1 /* l2cap_br.c - L2CAP BREDR oriented handling */
2
3 /*
4 * Copyright (c) 2016 Intel Corporation
5 *
6 * SPDX-License-Identifier: Apache-2.0
7 */
8
9 #include <zephyr/kernel.h>
10 #include <string.h>
11 #include <errno.h>
12 #include <zephyr/sys/atomic.h>
13 #include <zephyr/sys/byteorder.h>
14 #include <zephyr/sys/iterable_sections.h>
15 #include <zephyr/sys/util.h>
16
17 #include <zephyr/bluetooth/hci.h>
18 #include <zephyr/bluetooth/bluetooth.h>
19 #include <zephyr/bluetooth/conn.h>
20
21 #include "host/buf_view.h"
22 #include "host/hci_core.h"
23 #include "host/conn_internal.h"
24 #include "host/keys.h"
25 #include "l2cap_br_internal.h"
26 #include "avdtp_internal.h"
27 #include "a2dp_internal.h"
28 #include "avctp_internal.h"
29 #include "avrcp_internal.h"
30 #include "rfcomm_internal.h"
31 #include "sdp_internal.h"
32
33 #include <zephyr/logging/log.h>
34 LOG_MODULE_REGISTER(bt_l2cap_br, CONFIG_BT_L2CAP_LOG_LEVEL);
35
36 #define BR_CHAN_RTX(_w) CONTAINER_OF(k_work_delayable_from_work(_w), \
37 struct bt_l2cap_br_chan, rtx_work)
38
39 #define L2CAP_BR_PSM_START 0x0001
40 #define L2CAP_BR_PSM_END 0xffff
41 #define L2CAP_BR_PSM_DYN_START 0x1000
42 #define L2CAP_BR_PSM_DYN_END L2CAP_BR_PSM_END
43
44 #define L2CAP_BR_CID_DYN_START 0x0040
45 #define L2CAP_BR_CID_DYN_END 0xffff
46 #define L2CAP_BR_CID_IS_DYN(_cid) \
47 (_cid >= L2CAP_BR_CID_DYN_START && _cid <= L2CAP_BR_CID_DYN_END)
48
49 #define L2CAP_BR_MIN_MTU 48
50 #define L2CAP_BR_DEFAULT_MTU 672
51
52 #define L2CAP_BR_PSM_SDP 0x0001
53
54 #define L2CAP_BR_INFO_TIMEOUT K_SECONDS(4)
55 #define L2CAP_BR_CFG_TIMEOUT K_SECONDS(4)
56 #define L2CAP_BR_DISCONN_TIMEOUT K_SECONDS(1)
57 #define L2CAP_BR_CONN_TIMEOUT K_SECONDS(40)
58
59 /*
60 * L2CAP extended feature mask:
61 * BR/EDR fixed channel support enabled
62 */
63 #define L2CAP_FEAT_FIXED_CHAN_MASK 0x00000080
64
65 enum {
66 /* Connection oriented channels flags */
67 L2CAP_FLAG_CONN_LCONF_DONE, /* local config accepted by remote */
68 L2CAP_FLAG_CONN_RCONF_DONE, /* remote config accepted by local */
69 L2CAP_FLAG_CONN_ACCEPTOR, /* getting incoming connection req */
70 L2CAP_FLAG_CONN_PENDING, /* remote sent pending result in rsp */
71
72 /* Signaling channel flags */
73 L2CAP_FLAG_SIG_INFO_PENDING, /* retrieving remote l2cap info */
74 L2CAP_FLAG_SIG_INFO_DONE, /* remote l2cap info is done */
75
76 /* fixed channels flags */
77 L2CAP_FLAG_FIXED_CONNECTED, /* fixed connected */
78
79 /* Auth failed, disconnect ACL */
80 L2CAP_FLAG_DISCONNECT_ACL, /* Disconnect ACL */
81 };
82
83 static sys_slist_t br_servers;
84
85
86 /* Pool for outgoing BR/EDR signaling packets, min MTU is 48 */
87 NET_BUF_POOL_FIXED_DEFINE(br_sig_pool, CONFIG_BT_MAX_CONN,
88 BT_L2CAP_BUF_SIZE(L2CAP_BR_MIN_MTU), 8, NULL);
89
90 /* BR/EDR L2CAP signalling channel specific context */
91 struct bt_l2cap_br {
92 /* The channel this context is associated with */
93 struct bt_l2cap_br_chan chan;
94 uint8_t info_ident;
95 /*
96 * 2.1 CHANNEL IDENTIFIERS in
97 * BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 3, Part A.
98 * The range of fixed L2CAP CID is 0x0001 ~ 0x0007 both for LE and BR.
99 * So use one octet buffer to keep the `Fixed channels supported`
100 * of peer device.
101 */
102 uint8_t info_fixed_chan;
103 uint32_t info_feat_mask;
104 };
105
106 static struct bt_l2cap_br bt_l2cap_br_pool[CONFIG_BT_MAX_CONN];
107
bt_l2cap_br_lookup_rx_cid(struct bt_conn * conn,uint16_t cid)108 struct bt_l2cap_chan *bt_l2cap_br_lookup_rx_cid(struct bt_conn *conn,
109 uint16_t cid)
110 {
111 struct bt_l2cap_chan *chan;
112
113 SYS_SLIST_FOR_EACH_CONTAINER(&conn->channels, chan, node) {
114 if (BR_CHAN(chan)->rx.cid == cid) {
115 return chan;
116 }
117 }
118
119 return NULL;
120 }
121
bt_l2cap_br_lookup_tx_cid(struct bt_conn * conn,uint16_t cid)122 struct bt_l2cap_chan *bt_l2cap_br_lookup_tx_cid(struct bt_conn *conn,
123 uint16_t cid)
124 {
125 struct bt_l2cap_chan *chan;
126
127 SYS_SLIST_FOR_EACH_CONTAINER(&conn->channels, chan, node) {
128 if (BR_CHAN(chan)->tx.cid == cid) {
129 return chan;
130 }
131 }
132
133 return NULL;
134 }
135
bt_l2cap_br_get_remote_fixed_chan(struct bt_conn * conn)136 uint8_t bt_l2cap_br_get_remote_fixed_chan(struct bt_conn *conn)
137 {
138 struct bt_l2cap_chan *chan_sig;
139 struct bt_l2cap_br *br_chan_sig;
140
141 chan_sig = bt_l2cap_br_lookup_rx_cid(conn, BT_L2CAP_CID_BR_SIG);
142 if (!chan_sig) {
143 return (uint8_t)0U;
144 }
145
146 br_chan_sig = CONTAINER_OF(chan_sig, struct bt_l2cap_br, chan.chan);
147
148 return br_chan_sig->info_fixed_chan;
149 }
150
151 static struct bt_l2cap_br_chan*
l2cap_br_chan_alloc_cid(struct bt_conn * conn,struct bt_l2cap_chan * chan)152 l2cap_br_chan_alloc_cid(struct bt_conn *conn, struct bt_l2cap_chan *chan)
153 {
154 struct bt_l2cap_br_chan *br_chan = BR_CHAN(chan);
155 uint16_t cid;
156
157 /*
158 * No action needed if there's already a CID allocated, e.g. in
159 * the case of a fixed channel.
160 */
161 if (br_chan->rx.cid > 0) {
162 return br_chan;
163 }
164
165 /*
166 * L2CAP_BR_CID_DYN_END is 0xffff so we don't check against it since
167 * cid is uint16_t, just check against uint16_t overflow
168 */
169 for (cid = L2CAP_BR_CID_DYN_START; cid; cid++) {
170 if (!bt_l2cap_br_lookup_rx_cid(conn, cid)) {
171 br_chan->rx.cid = cid;
172 return br_chan;
173 }
174 }
175
176 return NULL;
177 }
178
l2cap_br_chan_cleanup(struct bt_l2cap_chan * chan)179 static void l2cap_br_chan_cleanup(struct bt_l2cap_chan *chan)
180 {
181 bt_l2cap_chan_remove(chan->conn, chan);
182 bt_l2cap_br_chan_del(chan);
183 }
184
l2cap_br_chan_destroy(struct bt_l2cap_chan * chan)185 static void l2cap_br_chan_destroy(struct bt_l2cap_chan *chan)
186 {
187 struct bt_l2cap_br_chan *br_chan = BR_CHAN(chan);
188
189 LOG_DBG("chan %p cid 0x%04x", br_chan, br_chan->rx.cid);
190
191 /* Cancel ongoing work. Since the channel can be re-used after this
192 * we need to sync to make sure that the kernel does not have it
193 * in its queue anymore.
194 *
195 * In the case where we are in the context of executing the rtx_work
196 * item, we don't sync as it will deadlock the workqueue.
197 */
198 struct k_work_q *rtx_work_queue = br_chan->rtx_work.queue;
199
200 if (rtx_work_queue == NULL || k_current_get() != &rtx_work_queue->thread) {
201 k_work_cancel_delayable_sync(&br_chan->rtx_work, &br_chan->rtx_sync);
202 } else {
203 k_work_cancel_delayable(&br_chan->rtx_work);
204 }
205
206 atomic_clear(BR_CHAN(chan)->flags);
207 }
208
l2cap_br_rtx_timeout(struct k_work * work)209 static void l2cap_br_rtx_timeout(struct k_work *work)
210 {
211 struct bt_l2cap_br_chan *chan = BR_CHAN_RTX(work);
212
213 LOG_WRN("chan %p timeout", chan);
214
215 if (chan->rx.cid == BT_L2CAP_CID_BR_SIG) {
216 LOG_DBG("Skip BR/EDR signalling channel ");
217 atomic_clear_bit(chan->flags, L2CAP_FLAG_SIG_INFO_PENDING);
218 return;
219 }
220
221 LOG_DBG("chan %p %s scid 0x%04x", chan, bt_l2cap_chan_state_str(chan->state), chan->rx.cid);
222
223 switch (chan->state) {
224 case BT_L2CAP_CONFIG:
225 bt_l2cap_br_chan_disconnect(&chan->chan);
226 break;
227 case BT_L2CAP_DISCONNECTING:
228 case BT_L2CAP_CONNECTING:
229 l2cap_br_chan_cleanup(&chan->chan);
230 break;
231 default:
232 break;
233 }
234 }
235
l2cap_br_chan_add(struct bt_conn * conn,struct bt_l2cap_chan * chan,bt_l2cap_chan_destroy_t destroy)236 static bool l2cap_br_chan_add(struct bt_conn *conn, struct bt_l2cap_chan *chan,
237 bt_l2cap_chan_destroy_t destroy)
238 {
239 struct bt_l2cap_br_chan *ch = l2cap_br_chan_alloc_cid(conn, chan);
240
241 if (!ch) {
242 LOG_DBG("Unable to allocate L2CAP CID");
243 return false;
244 }
245
246 k_fifo_init(&ch->_pdu_tx_queue);
247
248 /* All dynamic channels have the destroy handler which makes sure that
249 * the RTX work structure is properly released with a cancel sync.
250 * The fixed signal channel is only removed when disconnected and the
251 * disconnected handler is always called from the workqueue itself so
252 * canceling from there should always succeed.
253 */
254 k_work_init_delayable(&ch->rtx_work, l2cap_br_rtx_timeout);
255 bt_l2cap_chan_add(conn, chan, destroy);
256
257 return true;
258 }
259
l2cap_br_get_ident(void)260 static uint8_t l2cap_br_get_ident(void)
261 {
262 static uint8_t ident;
263
264 ident++;
265 /* handle integer overflow (0 is not valid) */
266 if (!ident) {
267 ident++;
268 }
269
270 return ident;
271 }
272
raise_data_ready(struct bt_l2cap_br_chan * br_chan)273 static void raise_data_ready(struct bt_l2cap_br_chan *br_chan)
274 {
275 if (!atomic_set(&br_chan->_pdu_ready_lock, 1)) {
276 sys_slist_append(&br_chan->chan.conn->l2cap_data_ready,
277 &br_chan->_pdu_ready);
278 LOG_DBG("data ready raised");
279 } else {
280 LOG_DBG("data ready already");
281 }
282
283 bt_conn_data_ready(br_chan->chan.conn);
284 }
285
lower_data_ready(struct bt_l2cap_br_chan * br_chan)286 static void lower_data_ready(struct bt_l2cap_br_chan *br_chan)
287 {
288 struct bt_conn *conn = br_chan->chan.conn;
289 __maybe_unused sys_snode_t *s = sys_slist_get(&conn->l2cap_data_ready);
290
291 __ASSERT_NO_MSG(s == &br_chan->_pdu_ready);
292
293 __maybe_unused atomic_t old = atomic_set(&br_chan->_pdu_ready_lock, 0);
294
295 __ASSERT_NO_MSG(old);
296 }
297
cancel_data_ready(struct bt_l2cap_br_chan * br_chan)298 static void cancel_data_ready(struct bt_l2cap_br_chan *br_chan)
299 {
300 struct bt_conn *conn = br_chan->chan.conn;
301
302 sys_slist_find_and_remove(&conn->l2cap_data_ready,
303 &br_chan->_pdu_ready);
304
305 atomic_set(&br_chan->_pdu_ready_lock, 0);
306 }
307
bt_l2cap_br_send_cb(struct bt_conn * conn,uint16_t cid,struct net_buf * buf,bt_conn_tx_cb_t cb,void * user_data)308 int bt_l2cap_br_send_cb(struct bt_conn *conn, uint16_t cid, struct net_buf *buf,
309 bt_conn_tx_cb_t cb, void *user_data)
310 {
311 struct bt_l2cap_hdr *hdr;
312 struct bt_l2cap_chan *ch = bt_l2cap_br_lookup_tx_cid(conn, cid);
313 struct bt_l2cap_br_chan *br_chan;
314
315 if (ch == NULL) {
316 LOG_WRN("CID %d is not found on conn %p", cid, conn);
317 return -ESHUTDOWN;
318 }
319
320 br_chan = CONTAINER_OF(ch, struct bt_l2cap_br_chan, chan);
321
322 LOG_DBG("chan %p buf %p len %u", br_chan, buf, buf->len);
323
324 hdr = net_buf_push(buf, sizeof(*hdr));
325 hdr->len = sys_cpu_to_le16(buf->len - sizeof(*hdr));
326 hdr->cid = sys_cpu_to_le16(cid);
327
328 if (buf->user_data_size < sizeof(struct closure)) {
329 LOG_WRN("not enough room in user_data %d < %d pool %u",
330 buf->user_data_size,
331 CONFIG_BT_CONN_TX_USER_DATA_SIZE,
332 buf->pool_id);
333 return -EINVAL;
334 }
335
336 LOG_DBG("push PDU: cb %p userdata %p", cb, user_data);
337
338 make_closure(buf->user_data, cb, user_data);
339 k_fifo_put(&br_chan->_pdu_tx_queue, buf);
340 raise_data_ready(br_chan);
341
342 return 0;
343 }
344
345 /* Send the buffer and release it in case of failure.
346 * Any other cleanup in failure to send should be handled by the disconnected
347 * handler.
348 */
l2cap_send(struct bt_conn * conn,uint16_t cid,struct net_buf * buf)349 static inline void l2cap_send(struct bt_conn *conn, uint16_t cid,
350 struct net_buf *buf)
351 {
352 if (bt_l2cap_br_send_cb(conn, cid, buf, NULL, NULL)) {
353 net_buf_unref(buf);
354 }
355 }
356
l2cap_br_chan_send_req(struct bt_l2cap_br_chan * chan,struct net_buf * buf,k_timeout_t timeout)357 static void l2cap_br_chan_send_req(struct bt_l2cap_br_chan *chan,
358 struct net_buf *buf, k_timeout_t timeout)
359 {
360
361 if (bt_l2cap_br_send_cb(chan->chan.conn, BT_L2CAP_CID_BR_SIG, buf,
362 NULL, NULL)) {
363 net_buf_unref(buf);
364 return;
365 }
366
367 /* BLUETOOTH SPECIFICATION Version 4.2 [Vol 3, Part A] page 126:
368 *
369 * The value of this timer is implementation-dependent but the minimum
370 * initial value is 1 second and the maximum initial value is 60
371 * seconds. One RTX timer shall exist for each outstanding signaling
372 * request, including each Echo Request. The timer disappears on the
373 * final expiration, when the response is received, or the physical
374 * link is lost.
375 */
376 k_work_reschedule(&chan->rtx_work, timeout);
377 }
378
379 /* L2CAP channel wants to send a PDU */
chan_has_data(struct bt_l2cap_br_chan * br_chan)380 static bool chan_has_data(struct bt_l2cap_br_chan *br_chan)
381 {
382 return !k_fifo_is_empty(&br_chan->_pdu_tx_queue);
383 }
384
l2cap_br_data_pull(struct bt_conn * conn,size_t amount,size_t * length)385 struct net_buf *l2cap_br_data_pull(struct bt_conn *conn,
386 size_t amount,
387 size_t *length)
388 {
389 const sys_snode_t *pdu_ready = sys_slist_peek_head(&conn->l2cap_data_ready);
390
391 if (!pdu_ready) {
392 LOG_DBG("nothing to send on this conn");
393 return NULL;
394 }
395
396 struct bt_l2cap_br_chan *br_chan = CONTAINER_OF(pdu_ready,
397 struct bt_l2cap_br_chan,
398 _pdu_ready);
399
400 /* Leave the PDU buffer in the queue until we have sent all its
401 * fragments.
402 */
403 struct net_buf *pdu = k_fifo_peek_head(&br_chan->_pdu_tx_queue);
404
405 __ASSERT(pdu, "signaled ready but no PDUs in the TX queue");
406
407 if (bt_buf_has_view(pdu)) {
408 LOG_ERR("already have view on %p", pdu);
409 return NULL;
410 }
411
412 /* We can't interleave ACL fragments from different channels for the
413 * same ACL conn -> we have to wait until a full L2 PDU is transferred
414 * before switching channels.
415 */
416 bool last_frag = amount >= pdu->len;
417
418 if (last_frag) {
419 LOG_DBG("last frag, removing %p", pdu);
420 __maybe_unused struct net_buf *b = k_fifo_get(&br_chan->_pdu_tx_queue, K_NO_WAIT);
421
422 __ASSERT_NO_MSG(b == pdu);
423
424 LOG_DBG("chan %p done", br_chan);
425 lower_data_ready(br_chan);
426
427 /* Append channel to list if it still has data */
428 if (chan_has_data(br_chan)) {
429 LOG_DBG("chan %p ready", br_chan);
430 raise_data_ready(br_chan);
431 }
432 }
433
434 *length = pdu->len;
435
436 return pdu;
437 }
438
l2cap_br_get_info(struct bt_l2cap_br * l2cap,uint16_t info_type)439 static void l2cap_br_get_info(struct bt_l2cap_br *l2cap, uint16_t info_type)
440 {
441 struct bt_l2cap_info_req *info;
442 struct net_buf *buf;
443 struct bt_l2cap_sig_hdr *hdr;
444
445 LOG_DBG("info type %u", info_type);
446
447 if (atomic_test_bit(l2cap->chan.flags, L2CAP_FLAG_SIG_INFO_PENDING)) {
448 return;
449 }
450
451 switch (info_type) {
452 case BT_L2CAP_INFO_FEAT_MASK:
453 case BT_L2CAP_INFO_FIXED_CHAN:
454 break;
455 default:
456 LOG_WRN("Unsupported info type %u", info_type);
457 return;
458 }
459
460 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
461
462 atomic_set_bit(l2cap->chan.flags, L2CAP_FLAG_SIG_INFO_PENDING);
463 l2cap->info_ident = l2cap_br_get_ident();
464
465 hdr = net_buf_add(buf, sizeof(*hdr));
466 hdr->code = BT_L2CAP_INFO_REQ;
467 hdr->ident = l2cap->info_ident;
468 hdr->len = sys_cpu_to_le16(sizeof(*info));
469
470 info = net_buf_add(buf, sizeof(*info));
471 info->type = sys_cpu_to_le16(info_type);
472
473 l2cap_br_chan_send_req(&l2cap->chan, buf, L2CAP_BR_INFO_TIMEOUT);
474 }
475
connect_fixed_channel(struct bt_l2cap_br_chan * chan)476 static void connect_fixed_channel(struct bt_l2cap_br_chan *chan)
477 {
478 if (atomic_test_and_set_bit(chan->flags, L2CAP_FLAG_FIXED_CONNECTED)) {
479 return;
480 }
481
482 if (chan->chan.ops && chan->chan.ops->connected) {
483 chan->chan.ops->connected(&chan->chan);
484 }
485 }
486
connect_optional_fixed_channels(struct bt_l2cap_br * l2cap)487 static void connect_optional_fixed_channels(struct bt_l2cap_br *l2cap)
488 {
489 /* can be change to loop if more BR/EDR fixed channels are added */
490 if (l2cap->info_fixed_chan & BIT(BT_L2CAP_CID_BR_SMP)) {
491 struct bt_l2cap_chan *chan;
492
493 chan = bt_l2cap_br_lookup_rx_cid(l2cap->chan.chan.conn,
494 BT_L2CAP_CID_BR_SMP);
495 if (chan) {
496 connect_fixed_channel(BR_CHAN(chan));
497 }
498 }
499 }
500
l2cap_br_info_rsp(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)501 static int l2cap_br_info_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
502 struct net_buf *buf)
503 {
504 struct bt_l2cap_info_rsp *rsp;
505 uint16_t type, result;
506 int err = 0;
507
508 if (atomic_test_bit(l2cap->chan.flags, L2CAP_FLAG_SIG_INFO_DONE)) {
509 return 0;
510 }
511
512 if (atomic_test_and_clear_bit(l2cap->chan.flags,
513 L2CAP_FLAG_SIG_INFO_PENDING)) {
514 /*
515 * Release RTX timer since got the response & there's pending
516 * command request.
517 */
518 k_work_cancel_delayable(&l2cap->chan.rtx_work);
519 }
520
521 if (buf->len < sizeof(*rsp)) {
522 LOG_ERR("Too small info rsp packet size");
523 err = -EINVAL;
524 goto done;
525 }
526
527 if (ident != l2cap->info_ident) {
528 LOG_WRN("Idents mismatch");
529 err = -EINVAL;
530 goto done;
531 }
532
533 rsp = net_buf_pull_mem(buf, sizeof(*rsp));
534 result = sys_le16_to_cpu(rsp->result);
535 if (result != BT_L2CAP_INFO_SUCCESS) {
536 LOG_WRN("Result unsuccessful");
537 err = -EINVAL;
538 goto done;
539 }
540
541 type = sys_le16_to_cpu(rsp->type);
542
543 switch (type) {
544 case BT_L2CAP_INFO_FEAT_MASK:
545 if (buf->len < sizeof(uint32_t)) {
546 LOG_ERR("Invalid remote info feat mask");
547 err = -EINVAL;
548 break;
549 }
550 l2cap->info_feat_mask = net_buf_pull_le32(buf);
551 LOG_DBG("remote info mask 0x%08x", l2cap->info_feat_mask);
552
553 if (!(l2cap->info_feat_mask & L2CAP_FEAT_FIXED_CHAN_MASK)) {
554 break;
555 }
556
557 l2cap_br_get_info(l2cap, BT_L2CAP_INFO_FIXED_CHAN);
558 return 0;
559 case BT_L2CAP_INFO_FIXED_CHAN:
560 if (buf->len < sizeof(uint8_t)) {
561 LOG_ERR("Invalid remote info fixed chan");
562 err = -EINVAL;
563 break;
564 }
565 /*
566 * 2.1 CHANNEL IDENTIFIERS in
567 * BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 3, Part A.
568 * The info length of `Fixed channels supported` is 8 octets.
569 * Then the range of fixed L2CAP CID is 0x0001 ~ 0x0007 both for LE and BR.
570 * So use one octet buffer to keep the `Fixed channels supported`
571 * of peer device.
572 */
573 l2cap->info_fixed_chan = net_buf_pull_u8(buf);
574 LOG_DBG("remote fixed channel mask 0x%02x", l2cap->info_fixed_chan);
575
576 connect_optional_fixed_channels(l2cap);
577
578 break;
579 default:
580 LOG_WRN("type 0x%04x unsupported", type);
581 err = -EINVAL;
582 break;
583 }
584 done:
585 atomic_set_bit(l2cap->chan.flags, L2CAP_FLAG_SIG_INFO_DONE);
586 l2cap->info_ident = 0U;
587 return err;
588 }
589
get_fixed_channels_mask(void)590 static uint8_t get_fixed_channels_mask(void)
591 {
592 uint8_t mask = 0U;
593
594 /* this needs to be enhanced if AMP Test Manager support is added */
595 STRUCT_SECTION_FOREACH(bt_l2cap_br_fixed_chan, fchan) {
596 mask |= BIT(fchan->cid);
597 }
598
599 return mask;
600 }
601
l2cap_br_info_req(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)602 static int l2cap_br_info_req(struct bt_l2cap_br *l2cap, uint8_t ident,
603 struct net_buf *buf)
604 {
605 struct bt_conn *conn = l2cap->chan.chan.conn;
606 struct bt_l2cap_info_req *req = (void *)buf->data;
607 struct bt_l2cap_info_rsp *rsp;
608 struct net_buf *rsp_buf;
609 struct bt_l2cap_sig_hdr *hdr_info;
610 uint16_t type;
611
612 if (buf->len < sizeof(*req)) {
613 LOG_ERR("Too small info req packet size");
614 return -EINVAL;
615 }
616
617 rsp_buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
618
619 type = sys_le16_to_cpu(req->type);
620 LOG_DBG("type 0x%04x", type);
621
622 hdr_info = net_buf_add(rsp_buf, sizeof(*hdr_info));
623 hdr_info->code = BT_L2CAP_INFO_RSP;
624 hdr_info->ident = ident;
625
626 rsp = net_buf_add(rsp_buf, sizeof(*rsp));
627
628 switch (type) {
629 case BT_L2CAP_INFO_FEAT_MASK:
630 rsp->type = sys_cpu_to_le16(BT_L2CAP_INFO_FEAT_MASK);
631 rsp->result = sys_cpu_to_le16(BT_L2CAP_INFO_SUCCESS);
632 net_buf_add_le32(rsp_buf, L2CAP_FEAT_FIXED_CHAN_MASK);
633 hdr_info->len = sys_cpu_to_le16(sizeof(*rsp) + sizeof(uint32_t));
634 break;
635 case BT_L2CAP_INFO_FIXED_CHAN:
636 rsp->type = sys_cpu_to_le16(BT_L2CAP_INFO_FIXED_CHAN);
637 rsp->result = sys_cpu_to_le16(BT_L2CAP_INFO_SUCCESS);
638 /* fixed channel mask protocol data is 8 octets wide */
639 (void)memset(net_buf_add(rsp_buf, 8), 0, 8);
640 rsp->data[0] = get_fixed_channels_mask();
641
642 hdr_info->len = sys_cpu_to_le16(sizeof(*rsp) + 8);
643 break;
644 default:
645 rsp->type = req->type;
646 rsp->result = sys_cpu_to_le16(BT_L2CAP_INFO_NOTSUPP);
647 hdr_info->len = sys_cpu_to_le16(sizeof(*rsp));
648 break;
649 }
650
651 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, rsp_buf);
652
653 return 0;
654 }
655
bt_l2cap_br_connected(struct bt_conn * conn)656 void bt_l2cap_br_connected(struct bt_conn *conn)
657 {
658 struct bt_l2cap_chan *chan;
659
660 STRUCT_SECTION_FOREACH(bt_l2cap_br_fixed_chan, fchan) {
661 struct bt_l2cap_br_chan *br_chan;
662
663 if (!fchan->accept) {
664 continue;
665 }
666
667 if (fchan->accept(conn, &chan) < 0) {
668 continue;
669 }
670
671 br_chan = BR_CHAN(chan);
672
673 br_chan->rx.cid = fchan->cid;
674 br_chan->tx.cid = fchan->cid;
675
676 if (!l2cap_br_chan_add(conn, chan, NULL)) {
677 return;
678 }
679
680 /*
681 * other fixed channels will be connected after Information
682 * Response is received
683 */
684 if (fchan->cid == BT_L2CAP_CID_BR_SIG) {
685 struct bt_l2cap_br *sig_ch;
686
687 connect_fixed_channel(br_chan);
688
689 sig_ch = CONTAINER_OF(br_chan, struct bt_l2cap_br, chan);
690 l2cap_br_get_info(sig_ch, BT_L2CAP_INFO_FEAT_MASK);
691 }
692 }
693 }
694
bt_l2cap_br_disconnected(struct bt_conn * conn)695 void bt_l2cap_br_disconnected(struct bt_conn *conn)
696 {
697 struct bt_l2cap_chan *chan, *next;
698
699 SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&conn->channels, chan, next, node) {
700 bt_l2cap_br_chan_del(chan);
701 }
702 }
703
l2cap_br_server_lookup_psm(uint16_t psm)704 static struct bt_l2cap_server *l2cap_br_server_lookup_psm(uint16_t psm)
705 {
706 struct bt_l2cap_server *server;
707
708 SYS_SLIST_FOR_EACH_CONTAINER(&br_servers, server, node) {
709 if (server->psm == psm) {
710 return server;
711 }
712 }
713
714 return NULL;
715 }
716
l2cap_br_conf_add_mtu(struct net_buf * buf,const uint16_t mtu)717 static void l2cap_br_conf_add_mtu(struct net_buf *buf, const uint16_t mtu)
718 {
719 net_buf_add_u8(buf, BT_L2CAP_CONF_OPT_MTU);
720 net_buf_add_u8(buf, sizeof(mtu));
721 net_buf_add_le16(buf, mtu);
722 }
723
l2cap_br_conf_add_opt(struct net_buf * buf,const struct bt_l2cap_conf_opt * opt)724 static void l2cap_br_conf_add_opt(struct net_buf *buf, const struct bt_l2cap_conf_opt *opt)
725 {
726 net_buf_add_u8(buf, opt->type & BT_L2CAP_CONF_MASK);
727 net_buf_add_u8(buf, opt->len);
728 net_buf_add_mem(buf, opt->data, opt->len);
729 }
730
l2cap_br_conf(struct bt_l2cap_chan * chan)731 static void l2cap_br_conf(struct bt_l2cap_chan *chan)
732 {
733 struct bt_l2cap_sig_hdr *hdr;
734 struct bt_l2cap_conf_req *conf;
735 struct net_buf *buf;
736
737 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
738
739 hdr = net_buf_add(buf, sizeof(*hdr));
740 hdr->code = BT_L2CAP_CONF_REQ;
741 hdr->ident = l2cap_br_get_ident();
742 conf = net_buf_add(buf, sizeof(*conf));
743 (void)memset(conf, 0, sizeof(*conf));
744
745 conf->dcid = sys_cpu_to_le16(BR_CHAN(chan)->tx.cid);
746 /*
747 * Add MTU option if app set non default BR/EDR L2CAP MTU,
748 * otherwise sent empty configuration data meaning default MTU
749 * to be used.
750 */
751 if (BR_CHAN(chan)->rx.mtu != L2CAP_BR_DEFAULT_MTU) {
752 l2cap_br_conf_add_mtu(buf, BR_CHAN(chan)->rx.mtu);
753 }
754
755 hdr->len = sys_cpu_to_le16(buf->len - sizeof(*hdr));
756
757 /*
758 * TODO:
759 * might be needed to start tracking number of configuration iterations
760 * on both directions
761 */
762 l2cap_br_chan_send_req(BR_CHAN(chan), buf, L2CAP_BR_CFG_TIMEOUT);
763 }
764
765 enum l2cap_br_conn_security_result {
766 L2CAP_CONN_SECURITY_PASSED,
767 L2CAP_CONN_SECURITY_REJECT,
768 L2CAP_CONN_SECURITY_PENDING
769 };
770
771 /*
772 * Security helper against channel connection.
773 * Returns L2CAP_CONN_SECURITY_PASSED if:
774 * - existing security on link is applicable for requested PSM in connection,
775 * - legacy (non SSP) devices connecting with low security requirements,
776 * Returns L2CAP_CONN_SECURITY_PENDING if:
777 * - channel connection process is on hold since there were valid security
778 * conditions triggering authentication indirectly in subcall.
779 * Returns L2CAP_CONN_SECURITY_REJECT if:
780 * - bt_conn_set_security API returns < 0,
781 * - Or, the ACL connection has been encrypted, the security level of link key cannot be upgraded,
782 * and the security level is less than the required security level.
783 */
784
785 static enum l2cap_br_conn_security_result
l2cap_br_conn_security(struct bt_l2cap_chan * chan,const uint16_t psm)786 l2cap_br_conn_security(struct bt_l2cap_chan *chan, const uint16_t psm)
787 {
788 int check;
789 struct bt_l2cap_br_chan *br_chan = BR_CHAN(chan);
790
791 /* For SDP PSM there's no need to change existing security on link */
792 if (br_chan->required_sec_level == BT_SECURITY_L0) {
793 return L2CAP_CONN_SECURITY_PASSED;
794 }
795
796 /*
797 * No link key needed for legacy devices (pre 2.1) and when low security
798 * level is required.
799 */
800 if (br_chan->required_sec_level == BT_SECURITY_L1 &&
801 !BT_FEAT_HOST_SSP(chan->conn->br.features)) {
802 return L2CAP_CONN_SECURITY_PASSED;
803 }
804
805 switch (br_chan->required_sec_level) {
806 case BT_SECURITY_L4:
807 case BT_SECURITY_L3:
808 case BT_SECURITY_L2:
809 break;
810 default:
811 /*
812 * For non SDP PSM connections GAP's Security Mode 4 requires at
813 * least unauthenticated link key and enabled encryption if
814 * remote supports SSP before any L2CAP CoC traffic. So preset
815 * local to MEDIUM security to trigger it if needed.
816 */
817 if (BT_FEAT_HOST_SSP(chan->conn->br.features)) {
818 br_chan->required_sec_level = BT_SECURITY_L2;
819 }
820 break;
821 }
822
823 if (chan->conn->sec_level < br_chan->required_sec_level &&
824 chan->conn->encrypt && chan->conn->br.link_key &&
825 (chan->conn->br.link_key->flags & BT_LINK_KEY_AUTHENTICATED)) {
826 /*
827 * If the ACL link has been encrypted and it has a authenticated link key, it means
828 * the pairing procedure has been done. And the security level of the link key can
829 * not be upgraded. In this case, if `conn->sec_level` is less than the required
830 * security level of the L2CAP channel, reject the L2CAP conn request.
831 */
832 return L2CAP_CONN_SECURITY_REJECT;
833 }
834
835 check = bt_conn_set_security(chan->conn, br_chan->required_sec_level);
836
837 /*
838 * Check case when on existing connection security level already covers
839 * channel (service) security requirements against link security and
840 * bt_conn_set_security API returns 0 what implies also there was no
841 * need to trigger authentication.
842 */
843 if (check == 0 &&
844 chan->conn->sec_level >= br_chan->required_sec_level) {
845 return L2CAP_CONN_SECURITY_PASSED;
846 }
847
848 /*
849 * If 'check' still holds 0, it means local host just sent HCI
850 * authentication command to start procedure to increase link security
851 * since service/profile requires that.
852 */
853 if (check == 0) {
854 /*
855 * General Bonding refers to the process of performing bonding
856 * during connection setup or channel establishment procedures
857 * as a precursor to accessing a service.
858 * For current case, it is dedicated bonding.
859 */
860 atomic_set_bit(chan->conn->flags, BT_CONN_BR_GENERAL_BONDING);
861 return L2CAP_CONN_SECURITY_PENDING;
862 }
863
864 /*
865 * For any other values in 'check' it means there was internal
866 * validation condition forbidding to start authentication at this
867 * moment.
868 */
869 return L2CAP_CONN_SECURITY_REJECT;
870 }
871
l2cap_br_conn_rsp_sent_cb(struct bt_conn * conn,void * user_data,int err)872 static void l2cap_br_conn_rsp_sent_cb(struct bt_conn *conn, void *user_data, int err)
873 {
874 uint16_t scid = POINTER_TO_UINT(user_data);
875 struct bt_l2cap_chan *chan;
876
877 chan = bt_l2cap_br_lookup_tx_cid(conn, scid);
878 if (!chan) {
879 return;
880 }
881
882 /* Check whether the ACL connection needs to be disconnected. */
883 if (atomic_test_and_clear_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_DISCONNECT_ACL)) {
884 bt_conn_disconnect(conn, BT_HCI_ERR_AUTH_FAIL);
885 }
886 }
887
l2cap_br_send_conn_rsp(struct bt_conn * conn,uint16_t scid,uint16_t dcid,uint8_t ident,uint16_t result)888 static void l2cap_br_send_conn_rsp(struct bt_conn *conn, uint16_t scid,
889 uint16_t dcid, uint8_t ident, uint16_t result)
890 {
891 struct net_buf *buf;
892 struct bt_l2cap_conn_rsp *rsp;
893 struct bt_l2cap_sig_hdr *hdr;
894
895 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
896
897 hdr = net_buf_add(buf, sizeof(*hdr));
898 hdr->code = BT_L2CAP_CONN_RSP;
899 hdr->ident = ident;
900 hdr->len = sys_cpu_to_le16(sizeof(*rsp));
901
902 rsp = net_buf_add(buf, sizeof(*rsp));
903 rsp->dcid = sys_cpu_to_le16(dcid);
904 rsp->scid = sys_cpu_to_le16(scid);
905 rsp->result = sys_cpu_to_le16(result);
906
907 if (result == BT_L2CAP_BR_PENDING) {
908 rsp->status = sys_cpu_to_le16(BT_L2CAP_CS_AUTHEN_PEND);
909 } else {
910 rsp->status = sys_cpu_to_le16(BT_L2CAP_CS_NO_INFO);
911 }
912
913 if (bt_l2cap_br_send_cb(conn, BT_L2CAP_CID_BR_SIG, buf, l2cap_br_conn_rsp_sent_cb,
914 UINT_TO_POINTER(scid))) {
915 net_buf_unref(buf);
916 }
917 }
918
l2cap_br_conn_req_reply(struct bt_l2cap_chan * chan,uint16_t result)919 static int l2cap_br_conn_req_reply(struct bt_l2cap_chan *chan, uint16_t result)
920 {
921 /* Send response to connection request only when in acceptor role */
922 if (!atomic_test_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_ACCEPTOR)) {
923 return -ESRCH;
924 }
925
926 l2cap_br_send_conn_rsp(chan->conn, BR_CHAN(chan)->tx.cid,
927 BR_CHAN(chan)->rx.cid, BR_CHAN(chan)->ident, result);
928 BR_CHAN(chan)->ident = 0U;
929
930 return 0;
931 }
932
933 #if defined(CONFIG_BT_L2CAP_DYNAMIC_CHANNEL) && defined(CONFIG_BT_L2CAP_LOG_LEVEL_DBG)
bt_l2cap_br_chan_set_state_debug(struct bt_l2cap_chan * chan,bt_l2cap_chan_state_t state,const char * func,int line)934 void bt_l2cap_br_chan_set_state_debug(struct bt_l2cap_chan *chan,
935 bt_l2cap_chan_state_t state,
936 const char *func, int line)
937 {
938 struct bt_l2cap_br_chan *br_chan;
939
940 br_chan = BR_CHAN(chan);
941
942 LOG_DBG("chan %p psm 0x%04x %s -> %s", chan, br_chan->psm,
943 bt_l2cap_chan_state_str(br_chan->state), bt_l2cap_chan_state_str(state));
944
945 /* check transitions validness */
946 switch (state) {
947 case BT_L2CAP_DISCONNECTED:
948 /* regardless of old state always allows this state */
949 break;
950 case BT_L2CAP_CONNECTING:
951 if (br_chan->state != BT_L2CAP_DISCONNECTED) {
952 LOG_WRN("%s()%d: invalid transition", func, line);
953 }
954 break;
955 case BT_L2CAP_CONFIG:
956 if (br_chan->state != BT_L2CAP_CONNECTING) {
957 LOG_WRN("%s()%d: invalid transition", func, line);
958 }
959 break;
960 case BT_L2CAP_CONNECTED:
961 if (br_chan->state != BT_L2CAP_CONFIG &&
962 br_chan->state != BT_L2CAP_CONNECTING) {
963 LOG_WRN("%s()%d: invalid transition", func, line);
964 }
965 break;
966 case BT_L2CAP_DISCONNECTING:
967 if (br_chan->state != BT_L2CAP_CONFIG &&
968 br_chan->state != BT_L2CAP_CONNECTED) {
969 LOG_WRN("%s()%d: invalid transition", func, line);
970 }
971 break;
972 default:
973 LOG_ERR("%s()%d: unknown (%u) state was set", func, line, state);
974 return;
975 }
976
977 br_chan->state = state;
978 }
979 #else
bt_l2cap_br_chan_set_state(struct bt_l2cap_chan * chan,bt_l2cap_chan_state_t state)980 void bt_l2cap_br_chan_set_state(struct bt_l2cap_chan *chan,
981 bt_l2cap_chan_state_t state)
982 {
983 BR_CHAN(chan)->state = state;
984 }
985 #endif /* CONFIG_BT_L2CAP_LOG_LEVEL_DBG && CONFIG_BT_L2CAP_DYNAMIC_CHANNEL*/
986
bt_l2cap_br_chan_del(struct bt_l2cap_chan * chan)987 void bt_l2cap_br_chan_del(struct bt_l2cap_chan *chan)
988 {
989 const struct bt_l2cap_chan_ops *ops = chan->ops;
990 struct bt_l2cap_br_chan *br_chan = CONTAINER_OF(chan, struct bt_l2cap_br_chan, chan);
991
992 LOG_DBG("conn %p chan %p", chan->conn, chan);
993
994 if (!chan->conn) {
995 goto destroy;
996 }
997
998 cancel_data_ready(br_chan);
999
1000 /* Remove buffers on the PDU TX queue. */
1001 while (chan_has_data(br_chan)) {
1002 struct net_buf *buf = k_fifo_get(&br_chan->_pdu_tx_queue, K_NO_WAIT);
1003
1004 net_buf_unref(buf);
1005 }
1006
1007 if (ops->disconnected) {
1008 ops->disconnected(chan);
1009 }
1010
1011 chan->conn = NULL;
1012
1013 destroy:
1014 #if defined(CONFIG_BT_L2CAP_DYNAMIC_CHANNEL)
1015 /* Reset internal members of common channel */
1016 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_DISCONNECTED);
1017 BR_CHAN(chan)->psm = 0U;
1018 #endif
1019 if (chan->destroy) {
1020 chan->destroy(chan);
1021 }
1022
1023 if (ops->released) {
1024 ops->released(chan);
1025 }
1026 }
1027
l2cap_br_conn_req(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)1028 static void l2cap_br_conn_req(struct bt_l2cap_br *l2cap, uint8_t ident,
1029 struct net_buf *buf)
1030 {
1031 struct bt_conn *conn = l2cap->chan.chan.conn;
1032 struct bt_l2cap_chan *chan;
1033 struct bt_l2cap_server *server;
1034 struct bt_l2cap_conn_req *req = (void *)buf->data;
1035 uint16_t psm, scid, result;
1036 struct bt_l2cap_br_chan *br_chan;
1037
1038 if (buf->len < sizeof(*req)) {
1039 LOG_ERR("Too small L2CAP conn req packet size");
1040 return;
1041 }
1042
1043 psm = sys_le16_to_cpu(req->psm);
1044 scid = sys_le16_to_cpu(req->scid);
1045
1046 LOG_DBG("psm 0x%02x scid 0x%04x", psm, scid);
1047
1048 /* Check if there is a server registered */
1049 server = l2cap_br_server_lookup_psm(psm);
1050 if (!server) {
1051 result = BT_L2CAP_BR_ERR_PSM_NOT_SUPP;
1052 goto no_chan;
1053 }
1054
1055 /*
1056 * Report security violation for non SDP channel without encryption when
1057 * remote supports SSP.
1058 */
1059 if (server->sec_level != BT_SECURITY_L0 &&
1060 BT_FEAT_HOST_SSP(conn->br.features) && !conn->encrypt) {
1061 result = BT_L2CAP_BR_ERR_SEC_BLOCK;
1062 goto no_chan;
1063 }
1064
1065 if (!L2CAP_BR_CID_IS_DYN(scid)) {
1066 result = BT_L2CAP_BR_ERR_INVALID_SCID;
1067 goto no_chan;
1068 }
1069
1070 chan = bt_l2cap_br_lookup_tx_cid(conn, scid);
1071 if (chan) {
1072 /*
1073 * we have a chan here but this is due to SCID being already in
1074 * use so it is not channel we are suppose to pass to
1075 * l2cap_br_conn_req_reply as wrong DCID would be used
1076 */
1077 result = BT_L2CAP_BR_ERR_SCID_IN_USE;
1078 goto no_chan;
1079 }
1080
1081 /*
1082 * Request server to accept the new connection and allocate the
1083 * channel. If no free channels available for PSM server reply with
1084 * proper result and quit since chan pointer is uninitialized then.
1085 */
1086 if (server->accept(conn, server, &chan) < 0) {
1087 result = BT_L2CAP_BR_ERR_NO_RESOURCES;
1088 goto no_chan;
1089 }
1090
1091 br_chan = BR_CHAN(chan);
1092 br_chan->required_sec_level = server->sec_level;
1093
1094 l2cap_br_chan_add(conn, chan, l2cap_br_chan_destroy);
1095 BR_CHAN(chan)->tx.cid = scid;
1096 br_chan->ident = ident;
1097 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_CONNECTING);
1098 atomic_set_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_ACCEPTOR);
1099
1100 /* Disable fragmentation of l2cap rx pdu */
1101 BR_CHAN(chan)->rx.mtu = MIN(BR_CHAN(chan)->rx.mtu, BT_L2CAP_RX_MTU);
1102
1103 switch (l2cap_br_conn_security(chan, psm)) {
1104 case L2CAP_CONN_SECURITY_PENDING:
1105 result = BT_L2CAP_BR_PENDING;
1106 /* TODO: auth timeout */
1107 break;
1108 case L2CAP_CONN_SECURITY_PASSED:
1109 result = BT_L2CAP_BR_SUCCESS;
1110 break;
1111 case L2CAP_CONN_SECURITY_REJECT:
1112 default:
1113 result = BT_L2CAP_BR_ERR_SEC_BLOCK;
1114 /* Set disconnect ACL flag. */
1115 atomic_set_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_DISCONNECT_ACL);
1116 break;
1117 }
1118 /* Reply on connection request as acceptor */
1119 l2cap_br_conn_req_reply(chan, result);
1120
1121 if (result != BT_L2CAP_BR_SUCCESS) {
1122 /* Disconnect link when security rules were violated */
1123 if (result == BT_L2CAP_BR_ERR_SEC_BLOCK) {
1124 /*
1125 * Disconnect the ACL after the packet of response has been sent.
1126 * The `L2CAP_FLAG_DISCONNECT_ACL` is used to flag whether ACL disconnect
1127 * request needs to be sent when the L2CAP conn rsp sent out callback is
1128 * triggered.
1129 */
1130 } else if (result == BT_L2CAP_BR_PENDING) {
1131 /* Recover the ident when conn is pending */
1132 br_chan->ident = ident;
1133 }
1134
1135 return;
1136 }
1137
1138 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_CONFIG);
1139 l2cap_br_conf(chan);
1140 return;
1141
1142 no_chan:
1143 l2cap_br_send_conn_rsp(conn, scid, 0, ident, result);
1144 }
1145
l2cap_br_conf_rsp(struct bt_l2cap_br * l2cap,uint8_t ident,uint16_t len,struct net_buf * buf)1146 static void l2cap_br_conf_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
1147 uint16_t len, struct net_buf *buf)
1148 {
1149 struct bt_conn *conn = l2cap->chan.chan.conn;
1150 struct bt_l2cap_chan *chan;
1151 struct bt_l2cap_conf_rsp *rsp = (void *)buf->data;
1152 uint16_t flags, scid, result, opt_len;
1153 struct bt_l2cap_br_chan *br_chan;
1154
1155 if (buf->len < sizeof(*rsp)) {
1156 LOG_ERR("Too small L2CAP conf rsp packet size");
1157 return;
1158 }
1159
1160 flags = sys_le16_to_cpu(rsp->flags);
1161 scid = sys_le16_to_cpu(rsp->scid);
1162 result = sys_le16_to_cpu(rsp->result);
1163 opt_len = len - sizeof(*rsp);
1164
1165 LOG_DBG("scid 0x%04x flags 0x%02x result 0x%02x len %u", scid, flags, result, opt_len);
1166
1167 chan = bt_l2cap_br_lookup_rx_cid(conn, scid);
1168 if (!chan) {
1169 LOG_ERR("channel mismatch!");
1170 return;
1171 }
1172
1173 br_chan = BR_CHAN(chan);
1174
1175 /* Release RTX work since got the response */
1176 k_work_cancel_delayable(&br_chan->rtx_work);
1177
1178 /*
1179 * TODO: handle other results than success and parse response data if
1180 * available
1181 */
1182 switch (result) {
1183 case BT_L2CAP_CONF_SUCCESS:
1184 atomic_set_bit(br_chan->flags, L2CAP_FLAG_CONN_LCONF_DONE);
1185
1186 if (br_chan->state == BT_L2CAP_CONFIG &&
1187 atomic_test_bit(br_chan->flags,
1188 L2CAP_FLAG_CONN_RCONF_DONE)) {
1189 LOG_DBG("scid 0x%04x rx MTU %u dcid 0x%04x tx MTU %u", br_chan->rx.cid,
1190 br_chan->rx.mtu, br_chan->tx.cid, br_chan->tx.mtu);
1191
1192 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_CONNECTED);
1193 if (chan->ops && chan->ops->connected) {
1194 chan->ops->connected(chan);
1195 }
1196 }
1197 break;
1198 default:
1199 /* currently disconnect channel on non success result */
1200 bt_l2cap_chan_disconnect(chan);
1201 break;
1202 }
1203 }
1204
bt_l2cap_br_allocate_psm(uint16_t * psm)1205 static int bt_l2cap_br_allocate_psm(uint16_t *psm)
1206 {
1207 /* DYN_END is UINT16_MAX, so to be able to do a psm <= DYN_END comparison
1208 * we need to use uint32_t as the type.
1209 */
1210 static uint32_t allocated_psm = L2CAP_BR_PSM_DYN_START;
1211
1212 if (allocated_psm < L2CAP_BR_PSM_DYN_END) {
1213 allocated_psm = allocated_psm + 1;
1214 } else {
1215 goto failed;
1216 }
1217
1218 for (; allocated_psm <= L2CAP_BR_PSM_DYN_END; allocated_psm++) {
1219 /* Bluetooth Core Specification Version 6.0 | Vol 3, Part A, section 4.2
1220 *
1221 * The PSM field is at least two octets in length. All PSM values shall have
1222 * the least significant bit of the most significant octet equal to 0 and the
1223 * least significant bit of all other octets equal to 1.
1224 */
1225 if ((allocated_psm & 0x0101) != 0x0001) {
1226 continue;
1227 }
1228
1229 if (l2cap_br_server_lookup_psm((uint16_t)allocated_psm)) {
1230 LOG_DBG("PSM 0x%04x has been used", allocated_psm);
1231 continue;
1232 }
1233
1234 LOG_DBG("Allocated PSM 0x%04x for new server", allocated_psm);
1235 *psm = (uint16_t)allocated_psm;
1236 return 0;
1237 }
1238
1239 failed:
1240 LOG_WRN("No free dynamic PSMs available");
1241 return -EADDRNOTAVAIL;
1242 }
1243
bt_l2cap_br_get_max_sec_level(void)1244 bt_security_t bt_l2cap_br_get_max_sec_level(void)
1245 {
1246 struct bt_l2cap_server *server;
1247 bt_security_t sec_level = BT_SECURITY_L0;
1248
1249 SYS_SLIST_FOR_EACH_CONTAINER(&br_servers, server, node) {
1250 if (sec_level < server->sec_level) {
1251 sec_level = server->sec_level;
1252 }
1253 }
1254
1255 return sec_level;
1256 }
1257
bt_l2cap_br_server_register(struct bt_l2cap_server * server)1258 int bt_l2cap_br_server_register(struct bt_l2cap_server *server)
1259 {
1260 int err;
1261
1262 if (!server->accept) {
1263 return -EINVAL;
1264 }
1265
1266 if (server->sec_level > BT_SECURITY_L4) {
1267 return -EINVAL;
1268 } else if (server->sec_level == BT_SECURITY_L0 &&
1269 server->psm != L2CAP_BR_PSM_SDP) {
1270 server->sec_level = BT_SECURITY_L1;
1271 }
1272
1273 if (!server->psm) {
1274 err = bt_l2cap_br_allocate_psm(&server->psm);
1275 if (err) {
1276 return err;
1277 }
1278 } else {
1279 /* PSM must be odd and lsb of upper byte must be 0 */
1280 if ((server->psm & 0x0101) != 0x0001) {
1281 LOG_WRN("PSM must be odd and lsb of upper byte must be 0");
1282 return -EINVAL;
1283 }
1284
1285 /* Check if given PSM is already in use */
1286 if (l2cap_br_server_lookup_psm(server->psm)) {
1287 LOG_WRN("PSM already registered");
1288 return -EADDRINUSE;
1289 }
1290 }
1291
1292 LOG_DBG("PSM 0x%04x", server->psm);
1293
1294 sys_slist_append(&br_servers, &server->node);
1295
1296 return 0;
1297 }
1298
l2cap_br_send_reject(struct bt_conn * conn,uint8_t ident,uint16_t reason,void * data,uint8_t data_len)1299 static void l2cap_br_send_reject(struct bt_conn *conn, uint8_t ident,
1300 uint16_t reason, void *data, uint8_t data_len)
1301 {
1302 struct bt_l2cap_cmd_reject *rej;
1303 struct bt_l2cap_sig_hdr *hdr;
1304 struct net_buf *buf;
1305
1306 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1307
1308 hdr = net_buf_add(buf, sizeof(*hdr));
1309 hdr->code = BT_L2CAP_CMD_REJECT;
1310 hdr->ident = ident;
1311 hdr->len = sys_cpu_to_le16(sizeof(*rej) + data_len);
1312
1313 rej = net_buf_add(buf, sizeof(*rej));
1314 rej->reason = sys_cpu_to_le16(reason);
1315
1316 /*
1317 * optional data if available must be already in little-endian format
1318 * made by caller.and be compliant with Core 4.2 [Vol 3, Part A, 4.1,
1319 * table 4.4]
1320 */
1321 if (data) {
1322 net_buf_add_mem(buf, data, data_len);
1323 }
1324
1325 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, buf);
1326 }
1327
l2cap_br_conf_opt_mtu(struct bt_l2cap_chan * chan,struct net_buf * buf,size_t len)1328 static uint16_t l2cap_br_conf_opt_mtu(struct bt_l2cap_chan *chan,
1329 struct net_buf *buf, size_t len)
1330 {
1331 uint16_t mtu, result = BT_L2CAP_CONF_SUCCESS;
1332 struct bt_l2cap_conf_opt_mtu *opt_mtu;
1333
1334 /* Core 4.2 [Vol 3, Part A, 5.1] MTU payload length */
1335 if (len != sizeof(*opt_mtu)) {
1336 LOG_ERR("tx MTU length %zu invalid", len);
1337 result = BT_L2CAP_CONF_REJECT;
1338 goto done;
1339 }
1340
1341 opt_mtu = (struct bt_l2cap_conf_opt_mtu *)buf->data;
1342
1343 mtu = sys_le16_to_cpu(opt_mtu->mtu);
1344 if (mtu < L2CAP_BR_MIN_MTU) {
1345 result = BT_L2CAP_CONF_UNACCEPT;
1346 BR_CHAN(chan)->tx.mtu = L2CAP_BR_MIN_MTU;
1347 opt_mtu->mtu = sys_cpu_to_le16(L2CAP_BR_MIN_MTU);
1348 LOG_DBG("tx MTU %u invalid", mtu);
1349 goto done;
1350 }
1351
1352 BR_CHAN(chan)->tx.mtu = mtu;
1353 LOG_DBG("tx MTU %u", mtu);
1354 done:
1355 return result;
1356 }
1357
l2cap_br_conf_opt_flush_timeout(struct bt_l2cap_chan * chan,struct net_buf * buf,size_t len)1358 static uint16_t l2cap_br_conf_opt_flush_timeout(struct bt_l2cap_chan *chan,
1359 struct net_buf *buf, size_t len)
1360 {
1361 uint16_t result = BT_L2CAP_CONF_SUCCESS;
1362 struct bt_l2cap_conf_opt_flush_timeout *opt_to;
1363
1364 if (len != sizeof(*opt_to)) {
1365 LOG_ERR("qos frame length %zu invalid", len);
1366 result = BT_L2CAP_CONF_REJECT;
1367 goto done;
1368 }
1369
1370 opt_to = (struct bt_l2cap_conf_opt_flush_timeout *)buf->data;
1371
1372 LOG_DBG("Flush timeout %u", opt_to->timeout);
1373
1374 opt_to->timeout = sys_cpu_to_le16(0xFFFF);
1375 result = BT_L2CAP_CONF_UNACCEPT;
1376 done:
1377 return result;
1378 }
1379
l2cap_br_conf_opt_qos(struct bt_l2cap_chan * chan,struct net_buf * buf,size_t len)1380 static uint16_t l2cap_br_conf_opt_qos(struct bt_l2cap_chan *chan,
1381 struct net_buf *buf, size_t len)
1382 {
1383 uint16_t result = BT_L2CAP_CONF_SUCCESS;
1384 struct bt_l2cap_conf_opt_qos *opt_qos;
1385
1386 if (len != sizeof(*opt_qos)) {
1387 LOG_ERR("qos frame length %zu invalid", len);
1388 result = BT_L2CAP_CONF_REJECT;
1389 goto done;
1390 }
1391
1392 opt_qos = (struct bt_l2cap_conf_opt_qos *)buf->data;
1393
1394 LOG_DBG("QOS Type %u", opt_qos->service_type);
1395
1396 if (opt_qos->service_type == BT_L2CAP_QOS_TYPE_GUARANTEED) {
1397 /* Set to default value */
1398 result = BT_L2CAP_CONF_UNACCEPT;
1399 opt_qos->flags = 0x00;
1400 /* do not care */
1401 opt_qos->token_rate = sys_cpu_to_le32(0x00000000);
1402 /* no token bucket is needed */
1403 opt_qos->token_bucket_size = sys_cpu_to_le32(0x00000000);
1404 /* do not care */
1405 opt_qos->peak_bandwidth = sys_cpu_to_le32(0x00000000);
1406 /* do not care */
1407 opt_qos->latency = sys_cpu_to_le32(0xFFFFFFFF);
1408 /* do not care */
1409 opt_qos->delay_variation = sys_cpu_to_le32(0xFFFFFFFF);
1410 }
1411
1412 done:
1413 return result;
1414 }
1415
l2cap_br_conf_opt_ret_fc(struct bt_l2cap_chan * chan,struct net_buf * buf,size_t len)1416 static uint16_t l2cap_br_conf_opt_ret_fc(struct bt_l2cap_chan *chan,
1417 struct net_buf *buf, size_t len)
1418 {
1419 uint16_t result = BT_L2CAP_CONF_SUCCESS;
1420 struct bt_l2cap_conf_opt_ret_fc *opt_ret_fc;
1421
1422 if (len != sizeof(*opt_ret_fc)) {
1423 LOG_ERR("ret_fc frame length %zu invalid", len);
1424 result = BT_L2CAP_CONF_REJECT;
1425 goto done;
1426 }
1427
1428 opt_ret_fc = (struct bt_l2cap_conf_opt_ret_fc *)buf->data;
1429
1430 LOG_DBG("ret_fc mode %u", opt_ret_fc->mode);
1431
1432 if (opt_ret_fc->mode != BT_L2CAP_RET_FC_MODE_BASIC) {
1433 /* Set to default value */
1434 result = BT_L2CAP_CONF_UNACCEPT;
1435 opt_ret_fc->mode = BT_L2CAP_RET_FC_MODE_BASIC;
1436 }
1437
1438 done:
1439 return result;
1440 }
1441
l2cap_br_conf_opt_fcs(struct bt_l2cap_chan * chan,struct net_buf * buf,size_t len)1442 static uint16_t l2cap_br_conf_opt_fcs(struct bt_l2cap_chan *chan,
1443 struct net_buf *buf, size_t len)
1444 {
1445 uint16_t result = BT_L2CAP_CONF_SUCCESS;
1446 struct bt_l2cap_conf_opt_fcs *opt_fcs;
1447
1448 if (len != sizeof(*opt_fcs)) {
1449 LOG_ERR("fcs frame length %zu invalid", len);
1450 result = BT_L2CAP_CONF_REJECT;
1451 goto done;
1452 }
1453
1454 opt_fcs = (struct bt_l2cap_conf_opt_fcs *)buf->data;
1455
1456 LOG_DBG("FCS type %u", opt_fcs->type);
1457
1458 if (opt_fcs->type != BT_L2CAP_FCS_TYPE_NO) {
1459 /* Set to default value */
1460 result = BT_L2CAP_CONF_UNACCEPT;
1461 opt_fcs->type = BT_L2CAP_FCS_TYPE_NO;
1462 }
1463
1464 done:
1465 return result;
1466 }
1467
l2cap_br_conf_req(struct bt_l2cap_br * l2cap,uint8_t ident,uint16_t len,struct net_buf * buf)1468 static void l2cap_br_conf_req(struct bt_l2cap_br *l2cap, uint8_t ident,
1469 uint16_t len, struct net_buf *buf)
1470 {
1471 struct bt_conn *conn = l2cap->chan.chan.conn;
1472 struct bt_l2cap_chan *chan;
1473 struct bt_l2cap_conf_req *req;
1474 struct bt_l2cap_sig_hdr *hdr;
1475 struct bt_l2cap_conf_rsp *rsp;
1476 struct bt_l2cap_conf_opt *opt = NULL;
1477 uint16_t flags, dcid, opt_len, hint, result = BT_L2CAP_CONF_SUCCESS;
1478
1479 if (buf->len < sizeof(*req)) {
1480 LOG_ERR("Too small L2CAP conf req packet size");
1481 return;
1482 }
1483
1484 req = net_buf_pull_mem(buf, sizeof(*req));
1485 flags = sys_le16_to_cpu(req->flags);
1486 dcid = sys_le16_to_cpu(req->dcid);
1487 opt_len = len - sizeof(*req);
1488
1489 LOG_DBG("dcid 0x%04x flags 0x%02x len %u", dcid, flags, opt_len);
1490
1491 chan = bt_l2cap_br_lookup_rx_cid(conn, dcid);
1492 if (!chan) {
1493 LOG_ERR("rx channel mismatch!");
1494 struct bt_l2cap_cmd_reject_cid_data data = {
1495 .scid = req->dcid,
1496 .dcid = 0,
1497 };
1498
1499 l2cap_br_send_reject(conn, ident, BT_L2CAP_REJ_INVALID_CID,
1500 &data, sizeof(data));
1501 return;
1502 }
1503
1504 if (!opt_len) {
1505 LOG_DBG("tx default MTU %u", L2CAP_BR_DEFAULT_MTU);
1506 BR_CHAN(chan)->tx.mtu = L2CAP_BR_DEFAULT_MTU;
1507 goto send_rsp;
1508 }
1509
1510 while (buf->len >= sizeof(*opt)) {
1511 opt = net_buf_pull_mem(buf, sizeof(*opt));
1512
1513 /* make sure opt object can get safe dereference in iteration */
1514 if (buf->len < opt->len) {
1515 LOG_ERR("Received too short option data");
1516 result = BT_L2CAP_CONF_REJECT;
1517 break;
1518 }
1519
1520 hint = opt->type & BT_L2CAP_CONF_HINT;
1521
1522 switch (opt->type & BT_L2CAP_CONF_MASK) {
1523 case BT_L2CAP_CONF_OPT_MTU:
1524 /* getting MTU modifies buf internals */
1525 result = l2cap_br_conf_opt_mtu(chan, buf, opt->len);
1526 /*
1527 * MTU is done. For now bailout the loop but later on
1528 * there can be a need to continue checking next options
1529 * that are after MTU value and then goto is not proper
1530 * way out here.
1531 */
1532 goto send_rsp;
1533 case BT_L2CAP_CONF_OPT_FLUSH_TIMEOUT:
1534 result = l2cap_br_conf_opt_flush_timeout(chan, buf, opt->len);
1535 if (result != BT_L2CAP_CONF_SUCCESS) {
1536 goto send_rsp;
1537 }
1538 break;
1539 case BT_L2CAP_CONF_OPT_QOS:
1540 result = l2cap_br_conf_opt_qos(chan, buf, opt->len);
1541 if (result != BT_L2CAP_CONF_SUCCESS) {
1542 goto send_rsp;
1543 }
1544 break;
1545 case BT_L2CAP_CONF_OPT_RET_FC:
1546 result = l2cap_br_conf_opt_ret_fc(chan, buf, opt->len);
1547 if (result != BT_L2CAP_CONF_SUCCESS) {
1548 goto send_rsp;
1549 }
1550 break;
1551 case BT_L2CAP_CONF_OPT_FCS:
1552 result = l2cap_br_conf_opt_fcs(chan, buf, opt->len);
1553 if (result != BT_L2CAP_CONF_SUCCESS) {
1554 goto send_rsp;
1555 }
1556 break;
1557 case BT_L2CAP_CONF_OPT_EXT_FLOW_SPEC:
1558 __fallthrough;
1559 case BT_L2CAP_CONF_OPT_EXT_WIN_SIZE:
1560 result = BT_L2CAP_CONF_REJECT;
1561 goto send_rsp;
1562 default:
1563 if (!hint) {
1564 LOG_DBG("option %u not handled", opt->type);
1565 result = BT_L2CAP_CONF_UNKNOWN_OPT;
1566 goto send_rsp;
1567 }
1568 break;
1569 }
1570
1571 /* Update buffer to point at next option */
1572 net_buf_pull(buf, opt->len);
1573 }
1574
1575 send_rsp:
1576 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1577
1578 hdr = net_buf_add(buf, sizeof(*hdr));
1579 hdr->code = BT_L2CAP_CONF_RSP;
1580 hdr->ident = ident;
1581 rsp = net_buf_add(buf, sizeof(*rsp));
1582 (void)memset(rsp, 0, sizeof(*rsp));
1583
1584 rsp->result = sys_cpu_to_le16(result);
1585 rsp->scid = sys_cpu_to_le16(BR_CHAN(chan)->tx.cid);
1586
1587 /*
1588 * Core 5.4, Vol 3, Part A, section 4.5.
1589 * When used in the L2CAP_CONFIGURATION_RSP packet,
1590 * the continuation flag shall be set to one if the
1591 * flag is set to one in the Request, except for
1592 * those error conditions more appropriate for an
1593 * L2CAP_COMMAND_REJECT_RSP packet.
1594 */
1595 rsp->flags = sys_cpu_to_le16(flags & BT_L2CAP_CONF_FLAGS_MASK);
1596
1597 /*
1598 * TODO: If options other than MTU became meaningful then processing
1599 * the options chain need to be modified and taken into account when
1600 * sending back to peer.
1601 */
1602 if ((result == BT_L2CAP_CONF_UNKNOWN_OPT) || (result == BT_L2CAP_CONF_UNACCEPT)) {
1603 if (opt) {
1604 l2cap_br_conf_add_opt(buf, opt);
1605 }
1606 }
1607
1608 hdr->len = sys_cpu_to_le16(buf->len - sizeof(*hdr));
1609
1610 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, buf);
1611
1612 if (result != BT_L2CAP_CONF_SUCCESS) {
1613 return;
1614 }
1615
1616 atomic_set_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_RCONF_DONE);
1617
1618 if (atomic_test_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_LCONF_DONE) &&
1619 BR_CHAN(chan)->state == BT_L2CAP_CONFIG) {
1620 LOG_DBG("scid 0x%04x rx MTU %u dcid 0x%04x tx MTU %u", BR_CHAN(chan)->rx.cid,
1621 BR_CHAN(chan)->rx.mtu, BR_CHAN(chan)->tx.cid, BR_CHAN(chan)->tx.mtu);
1622
1623 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_CONNECTED);
1624 if (chan->ops && chan->ops->connected) {
1625 chan->ops->connected(chan);
1626 }
1627 }
1628 }
1629
l2cap_br_remove_tx_cid(struct bt_conn * conn,uint16_t cid)1630 static struct bt_l2cap_br_chan *l2cap_br_remove_tx_cid(struct bt_conn *conn,
1631 uint16_t cid)
1632 {
1633 struct bt_l2cap_chan *chan;
1634 sys_snode_t *prev = NULL;
1635
1636 /* Protect fixed channels against accidental removal */
1637 if (!L2CAP_BR_CID_IS_DYN(cid)) {
1638 return NULL;
1639 }
1640
1641 SYS_SLIST_FOR_EACH_CONTAINER(&conn->channels, chan, node) {
1642 if (BR_CHAN(chan)->tx.cid == cid) {
1643 sys_slist_remove(&conn->channels, prev, &chan->node);
1644 return BR_CHAN(chan);
1645 }
1646
1647 prev = &chan->node;
1648 }
1649
1650 return NULL;
1651 }
1652
l2cap_br_disconn_req(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)1653 static void l2cap_br_disconn_req(struct bt_l2cap_br *l2cap, uint8_t ident,
1654 struct net_buf *buf)
1655 {
1656 struct bt_conn *conn = l2cap->chan.chan.conn;
1657 struct bt_l2cap_br_chan *chan;
1658 struct bt_l2cap_disconn_req *req = (void *)buf->data;
1659 struct bt_l2cap_disconn_rsp *rsp;
1660 struct bt_l2cap_sig_hdr *hdr;
1661 uint16_t scid, dcid;
1662
1663 if (buf->len < sizeof(*req)) {
1664 LOG_ERR("Too small disconn req packet size");
1665 return;
1666 }
1667
1668 dcid = sys_le16_to_cpu(req->dcid);
1669 scid = sys_le16_to_cpu(req->scid);
1670
1671 LOG_DBG("scid 0x%04x dcid 0x%04x", dcid, scid);
1672
1673 chan = l2cap_br_remove_tx_cid(conn, scid);
1674 if (!chan) {
1675 struct bt_l2cap_cmd_reject_cid_data data;
1676
1677 data.scid = req->scid;
1678 data.dcid = req->dcid;
1679 l2cap_br_send_reject(conn, ident, BT_L2CAP_REJ_INVALID_CID,
1680 &data, sizeof(data));
1681 return;
1682 }
1683
1684 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1685
1686 hdr = net_buf_add(buf, sizeof(*hdr));
1687 hdr->code = BT_L2CAP_DISCONN_RSP;
1688 hdr->ident = ident;
1689 hdr->len = sys_cpu_to_le16(sizeof(*rsp));
1690
1691 rsp = net_buf_add(buf, sizeof(*rsp));
1692 rsp->dcid = sys_cpu_to_le16(chan->rx.cid);
1693 rsp->scid = sys_cpu_to_le16(chan->tx.cid);
1694
1695 bt_l2cap_br_chan_del(&chan->chan);
1696
1697 l2cap_send(conn, BT_L2CAP_CID_BR_SIG, buf);
1698 }
1699
l2cap_br_connected(struct bt_l2cap_chan * chan)1700 static void l2cap_br_connected(struct bt_l2cap_chan *chan)
1701 {
1702 LOG_DBG("ch %p cid 0x%04x", BR_CHAN(chan), BR_CHAN(chan)->rx.cid);
1703 }
1704
l2cap_br_disconnected(struct bt_l2cap_chan * chan)1705 static void l2cap_br_disconnected(struct bt_l2cap_chan *chan)
1706 {
1707 struct bt_l2cap_br_chan *br_chan = BR_CHAN(chan);
1708
1709 LOG_DBG("ch %p cid 0x%04x", br_chan, br_chan->rx.cid);
1710
1711 if (atomic_test_and_clear_bit(br_chan->flags,
1712 L2CAP_FLAG_SIG_INFO_PENDING)) {
1713 /* Cancel RTX work on signal channel.
1714 * Disconnected callback is always called from system workqueue
1715 * so this should always succeed.
1716 */
1717 (void)k_work_cancel_delayable(&br_chan->rtx_work);
1718 }
1719 }
1720
bt_l2cap_br_chan_disconnect(struct bt_l2cap_chan * chan)1721 int bt_l2cap_br_chan_disconnect(struct bt_l2cap_chan *chan)
1722 {
1723 struct bt_conn *conn = chan->conn;
1724 struct net_buf *buf;
1725 struct bt_l2cap_disconn_req *req;
1726 struct bt_l2cap_sig_hdr *hdr;
1727 struct bt_l2cap_br_chan *br_chan;
1728
1729 if (!conn) {
1730 return -ENOTCONN;
1731 }
1732
1733 br_chan = BR_CHAN(chan);
1734
1735 if (br_chan->state == BT_L2CAP_DISCONNECTING) {
1736 return -EALREADY;
1737 }
1738
1739 LOG_DBG("chan %p scid 0x%04x dcid 0x%04x", chan, br_chan->rx.cid, br_chan->tx.cid);
1740
1741 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1742
1743 hdr = net_buf_add(buf, sizeof(*hdr));
1744 hdr->code = BT_L2CAP_DISCONN_REQ;
1745 hdr->ident = l2cap_br_get_ident();
1746 hdr->len = sys_cpu_to_le16(sizeof(*req));
1747
1748 req = net_buf_add(buf, sizeof(*req));
1749 req->dcid = sys_cpu_to_le16(br_chan->tx.cid);
1750 req->scid = sys_cpu_to_le16(br_chan->rx.cid);
1751
1752 l2cap_br_chan_send_req(br_chan, buf, L2CAP_BR_DISCONN_TIMEOUT);
1753 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_DISCONNECTING);
1754
1755 return 0;
1756 }
1757
l2cap_br_disconn_rsp(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)1758 static void l2cap_br_disconn_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
1759 struct net_buf *buf)
1760 {
1761 struct bt_conn *conn = l2cap->chan.chan.conn;
1762 struct bt_l2cap_br_chan *chan;
1763 struct bt_l2cap_disconn_rsp *rsp = (void *)buf->data;
1764 uint16_t dcid, scid;
1765
1766 if (buf->len < sizeof(*rsp)) {
1767 LOG_ERR("Too small disconn rsp packet size");
1768 return;
1769 }
1770
1771 dcid = sys_le16_to_cpu(rsp->dcid);
1772 scid = sys_le16_to_cpu(rsp->scid);
1773
1774 LOG_DBG("dcid 0x%04x scid 0x%04x", dcid, scid);
1775
1776 chan = l2cap_br_remove_tx_cid(conn, dcid);
1777 if (!chan) {
1778 LOG_WRN("No dcid 0x%04x channel found", dcid);
1779 return;
1780 }
1781
1782 bt_l2cap_br_chan_del(&chan->chan);
1783 }
1784
bt_l2cap_br_chan_connect(struct bt_conn * conn,struct bt_l2cap_chan * chan,uint16_t psm)1785 int bt_l2cap_br_chan_connect(struct bt_conn *conn, struct bt_l2cap_chan *chan,
1786 uint16_t psm)
1787 {
1788 struct net_buf *buf;
1789 struct bt_l2cap_sig_hdr *hdr;
1790 struct bt_l2cap_conn_req *req;
1791 struct bt_l2cap_br_chan *br_chan = BR_CHAN(chan);
1792
1793 if (!psm) {
1794 return -EINVAL;
1795 }
1796
1797 if (br_chan->psm) {
1798 return -EEXIST;
1799 }
1800
1801 /* PSM must be odd and lsb of upper byte must be 0 */
1802 if ((psm & 0x0101) != 0x0001) {
1803 return -EINVAL;
1804 }
1805
1806 if (br_chan->required_sec_level > BT_SECURITY_L4) {
1807 return -EINVAL;
1808 } else if (br_chan->required_sec_level == BT_SECURITY_L0 &&
1809 psm != L2CAP_BR_PSM_SDP) {
1810 br_chan->required_sec_level = BT_SECURITY_L1;
1811 }
1812
1813 switch (br_chan->state) {
1814 case BT_L2CAP_CONNECTED:
1815 /* Already connected */
1816 return -EISCONN;
1817 case BT_L2CAP_DISCONNECTED:
1818 /* Can connect */
1819 break;
1820 case BT_L2CAP_CONFIG:
1821 case BT_L2CAP_DISCONNECTING:
1822 default:
1823 /* Bad context */
1824 return -EBUSY;
1825 }
1826
1827 if (!l2cap_br_chan_add(conn, chan, l2cap_br_chan_destroy)) {
1828 return -ENOMEM;
1829 }
1830
1831 br_chan->psm = psm;
1832 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_CONNECTING);
1833 atomic_set_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_PENDING);
1834
1835 switch (l2cap_br_conn_security(chan, psm)) {
1836 case L2CAP_CONN_SECURITY_PENDING:
1837 /*
1838 * Authentication was triggered, wait with sending request on
1839 * connection security changed callback context.
1840 */
1841 return 0;
1842 case L2CAP_CONN_SECURITY_PASSED:
1843 break;
1844 case L2CAP_CONN_SECURITY_REJECT:
1845 default:
1846 l2cap_br_chan_cleanup(chan);
1847 return -EIO;
1848 }
1849
1850 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
1851
1852 hdr = net_buf_add(buf, sizeof(*hdr));
1853 hdr->code = BT_L2CAP_CONN_REQ;
1854 hdr->ident = l2cap_br_get_ident();
1855 hdr->len = sys_cpu_to_le16(sizeof(*req));
1856
1857 req = net_buf_add(buf, sizeof(*req));
1858 req->psm = sys_cpu_to_le16(psm);
1859 req->scid = sys_cpu_to_le16(BR_CHAN(chan)->rx.cid);
1860
1861 l2cap_br_chan_send_req(BR_CHAN(chan), buf, L2CAP_BR_CONN_TIMEOUT);
1862
1863 return 0;
1864 }
1865
l2cap_br_conn_rsp(struct bt_l2cap_br * l2cap,uint8_t ident,struct net_buf * buf)1866 static void l2cap_br_conn_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
1867 struct net_buf *buf)
1868 {
1869 struct bt_conn *conn = l2cap->chan.chan.conn;
1870 struct bt_l2cap_chan *chan;
1871 struct bt_l2cap_conn_rsp *rsp = (void *)buf->data;
1872 uint16_t dcid, scid, result, status;
1873 struct bt_l2cap_br_chan *br_chan;
1874
1875 if (buf->len < sizeof(*rsp)) {
1876 LOG_ERR("Too small L2CAP conn rsp packet size");
1877 return;
1878 }
1879
1880 dcid = sys_le16_to_cpu(rsp->dcid);
1881 scid = sys_le16_to_cpu(rsp->scid);
1882 result = sys_le16_to_cpu(rsp->result);
1883 status = sys_le16_to_cpu(rsp->status);
1884
1885 LOG_DBG("dcid 0x%04x scid 0x%04x result %u status %u", dcid, scid, result, status);
1886
1887 chan = bt_l2cap_br_lookup_rx_cid(conn, scid);
1888 if (!chan) {
1889 LOG_ERR("No scid 0x%04x channel found", scid);
1890 return;
1891 }
1892
1893 br_chan = BR_CHAN(chan);
1894
1895 /* Release RTX work since got the response */
1896 k_work_cancel_delayable(&br_chan->rtx_work);
1897
1898 if (br_chan->state != BT_L2CAP_CONNECTING) {
1899 LOG_DBG("Invalid channel %p state %s", chan,
1900 bt_l2cap_chan_state_str(br_chan->state));
1901 return;
1902 }
1903
1904 switch (result) {
1905 case BT_L2CAP_BR_SUCCESS:
1906 br_chan->ident = 0U;
1907 BR_CHAN(chan)->tx.cid = dcid;
1908 l2cap_br_conf(chan);
1909 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_CONFIG);
1910 atomic_clear_bit(BR_CHAN(chan)->flags, L2CAP_FLAG_CONN_PENDING);
1911 break;
1912 case BT_L2CAP_BR_PENDING:
1913 k_work_reschedule(&br_chan->rtx_work, L2CAP_BR_CONN_TIMEOUT);
1914 break;
1915 default:
1916 l2cap_br_chan_cleanup(chan);
1917 break;
1918 }
1919 }
1920
bt_l2cap_br_chan_send_cb(struct bt_l2cap_chan * chan,struct net_buf * buf,bt_conn_tx_cb_t cb,void * user_data)1921 int bt_l2cap_br_chan_send_cb(struct bt_l2cap_chan *chan, struct net_buf *buf, bt_conn_tx_cb_t cb,
1922 void *user_data)
1923 {
1924 struct bt_l2cap_br_chan *br_chan;
1925
1926 if (!buf || !chan) {
1927 return -EINVAL;
1928 }
1929
1930 br_chan = BR_CHAN(chan);
1931
1932 LOG_DBG("chan %p buf %p len %zu", chan, buf, net_buf_frags_len(buf));
1933
1934 if (!chan->conn || chan->conn->state != BT_CONN_CONNECTED) {
1935 return -ENOTCONN;
1936 }
1937
1938 if (atomic_test_bit(chan->status, BT_L2CAP_STATUS_SHUTDOWN)) {
1939 return -ESHUTDOWN;
1940 }
1941
1942 if (buf->len > br_chan->tx.mtu) {
1943 return -EMSGSIZE;
1944 }
1945
1946 return bt_l2cap_br_send_cb(br_chan->chan.conn, br_chan->tx.cid, buf, cb, user_data);
1947 }
1948
bt_l2cap_br_chan_send(struct bt_l2cap_chan * chan,struct net_buf * buf)1949 int bt_l2cap_br_chan_send(struct bt_l2cap_chan *chan, struct net_buf *buf)
1950 {
1951 return bt_l2cap_br_chan_send_cb(chan, buf, NULL, NULL);
1952 }
1953
l2cap_br_sig_handle(struct bt_l2cap_br * l2cap,struct bt_l2cap_sig_hdr * hdr,struct net_buf * buf)1954 static void l2cap_br_sig_handle(struct bt_l2cap_br *l2cap, struct bt_l2cap_sig_hdr *hdr,
1955 struct net_buf *buf)
1956 {
1957 uint16_t len;
1958 struct net_buf_simple_state state;
1959
1960 len = sys_le16_to_cpu(hdr->len);
1961
1962 net_buf_simple_save(&buf->b, &state);
1963
1964 switch (hdr->code) {
1965 case BT_L2CAP_INFO_RSP:
1966 l2cap_br_info_rsp(l2cap, hdr->ident, buf);
1967 break;
1968 case BT_L2CAP_INFO_REQ:
1969 l2cap_br_info_req(l2cap, hdr->ident, buf);
1970 break;
1971 case BT_L2CAP_DISCONN_REQ:
1972 l2cap_br_disconn_req(l2cap, hdr->ident, buf);
1973 break;
1974 case BT_L2CAP_CONN_REQ:
1975 l2cap_br_conn_req(l2cap, hdr->ident, buf);
1976 break;
1977 case BT_L2CAP_CONF_RSP:
1978 l2cap_br_conf_rsp(l2cap, hdr->ident, len, buf);
1979 break;
1980 case BT_L2CAP_CONF_REQ:
1981 l2cap_br_conf_req(l2cap, hdr->ident, len, buf);
1982 break;
1983 case BT_L2CAP_DISCONN_RSP:
1984 l2cap_br_disconn_rsp(l2cap, hdr->ident, buf);
1985 break;
1986 case BT_L2CAP_CONN_RSP:
1987 l2cap_br_conn_rsp(l2cap, hdr->ident, buf);
1988 break;
1989 default:
1990 LOG_WRN("Unknown/Unsupported L2CAP PDU code 0x%02x", hdr->code);
1991 l2cap_br_send_reject(l2cap->chan.chan.conn, hdr->ident,
1992 BT_L2CAP_REJ_NOT_UNDERSTOOD, NULL, 0);
1993 break;
1994 }
1995
1996 net_buf_simple_restore(&buf->b, &state);
1997 (void)net_buf_pull_mem(buf, len);
1998 }
1999
l2cap_br_recv(struct bt_l2cap_chan * chan,struct net_buf * buf)2000 static int l2cap_br_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
2001 {
2002 struct bt_l2cap_br *l2cap = CONTAINER_OF(chan, struct bt_l2cap_br, chan.chan);
2003 struct bt_l2cap_sig_hdr *hdr;
2004 uint16_t len;
2005
2006 while (buf->len > 0) {
2007 if (buf->len < sizeof(*hdr)) {
2008 LOG_ERR("Too small L2CAP signaling PDU");
2009 return 0;
2010 }
2011
2012 hdr = net_buf_pull_mem(buf, sizeof(*hdr));
2013 len = sys_le16_to_cpu(hdr->len);
2014
2015 LOG_DBG("Signaling code 0x%02x ident %u len %u", hdr->code, hdr->ident, len);
2016
2017 if (buf->len < len) {
2018 LOG_ERR("L2CAP length is short (%u < %u)", buf->len, len);
2019 return 0;
2020 }
2021
2022 if (!hdr->ident) {
2023 LOG_ERR("Invalid ident value in L2CAP PDU");
2024 (void)net_buf_pull_mem(buf, len);
2025 continue;
2026 }
2027
2028 l2cap_br_sig_handle(l2cap, hdr, buf);
2029 }
2030
2031 return 0;
2032 }
2033
l2cap_br_conn_pend(struct bt_l2cap_chan * chan,uint8_t status)2034 static void l2cap_br_conn_pend(struct bt_l2cap_chan *chan, uint8_t status)
2035 {
2036 struct net_buf *buf;
2037 struct bt_l2cap_sig_hdr *hdr;
2038 struct bt_l2cap_conn_req *req;
2039
2040 if (BR_CHAN(chan)->state != BT_L2CAP_CONNECTING) {
2041 return;
2042 }
2043
2044 LOG_DBG("chan %p status 0x%02x encr 0x%02x", chan, status, chan->conn->encrypt);
2045
2046 if (status) {
2047 /*
2048 * Security procedure status is non-zero so respond with
2049 * security violation only as channel acceptor.
2050 */
2051 l2cap_br_conn_req_reply(chan, BT_L2CAP_BR_ERR_SEC_BLOCK);
2052
2053 /* Release channel allocated to outgoing connection request */
2054 if (atomic_test_bit(BR_CHAN(chan)->flags,
2055 L2CAP_FLAG_CONN_PENDING)) {
2056 l2cap_br_chan_cleanup(chan);
2057 }
2058
2059 return;
2060 }
2061
2062 if (!chan->conn->encrypt) {
2063 return;
2064 }
2065
2066 /*
2067 * For incoming connection state send confirming outstanding
2068 * response and initiate configuration request.
2069 */
2070 if (l2cap_br_conn_req_reply(chan, BT_L2CAP_BR_SUCCESS) == 0) {
2071 bt_l2cap_br_chan_set_state(chan, BT_L2CAP_CONFIG);
2072 /*
2073 * Initialize config request since remote needs to know
2074 * local MTU segmentation.
2075 */
2076 l2cap_br_conf(chan);
2077 } else if (atomic_test_and_clear_bit(BR_CHAN(chan)->flags,
2078 L2CAP_FLAG_CONN_PENDING)) {
2079 buf = bt_l2cap_create_pdu(&br_sig_pool, 0);
2080
2081 hdr = net_buf_add(buf, sizeof(*hdr));
2082 hdr->code = BT_L2CAP_CONN_REQ;
2083 hdr->ident = l2cap_br_get_ident();
2084 hdr->len = sys_cpu_to_le16(sizeof(*req));
2085
2086 req = net_buf_add(buf, sizeof(*req));
2087 req->psm = sys_cpu_to_le16(BR_CHAN(chan)->psm);
2088 req->scid = sys_cpu_to_le16(BR_CHAN(chan)->rx.cid);
2089
2090 l2cap_br_chan_send_req(BR_CHAN(chan), buf,
2091 L2CAP_BR_CONN_TIMEOUT);
2092 }
2093 }
2094
l2cap_br_encrypt_change(struct bt_conn * conn,uint8_t hci_status)2095 void l2cap_br_encrypt_change(struct bt_conn *conn, uint8_t hci_status)
2096 {
2097 struct bt_l2cap_chan *chan;
2098
2099 SYS_SLIST_FOR_EACH_CONTAINER(&conn->channels, chan, node) {
2100 l2cap_br_conn_pend(chan, hci_status);
2101
2102 if (chan->ops && chan->ops->encrypt_change) {
2103 chan->ops->encrypt_change(chan, hci_status);
2104 }
2105 }
2106 }
2107
check_fixed_channel(struct bt_l2cap_chan * chan)2108 static void check_fixed_channel(struct bt_l2cap_chan *chan)
2109 {
2110 struct bt_l2cap_br_chan *br_chan = BR_CHAN(chan);
2111
2112 if (br_chan->rx.cid < L2CAP_BR_CID_DYN_START) {
2113 connect_fixed_channel(br_chan);
2114 }
2115 }
2116
bt_l2cap_br_recv(struct bt_conn * conn,struct net_buf * buf)2117 void bt_l2cap_br_recv(struct bt_conn *conn, struct net_buf *buf)
2118 {
2119 struct bt_l2cap_hdr *hdr;
2120 struct bt_l2cap_chan *chan;
2121 uint16_t cid;
2122
2123 if (buf->len < sizeof(*hdr)) {
2124 LOG_ERR("Too small L2CAP PDU received");
2125 net_buf_unref(buf);
2126 return;
2127 }
2128
2129 hdr = net_buf_pull_mem(buf, sizeof(*hdr));
2130 cid = sys_le16_to_cpu(hdr->cid);
2131
2132 chan = bt_l2cap_br_lookup_rx_cid(conn, cid);
2133 if (!chan) {
2134 LOG_WRN("Ignoring data for unknown channel ID 0x%04x", cid);
2135 net_buf_unref(buf);
2136 return;
2137 }
2138
2139 /*
2140 * if data was received for fixed channel before Information
2141 * Response we connect channel here.
2142 */
2143 check_fixed_channel(chan);
2144
2145 chan->ops->recv(chan, buf);
2146 net_buf_unref(buf);
2147 }
2148
l2cap_br_accept(struct bt_conn * conn,struct bt_l2cap_chan ** chan)2149 static int l2cap_br_accept(struct bt_conn *conn, struct bt_l2cap_chan **chan)
2150 {
2151 int i;
2152 static const struct bt_l2cap_chan_ops ops = {
2153 .connected = l2cap_br_connected,
2154 .disconnected = l2cap_br_disconnected,
2155 .recv = l2cap_br_recv,
2156 };
2157
2158 LOG_DBG("conn %p handle %u", conn, conn->handle);
2159
2160 for (i = 0; i < ARRAY_SIZE(bt_l2cap_br_pool); i++) {
2161 struct bt_l2cap_br *l2cap = &bt_l2cap_br_pool[i];
2162
2163 if (l2cap->chan.chan.conn) {
2164 continue;
2165 }
2166
2167 l2cap->chan.chan.ops = &ops;
2168 *chan = &l2cap->chan.chan;
2169 atomic_set(l2cap->chan.flags, 0);
2170 return 0;
2171 }
2172
2173 LOG_ERR("No available L2CAP context for conn %p", conn);
2174
2175 return -ENOMEM;
2176 }
2177
2178 BT_L2CAP_BR_CHANNEL_DEFINE(br_fixed_chan, BT_L2CAP_CID_BR_SIG, l2cap_br_accept);
2179
bt_l2cap_br_init(void)2180 void bt_l2cap_br_init(void)
2181 {
2182 sys_slist_init(&br_servers);
2183
2184 if (IS_ENABLED(CONFIG_BT_RFCOMM)) {
2185 bt_rfcomm_init();
2186 }
2187
2188 if (IS_ENABLED(CONFIG_BT_AVDTP)) {
2189 bt_avdtp_init();
2190 }
2191
2192 if (IS_ENABLED(CONFIG_BT_AVCTP)) {
2193 bt_avctp_init();
2194 }
2195
2196 bt_sdp_init();
2197
2198 if (IS_ENABLED(CONFIG_BT_A2DP)) {
2199 bt_a2dp_init();
2200 }
2201
2202 if (IS_ENABLED(CONFIG_BT_AVRCP)) {
2203 bt_avrcp_init();
2204 }
2205 }
2206
