2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
50 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
52 static LIST_HEAD(chan_list);
53 static DEFINE_RWLOCK(chan_list_lock);
55 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
56 u8 code, u8 ident, u16 dlen, void *data);
57 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
60 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
63 struct sk_buff_head *skbs, u8 event);
65 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67 if (link_type == LE_LINK) {
68 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
69 return BDADDR_LE_PUBLIC;
71 return BDADDR_LE_RANDOM;
77 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79 return bdaddr_type(hcon->type, hcon->src_type);
82 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84 return bdaddr_type(hcon->type, hcon->dst_type);
87 /* ---- L2CAP channels ---- */
89 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
94 list_for_each_entry(c, &conn->chan_l, list) {
101 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
104 struct l2cap_chan *c;
106 list_for_each_entry(c, &conn->chan_l, list) {
113 /* Find channel with given SCID.
114 * Returns locked channel. */
115 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 struct l2cap_chan *c;
120 mutex_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
124 mutex_unlock(&conn->chan_lock);
129 /* Find channel with given DCID.
130 * Returns locked channel.
132 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
135 struct l2cap_chan *c;
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_dcid(conn, cid);
141 mutex_unlock(&conn->chan_lock);
146 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
149 struct l2cap_chan *c;
151 list_for_each_entry(c, &conn->chan_l, list) {
152 if (c->ident == ident)
158 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
161 struct l2cap_chan *c;
163 mutex_lock(&conn->chan_lock);
164 c = __l2cap_get_chan_by_ident(conn, ident);
167 mutex_unlock(&conn->chan_lock);
172 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
175 struct l2cap_chan *c;
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
181 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
184 if (c->sport == psm && !bacmp(&c->src, src))
190 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
194 write_lock(&chan_list_lock);
196 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
206 u16 p, start, end, incr;
208 if (chan->src_type == BDADDR_BREDR) {
209 start = L2CAP_PSM_DYN_START;
210 end = L2CAP_PSM_AUTO_END;
213 start = L2CAP_PSM_LE_DYN_START;
214 end = L2CAP_PSM_LE_DYN_END;
219 for (p = start; p <= end; p += incr)
220 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
222 chan->psm = cpu_to_le16(p);
223 chan->sport = cpu_to_le16(p);
230 write_unlock(&chan_list_lock);
233 EXPORT_SYMBOL_GPL(l2cap_add_psm);
235 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
237 write_lock(&chan_list_lock);
239 /* Override the defaults (which are for conn-oriented) */
240 chan->omtu = L2CAP_DEFAULT_MTU;
241 chan->chan_type = L2CAP_CHAN_FIXED;
245 write_unlock(&chan_list_lock);
250 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
254 if (conn->hcon->type == LE_LINK)
255 dyn_end = L2CAP_CID_LE_DYN_END;
257 dyn_end = L2CAP_CID_DYN_END;
259 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
260 if (!__l2cap_get_chan_by_scid(conn, cid))
267 static void l2cap_state_change(struct l2cap_chan *chan, int state)
269 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
270 state_to_string(state));
273 chan->ops->state_change(chan, state, 0);
276 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
280 chan->ops->state_change(chan, chan->state, err);
283 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
285 chan->ops->state_change(chan, chan->state, err);
288 static void __set_retrans_timer(struct l2cap_chan *chan)
290 if (!delayed_work_pending(&chan->monitor_timer) &&
291 chan->retrans_timeout) {
292 l2cap_set_timer(chan, &chan->retrans_timer,
293 msecs_to_jiffies(chan->retrans_timeout));
297 static void __set_monitor_timer(struct l2cap_chan *chan)
299 __clear_retrans_timer(chan);
300 if (chan->monitor_timeout) {
301 l2cap_set_timer(chan, &chan->monitor_timer,
302 msecs_to_jiffies(chan->monitor_timeout));
306 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
311 skb_queue_walk(head, skb) {
312 if (bt_cb(skb)->l2cap.txseq == seq)
319 /* ---- L2CAP sequence number lists ---- */
321 /* For ERTM, ordered lists of sequence numbers must be tracked for
322 * SREJ requests that are received and for frames that are to be
323 * retransmitted. These seq_list functions implement a singly-linked
324 * list in an array, where membership in the list can also be checked
325 * in constant time. Items can also be added to the tail of the list
326 * and removed from the head in constant time, without further memory
330 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
332 size_t alloc_size, i;
334 /* Allocated size is a power of 2 to map sequence numbers
335 * (which may be up to 14 bits) in to a smaller array that is
336 * sized for the negotiated ERTM transmit windows.
338 alloc_size = roundup_pow_of_two(size);
340 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
344 seq_list->mask = alloc_size - 1;
345 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
346 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
347 for (i = 0; i < alloc_size; i++)
348 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
353 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
355 kfree(seq_list->list);
358 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
361 /* Constant-time check for list membership */
362 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
365 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
367 u16 seq = seq_list->head;
368 u16 mask = seq_list->mask;
370 seq_list->head = seq_list->list[seq & mask];
371 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
373 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
381 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
395 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
397 u16 mask = seq_list->mask;
399 /* All appends happen in constant time */
401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
407 seq_list->list[seq_list->tail & mask] = seq;
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
413 static void l2cap_chan_timeout(struct work_struct *work)
415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
417 struct l2cap_conn *conn = chan->conn;
420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
422 mutex_lock(&conn->chan_lock);
423 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
424 * this work. No need to call l2cap_chan_hold(chan) here again.
426 l2cap_chan_lock(chan);
428 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
429 reason = ECONNREFUSED;
430 else if (chan->state == BT_CONNECT &&
431 chan->sec_level != BT_SECURITY_SDP)
432 reason = ECONNREFUSED;
436 l2cap_chan_close(chan, reason);
438 chan->ops->close(chan);
440 l2cap_chan_unlock(chan);
441 l2cap_chan_put(chan);
443 mutex_unlock(&conn->chan_lock);
446 struct l2cap_chan *l2cap_chan_create(void)
448 struct l2cap_chan *chan;
450 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
454 mutex_init(&chan->lock);
456 /* Set default lock nesting level */
457 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
459 write_lock(&chan_list_lock);
460 list_add(&chan->global_l, &chan_list);
461 write_unlock(&chan_list_lock);
463 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
465 chan->state = BT_OPEN;
467 kref_init(&chan->kref);
469 /* This flag is cleared in l2cap_chan_ready() */
470 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
472 BT_DBG("chan %p", chan);
476 EXPORT_SYMBOL_GPL(l2cap_chan_create);
478 static void l2cap_chan_destroy(struct kref *kref)
480 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
482 BT_DBG("chan %p", chan);
484 write_lock(&chan_list_lock);
485 list_del(&chan->global_l);
486 write_unlock(&chan_list_lock);
491 void l2cap_chan_hold(struct l2cap_chan *c)
493 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
498 void l2cap_chan_put(struct l2cap_chan *c)
500 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
502 kref_put(&c->kref, l2cap_chan_destroy);
504 EXPORT_SYMBOL_GPL(l2cap_chan_put);
506 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
508 chan->fcs = L2CAP_FCS_CRC16;
509 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
510 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
511 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
512 chan->remote_max_tx = chan->max_tx;
513 chan->remote_tx_win = chan->tx_win;
514 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
515 chan->sec_level = BT_SECURITY_LOW;
516 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
517 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
518 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
519 chan->conf_state = 0;
521 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
523 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
525 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
528 chan->sdu_last_frag = NULL;
530 chan->tx_credits = tx_credits;
531 /* Derive MPS from connection MTU to stop HCI fragmentation */
532 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
533 /* Give enough credits for a full packet */
534 chan->rx_credits = (chan->imtu / chan->mps) + 1;
536 skb_queue_head_init(&chan->tx_q);
539 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
541 l2cap_le_flowctl_init(chan, tx_credits);
543 /* L2CAP implementations shall support a minimum MPS of 64 octets */
544 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
545 chan->mps = L2CAP_ECRED_MIN_MPS;
546 chan->rx_credits = (chan->imtu / chan->mps) + 1;
550 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
552 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
553 __le16_to_cpu(chan->psm), chan->dcid);
555 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
559 switch (chan->chan_type) {
560 case L2CAP_CHAN_CONN_ORIENTED:
561 /* Alloc CID for connection-oriented socket */
562 chan->scid = l2cap_alloc_cid(conn);
563 if (conn->hcon->type == ACL_LINK)
564 chan->omtu = L2CAP_DEFAULT_MTU;
567 case L2CAP_CHAN_CONN_LESS:
568 /* Connectionless socket */
569 chan->scid = L2CAP_CID_CONN_LESS;
570 chan->dcid = L2CAP_CID_CONN_LESS;
571 chan->omtu = L2CAP_DEFAULT_MTU;
574 case L2CAP_CHAN_FIXED:
575 /* Caller will set CID and CID specific MTU values */
579 /* Raw socket can send/recv signalling messages only */
580 chan->scid = L2CAP_CID_SIGNALING;
581 chan->dcid = L2CAP_CID_SIGNALING;
582 chan->omtu = L2CAP_DEFAULT_MTU;
585 chan->local_id = L2CAP_BESTEFFORT_ID;
586 chan->local_stype = L2CAP_SERV_BESTEFFORT;
587 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
588 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
589 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
590 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
592 l2cap_chan_hold(chan);
594 /* Only keep a reference for fixed channels if they requested it */
595 if (chan->chan_type != L2CAP_CHAN_FIXED ||
596 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
597 hci_conn_hold(conn->hcon);
599 list_add(&chan->list, &conn->chan_l);
602 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
604 mutex_lock(&conn->chan_lock);
605 __l2cap_chan_add(conn, chan);
606 mutex_unlock(&conn->chan_lock);
609 void l2cap_chan_del(struct l2cap_chan *chan, int err)
611 struct l2cap_conn *conn = chan->conn;
613 __clear_chan_timer(chan);
615 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
616 state_to_string(chan->state));
618 chan->ops->teardown(chan, err);
621 struct amp_mgr *mgr = conn->hcon->amp_mgr;
622 /* Delete from channel list */
623 list_del(&chan->list);
625 l2cap_chan_put(chan);
629 /* Reference was only held for non-fixed channels or
630 * fixed channels that explicitly requested it using the
631 * FLAG_HOLD_HCI_CONN flag.
633 if (chan->chan_type != L2CAP_CHAN_FIXED ||
634 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
635 hci_conn_drop(conn->hcon);
637 if (mgr && mgr->bredr_chan == chan)
638 mgr->bredr_chan = NULL;
641 if (chan->hs_hchan) {
642 struct hci_chan *hs_hchan = chan->hs_hchan;
644 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
645 amp_disconnect_logical_link(hs_hchan);
648 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
652 case L2CAP_MODE_BASIC:
655 case L2CAP_MODE_LE_FLOWCTL:
656 case L2CAP_MODE_EXT_FLOWCTL:
657 skb_queue_purge(&chan->tx_q);
660 case L2CAP_MODE_ERTM:
661 __clear_retrans_timer(chan);
662 __clear_monitor_timer(chan);
663 __clear_ack_timer(chan);
665 skb_queue_purge(&chan->srej_q);
667 l2cap_seq_list_free(&chan->srej_list);
668 l2cap_seq_list_free(&chan->retrans_list);
671 case L2CAP_MODE_STREAMING:
672 skb_queue_purge(&chan->tx_q);
678 EXPORT_SYMBOL_GPL(l2cap_chan_del);
680 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
683 struct l2cap_chan *chan;
685 list_for_each_entry(chan, &conn->chan_l, list) {
690 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
696 mutex_lock(&conn->chan_lock);
697 __l2cap_chan_list(conn, func, data);
698 mutex_unlock(&conn->chan_lock);
701 EXPORT_SYMBOL_GPL(l2cap_chan_list);
703 static void l2cap_conn_update_id_addr(struct work_struct *work)
705 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
706 id_addr_update_work);
707 struct hci_conn *hcon = conn->hcon;
708 struct l2cap_chan *chan;
710 mutex_lock(&conn->chan_lock);
712 list_for_each_entry(chan, &conn->chan_l, list) {
713 l2cap_chan_lock(chan);
714 bacpy(&chan->dst, &hcon->dst);
715 chan->dst_type = bdaddr_dst_type(hcon);
716 l2cap_chan_unlock(chan);
719 mutex_unlock(&conn->chan_lock);
722 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
724 struct l2cap_conn *conn = chan->conn;
725 struct l2cap_le_conn_rsp rsp;
728 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
729 result = L2CAP_CR_LE_AUTHORIZATION;
731 result = L2CAP_CR_LE_BAD_PSM;
733 l2cap_state_change(chan, BT_DISCONN);
735 rsp.dcid = cpu_to_le16(chan->scid);
736 rsp.mtu = cpu_to_le16(chan->imtu);
737 rsp.mps = cpu_to_le16(chan->mps);
738 rsp.credits = cpu_to_le16(chan->rx_credits);
739 rsp.result = cpu_to_le16(result);
741 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
745 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
747 struct l2cap_conn *conn = chan->conn;
748 struct l2cap_ecred_conn_rsp rsp;
751 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
752 result = L2CAP_CR_LE_AUTHORIZATION;
754 result = L2CAP_CR_LE_BAD_PSM;
756 l2cap_state_change(chan, BT_DISCONN);
758 memset(&rsp, 0, sizeof(rsp));
760 rsp.result = cpu_to_le16(result);
762 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
766 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
768 struct l2cap_conn *conn = chan->conn;
769 struct l2cap_conn_rsp rsp;
772 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
773 result = L2CAP_CR_SEC_BLOCK;
775 result = L2CAP_CR_BAD_PSM;
777 l2cap_state_change(chan, BT_DISCONN);
779 rsp.scid = cpu_to_le16(chan->dcid);
780 rsp.dcid = cpu_to_le16(chan->scid);
781 rsp.result = cpu_to_le16(result);
782 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
784 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
787 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
789 struct l2cap_conn *conn = chan->conn;
791 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
793 switch (chan->state) {
795 chan->ops->teardown(chan, 0);
800 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
801 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
802 l2cap_send_disconn_req(chan, reason);
804 l2cap_chan_del(chan, reason);
808 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
809 if (conn->hcon->type == ACL_LINK)
810 l2cap_chan_connect_reject(chan);
811 else if (conn->hcon->type == LE_LINK) {
812 switch (chan->mode) {
813 case L2CAP_MODE_LE_FLOWCTL:
814 l2cap_chan_le_connect_reject(chan);
816 case L2CAP_MODE_EXT_FLOWCTL:
817 l2cap_chan_ecred_connect_reject(chan);
823 l2cap_chan_del(chan, reason);
828 l2cap_chan_del(chan, reason);
832 chan->ops->teardown(chan, 0);
836 EXPORT_SYMBOL(l2cap_chan_close);
838 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
840 switch (chan->chan_type) {
842 switch (chan->sec_level) {
843 case BT_SECURITY_HIGH:
844 case BT_SECURITY_FIPS:
845 return HCI_AT_DEDICATED_BONDING_MITM;
846 case BT_SECURITY_MEDIUM:
847 return HCI_AT_DEDICATED_BONDING;
849 return HCI_AT_NO_BONDING;
852 case L2CAP_CHAN_CONN_LESS:
853 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
854 if (chan->sec_level == BT_SECURITY_LOW)
855 chan->sec_level = BT_SECURITY_SDP;
857 if (chan->sec_level == BT_SECURITY_HIGH ||
858 chan->sec_level == BT_SECURITY_FIPS)
859 return HCI_AT_NO_BONDING_MITM;
861 return HCI_AT_NO_BONDING;
863 case L2CAP_CHAN_CONN_ORIENTED:
864 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
865 if (chan->sec_level == BT_SECURITY_LOW)
866 chan->sec_level = BT_SECURITY_SDP;
868 if (chan->sec_level == BT_SECURITY_HIGH ||
869 chan->sec_level == BT_SECURITY_FIPS)
870 return HCI_AT_NO_BONDING_MITM;
872 return HCI_AT_NO_BONDING;
877 switch (chan->sec_level) {
878 case BT_SECURITY_HIGH:
879 case BT_SECURITY_FIPS:
880 return HCI_AT_GENERAL_BONDING_MITM;
881 case BT_SECURITY_MEDIUM:
882 return HCI_AT_GENERAL_BONDING;
884 return HCI_AT_NO_BONDING;
890 /* Service level security */
891 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
893 struct l2cap_conn *conn = chan->conn;
896 if (conn->hcon->type == LE_LINK)
897 return smp_conn_security(conn->hcon, chan->sec_level);
899 auth_type = l2cap_get_auth_type(chan);
901 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
905 static u8 l2cap_get_ident(struct l2cap_conn *conn)
909 /* Get next available identificator.
910 * 1 - 128 are used by kernel.
911 * 129 - 199 are reserved.
912 * 200 - 254 are used by utilities like l2ping, etc.
915 mutex_lock(&conn->ident_lock);
917 if (++conn->tx_ident > 128)
922 mutex_unlock(&conn->ident_lock);
927 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
930 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
933 BT_DBG("code 0x%2.2x", code);
938 /* Use NO_FLUSH if supported or we have an LE link (which does
939 * not support auto-flushing packets) */
940 if (lmp_no_flush_capable(conn->hcon->hdev) ||
941 conn->hcon->type == LE_LINK)
942 flags = ACL_START_NO_FLUSH;
946 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
947 skb->priority = HCI_PRIO_MAX;
949 hci_send_acl(conn->hchan, skb, flags);
952 static bool __chan_is_moving(struct l2cap_chan *chan)
954 return chan->move_state != L2CAP_MOVE_STABLE &&
955 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
958 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
960 struct hci_conn *hcon = chan->conn->hcon;
963 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
966 if (chan->hs_hcon && !__chan_is_moving(chan)) {
968 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
975 /* Use NO_FLUSH for LE links (where this is the only option) or
976 * if the BR/EDR link supports it and flushing has not been
977 * explicitly requested (through FLAG_FLUSHABLE).
979 if (hcon->type == LE_LINK ||
980 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
981 lmp_no_flush_capable(hcon->hdev)))
982 flags = ACL_START_NO_FLUSH;
986 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
987 hci_send_acl(chan->conn->hchan, skb, flags);
990 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
992 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
993 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
995 if (enh & L2CAP_CTRL_FRAME_TYPE) {
998 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
999 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1005 control->sframe = 0;
1006 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1007 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1014 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1016 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1017 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1019 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1021 control->sframe = 1;
1022 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1023 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1029 control->sframe = 0;
1030 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1031 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1038 static inline void __unpack_control(struct l2cap_chan *chan,
1039 struct sk_buff *skb)
1041 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1042 __unpack_extended_control(get_unaligned_le32(skb->data),
1043 &bt_cb(skb)->l2cap);
1044 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1046 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1047 &bt_cb(skb)->l2cap);
1048 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1052 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1056 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1057 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1059 if (control->sframe) {
1060 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1061 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1062 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1064 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1065 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1071 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1075 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1076 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1078 if (control->sframe) {
1079 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1080 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1081 packed |= L2CAP_CTRL_FRAME_TYPE;
1083 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1084 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1090 static inline void __pack_control(struct l2cap_chan *chan,
1091 struct l2cap_ctrl *control,
1092 struct sk_buff *skb)
1094 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1095 put_unaligned_le32(__pack_extended_control(control),
1096 skb->data + L2CAP_HDR_SIZE);
1098 put_unaligned_le16(__pack_enhanced_control(control),
1099 skb->data + L2CAP_HDR_SIZE);
1103 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1105 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1106 return L2CAP_EXT_HDR_SIZE;
1108 return L2CAP_ENH_HDR_SIZE;
1111 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1114 struct sk_buff *skb;
1115 struct l2cap_hdr *lh;
1116 int hlen = __ertm_hdr_size(chan);
1118 if (chan->fcs == L2CAP_FCS_CRC16)
1119 hlen += L2CAP_FCS_SIZE;
1121 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1124 return ERR_PTR(-ENOMEM);
1126 lh = skb_put(skb, L2CAP_HDR_SIZE);
1127 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1128 lh->cid = cpu_to_le16(chan->dcid);
1130 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1131 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1133 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1135 if (chan->fcs == L2CAP_FCS_CRC16) {
1136 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1137 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1140 skb->priority = HCI_PRIO_MAX;
1144 static void l2cap_send_sframe(struct l2cap_chan *chan,
1145 struct l2cap_ctrl *control)
1147 struct sk_buff *skb;
1150 BT_DBG("chan %p, control %p", chan, control);
1152 if (!control->sframe)
1155 if (__chan_is_moving(chan))
1158 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1162 if (control->super == L2CAP_SUPER_RR)
1163 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1164 else if (control->super == L2CAP_SUPER_RNR)
1165 set_bit(CONN_RNR_SENT, &chan->conn_state);
1167 if (control->super != L2CAP_SUPER_SREJ) {
1168 chan->last_acked_seq = control->reqseq;
1169 __clear_ack_timer(chan);
1172 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1173 control->final, control->poll, control->super);
1175 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1176 control_field = __pack_extended_control(control);
1178 control_field = __pack_enhanced_control(control);
1180 skb = l2cap_create_sframe_pdu(chan, control_field);
1182 l2cap_do_send(chan, skb);
1185 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1187 struct l2cap_ctrl control;
1189 BT_DBG("chan %p, poll %d", chan, poll);
1191 memset(&control, 0, sizeof(control));
1193 control.poll = poll;
1195 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1196 control.super = L2CAP_SUPER_RNR;
1198 control.super = L2CAP_SUPER_RR;
1200 control.reqseq = chan->buffer_seq;
1201 l2cap_send_sframe(chan, &control);
1204 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1206 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1209 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1212 static bool __amp_capable(struct l2cap_chan *chan)
1214 struct l2cap_conn *conn = chan->conn;
1215 struct hci_dev *hdev;
1216 bool amp_available = false;
1218 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1221 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1224 read_lock(&hci_dev_list_lock);
1225 list_for_each_entry(hdev, &hci_dev_list, list) {
1226 if (hdev->amp_type != AMP_TYPE_BREDR &&
1227 test_bit(HCI_UP, &hdev->flags)) {
1228 amp_available = true;
1232 read_unlock(&hci_dev_list_lock);
1234 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1235 return amp_available;
1240 static bool l2cap_check_efs(struct l2cap_chan *chan)
1242 /* Check EFS parameters */
1246 void l2cap_send_conn_req(struct l2cap_chan *chan)
1248 struct l2cap_conn *conn = chan->conn;
1249 struct l2cap_conn_req req;
1251 req.scid = cpu_to_le16(chan->scid);
1252 req.psm = chan->psm;
1254 chan->ident = l2cap_get_ident(conn);
1256 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1258 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1261 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1263 struct l2cap_create_chan_req req;
1264 req.scid = cpu_to_le16(chan->scid);
1265 req.psm = chan->psm;
1266 req.amp_id = amp_id;
1268 chan->ident = l2cap_get_ident(chan->conn);
1270 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1274 static void l2cap_move_setup(struct l2cap_chan *chan)
1276 struct sk_buff *skb;
1278 BT_DBG("chan %p", chan);
1280 if (chan->mode != L2CAP_MODE_ERTM)
1283 __clear_retrans_timer(chan);
1284 __clear_monitor_timer(chan);
1285 __clear_ack_timer(chan);
1287 chan->retry_count = 0;
1288 skb_queue_walk(&chan->tx_q, skb) {
1289 if (bt_cb(skb)->l2cap.retries)
1290 bt_cb(skb)->l2cap.retries = 1;
1295 chan->expected_tx_seq = chan->buffer_seq;
1297 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1298 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1299 l2cap_seq_list_clear(&chan->retrans_list);
1300 l2cap_seq_list_clear(&chan->srej_list);
1301 skb_queue_purge(&chan->srej_q);
1303 chan->tx_state = L2CAP_TX_STATE_XMIT;
1304 chan->rx_state = L2CAP_RX_STATE_MOVE;
1306 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1309 static void l2cap_move_done(struct l2cap_chan *chan)
1311 u8 move_role = chan->move_role;
1312 BT_DBG("chan %p", chan);
1314 chan->move_state = L2CAP_MOVE_STABLE;
1315 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1317 if (chan->mode != L2CAP_MODE_ERTM)
1320 switch (move_role) {
1321 case L2CAP_MOVE_ROLE_INITIATOR:
1322 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1323 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1325 case L2CAP_MOVE_ROLE_RESPONDER:
1326 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1331 static void l2cap_chan_ready(struct l2cap_chan *chan)
1333 /* The channel may have already been flagged as connected in
1334 * case of receiving data before the L2CAP info req/rsp
1335 * procedure is complete.
1337 if (chan->state == BT_CONNECTED)
1340 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1341 chan->conf_state = 0;
1342 __clear_chan_timer(chan);
1344 switch (chan->mode) {
1345 case L2CAP_MODE_LE_FLOWCTL:
1346 case L2CAP_MODE_EXT_FLOWCTL:
1347 if (!chan->tx_credits)
1348 chan->ops->suspend(chan);
1352 chan->state = BT_CONNECTED;
1354 chan->ops->ready(chan);
1357 static void l2cap_le_connect(struct l2cap_chan *chan)
1359 struct l2cap_conn *conn = chan->conn;
1360 struct l2cap_le_conn_req req;
1362 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1366 chan->imtu = chan->conn->mtu;
1368 l2cap_le_flowctl_init(chan, 0);
1370 req.psm = chan->psm;
1371 req.scid = cpu_to_le16(chan->scid);
1372 req.mtu = cpu_to_le16(chan->imtu);
1373 req.mps = cpu_to_le16(chan->mps);
1374 req.credits = cpu_to_le16(chan->rx_credits);
1376 chan->ident = l2cap_get_ident(conn);
1378 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1382 struct l2cap_ecred_conn_data {
1384 struct l2cap_ecred_conn_req req;
1387 struct l2cap_chan *chan;
1392 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1394 struct l2cap_ecred_conn_data *conn = data;
1397 if (chan == conn->chan)
1400 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1403 pid = chan->ops->get_peer_pid(chan);
1405 /* Only add deferred channels with the same PID/PSM */
1406 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1407 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1410 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1413 l2cap_ecred_init(chan, 0);
1415 /* Set the same ident so we can match on the rsp */
1416 chan->ident = conn->chan->ident;
1418 /* Include all channels deferred */
1419 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1424 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1426 struct l2cap_conn *conn = chan->conn;
1427 struct l2cap_ecred_conn_data data;
1429 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1432 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1435 l2cap_ecred_init(chan, 0);
1437 data.pdu.req.psm = chan->psm;
1438 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1439 data.pdu.req.mps = cpu_to_le16(chan->mps);
1440 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1441 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1443 chan->ident = l2cap_get_ident(conn);
1444 data.pid = chan->ops->get_peer_pid(chan);
1448 data.pid = chan->ops->get_peer_pid(chan);
1450 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1452 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1453 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1457 static void l2cap_le_start(struct l2cap_chan *chan)
1459 struct l2cap_conn *conn = chan->conn;
1461 if (!smp_conn_security(conn->hcon, chan->sec_level))
1465 l2cap_chan_ready(chan);
1469 if (chan->state == BT_CONNECT) {
1470 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1471 l2cap_ecred_connect(chan);
1473 l2cap_le_connect(chan);
1477 static void l2cap_start_connection(struct l2cap_chan *chan)
1479 if (__amp_capable(chan)) {
1480 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1481 a2mp_discover_amp(chan);
1482 } else if (chan->conn->hcon->type == LE_LINK) {
1483 l2cap_le_start(chan);
1485 l2cap_send_conn_req(chan);
1489 static void l2cap_request_info(struct l2cap_conn *conn)
1491 struct l2cap_info_req req;
1493 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1496 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1498 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1499 conn->info_ident = l2cap_get_ident(conn);
1501 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1503 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1507 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1509 /* The minimum encryption key size needs to be enforced by the
1510 * host stack before establishing any L2CAP connections. The
1511 * specification in theory allows a minimum of 1, but to align
1512 * BR/EDR and LE transports, a minimum of 7 is chosen.
1514 * This check might also be called for unencrypted connections
1515 * that have no key size requirements. Ensure that the link is
1516 * actually encrypted before enforcing a key size.
1518 int min_key_size = hcon->hdev->min_enc_key_size;
1520 /* On FIPS security level, key size must be 16 bytes */
1521 if (hcon->sec_level == BT_SECURITY_FIPS)
1524 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1525 hcon->enc_key_size >= min_key_size);
1528 static void l2cap_do_start(struct l2cap_chan *chan)
1530 struct l2cap_conn *conn = chan->conn;
1532 if (conn->hcon->type == LE_LINK) {
1533 l2cap_le_start(chan);
1537 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1538 l2cap_request_info(conn);
1542 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1545 if (!l2cap_chan_check_security(chan, true) ||
1546 !__l2cap_no_conn_pending(chan))
1549 if (l2cap_check_enc_key_size(conn->hcon))
1550 l2cap_start_connection(chan);
1552 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1555 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1557 u32 local_feat_mask = l2cap_feat_mask;
1559 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1562 case L2CAP_MODE_ERTM:
1563 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1564 case L2CAP_MODE_STREAMING:
1565 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1571 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1573 struct l2cap_conn *conn = chan->conn;
1574 struct l2cap_disconn_req req;
1579 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1580 __clear_retrans_timer(chan);
1581 __clear_monitor_timer(chan);
1582 __clear_ack_timer(chan);
1585 if (chan->scid == L2CAP_CID_A2MP) {
1586 l2cap_state_change(chan, BT_DISCONN);
1590 req.dcid = cpu_to_le16(chan->dcid);
1591 req.scid = cpu_to_le16(chan->scid);
1592 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1595 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1598 /* ---- L2CAP connections ---- */
1599 static void l2cap_conn_start(struct l2cap_conn *conn)
1601 struct l2cap_chan *chan, *tmp;
1603 BT_DBG("conn %p", conn);
1605 mutex_lock(&conn->chan_lock);
1607 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1608 l2cap_chan_lock(chan);
1610 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1611 l2cap_chan_ready(chan);
1612 l2cap_chan_unlock(chan);
1616 if (chan->state == BT_CONNECT) {
1617 if (!l2cap_chan_check_security(chan, true) ||
1618 !__l2cap_no_conn_pending(chan)) {
1619 l2cap_chan_unlock(chan);
1623 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1624 && test_bit(CONF_STATE2_DEVICE,
1625 &chan->conf_state)) {
1626 l2cap_chan_close(chan, ECONNRESET);
1627 l2cap_chan_unlock(chan);
1631 if (l2cap_check_enc_key_size(conn->hcon))
1632 l2cap_start_connection(chan);
1634 l2cap_chan_close(chan, ECONNREFUSED);
1636 } else if (chan->state == BT_CONNECT2) {
1637 struct l2cap_conn_rsp rsp;
1639 rsp.scid = cpu_to_le16(chan->dcid);
1640 rsp.dcid = cpu_to_le16(chan->scid);
1642 if (l2cap_chan_check_security(chan, false)) {
1643 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1644 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1645 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1646 chan->ops->defer(chan);
1649 l2cap_state_change(chan, BT_CONFIG);
1650 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1651 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1654 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1655 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1658 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1661 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1662 rsp.result != L2CAP_CR_SUCCESS) {
1663 l2cap_chan_unlock(chan);
1667 set_bit(CONF_REQ_SENT, &chan->conf_state);
1668 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1669 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1670 chan->num_conf_req++;
1673 l2cap_chan_unlock(chan);
1676 mutex_unlock(&conn->chan_lock);
1679 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1681 struct hci_conn *hcon = conn->hcon;
1682 struct hci_dev *hdev = hcon->hdev;
1684 BT_DBG("%s conn %p", hdev->name, conn);
1686 /* For outgoing pairing which doesn't necessarily have an
1687 * associated socket (e.g. mgmt_pair_device).
1690 smp_conn_security(hcon, hcon->pending_sec_level);
1692 /* For LE slave connections, make sure the connection interval
1693 * is in the range of the minium and maximum interval that has
1694 * been configured for this connection. If not, then trigger
1695 * the connection update procedure.
1697 if (hcon->role == HCI_ROLE_SLAVE &&
1698 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1699 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1700 struct l2cap_conn_param_update_req req;
1702 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1703 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1704 req.latency = cpu_to_le16(hcon->le_conn_latency);
1705 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1707 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1708 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1712 static void l2cap_conn_ready(struct l2cap_conn *conn)
1714 struct l2cap_chan *chan;
1715 struct hci_conn *hcon = conn->hcon;
1717 BT_DBG("conn %p", conn);
1719 if (hcon->type == ACL_LINK)
1720 l2cap_request_info(conn);
1722 mutex_lock(&conn->chan_lock);
1724 list_for_each_entry(chan, &conn->chan_l, list) {
1726 l2cap_chan_lock(chan);
1728 if (chan->scid == L2CAP_CID_A2MP) {
1729 l2cap_chan_unlock(chan);
1733 if (hcon->type == LE_LINK) {
1734 l2cap_le_start(chan);
1735 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1736 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1737 l2cap_chan_ready(chan);
1738 } else if (chan->state == BT_CONNECT) {
1739 l2cap_do_start(chan);
1742 l2cap_chan_unlock(chan);
1745 mutex_unlock(&conn->chan_lock);
1747 if (hcon->type == LE_LINK)
1748 l2cap_le_conn_ready(conn);
1750 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1753 /* Notify sockets that we cannot guaranty reliability anymore */
1754 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1756 struct l2cap_chan *chan;
1758 BT_DBG("conn %p", conn);
1760 mutex_lock(&conn->chan_lock);
1762 list_for_each_entry(chan, &conn->chan_l, list) {
1763 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1764 l2cap_chan_set_err(chan, err);
1767 mutex_unlock(&conn->chan_lock);
1770 static void l2cap_info_timeout(struct work_struct *work)
1772 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1775 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1776 conn->info_ident = 0;
1778 l2cap_conn_start(conn);
1783 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1784 * callback is called during registration. The ->remove callback is called
1785 * during unregistration.
1786 * An l2cap_user object can either be explicitly unregistered or when the
1787 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1788 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1789 * External modules must own a reference to the l2cap_conn object if they intend
1790 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1791 * any time if they don't.
1794 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1796 struct hci_dev *hdev = conn->hcon->hdev;
1799 /* We need to check whether l2cap_conn is registered. If it is not, we
1800 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1801 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1802 * relies on the parent hci_conn object to be locked. This itself relies
1803 * on the hci_dev object to be locked. So we must lock the hci device
1808 if (!list_empty(&user->list)) {
1813 /* conn->hchan is NULL after l2cap_conn_del() was called */
1819 ret = user->probe(conn, user);
1823 list_add(&user->list, &conn->users);
1827 hci_dev_unlock(hdev);
1830 EXPORT_SYMBOL(l2cap_register_user);
1832 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1834 struct hci_dev *hdev = conn->hcon->hdev;
1838 if (list_empty(&user->list))
1841 list_del_init(&user->list);
1842 user->remove(conn, user);
1845 hci_dev_unlock(hdev);
1847 EXPORT_SYMBOL(l2cap_unregister_user);
1849 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1851 struct l2cap_user *user;
1853 while (!list_empty(&conn->users)) {
1854 user = list_first_entry(&conn->users, struct l2cap_user, list);
1855 list_del_init(&user->list);
1856 user->remove(conn, user);
1860 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1862 struct l2cap_conn *conn = hcon->l2cap_data;
1863 struct l2cap_chan *chan, *l;
1868 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1870 kfree_skb(conn->rx_skb);
1872 skb_queue_purge(&conn->pending_rx);
1874 /* We can not call flush_work(&conn->pending_rx_work) here since we
1875 * might block if we are running on a worker from the same workqueue
1876 * pending_rx_work is waiting on.
1878 if (work_pending(&conn->pending_rx_work))
1879 cancel_work_sync(&conn->pending_rx_work);
1881 if (work_pending(&conn->id_addr_update_work))
1882 cancel_work_sync(&conn->id_addr_update_work);
1884 l2cap_unregister_all_users(conn);
1886 /* Force the connection to be immediately dropped */
1887 hcon->disc_timeout = 0;
1889 mutex_lock(&conn->chan_lock);
1892 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1893 l2cap_chan_hold(chan);
1894 l2cap_chan_lock(chan);
1896 l2cap_chan_del(chan, err);
1898 chan->ops->close(chan);
1900 l2cap_chan_unlock(chan);
1901 l2cap_chan_put(chan);
1904 mutex_unlock(&conn->chan_lock);
1906 hci_chan_del(conn->hchan);
1908 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1909 cancel_delayed_work_sync(&conn->info_timer);
1911 hcon->l2cap_data = NULL;
1913 l2cap_conn_put(conn);
1916 static void l2cap_conn_free(struct kref *ref)
1918 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1920 hci_conn_put(conn->hcon);
1924 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1926 kref_get(&conn->ref);
1929 EXPORT_SYMBOL(l2cap_conn_get);
1931 void l2cap_conn_put(struct l2cap_conn *conn)
1933 kref_put(&conn->ref, l2cap_conn_free);
1935 EXPORT_SYMBOL(l2cap_conn_put);
1937 /* ---- Socket interface ---- */
1939 /* Find socket with psm and source / destination bdaddr.
1940 * Returns closest match.
1942 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1947 struct l2cap_chan *c, *c1 = NULL;
1949 read_lock(&chan_list_lock);
1951 list_for_each_entry(c, &chan_list, global_l) {
1952 if (state && c->state != state)
1955 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1958 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1961 if (c->psm == psm) {
1962 int src_match, dst_match;
1963 int src_any, dst_any;
1966 src_match = !bacmp(&c->src, src);
1967 dst_match = !bacmp(&c->dst, dst);
1968 if (src_match && dst_match) {
1970 read_unlock(&chan_list_lock);
1975 src_any = !bacmp(&c->src, BDADDR_ANY);
1976 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1977 if ((src_match && dst_any) || (src_any && dst_match) ||
1978 (src_any && dst_any))
1984 l2cap_chan_hold(c1);
1986 read_unlock(&chan_list_lock);
1991 static void l2cap_monitor_timeout(struct work_struct *work)
1993 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1994 monitor_timer.work);
1996 BT_DBG("chan %p", chan);
1998 l2cap_chan_lock(chan);
2001 l2cap_chan_unlock(chan);
2002 l2cap_chan_put(chan);
2006 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2008 l2cap_chan_unlock(chan);
2009 l2cap_chan_put(chan);
2012 static void l2cap_retrans_timeout(struct work_struct *work)
2014 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2015 retrans_timer.work);
2017 BT_DBG("chan %p", chan);
2019 l2cap_chan_lock(chan);
2022 l2cap_chan_unlock(chan);
2023 l2cap_chan_put(chan);
2027 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2028 l2cap_chan_unlock(chan);
2029 l2cap_chan_put(chan);
2032 static void l2cap_streaming_send(struct l2cap_chan *chan,
2033 struct sk_buff_head *skbs)
2035 struct sk_buff *skb;
2036 struct l2cap_ctrl *control;
2038 BT_DBG("chan %p, skbs %p", chan, skbs);
2040 if (__chan_is_moving(chan))
2043 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2045 while (!skb_queue_empty(&chan->tx_q)) {
2047 skb = skb_dequeue(&chan->tx_q);
2049 bt_cb(skb)->l2cap.retries = 1;
2050 control = &bt_cb(skb)->l2cap;
2052 control->reqseq = 0;
2053 control->txseq = chan->next_tx_seq;
2055 __pack_control(chan, control, skb);
2057 if (chan->fcs == L2CAP_FCS_CRC16) {
2058 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2059 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2062 l2cap_do_send(chan, skb);
2064 BT_DBG("Sent txseq %u", control->txseq);
2066 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2067 chan->frames_sent++;
2071 static int l2cap_ertm_send(struct l2cap_chan *chan)
2073 struct sk_buff *skb, *tx_skb;
2074 struct l2cap_ctrl *control;
2077 BT_DBG("chan %p", chan);
2079 if (chan->state != BT_CONNECTED)
2082 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2085 if (__chan_is_moving(chan))
2088 while (chan->tx_send_head &&
2089 chan->unacked_frames < chan->remote_tx_win &&
2090 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2092 skb = chan->tx_send_head;
2094 bt_cb(skb)->l2cap.retries = 1;
2095 control = &bt_cb(skb)->l2cap;
2097 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2100 control->reqseq = chan->buffer_seq;
2101 chan->last_acked_seq = chan->buffer_seq;
2102 control->txseq = chan->next_tx_seq;
2104 __pack_control(chan, control, skb);
2106 if (chan->fcs == L2CAP_FCS_CRC16) {
2107 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2108 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2111 /* Clone after data has been modified. Data is assumed to be
2112 read-only (for locking purposes) on cloned sk_buffs.
2114 tx_skb = skb_clone(skb, GFP_KERNEL);
2119 __set_retrans_timer(chan);
2121 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2122 chan->unacked_frames++;
2123 chan->frames_sent++;
2126 if (skb_queue_is_last(&chan->tx_q, skb))
2127 chan->tx_send_head = NULL;
2129 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2131 l2cap_do_send(chan, tx_skb);
2132 BT_DBG("Sent txseq %u", control->txseq);
2135 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2136 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2141 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2143 struct l2cap_ctrl control;
2144 struct sk_buff *skb;
2145 struct sk_buff *tx_skb;
2148 BT_DBG("chan %p", chan);
2150 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2153 if (__chan_is_moving(chan))
2156 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2157 seq = l2cap_seq_list_pop(&chan->retrans_list);
2159 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2161 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2166 bt_cb(skb)->l2cap.retries++;
2167 control = bt_cb(skb)->l2cap;
2169 if (chan->max_tx != 0 &&
2170 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2171 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2172 l2cap_send_disconn_req(chan, ECONNRESET);
2173 l2cap_seq_list_clear(&chan->retrans_list);
2177 control.reqseq = chan->buffer_seq;
2178 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2183 if (skb_cloned(skb)) {
2184 /* Cloned sk_buffs are read-only, so we need a
2187 tx_skb = skb_copy(skb, GFP_KERNEL);
2189 tx_skb = skb_clone(skb, GFP_KERNEL);
2193 l2cap_seq_list_clear(&chan->retrans_list);
2197 /* Update skb contents */
2198 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2199 put_unaligned_le32(__pack_extended_control(&control),
2200 tx_skb->data + L2CAP_HDR_SIZE);
2202 put_unaligned_le16(__pack_enhanced_control(&control),
2203 tx_skb->data + L2CAP_HDR_SIZE);
2207 if (chan->fcs == L2CAP_FCS_CRC16) {
2208 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2209 tx_skb->len - L2CAP_FCS_SIZE);
2210 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2214 l2cap_do_send(chan, tx_skb);
2216 BT_DBG("Resent txseq %d", control.txseq);
2218 chan->last_acked_seq = chan->buffer_seq;
2222 static void l2cap_retransmit(struct l2cap_chan *chan,
2223 struct l2cap_ctrl *control)
2225 BT_DBG("chan %p, control %p", chan, control);
2227 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2228 l2cap_ertm_resend(chan);
2231 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2232 struct l2cap_ctrl *control)
2234 struct sk_buff *skb;
2236 BT_DBG("chan %p, control %p", chan, control);
2239 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2241 l2cap_seq_list_clear(&chan->retrans_list);
2243 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2246 if (chan->unacked_frames) {
2247 skb_queue_walk(&chan->tx_q, skb) {
2248 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2249 skb == chan->tx_send_head)
2253 skb_queue_walk_from(&chan->tx_q, skb) {
2254 if (skb == chan->tx_send_head)
2257 l2cap_seq_list_append(&chan->retrans_list,
2258 bt_cb(skb)->l2cap.txseq);
2261 l2cap_ertm_resend(chan);
2265 static void l2cap_send_ack(struct l2cap_chan *chan)
2267 struct l2cap_ctrl control;
2268 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2269 chan->last_acked_seq);
2272 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2273 chan, chan->last_acked_seq, chan->buffer_seq);
2275 memset(&control, 0, sizeof(control));
2278 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2279 chan->rx_state == L2CAP_RX_STATE_RECV) {
2280 __clear_ack_timer(chan);
2281 control.super = L2CAP_SUPER_RNR;
2282 control.reqseq = chan->buffer_seq;
2283 l2cap_send_sframe(chan, &control);
2285 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2286 l2cap_ertm_send(chan);
2287 /* If any i-frames were sent, they included an ack */
2288 if (chan->buffer_seq == chan->last_acked_seq)
2292 /* Ack now if the window is 3/4ths full.
2293 * Calculate without mul or div
2295 threshold = chan->ack_win;
2296 threshold += threshold << 1;
2299 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2302 if (frames_to_ack >= threshold) {
2303 __clear_ack_timer(chan);
2304 control.super = L2CAP_SUPER_RR;
2305 control.reqseq = chan->buffer_seq;
2306 l2cap_send_sframe(chan, &control);
2311 __set_ack_timer(chan);
2315 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2316 struct msghdr *msg, int len,
2317 int count, struct sk_buff *skb)
2319 struct l2cap_conn *conn = chan->conn;
2320 struct sk_buff **frag;
2323 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2329 /* Continuation fragments (no L2CAP header) */
2330 frag = &skb_shinfo(skb)->frag_list;
2332 struct sk_buff *tmp;
2334 count = min_t(unsigned int, conn->mtu, len);
2336 tmp = chan->ops->alloc_skb(chan, 0, count,
2337 msg->msg_flags & MSG_DONTWAIT);
2339 return PTR_ERR(tmp);
2343 if (!copy_from_iter_full(skb_put(*frag, count), count,
2350 skb->len += (*frag)->len;
2351 skb->data_len += (*frag)->len;
2353 frag = &(*frag)->next;
2359 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2360 struct msghdr *msg, size_t len)
2362 struct l2cap_conn *conn = chan->conn;
2363 struct sk_buff *skb;
2364 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2365 struct l2cap_hdr *lh;
2367 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2368 __le16_to_cpu(chan->psm), len);
2370 count = min_t(unsigned int, (conn->mtu - hlen), len);
2372 skb = chan->ops->alloc_skb(chan, hlen, count,
2373 msg->msg_flags & MSG_DONTWAIT);
2377 /* Create L2CAP header */
2378 lh = skb_put(skb, L2CAP_HDR_SIZE);
2379 lh->cid = cpu_to_le16(chan->dcid);
2380 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2381 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2383 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2384 if (unlikely(err < 0)) {
2386 return ERR_PTR(err);
2391 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2392 struct msghdr *msg, size_t len)
2394 struct l2cap_conn *conn = chan->conn;
2395 struct sk_buff *skb;
2397 struct l2cap_hdr *lh;
2399 BT_DBG("chan %p len %zu", chan, len);
2401 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2403 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2404 msg->msg_flags & MSG_DONTWAIT);
2408 /* Create L2CAP header */
2409 lh = skb_put(skb, L2CAP_HDR_SIZE);
2410 lh->cid = cpu_to_le16(chan->dcid);
2411 lh->len = cpu_to_le16(len);
2413 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2414 if (unlikely(err < 0)) {
2416 return ERR_PTR(err);
2421 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2422 struct msghdr *msg, size_t len,
2425 struct l2cap_conn *conn = chan->conn;
2426 struct sk_buff *skb;
2427 int err, count, hlen;
2428 struct l2cap_hdr *lh;
2430 BT_DBG("chan %p len %zu", chan, len);
2433 return ERR_PTR(-ENOTCONN);
2435 hlen = __ertm_hdr_size(chan);
2438 hlen += L2CAP_SDULEN_SIZE;
2440 if (chan->fcs == L2CAP_FCS_CRC16)
2441 hlen += L2CAP_FCS_SIZE;
2443 count = min_t(unsigned int, (conn->mtu - hlen), len);
2445 skb = chan->ops->alloc_skb(chan, hlen, count,
2446 msg->msg_flags & MSG_DONTWAIT);
2450 /* Create L2CAP header */
2451 lh = skb_put(skb, L2CAP_HDR_SIZE);
2452 lh->cid = cpu_to_le16(chan->dcid);
2453 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2455 /* Control header is populated later */
2456 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2457 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2459 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2462 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2464 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2465 if (unlikely(err < 0)) {
2467 return ERR_PTR(err);
2470 bt_cb(skb)->l2cap.fcs = chan->fcs;
2471 bt_cb(skb)->l2cap.retries = 0;
2475 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2476 struct sk_buff_head *seg_queue,
2477 struct msghdr *msg, size_t len)
2479 struct sk_buff *skb;
2484 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2486 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2487 * so fragmented skbs are not used. The HCI layer's handling
2488 * of fragmented skbs is not compatible with ERTM's queueing.
2491 /* PDU size is derived from the HCI MTU */
2492 pdu_len = chan->conn->mtu;
2494 /* Constrain PDU size for BR/EDR connections */
2496 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2498 /* Adjust for largest possible L2CAP overhead. */
2500 pdu_len -= L2CAP_FCS_SIZE;
2502 pdu_len -= __ertm_hdr_size(chan);
2504 /* Remote device may have requested smaller PDUs */
2505 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2507 if (len <= pdu_len) {
2508 sar = L2CAP_SAR_UNSEGMENTED;
2512 sar = L2CAP_SAR_START;
2517 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2520 __skb_queue_purge(seg_queue);
2521 return PTR_ERR(skb);
2524 bt_cb(skb)->l2cap.sar = sar;
2525 __skb_queue_tail(seg_queue, skb);
2531 if (len <= pdu_len) {
2532 sar = L2CAP_SAR_END;
2535 sar = L2CAP_SAR_CONTINUE;
2542 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2544 size_t len, u16 sdulen)
2546 struct l2cap_conn *conn = chan->conn;
2547 struct sk_buff *skb;
2548 int err, count, hlen;
2549 struct l2cap_hdr *lh;
2551 BT_DBG("chan %p len %zu", chan, len);
2554 return ERR_PTR(-ENOTCONN);
2556 hlen = L2CAP_HDR_SIZE;
2559 hlen += L2CAP_SDULEN_SIZE;
2561 count = min_t(unsigned int, (conn->mtu - hlen), len);
2563 skb = chan->ops->alloc_skb(chan, hlen, count,
2564 msg->msg_flags & MSG_DONTWAIT);
2568 /* Create L2CAP header */
2569 lh = skb_put(skb, L2CAP_HDR_SIZE);
2570 lh->cid = cpu_to_le16(chan->dcid);
2571 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2574 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2576 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2577 if (unlikely(err < 0)) {
2579 return ERR_PTR(err);
2585 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2586 struct sk_buff_head *seg_queue,
2587 struct msghdr *msg, size_t len)
2589 struct sk_buff *skb;
2593 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2596 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2602 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2604 __skb_queue_purge(seg_queue);
2605 return PTR_ERR(skb);
2608 __skb_queue_tail(seg_queue, skb);
2614 pdu_len += L2CAP_SDULEN_SIZE;
2621 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2625 BT_DBG("chan %p", chan);
2627 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2628 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2633 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2634 skb_queue_len(&chan->tx_q));
2637 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2639 struct sk_buff *skb;
2641 struct sk_buff_head seg_queue;
2646 /* Connectionless channel */
2647 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2648 skb = l2cap_create_connless_pdu(chan, msg, len);
2650 return PTR_ERR(skb);
2652 /* Channel lock is released before requesting new skb and then
2653 * reacquired thus we need to recheck channel state.
2655 if (chan->state != BT_CONNECTED) {
2660 l2cap_do_send(chan, skb);
2664 switch (chan->mode) {
2665 case L2CAP_MODE_LE_FLOWCTL:
2666 case L2CAP_MODE_EXT_FLOWCTL:
2667 /* Check outgoing MTU */
2668 if (len > chan->omtu)
2671 __skb_queue_head_init(&seg_queue);
2673 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2675 if (chan->state != BT_CONNECTED) {
2676 __skb_queue_purge(&seg_queue);
2683 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2685 l2cap_le_flowctl_send(chan);
2687 if (!chan->tx_credits)
2688 chan->ops->suspend(chan);
2694 case L2CAP_MODE_BASIC:
2695 /* Check outgoing MTU */
2696 if (len > chan->omtu)
2699 /* Create a basic PDU */
2700 skb = l2cap_create_basic_pdu(chan, msg, len);
2702 return PTR_ERR(skb);
2704 /* Channel lock is released before requesting new skb and then
2705 * reacquired thus we need to recheck channel state.
2707 if (chan->state != BT_CONNECTED) {
2712 l2cap_do_send(chan, skb);
2716 case L2CAP_MODE_ERTM:
2717 case L2CAP_MODE_STREAMING:
2718 /* Check outgoing MTU */
2719 if (len > chan->omtu) {
2724 __skb_queue_head_init(&seg_queue);
2726 /* Do segmentation before calling in to the state machine,
2727 * since it's possible to block while waiting for memory
2730 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2732 /* The channel could have been closed while segmenting,
2733 * check that it is still connected.
2735 if (chan->state != BT_CONNECTED) {
2736 __skb_queue_purge(&seg_queue);
2743 if (chan->mode == L2CAP_MODE_ERTM)
2744 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2746 l2cap_streaming_send(chan, &seg_queue);
2750 /* If the skbs were not queued for sending, they'll still be in
2751 * seg_queue and need to be purged.
2753 __skb_queue_purge(&seg_queue);
2757 BT_DBG("bad state %1.1x", chan->mode);
2763 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2765 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2767 struct l2cap_ctrl control;
2770 BT_DBG("chan %p, txseq %u", chan, txseq);
2772 memset(&control, 0, sizeof(control));
2774 control.super = L2CAP_SUPER_SREJ;
2776 for (seq = chan->expected_tx_seq; seq != txseq;
2777 seq = __next_seq(chan, seq)) {
2778 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2779 control.reqseq = seq;
2780 l2cap_send_sframe(chan, &control);
2781 l2cap_seq_list_append(&chan->srej_list, seq);
2785 chan->expected_tx_seq = __next_seq(chan, txseq);
2788 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2790 struct l2cap_ctrl control;
2792 BT_DBG("chan %p", chan);
2794 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2797 memset(&control, 0, sizeof(control));
2799 control.super = L2CAP_SUPER_SREJ;
2800 control.reqseq = chan->srej_list.tail;
2801 l2cap_send_sframe(chan, &control);
2804 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2806 struct l2cap_ctrl control;
2810 BT_DBG("chan %p, txseq %u", chan, txseq);
2812 memset(&control, 0, sizeof(control));
2814 control.super = L2CAP_SUPER_SREJ;
2816 /* Capture initial list head to allow only one pass through the list. */
2817 initial_head = chan->srej_list.head;
2820 seq = l2cap_seq_list_pop(&chan->srej_list);
2821 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2824 control.reqseq = seq;
2825 l2cap_send_sframe(chan, &control);
2826 l2cap_seq_list_append(&chan->srej_list, seq);
2827 } while (chan->srej_list.head != initial_head);
2830 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2832 struct sk_buff *acked_skb;
2835 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2837 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2840 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2841 chan->expected_ack_seq, chan->unacked_frames);
2843 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2844 ackseq = __next_seq(chan, ackseq)) {
2846 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2848 skb_unlink(acked_skb, &chan->tx_q);
2849 kfree_skb(acked_skb);
2850 chan->unacked_frames--;
2854 chan->expected_ack_seq = reqseq;
2856 if (chan->unacked_frames == 0)
2857 __clear_retrans_timer(chan);
2859 BT_DBG("unacked_frames %u", chan->unacked_frames);
2862 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2864 BT_DBG("chan %p", chan);
2866 chan->expected_tx_seq = chan->buffer_seq;
2867 l2cap_seq_list_clear(&chan->srej_list);
2868 skb_queue_purge(&chan->srej_q);
2869 chan->rx_state = L2CAP_RX_STATE_RECV;
2872 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2873 struct l2cap_ctrl *control,
2874 struct sk_buff_head *skbs, u8 event)
2876 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2880 case L2CAP_EV_DATA_REQUEST:
2881 if (chan->tx_send_head == NULL)
2882 chan->tx_send_head = skb_peek(skbs);
2884 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2885 l2cap_ertm_send(chan);
2887 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2888 BT_DBG("Enter LOCAL_BUSY");
2889 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2891 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2892 /* The SREJ_SENT state must be aborted if we are to
2893 * enter the LOCAL_BUSY state.
2895 l2cap_abort_rx_srej_sent(chan);
2898 l2cap_send_ack(chan);
2901 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2902 BT_DBG("Exit LOCAL_BUSY");
2903 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2905 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2906 struct l2cap_ctrl local_control;
2908 memset(&local_control, 0, sizeof(local_control));
2909 local_control.sframe = 1;
2910 local_control.super = L2CAP_SUPER_RR;
2911 local_control.poll = 1;
2912 local_control.reqseq = chan->buffer_seq;
2913 l2cap_send_sframe(chan, &local_control);
2915 chan->retry_count = 1;
2916 __set_monitor_timer(chan);
2917 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2920 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2921 l2cap_process_reqseq(chan, control->reqseq);
2923 case L2CAP_EV_EXPLICIT_POLL:
2924 l2cap_send_rr_or_rnr(chan, 1);
2925 chan->retry_count = 1;
2926 __set_monitor_timer(chan);
2927 __clear_ack_timer(chan);
2928 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2930 case L2CAP_EV_RETRANS_TO:
2931 l2cap_send_rr_or_rnr(chan, 1);
2932 chan->retry_count = 1;
2933 __set_monitor_timer(chan);
2934 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2936 case L2CAP_EV_RECV_FBIT:
2937 /* Nothing to process */
2944 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2945 struct l2cap_ctrl *control,
2946 struct sk_buff_head *skbs, u8 event)
2948 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2952 case L2CAP_EV_DATA_REQUEST:
2953 if (chan->tx_send_head == NULL)
2954 chan->tx_send_head = skb_peek(skbs);
2955 /* Queue data, but don't send. */
2956 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2958 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2959 BT_DBG("Enter LOCAL_BUSY");
2960 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2962 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2963 /* The SREJ_SENT state must be aborted if we are to
2964 * enter the LOCAL_BUSY state.
2966 l2cap_abort_rx_srej_sent(chan);
2969 l2cap_send_ack(chan);
2972 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2973 BT_DBG("Exit LOCAL_BUSY");
2974 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2976 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2977 struct l2cap_ctrl local_control;
2978 memset(&local_control, 0, sizeof(local_control));
2979 local_control.sframe = 1;
2980 local_control.super = L2CAP_SUPER_RR;
2981 local_control.poll = 1;
2982 local_control.reqseq = chan->buffer_seq;
2983 l2cap_send_sframe(chan, &local_control);
2985 chan->retry_count = 1;
2986 __set_monitor_timer(chan);
2987 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2990 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2991 l2cap_process_reqseq(chan, control->reqseq);
2994 case L2CAP_EV_RECV_FBIT:
2995 if (control && control->final) {
2996 __clear_monitor_timer(chan);
2997 if (chan->unacked_frames > 0)
2998 __set_retrans_timer(chan);
2999 chan->retry_count = 0;
3000 chan->tx_state = L2CAP_TX_STATE_XMIT;
3001 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
3004 case L2CAP_EV_EXPLICIT_POLL:
3007 case L2CAP_EV_MONITOR_TO:
3008 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3009 l2cap_send_rr_or_rnr(chan, 1);
3010 __set_monitor_timer(chan);
3011 chan->retry_count++;
3013 l2cap_send_disconn_req(chan, ECONNABORTED);
3021 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3022 struct sk_buff_head *skbs, u8 event)
3024 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3025 chan, control, skbs, event, chan->tx_state);
3027 switch (chan->tx_state) {
3028 case L2CAP_TX_STATE_XMIT:
3029 l2cap_tx_state_xmit(chan, control, skbs, event);
3031 case L2CAP_TX_STATE_WAIT_F:
3032 l2cap_tx_state_wait_f(chan, control, skbs, event);
3040 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3041 struct l2cap_ctrl *control)
3043 BT_DBG("chan %p, control %p", chan, control);
3044 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3047 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3048 struct l2cap_ctrl *control)
3050 BT_DBG("chan %p, control %p", chan, control);
3051 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3054 /* Copy frame to all raw sockets on that connection */
3055 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3057 struct sk_buff *nskb;
3058 struct l2cap_chan *chan;
3060 BT_DBG("conn %p", conn);
3062 mutex_lock(&conn->chan_lock);
3064 list_for_each_entry(chan, &conn->chan_l, list) {
3065 if (chan->chan_type != L2CAP_CHAN_RAW)
3068 /* Don't send frame to the channel it came from */
3069 if (bt_cb(skb)->l2cap.chan == chan)
3072 nskb = skb_clone(skb, GFP_KERNEL);
3075 if (chan->ops->recv(chan, nskb))
3079 mutex_unlock(&conn->chan_lock);
3082 /* ---- L2CAP signalling commands ---- */
3083 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3084 u8 ident, u16 dlen, void *data)
3086 struct sk_buff *skb, **frag;
3087 struct l2cap_cmd_hdr *cmd;
3088 struct l2cap_hdr *lh;
3091 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3092 conn, code, ident, dlen);
3094 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3097 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3098 count = min_t(unsigned int, conn->mtu, len);
3100 skb = bt_skb_alloc(count, GFP_KERNEL);
3104 lh = skb_put(skb, L2CAP_HDR_SIZE);
3105 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3107 if (conn->hcon->type == LE_LINK)
3108 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3110 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
3112 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
3115 cmd->len = cpu_to_le16(dlen);
3118 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3119 skb_put_data(skb, data, count);
3125 /* Continuation fragments (no L2CAP header) */
3126 frag = &skb_shinfo(skb)->frag_list;
3128 count = min_t(unsigned int, conn->mtu, len);
3130 *frag = bt_skb_alloc(count, GFP_KERNEL);
3134 skb_put_data(*frag, data, count);
3139 frag = &(*frag)->next;
3149 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3152 struct l2cap_conf_opt *opt = *ptr;
3155 len = L2CAP_CONF_OPT_SIZE + opt->len;
3163 *val = *((u8 *) opt->val);
3167 *val = get_unaligned_le16(opt->val);
3171 *val = get_unaligned_le32(opt->val);
3175 *val = (unsigned long) opt->val;
3179 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3183 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3185 struct l2cap_conf_opt *opt = *ptr;
3187 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3189 if (size < L2CAP_CONF_OPT_SIZE + len)
3197 *((u8 *) opt->val) = val;
3201 put_unaligned_le16(val, opt->val);
3205 put_unaligned_le32(val, opt->val);
3209 memcpy(opt->val, (void *) val, len);
3213 *ptr += L2CAP_CONF_OPT_SIZE + len;
3216 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3218 struct l2cap_conf_efs efs;
3220 switch (chan->mode) {
3221 case L2CAP_MODE_ERTM:
3222 efs.id = chan->local_id;
3223 efs.stype = chan->local_stype;
3224 efs.msdu = cpu_to_le16(chan->local_msdu);
3225 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3226 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3227 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3230 case L2CAP_MODE_STREAMING:
3232 efs.stype = L2CAP_SERV_BESTEFFORT;
3233 efs.msdu = cpu_to_le16(chan->local_msdu);
3234 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3243 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3244 (unsigned long) &efs, size);
3247 static void l2cap_ack_timeout(struct work_struct *work)
3249 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3253 BT_DBG("chan %p", chan);
3255 l2cap_chan_lock(chan);
3257 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3258 chan->last_acked_seq);
3261 l2cap_send_rr_or_rnr(chan, 0);
3263 l2cap_chan_unlock(chan);
3264 l2cap_chan_put(chan);
3267 int l2cap_ertm_init(struct l2cap_chan *chan)
3271 chan->next_tx_seq = 0;
3272 chan->expected_tx_seq = 0;
3273 chan->expected_ack_seq = 0;
3274 chan->unacked_frames = 0;
3275 chan->buffer_seq = 0;
3276 chan->frames_sent = 0;
3277 chan->last_acked_seq = 0;
3279 chan->sdu_last_frag = NULL;
3282 skb_queue_head_init(&chan->tx_q);
3284 chan->local_amp_id = AMP_ID_BREDR;
3285 chan->move_id = AMP_ID_BREDR;
3286 chan->move_state = L2CAP_MOVE_STABLE;
3287 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3289 if (chan->mode != L2CAP_MODE_ERTM)
3292 chan->rx_state = L2CAP_RX_STATE_RECV;
3293 chan->tx_state = L2CAP_TX_STATE_XMIT;
3295 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3296 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3297 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3299 skb_queue_head_init(&chan->srej_q);
3301 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3305 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3307 l2cap_seq_list_free(&chan->srej_list);
3312 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3315 case L2CAP_MODE_STREAMING:
3316 case L2CAP_MODE_ERTM:
3317 if (l2cap_mode_supported(mode, remote_feat_mask))
3321 return L2CAP_MODE_BASIC;
3325 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3327 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3328 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3331 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3333 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3334 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3337 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3338 struct l2cap_conf_rfc *rfc)
3340 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3341 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3343 /* Class 1 devices have must have ERTM timeouts
3344 * exceeding the Link Supervision Timeout. The
3345 * default Link Supervision Timeout for AMP
3346 * controllers is 10 seconds.
3348 * Class 1 devices use 0xffffffff for their
3349 * best-effort flush timeout, so the clamping logic
3350 * will result in a timeout that meets the above
3351 * requirement. ERTM timeouts are 16-bit values, so
3352 * the maximum timeout is 65.535 seconds.
3355 /* Convert timeout to milliseconds and round */
3356 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3358 /* This is the recommended formula for class 2 devices
3359 * that start ERTM timers when packets are sent to the
3362 ertm_to = 3 * ertm_to + 500;
3364 if (ertm_to > 0xffff)
3367 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3368 rfc->monitor_timeout = rfc->retrans_timeout;
3370 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3371 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3375 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3377 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3378 __l2cap_ews_supported(chan->conn)) {
3379 /* use extended control field */
3380 set_bit(FLAG_EXT_CTRL, &chan->flags);
3381 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3383 chan->tx_win = min_t(u16, chan->tx_win,
3384 L2CAP_DEFAULT_TX_WINDOW);
3385 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3387 chan->ack_win = chan->tx_win;
3390 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3392 struct hci_conn *conn = chan->conn->hcon;
3394 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3396 /* The 2-DH1 packet has between 2 and 56 information bytes
3397 * (including the 2-byte payload header)
3399 if (!(conn->pkt_type & HCI_2DH1))
3402 /* The 3-DH1 packet has between 2 and 85 information bytes
3403 * (including the 2-byte payload header)
3405 if (!(conn->pkt_type & HCI_3DH1))
3408 /* The 2-DH3 packet has between 2 and 369 information bytes
3409 * (including the 2-byte payload header)
3411 if (!(conn->pkt_type & HCI_2DH3))
3414 /* The 3-DH3 packet has between 2 and 554 information bytes
3415 * (including the 2-byte payload header)
3417 if (!(conn->pkt_type & HCI_3DH3))
3420 /* The 2-DH5 packet has between 2 and 681 information bytes
3421 * (including the 2-byte payload header)
3423 if (!(conn->pkt_type & HCI_2DH5))
3426 /* The 3-DH5 packet has between 2 and 1023 information bytes
3427 * (including the 2-byte payload header)
3429 if (!(conn->pkt_type & HCI_3DH5))
3433 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3435 struct l2cap_conf_req *req = data;
3436 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3437 void *ptr = req->data;
3438 void *endptr = data + data_size;
3441 BT_DBG("chan %p", chan);
3443 if (chan->num_conf_req || chan->num_conf_rsp)
3446 switch (chan->mode) {
3447 case L2CAP_MODE_STREAMING:
3448 case L2CAP_MODE_ERTM:
3449 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3452 if (__l2cap_efs_supported(chan->conn))
3453 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3457 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3462 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3464 l2cap_mtu_auto(chan);
3465 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3469 switch (chan->mode) {
3470 case L2CAP_MODE_BASIC:
3474 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3475 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3478 rfc.mode = L2CAP_MODE_BASIC;
3480 rfc.max_transmit = 0;
3481 rfc.retrans_timeout = 0;
3482 rfc.monitor_timeout = 0;
3483 rfc.max_pdu_size = 0;
3485 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3486 (unsigned long) &rfc, endptr - ptr);
3489 case L2CAP_MODE_ERTM:
3490 rfc.mode = L2CAP_MODE_ERTM;
3491 rfc.max_transmit = chan->max_tx;
3493 __l2cap_set_ertm_timeouts(chan, &rfc);
3495 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3496 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3498 rfc.max_pdu_size = cpu_to_le16(size);
3500 l2cap_txwin_setup(chan);
3502 rfc.txwin_size = min_t(u16, chan->tx_win,
3503 L2CAP_DEFAULT_TX_WINDOW);
3505 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3506 (unsigned long) &rfc, endptr - ptr);
3508 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3509 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3511 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3512 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3513 chan->tx_win, endptr - ptr);
3515 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3516 if (chan->fcs == L2CAP_FCS_NONE ||
3517 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3518 chan->fcs = L2CAP_FCS_NONE;
3519 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3520 chan->fcs, endptr - ptr);
3524 case L2CAP_MODE_STREAMING:
3525 l2cap_txwin_setup(chan);
3526 rfc.mode = L2CAP_MODE_STREAMING;
3528 rfc.max_transmit = 0;
3529 rfc.retrans_timeout = 0;
3530 rfc.monitor_timeout = 0;
3532 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3533 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3535 rfc.max_pdu_size = cpu_to_le16(size);
3537 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3538 (unsigned long) &rfc, endptr - ptr);
3540 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3541 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3543 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3544 if (chan->fcs == L2CAP_FCS_NONE ||
3545 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3546 chan->fcs = L2CAP_FCS_NONE;
3547 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3548 chan->fcs, endptr - ptr);
3553 req->dcid = cpu_to_le16(chan->dcid);
3554 req->flags = cpu_to_le16(0);
3559 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3561 struct l2cap_conf_rsp *rsp = data;
3562 void *ptr = rsp->data;
3563 void *endptr = data + data_size;
3564 void *req = chan->conf_req;
3565 int len = chan->conf_len;
3566 int type, hint, olen;
3568 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3569 struct l2cap_conf_efs efs;
3571 u16 mtu = L2CAP_DEFAULT_MTU;
3572 u16 result = L2CAP_CONF_SUCCESS;
3575 BT_DBG("chan %p", chan);
3577 while (len >= L2CAP_CONF_OPT_SIZE) {
3578 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3582 hint = type & L2CAP_CONF_HINT;
3583 type &= L2CAP_CONF_MASK;
3586 case L2CAP_CONF_MTU:
3592 case L2CAP_CONF_FLUSH_TO:
3595 chan->flush_to = val;
3598 case L2CAP_CONF_QOS:
3601 case L2CAP_CONF_RFC:
3602 if (olen != sizeof(rfc))
3604 memcpy(&rfc, (void *) val, olen);
3607 case L2CAP_CONF_FCS:
3610 if (val == L2CAP_FCS_NONE)
3611 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3614 case L2CAP_CONF_EFS:
3615 if (olen != sizeof(efs))
3618 memcpy(&efs, (void *) val, olen);
3621 case L2CAP_CONF_EWS:
3624 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3625 return -ECONNREFUSED;
3626 set_bit(FLAG_EXT_CTRL, &chan->flags);
3627 set_bit(CONF_EWS_RECV, &chan->conf_state);
3628 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3629 chan->remote_tx_win = val;
3635 result = L2CAP_CONF_UNKNOWN;
3636 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr);
3641 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3644 switch (chan->mode) {
3645 case L2CAP_MODE_STREAMING:
3646 case L2CAP_MODE_ERTM:
3647 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3648 chan->mode = l2cap_select_mode(rfc.mode,
3649 chan->conn->feat_mask);
3654 if (__l2cap_efs_supported(chan->conn))
3655 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3657 return -ECONNREFUSED;
3660 if (chan->mode != rfc.mode)
3661 return -ECONNREFUSED;
3667 if (chan->mode != rfc.mode) {
3668 result = L2CAP_CONF_UNACCEPT;
3669 rfc.mode = chan->mode;
3671 if (chan->num_conf_rsp == 1)
3672 return -ECONNREFUSED;
3674 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3675 (unsigned long) &rfc, endptr - ptr);
3678 if (result == L2CAP_CONF_SUCCESS) {
3679 /* Configure output options and let the other side know
3680 * which ones we don't like. */
3682 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3683 result = L2CAP_CONF_UNACCEPT;
3686 set_bit(CONF_MTU_DONE, &chan->conf_state);
3688 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3691 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3692 efs.stype != L2CAP_SERV_NOTRAFIC &&
3693 efs.stype != chan->local_stype) {
3695 result = L2CAP_CONF_UNACCEPT;
3697 if (chan->num_conf_req >= 1)
3698 return -ECONNREFUSED;
3700 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3702 (unsigned long) &efs, endptr - ptr);
3704 /* Send PENDING Conf Rsp */
3705 result = L2CAP_CONF_PENDING;
3706 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3711 case L2CAP_MODE_BASIC:
3712 chan->fcs = L2CAP_FCS_NONE;
3713 set_bit(CONF_MODE_DONE, &chan->conf_state);
3716 case L2CAP_MODE_ERTM:
3717 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3718 chan->remote_tx_win = rfc.txwin_size;
3720 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3722 chan->remote_max_tx = rfc.max_transmit;
3724 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3725 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3726 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3727 rfc.max_pdu_size = cpu_to_le16(size);
3728 chan->remote_mps = size;
3730 __l2cap_set_ertm_timeouts(chan, &rfc);
3732 set_bit(CONF_MODE_DONE, &chan->conf_state);
3734 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3735 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3737 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3738 chan->remote_id = efs.id;
3739 chan->remote_stype = efs.stype;
3740 chan->remote_msdu = le16_to_cpu(efs.msdu);
3741 chan->remote_flush_to =
3742 le32_to_cpu(efs.flush_to);
3743 chan->remote_acc_lat =
3744 le32_to_cpu(efs.acc_lat);
3745 chan->remote_sdu_itime =
3746 le32_to_cpu(efs.sdu_itime);
3747 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3749 (unsigned long) &efs, endptr - ptr);
3753 case L2CAP_MODE_STREAMING:
3754 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3755 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3756 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3757 rfc.max_pdu_size = cpu_to_le16(size);
3758 chan->remote_mps = size;
3760 set_bit(CONF_MODE_DONE, &chan->conf_state);
3762 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3763 (unsigned long) &rfc, endptr - ptr);
3768 result = L2CAP_CONF_UNACCEPT;
3770 memset(&rfc, 0, sizeof(rfc));
3771 rfc.mode = chan->mode;
3774 if (result == L2CAP_CONF_SUCCESS)
3775 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3777 rsp->scid = cpu_to_le16(chan->dcid);
3778 rsp->result = cpu_to_le16(result);
3779 rsp->flags = cpu_to_le16(0);
3784 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3785 void *data, size_t size, u16 *result)
3787 struct l2cap_conf_req *req = data;
3788 void *ptr = req->data;
3789 void *endptr = data + size;
3792 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3793 struct l2cap_conf_efs efs;
3795 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3797 while (len >= L2CAP_CONF_OPT_SIZE) {
3798 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3803 case L2CAP_CONF_MTU:
3806 if (val < L2CAP_DEFAULT_MIN_MTU) {
3807 *result = L2CAP_CONF_UNACCEPT;
3808 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3811 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3815 case L2CAP_CONF_FLUSH_TO:
3818 chan->flush_to = val;
3819 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3820 chan->flush_to, endptr - ptr);
3823 case L2CAP_CONF_RFC:
3824 if (olen != sizeof(rfc))
3826 memcpy(&rfc, (void *)val, olen);
3827 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3828 rfc.mode != chan->mode)
3829 return -ECONNREFUSED;
3831 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3832 (unsigned long) &rfc, endptr - ptr);
3835 case L2CAP_CONF_EWS:
3838 chan->ack_win = min_t(u16, val, chan->ack_win);
3839 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3840 chan->tx_win, endptr - ptr);
3843 case L2CAP_CONF_EFS:
3844 if (olen != sizeof(efs))
3846 memcpy(&efs, (void *)val, olen);
3847 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3848 efs.stype != L2CAP_SERV_NOTRAFIC &&
3849 efs.stype != chan->local_stype)
3850 return -ECONNREFUSED;
3851 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3852 (unsigned long) &efs, endptr - ptr);
3855 case L2CAP_CONF_FCS:
3858 if (*result == L2CAP_CONF_PENDING)
3859 if (val == L2CAP_FCS_NONE)
3860 set_bit(CONF_RECV_NO_FCS,
3866 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3867 return -ECONNREFUSED;
3869 chan->mode = rfc.mode;
3871 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3873 case L2CAP_MODE_ERTM:
3874 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3875 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3876 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3877 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3878 chan->ack_win = min_t(u16, chan->ack_win,
3881 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3882 chan->local_msdu = le16_to_cpu(efs.msdu);
3883 chan->local_sdu_itime =
3884 le32_to_cpu(efs.sdu_itime);
3885 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3886 chan->local_flush_to =
3887 le32_to_cpu(efs.flush_to);
3891 case L2CAP_MODE_STREAMING:
3892 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3896 req->dcid = cpu_to_le16(chan->dcid);
3897 req->flags = cpu_to_le16(0);
3902 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3903 u16 result, u16 flags)
3905 struct l2cap_conf_rsp *rsp = data;
3906 void *ptr = rsp->data;
3908 BT_DBG("chan %p", chan);
3910 rsp->scid = cpu_to_le16(chan->dcid);
3911 rsp->result = cpu_to_le16(result);
3912 rsp->flags = cpu_to_le16(flags);
3917 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3919 struct l2cap_le_conn_rsp rsp;
3920 struct l2cap_conn *conn = chan->conn;
3922 BT_DBG("chan %p", chan);
3924 rsp.dcid = cpu_to_le16(chan->scid);
3925 rsp.mtu = cpu_to_le16(chan->imtu);
3926 rsp.mps = cpu_to_le16(chan->mps);
3927 rsp.credits = cpu_to_le16(chan->rx_credits);
3928 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3930 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3934 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3937 struct l2cap_ecred_conn_rsp rsp;
3940 struct l2cap_conn *conn = chan->conn;
3941 u16 ident = chan->ident;
3947 BT_DBG("chan %p ident %d", chan, ident);
3949 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3950 pdu.rsp.mps = cpu_to_le16(chan->mps);
3951 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3952 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3954 mutex_lock(&conn->chan_lock);
3956 list_for_each_entry(chan, &conn->chan_l, list) {
3957 if (chan->ident != ident)
3960 /* Reset ident so only one response is sent */
3963 /* Include all channels pending with the same ident */
3964 pdu.dcid[i++] = cpu_to_le16(chan->scid);
3967 mutex_unlock(&conn->chan_lock);
3969 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3970 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3973 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3975 struct l2cap_conn_rsp rsp;
3976 struct l2cap_conn *conn = chan->conn;
3980 rsp.scid = cpu_to_le16(chan->dcid);
3981 rsp.dcid = cpu_to_le16(chan->scid);
3982 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3983 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3986 rsp_code = L2CAP_CREATE_CHAN_RSP;
3988 rsp_code = L2CAP_CONN_RSP;
3990 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3992 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3994 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3997 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3998 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3999 chan->num_conf_req++;
4002 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
4006 /* Use sane default values in case a misbehaving remote device
4007 * did not send an RFC or extended window size option.
4009 u16 txwin_ext = chan->ack_win;
4010 struct l2cap_conf_rfc rfc = {
4012 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
4013 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
4014 .max_pdu_size = cpu_to_le16(chan->imtu),
4015 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
4018 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
4020 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
4023 while (len >= L2CAP_CONF_OPT_SIZE) {
4024 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
4029 case L2CAP_CONF_RFC:
4030 if (olen != sizeof(rfc))
4032 memcpy(&rfc, (void *)val, olen);
4034 case L2CAP_CONF_EWS:
4043 case L2CAP_MODE_ERTM:
4044 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
4045 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
4046 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4047 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4048 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
4050 chan->ack_win = min_t(u16, chan->ack_win,
4053 case L2CAP_MODE_STREAMING:
4054 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4058 static inline int l2cap_command_rej(struct l2cap_conn *conn,
4059 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4062 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4064 if (cmd_len < sizeof(*rej))
4067 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4070 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
4071 cmd->ident == conn->info_ident) {
4072 cancel_delayed_work(&conn->info_timer);
4074 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4075 conn->info_ident = 0;
4077 l2cap_conn_start(conn);
4083 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
4084 struct l2cap_cmd_hdr *cmd,
4085 u8 *data, u8 rsp_code, u8 amp_id)
4087 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
4088 struct l2cap_conn_rsp rsp;
4089 struct l2cap_chan *chan = NULL, *pchan;
4090 int result, status = L2CAP_CS_NO_INFO;
4092 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
4093 __le16 psm = req->psm;
4095 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
4097 /* Check if we have socket listening on psm */
4098 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4099 &conn->hcon->dst, ACL_LINK);
4101 result = L2CAP_CR_BAD_PSM;
4105 mutex_lock(&conn->chan_lock);
4106 l2cap_chan_lock(pchan);
4108 /* Check if the ACL is secure enough (if not SDP) */
4109 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
4110 !hci_conn_check_link_mode(conn->hcon)) {
4111 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
4112 result = L2CAP_CR_SEC_BLOCK;
4116 result = L2CAP_CR_NO_MEM;
4118 /* Check for valid dynamic CID range (as per Erratum 3253) */
4119 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4120 result = L2CAP_CR_INVALID_SCID;
4124 /* Check if we already have channel with that dcid */
4125 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4126 result = L2CAP_CR_SCID_IN_USE;
4130 chan = pchan->ops->new_connection(pchan);
4134 /* For certain devices (ex: HID mouse), support for authentication,
4135 * pairing and bonding is optional. For such devices, inorder to avoid
4136 * the ACL alive for too long after L2CAP disconnection, reset the ACL
4137 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
4139 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4141 bacpy(&chan->src, &conn->hcon->src);
4142 bacpy(&chan->dst, &conn->hcon->dst);
4143 chan->src_type = bdaddr_src_type(conn->hcon);
4144 chan->dst_type = bdaddr_dst_type(conn->hcon);
4147 chan->local_amp_id = amp_id;
4149 __l2cap_chan_add(conn, chan);
4153 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4155 chan->ident = cmd->ident;
4157 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4158 if (l2cap_chan_check_security(chan, false)) {
4159 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4160 l2cap_state_change(chan, BT_CONNECT2);
4161 result = L2CAP_CR_PEND;
4162 status = L2CAP_CS_AUTHOR_PEND;
4163 chan->ops->defer(chan);
4165 /* Force pending result for AMP controllers.
4166 * The connection will succeed after the
4167 * physical link is up.
4169 if (amp_id == AMP_ID_BREDR) {
4170 l2cap_state_change(chan, BT_CONFIG);
4171 result = L2CAP_CR_SUCCESS;
4173 l2cap_state_change(chan, BT_CONNECT2);
4174 result = L2CAP_CR_PEND;
4176 status = L2CAP_CS_NO_INFO;
4179 l2cap_state_change(chan, BT_CONNECT2);
4180 result = L2CAP_CR_PEND;
4181 status = L2CAP_CS_AUTHEN_PEND;
4184 l2cap_state_change(chan, BT_CONNECT2);
4185 result = L2CAP_CR_PEND;
4186 status = L2CAP_CS_NO_INFO;
4190 l2cap_chan_unlock(pchan);
4191 mutex_unlock(&conn->chan_lock);
4192 l2cap_chan_put(pchan);
4195 rsp.scid = cpu_to_le16(scid);
4196 rsp.dcid = cpu_to_le16(dcid);
4197 rsp.result = cpu_to_le16(result);
4198 rsp.status = cpu_to_le16(status);
4199 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4201 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4202 struct l2cap_info_req info;
4203 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4205 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4206 conn->info_ident = l2cap_get_ident(conn);
4208 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4210 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4211 sizeof(info), &info);
4214 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4215 result == L2CAP_CR_SUCCESS) {
4217 set_bit(CONF_REQ_SENT, &chan->conf_state);
4218 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4219 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4220 chan->num_conf_req++;
4226 static int l2cap_connect_req(struct l2cap_conn *conn,
4227 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4229 struct hci_dev *hdev = conn->hcon->hdev;
4230 struct hci_conn *hcon = conn->hcon;
4232 if (cmd_len < sizeof(struct l2cap_conn_req))
4236 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4237 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4238 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
4239 hci_dev_unlock(hdev);
4241 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4245 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4246 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4249 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4250 u16 scid, dcid, result, status;
4251 struct l2cap_chan *chan;
4255 if (cmd_len < sizeof(*rsp))
4258 scid = __le16_to_cpu(rsp->scid);
4259 dcid = __le16_to_cpu(rsp->dcid);
4260 result = __le16_to_cpu(rsp->result);
4261 status = __le16_to_cpu(rsp->status);
4263 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4264 dcid, scid, result, status);
4266 mutex_lock(&conn->chan_lock);
4269 chan = __l2cap_get_chan_by_scid(conn, scid);
4275 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4284 l2cap_chan_lock(chan);
4287 case L2CAP_CR_SUCCESS:
4288 l2cap_state_change(chan, BT_CONFIG);
4291 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4293 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4296 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4297 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4298 chan->num_conf_req++;
4302 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4306 l2cap_chan_del(chan, ECONNREFUSED);
4310 l2cap_chan_unlock(chan);
4313 mutex_unlock(&conn->chan_lock);
4318 static inline void set_default_fcs(struct l2cap_chan *chan)
4320 /* FCS is enabled only in ERTM or streaming mode, if one or both
4323 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4324 chan->fcs = L2CAP_FCS_NONE;
4325 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4326 chan->fcs = L2CAP_FCS_CRC16;
4329 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4330 u8 ident, u16 flags)
4332 struct l2cap_conn *conn = chan->conn;
4334 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4337 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4338 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4340 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4341 l2cap_build_conf_rsp(chan, data,
4342 L2CAP_CONF_SUCCESS, flags), data);
4345 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4348 struct l2cap_cmd_rej_cid rej;
4350 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4351 rej.scid = __cpu_to_le16(scid);
4352 rej.dcid = __cpu_to_le16(dcid);
4354 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4357 static inline int l2cap_config_req(struct l2cap_conn *conn,
4358 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4361 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4364 struct l2cap_chan *chan;
4367 if (cmd_len < sizeof(*req))
4370 dcid = __le16_to_cpu(req->dcid);
4371 flags = __le16_to_cpu(req->flags);
4373 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4375 chan = l2cap_get_chan_by_scid(conn, dcid);
4377 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4381 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4382 chan->state != BT_CONNECTED) {
4383 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4388 /* Reject if config buffer is too small. */
4389 len = cmd_len - sizeof(*req);
4390 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4391 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4392 l2cap_build_conf_rsp(chan, rsp,
4393 L2CAP_CONF_REJECT, flags), rsp);
4398 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4399 chan->conf_len += len;
4401 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4402 /* Incomplete config. Send empty response. */
4403 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4404 l2cap_build_conf_rsp(chan, rsp,
4405 L2CAP_CONF_SUCCESS, flags), rsp);
4409 /* Complete config. */
4410 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4412 l2cap_send_disconn_req(chan, ECONNRESET);
4416 chan->ident = cmd->ident;
4417 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4418 chan->num_conf_rsp++;
4420 /* Reset config buffer. */
4423 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4426 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4427 set_default_fcs(chan);
4429 if (chan->mode == L2CAP_MODE_ERTM ||
4430 chan->mode == L2CAP_MODE_STREAMING)
4431 err = l2cap_ertm_init(chan);
4434 l2cap_send_disconn_req(chan, -err);
4436 l2cap_chan_ready(chan);
4441 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4443 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4444 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4445 chan->num_conf_req++;
4448 /* Got Conf Rsp PENDING from remote side and assume we sent
4449 Conf Rsp PENDING in the code above */
4450 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4451 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4453 /* check compatibility */
4455 /* Send rsp for BR/EDR channel */
4457 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4459 chan->ident = cmd->ident;
4463 l2cap_chan_unlock(chan);
4467 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4468 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4471 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4472 u16 scid, flags, result;
4473 struct l2cap_chan *chan;
4474 int len = cmd_len - sizeof(*rsp);
4477 if (cmd_len < sizeof(*rsp))
4480 scid = __le16_to_cpu(rsp->scid);
4481 flags = __le16_to_cpu(rsp->flags);
4482 result = __le16_to_cpu(rsp->result);
4484 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4487 chan = l2cap_get_chan_by_scid(conn, scid);
4492 case L2CAP_CONF_SUCCESS:
4493 l2cap_conf_rfc_get(chan, rsp->data, len);
4494 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4497 case L2CAP_CONF_PENDING:
4498 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4500 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4503 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4504 buf, sizeof(buf), &result);
4506 l2cap_send_disconn_req(chan, ECONNRESET);
4510 if (!chan->hs_hcon) {
4511 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4514 if (l2cap_check_efs(chan)) {
4515 amp_create_logical_link(chan);
4516 chan->ident = cmd->ident;
4522 case L2CAP_CONF_UNACCEPT:
4523 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4526 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4527 l2cap_send_disconn_req(chan, ECONNRESET);
4531 /* throw out any old stored conf requests */
4532 result = L2CAP_CONF_SUCCESS;
4533 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4534 req, sizeof(req), &result);
4536 l2cap_send_disconn_req(chan, ECONNRESET);
4540 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4541 L2CAP_CONF_REQ, len, req);
4542 chan->num_conf_req++;
4543 if (result != L2CAP_CONF_SUCCESS)
4550 l2cap_chan_set_err(chan, ECONNRESET);
4552 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4553 l2cap_send_disconn_req(chan, ECONNRESET);
4557 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4560 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4562 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4563 set_default_fcs(chan);
4565 if (chan->mode == L2CAP_MODE_ERTM ||
4566 chan->mode == L2CAP_MODE_STREAMING)
4567 err = l2cap_ertm_init(chan);
4570 l2cap_send_disconn_req(chan, -err);
4572 l2cap_chan_ready(chan);
4576 l2cap_chan_unlock(chan);
4580 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4581 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4584 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4585 struct l2cap_disconn_rsp rsp;
4587 struct l2cap_chan *chan;
4589 if (cmd_len != sizeof(*req))
4592 scid = __le16_to_cpu(req->scid);
4593 dcid = __le16_to_cpu(req->dcid);
4595 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4597 mutex_lock(&conn->chan_lock);
4599 chan = __l2cap_get_chan_by_scid(conn, dcid);
4601 mutex_unlock(&conn->chan_lock);
4602 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4606 l2cap_chan_hold(chan);
4607 l2cap_chan_lock(chan);
4609 rsp.dcid = cpu_to_le16(chan->scid);
4610 rsp.scid = cpu_to_le16(chan->dcid);
4611 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4613 chan->ops->set_shutdown(chan);
4615 l2cap_chan_del(chan, ECONNRESET);
4617 chan->ops->close(chan);
4619 l2cap_chan_unlock(chan);
4620 l2cap_chan_put(chan);
4622 mutex_unlock(&conn->chan_lock);
4627 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4628 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4631 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4633 struct l2cap_chan *chan;
4635 if (cmd_len != sizeof(*rsp))
4638 scid = __le16_to_cpu(rsp->scid);
4639 dcid = __le16_to_cpu(rsp->dcid);
4641 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4643 mutex_lock(&conn->chan_lock);
4645 chan = __l2cap_get_chan_by_scid(conn, scid);
4647 mutex_unlock(&conn->chan_lock);
4651 l2cap_chan_hold(chan);
4652 l2cap_chan_lock(chan);
4654 if (chan->state != BT_DISCONN) {
4655 l2cap_chan_unlock(chan);
4656 l2cap_chan_put(chan);
4657 mutex_unlock(&conn->chan_lock);
4661 l2cap_chan_del(chan, 0);
4663 chan->ops->close(chan);
4665 l2cap_chan_unlock(chan);
4666 l2cap_chan_put(chan);
4668 mutex_unlock(&conn->chan_lock);
4673 static inline int l2cap_information_req(struct l2cap_conn *conn,
4674 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4677 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4680 if (cmd_len != sizeof(*req))
4683 type = __le16_to_cpu(req->type);
4685 BT_DBG("type 0x%4.4x", type);
4687 if (type == L2CAP_IT_FEAT_MASK) {
4689 u32 feat_mask = l2cap_feat_mask;
4690 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4691 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4692 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4694 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4696 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4697 feat_mask |= L2CAP_FEAT_EXT_FLOW
4698 | L2CAP_FEAT_EXT_WINDOW;
4700 put_unaligned_le32(feat_mask, rsp->data);
4701 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4703 } else if (type == L2CAP_IT_FIXED_CHAN) {
4705 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4707 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4708 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4709 rsp->data[0] = conn->local_fixed_chan;
4710 memset(rsp->data + 1, 0, 7);
4711 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4714 struct l2cap_info_rsp rsp;
4715 rsp.type = cpu_to_le16(type);
4716 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4717 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4724 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4725 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4728 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4731 if (cmd_len < sizeof(*rsp))
4734 type = __le16_to_cpu(rsp->type);
4735 result = __le16_to_cpu(rsp->result);
4737 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4739 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4740 if (cmd->ident != conn->info_ident ||
4741 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4744 cancel_delayed_work(&conn->info_timer);
4746 if (result != L2CAP_IR_SUCCESS) {
4747 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4748 conn->info_ident = 0;
4750 l2cap_conn_start(conn);
4756 case L2CAP_IT_FEAT_MASK:
4757 conn->feat_mask = get_unaligned_le32(rsp->data);
4759 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4760 struct l2cap_info_req req;
4761 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4763 conn->info_ident = l2cap_get_ident(conn);
4765 l2cap_send_cmd(conn, conn->info_ident,
4766 L2CAP_INFO_REQ, sizeof(req), &req);
4768 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4769 conn->info_ident = 0;
4771 l2cap_conn_start(conn);
4775 case L2CAP_IT_FIXED_CHAN:
4776 conn->remote_fixed_chan = rsp->data[0];
4777 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4778 conn->info_ident = 0;
4780 l2cap_conn_start(conn);
4787 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4788 struct l2cap_cmd_hdr *cmd,
4789 u16 cmd_len, void *data)
4791 struct l2cap_create_chan_req *req = data;
4792 struct l2cap_create_chan_rsp rsp;
4793 struct l2cap_chan *chan;
4794 struct hci_dev *hdev;
4797 if (cmd_len != sizeof(*req))
4800 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4803 psm = le16_to_cpu(req->psm);
4804 scid = le16_to_cpu(req->scid);
4806 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4808 /* For controller id 0 make BR/EDR connection */
4809 if (req->amp_id == AMP_ID_BREDR) {
4810 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4815 /* Validate AMP controller id */
4816 hdev = hci_dev_get(req->amp_id);
4820 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4825 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4828 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4829 struct hci_conn *hs_hcon;
4831 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4835 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4840 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4842 mgr->bredr_chan = chan;
4843 chan->hs_hcon = hs_hcon;
4844 chan->fcs = L2CAP_FCS_NONE;
4845 conn->mtu = hdev->block_mtu;
4854 rsp.scid = cpu_to_le16(scid);
4855 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4856 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4858 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4864 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4866 struct l2cap_move_chan_req req;
4869 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4871 ident = l2cap_get_ident(chan->conn);
4872 chan->ident = ident;
4874 req.icid = cpu_to_le16(chan->scid);
4875 req.dest_amp_id = dest_amp_id;
4877 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4880 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4883 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4885 struct l2cap_move_chan_rsp rsp;
4887 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4889 rsp.icid = cpu_to_le16(chan->dcid);
4890 rsp.result = cpu_to_le16(result);
4892 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4896 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4898 struct l2cap_move_chan_cfm cfm;
4900 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4902 chan->ident = l2cap_get_ident(chan->conn);
4904 cfm.icid = cpu_to_le16(chan->scid);
4905 cfm.result = cpu_to_le16(result);
4907 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4910 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4913 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4915 struct l2cap_move_chan_cfm cfm;
4917 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4919 cfm.icid = cpu_to_le16(icid);
4920 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4922 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4926 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4929 struct l2cap_move_chan_cfm_rsp rsp;
4931 BT_DBG("icid 0x%4.4x", icid);
4933 rsp.icid = cpu_to_le16(icid);
4934 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4937 static void __release_logical_link(struct l2cap_chan *chan)
4939 chan->hs_hchan = NULL;
4940 chan->hs_hcon = NULL;
4942 /* Placeholder - release the logical link */
4945 static void l2cap_logical_fail(struct l2cap_chan *chan)
4947 /* Logical link setup failed */
4948 if (chan->state != BT_CONNECTED) {
4949 /* Create channel failure, disconnect */
4950 l2cap_send_disconn_req(chan, ECONNRESET);
4954 switch (chan->move_role) {
4955 case L2CAP_MOVE_ROLE_RESPONDER:
4956 l2cap_move_done(chan);
4957 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4959 case L2CAP_MOVE_ROLE_INITIATOR:
4960 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4961 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4962 /* Remote has only sent pending or
4963 * success responses, clean up
4965 l2cap_move_done(chan);
4968 /* Other amp move states imply that the move
4969 * has already aborted
4971 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4976 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4977 struct hci_chan *hchan)
4979 struct l2cap_conf_rsp rsp;
4981 chan->hs_hchan = hchan;
4982 chan->hs_hcon->l2cap_data = chan->conn;
4984 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4986 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4989 set_default_fcs(chan);
4991 err = l2cap_ertm_init(chan);
4993 l2cap_send_disconn_req(chan, -err);
4995 l2cap_chan_ready(chan);
4999 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
5000 struct hci_chan *hchan)
5002 chan->hs_hcon = hchan->conn;
5003 chan->hs_hcon->l2cap_data = chan->conn;
5005 BT_DBG("move_state %d", chan->move_state);
5007 switch (chan->move_state) {
5008 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5009 /* Move confirm will be sent after a success
5010 * response is received
5012 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5014 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
5015 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5016 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5017 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5018 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5019 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5020 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5021 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5022 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5026 /* Move was not in expected state, free the channel */
5027 __release_logical_link(chan);
5029 chan->move_state = L2CAP_MOVE_STABLE;
5033 /* Call with chan locked */
5034 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
5037 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
5040 l2cap_logical_fail(chan);
5041 __release_logical_link(chan);
5045 if (chan->state != BT_CONNECTED) {
5046 /* Ignore logical link if channel is on BR/EDR */
5047 if (chan->local_amp_id != AMP_ID_BREDR)
5048 l2cap_logical_finish_create(chan, hchan);
5050 l2cap_logical_finish_move(chan, hchan);
5054 void l2cap_move_start(struct l2cap_chan *chan)
5056 BT_DBG("chan %p", chan);
5058 if (chan->local_amp_id == AMP_ID_BREDR) {
5059 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
5061 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5062 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5063 /* Placeholder - start physical link setup */
5065 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5066 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5068 l2cap_move_setup(chan);
5069 l2cap_send_move_chan_req(chan, 0);
5073 static void l2cap_do_create(struct l2cap_chan *chan, int result,
5074 u8 local_amp_id, u8 remote_amp_id)
5076 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
5077 local_amp_id, remote_amp_id);
5079 chan->fcs = L2CAP_FCS_NONE;
5081 /* Outgoing channel on AMP */
5082 if (chan->state == BT_CONNECT) {
5083 if (result == L2CAP_CR_SUCCESS) {
5084 chan->local_amp_id = local_amp_id;
5085 l2cap_send_create_chan_req(chan, remote_amp_id);
5087 /* Revert to BR/EDR connect */
5088 l2cap_send_conn_req(chan);
5094 /* Incoming channel on AMP */
5095 if (__l2cap_no_conn_pending(chan)) {
5096 struct l2cap_conn_rsp rsp;
5098 rsp.scid = cpu_to_le16(chan->dcid);
5099 rsp.dcid = cpu_to_le16(chan->scid);
5101 if (result == L2CAP_CR_SUCCESS) {
5102 /* Send successful response */
5103 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
5104 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5106 /* Send negative response */
5107 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
5108 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5111 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
5114 if (result == L2CAP_CR_SUCCESS) {
5115 l2cap_state_change(chan, BT_CONFIG);
5116 set_bit(CONF_REQ_SENT, &chan->conf_state);
5117 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
5119 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
5120 chan->num_conf_req++;
5125 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
5128 l2cap_move_setup(chan);
5129 chan->move_id = local_amp_id;
5130 chan->move_state = L2CAP_MOVE_WAIT_RSP;
5132 l2cap_send_move_chan_req(chan, remote_amp_id);
5135 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
5137 struct hci_chan *hchan = NULL;
5139 /* Placeholder - get hci_chan for logical link */
5142 if (hchan->state == BT_CONNECTED) {
5143 /* Logical link is ready to go */
5144 chan->hs_hcon = hchan->conn;
5145 chan->hs_hcon->l2cap_data = chan->conn;
5146 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5147 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5149 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5151 /* Wait for logical link to be ready */
5152 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5155 /* Logical link not available */
5156 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5160 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5162 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5164 if (result == -EINVAL)
5165 rsp_result = L2CAP_MR_BAD_ID;
5167 rsp_result = L2CAP_MR_NOT_ALLOWED;
5169 l2cap_send_move_chan_rsp(chan, rsp_result);
5172 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5173 chan->move_state = L2CAP_MOVE_STABLE;
5175 /* Restart data transmission */
5176 l2cap_ertm_send(chan);
5179 /* Invoke with locked chan */
5180 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5182 u8 local_amp_id = chan->local_amp_id;
5183 u8 remote_amp_id = chan->remote_amp_id;
5185 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5186 chan, result, local_amp_id, remote_amp_id);
5188 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
5191 if (chan->state != BT_CONNECTED) {
5192 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5193 } else if (result != L2CAP_MR_SUCCESS) {
5194 l2cap_do_move_cancel(chan, result);
5196 switch (chan->move_role) {
5197 case L2CAP_MOVE_ROLE_INITIATOR:
5198 l2cap_do_move_initiate(chan, local_amp_id,
5201 case L2CAP_MOVE_ROLE_RESPONDER:
5202 l2cap_do_move_respond(chan, result);
5205 l2cap_do_move_cancel(chan, result);
5211 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5212 struct l2cap_cmd_hdr *cmd,
5213 u16 cmd_len, void *data)
5215 struct l2cap_move_chan_req *req = data;
5216 struct l2cap_move_chan_rsp rsp;
5217 struct l2cap_chan *chan;
5219 u16 result = L2CAP_MR_NOT_ALLOWED;
5221 if (cmd_len != sizeof(*req))
5224 icid = le16_to_cpu(req->icid);
5226 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5228 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
5231 chan = l2cap_get_chan_by_dcid(conn, icid);
5233 rsp.icid = cpu_to_le16(icid);
5234 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5235 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5240 chan->ident = cmd->ident;
5242 if (chan->scid < L2CAP_CID_DYN_START ||
5243 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5244 (chan->mode != L2CAP_MODE_ERTM &&
5245 chan->mode != L2CAP_MODE_STREAMING)) {
5246 result = L2CAP_MR_NOT_ALLOWED;
5247 goto send_move_response;
5250 if (chan->local_amp_id == req->dest_amp_id) {
5251 result = L2CAP_MR_SAME_ID;
5252 goto send_move_response;
5255 if (req->dest_amp_id != AMP_ID_BREDR) {
5256 struct hci_dev *hdev;
5257 hdev = hci_dev_get(req->dest_amp_id);
5258 if (!hdev || hdev->dev_type != HCI_AMP ||
5259 !test_bit(HCI_UP, &hdev->flags)) {
5263 result = L2CAP_MR_BAD_ID;
5264 goto send_move_response;
5269 /* Detect a move collision. Only send a collision response
5270 * if this side has "lost", otherwise proceed with the move.
5271 * The winner has the larger bd_addr.
5273 if ((__chan_is_moving(chan) ||
5274 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5275 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5276 result = L2CAP_MR_COLLISION;
5277 goto send_move_response;
5280 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5281 l2cap_move_setup(chan);
5282 chan->move_id = req->dest_amp_id;
5284 if (req->dest_amp_id == AMP_ID_BREDR) {
5285 /* Moving to BR/EDR */
5286 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5287 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5288 result = L2CAP_MR_PEND;
5290 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5291 result = L2CAP_MR_SUCCESS;
5294 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5295 /* Placeholder - uncomment when amp functions are available */
5296 /*amp_accept_physical(chan, req->dest_amp_id);*/
5297 result = L2CAP_MR_PEND;
5301 l2cap_send_move_chan_rsp(chan, result);
5303 l2cap_chan_unlock(chan);
5308 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5310 struct l2cap_chan *chan;
5311 struct hci_chan *hchan = NULL;
5313 chan = l2cap_get_chan_by_scid(conn, icid);
5315 l2cap_send_move_chan_cfm_icid(conn, icid);
5319 __clear_chan_timer(chan);
5320 if (result == L2CAP_MR_PEND)
5321 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5323 switch (chan->move_state) {
5324 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5325 /* Move confirm will be sent when logical link
5328 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5330 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5331 if (result == L2CAP_MR_PEND) {
5333 } else if (test_bit(CONN_LOCAL_BUSY,
5334 &chan->conn_state)) {
5335 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5337 /* Logical link is up or moving to BR/EDR,
5340 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5341 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5344 case L2CAP_MOVE_WAIT_RSP:
5346 if (result == L2CAP_MR_SUCCESS) {
5347 /* Remote is ready, send confirm immediately
5348 * after logical link is ready
5350 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5352 /* Both logical link and move success
5353 * are required to confirm
5355 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5358 /* Placeholder - get hci_chan for logical link */
5360 /* Logical link not available */
5361 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5365 /* If the logical link is not yet connected, do not
5366 * send confirmation.
5368 if (hchan->state != BT_CONNECTED)
5371 /* Logical link is already ready to go */
5373 chan->hs_hcon = hchan->conn;
5374 chan->hs_hcon->l2cap_data = chan->conn;
5376 if (result == L2CAP_MR_SUCCESS) {
5377 /* Can confirm now */
5378 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5380 /* Now only need move success
5383 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5386 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5389 /* Any other amp move state means the move failed. */
5390 chan->move_id = chan->local_amp_id;
5391 l2cap_move_done(chan);
5392 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5395 l2cap_chan_unlock(chan);
5398 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5401 struct l2cap_chan *chan;
5403 chan = l2cap_get_chan_by_ident(conn, ident);
5405 /* Could not locate channel, icid is best guess */
5406 l2cap_send_move_chan_cfm_icid(conn, icid);
5410 __clear_chan_timer(chan);
5412 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5413 if (result == L2CAP_MR_COLLISION) {
5414 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5416 /* Cleanup - cancel move */
5417 chan->move_id = chan->local_amp_id;
5418 l2cap_move_done(chan);
5422 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5424 l2cap_chan_unlock(chan);
5427 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5428 struct l2cap_cmd_hdr *cmd,
5429 u16 cmd_len, void *data)
5431 struct l2cap_move_chan_rsp *rsp = data;
5434 if (cmd_len != sizeof(*rsp))
5437 icid = le16_to_cpu(rsp->icid);
5438 result = le16_to_cpu(rsp->result);
5440 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5442 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5443 l2cap_move_continue(conn, icid, result);
5445 l2cap_move_fail(conn, cmd->ident, icid, result);
5450 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5451 struct l2cap_cmd_hdr *cmd,
5452 u16 cmd_len, void *data)
5454 struct l2cap_move_chan_cfm *cfm = data;
5455 struct l2cap_chan *chan;
5458 if (cmd_len != sizeof(*cfm))
5461 icid = le16_to_cpu(cfm->icid);
5462 result = le16_to_cpu(cfm->result);
5464 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5466 chan = l2cap_get_chan_by_dcid(conn, icid);
5468 /* Spec requires a response even if the icid was not found */
5469 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5473 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5474 if (result == L2CAP_MC_CONFIRMED) {
5475 chan->local_amp_id = chan->move_id;
5476 if (chan->local_amp_id == AMP_ID_BREDR)
5477 __release_logical_link(chan);
5479 chan->move_id = chan->local_amp_id;
5482 l2cap_move_done(chan);
5485 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5487 l2cap_chan_unlock(chan);
5492 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5493 struct l2cap_cmd_hdr *cmd,
5494 u16 cmd_len, void *data)
5496 struct l2cap_move_chan_cfm_rsp *rsp = data;
5497 struct l2cap_chan *chan;
5500 if (cmd_len != sizeof(*rsp))
5503 icid = le16_to_cpu(rsp->icid);
5505 BT_DBG("icid 0x%4.4x", icid);
5507 chan = l2cap_get_chan_by_scid(conn, icid);
5511 __clear_chan_timer(chan);
5513 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5514 chan->local_amp_id = chan->move_id;
5516 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5517 __release_logical_link(chan);
5519 l2cap_move_done(chan);
5522 l2cap_chan_unlock(chan);
5527 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5528 struct l2cap_cmd_hdr *cmd,
5529 u16 cmd_len, u8 *data)
5531 struct hci_conn *hcon = conn->hcon;
5532 struct l2cap_conn_param_update_req *req;
5533 struct l2cap_conn_param_update_rsp rsp;
5534 u16 min, max, latency, to_multiplier;
5537 if (hcon->role != HCI_ROLE_MASTER)
5540 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5543 req = (struct l2cap_conn_param_update_req *) data;
5544 min = __le16_to_cpu(req->min);
5545 max = __le16_to_cpu(req->max);
5546 latency = __le16_to_cpu(req->latency);
5547 to_multiplier = __le16_to_cpu(req->to_multiplier);
5549 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5550 min, max, latency, to_multiplier);
5552 memset(&rsp, 0, sizeof(rsp));
5554 err = hci_check_conn_params(min, max, latency, to_multiplier);
5556 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5558 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5560 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5566 store_hint = hci_le_conn_update(hcon, min, max, latency,
5568 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5569 store_hint, min, max, latency,
5577 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5578 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5581 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5582 struct hci_conn *hcon = conn->hcon;
5583 u16 dcid, mtu, mps, credits, result;
5584 struct l2cap_chan *chan;
5587 if (cmd_len < sizeof(*rsp))
5590 dcid = __le16_to_cpu(rsp->dcid);
5591 mtu = __le16_to_cpu(rsp->mtu);
5592 mps = __le16_to_cpu(rsp->mps);
5593 credits = __le16_to_cpu(rsp->credits);
5594 result = __le16_to_cpu(rsp->result);
5596 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5597 dcid < L2CAP_CID_DYN_START ||
5598 dcid > L2CAP_CID_LE_DYN_END))
5601 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5602 dcid, mtu, mps, credits, result);
5604 mutex_lock(&conn->chan_lock);
5606 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5614 l2cap_chan_lock(chan);
5617 case L2CAP_CR_LE_SUCCESS:
5618 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5626 chan->remote_mps = mps;
5627 chan->tx_credits = credits;
5628 l2cap_chan_ready(chan);
5631 case L2CAP_CR_LE_AUTHENTICATION:
5632 case L2CAP_CR_LE_ENCRYPTION:
5633 /* If we already have MITM protection we can't do
5636 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5637 l2cap_chan_del(chan, ECONNREFUSED);
5641 sec_level = hcon->sec_level + 1;
5642 if (chan->sec_level < sec_level)
5643 chan->sec_level = sec_level;
5645 /* We'll need to send a new Connect Request */
5646 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5648 smp_conn_security(hcon, chan->sec_level);
5652 l2cap_chan_del(chan, ECONNREFUSED);
5656 l2cap_chan_unlock(chan);
5659 mutex_unlock(&conn->chan_lock);
5664 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5665 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5670 switch (cmd->code) {
5671 case L2CAP_COMMAND_REJ:
5672 l2cap_command_rej(conn, cmd, cmd_len, data);
5675 case L2CAP_CONN_REQ:
5676 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5679 case L2CAP_CONN_RSP:
5680 case L2CAP_CREATE_CHAN_RSP:
5681 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5684 case L2CAP_CONF_REQ:
5685 err = l2cap_config_req(conn, cmd, cmd_len, data);
5688 case L2CAP_CONF_RSP:
5689 l2cap_config_rsp(conn, cmd, cmd_len, data);
5692 case L2CAP_DISCONN_REQ:
5693 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5696 case L2CAP_DISCONN_RSP:
5697 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5700 case L2CAP_ECHO_REQ:
5701 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5704 case L2CAP_ECHO_RSP:
5707 case L2CAP_INFO_REQ:
5708 err = l2cap_information_req(conn, cmd, cmd_len, data);
5711 case L2CAP_INFO_RSP:
5712 l2cap_information_rsp(conn, cmd, cmd_len, data);
5715 case L2CAP_CREATE_CHAN_REQ:
5716 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5719 case L2CAP_MOVE_CHAN_REQ:
5720 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5723 case L2CAP_MOVE_CHAN_RSP:
5724 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5727 case L2CAP_MOVE_CHAN_CFM:
5728 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5731 case L2CAP_MOVE_CHAN_CFM_RSP:
5732 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5736 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5744 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5745 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5748 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5749 struct l2cap_le_conn_rsp rsp;
5750 struct l2cap_chan *chan, *pchan;
5751 u16 dcid, scid, credits, mtu, mps;
5755 if (cmd_len != sizeof(*req))
5758 scid = __le16_to_cpu(req->scid);
5759 mtu = __le16_to_cpu(req->mtu);
5760 mps = __le16_to_cpu(req->mps);
5765 if (mtu < 23 || mps < 23)
5768 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5771 /* Check if we have socket listening on psm */
5772 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5773 &conn->hcon->dst, LE_LINK);
5775 result = L2CAP_CR_LE_BAD_PSM;
5780 mutex_lock(&conn->chan_lock);
5781 l2cap_chan_lock(pchan);
5783 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5785 result = L2CAP_CR_LE_AUTHENTICATION;
5787 goto response_unlock;
5790 /* Check for valid dynamic CID range */
5791 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5792 result = L2CAP_CR_LE_INVALID_SCID;
5794 goto response_unlock;
5797 /* Check if we already have channel with that dcid */
5798 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5799 result = L2CAP_CR_LE_SCID_IN_USE;
5801 goto response_unlock;
5804 chan = pchan->ops->new_connection(pchan);
5806 result = L2CAP_CR_LE_NO_MEM;
5807 goto response_unlock;
5810 bacpy(&chan->src, &conn->hcon->src);
5811 bacpy(&chan->dst, &conn->hcon->dst);
5812 chan->src_type = bdaddr_src_type(conn->hcon);
5813 chan->dst_type = bdaddr_dst_type(conn->hcon);
5817 chan->remote_mps = mps;
5819 __l2cap_chan_add(conn, chan);
5821 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5824 credits = chan->rx_credits;
5826 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5828 chan->ident = cmd->ident;
5830 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5831 l2cap_state_change(chan, BT_CONNECT2);
5832 /* The following result value is actually not defined
5833 * for LE CoC but we use it to let the function know
5834 * that it should bail out after doing its cleanup
5835 * instead of sending a response.
5837 result = L2CAP_CR_PEND;
5838 chan->ops->defer(chan);
5840 l2cap_chan_ready(chan);
5841 result = L2CAP_CR_LE_SUCCESS;
5845 l2cap_chan_unlock(pchan);
5846 mutex_unlock(&conn->chan_lock);
5847 l2cap_chan_put(pchan);
5849 if (result == L2CAP_CR_PEND)
5854 rsp.mtu = cpu_to_le16(chan->imtu);
5855 rsp.mps = cpu_to_le16(chan->mps);
5861 rsp.dcid = cpu_to_le16(dcid);
5862 rsp.credits = cpu_to_le16(credits);
5863 rsp.result = cpu_to_le16(result);
5865 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5870 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5871 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5874 struct l2cap_le_credits *pkt;
5875 struct l2cap_chan *chan;
5876 u16 cid, credits, max_credits;
5878 if (cmd_len != sizeof(*pkt))
5881 pkt = (struct l2cap_le_credits *) data;
5882 cid = __le16_to_cpu(pkt->cid);
5883 credits = __le16_to_cpu(pkt->credits);
5885 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5887 chan = l2cap_get_chan_by_dcid(conn, cid);
5891 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5892 if (credits > max_credits) {
5893 BT_ERR("LE credits overflow");
5894 l2cap_send_disconn_req(chan, ECONNRESET);
5895 l2cap_chan_unlock(chan);
5897 /* Return 0 so that we don't trigger an unnecessary
5898 * command reject packet.
5903 chan->tx_credits += credits;
5905 /* Resume sending */
5906 l2cap_le_flowctl_send(chan);
5908 if (chan->tx_credits)
5909 chan->ops->resume(chan);
5911 l2cap_chan_unlock(chan);
5916 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5917 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5920 struct l2cap_ecred_conn_req *req = (void *) data;
5922 struct l2cap_ecred_conn_rsp rsp;
5925 struct l2cap_chan *chan, *pchan;
5935 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5936 result = L2CAP_CR_LE_INVALID_PARAMS;
5940 mtu = __le16_to_cpu(req->mtu);
5941 mps = __le16_to_cpu(req->mps);
5943 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5944 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5950 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5952 memset(&pdu, 0, sizeof(pdu));
5954 /* Check if we have socket listening on psm */
5955 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5956 &conn->hcon->dst, LE_LINK);
5958 result = L2CAP_CR_LE_BAD_PSM;
5962 mutex_lock(&conn->chan_lock);
5963 l2cap_chan_lock(pchan);
5965 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5967 result = L2CAP_CR_LE_AUTHENTICATION;
5971 result = L2CAP_CR_LE_SUCCESS;
5972 cmd_len -= sizeof(*req);
5973 num_scid = cmd_len / sizeof(u16);
5975 for (i = 0; i < num_scid; i++) {
5976 u16 scid = __le16_to_cpu(req->scid[i]);
5978 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5980 pdu.dcid[i] = 0x0000;
5981 len += sizeof(*pdu.dcid);
5983 /* Check for valid dynamic CID range */
5984 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5985 result = L2CAP_CR_LE_INVALID_SCID;
5989 /* Check if we already have channel with that dcid */
5990 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5991 result = L2CAP_CR_LE_SCID_IN_USE;
5995 chan = pchan->ops->new_connection(pchan);
5997 result = L2CAP_CR_LE_NO_MEM;
6001 bacpy(&chan->src, &conn->hcon->src);
6002 bacpy(&chan->dst, &conn->hcon->dst);
6003 chan->src_type = bdaddr_src_type(conn->hcon);
6004 chan->dst_type = bdaddr_dst_type(conn->hcon);
6008 chan->remote_mps = mps;
6010 __l2cap_chan_add(conn, chan);
6012 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6015 if (!pdu.rsp.credits) {
6016 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6017 pdu.rsp.mps = cpu_to_le16(chan->mps);
6018 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6021 pdu.dcid[i] = cpu_to_le16(chan->scid);
6023 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6025 chan->ident = cmd->ident;
6027 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6028 l2cap_state_change(chan, BT_CONNECT2);
6030 chan->ops->defer(chan);
6032 l2cap_chan_ready(chan);
6037 l2cap_chan_unlock(pchan);
6038 mutex_unlock(&conn->chan_lock);
6039 l2cap_chan_put(pchan);
6042 pdu.rsp.result = cpu_to_le16(result);
6047 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6048 sizeof(pdu.rsp) + len, &pdu);
6053 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6054 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6057 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6058 struct hci_conn *hcon = conn->hcon;
6059 u16 mtu, mps, credits, result;
6060 struct l2cap_chan *chan;
6061 int err = 0, sec_level;
6064 if (cmd_len < sizeof(*rsp))
6067 mtu = __le16_to_cpu(rsp->mtu);
6068 mps = __le16_to_cpu(rsp->mps);
6069 credits = __le16_to_cpu(rsp->credits);
6070 result = __le16_to_cpu(rsp->result);
6072 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6075 mutex_lock(&conn->chan_lock);
6077 cmd_len -= sizeof(*rsp);
6079 list_for_each_entry(chan, &conn->chan_l, list) {
6082 if (chan->ident != cmd->ident ||
6083 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6084 chan->state == BT_CONNECTED)
6087 l2cap_chan_lock(chan);
6089 /* Check that there is a dcid for each pending channel */
6090 if (cmd_len < sizeof(dcid)) {
6091 l2cap_chan_del(chan, ECONNREFUSED);
6092 l2cap_chan_unlock(chan);
6096 dcid = __le16_to_cpu(rsp->dcid[i++]);
6097 cmd_len -= sizeof(u16);
6099 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6101 /* Check if dcid is already in use */
6102 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6103 /* If a device receives a
6104 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
6105 * already-assigned Destination CID, then both the
6106 * original channel and the new channel shall be
6107 * immediately discarded and not used.
6109 l2cap_chan_del(chan, ECONNREFUSED);
6110 l2cap_chan_unlock(chan);
6111 chan = __l2cap_get_chan_by_dcid(conn, dcid);
6112 l2cap_chan_lock(chan);
6113 l2cap_chan_del(chan, ECONNRESET);
6114 l2cap_chan_unlock(chan);
6119 case L2CAP_CR_LE_AUTHENTICATION:
6120 case L2CAP_CR_LE_ENCRYPTION:
6121 /* If we already have MITM protection we can't do
6124 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6125 l2cap_chan_del(chan, ECONNREFUSED);
6129 sec_level = hcon->sec_level + 1;
6130 if (chan->sec_level < sec_level)
6131 chan->sec_level = sec_level;
6133 /* We'll need to send a new Connect Request */
6134 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6136 smp_conn_security(hcon, chan->sec_level);
6139 case L2CAP_CR_LE_BAD_PSM:
6140 l2cap_chan_del(chan, ECONNREFUSED);
6144 /* If dcid was not set it means channels was refused */
6146 l2cap_chan_del(chan, ECONNREFUSED);
6153 chan->remote_mps = mps;
6154 chan->tx_credits = credits;
6155 l2cap_chan_ready(chan);
6159 l2cap_chan_unlock(chan);
6162 mutex_unlock(&conn->chan_lock);
6167 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6168 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6171 struct l2cap_ecred_reconf_req *req = (void *) data;
6172 struct l2cap_ecred_reconf_rsp rsp;
6173 u16 mtu, mps, result;
6174 struct l2cap_chan *chan;
6180 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6181 result = L2CAP_CR_LE_INVALID_PARAMS;
6185 mtu = __le16_to_cpu(req->mtu);
6186 mps = __le16_to_cpu(req->mps);
6188 BT_DBG("mtu %u mps %u", mtu, mps);
6190 if (mtu < L2CAP_ECRED_MIN_MTU) {
6191 result = L2CAP_RECONF_INVALID_MTU;
6195 if (mps < L2CAP_ECRED_MIN_MPS) {
6196 result = L2CAP_RECONF_INVALID_MPS;
6200 cmd_len -= sizeof(*req);
6201 num_scid = cmd_len / sizeof(u16);
6202 result = L2CAP_RECONF_SUCCESS;
6204 for (i = 0; i < num_scid; i++) {
6207 scid = __le16_to_cpu(req->scid[i]);
6211 chan = __l2cap_get_chan_by_dcid(conn, scid);
6215 /* If the MTU value is decreased for any of the included
6216 * channels, then the receiver shall disconnect all
6217 * included channels.
6219 if (chan->omtu > mtu) {
6220 BT_ERR("chan %p decreased MTU %u -> %u", chan,
6222 result = L2CAP_RECONF_INVALID_MTU;
6226 chan->remote_mps = mps;
6230 rsp.result = cpu_to_le16(result);
6232 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6238 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6239 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6242 struct l2cap_chan *chan;
6243 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6246 if (cmd_len < sizeof(*rsp))
6249 result = __le16_to_cpu(rsp->result);
6251 BT_DBG("result 0x%4.4x", rsp->result);
6256 list_for_each_entry(chan, &conn->chan_l, list) {
6257 if (chan->ident != cmd->ident)
6260 l2cap_chan_del(chan, ECONNRESET);
6266 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
6267 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6270 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
6271 struct l2cap_chan *chan;
6273 if (cmd_len < sizeof(*rej))
6276 mutex_lock(&conn->chan_lock);
6278 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
6282 l2cap_chan_lock(chan);
6283 l2cap_chan_del(chan, ECONNREFUSED);
6284 l2cap_chan_unlock(chan);
6287 mutex_unlock(&conn->chan_lock);
6291 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
6292 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6297 switch (cmd->code) {
6298 case L2CAP_COMMAND_REJ:
6299 l2cap_le_command_rej(conn, cmd, cmd_len, data);
6302 case L2CAP_CONN_PARAM_UPDATE_REQ:
6303 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
6306 case L2CAP_CONN_PARAM_UPDATE_RSP:
6309 case L2CAP_LE_CONN_RSP:
6310 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
6313 case L2CAP_LE_CONN_REQ:
6314 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
6317 case L2CAP_LE_CREDITS:
6318 err = l2cap_le_credits(conn, cmd, cmd_len, data);
6321 case L2CAP_ECRED_CONN_REQ:
6322 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6325 case L2CAP_ECRED_CONN_RSP:
6326 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6329 case L2CAP_ECRED_RECONF_REQ:
6330 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6333 case L2CAP_ECRED_RECONF_RSP:
6334 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
6337 case L2CAP_DISCONN_REQ:
6338 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
6341 case L2CAP_DISCONN_RSP:
6342 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
6346 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
6354 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
6355 struct sk_buff *skb)
6357 struct hci_conn *hcon = conn->hcon;
6358 struct l2cap_cmd_hdr *cmd;
6362 if (hcon->type != LE_LINK)
6365 if (skb->len < L2CAP_CMD_HDR_SIZE)
6368 cmd = (void *) skb->data;
6369 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6371 len = le16_to_cpu(cmd->len);
6373 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
6375 if (len != skb->len || !cmd->ident) {
6376 BT_DBG("corrupted command");
6380 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
6382 struct l2cap_cmd_rej_unk rej;
6384 BT_ERR("Wrong link type (%d)", err);
6386 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6387 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6395 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
6396 struct sk_buff *skb)
6398 struct hci_conn *hcon = conn->hcon;
6399 struct l2cap_cmd_hdr *cmd;
6402 l2cap_raw_recv(conn, skb);
6404 if (hcon->type != ACL_LINK)
6407 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6410 cmd = (void *) skb->data;
6411 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6413 len = le16_to_cpu(cmd->len);
6415 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6418 if (len > skb->len || !cmd->ident) {
6419 BT_DBG("corrupted command");
6423 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
6425 struct l2cap_cmd_rej_unk rej;
6427 BT_ERR("Wrong link type (%d)", err);
6429 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6430 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6441 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
6443 u16 our_fcs, rcv_fcs;
6446 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
6447 hdr_size = L2CAP_EXT_HDR_SIZE;
6449 hdr_size = L2CAP_ENH_HDR_SIZE;
6451 if (chan->fcs == L2CAP_FCS_CRC16) {
6452 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
6453 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
6454 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
6456 if (our_fcs != rcv_fcs)
6462 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
6464 struct l2cap_ctrl control;
6466 BT_DBG("chan %p", chan);
6468 memset(&control, 0, sizeof(control));
6471 control.reqseq = chan->buffer_seq;
6472 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6474 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6475 control.super = L2CAP_SUPER_RNR;
6476 l2cap_send_sframe(chan, &control);
6479 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6480 chan->unacked_frames > 0)
6481 __set_retrans_timer(chan);
6483 /* Send pending iframes */
6484 l2cap_ertm_send(chan);
6486 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6487 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
6488 /* F-bit wasn't sent in an s-frame or i-frame yet, so
6491 control.super = L2CAP_SUPER_RR;
6492 l2cap_send_sframe(chan, &control);
6496 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
6497 struct sk_buff **last_frag)
6499 /* skb->len reflects data in skb as well as all fragments
6500 * skb->data_len reflects only data in fragments
6502 if (!skb_has_frag_list(skb))
6503 skb_shinfo(skb)->frag_list = new_frag;
6505 new_frag->next = NULL;
6507 (*last_frag)->next = new_frag;
6508 *last_frag = new_frag;
6510 skb->len += new_frag->len;
6511 skb->data_len += new_frag->len;
6512 skb->truesize += new_frag->truesize;
6515 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
6516 struct l2cap_ctrl *control)
6520 switch (control->sar) {
6521 case L2CAP_SAR_UNSEGMENTED:
6525 err = chan->ops->recv(chan, skb);
6528 case L2CAP_SAR_START:
6532 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
6535 chan->sdu_len = get_unaligned_le16(skb->data);
6536 skb_pull(skb, L2CAP_SDULEN_SIZE);
6538 if (chan->sdu_len > chan->imtu) {
6543 if (skb->len >= chan->sdu_len)
6547 chan->sdu_last_frag = skb;
6553 case L2CAP_SAR_CONTINUE:
6557 append_skb_frag(chan->sdu, skb,
6558 &chan->sdu_last_frag);
6561 if (chan->sdu->len >= chan->sdu_len)
6571 append_skb_frag(chan->sdu, skb,
6572 &chan->sdu_last_frag);
6575 if (chan->sdu->len != chan->sdu_len)
6578 err = chan->ops->recv(chan, chan->sdu);
6581 /* Reassembly complete */
6583 chan->sdu_last_frag = NULL;
6591 kfree_skb(chan->sdu);
6593 chan->sdu_last_frag = NULL;
6600 static int l2cap_resegment(struct l2cap_chan *chan)
6606 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6610 if (chan->mode != L2CAP_MODE_ERTM)
6613 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6614 l2cap_tx(chan, NULL, NULL, event);
6617 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6620 /* Pass sequential frames to l2cap_reassemble_sdu()
6621 * until a gap is encountered.
6624 BT_DBG("chan %p", chan);
6626 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6627 struct sk_buff *skb;
6628 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6629 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6631 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6636 skb_unlink(skb, &chan->srej_q);
6637 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6638 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6643 if (skb_queue_empty(&chan->srej_q)) {
6644 chan->rx_state = L2CAP_RX_STATE_RECV;
6645 l2cap_send_ack(chan);
6651 static void l2cap_handle_srej(struct l2cap_chan *chan,
6652 struct l2cap_ctrl *control)
6654 struct sk_buff *skb;
6656 BT_DBG("chan %p, control %p", chan, control);
6658 if (control->reqseq == chan->next_tx_seq) {
6659 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6660 l2cap_send_disconn_req(chan, ECONNRESET);
6664 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6667 BT_DBG("Seq %d not available for retransmission",
6672 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6673 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6674 l2cap_send_disconn_req(chan, ECONNRESET);
6678 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6680 if (control->poll) {
6681 l2cap_pass_to_tx(chan, control);
6683 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6684 l2cap_retransmit(chan, control);
6685 l2cap_ertm_send(chan);
6687 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6688 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6689 chan->srej_save_reqseq = control->reqseq;
6692 l2cap_pass_to_tx_fbit(chan, control);
6694 if (control->final) {
6695 if (chan->srej_save_reqseq != control->reqseq ||
6696 !test_and_clear_bit(CONN_SREJ_ACT,
6698 l2cap_retransmit(chan, control);
6700 l2cap_retransmit(chan, control);
6701 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6702 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6703 chan->srej_save_reqseq = control->reqseq;
6709 static void l2cap_handle_rej(struct l2cap_chan *chan,
6710 struct l2cap_ctrl *control)
6712 struct sk_buff *skb;
6714 BT_DBG("chan %p, control %p", chan, control);
6716 if (control->reqseq == chan->next_tx_seq) {
6717 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6718 l2cap_send_disconn_req(chan, ECONNRESET);
6722 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6724 if (chan->max_tx && skb &&
6725 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6726 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6727 l2cap_send_disconn_req(chan, ECONNRESET);
6731 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6733 l2cap_pass_to_tx(chan, control);
6735 if (control->final) {
6736 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6737 l2cap_retransmit_all(chan, control);
6739 l2cap_retransmit_all(chan, control);
6740 l2cap_ertm_send(chan);
6741 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6742 set_bit(CONN_REJ_ACT, &chan->conn_state);
6746 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6748 BT_DBG("chan %p, txseq %d", chan, txseq);
6750 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6751 chan->expected_tx_seq);
6753 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6754 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6756 /* See notes below regarding "double poll" and
6759 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6760 BT_DBG("Invalid/Ignore - after SREJ");
6761 return L2CAP_TXSEQ_INVALID_IGNORE;
6763 BT_DBG("Invalid - in window after SREJ sent");
6764 return L2CAP_TXSEQ_INVALID;
6768 if (chan->srej_list.head == txseq) {
6769 BT_DBG("Expected SREJ");
6770 return L2CAP_TXSEQ_EXPECTED_SREJ;
6773 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6774 BT_DBG("Duplicate SREJ - txseq already stored");
6775 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6778 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6779 BT_DBG("Unexpected SREJ - not requested");
6780 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6784 if (chan->expected_tx_seq == txseq) {
6785 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6787 BT_DBG("Invalid - txseq outside tx window");
6788 return L2CAP_TXSEQ_INVALID;
6791 return L2CAP_TXSEQ_EXPECTED;
6795 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6796 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6797 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6798 return L2CAP_TXSEQ_DUPLICATE;
6801 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6802 /* A source of invalid packets is a "double poll" condition,
6803 * where delays cause us to send multiple poll packets. If
6804 * the remote stack receives and processes both polls,
6805 * sequence numbers can wrap around in such a way that a
6806 * resent frame has a sequence number that looks like new data
6807 * with a sequence gap. This would trigger an erroneous SREJ
6810 * Fortunately, this is impossible with a tx window that's
6811 * less than half of the maximum sequence number, which allows
6812 * invalid frames to be safely ignored.
6814 * With tx window sizes greater than half of the tx window
6815 * maximum, the frame is invalid and cannot be ignored. This
6816 * causes a disconnect.
6819 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6820 BT_DBG("Invalid/Ignore - txseq outside tx window");
6821 return L2CAP_TXSEQ_INVALID_IGNORE;
6823 BT_DBG("Invalid - txseq outside tx window");
6824 return L2CAP_TXSEQ_INVALID;
6827 BT_DBG("Unexpected - txseq indicates missing frames");
6828 return L2CAP_TXSEQ_UNEXPECTED;
6832 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6833 struct l2cap_ctrl *control,
6834 struct sk_buff *skb, u8 event)
6837 bool skb_in_use = false;
6839 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6843 case L2CAP_EV_RECV_IFRAME:
6844 switch (l2cap_classify_txseq(chan, control->txseq)) {
6845 case L2CAP_TXSEQ_EXPECTED:
6846 l2cap_pass_to_tx(chan, control);
6848 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6849 BT_DBG("Busy, discarding expected seq %d",
6854 chan->expected_tx_seq = __next_seq(chan,
6857 chan->buffer_seq = chan->expected_tx_seq;
6860 err = l2cap_reassemble_sdu(chan, skb, control);
6864 if (control->final) {
6865 if (!test_and_clear_bit(CONN_REJ_ACT,
6866 &chan->conn_state)) {
6868 l2cap_retransmit_all(chan, control);
6869 l2cap_ertm_send(chan);
6873 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6874 l2cap_send_ack(chan);
6876 case L2CAP_TXSEQ_UNEXPECTED:
6877 l2cap_pass_to_tx(chan, control);
6879 /* Can't issue SREJ frames in the local busy state.
6880 * Drop this frame, it will be seen as missing
6881 * when local busy is exited.
6883 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6884 BT_DBG("Busy, discarding unexpected seq %d",
6889 /* There was a gap in the sequence, so an SREJ
6890 * must be sent for each missing frame. The
6891 * current frame is stored for later use.
6893 skb_queue_tail(&chan->srej_q, skb);
6895 BT_DBG("Queued %p (queue len %d)", skb,
6896 skb_queue_len(&chan->srej_q));
6898 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6899 l2cap_seq_list_clear(&chan->srej_list);
6900 l2cap_send_srej(chan, control->txseq);
6902 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6904 case L2CAP_TXSEQ_DUPLICATE:
6905 l2cap_pass_to_tx(chan, control);
6907 case L2CAP_TXSEQ_INVALID_IGNORE:
6909 case L2CAP_TXSEQ_INVALID:
6911 l2cap_send_disconn_req(chan, ECONNRESET);
6915 case L2CAP_EV_RECV_RR:
6916 l2cap_pass_to_tx(chan, control);
6917 if (control->final) {
6918 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6920 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6921 !__chan_is_moving(chan)) {
6923 l2cap_retransmit_all(chan, control);
6926 l2cap_ertm_send(chan);
6927 } else if (control->poll) {
6928 l2cap_send_i_or_rr_or_rnr(chan);
6930 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6931 &chan->conn_state) &&
6932 chan->unacked_frames)
6933 __set_retrans_timer(chan);
6935 l2cap_ertm_send(chan);
6938 case L2CAP_EV_RECV_RNR:
6939 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6940 l2cap_pass_to_tx(chan, control);
6941 if (control && control->poll) {
6942 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6943 l2cap_send_rr_or_rnr(chan, 0);
6945 __clear_retrans_timer(chan);
6946 l2cap_seq_list_clear(&chan->retrans_list);
6948 case L2CAP_EV_RECV_REJ:
6949 l2cap_handle_rej(chan, control);
6951 case L2CAP_EV_RECV_SREJ:
6952 l2cap_handle_srej(chan, control);
6958 if (skb && !skb_in_use) {
6959 BT_DBG("Freeing %p", skb);
6966 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6967 struct l2cap_ctrl *control,
6968 struct sk_buff *skb, u8 event)
6971 u16 txseq = control->txseq;
6972 bool skb_in_use = false;
6974 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6978 case L2CAP_EV_RECV_IFRAME:
6979 switch (l2cap_classify_txseq(chan, txseq)) {
6980 case L2CAP_TXSEQ_EXPECTED:
6981 /* Keep frame for reassembly later */
6982 l2cap_pass_to_tx(chan, control);
6983 skb_queue_tail(&chan->srej_q, skb);
6985 BT_DBG("Queued %p (queue len %d)", skb,
6986 skb_queue_len(&chan->srej_q));
6988 chan->expected_tx_seq = __next_seq(chan, txseq);
6990 case L2CAP_TXSEQ_EXPECTED_SREJ:
6991 l2cap_seq_list_pop(&chan->srej_list);
6993 l2cap_pass_to_tx(chan, control);
6994 skb_queue_tail(&chan->srej_q, skb);
6996 BT_DBG("Queued %p (queue len %d)", skb,
6997 skb_queue_len(&chan->srej_q));
6999 err = l2cap_rx_queued_iframes(chan);
7004 case L2CAP_TXSEQ_UNEXPECTED:
7005 /* Got a frame that can't be reassembled yet.
7006 * Save it for later, and send SREJs to cover
7007 * the missing frames.
7009 skb_queue_tail(&chan->srej_q, skb);
7011 BT_DBG("Queued %p (queue len %d)", skb,
7012 skb_queue_len(&chan->srej_q));
7014 l2cap_pass_to_tx(chan, control);
7015 l2cap_send_srej(chan, control->txseq);
7017 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
7018 /* This frame was requested with an SREJ, but
7019 * some expected retransmitted frames are
7020 * missing. Request retransmission of missing
7023 skb_queue_tail(&chan->srej_q, skb);
7025 BT_DBG("Queued %p (queue len %d)", skb,
7026 skb_queue_len(&chan->srej_q));
7028 l2cap_pass_to_tx(chan, control);
7029 l2cap_send_srej_list(chan, control->txseq);
7031 case L2CAP_TXSEQ_DUPLICATE_SREJ:
7032 /* We've already queued this frame. Drop this copy. */
7033 l2cap_pass_to_tx(chan, control);
7035 case L2CAP_TXSEQ_DUPLICATE:
7036 /* Expecting a later sequence number, so this frame
7037 * was already received. Ignore it completely.
7040 case L2CAP_TXSEQ_INVALID_IGNORE:
7042 case L2CAP_TXSEQ_INVALID:
7044 l2cap_send_disconn_req(chan, ECONNRESET);
7048 case L2CAP_EV_RECV_RR:
7049 l2cap_pass_to_tx(chan, control);
7050 if (control->final) {
7051 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7053 if (!test_and_clear_bit(CONN_REJ_ACT,
7054 &chan->conn_state)) {
7056 l2cap_retransmit_all(chan, control);
7059 l2cap_ertm_send(chan);
7060 } else if (control->poll) {
7061 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7062 &chan->conn_state) &&
7063 chan->unacked_frames) {
7064 __set_retrans_timer(chan);
7067 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7068 l2cap_send_srej_tail(chan);
7070 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7071 &chan->conn_state) &&
7072 chan->unacked_frames)
7073 __set_retrans_timer(chan);
7075 l2cap_send_ack(chan);
7078 case L2CAP_EV_RECV_RNR:
7079 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7080 l2cap_pass_to_tx(chan, control);
7081 if (control->poll) {
7082 l2cap_send_srej_tail(chan);
7084 struct l2cap_ctrl rr_control;
7085 memset(&rr_control, 0, sizeof(rr_control));
7086 rr_control.sframe = 1;
7087 rr_control.super = L2CAP_SUPER_RR;
7088 rr_control.reqseq = chan->buffer_seq;
7089 l2cap_send_sframe(chan, &rr_control);
7093 case L2CAP_EV_RECV_REJ:
7094 l2cap_handle_rej(chan, control);
7096 case L2CAP_EV_RECV_SREJ:
7097 l2cap_handle_srej(chan, control);
7101 if (skb && !skb_in_use) {
7102 BT_DBG("Freeing %p", skb);
7109 static int l2cap_finish_move(struct l2cap_chan *chan)
7111 BT_DBG("chan %p", chan);
7113 chan->rx_state = L2CAP_RX_STATE_RECV;
7116 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7118 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7120 return l2cap_resegment(chan);
7123 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
7124 struct l2cap_ctrl *control,
7125 struct sk_buff *skb, u8 event)
7129 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7135 l2cap_process_reqseq(chan, control->reqseq);
7137 if (!skb_queue_empty(&chan->tx_q))
7138 chan->tx_send_head = skb_peek(&chan->tx_q);
7140 chan->tx_send_head = NULL;
7142 /* Rewind next_tx_seq to the point expected
7145 chan->next_tx_seq = control->reqseq;
7146 chan->unacked_frames = 0;
7148 err = l2cap_finish_move(chan);
7152 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7153 l2cap_send_i_or_rr_or_rnr(chan);
7155 if (event == L2CAP_EV_RECV_IFRAME)
7158 return l2cap_rx_state_recv(chan, control, NULL, event);
7161 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
7162 struct l2cap_ctrl *control,
7163 struct sk_buff *skb, u8 event)
7167 if (!control->final)
7170 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7172 chan->rx_state = L2CAP_RX_STATE_RECV;
7173 l2cap_process_reqseq(chan, control->reqseq);
7175 if (!skb_queue_empty(&chan->tx_q))
7176 chan->tx_send_head = skb_peek(&chan->tx_q);
7178 chan->tx_send_head = NULL;
7180 /* Rewind next_tx_seq to the point expected
7183 chan->next_tx_seq = control->reqseq;
7184 chan->unacked_frames = 0;
7187 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7189 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7191 err = l2cap_resegment(chan);
7194 err = l2cap_rx_state_recv(chan, control, skb, event);
7199 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
7201 /* Make sure reqseq is for a packet that has been sent but not acked */
7204 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
7205 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
7208 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7209 struct sk_buff *skb, u8 event)
7213 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
7214 control, skb, event, chan->rx_state);
7216 if (__valid_reqseq(chan, control->reqseq)) {
7217 switch (chan->rx_state) {
7218 case L2CAP_RX_STATE_RECV:
7219 err = l2cap_rx_state_recv(chan, control, skb, event);
7221 case L2CAP_RX_STATE_SREJ_SENT:
7222 err = l2cap_rx_state_srej_sent(chan, control, skb,
7225 case L2CAP_RX_STATE_WAIT_P:
7226 err = l2cap_rx_state_wait_p(chan, control, skb, event);
7228 case L2CAP_RX_STATE_WAIT_F:
7229 err = l2cap_rx_state_wait_f(chan, control, skb, event);
7236 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
7237 control->reqseq, chan->next_tx_seq,
7238 chan->expected_ack_seq);
7239 l2cap_send_disconn_req(chan, ECONNRESET);
7245 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7246 struct sk_buff *skb)
7248 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
7251 if (l2cap_classify_txseq(chan, control->txseq) ==
7252 L2CAP_TXSEQ_EXPECTED) {
7253 l2cap_pass_to_tx(chan, control);
7255 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
7256 __next_seq(chan, chan->buffer_seq));
7258 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
7260 l2cap_reassemble_sdu(chan, skb, control);
7263 kfree_skb(chan->sdu);
7266 chan->sdu_last_frag = NULL;
7270 BT_DBG("Freeing %p", skb);
7275 chan->last_acked_seq = control->txseq;
7276 chan->expected_tx_seq = __next_seq(chan, control->txseq);
7281 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7283 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
7287 __unpack_control(chan, skb);
7292 * We can just drop the corrupted I-frame here.
7293 * Receiver will miss it and start proper recovery
7294 * procedures and ask for retransmission.
7296 if (l2cap_check_fcs(chan, skb))
7299 if (!control->sframe && control->sar == L2CAP_SAR_START)
7300 len -= L2CAP_SDULEN_SIZE;
7302 if (chan->fcs == L2CAP_FCS_CRC16)
7303 len -= L2CAP_FCS_SIZE;
7305 if (len > chan->mps) {
7306 l2cap_send_disconn_req(chan, ECONNRESET);
7310 if (chan->ops->filter) {
7311 if (chan->ops->filter(chan, skb))
7315 if (!control->sframe) {
7318 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
7319 control->sar, control->reqseq, control->final,
7322 /* Validate F-bit - F=0 always valid, F=1 only
7323 * valid in TX WAIT_F
7325 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
7328 if (chan->mode != L2CAP_MODE_STREAMING) {
7329 event = L2CAP_EV_RECV_IFRAME;
7330 err = l2cap_rx(chan, control, skb, event);
7332 err = l2cap_stream_rx(chan, control, skb);
7336 l2cap_send_disconn_req(chan, ECONNRESET);
7338 const u8 rx_func_to_event[4] = {
7339 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
7340 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
7343 /* Only I-frames are expected in streaming mode */
7344 if (chan->mode == L2CAP_MODE_STREAMING)
7347 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
7348 control->reqseq, control->final, control->poll,
7352 BT_ERR("Trailing bytes: %d in sframe", len);
7353 l2cap_send_disconn_req(chan, ECONNRESET);
7357 /* Validate F and P bits */
7358 if (control->final && (control->poll ||
7359 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
7362 event = rx_func_to_event[control->super];
7363 if (l2cap_rx(chan, control, skb, event))
7364 l2cap_send_disconn_req(chan, ECONNRESET);
7374 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
7376 struct l2cap_conn *conn = chan->conn;
7377 struct l2cap_le_credits pkt;
7380 return_credits = (chan->imtu / chan->mps) + 1;
7382 if (chan->rx_credits >= return_credits)
7385 return_credits -= chan->rx_credits;
7387 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
7389 chan->rx_credits += return_credits;
7391 pkt.cid = cpu_to_le16(chan->scid);
7392 pkt.credits = cpu_to_le16(return_credits);
7394 chan->ident = l2cap_get_ident(conn);
7396 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
7399 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7403 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7405 /* Wait recv to confirm reception before updating the credits */
7406 err = chan->ops->recv(chan, skb);
7408 /* Update credits whenever an SDU is received */
7409 l2cap_chan_le_send_credits(chan);
7414 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7418 if (!chan->rx_credits) {
7419 BT_ERR("No credits to receive LE L2CAP data");
7420 l2cap_send_disconn_req(chan, ECONNRESET);
7424 if (chan->imtu < skb->len) {
7425 BT_ERR("Too big LE L2CAP PDU");
7430 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
7432 /* Update if remote had run out of credits, this should only happens
7433 * if the remote is not using the entire MPS.
7435 if (!chan->rx_credits)
7436 l2cap_chan_le_send_credits(chan);
7443 sdu_len = get_unaligned_le16(skb->data);
7444 skb_pull(skb, L2CAP_SDULEN_SIZE);
7446 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
7447 sdu_len, skb->len, chan->imtu);
7449 if (sdu_len > chan->imtu) {
7450 BT_ERR("Too big LE L2CAP SDU length received");
7455 if (skb->len > sdu_len) {
7456 BT_ERR("Too much LE L2CAP data received");
7461 if (skb->len == sdu_len)
7462 return l2cap_ecred_recv(chan, skb);
7465 chan->sdu_len = sdu_len;
7466 chan->sdu_last_frag = skb;
7468 /* Detect if remote is not able to use the selected MPS */
7469 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
7470 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
7472 /* Adjust the number of credits */
7473 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
7474 chan->mps = mps_len;
7475 l2cap_chan_le_send_credits(chan);
7481 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
7482 chan->sdu->len, skb->len, chan->sdu_len);
7484 if (chan->sdu->len + skb->len > chan->sdu_len) {
7485 BT_ERR("Too much LE L2CAP data received");
7490 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
7493 if (chan->sdu->len == chan->sdu_len) {
7494 err = l2cap_ecred_recv(chan, chan->sdu);
7497 chan->sdu_last_frag = NULL;
7505 kfree_skb(chan->sdu);
7507 chan->sdu_last_frag = NULL;
7511 /* We can't return an error here since we took care of the skb
7512 * freeing internally. An error return would cause the caller to
7513 * do a double-free of the skb.
7518 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
7519 struct sk_buff *skb)
7521 struct l2cap_chan *chan;
7523 chan = l2cap_get_chan_by_scid(conn, cid);
7525 if (cid == L2CAP_CID_A2MP) {
7526 chan = a2mp_channel_create(conn, skb);
7532 l2cap_chan_lock(chan);
7534 BT_DBG("unknown cid 0x%4.4x", cid);
7535 /* Drop packet and return */
7541 BT_DBG("chan %p, len %d", chan, skb->len);
7543 /* If we receive data on a fixed channel before the info req/rsp
7544 * procdure is done simply assume that the channel is supported
7545 * and mark it as ready.
7547 if (chan->chan_type == L2CAP_CHAN_FIXED)
7548 l2cap_chan_ready(chan);
7550 if (chan->state != BT_CONNECTED)
7553 switch (chan->mode) {
7554 case L2CAP_MODE_LE_FLOWCTL:
7555 case L2CAP_MODE_EXT_FLOWCTL:
7556 if (l2cap_ecred_data_rcv(chan, skb) < 0)
7561 case L2CAP_MODE_BASIC:
7562 /* If socket recv buffers overflows we drop data here
7563 * which is *bad* because L2CAP has to be reliable.
7564 * But we don't have any other choice. L2CAP doesn't
7565 * provide flow control mechanism. */
7567 if (chan->imtu < skb->len) {
7568 BT_ERR("Dropping L2CAP data: receive buffer overflow");
7572 if (!chan->ops->recv(chan, skb))
7576 case L2CAP_MODE_ERTM:
7577 case L2CAP_MODE_STREAMING:
7578 l2cap_data_rcv(chan, skb);
7582 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7590 l2cap_chan_unlock(chan);
7593 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7594 struct sk_buff *skb)
7596 struct hci_conn *hcon = conn->hcon;
7597 struct l2cap_chan *chan;
7599 if (hcon->type != ACL_LINK)
7602 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7607 BT_DBG("chan %p, len %d", chan, skb->len);
7609 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7612 if (chan->imtu < skb->len)
7615 /* Store remote BD_ADDR and PSM for msg_name */
7616 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7617 bt_cb(skb)->l2cap.psm = psm;
7619 if (!chan->ops->recv(chan, skb)) {
7620 l2cap_chan_put(chan);
7625 l2cap_chan_put(chan);
7630 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7632 struct l2cap_hdr *lh = (void *) skb->data;
7633 struct hci_conn *hcon = conn->hcon;
7637 if (hcon->state != BT_CONNECTED) {
7638 BT_DBG("queueing pending rx skb");
7639 skb_queue_tail(&conn->pending_rx, skb);
7643 skb_pull(skb, L2CAP_HDR_SIZE);
7644 cid = __le16_to_cpu(lh->cid);
7645 len = __le16_to_cpu(lh->len);
7647 if (len != skb->len) {
7652 /* Since we can't actively block incoming LE connections we must
7653 * at least ensure that we ignore incoming data from them.
7655 if (hcon->type == LE_LINK &&
7656 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7657 bdaddr_dst_type(hcon))) {
7662 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7665 case L2CAP_CID_SIGNALING:
7666 l2cap_sig_channel(conn, skb);
7669 case L2CAP_CID_CONN_LESS:
7670 psm = get_unaligned((__le16 *) skb->data);
7671 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7672 l2cap_conless_channel(conn, psm, skb);
7675 case L2CAP_CID_LE_SIGNALING:
7676 l2cap_le_sig_channel(conn, skb);
7680 l2cap_data_channel(conn, cid, skb);
7685 static void process_pending_rx(struct work_struct *work)
7687 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7689 struct sk_buff *skb;
7693 while ((skb = skb_dequeue(&conn->pending_rx)))
7694 l2cap_recv_frame(conn, skb);
7697 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7699 struct l2cap_conn *conn = hcon->l2cap_data;
7700 struct hci_chan *hchan;
7705 hchan = hci_chan_create(hcon);
7709 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7711 hci_chan_del(hchan);
7715 kref_init(&conn->ref);
7716 hcon->l2cap_data = conn;
7717 conn->hcon = hci_conn_get(hcon);
7718 conn->hchan = hchan;
7720 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7722 switch (hcon->type) {
7724 if (hcon->hdev->le_mtu) {
7725 conn->mtu = hcon->hdev->le_mtu;
7730 conn->mtu = hcon->hdev->acl_mtu;
7734 conn->feat_mask = 0;
7736 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7738 if (hcon->type == ACL_LINK &&
7739 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7740 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7742 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7743 (bredr_sc_enabled(hcon->hdev) ||
7744 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7745 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7747 mutex_init(&conn->ident_lock);
7748 mutex_init(&conn->chan_lock);
7750 INIT_LIST_HEAD(&conn->chan_l);
7751 INIT_LIST_HEAD(&conn->users);
7753 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7755 skb_queue_head_init(&conn->pending_rx);
7756 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7757 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7759 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7764 static bool is_valid_psm(u16 psm, u8 dst_type) {
7768 if (bdaddr_type_is_le(dst_type))
7769 return (psm <= 0x00ff);
7771 /* PSM must be odd and lsb of upper byte must be 0 */
7772 return ((psm & 0x0101) == 0x0001);
7775 struct l2cap_chan_data {
7776 struct l2cap_chan *chan;
7781 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7783 struct l2cap_chan_data *d = data;
7786 if (chan == d->chan)
7789 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7792 pid = chan->ops->get_peer_pid(chan);
7794 /* Only count deferred channels with the same PID/PSM */
7795 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7796 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7802 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7803 bdaddr_t *dst, u8 dst_type)
7805 struct l2cap_conn *conn;
7806 struct hci_conn *hcon;
7807 struct hci_dev *hdev;
7810 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7811 dst, dst_type, __le16_to_cpu(psm), chan->mode);
7813 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7815 return -EHOSTUNREACH;
7819 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7820 chan->chan_type != L2CAP_CHAN_RAW) {
7825 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7830 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7835 switch (chan->mode) {
7836 case L2CAP_MODE_BASIC:
7838 case L2CAP_MODE_LE_FLOWCTL:
7840 case L2CAP_MODE_EXT_FLOWCTL:
7841 if (!enable_ecred) {
7846 case L2CAP_MODE_ERTM:
7847 case L2CAP_MODE_STREAMING:
7856 switch (chan->state) {
7860 /* Already connecting */
7865 /* Already connected */
7879 /* Set destination address and psm */
7880 bacpy(&chan->dst, dst);
7881 chan->dst_type = dst_type;
7886 if (bdaddr_type_is_le(dst_type)) {
7887 /* Convert from L2CAP channel address type to HCI address type
7889 if (dst_type == BDADDR_LE_PUBLIC)
7890 dst_type = ADDR_LE_DEV_PUBLIC;
7892 dst_type = ADDR_LE_DEV_RANDOM;
7894 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7895 hcon = hci_connect_le(hdev, dst, dst_type,
7897 HCI_LE_CONN_TIMEOUT,
7898 HCI_ROLE_SLAVE, NULL);
7900 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7902 HCI_LE_CONN_TIMEOUT,
7903 CONN_REASON_L2CAP_CHAN);
7906 u8 auth_type = l2cap_get_auth_type(chan);
7907 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7908 CONN_REASON_L2CAP_CHAN);
7912 err = PTR_ERR(hcon);
7916 conn = l2cap_conn_add(hcon);
7918 hci_conn_drop(hcon);
7923 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7924 struct l2cap_chan_data data;
7927 data.pid = chan->ops->get_peer_pid(chan);
7930 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7932 /* Check if there isn't too many channels being connected */
7933 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7934 hci_conn_drop(hcon);
7940 mutex_lock(&conn->chan_lock);
7941 l2cap_chan_lock(chan);
7943 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7944 hci_conn_drop(hcon);
7949 /* Update source addr of the socket */
7950 bacpy(&chan->src, &hcon->src);
7951 chan->src_type = bdaddr_src_type(hcon);
7953 __l2cap_chan_add(conn, chan);
7955 /* l2cap_chan_add takes its own ref so we can drop this one */
7956 hci_conn_drop(hcon);
7958 l2cap_state_change(chan, BT_CONNECT);
7959 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7961 /* Release chan->sport so that it can be reused by other
7962 * sockets (as it's only used for listening sockets).
7964 write_lock(&chan_list_lock);
7966 write_unlock(&chan_list_lock);
7968 if (hcon->state == BT_CONNECTED) {
7969 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7970 __clear_chan_timer(chan);
7971 if (l2cap_chan_check_security(chan, true))
7972 l2cap_state_change(chan, BT_CONNECTED);
7974 l2cap_do_start(chan);
7980 l2cap_chan_unlock(chan);
7981 mutex_unlock(&conn->chan_lock);
7983 hci_dev_unlock(hdev);
7987 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7989 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7991 struct l2cap_conn *conn = chan->conn;
7993 struct l2cap_ecred_reconf_req req;
7997 pdu.req.mtu = cpu_to_le16(chan->imtu);
7998 pdu.req.mps = cpu_to_le16(chan->mps);
7999 pdu.scid = cpu_to_le16(chan->scid);
8001 chan->ident = l2cap_get_ident(conn);
8003 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
8007 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8009 if (chan->imtu > mtu)
8012 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8016 l2cap_ecred_reconfigure(chan);
8021 /* ---- L2CAP interface with lower layer (HCI) ---- */
8023 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
8025 int exact = 0, lm1 = 0, lm2 = 0;
8026 struct l2cap_chan *c;
8028 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
8030 /* Find listening sockets and check their link_mode */
8031 read_lock(&chan_list_lock);
8032 list_for_each_entry(c, &chan_list, global_l) {
8033 if (c->state != BT_LISTEN)
8036 if (!bacmp(&c->src, &hdev->bdaddr)) {
8037 lm1 |= HCI_LM_ACCEPT;
8038 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8039 lm1 |= HCI_LM_MASTER;
8041 } else if (!bacmp(&c->src, BDADDR_ANY)) {
8042 lm2 |= HCI_LM_ACCEPT;
8043 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8044 lm2 |= HCI_LM_MASTER;
8047 read_unlock(&chan_list_lock);
8049 return exact ? lm1 : lm2;
8052 /* Find the next fixed channel in BT_LISTEN state, continue iteration
8053 * from an existing channel in the list or from the beginning of the
8054 * global list (by passing NULL as first parameter).
8056 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
8057 struct hci_conn *hcon)
8059 u8 src_type = bdaddr_src_type(hcon);
8061 read_lock(&chan_list_lock);
8064 c = list_next_entry(c, global_l);
8066 c = list_entry(chan_list.next, typeof(*c), global_l);
8068 list_for_each_entry_from(c, &chan_list, global_l) {
8069 if (c->chan_type != L2CAP_CHAN_FIXED)
8071 if (c->state != BT_LISTEN)
8073 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
8075 if (src_type != c->src_type)
8079 read_unlock(&chan_list_lock);
8083 read_unlock(&chan_list_lock);
8088 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
8090 struct hci_dev *hdev = hcon->hdev;
8091 struct l2cap_conn *conn;
8092 struct l2cap_chan *pchan;
8095 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8098 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
8101 l2cap_conn_del(hcon, bt_to_errno(status));
8105 conn = l2cap_conn_add(hcon);
8109 dst_type = bdaddr_dst_type(hcon);
8111 /* If device is blocked, do not create channels for it */
8112 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
8115 /* Find fixed channels and notify them of the new connection. We
8116 * use multiple individual lookups, continuing each time where
8117 * we left off, because the list lock would prevent calling the
8118 * potentially sleeping l2cap_chan_lock() function.
8120 pchan = l2cap_global_fixed_chan(NULL, hcon);
8122 struct l2cap_chan *chan, *next;
8124 /* Client fixed channels should override server ones */
8125 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
8128 l2cap_chan_lock(pchan);
8129 chan = pchan->ops->new_connection(pchan);
8131 bacpy(&chan->src, &hcon->src);
8132 bacpy(&chan->dst, &hcon->dst);
8133 chan->src_type = bdaddr_src_type(hcon);
8134 chan->dst_type = dst_type;
8136 __l2cap_chan_add(conn, chan);
8139 l2cap_chan_unlock(pchan);
8141 next = l2cap_global_fixed_chan(pchan, hcon);
8142 l2cap_chan_put(pchan);
8146 l2cap_conn_ready(conn);
8149 int l2cap_disconn_ind(struct hci_conn *hcon)
8151 struct l2cap_conn *conn = hcon->l2cap_data;
8153 BT_DBG("hcon %p", hcon);
8156 return HCI_ERROR_REMOTE_USER_TERM;
8157 return conn->disc_reason;
8160 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
8162 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8165 BT_DBG("hcon %p reason %d", hcon, reason);
8167 l2cap_conn_del(hcon, bt_to_errno(reason));
8170 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
8172 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
8175 if (encrypt == 0x00) {
8176 if (chan->sec_level == BT_SECURITY_MEDIUM) {
8177 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
8178 } else if (chan->sec_level == BT_SECURITY_HIGH ||
8179 chan->sec_level == BT_SECURITY_FIPS)
8180 l2cap_chan_close(chan, ECONNREFUSED);
8182 if (chan->sec_level == BT_SECURITY_MEDIUM)
8183 __clear_chan_timer(chan);
8187 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
8189 struct l2cap_conn *conn = hcon->l2cap_data;
8190 struct l2cap_chan *chan;
8195 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
8197 mutex_lock(&conn->chan_lock);
8199 list_for_each_entry(chan, &conn->chan_l, list) {
8200 l2cap_chan_lock(chan);
8202 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
8203 state_to_string(chan->state));
8205 if (chan->scid == L2CAP_CID_A2MP) {
8206 l2cap_chan_unlock(chan);
8210 if (!status && encrypt)
8211 chan->sec_level = hcon->sec_level;
8213 if (!__l2cap_no_conn_pending(chan)) {
8214 l2cap_chan_unlock(chan);
8218 if (!status && (chan->state == BT_CONNECTED ||
8219 chan->state == BT_CONFIG)) {
8220 chan->ops->resume(chan);
8221 l2cap_check_encryption(chan, encrypt);
8222 l2cap_chan_unlock(chan);
8226 if (chan->state == BT_CONNECT) {
8227 if (!status && l2cap_check_enc_key_size(hcon))
8228 l2cap_start_connection(chan);
8230 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8231 } else if (chan->state == BT_CONNECT2 &&
8232 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8233 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
8234 struct l2cap_conn_rsp rsp;
8237 if (!status && l2cap_check_enc_key_size(hcon)) {
8238 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
8239 res = L2CAP_CR_PEND;
8240 stat = L2CAP_CS_AUTHOR_PEND;
8241 chan->ops->defer(chan);
8243 l2cap_state_change(chan, BT_CONFIG);
8244 res = L2CAP_CR_SUCCESS;
8245 stat = L2CAP_CS_NO_INFO;
8248 l2cap_state_change(chan, BT_DISCONN);
8249 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8250 res = L2CAP_CR_SEC_BLOCK;
8251 stat = L2CAP_CS_NO_INFO;
8254 rsp.scid = cpu_to_le16(chan->dcid);
8255 rsp.dcid = cpu_to_le16(chan->scid);
8256 rsp.result = cpu_to_le16(res);
8257 rsp.status = cpu_to_le16(stat);
8258 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
8261 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
8262 res == L2CAP_CR_SUCCESS) {
8264 set_bit(CONF_REQ_SENT, &chan->conf_state);
8265 l2cap_send_cmd(conn, l2cap_get_ident(conn),
8267 l2cap_build_conf_req(chan, buf, sizeof(buf)),
8269 chan->num_conf_req++;
8273 l2cap_chan_unlock(chan);
8276 mutex_unlock(&conn->chan_lock);
8279 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
8281 struct l2cap_conn *conn = hcon->l2cap_data;
8282 struct l2cap_hdr *hdr;
8285 /* For AMP controller do not create l2cap conn */
8286 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
8290 conn = l2cap_conn_add(hcon);
8295 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
8299 case ACL_START_NO_FLUSH:
8302 BT_ERR("Unexpected start frame (len %d)", skb->len);
8303 kfree_skb(conn->rx_skb);
8304 conn->rx_skb = NULL;
8306 l2cap_conn_unreliable(conn, ECOMM);
8309 /* Start fragment always begin with Basic L2CAP header */
8310 if (skb->len < L2CAP_HDR_SIZE) {
8311 BT_ERR("Frame is too short (len %d)", skb->len);
8312 l2cap_conn_unreliable(conn, ECOMM);
8316 hdr = (struct l2cap_hdr *) skb->data;
8317 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
8319 if (len == skb->len) {
8320 /* Complete frame received */
8321 l2cap_recv_frame(conn, skb);
8325 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
8327 if (skb->len > len) {
8328 BT_ERR("Frame is too long (len %d, expected len %d)",
8330 l2cap_conn_unreliable(conn, ECOMM);
8334 /* Allocate skb for the complete frame (with header) */
8335 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
8339 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8341 conn->rx_len = len - skb->len;
8345 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
8347 if (!conn->rx_len) {
8348 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
8349 l2cap_conn_unreliable(conn, ECOMM);
8353 if (skb->len > conn->rx_len) {
8354 BT_ERR("Fragment is too long (len %d, expected %d)",
8355 skb->len, conn->rx_len);
8356 kfree_skb(conn->rx_skb);
8357 conn->rx_skb = NULL;
8359 l2cap_conn_unreliable(conn, ECOMM);
8363 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8365 conn->rx_len -= skb->len;
8367 if (!conn->rx_len) {
8368 /* Complete frame received. l2cap_recv_frame
8369 * takes ownership of the skb so set the global
8370 * rx_skb pointer to NULL first.
8372 struct sk_buff *rx_skb = conn->rx_skb;
8373 conn->rx_skb = NULL;
8374 l2cap_recv_frame(conn, rx_skb);
8383 static struct hci_cb l2cap_cb = {
8385 .connect_cfm = l2cap_connect_cfm,
8386 .disconn_cfm = l2cap_disconn_cfm,
8387 .security_cfm = l2cap_security_cfm,
8390 static int l2cap_debugfs_show(struct seq_file *f, void *p)
8392 struct l2cap_chan *c;
8394 read_lock(&chan_list_lock);
8396 list_for_each_entry(c, &chan_list, global_l) {
8397 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
8398 &c->src, c->src_type, &c->dst, c->dst_type,
8399 c->state, __le16_to_cpu(c->psm),
8400 c->scid, c->dcid, c->imtu, c->omtu,
8401 c->sec_level, c->mode);
8404 read_unlock(&chan_list_lock);
8409 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
8411 static struct dentry *l2cap_debugfs;
8413 int __init l2cap_init(void)
8417 err = l2cap_init_sockets();
8421 hci_register_cb(&l2cap_cb);
8423 if (IS_ERR_OR_NULL(bt_debugfs))
8426 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
8427 NULL, &l2cap_debugfs_fops);
8432 void l2cap_exit(void)
8434 debugfs_remove(l2cap_debugfs);
8435 hci_unregister_cb(&l2cap_cb);
8436 l2cap_cleanup_sockets();
8439 module_param(disable_ertm, bool, 0644);
8440 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8442 module_param(enable_ecred, bool, 0644);
8443 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
projects / linux-2.6-microblaze.git / blob