2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
54 static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55 static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
57 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
58 u8 code, u8 ident, u16 dlen, void *data);
59 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
61 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
62 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
64 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
65 struct sk_buff_head *skbs, u8 event);
67 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
69 if (link_type == LE_LINK) {
70 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
73 return BDADDR_LE_RANDOM;
79 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
81 return bdaddr_type(hcon->type, hcon->src_type);
84 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
86 return bdaddr_type(hcon->type, hcon->dst_type);
89 /* ---- L2CAP channels ---- */
91 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
96 list_for_each_entry(c, &conn->chan_l, list) {
103 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
106 struct l2cap_chan *c;
108 list_for_each_entry(c, &conn->chan_l, list) {
115 /* Find channel with given SCID.
116 * Returns locked channel. */
117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
120 struct l2cap_chan *c;
122 mutex_lock(&conn->chan_lock);
123 c = __l2cap_get_chan_by_scid(conn, cid);
126 mutex_unlock(&conn->chan_lock);
131 /* Find channel with given DCID.
132 * Returns locked channel.
134 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
137 struct l2cap_chan *c;
139 mutex_lock(&conn->chan_lock);
140 c = __l2cap_get_chan_by_dcid(conn, cid);
143 mutex_unlock(&conn->chan_lock);
148 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 struct l2cap_chan *c;
153 list_for_each_entry(c, &conn->chan_l, list) {
154 if (c->ident == ident)
160 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
163 struct l2cap_chan *c;
165 mutex_lock(&conn->chan_lock);
166 c = __l2cap_get_chan_by_ident(conn, ident);
169 mutex_unlock(&conn->chan_lock);
174 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
176 struct l2cap_chan *c;
178 list_for_each_entry(c, &chan_list, global_l) {
179 if (c->sport == psm && !bacmp(&c->src, src))
185 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
189 write_lock(&chan_list_lock);
191 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
201 u16 p, start, end, incr;
203 if (chan->src_type == BDADDR_BREDR) {
204 start = L2CAP_PSM_DYN_START;
205 end = L2CAP_PSM_AUTO_END;
208 start = L2CAP_PSM_LE_DYN_START;
209 end = L2CAP_PSM_LE_DYN_END;
214 for (p = start; p <= end; p += incr)
215 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
216 chan->psm = cpu_to_le16(p);
217 chan->sport = cpu_to_le16(p);
224 write_unlock(&chan_list_lock);
227 EXPORT_SYMBOL_GPL(l2cap_add_psm);
229 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
231 write_lock(&chan_list_lock);
233 /* Override the defaults (which are for conn-oriented) */
234 chan->omtu = L2CAP_DEFAULT_MTU;
235 chan->chan_type = L2CAP_CHAN_FIXED;
239 write_unlock(&chan_list_lock);
244 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
248 if (conn->hcon->type == LE_LINK)
249 dyn_end = L2CAP_CID_LE_DYN_END;
251 dyn_end = L2CAP_CID_DYN_END;
253 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
254 if (!__l2cap_get_chan_by_scid(conn, cid))
261 static void l2cap_state_change(struct l2cap_chan *chan, int state)
263 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
264 state_to_string(state));
267 chan->ops->state_change(chan, state, 0);
270 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
274 chan->ops->state_change(chan, chan->state, err);
277 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
279 chan->ops->state_change(chan, chan->state, err);
282 static void __set_retrans_timer(struct l2cap_chan *chan)
284 if (!delayed_work_pending(&chan->monitor_timer) &&
285 chan->retrans_timeout) {
286 l2cap_set_timer(chan, &chan->retrans_timer,
287 msecs_to_jiffies(chan->retrans_timeout));
291 static void __set_monitor_timer(struct l2cap_chan *chan)
293 __clear_retrans_timer(chan);
294 if (chan->monitor_timeout) {
295 l2cap_set_timer(chan, &chan->monitor_timer,
296 msecs_to_jiffies(chan->monitor_timeout));
300 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
305 skb_queue_walk(head, skb) {
306 if (bt_cb(skb)->l2cap.txseq == seq)
313 /* ---- L2CAP sequence number lists ---- */
315 /* For ERTM, ordered lists of sequence numbers must be tracked for
316 * SREJ requests that are received and for frames that are to be
317 * retransmitted. These seq_list functions implement a singly-linked
318 * list in an array, where membership in the list can also be checked
319 * in constant time. Items can also be added to the tail of the list
320 * and removed from the head in constant time, without further memory
324 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
326 size_t alloc_size, i;
328 /* Allocated size is a power of 2 to map sequence numbers
329 * (which may be up to 14 bits) in to a smaller array that is
330 * sized for the negotiated ERTM transmit windows.
332 alloc_size = roundup_pow_of_two(size);
334 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
338 seq_list->mask = alloc_size - 1;
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
341 for (i = 0; i < alloc_size; i++)
342 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
347 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
349 kfree(seq_list->list);
352 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
355 /* Constant-time check for list membership */
356 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
359 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
361 u16 seq = seq_list->head;
362 u16 mask = seq_list->mask;
364 seq_list->head = seq_list->list[seq & mask];
365 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
367 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
368 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
369 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
375 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
379 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
382 for (i = 0; i <= seq_list->mask; i++)
383 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
385 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
386 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
389 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
391 u16 mask = seq_list->mask;
393 /* All appends happen in constant time */
395 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
398 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
399 seq_list->head = seq;
401 seq_list->list[seq_list->tail & mask] = seq;
403 seq_list->tail = seq;
404 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
407 static void l2cap_chan_timeout(struct work_struct *work)
409 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
411 struct l2cap_conn *conn = chan->conn;
414 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
416 mutex_lock(&conn->chan_lock);
417 l2cap_chan_lock(chan);
419 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
420 reason = ECONNREFUSED;
421 else if (chan->state == BT_CONNECT &&
422 chan->sec_level != BT_SECURITY_SDP)
423 reason = ECONNREFUSED;
427 l2cap_chan_close(chan, reason);
429 l2cap_chan_unlock(chan);
431 chan->ops->close(chan);
432 mutex_unlock(&conn->chan_lock);
434 l2cap_chan_put(chan);
437 struct l2cap_chan *l2cap_chan_create(void)
439 struct l2cap_chan *chan;
441 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
445 mutex_init(&chan->lock);
447 /* Set default lock nesting level */
448 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
450 write_lock(&chan_list_lock);
451 list_add(&chan->global_l, &chan_list);
452 write_unlock(&chan_list_lock);
454 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
456 chan->state = BT_OPEN;
458 kref_init(&chan->kref);
460 /* This flag is cleared in l2cap_chan_ready() */
461 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
463 BT_DBG("chan %p", chan);
467 EXPORT_SYMBOL_GPL(l2cap_chan_create);
469 static void l2cap_chan_destroy(struct kref *kref)
471 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
473 BT_DBG("chan %p", chan);
475 write_lock(&chan_list_lock);
476 list_del(&chan->global_l);
477 write_unlock(&chan_list_lock);
482 void l2cap_chan_hold(struct l2cap_chan *c)
484 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
489 void l2cap_chan_put(struct l2cap_chan *c)
491 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
493 kref_put(&c->kref, l2cap_chan_destroy);
495 EXPORT_SYMBOL_GPL(l2cap_chan_put);
497 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
499 chan->fcs = L2CAP_FCS_CRC16;
500 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
501 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
502 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
503 chan->remote_max_tx = chan->max_tx;
504 chan->remote_tx_win = chan->tx_win;
505 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
506 chan->sec_level = BT_SECURITY_LOW;
507 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
508 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
509 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
510 chan->conf_state = 0;
512 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
514 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
516 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
519 chan->sdu_last_frag = NULL;
521 chan->tx_credits = 0;
522 chan->rx_credits = le_max_credits;
523 chan->mps = min_t(u16, chan->imtu, le_default_mps);
525 skb_queue_head_init(&chan->tx_q);
528 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
530 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
531 __le16_to_cpu(chan->psm), chan->dcid);
533 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
537 switch (chan->chan_type) {
538 case L2CAP_CHAN_CONN_ORIENTED:
539 /* Alloc CID for connection-oriented socket */
540 chan->scid = l2cap_alloc_cid(conn);
541 if (conn->hcon->type == ACL_LINK)
542 chan->omtu = L2CAP_DEFAULT_MTU;
545 case L2CAP_CHAN_CONN_LESS:
546 /* Connectionless socket */
547 chan->scid = L2CAP_CID_CONN_LESS;
548 chan->dcid = L2CAP_CID_CONN_LESS;
549 chan->omtu = L2CAP_DEFAULT_MTU;
552 case L2CAP_CHAN_FIXED:
553 /* Caller will set CID and CID specific MTU values */
557 /* Raw socket can send/recv signalling messages only */
558 chan->scid = L2CAP_CID_SIGNALING;
559 chan->dcid = L2CAP_CID_SIGNALING;
560 chan->omtu = L2CAP_DEFAULT_MTU;
563 chan->local_id = L2CAP_BESTEFFORT_ID;
564 chan->local_stype = L2CAP_SERV_BESTEFFORT;
565 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
566 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
567 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
568 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
570 l2cap_chan_hold(chan);
572 /* Only keep a reference for fixed channels if they requested it */
573 if (chan->chan_type != L2CAP_CHAN_FIXED ||
574 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
575 hci_conn_hold(conn->hcon);
577 list_add(&chan->list, &conn->chan_l);
580 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
582 mutex_lock(&conn->chan_lock);
583 __l2cap_chan_add(conn, chan);
584 mutex_unlock(&conn->chan_lock);
587 void l2cap_chan_del(struct l2cap_chan *chan, int err)
589 struct l2cap_conn *conn = chan->conn;
591 __clear_chan_timer(chan);
593 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
594 state_to_string(chan->state));
596 chan->ops->teardown(chan, err);
599 struct amp_mgr *mgr = conn->hcon->amp_mgr;
600 /* Delete from channel list */
601 list_del(&chan->list);
603 l2cap_chan_put(chan);
607 /* Reference was only held for non-fixed channels or
608 * fixed channels that explicitly requested it using the
609 * FLAG_HOLD_HCI_CONN flag.
611 if (chan->chan_type != L2CAP_CHAN_FIXED ||
612 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
613 hci_conn_drop(conn->hcon);
615 if (mgr && mgr->bredr_chan == chan)
616 mgr->bredr_chan = NULL;
619 if (chan->hs_hchan) {
620 struct hci_chan *hs_hchan = chan->hs_hchan;
622 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
623 amp_disconnect_logical_link(hs_hchan);
626 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
630 case L2CAP_MODE_BASIC:
633 case L2CAP_MODE_LE_FLOWCTL:
634 skb_queue_purge(&chan->tx_q);
637 case L2CAP_MODE_ERTM:
638 __clear_retrans_timer(chan);
639 __clear_monitor_timer(chan);
640 __clear_ack_timer(chan);
642 skb_queue_purge(&chan->srej_q);
644 l2cap_seq_list_free(&chan->srej_list);
645 l2cap_seq_list_free(&chan->retrans_list);
649 case L2CAP_MODE_STREAMING:
650 skb_queue_purge(&chan->tx_q);
656 EXPORT_SYMBOL_GPL(l2cap_chan_del);
658 static void l2cap_conn_update_id_addr(struct work_struct *work)
660 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
661 id_addr_update_work);
662 struct hci_conn *hcon = conn->hcon;
663 struct l2cap_chan *chan;
665 mutex_lock(&conn->chan_lock);
667 list_for_each_entry(chan, &conn->chan_l, list) {
668 l2cap_chan_lock(chan);
669 bacpy(&chan->dst, &hcon->dst);
670 chan->dst_type = bdaddr_dst_type(hcon);
671 l2cap_chan_unlock(chan);
674 mutex_unlock(&conn->chan_lock);
677 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
679 struct l2cap_conn *conn = chan->conn;
680 struct l2cap_le_conn_rsp rsp;
683 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
684 result = L2CAP_CR_AUTHORIZATION;
686 result = L2CAP_CR_BAD_PSM;
688 l2cap_state_change(chan, BT_DISCONN);
690 rsp.dcid = cpu_to_le16(chan->scid);
691 rsp.mtu = cpu_to_le16(chan->imtu);
692 rsp.mps = cpu_to_le16(chan->mps);
693 rsp.credits = cpu_to_le16(chan->rx_credits);
694 rsp.result = cpu_to_le16(result);
696 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
700 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
702 struct l2cap_conn *conn = chan->conn;
703 struct l2cap_conn_rsp rsp;
706 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
707 result = L2CAP_CR_SEC_BLOCK;
709 result = L2CAP_CR_BAD_PSM;
711 l2cap_state_change(chan, BT_DISCONN);
713 rsp.scid = cpu_to_le16(chan->dcid);
714 rsp.dcid = cpu_to_le16(chan->scid);
715 rsp.result = cpu_to_le16(result);
716 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
718 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
721 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
723 struct l2cap_conn *conn = chan->conn;
725 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
727 switch (chan->state) {
729 chan->ops->teardown(chan, 0);
734 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
735 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
736 l2cap_send_disconn_req(chan, reason);
738 l2cap_chan_del(chan, reason);
742 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
743 if (conn->hcon->type == ACL_LINK)
744 l2cap_chan_connect_reject(chan);
745 else if (conn->hcon->type == LE_LINK)
746 l2cap_chan_le_connect_reject(chan);
749 l2cap_chan_del(chan, reason);
754 l2cap_chan_del(chan, reason);
758 chan->ops->teardown(chan, 0);
762 EXPORT_SYMBOL(l2cap_chan_close);
764 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
766 switch (chan->chan_type) {
768 switch (chan->sec_level) {
769 case BT_SECURITY_HIGH:
770 case BT_SECURITY_FIPS:
771 return HCI_AT_DEDICATED_BONDING_MITM;
772 case BT_SECURITY_MEDIUM:
773 return HCI_AT_DEDICATED_BONDING;
775 return HCI_AT_NO_BONDING;
778 case L2CAP_CHAN_CONN_LESS:
779 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
780 if (chan->sec_level == BT_SECURITY_LOW)
781 chan->sec_level = BT_SECURITY_SDP;
783 if (chan->sec_level == BT_SECURITY_HIGH ||
784 chan->sec_level == BT_SECURITY_FIPS)
785 return HCI_AT_NO_BONDING_MITM;
787 return HCI_AT_NO_BONDING;
789 case L2CAP_CHAN_CONN_ORIENTED:
790 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
791 if (chan->sec_level == BT_SECURITY_LOW)
792 chan->sec_level = BT_SECURITY_SDP;
794 if (chan->sec_level == BT_SECURITY_HIGH ||
795 chan->sec_level == BT_SECURITY_FIPS)
796 return HCI_AT_NO_BONDING_MITM;
798 return HCI_AT_NO_BONDING;
802 switch (chan->sec_level) {
803 case BT_SECURITY_HIGH:
804 case BT_SECURITY_FIPS:
805 return HCI_AT_GENERAL_BONDING_MITM;
806 case BT_SECURITY_MEDIUM:
807 return HCI_AT_GENERAL_BONDING;
809 return HCI_AT_NO_BONDING;
815 /* Service level security */
816 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
818 struct l2cap_conn *conn = chan->conn;
821 if (conn->hcon->type == LE_LINK)
822 return smp_conn_security(conn->hcon, chan->sec_level);
824 auth_type = l2cap_get_auth_type(chan);
826 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
830 static u8 l2cap_get_ident(struct l2cap_conn *conn)
834 /* Get next available identificator.
835 * 1 - 128 are used by kernel.
836 * 129 - 199 are reserved.
837 * 200 - 254 are used by utilities like l2ping, etc.
840 mutex_lock(&conn->ident_lock);
842 if (++conn->tx_ident > 128)
847 mutex_unlock(&conn->ident_lock);
852 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
855 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
858 BT_DBG("code 0x%2.2x", code);
863 /* Use NO_FLUSH if supported or we have an LE link (which does
864 * not support auto-flushing packets) */
865 if (lmp_no_flush_capable(conn->hcon->hdev) ||
866 conn->hcon->type == LE_LINK)
867 flags = ACL_START_NO_FLUSH;
871 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
872 skb->priority = HCI_PRIO_MAX;
874 hci_send_acl(conn->hchan, skb, flags);
877 static bool __chan_is_moving(struct l2cap_chan *chan)
879 return chan->move_state != L2CAP_MOVE_STABLE &&
880 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
883 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
885 struct hci_conn *hcon = chan->conn->hcon;
888 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
891 if (chan->hs_hcon && !__chan_is_moving(chan)) {
893 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
900 /* Use NO_FLUSH for LE links (where this is the only option) or
901 * if the BR/EDR link supports it and flushing has not been
902 * explicitly requested (through FLAG_FLUSHABLE).
904 if (hcon->type == LE_LINK ||
905 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
906 lmp_no_flush_capable(hcon->hdev)))
907 flags = ACL_START_NO_FLUSH;
911 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
912 hci_send_acl(chan->conn->hchan, skb, flags);
915 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
917 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
918 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
920 if (enh & L2CAP_CTRL_FRAME_TYPE) {
923 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
924 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
931 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
932 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
939 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
941 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
942 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
944 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
947 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
948 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
955 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
956 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
963 static inline void __unpack_control(struct l2cap_chan *chan,
966 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
967 __unpack_extended_control(get_unaligned_le32(skb->data),
969 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
971 __unpack_enhanced_control(get_unaligned_le16(skb->data),
973 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
977 static u32 __pack_extended_control(struct l2cap_ctrl *control)
981 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
982 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
984 if (control->sframe) {
985 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
986 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
987 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
989 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
990 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
996 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1000 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1001 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1003 if (control->sframe) {
1004 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1005 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1006 packed |= L2CAP_CTRL_FRAME_TYPE;
1008 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1009 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1015 static inline void __pack_control(struct l2cap_chan *chan,
1016 struct l2cap_ctrl *control,
1017 struct sk_buff *skb)
1019 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1020 put_unaligned_le32(__pack_extended_control(control),
1021 skb->data + L2CAP_HDR_SIZE);
1023 put_unaligned_le16(__pack_enhanced_control(control),
1024 skb->data + L2CAP_HDR_SIZE);
1028 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1030 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1031 return L2CAP_EXT_HDR_SIZE;
1033 return L2CAP_ENH_HDR_SIZE;
1036 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1039 struct sk_buff *skb;
1040 struct l2cap_hdr *lh;
1041 int hlen = __ertm_hdr_size(chan);
1043 if (chan->fcs == L2CAP_FCS_CRC16)
1044 hlen += L2CAP_FCS_SIZE;
1046 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1049 return ERR_PTR(-ENOMEM);
1051 lh = skb_put(skb, L2CAP_HDR_SIZE);
1052 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1053 lh->cid = cpu_to_le16(chan->dcid);
1055 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1056 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1058 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1060 if (chan->fcs == L2CAP_FCS_CRC16) {
1061 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1062 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1065 skb->priority = HCI_PRIO_MAX;
1069 static void l2cap_send_sframe(struct l2cap_chan *chan,
1070 struct l2cap_ctrl *control)
1072 struct sk_buff *skb;
1075 BT_DBG("chan %p, control %p", chan, control);
1077 if (!control->sframe)
1080 if (__chan_is_moving(chan))
1083 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1087 if (control->super == L2CAP_SUPER_RR)
1088 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1089 else if (control->super == L2CAP_SUPER_RNR)
1090 set_bit(CONN_RNR_SENT, &chan->conn_state);
1092 if (control->super != L2CAP_SUPER_SREJ) {
1093 chan->last_acked_seq = control->reqseq;
1094 __clear_ack_timer(chan);
1097 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1098 control->final, control->poll, control->super);
1100 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1101 control_field = __pack_extended_control(control);
1103 control_field = __pack_enhanced_control(control);
1105 skb = l2cap_create_sframe_pdu(chan, control_field);
1107 l2cap_do_send(chan, skb);
1110 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1112 struct l2cap_ctrl control;
1114 BT_DBG("chan %p, poll %d", chan, poll);
1116 memset(&control, 0, sizeof(control));
1118 control.poll = poll;
1120 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1121 control.super = L2CAP_SUPER_RNR;
1123 control.super = L2CAP_SUPER_RR;
1125 control.reqseq = chan->buffer_seq;
1126 l2cap_send_sframe(chan, &control);
1129 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1131 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1134 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1137 static bool __amp_capable(struct l2cap_chan *chan)
1139 struct l2cap_conn *conn = chan->conn;
1140 struct hci_dev *hdev;
1141 bool amp_available = false;
1143 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1146 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1149 read_lock(&hci_dev_list_lock);
1150 list_for_each_entry(hdev, &hci_dev_list, list) {
1151 if (hdev->amp_type != AMP_TYPE_BREDR &&
1152 test_bit(HCI_UP, &hdev->flags)) {
1153 amp_available = true;
1157 read_unlock(&hci_dev_list_lock);
1159 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1160 return amp_available;
1165 static bool l2cap_check_efs(struct l2cap_chan *chan)
1167 /* Check EFS parameters */
1171 void l2cap_send_conn_req(struct l2cap_chan *chan)
1173 struct l2cap_conn *conn = chan->conn;
1174 struct l2cap_conn_req req;
1176 req.scid = cpu_to_le16(chan->scid);
1177 req.psm = chan->psm;
1179 chan->ident = l2cap_get_ident(conn);
1181 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1183 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1186 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1188 struct l2cap_create_chan_req req;
1189 req.scid = cpu_to_le16(chan->scid);
1190 req.psm = chan->psm;
1191 req.amp_id = amp_id;
1193 chan->ident = l2cap_get_ident(chan->conn);
1195 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1199 static void l2cap_move_setup(struct l2cap_chan *chan)
1201 struct sk_buff *skb;
1203 BT_DBG("chan %p", chan);
1205 if (chan->mode != L2CAP_MODE_ERTM)
1208 __clear_retrans_timer(chan);
1209 __clear_monitor_timer(chan);
1210 __clear_ack_timer(chan);
1212 chan->retry_count = 0;
1213 skb_queue_walk(&chan->tx_q, skb) {
1214 if (bt_cb(skb)->l2cap.retries)
1215 bt_cb(skb)->l2cap.retries = 1;
1220 chan->expected_tx_seq = chan->buffer_seq;
1222 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1223 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1224 l2cap_seq_list_clear(&chan->retrans_list);
1225 l2cap_seq_list_clear(&chan->srej_list);
1226 skb_queue_purge(&chan->srej_q);
1228 chan->tx_state = L2CAP_TX_STATE_XMIT;
1229 chan->rx_state = L2CAP_RX_STATE_MOVE;
1231 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1234 static void l2cap_move_done(struct l2cap_chan *chan)
1236 u8 move_role = chan->move_role;
1237 BT_DBG("chan %p", chan);
1239 chan->move_state = L2CAP_MOVE_STABLE;
1240 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1242 if (chan->mode != L2CAP_MODE_ERTM)
1245 switch (move_role) {
1246 case L2CAP_MOVE_ROLE_INITIATOR:
1247 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1248 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1250 case L2CAP_MOVE_ROLE_RESPONDER:
1251 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1256 static void l2cap_chan_ready(struct l2cap_chan *chan)
1258 /* The channel may have already been flagged as connected in
1259 * case of receiving data before the L2CAP info req/rsp
1260 * procedure is complete.
1262 if (chan->state == BT_CONNECTED)
1265 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1266 chan->conf_state = 0;
1267 __clear_chan_timer(chan);
1269 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1270 chan->ops->suspend(chan);
1272 chan->state = BT_CONNECTED;
1274 chan->ops->ready(chan);
1277 static void l2cap_le_connect(struct l2cap_chan *chan)
1279 struct l2cap_conn *conn = chan->conn;
1280 struct l2cap_le_conn_req req;
1282 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1285 req.psm = chan->psm;
1286 req.scid = cpu_to_le16(chan->scid);
1287 req.mtu = cpu_to_le16(chan->imtu);
1288 req.mps = cpu_to_le16(chan->mps);
1289 req.credits = cpu_to_le16(chan->rx_credits);
1291 chan->ident = l2cap_get_ident(conn);
1293 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1297 static void l2cap_le_start(struct l2cap_chan *chan)
1299 struct l2cap_conn *conn = chan->conn;
1301 if (!smp_conn_security(conn->hcon, chan->sec_level))
1305 l2cap_chan_ready(chan);
1309 if (chan->state == BT_CONNECT)
1310 l2cap_le_connect(chan);
1313 static void l2cap_start_connection(struct l2cap_chan *chan)
1315 if (__amp_capable(chan)) {
1316 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1317 a2mp_discover_amp(chan);
1318 } else if (chan->conn->hcon->type == LE_LINK) {
1319 l2cap_le_start(chan);
1321 l2cap_send_conn_req(chan);
1325 static void l2cap_request_info(struct l2cap_conn *conn)
1327 struct l2cap_info_req req;
1329 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1332 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1334 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1335 conn->info_ident = l2cap_get_ident(conn);
1337 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1339 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1343 static void l2cap_do_start(struct l2cap_chan *chan)
1345 struct l2cap_conn *conn = chan->conn;
1347 if (conn->hcon->type == LE_LINK) {
1348 l2cap_le_start(chan);
1352 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1353 l2cap_request_info(conn);
1357 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1360 if (l2cap_chan_check_security(chan, true) &&
1361 __l2cap_no_conn_pending(chan))
1362 l2cap_start_connection(chan);
1365 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1367 u32 local_feat_mask = l2cap_feat_mask;
1369 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1372 case L2CAP_MODE_ERTM:
1373 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1374 case L2CAP_MODE_STREAMING:
1375 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1381 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1383 struct l2cap_conn *conn = chan->conn;
1384 struct l2cap_disconn_req req;
1389 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1390 __clear_retrans_timer(chan);
1391 __clear_monitor_timer(chan);
1392 __clear_ack_timer(chan);
1395 if (chan->scid == L2CAP_CID_A2MP) {
1396 l2cap_state_change(chan, BT_DISCONN);
1400 req.dcid = cpu_to_le16(chan->dcid);
1401 req.scid = cpu_to_le16(chan->scid);
1402 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1405 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1408 /* ---- L2CAP connections ---- */
1409 static void l2cap_conn_start(struct l2cap_conn *conn)
1411 struct l2cap_chan *chan, *tmp;
1413 BT_DBG("conn %p", conn);
1415 mutex_lock(&conn->chan_lock);
1417 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1418 l2cap_chan_lock(chan);
1420 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1421 l2cap_chan_ready(chan);
1422 l2cap_chan_unlock(chan);
1426 if (chan->state == BT_CONNECT) {
1427 if (!l2cap_chan_check_security(chan, true) ||
1428 !__l2cap_no_conn_pending(chan)) {
1429 l2cap_chan_unlock(chan);
1433 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1434 && test_bit(CONF_STATE2_DEVICE,
1435 &chan->conf_state)) {
1436 l2cap_chan_close(chan, ECONNRESET);
1437 l2cap_chan_unlock(chan);
1441 l2cap_start_connection(chan);
1443 } else if (chan->state == BT_CONNECT2) {
1444 struct l2cap_conn_rsp rsp;
1446 rsp.scid = cpu_to_le16(chan->dcid);
1447 rsp.dcid = cpu_to_le16(chan->scid);
1449 if (l2cap_chan_check_security(chan, false)) {
1450 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1451 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1452 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1453 chan->ops->defer(chan);
1456 l2cap_state_change(chan, BT_CONFIG);
1457 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1458 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1461 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1462 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1465 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1468 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1469 rsp.result != L2CAP_CR_SUCCESS) {
1470 l2cap_chan_unlock(chan);
1474 set_bit(CONF_REQ_SENT, &chan->conf_state);
1475 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1476 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1477 chan->num_conf_req++;
1480 l2cap_chan_unlock(chan);
1483 mutex_unlock(&conn->chan_lock);
1486 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1488 struct hci_conn *hcon = conn->hcon;
1489 struct hci_dev *hdev = hcon->hdev;
1491 BT_DBG("%s conn %p", hdev->name, conn);
1493 /* For outgoing pairing which doesn't necessarily have an
1494 * associated socket (e.g. mgmt_pair_device).
1497 smp_conn_security(hcon, hcon->pending_sec_level);
1499 /* For LE slave connections, make sure the connection interval
1500 * is in the range of the minium and maximum interval that has
1501 * been configured for this connection. If not, then trigger
1502 * the connection update procedure.
1504 if (hcon->role == HCI_ROLE_SLAVE &&
1505 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1506 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1507 struct l2cap_conn_param_update_req req;
1509 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1510 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1511 req.latency = cpu_to_le16(hcon->le_conn_latency);
1512 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1514 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1515 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1519 static void l2cap_conn_ready(struct l2cap_conn *conn)
1521 struct l2cap_chan *chan;
1522 struct hci_conn *hcon = conn->hcon;
1524 BT_DBG("conn %p", conn);
1526 if (hcon->type == ACL_LINK)
1527 l2cap_request_info(conn);
1529 mutex_lock(&conn->chan_lock);
1531 list_for_each_entry(chan, &conn->chan_l, list) {
1533 l2cap_chan_lock(chan);
1535 if (chan->scid == L2CAP_CID_A2MP) {
1536 l2cap_chan_unlock(chan);
1540 if (hcon->type == LE_LINK) {
1541 l2cap_le_start(chan);
1542 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1543 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1544 l2cap_chan_ready(chan);
1545 } else if (chan->state == BT_CONNECT) {
1546 l2cap_do_start(chan);
1549 l2cap_chan_unlock(chan);
1552 mutex_unlock(&conn->chan_lock);
1554 if (hcon->type == LE_LINK)
1555 l2cap_le_conn_ready(conn);
1557 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1560 /* Notify sockets that we cannot guaranty reliability anymore */
1561 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1563 struct l2cap_chan *chan;
1565 BT_DBG("conn %p", conn);
1567 mutex_lock(&conn->chan_lock);
1569 list_for_each_entry(chan, &conn->chan_l, list) {
1570 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1571 l2cap_chan_set_err(chan, err);
1574 mutex_unlock(&conn->chan_lock);
1577 static void l2cap_info_timeout(struct work_struct *work)
1579 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1582 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1583 conn->info_ident = 0;
1585 l2cap_conn_start(conn);
1590 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1591 * callback is called during registration. The ->remove callback is called
1592 * during unregistration.
1593 * An l2cap_user object can either be explicitly unregistered or when the
1594 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1595 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1596 * External modules must own a reference to the l2cap_conn object if they intend
1597 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1598 * any time if they don't.
1601 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1603 struct hci_dev *hdev = conn->hcon->hdev;
1606 /* We need to check whether l2cap_conn is registered. If it is not, we
1607 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1608 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1609 * relies on the parent hci_conn object to be locked. This itself relies
1610 * on the hci_dev object to be locked. So we must lock the hci device
1615 if (!list_empty(&user->list)) {
1620 /* conn->hchan is NULL after l2cap_conn_del() was called */
1626 ret = user->probe(conn, user);
1630 list_add(&user->list, &conn->users);
1634 hci_dev_unlock(hdev);
1637 EXPORT_SYMBOL(l2cap_register_user);
1639 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1641 struct hci_dev *hdev = conn->hcon->hdev;
1645 if (list_empty(&user->list))
1648 list_del_init(&user->list);
1649 user->remove(conn, user);
1652 hci_dev_unlock(hdev);
1654 EXPORT_SYMBOL(l2cap_unregister_user);
1656 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1658 struct l2cap_user *user;
1660 while (!list_empty(&conn->users)) {
1661 user = list_first_entry(&conn->users, struct l2cap_user, list);
1662 list_del_init(&user->list);
1663 user->remove(conn, user);
1667 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1669 struct l2cap_conn *conn = hcon->l2cap_data;
1670 struct l2cap_chan *chan, *l;
1675 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1677 kfree_skb(conn->rx_skb);
1679 skb_queue_purge(&conn->pending_rx);
1681 /* We can not call flush_work(&conn->pending_rx_work) here since we
1682 * might block if we are running on a worker from the same workqueue
1683 * pending_rx_work is waiting on.
1685 if (work_pending(&conn->pending_rx_work))
1686 cancel_work_sync(&conn->pending_rx_work);
1688 if (work_pending(&conn->id_addr_update_work))
1689 cancel_work_sync(&conn->id_addr_update_work);
1691 l2cap_unregister_all_users(conn);
1693 /* Force the connection to be immediately dropped */
1694 hcon->disc_timeout = 0;
1696 mutex_lock(&conn->chan_lock);
1699 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1700 l2cap_chan_hold(chan);
1701 l2cap_chan_lock(chan);
1703 l2cap_chan_del(chan, err);
1705 l2cap_chan_unlock(chan);
1707 chan->ops->close(chan);
1708 l2cap_chan_put(chan);
1711 mutex_unlock(&conn->chan_lock);
1713 hci_chan_del(conn->hchan);
1715 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1716 cancel_delayed_work_sync(&conn->info_timer);
1718 hcon->l2cap_data = NULL;
1720 l2cap_conn_put(conn);
1723 static void l2cap_conn_free(struct kref *ref)
1725 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1727 hci_conn_put(conn->hcon);
1731 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1733 kref_get(&conn->ref);
1736 EXPORT_SYMBOL(l2cap_conn_get);
1738 void l2cap_conn_put(struct l2cap_conn *conn)
1740 kref_put(&conn->ref, l2cap_conn_free);
1742 EXPORT_SYMBOL(l2cap_conn_put);
1744 /* ---- Socket interface ---- */
1746 /* Find socket with psm and source / destination bdaddr.
1747 * Returns closest match.
1749 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1754 struct l2cap_chan *c, *c1 = NULL;
1756 read_lock(&chan_list_lock);
1758 list_for_each_entry(c, &chan_list, global_l) {
1759 if (state && c->state != state)
1762 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1765 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1768 if (c->psm == psm) {
1769 int src_match, dst_match;
1770 int src_any, dst_any;
1773 src_match = !bacmp(&c->src, src);
1774 dst_match = !bacmp(&c->dst, dst);
1775 if (src_match && dst_match) {
1777 read_unlock(&chan_list_lock);
1782 src_any = !bacmp(&c->src, BDADDR_ANY);
1783 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1784 if ((src_match && dst_any) || (src_any && dst_match) ||
1785 (src_any && dst_any))
1791 l2cap_chan_hold(c1);
1793 read_unlock(&chan_list_lock);
1798 static void l2cap_monitor_timeout(struct work_struct *work)
1800 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1801 monitor_timer.work);
1803 BT_DBG("chan %p", chan);
1805 l2cap_chan_lock(chan);
1808 l2cap_chan_unlock(chan);
1809 l2cap_chan_put(chan);
1813 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1815 l2cap_chan_unlock(chan);
1816 l2cap_chan_put(chan);
1819 static void l2cap_retrans_timeout(struct work_struct *work)
1821 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1822 retrans_timer.work);
1824 BT_DBG("chan %p", chan);
1826 l2cap_chan_lock(chan);
1829 l2cap_chan_unlock(chan);
1830 l2cap_chan_put(chan);
1834 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1835 l2cap_chan_unlock(chan);
1836 l2cap_chan_put(chan);
1839 static void l2cap_streaming_send(struct l2cap_chan *chan,
1840 struct sk_buff_head *skbs)
1842 struct sk_buff *skb;
1843 struct l2cap_ctrl *control;
1845 BT_DBG("chan %p, skbs %p", chan, skbs);
1847 if (__chan_is_moving(chan))
1850 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1852 while (!skb_queue_empty(&chan->tx_q)) {
1854 skb = skb_dequeue(&chan->tx_q);
1856 bt_cb(skb)->l2cap.retries = 1;
1857 control = &bt_cb(skb)->l2cap;
1859 control->reqseq = 0;
1860 control->txseq = chan->next_tx_seq;
1862 __pack_control(chan, control, skb);
1864 if (chan->fcs == L2CAP_FCS_CRC16) {
1865 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1866 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1869 l2cap_do_send(chan, skb);
1871 BT_DBG("Sent txseq %u", control->txseq);
1873 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1874 chan->frames_sent++;
1878 static int l2cap_ertm_send(struct l2cap_chan *chan)
1880 struct sk_buff *skb, *tx_skb;
1881 struct l2cap_ctrl *control;
1884 BT_DBG("chan %p", chan);
1886 if (chan->state != BT_CONNECTED)
1889 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1892 if (__chan_is_moving(chan))
1895 while (chan->tx_send_head &&
1896 chan->unacked_frames < chan->remote_tx_win &&
1897 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1899 skb = chan->tx_send_head;
1901 bt_cb(skb)->l2cap.retries = 1;
1902 control = &bt_cb(skb)->l2cap;
1904 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1907 control->reqseq = chan->buffer_seq;
1908 chan->last_acked_seq = chan->buffer_seq;
1909 control->txseq = chan->next_tx_seq;
1911 __pack_control(chan, control, skb);
1913 if (chan->fcs == L2CAP_FCS_CRC16) {
1914 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1915 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1918 /* Clone after data has been modified. Data is assumed to be
1919 read-only (for locking purposes) on cloned sk_buffs.
1921 tx_skb = skb_clone(skb, GFP_KERNEL);
1926 __set_retrans_timer(chan);
1928 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1929 chan->unacked_frames++;
1930 chan->frames_sent++;
1933 if (skb_queue_is_last(&chan->tx_q, skb))
1934 chan->tx_send_head = NULL;
1936 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1938 l2cap_do_send(chan, tx_skb);
1939 BT_DBG("Sent txseq %u", control->txseq);
1942 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1943 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1948 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1950 struct l2cap_ctrl control;
1951 struct sk_buff *skb;
1952 struct sk_buff *tx_skb;
1955 BT_DBG("chan %p", chan);
1957 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1960 if (__chan_is_moving(chan))
1963 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1964 seq = l2cap_seq_list_pop(&chan->retrans_list);
1966 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1968 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1973 bt_cb(skb)->l2cap.retries++;
1974 control = bt_cb(skb)->l2cap;
1976 if (chan->max_tx != 0 &&
1977 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1978 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1979 l2cap_send_disconn_req(chan, ECONNRESET);
1980 l2cap_seq_list_clear(&chan->retrans_list);
1984 control.reqseq = chan->buffer_seq;
1985 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1990 if (skb_cloned(skb)) {
1991 /* Cloned sk_buffs are read-only, so we need a
1994 tx_skb = skb_copy(skb, GFP_KERNEL);
1996 tx_skb = skb_clone(skb, GFP_KERNEL);
2000 l2cap_seq_list_clear(&chan->retrans_list);
2004 /* Update skb contents */
2005 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2006 put_unaligned_le32(__pack_extended_control(&control),
2007 tx_skb->data + L2CAP_HDR_SIZE);
2009 put_unaligned_le16(__pack_enhanced_control(&control),
2010 tx_skb->data + L2CAP_HDR_SIZE);
2014 if (chan->fcs == L2CAP_FCS_CRC16) {
2015 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2016 tx_skb->len - L2CAP_FCS_SIZE);
2017 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2021 l2cap_do_send(chan, tx_skb);
2023 BT_DBG("Resent txseq %d", control.txseq);
2025 chan->last_acked_seq = chan->buffer_seq;
2029 static void l2cap_retransmit(struct l2cap_chan *chan,
2030 struct l2cap_ctrl *control)
2032 BT_DBG("chan %p, control %p", chan, control);
2034 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2035 l2cap_ertm_resend(chan);
2038 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2039 struct l2cap_ctrl *control)
2041 struct sk_buff *skb;
2043 BT_DBG("chan %p, control %p", chan, control);
2046 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2048 l2cap_seq_list_clear(&chan->retrans_list);
2050 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2053 if (chan->unacked_frames) {
2054 skb_queue_walk(&chan->tx_q, skb) {
2055 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2056 skb == chan->tx_send_head)
2060 skb_queue_walk_from(&chan->tx_q, skb) {
2061 if (skb == chan->tx_send_head)
2064 l2cap_seq_list_append(&chan->retrans_list,
2065 bt_cb(skb)->l2cap.txseq);
2068 l2cap_ertm_resend(chan);
2072 static void l2cap_send_ack(struct l2cap_chan *chan)
2074 struct l2cap_ctrl control;
2075 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2076 chan->last_acked_seq);
2079 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2080 chan, chan->last_acked_seq, chan->buffer_seq);
2082 memset(&control, 0, sizeof(control));
2085 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2086 chan->rx_state == L2CAP_RX_STATE_RECV) {
2087 __clear_ack_timer(chan);
2088 control.super = L2CAP_SUPER_RNR;
2089 control.reqseq = chan->buffer_seq;
2090 l2cap_send_sframe(chan, &control);
2092 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2093 l2cap_ertm_send(chan);
2094 /* If any i-frames were sent, they included an ack */
2095 if (chan->buffer_seq == chan->last_acked_seq)
2099 /* Ack now if the window is 3/4ths full.
2100 * Calculate without mul or div
2102 threshold = chan->ack_win;
2103 threshold += threshold << 1;
2106 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2109 if (frames_to_ack >= threshold) {
2110 __clear_ack_timer(chan);
2111 control.super = L2CAP_SUPER_RR;
2112 control.reqseq = chan->buffer_seq;
2113 l2cap_send_sframe(chan, &control);
2118 __set_ack_timer(chan);
2122 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2123 struct msghdr *msg, int len,
2124 int count, struct sk_buff *skb)
2126 struct l2cap_conn *conn = chan->conn;
2127 struct sk_buff **frag;
2130 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2136 /* Continuation fragments (no L2CAP header) */
2137 frag = &skb_shinfo(skb)->frag_list;
2139 struct sk_buff *tmp;
2141 count = min_t(unsigned int, conn->mtu, len);
2143 tmp = chan->ops->alloc_skb(chan, 0, count,
2144 msg->msg_flags & MSG_DONTWAIT);
2146 return PTR_ERR(tmp);
2150 if (!copy_from_iter_full(skb_put(*frag, count), count,
2157 skb->len += (*frag)->len;
2158 skb->data_len += (*frag)->len;
2160 frag = &(*frag)->next;
2166 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2167 struct msghdr *msg, size_t len)
2169 struct l2cap_conn *conn = chan->conn;
2170 struct sk_buff *skb;
2171 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2172 struct l2cap_hdr *lh;
2174 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2175 __le16_to_cpu(chan->psm), len);
2177 count = min_t(unsigned int, (conn->mtu - hlen), len);
2179 skb = chan->ops->alloc_skb(chan, hlen, count,
2180 msg->msg_flags & MSG_DONTWAIT);
2184 /* Create L2CAP header */
2185 lh = skb_put(skb, L2CAP_HDR_SIZE);
2186 lh->cid = cpu_to_le16(chan->dcid);
2187 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2188 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2190 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2191 if (unlikely(err < 0)) {
2193 return ERR_PTR(err);
2198 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2199 struct msghdr *msg, size_t len)
2201 struct l2cap_conn *conn = chan->conn;
2202 struct sk_buff *skb;
2204 struct l2cap_hdr *lh;
2206 BT_DBG("chan %p len %zu", chan, len);
2208 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2210 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2211 msg->msg_flags & MSG_DONTWAIT);
2215 /* Create L2CAP header */
2216 lh = skb_put(skb, L2CAP_HDR_SIZE);
2217 lh->cid = cpu_to_le16(chan->dcid);
2218 lh->len = cpu_to_le16(len);
2220 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2221 if (unlikely(err < 0)) {
2223 return ERR_PTR(err);
2228 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2229 struct msghdr *msg, size_t len,
2232 struct l2cap_conn *conn = chan->conn;
2233 struct sk_buff *skb;
2234 int err, count, hlen;
2235 struct l2cap_hdr *lh;
2237 BT_DBG("chan %p len %zu", chan, len);
2240 return ERR_PTR(-ENOTCONN);
2242 hlen = __ertm_hdr_size(chan);
2245 hlen += L2CAP_SDULEN_SIZE;
2247 if (chan->fcs == L2CAP_FCS_CRC16)
2248 hlen += L2CAP_FCS_SIZE;
2250 count = min_t(unsigned int, (conn->mtu - hlen), len);
2252 skb = chan->ops->alloc_skb(chan, hlen, count,
2253 msg->msg_flags & MSG_DONTWAIT);
2257 /* Create L2CAP header */
2258 lh = skb_put(skb, L2CAP_HDR_SIZE);
2259 lh->cid = cpu_to_le16(chan->dcid);
2260 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2262 /* Control header is populated later */
2263 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2264 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2266 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2269 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2271 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2272 if (unlikely(err < 0)) {
2274 return ERR_PTR(err);
2277 bt_cb(skb)->l2cap.fcs = chan->fcs;
2278 bt_cb(skb)->l2cap.retries = 0;
2282 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2283 struct sk_buff_head *seg_queue,
2284 struct msghdr *msg, size_t len)
2286 struct sk_buff *skb;
2291 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2293 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2294 * so fragmented skbs are not used. The HCI layer's handling
2295 * of fragmented skbs is not compatible with ERTM's queueing.
2298 /* PDU size is derived from the HCI MTU */
2299 pdu_len = chan->conn->mtu;
2301 /* Constrain PDU size for BR/EDR connections */
2303 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2305 /* Adjust for largest possible L2CAP overhead. */
2307 pdu_len -= L2CAP_FCS_SIZE;
2309 pdu_len -= __ertm_hdr_size(chan);
2311 /* Remote device may have requested smaller PDUs */
2312 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2314 if (len <= pdu_len) {
2315 sar = L2CAP_SAR_UNSEGMENTED;
2319 sar = L2CAP_SAR_START;
2324 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2327 __skb_queue_purge(seg_queue);
2328 return PTR_ERR(skb);
2331 bt_cb(skb)->l2cap.sar = sar;
2332 __skb_queue_tail(seg_queue, skb);
2338 if (len <= pdu_len) {
2339 sar = L2CAP_SAR_END;
2342 sar = L2CAP_SAR_CONTINUE;
2349 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2351 size_t len, u16 sdulen)
2353 struct l2cap_conn *conn = chan->conn;
2354 struct sk_buff *skb;
2355 int err, count, hlen;
2356 struct l2cap_hdr *lh;
2358 BT_DBG("chan %p len %zu", chan, len);
2361 return ERR_PTR(-ENOTCONN);
2363 hlen = L2CAP_HDR_SIZE;
2366 hlen += L2CAP_SDULEN_SIZE;
2368 count = min_t(unsigned int, (conn->mtu - hlen), len);
2370 skb = chan->ops->alloc_skb(chan, hlen, count,
2371 msg->msg_flags & MSG_DONTWAIT);
2375 /* Create L2CAP header */
2376 lh = skb_put(skb, L2CAP_HDR_SIZE);
2377 lh->cid = cpu_to_le16(chan->dcid);
2378 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2381 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2383 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2384 if (unlikely(err < 0)) {
2386 return ERR_PTR(err);
2392 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2393 struct sk_buff_head *seg_queue,
2394 struct msghdr *msg, size_t len)
2396 struct sk_buff *skb;
2400 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2403 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2409 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2411 __skb_queue_purge(seg_queue);
2412 return PTR_ERR(skb);
2415 __skb_queue_tail(seg_queue, skb);
2421 pdu_len += L2CAP_SDULEN_SIZE;
2428 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2432 BT_DBG("chan %p", chan);
2434 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2435 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2440 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2441 skb_queue_len(&chan->tx_q));
2444 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2446 struct sk_buff *skb;
2448 struct sk_buff_head seg_queue;
2453 /* Connectionless channel */
2454 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2455 skb = l2cap_create_connless_pdu(chan, msg, len);
2457 return PTR_ERR(skb);
2459 /* Channel lock is released before requesting new skb and then
2460 * reacquired thus we need to recheck channel state.
2462 if (chan->state != BT_CONNECTED) {
2467 l2cap_do_send(chan, skb);
2471 switch (chan->mode) {
2472 case L2CAP_MODE_LE_FLOWCTL:
2473 /* Check outgoing MTU */
2474 if (len > chan->omtu)
2477 __skb_queue_head_init(&seg_queue);
2479 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2481 if (chan->state != BT_CONNECTED) {
2482 __skb_queue_purge(&seg_queue);
2489 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2491 l2cap_le_flowctl_send(chan);
2493 if (!chan->tx_credits)
2494 chan->ops->suspend(chan);
2500 case L2CAP_MODE_BASIC:
2501 /* Check outgoing MTU */
2502 if (len > chan->omtu)
2505 /* Create a basic PDU */
2506 skb = l2cap_create_basic_pdu(chan, msg, len);
2508 return PTR_ERR(skb);
2510 /* Channel lock is released before requesting new skb and then
2511 * reacquired thus we need to recheck channel state.
2513 if (chan->state != BT_CONNECTED) {
2518 l2cap_do_send(chan, skb);
2522 case L2CAP_MODE_ERTM:
2523 case L2CAP_MODE_STREAMING:
2524 /* Check outgoing MTU */
2525 if (len > chan->omtu) {
2530 __skb_queue_head_init(&seg_queue);
2532 /* Do segmentation before calling in to the state machine,
2533 * since it's possible to block while waiting for memory
2536 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2538 /* The channel could have been closed while segmenting,
2539 * check that it is still connected.
2541 if (chan->state != BT_CONNECTED) {
2542 __skb_queue_purge(&seg_queue);
2549 if (chan->mode == L2CAP_MODE_ERTM)
2550 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2552 l2cap_streaming_send(chan, &seg_queue);
2556 /* If the skbs were not queued for sending, they'll still be in
2557 * seg_queue and need to be purged.
2559 __skb_queue_purge(&seg_queue);
2563 BT_DBG("bad state %1.1x", chan->mode);
2569 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2571 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2573 struct l2cap_ctrl control;
2576 BT_DBG("chan %p, txseq %u", chan, txseq);
2578 memset(&control, 0, sizeof(control));
2580 control.super = L2CAP_SUPER_SREJ;
2582 for (seq = chan->expected_tx_seq; seq != txseq;
2583 seq = __next_seq(chan, seq)) {
2584 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2585 control.reqseq = seq;
2586 l2cap_send_sframe(chan, &control);
2587 l2cap_seq_list_append(&chan->srej_list, seq);
2591 chan->expected_tx_seq = __next_seq(chan, txseq);
2594 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2596 struct l2cap_ctrl control;
2598 BT_DBG("chan %p", chan);
2600 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2603 memset(&control, 0, sizeof(control));
2605 control.super = L2CAP_SUPER_SREJ;
2606 control.reqseq = chan->srej_list.tail;
2607 l2cap_send_sframe(chan, &control);
2610 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2612 struct l2cap_ctrl control;
2616 BT_DBG("chan %p, txseq %u", chan, txseq);
2618 memset(&control, 0, sizeof(control));
2620 control.super = L2CAP_SUPER_SREJ;
2622 /* Capture initial list head to allow only one pass through the list. */
2623 initial_head = chan->srej_list.head;
2626 seq = l2cap_seq_list_pop(&chan->srej_list);
2627 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2630 control.reqseq = seq;
2631 l2cap_send_sframe(chan, &control);
2632 l2cap_seq_list_append(&chan->srej_list, seq);
2633 } while (chan->srej_list.head != initial_head);
2636 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2638 struct sk_buff *acked_skb;
2641 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2643 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2646 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2647 chan->expected_ack_seq, chan->unacked_frames);
2649 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2650 ackseq = __next_seq(chan, ackseq)) {
2652 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2654 skb_unlink(acked_skb, &chan->tx_q);
2655 kfree_skb(acked_skb);
2656 chan->unacked_frames--;
2660 chan->expected_ack_seq = reqseq;
2662 if (chan->unacked_frames == 0)
2663 __clear_retrans_timer(chan);
2665 BT_DBG("unacked_frames %u", chan->unacked_frames);
2668 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2670 BT_DBG("chan %p", chan);
2672 chan->expected_tx_seq = chan->buffer_seq;
2673 l2cap_seq_list_clear(&chan->srej_list);
2674 skb_queue_purge(&chan->srej_q);
2675 chan->rx_state = L2CAP_RX_STATE_RECV;
2678 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2679 struct l2cap_ctrl *control,
2680 struct sk_buff_head *skbs, u8 event)
2682 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2686 case L2CAP_EV_DATA_REQUEST:
2687 if (chan->tx_send_head == NULL)
2688 chan->tx_send_head = skb_peek(skbs);
2690 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2691 l2cap_ertm_send(chan);
2693 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2694 BT_DBG("Enter LOCAL_BUSY");
2695 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2697 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2698 /* The SREJ_SENT state must be aborted if we are to
2699 * enter the LOCAL_BUSY state.
2701 l2cap_abort_rx_srej_sent(chan);
2704 l2cap_send_ack(chan);
2707 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2708 BT_DBG("Exit LOCAL_BUSY");
2709 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2711 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2712 struct l2cap_ctrl local_control;
2714 memset(&local_control, 0, sizeof(local_control));
2715 local_control.sframe = 1;
2716 local_control.super = L2CAP_SUPER_RR;
2717 local_control.poll = 1;
2718 local_control.reqseq = chan->buffer_seq;
2719 l2cap_send_sframe(chan, &local_control);
2721 chan->retry_count = 1;
2722 __set_monitor_timer(chan);
2723 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2726 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2727 l2cap_process_reqseq(chan, control->reqseq);
2729 case L2CAP_EV_EXPLICIT_POLL:
2730 l2cap_send_rr_or_rnr(chan, 1);
2731 chan->retry_count = 1;
2732 __set_monitor_timer(chan);
2733 __clear_ack_timer(chan);
2734 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2736 case L2CAP_EV_RETRANS_TO:
2737 l2cap_send_rr_or_rnr(chan, 1);
2738 chan->retry_count = 1;
2739 __set_monitor_timer(chan);
2740 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2742 case L2CAP_EV_RECV_FBIT:
2743 /* Nothing to process */
2750 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2751 struct l2cap_ctrl *control,
2752 struct sk_buff_head *skbs, u8 event)
2754 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2758 case L2CAP_EV_DATA_REQUEST:
2759 if (chan->tx_send_head == NULL)
2760 chan->tx_send_head = skb_peek(skbs);
2761 /* Queue data, but don't send. */
2762 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2764 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2765 BT_DBG("Enter LOCAL_BUSY");
2766 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2768 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2769 /* The SREJ_SENT state must be aborted if we are to
2770 * enter the LOCAL_BUSY state.
2772 l2cap_abort_rx_srej_sent(chan);
2775 l2cap_send_ack(chan);
2778 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2779 BT_DBG("Exit LOCAL_BUSY");
2780 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2782 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2783 struct l2cap_ctrl local_control;
2784 memset(&local_control, 0, sizeof(local_control));
2785 local_control.sframe = 1;
2786 local_control.super = L2CAP_SUPER_RR;
2787 local_control.poll = 1;
2788 local_control.reqseq = chan->buffer_seq;
2789 l2cap_send_sframe(chan, &local_control);
2791 chan->retry_count = 1;
2792 __set_monitor_timer(chan);
2793 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2796 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2797 l2cap_process_reqseq(chan, control->reqseq);
2801 case L2CAP_EV_RECV_FBIT:
2802 if (control && control->final) {
2803 __clear_monitor_timer(chan);
2804 if (chan->unacked_frames > 0)
2805 __set_retrans_timer(chan);
2806 chan->retry_count = 0;
2807 chan->tx_state = L2CAP_TX_STATE_XMIT;
2808 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2811 case L2CAP_EV_EXPLICIT_POLL:
2814 case L2CAP_EV_MONITOR_TO:
2815 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2816 l2cap_send_rr_or_rnr(chan, 1);
2817 __set_monitor_timer(chan);
2818 chan->retry_count++;
2820 l2cap_send_disconn_req(chan, ECONNABORTED);
2828 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2829 struct sk_buff_head *skbs, u8 event)
2831 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2832 chan, control, skbs, event, chan->tx_state);
2834 switch (chan->tx_state) {
2835 case L2CAP_TX_STATE_XMIT:
2836 l2cap_tx_state_xmit(chan, control, skbs, event);
2838 case L2CAP_TX_STATE_WAIT_F:
2839 l2cap_tx_state_wait_f(chan, control, skbs, event);
2847 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2848 struct l2cap_ctrl *control)
2850 BT_DBG("chan %p, control %p", chan, control);
2851 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2854 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2855 struct l2cap_ctrl *control)
2857 BT_DBG("chan %p, control %p", chan, control);
2858 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2861 /* Copy frame to all raw sockets on that connection */
2862 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2864 struct sk_buff *nskb;
2865 struct l2cap_chan *chan;
2867 BT_DBG("conn %p", conn);
2869 mutex_lock(&conn->chan_lock);
2871 list_for_each_entry(chan, &conn->chan_l, list) {
2872 if (chan->chan_type != L2CAP_CHAN_RAW)
2875 /* Don't send frame to the channel it came from */
2876 if (bt_cb(skb)->l2cap.chan == chan)
2879 nskb = skb_clone(skb, GFP_KERNEL);
2882 if (chan->ops->recv(chan, nskb))
2886 mutex_unlock(&conn->chan_lock);
2889 /* ---- L2CAP signalling commands ---- */
2890 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2891 u8 ident, u16 dlen, void *data)
2893 struct sk_buff *skb, **frag;
2894 struct l2cap_cmd_hdr *cmd;
2895 struct l2cap_hdr *lh;
2898 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2899 conn, code, ident, dlen);
2901 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2904 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2905 count = min_t(unsigned int, conn->mtu, len);
2907 skb = bt_skb_alloc(count, GFP_KERNEL);
2911 lh = skb_put(skb, L2CAP_HDR_SIZE);
2912 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2914 if (conn->hcon->type == LE_LINK)
2915 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2917 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2919 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2922 cmd->len = cpu_to_le16(dlen);
2925 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2926 skb_put_data(skb, data, count);
2932 /* Continuation fragments (no L2CAP header) */
2933 frag = &skb_shinfo(skb)->frag_list;
2935 count = min_t(unsigned int, conn->mtu, len);
2937 *frag = bt_skb_alloc(count, GFP_KERNEL);
2941 skb_put_data(*frag, data, count);
2946 frag = &(*frag)->next;
2956 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2959 struct l2cap_conf_opt *opt = *ptr;
2962 len = L2CAP_CONF_OPT_SIZE + opt->len;
2970 *val = *((u8 *) opt->val);
2974 *val = get_unaligned_le16(opt->val);
2978 *val = get_unaligned_le32(opt->val);
2982 *val = (unsigned long) opt->val;
2986 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2990 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
2992 struct l2cap_conf_opt *opt = *ptr;
2994 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2996 if (size < L2CAP_CONF_OPT_SIZE + len)
3004 *((u8 *) opt->val) = val;
3008 put_unaligned_le16(val, opt->val);
3012 put_unaligned_le32(val, opt->val);
3016 memcpy(opt->val, (void *) val, len);
3020 *ptr += L2CAP_CONF_OPT_SIZE + len;
3023 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3025 struct l2cap_conf_efs efs;
3027 switch (chan->mode) {
3028 case L2CAP_MODE_ERTM:
3029 efs.id = chan->local_id;
3030 efs.stype = chan->local_stype;
3031 efs.msdu = cpu_to_le16(chan->local_msdu);
3032 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3033 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3034 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3037 case L2CAP_MODE_STREAMING:
3039 efs.stype = L2CAP_SERV_BESTEFFORT;
3040 efs.msdu = cpu_to_le16(chan->local_msdu);
3041 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3050 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3051 (unsigned long) &efs, size);
3054 static void l2cap_ack_timeout(struct work_struct *work)
3056 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3060 BT_DBG("chan %p", chan);
3062 l2cap_chan_lock(chan);
3064 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3065 chan->last_acked_seq);
3068 l2cap_send_rr_or_rnr(chan, 0);
3070 l2cap_chan_unlock(chan);
3071 l2cap_chan_put(chan);
3074 int l2cap_ertm_init(struct l2cap_chan *chan)
3078 chan->next_tx_seq = 0;
3079 chan->expected_tx_seq = 0;
3080 chan->expected_ack_seq = 0;
3081 chan->unacked_frames = 0;
3082 chan->buffer_seq = 0;
3083 chan->frames_sent = 0;
3084 chan->last_acked_seq = 0;
3086 chan->sdu_last_frag = NULL;
3089 skb_queue_head_init(&chan->tx_q);
3091 chan->local_amp_id = AMP_ID_BREDR;
3092 chan->move_id = AMP_ID_BREDR;
3093 chan->move_state = L2CAP_MOVE_STABLE;
3094 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3096 if (chan->mode != L2CAP_MODE_ERTM)
3099 chan->rx_state = L2CAP_RX_STATE_RECV;
3100 chan->tx_state = L2CAP_TX_STATE_XMIT;
3102 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3103 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3104 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3106 skb_queue_head_init(&chan->srej_q);
3108 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3112 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3114 l2cap_seq_list_free(&chan->srej_list);
3119 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3122 case L2CAP_MODE_STREAMING:
3123 case L2CAP_MODE_ERTM:
3124 if (l2cap_mode_supported(mode, remote_feat_mask))
3128 return L2CAP_MODE_BASIC;
3132 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3134 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3135 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3138 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3140 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3141 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3144 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3145 struct l2cap_conf_rfc *rfc)
3147 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3148 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3150 /* Class 1 devices have must have ERTM timeouts
3151 * exceeding the Link Supervision Timeout. The
3152 * default Link Supervision Timeout for AMP
3153 * controllers is 10 seconds.
3155 * Class 1 devices use 0xffffffff for their
3156 * best-effort flush timeout, so the clamping logic
3157 * will result in a timeout that meets the above
3158 * requirement. ERTM timeouts are 16-bit values, so
3159 * the maximum timeout is 65.535 seconds.
3162 /* Convert timeout to milliseconds and round */
3163 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3165 /* This is the recommended formula for class 2 devices
3166 * that start ERTM timers when packets are sent to the
3169 ertm_to = 3 * ertm_to + 500;
3171 if (ertm_to > 0xffff)
3174 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3175 rfc->monitor_timeout = rfc->retrans_timeout;
3177 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3178 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3182 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3184 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3185 __l2cap_ews_supported(chan->conn)) {
3186 /* use extended control field */
3187 set_bit(FLAG_EXT_CTRL, &chan->flags);
3188 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3190 chan->tx_win = min_t(u16, chan->tx_win,
3191 L2CAP_DEFAULT_TX_WINDOW);
3192 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3194 chan->ack_win = chan->tx_win;
3197 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3199 struct l2cap_conf_req *req = data;
3200 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3201 void *ptr = req->data;
3202 void *endptr = data + data_size;
3205 BT_DBG("chan %p", chan);
3207 if (chan->num_conf_req || chan->num_conf_rsp)
3210 switch (chan->mode) {
3211 case L2CAP_MODE_STREAMING:
3212 case L2CAP_MODE_ERTM:
3213 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3216 if (__l2cap_efs_supported(chan->conn))
3217 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3221 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3226 if (chan->imtu != L2CAP_DEFAULT_MTU)
3227 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3229 switch (chan->mode) {
3230 case L2CAP_MODE_BASIC:
3234 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3235 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3238 rfc.mode = L2CAP_MODE_BASIC;
3240 rfc.max_transmit = 0;
3241 rfc.retrans_timeout = 0;
3242 rfc.monitor_timeout = 0;
3243 rfc.max_pdu_size = 0;
3245 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3246 (unsigned long) &rfc, endptr - ptr);
3249 case L2CAP_MODE_ERTM:
3250 rfc.mode = L2CAP_MODE_ERTM;
3251 rfc.max_transmit = chan->max_tx;
3253 __l2cap_set_ertm_timeouts(chan, &rfc);
3255 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3256 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3258 rfc.max_pdu_size = cpu_to_le16(size);
3260 l2cap_txwin_setup(chan);
3262 rfc.txwin_size = min_t(u16, chan->tx_win,
3263 L2CAP_DEFAULT_TX_WINDOW);
3265 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3266 (unsigned long) &rfc, endptr - ptr);
3268 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3269 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3271 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3272 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3273 chan->tx_win, endptr - ptr);
3275 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3276 if (chan->fcs == L2CAP_FCS_NONE ||
3277 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3278 chan->fcs = L2CAP_FCS_NONE;
3279 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3280 chan->fcs, endptr - ptr);
3284 case L2CAP_MODE_STREAMING:
3285 l2cap_txwin_setup(chan);
3286 rfc.mode = L2CAP_MODE_STREAMING;
3288 rfc.max_transmit = 0;
3289 rfc.retrans_timeout = 0;
3290 rfc.monitor_timeout = 0;
3292 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3293 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3295 rfc.max_pdu_size = cpu_to_le16(size);
3297 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3298 (unsigned long) &rfc, endptr - ptr);
3300 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3301 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3303 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3304 if (chan->fcs == L2CAP_FCS_NONE ||
3305 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3306 chan->fcs = L2CAP_FCS_NONE;
3307 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3308 chan->fcs, endptr - ptr);
3313 req->dcid = cpu_to_le16(chan->dcid);
3314 req->flags = cpu_to_le16(0);
3319 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3321 struct l2cap_conf_rsp *rsp = data;
3322 void *ptr = rsp->data;
3323 void *endptr = data + data_size;
3324 void *req = chan->conf_req;
3325 int len = chan->conf_len;
3326 int type, hint, olen;
3328 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3329 struct l2cap_conf_efs efs;
3331 u16 mtu = L2CAP_DEFAULT_MTU;
3332 u16 result = L2CAP_CONF_SUCCESS;
3335 BT_DBG("chan %p", chan);
3337 while (len >= L2CAP_CONF_OPT_SIZE) {
3338 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3340 hint = type & L2CAP_CONF_HINT;
3341 type &= L2CAP_CONF_MASK;
3344 case L2CAP_CONF_MTU:
3348 case L2CAP_CONF_FLUSH_TO:
3349 chan->flush_to = val;
3352 case L2CAP_CONF_QOS:
3355 case L2CAP_CONF_RFC:
3356 if (olen == sizeof(rfc))
3357 memcpy(&rfc, (void *) val, olen);
3360 case L2CAP_CONF_FCS:
3361 if (val == L2CAP_FCS_NONE)
3362 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3365 case L2CAP_CONF_EFS:
3367 if (olen == sizeof(efs))
3368 memcpy(&efs, (void *) val, olen);
3371 case L2CAP_CONF_EWS:
3372 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3373 return -ECONNREFUSED;
3375 set_bit(FLAG_EXT_CTRL, &chan->flags);
3376 set_bit(CONF_EWS_RECV, &chan->conf_state);
3377 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3378 chan->remote_tx_win = val;
3385 result = L2CAP_CONF_UNKNOWN;
3386 *((u8 *) ptr++) = type;
3391 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3394 switch (chan->mode) {
3395 case L2CAP_MODE_STREAMING:
3396 case L2CAP_MODE_ERTM:
3397 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3398 chan->mode = l2cap_select_mode(rfc.mode,
3399 chan->conn->feat_mask);
3404 if (__l2cap_efs_supported(chan->conn))
3405 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3407 return -ECONNREFUSED;
3410 if (chan->mode != rfc.mode)
3411 return -ECONNREFUSED;
3417 if (chan->mode != rfc.mode) {
3418 result = L2CAP_CONF_UNACCEPT;
3419 rfc.mode = chan->mode;
3421 if (chan->num_conf_rsp == 1)
3422 return -ECONNREFUSED;
3424 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3425 (unsigned long) &rfc, endptr - ptr);
3428 if (result == L2CAP_CONF_SUCCESS) {
3429 /* Configure output options and let the other side know
3430 * which ones we don't like. */
3432 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3433 result = L2CAP_CONF_UNACCEPT;
3436 set_bit(CONF_MTU_DONE, &chan->conf_state);
3438 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3441 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3442 efs.stype != L2CAP_SERV_NOTRAFIC &&
3443 efs.stype != chan->local_stype) {
3445 result = L2CAP_CONF_UNACCEPT;
3447 if (chan->num_conf_req >= 1)
3448 return -ECONNREFUSED;
3450 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3452 (unsigned long) &efs, endptr - ptr);
3454 /* Send PENDING Conf Rsp */
3455 result = L2CAP_CONF_PENDING;
3456 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3461 case L2CAP_MODE_BASIC:
3462 chan->fcs = L2CAP_FCS_NONE;
3463 set_bit(CONF_MODE_DONE, &chan->conf_state);
3466 case L2CAP_MODE_ERTM:
3467 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3468 chan->remote_tx_win = rfc.txwin_size;
3470 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3472 chan->remote_max_tx = rfc.max_transmit;
3474 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3475 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3476 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3477 rfc.max_pdu_size = cpu_to_le16(size);
3478 chan->remote_mps = size;
3480 __l2cap_set_ertm_timeouts(chan, &rfc);
3482 set_bit(CONF_MODE_DONE, &chan->conf_state);
3484 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3485 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3487 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3488 chan->remote_id = efs.id;
3489 chan->remote_stype = efs.stype;
3490 chan->remote_msdu = le16_to_cpu(efs.msdu);
3491 chan->remote_flush_to =
3492 le32_to_cpu(efs.flush_to);
3493 chan->remote_acc_lat =
3494 le32_to_cpu(efs.acc_lat);
3495 chan->remote_sdu_itime =
3496 le32_to_cpu(efs.sdu_itime);
3497 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3499 (unsigned long) &efs, endptr - ptr);
3503 case L2CAP_MODE_STREAMING:
3504 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3505 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3506 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3507 rfc.max_pdu_size = cpu_to_le16(size);
3508 chan->remote_mps = size;
3510 set_bit(CONF_MODE_DONE, &chan->conf_state);
3512 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3513 (unsigned long) &rfc, endptr - ptr);
3518 result = L2CAP_CONF_UNACCEPT;
3520 memset(&rfc, 0, sizeof(rfc));
3521 rfc.mode = chan->mode;
3524 if (result == L2CAP_CONF_SUCCESS)
3525 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3527 rsp->scid = cpu_to_le16(chan->dcid);
3528 rsp->result = cpu_to_le16(result);
3529 rsp->flags = cpu_to_le16(0);
3534 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3535 void *data, size_t size, u16 *result)
3537 struct l2cap_conf_req *req = data;
3538 void *ptr = req->data;
3539 void *endptr = data + size;
3542 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3543 struct l2cap_conf_efs efs;
3545 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3547 while (len >= L2CAP_CONF_OPT_SIZE) {
3548 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3551 case L2CAP_CONF_MTU:
3552 if (val < L2CAP_DEFAULT_MIN_MTU) {
3553 *result = L2CAP_CONF_UNACCEPT;
3554 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3557 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3560 case L2CAP_CONF_FLUSH_TO:
3561 chan->flush_to = val;
3562 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3563 2, chan->flush_to, endptr - ptr);
3566 case L2CAP_CONF_RFC:
3567 if (olen == sizeof(rfc))
3568 memcpy(&rfc, (void *)val, olen);
3570 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3571 rfc.mode != chan->mode)
3572 return -ECONNREFUSED;
3576 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3577 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3580 case L2CAP_CONF_EWS:
3581 chan->ack_win = min_t(u16, val, chan->ack_win);
3582 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3583 chan->tx_win, endptr - ptr);
3586 case L2CAP_CONF_EFS:
3587 if (olen == sizeof(efs))
3588 memcpy(&efs, (void *)val, olen);
3590 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3591 efs.stype != L2CAP_SERV_NOTRAFIC &&
3592 efs.stype != chan->local_stype)
3593 return -ECONNREFUSED;
3595 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3596 (unsigned long) &efs, endptr - ptr);
3599 case L2CAP_CONF_FCS:
3600 if (*result == L2CAP_CONF_PENDING)
3601 if (val == L2CAP_FCS_NONE)
3602 set_bit(CONF_RECV_NO_FCS,
3608 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3609 return -ECONNREFUSED;
3611 chan->mode = rfc.mode;
3613 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3615 case L2CAP_MODE_ERTM:
3616 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3617 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3618 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3619 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3620 chan->ack_win = min_t(u16, chan->ack_win,
3623 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3624 chan->local_msdu = le16_to_cpu(efs.msdu);
3625 chan->local_sdu_itime =
3626 le32_to_cpu(efs.sdu_itime);
3627 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3628 chan->local_flush_to =
3629 le32_to_cpu(efs.flush_to);
3633 case L2CAP_MODE_STREAMING:
3634 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3638 req->dcid = cpu_to_le16(chan->dcid);
3639 req->flags = cpu_to_le16(0);
3644 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3645 u16 result, u16 flags)
3647 struct l2cap_conf_rsp *rsp = data;
3648 void *ptr = rsp->data;
3650 BT_DBG("chan %p", chan);
3652 rsp->scid = cpu_to_le16(chan->dcid);
3653 rsp->result = cpu_to_le16(result);
3654 rsp->flags = cpu_to_le16(flags);
3659 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3661 struct l2cap_le_conn_rsp rsp;
3662 struct l2cap_conn *conn = chan->conn;
3664 BT_DBG("chan %p", chan);
3666 rsp.dcid = cpu_to_le16(chan->scid);
3667 rsp.mtu = cpu_to_le16(chan->imtu);
3668 rsp.mps = cpu_to_le16(chan->mps);
3669 rsp.credits = cpu_to_le16(chan->rx_credits);
3670 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3672 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3676 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3678 struct l2cap_conn_rsp rsp;
3679 struct l2cap_conn *conn = chan->conn;
3683 rsp.scid = cpu_to_le16(chan->dcid);
3684 rsp.dcid = cpu_to_le16(chan->scid);
3685 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3686 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3689 rsp_code = L2CAP_CREATE_CHAN_RSP;
3691 rsp_code = L2CAP_CONN_RSP;
3693 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3695 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3697 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3700 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3701 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3702 chan->num_conf_req++;
3705 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3709 /* Use sane default values in case a misbehaving remote device
3710 * did not send an RFC or extended window size option.
3712 u16 txwin_ext = chan->ack_win;
3713 struct l2cap_conf_rfc rfc = {
3715 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3716 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3717 .max_pdu_size = cpu_to_le16(chan->imtu),
3718 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3721 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3723 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3726 while (len >= L2CAP_CONF_OPT_SIZE) {
3727 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3730 case L2CAP_CONF_RFC:
3731 if (olen == sizeof(rfc))
3732 memcpy(&rfc, (void *)val, olen);
3734 case L2CAP_CONF_EWS:
3741 case L2CAP_MODE_ERTM:
3742 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3743 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3744 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3745 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3746 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3748 chan->ack_win = min_t(u16, chan->ack_win,
3751 case L2CAP_MODE_STREAMING:
3752 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3756 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3757 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3760 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3762 if (cmd_len < sizeof(*rej))
3765 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3768 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3769 cmd->ident == conn->info_ident) {
3770 cancel_delayed_work(&conn->info_timer);
3772 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3773 conn->info_ident = 0;
3775 l2cap_conn_start(conn);
3781 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3782 struct l2cap_cmd_hdr *cmd,
3783 u8 *data, u8 rsp_code, u8 amp_id)
3785 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3786 struct l2cap_conn_rsp rsp;
3787 struct l2cap_chan *chan = NULL, *pchan;
3788 int result, status = L2CAP_CS_NO_INFO;
3790 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3791 __le16 psm = req->psm;
3793 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3795 /* Check if we have socket listening on psm */
3796 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3797 &conn->hcon->dst, ACL_LINK);
3799 result = L2CAP_CR_BAD_PSM;
3803 mutex_lock(&conn->chan_lock);
3804 l2cap_chan_lock(pchan);
3806 /* Check if the ACL is secure enough (if not SDP) */
3807 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3808 !hci_conn_check_link_mode(conn->hcon)) {
3809 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3810 result = L2CAP_CR_SEC_BLOCK;
3814 result = L2CAP_CR_NO_MEM;
3816 /* Check if we already have channel with that dcid */
3817 if (__l2cap_get_chan_by_dcid(conn, scid))
3820 chan = pchan->ops->new_connection(pchan);
3824 /* For certain devices (ex: HID mouse), support for authentication,
3825 * pairing and bonding is optional. For such devices, inorder to avoid
3826 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3827 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3829 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3831 bacpy(&chan->src, &conn->hcon->src);
3832 bacpy(&chan->dst, &conn->hcon->dst);
3833 chan->src_type = bdaddr_src_type(conn->hcon);
3834 chan->dst_type = bdaddr_dst_type(conn->hcon);
3837 chan->local_amp_id = amp_id;
3839 __l2cap_chan_add(conn, chan);
3843 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3845 chan->ident = cmd->ident;
3847 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3848 if (l2cap_chan_check_security(chan, false)) {
3849 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3850 l2cap_state_change(chan, BT_CONNECT2);
3851 result = L2CAP_CR_PEND;
3852 status = L2CAP_CS_AUTHOR_PEND;
3853 chan->ops->defer(chan);
3855 /* Force pending result for AMP controllers.
3856 * The connection will succeed after the
3857 * physical link is up.
3859 if (amp_id == AMP_ID_BREDR) {
3860 l2cap_state_change(chan, BT_CONFIG);
3861 result = L2CAP_CR_SUCCESS;
3863 l2cap_state_change(chan, BT_CONNECT2);
3864 result = L2CAP_CR_PEND;
3866 status = L2CAP_CS_NO_INFO;
3869 l2cap_state_change(chan, BT_CONNECT2);
3870 result = L2CAP_CR_PEND;
3871 status = L2CAP_CS_AUTHEN_PEND;
3874 l2cap_state_change(chan, BT_CONNECT2);
3875 result = L2CAP_CR_PEND;
3876 status = L2CAP_CS_NO_INFO;
3880 l2cap_chan_unlock(pchan);
3881 mutex_unlock(&conn->chan_lock);
3882 l2cap_chan_put(pchan);
3885 rsp.scid = cpu_to_le16(scid);
3886 rsp.dcid = cpu_to_le16(dcid);
3887 rsp.result = cpu_to_le16(result);
3888 rsp.status = cpu_to_le16(status);
3889 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3891 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3892 struct l2cap_info_req info;
3893 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3895 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3896 conn->info_ident = l2cap_get_ident(conn);
3898 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3900 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3901 sizeof(info), &info);
3904 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3905 result == L2CAP_CR_SUCCESS) {
3907 set_bit(CONF_REQ_SENT, &chan->conf_state);
3908 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3909 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3910 chan->num_conf_req++;
3916 static int l2cap_connect_req(struct l2cap_conn *conn,
3917 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3919 struct hci_dev *hdev = conn->hcon->hdev;
3920 struct hci_conn *hcon = conn->hcon;
3922 if (cmd_len < sizeof(struct l2cap_conn_req))
3926 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3927 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3928 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3929 hci_dev_unlock(hdev);
3931 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3935 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3936 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3939 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3940 u16 scid, dcid, result, status;
3941 struct l2cap_chan *chan;
3945 if (cmd_len < sizeof(*rsp))
3948 scid = __le16_to_cpu(rsp->scid);
3949 dcid = __le16_to_cpu(rsp->dcid);
3950 result = __le16_to_cpu(rsp->result);
3951 status = __le16_to_cpu(rsp->status);
3953 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3954 dcid, scid, result, status);
3956 mutex_lock(&conn->chan_lock);
3959 chan = __l2cap_get_chan_by_scid(conn, scid);
3965 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3974 l2cap_chan_lock(chan);
3977 case L2CAP_CR_SUCCESS:
3978 l2cap_state_change(chan, BT_CONFIG);
3981 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3983 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3986 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3987 l2cap_build_conf_req(chan, req, sizeof(req)), req);
3988 chan->num_conf_req++;
3992 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3996 l2cap_chan_del(chan, ECONNREFUSED);
4000 l2cap_chan_unlock(chan);
4003 mutex_unlock(&conn->chan_lock);
4008 static inline void set_default_fcs(struct l2cap_chan *chan)
4010 /* FCS is enabled only in ERTM or streaming mode, if one or both
4013 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4014 chan->fcs = L2CAP_FCS_NONE;
4015 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4016 chan->fcs = L2CAP_FCS_CRC16;
4019 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4020 u8 ident, u16 flags)
4022 struct l2cap_conn *conn = chan->conn;
4024 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4027 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4028 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4030 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4031 l2cap_build_conf_rsp(chan, data,
4032 L2CAP_CONF_SUCCESS, flags), data);
4035 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4038 struct l2cap_cmd_rej_cid rej;
4040 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4041 rej.scid = __cpu_to_le16(scid);
4042 rej.dcid = __cpu_to_le16(dcid);
4044 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4047 static inline int l2cap_config_req(struct l2cap_conn *conn,
4048 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4051 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4054 struct l2cap_chan *chan;
4057 if (cmd_len < sizeof(*req))
4060 dcid = __le16_to_cpu(req->dcid);
4061 flags = __le16_to_cpu(req->flags);
4063 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4065 chan = l2cap_get_chan_by_scid(conn, dcid);
4067 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4071 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4072 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4077 /* Reject if config buffer is too small. */
4078 len = cmd_len - sizeof(*req);
4079 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4080 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4081 l2cap_build_conf_rsp(chan, rsp,
4082 L2CAP_CONF_REJECT, flags), rsp);
4087 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4088 chan->conf_len += len;
4090 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4091 /* Incomplete config. Send empty response. */
4092 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4093 l2cap_build_conf_rsp(chan, rsp,
4094 L2CAP_CONF_SUCCESS, flags), rsp);
4098 /* Complete config. */
4099 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4101 l2cap_send_disconn_req(chan, ECONNRESET);
4105 chan->ident = cmd->ident;
4106 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4107 chan->num_conf_rsp++;
4109 /* Reset config buffer. */
4112 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4115 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4116 set_default_fcs(chan);
4118 if (chan->mode == L2CAP_MODE_ERTM ||
4119 chan->mode == L2CAP_MODE_STREAMING)
4120 err = l2cap_ertm_init(chan);
4123 l2cap_send_disconn_req(chan, -err);
4125 l2cap_chan_ready(chan);
4130 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4132 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4133 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4134 chan->num_conf_req++;
4137 /* Got Conf Rsp PENDING from remote side and assume we sent
4138 Conf Rsp PENDING in the code above */
4139 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4140 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4142 /* check compatibility */
4144 /* Send rsp for BR/EDR channel */
4146 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4148 chan->ident = cmd->ident;
4152 l2cap_chan_unlock(chan);
4156 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4157 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4160 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4161 u16 scid, flags, result;
4162 struct l2cap_chan *chan;
4163 int len = cmd_len - sizeof(*rsp);
4166 if (cmd_len < sizeof(*rsp))
4169 scid = __le16_to_cpu(rsp->scid);
4170 flags = __le16_to_cpu(rsp->flags);
4171 result = __le16_to_cpu(rsp->result);
4173 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4176 chan = l2cap_get_chan_by_scid(conn, scid);
4181 case L2CAP_CONF_SUCCESS:
4182 l2cap_conf_rfc_get(chan, rsp->data, len);
4183 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4186 case L2CAP_CONF_PENDING:
4187 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4189 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4192 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4193 buf, sizeof(buf), &result);
4195 l2cap_send_disconn_req(chan, ECONNRESET);
4199 if (!chan->hs_hcon) {
4200 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4203 if (l2cap_check_efs(chan)) {
4204 amp_create_logical_link(chan);
4205 chan->ident = cmd->ident;
4211 case L2CAP_CONF_UNACCEPT:
4212 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4215 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4216 l2cap_send_disconn_req(chan, ECONNRESET);
4220 /* throw out any old stored conf requests */
4221 result = L2CAP_CONF_SUCCESS;
4222 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4223 req, sizeof(req), &result);
4225 l2cap_send_disconn_req(chan, ECONNRESET);
4229 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4230 L2CAP_CONF_REQ, len, req);
4231 chan->num_conf_req++;
4232 if (result != L2CAP_CONF_SUCCESS)
4238 l2cap_chan_set_err(chan, ECONNRESET);
4240 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4241 l2cap_send_disconn_req(chan, ECONNRESET);
4245 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4248 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4250 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4251 set_default_fcs(chan);
4253 if (chan->mode == L2CAP_MODE_ERTM ||
4254 chan->mode == L2CAP_MODE_STREAMING)
4255 err = l2cap_ertm_init(chan);
4258 l2cap_send_disconn_req(chan, -err);
4260 l2cap_chan_ready(chan);
4264 l2cap_chan_unlock(chan);
4268 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4269 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4272 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4273 struct l2cap_disconn_rsp rsp;
4275 struct l2cap_chan *chan;
4277 if (cmd_len != sizeof(*req))
4280 scid = __le16_to_cpu(req->scid);
4281 dcid = __le16_to_cpu(req->dcid);
4283 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4285 mutex_lock(&conn->chan_lock);
4287 chan = __l2cap_get_chan_by_scid(conn, dcid);
4289 mutex_unlock(&conn->chan_lock);
4290 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4294 l2cap_chan_lock(chan);
4296 rsp.dcid = cpu_to_le16(chan->scid);
4297 rsp.scid = cpu_to_le16(chan->dcid);
4298 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4300 chan->ops->set_shutdown(chan);
4302 l2cap_chan_hold(chan);
4303 l2cap_chan_del(chan, ECONNRESET);
4305 l2cap_chan_unlock(chan);
4307 chan->ops->close(chan);
4308 l2cap_chan_put(chan);
4310 mutex_unlock(&conn->chan_lock);
4315 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4316 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4319 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4321 struct l2cap_chan *chan;
4323 if (cmd_len != sizeof(*rsp))
4326 scid = __le16_to_cpu(rsp->scid);
4327 dcid = __le16_to_cpu(rsp->dcid);
4329 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4331 mutex_lock(&conn->chan_lock);
4333 chan = __l2cap_get_chan_by_scid(conn, scid);
4335 mutex_unlock(&conn->chan_lock);
4339 l2cap_chan_lock(chan);
4341 l2cap_chan_hold(chan);
4342 l2cap_chan_del(chan, 0);
4344 l2cap_chan_unlock(chan);
4346 chan->ops->close(chan);
4347 l2cap_chan_put(chan);
4349 mutex_unlock(&conn->chan_lock);
4354 static inline int l2cap_information_req(struct l2cap_conn *conn,
4355 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4358 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4361 if (cmd_len != sizeof(*req))
4364 type = __le16_to_cpu(req->type);
4366 BT_DBG("type 0x%4.4x", type);
4368 if (type == L2CAP_IT_FEAT_MASK) {
4370 u32 feat_mask = l2cap_feat_mask;
4371 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4372 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4373 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4375 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4377 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4378 feat_mask |= L2CAP_FEAT_EXT_FLOW
4379 | L2CAP_FEAT_EXT_WINDOW;
4381 put_unaligned_le32(feat_mask, rsp->data);
4382 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4384 } else if (type == L2CAP_IT_FIXED_CHAN) {
4386 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4388 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4389 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4390 rsp->data[0] = conn->local_fixed_chan;
4391 memset(rsp->data + 1, 0, 7);
4392 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4395 struct l2cap_info_rsp rsp;
4396 rsp.type = cpu_to_le16(type);
4397 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4398 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4405 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4406 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4409 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4412 if (cmd_len < sizeof(*rsp))
4415 type = __le16_to_cpu(rsp->type);
4416 result = __le16_to_cpu(rsp->result);
4418 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4420 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4421 if (cmd->ident != conn->info_ident ||
4422 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4425 cancel_delayed_work(&conn->info_timer);
4427 if (result != L2CAP_IR_SUCCESS) {
4428 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4429 conn->info_ident = 0;
4431 l2cap_conn_start(conn);
4437 case L2CAP_IT_FEAT_MASK:
4438 conn->feat_mask = get_unaligned_le32(rsp->data);
4440 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4441 struct l2cap_info_req req;
4442 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4444 conn->info_ident = l2cap_get_ident(conn);
4446 l2cap_send_cmd(conn, conn->info_ident,
4447 L2CAP_INFO_REQ, sizeof(req), &req);
4449 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4450 conn->info_ident = 0;
4452 l2cap_conn_start(conn);
4456 case L2CAP_IT_FIXED_CHAN:
4457 conn->remote_fixed_chan = rsp->data[0];
4458 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4459 conn->info_ident = 0;
4461 l2cap_conn_start(conn);
4468 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4469 struct l2cap_cmd_hdr *cmd,
4470 u16 cmd_len, void *data)
4472 struct l2cap_create_chan_req *req = data;
4473 struct l2cap_create_chan_rsp rsp;
4474 struct l2cap_chan *chan;
4475 struct hci_dev *hdev;
4478 if (cmd_len != sizeof(*req))
4481 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4484 psm = le16_to_cpu(req->psm);
4485 scid = le16_to_cpu(req->scid);
4487 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4489 /* For controller id 0 make BR/EDR connection */
4490 if (req->amp_id == AMP_ID_BREDR) {
4491 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4496 /* Validate AMP controller id */
4497 hdev = hci_dev_get(req->amp_id);
4501 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4506 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4509 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4510 struct hci_conn *hs_hcon;
4512 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4516 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4521 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4523 mgr->bredr_chan = chan;
4524 chan->hs_hcon = hs_hcon;
4525 chan->fcs = L2CAP_FCS_NONE;
4526 conn->mtu = hdev->block_mtu;
4535 rsp.scid = cpu_to_le16(scid);
4536 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4537 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4539 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4545 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4547 struct l2cap_move_chan_req req;
4550 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4552 ident = l2cap_get_ident(chan->conn);
4553 chan->ident = ident;
4555 req.icid = cpu_to_le16(chan->scid);
4556 req.dest_amp_id = dest_amp_id;
4558 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4561 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4564 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4566 struct l2cap_move_chan_rsp rsp;
4568 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4570 rsp.icid = cpu_to_le16(chan->dcid);
4571 rsp.result = cpu_to_le16(result);
4573 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4577 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4579 struct l2cap_move_chan_cfm cfm;
4581 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4583 chan->ident = l2cap_get_ident(chan->conn);
4585 cfm.icid = cpu_to_le16(chan->scid);
4586 cfm.result = cpu_to_le16(result);
4588 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4591 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4594 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4596 struct l2cap_move_chan_cfm cfm;
4598 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4600 cfm.icid = cpu_to_le16(icid);
4601 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4603 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4607 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4610 struct l2cap_move_chan_cfm_rsp rsp;
4612 BT_DBG("icid 0x%4.4x", icid);
4614 rsp.icid = cpu_to_le16(icid);
4615 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4618 static void __release_logical_link(struct l2cap_chan *chan)
4620 chan->hs_hchan = NULL;
4621 chan->hs_hcon = NULL;
4623 /* Placeholder - release the logical link */
4626 static void l2cap_logical_fail(struct l2cap_chan *chan)
4628 /* Logical link setup failed */
4629 if (chan->state != BT_CONNECTED) {
4630 /* Create channel failure, disconnect */
4631 l2cap_send_disconn_req(chan, ECONNRESET);
4635 switch (chan->move_role) {
4636 case L2CAP_MOVE_ROLE_RESPONDER:
4637 l2cap_move_done(chan);
4638 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4640 case L2CAP_MOVE_ROLE_INITIATOR:
4641 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4642 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4643 /* Remote has only sent pending or
4644 * success responses, clean up
4646 l2cap_move_done(chan);
4649 /* Other amp move states imply that the move
4650 * has already aborted
4652 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4657 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4658 struct hci_chan *hchan)
4660 struct l2cap_conf_rsp rsp;
4662 chan->hs_hchan = hchan;
4663 chan->hs_hcon->l2cap_data = chan->conn;
4665 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4667 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4670 set_default_fcs(chan);
4672 err = l2cap_ertm_init(chan);
4674 l2cap_send_disconn_req(chan, -err);
4676 l2cap_chan_ready(chan);
4680 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4681 struct hci_chan *hchan)
4683 chan->hs_hcon = hchan->conn;
4684 chan->hs_hcon->l2cap_data = chan->conn;
4686 BT_DBG("move_state %d", chan->move_state);
4688 switch (chan->move_state) {
4689 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4690 /* Move confirm will be sent after a success
4691 * response is received
4693 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4695 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4696 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4697 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4698 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4699 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4700 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4701 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4702 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4703 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4707 /* Move was not in expected state, free the channel */
4708 __release_logical_link(chan);
4710 chan->move_state = L2CAP_MOVE_STABLE;
4714 /* Call with chan locked */
4715 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4718 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4721 l2cap_logical_fail(chan);
4722 __release_logical_link(chan);
4726 if (chan->state != BT_CONNECTED) {
4727 /* Ignore logical link if channel is on BR/EDR */
4728 if (chan->local_amp_id != AMP_ID_BREDR)
4729 l2cap_logical_finish_create(chan, hchan);
4731 l2cap_logical_finish_move(chan, hchan);
4735 void l2cap_move_start(struct l2cap_chan *chan)
4737 BT_DBG("chan %p", chan);
4739 if (chan->local_amp_id == AMP_ID_BREDR) {
4740 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4742 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4743 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4744 /* Placeholder - start physical link setup */
4746 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4747 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4749 l2cap_move_setup(chan);
4750 l2cap_send_move_chan_req(chan, 0);
4754 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4755 u8 local_amp_id, u8 remote_amp_id)
4757 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4758 local_amp_id, remote_amp_id);
4760 chan->fcs = L2CAP_FCS_NONE;
4762 /* Outgoing channel on AMP */
4763 if (chan->state == BT_CONNECT) {
4764 if (result == L2CAP_CR_SUCCESS) {
4765 chan->local_amp_id = local_amp_id;
4766 l2cap_send_create_chan_req(chan, remote_amp_id);
4768 /* Revert to BR/EDR connect */
4769 l2cap_send_conn_req(chan);
4775 /* Incoming channel on AMP */
4776 if (__l2cap_no_conn_pending(chan)) {
4777 struct l2cap_conn_rsp rsp;
4779 rsp.scid = cpu_to_le16(chan->dcid);
4780 rsp.dcid = cpu_to_le16(chan->scid);
4782 if (result == L2CAP_CR_SUCCESS) {
4783 /* Send successful response */
4784 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4785 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4787 /* Send negative response */
4788 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4789 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4792 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4795 if (result == L2CAP_CR_SUCCESS) {
4796 l2cap_state_change(chan, BT_CONFIG);
4797 set_bit(CONF_REQ_SENT, &chan->conf_state);
4798 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4800 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4801 chan->num_conf_req++;
4806 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4809 l2cap_move_setup(chan);
4810 chan->move_id = local_amp_id;
4811 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4813 l2cap_send_move_chan_req(chan, remote_amp_id);
4816 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4818 struct hci_chan *hchan = NULL;
4820 /* Placeholder - get hci_chan for logical link */
4823 if (hchan->state == BT_CONNECTED) {
4824 /* Logical link is ready to go */
4825 chan->hs_hcon = hchan->conn;
4826 chan->hs_hcon->l2cap_data = chan->conn;
4827 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4828 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4830 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4832 /* Wait for logical link to be ready */
4833 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4836 /* Logical link not available */
4837 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4841 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4843 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4845 if (result == -EINVAL)
4846 rsp_result = L2CAP_MR_BAD_ID;
4848 rsp_result = L2CAP_MR_NOT_ALLOWED;
4850 l2cap_send_move_chan_rsp(chan, rsp_result);
4853 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4854 chan->move_state = L2CAP_MOVE_STABLE;
4856 /* Restart data transmission */
4857 l2cap_ertm_send(chan);
4860 /* Invoke with locked chan */
4861 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4863 u8 local_amp_id = chan->local_amp_id;
4864 u8 remote_amp_id = chan->remote_amp_id;
4866 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4867 chan, result, local_amp_id, remote_amp_id);
4869 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4870 l2cap_chan_unlock(chan);
4874 if (chan->state != BT_CONNECTED) {
4875 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4876 } else if (result != L2CAP_MR_SUCCESS) {
4877 l2cap_do_move_cancel(chan, result);
4879 switch (chan->move_role) {
4880 case L2CAP_MOVE_ROLE_INITIATOR:
4881 l2cap_do_move_initiate(chan, local_amp_id,
4884 case L2CAP_MOVE_ROLE_RESPONDER:
4885 l2cap_do_move_respond(chan, result);
4888 l2cap_do_move_cancel(chan, result);
4894 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4895 struct l2cap_cmd_hdr *cmd,
4896 u16 cmd_len, void *data)
4898 struct l2cap_move_chan_req *req = data;
4899 struct l2cap_move_chan_rsp rsp;
4900 struct l2cap_chan *chan;
4902 u16 result = L2CAP_MR_NOT_ALLOWED;
4904 if (cmd_len != sizeof(*req))
4907 icid = le16_to_cpu(req->icid);
4909 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4911 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4914 chan = l2cap_get_chan_by_dcid(conn, icid);
4916 rsp.icid = cpu_to_le16(icid);
4917 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4918 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4923 chan->ident = cmd->ident;
4925 if (chan->scid < L2CAP_CID_DYN_START ||
4926 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4927 (chan->mode != L2CAP_MODE_ERTM &&
4928 chan->mode != L2CAP_MODE_STREAMING)) {
4929 result = L2CAP_MR_NOT_ALLOWED;
4930 goto send_move_response;
4933 if (chan->local_amp_id == req->dest_amp_id) {
4934 result = L2CAP_MR_SAME_ID;
4935 goto send_move_response;
4938 if (req->dest_amp_id != AMP_ID_BREDR) {
4939 struct hci_dev *hdev;
4940 hdev = hci_dev_get(req->dest_amp_id);
4941 if (!hdev || hdev->dev_type != HCI_AMP ||
4942 !test_bit(HCI_UP, &hdev->flags)) {
4946 result = L2CAP_MR_BAD_ID;
4947 goto send_move_response;
4952 /* Detect a move collision. Only send a collision response
4953 * if this side has "lost", otherwise proceed with the move.
4954 * The winner has the larger bd_addr.
4956 if ((__chan_is_moving(chan) ||
4957 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4958 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4959 result = L2CAP_MR_COLLISION;
4960 goto send_move_response;
4963 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4964 l2cap_move_setup(chan);
4965 chan->move_id = req->dest_amp_id;
4968 if (req->dest_amp_id == AMP_ID_BREDR) {
4969 /* Moving to BR/EDR */
4970 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4971 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4972 result = L2CAP_MR_PEND;
4974 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4975 result = L2CAP_MR_SUCCESS;
4978 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4979 /* Placeholder - uncomment when amp functions are available */
4980 /*amp_accept_physical(chan, req->dest_amp_id);*/
4981 result = L2CAP_MR_PEND;
4985 l2cap_send_move_chan_rsp(chan, result);
4987 l2cap_chan_unlock(chan);
4992 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4994 struct l2cap_chan *chan;
4995 struct hci_chan *hchan = NULL;
4997 chan = l2cap_get_chan_by_scid(conn, icid);
4999 l2cap_send_move_chan_cfm_icid(conn, icid);
5003 __clear_chan_timer(chan);
5004 if (result == L2CAP_MR_PEND)
5005 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5007 switch (chan->move_state) {
5008 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5009 /* Move confirm will be sent when logical link
5012 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5014 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5015 if (result == L2CAP_MR_PEND) {
5017 } else if (test_bit(CONN_LOCAL_BUSY,
5018 &chan->conn_state)) {
5019 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5021 /* Logical link is up or moving to BR/EDR,
5024 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5025 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5028 case L2CAP_MOVE_WAIT_RSP:
5030 if (result == L2CAP_MR_SUCCESS) {
5031 /* Remote is ready, send confirm immediately
5032 * after logical link is ready
5034 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5036 /* Both logical link and move success
5037 * are required to confirm
5039 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5042 /* Placeholder - get hci_chan for logical link */
5044 /* Logical link not available */
5045 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5049 /* If the logical link is not yet connected, do not
5050 * send confirmation.
5052 if (hchan->state != BT_CONNECTED)
5055 /* Logical link is already ready to go */
5057 chan->hs_hcon = hchan->conn;
5058 chan->hs_hcon->l2cap_data = chan->conn;
5060 if (result == L2CAP_MR_SUCCESS) {
5061 /* Can confirm now */
5062 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5064 /* Now only need move success
5067 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5070 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5073 /* Any other amp move state means the move failed. */
5074 chan->move_id = chan->local_amp_id;
5075 l2cap_move_done(chan);
5076 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5079 l2cap_chan_unlock(chan);
5082 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5085 struct l2cap_chan *chan;
5087 chan = l2cap_get_chan_by_ident(conn, ident);
5089 /* Could not locate channel, icid is best guess */
5090 l2cap_send_move_chan_cfm_icid(conn, icid);
5094 __clear_chan_timer(chan);
5096 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5097 if (result == L2CAP_MR_COLLISION) {
5098 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5100 /* Cleanup - cancel move */
5101 chan->move_id = chan->local_amp_id;
5102 l2cap_move_done(chan);
5106 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5108 l2cap_chan_unlock(chan);
5111 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5112 struct l2cap_cmd_hdr *cmd,
5113 u16 cmd_len, void *data)
5115 struct l2cap_move_chan_rsp *rsp = data;
5118 if (cmd_len != sizeof(*rsp))
5121 icid = le16_to_cpu(rsp->icid);
5122 result = le16_to_cpu(rsp->result);
5124 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5126 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5127 l2cap_move_continue(conn, icid, result);
5129 l2cap_move_fail(conn, cmd->ident, icid, result);
5134 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5135 struct l2cap_cmd_hdr *cmd,
5136 u16 cmd_len, void *data)
5138 struct l2cap_move_chan_cfm *cfm = data;
5139 struct l2cap_chan *chan;
5142 if (cmd_len != sizeof(*cfm))
5145 icid = le16_to_cpu(cfm->icid);
5146 result = le16_to_cpu(cfm->result);
5148 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5150 chan = l2cap_get_chan_by_dcid(conn, icid);
5152 /* Spec requires a response even if the icid was not found */
5153 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5157 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5158 if (result == L2CAP_MC_CONFIRMED) {
5159 chan->local_amp_id = chan->move_id;
5160 if (chan->local_amp_id == AMP_ID_BREDR)
5161 __release_logical_link(chan);
5163 chan->move_id = chan->local_amp_id;
5166 l2cap_move_done(chan);
5169 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5171 l2cap_chan_unlock(chan);
5176 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5177 struct l2cap_cmd_hdr *cmd,
5178 u16 cmd_len, void *data)
5180 struct l2cap_move_chan_cfm_rsp *rsp = data;
5181 struct l2cap_chan *chan;
5184 if (cmd_len != sizeof(*rsp))
5187 icid = le16_to_cpu(rsp->icid);
5189 BT_DBG("icid 0x%4.4x", icid);
5191 chan = l2cap_get_chan_by_scid(conn, icid);
5195 __clear_chan_timer(chan);
5197 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5198 chan->local_amp_id = chan->move_id;
5200 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5201 __release_logical_link(chan);
5203 l2cap_move_done(chan);
5206 l2cap_chan_unlock(chan);
5211 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5212 struct l2cap_cmd_hdr *cmd,
5213 u16 cmd_len, u8 *data)
5215 struct hci_conn *hcon = conn->hcon;
5216 struct l2cap_conn_param_update_req *req;
5217 struct l2cap_conn_param_update_rsp rsp;
5218 u16 min, max, latency, to_multiplier;
5221 if (hcon->role != HCI_ROLE_MASTER)
5224 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5227 req = (struct l2cap_conn_param_update_req *) data;
5228 min = __le16_to_cpu(req->min);
5229 max = __le16_to_cpu(req->max);
5230 latency = __le16_to_cpu(req->latency);
5231 to_multiplier = __le16_to_cpu(req->to_multiplier);
5233 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5234 min, max, latency, to_multiplier);
5236 memset(&rsp, 0, sizeof(rsp));
5238 err = hci_check_conn_params(min, max, latency, to_multiplier);
5240 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5242 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5244 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5250 store_hint = hci_le_conn_update(hcon, min, max, latency,
5252 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5253 store_hint, min, max, latency,
5261 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5262 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5265 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5266 struct hci_conn *hcon = conn->hcon;
5267 u16 dcid, mtu, mps, credits, result;
5268 struct l2cap_chan *chan;
5271 if (cmd_len < sizeof(*rsp))
5274 dcid = __le16_to_cpu(rsp->dcid);
5275 mtu = __le16_to_cpu(rsp->mtu);
5276 mps = __le16_to_cpu(rsp->mps);
5277 credits = __le16_to_cpu(rsp->credits);
5278 result = __le16_to_cpu(rsp->result);
5280 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 ||
5281 dcid < L2CAP_CID_DYN_START ||
5282 dcid > L2CAP_CID_LE_DYN_END))
5285 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5286 dcid, mtu, mps, credits, result);
5288 mutex_lock(&conn->chan_lock);
5290 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5298 l2cap_chan_lock(chan);
5301 case L2CAP_CR_SUCCESS:
5302 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5310 chan->remote_mps = mps;
5311 chan->tx_credits = credits;
5312 l2cap_chan_ready(chan);
5315 case L2CAP_CR_AUTHENTICATION:
5316 case L2CAP_CR_ENCRYPTION:
5317 /* If we already have MITM protection we can't do
5320 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5321 l2cap_chan_del(chan, ECONNREFUSED);
5325 sec_level = hcon->sec_level + 1;
5326 if (chan->sec_level < sec_level)
5327 chan->sec_level = sec_level;
5329 /* We'll need to send a new Connect Request */
5330 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5332 smp_conn_security(hcon, chan->sec_level);
5336 l2cap_chan_del(chan, ECONNREFUSED);
5340 l2cap_chan_unlock(chan);
5343 mutex_unlock(&conn->chan_lock);
5348 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5349 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5354 switch (cmd->code) {
5355 case L2CAP_COMMAND_REJ:
5356 l2cap_command_rej(conn, cmd, cmd_len, data);
5359 case L2CAP_CONN_REQ:
5360 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5363 case L2CAP_CONN_RSP:
5364 case L2CAP_CREATE_CHAN_RSP:
5365 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5368 case L2CAP_CONF_REQ:
5369 err = l2cap_config_req(conn, cmd, cmd_len, data);
5372 case L2CAP_CONF_RSP:
5373 l2cap_config_rsp(conn, cmd, cmd_len, data);
5376 case L2CAP_DISCONN_REQ:
5377 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5380 case L2CAP_DISCONN_RSP:
5381 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5384 case L2CAP_ECHO_REQ:
5385 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5388 case L2CAP_ECHO_RSP:
5391 case L2CAP_INFO_REQ:
5392 err = l2cap_information_req(conn, cmd, cmd_len, data);
5395 case L2CAP_INFO_RSP:
5396 l2cap_information_rsp(conn, cmd, cmd_len, data);
5399 case L2CAP_CREATE_CHAN_REQ:
5400 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5403 case L2CAP_MOVE_CHAN_REQ:
5404 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5407 case L2CAP_MOVE_CHAN_RSP:
5408 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5411 case L2CAP_MOVE_CHAN_CFM:
5412 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5415 case L2CAP_MOVE_CHAN_CFM_RSP:
5416 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5420 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5428 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5429 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5432 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5433 struct l2cap_le_conn_rsp rsp;
5434 struct l2cap_chan *chan, *pchan;
5435 u16 dcid, scid, credits, mtu, mps;
5439 if (cmd_len != sizeof(*req))
5442 scid = __le16_to_cpu(req->scid);
5443 mtu = __le16_to_cpu(req->mtu);
5444 mps = __le16_to_cpu(req->mps);
5449 if (mtu < 23 || mps < 23)
5452 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5455 /* Check if we have socket listening on psm */
5456 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5457 &conn->hcon->dst, LE_LINK);
5459 result = L2CAP_CR_BAD_PSM;
5464 mutex_lock(&conn->chan_lock);
5465 l2cap_chan_lock(pchan);
5467 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5469 result = L2CAP_CR_AUTHENTICATION;
5471 goto response_unlock;
5474 /* Check for valid dynamic CID range */
5475 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5476 result = L2CAP_CR_INVALID_SCID;
5478 goto response_unlock;
5481 /* Check if we already have channel with that dcid */
5482 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5483 result = L2CAP_CR_SCID_IN_USE;
5485 goto response_unlock;
5488 chan = pchan->ops->new_connection(pchan);
5490 result = L2CAP_CR_NO_MEM;
5491 goto response_unlock;
5494 l2cap_le_flowctl_init(chan);
5496 bacpy(&chan->src, &conn->hcon->src);
5497 bacpy(&chan->dst, &conn->hcon->dst);
5498 chan->src_type = bdaddr_src_type(conn->hcon);
5499 chan->dst_type = bdaddr_dst_type(conn->hcon);
5503 chan->remote_mps = mps;
5504 chan->tx_credits = __le16_to_cpu(req->credits);
5506 __l2cap_chan_add(conn, chan);
5508 credits = chan->rx_credits;
5510 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5512 chan->ident = cmd->ident;
5514 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5515 l2cap_state_change(chan, BT_CONNECT2);
5516 /* The following result value is actually not defined
5517 * for LE CoC but we use it to let the function know
5518 * that it should bail out after doing its cleanup
5519 * instead of sending a response.
5521 result = L2CAP_CR_PEND;
5522 chan->ops->defer(chan);
5524 l2cap_chan_ready(chan);
5525 result = L2CAP_CR_SUCCESS;
5529 l2cap_chan_unlock(pchan);
5530 mutex_unlock(&conn->chan_lock);
5531 l2cap_chan_put(pchan);
5533 if (result == L2CAP_CR_PEND)
5538 rsp.mtu = cpu_to_le16(chan->imtu);
5539 rsp.mps = cpu_to_le16(chan->mps);
5545 rsp.dcid = cpu_to_le16(dcid);
5546 rsp.credits = cpu_to_le16(credits);
5547 rsp.result = cpu_to_le16(result);
5549 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5554 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5555 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5558 struct l2cap_le_credits *pkt;
5559 struct l2cap_chan *chan;
5560 u16 cid, credits, max_credits;
5562 if (cmd_len != sizeof(*pkt))
5565 pkt = (struct l2cap_le_credits *) data;
5566 cid = __le16_to_cpu(pkt->cid);
5567 credits = __le16_to_cpu(pkt->credits);
5569 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5571 chan = l2cap_get_chan_by_dcid(conn, cid);
5575 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5576 if (credits > max_credits) {
5577 BT_ERR("LE credits overflow");
5578 l2cap_send_disconn_req(chan, ECONNRESET);
5579 l2cap_chan_unlock(chan);
5581 /* Return 0 so that we don't trigger an unnecessary
5582 * command reject packet.
5587 chan->tx_credits += credits;
5589 /* Resume sending */
5590 l2cap_le_flowctl_send(chan);
5592 if (chan->tx_credits)
5593 chan->ops->resume(chan);
5595 l2cap_chan_unlock(chan);
5600 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5601 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5604 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5605 struct l2cap_chan *chan;
5607 if (cmd_len < sizeof(*rej))
5610 mutex_lock(&conn->chan_lock);
5612 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5616 l2cap_chan_lock(chan);
5617 l2cap_chan_del(chan, ECONNREFUSED);
5618 l2cap_chan_unlock(chan);
5621 mutex_unlock(&conn->chan_lock);
5625 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5626 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5631 switch (cmd->code) {
5632 case L2CAP_COMMAND_REJ:
5633 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5636 case L2CAP_CONN_PARAM_UPDATE_REQ:
5637 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5640 case L2CAP_CONN_PARAM_UPDATE_RSP:
5643 case L2CAP_LE_CONN_RSP:
5644 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5647 case L2CAP_LE_CONN_REQ:
5648 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5651 case L2CAP_LE_CREDITS:
5652 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5655 case L2CAP_DISCONN_REQ:
5656 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5659 case L2CAP_DISCONN_RSP:
5660 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5664 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5672 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5673 struct sk_buff *skb)
5675 struct hci_conn *hcon = conn->hcon;
5676 struct l2cap_cmd_hdr *cmd;
5680 if (hcon->type != LE_LINK)
5683 if (skb->len < L2CAP_CMD_HDR_SIZE)
5686 cmd = (void *) skb->data;
5687 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5689 len = le16_to_cpu(cmd->len);
5691 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5693 if (len != skb->len || !cmd->ident) {
5694 BT_DBG("corrupted command");
5698 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5700 struct l2cap_cmd_rej_unk rej;
5702 BT_ERR("Wrong link type (%d)", err);
5704 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5705 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5713 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5714 struct sk_buff *skb)
5716 struct hci_conn *hcon = conn->hcon;
5717 u8 *data = skb->data;
5719 struct l2cap_cmd_hdr cmd;
5722 l2cap_raw_recv(conn, skb);
5724 if (hcon->type != ACL_LINK)
5727 while (len >= L2CAP_CMD_HDR_SIZE) {
5729 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5730 data += L2CAP_CMD_HDR_SIZE;
5731 len -= L2CAP_CMD_HDR_SIZE;
5733 cmd_len = le16_to_cpu(cmd.len);
5735 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5738 if (cmd_len > len || !cmd.ident) {
5739 BT_DBG("corrupted command");
5743 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5745 struct l2cap_cmd_rej_unk rej;
5747 BT_ERR("Wrong link type (%d)", err);
5749 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5750 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5762 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5764 u16 our_fcs, rcv_fcs;
5767 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5768 hdr_size = L2CAP_EXT_HDR_SIZE;
5770 hdr_size = L2CAP_ENH_HDR_SIZE;
5772 if (chan->fcs == L2CAP_FCS_CRC16) {
5773 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5774 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5775 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5777 if (our_fcs != rcv_fcs)
5783 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5785 struct l2cap_ctrl control;
5787 BT_DBG("chan %p", chan);
5789 memset(&control, 0, sizeof(control));
5792 control.reqseq = chan->buffer_seq;
5793 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5795 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5796 control.super = L2CAP_SUPER_RNR;
5797 l2cap_send_sframe(chan, &control);
5800 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5801 chan->unacked_frames > 0)
5802 __set_retrans_timer(chan);
5804 /* Send pending iframes */
5805 l2cap_ertm_send(chan);
5807 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5808 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5809 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5812 control.super = L2CAP_SUPER_RR;
5813 l2cap_send_sframe(chan, &control);
5817 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5818 struct sk_buff **last_frag)
5820 /* skb->len reflects data in skb as well as all fragments
5821 * skb->data_len reflects only data in fragments
5823 if (!skb_has_frag_list(skb))
5824 skb_shinfo(skb)->frag_list = new_frag;
5826 new_frag->next = NULL;
5828 (*last_frag)->next = new_frag;
5829 *last_frag = new_frag;
5831 skb->len += new_frag->len;
5832 skb->data_len += new_frag->len;
5833 skb->truesize += new_frag->truesize;
5836 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5837 struct l2cap_ctrl *control)
5841 switch (control->sar) {
5842 case L2CAP_SAR_UNSEGMENTED:
5846 err = chan->ops->recv(chan, skb);
5849 case L2CAP_SAR_START:
5853 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5856 chan->sdu_len = get_unaligned_le16(skb->data);
5857 skb_pull(skb, L2CAP_SDULEN_SIZE);
5859 if (chan->sdu_len > chan->imtu) {
5864 if (skb->len >= chan->sdu_len)
5868 chan->sdu_last_frag = skb;
5874 case L2CAP_SAR_CONTINUE:
5878 append_skb_frag(chan->sdu, skb,
5879 &chan->sdu_last_frag);
5882 if (chan->sdu->len >= chan->sdu_len)
5892 append_skb_frag(chan->sdu, skb,
5893 &chan->sdu_last_frag);
5896 if (chan->sdu->len != chan->sdu_len)
5899 err = chan->ops->recv(chan, chan->sdu);
5902 /* Reassembly complete */
5904 chan->sdu_last_frag = NULL;
5912 kfree_skb(chan->sdu);
5914 chan->sdu_last_frag = NULL;
5921 static int l2cap_resegment(struct l2cap_chan *chan)
5927 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5931 if (chan->mode != L2CAP_MODE_ERTM)
5934 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5935 l2cap_tx(chan, NULL, NULL, event);
5938 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5941 /* Pass sequential frames to l2cap_reassemble_sdu()
5942 * until a gap is encountered.
5945 BT_DBG("chan %p", chan);
5947 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5948 struct sk_buff *skb;
5949 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5950 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5952 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5957 skb_unlink(skb, &chan->srej_q);
5958 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5959 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5964 if (skb_queue_empty(&chan->srej_q)) {
5965 chan->rx_state = L2CAP_RX_STATE_RECV;
5966 l2cap_send_ack(chan);
5972 static void l2cap_handle_srej(struct l2cap_chan *chan,
5973 struct l2cap_ctrl *control)
5975 struct sk_buff *skb;
5977 BT_DBG("chan %p, control %p", chan, control);
5979 if (control->reqseq == chan->next_tx_seq) {
5980 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5981 l2cap_send_disconn_req(chan, ECONNRESET);
5985 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5988 BT_DBG("Seq %d not available for retransmission",
5993 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5994 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5995 l2cap_send_disconn_req(chan, ECONNRESET);
5999 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6001 if (control->poll) {
6002 l2cap_pass_to_tx(chan, control);
6004 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6005 l2cap_retransmit(chan, control);
6006 l2cap_ertm_send(chan);
6008 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6009 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6010 chan->srej_save_reqseq = control->reqseq;
6013 l2cap_pass_to_tx_fbit(chan, control);
6015 if (control->final) {
6016 if (chan->srej_save_reqseq != control->reqseq ||
6017 !test_and_clear_bit(CONN_SREJ_ACT,
6019 l2cap_retransmit(chan, control);
6021 l2cap_retransmit(chan, control);
6022 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6023 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6024 chan->srej_save_reqseq = control->reqseq;
6030 static void l2cap_handle_rej(struct l2cap_chan *chan,
6031 struct l2cap_ctrl *control)
6033 struct sk_buff *skb;
6035 BT_DBG("chan %p, control %p", chan, control);
6037 if (control->reqseq == chan->next_tx_seq) {
6038 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6039 l2cap_send_disconn_req(chan, ECONNRESET);
6043 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6045 if (chan->max_tx && skb &&
6046 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6047 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6048 l2cap_send_disconn_req(chan, ECONNRESET);
6052 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6054 l2cap_pass_to_tx(chan, control);
6056 if (control->final) {
6057 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6058 l2cap_retransmit_all(chan, control);
6060 l2cap_retransmit_all(chan, control);
6061 l2cap_ertm_send(chan);
6062 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6063 set_bit(CONN_REJ_ACT, &chan->conn_state);
6067 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6069 BT_DBG("chan %p, txseq %d", chan, txseq);
6071 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6072 chan->expected_tx_seq);
6074 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6075 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6077 /* See notes below regarding "double poll" and
6080 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6081 BT_DBG("Invalid/Ignore - after SREJ");
6082 return L2CAP_TXSEQ_INVALID_IGNORE;
6084 BT_DBG("Invalid - in window after SREJ sent");
6085 return L2CAP_TXSEQ_INVALID;
6089 if (chan->srej_list.head == txseq) {
6090 BT_DBG("Expected SREJ");
6091 return L2CAP_TXSEQ_EXPECTED_SREJ;
6094 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6095 BT_DBG("Duplicate SREJ - txseq already stored");
6096 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6099 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6100 BT_DBG("Unexpected SREJ - not requested");
6101 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6105 if (chan->expected_tx_seq == txseq) {
6106 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6108 BT_DBG("Invalid - txseq outside tx window");
6109 return L2CAP_TXSEQ_INVALID;
6112 return L2CAP_TXSEQ_EXPECTED;
6116 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6117 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6118 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6119 return L2CAP_TXSEQ_DUPLICATE;
6122 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6123 /* A source of invalid packets is a "double poll" condition,
6124 * where delays cause us to send multiple poll packets. If
6125 * the remote stack receives and processes both polls,
6126 * sequence numbers can wrap around in such a way that a
6127 * resent frame has a sequence number that looks like new data
6128 * with a sequence gap. This would trigger an erroneous SREJ
6131 * Fortunately, this is impossible with a tx window that's
6132 * less than half of the maximum sequence number, which allows
6133 * invalid frames to be safely ignored.
6135 * With tx window sizes greater than half of the tx window
6136 * maximum, the frame is invalid and cannot be ignored. This
6137 * causes a disconnect.
6140 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6141 BT_DBG("Invalid/Ignore - txseq outside tx window");
6142 return L2CAP_TXSEQ_INVALID_IGNORE;
6144 BT_DBG("Invalid - txseq outside tx window");
6145 return L2CAP_TXSEQ_INVALID;
6148 BT_DBG("Unexpected - txseq indicates missing frames");
6149 return L2CAP_TXSEQ_UNEXPECTED;
6153 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6154 struct l2cap_ctrl *control,
6155 struct sk_buff *skb, u8 event)
6158 bool skb_in_use = false;
6160 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6164 case L2CAP_EV_RECV_IFRAME:
6165 switch (l2cap_classify_txseq(chan, control->txseq)) {
6166 case L2CAP_TXSEQ_EXPECTED:
6167 l2cap_pass_to_tx(chan, control);
6169 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6170 BT_DBG("Busy, discarding expected seq %d",
6175 chan->expected_tx_seq = __next_seq(chan,
6178 chan->buffer_seq = chan->expected_tx_seq;
6181 err = l2cap_reassemble_sdu(chan, skb, control);
6185 if (control->final) {
6186 if (!test_and_clear_bit(CONN_REJ_ACT,
6187 &chan->conn_state)) {
6189 l2cap_retransmit_all(chan, control);
6190 l2cap_ertm_send(chan);
6194 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6195 l2cap_send_ack(chan);
6197 case L2CAP_TXSEQ_UNEXPECTED:
6198 l2cap_pass_to_tx(chan, control);
6200 /* Can't issue SREJ frames in the local busy state.
6201 * Drop this frame, it will be seen as missing
6202 * when local busy is exited.
6204 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6205 BT_DBG("Busy, discarding unexpected seq %d",
6210 /* There was a gap in the sequence, so an SREJ
6211 * must be sent for each missing frame. The
6212 * current frame is stored for later use.
6214 skb_queue_tail(&chan->srej_q, skb);
6216 BT_DBG("Queued %p (queue len %d)", skb,
6217 skb_queue_len(&chan->srej_q));
6219 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6220 l2cap_seq_list_clear(&chan->srej_list);
6221 l2cap_send_srej(chan, control->txseq);
6223 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6225 case L2CAP_TXSEQ_DUPLICATE:
6226 l2cap_pass_to_tx(chan, control);
6228 case L2CAP_TXSEQ_INVALID_IGNORE:
6230 case L2CAP_TXSEQ_INVALID:
6232 l2cap_send_disconn_req(chan, ECONNRESET);
6236 case L2CAP_EV_RECV_RR:
6237 l2cap_pass_to_tx(chan, control);
6238 if (control->final) {
6239 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6241 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6242 !__chan_is_moving(chan)) {
6244 l2cap_retransmit_all(chan, control);
6247 l2cap_ertm_send(chan);
6248 } else if (control->poll) {
6249 l2cap_send_i_or_rr_or_rnr(chan);
6251 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6252 &chan->conn_state) &&
6253 chan->unacked_frames)
6254 __set_retrans_timer(chan);
6256 l2cap_ertm_send(chan);
6259 case L2CAP_EV_RECV_RNR:
6260 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6261 l2cap_pass_to_tx(chan, control);
6262 if (control && control->poll) {
6263 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6264 l2cap_send_rr_or_rnr(chan, 0);
6266 __clear_retrans_timer(chan);
6267 l2cap_seq_list_clear(&chan->retrans_list);
6269 case L2CAP_EV_RECV_REJ:
6270 l2cap_handle_rej(chan, control);
6272 case L2CAP_EV_RECV_SREJ:
6273 l2cap_handle_srej(chan, control);
6279 if (skb && !skb_in_use) {
6280 BT_DBG("Freeing %p", skb);
6287 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6288 struct l2cap_ctrl *control,
6289 struct sk_buff *skb, u8 event)
6292 u16 txseq = control->txseq;
6293 bool skb_in_use = false;
6295 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6299 case L2CAP_EV_RECV_IFRAME:
6300 switch (l2cap_classify_txseq(chan, txseq)) {
6301 case L2CAP_TXSEQ_EXPECTED:
6302 /* Keep frame for reassembly later */
6303 l2cap_pass_to_tx(chan, control);
6304 skb_queue_tail(&chan->srej_q, skb);
6306 BT_DBG("Queued %p (queue len %d)", skb,
6307 skb_queue_len(&chan->srej_q));
6309 chan->expected_tx_seq = __next_seq(chan, txseq);
6311 case L2CAP_TXSEQ_EXPECTED_SREJ:
6312 l2cap_seq_list_pop(&chan->srej_list);
6314 l2cap_pass_to_tx(chan, control);
6315 skb_queue_tail(&chan->srej_q, skb);
6317 BT_DBG("Queued %p (queue len %d)", skb,
6318 skb_queue_len(&chan->srej_q));
6320 err = l2cap_rx_queued_iframes(chan);
6325 case L2CAP_TXSEQ_UNEXPECTED:
6326 /* Got a frame that can't be reassembled yet.
6327 * Save it for later, and send SREJs to cover
6328 * the missing frames.
6330 skb_queue_tail(&chan->srej_q, skb);
6332 BT_DBG("Queued %p (queue len %d)", skb,
6333 skb_queue_len(&chan->srej_q));
6335 l2cap_pass_to_tx(chan, control);
6336 l2cap_send_srej(chan, control->txseq);
6338 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6339 /* This frame was requested with an SREJ, but
6340 * some expected retransmitted frames are
6341 * missing. Request retransmission of missing
6344 skb_queue_tail(&chan->srej_q, skb);
6346 BT_DBG("Queued %p (queue len %d)", skb,
6347 skb_queue_len(&chan->srej_q));
6349 l2cap_pass_to_tx(chan, control);
6350 l2cap_send_srej_list(chan, control->txseq);
6352 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6353 /* We've already queued this frame. Drop this copy. */
6354 l2cap_pass_to_tx(chan, control);
6356 case L2CAP_TXSEQ_DUPLICATE:
6357 /* Expecting a later sequence number, so this frame
6358 * was already received. Ignore it completely.
6361 case L2CAP_TXSEQ_INVALID_IGNORE:
6363 case L2CAP_TXSEQ_INVALID:
6365 l2cap_send_disconn_req(chan, ECONNRESET);
6369 case L2CAP_EV_RECV_RR:
6370 l2cap_pass_to_tx(chan, control);
6371 if (control->final) {
6372 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6374 if (!test_and_clear_bit(CONN_REJ_ACT,
6375 &chan->conn_state)) {
6377 l2cap_retransmit_all(chan, control);
6380 l2cap_ertm_send(chan);
6381 } else if (control->poll) {
6382 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6383 &chan->conn_state) &&
6384 chan->unacked_frames) {
6385 __set_retrans_timer(chan);
6388 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6389 l2cap_send_srej_tail(chan);
6391 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6392 &chan->conn_state) &&
6393 chan->unacked_frames)
6394 __set_retrans_timer(chan);
6396 l2cap_send_ack(chan);
6399 case L2CAP_EV_RECV_RNR:
6400 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6401 l2cap_pass_to_tx(chan, control);
6402 if (control->poll) {
6403 l2cap_send_srej_tail(chan);
6405 struct l2cap_ctrl rr_control;
6406 memset(&rr_control, 0, sizeof(rr_control));
6407 rr_control.sframe = 1;
6408 rr_control.super = L2CAP_SUPER_RR;
6409 rr_control.reqseq = chan->buffer_seq;
6410 l2cap_send_sframe(chan, &rr_control);
6414 case L2CAP_EV_RECV_REJ:
6415 l2cap_handle_rej(chan, control);
6417 case L2CAP_EV_RECV_SREJ:
6418 l2cap_handle_srej(chan, control);
6422 if (skb && !skb_in_use) {
6423 BT_DBG("Freeing %p", skb);
6430 static int l2cap_finish_move(struct l2cap_chan *chan)
6432 BT_DBG("chan %p", chan);
6434 chan->rx_state = L2CAP_RX_STATE_RECV;
6437 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6439 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6441 return l2cap_resegment(chan);
6444 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6445 struct l2cap_ctrl *control,
6446 struct sk_buff *skb, u8 event)
6450 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6456 l2cap_process_reqseq(chan, control->reqseq);
6458 if (!skb_queue_empty(&chan->tx_q))
6459 chan->tx_send_head = skb_peek(&chan->tx_q);
6461 chan->tx_send_head = NULL;
6463 /* Rewind next_tx_seq to the point expected
6466 chan->next_tx_seq = control->reqseq;
6467 chan->unacked_frames = 0;
6469 err = l2cap_finish_move(chan);
6473 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6474 l2cap_send_i_or_rr_or_rnr(chan);
6476 if (event == L2CAP_EV_RECV_IFRAME)
6479 return l2cap_rx_state_recv(chan, control, NULL, event);
6482 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6483 struct l2cap_ctrl *control,
6484 struct sk_buff *skb, u8 event)
6488 if (!control->final)
6491 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6493 chan->rx_state = L2CAP_RX_STATE_RECV;
6494 l2cap_process_reqseq(chan, control->reqseq);
6496 if (!skb_queue_empty(&chan->tx_q))
6497 chan->tx_send_head = skb_peek(&chan->tx_q);
6499 chan->tx_send_head = NULL;
6501 /* Rewind next_tx_seq to the point expected
6504 chan->next_tx_seq = control->reqseq;
6505 chan->unacked_frames = 0;
6508 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6510 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6512 err = l2cap_resegment(chan);
6515 err = l2cap_rx_state_recv(chan, control, skb, event);
6520 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6522 /* Make sure reqseq is for a packet that has been sent but not acked */
6525 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6526 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6529 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6530 struct sk_buff *skb, u8 event)
6534 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6535 control, skb, event, chan->rx_state);
6537 if (__valid_reqseq(chan, control->reqseq)) {
6538 switch (chan->rx_state) {
6539 case L2CAP_RX_STATE_RECV:
6540 err = l2cap_rx_state_recv(chan, control, skb, event);
6542 case L2CAP_RX_STATE_SREJ_SENT:
6543 err = l2cap_rx_state_srej_sent(chan, control, skb,
6546 case L2CAP_RX_STATE_WAIT_P:
6547 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6549 case L2CAP_RX_STATE_WAIT_F:
6550 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6557 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6558 control->reqseq, chan->next_tx_seq,
6559 chan->expected_ack_seq);
6560 l2cap_send_disconn_req(chan, ECONNRESET);
6566 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6567 struct sk_buff *skb)
6569 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6572 if (l2cap_classify_txseq(chan, control->txseq) ==
6573 L2CAP_TXSEQ_EXPECTED) {
6574 l2cap_pass_to_tx(chan, control);
6576 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6577 __next_seq(chan, chan->buffer_seq));
6579 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6581 l2cap_reassemble_sdu(chan, skb, control);
6584 kfree_skb(chan->sdu);
6587 chan->sdu_last_frag = NULL;
6591 BT_DBG("Freeing %p", skb);
6596 chan->last_acked_seq = control->txseq;
6597 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6602 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6604 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6608 __unpack_control(chan, skb);
6613 * We can just drop the corrupted I-frame here.
6614 * Receiver will miss it and start proper recovery
6615 * procedures and ask for retransmission.
6617 if (l2cap_check_fcs(chan, skb))
6620 if (!control->sframe && control->sar == L2CAP_SAR_START)
6621 len -= L2CAP_SDULEN_SIZE;
6623 if (chan->fcs == L2CAP_FCS_CRC16)
6624 len -= L2CAP_FCS_SIZE;
6626 if (len > chan->mps) {
6627 l2cap_send_disconn_req(chan, ECONNRESET);
6631 if ((chan->mode == L2CAP_MODE_ERTM ||
6632 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6635 if (!control->sframe) {
6638 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6639 control->sar, control->reqseq, control->final,
6642 /* Validate F-bit - F=0 always valid, F=1 only
6643 * valid in TX WAIT_F
6645 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6648 if (chan->mode != L2CAP_MODE_STREAMING) {
6649 event = L2CAP_EV_RECV_IFRAME;
6650 err = l2cap_rx(chan, control, skb, event);
6652 err = l2cap_stream_rx(chan, control, skb);
6656 l2cap_send_disconn_req(chan, ECONNRESET);
6658 const u8 rx_func_to_event[4] = {
6659 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6660 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6663 /* Only I-frames are expected in streaming mode */
6664 if (chan->mode == L2CAP_MODE_STREAMING)
6667 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6668 control->reqseq, control->final, control->poll,
6672 BT_ERR("Trailing bytes: %d in sframe", len);
6673 l2cap_send_disconn_req(chan, ECONNRESET);
6677 /* Validate F and P bits */
6678 if (control->final && (control->poll ||
6679 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6682 event = rx_func_to_event[control->super];
6683 if (l2cap_rx(chan, control, skb, event))
6684 l2cap_send_disconn_req(chan, ECONNRESET);
6694 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6696 struct l2cap_conn *conn = chan->conn;
6697 struct l2cap_le_credits pkt;
6700 /* We return more credits to the sender only after the amount of
6701 * credits falls below half of the initial amount.
6703 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6706 return_credits = le_max_credits - chan->rx_credits;
6708 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6710 chan->rx_credits += return_credits;
6712 pkt.cid = cpu_to_le16(chan->scid);
6713 pkt.credits = cpu_to_le16(return_credits);
6715 chan->ident = l2cap_get_ident(conn);
6717 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6720 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6724 if (!chan->rx_credits) {
6725 BT_ERR("No credits to receive LE L2CAP data");
6726 l2cap_send_disconn_req(chan, ECONNRESET);
6730 if (chan->imtu < skb->len) {
6731 BT_ERR("Too big LE L2CAP PDU");
6736 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6738 l2cap_chan_le_send_credits(chan);
6745 sdu_len = get_unaligned_le16(skb->data);
6746 skb_pull(skb, L2CAP_SDULEN_SIZE);
6748 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6749 sdu_len, skb->len, chan->imtu);
6751 if (sdu_len > chan->imtu) {
6752 BT_ERR("Too big LE L2CAP SDU length received");
6757 if (skb->len > sdu_len) {
6758 BT_ERR("Too much LE L2CAP data received");
6763 if (skb->len == sdu_len)
6764 return chan->ops->recv(chan, skb);
6767 chan->sdu_len = sdu_len;
6768 chan->sdu_last_frag = skb;
6773 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6774 chan->sdu->len, skb->len, chan->sdu_len);
6776 if (chan->sdu->len + skb->len > chan->sdu_len) {
6777 BT_ERR("Too much LE L2CAP data received");
6782 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6785 if (chan->sdu->len == chan->sdu_len) {
6786 err = chan->ops->recv(chan, chan->sdu);
6789 chan->sdu_last_frag = NULL;
6797 kfree_skb(chan->sdu);
6799 chan->sdu_last_frag = NULL;
6803 /* We can't return an error here since we took care of the skb
6804 * freeing internally. An error return would cause the caller to
6805 * do a double-free of the skb.
6810 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6811 struct sk_buff *skb)
6813 struct l2cap_chan *chan;
6815 chan = l2cap_get_chan_by_scid(conn, cid);
6817 if (cid == L2CAP_CID_A2MP) {
6818 chan = a2mp_channel_create(conn, skb);
6824 l2cap_chan_lock(chan);
6826 BT_DBG("unknown cid 0x%4.4x", cid);
6827 /* Drop packet and return */
6833 BT_DBG("chan %p, len %d", chan, skb->len);
6835 /* If we receive data on a fixed channel before the info req/rsp
6836 * procdure is done simply assume that the channel is supported
6837 * and mark it as ready.
6839 if (chan->chan_type == L2CAP_CHAN_FIXED)
6840 l2cap_chan_ready(chan);
6842 if (chan->state != BT_CONNECTED)
6845 switch (chan->mode) {
6846 case L2CAP_MODE_LE_FLOWCTL:
6847 if (l2cap_le_data_rcv(chan, skb) < 0)
6852 case L2CAP_MODE_BASIC:
6853 /* If socket recv buffers overflows we drop data here
6854 * which is *bad* because L2CAP has to be reliable.
6855 * But we don't have any other choice. L2CAP doesn't
6856 * provide flow control mechanism. */
6858 if (chan->imtu < skb->len) {
6859 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6863 if (!chan->ops->recv(chan, skb))
6867 case L2CAP_MODE_ERTM:
6868 case L2CAP_MODE_STREAMING:
6869 l2cap_data_rcv(chan, skb);
6873 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6881 l2cap_chan_unlock(chan);
6884 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6885 struct sk_buff *skb)
6887 struct hci_conn *hcon = conn->hcon;
6888 struct l2cap_chan *chan;
6890 if (hcon->type != ACL_LINK)
6893 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6898 BT_DBG("chan %p, len %d", chan, skb->len);
6900 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6903 if (chan->imtu < skb->len)
6906 /* Store remote BD_ADDR and PSM for msg_name */
6907 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6908 bt_cb(skb)->l2cap.psm = psm;
6910 if (!chan->ops->recv(chan, skb)) {
6911 l2cap_chan_put(chan);
6916 l2cap_chan_put(chan);
6921 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6923 struct l2cap_hdr *lh = (void *) skb->data;
6924 struct hci_conn *hcon = conn->hcon;
6928 if (hcon->state != BT_CONNECTED) {
6929 BT_DBG("queueing pending rx skb");
6930 skb_queue_tail(&conn->pending_rx, skb);
6934 skb_pull(skb, L2CAP_HDR_SIZE);
6935 cid = __le16_to_cpu(lh->cid);
6936 len = __le16_to_cpu(lh->len);
6938 if (len != skb->len) {
6943 /* Since we can't actively block incoming LE connections we must
6944 * at least ensure that we ignore incoming data from them.
6946 if (hcon->type == LE_LINK &&
6947 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6948 bdaddr_dst_type(hcon))) {
6953 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6956 case L2CAP_CID_SIGNALING:
6957 l2cap_sig_channel(conn, skb);
6960 case L2CAP_CID_CONN_LESS:
6961 psm = get_unaligned((__le16 *) skb->data);
6962 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6963 l2cap_conless_channel(conn, psm, skb);
6966 case L2CAP_CID_LE_SIGNALING:
6967 l2cap_le_sig_channel(conn, skb);
6971 l2cap_data_channel(conn, cid, skb);
6976 static void process_pending_rx(struct work_struct *work)
6978 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6980 struct sk_buff *skb;
6984 while ((skb = skb_dequeue(&conn->pending_rx)))
6985 l2cap_recv_frame(conn, skb);
6988 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6990 struct l2cap_conn *conn = hcon->l2cap_data;
6991 struct hci_chan *hchan;
6996 hchan = hci_chan_create(hcon);
7000 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7002 hci_chan_del(hchan);
7006 kref_init(&conn->ref);
7007 hcon->l2cap_data = conn;
7008 conn->hcon = hci_conn_get(hcon);
7009 conn->hchan = hchan;
7011 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7013 switch (hcon->type) {
7015 if (hcon->hdev->le_mtu) {
7016 conn->mtu = hcon->hdev->le_mtu;
7021 conn->mtu = hcon->hdev->acl_mtu;
7025 conn->feat_mask = 0;
7027 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7029 if (hcon->type == ACL_LINK &&
7030 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7031 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7033 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7034 (bredr_sc_enabled(hcon->hdev) ||
7035 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7036 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7038 mutex_init(&conn->ident_lock);
7039 mutex_init(&conn->chan_lock);
7041 INIT_LIST_HEAD(&conn->chan_l);
7042 INIT_LIST_HEAD(&conn->users);
7044 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7046 skb_queue_head_init(&conn->pending_rx);
7047 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7048 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7050 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7055 static bool is_valid_psm(u16 psm, u8 dst_type) {
7059 if (bdaddr_type_is_le(dst_type))
7060 return (psm <= 0x00ff);
7062 /* PSM must be odd and lsb of upper byte must be 0 */
7063 return ((psm & 0x0101) == 0x0001);
7066 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7067 bdaddr_t *dst, u8 dst_type)
7069 struct l2cap_conn *conn;
7070 struct hci_conn *hcon;
7071 struct hci_dev *hdev;
7074 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7075 dst_type, __le16_to_cpu(psm));
7077 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7079 return -EHOSTUNREACH;
7083 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7084 chan->chan_type != L2CAP_CHAN_RAW) {
7089 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7094 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7099 switch (chan->mode) {
7100 case L2CAP_MODE_BASIC:
7102 case L2CAP_MODE_LE_FLOWCTL:
7103 l2cap_le_flowctl_init(chan);
7105 case L2CAP_MODE_ERTM:
7106 case L2CAP_MODE_STREAMING:
7115 switch (chan->state) {
7119 /* Already connecting */
7124 /* Already connected */
7138 /* Set destination address and psm */
7139 bacpy(&chan->dst, dst);
7140 chan->dst_type = dst_type;
7145 if (bdaddr_type_is_le(dst_type)) {
7146 /* Convert from L2CAP channel address type to HCI address type
7148 if (dst_type == BDADDR_LE_PUBLIC)
7149 dst_type = ADDR_LE_DEV_PUBLIC;
7151 dst_type = ADDR_LE_DEV_RANDOM;
7153 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7154 hcon = hci_connect_le(hdev, dst, dst_type,
7156 HCI_LE_CONN_TIMEOUT,
7159 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7161 HCI_LE_CONN_TIMEOUT);
7164 u8 auth_type = l2cap_get_auth_type(chan);
7165 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7169 err = PTR_ERR(hcon);
7173 conn = l2cap_conn_add(hcon);
7175 hci_conn_drop(hcon);
7180 mutex_lock(&conn->chan_lock);
7181 l2cap_chan_lock(chan);
7183 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7184 hci_conn_drop(hcon);
7189 /* Update source addr of the socket */
7190 bacpy(&chan->src, &hcon->src);
7191 chan->src_type = bdaddr_src_type(hcon);
7193 __l2cap_chan_add(conn, chan);
7195 /* l2cap_chan_add takes its own ref so we can drop this one */
7196 hci_conn_drop(hcon);
7198 l2cap_state_change(chan, BT_CONNECT);
7199 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7201 /* Release chan->sport so that it can be reused by other
7202 * sockets (as it's only used for listening sockets).
7204 write_lock(&chan_list_lock);
7206 write_unlock(&chan_list_lock);
7208 if (hcon->state == BT_CONNECTED) {
7209 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7210 __clear_chan_timer(chan);
7211 if (l2cap_chan_check_security(chan, true))
7212 l2cap_state_change(chan, BT_CONNECTED);
7214 l2cap_do_start(chan);
7220 l2cap_chan_unlock(chan);
7221 mutex_unlock(&conn->chan_lock);
7223 hci_dev_unlock(hdev);
7227 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7229 /* ---- L2CAP interface with lower layer (HCI) ---- */
7231 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7233 int exact = 0, lm1 = 0, lm2 = 0;
7234 struct l2cap_chan *c;
7236 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7238 /* Find listening sockets and check their link_mode */
7239 read_lock(&chan_list_lock);
7240 list_for_each_entry(c, &chan_list, global_l) {
7241 if (c->state != BT_LISTEN)
7244 if (!bacmp(&c->src, &hdev->bdaddr)) {
7245 lm1 |= HCI_LM_ACCEPT;
7246 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7247 lm1 |= HCI_LM_MASTER;
7249 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7250 lm2 |= HCI_LM_ACCEPT;
7251 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7252 lm2 |= HCI_LM_MASTER;
7255 read_unlock(&chan_list_lock);
7257 return exact ? lm1 : lm2;
7260 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7261 * from an existing channel in the list or from the beginning of the
7262 * global list (by passing NULL as first parameter).
7264 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7265 struct hci_conn *hcon)
7267 u8 src_type = bdaddr_src_type(hcon);
7269 read_lock(&chan_list_lock);
7272 c = list_next_entry(c, global_l);
7274 c = list_entry(chan_list.next, typeof(*c), global_l);
7276 list_for_each_entry_from(c, &chan_list, global_l) {
7277 if (c->chan_type != L2CAP_CHAN_FIXED)
7279 if (c->state != BT_LISTEN)
7281 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7283 if (src_type != c->src_type)
7287 read_unlock(&chan_list_lock);
7291 read_unlock(&chan_list_lock);
7296 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7298 struct hci_dev *hdev = hcon->hdev;
7299 struct l2cap_conn *conn;
7300 struct l2cap_chan *pchan;
7303 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7306 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7309 l2cap_conn_del(hcon, bt_to_errno(status));
7313 conn = l2cap_conn_add(hcon);
7317 dst_type = bdaddr_dst_type(hcon);
7319 /* If device is blocked, do not create channels for it */
7320 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7323 /* Find fixed channels and notify them of the new connection. We
7324 * use multiple individual lookups, continuing each time where
7325 * we left off, because the list lock would prevent calling the
7326 * potentially sleeping l2cap_chan_lock() function.
7328 pchan = l2cap_global_fixed_chan(NULL, hcon);
7330 struct l2cap_chan *chan, *next;
7332 /* Client fixed channels should override server ones */
7333 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7336 l2cap_chan_lock(pchan);
7337 chan = pchan->ops->new_connection(pchan);
7339 bacpy(&chan->src, &hcon->src);
7340 bacpy(&chan->dst, &hcon->dst);
7341 chan->src_type = bdaddr_src_type(hcon);
7342 chan->dst_type = dst_type;
7344 __l2cap_chan_add(conn, chan);
7347 l2cap_chan_unlock(pchan);
7349 next = l2cap_global_fixed_chan(pchan, hcon);
7350 l2cap_chan_put(pchan);
7354 l2cap_conn_ready(conn);
7357 int l2cap_disconn_ind(struct hci_conn *hcon)
7359 struct l2cap_conn *conn = hcon->l2cap_data;
7361 BT_DBG("hcon %p", hcon);
7364 return HCI_ERROR_REMOTE_USER_TERM;
7365 return conn->disc_reason;
7368 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7370 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7373 BT_DBG("hcon %p reason %d", hcon, reason);
7375 l2cap_conn_del(hcon, bt_to_errno(reason));
7378 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7380 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7383 if (encrypt == 0x00) {
7384 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7385 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7386 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7387 chan->sec_level == BT_SECURITY_FIPS)
7388 l2cap_chan_close(chan, ECONNREFUSED);
7390 if (chan->sec_level == BT_SECURITY_MEDIUM)
7391 __clear_chan_timer(chan);
7395 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7397 struct l2cap_conn *conn = hcon->l2cap_data;
7398 struct l2cap_chan *chan;
7403 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7405 mutex_lock(&conn->chan_lock);
7407 list_for_each_entry(chan, &conn->chan_l, list) {
7408 l2cap_chan_lock(chan);
7410 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7411 state_to_string(chan->state));
7413 if (chan->scid == L2CAP_CID_A2MP) {
7414 l2cap_chan_unlock(chan);
7418 if (!status && encrypt)
7419 chan->sec_level = hcon->sec_level;
7421 if (!__l2cap_no_conn_pending(chan)) {
7422 l2cap_chan_unlock(chan);
7426 if (!status && (chan->state == BT_CONNECTED ||
7427 chan->state == BT_CONFIG)) {
7428 chan->ops->resume(chan);
7429 l2cap_check_encryption(chan, encrypt);
7430 l2cap_chan_unlock(chan);
7434 if (chan->state == BT_CONNECT) {
7436 l2cap_start_connection(chan);
7438 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7439 } else if (chan->state == BT_CONNECT2 &&
7440 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7441 struct l2cap_conn_rsp rsp;
7445 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7446 res = L2CAP_CR_PEND;
7447 stat = L2CAP_CS_AUTHOR_PEND;
7448 chan->ops->defer(chan);
7450 l2cap_state_change(chan, BT_CONFIG);
7451 res = L2CAP_CR_SUCCESS;
7452 stat = L2CAP_CS_NO_INFO;
7455 l2cap_state_change(chan, BT_DISCONN);
7456 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7457 res = L2CAP_CR_SEC_BLOCK;
7458 stat = L2CAP_CS_NO_INFO;
7461 rsp.scid = cpu_to_le16(chan->dcid);
7462 rsp.dcid = cpu_to_le16(chan->scid);
7463 rsp.result = cpu_to_le16(res);
7464 rsp.status = cpu_to_le16(stat);
7465 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7468 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7469 res == L2CAP_CR_SUCCESS) {
7471 set_bit(CONF_REQ_SENT, &chan->conf_state);
7472 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7474 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7476 chan->num_conf_req++;
7480 l2cap_chan_unlock(chan);
7483 mutex_unlock(&conn->chan_lock);
7486 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7488 struct l2cap_conn *conn = hcon->l2cap_data;
7489 struct l2cap_hdr *hdr;
7492 /* For AMP controller do not create l2cap conn */
7493 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7497 conn = l2cap_conn_add(hcon);
7502 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7506 case ACL_START_NO_FLUSH:
7509 BT_ERR("Unexpected start frame (len %d)", skb->len);
7510 kfree_skb(conn->rx_skb);
7511 conn->rx_skb = NULL;
7513 l2cap_conn_unreliable(conn, ECOMM);
7516 /* Start fragment always begin with Basic L2CAP header */
7517 if (skb->len < L2CAP_HDR_SIZE) {
7518 BT_ERR("Frame is too short (len %d)", skb->len);
7519 l2cap_conn_unreliable(conn, ECOMM);
7523 hdr = (struct l2cap_hdr *) skb->data;
7524 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7526 if (len == skb->len) {
7527 /* Complete frame received */
7528 l2cap_recv_frame(conn, skb);
7532 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7534 if (skb->len > len) {
7535 BT_ERR("Frame is too long (len %d, expected len %d)",
7537 l2cap_conn_unreliable(conn, ECOMM);
7541 /* Allocate skb for the complete frame (with header) */
7542 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7546 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7548 conn->rx_len = len - skb->len;
7552 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7554 if (!conn->rx_len) {
7555 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7556 l2cap_conn_unreliable(conn, ECOMM);
7560 if (skb->len > conn->rx_len) {
7561 BT_ERR("Fragment is too long (len %d, expected %d)",
7562 skb->len, conn->rx_len);
7563 kfree_skb(conn->rx_skb);
7564 conn->rx_skb = NULL;
7566 l2cap_conn_unreliable(conn, ECOMM);
7570 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7572 conn->rx_len -= skb->len;
7574 if (!conn->rx_len) {
7575 /* Complete frame received. l2cap_recv_frame
7576 * takes ownership of the skb so set the global
7577 * rx_skb pointer to NULL first.
7579 struct sk_buff *rx_skb = conn->rx_skb;
7580 conn->rx_skb = NULL;
7581 l2cap_recv_frame(conn, rx_skb);
7590 static struct hci_cb l2cap_cb = {
7592 .connect_cfm = l2cap_connect_cfm,
7593 .disconn_cfm = l2cap_disconn_cfm,
7594 .security_cfm = l2cap_security_cfm,
7597 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7599 struct l2cap_chan *c;
7601 read_lock(&chan_list_lock);
7603 list_for_each_entry(c, &chan_list, global_l) {
7604 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7605 &c->src, c->src_type, &c->dst, c->dst_type,
7606 c->state, __le16_to_cpu(c->psm),
7607 c->scid, c->dcid, c->imtu, c->omtu,
7608 c->sec_level, c->mode);
7611 read_unlock(&chan_list_lock);
7616 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7618 return single_open(file, l2cap_debugfs_show, inode->i_private);
7621 static const struct file_operations l2cap_debugfs_fops = {
7622 .open = l2cap_debugfs_open,
7624 .llseek = seq_lseek,
7625 .release = single_release,
7628 static struct dentry *l2cap_debugfs;
7630 int __init l2cap_init(void)
7634 err = l2cap_init_sockets();
7638 hci_register_cb(&l2cap_cb);
7640 if (IS_ERR_OR_NULL(bt_debugfs))
7643 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7644 NULL, &l2cap_debugfs_fops);
7646 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7648 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7654 void l2cap_exit(void)
7656 debugfs_remove(l2cap_debugfs);
7657 hci_unregister_cb(&l2cap_cb);
7658 l2cap_cleanup_sockets();
7661 module_param(disable_ertm, bool, 0644);
7662 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / linux-2.6-microblaze.git / blob