mk-rootfs.sh

hc

2023-12-11 072de836f53be56a70cecf70b43ae43b7ce17376

 kernel/net/bluetooth/l2cap_core.c
..
..
@@ -45,14 +45,12 @@
45
45
 #define LE_FLOWCTL_MAX_CREDITS 65535
46
46
 
47
47
 bool disable_ertm;
48
+bool enable_ecred;
48
49
 
49
50
 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
50
51
 
51
52
 static LIST_HEAD(chan_list);
52
53
 static DEFINE_RWLOCK(chan_list_lock);
53
-
54
-static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55
-static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56
54
 
57
55
 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
58
56
 				       u8 code, u8 ident, u16 dlen, void *data);
..
..
@@ -63,6 +61,9 @@
63
61
 
64
62
 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
65
63
 		     struct sk_buff_head *skbs, u8 event);
64
+static void l2cap_retrans_timeout(struct work_struct *work);
65
+static void l2cap_monitor_timeout(struct work_struct *work);
66
+static void l2cap_ack_timeout(struct work_struct *work);
66
67
 
67
68
 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
68
69
 {
..
..
@@ -113,7 +114,8 @@
113
114
 }
114
115
 
115
116
 /* Find channel with given SCID.
116
- * Returns locked channel. */
117
+ * Returns a reference locked channel.
118
+ */
117
119
 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118
120
 						 u16 cid)
119
121
 {
..
..
@@ -121,15 +123,19 @@
121
123
 
122
124
 	mutex_lock(&conn->chan_lock);
123
125
 	c = __l2cap_get_chan_by_scid(conn, cid);
124
-	if (c)
125
-		l2cap_chan_lock(c);
126
+	if (c) {
127
+		/* Only lock if chan reference is not 0 */
128
+		c = l2cap_chan_hold_unless_zero(c);
129
+		if (c)
130
+			l2cap_chan_lock(c);
131
+	}
126
132
 	mutex_unlock(&conn->chan_lock);
127
133
 
128
134
 	return c;
129
135
 }
130
136
 
131
137
 /* Find channel with given DCID.
132
- * Returns locked channel.
138
+ * Returns a reference locked channel.
133
139
  */
134
140
 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
135
141
 						 u16 cid)
..
..
@@ -138,8 +144,12 @@
138
144
 
139
145
 	mutex_lock(&conn->chan_lock);
140
146
 	c = __l2cap_get_chan_by_dcid(conn, cid);
141
-	if (c)
142
-		l2cap_chan_lock(c);
147
+	if (c) {
148
+		/* Only lock if chan reference is not 0 */
149
+		c = l2cap_chan_hold_unless_zero(c);
150
+		if (c)
151
+			l2cap_chan_lock(c);
152
+	}
143
153
 	mutex_unlock(&conn->chan_lock);
144
154
 
145
155
 	return c;
..
..
@@ -164,18 +174,29 @@
164
174
 
165
175
 	mutex_lock(&conn->chan_lock);
166
176
 	c = __l2cap_get_chan_by_ident(conn, ident);
167
-	if (c)
168
-		l2cap_chan_lock(c);
177
+	if (c) {
178
+		/* Only lock if chan reference is not 0 */
179
+		c = l2cap_chan_hold_unless_zero(c);
180
+		if (c)
181
+			l2cap_chan_lock(c);
182
+	}
169
183
 	mutex_unlock(&conn->chan_lock);
170
184
 
171
185
 	return c;
172
186
 }
173
187
 
174
-static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
188
+static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
189
+						      u8 src_type)
175
190
 {
176
191
 	struct l2cap_chan *c;
177
192
 
178
193
 	list_for_each_entry(c, &chan_list, global_l) {
194
+		if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
195
+			continue;
196
+
197
+		if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
198
+			continue;
199
+
179
200
 		if (c->sport == psm && !bacmp(&c->src, src))
180
201
 			return c;
181
202
 	}
..
..
@@ -188,7 +209,7 @@
188
209
 
189
210
 	write_lock(&chan_list_lock);
190
211
 
191
-	if (psm && __l2cap_global_chan_by_addr(psm, src)) {
212
+	if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
192
213
 		err = -EADDRINUSE;
193
214
 		goto done;
194
215
 	}
..
..
@@ -212,7 +233,8 @@
212
233
 
213
234
 		err = -EINVAL;
214
235
 		for (p = start; p <= end; p += incr)
215
-			if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
236
+			if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
237
+							 chan->src_type)) {
216
238
 				chan->psm   = cpu_to_le16(p);
217
239
 				chan->sport = cpu_to_le16(p);
218
240
 				err = 0;
..
..
@@ -457,6 +479,9 @@
457
479
 	write_unlock(&chan_list_lock);
458
480
 
459
481
 	INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
482
+	INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
483
+	INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
484
+	INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
460
485
 
461
486
 	chan->state = BT_OPEN;
462
487
 
..
..
@@ -491,6 +516,16 @@
491
516
 	kref_get(&c->kref);
492
517
 }
493
518
 
519
+struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c)
520
+{
521
+	BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
522
+
523
+	if (!kref_get_unless_zero(&c->kref))
524
+		return NULL;
525
+
526
+	return c;
527
+}
528
+
494
529
 void l2cap_chan_put(struct l2cap_chan *c)
495
530
 {
496
531
 	BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
..
..
@@ -520,16 +555,29 @@
520
555
 }
521
556
 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
522
557
 
523
-static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
558
+static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
524
559
 {
525
560
 	chan->sdu = NULL;
526
561
 	chan->sdu_last_frag = NULL;
527
562
 	chan->sdu_len = 0;
528
-	chan->tx_credits = 0;
529
-	chan->rx_credits = le_max_credits;
530
-	chan->mps = min_t(u16, chan->imtu, le_default_mps);
563
+	chan->tx_credits = tx_credits;
564
+	/* Derive MPS from connection MTU to stop HCI fragmentation */
565
+	chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
566
+	/* Give enough credits for a full packet */
567
+	chan->rx_credits = (chan->imtu / chan->mps) + 1;
531
568
 
532
569
 	skb_queue_head_init(&chan->tx_q);
570
+}
571
+
572
+static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
573
+{
574
+	l2cap_le_flowctl_init(chan, tx_credits);
575
+
576
+	/* L2CAP implementations shall support a minimum MPS of 64 octets */
577
+	if (chan->mps < L2CAP_ECRED_MIN_MPS) {
578
+		chan->mps = L2CAP_ECRED_MIN_MPS;
579
+		chan->rx_credits = (chan->imtu / chan->mps) + 1;
580
+	}
533
581
 }
534
582
 
535
583
 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
..
..
@@ -638,6 +686,7 @@
638
686
 		break;
639
687
 
640
688
 	case L2CAP_MODE_LE_FLOWCTL:
689
+	case L2CAP_MODE_EXT_FLOWCTL:
641
690
 		skb_queue_purge(&chan->tx_q);
642
691
 		break;
643
692
 
..
..
@@ -650,8 +699,7 @@
650
699
 
651
700
 		l2cap_seq_list_free(&chan->srej_list);
652
701
 		l2cap_seq_list_free(&chan->retrans_list);
653
-
654
-		/* fall through */
702
+		fallthrough;
655
703
 
656
704
 	case L2CAP_MODE_STREAMING:
657
705
 		skb_queue_purge(&chan->tx_q);
..
..
@@ -661,6 +709,29 @@
661
709
 	return;
662
710
 }
663
711
 EXPORT_SYMBOL_GPL(l2cap_chan_del);
712
+
713
+static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
714
+			      void *data)
715
+{
716
+	struct l2cap_chan *chan;
717
+
718
+	list_for_each_entry(chan, &conn->chan_l, list) {
719
+		func(chan, data);
720
+	}
721
+}
722
+
723
+void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
724
+		     void *data)
725
+{
726
+	if (!conn)
727
+		return;
728
+
729
+	mutex_lock(&conn->chan_lock);
730
+	__l2cap_chan_list(conn, func, data);
731
+	mutex_unlock(&conn->chan_lock);
732
+}
733
+
734
+EXPORT_SYMBOL_GPL(l2cap_chan_list);
664
735
 
665
736
 static void l2cap_conn_update_id_addr(struct work_struct *work)
666
737
 {
..
..
@@ -688,9 +759,9 @@
688
759
 	u16 result;
689
760
 
690
761
 	if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
691
-		result = L2CAP_CR_AUTHORIZATION;
762
+		result = L2CAP_CR_LE_AUTHORIZATION;
692
763
 	else
693
-		result = L2CAP_CR_BAD_PSM;
764
+		result = L2CAP_CR_LE_BAD_PSM;
694
765
 
695
766
 	l2cap_state_change(chan, BT_DISCONN);
696
767
 
..
..
@@ -698,6 +769,27 @@
698
769
 	rsp.mtu     = cpu_to_le16(chan->imtu);
699
770
 	rsp.mps     = cpu_to_le16(chan->mps);
700
771
 	rsp.credits = cpu_to_le16(chan->rx_credits);
772
+	rsp.result  = cpu_to_le16(result);
773
+
774
+	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
775
+		       &rsp);
776
+}
777
+
778
+static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
779
+{
780
+	struct l2cap_conn *conn = chan->conn;
781
+	struct l2cap_ecred_conn_rsp rsp;
782
+	u16 result;
783
+
784
+	if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
785
+		result = L2CAP_CR_LE_AUTHORIZATION;
786
+	else
787
+		result = L2CAP_CR_LE_BAD_PSM;
788
+
789
+	l2cap_state_change(chan, BT_DISCONN);
790
+
791
+	memset(&rsp, 0, sizeof(rsp));
792
+
701
793
 	rsp.result  = cpu_to_le16(result);
702
794
 
703
795
 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
..
..
@@ -749,8 +841,16 @@
749
841
 		if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
750
842
 			if (conn->hcon->type == ACL_LINK)
751
843
 				l2cap_chan_connect_reject(chan);
752
-			else if (conn->hcon->type == LE_LINK)
753
-				l2cap_chan_le_connect_reject(chan);
844
+			else if (conn->hcon->type == LE_LINK) {
845
+				switch (chan->mode) {
846
+				case L2CAP_MODE_LE_FLOWCTL:
847
+					l2cap_chan_le_connect_reject(chan);
848
+					break;
849
+				case L2CAP_MODE_EXT_FLOWCTL:
850
+					l2cap_chan_ecred_connect_reject(chan);
851
+					break;
852
+				}
853
+			}
754
854
 		}
755
855
 
756
856
 		l2cap_chan_del(chan, reason);
..
..
@@ -804,7 +904,8 @@
804
904
 			else
805
905
 				return HCI_AT_NO_BONDING;
806
906
 		}
807
-		/* fall through */
907
+		fallthrough;
908
+
808
909
 	default:
809
910
 		switch (chan->sec_level) {
810
911
 		case BT_SECURITY_HIGH:
..
..
@@ -1273,8 +1374,13 @@
1273
1374
 	chan->conf_state = 0;
1274
1375
 	__clear_chan_timer(chan);
1275
1376
 
1276
-	if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1277
-		chan->ops->suspend(chan);
1377
+	switch (chan->mode) {
1378
+	case L2CAP_MODE_LE_FLOWCTL:
1379
+	case L2CAP_MODE_EXT_FLOWCTL:
1380
+		if (!chan->tx_credits)
1381
+			chan->ops->suspend(chan);
1382
+		break;
1383
+	}
1278
1384
 
1279
1385
 	chan->state = BT_CONNECTED;
1280
1386
 
..
..
@@ -1289,6 +1395,11 @@
1289
1395
 	if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1290
1396
 		return;
1291
1397
 
1398
+	if (!chan->imtu)
1399
+		chan->imtu = chan->conn->mtu;
1400
+
1401
+	l2cap_le_flowctl_init(chan, 0);
1402
+
1292
1403
 	req.psm     = chan->psm;
1293
1404
 	req.scid    = cpu_to_le16(chan->scid);
1294
1405
 	req.mtu     = cpu_to_le16(chan->imtu);
..
..
@@ -1299,6 +1410,82 @@
1299
1410
 
1300
1411
 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1301
1412
 		       sizeof(req), &req);
1413
+}
1414
+
1415
+struct l2cap_ecred_conn_data {
1416
+	struct {
1417
+		struct l2cap_ecred_conn_req req;
1418
+		__le16 scid[5];
1419
+	} __packed pdu;
1420
+	struct l2cap_chan *chan;
1421
+	struct pid *pid;
1422
+	int count;
1423
+};
1424
+
1425
+static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1426
+{
1427
+	struct l2cap_ecred_conn_data *conn = data;
1428
+	struct pid *pid;
1429
+
1430
+	if (chan == conn->chan)
1431
+		return;
1432
+
1433
+	if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1434
+		return;
1435
+
1436
+	pid = chan->ops->get_peer_pid(chan);
1437
+
1438
+	/* Only add deferred channels with the same PID/PSM */
1439
+	if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1440
+	    chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1441
+		return;
1442
+
1443
+	if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1444
+		return;
1445
+
1446
+	l2cap_ecred_init(chan, 0);
1447
+
1448
+	/* Set the same ident so we can match on the rsp */
1449
+	chan->ident = conn->chan->ident;
1450
+
1451
+	/* Include all channels deferred */
1452
+	conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1453
+
1454
+	conn->count++;
1455
+}
1456
+
1457
+static void l2cap_ecred_connect(struct l2cap_chan *chan)
1458
+{
1459
+	struct l2cap_conn *conn = chan->conn;
1460
+	struct l2cap_ecred_conn_data data;
1461
+
1462
+	if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1463
+		return;
1464
+
1465
+	if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1466
+		return;
1467
+
1468
+	l2cap_ecred_init(chan, 0);
1469
+
1470
+	memset(&data, 0, sizeof(data));
1471
+	data.pdu.req.psm     = chan->psm;
1472
+	data.pdu.req.mtu     = cpu_to_le16(chan->imtu);
1473
+	data.pdu.req.mps     = cpu_to_le16(chan->mps);
1474
+	data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1475
+	data.pdu.scid[0]     = cpu_to_le16(chan->scid);
1476
+
1477
+	chan->ident = l2cap_get_ident(conn);
1478
+	data.pid = chan->ops->get_peer_pid(chan);
1479
+
1480
+	data.count = 1;
1481
+	data.chan = chan;
1482
+	data.pid = chan->ops->get_peer_pid(chan);
1483
+
1484
+	__l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1485
+
1486
+	l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1487
+		       sizeof(data.pdu.req) + data.count * sizeof(__le16),
1488
+		       &data.pdu);
1302
1489
 }
1303
1490
 
1304
1491
 static void l2cap_le_start(struct l2cap_chan *chan)
..
..
@@ -1313,8 +1500,12 @@
1313
1500
 		return;
1314
1501
 	}
1315
1502
 
1316
-	if (chan->state == BT_CONNECT)
1317
-		l2cap_le_connect(chan);
1503
+	if (chan->state == BT_CONNECT) {
1504
+		if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1505
+			l2cap_ecred_connect(chan);
1506
+		else
1507
+			l2cap_le_connect(chan);
1508
+	}
1318
1509
 }
1319
1510
 
1320
1511
 static void l2cap_start_connection(struct l2cap_chan *chan)
..
..
@@ -1359,7 +1550,7 @@
1359
1550
 	 * actually encrypted before enforcing a key size.
1360
1551
 	 */
1361
1552
 	return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1362
-		hcon->enc_key_size >= HCI_MIN_ENC_KEY_SIZE);
1553
+		hcon->enc_key_size >= hcon->hdev->min_enc_key_size);
1363
1554
 }
1364
1555
 
1365
1556
 static void l2cap_do_start(struct l2cap_chan *chan)
..
..
@@ -1526,8 +1717,8 @@
1526
1717
 	if (hcon->out)
1527
1718
 		smp_conn_security(hcon, hcon->pending_sec_level);
1528
1719
 
1529
-	/* For LE slave connections, make sure the connection interval
1530
-	 * is in the range of the minium and maximum interval that has
1720
+	/* For LE peripheral connections, make sure the connection interval
1721
+	 * is in the range of the minimum and maximum interval that has
1531
1722
 	 * been configured for this connection. If not, then trigger
1532
1723
 	 * the connection update procedure.
1533
1724
 	 */
..
..
@@ -1781,11 +1972,11 @@
1781
1972
 						   bdaddr_t *dst,
1782
1973
 						   u8 link_type)
1783
1974
 {
1784
-	struct l2cap_chan *c, *c1 = NULL;
1975
+	struct l2cap_chan *c, *tmp, *c1 = NULL;
1785
1976
 
1786
1977
 	read_lock(&chan_list_lock);
1787
1978
 
1788
-	list_for_each_entry(c, &chan_list, global_l) {
1979
+	list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
1789
1980
 		if (state && c->state != state)
1790
1981
 			continue;
1791
1982
 
..
..
@@ -1795,7 +1986,7 @@
1795
1986
 		if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1796
1987
 			continue;
1797
1988
 
1798
-		if (c->psm == psm) {
1989
+		if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
1799
1990
 			int src_match, dst_match;
1800
1991
 			int src_any, dst_any;
1801
1992
 
..
..
@@ -1803,7 +1994,9 @@
1803
1994
 			src_match = !bacmp(&c->src, src);
1804
1995
 			dst_match = !bacmp(&c->dst, dst);
1805
1996
 			if (src_match && dst_match) {
1806
-				l2cap_chan_hold(c);
1997
+				if (!l2cap_chan_hold_unless_zero(c))
1998
+					continue;
1999
+
1807
2000
 				read_unlock(&chan_list_lock);
1808
2001
 				return c;
1809
2002
 			}
..
..
@@ -1818,7 +2011,7 @@
1818
2011
 	}
1819
2012
 
1820
2013
 	if (c1)
1821
-		l2cap_chan_hold(c1);
2014
+		c1 = l2cap_chan_hold_unless_zero(c1);
1822
2015
 
1823
2016
 	read_unlock(&chan_list_lock);
1824
2017
 
..
..
@@ -2500,6 +2693,7 @@
2500
2693
 
2501
2694
 	switch (chan->mode) {
2502
2695
 	case L2CAP_MODE_LE_FLOWCTL:
2696
+	case L2CAP_MODE_EXT_FLOWCTL:
2503
2697
 		/* Check outgoing MTU */
2504
2698
 		if (len > chan->omtu)
2505
2699
 			return -EMSGSIZE;
..
..
@@ -2825,8 +3019,7 @@
2825
3019
 		break;
2826
3020
 	case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2827
3021
 		l2cap_process_reqseq(chan, control->reqseq);
2828
-
2829
-		/* Fall through */
3022
+		fallthrough;
2830
3023
 
2831
3024
 	case L2CAP_EV_RECV_FBIT:
2832
3025
 		if (control && control->final) {
..
..
@@ -3129,10 +3322,6 @@
3129
3322
 	chan->rx_state = L2CAP_RX_STATE_RECV;
3130
3323
 	chan->tx_state = L2CAP_TX_STATE_XMIT;
3131
3324
 
3132
-	INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3133
-	INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3134
-	INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3135
-
3136
3325
 	skb_queue_head_init(&chan->srej_q);
3137
3326
 
3138
3327
 	err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
..
..
@@ -3153,7 +3342,7 @@
3153
3342
 	case L2CAP_MODE_ERTM:
3154
3343
 		if (l2cap_mode_supported(mode, remote_feat_mask))
3155
3344
 			return mode;
3156
-		/* fall through */
3345
+		fallthrough;
3157
3346
 	default:
3158
3347
 		return L2CAP_MODE_BASIC;
3159
3348
 	}
..
..
@@ -3224,6 +3413,49 @@
3224
3413
 	chan->ack_win = chan->tx_win;
3225
3414
 }
3226
3415
 
3416
+static void l2cap_mtu_auto(struct l2cap_chan *chan)
3417
+{
3418
+	struct hci_conn *conn = chan->conn->hcon;
3419
+
3420
+	chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3421
+
3422
+	/* The 2-DH1 packet has between 2 and 56 information bytes
3423
+	 * (including the 2-byte payload header)
3424
+	 */
3425
+	if (!(conn->pkt_type & HCI_2DH1))
3426
+		chan->imtu = 54;
3427
+
3428
+	/* The 3-DH1 packet has between 2 and 85 information bytes
3429
+	 * (including the 2-byte payload header)
3430
+	 */
3431
+	if (!(conn->pkt_type & HCI_3DH1))
3432
+		chan->imtu = 83;
3433
+
3434
+	/* The 2-DH3 packet has between 2 and 369 information bytes
3435
+	 * (including the 2-byte payload header)
3436
+	 */
3437
+	if (!(conn->pkt_type & HCI_2DH3))
3438
+		chan->imtu = 367;
3439
+
3440
+	/* The 3-DH3 packet has between 2 and 554 information bytes
3441
+	 * (including the 2-byte payload header)
3442
+	 */
3443
+	if (!(conn->pkt_type & HCI_3DH3))
3444
+		chan->imtu = 552;
3445
+
3446
+	/* The 2-DH5 packet has between 2 and 681 information bytes
3447
+	 * (including the 2-byte payload header)
3448
+	 */
3449
+	if (!(conn->pkt_type & HCI_2DH5))
3450
+		chan->imtu = 679;
3451
+
3452
+	/* The 3-DH5 packet has between 2 and 1023 information bytes
3453
+	 * (including the 2-byte payload header)
3454
+	 */
3455
+	if (!(conn->pkt_type & HCI_3DH5))
3456
+		chan->imtu = 1021;
3457
+}
3458
+
3227
3459
 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3228
3460
 {
3229
3461
 	struct l2cap_conf_req *req = data;
..
..
@@ -3246,15 +3478,19 @@
3246
3478
 		if (__l2cap_efs_supported(chan->conn))
3247
3479
 			set_bit(FLAG_EFS_ENABLE, &chan->flags);
3248
3480
 
3249
-		/* fall through */
3481
+		fallthrough;
3250
3482
 	default:
3251
3483
 		chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3252
3484
 		break;
3253
3485
 	}
3254
3486
 
3255
3487
 done:
3256
-	if (chan->imtu != L2CAP_DEFAULT_MTU)
3257
-		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3488
+	if (chan->imtu != L2CAP_DEFAULT_MTU) {
3489
+		if (!chan->imtu)
3490
+			l2cap_mtu_auto(chan);
3491
+		l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3492
+				   endptr - ptr);
3493
+	}
3258
3494
 
3259
3495
 	switch (chan->mode) {
3260
3496
 	case L2CAP_MODE_BASIC:
..
..
@@ -3524,7 +3760,8 @@
3524
3760
 			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3525
3761
 					   sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3526
3762
 
3527
-			if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3763
+			if (remote_efs &&
3764
+			    test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3528
3765
 				chan->remote_id = efs.id;
3529
3766
 				chan->remote_stype = efs.stype;
3530
3767
 				chan->remote_msdu = le16_to_cpu(efs.msdu);
..
..
@@ -3715,10 +3952,49 @@
3715
3952
 	rsp.mtu     = cpu_to_le16(chan->imtu);
3716
3953
 	rsp.mps     = cpu_to_le16(chan->mps);
3717
3954
 	rsp.credits = cpu_to_le16(chan->rx_credits);
3718
-	rsp.result  = cpu_to_le16(L2CAP_CR_SUCCESS);
3955
+	rsp.result  = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3719
3956
 
3720
3957
 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3721
3958
 		       &rsp);
3959
+}
3960
+
3961
+void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3962
+{
3963
+	struct {
3964
+		struct l2cap_ecred_conn_rsp rsp;
3965
+		__le16 dcid[5];
3966
+	} __packed pdu;
3967
+	struct l2cap_conn *conn = chan->conn;
3968
+	u16 ident = chan->ident;
3969
+	int i = 0;
3970
+
3971
+	if (!ident)
3972
+		return;
3973
+
3974
+	BT_DBG("chan %p ident %d", chan, ident);
3975
+
3976
+	pdu.rsp.mtu     = cpu_to_le16(chan->imtu);
3977
+	pdu.rsp.mps     = cpu_to_le16(chan->mps);
3978
+	pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3979
+	pdu.rsp.result  = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3980
+
3981
+	mutex_lock(&conn->chan_lock);
3982
+
3983
+	list_for_each_entry(chan, &conn->chan_l, list) {
3984
+		if (chan->ident != ident)
3985
+			continue;
3986
+
3987
+		/* Reset ident so only one response is sent */
3988
+		chan->ident = 0;
3989
+
3990
+		/* Include all channels pending with the same ident */
3991
+		pdu.dcid[i++] = cpu_to_le16(chan->scid);
3992
+	}
3993
+
3994
+	mutex_unlock(&conn->chan_lock);
3995
+
3996
+	l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3997
+			sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3722
3998
 }
3723
3999
 
3724
4000
 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
..
..
@@ -3866,9 +4142,17 @@
3866
4142
 
3867
4143
 	result = L2CAP_CR_NO_MEM;
3868
4144
 
3869
-	/* Check if we already have channel with that dcid */
3870
-	if (__l2cap_get_chan_by_dcid(conn, scid))
4145
+	/* Check for valid dynamic CID range (as per Erratum 3253) */
4146
+	if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4147
+		result = L2CAP_CR_INVALID_SCID;
3871
4148
 		goto response;
4149
+	}
4150
+
4151
+	/* Check if we already have channel with that dcid */
4152
+	if (__l2cap_get_chan_by_dcid(conn, scid)) {
4153
+		result = L2CAP_CR_SCID_IN_USE;
4154
+		goto response;
4155
+	}
3872
4156
 
3873
4157
 	chan = pchan->ops->new_connection(pchan);
3874
4158
 	if (!chan)
..
..
@@ -4022,6 +4306,12 @@
4022
4306
 		}
4023
4307
 	}
4024
4308
 
4309
+	chan = l2cap_chan_hold_unless_zero(chan);
4310
+	if (!chan) {
4311
+		err = -EBADSLT;
4312
+		goto unlock;
4313
+	}
4314
+
4025
4315
 	err = 0;
4026
4316
 
4027
4317
 	l2cap_chan_lock(chan);
..
..
@@ -4051,6 +4341,7 @@
4051
4341
 	}
4052
4342
 
4053
4343
 	l2cap_chan_unlock(chan);
4344
+	l2cap_chan_put(chan);
4054
4345
 
4055
4346
 unlock:
4056
4347
 	mutex_unlock(&conn->chan_lock);
..
..
@@ -4158,7 +4449,8 @@
4158
4449
 
4159
4450
 	chan->ident = cmd->ident;
4160
4451
 	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4161
-	chan->num_conf_rsp++;
4452
+	if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
4453
+		chan->num_conf_rsp++;
4162
4454
 
4163
4455
 	/* Reset config buffer. */
4164
4456
 	chan->conf_len = 0;
..
..
@@ -4204,6 +4496,7 @@
4204
4496
 
4205
4497
 unlock:
4206
4498
 	l2cap_chan_unlock(chan);
4499
+	l2cap_chan_put(chan);
4207
4500
 	return err;
4208
4501
 }
4209
4502
 
..
..
@@ -4287,6 +4580,7 @@
4287
4580
 				goto done;
4288
4581
 			break;
4289
4582
 		}
4583
+		fallthrough;
4290
4584
 
4291
4585
 	default:
4292
4586
 		l2cap_chan_set_err(chan, ECONNRESET);
..
..
@@ -4316,6 +4610,7 @@
4316
4610
 
4317
4611
 done:
4318
4612
 	l2cap_chan_unlock(chan);
4613
+	l2cap_chan_put(chan);
4319
4614
 	return err;
4320
4615
 }
4321
4616
 
..
..
@@ -5022,7 +5317,6 @@
5022
5317
 	chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5023
5318
 	l2cap_move_setup(chan);
5024
5319
 	chan->move_id = req->dest_amp_id;
5025
-	icid = chan->dcid;
5026
5320
 
5027
5321
 	if (req->dest_amp_id == AMP_ID_BREDR) {
5028
5322
 		/* Moving to BR/EDR */
..
..
@@ -5044,6 +5338,7 @@
5044
5338
 	l2cap_send_move_chan_rsp(chan, result);
5045
5339
 
5046
5340
 	l2cap_chan_unlock(chan);
5341
+	l2cap_chan_put(chan);
5047
5342
 
5048
5343
 	return 0;
5049
5344
 }
..
..
@@ -5136,6 +5431,7 @@
5136
5431
 	}
5137
5432
 
5138
5433
 	l2cap_chan_unlock(chan);
5434
+	l2cap_chan_put(chan);
5139
5435
 }
5140
5436
 
5141
5437
 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
..
..
@@ -5165,6 +5461,7 @@
5165
5461
 	l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5166
5462
 
5167
5463
 	l2cap_chan_unlock(chan);
5464
+	l2cap_chan_put(chan);
5168
5465
 }
5169
5466
 
5170
5467
 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
..
..
@@ -5228,6 +5525,7 @@
5228
5525
 	l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5229
5526
 
5230
5527
 	l2cap_chan_unlock(chan);
5528
+	l2cap_chan_put(chan);
5231
5529
 
5232
5530
 	return 0;
5233
5531
 }
..
..
@@ -5263,6 +5561,7 @@
5263
5561
 	}
5264
5562
 
5265
5563
 	l2cap_chan_unlock(chan);
5564
+	l2cap_chan_put(chan);
5266
5565
 
5267
5566
 	return 0;
5268
5567
 }
..
..
@@ -5336,7 +5635,7 @@
5336
5635
 	credits = __le16_to_cpu(rsp->credits);
5337
5636
 	result  = __le16_to_cpu(rsp->result);
5338
5637
 
5339
-	if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 ||
5638
+	if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5340
5639
 					   dcid < L2CAP_CID_DYN_START ||
5341
5640
 					   dcid > L2CAP_CID_LE_DYN_END))
5342
5641
 		return -EPROTO;
..
..
@@ -5357,7 +5656,7 @@
5357
5656
 	l2cap_chan_lock(chan);
5358
5657
 
5359
5658
 	switch (result) {
5360
-	case L2CAP_CR_SUCCESS:
5659
+	case L2CAP_CR_LE_SUCCESS:
5361
5660
 		if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5362
5661
 			err = -EBADSLT;
5363
5662
 			break;
..
..
@@ -5371,8 +5670,8 @@
5371
5670
 		l2cap_chan_ready(chan);
5372
5671
 		break;
5373
5672
 
5374
-	case L2CAP_CR_AUTHENTICATION:
5375
-	case L2CAP_CR_ENCRYPTION:
5673
+	case L2CAP_CR_LE_AUTHENTICATION:
5674
+	case L2CAP_CR_LE_ENCRYPTION:
5376
5675
 		/* If we already have MITM protection we can't do
5377
5676
 		 * anything.
5378
5677
 		 */
..
..
@@ -5511,11 +5810,24 @@
5511
5810
 	BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5512
5811
 	       scid, mtu, mps);
5513
5812
 
5813
+	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
5814
+	 * page 1059:
5815
+	 *
5816
+	 * Valid range: 0x0001-0x00ff
5817
+	 *
5818
+	 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
5819
+	 */
5820
+	if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
5821
+		result = L2CAP_CR_LE_BAD_PSM;
5822
+		chan = NULL;
5823
+		goto response;
5824
+	}
5825
+
5514
5826
 	/* Check if we have socket listening on psm */
5515
5827
 	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5516
5828
 					 &conn->hcon->dst, LE_LINK);
5517
5829
 	if (!pchan) {
5518
-		result = L2CAP_CR_BAD_PSM;
5830
+		result = L2CAP_CR_LE_BAD_PSM;
5519
5831
 		chan = NULL;
5520
5832
 		goto response;
5521
5833
 	}
..
..
@@ -5525,32 +5837,30 @@
5525
5837
 
5526
5838
 	if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5527
5839
 				     SMP_ALLOW_STK)) {
5528
-		result = L2CAP_CR_AUTHENTICATION;
5840
+		result = L2CAP_CR_LE_AUTHENTICATION;
5529
5841
 		chan = NULL;
5530
5842
 		goto response_unlock;
5531
5843
 	}
5532
5844
 
5533
5845
 	/* Check for valid dynamic CID range */
5534
5846
 	if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5535
-		result = L2CAP_CR_INVALID_SCID;
5847
+		result = L2CAP_CR_LE_INVALID_SCID;
5536
5848
 		chan = NULL;
5537
5849
 		goto response_unlock;
5538
5850
 	}
5539
5851
 
5540
5852
 	/* Check if we already have channel with that dcid */
5541
5853
 	if (__l2cap_get_chan_by_dcid(conn, scid)) {
5542
-		result = L2CAP_CR_SCID_IN_USE;
5854
+		result = L2CAP_CR_LE_SCID_IN_USE;
5543
5855
 		chan = NULL;
5544
5856
 		goto response_unlock;
5545
5857
 	}
5546
5858
 
5547
5859
 	chan = pchan->ops->new_connection(pchan);
5548
5860
 	if (!chan) {
5549
-		result = L2CAP_CR_NO_MEM;
5861
+		result = L2CAP_CR_LE_NO_MEM;
5550
5862
 		goto response_unlock;
5551
5863
 	}
5552
-
5553
-	l2cap_le_flowctl_init(chan);
5554
5864
 
5555
5865
 	bacpy(&chan->src, &conn->hcon->src);
5556
5866
 	bacpy(&chan->dst, &conn->hcon->dst);
..
..
@@ -5560,9 +5870,11 @@
5560
5870
 	chan->dcid = scid;
5561
5871
 	chan->omtu = mtu;
5562
5872
 	chan->remote_mps = mps;
5563
-	chan->tx_credits = __le16_to_cpu(req->credits);
5564
5873
 
5565
5874
 	__l2cap_chan_add(conn, chan);
5875
+
5876
+	l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5877
+
5566
5878
 	dcid = chan->scid;
5567
5879
 	credits = chan->rx_credits;
5568
5880
 
..
..
@@ -5581,7 +5893,7 @@
5581
5893
 		chan->ops->defer(chan);
5582
5894
 	} else {
5583
5895
 		l2cap_chan_ready(chan);
5584
-		result = L2CAP_CR_SUCCESS;
5896
+		result = L2CAP_CR_LE_SUCCESS;
5585
5897
 	}
5586
5898
 
5587
5899
 response_unlock:
..
..
@@ -5635,12 +5947,11 @@
5635
5947
 	if (credits > max_credits) {
5636
5948
 		BT_ERR("LE credits overflow");
5637
5949
 		l2cap_send_disconn_req(chan, ECONNRESET);
5638
-		l2cap_chan_unlock(chan);
5639
5950
 
5640
5951
 		/* Return 0 so that we don't trigger an unnecessary
5641
5952
 		 * command reject packet.
5642
5953
 		 */
5643
-		return 0;
5954
+		goto unlock;
5644
5955
 	}
5645
5956
 
5646
5957
 	chan->tx_credits += credits;
..
..
@@ -5651,7 +5962,371 @@
5651
5962
 	if (chan->tx_credits)
5652
5963
 		chan->ops->resume(chan);
5653
5964
 
5965
+unlock:
5654
5966
 	l2cap_chan_unlock(chan);
5967
+	l2cap_chan_put(chan);
5968
+
5969
+	return 0;
5970
+}
5971
+
5972
+static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5973
+				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5974
+				       u8 *data)
5975
+{
5976
+	struct l2cap_ecred_conn_req *req = (void *) data;
5977
+	struct {
5978
+		struct l2cap_ecred_conn_rsp rsp;
5979
+		__le16 dcid[5];
5980
+	} __packed pdu;
5981
+	struct l2cap_chan *chan, *pchan;
5982
+	u16 mtu, mps;
5983
+	__le16 psm;
5984
+	u8 result, len = 0;
5985
+	int i, num_scid;
5986
+	bool defer = false;
5987
+
5988
+	if (!enable_ecred)
5989
+		return -EINVAL;
5990
+
5991
+	if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5992
+		result = L2CAP_CR_LE_INVALID_PARAMS;
5993
+		goto response;
5994
+	}
5995
+
5996
+	mtu  = __le16_to_cpu(req->mtu);
5997
+	mps  = __le16_to_cpu(req->mps);
5998
+
5999
+	if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
6000
+		result = L2CAP_CR_LE_UNACCEPT_PARAMS;
6001
+		goto response;
6002
+	}
6003
+
6004
+	psm  = req->psm;
6005
+
6006
+	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
6007
+	 * page 1059:
6008
+	 *
6009
+	 * Valid range: 0x0001-0x00ff
6010
+	 *
6011
+	 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
6012
+	 */
6013
+	if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
6014
+		result = L2CAP_CR_LE_BAD_PSM;
6015
+		goto response;
6016
+	}
6017
+
6018
+	BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
6019
+
6020
+	memset(&pdu, 0, sizeof(pdu));
6021
+
6022
+	/* Check if we have socket listening on psm */
6023
+	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
6024
+					 &conn->hcon->dst, LE_LINK);
6025
+	if (!pchan) {
6026
+		result = L2CAP_CR_LE_BAD_PSM;
6027
+		goto response;
6028
+	}
6029
+
6030
+	mutex_lock(&conn->chan_lock);
6031
+	l2cap_chan_lock(pchan);
6032
+
6033
+	if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
6034
+				     SMP_ALLOW_STK)) {
6035
+		result = L2CAP_CR_LE_AUTHENTICATION;
6036
+		goto unlock;
6037
+	}
6038
+
6039
+	result = L2CAP_CR_LE_SUCCESS;
6040
+	cmd_len -= sizeof(*req);
6041
+	num_scid = cmd_len / sizeof(u16);
6042
+
6043
+	for (i = 0; i < num_scid; i++) {
6044
+		u16 scid = __le16_to_cpu(req->scid[i]);
6045
+
6046
+		BT_DBG("scid[%d] 0x%4.4x", i, scid);
6047
+
6048
+		pdu.dcid[i] = 0x0000;
6049
+		len += sizeof(*pdu.dcid);
6050
+
6051
+		/* Check for valid dynamic CID range */
6052
+		if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
6053
+			result = L2CAP_CR_LE_INVALID_SCID;
6054
+			continue;
6055
+		}
6056
+
6057
+		/* Check if we already have channel with that dcid */
6058
+		if (__l2cap_get_chan_by_dcid(conn, scid)) {
6059
+			result = L2CAP_CR_LE_SCID_IN_USE;
6060
+			continue;
6061
+		}
6062
+
6063
+		chan = pchan->ops->new_connection(pchan);
6064
+		if (!chan) {
6065
+			result = L2CAP_CR_LE_NO_MEM;
6066
+			continue;
6067
+		}
6068
+
6069
+		bacpy(&chan->src, &conn->hcon->src);
6070
+		bacpy(&chan->dst, &conn->hcon->dst);
6071
+		chan->src_type = bdaddr_src_type(conn->hcon);
6072
+		chan->dst_type = bdaddr_dst_type(conn->hcon);
6073
+		chan->psm  = psm;
6074
+		chan->dcid = scid;
6075
+		chan->omtu = mtu;
6076
+		chan->remote_mps = mps;
6077
+
6078
+		__l2cap_chan_add(conn, chan);
6079
+
6080
+		l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6081
+
6082
+		/* Init response */
6083
+		if (!pdu.rsp.credits) {
6084
+			pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6085
+			pdu.rsp.mps = cpu_to_le16(chan->mps);
6086
+			pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6087
+		}
6088
+
6089
+		pdu.dcid[i] = cpu_to_le16(chan->scid);
6090
+
6091
+		__set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6092
+
6093
+		chan->ident = cmd->ident;
6094
+
6095
+		if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6096
+			l2cap_state_change(chan, BT_CONNECT2);
6097
+			defer = true;
6098
+			chan->ops->defer(chan);
6099
+		} else {
6100
+			l2cap_chan_ready(chan);
6101
+		}
6102
+	}
6103
+
6104
+unlock:
6105
+	l2cap_chan_unlock(pchan);
6106
+	mutex_unlock(&conn->chan_lock);
6107
+	l2cap_chan_put(pchan);
6108
+
6109
+response:
6110
+	pdu.rsp.result = cpu_to_le16(result);
6111
+
6112
+	if (defer)
6113
+		return 0;
6114
+
6115
+	l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6116
+		       sizeof(pdu.rsp) + len, &pdu);
6117
+
6118
+	return 0;
6119
+}
6120
+
6121
+static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6122
+				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6123
+				       u8 *data)
6124
+{
6125
+	struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6126
+	struct hci_conn *hcon = conn->hcon;
6127
+	u16 mtu, mps, credits, result;
6128
+	struct l2cap_chan *chan, *tmp;
6129
+	int err = 0, sec_level;
6130
+	int i = 0;
6131
+
6132
+	if (cmd_len < sizeof(*rsp))
6133
+		return -EPROTO;
6134
+
6135
+	mtu     = __le16_to_cpu(rsp->mtu);
6136
+	mps     = __le16_to_cpu(rsp->mps);
6137
+	credits = __le16_to_cpu(rsp->credits);
6138
+	result  = __le16_to_cpu(rsp->result);
6139
+
6140
+	BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6141
+	       result);
6142
+
6143
+	mutex_lock(&conn->chan_lock);
6144
+
6145
+	cmd_len -= sizeof(*rsp);
6146
+
6147
+	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6148
+		u16 dcid;
6149
+
6150
+		if (chan->ident != cmd->ident ||
6151
+		    chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6152
+		    chan->state == BT_CONNECTED)
6153
+			continue;
6154
+
6155
+		l2cap_chan_lock(chan);
6156
+
6157
+		/* Check that there is a dcid for each pending channel */
6158
+		if (cmd_len < sizeof(dcid)) {
6159
+			l2cap_chan_del(chan, ECONNREFUSED);
6160
+			l2cap_chan_unlock(chan);
6161
+			continue;
6162
+		}
6163
+
6164
+		dcid = __le16_to_cpu(rsp->dcid[i++]);
6165
+		cmd_len -= sizeof(u16);
6166
+
6167
+		BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6168
+
6169
+		/* Check if dcid is already in use */
6170
+		if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6171
+			/* If a device receives a
6172
+			 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
6173
+			 * already-assigned Destination CID, then both the
6174
+			 * original channel and the new channel shall be
6175
+			 * immediately discarded and not used.
6176
+			 */
6177
+			l2cap_chan_del(chan, ECONNREFUSED);
6178
+			l2cap_chan_unlock(chan);
6179
+			chan = __l2cap_get_chan_by_dcid(conn, dcid);
6180
+			l2cap_chan_lock(chan);
6181
+			l2cap_chan_del(chan, ECONNRESET);
6182
+			l2cap_chan_unlock(chan);
6183
+			continue;
6184
+		}
6185
+
6186
+		switch (result) {
6187
+		case L2CAP_CR_LE_AUTHENTICATION:
6188
+		case L2CAP_CR_LE_ENCRYPTION:
6189
+			/* If we already have MITM protection we can't do
6190
+			 * anything.
6191
+			 */
6192
+			if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6193
+				l2cap_chan_del(chan, ECONNREFUSED);
6194
+				break;
6195
+			}
6196
+
6197
+			sec_level = hcon->sec_level + 1;
6198
+			if (chan->sec_level < sec_level)
6199
+				chan->sec_level = sec_level;
6200
+
6201
+			/* We'll need to send a new Connect Request */
6202
+			clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6203
+
6204
+			smp_conn_security(hcon, chan->sec_level);
6205
+			break;
6206
+
6207
+		case L2CAP_CR_LE_BAD_PSM:
6208
+			l2cap_chan_del(chan, ECONNREFUSED);
6209
+			break;
6210
+
6211
+		default:
6212
+			/* If dcid was not set it means channels was refused */
6213
+			if (!dcid) {
6214
+				l2cap_chan_del(chan, ECONNREFUSED);
6215
+				break;
6216
+			}
6217
+
6218
+			chan->ident = 0;
6219
+			chan->dcid = dcid;
6220
+			chan->omtu = mtu;
6221
+			chan->remote_mps = mps;
6222
+			chan->tx_credits = credits;
6223
+			l2cap_chan_ready(chan);
6224
+			break;
6225
+		}
6226
+
6227
+		l2cap_chan_unlock(chan);
6228
+	}
6229
+
6230
+	mutex_unlock(&conn->chan_lock);
6231
+
6232
+	return err;
6233
+}
6234
+
6235
+static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6236
+					 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6237
+					 u8 *data)
6238
+{
6239
+	struct l2cap_ecred_reconf_req *req = (void *) data;
6240
+	struct l2cap_ecred_reconf_rsp rsp;
6241
+	u16 mtu, mps, result;
6242
+	struct l2cap_chan *chan;
6243
+	int i, num_scid;
6244
+
6245
+	if (!enable_ecred)
6246
+		return -EINVAL;
6247
+
6248
+	if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6249
+		result = L2CAP_CR_LE_INVALID_PARAMS;
6250
+		goto respond;
6251
+	}
6252
+
6253
+	mtu = __le16_to_cpu(req->mtu);
6254
+	mps = __le16_to_cpu(req->mps);
6255
+
6256
+	BT_DBG("mtu %u mps %u", mtu, mps);
6257
+
6258
+	if (mtu < L2CAP_ECRED_MIN_MTU) {
6259
+		result = L2CAP_RECONF_INVALID_MTU;
6260
+		goto respond;
6261
+	}
6262
+
6263
+	if (mps < L2CAP_ECRED_MIN_MPS) {
6264
+		result = L2CAP_RECONF_INVALID_MPS;
6265
+		goto respond;
6266
+	}
6267
+
6268
+	cmd_len -= sizeof(*req);
6269
+	num_scid = cmd_len / sizeof(u16);
6270
+	result = L2CAP_RECONF_SUCCESS;
6271
+
6272
+	for (i = 0; i < num_scid; i++) {
6273
+		u16 scid;
6274
+
6275
+		scid = __le16_to_cpu(req->scid[i]);
6276
+		if (!scid)
6277
+			return -EPROTO;
6278
+
6279
+		chan = __l2cap_get_chan_by_dcid(conn, scid);
6280
+		if (!chan)
6281
+			continue;
6282
+
6283
+		/* If the MTU value is decreased for any of the included
6284
+		 * channels, then the receiver shall disconnect all
6285
+		 * included channels.
6286
+		 */
6287
+		if (chan->omtu > mtu) {
6288
+			BT_ERR("chan %p decreased MTU %u -> %u", chan,
6289
+			       chan->omtu, mtu);
6290
+			result = L2CAP_RECONF_INVALID_MTU;
6291
+		}
6292
+
6293
+		chan->omtu = mtu;
6294
+		chan->remote_mps = mps;
6295
+	}
6296
+
6297
+respond:
6298
+	rsp.result = cpu_to_le16(result);
6299
+
6300
+	l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6301
+		       &rsp);
6302
+
6303
+	return 0;
6304
+}
6305
+
6306
+static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6307
+					 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6308
+					 u8 *data)
6309
+{
6310
+	struct l2cap_chan *chan, *tmp;
6311
+	struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6312
+	u16 result;
6313
+
6314
+	if (cmd_len < sizeof(*rsp))
6315
+		return -EPROTO;
6316
+
6317
+	result = __le16_to_cpu(rsp->result);
6318
+
6319
+	BT_DBG("result 0x%4.4x", rsp->result);
6320
+
6321
+	if (!result)
6322
+		return 0;
6323
+
6324
+	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6325
+		if (chan->ident != cmd->ident)
6326
+			continue;
6327
+
6328
+		l2cap_chan_del(chan, ECONNRESET);
6329
+	}
5655
6330
 
5656
6331
 	return 0;
5657
6332
 }
..
..
@@ -5709,6 +6384,22 @@
5709
6384
 
5710
6385
 	case L2CAP_LE_CREDITS:
5711
6386
 		err = l2cap_le_credits(conn, cmd, cmd_len, data);
6387
+		break;
6388
+
6389
+	case L2CAP_ECRED_CONN_REQ:
6390
+		err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6391
+		break;
6392
+
6393
+	case L2CAP_ECRED_CONN_RSP:
6394
+		err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6395
+		break;
6396
+
6397
+	case L2CAP_ECRED_RECONF_REQ:
6398
+		err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6399
+		break;
6400
+
6401
+	case L2CAP_ECRED_RECONF_RSP:
6402
+		err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
5712
6403
 		break;
5713
6404
 
5714
6405
 	case L2CAP_DISCONN_REQ:
..
..
@@ -5773,9 +6464,7 @@
5773
6464
 				     struct sk_buff *skb)
5774
6465
 {
5775
6466
 	struct hci_conn *hcon = conn->hcon;
5776
-	u8 *data = skb->data;
5777
-	int len = skb->len;
5778
-	struct l2cap_cmd_hdr cmd;
6467
+	struct l2cap_cmd_hdr *cmd;
5779
6468
 	int err;
5780
6469
 
5781
6470
 	l2cap_raw_recv(conn, skb);
..
..
@@ -5783,35 +6472,34 @@
5783
6472
 	if (hcon->type != ACL_LINK)
5784
6473
 		goto drop;
5785
6474
 
5786
-	while (len >= L2CAP_CMD_HDR_SIZE) {
5787
-		u16 cmd_len;
5788
-		memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5789
-		data += L2CAP_CMD_HDR_SIZE;
5790
-		len  -= L2CAP_CMD_HDR_SIZE;
6475
+	while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6476
+		u16 len;
5791
6477
 
5792
-		cmd_len = le16_to_cpu(cmd.len);
6478
+		cmd = (void *) skb->data;
6479
+		skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5793
6480
 
5794
-		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5795
-		       cmd.ident);
6481
+		len = le16_to_cpu(cmd->len);
5796
6482
 
5797
-		if (cmd_len > len || !cmd.ident) {
6483
+		BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6484
+		       cmd->ident);
6485
+
6486
+		if (len > skb->len || !cmd->ident) {
5798
6487
 			BT_DBG("corrupted command");
5799
6488
 			break;
5800
6489
 		}
5801
6490
 
5802
-		err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
6491
+		err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
5803
6492
 		if (err) {
5804
6493
 			struct l2cap_cmd_rej_unk rej;
5805
6494
 
5806
6495
 			BT_ERR("Wrong link type (%d)", err);
5807
6496
 
5808
6497
 			rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5809
-			l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
6498
+			l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5810
6499
 				       sizeof(rej), &rej);
5811
6500
 		}
5812
6501
 
5813
-		data += cmd_len;
5814
-		len  -= cmd_len;
6502
+		skb_pull(skb, len);
5815
6503
 	}
5816
6504
 
5817
6505
 drop:
..
..
@@ -6213,6 +6901,7 @@
6213
6901
 			       struct l2cap_ctrl *control,
6214
6902
 			       struct sk_buff *skb, u8 event)
6215
6903
 {
6904
+	struct l2cap_ctrl local_control;
6216
6905
 	int err = 0;
6217
6906
 	bool skb_in_use = false;
6218
6907
 
..
..
@@ -6237,15 +6926,32 @@
6237
6926
 			chan->buffer_seq = chan->expected_tx_seq;
6238
6927
 			skb_in_use = true;
6239
6928
 
6929
+			/* l2cap_reassemble_sdu may free skb, hence invalidate
6930
+			 * control, so make a copy in advance to use it after
6931
+			 * l2cap_reassemble_sdu returns and to avoid the race
6932
+			 * condition, for example:
6933
+			 *
6934
+			 * The current thread calls:
6935
+			 *   l2cap_reassemble_sdu
6936
+			 *     chan->ops->recv == l2cap_sock_recv_cb
6937
+			 *       __sock_queue_rcv_skb
6938
+			 * Another thread calls:
6939
+			 *   bt_sock_recvmsg
6940
+			 *     skb_recv_datagram
6941
+			 *     skb_free_datagram
6942
+			 * Then the current thread tries to access control, but
6943
+			 * it was freed by skb_free_datagram.
6944
+			 */
6945
+			local_control = *control;
6240
6946
 			err = l2cap_reassemble_sdu(chan, skb, control);
6241
6947
 			if (err)
6242
6948
 				break;
6243
6949
 
6244
-			if (control->final) {
6950
+			if (local_control.final) {
6245
6951
 				if (!test_and_clear_bit(CONN_REJ_ACT,
6246
6952
 							&chan->conn_state)) {
6247
-					control->final = 0;
6248
-					l2cap_retransmit_all(chan, control);
6953
+					local_control.final = 0;
6954
+					l2cap_retransmit_all(chan, &local_control);
6249
6955
 					l2cap_ertm_send(chan);
6250
6956
 				}
6251
6957
 			}
..
..
@@ -6625,11 +7331,27 @@
6625
7331
 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6626
7332
 			   struct sk_buff *skb)
6627
7333
 {
7334
+	/* l2cap_reassemble_sdu may free skb, hence invalidate control, so store
7335
+	 * the txseq field in advance to use it after l2cap_reassemble_sdu
7336
+	 * returns and to avoid the race condition, for example:
7337
+	 *
7338
+	 * The current thread calls:
7339
+	 *   l2cap_reassemble_sdu
7340
+	 *     chan->ops->recv == l2cap_sock_recv_cb
7341
+	 *       __sock_queue_rcv_skb
7342
+	 * Another thread calls:
7343
+	 *   bt_sock_recvmsg
7344
+	 *     skb_recv_datagram
7345
+	 *     skb_free_datagram
7346
+	 * Then the current thread tries to access control, but it was freed by
7347
+	 * skb_free_datagram.
7348
+	 */
7349
+	u16 txseq = control->txseq;
7350
+
6628
7351
 	BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6629
7352
 	       chan->rx_state);
6630
7353
 
6631
-	if (l2cap_classify_txseq(chan, control->txseq) ==
6632
-	    L2CAP_TXSEQ_EXPECTED) {
7354
+	if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) {
6633
7355
 		l2cap_pass_to_tx(chan, control);
6634
7356
 
6635
7357
 		BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
..
..
@@ -6652,8 +7374,8 @@
6652
7374
 		}
6653
7375
 	}
6654
7376
 
6655
-	chan->last_acked_seq = control->txseq;
6656
-	chan->expected_tx_seq = __next_seq(chan, control->txseq);
7377
+	chan->last_acked_seq = txseq;
7378
+	chan->expected_tx_seq = __next_seq(chan, txseq);
6657
7379
 
6658
7380
 	return 0;
6659
7381
 }
..
..
@@ -6757,13 +7479,12 @@
6757
7479
 	struct l2cap_le_credits pkt;
6758
7480
 	u16 return_credits;
6759
7481
 
6760
-	/* We return more credits to the sender only after the amount of
6761
-	 * credits falls below half of the initial amount.
6762
-	 */
6763
-	if (chan->rx_credits >= (le_max_credits + 1) / 2)
7482
+	return_credits = (chan->imtu / chan->mps) + 1;
7483
+
7484
+	if (chan->rx_credits >= return_credits)
6764
7485
 		return;
6765
7486
 
6766
-	return_credits = le_max_credits - chan->rx_credits;
7487
+	return_credits -= chan->rx_credits;
6767
7488
 
6768
7489
 	BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6769
7490
 
..
..
@@ -6777,7 +7498,22 @@
6777
7498
 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6778
7499
 }
6779
7500
 
6780
-static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7501
+static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7502
+{
7503
+	int err;
7504
+
7505
+	BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7506
+
7507
+	/* Wait recv to confirm reception before updating the credits */
7508
+	err = chan->ops->recv(chan, skb);
7509
+
7510
+	/* Update credits whenever an SDU is received */
7511
+	l2cap_chan_le_send_credits(chan);
7512
+
7513
+	return err;
7514
+}
7515
+
7516
+static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6781
7517
 {
6782
7518
 	int err;
6783
7519
 
..
..
@@ -6795,7 +7531,11 @@
6795
7531
 	chan->rx_credits--;
6796
7532
 	BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6797
7533
 
6798
-	l2cap_chan_le_send_credits(chan);
7534
+	/* Update if remote had run out of credits, this should only happens
7535
+	 * if the remote is not using the entire MPS.
7536
+	 */
7537
+	if (!chan->rx_credits)
7538
+		l2cap_chan_le_send_credits(chan);
6799
7539
 
6800
7540
 	err = 0;
6801
7541
 
..
..
@@ -6821,7 +7561,7 @@
6821
7561
 		}
6822
7562
 
6823
7563
 		if (skb->len == sdu_len)
6824
-			return chan->ops->recv(chan, skb);
7564
+			return l2cap_ecred_recv(chan, skb);
6825
7565
 
6826
7566
 		chan->sdu = skb;
6827
7567
 		chan->sdu_len = sdu_len;
..
..
@@ -6853,7 +7593,7 @@
6853
7593
 	skb = NULL;
6854
7594
 
6855
7595
 	if (chan->sdu->len == chan->sdu_len) {
6856
-		err = chan->ops->recv(chan, chan->sdu);
7596
+		err = l2cap_ecred_recv(chan, chan->sdu);
6857
7597
 		if (!err) {
6858
7598
 			chan->sdu = NULL;
6859
7599
 			chan->sdu_last_frag = NULL;
..
..
@@ -6891,6 +7631,7 @@
6891
7631
 				return;
6892
7632
 			}
6893
7633
 
7634
+			l2cap_chan_hold(chan);
6894
7635
 			l2cap_chan_lock(chan);
6895
7636
 		} else {
6896
7637
 			BT_DBG("unknown cid 0x%4.4x", cid);
..
..
@@ -6903,7 +7644,7 @@
6903
7644
 	BT_DBG("chan %p, len %d", chan, skb->len);
6904
7645
 
6905
7646
 	/* If we receive data on a fixed channel before the info req/rsp
6906
-	 * procdure is done simply assume that the channel is supported
7647
+	 * procedure is done simply assume that the channel is supported
6907
7648
 	 * and mark it as ready.
6908
7649
 	 */
6909
7650
 	if (chan->chan_type == L2CAP_CHAN_FIXED)
..
..
@@ -6914,7 +7655,8 @@
6914
7655
 
6915
7656
 	switch (chan->mode) {
6916
7657
 	case L2CAP_MODE_LE_FLOWCTL:
6917
-		if (l2cap_le_data_rcv(chan, skb) < 0)
7658
+	case L2CAP_MODE_EXT_FLOWCTL:
7659
+		if (l2cap_ecred_data_rcv(chan, skb) < 0)
6918
7660
 			goto drop;
6919
7661
 
6920
7662
 		goto done;
..
..
@@ -6949,6 +7691,7 @@
6949
7691
 
6950
7692
 done:
6951
7693
 	l2cap_chan_unlock(chan);
7694
+	l2cap_chan_put(chan);
6952
7695
 }
6953
7696
 
6954
7697
 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
..
..
@@ -7086,7 +7829,7 @@
7086
7829
 			conn->mtu = hcon->hdev->le_mtu;
7087
7830
 			break;
7088
7831
 		}
7089
-		/* fall through */
7832
+		fallthrough;
7090
7833
 	default:
7091
7834
 		conn->mtu = hcon->hdev->acl_mtu;
7092
7835
 		break;
..
..
@@ -7133,6 +7876,33 @@
7133
7876
 	return ((psm & 0x0101) == 0x0001);
7134
7877
 }
7135
7878
 
7879
+struct l2cap_chan_data {
7880
+	struct l2cap_chan *chan;
7881
+	struct pid *pid;
7882
+	int count;
7883
+};
7884
+
7885
+static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7886
+{
7887
+	struct l2cap_chan_data *d = data;
7888
+	struct pid *pid;
7889
+
7890
+	if (chan == d->chan)
7891
+		return;
7892
+
7893
+	if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7894
+		return;
7895
+
7896
+	pid = chan->ops->get_peer_pid(chan);
7897
+
7898
+	/* Only count deferred channels with the same PID/PSM */
7899
+	if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7900
+	    chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7901
+		return;
7902
+
7903
+	d->count++;
7904
+}
7905
+
7136
7906
 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7137
7907
 		       bdaddr_t *dst, u8 dst_type)
7138
7908
 {
..
..
@@ -7141,8 +7911,8 @@
7141
7911
 	struct hci_dev *hdev;
7142
7912
 	int err;
7143
7913
 
7144
-	BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7145
-	       dst_type, __le16_to_cpu(psm));
7914
+	BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7915
+	       dst, dst_type, __le16_to_cpu(psm), chan->mode);
7146
7916
 
7147
7917
 	hdev = hci_get_route(dst, &chan->src, chan->src_type);
7148
7918
 	if (!hdev)
..
..
@@ -7170,13 +7940,18 @@
7170
7940
 	case L2CAP_MODE_BASIC:
7171
7941
 		break;
7172
7942
 	case L2CAP_MODE_LE_FLOWCTL:
7173
-		l2cap_le_flowctl_init(chan);
7943
+		break;
7944
+	case L2CAP_MODE_EXT_FLOWCTL:
7945
+		if (!enable_ecred) {
7946
+			err = -EOPNOTSUPP;
7947
+			goto done;
7948
+		}
7174
7949
 		break;
7175
7950
 	case L2CAP_MODE_ERTM:
7176
7951
 	case L2CAP_MODE_STREAMING:
7177
7952
 		if (!disable_ertm)
7178
7953
 			break;
7179
-		/* fall through */
7954
+		fallthrough;
7180
7955
 	default:
7181
7956
 		err = -EOPNOTSUPP;
7182
7957
 		goto done;
..
..
@@ -7228,11 +8003,13 @@
7228
8003
 		else
7229
8004
 			hcon = hci_connect_le_scan(hdev, dst, dst_type,
7230
8005
 						   chan->sec_level,
7231
-						   HCI_LE_CONN_TIMEOUT);
8006
+						   HCI_LE_CONN_TIMEOUT,
8007
+						   CONN_REASON_L2CAP_CHAN);
7232
8008
 
7233
8009
 	} else {
7234
8010
 		u8 auth_type = l2cap_get_auth_type(chan);
7235
-		hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
8011
+		hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
8012
+				       CONN_REASON_L2CAP_CHAN);
7236
8013
 	}
7237
8014
 
7238
8015
 	if (IS_ERR(hcon)) {
..
..
@@ -7245,6 +8022,23 @@
7245
8022
 		hci_conn_drop(hcon);
7246
8023
 		err = -ENOMEM;
7247
8024
 		goto done;
8025
+	}
8026
+
8027
+	if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
8028
+		struct l2cap_chan_data data;
8029
+
8030
+		data.chan = chan;
8031
+		data.pid = chan->ops->get_peer_pid(chan);
8032
+		data.count = 1;
8033
+
8034
+		l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
8035
+
8036
+		/* Check if there isn't too many channels being connected */
8037
+		if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
8038
+			hci_conn_drop(hcon);
8039
+			err = -EPROTO;
8040
+			goto done;
8041
+		}
7248
8042
 	}
7249
8043
 
7250
8044
 	mutex_lock(&conn->chan_lock);
..
..
@@ -7295,6 +8089,38 @@
7295
8089
 	return err;
7296
8090
 }
7297
8091
 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
8092
+
8093
+static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
8094
+{
8095
+	struct l2cap_conn *conn = chan->conn;
8096
+	struct {
8097
+		struct l2cap_ecred_reconf_req req;
8098
+		__le16 scid;
8099
+	} pdu;
8100
+
8101
+	pdu.req.mtu = cpu_to_le16(chan->imtu);
8102
+	pdu.req.mps = cpu_to_le16(chan->mps);
8103
+	pdu.scid    = cpu_to_le16(chan->scid);
8104
+
8105
+	chan->ident = l2cap_get_ident(conn);
8106
+
8107
+	l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
8108
+		       sizeof(pdu), &pdu);
8109
+}
8110
+
8111
+int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8112
+{
8113
+	if (chan->imtu > mtu)
8114
+		return -EINVAL;
8115
+
8116
+	BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8117
+
8118
+	chan->imtu = mtu;
8119
+
8120
+	l2cap_ecred_reconfigure(chan);
8121
+
8122
+	return 0;
8123
+}
7298
8124
 
7299
8125
 /* ---- L2CAP interface with lower layer (HCI) ---- */
7300
8126
 
..
..
@@ -7353,7 +8179,7 @@
7353
8179
 		if (src_type != c->src_type)
7354
8180
 			continue;
7355
8181
 
7356
-		l2cap_chan_hold(c);
8182
+		c = l2cap_chan_hold_unless_zero(c);
7357
8183
 		read_unlock(&chan_list_lock);
7358
8184
 		return c;
7359
8185
 	}
..
..
@@ -7507,7 +8333,8 @@
7507
8333
 			else
7508
8334
 				__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7509
8335
 		} else if (chan->state == BT_CONNECT2 &&
7510
-			   chan->mode != L2CAP_MODE_LE_FLOWCTL) {
8336
+			   !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8337
+			     chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
7511
8338
 			struct l2cap_conn_rsp rsp;
7512
8339
 			__u16 res, stat;
7513
8340
 
..
..
@@ -7683,17 +8510,7 @@
7683
8510
 	return 0;
7684
8511
 }
7685
8512
 
7686
-static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7687
-{
7688
-	return single_open(file, l2cap_debugfs_show, inode->i_private);
7689
-}
7690
-
7691
-static const struct file_operations l2cap_debugfs_fops = {
7692
-	.open		= l2cap_debugfs_open,
7693
-	.read		= seq_read,
7694
-	.llseek		= seq_lseek,
7695
-	.release	= single_release,
7696
-};
8513
+DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7697
8514
 
7698
8515
 static struct dentry *l2cap_debugfs;
7699
8516
 
..
..
@@ -7713,11 +8530,6 @@
7713
8530
 	l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7714
8531
 					    NULL, &l2cap_debugfs_fops);
7715
8532
 
7716
-	debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7717
-			   &le_max_credits);
7718
-	debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7719
-			   &le_default_mps);
7720
-
7721
8533
 	return 0;
7722
8534
 }
7723
8535
 
..
..
@@ -7730,3 +8542,6 @@
7730
8542
 
7731
8543
 module_param(disable_ertm, bool, 0644);
7732
8544
 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8545
+
8546
+module_param(enable_ecred, bool, 0644);
8547
+MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");