search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'locks-v3.16-2' of git://git.samba.org/jlayton/linux
[linux/fpc-iii.git] / net / bluetooth / l2cap_core.c
blob6eabbe05fe54fe8ecc39707a05350439d99ce830
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
8
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
14
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
27 */
28
29 /* Bluetooth L2CAP core. */
30
31 #include <linux/module.h>
32
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35
36 #include <net/bluetooth/bluetooth.h>
37 #include <net/bluetooth/hci_core.h>
38 #include <net/bluetooth/l2cap.h>
39
40 #include "smp.h"
41 #include "a2mp.h"
42 #include "amp.h"
43 #include "6lowpan.h"
44
45 #define LE_FLOWCTL_MAX_CREDITS 65535
46
47 bool disable_ertm;
48
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
50 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP | L2CAP_FC_CONNLESS, };
51
52 static LIST_HEAD(chan_list);
53 static DEFINE_RWLOCK(chan_list_lock);
54
55 static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
56 static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
57
58 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
59 u8 code, u8 ident, u16 dlen, void *data);
60 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
61 void *data);
62 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
63 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
64
65 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
66 struct sk_buff_head *skbs, u8 event);
67
68 static inline __u8 bdaddr_type(struct hci_conn *hcon, __u8 type)
69 {
70 if (hcon->type == LE_LINK) {
71 if (type == ADDR_LE_DEV_PUBLIC)
72 return BDADDR_LE_PUBLIC;
73 else
74 return BDADDR_LE_RANDOM;
75 }
76
77 return BDADDR_BREDR;
78 }
79
80 /* ---- L2CAP channels ---- */
81
82 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
83 u16 cid)
84 {
85 struct l2cap_chan *c;
86
87 list_for_each_entry(c, &conn->chan_l, list) {
88 if (c->dcid == cid)
89 return c;
90 }
91 return NULL;
92 }
93
94 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
95 u16 cid)
96 {
97 struct l2cap_chan *c;
98
99 list_for_each_entry(c, &conn->chan_l, list) {
100 if (c->scid == cid)
101 return c;
102 }
103 return NULL;
104 }
105
106 /* Find channel with given SCID.
107 * Returns locked channel. */
108 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
109 u16 cid)
110 {
111 struct l2cap_chan *c;
112
113 mutex_lock(&conn->chan_lock);
114 c = __l2cap_get_chan_by_scid(conn, cid);
115 if (c)
116 l2cap_chan_lock(c);
117 mutex_unlock(&conn->chan_lock);
118
119 return c;
120 }
121
122 /* Find channel with given DCID.
123 * Returns locked channel.
124 */
125 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
126 u16 cid)
127 {
128 struct l2cap_chan *c;
129
130 mutex_lock(&conn->chan_lock);
131 c = __l2cap_get_chan_by_dcid(conn, cid);
132 if (c)
133 l2cap_chan_lock(c);
134 mutex_unlock(&conn->chan_lock);
135
136 return c;
137 }
138
139 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
140 u8 ident)
141 {
142 struct l2cap_chan *c;
143
144 list_for_each_entry(c, &conn->chan_l, list) {
145 if (c->ident == ident)
146 return c;
147 }
148 return NULL;
149 }
150
151 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
152 u8 ident)
153 {
154 struct l2cap_chan *c;
155
156 mutex_lock(&conn->chan_lock);
157 c = __l2cap_get_chan_by_ident(conn, ident);
158 if (c)
159 l2cap_chan_lock(c);
160 mutex_unlock(&conn->chan_lock);
161
162 return c;
163 }
164
165 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
166 {
167 struct l2cap_chan *c;
168
169 list_for_each_entry(c, &chan_list, global_l) {
170 if (c->sport == psm && !bacmp(&c->src, src))
171 return c;
172 }
173 return NULL;
174 }
175
176 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
177 {
178 int err;
179
180 write_lock(&chan_list_lock);
181
182 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
183 err = -EADDRINUSE;
184 goto done;
185 }
186
187 if (psm) {
188 chan->psm = psm;
189 chan->sport = psm;
190 err = 0;
191 } else {
192 u16 p;
193
194 err = -EINVAL;
195 for (p = 0x1001; p < 0x1100; p += 2)
196 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
197 chan->psm = cpu_to_le16(p);
198 chan->sport = cpu_to_le16(p);
199 err = 0;
200 break;
201 }
202 }
203
204 done:
205 write_unlock(&chan_list_lock);
206 return err;
207 }
208
209 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
210 {
211 write_lock(&chan_list_lock);
212
213 chan->scid = scid;
214
215 write_unlock(&chan_list_lock);
216
217 return 0;
218 }
219
220 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
221 {
222 u16 cid, dyn_end;
223
224 if (conn->hcon->type == LE_LINK)
225 dyn_end = L2CAP_CID_LE_DYN_END;
226 else
227 dyn_end = L2CAP_CID_DYN_END;
228
229 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
230 if (!__l2cap_get_chan_by_scid(conn, cid))
231 return cid;
232 }
233
234 return 0;
235 }
236
237 static void l2cap_state_change(struct l2cap_chan *chan, int state)
238 {
239 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
240 state_to_string(state));
241
242 chan->state = state;
243 chan->ops->state_change(chan, state, 0);
244 }
245
246 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
247 int state, int err)
248 {
249 chan->state = state;
250 chan->ops->state_change(chan, chan->state, err);
251 }
252
253 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
254 {
255 chan->ops->state_change(chan, chan->state, err);
256 }
257
258 static void __set_retrans_timer(struct l2cap_chan *chan)
259 {
260 if (!delayed_work_pending(&chan->monitor_timer) &&
261 chan->retrans_timeout) {
262 l2cap_set_timer(chan, &chan->retrans_timer,
263 msecs_to_jiffies(chan->retrans_timeout));
264 }
265 }
266
267 static void __set_monitor_timer(struct l2cap_chan *chan)
268 {
269 __clear_retrans_timer(chan);
270 if (chan->monitor_timeout) {
271 l2cap_set_timer(chan, &chan->monitor_timer,
272 msecs_to_jiffies(chan->monitor_timeout));
273 }
274 }
275
276 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
277 u16 seq)
278 {
279 struct sk_buff *skb;
280
281 skb_queue_walk(head, skb) {
282 if (bt_cb(skb)->control.txseq == seq)
283 return skb;
284 }
285
286 return NULL;
287 }
288
289 /* ---- L2CAP sequence number lists ---- */
290
291 /* For ERTM, ordered lists of sequence numbers must be tracked for
292 * SREJ requests that are received and for frames that are to be
293 * retransmitted. These seq_list functions implement a singly-linked
294 * list in an array, where membership in the list can also be checked
295 * in constant time. Items can also be added to the tail of the list
296 * and removed from the head in constant time, without further memory
297 * allocs or frees.
298 */
299
300 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
301 {
302 size_t alloc_size, i;
303
304 /* Allocated size is a power of 2 to map sequence numbers
305 * (which may be up to 14 bits) in to a smaller array that is
306 * sized for the negotiated ERTM transmit windows.
307 */
308 alloc_size = roundup_pow_of_two(size);
309
310 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
311 if (!seq_list->list)
312 return -ENOMEM;
313
314 seq_list->mask = alloc_size - 1;
315 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
316 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
317 for (i = 0; i < alloc_size; i++)
318 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
319
320 return 0;
321 }
322
323 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
324 {
325 kfree(seq_list->list);
326 }
327
328 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
329 u16 seq)
330 {
331 /* Constant-time check for list membership */
332 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
333 }
334
335 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
336 {
337 u16 seq = seq_list->head;
338 u16 mask = seq_list->mask;
339
340 seq_list->head = seq_list->list[seq & mask];
341 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
342
343 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
346 }
347
348 return seq;
349 }
350
351 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
352 {
353 u16 i;
354
355 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
356 return;
357
358 for (i = 0; i <= seq_list->mask; i++)
359 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
360
361 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
362 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
363 }
364
365 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
366 {
367 u16 mask = seq_list->mask;
368
369 /* All appends happen in constant time */
370
371 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
372 return;
373
374 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
375 seq_list->head = seq;
376 else
377 seq_list->list[seq_list->tail & mask] = seq;
378
379 seq_list->tail = seq;
380 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
381 }
382
383 static void l2cap_chan_timeout(struct work_struct *work)
384 {
385 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
386 chan_timer.work);
387 struct l2cap_conn *conn = chan->conn;
388 int reason;
389
390 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
391
392 mutex_lock(&conn->chan_lock);
393 l2cap_chan_lock(chan);
394
395 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
396 reason = ECONNREFUSED;
397 else if (chan->state == BT_CONNECT &&
398 chan->sec_level != BT_SECURITY_SDP)
399 reason = ECONNREFUSED;
400 else
401 reason = ETIMEDOUT;
402
403 l2cap_chan_close(chan, reason);
404
405 l2cap_chan_unlock(chan);
406
407 chan->ops->close(chan);
408 mutex_unlock(&conn->chan_lock);
409
410 l2cap_chan_put(chan);
411 }
412
413 struct l2cap_chan *l2cap_chan_create(void)
414 {
415 struct l2cap_chan *chan;
416
417 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
418 if (!chan)
419 return NULL;
420
421 mutex_init(&chan->lock);
422
423 write_lock(&chan_list_lock);
424 list_add(&chan->global_l, &chan_list);
425 write_unlock(&chan_list_lock);
426
427 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
428
429 chan->state = BT_OPEN;
430
431 kref_init(&chan->kref);
432
433 /* This flag is cleared in l2cap_chan_ready() */
434 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
435
436 BT_DBG("chan %p", chan);
437
438 return chan;
439 }
440
441 static void l2cap_chan_destroy(struct kref *kref)
442 {
443 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
444
445 BT_DBG("chan %p", chan);
446
447 write_lock(&chan_list_lock);
448 list_del(&chan->global_l);
449 write_unlock(&chan_list_lock);
450
451 kfree(chan);
452 }
453
454 void l2cap_chan_hold(struct l2cap_chan *c)
455 {
456 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
457
458 kref_get(&c->kref);
459 }
460
461 void l2cap_chan_put(struct l2cap_chan *c)
462 {
463 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
464
465 kref_put(&c->kref, l2cap_chan_destroy);
466 }
467
468 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
469 {
470 chan->fcs = L2CAP_FCS_CRC16;
471 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
472 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
473 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
474 chan->remote_max_tx = chan->max_tx;
475 chan->remote_tx_win = chan->tx_win;
476 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
477 chan->sec_level = BT_SECURITY_LOW;
478 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
479 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
480 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
481 chan->conf_state = 0;
482
483 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
484 }
485
486 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
487 {
488 chan->sdu = NULL;
489 chan->sdu_last_frag = NULL;
490 chan->sdu_len = 0;
491 chan->tx_credits = 0;
492 chan->rx_credits = le_max_credits;
493 chan->mps = min_t(u16, chan->imtu, le_default_mps);
494
495 skb_queue_head_init(&chan->tx_q);
496 }
497
498 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
499 {
500 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
501 __le16_to_cpu(chan->psm), chan->dcid);
502
503 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
504
505 chan->conn = conn;
506
507 switch (chan->chan_type) {
508 case L2CAP_CHAN_CONN_ORIENTED:
509 /* Alloc CID for connection-oriented socket */
510 chan->scid = l2cap_alloc_cid(conn);
511 if (conn->hcon->type == ACL_LINK)
512 chan->omtu = L2CAP_DEFAULT_MTU;
513 break;
514
515 case L2CAP_CHAN_CONN_LESS:
516 /* Connectionless socket */
517 chan->scid = L2CAP_CID_CONN_LESS;
518 chan->dcid = L2CAP_CID_CONN_LESS;
519 chan->omtu = L2CAP_DEFAULT_MTU;
520 break;
521
522 case L2CAP_CHAN_FIXED:
523 /* Caller will set CID and CID specific MTU values */
524 break;
525
526 default:
527 /* Raw socket can send/recv signalling messages only */
528 chan->scid = L2CAP_CID_SIGNALING;
529 chan->dcid = L2CAP_CID_SIGNALING;
530 chan->omtu = L2CAP_DEFAULT_MTU;
531 }
532
533 chan->local_id = L2CAP_BESTEFFORT_ID;
534 chan->local_stype = L2CAP_SERV_BESTEFFORT;
535 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
536 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
537 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
538 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
539
540 l2cap_chan_hold(chan);
541
542 hci_conn_hold(conn->hcon);
543
544 list_add(&chan->list, &conn->chan_l);
545 }
546
547 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
548 {
549 mutex_lock(&conn->chan_lock);
550 __l2cap_chan_add(conn, chan);
551 mutex_unlock(&conn->chan_lock);
552 }
553
554 void l2cap_chan_del(struct l2cap_chan *chan, int err)
555 {
556 struct l2cap_conn *conn = chan->conn;
557
558 __clear_chan_timer(chan);
559
560 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
561
562 if (conn) {
563 struct amp_mgr *mgr = conn->hcon->amp_mgr;
564 /* Delete from channel list */
565 list_del(&chan->list);
566
567 l2cap_chan_put(chan);
568
569 chan->conn = NULL;
570
571 if (chan->scid != L2CAP_CID_A2MP)
572 hci_conn_drop(conn->hcon);
573
574 if (mgr && mgr->bredr_chan == chan)
575 mgr->bredr_chan = NULL;
576 }
577
578 if (chan->hs_hchan) {
579 struct hci_chan *hs_hchan = chan->hs_hchan;
580
581 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
582 amp_disconnect_logical_link(hs_hchan);
583 }
584
585 chan->ops->teardown(chan, err);
586
587 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
588 return;
589
590 switch(chan->mode) {
591 case L2CAP_MODE_BASIC:
592 break;
593
594 case L2CAP_MODE_LE_FLOWCTL:
595 skb_queue_purge(&chan->tx_q);
596 break;
597
598 case L2CAP_MODE_ERTM:
599 __clear_retrans_timer(chan);
600 __clear_monitor_timer(chan);
601 __clear_ack_timer(chan);
602
603 skb_queue_purge(&chan->srej_q);
604
605 l2cap_seq_list_free(&chan->srej_list);
606 l2cap_seq_list_free(&chan->retrans_list);
607
608 /* fall through */
609
610 case L2CAP_MODE_STREAMING:
611 skb_queue_purge(&chan->tx_q);
612 break;
613 }
614
615 return;
616 }
617
618 void l2cap_conn_update_id_addr(struct hci_conn *hcon)
619 {
620 struct l2cap_conn *conn = hcon->l2cap_data;
621 struct l2cap_chan *chan;
622
623 mutex_lock(&conn->chan_lock);
624
625 list_for_each_entry(chan, &conn->chan_l, list) {
626 l2cap_chan_lock(chan);
627 bacpy(&chan->dst, &hcon->dst);
628 chan->dst_type = bdaddr_type(hcon, hcon->dst_type);
629 l2cap_chan_unlock(chan);
630 }
631
632 mutex_unlock(&conn->chan_lock);
633 }
634
635 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
636 {
637 struct l2cap_conn *conn = chan->conn;
638 struct l2cap_le_conn_rsp rsp;
639 u16 result;
640
641 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
642 result = L2CAP_CR_AUTHORIZATION;
643 else
644 result = L2CAP_CR_BAD_PSM;
645
646 l2cap_state_change(chan, BT_DISCONN);
647
648 rsp.dcid = cpu_to_le16(chan->scid);
649 rsp.mtu = cpu_to_le16(chan->imtu);
650 rsp.mps = cpu_to_le16(chan->mps);
651 rsp.credits = cpu_to_le16(chan->rx_credits);
652 rsp.result = cpu_to_le16(result);
653
654 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
655 &rsp);
656 }
657
658 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
659 {
660 struct l2cap_conn *conn = chan->conn;
661 struct l2cap_conn_rsp rsp;
662 u16 result;
663
664 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
665 result = L2CAP_CR_SEC_BLOCK;
666 else
667 result = L2CAP_CR_BAD_PSM;
668
669 l2cap_state_change(chan, BT_DISCONN);
670
671 rsp.scid = cpu_to_le16(chan->dcid);
672 rsp.dcid = cpu_to_le16(chan->scid);
673 rsp.result = cpu_to_le16(result);
674 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
675
676 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
677 }
678
679 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
680 {
681 struct l2cap_conn *conn = chan->conn;
682
683 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
684
685 switch (chan->state) {
686 case BT_LISTEN:
687 chan->ops->teardown(chan, 0);
688 break;
689
690 case BT_CONNECTED:
691 case BT_CONFIG:
692 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
693 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
694 l2cap_send_disconn_req(chan, reason);
695 } else
696 l2cap_chan_del(chan, reason);
697 break;
698
699 case BT_CONNECT2:
700 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
701 if (conn->hcon->type == ACL_LINK)
702 l2cap_chan_connect_reject(chan);
703 else if (conn->hcon->type == LE_LINK)
704 l2cap_chan_le_connect_reject(chan);
705 }
706
707 l2cap_chan_del(chan, reason);
708 break;
709
710 case BT_CONNECT:
711 case BT_DISCONN:
712 l2cap_chan_del(chan, reason);
713 break;
714
715 default:
716 chan->ops->teardown(chan, 0);
717 break;
718 }
719 }
720
721 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
722 {
723 switch (chan->chan_type) {
724 case L2CAP_CHAN_RAW:
725 switch (chan->sec_level) {
726 case BT_SECURITY_HIGH:
727 case BT_SECURITY_FIPS:
728 return HCI_AT_DEDICATED_BONDING_MITM;
729 case BT_SECURITY_MEDIUM:
730 return HCI_AT_DEDICATED_BONDING;
731 default:
732 return HCI_AT_NO_BONDING;
733 }
734 break;
735 case L2CAP_CHAN_CONN_LESS:
736 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
737 if (chan->sec_level == BT_SECURITY_LOW)
738 chan->sec_level = BT_SECURITY_SDP;
739 }
740 if (chan->sec_level == BT_SECURITY_HIGH ||
741 chan->sec_level == BT_SECURITY_FIPS)
742 return HCI_AT_NO_BONDING_MITM;
743 else
744 return HCI_AT_NO_BONDING;
745 break;
746 case L2CAP_CHAN_CONN_ORIENTED:
747 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
748 if (chan->sec_level == BT_SECURITY_LOW)
749 chan->sec_level = BT_SECURITY_SDP;
750
751 if (chan->sec_level == BT_SECURITY_HIGH ||
752 chan->sec_level == BT_SECURITY_FIPS)
753 return HCI_AT_NO_BONDING_MITM;
754 else
755 return HCI_AT_NO_BONDING;
756 }
757 /* fall through */
758 default:
759 switch (chan->sec_level) {
760 case BT_SECURITY_HIGH:
761 case BT_SECURITY_FIPS:
762 return HCI_AT_GENERAL_BONDING_MITM;
763 case BT_SECURITY_MEDIUM:
764 return HCI_AT_GENERAL_BONDING;
765 default:
766 return HCI_AT_NO_BONDING;
767 }
768 break;
769 }
770 }
771
772 /* Service level security */
773 int l2cap_chan_check_security(struct l2cap_chan *chan)
774 {
775 struct l2cap_conn *conn = chan->conn;
776 __u8 auth_type;
777
778 if (conn->hcon->type == LE_LINK)
779 return smp_conn_security(conn->hcon, chan->sec_level);
780
781 auth_type = l2cap_get_auth_type(chan);
782
783 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
784 }
785
786 static u8 l2cap_get_ident(struct l2cap_conn *conn)
787 {
788 u8 id;
789
790 /* Get next available identificator.
791 * 1 - 128 are used by kernel.
792 * 129 - 199 are reserved.
793 * 200 - 254 are used by utilities like l2ping, etc.
794 */
795
796 spin_lock(&conn->lock);
797
798 if (++conn->tx_ident > 128)
799 conn->tx_ident = 1;
800
801 id = conn->tx_ident;
802
803 spin_unlock(&conn->lock);
804
805 return id;
806 }
807
808 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
809 void *data)
810 {
811 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
812 u8 flags;
813
814 BT_DBG("code 0x%2.2x", code);
815
816 if (!skb)
817 return;
818
819 if (lmp_no_flush_capable(conn->hcon->hdev))
820 flags = ACL_START_NO_FLUSH;
821 else
822 flags = ACL_START;
823
824 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
825 skb->priority = HCI_PRIO_MAX;
826
827 hci_send_acl(conn->hchan, skb, flags);
828 }
829
830 static bool __chan_is_moving(struct l2cap_chan *chan)
831 {
832 return chan->move_state != L2CAP_MOVE_STABLE &&
833 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
834 }
835
836 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
837 {
838 struct hci_conn *hcon = chan->conn->hcon;
839 u16 flags;
840
841 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
842 skb->priority);
843
844 if (chan->hs_hcon && !__chan_is_moving(chan)) {
845 if (chan->hs_hchan)
846 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
847 else
848 kfree_skb(skb);
849
850 return;
851 }
852
853 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
854 lmp_no_flush_capable(hcon->hdev))
855 flags = ACL_START_NO_FLUSH;
856 else
857 flags = ACL_START;
858
859 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
860 hci_send_acl(chan->conn->hchan, skb, flags);
861 }
862
863 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
864 {
865 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
866 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
867
868 if (enh & L2CAP_CTRL_FRAME_TYPE) {
869 /* S-Frame */
870 control->sframe = 1;
871 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
872 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
873
874 control->sar = 0;
875 control->txseq = 0;
876 } else {
877 /* I-Frame */
878 control->sframe = 0;
879 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
880 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
881
882 control->poll = 0;
883 control->super = 0;
884 }
885 }
886
887 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
888 {
889 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
890 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
891
892 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
893 /* S-Frame */
894 control->sframe = 1;
895 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
896 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
897
898 control->sar = 0;
899 control->txseq = 0;
900 } else {
901 /* I-Frame */
902 control->sframe = 0;
903 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
904 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
905
906 control->poll = 0;
907 control->super = 0;
908 }
909 }
910
911 static inline void __unpack_control(struct l2cap_chan *chan,
912 struct sk_buff *skb)
913 {
914 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
915 __unpack_extended_control(get_unaligned_le32(skb->data),
916 &bt_cb(skb)->control);
917 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
918 } else {
919 __unpack_enhanced_control(get_unaligned_le16(skb->data),
920 &bt_cb(skb)->control);
921 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
922 }
923 }
924
925 static u32 __pack_extended_control(struct l2cap_ctrl *control)
926 {
927 u32 packed;
928
929 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
930 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
931
932 if (control->sframe) {
933 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
934 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
935 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
936 } else {
937 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
938 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
939 }
940
941 return packed;
942 }
943
944 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
945 {
946 u16 packed;
947
948 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
949 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
950
951 if (control->sframe) {
952 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
953 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
954 packed |= L2CAP_CTRL_FRAME_TYPE;
955 } else {
956 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
957 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
958 }
959
960 return packed;
961 }
962
963 static inline void __pack_control(struct l2cap_chan *chan,
964 struct l2cap_ctrl *control,
965 struct sk_buff *skb)
966 {
967 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
968 put_unaligned_le32(__pack_extended_control(control),
969 skb->data + L2CAP_HDR_SIZE);
970 } else {
971 put_unaligned_le16(__pack_enhanced_control(control),
972 skb->data + L2CAP_HDR_SIZE);
973 }
974 }
975
976 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
977 {
978 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
979 return L2CAP_EXT_HDR_SIZE;
980 else
981 return L2CAP_ENH_HDR_SIZE;
982 }
983
984 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
985 u32 control)
986 {
987 struct sk_buff *skb;
988 struct l2cap_hdr *lh;
989 int hlen = __ertm_hdr_size(chan);
990
991 if (chan->fcs == L2CAP_FCS_CRC16)
992 hlen += L2CAP_FCS_SIZE;
993
994 skb = bt_skb_alloc(hlen, GFP_KERNEL);
995
996 if (!skb)
997 return ERR_PTR(-ENOMEM);
998
999 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1000 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1001 lh->cid = cpu_to_le16(chan->dcid);
1002
1003 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1004 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1005 else
1006 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1007
1008 if (chan->fcs == L2CAP_FCS_CRC16) {
1009 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1010 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1011 }
1012
1013 skb->priority = HCI_PRIO_MAX;
1014 return skb;
1015 }
1016
1017 static void l2cap_send_sframe(struct l2cap_chan *chan,
1018 struct l2cap_ctrl *control)
1019 {
1020 struct sk_buff *skb;
1021 u32 control_field;
1022
1023 BT_DBG("chan %p, control %p", chan, control);
1024
1025 if (!control->sframe)
1026 return;
1027
1028 if (__chan_is_moving(chan))
1029 return;
1030
1031 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1032 !control->poll)
1033 control->final = 1;
1034
1035 if (control->super == L2CAP_SUPER_RR)
1036 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1037 else if (control->super == L2CAP_SUPER_RNR)
1038 set_bit(CONN_RNR_SENT, &chan->conn_state);
1039
1040 if (control->super != L2CAP_SUPER_SREJ) {
1041 chan->last_acked_seq = control->reqseq;
1042 __clear_ack_timer(chan);
1043 }
1044
1045 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1046 control->final, control->poll, control->super);
1047
1048 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1049 control_field = __pack_extended_control(control);
1050 else
1051 control_field = __pack_enhanced_control(control);
1052
1053 skb = l2cap_create_sframe_pdu(chan, control_field);
1054 if (!IS_ERR(skb))
1055 l2cap_do_send(chan, skb);
1056 }
1057
1058 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1059 {
1060 struct l2cap_ctrl control;
1061
1062 BT_DBG("chan %p, poll %d", chan, poll);
1063
1064 memset(&control, 0, sizeof(control));
1065 control.sframe = 1;
1066 control.poll = poll;
1067
1068 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1069 control.super = L2CAP_SUPER_RNR;
1070 else
1071 control.super = L2CAP_SUPER_RR;
1072
1073 control.reqseq = chan->buffer_seq;
1074 l2cap_send_sframe(chan, &control);
1075 }
1076
1077 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1078 {
1079 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1080 }
1081
1082 static bool __amp_capable(struct l2cap_chan *chan)
1083 {
1084 struct l2cap_conn *conn = chan->conn;
1085 struct hci_dev *hdev;
1086 bool amp_available = false;
1087
1088 if (!conn->hs_enabled)
1089 return false;
1090
1091 if (!(conn->fixed_chan_mask & L2CAP_FC_A2MP))
1092 return false;
1093
1094 read_lock(&hci_dev_list_lock);
1095 list_for_each_entry(hdev, &hci_dev_list, list) {
1096 if (hdev->amp_type != AMP_TYPE_BREDR &&
1097 test_bit(HCI_UP, &hdev->flags)) {
1098 amp_available = true;
1099 break;
1100 }
1101 }
1102 read_unlock(&hci_dev_list_lock);
1103
1104 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1105 return amp_available;
1106
1107 return false;
1108 }
1109
1110 static bool l2cap_check_efs(struct l2cap_chan *chan)
1111 {
1112 /* Check EFS parameters */
1113 return true;
1114 }
1115
1116 void l2cap_send_conn_req(struct l2cap_chan *chan)
1117 {
1118 struct l2cap_conn *conn = chan->conn;
1119 struct l2cap_conn_req req;
1120
1121 req.scid = cpu_to_le16(chan->scid);
1122 req.psm = chan->psm;
1123
1124 chan->ident = l2cap_get_ident(conn);
1125
1126 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1127
1128 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1129 }
1130
1131 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1132 {
1133 struct l2cap_create_chan_req req;
1134 req.scid = cpu_to_le16(chan->scid);
1135 req.psm = chan->psm;
1136 req.amp_id = amp_id;
1137
1138 chan->ident = l2cap_get_ident(chan->conn);
1139
1140 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1141 sizeof(req), &req);
1142 }
1143
1144 static void l2cap_move_setup(struct l2cap_chan *chan)
1145 {
1146 struct sk_buff *skb;
1147
1148 BT_DBG("chan %p", chan);
1149
1150 if (chan->mode != L2CAP_MODE_ERTM)
1151 return;
1152
1153 __clear_retrans_timer(chan);
1154 __clear_monitor_timer(chan);
1155 __clear_ack_timer(chan);
1156
1157 chan->retry_count = 0;
1158 skb_queue_walk(&chan->tx_q, skb) {
1159 if (bt_cb(skb)->control.retries)
1160 bt_cb(skb)->control.retries = 1;
1161 else
1162 break;
1163 }
1164
1165 chan->expected_tx_seq = chan->buffer_seq;
1166
1167 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1168 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1169 l2cap_seq_list_clear(&chan->retrans_list);
1170 l2cap_seq_list_clear(&chan->srej_list);
1171 skb_queue_purge(&chan->srej_q);
1172
1173 chan->tx_state = L2CAP_TX_STATE_XMIT;
1174 chan->rx_state = L2CAP_RX_STATE_MOVE;
1175
1176 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1177 }
1178
1179 static void l2cap_move_done(struct l2cap_chan *chan)
1180 {
1181 u8 move_role = chan->move_role;
1182 BT_DBG("chan %p", chan);
1183
1184 chan->move_state = L2CAP_MOVE_STABLE;
1185 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1186
1187 if (chan->mode != L2CAP_MODE_ERTM)
1188 return;
1189
1190 switch (move_role) {
1191 case L2CAP_MOVE_ROLE_INITIATOR:
1192 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1193 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1194 break;
1195 case L2CAP_MOVE_ROLE_RESPONDER:
1196 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1197 break;
1198 }
1199 }
1200
1201 static void l2cap_chan_ready(struct l2cap_chan *chan)
1202 {
1203 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1204 chan->conf_state = 0;
1205 __clear_chan_timer(chan);
1206
1207 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1208 chan->ops->suspend(chan);
1209
1210 chan->state = BT_CONNECTED;
1211
1212 chan->ops->ready(chan);
1213 }
1214
1215 static void l2cap_le_connect(struct l2cap_chan *chan)
1216 {
1217 struct l2cap_conn *conn = chan->conn;
1218 struct l2cap_le_conn_req req;
1219
1220 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1221 return;
1222
1223 req.psm = chan->psm;
1224 req.scid = cpu_to_le16(chan->scid);
1225 req.mtu = cpu_to_le16(chan->imtu);
1226 req.mps = cpu_to_le16(chan->mps);
1227 req.credits = cpu_to_le16(chan->rx_credits);
1228
1229 chan->ident = l2cap_get_ident(conn);
1230
1231 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1232 sizeof(req), &req);
1233 }
1234
1235 static void l2cap_le_start(struct l2cap_chan *chan)
1236 {
1237 struct l2cap_conn *conn = chan->conn;
1238
1239 if (!smp_conn_security(conn->hcon, chan->sec_level))
1240 return;
1241
1242 if (!chan->psm) {
1243 l2cap_chan_ready(chan);
1244 return;
1245 }
1246
1247 if (chan->state == BT_CONNECT)
1248 l2cap_le_connect(chan);
1249 }
1250
1251 static void l2cap_start_connection(struct l2cap_chan *chan)
1252 {
1253 if (__amp_capable(chan)) {
1254 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1255 a2mp_discover_amp(chan);
1256 } else if (chan->conn->hcon->type == LE_LINK) {
1257 l2cap_le_start(chan);
1258 } else {
1259 l2cap_send_conn_req(chan);
1260 }
1261 }
1262
1263 static void l2cap_do_start(struct l2cap_chan *chan)
1264 {
1265 struct l2cap_conn *conn = chan->conn;
1266
1267 if (conn->hcon->type == LE_LINK) {
1268 l2cap_le_start(chan);
1269 return;
1270 }
1271
1272 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
1273 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1274 return;
1275
1276 if (l2cap_chan_check_security(chan) &&
1277 __l2cap_no_conn_pending(chan)) {
1278 l2cap_start_connection(chan);
1279 }
1280 } else {
1281 struct l2cap_info_req req;
1282 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1283
1284 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1285 conn->info_ident = l2cap_get_ident(conn);
1286
1287 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1288
1289 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1290 sizeof(req), &req);
1291 }
1292 }
1293
1294 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1295 {
1296 u32 local_feat_mask = l2cap_feat_mask;
1297 if (!disable_ertm)
1298 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1299
1300 switch (mode) {
1301 case L2CAP_MODE_ERTM:
1302 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1303 case L2CAP_MODE_STREAMING:
1304 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1305 default:
1306 return 0x00;
1307 }
1308 }
1309
1310 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1311 {
1312 struct l2cap_conn *conn = chan->conn;
1313 struct l2cap_disconn_req req;
1314
1315 if (!conn)
1316 return;
1317
1318 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1319 __clear_retrans_timer(chan);
1320 __clear_monitor_timer(chan);
1321 __clear_ack_timer(chan);
1322 }
1323
1324 if (chan->scid == L2CAP_CID_A2MP) {
1325 l2cap_state_change(chan, BT_DISCONN);
1326 return;
1327 }
1328
1329 req.dcid = cpu_to_le16(chan->dcid);
1330 req.scid = cpu_to_le16(chan->scid);
1331 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1332 sizeof(req), &req);
1333
1334 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1335 }
1336
1337 /* ---- L2CAP connections ---- */
1338 static void l2cap_conn_start(struct l2cap_conn *conn)
1339 {
1340 struct l2cap_chan *chan, *tmp;
1341
1342 BT_DBG("conn %p", conn);
1343
1344 mutex_lock(&conn->chan_lock);
1345
1346 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1347 l2cap_chan_lock(chan);
1348
1349 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1350 l2cap_chan_unlock(chan);
1351 continue;
1352 }
1353
1354 if (chan->state == BT_CONNECT) {
1355 if (!l2cap_chan_check_security(chan) ||
1356 !__l2cap_no_conn_pending(chan)) {
1357 l2cap_chan_unlock(chan);
1358 continue;
1359 }
1360
1361 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1362 && test_bit(CONF_STATE2_DEVICE,
1363 &chan->conf_state)) {
1364 l2cap_chan_close(chan, ECONNRESET);
1365 l2cap_chan_unlock(chan);
1366 continue;
1367 }
1368
1369 l2cap_start_connection(chan);
1370
1371 } else if (chan->state == BT_CONNECT2) {
1372 struct l2cap_conn_rsp rsp;
1373 char buf[128];
1374 rsp.scid = cpu_to_le16(chan->dcid);
1375 rsp.dcid = cpu_to_le16(chan->scid);
1376
1377 if (l2cap_chan_check_security(chan)) {
1378 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1379 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1380 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1381 chan->ops->defer(chan);
1382
1383 } else {
1384 l2cap_state_change(chan, BT_CONFIG);
1385 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1386 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1387 }
1388 } else {
1389 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1390 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1391 }
1392
1393 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1394 sizeof(rsp), &rsp);
1395
1396 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1397 rsp.result != L2CAP_CR_SUCCESS) {
1398 l2cap_chan_unlock(chan);
1399 continue;
1400 }
1401
1402 set_bit(CONF_REQ_SENT, &chan->conf_state);
1403 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1404 l2cap_build_conf_req(chan, buf), buf);
1405 chan->num_conf_req++;
1406 }
1407
1408 l2cap_chan_unlock(chan);
1409 }
1410
1411 mutex_unlock(&conn->chan_lock);
1412 }
1413
1414 /* Find socket with cid and source/destination bdaddr.
1415 * Returns closest match, locked.
1416 */
1417 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1418 bdaddr_t *src,
1419 bdaddr_t *dst)
1420 {
1421 struct l2cap_chan *c, *c1 = NULL;
1422
1423 read_lock(&chan_list_lock);
1424
1425 list_for_each_entry(c, &chan_list, global_l) {
1426 if (state && c->state != state)
1427 continue;
1428
1429 if (c->scid == cid) {
1430 int src_match, dst_match;
1431 int src_any, dst_any;
1432
1433 /* Exact match. */
1434 src_match = !bacmp(&c->src, src);
1435 dst_match = !bacmp(&c->dst, dst);
1436 if (src_match && dst_match) {
1437 read_unlock(&chan_list_lock);
1438 return c;
1439 }
1440
1441 /* Closest match */
1442 src_any = !bacmp(&c->src, BDADDR_ANY);
1443 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1444 if ((src_match && dst_any) || (src_any && dst_match) ||
1445 (src_any && dst_any))
1446 c1 = c;
1447 }
1448 }
1449
1450 read_unlock(&chan_list_lock);
1451
1452 return c1;
1453 }
1454
1455 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1456 {
1457 struct hci_conn *hcon = conn->hcon;
1458 struct l2cap_chan *chan, *pchan;
1459 u8 dst_type;
1460
1461 BT_DBG("");
1462
1463 bt_6lowpan_add_conn(conn);
1464
1465 /* Check if we have socket listening on cid */
1466 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
1467 &hcon->src, &hcon->dst);
1468 if (!pchan)
1469 return;
1470
1471 /* Client ATT sockets should override the server one */
1472 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1473 return;
1474
1475 dst_type = bdaddr_type(hcon, hcon->dst_type);
1476
1477 /* If device is blocked, do not create a channel for it */
1478 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, dst_type))
1479 return;
1480
1481 l2cap_chan_lock(pchan);
1482
1483 chan = pchan->ops->new_connection(pchan);
1484 if (!chan)
1485 goto clean;
1486
1487 bacpy(&chan->src, &hcon->src);
1488 bacpy(&chan->dst, &hcon->dst);
1489 chan->src_type = bdaddr_type(hcon, hcon->src_type);
1490 chan->dst_type = dst_type;
1491
1492 __l2cap_chan_add(conn, chan);
1493
1494 clean:
1495 l2cap_chan_unlock(pchan);
1496 }
1497
1498 static void l2cap_conn_ready(struct l2cap_conn *conn)
1499 {
1500 struct l2cap_chan *chan;
1501 struct hci_conn *hcon = conn->hcon;
1502
1503 BT_DBG("conn %p", conn);
1504
1505 /* For outgoing pairing which doesn't necessarily have an
1506 * associated socket (e.g. mgmt_pair_device).
1507 */
1508 if (hcon->out && hcon->type == LE_LINK)
1509 smp_conn_security(hcon, hcon->pending_sec_level);
1510
1511 mutex_lock(&conn->chan_lock);
1512
1513 if (hcon->type == LE_LINK)
1514 l2cap_le_conn_ready(conn);
1515
1516 list_for_each_entry(chan, &conn->chan_l, list) {
1517
1518 l2cap_chan_lock(chan);
1519
1520 if (chan->scid == L2CAP_CID_A2MP) {
1521 l2cap_chan_unlock(chan);
1522 continue;
1523 }
1524
1525 if (hcon->type == LE_LINK) {
1526 l2cap_le_start(chan);
1527 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1528 l2cap_chan_ready(chan);
1529
1530 } else if (chan->state == BT_CONNECT) {
1531 l2cap_do_start(chan);
1532 }
1533
1534 l2cap_chan_unlock(chan);
1535 }
1536
1537 mutex_unlock(&conn->chan_lock);
1538
1539 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1540 }
1541
1542 /* Notify sockets that we cannot guaranty reliability anymore */
1543 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1544 {
1545 struct l2cap_chan *chan;
1546
1547 BT_DBG("conn %p", conn);
1548
1549 mutex_lock(&conn->chan_lock);
1550
1551 list_for_each_entry(chan, &conn->chan_l, list) {
1552 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1553 l2cap_chan_set_err(chan, err);
1554 }
1555
1556 mutex_unlock(&conn->chan_lock);
1557 }
1558
1559 static void l2cap_info_timeout(struct work_struct *work)
1560 {
1561 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1562 info_timer.work);
1563
1564 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1565 conn->info_ident = 0;
1566
1567 l2cap_conn_start(conn);
1568 }
1569
1570 /*
1571 * l2cap_user
1572 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1573 * callback is called during registration. The ->remove callback is called
1574 * during unregistration.
1575 * An l2cap_user object can either be explicitly unregistered or when the
1576 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1577 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1578 * External modules must own a reference to the l2cap_conn object if they intend
1579 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1580 * any time if they don't.
1581 */
1582
1583 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1584 {
1585 struct hci_dev *hdev = conn->hcon->hdev;
1586 int ret;
1587
1588 /* We need to check whether l2cap_conn is registered. If it is not, we
1589 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1590 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1591 * relies on the parent hci_conn object to be locked. This itself relies
1592 * on the hci_dev object to be locked. So we must lock the hci device
1593 * here, too. */
1594
1595 hci_dev_lock(hdev);
1596
1597 if (user->list.next || user->list.prev) {
1598 ret = -EINVAL;
1599 goto out_unlock;
1600 }
1601
1602 /* conn->hchan is NULL after l2cap_conn_del() was called */
1603 if (!conn->hchan) {
1604 ret = -ENODEV;
1605 goto out_unlock;
1606 }
1607
1608 ret = user->probe(conn, user);
1609 if (ret)
1610 goto out_unlock;
1611
1612 list_add(&user->list, &conn->users);
1613 ret = 0;
1614
1615 out_unlock:
1616 hci_dev_unlock(hdev);
1617 return ret;
1618 }
1619 EXPORT_SYMBOL(l2cap_register_user);
1620
1621 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1622 {
1623 struct hci_dev *hdev = conn->hcon->hdev;
1624
1625 hci_dev_lock(hdev);
1626
1627 if (!user->list.next || !user->list.prev)
1628 goto out_unlock;
1629
1630 list_del(&user->list);
1631 user->list.next = NULL;
1632 user->list.prev = NULL;
1633 user->remove(conn, user);
1634
1635 out_unlock:
1636 hci_dev_unlock(hdev);
1637 }
1638 EXPORT_SYMBOL(l2cap_unregister_user);
1639
1640 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1641 {
1642 struct l2cap_user *user;
1643
1644 while (!list_empty(&conn->users)) {
1645 user = list_first_entry(&conn->users, struct l2cap_user, list);
1646 list_del(&user->list);
1647 user->list.next = NULL;
1648 user->list.prev = NULL;
1649 user->remove(conn, user);
1650 }
1651 }
1652
1653 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1654 {
1655 struct l2cap_conn *conn = hcon->l2cap_data;
1656 struct l2cap_chan *chan, *l;
1657
1658 if (!conn)
1659 return;
1660
1661 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1662
1663 kfree_skb(conn->rx_skb);
1664
1665 skb_queue_purge(&conn->pending_rx);
1666 flush_work(&conn->pending_rx_work);
1667
1668 l2cap_unregister_all_users(conn);
1669
1670 mutex_lock(&conn->chan_lock);
1671
1672 /* Kill channels */
1673 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1674 l2cap_chan_hold(chan);
1675 l2cap_chan_lock(chan);
1676
1677 l2cap_chan_del(chan, err);
1678
1679 l2cap_chan_unlock(chan);
1680
1681 chan->ops->close(chan);
1682 l2cap_chan_put(chan);
1683 }
1684
1685 mutex_unlock(&conn->chan_lock);
1686
1687 hci_chan_del(conn->hchan);
1688
1689 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1690 cancel_delayed_work_sync(&conn->info_timer);
1691
1692 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1693 cancel_delayed_work_sync(&conn->security_timer);
1694 smp_chan_destroy(conn);
1695 }
1696
1697 hcon->l2cap_data = NULL;
1698 conn->hchan = NULL;
1699 l2cap_conn_put(conn);
1700 }
1701
1702 static void security_timeout(struct work_struct *work)
1703 {
1704 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1705 security_timer.work);
1706
1707 BT_DBG("conn %p", conn);
1708
1709 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1710 smp_chan_destroy(conn);
1711 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1712 }
1713 }
1714
1715 static void l2cap_conn_free(struct kref *ref)
1716 {
1717 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1718
1719 hci_conn_put(conn->hcon);
1720 kfree(conn);
1721 }
1722
1723 void l2cap_conn_get(struct l2cap_conn *conn)
1724 {
1725 kref_get(&conn->ref);
1726 }
1727 EXPORT_SYMBOL(l2cap_conn_get);
1728
1729 void l2cap_conn_put(struct l2cap_conn *conn)
1730 {
1731 kref_put(&conn->ref, l2cap_conn_free);
1732 }
1733 EXPORT_SYMBOL(l2cap_conn_put);
1734
1735 /* ---- Socket interface ---- */
1736
1737 /* Find socket with psm and source / destination bdaddr.
1738 * Returns closest match.
1739 */
1740 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1741 bdaddr_t *src,
1742 bdaddr_t *dst,
1743 u8 link_type)
1744 {
1745 struct l2cap_chan *c, *c1 = NULL;
1746
1747 read_lock(&chan_list_lock);
1748
1749 list_for_each_entry(c, &chan_list, global_l) {
1750 if (state && c->state != state)
1751 continue;
1752
1753 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1754 continue;
1755
1756 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1757 continue;
1758
1759 if (c->psm == psm) {
1760 int src_match, dst_match;
1761 int src_any, dst_any;
1762
1763 /* Exact match. */
1764 src_match = !bacmp(&c->src, src);
1765 dst_match = !bacmp(&c->dst, dst);
1766 if (src_match && dst_match) {
1767 read_unlock(&chan_list_lock);
1768 return c;
1769 }
1770
1771 /* Closest match */
1772 src_any = !bacmp(&c->src, BDADDR_ANY);
1773 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1774 if ((src_match && dst_any) || (src_any && dst_match) ||
1775 (src_any && dst_any))
1776 c1 = c;
1777 }
1778 }
1779
1780 read_unlock(&chan_list_lock);
1781
1782 return c1;
1783 }
1784
1785 static void l2cap_monitor_timeout(struct work_struct *work)
1786 {
1787 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1788 monitor_timer.work);
1789
1790 BT_DBG("chan %p", chan);
1791
1792 l2cap_chan_lock(chan);
1793
1794 if (!chan->conn) {
1795 l2cap_chan_unlock(chan);
1796 l2cap_chan_put(chan);
1797 return;
1798 }
1799
1800 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1801
1802 l2cap_chan_unlock(chan);
1803 l2cap_chan_put(chan);
1804 }
1805
1806 static void l2cap_retrans_timeout(struct work_struct *work)
1807 {
1808 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1809 retrans_timer.work);
1810
1811 BT_DBG("chan %p", chan);
1812
1813 l2cap_chan_lock(chan);
1814
1815 if (!chan->conn) {
1816 l2cap_chan_unlock(chan);
1817 l2cap_chan_put(chan);
1818 return;
1819 }
1820
1821 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1822 l2cap_chan_unlock(chan);
1823 l2cap_chan_put(chan);
1824 }
1825
1826 static void l2cap_streaming_send(struct l2cap_chan *chan,
1827 struct sk_buff_head *skbs)
1828 {
1829 struct sk_buff *skb;
1830 struct l2cap_ctrl *control;
1831
1832 BT_DBG("chan %p, skbs %p", chan, skbs);
1833
1834 if (__chan_is_moving(chan))
1835 return;
1836
1837 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1838
1839 while (!skb_queue_empty(&chan->tx_q)) {
1840
1841 skb = skb_dequeue(&chan->tx_q);
1842
1843 bt_cb(skb)->control.retries = 1;
1844 control = &bt_cb(skb)->control;
1845
1846 control->reqseq = 0;
1847 control->txseq = chan->next_tx_seq;
1848
1849 __pack_control(chan, control, skb);
1850
1851 if (chan->fcs == L2CAP_FCS_CRC16) {
1852 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1853 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1854 }
1855
1856 l2cap_do_send(chan, skb);
1857
1858 BT_DBG("Sent txseq %u", control->txseq);
1859
1860 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1861 chan->frames_sent++;
1862 }
1863 }
1864
1865 static int l2cap_ertm_send(struct l2cap_chan *chan)
1866 {
1867 struct sk_buff *skb, *tx_skb;
1868 struct l2cap_ctrl *control;
1869 int sent = 0;
1870
1871 BT_DBG("chan %p", chan);
1872
1873 if (chan->state != BT_CONNECTED)
1874 return -ENOTCONN;
1875
1876 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1877 return 0;
1878
1879 if (__chan_is_moving(chan))
1880 return 0;
1881
1882 while (chan->tx_send_head &&
1883 chan->unacked_frames < chan->remote_tx_win &&
1884 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1885
1886 skb = chan->tx_send_head;
1887
1888 bt_cb(skb)->control.retries = 1;
1889 control = &bt_cb(skb)->control;
1890
1891 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1892 control->final = 1;
1893
1894 control->reqseq = chan->buffer_seq;
1895 chan->last_acked_seq = chan->buffer_seq;
1896 control->txseq = chan->next_tx_seq;
1897
1898 __pack_control(chan, control, skb);
1899
1900 if (chan->fcs == L2CAP_FCS_CRC16) {
1901 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1902 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1903 }
1904
1905 /* Clone after data has been modified. Data is assumed to be
1906 read-only (for locking purposes) on cloned sk_buffs.
1907 */
1908 tx_skb = skb_clone(skb, GFP_KERNEL);
1909
1910 if (!tx_skb)
1911 break;
1912
1913 __set_retrans_timer(chan);
1914
1915 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1916 chan->unacked_frames++;
1917 chan->frames_sent++;
1918 sent++;
1919
1920 if (skb_queue_is_last(&chan->tx_q, skb))
1921 chan->tx_send_head = NULL;
1922 else
1923 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1924
1925 l2cap_do_send(chan, tx_skb);
1926 BT_DBG("Sent txseq %u", control->txseq);
1927 }
1928
1929 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1930 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1931
1932 return sent;
1933 }
1934
1935 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1936 {
1937 struct l2cap_ctrl control;
1938 struct sk_buff *skb;
1939 struct sk_buff *tx_skb;
1940 u16 seq;
1941
1942 BT_DBG("chan %p", chan);
1943
1944 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1945 return;
1946
1947 if (__chan_is_moving(chan))
1948 return;
1949
1950 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1951 seq = l2cap_seq_list_pop(&chan->retrans_list);
1952
1953 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1954 if (!skb) {
1955 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1956 seq);
1957 continue;
1958 }
1959
1960 bt_cb(skb)->control.retries++;
1961 control = bt_cb(skb)->control;
1962
1963 if (chan->max_tx != 0 &&
1964 bt_cb(skb)->control.retries > chan->max_tx) {
1965 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1966 l2cap_send_disconn_req(chan, ECONNRESET);
1967 l2cap_seq_list_clear(&chan->retrans_list);
1968 break;
1969 }
1970
1971 control.reqseq = chan->buffer_seq;
1972 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1973 control.final = 1;
1974 else
1975 control.final = 0;
1976
1977 if (skb_cloned(skb)) {
1978 /* Cloned sk_buffs are read-only, so we need a
1979 * writeable copy
1980 */
1981 tx_skb = skb_copy(skb, GFP_KERNEL);
1982 } else {
1983 tx_skb = skb_clone(skb, GFP_KERNEL);
1984 }
1985
1986 if (!tx_skb) {
1987 l2cap_seq_list_clear(&chan->retrans_list);
1988 break;
1989 }
1990
1991 /* Update skb contents */
1992 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1993 put_unaligned_le32(__pack_extended_control(&control),
1994 tx_skb->data + L2CAP_HDR_SIZE);
1995 } else {
1996 put_unaligned_le16(__pack_enhanced_control(&control),
1997 tx_skb->data + L2CAP_HDR_SIZE);
1998 }
1999
2000 if (chan->fcs == L2CAP_FCS_CRC16) {
2001 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2002 put_unaligned_le16(fcs, skb_put(tx_skb,
2003 L2CAP_FCS_SIZE));
2004 }
2005
2006 l2cap_do_send(chan, tx_skb);
2007
2008 BT_DBG("Resent txseq %d", control.txseq);
2009
2010 chan->last_acked_seq = chan->buffer_seq;
2011 }
2012 }
2013
2014 static void l2cap_retransmit(struct l2cap_chan *chan,
2015 struct l2cap_ctrl *control)
2016 {
2017 BT_DBG("chan %p, control %p", chan, control);
2018
2019 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2020 l2cap_ertm_resend(chan);
2021 }
2022
2023 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2024 struct l2cap_ctrl *control)
2025 {
2026 struct sk_buff *skb;
2027
2028 BT_DBG("chan %p, control %p", chan, control);
2029
2030 if (control->poll)
2031 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2032
2033 l2cap_seq_list_clear(&chan->retrans_list);
2034
2035 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2036 return;
2037
2038 if (chan->unacked_frames) {
2039 skb_queue_walk(&chan->tx_q, skb) {
2040 if (bt_cb(skb)->control.txseq == control->reqseq ||
2041 skb == chan->tx_send_head)
2042 break;
2043 }
2044
2045 skb_queue_walk_from(&chan->tx_q, skb) {
2046 if (skb == chan->tx_send_head)
2047 break;
2048
2049 l2cap_seq_list_append(&chan->retrans_list,
2050 bt_cb(skb)->control.txseq);
2051 }
2052
2053 l2cap_ertm_resend(chan);
2054 }
2055 }
2056
2057 static void l2cap_send_ack(struct l2cap_chan *chan)
2058 {
2059 struct l2cap_ctrl control;
2060 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2061 chan->last_acked_seq);
2062 int threshold;
2063
2064 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2065 chan, chan->last_acked_seq, chan->buffer_seq);
2066
2067 memset(&control, 0, sizeof(control));
2068 control.sframe = 1;
2069
2070 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2071 chan->rx_state == L2CAP_RX_STATE_RECV) {
2072 __clear_ack_timer(chan);
2073 control.super = L2CAP_SUPER_RNR;
2074 control.reqseq = chan->buffer_seq;
2075 l2cap_send_sframe(chan, &control);
2076 } else {
2077 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2078 l2cap_ertm_send(chan);
2079 /* If any i-frames were sent, they included an ack */
2080 if (chan->buffer_seq == chan->last_acked_seq)
2081 frames_to_ack = 0;
2082 }
2083
2084 /* Ack now if the window is 3/4ths full.
2085 * Calculate without mul or div
2086 */
2087 threshold = chan->ack_win;
2088 threshold += threshold << 1;
2089 threshold >>= 2;
2090
2091 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2092 threshold);
2093
2094 if (frames_to_ack >= threshold) {
2095 __clear_ack_timer(chan);
2096 control.super = L2CAP_SUPER_RR;
2097 control.reqseq = chan->buffer_seq;
2098 l2cap_send_sframe(chan, &control);
2099 frames_to_ack = 0;
2100 }
2101
2102 if (frames_to_ack)
2103 __set_ack_timer(chan);
2104 }
2105 }
2106
2107 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2108 struct msghdr *msg, int len,
2109 int count, struct sk_buff *skb)
2110 {
2111 struct l2cap_conn *conn = chan->conn;
2112 struct sk_buff **frag;
2113 int sent = 0;
2114
2115 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
2116 return -EFAULT;
2117
2118 sent += count;
2119 len -= count;
2120
2121 /* Continuation fragments (no L2CAP header) */
2122 frag = &skb_shinfo(skb)->frag_list;
2123 while (len) {
2124 struct sk_buff *tmp;
2125
2126 count = min_t(unsigned int, conn->mtu, len);
2127
2128 tmp = chan->ops->alloc_skb(chan, count,
2129 msg->msg_flags & MSG_DONTWAIT);
2130 if (IS_ERR(tmp))
2131 return PTR_ERR(tmp);
2132
2133 *frag = tmp;
2134
2135 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2136 return -EFAULT;
2137
2138 (*frag)->priority = skb->priority;
2139
2140 sent += count;
2141 len -= count;
2142
2143 skb->len += (*frag)->len;
2144 skb->data_len += (*frag)->len;
2145
2146 frag = &(*frag)->next;
2147 }
2148
2149 return sent;
2150 }
2151
2152 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2153 struct msghdr *msg, size_t len,
2154 u32 priority)
2155 {
2156 struct l2cap_conn *conn = chan->conn;
2157 struct sk_buff *skb;
2158 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2159 struct l2cap_hdr *lh;
2160
2161 BT_DBG("chan %p psm 0x%2.2x len %zu priority %u", chan,
2162 __le16_to_cpu(chan->psm), len, priority);
2163
2164 count = min_t(unsigned int, (conn->mtu - hlen), len);
2165
2166 skb = chan->ops->alloc_skb(chan, count + hlen,
2167 msg->msg_flags & MSG_DONTWAIT);
2168 if (IS_ERR(skb))
2169 return skb;
2170
2171 skb->priority = priority;
2172
2173 /* Create L2CAP header */
2174 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2175 lh->cid = cpu_to_le16(chan->dcid);
2176 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2177 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2178
2179 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2180 if (unlikely(err < 0)) {
2181 kfree_skb(skb);
2182 return ERR_PTR(err);
2183 }
2184 return skb;
2185 }
2186
2187 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2188 struct msghdr *msg, size_t len,
2189 u32 priority)
2190 {
2191 struct l2cap_conn *conn = chan->conn;
2192 struct sk_buff *skb;
2193 int err, count;
2194 struct l2cap_hdr *lh;
2195
2196 BT_DBG("chan %p len %zu", chan, len);
2197
2198 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2199
2200 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
2201 msg->msg_flags & MSG_DONTWAIT);
2202 if (IS_ERR(skb))
2203 return skb;
2204
2205 skb->priority = priority;
2206
2207 /* Create L2CAP header */
2208 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2209 lh->cid = cpu_to_le16(chan->dcid);
2210 lh->len = cpu_to_le16(len);
2211
2212 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2213 if (unlikely(err < 0)) {
2214 kfree_skb(skb);
2215 return ERR_PTR(err);
2216 }
2217 return skb;
2218 }
2219
2220 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2221 struct msghdr *msg, size_t len,
2222 u16 sdulen)
2223 {
2224 struct l2cap_conn *conn = chan->conn;
2225 struct sk_buff *skb;
2226 int err, count, hlen;
2227 struct l2cap_hdr *lh;
2228
2229 BT_DBG("chan %p len %zu", chan, len);
2230
2231 if (!conn)
2232 return ERR_PTR(-ENOTCONN);
2233
2234 hlen = __ertm_hdr_size(chan);
2235
2236 if (sdulen)
2237 hlen += L2CAP_SDULEN_SIZE;
2238
2239 if (chan->fcs == L2CAP_FCS_CRC16)
2240 hlen += L2CAP_FCS_SIZE;
2241
2242 count = min_t(unsigned int, (conn->mtu - hlen), len);
2243
2244 skb = chan->ops->alloc_skb(chan, count + hlen,
2245 msg->msg_flags & MSG_DONTWAIT);
2246 if (IS_ERR(skb))
2247 return skb;
2248
2249 /* Create L2CAP header */
2250 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2251 lh->cid = cpu_to_le16(chan->dcid);
2252 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2253
2254 /* Control header is populated later */
2255 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2256 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2257 else
2258 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2259
2260 if (sdulen)
2261 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2262
2263 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2264 if (unlikely(err < 0)) {
2265 kfree_skb(skb);
2266 return ERR_PTR(err);
2267 }
2268
2269 bt_cb(skb)->control.fcs = chan->fcs;
2270 bt_cb(skb)->control.retries = 0;
2271 return skb;
2272 }
2273
2274 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2275 struct sk_buff_head *seg_queue,
2276 struct msghdr *msg, size_t len)
2277 {
2278 struct sk_buff *skb;
2279 u16 sdu_len;
2280 size_t pdu_len;
2281 u8 sar;
2282
2283 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2284
2285 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2286 * so fragmented skbs are not used. The HCI layer's handling
2287 * of fragmented skbs is not compatible with ERTM's queueing.
2288 */
2289
2290 /* PDU size is derived from the HCI MTU */
2291 pdu_len = chan->conn->mtu;
2292
2293 /* Constrain PDU size for BR/EDR connections */
2294 if (!chan->hs_hcon)
2295 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2296
2297 /* Adjust for largest possible L2CAP overhead. */
2298 if (chan->fcs)
2299 pdu_len -= L2CAP_FCS_SIZE;
2300
2301 pdu_len -= __ertm_hdr_size(chan);
2302
2303 /* Remote device may have requested smaller PDUs */
2304 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2305
2306 if (len <= pdu_len) {
2307 sar = L2CAP_SAR_UNSEGMENTED;
2308 sdu_len = 0;
2309 pdu_len = len;
2310 } else {
2311 sar = L2CAP_SAR_START;
2312 sdu_len = len;
2313 pdu_len -= L2CAP_SDULEN_SIZE;
2314 }
2315
2316 while (len > 0) {
2317 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2318
2319 if (IS_ERR(skb)) {
2320 __skb_queue_purge(seg_queue);
2321 return PTR_ERR(skb);
2322 }
2323
2324 bt_cb(skb)->control.sar = sar;
2325 __skb_queue_tail(seg_queue, skb);
2326
2327 len -= pdu_len;
2328 if (sdu_len) {
2329 sdu_len = 0;
2330 pdu_len += L2CAP_SDULEN_SIZE;
2331 }
2332
2333 if (len <= pdu_len) {
2334 sar = L2CAP_SAR_END;
2335 pdu_len = len;
2336 } else {
2337 sar = L2CAP_SAR_CONTINUE;
2338 }
2339 }
2340
2341 return 0;
2342 }
2343
2344 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2345 struct msghdr *msg,
2346 size_t len, u16 sdulen)
2347 {
2348 struct l2cap_conn *conn = chan->conn;
2349 struct sk_buff *skb;
2350 int err, count, hlen;
2351 struct l2cap_hdr *lh;
2352
2353 BT_DBG("chan %p len %zu", chan, len);
2354
2355 if (!conn)
2356 return ERR_PTR(-ENOTCONN);
2357
2358 hlen = L2CAP_HDR_SIZE;
2359
2360 if (sdulen)
2361 hlen += L2CAP_SDULEN_SIZE;
2362
2363 count = min_t(unsigned int, (conn->mtu - hlen), len);
2364
2365 skb = chan->ops->alloc_skb(chan, count + hlen,
2366 msg->msg_flags & MSG_DONTWAIT);
2367 if (IS_ERR(skb))
2368 return skb;
2369
2370 /* Create L2CAP header */
2371 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2372 lh->cid = cpu_to_le16(chan->dcid);
2373 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2374
2375 if (sdulen)
2376 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2377
2378 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2379 if (unlikely(err < 0)) {
2380 kfree_skb(skb);
2381 return ERR_PTR(err);
2382 }
2383
2384 return skb;
2385 }
2386
2387 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2388 struct sk_buff_head *seg_queue,
2389 struct msghdr *msg, size_t len)
2390 {
2391 struct sk_buff *skb;
2392 size_t pdu_len;
2393 u16 sdu_len;
2394
2395 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2396
2397 pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE;
2398
2399 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2400
2401 sdu_len = len;
2402 pdu_len -= L2CAP_SDULEN_SIZE;
2403
2404 while (len > 0) {
2405 if (len <= pdu_len)
2406 pdu_len = len;
2407
2408 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2409 if (IS_ERR(skb)) {
2410 __skb_queue_purge(seg_queue);
2411 return PTR_ERR(skb);
2412 }
2413
2414 __skb_queue_tail(seg_queue, skb);
2415
2416 len -= pdu_len;
2417
2418 if (sdu_len) {
2419 sdu_len = 0;
2420 pdu_len += L2CAP_SDULEN_SIZE;
2421 }
2422 }
2423
2424 return 0;
2425 }
2426
2427 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2428 u32 priority)
2429 {
2430 struct sk_buff *skb;
2431 int err;
2432 struct sk_buff_head seg_queue;
2433
2434 if (!chan->conn)
2435 return -ENOTCONN;
2436
2437 /* Connectionless channel */
2438 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2439 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
2440 if (IS_ERR(skb))
2441 return PTR_ERR(skb);
2442
2443 /* Channel lock is released before requesting new skb and then
2444 * reacquired thus we need to recheck channel state.
2445 */
2446 if (chan->state != BT_CONNECTED) {
2447 kfree_skb(skb);
2448 return -ENOTCONN;
2449 }
2450
2451 l2cap_do_send(chan, skb);
2452 return len;
2453 }
2454
2455 switch (chan->mode) {
2456 case L2CAP_MODE_LE_FLOWCTL:
2457 /* Check outgoing MTU */
2458 if (len > chan->omtu)
2459 return -EMSGSIZE;
2460
2461 if (!chan->tx_credits)
2462 return -EAGAIN;
2463
2464 __skb_queue_head_init(&seg_queue);
2465
2466 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2467
2468 if (chan->state != BT_CONNECTED) {
2469 __skb_queue_purge(&seg_queue);
2470 err = -ENOTCONN;
2471 }
2472
2473 if (err)
2474 return err;
2475
2476 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2477
2478 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2479 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2480 chan->tx_credits--;
2481 }
2482
2483 if (!chan->tx_credits)
2484 chan->ops->suspend(chan);
2485
2486 err = len;
2487
2488 break;
2489
2490 case L2CAP_MODE_BASIC:
2491 /* Check outgoing MTU */
2492 if (len > chan->omtu)
2493 return -EMSGSIZE;
2494
2495 /* Create a basic PDU */
2496 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
2497 if (IS_ERR(skb))
2498 return PTR_ERR(skb);
2499
2500 /* Channel lock is released before requesting new skb and then
2501 * reacquired thus we need to recheck channel state.
2502 */
2503 if (chan->state != BT_CONNECTED) {
2504 kfree_skb(skb);
2505 return -ENOTCONN;
2506 }
2507
2508 l2cap_do_send(chan, skb);
2509 err = len;
2510 break;
2511
2512 case L2CAP_MODE_ERTM:
2513 case L2CAP_MODE_STREAMING:
2514 /* Check outgoing MTU */
2515 if (len > chan->omtu) {
2516 err = -EMSGSIZE;
2517 break;
2518 }
2519
2520 __skb_queue_head_init(&seg_queue);
2521
2522 /* Do segmentation before calling in to the state machine,
2523 * since it's possible to block while waiting for memory
2524 * allocation.
2525 */
2526 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2527
2528 /* The channel could have been closed while segmenting,
2529 * check that it is still connected.
2530 */
2531 if (chan->state != BT_CONNECTED) {
2532 __skb_queue_purge(&seg_queue);
2533 err = -ENOTCONN;
2534 }
2535
2536 if (err)
2537 break;
2538
2539 if (chan->mode == L2CAP_MODE_ERTM)
2540 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2541 else
2542 l2cap_streaming_send(chan, &seg_queue);
2543
2544 err = len;
2545
2546 /* If the skbs were not queued for sending, they'll still be in
2547 * seg_queue and need to be purged.
2548 */
2549 __skb_queue_purge(&seg_queue);
2550 break;
2551
2552 default:
2553 BT_DBG("bad state %1.1x", chan->mode);
2554 err = -EBADFD;
2555 }
2556
2557 return err;
2558 }
2559
2560 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2561 {
2562 struct l2cap_ctrl control;
2563 u16 seq;
2564
2565 BT_DBG("chan %p, txseq %u", chan, txseq);
2566
2567 memset(&control, 0, sizeof(control));
2568 control.sframe = 1;
2569 control.super = L2CAP_SUPER_SREJ;
2570
2571 for (seq = chan->expected_tx_seq; seq != txseq;
2572 seq = __next_seq(chan, seq)) {
2573 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2574 control.reqseq = seq;
2575 l2cap_send_sframe(chan, &control);
2576 l2cap_seq_list_append(&chan->srej_list, seq);
2577 }
2578 }
2579
2580 chan->expected_tx_seq = __next_seq(chan, txseq);
2581 }
2582
2583 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2584 {
2585 struct l2cap_ctrl control;
2586
2587 BT_DBG("chan %p", chan);
2588
2589 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2590 return;
2591
2592 memset(&control, 0, sizeof(control));
2593 control.sframe = 1;
2594 control.super = L2CAP_SUPER_SREJ;
2595 control.reqseq = chan->srej_list.tail;
2596 l2cap_send_sframe(chan, &control);
2597 }
2598
2599 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2600 {
2601 struct l2cap_ctrl control;
2602 u16 initial_head;
2603 u16 seq;
2604
2605 BT_DBG("chan %p, txseq %u", chan, txseq);
2606
2607 memset(&control, 0, sizeof(control));
2608 control.sframe = 1;
2609 control.super = L2CAP_SUPER_SREJ;
2610
2611 /* Capture initial list head to allow only one pass through the list. */
2612 initial_head = chan->srej_list.head;
2613
2614 do {
2615 seq = l2cap_seq_list_pop(&chan->srej_list);
2616 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2617 break;
2618
2619 control.reqseq = seq;
2620 l2cap_send_sframe(chan, &control);
2621 l2cap_seq_list_append(&chan->srej_list, seq);
2622 } while (chan->srej_list.head != initial_head);
2623 }
2624
2625 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2626 {
2627 struct sk_buff *acked_skb;
2628 u16 ackseq;
2629
2630 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2631
2632 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2633 return;
2634
2635 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2636 chan->expected_ack_seq, chan->unacked_frames);
2637
2638 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2639 ackseq = __next_seq(chan, ackseq)) {
2640
2641 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2642 if (acked_skb) {
2643 skb_unlink(acked_skb, &chan->tx_q);
2644 kfree_skb(acked_skb);
2645 chan->unacked_frames--;
2646 }
2647 }
2648
2649 chan->expected_ack_seq = reqseq;
2650
2651 if (chan->unacked_frames == 0)
2652 __clear_retrans_timer(chan);
2653
2654 BT_DBG("unacked_frames %u", chan->unacked_frames);
2655 }
2656
2657 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2658 {
2659 BT_DBG("chan %p", chan);
2660
2661 chan->expected_tx_seq = chan->buffer_seq;
2662 l2cap_seq_list_clear(&chan->srej_list);
2663 skb_queue_purge(&chan->srej_q);
2664 chan->rx_state = L2CAP_RX_STATE_RECV;
2665 }
2666
2667 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2668 struct l2cap_ctrl *control,
2669 struct sk_buff_head *skbs, u8 event)
2670 {
2671 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2672 event);
2673
2674 switch (event) {
2675 case L2CAP_EV_DATA_REQUEST:
2676 if (chan->tx_send_head == NULL)
2677 chan->tx_send_head = skb_peek(skbs);
2678
2679 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2680 l2cap_ertm_send(chan);
2681 break;
2682 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2683 BT_DBG("Enter LOCAL_BUSY");
2684 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2685
2686 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2687 /* The SREJ_SENT state must be aborted if we are to
2688 * enter the LOCAL_BUSY state.
2689 */
2690 l2cap_abort_rx_srej_sent(chan);
2691 }
2692
2693 l2cap_send_ack(chan);
2694
2695 break;
2696 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2697 BT_DBG("Exit LOCAL_BUSY");
2698 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2699
2700 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2701 struct l2cap_ctrl local_control;
2702
2703 memset(&local_control, 0, sizeof(local_control));
2704 local_control.sframe = 1;
2705 local_control.super = L2CAP_SUPER_RR;
2706 local_control.poll = 1;
2707 local_control.reqseq = chan->buffer_seq;
2708 l2cap_send_sframe(chan, &local_control);
2709
2710 chan->retry_count = 1;
2711 __set_monitor_timer(chan);
2712 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2713 }
2714 break;
2715 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2716 l2cap_process_reqseq(chan, control->reqseq);
2717 break;
2718 case L2CAP_EV_EXPLICIT_POLL:
2719 l2cap_send_rr_or_rnr(chan, 1);
2720 chan->retry_count = 1;
2721 __set_monitor_timer(chan);
2722 __clear_ack_timer(chan);
2723 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2724 break;
2725 case L2CAP_EV_RETRANS_TO:
2726 l2cap_send_rr_or_rnr(chan, 1);
2727 chan->retry_count = 1;
2728 __set_monitor_timer(chan);
2729 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2730 break;
2731 case L2CAP_EV_RECV_FBIT:
2732 /* Nothing to process */
2733 break;
2734 default:
2735 break;
2736 }
2737 }
2738
2739 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2740 struct l2cap_ctrl *control,
2741 struct sk_buff_head *skbs, u8 event)
2742 {
2743 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2744 event);
2745
2746 switch (event) {
2747 case L2CAP_EV_DATA_REQUEST:
2748 if (chan->tx_send_head == NULL)
2749 chan->tx_send_head = skb_peek(skbs);
2750 /* Queue data, but don't send. */
2751 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2752 break;
2753 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2754 BT_DBG("Enter LOCAL_BUSY");
2755 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2756
2757 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2758 /* The SREJ_SENT state must be aborted if we are to
2759 * enter the LOCAL_BUSY state.
2760 */
2761 l2cap_abort_rx_srej_sent(chan);
2762 }
2763
2764 l2cap_send_ack(chan);
2765
2766 break;
2767 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2768 BT_DBG("Exit LOCAL_BUSY");
2769 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2770
2771 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2772 struct l2cap_ctrl local_control;
2773 memset(&local_control, 0, sizeof(local_control));
2774 local_control.sframe = 1;
2775 local_control.super = L2CAP_SUPER_RR;
2776 local_control.poll = 1;
2777 local_control.reqseq = chan->buffer_seq;
2778 l2cap_send_sframe(chan, &local_control);
2779
2780 chan->retry_count = 1;
2781 __set_monitor_timer(chan);
2782 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2783 }
2784 break;
2785 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2786 l2cap_process_reqseq(chan, control->reqseq);
2787
2788 /* Fall through */
2789
2790 case L2CAP_EV_RECV_FBIT:
2791 if (control && control->final) {
2792 __clear_monitor_timer(chan);
2793 if (chan->unacked_frames > 0)
2794 __set_retrans_timer(chan);
2795 chan->retry_count = 0;
2796 chan->tx_state = L2CAP_TX_STATE_XMIT;
2797 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2798 }
2799 break;
2800 case L2CAP_EV_EXPLICIT_POLL:
2801 /* Ignore */
2802 break;
2803 case L2CAP_EV_MONITOR_TO:
2804 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2805 l2cap_send_rr_or_rnr(chan, 1);
2806 __set_monitor_timer(chan);
2807 chan->retry_count++;
2808 } else {
2809 l2cap_send_disconn_req(chan, ECONNABORTED);
2810 }
2811 break;
2812 default:
2813 break;
2814 }
2815 }
2816
2817 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2818 struct sk_buff_head *skbs, u8 event)
2819 {
2820 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2821 chan, control, skbs, event, chan->tx_state);
2822
2823 switch (chan->tx_state) {
2824 case L2CAP_TX_STATE_XMIT:
2825 l2cap_tx_state_xmit(chan, control, skbs, event);
2826 break;
2827 case L2CAP_TX_STATE_WAIT_F:
2828 l2cap_tx_state_wait_f(chan, control, skbs, event);
2829 break;
2830 default:
2831 /* Ignore event */
2832 break;
2833 }
2834 }
2835
2836 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2837 struct l2cap_ctrl *control)
2838 {
2839 BT_DBG("chan %p, control %p", chan, control);
2840 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2841 }
2842
2843 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2844 struct l2cap_ctrl *control)
2845 {
2846 BT_DBG("chan %p, control %p", chan, control);
2847 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2848 }
2849
2850 /* Copy frame to all raw sockets on that connection */
2851 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2852 {
2853 struct sk_buff *nskb;
2854 struct l2cap_chan *chan;
2855
2856 BT_DBG("conn %p", conn);
2857
2858 mutex_lock(&conn->chan_lock);
2859
2860 list_for_each_entry(chan, &conn->chan_l, list) {
2861 if (chan->chan_type != L2CAP_CHAN_RAW)
2862 continue;
2863
2864 /* Don't send frame to the channel it came from */
2865 if (bt_cb(skb)->chan == chan)
2866 continue;
2867
2868 nskb = skb_clone(skb, GFP_KERNEL);
2869 if (!nskb)
2870 continue;
2871 if (chan->ops->recv(chan, nskb))
2872 kfree_skb(nskb);
2873 }
2874
2875 mutex_unlock(&conn->chan_lock);
2876 }
2877
2878 /* ---- L2CAP signalling commands ---- */
2879 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2880 u8 ident, u16 dlen, void *data)
2881 {
2882 struct sk_buff *skb, **frag;
2883 struct l2cap_cmd_hdr *cmd;
2884 struct l2cap_hdr *lh;
2885 int len, count;
2886
2887 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2888 conn, code, ident, dlen);
2889
2890 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2891 return NULL;
2892
2893 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2894 count = min_t(unsigned int, conn->mtu, len);
2895
2896 skb = bt_skb_alloc(count, GFP_KERNEL);
2897 if (!skb)
2898 return NULL;
2899
2900 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2901 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2902
2903 if (conn->hcon->type == LE_LINK)
2904 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2905 else
2906 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2907
2908 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2909 cmd->code = code;
2910 cmd->ident = ident;
2911 cmd->len = cpu_to_le16(dlen);
2912
2913 if (dlen) {
2914 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2915 memcpy(skb_put(skb, count), data, count);
2916 data += count;
2917 }
2918
2919 len -= skb->len;
2920
2921 /* Continuation fragments (no L2CAP header) */
2922 frag = &skb_shinfo(skb)->frag_list;
2923 while (len) {
2924 count = min_t(unsigned int, conn->mtu, len);
2925
2926 *frag = bt_skb_alloc(count, GFP_KERNEL);
2927 if (!*frag)
2928 goto fail;
2929
2930 memcpy(skb_put(*frag, count), data, count);
2931
2932 len -= count;
2933 data += count;
2934
2935 frag = &(*frag)->next;
2936 }
2937
2938 return skb;
2939
2940 fail:
2941 kfree_skb(skb);
2942 return NULL;
2943 }
2944
2945 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2946 unsigned long *val)
2947 {
2948 struct l2cap_conf_opt *opt = *ptr;
2949 int len;
2950
2951 len = L2CAP_CONF_OPT_SIZE + opt->len;
2952 *ptr += len;
2953
2954 *type = opt->type;
2955 *olen = opt->len;
2956
2957 switch (opt->len) {
2958 case 1:
2959 *val = *((u8 *) opt->val);
2960 break;
2961
2962 case 2:
2963 *val = get_unaligned_le16(opt->val);
2964 break;
2965
2966 case 4:
2967 *val = get_unaligned_le32(opt->val);
2968 break;
2969
2970 default:
2971 *val = (unsigned long) opt->val;
2972 break;
2973 }
2974
2975 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2976 return len;
2977 }
2978
2979 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2980 {
2981 struct l2cap_conf_opt *opt = *ptr;
2982
2983 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2984
2985 opt->type = type;
2986 opt->len = len;
2987
2988 switch (len) {
2989 case 1:
2990 *((u8 *) opt->val) = val;
2991 break;
2992
2993 case 2:
2994 put_unaligned_le16(val, opt->val);
2995 break;
2996
2997 case 4:
2998 put_unaligned_le32(val, opt->val);
2999 break;
3000
3001 default:
3002 memcpy(opt->val, (void *) val, len);
3003 break;
3004 }
3005
3006 *ptr += L2CAP_CONF_OPT_SIZE + len;
3007 }
3008
3009 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3010 {
3011 struct l2cap_conf_efs efs;
3012
3013 switch (chan->mode) {
3014 case L2CAP_MODE_ERTM:
3015 efs.id = chan->local_id;
3016 efs.stype = chan->local_stype;
3017 efs.msdu = cpu_to_le16(chan->local_msdu);
3018 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3019 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3020 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3021 break;
3022
3023 case L2CAP_MODE_STREAMING:
3024 efs.id = 1;
3025 efs.stype = L2CAP_SERV_BESTEFFORT;
3026 efs.msdu = cpu_to_le16(chan->local_msdu);
3027 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3028 efs.acc_lat = 0;
3029 efs.flush_to = 0;
3030 break;
3031
3032 default:
3033 return;
3034 }
3035
3036 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3037 (unsigned long) &efs);
3038 }
3039
3040 static void l2cap_ack_timeout(struct work_struct *work)
3041 {
3042 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3043 ack_timer.work);
3044 u16 frames_to_ack;
3045
3046 BT_DBG("chan %p", chan);
3047
3048 l2cap_chan_lock(chan);
3049
3050 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3051 chan->last_acked_seq);
3052
3053 if (frames_to_ack)
3054 l2cap_send_rr_or_rnr(chan, 0);
3055
3056 l2cap_chan_unlock(chan);
3057 l2cap_chan_put(chan);
3058 }
3059
3060 int l2cap_ertm_init(struct l2cap_chan *chan)
3061 {
3062 int err;
3063
3064 chan->next_tx_seq = 0;
3065 chan->expected_tx_seq = 0;
3066 chan->expected_ack_seq = 0;
3067 chan->unacked_frames = 0;
3068 chan->buffer_seq = 0;
3069 chan->frames_sent = 0;
3070 chan->last_acked_seq = 0;
3071 chan->sdu = NULL;
3072 chan->sdu_last_frag = NULL;
3073 chan->sdu_len = 0;
3074
3075 skb_queue_head_init(&chan->tx_q);
3076
3077 chan->local_amp_id = AMP_ID_BREDR;
3078 chan->move_id = AMP_ID_BREDR;
3079 chan->move_state = L2CAP_MOVE_STABLE;
3080 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3081
3082 if (chan->mode != L2CAP_MODE_ERTM)
3083 return 0;
3084
3085 chan->rx_state = L2CAP_RX_STATE_RECV;
3086 chan->tx_state = L2CAP_TX_STATE_XMIT;
3087
3088 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3089 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3090 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3091
3092 skb_queue_head_init(&chan->srej_q);
3093
3094 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3095 if (err < 0)
3096 return err;
3097
3098 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3099 if (err < 0)
3100 l2cap_seq_list_free(&chan->srej_list);
3101
3102 return err;
3103 }
3104
3105 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3106 {
3107 switch (mode) {
3108 case L2CAP_MODE_STREAMING:
3109 case L2CAP_MODE_ERTM:
3110 if (l2cap_mode_supported(mode, remote_feat_mask))
3111 return mode;
3112 /* fall through */
3113 default:
3114 return L2CAP_MODE_BASIC;
3115 }
3116 }
3117
3118 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3119 {
3120 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3121 }
3122
3123 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3124 {
3125 return conn->hs_enabled && conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3126 }
3127
3128 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3129 struct l2cap_conf_rfc *rfc)
3130 {
3131 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3132 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3133
3134 /* Class 1 devices have must have ERTM timeouts
3135 * exceeding the Link Supervision Timeout. The
3136 * default Link Supervision Timeout for AMP
3137 * controllers is 10 seconds.
3138 *
3139 * Class 1 devices use 0xffffffff for their
3140 * best-effort flush timeout, so the clamping logic
3141 * will result in a timeout that meets the above
3142 * requirement. ERTM timeouts are 16-bit values, so
3143 * the maximum timeout is 65.535 seconds.
3144 */
3145
3146 /* Convert timeout to milliseconds and round */
3147 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3148
3149 /* This is the recommended formula for class 2 devices
3150 * that start ERTM timers when packets are sent to the
3151 * controller.
3152 */
3153 ertm_to = 3 * ertm_to + 500;
3154
3155 if (ertm_to > 0xffff)
3156 ertm_to = 0xffff;
3157
3158 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3159 rfc->monitor_timeout = rfc->retrans_timeout;
3160 } else {
3161 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3162 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3163 }
3164 }
3165
3166 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3167 {
3168 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3169 __l2cap_ews_supported(chan->conn)) {
3170 /* use extended control field */
3171 set_bit(FLAG_EXT_CTRL, &chan->flags);
3172 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3173 } else {
3174 chan->tx_win = min_t(u16, chan->tx_win,
3175 L2CAP_DEFAULT_TX_WINDOW);
3176 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3177 }
3178 chan->ack_win = chan->tx_win;
3179 }
3180
3181 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3182 {
3183 struct l2cap_conf_req *req = data;
3184 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3185 void *ptr = req->data;
3186 u16 size;
3187
3188 BT_DBG("chan %p", chan);
3189
3190 if (chan->num_conf_req || chan->num_conf_rsp)
3191 goto done;
3192
3193 switch (chan->mode) {
3194 case L2CAP_MODE_STREAMING:
3195 case L2CAP_MODE_ERTM:
3196 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3197 break;
3198
3199 if (__l2cap_efs_supported(chan->conn))
3200 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3201
3202 /* fall through */
3203 default:
3204 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3205 break;
3206 }
3207
3208 done:
3209 if (chan->imtu != L2CAP_DEFAULT_MTU)
3210 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3211
3212 switch (chan->mode) {
3213 case L2CAP_MODE_BASIC:
3214 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3215 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3216 break;
3217
3218 rfc.mode = L2CAP_MODE_BASIC;
3219 rfc.txwin_size = 0;
3220 rfc.max_transmit = 0;
3221 rfc.retrans_timeout = 0;
3222 rfc.monitor_timeout = 0;
3223 rfc.max_pdu_size = 0;
3224
3225 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3226 (unsigned long) &rfc);
3227 break;
3228
3229 case L2CAP_MODE_ERTM:
3230 rfc.mode = L2CAP_MODE_ERTM;
3231 rfc.max_transmit = chan->max_tx;
3232
3233 __l2cap_set_ertm_timeouts(chan, &rfc);
3234
3235 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3236 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3237 L2CAP_FCS_SIZE);
3238 rfc.max_pdu_size = cpu_to_le16(size);
3239
3240 l2cap_txwin_setup(chan);
3241
3242 rfc.txwin_size = min_t(u16, chan->tx_win,
3243 L2CAP_DEFAULT_TX_WINDOW);
3244
3245 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3246 (unsigned long) &rfc);
3247
3248 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3249 l2cap_add_opt_efs(&ptr, chan);
3250
3251 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3253 chan->tx_win);
3254
3255 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3256 if (chan->fcs == L2CAP_FCS_NONE ||
3257 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3258 chan->fcs = L2CAP_FCS_NONE;
3259 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3260 chan->fcs);
3261 }
3262 break;
3263
3264 case L2CAP_MODE_STREAMING:
3265 l2cap_txwin_setup(chan);
3266 rfc.mode = L2CAP_MODE_STREAMING;
3267 rfc.txwin_size = 0;
3268 rfc.max_transmit = 0;
3269 rfc.retrans_timeout = 0;
3270 rfc.monitor_timeout = 0;
3271
3272 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3273 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3274 L2CAP_FCS_SIZE);
3275 rfc.max_pdu_size = cpu_to_le16(size);
3276
3277 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3278 (unsigned long) &rfc);
3279
3280 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3281 l2cap_add_opt_efs(&ptr, chan);
3282
3283 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3284 if (chan->fcs == L2CAP_FCS_NONE ||
3285 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3286 chan->fcs = L2CAP_FCS_NONE;
3287 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3288 chan->fcs);
3289 }
3290 break;
3291 }
3292
3293 req->dcid = cpu_to_le16(chan->dcid);
3294 req->flags = cpu_to_le16(0);
3295
3296 return ptr - data;
3297 }
3298
3299 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3300 {
3301 struct l2cap_conf_rsp *rsp = data;
3302 void *ptr = rsp->data;
3303 void *req = chan->conf_req;
3304 int len = chan->conf_len;
3305 int type, hint, olen;
3306 unsigned long val;
3307 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3308 struct l2cap_conf_efs efs;
3309 u8 remote_efs = 0;
3310 u16 mtu = L2CAP_DEFAULT_MTU;
3311 u16 result = L2CAP_CONF_SUCCESS;
3312 u16 size;
3313
3314 BT_DBG("chan %p", chan);
3315
3316 while (len >= L2CAP_CONF_OPT_SIZE) {
3317 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3318
3319 hint = type & L2CAP_CONF_HINT;
3320 type &= L2CAP_CONF_MASK;
3321
3322 switch (type) {
3323 case L2CAP_CONF_MTU:
3324 mtu = val;
3325 break;
3326
3327 case L2CAP_CONF_FLUSH_TO:
3328 chan->flush_to = val;
3329 break;
3330
3331 case L2CAP_CONF_QOS:
3332 break;
3333
3334 case L2CAP_CONF_RFC:
3335 if (olen == sizeof(rfc))
3336 memcpy(&rfc, (void *) val, olen);
3337 break;
3338
3339 case L2CAP_CONF_FCS:
3340 if (val == L2CAP_FCS_NONE)
3341 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3342 break;
3343
3344 case L2CAP_CONF_EFS:
3345 remote_efs = 1;
3346 if (olen == sizeof(efs))
3347 memcpy(&efs, (void *) val, olen);
3348 break;
3349
3350 case L2CAP_CONF_EWS:
3351 if (!chan->conn->hs_enabled)
3352 return -ECONNREFUSED;
3353
3354 set_bit(FLAG_EXT_CTRL, &chan->flags);
3355 set_bit(CONF_EWS_RECV, &chan->conf_state);
3356 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3357 chan->remote_tx_win = val;
3358 break;
3359
3360 default:
3361 if (hint)
3362 break;
3363
3364 result = L2CAP_CONF_UNKNOWN;
3365 *((u8 *) ptr++) = type;
3366 break;
3367 }
3368 }
3369
3370 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3371 goto done;
3372
3373 switch (chan->mode) {
3374 case L2CAP_MODE_STREAMING:
3375 case L2CAP_MODE_ERTM:
3376 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3377 chan->mode = l2cap_select_mode(rfc.mode,
3378 chan->conn->feat_mask);
3379 break;
3380 }
3381
3382 if (remote_efs) {
3383 if (__l2cap_efs_supported(chan->conn))
3384 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3385 else
3386 return -ECONNREFUSED;
3387 }
3388
3389 if (chan->mode != rfc.mode)
3390 return -ECONNREFUSED;
3391
3392 break;
3393 }
3394
3395 done:
3396 if (chan->mode != rfc.mode) {
3397 result = L2CAP_CONF_UNACCEPT;
3398 rfc.mode = chan->mode;
3399
3400 if (chan->num_conf_rsp == 1)
3401 return -ECONNREFUSED;
3402
3403 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3404 (unsigned long) &rfc);
3405 }
3406
3407 if (result == L2CAP_CONF_SUCCESS) {
3408 /* Configure output options and let the other side know
3409 * which ones we don't like. */
3410
3411 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3412 result = L2CAP_CONF_UNACCEPT;
3413 else {
3414 chan->omtu = mtu;
3415 set_bit(CONF_MTU_DONE, &chan->conf_state);
3416 }
3417 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3418
3419 if (remote_efs) {
3420 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3421 efs.stype != L2CAP_SERV_NOTRAFIC &&
3422 efs.stype != chan->local_stype) {
3423
3424 result = L2CAP_CONF_UNACCEPT;
3425
3426 if (chan->num_conf_req >= 1)
3427 return -ECONNREFUSED;
3428
3429 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3430 sizeof(efs),
3431 (unsigned long) &efs);
3432 } else {
3433 /* Send PENDING Conf Rsp */
3434 result = L2CAP_CONF_PENDING;
3435 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3436 }
3437 }
3438
3439 switch (rfc.mode) {
3440 case L2CAP_MODE_BASIC:
3441 chan->fcs = L2CAP_FCS_NONE;
3442 set_bit(CONF_MODE_DONE, &chan->conf_state);
3443 break;
3444
3445 case L2CAP_MODE_ERTM:
3446 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3447 chan->remote_tx_win = rfc.txwin_size;
3448 else
3449 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3450
3451 chan->remote_max_tx = rfc.max_transmit;
3452
3453 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3454 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3455 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3456 rfc.max_pdu_size = cpu_to_le16(size);
3457 chan->remote_mps = size;
3458
3459 __l2cap_set_ertm_timeouts(chan, &rfc);
3460
3461 set_bit(CONF_MODE_DONE, &chan->conf_state);
3462
3463 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3464 sizeof(rfc), (unsigned long) &rfc);
3465
3466 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3467 chan->remote_id = efs.id;
3468 chan->remote_stype = efs.stype;
3469 chan->remote_msdu = le16_to_cpu(efs.msdu);
3470 chan->remote_flush_to =
3471 le32_to_cpu(efs.flush_to);
3472 chan->remote_acc_lat =
3473 le32_to_cpu(efs.acc_lat);
3474 chan->remote_sdu_itime =
3475 le32_to_cpu(efs.sdu_itime);
3476 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3477 sizeof(efs),
3478 (unsigned long) &efs);
3479 }
3480 break;
3481
3482 case L2CAP_MODE_STREAMING:
3483 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3484 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3485 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3486 rfc.max_pdu_size = cpu_to_le16(size);
3487 chan->remote_mps = size;
3488
3489 set_bit(CONF_MODE_DONE, &chan->conf_state);
3490
3491 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3492 (unsigned long) &rfc);
3493
3494 break;
3495
3496 default:
3497 result = L2CAP_CONF_UNACCEPT;
3498
3499 memset(&rfc, 0, sizeof(rfc));
3500 rfc.mode = chan->mode;
3501 }
3502
3503 if (result == L2CAP_CONF_SUCCESS)
3504 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3505 }
3506 rsp->scid = cpu_to_le16(chan->dcid);
3507 rsp->result = cpu_to_le16(result);
3508 rsp->flags = cpu_to_le16(0);
3509
3510 return ptr - data;
3511 }
3512
3513 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3514 void *data, u16 *result)
3515 {
3516 struct l2cap_conf_req *req = data;
3517 void *ptr = req->data;
3518 int type, olen;
3519 unsigned long val;
3520 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3521 struct l2cap_conf_efs efs;
3522
3523 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3524
3525 while (len >= L2CAP_CONF_OPT_SIZE) {
3526 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3527
3528 switch (type) {
3529 case L2CAP_CONF_MTU:
3530 if (val < L2CAP_DEFAULT_MIN_MTU) {
3531 *result = L2CAP_CONF_UNACCEPT;
3532 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3533 } else
3534 chan->imtu = val;
3535 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3536 break;
3537
3538 case L2CAP_CONF_FLUSH_TO:
3539 chan->flush_to = val;
3540 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3541 2, chan->flush_to);
3542 break;
3543
3544 case L2CAP_CONF_RFC:
3545 if (olen == sizeof(rfc))
3546 memcpy(&rfc, (void *)val, olen);
3547
3548 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3549 rfc.mode != chan->mode)
3550 return -ECONNREFUSED;
3551
3552 chan->fcs = 0;
3553
3554 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3555 sizeof(rfc), (unsigned long) &rfc);
3556 break;
3557
3558 case L2CAP_CONF_EWS:
3559 chan->ack_win = min_t(u16, val, chan->ack_win);
3560 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3561 chan->tx_win);
3562 break;
3563
3564 case L2CAP_CONF_EFS:
3565 if (olen == sizeof(efs))
3566 memcpy(&efs, (void *)val, olen);
3567
3568 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3569 efs.stype != L2CAP_SERV_NOTRAFIC &&
3570 efs.stype != chan->local_stype)
3571 return -ECONNREFUSED;
3572
3573 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3574 (unsigned long) &efs);
3575 break;
3576
3577 case L2CAP_CONF_FCS:
3578 if (*result == L2CAP_CONF_PENDING)
3579 if (val == L2CAP_FCS_NONE)
3580 set_bit(CONF_RECV_NO_FCS,
3581 &chan->conf_state);
3582 break;
3583 }
3584 }
3585
3586 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3587 return -ECONNREFUSED;
3588
3589 chan->mode = rfc.mode;
3590
3591 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3592 switch (rfc.mode) {
3593 case L2CAP_MODE_ERTM:
3594 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3595 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3596 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3597 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3598 chan->ack_win = min_t(u16, chan->ack_win,
3599 rfc.txwin_size);
3600
3601 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3602 chan->local_msdu = le16_to_cpu(efs.msdu);
3603 chan->local_sdu_itime =
3604 le32_to_cpu(efs.sdu_itime);
3605 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3606 chan->local_flush_to =
3607 le32_to_cpu(efs.flush_to);
3608 }
3609 break;
3610
3611 case L2CAP_MODE_STREAMING:
3612 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3613 }
3614 }
3615
3616 req->dcid = cpu_to_le16(chan->dcid);
3617 req->flags = cpu_to_le16(0);
3618
3619 return ptr - data;
3620 }
3621
3622 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3623 u16 result, u16 flags)
3624 {
3625 struct l2cap_conf_rsp *rsp = data;
3626 void *ptr = rsp->data;
3627
3628 BT_DBG("chan %p", chan);
3629
3630 rsp->scid = cpu_to_le16(chan->dcid);
3631 rsp->result = cpu_to_le16(result);
3632 rsp->flags = cpu_to_le16(flags);
3633
3634 return ptr - data;
3635 }
3636
3637 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3638 {
3639 struct l2cap_le_conn_rsp rsp;
3640 struct l2cap_conn *conn = chan->conn;
3641
3642 BT_DBG("chan %p", chan);
3643
3644 rsp.dcid = cpu_to_le16(chan->scid);
3645 rsp.mtu = cpu_to_le16(chan->imtu);
3646 rsp.mps = cpu_to_le16(chan->mps);
3647 rsp.credits = cpu_to_le16(chan->rx_credits);
3648 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3649
3650 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3651 &rsp);
3652 }
3653
3654 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3655 {
3656 struct l2cap_conn_rsp rsp;
3657 struct l2cap_conn *conn = chan->conn;
3658 u8 buf[128];
3659 u8 rsp_code;
3660
3661 rsp.scid = cpu_to_le16(chan->dcid);
3662 rsp.dcid = cpu_to_le16(chan->scid);
3663 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3664 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3665
3666 if (chan->hs_hcon)
3667 rsp_code = L2CAP_CREATE_CHAN_RSP;
3668 else
3669 rsp_code = L2CAP_CONN_RSP;
3670
3671 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3672
3673 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3674
3675 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3676 return;
3677
3678 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3679 l2cap_build_conf_req(chan, buf), buf);
3680 chan->num_conf_req++;
3681 }
3682
3683 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3684 {
3685 int type, olen;
3686 unsigned long val;
3687 /* Use sane default values in case a misbehaving remote device
3688 * did not send an RFC or extended window size option.
3689 */
3690 u16 txwin_ext = chan->ack_win;
3691 struct l2cap_conf_rfc rfc = {
3692 .mode = chan->mode,
3693 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3694 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3695 .max_pdu_size = cpu_to_le16(chan->imtu),
3696 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3697 };
3698
3699 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3700
3701 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3702 return;
3703
3704 while (len >= L2CAP_CONF_OPT_SIZE) {
3705 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3706
3707 switch (type) {
3708 case L2CAP_CONF_RFC:
3709 if (olen == sizeof(rfc))
3710 memcpy(&rfc, (void *)val, olen);
3711 break;
3712 case L2CAP_CONF_EWS:
3713 txwin_ext = val;
3714 break;
3715 }
3716 }
3717
3718 switch (rfc.mode) {
3719 case L2CAP_MODE_ERTM:
3720 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3721 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3722 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3723 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3724 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3725 else
3726 chan->ack_win = min_t(u16, chan->ack_win,
3727 rfc.txwin_size);
3728 break;
3729 case L2CAP_MODE_STREAMING:
3730 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3731 }
3732 }
3733
3734 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3735 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3736 u8 *data)
3737 {
3738 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3739
3740 if (cmd_len < sizeof(*rej))
3741 return -EPROTO;
3742
3743 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3744 return 0;
3745
3746 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3747 cmd->ident == conn->info_ident) {
3748 cancel_delayed_work(&conn->info_timer);
3749
3750 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3751 conn->info_ident = 0;
3752
3753 l2cap_conn_start(conn);
3754 }
3755
3756 return 0;
3757 }
3758
3759 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3760 struct l2cap_cmd_hdr *cmd,
3761 u8 *data, u8 rsp_code, u8 amp_id)
3762 {
3763 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3764 struct l2cap_conn_rsp rsp;
3765 struct l2cap_chan *chan = NULL, *pchan;
3766 int result, status = L2CAP_CS_NO_INFO;
3767
3768 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3769 __le16 psm = req->psm;
3770
3771 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3772
3773 /* Check if we have socket listening on psm */
3774 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3775 &conn->hcon->dst, ACL_LINK);
3776 if (!pchan) {
3777 result = L2CAP_CR_BAD_PSM;
3778 goto sendresp;
3779 }
3780
3781 mutex_lock(&conn->chan_lock);
3782 l2cap_chan_lock(pchan);
3783
3784 /* Check if the ACL is secure enough (if not SDP) */
3785 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3786 !hci_conn_check_link_mode(conn->hcon)) {
3787 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3788 result = L2CAP_CR_SEC_BLOCK;
3789 goto response;
3790 }
3791
3792 result = L2CAP_CR_NO_MEM;
3793
3794 /* Check if we already have channel with that dcid */
3795 if (__l2cap_get_chan_by_dcid(conn, scid))
3796 goto response;
3797
3798 chan = pchan->ops->new_connection(pchan);
3799 if (!chan)
3800 goto response;
3801
3802 /* For certain devices (ex: HID mouse), support for authentication,
3803 * pairing and bonding is optional. For such devices, inorder to avoid
3804 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3805 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3806 */
3807 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3808
3809 bacpy(&chan->src, &conn->hcon->src);
3810 bacpy(&chan->dst, &conn->hcon->dst);
3811 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
3812 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
3813 chan->psm = psm;
3814 chan->dcid = scid;
3815 chan->local_amp_id = amp_id;
3816
3817 __l2cap_chan_add(conn, chan);
3818
3819 dcid = chan->scid;
3820
3821 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3822
3823 chan->ident = cmd->ident;
3824
3825 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3826 if (l2cap_chan_check_security(chan)) {
3827 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3828 l2cap_state_change(chan, BT_CONNECT2);
3829 result = L2CAP_CR_PEND;
3830 status = L2CAP_CS_AUTHOR_PEND;
3831 chan->ops->defer(chan);
3832 } else {
3833 /* Force pending result for AMP controllers.
3834 * The connection will succeed after the
3835 * physical link is up.
3836 */
3837 if (amp_id == AMP_ID_BREDR) {
3838 l2cap_state_change(chan, BT_CONFIG);
3839 result = L2CAP_CR_SUCCESS;
3840 } else {
3841 l2cap_state_change(chan, BT_CONNECT2);
3842 result = L2CAP_CR_PEND;
3843 }
3844 status = L2CAP_CS_NO_INFO;
3845 }
3846 } else {
3847 l2cap_state_change(chan, BT_CONNECT2);
3848 result = L2CAP_CR_PEND;
3849 status = L2CAP_CS_AUTHEN_PEND;
3850 }
3851 } else {
3852 l2cap_state_change(chan, BT_CONNECT2);
3853 result = L2CAP_CR_PEND;
3854 status = L2CAP_CS_NO_INFO;
3855 }
3856
3857 response:
3858 l2cap_chan_unlock(pchan);
3859 mutex_unlock(&conn->chan_lock);
3860
3861 sendresp:
3862 rsp.scid = cpu_to_le16(scid);
3863 rsp.dcid = cpu_to_le16(dcid);
3864 rsp.result = cpu_to_le16(result);
3865 rsp.status = cpu_to_le16(status);
3866 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3867
3868 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3869 struct l2cap_info_req info;
3870 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3871
3872 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3873 conn->info_ident = l2cap_get_ident(conn);
3874
3875 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3876
3877 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3878 sizeof(info), &info);
3879 }
3880
3881 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3882 result == L2CAP_CR_SUCCESS) {
3883 u8 buf[128];
3884 set_bit(CONF_REQ_SENT, &chan->conf_state);
3885 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3886 l2cap_build_conf_req(chan, buf), buf);
3887 chan->num_conf_req++;
3888 }
3889
3890 return chan;
3891 }
3892
3893 static int l2cap_connect_req(struct l2cap_conn *conn,
3894 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3895 {
3896 struct hci_dev *hdev = conn->hcon->hdev;
3897 struct hci_conn *hcon = conn->hcon;
3898
3899 if (cmd_len < sizeof(struct l2cap_conn_req))
3900 return -EPROTO;
3901
3902 hci_dev_lock(hdev);
3903 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3904 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3905 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3906 hcon->dst_type, 0, NULL, 0,
3907 hcon->dev_class);
3908 hci_dev_unlock(hdev);
3909
3910 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3911 return 0;
3912 }
3913
3914 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3915 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3916 u8 *data)
3917 {
3918 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3919 u16 scid, dcid, result, status;
3920 struct l2cap_chan *chan;
3921 u8 req[128];
3922 int err;
3923
3924 if (cmd_len < sizeof(*rsp))
3925 return -EPROTO;
3926
3927 scid = __le16_to_cpu(rsp->scid);
3928 dcid = __le16_to_cpu(rsp->dcid);
3929 result = __le16_to_cpu(rsp->result);
3930 status = __le16_to_cpu(rsp->status);
3931
3932 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3933 dcid, scid, result, status);
3934
3935 mutex_lock(&conn->chan_lock);
3936
3937 if (scid) {
3938 chan = __l2cap_get_chan_by_scid(conn, scid);
3939 if (!chan) {
3940 err = -EBADSLT;
3941 goto unlock;
3942 }
3943 } else {
3944 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3945 if (!chan) {
3946 err = -EBADSLT;
3947 goto unlock;
3948 }
3949 }
3950
3951 err = 0;
3952
3953 l2cap_chan_lock(chan);
3954
3955 switch (result) {
3956 case L2CAP_CR_SUCCESS:
3957 l2cap_state_change(chan, BT_CONFIG);
3958 chan->ident = 0;
3959 chan->dcid = dcid;
3960 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3961
3962 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3963 break;
3964
3965 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3966 l2cap_build_conf_req(chan, req), req);
3967 chan->num_conf_req++;
3968 break;
3969
3970 case L2CAP_CR_PEND:
3971 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3972 break;
3973
3974 default:
3975 l2cap_chan_del(chan, ECONNREFUSED);
3976 break;
3977 }
3978
3979 l2cap_chan_unlock(chan);
3980
3981 unlock:
3982 mutex_unlock(&conn->chan_lock);
3983
3984 return err;
3985 }
3986
3987 static inline void set_default_fcs(struct l2cap_chan *chan)
3988 {
3989 /* FCS is enabled only in ERTM or streaming mode, if one or both
3990 * sides request it.
3991 */
3992 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3993 chan->fcs = L2CAP_FCS_NONE;
3994 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
3995 chan->fcs = L2CAP_FCS_CRC16;
3996 }
3997
3998 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3999 u8 ident, u16 flags)
4000 {
4001 struct l2cap_conn *conn = chan->conn;
4002
4003 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4004 flags);
4005
4006 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4007 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4008
4009 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4010 l2cap_build_conf_rsp(chan, data,
4011 L2CAP_CONF_SUCCESS, flags), data);
4012 }
4013
4014 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4015 u16 scid, u16 dcid)
4016 {
4017 struct l2cap_cmd_rej_cid rej;
4018
4019 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4020 rej.scid = __cpu_to_le16(scid);
4021 rej.dcid = __cpu_to_le16(dcid);
4022
4023 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4024 }
4025
4026 static inline int l2cap_config_req(struct l2cap_conn *conn,
4027 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4028 u8 *data)
4029 {
4030 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4031 u16 dcid, flags;
4032 u8 rsp[64];
4033 struct l2cap_chan *chan;
4034 int len, err = 0;
4035
4036 if (cmd_len < sizeof(*req))
4037 return -EPROTO;
4038
4039 dcid = __le16_to_cpu(req->dcid);
4040 flags = __le16_to_cpu(req->flags);
4041
4042 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4043
4044 chan = l2cap_get_chan_by_scid(conn, dcid);
4045 if (!chan) {
4046 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4047 return 0;
4048 }
4049
4050 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4051 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4052 chan->dcid);
4053 goto unlock;
4054 }
4055
4056 /* Reject if config buffer is too small. */
4057 len = cmd_len - sizeof(*req);
4058 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4059 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4060 l2cap_build_conf_rsp(chan, rsp,
4061 L2CAP_CONF_REJECT, flags), rsp);
4062 goto unlock;
4063 }
4064
4065 /* Store config. */
4066 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4067 chan->conf_len += len;
4068
4069 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4070 /* Incomplete config. Send empty response. */
4071 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4072 l2cap_build_conf_rsp(chan, rsp,
4073 L2CAP_CONF_SUCCESS, flags), rsp);
4074 goto unlock;
4075 }
4076
4077 /* Complete config. */
4078 len = l2cap_parse_conf_req(chan, rsp);
4079 if (len < 0) {
4080 l2cap_send_disconn_req(chan, ECONNRESET);
4081 goto unlock;
4082 }
4083
4084 chan->ident = cmd->ident;
4085 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4086 chan->num_conf_rsp++;
4087
4088 /* Reset config buffer. */
4089 chan->conf_len = 0;
4090
4091 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4092 goto unlock;
4093
4094 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4095 set_default_fcs(chan);
4096
4097 if (chan->mode == L2CAP_MODE_ERTM ||
4098 chan->mode == L2CAP_MODE_STREAMING)
4099 err = l2cap_ertm_init(chan);
4100
4101 if (err < 0)
4102 l2cap_send_disconn_req(chan, -err);
4103 else
4104 l2cap_chan_ready(chan);
4105
4106 goto unlock;
4107 }
4108
4109 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4110 u8 buf[64];
4111 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4112 l2cap_build_conf_req(chan, buf), buf);
4113 chan->num_conf_req++;
4114 }
4115
4116 /* Got Conf Rsp PENDING from remote side and asume we sent
4117 Conf Rsp PENDING in the code above */
4118 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4119 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4120
4121 /* check compatibility */
4122
4123 /* Send rsp for BR/EDR channel */
4124 if (!chan->hs_hcon)
4125 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4126 else
4127 chan->ident = cmd->ident;
4128 }
4129
4130 unlock:
4131 l2cap_chan_unlock(chan);
4132 return err;
4133 }
4134
4135 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4136 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4137 u8 *data)
4138 {
4139 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4140 u16 scid, flags, result;
4141 struct l2cap_chan *chan;
4142 int len = cmd_len - sizeof(*rsp);
4143 int err = 0;
4144
4145 if (cmd_len < sizeof(*rsp))
4146 return -EPROTO;
4147
4148 scid = __le16_to_cpu(rsp->scid);
4149 flags = __le16_to_cpu(rsp->flags);
4150 result = __le16_to_cpu(rsp->result);
4151
4152 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4153 result, len);
4154
4155 chan = l2cap_get_chan_by_scid(conn, scid);
4156 if (!chan)
4157 return 0;
4158
4159 switch (result) {
4160 case L2CAP_CONF_SUCCESS:
4161 l2cap_conf_rfc_get(chan, rsp->data, len);
4162 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4163 break;
4164
4165 case L2CAP_CONF_PENDING:
4166 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4167
4168 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4169 char buf[64];
4170
4171 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4172 buf, &result);
4173 if (len < 0) {
4174 l2cap_send_disconn_req(chan, ECONNRESET);
4175 goto done;
4176 }
4177
4178 if (!chan->hs_hcon) {
4179 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4180 0);
4181 } else {
4182 if (l2cap_check_efs(chan)) {
4183 amp_create_logical_link(chan);
4184 chan->ident = cmd->ident;
4185 }
4186 }
4187 }
4188 goto done;
4189
4190 case L2CAP_CONF_UNACCEPT:
4191 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4192 char req[64];
4193
4194 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4195 l2cap_send_disconn_req(chan, ECONNRESET);
4196 goto done;
4197 }
4198
4199 /* throw out any old stored conf requests */
4200 result = L2CAP_CONF_SUCCESS;
4201 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4202 req, &result);
4203 if (len < 0) {
4204 l2cap_send_disconn_req(chan, ECONNRESET);
4205 goto done;
4206 }
4207
4208 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4209 L2CAP_CONF_REQ, len, req);
4210 chan->num_conf_req++;
4211 if (result != L2CAP_CONF_SUCCESS)
4212 goto done;
4213 break;
4214 }
4215
4216 default:
4217 l2cap_chan_set_err(chan, ECONNRESET);
4218
4219 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4220 l2cap_send_disconn_req(chan, ECONNRESET);
4221 goto done;
4222 }
4223
4224 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4225 goto done;
4226
4227 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4228
4229 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4230 set_default_fcs(chan);
4231
4232 if (chan->mode == L2CAP_MODE_ERTM ||
4233 chan->mode == L2CAP_MODE_STREAMING)
4234 err = l2cap_ertm_init(chan);
4235
4236 if (err < 0)
4237 l2cap_send_disconn_req(chan, -err);
4238 else
4239 l2cap_chan_ready(chan);
4240 }
4241
4242 done:
4243 l2cap_chan_unlock(chan);
4244 return err;
4245 }
4246
4247 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4248 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4249 u8 *data)
4250 {
4251 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4252 struct l2cap_disconn_rsp rsp;
4253 u16 dcid, scid;
4254 struct l2cap_chan *chan;
4255
4256 if (cmd_len != sizeof(*req))
4257 return -EPROTO;
4258
4259 scid = __le16_to_cpu(req->scid);
4260 dcid = __le16_to_cpu(req->dcid);
4261
4262 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4263
4264 mutex_lock(&conn->chan_lock);
4265
4266 chan = __l2cap_get_chan_by_scid(conn, dcid);
4267 if (!chan) {
4268 mutex_unlock(&conn->chan_lock);
4269 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4270 return 0;
4271 }
4272
4273 l2cap_chan_lock(chan);
4274
4275 rsp.dcid = cpu_to_le16(chan->scid);
4276 rsp.scid = cpu_to_le16(chan->dcid);
4277 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4278
4279 chan->ops->set_shutdown(chan);
4280
4281 l2cap_chan_hold(chan);
4282 l2cap_chan_del(chan, ECONNRESET);
4283
4284 l2cap_chan_unlock(chan);
4285
4286 chan->ops->close(chan);
4287 l2cap_chan_put(chan);
4288
4289 mutex_unlock(&conn->chan_lock);
4290
4291 return 0;
4292 }
4293
4294 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4295 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4296 u8 *data)
4297 {
4298 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4299 u16 dcid, scid;
4300 struct l2cap_chan *chan;
4301
4302 if (cmd_len != sizeof(*rsp))
4303 return -EPROTO;
4304
4305 scid = __le16_to_cpu(rsp->scid);
4306 dcid = __le16_to_cpu(rsp->dcid);
4307
4308 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4309
4310 mutex_lock(&conn->chan_lock);
4311
4312 chan = __l2cap_get_chan_by_scid(conn, scid);
4313 if (!chan) {
4314 mutex_unlock(&conn->chan_lock);
4315 return 0;
4316 }
4317
4318 l2cap_chan_lock(chan);
4319
4320 l2cap_chan_hold(chan);
4321 l2cap_chan_del(chan, 0);
4322
4323 l2cap_chan_unlock(chan);
4324
4325 chan->ops->close(chan);
4326 l2cap_chan_put(chan);
4327
4328 mutex_unlock(&conn->chan_lock);
4329
4330 return 0;
4331 }
4332
4333 static inline int l2cap_information_req(struct l2cap_conn *conn,
4334 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4335 u8 *data)
4336 {
4337 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4338 u16 type;
4339
4340 if (cmd_len != sizeof(*req))
4341 return -EPROTO;
4342
4343 type = __le16_to_cpu(req->type);
4344
4345 BT_DBG("type 0x%4.4x", type);
4346
4347 if (type == L2CAP_IT_FEAT_MASK) {
4348 u8 buf[8];
4349 u32 feat_mask = l2cap_feat_mask;
4350 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4351 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4352 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4353 if (!disable_ertm)
4354 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4355 | L2CAP_FEAT_FCS;
4356 if (conn->hs_enabled)
4357 feat_mask |= L2CAP_FEAT_EXT_FLOW
4358 | L2CAP_FEAT_EXT_WINDOW;
4359
4360 put_unaligned_le32(feat_mask, rsp->data);
4361 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4362 buf);
4363 } else if (type == L2CAP_IT_FIXED_CHAN) {
4364 u8 buf[12];
4365 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4366
4367 if (conn->hs_enabled)
4368 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4369 else
4370 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4371
4372 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4373 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4374 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
4375 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4376 buf);
4377 } else {
4378 struct l2cap_info_rsp rsp;
4379 rsp.type = cpu_to_le16(type);
4380 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4381 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4382 &rsp);
4383 }
4384
4385 return 0;
4386 }
4387
4388 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4389 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4390 u8 *data)
4391 {
4392 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4393 u16 type, result;
4394
4395 if (cmd_len < sizeof(*rsp))
4396 return -EPROTO;
4397
4398 type = __le16_to_cpu(rsp->type);
4399 result = __le16_to_cpu(rsp->result);
4400
4401 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4402
4403 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4404 if (cmd->ident != conn->info_ident ||
4405 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4406 return 0;
4407
4408 cancel_delayed_work(&conn->info_timer);
4409
4410 if (result != L2CAP_IR_SUCCESS) {
4411 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4412 conn->info_ident = 0;
4413
4414 l2cap_conn_start(conn);
4415
4416 return 0;
4417 }
4418
4419 switch (type) {
4420 case L2CAP_IT_FEAT_MASK:
4421 conn->feat_mask = get_unaligned_le32(rsp->data);
4422
4423 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4424 struct l2cap_info_req req;
4425 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4426
4427 conn->info_ident = l2cap_get_ident(conn);
4428
4429 l2cap_send_cmd(conn, conn->info_ident,
4430 L2CAP_INFO_REQ, sizeof(req), &req);
4431 } else {
4432 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4433 conn->info_ident = 0;
4434
4435 l2cap_conn_start(conn);
4436 }
4437 break;
4438
4439 case L2CAP_IT_FIXED_CHAN:
4440 conn->fixed_chan_mask = rsp->data[0];
4441 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4442 conn->info_ident = 0;
4443
4444 l2cap_conn_start(conn);
4445 break;
4446 }
4447
4448 return 0;
4449 }
4450
4451 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4452 struct l2cap_cmd_hdr *cmd,
4453 u16 cmd_len, void *data)
4454 {
4455 struct l2cap_create_chan_req *req = data;
4456 struct l2cap_create_chan_rsp rsp;
4457 struct l2cap_chan *chan;
4458 struct hci_dev *hdev;
4459 u16 psm, scid;
4460
4461 if (cmd_len != sizeof(*req))
4462 return -EPROTO;
4463
4464 if (!conn->hs_enabled)
4465 return -EINVAL;
4466
4467 psm = le16_to_cpu(req->psm);
4468 scid = le16_to_cpu(req->scid);
4469
4470 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4471
4472 /* For controller id 0 make BR/EDR connection */
4473 if (req->amp_id == AMP_ID_BREDR) {
4474 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4475 req->amp_id);
4476 return 0;
4477 }
4478
4479 /* Validate AMP controller id */
4480 hdev = hci_dev_get(req->amp_id);
4481 if (!hdev)
4482 goto error;
4483
4484 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4485 hci_dev_put(hdev);
4486 goto error;
4487 }
4488
4489 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4490 req->amp_id);
4491 if (chan) {
4492 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4493 struct hci_conn *hs_hcon;
4494
4495 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4496 &conn->hcon->dst);
4497 if (!hs_hcon) {
4498 hci_dev_put(hdev);
4499 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4500 chan->dcid);
4501 return 0;
4502 }
4503
4504 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4505
4506 mgr->bredr_chan = chan;
4507 chan->hs_hcon = hs_hcon;
4508 chan->fcs = L2CAP_FCS_NONE;
4509 conn->mtu = hdev->block_mtu;
4510 }
4511
4512 hci_dev_put(hdev);
4513
4514 return 0;
4515
4516 error:
4517 rsp.dcid = 0;
4518 rsp.scid = cpu_to_le16(scid);
4519 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4520 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4521
4522 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4523 sizeof(rsp), &rsp);
4524
4525 return 0;
4526 }
4527
4528 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4529 {
4530 struct l2cap_move_chan_req req;
4531 u8 ident;
4532
4533 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4534
4535 ident = l2cap_get_ident(chan->conn);
4536 chan->ident = ident;
4537
4538 req.icid = cpu_to_le16(chan->scid);
4539 req.dest_amp_id = dest_amp_id;
4540
4541 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4542 &req);
4543
4544 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4545 }
4546
4547 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4548 {
4549 struct l2cap_move_chan_rsp rsp;
4550
4551 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4552
4553 rsp.icid = cpu_to_le16(chan->dcid);
4554 rsp.result = cpu_to_le16(result);
4555
4556 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4557 sizeof(rsp), &rsp);
4558 }
4559
4560 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4561 {
4562 struct l2cap_move_chan_cfm cfm;
4563
4564 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4565
4566 chan->ident = l2cap_get_ident(chan->conn);
4567
4568 cfm.icid = cpu_to_le16(chan->scid);
4569 cfm.result = cpu_to_le16(result);
4570
4571 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4572 sizeof(cfm), &cfm);
4573
4574 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4575 }
4576
4577 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4578 {
4579 struct l2cap_move_chan_cfm cfm;
4580
4581 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4582
4583 cfm.icid = cpu_to_le16(icid);
4584 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4585
4586 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4587 sizeof(cfm), &cfm);
4588 }
4589
4590 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4591 u16 icid)
4592 {
4593 struct l2cap_move_chan_cfm_rsp rsp;
4594
4595 BT_DBG("icid 0x%4.4x", icid);
4596
4597 rsp.icid = cpu_to_le16(icid);
4598 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4599 }
4600
4601 static void __release_logical_link(struct l2cap_chan *chan)
4602 {
4603 chan->hs_hchan = NULL;
4604 chan->hs_hcon = NULL;
4605
4606 /* Placeholder - release the logical link */
4607 }
4608
4609 static void l2cap_logical_fail(struct l2cap_chan *chan)
4610 {
4611 /* Logical link setup failed */
4612 if (chan->state != BT_CONNECTED) {
4613 /* Create channel failure, disconnect */
4614 l2cap_send_disconn_req(chan, ECONNRESET);
4615 return;
4616 }
4617
4618 switch (chan->move_role) {
4619 case L2CAP_MOVE_ROLE_RESPONDER:
4620 l2cap_move_done(chan);
4621 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4622 break;
4623 case L2CAP_MOVE_ROLE_INITIATOR:
4624 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4625 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4626 /* Remote has only sent pending or
4627 * success responses, clean up
4628 */
4629 l2cap_move_done(chan);
4630 }
4631
4632 /* Other amp move states imply that the move
4633 * has already aborted
4634 */
4635 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4636 break;
4637 }
4638 }
4639
4640 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4641 struct hci_chan *hchan)
4642 {
4643 struct l2cap_conf_rsp rsp;
4644
4645 chan->hs_hchan = hchan;
4646 chan->hs_hcon->l2cap_data = chan->conn;
4647
4648 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4649
4650 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4651 int err;
4652
4653 set_default_fcs(chan);
4654
4655 err = l2cap_ertm_init(chan);
4656 if (err < 0)
4657 l2cap_send_disconn_req(chan, -err);
4658 else
4659 l2cap_chan_ready(chan);
4660 }
4661 }
4662
4663 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4664 struct hci_chan *hchan)
4665 {
4666 chan->hs_hcon = hchan->conn;
4667 chan->hs_hcon->l2cap_data = chan->conn;
4668
4669 BT_DBG("move_state %d", chan->move_state);
4670
4671 switch (chan->move_state) {
4672 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4673 /* Move confirm will be sent after a success
4674 * response is received
4675 */
4676 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4677 break;
4678 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4679 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4680 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4681 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4682 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4683 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4684 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4685 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4686 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4687 }
4688 break;
4689 default:
4690 /* Move was not in expected state, free the channel */
4691 __release_logical_link(chan);
4692
4693 chan->move_state = L2CAP_MOVE_STABLE;
4694 }
4695 }
4696
4697 /* Call with chan locked */
4698 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4699 u8 status)
4700 {
4701 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4702
4703 if (status) {
4704 l2cap_logical_fail(chan);
4705 __release_logical_link(chan);
4706 return;
4707 }
4708
4709 if (chan->state != BT_CONNECTED) {
4710 /* Ignore logical link if channel is on BR/EDR */
4711 if (chan->local_amp_id != AMP_ID_BREDR)
4712 l2cap_logical_finish_create(chan, hchan);
4713 } else {
4714 l2cap_logical_finish_move(chan, hchan);
4715 }
4716 }
4717
4718 void l2cap_move_start(struct l2cap_chan *chan)
4719 {
4720 BT_DBG("chan %p", chan);
4721
4722 if (chan->local_amp_id == AMP_ID_BREDR) {
4723 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4724 return;
4725 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4726 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4727 /* Placeholder - start physical link setup */
4728 } else {
4729 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4730 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4731 chan->move_id = 0;
4732 l2cap_move_setup(chan);
4733 l2cap_send_move_chan_req(chan, 0);
4734 }
4735 }
4736
4737 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4738 u8 local_amp_id, u8 remote_amp_id)
4739 {
4740 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4741 local_amp_id, remote_amp_id);
4742
4743 chan->fcs = L2CAP_FCS_NONE;
4744
4745 /* Outgoing channel on AMP */
4746 if (chan->state == BT_CONNECT) {
4747 if (result == L2CAP_CR_SUCCESS) {
4748 chan->local_amp_id = local_amp_id;
4749 l2cap_send_create_chan_req(chan, remote_amp_id);
4750 } else {
4751 /* Revert to BR/EDR connect */
4752 l2cap_send_conn_req(chan);
4753 }
4754
4755 return;
4756 }
4757
4758 /* Incoming channel on AMP */
4759 if (__l2cap_no_conn_pending(chan)) {
4760 struct l2cap_conn_rsp rsp;
4761 char buf[128];
4762 rsp.scid = cpu_to_le16(chan->dcid);
4763 rsp.dcid = cpu_to_le16(chan->scid);
4764
4765 if (result == L2CAP_CR_SUCCESS) {
4766 /* Send successful response */
4767 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4768 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4769 } else {
4770 /* Send negative response */
4771 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4772 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4773 }
4774
4775 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4776 sizeof(rsp), &rsp);
4777
4778 if (result == L2CAP_CR_SUCCESS) {
4779 l2cap_state_change(chan, BT_CONFIG);
4780 set_bit(CONF_REQ_SENT, &chan->conf_state);
4781 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4782 L2CAP_CONF_REQ,
4783 l2cap_build_conf_req(chan, buf), buf);
4784 chan->num_conf_req++;
4785 }
4786 }
4787 }
4788
4789 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4790 u8 remote_amp_id)
4791 {
4792 l2cap_move_setup(chan);
4793 chan->move_id = local_amp_id;
4794 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4795
4796 l2cap_send_move_chan_req(chan, remote_amp_id);
4797 }
4798
4799 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4800 {
4801 struct hci_chan *hchan = NULL;
4802
4803 /* Placeholder - get hci_chan for logical link */
4804
4805 if (hchan) {
4806 if (hchan->state == BT_CONNECTED) {
4807 /* Logical link is ready to go */
4808 chan->hs_hcon = hchan->conn;
4809 chan->hs_hcon->l2cap_data = chan->conn;
4810 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4811 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4812
4813 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4814 } else {
4815 /* Wait for logical link to be ready */
4816 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4817 }
4818 } else {
4819 /* Logical link not available */
4820 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4821 }
4822 }
4823
4824 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4825 {
4826 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4827 u8 rsp_result;
4828 if (result == -EINVAL)
4829 rsp_result = L2CAP_MR_BAD_ID;
4830 else
4831 rsp_result = L2CAP_MR_NOT_ALLOWED;
4832
4833 l2cap_send_move_chan_rsp(chan, rsp_result);
4834 }
4835
4836 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4837 chan->move_state = L2CAP_MOVE_STABLE;
4838
4839 /* Restart data transmission */
4840 l2cap_ertm_send(chan);
4841 }
4842
4843 /* Invoke with locked chan */
4844 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4845 {
4846 u8 local_amp_id = chan->local_amp_id;
4847 u8 remote_amp_id = chan->remote_amp_id;
4848
4849 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4850 chan, result, local_amp_id, remote_amp_id);
4851
4852 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4853 l2cap_chan_unlock(chan);
4854 return;
4855 }
4856
4857 if (chan->state != BT_CONNECTED) {
4858 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4859 } else if (result != L2CAP_MR_SUCCESS) {
4860 l2cap_do_move_cancel(chan, result);
4861 } else {
4862 switch (chan->move_role) {
4863 case L2CAP_MOVE_ROLE_INITIATOR:
4864 l2cap_do_move_initiate(chan, local_amp_id,
4865 remote_amp_id);
4866 break;
4867 case L2CAP_MOVE_ROLE_RESPONDER:
4868 l2cap_do_move_respond(chan, result);
4869 break;
4870 default:
4871 l2cap_do_move_cancel(chan, result);
4872 break;
4873 }
4874 }
4875 }
4876
4877 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4878 struct l2cap_cmd_hdr *cmd,
4879 u16 cmd_len, void *data)
4880 {
4881 struct l2cap_move_chan_req *req = data;
4882 struct l2cap_move_chan_rsp rsp;
4883 struct l2cap_chan *chan;
4884 u16 icid = 0;
4885 u16 result = L2CAP_MR_NOT_ALLOWED;
4886
4887 if (cmd_len != sizeof(*req))
4888 return -EPROTO;
4889
4890 icid = le16_to_cpu(req->icid);
4891
4892 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4893
4894 if (!conn->hs_enabled)
4895 return -EINVAL;
4896
4897 chan = l2cap_get_chan_by_dcid(conn, icid);
4898 if (!chan) {
4899 rsp.icid = cpu_to_le16(icid);
4900 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4901 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4902 sizeof(rsp), &rsp);
4903 return 0;
4904 }
4905
4906 chan->ident = cmd->ident;
4907
4908 if (chan->scid < L2CAP_CID_DYN_START ||
4909 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4910 (chan->mode != L2CAP_MODE_ERTM &&
4911 chan->mode != L2CAP_MODE_STREAMING)) {
4912 result = L2CAP_MR_NOT_ALLOWED;
4913 goto send_move_response;
4914 }
4915
4916 if (chan->local_amp_id == req->dest_amp_id) {
4917 result = L2CAP_MR_SAME_ID;
4918 goto send_move_response;
4919 }
4920
4921 if (req->dest_amp_id != AMP_ID_BREDR) {
4922 struct hci_dev *hdev;
4923 hdev = hci_dev_get(req->dest_amp_id);
4924 if (!hdev || hdev->dev_type != HCI_AMP ||
4925 !test_bit(HCI_UP, &hdev->flags)) {
4926 if (hdev)
4927 hci_dev_put(hdev);
4928
4929 result = L2CAP_MR_BAD_ID;
4930 goto send_move_response;
4931 }
4932 hci_dev_put(hdev);
4933 }
4934
4935 /* Detect a move collision. Only send a collision response
4936 * if this side has "lost", otherwise proceed with the move.
4937 * The winner has the larger bd_addr.
4938 */
4939 if ((__chan_is_moving(chan) ||
4940 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4941 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4942 result = L2CAP_MR_COLLISION;
4943 goto send_move_response;
4944 }
4945
4946 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4947 l2cap_move_setup(chan);
4948 chan->move_id = req->dest_amp_id;
4949 icid = chan->dcid;
4950
4951 if (req->dest_amp_id == AMP_ID_BREDR) {
4952 /* Moving to BR/EDR */
4953 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4954 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4955 result = L2CAP_MR_PEND;
4956 } else {
4957 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4958 result = L2CAP_MR_SUCCESS;
4959 }
4960 } else {
4961 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4962 /* Placeholder - uncomment when amp functions are available */
4963 /*amp_accept_physical(chan, req->dest_amp_id);*/
4964 result = L2CAP_MR_PEND;
4965 }
4966
4967 send_move_response:
4968 l2cap_send_move_chan_rsp(chan, result);
4969
4970 l2cap_chan_unlock(chan);
4971
4972 return 0;
4973 }
4974
4975 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4976 {
4977 struct l2cap_chan *chan;
4978 struct hci_chan *hchan = NULL;
4979
4980 chan = l2cap_get_chan_by_scid(conn, icid);
4981 if (!chan) {
4982 l2cap_send_move_chan_cfm_icid(conn, icid);
4983 return;
4984 }
4985
4986 __clear_chan_timer(chan);
4987 if (result == L2CAP_MR_PEND)
4988 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4989
4990 switch (chan->move_state) {
4991 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4992 /* Move confirm will be sent when logical link
4993 * is complete.
4994 */
4995 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4996 break;
4997 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4998 if (result == L2CAP_MR_PEND) {
4999 break;
5000 } else if (test_bit(CONN_LOCAL_BUSY,
5001 &chan->conn_state)) {
5002 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5003 } else {
5004 /* Logical link is up or moving to BR/EDR,
5005 * proceed with move
5006 */
5007 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5008 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5009 }
5010 break;
5011 case L2CAP_MOVE_WAIT_RSP:
5012 /* Moving to AMP */
5013 if (result == L2CAP_MR_SUCCESS) {
5014 /* Remote is ready, send confirm immediately
5015 * after logical link is ready
5016 */
5017 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5018 } else {
5019 /* Both logical link and move success
5020 * are required to confirm
5021 */
5022 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5023 }
5024
5025 /* Placeholder - get hci_chan for logical link */
5026 if (!hchan) {
5027 /* Logical link not available */
5028 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5029 break;
5030 }
5031
5032 /* If the logical link is not yet connected, do not
5033 * send confirmation.
5034 */
5035 if (hchan->state != BT_CONNECTED)
5036 break;
5037
5038 /* Logical link is already ready to go */
5039
5040 chan->hs_hcon = hchan->conn;
5041 chan->hs_hcon->l2cap_data = chan->conn;
5042
5043 if (result == L2CAP_MR_SUCCESS) {
5044 /* Can confirm now */
5045 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5046 } else {
5047 /* Now only need move success
5048 * to confirm
5049 */
5050 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5051 }
5052
5053 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5054 break;
5055 default:
5056 /* Any other amp move state means the move failed. */
5057 chan->move_id = chan->local_amp_id;
5058 l2cap_move_done(chan);
5059 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5060 }
5061
5062 l2cap_chan_unlock(chan);
5063 }
5064
5065 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5066 u16 result)
5067 {
5068 struct l2cap_chan *chan;
5069
5070 chan = l2cap_get_chan_by_ident(conn, ident);
5071 if (!chan) {
5072 /* Could not locate channel, icid is best guess */
5073 l2cap_send_move_chan_cfm_icid(conn, icid);
5074 return;
5075 }
5076
5077 __clear_chan_timer(chan);
5078
5079 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5080 if (result == L2CAP_MR_COLLISION) {
5081 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5082 } else {
5083 /* Cleanup - cancel move */
5084 chan->move_id = chan->local_amp_id;
5085 l2cap_move_done(chan);
5086 }
5087 }
5088
5089 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5090
5091 l2cap_chan_unlock(chan);
5092 }
5093
5094 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5095 struct l2cap_cmd_hdr *cmd,
5096 u16 cmd_len, void *data)
5097 {
5098 struct l2cap_move_chan_rsp *rsp = data;
5099 u16 icid, result;
5100
5101 if (cmd_len != sizeof(*rsp))
5102 return -EPROTO;
5103
5104 icid = le16_to_cpu(rsp->icid);
5105 result = le16_to_cpu(rsp->result);
5106
5107 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5108
5109 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5110 l2cap_move_continue(conn, icid, result);
5111 else
5112 l2cap_move_fail(conn, cmd->ident, icid, result);
5113
5114 return 0;
5115 }
5116
5117 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5118 struct l2cap_cmd_hdr *cmd,
5119 u16 cmd_len, void *data)
5120 {
5121 struct l2cap_move_chan_cfm *cfm = data;
5122 struct l2cap_chan *chan;
5123 u16 icid, result;
5124
5125 if (cmd_len != sizeof(*cfm))
5126 return -EPROTO;
5127
5128 icid = le16_to_cpu(cfm->icid);
5129 result = le16_to_cpu(cfm->result);
5130
5131 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5132
5133 chan = l2cap_get_chan_by_dcid(conn, icid);
5134 if (!chan) {
5135 /* Spec requires a response even if the icid was not found */
5136 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5137 return 0;
5138 }
5139
5140 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5141 if (result == L2CAP_MC_CONFIRMED) {
5142 chan->local_amp_id = chan->move_id;
5143 if (chan->local_amp_id == AMP_ID_BREDR)
5144 __release_logical_link(chan);
5145 } else {
5146 chan->move_id = chan->local_amp_id;
5147 }
5148
5149 l2cap_move_done(chan);
5150 }
5151
5152 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5153
5154 l2cap_chan_unlock(chan);
5155
5156 return 0;
5157 }
5158
5159 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5160 struct l2cap_cmd_hdr *cmd,
5161 u16 cmd_len, void *data)
5162 {
5163 struct l2cap_move_chan_cfm_rsp *rsp = data;
5164 struct l2cap_chan *chan;
5165 u16 icid;
5166
5167 if (cmd_len != sizeof(*rsp))
5168 return -EPROTO;
5169
5170 icid = le16_to_cpu(rsp->icid);
5171
5172 BT_DBG("icid 0x%4.4x", icid);
5173
5174 chan = l2cap_get_chan_by_scid(conn, icid);
5175 if (!chan)
5176 return 0;
5177
5178 __clear_chan_timer(chan);
5179
5180 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5181 chan->local_amp_id = chan->move_id;
5182
5183 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5184 __release_logical_link(chan);
5185
5186 l2cap_move_done(chan);
5187 }
5188
5189 l2cap_chan_unlock(chan);
5190
5191 return 0;
5192 }
5193
5194 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
5195 u16 to_multiplier)
5196 {
5197 u16 max_latency;
5198
5199 if (min > max || min < 6 || max > 3200)
5200 return -EINVAL;
5201
5202 if (to_multiplier < 10 || to_multiplier > 3200)
5203 return -EINVAL;
5204
5205 if (max >= to_multiplier * 8)
5206 return -EINVAL;
5207
5208 max_latency = (to_multiplier * 8 / max) - 1;
5209 if (latency > 499 || latency > max_latency)
5210 return -EINVAL;
5211
5212 return 0;
5213 }
5214
5215 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5216 struct l2cap_cmd_hdr *cmd,
5217 u16 cmd_len, u8 *data)
5218 {
5219 struct hci_conn *hcon = conn->hcon;
5220 struct l2cap_conn_param_update_req *req;
5221 struct l2cap_conn_param_update_rsp rsp;
5222 u16 min, max, latency, to_multiplier;
5223 int err;
5224
5225 if (!(hcon->link_mode & HCI_LM_MASTER))
5226 return -EINVAL;
5227
5228 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5229 return -EPROTO;
5230
5231 req = (struct l2cap_conn_param_update_req *) data;
5232 min = __le16_to_cpu(req->min);
5233 max = __le16_to_cpu(req->max);
5234 latency = __le16_to_cpu(req->latency);
5235 to_multiplier = __le16_to_cpu(req->to_multiplier);
5236
5237 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5238 min, max, latency, to_multiplier);
5239
5240 memset(&rsp, 0, sizeof(rsp));
5241
5242 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5243 if (err)
5244 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5245 else
5246 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5247
5248 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5249 sizeof(rsp), &rsp);
5250
5251 if (!err)
5252 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5253
5254 return 0;
5255 }
5256
5257 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5258 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5259 u8 *data)
5260 {
5261 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5262 u16 dcid, mtu, mps, credits, result;
5263 struct l2cap_chan *chan;
5264 int err;
5265
5266 if (cmd_len < sizeof(*rsp))
5267 return -EPROTO;
5268
5269 dcid = __le16_to_cpu(rsp->dcid);
5270 mtu = __le16_to_cpu(rsp->mtu);
5271 mps = __le16_to_cpu(rsp->mps);
5272 credits = __le16_to_cpu(rsp->credits);
5273 result = __le16_to_cpu(rsp->result);
5274
5275 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5276 return -EPROTO;
5277
5278 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5279 dcid, mtu, mps, credits, result);
5280
5281 mutex_lock(&conn->chan_lock);
5282
5283 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5284 if (!chan) {
5285 err = -EBADSLT;
5286 goto unlock;
5287 }
5288
5289 err = 0;
5290
5291 l2cap_chan_lock(chan);
5292
5293 switch (result) {
5294 case L2CAP_CR_SUCCESS:
5295 chan->ident = 0;
5296 chan->dcid = dcid;
5297 chan->omtu = mtu;
5298 chan->remote_mps = mps;
5299 chan->tx_credits = credits;
5300 l2cap_chan_ready(chan);
5301 break;
5302
5303 default:
5304 l2cap_chan_del(chan, ECONNREFUSED);
5305 break;
5306 }
5307
5308 l2cap_chan_unlock(chan);
5309
5310 unlock:
5311 mutex_unlock(&conn->chan_lock);
5312
5313 return err;
5314 }
5315
5316 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5317 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5318 u8 *data)
5319 {
5320 int err = 0;
5321
5322 switch (cmd->code) {
5323 case L2CAP_COMMAND_REJ:
5324 l2cap_command_rej(conn, cmd, cmd_len, data);
5325 break;
5326
5327 case L2CAP_CONN_REQ:
5328 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5329 break;
5330
5331 case L2CAP_CONN_RSP:
5332 case L2CAP_CREATE_CHAN_RSP:
5333 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5334 break;
5335
5336 case L2CAP_CONF_REQ:
5337 err = l2cap_config_req(conn, cmd, cmd_len, data);
5338 break;
5339
5340 case L2CAP_CONF_RSP:
5341 l2cap_config_rsp(conn, cmd, cmd_len, data);
5342 break;
5343
5344 case L2CAP_DISCONN_REQ:
5345 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5346 break;
5347
5348 case L2CAP_DISCONN_RSP:
5349 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5350 break;
5351
5352 case L2CAP_ECHO_REQ:
5353 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5354 break;
5355
5356 case L2CAP_ECHO_RSP:
5357 break;
5358
5359 case L2CAP_INFO_REQ:
5360 err = l2cap_information_req(conn, cmd, cmd_len, data);
5361 break;
5362
5363 case L2CAP_INFO_RSP:
5364 l2cap_information_rsp(conn, cmd, cmd_len, data);
5365 break;
5366
5367 case L2CAP_CREATE_CHAN_REQ:
5368 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5369 break;
5370
5371 case L2CAP_MOVE_CHAN_REQ:
5372 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5373 break;
5374
5375 case L2CAP_MOVE_CHAN_RSP:
5376 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5377 break;
5378
5379 case L2CAP_MOVE_CHAN_CFM:
5380 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5381 break;
5382
5383 case L2CAP_MOVE_CHAN_CFM_RSP:
5384 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5385 break;
5386
5387 default:
5388 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5389 err = -EINVAL;
5390 break;
5391 }
5392
5393 return err;
5394 }
5395
5396 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5397 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5398 u8 *data)
5399 {
5400 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5401 struct l2cap_le_conn_rsp rsp;
5402 struct l2cap_chan *chan, *pchan;
5403 u16 dcid, scid, credits, mtu, mps;
5404 __le16 psm;
5405 u8 result;
5406
5407 if (cmd_len != sizeof(*req))
5408 return -EPROTO;
5409
5410 scid = __le16_to_cpu(req->scid);
5411 mtu = __le16_to_cpu(req->mtu);
5412 mps = __le16_to_cpu(req->mps);
5413 psm = req->psm;
5414 dcid = 0;
5415 credits = 0;
5416
5417 if (mtu < 23 || mps < 23)
5418 return -EPROTO;
5419
5420 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5421 scid, mtu, mps);
5422
5423 /* Check if we have socket listening on psm */
5424 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5425 &conn->hcon->dst, LE_LINK);
5426 if (!pchan) {
5427 result = L2CAP_CR_BAD_PSM;
5428 chan = NULL;
5429 goto response;
5430 }
5431
5432 mutex_lock(&conn->chan_lock);
5433 l2cap_chan_lock(pchan);
5434
5435 if (!smp_sufficient_security(conn->hcon, pchan->sec_level)) {
5436 result = L2CAP_CR_AUTHENTICATION;
5437 chan = NULL;
5438 goto response_unlock;
5439 }
5440
5441 /* Check if we already have channel with that dcid */
5442 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5443 result = L2CAP_CR_NO_MEM;
5444 chan = NULL;
5445 goto response_unlock;
5446 }
5447
5448 chan = pchan->ops->new_connection(pchan);
5449 if (!chan) {
5450 result = L2CAP_CR_NO_MEM;
5451 goto response_unlock;
5452 }
5453
5454 l2cap_le_flowctl_init(chan);
5455
5456 bacpy(&chan->src, &conn->hcon->src);
5457 bacpy(&chan->dst, &conn->hcon->dst);
5458 chan->src_type = bdaddr_type(conn->hcon, conn->hcon->src_type);
5459 chan->dst_type = bdaddr_type(conn->hcon, conn->hcon->dst_type);
5460 chan->psm = psm;
5461 chan->dcid = scid;
5462 chan->omtu = mtu;
5463 chan->remote_mps = mps;
5464 chan->tx_credits = __le16_to_cpu(req->credits);
5465
5466 __l2cap_chan_add(conn, chan);
5467 dcid = chan->scid;
5468 credits = chan->rx_credits;
5469
5470 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5471
5472 chan->ident = cmd->ident;
5473
5474 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5475 l2cap_state_change(chan, BT_CONNECT2);
5476 result = L2CAP_CR_PEND;
5477 chan->ops->defer(chan);
5478 } else {
5479 l2cap_chan_ready(chan);
5480 result = L2CAP_CR_SUCCESS;
5481 }
5482
5483 response_unlock:
5484 l2cap_chan_unlock(pchan);
5485 mutex_unlock(&conn->chan_lock);
5486
5487 if (result == L2CAP_CR_PEND)
5488 return 0;
5489
5490 response:
5491 if (chan) {
5492 rsp.mtu = cpu_to_le16(chan->imtu);
5493 rsp.mps = cpu_to_le16(chan->mps);
5494 } else {
5495 rsp.mtu = 0;
5496 rsp.mps = 0;
5497 }
5498
5499 rsp.dcid = cpu_to_le16(dcid);
5500 rsp.credits = cpu_to_le16(credits);
5501 rsp.result = cpu_to_le16(result);
5502
5503 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5504
5505 return 0;
5506 }
5507
5508 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5509 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5510 u8 *data)
5511 {
5512 struct l2cap_le_credits *pkt;
5513 struct l2cap_chan *chan;
5514 u16 cid, credits, max_credits;
5515
5516 if (cmd_len != sizeof(*pkt))
5517 return -EPROTO;
5518
5519 pkt = (struct l2cap_le_credits *) data;
5520 cid = __le16_to_cpu(pkt->cid);
5521 credits = __le16_to_cpu(pkt->credits);
5522
5523 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5524
5525 chan = l2cap_get_chan_by_dcid(conn, cid);
5526 if (!chan)
5527 return -EBADSLT;
5528
5529 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5530 if (credits > max_credits) {
5531 BT_ERR("LE credits overflow");
5532 l2cap_send_disconn_req(chan, ECONNRESET);
5533
5534 /* Return 0 so that we don't trigger an unnecessary
5535 * command reject packet.
5536 */
5537 return 0;
5538 }
5539
5540 chan->tx_credits += credits;
5541
5542 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5543 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5544 chan->tx_credits--;
5545 }
5546
5547 if (chan->tx_credits)
5548 chan->ops->resume(chan);
5549
5550 l2cap_chan_unlock(chan);
5551
5552 return 0;
5553 }
5554
5555 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5556 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5557 u8 *data)
5558 {
5559 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5560 struct l2cap_chan *chan;
5561
5562 if (cmd_len < sizeof(*rej))
5563 return -EPROTO;
5564
5565 mutex_lock(&conn->chan_lock);
5566
5567 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5568 if (!chan)
5569 goto done;
5570
5571 l2cap_chan_lock(chan);
5572 l2cap_chan_del(chan, ECONNREFUSED);
5573 l2cap_chan_unlock(chan);
5574
5575 done:
5576 mutex_unlock(&conn->chan_lock);
5577 return 0;
5578 }
5579
5580 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5581 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5582 u8 *data)
5583 {
5584 int err = 0;
5585
5586 switch (cmd->code) {
5587 case L2CAP_COMMAND_REJ:
5588 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5589 break;
5590
5591 case L2CAP_CONN_PARAM_UPDATE_REQ:
5592 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5593 break;
5594
5595 case L2CAP_CONN_PARAM_UPDATE_RSP:
5596 break;
5597
5598 case L2CAP_LE_CONN_RSP:
5599 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5600 break;
5601
5602 case L2CAP_LE_CONN_REQ:
5603 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5604 break;
5605
5606 case L2CAP_LE_CREDITS:
5607 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5608 break;
5609
5610 case L2CAP_DISCONN_REQ:
5611 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5612 break;
5613
5614 case L2CAP_DISCONN_RSP:
5615 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5616 break;
5617
5618 default:
5619 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5620 err = -EINVAL;
5621 break;
5622 }
5623
5624 return err;
5625 }
5626
5627 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5628 struct sk_buff *skb)
5629 {
5630 struct hci_conn *hcon = conn->hcon;
5631 struct l2cap_cmd_hdr *cmd;
5632 u16 len;
5633 int err;
5634
5635 if (hcon->type != LE_LINK)
5636 goto drop;
5637
5638 if (skb->len < L2CAP_CMD_HDR_SIZE)
5639 goto drop;
5640
5641 cmd = (void *) skb->data;
5642 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5643
5644 len = le16_to_cpu(cmd->len);
5645
5646 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5647
5648 if (len != skb->len || !cmd->ident) {
5649 BT_DBG("corrupted command");
5650 goto drop;
5651 }
5652
5653 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5654 if (err) {
5655 struct l2cap_cmd_rej_unk rej;
5656
5657 BT_ERR("Wrong link type (%d)", err);
5658
5659 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5660 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5661 sizeof(rej), &rej);
5662 }
5663
5664 drop:
5665 kfree_skb(skb);
5666 }
5667
5668 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5669 struct sk_buff *skb)
5670 {
5671 struct hci_conn *hcon = conn->hcon;
5672 u8 *data = skb->data;
5673 int len = skb->len;
5674 struct l2cap_cmd_hdr cmd;
5675 int err;
5676
5677 l2cap_raw_recv(conn, skb);
5678
5679 if (hcon->type != ACL_LINK)
5680 goto drop;
5681
5682 while (len >= L2CAP_CMD_HDR_SIZE) {
5683 u16 cmd_len;
5684 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5685 data += L2CAP_CMD_HDR_SIZE;
5686 len -= L2CAP_CMD_HDR_SIZE;
5687
5688 cmd_len = le16_to_cpu(cmd.len);
5689
5690 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5691 cmd.ident);
5692
5693 if (cmd_len > len || !cmd.ident) {
5694 BT_DBG("corrupted command");
5695 break;
5696 }
5697
5698 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5699 if (err) {
5700 struct l2cap_cmd_rej_unk rej;
5701
5702 BT_ERR("Wrong link type (%d)", err);
5703
5704 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5705 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5706 sizeof(rej), &rej);
5707 }
5708
5709 data += cmd_len;
5710 len -= cmd_len;
5711 }
5712
5713 drop:
5714 kfree_skb(skb);
5715 }
5716
5717 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5718 {
5719 u16 our_fcs, rcv_fcs;
5720 int hdr_size;
5721
5722 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5723 hdr_size = L2CAP_EXT_HDR_SIZE;
5724 else
5725 hdr_size = L2CAP_ENH_HDR_SIZE;
5726
5727 if (chan->fcs == L2CAP_FCS_CRC16) {
5728 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5729 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5730 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5731
5732 if (our_fcs != rcv_fcs)
5733 return -EBADMSG;
5734 }
5735 return 0;
5736 }
5737
5738 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5739 {
5740 struct l2cap_ctrl control;
5741
5742 BT_DBG("chan %p", chan);
5743
5744 memset(&control, 0, sizeof(control));
5745 control.sframe = 1;
5746 control.final = 1;
5747 control.reqseq = chan->buffer_seq;
5748 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5749
5750 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5751 control.super = L2CAP_SUPER_RNR;
5752 l2cap_send_sframe(chan, &control);
5753 }
5754
5755 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5756 chan->unacked_frames > 0)
5757 __set_retrans_timer(chan);
5758
5759 /* Send pending iframes */
5760 l2cap_ertm_send(chan);
5761
5762 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5763 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5764 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5765 * send it now.
5766 */
5767 control.super = L2CAP_SUPER_RR;
5768 l2cap_send_sframe(chan, &control);
5769 }
5770 }
5771
5772 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5773 struct sk_buff **last_frag)
5774 {
5775 /* skb->len reflects data in skb as well as all fragments
5776 * skb->data_len reflects only data in fragments
5777 */
5778 if (!skb_has_frag_list(skb))
5779 skb_shinfo(skb)->frag_list = new_frag;
5780
5781 new_frag->next = NULL;
5782
5783 (*last_frag)->next = new_frag;
5784 *last_frag = new_frag;
5785
5786 skb->len += new_frag->len;
5787 skb->data_len += new_frag->len;
5788 skb->truesize += new_frag->truesize;
5789 }
5790
5791 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5792 struct l2cap_ctrl *control)
5793 {
5794 int err = -EINVAL;
5795
5796 switch (control->sar) {
5797 case L2CAP_SAR_UNSEGMENTED:
5798 if (chan->sdu)
5799 break;
5800
5801 err = chan->ops->recv(chan, skb);
5802 break;
5803
5804 case L2CAP_SAR_START:
5805 if (chan->sdu)
5806 break;
5807
5808 chan->sdu_len = get_unaligned_le16(skb->data);
5809 skb_pull(skb, L2CAP_SDULEN_SIZE);
5810
5811 if (chan->sdu_len > chan->imtu) {
5812 err = -EMSGSIZE;
5813 break;
5814 }
5815
5816 if (skb->len >= chan->sdu_len)
5817 break;
5818
5819 chan->sdu = skb;
5820 chan->sdu_last_frag = skb;
5821
5822 skb = NULL;
5823 err = 0;
5824 break;
5825
5826 case L2CAP_SAR_CONTINUE:
5827 if (!chan->sdu)
5828 break;
5829
5830 append_skb_frag(chan->sdu, skb,
5831 &chan->sdu_last_frag);
5832 skb = NULL;
5833
5834 if (chan->sdu->len >= chan->sdu_len)
5835 break;
5836
5837 err = 0;
5838 break;
5839
5840 case L2CAP_SAR_END:
5841 if (!chan->sdu)
5842 break;
5843
5844 append_skb_frag(chan->sdu, skb,
5845 &chan->sdu_last_frag);
5846 skb = NULL;
5847
5848 if (chan->sdu->len != chan->sdu_len)
5849 break;
5850
5851 err = chan->ops->recv(chan, chan->sdu);
5852
5853 if (!err) {
5854 /* Reassembly complete */
5855 chan->sdu = NULL;
5856 chan->sdu_last_frag = NULL;
5857 chan->sdu_len = 0;
5858 }
5859 break;
5860 }
5861
5862 if (err) {
5863 kfree_skb(skb);
5864 kfree_skb(chan->sdu);
5865 chan->sdu = NULL;
5866 chan->sdu_last_frag = NULL;
5867 chan->sdu_len = 0;
5868 }
5869
5870 return err;
5871 }
5872
5873 static int l2cap_resegment(struct l2cap_chan *chan)
5874 {
5875 /* Placeholder */
5876 return 0;
5877 }
5878
5879 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5880 {
5881 u8 event;
5882
5883 if (chan->mode != L2CAP_MODE_ERTM)
5884 return;
5885
5886 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5887 l2cap_tx(chan, NULL, NULL, event);
5888 }
5889
5890 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5891 {
5892 int err = 0;
5893 /* Pass sequential frames to l2cap_reassemble_sdu()
5894 * until a gap is encountered.
5895 */
5896
5897 BT_DBG("chan %p", chan);
5898
5899 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5900 struct sk_buff *skb;
5901 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5902 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5903
5904 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5905
5906 if (!skb)
5907 break;
5908
5909 skb_unlink(skb, &chan->srej_q);
5910 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5911 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5912 if (err)
5913 break;
5914 }
5915
5916 if (skb_queue_empty(&chan->srej_q)) {
5917 chan->rx_state = L2CAP_RX_STATE_RECV;
5918 l2cap_send_ack(chan);
5919 }
5920
5921 return err;
5922 }
5923
5924 static void l2cap_handle_srej(struct l2cap_chan *chan,
5925 struct l2cap_ctrl *control)
5926 {
5927 struct sk_buff *skb;
5928
5929 BT_DBG("chan %p, control %p", chan, control);
5930
5931 if (control->reqseq == chan->next_tx_seq) {
5932 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5933 l2cap_send_disconn_req(chan, ECONNRESET);
5934 return;
5935 }
5936
5937 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5938
5939 if (skb == NULL) {
5940 BT_DBG("Seq %d not available for retransmission",
5941 control->reqseq);
5942 return;
5943 }
5944
5945 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5946 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5947 l2cap_send_disconn_req(chan, ECONNRESET);
5948 return;
5949 }
5950
5951 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5952
5953 if (control->poll) {
5954 l2cap_pass_to_tx(chan, control);
5955
5956 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5957 l2cap_retransmit(chan, control);
5958 l2cap_ertm_send(chan);
5959
5960 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5961 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5962 chan->srej_save_reqseq = control->reqseq;
5963 }
5964 } else {
5965 l2cap_pass_to_tx_fbit(chan, control);
5966
5967 if (control->final) {
5968 if (chan->srej_save_reqseq != control->reqseq ||
5969 !test_and_clear_bit(CONN_SREJ_ACT,
5970 &chan->conn_state))
5971 l2cap_retransmit(chan, control);
5972 } else {
5973 l2cap_retransmit(chan, control);
5974 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5975 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5976 chan->srej_save_reqseq = control->reqseq;
5977 }
5978 }
5979 }
5980 }
5981
5982 static void l2cap_handle_rej(struct l2cap_chan *chan,
5983 struct l2cap_ctrl *control)
5984 {
5985 struct sk_buff *skb;
5986
5987 BT_DBG("chan %p, control %p", chan, control);
5988
5989 if (control->reqseq == chan->next_tx_seq) {
5990 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5991 l2cap_send_disconn_req(chan, ECONNRESET);
5992 return;
5993 }
5994
5995 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5996
5997 if (chan->max_tx && skb &&
5998 bt_cb(skb)->control.retries >= chan->max_tx) {
5999 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6000 l2cap_send_disconn_req(chan, ECONNRESET);
6001 return;
6002 }
6003
6004 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6005
6006 l2cap_pass_to_tx(chan, control);
6007
6008 if (control->final) {
6009 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6010 l2cap_retransmit_all(chan, control);
6011 } else {
6012 l2cap_retransmit_all(chan, control);
6013 l2cap_ertm_send(chan);
6014 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6015 set_bit(CONN_REJ_ACT, &chan->conn_state);
6016 }
6017 }
6018
6019 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6020 {
6021 BT_DBG("chan %p, txseq %d", chan, txseq);
6022
6023 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6024 chan->expected_tx_seq);
6025
6026 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6027 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6028 chan->tx_win) {
6029 /* See notes below regarding "double poll" and
6030 * invalid packets.
6031 */
6032 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6033 BT_DBG("Invalid/Ignore - after SREJ");
6034 return L2CAP_TXSEQ_INVALID_IGNORE;
6035 } else {
6036 BT_DBG("Invalid - in window after SREJ sent");
6037 return L2CAP_TXSEQ_INVALID;
6038 }
6039 }
6040
6041 if (chan->srej_list.head == txseq) {
6042 BT_DBG("Expected SREJ");
6043 return L2CAP_TXSEQ_EXPECTED_SREJ;
6044 }
6045
6046 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6047 BT_DBG("Duplicate SREJ - txseq already stored");
6048 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6049 }
6050
6051 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6052 BT_DBG("Unexpected SREJ - not requested");
6053 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6054 }
6055 }
6056
6057 if (chan->expected_tx_seq == txseq) {
6058 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6059 chan->tx_win) {
6060 BT_DBG("Invalid - txseq outside tx window");
6061 return L2CAP_TXSEQ_INVALID;
6062 } else {
6063 BT_DBG("Expected");
6064 return L2CAP_TXSEQ_EXPECTED;
6065 }
6066 }
6067
6068 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6069 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6070 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6071 return L2CAP_TXSEQ_DUPLICATE;
6072 }
6073
6074 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6075 /* A source of invalid packets is a "double poll" condition,
6076 * where delays cause us to send multiple poll packets. If
6077 * the remote stack receives and processes both polls,
6078 * sequence numbers can wrap around in such a way that a
6079 * resent frame has a sequence number that looks like new data
6080 * with a sequence gap. This would trigger an erroneous SREJ
6081 * request.
6082 *
6083 * Fortunately, this is impossible with a tx window that's
6084 * less than half of the maximum sequence number, which allows
6085 * invalid frames to be safely ignored.
6086 *
6087 * With tx window sizes greater than half of the tx window
6088 * maximum, the frame is invalid and cannot be ignored. This
6089 * causes a disconnect.
6090 */
6091
6092 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6093 BT_DBG("Invalid/Ignore - txseq outside tx window");
6094 return L2CAP_TXSEQ_INVALID_IGNORE;
6095 } else {
6096 BT_DBG("Invalid - txseq outside tx window");
6097 return L2CAP_TXSEQ_INVALID;
6098 }
6099 } else {
6100 BT_DBG("Unexpected - txseq indicates missing frames");
6101 return L2CAP_TXSEQ_UNEXPECTED;
6102 }
6103 }
6104
6105 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6106 struct l2cap_ctrl *control,
6107 struct sk_buff *skb, u8 event)
6108 {
6109 int err = 0;
6110 bool skb_in_use = false;
6111
6112 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6113 event);
6114
6115 switch (event) {
6116 case L2CAP_EV_RECV_IFRAME:
6117 switch (l2cap_classify_txseq(chan, control->txseq)) {
6118 case L2CAP_TXSEQ_EXPECTED:
6119 l2cap_pass_to_tx(chan, control);
6120
6121 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6122 BT_DBG("Busy, discarding expected seq %d",
6123 control->txseq);
6124 break;
6125 }
6126
6127 chan->expected_tx_seq = __next_seq(chan,
6128 control->txseq);
6129
6130 chan->buffer_seq = chan->expected_tx_seq;
6131 skb_in_use = true;
6132
6133 err = l2cap_reassemble_sdu(chan, skb, control);
6134 if (err)
6135 break;
6136
6137 if (control->final) {
6138 if (!test_and_clear_bit(CONN_REJ_ACT,
6139 &chan->conn_state)) {
6140 control->final = 0;
6141 l2cap_retransmit_all(chan, control);
6142 l2cap_ertm_send(chan);
6143 }
6144 }
6145
6146 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6147 l2cap_send_ack(chan);
6148 break;
6149 case L2CAP_TXSEQ_UNEXPECTED:
6150 l2cap_pass_to_tx(chan, control);
6151
6152 /* Can't issue SREJ frames in the local busy state.
6153 * Drop this frame, it will be seen as missing
6154 * when local busy is exited.
6155 */
6156 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6157 BT_DBG("Busy, discarding unexpected seq %d",
6158 control->txseq);
6159 break;
6160 }
6161
6162 /* There was a gap in the sequence, so an SREJ
6163 * must be sent for each missing frame. The
6164 * current frame is stored for later use.
6165 */
6166 skb_queue_tail(&chan->srej_q, skb);
6167 skb_in_use = true;
6168 BT_DBG("Queued %p (queue len %d)", skb,
6169 skb_queue_len(&chan->srej_q));
6170
6171 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6172 l2cap_seq_list_clear(&chan->srej_list);
6173 l2cap_send_srej(chan, control->txseq);
6174
6175 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6176 break;
6177 case L2CAP_TXSEQ_DUPLICATE:
6178 l2cap_pass_to_tx(chan, control);
6179 break;
6180 case L2CAP_TXSEQ_INVALID_IGNORE:
6181 break;
6182 case L2CAP_TXSEQ_INVALID:
6183 default:
6184 l2cap_send_disconn_req(chan, ECONNRESET);
6185 break;
6186 }
6187 break;
6188 case L2CAP_EV_RECV_RR:
6189 l2cap_pass_to_tx(chan, control);
6190 if (control->final) {
6191 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6192
6193 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6194 !__chan_is_moving(chan)) {
6195 control->final = 0;
6196 l2cap_retransmit_all(chan, control);
6197 }
6198
6199 l2cap_ertm_send(chan);
6200 } else if (control->poll) {
6201 l2cap_send_i_or_rr_or_rnr(chan);
6202 } else {
6203 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6204 &chan->conn_state) &&
6205 chan->unacked_frames)
6206 __set_retrans_timer(chan);
6207
6208 l2cap_ertm_send(chan);
6209 }
6210 break;
6211 case L2CAP_EV_RECV_RNR:
6212 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6213 l2cap_pass_to_tx(chan, control);
6214 if (control && control->poll) {
6215 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6216 l2cap_send_rr_or_rnr(chan, 0);
6217 }
6218 __clear_retrans_timer(chan);
6219 l2cap_seq_list_clear(&chan->retrans_list);
6220 break;
6221 case L2CAP_EV_RECV_REJ:
6222 l2cap_handle_rej(chan, control);
6223 break;
6224 case L2CAP_EV_RECV_SREJ:
6225 l2cap_handle_srej(chan, control);
6226 break;
6227 default:
6228 break;
6229 }
6230
6231 if (skb && !skb_in_use) {
6232 BT_DBG("Freeing %p", skb);
6233 kfree_skb(skb);
6234 }
6235
6236 return err;
6237 }
6238
6239 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6240 struct l2cap_ctrl *control,
6241 struct sk_buff *skb, u8 event)
6242 {
6243 int err = 0;
6244 u16 txseq = control->txseq;
6245 bool skb_in_use = false;
6246
6247 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6248 event);
6249
6250 switch (event) {
6251 case L2CAP_EV_RECV_IFRAME:
6252 switch (l2cap_classify_txseq(chan, txseq)) {
6253 case L2CAP_TXSEQ_EXPECTED:
6254 /* Keep frame for reassembly later */
6255 l2cap_pass_to_tx(chan, control);
6256 skb_queue_tail(&chan->srej_q, skb);
6257 skb_in_use = true;
6258 BT_DBG("Queued %p (queue len %d)", skb,
6259 skb_queue_len(&chan->srej_q));
6260
6261 chan->expected_tx_seq = __next_seq(chan, txseq);
6262 break;
6263 case L2CAP_TXSEQ_EXPECTED_SREJ:
6264 l2cap_seq_list_pop(&chan->srej_list);
6265
6266 l2cap_pass_to_tx(chan, control);
6267 skb_queue_tail(&chan->srej_q, skb);
6268 skb_in_use = true;
6269 BT_DBG("Queued %p (queue len %d)", skb,
6270 skb_queue_len(&chan->srej_q));
6271
6272 err = l2cap_rx_queued_iframes(chan);
6273 if (err)
6274 break;
6275
6276 break;
6277 case L2CAP_TXSEQ_UNEXPECTED:
6278 /* Got a frame that can't be reassembled yet.
6279 * Save it for later, and send SREJs to cover
6280 * the missing frames.
6281 */
6282 skb_queue_tail(&chan->srej_q, skb);
6283 skb_in_use = true;
6284 BT_DBG("Queued %p (queue len %d)", skb,
6285 skb_queue_len(&chan->srej_q));
6286
6287 l2cap_pass_to_tx(chan, control);
6288 l2cap_send_srej(chan, control->txseq);
6289 break;
6290 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6291 /* This frame was requested with an SREJ, but
6292 * some expected retransmitted frames are
6293 * missing. Request retransmission of missing
6294 * SREJ'd frames.
6295 */
6296 skb_queue_tail(&chan->srej_q, skb);
6297 skb_in_use = true;
6298 BT_DBG("Queued %p (queue len %d)", skb,
6299 skb_queue_len(&chan->srej_q));
6300
6301 l2cap_pass_to_tx(chan, control);
6302 l2cap_send_srej_list(chan, control->txseq);
6303 break;
6304 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6305 /* We've already queued this frame. Drop this copy. */
6306 l2cap_pass_to_tx(chan, control);
6307 break;
6308 case L2CAP_TXSEQ_DUPLICATE:
6309 /* Expecting a later sequence number, so this frame
6310 * was already received. Ignore it completely.
6311 */
6312 break;
6313 case L2CAP_TXSEQ_INVALID_IGNORE:
6314 break;
6315 case L2CAP_TXSEQ_INVALID:
6316 default:
6317 l2cap_send_disconn_req(chan, ECONNRESET);
6318 break;
6319 }
6320 break;
6321 case L2CAP_EV_RECV_RR:
6322 l2cap_pass_to_tx(chan, control);
6323 if (control->final) {
6324 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6325
6326 if (!test_and_clear_bit(CONN_REJ_ACT,
6327 &chan->conn_state)) {
6328 control->final = 0;
6329 l2cap_retransmit_all(chan, control);
6330 }
6331
6332 l2cap_ertm_send(chan);
6333 } else if (control->poll) {
6334 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6335 &chan->conn_state) &&
6336 chan->unacked_frames) {
6337 __set_retrans_timer(chan);
6338 }
6339
6340 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6341 l2cap_send_srej_tail(chan);
6342 } else {
6343 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6344 &chan->conn_state) &&
6345 chan->unacked_frames)
6346 __set_retrans_timer(chan);
6347
6348 l2cap_send_ack(chan);
6349 }
6350 break;
6351 case L2CAP_EV_RECV_RNR:
6352 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6353 l2cap_pass_to_tx(chan, control);
6354 if (control->poll) {
6355 l2cap_send_srej_tail(chan);
6356 } else {
6357 struct l2cap_ctrl rr_control;
6358 memset(&rr_control, 0, sizeof(rr_control));
6359 rr_control.sframe = 1;
6360 rr_control.super = L2CAP_SUPER_RR;
6361 rr_control.reqseq = chan->buffer_seq;
6362 l2cap_send_sframe(chan, &rr_control);
6363 }
6364
6365 break;
6366 case L2CAP_EV_RECV_REJ:
6367 l2cap_handle_rej(chan, control);
6368 break;
6369 case L2CAP_EV_RECV_SREJ:
6370 l2cap_handle_srej(chan, control);
6371 break;
6372 }
6373
6374 if (skb && !skb_in_use) {
6375 BT_DBG("Freeing %p", skb);
6376 kfree_skb(skb);
6377 }
6378
6379 return err;
6380 }
6381
6382 static int l2cap_finish_move(struct l2cap_chan *chan)
6383 {
6384 BT_DBG("chan %p", chan);
6385
6386 chan->rx_state = L2CAP_RX_STATE_RECV;
6387
6388 if (chan->hs_hcon)
6389 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6390 else
6391 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6392
6393 return l2cap_resegment(chan);
6394 }
6395
6396 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6397 struct l2cap_ctrl *control,
6398 struct sk_buff *skb, u8 event)
6399 {
6400 int err;
6401
6402 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6403 event);
6404
6405 if (!control->poll)
6406 return -EPROTO;
6407
6408 l2cap_process_reqseq(chan, control->reqseq);
6409
6410 if (!skb_queue_empty(&chan->tx_q))
6411 chan->tx_send_head = skb_peek(&chan->tx_q);
6412 else
6413 chan->tx_send_head = NULL;
6414
6415 /* Rewind next_tx_seq to the point expected
6416 * by the receiver.
6417 */
6418 chan->next_tx_seq = control->reqseq;
6419 chan->unacked_frames = 0;
6420
6421 err = l2cap_finish_move(chan);
6422 if (err)
6423 return err;
6424
6425 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6426 l2cap_send_i_or_rr_or_rnr(chan);
6427
6428 if (event == L2CAP_EV_RECV_IFRAME)
6429 return -EPROTO;
6430
6431 return l2cap_rx_state_recv(chan, control, NULL, event);
6432 }
6433
6434 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6435 struct l2cap_ctrl *control,
6436 struct sk_buff *skb, u8 event)
6437 {
6438 int err;
6439
6440 if (!control->final)
6441 return -EPROTO;
6442
6443 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6444
6445 chan->rx_state = L2CAP_RX_STATE_RECV;
6446 l2cap_process_reqseq(chan, control->reqseq);
6447
6448 if (!skb_queue_empty(&chan->tx_q))
6449 chan->tx_send_head = skb_peek(&chan->tx_q);
6450 else
6451 chan->tx_send_head = NULL;
6452
6453 /* Rewind next_tx_seq to the point expected
6454 * by the receiver.
6455 */
6456 chan->next_tx_seq = control->reqseq;
6457 chan->unacked_frames = 0;
6458
6459 if (chan->hs_hcon)
6460 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6461 else
6462 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6463
6464 err = l2cap_resegment(chan);
6465
6466 if (!err)
6467 err = l2cap_rx_state_recv(chan, control, skb, event);
6468
6469 return err;
6470 }
6471
6472 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6473 {
6474 /* Make sure reqseq is for a packet that has been sent but not acked */
6475 u16 unacked;
6476
6477 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6478 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6479 }
6480
6481 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6482 struct sk_buff *skb, u8 event)
6483 {
6484 int err = 0;
6485
6486 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6487 control, skb, event, chan->rx_state);
6488
6489 if (__valid_reqseq(chan, control->reqseq)) {
6490 switch (chan->rx_state) {
6491 case L2CAP_RX_STATE_RECV:
6492 err = l2cap_rx_state_recv(chan, control, skb, event);
6493 break;
6494 case L2CAP_RX_STATE_SREJ_SENT:
6495 err = l2cap_rx_state_srej_sent(chan, control, skb,
6496 event);
6497 break;
6498 case L2CAP_RX_STATE_WAIT_P:
6499 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6500 break;
6501 case L2CAP_RX_STATE_WAIT_F:
6502 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6503 break;
6504 default:
6505 /* shut it down */
6506 break;
6507 }
6508 } else {
6509 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6510 control->reqseq, chan->next_tx_seq,
6511 chan->expected_ack_seq);
6512 l2cap_send_disconn_req(chan, ECONNRESET);
6513 }
6514
6515 return err;
6516 }
6517
6518 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6519 struct sk_buff *skb)
6520 {
6521 int err = 0;
6522
6523 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6524 chan->rx_state);
6525
6526 if (l2cap_classify_txseq(chan, control->txseq) ==
6527 L2CAP_TXSEQ_EXPECTED) {
6528 l2cap_pass_to_tx(chan, control);
6529
6530 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6531 __next_seq(chan, chan->buffer_seq));
6532
6533 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6534
6535 l2cap_reassemble_sdu(chan, skb, control);
6536 } else {
6537 if (chan->sdu) {
6538 kfree_skb(chan->sdu);
6539 chan->sdu = NULL;
6540 }
6541 chan->sdu_last_frag = NULL;
6542 chan->sdu_len = 0;
6543
6544 if (skb) {
6545 BT_DBG("Freeing %p", skb);
6546 kfree_skb(skb);
6547 }
6548 }
6549
6550 chan->last_acked_seq = control->txseq;
6551 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6552
6553 return err;
6554 }
6555
6556 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6557 {
6558 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6559 u16 len;
6560 u8 event;
6561
6562 __unpack_control(chan, skb);
6563
6564 len = skb->len;
6565
6566 /*
6567 * We can just drop the corrupted I-frame here.
6568 * Receiver will miss it and start proper recovery
6569 * procedures and ask for retransmission.
6570 */
6571 if (l2cap_check_fcs(chan, skb))
6572 goto drop;
6573
6574 if (!control->sframe && control->sar == L2CAP_SAR_START)
6575 len -= L2CAP_SDULEN_SIZE;
6576
6577 if (chan->fcs == L2CAP_FCS_CRC16)
6578 len -= L2CAP_FCS_SIZE;
6579
6580 if (len > chan->mps) {
6581 l2cap_send_disconn_req(chan, ECONNRESET);
6582 goto drop;
6583 }
6584
6585 if (!control->sframe) {
6586 int err;
6587
6588 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6589 control->sar, control->reqseq, control->final,
6590 control->txseq);
6591
6592 /* Validate F-bit - F=0 always valid, F=1 only
6593 * valid in TX WAIT_F
6594 */
6595 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6596 goto drop;
6597
6598 if (chan->mode != L2CAP_MODE_STREAMING) {
6599 event = L2CAP_EV_RECV_IFRAME;
6600 err = l2cap_rx(chan, control, skb, event);
6601 } else {
6602 err = l2cap_stream_rx(chan, control, skb);
6603 }
6604
6605 if (err)
6606 l2cap_send_disconn_req(chan, ECONNRESET);
6607 } else {
6608 const u8 rx_func_to_event[4] = {
6609 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6610 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6611 };
6612
6613 /* Only I-frames are expected in streaming mode */
6614 if (chan->mode == L2CAP_MODE_STREAMING)
6615 goto drop;
6616
6617 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6618 control->reqseq, control->final, control->poll,
6619 control->super);
6620
6621 if (len != 0) {
6622 BT_ERR("Trailing bytes: %d in sframe", len);
6623 l2cap_send_disconn_req(chan, ECONNRESET);
6624 goto drop;
6625 }
6626
6627 /* Validate F and P bits */
6628 if (control->final && (control->poll ||
6629 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6630 goto drop;
6631
6632 event = rx_func_to_event[control->super];
6633 if (l2cap_rx(chan, control, skb, event))
6634 l2cap_send_disconn_req(chan, ECONNRESET);
6635 }
6636
6637 return 0;
6638
6639 drop:
6640 kfree_skb(skb);
6641 return 0;
6642 }
6643
6644 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6645 {
6646 struct l2cap_conn *conn = chan->conn;
6647 struct l2cap_le_credits pkt;
6648 u16 return_credits;
6649
6650 /* We return more credits to the sender only after the amount of
6651 * credits falls below half of the initial amount.
6652 */
6653 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6654 return;
6655
6656 return_credits = le_max_credits - chan->rx_credits;
6657
6658 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6659
6660 chan->rx_credits += return_credits;
6661
6662 pkt.cid = cpu_to_le16(chan->scid);
6663 pkt.credits = cpu_to_le16(return_credits);
6664
6665 chan->ident = l2cap_get_ident(conn);
6666
6667 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6668 }
6669
6670 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6671 {
6672 int err;
6673
6674 if (!chan->rx_credits) {
6675 BT_ERR("No credits to receive LE L2CAP data");
6676 l2cap_send_disconn_req(chan, ECONNRESET);
6677 return -ENOBUFS;
6678 }
6679
6680 if (chan->imtu < skb->len) {
6681 BT_ERR("Too big LE L2CAP PDU");
6682 return -ENOBUFS;
6683 }
6684
6685 chan->rx_credits--;
6686 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6687
6688 l2cap_chan_le_send_credits(chan);
6689
6690 err = 0;
6691
6692 if (!chan->sdu) {
6693 u16 sdu_len;
6694
6695 sdu_len = get_unaligned_le16(skb->data);
6696 skb_pull(skb, L2CAP_SDULEN_SIZE);
6697
6698 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6699 sdu_len, skb->len, chan->imtu);
6700
6701 if (sdu_len > chan->imtu) {
6702 BT_ERR("Too big LE L2CAP SDU length received");
6703 err = -EMSGSIZE;
6704 goto failed;
6705 }
6706
6707 if (skb->len > sdu_len) {
6708 BT_ERR("Too much LE L2CAP data received");
6709 err = -EINVAL;
6710 goto failed;
6711 }
6712
6713 if (skb->len == sdu_len)
6714 return chan->ops->recv(chan, skb);
6715
6716 chan->sdu = skb;
6717 chan->sdu_len = sdu_len;
6718 chan->sdu_last_frag = skb;
6719
6720 return 0;
6721 }
6722
6723 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6724 chan->sdu->len, skb->len, chan->sdu_len);
6725
6726 if (chan->sdu->len + skb->len > chan->sdu_len) {
6727 BT_ERR("Too much LE L2CAP data received");
6728 err = -EINVAL;
6729 goto failed;
6730 }
6731
6732 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6733 skb = NULL;
6734
6735 if (chan->sdu->len == chan->sdu_len) {
6736 err = chan->ops->recv(chan, chan->sdu);
6737 if (!err) {
6738 chan->sdu = NULL;
6739 chan->sdu_last_frag = NULL;
6740 chan->sdu_len = 0;
6741 }
6742 }
6743
6744 failed:
6745 if (err) {
6746 kfree_skb(skb);
6747 kfree_skb(chan->sdu);
6748 chan->sdu = NULL;
6749 chan->sdu_last_frag = NULL;
6750 chan->sdu_len = 0;
6751 }
6752
6753 /* We can't return an error here since we took care of the skb
6754 * freeing internally. An error return would cause the caller to
6755 * do a double-free of the skb.
6756 */
6757 return 0;
6758 }
6759
6760 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6761 struct sk_buff *skb)
6762 {
6763 struct l2cap_chan *chan;
6764
6765 chan = l2cap_get_chan_by_scid(conn, cid);
6766 if (!chan) {
6767 if (cid == L2CAP_CID_A2MP) {
6768 chan = a2mp_channel_create(conn, skb);
6769 if (!chan) {
6770 kfree_skb(skb);
6771 return;
6772 }
6773
6774 l2cap_chan_lock(chan);
6775 } else {
6776 BT_DBG("unknown cid 0x%4.4x", cid);
6777 /* Drop packet and return */
6778 kfree_skb(skb);
6779 return;
6780 }
6781 }
6782
6783 BT_DBG("chan %p, len %d", chan, skb->len);
6784
6785 if (chan->state != BT_CONNECTED)
6786 goto drop;
6787
6788 switch (chan->mode) {
6789 case L2CAP_MODE_LE_FLOWCTL:
6790 if (l2cap_le_data_rcv(chan, skb) < 0)
6791 goto drop;
6792
6793 goto done;
6794
6795 case L2CAP_MODE_BASIC:
6796 /* If socket recv buffers overflows we drop data here
6797 * which is *bad* because L2CAP has to be reliable.
6798 * But we don't have any other choice. L2CAP doesn't
6799 * provide flow control mechanism. */
6800
6801 if (chan->imtu < skb->len) {
6802 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6803 goto drop;
6804 }
6805
6806 if (!chan->ops->recv(chan, skb))
6807 goto done;
6808 break;
6809
6810 case L2CAP_MODE_ERTM:
6811 case L2CAP_MODE_STREAMING:
6812 l2cap_data_rcv(chan, skb);
6813 goto done;
6814
6815 default:
6816 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6817 break;
6818 }
6819
6820 drop:
6821 kfree_skb(skb);
6822
6823 done:
6824 l2cap_chan_unlock(chan);
6825 }
6826
6827 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6828 struct sk_buff *skb)
6829 {
6830 struct hci_conn *hcon = conn->hcon;
6831 struct l2cap_chan *chan;
6832
6833 if (hcon->type != ACL_LINK)
6834 goto drop;
6835
6836 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6837 ACL_LINK);
6838 if (!chan)
6839 goto drop;
6840
6841 BT_DBG("chan %p, len %d", chan, skb->len);
6842
6843 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6844 goto drop;
6845
6846 if (chan->imtu < skb->len)
6847 goto drop;
6848
6849 /* Store remote BD_ADDR and PSM for msg_name */
6850 bacpy(&bt_cb(skb)->bdaddr, &hcon->dst);
6851 bt_cb(skb)->psm = psm;
6852
6853 if (!chan->ops->recv(chan, skb))
6854 return;
6855
6856 drop:
6857 kfree_skb(skb);
6858 }
6859
6860 static void l2cap_att_channel(struct l2cap_conn *conn,
6861 struct sk_buff *skb)
6862 {
6863 struct hci_conn *hcon = conn->hcon;
6864 struct l2cap_chan *chan;
6865
6866 if (hcon->type != LE_LINK)
6867 goto drop;
6868
6869 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
6870 &hcon->src, &hcon->dst);
6871 if (!chan)
6872 goto drop;
6873
6874 BT_DBG("chan %p, len %d", chan, skb->len);
6875
6876 if (hci_blacklist_lookup(hcon->hdev, &hcon->dst, hcon->dst_type))
6877 goto drop;
6878
6879 if (chan->imtu < skb->len)
6880 goto drop;
6881
6882 if (!chan->ops->recv(chan, skb))
6883 return;
6884
6885 drop:
6886 kfree_skb(skb);
6887 }
6888
6889 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6890 {
6891 struct l2cap_hdr *lh = (void *) skb->data;
6892 struct hci_conn *hcon = conn->hcon;
6893 u16 cid, len;
6894 __le16 psm;
6895
6896 if (hcon->state != BT_CONNECTED) {
6897 BT_DBG("queueing pending rx skb");
6898 skb_queue_tail(&conn->pending_rx, skb);
6899 return;
6900 }
6901
6902 skb_pull(skb, L2CAP_HDR_SIZE);
6903 cid = __le16_to_cpu(lh->cid);
6904 len = __le16_to_cpu(lh->len);
6905
6906 if (len != skb->len) {
6907 kfree_skb(skb);
6908 return;
6909 }
6910
6911 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6912
6913 switch (cid) {
6914 case L2CAP_CID_SIGNALING:
6915 l2cap_sig_channel(conn, skb);
6916 break;
6917
6918 case L2CAP_CID_CONN_LESS:
6919 psm = get_unaligned((__le16 *) skb->data);
6920 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6921 l2cap_conless_channel(conn, psm, skb);
6922 break;
6923
6924 case L2CAP_CID_ATT:
6925 l2cap_att_channel(conn, skb);
6926 break;
6927
6928 case L2CAP_CID_LE_SIGNALING:
6929 l2cap_le_sig_channel(conn, skb);
6930 break;
6931
6932 case L2CAP_CID_SMP:
6933 if (smp_sig_channel(conn, skb))
6934 l2cap_conn_del(conn->hcon, EACCES);
6935 break;
6936
6937 case L2CAP_FC_6LOWPAN:
6938 bt_6lowpan_recv(conn, skb);
6939 break;
6940
6941 default:
6942 l2cap_data_channel(conn, cid, skb);
6943 break;
6944 }
6945 }
6946
6947 static void process_pending_rx(struct work_struct *work)
6948 {
6949 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6950 pending_rx_work);
6951 struct sk_buff *skb;
6952
6953 BT_DBG("");
6954
6955 while ((skb = skb_dequeue(&conn->pending_rx)))
6956 l2cap_recv_frame(conn, skb);
6957 }
6958
6959 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6960 {
6961 struct l2cap_conn *conn = hcon->l2cap_data;
6962 struct hci_chan *hchan;
6963
6964 if (conn)
6965 return conn;
6966
6967 hchan = hci_chan_create(hcon);
6968 if (!hchan)
6969 return NULL;
6970
6971 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
6972 if (!conn) {
6973 hci_chan_del(hchan);
6974 return NULL;
6975 }
6976
6977 kref_init(&conn->ref);
6978 hcon->l2cap_data = conn;
6979 conn->hcon = hcon;
6980 hci_conn_get(conn->hcon);
6981 conn->hchan = hchan;
6982
6983 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6984
6985 switch (hcon->type) {
6986 case LE_LINK:
6987 if (hcon->hdev->le_mtu) {
6988 conn->mtu = hcon->hdev->le_mtu;
6989 break;
6990 }
6991 /* fall through */
6992 default:
6993 conn->mtu = hcon->hdev->acl_mtu;
6994 break;
6995 }
6996
6997 conn->feat_mask = 0;
6998
6999 if (hcon->type == ACL_LINK)
7000 conn->hs_enabled = test_bit(HCI_HS_ENABLED,
7001 &hcon->hdev->dev_flags);
7002
7003 spin_lock_init(&conn->lock);
7004 mutex_init(&conn->chan_lock);
7005
7006 INIT_LIST_HEAD(&conn->chan_l);
7007 INIT_LIST_HEAD(&conn->users);
7008
7009 if (hcon->type == LE_LINK)
7010 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
7011 else
7012 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7013
7014 skb_queue_head_init(&conn->pending_rx);
7015 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7016
7017 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7018
7019 return conn;
7020 }
7021
7022 static bool is_valid_psm(u16 psm, u8 dst_type) {
7023 if (!psm)
7024 return false;
7025
7026 if (bdaddr_type_is_le(dst_type))
7027 return (psm <= 0x00ff);
7028
7029 /* PSM must be odd and lsb of upper byte must be 0 */
7030 return ((psm & 0x0101) == 0x0001);
7031 }
7032
7033 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7034 bdaddr_t *dst, u8 dst_type)
7035 {
7036 struct l2cap_conn *conn;
7037 struct hci_conn *hcon;
7038 struct hci_dev *hdev;
7039 __u8 auth_type;
7040 int err;
7041
7042 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7043 dst_type, __le16_to_cpu(psm));
7044
7045 hdev = hci_get_route(dst, &chan->src);
7046 if (!hdev)
7047 return -EHOSTUNREACH;
7048
7049 hci_dev_lock(hdev);
7050
7051 l2cap_chan_lock(chan);
7052
7053 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7054 chan->chan_type != L2CAP_CHAN_RAW) {
7055 err = -EINVAL;
7056 goto done;
7057 }
7058
7059 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7060 err = -EINVAL;
7061 goto done;
7062 }
7063
7064 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7065 err = -EINVAL;
7066 goto done;
7067 }
7068
7069 switch (chan->mode) {
7070 case L2CAP_MODE_BASIC:
7071 break;
7072 case L2CAP_MODE_LE_FLOWCTL:
7073 l2cap_le_flowctl_init(chan);
7074 break;
7075 case L2CAP_MODE_ERTM:
7076 case L2CAP_MODE_STREAMING:
7077 if (!disable_ertm)
7078 break;
7079 /* fall through */
7080 default:
7081 err = -ENOTSUPP;
7082 goto done;
7083 }
7084
7085 switch (chan->state) {
7086 case BT_CONNECT:
7087 case BT_CONNECT2:
7088 case BT_CONFIG:
7089 /* Already connecting */
7090 err = 0;
7091 goto done;
7092
7093 case BT_CONNECTED:
7094 /* Already connected */
7095 err = -EISCONN;
7096 goto done;
7097
7098 case BT_OPEN:
7099 case BT_BOUND:
7100 /* Can connect */
7101 break;
7102
7103 default:
7104 err = -EBADFD;
7105 goto done;
7106 }
7107
7108 /* Set destination address and psm */
7109 bacpy(&chan->dst, dst);
7110 chan->dst_type = dst_type;
7111
7112 chan->psm = psm;
7113 chan->dcid = cid;
7114
7115 auth_type = l2cap_get_auth_type(chan);
7116
7117 if (bdaddr_type_is_le(dst_type)) {
7118 /* Convert from L2CAP channel address type to HCI address type
7119 */
7120 if (dst_type == BDADDR_LE_PUBLIC)
7121 dst_type = ADDR_LE_DEV_PUBLIC;
7122 else
7123 dst_type = ADDR_LE_DEV_RANDOM;
7124
7125 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
7126 auth_type);
7127 } else {
7128 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7129 }
7130
7131 if (IS_ERR(hcon)) {
7132 err = PTR_ERR(hcon);
7133 goto done;
7134 }
7135
7136 conn = l2cap_conn_add(hcon);
7137 if (!conn) {
7138 hci_conn_drop(hcon);
7139 err = -ENOMEM;
7140 goto done;
7141 }
7142
7143 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7144 hci_conn_drop(hcon);
7145 err = -EBUSY;
7146 goto done;
7147 }
7148
7149 /* Update source addr of the socket */
7150 bacpy(&chan->src, &hcon->src);
7151 chan->src_type = bdaddr_type(hcon, hcon->src_type);
7152
7153 l2cap_chan_unlock(chan);
7154 l2cap_chan_add(conn, chan);
7155 l2cap_chan_lock(chan);
7156
7157 /* l2cap_chan_add takes its own ref so we can drop this one */
7158 hci_conn_drop(hcon);
7159
7160 l2cap_state_change(chan, BT_CONNECT);
7161 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7162
7163 /* Release chan->sport so that it can be reused by other
7164 * sockets (as it's only used for listening sockets).
7165 */
7166 write_lock(&chan_list_lock);
7167 chan->sport = 0;
7168 write_unlock(&chan_list_lock);
7169
7170 if (hcon->state == BT_CONNECTED) {
7171 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7172 __clear_chan_timer(chan);
7173 if (l2cap_chan_check_security(chan))
7174 l2cap_state_change(chan, BT_CONNECTED);
7175 } else
7176 l2cap_do_start(chan);
7177 }
7178
7179 err = 0;
7180
7181 done:
7182 l2cap_chan_unlock(chan);
7183 hci_dev_unlock(hdev);
7184 hci_dev_put(hdev);
7185 return err;
7186 }
7187
7188 /* ---- L2CAP interface with lower layer (HCI) ---- */
7189
7190 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7191 {
7192 int exact = 0, lm1 = 0, lm2 = 0;
7193 struct l2cap_chan *c;
7194
7195 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7196
7197 /* Find listening sockets and check their link_mode */
7198 read_lock(&chan_list_lock);
7199 list_for_each_entry(c, &chan_list, global_l) {
7200 if (c->state != BT_LISTEN)
7201 continue;
7202
7203 if (!bacmp(&c->src, &hdev->bdaddr)) {
7204 lm1 |= HCI_LM_ACCEPT;
7205 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7206 lm1 |= HCI_LM_MASTER;
7207 exact++;
7208 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7209 lm2 |= HCI_LM_ACCEPT;
7210 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7211 lm2 |= HCI_LM_MASTER;
7212 }
7213 }
7214 read_unlock(&chan_list_lock);
7215
7216 return exact ? lm1 : lm2;
7217 }
7218
7219 void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7220 {
7221 struct l2cap_conn *conn;
7222
7223 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7224
7225 if (!status) {
7226 conn = l2cap_conn_add(hcon);
7227 if (conn)
7228 l2cap_conn_ready(conn);
7229 } else {
7230 l2cap_conn_del(hcon, bt_to_errno(status));
7231 }
7232 }
7233
7234 int l2cap_disconn_ind(struct hci_conn *hcon)
7235 {
7236 struct l2cap_conn *conn = hcon->l2cap_data;
7237
7238 BT_DBG("hcon %p", hcon);
7239
7240 if (!conn)
7241 return HCI_ERROR_REMOTE_USER_TERM;
7242 return conn->disc_reason;
7243 }
7244
7245 void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7246 {
7247 BT_DBG("hcon %p reason %d", hcon, reason);
7248
7249 bt_6lowpan_del_conn(hcon->l2cap_data);
7250
7251 l2cap_conn_del(hcon, bt_to_errno(reason));
7252 }
7253
7254 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7255 {
7256 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7257 return;
7258
7259 if (encrypt == 0x00) {
7260 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7261 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7262 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7263 chan->sec_level == BT_SECURITY_FIPS)
7264 l2cap_chan_close(chan, ECONNREFUSED);
7265 } else {
7266 if (chan->sec_level == BT_SECURITY_MEDIUM)
7267 __clear_chan_timer(chan);
7268 }
7269 }
7270
7271 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7272 {
7273 struct l2cap_conn *conn = hcon->l2cap_data;
7274 struct l2cap_chan *chan;
7275
7276 if (!conn)
7277 return 0;
7278
7279 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7280
7281 if (hcon->type == LE_LINK) {
7282 if (!status && encrypt)
7283 smp_distribute_keys(conn);
7284 cancel_delayed_work(&conn->security_timer);
7285 }
7286
7287 mutex_lock(&conn->chan_lock);
7288
7289 list_for_each_entry(chan, &conn->chan_l, list) {
7290 l2cap_chan_lock(chan);
7291
7292 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7293 state_to_string(chan->state));
7294
7295 if (chan->scid == L2CAP_CID_A2MP) {
7296 l2cap_chan_unlock(chan);
7297 continue;
7298 }
7299
7300 if (chan->scid == L2CAP_CID_ATT) {
7301 if (!status && encrypt) {
7302 chan->sec_level = hcon->sec_level;
7303 l2cap_chan_ready(chan);
7304 }
7305
7306 l2cap_chan_unlock(chan);
7307 continue;
7308 }
7309
7310 if (!__l2cap_no_conn_pending(chan)) {
7311 l2cap_chan_unlock(chan);
7312 continue;
7313 }
7314
7315 if (!status && (chan->state == BT_CONNECTED ||
7316 chan->state == BT_CONFIG)) {
7317 chan->ops->resume(chan);
7318 l2cap_check_encryption(chan, encrypt);
7319 l2cap_chan_unlock(chan);
7320 continue;
7321 }
7322
7323 if (chan->state == BT_CONNECT) {
7324 if (!status)
7325 l2cap_start_connection(chan);
7326 else
7327 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7328 } else if (chan->state == BT_CONNECT2) {
7329 struct l2cap_conn_rsp rsp;
7330 __u16 res, stat;
7331
7332 if (!status) {
7333 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7334 res = L2CAP_CR_PEND;
7335 stat = L2CAP_CS_AUTHOR_PEND;
7336 chan->ops->defer(chan);
7337 } else {
7338 l2cap_state_change(chan, BT_CONFIG);
7339 res = L2CAP_CR_SUCCESS;
7340 stat = L2CAP_CS_NO_INFO;
7341 }
7342 } else {
7343 l2cap_state_change(chan, BT_DISCONN);
7344 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7345 res = L2CAP_CR_SEC_BLOCK;
7346 stat = L2CAP_CS_NO_INFO;
7347 }
7348
7349 rsp.scid = cpu_to_le16(chan->dcid);
7350 rsp.dcid = cpu_to_le16(chan->scid);
7351 rsp.result = cpu_to_le16(res);
7352 rsp.status = cpu_to_le16(stat);
7353 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7354 sizeof(rsp), &rsp);
7355
7356 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7357 res == L2CAP_CR_SUCCESS) {
7358 char buf[128];
7359 set_bit(CONF_REQ_SENT, &chan->conf_state);
7360 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7361 L2CAP_CONF_REQ,
7362 l2cap_build_conf_req(chan, buf),
7363 buf);
7364 chan->num_conf_req++;
7365 }
7366 }
7367
7368 l2cap_chan_unlock(chan);
7369 }
7370
7371 mutex_unlock(&conn->chan_lock);
7372
7373 return 0;
7374 }
7375
7376 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7377 {
7378 struct l2cap_conn *conn = hcon->l2cap_data;
7379 struct l2cap_hdr *hdr;
7380 int len;
7381
7382 /* For AMP controller do not create l2cap conn */
7383 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7384 goto drop;
7385
7386 if (!conn)
7387 conn = l2cap_conn_add(hcon);
7388
7389 if (!conn)
7390 goto drop;
7391
7392 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7393
7394 switch (flags) {
7395 case ACL_START:
7396 case ACL_START_NO_FLUSH:
7397 case ACL_COMPLETE:
7398 if (conn->rx_len) {
7399 BT_ERR("Unexpected start frame (len %d)", skb->len);
7400 kfree_skb(conn->rx_skb);
7401 conn->rx_skb = NULL;
7402 conn->rx_len = 0;
7403 l2cap_conn_unreliable(conn, ECOMM);
7404 }
7405
7406 /* Start fragment always begin with Basic L2CAP header */
7407 if (skb->len < L2CAP_HDR_SIZE) {
7408 BT_ERR("Frame is too short (len %d)", skb->len);
7409 l2cap_conn_unreliable(conn, ECOMM);
7410 goto drop;
7411 }
7412
7413 hdr = (struct l2cap_hdr *) skb->data;
7414 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7415
7416 if (len == skb->len) {
7417 /* Complete frame received */
7418 l2cap_recv_frame(conn, skb);
7419 return 0;
7420 }
7421
7422 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7423
7424 if (skb->len > len) {
7425 BT_ERR("Frame is too long (len %d, expected len %d)",
7426 skb->len, len);
7427 l2cap_conn_unreliable(conn, ECOMM);
7428 goto drop;
7429 }
7430
7431 /* Allocate skb for the complete frame (with header) */
7432 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7433 if (!conn->rx_skb)
7434 goto drop;
7435
7436 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7437 skb->len);
7438 conn->rx_len = len - skb->len;
7439 break;
7440
7441 case ACL_CONT:
7442 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7443
7444 if (!conn->rx_len) {
7445 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7446 l2cap_conn_unreliable(conn, ECOMM);
7447 goto drop;
7448 }
7449
7450 if (skb->len > conn->rx_len) {
7451 BT_ERR("Fragment is too long (len %d, expected %d)",
7452 skb->len, conn->rx_len);
7453 kfree_skb(conn->rx_skb);
7454 conn->rx_skb = NULL;
7455 conn->rx_len = 0;
7456 l2cap_conn_unreliable(conn, ECOMM);
7457 goto drop;
7458 }
7459
7460 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7461 skb->len);
7462 conn->rx_len -= skb->len;
7463
7464 if (!conn->rx_len) {
7465 /* Complete frame received. l2cap_recv_frame
7466 * takes ownership of the skb so set the global
7467 * rx_skb pointer to NULL first.
7468 */
7469 struct sk_buff *rx_skb = conn->rx_skb;
7470 conn->rx_skb = NULL;
7471 l2cap_recv_frame(conn, rx_skb);
7472 }
7473 break;
7474 }
7475
7476 drop:
7477 kfree_skb(skb);
7478 return 0;
7479 }
7480
7481 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7482 {
7483 struct l2cap_chan *c;
7484
7485 read_lock(&chan_list_lock);
7486
7487 list_for_each_entry(c, &chan_list, global_l) {
7488 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7489 &c->src, &c->dst,
7490 c->state, __le16_to_cpu(c->psm),
7491 c->scid, c->dcid, c->imtu, c->omtu,
7492 c->sec_level, c->mode);
7493 }
7494
7495 read_unlock(&chan_list_lock);
7496
7497 return 0;
7498 }
7499
7500 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7501 {
7502 return single_open(file, l2cap_debugfs_show, inode->i_private);
7503 }
7504
7505 static const struct file_operations l2cap_debugfs_fops = {
7506 .open = l2cap_debugfs_open,
7507 .read = seq_read,
7508 .llseek = seq_lseek,
7509 .release = single_release,
7510 };
7511
7512 static struct dentry *l2cap_debugfs;
7513
7514 int __init l2cap_init(void)
7515 {
7516 int err;
7517
7518 err = l2cap_init_sockets();
7519 if (err < 0)
7520 return err;
7521
7522 if (IS_ERR_OR_NULL(bt_debugfs))
7523 return 0;
7524
7525 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7526 NULL, &l2cap_debugfs_fops);
7527
7528 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7529 &le_max_credits);
7530 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7531 &le_default_mps);
7532
7533 bt_6lowpan_init();
7534
7535 return 0;
7536 }
7537
7538 void l2cap_exit(void)
7539 {
7540 bt_6lowpan_cleanup();
7541 debugfs_remove(l2cap_debugfs);
7542 l2cap_cleanup_sockets();
7543 }
7544
7545 module_param(disable_ertm, bool, 0644);
7546 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Linux with added FPC-III support