2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
36 #include <net/bluetooth/bluetooth.h>
37 #include <net/bluetooth/hci_core.h>
38 #include <net/bluetooth/l2cap.h>
44 #define LE_FLOWCTL_MAX_CREDITS 65535
48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
50 static LIST_HEAD(chan_list);
51 static DEFINE_RWLOCK(chan_list_lock);
53 static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54 static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
57 u8 code, u8 ident, u16 dlen, void *data);
58 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
60 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
61 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
63 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
64 struct sk_buff_head *skbs, u8 event);
66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
68 if (link_type == LE_LINK) {
69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
72 return BDADDR_LE_RANDOM;
78 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
80 return bdaddr_type(hcon->type, hcon->src_type);
83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
85 return bdaddr_type(hcon->type, hcon->dst_type);
88 /* ---- L2CAP channels ---- */
90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
95 list_for_each_entry(c, &conn->chan_l, list) {
102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
105 struct l2cap_chan *c;
107 list_for_each_entry(c, &conn->chan_l, list) {
114 /* Find channel with given SCID.
115 * Returns locked channel. */
116 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
119 struct l2cap_chan *c;
121 mutex_lock(&conn->chan_lock);
122 c = __l2cap_get_chan_by_scid(conn, cid);
125 mutex_unlock(&conn->chan_lock);
130 /* Find channel with given DCID.
131 * Returns locked channel.
133 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
136 struct l2cap_chan *c;
138 mutex_lock(&conn->chan_lock);
139 c = __l2cap_get_chan_by_dcid(conn, cid);
142 mutex_unlock(&conn->chan_lock);
147 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 struct l2cap_chan *c;
152 list_for_each_entry(c, &conn->chan_l, list) {
153 if (c->ident == ident)
159 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
162 struct l2cap_chan *c;
164 mutex_lock(&conn->chan_lock);
165 c = __l2cap_get_chan_by_ident(conn, ident);
168 mutex_unlock(&conn->chan_lock);
173 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
175 struct l2cap_chan *c;
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (c->sport == psm && !bacmp(&c->src, src))
184 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
188 write_lock(&chan_list_lock);
190 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
203 for (p = 0x1001; p < 0x1100; p += 2)
204 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
205 chan->psm = cpu_to_le16(p);
206 chan->sport = cpu_to_le16(p);
213 write_unlock(&chan_list_lock);
216 EXPORT_SYMBOL_GPL(l2cap_add_psm);
218 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
220 write_lock(&chan_list_lock);
222 /* Override the defaults (which are for conn-oriented) */
223 chan->omtu = L2CAP_DEFAULT_MTU;
224 chan->chan_type = L2CAP_CHAN_FIXED;
228 write_unlock(&chan_list_lock);
233 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
237 if (conn->hcon->type == LE_LINK)
238 dyn_end = L2CAP_CID_LE_DYN_END;
240 dyn_end = L2CAP_CID_DYN_END;
242 for (cid = L2CAP_CID_DYN_START; cid < dyn_end; cid++) {
243 if (!__l2cap_get_chan_by_scid(conn, cid))
250 static void l2cap_state_change(struct l2cap_chan *chan, int state)
252 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
253 state_to_string(state));
256 chan->ops->state_change(chan, state, 0);
259 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
263 chan->ops->state_change(chan, chan->state, err);
266 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
268 chan->ops->state_change(chan, chan->state, err);
271 static void __set_retrans_timer(struct l2cap_chan *chan)
273 if (!delayed_work_pending(&chan->monitor_timer) &&
274 chan->retrans_timeout) {
275 l2cap_set_timer(chan, &chan->retrans_timer,
276 msecs_to_jiffies(chan->retrans_timeout));
280 static void __set_monitor_timer(struct l2cap_chan *chan)
282 __clear_retrans_timer(chan);
283 if (chan->monitor_timeout) {
284 l2cap_set_timer(chan, &chan->monitor_timer,
285 msecs_to_jiffies(chan->monitor_timeout));
289 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
294 skb_queue_walk(head, skb) {
295 if (bt_cb(skb)->l2cap.txseq == seq)
302 /* ---- L2CAP sequence number lists ---- */
304 /* For ERTM, ordered lists of sequence numbers must be tracked for
305 * SREJ requests that are received and for frames that are to be
306 * retransmitted. These seq_list functions implement a singly-linked
307 * list in an array, where membership in the list can also be checked
308 * in constant time. Items can also be added to the tail of the list
309 * and removed from the head in constant time, without further memory
313 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
315 size_t alloc_size, i;
317 /* Allocated size is a power of 2 to map sequence numbers
318 * (which may be up to 14 bits) in to a smaller array that is
319 * sized for the negotiated ERTM transmit windows.
321 alloc_size = roundup_pow_of_two(size);
323 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
327 seq_list->mask = alloc_size - 1;
328 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
329 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
330 for (i = 0; i < alloc_size; i++)
331 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
336 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
338 kfree(seq_list->list);
341 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
344 /* Constant-time check for list membership */
345 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
348 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
350 u16 seq = seq_list->head;
351 u16 mask = seq_list->mask;
353 seq_list->head = seq_list->list[seq & mask];
354 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
356 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
357 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
358 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
364 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
378 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
380 u16 mask = seq_list->mask;
382 /* All appends happen in constant time */
384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
390 seq_list->list[seq_list->tail & mask] = seq;
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
396 static void l2cap_chan_timeout(struct work_struct *work)
398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
400 struct l2cap_conn *conn = chan->conn;
403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
405 mutex_lock(&conn->chan_lock);
406 l2cap_chan_lock(chan);
408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
409 reason = ECONNREFUSED;
410 else if (chan->state == BT_CONNECT &&
411 chan->sec_level != BT_SECURITY_SDP)
412 reason = ECONNREFUSED;
416 l2cap_chan_close(chan, reason);
418 l2cap_chan_unlock(chan);
420 chan->ops->close(chan);
421 mutex_unlock(&conn->chan_lock);
423 l2cap_chan_put(chan);
426 struct l2cap_chan *l2cap_chan_create(void)
428 struct l2cap_chan *chan;
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
434 mutex_init(&chan->lock);
436 /* Set default lock nesting level */
437 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
439 write_lock(&chan_list_lock);
440 list_add(&chan->global_l, &chan_list);
441 write_unlock(&chan_list_lock);
443 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
445 chan->state = BT_OPEN;
447 kref_init(&chan->kref);
449 /* This flag is cleared in l2cap_chan_ready() */
450 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
452 BT_DBG("chan %p", chan);
456 EXPORT_SYMBOL_GPL(l2cap_chan_create);
458 static void l2cap_chan_destroy(struct kref *kref)
460 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
462 BT_DBG("chan %p", chan);
464 write_lock(&chan_list_lock);
465 list_del(&chan->global_l);
466 write_unlock(&chan_list_lock);
471 void l2cap_chan_hold(struct l2cap_chan *c)
473 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
478 void l2cap_chan_put(struct l2cap_chan *c)
480 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
482 kref_put(&c->kref, l2cap_chan_destroy);
484 EXPORT_SYMBOL_GPL(l2cap_chan_put);
486 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
488 chan->fcs = L2CAP_FCS_CRC16;
489 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
490 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
491 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
492 chan->remote_max_tx = chan->max_tx;
493 chan->remote_tx_win = chan->tx_win;
494 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
495 chan->sec_level = BT_SECURITY_LOW;
496 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
497 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
498 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
499 chan->conf_state = 0;
501 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
503 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
505 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
508 chan->sdu_last_frag = NULL;
510 chan->tx_credits = 0;
511 chan->rx_credits = le_max_credits;
512 chan->mps = min_t(u16, chan->imtu, le_default_mps);
514 skb_queue_head_init(&chan->tx_q);
517 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
519 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
520 __le16_to_cpu(chan->psm), chan->dcid);
522 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
526 switch (chan->chan_type) {
527 case L2CAP_CHAN_CONN_ORIENTED:
528 /* Alloc CID for connection-oriented socket */
529 chan->scid = l2cap_alloc_cid(conn);
530 if (conn->hcon->type == ACL_LINK)
531 chan->omtu = L2CAP_DEFAULT_MTU;
534 case L2CAP_CHAN_CONN_LESS:
535 /* Connectionless socket */
536 chan->scid = L2CAP_CID_CONN_LESS;
537 chan->dcid = L2CAP_CID_CONN_LESS;
538 chan->omtu = L2CAP_DEFAULT_MTU;
541 case L2CAP_CHAN_FIXED:
542 /* Caller will set CID and CID specific MTU values */
546 /* Raw socket can send/recv signalling messages only */
547 chan->scid = L2CAP_CID_SIGNALING;
548 chan->dcid = L2CAP_CID_SIGNALING;
549 chan->omtu = L2CAP_DEFAULT_MTU;
552 chan->local_id = L2CAP_BESTEFFORT_ID;
553 chan->local_stype = L2CAP_SERV_BESTEFFORT;
554 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
555 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
556 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
557 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
559 l2cap_chan_hold(chan);
561 /* Only keep a reference for fixed channels if they requested it */
562 if (chan->chan_type != L2CAP_CHAN_FIXED ||
563 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
564 hci_conn_hold(conn->hcon);
566 list_add(&chan->list, &conn->chan_l);
569 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
571 mutex_lock(&conn->chan_lock);
572 __l2cap_chan_add(conn, chan);
573 mutex_unlock(&conn->chan_lock);
576 void l2cap_chan_del(struct l2cap_chan *chan, int err)
578 struct l2cap_conn *conn = chan->conn;
580 __clear_chan_timer(chan);
582 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
583 state_to_string(chan->state));
585 chan->ops->teardown(chan, err);
588 struct amp_mgr *mgr = conn->hcon->amp_mgr;
589 /* Delete from channel list */
590 list_del(&chan->list);
592 l2cap_chan_put(chan);
596 /* Reference was only held for non-fixed channels or
597 * fixed channels that explicitly requested it using the
598 * FLAG_HOLD_HCI_CONN flag.
600 if (chan->chan_type != L2CAP_CHAN_FIXED ||
601 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
602 hci_conn_drop(conn->hcon);
604 if (mgr && mgr->bredr_chan == chan)
605 mgr->bredr_chan = NULL;
608 if (chan->hs_hchan) {
609 struct hci_chan *hs_hchan = chan->hs_hchan;
611 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
612 amp_disconnect_logical_link(hs_hchan);
615 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
619 case L2CAP_MODE_BASIC:
622 case L2CAP_MODE_LE_FLOWCTL:
623 skb_queue_purge(&chan->tx_q);
626 case L2CAP_MODE_ERTM:
627 __clear_retrans_timer(chan);
628 __clear_monitor_timer(chan);
629 __clear_ack_timer(chan);
631 skb_queue_purge(&chan->srej_q);
633 l2cap_seq_list_free(&chan->srej_list);
634 l2cap_seq_list_free(&chan->retrans_list);
638 case L2CAP_MODE_STREAMING:
639 skb_queue_purge(&chan->tx_q);
645 EXPORT_SYMBOL_GPL(l2cap_chan_del);
647 static void l2cap_conn_update_id_addr(struct work_struct *work)
649 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
650 id_addr_update_work);
651 struct hci_conn *hcon = conn->hcon;
652 struct l2cap_chan *chan;
654 mutex_lock(&conn->chan_lock);
656 list_for_each_entry(chan, &conn->chan_l, list) {
657 l2cap_chan_lock(chan);
658 bacpy(&chan->dst, &hcon->dst);
659 chan->dst_type = bdaddr_dst_type(hcon);
660 l2cap_chan_unlock(chan);
663 mutex_unlock(&conn->chan_lock);
666 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
668 struct l2cap_conn *conn = chan->conn;
669 struct l2cap_le_conn_rsp rsp;
672 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
673 result = L2CAP_CR_AUTHORIZATION;
675 result = L2CAP_CR_BAD_PSM;
677 l2cap_state_change(chan, BT_DISCONN);
679 rsp.dcid = cpu_to_le16(chan->scid);
680 rsp.mtu = cpu_to_le16(chan->imtu);
681 rsp.mps = cpu_to_le16(chan->mps);
682 rsp.credits = cpu_to_le16(chan->rx_credits);
683 rsp.result = cpu_to_le16(result);
685 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
689 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
691 struct l2cap_conn *conn = chan->conn;
692 struct l2cap_conn_rsp rsp;
695 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
696 result = L2CAP_CR_SEC_BLOCK;
698 result = L2CAP_CR_BAD_PSM;
700 l2cap_state_change(chan, BT_DISCONN);
702 rsp.scid = cpu_to_le16(chan->dcid);
703 rsp.dcid = cpu_to_le16(chan->scid);
704 rsp.result = cpu_to_le16(result);
705 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
707 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
710 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
712 struct l2cap_conn *conn = chan->conn;
714 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
716 switch (chan->state) {
718 chan->ops->teardown(chan, 0);
723 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
724 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
725 l2cap_send_disconn_req(chan, reason);
727 l2cap_chan_del(chan, reason);
731 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
732 if (conn->hcon->type == ACL_LINK)
733 l2cap_chan_connect_reject(chan);
734 else if (conn->hcon->type == LE_LINK)
735 l2cap_chan_le_connect_reject(chan);
738 l2cap_chan_del(chan, reason);
743 l2cap_chan_del(chan, reason);
747 chan->ops->teardown(chan, 0);
751 EXPORT_SYMBOL(l2cap_chan_close);
753 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
755 switch (chan->chan_type) {
757 switch (chan->sec_level) {
758 case BT_SECURITY_HIGH:
759 case BT_SECURITY_FIPS:
760 return HCI_AT_DEDICATED_BONDING_MITM;
761 case BT_SECURITY_MEDIUM:
762 return HCI_AT_DEDICATED_BONDING;
764 return HCI_AT_NO_BONDING;
767 case L2CAP_CHAN_CONN_LESS:
768 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
769 if (chan->sec_level == BT_SECURITY_LOW)
770 chan->sec_level = BT_SECURITY_SDP;
772 if (chan->sec_level == BT_SECURITY_HIGH ||
773 chan->sec_level == BT_SECURITY_FIPS)
774 return HCI_AT_NO_BONDING_MITM;
776 return HCI_AT_NO_BONDING;
778 case L2CAP_CHAN_CONN_ORIENTED:
779 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
780 if (chan->sec_level == BT_SECURITY_LOW)
781 chan->sec_level = BT_SECURITY_SDP;
783 if (chan->sec_level == BT_SECURITY_HIGH ||
784 chan->sec_level == BT_SECURITY_FIPS)
785 return HCI_AT_NO_BONDING_MITM;
787 return HCI_AT_NO_BONDING;
791 switch (chan->sec_level) {
792 case BT_SECURITY_HIGH:
793 case BT_SECURITY_FIPS:
794 return HCI_AT_GENERAL_BONDING_MITM;
795 case BT_SECURITY_MEDIUM:
796 return HCI_AT_GENERAL_BONDING;
798 return HCI_AT_NO_BONDING;
804 /* Service level security */
805 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
807 struct l2cap_conn *conn = chan->conn;
810 if (conn->hcon->type == LE_LINK)
811 return smp_conn_security(conn->hcon, chan->sec_level);
813 auth_type = l2cap_get_auth_type(chan);
815 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
819 static u8 l2cap_get_ident(struct l2cap_conn *conn)
823 /* Get next available identificator.
824 * 1 - 128 are used by kernel.
825 * 129 - 199 are reserved.
826 * 200 - 254 are used by utilities like l2ping, etc.
829 mutex_lock(&conn->ident_lock);
831 if (++conn->tx_ident > 128)
836 mutex_unlock(&conn->ident_lock);
841 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
844 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
847 BT_DBG("code 0x%2.2x", code);
852 /* Use NO_FLUSH if supported or we have an LE link (which does
853 * not support auto-flushing packets) */
854 if (lmp_no_flush_capable(conn->hcon->hdev) ||
855 conn->hcon->type == LE_LINK)
856 flags = ACL_START_NO_FLUSH;
860 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
861 skb->priority = HCI_PRIO_MAX;
863 hci_send_acl(conn->hchan, skb, flags);
866 static bool __chan_is_moving(struct l2cap_chan *chan)
868 return chan->move_state != L2CAP_MOVE_STABLE &&
869 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
872 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
874 struct hci_conn *hcon = chan->conn->hcon;
877 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
880 if (chan->hs_hcon && !__chan_is_moving(chan)) {
882 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
889 /* Use NO_FLUSH for LE links (where this is the only option) or
890 * if the BR/EDR link supports it and flushing has not been
891 * explicitly requested (through FLAG_FLUSHABLE).
893 if (hcon->type == LE_LINK ||
894 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
895 lmp_no_flush_capable(hcon->hdev)))
896 flags = ACL_START_NO_FLUSH;
900 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
901 hci_send_acl(chan->conn->hchan, skb, flags);
904 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
906 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
907 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
909 if (enh & L2CAP_CTRL_FRAME_TYPE) {
912 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
913 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
920 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
921 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
928 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
930 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
931 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
933 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
936 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
937 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
944 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
945 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
952 static inline void __unpack_control(struct l2cap_chan *chan,
955 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
956 __unpack_extended_control(get_unaligned_le32(skb->data),
958 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
960 __unpack_enhanced_control(get_unaligned_le16(skb->data),
962 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
966 static u32 __pack_extended_control(struct l2cap_ctrl *control)
970 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
971 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
973 if (control->sframe) {
974 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
975 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
976 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
978 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
979 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
985 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
989 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
990 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
992 if (control->sframe) {
993 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
994 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
995 packed |= L2CAP_CTRL_FRAME_TYPE;
997 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
998 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1004 static inline void __pack_control(struct l2cap_chan *chan,
1005 struct l2cap_ctrl *control,
1006 struct sk_buff *skb)
1008 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1009 put_unaligned_le32(__pack_extended_control(control),
1010 skb->data + L2CAP_HDR_SIZE);
1012 put_unaligned_le16(__pack_enhanced_control(control),
1013 skb->data + L2CAP_HDR_SIZE);
1017 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1019 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1020 return L2CAP_EXT_HDR_SIZE;
1022 return L2CAP_ENH_HDR_SIZE;
1025 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1028 struct sk_buff *skb;
1029 struct l2cap_hdr *lh;
1030 int hlen = __ertm_hdr_size(chan);
1032 if (chan->fcs == L2CAP_FCS_CRC16)
1033 hlen += L2CAP_FCS_SIZE;
1035 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1038 return ERR_PTR(-ENOMEM);
1040 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1041 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1042 lh->cid = cpu_to_le16(chan->dcid);
1044 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1045 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1047 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1049 if (chan->fcs == L2CAP_FCS_CRC16) {
1050 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1051 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1054 skb->priority = HCI_PRIO_MAX;
1058 static void l2cap_send_sframe(struct l2cap_chan *chan,
1059 struct l2cap_ctrl *control)
1061 struct sk_buff *skb;
1064 BT_DBG("chan %p, control %p", chan, control);
1066 if (!control->sframe)
1069 if (__chan_is_moving(chan))
1072 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1076 if (control->super == L2CAP_SUPER_RR)
1077 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1078 else if (control->super == L2CAP_SUPER_RNR)
1079 set_bit(CONN_RNR_SENT, &chan->conn_state);
1081 if (control->super != L2CAP_SUPER_SREJ) {
1082 chan->last_acked_seq = control->reqseq;
1083 __clear_ack_timer(chan);
1086 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1087 control->final, control->poll, control->super);
1089 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1090 control_field = __pack_extended_control(control);
1092 control_field = __pack_enhanced_control(control);
1094 skb = l2cap_create_sframe_pdu(chan, control_field);
1096 l2cap_do_send(chan, skb);
1099 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1101 struct l2cap_ctrl control;
1103 BT_DBG("chan %p, poll %d", chan, poll);
1105 memset(&control, 0, sizeof(control));
1107 control.poll = poll;
1109 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1110 control.super = L2CAP_SUPER_RNR;
1112 control.super = L2CAP_SUPER_RR;
1114 control.reqseq = chan->buffer_seq;
1115 l2cap_send_sframe(chan, &control);
1118 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1120 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1123 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1126 static bool __amp_capable(struct l2cap_chan *chan)
1128 struct l2cap_conn *conn = chan->conn;
1129 struct hci_dev *hdev;
1130 bool amp_available = false;
1132 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1135 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1138 read_lock(&hci_dev_list_lock);
1139 list_for_each_entry(hdev, &hci_dev_list, list) {
1140 if (hdev->amp_type != AMP_TYPE_BREDR &&
1141 test_bit(HCI_UP, &hdev->flags)) {
1142 amp_available = true;
1146 read_unlock(&hci_dev_list_lock);
1148 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1149 return amp_available;
1154 static bool l2cap_check_efs(struct l2cap_chan *chan)
1156 /* Check EFS parameters */
1160 void l2cap_send_conn_req(struct l2cap_chan *chan)
1162 struct l2cap_conn *conn = chan->conn;
1163 struct l2cap_conn_req req;
1165 req.scid = cpu_to_le16(chan->scid);
1166 req.psm = chan->psm;
1168 chan->ident = l2cap_get_ident(conn);
1170 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1172 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1175 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1177 struct l2cap_create_chan_req req;
1178 req.scid = cpu_to_le16(chan->scid);
1179 req.psm = chan->psm;
1180 req.amp_id = amp_id;
1182 chan->ident = l2cap_get_ident(chan->conn);
1184 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1188 static void l2cap_move_setup(struct l2cap_chan *chan)
1190 struct sk_buff *skb;
1192 BT_DBG("chan %p", chan);
1194 if (chan->mode != L2CAP_MODE_ERTM)
1197 __clear_retrans_timer(chan);
1198 __clear_monitor_timer(chan);
1199 __clear_ack_timer(chan);
1201 chan->retry_count = 0;
1202 skb_queue_walk(&chan->tx_q, skb) {
1203 if (bt_cb(skb)->l2cap.retries)
1204 bt_cb(skb)->l2cap.retries = 1;
1209 chan->expected_tx_seq = chan->buffer_seq;
1211 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1212 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1213 l2cap_seq_list_clear(&chan->retrans_list);
1214 l2cap_seq_list_clear(&chan->srej_list);
1215 skb_queue_purge(&chan->srej_q);
1217 chan->tx_state = L2CAP_TX_STATE_XMIT;
1218 chan->rx_state = L2CAP_RX_STATE_MOVE;
1220 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1223 static void l2cap_move_done(struct l2cap_chan *chan)
1225 u8 move_role = chan->move_role;
1226 BT_DBG("chan %p", chan);
1228 chan->move_state = L2CAP_MOVE_STABLE;
1229 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1231 if (chan->mode != L2CAP_MODE_ERTM)
1234 switch (move_role) {
1235 case L2CAP_MOVE_ROLE_INITIATOR:
1236 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1237 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1239 case L2CAP_MOVE_ROLE_RESPONDER:
1240 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1245 static void l2cap_chan_ready(struct l2cap_chan *chan)
1247 /* The channel may have already been flagged as connected in
1248 * case of receiving data before the L2CAP info req/rsp
1249 * procedure is complete.
1251 if (chan->state == BT_CONNECTED)
1254 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1255 chan->conf_state = 0;
1256 __clear_chan_timer(chan);
1258 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1259 chan->ops->suspend(chan);
1261 chan->state = BT_CONNECTED;
1263 chan->ops->ready(chan);
1266 static void l2cap_le_connect(struct l2cap_chan *chan)
1268 struct l2cap_conn *conn = chan->conn;
1269 struct l2cap_le_conn_req req;
1271 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1274 req.psm = chan->psm;
1275 req.scid = cpu_to_le16(chan->scid);
1276 req.mtu = cpu_to_le16(chan->imtu);
1277 req.mps = cpu_to_le16(chan->mps);
1278 req.credits = cpu_to_le16(chan->rx_credits);
1280 chan->ident = l2cap_get_ident(conn);
1282 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1286 static void l2cap_le_start(struct l2cap_chan *chan)
1288 struct l2cap_conn *conn = chan->conn;
1290 if (!smp_conn_security(conn->hcon, chan->sec_level))
1294 l2cap_chan_ready(chan);
1298 if (chan->state == BT_CONNECT)
1299 l2cap_le_connect(chan);
1302 static void l2cap_start_connection(struct l2cap_chan *chan)
1304 if (__amp_capable(chan)) {
1305 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1306 a2mp_discover_amp(chan);
1307 } else if (chan->conn->hcon->type == LE_LINK) {
1308 l2cap_le_start(chan);
1310 l2cap_send_conn_req(chan);
1314 static void l2cap_request_info(struct l2cap_conn *conn)
1316 struct l2cap_info_req req;
1318 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1321 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1323 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1324 conn->info_ident = l2cap_get_ident(conn);
1326 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1328 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1332 static void l2cap_do_start(struct l2cap_chan *chan)
1334 struct l2cap_conn *conn = chan->conn;
1336 if (conn->hcon->type == LE_LINK) {
1337 l2cap_le_start(chan);
1341 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1342 l2cap_request_info(conn);
1346 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1349 if (l2cap_chan_check_security(chan, true) &&
1350 __l2cap_no_conn_pending(chan))
1351 l2cap_start_connection(chan);
1354 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1356 u32 local_feat_mask = l2cap_feat_mask;
1358 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1361 case L2CAP_MODE_ERTM:
1362 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1363 case L2CAP_MODE_STREAMING:
1364 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1370 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1372 struct l2cap_conn *conn = chan->conn;
1373 struct l2cap_disconn_req req;
1378 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1379 __clear_retrans_timer(chan);
1380 __clear_monitor_timer(chan);
1381 __clear_ack_timer(chan);
1384 if (chan->scid == L2CAP_CID_A2MP) {
1385 l2cap_state_change(chan, BT_DISCONN);
1389 req.dcid = cpu_to_le16(chan->dcid);
1390 req.scid = cpu_to_le16(chan->scid);
1391 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1394 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1397 /* ---- L2CAP connections ---- */
1398 static void l2cap_conn_start(struct l2cap_conn *conn)
1400 struct l2cap_chan *chan, *tmp;
1402 BT_DBG("conn %p", conn);
1404 mutex_lock(&conn->chan_lock);
1406 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1407 l2cap_chan_lock(chan);
1409 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1410 l2cap_chan_ready(chan);
1411 l2cap_chan_unlock(chan);
1415 if (chan->state == BT_CONNECT) {
1416 if (!l2cap_chan_check_security(chan, true) ||
1417 !__l2cap_no_conn_pending(chan)) {
1418 l2cap_chan_unlock(chan);
1422 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1423 && test_bit(CONF_STATE2_DEVICE,
1424 &chan->conf_state)) {
1425 l2cap_chan_close(chan, ECONNRESET);
1426 l2cap_chan_unlock(chan);
1430 l2cap_start_connection(chan);
1432 } else if (chan->state == BT_CONNECT2) {
1433 struct l2cap_conn_rsp rsp;
1435 rsp.scid = cpu_to_le16(chan->dcid);
1436 rsp.dcid = cpu_to_le16(chan->scid);
1438 if (l2cap_chan_check_security(chan, false)) {
1439 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1440 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1441 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1442 chan->ops->defer(chan);
1445 l2cap_state_change(chan, BT_CONFIG);
1446 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1447 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1450 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1451 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1454 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1457 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1458 rsp.result != L2CAP_CR_SUCCESS) {
1459 l2cap_chan_unlock(chan);
1463 set_bit(CONF_REQ_SENT, &chan->conf_state);
1464 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1465 l2cap_build_conf_req(chan, buf), buf);
1466 chan->num_conf_req++;
1469 l2cap_chan_unlock(chan);
1472 mutex_unlock(&conn->chan_lock);
1475 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1477 struct hci_conn *hcon = conn->hcon;
1478 struct hci_dev *hdev = hcon->hdev;
1480 BT_DBG("%s conn %p", hdev->name, conn);
1482 /* For outgoing pairing which doesn't necessarily have an
1483 * associated socket (e.g. mgmt_pair_device).
1486 smp_conn_security(hcon, hcon->pending_sec_level);
1488 /* For LE slave connections, make sure the connection interval
1489 * is in the range of the minium and maximum interval that has
1490 * been configured for this connection. If not, then trigger
1491 * the connection update procedure.
1493 if (hcon->role == HCI_ROLE_SLAVE &&
1494 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1495 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1496 struct l2cap_conn_param_update_req req;
1498 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1499 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1500 req.latency = cpu_to_le16(hcon->le_conn_latency);
1501 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1503 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1504 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1508 static void l2cap_conn_ready(struct l2cap_conn *conn)
1510 struct l2cap_chan *chan;
1511 struct hci_conn *hcon = conn->hcon;
1513 BT_DBG("conn %p", conn);
1515 if (hcon->type == ACL_LINK)
1516 l2cap_request_info(conn);
1518 mutex_lock(&conn->chan_lock);
1520 list_for_each_entry(chan, &conn->chan_l, list) {
1522 l2cap_chan_lock(chan);
1524 if (chan->scid == L2CAP_CID_A2MP) {
1525 l2cap_chan_unlock(chan);
1529 if (hcon->type == LE_LINK) {
1530 l2cap_le_start(chan);
1531 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1532 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1533 l2cap_chan_ready(chan);
1534 } else if (chan->state == BT_CONNECT) {
1535 l2cap_do_start(chan);
1538 l2cap_chan_unlock(chan);
1541 mutex_unlock(&conn->chan_lock);
1543 if (hcon->type == LE_LINK)
1544 l2cap_le_conn_ready(conn);
1546 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1549 /* Notify sockets that we cannot guaranty reliability anymore */
1550 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1552 struct l2cap_chan *chan;
1554 BT_DBG("conn %p", conn);
1556 mutex_lock(&conn->chan_lock);
1558 list_for_each_entry(chan, &conn->chan_l, list) {
1559 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1560 l2cap_chan_set_err(chan, err);
1563 mutex_unlock(&conn->chan_lock);
1566 static void l2cap_info_timeout(struct work_struct *work)
1568 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1571 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1572 conn->info_ident = 0;
1574 l2cap_conn_start(conn);
1579 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1580 * callback is called during registration. The ->remove callback is called
1581 * during unregistration.
1582 * An l2cap_user object can either be explicitly unregistered or when the
1583 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1584 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1585 * External modules must own a reference to the l2cap_conn object if they intend
1586 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1587 * any time if they don't.
1590 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1592 struct hci_dev *hdev = conn->hcon->hdev;
1595 /* We need to check whether l2cap_conn is registered. If it is not, we
1596 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1597 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1598 * relies on the parent hci_conn object to be locked. This itself relies
1599 * on the hci_dev object to be locked. So we must lock the hci device
1604 if (user->list.next || user->list.prev) {
1609 /* conn->hchan is NULL after l2cap_conn_del() was called */
1615 ret = user->probe(conn, user);
1619 list_add(&user->list, &conn->users);
1623 hci_dev_unlock(hdev);
1626 EXPORT_SYMBOL(l2cap_register_user);
1628 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1630 struct hci_dev *hdev = conn->hcon->hdev;
1634 if (!user->list.next || !user->list.prev)
1637 list_del(&user->list);
1638 user->list.next = NULL;
1639 user->list.prev = NULL;
1640 user->remove(conn, user);
1643 hci_dev_unlock(hdev);
1645 EXPORT_SYMBOL(l2cap_unregister_user);
1647 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1649 struct l2cap_user *user;
1651 while (!list_empty(&conn->users)) {
1652 user = list_first_entry(&conn->users, struct l2cap_user, list);
1653 list_del(&user->list);
1654 user->list.next = NULL;
1655 user->list.prev = NULL;
1656 user->remove(conn, user);
1660 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1662 struct l2cap_conn *conn = hcon->l2cap_data;
1663 struct l2cap_chan *chan, *l;
1668 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1670 kfree_skb(conn->rx_skb);
1672 skb_queue_purge(&conn->pending_rx);
1674 /* We can not call flush_work(&conn->pending_rx_work) here since we
1675 * might block if we are running on a worker from the same workqueue
1676 * pending_rx_work is waiting on.
1678 if (work_pending(&conn->pending_rx_work))
1679 cancel_work_sync(&conn->pending_rx_work);
1681 if (work_pending(&conn->id_addr_update_work))
1682 cancel_work_sync(&conn->id_addr_update_work);
1684 l2cap_unregister_all_users(conn);
1686 /* Force the connection to be immediately dropped */
1687 hcon->disc_timeout = 0;
1689 mutex_lock(&conn->chan_lock);
1692 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1693 l2cap_chan_hold(chan);
1694 l2cap_chan_lock(chan);
1696 l2cap_chan_del(chan, err);
1698 l2cap_chan_unlock(chan);
1700 chan->ops->close(chan);
1701 l2cap_chan_put(chan);
1704 mutex_unlock(&conn->chan_lock);
1706 hci_chan_del(conn->hchan);
1708 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1709 cancel_delayed_work_sync(&conn->info_timer);
1711 hcon->l2cap_data = NULL;
1713 l2cap_conn_put(conn);
1716 static void l2cap_conn_free(struct kref *ref)
1718 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1720 hci_conn_put(conn->hcon);
1724 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1726 kref_get(&conn->ref);
1729 EXPORT_SYMBOL(l2cap_conn_get);
1731 void l2cap_conn_put(struct l2cap_conn *conn)
1733 kref_put(&conn->ref, l2cap_conn_free);
1735 EXPORT_SYMBOL(l2cap_conn_put);
1737 /* ---- Socket interface ---- */
1739 /* Find socket with psm and source / destination bdaddr.
1740 * Returns closest match.
1742 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1747 struct l2cap_chan *c, *c1 = NULL;
1749 read_lock(&chan_list_lock);
1751 list_for_each_entry(c, &chan_list, global_l) {
1752 if (state && c->state != state)
1755 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1758 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1761 if (c->psm == psm) {
1762 int src_match, dst_match;
1763 int src_any, dst_any;
1766 src_match = !bacmp(&c->src, src);
1767 dst_match = !bacmp(&c->dst, dst);
1768 if (src_match && dst_match) {
1770 read_unlock(&chan_list_lock);
1775 src_any = !bacmp(&c->src, BDADDR_ANY);
1776 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1777 if ((src_match && dst_any) || (src_any && dst_match) ||
1778 (src_any && dst_any))
1784 l2cap_chan_hold(c1);
1786 read_unlock(&chan_list_lock);
1791 static void l2cap_monitor_timeout(struct work_struct *work)
1793 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1794 monitor_timer.work);
1796 BT_DBG("chan %p", chan);
1798 l2cap_chan_lock(chan);
1801 l2cap_chan_unlock(chan);
1802 l2cap_chan_put(chan);
1806 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1808 l2cap_chan_unlock(chan);
1809 l2cap_chan_put(chan);
1812 static void l2cap_retrans_timeout(struct work_struct *work)
1814 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1815 retrans_timer.work);
1817 BT_DBG("chan %p", chan);
1819 l2cap_chan_lock(chan);
1822 l2cap_chan_unlock(chan);
1823 l2cap_chan_put(chan);
1827 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1828 l2cap_chan_unlock(chan);
1829 l2cap_chan_put(chan);
1832 static void l2cap_streaming_send(struct l2cap_chan *chan,
1833 struct sk_buff_head *skbs)
1835 struct sk_buff *skb;
1836 struct l2cap_ctrl *control;
1838 BT_DBG("chan %p, skbs %p", chan, skbs);
1840 if (__chan_is_moving(chan))
1843 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1845 while (!skb_queue_empty(&chan->tx_q)) {
1847 skb = skb_dequeue(&chan->tx_q);
1849 bt_cb(skb)->l2cap.retries = 1;
1850 control = &bt_cb(skb)->l2cap;
1852 control->reqseq = 0;
1853 control->txseq = chan->next_tx_seq;
1855 __pack_control(chan, control, skb);
1857 if (chan->fcs == L2CAP_FCS_CRC16) {
1858 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1859 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1862 l2cap_do_send(chan, skb);
1864 BT_DBG("Sent txseq %u", control->txseq);
1866 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1867 chan->frames_sent++;
1871 static int l2cap_ertm_send(struct l2cap_chan *chan)
1873 struct sk_buff *skb, *tx_skb;
1874 struct l2cap_ctrl *control;
1877 BT_DBG("chan %p", chan);
1879 if (chan->state != BT_CONNECTED)
1882 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1885 if (__chan_is_moving(chan))
1888 while (chan->tx_send_head &&
1889 chan->unacked_frames < chan->remote_tx_win &&
1890 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1892 skb = chan->tx_send_head;
1894 bt_cb(skb)->l2cap.retries = 1;
1895 control = &bt_cb(skb)->l2cap;
1897 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1900 control->reqseq = chan->buffer_seq;
1901 chan->last_acked_seq = chan->buffer_seq;
1902 control->txseq = chan->next_tx_seq;
1904 __pack_control(chan, control, skb);
1906 if (chan->fcs == L2CAP_FCS_CRC16) {
1907 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1908 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1911 /* Clone after data has been modified. Data is assumed to be
1912 read-only (for locking purposes) on cloned sk_buffs.
1914 tx_skb = skb_clone(skb, GFP_KERNEL);
1919 __set_retrans_timer(chan);
1921 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1922 chan->unacked_frames++;
1923 chan->frames_sent++;
1926 if (skb_queue_is_last(&chan->tx_q, skb))
1927 chan->tx_send_head = NULL;
1929 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1931 l2cap_do_send(chan, tx_skb);
1932 BT_DBG("Sent txseq %u", control->txseq);
1935 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1936 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1941 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1943 struct l2cap_ctrl control;
1944 struct sk_buff *skb;
1945 struct sk_buff *tx_skb;
1948 BT_DBG("chan %p", chan);
1950 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1953 if (__chan_is_moving(chan))
1956 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1957 seq = l2cap_seq_list_pop(&chan->retrans_list);
1959 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1961 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1966 bt_cb(skb)->l2cap.retries++;
1967 control = bt_cb(skb)->l2cap;
1969 if (chan->max_tx != 0 &&
1970 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1971 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1972 l2cap_send_disconn_req(chan, ECONNRESET);
1973 l2cap_seq_list_clear(&chan->retrans_list);
1977 control.reqseq = chan->buffer_seq;
1978 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1983 if (skb_cloned(skb)) {
1984 /* Cloned sk_buffs are read-only, so we need a
1987 tx_skb = skb_copy(skb, GFP_KERNEL);
1989 tx_skb = skb_clone(skb, GFP_KERNEL);
1993 l2cap_seq_list_clear(&chan->retrans_list);
1997 /* Update skb contents */
1998 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1999 put_unaligned_le32(__pack_extended_control(&control),
2000 tx_skb->data + L2CAP_HDR_SIZE);
2002 put_unaligned_le16(__pack_enhanced_control(&control),
2003 tx_skb->data + L2CAP_HDR_SIZE);
2007 if (chan->fcs == L2CAP_FCS_CRC16) {
2008 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2009 tx_skb->len - L2CAP_FCS_SIZE);
2010 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2014 l2cap_do_send(chan, tx_skb);
2016 BT_DBG("Resent txseq %d", control.txseq);
2018 chan->last_acked_seq = chan->buffer_seq;
2022 static void l2cap_retransmit(struct l2cap_chan *chan,
2023 struct l2cap_ctrl *control)
2025 BT_DBG("chan %p, control %p", chan, control);
2027 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2028 l2cap_ertm_resend(chan);
2031 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2032 struct l2cap_ctrl *control)
2034 struct sk_buff *skb;
2036 BT_DBG("chan %p, control %p", chan, control);
2039 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2041 l2cap_seq_list_clear(&chan->retrans_list);
2043 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2046 if (chan->unacked_frames) {
2047 skb_queue_walk(&chan->tx_q, skb) {
2048 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2049 skb == chan->tx_send_head)
2053 skb_queue_walk_from(&chan->tx_q, skb) {
2054 if (skb == chan->tx_send_head)
2057 l2cap_seq_list_append(&chan->retrans_list,
2058 bt_cb(skb)->l2cap.txseq);
2061 l2cap_ertm_resend(chan);
2065 static void l2cap_send_ack(struct l2cap_chan *chan)
2067 struct l2cap_ctrl control;
2068 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2069 chan->last_acked_seq);
2072 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2073 chan, chan->last_acked_seq, chan->buffer_seq);
2075 memset(&control, 0, sizeof(control));
2078 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2079 chan->rx_state == L2CAP_RX_STATE_RECV) {
2080 __clear_ack_timer(chan);
2081 control.super = L2CAP_SUPER_RNR;
2082 control.reqseq = chan->buffer_seq;
2083 l2cap_send_sframe(chan, &control);
2085 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2086 l2cap_ertm_send(chan);
2087 /* If any i-frames were sent, they included an ack */
2088 if (chan->buffer_seq == chan->last_acked_seq)
2092 /* Ack now if the window is 3/4ths full.
2093 * Calculate without mul or div
2095 threshold = chan->ack_win;
2096 threshold += threshold << 1;
2099 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2102 if (frames_to_ack >= threshold) {
2103 __clear_ack_timer(chan);
2104 control.super = L2CAP_SUPER_RR;
2105 control.reqseq = chan->buffer_seq;
2106 l2cap_send_sframe(chan, &control);
2111 __set_ack_timer(chan);
2115 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2116 struct msghdr *msg, int len,
2117 int count, struct sk_buff *skb)
2119 struct l2cap_conn *conn = chan->conn;
2120 struct sk_buff **frag;
2123 if (copy_from_iter(skb_put(skb, count), count, &msg->msg_iter) != count)
2129 /* Continuation fragments (no L2CAP header) */
2130 frag = &skb_shinfo(skb)->frag_list;
2132 struct sk_buff *tmp;
2134 count = min_t(unsigned int, conn->mtu, len);
2136 tmp = chan->ops->alloc_skb(chan, 0, count,
2137 msg->msg_flags & MSG_DONTWAIT);
2139 return PTR_ERR(tmp);
2143 if (copy_from_iter(skb_put(*frag, count), count,
2144 &msg->msg_iter) != count)
2150 skb->len += (*frag)->len;
2151 skb->data_len += (*frag)->len;
2153 frag = &(*frag)->next;
2159 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2160 struct msghdr *msg, size_t len)
2162 struct l2cap_conn *conn = chan->conn;
2163 struct sk_buff *skb;
2164 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2165 struct l2cap_hdr *lh;
2167 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2168 __le16_to_cpu(chan->psm), len);
2170 count = min_t(unsigned int, (conn->mtu - hlen), len);
2172 skb = chan->ops->alloc_skb(chan, hlen, count,
2173 msg->msg_flags & MSG_DONTWAIT);
2177 /* Create L2CAP header */
2178 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2179 lh->cid = cpu_to_le16(chan->dcid);
2180 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2181 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2183 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2184 if (unlikely(err < 0)) {
2186 return ERR_PTR(err);
2191 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2192 struct msghdr *msg, size_t len)
2194 struct l2cap_conn *conn = chan->conn;
2195 struct sk_buff *skb;
2197 struct l2cap_hdr *lh;
2199 BT_DBG("chan %p len %zu", chan, len);
2201 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2203 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2204 msg->msg_flags & MSG_DONTWAIT);
2208 /* Create L2CAP header */
2209 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2210 lh->cid = cpu_to_le16(chan->dcid);
2211 lh->len = cpu_to_le16(len);
2213 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2214 if (unlikely(err < 0)) {
2216 return ERR_PTR(err);
2221 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2222 struct msghdr *msg, size_t len,
2225 struct l2cap_conn *conn = chan->conn;
2226 struct sk_buff *skb;
2227 int err, count, hlen;
2228 struct l2cap_hdr *lh;
2230 BT_DBG("chan %p len %zu", chan, len);
2233 return ERR_PTR(-ENOTCONN);
2235 hlen = __ertm_hdr_size(chan);
2238 hlen += L2CAP_SDULEN_SIZE;
2240 if (chan->fcs == L2CAP_FCS_CRC16)
2241 hlen += L2CAP_FCS_SIZE;
2243 count = min_t(unsigned int, (conn->mtu - hlen), len);
2245 skb = chan->ops->alloc_skb(chan, hlen, count,
2246 msg->msg_flags & MSG_DONTWAIT);
2250 /* Create L2CAP header */
2251 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2252 lh->cid = cpu_to_le16(chan->dcid);
2253 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2255 /* Control header is populated later */
2256 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2257 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2259 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2262 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2264 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2265 if (unlikely(err < 0)) {
2267 return ERR_PTR(err);
2270 bt_cb(skb)->l2cap.fcs = chan->fcs;
2271 bt_cb(skb)->l2cap.retries = 0;
2275 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2276 struct sk_buff_head *seg_queue,
2277 struct msghdr *msg, size_t len)
2279 struct sk_buff *skb;
2284 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2286 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2287 * so fragmented skbs are not used. The HCI layer's handling
2288 * of fragmented skbs is not compatible with ERTM's queueing.
2291 /* PDU size is derived from the HCI MTU */
2292 pdu_len = chan->conn->mtu;
2294 /* Constrain PDU size for BR/EDR connections */
2296 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2298 /* Adjust for largest possible L2CAP overhead. */
2300 pdu_len -= L2CAP_FCS_SIZE;
2302 pdu_len -= __ertm_hdr_size(chan);
2304 /* Remote device may have requested smaller PDUs */
2305 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2307 if (len <= pdu_len) {
2308 sar = L2CAP_SAR_UNSEGMENTED;
2312 sar = L2CAP_SAR_START;
2317 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2320 __skb_queue_purge(seg_queue);
2321 return PTR_ERR(skb);
2324 bt_cb(skb)->l2cap.sar = sar;
2325 __skb_queue_tail(seg_queue, skb);
2331 if (len <= pdu_len) {
2332 sar = L2CAP_SAR_END;
2335 sar = L2CAP_SAR_CONTINUE;
2342 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2344 size_t len, u16 sdulen)
2346 struct l2cap_conn *conn = chan->conn;
2347 struct sk_buff *skb;
2348 int err, count, hlen;
2349 struct l2cap_hdr *lh;
2351 BT_DBG("chan %p len %zu", chan, len);
2354 return ERR_PTR(-ENOTCONN);
2356 hlen = L2CAP_HDR_SIZE;
2359 hlen += L2CAP_SDULEN_SIZE;
2361 count = min_t(unsigned int, (conn->mtu - hlen), len);
2363 skb = chan->ops->alloc_skb(chan, hlen, count,
2364 msg->msg_flags & MSG_DONTWAIT);
2368 /* Create L2CAP header */
2369 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2370 lh->cid = cpu_to_le16(chan->dcid);
2371 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2374 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2376 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2377 if (unlikely(err < 0)) {
2379 return ERR_PTR(err);
2385 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2386 struct sk_buff_head *seg_queue,
2387 struct msghdr *msg, size_t len)
2389 struct sk_buff *skb;
2393 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2396 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2402 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2404 __skb_queue_purge(seg_queue);
2405 return PTR_ERR(skb);
2408 __skb_queue_tail(seg_queue, skb);
2414 pdu_len += L2CAP_SDULEN_SIZE;
2421 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2423 struct sk_buff *skb;
2425 struct sk_buff_head seg_queue;
2430 /* Connectionless channel */
2431 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2432 skb = l2cap_create_connless_pdu(chan, msg, len);
2434 return PTR_ERR(skb);
2436 /* Channel lock is released before requesting new skb and then
2437 * reacquired thus we need to recheck channel state.
2439 if (chan->state != BT_CONNECTED) {
2444 l2cap_do_send(chan, skb);
2448 switch (chan->mode) {
2449 case L2CAP_MODE_LE_FLOWCTL:
2450 /* Check outgoing MTU */
2451 if (len > chan->omtu)
2454 if (!chan->tx_credits)
2457 __skb_queue_head_init(&seg_queue);
2459 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2461 if (chan->state != BT_CONNECTED) {
2462 __skb_queue_purge(&seg_queue);
2469 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2471 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2472 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2476 if (!chan->tx_credits)
2477 chan->ops->suspend(chan);
2483 case L2CAP_MODE_BASIC:
2484 /* Check outgoing MTU */
2485 if (len > chan->omtu)
2488 /* Create a basic PDU */
2489 skb = l2cap_create_basic_pdu(chan, msg, len);
2491 return PTR_ERR(skb);
2493 /* Channel lock is released before requesting new skb and then
2494 * reacquired thus we need to recheck channel state.
2496 if (chan->state != BT_CONNECTED) {
2501 l2cap_do_send(chan, skb);
2505 case L2CAP_MODE_ERTM:
2506 case L2CAP_MODE_STREAMING:
2507 /* Check outgoing MTU */
2508 if (len > chan->omtu) {
2513 __skb_queue_head_init(&seg_queue);
2515 /* Do segmentation before calling in to the state machine,
2516 * since it's possible to block while waiting for memory
2519 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2521 /* The channel could have been closed while segmenting,
2522 * check that it is still connected.
2524 if (chan->state != BT_CONNECTED) {
2525 __skb_queue_purge(&seg_queue);
2532 if (chan->mode == L2CAP_MODE_ERTM)
2533 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2535 l2cap_streaming_send(chan, &seg_queue);
2539 /* If the skbs were not queued for sending, they'll still be in
2540 * seg_queue and need to be purged.
2542 __skb_queue_purge(&seg_queue);
2546 BT_DBG("bad state %1.1x", chan->mode);
2552 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2554 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2556 struct l2cap_ctrl control;
2559 BT_DBG("chan %p, txseq %u", chan, txseq);
2561 memset(&control, 0, sizeof(control));
2563 control.super = L2CAP_SUPER_SREJ;
2565 for (seq = chan->expected_tx_seq; seq != txseq;
2566 seq = __next_seq(chan, seq)) {
2567 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2568 control.reqseq = seq;
2569 l2cap_send_sframe(chan, &control);
2570 l2cap_seq_list_append(&chan->srej_list, seq);
2574 chan->expected_tx_seq = __next_seq(chan, txseq);
2577 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2579 struct l2cap_ctrl control;
2581 BT_DBG("chan %p", chan);
2583 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2586 memset(&control, 0, sizeof(control));
2588 control.super = L2CAP_SUPER_SREJ;
2589 control.reqseq = chan->srej_list.tail;
2590 l2cap_send_sframe(chan, &control);
2593 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2595 struct l2cap_ctrl control;
2599 BT_DBG("chan %p, txseq %u", chan, txseq);
2601 memset(&control, 0, sizeof(control));
2603 control.super = L2CAP_SUPER_SREJ;
2605 /* Capture initial list head to allow only one pass through the list. */
2606 initial_head = chan->srej_list.head;
2609 seq = l2cap_seq_list_pop(&chan->srej_list);
2610 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2613 control.reqseq = seq;
2614 l2cap_send_sframe(chan, &control);
2615 l2cap_seq_list_append(&chan->srej_list, seq);
2616 } while (chan->srej_list.head != initial_head);
2619 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2621 struct sk_buff *acked_skb;
2624 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2626 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2629 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2630 chan->expected_ack_seq, chan->unacked_frames);
2632 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2633 ackseq = __next_seq(chan, ackseq)) {
2635 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2637 skb_unlink(acked_skb, &chan->tx_q);
2638 kfree_skb(acked_skb);
2639 chan->unacked_frames--;
2643 chan->expected_ack_seq = reqseq;
2645 if (chan->unacked_frames == 0)
2646 __clear_retrans_timer(chan);
2648 BT_DBG("unacked_frames %u", chan->unacked_frames);
2651 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2653 BT_DBG("chan %p", chan);
2655 chan->expected_tx_seq = chan->buffer_seq;
2656 l2cap_seq_list_clear(&chan->srej_list);
2657 skb_queue_purge(&chan->srej_q);
2658 chan->rx_state = L2CAP_RX_STATE_RECV;
2661 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2662 struct l2cap_ctrl *control,
2663 struct sk_buff_head *skbs, u8 event)
2665 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2669 case L2CAP_EV_DATA_REQUEST:
2670 if (chan->tx_send_head == NULL)
2671 chan->tx_send_head = skb_peek(skbs);
2673 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2674 l2cap_ertm_send(chan);
2676 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2677 BT_DBG("Enter LOCAL_BUSY");
2678 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2680 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2681 /* The SREJ_SENT state must be aborted if we are to
2682 * enter the LOCAL_BUSY state.
2684 l2cap_abort_rx_srej_sent(chan);
2687 l2cap_send_ack(chan);
2690 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2691 BT_DBG("Exit LOCAL_BUSY");
2692 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2694 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2695 struct l2cap_ctrl local_control;
2697 memset(&local_control, 0, sizeof(local_control));
2698 local_control.sframe = 1;
2699 local_control.super = L2CAP_SUPER_RR;
2700 local_control.poll = 1;
2701 local_control.reqseq = chan->buffer_seq;
2702 l2cap_send_sframe(chan, &local_control);
2704 chan->retry_count = 1;
2705 __set_monitor_timer(chan);
2706 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2709 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2710 l2cap_process_reqseq(chan, control->reqseq);
2712 case L2CAP_EV_EXPLICIT_POLL:
2713 l2cap_send_rr_or_rnr(chan, 1);
2714 chan->retry_count = 1;
2715 __set_monitor_timer(chan);
2716 __clear_ack_timer(chan);
2717 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2719 case L2CAP_EV_RETRANS_TO:
2720 l2cap_send_rr_or_rnr(chan, 1);
2721 chan->retry_count = 1;
2722 __set_monitor_timer(chan);
2723 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2725 case L2CAP_EV_RECV_FBIT:
2726 /* Nothing to process */
2733 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2734 struct l2cap_ctrl *control,
2735 struct sk_buff_head *skbs, u8 event)
2737 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2741 case L2CAP_EV_DATA_REQUEST:
2742 if (chan->tx_send_head == NULL)
2743 chan->tx_send_head = skb_peek(skbs);
2744 /* Queue data, but don't send. */
2745 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2747 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2748 BT_DBG("Enter LOCAL_BUSY");
2749 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2751 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2752 /* The SREJ_SENT state must be aborted if we are to
2753 * enter the LOCAL_BUSY state.
2755 l2cap_abort_rx_srej_sent(chan);
2758 l2cap_send_ack(chan);
2761 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2762 BT_DBG("Exit LOCAL_BUSY");
2763 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2765 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2766 struct l2cap_ctrl local_control;
2767 memset(&local_control, 0, sizeof(local_control));
2768 local_control.sframe = 1;
2769 local_control.super = L2CAP_SUPER_RR;
2770 local_control.poll = 1;
2771 local_control.reqseq = chan->buffer_seq;
2772 l2cap_send_sframe(chan, &local_control);
2774 chan->retry_count = 1;
2775 __set_monitor_timer(chan);
2776 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2779 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2780 l2cap_process_reqseq(chan, control->reqseq);
2784 case L2CAP_EV_RECV_FBIT:
2785 if (control && control->final) {
2786 __clear_monitor_timer(chan);
2787 if (chan->unacked_frames > 0)
2788 __set_retrans_timer(chan);
2789 chan->retry_count = 0;
2790 chan->tx_state = L2CAP_TX_STATE_XMIT;
2791 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2794 case L2CAP_EV_EXPLICIT_POLL:
2797 case L2CAP_EV_MONITOR_TO:
2798 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2799 l2cap_send_rr_or_rnr(chan, 1);
2800 __set_monitor_timer(chan);
2801 chan->retry_count++;
2803 l2cap_send_disconn_req(chan, ECONNABORTED);
2811 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2812 struct sk_buff_head *skbs, u8 event)
2814 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2815 chan, control, skbs, event, chan->tx_state);
2817 switch (chan->tx_state) {
2818 case L2CAP_TX_STATE_XMIT:
2819 l2cap_tx_state_xmit(chan, control, skbs, event);
2821 case L2CAP_TX_STATE_WAIT_F:
2822 l2cap_tx_state_wait_f(chan, control, skbs, event);
2830 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2831 struct l2cap_ctrl *control)
2833 BT_DBG("chan %p, control %p", chan, control);
2834 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2837 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2838 struct l2cap_ctrl *control)
2840 BT_DBG("chan %p, control %p", chan, control);
2841 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2844 /* Copy frame to all raw sockets on that connection */
2845 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2847 struct sk_buff *nskb;
2848 struct l2cap_chan *chan;
2850 BT_DBG("conn %p", conn);
2852 mutex_lock(&conn->chan_lock);
2854 list_for_each_entry(chan, &conn->chan_l, list) {
2855 if (chan->chan_type != L2CAP_CHAN_RAW)
2858 /* Don't send frame to the channel it came from */
2859 if (bt_cb(skb)->l2cap.chan == chan)
2862 nskb = skb_clone(skb, GFP_KERNEL);
2865 if (chan->ops->recv(chan, nskb))
2869 mutex_unlock(&conn->chan_lock);
2872 /* ---- L2CAP signalling commands ---- */
2873 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2874 u8 ident, u16 dlen, void *data)
2876 struct sk_buff *skb, **frag;
2877 struct l2cap_cmd_hdr *cmd;
2878 struct l2cap_hdr *lh;
2881 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2882 conn, code, ident, dlen);
2884 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2887 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2888 count = min_t(unsigned int, conn->mtu, len);
2890 skb = bt_skb_alloc(count, GFP_KERNEL);
2894 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2895 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2897 if (conn->hcon->type == LE_LINK)
2898 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2900 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2902 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2905 cmd->len = cpu_to_le16(dlen);
2908 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2909 memcpy(skb_put(skb, count), data, count);
2915 /* Continuation fragments (no L2CAP header) */
2916 frag = &skb_shinfo(skb)->frag_list;
2918 count = min_t(unsigned int, conn->mtu, len);
2920 *frag = bt_skb_alloc(count, GFP_KERNEL);
2924 memcpy(skb_put(*frag, count), data, count);
2929 frag = &(*frag)->next;
2939 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2942 struct l2cap_conf_opt *opt = *ptr;
2945 len = L2CAP_CONF_OPT_SIZE + opt->len;
2953 *val = *((u8 *) opt->val);
2957 *val = get_unaligned_le16(opt->val);
2961 *val = get_unaligned_le32(opt->val);
2965 *val = (unsigned long) opt->val;
2969 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2973 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2975 struct l2cap_conf_opt *opt = *ptr;
2977 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2984 *((u8 *) opt->val) = val;
2988 put_unaligned_le16(val, opt->val);
2992 put_unaligned_le32(val, opt->val);
2996 memcpy(opt->val, (void *) val, len);
3000 *ptr += L2CAP_CONF_OPT_SIZE + len;
3003 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3005 struct l2cap_conf_efs efs;
3007 switch (chan->mode) {
3008 case L2CAP_MODE_ERTM:
3009 efs.id = chan->local_id;
3010 efs.stype = chan->local_stype;
3011 efs.msdu = cpu_to_le16(chan->local_msdu);
3012 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3013 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3014 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3017 case L2CAP_MODE_STREAMING:
3019 efs.stype = L2CAP_SERV_BESTEFFORT;
3020 efs.msdu = cpu_to_le16(chan->local_msdu);
3021 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3030 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3031 (unsigned long) &efs);
3034 static void l2cap_ack_timeout(struct work_struct *work)
3036 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3040 BT_DBG("chan %p", chan);
3042 l2cap_chan_lock(chan);
3044 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3045 chan->last_acked_seq);
3048 l2cap_send_rr_or_rnr(chan, 0);
3050 l2cap_chan_unlock(chan);
3051 l2cap_chan_put(chan);
3054 int l2cap_ertm_init(struct l2cap_chan *chan)
3058 chan->next_tx_seq = 0;
3059 chan->expected_tx_seq = 0;
3060 chan->expected_ack_seq = 0;
3061 chan->unacked_frames = 0;
3062 chan->buffer_seq = 0;
3063 chan->frames_sent = 0;
3064 chan->last_acked_seq = 0;
3066 chan->sdu_last_frag = NULL;
3069 skb_queue_head_init(&chan->tx_q);
3071 chan->local_amp_id = AMP_ID_BREDR;
3072 chan->move_id = AMP_ID_BREDR;
3073 chan->move_state = L2CAP_MOVE_STABLE;
3074 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3076 if (chan->mode != L2CAP_MODE_ERTM)
3079 chan->rx_state = L2CAP_RX_STATE_RECV;
3080 chan->tx_state = L2CAP_TX_STATE_XMIT;
3082 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3083 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3084 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3086 skb_queue_head_init(&chan->srej_q);
3088 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3092 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3094 l2cap_seq_list_free(&chan->srej_list);
3099 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3102 case L2CAP_MODE_STREAMING:
3103 case L2CAP_MODE_ERTM:
3104 if (l2cap_mode_supported(mode, remote_feat_mask))
3108 return L2CAP_MODE_BASIC;
3112 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3114 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3115 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3118 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3120 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3121 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3124 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3125 struct l2cap_conf_rfc *rfc)
3127 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3128 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3130 /* Class 1 devices have must have ERTM timeouts
3131 * exceeding the Link Supervision Timeout. The
3132 * default Link Supervision Timeout for AMP
3133 * controllers is 10 seconds.
3135 * Class 1 devices use 0xffffffff for their
3136 * best-effort flush timeout, so the clamping logic
3137 * will result in a timeout that meets the above
3138 * requirement. ERTM timeouts are 16-bit values, so
3139 * the maximum timeout is 65.535 seconds.
3142 /* Convert timeout to milliseconds and round */
3143 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3145 /* This is the recommended formula for class 2 devices
3146 * that start ERTM timers when packets are sent to the
3149 ertm_to = 3 * ertm_to + 500;
3151 if (ertm_to > 0xffff)
3154 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3155 rfc->monitor_timeout = rfc->retrans_timeout;
3157 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3158 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3162 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3164 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3165 __l2cap_ews_supported(chan->conn)) {
3166 /* use extended control field */
3167 set_bit(FLAG_EXT_CTRL, &chan->flags);
3168 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3170 chan->tx_win = min_t(u16, chan->tx_win,
3171 L2CAP_DEFAULT_TX_WINDOW);
3172 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3174 chan->ack_win = chan->tx_win;
3177 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3179 struct l2cap_conf_req *req = data;
3180 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3181 void *ptr = req->data;
3184 BT_DBG("chan %p", chan);
3186 if (chan->num_conf_req || chan->num_conf_rsp)
3189 switch (chan->mode) {
3190 case L2CAP_MODE_STREAMING:
3191 case L2CAP_MODE_ERTM:
3192 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3195 if (__l2cap_efs_supported(chan->conn))
3196 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3200 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3205 if (chan->imtu != L2CAP_DEFAULT_MTU)
3206 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3208 switch (chan->mode) {
3209 case L2CAP_MODE_BASIC:
3213 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3214 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3217 rfc.mode = L2CAP_MODE_BASIC;
3219 rfc.max_transmit = 0;
3220 rfc.retrans_timeout = 0;
3221 rfc.monitor_timeout = 0;
3222 rfc.max_pdu_size = 0;
3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3225 (unsigned long) &rfc);
3228 case L2CAP_MODE_ERTM:
3229 rfc.mode = L2CAP_MODE_ERTM;
3230 rfc.max_transmit = chan->max_tx;
3232 __l2cap_set_ertm_timeouts(chan, &rfc);
3234 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3235 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3237 rfc.max_pdu_size = cpu_to_le16(size);
3239 l2cap_txwin_setup(chan);
3241 rfc.txwin_size = min_t(u16, chan->tx_win,
3242 L2CAP_DEFAULT_TX_WINDOW);
3244 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3245 (unsigned long) &rfc);
3247 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3248 l2cap_add_opt_efs(&ptr, chan);
3250 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3251 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3254 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3255 if (chan->fcs == L2CAP_FCS_NONE ||
3256 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3257 chan->fcs = L2CAP_FCS_NONE;
3258 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3263 case L2CAP_MODE_STREAMING:
3264 l2cap_txwin_setup(chan);
3265 rfc.mode = L2CAP_MODE_STREAMING;
3267 rfc.max_transmit = 0;
3268 rfc.retrans_timeout = 0;
3269 rfc.monitor_timeout = 0;
3271 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3272 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3274 rfc.max_pdu_size = cpu_to_le16(size);
3276 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3277 (unsigned long) &rfc);
3279 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3280 l2cap_add_opt_efs(&ptr, chan);
3282 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3283 if (chan->fcs == L2CAP_FCS_NONE ||
3284 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3285 chan->fcs = L2CAP_FCS_NONE;
3286 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3292 req->dcid = cpu_to_le16(chan->dcid);
3293 req->flags = cpu_to_le16(0);
3298 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3300 struct l2cap_conf_rsp *rsp = data;
3301 void *ptr = rsp->data;
3302 void *req = chan->conf_req;
3303 int len = chan->conf_len;
3304 int type, hint, olen;
3306 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3307 struct l2cap_conf_efs efs;
3309 u16 mtu = L2CAP_DEFAULT_MTU;
3310 u16 result = L2CAP_CONF_SUCCESS;
3313 BT_DBG("chan %p", chan);
3315 while (len >= L2CAP_CONF_OPT_SIZE) {
3316 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3318 hint = type & L2CAP_CONF_HINT;
3319 type &= L2CAP_CONF_MASK;
3322 case L2CAP_CONF_MTU:
3326 case L2CAP_CONF_FLUSH_TO:
3327 chan->flush_to = val;
3330 case L2CAP_CONF_QOS:
3333 case L2CAP_CONF_RFC:
3334 if (olen == sizeof(rfc))
3335 memcpy(&rfc, (void *) val, olen);
3338 case L2CAP_CONF_FCS:
3339 if (val == L2CAP_FCS_NONE)
3340 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3343 case L2CAP_CONF_EFS:
3345 if (olen == sizeof(efs))
3346 memcpy(&efs, (void *) val, olen);
3349 case L2CAP_CONF_EWS:
3350 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3351 return -ECONNREFUSED;
3353 set_bit(FLAG_EXT_CTRL, &chan->flags);
3354 set_bit(CONF_EWS_RECV, &chan->conf_state);
3355 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3356 chan->remote_tx_win = val;
3363 result = L2CAP_CONF_UNKNOWN;
3364 *((u8 *) ptr++) = type;
3369 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3372 switch (chan->mode) {
3373 case L2CAP_MODE_STREAMING:
3374 case L2CAP_MODE_ERTM:
3375 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3376 chan->mode = l2cap_select_mode(rfc.mode,
3377 chan->conn->feat_mask);
3382 if (__l2cap_efs_supported(chan->conn))
3383 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3385 return -ECONNREFUSED;
3388 if (chan->mode != rfc.mode)
3389 return -ECONNREFUSED;
3395 if (chan->mode != rfc.mode) {
3396 result = L2CAP_CONF_UNACCEPT;
3397 rfc.mode = chan->mode;
3399 if (chan->num_conf_rsp == 1)
3400 return -ECONNREFUSED;
3402 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3403 (unsigned long) &rfc);
3406 if (result == L2CAP_CONF_SUCCESS) {
3407 /* Configure output options and let the other side know
3408 * which ones we don't like. */
3410 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3411 result = L2CAP_CONF_UNACCEPT;
3414 set_bit(CONF_MTU_DONE, &chan->conf_state);
3416 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3419 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3420 efs.stype != L2CAP_SERV_NOTRAFIC &&
3421 efs.stype != chan->local_stype) {
3423 result = L2CAP_CONF_UNACCEPT;
3425 if (chan->num_conf_req >= 1)
3426 return -ECONNREFUSED;
3428 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3430 (unsigned long) &efs);
3432 /* Send PENDING Conf Rsp */
3433 result = L2CAP_CONF_PENDING;
3434 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3439 case L2CAP_MODE_BASIC:
3440 chan->fcs = L2CAP_FCS_NONE;
3441 set_bit(CONF_MODE_DONE, &chan->conf_state);
3444 case L2CAP_MODE_ERTM:
3445 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3446 chan->remote_tx_win = rfc.txwin_size;
3448 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3450 chan->remote_max_tx = rfc.max_transmit;
3452 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3453 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3454 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3455 rfc.max_pdu_size = cpu_to_le16(size);
3456 chan->remote_mps = size;
3458 __l2cap_set_ertm_timeouts(chan, &rfc);
3460 set_bit(CONF_MODE_DONE, &chan->conf_state);
3462 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3463 sizeof(rfc), (unsigned long) &rfc);
3465 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3466 chan->remote_id = efs.id;
3467 chan->remote_stype = efs.stype;
3468 chan->remote_msdu = le16_to_cpu(efs.msdu);
3469 chan->remote_flush_to =
3470 le32_to_cpu(efs.flush_to);
3471 chan->remote_acc_lat =
3472 le32_to_cpu(efs.acc_lat);
3473 chan->remote_sdu_itime =
3474 le32_to_cpu(efs.sdu_itime);
3475 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3477 (unsigned long) &efs);
3481 case L2CAP_MODE_STREAMING:
3482 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3483 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3484 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3485 rfc.max_pdu_size = cpu_to_le16(size);
3486 chan->remote_mps = size;
3488 set_bit(CONF_MODE_DONE, &chan->conf_state);
3490 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3491 (unsigned long) &rfc);
3496 result = L2CAP_CONF_UNACCEPT;
3498 memset(&rfc, 0, sizeof(rfc));
3499 rfc.mode = chan->mode;
3502 if (result == L2CAP_CONF_SUCCESS)
3503 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3505 rsp->scid = cpu_to_le16(chan->dcid);
3506 rsp->result = cpu_to_le16(result);
3507 rsp->flags = cpu_to_le16(0);
3512 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3513 void *data, u16 *result)
3515 struct l2cap_conf_req *req = data;
3516 void *ptr = req->data;
3519 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3520 struct l2cap_conf_efs efs;
3522 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3524 while (len >= L2CAP_CONF_OPT_SIZE) {
3525 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3528 case L2CAP_CONF_MTU:
3529 if (val < L2CAP_DEFAULT_MIN_MTU) {
3530 *result = L2CAP_CONF_UNACCEPT;
3531 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3534 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3537 case L2CAP_CONF_FLUSH_TO:
3538 chan->flush_to = val;
3539 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3543 case L2CAP_CONF_RFC:
3544 if (olen == sizeof(rfc))
3545 memcpy(&rfc, (void *)val, olen);
3547 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3548 rfc.mode != chan->mode)
3549 return -ECONNREFUSED;
3553 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3554 sizeof(rfc), (unsigned long) &rfc);
3557 case L2CAP_CONF_EWS:
3558 chan->ack_win = min_t(u16, val, chan->ack_win);
3559 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3563 case L2CAP_CONF_EFS:
3564 if (olen == sizeof(efs))
3565 memcpy(&efs, (void *)val, olen);
3567 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3568 efs.stype != L2CAP_SERV_NOTRAFIC &&
3569 efs.stype != chan->local_stype)
3570 return -ECONNREFUSED;
3572 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3573 (unsigned long) &efs);
3576 case L2CAP_CONF_FCS:
3577 if (*result == L2CAP_CONF_PENDING)
3578 if (val == L2CAP_FCS_NONE)
3579 set_bit(CONF_RECV_NO_FCS,
3585 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3586 return -ECONNREFUSED;
3588 chan->mode = rfc.mode;
3590 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3592 case L2CAP_MODE_ERTM:
3593 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3594 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3595 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3596 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3597 chan->ack_win = min_t(u16, chan->ack_win,
3600 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3601 chan->local_msdu = le16_to_cpu(efs.msdu);
3602 chan->local_sdu_itime =
3603 le32_to_cpu(efs.sdu_itime);
3604 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3605 chan->local_flush_to =
3606 le32_to_cpu(efs.flush_to);
3610 case L2CAP_MODE_STREAMING:
3611 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3615 req->dcid = cpu_to_le16(chan->dcid);
3616 req->flags = cpu_to_le16(0);
3621 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3622 u16 result, u16 flags)
3624 struct l2cap_conf_rsp *rsp = data;
3625 void *ptr = rsp->data;
3627 BT_DBG("chan %p", chan);
3629 rsp->scid = cpu_to_le16(chan->dcid);
3630 rsp->result = cpu_to_le16(result);
3631 rsp->flags = cpu_to_le16(flags);
3636 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3638 struct l2cap_le_conn_rsp rsp;
3639 struct l2cap_conn *conn = chan->conn;
3641 BT_DBG("chan %p", chan);
3643 rsp.dcid = cpu_to_le16(chan->scid);
3644 rsp.mtu = cpu_to_le16(chan->imtu);
3645 rsp.mps = cpu_to_le16(chan->mps);
3646 rsp.credits = cpu_to_le16(chan->rx_credits);
3647 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3649 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3653 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3655 struct l2cap_conn_rsp rsp;
3656 struct l2cap_conn *conn = chan->conn;
3660 rsp.scid = cpu_to_le16(chan->dcid);
3661 rsp.dcid = cpu_to_le16(chan->scid);
3662 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3663 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3666 rsp_code = L2CAP_CREATE_CHAN_RSP;
3668 rsp_code = L2CAP_CONN_RSP;
3670 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3672 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3674 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3677 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3678 l2cap_build_conf_req(chan, buf), buf);
3679 chan->num_conf_req++;
3682 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3686 /* Use sane default values in case a misbehaving remote device
3687 * did not send an RFC or extended window size option.
3689 u16 txwin_ext = chan->ack_win;
3690 struct l2cap_conf_rfc rfc = {
3692 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3693 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3694 .max_pdu_size = cpu_to_le16(chan->imtu),
3695 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3698 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3700 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3703 while (len >= L2CAP_CONF_OPT_SIZE) {
3704 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3707 case L2CAP_CONF_RFC:
3708 if (olen == sizeof(rfc))
3709 memcpy(&rfc, (void *)val, olen);
3711 case L2CAP_CONF_EWS:
3718 case L2CAP_MODE_ERTM:
3719 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3720 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3721 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3722 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3723 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3725 chan->ack_win = min_t(u16, chan->ack_win,
3728 case L2CAP_MODE_STREAMING:
3729 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3733 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3734 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3737 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3739 if (cmd_len < sizeof(*rej))
3742 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3745 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3746 cmd->ident == conn->info_ident) {
3747 cancel_delayed_work(&conn->info_timer);
3749 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3750 conn->info_ident = 0;
3752 l2cap_conn_start(conn);
3758 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3759 struct l2cap_cmd_hdr *cmd,
3760 u8 *data, u8 rsp_code, u8 amp_id)
3762 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3763 struct l2cap_conn_rsp rsp;
3764 struct l2cap_chan *chan = NULL, *pchan;
3765 int result, status = L2CAP_CS_NO_INFO;
3767 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3768 __le16 psm = req->psm;
3770 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3772 /* Check if we have socket listening on psm */
3773 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3774 &conn->hcon->dst, ACL_LINK);
3776 result = L2CAP_CR_BAD_PSM;
3780 mutex_lock(&conn->chan_lock);
3781 l2cap_chan_lock(pchan);
3783 /* Check if the ACL is secure enough (if not SDP) */
3784 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3785 !hci_conn_check_link_mode(conn->hcon)) {
3786 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3787 result = L2CAP_CR_SEC_BLOCK;
3791 result = L2CAP_CR_NO_MEM;
3793 /* Check if we already have channel with that dcid */
3794 if (__l2cap_get_chan_by_dcid(conn, scid))
3797 chan = pchan->ops->new_connection(pchan);
3801 /* For certain devices (ex: HID mouse), support for authentication,
3802 * pairing and bonding is optional. For such devices, inorder to avoid
3803 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3804 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3806 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3808 bacpy(&chan->src, &conn->hcon->src);
3809 bacpy(&chan->dst, &conn->hcon->dst);
3810 chan->src_type = bdaddr_src_type(conn->hcon);
3811 chan->dst_type = bdaddr_dst_type(conn->hcon);
3814 chan->local_amp_id = amp_id;
3816 __l2cap_chan_add(conn, chan);
3820 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3822 chan->ident = cmd->ident;
3824 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3825 if (l2cap_chan_check_security(chan, false)) {
3826 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3827 l2cap_state_change(chan, BT_CONNECT2);
3828 result = L2CAP_CR_PEND;
3829 status = L2CAP_CS_AUTHOR_PEND;
3830 chan->ops->defer(chan);
3832 /* Force pending result for AMP controllers.
3833 * The connection will succeed after the
3834 * physical link is up.
3836 if (amp_id == AMP_ID_BREDR) {
3837 l2cap_state_change(chan, BT_CONFIG);
3838 result = L2CAP_CR_SUCCESS;
3840 l2cap_state_change(chan, BT_CONNECT2);
3841 result = L2CAP_CR_PEND;
3843 status = L2CAP_CS_NO_INFO;
3846 l2cap_state_change(chan, BT_CONNECT2);
3847 result = L2CAP_CR_PEND;
3848 status = L2CAP_CS_AUTHEN_PEND;
3851 l2cap_state_change(chan, BT_CONNECT2);
3852 result = L2CAP_CR_PEND;
3853 status = L2CAP_CS_NO_INFO;
3857 l2cap_chan_unlock(pchan);
3858 mutex_unlock(&conn->chan_lock);
3859 l2cap_chan_put(pchan);
3862 rsp.scid = cpu_to_le16(scid);
3863 rsp.dcid = cpu_to_le16(dcid);
3864 rsp.result = cpu_to_le16(result);
3865 rsp.status = cpu_to_le16(status);
3866 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3868 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3869 struct l2cap_info_req info;
3870 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3872 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3873 conn->info_ident = l2cap_get_ident(conn);
3875 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3877 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3878 sizeof(info), &info);
3881 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3882 result == L2CAP_CR_SUCCESS) {
3884 set_bit(CONF_REQ_SENT, &chan->conf_state);
3885 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3886 l2cap_build_conf_req(chan, buf), buf);
3887 chan->num_conf_req++;
3893 static int l2cap_connect_req(struct l2cap_conn *conn,
3894 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3896 struct hci_dev *hdev = conn->hcon->hdev;
3897 struct hci_conn *hcon = conn->hcon;
3899 if (cmd_len < sizeof(struct l2cap_conn_req))
3903 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3904 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3905 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3906 hci_dev_unlock(hdev);
3908 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3912 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3913 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3916 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3917 u16 scid, dcid, result, status;
3918 struct l2cap_chan *chan;
3922 if (cmd_len < sizeof(*rsp))
3925 scid = __le16_to_cpu(rsp->scid);
3926 dcid = __le16_to_cpu(rsp->dcid);
3927 result = __le16_to_cpu(rsp->result);
3928 status = __le16_to_cpu(rsp->status);
3930 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3931 dcid, scid, result, status);
3933 mutex_lock(&conn->chan_lock);
3936 chan = __l2cap_get_chan_by_scid(conn, scid);
3942 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3951 l2cap_chan_lock(chan);
3954 case L2CAP_CR_SUCCESS:
3955 l2cap_state_change(chan, BT_CONFIG);
3958 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3960 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3963 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3964 l2cap_build_conf_req(chan, req), req);
3965 chan->num_conf_req++;
3969 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3973 l2cap_chan_del(chan, ECONNREFUSED);
3977 l2cap_chan_unlock(chan);
3980 mutex_unlock(&conn->chan_lock);
3985 static inline void set_default_fcs(struct l2cap_chan *chan)
3987 /* FCS is enabled only in ERTM or streaming mode, if one or both
3990 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3991 chan->fcs = L2CAP_FCS_NONE;
3992 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
3993 chan->fcs = L2CAP_FCS_CRC16;
3996 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3997 u8 ident, u16 flags)
3999 struct l2cap_conn *conn = chan->conn;
4001 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4004 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4005 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4007 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4008 l2cap_build_conf_rsp(chan, data,
4009 L2CAP_CONF_SUCCESS, flags), data);
4012 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4015 struct l2cap_cmd_rej_cid rej;
4017 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4018 rej.scid = __cpu_to_le16(scid);
4019 rej.dcid = __cpu_to_le16(dcid);
4021 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4024 static inline int l2cap_config_req(struct l2cap_conn *conn,
4025 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4028 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4031 struct l2cap_chan *chan;
4034 if (cmd_len < sizeof(*req))
4037 dcid = __le16_to_cpu(req->dcid);
4038 flags = __le16_to_cpu(req->flags);
4040 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4042 chan = l2cap_get_chan_by_scid(conn, dcid);
4044 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4048 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4049 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4054 /* Reject if config buffer is too small. */
4055 len = cmd_len - sizeof(*req);
4056 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4057 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4058 l2cap_build_conf_rsp(chan, rsp,
4059 L2CAP_CONF_REJECT, flags), rsp);
4064 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4065 chan->conf_len += len;
4067 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4068 /* Incomplete config. Send empty response. */
4069 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4070 l2cap_build_conf_rsp(chan, rsp,
4071 L2CAP_CONF_SUCCESS, flags), rsp);
4075 /* Complete config. */
4076 len = l2cap_parse_conf_req(chan, rsp);
4078 l2cap_send_disconn_req(chan, ECONNRESET);
4082 chan->ident = cmd->ident;
4083 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4084 chan->num_conf_rsp++;
4086 /* Reset config buffer. */
4089 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4092 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4093 set_default_fcs(chan);
4095 if (chan->mode == L2CAP_MODE_ERTM ||
4096 chan->mode == L2CAP_MODE_STREAMING)
4097 err = l2cap_ertm_init(chan);
4100 l2cap_send_disconn_req(chan, -err);
4102 l2cap_chan_ready(chan);
4107 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4109 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4110 l2cap_build_conf_req(chan, buf), buf);
4111 chan->num_conf_req++;
4114 /* Got Conf Rsp PENDING from remote side and assume we sent
4115 Conf Rsp PENDING in the code above */
4116 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4117 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4119 /* check compatibility */
4121 /* Send rsp for BR/EDR channel */
4123 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4125 chan->ident = cmd->ident;
4129 l2cap_chan_unlock(chan);
4133 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4134 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4137 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4138 u16 scid, flags, result;
4139 struct l2cap_chan *chan;
4140 int len = cmd_len - sizeof(*rsp);
4143 if (cmd_len < sizeof(*rsp))
4146 scid = __le16_to_cpu(rsp->scid);
4147 flags = __le16_to_cpu(rsp->flags);
4148 result = __le16_to_cpu(rsp->result);
4150 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4153 chan = l2cap_get_chan_by_scid(conn, scid);
4158 case L2CAP_CONF_SUCCESS:
4159 l2cap_conf_rfc_get(chan, rsp->data, len);
4160 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4163 case L2CAP_CONF_PENDING:
4164 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4166 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4169 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4172 l2cap_send_disconn_req(chan, ECONNRESET);
4176 if (!chan->hs_hcon) {
4177 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4180 if (l2cap_check_efs(chan)) {
4181 amp_create_logical_link(chan);
4182 chan->ident = cmd->ident;
4188 case L2CAP_CONF_UNACCEPT:
4189 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4192 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4193 l2cap_send_disconn_req(chan, ECONNRESET);
4197 /* throw out any old stored conf requests */
4198 result = L2CAP_CONF_SUCCESS;
4199 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4202 l2cap_send_disconn_req(chan, ECONNRESET);
4206 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4207 L2CAP_CONF_REQ, len, req);
4208 chan->num_conf_req++;
4209 if (result != L2CAP_CONF_SUCCESS)
4215 l2cap_chan_set_err(chan, ECONNRESET);
4217 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4218 l2cap_send_disconn_req(chan, ECONNRESET);
4222 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4225 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4227 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4228 set_default_fcs(chan);
4230 if (chan->mode == L2CAP_MODE_ERTM ||
4231 chan->mode == L2CAP_MODE_STREAMING)
4232 err = l2cap_ertm_init(chan);
4235 l2cap_send_disconn_req(chan, -err);
4237 l2cap_chan_ready(chan);
4241 l2cap_chan_unlock(chan);
4245 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4246 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4249 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4250 struct l2cap_disconn_rsp rsp;
4252 struct l2cap_chan *chan;
4254 if (cmd_len != sizeof(*req))
4257 scid = __le16_to_cpu(req->scid);
4258 dcid = __le16_to_cpu(req->dcid);
4260 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4262 mutex_lock(&conn->chan_lock);
4264 chan = __l2cap_get_chan_by_scid(conn, dcid);
4266 mutex_unlock(&conn->chan_lock);
4267 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4271 l2cap_chan_lock(chan);
4273 rsp.dcid = cpu_to_le16(chan->scid);
4274 rsp.scid = cpu_to_le16(chan->dcid);
4275 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4277 chan->ops->set_shutdown(chan);
4279 l2cap_chan_hold(chan);
4280 l2cap_chan_del(chan, ECONNRESET);
4282 l2cap_chan_unlock(chan);
4284 chan->ops->close(chan);
4285 l2cap_chan_put(chan);
4287 mutex_unlock(&conn->chan_lock);
4292 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4293 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4296 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4298 struct l2cap_chan *chan;
4300 if (cmd_len != sizeof(*rsp))
4303 scid = __le16_to_cpu(rsp->scid);
4304 dcid = __le16_to_cpu(rsp->dcid);
4306 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4308 mutex_lock(&conn->chan_lock);
4310 chan = __l2cap_get_chan_by_scid(conn, scid);
4312 mutex_unlock(&conn->chan_lock);
4316 l2cap_chan_lock(chan);
4318 l2cap_chan_hold(chan);
4319 l2cap_chan_del(chan, 0);
4321 l2cap_chan_unlock(chan);
4323 chan->ops->close(chan);
4324 l2cap_chan_put(chan);
4326 mutex_unlock(&conn->chan_lock);
4331 static inline int l2cap_information_req(struct l2cap_conn *conn,
4332 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4335 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4338 if (cmd_len != sizeof(*req))
4341 type = __le16_to_cpu(req->type);
4343 BT_DBG("type 0x%4.4x", type);
4345 if (type == L2CAP_IT_FEAT_MASK) {
4347 u32 feat_mask = l2cap_feat_mask;
4348 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4349 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4350 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4352 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4354 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4355 feat_mask |= L2CAP_FEAT_EXT_FLOW
4356 | L2CAP_FEAT_EXT_WINDOW;
4358 put_unaligned_le32(feat_mask, rsp->data);
4359 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4361 } else if (type == L2CAP_IT_FIXED_CHAN) {
4363 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4365 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4366 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4367 rsp->data[0] = conn->local_fixed_chan;
4368 memset(rsp->data + 1, 0, 7);
4369 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4372 struct l2cap_info_rsp rsp;
4373 rsp.type = cpu_to_le16(type);
4374 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4375 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4382 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4383 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4386 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4389 if (cmd_len < sizeof(*rsp))
4392 type = __le16_to_cpu(rsp->type);
4393 result = __le16_to_cpu(rsp->result);
4395 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4397 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4398 if (cmd->ident != conn->info_ident ||
4399 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4402 cancel_delayed_work(&conn->info_timer);
4404 if (result != L2CAP_IR_SUCCESS) {
4405 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4406 conn->info_ident = 0;
4408 l2cap_conn_start(conn);
4414 case L2CAP_IT_FEAT_MASK:
4415 conn->feat_mask = get_unaligned_le32(rsp->data);
4417 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4418 struct l2cap_info_req req;
4419 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4421 conn->info_ident = l2cap_get_ident(conn);
4423 l2cap_send_cmd(conn, conn->info_ident,
4424 L2CAP_INFO_REQ, sizeof(req), &req);
4426 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4427 conn->info_ident = 0;
4429 l2cap_conn_start(conn);
4433 case L2CAP_IT_FIXED_CHAN:
4434 conn->remote_fixed_chan = rsp->data[0];
4435 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4436 conn->info_ident = 0;
4438 l2cap_conn_start(conn);
4445 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4446 struct l2cap_cmd_hdr *cmd,
4447 u16 cmd_len, void *data)
4449 struct l2cap_create_chan_req *req = data;
4450 struct l2cap_create_chan_rsp rsp;
4451 struct l2cap_chan *chan;
4452 struct hci_dev *hdev;
4455 if (cmd_len != sizeof(*req))
4458 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4461 psm = le16_to_cpu(req->psm);
4462 scid = le16_to_cpu(req->scid);
4464 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4466 /* For controller id 0 make BR/EDR connection */
4467 if (req->amp_id == AMP_ID_BREDR) {
4468 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4473 /* Validate AMP controller id */
4474 hdev = hci_dev_get(req->amp_id);
4478 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4483 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4486 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4487 struct hci_conn *hs_hcon;
4489 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4493 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4498 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4500 mgr->bredr_chan = chan;
4501 chan->hs_hcon = hs_hcon;
4502 chan->fcs = L2CAP_FCS_NONE;
4503 conn->mtu = hdev->block_mtu;
4512 rsp.scid = cpu_to_le16(scid);
4513 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4514 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4516 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4522 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4524 struct l2cap_move_chan_req req;
4527 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4529 ident = l2cap_get_ident(chan->conn);
4530 chan->ident = ident;
4532 req.icid = cpu_to_le16(chan->scid);
4533 req.dest_amp_id = dest_amp_id;
4535 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4538 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4541 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4543 struct l2cap_move_chan_rsp rsp;
4545 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4547 rsp.icid = cpu_to_le16(chan->dcid);
4548 rsp.result = cpu_to_le16(result);
4550 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4554 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4556 struct l2cap_move_chan_cfm cfm;
4558 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4560 chan->ident = l2cap_get_ident(chan->conn);
4562 cfm.icid = cpu_to_le16(chan->scid);
4563 cfm.result = cpu_to_le16(result);
4565 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4568 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4571 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4573 struct l2cap_move_chan_cfm cfm;
4575 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4577 cfm.icid = cpu_to_le16(icid);
4578 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4580 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4584 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4587 struct l2cap_move_chan_cfm_rsp rsp;
4589 BT_DBG("icid 0x%4.4x", icid);
4591 rsp.icid = cpu_to_le16(icid);
4592 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4595 static void __release_logical_link(struct l2cap_chan *chan)
4597 chan->hs_hchan = NULL;
4598 chan->hs_hcon = NULL;
4600 /* Placeholder - release the logical link */
4603 static void l2cap_logical_fail(struct l2cap_chan *chan)
4605 /* Logical link setup failed */
4606 if (chan->state != BT_CONNECTED) {
4607 /* Create channel failure, disconnect */
4608 l2cap_send_disconn_req(chan, ECONNRESET);
4612 switch (chan->move_role) {
4613 case L2CAP_MOVE_ROLE_RESPONDER:
4614 l2cap_move_done(chan);
4615 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4617 case L2CAP_MOVE_ROLE_INITIATOR:
4618 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4619 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4620 /* Remote has only sent pending or
4621 * success responses, clean up
4623 l2cap_move_done(chan);
4626 /* Other amp move states imply that the move
4627 * has already aborted
4629 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4634 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4635 struct hci_chan *hchan)
4637 struct l2cap_conf_rsp rsp;
4639 chan->hs_hchan = hchan;
4640 chan->hs_hcon->l2cap_data = chan->conn;
4642 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4644 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4647 set_default_fcs(chan);
4649 err = l2cap_ertm_init(chan);
4651 l2cap_send_disconn_req(chan, -err);
4653 l2cap_chan_ready(chan);
4657 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4658 struct hci_chan *hchan)
4660 chan->hs_hcon = hchan->conn;
4661 chan->hs_hcon->l2cap_data = chan->conn;
4663 BT_DBG("move_state %d", chan->move_state);
4665 switch (chan->move_state) {
4666 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4667 /* Move confirm will be sent after a success
4668 * response is received
4670 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4672 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4673 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4674 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4675 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4676 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4677 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4678 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4679 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4680 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4684 /* Move was not in expected state, free the channel */
4685 __release_logical_link(chan);
4687 chan->move_state = L2CAP_MOVE_STABLE;
4691 /* Call with chan locked */
4692 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4695 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4698 l2cap_logical_fail(chan);
4699 __release_logical_link(chan);
4703 if (chan->state != BT_CONNECTED) {
4704 /* Ignore logical link if channel is on BR/EDR */
4705 if (chan->local_amp_id != AMP_ID_BREDR)
4706 l2cap_logical_finish_create(chan, hchan);
4708 l2cap_logical_finish_move(chan, hchan);
4712 void l2cap_move_start(struct l2cap_chan *chan)
4714 BT_DBG("chan %p", chan);
4716 if (chan->local_amp_id == AMP_ID_BREDR) {
4717 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4719 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4720 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4721 /* Placeholder - start physical link setup */
4723 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4724 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4726 l2cap_move_setup(chan);
4727 l2cap_send_move_chan_req(chan, 0);
4731 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4732 u8 local_amp_id, u8 remote_amp_id)
4734 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4735 local_amp_id, remote_amp_id);
4737 chan->fcs = L2CAP_FCS_NONE;
4739 /* Outgoing channel on AMP */
4740 if (chan->state == BT_CONNECT) {
4741 if (result == L2CAP_CR_SUCCESS) {
4742 chan->local_amp_id = local_amp_id;
4743 l2cap_send_create_chan_req(chan, remote_amp_id);
4745 /* Revert to BR/EDR connect */
4746 l2cap_send_conn_req(chan);
4752 /* Incoming channel on AMP */
4753 if (__l2cap_no_conn_pending(chan)) {
4754 struct l2cap_conn_rsp rsp;
4756 rsp.scid = cpu_to_le16(chan->dcid);
4757 rsp.dcid = cpu_to_le16(chan->scid);
4759 if (result == L2CAP_CR_SUCCESS) {
4760 /* Send successful response */
4761 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4762 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4764 /* Send negative response */
4765 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4766 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4769 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4772 if (result == L2CAP_CR_SUCCESS) {
4773 l2cap_state_change(chan, BT_CONFIG);
4774 set_bit(CONF_REQ_SENT, &chan->conf_state);
4775 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4777 l2cap_build_conf_req(chan, buf), buf);
4778 chan->num_conf_req++;
4783 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4786 l2cap_move_setup(chan);
4787 chan->move_id = local_amp_id;
4788 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4790 l2cap_send_move_chan_req(chan, remote_amp_id);
4793 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4795 struct hci_chan *hchan = NULL;
4797 /* Placeholder - get hci_chan for logical link */
4800 if (hchan->state == BT_CONNECTED) {
4801 /* Logical link is ready to go */
4802 chan->hs_hcon = hchan->conn;
4803 chan->hs_hcon->l2cap_data = chan->conn;
4804 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4805 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4807 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4809 /* Wait for logical link to be ready */
4810 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4813 /* Logical link not available */
4814 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4818 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4820 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4822 if (result == -EINVAL)
4823 rsp_result = L2CAP_MR_BAD_ID;
4825 rsp_result = L2CAP_MR_NOT_ALLOWED;
4827 l2cap_send_move_chan_rsp(chan, rsp_result);
4830 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4831 chan->move_state = L2CAP_MOVE_STABLE;
4833 /* Restart data transmission */
4834 l2cap_ertm_send(chan);
4837 /* Invoke with locked chan */
4838 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4840 u8 local_amp_id = chan->local_amp_id;
4841 u8 remote_amp_id = chan->remote_amp_id;
4843 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4844 chan, result, local_amp_id, remote_amp_id);
4846 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4847 l2cap_chan_unlock(chan);
4851 if (chan->state != BT_CONNECTED) {
4852 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4853 } else if (result != L2CAP_MR_SUCCESS) {
4854 l2cap_do_move_cancel(chan, result);
4856 switch (chan->move_role) {
4857 case L2CAP_MOVE_ROLE_INITIATOR:
4858 l2cap_do_move_initiate(chan, local_amp_id,
4861 case L2CAP_MOVE_ROLE_RESPONDER:
4862 l2cap_do_move_respond(chan, result);
4865 l2cap_do_move_cancel(chan, result);
4871 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4872 struct l2cap_cmd_hdr *cmd,
4873 u16 cmd_len, void *data)
4875 struct l2cap_move_chan_req *req = data;
4876 struct l2cap_move_chan_rsp rsp;
4877 struct l2cap_chan *chan;
4879 u16 result = L2CAP_MR_NOT_ALLOWED;
4881 if (cmd_len != sizeof(*req))
4884 icid = le16_to_cpu(req->icid);
4886 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4888 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4891 chan = l2cap_get_chan_by_dcid(conn, icid);
4893 rsp.icid = cpu_to_le16(icid);
4894 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4895 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4900 chan->ident = cmd->ident;
4902 if (chan->scid < L2CAP_CID_DYN_START ||
4903 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4904 (chan->mode != L2CAP_MODE_ERTM &&
4905 chan->mode != L2CAP_MODE_STREAMING)) {
4906 result = L2CAP_MR_NOT_ALLOWED;
4907 goto send_move_response;
4910 if (chan->local_amp_id == req->dest_amp_id) {
4911 result = L2CAP_MR_SAME_ID;
4912 goto send_move_response;
4915 if (req->dest_amp_id != AMP_ID_BREDR) {
4916 struct hci_dev *hdev;
4917 hdev = hci_dev_get(req->dest_amp_id);
4918 if (!hdev || hdev->dev_type != HCI_AMP ||
4919 !test_bit(HCI_UP, &hdev->flags)) {
4923 result = L2CAP_MR_BAD_ID;
4924 goto send_move_response;
4929 /* Detect a move collision. Only send a collision response
4930 * if this side has "lost", otherwise proceed with the move.
4931 * The winner has the larger bd_addr.
4933 if ((__chan_is_moving(chan) ||
4934 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4935 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4936 result = L2CAP_MR_COLLISION;
4937 goto send_move_response;
4940 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4941 l2cap_move_setup(chan);
4942 chan->move_id = req->dest_amp_id;
4945 if (req->dest_amp_id == AMP_ID_BREDR) {
4946 /* Moving to BR/EDR */
4947 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4948 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4949 result = L2CAP_MR_PEND;
4951 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4952 result = L2CAP_MR_SUCCESS;
4955 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4956 /* Placeholder - uncomment when amp functions are available */
4957 /*amp_accept_physical(chan, req->dest_amp_id);*/
4958 result = L2CAP_MR_PEND;
4962 l2cap_send_move_chan_rsp(chan, result);
4964 l2cap_chan_unlock(chan);
4969 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4971 struct l2cap_chan *chan;
4972 struct hci_chan *hchan = NULL;
4974 chan = l2cap_get_chan_by_scid(conn, icid);
4976 l2cap_send_move_chan_cfm_icid(conn, icid);
4980 __clear_chan_timer(chan);
4981 if (result == L2CAP_MR_PEND)
4982 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4984 switch (chan->move_state) {
4985 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4986 /* Move confirm will be sent when logical link
4989 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4991 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4992 if (result == L2CAP_MR_PEND) {
4994 } else if (test_bit(CONN_LOCAL_BUSY,
4995 &chan->conn_state)) {
4996 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4998 /* Logical link is up or moving to BR/EDR,
5001 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5002 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5005 case L2CAP_MOVE_WAIT_RSP:
5007 if (result == L2CAP_MR_SUCCESS) {
5008 /* Remote is ready, send confirm immediately
5009 * after logical link is ready
5011 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5013 /* Both logical link and move success
5014 * are required to confirm
5016 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5019 /* Placeholder - get hci_chan for logical link */
5021 /* Logical link not available */
5022 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5026 /* If the logical link is not yet connected, do not
5027 * send confirmation.
5029 if (hchan->state != BT_CONNECTED)
5032 /* Logical link is already ready to go */
5034 chan->hs_hcon = hchan->conn;
5035 chan->hs_hcon->l2cap_data = chan->conn;
5037 if (result == L2CAP_MR_SUCCESS) {
5038 /* Can confirm now */
5039 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5041 /* Now only need move success
5044 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5047 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5050 /* Any other amp move state means the move failed. */
5051 chan->move_id = chan->local_amp_id;
5052 l2cap_move_done(chan);
5053 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5056 l2cap_chan_unlock(chan);
5059 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5062 struct l2cap_chan *chan;
5064 chan = l2cap_get_chan_by_ident(conn, ident);
5066 /* Could not locate channel, icid is best guess */
5067 l2cap_send_move_chan_cfm_icid(conn, icid);
5071 __clear_chan_timer(chan);
5073 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5074 if (result == L2CAP_MR_COLLISION) {
5075 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5077 /* Cleanup - cancel move */
5078 chan->move_id = chan->local_amp_id;
5079 l2cap_move_done(chan);
5083 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5085 l2cap_chan_unlock(chan);
5088 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5089 struct l2cap_cmd_hdr *cmd,
5090 u16 cmd_len, void *data)
5092 struct l2cap_move_chan_rsp *rsp = data;
5095 if (cmd_len != sizeof(*rsp))
5098 icid = le16_to_cpu(rsp->icid);
5099 result = le16_to_cpu(rsp->result);
5101 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5103 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5104 l2cap_move_continue(conn, icid, result);
5106 l2cap_move_fail(conn, cmd->ident, icid, result);
5111 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5112 struct l2cap_cmd_hdr *cmd,
5113 u16 cmd_len, void *data)
5115 struct l2cap_move_chan_cfm *cfm = data;
5116 struct l2cap_chan *chan;
5119 if (cmd_len != sizeof(*cfm))
5122 icid = le16_to_cpu(cfm->icid);
5123 result = le16_to_cpu(cfm->result);
5125 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5127 chan = l2cap_get_chan_by_dcid(conn, icid);
5129 /* Spec requires a response even if the icid was not found */
5130 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5134 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5135 if (result == L2CAP_MC_CONFIRMED) {
5136 chan->local_amp_id = chan->move_id;
5137 if (chan->local_amp_id == AMP_ID_BREDR)
5138 __release_logical_link(chan);
5140 chan->move_id = chan->local_amp_id;
5143 l2cap_move_done(chan);
5146 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5148 l2cap_chan_unlock(chan);
5153 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5154 struct l2cap_cmd_hdr *cmd,
5155 u16 cmd_len, void *data)
5157 struct l2cap_move_chan_cfm_rsp *rsp = data;
5158 struct l2cap_chan *chan;
5161 if (cmd_len != sizeof(*rsp))
5164 icid = le16_to_cpu(rsp->icid);
5166 BT_DBG("icid 0x%4.4x", icid);
5168 chan = l2cap_get_chan_by_scid(conn, icid);
5172 __clear_chan_timer(chan);
5174 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5175 chan->local_amp_id = chan->move_id;
5177 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5178 __release_logical_link(chan);
5180 l2cap_move_done(chan);
5183 l2cap_chan_unlock(chan);
5188 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5189 struct l2cap_cmd_hdr *cmd,
5190 u16 cmd_len, u8 *data)
5192 struct hci_conn *hcon = conn->hcon;
5193 struct l2cap_conn_param_update_req *req;
5194 struct l2cap_conn_param_update_rsp rsp;
5195 u16 min, max, latency, to_multiplier;
5198 if (hcon->role != HCI_ROLE_MASTER)
5201 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5204 req = (struct l2cap_conn_param_update_req *) data;
5205 min = __le16_to_cpu(req->min);
5206 max = __le16_to_cpu(req->max);
5207 latency = __le16_to_cpu(req->latency);
5208 to_multiplier = __le16_to_cpu(req->to_multiplier);
5210 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5211 min, max, latency, to_multiplier);
5213 memset(&rsp, 0, sizeof(rsp));
5215 err = hci_check_conn_params(min, max, latency, to_multiplier);
5217 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5219 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5221 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5227 store_hint = hci_le_conn_update(hcon, min, max, latency,
5229 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5230 store_hint, min, max, latency,
5238 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5239 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5242 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5243 struct hci_conn *hcon = conn->hcon;
5244 u16 dcid, mtu, mps, credits, result;
5245 struct l2cap_chan *chan;
5248 if (cmd_len < sizeof(*rsp))
5251 dcid = __le16_to_cpu(rsp->dcid);
5252 mtu = __le16_to_cpu(rsp->mtu);
5253 mps = __le16_to_cpu(rsp->mps);
5254 credits = __le16_to_cpu(rsp->credits);
5255 result = __le16_to_cpu(rsp->result);
5257 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23))
5260 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5261 dcid, mtu, mps, credits, result);
5263 mutex_lock(&conn->chan_lock);
5265 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5273 l2cap_chan_lock(chan);
5276 case L2CAP_CR_SUCCESS:
5280 chan->remote_mps = mps;
5281 chan->tx_credits = credits;
5282 l2cap_chan_ready(chan);
5285 case L2CAP_CR_AUTHENTICATION:
5286 case L2CAP_CR_ENCRYPTION:
5287 /* If we already have MITM protection we can't do
5290 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5291 l2cap_chan_del(chan, ECONNREFUSED);
5295 sec_level = hcon->sec_level + 1;
5296 if (chan->sec_level < sec_level)
5297 chan->sec_level = sec_level;
5299 /* We'll need to send a new Connect Request */
5300 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5302 smp_conn_security(hcon, chan->sec_level);
5306 l2cap_chan_del(chan, ECONNREFUSED);
5310 l2cap_chan_unlock(chan);
5313 mutex_unlock(&conn->chan_lock);
5318 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5319 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5324 switch (cmd->code) {
5325 case L2CAP_COMMAND_REJ:
5326 l2cap_command_rej(conn, cmd, cmd_len, data);
5329 case L2CAP_CONN_REQ:
5330 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5333 case L2CAP_CONN_RSP:
5334 case L2CAP_CREATE_CHAN_RSP:
5335 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5338 case L2CAP_CONF_REQ:
5339 err = l2cap_config_req(conn, cmd, cmd_len, data);
5342 case L2CAP_CONF_RSP:
5343 l2cap_config_rsp(conn, cmd, cmd_len, data);
5346 case L2CAP_DISCONN_REQ:
5347 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5350 case L2CAP_DISCONN_RSP:
5351 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5354 case L2CAP_ECHO_REQ:
5355 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5358 case L2CAP_ECHO_RSP:
5361 case L2CAP_INFO_REQ:
5362 err = l2cap_information_req(conn, cmd, cmd_len, data);
5365 case L2CAP_INFO_RSP:
5366 l2cap_information_rsp(conn, cmd, cmd_len, data);
5369 case L2CAP_CREATE_CHAN_REQ:
5370 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5373 case L2CAP_MOVE_CHAN_REQ:
5374 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5377 case L2CAP_MOVE_CHAN_RSP:
5378 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5381 case L2CAP_MOVE_CHAN_CFM:
5382 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5385 case L2CAP_MOVE_CHAN_CFM_RSP:
5386 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5390 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5398 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5399 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5402 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5403 struct l2cap_le_conn_rsp rsp;
5404 struct l2cap_chan *chan, *pchan;
5405 u16 dcid, scid, credits, mtu, mps;
5409 if (cmd_len != sizeof(*req))
5412 scid = __le16_to_cpu(req->scid);
5413 mtu = __le16_to_cpu(req->mtu);
5414 mps = __le16_to_cpu(req->mps);
5419 if (mtu < 23 || mps < 23)
5422 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5425 /* Check if we have socket listening on psm */
5426 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5427 &conn->hcon->dst, LE_LINK);
5429 result = L2CAP_CR_BAD_PSM;
5434 mutex_lock(&conn->chan_lock);
5435 l2cap_chan_lock(pchan);
5437 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5439 result = L2CAP_CR_AUTHENTICATION;
5441 goto response_unlock;
5444 /* Check if we already have channel with that dcid */
5445 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5446 result = L2CAP_CR_NO_MEM;
5448 goto response_unlock;
5451 chan = pchan->ops->new_connection(pchan);
5453 result = L2CAP_CR_NO_MEM;
5454 goto response_unlock;
5457 l2cap_le_flowctl_init(chan);
5459 bacpy(&chan->src, &conn->hcon->src);
5460 bacpy(&chan->dst, &conn->hcon->dst);
5461 chan->src_type = bdaddr_src_type(conn->hcon);
5462 chan->dst_type = bdaddr_dst_type(conn->hcon);
5466 chan->remote_mps = mps;
5467 chan->tx_credits = __le16_to_cpu(req->credits);
5469 __l2cap_chan_add(conn, chan);
5471 credits = chan->rx_credits;
5473 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5475 chan->ident = cmd->ident;
5477 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5478 l2cap_state_change(chan, BT_CONNECT2);
5479 /* The following result value is actually not defined
5480 * for LE CoC but we use it to let the function know
5481 * that it should bail out after doing its cleanup
5482 * instead of sending a response.
5484 result = L2CAP_CR_PEND;
5485 chan->ops->defer(chan);
5487 l2cap_chan_ready(chan);
5488 result = L2CAP_CR_SUCCESS;
5492 l2cap_chan_unlock(pchan);
5493 mutex_unlock(&conn->chan_lock);
5494 l2cap_chan_put(pchan);
5496 if (result == L2CAP_CR_PEND)
5501 rsp.mtu = cpu_to_le16(chan->imtu);
5502 rsp.mps = cpu_to_le16(chan->mps);
5508 rsp.dcid = cpu_to_le16(dcid);
5509 rsp.credits = cpu_to_le16(credits);
5510 rsp.result = cpu_to_le16(result);
5512 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5517 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5518 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5521 struct l2cap_le_credits *pkt;
5522 struct l2cap_chan *chan;
5523 u16 cid, credits, max_credits;
5525 if (cmd_len != sizeof(*pkt))
5528 pkt = (struct l2cap_le_credits *) data;
5529 cid = __le16_to_cpu(pkt->cid);
5530 credits = __le16_to_cpu(pkt->credits);
5532 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5534 chan = l2cap_get_chan_by_dcid(conn, cid);
5538 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5539 if (credits > max_credits) {
5540 BT_ERR("LE credits overflow");
5541 l2cap_send_disconn_req(chan, ECONNRESET);
5542 l2cap_chan_unlock(chan);
5544 /* Return 0 so that we don't trigger an unnecessary
5545 * command reject packet.
5550 chan->tx_credits += credits;
5552 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5553 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5557 if (chan->tx_credits)
5558 chan->ops->resume(chan);
5560 l2cap_chan_unlock(chan);
5565 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5566 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5569 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5570 struct l2cap_chan *chan;
5572 if (cmd_len < sizeof(*rej))
5575 mutex_lock(&conn->chan_lock);
5577 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5581 l2cap_chan_lock(chan);
5582 l2cap_chan_del(chan, ECONNREFUSED);
5583 l2cap_chan_unlock(chan);
5586 mutex_unlock(&conn->chan_lock);
5590 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5591 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5596 switch (cmd->code) {
5597 case L2CAP_COMMAND_REJ:
5598 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5601 case L2CAP_CONN_PARAM_UPDATE_REQ:
5602 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5605 case L2CAP_CONN_PARAM_UPDATE_RSP:
5608 case L2CAP_LE_CONN_RSP:
5609 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5612 case L2CAP_LE_CONN_REQ:
5613 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5616 case L2CAP_LE_CREDITS:
5617 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5620 case L2CAP_DISCONN_REQ:
5621 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5624 case L2CAP_DISCONN_RSP:
5625 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5629 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5637 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5638 struct sk_buff *skb)
5640 struct hci_conn *hcon = conn->hcon;
5641 struct l2cap_cmd_hdr *cmd;
5645 if (hcon->type != LE_LINK)
5648 if (skb->len < L2CAP_CMD_HDR_SIZE)
5651 cmd = (void *) skb->data;
5652 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5654 len = le16_to_cpu(cmd->len);
5656 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5658 if (len != skb->len || !cmd->ident) {
5659 BT_DBG("corrupted command");
5663 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5665 struct l2cap_cmd_rej_unk rej;
5667 BT_ERR("Wrong link type (%d)", err);
5669 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5670 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5678 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5679 struct sk_buff *skb)
5681 struct hci_conn *hcon = conn->hcon;
5682 u8 *data = skb->data;
5684 struct l2cap_cmd_hdr cmd;
5687 l2cap_raw_recv(conn, skb);
5689 if (hcon->type != ACL_LINK)
5692 while (len >= L2CAP_CMD_HDR_SIZE) {
5694 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5695 data += L2CAP_CMD_HDR_SIZE;
5696 len -= L2CAP_CMD_HDR_SIZE;
5698 cmd_len = le16_to_cpu(cmd.len);
5700 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5703 if (cmd_len > len || !cmd.ident) {
5704 BT_DBG("corrupted command");
5708 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5710 struct l2cap_cmd_rej_unk rej;
5712 BT_ERR("Wrong link type (%d)", err);
5714 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5715 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5727 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5729 u16 our_fcs, rcv_fcs;
5732 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5733 hdr_size = L2CAP_EXT_HDR_SIZE;
5735 hdr_size = L2CAP_ENH_HDR_SIZE;
5737 if (chan->fcs == L2CAP_FCS_CRC16) {
5738 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5739 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5740 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5742 if (our_fcs != rcv_fcs)
5748 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5750 struct l2cap_ctrl control;
5752 BT_DBG("chan %p", chan);
5754 memset(&control, 0, sizeof(control));
5757 control.reqseq = chan->buffer_seq;
5758 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5760 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5761 control.super = L2CAP_SUPER_RNR;
5762 l2cap_send_sframe(chan, &control);
5765 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5766 chan->unacked_frames > 0)
5767 __set_retrans_timer(chan);
5769 /* Send pending iframes */
5770 l2cap_ertm_send(chan);
5772 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5773 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5774 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5777 control.super = L2CAP_SUPER_RR;
5778 l2cap_send_sframe(chan, &control);
5782 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5783 struct sk_buff **last_frag)
5785 /* skb->len reflects data in skb as well as all fragments
5786 * skb->data_len reflects only data in fragments
5788 if (!skb_has_frag_list(skb))
5789 skb_shinfo(skb)->frag_list = new_frag;
5791 new_frag->next = NULL;
5793 (*last_frag)->next = new_frag;
5794 *last_frag = new_frag;
5796 skb->len += new_frag->len;
5797 skb->data_len += new_frag->len;
5798 skb->truesize += new_frag->truesize;
5801 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5802 struct l2cap_ctrl *control)
5806 switch (control->sar) {
5807 case L2CAP_SAR_UNSEGMENTED:
5811 err = chan->ops->recv(chan, skb);
5814 case L2CAP_SAR_START:
5818 chan->sdu_len = get_unaligned_le16(skb->data);
5819 skb_pull(skb, L2CAP_SDULEN_SIZE);
5821 if (chan->sdu_len > chan->imtu) {
5826 if (skb->len >= chan->sdu_len)
5830 chan->sdu_last_frag = skb;
5836 case L2CAP_SAR_CONTINUE:
5840 append_skb_frag(chan->sdu, skb,
5841 &chan->sdu_last_frag);
5844 if (chan->sdu->len >= chan->sdu_len)
5854 append_skb_frag(chan->sdu, skb,
5855 &chan->sdu_last_frag);
5858 if (chan->sdu->len != chan->sdu_len)
5861 err = chan->ops->recv(chan, chan->sdu);
5864 /* Reassembly complete */
5866 chan->sdu_last_frag = NULL;
5874 kfree_skb(chan->sdu);
5876 chan->sdu_last_frag = NULL;
5883 static int l2cap_resegment(struct l2cap_chan *chan)
5889 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5893 if (chan->mode != L2CAP_MODE_ERTM)
5896 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5897 l2cap_tx(chan, NULL, NULL, event);
5900 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5903 /* Pass sequential frames to l2cap_reassemble_sdu()
5904 * until a gap is encountered.
5907 BT_DBG("chan %p", chan);
5909 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5910 struct sk_buff *skb;
5911 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5912 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5914 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5919 skb_unlink(skb, &chan->srej_q);
5920 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5921 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5926 if (skb_queue_empty(&chan->srej_q)) {
5927 chan->rx_state = L2CAP_RX_STATE_RECV;
5928 l2cap_send_ack(chan);
5934 static void l2cap_handle_srej(struct l2cap_chan *chan,
5935 struct l2cap_ctrl *control)
5937 struct sk_buff *skb;
5939 BT_DBG("chan %p, control %p", chan, control);
5941 if (control->reqseq == chan->next_tx_seq) {
5942 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5943 l2cap_send_disconn_req(chan, ECONNRESET);
5947 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5950 BT_DBG("Seq %d not available for retransmission",
5955 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5956 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5957 l2cap_send_disconn_req(chan, ECONNRESET);
5961 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5963 if (control->poll) {
5964 l2cap_pass_to_tx(chan, control);
5966 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5967 l2cap_retransmit(chan, control);
5968 l2cap_ertm_send(chan);
5970 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5971 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5972 chan->srej_save_reqseq = control->reqseq;
5975 l2cap_pass_to_tx_fbit(chan, control);
5977 if (control->final) {
5978 if (chan->srej_save_reqseq != control->reqseq ||
5979 !test_and_clear_bit(CONN_SREJ_ACT,
5981 l2cap_retransmit(chan, control);
5983 l2cap_retransmit(chan, control);
5984 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5985 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5986 chan->srej_save_reqseq = control->reqseq;
5992 static void l2cap_handle_rej(struct l2cap_chan *chan,
5993 struct l2cap_ctrl *control)
5995 struct sk_buff *skb;
5997 BT_DBG("chan %p, control %p", chan, control);
5999 if (control->reqseq == chan->next_tx_seq) {
6000 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6001 l2cap_send_disconn_req(chan, ECONNRESET);
6005 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6007 if (chan->max_tx && skb &&
6008 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6009 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6010 l2cap_send_disconn_req(chan, ECONNRESET);
6014 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6016 l2cap_pass_to_tx(chan, control);
6018 if (control->final) {
6019 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6020 l2cap_retransmit_all(chan, control);
6022 l2cap_retransmit_all(chan, control);
6023 l2cap_ertm_send(chan);
6024 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6025 set_bit(CONN_REJ_ACT, &chan->conn_state);
6029 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6031 BT_DBG("chan %p, txseq %d", chan, txseq);
6033 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6034 chan->expected_tx_seq);
6036 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6037 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6039 /* See notes below regarding "double poll" and
6042 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6043 BT_DBG("Invalid/Ignore - after SREJ");
6044 return L2CAP_TXSEQ_INVALID_IGNORE;
6046 BT_DBG("Invalid - in window after SREJ sent");
6047 return L2CAP_TXSEQ_INVALID;
6051 if (chan->srej_list.head == txseq) {
6052 BT_DBG("Expected SREJ");
6053 return L2CAP_TXSEQ_EXPECTED_SREJ;
6056 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6057 BT_DBG("Duplicate SREJ - txseq already stored");
6058 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6061 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6062 BT_DBG("Unexpected SREJ - not requested");
6063 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6067 if (chan->expected_tx_seq == txseq) {
6068 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6070 BT_DBG("Invalid - txseq outside tx window");
6071 return L2CAP_TXSEQ_INVALID;
6074 return L2CAP_TXSEQ_EXPECTED;
6078 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6079 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6080 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6081 return L2CAP_TXSEQ_DUPLICATE;
6084 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6085 /* A source of invalid packets is a "double poll" condition,
6086 * where delays cause us to send multiple poll packets. If
6087 * the remote stack receives and processes both polls,
6088 * sequence numbers can wrap around in such a way that a
6089 * resent frame has a sequence number that looks like new data
6090 * with a sequence gap. This would trigger an erroneous SREJ
6093 * Fortunately, this is impossible with a tx window that's
6094 * less than half of the maximum sequence number, which allows
6095 * invalid frames to be safely ignored.
6097 * With tx window sizes greater than half of the tx window
6098 * maximum, the frame is invalid and cannot be ignored. This
6099 * causes a disconnect.
6102 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6103 BT_DBG("Invalid/Ignore - txseq outside tx window");
6104 return L2CAP_TXSEQ_INVALID_IGNORE;
6106 BT_DBG("Invalid - txseq outside tx window");
6107 return L2CAP_TXSEQ_INVALID;
6110 BT_DBG("Unexpected - txseq indicates missing frames");
6111 return L2CAP_TXSEQ_UNEXPECTED;
6115 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6116 struct l2cap_ctrl *control,
6117 struct sk_buff *skb, u8 event)
6120 bool skb_in_use = false;
6122 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6126 case L2CAP_EV_RECV_IFRAME:
6127 switch (l2cap_classify_txseq(chan, control->txseq)) {
6128 case L2CAP_TXSEQ_EXPECTED:
6129 l2cap_pass_to_tx(chan, control);
6131 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6132 BT_DBG("Busy, discarding expected seq %d",
6137 chan->expected_tx_seq = __next_seq(chan,
6140 chan->buffer_seq = chan->expected_tx_seq;
6143 err = l2cap_reassemble_sdu(chan, skb, control);
6147 if (control->final) {
6148 if (!test_and_clear_bit(CONN_REJ_ACT,
6149 &chan->conn_state)) {
6151 l2cap_retransmit_all(chan, control);
6152 l2cap_ertm_send(chan);
6156 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6157 l2cap_send_ack(chan);
6159 case L2CAP_TXSEQ_UNEXPECTED:
6160 l2cap_pass_to_tx(chan, control);
6162 /* Can't issue SREJ frames in the local busy state.
6163 * Drop this frame, it will be seen as missing
6164 * when local busy is exited.
6166 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6167 BT_DBG("Busy, discarding unexpected seq %d",
6172 /* There was a gap in the sequence, so an SREJ
6173 * must be sent for each missing frame. The
6174 * current frame is stored for later use.
6176 skb_queue_tail(&chan->srej_q, skb);
6178 BT_DBG("Queued %p (queue len %d)", skb,
6179 skb_queue_len(&chan->srej_q));
6181 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6182 l2cap_seq_list_clear(&chan->srej_list);
6183 l2cap_send_srej(chan, control->txseq);
6185 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6187 case L2CAP_TXSEQ_DUPLICATE:
6188 l2cap_pass_to_tx(chan, control);
6190 case L2CAP_TXSEQ_INVALID_IGNORE:
6192 case L2CAP_TXSEQ_INVALID:
6194 l2cap_send_disconn_req(chan, ECONNRESET);
6198 case L2CAP_EV_RECV_RR:
6199 l2cap_pass_to_tx(chan, control);
6200 if (control->final) {
6201 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6203 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6204 !__chan_is_moving(chan)) {
6206 l2cap_retransmit_all(chan, control);
6209 l2cap_ertm_send(chan);
6210 } else if (control->poll) {
6211 l2cap_send_i_or_rr_or_rnr(chan);
6213 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6214 &chan->conn_state) &&
6215 chan->unacked_frames)
6216 __set_retrans_timer(chan);
6218 l2cap_ertm_send(chan);
6221 case L2CAP_EV_RECV_RNR:
6222 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6223 l2cap_pass_to_tx(chan, control);
6224 if (control && control->poll) {
6225 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6226 l2cap_send_rr_or_rnr(chan, 0);
6228 __clear_retrans_timer(chan);
6229 l2cap_seq_list_clear(&chan->retrans_list);
6231 case L2CAP_EV_RECV_REJ:
6232 l2cap_handle_rej(chan, control);
6234 case L2CAP_EV_RECV_SREJ:
6235 l2cap_handle_srej(chan, control);
6241 if (skb && !skb_in_use) {
6242 BT_DBG("Freeing %p", skb);
6249 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6250 struct l2cap_ctrl *control,
6251 struct sk_buff *skb, u8 event)
6254 u16 txseq = control->txseq;
6255 bool skb_in_use = false;
6257 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6261 case L2CAP_EV_RECV_IFRAME:
6262 switch (l2cap_classify_txseq(chan, txseq)) {
6263 case L2CAP_TXSEQ_EXPECTED:
6264 /* Keep frame for reassembly later */
6265 l2cap_pass_to_tx(chan, control);
6266 skb_queue_tail(&chan->srej_q, skb);
6268 BT_DBG("Queued %p (queue len %d)", skb,
6269 skb_queue_len(&chan->srej_q));
6271 chan->expected_tx_seq = __next_seq(chan, txseq);
6273 case L2CAP_TXSEQ_EXPECTED_SREJ:
6274 l2cap_seq_list_pop(&chan->srej_list);
6276 l2cap_pass_to_tx(chan, control);
6277 skb_queue_tail(&chan->srej_q, skb);
6279 BT_DBG("Queued %p (queue len %d)", skb,
6280 skb_queue_len(&chan->srej_q));
6282 err = l2cap_rx_queued_iframes(chan);
6287 case L2CAP_TXSEQ_UNEXPECTED:
6288 /* Got a frame that can't be reassembled yet.
6289 * Save it for later, and send SREJs to cover
6290 * the missing frames.
6292 skb_queue_tail(&chan->srej_q, skb);
6294 BT_DBG("Queued %p (queue len %d)", skb,
6295 skb_queue_len(&chan->srej_q));
6297 l2cap_pass_to_tx(chan, control);
6298 l2cap_send_srej(chan, control->txseq);
6300 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6301 /* This frame was requested with an SREJ, but
6302 * some expected retransmitted frames are
6303 * missing. Request retransmission of missing
6306 skb_queue_tail(&chan->srej_q, skb);
6308 BT_DBG("Queued %p (queue len %d)", skb,
6309 skb_queue_len(&chan->srej_q));
6311 l2cap_pass_to_tx(chan, control);
6312 l2cap_send_srej_list(chan, control->txseq);
6314 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6315 /* We've already queued this frame. Drop this copy. */
6316 l2cap_pass_to_tx(chan, control);
6318 case L2CAP_TXSEQ_DUPLICATE:
6319 /* Expecting a later sequence number, so this frame
6320 * was already received. Ignore it completely.
6323 case L2CAP_TXSEQ_INVALID_IGNORE:
6325 case L2CAP_TXSEQ_INVALID:
6327 l2cap_send_disconn_req(chan, ECONNRESET);
6331 case L2CAP_EV_RECV_RR:
6332 l2cap_pass_to_tx(chan, control);
6333 if (control->final) {
6334 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6336 if (!test_and_clear_bit(CONN_REJ_ACT,
6337 &chan->conn_state)) {
6339 l2cap_retransmit_all(chan, control);
6342 l2cap_ertm_send(chan);
6343 } else if (control->poll) {
6344 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6345 &chan->conn_state) &&
6346 chan->unacked_frames) {
6347 __set_retrans_timer(chan);
6350 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6351 l2cap_send_srej_tail(chan);
6353 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6354 &chan->conn_state) &&
6355 chan->unacked_frames)
6356 __set_retrans_timer(chan);
6358 l2cap_send_ack(chan);
6361 case L2CAP_EV_RECV_RNR:
6362 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6363 l2cap_pass_to_tx(chan, control);
6364 if (control->poll) {
6365 l2cap_send_srej_tail(chan);
6367 struct l2cap_ctrl rr_control;
6368 memset(&rr_control, 0, sizeof(rr_control));
6369 rr_control.sframe = 1;
6370 rr_control.super = L2CAP_SUPER_RR;
6371 rr_control.reqseq = chan->buffer_seq;
6372 l2cap_send_sframe(chan, &rr_control);
6376 case L2CAP_EV_RECV_REJ:
6377 l2cap_handle_rej(chan, control);
6379 case L2CAP_EV_RECV_SREJ:
6380 l2cap_handle_srej(chan, control);
6384 if (skb && !skb_in_use) {
6385 BT_DBG("Freeing %p", skb);
6392 static int l2cap_finish_move(struct l2cap_chan *chan)
6394 BT_DBG("chan %p", chan);
6396 chan->rx_state = L2CAP_RX_STATE_RECV;
6399 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6401 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6403 return l2cap_resegment(chan);
6406 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6407 struct l2cap_ctrl *control,
6408 struct sk_buff *skb, u8 event)
6412 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6418 l2cap_process_reqseq(chan, control->reqseq);
6420 if (!skb_queue_empty(&chan->tx_q))
6421 chan->tx_send_head = skb_peek(&chan->tx_q);
6423 chan->tx_send_head = NULL;
6425 /* Rewind next_tx_seq to the point expected
6428 chan->next_tx_seq = control->reqseq;
6429 chan->unacked_frames = 0;
6431 err = l2cap_finish_move(chan);
6435 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6436 l2cap_send_i_or_rr_or_rnr(chan);
6438 if (event == L2CAP_EV_RECV_IFRAME)
6441 return l2cap_rx_state_recv(chan, control, NULL, event);
6444 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6445 struct l2cap_ctrl *control,
6446 struct sk_buff *skb, u8 event)
6450 if (!control->final)
6453 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6455 chan->rx_state = L2CAP_RX_STATE_RECV;
6456 l2cap_process_reqseq(chan, control->reqseq);
6458 if (!skb_queue_empty(&chan->tx_q))
6459 chan->tx_send_head = skb_peek(&chan->tx_q);
6461 chan->tx_send_head = NULL;
6463 /* Rewind next_tx_seq to the point expected
6466 chan->next_tx_seq = control->reqseq;
6467 chan->unacked_frames = 0;
6470 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6472 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6474 err = l2cap_resegment(chan);
6477 err = l2cap_rx_state_recv(chan, control, skb, event);
6482 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6484 /* Make sure reqseq is for a packet that has been sent but not acked */
6487 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6488 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6491 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6492 struct sk_buff *skb, u8 event)
6496 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6497 control, skb, event, chan->rx_state);
6499 if (__valid_reqseq(chan, control->reqseq)) {
6500 switch (chan->rx_state) {
6501 case L2CAP_RX_STATE_RECV:
6502 err = l2cap_rx_state_recv(chan, control, skb, event);
6504 case L2CAP_RX_STATE_SREJ_SENT:
6505 err = l2cap_rx_state_srej_sent(chan, control, skb,
6508 case L2CAP_RX_STATE_WAIT_P:
6509 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6511 case L2CAP_RX_STATE_WAIT_F:
6512 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6519 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6520 control->reqseq, chan->next_tx_seq,
6521 chan->expected_ack_seq);
6522 l2cap_send_disconn_req(chan, ECONNRESET);
6528 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6529 struct sk_buff *skb)
6533 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6536 if (l2cap_classify_txseq(chan, control->txseq) ==
6537 L2CAP_TXSEQ_EXPECTED) {
6538 l2cap_pass_to_tx(chan, control);
6540 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6541 __next_seq(chan, chan->buffer_seq));
6543 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6545 l2cap_reassemble_sdu(chan, skb, control);
6548 kfree_skb(chan->sdu);
6551 chan->sdu_last_frag = NULL;
6555 BT_DBG("Freeing %p", skb);
6560 chan->last_acked_seq = control->txseq;
6561 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6566 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6568 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6572 __unpack_control(chan, skb);
6577 * We can just drop the corrupted I-frame here.
6578 * Receiver will miss it and start proper recovery
6579 * procedures and ask for retransmission.
6581 if (l2cap_check_fcs(chan, skb))
6584 if (!control->sframe && control->sar == L2CAP_SAR_START)
6585 len -= L2CAP_SDULEN_SIZE;
6587 if (chan->fcs == L2CAP_FCS_CRC16)
6588 len -= L2CAP_FCS_SIZE;
6590 if (len > chan->mps) {
6591 l2cap_send_disconn_req(chan, ECONNRESET);
6595 if (!control->sframe) {
6598 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6599 control->sar, control->reqseq, control->final,
6602 /* Validate F-bit - F=0 always valid, F=1 only
6603 * valid in TX WAIT_F
6605 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6608 if (chan->mode != L2CAP_MODE_STREAMING) {
6609 event = L2CAP_EV_RECV_IFRAME;
6610 err = l2cap_rx(chan, control, skb, event);
6612 err = l2cap_stream_rx(chan, control, skb);
6616 l2cap_send_disconn_req(chan, ECONNRESET);
6618 const u8 rx_func_to_event[4] = {
6619 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6620 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6623 /* Only I-frames are expected in streaming mode */
6624 if (chan->mode == L2CAP_MODE_STREAMING)
6627 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6628 control->reqseq, control->final, control->poll,
6632 BT_ERR("Trailing bytes: %d in sframe", len);
6633 l2cap_send_disconn_req(chan, ECONNRESET);
6637 /* Validate F and P bits */
6638 if (control->final && (control->poll ||
6639 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6642 event = rx_func_to_event[control->super];
6643 if (l2cap_rx(chan, control, skb, event))
6644 l2cap_send_disconn_req(chan, ECONNRESET);
6654 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6656 struct l2cap_conn *conn = chan->conn;
6657 struct l2cap_le_credits pkt;
6660 /* We return more credits to the sender only after the amount of
6661 * credits falls below half of the initial amount.
6663 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6666 return_credits = le_max_credits - chan->rx_credits;
6668 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6670 chan->rx_credits += return_credits;
6672 pkt.cid = cpu_to_le16(chan->scid);
6673 pkt.credits = cpu_to_le16(return_credits);
6675 chan->ident = l2cap_get_ident(conn);
6677 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6680 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6684 if (!chan->rx_credits) {
6685 BT_ERR("No credits to receive LE L2CAP data");
6686 l2cap_send_disconn_req(chan, ECONNRESET);
6690 if (chan->imtu < skb->len) {
6691 BT_ERR("Too big LE L2CAP PDU");
6696 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6698 l2cap_chan_le_send_credits(chan);
6705 sdu_len = get_unaligned_le16(skb->data);
6706 skb_pull(skb, L2CAP_SDULEN_SIZE);
6708 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6709 sdu_len, skb->len, chan->imtu);
6711 if (sdu_len > chan->imtu) {
6712 BT_ERR("Too big LE L2CAP SDU length received");
6717 if (skb->len > sdu_len) {
6718 BT_ERR("Too much LE L2CAP data received");
6723 if (skb->len == sdu_len)
6724 return chan->ops->recv(chan, skb);
6727 chan->sdu_len = sdu_len;
6728 chan->sdu_last_frag = skb;
6733 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6734 chan->sdu->len, skb->len, chan->sdu_len);
6736 if (chan->sdu->len + skb->len > chan->sdu_len) {
6737 BT_ERR("Too much LE L2CAP data received");
6742 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6745 if (chan->sdu->len == chan->sdu_len) {
6746 err = chan->ops->recv(chan, chan->sdu);
6749 chan->sdu_last_frag = NULL;
6757 kfree_skb(chan->sdu);
6759 chan->sdu_last_frag = NULL;
6763 /* We can't return an error here since we took care of the skb
6764 * freeing internally. An error return would cause the caller to
6765 * do a double-free of the skb.
6770 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6771 struct sk_buff *skb)
6773 struct l2cap_chan *chan;
6775 chan = l2cap_get_chan_by_scid(conn, cid);
6777 if (cid == L2CAP_CID_A2MP) {
6778 chan = a2mp_channel_create(conn, skb);
6784 l2cap_chan_lock(chan);
6786 BT_DBG("unknown cid 0x%4.4x", cid);
6787 /* Drop packet and return */
6793 BT_DBG("chan %p, len %d", chan, skb->len);
6795 /* If we receive data on a fixed channel before the info req/rsp
6796 * procdure is done simply assume that the channel is supported
6797 * and mark it as ready.
6799 if (chan->chan_type == L2CAP_CHAN_FIXED)
6800 l2cap_chan_ready(chan);
6802 if (chan->state != BT_CONNECTED)
6805 switch (chan->mode) {
6806 case L2CAP_MODE_LE_FLOWCTL:
6807 if (l2cap_le_data_rcv(chan, skb) < 0)
6812 case L2CAP_MODE_BASIC:
6813 /* If socket recv buffers overflows we drop data here
6814 * which is *bad* because L2CAP has to be reliable.
6815 * But we don't have any other choice. L2CAP doesn't
6816 * provide flow control mechanism. */
6818 if (chan->imtu < skb->len) {
6819 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6823 if (!chan->ops->recv(chan, skb))
6827 case L2CAP_MODE_ERTM:
6828 case L2CAP_MODE_STREAMING:
6829 l2cap_data_rcv(chan, skb);
6833 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6841 l2cap_chan_unlock(chan);
6844 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6845 struct sk_buff *skb)
6847 struct hci_conn *hcon = conn->hcon;
6848 struct l2cap_chan *chan;
6850 if (hcon->type != ACL_LINK)
6853 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6858 BT_DBG("chan %p, len %d", chan, skb->len);
6860 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6863 if (chan->imtu < skb->len)
6866 /* Store remote BD_ADDR and PSM for msg_name */
6867 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6868 bt_cb(skb)->l2cap.psm = psm;
6870 if (!chan->ops->recv(chan, skb)) {
6871 l2cap_chan_put(chan);
6876 l2cap_chan_put(chan);
6881 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6883 struct l2cap_hdr *lh = (void *) skb->data;
6884 struct hci_conn *hcon = conn->hcon;
6888 if (hcon->state != BT_CONNECTED) {
6889 BT_DBG("queueing pending rx skb");
6890 skb_queue_tail(&conn->pending_rx, skb);
6894 skb_pull(skb, L2CAP_HDR_SIZE);
6895 cid = __le16_to_cpu(lh->cid);
6896 len = __le16_to_cpu(lh->len);
6898 if (len != skb->len) {
6903 /* Since we can't actively block incoming LE connections we must
6904 * at least ensure that we ignore incoming data from them.
6906 if (hcon->type == LE_LINK &&
6907 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6908 bdaddr_dst_type(hcon))) {
6913 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6916 case L2CAP_CID_SIGNALING:
6917 l2cap_sig_channel(conn, skb);
6920 case L2CAP_CID_CONN_LESS:
6921 psm = get_unaligned((__le16 *) skb->data);
6922 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6923 l2cap_conless_channel(conn, psm, skb);
6926 case L2CAP_CID_LE_SIGNALING:
6927 l2cap_le_sig_channel(conn, skb);
6931 l2cap_data_channel(conn, cid, skb);
6936 static void process_pending_rx(struct work_struct *work)
6938 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6940 struct sk_buff *skb;
6944 while ((skb = skb_dequeue(&conn->pending_rx)))
6945 l2cap_recv_frame(conn, skb);
6948 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6950 struct l2cap_conn *conn = hcon->l2cap_data;
6951 struct hci_chan *hchan;
6956 hchan = hci_chan_create(hcon);
6960 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6962 hci_chan_del(hchan);
6966 kref_init(&conn->ref);
6967 hcon->l2cap_data = conn;
6968 conn->hcon = hci_conn_get(hcon);
6969 conn->hchan = hchan;
6971 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6973 switch (hcon->type) {
6975 if (hcon->hdev->le_mtu) {
6976 conn->mtu = hcon->hdev->le_mtu;
6981 conn->mtu = hcon->hdev->acl_mtu;
6985 conn->feat_mask = 0;
6987 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
6989 if (hcon->type == ACL_LINK &&
6990 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
6991 conn->local_fixed_chan |= L2CAP_FC_A2MP;
6993 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
6994 (bredr_sc_enabled(hcon->hdev) ||
6995 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
6996 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
6998 mutex_init(&conn->ident_lock);
6999 mutex_init(&conn->chan_lock);
7001 INIT_LIST_HEAD(&conn->chan_l);
7002 INIT_LIST_HEAD(&conn->users);
7004 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7006 skb_queue_head_init(&conn->pending_rx);
7007 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7008 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7010 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7015 static bool is_valid_psm(u16 psm, u8 dst_type) {
7019 if (bdaddr_type_is_le(dst_type))
7020 return (psm <= 0x00ff);
7022 /* PSM must be odd and lsb of upper byte must be 0 */
7023 return ((psm & 0x0101) == 0x0001);
7026 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7027 bdaddr_t *dst, u8 dst_type)
7029 struct l2cap_conn *conn;
7030 struct hci_conn *hcon;
7031 struct hci_dev *hdev;
7034 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7035 dst_type, __le16_to_cpu(psm));
7037 hdev = hci_get_route(dst, &chan->src);
7039 return -EHOSTUNREACH;
7043 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7044 chan->chan_type != L2CAP_CHAN_RAW) {
7049 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7054 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7059 switch (chan->mode) {
7060 case L2CAP_MODE_BASIC:
7062 case L2CAP_MODE_LE_FLOWCTL:
7063 l2cap_le_flowctl_init(chan);
7065 case L2CAP_MODE_ERTM:
7066 case L2CAP_MODE_STREAMING:
7075 switch (chan->state) {
7079 /* Already connecting */
7084 /* Already connected */
7098 /* Set destination address and psm */
7099 bacpy(&chan->dst, dst);
7100 chan->dst_type = dst_type;
7105 if (bdaddr_type_is_le(dst_type)) {
7108 /* Convert from L2CAP channel address type to HCI address type
7110 if (dst_type == BDADDR_LE_PUBLIC)
7111 dst_type = ADDR_LE_DEV_PUBLIC;
7113 dst_type = ADDR_LE_DEV_RANDOM;
7115 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7116 role = HCI_ROLE_SLAVE;
7118 role = HCI_ROLE_MASTER;
7120 hcon = hci_connect_le(hdev, dst, dst_type, chan->sec_level,
7121 HCI_LE_CONN_TIMEOUT, role);
7123 u8 auth_type = l2cap_get_auth_type(chan);
7124 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7128 err = PTR_ERR(hcon);
7132 conn = l2cap_conn_add(hcon);
7134 hci_conn_drop(hcon);
7139 mutex_lock(&conn->chan_lock);
7140 l2cap_chan_lock(chan);
7142 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7143 hci_conn_drop(hcon);
7148 /* Update source addr of the socket */
7149 bacpy(&chan->src, &hcon->src);
7150 chan->src_type = bdaddr_src_type(hcon);
7152 __l2cap_chan_add(conn, chan);
7154 /* l2cap_chan_add takes its own ref so we can drop this one */
7155 hci_conn_drop(hcon);
7157 l2cap_state_change(chan, BT_CONNECT);
7158 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7160 /* Release chan->sport so that it can be reused by other
7161 * sockets (as it's only used for listening sockets).
7163 write_lock(&chan_list_lock);
7165 write_unlock(&chan_list_lock);
7167 if (hcon->state == BT_CONNECTED) {
7168 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7169 __clear_chan_timer(chan);
7170 if (l2cap_chan_check_security(chan, true))
7171 l2cap_state_change(chan, BT_CONNECTED);
7173 l2cap_do_start(chan);
7179 l2cap_chan_unlock(chan);
7180 mutex_unlock(&conn->chan_lock);
7182 hci_dev_unlock(hdev);
7186 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7188 /* ---- L2CAP interface with lower layer (HCI) ---- */
7190 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7192 int exact = 0, lm1 = 0, lm2 = 0;
7193 struct l2cap_chan *c;
7195 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7197 /* Find listening sockets and check their link_mode */
7198 read_lock(&chan_list_lock);
7199 list_for_each_entry(c, &chan_list, global_l) {
7200 if (c->state != BT_LISTEN)
7203 if (!bacmp(&c->src, &hdev->bdaddr)) {
7204 lm1 |= HCI_LM_ACCEPT;
7205 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7206 lm1 |= HCI_LM_MASTER;
7208 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7209 lm2 |= HCI_LM_ACCEPT;
7210 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7211 lm2 |= HCI_LM_MASTER;
7214 read_unlock(&chan_list_lock);
7216 return exact ? lm1 : lm2;
7219 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7220 * from an existing channel in the list or from the beginning of the
7221 * global list (by passing NULL as first parameter).
7223 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7224 struct hci_conn *hcon)
7226 u8 src_type = bdaddr_src_type(hcon);
7228 read_lock(&chan_list_lock);
7231 c = list_next_entry(c, global_l);
7233 c = list_entry(chan_list.next, typeof(*c), global_l);
7235 list_for_each_entry_from(c, &chan_list, global_l) {
7236 if (c->chan_type != L2CAP_CHAN_FIXED)
7238 if (c->state != BT_LISTEN)
7240 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7242 if (src_type != c->src_type)
7246 read_unlock(&chan_list_lock);
7250 read_unlock(&chan_list_lock);
7255 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7257 struct hci_dev *hdev = hcon->hdev;
7258 struct l2cap_conn *conn;
7259 struct l2cap_chan *pchan;
7262 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7265 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7268 l2cap_conn_del(hcon, bt_to_errno(status));
7272 conn = l2cap_conn_add(hcon);
7276 dst_type = bdaddr_dst_type(hcon);
7278 /* If device is blocked, do not create channels for it */
7279 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7282 /* Find fixed channels and notify them of the new connection. We
7283 * use multiple individual lookups, continuing each time where
7284 * we left off, because the list lock would prevent calling the
7285 * potentially sleeping l2cap_chan_lock() function.
7287 pchan = l2cap_global_fixed_chan(NULL, hcon);
7289 struct l2cap_chan *chan, *next;
7291 /* Client fixed channels should override server ones */
7292 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7295 l2cap_chan_lock(pchan);
7296 chan = pchan->ops->new_connection(pchan);
7298 bacpy(&chan->src, &hcon->src);
7299 bacpy(&chan->dst, &hcon->dst);
7300 chan->src_type = bdaddr_src_type(hcon);
7301 chan->dst_type = dst_type;
7303 __l2cap_chan_add(conn, chan);
7306 l2cap_chan_unlock(pchan);
7308 next = l2cap_global_fixed_chan(pchan, hcon);
7309 l2cap_chan_put(pchan);
7313 l2cap_conn_ready(conn);
7316 int l2cap_disconn_ind(struct hci_conn *hcon)
7318 struct l2cap_conn *conn = hcon->l2cap_data;
7320 BT_DBG("hcon %p", hcon);
7323 return HCI_ERROR_REMOTE_USER_TERM;
7324 return conn->disc_reason;
7327 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7329 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7332 BT_DBG("hcon %p reason %d", hcon, reason);
7334 l2cap_conn_del(hcon, bt_to_errno(reason));
7337 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7339 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7342 if (encrypt == 0x00) {
7343 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7344 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7345 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7346 chan->sec_level == BT_SECURITY_FIPS)
7347 l2cap_chan_close(chan, ECONNREFUSED);
7349 if (chan->sec_level == BT_SECURITY_MEDIUM)
7350 __clear_chan_timer(chan);
7354 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7356 struct l2cap_conn *conn = hcon->l2cap_data;
7357 struct l2cap_chan *chan;
7362 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7364 mutex_lock(&conn->chan_lock);
7366 list_for_each_entry(chan, &conn->chan_l, list) {
7367 l2cap_chan_lock(chan);
7369 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7370 state_to_string(chan->state));
7372 if (chan->scid == L2CAP_CID_A2MP) {
7373 l2cap_chan_unlock(chan);
7377 if (!status && encrypt)
7378 chan->sec_level = hcon->sec_level;
7380 if (!__l2cap_no_conn_pending(chan)) {
7381 l2cap_chan_unlock(chan);
7385 if (!status && (chan->state == BT_CONNECTED ||
7386 chan->state == BT_CONFIG)) {
7387 chan->ops->resume(chan);
7388 l2cap_check_encryption(chan, encrypt);
7389 l2cap_chan_unlock(chan);
7393 if (chan->state == BT_CONNECT) {
7395 l2cap_start_connection(chan);
7397 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7398 } else if (chan->state == BT_CONNECT2 &&
7399 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7400 struct l2cap_conn_rsp rsp;
7404 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7405 res = L2CAP_CR_PEND;
7406 stat = L2CAP_CS_AUTHOR_PEND;
7407 chan->ops->defer(chan);
7409 l2cap_state_change(chan, BT_CONFIG);
7410 res = L2CAP_CR_SUCCESS;
7411 stat = L2CAP_CS_NO_INFO;
7414 l2cap_state_change(chan, BT_DISCONN);
7415 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7416 res = L2CAP_CR_SEC_BLOCK;
7417 stat = L2CAP_CS_NO_INFO;
7420 rsp.scid = cpu_to_le16(chan->dcid);
7421 rsp.dcid = cpu_to_le16(chan->scid);
7422 rsp.result = cpu_to_le16(res);
7423 rsp.status = cpu_to_le16(stat);
7424 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7427 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7428 res == L2CAP_CR_SUCCESS) {
7430 set_bit(CONF_REQ_SENT, &chan->conf_state);
7431 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7433 l2cap_build_conf_req(chan, buf),
7435 chan->num_conf_req++;
7439 l2cap_chan_unlock(chan);
7442 mutex_unlock(&conn->chan_lock);
7445 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7447 struct l2cap_conn *conn = hcon->l2cap_data;
7448 struct l2cap_hdr *hdr;
7451 /* For AMP controller do not create l2cap conn */
7452 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7456 conn = l2cap_conn_add(hcon);
7461 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7465 case ACL_START_NO_FLUSH:
7468 BT_ERR("Unexpected start frame (len %d)", skb->len);
7469 kfree_skb(conn->rx_skb);
7470 conn->rx_skb = NULL;
7472 l2cap_conn_unreliable(conn, ECOMM);
7475 /* Start fragment always begin with Basic L2CAP header */
7476 if (skb->len < L2CAP_HDR_SIZE) {
7477 BT_ERR("Frame is too short (len %d)", skb->len);
7478 l2cap_conn_unreliable(conn, ECOMM);
7482 hdr = (struct l2cap_hdr *) skb->data;
7483 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7485 if (len == skb->len) {
7486 /* Complete frame received */
7487 l2cap_recv_frame(conn, skb);
7491 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7493 if (skb->len > len) {
7494 BT_ERR("Frame is too long (len %d, expected len %d)",
7496 l2cap_conn_unreliable(conn, ECOMM);
7500 /* Allocate skb for the complete frame (with header) */
7501 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7505 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7507 conn->rx_len = len - skb->len;
7511 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7513 if (!conn->rx_len) {
7514 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7515 l2cap_conn_unreliable(conn, ECOMM);
7519 if (skb->len > conn->rx_len) {
7520 BT_ERR("Fragment is too long (len %d, expected %d)",
7521 skb->len, conn->rx_len);
7522 kfree_skb(conn->rx_skb);
7523 conn->rx_skb = NULL;
7525 l2cap_conn_unreliable(conn, ECOMM);
7529 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7531 conn->rx_len -= skb->len;
7533 if (!conn->rx_len) {
7534 /* Complete frame received. l2cap_recv_frame
7535 * takes ownership of the skb so set the global
7536 * rx_skb pointer to NULL first.
7538 struct sk_buff *rx_skb = conn->rx_skb;
7539 conn->rx_skb = NULL;
7540 l2cap_recv_frame(conn, rx_skb);
7550 static struct hci_cb l2cap_cb = {
7552 .connect_cfm = l2cap_connect_cfm,
7553 .disconn_cfm = l2cap_disconn_cfm,
7554 .security_cfm = l2cap_security_cfm,
7557 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7559 struct l2cap_chan *c;
7561 read_lock(&chan_list_lock);
7563 list_for_each_entry(c, &chan_list, global_l) {
7564 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7565 &c->src, c->src_type, &c->dst, c->dst_type,
7566 c->state, __le16_to_cpu(c->psm),
7567 c->scid, c->dcid, c->imtu, c->omtu,
7568 c->sec_level, c->mode);
7571 read_unlock(&chan_list_lock);
7576 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7578 return single_open(file, l2cap_debugfs_show, inode->i_private);
7581 static const struct file_operations l2cap_debugfs_fops = {
7582 .open = l2cap_debugfs_open,
7584 .llseek = seq_lseek,
7585 .release = single_release,
7588 static struct dentry *l2cap_debugfs;
7590 int __init l2cap_init(void)
7594 err = l2cap_init_sockets();
7598 hci_register_cb(&l2cap_cb);
7600 if (IS_ERR_OR_NULL(bt_debugfs))
7603 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7604 NULL, &l2cap_debugfs_fops);
7606 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7608 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7614 void l2cap_exit(void)
7616 debugfs_remove(l2cap_debugfs);
7617 hci_unregister_cb(&l2cap_cb);
7618 l2cap_cleanup_sockets();
7621 module_param(disable_ertm, bool, 0644);
7622 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
Code Review / kvmfornfv.git / blob