2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
54 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
55 u8 code, u8 ident, u16 dlen, void *data);
56 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
58 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
59 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
61 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
62 struct sk_buff_head *skbs, u8 event);
64 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
66 if (link_type == LE_LINK) {
67 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
68 return BDADDR_LE_PUBLIC;
70 return BDADDR_LE_RANDOM;
76 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
78 return bdaddr_type(hcon->type, hcon->src_type);
81 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
83 return bdaddr_type(hcon->type, hcon->dst_type);
86 /* ---- L2CAP channels ---- */
88 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
93 list_for_each_entry(c, &conn->chan_l, list) {
100 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 struct l2cap_chan *c;
105 list_for_each_entry(c, &conn->chan_l, list) {
112 /* Find channel with given SCID.
113 * Returns locked channel. */
114 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
117 struct l2cap_chan *c;
119 mutex_lock(&conn->chan_lock);
120 c = __l2cap_get_chan_by_scid(conn, cid);
123 mutex_unlock(&conn->chan_lock);
128 /* Find channel with given DCID.
129 * Returns locked channel.
131 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
134 struct l2cap_chan *c;
136 mutex_lock(&conn->chan_lock);
137 c = __l2cap_get_chan_by_dcid(conn, cid);
140 mutex_unlock(&conn->chan_lock);
145 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
148 struct l2cap_chan *c;
150 list_for_each_entry(c, &conn->chan_l, list) {
151 if (c->ident == ident)
157 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
160 struct l2cap_chan *c;
162 mutex_lock(&conn->chan_lock);
163 c = __l2cap_get_chan_by_ident(conn, ident);
166 mutex_unlock(&conn->chan_lock);
171 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
174 struct l2cap_chan *c;
176 list_for_each_entry(c, &chan_list, global_l) {
177 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
180 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
183 if (c->sport == psm && !bacmp(&c->src, src))
189 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
193 write_lock(&chan_list_lock);
195 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
205 u16 p, start, end, incr;
207 if (chan->src_type == BDADDR_BREDR) {
208 start = L2CAP_PSM_DYN_START;
209 end = L2CAP_PSM_AUTO_END;
212 start = L2CAP_PSM_LE_DYN_START;
213 end = L2CAP_PSM_LE_DYN_END;
218 for (p = start; p <= end; p += incr)
219 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
221 chan->psm = cpu_to_le16(p);
222 chan->sport = cpu_to_le16(p);
229 write_unlock(&chan_list_lock);
232 EXPORT_SYMBOL_GPL(l2cap_add_psm);
234 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
236 write_lock(&chan_list_lock);
238 /* Override the defaults (which are for conn-oriented) */
239 chan->omtu = L2CAP_DEFAULT_MTU;
240 chan->chan_type = L2CAP_CHAN_FIXED;
244 write_unlock(&chan_list_lock);
249 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
253 if (conn->hcon->type == LE_LINK)
254 dyn_end = L2CAP_CID_LE_DYN_END;
256 dyn_end = L2CAP_CID_DYN_END;
258 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
259 if (!__l2cap_get_chan_by_scid(conn, cid))
266 static void l2cap_state_change(struct l2cap_chan *chan, int state)
268 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
269 state_to_string(state));
272 chan->ops->state_change(chan, state, 0);
275 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
279 chan->ops->state_change(chan, chan->state, err);
282 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
284 chan->ops->state_change(chan, chan->state, err);
287 static void __set_retrans_timer(struct l2cap_chan *chan)
289 if (!delayed_work_pending(&chan->monitor_timer) &&
290 chan->retrans_timeout) {
291 l2cap_set_timer(chan, &chan->retrans_timer,
292 msecs_to_jiffies(chan->retrans_timeout));
296 static void __set_monitor_timer(struct l2cap_chan *chan)
298 __clear_retrans_timer(chan);
299 if (chan->monitor_timeout) {
300 l2cap_set_timer(chan, &chan->monitor_timer,
301 msecs_to_jiffies(chan->monitor_timeout));
305 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
310 skb_queue_walk(head, skb) {
311 if (bt_cb(skb)->l2cap.txseq == seq)
318 /* ---- L2CAP sequence number lists ---- */
320 /* For ERTM, ordered lists of sequence numbers must be tracked for
321 * SREJ requests that are received and for frames that are to be
322 * retransmitted. These seq_list functions implement a singly-linked
323 * list in an array, where membership in the list can also be checked
324 * in constant time. Items can also be added to the tail of the list
325 * and removed from the head in constant time, without further memory
329 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
331 size_t alloc_size, i;
333 /* Allocated size is a power of 2 to map sequence numbers
334 * (which may be up to 14 bits) in to a smaller array that is
335 * sized for the negotiated ERTM transmit windows.
337 alloc_size = roundup_pow_of_two(size);
339 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
343 seq_list->mask = alloc_size - 1;
344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
346 for (i = 0; i < alloc_size; i++)
347 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
352 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
354 kfree(seq_list->list);
357 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
360 /* Constant-time check for list membership */
361 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
364 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
366 u16 seq = seq_list->head;
367 u16 mask = seq_list->mask;
369 seq_list->head = seq_list->list[seq & mask];
370 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
372 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
373 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
374 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
380 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
384 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
387 for (i = 0; i <= seq_list->mask; i++)
388 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
390 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
391 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
394 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
396 u16 mask = seq_list->mask;
398 /* All appends happen in constant time */
400 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
403 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
404 seq_list->head = seq;
406 seq_list->list[seq_list->tail & mask] = seq;
408 seq_list->tail = seq;
409 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
412 static void l2cap_chan_timeout(struct work_struct *work)
414 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
416 struct l2cap_conn *conn = chan->conn;
419 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
421 mutex_lock(&conn->chan_lock);
422 l2cap_chan_lock(chan);
424 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
425 reason = ECONNREFUSED;
426 else if (chan->state == BT_CONNECT &&
427 chan->sec_level != BT_SECURITY_SDP)
428 reason = ECONNREFUSED;
432 l2cap_chan_close(chan, reason);
434 l2cap_chan_unlock(chan);
436 chan->ops->close(chan);
437 mutex_unlock(&conn->chan_lock);
439 l2cap_chan_put(chan);
442 struct l2cap_chan *l2cap_chan_create(void)
444 struct l2cap_chan *chan;
446 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
450 mutex_init(&chan->lock);
452 /* Set default lock nesting level */
453 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
455 write_lock(&chan_list_lock);
456 list_add(&chan->global_l, &chan_list);
457 write_unlock(&chan_list_lock);
459 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
461 chan->state = BT_OPEN;
463 kref_init(&chan->kref);
465 /* This flag is cleared in l2cap_chan_ready() */
466 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
468 BT_DBG("chan %p", chan);
472 EXPORT_SYMBOL_GPL(l2cap_chan_create);
474 static void l2cap_chan_destroy(struct kref *kref)
476 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
478 BT_DBG("chan %p", chan);
480 write_lock(&chan_list_lock);
481 list_del(&chan->global_l);
482 write_unlock(&chan_list_lock);
487 void l2cap_chan_hold(struct l2cap_chan *c)
489 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
494 void l2cap_chan_put(struct l2cap_chan *c)
496 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
498 kref_put(&c->kref, l2cap_chan_destroy);
500 EXPORT_SYMBOL_GPL(l2cap_chan_put);
502 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
504 chan->fcs = L2CAP_FCS_CRC16;
505 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
506 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
507 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
508 chan->remote_max_tx = chan->max_tx;
509 chan->remote_tx_win = chan->tx_win;
510 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
511 chan->sec_level = BT_SECURITY_LOW;
512 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
513 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
514 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
515 chan->conf_state = 0;
517 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
519 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
521 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
524 chan->sdu_last_frag = NULL;
526 chan->tx_credits = tx_credits;
527 /* Derive MPS from connection MTU to stop HCI fragmentation */
528 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
529 /* Give enough credits for a full packet */
530 chan->rx_credits = (chan->imtu / chan->mps) + 1;
532 skb_queue_head_init(&chan->tx_q);
535 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
537 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
538 __le16_to_cpu(chan->psm), chan->dcid);
540 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
544 switch (chan->chan_type) {
545 case L2CAP_CHAN_CONN_ORIENTED:
546 /* Alloc CID for connection-oriented socket */
547 chan->scid = l2cap_alloc_cid(conn);
548 if (conn->hcon->type == ACL_LINK)
549 chan->omtu = L2CAP_DEFAULT_MTU;
552 case L2CAP_CHAN_CONN_LESS:
553 /* Connectionless socket */
554 chan->scid = L2CAP_CID_CONN_LESS;
555 chan->dcid = L2CAP_CID_CONN_LESS;
556 chan->omtu = L2CAP_DEFAULT_MTU;
559 case L2CAP_CHAN_FIXED:
560 /* Caller will set CID and CID specific MTU values */
564 /* Raw socket can send/recv signalling messages only */
565 chan->scid = L2CAP_CID_SIGNALING;
566 chan->dcid = L2CAP_CID_SIGNALING;
567 chan->omtu = L2CAP_DEFAULT_MTU;
570 chan->local_id = L2CAP_BESTEFFORT_ID;
571 chan->local_stype = L2CAP_SERV_BESTEFFORT;
572 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
573 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
574 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
575 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
577 l2cap_chan_hold(chan);
579 /* Only keep a reference for fixed channels if they requested it */
580 if (chan->chan_type != L2CAP_CHAN_FIXED ||
581 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
582 hci_conn_hold(conn->hcon);
584 list_add(&chan->list, &conn->chan_l);
587 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
589 mutex_lock(&conn->chan_lock);
590 __l2cap_chan_add(conn, chan);
591 mutex_unlock(&conn->chan_lock);
594 void l2cap_chan_del(struct l2cap_chan *chan, int err)
596 struct l2cap_conn *conn = chan->conn;
598 __clear_chan_timer(chan);
600 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
601 state_to_string(chan->state));
603 chan->ops->teardown(chan, err);
606 struct amp_mgr *mgr = conn->hcon->amp_mgr;
607 /* Delete from channel list */
608 list_del(&chan->list);
610 l2cap_chan_put(chan);
614 /* Reference was only held for non-fixed channels or
615 * fixed channels that explicitly requested it using the
616 * FLAG_HOLD_HCI_CONN flag.
618 if (chan->chan_type != L2CAP_CHAN_FIXED ||
619 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
620 hci_conn_drop(conn->hcon);
622 if (mgr && mgr->bredr_chan == chan)
623 mgr->bredr_chan = NULL;
626 if (chan->hs_hchan) {
627 struct hci_chan *hs_hchan = chan->hs_hchan;
629 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
630 amp_disconnect_logical_link(hs_hchan);
633 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
637 case L2CAP_MODE_BASIC:
640 case L2CAP_MODE_LE_FLOWCTL:
641 skb_queue_purge(&chan->tx_q);
644 case L2CAP_MODE_ERTM:
645 __clear_retrans_timer(chan);
646 __clear_monitor_timer(chan);
647 __clear_ack_timer(chan);
649 skb_queue_purge(&chan->srej_q);
651 l2cap_seq_list_free(&chan->srej_list);
652 l2cap_seq_list_free(&chan->retrans_list);
656 case L2CAP_MODE_STREAMING:
657 skb_queue_purge(&chan->tx_q);
663 EXPORT_SYMBOL_GPL(l2cap_chan_del);
665 static void l2cap_conn_update_id_addr(struct work_struct *work)
667 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
668 id_addr_update_work);
669 struct hci_conn *hcon = conn->hcon;
670 struct l2cap_chan *chan;
672 mutex_lock(&conn->chan_lock);
674 list_for_each_entry(chan, &conn->chan_l, list) {
675 l2cap_chan_lock(chan);
676 bacpy(&chan->dst, &hcon->dst);
677 chan->dst_type = bdaddr_dst_type(hcon);
678 l2cap_chan_unlock(chan);
681 mutex_unlock(&conn->chan_lock);
684 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
686 struct l2cap_conn *conn = chan->conn;
687 struct l2cap_le_conn_rsp rsp;
690 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
691 result = L2CAP_CR_LE_AUTHORIZATION;
693 result = L2CAP_CR_LE_BAD_PSM;
695 l2cap_state_change(chan, BT_DISCONN);
697 rsp.dcid = cpu_to_le16(chan->scid);
698 rsp.mtu = cpu_to_le16(chan->imtu);
699 rsp.mps = cpu_to_le16(chan->mps);
700 rsp.credits = cpu_to_le16(chan->rx_credits);
701 rsp.result = cpu_to_le16(result);
703 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
707 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
709 struct l2cap_conn *conn = chan->conn;
710 struct l2cap_conn_rsp rsp;
713 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
714 result = L2CAP_CR_SEC_BLOCK;
716 result = L2CAP_CR_BAD_PSM;
718 l2cap_state_change(chan, BT_DISCONN);
720 rsp.scid = cpu_to_le16(chan->dcid);
721 rsp.dcid = cpu_to_le16(chan->scid);
722 rsp.result = cpu_to_le16(result);
723 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
725 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
728 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
730 struct l2cap_conn *conn = chan->conn;
732 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
734 switch (chan->state) {
736 chan->ops->teardown(chan, 0);
741 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
742 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
743 l2cap_send_disconn_req(chan, reason);
745 l2cap_chan_del(chan, reason);
749 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
750 if (conn->hcon->type == ACL_LINK)
751 l2cap_chan_connect_reject(chan);
752 else if (conn->hcon->type == LE_LINK)
753 l2cap_chan_le_connect_reject(chan);
756 l2cap_chan_del(chan, reason);
761 l2cap_chan_del(chan, reason);
765 chan->ops->teardown(chan, 0);
769 EXPORT_SYMBOL(l2cap_chan_close);
771 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
773 switch (chan->chan_type) {
775 switch (chan->sec_level) {
776 case BT_SECURITY_HIGH:
777 case BT_SECURITY_FIPS:
778 return HCI_AT_DEDICATED_BONDING_MITM;
779 case BT_SECURITY_MEDIUM:
780 return HCI_AT_DEDICATED_BONDING;
782 return HCI_AT_NO_BONDING;
785 case L2CAP_CHAN_CONN_LESS:
786 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
787 if (chan->sec_level == BT_SECURITY_LOW)
788 chan->sec_level = BT_SECURITY_SDP;
790 if (chan->sec_level == BT_SECURITY_HIGH ||
791 chan->sec_level == BT_SECURITY_FIPS)
792 return HCI_AT_NO_BONDING_MITM;
794 return HCI_AT_NO_BONDING;
796 case L2CAP_CHAN_CONN_ORIENTED:
797 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
798 if (chan->sec_level == BT_SECURITY_LOW)
799 chan->sec_level = BT_SECURITY_SDP;
801 if (chan->sec_level == BT_SECURITY_HIGH ||
802 chan->sec_level == BT_SECURITY_FIPS)
803 return HCI_AT_NO_BONDING_MITM;
805 return HCI_AT_NO_BONDING;
809 switch (chan->sec_level) {
810 case BT_SECURITY_HIGH:
811 case BT_SECURITY_FIPS:
812 return HCI_AT_GENERAL_BONDING_MITM;
813 case BT_SECURITY_MEDIUM:
814 return HCI_AT_GENERAL_BONDING;
816 return HCI_AT_NO_BONDING;
822 /* Service level security */
823 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
825 struct l2cap_conn *conn = chan->conn;
828 if (conn->hcon->type == LE_LINK)
829 return smp_conn_security(conn->hcon, chan->sec_level);
831 auth_type = l2cap_get_auth_type(chan);
833 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
837 static u8 l2cap_get_ident(struct l2cap_conn *conn)
841 /* Get next available identificator.
842 * 1 - 128 are used by kernel.
843 * 129 - 199 are reserved.
844 * 200 - 254 are used by utilities like l2ping, etc.
847 mutex_lock(&conn->ident_lock);
849 if (++conn->tx_ident > 128)
854 mutex_unlock(&conn->ident_lock);
859 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
862 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
865 BT_DBG("code 0x%2.2x", code);
870 /* Use NO_FLUSH if supported or we have an LE link (which does
871 * not support auto-flushing packets) */
872 if (lmp_no_flush_capable(conn->hcon->hdev) ||
873 conn->hcon->type == LE_LINK)
874 flags = ACL_START_NO_FLUSH;
878 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
879 skb->priority = HCI_PRIO_MAX;
881 hci_send_acl(conn->hchan, skb, flags);
884 static bool __chan_is_moving(struct l2cap_chan *chan)
886 return chan->move_state != L2CAP_MOVE_STABLE &&
887 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
890 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
892 struct hci_conn *hcon = chan->conn->hcon;
895 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
898 if (chan->hs_hcon && !__chan_is_moving(chan)) {
900 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
907 /* Use NO_FLUSH for LE links (where this is the only option) or
908 * if the BR/EDR link supports it and flushing has not been
909 * explicitly requested (through FLAG_FLUSHABLE).
911 if (hcon->type == LE_LINK ||
912 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
913 lmp_no_flush_capable(hcon->hdev)))
914 flags = ACL_START_NO_FLUSH;
918 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
919 hci_send_acl(chan->conn->hchan, skb, flags);
922 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
924 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
925 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
927 if (enh & L2CAP_CTRL_FRAME_TYPE) {
930 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
931 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
938 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
939 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
946 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
948 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
949 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
951 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
954 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
955 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
962 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
963 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
970 static inline void __unpack_control(struct l2cap_chan *chan,
973 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
974 __unpack_extended_control(get_unaligned_le32(skb->data),
976 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
978 __unpack_enhanced_control(get_unaligned_le16(skb->data),
980 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
984 static u32 __pack_extended_control(struct l2cap_ctrl *control)
988 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
989 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
991 if (control->sframe) {
992 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
993 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
994 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
996 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
997 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1003 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1007 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1008 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1010 if (control->sframe) {
1011 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1012 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1013 packed |= L2CAP_CTRL_FRAME_TYPE;
1015 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1016 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1022 static inline void __pack_control(struct l2cap_chan *chan,
1023 struct l2cap_ctrl *control,
1024 struct sk_buff *skb)
1026 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1027 put_unaligned_le32(__pack_extended_control(control),
1028 skb->data + L2CAP_HDR_SIZE);
1030 put_unaligned_le16(__pack_enhanced_control(control),
1031 skb->data + L2CAP_HDR_SIZE);
1035 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1037 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1038 return L2CAP_EXT_HDR_SIZE;
1040 return L2CAP_ENH_HDR_SIZE;
1043 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1046 struct sk_buff *skb;
1047 struct l2cap_hdr *lh;
1048 int hlen = __ertm_hdr_size(chan);
1050 if (chan->fcs == L2CAP_FCS_CRC16)
1051 hlen += L2CAP_FCS_SIZE;
1053 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1056 return ERR_PTR(-ENOMEM);
1058 lh = skb_put(skb, L2CAP_HDR_SIZE);
1059 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1060 lh->cid = cpu_to_le16(chan->dcid);
1062 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1063 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1065 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1067 if (chan->fcs == L2CAP_FCS_CRC16) {
1068 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1069 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1072 skb->priority = HCI_PRIO_MAX;
1076 static void l2cap_send_sframe(struct l2cap_chan *chan,
1077 struct l2cap_ctrl *control)
1079 struct sk_buff *skb;
1082 BT_DBG("chan %p, control %p", chan, control);
1084 if (!control->sframe)
1087 if (__chan_is_moving(chan))
1090 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1094 if (control->super == L2CAP_SUPER_RR)
1095 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1096 else if (control->super == L2CAP_SUPER_RNR)
1097 set_bit(CONN_RNR_SENT, &chan->conn_state);
1099 if (control->super != L2CAP_SUPER_SREJ) {
1100 chan->last_acked_seq = control->reqseq;
1101 __clear_ack_timer(chan);
1104 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1105 control->final, control->poll, control->super);
1107 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1108 control_field = __pack_extended_control(control);
1110 control_field = __pack_enhanced_control(control);
1112 skb = l2cap_create_sframe_pdu(chan, control_field);
1114 l2cap_do_send(chan, skb);
1117 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1119 struct l2cap_ctrl control;
1121 BT_DBG("chan %p, poll %d", chan, poll);
1123 memset(&control, 0, sizeof(control));
1125 control.poll = poll;
1127 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1128 control.super = L2CAP_SUPER_RNR;
1130 control.super = L2CAP_SUPER_RR;
1132 control.reqseq = chan->buffer_seq;
1133 l2cap_send_sframe(chan, &control);
1136 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1138 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1141 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1144 static bool __amp_capable(struct l2cap_chan *chan)
1146 struct l2cap_conn *conn = chan->conn;
1147 struct hci_dev *hdev;
1148 bool amp_available = false;
1150 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1153 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1156 read_lock(&hci_dev_list_lock);
1157 list_for_each_entry(hdev, &hci_dev_list, list) {
1158 if (hdev->amp_type != AMP_TYPE_BREDR &&
1159 test_bit(HCI_UP, &hdev->flags)) {
1160 amp_available = true;
1164 read_unlock(&hci_dev_list_lock);
1166 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1167 return amp_available;
1172 static bool l2cap_check_efs(struct l2cap_chan *chan)
1174 /* Check EFS parameters */
1178 void l2cap_send_conn_req(struct l2cap_chan *chan)
1180 struct l2cap_conn *conn = chan->conn;
1181 struct l2cap_conn_req req;
1183 req.scid = cpu_to_le16(chan->scid);
1184 req.psm = chan->psm;
1186 chan->ident = l2cap_get_ident(conn);
1188 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1190 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1193 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1195 struct l2cap_create_chan_req req;
1196 req.scid = cpu_to_le16(chan->scid);
1197 req.psm = chan->psm;
1198 req.amp_id = amp_id;
1200 chan->ident = l2cap_get_ident(chan->conn);
1202 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1206 static void l2cap_move_setup(struct l2cap_chan *chan)
1208 struct sk_buff *skb;
1210 BT_DBG("chan %p", chan);
1212 if (chan->mode != L2CAP_MODE_ERTM)
1215 __clear_retrans_timer(chan);
1216 __clear_monitor_timer(chan);
1217 __clear_ack_timer(chan);
1219 chan->retry_count = 0;
1220 skb_queue_walk(&chan->tx_q, skb) {
1221 if (bt_cb(skb)->l2cap.retries)
1222 bt_cb(skb)->l2cap.retries = 1;
1227 chan->expected_tx_seq = chan->buffer_seq;
1229 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1230 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1231 l2cap_seq_list_clear(&chan->retrans_list);
1232 l2cap_seq_list_clear(&chan->srej_list);
1233 skb_queue_purge(&chan->srej_q);
1235 chan->tx_state = L2CAP_TX_STATE_XMIT;
1236 chan->rx_state = L2CAP_RX_STATE_MOVE;
1238 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1241 static void l2cap_move_done(struct l2cap_chan *chan)
1243 u8 move_role = chan->move_role;
1244 BT_DBG("chan %p", chan);
1246 chan->move_state = L2CAP_MOVE_STABLE;
1247 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1249 if (chan->mode != L2CAP_MODE_ERTM)
1252 switch (move_role) {
1253 case L2CAP_MOVE_ROLE_INITIATOR:
1254 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1255 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1257 case L2CAP_MOVE_ROLE_RESPONDER:
1258 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1263 static void l2cap_chan_ready(struct l2cap_chan *chan)
1265 /* The channel may have already been flagged as connected in
1266 * case of receiving data before the L2CAP info req/rsp
1267 * procedure is complete.
1269 if (chan->state == BT_CONNECTED)
1272 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1273 chan->conf_state = 0;
1274 __clear_chan_timer(chan);
1276 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1277 chan->ops->suspend(chan);
1279 chan->state = BT_CONNECTED;
1281 chan->ops->ready(chan);
1284 static void l2cap_le_connect(struct l2cap_chan *chan)
1286 struct l2cap_conn *conn = chan->conn;
1287 struct l2cap_le_conn_req req;
1289 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1292 l2cap_le_flowctl_init(chan, 0);
1294 req.psm = chan->psm;
1295 req.scid = cpu_to_le16(chan->scid);
1296 req.mtu = cpu_to_le16(chan->imtu);
1297 req.mps = cpu_to_le16(chan->mps);
1298 req.credits = cpu_to_le16(chan->rx_credits);
1300 chan->ident = l2cap_get_ident(conn);
1302 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1306 static void l2cap_le_start(struct l2cap_chan *chan)
1308 struct l2cap_conn *conn = chan->conn;
1310 if (!smp_conn_security(conn->hcon, chan->sec_level))
1314 l2cap_chan_ready(chan);
1318 if (chan->state == BT_CONNECT)
1319 l2cap_le_connect(chan);
1322 static void l2cap_start_connection(struct l2cap_chan *chan)
1324 if (__amp_capable(chan)) {
1325 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1326 a2mp_discover_amp(chan);
1327 } else if (chan->conn->hcon->type == LE_LINK) {
1328 l2cap_le_start(chan);
1330 l2cap_send_conn_req(chan);
1334 static void l2cap_request_info(struct l2cap_conn *conn)
1336 struct l2cap_info_req req;
1338 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1341 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1343 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1344 conn->info_ident = l2cap_get_ident(conn);
1346 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1348 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1352 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1354 /* The minimum encryption key size needs to be enforced by the
1355 * host stack before establishing any L2CAP connections. The
1356 * specification in theory allows a minimum of 1, but to align
1357 * BR/EDR and LE transports, a minimum of 7 is chosen.
1359 * This check might also be called for unencrypted connections
1360 * that have no key size requirements. Ensure that the link is
1361 * actually encrypted before enforcing a key size.
1363 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1364 hcon->enc_key_size >= HCI_MIN_ENC_KEY_SIZE);
1367 static void l2cap_do_start(struct l2cap_chan *chan)
1369 struct l2cap_conn *conn = chan->conn;
1371 if (conn->hcon->type == LE_LINK) {
1372 l2cap_le_start(chan);
1376 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1377 l2cap_request_info(conn);
1381 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1384 if (!l2cap_chan_check_security(chan, true) ||
1385 !__l2cap_no_conn_pending(chan))
1388 if (l2cap_check_enc_key_size(conn->hcon))
1389 l2cap_start_connection(chan);
1391 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1394 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1396 u32 local_feat_mask = l2cap_feat_mask;
1398 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1401 case L2CAP_MODE_ERTM:
1402 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1403 case L2CAP_MODE_STREAMING:
1404 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1410 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1412 struct l2cap_conn *conn = chan->conn;
1413 struct l2cap_disconn_req req;
1418 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1419 __clear_retrans_timer(chan);
1420 __clear_monitor_timer(chan);
1421 __clear_ack_timer(chan);
1424 if (chan->scid == L2CAP_CID_A2MP) {
1425 l2cap_state_change(chan, BT_DISCONN);
1429 req.dcid = cpu_to_le16(chan->dcid);
1430 req.scid = cpu_to_le16(chan->scid);
1431 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1434 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1437 /* ---- L2CAP connections ---- */
1438 static void l2cap_conn_start(struct l2cap_conn *conn)
1440 struct l2cap_chan *chan, *tmp;
1442 BT_DBG("conn %p", conn);
1444 mutex_lock(&conn->chan_lock);
1446 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1447 l2cap_chan_lock(chan);
1449 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1450 l2cap_chan_ready(chan);
1451 l2cap_chan_unlock(chan);
1455 if (chan->state == BT_CONNECT) {
1456 if (!l2cap_chan_check_security(chan, true) ||
1457 !__l2cap_no_conn_pending(chan)) {
1458 l2cap_chan_unlock(chan);
1462 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1463 && test_bit(CONF_STATE2_DEVICE,
1464 &chan->conf_state)) {
1465 l2cap_chan_close(chan, ECONNRESET);
1466 l2cap_chan_unlock(chan);
1470 if (l2cap_check_enc_key_size(conn->hcon))
1471 l2cap_start_connection(chan);
1473 l2cap_chan_close(chan, ECONNREFUSED);
1475 } else if (chan->state == BT_CONNECT2) {
1476 struct l2cap_conn_rsp rsp;
1478 rsp.scid = cpu_to_le16(chan->dcid);
1479 rsp.dcid = cpu_to_le16(chan->scid);
1481 if (l2cap_chan_check_security(chan, false)) {
1482 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1483 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1484 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1485 chan->ops->defer(chan);
1488 l2cap_state_change(chan, BT_CONFIG);
1489 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1490 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1493 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1494 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1497 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1500 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1501 rsp.result != L2CAP_CR_SUCCESS) {
1502 l2cap_chan_unlock(chan);
1506 set_bit(CONF_REQ_SENT, &chan->conf_state);
1507 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1508 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1509 chan->num_conf_req++;
1512 l2cap_chan_unlock(chan);
1515 mutex_unlock(&conn->chan_lock);
1518 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1520 struct hci_conn *hcon = conn->hcon;
1521 struct hci_dev *hdev = hcon->hdev;
1523 BT_DBG("%s conn %p", hdev->name, conn);
1525 /* For outgoing pairing which doesn't necessarily have an
1526 * associated socket (e.g. mgmt_pair_device).
1529 smp_conn_security(hcon, hcon->pending_sec_level);
1531 /* For LE slave connections, make sure the connection interval
1532 * is in the range of the minium and maximum interval that has
1533 * been configured for this connection. If not, then trigger
1534 * the connection update procedure.
1536 if (hcon->role == HCI_ROLE_SLAVE &&
1537 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1538 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1539 struct l2cap_conn_param_update_req req;
1541 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1542 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1543 req.latency = cpu_to_le16(hcon->le_conn_latency);
1544 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1546 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1547 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1551 static void l2cap_conn_ready(struct l2cap_conn *conn)
1553 struct l2cap_chan *chan;
1554 struct hci_conn *hcon = conn->hcon;
1556 BT_DBG("conn %p", conn);
1558 if (hcon->type == ACL_LINK)
1559 l2cap_request_info(conn);
1561 mutex_lock(&conn->chan_lock);
1563 list_for_each_entry(chan, &conn->chan_l, list) {
1565 l2cap_chan_lock(chan);
1567 if (chan->scid == L2CAP_CID_A2MP) {
1568 l2cap_chan_unlock(chan);
1572 if (hcon->type == LE_LINK) {
1573 l2cap_le_start(chan);
1574 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1575 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1576 l2cap_chan_ready(chan);
1577 } else if (chan->state == BT_CONNECT) {
1578 l2cap_do_start(chan);
1581 l2cap_chan_unlock(chan);
1584 mutex_unlock(&conn->chan_lock);
1586 if (hcon->type == LE_LINK)
1587 l2cap_le_conn_ready(conn);
1589 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1592 /* Notify sockets that we cannot guaranty reliability anymore */
1593 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1595 struct l2cap_chan *chan;
1597 BT_DBG("conn %p", conn);
1599 mutex_lock(&conn->chan_lock);
1601 list_for_each_entry(chan, &conn->chan_l, list) {
1602 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1603 l2cap_chan_set_err(chan, err);
1606 mutex_unlock(&conn->chan_lock);
1609 static void l2cap_info_timeout(struct work_struct *work)
1611 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1614 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1615 conn->info_ident = 0;
1617 l2cap_conn_start(conn);
1622 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1623 * callback is called during registration. The ->remove callback is called
1624 * during unregistration.
1625 * An l2cap_user object can either be explicitly unregistered or when the
1626 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1627 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1628 * External modules must own a reference to the l2cap_conn object if they intend
1629 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1630 * any time if they don't.
1633 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1635 struct hci_dev *hdev = conn->hcon->hdev;
1638 /* We need to check whether l2cap_conn is registered. If it is not, we
1639 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1640 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1641 * relies on the parent hci_conn object to be locked. This itself relies
1642 * on the hci_dev object to be locked. So we must lock the hci device
1647 if (!list_empty(&user->list)) {
1652 /* conn->hchan is NULL after l2cap_conn_del() was called */
1658 ret = user->probe(conn, user);
1662 list_add(&user->list, &conn->users);
1666 hci_dev_unlock(hdev);
1669 EXPORT_SYMBOL(l2cap_register_user);
1671 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1673 struct hci_dev *hdev = conn->hcon->hdev;
1677 if (list_empty(&user->list))
1680 list_del_init(&user->list);
1681 user->remove(conn, user);
1684 hci_dev_unlock(hdev);
1686 EXPORT_SYMBOL(l2cap_unregister_user);
1688 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1690 struct l2cap_user *user;
1692 while (!list_empty(&conn->users)) {
1693 user = list_first_entry(&conn->users, struct l2cap_user, list);
1694 list_del_init(&user->list);
1695 user->remove(conn, user);
1699 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1701 struct l2cap_conn *conn = hcon->l2cap_data;
1702 struct l2cap_chan *chan, *l;
1707 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1709 kfree_skb(conn->rx_skb);
1711 skb_queue_purge(&conn->pending_rx);
1713 /* We can not call flush_work(&conn->pending_rx_work) here since we
1714 * might block if we are running on a worker from the same workqueue
1715 * pending_rx_work is waiting on.
1717 if (work_pending(&conn->pending_rx_work))
1718 cancel_work_sync(&conn->pending_rx_work);
1720 if (work_pending(&conn->id_addr_update_work))
1721 cancel_work_sync(&conn->id_addr_update_work);
1723 l2cap_unregister_all_users(conn);
1725 /* Force the connection to be immediately dropped */
1726 hcon->disc_timeout = 0;
1728 mutex_lock(&conn->chan_lock);
1731 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1732 l2cap_chan_hold(chan);
1733 l2cap_chan_lock(chan);
1735 l2cap_chan_del(chan, err);
1737 l2cap_chan_unlock(chan);
1739 chan->ops->close(chan);
1740 l2cap_chan_put(chan);
1743 mutex_unlock(&conn->chan_lock);
1745 hci_chan_del(conn->hchan);
1747 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1748 cancel_delayed_work_sync(&conn->info_timer);
1750 hcon->l2cap_data = NULL;
1752 l2cap_conn_put(conn);
1755 static void l2cap_conn_free(struct kref *ref)
1757 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1759 hci_conn_put(conn->hcon);
1763 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1765 kref_get(&conn->ref);
1768 EXPORT_SYMBOL(l2cap_conn_get);
1770 void l2cap_conn_put(struct l2cap_conn *conn)
1772 kref_put(&conn->ref, l2cap_conn_free);
1774 EXPORT_SYMBOL(l2cap_conn_put);
1776 /* ---- Socket interface ---- */
1778 /* Find socket with psm and source / destination bdaddr.
1779 * Returns closest match.
1781 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1786 struct l2cap_chan *c, *c1 = NULL;
1788 read_lock(&chan_list_lock);
1790 list_for_each_entry(c, &chan_list, global_l) {
1791 if (state && c->state != state)
1794 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1797 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1800 if (c->psm == psm) {
1801 int src_match, dst_match;
1802 int src_any, dst_any;
1805 src_match = !bacmp(&c->src, src);
1806 dst_match = !bacmp(&c->dst, dst);
1807 if (src_match && dst_match) {
1809 read_unlock(&chan_list_lock);
1814 src_any = !bacmp(&c->src, BDADDR_ANY);
1815 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1816 if ((src_match && dst_any) || (src_any && dst_match) ||
1817 (src_any && dst_any))
1823 l2cap_chan_hold(c1);
1825 read_unlock(&chan_list_lock);
1830 static void l2cap_monitor_timeout(struct work_struct *work)
1832 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1833 monitor_timer.work);
1835 BT_DBG("chan %p", chan);
1837 l2cap_chan_lock(chan);
1840 l2cap_chan_unlock(chan);
1841 l2cap_chan_put(chan);
1845 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1847 l2cap_chan_unlock(chan);
1848 l2cap_chan_put(chan);
1851 static void l2cap_retrans_timeout(struct work_struct *work)
1853 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1854 retrans_timer.work);
1856 BT_DBG("chan %p", chan);
1858 l2cap_chan_lock(chan);
1861 l2cap_chan_unlock(chan);
1862 l2cap_chan_put(chan);
1866 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1867 l2cap_chan_unlock(chan);
1868 l2cap_chan_put(chan);
1871 static void l2cap_streaming_send(struct l2cap_chan *chan,
1872 struct sk_buff_head *skbs)
1874 struct sk_buff *skb;
1875 struct l2cap_ctrl *control;
1877 BT_DBG("chan %p, skbs %p", chan, skbs);
1879 if (__chan_is_moving(chan))
1882 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1884 while (!skb_queue_empty(&chan->tx_q)) {
1886 skb = skb_dequeue(&chan->tx_q);
1888 bt_cb(skb)->l2cap.retries = 1;
1889 control = &bt_cb(skb)->l2cap;
1891 control->reqseq = 0;
1892 control->txseq = chan->next_tx_seq;
1894 __pack_control(chan, control, skb);
1896 if (chan->fcs == L2CAP_FCS_CRC16) {
1897 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1898 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1901 l2cap_do_send(chan, skb);
1903 BT_DBG("Sent txseq %u", control->txseq);
1905 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1906 chan->frames_sent++;
1910 static int l2cap_ertm_send(struct l2cap_chan *chan)
1912 struct sk_buff *skb, *tx_skb;
1913 struct l2cap_ctrl *control;
1916 BT_DBG("chan %p", chan);
1918 if (chan->state != BT_CONNECTED)
1921 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1924 if (__chan_is_moving(chan))
1927 while (chan->tx_send_head &&
1928 chan->unacked_frames < chan->remote_tx_win &&
1929 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1931 skb = chan->tx_send_head;
1933 bt_cb(skb)->l2cap.retries = 1;
1934 control = &bt_cb(skb)->l2cap;
1936 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1939 control->reqseq = chan->buffer_seq;
1940 chan->last_acked_seq = chan->buffer_seq;
1941 control->txseq = chan->next_tx_seq;
1943 __pack_control(chan, control, skb);
1945 if (chan->fcs == L2CAP_FCS_CRC16) {
1946 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1947 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1950 /* Clone after data has been modified. Data is assumed to be
1951 read-only (for locking purposes) on cloned sk_buffs.
1953 tx_skb = skb_clone(skb, GFP_KERNEL);
1958 __set_retrans_timer(chan);
1960 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1961 chan->unacked_frames++;
1962 chan->frames_sent++;
1965 if (skb_queue_is_last(&chan->tx_q, skb))
1966 chan->tx_send_head = NULL;
1968 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1970 l2cap_do_send(chan, tx_skb);
1971 BT_DBG("Sent txseq %u", control->txseq);
1974 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1975 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1980 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1982 struct l2cap_ctrl control;
1983 struct sk_buff *skb;
1984 struct sk_buff *tx_skb;
1987 BT_DBG("chan %p", chan);
1989 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1992 if (__chan_is_moving(chan))
1995 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1996 seq = l2cap_seq_list_pop(&chan->retrans_list);
1998 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2000 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2005 bt_cb(skb)->l2cap.retries++;
2006 control = bt_cb(skb)->l2cap;
2008 if (chan->max_tx != 0 &&
2009 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2010 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2011 l2cap_send_disconn_req(chan, ECONNRESET);
2012 l2cap_seq_list_clear(&chan->retrans_list);
2016 control.reqseq = chan->buffer_seq;
2017 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2022 if (skb_cloned(skb)) {
2023 /* Cloned sk_buffs are read-only, so we need a
2026 tx_skb = skb_copy(skb, GFP_KERNEL);
2028 tx_skb = skb_clone(skb, GFP_KERNEL);
2032 l2cap_seq_list_clear(&chan->retrans_list);
2036 /* Update skb contents */
2037 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2038 put_unaligned_le32(__pack_extended_control(&control),
2039 tx_skb->data + L2CAP_HDR_SIZE);
2041 put_unaligned_le16(__pack_enhanced_control(&control),
2042 tx_skb->data + L2CAP_HDR_SIZE);
2046 if (chan->fcs == L2CAP_FCS_CRC16) {
2047 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2048 tx_skb->len - L2CAP_FCS_SIZE);
2049 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2053 l2cap_do_send(chan, tx_skb);
2055 BT_DBG("Resent txseq %d", control.txseq);
2057 chan->last_acked_seq = chan->buffer_seq;
2061 static void l2cap_retransmit(struct l2cap_chan *chan,
2062 struct l2cap_ctrl *control)
2064 BT_DBG("chan %p, control %p", chan, control);
2066 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2067 l2cap_ertm_resend(chan);
2070 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2071 struct l2cap_ctrl *control)
2073 struct sk_buff *skb;
2075 BT_DBG("chan %p, control %p", chan, control);
2078 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2080 l2cap_seq_list_clear(&chan->retrans_list);
2082 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2085 if (chan->unacked_frames) {
2086 skb_queue_walk(&chan->tx_q, skb) {
2087 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2088 skb == chan->tx_send_head)
2092 skb_queue_walk_from(&chan->tx_q, skb) {
2093 if (skb == chan->tx_send_head)
2096 l2cap_seq_list_append(&chan->retrans_list,
2097 bt_cb(skb)->l2cap.txseq);
2100 l2cap_ertm_resend(chan);
2104 static void l2cap_send_ack(struct l2cap_chan *chan)
2106 struct l2cap_ctrl control;
2107 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2108 chan->last_acked_seq);
2111 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2112 chan, chan->last_acked_seq, chan->buffer_seq);
2114 memset(&control, 0, sizeof(control));
2117 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2118 chan->rx_state == L2CAP_RX_STATE_RECV) {
2119 __clear_ack_timer(chan);
2120 control.super = L2CAP_SUPER_RNR;
2121 control.reqseq = chan->buffer_seq;
2122 l2cap_send_sframe(chan, &control);
2124 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2125 l2cap_ertm_send(chan);
2126 /* If any i-frames were sent, they included an ack */
2127 if (chan->buffer_seq == chan->last_acked_seq)
2131 /* Ack now if the window is 3/4ths full.
2132 * Calculate without mul or div
2134 threshold = chan->ack_win;
2135 threshold += threshold << 1;
2138 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2141 if (frames_to_ack >= threshold) {
2142 __clear_ack_timer(chan);
2143 control.super = L2CAP_SUPER_RR;
2144 control.reqseq = chan->buffer_seq;
2145 l2cap_send_sframe(chan, &control);
2150 __set_ack_timer(chan);
2154 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2155 struct msghdr *msg, int len,
2156 int count, struct sk_buff *skb)
2158 struct l2cap_conn *conn = chan->conn;
2159 struct sk_buff **frag;
2162 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2168 /* Continuation fragments (no L2CAP header) */
2169 frag = &skb_shinfo(skb)->frag_list;
2171 struct sk_buff *tmp;
2173 count = min_t(unsigned int, conn->mtu, len);
2175 tmp = chan->ops->alloc_skb(chan, 0, count,
2176 msg->msg_flags & MSG_DONTWAIT);
2178 return PTR_ERR(tmp);
2182 if (!copy_from_iter_full(skb_put(*frag, count), count,
2189 skb->len += (*frag)->len;
2190 skb->data_len += (*frag)->len;
2192 frag = &(*frag)->next;
2198 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2199 struct msghdr *msg, size_t len)
2201 struct l2cap_conn *conn = chan->conn;
2202 struct sk_buff *skb;
2203 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2204 struct l2cap_hdr *lh;
2206 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2207 __le16_to_cpu(chan->psm), len);
2209 count = min_t(unsigned int, (conn->mtu - hlen), len);
2211 skb = chan->ops->alloc_skb(chan, hlen, count,
2212 msg->msg_flags & MSG_DONTWAIT);
2216 /* Create L2CAP header */
2217 lh = skb_put(skb, L2CAP_HDR_SIZE);
2218 lh->cid = cpu_to_le16(chan->dcid);
2219 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2220 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2222 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2223 if (unlikely(err < 0)) {
2225 return ERR_PTR(err);
2230 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2231 struct msghdr *msg, size_t len)
2233 struct l2cap_conn *conn = chan->conn;
2234 struct sk_buff *skb;
2236 struct l2cap_hdr *lh;
2238 BT_DBG("chan %p len %zu", chan, len);
2240 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2242 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2243 msg->msg_flags & MSG_DONTWAIT);
2247 /* Create L2CAP header */
2248 lh = skb_put(skb, L2CAP_HDR_SIZE);
2249 lh->cid = cpu_to_le16(chan->dcid);
2250 lh->len = cpu_to_le16(len);
2252 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2253 if (unlikely(err < 0)) {
2255 return ERR_PTR(err);
2260 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2261 struct msghdr *msg, size_t len,
2264 struct l2cap_conn *conn = chan->conn;
2265 struct sk_buff *skb;
2266 int err, count, hlen;
2267 struct l2cap_hdr *lh;
2269 BT_DBG("chan %p len %zu", chan, len);
2272 return ERR_PTR(-ENOTCONN);
2274 hlen = __ertm_hdr_size(chan);
2277 hlen += L2CAP_SDULEN_SIZE;
2279 if (chan->fcs == L2CAP_FCS_CRC16)
2280 hlen += L2CAP_FCS_SIZE;
2282 count = min_t(unsigned int, (conn->mtu - hlen), len);
2284 skb = chan->ops->alloc_skb(chan, hlen, count,
2285 msg->msg_flags & MSG_DONTWAIT);
2289 /* Create L2CAP header */
2290 lh = skb_put(skb, L2CAP_HDR_SIZE);
2291 lh->cid = cpu_to_le16(chan->dcid);
2292 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2294 /* Control header is populated later */
2295 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2296 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2298 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2301 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2303 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2304 if (unlikely(err < 0)) {
2306 return ERR_PTR(err);
2309 bt_cb(skb)->l2cap.fcs = chan->fcs;
2310 bt_cb(skb)->l2cap.retries = 0;
2314 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2315 struct sk_buff_head *seg_queue,
2316 struct msghdr *msg, size_t len)
2318 struct sk_buff *skb;
2323 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2325 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2326 * so fragmented skbs are not used. The HCI layer's handling
2327 * of fragmented skbs is not compatible with ERTM's queueing.
2330 /* PDU size is derived from the HCI MTU */
2331 pdu_len = chan->conn->mtu;
2333 /* Constrain PDU size for BR/EDR connections */
2335 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2337 /* Adjust for largest possible L2CAP overhead. */
2339 pdu_len -= L2CAP_FCS_SIZE;
2341 pdu_len -= __ertm_hdr_size(chan);
2343 /* Remote device may have requested smaller PDUs */
2344 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2346 if (len <= pdu_len) {
2347 sar = L2CAP_SAR_UNSEGMENTED;
2351 sar = L2CAP_SAR_START;
2356 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2359 __skb_queue_purge(seg_queue);
2360 return PTR_ERR(skb);
2363 bt_cb(skb)->l2cap.sar = sar;
2364 __skb_queue_tail(seg_queue, skb);
2370 if (len <= pdu_len) {
2371 sar = L2CAP_SAR_END;
2374 sar = L2CAP_SAR_CONTINUE;
2381 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2383 size_t len, u16 sdulen)
2385 struct l2cap_conn *conn = chan->conn;
2386 struct sk_buff *skb;
2387 int err, count, hlen;
2388 struct l2cap_hdr *lh;
2390 BT_DBG("chan %p len %zu", chan, len);
2393 return ERR_PTR(-ENOTCONN);
2395 hlen = L2CAP_HDR_SIZE;
2398 hlen += L2CAP_SDULEN_SIZE;
2400 count = min_t(unsigned int, (conn->mtu - hlen), len);
2402 skb = chan->ops->alloc_skb(chan, hlen, count,
2403 msg->msg_flags & MSG_DONTWAIT);
2407 /* Create L2CAP header */
2408 lh = skb_put(skb, L2CAP_HDR_SIZE);
2409 lh->cid = cpu_to_le16(chan->dcid);
2410 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2413 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2415 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2416 if (unlikely(err < 0)) {
2418 return ERR_PTR(err);
2424 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2425 struct sk_buff_head *seg_queue,
2426 struct msghdr *msg, size_t len)
2428 struct sk_buff *skb;
2432 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2435 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2441 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2443 __skb_queue_purge(seg_queue);
2444 return PTR_ERR(skb);
2447 __skb_queue_tail(seg_queue, skb);
2453 pdu_len += L2CAP_SDULEN_SIZE;
2460 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2464 BT_DBG("chan %p", chan);
2466 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2467 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2472 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2473 skb_queue_len(&chan->tx_q));
2476 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2478 struct sk_buff *skb;
2480 struct sk_buff_head seg_queue;
2485 /* Connectionless channel */
2486 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2487 skb = l2cap_create_connless_pdu(chan, msg, len);
2489 return PTR_ERR(skb);
2491 /* Channel lock is released before requesting new skb and then
2492 * reacquired thus we need to recheck channel state.
2494 if (chan->state != BT_CONNECTED) {
2499 l2cap_do_send(chan, skb);
2503 switch (chan->mode) {
2504 case L2CAP_MODE_LE_FLOWCTL:
2505 /* Check outgoing MTU */
2506 if (len > chan->omtu)
2509 __skb_queue_head_init(&seg_queue);
2511 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2513 if (chan->state != BT_CONNECTED) {
2514 __skb_queue_purge(&seg_queue);
2521 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2523 l2cap_le_flowctl_send(chan);
2525 if (!chan->tx_credits)
2526 chan->ops->suspend(chan);
2532 case L2CAP_MODE_BASIC:
2533 /* Check outgoing MTU */
2534 if (len > chan->omtu)
2537 /* Create a basic PDU */
2538 skb = l2cap_create_basic_pdu(chan, msg, len);
2540 return PTR_ERR(skb);
2542 /* Channel lock is released before requesting new skb and then
2543 * reacquired thus we need to recheck channel state.
2545 if (chan->state != BT_CONNECTED) {
2550 l2cap_do_send(chan, skb);
2554 case L2CAP_MODE_ERTM:
2555 case L2CAP_MODE_STREAMING:
2556 /* Check outgoing MTU */
2557 if (len > chan->omtu) {
2562 __skb_queue_head_init(&seg_queue);
2564 /* Do segmentation before calling in to the state machine,
2565 * since it's possible to block while waiting for memory
2568 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2570 /* The channel could have been closed while segmenting,
2571 * check that it is still connected.
2573 if (chan->state != BT_CONNECTED) {
2574 __skb_queue_purge(&seg_queue);
2581 if (chan->mode == L2CAP_MODE_ERTM)
2582 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2584 l2cap_streaming_send(chan, &seg_queue);
2588 /* If the skbs were not queued for sending, they'll still be in
2589 * seg_queue and need to be purged.
2591 __skb_queue_purge(&seg_queue);
2595 BT_DBG("bad state %1.1x", chan->mode);
2601 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2603 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2605 struct l2cap_ctrl control;
2608 BT_DBG("chan %p, txseq %u", chan, txseq);
2610 memset(&control, 0, sizeof(control));
2612 control.super = L2CAP_SUPER_SREJ;
2614 for (seq = chan->expected_tx_seq; seq != txseq;
2615 seq = __next_seq(chan, seq)) {
2616 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2617 control.reqseq = seq;
2618 l2cap_send_sframe(chan, &control);
2619 l2cap_seq_list_append(&chan->srej_list, seq);
2623 chan->expected_tx_seq = __next_seq(chan, txseq);
2626 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2628 struct l2cap_ctrl control;
2630 BT_DBG("chan %p", chan);
2632 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2635 memset(&control, 0, sizeof(control));
2637 control.super = L2CAP_SUPER_SREJ;
2638 control.reqseq = chan->srej_list.tail;
2639 l2cap_send_sframe(chan, &control);
2642 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2644 struct l2cap_ctrl control;
2648 BT_DBG("chan %p, txseq %u", chan, txseq);
2650 memset(&control, 0, sizeof(control));
2652 control.super = L2CAP_SUPER_SREJ;
2654 /* Capture initial list head to allow only one pass through the list. */
2655 initial_head = chan->srej_list.head;
2658 seq = l2cap_seq_list_pop(&chan->srej_list);
2659 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2662 control.reqseq = seq;
2663 l2cap_send_sframe(chan, &control);
2664 l2cap_seq_list_append(&chan->srej_list, seq);
2665 } while (chan->srej_list.head != initial_head);
2668 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2670 struct sk_buff *acked_skb;
2673 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2675 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2678 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2679 chan->expected_ack_seq, chan->unacked_frames);
2681 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2682 ackseq = __next_seq(chan, ackseq)) {
2684 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2686 skb_unlink(acked_skb, &chan->tx_q);
2687 kfree_skb(acked_skb);
2688 chan->unacked_frames--;
2692 chan->expected_ack_seq = reqseq;
2694 if (chan->unacked_frames == 0)
2695 __clear_retrans_timer(chan);
2697 BT_DBG("unacked_frames %u", chan->unacked_frames);
2700 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2702 BT_DBG("chan %p", chan);
2704 chan->expected_tx_seq = chan->buffer_seq;
2705 l2cap_seq_list_clear(&chan->srej_list);
2706 skb_queue_purge(&chan->srej_q);
2707 chan->rx_state = L2CAP_RX_STATE_RECV;
2710 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2711 struct l2cap_ctrl *control,
2712 struct sk_buff_head *skbs, u8 event)
2714 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2718 case L2CAP_EV_DATA_REQUEST:
2719 if (chan->tx_send_head == NULL)
2720 chan->tx_send_head = skb_peek(skbs);
2722 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2723 l2cap_ertm_send(chan);
2725 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2726 BT_DBG("Enter LOCAL_BUSY");
2727 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2729 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2730 /* The SREJ_SENT state must be aborted if we are to
2731 * enter the LOCAL_BUSY state.
2733 l2cap_abort_rx_srej_sent(chan);
2736 l2cap_send_ack(chan);
2739 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2740 BT_DBG("Exit LOCAL_BUSY");
2741 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2743 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2744 struct l2cap_ctrl local_control;
2746 memset(&local_control, 0, sizeof(local_control));
2747 local_control.sframe = 1;
2748 local_control.super = L2CAP_SUPER_RR;
2749 local_control.poll = 1;
2750 local_control.reqseq = chan->buffer_seq;
2751 l2cap_send_sframe(chan, &local_control);
2753 chan->retry_count = 1;
2754 __set_monitor_timer(chan);
2755 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2758 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2759 l2cap_process_reqseq(chan, control->reqseq);
2761 case L2CAP_EV_EXPLICIT_POLL:
2762 l2cap_send_rr_or_rnr(chan, 1);
2763 chan->retry_count = 1;
2764 __set_monitor_timer(chan);
2765 __clear_ack_timer(chan);
2766 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2768 case L2CAP_EV_RETRANS_TO:
2769 l2cap_send_rr_or_rnr(chan, 1);
2770 chan->retry_count = 1;
2771 __set_monitor_timer(chan);
2772 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2774 case L2CAP_EV_RECV_FBIT:
2775 /* Nothing to process */
2782 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2783 struct l2cap_ctrl *control,
2784 struct sk_buff_head *skbs, u8 event)
2786 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2790 case L2CAP_EV_DATA_REQUEST:
2791 if (chan->tx_send_head == NULL)
2792 chan->tx_send_head = skb_peek(skbs);
2793 /* Queue data, but don't send. */
2794 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2796 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2797 BT_DBG("Enter LOCAL_BUSY");
2798 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2800 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2801 /* The SREJ_SENT state must be aborted if we are to
2802 * enter the LOCAL_BUSY state.
2804 l2cap_abort_rx_srej_sent(chan);
2807 l2cap_send_ack(chan);
2810 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2811 BT_DBG("Exit LOCAL_BUSY");
2812 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2814 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2815 struct l2cap_ctrl local_control;
2816 memset(&local_control, 0, sizeof(local_control));
2817 local_control.sframe = 1;
2818 local_control.super = L2CAP_SUPER_RR;
2819 local_control.poll = 1;
2820 local_control.reqseq = chan->buffer_seq;
2821 l2cap_send_sframe(chan, &local_control);
2823 chan->retry_count = 1;
2824 __set_monitor_timer(chan);
2825 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2828 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2829 l2cap_process_reqseq(chan, control->reqseq);
2833 case L2CAP_EV_RECV_FBIT:
2834 if (control && control->final) {
2835 __clear_monitor_timer(chan);
2836 if (chan->unacked_frames > 0)
2837 __set_retrans_timer(chan);
2838 chan->retry_count = 0;
2839 chan->tx_state = L2CAP_TX_STATE_XMIT;
2840 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2843 case L2CAP_EV_EXPLICIT_POLL:
2846 case L2CAP_EV_MONITOR_TO:
2847 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2848 l2cap_send_rr_or_rnr(chan, 1);
2849 __set_monitor_timer(chan);
2850 chan->retry_count++;
2852 l2cap_send_disconn_req(chan, ECONNABORTED);
2860 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2861 struct sk_buff_head *skbs, u8 event)
2863 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2864 chan, control, skbs, event, chan->tx_state);
2866 switch (chan->tx_state) {
2867 case L2CAP_TX_STATE_XMIT:
2868 l2cap_tx_state_xmit(chan, control, skbs, event);
2870 case L2CAP_TX_STATE_WAIT_F:
2871 l2cap_tx_state_wait_f(chan, control, skbs, event);
2879 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2880 struct l2cap_ctrl *control)
2882 BT_DBG("chan %p, control %p", chan, control);
2883 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2886 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2887 struct l2cap_ctrl *control)
2889 BT_DBG("chan %p, control %p", chan, control);
2890 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2893 /* Copy frame to all raw sockets on that connection */
2894 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2896 struct sk_buff *nskb;
2897 struct l2cap_chan *chan;
2899 BT_DBG("conn %p", conn);
2901 mutex_lock(&conn->chan_lock);
2903 list_for_each_entry(chan, &conn->chan_l, list) {
2904 if (chan->chan_type != L2CAP_CHAN_RAW)
2907 /* Don't send frame to the channel it came from */
2908 if (bt_cb(skb)->l2cap.chan == chan)
2911 nskb = skb_clone(skb, GFP_KERNEL);
2914 if (chan->ops->recv(chan, nskb))
2918 mutex_unlock(&conn->chan_lock);
2921 /* ---- L2CAP signalling commands ---- */
2922 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2923 u8 ident, u16 dlen, void *data)
2925 struct sk_buff *skb, **frag;
2926 struct l2cap_cmd_hdr *cmd;
2927 struct l2cap_hdr *lh;
2930 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2931 conn, code, ident, dlen);
2933 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2936 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2937 count = min_t(unsigned int, conn->mtu, len);
2939 skb = bt_skb_alloc(count, GFP_KERNEL);
2943 lh = skb_put(skb, L2CAP_HDR_SIZE);
2944 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2946 if (conn->hcon->type == LE_LINK)
2947 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2949 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2951 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2954 cmd->len = cpu_to_le16(dlen);
2957 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2958 skb_put_data(skb, data, count);
2964 /* Continuation fragments (no L2CAP header) */
2965 frag = &skb_shinfo(skb)->frag_list;
2967 count = min_t(unsigned int, conn->mtu, len);
2969 *frag = bt_skb_alloc(count, GFP_KERNEL);
2973 skb_put_data(*frag, data, count);
2978 frag = &(*frag)->next;
2988 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2991 struct l2cap_conf_opt *opt = *ptr;
2994 len = L2CAP_CONF_OPT_SIZE + opt->len;
3002 *val = *((u8 *) opt->val);
3006 *val = get_unaligned_le16(opt->val);
3010 *val = get_unaligned_le32(opt->val);
3014 *val = (unsigned long) opt->val;
3018 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3022 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3024 struct l2cap_conf_opt *opt = *ptr;
3026 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3028 if (size < L2CAP_CONF_OPT_SIZE + len)
3036 *((u8 *) opt->val) = val;
3040 put_unaligned_le16(val, opt->val);
3044 put_unaligned_le32(val, opt->val);
3048 memcpy(opt->val, (void *) val, len);
3052 *ptr += L2CAP_CONF_OPT_SIZE + len;
3055 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3057 struct l2cap_conf_efs efs;
3059 switch (chan->mode) {
3060 case L2CAP_MODE_ERTM:
3061 efs.id = chan->local_id;
3062 efs.stype = chan->local_stype;
3063 efs.msdu = cpu_to_le16(chan->local_msdu);
3064 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3065 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3066 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3069 case L2CAP_MODE_STREAMING:
3071 efs.stype = L2CAP_SERV_BESTEFFORT;
3072 efs.msdu = cpu_to_le16(chan->local_msdu);
3073 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3082 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3083 (unsigned long) &efs, size);
3086 static void l2cap_ack_timeout(struct work_struct *work)
3088 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3092 BT_DBG("chan %p", chan);
3094 l2cap_chan_lock(chan);
3096 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3097 chan->last_acked_seq);
3100 l2cap_send_rr_or_rnr(chan, 0);
3102 l2cap_chan_unlock(chan);
3103 l2cap_chan_put(chan);
3106 int l2cap_ertm_init(struct l2cap_chan *chan)
3110 chan->next_tx_seq = 0;
3111 chan->expected_tx_seq = 0;
3112 chan->expected_ack_seq = 0;
3113 chan->unacked_frames = 0;
3114 chan->buffer_seq = 0;
3115 chan->frames_sent = 0;
3116 chan->last_acked_seq = 0;
3118 chan->sdu_last_frag = NULL;
3121 skb_queue_head_init(&chan->tx_q);
3123 chan->local_amp_id = AMP_ID_BREDR;
3124 chan->move_id = AMP_ID_BREDR;
3125 chan->move_state = L2CAP_MOVE_STABLE;
3126 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3128 if (chan->mode != L2CAP_MODE_ERTM)
3131 chan->rx_state = L2CAP_RX_STATE_RECV;
3132 chan->tx_state = L2CAP_TX_STATE_XMIT;
3134 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3135 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3136 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3138 skb_queue_head_init(&chan->srej_q);
3140 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3144 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3146 l2cap_seq_list_free(&chan->srej_list);
3151 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3154 case L2CAP_MODE_STREAMING:
3155 case L2CAP_MODE_ERTM:
3156 if (l2cap_mode_supported(mode, remote_feat_mask))
3160 return L2CAP_MODE_BASIC;
3164 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3166 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3167 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3170 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3172 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3173 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3176 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3177 struct l2cap_conf_rfc *rfc)
3179 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3180 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3182 /* Class 1 devices have must have ERTM timeouts
3183 * exceeding the Link Supervision Timeout. The
3184 * default Link Supervision Timeout for AMP
3185 * controllers is 10 seconds.
3187 * Class 1 devices use 0xffffffff for their
3188 * best-effort flush timeout, so the clamping logic
3189 * will result in a timeout that meets the above
3190 * requirement. ERTM timeouts are 16-bit values, so
3191 * the maximum timeout is 65.535 seconds.
3194 /* Convert timeout to milliseconds and round */
3195 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3197 /* This is the recommended formula for class 2 devices
3198 * that start ERTM timers when packets are sent to the
3201 ertm_to = 3 * ertm_to + 500;
3203 if (ertm_to > 0xffff)
3206 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3207 rfc->monitor_timeout = rfc->retrans_timeout;
3209 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3210 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3214 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3216 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3217 __l2cap_ews_supported(chan->conn)) {
3218 /* use extended control field */
3219 set_bit(FLAG_EXT_CTRL, &chan->flags);
3220 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3222 chan->tx_win = min_t(u16, chan->tx_win,
3223 L2CAP_DEFAULT_TX_WINDOW);
3224 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3226 chan->ack_win = chan->tx_win;
3229 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3231 struct l2cap_conf_req *req = data;
3232 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3233 void *ptr = req->data;
3234 void *endptr = data + data_size;
3237 BT_DBG("chan %p", chan);
3239 if (chan->num_conf_req || chan->num_conf_rsp)
3242 switch (chan->mode) {
3243 case L2CAP_MODE_STREAMING:
3244 case L2CAP_MODE_ERTM:
3245 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3248 if (__l2cap_efs_supported(chan->conn))
3249 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3253 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3258 if (chan->imtu != L2CAP_DEFAULT_MTU)
3259 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3261 switch (chan->mode) {
3262 case L2CAP_MODE_BASIC:
3266 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3267 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3270 rfc.mode = L2CAP_MODE_BASIC;
3272 rfc.max_transmit = 0;
3273 rfc.retrans_timeout = 0;
3274 rfc.monitor_timeout = 0;
3275 rfc.max_pdu_size = 0;
3277 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3278 (unsigned long) &rfc, endptr - ptr);
3281 case L2CAP_MODE_ERTM:
3282 rfc.mode = L2CAP_MODE_ERTM;
3283 rfc.max_transmit = chan->max_tx;
3285 __l2cap_set_ertm_timeouts(chan, &rfc);
3287 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3288 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3290 rfc.max_pdu_size = cpu_to_le16(size);
3292 l2cap_txwin_setup(chan);
3294 rfc.txwin_size = min_t(u16, chan->tx_win,
3295 L2CAP_DEFAULT_TX_WINDOW);
3297 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3298 (unsigned long) &rfc, endptr - ptr);
3300 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3301 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3303 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3304 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3305 chan->tx_win, endptr - ptr);
3307 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3308 if (chan->fcs == L2CAP_FCS_NONE ||
3309 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3310 chan->fcs = L2CAP_FCS_NONE;
3311 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3312 chan->fcs, endptr - ptr);
3316 case L2CAP_MODE_STREAMING:
3317 l2cap_txwin_setup(chan);
3318 rfc.mode = L2CAP_MODE_STREAMING;
3320 rfc.max_transmit = 0;
3321 rfc.retrans_timeout = 0;
3322 rfc.monitor_timeout = 0;
3324 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3325 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3327 rfc.max_pdu_size = cpu_to_le16(size);
3329 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3330 (unsigned long) &rfc, endptr - ptr);
3332 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3333 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3335 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3336 if (chan->fcs == L2CAP_FCS_NONE ||
3337 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3338 chan->fcs = L2CAP_FCS_NONE;
3339 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3340 chan->fcs, endptr - ptr);
3345 req->dcid = cpu_to_le16(chan->dcid);
3346 req->flags = cpu_to_le16(0);
3351 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3353 struct l2cap_conf_rsp *rsp = data;
3354 void *ptr = rsp->data;
3355 void *endptr = data + data_size;
3356 void *req = chan->conf_req;
3357 int len = chan->conf_len;
3358 int type, hint, olen;
3360 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3361 struct l2cap_conf_efs efs;
3363 u16 mtu = L2CAP_DEFAULT_MTU;
3364 u16 result = L2CAP_CONF_SUCCESS;
3367 BT_DBG("chan %p", chan);
3369 while (len >= L2CAP_CONF_OPT_SIZE) {
3370 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3374 hint = type & L2CAP_CONF_HINT;
3375 type &= L2CAP_CONF_MASK;
3378 case L2CAP_CONF_MTU:
3384 case L2CAP_CONF_FLUSH_TO:
3387 chan->flush_to = val;
3390 case L2CAP_CONF_QOS:
3393 case L2CAP_CONF_RFC:
3394 if (olen != sizeof(rfc))
3396 memcpy(&rfc, (void *) val, olen);
3399 case L2CAP_CONF_FCS:
3402 if (val == L2CAP_FCS_NONE)
3403 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3406 case L2CAP_CONF_EFS:
3407 if (olen != sizeof(efs))
3410 memcpy(&efs, (void *) val, olen);
3413 case L2CAP_CONF_EWS:
3416 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3417 return -ECONNREFUSED;
3418 set_bit(FLAG_EXT_CTRL, &chan->flags);
3419 set_bit(CONF_EWS_RECV, &chan->conf_state);
3420 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3421 chan->remote_tx_win = val;
3427 result = L2CAP_CONF_UNKNOWN;
3428 *((u8 *) ptr++) = type;
3433 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3436 switch (chan->mode) {
3437 case L2CAP_MODE_STREAMING:
3438 case L2CAP_MODE_ERTM:
3439 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3440 chan->mode = l2cap_select_mode(rfc.mode,
3441 chan->conn->feat_mask);
3446 if (__l2cap_efs_supported(chan->conn))
3447 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3449 return -ECONNREFUSED;
3452 if (chan->mode != rfc.mode)
3453 return -ECONNREFUSED;
3459 if (chan->mode != rfc.mode) {
3460 result = L2CAP_CONF_UNACCEPT;
3461 rfc.mode = chan->mode;
3463 if (chan->num_conf_rsp == 1)
3464 return -ECONNREFUSED;
3466 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3467 (unsigned long) &rfc, endptr - ptr);
3470 if (result == L2CAP_CONF_SUCCESS) {
3471 /* Configure output options and let the other side know
3472 * which ones we don't like. */
3474 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3475 result = L2CAP_CONF_UNACCEPT;
3478 set_bit(CONF_MTU_DONE, &chan->conf_state);
3480 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3483 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3484 efs.stype != L2CAP_SERV_NOTRAFIC &&
3485 efs.stype != chan->local_stype) {
3487 result = L2CAP_CONF_UNACCEPT;
3489 if (chan->num_conf_req >= 1)
3490 return -ECONNREFUSED;
3492 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3494 (unsigned long) &efs, endptr - ptr);
3496 /* Send PENDING Conf Rsp */
3497 result = L2CAP_CONF_PENDING;
3498 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3503 case L2CAP_MODE_BASIC:
3504 chan->fcs = L2CAP_FCS_NONE;
3505 set_bit(CONF_MODE_DONE, &chan->conf_state);
3508 case L2CAP_MODE_ERTM:
3509 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3510 chan->remote_tx_win = rfc.txwin_size;
3512 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3514 chan->remote_max_tx = rfc.max_transmit;
3516 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3517 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3518 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3519 rfc.max_pdu_size = cpu_to_le16(size);
3520 chan->remote_mps = size;
3522 __l2cap_set_ertm_timeouts(chan, &rfc);
3524 set_bit(CONF_MODE_DONE, &chan->conf_state);
3526 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3527 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3529 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3530 chan->remote_id = efs.id;
3531 chan->remote_stype = efs.stype;
3532 chan->remote_msdu = le16_to_cpu(efs.msdu);
3533 chan->remote_flush_to =
3534 le32_to_cpu(efs.flush_to);
3535 chan->remote_acc_lat =
3536 le32_to_cpu(efs.acc_lat);
3537 chan->remote_sdu_itime =
3538 le32_to_cpu(efs.sdu_itime);
3539 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3541 (unsigned long) &efs, endptr - ptr);
3545 case L2CAP_MODE_STREAMING:
3546 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3547 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3548 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3549 rfc.max_pdu_size = cpu_to_le16(size);
3550 chan->remote_mps = size;
3552 set_bit(CONF_MODE_DONE, &chan->conf_state);
3554 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3555 (unsigned long) &rfc, endptr - ptr);
3560 result = L2CAP_CONF_UNACCEPT;
3562 memset(&rfc, 0, sizeof(rfc));
3563 rfc.mode = chan->mode;
3566 if (result == L2CAP_CONF_SUCCESS)
3567 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3569 rsp->scid = cpu_to_le16(chan->dcid);
3570 rsp->result = cpu_to_le16(result);
3571 rsp->flags = cpu_to_le16(0);
3576 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3577 void *data, size_t size, u16 *result)
3579 struct l2cap_conf_req *req = data;
3580 void *ptr = req->data;
3581 void *endptr = data + size;
3584 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3585 struct l2cap_conf_efs efs;
3587 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3589 while (len >= L2CAP_CONF_OPT_SIZE) {
3590 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3595 case L2CAP_CONF_MTU:
3598 if (val < L2CAP_DEFAULT_MIN_MTU) {
3599 *result = L2CAP_CONF_UNACCEPT;
3600 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3603 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3607 case L2CAP_CONF_FLUSH_TO:
3610 chan->flush_to = val;
3611 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3612 chan->flush_to, endptr - ptr);
3615 case L2CAP_CONF_RFC:
3616 if (olen != sizeof(rfc))
3618 memcpy(&rfc, (void *)val, olen);
3619 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3620 rfc.mode != chan->mode)
3621 return -ECONNREFUSED;
3623 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3624 (unsigned long) &rfc, endptr - ptr);
3627 case L2CAP_CONF_EWS:
3630 chan->ack_win = min_t(u16, val, chan->ack_win);
3631 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3632 chan->tx_win, endptr - ptr);
3635 case L2CAP_CONF_EFS:
3636 if (olen != sizeof(efs))
3638 memcpy(&efs, (void *)val, olen);
3639 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3640 efs.stype != L2CAP_SERV_NOTRAFIC &&
3641 efs.stype != chan->local_stype)
3642 return -ECONNREFUSED;
3643 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3644 (unsigned long) &efs, endptr - ptr);
3647 case L2CAP_CONF_FCS:
3650 if (*result == L2CAP_CONF_PENDING)
3651 if (val == L2CAP_FCS_NONE)
3652 set_bit(CONF_RECV_NO_FCS,
3658 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3659 return -ECONNREFUSED;
3661 chan->mode = rfc.mode;
3663 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3665 case L2CAP_MODE_ERTM:
3666 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3667 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3668 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3669 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3670 chan->ack_win = min_t(u16, chan->ack_win,
3673 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3674 chan->local_msdu = le16_to_cpu(efs.msdu);
3675 chan->local_sdu_itime =
3676 le32_to_cpu(efs.sdu_itime);
3677 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3678 chan->local_flush_to =
3679 le32_to_cpu(efs.flush_to);
3683 case L2CAP_MODE_STREAMING:
3684 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3688 req->dcid = cpu_to_le16(chan->dcid);
3689 req->flags = cpu_to_le16(0);
3694 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3695 u16 result, u16 flags)
3697 struct l2cap_conf_rsp *rsp = data;
3698 void *ptr = rsp->data;
3700 BT_DBG("chan %p", chan);
3702 rsp->scid = cpu_to_le16(chan->dcid);
3703 rsp->result = cpu_to_le16(result);
3704 rsp->flags = cpu_to_le16(flags);
3709 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3711 struct l2cap_le_conn_rsp rsp;
3712 struct l2cap_conn *conn = chan->conn;
3714 BT_DBG("chan %p", chan);
3716 rsp.dcid = cpu_to_le16(chan->scid);
3717 rsp.mtu = cpu_to_le16(chan->imtu);
3718 rsp.mps = cpu_to_le16(chan->mps);
3719 rsp.credits = cpu_to_le16(chan->rx_credits);
3720 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3722 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3726 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3728 struct l2cap_conn_rsp rsp;
3729 struct l2cap_conn *conn = chan->conn;
3733 rsp.scid = cpu_to_le16(chan->dcid);
3734 rsp.dcid = cpu_to_le16(chan->scid);
3735 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3736 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3739 rsp_code = L2CAP_CREATE_CHAN_RSP;
3741 rsp_code = L2CAP_CONN_RSP;
3743 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3745 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3747 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3750 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3751 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3752 chan->num_conf_req++;
3755 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3759 /* Use sane default values in case a misbehaving remote device
3760 * did not send an RFC or extended window size option.
3762 u16 txwin_ext = chan->ack_win;
3763 struct l2cap_conf_rfc rfc = {
3765 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3766 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3767 .max_pdu_size = cpu_to_le16(chan->imtu),
3768 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3771 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3773 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3776 while (len >= L2CAP_CONF_OPT_SIZE) {
3777 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3782 case L2CAP_CONF_RFC:
3783 if (olen != sizeof(rfc))
3785 memcpy(&rfc, (void *)val, olen);
3787 case L2CAP_CONF_EWS:
3796 case L2CAP_MODE_ERTM:
3797 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3798 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3799 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3800 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3801 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3803 chan->ack_win = min_t(u16, chan->ack_win,
3806 case L2CAP_MODE_STREAMING:
3807 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3811 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3812 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3815 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3817 if (cmd_len < sizeof(*rej))
3820 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3823 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3824 cmd->ident == conn->info_ident) {
3825 cancel_delayed_work(&conn->info_timer);
3827 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3828 conn->info_ident = 0;
3830 l2cap_conn_start(conn);
3836 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3837 struct l2cap_cmd_hdr *cmd,
3838 u8 *data, u8 rsp_code, u8 amp_id)
3840 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3841 struct l2cap_conn_rsp rsp;
3842 struct l2cap_chan *chan = NULL, *pchan;
3843 int result, status = L2CAP_CS_NO_INFO;
3845 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3846 __le16 psm = req->psm;
3848 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3850 /* Check if we have socket listening on psm */
3851 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3852 &conn->hcon->dst, ACL_LINK);
3854 result = L2CAP_CR_BAD_PSM;
3858 mutex_lock(&conn->chan_lock);
3859 l2cap_chan_lock(pchan);
3861 /* Check if the ACL is secure enough (if not SDP) */
3862 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3863 !hci_conn_check_link_mode(conn->hcon)) {
3864 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3865 result = L2CAP_CR_SEC_BLOCK;
3869 result = L2CAP_CR_NO_MEM;
3871 /* Check for valid dynamic CID range (as per Erratum 3253) */
3872 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3873 result = L2CAP_CR_INVALID_SCID;
3877 /* Check if we already have channel with that dcid */
3878 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3879 result = L2CAP_CR_SCID_IN_USE;
3883 chan = pchan->ops->new_connection(pchan);
3887 /* For certain devices (ex: HID mouse), support for authentication,
3888 * pairing and bonding is optional. For such devices, inorder to avoid
3889 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3890 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3892 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3894 bacpy(&chan->src, &conn->hcon->src);
3895 bacpy(&chan->dst, &conn->hcon->dst);
3896 chan->src_type = bdaddr_src_type(conn->hcon);
3897 chan->dst_type = bdaddr_dst_type(conn->hcon);
3900 chan->local_amp_id = amp_id;
3902 __l2cap_chan_add(conn, chan);
3906 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3908 chan->ident = cmd->ident;
3910 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3911 if (l2cap_chan_check_security(chan, false)) {
3912 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3913 l2cap_state_change(chan, BT_CONNECT2);
3914 result = L2CAP_CR_PEND;
3915 status = L2CAP_CS_AUTHOR_PEND;
3916 chan->ops->defer(chan);
3918 /* Force pending result for AMP controllers.
3919 * The connection will succeed after the
3920 * physical link is up.
3922 if (amp_id == AMP_ID_BREDR) {
3923 l2cap_state_change(chan, BT_CONFIG);
3924 result = L2CAP_CR_SUCCESS;
3926 l2cap_state_change(chan, BT_CONNECT2);
3927 result = L2CAP_CR_PEND;
3929 status = L2CAP_CS_NO_INFO;
3932 l2cap_state_change(chan, BT_CONNECT2);
3933 result = L2CAP_CR_PEND;
3934 status = L2CAP_CS_AUTHEN_PEND;
3937 l2cap_state_change(chan, BT_CONNECT2);
3938 result = L2CAP_CR_PEND;
3939 status = L2CAP_CS_NO_INFO;
3943 l2cap_chan_unlock(pchan);
3944 mutex_unlock(&conn->chan_lock);
3945 l2cap_chan_put(pchan);
3948 rsp.scid = cpu_to_le16(scid);
3949 rsp.dcid = cpu_to_le16(dcid);
3950 rsp.result = cpu_to_le16(result);
3951 rsp.status = cpu_to_le16(status);
3952 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3954 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3955 struct l2cap_info_req info;
3956 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3958 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3959 conn->info_ident = l2cap_get_ident(conn);
3961 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3963 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3964 sizeof(info), &info);
3967 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3968 result == L2CAP_CR_SUCCESS) {
3970 set_bit(CONF_REQ_SENT, &chan->conf_state);
3971 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3972 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3973 chan->num_conf_req++;
3979 static int l2cap_connect_req(struct l2cap_conn *conn,
3980 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3982 struct hci_dev *hdev = conn->hcon->hdev;
3983 struct hci_conn *hcon = conn->hcon;
3985 if (cmd_len < sizeof(struct l2cap_conn_req))
3989 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3990 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3991 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3992 hci_dev_unlock(hdev);
3994 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3998 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3999 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4002 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4003 u16 scid, dcid, result, status;
4004 struct l2cap_chan *chan;
4008 if (cmd_len < sizeof(*rsp))
4011 scid = __le16_to_cpu(rsp->scid);
4012 dcid = __le16_to_cpu(rsp->dcid);
4013 result = __le16_to_cpu(rsp->result);
4014 status = __le16_to_cpu(rsp->status);
4016 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4017 dcid, scid, result, status);
4019 mutex_lock(&conn->chan_lock);
4022 chan = __l2cap_get_chan_by_scid(conn, scid);
4028 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4037 l2cap_chan_lock(chan);
4040 case L2CAP_CR_SUCCESS:
4041 l2cap_state_change(chan, BT_CONFIG);
4044 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4046 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4049 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4050 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4051 chan->num_conf_req++;
4055 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4059 l2cap_chan_del(chan, ECONNREFUSED);
4063 l2cap_chan_unlock(chan);
4066 mutex_unlock(&conn->chan_lock);
4071 static inline void set_default_fcs(struct l2cap_chan *chan)
4073 /* FCS is enabled only in ERTM or streaming mode, if one or both
4076 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4077 chan->fcs = L2CAP_FCS_NONE;
4078 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4079 chan->fcs = L2CAP_FCS_CRC16;
4082 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4083 u8 ident, u16 flags)
4085 struct l2cap_conn *conn = chan->conn;
4087 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4090 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4091 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4093 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4094 l2cap_build_conf_rsp(chan, data,
4095 L2CAP_CONF_SUCCESS, flags), data);
4098 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4101 struct l2cap_cmd_rej_cid rej;
4103 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4104 rej.scid = __cpu_to_le16(scid);
4105 rej.dcid = __cpu_to_le16(dcid);
4107 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4110 static inline int l2cap_config_req(struct l2cap_conn *conn,
4111 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4114 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4117 struct l2cap_chan *chan;
4120 if (cmd_len < sizeof(*req))
4123 dcid = __le16_to_cpu(req->dcid);
4124 flags = __le16_to_cpu(req->flags);
4126 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4128 chan = l2cap_get_chan_by_scid(conn, dcid);
4130 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4134 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4135 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4140 /* Reject if config buffer is too small. */
4141 len = cmd_len - sizeof(*req);
4142 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4143 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4144 l2cap_build_conf_rsp(chan, rsp,
4145 L2CAP_CONF_REJECT, flags), rsp);
4150 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4151 chan->conf_len += len;
4153 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4154 /* Incomplete config. Send empty response. */
4155 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4156 l2cap_build_conf_rsp(chan, rsp,
4157 L2CAP_CONF_SUCCESS, flags), rsp);
4161 /* Complete config. */
4162 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4164 l2cap_send_disconn_req(chan, ECONNRESET);
4168 chan->ident = cmd->ident;
4169 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4170 chan->num_conf_rsp++;
4172 /* Reset config buffer. */
4175 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4178 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4179 set_default_fcs(chan);
4181 if (chan->mode == L2CAP_MODE_ERTM ||
4182 chan->mode == L2CAP_MODE_STREAMING)
4183 err = l2cap_ertm_init(chan);
4186 l2cap_send_disconn_req(chan, -err);
4188 l2cap_chan_ready(chan);
4193 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4195 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4196 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4197 chan->num_conf_req++;
4200 /* Got Conf Rsp PENDING from remote side and assume we sent
4201 Conf Rsp PENDING in the code above */
4202 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4203 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4205 /* check compatibility */
4207 /* Send rsp for BR/EDR channel */
4209 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4211 chan->ident = cmd->ident;
4215 l2cap_chan_unlock(chan);
4219 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4220 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4223 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4224 u16 scid, flags, result;
4225 struct l2cap_chan *chan;
4226 int len = cmd_len - sizeof(*rsp);
4229 if (cmd_len < sizeof(*rsp))
4232 scid = __le16_to_cpu(rsp->scid);
4233 flags = __le16_to_cpu(rsp->flags);
4234 result = __le16_to_cpu(rsp->result);
4236 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4239 chan = l2cap_get_chan_by_scid(conn, scid);
4244 case L2CAP_CONF_SUCCESS:
4245 l2cap_conf_rfc_get(chan, rsp->data, len);
4246 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4249 case L2CAP_CONF_PENDING:
4250 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4252 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4255 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4256 buf, sizeof(buf), &result);
4258 l2cap_send_disconn_req(chan, ECONNRESET);
4262 if (!chan->hs_hcon) {
4263 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4266 if (l2cap_check_efs(chan)) {
4267 amp_create_logical_link(chan);
4268 chan->ident = cmd->ident;
4274 case L2CAP_CONF_UNACCEPT:
4275 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4278 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4279 l2cap_send_disconn_req(chan, ECONNRESET);
4283 /* throw out any old stored conf requests */
4284 result = L2CAP_CONF_SUCCESS;
4285 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4286 req, sizeof(req), &result);
4288 l2cap_send_disconn_req(chan, ECONNRESET);
4292 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4293 L2CAP_CONF_REQ, len, req);
4294 chan->num_conf_req++;
4295 if (result != L2CAP_CONF_SUCCESS)
4302 l2cap_chan_set_err(chan, ECONNRESET);
4304 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4305 l2cap_send_disconn_req(chan, ECONNRESET);
4309 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4312 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4314 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4315 set_default_fcs(chan);
4317 if (chan->mode == L2CAP_MODE_ERTM ||
4318 chan->mode == L2CAP_MODE_STREAMING)
4319 err = l2cap_ertm_init(chan);
4322 l2cap_send_disconn_req(chan, -err);
4324 l2cap_chan_ready(chan);
4328 l2cap_chan_unlock(chan);
4332 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4333 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4336 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4337 struct l2cap_disconn_rsp rsp;
4339 struct l2cap_chan *chan;
4341 if (cmd_len != sizeof(*req))
4344 scid = __le16_to_cpu(req->scid);
4345 dcid = __le16_to_cpu(req->dcid);
4347 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4349 mutex_lock(&conn->chan_lock);
4351 chan = __l2cap_get_chan_by_scid(conn, dcid);
4353 mutex_unlock(&conn->chan_lock);
4354 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4358 l2cap_chan_lock(chan);
4360 rsp.dcid = cpu_to_le16(chan->scid);
4361 rsp.scid = cpu_to_le16(chan->dcid);
4362 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4364 chan->ops->set_shutdown(chan);
4366 l2cap_chan_hold(chan);
4367 l2cap_chan_del(chan, ECONNRESET);
4369 l2cap_chan_unlock(chan);
4371 chan->ops->close(chan);
4372 l2cap_chan_put(chan);
4374 mutex_unlock(&conn->chan_lock);
4379 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4380 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4383 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4385 struct l2cap_chan *chan;
4387 if (cmd_len != sizeof(*rsp))
4390 scid = __le16_to_cpu(rsp->scid);
4391 dcid = __le16_to_cpu(rsp->dcid);
4393 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4395 mutex_lock(&conn->chan_lock);
4397 chan = __l2cap_get_chan_by_scid(conn, scid);
4399 mutex_unlock(&conn->chan_lock);
4403 l2cap_chan_lock(chan);
4405 if (chan->state != BT_DISCONN) {
4406 l2cap_chan_unlock(chan);
4407 mutex_unlock(&conn->chan_lock);
4411 l2cap_chan_hold(chan);
4412 l2cap_chan_del(chan, 0);
4414 l2cap_chan_unlock(chan);
4416 chan->ops->close(chan);
4417 l2cap_chan_put(chan);
4419 mutex_unlock(&conn->chan_lock);
4424 static inline int l2cap_information_req(struct l2cap_conn *conn,
4425 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4428 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4431 if (cmd_len != sizeof(*req))
4434 type = __le16_to_cpu(req->type);
4436 BT_DBG("type 0x%4.4x", type);
4438 if (type == L2CAP_IT_FEAT_MASK) {
4440 u32 feat_mask = l2cap_feat_mask;
4441 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4442 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4443 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4445 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4447 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4448 feat_mask |= L2CAP_FEAT_EXT_FLOW
4449 | L2CAP_FEAT_EXT_WINDOW;
4451 put_unaligned_le32(feat_mask, rsp->data);
4452 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4454 } else if (type == L2CAP_IT_FIXED_CHAN) {
4456 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4458 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4459 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4460 rsp->data[0] = conn->local_fixed_chan;
4461 memset(rsp->data + 1, 0, 7);
4462 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4465 struct l2cap_info_rsp rsp;
4466 rsp.type = cpu_to_le16(type);
4467 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4468 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4475 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4476 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4479 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4482 if (cmd_len < sizeof(*rsp))
4485 type = __le16_to_cpu(rsp->type);
4486 result = __le16_to_cpu(rsp->result);
4488 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4490 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4491 if (cmd->ident != conn->info_ident ||
4492 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4495 cancel_delayed_work(&conn->info_timer);
4497 if (result != L2CAP_IR_SUCCESS) {
4498 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4499 conn->info_ident = 0;
4501 l2cap_conn_start(conn);
4507 case L2CAP_IT_FEAT_MASK:
4508 conn->feat_mask = get_unaligned_le32(rsp->data);
4510 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4511 struct l2cap_info_req req;
4512 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4514 conn->info_ident = l2cap_get_ident(conn);
4516 l2cap_send_cmd(conn, conn->info_ident,
4517 L2CAP_INFO_REQ, sizeof(req), &req);
4519 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4520 conn->info_ident = 0;
4522 l2cap_conn_start(conn);
4526 case L2CAP_IT_FIXED_CHAN:
4527 conn->remote_fixed_chan = rsp->data[0];
4528 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4529 conn->info_ident = 0;
4531 l2cap_conn_start(conn);
4538 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4539 struct l2cap_cmd_hdr *cmd,
4540 u16 cmd_len, void *data)
4542 struct l2cap_create_chan_req *req = data;
4543 struct l2cap_create_chan_rsp rsp;
4544 struct l2cap_chan *chan;
4545 struct hci_dev *hdev;
4548 if (cmd_len != sizeof(*req))
4551 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4554 psm = le16_to_cpu(req->psm);
4555 scid = le16_to_cpu(req->scid);
4557 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4559 /* For controller id 0 make BR/EDR connection */
4560 if (req->amp_id == AMP_ID_BREDR) {
4561 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4566 /* Validate AMP controller id */
4567 hdev = hci_dev_get(req->amp_id);
4571 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4576 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4579 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4580 struct hci_conn *hs_hcon;
4582 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4586 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4591 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4593 mgr->bredr_chan = chan;
4594 chan->hs_hcon = hs_hcon;
4595 chan->fcs = L2CAP_FCS_NONE;
4596 conn->mtu = hdev->block_mtu;
4605 rsp.scid = cpu_to_le16(scid);
4606 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4607 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4609 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4615 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4617 struct l2cap_move_chan_req req;
4620 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4622 ident = l2cap_get_ident(chan->conn);
4623 chan->ident = ident;
4625 req.icid = cpu_to_le16(chan->scid);
4626 req.dest_amp_id = dest_amp_id;
4628 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4631 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4634 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4636 struct l2cap_move_chan_rsp rsp;
4638 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4640 rsp.icid = cpu_to_le16(chan->dcid);
4641 rsp.result = cpu_to_le16(result);
4643 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4647 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4649 struct l2cap_move_chan_cfm cfm;
4651 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4653 chan->ident = l2cap_get_ident(chan->conn);
4655 cfm.icid = cpu_to_le16(chan->scid);
4656 cfm.result = cpu_to_le16(result);
4658 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4661 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4664 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4666 struct l2cap_move_chan_cfm cfm;
4668 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4670 cfm.icid = cpu_to_le16(icid);
4671 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4673 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4677 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4680 struct l2cap_move_chan_cfm_rsp rsp;
4682 BT_DBG("icid 0x%4.4x", icid);
4684 rsp.icid = cpu_to_le16(icid);
4685 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4688 static void __release_logical_link(struct l2cap_chan *chan)
4690 chan->hs_hchan = NULL;
4691 chan->hs_hcon = NULL;
4693 /* Placeholder - release the logical link */
4696 static void l2cap_logical_fail(struct l2cap_chan *chan)
4698 /* Logical link setup failed */
4699 if (chan->state != BT_CONNECTED) {
4700 /* Create channel failure, disconnect */
4701 l2cap_send_disconn_req(chan, ECONNRESET);
4705 switch (chan->move_role) {
4706 case L2CAP_MOVE_ROLE_RESPONDER:
4707 l2cap_move_done(chan);
4708 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4710 case L2CAP_MOVE_ROLE_INITIATOR:
4711 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4712 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4713 /* Remote has only sent pending or
4714 * success responses, clean up
4716 l2cap_move_done(chan);
4719 /* Other amp move states imply that the move
4720 * has already aborted
4722 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4727 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4728 struct hci_chan *hchan)
4730 struct l2cap_conf_rsp rsp;
4732 chan->hs_hchan = hchan;
4733 chan->hs_hcon->l2cap_data = chan->conn;
4735 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4737 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4740 set_default_fcs(chan);
4742 err = l2cap_ertm_init(chan);
4744 l2cap_send_disconn_req(chan, -err);
4746 l2cap_chan_ready(chan);
4750 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4751 struct hci_chan *hchan)
4753 chan->hs_hcon = hchan->conn;
4754 chan->hs_hcon->l2cap_data = chan->conn;
4756 BT_DBG("move_state %d", chan->move_state);
4758 switch (chan->move_state) {
4759 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4760 /* Move confirm will be sent after a success
4761 * response is received
4763 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4765 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4766 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4767 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4768 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4769 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4770 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4771 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4772 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4773 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4777 /* Move was not in expected state, free the channel */
4778 __release_logical_link(chan);
4780 chan->move_state = L2CAP_MOVE_STABLE;
4784 /* Call with chan locked */
4785 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4788 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4791 l2cap_logical_fail(chan);
4792 __release_logical_link(chan);
4796 if (chan->state != BT_CONNECTED) {
4797 /* Ignore logical link if channel is on BR/EDR */
4798 if (chan->local_amp_id != AMP_ID_BREDR)
4799 l2cap_logical_finish_create(chan, hchan);
4801 l2cap_logical_finish_move(chan, hchan);
4805 void l2cap_move_start(struct l2cap_chan *chan)
4807 BT_DBG("chan %p", chan);
4809 if (chan->local_amp_id == AMP_ID_BREDR) {
4810 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4812 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4813 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4814 /* Placeholder - start physical link setup */
4816 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4817 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4819 l2cap_move_setup(chan);
4820 l2cap_send_move_chan_req(chan, 0);
4824 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4825 u8 local_amp_id, u8 remote_amp_id)
4827 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4828 local_amp_id, remote_amp_id);
4830 chan->fcs = L2CAP_FCS_NONE;
4832 /* Outgoing channel on AMP */
4833 if (chan->state == BT_CONNECT) {
4834 if (result == L2CAP_CR_SUCCESS) {
4835 chan->local_amp_id = local_amp_id;
4836 l2cap_send_create_chan_req(chan, remote_amp_id);
4838 /* Revert to BR/EDR connect */
4839 l2cap_send_conn_req(chan);
4845 /* Incoming channel on AMP */
4846 if (__l2cap_no_conn_pending(chan)) {
4847 struct l2cap_conn_rsp rsp;
4849 rsp.scid = cpu_to_le16(chan->dcid);
4850 rsp.dcid = cpu_to_le16(chan->scid);
4852 if (result == L2CAP_CR_SUCCESS) {
4853 /* Send successful response */
4854 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4855 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4857 /* Send negative response */
4858 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4859 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4862 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4865 if (result == L2CAP_CR_SUCCESS) {
4866 l2cap_state_change(chan, BT_CONFIG);
4867 set_bit(CONF_REQ_SENT, &chan->conf_state);
4868 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4870 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4871 chan->num_conf_req++;
4876 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4879 l2cap_move_setup(chan);
4880 chan->move_id = local_amp_id;
4881 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4883 l2cap_send_move_chan_req(chan, remote_amp_id);
4886 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4888 struct hci_chan *hchan = NULL;
4890 /* Placeholder - get hci_chan for logical link */
4893 if (hchan->state == BT_CONNECTED) {
4894 /* Logical link is ready to go */
4895 chan->hs_hcon = hchan->conn;
4896 chan->hs_hcon->l2cap_data = chan->conn;
4897 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4898 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4900 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4902 /* Wait for logical link to be ready */
4903 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4906 /* Logical link not available */
4907 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4911 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4913 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4915 if (result == -EINVAL)
4916 rsp_result = L2CAP_MR_BAD_ID;
4918 rsp_result = L2CAP_MR_NOT_ALLOWED;
4920 l2cap_send_move_chan_rsp(chan, rsp_result);
4923 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4924 chan->move_state = L2CAP_MOVE_STABLE;
4926 /* Restart data transmission */
4927 l2cap_ertm_send(chan);
4930 /* Invoke with locked chan */
4931 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4933 u8 local_amp_id = chan->local_amp_id;
4934 u8 remote_amp_id = chan->remote_amp_id;
4936 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4937 chan, result, local_amp_id, remote_amp_id);
4939 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4940 l2cap_chan_unlock(chan);
4944 if (chan->state != BT_CONNECTED) {
4945 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4946 } else if (result != L2CAP_MR_SUCCESS) {
4947 l2cap_do_move_cancel(chan, result);
4949 switch (chan->move_role) {
4950 case L2CAP_MOVE_ROLE_INITIATOR:
4951 l2cap_do_move_initiate(chan, local_amp_id,
4954 case L2CAP_MOVE_ROLE_RESPONDER:
4955 l2cap_do_move_respond(chan, result);
4958 l2cap_do_move_cancel(chan, result);
4964 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4965 struct l2cap_cmd_hdr *cmd,
4966 u16 cmd_len, void *data)
4968 struct l2cap_move_chan_req *req = data;
4969 struct l2cap_move_chan_rsp rsp;
4970 struct l2cap_chan *chan;
4972 u16 result = L2CAP_MR_NOT_ALLOWED;
4974 if (cmd_len != sizeof(*req))
4977 icid = le16_to_cpu(req->icid);
4979 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4981 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4984 chan = l2cap_get_chan_by_dcid(conn, icid);
4986 rsp.icid = cpu_to_le16(icid);
4987 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4988 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4993 chan->ident = cmd->ident;
4995 if (chan->scid < L2CAP_CID_DYN_START ||
4996 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4997 (chan->mode != L2CAP_MODE_ERTM &&
4998 chan->mode != L2CAP_MODE_STREAMING)) {
4999 result = L2CAP_MR_NOT_ALLOWED;
5000 goto send_move_response;
5003 if (chan->local_amp_id == req->dest_amp_id) {
5004 result = L2CAP_MR_SAME_ID;
5005 goto send_move_response;
5008 if (req->dest_amp_id != AMP_ID_BREDR) {
5009 struct hci_dev *hdev;
5010 hdev = hci_dev_get(req->dest_amp_id);
5011 if (!hdev || hdev->dev_type != HCI_AMP ||
5012 !test_bit(HCI_UP, &hdev->flags)) {
5016 result = L2CAP_MR_BAD_ID;
5017 goto send_move_response;
5022 /* Detect a move collision. Only send a collision response
5023 * if this side has "lost", otherwise proceed with the move.
5024 * The winner has the larger bd_addr.
5026 if ((__chan_is_moving(chan) ||
5027 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5028 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5029 result = L2CAP_MR_COLLISION;
5030 goto send_move_response;
5033 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5034 l2cap_move_setup(chan);
5035 chan->move_id = req->dest_amp_id;
5038 if (req->dest_amp_id == AMP_ID_BREDR) {
5039 /* Moving to BR/EDR */
5040 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5041 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5042 result = L2CAP_MR_PEND;
5044 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5045 result = L2CAP_MR_SUCCESS;
5048 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5049 /* Placeholder - uncomment when amp functions are available */
5050 /*amp_accept_physical(chan, req->dest_amp_id);*/
5051 result = L2CAP_MR_PEND;
5055 l2cap_send_move_chan_rsp(chan, result);
5057 l2cap_chan_unlock(chan);
5062 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5064 struct l2cap_chan *chan;
5065 struct hci_chan *hchan = NULL;
5067 chan = l2cap_get_chan_by_scid(conn, icid);
5069 l2cap_send_move_chan_cfm_icid(conn, icid);
5073 __clear_chan_timer(chan);
5074 if (result == L2CAP_MR_PEND)
5075 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5077 switch (chan->move_state) {
5078 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5079 /* Move confirm will be sent when logical link
5082 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5084 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5085 if (result == L2CAP_MR_PEND) {
5087 } else if (test_bit(CONN_LOCAL_BUSY,
5088 &chan->conn_state)) {
5089 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5091 /* Logical link is up or moving to BR/EDR,
5094 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5095 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5098 case L2CAP_MOVE_WAIT_RSP:
5100 if (result == L2CAP_MR_SUCCESS) {
5101 /* Remote is ready, send confirm immediately
5102 * after logical link is ready
5104 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5106 /* Both logical link and move success
5107 * are required to confirm
5109 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5112 /* Placeholder - get hci_chan for logical link */
5114 /* Logical link not available */
5115 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5119 /* If the logical link is not yet connected, do not
5120 * send confirmation.
5122 if (hchan->state != BT_CONNECTED)
5125 /* Logical link is already ready to go */
5127 chan->hs_hcon = hchan->conn;
5128 chan->hs_hcon->l2cap_data = chan->conn;
5130 if (result == L2CAP_MR_SUCCESS) {
5131 /* Can confirm now */
5132 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5134 /* Now only need move success
5137 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5140 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5143 /* Any other amp move state means the move failed. */
5144 chan->move_id = chan->local_amp_id;
5145 l2cap_move_done(chan);
5146 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5149 l2cap_chan_unlock(chan);
5152 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5155 struct l2cap_chan *chan;
5157 chan = l2cap_get_chan_by_ident(conn, ident);
5159 /* Could not locate channel, icid is best guess */
5160 l2cap_send_move_chan_cfm_icid(conn, icid);
5164 __clear_chan_timer(chan);
5166 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5167 if (result == L2CAP_MR_COLLISION) {
5168 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5170 /* Cleanup - cancel move */
5171 chan->move_id = chan->local_amp_id;
5172 l2cap_move_done(chan);
5176 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5178 l2cap_chan_unlock(chan);
5181 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5182 struct l2cap_cmd_hdr *cmd,
5183 u16 cmd_len, void *data)
5185 struct l2cap_move_chan_rsp *rsp = data;
5188 if (cmd_len != sizeof(*rsp))
5191 icid = le16_to_cpu(rsp->icid);
5192 result = le16_to_cpu(rsp->result);
5194 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5196 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5197 l2cap_move_continue(conn, icid, result);
5199 l2cap_move_fail(conn, cmd->ident, icid, result);
5204 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5205 struct l2cap_cmd_hdr *cmd,
5206 u16 cmd_len, void *data)
5208 struct l2cap_move_chan_cfm *cfm = data;
5209 struct l2cap_chan *chan;
5212 if (cmd_len != sizeof(*cfm))
5215 icid = le16_to_cpu(cfm->icid);
5216 result = le16_to_cpu(cfm->result);
5218 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5220 chan = l2cap_get_chan_by_dcid(conn, icid);
5222 /* Spec requires a response even if the icid was not found */
5223 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5227 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5228 if (result == L2CAP_MC_CONFIRMED) {
5229 chan->local_amp_id = chan->move_id;
5230 if (chan->local_amp_id == AMP_ID_BREDR)
5231 __release_logical_link(chan);
5233 chan->move_id = chan->local_amp_id;
5236 l2cap_move_done(chan);
5239 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5241 l2cap_chan_unlock(chan);
5246 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5247 struct l2cap_cmd_hdr *cmd,
5248 u16 cmd_len, void *data)
5250 struct l2cap_move_chan_cfm_rsp *rsp = data;
5251 struct l2cap_chan *chan;
5254 if (cmd_len != sizeof(*rsp))
5257 icid = le16_to_cpu(rsp->icid);
5259 BT_DBG("icid 0x%4.4x", icid);
5261 chan = l2cap_get_chan_by_scid(conn, icid);
5265 __clear_chan_timer(chan);
5267 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5268 chan->local_amp_id = chan->move_id;
5270 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5271 __release_logical_link(chan);
5273 l2cap_move_done(chan);
5276 l2cap_chan_unlock(chan);
5281 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5282 struct l2cap_cmd_hdr *cmd,
5283 u16 cmd_len, u8 *data)
5285 struct hci_conn *hcon = conn->hcon;
5286 struct l2cap_conn_param_update_req *req;
5287 struct l2cap_conn_param_update_rsp rsp;
5288 u16 min, max, latency, to_multiplier;
5291 if (hcon->role != HCI_ROLE_MASTER)
5294 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5297 req = (struct l2cap_conn_param_update_req *) data;
5298 min = __le16_to_cpu(req->min);
5299 max = __le16_to_cpu(req->max);
5300 latency = __le16_to_cpu(req->latency);
5301 to_multiplier = __le16_to_cpu(req->to_multiplier);
5303 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5304 min, max, latency, to_multiplier);
5306 memset(&rsp, 0, sizeof(rsp));
5308 if (min < hcon->le_conn_min_interval ||
5309 max > hcon->le_conn_max_interval) {
5310 BT_DBG("requested connection interval exceeds current bounds.");
5313 err = hci_check_conn_params(min, max, latency, to_multiplier);
5317 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5319 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5321 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5327 store_hint = hci_le_conn_update(hcon, min, max, latency,
5329 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5330 store_hint, min, max, latency,
5338 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5339 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5342 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5343 struct hci_conn *hcon = conn->hcon;
5344 u16 dcid, mtu, mps, credits, result;
5345 struct l2cap_chan *chan;
5348 if (cmd_len < sizeof(*rsp))
5351 dcid = __le16_to_cpu(rsp->dcid);
5352 mtu = __le16_to_cpu(rsp->mtu);
5353 mps = __le16_to_cpu(rsp->mps);
5354 credits = __le16_to_cpu(rsp->credits);
5355 result = __le16_to_cpu(rsp->result);
5357 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5358 dcid < L2CAP_CID_DYN_START ||
5359 dcid > L2CAP_CID_LE_DYN_END))
5362 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5363 dcid, mtu, mps, credits, result);
5365 mutex_lock(&conn->chan_lock);
5367 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5375 l2cap_chan_lock(chan);
5378 case L2CAP_CR_LE_SUCCESS:
5379 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5387 chan->remote_mps = mps;
5388 chan->tx_credits = credits;
5389 l2cap_chan_ready(chan);
5392 case L2CAP_CR_LE_AUTHENTICATION:
5393 case L2CAP_CR_LE_ENCRYPTION:
5394 /* If we already have MITM protection we can't do
5397 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5398 l2cap_chan_del(chan, ECONNREFUSED);
5402 sec_level = hcon->sec_level + 1;
5403 if (chan->sec_level < sec_level)
5404 chan->sec_level = sec_level;
5406 /* We'll need to send a new Connect Request */
5407 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5409 smp_conn_security(hcon, chan->sec_level);
5413 l2cap_chan_del(chan, ECONNREFUSED);
5417 l2cap_chan_unlock(chan);
5420 mutex_unlock(&conn->chan_lock);
5425 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5426 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5431 switch (cmd->code) {
5432 case L2CAP_COMMAND_REJ:
5433 l2cap_command_rej(conn, cmd, cmd_len, data);
5436 case L2CAP_CONN_REQ:
5437 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5440 case L2CAP_CONN_RSP:
5441 case L2CAP_CREATE_CHAN_RSP:
5442 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5445 case L2CAP_CONF_REQ:
5446 err = l2cap_config_req(conn, cmd, cmd_len, data);
5449 case L2CAP_CONF_RSP:
5450 l2cap_config_rsp(conn, cmd, cmd_len, data);
5453 case L2CAP_DISCONN_REQ:
5454 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5457 case L2CAP_DISCONN_RSP:
5458 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5461 case L2CAP_ECHO_REQ:
5462 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5465 case L2CAP_ECHO_RSP:
5468 case L2CAP_INFO_REQ:
5469 err = l2cap_information_req(conn, cmd, cmd_len, data);
5472 case L2CAP_INFO_RSP:
5473 l2cap_information_rsp(conn, cmd, cmd_len, data);
5476 case L2CAP_CREATE_CHAN_REQ:
5477 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5480 case L2CAP_MOVE_CHAN_REQ:
5481 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5484 case L2CAP_MOVE_CHAN_RSP:
5485 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5488 case L2CAP_MOVE_CHAN_CFM:
5489 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5492 case L2CAP_MOVE_CHAN_CFM_RSP:
5493 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5497 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5505 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5506 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5509 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5510 struct l2cap_le_conn_rsp rsp;
5511 struct l2cap_chan *chan, *pchan;
5512 u16 dcid, scid, credits, mtu, mps;
5516 if (cmd_len != sizeof(*req))
5519 scid = __le16_to_cpu(req->scid);
5520 mtu = __le16_to_cpu(req->mtu);
5521 mps = __le16_to_cpu(req->mps);
5526 if (mtu < 23 || mps < 23)
5529 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5532 /* Check if we have socket listening on psm */
5533 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5534 &conn->hcon->dst, LE_LINK);
5536 result = L2CAP_CR_LE_BAD_PSM;
5541 mutex_lock(&conn->chan_lock);
5542 l2cap_chan_lock(pchan);
5544 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5546 result = L2CAP_CR_LE_AUTHENTICATION;
5548 goto response_unlock;
5551 /* Check for valid dynamic CID range */
5552 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5553 result = L2CAP_CR_LE_INVALID_SCID;
5555 goto response_unlock;
5558 /* Check if we already have channel with that dcid */
5559 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5560 result = L2CAP_CR_LE_SCID_IN_USE;
5562 goto response_unlock;
5565 chan = pchan->ops->new_connection(pchan);
5567 result = L2CAP_CR_LE_NO_MEM;
5568 goto response_unlock;
5571 bacpy(&chan->src, &conn->hcon->src);
5572 bacpy(&chan->dst, &conn->hcon->dst);
5573 chan->src_type = bdaddr_src_type(conn->hcon);
5574 chan->dst_type = bdaddr_dst_type(conn->hcon);
5578 chan->remote_mps = mps;
5580 __l2cap_chan_add(conn, chan);
5582 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5585 credits = chan->rx_credits;
5587 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5589 chan->ident = cmd->ident;
5591 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5592 l2cap_state_change(chan, BT_CONNECT2);
5593 /* The following result value is actually not defined
5594 * for LE CoC but we use it to let the function know
5595 * that it should bail out after doing its cleanup
5596 * instead of sending a response.
5598 result = L2CAP_CR_PEND;
5599 chan->ops->defer(chan);
5601 l2cap_chan_ready(chan);
5602 result = L2CAP_CR_LE_SUCCESS;
5606 l2cap_chan_unlock(pchan);
5607 mutex_unlock(&conn->chan_lock);
5608 l2cap_chan_put(pchan);
5610 if (result == L2CAP_CR_PEND)
5615 rsp.mtu = cpu_to_le16(chan->imtu);
5616 rsp.mps = cpu_to_le16(chan->mps);
5622 rsp.dcid = cpu_to_le16(dcid);
5623 rsp.credits = cpu_to_le16(credits);
5624 rsp.result = cpu_to_le16(result);
5626 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5631 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5632 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5635 struct l2cap_le_credits *pkt;
5636 struct l2cap_chan *chan;
5637 u16 cid, credits, max_credits;
5639 if (cmd_len != sizeof(*pkt))
5642 pkt = (struct l2cap_le_credits *) data;
5643 cid = __le16_to_cpu(pkt->cid);
5644 credits = __le16_to_cpu(pkt->credits);
5646 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5648 chan = l2cap_get_chan_by_dcid(conn, cid);
5652 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5653 if (credits > max_credits) {
5654 BT_ERR("LE credits overflow");
5655 l2cap_send_disconn_req(chan, ECONNRESET);
5656 l2cap_chan_unlock(chan);
5658 /* Return 0 so that we don't trigger an unnecessary
5659 * command reject packet.
5664 chan->tx_credits += credits;
5666 /* Resume sending */
5667 l2cap_le_flowctl_send(chan);
5669 if (chan->tx_credits)
5670 chan->ops->resume(chan);
5672 l2cap_chan_unlock(chan);
5677 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5678 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5681 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5682 struct l2cap_chan *chan;
5684 if (cmd_len < sizeof(*rej))
5687 mutex_lock(&conn->chan_lock);
5689 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5693 l2cap_chan_lock(chan);
5694 l2cap_chan_del(chan, ECONNREFUSED);
5695 l2cap_chan_unlock(chan);
5698 mutex_unlock(&conn->chan_lock);
5702 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5703 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5708 switch (cmd->code) {
5709 case L2CAP_COMMAND_REJ:
5710 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5713 case L2CAP_CONN_PARAM_UPDATE_REQ:
5714 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5717 case L2CAP_CONN_PARAM_UPDATE_RSP:
5720 case L2CAP_LE_CONN_RSP:
5721 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5724 case L2CAP_LE_CONN_REQ:
5725 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5728 case L2CAP_LE_CREDITS:
5729 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5732 case L2CAP_DISCONN_REQ:
5733 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5736 case L2CAP_DISCONN_RSP:
5737 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5741 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5749 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5750 struct sk_buff *skb)
5752 struct hci_conn *hcon = conn->hcon;
5753 struct l2cap_cmd_hdr *cmd;
5757 if (hcon->type != LE_LINK)
5760 if (skb->len < L2CAP_CMD_HDR_SIZE)
5763 cmd = (void *) skb->data;
5764 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5766 len = le16_to_cpu(cmd->len);
5768 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5770 if (len != skb->len || !cmd->ident) {
5771 BT_DBG("corrupted command");
5775 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5777 struct l2cap_cmd_rej_unk rej;
5779 BT_ERR("Wrong link type (%d)", err);
5781 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5782 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5790 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5791 struct sk_buff *skb)
5793 struct hci_conn *hcon = conn->hcon;
5794 u8 *data = skb->data;
5796 struct l2cap_cmd_hdr cmd;
5799 l2cap_raw_recv(conn, skb);
5801 if (hcon->type != ACL_LINK)
5804 while (len >= L2CAP_CMD_HDR_SIZE) {
5806 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5807 data += L2CAP_CMD_HDR_SIZE;
5808 len -= L2CAP_CMD_HDR_SIZE;
5810 cmd_len = le16_to_cpu(cmd.len);
5812 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5815 if (cmd_len > len || !cmd.ident) {
5816 BT_DBG("corrupted command");
5820 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5822 struct l2cap_cmd_rej_unk rej;
5824 BT_ERR("Wrong link type (%d)", err);
5826 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5827 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5839 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5841 u16 our_fcs, rcv_fcs;
5844 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5845 hdr_size = L2CAP_EXT_HDR_SIZE;
5847 hdr_size = L2CAP_ENH_HDR_SIZE;
5849 if (chan->fcs == L2CAP_FCS_CRC16) {
5850 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5851 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5852 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5854 if (our_fcs != rcv_fcs)
5860 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5862 struct l2cap_ctrl control;
5864 BT_DBG("chan %p", chan);
5866 memset(&control, 0, sizeof(control));
5869 control.reqseq = chan->buffer_seq;
5870 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5872 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5873 control.super = L2CAP_SUPER_RNR;
5874 l2cap_send_sframe(chan, &control);
5877 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5878 chan->unacked_frames > 0)
5879 __set_retrans_timer(chan);
5881 /* Send pending iframes */
5882 l2cap_ertm_send(chan);
5884 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5885 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5886 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5889 control.super = L2CAP_SUPER_RR;
5890 l2cap_send_sframe(chan, &control);
5894 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5895 struct sk_buff **last_frag)
5897 /* skb->len reflects data in skb as well as all fragments
5898 * skb->data_len reflects only data in fragments
5900 if (!skb_has_frag_list(skb))
5901 skb_shinfo(skb)->frag_list = new_frag;
5903 new_frag->next = NULL;
5905 (*last_frag)->next = new_frag;
5906 *last_frag = new_frag;
5908 skb->len += new_frag->len;
5909 skb->data_len += new_frag->len;
5910 skb->truesize += new_frag->truesize;
5913 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5914 struct l2cap_ctrl *control)
5918 switch (control->sar) {
5919 case L2CAP_SAR_UNSEGMENTED:
5923 err = chan->ops->recv(chan, skb);
5926 case L2CAP_SAR_START:
5930 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5933 chan->sdu_len = get_unaligned_le16(skb->data);
5934 skb_pull(skb, L2CAP_SDULEN_SIZE);
5936 if (chan->sdu_len > chan->imtu) {
5941 if (skb->len >= chan->sdu_len)
5945 chan->sdu_last_frag = skb;
5951 case L2CAP_SAR_CONTINUE:
5955 append_skb_frag(chan->sdu, skb,
5956 &chan->sdu_last_frag);
5959 if (chan->sdu->len >= chan->sdu_len)
5969 append_skb_frag(chan->sdu, skb,
5970 &chan->sdu_last_frag);
5973 if (chan->sdu->len != chan->sdu_len)
5976 err = chan->ops->recv(chan, chan->sdu);
5979 /* Reassembly complete */
5981 chan->sdu_last_frag = NULL;
5989 kfree_skb(chan->sdu);
5991 chan->sdu_last_frag = NULL;
5998 static int l2cap_resegment(struct l2cap_chan *chan)
6004 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6008 if (chan->mode != L2CAP_MODE_ERTM)
6011 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6012 l2cap_tx(chan, NULL, NULL, event);
6015 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6018 /* Pass sequential frames to l2cap_reassemble_sdu()
6019 * until a gap is encountered.
6022 BT_DBG("chan %p", chan);
6024 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6025 struct sk_buff *skb;
6026 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6027 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6029 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6034 skb_unlink(skb, &chan->srej_q);
6035 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6036 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6041 if (skb_queue_empty(&chan->srej_q)) {
6042 chan->rx_state = L2CAP_RX_STATE_RECV;
6043 l2cap_send_ack(chan);
6049 static void l2cap_handle_srej(struct l2cap_chan *chan,
6050 struct l2cap_ctrl *control)
6052 struct sk_buff *skb;
6054 BT_DBG("chan %p, control %p", chan, control);
6056 if (control->reqseq == chan->next_tx_seq) {
6057 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6058 l2cap_send_disconn_req(chan, ECONNRESET);
6062 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6065 BT_DBG("Seq %d not available for retransmission",
6070 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6071 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6072 l2cap_send_disconn_req(chan, ECONNRESET);
6076 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6078 if (control->poll) {
6079 l2cap_pass_to_tx(chan, control);
6081 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6082 l2cap_retransmit(chan, control);
6083 l2cap_ertm_send(chan);
6085 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6086 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6087 chan->srej_save_reqseq = control->reqseq;
6090 l2cap_pass_to_tx_fbit(chan, control);
6092 if (control->final) {
6093 if (chan->srej_save_reqseq != control->reqseq ||
6094 !test_and_clear_bit(CONN_SREJ_ACT,
6096 l2cap_retransmit(chan, control);
6098 l2cap_retransmit(chan, control);
6099 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6100 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6101 chan->srej_save_reqseq = control->reqseq;
6107 static void l2cap_handle_rej(struct l2cap_chan *chan,
6108 struct l2cap_ctrl *control)
6110 struct sk_buff *skb;
6112 BT_DBG("chan %p, control %p", chan, control);
6114 if (control->reqseq == chan->next_tx_seq) {
6115 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6116 l2cap_send_disconn_req(chan, ECONNRESET);
6120 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6122 if (chan->max_tx && skb &&
6123 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6124 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6125 l2cap_send_disconn_req(chan, ECONNRESET);
6129 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6131 l2cap_pass_to_tx(chan, control);
6133 if (control->final) {
6134 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6135 l2cap_retransmit_all(chan, control);
6137 l2cap_retransmit_all(chan, control);
6138 l2cap_ertm_send(chan);
6139 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6140 set_bit(CONN_REJ_ACT, &chan->conn_state);
6144 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6146 BT_DBG("chan %p, txseq %d", chan, txseq);
6148 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6149 chan->expected_tx_seq);
6151 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6152 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6154 /* See notes below regarding "double poll" and
6157 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6158 BT_DBG("Invalid/Ignore - after SREJ");
6159 return L2CAP_TXSEQ_INVALID_IGNORE;
6161 BT_DBG("Invalid - in window after SREJ sent");
6162 return L2CAP_TXSEQ_INVALID;
6166 if (chan->srej_list.head == txseq) {
6167 BT_DBG("Expected SREJ");
6168 return L2CAP_TXSEQ_EXPECTED_SREJ;
6171 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6172 BT_DBG("Duplicate SREJ - txseq already stored");
6173 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6176 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6177 BT_DBG("Unexpected SREJ - not requested");
6178 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6182 if (chan->expected_tx_seq == txseq) {
6183 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6185 BT_DBG("Invalid - txseq outside tx window");
6186 return L2CAP_TXSEQ_INVALID;
6189 return L2CAP_TXSEQ_EXPECTED;
6193 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6194 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6195 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6196 return L2CAP_TXSEQ_DUPLICATE;
6199 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6200 /* A source of invalid packets is a "double poll" condition,
6201 * where delays cause us to send multiple poll packets. If
6202 * the remote stack receives and processes both polls,
6203 * sequence numbers can wrap around in such a way that a
6204 * resent frame has a sequence number that looks like new data
6205 * with a sequence gap. This would trigger an erroneous SREJ
6208 * Fortunately, this is impossible with a tx window that's
6209 * less than half of the maximum sequence number, which allows
6210 * invalid frames to be safely ignored.
6212 * With tx window sizes greater than half of the tx window
6213 * maximum, the frame is invalid and cannot be ignored. This
6214 * causes a disconnect.
6217 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6218 BT_DBG("Invalid/Ignore - txseq outside tx window");
6219 return L2CAP_TXSEQ_INVALID_IGNORE;
6221 BT_DBG("Invalid - txseq outside tx window");
6222 return L2CAP_TXSEQ_INVALID;
6225 BT_DBG("Unexpected - txseq indicates missing frames");
6226 return L2CAP_TXSEQ_UNEXPECTED;
6230 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6231 struct l2cap_ctrl *control,
6232 struct sk_buff *skb, u8 event)
6235 bool skb_in_use = false;
6237 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6241 case L2CAP_EV_RECV_IFRAME:
6242 switch (l2cap_classify_txseq(chan, control->txseq)) {
6243 case L2CAP_TXSEQ_EXPECTED:
6244 l2cap_pass_to_tx(chan, control);
6246 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6247 BT_DBG("Busy, discarding expected seq %d",
6252 chan->expected_tx_seq = __next_seq(chan,
6255 chan->buffer_seq = chan->expected_tx_seq;
6258 err = l2cap_reassemble_sdu(chan, skb, control);
6262 if (control->final) {
6263 if (!test_and_clear_bit(CONN_REJ_ACT,
6264 &chan->conn_state)) {
6266 l2cap_retransmit_all(chan, control);
6267 l2cap_ertm_send(chan);
6271 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6272 l2cap_send_ack(chan);
6274 case L2CAP_TXSEQ_UNEXPECTED:
6275 l2cap_pass_to_tx(chan, control);
6277 /* Can't issue SREJ frames in the local busy state.
6278 * Drop this frame, it will be seen as missing
6279 * when local busy is exited.
6281 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6282 BT_DBG("Busy, discarding unexpected seq %d",
6287 /* There was a gap in the sequence, so an SREJ
6288 * must be sent for each missing frame. The
6289 * current frame is stored for later use.
6291 skb_queue_tail(&chan->srej_q, skb);
6293 BT_DBG("Queued %p (queue len %d)", skb,
6294 skb_queue_len(&chan->srej_q));
6296 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6297 l2cap_seq_list_clear(&chan->srej_list);
6298 l2cap_send_srej(chan, control->txseq);
6300 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6302 case L2CAP_TXSEQ_DUPLICATE:
6303 l2cap_pass_to_tx(chan, control);
6305 case L2CAP_TXSEQ_INVALID_IGNORE:
6307 case L2CAP_TXSEQ_INVALID:
6309 l2cap_send_disconn_req(chan, ECONNRESET);
6313 case L2CAP_EV_RECV_RR:
6314 l2cap_pass_to_tx(chan, control);
6315 if (control->final) {
6316 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6318 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6319 !__chan_is_moving(chan)) {
6321 l2cap_retransmit_all(chan, control);
6324 l2cap_ertm_send(chan);
6325 } else if (control->poll) {
6326 l2cap_send_i_or_rr_or_rnr(chan);
6328 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6329 &chan->conn_state) &&
6330 chan->unacked_frames)
6331 __set_retrans_timer(chan);
6333 l2cap_ertm_send(chan);
6336 case L2CAP_EV_RECV_RNR:
6337 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6338 l2cap_pass_to_tx(chan, control);
6339 if (control && control->poll) {
6340 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6341 l2cap_send_rr_or_rnr(chan, 0);
6343 __clear_retrans_timer(chan);
6344 l2cap_seq_list_clear(&chan->retrans_list);
6346 case L2CAP_EV_RECV_REJ:
6347 l2cap_handle_rej(chan, control);
6349 case L2CAP_EV_RECV_SREJ:
6350 l2cap_handle_srej(chan, control);
6356 if (skb && !skb_in_use) {
6357 BT_DBG("Freeing %p", skb);
6364 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6365 struct l2cap_ctrl *control,
6366 struct sk_buff *skb, u8 event)
6369 u16 txseq = control->txseq;
6370 bool skb_in_use = false;
6372 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6376 case L2CAP_EV_RECV_IFRAME:
6377 switch (l2cap_classify_txseq(chan, txseq)) {
6378 case L2CAP_TXSEQ_EXPECTED:
6379 /* Keep frame for reassembly later */
6380 l2cap_pass_to_tx(chan, control);
6381 skb_queue_tail(&chan->srej_q, skb);
6383 BT_DBG("Queued %p (queue len %d)", skb,
6384 skb_queue_len(&chan->srej_q));
6386 chan->expected_tx_seq = __next_seq(chan, txseq);
6388 case L2CAP_TXSEQ_EXPECTED_SREJ:
6389 l2cap_seq_list_pop(&chan->srej_list);
6391 l2cap_pass_to_tx(chan, control);
6392 skb_queue_tail(&chan->srej_q, skb);
6394 BT_DBG("Queued %p (queue len %d)", skb,
6395 skb_queue_len(&chan->srej_q));
6397 err = l2cap_rx_queued_iframes(chan);
6402 case L2CAP_TXSEQ_UNEXPECTED:
6403 /* Got a frame that can't be reassembled yet.
6404 * Save it for later, and send SREJs to cover
6405 * the missing frames.
6407 skb_queue_tail(&chan->srej_q, skb);
6409 BT_DBG("Queued %p (queue len %d)", skb,
6410 skb_queue_len(&chan->srej_q));
6412 l2cap_pass_to_tx(chan, control);
6413 l2cap_send_srej(chan, control->txseq);
6415 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6416 /* This frame was requested with an SREJ, but
6417 * some expected retransmitted frames are
6418 * missing. Request retransmission of missing
6421 skb_queue_tail(&chan->srej_q, skb);
6423 BT_DBG("Queued %p (queue len %d)", skb,
6424 skb_queue_len(&chan->srej_q));
6426 l2cap_pass_to_tx(chan, control);
6427 l2cap_send_srej_list(chan, control->txseq);
6429 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6430 /* We've already queued this frame. Drop this copy. */
6431 l2cap_pass_to_tx(chan, control);
6433 case L2CAP_TXSEQ_DUPLICATE:
6434 /* Expecting a later sequence number, so this frame
6435 * was already received. Ignore it completely.
6438 case L2CAP_TXSEQ_INVALID_IGNORE:
6440 case L2CAP_TXSEQ_INVALID:
6442 l2cap_send_disconn_req(chan, ECONNRESET);
6446 case L2CAP_EV_RECV_RR:
6447 l2cap_pass_to_tx(chan, control);
6448 if (control->final) {
6449 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6451 if (!test_and_clear_bit(CONN_REJ_ACT,
6452 &chan->conn_state)) {
6454 l2cap_retransmit_all(chan, control);
6457 l2cap_ertm_send(chan);
6458 } else if (control->poll) {
6459 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6460 &chan->conn_state) &&
6461 chan->unacked_frames) {
6462 __set_retrans_timer(chan);
6465 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6466 l2cap_send_srej_tail(chan);
6468 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6469 &chan->conn_state) &&
6470 chan->unacked_frames)
6471 __set_retrans_timer(chan);
6473 l2cap_send_ack(chan);
6476 case L2CAP_EV_RECV_RNR:
6477 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6478 l2cap_pass_to_tx(chan, control);
6479 if (control->poll) {
6480 l2cap_send_srej_tail(chan);
6482 struct l2cap_ctrl rr_control;
6483 memset(&rr_control, 0, sizeof(rr_control));
6484 rr_control.sframe = 1;
6485 rr_control.super = L2CAP_SUPER_RR;
6486 rr_control.reqseq = chan->buffer_seq;
6487 l2cap_send_sframe(chan, &rr_control);
6491 case L2CAP_EV_RECV_REJ:
6492 l2cap_handle_rej(chan, control);
6494 case L2CAP_EV_RECV_SREJ:
6495 l2cap_handle_srej(chan, control);
6499 if (skb && !skb_in_use) {
6500 BT_DBG("Freeing %p", skb);
6507 static int l2cap_finish_move(struct l2cap_chan *chan)
6509 BT_DBG("chan %p", chan);
6511 chan->rx_state = L2CAP_RX_STATE_RECV;
6514 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6516 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6518 return l2cap_resegment(chan);
6521 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6522 struct l2cap_ctrl *control,
6523 struct sk_buff *skb, u8 event)
6527 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6533 l2cap_process_reqseq(chan, control->reqseq);
6535 if (!skb_queue_empty(&chan->tx_q))
6536 chan->tx_send_head = skb_peek(&chan->tx_q);
6538 chan->tx_send_head = NULL;
6540 /* Rewind next_tx_seq to the point expected
6543 chan->next_tx_seq = control->reqseq;
6544 chan->unacked_frames = 0;
6546 err = l2cap_finish_move(chan);
6550 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6551 l2cap_send_i_or_rr_or_rnr(chan);
6553 if (event == L2CAP_EV_RECV_IFRAME)
6556 return l2cap_rx_state_recv(chan, control, NULL, event);
6559 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6560 struct l2cap_ctrl *control,
6561 struct sk_buff *skb, u8 event)
6565 if (!control->final)
6568 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6570 chan->rx_state = L2CAP_RX_STATE_RECV;
6571 l2cap_process_reqseq(chan, control->reqseq);
6573 if (!skb_queue_empty(&chan->tx_q))
6574 chan->tx_send_head = skb_peek(&chan->tx_q);
6576 chan->tx_send_head = NULL;
6578 /* Rewind next_tx_seq to the point expected
6581 chan->next_tx_seq = control->reqseq;
6582 chan->unacked_frames = 0;
6585 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6587 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6589 err = l2cap_resegment(chan);
6592 err = l2cap_rx_state_recv(chan, control, skb, event);
6597 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6599 /* Make sure reqseq is for a packet that has been sent but not acked */
6602 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6603 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6606 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6607 struct sk_buff *skb, u8 event)
6611 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6612 control, skb, event, chan->rx_state);
6614 if (__valid_reqseq(chan, control->reqseq)) {
6615 switch (chan->rx_state) {
6616 case L2CAP_RX_STATE_RECV:
6617 err = l2cap_rx_state_recv(chan, control, skb, event);
6619 case L2CAP_RX_STATE_SREJ_SENT:
6620 err = l2cap_rx_state_srej_sent(chan, control, skb,
6623 case L2CAP_RX_STATE_WAIT_P:
6624 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6626 case L2CAP_RX_STATE_WAIT_F:
6627 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6634 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6635 control->reqseq, chan->next_tx_seq,
6636 chan->expected_ack_seq);
6637 l2cap_send_disconn_req(chan, ECONNRESET);
6643 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6644 struct sk_buff *skb)
6646 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6649 if (l2cap_classify_txseq(chan, control->txseq) ==
6650 L2CAP_TXSEQ_EXPECTED) {
6651 l2cap_pass_to_tx(chan, control);
6653 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6654 __next_seq(chan, chan->buffer_seq));
6656 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6658 l2cap_reassemble_sdu(chan, skb, control);
6661 kfree_skb(chan->sdu);
6664 chan->sdu_last_frag = NULL;
6668 BT_DBG("Freeing %p", skb);
6673 chan->last_acked_seq = control->txseq;
6674 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6679 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6681 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6685 __unpack_control(chan, skb);
6690 * We can just drop the corrupted I-frame here.
6691 * Receiver will miss it and start proper recovery
6692 * procedures and ask for retransmission.
6694 if (l2cap_check_fcs(chan, skb))
6697 if (!control->sframe && control->sar == L2CAP_SAR_START)
6698 len -= L2CAP_SDULEN_SIZE;
6700 if (chan->fcs == L2CAP_FCS_CRC16)
6701 len -= L2CAP_FCS_SIZE;
6703 if (len > chan->mps) {
6704 l2cap_send_disconn_req(chan, ECONNRESET);
6708 if ((chan->mode == L2CAP_MODE_ERTM ||
6709 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6712 if (!control->sframe) {
6715 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6716 control->sar, control->reqseq, control->final,
6719 /* Validate F-bit - F=0 always valid, F=1 only
6720 * valid in TX WAIT_F
6722 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6725 if (chan->mode != L2CAP_MODE_STREAMING) {
6726 event = L2CAP_EV_RECV_IFRAME;
6727 err = l2cap_rx(chan, control, skb, event);
6729 err = l2cap_stream_rx(chan, control, skb);
6733 l2cap_send_disconn_req(chan, ECONNRESET);
6735 const u8 rx_func_to_event[4] = {
6736 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6737 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6740 /* Only I-frames are expected in streaming mode */
6741 if (chan->mode == L2CAP_MODE_STREAMING)
6744 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6745 control->reqseq, control->final, control->poll,
6749 BT_ERR("Trailing bytes: %d in sframe", len);
6750 l2cap_send_disconn_req(chan, ECONNRESET);
6754 /* Validate F and P bits */
6755 if (control->final && (control->poll ||
6756 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6759 event = rx_func_to_event[control->super];
6760 if (l2cap_rx(chan, control, skb, event))
6761 l2cap_send_disconn_req(chan, ECONNRESET);
6771 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6773 struct l2cap_conn *conn = chan->conn;
6774 struct l2cap_le_credits pkt;
6777 return_credits = ((chan->imtu / chan->mps) + 1) - chan->rx_credits;
6779 if (!return_credits)
6782 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6784 chan->rx_credits += return_credits;
6786 pkt.cid = cpu_to_le16(chan->scid);
6787 pkt.credits = cpu_to_le16(return_credits);
6789 chan->ident = l2cap_get_ident(conn);
6791 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6794 static int l2cap_le_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6798 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6800 /* Wait recv to confirm reception before updating the credits */
6801 err = chan->ops->recv(chan, skb);
6803 /* Update credits whenever an SDU is received */
6804 l2cap_chan_le_send_credits(chan);
6809 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6813 if (!chan->rx_credits) {
6814 BT_ERR("No credits to receive LE L2CAP data");
6815 l2cap_send_disconn_req(chan, ECONNRESET);
6819 if (chan->imtu < skb->len) {
6820 BT_ERR("Too big LE L2CAP PDU");
6825 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6827 /* Update if remote had run out of credits, this should only happens
6828 * if the remote is not using the entire MPS.
6830 if (!chan->rx_credits)
6831 l2cap_chan_le_send_credits(chan);
6838 sdu_len = get_unaligned_le16(skb->data);
6839 skb_pull(skb, L2CAP_SDULEN_SIZE);
6841 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6842 sdu_len, skb->len, chan->imtu);
6844 if (sdu_len > chan->imtu) {
6845 BT_ERR("Too big LE L2CAP SDU length received");
6850 if (skb->len > sdu_len) {
6851 BT_ERR("Too much LE L2CAP data received");
6856 if (skb->len == sdu_len)
6857 return l2cap_le_recv(chan, skb);
6860 chan->sdu_len = sdu_len;
6861 chan->sdu_last_frag = skb;
6863 /* Detect if remote is not able to use the selected MPS */
6864 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6865 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6867 /* Adjust the number of credits */
6868 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6869 chan->mps = mps_len;
6870 l2cap_chan_le_send_credits(chan);
6876 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6877 chan->sdu->len, skb->len, chan->sdu_len);
6879 if (chan->sdu->len + skb->len > chan->sdu_len) {
6880 BT_ERR("Too much LE L2CAP data received");
6885 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6888 if (chan->sdu->len == chan->sdu_len) {
6889 err = l2cap_le_recv(chan, chan->sdu);
6892 chan->sdu_last_frag = NULL;
6900 kfree_skb(chan->sdu);
6902 chan->sdu_last_frag = NULL;
6906 /* We can't return an error here since we took care of the skb
6907 * freeing internally. An error return would cause the caller to
6908 * do a double-free of the skb.
6913 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6914 struct sk_buff *skb)
6916 struct l2cap_chan *chan;
6918 chan = l2cap_get_chan_by_scid(conn, cid);
6920 if (cid == L2CAP_CID_A2MP) {
6921 chan = a2mp_channel_create(conn, skb);
6927 l2cap_chan_lock(chan);
6929 BT_DBG("unknown cid 0x%4.4x", cid);
6930 /* Drop packet and return */
6936 BT_DBG("chan %p, len %d", chan, skb->len);
6938 /* If we receive data on a fixed channel before the info req/rsp
6939 * procdure is done simply assume that the channel is supported
6940 * and mark it as ready.
6942 if (chan->chan_type == L2CAP_CHAN_FIXED)
6943 l2cap_chan_ready(chan);
6945 if (chan->state != BT_CONNECTED)
6948 switch (chan->mode) {
6949 case L2CAP_MODE_LE_FLOWCTL:
6950 if (l2cap_le_data_rcv(chan, skb) < 0)
6955 case L2CAP_MODE_BASIC:
6956 /* If socket recv buffers overflows we drop data here
6957 * which is *bad* because L2CAP has to be reliable.
6958 * But we don't have any other choice. L2CAP doesn't
6959 * provide flow control mechanism. */
6961 if (chan->imtu < skb->len) {
6962 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6966 if (!chan->ops->recv(chan, skb))
6970 case L2CAP_MODE_ERTM:
6971 case L2CAP_MODE_STREAMING:
6972 l2cap_data_rcv(chan, skb);
6976 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6984 l2cap_chan_unlock(chan);
6987 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6988 struct sk_buff *skb)
6990 struct hci_conn *hcon = conn->hcon;
6991 struct l2cap_chan *chan;
6993 if (hcon->type != ACL_LINK)
6996 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7001 BT_DBG("chan %p, len %d", chan, skb->len);
7003 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7006 if (chan->imtu < skb->len)
7009 /* Store remote BD_ADDR and PSM for msg_name */
7010 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7011 bt_cb(skb)->l2cap.psm = psm;
7013 if (!chan->ops->recv(chan, skb)) {
7014 l2cap_chan_put(chan);
7019 l2cap_chan_put(chan);
7024 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7026 struct l2cap_hdr *lh = (void *) skb->data;
7027 struct hci_conn *hcon = conn->hcon;
7031 if (hcon->state != BT_CONNECTED) {
7032 BT_DBG("queueing pending rx skb");
7033 skb_queue_tail(&conn->pending_rx, skb);
7037 skb_pull(skb, L2CAP_HDR_SIZE);
7038 cid = __le16_to_cpu(lh->cid);
7039 len = __le16_to_cpu(lh->len);
7041 if (len != skb->len) {
7046 /* Since we can't actively block incoming LE connections we must
7047 * at least ensure that we ignore incoming data from them.
7049 if (hcon->type == LE_LINK &&
7050 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7051 bdaddr_dst_type(hcon))) {
7056 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7059 case L2CAP_CID_SIGNALING:
7060 l2cap_sig_channel(conn, skb);
7063 case L2CAP_CID_CONN_LESS:
7064 psm = get_unaligned((__le16 *) skb->data);
7065 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7066 l2cap_conless_channel(conn, psm, skb);
7069 case L2CAP_CID_LE_SIGNALING:
7070 l2cap_le_sig_channel(conn, skb);
7074 l2cap_data_channel(conn, cid, skb);
7079 static void process_pending_rx(struct work_struct *work)
7081 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7083 struct sk_buff *skb;
7087 while ((skb = skb_dequeue(&conn->pending_rx)))
7088 l2cap_recv_frame(conn, skb);
7091 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7093 struct l2cap_conn *conn = hcon->l2cap_data;
7094 struct hci_chan *hchan;
7099 hchan = hci_chan_create(hcon);
7103 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7105 hci_chan_del(hchan);
7109 kref_init(&conn->ref);
7110 hcon->l2cap_data = conn;
7111 conn->hcon = hci_conn_get(hcon);
7112 conn->hchan = hchan;
7114 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7116 switch (hcon->type) {
7118 if (hcon->hdev->le_mtu) {
7119 conn->mtu = hcon->hdev->le_mtu;
7124 conn->mtu = hcon->hdev->acl_mtu;
7128 conn->feat_mask = 0;
7130 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7132 if (hcon->type == ACL_LINK &&
7133 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7134 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7136 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7137 (bredr_sc_enabled(hcon->hdev) ||
7138 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7139 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7141 mutex_init(&conn->ident_lock);
7142 mutex_init(&conn->chan_lock);
7144 INIT_LIST_HEAD(&conn->chan_l);
7145 INIT_LIST_HEAD(&conn->users);
7147 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7149 skb_queue_head_init(&conn->pending_rx);
7150 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7151 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7153 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7158 static bool is_valid_psm(u16 psm, u8 dst_type) {
7162 if (bdaddr_type_is_le(dst_type))
7163 return (psm <= 0x00ff);
7165 /* PSM must be odd and lsb of upper byte must be 0 */
7166 return ((psm & 0x0101) == 0x0001);
7169 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7170 bdaddr_t *dst, u8 dst_type)
7172 struct l2cap_conn *conn;
7173 struct hci_conn *hcon;
7174 struct hci_dev *hdev;
7177 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7178 dst_type, __le16_to_cpu(psm));
7180 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7182 return -EHOSTUNREACH;
7186 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7187 chan->chan_type != L2CAP_CHAN_RAW) {
7192 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7197 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7202 switch (chan->mode) {
7203 case L2CAP_MODE_BASIC:
7205 case L2CAP_MODE_LE_FLOWCTL:
7207 case L2CAP_MODE_ERTM:
7208 case L2CAP_MODE_STREAMING:
7217 switch (chan->state) {
7221 /* Already connecting */
7226 /* Already connected */
7240 /* Set destination address and psm */
7241 bacpy(&chan->dst, dst);
7242 chan->dst_type = dst_type;
7247 if (bdaddr_type_is_le(dst_type)) {
7248 /* Convert from L2CAP channel address type to HCI address type
7250 if (dst_type == BDADDR_LE_PUBLIC)
7251 dst_type = ADDR_LE_DEV_PUBLIC;
7253 dst_type = ADDR_LE_DEV_RANDOM;
7255 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7256 hcon = hci_connect_le(hdev, dst, dst_type,
7258 HCI_LE_CONN_TIMEOUT,
7259 HCI_ROLE_SLAVE, NULL);
7261 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7263 HCI_LE_CONN_TIMEOUT);
7266 u8 auth_type = l2cap_get_auth_type(chan);
7267 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7271 err = PTR_ERR(hcon);
7275 conn = l2cap_conn_add(hcon);
7277 hci_conn_drop(hcon);
7282 mutex_lock(&conn->chan_lock);
7283 l2cap_chan_lock(chan);
7285 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7286 hci_conn_drop(hcon);
7291 /* Update source addr of the socket */
7292 bacpy(&chan->src, &hcon->src);
7293 chan->src_type = bdaddr_src_type(hcon);
7295 __l2cap_chan_add(conn, chan);
7297 /* l2cap_chan_add takes its own ref so we can drop this one */
7298 hci_conn_drop(hcon);
7300 l2cap_state_change(chan, BT_CONNECT);
7301 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7303 /* Release chan->sport so that it can be reused by other
7304 * sockets (as it's only used for listening sockets).
7306 write_lock(&chan_list_lock);
7308 write_unlock(&chan_list_lock);
7310 if (hcon->state == BT_CONNECTED) {
7311 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7312 __clear_chan_timer(chan);
7313 if (l2cap_chan_check_security(chan, true))
7314 l2cap_state_change(chan, BT_CONNECTED);
7316 l2cap_do_start(chan);
7322 l2cap_chan_unlock(chan);
7323 mutex_unlock(&conn->chan_lock);
7325 hci_dev_unlock(hdev);
7329 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7331 /* ---- L2CAP interface with lower layer (HCI) ---- */
7333 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7335 int exact = 0, lm1 = 0, lm2 = 0;
7336 struct l2cap_chan *c;
7338 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7340 /* Find listening sockets and check their link_mode */
7341 read_lock(&chan_list_lock);
7342 list_for_each_entry(c, &chan_list, global_l) {
7343 if (c->state != BT_LISTEN)
7346 if (!bacmp(&c->src, &hdev->bdaddr)) {
7347 lm1 |= HCI_LM_ACCEPT;
7348 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7349 lm1 |= HCI_LM_MASTER;
7351 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7352 lm2 |= HCI_LM_ACCEPT;
7353 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7354 lm2 |= HCI_LM_MASTER;
7357 read_unlock(&chan_list_lock);
7359 return exact ? lm1 : lm2;
7362 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7363 * from an existing channel in the list or from the beginning of the
7364 * global list (by passing NULL as first parameter).
7366 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7367 struct hci_conn *hcon)
7369 u8 src_type = bdaddr_src_type(hcon);
7371 read_lock(&chan_list_lock);
7374 c = list_next_entry(c, global_l);
7376 c = list_entry(chan_list.next, typeof(*c), global_l);
7378 list_for_each_entry_from(c, &chan_list, global_l) {
7379 if (c->chan_type != L2CAP_CHAN_FIXED)
7381 if (c->state != BT_LISTEN)
7383 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7385 if (src_type != c->src_type)
7389 read_unlock(&chan_list_lock);
7393 read_unlock(&chan_list_lock);
7398 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7400 struct hci_dev *hdev = hcon->hdev;
7401 struct l2cap_conn *conn;
7402 struct l2cap_chan *pchan;
7405 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7408 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7411 l2cap_conn_del(hcon, bt_to_errno(status));
7415 conn = l2cap_conn_add(hcon);
7419 dst_type = bdaddr_dst_type(hcon);
7421 /* If device is blocked, do not create channels for it */
7422 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7425 /* Find fixed channels and notify them of the new connection. We
7426 * use multiple individual lookups, continuing each time where
7427 * we left off, because the list lock would prevent calling the
7428 * potentially sleeping l2cap_chan_lock() function.
7430 pchan = l2cap_global_fixed_chan(NULL, hcon);
7432 struct l2cap_chan *chan, *next;
7434 /* Client fixed channels should override server ones */
7435 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7438 l2cap_chan_lock(pchan);
7439 chan = pchan->ops->new_connection(pchan);
7441 bacpy(&chan->src, &hcon->src);
7442 bacpy(&chan->dst, &hcon->dst);
7443 chan->src_type = bdaddr_src_type(hcon);
7444 chan->dst_type = dst_type;
7446 __l2cap_chan_add(conn, chan);
7449 l2cap_chan_unlock(pchan);
7451 next = l2cap_global_fixed_chan(pchan, hcon);
7452 l2cap_chan_put(pchan);
7456 l2cap_conn_ready(conn);
7459 int l2cap_disconn_ind(struct hci_conn *hcon)
7461 struct l2cap_conn *conn = hcon->l2cap_data;
7463 BT_DBG("hcon %p", hcon);
7466 return HCI_ERROR_REMOTE_USER_TERM;
7467 return conn->disc_reason;
7470 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7472 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7475 BT_DBG("hcon %p reason %d", hcon, reason);
7477 l2cap_conn_del(hcon, bt_to_errno(reason));
7480 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7482 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7485 if (encrypt == 0x00) {
7486 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7487 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7488 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7489 chan->sec_level == BT_SECURITY_FIPS)
7490 l2cap_chan_close(chan, ECONNREFUSED);
7492 if (chan->sec_level == BT_SECURITY_MEDIUM)
7493 __clear_chan_timer(chan);
7497 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7499 struct l2cap_conn *conn = hcon->l2cap_data;
7500 struct l2cap_chan *chan;
7505 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7507 mutex_lock(&conn->chan_lock);
7509 list_for_each_entry(chan, &conn->chan_l, list) {
7510 l2cap_chan_lock(chan);
7512 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7513 state_to_string(chan->state));
7515 if (chan->scid == L2CAP_CID_A2MP) {
7516 l2cap_chan_unlock(chan);
7520 if (!status && encrypt)
7521 chan->sec_level = hcon->sec_level;
7523 if (!__l2cap_no_conn_pending(chan)) {
7524 l2cap_chan_unlock(chan);
7528 if (!status && (chan->state == BT_CONNECTED ||
7529 chan->state == BT_CONFIG)) {
7530 chan->ops->resume(chan);
7531 l2cap_check_encryption(chan, encrypt);
7532 l2cap_chan_unlock(chan);
7536 if (chan->state == BT_CONNECT) {
7537 if (!status && l2cap_check_enc_key_size(hcon))
7538 l2cap_start_connection(chan);
7540 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7541 } else if (chan->state == BT_CONNECT2 &&
7542 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7543 struct l2cap_conn_rsp rsp;
7546 if (!status && l2cap_check_enc_key_size(hcon)) {
7547 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7548 res = L2CAP_CR_PEND;
7549 stat = L2CAP_CS_AUTHOR_PEND;
7550 chan->ops->defer(chan);
7552 l2cap_state_change(chan, BT_CONFIG);
7553 res = L2CAP_CR_SUCCESS;
7554 stat = L2CAP_CS_NO_INFO;
7557 l2cap_state_change(chan, BT_DISCONN);
7558 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7559 res = L2CAP_CR_SEC_BLOCK;
7560 stat = L2CAP_CS_NO_INFO;
7563 rsp.scid = cpu_to_le16(chan->dcid);
7564 rsp.dcid = cpu_to_le16(chan->scid);
7565 rsp.result = cpu_to_le16(res);
7566 rsp.status = cpu_to_le16(stat);
7567 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7570 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7571 res == L2CAP_CR_SUCCESS) {
7573 set_bit(CONF_REQ_SENT, &chan->conf_state);
7574 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7576 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7578 chan->num_conf_req++;
7582 l2cap_chan_unlock(chan);
7585 mutex_unlock(&conn->chan_lock);
7588 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7590 struct l2cap_conn *conn = hcon->l2cap_data;
7591 struct l2cap_hdr *hdr;
7594 /* For AMP controller do not create l2cap conn */
7595 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7599 conn = l2cap_conn_add(hcon);
7604 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7608 case ACL_START_NO_FLUSH:
7611 BT_ERR("Unexpected start frame (len %d)", skb->len);
7612 kfree_skb(conn->rx_skb);
7613 conn->rx_skb = NULL;
7615 l2cap_conn_unreliable(conn, ECOMM);
7618 /* Start fragment always begin with Basic L2CAP header */
7619 if (skb->len < L2CAP_HDR_SIZE) {
7620 BT_ERR("Frame is too short (len %d)", skb->len);
7621 l2cap_conn_unreliable(conn, ECOMM);
7625 hdr = (struct l2cap_hdr *) skb->data;
7626 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7628 if (len == skb->len) {
7629 /* Complete frame received */
7630 l2cap_recv_frame(conn, skb);
7634 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7636 if (skb->len > len) {
7637 BT_ERR("Frame is too long (len %d, expected len %d)",
7639 l2cap_conn_unreliable(conn, ECOMM);
7643 /* Allocate skb for the complete frame (with header) */
7644 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7648 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7650 conn->rx_len = len - skb->len;
7654 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7656 if (!conn->rx_len) {
7657 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7658 l2cap_conn_unreliable(conn, ECOMM);
7662 if (skb->len > conn->rx_len) {
7663 BT_ERR("Fragment is too long (len %d, expected %d)",
7664 skb->len, conn->rx_len);
7665 kfree_skb(conn->rx_skb);
7666 conn->rx_skb = NULL;
7668 l2cap_conn_unreliable(conn, ECOMM);
7672 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7674 conn->rx_len -= skb->len;
7676 if (!conn->rx_len) {
7677 /* Complete frame received. l2cap_recv_frame
7678 * takes ownership of the skb so set the global
7679 * rx_skb pointer to NULL first.
7681 struct sk_buff *rx_skb = conn->rx_skb;
7682 conn->rx_skb = NULL;
7683 l2cap_recv_frame(conn, rx_skb);
7692 static struct hci_cb l2cap_cb = {
7694 .connect_cfm = l2cap_connect_cfm,
7695 .disconn_cfm = l2cap_disconn_cfm,
7696 .security_cfm = l2cap_security_cfm,
7699 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7701 struct l2cap_chan *c;
7703 read_lock(&chan_list_lock);
7705 list_for_each_entry(c, &chan_list, global_l) {
7706 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7707 &c->src, c->src_type, &c->dst, c->dst_type,
7708 c->state, __le16_to_cpu(c->psm),
7709 c->scid, c->dcid, c->imtu, c->omtu,
7710 c->sec_level, c->mode);
7713 read_unlock(&chan_list_lock);
7718 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7720 static struct dentry *l2cap_debugfs;
7722 int __init l2cap_init(void)
7726 err = l2cap_init_sockets();
7730 hci_register_cb(&l2cap_cb);
7732 if (IS_ERR_OR_NULL(bt_debugfs))
7735 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7736 NULL, &l2cap_debugfs_fops);
7741 void l2cap_exit(void)
7743 debugfs_remove(l2cap_debugfs);
7744 hci_unregister_cb(&l2cap_cb);
7745 l2cap_cleanup_sockets();
7748 module_param(disable_ertm, bool, 0644);
7749 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / linux-2.6-block.git / blob