2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
54 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
55 u8 code, u8 ident, u16 dlen, void *data);
56 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
58 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
59 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
61 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
62 struct sk_buff_head *skbs, u8 event);
64 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
66 if (link_type == LE_LINK) {
67 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
68 return BDADDR_LE_PUBLIC;
70 return BDADDR_LE_RANDOM;
76 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
78 return bdaddr_type(hcon->type, hcon->src_type);
81 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
83 return bdaddr_type(hcon->type, hcon->dst_type);
86 /* ---- L2CAP channels ---- */
88 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
93 list_for_each_entry(c, &conn->chan_l, list) {
100 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 struct l2cap_chan *c;
105 list_for_each_entry(c, &conn->chan_l, list) {
112 /* Find channel with given SCID.
113 * Returns locked channel. */
114 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
117 struct l2cap_chan *c;
119 mutex_lock(&conn->chan_lock);
120 c = __l2cap_get_chan_by_scid(conn, cid);
123 mutex_unlock(&conn->chan_lock);
128 /* Find channel with given DCID.
129 * Returns locked channel.
131 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
134 struct l2cap_chan *c;
136 mutex_lock(&conn->chan_lock);
137 c = __l2cap_get_chan_by_dcid(conn, cid);
140 mutex_unlock(&conn->chan_lock);
145 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
148 struct l2cap_chan *c;
150 list_for_each_entry(c, &conn->chan_l, list) {
151 if (c->ident == ident)
157 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
160 struct l2cap_chan *c;
162 mutex_lock(&conn->chan_lock);
163 c = __l2cap_get_chan_by_ident(conn, ident);
166 mutex_unlock(&conn->chan_lock);
171 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
173 struct l2cap_chan *c;
175 list_for_each_entry(c, &chan_list, global_l) {
176 if (c->sport == psm && !bacmp(&c->src, src))
182 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
186 write_lock(&chan_list_lock);
188 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
198 u16 p, start, end, incr;
200 if (chan->src_type == BDADDR_BREDR) {
201 start = L2CAP_PSM_DYN_START;
202 end = L2CAP_PSM_AUTO_END;
205 start = L2CAP_PSM_LE_DYN_START;
206 end = L2CAP_PSM_LE_DYN_END;
211 for (p = start; p <= end; p += incr)
212 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
213 chan->psm = cpu_to_le16(p);
214 chan->sport = cpu_to_le16(p);
221 write_unlock(&chan_list_lock);
224 EXPORT_SYMBOL_GPL(l2cap_add_psm);
226 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
228 write_lock(&chan_list_lock);
230 /* Override the defaults (which are for conn-oriented) */
231 chan->omtu = L2CAP_DEFAULT_MTU;
232 chan->chan_type = L2CAP_CHAN_FIXED;
236 write_unlock(&chan_list_lock);
241 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
245 if (conn->hcon->type == LE_LINK)
246 dyn_end = L2CAP_CID_LE_DYN_END;
248 dyn_end = L2CAP_CID_DYN_END;
250 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
251 if (!__l2cap_get_chan_by_scid(conn, cid))
258 static void l2cap_state_change(struct l2cap_chan *chan, int state)
260 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
261 state_to_string(state));
264 chan->ops->state_change(chan, state, 0);
267 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
271 chan->ops->state_change(chan, chan->state, err);
274 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
276 chan->ops->state_change(chan, chan->state, err);
279 static void __set_retrans_timer(struct l2cap_chan *chan)
281 if (!delayed_work_pending(&chan->monitor_timer) &&
282 chan->retrans_timeout) {
283 l2cap_set_timer(chan, &chan->retrans_timer,
284 msecs_to_jiffies(chan->retrans_timeout));
288 static void __set_monitor_timer(struct l2cap_chan *chan)
290 __clear_retrans_timer(chan);
291 if (chan->monitor_timeout) {
292 l2cap_set_timer(chan, &chan->monitor_timer,
293 msecs_to_jiffies(chan->monitor_timeout));
297 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
302 skb_queue_walk(head, skb) {
303 if (bt_cb(skb)->l2cap.txseq == seq)
310 /* ---- L2CAP sequence number lists ---- */
312 /* For ERTM, ordered lists of sequence numbers must be tracked for
313 * SREJ requests that are received and for frames that are to be
314 * retransmitted. These seq_list functions implement a singly-linked
315 * list in an array, where membership in the list can also be checked
316 * in constant time. Items can also be added to the tail of the list
317 * and removed from the head in constant time, without further memory
321 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
323 size_t alloc_size, i;
325 /* Allocated size is a power of 2 to map sequence numbers
326 * (which may be up to 14 bits) in to a smaller array that is
327 * sized for the negotiated ERTM transmit windows.
329 alloc_size = roundup_pow_of_two(size);
331 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
335 seq_list->mask = alloc_size - 1;
336 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
337 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
338 for (i = 0; i < alloc_size; i++)
339 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
344 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
346 kfree(seq_list->list);
349 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
352 /* Constant-time check for list membership */
353 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
356 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
358 u16 seq = seq_list->head;
359 u16 mask = seq_list->mask;
361 seq_list->head = seq_list->list[seq & mask];
362 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
364 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
372 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
376 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
379 for (i = 0; i <= seq_list->mask; i++)
380 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
382 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
383 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
386 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
388 u16 mask = seq_list->mask;
390 /* All appends happen in constant time */
392 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
395 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
396 seq_list->head = seq;
398 seq_list->list[seq_list->tail & mask] = seq;
400 seq_list->tail = seq;
401 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
404 static void l2cap_chan_timeout(struct work_struct *work)
406 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
408 struct l2cap_conn *conn = chan->conn;
411 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
413 mutex_lock(&conn->chan_lock);
414 l2cap_chan_lock(chan);
416 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
417 reason = ECONNREFUSED;
418 else if (chan->state == BT_CONNECT &&
419 chan->sec_level != BT_SECURITY_SDP)
420 reason = ECONNREFUSED;
424 l2cap_chan_close(chan, reason);
426 l2cap_chan_unlock(chan);
428 chan->ops->close(chan);
429 mutex_unlock(&conn->chan_lock);
431 l2cap_chan_put(chan);
434 struct l2cap_chan *l2cap_chan_create(void)
436 struct l2cap_chan *chan;
438 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
442 mutex_init(&chan->lock);
444 /* Set default lock nesting level */
445 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
447 write_lock(&chan_list_lock);
448 list_add(&chan->global_l, &chan_list);
449 write_unlock(&chan_list_lock);
451 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
453 chan->state = BT_OPEN;
455 kref_init(&chan->kref);
457 /* This flag is cleared in l2cap_chan_ready() */
458 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
460 BT_DBG("chan %p", chan);
464 EXPORT_SYMBOL_GPL(l2cap_chan_create);
466 static void l2cap_chan_destroy(struct kref *kref)
468 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
470 BT_DBG("chan %p", chan);
472 write_lock(&chan_list_lock);
473 list_del(&chan->global_l);
474 write_unlock(&chan_list_lock);
479 void l2cap_chan_hold(struct l2cap_chan *c)
481 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
486 void l2cap_chan_put(struct l2cap_chan *c)
488 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
490 kref_put(&c->kref, l2cap_chan_destroy);
492 EXPORT_SYMBOL_GPL(l2cap_chan_put);
494 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
496 chan->fcs = L2CAP_FCS_CRC16;
497 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
498 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
499 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
500 chan->remote_max_tx = chan->max_tx;
501 chan->remote_tx_win = chan->tx_win;
502 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
503 chan->sec_level = BT_SECURITY_LOW;
504 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
505 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
506 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
507 chan->conf_state = 0;
509 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
511 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
513 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
516 chan->sdu_last_frag = NULL;
518 chan->tx_credits = 0;
519 /* Derive MPS from connection MTU to stop HCI fragmentation */
520 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
521 /* Give enough credits for a full packet */
522 chan->rx_credits = (chan->imtu / chan->mps) + 1;
524 skb_queue_head_init(&chan->tx_q);
527 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
529 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
530 __le16_to_cpu(chan->psm), chan->dcid);
532 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
536 switch (chan->chan_type) {
537 case L2CAP_CHAN_CONN_ORIENTED:
538 /* Alloc CID for connection-oriented socket */
539 chan->scid = l2cap_alloc_cid(conn);
540 if (conn->hcon->type == ACL_LINK)
541 chan->omtu = L2CAP_DEFAULT_MTU;
544 case L2CAP_CHAN_CONN_LESS:
545 /* Connectionless socket */
546 chan->scid = L2CAP_CID_CONN_LESS;
547 chan->dcid = L2CAP_CID_CONN_LESS;
548 chan->omtu = L2CAP_DEFAULT_MTU;
551 case L2CAP_CHAN_FIXED:
552 /* Caller will set CID and CID specific MTU values */
556 /* Raw socket can send/recv signalling messages only */
557 chan->scid = L2CAP_CID_SIGNALING;
558 chan->dcid = L2CAP_CID_SIGNALING;
559 chan->omtu = L2CAP_DEFAULT_MTU;
562 chan->local_id = L2CAP_BESTEFFORT_ID;
563 chan->local_stype = L2CAP_SERV_BESTEFFORT;
564 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
565 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
566 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
567 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
569 l2cap_chan_hold(chan);
571 /* Only keep a reference for fixed channels if they requested it */
572 if (chan->chan_type != L2CAP_CHAN_FIXED ||
573 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
574 hci_conn_hold(conn->hcon);
576 list_add(&chan->list, &conn->chan_l);
579 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
581 mutex_lock(&conn->chan_lock);
582 __l2cap_chan_add(conn, chan);
583 mutex_unlock(&conn->chan_lock);
586 void l2cap_chan_del(struct l2cap_chan *chan, int err)
588 struct l2cap_conn *conn = chan->conn;
590 __clear_chan_timer(chan);
592 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
593 state_to_string(chan->state));
595 chan->ops->teardown(chan, err);
598 struct amp_mgr *mgr = conn->hcon->amp_mgr;
599 /* Delete from channel list */
600 list_del(&chan->list);
602 l2cap_chan_put(chan);
606 /* Reference was only held for non-fixed channels or
607 * fixed channels that explicitly requested it using the
608 * FLAG_HOLD_HCI_CONN flag.
610 if (chan->chan_type != L2CAP_CHAN_FIXED ||
611 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
612 hci_conn_drop(conn->hcon);
614 if (mgr && mgr->bredr_chan == chan)
615 mgr->bredr_chan = NULL;
618 if (chan->hs_hchan) {
619 struct hci_chan *hs_hchan = chan->hs_hchan;
621 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
622 amp_disconnect_logical_link(hs_hchan);
625 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
629 case L2CAP_MODE_BASIC:
632 case L2CAP_MODE_LE_FLOWCTL:
633 skb_queue_purge(&chan->tx_q);
636 case L2CAP_MODE_ERTM:
637 __clear_retrans_timer(chan);
638 __clear_monitor_timer(chan);
639 __clear_ack_timer(chan);
641 skb_queue_purge(&chan->srej_q);
643 l2cap_seq_list_free(&chan->srej_list);
644 l2cap_seq_list_free(&chan->retrans_list);
648 case L2CAP_MODE_STREAMING:
649 skb_queue_purge(&chan->tx_q);
655 EXPORT_SYMBOL_GPL(l2cap_chan_del);
657 static void l2cap_conn_update_id_addr(struct work_struct *work)
659 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
660 id_addr_update_work);
661 struct hci_conn *hcon = conn->hcon;
662 struct l2cap_chan *chan;
664 mutex_lock(&conn->chan_lock);
666 list_for_each_entry(chan, &conn->chan_l, list) {
667 l2cap_chan_lock(chan);
668 bacpy(&chan->dst, &hcon->dst);
669 chan->dst_type = bdaddr_dst_type(hcon);
670 l2cap_chan_unlock(chan);
673 mutex_unlock(&conn->chan_lock);
676 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
678 struct l2cap_conn *conn = chan->conn;
679 struct l2cap_le_conn_rsp rsp;
682 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
683 result = L2CAP_CR_LE_AUTHORIZATION;
685 result = L2CAP_CR_LE_BAD_PSM;
687 l2cap_state_change(chan, BT_DISCONN);
689 rsp.dcid = cpu_to_le16(chan->scid);
690 rsp.mtu = cpu_to_le16(chan->imtu);
691 rsp.mps = cpu_to_le16(chan->mps);
692 rsp.credits = cpu_to_le16(chan->rx_credits);
693 rsp.result = cpu_to_le16(result);
695 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
699 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
701 struct l2cap_conn *conn = chan->conn;
702 struct l2cap_conn_rsp rsp;
705 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
706 result = L2CAP_CR_SEC_BLOCK;
708 result = L2CAP_CR_BAD_PSM;
710 l2cap_state_change(chan, BT_DISCONN);
712 rsp.scid = cpu_to_le16(chan->dcid);
713 rsp.dcid = cpu_to_le16(chan->scid);
714 rsp.result = cpu_to_le16(result);
715 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
717 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
720 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
722 struct l2cap_conn *conn = chan->conn;
724 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
726 switch (chan->state) {
728 chan->ops->teardown(chan, 0);
733 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
734 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
735 l2cap_send_disconn_req(chan, reason);
737 l2cap_chan_del(chan, reason);
741 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
742 if (conn->hcon->type == ACL_LINK)
743 l2cap_chan_connect_reject(chan);
744 else if (conn->hcon->type == LE_LINK)
745 l2cap_chan_le_connect_reject(chan);
748 l2cap_chan_del(chan, reason);
753 l2cap_chan_del(chan, reason);
757 chan->ops->teardown(chan, 0);
761 EXPORT_SYMBOL(l2cap_chan_close);
763 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
765 switch (chan->chan_type) {
767 switch (chan->sec_level) {
768 case BT_SECURITY_HIGH:
769 case BT_SECURITY_FIPS:
770 return HCI_AT_DEDICATED_BONDING_MITM;
771 case BT_SECURITY_MEDIUM:
772 return HCI_AT_DEDICATED_BONDING;
774 return HCI_AT_NO_BONDING;
777 case L2CAP_CHAN_CONN_LESS:
778 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
779 if (chan->sec_level == BT_SECURITY_LOW)
780 chan->sec_level = BT_SECURITY_SDP;
782 if (chan->sec_level == BT_SECURITY_HIGH ||
783 chan->sec_level == BT_SECURITY_FIPS)
784 return HCI_AT_NO_BONDING_MITM;
786 return HCI_AT_NO_BONDING;
788 case L2CAP_CHAN_CONN_ORIENTED:
789 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
790 if (chan->sec_level == BT_SECURITY_LOW)
791 chan->sec_level = BT_SECURITY_SDP;
793 if (chan->sec_level == BT_SECURITY_HIGH ||
794 chan->sec_level == BT_SECURITY_FIPS)
795 return HCI_AT_NO_BONDING_MITM;
797 return HCI_AT_NO_BONDING;
801 switch (chan->sec_level) {
802 case BT_SECURITY_HIGH:
803 case BT_SECURITY_FIPS:
804 return HCI_AT_GENERAL_BONDING_MITM;
805 case BT_SECURITY_MEDIUM:
806 return HCI_AT_GENERAL_BONDING;
808 return HCI_AT_NO_BONDING;
814 /* Service level security */
815 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
817 struct l2cap_conn *conn = chan->conn;
820 if (conn->hcon->type == LE_LINK)
821 return smp_conn_security(conn->hcon, chan->sec_level);
823 auth_type = l2cap_get_auth_type(chan);
825 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
829 static u8 l2cap_get_ident(struct l2cap_conn *conn)
833 /* Get next available identificator.
834 * 1 - 128 are used by kernel.
835 * 129 - 199 are reserved.
836 * 200 - 254 are used by utilities like l2ping, etc.
839 mutex_lock(&conn->ident_lock);
841 if (++conn->tx_ident > 128)
846 mutex_unlock(&conn->ident_lock);
851 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
854 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
857 BT_DBG("code 0x%2.2x", code);
862 /* Use NO_FLUSH if supported or we have an LE link (which does
863 * not support auto-flushing packets) */
864 if (lmp_no_flush_capable(conn->hcon->hdev) ||
865 conn->hcon->type == LE_LINK)
866 flags = ACL_START_NO_FLUSH;
870 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
871 skb->priority = HCI_PRIO_MAX;
873 hci_send_acl(conn->hchan, skb, flags);
876 static bool __chan_is_moving(struct l2cap_chan *chan)
878 return chan->move_state != L2CAP_MOVE_STABLE &&
879 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
882 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
884 struct hci_conn *hcon = chan->conn->hcon;
887 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
890 if (chan->hs_hcon && !__chan_is_moving(chan)) {
892 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
899 /* Use NO_FLUSH for LE links (where this is the only option) or
900 * if the BR/EDR link supports it and flushing has not been
901 * explicitly requested (through FLAG_FLUSHABLE).
903 if (hcon->type == LE_LINK ||
904 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
905 lmp_no_flush_capable(hcon->hdev)))
906 flags = ACL_START_NO_FLUSH;
910 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
911 hci_send_acl(chan->conn->hchan, skb, flags);
914 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
916 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
917 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
919 if (enh & L2CAP_CTRL_FRAME_TYPE) {
922 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
923 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
930 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
931 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
938 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
940 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
941 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
943 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
946 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
947 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
954 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
955 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
962 static inline void __unpack_control(struct l2cap_chan *chan,
965 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
966 __unpack_extended_control(get_unaligned_le32(skb->data),
968 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
970 __unpack_enhanced_control(get_unaligned_le16(skb->data),
972 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
976 static u32 __pack_extended_control(struct l2cap_ctrl *control)
980 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
981 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
983 if (control->sframe) {
984 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
985 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
986 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
988 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
989 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
995 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
999 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1000 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1002 if (control->sframe) {
1003 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1004 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1005 packed |= L2CAP_CTRL_FRAME_TYPE;
1007 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1008 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1014 static inline void __pack_control(struct l2cap_chan *chan,
1015 struct l2cap_ctrl *control,
1016 struct sk_buff *skb)
1018 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1019 put_unaligned_le32(__pack_extended_control(control),
1020 skb->data + L2CAP_HDR_SIZE);
1022 put_unaligned_le16(__pack_enhanced_control(control),
1023 skb->data + L2CAP_HDR_SIZE);
1027 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1029 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1030 return L2CAP_EXT_HDR_SIZE;
1032 return L2CAP_ENH_HDR_SIZE;
1035 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1038 struct sk_buff *skb;
1039 struct l2cap_hdr *lh;
1040 int hlen = __ertm_hdr_size(chan);
1042 if (chan->fcs == L2CAP_FCS_CRC16)
1043 hlen += L2CAP_FCS_SIZE;
1045 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1048 return ERR_PTR(-ENOMEM);
1050 lh = skb_put(skb, L2CAP_HDR_SIZE);
1051 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1052 lh->cid = cpu_to_le16(chan->dcid);
1054 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1055 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1057 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1059 if (chan->fcs == L2CAP_FCS_CRC16) {
1060 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1061 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1064 skb->priority = HCI_PRIO_MAX;
1068 static void l2cap_send_sframe(struct l2cap_chan *chan,
1069 struct l2cap_ctrl *control)
1071 struct sk_buff *skb;
1074 BT_DBG("chan %p, control %p", chan, control);
1076 if (!control->sframe)
1079 if (__chan_is_moving(chan))
1082 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1086 if (control->super == L2CAP_SUPER_RR)
1087 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1088 else if (control->super == L2CAP_SUPER_RNR)
1089 set_bit(CONN_RNR_SENT, &chan->conn_state);
1091 if (control->super != L2CAP_SUPER_SREJ) {
1092 chan->last_acked_seq = control->reqseq;
1093 __clear_ack_timer(chan);
1096 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1097 control->final, control->poll, control->super);
1099 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1100 control_field = __pack_extended_control(control);
1102 control_field = __pack_enhanced_control(control);
1104 skb = l2cap_create_sframe_pdu(chan, control_field);
1106 l2cap_do_send(chan, skb);
1109 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1111 struct l2cap_ctrl control;
1113 BT_DBG("chan %p, poll %d", chan, poll);
1115 memset(&control, 0, sizeof(control));
1117 control.poll = poll;
1119 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1120 control.super = L2CAP_SUPER_RNR;
1122 control.super = L2CAP_SUPER_RR;
1124 control.reqseq = chan->buffer_seq;
1125 l2cap_send_sframe(chan, &control);
1128 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1130 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1133 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1136 static bool __amp_capable(struct l2cap_chan *chan)
1138 struct l2cap_conn *conn = chan->conn;
1139 struct hci_dev *hdev;
1140 bool amp_available = false;
1142 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1145 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1148 read_lock(&hci_dev_list_lock);
1149 list_for_each_entry(hdev, &hci_dev_list, list) {
1150 if (hdev->amp_type != AMP_TYPE_BREDR &&
1151 test_bit(HCI_UP, &hdev->flags)) {
1152 amp_available = true;
1156 read_unlock(&hci_dev_list_lock);
1158 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1159 return amp_available;
1164 static bool l2cap_check_efs(struct l2cap_chan *chan)
1166 /* Check EFS parameters */
1170 void l2cap_send_conn_req(struct l2cap_chan *chan)
1172 struct l2cap_conn *conn = chan->conn;
1173 struct l2cap_conn_req req;
1175 req.scid = cpu_to_le16(chan->scid);
1176 req.psm = chan->psm;
1178 chan->ident = l2cap_get_ident(conn);
1180 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1182 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1185 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1187 struct l2cap_create_chan_req req;
1188 req.scid = cpu_to_le16(chan->scid);
1189 req.psm = chan->psm;
1190 req.amp_id = amp_id;
1192 chan->ident = l2cap_get_ident(chan->conn);
1194 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1198 static void l2cap_move_setup(struct l2cap_chan *chan)
1200 struct sk_buff *skb;
1202 BT_DBG("chan %p", chan);
1204 if (chan->mode != L2CAP_MODE_ERTM)
1207 __clear_retrans_timer(chan);
1208 __clear_monitor_timer(chan);
1209 __clear_ack_timer(chan);
1211 chan->retry_count = 0;
1212 skb_queue_walk(&chan->tx_q, skb) {
1213 if (bt_cb(skb)->l2cap.retries)
1214 bt_cb(skb)->l2cap.retries = 1;
1219 chan->expected_tx_seq = chan->buffer_seq;
1221 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1222 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1223 l2cap_seq_list_clear(&chan->retrans_list);
1224 l2cap_seq_list_clear(&chan->srej_list);
1225 skb_queue_purge(&chan->srej_q);
1227 chan->tx_state = L2CAP_TX_STATE_XMIT;
1228 chan->rx_state = L2CAP_RX_STATE_MOVE;
1230 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1233 static void l2cap_move_done(struct l2cap_chan *chan)
1235 u8 move_role = chan->move_role;
1236 BT_DBG("chan %p", chan);
1238 chan->move_state = L2CAP_MOVE_STABLE;
1239 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1241 if (chan->mode != L2CAP_MODE_ERTM)
1244 switch (move_role) {
1245 case L2CAP_MOVE_ROLE_INITIATOR:
1246 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1247 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1249 case L2CAP_MOVE_ROLE_RESPONDER:
1250 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1255 static void l2cap_chan_ready(struct l2cap_chan *chan)
1257 /* The channel may have already been flagged as connected in
1258 * case of receiving data before the L2CAP info req/rsp
1259 * procedure is complete.
1261 if (chan->state == BT_CONNECTED)
1264 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1265 chan->conf_state = 0;
1266 __clear_chan_timer(chan);
1268 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1269 chan->ops->suspend(chan);
1271 chan->state = BT_CONNECTED;
1273 chan->ops->ready(chan);
1276 static void l2cap_le_connect(struct l2cap_chan *chan)
1278 struct l2cap_conn *conn = chan->conn;
1279 struct l2cap_le_conn_req req;
1281 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1284 l2cap_le_flowctl_init(chan);
1286 req.psm = chan->psm;
1287 req.scid = cpu_to_le16(chan->scid);
1288 req.mtu = cpu_to_le16(chan->imtu);
1289 req.mps = cpu_to_le16(chan->mps);
1290 req.credits = cpu_to_le16(chan->rx_credits);
1292 chan->ident = l2cap_get_ident(conn);
1294 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1298 static void l2cap_le_start(struct l2cap_chan *chan)
1300 struct l2cap_conn *conn = chan->conn;
1302 if (!smp_conn_security(conn->hcon, chan->sec_level))
1306 l2cap_chan_ready(chan);
1310 if (chan->state == BT_CONNECT)
1311 l2cap_le_connect(chan);
1314 static void l2cap_start_connection(struct l2cap_chan *chan)
1316 if (__amp_capable(chan)) {
1317 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1318 a2mp_discover_amp(chan);
1319 } else if (chan->conn->hcon->type == LE_LINK) {
1320 l2cap_le_start(chan);
1322 l2cap_send_conn_req(chan);
1326 static void l2cap_request_info(struct l2cap_conn *conn)
1328 struct l2cap_info_req req;
1330 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1333 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1335 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1336 conn->info_ident = l2cap_get_ident(conn);
1338 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1340 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1344 static void l2cap_do_start(struct l2cap_chan *chan)
1346 struct l2cap_conn *conn = chan->conn;
1348 if (conn->hcon->type == LE_LINK) {
1349 l2cap_le_start(chan);
1353 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1354 l2cap_request_info(conn);
1358 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1361 if (l2cap_chan_check_security(chan, true) &&
1362 __l2cap_no_conn_pending(chan))
1363 l2cap_start_connection(chan);
1366 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1368 u32 local_feat_mask = l2cap_feat_mask;
1370 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1373 case L2CAP_MODE_ERTM:
1374 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1375 case L2CAP_MODE_STREAMING:
1376 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1382 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1384 struct l2cap_conn *conn = chan->conn;
1385 struct l2cap_disconn_req req;
1390 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1391 __clear_retrans_timer(chan);
1392 __clear_monitor_timer(chan);
1393 __clear_ack_timer(chan);
1396 if (chan->scid == L2CAP_CID_A2MP) {
1397 l2cap_state_change(chan, BT_DISCONN);
1401 req.dcid = cpu_to_le16(chan->dcid);
1402 req.scid = cpu_to_le16(chan->scid);
1403 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1406 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1409 /* ---- L2CAP connections ---- */
1410 static void l2cap_conn_start(struct l2cap_conn *conn)
1412 struct l2cap_chan *chan, *tmp;
1414 BT_DBG("conn %p", conn);
1416 mutex_lock(&conn->chan_lock);
1418 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1419 l2cap_chan_lock(chan);
1421 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1422 l2cap_chan_ready(chan);
1423 l2cap_chan_unlock(chan);
1427 if (chan->state == BT_CONNECT) {
1428 if (!l2cap_chan_check_security(chan, true) ||
1429 !__l2cap_no_conn_pending(chan)) {
1430 l2cap_chan_unlock(chan);
1434 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1435 && test_bit(CONF_STATE2_DEVICE,
1436 &chan->conf_state)) {
1437 l2cap_chan_close(chan, ECONNRESET);
1438 l2cap_chan_unlock(chan);
1442 l2cap_start_connection(chan);
1444 } else if (chan->state == BT_CONNECT2) {
1445 struct l2cap_conn_rsp rsp;
1447 rsp.scid = cpu_to_le16(chan->dcid);
1448 rsp.dcid = cpu_to_le16(chan->scid);
1450 if (l2cap_chan_check_security(chan, false)) {
1451 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1452 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1453 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1454 chan->ops->defer(chan);
1457 l2cap_state_change(chan, BT_CONFIG);
1458 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1459 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1462 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1463 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1466 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1469 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1470 rsp.result != L2CAP_CR_SUCCESS) {
1471 l2cap_chan_unlock(chan);
1475 set_bit(CONF_REQ_SENT, &chan->conf_state);
1476 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1477 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1478 chan->num_conf_req++;
1481 l2cap_chan_unlock(chan);
1484 mutex_unlock(&conn->chan_lock);
1487 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1489 struct hci_conn *hcon = conn->hcon;
1490 struct hci_dev *hdev = hcon->hdev;
1492 BT_DBG("%s conn %p", hdev->name, conn);
1494 /* For outgoing pairing which doesn't necessarily have an
1495 * associated socket (e.g. mgmt_pair_device).
1498 smp_conn_security(hcon, hcon->pending_sec_level);
1500 /* For LE slave connections, make sure the connection interval
1501 * is in the range of the minium and maximum interval that has
1502 * been configured for this connection. If not, then trigger
1503 * the connection update procedure.
1505 if (hcon->role == HCI_ROLE_SLAVE &&
1506 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1507 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1508 struct l2cap_conn_param_update_req req;
1510 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1511 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1512 req.latency = cpu_to_le16(hcon->le_conn_latency);
1513 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1515 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1516 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1520 static void l2cap_conn_ready(struct l2cap_conn *conn)
1522 struct l2cap_chan *chan;
1523 struct hci_conn *hcon = conn->hcon;
1525 BT_DBG("conn %p", conn);
1527 if (hcon->type == ACL_LINK)
1528 l2cap_request_info(conn);
1530 mutex_lock(&conn->chan_lock);
1532 list_for_each_entry(chan, &conn->chan_l, list) {
1534 l2cap_chan_lock(chan);
1536 if (chan->scid == L2CAP_CID_A2MP) {
1537 l2cap_chan_unlock(chan);
1541 if (hcon->type == LE_LINK) {
1542 l2cap_le_start(chan);
1543 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1544 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1545 l2cap_chan_ready(chan);
1546 } else if (chan->state == BT_CONNECT) {
1547 l2cap_do_start(chan);
1550 l2cap_chan_unlock(chan);
1553 mutex_unlock(&conn->chan_lock);
1555 if (hcon->type == LE_LINK)
1556 l2cap_le_conn_ready(conn);
1558 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1561 /* Notify sockets that we cannot guaranty reliability anymore */
1562 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1564 struct l2cap_chan *chan;
1566 BT_DBG("conn %p", conn);
1568 mutex_lock(&conn->chan_lock);
1570 list_for_each_entry(chan, &conn->chan_l, list) {
1571 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1572 l2cap_chan_set_err(chan, err);
1575 mutex_unlock(&conn->chan_lock);
1578 static void l2cap_info_timeout(struct work_struct *work)
1580 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1583 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1584 conn->info_ident = 0;
1586 l2cap_conn_start(conn);
1591 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1592 * callback is called during registration. The ->remove callback is called
1593 * during unregistration.
1594 * An l2cap_user object can either be explicitly unregistered or when the
1595 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1596 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1597 * External modules must own a reference to the l2cap_conn object if they intend
1598 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1599 * any time if they don't.
1602 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1604 struct hci_dev *hdev = conn->hcon->hdev;
1607 /* We need to check whether l2cap_conn is registered. If it is not, we
1608 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1609 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1610 * relies on the parent hci_conn object to be locked. This itself relies
1611 * on the hci_dev object to be locked. So we must lock the hci device
1616 if (!list_empty(&user->list)) {
1621 /* conn->hchan is NULL after l2cap_conn_del() was called */
1627 ret = user->probe(conn, user);
1631 list_add(&user->list, &conn->users);
1635 hci_dev_unlock(hdev);
1638 EXPORT_SYMBOL(l2cap_register_user);
1640 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1642 struct hci_dev *hdev = conn->hcon->hdev;
1646 if (list_empty(&user->list))
1649 list_del_init(&user->list);
1650 user->remove(conn, user);
1653 hci_dev_unlock(hdev);
1655 EXPORT_SYMBOL(l2cap_unregister_user);
1657 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1659 struct l2cap_user *user;
1661 while (!list_empty(&conn->users)) {
1662 user = list_first_entry(&conn->users, struct l2cap_user, list);
1663 list_del_init(&user->list);
1664 user->remove(conn, user);
1668 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1670 struct l2cap_conn *conn = hcon->l2cap_data;
1671 struct l2cap_chan *chan, *l;
1676 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1678 kfree_skb(conn->rx_skb);
1680 skb_queue_purge(&conn->pending_rx);
1682 /* We can not call flush_work(&conn->pending_rx_work) here since we
1683 * might block if we are running on a worker from the same workqueue
1684 * pending_rx_work is waiting on.
1686 if (work_pending(&conn->pending_rx_work))
1687 cancel_work_sync(&conn->pending_rx_work);
1689 if (work_pending(&conn->id_addr_update_work))
1690 cancel_work_sync(&conn->id_addr_update_work);
1692 l2cap_unregister_all_users(conn);
1694 /* Force the connection to be immediately dropped */
1695 hcon->disc_timeout = 0;
1697 mutex_lock(&conn->chan_lock);
1700 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1701 l2cap_chan_hold(chan);
1702 l2cap_chan_lock(chan);
1704 l2cap_chan_del(chan, err);
1706 l2cap_chan_unlock(chan);
1708 chan->ops->close(chan);
1709 l2cap_chan_put(chan);
1712 mutex_unlock(&conn->chan_lock);
1714 hci_chan_del(conn->hchan);
1716 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1717 cancel_delayed_work_sync(&conn->info_timer);
1719 hcon->l2cap_data = NULL;
1721 l2cap_conn_put(conn);
1724 static void l2cap_conn_free(struct kref *ref)
1726 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1728 hci_conn_put(conn->hcon);
1732 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1734 kref_get(&conn->ref);
1737 EXPORT_SYMBOL(l2cap_conn_get);
1739 void l2cap_conn_put(struct l2cap_conn *conn)
1741 kref_put(&conn->ref, l2cap_conn_free);
1743 EXPORT_SYMBOL(l2cap_conn_put);
1745 /* ---- Socket interface ---- */
1747 /* Find socket with psm and source / destination bdaddr.
1748 * Returns closest match.
1750 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1755 struct l2cap_chan *c, *c1 = NULL;
1757 read_lock(&chan_list_lock);
1759 list_for_each_entry(c, &chan_list, global_l) {
1760 if (state && c->state != state)
1763 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1766 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1769 if (c->psm == psm) {
1770 int src_match, dst_match;
1771 int src_any, dst_any;
1774 src_match = !bacmp(&c->src, src);
1775 dst_match = !bacmp(&c->dst, dst);
1776 if (src_match && dst_match) {
1778 read_unlock(&chan_list_lock);
1783 src_any = !bacmp(&c->src, BDADDR_ANY);
1784 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1785 if ((src_match && dst_any) || (src_any && dst_match) ||
1786 (src_any && dst_any))
1792 l2cap_chan_hold(c1);
1794 read_unlock(&chan_list_lock);
1799 static void l2cap_monitor_timeout(struct work_struct *work)
1801 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1802 monitor_timer.work);
1804 BT_DBG("chan %p", chan);
1806 l2cap_chan_lock(chan);
1809 l2cap_chan_unlock(chan);
1810 l2cap_chan_put(chan);
1814 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1816 l2cap_chan_unlock(chan);
1817 l2cap_chan_put(chan);
1820 static void l2cap_retrans_timeout(struct work_struct *work)
1822 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1823 retrans_timer.work);
1825 BT_DBG("chan %p", chan);
1827 l2cap_chan_lock(chan);
1830 l2cap_chan_unlock(chan);
1831 l2cap_chan_put(chan);
1835 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1836 l2cap_chan_unlock(chan);
1837 l2cap_chan_put(chan);
1840 static void l2cap_streaming_send(struct l2cap_chan *chan,
1841 struct sk_buff_head *skbs)
1843 struct sk_buff *skb;
1844 struct l2cap_ctrl *control;
1846 BT_DBG("chan %p, skbs %p", chan, skbs);
1848 if (__chan_is_moving(chan))
1851 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1853 while (!skb_queue_empty(&chan->tx_q)) {
1855 skb = skb_dequeue(&chan->tx_q);
1857 bt_cb(skb)->l2cap.retries = 1;
1858 control = &bt_cb(skb)->l2cap;
1860 control->reqseq = 0;
1861 control->txseq = chan->next_tx_seq;
1863 __pack_control(chan, control, skb);
1865 if (chan->fcs == L2CAP_FCS_CRC16) {
1866 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1867 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1870 l2cap_do_send(chan, skb);
1872 BT_DBG("Sent txseq %u", control->txseq);
1874 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1875 chan->frames_sent++;
1879 static int l2cap_ertm_send(struct l2cap_chan *chan)
1881 struct sk_buff *skb, *tx_skb;
1882 struct l2cap_ctrl *control;
1885 BT_DBG("chan %p", chan);
1887 if (chan->state != BT_CONNECTED)
1890 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1893 if (__chan_is_moving(chan))
1896 while (chan->tx_send_head &&
1897 chan->unacked_frames < chan->remote_tx_win &&
1898 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1900 skb = chan->tx_send_head;
1902 bt_cb(skb)->l2cap.retries = 1;
1903 control = &bt_cb(skb)->l2cap;
1905 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1908 control->reqseq = chan->buffer_seq;
1909 chan->last_acked_seq = chan->buffer_seq;
1910 control->txseq = chan->next_tx_seq;
1912 __pack_control(chan, control, skb);
1914 if (chan->fcs == L2CAP_FCS_CRC16) {
1915 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1916 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1919 /* Clone after data has been modified. Data is assumed to be
1920 read-only (for locking purposes) on cloned sk_buffs.
1922 tx_skb = skb_clone(skb, GFP_KERNEL);
1927 __set_retrans_timer(chan);
1929 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1930 chan->unacked_frames++;
1931 chan->frames_sent++;
1934 if (skb_queue_is_last(&chan->tx_q, skb))
1935 chan->tx_send_head = NULL;
1937 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1939 l2cap_do_send(chan, tx_skb);
1940 BT_DBG("Sent txseq %u", control->txseq);
1943 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1944 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1949 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1951 struct l2cap_ctrl control;
1952 struct sk_buff *skb;
1953 struct sk_buff *tx_skb;
1956 BT_DBG("chan %p", chan);
1958 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1961 if (__chan_is_moving(chan))
1964 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1965 seq = l2cap_seq_list_pop(&chan->retrans_list);
1967 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1969 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1974 bt_cb(skb)->l2cap.retries++;
1975 control = bt_cb(skb)->l2cap;
1977 if (chan->max_tx != 0 &&
1978 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1979 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1980 l2cap_send_disconn_req(chan, ECONNRESET);
1981 l2cap_seq_list_clear(&chan->retrans_list);
1985 control.reqseq = chan->buffer_seq;
1986 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1991 if (skb_cloned(skb)) {
1992 /* Cloned sk_buffs are read-only, so we need a
1995 tx_skb = skb_copy(skb, GFP_KERNEL);
1997 tx_skb = skb_clone(skb, GFP_KERNEL);
2001 l2cap_seq_list_clear(&chan->retrans_list);
2005 /* Update skb contents */
2006 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2007 put_unaligned_le32(__pack_extended_control(&control),
2008 tx_skb->data + L2CAP_HDR_SIZE);
2010 put_unaligned_le16(__pack_enhanced_control(&control),
2011 tx_skb->data + L2CAP_HDR_SIZE);
2015 if (chan->fcs == L2CAP_FCS_CRC16) {
2016 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2017 tx_skb->len - L2CAP_FCS_SIZE);
2018 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2022 l2cap_do_send(chan, tx_skb);
2024 BT_DBG("Resent txseq %d", control.txseq);
2026 chan->last_acked_seq = chan->buffer_seq;
2030 static void l2cap_retransmit(struct l2cap_chan *chan,
2031 struct l2cap_ctrl *control)
2033 BT_DBG("chan %p, control %p", chan, control);
2035 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2036 l2cap_ertm_resend(chan);
2039 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2040 struct l2cap_ctrl *control)
2042 struct sk_buff *skb;
2044 BT_DBG("chan %p, control %p", chan, control);
2047 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2049 l2cap_seq_list_clear(&chan->retrans_list);
2051 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2054 if (chan->unacked_frames) {
2055 skb_queue_walk(&chan->tx_q, skb) {
2056 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2057 skb == chan->tx_send_head)
2061 skb_queue_walk_from(&chan->tx_q, skb) {
2062 if (skb == chan->tx_send_head)
2065 l2cap_seq_list_append(&chan->retrans_list,
2066 bt_cb(skb)->l2cap.txseq);
2069 l2cap_ertm_resend(chan);
2073 static void l2cap_send_ack(struct l2cap_chan *chan)
2075 struct l2cap_ctrl control;
2076 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2077 chan->last_acked_seq);
2080 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2081 chan, chan->last_acked_seq, chan->buffer_seq);
2083 memset(&control, 0, sizeof(control));
2086 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2087 chan->rx_state == L2CAP_RX_STATE_RECV) {
2088 __clear_ack_timer(chan);
2089 control.super = L2CAP_SUPER_RNR;
2090 control.reqseq = chan->buffer_seq;
2091 l2cap_send_sframe(chan, &control);
2093 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2094 l2cap_ertm_send(chan);
2095 /* If any i-frames were sent, they included an ack */
2096 if (chan->buffer_seq == chan->last_acked_seq)
2100 /* Ack now if the window is 3/4ths full.
2101 * Calculate without mul or div
2103 threshold = chan->ack_win;
2104 threshold += threshold << 1;
2107 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2110 if (frames_to_ack >= threshold) {
2111 __clear_ack_timer(chan);
2112 control.super = L2CAP_SUPER_RR;
2113 control.reqseq = chan->buffer_seq;
2114 l2cap_send_sframe(chan, &control);
2119 __set_ack_timer(chan);
2123 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2124 struct msghdr *msg, int len,
2125 int count, struct sk_buff *skb)
2127 struct l2cap_conn *conn = chan->conn;
2128 struct sk_buff **frag;
2131 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2137 /* Continuation fragments (no L2CAP header) */
2138 frag = &skb_shinfo(skb)->frag_list;
2140 struct sk_buff *tmp;
2142 count = min_t(unsigned int, conn->mtu, len);
2144 tmp = chan->ops->alloc_skb(chan, 0, count,
2145 msg->msg_flags & MSG_DONTWAIT);
2147 return PTR_ERR(tmp);
2151 if (!copy_from_iter_full(skb_put(*frag, count), count,
2158 skb->len += (*frag)->len;
2159 skb->data_len += (*frag)->len;
2161 frag = &(*frag)->next;
2167 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2168 struct msghdr *msg, size_t len)
2170 struct l2cap_conn *conn = chan->conn;
2171 struct sk_buff *skb;
2172 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2173 struct l2cap_hdr *lh;
2175 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2176 __le16_to_cpu(chan->psm), len);
2178 count = min_t(unsigned int, (conn->mtu - hlen), len);
2180 skb = chan->ops->alloc_skb(chan, hlen, count,
2181 msg->msg_flags & MSG_DONTWAIT);
2185 /* Create L2CAP header */
2186 lh = skb_put(skb, L2CAP_HDR_SIZE);
2187 lh->cid = cpu_to_le16(chan->dcid);
2188 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2189 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2191 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2192 if (unlikely(err < 0)) {
2194 return ERR_PTR(err);
2199 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2200 struct msghdr *msg, size_t len)
2202 struct l2cap_conn *conn = chan->conn;
2203 struct sk_buff *skb;
2205 struct l2cap_hdr *lh;
2207 BT_DBG("chan %p len %zu", chan, len);
2209 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2211 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2212 msg->msg_flags & MSG_DONTWAIT);
2216 /* Create L2CAP header */
2217 lh = skb_put(skb, L2CAP_HDR_SIZE);
2218 lh->cid = cpu_to_le16(chan->dcid);
2219 lh->len = cpu_to_le16(len);
2221 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2222 if (unlikely(err < 0)) {
2224 return ERR_PTR(err);
2229 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2230 struct msghdr *msg, size_t len,
2233 struct l2cap_conn *conn = chan->conn;
2234 struct sk_buff *skb;
2235 int err, count, hlen;
2236 struct l2cap_hdr *lh;
2238 BT_DBG("chan %p len %zu", chan, len);
2241 return ERR_PTR(-ENOTCONN);
2243 hlen = __ertm_hdr_size(chan);
2246 hlen += L2CAP_SDULEN_SIZE;
2248 if (chan->fcs == L2CAP_FCS_CRC16)
2249 hlen += L2CAP_FCS_SIZE;
2251 count = min_t(unsigned int, (conn->mtu - hlen), len);
2253 skb = chan->ops->alloc_skb(chan, hlen, count,
2254 msg->msg_flags & MSG_DONTWAIT);
2258 /* Create L2CAP header */
2259 lh = skb_put(skb, L2CAP_HDR_SIZE);
2260 lh->cid = cpu_to_le16(chan->dcid);
2261 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2263 /* Control header is populated later */
2264 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2265 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2267 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2270 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2272 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2273 if (unlikely(err < 0)) {
2275 return ERR_PTR(err);
2278 bt_cb(skb)->l2cap.fcs = chan->fcs;
2279 bt_cb(skb)->l2cap.retries = 0;
2283 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2284 struct sk_buff_head *seg_queue,
2285 struct msghdr *msg, size_t len)
2287 struct sk_buff *skb;
2292 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2294 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2295 * so fragmented skbs are not used. The HCI layer's handling
2296 * of fragmented skbs is not compatible with ERTM's queueing.
2299 /* PDU size is derived from the HCI MTU */
2300 pdu_len = chan->conn->mtu;
2302 /* Constrain PDU size for BR/EDR connections */
2304 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2306 /* Adjust for largest possible L2CAP overhead. */
2308 pdu_len -= L2CAP_FCS_SIZE;
2310 pdu_len -= __ertm_hdr_size(chan);
2312 /* Remote device may have requested smaller PDUs */
2313 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2315 if (len <= pdu_len) {
2316 sar = L2CAP_SAR_UNSEGMENTED;
2320 sar = L2CAP_SAR_START;
2325 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2328 __skb_queue_purge(seg_queue);
2329 return PTR_ERR(skb);
2332 bt_cb(skb)->l2cap.sar = sar;
2333 __skb_queue_tail(seg_queue, skb);
2339 if (len <= pdu_len) {
2340 sar = L2CAP_SAR_END;
2343 sar = L2CAP_SAR_CONTINUE;
2350 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2352 size_t len, u16 sdulen)
2354 struct l2cap_conn *conn = chan->conn;
2355 struct sk_buff *skb;
2356 int err, count, hlen;
2357 struct l2cap_hdr *lh;
2359 BT_DBG("chan %p len %zu", chan, len);
2362 return ERR_PTR(-ENOTCONN);
2364 hlen = L2CAP_HDR_SIZE;
2367 hlen += L2CAP_SDULEN_SIZE;
2369 count = min_t(unsigned int, (conn->mtu - hlen), len);
2371 skb = chan->ops->alloc_skb(chan, hlen, count,
2372 msg->msg_flags & MSG_DONTWAIT);
2376 /* Create L2CAP header */
2377 lh = skb_put(skb, L2CAP_HDR_SIZE);
2378 lh->cid = cpu_to_le16(chan->dcid);
2379 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2382 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2384 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2385 if (unlikely(err < 0)) {
2387 return ERR_PTR(err);
2393 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2394 struct sk_buff_head *seg_queue,
2395 struct msghdr *msg, size_t len)
2397 struct sk_buff *skb;
2401 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2404 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2410 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2412 __skb_queue_purge(seg_queue);
2413 return PTR_ERR(skb);
2416 __skb_queue_tail(seg_queue, skb);
2422 pdu_len += L2CAP_SDULEN_SIZE;
2429 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2433 BT_DBG("chan %p", chan);
2435 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2436 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2441 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2442 skb_queue_len(&chan->tx_q));
2445 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2447 struct sk_buff *skb;
2449 struct sk_buff_head seg_queue;
2454 /* Connectionless channel */
2455 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2456 skb = l2cap_create_connless_pdu(chan, msg, len);
2458 return PTR_ERR(skb);
2460 /* Channel lock is released before requesting new skb and then
2461 * reacquired thus we need to recheck channel state.
2463 if (chan->state != BT_CONNECTED) {
2468 l2cap_do_send(chan, skb);
2472 switch (chan->mode) {
2473 case L2CAP_MODE_LE_FLOWCTL:
2474 /* Check outgoing MTU */
2475 if (len > chan->omtu)
2478 __skb_queue_head_init(&seg_queue);
2480 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2482 if (chan->state != BT_CONNECTED) {
2483 __skb_queue_purge(&seg_queue);
2490 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2492 l2cap_le_flowctl_send(chan);
2494 if (!chan->tx_credits)
2495 chan->ops->suspend(chan);
2501 case L2CAP_MODE_BASIC:
2502 /* Check outgoing MTU */
2503 if (len > chan->omtu)
2506 /* Create a basic PDU */
2507 skb = l2cap_create_basic_pdu(chan, msg, len);
2509 return PTR_ERR(skb);
2511 /* Channel lock is released before requesting new skb and then
2512 * reacquired thus we need to recheck channel state.
2514 if (chan->state != BT_CONNECTED) {
2519 l2cap_do_send(chan, skb);
2523 case L2CAP_MODE_ERTM:
2524 case L2CAP_MODE_STREAMING:
2525 /* Check outgoing MTU */
2526 if (len > chan->omtu) {
2531 __skb_queue_head_init(&seg_queue);
2533 /* Do segmentation before calling in to the state machine,
2534 * since it's possible to block while waiting for memory
2537 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2539 /* The channel could have been closed while segmenting,
2540 * check that it is still connected.
2542 if (chan->state != BT_CONNECTED) {
2543 __skb_queue_purge(&seg_queue);
2550 if (chan->mode == L2CAP_MODE_ERTM)
2551 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2553 l2cap_streaming_send(chan, &seg_queue);
2557 /* If the skbs were not queued for sending, they'll still be in
2558 * seg_queue and need to be purged.
2560 __skb_queue_purge(&seg_queue);
2564 BT_DBG("bad state %1.1x", chan->mode);
2570 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2572 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2574 struct l2cap_ctrl control;
2577 BT_DBG("chan %p, txseq %u", chan, txseq);
2579 memset(&control, 0, sizeof(control));
2581 control.super = L2CAP_SUPER_SREJ;
2583 for (seq = chan->expected_tx_seq; seq != txseq;
2584 seq = __next_seq(chan, seq)) {
2585 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2586 control.reqseq = seq;
2587 l2cap_send_sframe(chan, &control);
2588 l2cap_seq_list_append(&chan->srej_list, seq);
2592 chan->expected_tx_seq = __next_seq(chan, txseq);
2595 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2597 struct l2cap_ctrl control;
2599 BT_DBG("chan %p", chan);
2601 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2604 memset(&control, 0, sizeof(control));
2606 control.super = L2CAP_SUPER_SREJ;
2607 control.reqseq = chan->srej_list.tail;
2608 l2cap_send_sframe(chan, &control);
2611 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2613 struct l2cap_ctrl control;
2617 BT_DBG("chan %p, txseq %u", chan, txseq);
2619 memset(&control, 0, sizeof(control));
2621 control.super = L2CAP_SUPER_SREJ;
2623 /* Capture initial list head to allow only one pass through the list. */
2624 initial_head = chan->srej_list.head;
2627 seq = l2cap_seq_list_pop(&chan->srej_list);
2628 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2631 control.reqseq = seq;
2632 l2cap_send_sframe(chan, &control);
2633 l2cap_seq_list_append(&chan->srej_list, seq);
2634 } while (chan->srej_list.head != initial_head);
2637 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2639 struct sk_buff *acked_skb;
2642 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2644 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2647 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2648 chan->expected_ack_seq, chan->unacked_frames);
2650 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2651 ackseq = __next_seq(chan, ackseq)) {
2653 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2655 skb_unlink(acked_skb, &chan->tx_q);
2656 kfree_skb(acked_skb);
2657 chan->unacked_frames--;
2661 chan->expected_ack_seq = reqseq;
2663 if (chan->unacked_frames == 0)
2664 __clear_retrans_timer(chan);
2666 BT_DBG("unacked_frames %u", chan->unacked_frames);
2669 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2671 BT_DBG("chan %p", chan);
2673 chan->expected_tx_seq = chan->buffer_seq;
2674 l2cap_seq_list_clear(&chan->srej_list);
2675 skb_queue_purge(&chan->srej_q);
2676 chan->rx_state = L2CAP_RX_STATE_RECV;
2679 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2680 struct l2cap_ctrl *control,
2681 struct sk_buff_head *skbs, u8 event)
2683 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2687 case L2CAP_EV_DATA_REQUEST:
2688 if (chan->tx_send_head == NULL)
2689 chan->tx_send_head = skb_peek(skbs);
2691 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2692 l2cap_ertm_send(chan);
2694 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2695 BT_DBG("Enter LOCAL_BUSY");
2696 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2698 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2699 /* The SREJ_SENT state must be aborted if we are to
2700 * enter the LOCAL_BUSY state.
2702 l2cap_abort_rx_srej_sent(chan);
2705 l2cap_send_ack(chan);
2708 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2709 BT_DBG("Exit LOCAL_BUSY");
2710 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2712 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2713 struct l2cap_ctrl local_control;
2715 memset(&local_control, 0, sizeof(local_control));
2716 local_control.sframe = 1;
2717 local_control.super = L2CAP_SUPER_RR;
2718 local_control.poll = 1;
2719 local_control.reqseq = chan->buffer_seq;
2720 l2cap_send_sframe(chan, &local_control);
2722 chan->retry_count = 1;
2723 __set_monitor_timer(chan);
2724 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2727 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2728 l2cap_process_reqseq(chan, control->reqseq);
2730 case L2CAP_EV_EXPLICIT_POLL:
2731 l2cap_send_rr_or_rnr(chan, 1);
2732 chan->retry_count = 1;
2733 __set_monitor_timer(chan);
2734 __clear_ack_timer(chan);
2735 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2737 case L2CAP_EV_RETRANS_TO:
2738 l2cap_send_rr_or_rnr(chan, 1);
2739 chan->retry_count = 1;
2740 __set_monitor_timer(chan);
2741 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2743 case L2CAP_EV_RECV_FBIT:
2744 /* Nothing to process */
2751 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2752 struct l2cap_ctrl *control,
2753 struct sk_buff_head *skbs, u8 event)
2755 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2759 case L2CAP_EV_DATA_REQUEST:
2760 if (chan->tx_send_head == NULL)
2761 chan->tx_send_head = skb_peek(skbs);
2762 /* Queue data, but don't send. */
2763 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2765 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2766 BT_DBG("Enter LOCAL_BUSY");
2767 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2769 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2770 /* The SREJ_SENT state must be aborted if we are to
2771 * enter the LOCAL_BUSY state.
2773 l2cap_abort_rx_srej_sent(chan);
2776 l2cap_send_ack(chan);
2779 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2780 BT_DBG("Exit LOCAL_BUSY");
2781 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2783 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2784 struct l2cap_ctrl local_control;
2785 memset(&local_control, 0, sizeof(local_control));
2786 local_control.sframe = 1;
2787 local_control.super = L2CAP_SUPER_RR;
2788 local_control.poll = 1;
2789 local_control.reqseq = chan->buffer_seq;
2790 l2cap_send_sframe(chan, &local_control);
2792 chan->retry_count = 1;
2793 __set_monitor_timer(chan);
2794 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2797 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2798 l2cap_process_reqseq(chan, control->reqseq);
2802 case L2CAP_EV_RECV_FBIT:
2803 if (control && control->final) {
2804 __clear_monitor_timer(chan);
2805 if (chan->unacked_frames > 0)
2806 __set_retrans_timer(chan);
2807 chan->retry_count = 0;
2808 chan->tx_state = L2CAP_TX_STATE_XMIT;
2809 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2812 case L2CAP_EV_EXPLICIT_POLL:
2815 case L2CAP_EV_MONITOR_TO:
2816 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2817 l2cap_send_rr_or_rnr(chan, 1);
2818 __set_monitor_timer(chan);
2819 chan->retry_count++;
2821 l2cap_send_disconn_req(chan, ECONNABORTED);
2829 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2830 struct sk_buff_head *skbs, u8 event)
2832 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2833 chan, control, skbs, event, chan->tx_state);
2835 switch (chan->tx_state) {
2836 case L2CAP_TX_STATE_XMIT:
2837 l2cap_tx_state_xmit(chan, control, skbs, event);
2839 case L2CAP_TX_STATE_WAIT_F:
2840 l2cap_tx_state_wait_f(chan, control, skbs, event);
2848 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2849 struct l2cap_ctrl *control)
2851 BT_DBG("chan %p, control %p", chan, control);
2852 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2855 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2856 struct l2cap_ctrl *control)
2858 BT_DBG("chan %p, control %p", chan, control);
2859 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2862 /* Copy frame to all raw sockets on that connection */
2863 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2865 struct sk_buff *nskb;
2866 struct l2cap_chan *chan;
2868 BT_DBG("conn %p", conn);
2870 mutex_lock(&conn->chan_lock);
2872 list_for_each_entry(chan, &conn->chan_l, list) {
2873 if (chan->chan_type != L2CAP_CHAN_RAW)
2876 /* Don't send frame to the channel it came from */
2877 if (bt_cb(skb)->l2cap.chan == chan)
2880 nskb = skb_clone(skb, GFP_KERNEL);
2883 if (chan->ops->recv(chan, nskb))
2887 mutex_unlock(&conn->chan_lock);
2890 /* ---- L2CAP signalling commands ---- */
2891 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2892 u8 ident, u16 dlen, void *data)
2894 struct sk_buff *skb, **frag;
2895 struct l2cap_cmd_hdr *cmd;
2896 struct l2cap_hdr *lh;
2899 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2900 conn, code, ident, dlen);
2902 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2905 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2906 count = min_t(unsigned int, conn->mtu, len);
2908 skb = bt_skb_alloc(count, GFP_KERNEL);
2912 lh = skb_put(skb, L2CAP_HDR_SIZE);
2913 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2915 if (conn->hcon->type == LE_LINK)
2916 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2918 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2920 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2923 cmd->len = cpu_to_le16(dlen);
2926 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2927 skb_put_data(skb, data, count);
2933 /* Continuation fragments (no L2CAP header) */
2934 frag = &skb_shinfo(skb)->frag_list;
2936 count = min_t(unsigned int, conn->mtu, len);
2938 *frag = bt_skb_alloc(count, GFP_KERNEL);
2942 skb_put_data(*frag, data, count);
2947 frag = &(*frag)->next;
2957 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2960 struct l2cap_conf_opt *opt = *ptr;
2963 len = L2CAP_CONF_OPT_SIZE + opt->len;
2971 *val = *((u8 *) opt->val);
2975 *val = get_unaligned_le16(opt->val);
2979 *val = get_unaligned_le32(opt->val);
2983 *val = (unsigned long) opt->val;
2987 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2991 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
2993 struct l2cap_conf_opt *opt = *ptr;
2995 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2997 if (size < L2CAP_CONF_OPT_SIZE + len)
3005 *((u8 *) opt->val) = val;
3009 put_unaligned_le16(val, opt->val);
3013 put_unaligned_le32(val, opt->val);
3017 memcpy(opt->val, (void *) val, len);
3021 *ptr += L2CAP_CONF_OPT_SIZE + len;
3024 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3026 struct l2cap_conf_efs efs;
3028 switch (chan->mode) {
3029 case L2CAP_MODE_ERTM:
3030 efs.id = chan->local_id;
3031 efs.stype = chan->local_stype;
3032 efs.msdu = cpu_to_le16(chan->local_msdu);
3033 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3034 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3035 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3038 case L2CAP_MODE_STREAMING:
3040 efs.stype = L2CAP_SERV_BESTEFFORT;
3041 efs.msdu = cpu_to_le16(chan->local_msdu);
3042 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3051 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3052 (unsigned long) &efs, size);
3055 static void l2cap_ack_timeout(struct work_struct *work)
3057 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3061 BT_DBG("chan %p", chan);
3063 l2cap_chan_lock(chan);
3065 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3066 chan->last_acked_seq);
3069 l2cap_send_rr_or_rnr(chan, 0);
3071 l2cap_chan_unlock(chan);
3072 l2cap_chan_put(chan);
3075 int l2cap_ertm_init(struct l2cap_chan *chan)
3079 chan->next_tx_seq = 0;
3080 chan->expected_tx_seq = 0;
3081 chan->expected_ack_seq = 0;
3082 chan->unacked_frames = 0;
3083 chan->buffer_seq = 0;
3084 chan->frames_sent = 0;
3085 chan->last_acked_seq = 0;
3087 chan->sdu_last_frag = NULL;
3090 skb_queue_head_init(&chan->tx_q);
3092 chan->local_amp_id = AMP_ID_BREDR;
3093 chan->move_id = AMP_ID_BREDR;
3094 chan->move_state = L2CAP_MOVE_STABLE;
3095 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3097 if (chan->mode != L2CAP_MODE_ERTM)
3100 chan->rx_state = L2CAP_RX_STATE_RECV;
3101 chan->tx_state = L2CAP_TX_STATE_XMIT;
3103 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3104 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3105 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3107 skb_queue_head_init(&chan->srej_q);
3109 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3113 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3115 l2cap_seq_list_free(&chan->srej_list);
3120 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3123 case L2CAP_MODE_STREAMING:
3124 case L2CAP_MODE_ERTM:
3125 if (l2cap_mode_supported(mode, remote_feat_mask))
3129 return L2CAP_MODE_BASIC;
3133 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3135 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3136 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3139 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3141 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3142 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3145 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3146 struct l2cap_conf_rfc *rfc)
3148 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3149 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3151 /* Class 1 devices have must have ERTM timeouts
3152 * exceeding the Link Supervision Timeout. The
3153 * default Link Supervision Timeout for AMP
3154 * controllers is 10 seconds.
3156 * Class 1 devices use 0xffffffff for their
3157 * best-effort flush timeout, so the clamping logic
3158 * will result in a timeout that meets the above
3159 * requirement. ERTM timeouts are 16-bit values, so
3160 * the maximum timeout is 65.535 seconds.
3163 /* Convert timeout to milliseconds and round */
3164 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3166 /* This is the recommended formula for class 2 devices
3167 * that start ERTM timers when packets are sent to the
3170 ertm_to = 3 * ertm_to + 500;
3172 if (ertm_to > 0xffff)
3175 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3176 rfc->monitor_timeout = rfc->retrans_timeout;
3178 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3179 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3183 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3185 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3186 __l2cap_ews_supported(chan->conn)) {
3187 /* use extended control field */
3188 set_bit(FLAG_EXT_CTRL, &chan->flags);
3189 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3191 chan->tx_win = min_t(u16, chan->tx_win,
3192 L2CAP_DEFAULT_TX_WINDOW);
3193 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3195 chan->ack_win = chan->tx_win;
3198 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3200 struct l2cap_conf_req *req = data;
3201 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3202 void *ptr = req->data;
3203 void *endptr = data + data_size;
3206 BT_DBG("chan %p", chan);
3208 if (chan->num_conf_req || chan->num_conf_rsp)
3211 switch (chan->mode) {
3212 case L2CAP_MODE_STREAMING:
3213 case L2CAP_MODE_ERTM:
3214 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3217 if (__l2cap_efs_supported(chan->conn))
3218 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3222 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3227 if (chan->imtu != L2CAP_DEFAULT_MTU)
3228 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3230 switch (chan->mode) {
3231 case L2CAP_MODE_BASIC:
3235 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3236 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3239 rfc.mode = L2CAP_MODE_BASIC;
3241 rfc.max_transmit = 0;
3242 rfc.retrans_timeout = 0;
3243 rfc.monitor_timeout = 0;
3244 rfc.max_pdu_size = 0;
3246 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3247 (unsigned long) &rfc, endptr - ptr);
3250 case L2CAP_MODE_ERTM:
3251 rfc.mode = L2CAP_MODE_ERTM;
3252 rfc.max_transmit = chan->max_tx;
3254 __l2cap_set_ertm_timeouts(chan, &rfc);
3256 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3257 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3259 rfc.max_pdu_size = cpu_to_le16(size);
3261 l2cap_txwin_setup(chan);
3263 rfc.txwin_size = min_t(u16, chan->tx_win,
3264 L2CAP_DEFAULT_TX_WINDOW);
3266 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3267 (unsigned long) &rfc, endptr - ptr);
3269 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3270 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3272 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3273 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3274 chan->tx_win, endptr - ptr);
3276 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3277 if (chan->fcs == L2CAP_FCS_NONE ||
3278 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3279 chan->fcs = L2CAP_FCS_NONE;
3280 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3281 chan->fcs, endptr - ptr);
3285 case L2CAP_MODE_STREAMING:
3286 l2cap_txwin_setup(chan);
3287 rfc.mode = L2CAP_MODE_STREAMING;
3289 rfc.max_transmit = 0;
3290 rfc.retrans_timeout = 0;
3291 rfc.monitor_timeout = 0;
3293 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3294 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3296 rfc.max_pdu_size = cpu_to_le16(size);
3298 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3299 (unsigned long) &rfc, endptr - ptr);
3301 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3302 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3304 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3305 if (chan->fcs == L2CAP_FCS_NONE ||
3306 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3307 chan->fcs = L2CAP_FCS_NONE;
3308 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3309 chan->fcs, endptr - ptr);
3314 req->dcid = cpu_to_le16(chan->dcid);
3315 req->flags = cpu_to_le16(0);
3320 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3322 struct l2cap_conf_rsp *rsp = data;
3323 void *ptr = rsp->data;
3324 void *endptr = data + data_size;
3325 void *req = chan->conf_req;
3326 int len = chan->conf_len;
3327 int type, hint, olen;
3329 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3330 struct l2cap_conf_efs efs;
3332 u16 mtu = L2CAP_DEFAULT_MTU;
3333 u16 result = L2CAP_CONF_SUCCESS;
3336 BT_DBG("chan %p", chan);
3338 while (len >= L2CAP_CONF_OPT_SIZE) {
3339 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3341 hint = type & L2CAP_CONF_HINT;
3342 type &= L2CAP_CONF_MASK;
3345 case L2CAP_CONF_MTU:
3349 case L2CAP_CONF_FLUSH_TO:
3350 chan->flush_to = val;
3353 case L2CAP_CONF_QOS:
3356 case L2CAP_CONF_RFC:
3357 if (olen == sizeof(rfc))
3358 memcpy(&rfc, (void *) val, olen);
3361 case L2CAP_CONF_FCS:
3362 if (val == L2CAP_FCS_NONE)
3363 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3366 case L2CAP_CONF_EFS:
3367 if (olen == sizeof(efs)) {
3369 memcpy(&efs, (void *) val, olen);
3373 case L2CAP_CONF_EWS:
3374 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3375 return -ECONNREFUSED;
3377 set_bit(FLAG_EXT_CTRL, &chan->flags);
3378 set_bit(CONF_EWS_RECV, &chan->conf_state);
3379 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3380 chan->remote_tx_win = val;
3387 result = L2CAP_CONF_UNKNOWN;
3388 *((u8 *) ptr++) = type;
3393 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3396 switch (chan->mode) {
3397 case L2CAP_MODE_STREAMING:
3398 case L2CAP_MODE_ERTM:
3399 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3400 chan->mode = l2cap_select_mode(rfc.mode,
3401 chan->conn->feat_mask);
3406 if (__l2cap_efs_supported(chan->conn))
3407 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3409 return -ECONNREFUSED;
3412 if (chan->mode != rfc.mode)
3413 return -ECONNREFUSED;
3419 if (chan->mode != rfc.mode) {
3420 result = L2CAP_CONF_UNACCEPT;
3421 rfc.mode = chan->mode;
3423 if (chan->num_conf_rsp == 1)
3424 return -ECONNREFUSED;
3426 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3427 (unsigned long) &rfc, endptr - ptr);
3430 if (result == L2CAP_CONF_SUCCESS) {
3431 /* Configure output options and let the other side know
3432 * which ones we don't like. */
3434 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3435 result = L2CAP_CONF_UNACCEPT;
3438 set_bit(CONF_MTU_DONE, &chan->conf_state);
3440 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3443 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3444 efs.stype != L2CAP_SERV_NOTRAFIC &&
3445 efs.stype != chan->local_stype) {
3447 result = L2CAP_CONF_UNACCEPT;
3449 if (chan->num_conf_req >= 1)
3450 return -ECONNREFUSED;
3452 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3454 (unsigned long) &efs, endptr - ptr);
3456 /* Send PENDING Conf Rsp */
3457 result = L2CAP_CONF_PENDING;
3458 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3463 case L2CAP_MODE_BASIC:
3464 chan->fcs = L2CAP_FCS_NONE;
3465 set_bit(CONF_MODE_DONE, &chan->conf_state);
3468 case L2CAP_MODE_ERTM:
3469 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3470 chan->remote_tx_win = rfc.txwin_size;
3472 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3474 chan->remote_max_tx = rfc.max_transmit;
3476 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3477 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3478 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3479 rfc.max_pdu_size = cpu_to_le16(size);
3480 chan->remote_mps = size;
3482 __l2cap_set_ertm_timeouts(chan, &rfc);
3484 set_bit(CONF_MODE_DONE, &chan->conf_state);
3486 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3487 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3489 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3490 chan->remote_id = efs.id;
3491 chan->remote_stype = efs.stype;
3492 chan->remote_msdu = le16_to_cpu(efs.msdu);
3493 chan->remote_flush_to =
3494 le32_to_cpu(efs.flush_to);
3495 chan->remote_acc_lat =
3496 le32_to_cpu(efs.acc_lat);
3497 chan->remote_sdu_itime =
3498 le32_to_cpu(efs.sdu_itime);
3499 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3501 (unsigned long) &efs, endptr - ptr);
3505 case L2CAP_MODE_STREAMING:
3506 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3507 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3508 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3509 rfc.max_pdu_size = cpu_to_le16(size);
3510 chan->remote_mps = size;
3512 set_bit(CONF_MODE_DONE, &chan->conf_state);
3514 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3515 (unsigned long) &rfc, endptr - ptr);
3520 result = L2CAP_CONF_UNACCEPT;
3522 memset(&rfc, 0, sizeof(rfc));
3523 rfc.mode = chan->mode;
3526 if (result == L2CAP_CONF_SUCCESS)
3527 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3529 rsp->scid = cpu_to_le16(chan->dcid);
3530 rsp->result = cpu_to_le16(result);
3531 rsp->flags = cpu_to_le16(0);
3536 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3537 void *data, size_t size, u16 *result)
3539 struct l2cap_conf_req *req = data;
3540 void *ptr = req->data;
3541 void *endptr = data + size;
3544 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3545 struct l2cap_conf_efs efs;
3547 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3549 while (len >= L2CAP_CONF_OPT_SIZE) {
3550 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3553 case L2CAP_CONF_MTU:
3554 if (val < L2CAP_DEFAULT_MIN_MTU) {
3555 *result = L2CAP_CONF_UNACCEPT;
3556 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3559 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3562 case L2CAP_CONF_FLUSH_TO:
3563 chan->flush_to = val;
3564 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3565 2, chan->flush_to, endptr - ptr);
3568 case L2CAP_CONF_RFC:
3569 if (olen == sizeof(rfc))
3570 memcpy(&rfc, (void *)val, olen);
3572 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3573 rfc.mode != chan->mode)
3574 return -ECONNREFUSED;
3578 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3579 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3582 case L2CAP_CONF_EWS:
3583 chan->ack_win = min_t(u16, val, chan->ack_win);
3584 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3585 chan->tx_win, endptr - ptr);
3588 case L2CAP_CONF_EFS:
3589 if (olen == sizeof(efs)) {
3590 memcpy(&efs, (void *)val, olen);
3592 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3593 efs.stype != L2CAP_SERV_NOTRAFIC &&
3594 efs.stype != chan->local_stype)
3595 return -ECONNREFUSED;
3597 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3598 (unsigned long) &efs, endptr - ptr);
3602 case L2CAP_CONF_FCS:
3603 if (*result == L2CAP_CONF_PENDING)
3604 if (val == L2CAP_FCS_NONE)
3605 set_bit(CONF_RECV_NO_FCS,
3611 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3612 return -ECONNREFUSED;
3614 chan->mode = rfc.mode;
3616 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3618 case L2CAP_MODE_ERTM:
3619 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3620 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3621 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3622 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3623 chan->ack_win = min_t(u16, chan->ack_win,
3626 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3627 chan->local_msdu = le16_to_cpu(efs.msdu);
3628 chan->local_sdu_itime =
3629 le32_to_cpu(efs.sdu_itime);
3630 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3631 chan->local_flush_to =
3632 le32_to_cpu(efs.flush_to);
3636 case L2CAP_MODE_STREAMING:
3637 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3641 req->dcid = cpu_to_le16(chan->dcid);
3642 req->flags = cpu_to_le16(0);
3647 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3648 u16 result, u16 flags)
3650 struct l2cap_conf_rsp *rsp = data;
3651 void *ptr = rsp->data;
3653 BT_DBG("chan %p", chan);
3655 rsp->scid = cpu_to_le16(chan->dcid);
3656 rsp->result = cpu_to_le16(result);
3657 rsp->flags = cpu_to_le16(flags);
3662 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3664 struct l2cap_le_conn_rsp rsp;
3665 struct l2cap_conn *conn = chan->conn;
3667 BT_DBG("chan %p", chan);
3669 rsp.dcid = cpu_to_le16(chan->scid);
3670 rsp.mtu = cpu_to_le16(chan->imtu);
3671 rsp.mps = cpu_to_le16(chan->mps);
3672 rsp.credits = cpu_to_le16(chan->rx_credits);
3673 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3675 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3679 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3681 struct l2cap_conn_rsp rsp;
3682 struct l2cap_conn *conn = chan->conn;
3686 rsp.scid = cpu_to_le16(chan->dcid);
3687 rsp.dcid = cpu_to_le16(chan->scid);
3688 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3689 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3692 rsp_code = L2CAP_CREATE_CHAN_RSP;
3694 rsp_code = L2CAP_CONN_RSP;
3696 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3698 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3700 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3703 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3704 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3705 chan->num_conf_req++;
3708 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3712 /* Use sane default values in case a misbehaving remote device
3713 * did not send an RFC or extended window size option.
3715 u16 txwin_ext = chan->ack_win;
3716 struct l2cap_conf_rfc rfc = {
3718 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3719 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3720 .max_pdu_size = cpu_to_le16(chan->imtu),
3721 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3724 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3726 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3729 while (len >= L2CAP_CONF_OPT_SIZE) {
3730 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3733 case L2CAP_CONF_RFC:
3734 if (olen == sizeof(rfc))
3735 memcpy(&rfc, (void *)val, olen);
3737 case L2CAP_CONF_EWS:
3744 case L2CAP_MODE_ERTM:
3745 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3746 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3747 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3748 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3749 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3751 chan->ack_win = min_t(u16, chan->ack_win,
3754 case L2CAP_MODE_STREAMING:
3755 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3759 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3760 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3763 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3765 if (cmd_len < sizeof(*rej))
3768 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3771 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3772 cmd->ident == conn->info_ident) {
3773 cancel_delayed_work(&conn->info_timer);
3775 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3776 conn->info_ident = 0;
3778 l2cap_conn_start(conn);
3784 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3785 struct l2cap_cmd_hdr *cmd,
3786 u8 *data, u8 rsp_code, u8 amp_id)
3788 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3789 struct l2cap_conn_rsp rsp;
3790 struct l2cap_chan *chan = NULL, *pchan;
3791 int result, status = L2CAP_CS_NO_INFO;
3793 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3794 __le16 psm = req->psm;
3796 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3798 /* Check if we have socket listening on psm */
3799 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3800 &conn->hcon->dst, ACL_LINK);
3802 result = L2CAP_CR_BAD_PSM;
3806 mutex_lock(&conn->chan_lock);
3807 l2cap_chan_lock(pchan);
3809 /* Check if the ACL is secure enough (if not SDP) */
3810 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3811 !hci_conn_check_link_mode(conn->hcon)) {
3812 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3813 result = L2CAP_CR_SEC_BLOCK;
3817 result = L2CAP_CR_NO_MEM;
3819 /* Check for valid dynamic CID range (as per Erratum 3253) */
3820 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3821 result = L2CAP_CR_INVALID_SCID;
3825 /* Check if we already have channel with that dcid */
3826 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3827 result = L2CAP_CR_SCID_IN_USE;
3831 chan = pchan->ops->new_connection(pchan);
3835 /* For certain devices (ex: HID mouse), support for authentication,
3836 * pairing and bonding is optional. For such devices, inorder to avoid
3837 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3838 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3840 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3842 bacpy(&chan->src, &conn->hcon->src);
3843 bacpy(&chan->dst, &conn->hcon->dst);
3844 chan->src_type = bdaddr_src_type(conn->hcon);
3845 chan->dst_type = bdaddr_dst_type(conn->hcon);
3848 chan->local_amp_id = amp_id;
3850 __l2cap_chan_add(conn, chan);
3854 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3856 chan->ident = cmd->ident;
3858 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3859 if (l2cap_chan_check_security(chan, false)) {
3860 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3861 l2cap_state_change(chan, BT_CONNECT2);
3862 result = L2CAP_CR_PEND;
3863 status = L2CAP_CS_AUTHOR_PEND;
3864 chan->ops->defer(chan);
3866 /* Force pending result for AMP controllers.
3867 * The connection will succeed after the
3868 * physical link is up.
3870 if (amp_id == AMP_ID_BREDR) {
3871 l2cap_state_change(chan, BT_CONFIG);
3872 result = L2CAP_CR_SUCCESS;
3874 l2cap_state_change(chan, BT_CONNECT2);
3875 result = L2CAP_CR_PEND;
3877 status = L2CAP_CS_NO_INFO;
3880 l2cap_state_change(chan, BT_CONNECT2);
3881 result = L2CAP_CR_PEND;
3882 status = L2CAP_CS_AUTHEN_PEND;
3885 l2cap_state_change(chan, BT_CONNECT2);
3886 result = L2CAP_CR_PEND;
3887 status = L2CAP_CS_NO_INFO;
3891 l2cap_chan_unlock(pchan);
3892 mutex_unlock(&conn->chan_lock);
3893 l2cap_chan_put(pchan);
3896 rsp.scid = cpu_to_le16(scid);
3897 rsp.dcid = cpu_to_le16(dcid);
3898 rsp.result = cpu_to_le16(result);
3899 rsp.status = cpu_to_le16(status);
3900 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3902 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3903 struct l2cap_info_req info;
3904 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3906 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3907 conn->info_ident = l2cap_get_ident(conn);
3909 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3911 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3912 sizeof(info), &info);
3915 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3916 result == L2CAP_CR_SUCCESS) {
3918 set_bit(CONF_REQ_SENT, &chan->conf_state);
3919 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3920 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3921 chan->num_conf_req++;
3927 static int l2cap_connect_req(struct l2cap_conn *conn,
3928 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3930 struct hci_dev *hdev = conn->hcon->hdev;
3931 struct hci_conn *hcon = conn->hcon;
3933 if (cmd_len < sizeof(struct l2cap_conn_req))
3937 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3938 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3939 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3940 hci_dev_unlock(hdev);
3942 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3946 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3947 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3950 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3951 u16 scid, dcid, result, status;
3952 struct l2cap_chan *chan;
3956 if (cmd_len < sizeof(*rsp))
3959 scid = __le16_to_cpu(rsp->scid);
3960 dcid = __le16_to_cpu(rsp->dcid);
3961 result = __le16_to_cpu(rsp->result);
3962 status = __le16_to_cpu(rsp->status);
3964 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3965 dcid, scid, result, status);
3967 mutex_lock(&conn->chan_lock);
3970 chan = __l2cap_get_chan_by_scid(conn, scid);
3976 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3985 l2cap_chan_lock(chan);
3988 case L2CAP_CR_SUCCESS:
3989 l2cap_state_change(chan, BT_CONFIG);
3992 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3994 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3997 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3998 l2cap_build_conf_req(chan, req, sizeof(req)), req);
3999 chan->num_conf_req++;
4003 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4007 l2cap_chan_del(chan, ECONNREFUSED);
4011 l2cap_chan_unlock(chan);
4014 mutex_unlock(&conn->chan_lock);
4019 static inline void set_default_fcs(struct l2cap_chan *chan)
4021 /* FCS is enabled only in ERTM or streaming mode, if one or both
4024 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4025 chan->fcs = L2CAP_FCS_NONE;
4026 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4027 chan->fcs = L2CAP_FCS_CRC16;
4030 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4031 u8 ident, u16 flags)
4033 struct l2cap_conn *conn = chan->conn;
4035 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4038 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4039 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4041 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4042 l2cap_build_conf_rsp(chan, data,
4043 L2CAP_CONF_SUCCESS, flags), data);
4046 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4049 struct l2cap_cmd_rej_cid rej;
4051 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4052 rej.scid = __cpu_to_le16(scid);
4053 rej.dcid = __cpu_to_le16(dcid);
4055 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4058 static inline int l2cap_config_req(struct l2cap_conn *conn,
4059 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4062 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4065 struct l2cap_chan *chan;
4068 if (cmd_len < sizeof(*req))
4071 dcid = __le16_to_cpu(req->dcid);
4072 flags = __le16_to_cpu(req->flags);
4074 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4076 chan = l2cap_get_chan_by_scid(conn, dcid);
4078 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4082 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4083 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4088 /* Reject if config buffer is too small. */
4089 len = cmd_len - sizeof(*req);
4090 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4091 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4092 l2cap_build_conf_rsp(chan, rsp,
4093 L2CAP_CONF_REJECT, flags), rsp);
4098 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4099 chan->conf_len += len;
4101 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4102 /* Incomplete config. Send empty response. */
4103 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4104 l2cap_build_conf_rsp(chan, rsp,
4105 L2CAP_CONF_SUCCESS, flags), rsp);
4109 /* Complete config. */
4110 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4112 l2cap_send_disconn_req(chan, ECONNRESET);
4116 chan->ident = cmd->ident;
4117 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4118 chan->num_conf_rsp++;
4120 /* Reset config buffer. */
4123 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4126 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4127 set_default_fcs(chan);
4129 if (chan->mode == L2CAP_MODE_ERTM ||
4130 chan->mode == L2CAP_MODE_STREAMING)
4131 err = l2cap_ertm_init(chan);
4134 l2cap_send_disconn_req(chan, -err);
4136 l2cap_chan_ready(chan);
4141 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4143 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4144 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4145 chan->num_conf_req++;
4148 /* Got Conf Rsp PENDING from remote side and assume we sent
4149 Conf Rsp PENDING in the code above */
4150 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4151 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4153 /* check compatibility */
4155 /* Send rsp for BR/EDR channel */
4157 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4159 chan->ident = cmd->ident;
4163 l2cap_chan_unlock(chan);
4167 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4168 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4171 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4172 u16 scid, flags, result;
4173 struct l2cap_chan *chan;
4174 int len = cmd_len - sizeof(*rsp);
4177 if (cmd_len < sizeof(*rsp))
4180 scid = __le16_to_cpu(rsp->scid);
4181 flags = __le16_to_cpu(rsp->flags);
4182 result = __le16_to_cpu(rsp->result);
4184 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4187 chan = l2cap_get_chan_by_scid(conn, scid);
4192 case L2CAP_CONF_SUCCESS:
4193 l2cap_conf_rfc_get(chan, rsp->data, len);
4194 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4197 case L2CAP_CONF_PENDING:
4198 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4200 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4203 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4204 buf, sizeof(buf), &result);
4206 l2cap_send_disconn_req(chan, ECONNRESET);
4210 if (!chan->hs_hcon) {
4211 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4214 if (l2cap_check_efs(chan)) {
4215 amp_create_logical_link(chan);
4216 chan->ident = cmd->ident;
4222 case L2CAP_CONF_UNACCEPT:
4223 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4226 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4227 l2cap_send_disconn_req(chan, ECONNRESET);
4231 /* throw out any old stored conf requests */
4232 result = L2CAP_CONF_SUCCESS;
4233 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4234 req, sizeof(req), &result);
4236 l2cap_send_disconn_req(chan, ECONNRESET);
4240 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4241 L2CAP_CONF_REQ, len, req);
4242 chan->num_conf_req++;
4243 if (result != L2CAP_CONF_SUCCESS)
4249 l2cap_chan_set_err(chan, ECONNRESET);
4251 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4252 l2cap_send_disconn_req(chan, ECONNRESET);
4256 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4259 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4261 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4262 set_default_fcs(chan);
4264 if (chan->mode == L2CAP_MODE_ERTM ||
4265 chan->mode == L2CAP_MODE_STREAMING)
4266 err = l2cap_ertm_init(chan);
4269 l2cap_send_disconn_req(chan, -err);
4271 l2cap_chan_ready(chan);
4275 l2cap_chan_unlock(chan);
4279 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4280 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4283 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4284 struct l2cap_disconn_rsp rsp;
4286 struct l2cap_chan *chan;
4288 if (cmd_len != sizeof(*req))
4291 scid = __le16_to_cpu(req->scid);
4292 dcid = __le16_to_cpu(req->dcid);
4294 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4296 mutex_lock(&conn->chan_lock);
4298 chan = __l2cap_get_chan_by_scid(conn, dcid);
4300 mutex_unlock(&conn->chan_lock);
4301 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4305 l2cap_chan_lock(chan);
4307 rsp.dcid = cpu_to_le16(chan->scid);
4308 rsp.scid = cpu_to_le16(chan->dcid);
4309 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4311 chan->ops->set_shutdown(chan);
4313 l2cap_chan_hold(chan);
4314 l2cap_chan_del(chan, ECONNRESET);
4316 l2cap_chan_unlock(chan);
4318 chan->ops->close(chan);
4319 l2cap_chan_put(chan);
4321 mutex_unlock(&conn->chan_lock);
4326 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4327 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4330 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4332 struct l2cap_chan *chan;
4334 if (cmd_len != sizeof(*rsp))
4337 scid = __le16_to_cpu(rsp->scid);
4338 dcid = __le16_to_cpu(rsp->dcid);
4340 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4342 mutex_lock(&conn->chan_lock);
4344 chan = __l2cap_get_chan_by_scid(conn, scid);
4346 mutex_unlock(&conn->chan_lock);
4350 l2cap_chan_lock(chan);
4352 l2cap_chan_hold(chan);
4353 l2cap_chan_del(chan, 0);
4355 l2cap_chan_unlock(chan);
4357 chan->ops->close(chan);
4358 l2cap_chan_put(chan);
4360 mutex_unlock(&conn->chan_lock);
4365 static inline int l2cap_information_req(struct l2cap_conn *conn,
4366 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4369 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4372 if (cmd_len != sizeof(*req))
4375 type = __le16_to_cpu(req->type);
4377 BT_DBG("type 0x%4.4x", type);
4379 if (type == L2CAP_IT_FEAT_MASK) {
4381 u32 feat_mask = l2cap_feat_mask;
4382 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4383 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4384 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4386 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4388 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4389 feat_mask |= L2CAP_FEAT_EXT_FLOW
4390 | L2CAP_FEAT_EXT_WINDOW;
4392 put_unaligned_le32(feat_mask, rsp->data);
4393 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4395 } else if (type == L2CAP_IT_FIXED_CHAN) {
4397 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4399 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4400 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4401 rsp->data[0] = conn->local_fixed_chan;
4402 memset(rsp->data + 1, 0, 7);
4403 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4406 struct l2cap_info_rsp rsp;
4407 rsp.type = cpu_to_le16(type);
4408 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4409 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4416 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4417 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4420 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4423 if (cmd_len < sizeof(*rsp))
4426 type = __le16_to_cpu(rsp->type);
4427 result = __le16_to_cpu(rsp->result);
4429 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4431 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4432 if (cmd->ident != conn->info_ident ||
4433 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4436 cancel_delayed_work(&conn->info_timer);
4438 if (result != L2CAP_IR_SUCCESS) {
4439 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4440 conn->info_ident = 0;
4442 l2cap_conn_start(conn);
4448 case L2CAP_IT_FEAT_MASK:
4449 conn->feat_mask = get_unaligned_le32(rsp->data);
4451 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4452 struct l2cap_info_req req;
4453 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4455 conn->info_ident = l2cap_get_ident(conn);
4457 l2cap_send_cmd(conn, conn->info_ident,
4458 L2CAP_INFO_REQ, sizeof(req), &req);
4460 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4461 conn->info_ident = 0;
4463 l2cap_conn_start(conn);
4467 case L2CAP_IT_FIXED_CHAN:
4468 conn->remote_fixed_chan = rsp->data[0];
4469 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4470 conn->info_ident = 0;
4472 l2cap_conn_start(conn);
4479 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4480 struct l2cap_cmd_hdr *cmd,
4481 u16 cmd_len, void *data)
4483 struct l2cap_create_chan_req *req = data;
4484 struct l2cap_create_chan_rsp rsp;
4485 struct l2cap_chan *chan;
4486 struct hci_dev *hdev;
4489 if (cmd_len != sizeof(*req))
4492 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4495 psm = le16_to_cpu(req->psm);
4496 scid = le16_to_cpu(req->scid);
4498 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4500 /* For controller id 0 make BR/EDR connection */
4501 if (req->amp_id == AMP_ID_BREDR) {
4502 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4507 /* Validate AMP controller id */
4508 hdev = hci_dev_get(req->amp_id);
4512 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4517 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4520 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4521 struct hci_conn *hs_hcon;
4523 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4527 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4532 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4534 mgr->bredr_chan = chan;
4535 chan->hs_hcon = hs_hcon;
4536 chan->fcs = L2CAP_FCS_NONE;
4537 conn->mtu = hdev->block_mtu;
4546 rsp.scid = cpu_to_le16(scid);
4547 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4548 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4550 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4556 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4558 struct l2cap_move_chan_req req;
4561 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4563 ident = l2cap_get_ident(chan->conn);
4564 chan->ident = ident;
4566 req.icid = cpu_to_le16(chan->scid);
4567 req.dest_amp_id = dest_amp_id;
4569 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4572 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4575 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4577 struct l2cap_move_chan_rsp rsp;
4579 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4581 rsp.icid = cpu_to_le16(chan->dcid);
4582 rsp.result = cpu_to_le16(result);
4584 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4588 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4590 struct l2cap_move_chan_cfm cfm;
4592 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4594 chan->ident = l2cap_get_ident(chan->conn);
4596 cfm.icid = cpu_to_le16(chan->scid);
4597 cfm.result = cpu_to_le16(result);
4599 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4602 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4605 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4607 struct l2cap_move_chan_cfm cfm;
4609 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4611 cfm.icid = cpu_to_le16(icid);
4612 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4614 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4618 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4621 struct l2cap_move_chan_cfm_rsp rsp;
4623 BT_DBG("icid 0x%4.4x", icid);
4625 rsp.icid = cpu_to_le16(icid);
4626 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4629 static void __release_logical_link(struct l2cap_chan *chan)
4631 chan->hs_hchan = NULL;
4632 chan->hs_hcon = NULL;
4634 /* Placeholder - release the logical link */
4637 static void l2cap_logical_fail(struct l2cap_chan *chan)
4639 /* Logical link setup failed */
4640 if (chan->state != BT_CONNECTED) {
4641 /* Create channel failure, disconnect */
4642 l2cap_send_disconn_req(chan, ECONNRESET);
4646 switch (chan->move_role) {
4647 case L2CAP_MOVE_ROLE_RESPONDER:
4648 l2cap_move_done(chan);
4649 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4651 case L2CAP_MOVE_ROLE_INITIATOR:
4652 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4653 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4654 /* Remote has only sent pending or
4655 * success responses, clean up
4657 l2cap_move_done(chan);
4660 /* Other amp move states imply that the move
4661 * has already aborted
4663 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4668 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4669 struct hci_chan *hchan)
4671 struct l2cap_conf_rsp rsp;
4673 chan->hs_hchan = hchan;
4674 chan->hs_hcon->l2cap_data = chan->conn;
4676 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4678 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4681 set_default_fcs(chan);
4683 err = l2cap_ertm_init(chan);
4685 l2cap_send_disconn_req(chan, -err);
4687 l2cap_chan_ready(chan);
4691 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4692 struct hci_chan *hchan)
4694 chan->hs_hcon = hchan->conn;
4695 chan->hs_hcon->l2cap_data = chan->conn;
4697 BT_DBG("move_state %d", chan->move_state);
4699 switch (chan->move_state) {
4700 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4701 /* Move confirm will be sent after a success
4702 * response is received
4704 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4706 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4707 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4708 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4709 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4710 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4711 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4712 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4713 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4714 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4718 /* Move was not in expected state, free the channel */
4719 __release_logical_link(chan);
4721 chan->move_state = L2CAP_MOVE_STABLE;
4725 /* Call with chan locked */
4726 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4729 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4732 l2cap_logical_fail(chan);
4733 __release_logical_link(chan);
4737 if (chan->state != BT_CONNECTED) {
4738 /* Ignore logical link if channel is on BR/EDR */
4739 if (chan->local_amp_id != AMP_ID_BREDR)
4740 l2cap_logical_finish_create(chan, hchan);
4742 l2cap_logical_finish_move(chan, hchan);
4746 void l2cap_move_start(struct l2cap_chan *chan)
4748 BT_DBG("chan %p", chan);
4750 if (chan->local_amp_id == AMP_ID_BREDR) {
4751 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4753 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4754 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4755 /* Placeholder - start physical link setup */
4757 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4758 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4760 l2cap_move_setup(chan);
4761 l2cap_send_move_chan_req(chan, 0);
4765 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4766 u8 local_amp_id, u8 remote_amp_id)
4768 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4769 local_amp_id, remote_amp_id);
4771 chan->fcs = L2CAP_FCS_NONE;
4773 /* Outgoing channel on AMP */
4774 if (chan->state == BT_CONNECT) {
4775 if (result == L2CAP_CR_SUCCESS) {
4776 chan->local_amp_id = local_amp_id;
4777 l2cap_send_create_chan_req(chan, remote_amp_id);
4779 /* Revert to BR/EDR connect */
4780 l2cap_send_conn_req(chan);
4786 /* Incoming channel on AMP */
4787 if (__l2cap_no_conn_pending(chan)) {
4788 struct l2cap_conn_rsp rsp;
4790 rsp.scid = cpu_to_le16(chan->dcid);
4791 rsp.dcid = cpu_to_le16(chan->scid);
4793 if (result == L2CAP_CR_SUCCESS) {
4794 /* Send successful response */
4795 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4796 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4798 /* Send negative response */
4799 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4800 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4803 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4806 if (result == L2CAP_CR_SUCCESS) {
4807 l2cap_state_change(chan, BT_CONFIG);
4808 set_bit(CONF_REQ_SENT, &chan->conf_state);
4809 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4811 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4812 chan->num_conf_req++;
4817 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4820 l2cap_move_setup(chan);
4821 chan->move_id = local_amp_id;
4822 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4824 l2cap_send_move_chan_req(chan, remote_amp_id);
4827 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4829 struct hci_chan *hchan = NULL;
4831 /* Placeholder - get hci_chan for logical link */
4834 if (hchan->state == BT_CONNECTED) {
4835 /* Logical link is ready to go */
4836 chan->hs_hcon = hchan->conn;
4837 chan->hs_hcon->l2cap_data = chan->conn;
4838 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4839 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4841 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4843 /* Wait for logical link to be ready */
4844 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4847 /* Logical link not available */
4848 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4852 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4854 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4856 if (result == -EINVAL)
4857 rsp_result = L2CAP_MR_BAD_ID;
4859 rsp_result = L2CAP_MR_NOT_ALLOWED;
4861 l2cap_send_move_chan_rsp(chan, rsp_result);
4864 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4865 chan->move_state = L2CAP_MOVE_STABLE;
4867 /* Restart data transmission */
4868 l2cap_ertm_send(chan);
4871 /* Invoke with locked chan */
4872 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4874 u8 local_amp_id = chan->local_amp_id;
4875 u8 remote_amp_id = chan->remote_amp_id;
4877 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4878 chan, result, local_amp_id, remote_amp_id);
4880 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4881 l2cap_chan_unlock(chan);
4885 if (chan->state != BT_CONNECTED) {
4886 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4887 } else if (result != L2CAP_MR_SUCCESS) {
4888 l2cap_do_move_cancel(chan, result);
4890 switch (chan->move_role) {
4891 case L2CAP_MOVE_ROLE_INITIATOR:
4892 l2cap_do_move_initiate(chan, local_amp_id,
4895 case L2CAP_MOVE_ROLE_RESPONDER:
4896 l2cap_do_move_respond(chan, result);
4899 l2cap_do_move_cancel(chan, result);
4905 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4906 struct l2cap_cmd_hdr *cmd,
4907 u16 cmd_len, void *data)
4909 struct l2cap_move_chan_req *req = data;
4910 struct l2cap_move_chan_rsp rsp;
4911 struct l2cap_chan *chan;
4913 u16 result = L2CAP_MR_NOT_ALLOWED;
4915 if (cmd_len != sizeof(*req))
4918 icid = le16_to_cpu(req->icid);
4920 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4922 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4925 chan = l2cap_get_chan_by_dcid(conn, icid);
4927 rsp.icid = cpu_to_le16(icid);
4928 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4929 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4934 chan->ident = cmd->ident;
4936 if (chan->scid < L2CAP_CID_DYN_START ||
4937 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4938 (chan->mode != L2CAP_MODE_ERTM &&
4939 chan->mode != L2CAP_MODE_STREAMING)) {
4940 result = L2CAP_MR_NOT_ALLOWED;
4941 goto send_move_response;
4944 if (chan->local_amp_id == req->dest_amp_id) {
4945 result = L2CAP_MR_SAME_ID;
4946 goto send_move_response;
4949 if (req->dest_amp_id != AMP_ID_BREDR) {
4950 struct hci_dev *hdev;
4951 hdev = hci_dev_get(req->dest_amp_id);
4952 if (!hdev || hdev->dev_type != HCI_AMP ||
4953 !test_bit(HCI_UP, &hdev->flags)) {
4957 result = L2CAP_MR_BAD_ID;
4958 goto send_move_response;
4963 /* Detect a move collision. Only send a collision response
4964 * if this side has "lost", otherwise proceed with the move.
4965 * The winner has the larger bd_addr.
4967 if ((__chan_is_moving(chan) ||
4968 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4969 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4970 result = L2CAP_MR_COLLISION;
4971 goto send_move_response;
4974 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4975 l2cap_move_setup(chan);
4976 chan->move_id = req->dest_amp_id;
4979 if (req->dest_amp_id == AMP_ID_BREDR) {
4980 /* Moving to BR/EDR */
4981 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4982 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4983 result = L2CAP_MR_PEND;
4985 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4986 result = L2CAP_MR_SUCCESS;
4989 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4990 /* Placeholder - uncomment when amp functions are available */
4991 /*amp_accept_physical(chan, req->dest_amp_id);*/
4992 result = L2CAP_MR_PEND;
4996 l2cap_send_move_chan_rsp(chan, result);
4998 l2cap_chan_unlock(chan);
5003 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5005 struct l2cap_chan *chan;
5006 struct hci_chan *hchan = NULL;
5008 chan = l2cap_get_chan_by_scid(conn, icid);
5010 l2cap_send_move_chan_cfm_icid(conn, icid);
5014 __clear_chan_timer(chan);
5015 if (result == L2CAP_MR_PEND)
5016 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5018 switch (chan->move_state) {
5019 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5020 /* Move confirm will be sent when logical link
5023 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5025 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5026 if (result == L2CAP_MR_PEND) {
5028 } else if (test_bit(CONN_LOCAL_BUSY,
5029 &chan->conn_state)) {
5030 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5032 /* Logical link is up or moving to BR/EDR,
5035 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5036 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5039 case L2CAP_MOVE_WAIT_RSP:
5041 if (result == L2CAP_MR_SUCCESS) {
5042 /* Remote is ready, send confirm immediately
5043 * after logical link is ready
5045 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5047 /* Both logical link and move success
5048 * are required to confirm
5050 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5053 /* Placeholder - get hci_chan for logical link */
5055 /* Logical link not available */
5056 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5060 /* If the logical link is not yet connected, do not
5061 * send confirmation.
5063 if (hchan->state != BT_CONNECTED)
5066 /* Logical link is already ready to go */
5068 chan->hs_hcon = hchan->conn;
5069 chan->hs_hcon->l2cap_data = chan->conn;
5071 if (result == L2CAP_MR_SUCCESS) {
5072 /* Can confirm now */
5073 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5075 /* Now only need move success
5078 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5081 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5084 /* Any other amp move state means the move failed. */
5085 chan->move_id = chan->local_amp_id;
5086 l2cap_move_done(chan);
5087 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5090 l2cap_chan_unlock(chan);
5093 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5096 struct l2cap_chan *chan;
5098 chan = l2cap_get_chan_by_ident(conn, ident);
5100 /* Could not locate channel, icid is best guess */
5101 l2cap_send_move_chan_cfm_icid(conn, icid);
5105 __clear_chan_timer(chan);
5107 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5108 if (result == L2CAP_MR_COLLISION) {
5109 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5111 /* Cleanup - cancel move */
5112 chan->move_id = chan->local_amp_id;
5113 l2cap_move_done(chan);
5117 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5119 l2cap_chan_unlock(chan);
5122 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5123 struct l2cap_cmd_hdr *cmd,
5124 u16 cmd_len, void *data)
5126 struct l2cap_move_chan_rsp *rsp = data;
5129 if (cmd_len != sizeof(*rsp))
5132 icid = le16_to_cpu(rsp->icid);
5133 result = le16_to_cpu(rsp->result);
5135 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5137 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5138 l2cap_move_continue(conn, icid, result);
5140 l2cap_move_fail(conn, cmd->ident, icid, result);
5145 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5146 struct l2cap_cmd_hdr *cmd,
5147 u16 cmd_len, void *data)
5149 struct l2cap_move_chan_cfm *cfm = data;
5150 struct l2cap_chan *chan;
5153 if (cmd_len != sizeof(*cfm))
5156 icid = le16_to_cpu(cfm->icid);
5157 result = le16_to_cpu(cfm->result);
5159 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5161 chan = l2cap_get_chan_by_dcid(conn, icid);
5163 /* Spec requires a response even if the icid was not found */
5164 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5168 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5169 if (result == L2CAP_MC_CONFIRMED) {
5170 chan->local_amp_id = chan->move_id;
5171 if (chan->local_amp_id == AMP_ID_BREDR)
5172 __release_logical_link(chan);
5174 chan->move_id = chan->local_amp_id;
5177 l2cap_move_done(chan);
5180 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5182 l2cap_chan_unlock(chan);
5187 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5188 struct l2cap_cmd_hdr *cmd,
5189 u16 cmd_len, void *data)
5191 struct l2cap_move_chan_cfm_rsp *rsp = data;
5192 struct l2cap_chan *chan;
5195 if (cmd_len != sizeof(*rsp))
5198 icid = le16_to_cpu(rsp->icid);
5200 BT_DBG("icid 0x%4.4x", icid);
5202 chan = l2cap_get_chan_by_scid(conn, icid);
5206 __clear_chan_timer(chan);
5208 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5209 chan->local_amp_id = chan->move_id;
5211 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5212 __release_logical_link(chan);
5214 l2cap_move_done(chan);
5217 l2cap_chan_unlock(chan);
5222 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5223 struct l2cap_cmd_hdr *cmd,
5224 u16 cmd_len, u8 *data)
5226 struct hci_conn *hcon = conn->hcon;
5227 struct l2cap_conn_param_update_req *req;
5228 struct l2cap_conn_param_update_rsp rsp;
5229 u16 min, max, latency, to_multiplier;
5232 if (hcon->role != HCI_ROLE_MASTER)
5235 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5238 req = (struct l2cap_conn_param_update_req *) data;
5239 min = __le16_to_cpu(req->min);
5240 max = __le16_to_cpu(req->max);
5241 latency = __le16_to_cpu(req->latency);
5242 to_multiplier = __le16_to_cpu(req->to_multiplier);
5244 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5245 min, max, latency, to_multiplier);
5247 memset(&rsp, 0, sizeof(rsp));
5249 err = hci_check_conn_params(min, max, latency, to_multiplier);
5251 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5253 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5255 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5261 store_hint = hci_le_conn_update(hcon, min, max, latency,
5263 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5264 store_hint, min, max, latency,
5272 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5273 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5276 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5277 struct hci_conn *hcon = conn->hcon;
5278 u16 dcid, mtu, mps, credits, result;
5279 struct l2cap_chan *chan;
5282 if (cmd_len < sizeof(*rsp))
5285 dcid = __le16_to_cpu(rsp->dcid);
5286 mtu = __le16_to_cpu(rsp->mtu);
5287 mps = __le16_to_cpu(rsp->mps);
5288 credits = __le16_to_cpu(rsp->credits);
5289 result = __le16_to_cpu(rsp->result);
5291 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5292 dcid < L2CAP_CID_DYN_START ||
5293 dcid > L2CAP_CID_LE_DYN_END))
5296 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5297 dcid, mtu, mps, credits, result);
5299 mutex_lock(&conn->chan_lock);
5301 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5309 l2cap_chan_lock(chan);
5312 case L2CAP_CR_LE_SUCCESS:
5313 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5321 chan->remote_mps = mps;
5322 chan->tx_credits = credits;
5323 l2cap_chan_ready(chan);
5326 case L2CAP_CR_LE_AUTHENTICATION:
5327 case L2CAP_CR_LE_ENCRYPTION:
5328 /* If we already have MITM protection we can't do
5331 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5332 l2cap_chan_del(chan, ECONNREFUSED);
5336 sec_level = hcon->sec_level + 1;
5337 if (chan->sec_level < sec_level)
5338 chan->sec_level = sec_level;
5340 /* We'll need to send a new Connect Request */
5341 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5343 smp_conn_security(hcon, chan->sec_level);
5347 l2cap_chan_del(chan, ECONNREFUSED);
5351 l2cap_chan_unlock(chan);
5354 mutex_unlock(&conn->chan_lock);
5359 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5360 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5365 switch (cmd->code) {
5366 case L2CAP_COMMAND_REJ:
5367 l2cap_command_rej(conn, cmd, cmd_len, data);
5370 case L2CAP_CONN_REQ:
5371 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5374 case L2CAP_CONN_RSP:
5375 case L2CAP_CREATE_CHAN_RSP:
5376 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5379 case L2CAP_CONF_REQ:
5380 err = l2cap_config_req(conn, cmd, cmd_len, data);
5383 case L2CAP_CONF_RSP:
5384 l2cap_config_rsp(conn, cmd, cmd_len, data);
5387 case L2CAP_DISCONN_REQ:
5388 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5391 case L2CAP_DISCONN_RSP:
5392 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5395 case L2CAP_ECHO_REQ:
5396 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5399 case L2CAP_ECHO_RSP:
5402 case L2CAP_INFO_REQ:
5403 err = l2cap_information_req(conn, cmd, cmd_len, data);
5406 case L2CAP_INFO_RSP:
5407 l2cap_information_rsp(conn, cmd, cmd_len, data);
5410 case L2CAP_CREATE_CHAN_REQ:
5411 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5414 case L2CAP_MOVE_CHAN_REQ:
5415 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5418 case L2CAP_MOVE_CHAN_RSP:
5419 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5422 case L2CAP_MOVE_CHAN_CFM:
5423 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5426 case L2CAP_MOVE_CHAN_CFM_RSP:
5427 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5431 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5439 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5440 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5443 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5444 struct l2cap_le_conn_rsp rsp;
5445 struct l2cap_chan *chan, *pchan;
5446 u16 dcid, scid, credits, mtu, mps;
5450 if (cmd_len != sizeof(*req))
5453 scid = __le16_to_cpu(req->scid);
5454 mtu = __le16_to_cpu(req->mtu);
5455 mps = __le16_to_cpu(req->mps);
5460 if (mtu < 23 || mps < 23)
5463 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5466 /* Check if we have socket listening on psm */
5467 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5468 &conn->hcon->dst, LE_LINK);
5470 result = L2CAP_CR_LE_BAD_PSM;
5475 mutex_lock(&conn->chan_lock);
5476 l2cap_chan_lock(pchan);
5478 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5480 result = L2CAP_CR_LE_AUTHENTICATION;
5482 goto response_unlock;
5485 /* Check for valid dynamic CID range */
5486 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5487 result = L2CAP_CR_LE_INVALID_SCID;
5489 goto response_unlock;
5492 /* Check if we already have channel with that dcid */
5493 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5494 result = L2CAP_CR_LE_SCID_IN_USE;
5496 goto response_unlock;
5499 chan = pchan->ops->new_connection(pchan);
5501 result = L2CAP_CR_LE_NO_MEM;
5502 goto response_unlock;
5505 bacpy(&chan->src, &conn->hcon->src);
5506 bacpy(&chan->dst, &conn->hcon->dst);
5507 chan->src_type = bdaddr_src_type(conn->hcon);
5508 chan->dst_type = bdaddr_dst_type(conn->hcon);
5512 chan->remote_mps = mps;
5513 chan->tx_credits = __le16_to_cpu(req->credits);
5515 __l2cap_chan_add(conn, chan);
5517 l2cap_le_flowctl_init(chan);
5520 credits = chan->rx_credits;
5522 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5524 chan->ident = cmd->ident;
5526 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5527 l2cap_state_change(chan, BT_CONNECT2);
5528 /* The following result value is actually not defined
5529 * for LE CoC but we use it to let the function know
5530 * that it should bail out after doing its cleanup
5531 * instead of sending a response.
5533 result = L2CAP_CR_PEND;
5534 chan->ops->defer(chan);
5536 l2cap_chan_ready(chan);
5537 result = L2CAP_CR_LE_SUCCESS;
5541 l2cap_chan_unlock(pchan);
5542 mutex_unlock(&conn->chan_lock);
5543 l2cap_chan_put(pchan);
5545 if (result == L2CAP_CR_PEND)
5550 rsp.mtu = cpu_to_le16(chan->imtu);
5551 rsp.mps = cpu_to_le16(chan->mps);
5557 rsp.dcid = cpu_to_le16(dcid);
5558 rsp.credits = cpu_to_le16(credits);
5559 rsp.result = cpu_to_le16(result);
5561 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5566 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5567 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5570 struct l2cap_le_credits *pkt;
5571 struct l2cap_chan *chan;
5572 u16 cid, credits, max_credits;
5574 if (cmd_len != sizeof(*pkt))
5577 pkt = (struct l2cap_le_credits *) data;
5578 cid = __le16_to_cpu(pkt->cid);
5579 credits = __le16_to_cpu(pkt->credits);
5581 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5583 chan = l2cap_get_chan_by_dcid(conn, cid);
5587 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5588 if (credits > max_credits) {
5589 BT_ERR("LE credits overflow");
5590 l2cap_send_disconn_req(chan, ECONNRESET);
5591 l2cap_chan_unlock(chan);
5593 /* Return 0 so that we don't trigger an unnecessary
5594 * command reject packet.
5599 chan->tx_credits += credits;
5601 /* Resume sending */
5602 l2cap_le_flowctl_send(chan);
5604 if (chan->tx_credits)
5605 chan->ops->resume(chan);
5607 l2cap_chan_unlock(chan);
5612 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5613 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5616 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5617 struct l2cap_chan *chan;
5619 if (cmd_len < sizeof(*rej))
5622 mutex_lock(&conn->chan_lock);
5624 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5628 l2cap_chan_lock(chan);
5629 l2cap_chan_del(chan, ECONNREFUSED);
5630 l2cap_chan_unlock(chan);
5633 mutex_unlock(&conn->chan_lock);
5637 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5638 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5643 switch (cmd->code) {
5644 case L2CAP_COMMAND_REJ:
5645 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5648 case L2CAP_CONN_PARAM_UPDATE_REQ:
5649 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5652 case L2CAP_CONN_PARAM_UPDATE_RSP:
5655 case L2CAP_LE_CONN_RSP:
5656 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5659 case L2CAP_LE_CONN_REQ:
5660 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5663 case L2CAP_LE_CREDITS:
5664 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5667 case L2CAP_DISCONN_REQ:
5668 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5671 case L2CAP_DISCONN_RSP:
5672 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5676 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5684 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5685 struct sk_buff *skb)
5687 struct hci_conn *hcon = conn->hcon;
5688 struct l2cap_cmd_hdr *cmd;
5692 if (hcon->type != LE_LINK)
5695 if (skb->len < L2CAP_CMD_HDR_SIZE)
5698 cmd = (void *) skb->data;
5699 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5701 len = le16_to_cpu(cmd->len);
5703 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5705 if (len != skb->len || !cmd->ident) {
5706 BT_DBG("corrupted command");
5710 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5712 struct l2cap_cmd_rej_unk rej;
5714 BT_ERR("Wrong link type (%d)", err);
5716 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5717 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5725 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5726 struct sk_buff *skb)
5728 struct hci_conn *hcon = conn->hcon;
5729 u8 *data = skb->data;
5731 struct l2cap_cmd_hdr cmd;
5734 l2cap_raw_recv(conn, skb);
5736 if (hcon->type != ACL_LINK)
5739 while (len >= L2CAP_CMD_HDR_SIZE) {
5741 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5742 data += L2CAP_CMD_HDR_SIZE;
5743 len -= L2CAP_CMD_HDR_SIZE;
5745 cmd_len = le16_to_cpu(cmd.len);
5747 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5750 if (cmd_len > len || !cmd.ident) {
5751 BT_DBG("corrupted command");
5755 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5757 struct l2cap_cmd_rej_unk rej;
5759 BT_ERR("Wrong link type (%d)", err);
5761 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5762 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5774 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5776 u16 our_fcs, rcv_fcs;
5779 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5780 hdr_size = L2CAP_EXT_HDR_SIZE;
5782 hdr_size = L2CAP_ENH_HDR_SIZE;
5784 if (chan->fcs == L2CAP_FCS_CRC16) {
5785 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5786 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5787 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5789 if (our_fcs != rcv_fcs)
5795 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5797 struct l2cap_ctrl control;
5799 BT_DBG("chan %p", chan);
5801 memset(&control, 0, sizeof(control));
5804 control.reqseq = chan->buffer_seq;
5805 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5807 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5808 control.super = L2CAP_SUPER_RNR;
5809 l2cap_send_sframe(chan, &control);
5812 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5813 chan->unacked_frames > 0)
5814 __set_retrans_timer(chan);
5816 /* Send pending iframes */
5817 l2cap_ertm_send(chan);
5819 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5820 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5821 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5824 control.super = L2CAP_SUPER_RR;
5825 l2cap_send_sframe(chan, &control);
5829 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5830 struct sk_buff **last_frag)
5832 /* skb->len reflects data in skb as well as all fragments
5833 * skb->data_len reflects only data in fragments
5835 if (!skb_has_frag_list(skb))
5836 skb_shinfo(skb)->frag_list = new_frag;
5838 new_frag->next = NULL;
5840 (*last_frag)->next = new_frag;
5841 *last_frag = new_frag;
5843 skb->len += new_frag->len;
5844 skb->data_len += new_frag->len;
5845 skb->truesize += new_frag->truesize;
5848 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5849 struct l2cap_ctrl *control)
5853 switch (control->sar) {
5854 case L2CAP_SAR_UNSEGMENTED:
5858 err = chan->ops->recv(chan, skb);
5861 case L2CAP_SAR_START:
5865 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5868 chan->sdu_len = get_unaligned_le16(skb->data);
5869 skb_pull(skb, L2CAP_SDULEN_SIZE);
5871 if (chan->sdu_len > chan->imtu) {
5876 if (skb->len >= chan->sdu_len)
5880 chan->sdu_last_frag = skb;
5886 case L2CAP_SAR_CONTINUE:
5890 append_skb_frag(chan->sdu, skb,
5891 &chan->sdu_last_frag);
5894 if (chan->sdu->len >= chan->sdu_len)
5904 append_skb_frag(chan->sdu, skb,
5905 &chan->sdu_last_frag);
5908 if (chan->sdu->len != chan->sdu_len)
5911 err = chan->ops->recv(chan, chan->sdu);
5914 /* Reassembly complete */
5916 chan->sdu_last_frag = NULL;
5924 kfree_skb(chan->sdu);
5926 chan->sdu_last_frag = NULL;
5933 static int l2cap_resegment(struct l2cap_chan *chan)
5939 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5943 if (chan->mode != L2CAP_MODE_ERTM)
5946 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5947 l2cap_tx(chan, NULL, NULL, event);
5950 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5953 /* Pass sequential frames to l2cap_reassemble_sdu()
5954 * until a gap is encountered.
5957 BT_DBG("chan %p", chan);
5959 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5960 struct sk_buff *skb;
5961 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5962 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5964 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5969 skb_unlink(skb, &chan->srej_q);
5970 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5971 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5976 if (skb_queue_empty(&chan->srej_q)) {
5977 chan->rx_state = L2CAP_RX_STATE_RECV;
5978 l2cap_send_ack(chan);
5984 static void l2cap_handle_srej(struct l2cap_chan *chan,
5985 struct l2cap_ctrl *control)
5987 struct sk_buff *skb;
5989 BT_DBG("chan %p, control %p", chan, control);
5991 if (control->reqseq == chan->next_tx_seq) {
5992 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5993 l2cap_send_disconn_req(chan, ECONNRESET);
5997 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6000 BT_DBG("Seq %d not available for retransmission",
6005 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6006 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6007 l2cap_send_disconn_req(chan, ECONNRESET);
6011 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6013 if (control->poll) {
6014 l2cap_pass_to_tx(chan, control);
6016 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6017 l2cap_retransmit(chan, control);
6018 l2cap_ertm_send(chan);
6020 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6021 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6022 chan->srej_save_reqseq = control->reqseq;
6025 l2cap_pass_to_tx_fbit(chan, control);
6027 if (control->final) {
6028 if (chan->srej_save_reqseq != control->reqseq ||
6029 !test_and_clear_bit(CONN_SREJ_ACT,
6031 l2cap_retransmit(chan, control);
6033 l2cap_retransmit(chan, control);
6034 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6035 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6036 chan->srej_save_reqseq = control->reqseq;
6042 static void l2cap_handle_rej(struct l2cap_chan *chan,
6043 struct l2cap_ctrl *control)
6045 struct sk_buff *skb;
6047 BT_DBG("chan %p, control %p", chan, control);
6049 if (control->reqseq == chan->next_tx_seq) {
6050 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6051 l2cap_send_disconn_req(chan, ECONNRESET);
6055 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6057 if (chan->max_tx && skb &&
6058 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6059 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6060 l2cap_send_disconn_req(chan, ECONNRESET);
6064 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6066 l2cap_pass_to_tx(chan, control);
6068 if (control->final) {
6069 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6070 l2cap_retransmit_all(chan, control);
6072 l2cap_retransmit_all(chan, control);
6073 l2cap_ertm_send(chan);
6074 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6075 set_bit(CONN_REJ_ACT, &chan->conn_state);
6079 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6081 BT_DBG("chan %p, txseq %d", chan, txseq);
6083 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6084 chan->expected_tx_seq);
6086 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6087 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6089 /* See notes below regarding "double poll" and
6092 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6093 BT_DBG("Invalid/Ignore - after SREJ");
6094 return L2CAP_TXSEQ_INVALID_IGNORE;
6096 BT_DBG("Invalid - in window after SREJ sent");
6097 return L2CAP_TXSEQ_INVALID;
6101 if (chan->srej_list.head == txseq) {
6102 BT_DBG("Expected SREJ");
6103 return L2CAP_TXSEQ_EXPECTED_SREJ;
6106 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6107 BT_DBG("Duplicate SREJ - txseq already stored");
6108 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6111 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6112 BT_DBG("Unexpected SREJ - not requested");
6113 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6117 if (chan->expected_tx_seq == txseq) {
6118 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6120 BT_DBG("Invalid - txseq outside tx window");
6121 return L2CAP_TXSEQ_INVALID;
6124 return L2CAP_TXSEQ_EXPECTED;
6128 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6129 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6130 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6131 return L2CAP_TXSEQ_DUPLICATE;
6134 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6135 /* A source of invalid packets is a "double poll" condition,
6136 * where delays cause us to send multiple poll packets. If
6137 * the remote stack receives and processes both polls,
6138 * sequence numbers can wrap around in such a way that a
6139 * resent frame has a sequence number that looks like new data
6140 * with a sequence gap. This would trigger an erroneous SREJ
6143 * Fortunately, this is impossible with a tx window that's
6144 * less than half of the maximum sequence number, which allows
6145 * invalid frames to be safely ignored.
6147 * With tx window sizes greater than half of the tx window
6148 * maximum, the frame is invalid and cannot be ignored. This
6149 * causes a disconnect.
6152 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6153 BT_DBG("Invalid/Ignore - txseq outside tx window");
6154 return L2CAP_TXSEQ_INVALID_IGNORE;
6156 BT_DBG("Invalid - txseq outside tx window");
6157 return L2CAP_TXSEQ_INVALID;
6160 BT_DBG("Unexpected - txseq indicates missing frames");
6161 return L2CAP_TXSEQ_UNEXPECTED;
6165 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6166 struct l2cap_ctrl *control,
6167 struct sk_buff *skb, u8 event)
6170 bool skb_in_use = false;
6172 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6176 case L2CAP_EV_RECV_IFRAME:
6177 switch (l2cap_classify_txseq(chan, control->txseq)) {
6178 case L2CAP_TXSEQ_EXPECTED:
6179 l2cap_pass_to_tx(chan, control);
6181 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6182 BT_DBG("Busy, discarding expected seq %d",
6187 chan->expected_tx_seq = __next_seq(chan,
6190 chan->buffer_seq = chan->expected_tx_seq;
6193 err = l2cap_reassemble_sdu(chan, skb, control);
6197 if (control->final) {
6198 if (!test_and_clear_bit(CONN_REJ_ACT,
6199 &chan->conn_state)) {
6201 l2cap_retransmit_all(chan, control);
6202 l2cap_ertm_send(chan);
6206 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6207 l2cap_send_ack(chan);
6209 case L2CAP_TXSEQ_UNEXPECTED:
6210 l2cap_pass_to_tx(chan, control);
6212 /* Can't issue SREJ frames in the local busy state.
6213 * Drop this frame, it will be seen as missing
6214 * when local busy is exited.
6216 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6217 BT_DBG("Busy, discarding unexpected seq %d",
6222 /* There was a gap in the sequence, so an SREJ
6223 * must be sent for each missing frame. The
6224 * current frame is stored for later use.
6226 skb_queue_tail(&chan->srej_q, skb);
6228 BT_DBG("Queued %p (queue len %d)", skb,
6229 skb_queue_len(&chan->srej_q));
6231 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6232 l2cap_seq_list_clear(&chan->srej_list);
6233 l2cap_send_srej(chan, control->txseq);
6235 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6237 case L2CAP_TXSEQ_DUPLICATE:
6238 l2cap_pass_to_tx(chan, control);
6240 case L2CAP_TXSEQ_INVALID_IGNORE:
6242 case L2CAP_TXSEQ_INVALID:
6244 l2cap_send_disconn_req(chan, ECONNRESET);
6248 case L2CAP_EV_RECV_RR:
6249 l2cap_pass_to_tx(chan, control);
6250 if (control->final) {
6251 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6253 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6254 !__chan_is_moving(chan)) {
6256 l2cap_retransmit_all(chan, control);
6259 l2cap_ertm_send(chan);
6260 } else if (control->poll) {
6261 l2cap_send_i_or_rr_or_rnr(chan);
6263 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6264 &chan->conn_state) &&
6265 chan->unacked_frames)
6266 __set_retrans_timer(chan);
6268 l2cap_ertm_send(chan);
6271 case L2CAP_EV_RECV_RNR:
6272 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6273 l2cap_pass_to_tx(chan, control);
6274 if (control && control->poll) {
6275 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6276 l2cap_send_rr_or_rnr(chan, 0);
6278 __clear_retrans_timer(chan);
6279 l2cap_seq_list_clear(&chan->retrans_list);
6281 case L2CAP_EV_RECV_REJ:
6282 l2cap_handle_rej(chan, control);
6284 case L2CAP_EV_RECV_SREJ:
6285 l2cap_handle_srej(chan, control);
6291 if (skb && !skb_in_use) {
6292 BT_DBG("Freeing %p", skb);
6299 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6300 struct l2cap_ctrl *control,
6301 struct sk_buff *skb, u8 event)
6304 u16 txseq = control->txseq;
6305 bool skb_in_use = false;
6307 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6311 case L2CAP_EV_RECV_IFRAME:
6312 switch (l2cap_classify_txseq(chan, txseq)) {
6313 case L2CAP_TXSEQ_EXPECTED:
6314 /* Keep frame for reassembly later */
6315 l2cap_pass_to_tx(chan, control);
6316 skb_queue_tail(&chan->srej_q, skb);
6318 BT_DBG("Queued %p (queue len %d)", skb,
6319 skb_queue_len(&chan->srej_q));
6321 chan->expected_tx_seq = __next_seq(chan, txseq);
6323 case L2CAP_TXSEQ_EXPECTED_SREJ:
6324 l2cap_seq_list_pop(&chan->srej_list);
6326 l2cap_pass_to_tx(chan, control);
6327 skb_queue_tail(&chan->srej_q, skb);
6329 BT_DBG("Queued %p (queue len %d)", skb,
6330 skb_queue_len(&chan->srej_q));
6332 err = l2cap_rx_queued_iframes(chan);
6337 case L2CAP_TXSEQ_UNEXPECTED:
6338 /* Got a frame that can't be reassembled yet.
6339 * Save it for later, and send SREJs to cover
6340 * the missing frames.
6342 skb_queue_tail(&chan->srej_q, skb);
6344 BT_DBG("Queued %p (queue len %d)", skb,
6345 skb_queue_len(&chan->srej_q));
6347 l2cap_pass_to_tx(chan, control);
6348 l2cap_send_srej(chan, control->txseq);
6350 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6351 /* This frame was requested with an SREJ, but
6352 * some expected retransmitted frames are
6353 * missing. Request retransmission of missing
6356 skb_queue_tail(&chan->srej_q, skb);
6358 BT_DBG("Queued %p (queue len %d)", skb,
6359 skb_queue_len(&chan->srej_q));
6361 l2cap_pass_to_tx(chan, control);
6362 l2cap_send_srej_list(chan, control->txseq);
6364 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6365 /* We've already queued this frame. Drop this copy. */
6366 l2cap_pass_to_tx(chan, control);
6368 case L2CAP_TXSEQ_DUPLICATE:
6369 /* Expecting a later sequence number, so this frame
6370 * was already received. Ignore it completely.
6373 case L2CAP_TXSEQ_INVALID_IGNORE:
6375 case L2CAP_TXSEQ_INVALID:
6377 l2cap_send_disconn_req(chan, ECONNRESET);
6381 case L2CAP_EV_RECV_RR:
6382 l2cap_pass_to_tx(chan, control);
6383 if (control->final) {
6384 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6386 if (!test_and_clear_bit(CONN_REJ_ACT,
6387 &chan->conn_state)) {
6389 l2cap_retransmit_all(chan, control);
6392 l2cap_ertm_send(chan);
6393 } else if (control->poll) {
6394 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6395 &chan->conn_state) &&
6396 chan->unacked_frames) {
6397 __set_retrans_timer(chan);
6400 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6401 l2cap_send_srej_tail(chan);
6403 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6404 &chan->conn_state) &&
6405 chan->unacked_frames)
6406 __set_retrans_timer(chan);
6408 l2cap_send_ack(chan);
6411 case L2CAP_EV_RECV_RNR:
6412 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6413 l2cap_pass_to_tx(chan, control);
6414 if (control->poll) {
6415 l2cap_send_srej_tail(chan);
6417 struct l2cap_ctrl rr_control;
6418 memset(&rr_control, 0, sizeof(rr_control));
6419 rr_control.sframe = 1;
6420 rr_control.super = L2CAP_SUPER_RR;
6421 rr_control.reqseq = chan->buffer_seq;
6422 l2cap_send_sframe(chan, &rr_control);
6426 case L2CAP_EV_RECV_REJ:
6427 l2cap_handle_rej(chan, control);
6429 case L2CAP_EV_RECV_SREJ:
6430 l2cap_handle_srej(chan, control);
6434 if (skb && !skb_in_use) {
6435 BT_DBG("Freeing %p", skb);
6442 static int l2cap_finish_move(struct l2cap_chan *chan)
6444 BT_DBG("chan %p", chan);
6446 chan->rx_state = L2CAP_RX_STATE_RECV;
6449 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6451 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6453 return l2cap_resegment(chan);
6456 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6457 struct l2cap_ctrl *control,
6458 struct sk_buff *skb, u8 event)
6462 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6468 l2cap_process_reqseq(chan, control->reqseq);
6470 if (!skb_queue_empty(&chan->tx_q))
6471 chan->tx_send_head = skb_peek(&chan->tx_q);
6473 chan->tx_send_head = NULL;
6475 /* Rewind next_tx_seq to the point expected
6478 chan->next_tx_seq = control->reqseq;
6479 chan->unacked_frames = 0;
6481 err = l2cap_finish_move(chan);
6485 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6486 l2cap_send_i_or_rr_or_rnr(chan);
6488 if (event == L2CAP_EV_RECV_IFRAME)
6491 return l2cap_rx_state_recv(chan, control, NULL, event);
6494 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6495 struct l2cap_ctrl *control,
6496 struct sk_buff *skb, u8 event)
6500 if (!control->final)
6503 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6505 chan->rx_state = L2CAP_RX_STATE_RECV;
6506 l2cap_process_reqseq(chan, control->reqseq);
6508 if (!skb_queue_empty(&chan->tx_q))
6509 chan->tx_send_head = skb_peek(&chan->tx_q);
6511 chan->tx_send_head = NULL;
6513 /* Rewind next_tx_seq to the point expected
6516 chan->next_tx_seq = control->reqseq;
6517 chan->unacked_frames = 0;
6520 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6522 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6524 err = l2cap_resegment(chan);
6527 err = l2cap_rx_state_recv(chan, control, skb, event);
6532 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6534 /* Make sure reqseq is for a packet that has been sent but not acked */
6537 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6538 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6541 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6542 struct sk_buff *skb, u8 event)
6546 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6547 control, skb, event, chan->rx_state);
6549 if (__valid_reqseq(chan, control->reqseq)) {
6550 switch (chan->rx_state) {
6551 case L2CAP_RX_STATE_RECV:
6552 err = l2cap_rx_state_recv(chan, control, skb, event);
6554 case L2CAP_RX_STATE_SREJ_SENT:
6555 err = l2cap_rx_state_srej_sent(chan, control, skb,
6558 case L2CAP_RX_STATE_WAIT_P:
6559 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6561 case L2CAP_RX_STATE_WAIT_F:
6562 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6569 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6570 control->reqseq, chan->next_tx_seq,
6571 chan->expected_ack_seq);
6572 l2cap_send_disconn_req(chan, ECONNRESET);
6578 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6579 struct sk_buff *skb)
6581 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6584 if (l2cap_classify_txseq(chan, control->txseq) ==
6585 L2CAP_TXSEQ_EXPECTED) {
6586 l2cap_pass_to_tx(chan, control);
6588 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6589 __next_seq(chan, chan->buffer_seq));
6591 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6593 l2cap_reassemble_sdu(chan, skb, control);
6596 kfree_skb(chan->sdu);
6599 chan->sdu_last_frag = NULL;
6603 BT_DBG("Freeing %p", skb);
6608 chan->last_acked_seq = control->txseq;
6609 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6614 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6616 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6620 __unpack_control(chan, skb);
6625 * We can just drop the corrupted I-frame here.
6626 * Receiver will miss it and start proper recovery
6627 * procedures and ask for retransmission.
6629 if (l2cap_check_fcs(chan, skb))
6632 if (!control->sframe && control->sar == L2CAP_SAR_START)
6633 len -= L2CAP_SDULEN_SIZE;
6635 if (chan->fcs == L2CAP_FCS_CRC16)
6636 len -= L2CAP_FCS_SIZE;
6638 if (len > chan->mps) {
6639 l2cap_send_disconn_req(chan, ECONNRESET);
6643 if ((chan->mode == L2CAP_MODE_ERTM ||
6644 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6647 if (!control->sframe) {
6650 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6651 control->sar, control->reqseq, control->final,
6654 /* Validate F-bit - F=0 always valid, F=1 only
6655 * valid in TX WAIT_F
6657 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6660 if (chan->mode != L2CAP_MODE_STREAMING) {
6661 event = L2CAP_EV_RECV_IFRAME;
6662 err = l2cap_rx(chan, control, skb, event);
6664 err = l2cap_stream_rx(chan, control, skb);
6668 l2cap_send_disconn_req(chan, ECONNRESET);
6670 const u8 rx_func_to_event[4] = {
6671 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6672 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6675 /* Only I-frames are expected in streaming mode */
6676 if (chan->mode == L2CAP_MODE_STREAMING)
6679 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6680 control->reqseq, control->final, control->poll,
6684 BT_ERR("Trailing bytes: %d in sframe", len);
6685 l2cap_send_disconn_req(chan, ECONNRESET);
6689 /* Validate F and P bits */
6690 if (control->final && (control->poll ||
6691 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6694 event = rx_func_to_event[control->super];
6695 if (l2cap_rx(chan, control, skb, event))
6696 l2cap_send_disconn_req(chan, ECONNRESET);
6706 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6708 struct l2cap_conn *conn = chan->conn;
6709 struct l2cap_le_credits pkt;
6712 return_credits = ((chan->imtu / chan->mps) + 1) - chan->rx_credits;
6714 if (!return_credits)
6717 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6719 chan->rx_credits += return_credits;
6721 pkt.cid = cpu_to_le16(chan->scid);
6722 pkt.credits = cpu_to_le16(return_credits);
6724 chan->ident = l2cap_get_ident(conn);
6726 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6729 static int l2cap_le_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6733 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6735 /* Wait recv to confirm reception before updating the credits */
6736 err = chan->ops->recv(chan, skb);
6738 /* Update credits whenever an SDU is received */
6739 l2cap_chan_le_send_credits(chan);
6744 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6748 if (!chan->rx_credits) {
6749 BT_ERR("No credits to receive LE L2CAP data");
6750 l2cap_send_disconn_req(chan, ECONNRESET);
6754 if (chan->imtu < skb->len) {
6755 BT_ERR("Too big LE L2CAP PDU");
6760 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6762 /* Update if remote had run out of credits, this should only happens
6763 * if the remote is not using the entire MPS.
6765 if (!chan->rx_credits)
6766 l2cap_chan_le_send_credits(chan);
6773 sdu_len = get_unaligned_le16(skb->data);
6774 skb_pull(skb, L2CAP_SDULEN_SIZE);
6776 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6777 sdu_len, skb->len, chan->imtu);
6779 if (sdu_len > chan->imtu) {
6780 BT_ERR("Too big LE L2CAP SDU length received");
6785 if (skb->len > sdu_len) {
6786 BT_ERR("Too much LE L2CAP data received");
6791 if (skb->len == sdu_len)
6792 return l2cap_le_recv(chan, skb);
6795 chan->sdu_len = sdu_len;
6796 chan->sdu_last_frag = skb;
6798 /* Detect if remote is not able to use the selected MPS */
6799 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6800 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6802 /* Adjust the number of credits */
6803 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6804 chan->mps = mps_len;
6805 l2cap_chan_le_send_credits(chan);
6811 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6812 chan->sdu->len, skb->len, chan->sdu_len);
6814 if (chan->sdu->len + skb->len > chan->sdu_len) {
6815 BT_ERR("Too much LE L2CAP data received");
6820 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6823 if (chan->sdu->len == chan->sdu_len) {
6824 err = l2cap_le_recv(chan, chan->sdu);
6827 chan->sdu_last_frag = NULL;
6835 kfree_skb(chan->sdu);
6837 chan->sdu_last_frag = NULL;
6841 /* We can't return an error here since we took care of the skb
6842 * freeing internally. An error return would cause the caller to
6843 * do a double-free of the skb.
6848 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6849 struct sk_buff *skb)
6851 struct l2cap_chan *chan;
6853 chan = l2cap_get_chan_by_scid(conn, cid);
6855 if (cid == L2CAP_CID_A2MP) {
6856 chan = a2mp_channel_create(conn, skb);
6862 l2cap_chan_lock(chan);
6864 BT_DBG("unknown cid 0x%4.4x", cid);
6865 /* Drop packet and return */
6871 BT_DBG("chan %p, len %d", chan, skb->len);
6873 /* If we receive data on a fixed channel before the info req/rsp
6874 * procdure is done simply assume that the channel is supported
6875 * and mark it as ready.
6877 if (chan->chan_type == L2CAP_CHAN_FIXED)
6878 l2cap_chan_ready(chan);
6880 if (chan->state != BT_CONNECTED)
6883 switch (chan->mode) {
6884 case L2CAP_MODE_LE_FLOWCTL:
6885 if (l2cap_le_data_rcv(chan, skb) < 0)
6890 case L2CAP_MODE_BASIC:
6891 /* If socket recv buffers overflows we drop data here
6892 * which is *bad* because L2CAP has to be reliable.
6893 * But we don't have any other choice. L2CAP doesn't
6894 * provide flow control mechanism. */
6896 if (chan->imtu < skb->len) {
6897 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6901 if (!chan->ops->recv(chan, skb))
6905 case L2CAP_MODE_ERTM:
6906 case L2CAP_MODE_STREAMING:
6907 l2cap_data_rcv(chan, skb);
6911 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6919 l2cap_chan_unlock(chan);
6922 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6923 struct sk_buff *skb)
6925 struct hci_conn *hcon = conn->hcon;
6926 struct l2cap_chan *chan;
6928 if (hcon->type != ACL_LINK)
6931 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6936 BT_DBG("chan %p, len %d", chan, skb->len);
6938 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6941 if (chan->imtu < skb->len)
6944 /* Store remote BD_ADDR and PSM for msg_name */
6945 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6946 bt_cb(skb)->l2cap.psm = psm;
6948 if (!chan->ops->recv(chan, skb)) {
6949 l2cap_chan_put(chan);
6954 l2cap_chan_put(chan);
6959 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6961 struct l2cap_hdr *lh = (void *) skb->data;
6962 struct hci_conn *hcon = conn->hcon;
6966 if (hcon->state != BT_CONNECTED) {
6967 BT_DBG("queueing pending rx skb");
6968 skb_queue_tail(&conn->pending_rx, skb);
6972 skb_pull(skb, L2CAP_HDR_SIZE);
6973 cid = __le16_to_cpu(lh->cid);
6974 len = __le16_to_cpu(lh->len);
6976 if (len != skb->len) {
6981 /* Since we can't actively block incoming LE connections we must
6982 * at least ensure that we ignore incoming data from them.
6984 if (hcon->type == LE_LINK &&
6985 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6986 bdaddr_dst_type(hcon))) {
6991 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6994 case L2CAP_CID_SIGNALING:
6995 l2cap_sig_channel(conn, skb);
6998 case L2CAP_CID_CONN_LESS:
6999 psm = get_unaligned((__le16 *) skb->data);
7000 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7001 l2cap_conless_channel(conn, psm, skb);
7004 case L2CAP_CID_LE_SIGNALING:
7005 l2cap_le_sig_channel(conn, skb);
7009 l2cap_data_channel(conn, cid, skb);
7014 static void process_pending_rx(struct work_struct *work)
7016 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7018 struct sk_buff *skb;
7022 while ((skb = skb_dequeue(&conn->pending_rx)))
7023 l2cap_recv_frame(conn, skb);
7026 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7028 struct l2cap_conn *conn = hcon->l2cap_data;
7029 struct hci_chan *hchan;
7034 hchan = hci_chan_create(hcon);
7038 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7040 hci_chan_del(hchan);
7044 kref_init(&conn->ref);
7045 hcon->l2cap_data = conn;
7046 conn->hcon = hci_conn_get(hcon);
7047 conn->hchan = hchan;
7049 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7051 switch (hcon->type) {
7053 if (hcon->hdev->le_mtu) {
7054 conn->mtu = hcon->hdev->le_mtu;
7059 conn->mtu = hcon->hdev->acl_mtu;
7063 conn->feat_mask = 0;
7065 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7067 if (hcon->type == ACL_LINK &&
7068 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7069 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7071 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7072 (bredr_sc_enabled(hcon->hdev) ||
7073 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7074 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7076 mutex_init(&conn->ident_lock);
7077 mutex_init(&conn->chan_lock);
7079 INIT_LIST_HEAD(&conn->chan_l);
7080 INIT_LIST_HEAD(&conn->users);
7082 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7084 skb_queue_head_init(&conn->pending_rx);
7085 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7086 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7088 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7093 static bool is_valid_psm(u16 psm, u8 dst_type) {
7097 if (bdaddr_type_is_le(dst_type))
7098 return (psm <= 0x00ff);
7100 /* PSM must be odd and lsb of upper byte must be 0 */
7101 return ((psm & 0x0101) == 0x0001);
7104 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7105 bdaddr_t *dst, u8 dst_type)
7107 struct l2cap_conn *conn;
7108 struct hci_conn *hcon;
7109 struct hci_dev *hdev;
7112 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7113 dst_type, __le16_to_cpu(psm));
7115 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7117 return -EHOSTUNREACH;
7121 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7122 chan->chan_type != L2CAP_CHAN_RAW) {
7127 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7132 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7137 switch (chan->mode) {
7138 case L2CAP_MODE_BASIC:
7140 case L2CAP_MODE_LE_FLOWCTL:
7142 case L2CAP_MODE_ERTM:
7143 case L2CAP_MODE_STREAMING:
7152 switch (chan->state) {
7156 /* Already connecting */
7161 /* Already connected */
7175 /* Set destination address and psm */
7176 bacpy(&chan->dst, dst);
7177 chan->dst_type = dst_type;
7182 if (bdaddr_type_is_le(dst_type)) {
7183 /* Convert from L2CAP channel address type to HCI address type
7185 if (dst_type == BDADDR_LE_PUBLIC)
7186 dst_type = ADDR_LE_DEV_PUBLIC;
7188 dst_type = ADDR_LE_DEV_RANDOM;
7190 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7191 hcon = hci_connect_le(hdev, dst, dst_type,
7193 HCI_LE_CONN_TIMEOUT,
7194 HCI_ROLE_SLAVE, NULL);
7196 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7198 HCI_LE_CONN_TIMEOUT);
7201 u8 auth_type = l2cap_get_auth_type(chan);
7202 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7206 err = PTR_ERR(hcon);
7210 conn = l2cap_conn_add(hcon);
7212 hci_conn_drop(hcon);
7217 mutex_lock(&conn->chan_lock);
7218 l2cap_chan_lock(chan);
7220 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7221 hci_conn_drop(hcon);
7226 /* Update source addr of the socket */
7227 bacpy(&chan->src, &hcon->src);
7228 chan->src_type = bdaddr_src_type(hcon);
7230 __l2cap_chan_add(conn, chan);
7232 /* l2cap_chan_add takes its own ref so we can drop this one */
7233 hci_conn_drop(hcon);
7235 l2cap_state_change(chan, BT_CONNECT);
7236 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7238 /* Release chan->sport so that it can be reused by other
7239 * sockets (as it's only used for listening sockets).
7241 write_lock(&chan_list_lock);
7243 write_unlock(&chan_list_lock);
7245 if (hcon->state == BT_CONNECTED) {
7246 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7247 __clear_chan_timer(chan);
7248 if (l2cap_chan_check_security(chan, true))
7249 l2cap_state_change(chan, BT_CONNECTED);
7251 l2cap_do_start(chan);
7257 l2cap_chan_unlock(chan);
7258 mutex_unlock(&conn->chan_lock);
7260 hci_dev_unlock(hdev);
7264 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7266 /* ---- L2CAP interface with lower layer (HCI) ---- */
7268 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7270 int exact = 0, lm1 = 0, lm2 = 0;
7271 struct l2cap_chan *c;
7273 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7275 /* Find listening sockets and check their link_mode */
7276 read_lock(&chan_list_lock);
7277 list_for_each_entry(c, &chan_list, global_l) {
7278 if (c->state != BT_LISTEN)
7281 if (!bacmp(&c->src, &hdev->bdaddr)) {
7282 lm1 |= HCI_LM_ACCEPT;
7283 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7284 lm1 |= HCI_LM_MASTER;
7286 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7287 lm2 |= HCI_LM_ACCEPT;
7288 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7289 lm2 |= HCI_LM_MASTER;
7292 read_unlock(&chan_list_lock);
7294 return exact ? lm1 : lm2;
7297 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7298 * from an existing channel in the list or from the beginning of the
7299 * global list (by passing NULL as first parameter).
7301 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7302 struct hci_conn *hcon)
7304 u8 src_type = bdaddr_src_type(hcon);
7306 read_lock(&chan_list_lock);
7309 c = list_next_entry(c, global_l);
7311 c = list_entry(chan_list.next, typeof(*c), global_l);
7313 list_for_each_entry_from(c, &chan_list, global_l) {
7314 if (c->chan_type != L2CAP_CHAN_FIXED)
7316 if (c->state != BT_LISTEN)
7318 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7320 if (src_type != c->src_type)
7324 read_unlock(&chan_list_lock);
7328 read_unlock(&chan_list_lock);
7333 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7335 struct hci_dev *hdev = hcon->hdev;
7336 struct l2cap_conn *conn;
7337 struct l2cap_chan *pchan;
7340 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7343 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7346 l2cap_conn_del(hcon, bt_to_errno(status));
7350 conn = l2cap_conn_add(hcon);
7354 dst_type = bdaddr_dst_type(hcon);
7356 /* If device is blocked, do not create channels for it */
7357 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7360 /* Find fixed channels and notify them of the new connection. We
7361 * use multiple individual lookups, continuing each time where
7362 * we left off, because the list lock would prevent calling the
7363 * potentially sleeping l2cap_chan_lock() function.
7365 pchan = l2cap_global_fixed_chan(NULL, hcon);
7367 struct l2cap_chan *chan, *next;
7369 /* Client fixed channels should override server ones */
7370 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7373 l2cap_chan_lock(pchan);
7374 chan = pchan->ops->new_connection(pchan);
7376 bacpy(&chan->src, &hcon->src);
7377 bacpy(&chan->dst, &hcon->dst);
7378 chan->src_type = bdaddr_src_type(hcon);
7379 chan->dst_type = dst_type;
7381 __l2cap_chan_add(conn, chan);
7384 l2cap_chan_unlock(pchan);
7386 next = l2cap_global_fixed_chan(pchan, hcon);
7387 l2cap_chan_put(pchan);
7391 l2cap_conn_ready(conn);
7394 int l2cap_disconn_ind(struct hci_conn *hcon)
7396 struct l2cap_conn *conn = hcon->l2cap_data;
7398 BT_DBG("hcon %p", hcon);
7401 return HCI_ERROR_REMOTE_USER_TERM;
7402 return conn->disc_reason;
7405 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7407 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7410 BT_DBG("hcon %p reason %d", hcon, reason);
7412 l2cap_conn_del(hcon, bt_to_errno(reason));
7415 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7417 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7420 if (encrypt == 0x00) {
7421 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7422 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7423 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7424 chan->sec_level == BT_SECURITY_FIPS)
7425 l2cap_chan_close(chan, ECONNREFUSED);
7427 if (chan->sec_level == BT_SECURITY_MEDIUM)
7428 __clear_chan_timer(chan);
7432 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7434 struct l2cap_conn *conn = hcon->l2cap_data;
7435 struct l2cap_chan *chan;
7440 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7442 mutex_lock(&conn->chan_lock);
7444 list_for_each_entry(chan, &conn->chan_l, list) {
7445 l2cap_chan_lock(chan);
7447 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7448 state_to_string(chan->state));
7450 if (chan->scid == L2CAP_CID_A2MP) {
7451 l2cap_chan_unlock(chan);
7455 if (!status && encrypt)
7456 chan->sec_level = hcon->sec_level;
7458 if (!__l2cap_no_conn_pending(chan)) {
7459 l2cap_chan_unlock(chan);
7463 if (!status && (chan->state == BT_CONNECTED ||
7464 chan->state == BT_CONFIG)) {
7465 chan->ops->resume(chan);
7466 l2cap_check_encryption(chan, encrypt);
7467 l2cap_chan_unlock(chan);
7471 if (chan->state == BT_CONNECT) {
7473 l2cap_start_connection(chan);
7475 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7476 } else if (chan->state == BT_CONNECT2 &&
7477 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7478 struct l2cap_conn_rsp rsp;
7482 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7483 res = L2CAP_CR_PEND;
7484 stat = L2CAP_CS_AUTHOR_PEND;
7485 chan->ops->defer(chan);
7487 l2cap_state_change(chan, BT_CONFIG);
7488 res = L2CAP_CR_SUCCESS;
7489 stat = L2CAP_CS_NO_INFO;
7492 l2cap_state_change(chan, BT_DISCONN);
7493 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7494 res = L2CAP_CR_SEC_BLOCK;
7495 stat = L2CAP_CS_NO_INFO;
7498 rsp.scid = cpu_to_le16(chan->dcid);
7499 rsp.dcid = cpu_to_le16(chan->scid);
7500 rsp.result = cpu_to_le16(res);
7501 rsp.status = cpu_to_le16(stat);
7502 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7505 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7506 res == L2CAP_CR_SUCCESS) {
7508 set_bit(CONF_REQ_SENT, &chan->conf_state);
7509 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7511 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7513 chan->num_conf_req++;
7517 l2cap_chan_unlock(chan);
7520 mutex_unlock(&conn->chan_lock);
7523 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7525 struct l2cap_conn *conn = hcon->l2cap_data;
7526 struct l2cap_hdr *hdr;
7529 /* For AMP controller do not create l2cap conn */
7530 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7534 conn = l2cap_conn_add(hcon);
7539 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7543 case ACL_START_NO_FLUSH:
7546 BT_ERR("Unexpected start frame (len %d)", skb->len);
7547 kfree_skb(conn->rx_skb);
7548 conn->rx_skb = NULL;
7550 l2cap_conn_unreliable(conn, ECOMM);
7553 /* Start fragment always begin with Basic L2CAP header */
7554 if (skb->len < L2CAP_HDR_SIZE) {
7555 BT_ERR("Frame is too short (len %d)", skb->len);
7556 l2cap_conn_unreliable(conn, ECOMM);
7560 hdr = (struct l2cap_hdr *) skb->data;
7561 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7563 if (len == skb->len) {
7564 /* Complete frame received */
7565 l2cap_recv_frame(conn, skb);
7569 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7571 if (skb->len > len) {
7572 BT_ERR("Frame is too long (len %d, expected len %d)",
7574 l2cap_conn_unreliable(conn, ECOMM);
7578 /* Allocate skb for the complete frame (with header) */
7579 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7583 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7585 conn->rx_len = len - skb->len;
7589 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7591 if (!conn->rx_len) {
7592 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7593 l2cap_conn_unreliable(conn, ECOMM);
7597 if (skb->len > conn->rx_len) {
7598 BT_ERR("Fragment is too long (len %d, expected %d)",
7599 skb->len, conn->rx_len);
7600 kfree_skb(conn->rx_skb);
7601 conn->rx_skb = NULL;
7603 l2cap_conn_unreliable(conn, ECOMM);
7607 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7609 conn->rx_len -= skb->len;
7611 if (!conn->rx_len) {
7612 /* Complete frame received. l2cap_recv_frame
7613 * takes ownership of the skb so set the global
7614 * rx_skb pointer to NULL first.
7616 struct sk_buff *rx_skb = conn->rx_skb;
7617 conn->rx_skb = NULL;
7618 l2cap_recv_frame(conn, rx_skb);
7627 static struct hci_cb l2cap_cb = {
7629 .connect_cfm = l2cap_connect_cfm,
7630 .disconn_cfm = l2cap_disconn_cfm,
7631 .security_cfm = l2cap_security_cfm,
7634 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7636 struct l2cap_chan *c;
7638 read_lock(&chan_list_lock);
7640 list_for_each_entry(c, &chan_list, global_l) {
7641 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7642 &c->src, c->src_type, &c->dst, c->dst_type,
7643 c->state, __le16_to_cpu(c->psm),
7644 c->scid, c->dcid, c->imtu, c->omtu,
7645 c->sec_level, c->mode);
7648 read_unlock(&chan_list_lock);
7653 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7655 return single_open(file, l2cap_debugfs_show, inode->i_private);
7658 static const struct file_operations l2cap_debugfs_fops = {
7659 .open = l2cap_debugfs_open,
7661 .llseek = seq_lseek,
7662 .release = single_release,
7665 static struct dentry *l2cap_debugfs;
7667 int __init l2cap_init(void)
7671 err = l2cap_init_sockets();
7675 hci_register_cb(&l2cap_cb);
7677 if (IS_ERR_OR_NULL(bt_debugfs))
7680 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7681 NULL, &l2cap_debugfs_fops);
7686 void l2cap_exit(void)
7688 debugfs_remove(l2cap_debugfs);
7689 hci_unregister_cb(&l2cap_cb);
7690 l2cap_cleanup_sockets();
7693 module_param(disable_ertm, bool, 0644);
7694 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / linux-2.6-microblaze.git / blob