2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
50 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
52 static LIST_HEAD(chan_list);
53 static DEFINE_RWLOCK(chan_list_lock);
55 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
56 u8 code, u8 ident, u16 dlen, void *data);
57 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
60 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
63 struct sk_buff_head *skbs, u8 event);
65 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67 if (link_type == LE_LINK) {
68 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
69 return BDADDR_LE_PUBLIC;
71 return BDADDR_LE_RANDOM;
77 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79 return bdaddr_type(hcon->type, hcon->src_type);
82 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84 return bdaddr_type(hcon->type, hcon->dst_type);
87 /* ---- L2CAP channels ---- */
89 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
94 list_for_each_entry(c, &conn->chan_l, list) {
101 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
104 struct l2cap_chan *c;
106 list_for_each_entry(c, &conn->chan_l, list) {
113 /* Find channel with given SCID.
114 * Returns locked channel. */
115 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 struct l2cap_chan *c;
120 mutex_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
124 mutex_unlock(&conn->chan_lock);
129 /* Find channel with given DCID.
130 * Returns locked channel.
132 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
135 struct l2cap_chan *c;
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_dcid(conn, cid);
141 mutex_unlock(&conn->chan_lock);
146 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
149 struct l2cap_chan *c;
151 list_for_each_entry(c, &conn->chan_l, list) {
152 if (c->ident == ident)
158 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
161 struct l2cap_chan *c;
163 mutex_lock(&conn->chan_lock);
164 c = __l2cap_get_chan_by_ident(conn, ident);
167 mutex_unlock(&conn->chan_lock);
172 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
175 struct l2cap_chan *c;
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
181 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
184 if (c->sport == psm && !bacmp(&c->src, src))
190 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
194 write_lock(&chan_list_lock);
196 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
206 u16 p, start, end, incr;
208 if (chan->src_type == BDADDR_BREDR) {
209 start = L2CAP_PSM_DYN_START;
210 end = L2CAP_PSM_AUTO_END;
213 start = L2CAP_PSM_LE_DYN_START;
214 end = L2CAP_PSM_LE_DYN_END;
219 for (p = start; p <= end; p += incr)
220 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
222 chan->psm = cpu_to_le16(p);
223 chan->sport = cpu_to_le16(p);
230 write_unlock(&chan_list_lock);
233 EXPORT_SYMBOL_GPL(l2cap_add_psm);
235 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
237 write_lock(&chan_list_lock);
239 /* Override the defaults (which are for conn-oriented) */
240 chan->omtu = L2CAP_DEFAULT_MTU;
241 chan->chan_type = L2CAP_CHAN_FIXED;
245 write_unlock(&chan_list_lock);
250 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
254 if (conn->hcon->type == LE_LINK)
255 dyn_end = L2CAP_CID_LE_DYN_END;
257 dyn_end = L2CAP_CID_DYN_END;
259 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
260 if (!__l2cap_get_chan_by_scid(conn, cid))
267 static void l2cap_state_change(struct l2cap_chan *chan, int state)
269 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
270 state_to_string(state));
273 chan->ops->state_change(chan, state, 0);
276 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
280 chan->ops->state_change(chan, chan->state, err);
283 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
285 chan->ops->state_change(chan, chan->state, err);
288 static void __set_retrans_timer(struct l2cap_chan *chan)
290 if (!delayed_work_pending(&chan->monitor_timer) &&
291 chan->retrans_timeout) {
292 l2cap_set_timer(chan, &chan->retrans_timer,
293 msecs_to_jiffies(chan->retrans_timeout));
297 static void __set_monitor_timer(struct l2cap_chan *chan)
299 __clear_retrans_timer(chan);
300 if (chan->monitor_timeout) {
301 l2cap_set_timer(chan, &chan->monitor_timer,
302 msecs_to_jiffies(chan->monitor_timeout));
306 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
311 skb_queue_walk(head, skb) {
312 if (bt_cb(skb)->l2cap.txseq == seq)
319 /* ---- L2CAP sequence number lists ---- */
321 /* For ERTM, ordered lists of sequence numbers must be tracked for
322 * SREJ requests that are received and for frames that are to be
323 * retransmitted. These seq_list functions implement a singly-linked
324 * list in an array, where membership in the list can also be checked
325 * in constant time. Items can also be added to the tail of the list
326 * and removed from the head in constant time, without further memory
330 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
332 size_t alloc_size, i;
334 /* Allocated size is a power of 2 to map sequence numbers
335 * (which may be up to 14 bits) in to a smaller array that is
336 * sized for the negotiated ERTM transmit windows.
338 alloc_size = roundup_pow_of_two(size);
340 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
344 seq_list->mask = alloc_size - 1;
345 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
346 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
347 for (i = 0; i < alloc_size; i++)
348 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
353 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
355 kfree(seq_list->list);
358 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
361 /* Constant-time check for list membership */
362 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
365 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
367 u16 seq = seq_list->head;
368 u16 mask = seq_list->mask;
370 seq_list->head = seq_list->list[seq & mask];
371 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
373 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
381 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
395 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
397 u16 mask = seq_list->mask;
399 /* All appends happen in constant time */
401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
407 seq_list->list[seq_list->tail & mask] = seq;
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
413 static void l2cap_chan_timeout(struct work_struct *work)
415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
417 struct l2cap_conn *conn = chan->conn;
420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
422 mutex_lock(&conn->chan_lock);
423 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
424 * this work. No need to call l2cap_chan_hold(chan) here again.
426 l2cap_chan_lock(chan);
428 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
429 reason = ECONNREFUSED;
430 else if (chan->state == BT_CONNECT &&
431 chan->sec_level != BT_SECURITY_SDP)
432 reason = ECONNREFUSED;
436 l2cap_chan_close(chan, reason);
438 chan->ops->close(chan);
440 l2cap_chan_unlock(chan);
441 l2cap_chan_put(chan);
443 mutex_unlock(&conn->chan_lock);
446 struct l2cap_chan *l2cap_chan_create(void)
448 struct l2cap_chan *chan;
450 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
454 skb_queue_head_init(&chan->tx_q);
455 skb_queue_head_init(&chan->srej_q);
456 mutex_init(&chan->lock);
458 /* Set default lock nesting level */
459 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
461 write_lock(&chan_list_lock);
462 list_add(&chan->global_l, &chan_list);
463 write_unlock(&chan_list_lock);
465 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
467 chan->state = BT_OPEN;
469 kref_init(&chan->kref);
471 /* This flag is cleared in l2cap_chan_ready() */
472 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
474 BT_DBG("chan %p", chan);
478 EXPORT_SYMBOL_GPL(l2cap_chan_create);
480 static void l2cap_chan_destroy(struct kref *kref)
482 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
484 BT_DBG("chan %p", chan);
486 write_lock(&chan_list_lock);
487 list_del(&chan->global_l);
488 write_unlock(&chan_list_lock);
493 void l2cap_chan_hold(struct l2cap_chan *c)
495 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
500 void l2cap_chan_put(struct l2cap_chan *c)
502 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
504 kref_put(&c->kref, l2cap_chan_destroy);
506 EXPORT_SYMBOL_GPL(l2cap_chan_put);
508 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
510 chan->fcs = L2CAP_FCS_CRC16;
511 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
512 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
513 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
514 chan->remote_max_tx = chan->max_tx;
515 chan->remote_tx_win = chan->tx_win;
516 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
517 chan->sec_level = BT_SECURITY_LOW;
518 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
519 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
520 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
522 chan->conf_state = 0;
523 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
525 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
527 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
529 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
532 chan->sdu_last_frag = NULL;
534 chan->tx_credits = tx_credits;
535 /* Derive MPS from connection MTU to stop HCI fragmentation */
536 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
537 /* Give enough credits for a full packet */
538 chan->rx_credits = (chan->imtu / chan->mps) + 1;
540 skb_queue_head_init(&chan->tx_q);
543 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
545 l2cap_le_flowctl_init(chan, tx_credits);
547 /* L2CAP implementations shall support a minimum MPS of 64 octets */
548 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
549 chan->mps = L2CAP_ECRED_MIN_MPS;
550 chan->rx_credits = (chan->imtu / chan->mps) + 1;
554 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
556 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
557 __le16_to_cpu(chan->psm), chan->dcid);
559 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
563 switch (chan->chan_type) {
564 case L2CAP_CHAN_CONN_ORIENTED:
565 /* Alloc CID for connection-oriented socket */
566 chan->scid = l2cap_alloc_cid(conn);
567 if (conn->hcon->type == ACL_LINK)
568 chan->omtu = L2CAP_DEFAULT_MTU;
571 case L2CAP_CHAN_CONN_LESS:
572 /* Connectionless socket */
573 chan->scid = L2CAP_CID_CONN_LESS;
574 chan->dcid = L2CAP_CID_CONN_LESS;
575 chan->omtu = L2CAP_DEFAULT_MTU;
578 case L2CAP_CHAN_FIXED:
579 /* Caller will set CID and CID specific MTU values */
583 /* Raw socket can send/recv signalling messages only */
584 chan->scid = L2CAP_CID_SIGNALING;
585 chan->dcid = L2CAP_CID_SIGNALING;
586 chan->omtu = L2CAP_DEFAULT_MTU;
589 chan->local_id = L2CAP_BESTEFFORT_ID;
590 chan->local_stype = L2CAP_SERV_BESTEFFORT;
591 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
592 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
593 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
594 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
596 l2cap_chan_hold(chan);
598 /* Only keep a reference for fixed channels if they requested it */
599 if (chan->chan_type != L2CAP_CHAN_FIXED ||
600 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
601 hci_conn_hold(conn->hcon);
603 list_add(&chan->list, &conn->chan_l);
606 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
608 mutex_lock(&conn->chan_lock);
609 __l2cap_chan_add(conn, chan);
610 mutex_unlock(&conn->chan_lock);
613 void l2cap_chan_del(struct l2cap_chan *chan, int err)
615 struct l2cap_conn *conn = chan->conn;
617 __clear_chan_timer(chan);
619 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
620 state_to_string(chan->state));
622 chan->ops->teardown(chan, err);
625 struct amp_mgr *mgr = conn->hcon->amp_mgr;
626 /* Delete from channel list */
627 list_del(&chan->list);
629 l2cap_chan_put(chan);
633 /* Reference was only held for non-fixed channels or
634 * fixed channels that explicitly requested it using the
635 * FLAG_HOLD_HCI_CONN flag.
637 if (chan->chan_type != L2CAP_CHAN_FIXED ||
638 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
639 hci_conn_drop(conn->hcon);
641 if (mgr && mgr->bredr_chan == chan)
642 mgr->bredr_chan = NULL;
645 if (chan->hs_hchan) {
646 struct hci_chan *hs_hchan = chan->hs_hchan;
648 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
649 amp_disconnect_logical_link(hs_hchan);
652 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
655 switch (chan->mode) {
656 case L2CAP_MODE_BASIC:
659 case L2CAP_MODE_LE_FLOWCTL:
660 case L2CAP_MODE_EXT_FLOWCTL:
661 skb_queue_purge(&chan->tx_q);
664 case L2CAP_MODE_ERTM:
665 __clear_retrans_timer(chan);
666 __clear_monitor_timer(chan);
667 __clear_ack_timer(chan);
669 skb_queue_purge(&chan->srej_q);
671 l2cap_seq_list_free(&chan->srej_list);
672 l2cap_seq_list_free(&chan->retrans_list);
675 case L2CAP_MODE_STREAMING:
676 skb_queue_purge(&chan->tx_q);
680 EXPORT_SYMBOL_GPL(l2cap_chan_del);
682 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
685 struct l2cap_chan *chan;
687 list_for_each_entry(chan, &conn->chan_l, list) {
692 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
698 mutex_lock(&conn->chan_lock);
699 __l2cap_chan_list(conn, func, data);
700 mutex_unlock(&conn->chan_lock);
703 EXPORT_SYMBOL_GPL(l2cap_chan_list);
705 static void l2cap_conn_update_id_addr(struct work_struct *work)
707 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
708 id_addr_update_work);
709 struct hci_conn *hcon = conn->hcon;
710 struct l2cap_chan *chan;
712 mutex_lock(&conn->chan_lock);
714 list_for_each_entry(chan, &conn->chan_l, list) {
715 l2cap_chan_lock(chan);
716 bacpy(&chan->dst, &hcon->dst);
717 chan->dst_type = bdaddr_dst_type(hcon);
718 l2cap_chan_unlock(chan);
721 mutex_unlock(&conn->chan_lock);
724 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
726 struct l2cap_conn *conn = chan->conn;
727 struct l2cap_le_conn_rsp rsp;
730 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
731 result = L2CAP_CR_LE_AUTHORIZATION;
733 result = L2CAP_CR_LE_BAD_PSM;
735 l2cap_state_change(chan, BT_DISCONN);
737 rsp.dcid = cpu_to_le16(chan->scid);
738 rsp.mtu = cpu_to_le16(chan->imtu);
739 rsp.mps = cpu_to_le16(chan->mps);
740 rsp.credits = cpu_to_le16(chan->rx_credits);
741 rsp.result = cpu_to_le16(result);
743 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
747 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
749 struct l2cap_conn *conn = chan->conn;
750 struct l2cap_ecred_conn_rsp rsp;
753 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
754 result = L2CAP_CR_LE_AUTHORIZATION;
756 result = L2CAP_CR_LE_BAD_PSM;
758 l2cap_state_change(chan, BT_DISCONN);
760 memset(&rsp, 0, sizeof(rsp));
762 rsp.result = cpu_to_le16(result);
764 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
768 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
770 struct l2cap_conn *conn = chan->conn;
771 struct l2cap_conn_rsp rsp;
774 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
775 result = L2CAP_CR_SEC_BLOCK;
777 result = L2CAP_CR_BAD_PSM;
779 l2cap_state_change(chan, BT_DISCONN);
781 rsp.scid = cpu_to_le16(chan->dcid);
782 rsp.dcid = cpu_to_le16(chan->scid);
783 rsp.result = cpu_to_le16(result);
784 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
786 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
789 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
791 struct l2cap_conn *conn = chan->conn;
793 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
795 switch (chan->state) {
797 chan->ops->teardown(chan, 0);
802 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
803 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
804 l2cap_send_disconn_req(chan, reason);
806 l2cap_chan_del(chan, reason);
810 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
811 if (conn->hcon->type == ACL_LINK)
812 l2cap_chan_connect_reject(chan);
813 else if (conn->hcon->type == LE_LINK) {
814 switch (chan->mode) {
815 case L2CAP_MODE_LE_FLOWCTL:
816 l2cap_chan_le_connect_reject(chan);
818 case L2CAP_MODE_EXT_FLOWCTL:
819 l2cap_chan_ecred_connect_reject(chan);
825 l2cap_chan_del(chan, reason);
830 l2cap_chan_del(chan, reason);
834 chan->ops->teardown(chan, 0);
838 EXPORT_SYMBOL(l2cap_chan_close);
840 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
842 switch (chan->chan_type) {
844 switch (chan->sec_level) {
845 case BT_SECURITY_HIGH:
846 case BT_SECURITY_FIPS:
847 return HCI_AT_DEDICATED_BONDING_MITM;
848 case BT_SECURITY_MEDIUM:
849 return HCI_AT_DEDICATED_BONDING;
851 return HCI_AT_NO_BONDING;
854 case L2CAP_CHAN_CONN_LESS:
855 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
856 if (chan->sec_level == BT_SECURITY_LOW)
857 chan->sec_level = BT_SECURITY_SDP;
859 if (chan->sec_level == BT_SECURITY_HIGH ||
860 chan->sec_level == BT_SECURITY_FIPS)
861 return HCI_AT_NO_BONDING_MITM;
863 return HCI_AT_NO_BONDING;
865 case L2CAP_CHAN_CONN_ORIENTED:
866 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
867 if (chan->sec_level == BT_SECURITY_LOW)
868 chan->sec_level = BT_SECURITY_SDP;
870 if (chan->sec_level == BT_SECURITY_HIGH ||
871 chan->sec_level == BT_SECURITY_FIPS)
872 return HCI_AT_NO_BONDING_MITM;
874 return HCI_AT_NO_BONDING;
879 switch (chan->sec_level) {
880 case BT_SECURITY_HIGH:
881 case BT_SECURITY_FIPS:
882 return HCI_AT_GENERAL_BONDING_MITM;
883 case BT_SECURITY_MEDIUM:
884 return HCI_AT_GENERAL_BONDING;
886 return HCI_AT_NO_BONDING;
892 /* Service level security */
893 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
895 struct l2cap_conn *conn = chan->conn;
898 if (conn->hcon->type == LE_LINK)
899 return smp_conn_security(conn->hcon, chan->sec_level);
901 auth_type = l2cap_get_auth_type(chan);
903 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
907 static u8 l2cap_get_ident(struct l2cap_conn *conn)
911 /* Get next available identificator.
912 * 1 - 128 are used by kernel.
913 * 129 - 199 are reserved.
914 * 200 - 254 are used by utilities like l2ping, etc.
917 mutex_lock(&conn->ident_lock);
919 if (++conn->tx_ident > 128)
924 mutex_unlock(&conn->ident_lock);
929 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
932 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
935 BT_DBG("code 0x%2.2x", code);
940 /* Use NO_FLUSH if supported or we have an LE link (which does
941 * not support auto-flushing packets) */
942 if (lmp_no_flush_capable(conn->hcon->hdev) ||
943 conn->hcon->type == LE_LINK)
944 flags = ACL_START_NO_FLUSH;
948 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
949 skb->priority = HCI_PRIO_MAX;
951 hci_send_acl(conn->hchan, skb, flags);
954 static bool __chan_is_moving(struct l2cap_chan *chan)
956 return chan->move_state != L2CAP_MOVE_STABLE &&
957 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
960 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
962 struct hci_conn *hcon = chan->conn->hcon;
965 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
968 if (chan->hs_hcon && !__chan_is_moving(chan)) {
970 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
977 /* Use NO_FLUSH for LE links (where this is the only option) or
978 * if the BR/EDR link supports it and flushing has not been
979 * explicitly requested (through FLAG_FLUSHABLE).
981 if (hcon->type == LE_LINK ||
982 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
983 lmp_no_flush_capable(hcon->hdev)))
984 flags = ACL_START_NO_FLUSH;
988 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
989 hci_send_acl(chan->conn->hchan, skb, flags);
992 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
994 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
995 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
997 if (enh & L2CAP_CTRL_FRAME_TYPE) {
1000 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
1001 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1007 control->sframe = 0;
1008 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1009 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1016 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1018 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1019 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1021 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1023 control->sframe = 1;
1024 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1025 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1031 control->sframe = 0;
1032 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1033 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1040 static inline void __unpack_control(struct l2cap_chan *chan,
1041 struct sk_buff *skb)
1043 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1044 __unpack_extended_control(get_unaligned_le32(skb->data),
1045 &bt_cb(skb)->l2cap);
1046 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1048 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1049 &bt_cb(skb)->l2cap);
1050 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1054 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1058 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1059 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1061 if (control->sframe) {
1062 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1063 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1064 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1066 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1067 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1073 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1077 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1078 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1080 if (control->sframe) {
1081 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1082 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1083 packed |= L2CAP_CTRL_FRAME_TYPE;
1085 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1086 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1092 static inline void __pack_control(struct l2cap_chan *chan,
1093 struct l2cap_ctrl *control,
1094 struct sk_buff *skb)
1096 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1097 put_unaligned_le32(__pack_extended_control(control),
1098 skb->data + L2CAP_HDR_SIZE);
1100 put_unaligned_le16(__pack_enhanced_control(control),
1101 skb->data + L2CAP_HDR_SIZE);
1105 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1107 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1108 return L2CAP_EXT_HDR_SIZE;
1110 return L2CAP_ENH_HDR_SIZE;
1113 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1116 struct sk_buff *skb;
1117 struct l2cap_hdr *lh;
1118 int hlen = __ertm_hdr_size(chan);
1120 if (chan->fcs == L2CAP_FCS_CRC16)
1121 hlen += L2CAP_FCS_SIZE;
1123 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1126 return ERR_PTR(-ENOMEM);
1128 lh = skb_put(skb, L2CAP_HDR_SIZE);
1129 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1130 lh->cid = cpu_to_le16(chan->dcid);
1132 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1133 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1135 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1137 if (chan->fcs == L2CAP_FCS_CRC16) {
1138 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1139 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1142 skb->priority = HCI_PRIO_MAX;
1146 static void l2cap_send_sframe(struct l2cap_chan *chan,
1147 struct l2cap_ctrl *control)
1149 struct sk_buff *skb;
1152 BT_DBG("chan %p, control %p", chan, control);
1154 if (!control->sframe)
1157 if (__chan_is_moving(chan))
1160 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1164 if (control->super == L2CAP_SUPER_RR)
1165 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1166 else if (control->super == L2CAP_SUPER_RNR)
1167 set_bit(CONN_RNR_SENT, &chan->conn_state);
1169 if (control->super != L2CAP_SUPER_SREJ) {
1170 chan->last_acked_seq = control->reqseq;
1171 __clear_ack_timer(chan);
1174 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1175 control->final, control->poll, control->super);
1177 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1178 control_field = __pack_extended_control(control);
1180 control_field = __pack_enhanced_control(control);
1182 skb = l2cap_create_sframe_pdu(chan, control_field);
1184 l2cap_do_send(chan, skb);
1187 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1189 struct l2cap_ctrl control;
1191 BT_DBG("chan %p, poll %d", chan, poll);
1193 memset(&control, 0, sizeof(control));
1195 control.poll = poll;
1197 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1198 control.super = L2CAP_SUPER_RNR;
1200 control.super = L2CAP_SUPER_RR;
1202 control.reqseq = chan->buffer_seq;
1203 l2cap_send_sframe(chan, &control);
1206 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1208 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1211 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1214 static bool __amp_capable(struct l2cap_chan *chan)
1216 struct l2cap_conn *conn = chan->conn;
1217 struct hci_dev *hdev;
1218 bool amp_available = false;
1220 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1223 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1226 read_lock(&hci_dev_list_lock);
1227 list_for_each_entry(hdev, &hci_dev_list, list) {
1228 if (hdev->amp_type != AMP_TYPE_BREDR &&
1229 test_bit(HCI_UP, &hdev->flags)) {
1230 amp_available = true;
1234 read_unlock(&hci_dev_list_lock);
1236 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1237 return amp_available;
1242 static bool l2cap_check_efs(struct l2cap_chan *chan)
1244 /* Check EFS parameters */
1248 void l2cap_send_conn_req(struct l2cap_chan *chan)
1250 struct l2cap_conn *conn = chan->conn;
1251 struct l2cap_conn_req req;
1253 req.scid = cpu_to_le16(chan->scid);
1254 req.psm = chan->psm;
1256 chan->ident = l2cap_get_ident(conn);
1258 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1260 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1263 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1265 struct l2cap_create_chan_req req;
1266 req.scid = cpu_to_le16(chan->scid);
1267 req.psm = chan->psm;
1268 req.amp_id = amp_id;
1270 chan->ident = l2cap_get_ident(chan->conn);
1272 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1276 static void l2cap_move_setup(struct l2cap_chan *chan)
1278 struct sk_buff *skb;
1280 BT_DBG("chan %p", chan);
1282 if (chan->mode != L2CAP_MODE_ERTM)
1285 __clear_retrans_timer(chan);
1286 __clear_monitor_timer(chan);
1287 __clear_ack_timer(chan);
1289 chan->retry_count = 0;
1290 skb_queue_walk(&chan->tx_q, skb) {
1291 if (bt_cb(skb)->l2cap.retries)
1292 bt_cb(skb)->l2cap.retries = 1;
1297 chan->expected_tx_seq = chan->buffer_seq;
1299 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1300 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1301 l2cap_seq_list_clear(&chan->retrans_list);
1302 l2cap_seq_list_clear(&chan->srej_list);
1303 skb_queue_purge(&chan->srej_q);
1305 chan->tx_state = L2CAP_TX_STATE_XMIT;
1306 chan->rx_state = L2CAP_RX_STATE_MOVE;
1308 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1311 static void l2cap_move_done(struct l2cap_chan *chan)
1313 u8 move_role = chan->move_role;
1314 BT_DBG("chan %p", chan);
1316 chan->move_state = L2CAP_MOVE_STABLE;
1317 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1319 if (chan->mode != L2CAP_MODE_ERTM)
1322 switch (move_role) {
1323 case L2CAP_MOVE_ROLE_INITIATOR:
1324 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1325 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1327 case L2CAP_MOVE_ROLE_RESPONDER:
1328 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1333 static void l2cap_chan_ready(struct l2cap_chan *chan)
1335 /* The channel may have already been flagged as connected in
1336 * case of receiving data before the L2CAP info req/rsp
1337 * procedure is complete.
1339 if (chan->state == BT_CONNECTED)
1342 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1343 chan->conf_state = 0;
1344 __clear_chan_timer(chan);
1346 switch (chan->mode) {
1347 case L2CAP_MODE_LE_FLOWCTL:
1348 case L2CAP_MODE_EXT_FLOWCTL:
1349 if (!chan->tx_credits)
1350 chan->ops->suspend(chan);
1354 chan->state = BT_CONNECTED;
1356 chan->ops->ready(chan);
1359 static void l2cap_le_connect(struct l2cap_chan *chan)
1361 struct l2cap_conn *conn = chan->conn;
1362 struct l2cap_le_conn_req req;
1364 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1368 chan->imtu = chan->conn->mtu;
1370 l2cap_le_flowctl_init(chan, 0);
1372 req.psm = chan->psm;
1373 req.scid = cpu_to_le16(chan->scid);
1374 req.mtu = cpu_to_le16(chan->imtu);
1375 req.mps = cpu_to_le16(chan->mps);
1376 req.credits = cpu_to_le16(chan->rx_credits);
1378 chan->ident = l2cap_get_ident(conn);
1380 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1384 struct l2cap_ecred_conn_data {
1386 struct l2cap_ecred_conn_req req;
1389 struct l2cap_chan *chan;
1394 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1396 struct l2cap_ecred_conn_data *conn = data;
1399 if (chan == conn->chan)
1402 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1405 pid = chan->ops->get_peer_pid(chan);
1407 /* Only add deferred channels with the same PID/PSM */
1408 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1409 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1412 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1415 l2cap_ecred_init(chan, 0);
1417 /* Set the same ident so we can match on the rsp */
1418 chan->ident = conn->chan->ident;
1420 /* Include all channels deferred */
1421 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1426 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1428 struct l2cap_conn *conn = chan->conn;
1429 struct l2cap_ecred_conn_data data;
1431 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1434 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1437 l2cap_ecred_init(chan, 0);
1439 data.pdu.req.psm = chan->psm;
1440 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1441 data.pdu.req.mps = cpu_to_le16(chan->mps);
1442 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1443 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1445 chan->ident = l2cap_get_ident(conn);
1446 data.pid = chan->ops->get_peer_pid(chan);
1450 data.pid = chan->ops->get_peer_pid(chan);
1452 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1454 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1455 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1459 static void l2cap_le_start(struct l2cap_chan *chan)
1461 struct l2cap_conn *conn = chan->conn;
1463 if (!smp_conn_security(conn->hcon, chan->sec_level))
1467 l2cap_chan_ready(chan);
1471 if (chan->state == BT_CONNECT) {
1472 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1473 l2cap_ecred_connect(chan);
1475 l2cap_le_connect(chan);
1479 static void l2cap_start_connection(struct l2cap_chan *chan)
1481 if (__amp_capable(chan)) {
1482 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1483 a2mp_discover_amp(chan);
1484 } else if (chan->conn->hcon->type == LE_LINK) {
1485 l2cap_le_start(chan);
1487 l2cap_send_conn_req(chan);
1491 static void l2cap_request_info(struct l2cap_conn *conn)
1493 struct l2cap_info_req req;
1495 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1498 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1500 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1501 conn->info_ident = l2cap_get_ident(conn);
1503 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1505 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1509 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1511 /* The minimum encryption key size needs to be enforced by the
1512 * host stack before establishing any L2CAP connections. The
1513 * specification in theory allows a minimum of 1, but to align
1514 * BR/EDR and LE transports, a minimum of 7 is chosen.
1516 * This check might also be called for unencrypted connections
1517 * that have no key size requirements. Ensure that the link is
1518 * actually encrypted before enforcing a key size.
1520 int min_key_size = hcon->hdev->min_enc_key_size;
1522 /* On FIPS security level, key size must be 16 bytes */
1523 if (hcon->sec_level == BT_SECURITY_FIPS)
1526 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1527 hcon->enc_key_size >= min_key_size);
1530 static void l2cap_do_start(struct l2cap_chan *chan)
1532 struct l2cap_conn *conn = chan->conn;
1534 if (conn->hcon->type == LE_LINK) {
1535 l2cap_le_start(chan);
1539 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1540 l2cap_request_info(conn);
1544 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1547 if (!l2cap_chan_check_security(chan, true) ||
1548 !__l2cap_no_conn_pending(chan))
1551 if (l2cap_check_enc_key_size(conn->hcon))
1552 l2cap_start_connection(chan);
1554 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1557 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1559 u32 local_feat_mask = l2cap_feat_mask;
1561 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1564 case L2CAP_MODE_ERTM:
1565 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1566 case L2CAP_MODE_STREAMING:
1567 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1573 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1575 struct l2cap_conn *conn = chan->conn;
1576 struct l2cap_disconn_req req;
1581 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1582 __clear_retrans_timer(chan);
1583 __clear_monitor_timer(chan);
1584 __clear_ack_timer(chan);
1587 if (chan->scid == L2CAP_CID_A2MP) {
1588 l2cap_state_change(chan, BT_DISCONN);
1592 req.dcid = cpu_to_le16(chan->dcid);
1593 req.scid = cpu_to_le16(chan->scid);
1594 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1597 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1600 /* ---- L2CAP connections ---- */
1601 static void l2cap_conn_start(struct l2cap_conn *conn)
1603 struct l2cap_chan *chan, *tmp;
1605 BT_DBG("conn %p", conn);
1607 mutex_lock(&conn->chan_lock);
1609 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1610 l2cap_chan_lock(chan);
1612 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1613 l2cap_chan_ready(chan);
1614 l2cap_chan_unlock(chan);
1618 if (chan->state == BT_CONNECT) {
1619 if (!l2cap_chan_check_security(chan, true) ||
1620 !__l2cap_no_conn_pending(chan)) {
1621 l2cap_chan_unlock(chan);
1625 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1626 && test_bit(CONF_STATE2_DEVICE,
1627 &chan->conf_state)) {
1628 l2cap_chan_close(chan, ECONNRESET);
1629 l2cap_chan_unlock(chan);
1633 if (l2cap_check_enc_key_size(conn->hcon))
1634 l2cap_start_connection(chan);
1636 l2cap_chan_close(chan, ECONNREFUSED);
1638 } else if (chan->state == BT_CONNECT2) {
1639 struct l2cap_conn_rsp rsp;
1641 rsp.scid = cpu_to_le16(chan->dcid);
1642 rsp.dcid = cpu_to_le16(chan->scid);
1644 if (l2cap_chan_check_security(chan, false)) {
1645 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1646 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1647 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1648 chan->ops->defer(chan);
1651 l2cap_state_change(chan, BT_CONFIG);
1652 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1653 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1656 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1657 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1660 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1663 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1664 rsp.result != L2CAP_CR_SUCCESS) {
1665 l2cap_chan_unlock(chan);
1669 set_bit(CONF_REQ_SENT, &chan->conf_state);
1670 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1671 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1672 chan->num_conf_req++;
1675 l2cap_chan_unlock(chan);
1678 mutex_unlock(&conn->chan_lock);
1681 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1683 struct hci_conn *hcon = conn->hcon;
1684 struct hci_dev *hdev = hcon->hdev;
1686 BT_DBG("%s conn %p", hdev->name, conn);
1688 /* For outgoing pairing which doesn't necessarily have an
1689 * associated socket (e.g. mgmt_pair_device).
1692 smp_conn_security(hcon, hcon->pending_sec_level);
1694 /* For LE peripheral connections, make sure the connection interval
1695 * is in the range of the minimum and maximum interval that has
1696 * been configured for this connection. If not, then trigger
1697 * the connection update procedure.
1699 if (hcon->role == HCI_ROLE_SLAVE &&
1700 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1701 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1702 struct l2cap_conn_param_update_req req;
1704 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1705 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1706 req.latency = cpu_to_le16(hcon->le_conn_latency);
1707 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1709 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1710 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1714 static void l2cap_conn_ready(struct l2cap_conn *conn)
1716 struct l2cap_chan *chan;
1717 struct hci_conn *hcon = conn->hcon;
1719 BT_DBG("conn %p", conn);
1721 if (hcon->type == ACL_LINK)
1722 l2cap_request_info(conn);
1724 mutex_lock(&conn->chan_lock);
1726 list_for_each_entry(chan, &conn->chan_l, list) {
1728 l2cap_chan_lock(chan);
1730 if (chan->scid == L2CAP_CID_A2MP) {
1731 l2cap_chan_unlock(chan);
1735 if (hcon->type == LE_LINK) {
1736 l2cap_le_start(chan);
1737 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1738 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1739 l2cap_chan_ready(chan);
1740 } else if (chan->state == BT_CONNECT) {
1741 l2cap_do_start(chan);
1744 l2cap_chan_unlock(chan);
1747 mutex_unlock(&conn->chan_lock);
1749 if (hcon->type == LE_LINK)
1750 l2cap_le_conn_ready(conn);
1752 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1755 /* Notify sockets that we cannot guaranty reliability anymore */
1756 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1758 struct l2cap_chan *chan;
1760 BT_DBG("conn %p", conn);
1762 mutex_lock(&conn->chan_lock);
1764 list_for_each_entry(chan, &conn->chan_l, list) {
1765 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1766 l2cap_chan_set_err(chan, err);
1769 mutex_unlock(&conn->chan_lock);
1772 static void l2cap_info_timeout(struct work_struct *work)
1774 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1777 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1778 conn->info_ident = 0;
1780 l2cap_conn_start(conn);
1785 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1786 * callback is called during registration. The ->remove callback is called
1787 * during unregistration.
1788 * An l2cap_user object can either be explicitly unregistered or when the
1789 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1790 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1791 * External modules must own a reference to the l2cap_conn object if they intend
1792 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1793 * any time if they don't.
1796 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1798 struct hci_dev *hdev = conn->hcon->hdev;
1801 /* We need to check whether l2cap_conn is registered. If it is not, we
1802 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1803 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1804 * relies on the parent hci_conn object to be locked. This itself relies
1805 * on the hci_dev object to be locked. So we must lock the hci device
1810 if (!list_empty(&user->list)) {
1815 /* conn->hchan is NULL after l2cap_conn_del() was called */
1821 ret = user->probe(conn, user);
1825 list_add(&user->list, &conn->users);
1829 hci_dev_unlock(hdev);
1832 EXPORT_SYMBOL(l2cap_register_user);
1834 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1836 struct hci_dev *hdev = conn->hcon->hdev;
1840 if (list_empty(&user->list))
1843 list_del_init(&user->list);
1844 user->remove(conn, user);
1847 hci_dev_unlock(hdev);
1849 EXPORT_SYMBOL(l2cap_unregister_user);
1851 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1853 struct l2cap_user *user;
1855 while (!list_empty(&conn->users)) {
1856 user = list_first_entry(&conn->users, struct l2cap_user, list);
1857 list_del_init(&user->list);
1858 user->remove(conn, user);
1862 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1864 struct l2cap_conn *conn = hcon->l2cap_data;
1865 struct l2cap_chan *chan, *l;
1870 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1872 kfree_skb(conn->rx_skb);
1874 skb_queue_purge(&conn->pending_rx);
1876 /* We can not call flush_work(&conn->pending_rx_work) here since we
1877 * might block if we are running on a worker from the same workqueue
1878 * pending_rx_work is waiting on.
1880 if (work_pending(&conn->pending_rx_work))
1881 cancel_work_sync(&conn->pending_rx_work);
1883 if (work_pending(&conn->id_addr_update_work))
1884 cancel_work_sync(&conn->id_addr_update_work);
1886 l2cap_unregister_all_users(conn);
1888 /* Force the connection to be immediately dropped */
1889 hcon->disc_timeout = 0;
1891 mutex_lock(&conn->chan_lock);
1894 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1895 l2cap_chan_hold(chan);
1896 l2cap_chan_lock(chan);
1898 l2cap_chan_del(chan, err);
1900 chan->ops->close(chan);
1902 l2cap_chan_unlock(chan);
1903 l2cap_chan_put(chan);
1906 mutex_unlock(&conn->chan_lock);
1908 hci_chan_del(conn->hchan);
1910 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1911 cancel_delayed_work_sync(&conn->info_timer);
1913 hcon->l2cap_data = NULL;
1915 l2cap_conn_put(conn);
1918 static void l2cap_conn_free(struct kref *ref)
1920 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1922 hci_conn_put(conn->hcon);
1926 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1928 kref_get(&conn->ref);
1931 EXPORT_SYMBOL(l2cap_conn_get);
1933 void l2cap_conn_put(struct l2cap_conn *conn)
1935 kref_put(&conn->ref, l2cap_conn_free);
1937 EXPORT_SYMBOL(l2cap_conn_put);
1939 /* ---- Socket interface ---- */
1941 /* Find socket with psm and source / destination bdaddr.
1942 * Returns closest match.
1944 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1949 struct l2cap_chan *c, *c1 = NULL;
1951 read_lock(&chan_list_lock);
1953 list_for_each_entry(c, &chan_list, global_l) {
1954 if (state && c->state != state)
1957 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1960 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1963 if (c->psm == psm) {
1964 int src_match, dst_match;
1965 int src_any, dst_any;
1968 src_match = !bacmp(&c->src, src);
1969 dst_match = !bacmp(&c->dst, dst);
1970 if (src_match && dst_match) {
1972 read_unlock(&chan_list_lock);
1977 src_any = !bacmp(&c->src, BDADDR_ANY);
1978 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1979 if ((src_match && dst_any) || (src_any && dst_match) ||
1980 (src_any && dst_any))
1986 l2cap_chan_hold(c1);
1988 read_unlock(&chan_list_lock);
1993 static void l2cap_monitor_timeout(struct work_struct *work)
1995 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1996 monitor_timer.work);
1998 BT_DBG("chan %p", chan);
2000 l2cap_chan_lock(chan);
2003 l2cap_chan_unlock(chan);
2004 l2cap_chan_put(chan);
2008 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2010 l2cap_chan_unlock(chan);
2011 l2cap_chan_put(chan);
2014 static void l2cap_retrans_timeout(struct work_struct *work)
2016 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2017 retrans_timer.work);
2019 BT_DBG("chan %p", chan);
2021 l2cap_chan_lock(chan);
2024 l2cap_chan_unlock(chan);
2025 l2cap_chan_put(chan);
2029 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2030 l2cap_chan_unlock(chan);
2031 l2cap_chan_put(chan);
2034 static void l2cap_streaming_send(struct l2cap_chan *chan,
2035 struct sk_buff_head *skbs)
2037 struct sk_buff *skb;
2038 struct l2cap_ctrl *control;
2040 BT_DBG("chan %p, skbs %p", chan, skbs);
2042 if (__chan_is_moving(chan))
2045 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2047 while (!skb_queue_empty(&chan->tx_q)) {
2049 skb = skb_dequeue(&chan->tx_q);
2051 bt_cb(skb)->l2cap.retries = 1;
2052 control = &bt_cb(skb)->l2cap;
2054 control->reqseq = 0;
2055 control->txseq = chan->next_tx_seq;
2057 __pack_control(chan, control, skb);
2059 if (chan->fcs == L2CAP_FCS_CRC16) {
2060 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2061 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2064 l2cap_do_send(chan, skb);
2066 BT_DBG("Sent txseq %u", control->txseq);
2068 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2069 chan->frames_sent++;
2073 static int l2cap_ertm_send(struct l2cap_chan *chan)
2075 struct sk_buff *skb, *tx_skb;
2076 struct l2cap_ctrl *control;
2079 BT_DBG("chan %p", chan);
2081 if (chan->state != BT_CONNECTED)
2084 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2087 if (__chan_is_moving(chan))
2090 while (chan->tx_send_head &&
2091 chan->unacked_frames < chan->remote_tx_win &&
2092 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2094 skb = chan->tx_send_head;
2096 bt_cb(skb)->l2cap.retries = 1;
2097 control = &bt_cb(skb)->l2cap;
2099 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2102 control->reqseq = chan->buffer_seq;
2103 chan->last_acked_seq = chan->buffer_seq;
2104 control->txseq = chan->next_tx_seq;
2106 __pack_control(chan, control, skb);
2108 if (chan->fcs == L2CAP_FCS_CRC16) {
2109 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2110 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2113 /* Clone after data has been modified. Data is assumed to be
2114 read-only (for locking purposes) on cloned sk_buffs.
2116 tx_skb = skb_clone(skb, GFP_KERNEL);
2121 __set_retrans_timer(chan);
2123 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2124 chan->unacked_frames++;
2125 chan->frames_sent++;
2128 if (skb_queue_is_last(&chan->tx_q, skb))
2129 chan->tx_send_head = NULL;
2131 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2133 l2cap_do_send(chan, tx_skb);
2134 BT_DBG("Sent txseq %u", control->txseq);
2137 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2138 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2143 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2145 struct l2cap_ctrl control;
2146 struct sk_buff *skb;
2147 struct sk_buff *tx_skb;
2150 BT_DBG("chan %p", chan);
2152 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2155 if (__chan_is_moving(chan))
2158 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2159 seq = l2cap_seq_list_pop(&chan->retrans_list);
2161 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2163 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2168 bt_cb(skb)->l2cap.retries++;
2169 control = bt_cb(skb)->l2cap;
2171 if (chan->max_tx != 0 &&
2172 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2173 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2174 l2cap_send_disconn_req(chan, ECONNRESET);
2175 l2cap_seq_list_clear(&chan->retrans_list);
2179 control.reqseq = chan->buffer_seq;
2180 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2185 if (skb_cloned(skb)) {
2186 /* Cloned sk_buffs are read-only, so we need a
2189 tx_skb = skb_copy(skb, GFP_KERNEL);
2191 tx_skb = skb_clone(skb, GFP_KERNEL);
2195 l2cap_seq_list_clear(&chan->retrans_list);
2199 /* Update skb contents */
2200 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2201 put_unaligned_le32(__pack_extended_control(&control),
2202 tx_skb->data + L2CAP_HDR_SIZE);
2204 put_unaligned_le16(__pack_enhanced_control(&control),
2205 tx_skb->data + L2CAP_HDR_SIZE);
2209 if (chan->fcs == L2CAP_FCS_CRC16) {
2210 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2211 tx_skb->len - L2CAP_FCS_SIZE);
2212 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2216 l2cap_do_send(chan, tx_skb);
2218 BT_DBG("Resent txseq %d", control.txseq);
2220 chan->last_acked_seq = chan->buffer_seq;
2224 static void l2cap_retransmit(struct l2cap_chan *chan,
2225 struct l2cap_ctrl *control)
2227 BT_DBG("chan %p, control %p", chan, control);
2229 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2230 l2cap_ertm_resend(chan);
2233 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2234 struct l2cap_ctrl *control)
2236 struct sk_buff *skb;
2238 BT_DBG("chan %p, control %p", chan, control);
2241 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2243 l2cap_seq_list_clear(&chan->retrans_list);
2245 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2248 if (chan->unacked_frames) {
2249 skb_queue_walk(&chan->tx_q, skb) {
2250 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2251 skb == chan->tx_send_head)
2255 skb_queue_walk_from(&chan->tx_q, skb) {
2256 if (skb == chan->tx_send_head)
2259 l2cap_seq_list_append(&chan->retrans_list,
2260 bt_cb(skb)->l2cap.txseq);
2263 l2cap_ertm_resend(chan);
2267 static void l2cap_send_ack(struct l2cap_chan *chan)
2269 struct l2cap_ctrl control;
2270 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2271 chan->last_acked_seq);
2274 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2275 chan, chan->last_acked_seq, chan->buffer_seq);
2277 memset(&control, 0, sizeof(control));
2280 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2281 chan->rx_state == L2CAP_RX_STATE_RECV) {
2282 __clear_ack_timer(chan);
2283 control.super = L2CAP_SUPER_RNR;
2284 control.reqseq = chan->buffer_seq;
2285 l2cap_send_sframe(chan, &control);
2287 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2288 l2cap_ertm_send(chan);
2289 /* If any i-frames were sent, they included an ack */
2290 if (chan->buffer_seq == chan->last_acked_seq)
2294 /* Ack now if the window is 3/4ths full.
2295 * Calculate without mul or div
2297 threshold = chan->ack_win;
2298 threshold += threshold << 1;
2301 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2304 if (frames_to_ack >= threshold) {
2305 __clear_ack_timer(chan);
2306 control.super = L2CAP_SUPER_RR;
2307 control.reqseq = chan->buffer_seq;
2308 l2cap_send_sframe(chan, &control);
2313 __set_ack_timer(chan);
2317 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2318 struct msghdr *msg, int len,
2319 int count, struct sk_buff *skb)
2321 struct l2cap_conn *conn = chan->conn;
2322 struct sk_buff **frag;
2325 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2331 /* Continuation fragments (no L2CAP header) */
2332 frag = &skb_shinfo(skb)->frag_list;
2334 struct sk_buff *tmp;
2336 count = min_t(unsigned int, conn->mtu, len);
2338 tmp = chan->ops->alloc_skb(chan, 0, count,
2339 msg->msg_flags & MSG_DONTWAIT);
2341 return PTR_ERR(tmp);
2345 if (!copy_from_iter_full(skb_put(*frag, count), count,
2352 skb->len += (*frag)->len;
2353 skb->data_len += (*frag)->len;
2355 frag = &(*frag)->next;
2361 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2362 struct msghdr *msg, size_t len)
2364 struct l2cap_conn *conn = chan->conn;
2365 struct sk_buff *skb;
2366 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2367 struct l2cap_hdr *lh;
2369 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2370 __le16_to_cpu(chan->psm), len);
2372 count = min_t(unsigned int, (conn->mtu - hlen), len);
2374 skb = chan->ops->alloc_skb(chan, hlen, count,
2375 msg->msg_flags & MSG_DONTWAIT);
2379 /* Create L2CAP header */
2380 lh = skb_put(skb, L2CAP_HDR_SIZE);
2381 lh->cid = cpu_to_le16(chan->dcid);
2382 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2383 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2385 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2386 if (unlikely(err < 0)) {
2388 return ERR_PTR(err);
2393 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2394 struct msghdr *msg, size_t len)
2396 struct l2cap_conn *conn = chan->conn;
2397 struct sk_buff *skb;
2399 struct l2cap_hdr *lh;
2401 BT_DBG("chan %p len %zu", chan, len);
2403 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2405 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2406 msg->msg_flags & MSG_DONTWAIT);
2410 /* Create L2CAP header */
2411 lh = skb_put(skb, L2CAP_HDR_SIZE);
2412 lh->cid = cpu_to_le16(chan->dcid);
2413 lh->len = cpu_to_le16(len);
2415 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2416 if (unlikely(err < 0)) {
2418 return ERR_PTR(err);
2423 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2424 struct msghdr *msg, size_t len,
2427 struct l2cap_conn *conn = chan->conn;
2428 struct sk_buff *skb;
2429 int err, count, hlen;
2430 struct l2cap_hdr *lh;
2432 BT_DBG("chan %p len %zu", chan, len);
2435 return ERR_PTR(-ENOTCONN);
2437 hlen = __ertm_hdr_size(chan);
2440 hlen += L2CAP_SDULEN_SIZE;
2442 if (chan->fcs == L2CAP_FCS_CRC16)
2443 hlen += L2CAP_FCS_SIZE;
2445 count = min_t(unsigned int, (conn->mtu - hlen), len);
2447 skb = chan->ops->alloc_skb(chan, hlen, count,
2448 msg->msg_flags & MSG_DONTWAIT);
2452 /* Create L2CAP header */
2453 lh = skb_put(skb, L2CAP_HDR_SIZE);
2454 lh->cid = cpu_to_le16(chan->dcid);
2455 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2457 /* Control header is populated later */
2458 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2459 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2461 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2464 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2466 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2467 if (unlikely(err < 0)) {
2469 return ERR_PTR(err);
2472 bt_cb(skb)->l2cap.fcs = chan->fcs;
2473 bt_cb(skb)->l2cap.retries = 0;
2477 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2478 struct sk_buff_head *seg_queue,
2479 struct msghdr *msg, size_t len)
2481 struct sk_buff *skb;
2486 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2488 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2489 * so fragmented skbs are not used. The HCI layer's handling
2490 * of fragmented skbs is not compatible with ERTM's queueing.
2493 /* PDU size is derived from the HCI MTU */
2494 pdu_len = chan->conn->mtu;
2496 /* Constrain PDU size for BR/EDR connections */
2498 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2500 /* Adjust for largest possible L2CAP overhead. */
2502 pdu_len -= L2CAP_FCS_SIZE;
2504 pdu_len -= __ertm_hdr_size(chan);
2506 /* Remote device may have requested smaller PDUs */
2507 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2509 if (len <= pdu_len) {
2510 sar = L2CAP_SAR_UNSEGMENTED;
2514 sar = L2CAP_SAR_START;
2519 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2522 __skb_queue_purge(seg_queue);
2523 return PTR_ERR(skb);
2526 bt_cb(skb)->l2cap.sar = sar;
2527 __skb_queue_tail(seg_queue, skb);
2533 if (len <= pdu_len) {
2534 sar = L2CAP_SAR_END;
2537 sar = L2CAP_SAR_CONTINUE;
2544 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2546 size_t len, u16 sdulen)
2548 struct l2cap_conn *conn = chan->conn;
2549 struct sk_buff *skb;
2550 int err, count, hlen;
2551 struct l2cap_hdr *lh;
2553 BT_DBG("chan %p len %zu", chan, len);
2556 return ERR_PTR(-ENOTCONN);
2558 hlen = L2CAP_HDR_SIZE;
2561 hlen += L2CAP_SDULEN_SIZE;
2563 count = min_t(unsigned int, (conn->mtu - hlen), len);
2565 skb = chan->ops->alloc_skb(chan, hlen, count,
2566 msg->msg_flags & MSG_DONTWAIT);
2570 /* Create L2CAP header */
2571 lh = skb_put(skb, L2CAP_HDR_SIZE);
2572 lh->cid = cpu_to_le16(chan->dcid);
2573 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2576 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2578 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2579 if (unlikely(err < 0)) {
2581 return ERR_PTR(err);
2587 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2588 struct sk_buff_head *seg_queue,
2589 struct msghdr *msg, size_t len)
2591 struct sk_buff *skb;
2595 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2598 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2604 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2606 __skb_queue_purge(seg_queue);
2607 return PTR_ERR(skb);
2610 __skb_queue_tail(seg_queue, skb);
2616 pdu_len += L2CAP_SDULEN_SIZE;
2623 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2627 BT_DBG("chan %p", chan);
2629 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2630 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2635 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2636 skb_queue_len(&chan->tx_q));
2639 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2641 struct sk_buff *skb;
2643 struct sk_buff_head seg_queue;
2648 /* Connectionless channel */
2649 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2650 skb = l2cap_create_connless_pdu(chan, msg, len);
2652 return PTR_ERR(skb);
2654 /* Channel lock is released before requesting new skb and then
2655 * reacquired thus we need to recheck channel state.
2657 if (chan->state != BT_CONNECTED) {
2662 l2cap_do_send(chan, skb);
2666 switch (chan->mode) {
2667 case L2CAP_MODE_LE_FLOWCTL:
2668 case L2CAP_MODE_EXT_FLOWCTL:
2669 /* Check outgoing MTU */
2670 if (len > chan->omtu)
2673 __skb_queue_head_init(&seg_queue);
2675 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2677 if (chan->state != BT_CONNECTED) {
2678 __skb_queue_purge(&seg_queue);
2685 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2687 l2cap_le_flowctl_send(chan);
2689 if (!chan->tx_credits)
2690 chan->ops->suspend(chan);
2696 case L2CAP_MODE_BASIC:
2697 /* Check outgoing MTU */
2698 if (len > chan->omtu)
2701 /* Create a basic PDU */
2702 skb = l2cap_create_basic_pdu(chan, msg, len);
2704 return PTR_ERR(skb);
2706 /* Channel lock is released before requesting new skb and then
2707 * reacquired thus we need to recheck channel state.
2709 if (chan->state != BT_CONNECTED) {
2714 l2cap_do_send(chan, skb);
2718 case L2CAP_MODE_ERTM:
2719 case L2CAP_MODE_STREAMING:
2720 /* Check outgoing MTU */
2721 if (len > chan->omtu) {
2726 __skb_queue_head_init(&seg_queue);
2728 /* Do segmentation before calling in to the state machine,
2729 * since it's possible to block while waiting for memory
2732 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2734 /* The channel could have been closed while segmenting,
2735 * check that it is still connected.
2737 if (chan->state != BT_CONNECTED) {
2738 __skb_queue_purge(&seg_queue);
2745 if (chan->mode == L2CAP_MODE_ERTM)
2746 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2748 l2cap_streaming_send(chan, &seg_queue);
2752 /* If the skbs were not queued for sending, they'll still be in
2753 * seg_queue and need to be purged.
2755 __skb_queue_purge(&seg_queue);
2759 BT_DBG("bad state %1.1x", chan->mode);
2765 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2767 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2769 struct l2cap_ctrl control;
2772 BT_DBG("chan %p, txseq %u", chan, txseq);
2774 memset(&control, 0, sizeof(control));
2776 control.super = L2CAP_SUPER_SREJ;
2778 for (seq = chan->expected_tx_seq; seq != txseq;
2779 seq = __next_seq(chan, seq)) {
2780 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2781 control.reqseq = seq;
2782 l2cap_send_sframe(chan, &control);
2783 l2cap_seq_list_append(&chan->srej_list, seq);
2787 chan->expected_tx_seq = __next_seq(chan, txseq);
2790 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2792 struct l2cap_ctrl control;
2794 BT_DBG("chan %p", chan);
2796 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2799 memset(&control, 0, sizeof(control));
2801 control.super = L2CAP_SUPER_SREJ;
2802 control.reqseq = chan->srej_list.tail;
2803 l2cap_send_sframe(chan, &control);
2806 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2808 struct l2cap_ctrl control;
2812 BT_DBG("chan %p, txseq %u", chan, txseq);
2814 memset(&control, 0, sizeof(control));
2816 control.super = L2CAP_SUPER_SREJ;
2818 /* Capture initial list head to allow only one pass through the list. */
2819 initial_head = chan->srej_list.head;
2822 seq = l2cap_seq_list_pop(&chan->srej_list);
2823 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2826 control.reqseq = seq;
2827 l2cap_send_sframe(chan, &control);
2828 l2cap_seq_list_append(&chan->srej_list, seq);
2829 } while (chan->srej_list.head != initial_head);
2832 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2834 struct sk_buff *acked_skb;
2837 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2839 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2842 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2843 chan->expected_ack_seq, chan->unacked_frames);
2845 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2846 ackseq = __next_seq(chan, ackseq)) {
2848 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2850 skb_unlink(acked_skb, &chan->tx_q);
2851 kfree_skb(acked_skb);
2852 chan->unacked_frames--;
2856 chan->expected_ack_seq = reqseq;
2858 if (chan->unacked_frames == 0)
2859 __clear_retrans_timer(chan);
2861 BT_DBG("unacked_frames %u", chan->unacked_frames);
2864 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2866 BT_DBG("chan %p", chan);
2868 chan->expected_tx_seq = chan->buffer_seq;
2869 l2cap_seq_list_clear(&chan->srej_list);
2870 skb_queue_purge(&chan->srej_q);
2871 chan->rx_state = L2CAP_RX_STATE_RECV;
2874 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2875 struct l2cap_ctrl *control,
2876 struct sk_buff_head *skbs, u8 event)
2878 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2882 case L2CAP_EV_DATA_REQUEST:
2883 if (chan->tx_send_head == NULL)
2884 chan->tx_send_head = skb_peek(skbs);
2886 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2887 l2cap_ertm_send(chan);
2889 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2890 BT_DBG("Enter LOCAL_BUSY");
2891 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2893 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2894 /* The SREJ_SENT state must be aborted if we are to
2895 * enter the LOCAL_BUSY state.
2897 l2cap_abort_rx_srej_sent(chan);
2900 l2cap_send_ack(chan);
2903 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2904 BT_DBG("Exit LOCAL_BUSY");
2905 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2907 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2908 struct l2cap_ctrl local_control;
2910 memset(&local_control, 0, sizeof(local_control));
2911 local_control.sframe = 1;
2912 local_control.super = L2CAP_SUPER_RR;
2913 local_control.poll = 1;
2914 local_control.reqseq = chan->buffer_seq;
2915 l2cap_send_sframe(chan, &local_control);
2917 chan->retry_count = 1;
2918 __set_monitor_timer(chan);
2919 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2922 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2923 l2cap_process_reqseq(chan, control->reqseq);
2925 case L2CAP_EV_EXPLICIT_POLL:
2926 l2cap_send_rr_or_rnr(chan, 1);
2927 chan->retry_count = 1;
2928 __set_monitor_timer(chan);
2929 __clear_ack_timer(chan);
2930 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2932 case L2CAP_EV_RETRANS_TO:
2933 l2cap_send_rr_or_rnr(chan, 1);
2934 chan->retry_count = 1;
2935 __set_monitor_timer(chan);
2936 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2938 case L2CAP_EV_RECV_FBIT:
2939 /* Nothing to process */
2946 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2947 struct l2cap_ctrl *control,
2948 struct sk_buff_head *skbs, u8 event)
2950 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2954 case L2CAP_EV_DATA_REQUEST:
2955 if (chan->tx_send_head == NULL)
2956 chan->tx_send_head = skb_peek(skbs);
2957 /* Queue data, but don't send. */
2958 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2960 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2961 BT_DBG("Enter LOCAL_BUSY");
2962 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2964 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2965 /* The SREJ_SENT state must be aborted if we are to
2966 * enter the LOCAL_BUSY state.
2968 l2cap_abort_rx_srej_sent(chan);
2971 l2cap_send_ack(chan);
2974 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2975 BT_DBG("Exit LOCAL_BUSY");
2976 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2978 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2979 struct l2cap_ctrl local_control;
2980 memset(&local_control, 0, sizeof(local_control));
2981 local_control.sframe = 1;
2982 local_control.super = L2CAP_SUPER_RR;
2983 local_control.poll = 1;
2984 local_control.reqseq = chan->buffer_seq;
2985 l2cap_send_sframe(chan, &local_control);
2987 chan->retry_count = 1;
2988 __set_monitor_timer(chan);
2989 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2992 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2993 l2cap_process_reqseq(chan, control->reqseq);
2996 case L2CAP_EV_RECV_FBIT:
2997 if (control && control->final) {
2998 __clear_monitor_timer(chan);
2999 if (chan->unacked_frames > 0)
3000 __set_retrans_timer(chan);
3001 chan->retry_count = 0;
3002 chan->tx_state = L2CAP_TX_STATE_XMIT;
3003 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
3006 case L2CAP_EV_EXPLICIT_POLL:
3009 case L2CAP_EV_MONITOR_TO:
3010 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3011 l2cap_send_rr_or_rnr(chan, 1);
3012 __set_monitor_timer(chan);
3013 chan->retry_count++;
3015 l2cap_send_disconn_req(chan, ECONNABORTED);
3023 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3024 struct sk_buff_head *skbs, u8 event)
3026 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3027 chan, control, skbs, event, chan->tx_state);
3029 switch (chan->tx_state) {
3030 case L2CAP_TX_STATE_XMIT:
3031 l2cap_tx_state_xmit(chan, control, skbs, event);
3033 case L2CAP_TX_STATE_WAIT_F:
3034 l2cap_tx_state_wait_f(chan, control, skbs, event);
3042 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3043 struct l2cap_ctrl *control)
3045 BT_DBG("chan %p, control %p", chan, control);
3046 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3049 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3050 struct l2cap_ctrl *control)
3052 BT_DBG("chan %p, control %p", chan, control);
3053 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3056 /* Copy frame to all raw sockets on that connection */
3057 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3059 struct sk_buff *nskb;
3060 struct l2cap_chan *chan;
3062 BT_DBG("conn %p", conn);
3064 mutex_lock(&conn->chan_lock);
3066 list_for_each_entry(chan, &conn->chan_l, list) {
3067 if (chan->chan_type != L2CAP_CHAN_RAW)
3070 /* Don't send frame to the channel it came from */
3071 if (bt_cb(skb)->l2cap.chan == chan)
3074 nskb = skb_clone(skb, GFP_KERNEL);
3077 if (chan->ops->recv(chan, nskb))
3081 mutex_unlock(&conn->chan_lock);
3084 /* ---- L2CAP signalling commands ---- */
3085 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3086 u8 ident, u16 dlen, void *data)
3088 struct sk_buff *skb, **frag;
3089 struct l2cap_cmd_hdr *cmd;
3090 struct l2cap_hdr *lh;
3093 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3094 conn, code, ident, dlen);
3096 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3099 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3100 count = min_t(unsigned int, conn->mtu, len);
3102 skb = bt_skb_alloc(count, GFP_KERNEL);
3106 lh = skb_put(skb, L2CAP_HDR_SIZE);
3107 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3109 if (conn->hcon->type == LE_LINK)
3110 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3112 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
3114 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
3117 cmd->len = cpu_to_le16(dlen);
3120 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3121 skb_put_data(skb, data, count);
3127 /* Continuation fragments (no L2CAP header) */
3128 frag = &skb_shinfo(skb)->frag_list;
3130 count = min_t(unsigned int, conn->mtu, len);
3132 *frag = bt_skb_alloc(count, GFP_KERNEL);
3136 skb_put_data(*frag, data, count);
3141 frag = &(*frag)->next;
3151 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3154 struct l2cap_conf_opt *opt = *ptr;
3157 len = L2CAP_CONF_OPT_SIZE + opt->len;
3165 *val = *((u8 *) opt->val);
3169 *val = get_unaligned_le16(opt->val);
3173 *val = get_unaligned_le32(opt->val);
3177 *val = (unsigned long) opt->val;
3181 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3185 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3187 struct l2cap_conf_opt *opt = *ptr;
3189 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3191 if (size < L2CAP_CONF_OPT_SIZE + len)
3199 *((u8 *) opt->val) = val;
3203 put_unaligned_le16(val, opt->val);
3207 put_unaligned_le32(val, opt->val);
3211 memcpy(opt->val, (void *) val, len);
3215 *ptr += L2CAP_CONF_OPT_SIZE + len;
3218 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3220 struct l2cap_conf_efs efs;
3222 switch (chan->mode) {
3223 case L2CAP_MODE_ERTM:
3224 efs.id = chan->local_id;
3225 efs.stype = chan->local_stype;
3226 efs.msdu = cpu_to_le16(chan->local_msdu);
3227 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3228 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3229 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3232 case L2CAP_MODE_STREAMING:
3234 efs.stype = L2CAP_SERV_BESTEFFORT;
3235 efs.msdu = cpu_to_le16(chan->local_msdu);
3236 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3245 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3246 (unsigned long) &efs, size);
3249 static void l2cap_ack_timeout(struct work_struct *work)
3251 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3255 BT_DBG("chan %p", chan);
3257 l2cap_chan_lock(chan);
3259 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3260 chan->last_acked_seq);
3263 l2cap_send_rr_or_rnr(chan, 0);
3265 l2cap_chan_unlock(chan);
3266 l2cap_chan_put(chan);
3269 int l2cap_ertm_init(struct l2cap_chan *chan)
3273 chan->next_tx_seq = 0;
3274 chan->expected_tx_seq = 0;
3275 chan->expected_ack_seq = 0;
3276 chan->unacked_frames = 0;
3277 chan->buffer_seq = 0;
3278 chan->frames_sent = 0;
3279 chan->last_acked_seq = 0;
3281 chan->sdu_last_frag = NULL;
3284 skb_queue_head_init(&chan->tx_q);
3286 chan->local_amp_id = AMP_ID_BREDR;
3287 chan->move_id = AMP_ID_BREDR;
3288 chan->move_state = L2CAP_MOVE_STABLE;
3289 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3291 if (chan->mode != L2CAP_MODE_ERTM)
3294 chan->rx_state = L2CAP_RX_STATE_RECV;
3295 chan->tx_state = L2CAP_TX_STATE_XMIT;
3297 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3298 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3299 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3301 skb_queue_head_init(&chan->srej_q);
3303 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3307 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3309 l2cap_seq_list_free(&chan->srej_list);
3314 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3317 case L2CAP_MODE_STREAMING:
3318 case L2CAP_MODE_ERTM:
3319 if (l2cap_mode_supported(mode, remote_feat_mask))
3323 return L2CAP_MODE_BASIC;
3327 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3329 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3330 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3333 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3335 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3336 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3339 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3340 struct l2cap_conf_rfc *rfc)
3342 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3343 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3345 /* Class 1 devices have must have ERTM timeouts
3346 * exceeding the Link Supervision Timeout. The
3347 * default Link Supervision Timeout for AMP
3348 * controllers is 10 seconds.
3350 * Class 1 devices use 0xffffffff for their
3351 * best-effort flush timeout, so the clamping logic
3352 * will result in a timeout that meets the above
3353 * requirement. ERTM timeouts are 16-bit values, so
3354 * the maximum timeout is 65.535 seconds.
3357 /* Convert timeout to milliseconds and round */
3358 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3360 /* This is the recommended formula for class 2 devices
3361 * that start ERTM timers when packets are sent to the
3364 ertm_to = 3 * ertm_to + 500;
3366 if (ertm_to > 0xffff)
3369 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3370 rfc->monitor_timeout = rfc->retrans_timeout;
3372 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3373 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3377 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3379 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3380 __l2cap_ews_supported(chan->conn)) {
3381 /* use extended control field */
3382 set_bit(FLAG_EXT_CTRL, &chan->flags);
3383 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3385 chan->tx_win = min_t(u16, chan->tx_win,
3386 L2CAP_DEFAULT_TX_WINDOW);
3387 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3389 chan->ack_win = chan->tx_win;
3392 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3394 struct hci_conn *conn = chan->conn->hcon;
3396 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3398 /* The 2-DH1 packet has between 2 and 56 information bytes
3399 * (including the 2-byte payload header)
3401 if (!(conn->pkt_type & HCI_2DH1))
3404 /* The 3-DH1 packet has between 2 and 85 information bytes
3405 * (including the 2-byte payload header)
3407 if (!(conn->pkt_type & HCI_3DH1))
3410 /* The 2-DH3 packet has between 2 and 369 information bytes
3411 * (including the 2-byte payload header)
3413 if (!(conn->pkt_type & HCI_2DH3))
3416 /* The 3-DH3 packet has between 2 and 554 information bytes
3417 * (including the 2-byte payload header)
3419 if (!(conn->pkt_type & HCI_3DH3))
3422 /* The 2-DH5 packet has between 2 and 681 information bytes
3423 * (including the 2-byte payload header)
3425 if (!(conn->pkt_type & HCI_2DH5))
3428 /* The 3-DH5 packet has between 2 and 1023 information bytes
3429 * (including the 2-byte payload header)
3431 if (!(conn->pkt_type & HCI_3DH5))
3435 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3437 struct l2cap_conf_req *req = data;
3438 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3439 void *ptr = req->data;
3440 void *endptr = data + data_size;
3443 BT_DBG("chan %p", chan);
3445 if (chan->num_conf_req || chan->num_conf_rsp)
3448 switch (chan->mode) {
3449 case L2CAP_MODE_STREAMING:
3450 case L2CAP_MODE_ERTM:
3451 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3454 if (__l2cap_efs_supported(chan->conn))
3455 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3459 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3464 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3466 l2cap_mtu_auto(chan);
3467 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3471 switch (chan->mode) {
3472 case L2CAP_MODE_BASIC:
3476 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3477 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3480 rfc.mode = L2CAP_MODE_BASIC;
3482 rfc.max_transmit = 0;
3483 rfc.retrans_timeout = 0;
3484 rfc.monitor_timeout = 0;
3485 rfc.max_pdu_size = 0;
3487 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3488 (unsigned long) &rfc, endptr - ptr);
3491 case L2CAP_MODE_ERTM:
3492 rfc.mode = L2CAP_MODE_ERTM;
3493 rfc.max_transmit = chan->max_tx;
3495 __l2cap_set_ertm_timeouts(chan, &rfc);
3497 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3498 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3500 rfc.max_pdu_size = cpu_to_le16(size);
3502 l2cap_txwin_setup(chan);
3504 rfc.txwin_size = min_t(u16, chan->tx_win,
3505 L2CAP_DEFAULT_TX_WINDOW);
3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3508 (unsigned long) &rfc, endptr - ptr);
3510 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3511 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3513 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3514 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3515 chan->tx_win, endptr - ptr);
3517 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3518 if (chan->fcs == L2CAP_FCS_NONE ||
3519 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3520 chan->fcs = L2CAP_FCS_NONE;
3521 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3522 chan->fcs, endptr - ptr);
3526 case L2CAP_MODE_STREAMING:
3527 l2cap_txwin_setup(chan);
3528 rfc.mode = L2CAP_MODE_STREAMING;
3530 rfc.max_transmit = 0;
3531 rfc.retrans_timeout = 0;
3532 rfc.monitor_timeout = 0;
3534 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3535 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3537 rfc.max_pdu_size = cpu_to_le16(size);
3539 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3540 (unsigned long) &rfc, endptr - ptr);
3542 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3543 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3545 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3546 if (chan->fcs == L2CAP_FCS_NONE ||
3547 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3548 chan->fcs = L2CAP_FCS_NONE;
3549 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3550 chan->fcs, endptr - ptr);
3555 req->dcid = cpu_to_le16(chan->dcid);
3556 req->flags = cpu_to_le16(0);
3561 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3563 struct l2cap_conf_rsp *rsp = data;
3564 void *ptr = rsp->data;
3565 void *endptr = data + data_size;
3566 void *req = chan->conf_req;
3567 int len = chan->conf_len;
3568 int type, hint, olen;
3570 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3571 struct l2cap_conf_efs efs;
3573 u16 mtu = L2CAP_DEFAULT_MTU;
3574 u16 result = L2CAP_CONF_SUCCESS;
3577 BT_DBG("chan %p", chan);
3579 while (len >= L2CAP_CONF_OPT_SIZE) {
3580 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3584 hint = type & L2CAP_CONF_HINT;
3585 type &= L2CAP_CONF_MASK;
3588 case L2CAP_CONF_MTU:
3594 case L2CAP_CONF_FLUSH_TO:
3597 chan->flush_to = val;
3600 case L2CAP_CONF_QOS:
3603 case L2CAP_CONF_RFC:
3604 if (olen != sizeof(rfc))
3606 memcpy(&rfc, (void *) val, olen);
3609 case L2CAP_CONF_FCS:
3612 if (val == L2CAP_FCS_NONE)
3613 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3616 case L2CAP_CONF_EFS:
3617 if (olen != sizeof(efs))
3620 memcpy(&efs, (void *) val, olen);
3623 case L2CAP_CONF_EWS:
3626 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3627 return -ECONNREFUSED;
3628 set_bit(FLAG_EXT_CTRL, &chan->flags);
3629 set_bit(CONF_EWS_RECV, &chan->conf_state);
3630 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3631 chan->remote_tx_win = val;
3637 result = L2CAP_CONF_UNKNOWN;
3638 l2cap_add_conf_opt(&ptr, (u8)type, sizeof(u8), type, endptr - ptr);
3643 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3646 switch (chan->mode) {
3647 case L2CAP_MODE_STREAMING:
3648 case L2CAP_MODE_ERTM:
3649 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3650 chan->mode = l2cap_select_mode(rfc.mode,
3651 chan->conn->feat_mask);
3656 if (__l2cap_efs_supported(chan->conn))
3657 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3659 return -ECONNREFUSED;
3662 if (chan->mode != rfc.mode)
3663 return -ECONNREFUSED;
3669 if (chan->mode != rfc.mode) {
3670 result = L2CAP_CONF_UNACCEPT;
3671 rfc.mode = chan->mode;
3673 if (chan->num_conf_rsp == 1)
3674 return -ECONNREFUSED;
3676 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3677 (unsigned long) &rfc, endptr - ptr);
3680 if (result == L2CAP_CONF_SUCCESS) {
3681 /* Configure output options and let the other side know
3682 * which ones we don't like. */
3684 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3685 result = L2CAP_CONF_UNACCEPT;
3688 set_bit(CONF_MTU_DONE, &chan->conf_state);
3690 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3693 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3694 efs.stype != L2CAP_SERV_NOTRAFIC &&
3695 efs.stype != chan->local_stype) {
3697 result = L2CAP_CONF_UNACCEPT;
3699 if (chan->num_conf_req >= 1)
3700 return -ECONNREFUSED;
3702 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3704 (unsigned long) &efs, endptr - ptr);
3706 /* Send PENDING Conf Rsp */
3707 result = L2CAP_CONF_PENDING;
3708 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3713 case L2CAP_MODE_BASIC:
3714 chan->fcs = L2CAP_FCS_NONE;
3715 set_bit(CONF_MODE_DONE, &chan->conf_state);
3718 case L2CAP_MODE_ERTM:
3719 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3720 chan->remote_tx_win = rfc.txwin_size;
3722 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3724 chan->remote_max_tx = rfc.max_transmit;
3726 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3727 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3728 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3729 rfc.max_pdu_size = cpu_to_le16(size);
3730 chan->remote_mps = size;
3732 __l2cap_set_ertm_timeouts(chan, &rfc);
3734 set_bit(CONF_MODE_DONE, &chan->conf_state);
3736 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3737 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3739 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3740 chan->remote_id = efs.id;
3741 chan->remote_stype = efs.stype;
3742 chan->remote_msdu = le16_to_cpu(efs.msdu);
3743 chan->remote_flush_to =
3744 le32_to_cpu(efs.flush_to);
3745 chan->remote_acc_lat =
3746 le32_to_cpu(efs.acc_lat);
3747 chan->remote_sdu_itime =
3748 le32_to_cpu(efs.sdu_itime);
3749 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3751 (unsigned long) &efs, endptr - ptr);
3755 case L2CAP_MODE_STREAMING:
3756 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3757 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3758 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3759 rfc.max_pdu_size = cpu_to_le16(size);
3760 chan->remote_mps = size;
3762 set_bit(CONF_MODE_DONE, &chan->conf_state);
3764 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3765 (unsigned long) &rfc, endptr - ptr);
3770 result = L2CAP_CONF_UNACCEPT;
3772 memset(&rfc, 0, sizeof(rfc));
3773 rfc.mode = chan->mode;
3776 if (result == L2CAP_CONF_SUCCESS)
3777 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3779 rsp->scid = cpu_to_le16(chan->dcid);
3780 rsp->result = cpu_to_le16(result);
3781 rsp->flags = cpu_to_le16(0);
3786 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3787 void *data, size_t size, u16 *result)
3789 struct l2cap_conf_req *req = data;
3790 void *ptr = req->data;
3791 void *endptr = data + size;
3794 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3795 struct l2cap_conf_efs efs;
3797 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3799 while (len >= L2CAP_CONF_OPT_SIZE) {
3800 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3805 case L2CAP_CONF_MTU:
3808 if (val < L2CAP_DEFAULT_MIN_MTU) {
3809 *result = L2CAP_CONF_UNACCEPT;
3810 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3813 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3817 case L2CAP_CONF_FLUSH_TO:
3820 chan->flush_to = val;
3821 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3822 chan->flush_to, endptr - ptr);
3825 case L2CAP_CONF_RFC:
3826 if (olen != sizeof(rfc))
3828 memcpy(&rfc, (void *)val, olen);
3829 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3830 rfc.mode != chan->mode)
3831 return -ECONNREFUSED;
3833 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3834 (unsigned long) &rfc, endptr - ptr);
3837 case L2CAP_CONF_EWS:
3840 chan->ack_win = min_t(u16, val, chan->ack_win);
3841 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3842 chan->tx_win, endptr - ptr);
3845 case L2CAP_CONF_EFS:
3846 if (olen != sizeof(efs))
3848 memcpy(&efs, (void *)val, olen);
3849 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3850 efs.stype != L2CAP_SERV_NOTRAFIC &&
3851 efs.stype != chan->local_stype)
3852 return -ECONNREFUSED;
3853 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3854 (unsigned long) &efs, endptr - ptr);
3857 case L2CAP_CONF_FCS:
3860 if (*result == L2CAP_CONF_PENDING)
3861 if (val == L2CAP_FCS_NONE)
3862 set_bit(CONF_RECV_NO_FCS,
3868 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3869 return -ECONNREFUSED;
3871 chan->mode = rfc.mode;
3873 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3875 case L2CAP_MODE_ERTM:
3876 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3877 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3878 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3879 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3880 chan->ack_win = min_t(u16, chan->ack_win,
3883 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3884 chan->local_msdu = le16_to_cpu(efs.msdu);
3885 chan->local_sdu_itime =
3886 le32_to_cpu(efs.sdu_itime);
3887 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3888 chan->local_flush_to =
3889 le32_to_cpu(efs.flush_to);
3893 case L2CAP_MODE_STREAMING:
3894 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3898 req->dcid = cpu_to_le16(chan->dcid);
3899 req->flags = cpu_to_le16(0);
3904 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3905 u16 result, u16 flags)
3907 struct l2cap_conf_rsp *rsp = data;
3908 void *ptr = rsp->data;
3910 BT_DBG("chan %p", chan);
3912 rsp->scid = cpu_to_le16(chan->dcid);
3913 rsp->result = cpu_to_le16(result);
3914 rsp->flags = cpu_to_le16(flags);
3919 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3921 struct l2cap_le_conn_rsp rsp;
3922 struct l2cap_conn *conn = chan->conn;
3924 BT_DBG("chan %p", chan);
3926 rsp.dcid = cpu_to_le16(chan->scid);
3927 rsp.mtu = cpu_to_le16(chan->imtu);
3928 rsp.mps = cpu_to_le16(chan->mps);
3929 rsp.credits = cpu_to_le16(chan->rx_credits);
3930 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3932 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3936 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3939 struct l2cap_ecred_conn_rsp rsp;
3942 struct l2cap_conn *conn = chan->conn;
3943 u16 ident = chan->ident;
3949 BT_DBG("chan %p ident %d", chan, ident);
3951 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3952 pdu.rsp.mps = cpu_to_le16(chan->mps);
3953 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3954 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3956 mutex_lock(&conn->chan_lock);
3958 list_for_each_entry(chan, &conn->chan_l, list) {
3959 if (chan->ident != ident)
3962 /* Reset ident so only one response is sent */
3965 /* Include all channels pending with the same ident */
3966 pdu.dcid[i++] = cpu_to_le16(chan->scid);
3969 mutex_unlock(&conn->chan_lock);
3971 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3972 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3975 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3977 struct l2cap_conn_rsp rsp;
3978 struct l2cap_conn *conn = chan->conn;
3982 rsp.scid = cpu_to_le16(chan->dcid);
3983 rsp.dcid = cpu_to_le16(chan->scid);
3984 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3985 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3988 rsp_code = L2CAP_CREATE_CHAN_RSP;
3990 rsp_code = L2CAP_CONN_RSP;
3992 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3994 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3996 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3999 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4000 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4001 chan->num_conf_req++;
4004 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
4008 /* Use sane default values in case a misbehaving remote device
4009 * did not send an RFC or extended window size option.
4011 u16 txwin_ext = chan->ack_win;
4012 struct l2cap_conf_rfc rfc = {
4014 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
4015 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
4016 .max_pdu_size = cpu_to_le16(chan->imtu),
4017 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
4020 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
4022 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
4025 while (len >= L2CAP_CONF_OPT_SIZE) {
4026 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
4031 case L2CAP_CONF_RFC:
4032 if (olen != sizeof(rfc))
4034 memcpy(&rfc, (void *)val, olen);
4036 case L2CAP_CONF_EWS:
4045 case L2CAP_MODE_ERTM:
4046 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
4047 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
4048 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4049 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4050 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
4052 chan->ack_win = min_t(u16, chan->ack_win,
4055 case L2CAP_MODE_STREAMING:
4056 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4060 static inline int l2cap_command_rej(struct l2cap_conn *conn,
4061 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4064 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4066 if (cmd_len < sizeof(*rej))
4069 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4072 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
4073 cmd->ident == conn->info_ident) {
4074 cancel_delayed_work(&conn->info_timer);
4076 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4077 conn->info_ident = 0;
4079 l2cap_conn_start(conn);
4085 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
4086 struct l2cap_cmd_hdr *cmd,
4087 u8 *data, u8 rsp_code, u8 amp_id)
4089 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
4090 struct l2cap_conn_rsp rsp;
4091 struct l2cap_chan *chan = NULL, *pchan;
4092 int result, status = L2CAP_CS_NO_INFO;
4094 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
4095 __le16 psm = req->psm;
4097 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
4099 /* Check if we have socket listening on psm */
4100 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4101 &conn->hcon->dst, ACL_LINK);
4103 result = L2CAP_CR_BAD_PSM;
4107 mutex_lock(&conn->chan_lock);
4108 l2cap_chan_lock(pchan);
4110 /* Check if the ACL is secure enough (if not SDP) */
4111 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
4112 !hci_conn_check_link_mode(conn->hcon)) {
4113 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
4114 result = L2CAP_CR_SEC_BLOCK;
4118 result = L2CAP_CR_NO_MEM;
4120 /* Check for valid dynamic CID range (as per Erratum 3253) */
4121 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4122 result = L2CAP_CR_INVALID_SCID;
4126 /* Check if we already have channel with that dcid */
4127 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4128 result = L2CAP_CR_SCID_IN_USE;
4132 chan = pchan->ops->new_connection(pchan);
4136 /* For certain devices (ex: HID mouse), support for authentication,
4137 * pairing and bonding is optional. For such devices, inorder to avoid
4138 * the ACL alive for too long after L2CAP disconnection, reset the ACL
4139 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
4141 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4143 bacpy(&chan->src, &conn->hcon->src);
4144 bacpy(&chan->dst, &conn->hcon->dst);
4145 chan->src_type = bdaddr_src_type(conn->hcon);
4146 chan->dst_type = bdaddr_dst_type(conn->hcon);
4149 chan->local_amp_id = amp_id;
4151 __l2cap_chan_add(conn, chan);
4155 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4157 chan->ident = cmd->ident;
4159 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4160 if (l2cap_chan_check_security(chan, false)) {
4161 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4162 l2cap_state_change(chan, BT_CONNECT2);
4163 result = L2CAP_CR_PEND;
4164 status = L2CAP_CS_AUTHOR_PEND;
4165 chan->ops->defer(chan);
4167 /* Force pending result for AMP controllers.
4168 * The connection will succeed after the
4169 * physical link is up.
4171 if (amp_id == AMP_ID_BREDR) {
4172 l2cap_state_change(chan, BT_CONFIG);
4173 result = L2CAP_CR_SUCCESS;
4175 l2cap_state_change(chan, BT_CONNECT2);
4176 result = L2CAP_CR_PEND;
4178 status = L2CAP_CS_NO_INFO;
4181 l2cap_state_change(chan, BT_CONNECT2);
4182 result = L2CAP_CR_PEND;
4183 status = L2CAP_CS_AUTHEN_PEND;
4186 l2cap_state_change(chan, BT_CONNECT2);
4187 result = L2CAP_CR_PEND;
4188 status = L2CAP_CS_NO_INFO;
4192 l2cap_chan_unlock(pchan);
4193 mutex_unlock(&conn->chan_lock);
4194 l2cap_chan_put(pchan);
4197 rsp.scid = cpu_to_le16(scid);
4198 rsp.dcid = cpu_to_le16(dcid);
4199 rsp.result = cpu_to_le16(result);
4200 rsp.status = cpu_to_le16(status);
4201 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4203 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4204 struct l2cap_info_req info;
4205 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4207 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4208 conn->info_ident = l2cap_get_ident(conn);
4210 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4212 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4213 sizeof(info), &info);
4216 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4217 result == L2CAP_CR_SUCCESS) {
4219 set_bit(CONF_REQ_SENT, &chan->conf_state);
4220 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4221 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4222 chan->num_conf_req++;
4228 static int l2cap_connect_req(struct l2cap_conn *conn,
4229 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4231 struct hci_dev *hdev = conn->hcon->hdev;
4232 struct hci_conn *hcon = conn->hcon;
4234 if (cmd_len < sizeof(struct l2cap_conn_req))
4238 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4239 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4240 mgmt_device_connected(hdev, hcon, NULL, 0);
4241 hci_dev_unlock(hdev);
4243 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4247 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4248 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4251 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4252 u16 scid, dcid, result, status;
4253 struct l2cap_chan *chan;
4257 if (cmd_len < sizeof(*rsp))
4260 scid = __le16_to_cpu(rsp->scid);
4261 dcid = __le16_to_cpu(rsp->dcid);
4262 result = __le16_to_cpu(rsp->result);
4263 status = __le16_to_cpu(rsp->status);
4265 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4266 dcid, scid, result, status);
4268 mutex_lock(&conn->chan_lock);
4271 chan = __l2cap_get_chan_by_scid(conn, scid);
4277 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4286 l2cap_chan_lock(chan);
4289 case L2CAP_CR_SUCCESS:
4290 l2cap_state_change(chan, BT_CONFIG);
4293 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4295 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4298 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4299 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4300 chan->num_conf_req++;
4304 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4308 l2cap_chan_del(chan, ECONNREFUSED);
4312 l2cap_chan_unlock(chan);
4315 mutex_unlock(&conn->chan_lock);
4320 static inline void set_default_fcs(struct l2cap_chan *chan)
4322 /* FCS is enabled only in ERTM or streaming mode, if one or both
4325 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4326 chan->fcs = L2CAP_FCS_NONE;
4327 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4328 chan->fcs = L2CAP_FCS_CRC16;
4331 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4332 u8 ident, u16 flags)
4334 struct l2cap_conn *conn = chan->conn;
4336 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4339 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4340 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4342 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4343 l2cap_build_conf_rsp(chan, data,
4344 L2CAP_CONF_SUCCESS, flags), data);
4347 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4350 struct l2cap_cmd_rej_cid rej;
4352 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4353 rej.scid = __cpu_to_le16(scid);
4354 rej.dcid = __cpu_to_le16(dcid);
4356 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4359 static inline int l2cap_config_req(struct l2cap_conn *conn,
4360 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4363 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4366 struct l2cap_chan *chan;
4369 if (cmd_len < sizeof(*req))
4372 dcid = __le16_to_cpu(req->dcid);
4373 flags = __le16_to_cpu(req->flags);
4375 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4377 chan = l2cap_get_chan_by_scid(conn, dcid);
4379 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4383 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4384 chan->state != BT_CONNECTED) {
4385 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4390 /* Reject if config buffer is too small. */
4391 len = cmd_len - sizeof(*req);
4392 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4393 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4394 l2cap_build_conf_rsp(chan, rsp,
4395 L2CAP_CONF_REJECT, flags), rsp);
4400 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4401 chan->conf_len += len;
4403 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4404 /* Incomplete config. Send empty response. */
4405 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4406 l2cap_build_conf_rsp(chan, rsp,
4407 L2CAP_CONF_SUCCESS, flags), rsp);
4411 /* Complete config. */
4412 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4414 l2cap_send_disconn_req(chan, ECONNRESET);
4418 chan->ident = cmd->ident;
4419 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4420 chan->num_conf_rsp++;
4422 /* Reset config buffer. */
4425 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4428 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4429 set_default_fcs(chan);
4431 if (chan->mode == L2CAP_MODE_ERTM ||
4432 chan->mode == L2CAP_MODE_STREAMING)
4433 err = l2cap_ertm_init(chan);
4436 l2cap_send_disconn_req(chan, -err);
4438 l2cap_chan_ready(chan);
4443 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4445 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4446 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4447 chan->num_conf_req++;
4450 /* Got Conf Rsp PENDING from remote side and assume we sent
4451 Conf Rsp PENDING in the code above */
4452 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4453 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4455 /* check compatibility */
4457 /* Send rsp for BR/EDR channel */
4459 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4461 chan->ident = cmd->ident;
4465 l2cap_chan_unlock(chan);
4469 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4470 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4473 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4474 u16 scid, flags, result;
4475 struct l2cap_chan *chan;
4476 int len = cmd_len - sizeof(*rsp);
4479 if (cmd_len < sizeof(*rsp))
4482 scid = __le16_to_cpu(rsp->scid);
4483 flags = __le16_to_cpu(rsp->flags);
4484 result = __le16_to_cpu(rsp->result);
4486 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4489 chan = l2cap_get_chan_by_scid(conn, scid);
4494 case L2CAP_CONF_SUCCESS:
4495 l2cap_conf_rfc_get(chan, rsp->data, len);
4496 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4499 case L2CAP_CONF_PENDING:
4500 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4502 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4505 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4506 buf, sizeof(buf), &result);
4508 l2cap_send_disconn_req(chan, ECONNRESET);
4512 if (!chan->hs_hcon) {
4513 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4516 if (l2cap_check_efs(chan)) {
4517 amp_create_logical_link(chan);
4518 chan->ident = cmd->ident;
4524 case L2CAP_CONF_UNKNOWN:
4525 case L2CAP_CONF_UNACCEPT:
4526 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4529 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4530 l2cap_send_disconn_req(chan, ECONNRESET);
4534 /* throw out any old stored conf requests */
4535 result = L2CAP_CONF_SUCCESS;
4536 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4537 req, sizeof(req), &result);
4539 l2cap_send_disconn_req(chan, ECONNRESET);
4543 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4544 L2CAP_CONF_REQ, len, req);
4545 chan->num_conf_req++;
4546 if (result != L2CAP_CONF_SUCCESS)
4553 l2cap_chan_set_err(chan, ECONNRESET);
4555 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4556 l2cap_send_disconn_req(chan, ECONNRESET);
4560 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4563 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4565 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4566 set_default_fcs(chan);
4568 if (chan->mode == L2CAP_MODE_ERTM ||
4569 chan->mode == L2CAP_MODE_STREAMING)
4570 err = l2cap_ertm_init(chan);
4573 l2cap_send_disconn_req(chan, -err);
4575 l2cap_chan_ready(chan);
4579 l2cap_chan_unlock(chan);
4583 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4584 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4587 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4588 struct l2cap_disconn_rsp rsp;
4590 struct l2cap_chan *chan;
4592 if (cmd_len != sizeof(*req))
4595 scid = __le16_to_cpu(req->scid);
4596 dcid = __le16_to_cpu(req->dcid);
4598 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4600 mutex_lock(&conn->chan_lock);
4602 chan = __l2cap_get_chan_by_scid(conn, dcid);
4604 mutex_unlock(&conn->chan_lock);
4605 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4609 l2cap_chan_hold(chan);
4610 l2cap_chan_lock(chan);
4612 rsp.dcid = cpu_to_le16(chan->scid);
4613 rsp.scid = cpu_to_le16(chan->dcid);
4614 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4616 chan->ops->set_shutdown(chan);
4618 l2cap_chan_del(chan, ECONNRESET);
4620 chan->ops->close(chan);
4622 l2cap_chan_unlock(chan);
4623 l2cap_chan_put(chan);
4625 mutex_unlock(&conn->chan_lock);
4630 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4631 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4634 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4636 struct l2cap_chan *chan;
4638 if (cmd_len != sizeof(*rsp))
4641 scid = __le16_to_cpu(rsp->scid);
4642 dcid = __le16_to_cpu(rsp->dcid);
4644 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4646 mutex_lock(&conn->chan_lock);
4648 chan = __l2cap_get_chan_by_scid(conn, scid);
4650 mutex_unlock(&conn->chan_lock);
4654 l2cap_chan_hold(chan);
4655 l2cap_chan_lock(chan);
4657 if (chan->state != BT_DISCONN) {
4658 l2cap_chan_unlock(chan);
4659 l2cap_chan_put(chan);
4660 mutex_unlock(&conn->chan_lock);
4664 l2cap_chan_del(chan, 0);
4666 chan->ops->close(chan);
4668 l2cap_chan_unlock(chan);
4669 l2cap_chan_put(chan);
4671 mutex_unlock(&conn->chan_lock);
4676 static inline int l2cap_information_req(struct l2cap_conn *conn,
4677 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4680 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4683 if (cmd_len != sizeof(*req))
4686 type = __le16_to_cpu(req->type);
4688 BT_DBG("type 0x%4.4x", type);
4690 if (type == L2CAP_IT_FEAT_MASK) {
4692 u32 feat_mask = l2cap_feat_mask;
4693 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4694 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4695 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4697 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4699 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4700 feat_mask |= L2CAP_FEAT_EXT_FLOW
4701 | L2CAP_FEAT_EXT_WINDOW;
4703 put_unaligned_le32(feat_mask, rsp->data);
4704 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4706 } else if (type == L2CAP_IT_FIXED_CHAN) {
4708 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4710 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4711 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4712 rsp->data[0] = conn->local_fixed_chan;
4713 memset(rsp->data + 1, 0, 7);
4714 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4717 struct l2cap_info_rsp rsp;
4718 rsp.type = cpu_to_le16(type);
4719 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4720 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4727 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4728 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4731 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4734 if (cmd_len < sizeof(*rsp))
4737 type = __le16_to_cpu(rsp->type);
4738 result = __le16_to_cpu(rsp->result);
4740 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4742 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4743 if (cmd->ident != conn->info_ident ||
4744 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4747 cancel_delayed_work(&conn->info_timer);
4749 if (result != L2CAP_IR_SUCCESS) {
4750 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4751 conn->info_ident = 0;
4753 l2cap_conn_start(conn);
4759 case L2CAP_IT_FEAT_MASK:
4760 conn->feat_mask = get_unaligned_le32(rsp->data);
4762 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4763 struct l2cap_info_req req;
4764 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4766 conn->info_ident = l2cap_get_ident(conn);
4768 l2cap_send_cmd(conn, conn->info_ident,
4769 L2CAP_INFO_REQ, sizeof(req), &req);
4771 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4772 conn->info_ident = 0;
4774 l2cap_conn_start(conn);
4778 case L2CAP_IT_FIXED_CHAN:
4779 conn->remote_fixed_chan = rsp->data[0];
4780 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4781 conn->info_ident = 0;
4783 l2cap_conn_start(conn);
4790 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4791 struct l2cap_cmd_hdr *cmd,
4792 u16 cmd_len, void *data)
4794 struct l2cap_create_chan_req *req = data;
4795 struct l2cap_create_chan_rsp rsp;
4796 struct l2cap_chan *chan;
4797 struct hci_dev *hdev;
4800 if (cmd_len != sizeof(*req))
4803 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4806 psm = le16_to_cpu(req->psm);
4807 scid = le16_to_cpu(req->scid);
4809 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4811 /* For controller id 0 make BR/EDR connection */
4812 if (req->amp_id == AMP_ID_BREDR) {
4813 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4818 /* Validate AMP controller id */
4819 hdev = hci_dev_get(req->amp_id);
4823 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4828 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4831 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4832 struct hci_conn *hs_hcon;
4834 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4838 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4843 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4845 mgr->bredr_chan = chan;
4846 chan->hs_hcon = hs_hcon;
4847 chan->fcs = L2CAP_FCS_NONE;
4848 conn->mtu = hdev->block_mtu;
4857 rsp.scid = cpu_to_le16(scid);
4858 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4859 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4861 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4867 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4869 struct l2cap_move_chan_req req;
4872 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4874 ident = l2cap_get_ident(chan->conn);
4875 chan->ident = ident;
4877 req.icid = cpu_to_le16(chan->scid);
4878 req.dest_amp_id = dest_amp_id;
4880 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4883 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4886 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4888 struct l2cap_move_chan_rsp rsp;
4890 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4892 rsp.icid = cpu_to_le16(chan->dcid);
4893 rsp.result = cpu_to_le16(result);
4895 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4899 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4901 struct l2cap_move_chan_cfm cfm;
4903 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4905 chan->ident = l2cap_get_ident(chan->conn);
4907 cfm.icid = cpu_to_le16(chan->scid);
4908 cfm.result = cpu_to_le16(result);
4910 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4913 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4916 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4918 struct l2cap_move_chan_cfm cfm;
4920 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4922 cfm.icid = cpu_to_le16(icid);
4923 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4925 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4929 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4932 struct l2cap_move_chan_cfm_rsp rsp;
4934 BT_DBG("icid 0x%4.4x", icid);
4936 rsp.icid = cpu_to_le16(icid);
4937 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4940 static void __release_logical_link(struct l2cap_chan *chan)
4942 chan->hs_hchan = NULL;
4943 chan->hs_hcon = NULL;
4945 /* Placeholder - release the logical link */
4948 static void l2cap_logical_fail(struct l2cap_chan *chan)
4950 /* Logical link setup failed */
4951 if (chan->state != BT_CONNECTED) {
4952 /* Create channel failure, disconnect */
4953 l2cap_send_disconn_req(chan, ECONNRESET);
4957 switch (chan->move_role) {
4958 case L2CAP_MOVE_ROLE_RESPONDER:
4959 l2cap_move_done(chan);
4960 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4962 case L2CAP_MOVE_ROLE_INITIATOR:
4963 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4964 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4965 /* Remote has only sent pending or
4966 * success responses, clean up
4968 l2cap_move_done(chan);
4971 /* Other amp move states imply that the move
4972 * has already aborted
4974 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4979 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4980 struct hci_chan *hchan)
4982 struct l2cap_conf_rsp rsp;
4984 chan->hs_hchan = hchan;
4985 chan->hs_hcon->l2cap_data = chan->conn;
4987 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4989 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4992 set_default_fcs(chan);
4994 err = l2cap_ertm_init(chan);
4996 l2cap_send_disconn_req(chan, -err);
4998 l2cap_chan_ready(chan);
5002 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
5003 struct hci_chan *hchan)
5005 chan->hs_hcon = hchan->conn;
5006 chan->hs_hcon->l2cap_data = chan->conn;
5008 BT_DBG("move_state %d", chan->move_state);
5010 switch (chan->move_state) {
5011 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5012 /* Move confirm will be sent after a success
5013 * response is received
5015 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5017 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
5018 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5019 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5020 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5021 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5022 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5023 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5024 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5025 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5029 /* Move was not in expected state, free the channel */
5030 __release_logical_link(chan);
5032 chan->move_state = L2CAP_MOVE_STABLE;
5036 /* Call with chan locked */
5037 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
5040 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
5043 l2cap_logical_fail(chan);
5044 __release_logical_link(chan);
5048 if (chan->state != BT_CONNECTED) {
5049 /* Ignore logical link if channel is on BR/EDR */
5050 if (chan->local_amp_id != AMP_ID_BREDR)
5051 l2cap_logical_finish_create(chan, hchan);
5053 l2cap_logical_finish_move(chan, hchan);
5057 void l2cap_move_start(struct l2cap_chan *chan)
5059 BT_DBG("chan %p", chan);
5061 if (chan->local_amp_id == AMP_ID_BREDR) {
5062 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
5064 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5065 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5066 /* Placeholder - start physical link setup */
5068 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5069 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5071 l2cap_move_setup(chan);
5072 l2cap_send_move_chan_req(chan, 0);
5076 static void l2cap_do_create(struct l2cap_chan *chan, int result,
5077 u8 local_amp_id, u8 remote_amp_id)
5079 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
5080 local_amp_id, remote_amp_id);
5082 chan->fcs = L2CAP_FCS_NONE;
5084 /* Outgoing channel on AMP */
5085 if (chan->state == BT_CONNECT) {
5086 if (result == L2CAP_CR_SUCCESS) {
5087 chan->local_amp_id = local_amp_id;
5088 l2cap_send_create_chan_req(chan, remote_amp_id);
5090 /* Revert to BR/EDR connect */
5091 l2cap_send_conn_req(chan);
5097 /* Incoming channel on AMP */
5098 if (__l2cap_no_conn_pending(chan)) {
5099 struct l2cap_conn_rsp rsp;
5101 rsp.scid = cpu_to_le16(chan->dcid);
5102 rsp.dcid = cpu_to_le16(chan->scid);
5104 if (result == L2CAP_CR_SUCCESS) {
5105 /* Send successful response */
5106 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
5107 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5109 /* Send negative response */
5110 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
5111 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5114 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
5117 if (result == L2CAP_CR_SUCCESS) {
5118 l2cap_state_change(chan, BT_CONFIG);
5119 set_bit(CONF_REQ_SENT, &chan->conf_state);
5120 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
5122 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
5123 chan->num_conf_req++;
5128 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
5131 l2cap_move_setup(chan);
5132 chan->move_id = local_amp_id;
5133 chan->move_state = L2CAP_MOVE_WAIT_RSP;
5135 l2cap_send_move_chan_req(chan, remote_amp_id);
5138 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
5140 struct hci_chan *hchan = NULL;
5142 /* Placeholder - get hci_chan for logical link */
5145 if (hchan->state == BT_CONNECTED) {
5146 /* Logical link is ready to go */
5147 chan->hs_hcon = hchan->conn;
5148 chan->hs_hcon->l2cap_data = chan->conn;
5149 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5150 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5152 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5154 /* Wait for logical link to be ready */
5155 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5158 /* Logical link not available */
5159 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5163 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5165 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5167 if (result == -EINVAL)
5168 rsp_result = L2CAP_MR_BAD_ID;
5170 rsp_result = L2CAP_MR_NOT_ALLOWED;
5172 l2cap_send_move_chan_rsp(chan, rsp_result);
5175 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5176 chan->move_state = L2CAP_MOVE_STABLE;
5178 /* Restart data transmission */
5179 l2cap_ertm_send(chan);
5182 /* Invoke with locked chan */
5183 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5185 u8 local_amp_id = chan->local_amp_id;
5186 u8 remote_amp_id = chan->remote_amp_id;
5188 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5189 chan, result, local_amp_id, remote_amp_id);
5191 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
5194 if (chan->state != BT_CONNECTED) {
5195 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5196 } else if (result != L2CAP_MR_SUCCESS) {
5197 l2cap_do_move_cancel(chan, result);
5199 switch (chan->move_role) {
5200 case L2CAP_MOVE_ROLE_INITIATOR:
5201 l2cap_do_move_initiate(chan, local_amp_id,
5204 case L2CAP_MOVE_ROLE_RESPONDER:
5205 l2cap_do_move_respond(chan, result);
5208 l2cap_do_move_cancel(chan, result);
5214 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5215 struct l2cap_cmd_hdr *cmd,
5216 u16 cmd_len, void *data)
5218 struct l2cap_move_chan_req *req = data;
5219 struct l2cap_move_chan_rsp rsp;
5220 struct l2cap_chan *chan;
5222 u16 result = L2CAP_MR_NOT_ALLOWED;
5224 if (cmd_len != sizeof(*req))
5227 icid = le16_to_cpu(req->icid);
5229 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5231 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
5234 chan = l2cap_get_chan_by_dcid(conn, icid);
5236 rsp.icid = cpu_to_le16(icid);
5237 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5238 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5243 chan->ident = cmd->ident;
5245 if (chan->scid < L2CAP_CID_DYN_START ||
5246 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5247 (chan->mode != L2CAP_MODE_ERTM &&
5248 chan->mode != L2CAP_MODE_STREAMING)) {
5249 result = L2CAP_MR_NOT_ALLOWED;
5250 goto send_move_response;
5253 if (chan->local_amp_id == req->dest_amp_id) {
5254 result = L2CAP_MR_SAME_ID;
5255 goto send_move_response;
5258 if (req->dest_amp_id != AMP_ID_BREDR) {
5259 struct hci_dev *hdev;
5260 hdev = hci_dev_get(req->dest_amp_id);
5261 if (!hdev || hdev->dev_type != HCI_AMP ||
5262 !test_bit(HCI_UP, &hdev->flags)) {
5266 result = L2CAP_MR_BAD_ID;
5267 goto send_move_response;
5272 /* Detect a move collision. Only send a collision response
5273 * if this side has "lost", otherwise proceed with the move.
5274 * The winner has the larger bd_addr.
5276 if ((__chan_is_moving(chan) ||
5277 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5278 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5279 result = L2CAP_MR_COLLISION;
5280 goto send_move_response;
5283 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5284 l2cap_move_setup(chan);
5285 chan->move_id = req->dest_amp_id;
5287 if (req->dest_amp_id == AMP_ID_BREDR) {
5288 /* Moving to BR/EDR */
5289 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5290 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5291 result = L2CAP_MR_PEND;
5293 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5294 result = L2CAP_MR_SUCCESS;
5297 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5298 /* Placeholder - uncomment when amp functions are available */
5299 /*amp_accept_physical(chan, req->dest_amp_id);*/
5300 result = L2CAP_MR_PEND;
5304 l2cap_send_move_chan_rsp(chan, result);
5306 l2cap_chan_unlock(chan);
5311 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5313 struct l2cap_chan *chan;
5314 struct hci_chan *hchan = NULL;
5316 chan = l2cap_get_chan_by_scid(conn, icid);
5318 l2cap_send_move_chan_cfm_icid(conn, icid);
5322 __clear_chan_timer(chan);
5323 if (result == L2CAP_MR_PEND)
5324 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5326 switch (chan->move_state) {
5327 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5328 /* Move confirm will be sent when logical link
5331 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5333 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5334 if (result == L2CAP_MR_PEND) {
5336 } else if (test_bit(CONN_LOCAL_BUSY,
5337 &chan->conn_state)) {
5338 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5340 /* Logical link is up or moving to BR/EDR,
5343 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5344 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5347 case L2CAP_MOVE_WAIT_RSP:
5349 if (result == L2CAP_MR_SUCCESS) {
5350 /* Remote is ready, send confirm immediately
5351 * after logical link is ready
5353 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5355 /* Both logical link and move success
5356 * are required to confirm
5358 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5361 /* Placeholder - get hci_chan for logical link */
5363 /* Logical link not available */
5364 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5368 /* If the logical link is not yet connected, do not
5369 * send confirmation.
5371 if (hchan->state != BT_CONNECTED)
5374 /* Logical link is already ready to go */
5376 chan->hs_hcon = hchan->conn;
5377 chan->hs_hcon->l2cap_data = chan->conn;
5379 if (result == L2CAP_MR_SUCCESS) {
5380 /* Can confirm now */
5381 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5383 /* Now only need move success
5386 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5389 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5392 /* Any other amp move state means the move failed. */
5393 chan->move_id = chan->local_amp_id;
5394 l2cap_move_done(chan);
5395 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5398 l2cap_chan_unlock(chan);
5401 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5404 struct l2cap_chan *chan;
5406 chan = l2cap_get_chan_by_ident(conn, ident);
5408 /* Could not locate channel, icid is best guess */
5409 l2cap_send_move_chan_cfm_icid(conn, icid);
5413 __clear_chan_timer(chan);
5415 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5416 if (result == L2CAP_MR_COLLISION) {
5417 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5419 /* Cleanup - cancel move */
5420 chan->move_id = chan->local_amp_id;
5421 l2cap_move_done(chan);
5425 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5427 l2cap_chan_unlock(chan);
5430 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5431 struct l2cap_cmd_hdr *cmd,
5432 u16 cmd_len, void *data)
5434 struct l2cap_move_chan_rsp *rsp = data;
5437 if (cmd_len != sizeof(*rsp))
5440 icid = le16_to_cpu(rsp->icid);
5441 result = le16_to_cpu(rsp->result);
5443 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5445 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5446 l2cap_move_continue(conn, icid, result);
5448 l2cap_move_fail(conn, cmd->ident, icid, result);
5453 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5454 struct l2cap_cmd_hdr *cmd,
5455 u16 cmd_len, void *data)
5457 struct l2cap_move_chan_cfm *cfm = data;
5458 struct l2cap_chan *chan;
5461 if (cmd_len != sizeof(*cfm))
5464 icid = le16_to_cpu(cfm->icid);
5465 result = le16_to_cpu(cfm->result);
5467 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5469 chan = l2cap_get_chan_by_dcid(conn, icid);
5471 /* Spec requires a response even if the icid was not found */
5472 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5476 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5477 if (result == L2CAP_MC_CONFIRMED) {
5478 chan->local_amp_id = chan->move_id;
5479 if (chan->local_amp_id == AMP_ID_BREDR)
5480 __release_logical_link(chan);
5482 chan->move_id = chan->local_amp_id;
5485 l2cap_move_done(chan);
5488 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5490 l2cap_chan_unlock(chan);
5495 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5496 struct l2cap_cmd_hdr *cmd,
5497 u16 cmd_len, void *data)
5499 struct l2cap_move_chan_cfm_rsp *rsp = data;
5500 struct l2cap_chan *chan;
5503 if (cmd_len != sizeof(*rsp))
5506 icid = le16_to_cpu(rsp->icid);
5508 BT_DBG("icid 0x%4.4x", icid);
5510 chan = l2cap_get_chan_by_scid(conn, icid);
5514 __clear_chan_timer(chan);
5516 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5517 chan->local_amp_id = chan->move_id;
5519 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5520 __release_logical_link(chan);
5522 l2cap_move_done(chan);
5525 l2cap_chan_unlock(chan);
5530 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5531 struct l2cap_cmd_hdr *cmd,
5532 u16 cmd_len, u8 *data)
5534 struct hci_conn *hcon = conn->hcon;
5535 struct l2cap_conn_param_update_req *req;
5536 struct l2cap_conn_param_update_rsp rsp;
5537 u16 min, max, latency, to_multiplier;
5540 if (hcon->role != HCI_ROLE_MASTER)
5543 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5546 req = (struct l2cap_conn_param_update_req *) data;
5547 min = __le16_to_cpu(req->min);
5548 max = __le16_to_cpu(req->max);
5549 latency = __le16_to_cpu(req->latency);
5550 to_multiplier = __le16_to_cpu(req->to_multiplier);
5552 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5553 min, max, latency, to_multiplier);
5555 memset(&rsp, 0, sizeof(rsp));
5557 err = hci_check_conn_params(min, max, latency, to_multiplier);
5559 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5561 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5563 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5569 store_hint = hci_le_conn_update(hcon, min, max, latency,
5571 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5572 store_hint, min, max, latency,
5580 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5581 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5584 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5585 struct hci_conn *hcon = conn->hcon;
5586 u16 dcid, mtu, mps, credits, result;
5587 struct l2cap_chan *chan;
5590 if (cmd_len < sizeof(*rsp))
5593 dcid = __le16_to_cpu(rsp->dcid);
5594 mtu = __le16_to_cpu(rsp->mtu);
5595 mps = __le16_to_cpu(rsp->mps);
5596 credits = __le16_to_cpu(rsp->credits);
5597 result = __le16_to_cpu(rsp->result);
5599 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5600 dcid < L2CAP_CID_DYN_START ||
5601 dcid > L2CAP_CID_LE_DYN_END))
5604 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5605 dcid, mtu, mps, credits, result);
5607 mutex_lock(&conn->chan_lock);
5609 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5617 l2cap_chan_lock(chan);
5620 case L2CAP_CR_LE_SUCCESS:
5621 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5629 chan->remote_mps = mps;
5630 chan->tx_credits = credits;
5631 l2cap_chan_ready(chan);
5634 case L2CAP_CR_LE_AUTHENTICATION:
5635 case L2CAP_CR_LE_ENCRYPTION:
5636 /* If we already have MITM protection we can't do
5639 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5640 l2cap_chan_del(chan, ECONNREFUSED);
5644 sec_level = hcon->sec_level + 1;
5645 if (chan->sec_level < sec_level)
5646 chan->sec_level = sec_level;
5648 /* We'll need to send a new Connect Request */
5649 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5651 smp_conn_security(hcon, chan->sec_level);
5655 l2cap_chan_del(chan, ECONNREFUSED);
5659 l2cap_chan_unlock(chan);
5662 mutex_unlock(&conn->chan_lock);
5667 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5668 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5673 switch (cmd->code) {
5674 case L2CAP_COMMAND_REJ:
5675 l2cap_command_rej(conn, cmd, cmd_len, data);
5678 case L2CAP_CONN_REQ:
5679 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5682 case L2CAP_CONN_RSP:
5683 case L2CAP_CREATE_CHAN_RSP:
5684 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5687 case L2CAP_CONF_REQ:
5688 err = l2cap_config_req(conn, cmd, cmd_len, data);
5691 case L2CAP_CONF_RSP:
5692 l2cap_config_rsp(conn, cmd, cmd_len, data);
5695 case L2CAP_DISCONN_REQ:
5696 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5699 case L2CAP_DISCONN_RSP:
5700 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5703 case L2CAP_ECHO_REQ:
5704 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5707 case L2CAP_ECHO_RSP:
5710 case L2CAP_INFO_REQ:
5711 err = l2cap_information_req(conn, cmd, cmd_len, data);
5714 case L2CAP_INFO_RSP:
5715 l2cap_information_rsp(conn, cmd, cmd_len, data);
5718 case L2CAP_CREATE_CHAN_REQ:
5719 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5722 case L2CAP_MOVE_CHAN_REQ:
5723 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5726 case L2CAP_MOVE_CHAN_RSP:
5727 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5730 case L2CAP_MOVE_CHAN_CFM:
5731 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5734 case L2CAP_MOVE_CHAN_CFM_RSP:
5735 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5739 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5747 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5748 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5751 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5752 struct l2cap_le_conn_rsp rsp;
5753 struct l2cap_chan *chan, *pchan;
5754 u16 dcid, scid, credits, mtu, mps;
5758 if (cmd_len != sizeof(*req))
5761 scid = __le16_to_cpu(req->scid);
5762 mtu = __le16_to_cpu(req->mtu);
5763 mps = __le16_to_cpu(req->mps);
5768 if (mtu < 23 || mps < 23)
5771 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5774 /* Check if we have socket listening on psm */
5775 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5776 &conn->hcon->dst, LE_LINK);
5778 result = L2CAP_CR_LE_BAD_PSM;
5783 mutex_lock(&conn->chan_lock);
5784 l2cap_chan_lock(pchan);
5786 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5788 result = L2CAP_CR_LE_AUTHENTICATION;
5790 goto response_unlock;
5793 /* Check for valid dynamic CID range */
5794 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5795 result = L2CAP_CR_LE_INVALID_SCID;
5797 goto response_unlock;
5800 /* Check if we already have channel with that dcid */
5801 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5802 result = L2CAP_CR_LE_SCID_IN_USE;
5804 goto response_unlock;
5807 chan = pchan->ops->new_connection(pchan);
5809 result = L2CAP_CR_LE_NO_MEM;
5810 goto response_unlock;
5813 bacpy(&chan->src, &conn->hcon->src);
5814 bacpy(&chan->dst, &conn->hcon->dst);
5815 chan->src_type = bdaddr_src_type(conn->hcon);
5816 chan->dst_type = bdaddr_dst_type(conn->hcon);
5820 chan->remote_mps = mps;
5822 __l2cap_chan_add(conn, chan);
5824 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5827 credits = chan->rx_credits;
5829 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5831 chan->ident = cmd->ident;
5833 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5834 l2cap_state_change(chan, BT_CONNECT2);
5835 /* The following result value is actually not defined
5836 * for LE CoC but we use it to let the function know
5837 * that it should bail out after doing its cleanup
5838 * instead of sending a response.
5840 result = L2CAP_CR_PEND;
5841 chan->ops->defer(chan);
5843 l2cap_chan_ready(chan);
5844 result = L2CAP_CR_LE_SUCCESS;
5848 l2cap_chan_unlock(pchan);
5849 mutex_unlock(&conn->chan_lock);
5850 l2cap_chan_put(pchan);
5852 if (result == L2CAP_CR_PEND)
5857 rsp.mtu = cpu_to_le16(chan->imtu);
5858 rsp.mps = cpu_to_le16(chan->mps);
5864 rsp.dcid = cpu_to_le16(dcid);
5865 rsp.credits = cpu_to_le16(credits);
5866 rsp.result = cpu_to_le16(result);
5868 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5873 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5874 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5877 struct l2cap_le_credits *pkt;
5878 struct l2cap_chan *chan;
5879 u16 cid, credits, max_credits;
5881 if (cmd_len != sizeof(*pkt))
5884 pkt = (struct l2cap_le_credits *) data;
5885 cid = __le16_to_cpu(pkt->cid);
5886 credits = __le16_to_cpu(pkt->credits);
5888 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5890 chan = l2cap_get_chan_by_dcid(conn, cid);
5894 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5895 if (credits > max_credits) {
5896 BT_ERR("LE credits overflow");
5897 l2cap_send_disconn_req(chan, ECONNRESET);
5898 l2cap_chan_unlock(chan);
5900 /* Return 0 so that we don't trigger an unnecessary
5901 * command reject packet.
5906 chan->tx_credits += credits;
5908 /* Resume sending */
5909 l2cap_le_flowctl_send(chan);
5911 if (chan->tx_credits)
5912 chan->ops->resume(chan);
5914 l2cap_chan_unlock(chan);
5919 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5920 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5923 struct l2cap_ecred_conn_req *req = (void *) data;
5925 struct l2cap_ecred_conn_rsp rsp;
5926 __le16 dcid[L2CAP_ECRED_MAX_CID];
5928 struct l2cap_chan *chan, *pchan;
5938 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5939 result = L2CAP_CR_LE_INVALID_PARAMS;
5943 cmd_len -= sizeof(*req);
5944 num_scid = cmd_len / sizeof(u16);
5946 if (num_scid > ARRAY_SIZE(pdu.dcid)) {
5947 result = L2CAP_CR_LE_INVALID_PARAMS;
5951 mtu = __le16_to_cpu(req->mtu);
5952 mps = __le16_to_cpu(req->mps);
5954 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5955 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5961 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5963 memset(&pdu, 0, sizeof(pdu));
5965 /* Check if we have socket listening on psm */
5966 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5967 &conn->hcon->dst, LE_LINK);
5969 result = L2CAP_CR_LE_BAD_PSM;
5973 mutex_lock(&conn->chan_lock);
5974 l2cap_chan_lock(pchan);
5976 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5978 result = L2CAP_CR_LE_AUTHENTICATION;
5982 result = L2CAP_CR_LE_SUCCESS;
5984 for (i = 0; i < num_scid; i++) {
5985 u16 scid = __le16_to_cpu(req->scid[i]);
5987 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5989 pdu.dcid[i] = 0x0000;
5990 len += sizeof(*pdu.dcid);
5992 /* Check for valid dynamic CID range */
5993 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5994 result = L2CAP_CR_LE_INVALID_SCID;
5998 /* Check if we already have channel with that dcid */
5999 if (__l2cap_get_chan_by_dcid(conn, scid)) {
6000 result = L2CAP_CR_LE_SCID_IN_USE;
6004 chan = pchan->ops->new_connection(pchan);
6006 result = L2CAP_CR_LE_NO_MEM;
6010 bacpy(&chan->src, &conn->hcon->src);
6011 bacpy(&chan->dst, &conn->hcon->dst);
6012 chan->src_type = bdaddr_src_type(conn->hcon);
6013 chan->dst_type = bdaddr_dst_type(conn->hcon);
6017 chan->remote_mps = mps;
6019 __l2cap_chan_add(conn, chan);
6021 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6024 if (!pdu.rsp.credits) {
6025 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6026 pdu.rsp.mps = cpu_to_le16(chan->mps);
6027 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6030 pdu.dcid[i] = cpu_to_le16(chan->scid);
6032 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6034 chan->ident = cmd->ident;
6036 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6037 l2cap_state_change(chan, BT_CONNECT2);
6039 chan->ops->defer(chan);
6041 l2cap_chan_ready(chan);
6046 l2cap_chan_unlock(pchan);
6047 mutex_unlock(&conn->chan_lock);
6048 l2cap_chan_put(pchan);
6051 pdu.rsp.result = cpu_to_le16(result);
6056 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6057 sizeof(pdu.rsp) + len, &pdu);
6062 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6063 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6066 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6067 struct hci_conn *hcon = conn->hcon;
6068 u16 mtu, mps, credits, result;
6069 struct l2cap_chan *chan, *tmp;
6070 int err = 0, sec_level;
6073 if (cmd_len < sizeof(*rsp))
6076 mtu = __le16_to_cpu(rsp->mtu);
6077 mps = __le16_to_cpu(rsp->mps);
6078 credits = __le16_to_cpu(rsp->credits);
6079 result = __le16_to_cpu(rsp->result);
6081 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6084 mutex_lock(&conn->chan_lock);
6086 cmd_len -= sizeof(*rsp);
6088 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6091 if (chan->ident != cmd->ident ||
6092 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6093 chan->state == BT_CONNECTED)
6096 l2cap_chan_lock(chan);
6098 /* Check that there is a dcid for each pending channel */
6099 if (cmd_len < sizeof(dcid)) {
6100 l2cap_chan_del(chan, ECONNREFUSED);
6101 l2cap_chan_unlock(chan);
6105 dcid = __le16_to_cpu(rsp->dcid[i++]);
6106 cmd_len -= sizeof(u16);
6108 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6110 /* Check if dcid is already in use */
6111 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6112 /* If a device receives a
6113 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
6114 * already-assigned Destination CID, then both the
6115 * original channel and the new channel shall be
6116 * immediately discarded and not used.
6118 l2cap_chan_del(chan, ECONNREFUSED);
6119 l2cap_chan_unlock(chan);
6120 chan = __l2cap_get_chan_by_dcid(conn, dcid);
6121 l2cap_chan_lock(chan);
6122 l2cap_chan_del(chan, ECONNRESET);
6123 l2cap_chan_unlock(chan);
6128 case L2CAP_CR_LE_AUTHENTICATION:
6129 case L2CAP_CR_LE_ENCRYPTION:
6130 /* If we already have MITM protection we can't do
6133 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6134 l2cap_chan_del(chan, ECONNREFUSED);
6138 sec_level = hcon->sec_level + 1;
6139 if (chan->sec_level < sec_level)
6140 chan->sec_level = sec_level;
6142 /* We'll need to send a new Connect Request */
6143 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6145 smp_conn_security(hcon, chan->sec_level);
6148 case L2CAP_CR_LE_BAD_PSM:
6149 l2cap_chan_del(chan, ECONNREFUSED);
6153 /* If dcid was not set it means channels was refused */
6155 l2cap_chan_del(chan, ECONNREFUSED);
6162 chan->remote_mps = mps;
6163 chan->tx_credits = credits;
6164 l2cap_chan_ready(chan);
6168 l2cap_chan_unlock(chan);
6171 mutex_unlock(&conn->chan_lock);
6176 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6177 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6180 struct l2cap_ecred_reconf_req *req = (void *) data;
6181 struct l2cap_ecred_reconf_rsp rsp;
6182 u16 mtu, mps, result;
6183 struct l2cap_chan *chan;
6189 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6190 result = L2CAP_CR_LE_INVALID_PARAMS;
6194 mtu = __le16_to_cpu(req->mtu);
6195 mps = __le16_to_cpu(req->mps);
6197 BT_DBG("mtu %u mps %u", mtu, mps);
6199 if (mtu < L2CAP_ECRED_MIN_MTU) {
6200 result = L2CAP_RECONF_INVALID_MTU;
6204 if (mps < L2CAP_ECRED_MIN_MPS) {
6205 result = L2CAP_RECONF_INVALID_MPS;
6209 cmd_len -= sizeof(*req);
6210 num_scid = cmd_len / sizeof(u16);
6211 result = L2CAP_RECONF_SUCCESS;
6213 for (i = 0; i < num_scid; i++) {
6216 scid = __le16_to_cpu(req->scid[i]);
6220 chan = __l2cap_get_chan_by_dcid(conn, scid);
6224 /* If the MTU value is decreased for any of the included
6225 * channels, then the receiver shall disconnect all
6226 * included channels.
6228 if (chan->omtu > mtu) {
6229 BT_ERR("chan %p decreased MTU %u -> %u", chan,
6231 result = L2CAP_RECONF_INVALID_MTU;
6235 chan->remote_mps = mps;
6239 rsp.result = cpu_to_le16(result);
6241 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6247 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6248 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6251 struct l2cap_chan *chan, *tmp;
6252 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6255 if (cmd_len < sizeof(*rsp))
6258 result = __le16_to_cpu(rsp->result);
6260 BT_DBG("result 0x%4.4x", rsp->result);
6265 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6266 if (chan->ident != cmd->ident)
6269 l2cap_chan_del(chan, ECONNRESET);
6275 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
6276 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6279 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
6280 struct l2cap_chan *chan;
6282 if (cmd_len < sizeof(*rej))
6285 mutex_lock(&conn->chan_lock);
6287 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
6291 l2cap_chan_lock(chan);
6292 l2cap_chan_del(chan, ECONNREFUSED);
6293 l2cap_chan_unlock(chan);
6296 mutex_unlock(&conn->chan_lock);
6300 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
6301 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6306 switch (cmd->code) {
6307 case L2CAP_COMMAND_REJ:
6308 l2cap_le_command_rej(conn, cmd, cmd_len, data);
6311 case L2CAP_CONN_PARAM_UPDATE_REQ:
6312 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
6315 case L2CAP_CONN_PARAM_UPDATE_RSP:
6318 case L2CAP_LE_CONN_RSP:
6319 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
6322 case L2CAP_LE_CONN_REQ:
6323 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
6326 case L2CAP_LE_CREDITS:
6327 err = l2cap_le_credits(conn, cmd, cmd_len, data);
6330 case L2CAP_ECRED_CONN_REQ:
6331 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6334 case L2CAP_ECRED_CONN_RSP:
6335 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6338 case L2CAP_ECRED_RECONF_REQ:
6339 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6342 case L2CAP_ECRED_RECONF_RSP:
6343 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
6346 case L2CAP_DISCONN_REQ:
6347 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
6350 case L2CAP_DISCONN_RSP:
6351 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
6355 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
6363 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
6364 struct sk_buff *skb)
6366 struct hci_conn *hcon = conn->hcon;
6367 struct l2cap_cmd_hdr *cmd;
6371 if (hcon->type != LE_LINK)
6374 if (skb->len < L2CAP_CMD_HDR_SIZE)
6377 cmd = (void *) skb->data;
6378 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6380 len = le16_to_cpu(cmd->len);
6382 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
6384 if (len != skb->len || !cmd->ident) {
6385 BT_DBG("corrupted command");
6389 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
6391 struct l2cap_cmd_rej_unk rej;
6393 BT_ERR("Wrong link type (%d)", err);
6395 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6396 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6404 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
6405 struct sk_buff *skb)
6407 struct hci_conn *hcon = conn->hcon;
6408 struct l2cap_cmd_hdr *cmd;
6411 l2cap_raw_recv(conn, skb);
6413 if (hcon->type != ACL_LINK)
6416 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6419 cmd = (void *) skb->data;
6420 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6422 len = le16_to_cpu(cmd->len);
6424 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6427 if (len > skb->len || !cmd->ident) {
6428 BT_DBG("corrupted command");
6432 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
6434 struct l2cap_cmd_rej_unk rej;
6436 BT_ERR("Wrong link type (%d)", err);
6438 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6439 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6450 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
6452 u16 our_fcs, rcv_fcs;
6455 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
6456 hdr_size = L2CAP_EXT_HDR_SIZE;
6458 hdr_size = L2CAP_ENH_HDR_SIZE;
6460 if (chan->fcs == L2CAP_FCS_CRC16) {
6461 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
6462 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
6463 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
6465 if (our_fcs != rcv_fcs)
6471 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
6473 struct l2cap_ctrl control;
6475 BT_DBG("chan %p", chan);
6477 memset(&control, 0, sizeof(control));
6480 control.reqseq = chan->buffer_seq;
6481 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6483 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6484 control.super = L2CAP_SUPER_RNR;
6485 l2cap_send_sframe(chan, &control);
6488 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6489 chan->unacked_frames > 0)
6490 __set_retrans_timer(chan);
6492 /* Send pending iframes */
6493 l2cap_ertm_send(chan);
6495 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6496 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
6497 /* F-bit wasn't sent in an s-frame or i-frame yet, so
6500 control.super = L2CAP_SUPER_RR;
6501 l2cap_send_sframe(chan, &control);
6505 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
6506 struct sk_buff **last_frag)
6508 /* skb->len reflects data in skb as well as all fragments
6509 * skb->data_len reflects only data in fragments
6511 if (!skb_has_frag_list(skb))
6512 skb_shinfo(skb)->frag_list = new_frag;
6514 new_frag->next = NULL;
6516 (*last_frag)->next = new_frag;
6517 *last_frag = new_frag;
6519 skb->len += new_frag->len;
6520 skb->data_len += new_frag->len;
6521 skb->truesize += new_frag->truesize;
6524 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
6525 struct l2cap_ctrl *control)
6529 switch (control->sar) {
6530 case L2CAP_SAR_UNSEGMENTED:
6534 err = chan->ops->recv(chan, skb);
6537 case L2CAP_SAR_START:
6541 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
6544 chan->sdu_len = get_unaligned_le16(skb->data);
6545 skb_pull(skb, L2CAP_SDULEN_SIZE);
6547 if (chan->sdu_len > chan->imtu) {
6552 if (skb->len >= chan->sdu_len)
6556 chan->sdu_last_frag = skb;
6562 case L2CAP_SAR_CONTINUE:
6566 append_skb_frag(chan->sdu, skb,
6567 &chan->sdu_last_frag);
6570 if (chan->sdu->len >= chan->sdu_len)
6580 append_skb_frag(chan->sdu, skb,
6581 &chan->sdu_last_frag);
6584 if (chan->sdu->len != chan->sdu_len)
6587 err = chan->ops->recv(chan, chan->sdu);
6590 /* Reassembly complete */
6592 chan->sdu_last_frag = NULL;
6600 kfree_skb(chan->sdu);
6602 chan->sdu_last_frag = NULL;
6609 static int l2cap_resegment(struct l2cap_chan *chan)
6615 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6619 if (chan->mode != L2CAP_MODE_ERTM)
6622 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6623 l2cap_tx(chan, NULL, NULL, event);
6626 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6629 /* Pass sequential frames to l2cap_reassemble_sdu()
6630 * until a gap is encountered.
6633 BT_DBG("chan %p", chan);
6635 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6636 struct sk_buff *skb;
6637 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6638 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6640 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6645 skb_unlink(skb, &chan->srej_q);
6646 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6647 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6652 if (skb_queue_empty(&chan->srej_q)) {
6653 chan->rx_state = L2CAP_RX_STATE_RECV;
6654 l2cap_send_ack(chan);
6660 static void l2cap_handle_srej(struct l2cap_chan *chan,
6661 struct l2cap_ctrl *control)
6663 struct sk_buff *skb;
6665 BT_DBG("chan %p, control %p", chan, control);
6667 if (control->reqseq == chan->next_tx_seq) {
6668 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6669 l2cap_send_disconn_req(chan, ECONNRESET);
6673 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6676 BT_DBG("Seq %d not available for retransmission",
6681 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6682 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6683 l2cap_send_disconn_req(chan, ECONNRESET);
6687 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6689 if (control->poll) {
6690 l2cap_pass_to_tx(chan, control);
6692 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6693 l2cap_retransmit(chan, control);
6694 l2cap_ertm_send(chan);
6696 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6697 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6698 chan->srej_save_reqseq = control->reqseq;
6701 l2cap_pass_to_tx_fbit(chan, control);
6703 if (control->final) {
6704 if (chan->srej_save_reqseq != control->reqseq ||
6705 !test_and_clear_bit(CONN_SREJ_ACT,
6707 l2cap_retransmit(chan, control);
6709 l2cap_retransmit(chan, control);
6710 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6711 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6712 chan->srej_save_reqseq = control->reqseq;
6718 static void l2cap_handle_rej(struct l2cap_chan *chan,
6719 struct l2cap_ctrl *control)
6721 struct sk_buff *skb;
6723 BT_DBG("chan %p, control %p", chan, control);
6725 if (control->reqseq == chan->next_tx_seq) {
6726 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6727 l2cap_send_disconn_req(chan, ECONNRESET);
6731 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6733 if (chan->max_tx && skb &&
6734 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6735 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6736 l2cap_send_disconn_req(chan, ECONNRESET);
6740 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6742 l2cap_pass_to_tx(chan, control);
6744 if (control->final) {
6745 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6746 l2cap_retransmit_all(chan, control);
6748 l2cap_retransmit_all(chan, control);
6749 l2cap_ertm_send(chan);
6750 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6751 set_bit(CONN_REJ_ACT, &chan->conn_state);
6755 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6757 BT_DBG("chan %p, txseq %d", chan, txseq);
6759 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6760 chan->expected_tx_seq);
6762 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6763 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6765 /* See notes below regarding "double poll" and
6768 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6769 BT_DBG("Invalid/Ignore - after SREJ");
6770 return L2CAP_TXSEQ_INVALID_IGNORE;
6772 BT_DBG("Invalid - in window after SREJ sent");
6773 return L2CAP_TXSEQ_INVALID;
6777 if (chan->srej_list.head == txseq) {
6778 BT_DBG("Expected SREJ");
6779 return L2CAP_TXSEQ_EXPECTED_SREJ;
6782 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6783 BT_DBG("Duplicate SREJ - txseq already stored");
6784 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6787 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6788 BT_DBG("Unexpected SREJ - not requested");
6789 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6793 if (chan->expected_tx_seq == txseq) {
6794 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6796 BT_DBG("Invalid - txseq outside tx window");
6797 return L2CAP_TXSEQ_INVALID;
6800 return L2CAP_TXSEQ_EXPECTED;
6804 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6805 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6806 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6807 return L2CAP_TXSEQ_DUPLICATE;
6810 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6811 /* A source of invalid packets is a "double poll" condition,
6812 * where delays cause us to send multiple poll packets. If
6813 * the remote stack receives and processes both polls,
6814 * sequence numbers can wrap around in such a way that a
6815 * resent frame has a sequence number that looks like new data
6816 * with a sequence gap. This would trigger an erroneous SREJ
6819 * Fortunately, this is impossible with a tx window that's
6820 * less than half of the maximum sequence number, which allows
6821 * invalid frames to be safely ignored.
6823 * With tx window sizes greater than half of the tx window
6824 * maximum, the frame is invalid and cannot be ignored. This
6825 * causes a disconnect.
6828 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6829 BT_DBG("Invalid/Ignore - txseq outside tx window");
6830 return L2CAP_TXSEQ_INVALID_IGNORE;
6832 BT_DBG("Invalid - txseq outside tx window");
6833 return L2CAP_TXSEQ_INVALID;
6836 BT_DBG("Unexpected - txseq indicates missing frames");
6837 return L2CAP_TXSEQ_UNEXPECTED;
6841 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6842 struct l2cap_ctrl *control,
6843 struct sk_buff *skb, u8 event)
6846 bool skb_in_use = false;
6848 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6852 case L2CAP_EV_RECV_IFRAME:
6853 switch (l2cap_classify_txseq(chan, control->txseq)) {
6854 case L2CAP_TXSEQ_EXPECTED:
6855 l2cap_pass_to_tx(chan, control);
6857 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6858 BT_DBG("Busy, discarding expected seq %d",
6863 chan->expected_tx_seq = __next_seq(chan,
6866 chan->buffer_seq = chan->expected_tx_seq;
6869 err = l2cap_reassemble_sdu(chan, skb, control);
6873 if (control->final) {
6874 if (!test_and_clear_bit(CONN_REJ_ACT,
6875 &chan->conn_state)) {
6877 l2cap_retransmit_all(chan, control);
6878 l2cap_ertm_send(chan);
6882 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6883 l2cap_send_ack(chan);
6885 case L2CAP_TXSEQ_UNEXPECTED:
6886 l2cap_pass_to_tx(chan, control);
6888 /* Can't issue SREJ frames in the local busy state.
6889 * Drop this frame, it will be seen as missing
6890 * when local busy is exited.
6892 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6893 BT_DBG("Busy, discarding unexpected seq %d",
6898 /* There was a gap in the sequence, so an SREJ
6899 * must be sent for each missing frame. The
6900 * current frame is stored for later use.
6902 skb_queue_tail(&chan->srej_q, skb);
6904 BT_DBG("Queued %p (queue len %d)", skb,
6905 skb_queue_len(&chan->srej_q));
6907 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6908 l2cap_seq_list_clear(&chan->srej_list);
6909 l2cap_send_srej(chan, control->txseq);
6911 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6913 case L2CAP_TXSEQ_DUPLICATE:
6914 l2cap_pass_to_tx(chan, control);
6916 case L2CAP_TXSEQ_INVALID_IGNORE:
6918 case L2CAP_TXSEQ_INVALID:
6920 l2cap_send_disconn_req(chan, ECONNRESET);
6924 case L2CAP_EV_RECV_RR:
6925 l2cap_pass_to_tx(chan, control);
6926 if (control->final) {
6927 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6929 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6930 !__chan_is_moving(chan)) {
6932 l2cap_retransmit_all(chan, control);
6935 l2cap_ertm_send(chan);
6936 } else if (control->poll) {
6937 l2cap_send_i_or_rr_or_rnr(chan);
6939 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6940 &chan->conn_state) &&
6941 chan->unacked_frames)
6942 __set_retrans_timer(chan);
6944 l2cap_ertm_send(chan);
6947 case L2CAP_EV_RECV_RNR:
6948 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6949 l2cap_pass_to_tx(chan, control);
6950 if (control && control->poll) {
6951 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6952 l2cap_send_rr_or_rnr(chan, 0);
6954 __clear_retrans_timer(chan);
6955 l2cap_seq_list_clear(&chan->retrans_list);
6957 case L2CAP_EV_RECV_REJ:
6958 l2cap_handle_rej(chan, control);
6960 case L2CAP_EV_RECV_SREJ:
6961 l2cap_handle_srej(chan, control);
6967 if (skb && !skb_in_use) {
6968 BT_DBG("Freeing %p", skb);
6975 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6976 struct l2cap_ctrl *control,
6977 struct sk_buff *skb, u8 event)
6980 u16 txseq = control->txseq;
6981 bool skb_in_use = false;
6983 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6987 case L2CAP_EV_RECV_IFRAME:
6988 switch (l2cap_classify_txseq(chan, txseq)) {
6989 case L2CAP_TXSEQ_EXPECTED:
6990 /* Keep frame for reassembly later */
6991 l2cap_pass_to_tx(chan, control);
6992 skb_queue_tail(&chan->srej_q, skb);
6994 BT_DBG("Queued %p (queue len %d)", skb,
6995 skb_queue_len(&chan->srej_q));
6997 chan->expected_tx_seq = __next_seq(chan, txseq);
6999 case L2CAP_TXSEQ_EXPECTED_SREJ:
7000 l2cap_seq_list_pop(&chan->srej_list);
7002 l2cap_pass_to_tx(chan, control);
7003 skb_queue_tail(&chan->srej_q, skb);
7005 BT_DBG("Queued %p (queue len %d)", skb,
7006 skb_queue_len(&chan->srej_q));
7008 err = l2cap_rx_queued_iframes(chan);
7013 case L2CAP_TXSEQ_UNEXPECTED:
7014 /* Got a frame that can't be reassembled yet.
7015 * Save it for later, and send SREJs to cover
7016 * the missing frames.
7018 skb_queue_tail(&chan->srej_q, skb);
7020 BT_DBG("Queued %p (queue len %d)", skb,
7021 skb_queue_len(&chan->srej_q));
7023 l2cap_pass_to_tx(chan, control);
7024 l2cap_send_srej(chan, control->txseq);
7026 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
7027 /* This frame was requested with an SREJ, but
7028 * some expected retransmitted frames are
7029 * missing. Request retransmission of missing
7032 skb_queue_tail(&chan->srej_q, skb);
7034 BT_DBG("Queued %p (queue len %d)", skb,
7035 skb_queue_len(&chan->srej_q));
7037 l2cap_pass_to_tx(chan, control);
7038 l2cap_send_srej_list(chan, control->txseq);
7040 case L2CAP_TXSEQ_DUPLICATE_SREJ:
7041 /* We've already queued this frame. Drop this copy. */
7042 l2cap_pass_to_tx(chan, control);
7044 case L2CAP_TXSEQ_DUPLICATE:
7045 /* Expecting a later sequence number, so this frame
7046 * was already received. Ignore it completely.
7049 case L2CAP_TXSEQ_INVALID_IGNORE:
7051 case L2CAP_TXSEQ_INVALID:
7053 l2cap_send_disconn_req(chan, ECONNRESET);
7057 case L2CAP_EV_RECV_RR:
7058 l2cap_pass_to_tx(chan, control);
7059 if (control->final) {
7060 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7062 if (!test_and_clear_bit(CONN_REJ_ACT,
7063 &chan->conn_state)) {
7065 l2cap_retransmit_all(chan, control);
7068 l2cap_ertm_send(chan);
7069 } else if (control->poll) {
7070 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7071 &chan->conn_state) &&
7072 chan->unacked_frames) {
7073 __set_retrans_timer(chan);
7076 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7077 l2cap_send_srej_tail(chan);
7079 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7080 &chan->conn_state) &&
7081 chan->unacked_frames)
7082 __set_retrans_timer(chan);
7084 l2cap_send_ack(chan);
7087 case L2CAP_EV_RECV_RNR:
7088 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7089 l2cap_pass_to_tx(chan, control);
7090 if (control->poll) {
7091 l2cap_send_srej_tail(chan);
7093 struct l2cap_ctrl rr_control;
7094 memset(&rr_control, 0, sizeof(rr_control));
7095 rr_control.sframe = 1;
7096 rr_control.super = L2CAP_SUPER_RR;
7097 rr_control.reqseq = chan->buffer_seq;
7098 l2cap_send_sframe(chan, &rr_control);
7102 case L2CAP_EV_RECV_REJ:
7103 l2cap_handle_rej(chan, control);
7105 case L2CAP_EV_RECV_SREJ:
7106 l2cap_handle_srej(chan, control);
7110 if (skb && !skb_in_use) {
7111 BT_DBG("Freeing %p", skb);
7118 static int l2cap_finish_move(struct l2cap_chan *chan)
7120 BT_DBG("chan %p", chan);
7122 chan->rx_state = L2CAP_RX_STATE_RECV;
7125 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7127 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7129 return l2cap_resegment(chan);
7132 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
7133 struct l2cap_ctrl *control,
7134 struct sk_buff *skb, u8 event)
7138 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7144 l2cap_process_reqseq(chan, control->reqseq);
7146 if (!skb_queue_empty(&chan->tx_q))
7147 chan->tx_send_head = skb_peek(&chan->tx_q);
7149 chan->tx_send_head = NULL;
7151 /* Rewind next_tx_seq to the point expected
7154 chan->next_tx_seq = control->reqseq;
7155 chan->unacked_frames = 0;
7157 err = l2cap_finish_move(chan);
7161 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7162 l2cap_send_i_or_rr_or_rnr(chan);
7164 if (event == L2CAP_EV_RECV_IFRAME)
7167 return l2cap_rx_state_recv(chan, control, NULL, event);
7170 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
7171 struct l2cap_ctrl *control,
7172 struct sk_buff *skb, u8 event)
7176 if (!control->final)
7179 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7181 chan->rx_state = L2CAP_RX_STATE_RECV;
7182 l2cap_process_reqseq(chan, control->reqseq);
7184 if (!skb_queue_empty(&chan->tx_q))
7185 chan->tx_send_head = skb_peek(&chan->tx_q);
7187 chan->tx_send_head = NULL;
7189 /* Rewind next_tx_seq to the point expected
7192 chan->next_tx_seq = control->reqseq;
7193 chan->unacked_frames = 0;
7196 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7198 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7200 err = l2cap_resegment(chan);
7203 err = l2cap_rx_state_recv(chan, control, skb, event);
7208 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
7210 /* Make sure reqseq is for a packet that has been sent but not acked */
7213 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
7214 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
7217 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7218 struct sk_buff *skb, u8 event)
7222 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
7223 control, skb, event, chan->rx_state);
7225 if (__valid_reqseq(chan, control->reqseq)) {
7226 switch (chan->rx_state) {
7227 case L2CAP_RX_STATE_RECV:
7228 err = l2cap_rx_state_recv(chan, control, skb, event);
7230 case L2CAP_RX_STATE_SREJ_SENT:
7231 err = l2cap_rx_state_srej_sent(chan, control, skb,
7234 case L2CAP_RX_STATE_WAIT_P:
7235 err = l2cap_rx_state_wait_p(chan, control, skb, event);
7237 case L2CAP_RX_STATE_WAIT_F:
7238 err = l2cap_rx_state_wait_f(chan, control, skb, event);
7245 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
7246 control->reqseq, chan->next_tx_seq,
7247 chan->expected_ack_seq);
7248 l2cap_send_disconn_req(chan, ECONNRESET);
7254 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7255 struct sk_buff *skb)
7257 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
7260 if (l2cap_classify_txseq(chan, control->txseq) ==
7261 L2CAP_TXSEQ_EXPECTED) {
7262 l2cap_pass_to_tx(chan, control);
7264 BT_DBG("buffer_seq %u->%u", chan->buffer_seq,
7265 __next_seq(chan, chan->buffer_seq));
7267 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
7269 l2cap_reassemble_sdu(chan, skb, control);
7272 kfree_skb(chan->sdu);
7275 chan->sdu_last_frag = NULL;
7279 BT_DBG("Freeing %p", skb);
7284 chan->last_acked_seq = control->txseq;
7285 chan->expected_tx_seq = __next_seq(chan, control->txseq);
7290 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7292 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
7296 __unpack_control(chan, skb);
7301 * We can just drop the corrupted I-frame here.
7302 * Receiver will miss it and start proper recovery
7303 * procedures and ask for retransmission.
7305 if (l2cap_check_fcs(chan, skb))
7308 if (!control->sframe && control->sar == L2CAP_SAR_START)
7309 len -= L2CAP_SDULEN_SIZE;
7311 if (chan->fcs == L2CAP_FCS_CRC16)
7312 len -= L2CAP_FCS_SIZE;
7314 if (len > chan->mps) {
7315 l2cap_send_disconn_req(chan, ECONNRESET);
7319 if (chan->ops->filter) {
7320 if (chan->ops->filter(chan, skb))
7324 if (!control->sframe) {
7327 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
7328 control->sar, control->reqseq, control->final,
7331 /* Validate F-bit - F=0 always valid, F=1 only
7332 * valid in TX WAIT_F
7334 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
7337 if (chan->mode != L2CAP_MODE_STREAMING) {
7338 event = L2CAP_EV_RECV_IFRAME;
7339 err = l2cap_rx(chan, control, skb, event);
7341 err = l2cap_stream_rx(chan, control, skb);
7345 l2cap_send_disconn_req(chan, ECONNRESET);
7347 const u8 rx_func_to_event[4] = {
7348 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
7349 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
7352 /* Only I-frames are expected in streaming mode */
7353 if (chan->mode == L2CAP_MODE_STREAMING)
7356 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
7357 control->reqseq, control->final, control->poll,
7361 BT_ERR("Trailing bytes: %d in sframe", len);
7362 l2cap_send_disconn_req(chan, ECONNRESET);
7366 /* Validate F and P bits */
7367 if (control->final && (control->poll ||
7368 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
7371 event = rx_func_to_event[control->super];
7372 if (l2cap_rx(chan, control, skb, event))
7373 l2cap_send_disconn_req(chan, ECONNRESET);
7383 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
7385 struct l2cap_conn *conn = chan->conn;
7386 struct l2cap_le_credits pkt;
7389 return_credits = (chan->imtu / chan->mps) + 1;
7391 if (chan->rx_credits >= return_credits)
7394 return_credits -= chan->rx_credits;
7396 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
7398 chan->rx_credits += return_credits;
7400 pkt.cid = cpu_to_le16(chan->scid);
7401 pkt.credits = cpu_to_le16(return_credits);
7403 chan->ident = l2cap_get_ident(conn);
7405 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
7408 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7412 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7414 /* Wait recv to confirm reception before updating the credits */
7415 err = chan->ops->recv(chan, skb);
7417 /* Update credits whenever an SDU is received */
7418 l2cap_chan_le_send_credits(chan);
7423 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7427 if (!chan->rx_credits) {
7428 BT_ERR("No credits to receive LE L2CAP data");
7429 l2cap_send_disconn_req(chan, ECONNRESET);
7433 if (chan->imtu < skb->len) {
7434 BT_ERR("Too big LE L2CAP PDU");
7439 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
7441 /* Update if remote had run out of credits, this should only happens
7442 * if the remote is not using the entire MPS.
7444 if (!chan->rx_credits)
7445 l2cap_chan_le_send_credits(chan);
7452 sdu_len = get_unaligned_le16(skb->data);
7453 skb_pull(skb, L2CAP_SDULEN_SIZE);
7455 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
7456 sdu_len, skb->len, chan->imtu);
7458 if (sdu_len > chan->imtu) {
7459 BT_ERR("Too big LE L2CAP SDU length received");
7464 if (skb->len > sdu_len) {
7465 BT_ERR("Too much LE L2CAP data received");
7470 if (skb->len == sdu_len)
7471 return l2cap_ecred_recv(chan, skb);
7474 chan->sdu_len = sdu_len;
7475 chan->sdu_last_frag = skb;
7477 /* Detect if remote is not able to use the selected MPS */
7478 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
7479 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
7481 /* Adjust the number of credits */
7482 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
7483 chan->mps = mps_len;
7484 l2cap_chan_le_send_credits(chan);
7490 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
7491 chan->sdu->len, skb->len, chan->sdu_len);
7493 if (chan->sdu->len + skb->len > chan->sdu_len) {
7494 BT_ERR("Too much LE L2CAP data received");
7499 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
7502 if (chan->sdu->len == chan->sdu_len) {
7503 err = l2cap_ecred_recv(chan, chan->sdu);
7506 chan->sdu_last_frag = NULL;
7514 kfree_skb(chan->sdu);
7516 chan->sdu_last_frag = NULL;
7520 /* We can't return an error here since we took care of the skb
7521 * freeing internally. An error return would cause the caller to
7522 * do a double-free of the skb.
7527 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
7528 struct sk_buff *skb)
7530 struct l2cap_chan *chan;
7532 chan = l2cap_get_chan_by_scid(conn, cid);
7534 if (cid == L2CAP_CID_A2MP) {
7535 chan = a2mp_channel_create(conn, skb);
7541 l2cap_chan_lock(chan);
7543 BT_DBG("unknown cid 0x%4.4x", cid);
7544 /* Drop packet and return */
7550 BT_DBG("chan %p, len %d", chan, skb->len);
7552 /* If we receive data on a fixed channel before the info req/rsp
7553 * procedure is done simply assume that the channel is supported
7554 * and mark it as ready.
7556 if (chan->chan_type == L2CAP_CHAN_FIXED)
7557 l2cap_chan_ready(chan);
7559 if (chan->state != BT_CONNECTED)
7562 switch (chan->mode) {
7563 case L2CAP_MODE_LE_FLOWCTL:
7564 case L2CAP_MODE_EXT_FLOWCTL:
7565 if (l2cap_ecred_data_rcv(chan, skb) < 0)
7570 case L2CAP_MODE_BASIC:
7571 /* If socket recv buffers overflows we drop data here
7572 * which is *bad* because L2CAP has to be reliable.
7573 * But we don't have any other choice. L2CAP doesn't
7574 * provide flow control mechanism. */
7576 if (chan->imtu < skb->len) {
7577 BT_ERR("Dropping L2CAP data: receive buffer overflow");
7581 if (!chan->ops->recv(chan, skb))
7585 case L2CAP_MODE_ERTM:
7586 case L2CAP_MODE_STREAMING:
7587 l2cap_data_rcv(chan, skb);
7591 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7599 l2cap_chan_unlock(chan);
7602 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7603 struct sk_buff *skb)
7605 struct hci_conn *hcon = conn->hcon;
7606 struct l2cap_chan *chan;
7608 if (hcon->type != ACL_LINK)
7611 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7616 BT_DBG("chan %p, len %d", chan, skb->len);
7618 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7621 if (chan->imtu < skb->len)
7624 /* Store remote BD_ADDR and PSM for msg_name */
7625 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7626 bt_cb(skb)->l2cap.psm = psm;
7628 if (!chan->ops->recv(chan, skb)) {
7629 l2cap_chan_put(chan);
7634 l2cap_chan_put(chan);
7639 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7641 struct l2cap_hdr *lh = (void *) skb->data;
7642 struct hci_conn *hcon = conn->hcon;
7646 if (hcon->state != BT_CONNECTED) {
7647 BT_DBG("queueing pending rx skb");
7648 skb_queue_tail(&conn->pending_rx, skb);
7652 skb_pull(skb, L2CAP_HDR_SIZE);
7653 cid = __le16_to_cpu(lh->cid);
7654 len = __le16_to_cpu(lh->len);
7656 if (len != skb->len) {
7661 /* Since we can't actively block incoming LE connections we must
7662 * at least ensure that we ignore incoming data from them.
7664 if (hcon->type == LE_LINK &&
7665 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst,
7666 bdaddr_dst_type(hcon))) {
7671 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7674 case L2CAP_CID_SIGNALING:
7675 l2cap_sig_channel(conn, skb);
7678 case L2CAP_CID_CONN_LESS:
7679 psm = get_unaligned((__le16 *) skb->data);
7680 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7681 l2cap_conless_channel(conn, psm, skb);
7684 case L2CAP_CID_LE_SIGNALING:
7685 l2cap_le_sig_channel(conn, skb);
7689 l2cap_data_channel(conn, cid, skb);
7694 static void process_pending_rx(struct work_struct *work)
7696 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7698 struct sk_buff *skb;
7702 while ((skb = skb_dequeue(&conn->pending_rx)))
7703 l2cap_recv_frame(conn, skb);
7706 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7708 struct l2cap_conn *conn = hcon->l2cap_data;
7709 struct hci_chan *hchan;
7714 hchan = hci_chan_create(hcon);
7718 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7720 hci_chan_del(hchan);
7724 kref_init(&conn->ref);
7725 hcon->l2cap_data = conn;
7726 conn->hcon = hci_conn_get(hcon);
7727 conn->hchan = hchan;
7729 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7731 switch (hcon->type) {
7733 if (hcon->hdev->le_mtu) {
7734 conn->mtu = hcon->hdev->le_mtu;
7739 conn->mtu = hcon->hdev->acl_mtu;
7743 conn->feat_mask = 0;
7745 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7747 if (hcon->type == ACL_LINK &&
7748 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7749 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7751 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7752 (bredr_sc_enabled(hcon->hdev) ||
7753 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7754 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7756 mutex_init(&conn->ident_lock);
7757 mutex_init(&conn->chan_lock);
7759 INIT_LIST_HEAD(&conn->chan_l);
7760 INIT_LIST_HEAD(&conn->users);
7762 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7764 skb_queue_head_init(&conn->pending_rx);
7765 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7766 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7768 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7773 static bool is_valid_psm(u16 psm, u8 dst_type)
7778 if (bdaddr_type_is_le(dst_type))
7779 return (psm <= 0x00ff);
7781 /* PSM must be odd and lsb of upper byte must be 0 */
7782 return ((psm & 0x0101) == 0x0001);
7785 struct l2cap_chan_data {
7786 struct l2cap_chan *chan;
7791 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7793 struct l2cap_chan_data *d = data;
7796 if (chan == d->chan)
7799 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7802 pid = chan->ops->get_peer_pid(chan);
7804 /* Only count deferred channels with the same PID/PSM */
7805 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7806 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7812 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7813 bdaddr_t *dst, u8 dst_type)
7815 struct l2cap_conn *conn;
7816 struct hci_conn *hcon;
7817 struct hci_dev *hdev;
7820 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7821 dst, dst_type, __le16_to_cpu(psm), chan->mode);
7823 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7825 return -EHOSTUNREACH;
7829 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7830 chan->chan_type != L2CAP_CHAN_RAW) {
7835 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7840 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7845 switch (chan->mode) {
7846 case L2CAP_MODE_BASIC:
7848 case L2CAP_MODE_LE_FLOWCTL:
7850 case L2CAP_MODE_EXT_FLOWCTL:
7851 if (!enable_ecred) {
7856 case L2CAP_MODE_ERTM:
7857 case L2CAP_MODE_STREAMING:
7866 switch (chan->state) {
7870 /* Already connecting */
7875 /* Already connected */
7889 /* Set destination address and psm */
7890 bacpy(&chan->dst, dst);
7891 chan->dst_type = dst_type;
7896 if (bdaddr_type_is_le(dst_type)) {
7897 /* Convert from L2CAP channel address type to HCI address type
7899 if (dst_type == BDADDR_LE_PUBLIC)
7900 dst_type = ADDR_LE_DEV_PUBLIC;
7902 dst_type = ADDR_LE_DEV_RANDOM;
7904 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7905 hcon = hci_connect_le(hdev, dst, dst_type,
7907 HCI_LE_CONN_TIMEOUT,
7908 HCI_ROLE_SLAVE, NULL);
7910 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7912 HCI_LE_CONN_TIMEOUT,
7913 CONN_REASON_L2CAP_CHAN);
7916 u8 auth_type = l2cap_get_auth_type(chan);
7917 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7918 CONN_REASON_L2CAP_CHAN);
7922 err = PTR_ERR(hcon);
7926 conn = l2cap_conn_add(hcon);
7928 hci_conn_drop(hcon);
7933 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7934 struct l2cap_chan_data data;
7937 data.pid = chan->ops->get_peer_pid(chan);
7940 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7942 /* Check if there isn't too many channels being connected */
7943 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7944 hci_conn_drop(hcon);
7950 mutex_lock(&conn->chan_lock);
7951 l2cap_chan_lock(chan);
7953 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7954 hci_conn_drop(hcon);
7959 /* Update source addr of the socket */
7960 bacpy(&chan->src, &hcon->src);
7961 chan->src_type = bdaddr_src_type(hcon);
7963 __l2cap_chan_add(conn, chan);
7965 /* l2cap_chan_add takes its own ref so we can drop this one */
7966 hci_conn_drop(hcon);
7968 l2cap_state_change(chan, BT_CONNECT);
7969 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7971 /* Release chan->sport so that it can be reused by other
7972 * sockets (as it's only used for listening sockets).
7974 write_lock(&chan_list_lock);
7976 write_unlock(&chan_list_lock);
7978 if (hcon->state == BT_CONNECTED) {
7979 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7980 __clear_chan_timer(chan);
7981 if (l2cap_chan_check_security(chan, true))
7982 l2cap_state_change(chan, BT_CONNECTED);
7984 l2cap_do_start(chan);
7990 l2cap_chan_unlock(chan);
7991 mutex_unlock(&conn->chan_lock);
7993 hci_dev_unlock(hdev);
7997 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7999 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
8001 struct l2cap_conn *conn = chan->conn;
8003 struct l2cap_ecred_reconf_req req;
8007 pdu.req.mtu = cpu_to_le16(chan->imtu);
8008 pdu.req.mps = cpu_to_le16(chan->mps);
8009 pdu.scid = cpu_to_le16(chan->scid);
8011 chan->ident = l2cap_get_ident(conn);
8013 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
8017 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8019 if (chan->imtu > mtu)
8022 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8026 l2cap_ecred_reconfigure(chan);
8031 /* ---- L2CAP interface with lower layer (HCI) ---- */
8033 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
8035 int exact = 0, lm1 = 0, lm2 = 0;
8036 struct l2cap_chan *c;
8038 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
8040 /* Find listening sockets and check their link_mode */
8041 read_lock(&chan_list_lock);
8042 list_for_each_entry(c, &chan_list, global_l) {
8043 if (c->state != BT_LISTEN)
8046 if (!bacmp(&c->src, &hdev->bdaddr)) {
8047 lm1 |= HCI_LM_ACCEPT;
8048 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8049 lm1 |= HCI_LM_MASTER;
8051 } else if (!bacmp(&c->src, BDADDR_ANY)) {
8052 lm2 |= HCI_LM_ACCEPT;
8053 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8054 lm2 |= HCI_LM_MASTER;
8057 read_unlock(&chan_list_lock);
8059 return exact ? lm1 : lm2;
8062 /* Find the next fixed channel in BT_LISTEN state, continue iteration
8063 * from an existing channel in the list or from the beginning of the
8064 * global list (by passing NULL as first parameter).
8066 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
8067 struct hci_conn *hcon)
8069 u8 src_type = bdaddr_src_type(hcon);
8071 read_lock(&chan_list_lock);
8074 c = list_next_entry(c, global_l);
8076 c = list_entry(chan_list.next, typeof(*c), global_l);
8078 list_for_each_entry_from(c, &chan_list, global_l) {
8079 if (c->chan_type != L2CAP_CHAN_FIXED)
8081 if (c->state != BT_LISTEN)
8083 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
8085 if (src_type != c->src_type)
8089 read_unlock(&chan_list_lock);
8093 read_unlock(&chan_list_lock);
8098 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
8100 struct hci_dev *hdev = hcon->hdev;
8101 struct l2cap_conn *conn;
8102 struct l2cap_chan *pchan;
8105 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8108 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
8111 l2cap_conn_del(hcon, bt_to_errno(status));
8115 conn = l2cap_conn_add(hcon);
8119 dst_type = bdaddr_dst_type(hcon);
8121 /* If device is blocked, do not create channels for it */
8122 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type))
8125 /* Find fixed channels and notify them of the new connection. We
8126 * use multiple individual lookups, continuing each time where
8127 * we left off, because the list lock would prevent calling the
8128 * potentially sleeping l2cap_chan_lock() function.
8130 pchan = l2cap_global_fixed_chan(NULL, hcon);
8132 struct l2cap_chan *chan, *next;
8134 /* Client fixed channels should override server ones */
8135 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
8138 l2cap_chan_lock(pchan);
8139 chan = pchan->ops->new_connection(pchan);
8141 bacpy(&chan->src, &hcon->src);
8142 bacpy(&chan->dst, &hcon->dst);
8143 chan->src_type = bdaddr_src_type(hcon);
8144 chan->dst_type = dst_type;
8146 __l2cap_chan_add(conn, chan);
8149 l2cap_chan_unlock(pchan);
8151 next = l2cap_global_fixed_chan(pchan, hcon);
8152 l2cap_chan_put(pchan);
8156 l2cap_conn_ready(conn);
8159 int l2cap_disconn_ind(struct hci_conn *hcon)
8161 struct l2cap_conn *conn = hcon->l2cap_data;
8163 BT_DBG("hcon %p", hcon);
8166 return HCI_ERROR_REMOTE_USER_TERM;
8167 return conn->disc_reason;
8170 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
8172 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8175 BT_DBG("hcon %p reason %d", hcon, reason);
8177 l2cap_conn_del(hcon, bt_to_errno(reason));
8180 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
8182 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
8185 if (encrypt == 0x00) {
8186 if (chan->sec_level == BT_SECURITY_MEDIUM) {
8187 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
8188 } else if (chan->sec_level == BT_SECURITY_HIGH ||
8189 chan->sec_level == BT_SECURITY_FIPS)
8190 l2cap_chan_close(chan, ECONNREFUSED);
8192 if (chan->sec_level == BT_SECURITY_MEDIUM)
8193 __clear_chan_timer(chan);
8197 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
8199 struct l2cap_conn *conn = hcon->l2cap_data;
8200 struct l2cap_chan *chan;
8205 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
8207 mutex_lock(&conn->chan_lock);
8209 list_for_each_entry(chan, &conn->chan_l, list) {
8210 l2cap_chan_lock(chan);
8212 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
8213 state_to_string(chan->state));
8215 if (chan->scid == L2CAP_CID_A2MP) {
8216 l2cap_chan_unlock(chan);
8220 if (!status && encrypt)
8221 chan->sec_level = hcon->sec_level;
8223 if (!__l2cap_no_conn_pending(chan)) {
8224 l2cap_chan_unlock(chan);
8228 if (!status && (chan->state == BT_CONNECTED ||
8229 chan->state == BT_CONFIG)) {
8230 chan->ops->resume(chan);
8231 l2cap_check_encryption(chan, encrypt);
8232 l2cap_chan_unlock(chan);
8236 if (chan->state == BT_CONNECT) {
8237 if (!status && l2cap_check_enc_key_size(hcon))
8238 l2cap_start_connection(chan);
8240 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8241 } else if (chan->state == BT_CONNECT2 &&
8242 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8243 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
8244 struct l2cap_conn_rsp rsp;
8247 if (!status && l2cap_check_enc_key_size(hcon)) {
8248 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
8249 res = L2CAP_CR_PEND;
8250 stat = L2CAP_CS_AUTHOR_PEND;
8251 chan->ops->defer(chan);
8253 l2cap_state_change(chan, BT_CONFIG);
8254 res = L2CAP_CR_SUCCESS;
8255 stat = L2CAP_CS_NO_INFO;
8258 l2cap_state_change(chan, BT_DISCONN);
8259 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8260 res = L2CAP_CR_SEC_BLOCK;
8261 stat = L2CAP_CS_NO_INFO;
8264 rsp.scid = cpu_to_le16(chan->dcid);
8265 rsp.dcid = cpu_to_le16(chan->scid);
8266 rsp.result = cpu_to_le16(res);
8267 rsp.status = cpu_to_le16(stat);
8268 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
8271 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
8272 res == L2CAP_CR_SUCCESS) {
8274 set_bit(CONF_REQ_SENT, &chan->conf_state);
8275 l2cap_send_cmd(conn, l2cap_get_ident(conn),
8277 l2cap_build_conf_req(chan, buf, sizeof(buf)),
8279 chan->num_conf_req++;
8283 l2cap_chan_unlock(chan);
8286 mutex_unlock(&conn->chan_lock);
8289 /* Append fragment into frame respecting the maximum len of rx_skb */
8290 static int l2cap_recv_frag(struct l2cap_conn *conn, struct sk_buff *skb,
8293 if (!conn->rx_skb) {
8294 /* Allocate skb for the complete frame (with header) */
8295 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
8302 /* Copy as much as the rx_skb can hold */
8303 len = min_t(u16, len, skb->len);
8304 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, len), len);
8306 conn->rx_len -= len;
8311 static int l2cap_recv_len(struct l2cap_conn *conn, struct sk_buff *skb)
8313 struct sk_buff *rx_skb;
8316 /* Append just enough to complete the header */
8317 len = l2cap_recv_frag(conn, skb, L2CAP_LEN_SIZE - conn->rx_skb->len);
8319 /* If header could not be read just continue */
8320 if (len < 0 || conn->rx_skb->len < L2CAP_LEN_SIZE)
8323 rx_skb = conn->rx_skb;
8324 len = get_unaligned_le16(rx_skb->data);
8326 /* Check if rx_skb has enough space to received all fragments */
8327 if (len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE) <= skb_tailroom(rx_skb)) {
8328 /* Update expected len */
8329 conn->rx_len = len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE);
8330 return L2CAP_LEN_SIZE;
8333 /* Reset conn->rx_skb since it will need to be reallocated in order to
8334 * fit all fragments.
8336 conn->rx_skb = NULL;
8338 /* Reallocates rx_skb using the exact expected length */
8339 len = l2cap_recv_frag(conn, rx_skb,
8340 len + (L2CAP_HDR_SIZE - L2CAP_LEN_SIZE));
8346 static void l2cap_recv_reset(struct l2cap_conn *conn)
8348 kfree_skb(conn->rx_skb);
8349 conn->rx_skb = NULL;
8353 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
8355 struct l2cap_conn *conn = hcon->l2cap_data;
8358 /* For AMP controller do not create l2cap conn */
8359 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
8363 conn = l2cap_conn_add(hcon);
8368 BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
8372 case ACL_START_NO_FLUSH:
8375 BT_ERR("Unexpected start frame (len %d)", skb->len);
8376 l2cap_recv_reset(conn);
8377 l2cap_conn_unreliable(conn, ECOMM);
8380 /* Start fragment may not contain the L2CAP length so just
8381 * copy the initial byte when that happens and use conn->mtu as
8384 if (skb->len < L2CAP_LEN_SIZE) {
8385 if (l2cap_recv_frag(conn, skb, conn->mtu) < 0)
8390 len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE;
8392 if (len == skb->len) {
8393 /* Complete frame received */
8394 l2cap_recv_frame(conn, skb);
8398 BT_DBG("Start: total len %d, frag len %u", len, skb->len);
8400 if (skb->len > len) {
8401 BT_ERR("Frame is too long (len %u, expected len %d)",
8403 l2cap_conn_unreliable(conn, ECOMM);
8407 /* Append fragment into frame (with header) */
8408 if (l2cap_recv_frag(conn, skb, len) < 0)
8414 BT_DBG("Cont: frag len %u (expecting %u)", skb->len, conn->rx_len);
8416 if (!conn->rx_skb) {
8417 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
8418 l2cap_conn_unreliable(conn, ECOMM);
8422 /* Complete the L2CAP length if it has not been read */
8423 if (conn->rx_skb->len < L2CAP_LEN_SIZE) {
8424 if (l2cap_recv_len(conn, skb) < 0) {
8425 l2cap_conn_unreliable(conn, ECOMM);
8429 /* Header still could not be read just continue */
8430 if (conn->rx_skb->len < L2CAP_LEN_SIZE)
8434 if (skb->len > conn->rx_len) {
8435 BT_ERR("Fragment is too long (len %u, expected %u)",
8436 skb->len, conn->rx_len);
8437 l2cap_recv_reset(conn);
8438 l2cap_conn_unreliable(conn, ECOMM);
8442 /* Append fragment into frame (with header) */
8443 l2cap_recv_frag(conn, skb, skb->len);
8445 if (!conn->rx_len) {
8446 /* Complete frame received. l2cap_recv_frame
8447 * takes ownership of the skb so set the global
8448 * rx_skb pointer to NULL first.
8450 struct sk_buff *rx_skb = conn->rx_skb;
8451 conn->rx_skb = NULL;
8452 l2cap_recv_frame(conn, rx_skb);
8461 static struct hci_cb l2cap_cb = {
8463 .connect_cfm = l2cap_connect_cfm,
8464 .disconn_cfm = l2cap_disconn_cfm,
8465 .security_cfm = l2cap_security_cfm,
8468 static int l2cap_debugfs_show(struct seq_file *f, void *p)
8470 struct l2cap_chan *c;
8472 read_lock(&chan_list_lock);
8474 list_for_each_entry(c, &chan_list, global_l) {
8475 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
8476 &c->src, c->src_type, &c->dst, c->dst_type,
8477 c->state, __le16_to_cpu(c->psm),
8478 c->scid, c->dcid, c->imtu, c->omtu,
8479 c->sec_level, c->mode);
8482 read_unlock(&chan_list_lock);
8487 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
8489 static struct dentry *l2cap_debugfs;
8491 int __init l2cap_init(void)
8495 err = l2cap_init_sockets();
8499 hci_register_cb(&l2cap_cb);
8501 if (IS_ERR_OR_NULL(bt_debugfs))
8504 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
8505 NULL, &l2cap_debugfs_fops);
8510 void l2cap_exit(void)
8512 debugfs_remove(l2cap_debugfs);
8513 hci_unregister_cb(&l2cap_cb);
8514 l2cap_cleanup_sockets();
8517 module_param(disable_ertm, bool, 0644);
8518 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8520 module_param(enable_ecred, bool, 0644);
8521 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
projects / linux-2.6-microblaze.git / blob