_chan_unlock(chan); 753 } 754 755 mutex_unlock(&conn->lock); 756 } 757 758 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan) 759 { 760 struct l2cap_conn *conn = chan->conn; 761 struct l2cap_le_conn_rsp rsp; 762 u16 result; 763 764 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 765 result = L2CAP_CR_LE_AUTHORIZATION; 766 else 767 result = L2CAP_CR_LE_BAD_PSM; 768 769 l2cap_state_change(chan, BT_DISCONN); 770 771 rsp.dcid = cpu_to_le16(chan->scid); 772 rsp.mtu = cpu_to_le16(chan->imtu); 773 rsp.mps = cpu_to_le16(chan->mps); 774 rsp.credits = cpu_to_le16(chan->rx_credits); 775 rsp.result = cpu_to_le16(result); 776 777 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 778 &rsp); 779 } 780 781 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan) 782 { 783 l2cap_state_change(chan, BT_DISCONN); 784 785 __l2cap_ecred_conn_rsp_defer(chan); 786 } 787 788 static void l2cap_chan_connect_reject(struct l2cap_chan *chan) 789 { 790 struct l2cap_conn *conn = chan->conn; 791 struct l2cap_conn_rsp rsp; 792 u16 result; 793 794 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 795 result = L2CAP_CR_SEC_BLOCK; 796 else 797 result = L2CAP_CR_BAD_PSM; 798 799 l2cap_state_change(chan, BT_DISCONN); 800 801 rsp.scid = cpu_to_le16(chan->dcid); 802 rsp.dcid = cpu_to_le16(chan->scid); 803 rsp.result = cpu_to_le16(result); 804 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 805 806 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp); 807 } 808 809 void l2cap_chan_close(struct l2cap_chan *chan, int reason) 810 { 811 struct l2cap_conn *conn = chan->conn; 812 813 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 814 815 switch (chan->state) { 816 case BT_LISTEN: 817 chan->ops->teardown(chan, 0); 818 break; 819 820 case BT_CONNECTED: 821 case BT_CONFIG: 822 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) { 823 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 824 l2cap_send_disconn_req(chan, reason); 825 } else 826 l2cap_chan_del(chan, reason); 827 break; 828 829 case BT_CONNECT2: 830 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) { 831 if (conn->hcon->type == ACL_LINK) 832 l2cap_chan_connect_reject(chan); 833 else if (conn->hcon->type == LE_LINK) { 834 switch (chan->mode) { 835 case L2CAP_MODE_LE_FLOWCTL: 836 l2cap_chan_le_connect_reject(chan); 837 break; 838 case L2CAP_MODE_EXT_FLOWCTL: 839 l2cap_chan_ecred_connect_reject(chan); 840 return; 841 } 842 } 843 } 844 845 l2cap_chan_del(chan, reason); 846 break; 847 848 case BT_CONNECT: 849 case BT_DISCONN: 850 l2cap_chan_del(chan, reason); 851 break; 852 853 default: 854 chan->ops->teardown(chan, 0); 855 break; 856 } 857 } 858 EXPORT_SYMBOL(l2cap_chan_close); 859 860 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan) 861 { 862 switch (chan->chan_type) { 863 case L2CAP_CHAN_RAW: 864 switch (chan->sec_level) { 865 case BT_SECURITY_HIGH: 866 case BT_SECURITY_FIPS: 867 return HCI_AT_DEDICATED_BONDING_MITM; 868 case BT_SECURITY_MEDIUM: 869 return HCI_AT_DEDICATED_BONDING; 870 default: 871 return HCI_AT_NO_BONDING; 872 } 873 break; 874 case L2CAP_CHAN_CONN_LESS: 875 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) { 876 if (chan->sec_level == BT_SECURITY_LOW) 877 chan->sec_level = BT_SECURITY_SDP; 878 } 879 if (chan->sec_level == BT_SECURITY_HIGH || 880 chan->sec_level == BT_SECURITY_FIPS) 881 return HCI_AT_NO_BONDING_MITM; 882 else 883 return HCI_AT_NO_BONDING; 884 break; 885 case L2CAP_CHAN_CONN_ORIENTED: 886 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) { 887 if (chan->sec_level == BT_SECURITY_LOW) 888 chan->sec_level = BT_SECURITY_SDP; 889 890 if (chan->sec_level == BT_SECURITY_HIGH || 891 chan->sec_level == BT_SECURITY_FIPS) 892 return HCI_AT_NO_BONDING_MITM; 893 else 894 return HCI_AT_NO_BONDING; 895 } 896 fallthrough; 897 898 default: 899 switch (chan->sec_level) { 900 case BT_SECURITY_HIGH: 901 case BT_SECURITY_FIPS: 902 return HCI_AT_GENERAL_BONDING_MITM; 903 case BT_SECURITY_MEDIUM: 904 return HCI_AT_GENERAL_BONDING; 905 default: 906 return HCI_AT_NO_BONDING; 907 } 908 break; 909 } 910 } 911 912 /* Service level security */ 913 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator) 914 { 915 struct l2cap_conn *conn = chan->conn; 916 __u8 auth_type; 917 918 if (conn->hcon->type == LE_LINK) 919 return smp_conn_security(conn->hcon, chan->sec_level); 920 921 auth_type = l2cap_get_auth_type(chan); 922 923 return hci_conn_security(conn->hcon, chan->sec_level, auth_type, 924 initiator); 925 } 926 927 static u8 l2cap_get_ident(struct l2cap_conn *conn) 928 { 929 u8 id; 930 931 /* Get next available identificator. 932 * 1 - 128 are used by kernel. 933 * 129 - 199 are reserved. 934 * 200 - 254 are used by utilities like l2ping, etc. 935 */ 936 937 mutex_lock(&conn->ident_lock); 938 939 if (++conn->tx_ident > 128) 940 conn->tx_ident = 1; 941 942 id = conn->tx_ident; 943 944 mutex_unlock(&conn->ident_lock); 945 946 return id; 947 } 948 949 static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb, 950 u8 flags) 951 { 952 /* Check if the hcon still valid before attempting to send */ 953 if (hci_conn_valid(conn->hcon->hdev, conn->hcon)) 954 hci_send_acl(conn->hchan, skb, flags); 955 else 956 kfree_skb(skb); 957 } 958 959 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, 960 void *data) 961 { 962 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data); 963 u8 flags; 964 965 BT_DBG("code 0x%2.2x", code); 966 967 if (!skb) 968 return; 969 970 /* Use NO_FLUSH if supported or we have an LE link (which does 971 * not support auto-flushing packets) */ 972 if (lmp_no_flush_capable(conn->hcon->hdev) || 973 conn->hcon->type == LE_LINK) 974 flags = ACL_START_NO_FLUSH; 975 else 976 flags = ACL_START; 977 978 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON; 979 skb->priority = HCI_PRIO_MAX; 980 981 l2cap_send_acl(conn, skb, flags); 982 } 983 984 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb) 985 { 986 struct hci_conn *hcon = chan->conn->hcon; 987 u16 flags; 988 989 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len, 990 skb->priority); 991 992 /* Use NO_FLUSH for LE links (where this is the only option) or 993 * if the BR/EDR link supports it and flushing has not been 994 * explicitly requested (through FLAG_FLUSHABLE). 995 */ 996 if (hcon->type == LE_LINK || 997 (!test_bit(FLAG_FLUSHABLE, &chan->flags) && 998 lmp_no_flush_capable(hcon->hdev))) 999 flags = ACL_START_NO_FLUSH; 1000 else 1001 flags = ACL_START; 1002 1003 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1004 hci_send_acl(chan->conn->hchan, skb, flags); 1005 } 1006 1007 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control) 1008 { 1009 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT; 1010 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT; 1011 1012 if (enh & L2CAP_CTRL_FRAME_TYPE) { 1013 /* S-Frame */ 1014 control->sframe = 1; 1015 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT; 1016 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT; 1017 1018 control->sar = 0; 1019 control->txseq = 0; 1020 } else { 1021 /* I-Frame */ 1022 control->sframe = 0; 1023 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT; 1024 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT; 1025 1026 control->poll = 0; 1027 control->super = 0; 1028 } 1029 } 1030 1031 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control) 1032 { 1033 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT; 1034 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT; 1035 1036 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) { 1037 /* S-Frame */ 1038 control->sframe = 1; 1039 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT; 1040 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT; 1041 1042 control->sar = 0; 1043 control->txseq = 0; 1044 } else { 1045 /* I-Frame */ 1046 control->sframe = 0; 1047 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT; 1048 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT; 1049 1050 control->poll = 0; 1051 control->super = 0; 1052 } 1053 } 1054 1055 static inline void __unpack_control(struct l2cap_chan *chan, 1056 struct sk_buff *skb) 1057 { 1058 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1059 __unpack_extended_control(get_unaligned_le32(skb->data), 1060 &bt_cb(skb)->l2cap); 1061 skb_pull(skb, L2CAP_EXT_CTRL_SIZE); 1062 } else { 1063 __unpack_enhanced_control(get_unaligned_le16(skb->data), 1064 &bt_cb(skb)->l2cap); 1065 skb_pull(skb, L2CAP_ENH_CTRL_SIZE); 1066 } 1067 } 1068 1069 static u32 __pack_extended_control(struct l2cap_ctrl *control) 1070 { 1071 u32 packed; 1072 1073 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT; 1074 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT; 1075 1076 if (control->sframe) { 1077 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT; 1078 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT; 1079 packed |= L2CAP_EXT_CTRL_FRAME_TYPE; 1080 } else { 1081 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT; 1082 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT; 1083 } 1084 1085 return packed; 1086 } 1087 1088 static u16 __pack_enhanced_control(struct l2cap_ctrl *control) 1089 { 1090 u16 packed; 1091 1092 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT; 1093 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT; 1094 1095 if (control->sframe) { 1096 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT; 1097 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT; 1098 packed |= L2CAP_CTRL_FRAME_TYPE; 1099 } else { 1100 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT; 1101 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT; 1102 } 1103 1104 return packed; 1105 } 1106 1107 static inline void __pack_control(struct l2cap_chan *chan, 1108 struct l2cap_ctrl *control, 1109 struct sk_buff *skb) 1110 { 1111 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 1112 put_unaligned_le32(__pack_extended_control(control), 1113 skb->data + L2CAP_HDR_SIZE); 1114 } else { 1115 put_unaligned_le16(__pack_enhanced_control(control), 1116 skb->data + L2CAP_HDR_SIZE); 1117 } 1118 } 1119 1120 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan) 1121 { 1122 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1123 return L2CAP_EXT_HDR_SIZE; 1124 else 1125 return L2CAP_ENH_HDR_SIZE; 1126 } 1127 1128 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan, 1129 u32 control) 1130 { 1131 struct sk_buff *skb; 1132 struct l2cap_hdr *lh; 1133 int hlen = __ertm_hdr_size(chan); 1134 1135 if (chan->fcs == L2CAP_FCS_CRC16) 1136 hlen += L2CAP_FCS_SIZE; 1137 1138 skb = bt_skb_alloc(hlen, GFP_KERNEL); 1139 1140 if (!skb) 1141 return ERR_PTR(-ENOMEM); 1142 1143 lh = skb_put(skb, L2CAP_HDR_SIZE); 1144 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE); 1145 lh->cid = cpu_to_le16(chan->dcid); 1146 1147 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1148 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 1149 else 1150 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 1151 1152 if (chan->fcs == L2CAP_FCS_CRC16) { 1153 u16 fcs = crc16(0, (u8 *)skb->data, skb->len); 1154 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1155 } 1156 1157 skb->priority = HCI_PRIO_MAX; 1158 return skb; 1159 } 1160 1161 static void l2cap_send_sframe(struct l2cap_chan *chan, 1162 struct l2cap_ctrl *control) 1163 { 1164 struct sk_buff *skb; 1165 u32 control_field; 1166 1167 BT_DBG("chan %p, control %p", chan, control); 1168 1169 if (!control->sframe) 1170 return; 1171 1172 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) && 1173 !control->poll) 1174 control->final = 1; 1175 1176 if (control->super == L2CAP_SUPER_RR) 1177 clear_bit(CONN_RNR_SENT, &chan->conn_state); 1178 else if (control->super == L2CAP_SUPER_RNR) 1179 set_bit(CONN_RNR_SENT, &chan->conn_state); 1180 1181 if (control->super != L2CAP_SUPER_SREJ) { 1182 chan->last_acked_seq = control->reqseq; 1183 __clear_ack_timer(chan); 1184 } 1185 1186 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq, 1187 control->final, control->poll, control->super); 1188 1189 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 1190 control_field = __pack_extended_control(control); 1191 else 1192 control_field = __pack_enhanced_control(control); 1193 1194 skb = l2cap_create_sframe_pdu(chan, control_field); 1195 if (!IS_ERR(skb)) 1196 l2cap_do_send(chan, skb); 1197 } 1198 1199 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll) 1200 { 1201 struct l2cap_ctrl control; 1202 1203 BT_DBG("chan %p, poll %d", chan, poll); 1204 1205 memset(&control, 0, sizeof(control)); 1206 control.sframe = 1; 1207 control.poll = poll; 1208 1209 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 1210 control.super = L2CAP_SUPER_RNR; 1211 else 1212 control.super = L2CAP_SUPER_RR; 1213 1214 control.reqseq = chan->buffer_seq; 1215 l2cap_send_sframe(chan, &control); 1216 } 1217 1218 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan) 1219 { 1220 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 1221 return true; 1222 1223 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state); 1224 } 1225 1226 void l2cap_send_conn_req(struct l2cap_chan *chan) 1227 { 1228 struct l2cap_conn *conn = chan->conn; 1229 struct l2cap_conn_req req; 1230 1231 req.scid = cpu_to_le16(chan->scid); 1232 req.psm = chan->psm; 1233 1234 chan->ident = l2cap_get_ident(conn); 1235 1236 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 1237 1238 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req); 1239 } 1240 1241 static void l2cap_chan_ready(struct l2cap_chan *chan) 1242 { 1243 /* The channel may have already been flagged as connected in 1244 * case of receiving data before the L2CAP info req/rsp 1245 * procedure is complete. 1246 */ 1247 if (chan->state == BT_CONNECTED) 1248 return; 1249 1250 /* This clears all conf flags, including CONF_NOT_COMPLETE */ 1251 chan->conf_state = 0; 1252 __clear_chan_timer(chan); 1253 1254 switch (chan->mode) { 1255 case L2CAP_MODE_LE_FLOWCTL: 1256 case L2CAP_MODE_EXT_FLOWCTL: 1257 if (!chan->tx_credits) 1258 chan->ops->suspend(chan); 1259 break; 1260 } 1261 1262 chan->state = BT_CONNECTED; 1263 1264 chan->ops->ready(chan); 1265 } 1266 1267 static void l2cap_le_connect(struct l2cap_chan *chan) 1268 { 1269 struct l2cap_conn *conn = chan->conn; 1270 struct l2cap_le_conn_req req; 1271 1272 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags)) 1273 return; 1274 1275 if (!chan->imtu) 1276 chan->imtu = chan->conn->mtu; 1277 1278 l2cap_le_flowctl_init(chan, 0); 1279 1280 memset(&req, 0, sizeof(req)); 1281 req.psm = chan->psm; 1282 req.scid = cpu_to_le16(chan->scid); 1283 req.mtu = cpu_to_le16(chan->imtu); 1284 req.mps = cpu_to_le16(chan->mps); 1285 req.credits = cpu_to_le16(chan->rx_credits); 1286 1287 chan->ident = l2cap_get_ident(conn); 1288 1289 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ, 1290 sizeof(req), &req); 1291 } 1292 1293 struct l2cap_ecred_conn_data { 1294 struct { 1295 struct l2cap_ecred_conn_req_hdr req; 1296 __le16 scid[5]; 1297 } __packed pdu; 1298 struct l2cap_chan *chan; 1299 struct pid *pid; 1300 int count; 1301 }; 1302 1303 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data) 1304 { 1305 struct l2cap_ecred_conn_data *conn = data; 1306 struct pid *pid; 1307 1308 if (chan == conn->chan) 1309 return; 1310 1311 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags)) 1312 return; 1313 1314 pid = chan->ops->get_peer_pid(chan); 1315 1316 /* Only add deferred channels with the same PID/PSM */ 1317 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident || 1318 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT) 1319 return; 1320 1321 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 1322 return; 1323 1324 l2cap_ecred_init(chan, 0); 1325 1326 /* Set the same ident so we can match on the rsp */ 1327 chan->ident = conn->chan->ident; 1328 1329 /* Include all channels deferred */ 1330 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid); 1331 1332 conn->count++; 1333 } 1334 1335 static void l2cap_ecred_connect(struct l2cap_chan *chan) 1336 { 1337 struct l2cap_conn *conn = chan->conn; 1338 struct l2cap_ecred_conn_data data; 1339 1340 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) 1341 return; 1342 1343 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 1344 return; 1345 1346 l2cap_ecred_init(chan, 0); 1347 1348 memset(&data, 0, sizeof(data)); 1349 data.pdu.req.psm = chan->psm; 1350 data.pdu.req.mtu = cpu_to_le16(chan->imtu); 1351 data.pdu.req.mps = cpu_to_le16(chan->mps); 1352 data.pdu.req.credits = cpu_to_le16(chan->rx_credits); 1353 data.pdu.scid[0] = cpu_to_le16(chan->scid); 1354 1355 chan->ident = l2cap_get_ident(conn); 1356 1357 data.count = 1; 1358 data.chan = chan; 1359 data.pid = chan->ops->get_peer_pid(chan); 1360 1361 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data); 1362 1363 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ, 1364 sizeof(data.pdu.req) + data.count * sizeof(__le16), 1365 &data.pdu); 1366 } 1367 1368 static void l2cap_le_start(struct l2cap_chan *chan) 1369 { 1370 struct l2cap_conn *conn = chan->conn; 1371 1372 if (!smp_conn_security(conn->hcon, chan->sec_level)) 1373 return; 1374 1375 if (!chan->psm) { 1376 l2cap_chan_ready(chan); 1377 return; 1378 } 1379 1380 if (chan->state == BT_CONNECT) { 1381 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) 1382 l2cap_ecred_connect(chan); 1383 else 1384 l2cap_le_connect(chan); 1385 } 1386 } 1387 1388 static void l2cap_start_connection(struct l2cap_chan *chan) 1389 { 1390 if (chan->conn->hcon->type == LE_LINK) { 1391 l2cap_le_start(chan); 1392 } else { 1393 l2cap_send_conn_req(chan); 1394 } 1395 } 1396 1397 static void l2cap_request_info(struct l2cap_conn *conn) 1398 { 1399 struct l2cap_info_req req; 1400 1401 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1402 return; 1403 1404 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 1405 1406 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 1407 conn->info_ident = l2cap_get_ident(conn); 1408 1409 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 1410 1411 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ, 1412 sizeof(req), &req); 1413 } 1414 1415 static bool l2cap_check_enc_key_size(struct hci_conn *hcon, 1416 struct l2cap_chan *chan) 1417 { 1418 /* The minimum encryption key size needs to be enforced by the 1419 * host stack before establishing any L2CAP connections. The 1420 * specification in theory allows a minimum of 1, but to align 1421 * BR/EDR and LE transports, a minimum of 7 is chosen. 1422 * 1423 * This check might also be called for unencrypted connections 1424 * that have no key size requirements. Ensure that the link is 1425 * actually encrypted before enforcing a key size. 1426 */ 1427 int min_key_size = hcon->hdev->min_enc_key_size; 1428 1429 /* On FIPS security level, key size must be 16 bytes */ 1430 if (chan->sec_level == BT_SECURITY_FIPS) 1431 min_key_size = 16; 1432 1433 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) || 1434 hcon->enc_key_size >= min_key_size); 1435 } 1436 1437 static void l2cap_do_start(struct l2cap_chan *chan) 1438 { 1439 struct l2cap_conn *conn = chan->conn; 1440 1441 if (conn->hcon->type == LE_LINK) { 1442 l2cap_le_start(chan); 1443 return; 1444 } 1445 1446 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) { 1447 l2cap_request_info(conn); 1448 return; 1449 } 1450 1451 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 1452 return; 1453 1454 if (!l2cap_chan_check_security(chan, true) || 1455 !__l2cap_no_conn_pending(chan)) 1456 return; 1457 1458 if (l2cap_check_enc_key_size(conn->hcon, chan)) 1459 l2cap_start_connection(chan); 1460 else 1461 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 1462 } 1463 1464 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask) 1465 { 1466 u32 local_feat_mask = l2cap_feat_mask; 1467 if (!disable_ertm) 1468 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING; 1469 1470 switch (mode) { 1471 case L2CAP_MODE_ERTM: 1472 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask; 1473 case L2CAP_MODE_STREAMING: 1474 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask; 1475 default: 1476 return 0x00; 1477 } 1478 } 1479 1480 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err) 1481 { 1482 struct l2cap_conn *conn = chan->conn; 1483 struct l2cap_disconn_req req; 1484 1485 if (!conn) 1486 return; 1487 1488 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) { 1489 __clear_retrans_timer(chan); 1490 __clear_monitor_timer(chan); 1491 __clear_ack_timer(chan); 1492 } 1493 1494 req.dcid = cpu_to_le16(chan->dcid); 1495 req.scid = cpu_to_le16(chan->scid); 1496 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ, 1497 sizeof(req), &req); 1498 1499 l2cap_state_change_and_error(chan, BT_DISCONN, err); 1500 } 1501 1502 /* ---- L2CAP connections ---- */ 1503 static void l2cap_conn_start(struct l2cap_conn *conn) 1504 { 1505 struct l2cap_chan *chan, *tmp; 1506 1507 BT_DBG("conn %p", conn); 1508 1509 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 1510 l2cap_chan_lock(chan); 1511 1512 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1513 l2cap_chan_ready(chan); 1514 l2cap_chan_unlock(chan); 1515 continue; 1516 } 1517 1518 if (chan->state == BT_CONNECT) { 1519 if (!l2cap_chan_check_security(chan, true) || 1520 !__l2cap_no_conn_pending(chan)) { 1521 l2cap_chan_unlock(chan); 1522 continue; 1523 } 1524 1525 if (!l2cap_mode_supported(chan->mode, conn->feat_mask) 1526 && test_bit(CONF_STATE2_DEVICE, 1527 &chan->conf_state)) { 1528 l2cap_chan_close(chan, ECONNRESET); 1529 l2cap_chan_unlock(chan); 1530 continue; 1531 } 1532 1533 if (l2cap_check_enc_key_size(conn->hcon, chan)) 1534 l2cap_start_connection(chan); 1535 else 1536 l2cap_chan_close(chan, ECONNREFUSED); 1537 1538 } else if (chan->state == BT_CONNECT2) { 1539 struct l2cap_conn_rsp rsp; 1540 char buf[128]; 1541 rsp.scid = cpu_to_le16(chan->dcid); 1542 rsp.dcid = cpu_to_le16(chan->scid); 1543 1544 if (l2cap_chan_check_security(chan, false)) { 1545 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 1546 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 1547 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND); 1548 chan->ops->defer(chan); 1549 1550 } else { 1551 l2cap_state_change(chan, BT_CONFIG); 1552 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 1553 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 1554 } 1555 } else { 1556 rsp.result = cpu_to_le16(L2CAP_CR_PEND); 1557 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND); 1558 } 1559 1560 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 1561 sizeof(rsp), &rsp); 1562 1563 if (test_bit(CONF_REQ_SENT, &chan->conf_state) || 1564 rsp.result != L2CAP_CR_SUCCESS) { 1565 l2cap_chan_unlock(chan); 1566 continue; 1567 } 1568 1569 set_bit(CONF_REQ_SENT, &chan->conf_state); 1570 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 1571 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 1572 chan->num_conf_req++; 1573 } 1574 1575 l2cap_chan_unlock(chan); 1576 } 1577 } 1578 1579 static void l2cap_le_conn_ready(struct l2cap_conn *conn) 1580 { 1581 struct hci_conn *hcon = conn->hcon; 1582 struct hci_dev *hdev = hcon->hdev; 1583 1584 BT_DBG("%s conn %p", hdev->name, conn); 1585 1586 /* For outgoing pairing which doesn't necessarily have an 1587 * associated socket (e.g. mgmt_pair_device). 1588 */ 1589 if (hcon->out) 1590 smp_conn_security(hcon, hcon->pending_sec_level); 1591 1592 /* For LE peripheral connections, make sure the connection interval 1593 * is in the range of the minimum and maximum interval that has 1594 * been configured for this connection. If not, then trigger 1595 * the connection update procedure. 1596 */ 1597 if (hcon->role == HCI_ROLE_SLAVE && 1598 (hcon->le_conn_interval < hcon->le_conn_min_interval || 1599 hcon->le_conn_interval > hcon->le_conn_max_interval)) { 1600 struct l2cap_conn_param_update_req req; 1601 1602 req.min = cpu_to_le16(hcon->le_conn_min_interval); 1603 req.max = cpu_to_le16(hcon->le_conn_max_interval); 1604 req.latency = cpu_to_le16(hcon->le_conn_latency); 1605 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout); 1606 1607 l2cap_send_cmd(conn, l2cap_get_ident(conn), 1608 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req); 1609 } 1610 } 1611 1612 static void l2cap_conn_ready(struct l2cap_conn *conn) 1613 { 1614 struct l2cap_chan *chan; 1615 struct hci_conn *hcon = conn->hcon; 1616 1617 BT_DBG("conn %p", conn); 1618 1619 if (hcon->type == ACL_LINK) 1620 l2cap_request_info(conn); 1621 1622 mutex_lock(&conn->lock); 1623 1624 list_for_each_entry(chan, &conn->chan_l, list) { 1625 1626 l2cap_chan_lock(chan); 1627 1628 if (hcon->type == LE_LINK) { 1629 l2cap_le_start(chan); 1630 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1631 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 1632 l2cap_chan_ready(chan); 1633 } else if (chan->state == BT_CONNECT) { 1634 l2cap_do_start(chan); 1635 } 1636 1637 l2cap_chan_unlock(chan); 1638 } 1639 1640 mutex_unlock(&conn->lock); 1641 1642 if (hcon->type == LE_LINK) 1643 l2cap_le_conn_ready(conn); 1644 1645 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work); 1646 } 1647 1648 /* Notify sockets that we cannot guaranty reliability anymore */ 1649 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err) 1650 { 1651 struct l2cap_chan *chan; 1652 1653 BT_DBG("conn %p", conn); 1654 1655 list_for_each_entry(chan, &conn->chan_l, list) { 1656 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 1657 l2cap_chan_set_err(chan, err); 1658 } 1659 } 1660 1661 static void l2cap_info_timeout(struct work_struct *work) 1662 { 1663 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 1664 info_timer.work); 1665 1666 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 1667 conn->info_ident = 0; 1668 1669 mutex_lock(&conn->lock); 1670 l2cap_conn_start(conn); 1671 mutex_unlock(&conn->lock); 1672 } 1673 1674 /* 1675 * l2cap_user 1676 * External modules can register l2cap_user objects on l2cap_conn. The ->probe 1677 * callback is called during registration. The ->remove callback is called 1678 * during unregistration. 1679 * An l2cap_user object can either be explicitly unregistered or when the 1680 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon, 1681 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called. 1682 * External modules must own a reference to the l2cap_conn object if they intend 1683 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at 1684 * any time if they don't. 1685 */ 1686 1687 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user) 1688 { 1689 struct hci_dev *hdev = conn->hcon->hdev; 1690 int ret; 1691 1692 /* We need to check whether l2cap_conn is registered. If it is not, we 1693 * must not register the l2cap_user. l2cap_conn_del() is unregisters 1694 * l2cap_conn objects, but doesn't provide its own locking. Instead, it 1695 * relies on the parent hci_conn object to be locked. This itself relies 1696 * on the hci_dev object to be locked. So we must lock the hci device 1697 * here, too. */ 1698 1699 hci_dev_lock(hdev); 1700 1701 if (!list_empty(&user->list)) { 1702 ret = -EINVAL; 1703 goto out_unlock; 1704 } 1705 1706 /* conn->hchan is NULL after l2cap_conn_del() was called */ 1707 if (!conn->hchan) { 1708 ret = -ENODEV; 1709 goto out_unlock; 1710 } 1711 1712 ret = user->probe(conn, user); 1713 if (ret) 1714 goto out_unlock; 1715 1716 list_add(&user->list, &conn->users); 1717 ret = 0; 1718 1719 out_unlock: 1720 hci_dev_unlock(hdev); 1721 return ret; 1722 } 1723 EXPORT_SYMBOL(l2cap_register_user); 1724 1725 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user) 1726 { 1727 struct hci_dev *hdev = conn->hcon->hdev; 1728 1729 hci_dev_lock(hdev); 1730 1731 if (list_empty(&user->list)) 1732 goto out_unlock; 1733 1734 list_del_init(&user->list); 1735 user->remove(conn, user); 1736 1737 out_unlock: 1738 hci_dev_unlock(hdev); 1739 } 1740 EXPORT_SYMBOL(l2cap_unregister_user); 1741 1742 static void l2cap_unregister_all_users(struct l2cap_conn *conn) 1743 { 1744 struct l2cap_user *user; 1745 1746 while (!list_empty(&conn->users)) { 1747 user = list_first_entry(&conn->users, struct l2cap_user, list); 1748 list_del_init(&user->list); 1749 user->remove(conn, user); 1750 } 1751 } 1752 1753 static void l2cap_conn_del(struct hci_conn *hcon, int err) 1754 { 1755 struct l2cap_conn *conn = hcon->l2cap_data; 1756 struct l2cap_chan *chan, *l; 1757 1758 if (!conn) 1759 return; 1760 1761 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); 1762 1763 mutex_lock(&conn->lock); 1764 1765 kfree_skb(conn->rx_skb); 1766 1767 skb_queue_purge(&conn->pending_rx); 1768 1769 /* We can not call flush_work(&conn->pending_rx_work) here since we 1770 * might block if we are running on a worker from the same workqueue 1771 * pending_rx_work is waiting on. 1772 */ 1773 if (work_pending(&conn->pending_rx_work)) 1774 cancel_work_sync(&conn->pending_rx_work); 1775 1776 cancel_delayed_work_sync(&conn->id_addr_timer); 1777 1778 l2cap_unregister_all_users(conn); 1779 1780 /* Force the connection to be immediately dropped */ 1781 hcon->disc_timeout = 0; 1782 1783 /* Kill channels */ 1784 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 1785 l2cap_chan_hold(chan); 1786 l2cap_chan_lock(chan); 1787 1788 l2cap_chan_del(chan, err); 1789 1790 chan->ops->close(chan); 1791 1792 l2cap_chan_unlock(chan); 1793 l2cap_chan_put(chan); 1794 } 1795 1796 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1797 cancel_delayed_work_sync(&conn->info_timer); 1798 1799 hci_chan_del(conn->hchan); 1800 conn->hchan = NULL; 1801 1802 hcon->l2cap_data = NULL; 1803 mutex_unlock(&conn->lock); 1804 l2cap_conn_put(conn); 1805 } 1806 1807 static void l2cap_conn_free(struct kref *ref) 1808 { 1809 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref); 1810 1811 hci_conn_put(conn->hcon); 1812 kfree(conn); 1813 } 1814 1815 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn) 1816 { 1817 kref_get(&conn->ref); 1818 return conn; 1819 } 1820 EXPORT_SYMBOL(l2cap_conn_get); 1821 1822 void l2cap_conn_put(struct l2cap_conn *conn) 1823 { 1824 kref_put(&conn->ref, l2cap_conn_free); 1825 } 1826 EXPORT_SYMBOL(l2cap_conn_put); 1827 1828 /* ---- Socket interface ---- */ 1829 1830 /* Find socket with psm and source / destination bdaddr. 1831 * Returns closest match. 1832 */ 1833 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, 1834 bdaddr_t *src, 1835 bdaddr_t *dst, 1836 u8 link_type) 1837 { 1838 struct l2cap_chan *c, *tmp, *c1 = NULL; 1839 1840 read_lock(&chan_list_lock); 1841 1842 list_for_each_entry_safe(c, tmp, &chan_list, global_l) { 1843 if (state && c->state != state) 1844 continue; 1845 1846 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR) 1847 continue; 1848 1849 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR) 1850 continue; 1851 1852 if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) { 1853 int src_match, dst_match; 1854 int src_any, dst_any; 1855 1856 /* Exact match. */ 1857 src_match = !bacmp(&c->src, src); 1858 dst_match = !bacmp(&c->dst, dst); 1859 if (src_match && dst_match) { 1860 if (!l2cap_chan_hold_unless_zero(c)) 1861 continue; 1862 1863 read_unlock(&chan_list_lock); 1864 return c; 1865 } 1866 1867 /* Closest match */ 1868 src_any = !bacmp(&c->src, BDADDR_ANY); 1869 dst_any = !bacmp(&c->dst, BDADDR_ANY); 1870 if ((src_match && dst_any) || (src_any && dst_match) || 1871 (src_any && dst_any)) 1872 c1 = c; 1873 } 1874 } 1875 1876 if (c1) 1877 c1 = l2cap_chan_hold_unless_zero(c1); 1878 1879 read_unlock(&chan_list_lock); 1880 1881 return c1; 1882 } 1883 1884 static void l2cap_monitor_timeout(struct work_struct *work) 1885 { 1886 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1887 monitor_timer.work); 1888 1889 BT_DBG("chan %p", chan); 1890 1891 l2cap_chan_lock(chan); 1892 1893 if (!chan->conn) { 1894 l2cap_chan_unlock(chan); 1895 l2cap_chan_put(chan); 1896 return; 1897 } 1898 1899 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO); 1900 1901 l2cap_chan_unlock(chan); 1902 l2cap_chan_put(chan); 1903 } 1904 1905 static void l2cap_retrans_timeout(struct work_struct *work) 1906 { 1907 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 1908 retrans_timer.work); 1909 1910 BT_DBG("chan %p", chan); 1911 1912 l2cap_chan_lock(chan); 1913 1914 if (!chan->conn) { 1915 l2cap_chan_unlock(chan); 1916 l2cap_chan_put(chan); 1917 return; 1918 } 1919 1920 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO); 1921 l2cap_chan_unlock(chan); 1922 l2cap_chan_put(chan); 1923 } 1924 1925 static void l2cap_streaming_send(struct l2cap_chan *chan, 1926 struct sk_buff_head *skbs) 1927 { 1928 struct sk_buff *skb; 1929 struct l2cap_ctrl *control; 1930 1931 BT_DBG("chan %p, skbs %p", chan, skbs); 1932 1933 skb_queue_splice_tail_init(skbs, &chan->tx_q); 1934 1935 while (!skb_queue_empty(&chan->tx_q)) { 1936 1937 skb = skb_dequeue(&chan->tx_q); 1938 1939 bt_cb(skb)->l2cap.retries = 1; 1940 control = &bt_cb(skb)->l2cap; 1941 1942 control->reqseq = 0; 1943 control->txseq = chan->next_tx_seq; 1944 1945 __pack_control(chan, control, skb); 1946 1947 if (chan->fcs == L2CAP_FCS_CRC16) { 1948 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 1949 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1950 } 1951 1952 l2cap_do_send(chan, skb); 1953 1954 BT_DBG("Sent txseq %u", control->txseq); 1955 1956 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 1957 chan->frames_sent++; 1958 } 1959 } 1960 1961 static int l2cap_ertm_send(struct l2cap_chan *chan) 1962 { 1963 struct sk_buff *skb, *tx_skb; 1964 struct l2cap_ctrl *control; 1965 int sent = 0; 1966 1967 BT_DBG("chan %p", chan); 1968 1969 if (chan->state != BT_CONNECTED) 1970 return -ENOTCONN; 1971 1972 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 1973 return 0; 1974 1975 while (chan->tx_send_head && 1976 chan->unacked_frames < chan->remote_tx_win && 1977 chan->tx_state == L2CAP_TX_STATE_XMIT) { 1978 1979 skb = chan->tx_send_head; 1980 1981 bt_cb(skb)->l2cap.retries = 1; 1982 control = &bt_cb(skb)->l2cap; 1983 1984 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 1985 control->final = 1; 1986 1987 control->reqseq = chan->buffer_seq; 1988 chan->last_acked_seq = chan->buffer_seq; 1989 control->txseq = chan->next_tx_seq; 1990 1991 __pack_control(chan, control, skb); 1992 1993 if (chan->fcs == L2CAP_FCS_CRC16) { 1994 u16 fcs = crc16(0, (u8 *) skb->data, skb->len); 1995 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE)); 1996 } 1997 1998 /* Clone after data has been modified. Data is assumed to be 1999 read-only (for locking purposes) on cloned sk_buffs. 2000 */ 2001 tx_skb = skb_clone(skb, GFP_KERNEL); 2002 2003 if (!tx_skb) 2004 break; 2005 2006 __set_retrans_timer(chan); 2007 2008 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq); 2009 chan->unacked_frames++; 2010 chan->frames_sent++; 2011 sent++; 2012 2013 if (skb_queue_is_last(&chan->tx_q, skb)) 2014 chan->tx_send_head = NULL; 2015 else 2016 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb); 2017 2018 l2cap_do_send(chan, tx_skb); 2019 BT_DBG("Sent txseq %u", control->txseq); 2020 } 2021 2022 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent, 2023 chan->unacked_frames, skb_queue_len(&chan->tx_q)); 2024 2025 return sent; 2026 } 2027 2028 static void l2cap_ertm_resend(struct l2cap_chan *chan) 2029 { 2030 struct l2cap_ctrl control; 2031 struct sk_buff *skb; 2032 struct sk_buff *tx_skb; 2033 u16 seq; 2034 2035 BT_DBG("chan %p", chan); 2036 2037 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2038 return; 2039 2040 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) { 2041 seq = l2cap_seq_list_pop(&chan->retrans_list); 2042 2043 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq); 2044 if (!skb) { 2045 BT_DBG("Error: Can't retransmit seq %d, frame missing", 2046 seq); 2047 continue; 2048 } 2049 2050 bt_cb(skb)->l2cap.retries++; 2051 control = bt_cb(skb)->l2cap; 2052 2053 if (chan->max_tx != 0 && 2054 bt_cb(skb)->l2cap.retries > chan->max_tx) { 2055 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 2056 l2cap_send_disconn_req(chan, ECONNRESET); 2057 l2cap_seq_list_clear(&chan->retrans_list); 2058 break; 2059 } 2060 2061 control.reqseq = chan->buffer_seq; 2062 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state)) 2063 control.final = 1; 2064 else 2065 control.final = 0; 2066 2067 if (skb_cloned(skb)) { 2068 /* Cloned sk_buffs are read-only, so we need a 2069 * writeable copy 2070 */ 2071 tx_skb = skb_copy(skb, GFP_KERNEL); 2072 } else { 2073 tx_skb = skb_clone(skb, GFP_KERNEL); 2074 } 2075 2076 if (!tx_skb) { 2077 l2cap_seq_list_clear(&chan->retrans_list); 2078 break; 2079 } 2080 2081 /* Update skb contents */ 2082 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) { 2083 put_unaligned_le32(__pack_extended_control(&control), 2084 tx_skb->data + L2CAP_HDR_SIZE); 2085 } else { 2086 put_unaligned_le16(__pack_enhanced_control(&control), 2087 tx_skb->data + L2CAP_HDR_SIZE); 2088 } 2089 2090 /* Update FCS */ 2091 if (chan->fcs == L2CAP_FCS_CRC16) { 2092 u16 fcs = crc16(0, (u8 *) tx_skb->data, 2093 tx_skb->len - L2CAP_FCS_SIZE); 2094 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) - 2095 L2CAP_FCS_SIZE); 2096 } 2097 2098 l2cap_do_send(chan, tx_skb); 2099 2100 BT_DBG("Resent txseq %d", control.txseq); 2101 2102 chan->last_acked_seq = chan->buffer_seq; 2103 } 2104 } 2105 2106 static void l2cap_retransmit(struct l2cap_chan *chan, 2107 struct l2cap_ctrl *control) 2108 { 2109 BT_DBG("chan %p, control %p", chan, control); 2110 2111 l2cap_seq_list_append(&chan->retrans_list, control->reqseq); 2112 l2cap_ertm_resend(chan); 2113 } 2114 2115 static void l2cap_retransmit_all(struct l2cap_chan *chan, 2116 struct l2cap_ctrl *control) 2117 { 2118 struct sk_buff *skb; 2119 2120 BT_DBG("chan %p, control %p", chan, control); 2121 2122 if (control->poll) 2123 set_bit(CONN_SEND_FBIT, &chan->conn_state); 2124 2125 l2cap_seq_list_clear(&chan->retrans_list); 2126 2127 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) 2128 return; 2129 2130 if (chan->unacked_frames) { 2131 skb_queue_walk(&chan->tx_q, skb) { 2132 if (bt_cb(skb)->l2cap.txseq == control->reqseq || 2133 skb == chan->tx_send_head) 2134 break; 2135 } 2136 2137 skb_queue_walk_from(&chan->tx_q, skb) { 2138 if (skb == chan->tx_send_head) 2139 break; 2140 2141 l2cap_seq_list_append(&chan->retrans_list, 2142 bt_cb(skb)->l2cap.txseq); 2143 } 2144 2145 l2cap_ertm_resend(chan); 2146 } 2147 } 2148 2149 static void l2cap_send_ack(struct l2cap_chan *chan) 2150 { 2151 struct l2cap_ctrl control; 2152 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 2153 chan->last_acked_seq); 2154 int threshold; 2155 2156 BT_DBG("chan %p last_acked_seq %d buffer_seq %d", 2157 chan, chan->last_acked_seq, chan->buffer_seq); 2158 2159 memset(&control, 0, sizeof(control)); 2160 control.sframe = 1; 2161 2162 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 2163 chan->rx_state == L2CAP_RX_STATE_RECV) { 2164 __clear_ack_timer(chan); 2165 control.super = L2CAP_SUPER_RNR; 2166 control.reqseq = chan->buffer_seq; 2167 l2cap_send_sframe(chan, &control); 2168 } else { 2169 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) { 2170 l2cap_ertm_send(chan); 2171 /* If any i-frames were sent, they included an ack */ 2172 if (chan->buffer_seq == chan->last_acked_seq) 2173 frames_to_ack = 0; 2174 } 2175 2176 /* Ack now if the window is 3/4ths full. 2177 * Calculate without mul or div 2178 */ 2179 threshold = chan->ack_win; 2180 threshold += threshold << 1; 2181 threshold >>= 2; 2182 2183 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack, 2184 threshold); 2185 2186 if (frames_to_ack >= threshold) { 2187 __clear_ack_timer(chan); 2188 control.super = L2CAP_SUPER_RR; 2189 control.reqseq = chan->buffer_seq; 2190 l2cap_send_sframe(chan, &control); 2191 frames_to_ack = 0; 2192 } 2193 2194 if (frames_to_ack) 2195 __set_ack_timer(chan); 2196 } 2197 } 2198 2199 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan, 2200 struct msghdr *msg, int len, 2201 int count, struct sk_buff *skb) 2202 { 2203 struct l2cap_conn *conn = chan->conn; 2204 struct sk_buff **frag; 2205 int sent = 0; 2206 2207 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter)) 2208 return -EFAULT; 2209 2210 sent += count; 2211 len -= count; 2212 2213 /* Continuation fragments (no L2CAP header) */ 2214 frag = &skb_shinfo(skb)->frag_list; 2215 while (len) { 2216 struct sk_buff *tmp; 2217 2218 count = min_t(unsigned int, conn->mtu, len); 2219 2220 tmp = chan->ops->alloc_skb(chan, 0, count, 2221 msg->msg_flags & MSG_DONTWAIT); 2222 if (IS_ERR(tmp)) 2223 return PTR_ERR(tmp); 2224 2225 *frag = tmp; 2226 2227 if (!copy_from_iter_full(skb_put(*frag, count), count, 2228 &msg->msg_iter)) 2229 return -EFAULT; 2230 2231 sent += count; 2232 len -= count; 2233 2234 skb->len += (*frag)->len; 2235 skb->data_len += (*frag)->len; 2236 2237 frag = &(*frag)->next; 2238 } 2239 2240 return sent; 2241 } 2242 2243 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, 2244 struct msghdr *msg, size_t len) 2245 { 2246 struct l2cap_conn *conn = chan->conn; 2247 struct sk_buff *skb; 2248 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE; 2249 struct l2cap_hdr *lh; 2250 2251 BT_DBG("chan %p psm 0x%2.2x len %zu", chan, 2252 __le16_to_cpu(chan->psm), len); 2253 2254 count = min_t(unsigned int, (conn->mtu - hlen), len); 2255 2256 skb = chan->ops->alloc_skb(chan, hlen, count, 2257 msg->msg_flags & MSG_DONTWAIT); 2258 if (IS_ERR(skb)) 2259 return skb; 2260 2261 /* Create L2CAP header */ 2262 lh = skb_put(skb, L2CAP_HDR_SIZE); 2263 lh->cid = cpu_to_le16(chan->dcid); 2264 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE); 2265 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE)); 2266 2267 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2268 if (unlikely(err < 0)) { 2269 kfree_skb(skb); 2270 return ERR_PTR(err); 2271 } 2272 return skb; 2273 } 2274 2275 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, 2276 struct msghdr *msg, size_t len) 2277 { 2278 struct l2cap_conn *conn = chan->conn; 2279 struct sk_buff *skb; 2280 int err, count; 2281 struct l2cap_hdr *lh; 2282 2283 BT_DBG("chan %p len %zu", chan, len); 2284 2285 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len); 2286 2287 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count, 2288 msg->msg_flags & MSG_DONTWAIT); 2289 if (IS_ERR(skb)) 2290 return skb; 2291 2292 /* Create L2CAP header */ 2293 lh = skb_put(skb, L2CAP_HDR_SIZE); 2294 lh->cid = cpu_to_le16(chan->dcid); 2295 lh->len = cpu_to_le16(len); 2296 2297 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2298 if (unlikely(err < 0)) { 2299 kfree_skb(skb); 2300 return ERR_PTR(err); 2301 } 2302 return skb; 2303 } 2304 2305 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, 2306 struct msghdr *msg, size_t len, 2307 u16 sdulen) 2308 { 2309 struct l2cap_conn *conn = chan->conn; 2310 struct sk_buff *skb; 2311 int err, count, hlen; 2312 struct l2cap_hdr *lh; 2313 2314 BT_DBG("chan %p len %zu", chan, len); 2315 2316 if (!conn) 2317 return ERR_PTR(-ENOTCONN); 2318 2319 hlen = __ertm_hdr_size(chan); 2320 2321 if (sdulen) 2322 hlen += L2CAP_SDULEN_SIZE; 2323 2324 if (chan->fcs == L2CAP_FCS_CRC16) 2325 hlen += L2CAP_FCS_SIZE; 2326 2327 count = min_t(unsigned int, (conn->mtu - hlen), len); 2328 2329 skb = chan->ops->alloc_skb(chan, hlen, count, 2330 msg->msg_flags & MSG_DONTWAIT); 2331 if (IS_ERR(skb)) 2332 return skb; 2333 2334 /* Create L2CAP header */ 2335 lh = skb_put(skb, L2CAP_HDR_SIZE); 2336 lh->cid = cpu_to_le16(chan->dcid); 2337 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2338 2339 /* Control header is populated later */ 2340 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 2341 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE)); 2342 else 2343 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE)); 2344 2345 if (sdulen) 2346 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2347 2348 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2349 if (unlikely(err < 0)) { 2350 kfree_skb(skb); 2351 return ERR_PTR(err); 2352 } 2353 2354 bt_cb(skb)->l2cap.fcs = chan->fcs; 2355 bt_cb(skb)->l2cap.retries = 0; 2356 return skb; 2357 } 2358 2359 static int l2cap_segment_sdu(struct l2cap_chan *chan, 2360 struct sk_buff_head *seg_queue, 2361 struct msghdr *msg, size_t len) 2362 { 2363 struct sk_buff *skb; 2364 u16 sdu_len; 2365 size_t pdu_len; 2366 u8 sar; 2367 2368 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2369 2370 /* It is critical that ERTM PDUs fit in a single HCI fragment, 2371 * so fragmented skbs are not used. The HCI layer's handling 2372 * of fragmented skbs is not compatible with ERTM's queueing. 2373 */ 2374 2375 /* PDU size is derived from the HCI MTU */ 2376 pdu_len = chan->conn->mtu; 2377 2378 /* Constrain PDU size for BR/EDR connections */ 2379 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD); 2380 2381 /* Adjust for largest possible L2CAP overhead. */ 2382 if (chan->fcs) 2383 pdu_len -= L2CAP_FCS_SIZE; 2384 2385 pdu_len -= __ertm_hdr_size(chan); 2386 2387 /* Remote device may have requested smaller PDUs */ 2388 pdu_len = min_t(size_t, pdu_len, chan->remote_mps); 2389 2390 if (len <= pdu_len) { 2391 sar = L2CAP_SAR_UNSEGMENTED; 2392 sdu_len = 0; 2393 pdu_len = len; 2394 } else { 2395 sar = L2CAP_SAR_START; 2396 sdu_len = len; 2397 } 2398 2399 while (len > 0) { 2400 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len); 2401 2402 if (IS_ERR(skb)) { 2403 __skb_queue_purge(seg_queue); 2404 return PTR_ERR(skb); 2405 } 2406 2407 bt_cb(skb)->l2cap.sar = sar; 2408 __skb_queue_tail(seg_queue, skb); 2409 2410 len -= pdu_len; 2411 if (sdu_len) 2412 sdu_len = 0; 2413 2414 if (len <= pdu_len) { 2415 sar = L2CAP_SAR_END; 2416 pdu_len = len; 2417 } else { 2418 sar = L2CAP_SAR_CONTINUE; 2419 } 2420 } 2421 2422 return 0; 2423 } 2424 2425 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan, 2426 struct msghdr *msg, 2427 size_t len, u16 sdulen) 2428 { 2429 struct l2cap_conn *conn = chan->conn; 2430 struct sk_buff *skb; 2431 int err, count, hlen; 2432 struct l2cap_hdr *lh; 2433 2434 BT_DBG("chan %p len %zu", chan, len); 2435 2436 if (!conn) 2437 return ERR_PTR(-ENOTCONN); 2438 2439 hlen = L2CAP_HDR_SIZE; 2440 2441 if (sdulen) 2442 hlen += L2CAP_SDULEN_SIZE; 2443 2444 count = min_t(unsigned int, (conn->mtu - hlen), len); 2445 2446 skb = chan->ops->alloc_skb(chan, hlen, count, 2447 msg->msg_flags & MSG_DONTWAIT); 2448 if (IS_ERR(skb)) 2449 return skb; 2450 2451 /* Create L2CAP header */ 2452 lh = skb_put(skb, L2CAP_HDR_SIZE); 2453 lh->cid = cpu_to_le16(chan->dcid); 2454 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE)); 2455 2456 if (sdulen) 2457 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE)); 2458 2459 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb); 2460 if (unlikely(err < 0)) { 2461 kfree_skb(skb); 2462 return ERR_PTR(err); 2463 } 2464 2465 return skb; 2466 } 2467 2468 static int l2cap_segment_le_sdu(struct l2cap_chan *chan, 2469 struct sk_buff_head *seg_queue, 2470 struct msghdr *msg, size_t len) 2471 { 2472 struct sk_buff *skb; 2473 size_t pdu_len; 2474 u16 sdu_len; 2475 2476 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); 2477 2478 sdu_len = len; 2479 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE; 2480 2481 while (len > 0) { 2482 if (len <= pdu_len) 2483 pdu_len = len; 2484 2485 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len); 2486 if (IS_ERR(skb)) { 2487 __skb_queue_purge(seg_queue); 2488 return PTR_ERR(skb); 2489 } 2490 2491 __skb_queue_tail(seg_queue, skb); 2492 2493 len -= pdu_len; 2494 2495 if (sdu_len) { 2496 sdu_len = 0; 2497 pdu_len += L2CAP_SDULEN_SIZE; 2498 } 2499 } 2500 2501 return 0; 2502 } 2503 2504 static void l2cap_le_flowctl_send(struct l2cap_chan *chan) 2505 { 2506 int sent = 0; 2507 2508 BT_DBG("chan %p", chan); 2509 2510 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) { 2511 l2cap_do_send(chan, skb_dequeue(&chan->tx_q)); 2512 chan->tx_credits--; 2513 sent++; 2514 } 2515 2516 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits, 2517 skb_queue_len(&chan->tx_q)); 2518 } 2519 2520 static void l2cap_tx_timestamp(struct sk_buff *skb, 2521 const struct sockcm_cookie *sockc, 2522 size_t len) 2523 { 2524 struct sock *sk = skb ? skb->sk : NULL; 2525 2526 if (sk && sk->sk_type == SOCK_STREAM) 2527 hci_setup_tx_timestamp(skb, len, sockc); 2528 else 2529 hci_setup_tx_timestamp(skb, 1, sockc); 2530 } 2531 2532 static void l2cap_tx_timestamp_seg(struct sk_buff_head *queue, 2533 const struct sockcm_cookie *sockc, 2534 size_t len) 2535 { 2536 struct sk_buff *skb = skb_peek(queue); 2537 struct sock *sk = skb ? skb->sk : NULL; 2538 2539 if (sk && sk->sk_type == SOCK_STREAM) 2540 l2cap_tx_timestamp(skb_peek_tail(queue), sockc, len); 2541 else 2542 l2cap_tx_timestamp(skb, sockc, len); 2543 } 2544 2545 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len, 2546 const struct sockcm_cookie *sockc) 2547 { 2548 struct sk_buff *skb; 2549 int err; 2550 struct sk_buff_head seg_queue; 2551 2552 if (!chan->conn) 2553 return -ENOTCONN; 2554 2555 /* Connectionless channel */ 2556 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) { 2557 skb = l2cap_create_connless_pdu(chan, msg, len); 2558 if (IS_ERR(skb)) 2559 return PTR_ERR(skb); 2560 2561 l2cap_tx_timestamp(skb, sockc, len); 2562 2563 l2cap_do_send(chan, skb); 2564 return len; 2565 } 2566 2567 switch (chan->mode) { 2568 case L2CAP_MODE_LE_FLOWCTL: 2569 case L2CAP_MODE_EXT_FLOWCTL: 2570 /* Check outgoing MTU */ 2571 if (len > chan->omtu) 2572 return -EMSGSIZE; 2573 2574 __skb_queue_head_init(&seg_queue); 2575 2576 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len); 2577 2578 if (chan->state != BT_CONNECTED) { 2579 __skb_queue_purge(&seg_queue); 2580 err = -ENOTCONN; 2581 } 2582 2583 if (err) 2584 return err; 2585 2586 l2cap_tx_timestamp_seg(&seg_queue, sockc, len); 2587 2588 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q); 2589 2590 l2cap_le_flowctl_send(chan); 2591 2592 if (!chan->tx_credits) 2593 chan->ops->suspend(chan); 2594 2595 err = len; 2596 2597 break; 2598 2599 case L2CAP_MODE_BASIC: 2600 /* Check outgoing MTU */ 2601 if (len > chan->omtu) 2602 return -EMSGSIZE; 2603 2604 /* Create a basic PDU */ 2605 skb = l2cap_create_basic_pdu(chan, msg, len); 2606 if (IS_ERR(skb)) 2607 return PTR_ERR(skb); 2608 2609 l2cap_tx_timestamp(skb, sockc, len); 2610 2611 l2cap_do_send(chan, skb); 2612 err = len; 2613 break; 2614 2615 case L2CAP_MODE_ERTM: 2616 case L2CAP_MODE_STREAMING: 2617 /* Check outgoing MTU */ 2618 if (len > chan->omtu) { 2619 err = -EMSGSIZE; 2620 break; 2621 } 2622 2623 __skb_queue_head_init(&seg_queue); 2624 2625 /* Do segmentation before calling in to the state machine, 2626 * since it's possible to block while waiting for memory 2627 * allocation. 2628 */ 2629 err = l2cap_segment_sdu(chan, &seg_queue, msg, len); 2630 2631 if (err) 2632 break; 2633 2634 if (chan->mode == L2CAP_MODE_ERTM) { 2635 /* TODO: ERTM mode timestamping */ 2636 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST); 2637 } else { 2638 l2cap_tx_timestamp_seg(&seg_queue, sockc, len); 2639 l2cap_streaming_send(chan, &seg_queue); 2640 } 2641 2642 err = len; 2643 2644 /* If the skbs were not queued for sending, they'll still be in 2645 * seg_queue and need to be purged. 2646 */ 2647 __skb_queue_purge(&seg_queue); 2648 break; 2649 2650 default: 2651 BT_DBG("bad state %1.1x", chan->mode); 2652 err = -EBADFD; 2653 } 2654 2655 return err; 2656 } 2657 EXPORT_SYMBOL_GPL(l2cap_chan_send); 2658 2659 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq) 2660 { 2661 struct l2cap_ctrl control; 2662 u16 seq; 2663 2664 BT_DBG("chan %p, txseq %u", chan, txseq); 2665 2666 memset(&control, 0, sizeof(control)); 2667 control.sframe = 1; 2668 control.super = L2CAP_SUPER_SREJ; 2669 2670 for (seq = chan->expected_tx_seq; seq != txseq; 2671 seq = __next_seq(chan, seq)) { 2672 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) { 2673 control.reqseq = seq; 2674 l2cap_send_sframe(chan, &control); 2675 l2cap_seq_list_append(&chan->srej_list, seq); 2676 } 2677 } 2678 2679 chan->expected_tx_seq = __next_seq(chan, txseq); 2680 } 2681 2682 static void l2cap_send_srej_tail(struct l2cap_chan *chan) 2683 { 2684 struct l2cap_ctrl control; 2685 2686 BT_DBG("chan %p", chan); 2687 2688 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR) 2689 return; 2690 2691 memset(&control, 0, sizeof(control)); 2692 control.sframe = 1; 2693 control.super = L2CAP_SUPER_SREJ; 2694 control.reqseq = chan->srej_list.tail; 2695 l2cap_send_sframe(chan, &control); 2696 } 2697 2698 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq) 2699 { 2700 struct l2cap_ctrl control; 2701 u16 initial_head; 2702 u16 seq; 2703 2704 BT_DBG("chan %p, txseq %u", chan, txseq); 2705 2706 memset(&control, 0, sizeof(control)); 2707 control.sframe = 1; 2708 control.super = L2CAP_SUPER_SREJ; 2709 2710 /* Capture initial list head to allow only one pass through the list. */ 2711 initial_head = chan->srej_list.head; 2712 2713 do { 2714 seq = l2cap_seq_list_pop(&chan->srej_list); 2715 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR) 2716 break; 2717 2718 control.reqseq = seq; 2719 l2cap_send_sframe(chan, &control); 2720 l2cap_seq_list_append(&chan->srej_list, seq); 2721 } while (chan->srej_list.head != initial_head); 2722 } 2723 2724 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq) 2725 { 2726 struct sk_buff *acked_skb; 2727 u16 ackseq; 2728 2729 BT_DBG("chan %p, reqseq %u", chan, reqseq); 2730 2731 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq) 2732 return; 2733 2734 BT_DBG("expected_ack_seq %u, unacked_frames %u", 2735 chan->expected_ack_seq, chan->unacked_frames); 2736 2737 for (ackseq = chan->expected_ack_seq; ackseq != reqseq; 2738 ackseq = __next_seq(chan, ackseq)) { 2739 2740 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq); 2741 if (acked_skb) { 2742 skb_unlink(acked_skb, &chan->tx_q); 2743 kfree_skb(acked_skb); 2744 chan->unacked_frames--; 2745 } 2746 } 2747 2748 chan->expected_ack_seq = reqseq; 2749 2750 if (chan->unacked_frames == 0) 2751 __clear_retrans_timer(chan); 2752 2753 BT_DBG("unacked_frames %u", chan->unacked_frames); 2754 } 2755 2756 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan) 2757 { 2758 BT_DBG("chan %p", chan); 2759 2760 chan->expected_tx_seq = chan->buffer_seq; 2761 l2cap_seq_list_clear(&chan->srej_list); 2762 skb_queue_purge(&chan->srej_q); 2763 chan->rx_state = L2CAP_RX_STATE_RECV; 2764 } 2765 2766 static void l2cap_tx_state_xmit(struct l2cap_chan *chan, 2767 struct l2cap_ctrl *control, 2768 struct sk_buff_head *skbs, u8 event) 2769 { 2770 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2771 event); 2772 2773 switch (event) { 2774 case L2CAP_EV_DATA_REQUEST: 2775 if (chan->tx_send_head == NULL) 2776 chan->tx_send_head = skb_peek(skbs); 2777 2778 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2779 l2cap_ertm_send(chan); 2780 break; 2781 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2782 BT_DBG("Enter LOCAL_BUSY"); 2783 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2784 2785 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2786 /* The SREJ_SENT state must be aborted if we are to 2787 * enter the LOCAL_BUSY state. 2788 */ 2789 l2cap_abort_rx_srej_sent(chan); 2790 } 2791 2792 l2cap_send_ack(chan); 2793 2794 break; 2795 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2796 BT_DBG("Exit LOCAL_BUSY"); 2797 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2798 2799 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2800 struct l2cap_ctrl local_control; 2801 2802 memset(&local_control, 0, sizeof(local_control)); 2803 local_control.sframe = 1; 2804 local_control.super = L2CAP_SUPER_RR; 2805 local_control.poll = 1; 2806 local_control.reqseq = chan->buffer_seq; 2807 l2cap_send_sframe(chan, &local_control); 2808 2809 chan->retry_count = 1; 2810 __set_monitor_timer(chan); 2811 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2812 } 2813 break; 2814 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2815 l2cap_process_reqseq(chan, control->reqseq); 2816 break; 2817 case L2CAP_EV_EXPLICIT_POLL: 2818 l2cap_send_rr_or_rnr(chan, 1); 2819 chan->retry_count = 1; 2820 __set_monitor_timer(chan); 2821 __clear_ack_timer(chan); 2822 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2823 break; 2824 case L2CAP_EV_RETRANS_TO: 2825 l2cap_send_rr_or_rnr(chan, 1); 2826 chan->retry_count = 1; 2827 __set_monitor_timer(chan); 2828 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2829 break; 2830 case L2CAP_EV_RECV_FBIT: 2831 /* Nothing to process */ 2832 break; 2833 default: 2834 break; 2835 } 2836 } 2837 2838 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan, 2839 struct l2cap_ctrl *control, 2840 struct sk_buff_head *skbs, u8 event) 2841 { 2842 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs, 2843 event); 2844 2845 switch (event) { 2846 case L2CAP_EV_DATA_REQUEST: 2847 if (chan->tx_send_head == NULL) 2848 chan->tx_send_head = skb_peek(skbs); 2849 /* Queue data, but don't send. */ 2850 skb_queue_splice_tail_init(skbs, &chan->tx_q); 2851 break; 2852 case L2CAP_EV_LOCAL_BUSY_DETECTED: 2853 BT_DBG("Enter LOCAL_BUSY"); 2854 set_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2855 2856 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 2857 /* The SREJ_SENT state must be aborted if we are to 2858 * enter the LOCAL_BUSY state. 2859 */ 2860 l2cap_abort_rx_srej_sent(chan); 2861 } 2862 2863 l2cap_send_ack(chan); 2864 2865 break; 2866 case L2CAP_EV_LOCAL_BUSY_CLEAR: 2867 BT_DBG("Exit LOCAL_BUSY"); 2868 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state); 2869 2870 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) { 2871 struct l2cap_ctrl local_control; 2872 memset(&local_control, 0, sizeof(local_control)); 2873 local_control.sframe = 1; 2874 local_control.super = L2CAP_SUPER_RR; 2875 local_control.poll = 1; 2876 local_control.reqseq = chan->buffer_seq; 2877 l2cap_send_sframe(chan, &local_control); 2878 2879 chan->retry_count = 1; 2880 __set_monitor_timer(chan); 2881 chan->tx_state = L2CAP_TX_STATE_WAIT_F; 2882 } 2883 break; 2884 case L2CAP_EV_RECV_REQSEQ_AND_FBIT: 2885 l2cap_process_reqseq(chan, control->reqseq); 2886 fallthrough; 2887 2888 case L2CAP_EV_RECV_FBIT: 2889 if (control && control->final) { 2890 __clear_monitor_timer(chan); 2891 if (chan->unacked_frames > 0) 2892 __set_retrans_timer(chan); 2893 chan->retry_count = 0; 2894 chan->tx_state = L2CAP_TX_STATE_XMIT; 2895 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state); 2896 } 2897 break; 2898 case L2CAP_EV_EXPLICIT_POLL: 2899 /* Ignore */ 2900 break; 2901 case L2CAP_EV_MONITOR_TO: 2902 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) { 2903 l2cap_send_rr_or_rnr(chan, 1); 2904 __set_monitor_timer(chan); 2905 chan->retry_count++; 2906 } else { 2907 l2cap_send_disconn_req(chan, ECONNABORTED); 2908 } 2909 break; 2910 default: 2911 break; 2912 } 2913 } 2914 2915 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 2916 struct sk_buff_head *skbs, u8 event) 2917 { 2918 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d", 2919 chan, control, skbs, event, chan->tx_state); 2920 2921 switch (chan->tx_state) { 2922 case L2CAP_TX_STATE_XMIT: 2923 l2cap_tx_state_xmit(chan, control, skbs, event); 2924 break; 2925 case L2CAP_TX_STATE_WAIT_F: 2926 l2cap_tx_state_wait_f(chan, control, skbs, event); 2927 break; 2928 default: 2929 /* Ignore event */ 2930 break; 2931 } 2932 } 2933 2934 static void l2cap_pass_to_tx(struct l2cap_chan *chan, 2935 struct l2cap_ctrl *control) 2936 { 2937 BT_DBG("chan %p, control %p", chan, control); 2938 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT); 2939 } 2940 2941 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan, 2942 struct l2cap_ctrl *control) 2943 { 2944 BT_DBG("chan %p, control %p", chan, control); 2945 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT); 2946 } 2947 2948 /* Copy frame to all raw sockets on that connection */ 2949 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb) 2950 { 2951 struct sk_buff *nskb; 2952 struct l2cap_chan *chan; 2953 2954 BT_DBG("conn %p", conn); 2955 2956 list_for_each_entry(chan, &conn->chan_l, list) { 2957 if (chan->chan_type != L2CAP_CHAN_RAW) 2958 continue; 2959 2960 /* Don't send frame to the channel it came from */ 2961 if (bt_cb(skb)->l2cap.chan == chan) 2962 continue; 2963 2964 nskb = skb_clone(skb, GFP_KERNEL); 2965 if (!nskb) 2966 continue; 2967 if (chan->ops->recv(chan, nskb)) 2968 kfree_skb(nskb); 2969 } 2970 } 2971 2972 /* ---- L2CAP signalling commands ---- */ 2973 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code, 2974 u8 ident, u16 dlen, void *data) 2975 { 2976 struct sk_buff *skb, **frag; 2977 struct l2cap_cmd_hdr *cmd; 2978 struct l2cap_hdr *lh; 2979 int len, count; 2980 2981 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", 2982 conn, code, ident, dlen); 2983 2984 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) 2985 return NULL; 2986 2987 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; 2988 count = min_t(unsigned int, conn->mtu, len); 2989 2990 skb = bt_skb_alloc(count, GFP_KERNEL); 2991 if (!skb) 2992 return NULL; 2993 2994 lh = skb_put(skb, L2CAP_HDR_SIZE); 2995 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen); 2996 2997 if (conn->hcon->type == LE_LINK) 2998 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING); 2999 else 3000 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING); 3001 3002 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE); 3003 cmd->code = code; 3004 cmd->ident = ident; 3005 cmd->len = cpu_to_le16(dlen); 3006 3007 if (dlen) { 3008 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE; 3009 skb_put_data(skb, data, count); 3010 data += count; 3011 } 3012 3013 len -= skb->len; 3014 3015 /* Continuation fragments (no L2CAP header) */ 3016 frag = &skb_shinfo(skb)->frag_list; 3017 while (len) { 3018 count = min_t(unsigned int, conn->mtu, len); 3019 3020 *frag = bt_skb_alloc(count, GFP_KERNEL); 3021 if (!*frag) 3022 goto fail; 3023 3024 skb_put_data(*frag, data, count); 3025 3026 len -= count; 3027 data += count; 3028 3029 frag = &(*frag)->next; 3030 } 3031 3032 return skb; 3033 3034 fail: 3035 kfree_skb(skb); 3036 return NULL; 3037 } 3038 3039 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, 3040 unsigned long *val) 3041 { 3042 struct l2cap_conf_opt *opt = *ptr; 3043 int len; 3044 3045 len = L2CAP_CONF_OPT_SIZE + opt->len; 3046 *ptr += len; 3047 3048 *type = opt->type; 3049 *olen = opt->len; 3050 3051 switch (opt->len) { 3052 case 1: 3053 *val = *((u8 *) opt->val); 3054 break; 3055 3056 case 2: 3057 *val = get_unaligned_le16(opt->val); 3058 break; 3059 3060 case 4: 3061 *val = get_unaligned_le32(opt->val); 3062 break; 3063 3064 default: 3065 *val = (unsigned long) opt->val; 3066 break; 3067 } 3068 3069 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val); 3070 return len; 3071 } 3072 3073 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size) 3074 { 3075 struct l2cap_conf_opt *opt = *ptr; 3076 3077 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val); 3078 3079 if (size < L2CAP_CONF_OPT_SIZE + len) 3080 return; 3081 3082 opt->type = type; 3083 opt->len = len; 3084 3085 switch (len) { 3086 case 1: 3087 *((u8 *) opt->val) = val; 3088 break; 3089 3090 case 2: 3091 put_unaligned_le16(val, opt->val); 3092 break; 3093 3094 case 4: 3095 put_unaligned_le32(val, opt->val); 3096 break; 3097 3098 default: 3099 memcpy(opt->val, (void *) val, len); 3100 break; 3101 } 3102 3103 *ptr += L2CAP_CONF_OPT_SIZE + len; 3104 } 3105 3106 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size) 3107 { 3108 struct l2cap_conf_efs efs; 3109 3110 switch (chan->mode) { 3111 case L2CAP_MODE_ERTM: 3112 efs.id = chan->local_id; 3113 efs.stype = chan->local_stype; 3114 efs.msdu = cpu_to_le16(chan->local_msdu); 3115 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 3116 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT); 3117 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO); 3118 break; 3119 3120 case L2CAP_MODE_STREAMING: 3121 efs.id = 1; 3122 efs.stype = L2CAP_SERV_BESTEFFORT; 3123 efs.msdu = cpu_to_le16(chan->local_msdu); 3124 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime); 3125 efs.acc_lat = 0; 3126 efs.flush_to = 0; 3127 break; 3128 3129 default: 3130 return; 3131 } 3132 3133 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs), 3134 (unsigned long) &efs, size); 3135 } 3136 3137 static void l2cap_ack_timeout(struct work_struct *work) 3138 { 3139 struct l2cap_chan *chan = container_of(work, struct l2cap_chan, 3140 ack_timer.work); 3141 u16 frames_to_ack; 3142 3143 BT_DBG("chan %p", chan); 3144 3145 l2cap_chan_lock(chan); 3146 3147 frames_to_ack = __seq_offset(chan, chan->buffer_seq, 3148 chan->last_acked_seq); 3149 3150 if (frames_to_ack) 3151 l2cap_send_rr_or_rnr(chan, 0); 3152 3153 l2cap_chan_unlock(chan); 3154 l2cap_chan_put(chan); 3155 } 3156 3157 int l2cap_ertm_init(struct l2cap_chan *chan) 3158 { 3159 int err; 3160 3161 chan->next_tx_seq = 0; 3162 chan->expected_tx_seq = 0; 3163 chan->expected_ack_seq = 0; 3164 chan->unacked_frames = 0; 3165 chan->buffer_seq = 0; 3166 chan->frames_sent = 0; 3167 chan->last_acked_seq = 0; 3168 chan->sdu = NULL; 3169 chan->sdu_last_frag = NULL; 3170 chan->sdu_len = 0; 3171 3172 skb_queue_head_init(&chan->tx_q); 3173 3174 if (chan->mode != L2CAP_MODE_ERTM) 3175 return 0; 3176 3177 chan->rx_state = L2CAP_RX_STATE_RECV; 3178 chan->tx_state = L2CAP_TX_STATE_XMIT; 3179 3180 skb_queue_head_init(&chan->srej_q); 3181 3182 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); 3183 if (err < 0) 3184 return err; 3185 3186 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win); 3187 if (err < 0) 3188 l2cap_seq_list_free(&chan->srej_list); 3189 3190 return err; 3191 } 3192 3193 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask) 3194 { 3195 switch (mode) { 3196 case L2CAP_MODE_STREAMING: 3197 case L2CAP_MODE_ERTM: 3198 if (l2cap_mode_supported(mode, remote_feat_mask)) 3199 return mode; 3200 fallthrough; 3201 default: 3202 return L2CAP_MODE_BASIC; 3203 } 3204 } 3205 3206 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn) 3207 { 3208 return (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW); 3209 } 3210 3211 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn) 3212 { 3213 return (conn->feat_mask & L2CAP_FEAT_EXT_FLOW); 3214 } 3215 3216 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan, 3217 struct l2cap_conf_rfc *rfc) 3218 { 3219 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO); 3220 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO); 3221 } 3222 3223 static inline void l2cap_txwin_setup(struct l2cap_chan *chan) 3224 { 3225 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW && 3226 __l2cap_ews_supported(chan->conn)) { 3227 /* use extended control field */ 3228 set_bit(FLAG_EXT_CTRL, &chan->flags); 3229 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; 3230 } else { 3231 chan->tx_win = min_t(u16, chan->tx_win, 3232 L2CAP_DEFAULT_TX_WINDOW); 3233 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW; 3234 } 3235 chan->ack_win = chan->tx_win; 3236 } 3237 3238 static void l2cap_mtu_auto(struct l2cap_chan *chan) 3239 { 3240 struct hci_conn *conn = chan->conn->hcon; 3241 3242 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3243 3244 /* The 2-DH1 packet has between 2 and 56 information bytes 3245 * (including the 2-byte payload header) 3246 */ 3247 if (!(conn->pkt_type & HCI_2DH1)) 3248 chan->imtu = 54; 3249 3250 /* The 3-DH1 packet has between 2 and 85 information bytes 3251 * (including the 2-byte payload header) 3252 */ 3253 if (!(conn->pkt_type & HCI_3DH1)) 3254 chan->imtu = 83; 3255 3256 /* The 2-DH3 packet has between 2 and 369 information bytes 3257 * (including the 2-byte payload header) 3258 */ 3259 if (!(conn->pkt_type & HCI_2DH3)) 3260 chan->imtu = 367; 3261 3262 /* The 3-DH3 packet has between 2 and 554 information bytes 3263 * (including the 2-byte payload header) 3264 */ 3265 if (!(conn->pkt_type & HCI_3DH3)) 3266 chan->imtu = 552; 3267 3268 /* The 2-DH5 packet has between 2 and 681 information bytes 3269 * (including the 2-byte payload header) 3270 */ 3271 if (!(conn->pkt_type & HCI_2DH5)) 3272 chan->imtu = 679; 3273 3274 /* The 3-DH5 packet has between 2 and 1023 information bytes 3275 * (including the 2-byte payload header) 3276 */ 3277 if (!(conn->pkt_type & HCI_3DH5)) 3278 chan->imtu = 1021; 3279 } 3280 3281 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) 3282 { 3283 struct l2cap_conf_req *req = data; 3284 struct l2cap_conf_rfc rfc = { .mode = chan->mode }; 3285 void *ptr = req->data; 3286 void *endptr = data + data_size; 3287 u16 size; 3288 3289 BT_DBG("chan %p", chan); 3290 3291 if (chan->num_conf_req || chan->num_conf_rsp) 3292 goto done; 3293 3294 switch (chan->mode) { 3295 case L2CAP_MODE_STREAMING: 3296 case L2CAP_MODE_ERTM: 3297 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) 3298 break; 3299 3300 if (__l2cap_efs_supported(chan->conn)) 3301 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3302 3303 fallthrough; 3304 default: 3305 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask); 3306 break; 3307 } 3308 3309 done: 3310 if (chan->imtu != L2CAP_DEFAULT_MTU) { 3311 if (!chan->imtu) 3312 l2cap_mtu_auto(chan); 3313 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, 3314 endptr - ptr); 3315 } 3316 3317 switch (chan->mode) { 3318 case L2CAP_MODE_BASIC: 3319 if (disable_ertm) 3320 break; 3321 3322 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) && 3323 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING)) 3324 break; 3325 3326 rfc.mode = L2CAP_MODE_BASIC; 3327 rfc.txwin_size = 0; 3328 rfc.max_transmit = 0; 3329 rfc.retrans_timeout = 0; 3330 rfc.monitor_timeout = 0; 3331 rfc.max_pdu_size = 0; 3332 3333 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3334 (unsigned long) &rfc, endptr - ptr); 3335 break; 3336 3337 case L2CAP_MODE_ERTM: 3338 rfc.mode = L2CAP_MODE_ERTM; 3339 rfc.max_transmit = chan->max_tx; 3340 3341 __l2cap_set_ertm_timeouts(chan, &rfc); 3342 3343 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 3344 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE - 3345 L2CAP_FCS_SIZE); 3346 rfc.max_pdu_size = cpu_to_le16(size); 3347 3348 l2cap_txwin_setup(chan); 3349 3350 rfc.txwin_size = min_t(u16, chan->tx_win, 3351 L2CAP_DEFAULT_TX_WINDOW); 3352 3353 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3354 (unsigned long) &rfc, endptr - ptr); 3355 3356 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 3357 l2cap_add_opt_efs(&ptr, chan, endptr - ptr); 3358 3359 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 3360 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3361 chan->tx_win, endptr - ptr); 3362 3363 if (chan->conn->feat_mask & L2CAP_FEAT_FCS) 3364 if (chan->fcs == L2CAP_FCS_NONE || 3365 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { 3366 chan->fcs = L2CAP_FCS_NONE; 3367 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, 3368 chan->fcs, endptr - ptr); 3369 } 3370 break; 3371 3372 case L2CAP_MODE_STREAMING: 3373 l2cap_txwin_setup(chan); 3374 rfc.mode = L2CAP_MODE_STREAMING; 3375 rfc.txwin_size = 0; 3376 rfc.max_transmit = 0; 3377 rfc.retrans_timeout = 0; 3378 rfc.monitor_timeout = 0; 3379 3380 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu - 3381 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE - 3382 L2CAP_FCS_SIZE); 3383 rfc.max_pdu_size = cpu_to_le16(size); 3384 3385 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3386 (unsigned long) &rfc, endptr - ptr); 3387 3388 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) 3389 l2cap_add_opt_efs(&ptr, chan, endptr - ptr); 3390 3391 if (chan->conn->feat_mask & L2CAP_FEAT_FCS) 3392 if (chan->fcs == L2CAP_FCS_NONE || 3393 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) { 3394 chan->fcs = L2CAP_FCS_NONE; 3395 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, 3396 chan->fcs, endptr - ptr); 3397 } 3398 break; 3399 } 3400 3401 req->dcid = cpu_to_le16(chan->dcid); 3402 req->flags = cpu_to_le16(0); 3403 3404 return ptr - data; 3405 } 3406 3407 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size) 3408 { 3409 struct l2cap_conf_rsp *rsp = data; 3410 void *ptr = rsp->data; 3411 void *endptr = data + data_size; 3412 void *req = chan->conf_req; 3413 int len = chan->conf_len; 3414 int type, hint, olen; 3415 unsigned long val; 3416 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3417 struct l2cap_conf_efs efs; 3418 u8 remote_efs = 0; 3419 u16 mtu = 0; 3420 u16 result = L2CAP_CONF_SUCCESS; 3421 u16 size; 3422 3423 BT_DBG("chan %p", chan); 3424 3425 while (len >= L2CAP_CONF_OPT_SIZE) { 3426 len -= l2cap_get_conf_opt(&req, &type, &olen, &val); 3427 if (len < 0) 3428 break; 3429 3430 hint = type & L2CAP_CONF_HINT; 3431 type &= L2CAP_CONF_MASK; 3432 3433 switch (type) { 3434 case L2CAP_CONF_MTU: 3435 if (olen != 2) 3436 break; 3437 mtu = val; 3438 break; 3439 3440 case L2CAP_CONF_FLUSH_TO: 3441 if (olen != 2) 3442 break; 3443 chan->flush_to = val; 3444 break; 3445 3446 case L2CAP_CONF_QOS: 3447 break; 3448 3449 case L2CAP_CONF_RFC: 3450 if (olen != sizeof(rfc)) 3451 break; 3452 memcpy(&rfc, (void *) val, olen); 3453 break; 3454 3455 case L2CAP_CONF_FCS: 3456 if (olen != 1) 3457 break; 3458 if (val == L2CAP_FCS_NONE) 3459 set_bit(CONF_RECV_NO_FCS, &chan->conf_state); 3460 break; 3461 3462 case L2CAP_CONF_EFS: 3463 if (olen != sizeof(efs)) 3464 break; 3465 remote_efs = 1; 3466 memcpy(&efs, (void *) val, olen); 3467 break; 3468 3469 case L2CAP_CONF_EWS: 3470 if (olen != 2) 3471 break; 3472 return -ECONNREFUSED; 3473 3474 default: 3475 if (hint) 3476 break; 3477 result = L2CAP_CONF_UNKNOWN; 3478 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr); 3479 break; 3480 } 3481 } 3482 3483 if (chan->num_conf_rsp || chan->num_conf_req > 1) 3484 goto done; 3485 3486 switch (chan->mode) { 3487 case L2CAP_MODE_STREAMING: 3488 case L2CAP_MODE_ERTM: 3489 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) { 3490 chan->mode = l2cap_select_mode(rfc.mode, 3491 chan->conn->feat_mask); 3492 break; 3493 } 3494 3495 if (remote_efs) { 3496 if (__l2cap_efs_supported(chan->conn)) 3497 set_bit(FLAG_EFS_ENABLE, &chan->flags); 3498 else 3499 return -ECONNREFUSED; 3500 } 3501 3502 if (chan->mode != rfc.mode) 3503 return -ECONNREFUSED; 3504 3505 break; 3506 } 3507 3508 done: 3509 if (chan->mode != rfc.mode) { 3510 result = L2CAP_CONF_UNACCEPT; 3511 rfc.mode = chan->mode; 3512 3513 if (chan->num_conf_rsp == 1) 3514 return -ECONNREFUSED; 3515 3516 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3517 (unsigned long) &rfc, endptr - ptr); 3518 } 3519 3520 if (result == L2CAP_CONF_SUCCESS) { 3521 /* Configure output options and let the other side know 3522 * which ones we don't like. */ 3523 3524 /* If MTU is not provided in configure request, try adjusting it 3525 * to the current output MTU if it has been set 3526 * 3527 * Bluetooth Core 6.1, Vol 3, Part A, Section 4.5 3528 * 3529 * Each configuration parameter value (if any is present) in an 3530 * L2CAP_CONFIGURATION_RSP packet reflects an ‘adjustment’ to a 3531 * configuration parameter value that has been sent (or, in case 3532 * of default values, implied) in the corresponding 3533 * L2CAP_CONFIGURATION_REQ packet. 3534 */ 3535 if (!mtu) { 3536 /* Only adjust for ERTM channels as for older modes the 3537 * remote stack may not be able to detect that the 3538 * adjustment causing it to silently drop packets. 3539 */ 3540 if (chan->mode == L2CAP_MODE_ERTM && 3541 chan->omtu && chan->omtu != L2CAP_DEFAULT_MTU) 3542 mtu = chan->omtu; 3543 else 3544 mtu = L2CAP_DEFAULT_MTU; 3545 } 3546 3547 if (mtu < L2CAP_DEFAULT_MIN_MTU) 3548 result = L2CAP_CONF_UNACCEPT; 3549 else { 3550 chan->omtu = mtu; 3551 set_bit(CONF_MTU_DONE, &chan->conf_state); 3552 } 3553 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr); 3554 3555 if (remote_efs) { 3556 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3557 efs.stype != L2CAP_SERV_NOTRAFIC && 3558 efs.stype != chan->local_stype) { 3559 3560 result = L2CAP_CONF_UNACCEPT; 3561 3562 if (chan->num_conf_req >= 1) 3563 return -ECONNREFUSED; 3564 3565 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3566 sizeof(efs), 3567 (unsigned long) &efs, endptr - ptr); 3568 } else { 3569 /* Send PENDING Conf Rsp */ 3570 result = L2CAP_CONF_PENDING; 3571 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 3572 } 3573 } 3574 3575 switch (rfc.mode) { 3576 case L2CAP_MODE_BASIC: 3577 chan->fcs = L2CAP_FCS_NONE; 3578 set_bit(CONF_MODE_DONE, &chan->conf_state); 3579 break; 3580 3581 case L2CAP_MODE_ERTM: 3582 if (!test_bit(CONF_EWS_RECV, &chan->conf_state)) 3583 chan->remote_tx_win = rfc.txwin_size; 3584 else 3585 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW; 3586 3587 chan->remote_max_tx = rfc.max_transmit; 3588 3589 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3590 chan->conn->mtu - L2CAP_EXT_HDR_SIZE - 3591 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE); 3592 rfc.max_pdu_size = cpu_to_le16(size); 3593 chan->remote_mps = size; 3594 3595 __l2cap_set_ertm_timeouts(chan, &rfc); 3596 3597 set_bit(CONF_MODE_DONE, &chan->conf_state); 3598 3599 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, 3600 sizeof(rfc), (unsigned long) &rfc, endptr - ptr); 3601 3602 if (remote_efs && 3603 test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3604 chan->remote_id = efs.id; 3605 chan->remote_stype = efs.stype; 3606 chan->remote_msdu = le16_to_cpu(efs.msdu); 3607 chan->remote_flush_to = 3608 le32_to_cpu(efs.flush_to); 3609 chan->remote_acc_lat = 3610 le32_to_cpu(efs.acc_lat); 3611 chan->remote_sdu_itime = 3612 le32_to_cpu(efs.sdu_itime); 3613 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, 3614 sizeof(efs), 3615 (unsigned long) &efs, endptr - ptr); 3616 } 3617 break; 3618 3619 case L2CAP_MODE_STREAMING: 3620 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size), 3621 chan->conn->mtu - L2CAP_EXT_HDR_SIZE - 3622 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE); 3623 rfc.max_pdu_size = cpu_to_le16(size); 3624 chan->remote_mps = size; 3625 3626 set_bit(CONF_MODE_DONE, &chan->conf_state); 3627 3628 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3629 (unsigned long) &rfc, endptr - ptr); 3630 3631 break; 3632 3633 default: 3634 result = L2CAP_CONF_UNACCEPT; 3635 3636 memset(&rfc, 0, sizeof(rfc)); 3637 rfc.mode = chan->mode; 3638 } 3639 3640 if (result == L2CAP_CONF_SUCCESS) 3641 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 3642 } 3643 rsp->scid = cpu_to_le16(chan->dcid); 3644 rsp->result = cpu_to_le16(result); 3645 rsp->flags = cpu_to_le16(0); 3646 3647 return ptr - data; 3648 } 3649 3650 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, 3651 void *data, size_t size, u16 *result) 3652 { 3653 struct l2cap_conf_req *req = data; 3654 void *ptr = req->data; 3655 void *endptr = data + size; 3656 int type, olen; 3657 unsigned long val; 3658 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; 3659 struct l2cap_conf_efs efs; 3660 3661 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data); 3662 3663 while (len >= L2CAP_CONF_OPT_SIZE) { 3664 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3665 if (len < 0) 3666 break; 3667 3668 switch (type) { 3669 case L2CAP_CONF_MTU: 3670 if (olen != 2) 3671 break; 3672 if (val < L2CAP_DEFAULT_MIN_MTU) { 3673 *result = L2CAP_CONF_UNACCEPT; 3674 chan->imtu = L2CAP_DEFAULT_MIN_MTU; 3675 } else 3676 chan->imtu = val; 3677 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, 3678 endptr - ptr); 3679 break; 3680 3681 case L2CAP_CONF_FLUSH_TO: 3682 if (olen != 2) 3683 break; 3684 chan->flush_to = val; 3685 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, 3686 chan->flush_to, endptr - ptr); 3687 break; 3688 3689 case L2CAP_CONF_RFC: 3690 if (olen != sizeof(rfc)) 3691 break; 3692 memcpy(&rfc, (void *)val, olen); 3693 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && 3694 rfc.mode != chan->mode) 3695 return -ECONNREFUSED; 3696 chan->fcs = 0; 3697 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), 3698 (unsigned long) &rfc, endptr - ptr); 3699 break; 3700 3701 case L2CAP_CONF_EWS: 3702 if (olen != 2) 3703 break; 3704 chan->ack_win = min_t(u16, val, chan->ack_win); 3705 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, 3706 chan->tx_win, endptr - ptr); 3707 break; 3708 3709 case L2CAP_CONF_EFS: 3710 if (olen != sizeof(efs)) 3711 break; 3712 memcpy(&efs, (void *)val, olen); 3713 if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3714 efs.stype != L2CAP_SERV_NOTRAFIC && 3715 efs.stype != chan->local_stype) 3716 return -ECONNREFUSED; 3717 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), 3718 (unsigned long) &efs, endptr - ptr); 3719 break; 3720 3721 case L2CAP_CONF_FCS: 3722 if (olen != 1) 3723 break; 3724 if (*result == L2CAP_CONF_PENDING) 3725 if (val == L2CAP_FCS_NONE) 3726 set_bit(CONF_RECV_NO_FCS, 3727 &chan->conf_state); 3728 break; 3729 } 3730 } 3731 3732 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode) 3733 return -ECONNREFUSED; 3734 3735 chan->mode = rfc.mode; 3736 3737 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) { 3738 switch (rfc.mode) { 3739 case L2CAP_MODE_ERTM: 3740 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3741 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3742 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3743 if (!test_bit(FLAG_EXT_CTRL, &chan->flags)) 3744 chan->ack_win = min_t(u16, chan->ack_win, 3745 rfc.txwin_size); 3746 3747 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { 3748 chan->local_msdu = le16_to_cpu(efs.msdu); 3749 chan->local_sdu_itime = 3750 le32_to_cpu(efs.sdu_itime); 3751 chan->local_acc_lat = le32_to_cpu(efs.acc_lat); 3752 chan->local_flush_to = 3753 le32_to_cpu(efs.flush_to); 3754 } 3755 break; 3756 3757 case L2CAP_MODE_STREAMING: 3758 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3759 } 3760 } 3761 3762 req->dcid = cpu_to_le16(chan->dcid); 3763 req->flags = cpu_to_le16(0); 3764 3765 return ptr - data; 3766 } 3767 3768 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, 3769 u16 result, u16 flags) 3770 { 3771 struct l2cap_conf_rsp *rsp = data; 3772 void *ptr = rsp->data; 3773 3774 BT_DBG("chan %p", chan); 3775 3776 rsp->scid = cpu_to_le16(chan->dcid); 3777 rsp->result = cpu_to_le16(result); 3778 rsp->flags = cpu_to_le16(flags); 3779 3780 return ptr - data; 3781 } 3782 3783 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan) 3784 { 3785 struct l2cap_le_conn_rsp rsp; 3786 struct l2cap_conn *conn = chan->conn; 3787 3788 BT_DBG("chan %p", chan); 3789 3790 rsp.dcid = cpu_to_le16(chan->scid); 3791 rsp.mtu = cpu_to_le16(chan->imtu); 3792 rsp.mps = cpu_to_le16(chan->mps); 3793 rsp.credits = cpu_to_le16(chan->rx_credits); 3794 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); 3795 3796 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), 3797 &rsp); 3798 } 3799 3800 static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data) 3801 { 3802 int *result = data; 3803 3804 if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags)) 3805 return; 3806 3807 switch (chan->state) { 3808 case BT_CONNECT2: 3809 /* If channel still pending accept add to result */ 3810 (*result)++; 3811 return; 3812 case BT_CONNECTED: 3813 return; 3814 default: 3815 /* If not connected or pending accept it has been refused */ 3816 *result = -ECONNREFUSED; 3817 return; 3818 } 3819 } 3820 3821 struct l2cap_ecred_rsp_data { 3822 struct { 3823 struct l2cap_ecred_conn_rsp_hdr rsp; 3824 __le16 scid[L2CAP_ECRED_MAX_CID]; 3825 } __packed pdu; 3826 int count; 3827 }; 3828 3829 static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data) 3830 { 3831 struct l2cap_ecred_rsp_data *rsp = data; 3832 struct l2cap_ecred_conn_rsp *rsp_flex = 3833 container_of(&rsp->pdu.rsp, struct l2cap_ecred_conn_rsp, hdr); 3834 3835 /* Check if channel for outgoing connection or if it wasn't deferred 3836 * since in those cases it must be skipped. 3837 */ 3838 if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags) || 3839 !test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags)) 3840 return; 3841 3842 /* Reset ident so only one response is sent */ 3843 chan->ident = 0; 3844 3845 /* Include all channels pending with the same ident */ 3846 if (!rsp->pdu.rsp.result) 3847 rsp_flex->dcid[rsp->count++] = cpu_to_le16(chan->scid); 3848 else 3849 l2cap_chan_del(chan, ECONNRESET); 3850 } 3851 3852 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan) 3853 { 3854 struct l2cap_conn *conn = chan->conn; 3855 struct l2cap_ecred_rsp_data data; 3856 u16 id = chan->ident; 3857 int result = 0; 3858 3859 if (!id) 3860 return; 3861 3862 BT_DBG("chan %p id %d", chan, id); 3863 3864 memset(&data, 0, sizeof(data)); 3865 3866 data.pdu.rsp.mtu = cpu_to_le16(chan->imtu); 3867 data.pdu.rsp.mps = cpu_to_le16(chan->mps); 3868 data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits); 3869 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); 3870 3871 /* Verify that all channels are ready */ 3872 __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result); 3873 3874 if (result > 0) 3875 return; 3876 3877 if (result < 0) 3878 data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION); 3879 3880 /* Build response */ 3881 __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data); 3882 3883 l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP, 3884 sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)), 3885 &data.pdu); 3886 } 3887 3888 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) 3889 { 3890 struct l2cap_conn_rsp rsp; 3891 struct l2cap_conn *conn = chan->conn; 3892 u8 buf[128]; 3893 u8 rsp_code; 3894 3895 rsp.scid = cpu_to_le16(chan->dcid); 3896 rsp.dcid = cpu_to_le16(chan->scid); 3897 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); 3898 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO); 3899 rsp_code = L2CAP_CONN_RSP; 3900 3901 BT_DBG("chan %p rsp_code %u", chan, rsp_code); 3902 3903 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp); 3904 3905 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 3906 return; 3907 3908 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 3909 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 3910 chan->num_conf_req++; 3911 } 3912 3913 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) 3914 { 3915 int type, olen; 3916 unsigned long val; 3917 /* Use sane default values in case a misbehaving remote device 3918 * did not send an RFC or extended window size option. 3919 */ 3920 u16 txwin_ext = chan->ack_win; 3921 struct l2cap_conf_rfc rfc = { 3922 .mode = chan->mode, 3923 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO), 3924 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO), 3925 .max_pdu_size = cpu_to_le16(chan->imtu), 3926 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW), 3927 }; 3928 3929 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len); 3930 3931 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING)) 3932 return; 3933 3934 while (len >= L2CAP_CONF_OPT_SIZE) { 3935 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); 3936 if (len < 0) 3937 break; 3938 3939 switch (type) { 3940 case L2CAP_CONF_RFC: 3941 if (olen != sizeof(rfc)) 3942 break; 3943 memcpy(&rfc, (void *)val, olen); 3944 break; 3945 case L2CAP_CONF_EWS: 3946 if (olen != 2) 3947 break; 3948 txwin_ext = val; 3949 break; 3950 } 3951 } 3952 3953 switch (rfc.mode) { 3954 case L2CAP_MODE_ERTM: 3955 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout); 3956 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout); 3957 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3958 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 3959 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext); 3960 else 3961 chan->ack_win = min_t(u16, chan->ack_win, 3962 rfc.txwin_size); 3963 break; 3964 case L2CAP_MODE_STREAMING: 3965 chan->mps = le16_to_cpu(rfc.max_pdu_size); 3966 } 3967 } 3968 3969 static inline int l2cap_command_rej(struct l2cap_conn *conn, 3970 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 3971 u8 *data) 3972 { 3973 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 3974 3975 if (cmd_len < sizeof(*rej)) 3976 return -EPROTO; 3977 3978 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) 3979 return 0; 3980 3981 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 3982 cmd->ident == conn->info_ident) { 3983 cancel_delayed_work(&conn->info_timer); 3984 3985 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3986 conn->info_ident = 0; 3987 3988 l2cap_conn_start(conn); 3989 } 3990 3991 return 0; 3992 } 3993 3994 static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, 3995 u8 *data, u8 rsp_code) 3996 { 3997 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; 3998 struct l2cap_conn_rsp rsp; 3999 struct l2cap_chan *chan = NULL, *pchan = NULL; 4000 int result, status = L2CAP_CS_NO_INFO; 4001 4002 u16 dcid = 0, scid = __le16_to_cpu(req->scid); 4003 __le16 psm = req->psm; 4004 4005 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid); 4006 4007 /* Check if we have socket listening on psm */ 4008 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 4009 &conn->hcon->dst, ACL_LINK); 4010 if (!pchan) { 4011 result = L2CAP_CR_BAD_PSM; 4012 goto response; 4013 } 4014 4015 l2cap_chan_lock(pchan); 4016 4017 /* Check if the ACL is secure enough (if not SDP) */ 4018 if (psm != cpu_to_le16(L2CAP_PSM_SDP) && 4019 (!hci_conn_check_link_mode(conn->hcon) || 4020 !l2cap_check_enc_key_size(conn->hcon, pchan))) { 4021 conn->disc_reason = HCI_ERROR_AUTH_FAILURE; 4022 result = L2CAP_CR_SEC_BLOCK; 4023 goto response; 4024 } 4025 4026 result = L2CAP_CR_NO_MEM; 4027 4028 /* Check for valid dynamic CID range (as per Erratum 3253) */ 4029 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) { 4030 result = L2CAP_CR_INVALID_SCID; 4031 goto response; 4032 } 4033 4034 /* Check if we already have channel with that dcid */ 4035 if (__l2cap_get_chan_by_dcid(conn, scid)) { 4036 result = L2CAP_CR_SCID_IN_USE; 4037 goto response; 4038 } 4039 4040 chan = pchan->ops->new_connection(pchan); 4041 if (!chan) 4042 goto response; 4043 4044 /* For certain devices (ex: HID mouse), support for authentication, 4045 * pairing and bonding is optional. For such devices, inorder to avoid 4046 * the ACL alive for too long after L2CAP disconnection, reset the ACL 4047 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect. 4048 */ 4049 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4050 4051 bacpy(&chan->src, &conn->hcon->src); 4052 bacpy(&chan->dst, &conn->hcon->dst); 4053 chan->src_type = bdaddr_src_type(conn->hcon); 4054 chan->dst_type = bdaddr_dst_type(conn->hcon); 4055 chan->psm = psm; 4056 chan->dcid = scid; 4057 4058 __l2cap_chan_add(conn, chan); 4059 4060 dcid = chan->scid; 4061 4062 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 4063 4064 chan->ident = cmd->ident; 4065 4066 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) { 4067 if (l2cap_chan_check_security(chan, false)) { 4068 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 4069 l2cap_state_change(chan, BT_CONNECT2); 4070 result = L2CAP_CR_PEND; 4071 status = L2CAP_CS_AUTHOR_PEND; 4072 chan->ops->defer(chan); 4073 } else { 4074 l2cap_state_change(chan, BT_CONFIG); 4075 result = L2CAP_CR_SUCCESS; 4076 status = L2CAP_CS_NO_INFO; 4077 } 4078 } else { 4079 l2cap_state_change(chan, BT_CONNECT2); 4080 result = L2CAP_CR_PEND; 4081 status = L2CAP_CS_AUTHEN_PEND; 4082 } 4083 } else { 4084 l2cap_state_change(chan, BT_CONNECT2); 4085 result = L2CAP_CR_PEND; 4086 status = L2CAP_CS_NO_INFO; 4087 } 4088 4089 response: 4090 rsp.scid = cpu_to_le16(scid); 4091 rsp.dcid = cpu_to_le16(dcid); 4092 rsp.result = cpu_to_le16(result); 4093 rsp.status = cpu_to_le16(status); 4094 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); 4095 4096 if (!pchan) 4097 return; 4098 4099 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { 4100 struct l2cap_info_req info; 4101 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 4102 4103 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 4104 conn->info_ident = l2cap_get_ident(conn); 4105 4106 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); 4107 4108 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ, 4109 sizeof(info), &info); 4110 } 4111 4112 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) && 4113 result == L2CAP_CR_SUCCESS) { 4114 u8 buf[128]; 4115 set_bit(CONF_REQ_SENT, &chan->conf_state); 4116 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4117 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4118 chan->num_conf_req++; 4119 } 4120 4121 l2cap_chan_unlock(pchan); 4122 l2cap_chan_put(pchan); 4123 } 4124 4125 static int l2cap_connect_req(struct l2cap_conn *conn, 4126 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) 4127 { 4128 if (cmd_len < sizeof(struct l2cap_conn_req)) 4129 return -EPROTO; 4130 4131 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP); 4132 return 0; 4133 } 4134 4135 static int l2cap_connect_create_rsp(struct l2cap_conn *conn, 4136 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4137 u8 *data) 4138 { 4139 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; 4140 u16 scid, dcid, result, status; 4141 struct l2cap_chan *chan; 4142 u8 req[128]; 4143 int err; 4144 4145 if (cmd_len < sizeof(*rsp)) 4146 return -EPROTO; 4147 4148 scid = __le16_to_cpu(rsp->scid); 4149 dcid = __le16_to_cpu(rsp->dcid); 4150 result = __le16_to_cpu(rsp->result); 4151 status = __le16_to_cpu(rsp->status); 4152 4153 if (result == L2CAP_CR_SUCCESS && (dcid < L2CAP_CID_DYN_START || 4154 dcid > L2CAP_CID_DYN_END)) 4155 return -EPROTO; 4156 4157 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", 4158 dcid, scid, result, status); 4159 4160 if (scid) { 4161 chan = __l2cap_get_chan_by_scid(conn, scid); 4162 if (!chan) 4163 return -EBADSLT; 4164 } else { 4165 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 4166 if (!chan) 4167 return -EBADSLT; 4168 } 4169 4170 chan = l2cap_chan_hold_unless_zero(chan); 4171 if (!chan) 4172 return -EBADSLT; 4173 4174 err = 0; 4175 4176 l2cap_chan_lock(chan); 4177 4178 switch (result) { 4179 case L2CAP_CR_SUCCESS: 4180 if (__l2cap_get_chan_by_dcid(conn, dcid)) { 4181 err = -EBADSLT; 4182 break; 4183 } 4184 4185 l2cap_state_change(chan, BT_CONFIG); 4186 chan->ident = 0; 4187 chan->dcid = dcid; 4188 clear_bit(CONF_CONNECT_PEND, &chan->conf_state); 4189 4190 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) 4191 break; 4192 4193 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4194 l2cap_build_conf_req(chan, req, sizeof(req)), req); 4195 chan->num_conf_req++; 4196 break; 4197 4198 case L2CAP_CR_PEND: 4199 set_bit(CONF_CONNECT_PEND, &chan->conf_state); 4200 break; 4201 4202 default: 4203 l2cap_chan_del(chan, ECONNREFUSED); 4204 break; 4205 } 4206 4207 l2cap_chan_unlock(chan); 4208 l2cap_chan_put(chan); 4209 4210 return err; 4211 } 4212 4213 static inline void set_default_fcs(struct l2cap_chan *chan) 4214 { 4215 /* FCS is enabled only in ERTM or streaming mode, if one or both 4216 * sides request it. 4217 */ 4218 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING) 4219 chan->fcs = L2CAP_FCS_NONE; 4220 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) 4221 chan->fcs = L2CAP_FCS_CRC16; 4222 } 4223 4224 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data, 4225 u8 ident, u16 flags) 4226 { 4227 struct l2cap_conn *conn = chan->conn; 4228 4229 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident, 4230 flags); 4231 4232 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state); 4233 set_bit(CONF_OUTPUT_DONE, &chan->conf_state); 4234 4235 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP, 4236 l2cap_build_conf_rsp(chan, data, 4237 L2CAP_CONF_SUCCESS, flags), data); 4238 } 4239 4240 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident, 4241 u16 scid, u16 dcid) 4242 { 4243 struct l2cap_cmd_rej_cid rej; 4244 4245 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID); 4246 rej.scid = __cpu_to_le16(scid); 4247 rej.dcid = __cpu_to_le16(dcid); 4248 4249 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 4250 } 4251 4252 static inline int l2cap_config_req(struct l2cap_conn *conn, 4253 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4254 u8 *data) 4255 { 4256 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data; 4257 u16 dcid, flags; 4258 u8 rsp[64]; 4259 struct l2cap_chan *chan; 4260 int len, err = 0; 4261 4262 if (cmd_len < sizeof(*req)) 4263 return -EPROTO; 4264 4265 dcid = __le16_to_cpu(req->dcid); 4266 flags = __le16_to_cpu(req->flags); 4267 4268 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags); 4269 4270 chan = l2cap_get_chan_by_scid(conn, dcid); 4271 if (!chan) { 4272 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0); 4273 return 0; 4274 } 4275 4276 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 && 4277 chan->state != BT_CONNECTED) { 4278 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, 4279 chan->dcid); 4280 goto unlock; 4281 } 4282 4283 /* Reject if config buffer is too small. */ 4284 len = cmd_len - sizeof(*req); 4285 if (chan->conf_len + len > sizeof(chan->conf_req)) { 4286 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 4287 l2cap_build_conf_rsp(chan, rsp, 4288 L2CAP_CONF_REJECT, flags), rsp); 4289 goto unlock; 4290 } 4291 4292 /* Store config. */ 4293 memcpy(chan->conf_req + chan->conf_len, req->data, len); 4294 chan->conf_len += len; 4295 4296 if (flags & L2CAP_CONF_FLAG_CONTINUATION) { 4297 /* Incomplete config. Send empty response. */ 4298 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, 4299 l2cap_build_conf_rsp(chan, rsp, 4300 L2CAP_CONF_SUCCESS, flags), rsp); 4301 goto unlock; 4302 } 4303 4304 /* Complete config. */ 4305 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp)); 4306 if (len < 0) { 4307 l2cap_send_disconn_req(chan, ECONNRESET); 4308 goto unlock; 4309 } 4310 4311 chan->ident = cmd->ident; 4312 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); 4313 if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP) 4314 chan->num_conf_rsp++; 4315 4316 /* Reset config buffer. */ 4317 chan->conf_len = 0; 4318 4319 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) 4320 goto unlock; 4321 4322 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) { 4323 set_default_fcs(chan); 4324 4325 if (chan->mode == L2CAP_MODE_ERTM || 4326 chan->mode == L2CAP_MODE_STREAMING) 4327 err = l2cap_ertm_init(chan); 4328 4329 if (err < 0) 4330 l2cap_send_disconn_req(chan, -err); 4331 else 4332 l2cap_chan_ready(chan); 4333 4334 goto unlock; 4335 } 4336 4337 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) { 4338 u8 buf[64]; 4339 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ, 4340 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf); 4341 chan->num_conf_req++; 4342 } 4343 4344 /* Got Conf Rsp PENDING from remote side and assume we sent 4345 Conf Rsp PENDING in the code above */ 4346 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) && 4347 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 4348 4349 /* check compatibility */ 4350 4351 /* Send rsp for BR/EDR channel */ 4352 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags); 4353 } 4354 4355 unlock: 4356 l2cap_chan_unlock(chan); 4357 l2cap_chan_put(chan); 4358 return err; 4359 } 4360 4361 static inline int l2cap_config_rsp(struct l2cap_conn *conn, 4362 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4363 u8 *data) 4364 { 4365 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; 4366 u16 scid, flags, result; 4367 struct l2cap_chan *chan; 4368 int len = cmd_len - sizeof(*rsp); 4369 int err = 0; 4370 4371 if (cmd_len < sizeof(*rsp)) 4372 return -EPROTO; 4373 4374 scid = __le16_to_cpu(rsp->scid); 4375 flags = __le16_to_cpu(rsp->flags); 4376 result = __le16_to_cpu(rsp->result); 4377 4378 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags, 4379 result, len); 4380 4381 chan = l2cap_get_chan_by_scid(conn, scid); 4382 if (!chan) 4383 return 0; 4384 4385 switch (result) { 4386 case L2CAP_CONF_SUCCESS: 4387 l2cap_conf_rfc_get(chan, rsp->data, len); 4388 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state); 4389 break; 4390 4391 case L2CAP_CONF_PENDING: 4392 set_bit(CONF_REM_CONF_PEND, &chan->conf_state); 4393 4394 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { 4395 char buf[64]; 4396 4397 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 4398 buf, sizeof(buf), &result); 4399 if (len < 0) { 4400 l2cap_send_disconn_req(chan, ECONNRESET); 4401 goto done; 4402 } 4403 4404 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident, 0); 4405 } 4406 goto done; 4407 4408 case L2CAP_CONF_UNKNOWN: 4409 case L2CAP_CONF_UNACCEPT: 4410 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) { 4411 char req[64]; 4412 4413 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { 4414 l2cap_send_disconn_req(chan, ECONNRESET); 4415 goto done; 4416 } 4417 4418 /* throw out any old stored conf requests */ 4419 result = L2CAP_CONF_SUCCESS; 4420 len = l2cap_parse_conf_rsp(chan, rsp->data, len, 4421 req, sizeof(req), &result); 4422 if (len < 0) { 4423 l2cap_send_disconn_req(chan, ECONNRESET); 4424 goto done; 4425 } 4426 4427 l2cap_send_cmd(conn, l2cap_get_ident(conn), 4428 L2CAP_CONF_REQ, len, req); 4429 chan->num_conf_req++; 4430 if (result != L2CAP_CONF_SUCCESS) 4431 goto done; 4432 break; 4433 } 4434 fallthrough; 4435 4436 default: 4437 l2cap_chan_set_err(chan, ECONNRESET); 4438 4439 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT); 4440 l2cap_send_disconn_req(chan, ECONNRESET); 4441 goto done; 4442 } 4443 4444 if (flags & L2CAP_CONF_FLAG_CONTINUATION) 4445 goto done; 4446 4447 set_bit(CONF_INPUT_DONE, &chan->conf_state); 4448 4449 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) { 4450 set_default_fcs(chan); 4451 4452 if (chan->mode == L2CAP_MODE_ERTM || 4453 chan->mode == L2CAP_MODE_STREAMING) 4454 err = l2cap_ertm_init(chan); 4455 4456 if (err < 0) 4457 l2cap_send_disconn_req(chan, -err); 4458 else 4459 l2cap_chan_ready(chan); 4460 } 4461 4462 done: 4463 l2cap_chan_unlock(chan); 4464 l2cap_chan_put(chan); 4465 return err; 4466 } 4467 4468 static inline int l2cap_disconnect_req(struct l2cap_conn *conn, 4469 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4470 u8 *data) 4471 { 4472 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; 4473 struct l2cap_disconn_rsp rsp; 4474 u16 dcid, scid; 4475 struct l2cap_chan *chan; 4476 4477 if (cmd_len != sizeof(*req)) 4478 return -EPROTO; 4479 4480 scid = __le16_to_cpu(req->scid); 4481 dcid = __le16_to_cpu(req->dcid); 4482 4483 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); 4484 4485 chan = l2cap_get_chan_by_scid(conn, dcid); 4486 if (!chan) { 4487 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid); 4488 return 0; 4489 } 4490 4491 rsp.dcid = cpu_to_le16(chan->scid); 4492 rsp.scid = cpu_to_le16(chan->dcid); 4493 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); 4494 4495 chan->ops->set_shutdown(chan); 4496 4497 l2cap_chan_del(chan, ECONNRESET); 4498 4499 chan->ops->close(chan); 4500 4501 l2cap_chan_unlock(chan); 4502 l2cap_chan_put(chan); 4503 4504 return 0; 4505 } 4506 4507 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, 4508 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4509 u8 *data) 4510 { 4511 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; 4512 u16 dcid, scid; 4513 struct l2cap_chan *chan; 4514 4515 if (cmd_len != sizeof(*rsp)) 4516 return -EPROTO; 4517 4518 scid = __le16_to_cpu(rsp->scid); 4519 dcid = __le16_to_cpu(rsp->dcid); 4520 4521 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); 4522 4523 chan = l2cap_get_chan_by_scid(conn, scid); 4524 if (!chan) { 4525 return 0; 4526 } 4527 4528 if (chan->state != BT_DISCONN) { 4529 l2cap_chan_unlock(chan); 4530 l2cap_chan_put(chan); 4531 return 0; 4532 } 4533 4534 l2cap_chan_del(chan, 0); 4535 4536 chan->ops->close(chan); 4537 4538 l2cap_chan_unlock(chan); 4539 l2cap_chan_put(chan); 4540 4541 return 0; 4542 } 4543 4544 static inline int l2cap_information_req(struct l2cap_conn *conn, 4545 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4546 u8 *data) 4547 { 4548 struct l2cap_info_req *req = (struct l2cap_info_req *) data; 4549 u16 type; 4550 4551 if (cmd_len != sizeof(*req)) 4552 return -EPROTO; 4553 4554 type = __le16_to_cpu(req->type); 4555 4556 BT_DBG("type 0x%4.4x", type); 4557 4558 if (type == L2CAP_IT_FEAT_MASK) { 4559 u8 buf[8]; 4560 u32 feat_mask = l2cap_feat_mask; 4561 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4562 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 4563 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4564 if (!disable_ertm) 4565 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING 4566 | L2CAP_FEAT_FCS; 4567 4568 put_unaligned_le32(feat_mask, rsp->data); 4569 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4570 buf); 4571 } else if (type == L2CAP_IT_FIXED_CHAN) { 4572 u8 buf[12]; 4573 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf; 4574 4575 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4576 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS); 4577 rsp->data[0] = conn->local_fixed_chan; 4578 memset(rsp->data + 1, 0, 7); 4579 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf), 4580 buf); 4581 } else { 4582 struct l2cap_info_rsp rsp; 4583 rsp.type = cpu_to_le16(type); 4584 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP); 4585 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp), 4586 &rsp); 4587 } 4588 4589 return 0; 4590 } 4591 4592 static inline int l2cap_information_rsp(struct l2cap_conn *conn, 4593 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4594 u8 *data) 4595 { 4596 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; 4597 u16 type, result; 4598 4599 if (cmd_len < sizeof(*rsp)) 4600 return -EPROTO; 4601 4602 type = __le16_to_cpu(rsp->type); 4603 result = __le16_to_cpu(rsp->result); 4604 4605 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result); 4606 4607 /* L2CAP Info req/rsp are unbound to channels, add extra checks */ 4608 if (cmd->ident != conn->info_ident || 4609 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 4610 return 0; 4611 4612 cancel_delayed_work(&conn->info_timer); 4613 4614 if (result != L2CAP_IR_SUCCESS) { 4615 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4616 conn->info_ident = 0; 4617 4618 l2cap_conn_start(conn); 4619 4620 return 0; 4621 } 4622 4623 switch (type) { 4624 case L2CAP_IT_FEAT_MASK: 4625 conn->feat_mask = get_unaligned_le32(rsp->data); 4626 4627 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) { 4628 struct l2cap_info_req req; 4629 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN); 4630 4631 conn->info_ident = l2cap_get_ident(conn); 4632 4633 l2cap_send_cmd(conn, conn->info_ident, 4634 L2CAP_INFO_REQ, sizeof(req), &req); 4635 } else { 4636 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4637 conn->info_ident = 0; 4638 4639 l2cap_conn_start(conn); 4640 } 4641 break; 4642 4643 case L2CAP_IT_FIXED_CHAN: 4644 conn->remote_fixed_chan = rsp->data[0]; 4645 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 4646 conn->info_ident = 0; 4647 4648 l2cap_conn_start(conn); 4649 break; 4650 } 4651 4652 return 0; 4653 } 4654 4655 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, 4656 struct l2cap_cmd_hdr *cmd, 4657 u16 cmd_len, u8 *data) 4658 { 4659 struct hci_conn *hcon = conn->hcon; 4660 struct l2cap_conn_param_update_req *req; 4661 struct l2cap_conn_param_update_rsp rsp; 4662 u16 min, max, latency, to_multiplier; 4663 int err; 4664 4665 if (hcon->role != HCI_ROLE_MASTER) 4666 return -EINVAL; 4667 4668 if (cmd_len != sizeof(struct l2cap_conn_param_update_req)) 4669 return -EPROTO; 4670 4671 req = (struct l2cap_conn_param_update_req *) data; 4672 min = __le16_to_cpu(req->min); 4673 max = __le16_to_cpu(req->max); 4674 latency = __le16_to_cpu(req->latency); 4675 to_multiplier = __le16_to_cpu(req->to_multiplier); 4676 4677 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x", 4678 min, max, latency, to_multiplier); 4679 4680 memset(&rsp, 0, sizeof(rsp)); 4681 4682 err = hci_check_conn_params(min, max, latency, to_multiplier); 4683 if (err) 4684 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); 4685 else 4686 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED); 4687 4688 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP, 4689 sizeof(rsp), &rsp); 4690 4691 if (!err) { 4692 u8 store_hint; 4693 4694 store_hint = hci_le_conn_update(hcon, min, max, latency, 4695 to_multiplier); 4696 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type, 4697 store_hint, min, max, latency, 4698 to_multiplier); 4699 4700 } 4701 4702 return 0; 4703 } 4704 4705 static int l2cap_le_connect_rsp(struct l2cap_conn *conn, 4706 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4707 u8 *data) 4708 { 4709 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data; 4710 struct hci_conn *hcon = conn->hcon; 4711 u16 dcid, mtu, mps, credits, result; 4712 struct l2cap_chan *chan; 4713 int err, sec_level; 4714 4715 if (cmd_len < sizeof(*rsp)) 4716 return -EPROTO; 4717 4718 dcid = __le16_to_cpu(rsp->dcid); 4719 mtu = __le16_to_cpu(rsp->mtu); 4720 mps = __le16_to_cpu(rsp->mps); 4721 credits = __le16_to_cpu(rsp->credits); 4722 result = __le16_to_cpu(rsp->result); 4723 4724 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 || 4725 dcid < L2CAP_CID_DYN_START || 4726 dcid > L2CAP_CID_LE_DYN_END)) 4727 return -EPROTO; 4728 4729 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x", 4730 dcid, mtu, mps, credits, result); 4731 4732 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 4733 if (!chan) 4734 return -EBADSLT; 4735 4736 err = 0; 4737 4738 l2cap_chan_lock(chan); 4739 4740 switch (result) { 4741 case L2CAP_CR_LE_SUCCESS: 4742 if (__l2cap_get_chan_by_dcid(conn, dcid)) { 4743 err = -EBADSLT; 4744 break; 4745 } 4746 4747 chan->ident = 0; 4748 chan->dcid = dcid; 4749 chan->omtu = mtu; 4750 chan->remote_mps = mps; 4751 chan->tx_credits = credits; 4752 l2cap_chan_ready(chan); 4753 break; 4754 4755 case L2CAP_CR_LE_AUTHENTICATION: 4756 case L2CAP_CR_LE_ENCRYPTION: 4757 /* If we already have MITM protection we can't do 4758 * anything. 4759 */ 4760 if (hcon->sec_level > BT_SECURITY_MEDIUM) { 4761 l2cap_chan_del(chan, ECONNREFUSED); 4762 break; 4763 } 4764 4765 sec_level = hcon->sec_level + 1; 4766 if (chan->sec_level < sec_level) 4767 chan->sec_level = sec_level; 4768 4769 /* We'll need to send a new Connect Request */ 4770 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags); 4771 4772 smp_conn_security(hcon, chan->sec_level); 4773 break; 4774 4775 default: 4776 l2cap_chan_del(chan, ECONNREFUSED); 4777 break; 4778 } 4779 4780 l2cap_chan_unlock(chan); 4781 4782 return err; 4783 } 4784 4785 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, 4786 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4787 u8 *data) 4788 { 4789 int err = 0; 4790 4791 switch (cmd->code) { 4792 case L2CAP_COMMAND_REJ: 4793 l2cap_command_rej(conn, cmd, cmd_len, data); 4794 break; 4795 4796 case L2CAP_CONN_REQ: 4797 err = l2cap_connect_req(conn, cmd, cmd_len, data); 4798 break; 4799 4800 case L2CAP_CONN_RSP: 4801 l2cap_connect_create_rsp(conn, cmd, cmd_len, data); 4802 break; 4803 4804 case L2CAP_CONF_REQ: 4805 err = l2cap_config_req(conn, cmd, cmd_len, data); 4806 break; 4807 4808 case L2CAP_CONF_RSP: 4809 l2cap_config_rsp(conn, cmd, cmd_len, data); 4810 break; 4811 4812 case L2CAP_DISCONN_REQ: 4813 err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 4814 break; 4815 4816 case L2CAP_DISCONN_RSP: 4817 l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 4818 break; 4819 4820 case L2CAP_ECHO_REQ: 4821 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data); 4822 break; 4823 4824 case L2CAP_ECHO_RSP: 4825 break; 4826 4827 case L2CAP_INFO_REQ: 4828 err = l2cap_information_req(conn, cmd, cmd_len, data); 4829 break; 4830 4831 case L2CAP_INFO_RSP: 4832 l2cap_information_rsp(conn, cmd, cmd_len, data); 4833 break; 4834 4835 default: 4836 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code); 4837 err = -EINVAL; 4838 break; 4839 } 4840 4841 return err; 4842 } 4843 4844 static int l2cap_le_connect_req(struct l2cap_conn *conn, 4845 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4846 u8 *data) 4847 { 4848 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data; 4849 struct l2cap_le_conn_rsp rsp; 4850 struct l2cap_chan *chan, *pchan; 4851 u16 dcid, scid, credits, mtu, mps; 4852 __le16 psm; 4853 u8 result; 4854 4855 if (cmd_len != sizeof(*req)) 4856 return -EPROTO; 4857 4858 scid = __le16_to_cpu(req->scid); 4859 mtu = __le16_to_cpu(req->mtu); 4860 mps = __le16_to_cpu(req->mps); 4861 psm = req->psm; 4862 dcid = 0; 4863 credits = 0; 4864 4865 if (mtu < 23 || mps < 23) 4866 return -EPROTO; 4867 4868 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), 4869 scid, mtu, mps); 4870 4871 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A 4872 * page 1059: 4873 * 4874 * Valid range: 0x0001-0x00ff 4875 * 4876 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges 4877 */ 4878 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { 4879 result = L2CAP_CR_LE_BAD_PSM; 4880 chan = NULL; 4881 goto response; 4882 } 4883 4884 /* Check if we have socket listening on psm */ 4885 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 4886 &conn->hcon->dst, LE_LINK); 4887 if (!pchan) { 4888 result = L2CAP_CR_LE_BAD_PSM; 4889 chan = NULL; 4890 goto response; 4891 } 4892 4893 l2cap_chan_lock(pchan); 4894 4895 if (!smp_sufficient_security(conn->hcon, pchan->sec_level, 4896 SMP_ALLOW_STK)) { 4897 result = pchan->sec_level == BT_SECURITY_MEDIUM ? 4898 L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION; 4899 chan = NULL; 4900 goto response_unlock; 4901 } 4902 4903 /* Check for valid dynamic CID range */ 4904 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { 4905 result = L2CAP_CR_LE_INVALID_SCID; 4906 chan = NULL; 4907 goto response_unlock; 4908 } 4909 4910 /* Check if we already have channel with that dcid */ 4911 if (__l2cap_get_chan_by_dcid(conn, scid)) { 4912 result = L2CAP_CR_LE_SCID_IN_USE; 4913 chan = NULL; 4914 goto response_unlock; 4915 } 4916 4917 chan = pchan->ops->new_connection(pchan); 4918 if (!chan) { 4919 result = L2CAP_CR_LE_NO_MEM; 4920 goto response_unlock; 4921 } 4922 4923 bacpy(&chan->src, &conn->hcon->src); 4924 bacpy(&chan->dst, &conn->hcon->dst); 4925 chan->src_type = bdaddr_src_type(conn->hcon); 4926 chan->dst_type = bdaddr_dst_type(conn->hcon); 4927 chan->psm = psm; 4928 chan->dcid = scid; 4929 chan->omtu = mtu; 4930 chan->remote_mps = mps; 4931 4932 __l2cap_chan_add(conn, chan); 4933 4934 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits)); 4935 4936 dcid = chan->scid; 4937 credits = chan->rx_credits; 4938 4939 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 4940 4941 chan->ident = cmd->ident; 4942 4943 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 4944 l2cap_state_change(chan, BT_CONNECT2); 4945 /* The following result value is actually not defined 4946 * for LE CoC but we use it to let the function know 4947 * that it should bail out after doing its cleanup 4948 * instead of sending a response. 4949 */ 4950 result = L2CAP_CR_PEND; 4951 chan->ops->defer(chan); 4952 } else { 4953 l2cap_chan_ready(chan); 4954 result = L2CAP_CR_LE_SUCCESS; 4955 } 4956 4957 response_unlock: 4958 l2cap_chan_unlock(pchan); 4959 l2cap_chan_put(pchan); 4960 4961 if (result == L2CAP_CR_PEND) 4962 return 0; 4963 4964 response: 4965 if (chan) { 4966 rsp.mtu = cpu_to_le16(chan->imtu); 4967 rsp.mps = cpu_to_le16(chan->mps); 4968 } else { 4969 rsp.mtu = 0; 4970 rsp.mps = 0; 4971 } 4972 4973 rsp.dcid = cpu_to_le16(dcid); 4974 rsp.credits = cpu_to_le16(credits); 4975 rsp.result = cpu_to_le16(result); 4976 4977 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp); 4978 4979 return 0; 4980 } 4981 4982 static inline int l2cap_le_credits(struct l2cap_conn *conn, 4983 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 4984 u8 *data) 4985 { 4986 struct l2cap_le_credits *pkt; 4987 struct l2cap_chan *chan; 4988 u16 cid, credits, max_credits; 4989 4990 if (cmd_len != sizeof(*pkt)) 4991 return -EPROTO; 4992 4993 pkt = (struct l2cap_le_credits *) data; 4994 cid = __le16_to_cpu(pkt->cid); 4995 credits = __le16_to_cpu(pkt->credits); 4996 4997 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits); 4998 4999 chan = l2cap_get_chan_by_dcid(conn, cid); 5000 if (!chan) 5001 return -EBADSLT; 5002 5003 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits; 5004 if (credits > max_credits) { 5005 BT_ERR("LE credits overflow"); 5006 l2cap_send_disconn_req(chan, ECONNRESET); 5007 5008 /* Return 0 so that we don't trigger an unnecessary 5009 * command reject packet. 5010 */ 5011 goto unlock; 5012 } 5013 5014 chan->tx_credits += credits; 5015 5016 /* Resume sending */ 5017 l2cap_le_flowctl_send(chan); 5018 5019 if (chan->tx_credits) 5020 chan->ops->resume(chan); 5021 5022 unlock: 5023 l2cap_chan_unlock(chan); 5024 l2cap_chan_put(chan); 5025 5026 return 0; 5027 } 5028 5029 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, 5030 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5031 u8 *data) 5032 { 5033 struct l2cap_ecred_conn_req *req = (void *) data; 5034 DEFINE_RAW_FLEX(struct l2cap_ecred_conn_rsp, pdu, dcid, L2CAP_ECRED_MAX_CID); 5035 struct l2cap_chan *chan, *pchan; 5036 u16 mtu, mps; 5037 __le16 psm; 5038 u8 result, len = 0; 5039 int i, num_scid; 5040 bool defer = false; 5041 5042 if (!enable_ecred) 5043 return -EINVAL; 5044 5045 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) { 5046 result = L2CAP_CR_LE_INVALID_PARAMS; 5047 goto response; 5048 } 5049 5050 cmd_len -= sizeof(*req); 5051 num_scid = cmd_len / sizeof(u16); 5052 5053 if (num_scid > L2CAP_ECRED_MAX_CID) { 5054 result = L2CAP_CR_LE_INVALID_PARAMS; 5055 goto response; 5056 } 5057 5058 mtu = __le16_to_cpu(req->mtu); 5059 mps = __le16_to_cpu(req->mps); 5060 5061 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) { 5062 result = L2CAP_CR_LE_UNACCEPT_PARAMS; 5063 goto response; 5064 } 5065 5066 psm = req->psm; 5067 5068 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A 5069 * page 1059: 5070 * 5071 * Valid range: 0x0001-0x00ff 5072 * 5073 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges 5074 */ 5075 if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { 5076 result = L2CAP_CR_LE_BAD_PSM; 5077 goto response; 5078 } 5079 5080 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps); 5081 5082 memset(pdu, 0, sizeof(*pdu)); 5083 5084 /* Check if we have socket listening on psm */ 5085 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, 5086 &conn->hcon->dst, LE_LINK); 5087 if (!pchan) { 5088 result = L2CAP_CR_LE_BAD_PSM; 5089 goto response; 5090 } 5091 5092 l2cap_chan_lock(pchan); 5093 5094 if (!smp_sufficient_security(conn->hcon, pchan->sec_level, 5095 SMP_ALLOW_STK)) { 5096 result = L2CAP_CR_LE_AUTHENTICATION; 5097 goto unlock; 5098 } 5099 5100 result = L2CAP_CR_LE_SUCCESS; 5101 5102 for (i = 0; i < num_scid; i++) { 5103 u16 scid = __le16_to_cpu(req->scid[i]); 5104 5105 BT_DBG("scid[%d] 0x%4.4x", i, scid); 5106 5107 pdu->dcid[i] = 0x0000; 5108 len += sizeof(*pdu->dcid); 5109 5110 /* Check for valid dynamic CID range */ 5111 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { 5112 result = L2CAP_CR_LE_INVALID_SCID; 5113 continue; 5114 } 5115 5116 /* Check if we already have channel with that dcid */ 5117 if (__l2cap_get_chan_by_dcid(conn, scid)) { 5118 result = L2CAP_CR_LE_SCID_IN_USE; 5119 continue; 5120 } 5121 5122 chan = pchan->ops->new_connection(pchan); 5123 if (!chan) { 5124 result = L2CAP_CR_LE_NO_MEM; 5125 continue; 5126 } 5127 5128 bacpy(&chan->src, &conn->hcon->src); 5129 bacpy(&chan->dst, &conn->hcon->dst); 5130 chan->src_type = bdaddr_src_type(conn->hcon); 5131 chan->dst_type = bdaddr_dst_type(conn->hcon); 5132 chan->psm = psm; 5133 chan->dcid = scid; 5134 chan->omtu = mtu; 5135 chan->remote_mps = mps; 5136 5137 __l2cap_chan_add(conn, chan); 5138 5139 l2cap_ecred_init(chan, __le16_to_cpu(req->credits)); 5140 5141 /* Init response */ 5142 if (!pdu->credits) { 5143 pdu->mtu = cpu_to_le16(chan->imtu); 5144 pdu->mps = cpu_to_le16(chan->mps); 5145 pdu->credits = cpu_to_le16(chan->rx_credits); 5146 } 5147 5148 pdu->dcid[i] = cpu_to_le16(chan->scid); 5149 5150 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 5151 5152 chan->ident = cmd->ident; 5153 chan->mode = L2CAP_MODE_EXT_FLOWCTL; 5154 5155 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 5156 l2cap_state_change(chan, BT_CONNECT2); 5157 defer = true; 5158 chan->ops->defer(chan); 5159 } else { 5160 l2cap_chan_ready(chan); 5161 } 5162 } 5163 5164 unlock: 5165 l2cap_chan_unlock(pchan); 5166 l2cap_chan_put(pchan); 5167 5168 response: 5169 pdu->result = cpu_to_le16(result); 5170 5171 if (defer) 5172 return 0; 5173 5174 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP, 5175 sizeof(*pdu) + len, pdu); 5176 5177 return 0; 5178 } 5179 5180 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn, 5181 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5182 u8 *data) 5183 { 5184 struct l2cap_ecred_conn_rsp *rsp = (void *) data; 5185 struct hci_conn *hcon = conn->hcon; 5186 u16 mtu, mps, credits, result; 5187 struct l2cap_chan *chan, *tmp; 5188 int err = 0, sec_level; 5189 int i = 0; 5190 5191 if (cmd_len < sizeof(*rsp)) 5192 return -EPROTO; 5193 5194 mtu = __le16_to_cpu(rsp->mtu); 5195 mps = __le16_to_cpu(rsp->mps); 5196 credits = __le16_to_cpu(rsp->credits); 5197 result = __le16_to_cpu(rsp->result); 5198 5199 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits, 5200 result); 5201 5202 cmd_len -= sizeof(*rsp); 5203 5204 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 5205 u16 dcid; 5206 5207 if (chan->ident != cmd->ident || 5208 chan->mode != L2CAP_MODE_EXT_FLOWCTL || 5209 chan->state == BT_CONNECTED) 5210 continue; 5211 5212 l2cap_chan_lock(chan); 5213 5214 /* Check that there is a dcid for each pending channel */ 5215 if (cmd_len < sizeof(dcid)) { 5216 l2cap_chan_del(chan, ECONNREFUSED); 5217 l2cap_chan_unlock(chan); 5218 continue; 5219 } 5220 5221 dcid = __le16_to_cpu(rsp->dcid[i++]); 5222 cmd_len -= sizeof(u16); 5223 5224 BT_DBG("dcid[%d] 0x%4.4x", i, dcid); 5225 5226 /* Check if dcid is already in use */ 5227 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) { 5228 /* If a device receives a 5229 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an 5230 * already-assigned Destination CID, then both the 5231 * original channel and the new channel shall be 5232 * immediately discarded and not used. 5233 */ 5234 l2cap_chan_del(chan, ECONNREFUSED); 5235 l2cap_chan_unlock(chan); 5236 chan = __l2cap_get_chan_by_dcid(conn, dcid); 5237 l2cap_chan_lock(chan); 5238 l2cap_chan_del(chan, ECONNRESET); 5239 l2cap_chan_unlock(chan); 5240 continue; 5241 } 5242 5243 switch (result) { 5244 case L2CAP_CR_LE_AUTHENTICATION: 5245 case L2CAP_CR_LE_ENCRYPTION: 5246 /* If we already have MITM protection we can't do 5247 * anything. 5248 */ 5249 if (hcon->sec_level > BT_SECURITY_MEDIUM) { 5250 l2cap_chan_del(chan, ECONNREFUSED); 5251 break; 5252 } 5253 5254 sec_level = hcon->sec_level + 1; 5255 if (chan->sec_level < sec_level) 5256 chan->sec_level = sec_level; 5257 5258 /* We'll need to send a new Connect Request */ 5259 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags); 5260 5261 smp_conn_security(hcon, chan->sec_level); 5262 break; 5263 5264 case L2CAP_CR_LE_BAD_PSM: 5265 l2cap_chan_del(chan, ECONNREFUSED); 5266 break; 5267 5268 default: 5269 /* If dcid was not set it means channels was refused */ 5270 if (!dcid) { 5271 l2cap_chan_del(chan, ECONNREFUSED); 5272 break; 5273 } 5274 5275 chan->ident = 0; 5276 chan->dcid = dcid; 5277 chan->omtu = mtu; 5278 chan->remote_mps = mps; 5279 chan->tx_credits = credits; 5280 l2cap_chan_ready(chan); 5281 break; 5282 } 5283 5284 l2cap_chan_unlock(chan); 5285 } 5286 5287 return err; 5288 } 5289 5290 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn, 5291 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5292 u8 *data) 5293 { 5294 struct l2cap_ecred_reconf_req *req = (void *) data; 5295 struct l2cap_ecred_reconf_rsp rsp; 5296 u16 mtu, mps, result; 5297 struct l2cap_chan *chan; 5298 int i, num_scid; 5299 5300 if (!enable_ecred) 5301 return -EINVAL; 5302 5303 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) { 5304 result = L2CAP_CR_LE_INVALID_PARAMS; 5305 goto respond; 5306 } 5307 5308 mtu = __le16_to_cpu(req->mtu); 5309 mps = __le16_to_cpu(req->mps); 5310 5311 BT_DBG("mtu %u mps %u", mtu, mps); 5312 5313 if (mtu < L2CAP_ECRED_MIN_MTU) { 5314 result = L2CAP_RECONF_INVALID_MTU; 5315 goto respond; 5316 } 5317 5318 if (mps < L2CAP_ECRED_MIN_MPS) { 5319 result = L2CAP_RECONF_INVALID_MPS; 5320 goto respond; 5321 } 5322 5323 cmd_len -= sizeof(*req); 5324 num_scid = cmd_len / sizeof(u16); 5325 result = L2CAP_RECONF_SUCCESS; 5326 5327 for (i = 0; i < num_scid; i++) { 5328 u16 scid; 5329 5330 scid = __le16_to_cpu(req->scid[i]); 5331 if (!scid) 5332 return -EPROTO; 5333 5334 chan = __l2cap_get_chan_by_dcid(conn, scid); 5335 if (!chan) 5336 continue; 5337 5338 /* If the MTU value is decreased for any of the included 5339 * channels, then the receiver shall disconnect all 5340 * included channels. 5341 */ 5342 if (chan->omtu > mtu) { 5343 BT_ERR("chan %p decreased MTU %u -> %u", chan, 5344 chan->omtu, mtu); 5345 result = L2CAP_RECONF_INVALID_MTU; 5346 } 5347 5348 chan->omtu = mtu; 5349 chan->remote_mps = mps; 5350 } 5351 5352 respond: 5353 rsp.result = cpu_to_le16(result); 5354 5355 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp), 5356 &rsp); 5357 5358 return 0; 5359 } 5360 5361 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn, 5362 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5363 u8 *data) 5364 { 5365 struct l2cap_chan *chan, *tmp; 5366 struct l2cap_ecred_conn_rsp *rsp = (void *) data; 5367 u16 result; 5368 5369 if (cmd_len < sizeof(*rsp)) 5370 return -EPROTO; 5371 5372 result = __le16_to_cpu(rsp->result); 5373 5374 BT_DBG("result 0x%4.4x", rsp->result); 5375 5376 if (!result) 5377 return 0; 5378 5379 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 5380 if (chan->ident != cmd->ident) 5381 continue; 5382 5383 l2cap_chan_del(chan, ECONNRESET); 5384 } 5385 5386 return 0; 5387 } 5388 5389 static inline int l2cap_le_command_rej(struct l2cap_conn *conn, 5390 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5391 u8 *data) 5392 { 5393 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; 5394 struct l2cap_chan *chan; 5395 5396 if (cmd_len < sizeof(*rej)) 5397 return -EPROTO; 5398 5399 chan = __l2cap_get_chan_by_ident(conn, cmd->ident); 5400 if (!chan) 5401 goto done; 5402 5403 chan = l2cap_chan_hold_unless_zero(chan); 5404 if (!chan) 5405 goto done; 5406 5407 l2cap_chan_lock(chan); 5408 l2cap_chan_del(chan, ECONNREFUSED); 5409 l2cap_chan_unlock(chan); 5410 l2cap_chan_put(chan); 5411 5412 done: 5413 return 0; 5414 } 5415 5416 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn, 5417 struct l2cap_cmd_hdr *cmd, u16 cmd_len, 5418 u8 *data) 5419 { 5420 int err = 0; 5421 5422 switch (cmd->code) { 5423 case L2CAP_COMMAND_REJ: 5424 l2cap_le_command_rej(conn, cmd, cmd_len, data); 5425 break; 5426 5427 case L2CAP_CONN_PARAM_UPDATE_REQ: 5428 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data); 5429 break; 5430 5431 case L2CAP_CONN_PARAM_UPDATE_RSP: 5432 break; 5433 5434 case L2CAP_LE_CONN_RSP: 5435 l2cap_le_connect_rsp(conn, cmd, cmd_len, data); 5436 break; 5437 5438 case L2CAP_LE_CONN_REQ: 5439 err = l2cap_le_connect_req(conn, cmd, cmd_len, data); 5440 break; 5441 5442 case L2CAP_LE_CREDITS: 5443 err = l2cap_le_credits(conn, cmd, cmd_len, data); 5444 break; 5445 5446 case L2CAP_ECRED_CONN_REQ: 5447 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data); 5448 break; 5449 5450 case L2CAP_ECRED_CONN_RSP: 5451 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data); 5452 break; 5453 5454 case L2CAP_ECRED_RECONF_REQ: 5455 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data); 5456 break; 5457 5458 case L2CAP_ECRED_RECONF_RSP: 5459 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data); 5460 break; 5461 5462 case L2CAP_DISCONN_REQ: 5463 err = l2cap_disconnect_req(conn, cmd, cmd_len, data); 5464 break; 5465 5466 case L2CAP_DISCONN_RSP: 5467 l2cap_disconnect_rsp(conn, cmd, cmd_len, data); 5468 break; 5469 5470 default: 5471 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code); 5472 err = -EINVAL; 5473 break; 5474 } 5475 5476 return err; 5477 } 5478 5479 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn, 5480 struct sk_buff *skb) 5481 { 5482 struct hci_conn *hcon = conn->hcon; 5483 struct l2cap_cmd_hdr *cmd; 5484 u16 len; 5485 int err; 5486 5487 if (hcon->type != LE_LINK) 5488 goto drop; 5489 5490 if (skb->len < L2CAP_CMD_HDR_SIZE) 5491 goto drop; 5492 5493 cmd = (void *) skb->data; 5494 skb_pull(skb, L2CAP_CMD_HDR_SIZE); 5495 5496 len = le16_to_cpu(cmd->len); 5497 5498 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident); 5499 5500 if (len != skb->len || !cmd->ident) { 5501 BT_DBG("corrupted command"); 5502 goto drop; 5503 } 5504 5505 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data); 5506 if (err) { 5507 struct l2cap_cmd_rej_unk rej; 5508 5509 BT_ERR("Wrong link type (%d)", err); 5510 5511 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 5512 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ, 5513 sizeof(rej), &rej); 5514 } 5515 5516 drop: 5517 kfree_skb(skb); 5518 } 5519 5520 static inline void l2cap_sig_send_rej(struct l2cap_conn *conn, u16 ident) 5521 { 5522 struct l2cap_cmd_rej_unk rej; 5523 5524 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD); 5525 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); 5526 } 5527 5528 static inline void l2cap_sig_channel(struct l2cap_conn *conn, 5529 struct sk_buff *skb) 5530 { 5531 struct hci_conn *hcon = conn->hcon; 5532 struct l2cap_cmd_hdr *cmd; 5533 int err; 5534 5535 l2cap_raw_recv(conn, skb); 5536 5537 if (hcon->type != ACL_LINK) 5538 goto drop; 5539 5540 while (skb->len >= L2CAP_CMD_HDR_SIZE) { 5541 u16 len; 5542 5543 cmd = (void *) skb->data; 5544 skb_pull(skb, L2CAP_CMD_HDR_SIZE); 5545 5546 len = le16_to_cpu(cmd->len); 5547 5548 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, 5549 cmd->ident); 5550 5551 if (len > skb->len || !cmd->ident) { 5552 BT_DBG("corrupted command"); 5553 l2cap_sig_send_rej(conn, cmd->ident); 5554 skb_pull(skb, len > skb->len ? skb->len : len); 5555 continue; 5556 } 5557 5558 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data); 5559 if (err) { 5560 BT_ERR("Wrong link type (%d)", err); 5561 l2cap_sig_send_rej(conn, cmd->ident); 5562 } 5563 5564 skb_pull(skb, len); 5565 } 5566 5567 if (skb->len > 0) { 5568 BT_DBG("corrupted command"); 5569 l2cap_sig_send_rej(conn, 0); 5570 } 5571 5572 drop: 5573 kfree_skb(skb); 5574 } 5575 5576 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb) 5577 { 5578 u16 our_fcs, rcv_fcs; 5579 int hdr_size; 5580 5581 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) 5582 hdr_size = L2CAP_EXT_HDR_SIZE; 5583 else 5584 hdr_size = L2CAP_ENH_HDR_SIZE; 5585 5586 if (chan->fcs == L2CAP_FCS_CRC16) { 5587 skb_trim(skb, skb->len - L2CAP_FCS_SIZE); 5588 rcv_fcs = get_unaligned_le16(skb->data + skb->len); 5589 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size); 5590 5591 if (our_fcs != rcv_fcs) 5592 return -EBADMSG; 5593 } 5594 return 0; 5595 } 5596 5597 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan) 5598 { 5599 struct l2cap_ctrl control; 5600 5601 BT_DBG("chan %p", chan); 5602 5603 memset(&control, 0, sizeof(control)); 5604 control.sframe = 1; 5605 control.final = 1; 5606 control.reqseq = chan->buffer_seq; 5607 set_bit(CONN_SEND_FBIT, &chan->conn_state); 5608 5609 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5610 control.super = L2CAP_SUPER_RNR; 5611 l2cap_send_sframe(chan, &control); 5612 } 5613 5614 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) && 5615 chan->unacked_frames > 0) 5616 __set_retrans_timer(chan); 5617 5618 /* Send pending iframes */ 5619 l2cap_ertm_send(chan); 5620 5621 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) && 5622 test_bit(CONN_SEND_FBIT, &chan->conn_state)) { 5623 /* F-bit wasn't sent in an s-frame or i-frame yet, so 5624 * send it now. 5625 */ 5626 control.super = L2CAP_SUPER_RR; 5627 l2cap_send_sframe(chan, &control); 5628 } 5629 } 5630 5631 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag, 5632 struct sk_buff **last_frag) 5633 { 5634 /* skb->len reflects data in skb as well as all fragments 5635 * skb->data_len reflects only data in fragments 5636 */ 5637 if (!skb_has_frag_list(skb)) 5638 skb_shinfo(skb)->frag_list = new_frag; 5639 5640 new_frag->next = NULL; 5641 5642 (*last_frag)->next = new_frag; 5643 *last_frag = new_frag; 5644 5645 skb->len += new_frag->len; 5646 skb->data_len += new_frag->len; 5647 skb->truesize += new_frag->truesize; 5648 } 5649 5650 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb, 5651 struct l2cap_ctrl *control) 5652 { 5653 int err = -EINVAL; 5654 5655 switch (control->sar) { 5656 case L2CAP_SAR_UNSEGMENTED: 5657 if (chan->sdu) 5658 break; 5659 5660 err = chan->ops->recv(chan, skb); 5661 break; 5662 5663 case L2CAP_SAR_START: 5664 if (chan->sdu) 5665 break; 5666 5667 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE)) 5668 break; 5669 5670 chan->sdu_len = get_unaligned_le16(skb->data); 5671 skb_pull(skb, L2CAP_SDULEN_SIZE); 5672 5673 if (chan->sdu_len > chan->imtu) { 5674 err = -EMSGSIZE; 5675 break; 5676 } 5677 5678 if (skb->len >= chan->sdu_len) 5679 break; 5680 5681 chan->sdu = skb; 5682 chan->sdu_last_frag = skb; 5683 5684 skb = NULL; 5685 err = 0; 5686 break; 5687 5688 case L2CAP_SAR_CONTINUE: 5689 if (!chan->sdu) 5690 break; 5691 5692 append_skb_frag(chan->sdu, skb, 5693 &chan->sdu_last_frag); 5694 skb = NULL; 5695 5696 if (chan->sdu->len >= chan->sdu_len) 5697 break; 5698 5699 err = 0; 5700 break; 5701 5702 case L2CAP_SAR_END: 5703 if (!chan->sdu) 5704 break; 5705 5706 append_skb_frag(chan->sdu, skb, 5707 &chan->sdu_last_frag); 5708 skb = NULL; 5709 5710 if (chan->sdu->len != chan->sdu_len) 5711 break; 5712 5713 err = chan->ops->recv(chan, chan->sdu); 5714 5715 if (!err) { 5716 /* Reassembly complete */ 5717 chan->sdu = NULL; 5718 chan->sdu_last_frag = NULL; 5719 chan->sdu_len = 0; 5720 } 5721 break; 5722 } 5723 5724 if (err) { 5725 kfree_skb(skb); 5726 kfree_skb(chan->sdu); 5727 chan->sdu = NULL; 5728 chan->sdu_last_frag = NULL; 5729 chan->sdu_len = 0; 5730 } 5731 5732 return err; 5733 } 5734 5735 static int l2cap_resegment(struct l2cap_chan *chan) 5736 { 5737 /* Placeholder */ 5738 return 0; 5739 } 5740 5741 void l2cap_chan_busy(struct l2cap_chan *chan, int busy) 5742 { 5743 u8 event; 5744 5745 if (chan->mode != L2CAP_MODE_ERTM) 5746 return; 5747 5748 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR; 5749 l2cap_tx(chan, NULL, NULL, event); 5750 } 5751 5752 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan) 5753 { 5754 int err = 0; 5755 /* Pass sequential frames to l2cap_reassemble_sdu() 5756 * until a gap is encountered. 5757 */ 5758 5759 BT_DBG("chan %p", chan); 5760 5761 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5762 struct sk_buff *skb; 5763 BT_DBG("Searching for skb with txseq %d (queue len %d)", 5764 chan->buffer_seq, skb_queue_len(&chan->srej_q)); 5765 5766 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq); 5767 5768 if (!skb) 5769 break; 5770 5771 skb_unlink(skb, &chan->srej_q); 5772 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 5773 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap); 5774 if (err) 5775 break; 5776 } 5777 5778 if (skb_queue_empty(&chan->srej_q)) { 5779 chan->rx_state = L2CAP_RX_STATE_RECV; 5780 l2cap_send_ack(chan); 5781 } 5782 5783 return err; 5784 } 5785 5786 static void l2cap_handle_srej(struct l2cap_chan *chan, 5787 struct l2cap_ctrl *control) 5788 { 5789 struct sk_buff *skb; 5790 5791 BT_DBG("chan %p, control %p", chan, control); 5792 5793 if (control->reqseq == chan->next_tx_seq) { 5794 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 5795 l2cap_send_disconn_req(chan, ECONNRESET); 5796 return; 5797 } 5798 5799 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 5800 5801 if (skb == NULL) { 5802 BT_DBG("Seq %d not available for retransmission", 5803 control->reqseq); 5804 return; 5805 } 5806 5807 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) { 5808 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 5809 l2cap_send_disconn_req(chan, ECONNRESET); 5810 return; 5811 } 5812 5813 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 5814 5815 if (control->poll) { 5816 l2cap_pass_to_tx(chan, control); 5817 5818 set_bit(CONN_SEND_FBIT, &chan->conn_state); 5819 l2cap_retransmit(chan, control); 5820 l2cap_ertm_send(chan); 5821 5822 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 5823 set_bit(CONN_SREJ_ACT, &chan->conn_state); 5824 chan->srej_save_reqseq = control->reqseq; 5825 } 5826 } else { 5827 l2cap_pass_to_tx_fbit(chan, control); 5828 5829 if (control->final) { 5830 if (chan->srej_save_reqseq != control->reqseq || 5831 !test_and_clear_bit(CONN_SREJ_ACT, 5832 &chan->conn_state)) 5833 l2cap_retransmit(chan, control); 5834 } else { 5835 l2cap_retransmit(chan, control); 5836 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) { 5837 set_bit(CONN_SREJ_ACT, &chan->conn_state); 5838 chan->srej_save_reqseq = control->reqseq; 5839 } 5840 } 5841 } 5842 } 5843 5844 static void l2cap_handle_rej(struct l2cap_chan *chan, 5845 struct l2cap_ctrl *control) 5846 { 5847 struct sk_buff *skb; 5848 5849 BT_DBG("chan %p, control %p", chan, control); 5850 5851 if (control->reqseq == chan->next_tx_seq) { 5852 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq); 5853 l2cap_send_disconn_req(chan, ECONNRESET); 5854 return; 5855 } 5856 5857 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq); 5858 5859 if (chan->max_tx && skb && 5860 bt_cb(skb)->l2cap.retries >= chan->max_tx) { 5861 BT_DBG("Retry limit exceeded (%d)", chan->max_tx); 5862 l2cap_send_disconn_req(chan, ECONNRESET); 5863 return; 5864 } 5865 5866 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 5867 5868 l2cap_pass_to_tx(chan, control); 5869 5870 if (control->final) { 5871 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state)) 5872 l2cap_retransmit_all(chan, control); 5873 } else { 5874 l2cap_retransmit_all(chan, control); 5875 l2cap_ertm_send(chan); 5876 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) 5877 set_bit(CONN_REJ_ACT, &chan->conn_state); 5878 } 5879 } 5880 5881 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq) 5882 { 5883 BT_DBG("chan %p, txseq %d", chan, txseq); 5884 5885 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq, 5886 chan->expected_tx_seq); 5887 5888 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) { 5889 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 5890 chan->tx_win) { 5891 /* See notes below regarding "double poll" and 5892 * invalid packets. 5893 */ 5894 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 5895 BT_DBG("Invalid/Ignore - after SREJ"); 5896 return L2CAP_TXSEQ_INVALID_IGNORE; 5897 } else { 5898 BT_DBG("Invalid - in window after SREJ sent"); 5899 return L2CAP_TXSEQ_INVALID; 5900 } 5901 } 5902 5903 if (chan->srej_list.head == txseq) { 5904 BT_DBG("Expected SREJ"); 5905 return L2CAP_TXSEQ_EXPECTED_SREJ; 5906 } 5907 5908 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) { 5909 BT_DBG("Duplicate SREJ - txseq already stored"); 5910 return L2CAP_TXSEQ_DUPLICATE_SREJ; 5911 } 5912 5913 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) { 5914 BT_DBG("Unexpected SREJ - not requested"); 5915 return L2CAP_TXSEQ_UNEXPECTED_SREJ; 5916 } 5917 } 5918 5919 if (chan->expected_tx_seq == txseq) { 5920 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= 5921 chan->tx_win) { 5922 BT_DBG("Invalid - txseq outside tx window"); 5923 return L2CAP_TXSEQ_INVALID; 5924 } else { 5925 BT_DBG("Expected"); 5926 return L2CAP_TXSEQ_EXPECTED; 5927 } 5928 } 5929 5930 if (__seq_offset(chan, txseq, chan->last_acked_seq) < 5931 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) { 5932 BT_DBG("Duplicate - expected_tx_seq later than txseq"); 5933 return L2CAP_TXSEQ_DUPLICATE; 5934 } 5935 5936 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) { 5937 /* A source of invalid packets is a "double poll" condition, 5938 * where delays cause us to send multiple poll packets. If 5939 * the remote stack receives and processes both polls, 5940 * sequence numbers can wrap around in such a way that a 5941 * resent frame has a sequence number that looks like new data 5942 * with a sequence gap. This would trigger an erroneous SREJ 5943 * request. 5944 * 5945 * Fortunately, this is impossible with a tx window that's 5946 * less than half of the maximum sequence number, which allows 5947 * invalid frames to be safely ignored. 5948 * 5949 * With tx window sizes greater than half of the tx window 5950 * maximum, the frame is invalid and cannot be ignored. This 5951 * causes a disconnect. 5952 */ 5953 5954 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) { 5955 BT_DBG("Invalid/Ignore - txseq outside tx window"); 5956 return L2CAP_TXSEQ_INVALID_IGNORE; 5957 } else { 5958 BT_DBG("Invalid - txseq outside tx window"); 5959 return L2CAP_TXSEQ_INVALID; 5960 } 5961 } else { 5962 BT_DBG("Unexpected - txseq indicates missing frames"); 5963 return L2CAP_TXSEQ_UNEXPECTED; 5964 } 5965 } 5966 5967 static int l2cap_rx_state_recv(struct l2cap_chan *chan, 5968 struct l2cap_ctrl *control, 5969 struct sk_buff *skb, u8 event) 5970 { 5971 struct l2cap_ctrl local_control; 5972 int err = 0; 5973 bool skb_in_use = false; 5974 5975 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 5976 event); 5977 5978 switch (event) { 5979 case L2CAP_EV_RECV_IFRAME: 5980 switch (l2cap_classify_txseq(chan, control->txseq)) { 5981 case L2CAP_TXSEQ_EXPECTED: 5982 l2cap_pass_to_tx(chan, control); 5983 5984 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 5985 BT_DBG("Busy, discarding expected seq %d", 5986 control->txseq); 5987 break; 5988 } 5989 5990 chan->expected_tx_seq = __next_seq(chan, 5991 control->txseq); 5992 5993 chan->buffer_seq = chan->expected_tx_seq; 5994 skb_in_use = true; 5995 5996 /* l2cap_reassemble_sdu may free skb, hence invalidate 5997 * control, so make a copy in advance to use it after 5998 * l2cap_reassemble_sdu returns and to avoid the race 5999 * condition, for example: 6000 * 6001 * The current thread calls: 6002 * l2cap_reassemble_sdu 6003 * chan->ops->recv == l2cap_sock_recv_cb 6004 * __sock_queue_rcv_skb 6005 * Another thread calls: 6006 * bt_sock_recvmsg 6007 * skb_recv_datagram 6008 * skb_free_datagram 6009 * Then the current thread tries to access control, but 6010 * it was freed by skb_free_datagram. 6011 */ 6012 local_control = *control; 6013 err = l2cap_reassemble_sdu(chan, skb, control); 6014 if (err) 6015 break; 6016 6017 if (local_control.final) { 6018 if (!test_and_clear_bit(CONN_REJ_ACT, 6019 &chan->conn_state)) { 6020 local_control.final = 0; 6021 l2cap_retransmit_all(chan, &local_control); 6022 l2cap_ertm_send(chan); 6023 } 6024 } 6025 6026 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) 6027 l2cap_send_ack(chan); 6028 break; 6029 case L2CAP_TXSEQ_UNEXPECTED: 6030 l2cap_pass_to_tx(chan, control); 6031 6032 /* Can't issue SREJ frames in the local busy state. 6033 * Drop this frame, it will be seen as missing 6034 * when local busy is exited. 6035 */ 6036 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) { 6037 BT_DBG("Busy, discarding unexpected seq %d", 6038 control->txseq); 6039 break; 6040 } 6041 6042 /* There was a gap in the sequence, so an SREJ 6043 * must be sent for each missing frame. The 6044 * current frame is stored for later use. 6045 */ 6046 skb_queue_tail(&chan->srej_q, skb); 6047 skb_in_use = true; 6048 BT_DBG("Queued %p (queue len %d)", skb, 6049 skb_queue_len(&chan->srej_q)); 6050 6051 clear_bit(CONN_SREJ_ACT, &chan->conn_state); 6052 l2cap_seq_list_clear(&chan->srej_list); 6053 l2cap_send_srej(chan, control->txseq); 6054 6055 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT; 6056 break; 6057 case L2CAP_TXSEQ_DUPLICATE: 6058 l2cap_pass_to_tx(chan, control); 6059 break; 6060 case L2CAP_TXSEQ_INVALID_IGNORE: 6061 break; 6062 case L2CAP_TXSEQ_INVALID: 6063 default: 6064 l2cap_send_disconn_req(chan, ECONNRESET); 6065 break; 6066 } 6067 break; 6068 case L2CAP_EV_RECV_RR: 6069 l2cap_pass_to_tx(chan, control); 6070 if (control->final) { 6071 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6072 6073 if (!test_and_clear_bit(CONN_REJ_ACT, 6074 &chan->conn_state)) { 6075 control->final = 0; 6076 l2cap_retransmit_all(chan, control); 6077 } 6078 6079 l2cap_ertm_send(chan); 6080 } else if (control->poll) { 6081 l2cap_send_i_or_rr_or_rnr(chan); 6082 } else { 6083 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6084 &chan->conn_state) && 6085 chan->unacked_frames) 6086 __set_retrans_timer(chan); 6087 6088 l2cap_ertm_send(chan); 6089 } 6090 break; 6091 case L2CAP_EV_RECV_RNR: 6092 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6093 l2cap_pass_to_tx(chan, control); 6094 if (control && control->poll) { 6095 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6096 l2cap_send_rr_or_rnr(chan, 0); 6097 } 6098 __clear_retrans_timer(chan); 6099 l2cap_seq_list_clear(&chan->retrans_list); 6100 break; 6101 case L2CAP_EV_RECV_REJ: 6102 l2cap_handle_rej(chan, control); 6103 break; 6104 case L2CAP_EV_RECV_SREJ: 6105 l2cap_handle_srej(chan, control); 6106 break; 6107 default: 6108 break; 6109 } 6110 6111 if (skb && !skb_in_use) { 6112 BT_DBG("Freeing %p", skb); 6113 kfree_skb(skb); 6114 } 6115 6116 return err; 6117 } 6118 6119 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan, 6120 struct l2cap_ctrl *control, 6121 struct sk_buff *skb, u8 event) 6122 { 6123 int err = 0; 6124 u16 txseq = control->txseq; 6125 bool skb_in_use = false; 6126 6127 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 6128 event); 6129 6130 switch (event) { 6131 case L2CAP_EV_RECV_IFRAME: 6132 switch (l2cap_classify_txseq(chan, txseq)) { 6133 case L2CAP_TXSEQ_EXPECTED: 6134 /* Keep frame for reassembly later */ 6135 l2cap_pass_to_tx(chan, control); 6136 skb_queue_tail(&chan->srej_q, skb); 6137 skb_in_use = true; 6138 BT_DBG("Queued %p (queue len %d)", skb, 6139 skb_queue_len(&chan->srej_q)); 6140 6141 chan->expected_tx_seq = __next_seq(chan, txseq); 6142 break; 6143 case L2CAP_TXSEQ_EXPECTED_SREJ: 6144 l2cap_seq_list_pop(&chan->srej_list); 6145 6146 l2cap_pass_to_tx(chan, control); 6147 skb_queue_tail(&chan->srej_q, skb); 6148 skb_in_use = true; 6149 BT_DBG("Queued %p (queue len %d)", skb, 6150 skb_queue_len(&chan->srej_q)); 6151 6152 err = l2cap_rx_queued_iframes(chan); 6153 if (err) 6154 break; 6155 6156 break; 6157 case L2CAP_TXSEQ_UNEXPECTED: 6158 /* Got a frame that can't be reassembled yet. 6159 * Save it for later, and send SREJs to cover 6160 * the missing frames. 6161 */ 6162 skb_queue_tail(&chan->srej_q, skb); 6163 skb_in_use = true; 6164 BT_DBG("Queued %p (queue len %d)", skb, 6165 skb_queue_len(&chan->srej_q)); 6166 6167 l2cap_pass_to_tx(chan, control); 6168 l2cap_send_srej(chan, control->txseq); 6169 break; 6170 case L2CAP_TXSEQ_UNEXPECTED_SREJ: 6171 /* This frame was requested with an SREJ, but 6172 * some expected retransmitted frames are 6173 * missing. Request retransmission of missing 6174 * SREJ'd frames. 6175 */ 6176 skb_queue_tail(&chan->srej_q, skb); 6177 skb_in_use = true; 6178 BT_DBG("Queued %p (queue len %d)", skb, 6179 skb_queue_len(&chan->srej_q)); 6180 6181 l2cap_pass_to_tx(chan, control); 6182 l2cap_send_srej_list(chan, control->txseq); 6183 break; 6184 case L2CAP_TXSEQ_DUPLICATE_SREJ: 6185 /* We've already queued this frame. Drop this copy. */ 6186 l2cap_pass_to_tx(chan, control); 6187 break; 6188 case L2CAP_TXSEQ_DUPLICATE: 6189 /* Expecting a later sequence number, so this frame 6190 * was already received. Ignore it completely. 6191 */ 6192 break; 6193 case L2CAP_TXSEQ_INVALID_IGNORE: 6194 break; 6195 case L2CAP_TXSEQ_INVALID: 6196 default: 6197 l2cap_send_disconn_req(chan, ECONNRESET); 6198 break; 6199 } 6200 break; 6201 case L2CAP_EV_RECV_RR: 6202 l2cap_pass_to_tx(chan, control); 6203 if (control->final) { 6204 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6205 6206 if (!test_and_clear_bit(CONN_REJ_ACT, 6207 &chan->conn_state)) { 6208 control->final = 0; 6209 l2cap_retransmit_all(chan, control); 6210 } 6211 6212 l2cap_ertm_send(chan); 6213 } else if (control->poll) { 6214 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6215 &chan->conn_state) && 6216 chan->unacked_frames) { 6217 __set_retrans_timer(chan); 6218 } 6219 6220 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6221 l2cap_send_srej_tail(chan); 6222 } else { 6223 if (test_and_clear_bit(CONN_REMOTE_BUSY, 6224 &chan->conn_state) && 6225 chan->unacked_frames) 6226 __set_retrans_timer(chan); 6227 6228 l2cap_send_ack(chan); 6229 } 6230 break; 6231 case L2CAP_EV_RECV_RNR: 6232 set_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6233 l2cap_pass_to_tx(chan, control); 6234 if (control->poll) { 6235 l2cap_send_srej_tail(chan); 6236 } else { 6237 struct l2cap_ctrl rr_control; 6238 memset(&rr_control, 0, sizeof(rr_control)); 6239 rr_control.sframe = 1; 6240 rr_control.super = L2CAP_SUPER_RR; 6241 rr_control.reqseq = chan->buffer_seq; 6242 l2cap_send_sframe(chan, &rr_control); 6243 } 6244 6245 break; 6246 case L2CAP_EV_RECV_REJ: 6247 l2cap_handle_rej(chan, control); 6248 break; 6249 case L2CAP_EV_RECV_SREJ: 6250 l2cap_handle_srej(chan, control); 6251 break; 6252 } 6253 6254 if (skb && !skb_in_use) { 6255 BT_DBG("Freeing %p", skb); 6256 kfree_skb(skb); 6257 } 6258 6259 return err; 6260 } 6261 6262 static int l2cap_finish_move(struct l2cap_chan *chan) 6263 { 6264 BT_DBG("chan %p", chan); 6265 6266 chan->rx_state = L2CAP_RX_STATE_RECV; 6267 chan->conn->mtu = chan->conn->hcon->mtu; 6268 6269 return l2cap_resegment(chan); 6270 } 6271 6272 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan, 6273 struct l2cap_ctrl *control, 6274 struct sk_buff *skb, u8 event) 6275 { 6276 int err; 6277 6278 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb, 6279 event); 6280 6281 if (!control->poll) 6282 return -EPROTO; 6283 6284 l2cap_process_reqseq(chan, control->reqseq); 6285 6286 if (!skb_queue_empty(&chan->tx_q)) 6287 chan->tx_send_head = skb_peek(&chan->tx_q); 6288 else 6289 chan->tx_send_head = NULL; 6290 6291 /* Rewind next_tx_seq to the point expected 6292 * by the receiver. 6293 */ 6294 chan->next_tx_seq = control->reqseq; 6295 chan->unacked_frames = 0; 6296 6297 err = l2cap_finish_move(chan); 6298 if (err) 6299 return err; 6300 6301 set_bit(CONN_SEND_FBIT, &chan->conn_state); 6302 l2cap_send_i_or_rr_or_rnr(chan); 6303 6304 if (event == L2CAP_EV_RECV_IFRAME) 6305 return -EPROTO; 6306 6307 return l2cap_rx_state_recv(chan, control, NULL, event); 6308 } 6309 6310 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan, 6311 struct l2cap_ctrl *control, 6312 struct sk_buff *skb, u8 event) 6313 { 6314 int err; 6315 6316 if (!control->final) 6317 return -EPROTO; 6318 6319 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state); 6320 6321 chan->rx_state = L2CAP_RX_STATE_RECV; 6322 l2cap_process_reqseq(chan, control->reqseq); 6323 6324 if (!skb_queue_empty(&chan->tx_q)) 6325 chan->tx_send_head = skb_peek(&chan->tx_q); 6326 else 6327 chan->tx_send_head = NULL; 6328 6329 /* Rewind next_tx_seq to the point expected 6330 * by the receiver. 6331 */ 6332 chan->next_tx_seq = control->reqseq; 6333 chan->unacked_frames = 0; 6334 chan->conn->mtu = chan->conn->hcon->mtu; 6335 6336 err = l2cap_resegment(chan); 6337 6338 if (!err) 6339 err = l2cap_rx_state_recv(chan, control, skb, event); 6340 6341 return err; 6342 } 6343 6344 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq) 6345 { 6346 /* Make sure reqseq is for a packet that has been sent but not acked */ 6347 u16 unacked; 6348 6349 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq); 6350 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked; 6351 } 6352 6353 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 6354 struct sk_buff *skb, u8 event) 6355 { 6356 int err = 0; 6357 6358 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan, 6359 control, skb, event, chan->rx_state); 6360 6361 if (__valid_reqseq(chan, control->reqseq)) { 6362 switch (chan->rx_state) { 6363 case L2CAP_RX_STATE_RECV: 6364 err = l2cap_rx_state_recv(chan, control, skb, event); 6365 break; 6366 case L2CAP_RX_STATE_SREJ_SENT: 6367 err = l2cap_rx_state_srej_sent(chan, control, skb, 6368 event); 6369 break; 6370 case L2CAP_RX_STATE_WAIT_P: 6371 err = l2cap_rx_state_wait_p(chan, control, skb, event); 6372 break; 6373 case L2CAP_RX_STATE_WAIT_F: 6374 err = l2cap_rx_state_wait_f(chan, control, skb, event); 6375 break; 6376 default: 6377 /* shut it down */ 6378 break; 6379 } 6380 } else { 6381 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d", 6382 control->reqseq, chan->next_tx_seq, 6383 chan->expected_ack_seq); 6384 l2cap_send_disconn_req(chan, ECONNRESET); 6385 } 6386 6387 return err; 6388 } 6389 6390 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, 6391 struct sk_buff *skb) 6392 { 6393 /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store 6394 * the txseq field in advance to use it after l2cap_reassemble_sdu 6395 * returns and to avoid the race condition, for example: 6396 * 6397 * The current thread calls: 6398 * l2cap_reassemble_sdu 6399 * chan->ops->recv == l2cap_sock_recv_cb 6400 * __sock_queue_rcv_skb 6401 * Another thread calls: 6402 * bt_sock_recvmsg 6403 * skb_recv_datagram 6404 * skb_free_datagram 6405 * Then the current thread tries to access control, but it was freed by 6406 * skb_free_datagram. 6407 */ 6408 u16 txseq = control->txseq; 6409 6410 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, 6411 chan->rx_state); 6412 6413 if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { 6414 l2cap_pass_to_tx(chan, control); 6415 6416 BT_DBG("buffer_seq %u->%u", chan->buffer_seq, 6417 __next_seq(chan, chan->buffer_seq)); 6418 6419 chan->buffer_seq = __next_seq(chan, chan->buffer_seq); 6420 6421 l2cap_reassemble_sdu(chan, skb, control); 6422 } else { 6423 if (chan->sdu) { 6424 kfree_skb(chan->sdu); 6425 chan->sdu = NULL; 6426 } 6427 chan->sdu_last_frag = NULL; 6428 chan->sdu_len = 0; 6429 6430 if (skb) { 6431 BT_DBG("Freeing %p", skb); 6432 kfree_skb(skb); 6433 } 6434 } 6435 6436 chan->last_acked_seq = txseq; 6437 chan->expected_tx_seq = __next_seq(chan, txseq); 6438 6439 return 0; 6440 } 6441 6442 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 6443 { 6444 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap; 6445 u16 len; 6446 u8 event; 6447 6448 __unpack_control(chan, skb); 6449 6450 len = skb->len; 6451 6452 /* 6453 * We can just drop the corrupted I-frame here. 6454 * Receiver will miss it and start proper recovery 6455 * procedures and ask for retransmission. 6456 */ 6457 if (l2cap_check_fcs(chan, skb)) 6458 goto drop; 6459 6460 if (!control->sframe && control->sar == L2CAP_SAR_START) 6461 len -= L2CAP_SDULEN_SIZE; 6462 6463 if (chan->fcs == L2CAP_FCS_CRC16) 6464 len -= L2CAP_FCS_SIZE; 6465 6466 if (len > chan->mps) { 6467 l2cap_send_disconn_req(chan, ECONNRESET); 6468 goto drop; 6469 } 6470 6471 if (chan->ops->filter) { 6472 if (chan->ops->filter(chan, skb)) 6473 goto drop; 6474 } 6475 6476 if (!control->sframe) { 6477 int err; 6478 6479 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d", 6480 control->sar, control->reqseq, control->final, 6481 control->txseq); 6482 6483 /* Validate F-bit - F=0 always valid, F=1 only 6484 * valid in TX WAIT_F 6485 */ 6486 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F) 6487 goto drop; 6488 6489 if (chan->mode != L2CAP_MODE_STREAMING) { 6490 event = L2CAP_EV_RECV_IFRAME; 6491 err = l2cap_rx(chan, control, skb, event); 6492 } else { 6493 err = l2cap_stream_rx(chan, control, skb); 6494 } 6495 6496 if (err) 6497 l2cap_send_disconn_req(chan, ECONNRESET); 6498 } else { 6499 const u8 rx_func_to_event[4] = { 6500 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ, 6501 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ 6502 }; 6503 6504 /* Only I-frames are expected in streaming mode */ 6505 if (chan->mode == L2CAP_MODE_STREAMING) 6506 goto drop; 6507 6508 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d", 6509 control->reqseq, control->final, control->poll, 6510 control->super); 6511 6512 if (len != 0) { 6513 BT_ERR("Trailing bytes: %d in sframe", len); 6514 l2cap_send_disconn_req(chan, ECONNRESET); 6515 goto drop; 6516 } 6517 6518 /* Validate F and P bits */ 6519 if (control->final && (control->poll || 6520 chan->tx_state != L2CAP_TX_STATE_WAIT_F)) 6521 goto drop; 6522 6523 event = rx_func_to_event[control->super]; 6524 if (l2cap_rx(chan, control, skb, event)) 6525 l2cap_send_disconn_req(chan, ECONNRESET); 6526 } 6527 6528 return 0; 6529 6530 drop: 6531 kfree_skb(skb); 6532 return 0; 6533 } 6534 6535 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan) 6536 { 6537 struct l2cap_conn *conn = chan->conn; 6538 struct l2cap_le_credits pkt; 6539 u16 return_credits = l2cap_le_rx_credits(chan); 6540 6541 if (chan->rx_credits >= return_credits) 6542 return; 6543 6544 return_credits -= chan->rx_credits; 6545 6546 BT_DBG("chan %p returning %u credits to sender", chan, return_credits); 6547 6548 chan->rx_credits += return_credits; 6549 6550 pkt.cid = cpu_to_le16(chan->scid); 6551 pkt.credits = cpu_to_le16(return_credits); 6552 6553 chan->ident = l2cap_get_ident(conn); 6554 6555 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt); 6556 } 6557 6558 void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail) 6559 { 6560 if (chan->rx_avail == rx_avail) 6561 return; 6562 6563 BT_DBG("chan %p has %zd bytes avail for rx", chan, rx_avail); 6564 6565 chan->rx_avail = rx_avail; 6566 6567 if (chan->state == BT_CONNECTED) 6568 l2cap_chan_le_send_credits(chan); 6569 } 6570 6571 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb) 6572 { 6573 int err; 6574 6575 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len); 6576 6577 /* Wait recv to confirm reception before updating the credits */ 6578 err = chan->ops->recv(chan, skb); 6579 6580 if (err < 0 && chan->rx_avail != -1) { 6581 BT_ERR("Queueing received LE L2CAP data failed"); 6582 l2cap_send_disconn_req(chan, ECONNRESET); 6583 return err; 6584 } 6585 6586 /* Update credits whenever an SDU is received */ 6587 l2cap_chan_le_send_credits(chan); 6588 6589 return err; 6590 } 6591 6592 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb) 6593 { 6594 int err; 6595 6596 if (!chan->rx_credits) { 6597 BT_ERR("No credits to receive LE L2CAP data"); 6598 l2cap_send_disconn_req(chan, ECONNRESET); 6599 return -ENOBUFS; 6600 } 6601 6602 if (chan->imtu < skb->len) { 6603 BT_ERR("Too big LE L2CAP PDU"); 6604 return -ENOBUFS; 6605 } 6606 6607 chan->rx_credits--; 6608 BT_DBG("chan %p: rx_credits %u -> %u", 6609 chan, chan->rx_credits + 1, chan->rx_credits); 6610 6611 /* Update if remote had run out of credits, this should only happens 6612 * if the remote is not using the entire MPS. 6613 */ 6614 if (!chan->rx_credits) 6615 l2cap_chan_le_send_credits(chan); 6616 6617 err = 0; 6618 6619 if (!chan->sdu) { 6620 u16 sdu_len; 6621 6622 sdu_len = get_unaligned_le16(skb->data); 6623 skb_pull(skb, L2CAP_SDULEN_SIZE); 6624 6625 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u", 6626 sdu_len, skb->len, chan->imtu); 6627 6628 if (sdu_len > chan->imtu) { 6629 BT_ERR("Too big LE L2CAP SDU length received"); 6630 err = -EMSGSIZE; 6631 goto failed; 6632 } 6633 6634 if (skb->len > sdu_len) { 6635 BT_ERR("Too much LE L2CAP data received"); 6636 err = -EINVAL; 6637 goto failed; 6638 } 6639 6640 if (skb->len == sdu_len) 6641 return l2cap_ecred_recv(chan, skb); 6642 6643 chan->sdu = skb; 6644 chan->sdu_len = sdu_len; 6645 chan->sdu_last_frag = skb; 6646 6647 /* Detect if remote is not able to use the selected MPS */ 6648 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) { 6649 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE; 6650 6651 /* Adjust the number of credits */ 6652 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len); 6653 chan->mps = mps_len; 6654 l2cap_chan_le_send_credits(chan); 6655 } 6656 6657 return 0; 6658 } 6659 6660 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u", 6661 chan->sdu->len, skb->len, chan->sdu_len); 6662 6663 if (chan->sdu->len + skb->len > chan->sdu_len) { 6664 BT_ERR("Too much LE L2CAP data received"); 6665 err = -EINVAL; 6666 goto failed; 6667 } 6668 6669 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag); 6670 skb = NULL; 6671 6672 if (chan->sdu->len == chan->sdu_len) { 6673 err = l2cap_ecred_recv(chan, chan->sdu); 6674 if (!err) { 6675 chan->sdu = NULL; 6676 chan->sdu_last_frag = NULL; 6677 chan->sdu_len = 0; 6678 } 6679 } 6680 6681 failed: 6682 if (err) { 6683 kfree_skb(skb); 6684 kfree_skb(chan->sdu); 6685 chan->sdu = NULL; 6686 chan->sdu_last_frag = NULL; 6687 chan->sdu_len = 0; 6688 } 6689 6690 /* We can't return an error here since we took care of the skb 6691 * freeing internally. An error return would cause the caller to 6692 * do a double-free of the skb. 6693 */ 6694 return 0; 6695 } 6696 6697 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, 6698 struct sk_buff *skb) 6699 { 6700 struct l2cap_chan *chan; 6701 6702 chan = l2cap_get_chan_by_scid(conn, cid); 6703 if (!chan) { 6704 BT_DBG("unknown cid 0x%4.4x", cid); 6705 /* Drop packet and return */ 6706 kfree_skb(skb); 6707 return; 6708 } 6709 6710 BT_DBG("chan %p, len %d", chan, skb->len); 6711 6712 /* If we receive data on a fixed channel before the info req/rsp 6713 * procedure is done simply assume that the channel is supported 6714 * and mark it as ready. 6715 */ 6716 if (chan->chan_type == L2CAP_CHAN_FIXED) 6717 l2cap_chan_ready(chan); 6718 6719 if (chan->state != BT_CONNECTED) 6720 goto drop; 6721 6722 switch (chan->mode) { 6723 case L2CAP_MODE_LE_FLOWCTL: 6724 case L2CAP_MODE_EXT_FLOWCTL: 6725 if (l2cap_ecred_data_rcv(chan, skb) < 0) 6726 goto drop; 6727 6728 goto done; 6729 6730 case L2CAP_MODE_BASIC: 6731 /* If socket recv buffers overflows we drop data here 6732 * which is *bad* because L2CAP has to be reliable. 6733 * But we don't have any other choice. L2CAP doesn't 6734 * provide flow control mechanism. */ 6735 6736 if (chan->imtu < skb->len) { 6737 BT_ERR("Dropping L2CAP data: receive buffer overflow"); 6738 goto drop; 6739 } 6740 6741 if (!chan->ops->recv(chan, skb)) 6742 goto done; 6743 break; 6744 6745 case L2CAP_MODE_ERTM: 6746 case L2CAP_MODE_STREAMING: 6747 l2cap_data_rcv(chan, skb); 6748 goto done; 6749 6750 default: 6751 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode); 6752 break; 6753 } 6754 6755 drop: 6756 kfree_skb(skb); 6757 6758 done: 6759 l2cap_chan_unlock(chan); 6760 l2cap_chan_put(chan); 6761 } 6762 6763 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, 6764 struct sk_buff *skb) 6765 { 6766 struct hci_conn *hcon = conn->hcon; 6767 struct l2cap_chan *chan; 6768 6769 if (hcon->type != ACL_LINK) 6770 goto free_skb; 6771 6772 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst, 6773 ACL_LINK); 6774 if (!chan) 6775 goto free_skb; 6776 6777 BT_DBG("chan %p, len %d", chan, skb->len); 6778 6779 l2cap_chan_lock(chan); 6780 6781 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED) 6782 goto drop; 6783 6784 if (chan->imtu < skb->len) 6785 goto drop; 6786 6787 /* Store remote BD_ADDR and PSM for msg_name */ 6788 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst); 6789 bt_cb(skb)->l2cap.psm = psm; 6790 6791 if (!chan->ops->recv(chan, skb)) { 6792 l2cap_chan_unlock(chan); 6793 l2cap_chan_put(chan); 6794 return; 6795 } 6796 6797 drop: 6798 l2cap_chan_unlock(chan); 6799 l2cap_chan_put(chan); 6800 free_skb: 6801 kfree_skb(skb); 6802 } 6803 6804 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) 6805 { 6806 struct l2cap_hdr *lh = (void *) skb->data; 6807 struct hci_conn *hcon = conn->hcon; 6808 u16 cid, len; 6809 __le16 psm; 6810 6811 if (hcon->state != BT_CONNECTED) { 6812 BT_DBG("queueing pending rx skb"); 6813 skb_queue_tail(&conn->pending_rx, skb); 6814 return; 6815 } 6816 6817 skb_pull(skb, L2CAP_HDR_SIZE); 6818 cid = __le16_to_cpu(lh->cid); 6819 len = __le16_to_cpu(lh->len); 6820 6821 if (len != skb->len) { 6822 kfree_skb(skb); 6823 return; 6824 } 6825 6826 /* Since we can't actively block incoming LE connections we must 6827 * at least ensure that we ignore incoming data from them. 6828 */ 6829 if (hcon->type == LE_LINK && 6830 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst, 6831 bdaddr_dst_type(hcon))) { 6832 kfree_skb(skb); 6833 return; 6834 } 6835 6836 BT_DBG("len %d, cid 0x%4.4x", len, cid); 6837 6838 switch (cid) { 6839 case L2CAP_CID_SIGNALING: 6840 l2cap_sig_channel(conn, skb); 6841 break; 6842 6843 case L2CAP_CID_CONN_LESS: 6844 psm = get_unaligned((__le16 *) skb->data); 6845 skb_pull(skb, L2CAP_PSMLEN_SIZE); 6846 l2cap_conless_channel(conn, psm, skb); 6847 break; 6848 6849 case L2CAP_CID_LE_SIGNALING: 6850 l2cap_le_sig_channel(conn, skb); 6851 break; 6852 6853 default: 6854 l2cap_data_channel(conn, cid, skb); 6855 break; 6856 } 6857 } 6858 6859 static void process_pending_rx(struct work_struct *work) 6860 { 6861 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, 6862 pending_rx_work); 6863 struct sk_buff *skb; 6864 6865 BT_DBG(""); 6866 6867 mutex_lock(&conn->lock); 6868 6869 while ((skb = skb_dequeue(&conn->pending_rx))) 6870 l2cap_recv_frame(conn, skb); 6871 6872 mutex_unlock(&conn->lock); 6873 } 6874 6875 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon) 6876 { 6877 struct l2cap_conn *conn = hcon->l2cap_data; 6878 struct hci_chan *hchan; 6879 6880 if (conn) 6881 return conn; 6882 6883 hchan = hci_chan_create(hcon); 6884 if (!hchan) 6885 return NULL; 6886 6887 conn = kzalloc(sizeof(*conn), GFP_KERNEL); 6888 if (!conn) { 6889 hci_chan_del(hchan); 6890 return NULL; 6891 } 6892 6893 kref_init(&conn->ref); 6894 hcon->l2cap_data = conn; 6895 conn->hcon = hci_conn_get(hcon); 6896 conn->hchan = hchan; 6897 6898 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan); 6899 6900 conn->mtu = hcon->mtu; 6901 conn->feat_mask = 0; 6902 6903 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS; 6904 6905 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) && 6906 (bredr_sc_enabled(hcon->hdev) || 6907 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP))) 6908 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR; 6909 6910 mutex_init(&conn->ident_lock); 6911 mutex_init(&conn->lock); 6912 6913 INIT_LIST_HEAD(&conn->chan_l); 6914 INIT_LIST_HEAD(&conn->users); 6915 6916 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout); 6917 6918 skb_queue_head_init(&conn->pending_rx); 6919 INIT_WORK(&conn->pending_rx_work, process_pending_rx); 6920 INIT_DELAYED_WORK(&conn->id_addr_timer, l2cap_conn_update_id_addr); 6921 6922 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 6923 6924 return conn; 6925 } 6926 6927 static bool is_valid_psm(u16 psm, u8 dst_type) 6928 { 6929 if (!psm) 6930 return false; 6931 6932 if (bdaddr_type_is_le(dst_type)) 6933 return (psm <= 0x00ff); 6934 6935 /* PSM must be odd and lsb of upper byte must be 0 */ 6936 return ((psm & 0x0101) == 0x0001); 6937 } 6938 6939 struct l2cap_chan_data { 6940 struct l2cap_chan *chan; 6941 struct pid *pid; 6942 int count; 6943 }; 6944 6945 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data) 6946 { 6947 struct l2cap_chan_data *d = data; 6948 struct pid *pid; 6949 6950 if (chan == d->chan) 6951 return; 6952 6953 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags)) 6954 return; 6955 6956 pid = chan->ops->get_peer_pid(chan); 6957 6958 /* Only count deferred channels with the same PID/PSM */ 6959 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident || 6960 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT) 6961 return; 6962 6963 d->count++; 6964 } 6965 6966 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, 6967 bdaddr_t *dst, u8 dst_type, u16 timeout) 6968 { 6969 struct l2cap_conn *conn; 6970 struct hci_conn *hcon; 6971 struct hci_dev *hdev; 6972 int err; 6973 6974 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src, 6975 dst, dst_type, __le16_to_cpu(psm), chan->mode); 6976 6977 hdev = hci_get_route(dst, &chan->src, chan->src_type); 6978 if (!hdev) 6979 return -EHOSTUNREACH; 6980 6981 hci_dev_lock(hdev); 6982 6983 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid && 6984 chan->chan_type != L2CAP_CHAN_RAW) { 6985 err = -EINVAL; 6986 goto done; 6987 } 6988 6989 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) { 6990 err = -EINVAL; 6991 goto done; 6992 } 6993 6994 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) { 6995 err = -EINVAL; 6996 goto done; 6997 } 6998 6999 switch (chan->mode) { 7000 case L2CAP_MODE_BASIC: 7001 break; 7002 case L2CAP_MODE_LE_FLOWCTL: 7003 break; 7004 case L2CAP_MODE_EXT_FLOWCTL: 7005 if (!enable_ecred) { 7006 err = -EOPNOTSUPP; 7007 goto done; 7008 } 7009 break; 7010 case L2CAP_MODE_ERTM: 7011 case L2CAP_MODE_STREAMING: 7012 if (!disable_ertm) 7013 break; 7014 fallthrough; 7015 default: 7016 err = -EOPNOTSUPP; 7017 goto done; 7018 } 7019 7020 switch (chan->state) { 7021 case BT_CONNECT: 7022 case BT_CONNECT2: 7023 case BT_CONFIG: 7024 /* Already connecting */ 7025 err = 0; 7026 goto done; 7027 7028 case BT_CONNECTED: 7029 /* Already connected */ 7030 err = -EISCONN; 7031 goto done; 7032 7033 case BT_OPEN: 7034 case BT_BOUND: 7035 /* Can connect */ 7036 break; 7037 7038 default: 7039 err = -EBADFD; 7040 goto done; 7041 } 7042 7043 /* Set destination address and psm */ 7044 bacpy(&chan->dst, dst); 7045 chan->dst_type = dst_type; 7046 7047 chan->psm = psm; 7048 chan->dcid = cid; 7049 7050 if (bdaddr_type_is_le(dst_type)) { 7051 /* Convert from L2CAP channel address type to HCI address type 7052 */ 7053 if (dst_type == BDADDR_LE_PUBLIC) 7054 dst_type = ADDR_LE_DEV_PUBLIC; 7055 else 7056 dst_type = ADDR_LE_DEV_RANDOM; 7057 7058 if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) 7059 hcon = hci_connect_le(hdev, dst, dst_type, false, 7060 chan->sec_level, timeout, 7061 HCI_ROLE_SLAVE, 0, 0); 7062 else 7063 hcon = hci_connect_le_scan(hdev, dst, dst_type, 7064 chan->sec_level, timeout, 7065 CONN_REASON_L2CAP_CHAN); 7066 7067 } else { 7068 u8 auth_type = l2cap_get_auth_type(chan); 7069 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type, 7070 CONN_REASON_L2CAP_CHAN, timeout); 7071 } 7072 7073 if (IS_ERR(hcon)) { 7074 err = PTR_ERR(hcon); 7075 goto done; 7076 } 7077 7078 conn = l2cap_conn_add(hcon); 7079 if (!conn) { 7080 hci_conn_drop(hcon); 7081 err = -ENOMEM; 7082 goto done; 7083 } 7084 7085 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 7086 struct l2cap_chan_data data; 7087 7088 data.chan = chan; 7089 data.pid = chan->ops->get_peer_pid(chan); 7090 data.count = 1; 7091 7092 l2cap_chan_list(conn, l2cap_chan_by_pid, &data); 7093 7094 /* Check if there isn't too many channels being connected */ 7095 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) { 7096 hci_conn_drop(hcon); 7097 err = -EPROTO; 7098 goto done; 7099 } 7100 } 7101 7102 mutex_lock(&conn->lock); 7103 l2cap_chan_lock(chan); 7104 7105 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) { 7106 hci_conn_drop(hcon); 7107 err = -EBUSY; 7108 goto chan_unlock; 7109 } 7110 7111 /* Update source addr of the socket */ 7112 bacpy(&chan->src, &hcon->src); 7113 chan->src_type = bdaddr_src_type(hcon); 7114 7115 __l2cap_chan_add(conn, chan); 7116 7117 /* l2cap_chan_add takes its own ref so we can drop this one */ 7118 hci_conn_drop(hcon); 7119 7120 l2cap_state_change(chan, BT_CONNECT); 7121 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan)); 7122 7123 /* Release chan->sport so that it can be reused by other 7124 * sockets (as it's only used for listening sockets). 7125 */ 7126 write_lock(&chan_list_lock); 7127 chan->sport = 0; 7128 write_unlock(&chan_list_lock); 7129 7130 if (hcon->state == BT_CONNECTED) { 7131 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 7132 __clear_chan_timer(chan); 7133 if (l2cap_chan_check_security(chan, true)) 7134 l2cap_state_change(chan, BT_CONNECTED); 7135 } else 7136 l2cap_do_start(chan); 7137 } 7138 7139 err = 0; 7140 7141 chan_unlock: 7142 l2cap_chan_unlock(chan); 7143 mutex_unlock(&conn->lock); 7144 done: 7145 hci_dev_unlock(hdev); 7146 hci_dev_put(hdev); 7147 return err; 7148 } 7149 EXPORT_SYMBOL_GPL(l2cap_chan_connect); 7150 7151 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan) 7152 { 7153 struct l2cap_conn *conn = chan->conn; 7154 DEFINE_RAW_FLEX(struct l2cap_ecred_reconf_req, pdu, scid, 1); 7155 7156 pdu->mtu = cpu_to_le16(chan->imtu); 7157 pdu->mps = cpu_to_le16(chan->mps); 7158 pdu->scid[0] = cpu_to_le16(chan->scid); 7159 7160 chan->ident = l2cap_get_ident(conn); 7161 7162 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ, 7163 sizeof(pdu), &pdu); 7164 } 7165 7166 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu) 7167 { 7168 if (chan->imtu > mtu) 7169 return -EINVAL; 7170 7171 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu); 7172 7173 chan->imtu = mtu; 7174 7175 l2cap_ecred_reconfigure(chan); 7176 7177 return 0; 7178 } 7179 7180 /* ---- L2CAP interface with lower layer (HCI) ---- */ 7181 7182 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr) 7183 { 7184 int exact = 0, lm1 = 0, lm2 = 0; 7185 struct l2cap_chan *c; 7186 7187 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr); 7188 7189 /* Find listening sockets and check their link_mode */ 7190 read_lock(&chan_list_lock); 7191 list_for_each_entry(c, &chan_list, global_l) { 7192 if (c->state != BT_LISTEN) 7193 continue; 7194 7195 if (!bacmp(&c->src, &hdev->bdaddr)) { 7196 lm1 |= HCI_LM_ACCEPT; 7197 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 7198 lm1 |= HCI_LM_MASTER; 7199 exact++; 7200 } else if (!bacmp(&c->src, BDADDR_ANY)) { 7201 lm2 |= HCI_LM_ACCEPT; 7202 if (test_bit(FLAG_ROLE_SWITCH, &c->flags)) 7203 lm2 |= HCI_LM_MASTER; 7204 } 7205 } 7206 read_unlock(&chan_list_lock); 7207 7208 return exact ? lm1 : lm2; 7209 } 7210 7211 /* Find the next fixed channel in BT_LISTEN state, continue iteration 7212 * from an existing channel in the list or from the beginning of the 7213 * global list (by passing NULL as first parameter). 7214 */ 7215 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c, 7216 struct hci_conn *hcon) 7217 { 7218 u8 src_type = bdaddr_src_type(hcon); 7219 7220 read_lock(&chan_list_lock); 7221 7222 if (c) 7223 c = list_next_entry(c, global_l); 7224 else 7225 c = list_entry(chan_list.next, typeof(*c), global_l); 7226 7227 list_for_each_entry_from(c, &chan_list, global_l) { 7228 if (c->chan_type != L2CAP_CHAN_FIXED) 7229 continue; 7230 if (c->state != BT_LISTEN) 7231 continue; 7232 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY)) 7233 continue; 7234 if (src_type != c->src_type) 7235 continue; 7236 7237 c = l2cap_chan_hold_unless_zero(c); 7238 read_unlock(&chan_list_lock); 7239 return c; 7240 } 7241 7242 read_unlock(&chan_list_lock); 7243 7244 return NULL; 7245 } 7246 7247 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 7248 { 7249 struct hci_dev *hdev = hcon->hdev; 7250 struct l2cap_conn *conn; 7251 struct l2cap_chan *pchan; 7252 u8 dst_type; 7253 7254 if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 7255 return; 7256 7257 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 7258 7259 if (status) { 7260 l2cap_conn_del(hcon, bt_to_errno(status)); 7261 return; 7262 } 7263 7264 conn = l2cap_conn_add(hcon); 7265 if (!conn) 7266 return; 7267 7268 dst_type = bdaddr_dst_type(hcon); 7269 7270 /* If device is blocked, do not create channels for it */ 7271 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type)) 7272 return; 7273 7274 /* Find fixed channels and notify them of the new connection. We 7275 * use multiple individual lookups, continuing each time where 7276 * we left off, because the list lock would prevent calling the 7277 * potentially sleeping l2cap_chan_lock() function. 7278 */ 7279 pchan = l2cap_global_fixed_chan(NULL, hcon); 7280 while (pchan) { 7281 struct l2cap_chan *chan, *next; 7282 7283 /* Client fixed channels should override server ones */ 7284 if (__l2cap_get_chan_by_dcid(conn, pchan->scid)) 7285 goto next; 7286 7287 l2cap_chan_lock(pchan); 7288 chan = pchan->ops->new_connection(pchan); 7289 if (chan) { 7290 bacpy(&chan->src, &hcon->src); 7291 bacpy(&chan->dst, &hcon->dst); 7292 chan->src_type = bdaddr_src_type(hcon); 7293 chan->dst_type = dst_type; 7294 7295 __l2cap_chan_add(conn, chan); 7296 } 7297 7298 l2cap_chan_unlock(pchan); 7299 next: 7300 next = l2cap_global_fixed_chan(pchan, hcon); 7301 l2cap_chan_put(pchan); 7302 pchan = next; 7303 } 7304 7305 l2cap_conn_ready(conn); 7306 } 7307 7308 int l2cap_disconn_ind(struct hci_conn *hcon) 7309 { 7310 struct l2cap_conn *conn = hcon->l2cap_data; 7311 7312 BT_DBG("hcon %p", hcon); 7313 7314 if (!conn) 7315 return HCI_ERROR_REMOTE_USER_TERM; 7316 return conn->disc_reason; 7317 } 7318 7319 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) 7320 { 7321 if (hcon->type != ACL_LINK && hcon->type != LE_LINK) 7322 return; 7323 7324 BT_DBG("hcon %p reason %d", hcon, reason); 7325 7326 l2cap_conn_del(hcon, bt_to_errno(reason)); 7327 } 7328 7329 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt) 7330 { 7331 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) 7332 return; 7333 7334 if (encrypt == 0x00) { 7335 if (chan->sec_level == BT_SECURITY_MEDIUM) { 7336 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT); 7337 } else if (chan->sec_level == BT_SECURITY_HIGH || 7338 chan->sec_level == BT_SECURITY_FIPS) 7339 l2cap_chan_close(chan, ECONNREFUSED); 7340 } else { 7341 if (chan->sec_level == BT_SECURITY_MEDIUM) 7342 __clear_chan_timer(chan); 7343 } 7344 } 7345 7346 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 7347 { 7348 struct l2cap_conn *conn = hcon->l2cap_data; 7349 struct l2cap_chan *chan; 7350 7351 if (!conn) 7352 return; 7353 7354 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt); 7355 7356 mutex_lock(&conn->lock); 7357 7358 list_for_each_entry(chan, &conn->chan_l, list) { 7359 l2cap_chan_lock(chan); 7360 7361 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid, 7362 state_to_string(chan->state)); 7363 7364 if (!status && encrypt) 7365 chan->sec_level = hcon->sec_level; 7366 7367 if (!__l2cap_no_conn_pending(chan)) { 7368 l2cap_chan_unlock(chan); 7369 continue; 7370 } 7371 7372 if (!status && (chan->state == BT_CONNECTED || 7373 chan->state == BT_CONFIG)) { 7374 chan->ops->resume(chan); 7375 l2cap_check_encryption(chan, encrypt); 7376 l2cap_chan_unlock(chan); 7377 continue; 7378 } 7379 7380 if (chan->state == BT_CONNECT) { 7381 if (!status && l2cap_check_enc_key_size(hcon, chan)) 7382 l2cap_start_connection(chan); 7383 else 7384 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 7385 } else if (chan->state == BT_CONNECT2 && 7386 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL || 7387 chan->mode == L2CAP_MODE_LE_FLOWCTL)) { 7388 struct l2cap_conn_rsp rsp; 7389 __u16 res, stat; 7390 7391 if (!status && l2cap_check_enc_key_size(hcon, chan)) { 7392 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 7393 res = L2CAP_CR_PEND; 7394 stat = L2CAP_CS_AUTHOR_PEND; 7395 chan->ops->defer(chan); 7396 } else { 7397 l2cap_state_change(chan, BT_CONFIG); 7398 res = L2CAP_CR_SUCCESS; 7399 stat = L2CAP_CS_NO_INFO; 7400 } 7401 } else { 7402 l2cap_state_change(chan, BT_DISCONN); 7403 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 7404 res = L2CAP_CR_SEC_BLOCK; 7405 stat = L2CAP_CS_NO_INFO; 7406 } 7407 7408 rsp.scid = cpu_to_le16(chan->dcid); 7409 rsp.dcid = cpu_to_le16(chan->scid); 7410 rsp.result = cpu_to_le16(res); 7411 rsp.status = cpu_to_le16(stat); 7412 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, 7413 sizeof(rsp), &rsp); 7414 7415 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) && 7416 res == L2CAP_CR_SUCCESS) { 7417 char buf[128]; 7418 set_bit(CONF_REQ_SENT, &chan->conf_state); 7419 l2cap_send_cmd(conn, l2cap_get_ident(conn), 7420 L2CAP_CONF_REQ, 7421 l2cap_build_conf_req(chan, buf, sizeof(buf)), 7422 buf); 7423 chan->num_conf_req++; 7424 } 7425 } 7426 7427 l2cap_chan_unlock(chan); 7428 } 7429 7430 mutex_unlock(&conn->lock); 7431 } 7432 7433 /* Append fragment into frame respecting the maximum len of rx_skb */ 7434 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb, 7435 u16 len) 7436 { 7437 if (!conn->rx_skb) { 7438 /* Allocate skb for the complete frame (with header) */ 7439 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL); 7440 if (!conn->rx_skb) 7441 return -ENOMEM; 7442 /* Init rx_len */ 7443 conn->rx_len = len; 7444 7445 skb_set_delivery_time(conn->rx_skb, skb->tstamp, 7446 skb->tstamp_type); 7447 } 7448 7449 /* Copy as much as the rx_skb can hold */ 7450 len = min_t(u16, len, skb->len); 7451 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len); 7452 skb_pull(skb, len); 7453 conn->rx_len -= len; 7454 7455 return len; 7456 } 7457 7458 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb) 7459 { 7460 struct sk_buff *rx_skb; 7461 int len; 7462 7463 /* Append just enough to complete the header */ 7464 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len); 7465 7466 /* If header could not be read just continue */ 7467 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE) 7468 return len; 7469 7470 rx_skb = conn->rx_skb; 7471 len = get_unaligned_le16(rx_skb->data); 7472 7473 /* Check if rx_skb has enough space to received all fragments */ 7474 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) { 7475 /* Update expected len */ 7476 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE); 7477 return L2CAP_LEN_SIZE; 7478 } 7479 7480 /* Reset conn->rx_skb since it will need to be reallocated in order to 7481 * fit all fragments. 7482 */ 7483 conn->rx_skb = NULL; 7484 7485 /* Reallocates rx_skb using the exact expected length */ 7486 len = l2cap_recv_frag(conn, rx_skb, 7487 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE)); 7488 kfree_skb(rx_skb); 7489 7490 return len; 7491 } 7492 7493 static void l2cap_recv_reset(struct l2cap_conn *conn) 7494 { 7495 kfree_skb(conn->rx_skb); 7496 conn->rx_skb = NULL; 7497 conn->rx_len = 0; 7498 } 7499 7500 struct l2cap_conn *l2cap_conn_hold_unless_zero(struct l2cap_conn *c) 7501 { 7502 if (!c) 7503 return NULL; 7504 7505 BT_DBG("conn %p orig refcnt %u", c, kref_read(&c->ref)); 7506 7507 if (!kref_get_unless_zero(&c->ref)) 7508 return NULL; 7509 7510 return c; 7511 } 7512 7513 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 7514 { 7515 struct l2cap_conn *conn; 7516 int len; 7517 7518 /* Lock hdev to access l2cap_data to avoid race with l2cap_conn_del */ 7519 hci_dev_lock(hcon->hdev); 7520 7521 conn = hcon->l2cap_data; 7522 7523 if (!conn) 7524 conn = l2cap_conn_add(hcon); 7525 7526 conn = l2cap_conn_hold_unless_zero(conn); 7527 7528 hci_dev_unlock(hcon->hdev); 7529 7530 if (!conn) { 7531 kfree_skb(skb); 7532 return; 7533 } 7534 7535 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags); 7536 7537 mutex_lock(&conn->lock); 7538 7539 switch (flags) { 7540 case ACL_START: 7541 case ACL_START_NO_FLUSH: 7542 case ACL_COMPLETE: 7543 if (conn->rx_skb) { 7544 BT_ERR("Unexpected start frame (len %d)", skb->len); 7545 l2cap_recv_reset(conn); 7546 l2cap_conn_unreliable(conn, ECOMM); 7547 } 7548 7549 /* Start fragment may not contain the L2CAP length so just 7550 * copy the initial byte when that happens and use conn->mtu as 7551 * expected length. 7552 */ 7553 if (skb->len < L2CAP_LEN_SIZE) { 7554 l2cap_recv_frag(conn, skb, conn->mtu); 7555 break; 7556 } 7557 7558 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE; 7559 7560 if (len == skb->len) { 7561 /* Complete frame received */ 7562 l2cap_recv_frame(conn, skb); 7563 goto unlock; 7564 } 7565 7566 BT_DBG("Start: total len %d, frag len %u", len, skb->len); 7567 7568 if (skb->len > len) { 7569 BT_ERR("Frame is too long (len %u, expected len %d)", 7570 skb->len, len); 7571 /* PTS test cases L2CAP/COS/CED/BI-14-C and BI-15-C 7572 * (Multiple Signaling Command in one PDU, Data 7573 * Truncated, BR/EDR) send a C-frame to the IUT with 7574 * PDU Length set to 8 and Channel ID set to the 7575 * correct signaling channel for the logical link. 7576 * The Information payload contains one L2CAP_ECHO_REQ 7577 * packet with Data Length set to 0 with 0 octets of 7578 * echo data and one invalid command packet due to 7579 * data truncated in PDU but present in HCI packet. 7580 * 7581 * Shorter the socket buffer to the PDU length to 7582 * allow to process valid commands from the PDU before 7583 * setting the socket unreliable. 7584 */ 7585 skb->len = len; 7586 l2cap_recv_frame(conn, skb); 7587 l2cap_conn_unreliable(conn, ECOMM); 7588 goto unlock; 7589 } 7590 7591 /* Append fragment into frame (with header) */ 7592 if (l2cap_recv_frag(conn, skb, len) < 0) 7593 goto drop; 7594 7595 break; 7596 7597 case ACL_CONT: 7598 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len); 7599 7600 if (!conn->rx_skb) { 7601 BT_ERR("Unexpected continuation frame (len %d)", skb->len); 7602 l2cap_conn_unreliable(conn, ECOMM); 7603 goto drop; 7604 } 7605 7606 /* Complete the L2CAP length if it has not been read */ 7607 if (conn->rx_skb->len < L2CAP_LEN_SIZE) { 7608 if (l2cap_recv_len(conn, skb) < 0) { 7609 l2cap_conn_unreliable(conn, ECOMM); 7610 goto drop; 7611 } 7612 7613 /* Header still could not be read just continue */ 7614 if (conn->rx_skb->len < L2CAP_LEN_SIZE) 7615 break; 7616 } 7617 7618 if (skb->len > conn->rx_len) { 7619 BT_ERR("Fragment is too long (len %u, expected %u)", 7620 skb->len, conn->rx_len); 7621 l2cap_recv_reset(conn); 7622 l2cap_conn_unreliable(conn, ECOMM); 7623 goto drop; 7624 } 7625 7626 /* Append fragment into frame (with header) */ 7627 l2cap_recv_frag(conn, skb, skb->len); 7628 7629 if (!conn->rx_len) { 7630 /* Complete frame received. l2cap_recv_frame 7631 * takes ownership of the skb so set the global 7632 * rx_skb pointer to NULL first. 7633 */ 7634 struct sk_buff *rx_skb = conn->rx_skb; 7635 conn->rx_skb = NULL; 7636 l2cap_recv_frame(conn, rx_skb); 7637 } 7638 break; 7639 } 7640 7641 drop: 7642 kfree_skb(skb); 7643 unlock: 7644 mutex_unlock(&conn->lock); 7645 l2cap_conn_put(conn); 7646 } 7647 7648 static struct hci_cb l2cap_cb = { 7649 .name = "L2CAP", 7650 .connect_cfm = l2cap_connect_cfm, 7651 .disconn_cfm = l2cap_disconn_cfm, 7652 .security_cfm = l2cap_security_cfm, 7653 }; 7654 7655 static int l2cap_debugfs_show(struct seq_file *f, void *p) 7656 { 7657 struct l2cap_chan *c; 7658 7659 read_lock(&chan_list_lock); 7660 7661 list_for_each_entry(c, &chan_list, global_l) { 7662 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n", 7663 &c->src, c->src_type, &c->dst, c->dst_type, 7664 c->state, __le16_to_cpu(c->psm), 7665 c->scid, c->dcid, c->imtu, c->omtu, 7666 c->sec_level, c->mode); 7667 } 7668 7669 read_unlock(&chan_list_lock); 7670 7671 return 0; 7672 } 7673 7674 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs); 7675 7676 static struct dentry *l2cap_debugfs; 7677 7678 int __init l2cap_init(void) 7679 { 7680 int err; 7681 7682 err = l2cap_init_sockets(); 7683 if (err < 0) 7684 return err; 7685 7686 hci_register_cb(&l2cap_cb); 7687 7688 if (IS_ERR_OR_NULL(bt_debugfs)) 7689 return 0; 7690 7691 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs, 7692 NULL, &l2cap_debugfs_fops); 7693 7694 return 0; 7695 } 7696 7697 void l2cap_exit(void) 7698 { 7699 debugfs_remove(l2cap_debugfs); 7700 hci_unregister_cb(&l2cap_cb); 7701 l2cap_cleanup_sockets(); 7702 } 7703 7704 module_param(disable_ertm, bool, 0644); 7705 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode"); 7706 7707 module_param(enable_ecred, bool, 0644); 7708 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode"); 7709