blob: 60298975d5c45620f21ca5fe161da1a9fdf55eec [file] [log] [blame]
/*
BlueZ - Bluetooth protocol stack for Linux
Copyright (C) 2000-2001 Qualcomm Incorporated
Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
Copyright (C) 2010 Google Inc.
Copyright (C) 2011 ProFUSION Embedded Systems
Copyright (c) 2012 Code Aurora Forum. All rights reserved.
Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation;
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
SOFTWARE IS DISCLAIMED.
*/
/* Bluetooth L2CAP core. */
#include <linux/module.h>
#include <linux/debugfs.h>
#include <linux/crc16.h>
#include <linux/filter.h>
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include "smp.h"
#include "a2mp.h"
#include "amp.h"
#define LE_FLOWCTL_MAX_CREDITS 65535
bool disable_ertm;
bool enable_ecred = IS_ENABLED(CONFIG_BT_LE_L2CAP_ECRED);
static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
static LIST_HEAD(chan_list);
static DEFINE_RWLOCK(chan_list_lock);
static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
u8 code, u8 ident, u16 dlen, void *data);
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
void *data);
static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
struct sk_buff_head *skbs, u8 event);
static void l2cap_retrans_timeout(struct work_struct *work);
static void l2cap_monitor_timeout(struct work_struct *work);
static void l2cap_ack_timeout(struct work_struct *work);
static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
{
if (link_type == LE_LINK) {
if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
return BDADDR_LE_PUBLIC;
else
return BDADDR_LE_RANDOM;
}
return BDADDR_BREDR;
}
static inline u8 bdaddr_src_type(struct hci_conn *hcon)
{
return bdaddr_type(hcon->type, hcon->src_type);
}
static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
{
return bdaddr_type(hcon->type, hcon->dst_type);
}
/* ---- L2CAP channels ---- */
static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
u16 cid)
{
struct l2cap_chan *c;
list_for_each_entry(c, &conn->chan_l, list) {
if (c->dcid == cid)
return c;
}
return NULL;
}
static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
u16 cid)
{
struct l2cap_chan *c;
list_for_each_entry(c, &conn->chan_l, list) {
if (c->scid == cid)
return c;
}
return NULL;
}
/* Find channel with given SCID.
* Returns a reference locked channel.
*/
static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
u16 cid)
{
struct l2cap_chan *c;
mutex_lock(&conn->chan_lock);
c = __l2cap_get_chan_by_scid(conn, cid);
if (c) {
/* Only lock if chan reference is not 0 */
c = l2cap_chan_hold_unless_zero(c);
if (c)
l2cap_chan_lock(c);
}
mutex_unlock(&conn->chan_lock);
return c;
}
/* Find channel with given DCID.
* Returns a reference locked channel.
*/
static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
u16 cid)
{
struct l2cap_chan *c;
mutex_lock(&conn->chan_lock);
c = __l2cap_get_chan_by_dcid(conn, cid);
if (c) {
/* Only lock if chan reference is not 0 */
c = l2cap_chan_hold_unless_zero(c);
if (c)
l2cap_chan_lock(c);
}
mutex_unlock(&conn->chan_lock);
return c;
}
static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
u8 ident)
{
struct l2cap_chan *c;
list_for_each_entry(c, &conn->chan_l, list) {
if (c->ident == ident)
return c;
}
return NULL;
}
static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
u8 ident)
{
struct l2cap_chan *c;
mutex_lock(&conn->chan_lock);
c = __l2cap_get_chan_by_ident(conn, ident);
if (c) {
/* Only lock if chan reference is not 0 */
c = l2cap_chan_hold_unless_zero(c);
if (c)
l2cap_chan_lock(c);
}
mutex_unlock(&conn->chan_lock);
return c;
}
static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
u8 src_type)
{
struct l2cap_chan *c;
list_for_each_entry(c, &chan_list, global_l) {
if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
continue;
if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
continue;
if (c->sport == psm && !bacmp(&c->src, src))
return c;
}
return NULL;
}
int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
{
int err;
write_lock(&chan_list_lock);
if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
err = -EADDRINUSE;
goto done;
}
if (psm) {
chan->psm = psm;
chan->sport = psm;
err = 0;
} else {
u16 p, start, end, incr;
if (chan->src_type == BDADDR_BREDR) {
start = L2CAP_PSM_DYN_START;
end = L2CAP_PSM_AUTO_END;
incr = 2;
} else {
start = L2CAP_PSM_LE_DYN_START;
end = L2CAP_PSM_LE_DYN_END;
incr = 1;
}
err = -EINVAL;
for (p = start; p <= end; p += incr)
if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
chan->src_type)) {
chan->psm = cpu_to_le16(p);
chan->sport = cpu_to_le16(p);
err = 0;
break;
}
}
done:
write_unlock(&chan_list_lock);
return err;
}
EXPORT_SYMBOL_GPL(l2cap_add_psm);
int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
{
write_lock(&chan_list_lock);
/* Override the defaults (which are for conn-oriented) */
chan->omtu = L2CAP_DEFAULT_MTU;
chan->chan_type = L2CAP_CHAN_FIXED;
chan->scid = scid;
write_unlock(&chan_list_lock);
return 0;
}
static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
{
u16 cid, dyn_end;
if (conn->hcon->type == LE_LINK)
dyn_end = L2CAP_CID_LE_DYN_END;
else
dyn_end = L2CAP_CID_DYN_END;
for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
if (!__l2cap_get_chan_by_scid(conn, cid))
return cid;
}
return 0;
}
static void l2cap_state_change(struct l2cap_chan *chan, int state)
{
BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
state_to_string(state));
chan->state = state;
chan->ops->state_change(chan, state, 0);
}
static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
int state, int err)
{
chan->state = state;
chan->ops->state_change(chan, chan->state, err);
}
static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
{
chan->ops->state_change(chan, chan->state, err);
}
static void __set_retrans_timer(struct l2cap_chan *chan)
{
if (!delayed_work_pending(&chan->monitor_timer) &&
chan->retrans_timeout) {
l2cap_set_timer(chan, &chan->retrans_timer,
msecs_to_jiffies(chan->retrans_timeout));
}
}
static void __set_monitor_timer(struct l2cap_chan *chan)
{
__clear_retrans_timer(chan);
if (chan->monitor_timeout) {
l2cap_set_timer(chan, &chan->monitor_timer,
msecs_to_jiffies(chan->monitor_timeout));
}
}
static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
u16 seq)
{
struct sk_buff *skb;
skb_queue_walk(head, skb) {
if (bt_cb(skb)->l2cap.txseq == seq)
return skb;
}
return NULL;
}
/* ---- L2CAP sequence number lists ---- */
/* For ERTM, ordered lists of sequence numbers must be tracked for
* SREJ requests that are received and for frames that are to be
* retransmitted. These seq_list functions implement a singly-linked
* list in an array, where membership in the list can also be checked
* in constant time. Items can also be added to the tail of the list
* and removed from the head in constant time, without further memory
* allocs or frees.
*/
static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
{
size_t alloc_size, i;
/* Allocated size is a power of 2 to map sequence numbers
* (which may be up to 14 bits) in to a smaller array that is
* sized for the negotiated ERTM transmit windows.
*/
alloc_size = roundup_pow_of_two(size);
seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
if (!seq_list->list)
return -ENOMEM;
seq_list->mask = alloc_size - 1;
seq_list->head = L2CAP_SEQ_LIST_CLEAR;
seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
for (i = 0; i < alloc_size; i++)
seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
return 0;
}
static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
{
kfree(seq_list->list);
}
static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
u16 seq)
{
/* Constant-time check for list membership */
return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
}
static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
{
u16 seq = seq_list->head;
u16 mask = seq_list->mask;
seq_list->head = seq_list->list[seq & mask];
seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
seq_list->head = L2CAP_SEQ_LIST_CLEAR;
seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
}
return seq;
}
static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
{
u16 i;
if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
return;
for (i = 0; i <= seq_list->mask; i++)
seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
seq_list->head = L2CAP_SEQ_LIST_CLEAR;
seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
}
static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
{
u16 mask = seq_list->mask;
/* All appends happen in constant time */
if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
return;
if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
seq_list->head = seq;
else
seq_list->list[seq_list->tail & mask] = seq;
seq_list->tail = seq;
seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
}
static void l2cap_chan_timeout(struct work_struct *work)
{
struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
chan_timer.work);
struct l2cap_conn *conn = chan->conn;
int reason;
BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
mutex_lock(&conn->chan_lock);
/* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
* this work. No need to call l2cap_chan_hold(chan) here again.
*/
l2cap_chan_lock(chan);
if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
reason = ECONNREFUSED;
else if (chan->state == BT_CONNECT &&
chan->sec_level != BT_SECURITY_SDP)
reason = ECONNREFUSED;
else
reason = ETIMEDOUT;
l2cap_chan_close(chan, reason);
chan->ops->close(chan);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
mutex_unlock(&conn->chan_lock);
}
struct l2cap_chan *l2cap_chan_create(void)
{
struct l2cap_chan *chan;
chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
if (!chan)
return NULL;
skb_queue_head_init(&chan->tx_q);
skb_queue_head_init(&chan->srej_q);
mutex_init(&chan->lock);
/* Set default lock nesting level */
atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
write_lock(&chan_list_lock);
list_add(&chan->global_l, &chan_list);
write_unlock(&chan_list_lock);
INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
chan->state = BT_OPEN;
kref_init(&chan->kref);
/* This flag is cleared in l2cap_chan_ready() */
set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
BT_DBG("chan %p", chan);
return chan;
}
EXPORT_SYMBOL_GPL(l2cap_chan_create);
static void l2cap_chan_destroy(struct kref *kref)
{
struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
BT_DBG("chan %p", chan);
write_lock(&chan_list_lock);
list_del(&chan->global_l);
write_unlock(&chan_list_lock);
kfree(chan);
}
void l2cap_chan_hold(struct l2cap_chan *c)
{
BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
kref_get(&c->kref);
}
struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c)
{
BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
if (!kref_get_unless_zero(&c->kref))
return NULL;
return c;
}
void l2cap_chan_put(struct l2cap_chan *c)
{
BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
kref_put(&c->kref, l2cap_chan_destroy);
}
EXPORT_SYMBOL_GPL(l2cap_chan_put);
void l2cap_chan_set_defaults(struct l2cap_chan *chan)
{
chan->fcs = L2CAP_FCS_CRC16;
chan->max_tx = L2CAP_DEFAULT_MAX_TX;
chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
chan->remote_max_tx = chan->max_tx;
chan->remote_tx_win = chan->tx_win;
chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
chan->sec_level = BT_SECURITY_LOW;
chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
chan->conf_state = 0;
set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
}
EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
{
chan->sdu = NULL;
chan->sdu_last_frag = NULL;
chan->sdu_len = 0;
chan->tx_credits = tx_credits;
/* Derive MPS from connection MTU to stop HCI fragmentation */
chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
/* Give enough credits for a full packet */
chan->rx_credits = (chan->imtu / chan->mps) + 1;
skb_queue_head_init(&chan->tx_q);
}
static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
{
l2cap_le_flowctl_init(chan, tx_credits);
/* L2CAP implementations shall support a minimum MPS of 64 octets */
if (chan->mps < L2CAP_ECRED_MIN_MPS) {
chan->mps = L2CAP_ECRED_MIN_MPS;
chan->rx_credits = (chan->imtu / chan->mps) + 1;
}
}
void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
{
BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
__le16_to_cpu(chan->psm), chan->dcid);
conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
chan->conn = conn;
switch (chan->chan_type) {
case L2CAP_CHAN_CONN_ORIENTED:
/* Alloc CID for connection-oriented socket */
chan->scid = l2cap_alloc_cid(conn);
if (conn->hcon->type == ACL_LINK)
chan->omtu = L2CAP_DEFAULT_MTU;
break;
case L2CAP_CHAN_CONN_LESS:
/* Connectionless socket */
chan->scid = L2CAP_CID_CONN_LESS;
chan->dcid = L2CAP_CID_CONN_LESS;
chan->omtu = L2CAP_DEFAULT_MTU;
break;
case L2CAP_CHAN_FIXED:
/* Caller will set CID and CID specific MTU values */
break;
default:
/* Raw socket can send/recv signalling messages only */
chan->scid = L2CAP_CID_SIGNALING;
chan->dcid = L2CAP_CID_SIGNALING;
chan->omtu = L2CAP_DEFAULT_MTU;
}
chan->local_id = L2CAP_BESTEFFORT_ID;
chan->local_stype = L2CAP_SERV_BESTEFFORT;
chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
l2cap_chan_hold(chan);
/* Only keep a reference for fixed channels if they requested it */
if (chan->chan_type != L2CAP_CHAN_FIXED ||
test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
hci_conn_hold(conn->hcon);
list_add(&chan->list, &conn->chan_l);
}
void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
{
mutex_lock(&conn->chan_lock);
__l2cap_chan_add(conn, chan);
mutex_unlock(&conn->chan_lock);
}
void l2cap_chan_del(struct l2cap_chan *chan, int err)
{
struct l2cap_conn *conn = chan->conn;
__clear_chan_timer(chan);
BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
state_to_string(chan->state));
chan->ops->teardown(chan, err);
if (conn) {
struct amp_mgr *mgr = conn->hcon->amp_mgr;
/* Delete from channel list */
list_del(&chan->list);
l2cap_chan_put(chan);
chan->conn = NULL;
/* Reference was only held for non-fixed channels or
* fixed channels that explicitly requested it using the
* FLAG_HOLD_HCI_CONN flag.
*/
if (chan->chan_type != L2CAP_CHAN_FIXED ||
test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
hci_conn_drop(conn->hcon);
if (mgr && mgr->bredr_chan == chan)
mgr->bredr_chan = NULL;
}
if (chan->hs_hchan) {
struct hci_chan *hs_hchan = chan->hs_hchan;
BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
amp_disconnect_logical_link(hs_hchan);
}
if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
return;
switch (chan->mode) {
case L2CAP_MODE_BASIC:
break;
case L2CAP_MODE_LE_FLOWCTL:
case L2CAP_MODE_EXT_FLOWCTL:
skb_queue_purge(&chan->tx_q);
break;
case L2CAP_MODE_ERTM:
__clear_retrans_timer(chan);
__clear_monitor_timer(chan);
__clear_ack_timer(chan);
skb_queue_purge(&chan->srej_q);
l2cap_seq_list_free(&chan->srej_list);
l2cap_seq_list_free(&chan->retrans_list);
fallthrough;
case L2CAP_MODE_STREAMING:
skb_queue_purge(&chan->tx_q);
break;
}
}
EXPORT_SYMBOL_GPL(l2cap_chan_del);
static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id,
l2cap_chan_func_t func, void *data)
{
struct l2cap_chan *chan, *l;
list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
if (chan->ident == id)
func(chan, data);
}
}
static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
void *data)
{
struct l2cap_chan *chan;
list_for_each_entry(chan, &conn->chan_l, list) {
func(chan, data);
}
}
void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
void *data)
{
if (!conn)
return;
mutex_lock(&conn->chan_lock);
__l2cap_chan_list(conn, func, data);
mutex_unlock(&conn->chan_lock);
}
EXPORT_SYMBOL_GPL(l2cap_chan_list);
static void l2cap_conn_update_id_addr(struct work_struct *work)
{
struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
id_addr_timer.work);
struct hci_conn *hcon = conn->hcon;
struct l2cap_chan *chan;
mutex_lock(&conn->chan_lock);
list_for_each_entry(chan, &conn->chan_l, list) {
l2cap_chan_lock(chan);
bacpy(&chan->dst, &hcon->dst);
chan->dst_type = bdaddr_dst_type(hcon);
l2cap_chan_unlock(chan);
}
mutex_unlock(&conn->chan_lock);
}
static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
{
struct l2cap_conn *conn = chan->conn;
struct l2cap_le_conn_rsp rsp;
u16 result;
if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
result = L2CAP_CR_LE_AUTHORIZATION;
else
result = L2CAP_CR_LE_BAD_PSM;
l2cap_state_change(chan, BT_DISCONN);
rsp.dcid = cpu_to_le16(chan->scid);
rsp.mtu = cpu_to_le16(chan->imtu);
rsp.mps = cpu_to_le16(chan->mps);
rsp.credits = cpu_to_le16(chan->rx_credits);
rsp.result = cpu_to_le16(result);
l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
&rsp);
}
static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
{
l2cap_state_change(chan, BT_DISCONN);
__l2cap_ecred_conn_rsp_defer(chan);
}
static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
{
struct l2cap_conn *conn = chan->conn;
struct l2cap_conn_rsp rsp;
u16 result;
if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
result = L2CAP_CR_SEC_BLOCK;
else
result = L2CAP_CR_BAD_PSM;
l2cap_state_change(chan, BT_DISCONN);
rsp.scid = cpu_to_le16(chan->dcid);
rsp.dcid = cpu_to_le16(chan->scid);
rsp.result = cpu_to_le16(result);
rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
}
void l2cap_chan_close(struct l2cap_chan *chan, int reason)
{
struct l2cap_conn *conn = chan->conn;
BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
switch (chan->state) {
case BT_LISTEN:
chan->ops->teardown(chan, 0);
break;
case BT_CONNECTED:
case BT_CONFIG:
if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
__set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
l2cap_send_disconn_req(chan, reason);
} else
l2cap_chan_del(chan, reason);
break;
case BT_CONNECT2:
if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
if (conn->hcon->type == ACL_LINK)
l2cap_chan_connect_reject(chan);
else if (conn->hcon->type == LE_LINK) {
switch (chan->mode) {
case L2CAP_MODE_LE_FLOWCTL:
l2cap_chan_le_connect_reject(chan);
break;
case L2CAP_MODE_EXT_FLOWCTL:
l2cap_chan_ecred_connect_reject(chan);
return;
}
}
}
l2cap_chan_del(chan, reason);
break;
case BT_CONNECT:
case BT_DISCONN:
l2cap_chan_del(chan, reason);
break;
default:
chan->ops->teardown(chan, 0);
break;
}
}
EXPORT_SYMBOL(l2cap_chan_close);
static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
{
switch (chan->chan_type) {
case L2CAP_CHAN_RAW:
switch (chan->sec_level) {
case BT_SECURITY_HIGH:
case BT_SECURITY_FIPS:
return HCI_AT_DEDICATED_BONDING_MITM;
case BT_SECURITY_MEDIUM:
return HCI_AT_DEDICATED_BONDING;
default:
return HCI_AT_NO_BONDING;
}
break;
case L2CAP_CHAN_CONN_LESS:
if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
if (chan->sec_level == BT_SECURITY_LOW)
chan->sec_level = BT_SECURITY_SDP;
}
if (chan->sec_level == BT_SECURITY_HIGH ||
chan->sec_level == BT_SECURITY_FIPS)
return HCI_AT_NO_BONDING_MITM;
else
return HCI_AT_NO_BONDING;
break;
case L2CAP_CHAN_CONN_ORIENTED:
if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
if (chan->sec_level == BT_SECURITY_LOW)
chan->sec_level = BT_SECURITY_SDP;
if (chan->sec_level == BT_SECURITY_HIGH ||
chan->sec_level == BT_SECURITY_FIPS)
return HCI_AT_NO_BONDING_MITM;
else
return HCI_AT_NO_BONDING;
}
fallthrough;
default:
switch (chan->sec_level) {
case BT_SECURITY_HIGH:
case BT_SECURITY_FIPS:
return HCI_AT_GENERAL_BONDING_MITM;
case BT_SECURITY_MEDIUM:
return HCI_AT_GENERAL_BONDING;
default:
return HCI_AT_NO_BONDING;
}
break;
}
}
/* Service level security */
int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
{
struct l2cap_conn *conn = chan->conn;
__u8 auth_type;
if (conn->hcon->type == LE_LINK)
return smp_conn_security(conn->hcon, chan->sec_level);
auth_type = l2cap_get_auth_type(chan);
return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
initiator);
}
static u8 l2cap_get_ident(struct l2cap_conn *conn)
{
u8 id;
/* Get next available identificator.
* 1 - 128 are used by kernel.
* 129 - 199 are reserved.
* 200 - 254 are used by utilities like l2ping, etc.
*/
mutex_lock(&conn->ident_lock);
if (++conn->tx_ident > 128)
conn->tx_ident = 1;
id = conn->tx_ident;
mutex_unlock(&conn->ident_lock);
return id;
}
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
void *data)
{
struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
u8 flags;
BT_DBG("code 0x%2.2x", code);
if (!skb)
return;
/* Use NO_FLUSH if supported or we have an LE link (which does
* not support auto-flushing packets) */
if (lmp_no_flush_capable(conn->hcon->hdev) ||
conn->hcon->type == LE_LINK)
flags = ACL_START_NO_FLUSH;
else
flags = ACL_START;
bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
skb->priority = HCI_PRIO_MAX;
hci_send_acl(conn->hchan, skb, flags);
}
static bool __chan_is_moving(struct l2cap_chan *chan)
{
return chan->move_state != L2CAP_MOVE_STABLE &&
chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
}
static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
{
struct hci_conn *hcon = chan->conn->hcon;
u16 flags;
BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
skb->priority);
if (chan->hs_hcon && !__chan_is_moving(chan)) {
if (chan->hs_hchan)
hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
else
kfree_skb(skb);
return;
}
/* Use NO_FLUSH for LE links (where this is the only option) or
* if the BR/EDR link supports it and flushing has not been
* explicitly requested (through FLAG_FLUSHABLE).
*/
if (hcon->type == LE_LINK ||
(!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
lmp_no_flush_capable(hcon->hdev)))
flags = ACL_START_NO_FLUSH;
else
flags = ACL_START;
bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
hci_send_acl(chan->conn->hchan, skb, flags);
}
static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
{
control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
if (enh & L2CAP_CTRL_FRAME_TYPE) {
/* S-Frame */
control->sframe = 1;
control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
control->sar = 0;
control->txseq = 0;
} else {
/* I-Frame */
control->sframe = 0;
control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
control->poll = 0;
control->super = 0;
}
}
static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
{
control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
/* S-Frame */
control->sframe = 1;
control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
control->sar = 0;
control->txseq = 0;
} else {
/* I-Frame */
control->sframe = 0;
control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
control->poll = 0;
control->super = 0;
}
}
static inline void __unpack_control(struct l2cap_chan *chan,
struct sk_buff *skb)
{
if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
__unpack_extended_control(get_unaligned_le32(skb->data),
&bt_cb(skb)->l2cap);
skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
} else {
__unpack_enhanced_control(get_unaligned_le16(skb->data),
&bt_cb(skb)->l2cap);
skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
}
}
static u32 __pack_extended_control(struct l2cap_ctrl *control)
{
u32 packed;
packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
if (control->sframe) {
packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
} else {
packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
}
return packed;
}
static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
{
u16 packed;
packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
if (control->sframe) {
packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
packed |= L2CAP_CTRL_FRAME_TYPE;
} else {
packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
}
return packed;
}
static inline void __pack_control(struct l2cap_chan *chan,
struct l2cap_ctrl *control,
struct sk_buff *skb)
{
if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
put_unaligned_le32(__pack_extended_control(control),
skb->data + L2CAP_HDR_SIZE);
} else {
put_unaligned_le16(__pack_enhanced_control(control),
skb->data + L2CAP_HDR_SIZE);
}
}
static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
{
if (test_bit(FLAG_EXT_CTRL, &chan->flags))
return L2CAP_EXT_HDR_SIZE;
else
return L2CAP_ENH_HDR_SIZE;
}
static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
u32 control)
{
struct sk_buff *skb;
struct l2cap_hdr *lh;
int hlen = __ertm_hdr_size(chan);
if (chan->fcs == L2CAP_FCS_CRC16)
hlen += L2CAP_FCS_SIZE;
skb = bt_skb_alloc(hlen, GFP_KERNEL);
if (!skb)
return ERR_PTR(-ENOMEM);
lh = skb_put(skb, L2CAP_HDR_SIZE);
lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
lh->cid = cpu_to_le16(chan->dcid);
if (test_bit(FLAG_EXT_CTRL, &chan->flags))
put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
else
put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
if (chan->fcs == L2CAP_FCS_CRC16) {
u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
}
skb->priority = HCI_PRIO_MAX;
return skb;
}
static void l2cap_send_sframe(struct l2cap_chan *chan,
struct l2cap_ctrl *control)
{
struct sk_buff *skb;
u32 control_field;
BT_DBG("chan %p, control %p", chan, control);
if (!control->sframe)
return;
if (__chan_is_moving(chan))
return;
if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
!control->poll)
control->final = 1;
if (control->super == L2CAP_SUPER_RR)
clear_bit(CONN_RNR_SENT, &chan->conn_state);
else if (control->super == L2CAP_SUPER_RNR)
set_bit(CONN_RNR_SENT, &chan->conn_state);
if (control->super != L2CAP_SUPER_SREJ) {
chan->last_acked_seq = control->reqseq;
__clear_ack_timer(chan);
}
BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
control->final, control->poll, control->super);
if (test_bit(FLAG_EXT_CTRL, &chan->flags))
control_field = __pack_extended_control(control);
else
control_field = __pack_enhanced_control(control);
skb = l2cap_create_sframe_pdu(chan, control_field);
if (!IS_ERR(skb))
l2cap_do_send(chan, skb);
}
static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
{
struct l2cap_ctrl control;
BT_DBG("chan %p, poll %d", chan, poll);
memset(&control, 0, sizeof(control));
control.sframe = 1;
control.poll = poll;
if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
control.super = L2CAP_SUPER_RNR;
else
control.super = L2CAP_SUPER_RR;
control.reqseq = chan->buffer_seq;
l2cap_send_sframe(chan, &control);
}
static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
{
if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
return true;
return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
}
static bool __amp_capable(struct l2cap_chan *chan)
{
struct l2cap_conn *conn = chan->conn;
struct hci_dev *hdev;
bool amp_available = false;
if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
return false;
if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
return false;
read_lock(&hci_dev_list_lock);
list_for_each_entry(hdev, &hci_dev_list, list) {
if (hdev->amp_type != AMP_TYPE_BREDR &&
test_bit(HCI_UP, &hdev->flags)) {
amp_available = true;
break;
}
}
read_unlock(&hci_dev_list_lock);
if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
return amp_available;
return false;
}
static bool l2cap_check_efs(struct l2cap_chan *chan)
{
/* Check EFS parameters */
return true;
}
void l2cap_send_conn_req(struct l2cap_chan *chan)
{
struct l2cap_conn *conn = chan->conn;
struct l2cap_conn_req req;
req.scid = cpu_to_le16(chan->scid);
req.psm = chan->psm;
chan->ident = l2cap_get_ident(conn);
set_bit(CONF_CONNECT_PEND, &chan->conf_state);
l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
}
static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
{
struct l2cap_create_chan_req req;
req.scid = cpu_to_le16(chan->scid);
req.psm = chan->psm;
req.amp_id = amp_id;
chan->ident = l2cap_get_ident(chan->conn);
l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
sizeof(req), &req);
}
static void l2cap_move_setup(struct l2cap_chan *chan)
{
struct sk_buff *skb;
BT_DBG("chan %p", chan);
if (chan->mode != L2CAP_MODE_ERTM)
return;
__clear_retrans_timer(chan);
__clear_monitor_timer(chan);
__clear_ack_timer(chan);
chan->retry_count = 0;
skb_queue_walk(&chan->tx_q, skb) {
if (bt_cb(skb)->l2cap.retries)
bt_cb(skb)->l2cap.retries = 1;
else
break;
}
chan->expected_tx_seq = chan->buffer_seq;
clear_bit(CONN_REJ_ACT, &chan->conn_state);
clear_bit(CONN_SREJ_ACT, &chan->conn_state);
l2cap_seq_list_clear(&chan->retrans_list);
l2cap_seq_list_clear(&chan->srej_list);
skb_queue_purge(&chan->srej_q);
chan->tx_state = L2CAP_TX_STATE_XMIT;
chan->rx_state = L2CAP_RX_STATE_MOVE;
set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
}
static void l2cap_move_done(struct l2cap_chan *chan)
{
u8 move_role = chan->move_role;
BT_DBG("chan %p", chan);
chan->move_state = L2CAP_MOVE_STABLE;
chan->move_role = L2CAP_MOVE_ROLE_NONE;
if (chan->mode != L2CAP_MODE_ERTM)
return;
switch (move_role) {
case L2CAP_MOVE_ROLE_INITIATOR:
l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
chan->rx_state = L2CAP_RX_STATE_WAIT_F;
break;
case L2CAP_MOVE_ROLE_RESPONDER:
chan->rx_state = L2CAP_RX_STATE_WAIT_P;
break;
}
}
static void l2cap_chan_ready(struct l2cap_chan *chan)
{
/* The channel may have already been flagged as connected in
* case of receiving data before the L2CAP info req/rsp
* procedure is complete.
*/
if (chan->state == BT_CONNECTED)
return;
/* This clears all conf flags, including CONF_NOT_COMPLETE */
chan->conf_state = 0;
__clear_chan_timer(chan);
switch (chan->mode) {
case L2CAP_MODE_LE_FLOWCTL:
case L2CAP_MODE_EXT_FLOWCTL:
if (!chan->tx_credits)
chan->ops->suspend(chan);
break;
}
chan->state = BT_CONNECTED;
chan->ops->ready(chan);
}
static void l2cap_le_connect(struct l2cap_chan *chan)
{
struct l2cap_conn *conn = chan->conn;
struct l2cap_le_conn_req req;
if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
return;
if (!chan->imtu)
chan->imtu = chan->conn->mtu;
l2cap_le_flowctl_init(chan, 0);
memset(&req, 0, sizeof(req));
req.psm = chan->psm;
req.scid = cpu_to_le16(chan->scid);
req.mtu = cpu_to_le16(chan->imtu);
req.mps = cpu_to_le16(chan->mps);
req.credits = cpu_to_le16(chan->rx_credits);
chan->ident = l2cap_get_ident(conn);
l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
sizeof(req), &req);
}
struct l2cap_ecred_conn_data {
struct {
struct l2cap_ecred_conn_req req;
__le16 scid[5];
} __packed pdu;
struct l2cap_chan *chan;
struct pid *pid;
int count;
};
static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
{
struct l2cap_ecred_conn_data *conn = data;
struct pid *pid;
if (chan == conn->chan)
return;
if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
return;
pid = chan->ops->get_peer_pid(chan);
/* Only add deferred channels with the same PID/PSM */
if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
return;
if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
return;
l2cap_ecred_init(chan, 0);
/* Set the same ident so we can match on the rsp */
chan->ident = conn->chan->ident;
/* Include all channels deferred */
conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
conn->count++;
}
static void l2cap_ecred_connect(struct l2cap_chan *chan)
{
struct l2cap_conn *conn = chan->conn;
struct l2cap_ecred_conn_data data;
if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
return;
if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
return;
l2cap_ecred_init(chan, 0);
memset(&data, 0, sizeof(data));
data.pdu.req.psm = chan->psm;
data.pdu.req.mtu = cpu_to_le16(chan->imtu);
data.pdu.req.mps = cpu_to_le16(chan->mps);
data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
data.pdu.scid[0] = cpu_to_le16(chan->scid);
chan->ident = l2cap_get_ident(conn);
data.count = 1;
data.chan = chan;
data.pid = chan->ops->get_peer_pid(chan);
__l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
sizeof(data.pdu.req) + data.count * sizeof(__le16),
&data.pdu);
}
static void l2cap_le_start(struct l2cap_chan *chan)
{
struct l2cap_conn *conn = chan->conn;
if (!smp_conn_security(conn->hcon, chan->sec_level))
return;
if (!chan->psm) {
l2cap_chan_ready(chan);
return;
}
if (chan->state == BT_CONNECT) {
if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
l2cap_ecred_connect(chan);
else
l2cap_le_connect(chan);
}
}
static void l2cap_start_connection(struct l2cap_chan *chan)
{
if (__amp_capable(chan)) {
BT_DBG("chan %p AMP capable: discover AMPs", chan);
a2mp_discover_amp(chan);
} else if (chan->conn->hcon->type == LE_LINK) {
l2cap_le_start(chan);
} else {
l2cap_send_conn_req(chan);
}
}
static void l2cap_request_info(struct l2cap_conn *conn)
{
struct l2cap_info_req req;
if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
return;
req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
conn->info_ident = l2cap_get_ident(conn);
schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
sizeof(req), &req);
}
static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
{
/* The minimum encryption key size needs to be enforced by the
* host stack before establishing any L2CAP connections. The
* specification in theory allows a minimum of 1, but to align
* BR/EDR and LE transports, a minimum of 7 is chosen.
*
* This check might also be called for unencrypted connections
* that have no key size requirements. Ensure that the link is
* actually encrypted before enforcing a key size.
*/
int min_key_size = hcon->hdev->min_enc_key_size;
/* On FIPS security level, key size must be 16 bytes */
if (hcon->sec_level == BT_SECURITY_FIPS)
min_key_size = 16;
return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
hcon->enc_key_size >= min_key_size);
}
static void l2cap_do_start(struct l2cap_chan *chan)
{
struct l2cap_conn *conn = chan->conn;
if (conn->hcon->type == LE_LINK) {
l2cap_le_start(chan);
return;
}
if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
l2cap_request_info(conn);
return;
}
if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
return;
if (!l2cap_chan_check_security(chan, true) ||
!__l2cap_no_conn_pending(chan))
return;
if (l2cap_check_enc_key_size(conn->hcon))
l2cap_start_connection(chan);
else
__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
}
static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
{
u32 local_feat_mask = l2cap_feat_mask;
if (!disable_ertm)
local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
switch (mode) {
case L2CAP_MODE_ERTM:
return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
case L2CAP_MODE_STREAMING:
return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
default:
return 0x00;
}
}
static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
{
struct l2cap_conn *conn = chan->conn;
struct l2cap_disconn_req req;
if (!conn)
return;
if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
__clear_retrans_timer(chan);
__clear_monitor_timer(chan);
__clear_ack_timer(chan);
}
if (chan->scid == L2CAP_CID_A2MP) {
l2cap_state_change(chan, BT_DISCONN);
return;
}
req.dcid = cpu_to_le16(chan->dcid);
req.scid = cpu_to_le16(chan->scid);
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
sizeof(req), &req);
l2cap_state_change_and_error(chan, BT_DISCONN, err);
}
/* ---- L2CAP connections ---- */
static void l2cap_conn_start(struct l2cap_conn *conn)
{
struct l2cap_chan *chan, *tmp;
BT_DBG("conn %p", conn);
mutex_lock(&conn->chan_lock);
list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
l2cap_chan_lock(chan);
if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
l2cap_chan_ready(chan);
l2cap_chan_unlock(chan);
continue;
}
if (chan->state == BT_CONNECT) {
if (!l2cap_chan_check_security(chan, true) ||
!__l2cap_no_conn_pending(chan)) {
l2cap_chan_unlock(chan);
continue;
}
if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
&& test_bit(CONF_STATE2_DEVICE,
&chan->conf_state)) {
l2cap_chan_close(chan, ECONNRESET);
l2cap_chan_unlock(chan);
continue;
}
if (l2cap_check_enc_key_size(conn->hcon))
l2cap_start_connection(chan);
else
l2cap_chan_close(chan, ECONNREFUSED);
} else if (chan->state == BT_CONNECT2) {
struct l2cap_conn_rsp rsp;
char buf[128];
rsp.scid = cpu_to_le16(chan->dcid);
rsp.dcid = cpu_to_le16(chan->scid);
if (l2cap_chan_check_security(chan, false)) {
if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
rsp.result = cpu_to_le16(L2CAP_CR_PEND);
rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
chan->ops->defer(chan);
} else {
l2cap_state_change(chan, BT_CONFIG);
rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
}
} else {
rsp.result = cpu_to_le16(L2CAP_CR_PEND);
rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
}
l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
sizeof(rsp), &rsp);
if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
rsp.result != L2CAP_CR_SUCCESS) {
l2cap_chan_unlock(chan);
continue;
}
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
l2cap_chan_unlock(chan);
}
mutex_unlock(&conn->chan_lock);
}
static void l2cap_le_conn_ready(struct l2cap_conn *conn)
{
struct hci_conn *hcon = conn->hcon;
struct hci_dev *hdev = hcon->hdev;
BT_DBG("%s conn %p", hdev->name, conn);
/* For outgoing pairing which doesn't necessarily have an
* associated socket (e.g. mgmt_pair_device).
*/
if (hcon->out)
smp_conn_security(hcon, hcon->pending_sec_level);
/* For LE peripheral connections, make sure the connection interval
* is in the range of the minimum and maximum interval that has
* been configured for this connection. If not, then trigger
* the connection update procedure.
*/
if (hcon->role == HCI_ROLE_SLAVE &&
(hcon->le_conn_interval < hcon->le_conn_min_interval ||
hcon->le_conn_interval > hcon->le_conn_max_interval)) {
struct l2cap_conn_param_update_req req;
req.min = cpu_to_le16(hcon->le_conn_min_interval);
req.max = cpu_to_le16(hcon->le_conn_max_interval);
req.latency = cpu_to_le16(hcon->le_conn_latency);
req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
l2cap_send_cmd(conn, l2cap_get_ident(conn),
L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
}
}
static void l2cap_conn_ready(struct l2cap_conn *conn)
{
struct l2cap_chan *chan;
struct hci_conn *hcon = conn->hcon;
BT_DBG("conn %p", conn);
if (hcon->type == ACL_LINK)
l2cap_request_info(conn);
mutex_lock(&conn->chan_lock);
list_for_each_entry(chan, &conn->chan_l, list) {
l2cap_chan_lock(chan);
if (chan->scid == L2CAP_CID_A2MP) {
l2cap_chan_unlock(chan);
continue;
}
if (hcon->type == LE_LINK) {
l2cap_le_start(chan);
} else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
l2cap_chan_ready(chan);
} else if (chan->state == BT_CONNECT) {
l2cap_do_start(chan);
}
l2cap_chan_unlock(chan);
}
mutex_unlock(&conn->chan_lock);
if (hcon->type == LE_LINK)
l2cap_le_conn_ready(conn);
queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
}
/* Notify sockets that we cannot guaranty reliability anymore */
static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
{
struct l2cap_chan *chan;
BT_DBG("conn %p", conn);
mutex_lock(&conn->chan_lock);
list_for_each_entry(chan, &conn->chan_l, list) {
if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
l2cap_chan_set_err(chan, err);
}
mutex_unlock(&conn->chan_lock);
}
static void l2cap_info_timeout(struct work_struct *work)
{
struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
info_timer.work);
conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
conn->info_ident = 0;
l2cap_conn_start(conn);
}
/*
* l2cap_user
* External modules can register l2cap_user objects on l2cap_conn. The ->probe
* callback is called during registration. The ->remove callback is called
* during unregistration.
* An l2cap_user object can either be explicitly unregistered or when the
* underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
* l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
* External modules must own a reference to the l2cap_conn object if they intend
* to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
* any time if they don't.
*/
int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
{
struct hci_dev *hdev = conn->hcon->hdev;
int ret;
/* We need to check whether l2cap_conn is registered. If it is not, we
* must not register the l2cap_user. l2cap_conn_del() is unregisters
* l2cap_conn objects, but doesn't provide its own locking. Instead, it
* relies on the parent hci_conn object to be locked. This itself relies
* on the hci_dev object to be locked. So we must lock the hci device
* here, too. */
hci_dev_lock(hdev);
if (!list_empty(&user->list)) {
ret = -EINVAL;
goto out_unlock;
}
/* conn->hchan is NULL after l2cap_conn_del() was called */
if (!conn->hchan) {
ret = -ENODEV;
goto out_unlock;
}
ret = user->probe(conn, user);
if (ret)
goto out_unlock;
list_add(&user->list, &conn->users);
ret = 0;
out_unlock:
hci_dev_unlock(hdev);
return ret;
}
EXPORT_SYMBOL(l2cap_register_user);
void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
{
struct hci_dev *hdev = conn->hcon->hdev;
hci_dev_lock(hdev);
if (list_empty(&user->list))
goto out_unlock;
list_del_init(&user->list);
user->remove(conn, user);
out_unlock:
hci_dev_unlock(hdev);
}
EXPORT_SYMBOL(l2cap_unregister_user);
static void l2cap_unregister_all_users(struct l2cap_conn *conn)
{
struct l2cap_user *user;
while (!list_empty(&conn->users)) {
user = list_first_entry(&conn->users, struct l2cap_user, list);
list_del_init(&user->list);
user->remove(conn, user);
}
}
static void l2cap_conn_del(struct hci_conn *hcon, int err)
{
struct l2cap_conn *conn = hcon->l2cap_data;
struct l2cap_chan *chan, *l;
if (!conn)
return;
BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
kfree_skb(conn->rx_skb);
skb_queue_purge(&conn->pending_rx);
/* We can not call flush_work(&conn->pending_rx_work) here since we
* might block if we are running on a worker from the same workqueue
* pending_rx_work is waiting on.
*/
if (work_pending(&conn->pending_rx_work))
cancel_work_sync(&conn->pending_rx_work);
cancel_delayed_work_sync(&conn->id_addr_timer);
l2cap_unregister_all_users(conn);
/* Force the connection to be immediately dropped */
hcon->disc_timeout = 0;
mutex_lock(&conn->chan_lock);
/* Kill channels */
list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
l2cap_chan_hold(chan);
l2cap_chan_lock(chan);
l2cap_chan_del(chan, err);
chan->ops->close(chan);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
}
mutex_unlock(&conn->chan_lock);
hci_chan_del(conn->hchan);
if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
cancel_delayed_work_sync(&conn->info_timer);
hcon->l2cap_data = NULL;
conn->hchan = NULL;
l2cap_conn_put(conn);
}
static void l2cap_conn_free(struct kref *ref)
{
struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
hci_conn_put(conn->hcon);
kfree(conn);
}
struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
{
kref_get(&conn->ref);
return conn;
}
EXPORT_SYMBOL(l2cap_conn_get);
void l2cap_conn_put(struct l2cap_conn *conn)
{
kref_put(&conn->ref, l2cap_conn_free);
}
EXPORT_SYMBOL(l2cap_conn_put);
/* ---- Socket interface ---- */
/* Find socket with psm and source / destination bdaddr.
* Returns closest match.
*/
static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
bdaddr_t *src,
bdaddr_t *dst,
u8 link_type)
{
struct l2cap_chan *c, *tmp, *c1 = NULL;
read_lock(&chan_list_lock);
list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
if (state && c->state != state)
continue;
if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
continue;
if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
continue;
if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
int src_match, dst_match;
int src_any, dst_any;
/* Exact match. */
src_match = !bacmp(&c->src, src);
dst_match = !bacmp(&c->dst, dst);
if (src_match && dst_match) {
if (!l2cap_chan_hold_unless_zero(c))
continue;
read_unlock(&chan_list_lock);
return c;
}
/* Closest match */
src_any = !bacmp(&c->src, BDADDR_ANY);
dst_any = !bacmp(&c->dst, BDADDR_ANY);
if ((src_match && dst_any) || (src_any && dst_match) ||
(src_any && dst_any))
c1 = c;
}
}
if (c1)
c1 = l2cap_chan_hold_unless_zero(c1);
read_unlock(&chan_list_lock);
return c1;
}
static void l2cap_monitor_timeout(struct work_struct *work)
{
struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
monitor_timer.work);
BT_DBG("chan %p", chan);
l2cap_chan_lock(chan);
if (!chan->conn) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
return;
}
l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
}
static void l2cap_retrans_timeout(struct work_struct *work)
{
struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
retrans_timer.work);
BT_DBG("chan %p", chan);
l2cap_chan_lock(chan);
if (!chan->conn) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
return;
}
l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
}
static void l2cap_streaming_send(struct l2cap_chan *chan,
struct sk_buff_head *skbs)
{
struct sk_buff *skb;
struct l2cap_ctrl *control;
BT_DBG("chan %p, skbs %p", chan, skbs);
if (__chan_is_moving(chan))
return;
skb_queue_splice_tail_init(skbs, &chan->tx_q);
while (!skb_queue_empty(&chan->tx_q)) {
skb = skb_dequeue(&chan->tx_q);
bt_cb(skb)->l2cap.retries = 1;
control = &bt_cb(skb)->l2cap;
control->reqseq = 0;
control->txseq = chan->next_tx_seq;
__pack_control(chan, control, skb);
if (chan->fcs == L2CAP_FCS_CRC16) {
u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
}
l2cap_do_send(chan, skb);
BT_DBG("Sent txseq %u", control->txseq);
chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
chan->frames_sent++;
}
}
static int l2cap_ertm_send(struct l2cap_chan *chan)
{
struct sk_buff *skb, *tx_skb;
struct l2cap_ctrl *control;
int sent = 0;
BT_DBG("chan %p", chan);
if (chan->state != BT_CONNECTED)
return -ENOTCONN;
if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
return 0;
if (__chan_is_moving(chan))
return 0;
while (chan->tx_send_head &&
chan->unacked_frames < chan->remote_tx_win &&
chan->tx_state == L2CAP_TX_STATE_XMIT) {
skb = chan->tx_send_head;
bt_cb(skb)->l2cap.retries = 1;
control = &bt_cb(skb)->l2cap;
if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
control->final = 1;
control->reqseq = chan->buffer_seq;
chan->last_acked_seq = chan->buffer_seq;
control->txseq = chan->next_tx_seq;
__pack_control(chan, control, skb);
if (chan->fcs == L2CAP_FCS_CRC16) {
u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
}
/* Clone after data has been modified. Data is assumed to be
read-only (for locking purposes) on cloned sk_buffs.
*/
tx_skb = skb_clone(skb, GFP_KERNEL);
if (!tx_skb)
break;
__set_retrans_timer(chan);
chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
chan->unacked_frames++;
chan->frames_sent++;
sent++;
if (skb_queue_is_last(&chan->tx_q, skb))
chan->tx_send_head = NULL;
else
chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
l2cap_do_send(chan, tx_skb);
BT_DBG("Sent txseq %u", control->txseq);
}
BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
chan->unacked_frames, skb_queue_len(&chan->tx_q));
return sent;
}
static void l2cap_ertm_resend(struct l2cap_chan *chan)
{
struct l2cap_ctrl control;
struct sk_buff *skb;
struct sk_buff *tx_skb;
u16 seq;
BT_DBG("chan %p", chan);
if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
return;
if (__chan_is_moving(chan))
return;
while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
seq = l2cap_seq_list_pop(&chan->retrans_list);
skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
if (!skb) {
BT_DBG("Error: Can't retransmit seq %d, frame missing",
seq);
continue;
}
bt_cb(skb)->l2cap.retries++;
control = bt_cb(skb)->l2cap;
if (chan->max_tx != 0 &&
bt_cb(skb)->l2cap.retries > chan->max_tx) {
BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
l2cap_send_disconn_req(chan, ECONNRESET);
l2cap_seq_list_clear(&chan->retrans_list);
break;
}
control.reqseq = chan->buffer_seq;
if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
control.final = 1;
else
control.final = 0;
if (skb_cloned(skb)) {
/* Cloned sk_buffs are read-only, so we need a
* writeable copy
*/
tx_skb = skb_copy(skb, GFP_KERNEL);
} else {
tx_skb = skb_clone(skb, GFP_KERNEL);
}
if (!tx_skb) {
l2cap_seq_list_clear(&chan->retrans_list);
break;
}
/* Update skb contents */
if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
put_unaligned_le32(__pack_extended_control(&control),
tx_skb->data + L2CAP_HDR_SIZE);
} else {
put_unaligned_le16(__pack_enhanced_control(&control),
tx_skb->data + L2CAP_HDR_SIZE);
}
/* Update FCS */
if (chan->fcs == L2CAP_FCS_CRC16) {
u16 fcs = crc16(0, (u8 *) tx_skb->data,
tx_skb->len - L2CAP_FCS_SIZE);
put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
L2CAP_FCS_SIZE);
}
l2cap_do_send(chan, tx_skb);
BT_DBG("Resent txseq %d", control.txseq);
chan->last_acked_seq = chan->buffer_seq;
}
}
static void l2cap_retransmit(struct l2cap_chan *chan,
struct l2cap_ctrl *control)
{
BT_DBG("chan %p, control %p", chan, control);
l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
l2cap_ertm_resend(chan);
}
static void l2cap_retransmit_all(struct l2cap_chan *chan,
struct l2cap_ctrl *control)
{
struct sk_buff *skb;
BT_DBG("chan %p, control %p", chan, control);
if (control->poll)
set_bit(CONN_SEND_FBIT, &chan->conn_state);
l2cap_seq_list_clear(&chan->retrans_list);
if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
return;
if (chan->unacked_frames) {
skb_queue_walk(&chan->tx_q, skb) {
if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
skb == chan->tx_send_head)
break;
}
skb_queue_walk_from(&chan->tx_q, skb) {
if (skb == chan->tx_send_head)
break;
l2cap_seq_list_append(&chan->retrans_list,
bt_cb(skb)->l2cap.txseq);
}
l2cap_ertm_resend(chan);
}
}
static void l2cap_send_ack(struct l2cap_chan *chan)
{
struct l2cap_ctrl control;
u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
chan->last_acked_seq);
int threshold;
BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
chan, chan->last_acked_seq, chan->buffer_seq);
memset(&control, 0, sizeof(control));
control.sframe = 1;
if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
chan->rx_state == L2CAP_RX_STATE_RECV) {
__clear_ack_timer(chan);
control.super = L2CAP_SUPER_RNR;
control.reqseq = chan->buffer_seq;
l2cap_send_sframe(chan, &control);
} else {
if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
l2cap_ertm_send(chan);
/* If any i-frames were sent, they included an ack */
if (chan->buffer_seq == chan->last_acked_seq)
frames_to_ack = 0;
}
/* Ack now if the window is 3/4ths full.
* Calculate without mul or div
*/
threshold = chan->ack_win;
threshold += threshold << 1;
threshold >>= 2;
BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
threshold);
if (frames_to_ack >= threshold) {
__clear_ack_timer(chan);
control.super = L2CAP_SUPER_RR;
control.reqseq = chan->buffer_seq;
l2cap_send_sframe(chan, &control);
frames_to_ack = 0;
}
if (frames_to_ack)
__set_ack_timer(chan);
}
}
static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
struct msghdr *msg, int len,
int count, struct sk_buff *skb)
{
struct l2cap_conn *conn = chan->conn;
struct sk_buff **frag;
int sent = 0;
if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
return -EFAULT;
sent += count;
len -= count;
/* Continuation fragments (no L2CAP header) */
frag = &skb_shinfo(skb)->frag_list;
while (len) {
struct sk_buff *tmp;
count = min_t(unsigned int, conn->mtu, len);
tmp = chan->ops->alloc_skb(chan, 0, count,
msg->msg_flags & MSG_DONTWAIT);
if (IS_ERR(tmp))
return PTR_ERR(tmp);
*frag = tmp;
if (!copy_from_iter_full(skb_put(*frag, count), count,
&msg->msg_iter))
return -EFAULT;
sent += count;
len -= count;
skb->len += (*frag)->len;
skb->data_len += (*frag)->len;
frag = &(*frag)->next;
}
return sent;
}
static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
struct msghdr *msg, size_t len)
{
struct l2cap_conn *conn = chan->conn;
struct sk_buff *skb;
int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
struct l2cap_hdr *lh;
BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
__le16_to_cpu(chan->psm), len);
count = min_t(unsigned int, (conn->mtu - hlen), len);
skb = chan->ops->alloc_skb(chan, hlen, count,
msg->msg_flags & MSG_DONTWAIT);
if (IS_ERR(skb))
return skb;
/* Create L2CAP header */
lh = skb_put(skb, L2CAP_HDR_SIZE);
lh->cid = cpu_to_le16(chan->dcid);
lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
if (unlikely(err < 0)) {
kfree_skb(skb);
return ERR_PTR(err);
}
return skb;
}
static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
struct msghdr *msg, size_t len)
{
struct l2cap_conn *conn = chan->conn;
struct sk_buff *skb;
int err, count;
struct l2cap_hdr *lh;
BT_DBG("chan %p len %zu", chan, len);
count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
msg->msg_flags & MSG_DONTWAIT);
if (IS_ERR(skb))
return skb;
/* Create L2CAP header */
lh = skb_put(skb, L2CAP_HDR_SIZE);
lh->cid = cpu_to_le16(chan->dcid);
lh->len = cpu_to_le16(len);
err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
if (unlikely(err < 0)) {
kfree_skb(skb);
return ERR_PTR(err);
}
return skb;
}
static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
struct msghdr *msg, size_t len,
u16 sdulen)
{
struct l2cap_conn *conn = chan->conn;
struct sk_buff *skb;
int err, count, hlen;
struct l2cap_hdr *lh;
BT_DBG("chan %p len %zu", chan, len);
if (!conn)
return ERR_PTR(-ENOTCONN);
hlen = __ertm_hdr_size(chan);
if (sdulen)
hlen += L2CAP_SDULEN_SIZE;
if (chan->fcs == L2CAP_FCS_CRC16)
hlen += L2CAP_FCS_SIZE;
count = min_t(unsigned int, (conn->mtu - hlen), len);
skb = chan->ops->alloc_skb(chan, hlen, count,
msg->msg_flags & MSG_DONTWAIT);
if (IS_ERR(skb))
return skb;
/* Create L2CAP header */
lh = skb_put(skb, L2CAP_HDR_SIZE);
lh->cid = cpu_to_le16(chan->dcid);
lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
/* Control header is populated later */
if (test_bit(FLAG_EXT_CTRL, &chan->flags))
put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
else
put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
if (sdulen)
put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
if (unlikely(err < 0)) {
kfree_skb(skb);
return ERR_PTR(err);
}
bt_cb(skb)->l2cap.fcs = chan->fcs;
bt_cb(skb)->l2cap.retries = 0;
return skb;
}
static int l2cap_segment_sdu(struct l2cap_chan *chan,
struct sk_buff_head *seg_queue,
struct msghdr *msg, size_t len)
{
struct sk_buff *skb;
u16 sdu_len;
size_t pdu_len;
u8 sar;
BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
/* It is critical that ERTM PDUs fit in a single HCI fragment,
* so fragmented skbs are not used. The HCI layer's handling
* of fragmented skbs is not compatible with ERTM's queueing.
*/
/* PDU size is derived from the HCI MTU */
pdu_len = chan->conn->mtu;
/* Constrain PDU size for BR/EDR connections */
if (!chan->hs_hcon)
pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
/* Adjust for largest possible L2CAP overhead. */
if (chan->fcs)
pdu_len -= L2CAP_FCS_SIZE;
pdu_len -= __ertm_hdr_size(chan);
/* Remote device may have requested smaller PDUs */
pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
if (len <= pdu_len) {
sar = L2CAP_SAR_UNSEGMENTED;
sdu_len = 0;
pdu_len = len;
} else {
sar = L2CAP_SAR_START;
sdu_len = len;
}
while (len > 0) {
skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
if (IS_ERR(skb)) {
__skb_queue_purge(seg_queue);
return PTR_ERR(skb);
}
bt_cb(skb)->l2cap.sar = sar;
__skb_queue_tail(seg_queue, skb);
len -= pdu_len;
if (sdu_len)
sdu_len = 0;
if (len <= pdu_len) {
sar = L2CAP_SAR_END;
pdu_len = len;
} else {
sar = L2CAP_SAR_CONTINUE;
}
}
return 0;
}
static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
struct msghdr *msg,
size_t len, u16 sdulen)
{
struct l2cap_conn *conn = chan->conn;
struct sk_buff *skb;
int err, count, hlen;
struct l2cap_hdr *lh;
BT_DBG("chan %p len %zu", chan, len);
if (!conn)
return ERR_PTR(-ENOTCONN);
hlen = L2CAP_HDR_SIZE;
if (sdulen)
hlen += L2CAP_SDULEN_SIZE;
count = min_t(unsigned int, (conn->mtu - hlen), len);
skb = chan->ops->alloc_skb(chan, hlen, count,
msg->msg_flags & MSG_DONTWAIT);
if (IS_ERR(skb))
return skb;
/* Create L2CAP header */
lh = skb_put(skb, L2CAP_HDR_SIZE);
lh->cid = cpu_to_le16(chan->dcid);
lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
if (sdulen)
put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
if (unlikely(err < 0)) {
kfree_skb(skb);
return ERR_PTR(err);
}
return skb;
}
static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
struct sk_buff_head *seg_queue,
struct msghdr *msg, size_t len)
{
struct sk_buff *skb;
size_t pdu_len;
u16 sdu_len;
BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
sdu_len = len;
pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
while (len > 0) {
if (len <= pdu_len)
pdu_len = len;
skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
if (IS_ERR(skb)) {
__skb_queue_purge(seg_queue);
return PTR_ERR(skb);
}
__skb_queue_tail(seg_queue, skb);
len -= pdu_len;
if (sdu_len) {
sdu_len = 0;
pdu_len += L2CAP_SDULEN_SIZE;
}
}
return 0;
}
static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
{
int sent = 0;
BT_DBG("chan %p", chan);
while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
chan->tx_credits--;
sent++;
}
BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
skb_queue_len(&chan->tx_q));
}
int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
{
struct sk_buff *skb;
int err;
struct sk_buff_head seg_queue;
if (!chan->conn)
return -ENOTCONN;
/* Connectionless channel */
if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
skb = l2cap_create_connless_pdu(chan, msg, len);
if (IS_ERR(skb))
return PTR_ERR(skb);
l2cap_do_send(chan, skb);
return len;
}
switch (chan->mode) {
case L2CAP_MODE_LE_FLOWCTL:
case L2CAP_MODE_EXT_FLOWCTL:
/* Check outgoing MTU */
if (len > chan->omtu)
return -EMSGSIZE;
__skb_queue_head_init(&seg_queue);
err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
if (chan->state != BT_CONNECTED) {
__skb_queue_purge(&seg_queue);
err = -ENOTCONN;
}
if (err)
return err;
skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
l2cap_le_flowctl_send(chan);
if (!chan->tx_credits)
chan->ops->suspend(chan);
err = len;
break;
case L2CAP_MODE_BASIC:
/* Check outgoing MTU */
if (len > chan->omtu)
return -EMSGSIZE;
/* Create a basic PDU */
skb = l2cap_create_basic_pdu(chan, msg, len);
if (IS_ERR(skb))
return PTR_ERR(skb);
l2cap_do_send(chan, skb);
err = len;
break;
case L2CAP_MODE_ERTM:
case L2CAP_MODE_STREAMING:
/* Check outgoing MTU */
if (len > chan->omtu) {
err = -EMSGSIZE;
break;
}
__skb_queue_head_init(&seg_queue);
/* Do segmentation before calling in to the state machine,
* since it's possible to block while waiting for memory
* allocation.
*/
err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
if (err)
break;
if (chan->mode == L2CAP_MODE_ERTM)
l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
else
l2cap_streaming_send(chan, &seg_queue);
err = len;
/* If the skbs were not queued for sending, they'll still be in
* seg_queue and need to be purged.
*/
__skb_queue_purge(&seg_queue);
break;
default:
BT_DBG("bad state %1.1x", chan->mode);
err = -EBADFD;
}
return err;
}
EXPORT_SYMBOL_GPL(l2cap_chan_send);
static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
{
struct l2cap_ctrl control;
u16 seq;
BT_DBG("chan %p, txseq %u", chan, txseq);
memset(&control, 0, sizeof(control));
control.sframe = 1;
control.super = L2CAP_SUPER_SREJ;
for (seq = chan->expected_tx_seq; seq != txseq;
seq = __next_seq(chan, seq)) {
if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
control.reqseq = seq;
l2cap_send_sframe(chan, &control);
l2cap_seq_list_append(&chan->srej_list, seq);
}
}
chan->expected_tx_seq = __next_seq(chan, txseq);
}
static void l2cap_send_srej_tail(struct l2cap_chan *chan)
{
struct l2cap_ctrl control;
BT_DBG("chan %p", chan);
if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
return;
memset(&control, 0, sizeof(control));
control.sframe = 1;
control.super = L2CAP_SUPER_SREJ;
control.reqseq = chan->srej_list.tail;
l2cap_send_sframe(chan, &control);
}
static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
{
struct l2cap_ctrl control;
u16 initial_head;
u16 seq;
BT_DBG("chan %p, txseq %u", chan, txseq);
memset(&control, 0, sizeof(control));
control.sframe = 1;
control.super = L2CAP_SUPER_SREJ;
/* Capture initial list head to allow only one pass through the list. */
initial_head = chan->srej_list.head;
do {
seq = l2cap_seq_list_pop(&chan->srej_list);
if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
break;
control.reqseq = seq;
l2cap_send_sframe(chan, &control);
l2cap_seq_list_append(&chan->srej_list, seq);
} while (chan->srej_list.head != initial_head);
}
static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
{
struct sk_buff *acked_skb;
u16 ackseq;
BT_DBG("chan %p, reqseq %u", chan, reqseq);
if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
return;
BT_DBG("expected_ack_seq %u, unacked_frames %u",
chan->expected_ack_seq, chan->unacked_frames);
for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
ackseq = __next_seq(chan, ackseq)) {
acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
if (acked_skb) {
skb_unlink(acked_skb, &chan->tx_q);
kfree_skb(acked_skb);
chan->unacked_frames--;
}
}
chan->expected_ack_seq = reqseq;
if (chan->unacked_frames == 0)
__clear_retrans_timer(chan);
BT_DBG("unacked_frames %u", chan->unacked_frames);
}
static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
{
BT_DBG("chan %p", chan);
chan->expected_tx_seq = chan->buffer_seq;
l2cap_seq_list_clear(&chan->srej_list);
skb_queue_purge(&chan->srej_q);
chan->rx_state = L2CAP_RX_STATE_RECV;
}
static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
struct l2cap_ctrl *control,
struct sk_buff_head *skbs, u8 event)
{
BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
event);
switch (event) {
case L2CAP_EV_DATA_REQUEST:
if (chan->tx_send_head == NULL)
chan->tx_send_head = skb_peek(skbs);
skb_queue_splice_tail_init(skbs, &chan->tx_q);
l2cap_ertm_send(chan);
break;
case L2CAP_EV_LOCAL_BUSY_DETECTED:
BT_DBG("Enter LOCAL_BUSY");
set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
/* The SREJ_SENT state must be aborted if we are to
* enter the LOCAL_BUSY state.
*/
l2cap_abort_rx_srej_sent(chan);
}
l2cap_send_ack(chan);
break;
case L2CAP_EV_LOCAL_BUSY_CLEAR:
BT_DBG("Exit LOCAL_BUSY");
clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
struct l2cap_ctrl local_control;
memset(&local_control, 0, sizeof(local_control));
local_control.sframe = 1;
local_control.super = L2CAP_SUPER_RR;
local_control.poll = 1;
local_control.reqseq = chan->buffer_seq;
l2cap_send_sframe(chan, &local_control);
chan->retry_count = 1;
__set_monitor_timer(chan);
chan->tx_state = L2CAP_TX_STATE_WAIT_F;
}
break;
case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
l2cap_process_reqseq(chan, control->reqseq);
break;
case L2CAP_EV_EXPLICIT_POLL:
l2cap_send_rr_or_rnr(chan, 1);
chan->retry_count = 1;
__set_monitor_timer(chan);
__clear_ack_timer(chan);
chan->tx_state = L2CAP_TX_STATE_WAIT_F;
break;
case L2CAP_EV_RETRANS_TO:
l2cap_send_rr_or_rnr(chan, 1);
chan->retry_count = 1;
__set_monitor_timer(chan);
chan->tx_state = L2CAP_TX_STATE_WAIT_F;
break;
case L2CAP_EV_RECV_FBIT:
/* Nothing to process */
break;
default:
break;
}
}
static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
struct l2cap_ctrl *control,
struct sk_buff_head *skbs, u8 event)
{
BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
event);
switch (event) {
case L2CAP_EV_DATA_REQUEST:
if (chan->tx_send_head == NULL)
chan->tx_send_head = skb_peek(skbs);
/* Queue data, but don't send. */
skb_queue_splice_tail_init(skbs, &chan->tx_q);
break;
case L2CAP_EV_LOCAL_BUSY_DETECTED:
BT_DBG("Enter LOCAL_BUSY");
set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
/* The SREJ_SENT state must be aborted if we are to
* enter the LOCAL_BUSY state.
*/
l2cap_abort_rx_srej_sent(chan);
}
l2cap_send_ack(chan);
break;
case L2CAP_EV_LOCAL_BUSY_CLEAR:
BT_DBG("Exit LOCAL_BUSY");
clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
struct l2cap_ctrl local_control;
memset(&local_control, 0, sizeof(local_control));
local_control.sframe = 1;
local_control.super = L2CAP_SUPER_RR;
local_control.poll = 1;
local_control.reqseq = chan->buffer_seq;
l2cap_send_sframe(chan, &local_control);
chan->retry_count = 1;
__set_monitor_timer(chan);
chan->tx_state = L2CAP_TX_STATE_WAIT_F;
}
break;
case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
l2cap_process_reqseq(chan, control->reqseq);
fallthrough;
case L2CAP_EV_RECV_FBIT:
if (control && control->final) {
__clear_monitor_timer(chan);
if (chan->unacked_frames > 0)
__set_retrans_timer(chan);
chan->retry_count = 0;
chan->tx_state = L2CAP_TX_STATE_XMIT;
BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
}
break;
case L2CAP_EV_EXPLICIT_POLL:
/* Ignore */
break;
case L2CAP_EV_MONITOR_TO:
if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
l2cap_send_rr_or_rnr(chan, 1);
__set_monitor_timer(chan);
chan->retry_count++;
} else {
l2cap_send_disconn_req(chan, ECONNABORTED);
}
break;
default:
break;
}
}
static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
struct sk_buff_head *skbs, u8 event)
{
BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
chan, control, skbs, event, chan->tx_state);
switch (chan->tx_state) {
case L2CAP_TX_STATE_XMIT:
l2cap_tx_state_xmit(chan, control, skbs, event);
break;
case L2CAP_TX_STATE_WAIT_F:
l2cap_tx_state_wait_f(chan, control, skbs, event);
break;
default:
/* Ignore event */
break;
}
}
static void l2cap_pass_to_tx(struct l2cap_chan *chan,
struct l2cap_ctrl *control)
{
BT_DBG("chan %p, control %p", chan, control);
l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
}
static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
struct l2cap_ctrl *control)
{
BT_DBG("chan %p, control %p", chan, control);
l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
}
/* Copy frame to all raw sockets on that connection */
static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
{
struct sk_buff *nskb;
struct l2cap_chan *chan;
BT_DBG("conn %p", conn);
mutex_lock(&conn->chan_lock);
list_for_each_entry(chan, &conn->chan_l, list) {
if (chan->chan_type != L2CAP_CHAN_RAW)
continue;
/* Don't send frame to the channel it came from */
if (bt_cb(skb)->l2cap.chan == chan)
continue;
nskb = skb_clone(skb, GFP_KERNEL);
if (!nskb)
continue;
if (chan->ops->recv(chan, nskb))
kfree_skb(nskb);
}
mutex_unlock(&conn->chan_lock);
}
/* ---- L2CAP signalling commands ---- */
static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
u8 ident, u16 dlen, void *data)
{
struct sk_buff *skb, **frag;
struct l2cap_cmd_hdr *cmd;
struct l2cap_hdr *lh;
int len, count;
BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
conn, code, ident, dlen);
if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
return NULL;
len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
count = min_t(unsigned int, conn->mtu, len);
skb = bt_skb_alloc(count, GFP_KERNEL);
if (!skb)
return NULL;
lh = skb_put(skb, L2CAP_HDR_SIZE);
lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
if (conn->hcon->type == LE_LINK)
lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
else
lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
cmd->code = code;
cmd->ident = ident;
cmd->len = cpu_to_le16(dlen);
if (dlen) {
count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
skb_put_data(skb, data, count);
data += count;
}
len -= skb->len;
/* Continuation fragments (no L2CAP header) */
frag = &skb_shinfo(skb)->frag_list;
while (len) {
count = min_t(unsigned int, conn->mtu, len);
*frag = bt_skb_alloc(count, GFP_KERNEL);
if (!*frag)
goto fail;
skb_put_data(*frag, data, count);
len -= count;
data += count;