2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
50 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
52 static LIST_HEAD(chan_list);
53 static DEFINE_RWLOCK(chan_list_lock);
55 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
56 u8 code, u8 ident, u16 dlen, void *data);
57 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
60 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
63 struct sk_buff_head *skbs, u8 event);
65 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
67 if (link_type == LE_LINK) {
68 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
69 return BDADDR_LE_PUBLIC;
71 return BDADDR_LE_RANDOM;
77 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
79 return bdaddr_type(hcon->type, hcon->src_type);
82 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
84 return bdaddr_type(hcon->type, hcon->dst_type);
87 /* ---- L2CAP channels ---- */
89 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
94 list_for_each_entry(c, &conn->chan_l, list) {
101 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
104 struct l2cap_chan *c;
106 list_for_each_entry(c, &conn->chan_l, list) {
113 /* Find channel with given SCID.
114 * Returns locked channel. */
115 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
118 struct l2cap_chan *c;
120 mutex_lock(&conn->chan_lock);
121 c = __l2cap_get_chan_by_scid(conn, cid);
124 mutex_unlock(&conn->chan_lock);
129 /* Find channel with given DCID.
130 * Returns locked channel.
132 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
135 struct l2cap_chan *c;
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_dcid(conn, cid);
141 mutex_unlock(&conn->chan_lock);
146 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
149 struct l2cap_chan *c;
151 list_for_each_entry(c, &conn->chan_l, list) {
152 if (c->ident == ident)
158 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
161 struct l2cap_chan *c;
163 mutex_lock(&conn->chan_lock);
164 c = __l2cap_get_chan_by_ident(conn, ident);
167 mutex_unlock(&conn->chan_lock);
172 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
175 struct l2cap_chan *c;
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
181 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
184 if (c->sport == psm && !bacmp(&c->src, src))
190 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
194 write_lock(&chan_list_lock);
196 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
206 u16 p, start, end, incr;
208 if (chan->src_type == BDADDR_BREDR) {
209 start = L2CAP_PSM_DYN_START;
210 end = L2CAP_PSM_AUTO_END;
213 start = L2CAP_PSM_LE_DYN_START;
214 end = L2CAP_PSM_LE_DYN_END;
219 for (p = start; p <= end; p += incr)
220 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
222 chan->psm = cpu_to_le16(p);
223 chan->sport = cpu_to_le16(p);
230 write_unlock(&chan_list_lock);
233 EXPORT_SYMBOL_GPL(l2cap_add_psm);
235 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
237 write_lock(&chan_list_lock);
239 /* Override the defaults (which are for conn-oriented) */
240 chan->omtu = L2CAP_DEFAULT_MTU;
241 chan->chan_type = L2CAP_CHAN_FIXED;
245 write_unlock(&chan_list_lock);
250 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
254 if (conn->hcon->type == LE_LINK)
255 dyn_end = L2CAP_CID_LE_DYN_END;
257 dyn_end = L2CAP_CID_DYN_END;
259 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
260 if (!__l2cap_get_chan_by_scid(conn, cid))
267 static void l2cap_state_change(struct l2cap_chan *chan, int state)
269 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
270 state_to_string(state));
273 chan->ops->state_change(chan, state, 0);
276 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
280 chan->ops->state_change(chan, chan->state, err);
283 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
285 chan->ops->state_change(chan, chan->state, err);
288 static void __set_retrans_timer(struct l2cap_chan *chan)
290 if (!delayed_work_pending(&chan->monitor_timer) &&
291 chan->retrans_timeout) {
292 l2cap_set_timer(chan, &chan->retrans_timer,
293 msecs_to_jiffies(chan->retrans_timeout));
297 static void __set_monitor_timer(struct l2cap_chan *chan)
299 __clear_retrans_timer(chan);
300 if (chan->monitor_timeout) {
301 l2cap_set_timer(chan, &chan->monitor_timer,
302 msecs_to_jiffies(chan->monitor_timeout));
306 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
311 skb_queue_walk(head, skb) {
312 if (bt_cb(skb)->l2cap.txseq == seq)
319 /* ---- L2CAP sequence number lists ---- */
321 /* For ERTM, ordered lists of sequence numbers must be tracked for
322 * SREJ requests that are received and for frames that are to be
323 * retransmitted. These seq_list functions implement a singly-linked
324 * list in an array, where membership in the list can also be checked
325 * in constant time. Items can also be added to the tail of the list
326 * and removed from the head in constant time, without further memory
330 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
332 size_t alloc_size, i;
334 /* Allocated size is a power of 2 to map sequence numbers
335 * (which may be up to 14 bits) in to a smaller array that is
336 * sized for the negotiated ERTM transmit windows.
338 alloc_size = roundup_pow_of_two(size);
340 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
344 seq_list->mask = alloc_size - 1;
345 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
346 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
347 for (i = 0; i < alloc_size; i++)
348 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
353 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
355 kfree(seq_list->list);
358 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
361 /* Constant-time check for list membership */
362 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
365 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
367 u16 seq = seq_list->head;
368 u16 mask = seq_list->mask;
370 seq_list->head = seq_list->list[seq & mask];
371 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
373 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
381 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
385 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
388 for (i = 0; i <= seq_list->mask; i++)
389 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
391 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
392 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
395 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
397 u16 mask = seq_list->mask;
399 /* All appends happen in constant time */
401 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
404 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
405 seq_list->head = seq;
407 seq_list->list[seq_list->tail & mask] = seq;
409 seq_list->tail = seq;
410 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
413 static void l2cap_chan_timeout(struct work_struct *work)
415 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
417 struct l2cap_conn *conn = chan->conn;
420 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
422 mutex_lock(&conn->chan_lock);
423 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
424 * this work. No need to call l2cap_chan_hold(chan) here again.
426 l2cap_chan_lock(chan);
428 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
429 reason = ECONNREFUSED;
430 else if (chan->state == BT_CONNECT &&
431 chan->sec_level != BT_SECURITY_SDP)
432 reason = ECONNREFUSED;
436 l2cap_chan_close(chan, reason);
438 chan->ops->close(chan);
440 l2cap_chan_unlock(chan);
441 l2cap_chan_put(chan);
443 mutex_unlock(&conn->chan_lock);
446 struct l2cap_chan *l2cap_chan_create(void)
448 struct l2cap_chan *chan;
450 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
454 mutex_init(&chan->lock);
456 /* Set default lock nesting level */
457 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
459 write_lock(&chan_list_lock);
460 list_add(&chan->global_l, &chan_list);
461 write_unlock(&chan_list_lock);
463 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
465 chan->state = BT_OPEN;
467 kref_init(&chan->kref);
469 /* This flag is cleared in l2cap_chan_ready() */
470 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
472 BT_DBG("chan %p", chan);
476 EXPORT_SYMBOL_GPL(l2cap_chan_create);
478 static void l2cap_chan_destroy(struct kref *kref)
480 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
482 BT_DBG("chan %p", chan);
484 write_lock(&chan_list_lock);
485 list_del(&chan->global_l);
486 write_unlock(&chan_list_lock);
491 void l2cap_chan_hold(struct l2cap_chan *c)
493 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
498 void l2cap_chan_put(struct l2cap_chan *c)
500 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
502 kref_put(&c->kref, l2cap_chan_destroy);
504 EXPORT_SYMBOL_GPL(l2cap_chan_put);
506 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
508 chan->fcs = L2CAP_FCS_CRC16;
509 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
510 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
511 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
512 chan->remote_max_tx = chan->max_tx;
513 chan->remote_tx_win = chan->tx_win;
514 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
515 chan->sec_level = BT_SECURITY_LOW;
516 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
517 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
518 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
519 chan->conf_state = 0;
521 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
523 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
525 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
528 chan->sdu_last_frag = NULL;
530 chan->tx_credits = tx_credits;
531 /* Derive MPS from connection MTU to stop HCI fragmentation */
532 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
533 /* Give enough credits for a full packet */
534 chan->rx_credits = (chan->imtu / chan->mps) + 1;
536 skb_queue_head_init(&chan->tx_q);
539 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
541 l2cap_le_flowctl_init(chan, tx_credits);
543 /* L2CAP implementations shall support a minimum MPS of 64 octets */
544 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
545 chan->mps = L2CAP_ECRED_MIN_MPS;
546 chan->rx_credits = (chan->imtu / chan->mps) + 1;
550 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
552 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
553 __le16_to_cpu(chan->psm), chan->dcid);
555 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
559 switch (chan->chan_type) {
560 case L2CAP_CHAN_CONN_ORIENTED:
561 /* Alloc CID for connection-oriented socket */
562 chan->scid = l2cap_alloc_cid(conn);
563 if (conn->hcon->type == ACL_LINK)
564 chan->omtu = L2CAP_DEFAULT_MTU;
567 case L2CAP_CHAN_CONN_LESS:
568 /* Connectionless socket */
569 chan->scid = L2CAP_CID_CONN_LESS;
570 chan->dcid = L2CAP_CID_CONN_LESS;
571 chan->omtu = L2CAP_DEFAULT_MTU;
574 case L2CAP_CHAN_FIXED:
575 /* Caller will set CID and CID specific MTU values */
579 /* Raw socket can send/recv signalling messages only */
580 chan->scid = L2CAP_CID_SIGNALING;
581 chan->dcid = L2CAP_CID_SIGNALING;
582 chan->omtu = L2CAP_DEFAULT_MTU;
585 chan->local_id = L2CAP_BESTEFFORT_ID;
586 chan->local_stype = L2CAP_SERV_BESTEFFORT;
587 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
588 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
589 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
590 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
592 l2cap_chan_hold(chan);
594 /* Only keep a reference for fixed channels if they requested it */
595 if (chan->chan_type != L2CAP_CHAN_FIXED ||
596 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
597 hci_conn_hold(conn->hcon);
599 list_add(&chan->list, &conn->chan_l);
602 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
604 mutex_lock(&conn->chan_lock);
605 __l2cap_chan_add(conn, chan);
606 mutex_unlock(&conn->chan_lock);
609 void l2cap_chan_del(struct l2cap_chan *chan, int err)
611 struct l2cap_conn *conn = chan->conn;
613 __clear_chan_timer(chan);
615 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
616 state_to_string(chan->state));
618 chan->ops->teardown(chan, err);
621 struct amp_mgr *mgr = conn->hcon->amp_mgr;
622 /* Delete from channel list */
623 list_del(&chan->list);
625 l2cap_chan_put(chan);
629 /* Reference was only held for non-fixed channels or
630 * fixed channels that explicitly requested it using the
631 * FLAG_HOLD_HCI_CONN flag.
633 if (chan->chan_type != L2CAP_CHAN_FIXED ||
634 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
635 hci_conn_drop(conn->hcon);
637 if (mgr && mgr->bredr_chan == chan)
638 mgr->bredr_chan = NULL;
641 if (chan->hs_hchan) {
642 struct hci_chan *hs_hchan = chan->hs_hchan;
644 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
645 amp_disconnect_logical_link(hs_hchan);
648 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
652 case L2CAP_MODE_BASIC:
655 case L2CAP_MODE_LE_FLOWCTL:
656 case L2CAP_MODE_EXT_FLOWCTL:
657 skb_queue_purge(&chan->tx_q);
660 case L2CAP_MODE_ERTM:
661 __clear_retrans_timer(chan);
662 __clear_monitor_timer(chan);
663 __clear_ack_timer(chan);
665 skb_queue_purge(&chan->srej_q);
667 l2cap_seq_list_free(&chan->srej_list);
668 l2cap_seq_list_free(&chan->retrans_list);
672 case L2CAP_MODE_STREAMING:
673 skb_queue_purge(&chan->tx_q);
679 EXPORT_SYMBOL_GPL(l2cap_chan_del);
681 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
684 struct l2cap_chan *chan;
686 list_for_each_entry(chan, &conn->chan_l, list) {
691 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
697 mutex_lock(&conn->chan_lock);
698 __l2cap_chan_list(conn, func, data);
699 mutex_unlock(&conn->chan_lock);
702 EXPORT_SYMBOL_GPL(l2cap_chan_list);
704 static void l2cap_conn_update_id_addr(struct work_struct *work)
706 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
707 id_addr_update_work);
708 struct hci_conn *hcon = conn->hcon;
709 struct l2cap_chan *chan;
711 mutex_lock(&conn->chan_lock);
713 list_for_each_entry(chan, &conn->chan_l, list) {
714 l2cap_chan_lock(chan);
715 bacpy(&chan->dst, &hcon->dst);
716 chan->dst_type = bdaddr_dst_type(hcon);
717 l2cap_chan_unlock(chan);
720 mutex_unlock(&conn->chan_lock);
723 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
725 struct l2cap_conn *conn = chan->conn;
726 struct l2cap_le_conn_rsp rsp;
729 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
730 result = L2CAP_CR_LE_AUTHORIZATION;
732 result = L2CAP_CR_LE_BAD_PSM;
734 l2cap_state_change(chan, BT_DISCONN);
736 rsp.dcid = cpu_to_le16(chan->scid);
737 rsp.mtu = cpu_to_le16(chan->imtu);
738 rsp.mps = cpu_to_le16(chan->mps);
739 rsp.credits = cpu_to_le16(chan->rx_credits);
740 rsp.result = cpu_to_le16(result);
742 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
746 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
748 struct l2cap_conn *conn = chan->conn;
749 struct l2cap_ecred_conn_rsp rsp;
752 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
753 result = L2CAP_CR_LE_AUTHORIZATION;
755 result = L2CAP_CR_LE_BAD_PSM;
757 l2cap_state_change(chan, BT_DISCONN);
759 memset(&rsp, 0, sizeof(rsp));
761 rsp.result = cpu_to_le16(result);
763 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
767 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
769 struct l2cap_conn *conn = chan->conn;
770 struct l2cap_conn_rsp rsp;
773 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
774 result = L2CAP_CR_SEC_BLOCK;
776 result = L2CAP_CR_BAD_PSM;
778 l2cap_state_change(chan, BT_DISCONN);
780 rsp.scid = cpu_to_le16(chan->dcid);
781 rsp.dcid = cpu_to_le16(chan->scid);
782 rsp.result = cpu_to_le16(result);
783 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
785 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
788 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
790 struct l2cap_conn *conn = chan->conn;
792 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
794 switch (chan->state) {
796 chan->ops->teardown(chan, 0);
801 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
802 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
803 l2cap_send_disconn_req(chan, reason);
805 l2cap_chan_del(chan, reason);
809 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
810 if (conn->hcon->type == ACL_LINK)
811 l2cap_chan_connect_reject(chan);
812 else if (conn->hcon->type == LE_LINK) {
813 switch (chan->mode) {
814 case L2CAP_MODE_LE_FLOWCTL:
815 l2cap_chan_le_connect_reject(chan);
817 case L2CAP_MODE_EXT_FLOWCTL:
818 l2cap_chan_ecred_connect_reject(chan);
824 l2cap_chan_del(chan, reason);
829 l2cap_chan_del(chan, reason);
833 chan->ops->teardown(chan, 0);
837 EXPORT_SYMBOL(l2cap_chan_close);
839 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
841 switch (chan->chan_type) {
843 switch (chan->sec_level) {
844 case BT_SECURITY_HIGH:
845 case BT_SECURITY_FIPS:
846 return HCI_AT_DEDICATED_BONDING_MITM;
847 case BT_SECURITY_MEDIUM:
848 return HCI_AT_DEDICATED_BONDING;
850 return HCI_AT_NO_BONDING;
853 case L2CAP_CHAN_CONN_LESS:
854 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
855 if (chan->sec_level == BT_SECURITY_LOW)
856 chan->sec_level = BT_SECURITY_SDP;
858 if (chan->sec_level == BT_SECURITY_HIGH ||
859 chan->sec_level == BT_SECURITY_FIPS)
860 return HCI_AT_NO_BONDING_MITM;
862 return HCI_AT_NO_BONDING;
864 case L2CAP_CHAN_CONN_ORIENTED:
865 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
866 if (chan->sec_level == BT_SECURITY_LOW)
867 chan->sec_level = BT_SECURITY_SDP;
869 if (chan->sec_level == BT_SECURITY_HIGH ||
870 chan->sec_level == BT_SECURITY_FIPS)
871 return HCI_AT_NO_BONDING_MITM;
873 return HCI_AT_NO_BONDING;
877 switch (chan->sec_level) {
878 case BT_SECURITY_HIGH:
879 case BT_SECURITY_FIPS:
880 return HCI_AT_GENERAL_BONDING_MITM;
881 case BT_SECURITY_MEDIUM:
882 return HCI_AT_GENERAL_BONDING;
884 return HCI_AT_NO_BONDING;
890 /* Service level security */
891 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
893 struct l2cap_conn *conn = chan->conn;
896 if (conn->hcon->type == LE_LINK)
897 return smp_conn_security(conn->hcon, chan->sec_level);
899 auth_type = l2cap_get_auth_type(chan);
901 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
905 static u8 l2cap_get_ident(struct l2cap_conn *conn)
909 /* Get next available identificator.
910 * 1 - 128 are used by kernel.
911 * 129 - 199 are reserved.
912 * 200 - 254 are used by utilities like l2ping, etc.
915 mutex_lock(&conn->ident_lock);
917 if (++conn->tx_ident > 128)
922 mutex_unlock(&conn->ident_lock);
927 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
930 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
933 BT_DBG("code 0x%2.2x", code);
938 /* Use NO_FLUSH if supported or we have an LE link (which does
939 * not support auto-flushing packets) */
940 if (lmp_no_flush_capable(conn->hcon->hdev) ||
941 conn->hcon->type == LE_LINK)
942 flags = ACL_START_NO_FLUSH;
946 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
947 skb->priority = HCI_PRIO_MAX;
949 hci_send_acl(conn->hchan, skb, flags);
952 static bool __chan_is_moving(struct l2cap_chan *chan)
954 return chan->move_state != L2CAP_MOVE_STABLE &&
955 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
958 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
960 struct hci_conn *hcon = chan->conn->hcon;
963 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
966 if (chan->hs_hcon && !__chan_is_moving(chan)) {
968 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
975 /* Use NO_FLUSH for LE links (where this is the only option) or
976 * if the BR/EDR link supports it and flushing has not been
977 * explicitly requested (through FLAG_FLUSHABLE).
979 if (hcon->type == LE_LINK ||
980 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
981 lmp_no_flush_capable(hcon->hdev)))
982 flags = ACL_START_NO_FLUSH;
986 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
987 hci_send_acl(chan->conn->hchan, skb, flags);
990 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
992 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
993 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
995 if (enh & L2CAP_CTRL_FRAME_TYPE) {
998 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
999 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1005 control->sframe = 0;
1006 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1007 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1014 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1016 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1017 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1019 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1021 control->sframe = 1;
1022 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1023 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1029 control->sframe = 0;
1030 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1031 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1038 static inline void __unpack_control(struct l2cap_chan *chan,
1039 struct sk_buff *skb)
1041 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1042 __unpack_extended_control(get_unaligned_le32(skb->data),
1043 &bt_cb(skb)->l2cap);
1044 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1046 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1047 &bt_cb(skb)->l2cap);
1048 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1052 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1056 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1057 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1059 if (control->sframe) {
1060 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1061 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1062 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1064 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1065 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1071 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1075 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1076 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1078 if (control->sframe) {
1079 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1080 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1081 packed |= L2CAP_CTRL_FRAME_TYPE;
1083 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1084 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1090 static inline void __pack_control(struct l2cap_chan *chan,
1091 struct l2cap_ctrl *control,
1092 struct sk_buff *skb)
1094 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1095 put_unaligned_le32(__pack_extended_control(control),
1096 skb->data + L2CAP_HDR_SIZE);
1098 put_unaligned_le16(__pack_enhanced_control(control),
1099 skb->data + L2CAP_HDR_SIZE);
1103 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1105 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1106 return L2CAP_EXT_HDR_SIZE;
1108 return L2CAP_ENH_HDR_SIZE;
1111 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1114 struct sk_buff *skb;
1115 struct l2cap_hdr *lh;
1116 int hlen = __ertm_hdr_size(chan);
1118 if (chan->fcs == L2CAP_FCS_CRC16)
1119 hlen += L2CAP_FCS_SIZE;
1121 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1124 return ERR_PTR(-ENOMEM);
1126 lh = skb_put(skb, L2CAP_HDR_SIZE);
1127 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1128 lh->cid = cpu_to_le16(chan->dcid);
1130 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1131 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1133 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1135 if (chan->fcs == L2CAP_FCS_CRC16) {
1136 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1137 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1140 skb->priority = HCI_PRIO_MAX;
1144 static void l2cap_send_sframe(struct l2cap_chan *chan,
1145 struct l2cap_ctrl *control)
1147 struct sk_buff *skb;
1150 BT_DBG("chan %p, control %p", chan, control);
1152 if (!control->sframe)
1155 if (__chan_is_moving(chan))
1158 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1162 if (control->super == L2CAP_SUPER_RR)
1163 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1164 else if (control->super == L2CAP_SUPER_RNR)
1165 set_bit(CONN_RNR_SENT, &chan->conn_state);
1167 if (control->super != L2CAP_SUPER_SREJ) {
1168 chan->last_acked_seq = control->reqseq;
1169 __clear_ack_timer(chan);
1172 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1173 control->final, control->poll, control->super);
1175 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1176 control_field = __pack_extended_control(control);
1178 control_field = __pack_enhanced_control(control);
1180 skb = l2cap_create_sframe_pdu(chan, control_field);
1182 l2cap_do_send(chan, skb);
1185 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1187 struct l2cap_ctrl control;
1189 BT_DBG("chan %p, poll %d", chan, poll);
1191 memset(&control, 0, sizeof(control));
1193 control.poll = poll;
1195 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1196 control.super = L2CAP_SUPER_RNR;
1198 control.super = L2CAP_SUPER_RR;
1200 control.reqseq = chan->buffer_seq;
1201 l2cap_send_sframe(chan, &control);
1204 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1206 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1209 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1212 static bool __amp_capable(struct l2cap_chan *chan)
1214 struct l2cap_conn *conn = chan->conn;
1215 struct hci_dev *hdev;
1216 bool amp_available = false;
1218 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1221 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1224 read_lock(&hci_dev_list_lock);
1225 list_for_each_entry(hdev, &hci_dev_list, list) {
1226 if (hdev->amp_type != AMP_TYPE_BREDR &&
1227 test_bit(HCI_UP, &hdev->flags)) {
1228 amp_available = true;
1232 read_unlock(&hci_dev_list_lock);
1234 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1235 return amp_available;
1240 static bool l2cap_check_efs(struct l2cap_chan *chan)
1242 /* Check EFS parameters */
1246 void l2cap_send_conn_req(struct l2cap_chan *chan)
1248 struct l2cap_conn *conn = chan->conn;
1249 struct l2cap_conn_req req;
1251 req.scid = cpu_to_le16(chan->scid);
1252 req.psm = chan->psm;
1254 chan->ident = l2cap_get_ident(conn);
1256 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1258 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1261 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1263 struct l2cap_create_chan_req req;
1264 req.scid = cpu_to_le16(chan->scid);
1265 req.psm = chan->psm;
1266 req.amp_id = amp_id;
1268 chan->ident = l2cap_get_ident(chan->conn);
1270 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1274 static void l2cap_move_setup(struct l2cap_chan *chan)
1276 struct sk_buff *skb;
1278 BT_DBG("chan %p", chan);
1280 if (chan->mode != L2CAP_MODE_ERTM)
1283 __clear_retrans_timer(chan);
1284 __clear_monitor_timer(chan);
1285 __clear_ack_timer(chan);
1287 chan->retry_count = 0;
1288 skb_queue_walk(&chan->tx_q, skb) {
1289 if (bt_cb(skb)->l2cap.retries)
1290 bt_cb(skb)->l2cap.retries = 1;
1295 chan->expected_tx_seq = chan->buffer_seq;
1297 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1298 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1299 l2cap_seq_list_clear(&chan->retrans_list);
1300 l2cap_seq_list_clear(&chan->srej_list);
1301 skb_queue_purge(&chan->srej_q);
1303 chan->tx_state = L2CAP_TX_STATE_XMIT;
1304 chan->rx_state = L2CAP_RX_STATE_MOVE;
1306 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1309 static void l2cap_move_done(struct l2cap_chan *chan)
1311 u8 move_role = chan->move_role;
1312 BT_DBG("chan %p", chan);
1314 chan->move_state = L2CAP_MOVE_STABLE;
1315 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1317 if (chan->mode != L2CAP_MODE_ERTM)
1320 switch (move_role) {
1321 case L2CAP_MOVE_ROLE_INITIATOR:
1322 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1323 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1325 case L2CAP_MOVE_ROLE_RESPONDER:
1326 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1331 static void l2cap_chan_ready(struct l2cap_chan *chan)
1333 /* The channel may have already been flagged as connected in
1334 * case of receiving data before the L2CAP info req/rsp
1335 * procedure is complete.
1337 if (chan->state == BT_CONNECTED)
1340 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1341 chan->conf_state = 0;
1342 __clear_chan_timer(chan);
1344 switch (chan->mode) {
1345 case L2CAP_MODE_LE_FLOWCTL:
1346 case L2CAP_MODE_EXT_FLOWCTL:
1347 if (!chan->tx_credits)
1348 chan->ops->suspend(chan);
1352 chan->state = BT_CONNECTED;
1354 chan->ops->ready(chan);
1357 static void l2cap_le_connect(struct l2cap_chan *chan)
1359 struct l2cap_conn *conn = chan->conn;
1360 struct l2cap_le_conn_req req;
1362 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1366 chan->imtu = chan->conn->mtu;
1368 l2cap_le_flowctl_init(chan, 0);
1370 req.psm = chan->psm;
1371 req.scid = cpu_to_le16(chan->scid);
1372 req.mtu = cpu_to_le16(chan->imtu);
1373 req.mps = cpu_to_le16(chan->mps);
1374 req.credits = cpu_to_le16(chan->rx_credits);
1376 chan->ident = l2cap_get_ident(conn);
1378 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1382 struct l2cap_ecred_conn_data {
1384 struct l2cap_ecred_conn_req req;
1387 struct l2cap_chan *chan;
1392 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1394 struct l2cap_ecred_conn_data *conn = data;
1397 if (chan == conn->chan)
1400 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1403 pid = chan->ops->get_peer_pid(chan);
1405 /* Only add deferred channels with the same PID/PSM */
1406 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1407 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1410 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1413 l2cap_ecred_init(chan, 0);
1415 /* Set the same ident so we can match on the rsp */
1416 chan->ident = conn->chan->ident;
1418 /* Include all channels deferred */
1419 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1424 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1426 struct l2cap_conn *conn = chan->conn;
1427 struct l2cap_ecred_conn_data data;
1429 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1432 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1435 l2cap_ecred_init(chan, 0);
1437 data.pdu.req.psm = chan->psm;
1438 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1439 data.pdu.req.mps = cpu_to_le16(chan->mps);
1440 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1441 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1443 chan->ident = l2cap_get_ident(conn);
1444 data.pid = chan->ops->get_peer_pid(chan);
1448 data.pid = chan->ops->get_peer_pid(chan);
1450 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1452 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1453 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1457 static void l2cap_le_start(struct l2cap_chan *chan)
1459 struct l2cap_conn *conn = chan->conn;
1461 if (!smp_conn_security(conn->hcon, chan->sec_level))
1465 l2cap_chan_ready(chan);
1469 if (chan->state == BT_CONNECT) {
1470 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1471 l2cap_ecred_connect(chan);
1473 l2cap_le_connect(chan);
1477 static void l2cap_start_connection(struct l2cap_chan *chan)
1479 if (__amp_capable(chan)) {
1480 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1481 a2mp_discover_amp(chan);
1482 } else if (chan->conn->hcon->type == LE_LINK) {
1483 l2cap_le_start(chan);
1485 l2cap_send_conn_req(chan);
1489 static void l2cap_request_info(struct l2cap_conn *conn)
1491 struct l2cap_info_req req;
1493 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1496 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1498 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1499 conn->info_ident = l2cap_get_ident(conn);
1501 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1503 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1507 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1509 /* The minimum encryption key size needs to be enforced by the
1510 * host stack before establishing any L2CAP connections. The
1511 * specification in theory allows a minimum of 1, but to align
1512 * BR/EDR and LE transports, a minimum of 7 is chosen.
1514 * This check might also be called for unencrypted connections
1515 * that have no key size requirements. Ensure that the link is
1516 * actually encrypted before enforcing a key size.
1518 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1519 hcon->enc_key_size >= hcon->hdev->min_enc_key_size);
1522 static void l2cap_do_start(struct l2cap_chan *chan)
1524 struct l2cap_conn *conn = chan->conn;
1526 if (conn->hcon->type == LE_LINK) {
1527 l2cap_le_start(chan);
1531 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1532 l2cap_request_info(conn);
1536 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1539 if (!l2cap_chan_check_security(chan, true) ||
1540 !__l2cap_no_conn_pending(chan))
1543 if (l2cap_check_enc_key_size(conn->hcon))
1544 l2cap_start_connection(chan);
1546 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1549 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1551 u32 local_feat_mask = l2cap_feat_mask;
1553 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1556 case L2CAP_MODE_ERTM:
1557 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1558 case L2CAP_MODE_STREAMING:
1559 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1565 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1567 struct l2cap_conn *conn = chan->conn;
1568 struct l2cap_disconn_req req;
1573 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1574 __clear_retrans_timer(chan);
1575 __clear_monitor_timer(chan);
1576 __clear_ack_timer(chan);
1579 if (chan->scid == L2CAP_CID_A2MP) {
1580 l2cap_state_change(chan, BT_DISCONN);
1584 req.dcid = cpu_to_le16(chan->dcid);
1585 req.scid = cpu_to_le16(chan->scid);
1586 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1589 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1592 /* ---- L2CAP connections ---- */
1593 static void l2cap_conn_start(struct l2cap_conn *conn)
1595 struct l2cap_chan *chan, *tmp;
1597 BT_DBG("conn %p", conn);
1599 mutex_lock(&conn->chan_lock);
1601 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1602 l2cap_chan_lock(chan);
1604 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1605 l2cap_chan_ready(chan);
1606 l2cap_chan_unlock(chan);
1610 if (chan->state == BT_CONNECT) {
1611 if (!l2cap_chan_check_security(chan, true) ||
1612 !__l2cap_no_conn_pending(chan)) {
1613 l2cap_chan_unlock(chan);
1617 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1618 && test_bit(CONF_STATE2_DEVICE,
1619 &chan->conf_state)) {
1620 l2cap_chan_close(chan, ECONNRESET);
1621 l2cap_chan_unlock(chan);
1625 if (l2cap_check_enc_key_size(conn->hcon))
1626 l2cap_start_connection(chan);
1628 l2cap_chan_close(chan, ECONNREFUSED);
1630 } else if (chan->state == BT_CONNECT2) {
1631 struct l2cap_conn_rsp rsp;
1633 rsp.scid = cpu_to_le16(chan->dcid);
1634 rsp.dcid = cpu_to_le16(chan->scid);
1636 if (l2cap_chan_check_security(chan, false)) {
1637 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1638 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1639 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1640 chan->ops->defer(chan);
1643 l2cap_state_change(chan, BT_CONFIG);
1644 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1645 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1648 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1649 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1652 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1655 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1656 rsp.result != L2CAP_CR_SUCCESS) {
1657 l2cap_chan_unlock(chan);
1661 set_bit(CONF_REQ_SENT, &chan->conf_state);
1662 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1663 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1664 chan->num_conf_req++;
1667 l2cap_chan_unlock(chan);
1670 mutex_unlock(&conn->chan_lock);
1673 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1675 struct hci_conn *hcon = conn->hcon;
1676 struct hci_dev *hdev = hcon->hdev;
1678 BT_DBG("%s conn %p", hdev->name, conn);
1680 /* For outgoing pairing which doesn't necessarily have an
1681 * associated socket (e.g. mgmt_pair_device).
1684 smp_conn_security(hcon, hcon->pending_sec_level);
1686 /* For LE slave connections, make sure the connection interval
1687 * is in the range of the minium and maximum interval that has
1688 * been configured for this connection. If not, then trigger
1689 * the connection update procedure.
1691 if (hcon->role == HCI_ROLE_SLAVE &&
1692 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1693 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1694 struct l2cap_conn_param_update_req req;
1696 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1697 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1698 req.latency = cpu_to_le16(hcon->le_conn_latency);
1699 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1701 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1702 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1706 static void l2cap_conn_ready(struct l2cap_conn *conn)
1708 struct l2cap_chan *chan;
1709 struct hci_conn *hcon = conn->hcon;
1711 BT_DBG("conn %p", conn);
1713 if (hcon->type == ACL_LINK)
1714 l2cap_request_info(conn);
1716 mutex_lock(&conn->chan_lock);
1718 list_for_each_entry(chan, &conn->chan_l, list) {
1720 l2cap_chan_lock(chan);
1722 if (chan->scid == L2CAP_CID_A2MP) {
1723 l2cap_chan_unlock(chan);
1727 if (hcon->type == LE_LINK) {
1728 l2cap_le_start(chan);
1729 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1730 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1731 l2cap_chan_ready(chan);
1732 } else if (chan->state == BT_CONNECT) {
1733 l2cap_do_start(chan);
1736 l2cap_chan_unlock(chan);
1739 mutex_unlock(&conn->chan_lock);
1741 if (hcon->type == LE_LINK)
1742 l2cap_le_conn_ready(conn);
1744 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1747 /* Notify sockets that we cannot guaranty reliability anymore */
1748 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1750 struct l2cap_chan *chan;
1752 BT_DBG("conn %p", conn);
1754 mutex_lock(&conn->chan_lock);
1756 list_for_each_entry(chan, &conn->chan_l, list) {
1757 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1758 l2cap_chan_set_err(chan, err);
1761 mutex_unlock(&conn->chan_lock);
1764 static void l2cap_info_timeout(struct work_struct *work)
1766 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1769 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1770 conn->info_ident = 0;
1772 l2cap_conn_start(conn);
1777 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1778 * callback is called during registration. The ->remove callback is called
1779 * during unregistration.
1780 * An l2cap_user object can either be explicitly unregistered or when the
1781 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1782 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1783 * External modules must own a reference to the l2cap_conn object if they intend
1784 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1785 * any time if they don't.
1788 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1790 struct hci_dev *hdev = conn->hcon->hdev;
1793 /* We need to check whether l2cap_conn is registered. If it is not, we
1794 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1795 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1796 * relies on the parent hci_conn object to be locked. This itself relies
1797 * on the hci_dev object to be locked. So we must lock the hci device
1802 if (!list_empty(&user->list)) {
1807 /* conn->hchan is NULL after l2cap_conn_del() was called */
1813 ret = user->probe(conn, user);
1817 list_add(&user->list, &conn->users);
1821 hci_dev_unlock(hdev);
1824 EXPORT_SYMBOL(l2cap_register_user);
1826 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1828 struct hci_dev *hdev = conn->hcon->hdev;
1832 if (list_empty(&user->list))
1835 list_del_init(&user->list);
1836 user->remove(conn, user);
1839 hci_dev_unlock(hdev);
1841 EXPORT_SYMBOL(l2cap_unregister_user);
1843 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1845 struct l2cap_user *user;
1847 while (!list_empty(&conn->users)) {
1848 user = list_first_entry(&conn->users, struct l2cap_user, list);
1849 list_del_init(&user->list);
1850 user->remove(conn, user);
1854 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1856 struct l2cap_conn *conn = hcon->l2cap_data;
1857 struct l2cap_chan *chan, *l;
1862 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1864 kfree_skb(conn->rx_skb);
1866 skb_queue_purge(&conn->pending_rx);
1868 /* We can not call flush_work(&conn->pending_rx_work) here since we
1869 * might block if we are running on a worker from the same workqueue
1870 * pending_rx_work is waiting on.
1872 if (work_pending(&conn->pending_rx_work))
1873 cancel_work_sync(&conn->pending_rx_work);
1875 if (work_pending(&conn->id_addr_update_work))
1876 cancel_work_sync(&conn->id_addr_update_work);
1878 l2cap_unregister_all_users(conn);
1880 /* Force the connection to be immediately dropped */
1881 hcon->disc_timeout = 0;
1883 mutex_lock(&conn->chan_lock);
1886 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1887 l2cap_chan_hold(chan);
1888 l2cap_chan_lock(chan);
1890 l2cap_chan_del(chan, err);
1892 chan->ops->close(chan);
1894 l2cap_chan_unlock(chan);
1895 l2cap_chan_put(chan);
1898 mutex_unlock(&conn->chan_lock);
1900 hci_chan_del(conn->hchan);
1902 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1903 cancel_delayed_work_sync(&conn->info_timer);
1905 hcon->l2cap_data = NULL;
1907 l2cap_conn_put(conn);
1910 static void l2cap_conn_free(struct kref *ref)
1912 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1914 hci_conn_put(conn->hcon);
1918 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1920 kref_get(&conn->ref);
1923 EXPORT_SYMBOL(l2cap_conn_get);
1925 void l2cap_conn_put(struct l2cap_conn *conn)
1927 kref_put(&conn->ref, l2cap_conn_free);
1929 EXPORT_SYMBOL(l2cap_conn_put);
1931 /* ---- Socket interface ---- */
1933 /* Find socket with psm and source / destination bdaddr.
1934 * Returns closest match.
1936 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1941 struct l2cap_chan *c, *c1 = NULL;
1943 read_lock(&chan_list_lock);
1945 list_for_each_entry(c, &chan_list, global_l) {
1946 if (state && c->state != state)
1949 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1952 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1955 if (c->psm == psm) {
1956 int src_match, dst_match;
1957 int src_any, dst_any;
1960 src_match = !bacmp(&c->src, src);
1961 dst_match = !bacmp(&c->dst, dst);
1962 if (src_match && dst_match) {
1964 read_unlock(&chan_list_lock);
1969 src_any = !bacmp(&c->src, BDADDR_ANY);
1970 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1971 if ((src_match && dst_any) || (src_any && dst_match) ||
1972 (src_any && dst_any))
1978 l2cap_chan_hold(c1);
1980 read_unlock(&chan_list_lock);
1985 static void l2cap_monitor_timeout(struct work_struct *work)
1987 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1988 monitor_timer.work);
1990 BT_DBG("chan %p", chan);
1992 l2cap_chan_lock(chan);
1995 l2cap_chan_unlock(chan);
1996 l2cap_chan_put(chan);
2000 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2002 l2cap_chan_unlock(chan);
2003 l2cap_chan_put(chan);
2006 static void l2cap_retrans_timeout(struct work_struct *work)
2008 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2009 retrans_timer.work);
2011 BT_DBG("chan %p", chan);
2013 l2cap_chan_lock(chan);
2016 l2cap_chan_unlock(chan);
2017 l2cap_chan_put(chan);
2021 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2022 l2cap_chan_unlock(chan);
2023 l2cap_chan_put(chan);
2026 static void l2cap_streaming_send(struct l2cap_chan *chan,
2027 struct sk_buff_head *skbs)
2029 struct sk_buff *skb;
2030 struct l2cap_ctrl *control;
2032 BT_DBG("chan %p, skbs %p", chan, skbs);
2034 if (__chan_is_moving(chan))
2037 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2039 while (!skb_queue_empty(&chan->tx_q)) {
2041 skb = skb_dequeue(&chan->tx_q);
2043 bt_cb(skb)->l2cap.retries = 1;
2044 control = &bt_cb(skb)->l2cap;
2046 control->reqseq = 0;
2047 control->txseq = chan->next_tx_seq;
2049 __pack_control(chan, control, skb);
2051 if (chan->fcs == L2CAP_FCS_CRC16) {
2052 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2053 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2056 l2cap_do_send(chan, skb);
2058 BT_DBG("Sent txseq %u", control->txseq);
2060 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2061 chan->frames_sent++;
2065 static int l2cap_ertm_send(struct l2cap_chan *chan)
2067 struct sk_buff *skb, *tx_skb;
2068 struct l2cap_ctrl *control;
2071 BT_DBG("chan %p", chan);
2073 if (chan->state != BT_CONNECTED)
2076 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2079 if (__chan_is_moving(chan))
2082 while (chan->tx_send_head &&
2083 chan->unacked_frames < chan->remote_tx_win &&
2084 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2086 skb = chan->tx_send_head;
2088 bt_cb(skb)->l2cap.retries = 1;
2089 control = &bt_cb(skb)->l2cap;
2091 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2094 control->reqseq = chan->buffer_seq;
2095 chan->last_acked_seq = chan->buffer_seq;
2096 control->txseq = chan->next_tx_seq;
2098 __pack_control(chan, control, skb);
2100 if (chan->fcs == L2CAP_FCS_CRC16) {
2101 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2102 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2105 /* Clone after data has been modified. Data is assumed to be
2106 read-only (for locking purposes) on cloned sk_buffs.
2108 tx_skb = skb_clone(skb, GFP_KERNEL);
2113 __set_retrans_timer(chan);
2115 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2116 chan->unacked_frames++;
2117 chan->frames_sent++;
2120 if (skb_queue_is_last(&chan->tx_q, skb))
2121 chan->tx_send_head = NULL;
2123 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2125 l2cap_do_send(chan, tx_skb);
2126 BT_DBG("Sent txseq %u", control->txseq);
2129 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2130 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2135 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2137 struct l2cap_ctrl control;
2138 struct sk_buff *skb;
2139 struct sk_buff *tx_skb;
2142 BT_DBG("chan %p", chan);
2144 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2147 if (__chan_is_moving(chan))
2150 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2151 seq = l2cap_seq_list_pop(&chan->retrans_list);
2153 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2155 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2160 bt_cb(skb)->l2cap.retries++;
2161 control = bt_cb(skb)->l2cap;
2163 if (chan->max_tx != 0 &&
2164 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2165 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2166 l2cap_send_disconn_req(chan, ECONNRESET);
2167 l2cap_seq_list_clear(&chan->retrans_list);
2171 control.reqseq = chan->buffer_seq;
2172 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2177 if (skb_cloned(skb)) {
2178 /* Cloned sk_buffs are read-only, so we need a
2181 tx_skb = skb_copy(skb, GFP_KERNEL);
2183 tx_skb = skb_clone(skb, GFP_KERNEL);
2187 l2cap_seq_list_clear(&chan->retrans_list);
2191 /* Update skb contents */
2192 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2193 put_unaligned_le32(__pack_extended_control(&control),
2194 tx_skb->data + L2CAP_HDR_SIZE);
2196 put_unaligned_le16(__pack_enhanced_control(&control),
2197 tx_skb->data + L2CAP_HDR_SIZE);
2201 if (chan->fcs == L2CAP_FCS_CRC16) {
2202 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2203 tx_skb->len - L2CAP_FCS_SIZE);
2204 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2208 l2cap_do_send(chan, tx_skb);
2210 BT_DBG("Resent txseq %d", control.txseq);
2212 chan->last_acked_seq = chan->buffer_seq;
2216 static void l2cap_retransmit(struct l2cap_chan *chan,
2217 struct l2cap_ctrl *control)
2219 BT_DBG("chan %p, control %p", chan, control);
2221 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2222 l2cap_ertm_resend(chan);
2225 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2226 struct l2cap_ctrl *control)
2228 struct sk_buff *skb;
2230 BT_DBG("chan %p, control %p", chan, control);
2233 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2235 l2cap_seq_list_clear(&chan->retrans_list);
2237 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2240 if (chan->unacked_frames) {
2241 skb_queue_walk(&chan->tx_q, skb) {
2242 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2243 skb == chan->tx_send_head)
2247 skb_queue_walk_from(&chan->tx_q, skb) {
2248 if (skb == chan->tx_send_head)
2251 l2cap_seq_list_append(&chan->retrans_list,
2252 bt_cb(skb)->l2cap.txseq);
2255 l2cap_ertm_resend(chan);
2259 static void l2cap_send_ack(struct l2cap_chan *chan)
2261 struct l2cap_ctrl control;
2262 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2263 chan->last_acked_seq);
2266 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2267 chan, chan->last_acked_seq, chan->buffer_seq);
2269 memset(&control, 0, sizeof(control));
2272 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2273 chan->rx_state == L2CAP_RX_STATE_RECV) {
2274 __clear_ack_timer(chan);
2275 control.super = L2CAP_SUPER_RNR;
2276 control.reqseq = chan->buffer_seq;
2277 l2cap_send_sframe(chan, &control);
2279 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2280 l2cap_ertm_send(chan);
2281 /* If any i-frames were sent, they included an ack */
2282 if (chan->buffer_seq == chan->last_acked_seq)
2286 /* Ack now if the window is 3/4ths full.
2287 * Calculate without mul or div
2289 threshold = chan->ack_win;
2290 threshold += threshold << 1;
2293 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2296 if (frames_to_ack >= threshold) {
2297 __clear_ack_timer(chan);
2298 control.super = L2CAP_SUPER_RR;
2299 control.reqseq = chan->buffer_seq;
2300 l2cap_send_sframe(chan, &control);
2305 __set_ack_timer(chan);
2309 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2310 struct msghdr *msg, int len,
2311 int count, struct sk_buff *skb)
2313 struct l2cap_conn *conn = chan->conn;
2314 struct sk_buff **frag;
2317 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2323 /* Continuation fragments (no L2CAP header) */
2324 frag = &skb_shinfo(skb)->frag_list;
2326 struct sk_buff *tmp;
2328 count = min_t(unsigned int, conn->mtu, len);
2330 tmp = chan->ops->alloc_skb(chan, 0, count,
2331 msg->msg_flags & MSG_DONTWAIT);
2333 return PTR_ERR(tmp);
2337 if (!copy_from_iter_full(skb_put(*frag, count), count,
2344 skb->len += (*frag)->len;
2345 skb->data_len += (*frag)->len;
2347 frag = &(*frag)->next;
2353 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2354 struct msghdr *msg, size_t len)
2356 struct l2cap_conn *conn = chan->conn;
2357 struct sk_buff *skb;
2358 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2359 struct l2cap_hdr *lh;
2361 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2362 __le16_to_cpu(chan->psm), len);
2364 count = min_t(unsigned int, (conn->mtu - hlen), len);
2366 skb = chan->ops->alloc_skb(chan, hlen, count,
2367 msg->msg_flags & MSG_DONTWAIT);
2371 /* Create L2CAP header */
2372 lh = skb_put(skb, L2CAP_HDR_SIZE);
2373 lh->cid = cpu_to_le16(chan->dcid);
2374 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2375 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2377 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2378 if (unlikely(err < 0)) {
2380 return ERR_PTR(err);
2385 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2386 struct msghdr *msg, size_t len)
2388 struct l2cap_conn *conn = chan->conn;
2389 struct sk_buff *skb;
2391 struct l2cap_hdr *lh;
2393 BT_DBG("chan %p len %zu", chan, len);
2395 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2397 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2398 msg->msg_flags & MSG_DONTWAIT);
2402 /* Create L2CAP header */
2403 lh = skb_put(skb, L2CAP_HDR_SIZE);
2404 lh->cid = cpu_to_le16(chan->dcid);
2405 lh->len = cpu_to_le16(len);
2407 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2408 if (unlikely(err < 0)) {
2410 return ERR_PTR(err);
2415 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2416 struct msghdr *msg, size_t len,
2419 struct l2cap_conn *conn = chan->conn;
2420 struct sk_buff *skb;
2421 int err, count, hlen;
2422 struct l2cap_hdr *lh;
2424 BT_DBG("chan %p len %zu", chan, len);
2427 return ERR_PTR(-ENOTCONN);
2429 hlen = __ertm_hdr_size(chan);
2432 hlen += L2CAP_SDULEN_SIZE;
2434 if (chan->fcs == L2CAP_FCS_CRC16)
2435 hlen += L2CAP_FCS_SIZE;
2437 count = min_t(unsigned int, (conn->mtu - hlen), len);
2439 skb = chan->ops->alloc_skb(chan, hlen, count,
2440 msg->msg_flags & MSG_DONTWAIT);
2444 /* Create L2CAP header */
2445 lh = skb_put(skb, L2CAP_HDR_SIZE);
2446 lh->cid = cpu_to_le16(chan->dcid);
2447 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2449 /* Control header is populated later */
2450 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2451 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2453 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2456 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2458 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2459 if (unlikely(err < 0)) {
2461 return ERR_PTR(err);
2464 bt_cb(skb)->l2cap.fcs = chan->fcs;
2465 bt_cb(skb)->l2cap.retries = 0;
2469 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2470 struct sk_buff_head *seg_queue,
2471 struct msghdr *msg, size_t len)
2473 struct sk_buff *skb;
2478 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2480 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2481 * so fragmented skbs are not used. The HCI layer's handling
2482 * of fragmented skbs is not compatible with ERTM's queueing.
2485 /* PDU size is derived from the HCI MTU */
2486 pdu_len = chan->conn->mtu;
2488 /* Constrain PDU size for BR/EDR connections */
2490 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2492 /* Adjust for largest possible L2CAP overhead. */
2494 pdu_len -= L2CAP_FCS_SIZE;
2496 pdu_len -= __ertm_hdr_size(chan);
2498 /* Remote device may have requested smaller PDUs */
2499 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2501 if (len <= pdu_len) {
2502 sar = L2CAP_SAR_UNSEGMENTED;
2506 sar = L2CAP_SAR_START;
2511 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2514 __skb_queue_purge(seg_queue);
2515 return PTR_ERR(skb);
2518 bt_cb(skb)->l2cap.sar = sar;
2519 __skb_queue_tail(seg_queue, skb);
2525 if (len <= pdu_len) {
2526 sar = L2CAP_SAR_END;
2529 sar = L2CAP_SAR_CONTINUE;
2536 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2538 size_t len, u16 sdulen)
2540 struct l2cap_conn *conn = chan->conn;
2541 struct sk_buff *skb;
2542 int err, count, hlen;
2543 struct l2cap_hdr *lh;
2545 BT_DBG("chan %p len %zu", chan, len);
2548 return ERR_PTR(-ENOTCONN);
2550 hlen = L2CAP_HDR_SIZE;
2553 hlen += L2CAP_SDULEN_SIZE;
2555 count = min_t(unsigned int, (conn->mtu - hlen), len);
2557 skb = chan->ops->alloc_skb(chan, hlen, count,
2558 msg->msg_flags & MSG_DONTWAIT);
2562 /* Create L2CAP header */
2563 lh = skb_put(skb, L2CAP_HDR_SIZE);
2564 lh->cid = cpu_to_le16(chan->dcid);
2565 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2568 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2570 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2571 if (unlikely(err < 0)) {
2573 return ERR_PTR(err);
2579 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2580 struct sk_buff_head *seg_queue,
2581 struct msghdr *msg, size_t len)
2583 struct sk_buff *skb;
2587 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2590 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2596 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2598 __skb_queue_purge(seg_queue);
2599 return PTR_ERR(skb);
2602 __skb_queue_tail(seg_queue, skb);
2608 pdu_len += L2CAP_SDULEN_SIZE;
2615 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2619 BT_DBG("chan %p", chan);
2621 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2622 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2627 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2628 skb_queue_len(&chan->tx_q));
2631 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2633 struct sk_buff *skb;
2635 struct sk_buff_head seg_queue;
2640 /* Connectionless channel */
2641 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2642 skb = l2cap_create_connless_pdu(chan, msg, len);
2644 return PTR_ERR(skb);
2646 /* Channel lock is released before requesting new skb and then
2647 * reacquired thus we need to recheck channel state.
2649 if (chan->state != BT_CONNECTED) {
2654 l2cap_do_send(chan, skb);
2658 switch (chan->mode) {
2659 case L2CAP_MODE_LE_FLOWCTL:
2660 case L2CAP_MODE_EXT_FLOWCTL:
2661 /* Check outgoing MTU */
2662 if (len > chan->omtu)
2665 __skb_queue_head_init(&seg_queue);
2667 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2669 if (chan->state != BT_CONNECTED) {
2670 __skb_queue_purge(&seg_queue);
2677 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2679 l2cap_le_flowctl_send(chan);
2681 if (!chan->tx_credits)
2682 chan->ops->suspend(chan);
2688 case L2CAP_MODE_BASIC:
2689 /* Check outgoing MTU */
2690 if (len > chan->omtu)
2693 /* Create a basic PDU */
2694 skb = l2cap_create_basic_pdu(chan, msg, len);
2696 return PTR_ERR(skb);
2698 /* Channel lock is released before requesting new skb and then
2699 * reacquired thus we need to recheck channel state.
2701 if (chan->state != BT_CONNECTED) {
2706 l2cap_do_send(chan, skb);
2710 case L2CAP_MODE_ERTM:
2711 case L2CAP_MODE_STREAMING:
2712 /* Check outgoing MTU */
2713 if (len > chan->omtu) {
2718 __skb_queue_head_init(&seg_queue);
2720 /* Do segmentation before calling in to the state machine,
2721 * since it's possible to block while waiting for memory
2724 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2726 /* The channel could have been closed while segmenting,
2727 * check that it is still connected.
2729 if (chan->state != BT_CONNECTED) {
2730 __skb_queue_purge(&seg_queue);
2737 if (chan->mode == L2CAP_MODE_ERTM)
2738 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2740 l2cap_streaming_send(chan, &seg_queue);
2744 /* If the skbs were not queued for sending, they'll still be in
2745 * seg_queue and need to be purged.
2747 __skb_queue_purge(&seg_queue);
2751 BT_DBG("bad state %1.1x", chan->mode);
2757 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2759 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2761 struct l2cap_ctrl control;
2764 BT_DBG("chan %p, txseq %u", chan, txseq);
2766 memset(&control, 0, sizeof(control));
2768 control.super = L2CAP_SUPER_SREJ;
2770 for (seq = chan->expected_tx_seq; seq != txseq;
2771 seq = __next_seq(chan, seq)) {
2772 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2773 control.reqseq = seq;
2774 l2cap_send_sframe(chan, &control);
2775 l2cap_seq_list_append(&chan->srej_list, seq);
2779 chan->expected_tx_seq = __next_seq(chan, txseq);
2782 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2784 struct l2cap_ctrl control;
2786 BT_DBG("chan %p", chan);
2788 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2791 memset(&control, 0, sizeof(control));
2793 control.super = L2CAP_SUPER_SREJ;
2794 control.reqseq = chan->srej_list.tail;
2795 l2cap_send_sframe(chan, &control);
2798 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2800 struct l2cap_ctrl control;
2804 BT_DBG("chan %p, txseq %u", chan, txseq);
2806 memset(&control, 0, sizeof(control));
2808 control.super = L2CAP_SUPER_SREJ;
2810 /* Capture initial list head to allow only one pass through the list. */
2811 initial_head = chan->srej_list.head;
2814 seq = l2cap_seq_list_pop(&chan->srej_list);
2815 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2818 control.reqseq = seq;
2819 l2cap_send_sframe(chan, &control);
2820 l2cap_seq_list_append(&chan->srej_list, seq);
2821 } while (chan->srej_list.head != initial_head);
2824 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2826 struct sk_buff *acked_skb;
2829 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2831 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2834 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2835 chan->expected_ack_seq, chan->unacked_frames);
2837 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2838 ackseq = __next_seq(chan, ackseq)) {
2840 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2842 skb_unlink(acked_skb, &chan->tx_q);
2843 kfree_skb(acked_skb);
2844 chan->unacked_frames--;
2848 chan->expected_ack_seq = reqseq;
2850 if (chan->unacked_frames == 0)
2851 __clear_retrans_timer(chan);
2853 BT_DBG("unacked_frames %u", chan->unacked_frames);
2856 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2858 BT_DBG("chan %p", chan);
2860 chan->expected_tx_seq = chan->buffer_seq;
2861 l2cap_seq_list_clear(&chan->srej_list);
2862 skb_queue_purge(&chan->srej_q);
2863 chan->rx_state = L2CAP_RX_STATE_RECV;
2866 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2867 struct l2cap_ctrl *control,
2868 struct sk_buff_head *skbs, u8 event)
2870 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2874 case L2CAP_EV_DATA_REQUEST:
2875 if (chan->tx_send_head == NULL)
2876 chan->tx_send_head = skb_peek(skbs);
2878 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2879 l2cap_ertm_send(chan);
2881 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2882 BT_DBG("Enter LOCAL_BUSY");
2883 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2885 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2886 /* The SREJ_SENT state must be aborted if we are to
2887 * enter the LOCAL_BUSY state.
2889 l2cap_abort_rx_srej_sent(chan);
2892 l2cap_send_ack(chan);
2895 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2896 BT_DBG("Exit LOCAL_BUSY");
2897 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2899 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2900 struct l2cap_ctrl local_control;
2902 memset(&local_control, 0, sizeof(local_control));
2903 local_control.sframe = 1;
2904 local_control.super = L2CAP_SUPER_RR;
2905 local_control.poll = 1;
2906 local_control.reqseq = chan->buffer_seq;
2907 l2cap_send_sframe(chan, &local_control);
2909 chan->retry_count = 1;
2910 __set_monitor_timer(chan);
2911 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2914 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2915 l2cap_process_reqseq(chan, control->reqseq);
2917 case L2CAP_EV_EXPLICIT_POLL:
2918 l2cap_send_rr_or_rnr(chan, 1);
2919 chan->retry_count = 1;
2920 __set_monitor_timer(chan);
2921 __clear_ack_timer(chan);
2922 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2924 case L2CAP_EV_RETRANS_TO:
2925 l2cap_send_rr_or_rnr(chan, 1);
2926 chan->retry_count = 1;
2927 __set_monitor_timer(chan);
2928 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2930 case L2CAP_EV_RECV_FBIT:
2931 /* Nothing to process */
2938 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2939 struct l2cap_ctrl *control,
2940 struct sk_buff_head *skbs, u8 event)
2942 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2946 case L2CAP_EV_DATA_REQUEST:
2947 if (chan->tx_send_head == NULL)
2948 chan->tx_send_head = skb_peek(skbs);
2949 /* Queue data, but don't send. */
2950 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2952 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2953 BT_DBG("Enter LOCAL_BUSY");
2954 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2956 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2957 /* The SREJ_SENT state must be aborted if we are to
2958 * enter the LOCAL_BUSY state.
2960 l2cap_abort_rx_srej_sent(chan);
2963 l2cap_send_ack(chan);
2966 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2967 BT_DBG("Exit LOCAL_BUSY");
2968 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2970 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2971 struct l2cap_ctrl local_control;
2972 memset(&local_control, 0, sizeof(local_control));
2973 local_control.sframe = 1;
2974 local_control.super = L2CAP_SUPER_RR;
2975 local_control.poll = 1;
2976 local_control.reqseq = chan->buffer_seq;
2977 l2cap_send_sframe(chan, &local_control);
2979 chan->retry_count = 1;
2980 __set_monitor_timer(chan);
2981 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2984 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2985 l2cap_process_reqseq(chan, control->reqseq);
2989 case L2CAP_EV_RECV_FBIT:
2990 if (control && control->final) {
2991 __clear_monitor_timer(chan);
2992 if (chan->unacked_frames > 0)
2993 __set_retrans_timer(chan);
2994 chan->retry_count = 0;
2995 chan->tx_state = L2CAP_TX_STATE_XMIT;
2996 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2999 case L2CAP_EV_EXPLICIT_POLL:
3002 case L2CAP_EV_MONITOR_TO:
3003 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3004 l2cap_send_rr_or_rnr(chan, 1);
3005 __set_monitor_timer(chan);
3006 chan->retry_count++;
3008 l2cap_send_disconn_req(chan, ECONNABORTED);
3016 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3017 struct sk_buff_head *skbs, u8 event)
3019 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3020 chan, control, skbs, event, chan->tx_state);
3022 switch (chan->tx_state) {
3023 case L2CAP_TX_STATE_XMIT:
3024 l2cap_tx_state_xmit(chan, control, skbs, event);
3026 case L2CAP_TX_STATE_WAIT_F:
3027 l2cap_tx_state_wait_f(chan, control, skbs, event);
3035 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3036 struct l2cap_ctrl *control)
3038 BT_DBG("chan %p, control %p", chan, control);
3039 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3042 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3043 struct l2cap_ctrl *control)
3045 BT_DBG("chan %p, control %p", chan, control);
3046 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3049 /* Copy frame to all raw sockets on that connection */
3050 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3052 struct sk_buff *nskb;
3053 struct l2cap_chan *chan;
3055 BT_DBG("conn %p", conn);
3057 mutex_lock(&conn->chan_lock);
3059 list_for_each_entry(chan, &conn->chan_l, list) {
3060 if (chan->chan_type != L2CAP_CHAN_RAW)
3063 /* Don't send frame to the channel it came from */
3064 if (bt_cb(skb)->l2cap.chan == chan)
3067 nskb = skb_clone(skb, GFP_KERNEL);
3070 if (chan->ops->recv(chan, nskb))
3074 mutex_unlock(&conn->chan_lock);
3077 /* ---- L2CAP signalling commands ---- */
3078 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3079 u8 ident, u16 dlen, void *data)
3081 struct sk_buff *skb, **frag;
3082 struct l2cap_cmd_hdr *cmd;
3083 struct l2cap_hdr *lh;
3086 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3087 conn, code, ident, dlen);
3089 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3092 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3093 count = min_t(unsigned int, conn->mtu, len);
3095 skb = bt_skb_alloc(count, GFP_KERNEL);
3099 lh = skb_put(skb, L2CAP_HDR_SIZE);
3100 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3102 if (conn->hcon->type == LE_LINK)
3103 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3105 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
3107 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
3110 cmd->len = cpu_to_le16(dlen);
3113 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3114 skb_put_data(skb, data, count);
3120 /* Continuation fragments (no L2CAP header) */
3121 frag = &skb_shinfo(skb)->frag_list;
3123 count = min_t(unsigned int, conn->mtu, len);
3125 *frag = bt_skb_alloc(count, GFP_KERNEL);
3129 skb_put_data(*frag, data, count);
3134 frag = &(*frag)->next;
3144 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3147 struct l2cap_conf_opt *opt = *ptr;
3150 len = L2CAP_CONF_OPT_SIZE + opt->len;
3158 *val = *((u8 *) opt->val);
3162 *val = get_unaligned_le16(opt->val);
3166 *val = get_unaligned_le32(opt->val);
3170 *val = (unsigned long) opt->val;
3174 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3178 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3180 struct l2cap_conf_opt *opt = *ptr;
3182 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3184 if (size < L2CAP_CONF_OPT_SIZE + len)
3192 *((u8 *) opt->val) = val;
3196 put_unaligned_le16(val, opt->val);
3200 put_unaligned_le32(val, opt->val);
3204 memcpy(opt->val, (void *) val, len);
3208 *ptr += L2CAP_CONF_OPT_SIZE + len;
3211 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3213 struct l2cap_conf_efs efs;
3215 switch (chan->mode) {
3216 case L2CAP_MODE_ERTM:
3217 efs.id = chan->local_id;
3218 efs.stype = chan->local_stype;
3219 efs.msdu = cpu_to_le16(chan->local_msdu);
3220 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3221 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3222 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3225 case L2CAP_MODE_STREAMING:
3227 efs.stype = L2CAP_SERV_BESTEFFORT;
3228 efs.msdu = cpu_to_le16(chan->local_msdu);
3229 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3238 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3239 (unsigned long) &efs, size);
3242 static void l2cap_ack_timeout(struct work_struct *work)
3244 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3248 BT_DBG("chan %p", chan);
3250 l2cap_chan_lock(chan);
3252 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3253 chan->last_acked_seq);
3256 l2cap_send_rr_or_rnr(chan, 0);
3258 l2cap_chan_unlock(chan);
3259 l2cap_chan_put(chan);
3262 int l2cap_ertm_init(struct l2cap_chan *chan)
3266 chan->next_tx_seq = 0;
3267 chan->expected_tx_seq = 0;
3268 chan->expected_ack_seq = 0;
3269 chan->unacked_frames = 0;
3270 chan->buffer_seq = 0;
3271 chan->frames_sent = 0;
3272 chan->last_acked_seq = 0;
3274 chan->sdu_last_frag = NULL;
3277 skb_queue_head_init(&chan->tx_q);
3279 chan->local_amp_id = AMP_ID_BREDR;
3280 chan->move_id = AMP_ID_BREDR;
3281 chan->move_state = L2CAP_MOVE_STABLE;
3282 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3284 if (chan->mode != L2CAP_MODE_ERTM)
3287 chan->rx_state = L2CAP_RX_STATE_RECV;
3288 chan->tx_state = L2CAP_TX_STATE_XMIT;
3290 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3291 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3292 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3294 skb_queue_head_init(&chan->srej_q);
3296 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3300 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3302 l2cap_seq_list_free(&chan->srej_list);
3307 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3310 case L2CAP_MODE_STREAMING:
3311 case L2CAP_MODE_ERTM:
3312 if (l2cap_mode_supported(mode, remote_feat_mask))
3316 return L2CAP_MODE_BASIC;
3320 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3322 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3323 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3326 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3328 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3329 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3332 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3333 struct l2cap_conf_rfc *rfc)
3335 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3336 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3338 /* Class 1 devices have must have ERTM timeouts
3339 * exceeding the Link Supervision Timeout. The
3340 * default Link Supervision Timeout for AMP
3341 * controllers is 10 seconds.
3343 * Class 1 devices use 0xffffffff for their
3344 * best-effort flush timeout, so the clamping logic
3345 * will result in a timeout that meets the above
3346 * requirement. ERTM timeouts are 16-bit values, so
3347 * the maximum timeout is 65.535 seconds.
3350 /* Convert timeout to milliseconds and round */
3351 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3353 /* This is the recommended formula for class 2 devices
3354 * that start ERTM timers when packets are sent to the
3357 ertm_to = 3 * ertm_to + 500;
3359 if (ertm_to > 0xffff)
3362 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3363 rfc->monitor_timeout = rfc->retrans_timeout;
3365 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3366 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3370 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3372 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3373 __l2cap_ews_supported(chan->conn)) {
3374 /* use extended control field */
3375 set_bit(FLAG_EXT_CTRL, &chan->flags);
3376 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3378 chan->tx_win = min_t(u16, chan->tx_win,
3379 L2CAP_DEFAULT_TX_WINDOW);
3380 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3382 chan->ack_win = chan->tx_win;
3385 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3387 struct hci_conn *conn = chan->conn->hcon;
3389 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3391 /* The 2-DH1 packet has between 2 and 56 information bytes
3392 * (including the 2-byte payload header)
3394 if (!(conn->pkt_type & HCI_2DH1))
3397 /* The 3-DH1 packet has between 2 and 85 information bytes
3398 * (including the 2-byte payload header)
3400 if (!(conn->pkt_type & HCI_3DH1))
3403 /* The 2-DH3 packet has between 2 and 369 information bytes
3404 * (including the 2-byte payload header)
3406 if (!(conn->pkt_type & HCI_2DH3))
3409 /* The 3-DH3 packet has between 2 and 554 information bytes
3410 * (including the 2-byte payload header)
3412 if (!(conn->pkt_type & HCI_3DH3))
3415 /* The 2-DH5 packet has between 2 and 681 information bytes
3416 * (including the 2-byte payload header)
3418 if (!(conn->pkt_type & HCI_2DH5))
3421 /* The 3-DH5 packet has between 2 and 1023 information bytes
3422 * (including the 2-byte payload header)
3424 if (!(conn->pkt_type & HCI_3DH5))
3428 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3430 struct l2cap_conf_req *req = data;
3431 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3432 void *ptr = req->data;
3433 void *endptr = data + data_size;
3436 BT_DBG("chan %p", chan);
3438 if (chan->num_conf_req || chan->num_conf_rsp)
3441 switch (chan->mode) {
3442 case L2CAP_MODE_STREAMING:
3443 case L2CAP_MODE_ERTM:
3444 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3447 if (__l2cap_efs_supported(chan->conn))
3448 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3452 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3457 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3459 l2cap_mtu_auto(chan);
3460 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3464 switch (chan->mode) {
3465 case L2CAP_MODE_BASIC:
3469 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3470 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3473 rfc.mode = L2CAP_MODE_BASIC;
3475 rfc.max_transmit = 0;
3476 rfc.retrans_timeout = 0;
3477 rfc.monitor_timeout = 0;
3478 rfc.max_pdu_size = 0;
3480 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3481 (unsigned long) &rfc, endptr - ptr);
3484 case L2CAP_MODE_ERTM:
3485 rfc.mode = L2CAP_MODE_ERTM;
3486 rfc.max_transmit = chan->max_tx;
3488 __l2cap_set_ertm_timeouts(chan, &rfc);
3490 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3491 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3493 rfc.max_pdu_size = cpu_to_le16(size);
3495 l2cap_txwin_setup(chan);
3497 rfc.txwin_size = min_t(u16, chan->tx_win,
3498 L2CAP_DEFAULT_TX_WINDOW);
3500 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3501 (unsigned long) &rfc, endptr - ptr);
3503 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3504 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3506 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3507 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3508 chan->tx_win, endptr - ptr);
3510 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3511 if (chan->fcs == L2CAP_FCS_NONE ||
3512 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3513 chan->fcs = L2CAP_FCS_NONE;
3514 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3515 chan->fcs, endptr - ptr);
3519 case L2CAP_MODE_STREAMING:
3520 l2cap_txwin_setup(chan);
3521 rfc.mode = L2CAP_MODE_STREAMING;
3523 rfc.max_transmit = 0;
3524 rfc.retrans_timeout = 0;
3525 rfc.monitor_timeout = 0;
3527 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3528 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3530 rfc.max_pdu_size = cpu_to_le16(size);
3532 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3533 (unsigned long) &rfc, endptr - ptr);
3535 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3536 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3538 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3539 if (chan->fcs == L2CAP_FCS_NONE ||
3540 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3541 chan->fcs = L2CAP_FCS_NONE;
3542 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3543 chan->fcs, endptr - ptr);
3548 req->dcid = cpu_to_le16(chan->dcid);
3549 req->flags = cpu_to_le16(0);
3554 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3556 struct l2cap_conf_rsp *rsp = data;
3557 void *ptr = rsp->data;
3558 void *endptr = data + data_size;
3559 void *req = chan->conf_req;
3560 int len = chan->conf_len;
3561 int type, hint, olen;
3563 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3564 struct l2cap_conf_efs efs;
3566 u16 mtu = L2CAP_DEFAULT_MTU;
3567 u16 result = L2CAP_CONF_SUCCESS;
3570 BT_DBG("chan %p", chan);
3572 while (len >= L2CAP_CONF_OPT_SIZE) {
3573 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3577 hint = type & L2CAP_CONF_HINT;
3578 type &= L2CAP_CONF_MASK;
3581 case L2CAP_CONF_MTU:
3587 case L2CAP_CONF_FLUSH_TO:
3590 chan->flush_to = val;
3593 case L2CAP_CONF_QOS:
3596 case L2CAP_CONF_RFC:
3597 if (olen != sizeof(rfc))
3599 memcpy(&rfc, (void *) val, olen);
3602 case L2CAP_CONF_FCS:
3605 if (val == L2CAP_FCS_NONE)
3606 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3609 case L2CAP_CONF_EFS:
3610 if (olen != sizeof(efs))
3613 memcpy(&efs, (void *) val, olen);
3616 case L2CAP_CONF_EWS:
3619 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3620 return -ECONNREFUSED;
3621 set_bit(FLAG_EXT_CTRL, &chan->flags);
3622 set_bit(CONF_EWS_RECV, &chan->conf_state);
3623 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3624 chan->remote_tx_win = val;
3630 result = L2CAP_CONF_UNKNOWN;
3631 *((u8 *) ptr++) = type;
3636 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3639 switch (chan->mode) {
3640 case L2CAP_MODE_STREAMING:
3641 case L2CAP_MODE_ERTM:
3642 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3643 chan->mode = l2cap_select_mode(rfc.mode,
3644 chan->conn->feat_mask);
3649 if (__l2cap_efs_supported(chan->conn))
3650 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3652 return -ECONNREFUSED;
3655 if (chan->mode != rfc.mode)
3656 return -ECONNREFUSED;
3662 if (chan->mode != rfc.mode) {
3663 result = L2CAP_CONF_UNACCEPT;
3664 rfc.mode = chan->mode;
3666 if (chan->num_conf_rsp == 1)
3667 return -ECONNREFUSED;
3669 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3670 (unsigned long) &rfc, endptr - ptr);
3673 if (result == L2CAP_CONF_SUCCESS) {
3674 /* Configure output options and let the other side know
3675 * which ones we don't like. */
3677 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3678 result = L2CAP_CONF_UNACCEPT;
3681 set_bit(CONF_MTU_DONE, &chan->conf_state);
3683 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3686 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3687 efs.stype != L2CAP_SERV_NOTRAFIC &&
3688 efs.stype != chan->local_stype) {
3690 result = L2CAP_CONF_UNACCEPT;
3692 if (chan->num_conf_req >= 1)
3693 return -ECONNREFUSED;
3695 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3697 (unsigned long) &efs, endptr - ptr);
3699 /* Send PENDING Conf Rsp */
3700 result = L2CAP_CONF_PENDING;
3701 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3706 case L2CAP_MODE_BASIC:
3707 chan->fcs = L2CAP_FCS_NONE;
3708 set_bit(CONF_MODE_DONE, &chan->conf_state);
3711 case L2CAP_MODE_ERTM:
3712 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3713 chan->remote_tx_win = rfc.txwin_size;
3715 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3717 chan->remote_max_tx = rfc.max_transmit;
3719 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3720 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3721 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3722 rfc.max_pdu_size = cpu_to_le16(size);
3723 chan->remote_mps = size;
3725 __l2cap_set_ertm_timeouts(chan, &rfc);
3727 set_bit(CONF_MODE_DONE, &chan->conf_state);
3729 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3730 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3732 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3733 chan->remote_id = efs.id;
3734 chan->remote_stype = efs.stype;
3735 chan->remote_msdu = le16_to_cpu(efs.msdu);
3736 chan->remote_flush_to =
3737 le32_to_cpu(efs.flush_to);
3738 chan->remote_acc_lat =
3739 le32_to_cpu(efs.acc_lat);
3740 chan->remote_sdu_itime =
3741 le32_to_cpu(efs.sdu_itime);
3742 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3744 (unsigned long) &efs, endptr - ptr);
3748 case L2CAP_MODE_STREAMING:
3749 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3750 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3751 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3752 rfc.max_pdu_size = cpu_to_le16(size);
3753 chan->remote_mps = size;
3755 set_bit(CONF_MODE_DONE, &chan->conf_state);
3757 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3758 (unsigned long) &rfc, endptr - ptr);
3763 result = L2CAP_CONF_UNACCEPT;
3765 memset(&rfc, 0, sizeof(rfc));
3766 rfc.mode = chan->mode;
3769 if (result == L2CAP_CONF_SUCCESS)
3770 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3772 rsp->scid = cpu_to_le16(chan->dcid);
3773 rsp->result = cpu_to_le16(result);
3774 rsp->flags = cpu_to_le16(0);
3779 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3780 void *data, size_t size, u16 *result)
3782 struct l2cap_conf_req *req = data;
3783 void *ptr = req->data;
3784 void *endptr = data + size;
3787 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3788 struct l2cap_conf_efs efs;
3790 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3792 while (len >= L2CAP_CONF_OPT_SIZE) {
3793 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3798 case L2CAP_CONF_MTU:
3801 if (val < L2CAP_DEFAULT_MIN_MTU) {
3802 *result = L2CAP_CONF_UNACCEPT;
3803 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3806 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3810 case L2CAP_CONF_FLUSH_TO:
3813 chan->flush_to = val;
3814 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3815 chan->flush_to, endptr - ptr);
3818 case L2CAP_CONF_RFC:
3819 if (olen != sizeof(rfc))
3821 memcpy(&rfc, (void *)val, olen);
3822 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3823 rfc.mode != chan->mode)
3824 return -ECONNREFUSED;
3826 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3827 (unsigned long) &rfc, endptr - ptr);
3830 case L2CAP_CONF_EWS:
3833 chan->ack_win = min_t(u16, val, chan->ack_win);
3834 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3835 chan->tx_win, endptr - ptr);
3838 case L2CAP_CONF_EFS:
3839 if (olen != sizeof(efs))
3841 memcpy(&efs, (void *)val, olen);
3842 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3843 efs.stype != L2CAP_SERV_NOTRAFIC &&
3844 efs.stype != chan->local_stype)
3845 return -ECONNREFUSED;
3846 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3847 (unsigned long) &efs, endptr - ptr);
3850 case L2CAP_CONF_FCS:
3853 if (*result == L2CAP_CONF_PENDING)
3854 if (val == L2CAP_FCS_NONE)
3855 set_bit(CONF_RECV_NO_FCS,
3861 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3862 return -ECONNREFUSED;
3864 chan->mode = rfc.mode;
3866 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3868 case L2CAP_MODE_ERTM:
3869 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3870 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3871 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3872 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3873 chan->ack_win = min_t(u16, chan->ack_win,
3876 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3877 chan->local_msdu = le16_to_cpu(efs.msdu);
3878 chan->local_sdu_itime =
3879 le32_to_cpu(efs.sdu_itime);
3880 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3881 chan->local_flush_to =
3882 le32_to_cpu(efs.flush_to);
3886 case L2CAP_MODE_STREAMING:
3887 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3891 req->dcid = cpu_to_le16(chan->dcid);
3892 req->flags = cpu_to_le16(0);
3897 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3898 u16 result, u16 flags)
3900 struct l2cap_conf_rsp *rsp = data;
3901 void *ptr = rsp->data;
3903 BT_DBG("chan %p", chan);
3905 rsp->scid = cpu_to_le16(chan->dcid);
3906 rsp->result = cpu_to_le16(result);
3907 rsp->flags = cpu_to_le16(flags);
3912 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3914 struct l2cap_le_conn_rsp rsp;
3915 struct l2cap_conn *conn = chan->conn;
3917 BT_DBG("chan %p", chan);
3919 rsp.dcid = cpu_to_le16(chan->scid);
3920 rsp.mtu = cpu_to_le16(chan->imtu);
3921 rsp.mps = cpu_to_le16(chan->mps);
3922 rsp.credits = cpu_to_le16(chan->rx_credits);
3923 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3925 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3929 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3932 struct l2cap_ecred_conn_rsp rsp;
3935 struct l2cap_conn *conn = chan->conn;
3936 u16 ident = chan->ident;
3942 BT_DBG("chan %p ident %d", chan, ident);
3944 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3945 pdu.rsp.mps = cpu_to_le16(chan->mps);
3946 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3947 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3949 mutex_lock(&conn->chan_lock);
3951 list_for_each_entry(chan, &conn->chan_l, list) {
3952 if (chan->ident != ident)
3955 /* Reset ident so only one response is sent */
3958 /* Include all channels pending with the same ident */
3959 pdu.dcid[i++] = cpu_to_le16(chan->scid);
3962 mutex_unlock(&conn->chan_lock);
3964 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3965 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3968 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3970 struct l2cap_conn_rsp rsp;
3971 struct l2cap_conn *conn = chan->conn;
3975 rsp.scid = cpu_to_le16(chan->dcid);
3976 rsp.dcid = cpu_to_le16(chan->scid);
3977 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3978 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3981 rsp_code = L2CAP_CREATE_CHAN_RSP;
3983 rsp_code = L2CAP_CONN_RSP;
3985 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3987 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3989 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3992 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3993 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3994 chan->num_conf_req++;
3997 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
4001 /* Use sane default values in case a misbehaving remote device
4002 * did not send an RFC or extended window size option.
4004 u16 txwin_ext = chan->ack_win;
4005 struct l2cap_conf_rfc rfc = {
4007 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
4008 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
4009 .max_pdu_size = cpu_to_le16(chan->imtu),
4010 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
4013 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
4015 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
4018 while (len >= L2CAP_CONF_OPT_SIZE) {
4019 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
4024 case L2CAP_CONF_RFC:
4025 if (olen != sizeof(rfc))
4027 memcpy(&rfc, (void *)val, olen);
4029 case L2CAP_CONF_EWS:
4038 case L2CAP_MODE_ERTM:
4039 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
4040 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
4041 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4042 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4043 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
4045 chan->ack_win = min_t(u16, chan->ack_win,
4048 case L2CAP_MODE_STREAMING:
4049 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4053 static inline int l2cap_command_rej(struct l2cap_conn *conn,
4054 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4057 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4059 if (cmd_len < sizeof(*rej))
4062 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4065 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
4066 cmd->ident == conn->info_ident) {
4067 cancel_delayed_work(&conn->info_timer);
4069 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4070 conn->info_ident = 0;
4072 l2cap_conn_start(conn);
4078 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
4079 struct l2cap_cmd_hdr *cmd,
4080 u8 *data, u8 rsp_code, u8 amp_id)
4082 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
4083 struct l2cap_conn_rsp rsp;
4084 struct l2cap_chan *chan = NULL, *pchan;
4085 int result, status = L2CAP_CS_NO_INFO;
4087 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
4088 __le16 psm = req->psm;
4090 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
4092 /* Check if we have socket listening on psm */
4093 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4094 &conn->hcon->dst, ACL_LINK);
4096 result = L2CAP_CR_BAD_PSM;
4100 mutex_lock(&conn->chan_lock);
4101 l2cap_chan_lock(pchan);
4103 /* Check if the ACL is secure enough (if not SDP) */
4104 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
4105 !hci_conn_check_link_mode(conn->hcon)) {
4106 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
4107 result = L2CAP_CR_SEC_BLOCK;
4111 result = L2CAP_CR_NO_MEM;
4113 /* Check for valid dynamic CID range (as per Erratum 3253) */
4114 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4115 result = L2CAP_CR_INVALID_SCID;
4119 /* Check if we already have channel with that dcid */
4120 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4121 result = L2CAP_CR_SCID_IN_USE;
4125 chan = pchan->ops->new_connection(pchan);
4129 /* For certain devices (ex: HID mouse), support for authentication,
4130 * pairing and bonding is optional. For such devices, inorder to avoid
4131 * the ACL alive for too long after L2CAP disconnection, reset the ACL
4132 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
4134 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4136 bacpy(&chan->src, &conn->hcon->src);
4137 bacpy(&chan->dst, &conn->hcon->dst);
4138 chan->src_type = bdaddr_src_type(conn->hcon);
4139 chan->dst_type = bdaddr_dst_type(conn->hcon);
4142 chan->local_amp_id = amp_id;
4144 __l2cap_chan_add(conn, chan);
4148 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4150 chan->ident = cmd->ident;
4152 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4153 if (l2cap_chan_check_security(chan, false)) {
4154 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4155 l2cap_state_change(chan, BT_CONNECT2);
4156 result = L2CAP_CR_PEND;
4157 status = L2CAP_CS_AUTHOR_PEND;
4158 chan->ops->defer(chan);
4160 /* Force pending result for AMP controllers.
4161 * The connection will succeed after the
4162 * physical link is up.
4164 if (amp_id == AMP_ID_BREDR) {
4165 l2cap_state_change(chan, BT_CONFIG);
4166 result = L2CAP_CR_SUCCESS;
4168 l2cap_state_change(chan, BT_CONNECT2);
4169 result = L2CAP_CR_PEND;
4171 status = L2CAP_CS_NO_INFO;
4174 l2cap_state_change(chan, BT_CONNECT2);
4175 result = L2CAP_CR_PEND;
4176 status = L2CAP_CS_AUTHEN_PEND;
4179 l2cap_state_change(chan, BT_CONNECT2);
4180 result = L2CAP_CR_PEND;
4181 status = L2CAP_CS_NO_INFO;
4185 l2cap_chan_unlock(pchan);
4186 mutex_unlock(&conn->chan_lock);
4187 l2cap_chan_put(pchan);
4190 rsp.scid = cpu_to_le16(scid);
4191 rsp.dcid = cpu_to_le16(dcid);
4192 rsp.result = cpu_to_le16(result);
4193 rsp.status = cpu_to_le16(status);
4194 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4196 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4197 struct l2cap_info_req info;
4198 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4200 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4201 conn->info_ident = l2cap_get_ident(conn);
4203 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4205 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4206 sizeof(info), &info);
4209 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4210 result == L2CAP_CR_SUCCESS) {
4212 set_bit(CONF_REQ_SENT, &chan->conf_state);
4213 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4214 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4215 chan->num_conf_req++;
4221 static int l2cap_connect_req(struct l2cap_conn *conn,
4222 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4224 struct hci_dev *hdev = conn->hcon->hdev;
4225 struct hci_conn *hcon = conn->hcon;
4227 if (cmd_len < sizeof(struct l2cap_conn_req))
4231 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4232 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4233 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
4234 hci_dev_unlock(hdev);
4236 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4240 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4241 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4244 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4245 u16 scid, dcid, result, status;
4246 struct l2cap_chan *chan;
4250 if (cmd_len < sizeof(*rsp))
4253 scid = __le16_to_cpu(rsp->scid);
4254 dcid = __le16_to_cpu(rsp->dcid);
4255 result = __le16_to_cpu(rsp->result);
4256 status = __le16_to_cpu(rsp->status);
4258 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4259 dcid, scid, result, status);
4261 mutex_lock(&conn->chan_lock);
4264 chan = __l2cap_get_chan_by_scid(conn, scid);
4270 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4279 l2cap_chan_lock(chan);
4282 case L2CAP_CR_SUCCESS:
4283 l2cap_state_change(chan, BT_CONFIG);
4286 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4288 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4291 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4292 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4293 chan->num_conf_req++;
4297 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4301 l2cap_chan_del(chan, ECONNREFUSED);
4305 l2cap_chan_unlock(chan);
4308 mutex_unlock(&conn->chan_lock);
4313 static inline void set_default_fcs(struct l2cap_chan *chan)
4315 /* FCS is enabled only in ERTM or streaming mode, if one or both
4318 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4319 chan->fcs = L2CAP_FCS_NONE;
4320 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4321 chan->fcs = L2CAP_FCS_CRC16;
4324 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4325 u8 ident, u16 flags)
4327 struct l2cap_conn *conn = chan->conn;
4329 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4332 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4333 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4335 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4336 l2cap_build_conf_rsp(chan, data,
4337 L2CAP_CONF_SUCCESS, flags), data);
4340 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4343 struct l2cap_cmd_rej_cid rej;
4345 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4346 rej.scid = __cpu_to_le16(scid);
4347 rej.dcid = __cpu_to_le16(dcid);
4349 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4352 static inline int l2cap_config_req(struct l2cap_conn *conn,
4353 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4356 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4359 struct l2cap_chan *chan;
4362 if (cmd_len < sizeof(*req))
4365 dcid = __le16_to_cpu(req->dcid);
4366 flags = __le16_to_cpu(req->flags);
4368 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4370 chan = l2cap_get_chan_by_scid(conn, dcid);
4372 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4376 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4377 chan->state != BT_CONNECTED) {
4378 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4383 /* Reject if config buffer is too small. */
4384 len = cmd_len - sizeof(*req);
4385 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4386 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4387 l2cap_build_conf_rsp(chan, rsp,
4388 L2CAP_CONF_REJECT, flags), rsp);
4393 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4394 chan->conf_len += len;
4396 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4397 /* Incomplete config. Send empty response. */
4398 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4399 l2cap_build_conf_rsp(chan, rsp,
4400 L2CAP_CONF_SUCCESS, flags), rsp);
4404 /* Complete config. */
4405 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4407 l2cap_send_disconn_req(chan, ECONNRESET);
4411 chan->ident = cmd->ident;
4412 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4413 chan->num_conf_rsp++;
4415 /* Reset config buffer. */
4418 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4421 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4422 set_default_fcs(chan);
4424 if (chan->mode == L2CAP_MODE_ERTM ||
4425 chan->mode == L2CAP_MODE_STREAMING)
4426 err = l2cap_ertm_init(chan);
4429 l2cap_send_disconn_req(chan, -err);
4431 l2cap_chan_ready(chan);
4436 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4438 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4439 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4440 chan->num_conf_req++;
4443 /* Got Conf Rsp PENDING from remote side and assume we sent
4444 Conf Rsp PENDING in the code above */
4445 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4446 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4448 /* check compatibility */
4450 /* Send rsp for BR/EDR channel */
4452 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4454 chan->ident = cmd->ident;
4458 l2cap_chan_unlock(chan);
4462 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4463 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4466 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4467 u16 scid, flags, result;
4468 struct l2cap_chan *chan;
4469 int len = cmd_len - sizeof(*rsp);
4472 if (cmd_len < sizeof(*rsp))
4475 scid = __le16_to_cpu(rsp->scid);
4476 flags = __le16_to_cpu(rsp->flags);
4477 result = __le16_to_cpu(rsp->result);
4479 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4482 chan = l2cap_get_chan_by_scid(conn, scid);
4487 case L2CAP_CONF_SUCCESS:
4488 l2cap_conf_rfc_get(chan, rsp->data, len);
4489 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4492 case L2CAP_CONF_PENDING:
4493 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4495 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4498 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4499 buf, sizeof(buf), &result);
4501 l2cap_send_disconn_req(chan, ECONNRESET);
4505 if (!chan->hs_hcon) {
4506 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4509 if (l2cap_check_efs(chan)) {
4510 amp_create_logical_link(chan);
4511 chan->ident = cmd->ident;
4517 case L2CAP_CONF_UNACCEPT:
4518 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4521 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4522 l2cap_send_disconn_req(chan, ECONNRESET);
4526 /* throw out any old stored conf requests */
4527 result = L2CAP_CONF_SUCCESS;
4528 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4529 req, sizeof(req), &result);
4531 l2cap_send_disconn_req(chan, ECONNRESET);
4535 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4536 L2CAP_CONF_REQ, len, req);
4537 chan->num_conf_req++;
4538 if (result != L2CAP_CONF_SUCCESS)
4545 l2cap_chan_set_err(chan, ECONNRESET);
4547 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4548 l2cap_send_disconn_req(chan, ECONNRESET);
4552 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4555 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4557 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4558 set_default_fcs(chan);
4560 if (chan->mode == L2CAP_MODE_ERTM ||
4561 chan->mode == L2CAP_MODE_STREAMING)
4562 err = l2cap_ertm_init(chan);
4565 l2cap_send_disconn_req(chan, -err);
4567 l2cap_chan_ready(chan);
4571 l2cap_chan_unlock(chan);
4575 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4576 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4579 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4580 struct l2cap_disconn_rsp rsp;
4582 struct l2cap_chan *chan;
4584 if (cmd_len != sizeof(*req))
4587 scid = __le16_to_cpu(req->scid);
4588 dcid = __le16_to_cpu(req->dcid);
4590 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4592 mutex_lock(&conn->chan_lock);
4594 chan = __l2cap_get_chan_by_scid(conn, dcid);
4596 mutex_unlock(&conn->chan_lock);
4597 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4601 l2cap_chan_hold(chan);
4602 l2cap_chan_lock(chan);
4604 rsp.dcid = cpu_to_le16(chan->scid);
4605 rsp.scid = cpu_to_le16(chan->dcid);
4606 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4608 chan->ops->set_shutdown(chan);
4610 l2cap_chan_del(chan, ECONNRESET);
4612 chan->ops->close(chan);
4614 l2cap_chan_unlock(chan);
4615 l2cap_chan_put(chan);
4617 mutex_unlock(&conn->chan_lock);
4622 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4623 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4626 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4628 struct l2cap_chan *chan;
4630 if (cmd_len != sizeof(*rsp))
4633 scid = __le16_to_cpu(rsp->scid);
4634 dcid = __le16_to_cpu(rsp->dcid);
4636 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4638 mutex_lock(&conn->chan_lock);
4640 chan = __l2cap_get_chan_by_scid(conn, scid);
4642 mutex_unlock(&conn->chan_lock);
4646 l2cap_chan_hold(chan);
4647 l2cap_chan_lock(chan);
4649 if (chan->state != BT_DISCONN) {
4650 l2cap_chan_unlock(chan);
4651 l2cap_chan_put(chan);
4652 mutex_unlock(&conn->chan_lock);
4656 l2cap_chan_del(chan, 0);
4658 chan->ops->close(chan);
4660 l2cap_chan_unlock(chan);
4661 l2cap_chan_put(chan);
4663 mutex_unlock(&conn->chan_lock);
4668 static inline int l2cap_information_req(struct l2cap_conn *conn,
4669 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4672 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4675 if (cmd_len != sizeof(*req))
4678 type = __le16_to_cpu(req->type);
4680 BT_DBG("type 0x%4.4x", type);
4682 if (type == L2CAP_IT_FEAT_MASK) {
4684 u32 feat_mask = l2cap_feat_mask;
4685 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4686 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4687 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4689 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4691 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4692 feat_mask |= L2CAP_FEAT_EXT_FLOW
4693 | L2CAP_FEAT_EXT_WINDOW;
4695 put_unaligned_le32(feat_mask, rsp->data);
4696 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4698 } else if (type == L2CAP_IT_FIXED_CHAN) {
4700 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4702 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4703 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4704 rsp->data[0] = conn->local_fixed_chan;
4705 memset(rsp->data + 1, 0, 7);
4706 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4709 struct l2cap_info_rsp rsp;
4710 rsp.type = cpu_to_le16(type);
4711 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4712 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4719 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4720 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4723 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4726 if (cmd_len < sizeof(*rsp))
4729 type = __le16_to_cpu(rsp->type);
4730 result = __le16_to_cpu(rsp->result);
4732 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4734 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4735 if (cmd->ident != conn->info_ident ||
4736 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4739 cancel_delayed_work(&conn->info_timer);
4741 if (result != L2CAP_IR_SUCCESS) {
4742 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4743 conn->info_ident = 0;
4745 l2cap_conn_start(conn);
4751 case L2CAP_IT_FEAT_MASK:
4752 conn->feat_mask = get_unaligned_le32(rsp->data);
4754 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4755 struct l2cap_info_req req;
4756 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4758 conn->info_ident = l2cap_get_ident(conn);
4760 l2cap_send_cmd(conn, conn->info_ident,
4761 L2CAP_INFO_REQ, sizeof(req), &req);
4763 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4764 conn->info_ident = 0;
4766 l2cap_conn_start(conn);
4770 case L2CAP_IT_FIXED_CHAN:
4771 conn->remote_fixed_chan = rsp->data[0];
4772 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4773 conn->info_ident = 0;
4775 l2cap_conn_start(conn);
4782 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4783 struct l2cap_cmd_hdr *cmd,
4784 u16 cmd_len, void *data)
4786 struct l2cap_create_chan_req *req = data;
4787 struct l2cap_create_chan_rsp rsp;
4788 struct l2cap_chan *chan;
4789 struct hci_dev *hdev;
4792 if (cmd_len != sizeof(*req))
4795 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4798 psm = le16_to_cpu(req->psm);
4799 scid = le16_to_cpu(req->scid);
4801 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4803 /* For controller id 0 make BR/EDR connection */
4804 if (req->amp_id == AMP_ID_BREDR) {
4805 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4810 /* Validate AMP controller id */
4811 hdev = hci_dev_get(req->amp_id);
4815 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4820 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4823 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4824 struct hci_conn *hs_hcon;
4826 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4830 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4835 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4837 mgr->bredr_chan = chan;
4838 chan->hs_hcon = hs_hcon;
4839 chan->fcs = L2CAP_FCS_NONE;
4840 conn->mtu = hdev->block_mtu;
4849 rsp.scid = cpu_to_le16(scid);
4850 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4851 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4853 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4859 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4861 struct l2cap_move_chan_req req;
4864 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4866 ident = l2cap_get_ident(chan->conn);
4867 chan->ident = ident;
4869 req.icid = cpu_to_le16(chan->scid);
4870 req.dest_amp_id = dest_amp_id;
4872 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4875 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4878 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4880 struct l2cap_move_chan_rsp rsp;
4882 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4884 rsp.icid = cpu_to_le16(chan->dcid);
4885 rsp.result = cpu_to_le16(result);
4887 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4891 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4893 struct l2cap_move_chan_cfm cfm;
4895 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4897 chan->ident = l2cap_get_ident(chan->conn);
4899 cfm.icid = cpu_to_le16(chan->scid);
4900 cfm.result = cpu_to_le16(result);
4902 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4905 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4908 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4910 struct l2cap_move_chan_cfm cfm;
4912 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4914 cfm.icid = cpu_to_le16(icid);
4915 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4917 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4921 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4924 struct l2cap_move_chan_cfm_rsp rsp;
4926 BT_DBG("icid 0x%4.4x", icid);
4928 rsp.icid = cpu_to_le16(icid);
4929 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4932 static void __release_logical_link(struct l2cap_chan *chan)
4934 chan->hs_hchan = NULL;
4935 chan->hs_hcon = NULL;
4937 /* Placeholder - release the logical link */
4940 static void l2cap_logical_fail(struct l2cap_chan *chan)
4942 /* Logical link setup failed */
4943 if (chan->state != BT_CONNECTED) {
4944 /* Create channel failure, disconnect */
4945 l2cap_send_disconn_req(chan, ECONNRESET);
4949 switch (chan->move_role) {
4950 case L2CAP_MOVE_ROLE_RESPONDER:
4951 l2cap_move_done(chan);
4952 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4954 case L2CAP_MOVE_ROLE_INITIATOR:
4955 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4956 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4957 /* Remote has only sent pending or
4958 * success responses, clean up
4960 l2cap_move_done(chan);
4963 /* Other amp move states imply that the move
4964 * has already aborted
4966 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4971 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4972 struct hci_chan *hchan)
4974 struct l2cap_conf_rsp rsp;
4976 chan->hs_hchan = hchan;
4977 chan->hs_hcon->l2cap_data = chan->conn;
4979 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4981 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4984 set_default_fcs(chan);
4986 err = l2cap_ertm_init(chan);
4988 l2cap_send_disconn_req(chan, -err);
4990 l2cap_chan_ready(chan);
4994 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4995 struct hci_chan *hchan)
4997 chan->hs_hcon = hchan->conn;
4998 chan->hs_hcon->l2cap_data = chan->conn;
5000 BT_DBG("move_state %d", chan->move_state);
5002 switch (chan->move_state) {
5003 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5004 /* Move confirm will be sent after a success
5005 * response is received
5007 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5009 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
5010 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5011 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5012 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5013 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5014 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5015 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5016 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5017 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5021 /* Move was not in expected state, free the channel */
5022 __release_logical_link(chan);
5024 chan->move_state = L2CAP_MOVE_STABLE;
5028 /* Call with chan locked */
5029 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
5032 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
5035 l2cap_logical_fail(chan);
5036 __release_logical_link(chan);
5040 if (chan->state != BT_CONNECTED) {
5041 /* Ignore logical link if channel is on BR/EDR */
5042 if (chan->local_amp_id != AMP_ID_BREDR)
5043 l2cap_logical_finish_create(chan, hchan);
5045 l2cap_logical_finish_move(chan, hchan);
5049 void l2cap_move_start(struct l2cap_chan *chan)
5051 BT_DBG("chan %p", chan);
5053 if (chan->local_amp_id == AMP_ID_BREDR) {
5054 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
5056 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5057 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5058 /* Placeholder - start physical link setup */
5060 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5061 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5063 l2cap_move_setup(chan);
5064 l2cap_send_move_chan_req(chan, 0);
5068 static void l2cap_do_create(struct l2cap_chan *chan, int result,
5069 u8 local_amp_id, u8 remote_amp_id)
5071 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
5072 local_amp_id, remote_amp_id);
5074 chan->fcs = L2CAP_FCS_NONE;
5076 /* Outgoing channel on AMP */
5077 if (chan->state == BT_CONNECT) {
5078 if (result == L2CAP_CR_SUCCESS) {
5079 chan->local_amp_id = local_amp_id;
5080 l2cap_send_create_chan_req(chan, remote_amp_id);
5082 /* Revert to BR/EDR connect */
5083 l2cap_send_conn_req(chan);
5089 /* Incoming channel on AMP */
5090 if (__l2cap_no_conn_pending(chan)) {
5091 struct l2cap_conn_rsp rsp;
5093 rsp.scid = cpu_to_le16(chan->dcid);
5094 rsp.dcid = cpu_to_le16(chan->scid);
5096 if (result == L2CAP_CR_SUCCESS) {
5097 /* Send successful response */
5098 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
5099 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5101 /* Send negative response */
5102 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
5103 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5106 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
5109 if (result == L2CAP_CR_SUCCESS) {
5110 l2cap_state_change(chan, BT_CONFIG);
5111 set_bit(CONF_REQ_SENT, &chan->conf_state);
5112 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
5114 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
5115 chan->num_conf_req++;
5120 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
5123 l2cap_move_setup(chan);
5124 chan->move_id = local_amp_id;
5125 chan->move_state = L2CAP_MOVE_WAIT_RSP;
5127 l2cap_send_move_chan_req(chan, remote_amp_id);
5130 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
5132 struct hci_chan *hchan = NULL;
5134 /* Placeholder - get hci_chan for logical link */
5137 if (hchan->state == BT_CONNECTED) {
5138 /* Logical link is ready to go */
5139 chan->hs_hcon = hchan->conn;
5140 chan->hs_hcon->l2cap_data = chan->conn;
5141 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5142 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5144 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5146 /* Wait for logical link to be ready */
5147 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5150 /* Logical link not available */
5151 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5155 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5157 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5159 if (result == -EINVAL)
5160 rsp_result = L2CAP_MR_BAD_ID;
5162 rsp_result = L2CAP_MR_NOT_ALLOWED;
5164 l2cap_send_move_chan_rsp(chan, rsp_result);
5167 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5168 chan->move_state = L2CAP_MOVE_STABLE;
5170 /* Restart data transmission */
5171 l2cap_ertm_send(chan);
5174 /* Invoke with locked chan */
5175 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5177 u8 local_amp_id = chan->local_amp_id;
5178 u8 remote_amp_id = chan->remote_amp_id;
5180 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5181 chan, result, local_amp_id, remote_amp_id);
5183 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
5186 if (chan->state != BT_CONNECTED) {
5187 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5188 } else if (result != L2CAP_MR_SUCCESS) {
5189 l2cap_do_move_cancel(chan, result);
5191 switch (chan->move_role) {
5192 case L2CAP_MOVE_ROLE_INITIATOR:
5193 l2cap_do_move_initiate(chan, local_amp_id,
5196 case L2CAP_MOVE_ROLE_RESPONDER:
5197 l2cap_do_move_respond(chan, result);
5200 l2cap_do_move_cancel(chan, result);
5206 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5207 struct l2cap_cmd_hdr *cmd,
5208 u16 cmd_len, void *data)
5210 struct l2cap_move_chan_req *req = data;
5211 struct l2cap_move_chan_rsp rsp;
5212 struct l2cap_chan *chan;
5214 u16 result = L2CAP_MR_NOT_ALLOWED;
5216 if (cmd_len != sizeof(*req))
5219 icid = le16_to_cpu(req->icid);
5221 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5223 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
5226 chan = l2cap_get_chan_by_dcid(conn, icid);
5228 rsp.icid = cpu_to_le16(icid);
5229 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5230 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5235 chan->ident = cmd->ident;
5237 if (chan->scid < L2CAP_CID_DYN_START ||
5238 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5239 (chan->mode != L2CAP_MODE_ERTM &&
5240 chan->mode != L2CAP_MODE_STREAMING)) {
5241 result = L2CAP_MR_NOT_ALLOWED;
5242 goto send_move_response;
5245 if (chan->local_amp_id == req->dest_amp_id) {
5246 result = L2CAP_MR_SAME_ID;
5247 goto send_move_response;
5250 if (req->dest_amp_id != AMP_ID_BREDR) {
5251 struct hci_dev *hdev;
5252 hdev = hci_dev_get(req->dest_amp_id);
5253 if (!hdev || hdev->dev_type != HCI_AMP ||
5254 !test_bit(HCI_UP, &hdev->flags)) {
5258 result = L2CAP_MR_BAD_ID;
5259 goto send_move_response;
5264 /* Detect a move collision. Only send a collision response
5265 * if this side has "lost", otherwise proceed with the move.
5266 * The winner has the larger bd_addr.
5268 if ((__chan_is_moving(chan) ||
5269 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5270 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5271 result = L2CAP_MR_COLLISION;
5272 goto send_move_response;
5275 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5276 l2cap_move_setup(chan);
5277 chan->move_id = req->dest_amp_id;
5279 if (req->dest_amp_id == AMP_ID_BREDR) {
5280 /* Moving to BR/EDR */
5281 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5282 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5283 result = L2CAP_MR_PEND;
5285 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5286 result = L2CAP_MR_SUCCESS;
5289 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5290 /* Placeholder - uncomment when amp functions are available */
5291 /*amp_accept_physical(chan, req->dest_amp_id);*/
5292 result = L2CAP_MR_PEND;
5296 l2cap_send_move_chan_rsp(chan, result);
5298 l2cap_chan_unlock(chan);
5303 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5305 struct l2cap_chan *chan;
5306 struct hci_chan *hchan = NULL;
5308 chan = l2cap_get_chan_by_scid(conn, icid);
5310 l2cap_send_move_chan_cfm_icid(conn, icid);
5314 __clear_chan_timer(chan);
5315 if (result == L2CAP_MR_PEND)
5316 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5318 switch (chan->move_state) {
5319 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5320 /* Move confirm will be sent when logical link
5323 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5325 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5326 if (result == L2CAP_MR_PEND) {
5328 } else if (test_bit(CONN_LOCAL_BUSY,
5329 &chan->conn_state)) {
5330 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5332 /* Logical link is up or moving to BR/EDR,
5335 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5336 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5339 case L2CAP_MOVE_WAIT_RSP:
5341 if (result == L2CAP_MR_SUCCESS) {
5342 /* Remote is ready, send confirm immediately
5343 * after logical link is ready
5345 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5347 /* Both logical link and move success
5348 * are required to confirm
5350 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5353 /* Placeholder - get hci_chan for logical link */
5355 /* Logical link not available */
5356 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5360 /* If the logical link is not yet connected, do not
5361 * send confirmation.
5363 if (hchan->state != BT_CONNECTED)
5366 /* Logical link is already ready to go */
5368 chan->hs_hcon = hchan->conn;
5369 chan->hs_hcon->l2cap_data = chan->conn;
5371 if (result == L2CAP_MR_SUCCESS) {
5372 /* Can confirm now */
5373 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5375 /* Now only need move success
5378 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5381 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5384 /* Any other amp move state means the move failed. */
5385 chan->move_id = chan->local_amp_id;
5386 l2cap_move_done(chan);
5387 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5390 l2cap_chan_unlock(chan);
5393 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5396 struct l2cap_chan *chan;
5398 chan = l2cap_get_chan_by_ident(conn, ident);
5400 /* Could not locate channel, icid is best guess */
5401 l2cap_send_move_chan_cfm_icid(conn, icid);
5405 __clear_chan_timer(chan);
5407 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5408 if (result == L2CAP_MR_COLLISION) {
5409 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5411 /* Cleanup - cancel move */
5412 chan->move_id = chan->local_amp_id;
5413 l2cap_move_done(chan);
5417 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5419 l2cap_chan_unlock(chan);
5422 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5423 struct l2cap_cmd_hdr *cmd,
5424 u16 cmd_len, void *data)
5426 struct l2cap_move_chan_rsp *rsp = data;
5429 if (cmd_len != sizeof(*rsp))
5432 icid = le16_to_cpu(rsp->icid);
5433 result = le16_to_cpu(rsp->result);
5435 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5437 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5438 l2cap_move_continue(conn, icid, result);
5440 l2cap_move_fail(conn, cmd->ident, icid, result);
5445 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5446 struct l2cap_cmd_hdr *cmd,
5447 u16 cmd_len, void *data)
5449 struct l2cap_move_chan_cfm *cfm = data;
5450 struct l2cap_chan *chan;
5453 if (cmd_len != sizeof(*cfm))
5456 icid = le16_to_cpu(cfm->icid);
5457 result = le16_to_cpu(cfm->result);
5459 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5461 chan = l2cap_get_chan_by_dcid(conn, icid);
5463 /* Spec requires a response even if the icid was not found */
5464 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5468 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5469 if (result == L2CAP_MC_CONFIRMED) {
5470 chan->local_amp_id = chan->move_id;
5471 if (chan->local_amp_id == AMP_ID_BREDR)
5472 __release_logical_link(chan);
5474 chan->move_id = chan->local_amp_id;
5477 l2cap_move_done(chan);
5480 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5482 l2cap_chan_unlock(chan);
5487 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5488 struct l2cap_cmd_hdr *cmd,
5489 u16 cmd_len, void *data)
5491 struct l2cap_move_chan_cfm_rsp *rsp = data;
5492 struct l2cap_chan *chan;
5495 if (cmd_len != sizeof(*rsp))
5498 icid = le16_to_cpu(rsp->icid);
5500 BT_DBG("icid 0x%4.4x", icid);
5502 chan = l2cap_get_chan_by_scid(conn, icid);
5506 __clear_chan_timer(chan);
5508 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5509 chan->local_amp_id = chan->move_id;
5511 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5512 __release_logical_link(chan);
5514 l2cap_move_done(chan);
5517 l2cap_chan_unlock(chan);
5522 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5523 struct l2cap_cmd_hdr *cmd,
5524 u16 cmd_len, u8 *data)
5526 struct hci_conn *hcon = conn->hcon;
5527 struct l2cap_conn_param_update_req *req;
5528 struct l2cap_conn_param_update_rsp rsp;
5529 u16 min, max, latency, to_multiplier;
5532 if (hcon->role != HCI_ROLE_MASTER)
5535 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5538 req = (struct l2cap_conn_param_update_req *) data;
5539 min = __le16_to_cpu(req->min);
5540 max = __le16_to_cpu(req->max);
5541 latency = __le16_to_cpu(req->latency);
5542 to_multiplier = __le16_to_cpu(req->to_multiplier);
5544 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5545 min, max, latency, to_multiplier);
5547 memset(&rsp, 0, sizeof(rsp));
5549 err = hci_check_conn_params(min, max, latency, to_multiplier);
5551 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5553 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5555 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5561 store_hint = hci_le_conn_update(hcon, min, max, latency,
5563 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5564 store_hint, min, max, latency,
5572 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5573 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5576 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5577 struct hci_conn *hcon = conn->hcon;
5578 u16 dcid, mtu, mps, credits, result;
5579 struct l2cap_chan *chan;
5582 if (cmd_len < sizeof(*rsp))
5585 dcid = __le16_to_cpu(rsp->dcid);
5586 mtu = __le16_to_cpu(rsp->mtu);
5587 mps = __le16_to_cpu(rsp->mps);
5588 credits = __le16_to_cpu(rsp->credits);
5589 result = __le16_to_cpu(rsp->result);
5591 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5592 dcid < L2CAP_CID_DYN_START ||
5593 dcid > L2CAP_CID_LE_DYN_END))
5596 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5597 dcid, mtu, mps, credits, result);
5599 mutex_lock(&conn->chan_lock);
5601 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5609 l2cap_chan_lock(chan);
5612 case L2CAP_CR_LE_SUCCESS:
5613 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5621 chan->remote_mps = mps;
5622 chan->tx_credits = credits;
5623 l2cap_chan_ready(chan);
5626 case L2CAP_CR_LE_AUTHENTICATION:
5627 case L2CAP_CR_LE_ENCRYPTION:
5628 /* If we already have MITM protection we can't do
5631 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5632 l2cap_chan_del(chan, ECONNREFUSED);
5636 sec_level = hcon->sec_level + 1;
5637 if (chan->sec_level < sec_level)
5638 chan->sec_level = sec_level;
5640 /* We'll need to send a new Connect Request */
5641 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5643 smp_conn_security(hcon, chan->sec_level);
5647 l2cap_chan_del(chan, ECONNREFUSED);
5651 l2cap_chan_unlock(chan);
5654 mutex_unlock(&conn->chan_lock);
5659 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5660 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5665 switch (cmd->code) {
5666 case L2CAP_COMMAND_REJ:
5667 l2cap_command_rej(conn, cmd, cmd_len, data);
5670 case L2CAP_CONN_REQ:
5671 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5674 case L2CAP_CONN_RSP:
5675 case L2CAP_CREATE_CHAN_RSP:
5676 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5679 case L2CAP_CONF_REQ:
5680 err = l2cap_config_req(conn, cmd, cmd_len, data);
5683 case L2CAP_CONF_RSP:
5684 l2cap_config_rsp(conn, cmd, cmd_len, data);
5687 case L2CAP_DISCONN_REQ:
5688 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5691 case L2CAP_DISCONN_RSP:
5692 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5695 case L2CAP_ECHO_REQ:
5696 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5699 case L2CAP_ECHO_RSP:
5702 case L2CAP_INFO_REQ:
5703 err = l2cap_information_req(conn, cmd, cmd_len, data);
5706 case L2CAP_INFO_RSP:
5707 l2cap_information_rsp(conn, cmd, cmd_len, data);
5710 case L2CAP_CREATE_CHAN_REQ:
5711 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5714 case L2CAP_MOVE_CHAN_REQ:
5715 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5718 case L2CAP_MOVE_CHAN_RSP:
5719 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5722 case L2CAP_MOVE_CHAN_CFM:
5723 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5726 case L2CAP_MOVE_CHAN_CFM_RSP:
5727 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5731 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5739 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5740 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5743 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5744 struct l2cap_le_conn_rsp rsp;
5745 struct l2cap_chan *chan, *pchan;
5746 u16 dcid, scid, credits, mtu, mps;
5750 if (cmd_len != sizeof(*req))
5753 scid = __le16_to_cpu(req->scid);
5754 mtu = __le16_to_cpu(req->mtu);
5755 mps = __le16_to_cpu(req->mps);
5760 if (mtu < 23 || mps < 23)
5763 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5766 /* Check if we have socket listening on psm */
5767 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5768 &conn->hcon->dst, LE_LINK);
5770 result = L2CAP_CR_LE_BAD_PSM;
5775 mutex_lock(&conn->chan_lock);
5776 l2cap_chan_lock(pchan);
5778 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5780 result = L2CAP_CR_LE_AUTHENTICATION;
5782 goto response_unlock;
5785 /* Check for valid dynamic CID range */
5786 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5787 result = L2CAP_CR_LE_INVALID_SCID;
5789 goto response_unlock;
5792 /* Check if we already have channel with that dcid */
5793 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5794 result = L2CAP_CR_LE_SCID_IN_USE;
5796 goto response_unlock;
5799 chan = pchan->ops->new_connection(pchan);
5801 result = L2CAP_CR_LE_NO_MEM;
5802 goto response_unlock;
5805 bacpy(&chan->src, &conn->hcon->src);
5806 bacpy(&chan->dst, &conn->hcon->dst);
5807 chan->src_type = bdaddr_src_type(conn->hcon);
5808 chan->dst_type = bdaddr_dst_type(conn->hcon);
5812 chan->remote_mps = mps;
5814 __l2cap_chan_add(conn, chan);
5816 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5819 credits = chan->rx_credits;
5821 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5823 chan->ident = cmd->ident;
5825 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5826 l2cap_state_change(chan, BT_CONNECT2);
5827 /* The following result value is actually not defined
5828 * for LE CoC but we use it to let the function know
5829 * that it should bail out after doing its cleanup
5830 * instead of sending a response.
5832 result = L2CAP_CR_PEND;
5833 chan->ops->defer(chan);
5835 l2cap_chan_ready(chan);
5836 result = L2CAP_CR_LE_SUCCESS;
5840 l2cap_chan_unlock(pchan);
5841 mutex_unlock(&conn->chan_lock);
5842 l2cap_chan_put(pchan);
5844 if (result == L2CAP_CR_PEND)
5849 rsp.mtu = cpu_to_le16(chan->imtu);
5850 rsp.mps = cpu_to_le16(chan->mps);
5856 rsp.dcid = cpu_to_le16(dcid);
5857 rsp.credits = cpu_to_le16(credits);
5858 rsp.result = cpu_to_le16(result);
5860 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5865 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5866 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5869 struct l2cap_le_credits *pkt;
5870 struct l2cap_chan *chan;
5871 u16 cid, credits, max_credits;
5873 if (cmd_len != sizeof(*pkt))
5876 pkt = (struct l2cap_le_credits *) data;
5877 cid = __le16_to_cpu(pkt->cid);
5878 credits = __le16_to_cpu(pkt->credits);
5880 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5882 chan = l2cap_get_chan_by_dcid(conn, cid);
5886 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5887 if (credits > max_credits) {
5888 BT_ERR("LE credits overflow");
5889 l2cap_send_disconn_req(chan, ECONNRESET);
5890 l2cap_chan_unlock(chan);
5892 /* Return 0 so that we don't trigger an unnecessary
5893 * command reject packet.
5898 chan->tx_credits += credits;
5900 /* Resume sending */
5901 l2cap_le_flowctl_send(chan);
5903 if (chan->tx_credits)
5904 chan->ops->resume(chan);
5906 l2cap_chan_unlock(chan);
5911 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5912 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5915 struct l2cap_ecred_conn_req *req = (void *) data;
5917 struct l2cap_ecred_conn_rsp rsp;
5920 struct l2cap_chan *chan, *pchan;
5930 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
5931 result = L2CAP_CR_LE_INVALID_PARAMS;
5935 mtu = __le16_to_cpu(req->mtu);
5936 mps = __le16_to_cpu(req->mps);
5938 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5939 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5945 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5947 memset(&pdu, 0, sizeof(pdu));
5949 /* Check if we have socket listening on psm */
5950 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5951 &conn->hcon->dst, LE_LINK);
5953 result = L2CAP_CR_LE_BAD_PSM;
5957 mutex_lock(&conn->chan_lock);
5958 l2cap_chan_lock(pchan);
5960 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5962 result = L2CAP_CR_LE_AUTHENTICATION;
5966 result = L2CAP_CR_LE_SUCCESS;
5967 cmd_len -= sizeof(req);
5968 num_scid = cmd_len / sizeof(u16);
5970 for (i = 0; i < num_scid; i++) {
5971 u16 scid = __le16_to_cpu(req->scid[i]);
5973 BT_DBG("scid[%d] 0x%4.4x", i, scid);
5975 pdu.dcid[i] = 0x0000;
5976 len += sizeof(*pdu.dcid);
5978 /* Check for valid dynamic CID range */
5979 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5980 result = L2CAP_CR_LE_INVALID_SCID;
5984 /* Check if we already have channel with that dcid */
5985 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5986 result = L2CAP_CR_LE_SCID_IN_USE;
5990 chan = pchan->ops->new_connection(pchan);
5992 result = L2CAP_CR_LE_NO_MEM;
5996 bacpy(&chan->src, &conn->hcon->src);
5997 bacpy(&chan->dst, &conn->hcon->dst);
5998 chan->src_type = bdaddr_src_type(conn->hcon);
5999 chan->dst_type = bdaddr_dst_type(conn->hcon);
6003 chan->remote_mps = mps;
6005 __l2cap_chan_add(conn, chan);
6007 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6010 if (!pdu.rsp.credits) {
6011 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6012 pdu.rsp.mps = cpu_to_le16(chan->mps);
6013 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6016 pdu.dcid[i] = cpu_to_le16(chan->scid);
6018 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6020 chan->ident = cmd->ident;
6022 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6023 l2cap_state_change(chan, BT_CONNECT2);
6025 chan->ops->defer(chan);
6027 l2cap_chan_ready(chan);
6032 l2cap_chan_unlock(pchan);
6033 mutex_unlock(&conn->chan_lock);
6034 l2cap_chan_put(pchan);
6037 pdu.rsp.result = cpu_to_le16(result);
6042 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6043 sizeof(pdu.rsp) + len, &pdu);
6048 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6049 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6052 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6053 struct hci_conn *hcon = conn->hcon;
6054 u16 mtu, mps, credits, result;
6055 struct l2cap_chan *chan;
6056 int err = 0, sec_level;
6059 if (cmd_len < sizeof(*rsp))
6062 mtu = __le16_to_cpu(rsp->mtu);
6063 mps = __le16_to_cpu(rsp->mps);
6064 credits = __le16_to_cpu(rsp->credits);
6065 result = __le16_to_cpu(rsp->result);
6067 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6070 mutex_lock(&conn->chan_lock);
6072 cmd_len -= sizeof(*rsp);
6074 list_for_each_entry(chan, &conn->chan_l, list) {
6077 if (chan->ident != cmd->ident ||
6078 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6079 chan->state == BT_CONNECTED)
6082 l2cap_chan_lock(chan);
6084 /* Check that there is a dcid for each pending channel */
6085 if (cmd_len < sizeof(dcid)) {
6086 l2cap_chan_del(chan, ECONNREFUSED);
6087 l2cap_chan_unlock(chan);
6091 dcid = __le16_to_cpu(rsp->dcid[i++]);
6092 cmd_len -= sizeof(u16);
6094 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6096 /* Check if dcid is already in use */
6097 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6098 /* If a device receives a
6099 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
6100 * already-assigned Destination CID, then both the
6101 * original channel and the new channel shall be
6102 * immediately discarded and not used.
6104 l2cap_chan_del(chan, ECONNREFUSED);
6105 l2cap_chan_unlock(chan);
6106 chan = __l2cap_get_chan_by_dcid(conn, dcid);
6107 l2cap_chan_lock(chan);
6108 l2cap_chan_del(chan, ECONNRESET);
6109 l2cap_chan_unlock(chan);
6114 case L2CAP_CR_LE_AUTHENTICATION:
6115 case L2CAP_CR_LE_ENCRYPTION:
6116 /* If we already have MITM protection we can't do
6119 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6120 l2cap_chan_del(chan, ECONNREFUSED);
6124 sec_level = hcon->sec_level + 1;
6125 if (chan->sec_level < sec_level)
6126 chan->sec_level = sec_level;
6128 /* We'll need to send a new Connect Request */
6129 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6131 smp_conn_security(hcon, chan->sec_level);
6134 case L2CAP_CR_LE_BAD_PSM:
6135 l2cap_chan_del(chan, ECONNREFUSED);
6139 /* If dcid was not set it means channels was refused */
6141 l2cap_chan_del(chan, ECONNREFUSED);
6148 chan->remote_mps = mps;
6149 chan->tx_credits = credits;
6150 l2cap_chan_ready(chan);
6154 l2cap_chan_unlock(chan);
6157 mutex_unlock(&conn->chan_lock);
6162 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6163 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6166 struct l2cap_ecred_reconf_req *req = (void *) data;
6167 struct l2cap_ecred_reconf_rsp rsp;
6168 u16 mtu, mps, result;
6169 struct l2cap_chan *chan;
6175 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6176 result = L2CAP_CR_LE_INVALID_PARAMS;
6180 mtu = __le16_to_cpu(req->mtu);
6181 mps = __le16_to_cpu(req->mps);
6183 BT_DBG("mtu %u mps %u", mtu, mps);
6185 if (mtu < L2CAP_ECRED_MIN_MTU) {
6186 result = L2CAP_RECONF_INVALID_MTU;
6190 if (mps < L2CAP_ECRED_MIN_MPS) {
6191 result = L2CAP_RECONF_INVALID_MPS;
6195 cmd_len -= sizeof(*req);
6196 num_scid = cmd_len / sizeof(u16);
6197 result = L2CAP_RECONF_SUCCESS;
6199 for (i = 0; i < num_scid; i++) {
6202 scid = __le16_to_cpu(req->scid[i]);
6206 chan = __l2cap_get_chan_by_dcid(conn, scid);
6210 /* If the MTU value is decreased for any of the included
6211 * channels, then the receiver shall disconnect all
6212 * included channels.
6214 if (chan->omtu > mtu) {
6215 BT_ERR("chan %p decreased MTU %u -> %u", chan,
6217 result = L2CAP_RECONF_INVALID_MTU;
6221 chan->remote_mps = mps;
6225 rsp.result = cpu_to_le16(result);
6227 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6233 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6234 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6237 struct l2cap_chan *chan;
6238 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6241 if (cmd_len < sizeof(*rsp))
6244 result = __le16_to_cpu(rsp->result);
6246 BT_DBG("result 0x%4.4x", rsp->result);
6251 list_for_each_entry(chan, &conn->chan_l, list) {
6252 if (chan->ident != cmd->ident)
6255 l2cap_chan_del(chan, ECONNRESET);
6261 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
6262 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6265 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
6266 struct l2cap_chan *chan;
6268 if (cmd_len < sizeof(*rej))
6271 mutex_lock(&conn->chan_lock);
6273 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
6277 l2cap_chan_lock(chan);
6278 l2cap_chan_del(chan, ECONNREFUSED);
6279 l2cap_chan_unlock(chan);
6282 mutex_unlock(&conn->chan_lock);
6286 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
6287 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6292 switch (cmd->code) {
6293 case L2CAP_COMMAND_REJ:
6294 l2cap_le_command_rej(conn, cmd, cmd_len, data);
6297 case L2CAP_CONN_PARAM_UPDATE_REQ:
6298 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
6301 case L2CAP_CONN_PARAM_UPDATE_RSP:
6304 case L2CAP_LE_CONN_RSP:
6305 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
6308 case L2CAP_LE_CONN_REQ:
6309 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
6312 case L2CAP_LE_CREDITS:
6313 err = l2cap_le_credits(conn, cmd, cmd_len, data);
6316 case L2CAP_ECRED_CONN_REQ:
6317 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6320 case L2CAP_ECRED_CONN_RSP:
6321 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6324 case L2CAP_ECRED_RECONF_REQ:
6325 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6328 case L2CAP_ECRED_RECONF_RSP:
6329 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
6332 case L2CAP_DISCONN_REQ:
6333 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
6336 case L2CAP_DISCONN_RSP:
6337 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
6341 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
6349 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
6350 struct sk_buff *skb)
6352 struct hci_conn *hcon = conn->hcon;
6353 struct l2cap_cmd_hdr *cmd;
6357 if (hcon->type != LE_LINK)
6360 if (skb->len < L2CAP_CMD_HDR_SIZE)
6363 cmd = (void *) skb->data;
6364 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6366 len = le16_to_cpu(cmd->len);
6368 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
6370 if (len != skb->len || !cmd->ident) {
6371 BT_DBG("corrupted command");
6375 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
6377 struct l2cap_cmd_rej_unk rej;
6379 BT_ERR("Wrong link type (%d)", err);
6381 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6382 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6390 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
6391 struct sk_buff *skb)
6393 struct hci_conn *hcon = conn->hcon;
6394 struct l2cap_cmd_hdr *cmd;
6397 l2cap_raw_recv(conn, skb);
6399 if (hcon->type != ACL_LINK)
6402 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6405 cmd = (void *) skb->data;
6406 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6408 len = le16_to_cpu(cmd->len);
6410 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6413 if (len > skb->len || !cmd->ident) {
6414 BT_DBG("corrupted command");
6418 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
6420 struct l2cap_cmd_rej_unk rej;
6422 BT_ERR("Wrong link type (%d)", err);
6424 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6425 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6436 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
6438 u16 our_fcs, rcv_fcs;
6441 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
6442 hdr_size = L2CAP_EXT_HDR_SIZE;
6444 hdr_size = L2CAP_ENH_HDR_SIZE;
6446 if (chan->fcs == L2CAP_FCS_CRC16) {
6447 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
6448 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
6449 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
6451 if (our_fcs != rcv_fcs)
6457 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
6459 struct l2cap_ctrl control;
6461 BT_DBG("chan %p", chan);
6463 memset(&control, 0, sizeof(control));
6466 control.reqseq = chan->buffer_seq;
6467 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6469 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6470 control.super = L2CAP_SUPER_RNR;
6471 l2cap_send_sframe(chan, &control);
6474 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6475 chan->unacked_frames > 0)
6476 __set_retrans_timer(chan);
6478 /* Send pending iframes */
6479 l2cap_ertm_send(chan);
6481 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6482 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
6483 /* F-bit wasn't sent in an s-frame or i-frame yet, so
6486 control.super = L2CAP_SUPER_RR;
6487 l2cap_send_sframe(chan, &control);
6491 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
6492 struct sk_buff **last_frag)
6494 /* skb->len reflects data in skb as well as all fragments
6495 * skb->data_len reflects only data in fragments
6497 if (!skb_has_frag_list(skb))
6498 skb_shinfo(skb)->frag_list = new_frag;
6500 new_frag->next = NULL;
6502 (*last_frag)->next = new_frag;
6503 *last_frag = new_frag;
6505 skb->len += new_frag->len;
6506 skb->data_len += new_frag->len;
6507 skb->truesize += new_frag->truesize;
6510 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
6511 struct l2cap_ctrl *control)
6515 switch (control->sar) {
6516 case L2CAP_SAR_UNSEGMENTED:
6520 err = chan->ops->recv(chan, skb);
6523 case L2CAP_SAR_START:
6527 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
6530 chan->sdu_len = get_unaligned_le16(skb->data);
6531 skb_pull(skb, L2CAP_SDULEN_SIZE);
6533 if (chan->sdu_len > chan->imtu) {
6538 if (skb->len >= chan->sdu_len)
6542 chan->sdu_last_frag = skb;
6548 case L2CAP_SAR_CONTINUE:
6552 append_skb_frag(chan->sdu, skb,
6553 &chan->sdu_last_frag);
6556 if (chan->sdu->len >= chan->sdu_len)
6566 append_skb_frag(chan->sdu, skb,
6567 &chan->sdu_last_frag);
6570 if (chan->sdu->len != chan->sdu_len)
6573 err = chan->ops->recv(chan, chan->sdu);
6576 /* Reassembly complete */
6578 chan->sdu_last_frag = NULL;
6586 kfree_skb(chan->sdu);
6588 chan->sdu_last_frag = NULL;
6595 static int l2cap_resegment(struct l2cap_chan *chan)
6601 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6605 if (chan->mode != L2CAP_MODE_ERTM)
6608 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6609 l2cap_tx(chan, NULL, NULL, event);
6612 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6615 /* Pass sequential frames to l2cap_reassemble_sdu()
6616 * until a gap is encountered.
6619 BT_DBG("chan %p", chan);
6621 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6622 struct sk_buff *skb;
6623 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6624 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6626 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6631 skb_unlink(skb, &chan->srej_q);
6632 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6633 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6638 if (skb_queue_empty(&chan->srej_q)) {
6639 chan->rx_state = L2CAP_RX_STATE_RECV;
6640 l2cap_send_ack(chan);
6646 static void l2cap_handle_srej(struct l2cap_chan *chan,
6647 struct l2cap_ctrl *control)
6649 struct sk_buff *skb;
6651 BT_DBG("chan %p, control %p", chan, control);
6653 if (control->reqseq == chan->next_tx_seq) {
6654 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6655 l2cap_send_disconn_req(chan, ECONNRESET);
6659 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6662 BT_DBG("Seq %d not available for retransmission",
6667 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6668 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6669 l2cap_send_disconn_req(chan, ECONNRESET);
6673 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6675 if (control->poll) {
6676 l2cap_pass_to_tx(chan, control);
6678 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6679 l2cap_retransmit(chan, control);
6680 l2cap_ertm_send(chan);
6682 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6683 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6684 chan->srej_save_reqseq = control->reqseq;
6687 l2cap_pass_to_tx_fbit(chan, control);
6689 if (control->final) {
6690 if (chan->srej_save_reqseq != control->reqseq ||
6691 !test_and_clear_bit(CONN_SREJ_ACT,
6693 l2cap_retransmit(chan, control);
6695 l2cap_retransmit(chan, control);
6696 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6697 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6698 chan->srej_save_reqseq = control->reqseq;
6704 static void l2cap_handle_rej(struct l2cap_chan *chan,
6705 struct l2cap_ctrl *control)
6707 struct sk_buff *skb;
6709 BT_DBG("chan %p, control %p", chan, control);
6711 if (control->reqseq == chan->next_tx_seq) {
6712 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6713 l2cap_send_disconn_req(chan, ECONNRESET);
6717 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6719 if (chan->max_tx && skb &&
6720 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6721 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6722 l2cap_send_disconn_req(chan, ECONNRESET);
6726 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6728 l2cap_pass_to_tx(chan, control);
6730 if (control->final) {
6731 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6732 l2cap_retransmit_all(chan, control);
6734 l2cap_retransmit_all(chan, control);
6735 l2cap_ertm_send(chan);
6736 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6737 set_bit(CONN_REJ_ACT, &chan->conn_state);
6741 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6743 BT_DBG("chan %p, txseq %d", chan, txseq);
6745 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6746 chan->expected_tx_seq);
6748 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6749 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6751 /* See notes below regarding "double poll" and
6754 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6755 BT_DBG("Invalid/Ignore - after SREJ");
6756 return L2CAP_TXSEQ_INVALID_IGNORE;
6758 BT_DBG("Invalid - in window after SREJ sent");
6759 return L2CAP_TXSEQ_INVALID;
6763 if (chan->srej_list.head == txseq) {
6764 BT_DBG("Expected SREJ");
6765 return L2CAP_TXSEQ_EXPECTED_SREJ;
6768 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6769 BT_DBG("Duplicate SREJ - txseq already stored");
6770 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6773 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6774 BT_DBG("Unexpected SREJ - not requested");
6775 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6779 if (chan->expected_tx_seq == txseq) {
6780 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6782 BT_DBG("Invalid - txseq outside tx window");
6783 return L2CAP_TXSEQ_INVALID;
6786 return L2CAP_TXSEQ_EXPECTED;
6790 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6791 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6792 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6793 return L2CAP_TXSEQ_DUPLICATE;
6796 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6797 /* A source of invalid packets is a "double poll" condition,
6798 * where delays cause us to send multiple poll packets. If
6799 * the remote stack receives and processes both polls,
6800 * sequence numbers can wrap around in such a way that a
6801 * resent frame has a sequence number that looks like new data
6802 * with a sequence gap. This would trigger an erroneous SREJ
6805 * Fortunately, this is impossible with a tx window that's
6806 * less than half of the maximum sequence number, which allows
6807 * invalid frames to be safely ignored.
6809 * With tx window sizes greater than half of the tx window
6810 * maximum, the frame is invalid and cannot be ignored. This
6811 * causes a disconnect.
6814 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6815 BT_DBG("Invalid/Ignore - txseq outside tx window");
6816 return L2CAP_TXSEQ_INVALID_IGNORE;
6818 BT_DBG("Invalid - txseq outside tx window");
6819 return L2CAP_TXSEQ_INVALID;
6822 BT_DBG("Unexpected - txseq indicates missing frames");
6823 return L2CAP_TXSEQ_UNEXPECTED;
6827 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6828 struct l2cap_ctrl *control,
6829 struct sk_buff *skb, u8 event)
6832 bool skb_in_use = false;
6834 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6838 case L2CAP_EV_RECV_IFRAME:
6839 switch (l2cap_classify_txseq(chan, control->txseq)) {
6840 case L2CAP_TXSEQ_EXPECTED:
6841 l2cap_pass_to_tx(chan, control);
6843 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6844 BT_DBG("Busy, discarding expected seq %d",
6849 chan->expected_tx_seq = __next_seq(chan,
6852 chan->buffer_seq = chan->expected_tx_seq;
6855 err = l2cap_reassemble_sdu(chan, skb, control);
6859 if (control->final) {
6860 if (!test_and_clear_bit(CONN_REJ_ACT,
6861 &chan->conn_state)) {
6863 l2cap_retransmit_all(chan, control);
6864 l2cap_ertm_send(chan);
6868 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6869 l2cap_send_ack(chan);
6871 case L2CAP_TXSEQ_UNEXPECTED:
6872 l2cap_pass_to_tx(chan, control);
6874 /* Can't issue SREJ frames in the local busy state.
6875 * Drop this frame, it will be seen as missing
6876 * when local busy is exited.
6878 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6879 BT_DBG("Busy, discarding unexpected seq %d",
6884 /* There was a gap in the sequence, so an SREJ
6885 * must be sent for each missing frame. The
6886 * current frame is stored for later use.
6888 skb_queue_tail(&chan->srej_q, skb);
6890 BT_DBG("Queued %p (queue len %d)", skb,
6891 skb_queue_len(&chan->srej_q));
6893 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6894 l2cap_seq_list_clear(&chan->srej_list);
6895 l2cap_send_srej(chan, control->txseq);
6897 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6899 case L2CAP_TXSEQ_DUPLICATE:
6900 l2cap_pass_to_tx(chan, control);
6902 case L2CAP_TXSEQ_INVALID_IGNORE:
6904 case L2CAP_TXSEQ_INVALID:
6906 l2cap_send_disconn_req(chan, ECONNRESET);
6910 case L2CAP_EV_RECV_RR:
6911 l2cap_pass_to_tx(chan, control);
6912 if (control->final) {
6913 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6915 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6916 !__chan_is_moving(chan)) {
6918 l2cap_retransmit_all(chan, control);
6921 l2cap_ertm_send(chan);
6922 } else if (control->poll) {
6923 l2cap_send_i_or_rr_or_rnr(chan);
6925 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6926 &chan->conn_state) &&
6927 chan->unacked_frames)
6928 __set_retrans_timer(chan);
6930 l2cap_ertm_send(chan);
6933 case L2CAP_EV_RECV_RNR:
6934 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6935 l2cap_pass_to_tx(chan, control);
6936 if (control && control->poll) {
6937 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6938 l2cap_send_rr_or_rnr(chan, 0);
6940 __clear_retrans_timer(chan);
6941 l2cap_seq_list_clear(&chan->retrans_list);
6943 case L2CAP_EV_RECV_REJ:
6944 l2cap_handle_rej(chan, control);
6946 case L2CAP_EV_RECV_SREJ:
6947 l2cap_handle_srej(chan, control);
6953 if (skb && !skb_in_use) {
6954 BT_DBG("Freeing %p", skb);
6961 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6962 struct l2cap_ctrl *control,
6963 struct sk_buff *skb, u8 event)
6966 u16 txseq = control->txseq;
6967 bool skb_in_use = false;
6969 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6973 case L2CAP_EV_RECV_IFRAME:
6974 switch (l2cap_classify_txseq(chan, txseq)) {
6975 case L2CAP_TXSEQ_EXPECTED:
6976 /* Keep frame for reassembly later */
6977 l2cap_pass_to_tx(chan, control);
6978 skb_queue_tail(&chan->srej_q, skb);
6980 BT_DBG("Queued %p (queue len %d)", skb,
6981 skb_queue_len(&chan->srej_q));
6983 chan->expected_tx_seq = __next_seq(chan, txseq);
6985 case L2CAP_TXSEQ_EXPECTED_SREJ:
6986 l2cap_seq_list_pop(&chan->srej_list);
6988 l2cap_pass_to_tx(chan, control);
6989 skb_queue_tail(&chan->srej_q, skb);
6991 BT_DBG("Queued %p (queue len %d)", skb,
6992 skb_queue_len(&chan->srej_q));
6994 err = l2cap_rx_queued_iframes(chan);
6999 case L2CAP_TXSEQ_UNEXPECTED:
7000 /* Got a frame that can't be reassembled yet.
7001 * Save it for later, and send SREJs to cover
7002 * the missing frames.
7004 skb_queue_tail(&chan->srej_q, skb);
7006 BT_DBG("Queued %p (queue len %d)", skb,
7007 skb_queue_len(&chan->srej_q));
7009 l2cap_pass_to_tx(chan, control);
7010 l2cap_send_srej(chan, control->txseq);
7012 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
7013 /* This frame was requested with an SREJ, but
7014 * some expected retransmitted frames are
7015 * missing. Request retransmission of missing
7018 skb_queue_tail(&chan->srej_q, skb);
7020 BT_DBG("Queued %p (queue len %d)", skb,
7021 skb_queue_len(&chan->srej_q));
7023 l2cap_pass_to_tx(chan, control);
7024 l2cap_send_srej_list(chan, control->txseq);
7026 case L2CAP_TXSEQ_DUPLICATE_SREJ:
7027 /* We've already queued this frame. Drop this copy. */
7028 l2cap_pass_to_tx(chan, control);
7030 case L2CAP_TXSEQ_DUPLICATE:
7031 /* Expecting a later sequence number, so this frame
7032 * was already received. Ignore it completely.
7035 case L2CAP_TXSEQ_INVALID_IGNORE:
7037 case L2CAP_TXSEQ_INVALID:
7039 l2cap_send_disconn_req(chan, ECONNRESET);
7043 case L2CAP_EV_RECV_RR:
7044 l2cap_pass_to_tx(chan, control);
7045 if (control->final) {
7046 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7048 if (!test_and_clear_bit(CONN_REJ_ACT,
7049 &chan->conn_state)) {
7051 l2cap_retransmit_all(chan, control);
7054 l2cap_ertm_send(chan);
7055 } else if (control->poll) {
7056 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7057 &chan->conn_state) &&
7058 chan->unacked_frames) {
7059 __set_retrans_timer(chan);
7062 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7063 l2cap_send_srej_tail(chan);
7065 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7066 &chan->conn_state) &&
7067 chan->unacked_frames)
7068 __set_retrans_timer(chan);
7070 l2cap_send_ack(chan);
7073 case L2CAP_EV_RECV_RNR:
7074 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7075 l2cap_pass_to_tx(chan, control);
7076 if (control->poll) {
7077 l2cap_send_srej_tail(chan);
7079 struct l2cap_ctrl rr_control;
7080 memset(&rr_control, 0, sizeof(rr_control));
7081 rr_control.sframe = 1;
7082 rr_control.super = L2CAP_SUPER_RR;
7083 rr_control.reqseq = chan->buffer_seq;
7084 l2cap_send_sframe(chan, &rr_control);
7088 case L2CAP_EV_RECV_REJ:
7089 l2cap_handle_rej(chan, control);
7091 case L2CAP_EV_RECV_SREJ:
7092 l2cap_handle_srej(chan, control);
7096 if (skb && !skb_in_use) {
7097 BT_DBG("Freeing %p", skb);
7104 static int l2cap_finish_move(struct l2cap_chan *chan)
7106 BT_DBG("chan %p", chan);
7108 chan->rx_state = L2CAP_RX_STATE_RECV;
7111 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7113 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7115 return l2cap_resegment(chan);
7118 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
7119 struct l2cap_ctrl *control,
7120 struct sk_buff *skb, u8 event)
7124 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7130 l2cap_process_reqseq(chan, control->reqseq);
7132 if (!skb_queue_empty(&chan->tx_q))
7133 chan->tx_send_head = skb_peek(&chan->tx_q);
7135 chan->tx_send_head = NULL;
7137 /* Rewind next_tx_seq to the point expected
7140 chan->next_tx_seq = control->reqseq;
7141 chan->unacked_frames = 0;
7143 err = l2cap_finish_move(chan);
7147 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7148 l2cap_send_i_or_rr_or_rnr(chan);
7150 if (event == L2CAP_EV_RECV_IFRAME)
7153 return l2cap_rx_state_recv(chan, control, NULL, event);
7156 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
7157 struct l2cap_ctrl *control,
7158 struct sk_buff *skb, u8 event)
7162 if (!control->final)
7165 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7167 chan->rx_state = L2CAP_RX_STATE_RECV;
7168 l2cap_process_reqseq(chan, control->reqseq);
7170 if (!skb_queue_empty(&chan->tx_q))
7171 chan->tx_send_head = skb_peek(&chan->tx_q);
7173 chan->tx_send_head = NULL;
7175 /* Rewind next_tx_seq to the point expected
7178 chan->next_tx_seq = control->reqseq;
7179 chan->unacked_frames = 0;
7182 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7184 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7186 err = l2cap_resegment(chan);
7189 err = l2cap_rx_state_recv(chan, control, skb, event);
7194 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
7196 /* Make sure reqseq is for a packet that has been sent but not acked */
7199 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
7200 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
7203 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7204 struct sk_buff *skb, u8 event)
7208 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
7209 control, skb, event, chan->rx_state);
7211 if (__valid_reqseq(chan, control->reqseq)) {
7212 switch (chan->rx_state) {
7213 case L2CAP_RX_STATE_RECV:
7214 err = l2cap_rx_state_recv(chan, control, skb, event);
7216 case L2CAP_RX_STATE_SREJ_SENT:
7217 err = l2cap_rx_state_srej_sent(chan, control, skb,
7220 case L2CAP_RX_STATE_WAIT_P:
7221 err = l2cap_rx_state_wait_p(chan, control, skb, event);
7223 case L2CAP_RX_STATE_WAIT_F:
7224 err = l2cap_rx_state_wait_f(chan, control, skb, event);
7231 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
7232 control->reqseq, chan->next_tx_seq,
7233 chan->expected_ack_seq);
7234 l2cap_send_disconn_req(chan, ECONNRESET);
7240 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7241 struct sk_buff *skb)
7243 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
7246 if (l2cap_classify_txseq(chan, control->txseq) ==
7247 L2CAP_TXSEQ_EXPECTED) {
7248 l2cap_pass_to_tx(chan, control);
7250 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
7251 __next_seq(chan, chan->buffer_seq));
7253 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
7255 l2cap_reassemble_sdu(chan, skb, control);
7258 kfree_skb(chan->sdu);
7261 chan->sdu_last_frag = NULL;
7265 BT_DBG("Freeing %p", skb);
7270 chan->last_acked_seq = control->txseq;
7271 chan->expected_tx_seq = __next_seq(chan, control->txseq);
7276 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7278 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
7282 __unpack_control(chan, skb);
7287 * We can just drop the corrupted I-frame here.
7288 * Receiver will miss it and start proper recovery
7289 * procedures and ask for retransmission.
7291 if (l2cap_check_fcs(chan, skb))
7294 if (!control->sframe && control->sar == L2CAP_SAR_START)
7295 len -= L2CAP_SDULEN_SIZE;
7297 if (chan->fcs == L2CAP_FCS_CRC16)
7298 len -= L2CAP_FCS_SIZE;
7300 if (len > chan->mps) {
7301 l2cap_send_disconn_req(chan, ECONNRESET);
7305 if ((chan->mode == L2CAP_MODE_ERTM ||
7306 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
7309 if (!control->sframe) {
7312 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
7313 control->sar, control->reqseq, control->final,
7316 /* Validate F-bit - F=0 always valid, F=1 only
7317 * valid in TX WAIT_F
7319 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
7322 if (chan->mode != L2CAP_MODE_STREAMING) {
7323 event = L2CAP_EV_RECV_IFRAME;
7324 err = l2cap_rx(chan, control, skb, event);
7326 err = l2cap_stream_rx(chan, control, skb);
7330 l2cap_send_disconn_req(chan, ECONNRESET);
7332 const u8 rx_func_to_event[4] = {
7333 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
7334 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
7337 /* Only I-frames are expected in streaming mode */
7338 if (chan->mode == L2CAP_MODE_STREAMING)
7341 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
7342 control->reqseq, control->final, control->poll,
7346 BT_ERR("Trailing bytes: %d in sframe", len);
7347 l2cap_send_disconn_req(chan, ECONNRESET);
7351 /* Validate F and P bits */
7352 if (control->final && (control->poll ||
7353 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
7356 event = rx_func_to_event[control->super];
7357 if (l2cap_rx(chan, control, skb, event))
7358 l2cap_send_disconn_req(chan, ECONNRESET);
7368 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
7370 struct l2cap_conn *conn = chan->conn;
7371 struct l2cap_le_credits pkt;
7374 return_credits = (chan->imtu / chan->mps) + 1;
7376 if (chan->rx_credits >= return_credits)
7379 return_credits -= chan->rx_credits;
7381 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
7383 chan->rx_credits += return_credits;
7385 pkt.cid = cpu_to_le16(chan->scid);
7386 pkt.credits = cpu_to_le16(return_credits);
7388 chan->ident = l2cap_get_ident(conn);
7390 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
7393 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7397 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7399 /* Wait recv to confirm reception before updating the credits */
7400 err = chan->ops->recv(chan, skb);
7402 /* Update credits whenever an SDU is received */
7403 l2cap_chan_le_send_credits(chan);
7408 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7412 if (!chan->rx_credits) {
7413 BT_ERR("No credits to receive LE L2CAP data");
7414 l2cap_send_disconn_req(chan, ECONNRESET);
7418 if (chan->imtu < skb->len) {
7419 BT_ERR("Too big LE L2CAP PDU");
7424 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
7426 /* Update if remote had run out of credits, this should only happens
7427 * if the remote is not using the entire MPS.
7429 if (!chan->rx_credits)
7430 l2cap_chan_le_send_credits(chan);
7437 sdu_len = get_unaligned_le16(skb->data);
7438 skb_pull(skb, L2CAP_SDULEN_SIZE);
7440 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
7441 sdu_len, skb->len, chan->imtu);
7443 if (sdu_len > chan->imtu) {
7444 BT_ERR("Too big LE L2CAP SDU length received");
7449 if (skb->len > sdu_len) {
7450 BT_ERR("Too much LE L2CAP data received");
7455 if (skb->len == sdu_len)
7456 return l2cap_ecred_recv(chan, skb);
7459 chan->sdu_len = sdu_len;
7460 chan->sdu_last_frag = skb;
7462 /* Detect if remote is not able to use the selected MPS */
7463 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
7464 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
7466 /* Adjust the number of credits */
7467 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
7468 chan->mps = mps_len;
7469 l2cap_chan_le_send_credits(chan);
7475 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
7476 chan->sdu->len, skb->len, chan->sdu_len);
7478 if (chan->sdu->len + skb->len > chan->sdu_len) {
7479 BT_ERR("Too much LE L2CAP data received");
7484 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
7487 if (chan->sdu->len == chan->sdu_len) {
7488 err = l2cap_ecred_recv(chan, chan->sdu);
7491 chan->sdu_last_frag = NULL;
7499 kfree_skb(chan->sdu);
7501 chan->sdu_last_frag = NULL;
7505 /* We can't return an error here since we took care of the skb
7506 * freeing internally. An error return would cause the caller to
7507 * do a double-free of the skb.
7512 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
7513 struct sk_buff *skb)
7515 struct l2cap_chan *chan;
7517 chan = l2cap_get_chan_by_scid(conn, cid);
7519 if (cid == L2CAP_CID_A2MP) {
7520 chan = a2mp_channel_create(conn, skb);
7526 l2cap_chan_lock(chan);
7528 BT_DBG("unknown cid 0x%4.4x", cid);
7529 /* Drop packet and return */
7535 BT_DBG("chan %p, len %d", chan, skb->len);
7537 /* If we receive data on a fixed channel before the info req/rsp
7538 * procdure is done simply assume that the channel is supported
7539 * and mark it as ready.
7541 if (chan->chan_type == L2CAP_CHAN_FIXED)
7542 l2cap_chan_ready(chan);
7544 if (chan->state != BT_CONNECTED)
7547 switch (chan->mode) {
7548 case L2CAP_MODE_LE_FLOWCTL:
7549 case L2CAP_MODE_EXT_FLOWCTL:
7550 if (l2cap_ecred_data_rcv(chan, skb) < 0)
7555 case L2CAP_MODE_BASIC:
7556 /* If socket recv buffers overflows we drop data here
7557 * which is *bad* because L2CAP has to be reliable.
7558 * But we don't have any other choice. L2CAP doesn't
7559 * provide flow control mechanism. */
7561 if (chan->imtu < skb->len) {
7562 BT_ERR("Dropping L2CAP data: receive buffer overflow");
7566 if (!chan->ops->recv(chan, skb))
7570 case L2CAP_MODE_ERTM:
7571 case L2CAP_MODE_STREAMING:
7572 l2cap_data_rcv(chan, skb);
7576 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7584 l2cap_chan_unlock(chan);
7587 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7588 struct sk_buff *skb)
7590 struct hci_conn *hcon = conn->hcon;
7591 struct l2cap_chan *chan;
7593 if (hcon->type != ACL_LINK)
7596 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7601 BT_DBG("chan %p, len %d", chan, skb->len);
7603 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7606 if (chan->imtu < skb->len)
7609 /* Store remote BD_ADDR and PSM for msg_name */
7610 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7611 bt_cb(skb)->l2cap.psm = psm;
7613 if (!chan->ops->recv(chan, skb)) {
7614 l2cap_chan_put(chan);
7619 l2cap_chan_put(chan);
7624 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7626 struct l2cap_hdr *lh = (void *) skb->data;
7627 struct hci_conn *hcon = conn->hcon;
7631 if (hcon->state != BT_CONNECTED) {
7632 BT_DBG("queueing pending rx skb");
7633 skb_queue_tail(&conn->pending_rx, skb);
7637 skb_pull(skb, L2CAP_HDR_SIZE);
7638 cid = __le16_to_cpu(lh->cid);
7639 len = __le16_to_cpu(lh->len);
7641 if (len != skb->len) {
7646 /* Since we can't actively block incoming LE connections we must
7647 * at least ensure that we ignore incoming data from them.
7649 if (hcon->type == LE_LINK &&
7650 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7651 bdaddr_dst_type(hcon))) {
7656 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7659 case L2CAP_CID_SIGNALING:
7660 l2cap_sig_channel(conn, skb);
7663 case L2CAP_CID_CONN_LESS:
7664 psm = get_unaligned((__le16 *) skb->data);
7665 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7666 l2cap_conless_channel(conn, psm, skb);
7669 case L2CAP_CID_LE_SIGNALING:
7670 l2cap_le_sig_channel(conn, skb);
7674 l2cap_data_channel(conn, cid, skb);
7679 static void process_pending_rx(struct work_struct *work)
7681 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7683 struct sk_buff *skb;
7687 while ((skb = skb_dequeue(&conn->pending_rx)))
7688 l2cap_recv_frame(conn, skb);
7691 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7693 struct l2cap_conn *conn = hcon->l2cap_data;
7694 struct hci_chan *hchan;
7699 hchan = hci_chan_create(hcon);
7703 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7705 hci_chan_del(hchan);
7709 kref_init(&conn->ref);
7710 hcon->l2cap_data = conn;
7711 conn->hcon = hci_conn_get(hcon);
7712 conn->hchan = hchan;
7714 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7716 switch (hcon->type) {
7718 if (hcon->hdev->le_mtu) {
7719 conn->mtu = hcon->hdev->le_mtu;
7724 conn->mtu = hcon->hdev->acl_mtu;
7728 conn->feat_mask = 0;
7730 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7732 if (hcon->type == ACL_LINK &&
7733 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7734 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7736 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7737 (bredr_sc_enabled(hcon->hdev) ||
7738 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7739 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7741 mutex_init(&conn->ident_lock);
7742 mutex_init(&conn->chan_lock);
7744 INIT_LIST_HEAD(&conn->chan_l);
7745 INIT_LIST_HEAD(&conn->users);
7747 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7749 skb_queue_head_init(&conn->pending_rx);
7750 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7751 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7753 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7758 static bool is_valid_psm(u16 psm, u8 dst_type) {
7762 if (bdaddr_type_is_le(dst_type))
7763 return (psm <= 0x00ff);
7765 /* PSM must be odd and lsb of upper byte must be 0 */
7766 return ((psm & 0x0101) == 0x0001);
7769 struct l2cap_chan_data {
7770 struct l2cap_chan *chan;
7775 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7777 struct l2cap_chan_data *d = data;
7780 if (chan == d->chan)
7783 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7786 pid = chan->ops->get_peer_pid(chan);
7788 /* Only count deferred channels with the same PID/PSM */
7789 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7790 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7796 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7797 bdaddr_t *dst, u8 dst_type)
7799 struct l2cap_conn *conn;
7800 struct hci_conn *hcon;
7801 struct hci_dev *hdev;
7804 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7805 dst, dst_type, __le16_to_cpu(psm), chan->mode);
7807 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7809 return -EHOSTUNREACH;
7813 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7814 chan->chan_type != L2CAP_CHAN_RAW) {
7819 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7824 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7829 switch (chan->mode) {
7830 case L2CAP_MODE_BASIC:
7832 case L2CAP_MODE_LE_FLOWCTL:
7834 case L2CAP_MODE_EXT_FLOWCTL:
7835 if (!enable_ecred) {
7840 case L2CAP_MODE_ERTM:
7841 case L2CAP_MODE_STREAMING:
7850 switch (chan->state) {
7854 /* Already connecting */
7859 /* Already connected */
7873 /* Set destination address and psm */
7874 bacpy(&chan->dst, dst);
7875 chan->dst_type = dst_type;
7880 if (bdaddr_type_is_le(dst_type)) {
7881 /* Convert from L2CAP channel address type to HCI address type
7883 if (dst_type == BDADDR_LE_PUBLIC)
7884 dst_type = ADDR_LE_DEV_PUBLIC;
7886 dst_type = ADDR_LE_DEV_RANDOM;
7888 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7889 hcon = hci_connect_le(hdev, dst, dst_type,
7891 HCI_LE_CONN_TIMEOUT,
7892 HCI_ROLE_SLAVE, NULL);
7894 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7896 HCI_LE_CONN_TIMEOUT);
7899 u8 auth_type = l2cap_get_auth_type(chan);
7900 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7904 err = PTR_ERR(hcon);
7908 conn = l2cap_conn_add(hcon);
7910 hci_conn_drop(hcon);
7915 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7916 struct l2cap_chan_data data;
7919 data.pid = chan->ops->get_peer_pid(chan);
7922 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7924 /* Check if there isn't too many channels being connected */
7925 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7926 hci_conn_drop(hcon);
7932 mutex_lock(&conn->chan_lock);
7933 l2cap_chan_lock(chan);
7935 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7936 hci_conn_drop(hcon);
7941 /* Update source addr of the socket */
7942 bacpy(&chan->src, &hcon->src);
7943 chan->src_type = bdaddr_src_type(hcon);
7945 __l2cap_chan_add(conn, chan);
7947 /* l2cap_chan_add takes its own ref so we can drop this one */
7948 hci_conn_drop(hcon);
7950 l2cap_state_change(chan, BT_CONNECT);
7951 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7953 /* Release chan->sport so that it can be reused by other
7954 * sockets (as it's only used for listening sockets).
7956 write_lock(&chan_list_lock);
7958 write_unlock(&chan_list_lock);
7960 if (hcon->state == BT_CONNECTED) {
7961 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7962 __clear_chan_timer(chan);
7963 if (l2cap_chan_check_security(chan, true))
7964 l2cap_state_change(chan, BT_CONNECTED);
7966 l2cap_do_start(chan);
7972 l2cap_chan_unlock(chan);
7973 mutex_unlock(&conn->chan_lock);
7975 hci_dev_unlock(hdev);
7979 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7981 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
7983 struct l2cap_conn *conn = chan->conn;
7985 struct l2cap_ecred_reconf_req req;
7989 pdu.req.mtu = cpu_to_le16(chan->imtu);
7990 pdu.req.mps = cpu_to_le16(chan->mps);
7991 pdu.scid = cpu_to_le16(chan->scid);
7993 chan->ident = l2cap_get_ident(conn);
7995 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
7999 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8001 if (chan->imtu > mtu)
8004 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8008 l2cap_ecred_reconfigure(chan);
8013 /* ---- L2CAP interface with lower layer (HCI) ---- */
8015 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
8017 int exact = 0, lm1 = 0, lm2 = 0;
8018 struct l2cap_chan *c;
8020 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
8022 /* Find listening sockets and check their link_mode */
8023 read_lock(&chan_list_lock);
8024 list_for_each_entry(c, &chan_list, global_l) {
8025 if (c->state != BT_LISTEN)
8028 if (!bacmp(&c->src, &hdev->bdaddr)) {
8029 lm1 |= HCI_LM_ACCEPT;
8030 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8031 lm1 |= HCI_LM_MASTER;
8033 } else if (!bacmp(&c->src, BDADDR_ANY)) {
8034 lm2 |= HCI_LM_ACCEPT;
8035 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8036 lm2 |= HCI_LM_MASTER;
8039 read_unlock(&chan_list_lock);
8041 return exact ? lm1 : lm2;
8044 /* Find the next fixed channel in BT_LISTEN state, continue iteration
8045 * from an existing channel in the list or from the beginning of the
8046 * global list (by passing NULL as first parameter).
8048 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
8049 struct hci_conn *hcon)
8051 u8 src_type = bdaddr_src_type(hcon);
8053 read_lock(&chan_list_lock);
8056 c = list_next_entry(c, global_l);
8058 c = list_entry(chan_list.next, typeof(*c), global_l);
8060 list_for_each_entry_from(c, &chan_list, global_l) {
8061 if (c->chan_type != L2CAP_CHAN_FIXED)
8063 if (c->state != BT_LISTEN)
8065 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
8067 if (src_type != c->src_type)
8071 read_unlock(&chan_list_lock);
8075 read_unlock(&chan_list_lock);
8080 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
8082 struct hci_dev *hdev = hcon->hdev;
8083 struct l2cap_conn *conn;
8084 struct l2cap_chan *pchan;
8087 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8090 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
8093 l2cap_conn_del(hcon, bt_to_errno(status));
8097 conn = l2cap_conn_add(hcon);
8101 dst_type = bdaddr_dst_type(hcon);
8103 /* If device is blocked, do not create channels for it */
8104 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
8107 /* Find fixed channels and notify them of the new connection. We
8108 * use multiple individual lookups, continuing each time where
8109 * we left off, because the list lock would prevent calling the
8110 * potentially sleeping l2cap_chan_lock() function.
8112 pchan = l2cap_global_fixed_chan(NULL, hcon);
8114 struct l2cap_chan *chan, *next;
8116 /* Client fixed channels should override server ones */
8117 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
8120 l2cap_chan_lock(pchan);
8121 chan = pchan->ops->new_connection(pchan);
8123 bacpy(&chan->src, &hcon->src);
8124 bacpy(&chan->dst, &hcon->dst);
8125 chan->src_type = bdaddr_src_type(hcon);
8126 chan->dst_type = dst_type;
8128 __l2cap_chan_add(conn, chan);
8131 l2cap_chan_unlock(pchan);
8133 next = l2cap_global_fixed_chan(pchan, hcon);
8134 l2cap_chan_put(pchan);
8138 l2cap_conn_ready(conn);
8141 int l2cap_disconn_ind(struct hci_conn *hcon)
8143 struct l2cap_conn *conn = hcon->l2cap_data;
8145 BT_DBG("hcon %p", hcon);
8148 return HCI_ERROR_REMOTE_USER_TERM;
8149 return conn->disc_reason;
8152 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
8154 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8157 BT_DBG("hcon %p reason %d", hcon, reason);
8159 l2cap_conn_del(hcon, bt_to_errno(reason));
8162 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
8164 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
8167 if (encrypt == 0x00) {
8168 if (chan->sec_level == BT_SECURITY_MEDIUM) {
8169 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
8170 } else if (chan->sec_level == BT_SECURITY_HIGH ||
8171 chan->sec_level == BT_SECURITY_FIPS)
8172 l2cap_chan_close(chan, ECONNREFUSED);
8174 if (chan->sec_level == BT_SECURITY_MEDIUM)
8175 __clear_chan_timer(chan);
8179 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
8181 struct l2cap_conn *conn = hcon->l2cap_data;
8182 struct l2cap_chan *chan;
8187 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
8189 mutex_lock(&conn->chan_lock);
8191 list_for_each_entry(chan, &conn->chan_l, list) {
8192 l2cap_chan_lock(chan);
8194 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
8195 state_to_string(chan->state));
8197 if (chan->scid == L2CAP_CID_A2MP) {
8198 l2cap_chan_unlock(chan);
8202 if (!status && encrypt)
8203 chan->sec_level = hcon->sec_level;
8205 if (!__l2cap_no_conn_pending(chan)) {
8206 l2cap_chan_unlock(chan);
8210 if (!status && (chan->state == BT_CONNECTED ||
8211 chan->state == BT_CONFIG)) {
8212 chan->ops->resume(chan);
8213 l2cap_check_encryption(chan, encrypt);
8214 l2cap_chan_unlock(chan);
8218 if (chan->state == BT_CONNECT) {
8219 if (!status && l2cap_check_enc_key_size(hcon))
8220 l2cap_start_connection(chan);
8222 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8223 } else if (chan->state == BT_CONNECT2 &&
8224 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8225 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
8226 struct l2cap_conn_rsp rsp;
8229 if (!status && l2cap_check_enc_key_size(hcon)) {
8230 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
8231 res = L2CAP_CR_PEND;
8232 stat = L2CAP_CS_AUTHOR_PEND;
8233 chan->ops->defer(chan);
8235 l2cap_state_change(chan, BT_CONFIG);
8236 res = L2CAP_CR_SUCCESS;
8237 stat = L2CAP_CS_NO_INFO;
8240 l2cap_state_change(chan, BT_DISCONN);
8241 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8242 res = L2CAP_CR_SEC_BLOCK;
8243 stat = L2CAP_CS_NO_INFO;
8246 rsp.scid = cpu_to_le16(chan->dcid);
8247 rsp.dcid = cpu_to_le16(chan->scid);
8248 rsp.result = cpu_to_le16(res);
8249 rsp.status = cpu_to_le16(stat);
8250 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
8253 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
8254 res == L2CAP_CR_SUCCESS) {
8256 set_bit(CONF_REQ_SENT, &chan->conf_state);
8257 l2cap_send_cmd(conn, l2cap_get_ident(conn),
8259 l2cap_build_conf_req(chan, buf, sizeof(buf)),
8261 chan->num_conf_req++;
8265 l2cap_chan_unlock(chan);
8268 mutex_unlock(&conn->chan_lock);
8271 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
8273 struct l2cap_conn *conn = hcon->l2cap_data;
8274 struct l2cap_hdr *hdr;
8277 /* For AMP controller do not create l2cap conn */
8278 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
8282 conn = l2cap_conn_add(hcon);
8287 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
8291 case ACL_START_NO_FLUSH:
8294 BT_ERR("Unexpected start frame (len %d)", skb->len);
8295 kfree_skb(conn->rx_skb);
8296 conn->rx_skb = NULL;
8298 l2cap_conn_unreliable(conn, ECOMM);
8301 /* Start fragment always begin with Basic L2CAP header */
8302 if (skb->len < L2CAP_HDR_SIZE) {
8303 BT_ERR("Frame is too short (len %d)", skb->len);
8304 l2cap_conn_unreliable(conn, ECOMM);
8308 hdr = (struct l2cap_hdr *) skb->data;
8309 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
8311 if (len == skb->len) {
8312 /* Complete frame received */
8313 l2cap_recv_frame(conn, skb);
8317 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
8319 if (skb->len > len) {
8320 BT_ERR("Frame is too long (len %d, expected len %d)",
8322 l2cap_conn_unreliable(conn, ECOMM);
8326 /* Allocate skb for the complete frame (with header) */
8327 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
8331 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8333 conn->rx_len = len - skb->len;
8337 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
8339 if (!conn->rx_len) {
8340 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
8341 l2cap_conn_unreliable(conn, ECOMM);
8345 if (skb->len > conn->rx_len) {
8346 BT_ERR("Fragment is too long (len %d, expected %d)",
8347 skb->len, conn->rx_len);
8348 kfree_skb(conn->rx_skb);
8349 conn->rx_skb = NULL;
8351 l2cap_conn_unreliable(conn, ECOMM);
8355 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8357 conn->rx_len -= skb->len;
8359 if (!conn->rx_len) {
8360 /* Complete frame received. l2cap_recv_frame
8361 * takes ownership of the skb so set the global
8362 * rx_skb pointer to NULL first.
8364 struct sk_buff *rx_skb = conn->rx_skb;
8365 conn->rx_skb = NULL;
8366 l2cap_recv_frame(conn, rx_skb);
8375 static struct hci_cb l2cap_cb = {
8377 .connect_cfm = l2cap_connect_cfm,
8378 .disconn_cfm = l2cap_disconn_cfm,
8379 .security_cfm = l2cap_security_cfm,
8382 static int l2cap_debugfs_show(struct seq_file *f, void *p)
8384 struct l2cap_chan *c;
8386 read_lock(&chan_list_lock);
8388 list_for_each_entry(c, &chan_list, global_l) {
8389 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
8390 &c->src, c->src_type, &c->dst, c->dst_type,
8391 c->state, __le16_to_cpu(c->psm),
8392 c->scid, c->dcid, c->imtu, c->omtu,
8393 c->sec_level, c->mode);
8396 read_unlock(&chan_list_lock);
8401 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
8403 static struct dentry *l2cap_debugfs;
8405 int __init l2cap_init(void)
8409 err = l2cap_init_sockets();
8413 hci_register_cb(&l2cap_cb);
8415 if (IS_ERR_OR_NULL(bt_debugfs))
8418 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
8419 NULL, &l2cap_debugfs_fops);
8424 void l2cap_exit(void)
8426 debugfs_remove(l2cap_debugfs);
8427 hci_unregister_cb(&l2cap_cb);
8428 l2cap_cleanup_sockets();
8431 module_param(disable_ertm, bool, 0644);
8432 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8434 module_param(enable_ecred, bool, 0644);
8435 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
OSDN Git Service
