2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
50 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
52 static LIST_HEAD(chan_list);
53 static DEFINE_RWLOCK(chan_list_lock);
55 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
56 u8 code, u8 ident, u16 dlen, void *data);
57 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
60 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
63 struct sk_buff_head *skbs, u8 event);
65 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67 if (link_type == LE_LINK) {
68 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
69 return BDADDR_LE_PUBLIC;
71 return BDADDR_LE_RANDOM;
77 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79 return bdaddr_type(hcon->type, hcon->src_type);
82 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84 return bdaddr_type(hcon->type, hcon->dst_type);
87 /* ---- L2CAP channels ---- */
89 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
94 list_for_each_entry(c, &conn->chan_l, list) {
101 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
104 struct l2cap_chan *c;
106 list_for_each_entry(c, &conn->chan_l, list) {
113 /* Find channel with given SCID.
114 * Returns locked channel. */
115 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 struct l2cap_chan *c;
120 mutex_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
124 mutex_unlock(&conn->chan_lock);
129 /* Find channel with given DCID.
130 * Returns locked channel.
132 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
135 struct l2cap_chan *c;
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_dcid(conn, cid);
141 mutex_unlock(&conn->chan_lock);
146 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
149 struct l2cap_chan *c;
151 list_for_each_entry(c, &conn->chan_l, list) {
152 if (c->ident == ident)
158 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
161 struct l2cap_chan *c;
163 mutex_lock(&conn->chan_lock);
164 c = __l2cap_get_chan_by_ident(conn, ident);
167 mutex_unlock(&conn->chan_lock);
172 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
175 struct l2cap_chan *c;
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
181 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
184 if (c->sport == psm && !bacmp(&c->src, src))
190 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
194 write_lock(&chan_list_lock);
196 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
206 u16 p, start, end, incr;
208 if (chan->src_type == BDADDR_BREDR) {
209 start = L2CAP_PSM_DYN_START;
210 end = L2CAP_PSM_AUTO_END;
213 start = L2CAP_PSM_LE_DYN_START;
214 end = L2CAP_PSM_LE_DYN_END;
219 for (p = start; p <= end; p += incr)
220 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
222 chan->psm = cpu_to_le16(p);
223 chan->sport = cpu_to_le16(p);
230 write_unlock(&chan_list_lock);
233 EXPORT_SYMBOL_GPL(l2cap_add_psm);
235 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
237 write_lock(&chan_list_lock);
239 /* Override the defaults (which are for conn-oriented) */
240 chan->omtu = L2CAP_DEFAULT_MTU;
241 chan->chan_type = L2CAP_CHAN_FIXED;
245 write_unlock(&chan_list_lock);
250 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
254 if (conn->hcon->type == LE_LINK)
255 dyn_end = L2CAP_CID_LE_DYN_END;
257 dyn_end = L2CAP_CID_DYN_END;
259 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
260 if (!__l2cap_get_chan_by_scid(conn, cid))
267 static void l2cap_state_change(struct l2cap_chan *chan, int state)
269 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
270 state_to_string(state));
273 chan->ops->state_change(chan, state, 0);
276 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
280 chan->ops->state_change(chan, chan->state, err);
283 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
285 chan->ops->state_change(chan, chan->state, err);
288 static void __set_retrans_timer(struct l2cap_chan *chan)
290 if (!delayed_work_pending(&chan->monitor_timer) &&
291 chan->retrans_timeout) {
292 l2cap_set_timer(chan, &chan->retrans_timer,
293 msecs_to_jiffies(chan->retrans_timeout));
297 static void __set_monitor_timer(struct l2cap_chan *chan)
299 __clear_retrans_timer(chan);
300 if (chan->monitor_timeout) {
301 l2cap_set_timer(chan, &chan->monitor_timer,
302 msecs_to_jiffies(chan->monitor_timeout));
306 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
311 skb_queue_walk(head, skb) {
312 if (bt_cb(skb)->l2cap.txseq == seq)
319 /* ---- L2CAP sequence number lists ---- */
321 /* For ERTM, ordered lists of sequence numbers must be tracked for
322 * SREJ requests that are received and for frames that are to be
323 * retransmitted. These seq_list functions implement a singly-linked
324 * list in an array, where membership in the list can also be checked
325 * in constant time. Items can also be added to the tail of the list
326 * and removed from the head in constant time, without further memory
330 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
332 size_t alloc_size, i;
334 /* Allocated size is a power of 2 to map sequence numbers
335 * (which may be up to 14 bits) in to a smaller array that is
336 * sized for the negotiated ERTM transmit windows.
338 alloc_size = roundup_pow_of_two(size);
340 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
344 seq_list->mask = alloc_size - 1;
345 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
346 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
347 for (i = 0; i < alloc_size; i++)
348 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
353 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
355 kfree(seq_list->list);
358 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
361 /* Constant-time check for list membership */
362 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
365 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
367 u16 seq = seq_list->head;
368 u16 mask = seq_list->mask;
370 seq_list->head = seq_list->list[seq & mask];
371 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
373 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
381 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
395 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
397 u16 mask = seq_list->mask;
399 /* All appends happen in constant time */
401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
407 seq_list->list[seq_list->tail & mask] = seq;
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
413 static void l2cap_chan_timeout(struct work_struct *work)
415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
417 struct l2cap_conn *conn = chan->conn;
420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
422 mutex_lock(&conn->chan_lock);
423 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
424 * this work. No need to call l2cap_chan_hold(chan) here again.
426 l2cap_chan_lock(chan);
428 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
429 reason = ECONNREFUSED;
430 else if (chan->state == BT_CONNECT &&
431 chan->sec_level != BT_SECURITY_SDP)
432 reason = ECONNREFUSED;
436 l2cap_chan_close(chan, reason);
438 chan->ops->close(chan);
440 l2cap_chan_unlock(chan);
441 l2cap_chan_put(chan);
443 mutex_unlock(&conn->chan_lock);
446 struct l2cap_chan *l2cap_chan_create(void)
448 struct l2cap_chan *chan;
450 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
454 mutex_init(&chan->lock);
456 /* Set default lock nesting level */
457 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
459 write_lock(&chan_list_lock);
460 list_add(&chan->global_l, &chan_list);
461 write_unlock(&chan_list_lock);
463 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
465 chan->state = BT_OPEN;
467 kref_init(&chan->kref);
469 /* This flag is cleared in l2cap_chan_ready() */
470 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
472 BT_DBG("chan %p", chan);
476 EXPORT_SYMBOL_GPL(l2cap_chan_create);
478 static void l2cap_chan_destroy(struct kref *kref)
480 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
482 BT_DBG("chan %p", chan);
484 write_lock(&chan_list_lock);
485 list_del(&chan->global_l);
486 write_unlock(&chan_list_lock);
491 void l2cap_chan_hold(struct l2cap_chan *c)
493 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
498 void l2cap_chan_put(struct l2cap_chan *c)
500 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
502 kref_put(&c->kref, l2cap_chan_destroy);
504 EXPORT_SYMBOL_GPL(l2cap_chan_put);
506 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
508 chan->fcs = L2CAP_FCS_CRC16;
509 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
510 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
511 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
512 chan->remote_max_tx = chan->max_tx;
513 chan->remote_tx_win = chan->tx_win;
514 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
515 chan->sec_level = BT_SECURITY_LOW;
516 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
517 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
518 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
519 chan->conf_state = 0;
521 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
523 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
525 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
528 chan->sdu_last_frag = NULL;
530 chan->tx_credits = tx_credits;
531 /* Derive MPS from connection MTU to stop HCI fragmentation */
532 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
533 /* Give enough credits for a full packet */
534 chan->rx_credits = (chan->imtu / chan->mps) + 1;
536 skb_queue_head_init(&chan->tx_q);
539 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
541 l2cap_le_flowctl_init(chan, tx_credits);
543 /* L2CAP implementations shall support a minimum MPS of 64 octets */
544 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
545 chan->mps = L2CAP_ECRED_MIN_MPS;
546 chan->rx_credits = (chan->imtu / chan->mps) + 1;
550 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
552 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
553 __le16_to_cpu(chan->psm), chan->dcid);
555 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
559 switch (chan->chan_type) {
560 case L2CAP_CHAN_CONN_ORIENTED:
561 /* Alloc CID for connection-oriented socket */
562 chan->scid = l2cap_alloc_cid(conn);
563 if (conn->hcon->type == ACL_LINK)
564 chan->omtu = L2CAP_DEFAULT_MTU;
567 case L2CAP_CHAN_CONN_LESS:
568 /* Connectionless socket */
569 chan->scid = L2CAP_CID_CONN_LESS;
570 chan->dcid = L2CAP_CID_CONN_LESS;
571 chan->omtu = L2CAP_DEFAULT_MTU;
574 case L2CAP_CHAN_FIXED:
575 /* Caller will set CID and CID specific MTU values */
579 /* Raw socket can send/recv signalling messages only */
580 chan->scid = L2CAP_CID_SIGNALING;
581 chan->dcid = L2CAP_CID_SIGNALING;
582 chan->omtu = L2CAP_DEFAULT_MTU;
585 chan->local_id = L2CAP_BESTEFFORT_ID;
586 chan->local_stype = L2CAP_SERV_BESTEFFORT;
587 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
588 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
589 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
590 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
592 l2cap_chan_hold(chan);
594 /* Only keep a reference for fixed channels if they requested it */
595 if (chan->chan_type != L2CAP_CHAN_FIXED ||
596 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
597 hci_conn_hold(conn->hcon);
599 list_add(&chan->list, &conn->chan_l);
602 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
604 mutex_lock(&conn->chan_lock);
605 __l2cap_chan_add(conn, chan);
606 mutex_unlock(&conn->chan_lock);
609 void l2cap_chan_del(struct l2cap_chan *chan, int err)
611 struct l2cap_conn *conn = chan->conn;
613 __clear_chan_timer(chan);
615 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
616 state_to_string(chan->state));
618 chan->ops->teardown(chan, err);
621 struct amp_mgr *mgr = conn->hcon->amp_mgr;
622 /* Delete from channel list */
623 list_del(&chan->list);
625 l2cap_chan_put(chan);
629 /* Reference was only held for non-fixed channels or
630 * fixed channels that explicitly requested it using the
631 * FLAG_HOLD_HCI_CONN flag.
633 if (chan->chan_type != L2CAP_CHAN_FIXED ||
634 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
635 hci_conn_drop(conn->hcon);
637 if (mgr && mgr->bredr_chan == chan)
638 mgr->bredr_chan = NULL;
641 if (chan->hs_hchan) {
642 struct hci_chan *hs_hchan = chan->hs_hchan;
644 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
645 amp_disconnect_logical_link(hs_hchan);
648 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
652 case L2CAP_MODE_BASIC:
655 case L2CAP_MODE_LE_FLOWCTL:
656 case L2CAP_MODE_EXT_FLOWCTL:
657 skb_queue_purge(&chan->tx_q);
660 case L2CAP_MODE_ERTM:
661 __clear_retrans_timer(chan);
662 __clear_monitor_timer(chan);
663 __clear_ack_timer(chan);
665 skb_queue_purge(&chan->srej_q);
667 l2cap_seq_list_free(&chan->srej_list);
668 l2cap_seq_list_free(&chan->retrans_list);
671 case L2CAP_MODE_STREAMING:
672 skb_queue_purge(&chan->tx_q);
678 EXPORT_SYMBOL_GPL(l2cap_chan_del);
680 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
683 struct l2cap_chan *chan;
685 list_for_each_entry(chan, &conn->chan_l, list) {
690 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
696 mutex_lock(&conn->chan_lock);
697 __l2cap_chan_list(conn, func, data);
698 mutex_unlock(&conn->chan_lock);
701 EXPORT_SYMBOL_GPL(l2cap_chan_list);
703 static void l2cap_conn_update_id_addr(struct work_struct *work)
705 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
706 id_addr_update_work);
707 struct hci_conn *hcon = conn->hcon;
708 struct l2cap_chan *chan;
710 mutex_lock(&conn->chan_lock);
712 list_for_each_entry(chan, &conn->chan_l, list) {
713 l2cap_chan_lock(chan);
714 bacpy(&chan->dst, &hcon->dst);
715 chan->dst_type = bdaddr_dst_type(hcon);
716 l2cap_chan_unlock(chan);
719 mutex_unlock(&conn->chan_lock);
722 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
724 struct l2cap_conn *conn = chan->conn;
725 struct l2cap_le_conn_rsp rsp;
728 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
729 result = L2CAP_CR_LE_AUTHORIZATION;
731 result = L2CAP_CR_LE_BAD_PSM;
733 l2cap_state_change(chan, BT_DISCONN);
735 rsp.dcid = cpu_to_le16(chan->scid);
736 rsp.mtu = cpu_to_le16(chan->imtu);
737 rsp.mps = cpu_to_le16(chan->mps);
738 rsp.credits = cpu_to_le16(chan->rx_credits);
739 rsp.result = cpu_to_le16(result);
741 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
745 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
747 struct l2cap_conn *conn = chan->conn;
748 struct l2cap_ecred_conn_rsp rsp;
751 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
752 result = L2CAP_CR_LE_AUTHORIZATION;
754 result = L2CAP_CR_LE_BAD_PSM;
756 l2cap_state_change(chan, BT_DISCONN);
758 memset(&rsp, 0, sizeof(rsp));
760 rsp.result = cpu_to_le16(result);
762 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
766 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
768 struct l2cap_conn *conn = chan->conn;
769 struct l2cap_conn_rsp rsp;
772 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
773 result = L2CAP_CR_SEC_BLOCK;
775 result = L2CAP_CR_BAD_PSM;
777 l2cap_state_change(chan, BT_DISCONN);
779 rsp.scid = cpu_to_le16(chan->dcid);
780 rsp.dcid = cpu_to_le16(chan->scid);
781 rsp.result = cpu_to_le16(result);
782 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
784 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
787 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
789 struct l2cap_conn *conn = chan->conn;
791 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
793 switch (chan->state) {
795 chan->ops->teardown(chan, 0);
800 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
801 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
802 l2cap_send_disconn_req(chan, reason);
804 l2cap_chan_del(chan, reason);
808 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
809 if (conn->hcon->type == ACL_LINK)
810 l2cap_chan_connect_reject(chan);
811 else if (conn->hcon->type == LE_LINK) {
812 switch (chan->mode) {
813 case L2CAP_MODE_LE_FLOWCTL:
814 l2cap_chan_le_connect_reject(chan);
816 case L2CAP_MODE_EXT_FLOWCTL:
817 l2cap_chan_ecred_connect_reject(chan);
823 l2cap_chan_del(chan, reason);
828 l2cap_chan_del(chan, reason);
832 chan->ops->teardown(chan, 0);
836 EXPORT_SYMBOL(l2cap_chan_close);
838 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
840 switch (chan->chan_type) {
842 switch (chan->sec_level) {
843 case BT_SECURITY_HIGH:
844 case BT_SECURITY_FIPS:
845 return HCI_AT_DEDICATED_BONDING_MITM;
846 case BT_SECURITY_MEDIUM:
847 return HCI_AT_DEDICATED_BONDING;
849 return HCI_AT_NO_BONDING;
852 case L2CAP_CHAN_CONN_LESS:
853 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
854 if (chan->sec_level == BT_SECURITY_LOW)
855 chan->sec_level = BT_SECURITY_SDP;
857 if (chan->sec_level == BT_SECURITY_HIGH ||
858 chan->sec_level == BT_SECURITY_FIPS)
859 return HCI_AT_NO_BONDING_MITM;
861 return HCI_AT_NO_BONDING;
863 case L2CAP_CHAN_CONN_ORIENTED:
864 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
865 if (chan->sec_level == BT_SECURITY_LOW)
866 chan->sec_level = BT_SECURITY_SDP;
868 if (chan->sec_level == BT_SECURITY_HIGH ||
869 chan->sec_level == BT_SECURITY_FIPS)
870 return HCI_AT_NO_BONDING_MITM;
872 return HCI_AT_NO_BONDING;
877 switch (chan->sec_level) {
878 case BT_SECURITY_HIGH:
879 case BT_SECURITY_FIPS:
880 return HCI_AT_GENERAL_BONDING_MITM;
881 case BT_SECURITY_MEDIUM:
882 return HCI_AT_GENERAL_BONDING;
884 return HCI_AT_NO_BONDING;
890 /* Service level security */
891 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
893 struct l2cap_conn *conn = chan->conn;
896 if (conn->hcon->type == LE_LINK)
897 return smp_conn_security(conn->hcon, chan->sec_level);
899 auth_type = l2cap_get_auth_type(chan);
901 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
905 static u8 l2cap_get_ident(struct l2cap_conn *conn)
909 /* Get next available identificator.
910 * 1 - 128 are used by kernel.
911 * 129 - 199 are reserved.
912 * 200 - 254 are used by utilities like l2ping, etc.
915 mutex_lock(&conn->ident_lock);
917 if (++conn->tx_ident > 128)
922 mutex_unlock(&conn->ident_lock);
927 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
930 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
933 BT_DBG("code 0x%2.2x", code);
938 /* Use NO_FLUSH if supported or we have an LE link (which does
939 * not support auto-flushing packets) */
940 if (lmp_no_flush_capable(conn->hcon->hdev) ||
941 conn->hcon->type == LE_LINK)
942 flags = ACL_START_NO_FLUSH;
946 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
947 skb->priority = HCI_PRIO_MAX;
949 hci_send_acl(conn->hchan, skb, flags);
952 static bool __chan_is_moving(struct l2cap_chan *chan)
954 return chan->move_state != L2CAP_MOVE_STABLE &&
955 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
958 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
960 struct hci_conn *hcon = chan->conn->hcon;
963 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
966 if (chan->hs_hcon && !__chan_is_moving(chan)) {
968 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
975 /* Use NO_FLUSH for LE links (where this is the only option) or
976 * if the BR/EDR link supports it and flushing has not been
977 * explicitly requested (through FLAG_FLUSHABLE).
979 if (hcon->type == LE_LINK ||
980 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
981 lmp_no_flush_capable(hcon->hdev)))
982 flags = ACL_START_NO_FLUSH;
986 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
987 hci_send_acl(chan->conn->hchan, skb, flags);
990 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
992 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
993 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
995 if (enh & L2CAP_CTRL_FRAME_TYPE) {
998 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
999 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1005 control->sframe = 0;
1006 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1007 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1014 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1016 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1017 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1019 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1021 control->sframe = 1;
1022 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1023 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1029 control->sframe = 0;
1030 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1031 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1038 static inline void __unpack_control(struct l2cap_chan *chan,
1039 struct sk_buff *skb)
1041 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1042 __unpack_extended_control(get_unaligned_le32(skb->data),
1043 &bt_cb(skb)->l2cap);
1044 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1046 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1047 &bt_cb(skb)->l2cap);
1048 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1052 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1056 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1057 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1059 if (control->sframe) {
1060 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1061 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1062 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1064 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1065 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1071 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1075 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1076 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1078 if (control->sframe) {
1079 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1080 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1081 packed |= L2CAP_CTRL_FRAME_TYPE;
1083 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1084 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1090 static inline void __pack_control(struct l2cap_chan *chan,
1091 struct l2cap_ctrl *control,
1092 struct sk_buff *skb)
1094 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1095 put_unaligned_le32(__pack_extended_control(control),
1096 skb->data + L2CAP_HDR_SIZE);
1098 put_unaligned_le16(__pack_enhanced_control(control),
1099 skb->data + L2CAP_HDR_SIZE);
1103 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1105 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1106 return L2CAP_EXT_HDR_SIZE;
1108 return L2CAP_ENH_HDR_SIZE;
1111 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1114 struct sk_buff *skb;
1115 struct l2cap_hdr *lh;
1116 int hlen = __ertm_hdr_size(chan);
1118 if (chan->fcs == L2CAP_FCS_CRC16)
1119 hlen += L2CAP_FCS_SIZE;
1121 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1124 return ERR_PTR(-ENOMEM);
1126 lh = skb_put(skb, L2CAP_HDR_SIZE);
1127 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1128 lh->cid = cpu_to_le16(chan->dcid);
1130 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1131 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1133 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1135 if (chan->fcs == L2CAP_FCS_CRC16) {
1136 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1137 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1140 skb->priority = HCI_PRIO_MAX;
1144 static void l2cap_send_sframe(struct l2cap_chan *chan,
1145 struct l2cap_ctrl *control)
1147 struct sk_buff *skb;
1150 BT_DBG("chan %p, control %p", chan, control);
1152 if (!control->sframe)
1155 if (__chan_is_moving(chan))
1158 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1162 if (control->super == L2CAP_SUPER_RR)
1163 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1164 else if (control->super == L2CAP_SUPER_RNR)
1165 set_bit(CONN_RNR_SENT, &chan->conn_state);
1167 if (control->super != L2CAP_SUPER_SREJ) {
1168 chan->last_acked_seq = control->reqseq;
1169 __clear_ack_timer(chan);
1172 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1173 control->final, control->poll, control->super);
1175 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1176 control_field = __pack_extended_control(control);
1178 control_field = __pack_enhanced_control(control);
1180 skb = l2cap_create_sframe_pdu(chan, control_field);
1182 l2cap_do_send(chan, skb);
1185 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1187 struct l2cap_ctrl control;
1189 BT_DBG("chan %p, poll %d", chan, poll);
1191 memset(&control, 0, sizeof(control));
1193 control.poll = poll;
1195 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1196 control.super = L2CAP_SUPER_RNR;
1198 control.super = L2CAP_SUPER_RR;
1200 control.reqseq = chan->buffer_seq;
1201 l2cap_send_sframe(chan, &control);
1204 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1206 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1209 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1212 static bool __amp_capable(struct l2cap_chan *chan)
1214 struct l2cap_conn *conn = chan->conn;
1215 struct hci_dev *hdev;
1216 bool amp_available = false;
1218 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1221 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1224 read_lock(&hci_dev_list_lock);
1225 list_for_each_entry(hdev, &hci_dev_list, list) {
1226 if (hdev->amp_type != AMP_TYPE_BREDR &&
1227 test_bit(HCI_UP, &hdev->flags)) {
1228 amp_available = true;
1232 read_unlock(&hci_dev_list_lock);
1234 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1235 return amp_available;
1240 static bool l2cap_check_efs(struct l2cap_chan *chan)
1242 /* Check EFS parameters */
1246 void l2cap_send_conn_req(struct l2cap_chan *chan)
1248 struct l2cap_conn *conn = chan->conn;
1249 struct l2cap_conn_req req;
1251 req.scid = cpu_to_le16(chan->scid);
1252 req.psm = chan->psm;
1254 chan->ident = l2cap_get_ident(conn);
1256 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1258 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1261 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1263 struct l2cap_create_chan_req req;
1264 req.scid = cpu_to_le16(chan->scid);
1265 req.psm = chan->psm;
1266 req.amp_id = amp_id;
1268 chan->ident = l2cap_get_ident(chan->conn);
1270 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1274 static void l2cap_move_setup(struct l2cap_chan *chan)
1276 struct sk_buff *skb;
1278 BT_DBG("chan %p", chan);
1280 if (chan->mode != L2CAP_MODE_ERTM)
1283 __clear_retrans_timer(chan);
1284 __clear_monitor_timer(chan);
1285 __clear_ack_timer(chan);
1287 chan->retry_count = 0;
1288 skb_queue_walk(&chan->tx_q, skb) {
1289 if (bt_cb(skb)->l2cap.retries)
1290 bt_cb(skb)->l2cap.retries = 1;
1295 chan->expected_tx_seq = chan->buffer_seq;
1297 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1298 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1299 l2cap_seq_list_clear(&chan->retrans_list);
1300 l2cap_seq_list_clear(&chan->srej_list);
1301 skb_queue_purge(&chan->srej_q);
1303 chan->tx_state = L2CAP_TX_STATE_XMIT;
1304 chan->rx_state = L2CAP_RX_STATE_MOVE;
1306 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1309 static void l2cap_move_done(struct l2cap_chan *chan)
1311 u8 move_role = chan->move_role;
1312 BT_DBG("chan %p", chan);
1314 chan->move_state = L2CAP_MOVE_STABLE;
1315 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1317 if (chan->mode != L2CAP_MODE_ERTM)
1320 switch (move_role) {
1321 case L2CAP_MOVE_ROLE_INITIATOR:
1322 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1323 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1325 case L2CAP_MOVE_ROLE_RESPONDER:
1326 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1331 static void l2cap_chan_ready(struct l2cap_chan *chan)
1333 /* The channel may have already been flagged as connected in
1334 * case of receiving data before the L2CAP info req/rsp
1335 * procedure is complete.
1337 if (chan->state == BT_CONNECTED)
1340 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1341 chan->conf_state = 0;
1342 __clear_chan_timer(chan);
1344 switch (chan->mode) {
1345 case L2CAP_MODE_LE_FLOWCTL:
1346 case L2CAP_MODE_EXT_FLOWCTL:
1347 if (!chan->tx_credits)
1348 chan->ops->suspend(chan);
1352 chan->state = BT_CONNECTED;
1354 chan->ops->ready(chan);
1357 static void l2cap_le_connect(struct l2cap_chan *chan)
1359 struct l2cap_conn *conn = chan->conn;
1360 struct l2cap_le_conn_req req;
1362 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1366 chan->imtu = chan->conn->mtu;
1368 l2cap_le_flowctl_init(chan, 0);
1370 req.psm = chan->psm;
1371 req.scid = cpu_to_le16(chan->scid);
1372 req.mtu = cpu_to_le16(chan->imtu);
1373 req.mps = cpu_to_le16(chan->mps);
1374 req.credits = cpu_to_le16(chan->rx_credits);
1376 chan->ident = l2cap_get_ident(conn);
1378 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1382 struct l2cap_ecred_conn_data {
1384 struct l2cap_ecred_conn_req req;
1387 struct l2cap_chan *chan;
1392 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1394 struct l2cap_ecred_conn_data *conn = data;
1397 if (chan == conn->chan)
1400 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1403 pid = chan->ops->get_peer_pid(chan);
1405 /* Only add deferred channels with the same PID/PSM */
1406 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1407 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1410 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1413 l2cap_ecred_init(chan, 0);
1415 /* Set the same ident so we can match on the rsp */
1416 chan->ident = conn->chan->ident;
1418 /* Include all channels deferred */
1419 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1424 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1426 struct l2cap_conn *conn = chan->conn;
1427 struct l2cap_ecred_conn_data data;
1429 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1432 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1435 l2cap_ecred_init(chan, 0);
1437 data.pdu.req.psm = chan->psm;
1438 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1439 data.pdu.req.mps = cpu_to_le16(chan->mps);
1440 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1441 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1443 chan->ident = l2cap_get_ident(conn);
1444 data.pid = chan->ops->get_peer_pid(chan);
1448 data.pid = chan->ops->get_peer_pid(chan);
1450 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1452 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1453 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1457 static void l2cap_le_start(struct l2cap_chan *chan)
1459 struct l2cap_conn *conn = chan->conn;
1461 if (!smp_conn_security(conn->hcon, chan->sec_level))
1465 l2cap_chan_ready(chan);
1469 if (chan->state == BT_CONNECT) {
1470 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1471 l2cap_ecred_connect(chan);
1473 l2cap_le_connect(chan);
1477 static void l2cap_start_connection(struct l2cap_chan *chan)
1479 if (__amp_capable(chan)) {
1480 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1481 a2mp_discover_amp(chan);
1482 } else if (chan->conn->hcon->type == LE_LINK) {
1483 l2cap_le_start(chan);
1485 l2cap_send_conn_req(chan);
1489 static void l2cap_request_info(struct l2cap_conn *conn)
1491 struct l2cap_info_req req;
1493 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1496 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1498 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1499 conn->info_ident = l2cap_get_ident(conn);
1501 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1503 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1507 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1509 /* The minimum encryption key size needs to be enforced by the
1510 * host stack before establishing any L2CAP connections. The
1511 * specification in theory allows a minimum of 1, but to align
1512 * BR/EDR and LE transports, a minimum of 7 is chosen.
1514 * This check might also be called for unencrypted connections
1515 * that have no key size requirements. Ensure that the link is
1516 * actually encrypted before enforcing a key size.
1518 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1519 hcon->enc_key_size >= hcon->hdev->min_enc_key_size);
1522 static void l2cap_do_start(struct l2cap_chan *chan)
1524 struct l2cap_conn *conn = chan->conn;
1526 if (conn->hcon->type == LE_LINK) {
1527 l2cap_le_start(chan);
1531 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1532 l2cap_request_info(conn);
1536 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1539 if (!l2cap_chan_check_security(chan, true) ||
1540 !__l2cap_no_conn_pending(chan))
1543 if (l2cap_check_enc_key_size(conn->hcon))
1544 l2cap_start_connection(chan);
1546 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1549 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1551 u32 local_feat_mask = l2cap_feat_mask;
1553 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1556 case L2CAP_MODE_ERTM:
1557 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1558 case L2CAP_MODE_STREAMING:
1559 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1565 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1567 struct l2cap_conn *conn = chan->conn;
1568 struct l2cap_disconn_req req;
1573 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1574 __clear_retrans_timer(chan);
1575 __clear_monitor_timer(chan);
1576 __clear_ack_timer(chan);
1579 if (chan->scid == L2CAP_CID_A2MP) {
1580 l2cap_state_change(chan, BT_DISCONN);
1584 req.dcid = cpu_to_le16(chan->dcid);
1585 req.scid = cpu_to_le16(chan->scid);
1586 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1589 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1592 /* ---- L2CAP connections ---- */
1593 static void l2cap_conn_start(struct l2cap_conn *conn)
1595 struct l2cap_chan *chan, *tmp;
1597 BT_DBG("conn %p", conn);
1599 mutex_lock(&conn->chan_lock);
1601 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1602 l2cap_chan_lock(chan);
1604 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1605 l2cap_chan_ready(chan);
1606 l2cap_chan_unlock(chan);
1610 if (chan->state == BT_CONNECT) {
1611 if (!l2cap_chan_check_security(chan, true) ||
1612 !__l2cap_no_conn_pending(chan)) {
1613 l2cap_chan_unlock(chan);
1617 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1618 && test_bit(CONF_STATE2_DEVICE,
1619 &chan->conf_state)) {
1620 l2cap_chan_close(chan, ECONNRESET);
1621 l2cap_chan_unlock(chan);
1625 if (l2cap_check_enc_key_size(conn->hcon))
1626 l2cap_start_connection(chan);
1628 l2cap_chan_close(chan, ECONNREFUSED);
1630 } else if (chan->state == BT_CONNECT2) {
1631 struct l2cap_conn_rsp rsp;
1633 rsp.scid = cpu_to_le16(chan->dcid);
1634 rsp.dcid = cpu_to_le16(chan->scid);
1636 if (l2cap_chan_check_security(chan, false)) {
1637 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1638 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1639 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1640 chan->ops->defer(chan);
1643 l2cap_state_change(chan, BT_CONFIG);
1644 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1645 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1648 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1649 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1652 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1655 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1656 rsp.result != L2CAP_CR_SUCCESS) {
1657 l2cap_chan_unlock(chan);
1661 set_bit(CONF_REQ_SENT, &chan->conf_state);
1662 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1663 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1664 chan->num_conf_req++;
1667 l2cap_chan_unlock(chan);
1670 mutex_unlock(&conn->chan_lock);
1673 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1675 struct hci_conn *hcon = conn->hcon;
1676 struct hci_dev *hdev = hcon->hdev;
1678 BT_DBG("%s conn %p", hdev->name, conn);
1680 /* For outgoing pairing which doesn't necessarily have an
1681 * associated socket (e.g. mgmt_pair_device).
1684 smp_conn_security(hcon, hcon->pending_sec_level);
1686 /* For LE slave connections, make sure the connection interval
1687 * is in the range of the minium and maximum interval that has
1688 * been configured for this connection. If not, then trigger
1689 * the connection update procedure.
1691 if (hcon->role == HCI_ROLE_SLAVE &&
1692 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1693 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1694 struct l2cap_conn_param_update_req req;
1696 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1697 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1698 req.latency = cpu_to_le16(hcon->le_conn_latency);
1699 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1701 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1702 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1706 static void l2cap_conn_ready(struct l2cap_conn *conn)
1708 struct l2cap_chan *chan;
1709 struct hci_conn *hcon = conn->hcon;
1711 BT_DBG("conn %p", conn);
1713 if (hcon->type == ACL_LINK)
1714 l2cap_request_info(conn);
1716 mutex_lock(&conn->chan_lock);
1718 list_for_each_entry(chan, &conn->chan_l, list) {
1720 l2cap_chan_lock(chan);
1722 if (chan->scid == L2CAP_CID_A2MP) {
1723 l2cap_chan_unlock(chan);
1727 if (hcon->type == LE_LINK) {
1728 l2cap_le_start(chan);
1729 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1730 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1731 l2cap_chan_ready(chan);
1732 } else if (chan->state == BT_CONNECT) {
1733 l2cap_do_start(chan);
1736 l2cap_chan_unlock(chan);
1739 mutex_unlock(&conn->chan_lock);
1741 if (hcon->type == LE_LINK)
1742 l2cap_le_conn_ready(conn);
1744 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1747 /* Notify sockets that we cannot guaranty reliability anymore */
1748 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1750 struct l2cap_chan *chan;
1752 BT_DBG("conn %p", conn);
1754 mutex_lock(&conn->chan_lock);
1756 list_for_each_entry(chan, &conn->chan_l, list) {
1757 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1758 l2cap_chan_set_err(chan, err);
1761 mutex_unlock(&conn->chan_lock);
1764 static void l2cap_info_timeout(struct work_struct *work)
1766 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1769 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1770 conn->info_ident = 0;
1772 l2cap_conn_start(conn);
1777 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1778 * callback is called during registration. The ->remove callback is called
1779 * during unregistration.
1780 * An l2cap_user object can either be explicitly unregistered or when the
1781 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1782 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1783 * External modules must own a reference to the l2cap_conn object if they intend
1784 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1785 * any time if they don't.
1788 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1790 struct hci_dev *hdev = conn->hcon->hdev;
1793 /* We need to check whether l2cap_conn is registered. If it is not, we
1794 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1795 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1796 * relies on the parent hci_conn object to be locked. This itself relies
1797 * on the hci_dev object to be locked. So we must lock the hci device
1802 if (!list_empty(&user->list)) {
1807 /* conn->hchan is NULL after l2cap_conn_del() was called */
1813 ret = user->probe(conn, user);
1817 list_add(&user->list, &conn->users);
1821 hci_dev_unlock(hdev);
1824 EXPORT_SYMBOL(l2cap_register_user);
1826 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1828 struct hci_dev *hdev = conn->hcon->hdev;
1832 if (list_empty(&user->list))
1835 list_del_init(&user->list);
1836 user->remove(conn, user);
1839 hci_dev_unlock(hdev);
1841 EXPORT_SYMBOL(l2cap_unregister_user);
1843 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1845 struct l2cap_user *user;
1847 while (!list_empty(&conn->users)) {
1848 user = list_first_entry(&conn->users, struct l2cap_user, list);
1849 list_del_init(&user->list);
1850 user->remove(conn, user);
1854 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1856 struct l2cap_conn *conn = hcon->l2cap_data;
1857 struct l2cap_chan *chan, *l;
1862 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1864 kfree_skb(conn->rx_skb);
1866 skb_queue_purge(&conn->pending_rx);
1868 /* We can not call flush_work(&conn->pending_rx_work) here since we
1869 * might block if we are running on a worker from the same workqueue
1870 * pending_rx_work is waiting on.
1872 if (work_pending(&conn->pending_rx_work))
1873 cancel_work_sync(&conn->pending_rx_work);
1875 if (work_pending(&conn->id_addr_update_work))
1876 cancel_work_sync(&conn->id_addr_update_work);
1878 l2cap_unregister_all_users(conn);
1880 /* Force the connection to be immediately dropped */
1881 hcon->disc_timeout = 0;
1883 mutex_lock(&conn->chan_lock);
1886 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1887 l2cap_chan_hold(chan);
1888 l2cap_chan_lock(chan);
1890 l2cap_chan_del(chan, err);
1892 chan->ops->close(chan);
1894 l2cap_chan_unlock(chan);
1895 l2cap_chan_put(chan);
1898 mutex_unlock(&conn->chan_lock);
1900 hci_chan_del(conn->hchan);
1902 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1903 cancel_delayed_work_sync(&conn->info_timer);
1905 hcon->l2cap_data = NULL;
1907 l2cap_conn_put(conn);
1910 static void l2cap_conn_free(struct kref *ref)
1912 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1914 hci_conn_put(conn->hcon);
1918 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1920 kref_get(&conn->ref);
1923 EXPORT_SYMBOL(l2cap_conn_get);
1925 void l2cap_conn_put(struct l2cap_conn *conn)
1927 kref_put(&conn->ref, l2cap_conn_free);
1929 EXPORT_SYMBOL(l2cap_conn_put);
1931 /* ---- Socket interface ---- */
1933 /* Find socket with psm and source / destination bdaddr.
1934 * Returns closest match.
1936 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1941 struct l2cap_chan *c, *c1 = NULL;
1943 read_lock(&chan_list_lock);
1945 list_for_each_entry(c, &chan_list, global_l) {
1946 if (state && c->state != state)
1949 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1952 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1955 if (c->psm == psm) {
1956 int src_match, dst_match;
1957 int src_any, dst_any;
1960 src_match = !bacmp(&c->src, src);
1961 dst_match = !bacmp(&c->dst, dst);
1962 if (src_match && dst_match) {
1964 read_unlock(&chan_list_lock);
1969 src_any = !bacmp(&c->src, BDADDR_ANY);
1970 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1971 if ((src_match && dst_any) || (src_any && dst_match) ||
1972 (src_any && dst_any))
1978 l2cap_chan_hold(c1);
1980 read_unlock(&chan_list_lock);
1985 static void l2cap_monitor_timeout(struct work_struct *work)
1987 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1988 monitor_timer.work);
1990 BT_DBG("chan %p", chan);
1992 l2cap_chan_lock(chan);
1995 l2cap_chan_unlock(chan);
1996 l2cap_chan_put(chan);
2000 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2002 l2cap_chan_unlock(chan);
2003 l2cap_chan_put(chan);
2006 static void l2cap_retrans_timeout(struct work_struct *work)
2008 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2009 retrans_timer.work);
2011 BT_DBG("chan %p", chan);
2013 l2cap_chan_lock(chan);
2016 l2cap_chan_unlock(chan);
2017 l2cap_chan_put(chan);
2021 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2022 l2cap_chan_unlock(chan);
2023 l2cap_chan_put(chan);
2026 static void l2cap_streaming_send(struct l2cap_chan *chan,
2027 struct sk_buff_head *skbs)
2029 struct sk_buff *skb;
2030 struct l2cap_ctrl *control;
2032 BT_DBG("chan %p, skbs %p", chan, skbs);
2034 if (__chan_is_moving(chan))
2037 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2039 while (!skb_queue_empty(&chan->tx_q)) {
2041 skb = skb_dequeue(&chan->tx_q);
2043 bt_cb(skb)->l2cap.retries = 1;
2044 control = &bt_cb(skb)->l2cap;
2046 control->reqseq = 0;
2047 control->txseq = chan->next_tx_seq;
2049 __pack_control(chan, control, skb);
2051 if (chan->fcs == L2CAP_FCS_CRC16) {
2052 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2053 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2056 l2cap_do_send(chan, skb);
2058 BT_DBG("Sent txseq %u", control->txseq);
2060 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2061 chan->frames_sent++;
2065 static int l2cap_ertm_send(struct l2cap_chan *chan)
2067 struct sk_buff *skb, *tx_skb;
2068 struct l2cap_ctrl *control;
2071 BT_DBG("chan %p", chan);
2073 if (chan->state != BT_CONNECTED)
2076 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2079 if (__chan_is_moving(chan))
2082 while (chan->tx_send_head &&
2083 chan->unacked_frames < chan->remote_tx_win &&
2084 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2086 skb = chan->tx_send_head;
2088 bt_cb(skb)->l2cap.retries = 1;
2089 control = &bt_cb(skb)->l2cap;
2091 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2094 control->reqseq = chan->buffer_seq;
2095 chan->last_acked_seq = chan->buffer_seq;
2096 control->txseq = chan->next_tx_seq;
2098 __pack_control(chan, control, skb);
2100 if (chan->fcs == L2CAP_FCS_CRC16) {
2101 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2102 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2105 /* Clone after data has been modified. Data is assumed to be
2106 read-only (for locking purposes) on cloned sk_buffs.
2108 tx_skb = skb_clone(skb, GFP_KERNEL);
2113 __set_retrans_timer(chan);
2115 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2116 chan->unacked_frames++;
2117 chan->frames_sent++;
2120 if (skb_queue_is_last(&chan->tx_q, skb))
2121 chan->tx_send_head = NULL;
2123 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2125 l2cap_do_send(chan, tx_skb);
2126 BT_DBG("Sent txseq %u", control->txseq);
2129 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2130 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2135 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2137 struct l2cap_ctrl control;
2138 struct sk_buff *skb;
2139 struct sk_buff *tx_skb;
2142 BT_DBG("chan %p", chan);
2144 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2147 if (__chan_is_moving(chan))
2150 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2151 seq = l2cap_seq_list_pop(&chan->retrans_list);
2153 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2155 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2160 bt_cb(skb)->l2cap.retries++;
2161 control = bt_cb(skb)->l2cap;
2163 if (chan->max_tx != 0 &&
2164 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2165 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2166 l2cap_send_disconn_req(chan, ECONNRESET);
2167 l2cap_seq_list_clear(&chan->retrans_list);
2171 control.reqseq = chan->buffer_seq;
2172 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2177 if (skb_cloned(skb)) {
2178 /* Cloned sk_buffs are read-only, so we need a
2181 tx_skb = skb_copy(skb, GFP_KERNEL);
2183 tx_skb = skb_clone(skb, GFP_KERNEL);
2187 l2cap_seq_list_clear(&chan->retrans_list);
2191 /* Update skb contents */
2192 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2193 put_unaligned_le32(__pack_extended_control(&control),
2194 tx_skb->data + L2CAP_HDR_SIZE);
2196 put_unaligned_le16(__pack_enhanced_control(&control),
2197 tx_skb->data + L2CAP_HDR_SIZE);
2201 if (chan->fcs == L2CAP_FCS_CRC16) {
2202 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2203 tx_skb->len - L2CAP_FCS_SIZE);
2204 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2208 l2cap_do_send(chan, tx_skb);
2210 BT_DBG("Resent txseq %d", control.txseq);
2212 chan->last_acked_seq = chan->buffer_seq;
2216 static void l2cap_retransmit(struct l2cap_chan *chan,
2217 struct l2cap_ctrl *control)
2219 BT_DBG("chan %p, control %p", chan, control);
2221 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2222 l2cap_ertm_resend(chan);
2225 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2226 struct l2cap_ctrl *control)
2228 struct sk_buff *skb;
2230 BT_DBG("chan %p, control %p", chan, control);
2233 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2235 l2cap_seq_list_clear(&chan->retrans_list);
2237 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2240 if (chan->unacked_frames) {
2241 skb_queue_walk(&chan->tx_q, skb) {
2242 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2243 skb == chan->tx_send_head)
2247 skb_queue_walk_from(&chan->tx_q, skb) {
2248 if (skb == chan->tx_send_head)
2251 l2cap_seq_list_append(&chan->retrans_list,
2252 bt_cb(skb)->l2cap.txseq);
2255 l2cap_ertm_resend(chan);
2259 static void l2cap_send_ack(struct l2cap_chan *chan)
2261 struct l2cap_ctrl control;
2262 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2263 chan->last_acked_seq);
2266 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2267 chan, chan->last_acked_seq, chan->buffer_seq);
2269 memset(&control, 0, sizeof(control));
2272 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2273 chan->rx_state == L2CAP_RX_STATE_RECV) {
2274 __clear_ack_timer(chan);
2275 control.super = L2CAP_SUPER_RNR;
2276 control.reqseq = chan->buffer_seq;
2277 l2cap_send_sframe(chan, &control);
2279 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2280 l2cap_ertm_send(chan);
2281 /* If any i-frames were sent, they included an ack */
2282 if (chan->buffer_seq == chan->last_acked_seq)
2286 /* Ack now if the window is 3/4ths full.
2287 * Calculate without mul or div
2289 threshold = chan->ack_win;
2290 threshold += threshold << 1;
2293 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2296 if (frames_to_ack >= threshold) {
2297 __clear_ack_timer(chan);
2298 control.super = L2CAP_SUPER_RR;
2299 control.reqseq = chan->buffer_seq;
2300 l2cap_send_sframe(chan, &control);
2305 __set_ack_timer(chan);
2309 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2310 struct msghdr *msg, int len,
2311 int count, struct sk_buff *skb)
2313 struct l2cap_conn *conn = chan->conn;
2314 struct sk_buff **frag;
2317 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2323 /* Continuation fragments (no L2CAP header) */
2324 frag = &skb_shinfo(skb)->frag_list;
2326 struct sk_buff *tmp;
2328 count = min_t(unsigned int, conn->mtu, len);
2330 tmp = chan->ops->alloc_skb(chan, 0, count,
2331 msg->msg_flags & MSG_DONTWAIT);
2333 return PTR_ERR(tmp);
2337 if (!copy_from_iter_full(skb_put(*frag, count), count,
2344 skb->len += (*frag)->len;
2345 skb->data_len += (*frag)->len;
2347 frag = &(*frag)->next;
2353 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2354 struct msghdr *msg, size_t len)
2356 struct l2cap_conn *conn = chan->conn;
2357 struct sk_buff *skb;
2358 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2359 struct l2cap_hdr *lh;
2361 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2362 __le16_to_cpu(chan->psm), len);
2364 count = min_t(unsigned int, (conn->mtu - hlen), len);
2366 skb = chan->ops->alloc_skb(chan, hlen, count,
2367 msg->msg_flags & MSG_DONTWAIT);
2371 /* Create L2CAP header */
2372 lh = skb_put(skb, L2CAP_HDR_SIZE);
2373 lh->cid = cpu_to_le16(chan->dcid);
2374 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2375 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2377 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2378 if (unlikely(err < 0)) {
2380 return ERR_PTR(err);
2385 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2386 struct msghdr *msg, size_t len)
2388 struct l2cap_conn *conn = chan->conn;
2389 struct sk_buff *skb;
2391 struct l2cap_hdr *lh;
2393 BT_DBG("chan %p len %zu", chan, len);
2395 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2397 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2398 msg->msg_flags & MSG_DONTWAIT);
2402 /* Create L2CAP header */
2403 lh = skb_put(skb, L2CAP_HDR_SIZE);
2404 lh->cid = cpu_to_le16(chan->dcid);
2405 lh->len = cpu_to_le16(len);
2407 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2408 if (unlikely(err < 0)) {
2410 return ERR_PTR(err);
2415 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2416 struct msghdr *msg, size_t len,
2419 struct l2cap_conn *conn = chan->conn;
2420 struct sk_buff *skb;
2421 int err, count, hlen;
2422 struct l2cap_hdr *lh;
2424 BT_DBG("chan %p len %zu", chan, len);
2427 return ERR_PTR(-ENOTCONN);
2429 hlen = __ertm_hdr_size(chan);
2432 hlen += L2CAP_SDULEN_SIZE;
2434 if (chan->fcs == L2CAP_FCS_CRC16)
2435 hlen += L2CAP_FCS_SIZE;
2437 count = min_t(unsigned int, (conn->mtu - hlen), len);
2439 skb = chan->ops->alloc_skb(chan, hlen, count,
2440 msg->msg_flags & MSG_DONTWAIT);
2444 /* Create L2CAP header */
2445 lh = skb_put(skb, L2CAP_HDR_SIZE);
2446 lh->cid = cpu_to_le16(chan->dcid);
2447 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2449 /* Control header is populated later */
2450 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2451 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2453 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2456 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2458 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2459 if (unlikely(err < 0)) {
2461 return ERR_PTR(err);
2464 bt_cb(skb)->l2cap.fcs = chan->fcs;
2465 bt_cb(skb)->l2cap.retries = 0;
2469 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2470 struct sk_buff_head *seg_queue,
2471 struct msghdr *msg, size_t len)
2473 struct sk_buff *skb;
2478 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2480 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2481 * so fragmented skbs are not used. The HCI layer's handling
2482 * of fragmented skbs is not compatible with ERTM's queueing.
2485 /* PDU size is derived from the HCI MTU */
2486 pdu_len = chan->conn->mtu;
2488 /* Constrain PDU size for BR/EDR connections */
2490 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2492 /* Adjust for largest possible L2CAP overhead. */
2494 pdu_len -= L2CAP_FCS_SIZE;
2496 pdu_len -= __ertm_hdr_size(chan);
2498 /* Remote device may have requested smaller PDUs */
2499 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2501 if (len <= pdu_len) {
2502 sar = L2CAP_SAR_UNSEGMENTED;
2506 sar = L2CAP_SAR_START;
2511 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2514 __skb_queue_purge(seg_queue);
2515 return PTR_ERR(skb);
2518 bt_cb(skb)->l2cap.sar = sar;
2519 __skb_queue_tail(seg_queue, skb);
2525 if (len <= pdu_len) {
2526 sar = L2CAP_SAR_END;
2529 sar = L2CAP_SAR_CONTINUE;
2536 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2538 size_t len, u16 sdulen)
2540 struct l2cap_conn *conn = chan->conn;
2541 struct sk_buff *skb;
2542 int err, count, hlen;
2543 struct l2cap_hdr *lh;
2545 BT_DBG("chan %p len %zu", chan, len);
2548 return ERR_PTR(-ENOTCONN);
2550 hlen = L2CAP_HDR_SIZE;
2553 hlen += L2CAP_SDULEN_SIZE;
2555 count = min_t(unsigned int, (conn->mtu - hlen), len);
2557 skb = chan->ops->alloc_skb(chan, hlen, count,
2558 msg->msg_flags & MSG_DONTWAIT);
2562 /* Create L2CAP header */
2563 lh = skb_put(skb, L2CAP_HDR_SIZE);
2564 lh->cid = cpu_to_le16(chan->dcid);
2565 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2568 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2570 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2571 if (unlikely(err < 0)) {
2573 return ERR_PTR(err);
2579 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2580 struct sk_buff_head *seg_queue,
2581 struct msghdr *msg, size_t len)
2583 struct sk_buff *skb;
2587 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2590 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2596 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2598 __skb_queue_purge(seg_queue);
2599 return PTR_ERR(skb);
2602 __skb_queue_tail(seg_queue, skb);
2608 pdu_len += L2CAP_SDULEN_SIZE;
2615 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2619 BT_DBG("chan %p", chan);
2621 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2622 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2627 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2628 skb_queue_len(&chan->tx_q));
2631 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2633 struct sk_buff *skb;
2635 struct sk_buff_head seg_queue;
2640 /* Connectionless channel */
2641 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2642 skb = l2cap_create_connless_pdu(chan, msg, len);
2644 return PTR_ERR(skb);
2646 /* Channel lock is released before requesting new skb and then
2647 * reacquired thus we need to recheck channel state.
2649 if (chan->state != BT_CONNECTED) {
2654 l2cap_do_send(chan, skb);
2658 switch (chan->mode) {
2659 case L2CAP_MODE_LE_FLOWCTL:
2660 case L2CAP_MODE_EXT_FLOWCTL:
2661 /* Check outgoing MTU */
2662 if (len > chan->omtu)
2665 __skb_queue_head_init(&seg_queue);
2667 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2669 if (chan->state != BT_CONNECTED) {
2670 __skb_queue_purge(&seg_queue);
2677 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2679 l2cap_le_flowctl_send(chan);
2681 if (!chan->tx_credits)
2682 chan->ops->suspend(chan);
2688 case L2CAP_MODE_BASIC:
2689 /* Check outgoing MTU */
2690 if (len > chan->omtu)
2693 /* Create a basic PDU */
2694 skb = l2cap_create_basic_pdu(chan, msg, len);
2696 return PTR_ERR(skb);
2698 /* Channel lock is released before requesting new skb and then
2699 * reacquired thus we need to recheck channel state.
2701 if (chan->state != BT_CONNECTED) {
2706 l2cap_do_send(chan, skb);
2710 case L2CAP_MODE_ERTM:
2711 case L2CAP_MODE_STREAMING:
2712 /* Check outgoing MTU */
2713 if (len > chan->omtu) {
2718 __skb_queue_head_init(&seg_queue);
2720 /* Do segmentation before calling in to the state machine,
2721 * since it's possible to block while waiting for memory
2724 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2726 /* The channel could have been closed while segmenting,
2727 * check that it is still connected.
2729 if (chan->state != BT_CONNECTED) {
2730 __skb_queue_purge(&seg_queue);
2737 if (chan->mode == L2CAP_MODE_ERTM)
2738 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2740 l2cap_streaming_send(chan, &seg_queue);
2744 /* If the skbs were not queued for sending, they'll still be in
2745 * seg_queue and need to be purged.
2747 __skb_queue_purge(&seg_queue);
2751 BT_DBG("bad state %1.1x", chan->mode);
2757 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2759 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2761 struct l2cap_ctrl control;
2764 BT_DBG("chan %p, txseq %u", chan, txseq);
2766 memset(&control, 0, sizeof(control));
2768 control.super = L2CAP_SUPER_SREJ;
2770 for (seq = chan->expected_tx_seq; seq != txseq;
2771 seq = __next_seq(chan, seq)) {
2772 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2773 control.reqseq = seq;
2774 l2cap_send_sframe(chan, &control);
2775 l2cap_seq_list_append(&chan->srej_list, seq);
2779 chan->expected_tx_seq = __next_seq(chan, txseq);
2782 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2784 struct l2cap_ctrl control;
2786 BT_DBG("chan %p", chan);
2788 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2791 memset(&control, 0, sizeof(control));
2793 control.super = L2CAP_SUPER_SREJ;
2794 control.reqseq = chan->srej_list.tail;
2795 l2cap_send_sframe(chan, &control);
2798 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2800 struct l2cap_ctrl control;
2804 BT_DBG("chan %p, txseq %u", chan, txseq);
2806 memset(&control, 0, sizeof(control));
2808 control.super = L2CAP_SUPER_SREJ;
2810 /* Capture initial list head to allow only one pass through the list. */
2811 initial_head = chan->srej_list.head;
2814 seq = l2cap_seq_list_pop(&chan->srej_list);
2815 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2818 control.reqseq = seq;
2819 l2cap_send_sframe(chan, &control);
2820 l2cap_seq_list_append(&chan->srej_list, seq);
2821 } while (chan->srej_list.head != initial_head);
2824 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2826 struct sk_buff *acked_skb;
2829 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2831 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2834 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2835 chan->expected_ack_seq, chan->unacked_frames);
2837 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2838 ackseq = __next_seq(chan, ackseq)) {
2840 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2842 skb_unlink(acked_skb, &chan->tx_q);
2843 kfree_skb(acked_skb);
2844 chan->unacked_frames--;
2848 chan->expected_ack_seq = reqseq;
2850 if (chan->unacked_frames == 0)
2851 __clear_retrans_timer(chan);
2853 BT_DBG("unacked_frames %u", chan->unacked_frames);
2856 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2858 BT_DBG("chan %p", chan);
2860 chan->expected_tx_seq = chan->buffer_seq;
2861 l2cap_seq_list_clear(&chan->srej_list);
2862 skb_queue_purge(&chan->srej_q);
2863 chan->rx_state = L2CAP_RX_STATE_RECV;
2866 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2867 struct l2cap_ctrl *control,
2868 struct sk_buff_head *skbs, u8 event)
2870 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2874 case L2CAP_EV_DATA_REQUEST:
2875 if (chan->tx_send_head == NULL)
2876 chan->tx_send_head = skb_peek(skbs);
2878 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2879 l2cap_ertm_send(chan);
2881 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2882 BT_DBG("Enter LOCAL_BUSY");
2883 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2885 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2886 /* The SREJ_SENT state must be aborted if we are to
2887 * enter the LOCAL_BUSY state.
2889 l2cap_abort_rx_srej_sent(chan);
2892 l2cap_send_ack(chan);
2895 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2896 BT_DBG("Exit LOCAL_BUSY");
2897 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2899 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2900 struct l2cap_ctrl local_control;
2902 memset(&local_control, 0, sizeof(local_control));
2903 local_control.sframe = 1;
2904 local_control.super = L2CAP_SUPER_RR;
2905 local_control.poll = 1;
2906 local_control.reqseq = chan->buffer_seq;
2907 l2cap_send_sframe(chan, &local_control);
2909 chan->retry_count = 1;
2910 __set_monitor_timer(chan);
2911 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2914 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2915 l2cap_process_reqseq(chan, control->reqseq);
2917 case L2CAP_EV_EXPLICIT_POLL:
2918 l2cap_send_rr_or_rnr(chan, 1);
2919 chan->retry_count = 1;
2920 __set_monitor_timer(chan);
2921 __clear_ack_timer(chan);
2922 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2924 case L2CAP_EV_RETRANS_TO:
2925 l2cap_send_rr_or_rnr(chan, 1);
2926 chan->retry_count = 1;
2927 __set_monitor_timer(chan);
2928 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2930 case L2CAP_EV_RECV_FBIT:
2931 /* Nothing to process */
2938 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2939 struct l2cap_ctrl *control,
2940 struct sk_buff_head *skbs, u8 event)
2942 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2946 case L2CAP_EV_DATA_REQUEST:
2947 if (chan->tx_send_head == NULL)
2948 chan->tx_send_head = skb_peek(skbs);
2949 /* Queue data, but don't send. */
2950 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2952 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2953 BT_DBG("Enter LOCAL_BUSY");
2954 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2956 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2957 /* The SREJ_SENT state must be aborted if we are to
2958 * enter the LOCAL_BUSY state.
2960 l2cap_abort_rx_srej_sent(chan);
2963 l2cap_send_ack(chan);
2966 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2967 BT_DBG("Exit LOCAL_BUSY");
2968 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2970 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2971 struct l2cap_ctrl local_control;
2972 memset(&local_control, 0, sizeof(local_control));
2973 local_control.sframe = 1;
2974 local_control.super = L2CAP_SUPER_RR;
2975 local_control.poll = 1;
2976 local_control.reqseq = chan->buffer_seq;
2977 l2cap_send_sframe(chan, &local_control);
2979 chan->retry_count = 1;
2980 __set_monitor_timer(chan);
2981 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2984 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2985 l2cap_process_reqseq(chan, control->reqseq);
2988 case L2CAP_EV_RECV_FBIT:
2989 if (control && control->final) {
2990 __clear_monitor_timer(chan);
2991 if (chan->unacked_frames > 0)
2992 __set_retrans_timer(chan);
2993 chan->retry_count = 0;
2994 chan->tx_state = L2CAP_TX_STATE_XMIT;
2995 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2998 case L2CAP_EV_EXPLICIT_POLL:
3001 case L2CAP_EV_MONITOR_TO:
3002 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3003 l2cap_send_rr_or_rnr(chan, 1);
3004 __set_monitor_timer(chan);
3005 chan->retry_count++;
3007 l2cap_send_disconn_req(chan, ECONNABORTED);
3015 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3016 struct sk_buff_head *skbs, u8 event)
3018 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3019 chan, control, skbs, event, chan->tx_state);
3021 switch (chan->tx_state) {
3022 case L2CAP_TX_STATE_XMIT:
3023 l2cap_tx_state_xmit(chan, control, skbs, event);
3025 case L2CAP_TX_STATE_WAIT_F:
3026 l2cap_tx_state_wait_f(chan, control, skbs, event);
3034 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3035 struct l2cap_ctrl *control)
3037 BT_DBG("chan %p, control %p", chan, control);
3038 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3041 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3042 struct l2cap_ctrl *control)
3044 BT_DBG("chan %p, control %p", chan, control);
3045 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3048 /* Copy frame to all raw sockets on that connection */
3049 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3051 struct sk_buff *nskb;
3052 struct l2cap_chan *chan;
3054 BT_DBG("conn %p", conn);
3056 mutex_lock(&conn->chan_lock);
3058 list_for_each_entry(chan, &conn->chan_l, list) {
3059 if (chan->chan_type != L2CAP_CHAN_RAW)
3062 /* Don't send frame to the channel it came from */
3063 if (bt_cb(skb)->l2cap.chan == chan)
3066 nskb = skb_clone(skb, GFP_KERNEL);
3069 if (chan->ops->recv(chan, nskb))
3073 mutex_unlock(&conn->chan_lock);
3076 /* ---- L2CAP signalling commands ---- */
3077 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3078 u8 ident, u16 dlen, void *data)
3080 struct sk_buff *skb, **frag;
3081 struct l2cap_cmd_hdr *cmd;
3082 struct l2cap_hdr *lh;
3085 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3086 conn, code, ident, dlen);
3088 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3091 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3092 count = min_t(unsigned int, conn->mtu, len);
3094 skb = bt_skb_alloc(count, GFP_KERNEL);
3098 lh = skb_put(skb, L2CAP_HDR_SIZE);
3099 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3101 if (conn->hcon->type == LE_LINK)
3102 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3104 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
3106 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
3109 cmd->len = cpu_to_le16(dlen);
3112 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3113 skb_put_data(skb, data, count);
3119 /* Continuation fragments (no L2CAP header) */
3120 frag = &skb_shinfo(skb)->frag_list;
3122 count = min_t(unsigned int, conn->mtu, len);
3124 *frag = bt_skb_alloc(count, GFP_KERNEL);
3128 skb_put_data(*frag, data, count);
3133 frag = &(*frag)->next;
3143 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3146 struct l2cap_conf_opt *opt = *ptr;
3149 len = L2CAP_CONF_OPT_SIZE + opt->len;
3157 *val = *((u8 *) opt->val);
3161 *val = get_unaligned_le16(opt->val);
3165 *val = get_unaligned_le32(opt->val);
3169 *val = (unsigned long) opt->val;
3173 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3177 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3179 struct l2cap_conf_opt *opt = *ptr;
3181 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3183 if (size < L2CAP_CONF_OPT_SIZE + len)
3191 *((u8 *) opt->val) = val;
3195 put_unaligned_le16(val, opt->val);
3199 put_unaligned_le32(val, opt->val);
3203 memcpy(opt->val, (void *) val, len);
3207 *ptr += L2CAP_CONF_OPT_SIZE + len;
3210 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3212 struct l2cap_conf_efs efs;
3214 switch (chan->mode) {
3215 case L2CAP_MODE_ERTM:
3216 efs.id = chan->local_id;
3217 efs.stype = chan->local_stype;
3218 efs.msdu = cpu_to_le16(chan->local_msdu);
3219 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3220 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3221 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3224 case L2CAP_MODE_STREAMING:
3226 efs.stype = L2CAP_SERV_BESTEFFORT;
3227 efs.msdu = cpu_to_le16(chan->local_msdu);
3228 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3237 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3238 (unsigned long) &efs, size);
3241 static void l2cap_ack_timeout(struct work_struct *work)
3243 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3247 BT_DBG("chan %p", chan);
3249 l2cap_chan_lock(chan);
3251 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3252 chan->last_acked_seq);
3255 l2cap_send_rr_or_rnr(chan, 0);
3257 l2cap_chan_unlock(chan);
3258 l2cap_chan_put(chan);
3261 int l2cap_ertm_init(struct l2cap_chan *chan)
3265 chan->next_tx_seq = 0;
3266 chan->expected_tx_seq = 0;
3267 chan->expected_ack_seq = 0;
3268 chan->unacked_frames = 0;
3269 chan->buffer_seq = 0;
3270 chan->frames_sent = 0;
3271 chan->last_acked_seq = 0;
3273 chan->sdu_last_frag = NULL;
3276 skb_queue_head_init(&chan->tx_q);
3278 chan->local_amp_id = AMP_ID_BREDR;
3279 chan->move_id = AMP_ID_BREDR;
3280 chan->move_state = L2CAP_MOVE_STABLE;
3281 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3283 if (chan->mode != L2CAP_MODE_ERTM)
3286 chan->rx_state = L2CAP_RX_STATE_RECV;
3287 chan->tx_state = L2CAP_TX_STATE_XMIT;
3289 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3290 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3291 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3293 skb_queue_head_init(&chan->srej_q);
3295 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3299 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3301 l2cap_seq_list_free(&chan->srej_list);
3306 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3309 case L2CAP_MODE_STREAMING:
3310 case L2CAP_MODE_ERTM:
3311 if (l2cap_mode_supported(mode, remote_feat_mask))
3315 return L2CAP_MODE_BASIC;
3319 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3321 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3322 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3325 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3327 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3328 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3331 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3332 struct l2cap_conf_rfc *rfc)
3334 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3335 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3337 /* Class 1 devices have must have ERTM timeouts
3338 * exceeding the Link Supervision Timeout. The
3339 * default Link Supervision Timeout for AMP
3340 * controllers is 10 seconds.
3342 * Class 1 devices use 0xffffffff for their
3343 * best-effort flush timeout, so the clamping logic
3344 * will result in a timeout that meets the above
3345 * requirement. ERTM timeouts are 16-bit values, so
3346 * the maximum timeout is 65.535 seconds.
3349 /* Convert timeout to milliseconds and round */
3350 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3352 /* This is the recommended formula for class 2 devices
3353 * that start ERTM timers when packets are sent to the
3356 ertm_to = 3 * ertm_to + 500;
3358 if (ertm_to > 0xffff)
3361 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3362 rfc->monitor_timeout = rfc->retrans_timeout;
3364 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3365 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3369 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3371 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3372 __l2cap_ews_supported(chan->conn)) {
3373 /* use extended control field */
3374 set_bit(FLAG_EXT_CTRL, &chan->flags);
3375 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3377 chan->tx_win = min_t(u16, chan->tx_win,
3378 L2CAP_DEFAULT_TX_WINDOW);
3379 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3381 chan->ack_win = chan->tx_win;
3384 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3386 struct hci_conn *conn = chan->conn->hcon;
3388 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3390 /* The 2-DH1 packet has between 2 and 56 information bytes
3391 * (including the 2-byte payload header)
3393 if (!(conn->pkt_type & HCI_2DH1))
3396 /* The 3-DH1 packet has between 2 and 85 information bytes
3397 * (including the 2-byte payload header)
3399 if (!(conn->pkt_type & HCI_3DH1))
3402 /* The 2-DH3 packet has between 2 and 369 information bytes
3403 * (including the 2-byte payload header)
3405 if (!(conn->pkt_type & HCI_2DH3))
3408 /* The 3-DH3 packet has between 2 and 554 information bytes
3409 * (including the 2-byte payload header)
3411 if (!(conn->pkt_type & HCI_3DH3))
3414 /* The 2-DH5 packet has between 2 and 681 information bytes
3415 * (including the 2-byte payload header)
3417 if (!(conn->pkt_type & HCI_2DH5))
3420 /* The 3-DH5 packet has between 2 and 1023 information bytes
3421 * (including the 2-byte payload header)
3423 if (!(conn->pkt_type & HCI_3DH5))
3427 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3429 struct l2cap_conf_req *req = data;
3430 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3431 void *ptr = req->data;
3432 void *endptr = data + data_size;
3435 BT_DBG("chan %p", chan);
3437 if (chan->num_conf_req || chan->num_conf_rsp)
3440 switch (chan->mode) {
3441 case L2CAP_MODE_STREAMING:
3442 case L2CAP_MODE_ERTM:
3443 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3446 if (__l2cap_efs_supported(chan->conn))
3447 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3451 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3456 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3458 l2cap_mtu_auto(chan);
3459 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3463 switch (chan->mode) {
3464 case L2CAP_MODE_BASIC:
3468 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3469 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3472 rfc.mode = L2CAP_MODE_BASIC;
3474 rfc.max_transmit = 0;
3475 rfc.retrans_timeout = 0;
3476 rfc.monitor_timeout = 0;
3477 rfc.max_pdu_size = 0;
3479 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3480 (unsigned long) &rfc, endptr - ptr);
3483 case L2CAP_MODE_ERTM:
3484 rfc.mode = L2CAP_MODE_ERTM;
3485 rfc.max_transmit = chan->max_tx;
3487 __l2cap_set_ertm_timeouts(chan, &rfc);
3489 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3490 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3492 rfc.max_pdu_size = cpu_to_le16(size);
3494 l2cap_txwin_setup(chan);
3496 rfc.txwin_size = min_t(u16, chan->tx_win,
3497 L2CAP_DEFAULT_TX_WINDOW);
3499 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3500 (unsigned long) &rfc, endptr - ptr);
3502 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3503 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3505 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3506 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3507 chan->tx_win, endptr - ptr);
3509 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3510 if (chan->fcs == L2CAP_FCS_NONE ||
3511 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3512 chan->fcs = L2CAP_FCS_NONE;
3513 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3514 chan->fcs, endptr - ptr);
3518 case L2CAP_MODE_STREAMING:
3519 l2cap_txwin_setup(chan);
3520 rfc.mode = L2CAP_MODE_STREAMING;
3522 rfc.max_transmit = 0;
3523 rfc.retrans_timeout = 0;
3524 rfc.monitor_timeout = 0;
3526 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3527 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3529 rfc.max_pdu_size = cpu_to_le16(size);
3531 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3532 (unsigned long) &rfc, endptr - ptr);
3534 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3535 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3537 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3538 if (chan->fcs == L2CAP_FCS_NONE ||
3539 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3540 chan->fcs = L2CAP_FCS_NONE;
3541 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3542 chan->fcs, endptr - ptr);
3547 req->dcid = cpu_to_le16(chan->dcid);
3548 req->flags = cpu_to_le16(0);
3553 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3555 struct l2cap_conf_rsp *rsp = data;
3556 void *ptr = rsp->data;
3557 void *endptr = data + data_size;
3558 void *req = chan->conf_req;
3559 int len = chan->conf_len;
3560 int type, hint, olen;
3562 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3563 struct l2cap_conf_efs efs;
3565 u16 mtu = L2CAP_DEFAULT_MTU;
3566 u16 result = L2CAP_CONF_SUCCESS;
3569 BT_DBG("chan %p", chan);
3571 while (len >= L2CAP_CONF_OPT_SIZE) {
3572 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3576 hint = type & L2CAP_CONF_HINT;
3577 type &= L2CAP_CONF_MASK;
3580 case L2CAP_CONF_MTU:
3586 case L2CAP_CONF_FLUSH_TO:
3589 chan->flush_to = val;
3592 case L2CAP_CONF_QOS:
3595 case L2CAP_CONF_RFC:
3596 if (olen != sizeof(rfc))
3598 memcpy(&rfc, (void *) val, olen);
3601 case L2CAP_CONF_FCS:
3604 if (val == L2CAP_FCS_NONE)
3605 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3608 case L2CAP_CONF_EFS:
3609 if (olen != sizeof(efs))
3612 memcpy(&efs, (void *) val, olen);
3615 case L2CAP_CONF_EWS:
3618 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3619 return -ECONNREFUSED;
3620 set_bit(FLAG_EXT_CTRL, &chan->flags);
3621 set_bit(CONF_EWS_RECV, &chan->conf_state);
3622 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3623 chan->remote_tx_win = val;
3629 result = L2CAP_CONF_UNKNOWN;
3630 *((u8 *) ptr++) = type;
3635 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3638 switch (chan->mode) {
3639 case L2CAP_MODE_STREAMING:
3640 case L2CAP_MODE_ERTM:
3641 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3642 chan->mode = l2cap_select_mode(rfc.mode,
3643 chan->conn->feat_mask);
3648 if (__l2cap_efs_supported(chan->conn))
3649 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3651 return -ECONNREFUSED;
3654 if (chan->mode != rfc.mode)
3655 return -ECONNREFUSED;
3661 if (chan->mode != rfc.mode) {
3662 result = L2CAP_CONF_UNACCEPT;
3663 rfc.mode = chan->mode;
3665 if (chan->num_conf_rsp == 1)
3666 return -ECONNREFUSED;
3668 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3669 (unsigned long) &rfc, endptr - ptr);
3672 if (result == L2CAP_CONF_SUCCESS) {
3673 /* Configure output options and let the other side know
3674 * which ones we don't like. */
3676 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3677 result = L2CAP_CONF_UNACCEPT;
3680 set_bit(CONF_MTU_DONE, &chan->conf_state);
3682 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3685 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3686 efs.stype != L2CAP_SERV_NOTRAFIC &&
3687 efs.stype != chan->local_stype) {
3689 result = L2CAP_CONF_UNACCEPT;
3691 if (chan->num_conf_req >= 1)
3692 return -ECONNREFUSED;
3694 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3696 (unsigned long) &efs, endptr - ptr);
3698 /* Send PENDING Conf Rsp */
3699 result = L2CAP_CONF_PENDING;
3700 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3705 case L2CAP_MODE_BASIC:
3706 chan->fcs = L2CAP_FCS_NONE;
3707 set_bit(CONF_MODE_DONE, &chan->conf_state);
3710 case L2CAP_MODE_ERTM:
3711 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3712 chan->remote_tx_win = rfc.txwin_size;
3714 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3716 chan->remote_max_tx = rfc.max_transmit;
3718 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3719 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3720 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3721 rfc.max_pdu_size = cpu_to_le16(size);
3722 chan->remote_mps = size;
3724 __l2cap_set_ertm_timeouts(chan, &rfc);
3726 set_bit(CONF_MODE_DONE, &chan->conf_state);
3728 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3729 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3731 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3732 chan->remote_id = efs.id;
3733 chan->remote_stype = efs.stype;
3734 chan->remote_msdu = le16_to_cpu(efs.msdu);
3735 chan->remote_flush_to =
3736 le32_to_cpu(efs.flush_to);
3737 chan->remote_acc_lat =
3738 le32_to_cpu(efs.acc_lat);
3739 chan->remote_sdu_itime =
3740 le32_to_cpu(efs.sdu_itime);
3741 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3743 (unsigned long) &efs, endptr - ptr);
3747 case L2CAP_MODE_STREAMING:
3748 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3749 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3750 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3751 rfc.max_pdu_size = cpu_to_le16(size);
3752 chan->remote_mps = size;
3754 set_bit(CONF_MODE_DONE, &chan->conf_state);
3756 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3757 (unsigned long) &rfc, endptr - ptr);
3762 result = L2CAP_CONF_UNACCEPT;
3764 memset(&rfc, 0, sizeof(rfc));
3765 rfc.mode = chan->mode;
3768 if (result == L2CAP_CONF_SUCCESS)
3769 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3771 rsp->scid = cpu_to_le16(chan->dcid);
3772 rsp->result = cpu_to_le16(result);
3773 rsp->flags = cpu_to_le16(0);
3778 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3779 void *data, size_t size, u16 *result)
3781 struct l2cap_conf_req *req = data;
3782 void *ptr = req->data;
3783 void *endptr = data + size;
3786 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3787 struct l2cap_conf_efs efs;
3789 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3791 while (len >= L2CAP_CONF_OPT_SIZE) {
3792 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3797 case L2CAP_CONF_MTU:
3800 if (val < L2CAP_DEFAULT_MIN_MTU) {
3801 *result = L2CAP_CONF_UNACCEPT;
3802 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3805 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3809 case L2CAP_CONF_FLUSH_TO:
3812 chan->flush_to = val;
3813 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3814 chan->flush_to, endptr - ptr);
3817 case L2CAP_CONF_RFC:
3818 if (olen != sizeof(rfc))
3820 memcpy(&rfc, (void *)val, olen);
3821 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3822 rfc.mode != chan->mode)
3823 return -ECONNREFUSED;
3825 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3826 (unsigned long) &rfc, endptr - ptr);
3829 case L2CAP_CONF_EWS:
3832 chan->ack_win = min_t(u16, val, chan->ack_win);
3833 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3834 chan->tx_win, endptr - ptr);
3837 case L2CAP_CONF_EFS:
3838 if (olen != sizeof(efs))
3840 memcpy(&efs, (void *)val, olen);
3841 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3842 efs.stype != L2CAP_SERV_NOTRAFIC &&
3843 efs.stype != chan->local_stype)
3844 return -ECONNREFUSED;
3845 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3846 (unsigned long) &efs, endptr - ptr);
3849 case L2CAP_CONF_FCS:
3852 if (*result == L2CAP_CONF_PENDING)
3853 if (val == L2CAP_FCS_NONE)
3854 set_bit(CONF_RECV_NO_FCS,
3860 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3861 return -ECONNREFUSED;
3863 chan->mode = rfc.mode;
3865 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3867 case L2CAP_MODE_ERTM:
3868 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3869 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3870 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3871 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3872 chan->ack_win = min_t(u16, chan->ack_win,
3875 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3876 chan->local_msdu = le16_to_cpu(efs.msdu);
3877 chan->local_sdu_itime =
3878 le32_to_cpu(efs.sdu_itime);
3879 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3880 chan->local_flush_to =
3881 le32_to_cpu(efs.flush_to);
3885 case L2CAP_MODE_STREAMING:
3886 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3890 req->dcid = cpu_to_le16(chan->dcid);
3891 req->flags = cpu_to_le16(0);
3896 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3897 u16 result, u16 flags)
3899 struct l2cap_conf_rsp *rsp = data;
3900 void *ptr = rsp->data;
3902 BT_DBG("chan %p", chan);
3904 rsp->scid = cpu_to_le16(chan->dcid);
3905 rsp->result = cpu_to_le16(result);
3906 rsp->flags = cpu_to_le16(flags);
3911 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3913 struct l2cap_le_conn_rsp rsp;
3914 struct l2cap_conn *conn = chan->conn;
3916 BT_DBG("chan %p", chan);
3918 rsp.dcid = cpu_to_le16(chan->scid);
3919 rsp.mtu = cpu_to_le16(chan->imtu);
3920 rsp.mps = cpu_to_le16(chan->mps);
3921 rsp.credits = cpu_to_le16(chan->rx_credits);
3922 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3924 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3928 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3931 struct l2cap_ecred_conn_rsp rsp;
3934 struct l2cap_conn *conn = chan->conn;
3935 u16 ident = chan->ident;
3941 BT_DBG("chan %p ident %d", chan, ident);
3943 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3944 pdu.rsp.mps = cpu_to_le16(chan->mps);
3945 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3946 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3948 mutex_lock(&conn->chan_lock);
3950 list_for_each_entry(chan, &conn->chan_l, list) {
3951 if (chan->ident != ident)
3954 /* Reset ident so only one response is sent */
3957 /* Include all channels pending with the same ident */
3958 pdu.dcid[i++] = cpu_to_le16(chan->scid);
3961 mutex_unlock(&conn->chan_lock);
3963 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3964 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3967 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3969 struct l2cap_conn_rsp rsp;
3970 struct l2cap_conn *conn = chan->conn;
3974 rsp.scid = cpu_to_le16(chan->dcid);
3975 rsp.dcid = cpu_to_le16(chan->scid);
3976 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3977 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3980 rsp_code = L2CAP_CREATE_CHAN_RSP;
3982 rsp_code = L2CAP_CONN_RSP;
3984 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3986 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3988 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3991 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3992 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3993 chan->num_conf_req++;
3996 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
4000 /* Use sane default values in case a misbehaving remote device
4001 * did not send an RFC or extended window size option.
4003 u16 txwin_ext = chan->ack_win;
4004 struct l2cap_conf_rfc rfc = {
4006 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
4007 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
4008 .max_pdu_size = cpu_to_le16(chan->imtu),
4009 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
4012 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
4014 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
4017 while (len >= L2CAP_CONF_OPT_SIZE) {
4018 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
4023 case L2CAP_CONF_RFC:
4024 if (olen != sizeof(rfc))
4026 memcpy(&rfc, (void *)val, olen);
4028 case L2CAP_CONF_EWS:
4037 case L2CAP_MODE_ERTM:
4038 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
4039 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
4040 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4041 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4042 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
4044 chan->ack_win = min_t(u16, chan->ack_win,
4047 case L2CAP_MODE_STREAMING:
4048 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4052 static inline int l2cap_command_rej(struct l2cap_conn *conn,
4053 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4056 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4058 if (cmd_len < sizeof(*rej))
4061 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4064 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
4065 cmd->ident == conn->info_ident) {
4066 cancel_delayed_work(&conn->info_timer);
4068 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4069 conn->info_ident = 0;
4071 l2cap_conn_start(conn);
4077 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
4078 struct l2cap_cmd_hdr *cmd,
4079 u8 *data, u8 rsp_code, u8 amp_id)
4081 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
4082 struct l2cap_conn_rsp rsp;
4083 struct l2cap_chan *chan = NULL, *pchan;
4084 int result, status = L2CAP_CS_NO_INFO;
4086 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
4087 __le16 psm = req->psm;
4089 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
4091 /* Check if we have socket listening on psm */
4092 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4093 &conn->hcon->dst, ACL_LINK);
4095 result = L2CAP_CR_BAD_PSM;
4099 mutex_lock(&conn->chan_lock);
4100 l2cap_chan_lock(pchan);
4102 /* Check if the ACL is secure enough (if not SDP) */
4103 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
4104 !hci_conn_check_link_mode(conn->hcon)) {
4105 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
4106 result = L2CAP_CR_SEC_BLOCK;
4110 result = L2CAP_CR_NO_MEM;
4112 /* Check for valid dynamic CID range (as per Erratum 3253) */
4113 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4114 result = L2CAP_CR_INVALID_SCID;
4118 /* Check if we already have channel with that dcid */
4119 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4120 result = L2CAP_CR_SCID_IN_USE;
4124 chan = pchan->ops->new_connection(pchan);
4128 /* For certain devices (ex: HID mouse), support for authentication,
4129 * pairing and bonding is optional. For such devices, inorder to avoid
4130 * the ACL alive for too long after L2CAP disconnection, reset the ACL
4131 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
4133 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4135 bacpy(&chan->src, &conn->hcon->src);
4136 bacpy(&chan->dst, &conn->hcon->dst);
4137 chan->src_type = bdaddr_src_type(conn->hcon);
4138 chan->dst_type = bdaddr_dst_type(conn->hcon);
4141 chan->local_amp_id = amp_id;
4143 __l2cap_chan_add(conn, chan);
4147 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4149 chan->ident = cmd->ident;
4151 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4152 if (l2cap_chan_check_security(chan, false)) {
4153 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4154 l2cap_state_change(chan, BT_CONNECT2);
4155 result = L2CAP_CR_PEND;
4156 status = L2CAP_CS_AUTHOR_PEND;
4157 chan->ops->defer(chan);
4159 /* Force pending result for AMP controllers.
4160 * The connection will succeed after the
4161 * physical link is up.
4163 if (amp_id == AMP_ID_BREDR) {
4164 l2cap_state_change(chan, BT_CONFIG);
4165 result = L2CAP_CR_SUCCESS;
4167 l2cap_state_change(chan, BT_CONNECT2);
4168 result = L2CAP_CR_PEND;
4170 status = L2CAP_CS_NO_INFO;
4173 l2cap_state_change(chan, BT_CONNECT2);
4174 result = L2CAP_CR_PEND;
4175 status = L2CAP_CS_AUTHEN_PEND;
4178 l2cap_state_change(chan, BT_CONNECT2);
4179 result = L2CAP_CR_PEND;
4180 status = L2CAP_CS_NO_INFO;
4184 l2cap_chan_unlock(pchan);
4185 mutex_unlock(&conn->chan_lock);
4186 l2cap_chan_put(pchan);
4189 rsp.scid = cpu_to_le16(scid);
4190 rsp.dcid = cpu_to_le16(dcid);
4191 rsp.result = cpu_to_le16(result);
4192 rsp.status = cpu_to_le16(status);
4193 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4195 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4196 struct l2cap_info_req info;
4197 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4199 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4200 conn->info_ident = l2cap_get_ident(conn);
4202 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4204 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4205 sizeof(info), &info);
4208 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4209 result == L2CAP_CR_SUCCESS) {
4211 set_bit(CONF_REQ_SENT, &chan->conf_state);
4212 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4213 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4214 chan->num_conf_req++;
4220 static int l2cap_connect_req(struct l2cap_conn *conn,
4221 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4223 struct hci_dev *hdev = conn->hcon->hdev;
4224 struct hci_conn *hcon = conn->hcon;
4226 if (cmd_len < sizeof(struct l2cap_conn_req))
4230 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4231 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4232 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
4233 hci_dev_unlock(hdev);
4235 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4239 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4240 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4243 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4244 u16 scid, dcid, result, status;
4245 struct l2cap_chan *chan;
4249 if (cmd_len < sizeof(*rsp))
4252 scid = __le16_to_cpu(rsp->scid);
4253 dcid = __le16_to_cpu(rsp->dcid);
4254 result = __le16_to_cpu(rsp->result);
4255 status = __le16_to_cpu(rsp->status);
4257 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4258 dcid, scid, result, status);
4260 mutex_lock(&conn->chan_lock);
4263 chan = __l2cap_get_chan_by_scid(conn, scid);
4269 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4278 l2cap_chan_lock(chan);
4281 case L2CAP_CR_SUCCESS:
4282 l2cap_state_change(chan, BT_CONFIG);
4285 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4287 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4290 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4291 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4292 chan->num_conf_req++;
4296 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4300 l2cap_chan_del(chan, ECONNREFUSED);
4304 l2cap_chan_unlock(chan);
4307 mutex_unlock(&conn->chan_lock);
4312 static inline void set_default_fcs(struct l2cap_chan *chan)
4314 /* FCS is enabled only in ERTM or streaming mode, if one or both
4317 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4318 chan->fcs = L2CAP_FCS_NONE;
4319 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4320 chan->fcs = L2CAP_FCS_CRC16;
4323 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4324 u8 ident, u16 flags)
4326 struct l2cap_conn *conn = chan->conn;
4328 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4331 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4332 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4334 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4335 l2cap_build_conf_rsp(chan, data,
4336 L2CAP_CONF_SUCCESS, flags), data);
4339 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4342 struct l2cap_cmd_rej_cid rej;
4344 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4345 rej.scid = __cpu_to_le16(scid);
4346 rej.dcid = __cpu_to_le16(dcid);
4348 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4351 static inline int l2cap_config_req(struct l2cap_conn *conn,
4352 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4355 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4358 struct l2cap_chan *chan;
4361 if (cmd_len < sizeof(*req))
4364 dcid = __le16_to_cpu(req->dcid);
4365 flags = __le16_to_cpu(req->flags);
4367 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4369 chan = l2cap_get_chan_by_scid(conn, dcid);
4371 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4375 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4376 chan->state != BT_CONNECTED) {
4377 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4382 /* Reject if config buffer is too small. */
4383 len = cmd_len - sizeof(*req);
4384 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4385 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4386 l2cap_build_conf_rsp(chan, rsp,
4387 L2CAP_CONF_REJECT, flags), rsp);
4392 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4393 chan->conf_len += len;
4395 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4396 /* Incomplete config. Send empty response. */
4397 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4398 l2cap_build_conf_rsp(chan, rsp,
4399 L2CAP_CONF_SUCCESS, flags), rsp);
4403 /* Complete config. */
4404 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4406 l2cap_send_disconn_req(chan, ECONNRESET);
4410 chan->ident = cmd->ident;
4411 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4412 chan->num_conf_rsp++;
4414 /* Reset config buffer. */
4417 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4420 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4421 set_default_fcs(chan);
4423 if (chan->mode == L2CAP_MODE_ERTM ||
4424 chan->mode == L2CAP_MODE_STREAMING)
4425 err = l2cap_ertm_init(chan);
4428 l2cap_send_disconn_req(chan, -err);
4430 l2cap_chan_ready(chan);
4435 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4437 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4438 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4439 chan->num_conf_req++;
4442 /* Got Conf Rsp PENDING from remote side and assume we sent
4443 Conf Rsp PENDING in the code above */
4444 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4445 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4447 /* check compatibility */
4449 /* Send rsp for BR/EDR channel */
4451 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4453 chan->ident = cmd->ident;
4457 l2cap_chan_unlock(chan);
4461 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4462 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4465 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4466 u16 scid, flags, result;
4467 struct l2cap_chan *chan;
4468 int len = cmd_len - sizeof(*rsp);
4471 if (cmd_len < sizeof(*rsp))
4474 scid = __le16_to_cpu(rsp->scid);
4475 flags = __le16_to_cpu(rsp->flags);
4476 result = __le16_to_cpu(rsp->result);
4478 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4481 chan = l2cap_get_chan_by_scid(conn, scid);
4486 case L2CAP_CONF_SUCCESS:
4487 l2cap_conf_rfc_get(chan, rsp->data, len);
4488 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4491 case L2CAP_CONF_PENDING:
4492 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4494 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4497 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4498 buf, sizeof(buf), &result);
4500 l2cap_send_disconn_req(chan, ECONNRESET);
4504 if (!chan->hs_hcon) {
4505 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4508 if (l2cap_check_efs(chan)) {
4509 amp_create_logical_link(chan);
4510 chan->ident = cmd->ident;
4516 case L2CAP_CONF_UNACCEPT:
4517 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4520 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4521 l2cap_send_disconn_req(chan, ECONNRESET);
4525 /* throw out any old stored conf requests */
4526 result = L2CAP_CONF_SUCCESS;
4527 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4528 req, sizeof(req), &result);
4530 l2cap_send_disconn_req(chan, ECONNRESET);
4534 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4535 L2CAP_CONF_REQ, len, req);
4536 chan->num_conf_req++;
4537 if (result != L2CAP_CONF_SUCCESS)
4544 l2cap_chan_set_err(chan, ECONNRESET);
4546 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4547 l2cap_send_disconn_req(chan, ECONNRESET);
4551 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4554 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4556 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4557 set_default_fcs(chan);
4559 if (chan->mode == L2CAP_MODE_ERTM ||
4560 chan->mode == L2CAP_MODE_STREAMING)
4561 err = l2cap_ertm_init(chan);
4564 l2cap_send_disconn_req(chan, -err);
4566 l2cap_chan_ready(chan);
4570 l2cap_chan_unlock(chan);
4574 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4575 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4578 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4579 struct l2cap_disconn_rsp rsp;
4581 struct l2cap_chan *chan;
4583 if (cmd_len != sizeof(*req))
4586 scid = __le16_to_cpu(req->scid);
4587 dcid = __le16_to_cpu(req->dcid);
4589 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4591 mutex_lock(&conn->chan_lock);
4593 chan = __l2cap_get_chan_by_scid(conn, dcid);
4595 mutex_unlock(&conn->chan_lock);
4596 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4600 l2cap_chan_hold(chan);
4601 l2cap_chan_lock(chan);
4603 rsp.dcid = cpu_to_le16(chan->scid);
4604 rsp.scid = cpu_to_le16(chan->dcid);
4605 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4607 chan->ops->set_shutdown(chan);
4609 l2cap_chan_del(chan, ECONNRESET);
4611 chan->ops->close(chan);
4613 l2cap_chan_unlock(chan);
4614 l2cap_chan_put(chan);
4616 mutex_unlock(&conn->chan_lock);
4621 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4622 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4625 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4627 struct l2cap_chan *chan;
4629 if (cmd_len != sizeof(*rsp))
4632 scid = __le16_to_cpu(rsp->scid);
4633 dcid = __le16_to_cpu(rsp->dcid);
4635 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4637 mutex_lock(&conn->chan_lock);
4639 chan = __l2cap_get_chan_by_scid(conn, scid);
4641 mutex_unlock(&conn->chan_lock);
4645 l2cap_chan_hold(chan);
4646 l2cap_chan_lock(chan);
4648 if (chan->state != BT_DISCONN) {
4649 l2cap_chan_unlock(chan);
4650 l2cap_chan_put(chan);
4651 mutex_unlock(&conn->chan_lock);
4655 l2cap_chan_del(chan, 0);
4657 chan->ops->close(chan);
4659 l2cap_chan_unlock(chan);
4660 l2cap_chan_put(chan);
4662 mutex_unlock(&conn->chan_lock);
4667 static inline int l2cap_information_req(struct l2cap_conn *conn,
4668 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4671 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4674 if (cmd_len != sizeof(*req))
4677 type = __le16_to_cpu(req->type);
4679 BT_DBG("type 0x%4.4x", type);
4681 if (type == L2CAP_IT_FEAT_MASK) {
4683 u32 feat_mask = l2cap_feat_mask;
4684 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4685 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4686 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4688 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4690 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4691 feat_mask |= L2CAP_FEAT_EXT_FLOW
4692 | L2CAP_FEAT_EXT_WINDOW;
4694 put_unaligned_le32(feat_mask, rsp->data);
4695 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4697 } else if (type == L2CAP_IT_FIXED_CHAN) {
4699 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4701 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4702 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4703 rsp->data[0] = conn->local_fixed_chan;
4704 memset(rsp->data + 1, 0, 7);
4705 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4708 struct l2cap_info_rsp rsp;
4709 rsp.type = cpu_to_le16(type);
4710 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4711 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4718 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4719 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4722 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4725 if (cmd_len < sizeof(*rsp))
4728 type = __le16_to_cpu(rsp->type);
4729 result = __le16_to_cpu(rsp->result);
4731 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4733 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4734 if (cmd->ident != conn->info_ident ||
4735 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4738 cancel_delayed_work(&conn->info_timer);
4740 if (result != L2CAP_IR_SUCCESS) {
4741 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4742 conn->info_ident = 0;
4744 l2cap_conn_start(conn);
4750 case L2CAP_IT_FEAT_MASK:
4751 conn->feat_mask = get_unaligned_le32(rsp->data);
4753 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4754 struct l2cap_info_req req;
4755 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4757 conn->info_ident = l2cap_get_ident(conn);
4759 l2cap_send_cmd(conn, conn->info_ident,
4760 L2CAP_INFO_REQ, sizeof(req), &req);
4762 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4763 conn->info_ident = 0;
4765 l2cap_conn_start(conn);
4769 case L2CAP_IT_FIXED_CHAN:
4770 conn->remote_fixed_chan = rsp->data[0];
4771 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4772 conn->info_ident = 0;
4774 l2cap_conn_start(conn);
4781 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4782 struct l2cap_cmd_hdr *cmd,
4783 u16 cmd_len, void *data)
4785 struct l2cap_create_chan_req *req = data;
4786 struct l2cap_create_chan_rsp rsp;
4787 struct l2cap_chan *chan;
4788 struct hci_dev *hdev;
4791 if (cmd_len != sizeof(*req))
4794 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4797 psm = le16_to_cpu(req->psm);
4798 scid = le16_to_cpu(req->scid);
4800 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4802 /* For controller id 0 make BR/EDR connection */
4803 if (req->amp_id == AMP_ID_BREDR) {
4804 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4809 /* Validate AMP controller id */
4810 hdev = hci_dev_get(req->amp_id);
4814 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4819 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4822 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4823 struct hci_conn *hs_hcon;
4825 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4829 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4834 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4836 mgr->bredr_chan = chan;
4837 chan->hs_hcon = hs_hcon;
4838 chan->fcs = L2CAP_FCS_NONE;
4839 conn->mtu = hdev->block_mtu;
4848 rsp.scid = cpu_to_le16(scid);
4849 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4850 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4852 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4858 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4860 struct l2cap_move_chan_req req;
4863 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4865 ident = l2cap_get_ident(chan->conn);
4866 chan->ident = ident;
4868 req.icid = cpu_to_le16(chan->scid);
4869 req.dest_amp_id = dest_amp_id;
4871 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4874 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4877 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4879 struct l2cap_move_chan_rsp rsp;
4881 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4883 rsp.icid = cpu_to_le16(chan->dcid);
4884 rsp.result = cpu_to_le16(result);
4886 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4890 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4892 struct l2cap_move_chan_cfm cfm;
4894 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4896 chan->ident = l2cap_get_ident(chan->conn);
4898 cfm.icid = cpu_to_le16(chan->scid);
4899 cfm.result = cpu_to_le16(result);
4901 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4904 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4907 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4909 struct l2cap_move_chan_cfm cfm;
4911 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4913 cfm.icid = cpu_to_le16(icid);
4914 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4916 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4920 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4923 struct l2cap_move_chan_cfm_rsp rsp;
4925 BT_DBG("icid 0x%4.4x", icid);
4927 rsp.icid = cpu_to_le16(icid);
4928 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4931 static void __release_logical_link(struct l2cap_chan *chan)
4933 chan->hs_hchan = NULL;
4934 chan->hs_hcon = NULL;
4936 /* Placeholder - release the logical link */
4939 static void l2cap_logical_fail(struct l2cap_chan *chan)
4941 /* Logical link setup failed */
4942 if (chan->state != BT_CONNECTED) {
4943 /* Create channel failure, disconnect */
4944 l2cap_send_disconn_req(chan, ECONNRESET);
4948 switch (chan->move_role) {
4949 case L2CAP_MOVE_ROLE_RESPONDER:
4950 l2cap_move_done(chan);
4951 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4953 case L2CAP_MOVE_ROLE_INITIATOR:
4954 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4955 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4956 /* Remote has only sent pending or
4957 * success responses, clean up
4959 l2cap_move_done(chan);
4962 /* Other amp move states imply that the move
4963 * has already aborted
4965 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4970 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4971 struct hci_chan *hchan)
4973 struct l2cap_conf_rsp rsp;
4975 chan->hs_hchan = hchan;
4976 chan->hs_hcon->l2cap_data = chan->conn;
4978 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4980 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4983 set_default_fcs(chan);
4985 err = l2cap_ertm_init(chan);
4987 l2cap_send_disconn_req(chan, -err);
4989 l2cap_chan_ready(chan);
4993 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4994 struct hci_chan *hchan)
4996 chan->hs_hcon = hchan->conn;
4997 chan->hs_hcon->l2cap_data = chan->conn;
4999 BT_DBG("move_state %d", chan->move_state);
5001 switch (chan->move_state) {
5002 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5003 /* Move confirm will be sent after a success
5004 * response is received
5006 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5008 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
5009 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5010 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5011 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5012 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5013 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5014 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5015 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5016 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5020 /* Move was not in expected state, free the channel */
5021 __release_logical_link(chan);
5023 chan->move_state = L2CAP_MOVE_STABLE;
5027 /* Call with chan locked */
5028 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
5031 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
5034 l2cap_logical_fail(chan);
5035 __release_logical_link(chan);
5039 if (chan->state != BT_CONNECTED) {
5040 /* Ignore logical link if channel is on BR/EDR */
5041 if (chan->local_amp_id != AMP_ID_BREDR)
5042 l2cap_logical_finish_create(chan, hchan);
5044 l2cap_logical_finish_move(chan, hchan);
5048 void l2cap_move_start(struct l2cap_chan *chan)
5050 BT_DBG("chan %p", chan);
5052 if (chan->local_amp_id == AMP_ID_BREDR) {
5053 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
5055 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5056 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5057 /* Placeholder - start physical link setup */
5059 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5060 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5062 l2cap_move_setup(chan);
5063 l2cap_send_move_chan_req(chan, 0);
5067 static void l2cap_do_create(struct l2cap_chan *chan, int result,
5068 u8 local_amp_id, u8 remote_amp_id)
5070 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
5071 local_amp_id, remote_amp_id);
5073 chan->fcs = L2CAP_FCS_NONE;
5075 /* Outgoing channel on AMP */
5076 if (chan->state == BT_CONNECT) {
5077 if (result == L2CAP_CR_SUCCESS) {
5078 chan->local_amp_id = local_amp_id;
5079 l2cap_send_create_chan_req(chan, remote_amp_id);
5081 /* Revert to BR/EDR connect */
5082 l2cap_send_conn_req(chan);
5088 /* Incoming channel on AMP */
5089 if (__l2cap_no_conn_pending(chan)) {
5090 struct l2cap_conn_rsp rsp;
5092 rsp.scid = cpu_to_le16(chan->dcid);
5093 rsp.dcid = cpu_to_le16(chan->scid);
5095 if (result == L2CAP_CR_SUCCESS) {
5096 /* Send successful response */
5097 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
5098 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5100 /* Send negative response */
5101 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
5102 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5105 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
5108 if (result == L2CAP_CR_SUCCESS) {
5109 l2cap_state_change(chan, BT_CONFIG);
5110 set_bit(CONF_REQ_SENT, &chan->conf_state);
5111 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
5113 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
5114 chan->num_conf_req++;
5119 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
5122 l2cap_move_setup(chan);
5123 chan->move_id = local_amp_id;
5124 chan->move_state = L2CAP_MOVE_WAIT_RSP;
5126 l2cap_send_move_chan_req(chan, remote_amp_id);
5129 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
5131 struct hci_chan *hchan = NULL;
5133 /* Placeholder - get hci_chan for logical link */
5136 if (hchan->state == BT_CONNECTED) {
5137 /* Logical link is ready to go */
5138 chan->hs_hcon = hchan->conn;
5139 chan->hs_hcon->l2cap_data = chan->conn;
5140 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5141 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5143 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5145 /* Wait for logical link to be ready */
5146 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5149 /* Logical link not available */
5150 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5154 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5156 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5158 if (result == -EINVAL)
5159 rsp_result = L2CAP_MR_BAD_ID;
5161 rsp_result = L2CAP_MR_NOT_ALLOWED;
5163 l2cap_send_move_chan_rsp(chan, rsp_result);
5166 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5167 chan->move_state = L2CAP_MOVE_STABLE;
5169 /* Restart data transmission */
5170 l2cap_ertm_send(chan);
5173 /* Invoke with locked chan */
5174 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5176 u8 local_amp_id = chan->local_amp_id;
5177 u8 remote_amp_id = chan->remote_amp_id;
5179 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5180 chan, result, local_amp_id, remote_amp_id);
5182 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
5185 if (chan->state != BT_CONNECTED) {
5186 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5187 } else if (result != L2CAP_MR_SUCCESS) {
5188 l2cap_do_move_cancel(chan, result);
5190 switch (chan->move_role) {
5191 case L2CAP_MOVE_ROLE_INITIATOR:
5192 l2cap_do_move_initiate(chan, local_amp_id,
5195 case L2CAP_MOVE_ROLE_RESPONDER:
5196 l2cap_do_move_respond(chan, result);
5199 l2cap_do_move_cancel(chan, result);
5205 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5206 struct l2cap_cmd_hdr *cmd,
5207 u16 cmd_len, void *data)
5209 struct l2cap_move_chan_req *req = data;
5210 struct l2cap_move_chan_rsp rsp;
5211 struct l2cap_chan *chan;
5213 u16 result = L2CAP_MR_NOT_ALLOWED;
5215 if (cmd_len != sizeof(*req))
5218 icid = le16_to_cpu(req->icid);
5220 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5222 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
5225 chan = l2cap_get_chan_by_dcid(conn, icid);
5227 rsp.icid = cpu_to_le16(icid);
5228 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5229 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5234 chan->ident = cmd->ident;
5236 if (chan->scid < L2CAP_CID_DYN_START ||
5237 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5238 (chan->mode != L2CAP_MODE_ERTM &&
5239 chan->mode != L2CAP_MODE_STREAMING)) {
5240 result = L2CAP_MR_NOT_ALLOWED;
5241 goto send_move_response;
5244 if (chan->local_amp_id == req->dest_amp_id) {
5245 result = L2CAP_MR_SAME_ID;
5246 goto send_move_response;
5249 if (req->dest_amp_id != AMP_ID_BREDR) {
5250 struct hci_dev *hdev;
5251 hdev = hci_dev_get(req->dest_amp_id);
5252 if (!hdev || hdev->dev_type != HCI_AMP ||
5253 !test_bit(HCI_UP, &hdev->flags)) {
5257 result = L2CAP_MR_BAD_ID;
5258 goto send_move_response;
5263 /* Detect a move collision. Only send a collision response
5264 * if this side has "lost", otherwise proceed with the move.
5265 * The winner has the larger bd_addr.
5267 if ((__chan_is_moving(chan) ||
5268 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5269 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5270 result = L2CAP_MR_COLLISION;
5271 goto send_move_response;
5274 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5275 l2cap_move_setup(chan);
5276 chan->move_id = req->dest_amp_id;
5278 if (req->dest_amp_id == AMP_ID_BREDR) {
5279 /* Moving to BR/EDR */
5280 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5281 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5282 result = L2CAP_MR_PEND;
5284 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5285 result = L2CAP_MR_SUCCESS;
5288 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5289 /* Placeholder - uncomment when amp functions are available */
5290 /*amp_accept_physical(chan, req->dest_amp_id);*/
5291 result = L2CAP_MR_PEND;
5295 l2cap_send_move_chan_rsp(chan, result);
5297 l2cap_chan_unlock(chan);
5302 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5304 struct l2cap_chan *chan;
5305 struct hci_chan *hchan = NULL;
5307 chan = l2cap_get_chan_by_scid(conn, icid);
5309 l2cap_send_move_chan_cfm_icid(conn, icid);
5313 __clear_chan_timer(chan);
5314 if (result == L2CAP_MR_PEND)
5315 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5317 switch (chan->move_state) {
5318 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5319 /* Move confirm will be sent when logical link
5322 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5324 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5325 if (result == L2CAP_MR_PEND) {
5327 } else if (test_bit(CONN_LOCAL_BUSY,
5328 &chan->conn_state)) {
5329 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5331 /* Logical link is up or moving to BR/EDR,
5334 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5335 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5338 case L2CAP_MOVE_WAIT_RSP:
5340 if (result == L2CAP_MR_SUCCESS) {
5341 /* Remote is ready, send confirm immediately
5342 * after logical link is ready
5344 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5346 /* Both logical link and move success
5347 * are required to confirm
5349 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5352 /* Placeholder - get hci_chan for logical link */
5354 /* Logical link not available */
5355 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5359 /* If the logical link is not yet connected, do not
5360 * send confirmation.
5362 if (hchan->state != BT_CONNECTED)
5365 /* Logical link is already ready to go */
5367 chan->hs_hcon = hchan->conn;
5368 chan->hs_hcon->l2cap_data = chan->conn;
5370 if (result == L2CAP_MR_SUCCESS) {
5371 /* Can confirm now */
5372 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5374 /* Now only need move success
5377 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5380 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5383 /* Any other amp move state means the move failed. */
5384 chan->move_id = chan->local_amp_id;
5385 l2cap_move_done(chan);
5386 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5389 l2cap_chan_unlock(chan);
5392 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5395 struct l2cap_chan *chan;
5397 chan = l2cap_get_chan_by_ident(conn, ident);
5399 /* Could not locate channel, icid is best guess */
5400 l2cap_send_move_chan_cfm_icid(conn, icid);
5404 __clear_chan_timer(chan);
5406 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5407 if (result == L2CAP_MR_COLLISION) {
5408 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5410 /* Cleanup - cancel move */
5411 chan->move_id = chan->local_amp_id;
5412 l2cap_move_done(chan);
5416 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5418 l2cap_chan_unlock(chan);
5421 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5422 struct l2cap_cmd_hdr *cmd,
5423 u16 cmd_len, void *data)
5425 struct l2cap_move_chan_rsp *rsp = data;
5428 if (cmd_len != sizeof(*rsp))
5431 icid = le16_to_cpu(rsp->icid);
5432 result = le16_to_cpu(rsp->result);
5434 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5436 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5437 l2cap_move_continue(conn, icid, result);
5439 l2cap_move_fail(conn, cmd->ident, icid, result);
5444 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5445 struct l2cap_cmd_hdr *cmd,
5446 u16 cmd_len, void *data)
5448 struct l2cap_move_chan_cfm *cfm = data;
5449 struct l2cap_chan *chan;
5452 if (cmd_len != sizeof(*cfm))
5455 icid = le16_to_cpu(cfm->icid);
5456 result = le16_to_cpu(cfm->result);
5458 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5460 chan = l2cap_get_chan_by_dcid(conn, icid);
5462 /* Spec requires a response even if the icid was not found */
5463 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5467 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5468 if (result == L2CAP_MC_CONFIRMED) {
5469 chan->local_amp_id = chan->move_id;
5470 if (chan->local_amp_id == AMP_ID_BREDR)
5471 __release_logical_link(chan);
5473 chan->move_id = chan->local_amp_id;
5476 l2cap_move_done(chan);
5479 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5481 l2cap_chan_unlock(chan);
5486 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5487 struct l2cap_cmd_hdr *cmd,
5488 u16 cmd_len, void *data)
5490 struct l2cap_move_chan_cfm_rsp *rsp = data;
5491 struct l2cap_chan *chan;
5494 if (cmd_len != sizeof(*rsp))
5497 icid = le16_to_cpu(rsp->icid);
5499 BT_DBG("icid 0x%4.4x", icid);
5501 chan = l2cap_get_chan_by_scid(conn, icid);
5505 __clear_chan_timer(chan);
5507 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5508 chan->local_amp_id = chan->move_id;
5510 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5511 __release_logical_link(chan);
5513 l2cap_move_done(chan);
5516 l2cap_chan_unlock(chan);
5521 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5522 struct l2cap_cmd_hdr *cmd,
5523 u16 cmd_len, u8 *data)
5525 struct hci_conn *hcon = conn->hcon;
5526 struct l2cap_conn_param_update_req *req;
5527 struct l2cap_conn_param_update_rsp rsp;
5528 u16 min, max, latency, to_multiplier;
5531 if (hcon->role != HCI_ROLE_MASTER)
5534 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5537 req = (struct l2cap_conn_param_update_req *) data;
5538 min = __le16_to_cpu(req->min);
5539 max = __le16_to_cpu(req->max);
5540 latency = __le16_to_cpu(req->latency);
5541 to_multiplier = __le16_to_cpu(req->to_multiplier);
5543 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5544 min, max, latency, to_multiplier);
5546 memset(&rsp, 0, sizeof(rsp));
5548 err = hci_check_conn_params(min, max, latency, to_multiplier);
5550 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5552 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5554 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5560 store_hint = hci_le_conn_update(hcon, min, max, latency,
5562 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5563 store_hint, min, max, latency,
5571 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5572 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5575 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5576 struct hci_conn *hcon = conn->hcon;
5577 u16 dcid, mtu, mps, credits, result;
5578 struct l2cap_chan *chan;
5581 if (cmd_len < sizeof(*rsp))
5584 dcid = __le16_to_cpu(rsp->dcid);
5585 mtu = __le16_to_cpu(rsp->mtu);
5586 mps = __le16_to_cpu(rsp->mps);
5587 credits = __le16_to_cpu(rsp->credits);
5588 result = __le16_to_cpu(rsp->result);
5590 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5591 dcid < L2CAP_CID_DYN_START ||
5592 dcid > L2CAP_CID_LE_DYN_END))
5595 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5596 dcid, mtu, mps, credits, result);
5598 mutex_lock(&conn->chan_lock);
5600 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5608 l2cap_chan_lock(chan);
5611 case L2CAP_CR_LE_SUCCESS:
5612 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5620 chan->remote_mps = mps;
5621 chan->tx_credits = credits;
5622 l2cap_chan_ready(chan);
5625 case L2CAP_CR_LE_AUTHENTICATION:
5626 case L2CAP_CR_LE_ENCRYPTION:
5627 /* If we already have MITM protection we can't do
5630 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5631 l2cap_chan_del(chan, ECONNREFUSED);
5635 sec_level = hcon->sec_level + 1;
5636 if (chan->sec_level < sec_level)
5637 chan->sec_level = sec_level;
5639 /* We'll need to send a new Connect Request */
5640 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5642 smp_conn_security(hcon, chan->sec_level);
5646 l2cap_chan_del(chan, ECONNREFUSED);
5650 l2cap_chan_unlock(chan);
5653 mutex_unlock(&conn->chan_lock);
5658 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5659 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5664 switch (cmd->code) {
5665 case L2CAP_COMMAND_REJ:
5666 l2cap_command_rej(conn, cmd, cmd_len, data);
5669 case L2CAP_CONN_REQ:
5670 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5673 case L2CAP_CONN_RSP:
5674 case L2CAP_CREATE_CHAN_RSP:
5675 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5678 case L2CAP_CONF_REQ:
5679 err = l2cap_config_req(conn, cmd, cmd_len, data);
5682 case L2CAP_CONF_RSP:
5683 l2cap_config_rsp(conn, cmd, cmd_len, data);
5686 case L2CAP_DISCONN_REQ:
5687 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5690 case L2CAP_DISCONN_RSP:
5691 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5694 case L2CAP_ECHO_REQ:
5695 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5698 case L2CAP_ECHO_RSP:
5701 case L2CAP_INFO_REQ:
5702 err = l2cap_information_req(conn, cmd, cmd_len, data);
5705 case L2CAP_INFO_RSP:
5706 l2cap_information_rsp(conn, cmd, cmd_len, data);
5709 case L2CAP_CREATE_CHAN_REQ:
5710 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5713 case L2CAP_MOVE_CHAN_REQ:
5714 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5717 case L2CAP_MOVE_CHAN_RSP:
5718 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5721 case L2CAP_MOVE_CHAN_CFM:
5722 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5725 case L2CAP_MOVE_CHAN_CFM_RSP:
5726 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5730 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5738 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5739 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5742 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5743 struct l2cap_le_conn_rsp rsp;
5744 struct l2cap_chan *chan, *pchan;
5745 u16 dcid, scid, credits, mtu, mps;
5749 if (cmd_len != sizeof(*req))
5752 scid = __le16_to_cpu(req->scid);
5753 mtu = __le16_to_cpu(req->mtu);
5754 mps = __le16_to_cpu(req->mps);
5759 if (mtu < 23 || mps < 23)
5762 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5765 /* Check if we have socket listening on psm */
5766 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5767 &conn->hcon->dst, LE_LINK);
5769 result = L2CAP_CR_LE_BAD_PSM;
5774 mutex_lock(&conn->chan_lock);
5775 l2cap_chan_lock(pchan);
5777 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5779 result = L2CAP_CR_LE_AUTHENTICATION;
5781 goto response_unlock;
5784 /* Check for valid dynamic CID range */
5785 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5786 result = L2CAP_CR_LE_INVALID_SCID;
5788 goto response_unlock;
5791 /* Check if we already have channel with that dcid */
5792 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5793 result = L2CAP_CR_LE_SCID_IN_USE;
5795 goto response_unlock;
5798 chan = pchan->ops->new_connection(pchan);
5800 result = L2CAP_CR_LE_NO_MEM;
5801 goto response_unlock;
5804 bacpy(&chan->src, &conn->hcon->src);
5805 bacpy(&chan->dst, &conn->hcon->dst);
5806 chan->src_type = bdaddr_src_type(conn->hcon);
5807 chan->dst_type = bdaddr_dst_type(conn->hcon);
5811 chan->remote_mps = mps;
5813 __l2cap_chan_add(conn, chan);
5815 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5818 credits = chan->rx_credits;
5820 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5822 chan->ident = cmd->ident;
5824 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5825 l2cap_state_change(chan, BT_CONNECT2);
5826 /* The following result value is actually not defined
5827 * for LE CoC but we use it to let the function know
5828 * that it should bail out after doing its cleanup
5829 * instead of sending a response.
5831 result = L2CAP_CR_PEND;
5832 chan->ops->defer(chan);
5834 l2cap_chan_ready(chan);
5835 result = L2CAP_CR_LE_SUCCESS;
5839 l2cap_chan_unlock(pchan);
5840 mutex_unlock(&conn->chan_lock);
5841 l2cap_chan_put(pchan);
5843 if (result == L2CAP_CR_PEND)
5848 rsp.mtu = cpu_to_le16(chan->imtu);
5849 rsp.mps = cpu_to_le16(chan->mps);
5855 rsp.dcid = cpu_to_le16(dcid);
5856 rsp.credits = cpu_to_le16(credits);
5857 rsp.result = cpu_to_le16(result);
5859 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5864 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5865 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5868 struct l2cap_le_credits *pkt;
5869 struct l2cap_chan *chan;
5870 u16 cid, credits, max_credits;
5872 if (cmd_len != sizeof(*pkt))
5875 pkt = (struct l2cap_le_credits *) data;
5876 cid = __le16_to_cpu(pkt->cid);
5877 credits = __le16_to_cpu(pkt->credits);
5879 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5881 chan = l2cap_get_chan_by_dcid(conn, cid);
5885 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5886 if (credits > max_credits) {
5887 BT_ERR("LE credits overflow");
5888 l2cap_send_disconn_req(chan, ECONNRESET);
5889 l2cap_chan_unlock(chan);
5891 /* Return 0 so that we don't trigger an unnecessary
5892 * command reject packet.
5897 chan->tx_credits += credits;
5899 /* Resume sending */
5900 l2cap_le_flowctl_send(chan);
5902 if (chan->tx_credits)
5903 chan->ops->resume(chan);
5905 l2cap_chan_unlock(chan);
5910 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5911 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5914 struct l2cap_ecred_conn_req *req = (void *) data;
5916 struct l2cap_ecred_conn_rsp rsp;
5919 struct l2cap_chan *chan, *pchan;
5929 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5930 result = L2CAP_CR_LE_INVALID_PARAMS;
5934 mtu = __le16_to_cpu(req->mtu);
5935 mps = __le16_to_cpu(req->mps);
5937 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5938 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5944 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5946 memset(&pdu, 0, sizeof(pdu));
5948 /* Check if we have socket listening on psm */
5949 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5950 &conn->hcon->dst, LE_LINK);
5952 result = L2CAP_CR_LE_BAD_PSM;
5956 mutex_lock(&conn->chan_lock);
5957 l2cap_chan_lock(pchan);
5959 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5961 result = L2CAP_CR_LE_AUTHENTICATION;
5965 result = L2CAP_CR_LE_SUCCESS;
5966 cmd_len -= sizeof(*req);
5967 num_scid = cmd_len / sizeof(u16);
5969 for (i = 0; i < num_scid; i++) {
5970 u16 scid = __le16_to_cpu(req->scid[i]);
5972 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5974 pdu.dcid[i] = 0x0000;
5975 len += sizeof(*pdu.dcid);
5977 /* Check for valid dynamic CID range */
5978 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5979 result = L2CAP_CR_LE_INVALID_SCID;
5983 /* Check if we already have channel with that dcid */
5984 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5985 result = L2CAP_CR_LE_SCID_IN_USE;
5989 chan = pchan->ops->new_connection(pchan);
5991 result = L2CAP_CR_LE_NO_MEM;
5995 bacpy(&chan->src, &conn->hcon->src);
5996 bacpy(&chan->dst, &conn->hcon->dst);
5997 chan->src_type = bdaddr_src_type(conn->hcon);
5998 chan->dst_type = bdaddr_dst_type(conn->hcon);
6002 chan->remote_mps = mps;
6004 __l2cap_chan_add(conn, chan);
6006 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6009 if (!pdu.rsp.credits) {
6010 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6011 pdu.rsp.mps = cpu_to_le16(chan->mps);
6012 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6015 pdu.dcid[i] = cpu_to_le16(chan->scid);
6017 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6019 chan->ident = cmd->ident;
6021 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6022 l2cap_state_change(chan, BT_CONNECT2);
6024 chan->ops->defer(chan);
6026 l2cap_chan_ready(chan);
6031 l2cap_chan_unlock(pchan);
6032 mutex_unlock(&conn->chan_lock);
6033 l2cap_chan_put(pchan);
6036 pdu.rsp.result = cpu_to_le16(result);
6041 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6042 sizeof(pdu.rsp) + len, &pdu);
6047 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6048 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6051 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6052 struct hci_conn *hcon = conn->hcon;
6053 u16 mtu, mps, credits, result;
6054 struct l2cap_chan *chan;
6055 int err = 0, sec_level;
6058 if (cmd_len < sizeof(*rsp))
6061 mtu = __le16_to_cpu(rsp->mtu);
6062 mps = __le16_to_cpu(rsp->mps);
6063 credits = __le16_to_cpu(rsp->credits);
6064 result = __le16_to_cpu(rsp->result);
6066 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6069 mutex_lock(&conn->chan_lock);
6071 cmd_len -= sizeof(*rsp);
6073 list_for_each_entry(chan, &conn->chan_l, list) {
6076 if (chan->ident != cmd->ident ||
6077 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6078 chan->state == BT_CONNECTED)
6081 l2cap_chan_lock(chan);
6083 /* Check that there is a dcid for each pending channel */
6084 if (cmd_len < sizeof(dcid)) {
6085 l2cap_chan_del(chan, ECONNREFUSED);
6086 l2cap_chan_unlock(chan);
6090 dcid = __le16_to_cpu(rsp->dcid[i++]);
6091 cmd_len -= sizeof(u16);
6093 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6095 /* Check if dcid is already in use */
6096 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6097 /* If a device receives a
6098 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
6099 * already-assigned Destination CID, then both the
6100 * original channel and the new channel shall be
6101 * immediately discarded and not used.
6103 l2cap_chan_del(chan, ECONNREFUSED);
6104 l2cap_chan_unlock(chan);
6105 chan = __l2cap_get_chan_by_dcid(conn, dcid);
6106 l2cap_chan_lock(chan);
6107 l2cap_chan_del(chan, ECONNRESET);
6108 l2cap_chan_unlock(chan);
6113 case L2CAP_CR_LE_AUTHENTICATION:
6114 case L2CAP_CR_LE_ENCRYPTION:
6115 /* If we already have MITM protection we can't do
6118 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6119 l2cap_chan_del(chan, ECONNREFUSED);
6123 sec_level = hcon->sec_level + 1;
6124 if (chan->sec_level < sec_level)
6125 chan->sec_level = sec_level;
6127 /* We'll need to send a new Connect Request */
6128 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6130 smp_conn_security(hcon, chan->sec_level);
6133 case L2CAP_CR_LE_BAD_PSM:
6134 l2cap_chan_del(chan, ECONNREFUSED);
6138 /* If dcid was not set it means channels was refused */
6140 l2cap_chan_del(chan, ECONNREFUSED);
6147 chan->remote_mps = mps;
6148 chan->tx_credits = credits;
6149 l2cap_chan_ready(chan);
6153 l2cap_chan_unlock(chan);
6156 mutex_unlock(&conn->chan_lock);
6161 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6162 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6165 struct l2cap_ecred_reconf_req *req = (void *) data;
6166 struct l2cap_ecred_reconf_rsp rsp;
6167 u16 mtu, mps, result;
6168 struct l2cap_chan *chan;
6174 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6175 result = L2CAP_CR_LE_INVALID_PARAMS;
6179 mtu = __le16_to_cpu(req->mtu);
6180 mps = __le16_to_cpu(req->mps);
6182 BT_DBG("mtu %u mps %u", mtu, mps);
6184 if (mtu < L2CAP_ECRED_MIN_MTU) {
6185 result = L2CAP_RECONF_INVALID_MTU;
6189 if (mps < L2CAP_ECRED_MIN_MPS) {
6190 result = L2CAP_RECONF_INVALID_MPS;
6194 cmd_len -= sizeof(*req);
6195 num_scid = cmd_len / sizeof(u16);
6196 result = L2CAP_RECONF_SUCCESS;
6198 for (i = 0; i < num_scid; i++) {
6201 scid = __le16_to_cpu(req->scid[i]);
6205 chan = __l2cap_get_chan_by_dcid(conn, scid);
6209 /* If the MTU value is decreased for any of the included
6210 * channels, then the receiver shall disconnect all
6211 * included channels.
6213 if (chan->omtu > mtu) {
6214 BT_ERR("chan %p decreased MTU %u -> %u", chan,
6216 result = L2CAP_RECONF_INVALID_MTU;
6220 chan->remote_mps = mps;
6224 rsp.result = cpu_to_le16(result);
6226 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6232 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6233 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6236 struct l2cap_chan *chan;
6237 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6240 if (cmd_len < sizeof(*rsp))
6243 result = __le16_to_cpu(rsp->result);
6245 BT_DBG("result 0x%4.4x", rsp->result);
6250 list_for_each_entry(chan, &conn->chan_l, list) {
6251 if (chan->ident != cmd->ident)
6254 l2cap_chan_del(chan, ECONNRESET);
6260 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
6261 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6264 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
6265 struct l2cap_chan *chan;
6267 if (cmd_len < sizeof(*rej))
6270 mutex_lock(&conn->chan_lock);
6272 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
6276 l2cap_chan_lock(chan);
6277 l2cap_chan_del(chan, ECONNREFUSED);
6278 l2cap_chan_unlock(chan);
6281 mutex_unlock(&conn->chan_lock);
6285 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
6286 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6291 switch (cmd->code) {
6292 case L2CAP_COMMAND_REJ:
6293 l2cap_le_command_rej(conn, cmd, cmd_len, data);
6296 case L2CAP_CONN_PARAM_UPDATE_REQ:
6297 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
6300 case L2CAP_CONN_PARAM_UPDATE_RSP:
6303 case L2CAP_LE_CONN_RSP:
6304 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
6307 case L2CAP_LE_CONN_REQ:
6308 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
6311 case L2CAP_LE_CREDITS:
6312 err = l2cap_le_credits(conn, cmd, cmd_len, data);
6315 case L2CAP_ECRED_CONN_REQ:
6316 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6319 case L2CAP_ECRED_CONN_RSP:
6320 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6323 case L2CAP_ECRED_RECONF_REQ:
6324 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6327 case L2CAP_ECRED_RECONF_RSP:
6328 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
6331 case L2CAP_DISCONN_REQ:
6332 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
6335 case L2CAP_DISCONN_RSP:
6336 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
6340 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
6348 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
6349 struct sk_buff *skb)
6351 struct hci_conn *hcon = conn->hcon;
6352 struct l2cap_cmd_hdr *cmd;
6356 if (hcon->type != LE_LINK)
6359 if (skb->len < L2CAP_CMD_HDR_SIZE)
6362 cmd = (void *) skb->data;
6363 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6365 len = le16_to_cpu(cmd->len);
6367 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
6369 if (len != skb->len || !cmd->ident) {
6370 BT_DBG("corrupted command");
6374 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
6376 struct l2cap_cmd_rej_unk rej;
6378 BT_ERR("Wrong link type (%d)", err);
6380 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6381 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6389 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
6390 struct sk_buff *skb)
6392 struct hci_conn *hcon = conn->hcon;
6393 struct l2cap_cmd_hdr *cmd;
6396 l2cap_raw_recv(conn, skb);
6398 if (hcon->type != ACL_LINK)
6401 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6404 cmd = (void *) skb->data;
6405 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6407 len = le16_to_cpu(cmd->len);
6409 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6412 if (len > skb->len || !cmd->ident) {
6413 BT_DBG("corrupted command");
6417 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
6419 struct l2cap_cmd_rej_unk rej;
6421 BT_ERR("Wrong link type (%d)", err);
6423 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6424 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6435 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
6437 u16 our_fcs, rcv_fcs;
6440 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
6441 hdr_size = L2CAP_EXT_HDR_SIZE;
6443 hdr_size = L2CAP_ENH_HDR_SIZE;
6445 if (chan->fcs == L2CAP_FCS_CRC16) {
6446 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
6447 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
6448 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
6450 if (our_fcs != rcv_fcs)
6456 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
6458 struct l2cap_ctrl control;
6460 BT_DBG("chan %p", chan);
6462 memset(&control, 0, sizeof(control));
6465 control.reqseq = chan->buffer_seq;
6466 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6468 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6469 control.super = L2CAP_SUPER_RNR;
6470 l2cap_send_sframe(chan, &control);
6473 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6474 chan->unacked_frames > 0)
6475 __set_retrans_timer(chan);
6477 /* Send pending iframes */
6478 l2cap_ertm_send(chan);
6480 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6481 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
6482 /* F-bit wasn't sent in an s-frame or i-frame yet, so
6485 control.super = L2CAP_SUPER_RR;
6486 l2cap_send_sframe(chan, &control);
6490 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
6491 struct sk_buff **last_frag)
6493 /* skb->len reflects data in skb as well as all fragments
6494 * skb->data_len reflects only data in fragments
6496 if (!skb_has_frag_list(skb))
6497 skb_shinfo(skb)->frag_list = new_frag;
6499 new_frag->next = NULL;
6501 (*last_frag)->next = new_frag;
6502 *last_frag = new_frag;
6504 skb->len += new_frag->len;
6505 skb->data_len += new_frag->len;
6506 skb->truesize += new_frag->truesize;
6509 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
6510 struct l2cap_ctrl *control)
6514 switch (control->sar) {
6515 case L2CAP_SAR_UNSEGMENTED:
6519 err = chan->ops->recv(chan, skb);
6522 case L2CAP_SAR_START:
6526 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
6529 chan->sdu_len = get_unaligned_le16(skb->data);
6530 skb_pull(skb, L2CAP_SDULEN_SIZE);
6532 if (chan->sdu_len > chan->imtu) {
6537 if (skb->len >= chan->sdu_len)
6541 chan->sdu_last_frag = skb;
6547 case L2CAP_SAR_CONTINUE:
6551 append_skb_frag(chan->sdu, skb,
6552 &chan->sdu_last_frag);
6555 if (chan->sdu->len >= chan->sdu_len)
6565 append_skb_frag(chan->sdu, skb,
6566 &chan->sdu_last_frag);
6569 if (chan->sdu->len != chan->sdu_len)
6572 err = chan->ops->recv(chan, chan->sdu);
6575 /* Reassembly complete */
6577 chan->sdu_last_frag = NULL;
6585 kfree_skb(chan->sdu);
6587 chan->sdu_last_frag = NULL;
6594 static int l2cap_resegment(struct l2cap_chan *chan)
6600 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6604 if (chan->mode != L2CAP_MODE_ERTM)
6607 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6608 l2cap_tx(chan, NULL, NULL, event);
6611 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6614 /* Pass sequential frames to l2cap_reassemble_sdu()
6615 * until a gap is encountered.
6618 BT_DBG("chan %p", chan);
6620 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6621 struct sk_buff *skb;
6622 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6623 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6625 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6630 skb_unlink(skb, &chan->srej_q);
6631 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6632 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6637 if (skb_queue_empty(&chan->srej_q)) {
6638 chan->rx_state = L2CAP_RX_STATE_RECV;
6639 l2cap_send_ack(chan);
6645 static void l2cap_handle_srej(struct l2cap_chan *chan,
6646 struct l2cap_ctrl *control)
6648 struct sk_buff *skb;
6650 BT_DBG("chan %p, control %p", chan, control);
6652 if (control->reqseq == chan->next_tx_seq) {
6653 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6654 l2cap_send_disconn_req(chan, ECONNRESET);
6658 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6661 BT_DBG("Seq %d not available for retransmission",
6666 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6667 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6668 l2cap_send_disconn_req(chan, ECONNRESET);
6672 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6674 if (control->poll) {
6675 l2cap_pass_to_tx(chan, control);
6677 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6678 l2cap_retransmit(chan, control);
6679 l2cap_ertm_send(chan);
6681 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6682 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6683 chan->srej_save_reqseq = control->reqseq;
6686 l2cap_pass_to_tx_fbit(chan, control);
6688 if (control->final) {
6689 if (chan->srej_save_reqseq != control->reqseq ||
6690 !test_and_clear_bit(CONN_SREJ_ACT,
6692 l2cap_retransmit(chan, control);
6694 l2cap_retransmit(chan, control);
6695 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6696 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6697 chan->srej_save_reqseq = control->reqseq;
6703 static void l2cap_handle_rej(struct l2cap_chan *chan,
6704 struct l2cap_ctrl *control)
6706 struct sk_buff *skb;
6708 BT_DBG("chan %p, control %p", chan, control);
6710 if (control->reqseq == chan->next_tx_seq) {
6711 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6712 l2cap_send_disconn_req(chan, ECONNRESET);
6716 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6718 if (chan->max_tx && skb &&
6719 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6720 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6721 l2cap_send_disconn_req(chan, ECONNRESET);
6725 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6727 l2cap_pass_to_tx(chan, control);
6729 if (control->final) {
6730 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6731 l2cap_retransmit_all(chan, control);
6733 l2cap_retransmit_all(chan, control);
6734 l2cap_ertm_send(chan);
6735 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6736 set_bit(CONN_REJ_ACT, &chan->conn_state);
6740 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6742 BT_DBG("chan %p, txseq %d", chan, txseq);
6744 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6745 chan->expected_tx_seq);
6747 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6748 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6750 /* See notes below regarding "double poll" and
6753 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6754 BT_DBG("Invalid/Ignore - after SREJ");
6755 return L2CAP_TXSEQ_INVALID_IGNORE;
6757 BT_DBG("Invalid - in window after SREJ sent");
6758 return L2CAP_TXSEQ_INVALID;
6762 if (chan->srej_list.head == txseq) {
6763 BT_DBG("Expected SREJ");
6764 return L2CAP_TXSEQ_EXPECTED_SREJ;
6767 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6768 BT_DBG("Duplicate SREJ - txseq already stored");
6769 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6772 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6773 BT_DBG("Unexpected SREJ - not requested");
6774 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6778 if (chan->expected_tx_seq == txseq) {
6779 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6781 BT_DBG("Invalid - txseq outside tx window");
6782 return L2CAP_TXSEQ_INVALID;
6785 return L2CAP_TXSEQ_EXPECTED;
6789 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6790 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6791 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6792 return L2CAP_TXSEQ_DUPLICATE;
6795 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6796 /* A source of invalid packets is a "double poll" condition,
6797 * where delays cause us to send multiple poll packets. If
6798 * the remote stack receives and processes both polls,
6799 * sequence numbers can wrap around in such a way that a
6800 * resent frame has a sequence number that looks like new data
6801 * with a sequence gap. This would trigger an erroneous SREJ
6804 * Fortunately, this is impossible with a tx window that's
6805 * less than half of the maximum sequence number, which allows
6806 * invalid frames to be safely ignored.
6808 * With tx window sizes greater than half of the tx window
6809 * maximum, the frame is invalid and cannot be ignored. This
6810 * causes a disconnect.
6813 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6814 BT_DBG("Invalid/Ignore - txseq outside tx window");
6815 return L2CAP_TXSEQ_INVALID_IGNORE;
6817 BT_DBG("Invalid - txseq outside tx window");
6818 return L2CAP_TXSEQ_INVALID;
6821 BT_DBG("Unexpected - txseq indicates missing frames");
6822 return L2CAP_TXSEQ_UNEXPECTED;
6826 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6827 struct l2cap_ctrl *control,
6828 struct sk_buff *skb, u8 event)
6831 bool skb_in_use = false;
6833 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6837 case L2CAP_EV_RECV_IFRAME:
6838 switch (l2cap_classify_txseq(chan, control->txseq)) {
6839 case L2CAP_TXSEQ_EXPECTED:
6840 l2cap_pass_to_tx(chan, control);
6842 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6843 BT_DBG("Busy, discarding expected seq %d",
6848 chan->expected_tx_seq = __next_seq(chan,
6851 chan->buffer_seq = chan->expected_tx_seq;
6854 err = l2cap_reassemble_sdu(chan, skb, control);
6858 if (control->final) {
6859 if (!test_and_clear_bit(CONN_REJ_ACT,
6860 &chan->conn_state)) {
6862 l2cap_retransmit_all(chan, control);
6863 l2cap_ertm_send(chan);
6867 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6868 l2cap_send_ack(chan);
6870 case L2CAP_TXSEQ_UNEXPECTED:
6871 l2cap_pass_to_tx(chan, control);
6873 /* Can't issue SREJ frames in the local busy state.
6874 * Drop this frame, it will be seen as missing
6875 * when local busy is exited.
6877 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6878 BT_DBG("Busy, discarding unexpected seq %d",
6883 /* There was a gap in the sequence, so an SREJ
6884 * must be sent for each missing frame. The
6885 * current frame is stored for later use.
6887 skb_queue_tail(&chan->srej_q, skb);
6889 BT_DBG("Queued %p (queue len %d)", skb,
6890 skb_queue_len(&chan->srej_q));
6892 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6893 l2cap_seq_list_clear(&chan->srej_list);
6894 l2cap_send_srej(chan, control->txseq);
6896 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6898 case L2CAP_TXSEQ_DUPLICATE:
6899 l2cap_pass_to_tx(chan, control);
6901 case L2CAP_TXSEQ_INVALID_IGNORE:
6903 case L2CAP_TXSEQ_INVALID:
6905 l2cap_send_disconn_req(chan, ECONNRESET);
6909 case L2CAP_EV_RECV_RR:
6910 l2cap_pass_to_tx(chan, control);
6911 if (control->final) {
6912 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6914 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6915 !__chan_is_moving(chan)) {
6917 l2cap_retransmit_all(chan, control);
6920 l2cap_ertm_send(chan);
6921 } else if (control->poll) {
6922 l2cap_send_i_or_rr_or_rnr(chan);
6924 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6925 &chan->conn_state) &&
6926 chan->unacked_frames)
6927 __set_retrans_timer(chan);
6929 l2cap_ertm_send(chan);
6932 case L2CAP_EV_RECV_RNR:
6933 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6934 l2cap_pass_to_tx(chan, control);
6935 if (control && control->poll) {
6936 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6937 l2cap_send_rr_or_rnr(chan, 0);
6939 __clear_retrans_timer(chan);
6940 l2cap_seq_list_clear(&chan->retrans_list);
6942 case L2CAP_EV_RECV_REJ:
6943 l2cap_handle_rej(chan, control);
6945 case L2CAP_EV_RECV_SREJ:
6946 l2cap_handle_srej(chan, control);
6952 if (skb && !skb_in_use) {
6953 BT_DBG("Freeing %p", skb);
6960 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6961 struct l2cap_ctrl *control,
6962 struct sk_buff *skb, u8 event)
6965 u16 txseq = control->txseq;
6966 bool skb_in_use = false;
6968 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6972 case L2CAP_EV_RECV_IFRAME:
6973 switch (l2cap_classify_txseq(chan, txseq)) {
6974 case L2CAP_TXSEQ_EXPECTED:
6975 /* Keep frame for reassembly later */
6976 l2cap_pass_to_tx(chan, control);
6977 skb_queue_tail(&chan->srej_q, skb);
6979 BT_DBG("Queued %p (queue len %d)", skb,
6980 skb_queue_len(&chan->srej_q));
6982 chan->expected_tx_seq = __next_seq(chan, txseq);
6984 case L2CAP_TXSEQ_EXPECTED_SREJ:
6985 l2cap_seq_list_pop(&chan->srej_list);
6987 l2cap_pass_to_tx(chan, control);
6988 skb_queue_tail(&chan->srej_q, skb);
6990 BT_DBG("Queued %p (queue len %d)", skb,
6991 skb_queue_len(&chan->srej_q));
6993 err = l2cap_rx_queued_iframes(chan);
6998 case L2CAP_TXSEQ_UNEXPECTED:
6999 /* Got a frame that can't be reassembled yet.
7000 * Save it for later, and send SREJs to cover
7001 * the missing frames.
7003 skb_queue_tail(&chan->srej_q, skb);
7005 BT_DBG("Queued %p (queue len %d)", skb,
7006 skb_queue_len(&chan->srej_q));
7008 l2cap_pass_to_tx(chan, control);
7009 l2cap_send_srej(chan, control->txseq);
7011 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
7012 /* This frame was requested with an SREJ, but
7013 * some expected retransmitted frames are
7014 * missing. Request retransmission of missing
7017 skb_queue_tail(&chan->srej_q, skb);
7019 BT_DBG("Queued %p (queue len %d)", skb,
7020 skb_queue_len(&chan->srej_q));
7022 l2cap_pass_to_tx(chan, control);
7023 l2cap_send_srej_list(chan, control->txseq);
7025 case L2CAP_TXSEQ_DUPLICATE_SREJ:
7026 /* We've already queued this frame. Drop this copy. */
7027 l2cap_pass_to_tx(chan, control);
7029 case L2CAP_TXSEQ_DUPLICATE:
7030 /* Expecting a later sequence number, so this frame
7031 * was already received. Ignore it completely.
7034 case L2CAP_TXSEQ_INVALID_IGNORE:
7036 case L2CAP_TXSEQ_INVALID:
7038 l2cap_send_disconn_req(chan, ECONNRESET);
7042 case L2CAP_EV_RECV_RR:
7043 l2cap_pass_to_tx(chan, control);
7044 if (control->final) {
7045 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7047 if (!test_and_clear_bit(CONN_REJ_ACT,
7048 &chan->conn_state)) {
7050 l2cap_retransmit_all(chan, control);
7053 l2cap_ertm_send(chan);
7054 } else if (control->poll) {
7055 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7056 &chan->conn_state) &&
7057 chan->unacked_frames) {
7058 __set_retrans_timer(chan);
7061 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7062 l2cap_send_srej_tail(chan);
7064 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7065 &chan->conn_state) &&
7066 chan->unacked_frames)
7067 __set_retrans_timer(chan);
7069 l2cap_send_ack(chan);
7072 case L2CAP_EV_RECV_RNR:
7073 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7074 l2cap_pass_to_tx(chan, control);
7075 if (control->poll) {
7076 l2cap_send_srej_tail(chan);
7078 struct l2cap_ctrl rr_control;
7079 memset(&rr_control, 0, sizeof(rr_control));
7080 rr_control.sframe = 1;
7081 rr_control.super = L2CAP_SUPER_RR;
7082 rr_control.reqseq = chan->buffer_seq;
7083 l2cap_send_sframe(chan, &rr_control);
7087 case L2CAP_EV_RECV_REJ:
7088 l2cap_handle_rej(chan, control);
7090 case L2CAP_EV_RECV_SREJ:
7091 l2cap_handle_srej(chan, control);
7095 if (skb && !skb_in_use) {
7096 BT_DBG("Freeing %p", skb);
7103 static int l2cap_finish_move(struct l2cap_chan *chan)
7105 BT_DBG("chan %p", chan);
7107 chan->rx_state = L2CAP_RX_STATE_RECV;
7110 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7112 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7114 return l2cap_resegment(chan);
7117 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
7118 struct l2cap_ctrl *control,
7119 struct sk_buff *skb, u8 event)
7123 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7129 l2cap_process_reqseq(chan, control->reqseq);
7131 if (!skb_queue_empty(&chan->tx_q))
7132 chan->tx_send_head = skb_peek(&chan->tx_q);
7134 chan->tx_send_head = NULL;
7136 /* Rewind next_tx_seq to the point expected
7139 chan->next_tx_seq = control->reqseq;
7140 chan->unacked_frames = 0;
7142 err = l2cap_finish_move(chan);
7146 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7147 l2cap_send_i_or_rr_or_rnr(chan);
7149 if (event == L2CAP_EV_RECV_IFRAME)
7152 return l2cap_rx_state_recv(chan, control, NULL, event);
7155 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
7156 struct l2cap_ctrl *control,
7157 struct sk_buff *skb, u8 event)
7161 if (!control->final)
7164 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7166 chan->rx_state = L2CAP_RX_STATE_RECV;
7167 l2cap_process_reqseq(chan, control->reqseq);
7169 if (!skb_queue_empty(&chan->tx_q))
7170 chan->tx_send_head = skb_peek(&chan->tx_q);
7172 chan->tx_send_head = NULL;
7174 /* Rewind next_tx_seq to the point expected
7177 chan->next_tx_seq = control->reqseq;
7178 chan->unacked_frames = 0;
7181 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7183 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7185 err = l2cap_resegment(chan);
7188 err = l2cap_rx_state_recv(chan, control, skb, event);
7193 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
7195 /* Make sure reqseq is for a packet that has been sent but not acked */
7198 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
7199 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
7202 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7203 struct sk_buff *skb, u8 event)
7207 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
7208 control, skb, event, chan->rx_state);
7210 if (__valid_reqseq(chan, control->reqseq)) {
7211 switch (chan->rx_state) {
7212 case L2CAP_RX_STATE_RECV:
7213 err = l2cap_rx_state_recv(chan, control, skb, event);
7215 case L2CAP_RX_STATE_SREJ_SENT:
7216 err = l2cap_rx_state_srej_sent(chan, control, skb,
7219 case L2CAP_RX_STATE_WAIT_P:
7220 err = l2cap_rx_state_wait_p(chan, control, skb, event);
7222 case L2CAP_RX_STATE_WAIT_F:
7223 err = l2cap_rx_state_wait_f(chan, control, skb, event);
7230 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
7231 control->reqseq, chan->next_tx_seq,
7232 chan->expected_ack_seq);
7233 l2cap_send_disconn_req(chan, ECONNRESET);
7239 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7240 struct sk_buff *skb)
7242 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
7245 if (l2cap_classify_txseq(chan, control->txseq) ==
7246 L2CAP_TXSEQ_EXPECTED) {
7247 l2cap_pass_to_tx(chan, control);
7249 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
7250 __next_seq(chan, chan->buffer_seq));
7252 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
7254 l2cap_reassemble_sdu(chan, skb, control);
7257 kfree_skb(chan->sdu);
7260 chan->sdu_last_frag = NULL;
7264 BT_DBG("Freeing %p", skb);
7269 chan->last_acked_seq = control->txseq;
7270 chan->expected_tx_seq = __next_seq(chan, control->txseq);
7275 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7277 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
7281 __unpack_control(chan, skb);
7286 * We can just drop the corrupted I-frame here.
7287 * Receiver will miss it and start proper recovery
7288 * procedures and ask for retransmission.
7290 if (l2cap_check_fcs(chan, skb))
7293 if (!control->sframe && control->sar == L2CAP_SAR_START)
7294 len -= L2CAP_SDULEN_SIZE;
7296 if (chan->fcs == L2CAP_FCS_CRC16)
7297 len -= L2CAP_FCS_SIZE;
7299 if (len > chan->mps) {
7300 l2cap_send_disconn_req(chan, ECONNRESET);
7304 if (chan->ops->filter) {
7305 if (chan->ops->filter(chan, skb))
7309 if (!control->sframe) {
7312 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
7313 control->sar, control->reqseq, control->final,
7316 /* Validate F-bit - F=0 always valid, F=1 only
7317 * valid in TX WAIT_F
7319 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
7322 if (chan->mode != L2CAP_MODE_STREAMING) {
7323 event = L2CAP_EV_RECV_IFRAME;
7324 err = l2cap_rx(chan, control, skb, event);
7326 err = l2cap_stream_rx(chan, control, skb);
7330 l2cap_send_disconn_req(chan, ECONNRESET);
7332 const u8 rx_func_to_event[4] = {
7333 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
7334 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
7337 /* Only I-frames are expected in streaming mode */
7338 if (chan->mode == L2CAP_MODE_STREAMING)
7341 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
7342 control->reqseq, control->final, control->poll,
7346 BT_ERR("Trailing bytes: %d in sframe", len);
7347 l2cap_send_disconn_req(chan, ECONNRESET);
7351 /* Validate F and P bits */
7352 if (control->final && (control->poll ||
7353 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
7356 event = rx_func_to_event[control->super];
7357 if (l2cap_rx(chan, control, skb, event))
7358 l2cap_send_disconn_req(chan, ECONNRESET);
7368 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
7370 struct l2cap_conn *conn = chan->conn;
7371 struct l2cap_le_credits pkt;
7374 return_credits = (chan->imtu / chan->mps) + 1;
7376 if (chan->rx_credits >= return_credits)
7379 return_credits -= chan->rx_credits;
7381 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
7383 chan->rx_credits += return_credits;
7385 pkt.cid = cpu_to_le16(chan->scid);
7386 pkt.credits = cpu_to_le16(return_credits);
7388 chan->ident = l2cap_get_ident(conn);
7390 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
7393 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7397 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7399 /* Wait recv to confirm reception before updating the credits */
7400 err = chan->ops->recv(chan, skb);
7402 /* Update credits whenever an SDU is received */
7403 l2cap_chan_le_send_credits(chan);
7408 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7412 if (!chan->rx_credits) {
7413 BT_ERR("No credits to receive LE L2CAP data");
7414 l2cap_send_disconn_req(chan, ECONNRESET);
7418 if (chan->imtu < skb->len) {
7419 BT_ERR("Too big LE L2CAP PDU");
7424 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
7426 /* Update if remote had run out of credits, this should only happens
7427 * if the remote is not using the entire MPS.
7429 if (!chan->rx_credits)
7430 l2cap_chan_le_send_credits(chan);
7437 sdu_len = get_unaligned_le16(skb->data);
7438 skb_pull(skb, L2CAP_SDULEN_SIZE);
7440 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
7441 sdu_len, skb->len, chan->imtu);
7443 if (sdu_len > chan->imtu) {
7444 BT_ERR("Too big LE L2CAP SDU length received");
7449 if (skb->len > sdu_len) {
7450 BT_ERR("Too much LE L2CAP data received");
7455 if (skb->len == sdu_len)
7456 return l2cap_ecred_recv(chan, skb);
7459 chan->sdu_len = sdu_len;
7460 chan->sdu_last_frag = skb;
7462 /* Detect if remote is not able to use the selected MPS */
7463 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
7464 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
7466 /* Adjust the number of credits */
7467 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
7468 chan->mps = mps_len;
7469 l2cap_chan_le_send_credits(chan);
7475 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
7476 chan->sdu->len, skb->len, chan->sdu_len);
7478 if (chan->sdu->len + skb->len > chan->sdu_len) {
7479 BT_ERR("Too much LE L2CAP data received");
7484 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
7487 if (chan->sdu->len == chan->sdu_len) {
7488 err = l2cap_ecred_recv(chan, chan->sdu);
7491 chan->sdu_last_frag = NULL;
7499 kfree_skb(chan->sdu);
7501 chan->sdu_last_frag = NULL;
7505 /* We can't return an error here since we took care of the skb
7506 * freeing internally. An error return would cause the caller to
7507 * do a double-free of the skb.
7512 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
7513 struct sk_buff *skb)
7515 struct l2cap_chan *chan;
7517 chan = l2cap_get_chan_by_scid(conn, cid);
7519 if (cid == L2CAP_CID_A2MP) {
7520 chan = a2mp_channel_create(conn, skb);
7526 l2cap_chan_lock(chan);
7528 BT_DBG("unknown cid 0x%4.4x", cid);
7529 /* Drop packet and return */
7535 BT_DBG("chan %p, len %d", chan, skb->len);
7537 /* If we receive data on a fixed channel before the info req/rsp
7538 * procdure is done simply assume that the channel is supported
7539 * and mark it as ready.
7541 if (chan->chan_type == L2CAP_CHAN_FIXED)
7542 l2cap_chan_ready(chan);
7544 if (chan->state != BT_CONNECTED)
7547 switch (chan->mode) {
7548 case L2CAP_MODE_LE_FLOWCTL:
7549 case L2CAP_MODE_EXT_FLOWCTL:
7550 if (l2cap_ecred_data_rcv(chan, skb) < 0)
7555 case L2CAP_MODE_BASIC:
7556 /* If socket recv buffers overflows we drop data here
7557 * which is *bad* because L2CAP has to be reliable.
7558 * But we don't have any other choice. L2CAP doesn't
7559 * provide flow control mechanism. */
7561 if (chan->imtu < skb->len) {
7562 BT_ERR("Dropping L2CAP data: receive buffer overflow");
7566 if (!chan->ops->recv(chan, skb))
7570 case L2CAP_MODE_ERTM:
7571 case L2CAP_MODE_STREAMING:
7572 l2cap_data_rcv(chan, skb);
7576 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7584 l2cap_chan_unlock(chan);
7587 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7588 struct sk_buff *skb)
7590 struct hci_conn *hcon = conn->hcon;
7591 struct l2cap_chan *chan;
7593 if (hcon->type != ACL_LINK)
7596 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7601 BT_DBG("chan %p, len %d", chan, skb->len);
7603 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7606 if (chan->imtu < skb->len)
7609 /* Store remote BD_ADDR and PSM for msg_name */
7610 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7611 bt_cb(skb)->l2cap.psm = psm;
7613 if (!chan->ops->recv(chan, skb)) {
7614 l2cap_chan_put(chan);
7619 l2cap_chan_put(chan);
7624 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7626 struct l2cap_hdr *lh = (void *) skb->data;
7627 struct hci_conn *hcon = conn->hcon;
7631 if (hcon->state != BT_CONNECTED) {
7632 BT_DBG("queueing pending rx skb");
7633 skb_queue_tail(&conn->pending_rx, skb);
7637 skb_pull(skb, L2CAP_HDR_SIZE);
7638 cid = __le16_to_cpu(lh->cid);
7639 len = __le16_to_cpu(lh->len);
7641 if (len != skb->len) {
7646 /* Since we can't actively block incoming LE connections we must
7647 * at least ensure that we ignore incoming data from them.
7649 if (hcon->type == LE_LINK &&
7650 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7651 bdaddr_dst_type(hcon))) {
7656 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7659 case L2CAP_CID_SIGNALING:
7660 l2cap_sig_channel(conn, skb);
7663 case L2CAP_CID_CONN_LESS:
7664 psm = get_unaligned((__le16 *) skb->data);
7665 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7666 l2cap_conless_channel(conn, psm, skb);
7669 case L2CAP_CID_LE_SIGNALING:
7670 l2cap_le_sig_channel(conn, skb);
7674 l2cap_data_channel(conn, cid, skb);
7679 static void process_pending_rx(struct work_struct *work)
7681 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7683 struct sk_buff *skb;
7687 while ((skb = skb_dequeue(&conn->pending_rx)))
7688 l2cap_recv_frame(conn, skb);
7691 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7693 struct l2cap_conn *conn = hcon->l2cap_data;
7694 struct hci_chan *hchan;
7699 hchan = hci_chan_create(hcon);
7703 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7705 hci_chan_del(hchan);
7709 kref_init(&conn->ref);
7710 hcon->l2cap_data = conn;
7711 conn->hcon = hci_conn_get(hcon);
7712 conn->hchan = hchan;
7714 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7716 switch (hcon->type) {
7718 if (hcon->hdev->le_mtu) {
7719 conn->mtu = hcon->hdev->le_mtu;
7724 conn->mtu = hcon->hdev->acl_mtu;
7728 conn->feat_mask = 0;
7730 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7732 if (hcon->type == ACL_LINK &&
7733 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7734 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7736 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7737 (bredr_sc_enabled(hcon->hdev) ||
7738 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7739 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7741 mutex_init(&conn->ident_lock);
7742 mutex_init(&conn->chan_lock);
7744 INIT_LIST_HEAD(&conn->chan_l);
7745 INIT_LIST_HEAD(&conn->users);
7747 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7749 skb_queue_head_init(&conn->pending_rx);
7750 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7751 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7753 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7758 static bool is_valid_psm(u16 psm, u8 dst_type) {
7762 if (bdaddr_type_is_le(dst_type))
7763 return (psm <= 0x00ff);
7765 /* PSM must be odd and lsb of upper byte must be 0 */
7766 return ((psm & 0x0101) == 0x0001);
7769 struct l2cap_chan_data {
7770 struct l2cap_chan *chan;
7775 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7777 struct l2cap_chan_data *d = data;
7780 if (chan == d->chan)
7783 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7786 pid = chan->ops->get_peer_pid(chan);
7788 /* Only count deferred channels with the same PID/PSM */
7789 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7790 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7796 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7797 bdaddr_t *dst, u8 dst_type)
7799 struct l2cap_conn *conn;
7800 struct hci_conn *hcon;
7801 struct hci_dev *hdev;
7804 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7805 dst, dst_type, __le16_to_cpu(psm), chan->mode);
7807 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7809 return -EHOSTUNREACH;
7813 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7814 chan->chan_type != L2CAP_CHAN_RAW) {
7819 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7824 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7829 switch (chan->mode) {
7830 case L2CAP_MODE_BASIC:
7832 case L2CAP_MODE_LE_FLOWCTL:
7834 case L2CAP_MODE_EXT_FLOWCTL:
7835 if (!enable_ecred) {
7840 case L2CAP_MODE_ERTM:
7841 case L2CAP_MODE_STREAMING:
7850 switch (chan->state) {
7854 /* Already connecting */
7859 /* Already connected */
7873 /* Set destination address and psm */
7874 bacpy(&chan->dst, dst);
7875 chan->dst_type = dst_type;
7880 if (bdaddr_type_is_le(dst_type)) {
7881 /* Convert from L2CAP channel address type to HCI address type
7883 if (dst_type == BDADDR_LE_PUBLIC)
7884 dst_type = ADDR_LE_DEV_PUBLIC;
7886 dst_type = ADDR_LE_DEV_RANDOM;
7888 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7889 hcon = hci_connect_le(hdev, dst, dst_type,
7891 HCI_LE_CONN_TIMEOUT,
7892 HCI_ROLE_SLAVE, NULL);
7894 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7896 HCI_LE_CONN_TIMEOUT,
7897 CONN_REASON_L2CAP_CHAN);
7900 u8 auth_type = l2cap_get_auth_type(chan);
7901 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7902 CONN_REASON_L2CAP_CHAN);
7906 err = PTR_ERR(hcon);
7910 conn = l2cap_conn_add(hcon);
7912 hci_conn_drop(hcon);
7917 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7918 struct l2cap_chan_data data;
7921 data.pid = chan->ops->get_peer_pid(chan);
7924 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7926 /* Check if there isn't too many channels being connected */
7927 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7928 hci_conn_drop(hcon);
7934 mutex_lock(&conn->chan_lock);
7935 l2cap_chan_lock(chan);
7937 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7938 hci_conn_drop(hcon);
7943 /* Update source addr of the socket */
7944 bacpy(&chan->src, &hcon->src);
7945 chan->src_type = bdaddr_src_type(hcon);
7947 __l2cap_chan_add(conn, chan);
7949 /* l2cap_chan_add takes its own ref so we can drop this one */
7950 hci_conn_drop(hcon);
7952 l2cap_state_change(chan, BT_CONNECT);
7953 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7955 /* Release chan->sport so that it can be reused by other
7956 * sockets (as it's only used for listening sockets).
7958 write_lock(&chan_list_lock);
7960 write_unlock(&chan_list_lock);
7962 if (hcon->state == BT_CONNECTED) {
7963 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7964 __clear_chan_timer(chan);
7965 if (l2cap_chan_check_security(chan, true))
7966 l2cap_state_change(chan, BT_CONNECTED);
7968 l2cap_do_start(chan);
7974 l2cap_chan_unlock(chan);
7975 mutex_unlock(&conn->chan_lock);
7977 hci_dev_unlock(hdev);
7981 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7983 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7985 struct l2cap_conn *conn = chan->conn;
7987 struct l2cap_ecred_reconf_req req;
7991 pdu.req.mtu = cpu_to_le16(chan->imtu);
7992 pdu.req.mps = cpu_to_le16(chan->mps);
7993 pdu.scid = cpu_to_le16(chan->scid);
7995 chan->ident = l2cap_get_ident(conn);
7997 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
8001 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8003 if (chan->imtu > mtu)
8006 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8010 l2cap_ecred_reconfigure(chan);
8015 /* ---- L2CAP interface with lower layer (HCI) ---- */
8017 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
8019 int exact = 0, lm1 = 0, lm2 = 0;
8020 struct l2cap_chan *c;
8022 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
8024 /* Find listening sockets and check their link_mode */
8025 read_lock(&chan_list_lock);
8026 list_for_each_entry(c, &chan_list, global_l) {
8027 if (c->state != BT_LISTEN)
8030 if (!bacmp(&c->src, &hdev->bdaddr)) {
8031 lm1 |= HCI_LM_ACCEPT;
8032 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8033 lm1 |= HCI_LM_MASTER;
8035 } else if (!bacmp(&c->src, BDADDR_ANY)) {
8036 lm2 |= HCI_LM_ACCEPT;
8037 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8038 lm2 |= HCI_LM_MASTER;
8041 read_unlock(&chan_list_lock);
8043 return exact ? lm1 : lm2;
8046 /* Find the next fixed channel in BT_LISTEN state, continue iteration
8047 * from an existing channel in the list or from the beginning of the
8048 * global list (by passing NULL as first parameter).
8050 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
8051 struct hci_conn *hcon)
8053 u8 src_type = bdaddr_src_type(hcon);
8055 read_lock(&chan_list_lock);
8058 c = list_next_entry(c, global_l);
8060 c = list_entry(chan_list.next, typeof(*c), global_l);
8062 list_for_each_entry_from(c, &chan_list, global_l) {
8063 if (c->chan_type != L2CAP_CHAN_FIXED)
8065 if (c->state != BT_LISTEN)
8067 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
8069 if (src_type != c->src_type)
8073 read_unlock(&chan_list_lock);
8077 read_unlock(&chan_list_lock);
8082 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
8084 struct hci_dev *hdev = hcon->hdev;
8085 struct l2cap_conn *conn;
8086 struct l2cap_chan *pchan;
8089 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8092 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
8095 l2cap_conn_del(hcon, bt_to_errno(status));
8099 conn = l2cap_conn_add(hcon);
8103 dst_type = bdaddr_dst_type(hcon);
8105 /* If device is blocked, do not create channels for it */
8106 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
8109 /* Find fixed channels and notify them of the new connection. We
8110 * use multiple individual lookups, continuing each time where
8111 * we left off, because the list lock would prevent calling the
8112 * potentially sleeping l2cap_chan_lock() function.
8114 pchan = l2cap_global_fixed_chan(NULL, hcon);
8116 struct l2cap_chan *chan, *next;
8118 /* Client fixed channels should override server ones */
8119 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
8122 l2cap_chan_lock(pchan);
8123 chan = pchan->ops->new_connection(pchan);
8125 bacpy(&chan->src, &hcon->src);
8126 bacpy(&chan->dst, &hcon->dst);
8127 chan->src_type = bdaddr_src_type(hcon);
8128 chan->dst_type = dst_type;
8130 __l2cap_chan_add(conn, chan);
8133 l2cap_chan_unlock(pchan);
8135 next = l2cap_global_fixed_chan(pchan, hcon);
8136 l2cap_chan_put(pchan);
8140 l2cap_conn_ready(conn);
8143 int l2cap_disconn_ind(struct hci_conn *hcon)
8145 struct l2cap_conn *conn = hcon->l2cap_data;
8147 BT_DBG("hcon %p", hcon);
8150 return HCI_ERROR_REMOTE_USER_TERM;
8151 return conn->disc_reason;
8154 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
8156 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8159 BT_DBG("hcon %p reason %d", hcon, reason);
8161 l2cap_conn_del(hcon, bt_to_errno(reason));
8164 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
8166 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
8169 if (encrypt == 0x00) {
8170 if (chan->sec_level == BT_SECURITY_MEDIUM) {
8171 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
8172 } else if (chan->sec_level == BT_SECURITY_HIGH ||
8173 chan->sec_level == BT_SECURITY_FIPS)
8174 l2cap_chan_close(chan, ECONNREFUSED);
8176 if (chan->sec_level == BT_SECURITY_MEDIUM)
8177 __clear_chan_timer(chan);
8181 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
8183 struct l2cap_conn *conn = hcon->l2cap_data;
8184 struct l2cap_chan *chan;
8189 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
8191 mutex_lock(&conn->chan_lock);
8193 list_for_each_entry(chan, &conn->chan_l, list) {
8194 l2cap_chan_lock(chan);
8196 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
8197 state_to_string(chan->state));
8199 if (chan->scid == L2CAP_CID_A2MP) {
8200 l2cap_chan_unlock(chan);
8204 if (!status && encrypt)
8205 chan->sec_level = hcon->sec_level;
8207 if (!__l2cap_no_conn_pending(chan)) {
8208 l2cap_chan_unlock(chan);
8212 if (!status && (chan->state == BT_CONNECTED ||
8213 chan->state == BT_CONFIG)) {
8214 chan->ops->resume(chan);
8215 l2cap_check_encryption(chan, encrypt);
8216 l2cap_chan_unlock(chan);
8220 if (chan->state == BT_CONNECT) {
8221 if (!status && l2cap_check_enc_key_size(hcon))
8222 l2cap_start_connection(chan);
8224 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8225 } else if (chan->state == BT_CONNECT2 &&
8226 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8227 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
8228 struct l2cap_conn_rsp rsp;
8231 if (!status && l2cap_check_enc_key_size(hcon)) {
8232 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
8233 res = L2CAP_CR_PEND;
8234 stat = L2CAP_CS_AUTHOR_PEND;
8235 chan->ops->defer(chan);
8237 l2cap_state_change(chan, BT_CONFIG);
8238 res = L2CAP_CR_SUCCESS;
8239 stat = L2CAP_CS_NO_INFO;
8242 l2cap_state_change(chan, BT_DISCONN);
8243 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8244 res = L2CAP_CR_SEC_BLOCK;
8245 stat = L2CAP_CS_NO_INFO;
8248 rsp.scid = cpu_to_le16(chan->dcid);
8249 rsp.dcid = cpu_to_le16(chan->scid);
8250 rsp.result = cpu_to_le16(res);
8251 rsp.status = cpu_to_le16(stat);
8252 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
8255 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
8256 res == L2CAP_CR_SUCCESS) {
8258 set_bit(CONF_REQ_SENT, &chan->conf_state);
8259 l2cap_send_cmd(conn, l2cap_get_ident(conn),
8261 l2cap_build_conf_req(chan, buf, sizeof(buf)),
8263 chan->num_conf_req++;
8267 l2cap_chan_unlock(chan);
8270 mutex_unlock(&conn->chan_lock);
8273 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
8275 struct l2cap_conn *conn = hcon->l2cap_data;
8276 struct l2cap_hdr *hdr;
8279 /* For AMP controller do not create l2cap conn */
8280 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
8284 conn = l2cap_conn_add(hcon);
8289 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
8293 case ACL_START_NO_FLUSH:
8296 BT_ERR("Unexpected start frame (len %d)", skb->len);
8297 kfree_skb(conn->rx_skb);
8298 conn->rx_skb = NULL;
8300 l2cap_conn_unreliable(conn, ECOMM);
8303 /* Start fragment always begin with Basic L2CAP header */
8304 if (skb->len < L2CAP_HDR_SIZE) {
8305 BT_ERR("Frame is too short (len %d)", skb->len);
8306 l2cap_conn_unreliable(conn, ECOMM);
8310 hdr = (struct l2cap_hdr *) skb->data;
8311 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
8313 if (len == skb->len) {
8314 /* Complete frame received */
8315 l2cap_recv_frame(conn, skb);
8319 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
8321 if (skb->len > len) {
8322 BT_ERR("Frame is too long (len %d, expected len %d)",
8324 l2cap_conn_unreliable(conn, ECOMM);
8328 /* Allocate skb for the complete frame (with header) */
8329 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
8333 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8335 conn->rx_len = len - skb->len;
8339 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
8341 if (!conn->rx_len) {
8342 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
8343 l2cap_conn_unreliable(conn, ECOMM);
8347 if (skb->len > conn->rx_len) {
8348 BT_ERR("Fragment is too long (len %d, expected %d)",
8349 skb->len, conn->rx_len);
8350 kfree_skb(conn->rx_skb);
8351 conn->rx_skb = NULL;
8353 l2cap_conn_unreliable(conn, ECOMM);
8357 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8359 conn->rx_len -= skb->len;
8361 if (!conn->rx_len) {
8362 /* Complete frame received. l2cap_recv_frame
8363 * takes ownership of the skb so set the global
8364 * rx_skb pointer to NULL first.
8366 struct sk_buff *rx_skb = conn->rx_skb;
8367 conn->rx_skb = NULL;
8368 l2cap_recv_frame(conn, rx_skb);
8377 static struct hci_cb l2cap_cb = {
8379 .connect_cfm = l2cap_connect_cfm,
8380 .disconn_cfm = l2cap_disconn_cfm,
8381 .security_cfm = l2cap_security_cfm,
8384 static int l2cap_debugfs_show(struct seq_file *f, void *p)
8386 struct l2cap_chan *c;
8388 read_lock(&chan_list_lock);
8390 list_for_each_entry(c, &chan_list, global_l) {
8391 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
8392 &c->src, c->src_type, &c->dst, c->dst_type,
8393 c->state, __le16_to_cpu(c->psm),
8394 c->scid, c->dcid, c->imtu, c->omtu,
8395 c->sec_level, c->mode);
8398 read_unlock(&chan_list_lock);
8403 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
8405 static struct dentry *l2cap_debugfs;
8407 int __init l2cap_init(void)
8411 err = l2cap_init_sockets();
8415 hci_register_cb(&l2cap_cb);
8417 if (IS_ERR_OR_NULL(bt_debugfs))
8420 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
8421 NULL, &l2cap_debugfs_fops);
8426 void l2cap_exit(void)
8428 debugfs_remove(l2cap_debugfs);
8429 hci_unregister_cb(&l2cap_cb);
8430 l2cap_cleanup_sockets();
8433 module_param(disable_ertm, bool, 0644);
8434 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8436 module_param(enable_ecred, bool, 0644);
8437 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
projects / linux-2.6-microblaze.git / blob