2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
54 static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
55 static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
57 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
58 u8 code, u8 ident, u16 dlen, void *data);
59 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
61 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
62 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
64 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
65 struct sk_buff_head *skbs, u8 event);
67 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
69 if (link_type == LE_LINK) {
70 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
71 return BDADDR_LE_PUBLIC;
73 return BDADDR_LE_RANDOM;
79 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
81 return bdaddr_type(hcon->type, hcon->src_type);
84 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
86 return bdaddr_type(hcon->type, hcon->dst_type);
89 /* ---- L2CAP channels ---- */
91 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
96 list_for_each_entry(c, &conn->chan_l, list) {
103 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
106 struct l2cap_chan *c;
108 list_for_each_entry(c, &conn->chan_l, list) {
115 /* Find channel with given SCID.
116 * Returns locked channel. */
117 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
120 struct l2cap_chan *c;
122 mutex_lock(&conn->chan_lock);
123 c = __l2cap_get_chan_by_scid(conn, cid);
126 mutex_unlock(&conn->chan_lock);
131 /* Find channel with given DCID.
132 * Returns locked channel.
134 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
137 struct l2cap_chan *c;
139 mutex_lock(&conn->chan_lock);
140 c = __l2cap_get_chan_by_dcid(conn, cid);
143 mutex_unlock(&conn->chan_lock);
148 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
151 struct l2cap_chan *c;
153 list_for_each_entry(c, &conn->chan_l, list) {
154 if (c->ident == ident)
160 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
163 struct l2cap_chan *c;
165 mutex_lock(&conn->chan_lock);
166 c = __l2cap_get_chan_by_ident(conn, ident);
169 mutex_unlock(&conn->chan_lock);
174 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
176 struct l2cap_chan *c;
178 list_for_each_entry(c, &chan_list, global_l) {
179 if (c->sport == psm && !bacmp(&c->src, src))
185 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
189 write_lock(&chan_list_lock);
191 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
201 u16 p, start, end, incr;
203 if (chan->src_type == BDADDR_BREDR) {
204 start = L2CAP_PSM_DYN_START;
205 end = L2CAP_PSM_AUTO_END;
208 start = L2CAP_PSM_LE_DYN_START;
209 end = L2CAP_PSM_LE_DYN_END;
214 for (p = start; p <= end; p += incr)
215 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
216 chan->psm = cpu_to_le16(p);
217 chan->sport = cpu_to_le16(p);
224 write_unlock(&chan_list_lock);
227 EXPORT_SYMBOL_GPL(l2cap_add_psm);
229 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
231 write_lock(&chan_list_lock);
233 /* Override the defaults (which are for conn-oriented) */
234 chan->omtu = L2CAP_DEFAULT_MTU;
235 chan->chan_type = L2CAP_CHAN_FIXED;
239 write_unlock(&chan_list_lock);
244 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
248 if (conn->hcon->type == LE_LINK)
249 dyn_end = L2CAP_CID_LE_DYN_END;
251 dyn_end = L2CAP_CID_DYN_END;
253 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
254 if (!__l2cap_get_chan_by_scid(conn, cid))
261 static void l2cap_state_change(struct l2cap_chan *chan, int state)
263 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
264 state_to_string(state));
267 chan->ops->state_change(chan, state, 0);
270 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
274 chan->ops->state_change(chan, chan->state, err);
277 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
279 chan->ops->state_change(chan, chan->state, err);
282 static void __set_retrans_timer(struct l2cap_chan *chan)
284 if (!delayed_work_pending(&chan->monitor_timer) &&
285 chan->retrans_timeout) {
286 l2cap_set_timer(chan, &chan->retrans_timer,
287 msecs_to_jiffies(chan->retrans_timeout));
291 static void __set_monitor_timer(struct l2cap_chan *chan)
293 __clear_retrans_timer(chan);
294 if (chan->monitor_timeout) {
295 l2cap_set_timer(chan, &chan->monitor_timer,
296 msecs_to_jiffies(chan->monitor_timeout));
300 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
305 skb_queue_walk(head, skb) {
306 if (bt_cb(skb)->l2cap.txseq == seq)
313 /* ---- L2CAP sequence number lists ---- */
315 /* For ERTM, ordered lists of sequence numbers must be tracked for
316 * SREJ requests that are received and for frames that are to be
317 * retransmitted. These seq_list functions implement a singly-linked
318 * list in an array, where membership in the list can also be checked
319 * in constant time. Items can also be added to the tail of the list
320 * and removed from the head in constant time, without further memory
324 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
326 size_t alloc_size, i;
328 /* Allocated size is a power of 2 to map sequence numbers
329 * (which may be up to 14 bits) in to a smaller array that is
330 * sized for the negotiated ERTM transmit windows.
332 alloc_size = roundup_pow_of_two(size);
334 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
338 seq_list->mask = alloc_size - 1;
339 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
340 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
341 for (i = 0; i < alloc_size; i++)
342 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
347 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
349 kfree(seq_list->list);
352 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
355 /* Constant-time check for list membership */
356 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
359 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
361 u16 seq = seq_list->head;
362 u16 mask = seq_list->mask;
364 seq_list->head = seq_list->list[seq & mask];
365 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
367 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
368 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
369 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
375 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
379 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
382 for (i = 0; i <= seq_list->mask; i++)
383 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
385 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
386 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
389 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
391 u16 mask = seq_list->mask;
393 /* All appends happen in constant time */
395 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
398 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
399 seq_list->head = seq;
401 seq_list->list[seq_list->tail & mask] = seq;
403 seq_list->tail = seq;
404 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
407 static void l2cap_chan_timeout(struct work_struct *work)
409 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
411 struct l2cap_conn *conn = chan->conn;
414 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
416 mutex_lock(&conn->chan_lock);
417 l2cap_chan_lock(chan);
419 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
420 reason = ECONNREFUSED;
421 else if (chan->state == BT_CONNECT &&
422 chan->sec_level != BT_SECURITY_SDP)
423 reason = ECONNREFUSED;
427 l2cap_chan_close(chan, reason);
429 l2cap_chan_unlock(chan);
431 chan->ops->close(chan);
432 mutex_unlock(&conn->chan_lock);
434 l2cap_chan_put(chan);
437 struct l2cap_chan *l2cap_chan_create(void)
439 struct l2cap_chan *chan;
441 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
445 mutex_init(&chan->lock);
447 /* Set default lock nesting level */
448 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
450 write_lock(&chan_list_lock);
451 list_add(&chan->global_l, &chan_list);
452 write_unlock(&chan_list_lock);
454 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
456 chan->state = BT_OPEN;
458 kref_init(&chan->kref);
460 /* This flag is cleared in l2cap_chan_ready() */
461 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
463 BT_DBG("chan %p", chan);
467 EXPORT_SYMBOL_GPL(l2cap_chan_create);
469 static void l2cap_chan_destroy(struct kref *kref)
471 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
473 BT_DBG("chan %p", chan);
475 write_lock(&chan_list_lock);
476 list_del(&chan->global_l);
477 write_unlock(&chan_list_lock);
482 void l2cap_chan_hold(struct l2cap_chan *c)
484 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
489 void l2cap_chan_put(struct l2cap_chan *c)
491 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
493 kref_put(&c->kref, l2cap_chan_destroy);
495 EXPORT_SYMBOL_GPL(l2cap_chan_put);
497 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
499 chan->fcs = L2CAP_FCS_CRC16;
500 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
501 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
502 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
503 chan->remote_max_tx = chan->max_tx;
504 chan->remote_tx_win = chan->tx_win;
505 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
506 chan->sec_level = BT_SECURITY_LOW;
507 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
508 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
509 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
510 chan->conf_state = 0;
512 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
514 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
516 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
519 chan->sdu_last_frag = NULL;
521 chan->tx_credits = 0;
522 chan->rx_credits = le_max_credits;
523 chan->mps = min_t(u16, chan->imtu, le_default_mps);
525 skb_queue_head_init(&chan->tx_q);
528 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
530 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
531 __le16_to_cpu(chan->psm), chan->dcid);
533 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
537 switch (chan->chan_type) {
538 case L2CAP_CHAN_CONN_ORIENTED:
539 /* Alloc CID for connection-oriented socket */
540 chan->scid = l2cap_alloc_cid(conn);
541 if (conn->hcon->type == ACL_LINK)
542 chan->omtu = L2CAP_DEFAULT_MTU;
545 case L2CAP_CHAN_CONN_LESS:
546 /* Connectionless socket */
547 chan->scid = L2CAP_CID_CONN_LESS;
548 chan->dcid = L2CAP_CID_CONN_LESS;
549 chan->omtu = L2CAP_DEFAULT_MTU;
552 case L2CAP_CHAN_FIXED:
553 /* Caller will set CID and CID specific MTU values */
557 /* Raw socket can send/recv signalling messages only */
558 chan->scid = L2CAP_CID_SIGNALING;
559 chan->dcid = L2CAP_CID_SIGNALING;
560 chan->omtu = L2CAP_DEFAULT_MTU;
563 chan->local_id = L2CAP_BESTEFFORT_ID;
564 chan->local_stype = L2CAP_SERV_BESTEFFORT;
565 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
566 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
567 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
568 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
570 l2cap_chan_hold(chan);
572 /* Only keep a reference for fixed channels if they requested it */
573 if (chan->chan_type != L2CAP_CHAN_FIXED ||
574 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
575 hci_conn_hold(conn->hcon);
577 list_add(&chan->list, &conn->chan_l);
580 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
582 mutex_lock(&conn->chan_lock);
583 __l2cap_chan_add(conn, chan);
584 mutex_unlock(&conn->chan_lock);
587 void l2cap_chan_del(struct l2cap_chan *chan, int err)
589 struct l2cap_conn *conn = chan->conn;
591 __clear_chan_timer(chan);
593 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
594 state_to_string(chan->state));
596 chan->ops->teardown(chan, err);
599 struct amp_mgr *mgr = conn->hcon->amp_mgr;
600 /* Delete from channel list */
601 list_del(&chan->list);
603 l2cap_chan_put(chan);
607 /* Reference was only held for non-fixed channels or
608 * fixed channels that explicitly requested it using the
609 * FLAG_HOLD_HCI_CONN flag.
611 if (chan->chan_type != L2CAP_CHAN_FIXED ||
612 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
613 hci_conn_drop(conn->hcon);
615 if (mgr && mgr->bredr_chan == chan)
616 mgr->bredr_chan = NULL;
619 if (chan->hs_hchan) {
620 struct hci_chan *hs_hchan = chan->hs_hchan;
622 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
623 amp_disconnect_logical_link(hs_hchan);
626 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
630 case L2CAP_MODE_BASIC:
633 case L2CAP_MODE_LE_FLOWCTL:
634 skb_queue_purge(&chan->tx_q);
637 case L2CAP_MODE_ERTM:
638 __clear_retrans_timer(chan);
639 __clear_monitor_timer(chan);
640 __clear_ack_timer(chan);
642 skb_queue_purge(&chan->srej_q);
644 l2cap_seq_list_free(&chan->srej_list);
645 l2cap_seq_list_free(&chan->retrans_list);
649 case L2CAP_MODE_STREAMING:
650 skb_queue_purge(&chan->tx_q);
656 EXPORT_SYMBOL_GPL(l2cap_chan_del);
658 static void l2cap_conn_update_id_addr(struct work_struct *work)
660 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
661 id_addr_update_work);
662 struct hci_conn *hcon = conn->hcon;
663 struct l2cap_chan *chan;
665 mutex_lock(&conn->chan_lock);
667 list_for_each_entry(chan, &conn->chan_l, list) {
668 l2cap_chan_lock(chan);
669 bacpy(&chan->dst, &hcon->dst);
670 chan->dst_type = bdaddr_dst_type(hcon);
671 l2cap_chan_unlock(chan);
674 mutex_unlock(&conn->chan_lock);
677 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
679 struct l2cap_conn *conn = chan->conn;
680 struct l2cap_le_conn_rsp rsp;
683 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
684 result = L2CAP_CR_AUTHORIZATION;
686 result = L2CAP_CR_BAD_PSM;
688 l2cap_state_change(chan, BT_DISCONN);
690 rsp.dcid = cpu_to_le16(chan->scid);
691 rsp.mtu = cpu_to_le16(chan->imtu);
692 rsp.mps = cpu_to_le16(chan->mps);
693 rsp.credits = cpu_to_le16(chan->rx_credits);
694 rsp.result = cpu_to_le16(result);
696 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
700 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
702 struct l2cap_conn *conn = chan->conn;
703 struct l2cap_conn_rsp rsp;
706 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
707 result = L2CAP_CR_SEC_BLOCK;
709 result = L2CAP_CR_BAD_PSM;
711 l2cap_state_change(chan, BT_DISCONN);
713 rsp.scid = cpu_to_le16(chan->dcid);
714 rsp.dcid = cpu_to_le16(chan->scid);
715 rsp.result = cpu_to_le16(result);
716 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
718 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
721 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
723 struct l2cap_conn *conn = chan->conn;
725 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
727 switch (chan->state) {
729 chan->ops->teardown(chan, 0);
734 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
735 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
736 l2cap_send_disconn_req(chan, reason);
738 l2cap_chan_del(chan, reason);
742 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
743 if (conn->hcon->type == ACL_LINK)
744 l2cap_chan_connect_reject(chan);
745 else if (conn->hcon->type == LE_LINK)
746 l2cap_chan_le_connect_reject(chan);
749 l2cap_chan_del(chan, reason);
754 l2cap_chan_del(chan, reason);
758 chan->ops->teardown(chan, 0);
762 EXPORT_SYMBOL(l2cap_chan_close);
764 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
766 switch (chan->chan_type) {
768 switch (chan->sec_level) {
769 case BT_SECURITY_HIGH:
770 case BT_SECURITY_FIPS:
771 return HCI_AT_DEDICATED_BONDING_MITM;
772 case BT_SECURITY_MEDIUM:
773 return HCI_AT_DEDICATED_BONDING;
775 return HCI_AT_NO_BONDING;
778 case L2CAP_CHAN_CONN_LESS:
779 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
780 if (chan->sec_level == BT_SECURITY_LOW)
781 chan->sec_level = BT_SECURITY_SDP;
783 if (chan->sec_level == BT_SECURITY_HIGH ||
784 chan->sec_level == BT_SECURITY_FIPS)
785 return HCI_AT_NO_BONDING_MITM;
787 return HCI_AT_NO_BONDING;
789 case L2CAP_CHAN_CONN_ORIENTED:
790 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
791 if (chan->sec_level == BT_SECURITY_LOW)
792 chan->sec_level = BT_SECURITY_SDP;
794 if (chan->sec_level == BT_SECURITY_HIGH ||
795 chan->sec_level == BT_SECURITY_FIPS)
796 return HCI_AT_NO_BONDING_MITM;
798 return HCI_AT_NO_BONDING;
802 switch (chan->sec_level) {
803 case BT_SECURITY_HIGH:
804 case BT_SECURITY_FIPS:
805 return HCI_AT_GENERAL_BONDING_MITM;
806 case BT_SECURITY_MEDIUM:
807 return HCI_AT_GENERAL_BONDING;
809 return HCI_AT_NO_BONDING;
815 /* Service level security */
816 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
818 struct l2cap_conn *conn = chan->conn;
821 if (conn->hcon->type == LE_LINK)
822 return smp_conn_security(conn->hcon, chan->sec_level);
824 auth_type = l2cap_get_auth_type(chan);
826 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
830 static u8 l2cap_get_ident(struct l2cap_conn *conn)
834 /* Get next available identificator.
835 * 1 - 128 are used by kernel.
836 * 129 - 199 are reserved.
837 * 200 - 254 are used by utilities like l2ping, etc.
840 mutex_lock(&conn->ident_lock);
842 if (++conn->tx_ident > 128)
847 mutex_unlock(&conn->ident_lock);
852 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
855 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
858 BT_DBG("code 0x%2.2x", code);
863 /* Use NO_FLUSH if supported or we have an LE link (which does
864 * not support auto-flushing packets) */
865 if (lmp_no_flush_capable(conn->hcon->hdev) ||
866 conn->hcon->type == LE_LINK)
867 flags = ACL_START_NO_FLUSH;
871 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
872 skb->priority = HCI_PRIO_MAX;
874 hci_send_acl(conn->hchan, skb, flags);
877 static bool __chan_is_moving(struct l2cap_chan *chan)
879 return chan->move_state != L2CAP_MOVE_STABLE &&
880 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
883 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
885 struct hci_conn *hcon = chan->conn->hcon;
888 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
891 if (chan->hs_hcon && !__chan_is_moving(chan)) {
893 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
900 /* Use NO_FLUSH for LE links (where this is the only option) or
901 * if the BR/EDR link supports it and flushing has not been
902 * explicitly requested (through FLAG_FLUSHABLE).
904 if (hcon->type == LE_LINK ||
905 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
906 lmp_no_flush_capable(hcon->hdev)))
907 flags = ACL_START_NO_FLUSH;
911 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
912 hci_send_acl(chan->conn->hchan, skb, flags);
915 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
917 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
918 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
920 if (enh & L2CAP_CTRL_FRAME_TYPE) {
923 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
924 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
931 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
932 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
939 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
941 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
942 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
944 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
947 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
948 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
955 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
956 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
963 static inline void __unpack_control(struct l2cap_chan *chan,
966 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
967 __unpack_extended_control(get_unaligned_le32(skb->data),
969 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
971 __unpack_enhanced_control(get_unaligned_le16(skb->data),
973 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
977 static u32 __pack_extended_control(struct l2cap_ctrl *control)
981 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
982 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
984 if (control->sframe) {
985 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
986 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
987 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
989 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
990 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
996 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1000 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1001 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1003 if (control->sframe) {
1004 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1005 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1006 packed |= L2CAP_CTRL_FRAME_TYPE;
1008 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1009 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1015 static inline void __pack_control(struct l2cap_chan *chan,
1016 struct l2cap_ctrl *control,
1017 struct sk_buff *skb)
1019 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1020 put_unaligned_le32(__pack_extended_control(control),
1021 skb->data + L2CAP_HDR_SIZE);
1023 put_unaligned_le16(__pack_enhanced_control(control),
1024 skb->data + L2CAP_HDR_SIZE);
1028 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1030 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1031 return L2CAP_EXT_HDR_SIZE;
1033 return L2CAP_ENH_HDR_SIZE;
1036 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1039 struct sk_buff *skb;
1040 struct l2cap_hdr *lh;
1041 int hlen = __ertm_hdr_size(chan);
1043 if (chan->fcs == L2CAP_FCS_CRC16)
1044 hlen += L2CAP_FCS_SIZE;
1046 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1049 return ERR_PTR(-ENOMEM);
1051 lh = skb_put(skb, L2CAP_HDR_SIZE);
1052 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1053 lh->cid = cpu_to_le16(chan->dcid);
1055 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1056 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1058 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1060 if (chan->fcs == L2CAP_FCS_CRC16) {
1061 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1062 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1065 skb->priority = HCI_PRIO_MAX;
1069 static void l2cap_send_sframe(struct l2cap_chan *chan,
1070 struct l2cap_ctrl *control)
1072 struct sk_buff *skb;
1075 BT_DBG("chan %p, control %p", chan, control);
1077 if (!control->sframe)
1080 if (__chan_is_moving(chan))
1083 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1087 if (control->super == L2CAP_SUPER_RR)
1088 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1089 else if (control->super == L2CAP_SUPER_RNR)
1090 set_bit(CONN_RNR_SENT, &chan->conn_state);
1092 if (control->super != L2CAP_SUPER_SREJ) {
1093 chan->last_acked_seq = control->reqseq;
1094 __clear_ack_timer(chan);
1097 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1098 control->final, control->poll, control->super);
1100 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1101 control_field = __pack_extended_control(control);
1103 control_field = __pack_enhanced_control(control);
1105 skb = l2cap_create_sframe_pdu(chan, control_field);
1107 l2cap_do_send(chan, skb);
1110 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1112 struct l2cap_ctrl control;
1114 BT_DBG("chan %p, poll %d", chan, poll);
1116 memset(&control, 0, sizeof(control));
1118 control.poll = poll;
1120 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1121 control.super = L2CAP_SUPER_RNR;
1123 control.super = L2CAP_SUPER_RR;
1125 control.reqseq = chan->buffer_seq;
1126 l2cap_send_sframe(chan, &control);
1129 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1131 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1134 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1137 static bool __amp_capable(struct l2cap_chan *chan)
1139 struct l2cap_conn *conn = chan->conn;
1140 struct hci_dev *hdev;
1141 bool amp_available = false;
1143 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1146 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1149 read_lock(&hci_dev_list_lock);
1150 list_for_each_entry(hdev, &hci_dev_list, list) {
1151 if (hdev->amp_type != AMP_TYPE_BREDR &&
1152 test_bit(HCI_UP, &hdev->flags)) {
1153 amp_available = true;
1157 read_unlock(&hci_dev_list_lock);
1159 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1160 return amp_available;
1165 static bool l2cap_check_efs(struct l2cap_chan *chan)
1167 /* Check EFS parameters */
1171 void l2cap_send_conn_req(struct l2cap_chan *chan)
1173 struct l2cap_conn *conn = chan->conn;
1174 struct l2cap_conn_req req;
1176 req.scid = cpu_to_le16(chan->scid);
1177 req.psm = chan->psm;
1179 chan->ident = l2cap_get_ident(conn);
1181 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1183 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1186 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1188 struct l2cap_create_chan_req req;
1189 req.scid = cpu_to_le16(chan->scid);
1190 req.psm = chan->psm;
1191 req.amp_id = amp_id;
1193 chan->ident = l2cap_get_ident(chan->conn);
1195 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1199 static void l2cap_move_setup(struct l2cap_chan *chan)
1201 struct sk_buff *skb;
1203 BT_DBG("chan %p", chan);
1205 if (chan->mode != L2CAP_MODE_ERTM)
1208 __clear_retrans_timer(chan);
1209 __clear_monitor_timer(chan);
1210 __clear_ack_timer(chan);
1212 chan->retry_count = 0;
1213 skb_queue_walk(&chan->tx_q, skb) {
1214 if (bt_cb(skb)->l2cap.retries)
1215 bt_cb(skb)->l2cap.retries = 1;
1220 chan->expected_tx_seq = chan->buffer_seq;
1222 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1223 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1224 l2cap_seq_list_clear(&chan->retrans_list);
1225 l2cap_seq_list_clear(&chan->srej_list);
1226 skb_queue_purge(&chan->srej_q);
1228 chan->tx_state = L2CAP_TX_STATE_XMIT;
1229 chan->rx_state = L2CAP_RX_STATE_MOVE;
1231 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1234 static void l2cap_move_done(struct l2cap_chan *chan)
1236 u8 move_role = chan->move_role;
1237 BT_DBG("chan %p", chan);
1239 chan->move_state = L2CAP_MOVE_STABLE;
1240 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1242 if (chan->mode != L2CAP_MODE_ERTM)
1245 switch (move_role) {
1246 case L2CAP_MOVE_ROLE_INITIATOR:
1247 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1248 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1250 case L2CAP_MOVE_ROLE_RESPONDER:
1251 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1256 static void l2cap_chan_ready(struct l2cap_chan *chan)
1258 /* The channel may have already been flagged as connected in
1259 * case of receiving data before the L2CAP info req/rsp
1260 * procedure is complete.
1262 if (chan->state == BT_CONNECTED)
1265 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1266 chan->conf_state = 0;
1267 __clear_chan_timer(chan);
1269 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1270 chan->ops->suspend(chan);
1272 chan->state = BT_CONNECTED;
1274 chan->ops->ready(chan);
1277 static void l2cap_le_connect(struct l2cap_chan *chan)
1279 struct l2cap_conn *conn = chan->conn;
1280 struct l2cap_le_conn_req req;
1282 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1285 req.psm = chan->psm;
1286 req.scid = cpu_to_le16(chan->scid);
1287 req.mtu = cpu_to_le16(chan->imtu);
1288 req.mps = cpu_to_le16(chan->mps);
1289 req.credits = cpu_to_le16(chan->rx_credits);
1291 chan->ident = l2cap_get_ident(conn);
1293 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1297 static void l2cap_le_start(struct l2cap_chan *chan)
1299 struct l2cap_conn *conn = chan->conn;
1301 if (!smp_conn_security(conn->hcon, chan->sec_level))
1305 l2cap_chan_ready(chan);
1309 if (chan->state == BT_CONNECT)
1310 l2cap_le_connect(chan);
1313 static void l2cap_start_connection(struct l2cap_chan *chan)
1315 if (__amp_capable(chan)) {
1316 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1317 a2mp_discover_amp(chan);
1318 } else if (chan->conn->hcon->type == LE_LINK) {
1319 l2cap_le_start(chan);
1321 l2cap_send_conn_req(chan);
1325 static void l2cap_request_info(struct l2cap_conn *conn)
1327 struct l2cap_info_req req;
1329 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1332 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1334 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1335 conn->info_ident = l2cap_get_ident(conn);
1337 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1339 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1343 static void l2cap_do_start(struct l2cap_chan *chan)
1345 struct l2cap_conn *conn = chan->conn;
1347 if (conn->hcon->type == LE_LINK) {
1348 l2cap_le_start(chan);
1352 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1353 l2cap_request_info(conn);
1357 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1360 if (l2cap_chan_check_security(chan, true) &&
1361 __l2cap_no_conn_pending(chan))
1362 l2cap_start_connection(chan);
1365 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1367 u32 local_feat_mask = l2cap_feat_mask;
1369 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1372 case L2CAP_MODE_ERTM:
1373 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1374 case L2CAP_MODE_STREAMING:
1375 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1381 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1383 struct l2cap_conn *conn = chan->conn;
1384 struct l2cap_disconn_req req;
1389 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1390 __clear_retrans_timer(chan);
1391 __clear_monitor_timer(chan);
1392 __clear_ack_timer(chan);
1395 if (chan->scid == L2CAP_CID_A2MP) {
1396 l2cap_state_change(chan, BT_DISCONN);
1400 req.dcid = cpu_to_le16(chan->dcid);
1401 req.scid = cpu_to_le16(chan->scid);
1402 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1405 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1408 /* ---- L2CAP connections ---- */
1409 static void l2cap_conn_start(struct l2cap_conn *conn)
1411 struct l2cap_chan *chan, *tmp;
1413 BT_DBG("conn %p", conn);
1415 mutex_lock(&conn->chan_lock);
1417 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1418 l2cap_chan_lock(chan);
1420 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1421 l2cap_chan_ready(chan);
1422 l2cap_chan_unlock(chan);
1426 if (chan->state == BT_CONNECT) {
1427 if (!l2cap_chan_check_security(chan, true) ||
1428 !__l2cap_no_conn_pending(chan)) {
1429 l2cap_chan_unlock(chan);
1433 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1434 && test_bit(CONF_STATE2_DEVICE,
1435 &chan->conf_state)) {
1436 l2cap_chan_close(chan, ECONNRESET);
1437 l2cap_chan_unlock(chan);
1441 l2cap_start_connection(chan);
1443 } else if (chan->state == BT_CONNECT2) {
1444 struct l2cap_conn_rsp rsp;
1446 rsp.scid = cpu_to_le16(chan->dcid);
1447 rsp.dcid = cpu_to_le16(chan->scid);
1449 if (l2cap_chan_check_security(chan, false)) {
1450 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1451 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1452 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1453 chan->ops->defer(chan);
1456 l2cap_state_change(chan, BT_CONFIG);
1457 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1458 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1461 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1462 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1465 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1468 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1469 rsp.result != L2CAP_CR_SUCCESS) {
1470 l2cap_chan_unlock(chan);
1474 set_bit(CONF_REQ_SENT, &chan->conf_state);
1475 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1476 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1477 chan->num_conf_req++;
1480 l2cap_chan_unlock(chan);
1483 mutex_unlock(&conn->chan_lock);
1486 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1488 struct hci_conn *hcon = conn->hcon;
1489 struct hci_dev *hdev = hcon->hdev;
1491 BT_DBG("%s conn %p", hdev->name, conn);
1493 /* For outgoing pairing which doesn't necessarily have an
1494 * associated socket (e.g. mgmt_pair_device).
1497 smp_conn_security(hcon, hcon->pending_sec_level);
1499 /* For LE slave connections, make sure the connection interval
1500 * is in the range of the minium and maximum interval that has
1501 * been configured for this connection. If not, then trigger
1502 * the connection update procedure.
1504 if (hcon->role == HCI_ROLE_SLAVE &&
1505 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1506 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1507 struct l2cap_conn_param_update_req req;
1509 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1510 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1511 req.latency = cpu_to_le16(hcon->le_conn_latency);
1512 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1514 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1515 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1519 static void l2cap_conn_ready(struct l2cap_conn *conn)
1521 struct l2cap_chan *chan;
1522 struct hci_conn *hcon = conn->hcon;
1524 BT_DBG("conn %p", conn);
1526 if (hcon->type == ACL_LINK)
1527 l2cap_request_info(conn);
1529 mutex_lock(&conn->chan_lock);
1531 list_for_each_entry(chan, &conn->chan_l, list) {
1533 l2cap_chan_lock(chan);
1535 if (chan->scid == L2CAP_CID_A2MP) {
1536 l2cap_chan_unlock(chan);
1540 if (hcon->type == LE_LINK) {
1541 l2cap_le_start(chan);
1542 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1543 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1544 l2cap_chan_ready(chan);
1545 } else if (chan->state == BT_CONNECT) {
1546 l2cap_do_start(chan);
1549 l2cap_chan_unlock(chan);
1552 mutex_unlock(&conn->chan_lock);
1554 if (hcon->type == LE_LINK)
1555 l2cap_le_conn_ready(conn);
1557 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1560 /* Notify sockets that we cannot guaranty reliability anymore */
1561 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1563 struct l2cap_chan *chan;
1565 BT_DBG("conn %p", conn);
1567 mutex_lock(&conn->chan_lock);
1569 list_for_each_entry(chan, &conn->chan_l, list) {
1570 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1571 l2cap_chan_set_err(chan, err);
1574 mutex_unlock(&conn->chan_lock);
1577 static void l2cap_info_timeout(struct work_struct *work)
1579 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1582 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1583 conn->info_ident = 0;
1585 l2cap_conn_start(conn);
1590 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1591 * callback is called during registration. The ->remove callback is called
1592 * during unregistration.
1593 * An l2cap_user object can either be explicitly unregistered or when the
1594 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1595 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1596 * External modules must own a reference to the l2cap_conn object if they intend
1597 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1598 * any time if they don't.
1601 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1603 struct hci_dev *hdev = conn->hcon->hdev;
1606 /* We need to check whether l2cap_conn is registered. If it is not, we
1607 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1608 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1609 * relies on the parent hci_conn object to be locked. This itself relies
1610 * on the hci_dev object to be locked. So we must lock the hci device
1615 if (!list_empty(&user->list)) {
1620 /* conn->hchan is NULL after l2cap_conn_del() was called */
1626 ret = user->probe(conn, user);
1630 list_add(&user->list, &conn->users);
1634 hci_dev_unlock(hdev);
1637 EXPORT_SYMBOL(l2cap_register_user);
1639 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1641 struct hci_dev *hdev = conn->hcon->hdev;
1645 if (list_empty(&user->list))
1648 list_del_init(&user->list);
1649 user->remove(conn, user);
1652 hci_dev_unlock(hdev);
1654 EXPORT_SYMBOL(l2cap_unregister_user);
1656 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1658 struct l2cap_user *user;
1660 while (!list_empty(&conn->users)) {
1661 user = list_first_entry(&conn->users, struct l2cap_user, list);
1662 list_del_init(&user->list);
1663 user->remove(conn, user);
1667 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1669 struct l2cap_conn *conn = hcon->l2cap_data;
1670 struct l2cap_chan *chan, *l;
1675 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1677 kfree_skb(conn->rx_skb);
1679 skb_queue_purge(&conn->pending_rx);
1681 /* We can not call flush_work(&conn->pending_rx_work) here since we
1682 * might block if we are running on a worker from the same workqueue
1683 * pending_rx_work is waiting on.
1685 if (work_pending(&conn->pending_rx_work))
1686 cancel_work_sync(&conn->pending_rx_work);
1688 if (work_pending(&conn->id_addr_update_work))
1689 cancel_work_sync(&conn->id_addr_update_work);
1691 l2cap_unregister_all_users(conn);
1693 /* Force the connection to be immediately dropped */
1694 hcon->disc_timeout = 0;
1696 mutex_lock(&conn->chan_lock);
1699 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1700 l2cap_chan_hold(chan);
1701 l2cap_chan_lock(chan);
1703 l2cap_chan_del(chan, err);
1705 l2cap_chan_unlock(chan);
1707 chan->ops->close(chan);
1708 l2cap_chan_put(chan);
1711 mutex_unlock(&conn->chan_lock);
1713 hci_chan_del(conn->hchan);
1715 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1716 cancel_delayed_work_sync(&conn->info_timer);
1718 hcon->l2cap_data = NULL;
1720 l2cap_conn_put(conn);
1723 static void l2cap_conn_free(struct kref *ref)
1725 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1727 hci_conn_put(conn->hcon);
1731 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1733 kref_get(&conn->ref);
1736 EXPORT_SYMBOL(l2cap_conn_get);
1738 void l2cap_conn_put(struct l2cap_conn *conn)
1740 kref_put(&conn->ref, l2cap_conn_free);
1742 EXPORT_SYMBOL(l2cap_conn_put);
1744 /* ---- Socket interface ---- */
1746 /* Find socket with psm and source / destination bdaddr.
1747 * Returns closest match.
1749 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1754 struct l2cap_chan *c, *c1 = NULL;
1756 read_lock(&chan_list_lock);
1758 list_for_each_entry(c, &chan_list, global_l) {
1759 if (state && c->state != state)
1762 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1765 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1768 if (c->psm == psm) {
1769 int src_match, dst_match;
1770 int src_any, dst_any;
1773 src_match = !bacmp(&c->src, src);
1774 dst_match = !bacmp(&c->dst, dst);
1775 if (src_match && dst_match) {
1777 read_unlock(&chan_list_lock);
1782 src_any = !bacmp(&c->src, BDADDR_ANY);
1783 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1784 if ((src_match && dst_any) || (src_any && dst_match) ||
1785 (src_any && dst_any))
1791 l2cap_chan_hold(c1);
1793 read_unlock(&chan_list_lock);
1798 static void l2cap_monitor_timeout(struct work_struct *work)
1800 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1801 monitor_timer.work);
1803 BT_DBG("chan %p", chan);
1805 l2cap_chan_lock(chan);
1808 l2cap_chan_unlock(chan);
1809 l2cap_chan_put(chan);
1813 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1815 l2cap_chan_unlock(chan);
1816 l2cap_chan_put(chan);
1819 static void l2cap_retrans_timeout(struct work_struct *work)
1821 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1822 retrans_timer.work);
1824 BT_DBG("chan %p", chan);
1826 l2cap_chan_lock(chan);
1829 l2cap_chan_unlock(chan);
1830 l2cap_chan_put(chan);
1834 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1835 l2cap_chan_unlock(chan);
1836 l2cap_chan_put(chan);
1839 static void l2cap_streaming_send(struct l2cap_chan *chan,
1840 struct sk_buff_head *skbs)
1842 struct sk_buff *skb;
1843 struct l2cap_ctrl *control;
1845 BT_DBG("chan %p, skbs %p", chan, skbs);
1847 if (__chan_is_moving(chan))
1850 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1852 while (!skb_queue_empty(&chan->tx_q)) {
1854 skb = skb_dequeue(&chan->tx_q);
1856 bt_cb(skb)->l2cap.retries = 1;
1857 control = &bt_cb(skb)->l2cap;
1859 control->reqseq = 0;
1860 control->txseq = chan->next_tx_seq;
1862 __pack_control(chan, control, skb);
1864 if (chan->fcs == L2CAP_FCS_CRC16) {
1865 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1866 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1869 l2cap_do_send(chan, skb);
1871 BT_DBG("Sent txseq %u", control->txseq);
1873 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1874 chan->frames_sent++;
1878 static int l2cap_ertm_send(struct l2cap_chan *chan)
1880 struct sk_buff *skb, *tx_skb;
1881 struct l2cap_ctrl *control;
1884 BT_DBG("chan %p", chan);
1886 if (chan->state != BT_CONNECTED)
1889 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1892 if (__chan_is_moving(chan))
1895 while (chan->tx_send_head &&
1896 chan->unacked_frames < chan->remote_tx_win &&
1897 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1899 skb = chan->tx_send_head;
1901 bt_cb(skb)->l2cap.retries = 1;
1902 control = &bt_cb(skb)->l2cap;
1904 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1907 control->reqseq = chan->buffer_seq;
1908 chan->last_acked_seq = chan->buffer_seq;
1909 control->txseq = chan->next_tx_seq;
1911 __pack_control(chan, control, skb);
1913 if (chan->fcs == L2CAP_FCS_CRC16) {
1914 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1915 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1918 /* Clone after data has been modified. Data is assumed to be
1919 read-only (for locking purposes) on cloned sk_buffs.
1921 tx_skb = skb_clone(skb, GFP_KERNEL);
1926 __set_retrans_timer(chan);
1928 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1929 chan->unacked_frames++;
1930 chan->frames_sent++;
1933 if (skb_queue_is_last(&chan->tx_q, skb))
1934 chan->tx_send_head = NULL;
1936 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1938 l2cap_do_send(chan, tx_skb);
1939 BT_DBG("Sent txseq %u", control->txseq);
1942 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1943 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1948 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1950 struct l2cap_ctrl control;
1951 struct sk_buff *skb;
1952 struct sk_buff *tx_skb;
1955 BT_DBG("chan %p", chan);
1957 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1960 if (__chan_is_moving(chan))
1963 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1964 seq = l2cap_seq_list_pop(&chan->retrans_list);
1966 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1968 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1973 bt_cb(skb)->l2cap.retries++;
1974 control = bt_cb(skb)->l2cap;
1976 if (chan->max_tx != 0 &&
1977 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1978 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1979 l2cap_send_disconn_req(chan, ECONNRESET);
1980 l2cap_seq_list_clear(&chan->retrans_list);
1984 control.reqseq = chan->buffer_seq;
1985 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1990 if (skb_cloned(skb)) {
1991 /* Cloned sk_buffs are read-only, so we need a
1994 tx_skb = skb_copy(skb, GFP_KERNEL);
1996 tx_skb = skb_clone(skb, GFP_KERNEL);
2000 l2cap_seq_list_clear(&chan->retrans_list);
2004 /* Update skb contents */
2005 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2006 put_unaligned_le32(__pack_extended_control(&control),
2007 tx_skb->data + L2CAP_HDR_SIZE);
2009 put_unaligned_le16(__pack_enhanced_control(&control),
2010 tx_skb->data + L2CAP_HDR_SIZE);
2014 if (chan->fcs == L2CAP_FCS_CRC16) {
2015 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2016 tx_skb->len - L2CAP_FCS_SIZE);
2017 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2021 l2cap_do_send(chan, tx_skb);
2023 BT_DBG("Resent txseq %d", control.txseq);
2025 chan->last_acked_seq = chan->buffer_seq;
2029 static void l2cap_retransmit(struct l2cap_chan *chan,
2030 struct l2cap_ctrl *control)
2032 BT_DBG("chan %p, control %p", chan, control);
2034 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2035 l2cap_ertm_resend(chan);
2038 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2039 struct l2cap_ctrl *control)
2041 struct sk_buff *skb;
2043 BT_DBG("chan %p, control %p", chan, control);
2046 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2048 l2cap_seq_list_clear(&chan->retrans_list);
2050 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2053 if (chan->unacked_frames) {
2054 skb_queue_walk(&chan->tx_q, skb) {
2055 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2056 skb == chan->tx_send_head)
2060 skb_queue_walk_from(&chan->tx_q, skb) {
2061 if (skb == chan->tx_send_head)
2064 l2cap_seq_list_append(&chan->retrans_list,
2065 bt_cb(skb)->l2cap.txseq);
2068 l2cap_ertm_resend(chan);
2072 static void l2cap_send_ack(struct l2cap_chan *chan)
2074 struct l2cap_ctrl control;
2075 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2076 chan->last_acked_seq);
2079 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2080 chan, chan->last_acked_seq, chan->buffer_seq);
2082 memset(&control, 0, sizeof(control));
2085 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2086 chan->rx_state == L2CAP_RX_STATE_RECV) {
2087 __clear_ack_timer(chan);
2088 control.super = L2CAP_SUPER_RNR;
2089 control.reqseq = chan->buffer_seq;
2090 l2cap_send_sframe(chan, &control);
2092 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2093 l2cap_ertm_send(chan);
2094 /* If any i-frames were sent, they included an ack */
2095 if (chan->buffer_seq == chan->last_acked_seq)
2099 /* Ack now if the window is 3/4ths full.
2100 * Calculate without mul or div
2102 threshold = chan->ack_win;
2103 threshold += threshold << 1;
2106 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2109 if (frames_to_ack >= threshold) {
2110 __clear_ack_timer(chan);
2111 control.super = L2CAP_SUPER_RR;
2112 control.reqseq = chan->buffer_seq;
2113 l2cap_send_sframe(chan, &control);
2118 __set_ack_timer(chan);
2122 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2123 struct msghdr *msg, int len,
2124 int count, struct sk_buff *skb)
2126 struct l2cap_conn *conn = chan->conn;
2127 struct sk_buff **frag;
2130 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2136 /* Continuation fragments (no L2CAP header) */
2137 frag = &skb_shinfo(skb)->frag_list;
2139 struct sk_buff *tmp;
2141 count = min_t(unsigned int, conn->mtu, len);
2143 tmp = chan->ops->alloc_skb(chan, 0, count,
2144 msg->msg_flags & MSG_DONTWAIT);
2146 return PTR_ERR(tmp);
2150 if (!copy_from_iter_full(skb_put(*frag, count), count,
2157 skb->len += (*frag)->len;
2158 skb->data_len += (*frag)->len;
2160 frag = &(*frag)->next;
2166 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2167 struct msghdr *msg, size_t len)
2169 struct l2cap_conn *conn = chan->conn;
2170 struct sk_buff *skb;
2171 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2172 struct l2cap_hdr *lh;
2174 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2175 __le16_to_cpu(chan->psm), len);
2177 count = min_t(unsigned int, (conn->mtu - hlen), len);
2179 skb = chan->ops->alloc_skb(chan, hlen, count,
2180 msg->msg_flags & MSG_DONTWAIT);
2184 /* Create L2CAP header */
2185 lh = skb_put(skb, L2CAP_HDR_SIZE);
2186 lh->cid = cpu_to_le16(chan->dcid);
2187 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2188 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2190 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2191 if (unlikely(err < 0)) {
2193 return ERR_PTR(err);
2198 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2199 struct msghdr *msg, size_t len)
2201 struct l2cap_conn *conn = chan->conn;
2202 struct sk_buff *skb;
2204 struct l2cap_hdr *lh;
2206 BT_DBG("chan %p len %zu", chan, len);
2208 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2210 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2211 msg->msg_flags & MSG_DONTWAIT);
2215 /* Create L2CAP header */
2216 lh = skb_put(skb, L2CAP_HDR_SIZE);
2217 lh->cid = cpu_to_le16(chan->dcid);
2218 lh->len = cpu_to_le16(len);
2220 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2221 if (unlikely(err < 0)) {
2223 return ERR_PTR(err);
2228 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2229 struct msghdr *msg, size_t len,
2232 struct l2cap_conn *conn = chan->conn;
2233 struct sk_buff *skb;
2234 int err, count, hlen;
2235 struct l2cap_hdr *lh;
2237 BT_DBG("chan %p len %zu", chan, len);
2240 return ERR_PTR(-ENOTCONN);
2242 hlen = __ertm_hdr_size(chan);
2245 hlen += L2CAP_SDULEN_SIZE;
2247 if (chan->fcs == L2CAP_FCS_CRC16)
2248 hlen += L2CAP_FCS_SIZE;
2250 count = min_t(unsigned int, (conn->mtu - hlen), len);
2252 skb = chan->ops->alloc_skb(chan, hlen, count,
2253 msg->msg_flags & MSG_DONTWAIT);
2257 /* Create L2CAP header */
2258 lh = skb_put(skb, L2CAP_HDR_SIZE);
2259 lh->cid = cpu_to_le16(chan->dcid);
2260 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2262 /* Control header is populated later */
2263 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2264 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2266 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2269 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2271 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2272 if (unlikely(err < 0)) {
2274 return ERR_PTR(err);
2277 bt_cb(skb)->l2cap.fcs = chan->fcs;
2278 bt_cb(skb)->l2cap.retries = 0;
2282 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2283 struct sk_buff_head *seg_queue,
2284 struct msghdr *msg, size_t len)
2286 struct sk_buff *skb;
2291 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2293 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2294 * so fragmented skbs are not used. The HCI layer's handling
2295 * of fragmented skbs is not compatible with ERTM's queueing.
2298 /* PDU size is derived from the HCI MTU */
2299 pdu_len = chan->conn->mtu;
2301 /* Constrain PDU size for BR/EDR connections */
2303 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2305 /* Adjust for largest possible L2CAP overhead. */
2307 pdu_len -= L2CAP_FCS_SIZE;
2309 pdu_len -= __ertm_hdr_size(chan);
2311 /* Remote device may have requested smaller PDUs */
2312 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2314 if (len <= pdu_len) {
2315 sar = L2CAP_SAR_UNSEGMENTED;
2319 sar = L2CAP_SAR_START;
2324 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2327 __skb_queue_purge(seg_queue);
2328 return PTR_ERR(skb);
2331 bt_cb(skb)->l2cap.sar = sar;
2332 __skb_queue_tail(seg_queue, skb);
2338 if (len <= pdu_len) {
2339 sar = L2CAP_SAR_END;
2342 sar = L2CAP_SAR_CONTINUE;
2349 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2351 size_t len, u16 sdulen)
2353 struct l2cap_conn *conn = chan->conn;
2354 struct sk_buff *skb;
2355 int err, count, hlen;
2356 struct l2cap_hdr *lh;
2358 BT_DBG("chan %p len %zu", chan, len);
2361 return ERR_PTR(-ENOTCONN);
2363 hlen = L2CAP_HDR_SIZE;
2366 hlen += L2CAP_SDULEN_SIZE;
2368 count = min_t(unsigned int, (conn->mtu - hlen), len);
2370 skb = chan->ops->alloc_skb(chan, hlen, count,
2371 msg->msg_flags & MSG_DONTWAIT);
2375 /* Create L2CAP header */
2376 lh = skb_put(skb, L2CAP_HDR_SIZE);
2377 lh->cid = cpu_to_le16(chan->dcid);
2378 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2381 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2383 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2384 if (unlikely(err < 0)) {
2386 return ERR_PTR(err);
2392 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2393 struct sk_buff_head *seg_queue,
2394 struct msghdr *msg, size_t len)
2396 struct sk_buff *skb;
2400 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2403 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2409 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2411 __skb_queue_purge(seg_queue);
2412 return PTR_ERR(skb);
2415 __skb_queue_tail(seg_queue, skb);
2421 pdu_len += L2CAP_SDULEN_SIZE;
2428 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2432 BT_DBG("chan %p", chan);
2434 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2435 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2440 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2441 skb_queue_len(&chan->tx_q));
2444 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2446 struct sk_buff *skb;
2448 struct sk_buff_head seg_queue;
2453 /* Connectionless channel */
2454 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2455 skb = l2cap_create_connless_pdu(chan, msg, len);
2457 return PTR_ERR(skb);
2459 /* Channel lock is released before requesting new skb and then
2460 * reacquired thus we need to recheck channel state.
2462 if (chan->state != BT_CONNECTED) {
2467 l2cap_do_send(chan, skb);
2471 switch (chan->mode) {
2472 case L2CAP_MODE_LE_FLOWCTL:
2473 /* Check outgoing MTU */
2474 if (len > chan->omtu)
2477 __skb_queue_head_init(&seg_queue);
2479 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2481 if (chan->state != BT_CONNECTED) {
2482 __skb_queue_purge(&seg_queue);
2489 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2491 l2cap_le_flowctl_send(chan);
2493 if (!chan->tx_credits)
2494 chan->ops->suspend(chan);
2500 case L2CAP_MODE_BASIC:
2501 /* Check outgoing MTU */
2502 if (len > chan->omtu)
2505 /* Create a basic PDU */
2506 skb = l2cap_create_basic_pdu(chan, msg, len);
2508 return PTR_ERR(skb);
2510 /* Channel lock is released before requesting new skb and then
2511 * reacquired thus we need to recheck channel state.
2513 if (chan->state != BT_CONNECTED) {
2518 l2cap_do_send(chan, skb);
2522 case L2CAP_MODE_ERTM:
2523 case L2CAP_MODE_STREAMING:
2524 /* Check outgoing MTU */
2525 if (len > chan->omtu) {
2530 __skb_queue_head_init(&seg_queue);
2532 /* Do segmentation before calling in to the state machine,
2533 * since it's possible to block while waiting for memory
2536 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2538 /* The channel could have been closed while segmenting,
2539 * check that it is still connected.
2541 if (chan->state != BT_CONNECTED) {
2542 __skb_queue_purge(&seg_queue);
2549 if (chan->mode == L2CAP_MODE_ERTM)
2550 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2552 l2cap_streaming_send(chan, &seg_queue);
2556 /* If the skbs were not queued for sending, they'll still be in
2557 * seg_queue and need to be purged.
2559 __skb_queue_purge(&seg_queue);
2563 BT_DBG("bad state %1.1x", chan->mode);
2569 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2571 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2573 struct l2cap_ctrl control;
2576 BT_DBG("chan %p, txseq %u", chan, txseq);
2578 memset(&control, 0, sizeof(control));
2580 control.super = L2CAP_SUPER_SREJ;
2582 for (seq = chan->expected_tx_seq; seq != txseq;
2583 seq = __next_seq(chan, seq)) {
2584 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2585 control.reqseq = seq;
2586 l2cap_send_sframe(chan, &control);
2587 l2cap_seq_list_append(&chan->srej_list, seq);
2591 chan->expected_tx_seq = __next_seq(chan, txseq);
2594 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2596 struct l2cap_ctrl control;
2598 BT_DBG("chan %p", chan);
2600 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2603 memset(&control, 0, sizeof(control));
2605 control.super = L2CAP_SUPER_SREJ;
2606 control.reqseq = chan->srej_list.tail;
2607 l2cap_send_sframe(chan, &control);
2610 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2612 struct l2cap_ctrl control;
2616 BT_DBG("chan %p, txseq %u", chan, txseq);
2618 memset(&control, 0, sizeof(control));
2620 control.super = L2CAP_SUPER_SREJ;
2622 /* Capture initial list head to allow only one pass through the list. */
2623 initial_head = chan->srej_list.head;
2626 seq = l2cap_seq_list_pop(&chan->srej_list);
2627 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2630 control.reqseq = seq;
2631 l2cap_send_sframe(chan, &control);
2632 l2cap_seq_list_append(&chan->srej_list, seq);
2633 } while (chan->srej_list.head != initial_head);
2636 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2638 struct sk_buff *acked_skb;
2641 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2643 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2646 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2647 chan->expected_ack_seq, chan->unacked_frames);
2649 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2650 ackseq = __next_seq(chan, ackseq)) {
2652 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2654 skb_unlink(acked_skb, &chan->tx_q);
2655 kfree_skb(acked_skb);
2656 chan->unacked_frames--;
2660 chan->expected_ack_seq = reqseq;
2662 if (chan->unacked_frames == 0)
2663 __clear_retrans_timer(chan);
2665 BT_DBG("unacked_frames %u", chan->unacked_frames);
2668 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2670 BT_DBG("chan %p", chan);
2672 chan->expected_tx_seq = chan->buffer_seq;
2673 l2cap_seq_list_clear(&chan->srej_list);
2674 skb_queue_purge(&chan->srej_q);
2675 chan->rx_state = L2CAP_RX_STATE_RECV;
2678 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2679 struct l2cap_ctrl *control,
2680 struct sk_buff_head *skbs, u8 event)
2682 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2686 case L2CAP_EV_DATA_REQUEST:
2687 if (chan->tx_send_head == NULL)
2688 chan->tx_send_head = skb_peek(skbs);
2690 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2691 l2cap_ertm_send(chan);
2693 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2694 BT_DBG("Enter LOCAL_BUSY");
2695 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2697 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2698 /* The SREJ_SENT state must be aborted if we are to
2699 * enter the LOCAL_BUSY state.
2701 l2cap_abort_rx_srej_sent(chan);
2704 l2cap_send_ack(chan);
2707 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2708 BT_DBG("Exit LOCAL_BUSY");
2709 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2711 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2712 struct l2cap_ctrl local_control;
2714 memset(&local_control, 0, sizeof(local_control));
2715 local_control.sframe = 1;
2716 local_control.super = L2CAP_SUPER_RR;
2717 local_control.poll = 1;
2718 local_control.reqseq = chan->buffer_seq;
2719 l2cap_send_sframe(chan, &local_control);
2721 chan->retry_count = 1;
2722 __set_monitor_timer(chan);
2723 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2726 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2727 l2cap_process_reqseq(chan, control->reqseq);
2729 case L2CAP_EV_EXPLICIT_POLL:
2730 l2cap_send_rr_or_rnr(chan, 1);
2731 chan->retry_count = 1;
2732 __set_monitor_timer(chan);
2733 __clear_ack_timer(chan);
2734 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2736 case L2CAP_EV_RETRANS_TO:
2737 l2cap_send_rr_or_rnr(chan, 1);
2738 chan->retry_count = 1;
2739 __set_monitor_timer(chan);
2740 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2742 case L2CAP_EV_RECV_FBIT:
2743 /* Nothing to process */
2750 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2751 struct l2cap_ctrl *control,
2752 struct sk_buff_head *skbs, u8 event)
2754 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2758 case L2CAP_EV_DATA_REQUEST:
2759 if (chan->tx_send_head == NULL)
2760 chan->tx_send_head = skb_peek(skbs);
2761 /* Queue data, but don't send. */
2762 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2764 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2765 BT_DBG("Enter LOCAL_BUSY");
2766 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2768 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2769 /* The SREJ_SENT state must be aborted if we are to
2770 * enter the LOCAL_BUSY state.
2772 l2cap_abort_rx_srej_sent(chan);
2775 l2cap_send_ack(chan);
2778 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2779 BT_DBG("Exit LOCAL_BUSY");
2780 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2782 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2783 struct l2cap_ctrl local_control;
2784 memset(&local_control, 0, sizeof(local_control));
2785 local_control.sframe = 1;
2786 local_control.super = L2CAP_SUPER_RR;
2787 local_control.poll = 1;
2788 local_control.reqseq = chan->buffer_seq;
2789 l2cap_send_sframe(chan, &local_control);
2791 chan->retry_count = 1;
2792 __set_monitor_timer(chan);
2793 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2796 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2797 l2cap_process_reqseq(chan, control->reqseq);
2801 case L2CAP_EV_RECV_FBIT:
2802 if (control && control->final) {
2803 __clear_monitor_timer(chan);
2804 if (chan->unacked_frames > 0)
2805 __set_retrans_timer(chan);
2806 chan->retry_count = 0;
2807 chan->tx_state = L2CAP_TX_STATE_XMIT;
2808 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2811 case L2CAP_EV_EXPLICIT_POLL:
2814 case L2CAP_EV_MONITOR_TO:
2815 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2816 l2cap_send_rr_or_rnr(chan, 1);
2817 __set_monitor_timer(chan);
2818 chan->retry_count++;
2820 l2cap_send_disconn_req(chan, ECONNABORTED);
2828 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2829 struct sk_buff_head *skbs, u8 event)
2831 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2832 chan, control, skbs, event, chan->tx_state);
2834 switch (chan->tx_state) {
2835 case L2CAP_TX_STATE_XMIT:
2836 l2cap_tx_state_xmit(chan, control, skbs, event);
2838 case L2CAP_TX_STATE_WAIT_F:
2839 l2cap_tx_state_wait_f(chan, control, skbs, event);
2847 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2848 struct l2cap_ctrl *control)
2850 BT_DBG("chan %p, control %p", chan, control);
2851 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2854 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2855 struct l2cap_ctrl *control)
2857 BT_DBG("chan %p, control %p", chan, control);
2858 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2861 /* Copy frame to all raw sockets on that connection */
2862 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2864 struct sk_buff *nskb;
2865 struct l2cap_chan *chan;
2867 BT_DBG("conn %p", conn);
2869 mutex_lock(&conn->chan_lock);
2871 list_for_each_entry(chan, &conn->chan_l, list) {
2872 if (chan->chan_type != L2CAP_CHAN_RAW)
2875 /* Don't send frame to the channel it came from */
2876 if (bt_cb(skb)->l2cap.chan == chan)
2879 nskb = skb_clone(skb, GFP_KERNEL);
2882 if (chan->ops->recv(chan, nskb))
2886 mutex_unlock(&conn->chan_lock);
2889 /* ---- L2CAP signalling commands ---- */
2890 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2891 u8 ident, u16 dlen, void *data)
2893 struct sk_buff *skb, **frag;
2894 struct l2cap_cmd_hdr *cmd;
2895 struct l2cap_hdr *lh;
2898 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2899 conn, code, ident, dlen);
2901 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2904 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2905 count = min_t(unsigned int, conn->mtu, len);
2907 skb = bt_skb_alloc(count, GFP_KERNEL);
2911 lh = skb_put(skb, L2CAP_HDR_SIZE);
2912 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2914 if (conn->hcon->type == LE_LINK)
2915 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2917 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2919 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2922 cmd->len = cpu_to_le16(dlen);
2925 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2926 skb_put_data(skb, data, count);
2932 /* Continuation fragments (no L2CAP header) */
2933 frag = &skb_shinfo(skb)->frag_list;
2935 count = min_t(unsigned int, conn->mtu, len);
2937 *frag = bt_skb_alloc(count, GFP_KERNEL);
2941 skb_put_data(*frag, data, count);
2946 frag = &(*frag)->next;
2956 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2959 struct l2cap_conf_opt *opt = *ptr;
2962 len = L2CAP_CONF_OPT_SIZE + opt->len;
2970 *val = *((u8 *) opt->val);
2974 *val = get_unaligned_le16(opt->val);
2978 *val = get_unaligned_le32(opt->val);
2982 *val = (unsigned long) opt->val;
2986 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2990 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
2992 struct l2cap_conf_opt *opt = *ptr;
2994 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2996 if (size < L2CAP_CONF_OPT_SIZE + len)
3004 *((u8 *) opt->val) = val;
3008 put_unaligned_le16(val, opt->val);
3012 put_unaligned_le32(val, opt->val);
3016 memcpy(opt->val, (void *) val, len);
3020 *ptr += L2CAP_CONF_OPT_SIZE + len;
3023 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3025 struct l2cap_conf_efs efs;
3027 switch (chan->mode) {
3028 case L2CAP_MODE_ERTM:
3029 efs.id = chan->local_id;
3030 efs.stype = chan->local_stype;
3031 efs.msdu = cpu_to_le16(chan->local_msdu);
3032 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3033 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3034 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3037 case L2CAP_MODE_STREAMING:
3039 efs.stype = L2CAP_SERV_BESTEFFORT;
3040 efs.msdu = cpu_to_le16(chan->local_msdu);
3041 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3050 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3051 (unsigned long) &efs, size);
3054 static void l2cap_ack_timeout(struct work_struct *work)
3056 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3060 BT_DBG("chan %p", chan);
3062 l2cap_chan_lock(chan);
3064 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3065 chan->last_acked_seq);
3068 l2cap_send_rr_or_rnr(chan, 0);
3070 l2cap_chan_unlock(chan);
3071 l2cap_chan_put(chan);
3074 int l2cap_ertm_init(struct l2cap_chan *chan)
3078 chan->next_tx_seq = 0;
3079 chan->expected_tx_seq = 0;
3080 chan->expected_ack_seq = 0;
3081 chan->unacked_frames = 0;
3082 chan->buffer_seq = 0;
3083 chan->frames_sent = 0;
3084 chan->last_acked_seq = 0;
3086 chan->sdu_last_frag = NULL;
3089 skb_queue_head_init(&chan->tx_q);
3091 chan->local_amp_id = AMP_ID_BREDR;
3092 chan->move_id = AMP_ID_BREDR;
3093 chan->move_state = L2CAP_MOVE_STABLE;
3094 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3096 if (chan->mode != L2CAP_MODE_ERTM)
3099 chan->rx_state = L2CAP_RX_STATE_RECV;
3100 chan->tx_state = L2CAP_TX_STATE_XMIT;
3102 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3103 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3104 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3106 skb_queue_head_init(&chan->srej_q);
3108 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3112 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3114 l2cap_seq_list_free(&chan->srej_list);
3119 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3122 case L2CAP_MODE_STREAMING:
3123 case L2CAP_MODE_ERTM:
3124 if (l2cap_mode_supported(mode, remote_feat_mask))
3128 return L2CAP_MODE_BASIC;
3132 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3134 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3135 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3138 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3140 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3141 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3144 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3145 struct l2cap_conf_rfc *rfc)
3147 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3148 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3150 /* Class 1 devices have must have ERTM timeouts
3151 * exceeding the Link Supervision Timeout. The
3152 * default Link Supervision Timeout for AMP
3153 * controllers is 10 seconds.
3155 * Class 1 devices use 0xffffffff for their
3156 * best-effort flush timeout, so the clamping logic
3157 * will result in a timeout that meets the above
3158 * requirement. ERTM timeouts are 16-bit values, so
3159 * the maximum timeout is 65.535 seconds.
3162 /* Convert timeout to milliseconds and round */
3163 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3165 /* This is the recommended formula for class 2 devices
3166 * that start ERTM timers when packets are sent to the
3169 ertm_to = 3 * ertm_to + 500;
3171 if (ertm_to > 0xffff)
3174 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3175 rfc->monitor_timeout = rfc->retrans_timeout;
3177 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3178 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3182 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3184 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3185 __l2cap_ews_supported(chan->conn)) {
3186 /* use extended control field */
3187 set_bit(FLAG_EXT_CTRL, &chan->flags);
3188 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3190 chan->tx_win = min_t(u16, chan->tx_win,
3191 L2CAP_DEFAULT_TX_WINDOW);
3192 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3194 chan->ack_win = chan->tx_win;
3197 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3199 struct l2cap_conf_req *req = data;
3200 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3201 void *ptr = req->data;
3202 void *endptr = data + data_size;
3205 BT_DBG("chan %p", chan);
3207 if (chan->num_conf_req || chan->num_conf_rsp)
3210 switch (chan->mode) {
3211 case L2CAP_MODE_STREAMING:
3212 case L2CAP_MODE_ERTM:
3213 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3216 if (__l2cap_efs_supported(chan->conn))
3217 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3221 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3226 if (chan->imtu != L2CAP_DEFAULT_MTU)
3227 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3229 switch (chan->mode) {
3230 case L2CAP_MODE_BASIC:
3234 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3235 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3238 rfc.mode = L2CAP_MODE_BASIC;
3240 rfc.max_transmit = 0;
3241 rfc.retrans_timeout = 0;
3242 rfc.monitor_timeout = 0;
3243 rfc.max_pdu_size = 0;
3245 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3246 (unsigned long) &rfc, endptr - ptr);
3249 case L2CAP_MODE_ERTM:
3250 rfc.mode = L2CAP_MODE_ERTM;
3251 rfc.max_transmit = chan->max_tx;
3253 __l2cap_set_ertm_timeouts(chan, &rfc);
3255 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3256 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3258 rfc.max_pdu_size = cpu_to_le16(size);
3260 l2cap_txwin_setup(chan);
3262 rfc.txwin_size = min_t(u16, chan->tx_win,
3263 L2CAP_DEFAULT_TX_WINDOW);
3265 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3266 (unsigned long) &rfc, endptr - ptr);
3268 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3269 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3271 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3272 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3273 chan->tx_win, endptr - ptr);
3275 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3276 if (chan->fcs == L2CAP_FCS_NONE ||
3277 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3278 chan->fcs = L2CAP_FCS_NONE;
3279 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3280 chan->fcs, endptr - ptr);
3284 case L2CAP_MODE_STREAMING:
3285 l2cap_txwin_setup(chan);
3286 rfc.mode = L2CAP_MODE_STREAMING;
3288 rfc.max_transmit = 0;
3289 rfc.retrans_timeout = 0;
3290 rfc.monitor_timeout = 0;
3292 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3293 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3295 rfc.max_pdu_size = cpu_to_le16(size);
3297 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3298 (unsigned long) &rfc, endptr - ptr);
3300 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3301 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3303 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3304 if (chan->fcs == L2CAP_FCS_NONE ||
3305 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3306 chan->fcs = L2CAP_FCS_NONE;
3307 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3308 chan->fcs, endptr - ptr);
3313 req->dcid = cpu_to_le16(chan->dcid);
3314 req->flags = cpu_to_le16(0);
3319 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3321 struct l2cap_conf_rsp *rsp = data;
3322 void *ptr = rsp->data;
3323 void *endptr = data + data_size;
3324 void *req = chan->conf_req;
3325 int len = chan->conf_len;
3326 int type, hint, olen;
3328 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3329 struct l2cap_conf_efs efs;
3331 u16 mtu = L2CAP_DEFAULT_MTU;
3332 u16 result = L2CAP_CONF_SUCCESS;
3335 BT_DBG("chan %p", chan);
3337 while (len >= L2CAP_CONF_OPT_SIZE) {
3338 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3340 hint = type & L2CAP_CONF_HINT;
3341 type &= L2CAP_CONF_MASK;
3344 case L2CAP_CONF_MTU:
3348 case L2CAP_CONF_FLUSH_TO:
3349 chan->flush_to = val;
3352 case L2CAP_CONF_QOS:
3355 case L2CAP_CONF_RFC:
3356 if (olen == sizeof(rfc))
3357 memcpy(&rfc, (void *) val, olen);
3360 case L2CAP_CONF_FCS:
3361 if (val == L2CAP_FCS_NONE)
3362 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3365 case L2CAP_CONF_EFS:
3366 if (olen == sizeof(efs)) {
3368 memcpy(&efs, (void *) val, olen);
3372 case L2CAP_CONF_EWS:
3373 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3374 return -ECONNREFUSED;
3376 set_bit(FLAG_EXT_CTRL, &chan->flags);
3377 set_bit(CONF_EWS_RECV, &chan->conf_state);
3378 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3379 chan->remote_tx_win = val;
3386 result = L2CAP_CONF_UNKNOWN;
3387 *((u8 *) ptr++) = type;
3392 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3395 switch (chan->mode) {
3396 case L2CAP_MODE_STREAMING:
3397 case L2CAP_MODE_ERTM:
3398 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3399 chan->mode = l2cap_select_mode(rfc.mode,
3400 chan->conn->feat_mask);
3405 if (__l2cap_efs_supported(chan->conn))
3406 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3408 return -ECONNREFUSED;
3411 if (chan->mode != rfc.mode)
3412 return -ECONNREFUSED;
3418 if (chan->mode != rfc.mode) {
3419 result = L2CAP_CONF_UNACCEPT;
3420 rfc.mode = chan->mode;
3422 if (chan->num_conf_rsp == 1)
3423 return -ECONNREFUSED;
3425 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3426 (unsigned long) &rfc, endptr - ptr);
3429 if (result == L2CAP_CONF_SUCCESS) {
3430 /* Configure output options and let the other side know
3431 * which ones we don't like. */
3433 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3434 result = L2CAP_CONF_UNACCEPT;
3437 set_bit(CONF_MTU_DONE, &chan->conf_state);
3439 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3442 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3443 efs.stype != L2CAP_SERV_NOTRAFIC &&
3444 efs.stype != chan->local_stype) {
3446 result = L2CAP_CONF_UNACCEPT;
3448 if (chan->num_conf_req >= 1)
3449 return -ECONNREFUSED;
3451 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3453 (unsigned long) &efs, endptr - ptr);
3455 /* Send PENDING Conf Rsp */
3456 result = L2CAP_CONF_PENDING;
3457 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3462 case L2CAP_MODE_BASIC:
3463 chan->fcs = L2CAP_FCS_NONE;
3464 set_bit(CONF_MODE_DONE, &chan->conf_state);
3467 case L2CAP_MODE_ERTM:
3468 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3469 chan->remote_tx_win = rfc.txwin_size;
3471 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3473 chan->remote_max_tx = rfc.max_transmit;
3475 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3476 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3477 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3478 rfc.max_pdu_size = cpu_to_le16(size);
3479 chan->remote_mps = size;
3481 __l2cap_set_ertm_timeouts(chan, &rfc);
3483 set_bit(CONF_MODE_DONE, &chan->conf_state);
3485 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3486 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3488 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3489 chan->remote_id = efs.id;
3490 chan->remote_stype = efs.stype;
3491 chan->remote_msdu = le16_to_cpu(efs.msdu);
3492 chan->remote_flush_to =
3493 le32_to_cpu(efs.flush_to);
3494 chan->remote_acc_lat =
3495 le32_to_cpu(efs.acc_lat);
3496 chan->remote_sdu_itime =
3497 le32_to_cpu(efs.sdu_itime);
3498 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3500 (unsigned long) &efs, endptr - ptr);
3504 case L2CAP_MODE_STREAMING:
3505 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3506 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3507 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3508 rfc.max_pdu_size = cpu_to_le16(size);
3509 chan->remote_mps = size;
3511 set_bit(CONF_MODE_DONE, &chan->conf_state);
3513 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3514 (unsigned long) &rfc, endptr - ptr);
3519 result = L2CAP_CONF_UNACCEPT;
3521 memset(&rfc, 0, sizeof(rfc));
3522 rfc.mode = chan->mode;
3525 if (result == L2CAP_CONF_SUCCESS)
3526 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3528 rsp->scid = cpu_to_le16(chan->dcid);
3529 rsp->result = cpu_to_le16(result);
3530 rsp->flags = cpu_to_le16(0);
3535 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3536 void *data, size_t size, u16 *result)
3538 struct l2cap_conf_req *req = data;
3539 void *ptr = req->data;
3540 void *endptr = data + size;
3543 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3544 struct l2cap_conf_efs efs;
3546 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3548 while (len >= L2CAP_CONF_OPT_SIZE) {
3549 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3552 case L2CAP_CONF_MTU:
3553 if (val < L2CAP_DEFAULT_MIN_MTU) {
3554 *result = L2CAP_CONF_UNACCEPT;
3555 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3558 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3561 case L2CAP_CONF_FLUSH_TO:
3562 chan->flush_to = val;
3563 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3564 2, chan->flush_to, endptr - ptr);
3567 case L2CAP_CONF_RFC:
3568 if (olen == sizeof(rfc))
3569 memcpy(&rfc, (void *)val, olen);
3571 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3572 rfc.mode != chan->mode)
3573 return -ECONNREFUSED;
3577 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3578 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3581 case L2CAP_CONF_EWS:
3582 chan->ack_win = min_t(u16, val, chan->ack_win);
3583 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3584 chan->tx_win, endptr - ptr);
3587 case L2CAP_CONF_EFS:
3588 if (olen == sizeof(efs)) {
3589 memcpy(&efs, (void *)val, olen);
3591 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3592 efs.stype != L2CAP_SERV_NOTRAFIC &&
3593 efs.stype != chan->local_stype)
3594 return -ECONNREFUSED;
3596 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3597 (unsigned long) &efs, endptr - ptr);
3601 case L2CAP_CONF_FCS:
3602 if (*result == L2CAP_CONF_PENDING)
3603 if (val == L2CAP_FCS_NONE)
3604 set_bit(CONF_RECV_NO_FCS,
3610 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3611 return -ECONNREFUSED;
3613 chan->mode = rfc.mode;
3615 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3617 case L2CAP_MODE_ERTM:
3618 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3619 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3620 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3621 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3622 chan->ack_win = min_t(u16, chan->ack_win,
3625 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3626 chan->local_msdu = le16_to_cpu(efs.msdu);
3627 chan->local_sdu_itime =
3628 le32_to_cpu(efs.sdu_itime);
3629 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3630 chan->local_flush_to =
3631 le32_to_cpu(efs.flush_to);
3635 case L2CAP_MODE_STREAMING:
3636 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3640 req->dcid = cpu_to_le16(chan->dcid);
3641 req->flags = cpu_to_le16(0);
3646 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3647 u16 result, u16 flags)
3649 struct l2cap_conf_rsp *rsp = data;
3650 void *ptr = rsp->data;
3652 BT_DBG("chan %p", chan);
3654 rsp->scid = cpu_to_le16(chan->dcid);
3655 rsp->result = cpu_to_le16(result);
3656 rsp->flags = cpu_to_le16(flags);
3661 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3663 struct l2cap_le_conn_rsp rsp;
3664 struct l2cap_conn *conn = chan->conn;
3666 BT_DBG("chan %p", chan);
3668 rsp.dcid = cpu_to_le16(chan->scid);
3669 rsp.mtu = cpu_to_le16(chan->imtu);
3670 rsp.mps = cpu_to_le16(chan->mps);
3671 rsp.credits = cpu_to_le16(chan->rx_credits);
3672 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3674 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3678 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3680 struct l2cap_conn_rsp rsp;
3681 struct l2cap_conn *conn = chan->conn;
3685 rsp.scid = cpu_to_le16(chan->dcid);
3686 rsp.dcid = cpu_to_le16(chan->scid);
3687 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3688 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3691 rsp_code = L2CAP_CREATE_CHAN_RSP;
3693 rsp_code = L2CAP_CONN_RSP;
3695 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3697 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3699 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3702 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3703 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3704 chan->num_conf_req++;
3707 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3711 /* Use sane default values in case a misbehaving remote device
3712 * did not send an RFC or extended window size option.
3714 u16 txwin_ext = chan->ack_win;
3715 struct l2cap_conf_rfc rfc = {
3717 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3718 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3719 .max_pdu_size = cpu_to_le16(chan->imtu),
3720 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3723 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3725 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3728 while (len >= L2CAP_CONF_OPT_SIZE) {
3729 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3732 case L2CAP_CONF_RFC:
3733 if (olen == sizeof(rfc))
3734 memcpy(&rfc, (void *)val, olen);
3736 case L2CAP_CONF_EWS:
3743 case L2CAP_MODE_ERTM:
3744 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3745 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3746 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3747 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3748 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3750 chan->ack_win = min_t(u16, chan->ack_win,
3753 case L2CAP_MODE_STREAMING:
3754 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3758 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3759 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3762 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3764 if (cmd_len < sizeof(*rej))
3767 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3770 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3771 cmd->ident == conn->info_ident) {
3772 cancel_delayed_work(&conn->info_timer);
3774 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3775 conn->info_ident = 0;
3777 l2cap_conn_start(conn);
3783 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3784 struct l2cap_cmd_hdr *cmd,
3785 u8 *data, u8 rsp_code, u8 amp_id)
3787 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3788 struct l2cap_conn_rsp rsp;
3789 struct l2cap_chan *chan = NULL, *pchan;
3790 int result, status = L2CAP_CS_NO_INFO;
3792 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3793 __le16 psm = req->psm;
3795 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3797 /* Check if we have socket listening on psm */
3798 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3799 &conn->hcon->dst, ACL_LINK);
3801 result = L2CAP_CR_BAD_PSM;
3805 mutex_lock(&conn->chan_lock);
3806 l2cap_chan_lock(pchan);
3808 /* Check if the ACL is secure enough (if not SDP) */
3809 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3810 !hci_conn_check_link_mode(conn->hcon)) {
3811 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3812 result = L2CAP_CR_SEC_BLOCK;
3816 result = L2CAP_CR_NO_MEM;
3818 /* Check if we already have channel with that dcid */
3819 if (__l2cap_get_chan_by_dcid(conn, scid))
3822 chan = pchan->ops->new_connection(pchan);
3826 /* For certain devices (ex: HID mouse), support for authentication,
3827 * pairing and bonding is optional. For such devices, inorder to avoid
3828 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3829 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3831 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3833 bacpy(&chan->src, &conn->hcon->src);
3834 bacpy(&chan->dst, &conn->hcon->dst);
3835 chan->src_type = bdaddr_src_type(conn->hcon);
3836 chan->dst_type = bdaddr_dst_type(conn->hcon);
3839 chan->local_amp_id = amp_id;
3841 __l2cap_chan_add(conn, chan);
3845 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3847 chan->ident = cmd->ident;
3849 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3850 if (l2cap_chan_check_security(chan, false)) {
3851 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3852 l2cap_state_change(chan, BT_CONNECT2);
3853 result = L2CAP_CR_PEND;
3854 status = L2CAP_CS_AUTHOR_PEND;
3855 chan->ops->defer(chan);
3857 /* Force pending result for AMP controllers.
3858 * The connection will succeed after the
3859 * physical link is up.
3861 if (amp_id == AMP_ID_BREDR) {
3862 l2cap_state_change(chan, BT_CONFIG);
3863 result = L2CAP_CR_SUCCESS;
3865 l2cap_state_change(chan, BT_CONNECT2);
3866 result = L2CAP_CR_PEND;
3868 status = L2CAP_CS_NO_INFO;
3871 l2cap_state_change(chan, BT_CONNECT2);
3872 result = L2CAP_CR_PEND;
3873 status = L2CAP_CS_AUTHEN_PEND;
3876 l2cap_state_change(chan, BT_CONNECT2);
3877 result = L2CAP_CR_PEND;
3878 status = L2CAP_CS_NO_INFO;
3882 l2cap_chan_unlock(pchan);
3883 mutex_unlock(&conn->chan_lock);
3884 l2cap_chan_put(pchan);
3887 rsp.scid = cpu_to_le16(scid);
3888 rsp.dcid = cpu_to_le16(dcid);
3889 rsp.result = cpu_to_le16(result);
3890 rsp.status = cpu_to_le16(status);
3891 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3893 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3894 struct l2cap_info_req info;
3895 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3897 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3898 conn->info_ident = l2cap_get_ident(conn);
3900 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3902 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3903 sizeof(info), &info);
3906 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3907 result == L2CAP_CR_SUCCESS) {
3909 set_bit(CONF_REQ_SENT, &chan->conf_state);
3910 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3911 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3912 chan->num_conf_req++;
3918 static int l2cap_connect_req(struct l2cap_conn *conn,
3919 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3921 struct hci_dev *hdev = conn->hcon->hdev;
3922 struct hci_conn *hcon = conn->hcon;
3924 if (cmd_len < sizeof(struct l2cap_conn_req))
3928 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3929 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3930 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3931 hci_dev_unlock(hdev);
3933 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3937 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3938 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3941 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3942 u16 scid, dcid, result, status;
3943 struct l2cap_chan *chan;
3947 if (cmd_len < sizeof(*rsp))
3950 scid = __le16_to_cpu(rsp->scid);
3951 dcid = __le16_to_cpu(rsp->dcid);
3952 result = __le16_to_cpu(rsp->result);
3953 status = __le16_to_cpu(rsp->status);
3955 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3956 dcid, scid, result, status);
3958 mutex_lock(&conn->chan_lock);
3961 chan = __l2cap_get_chan_by_scid(conn, scid);
3967 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3976 l2cap_chan_lock(chan);
3979 case L2CAP_CR_SUCCESS:
3980 l2cap_state_change(chan, BT_CONFIG);
3983 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3985 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3988 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3989 l2cap_build_conf_req(chan, req, sizeof(req)), req);
3990 chan->num_conf_req++;
3994 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3998 l2cap_chan_del(chan, ECONNREFUSED);
4002 l2cap_chan_unlock(chan);
4005 mutex_unlock(&conn->chan_lock);
4010 static inline void set_default_fcs(struct l2cap_chan *chan)
4012 /* FCS is enabled only in ERTM or streaming mode, if one or both
4015 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4016 chan->fcs = L2CAP_FCS_NONE;
4017 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4018 chan->fcs = L2CAP_FCS_CRC16;
4021 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4022 u8 ident, u16 flags)
4024 struct l2cap_conn *conn = chan->conn;
4026 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4029 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4030 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4032 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4033 l2cap_build_conf_rsp(chan, data,
4034 L2CAP_CONF_SUCCESS, flags), data);
4037 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4040 struct l2cap_cmd_rej_cid rej;
4042 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4043 rej.scid = __cpu_to_le16(scid);
4044 rej.dcid = __cpu_to_le16(dcid);
4046 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4049 static inline int l2cap_config_req(struct l2cap_conn *conn,
4050 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4053 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4056 struct l2cap_chan *chan;
4059 if (cmd_len < sizeof(*req))
4062 dcid = __le16_to_cpu(req->dcid);
4063 flags = __le16_to_cpu(req->flags);
4065 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4067 chan = l2cap_get_chan_by_scid(conn, dcid);
4069 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4073 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4074 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4079 /* Reject if config buffer is too small. */
4080 len = cmd_len - sizeof(*req);
4081 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4082 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4083 l2cap_build_conf_rsp(chan, rsp,
4084 L2CAP_CONF_REJECT, flags), rsp);
4089 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4090 chan->conf_len += len;
4092 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4093 /* Incomplete config. Send empty response. */
4094 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4095 l2cap_build_conf_rsp(chan, rsp,
4096 L2CAP_CONF_SUCCESS, flags), rsp);
4100 /* Complete config. */
4101 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4103 l2cap_send_disconn_req(chan, ECONNRESET);
4107 chan->ident = cmd->ident;
4108 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4109 chan->num_conf_rsp++;
4111 /* Reset config buffer. */
4114 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4117 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4118 set_default_fcs(chan);
4120 if (chan->mode == L2CAP_MODE_ERTM ||
4121 chan->mode == L2CAP_MODE_STREAMING)
4122 err = l2cap_ertm_init(chan);
4125 l2cap_send_disconn_req(chan, -err);
4127 l2cap_chan_ready(chan);
4132 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4134 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4135 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4136 chan->num_conf_req++;
4139 /* Got Conf Rsp PENDING from remote side and assume we sent
4140 Conf Rsp PENDING in the code above */
4141 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4142 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4144 /* check compatibility */
4146 /* Send rsp for BR/EDR channel */
4148 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4150 chan->ident = cmd->ident;
4154 l2cap_chan_unlock(chan);
4158 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4159 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4162 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4163 u16 scid, flags, result;
4164 struct l2cap_chan *chan;
4165 int len = cmd_len - sizeof(*rsp);
4168 if (cmd_len < sizeof(*rsp))
4171 scid = __le16_to_cpu(rsp->scid);
4172 flags = __le16_to_cpu(rsp->flags);
4173 result = __le16_to_cpu(rsp->result);
4175 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4178 chan = l2cap_get_chan_by_scid(conn, scid);
4183 case L2CAP_CONF_SUCCESS:
4184 l2cap_conf_rfc_get(chan, rsp->data, len);
4185 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4188 case L2CAP_CONF_PENDING:
4189 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4191 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4194 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4195 buf, sizeof(buf), &result);
4197 l2cap_send_disconn_req(chan, ECONNRESET);
4201 if (!chan->hs_hcon) {
4202 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4205 if (l2cap_check_efs(chan)) {
4206 amp_create_logical_link(chan);
4207 chan->ident = cmd->ident;
4213 case L2CAP_CONF_UNACCEPT:
4214 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4217 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4218 l2cap_send_disconn_req(chan, ECONNRESET);
4222 /* throw out any old stored conf requests */
4223 result = L2CAP_CONF_SUCCESS;
4224 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4225 req, sizeof(req), &result);
4227 l2cap_send_disconn_req(chan, ECONNRESET);
4231 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4232 L2CAP_CONF_REQ, len, req);
4233 chan->num_conf_req++;
4234 if (result != L2CAP_CONF_SUCCESS)
4240 l2cap_chan_set_err(chan, ECONNRESET);
4242 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4243 l2cap_send_disconn_req(chan, ECONNRESET);
4247 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4250 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4252 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4253 set_default_fcs(chan);
4255 if (chan->mode == L2CAP_MODE_ERTM ||
4256 chan->mode == L2CAP_MODE_STREAMING)
4257 err = l2cap_ertm_init(chan);
4260 l2cap_send_disconn_req(chan, -err);
4262 l2cap_chan_ready(chan);
4266 l2cap_chan_unlock(chan);
4270 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4271 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4274 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4275 struct l2cap_disconn_rsp rsp;
4277 struct l2cap_chan *chan;
4279 if (cmd_len != sizeof(*req))
4282 scid = __le16_to_cpu(req->scid);
4283 dcid = __le16_to_cpu(req->dcid);
4285 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4287 mutex_lock(&conn->chan_lock);
4289 chan = __l2cap_get_chan_by_scid(conn, dcid);
4291 mutex_unlock(&conn->chan_lock);
4292 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4296 l2cap_chan_lock(chan);
4298 rsp.dcid = cpu_to_le16(chan->scid);
4299 rsp.scid = cpu_to_le16(chan->dcid);
4300 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4302 chan->ops->set_shutdown(chan);
4304 l2cap_chan_hold(chan);
4305 l2cap_chan_del(chan, ECONNRESET);
4307 l2cap_chan_unlock(chan);
4309 chan->ops->close(chan);
4310 l2cap_chan_put(chan);
4312 mutex_unlock(&conn->chan_lock);
4317 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4318 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4321 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4323 struct l2cap_chan *chan;
4325 if (cmd_len != sizeof(*rsp))
4328 scid = __le16_to_cpu(rsp->scid);
4329 dcid = __le16_to_cpu(rsp->dcid);
4331 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4333 mutex_lock(&conn->chan_lock);
4335 chan = __l2cap_get_chan_by_scid(conn, scid);
4337 mutex_unlock(&conn->chan_lock);
4341 l2cap_chan_lock(chan);
4343 l2cap_chan_hold(chan);
4344 l2cap_chan_del(chan, 0);
4346 l2cap_chan_unlock(chan);
4348 chan->ops->close(chan);
4349 l2cap_chan_put(chan);
4351 mutex_unlock(&conn->chan_lock);
4356 static inline int l2cap_information_req(struct l2cap_conn *conn,
4357 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4360 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4363 if (cmd_len != sizeof(*req))
4366 type = __le16_to_cpu(req->type);
4368 BT_DBG("type 0x%4.4x", type);
4370 if (type == L2CAP_IT_FEAT_MASK) {
4372 u32 feat_mask = l2cap_feat_mask;
4373 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4374 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4375 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4377 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4379 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4380 feat_mask |= L2CAP_FEAT_EXT_FLOW
4381 | L2CAP_FEAT_EXT_WINDOW;
4383 put_unaligned_le32(feat_mask, rsp->data);
4384 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4386 } else if (type == L2CAP_IT_FIXED_CHAN) {
4388 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4390 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4391 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4392 rsp->data[0] = conn->local_fixed_chan;
4393 memset(rsp->data + 1, 0, 7);
4394 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4397 struct l2cap_info_rsp rsp;
4398 rsp.type = cpu_to_le16(type);
4399 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4400 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4407 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4408 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4411 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4414 if (cmd_len < sizeof(*rsp))
4417 type = __le16_to_cpu(rsp->type);
4418 result = __le16_to_cpu(rsp->result);
4420 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4422 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4423 if (cmd->ident != conn->info_ident ||
4424 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4427 cancel_delayed_work(&conn->info_timer);
4429 if (result != L2CAP_IR_SUCCESS) {
4430 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4431 conn->info_ident = 0;
4433 l2cap_conn_start(conn);
4439 case L2CAP_IT_FEAT_MASK:
4440 conn->feat_mask = get_unaligned_le32(rsp->data);
4442 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4443 struct l2cap_info_req req;
4444 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4446 conn->info_ident = l2cap_get_ident(conn);
4448 l2cap_send_cmd(conn, conn->info_ident,
4449 L2CAP_INFO_REQ, sizeof(req), &req);
4451 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4452 conn->info_ident = 0;
4454 l2cap_conn_start(conn);
4458 case L2CAP_IT_FIXED_CHAN:
4459 conn->remote_fixed_chan = rsp->data[0];
4460 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4461 conn->info_ident = 0;
4463 l2cap_conn_start(conn);
4470 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4471 struct l2cap_cmd_hdr *cmd,
4472 u16 cmd_len, void *data)
4474 struct l2cap_create_chan_req *req = data;
4475 struct l2cap_create_chan_rsp rsp;
4476 struct l2cap_chan *chan;
4477 struct hci_dev *hdev;
4480 if (cmd_len != sizeof(*req))
4483 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4486 psm = le16_to_cpu(req->psm);
4487 scid = le16_to_cpu(req->scid);
4489 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4491 /* For controller id 0 make BR/EDR connection */
4492 if (req->amp_id == AMP_ID_BREDR) {
4493 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4498 /* Validate AMP controller id */
4499 hdev = hci_dev_get(req->amp_id);
4503 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4508 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4511 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4512 struct hci_conn *hs_hcon;
4514 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4518 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4523 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4525 mgr->bredr_chan = chan;
4526 chan->hs_hcon = hs_hcon;
4527 chan->fcs = L2CAP_FCS_NONE;
4528 conn->mtu = hdev->block_mtu;
4537 rsp.scid = cpu_to_le16(scid);
4538 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4539 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4541 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4547 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4549 struct l2cap_move_chan_req req;
4552 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4554 ident = l2cap_get_ident(chan->conn);
4555 chan->ident = ident;
4557 req.icid = cpu_to_le16(chan->scid);
4558 req.dest_amp_id = dest_amp_id;
4560 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4563 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4566 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4568 struct l2cap_move_chan_rsp rsp;
4570 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4572 rsp.icid = cpu_to_le16(chan->dcid);
4573 rsp.result = cpu_to_le16(result);
4575 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4579 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4581 struct l2cap_move_chan_cfm cfm;
4583 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4585 chan->ident = l2cap_get_ident(chan->conn);
4587 cfm.icid = cpu_to_le16(chan->scid);
4588 cfm.result = cpu_to_le16(result);
4590 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4593 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4596 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4598 struct l2cap_move_chan_cfm cfm;
4600 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4602 cfm.icid = cpu_to_le16(icid);
4603 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4605 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4609 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4612 struct l2cap_move_chan_cfm_rsp rsp;
4614 BT_DBG("icid 0x%4.4x", icid);
4616 rsp.icid = cpu_to_le16(icid);
4617 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4620 static void __release_logical_link(struct l2cap_chan *chan)
4622 chan->hs_hchan = NULL;
4623 chan->hs_hcon = NULL;
4625 /* Placeholder - release the logical link */
4628 static void l2cap_logical_fail(struct l2cap_chan *chan)
4630 /* Logical link setup failed */
4631 if (chan->state != BT_CONNECTED) {
4632 /* Create channel failure, disconnect */
4633 l2cap_send_disconn_req(chan, ECONNRESET);
4637 switch (chan->move_role) {
4638 case L2CAP_MOVE_ROLE_RESPONDER:
4639 l2cap_move_done(chan);
4640 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4642 case L2CAP_MOVE_ROLE_INITIATOR:
4643 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4644 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4645 /* Remote has only sent pending or
4646 * success responses, clean up
4648 l2cap_move_done(chan);
4651 /* Other amp move states imply that the move
4652 * has already aborted
4654 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4659 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4660 struct hci_chan *hchan)
4662 struct l2cap_conf_rsp rsp;
4664 chan->hs_hchan = hchan;
4665 chan->hs_hcon->l2cap_data = chan->conn;
4667 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4669 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4672 set_default_fcs(chan);
4674 err = l2cap_ertm_init(chan);
4676 l2cap_send_disconn_req(chan, -err);
4678 l2cap_chan_ready(chan);
4682 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4683 struct hci_chan *hchan)
4685 chan->hs_hcon = hchan->conn;
4686 chan->hs_hcon->l2cap_data = chan->conn;
4688 BT_DBG("move_state %d", chan->move_state);
4690 switch (chan->move_state) {
4691 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4692 /* Move confirm will be sent after a success
4693 * response is received
4695 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4697 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4698 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4699 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4700 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4701 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4702 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4703 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4704 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4705 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4709 /* Move was not in expected state, free the channel */
4710 __release_logical_link(chan);
4712 chan->move_state = L2CAP_MOVE_STABLE;
4716 /* Call with chan locked */
4717 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4720 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4723 l2cap_logical_fail(chan);
4724 __release_logical_link(chan);
4728 if (chan->state != BT_CONNECTED) {
4729 /* Ignore logical link if channel is on BR/EDR */
4730 if (chan->local_amp_id != AMP_ID_BREDR)
4731 l2cap_logical_finish_create(chan, hchan);
4733 l2cap_logical_finish_move(chan, hchan);
4737 void l2cap_move_start(struct l2cap_chan *chan)
4739 BT_DBG("chan %p", chan);
4741 if (chan->local_amp_id == AMP_ID_BREDR) {
4742 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4744 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4745 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4746 /* Placeholder - start physical link setup */
4748 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4749 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4751 l2cap_move_setup(chan);
4752 l2cap_send_move_chan_req(chan, 0);
4756 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4757 u8 local_amp_id, u8 remote_amp_id)
4759 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4760 local_amp_id, remote_amp_id);
4762 chan->fcs = L2CAP_FCS_NONE;
4764 /* Outgoing channel on AMP */
4765 if (chan->state == BT_CONNECT) {
4766 if (result == L2CAP_CR_SUCCESS) {
4767 chan->local_amp_id = local_amp_id;
4768 l2cap_send_create_chan_req(chan, remote_amp_id);
4770 /* Revert to BR/EDR connect */
4771 l2cap_send_conn_req(chan);
4777 /* Incoming channel on AMP */
4778 if (__l2cap_no_conn_pending(chan)) {
4779 struct l2cap_conn_rsp rsp;
4781 rsp.scid = cpu_to_le16(chan->dcid);
4782 rsp.dcid = cpu_to_le16(chan->scid);
4784 if (result == L2CAP_CR_SUCCESS) {
4785 /* Send successful response */
4786 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4787 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4789 /* Send negative response */
4790 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4791 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4794 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4797 if (result == L2CAP_CR_SUCCESS) {
4798 l2cap_state_change(chan, BT_CONFIG);
4799 set_bit(CONF_REQ_SENT, &chan->conf_state);
4800 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4802 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4803 chan->num_conf_req++;
4808 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4811 l2cap_move_setup(chan);
4812 chan->move_id = local_amp_id;
4813 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4815 l2cap_send_move_chan_req(chan, remote_amp_id);
4818 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4820 struct hci_chan *hchan = NULL;
4822 /* Placeholder - get hci_chan for logical link */
4825 if (hchan->state == BT_CONNECTED) {
4826 /* Logical link is ready to go */
4827 chan->hs_hcon = hchan->conn;
4828 chan->hs_hcon->l2cap_data = chan->conn;
4829 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4830 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4832 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4834 /* Wait for logical link to be ready */
4835 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4838 /* Logical link not available */
4839 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4843 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4845 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4847 if (result == -EINVAL)
4848 rsp_result = L2CAP_MR_BAD_ID;
4850 rsp_result = L2CAP_MR_NOT_ALLOWED;
4852 l2cap_send_move_chan_rsp(chan, rsp_result);
4855 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4856 chan->move_state = L2CAP_MOVE_STABLE;
4858 /* Restart data transmission */
4859 l2cap_ertm_send(chan);
4862 /* Invoke with locked chan */
4863 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4865 u8 local_amp_id = chan->local_amp_id;
4866 u8 remote_amp_id = chan->remote_amp_id;
4868 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4869 chan, result, local_amp_id, remote_amp_id);
4871 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4872 l2cap_chan_unlock(chan);
4876 if (chan->state != BT_CONNECTED) {
4877 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4878 } else if (result != L2CAP_MR_SUCCESS) {
4879 l2cap_do_move_cancel(chan, result);
4881 switch (chan->move_role) {
4882 case L2CAP_MOVE_ROLE_INITIATOR:
4883 l2cap_do_move_initiate(chan, local_amp_id,
4886 case L2CAP_MOVE_ROLE_RESPONDER:
4887 l2cap_do_move_respond(chan, result);
4890 l2cap_do_move_cancel(chan, result);
4896 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4897 struct l2cap_cmd_hdr *cmd,
4898 u16 cmd_len, void *data)
4900 struct l2cap_move_chan_req *req = data;
4901 struct l2cap_move_chan_rsp rsp;
4902 struct l2cap_chan *chan;
4904 u16 result = L2CAP_MR_NOT_ALLOWED;
4906 if (cmd_len != sizeof(*req))
4909 icid = le16_to_cpu(req->icid);
4911 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4913 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4916 chan = l2cap_get_chan_by_dcid(conn, icid);
4918 rsp.icid = cpu_to_le16(icid);
4919 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4920 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4925 chan->ident = cmd->ident;
4927 if (chan->scid < L2CAP_CID_DYN_START ||
4928 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4929 (chan->mode != L2CAP_MODE_ERTM &&
4930 chan->mode != L2CAP_MODE_STREAMING)) {
4931 result = L2CAP_MR_NOT_ALLOWED;
4932 goto send_move_response;
4935 if (chan->local_amp_id == req->dest_amp_id) {
4936 result = L2CAP_MR_SAME_ID;
4937 goto send_move_response;
4940 if (req->dest_amp_id != AMP_ID_BREDR) {
4941 struct hci_dev *hdev;
4942 hdev = hci_dev_get(req->dest_amp_id);
4943 if (!hdev || hdev->dev_type != HCI_AMP ||
4944 !test_bit(HCI_UP, &hdev->flags)) {
4948 result = L2CAP_MR_BAD_ID;
4949 goto send_move_response;
4954 /* Detect a move collision. Only send a collision response
4955 * if this side has "lost", otherwise proceed with the move.
4956 * The winner has the larger bd_addr.
4958 if ((__chan_is_moving(chan) ||
4959 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4960 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4961 result = L2CAP_MR_COLLISION;
4962 goto send_move_response;
4965 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4966 l2cap_move_setup(chan);
4967 chan->move_id = req->dest_amp_id;
4970 if (req->dest_amp_id == AMP_ID_BREDR) {
4971 /* Moving to BR/EDR */
4972 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4973 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4974 result = L2CAP_MR_PEND;
4976 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4977 result = L2CAP_MR_SUCCESS;
4980 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4981 /* Placeholder - uncomment when amp functions are available */
4982 /*amp_accept_physical(chan, req->dest_amp_id);*/
4983 result = L2CAP_MR_PEND;
4987 l2cap_send_move_chan_rsp(chan, result);
4989 l2cap_chan_unlock(chan);
4994 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4996 struct l2cap_chan *chan;
4997 struct hci_chan *hchan = NULL;
4999 chan = l2cap_get_chan_by_scid(conn, icid);
5001 l2cap_send_move_chan_cfm_icid(conn, icid);
5005 __clear_chan_timer(chan);
5006 if (result == L2CAP_MR_PEND)
5007 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5009 switch (chan->move_state) {
5010 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5011 /* Move confirm will be sent when logical link
5014 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5016 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5017 if (result == L2CAP_MR_PEND) {
5019 } else if (test_bit(CONN_LOCAL_BUSY,
5020 &chan->conn_state)) {
5021 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5023 /* Logical link is up or moving to BR/EDR,
5026 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5027 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5030 case L2CAP_MOVE_WAIT_RSP:
5032 if (result == L2CAP_MR_SUCCESS) {
5033 /* Remote is ready, send confirm immediately
5034 * after logical link is ready
5036 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5038 /* Both logical link and move success
5039 * are required to confirm
5041 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5044 /* Placeholder - get hci_chan for logical link */
5046 /* Logical link not available */
5047 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5051 /* If the logical link is not yet connected, do not
5052 * send confirmation.
5054 if (hchan->state != BT_CONNECTED)
5057 /* Logical link is already ready to go */
5059 chan->hs_hcon = hchan->conn;
5060 chan->hs_hcon->l2cap_data = chan->conn;
5062 if (result == L2CAP_MR_SUCCESS) {
5063 /* Can confirm now */
5064 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5066 /* Now only need move success
5069 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5072 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5075 /* Any other amp move state means the move failed. */
5076 chan->move_id = chan->local_amp_id;
5077 l2cap_move_done(chan);
5078 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5081 l2cap_chan_unlock(chan);
5084 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5087 struct l2cap_chan *chan;
5089 chan = l2cap_get_chan_by_ident(conn, ident);
5091 /* Could not locate channel, icid is best guess */
5092 l2cap_send_move_chan_cfm_icid(conn, icid);
5096 __clear_chan_timer(chan);
5098 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5099 if (result == L2CAP_MR_COLLISION) {
5100 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5102 /* Cleanup - cancel move */
5103 chan->move_id = chan->local_amp_id;
5104 l2cap_move_done(chan);
5108 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5110 l2cap_chan_unlock(chan);
5113 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5114 struct l2cap_cmd_hdr *cmd,
5115 u16 cmd_len, void *data)
5117 struct l2cap_move_chan_rsp *rsp = data;
5120 if (cmd_len != sizeof(*rsp))
5123 icid = le16_to_cpu(rsp->icid);
5124 result = le16_to_cpu(rsp->result);
5126 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5128 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5129 l2cap_move_continue(conn, icid, result);
5131 l2cap_move_fail(conn, cmd->ident, icid, result);
5136 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5137 struct l2cap_cmd_hdr *cmd,
5138 u16 cmd_len, void *data)
5140 struct l2cap_move_chan_cfm *cfm = data;
5141 struct l2cap_chan *chan;
5144 if (cmd_len != sizeof(*cfm))
5147 icid = le16_to_cpu(cfm->icid);
5148 result = le16_to_cpu(cfm->result);
5150 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5152 chan = l2cap_get_chan_by_dcid(conn, icid);
5154 /* Spec requires a response even if the icid was not found */
5155 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5159 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5160 if (result == L2CAP_MC_CONFIRMED) {
5161 chan->local_amp_id = chan->move_id;
5162 if (chan->local_amp_id == AMP_ID_BREDR)
5163 __release_logical_link(chan);
5165 chan->move_id = chan->local_amp_id;
5168 l2cap_move_done(chan);
5171 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5173 l2cap_chan_unlock(chan);
5178 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5179 struct l2cap_cmd_hdr *cmd,
5180 u16 cmd_len, void *data)
5182 struct l2cap_move_chan_cfm_rsp *rsp = data;
5183 struct l2cap_chan *chan;
5186 if (cmd_len != sizeof(*rsp))
5189 icid = le16_to_cpu(rsp->icid);
5191 BT_DBG("icid 0x%4.4x", icid);
5193 chan = l2cap_get_chan_by_scid(conn, icid);
5197 __clear_chan_timer(chan);
5199 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5200 chan->local_amp_id = chan->move_id;
5202 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5203 __release_logical_link(chan);
5205 l2cap_move_done(chan);
5208 l2cap_chan_unlock(chan);
5213 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5214 struct l2cap_cmd_hdr *cmd,
5215 u16 cmd_len, u8 *data)
5217 struct hci_conn *hcon = conn->hcon;
5218 struct l2cap_conn_param_update_req *req;
5219 struct l2cap_conn_param_update_rsp rsp;
5220 u16 min, max, latency, to_multiplier;
5223 if (hcon->role != HCI_ROLE_MASTER)
5226 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5229 req = (struct l2cap_conn_param_update_req *) data;
5230 min = __le16_to_cpu(req->min);
5231 max = __le16_to_cpu(req->max);
5232 latency = __le16_to_cpu(req->latency);
5233 to_multiplier = __le16_to_cpu(req->to_multiplier);
5235 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5236 min, max, latency, to_multiplier);
5238 memset(&rsp, 0, sizeof(rsp));
5240 err = hci_check_conn_params(min, max, latency, to_multiplier);
5242 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5244 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5246 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5252 store_hint = hci_le_conn_update(hcon, min, max, latency,
5254 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5255 store_hint, min, max, latency,
5263 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5264 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5267 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5268 struct hci_conn *hcon = conn->hcon;
5269 u16 dcid, mtu, mps, credits, result;
5270 struct l2cap_chan *chan;
5273 if (cmd_len < sizeof(*rsp))
5276 dcid = __le16_to_cpu(rsp->dcid);
5277 mtu = __le16_to_cpu(rsp->mtu);
5278 mps = __le16_to_cpu(rsp->mps);
5279 credits = __le16_to_cpu(rsp->credits);
5280 result = __le16_to_cpu(rsp->result);
5282 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 ||
5283 dcid < L2CAP_CID_DYN_START ||
5284 dcid > L2CAP_CID_LE_DYN_END))
5287 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5288 dcid, mtu, mps, credits, result);
5290 mutex_lock(&conn->chan_lock);
5292 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5300 l2cap_chan_lock(chan);
5303 case L2CAP_CR_SUCCESS:
5304 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5312 chan->remote_mps = mps;
5313 chan->tx_credits = credits;
5314 l2cap_chan_ready(chan);
5317 case L2CAP_CR_AUTHENTICATION:
5318 case L2CAP_CR_ENCRYPTION:
5319 /* If we already have MITM protection we can't do
5322 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5323 l2cap_chan_del(chan, ECONNREFUSED);
5327 sec_level = hcon->sec_level + 1;
5328 if (chan->sec_level < sec_level)
5329 chan->sec_level = sec_level;
5331 /* We'll need to send a new Connect Request */
5332 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5334 smp_conn_security(hcon, chan->sec_level);
5338 l2cap_chan_del(chan, ECONNREFUSED);
5342 l2cap_chan_unlock(chan);
5345 mutex_unlock(&conn->chan_lock);
5350 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5351 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5356 switch (cmd->code) {
5357 case L2CAP_COMMAND_REJ:
5358 l2cap_command_rej(conn, cmd, cmd_len, data);
5361 case L2CAP_CONN_REQ:
5362 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5365 case L2CAP_CONN_RSP:
5366 case L2CAP_CREATE_CHAN_RSP:
5367 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5370 case L2CAP_CONF_REQ:
5371 err = l2cap_config_req(conn, cmd, cmd_len, data);
5374 case L2CAP_CONF_RSP:
5375 l2cap_config_rsp(conn, cmd, cmd_len, data);
5378 case L2CAP_DISCONN_REQ:
5379 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5382 case L2CAP_DISCONN_RSP:
5383 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5386 case L2CAP_ECHO_REQ:
5387 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5390 case L2CAP_ECHO_RSP:
5393 case L2CAP_INFO_REQ:
5394 err = l2cap_information_req(conn, cmd, cmd_len, data);
5397 case L2CAP_INFO_RSP:
5398 l2cap_information_rsp(conn, cmd, cmd_len, data);
5401 case L2CAP_CREATE_CHAN_REQ:
5402 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5405 case L2CAP_MOVE_CHAN_REQ:
5406 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5409 case L2CAP_MOVE_CHAN_RSP:
5410 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5413 case L2CAP_MOVE_CHAN_CFM:
5414 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5417 case L2CAP_MOVE_CHAN_CFM_RSP:
5418 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5422 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5430 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5431 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5434 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5435 struct l2cap_le_conn_rsp rsp;
5436 struct l2cap_chan *chan, *pchan;
5437 u16 dcid, scid, credits, mtu, mps;
5441 if (cmd_len != sizeof(*req))
5444 scid = __le16_to_cpu(req->scid);
5445 mtu = __le16_to_cpu(req->mtu);
5446 mps = __le16_to_cpu(req->mps);
5451 if (mtu < 23 || mps < 23)
5454 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5457 /* Check if we have socket listening on psm */
5458 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5459 &conn->hcon->dst, LE_LINK);
5461 result = L2CAP_CR_BAD_PSM;
5466 mutex_lock(&conn->chan_lock);
5467 l2cap_chan_lock(pchan);
5469 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5471 result = L2CAP_CR_AUTHENTICATION;
5473 goto response_unlock;
5476 /* Check for valid dynamic CID range */
5477 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5478 result = L2CAP_CR_INVALID_SCID;
5480 goto response_unlock;
5483 /* Check if we already have channel with that dcid */
5484 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5485 result = L2CAP_CR_SCID_IN_USE;
5487 goto response_unlock;
5490 chan = pchan->ops->new_connection(pchan);
5492 result = L2CAP_CR_NO_MEM;
5493 goto response_unlock;
5496 l2cap_le_flowctl_init(chan);
5498 bacpy(&chan->src, &conn->hcon->src);
5499 bacpy(&chan->dst, &conn->hcon->dst);
5500 chan->src_type = bdaddr_src_type(conn->hcon);
5501 chan->dst_type = bdaddr_dst_type(conn->hcon);
5505 chan->remote_mps = mps;
5506 chan->tx_credits = __le16_to_cpu(req->credits);
5508 __l2cap_chan_add(conn, chan);
5510 credits = chan->rx_credits;
5512 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5514 chan->ident = cmd->ident;
5516 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5517 l2cap_state_change(chan, BT_CONNECT2);
5518 /* The following result value is actually not defined
5519 * for LE CoC but we use it to let the function know
5520 * that it should bail out after doing its cleanup
5521 * instead of sending a response.
5523 result = L2CAP_CR_PEND;
5524 chan->ops->defer(chan);
5526 l2cap_chan_ready(chan);
5527 result = L2CAP_CR_SUCCESS;
5531 l2cap_chan_unlock(pchan);
5532 mutex_unlock(&conn->chan_lock);
5533 l2cap_chan_put(pchan);
5535 if (result == L2CAP_CR_PEND)
5540 rsp.mtu = cpu_to_le16(chan->imtu);
5541 rsp.mps = cpu_to_le16(chan->mps);
5547 rsp.dcid = cpu_to_le16(dcid);
5548 rsp.credits = cpu_to_le16(credits);
5549 rsp.result = cpu_to_le16(result);
5551 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5556 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5557 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5560 struct l2cap_le_credits *pkt;
5561 struct l2cap_chan *chan;
5562 u16 cid, credits, max_credits;
5564 if (cmd_len != sizeof(*pkt))
5567 pkt = (struct l2cap_le_credits *) data;
5568 cid = __le16_to_cpu(pkt->cid);
5569 credits = __le16_to_cpu(pkt->credits);
5571 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5573 chan = l2cap_get_chan_by_dcid(conn, cid);
5577 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5578 if (credits > max_credits) {
5579 BT_ERR("LE credits overflow");
5580 l2cap_send_disconn_req(chan, ECONNRESET);
5581 l2cap_chan_unlock(chan);
5583 /* Return 0 so that we don't trigger an unnecessary
5584 * command reject packet.
5589 chan->tx_credits += credits;
5591 /* Resume sending */
5592 l2cap_le_flowctl_send(chan);
5594 if (chan->tx_credits)
5595 chan->ops->resume(chan);
5597 l2cap_chan_unlock(chan);
5602 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5603 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5606 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5607 struct l2cap_chan *chan;
5609 if (cmd_len < sizeof(*rej))
5612 mutex_lock(&conn->chan_lock);
5614 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5618 l2cap_chan_lock(chan);
5619 l2cap_chan_del(chan, ECONNREFUSED);
5620 l2cap_chan_unlock(chan);
5623 mutex_unlock(&conn->chan_lock);
5627 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5628 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5633 switch (cmd->code) {
5634 case L2CAP_COMMAND_REJ:
5635 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5638 case L2CAP_CONN_PARAM_UPDATE_REQ:
5639 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5642 case L2CAP_CONN_PARAM_UPDATE_RSP:
5645 case L2CAP_LE_CONN_RSP:
5646 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5649 case L2CAP_LE_CONN_REQ:
5650 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5653 case L2CAP_LE_CREDITS:
5654 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5657 case L2CAP_DISCONN_REQ:
5658 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5661 case L2CAP_DISCONN_RSP:
5662 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5666 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5674 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5675 struct sk_buff *skb)
5677 struct hci_conn *hcon = conn->hcon;
5678 struct l2cap_cmd_hdr *cmd;
5682 if (hcon->type != LE_LINK)
5685 if (skb->len < L2CAP_CMD_HDR_SIZE)
5688 cmd = (void *) skb->data;
5689 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5691 len = le16_to_cpu(cmd->len);
5693 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5695 if (len != skb->len || !cmd->ident) {
5696 BT_DBG("corrupted command");
5700 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5702 struct l2cap_cmd_rej_unk rej;
5704 BT_ERR("Wrong link type (%d)", err);
5706 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5707 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5715 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5716 struct sk_buff *skb)
5718 struct hci_conn *hcon = conn->hcon;
5719 u8 *data = skb->data;
5721 struct l2cap_cmd_hdr cmd;
5724 l2cap_raw_recv(conn, skb);
5726 if (hcon->type != ACL_LINK)
5729 while (len >= L2CAP_CMD_HDR_SIZE) {
5731 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5732 data += L2CAP_CMD_HDR_SIZE;
5733 len -= L2CAP_CMD_HDR_SIZE;
5735 cmd_len = le16_to_cpu(cmd.len);
5737 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5740 if (cmd_len > len || !cmd.ident) {
5741 BT_DBG("corrupted command");
5745 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5747 struct l2cap_cmd_rej_unk rej;
5749 BT_ERR("Wrong link type (%d)", err);
5751 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5752 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5764 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5766 u16 our_fcs, rcv_fcs;
5769 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5770 hdr_size = L2CAP_EXT_HDR_SIZE;
5772 hdr_size = L2CAP_ENH_HDR_SIZE;
5774 if (chan->fcs == L2CAP_FCS_CRC16) {
5775 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5776 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5777 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5779 if (our_fcs != rcv_fcs)
5785 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5787 struct l2cap_ctrl control;
5789 BT_DBG("chan %p", chan);
5791 memset(&control, 0, sizeof(control));
5794 control.reqseq = chan->buffer_seq;
5795 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5797 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5798 control.super = L2CAP_SUPER_RNR;
5799 l2cap_send_sframe(chan, &control);
5802 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5803 chan->unacked_frames > 0)
5804 __set_retrans_timer(chan);
5806 /* Send pending iframes */
5807 l2cap_ertm_send(chan);
5809 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5810 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5811 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5814 control.super = L2CAP_SUPER_RR;
5815 l2cap_send_sframe(chan, &control);
5819 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5820 struct sk_buff **last_frag)
5822 /* skb->len reflects data in skb as well as all fragments
5823 * skb->data_len reflects only data in fragments
5825 if (!skb_has_frag_list(skb))
5826 skb_shinfo(skb)->frag_list = new_frag;
5828 new_frag->next = NULL;
5830 (*last_frag)->next = new_frag;
5831 *last_frag = new_frag;
5833 skb->len += new_frag->len;
5834 skb->data_len += new_frag->len;
5835 skb->truesize += new_frag->truesize;
5838 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5839 struct l2cap_ctrl *control)
5843 switch (control->sar) {
5844 case L2CAP_SAR_UNSEGMENTED:
5848 err = chan->ops->recv(chan, skb);
5851 case L2CAP_SAR_START:
5855 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5858 chan->sdu_len = get_unaligned_le16(skb->data);
5859 skb_pull(skb, L2CAP_SDULEN_SIZE);
5861 if (chan->sdu_len > chan->imtu) {
5866 if (skb->len >= chan->sdu_len)
5870 chan->sdu_last_frag = skb;
5876 case L2CAP_SAR_CONTINUE:
5880 append_skb_frag(chan->sdu, skb,
5881 &chan->sdu_last_frag);
5884 if (chan->sdu->len >= chan->sdu_len)
5894 append_skb_frag(chan->sdu, skb,
5895 &chan->sdu_last_frag);
5898 if (chan->sdu->len != chan->sdu_len)
5901 err = chan->ops->recv(chan, chan->sdu);
5904 /* Reassembly complete */
5906 chan->sdu_last_frag = NULL;
5914 kfree_skb(chan->sdu);
5916 chan->sdu_last_frag = NULL;
5923 static int l2cap_resegment(struct l2cap_chan *chan)
5929 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5933 if (chan->mode != L2CAP_MODE_ERTM)
5936 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5937 l2cap_tx(chan, NULL, NULL, event);
5940 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5943 /* Pass sequential frames to l2cap_reassemble_sdu()
5944 * until a gap is encountered.
5947 BT_DBG("chan %p", chan);
5949 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5950 struct sk_buff *skb;
5951 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5952 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5954 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5959 skb_unlink(skb, &chan->srej_q);
5960 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5961 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5966 if (skb_queue_empty(&chan->srej_q)) {
5967 chan->rx_state = L2CAP_RX_STATE_RECV;
5968 l2cap_send_ack(chan);
5974 static void l2cap_handle_srej(struct l2cap_chan *chan,
5975 struct l2cap_ctrl *control)
5977 struct sk_buff *skb;
5979 BT_DBG("chan %p, control %p", chan, control);
5981 if (control->reqseq == chan->next_tx_seq) {
5982 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5983 l2cap_send_disconn_req(chan, ECONNRESET);
5987 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5990 BT_DBG("Seq %d not available for retransmission",
5995 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5996 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5997 l2cap_send_disconn_req(chan, ECONNRESET);
6001 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6003 if (control->poll) {
6004 l2cap_pass_to_tx(chan, control);
6006 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6007 l2cap_retransmit(chan, control);
6008 l2cap_ertm_send(chan);
6010 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6011 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6012 chan->srej_save_reqseq = control->reqseq;
6015 l2cap_pass_to_tx_fbit(chan, control);
6017 if (control->final) {
6018 if (chan->srej_save_reqseq != control->reqseq ||
6019 !test_and_clear_bit(CONN_SREJ_ACT,
6021 l2cap_retransmit(chan, control);
6023 l2cap_retransmit(chan, control);
6024 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6025 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6026 chan->srej_save_reqseq = control->reqseq;
6032 static void l2cap_handle_rej(struct l2cap_chan *chan,
6033 struct l2cap_ctrl *control)
6035 struct sk_buff *skb;
6037 BT_DBG("chan %p, control %p", chan, control);
6039 if (control->reqseq == chan->next_tx_seq) {
6040 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6041 l2cap_send_disconn_req(chan, ECONNRESET);
6045 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6047 if (chan->max_tx && skb &&
6048 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6049 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6050 l2cap_send_disconn_req(chan, ECONNRESET);
6054 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6056 l2cap_pass_to_tx(chan, control);
6058 if (control->final) {
6059 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6060 l2cap_retransmit_all(chan, control);
6062 l2cap_retransmit_all(chan, control);
6063 l2cap_ertm_send(chan);
6064 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6065 set_bit(CONN_REJ_ACT, &chan->conn_state);
6069 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6071 BT_DBG("chan %p, txseq %d", chan, txseq);
6073 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6074 chan->expected_tx_seq);
6076 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6077 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6079 /* See notes below regarding "double poll" and
6082 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6083 BT_DBG("Invalid/Ignore - after SREJ");
6084 return L2CAP_TXSEQ_INVALID_IGNORE;
6086 BT_DBG("Invalid - in window after SREJ sent");
6087 return L2CAP_TXSEQ_INVALID;
6091 if (chan->srej_list.head == txseq) {
6092 BT_DBG("Expected SREJ");
6093 return L2CAP_TXSEQ_EXPECTED_SREJ;
6096 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6097 BT_DBG("Duplicate SREJ - txseq already stored");
6098 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6101 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6102 BT_DBG("Unexpected SREJ - not requested");
6103 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6107 if (chan->expected_tx_seq == txseq) {
6108 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6110 BT_DBG("Invalid - txseq outside tx window");
6111 return L2CAP_TXSEQ_INVALID;
6114 return L2CAP_TXSEQ_EXPECTED;
6118 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6119 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6120 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6121 return L2CAP_TXSEQ_DUPLICATE;
6124 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6125 /* A source of invalid packets is a "double poll" condition,
6126 * where delays cause us to send multiple poll packets. If
6127 * the remote stack receives and processes both polls,
6128 * sequence numbers can wrap around in such a way that a
6129 * resent frame has a sequence number that looks like new data
6130 * with a sequence gap. This would trigger an erroneous SREJ
6133 * Fortunately, this is impossible with a tx window that's
6134 * less than half of the maximum sequence number, which allows
6135 * invalid frames to be safely ignored.
6137 * With tx window sizes greater than half of the tx window
6138 * maximum, the frame is invalid and cannot be ignored. This
6139 * causes a disconnect.
6142 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6143 BT_DBG("Invalid/Ignore - txseq outside tx window");
6144 return L2CAP_TXSEQ_INVALID_IGNORE;
6146 BT_DBG("Invalid - txseq outside tx window");
6147 return L2CAP_TXSEQ_INVALID;
6150 BT_DBG("Unexpected - txseq indicates missing frames");
6151 return L2CAP_TXSEQ_UNEXPECTED;
6155 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6156 struct l2cap_ctrl *control,
6157 struct sk_buff *skb, u8 event)
6160 bool skb_in_use = false;
6162 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6166 case L2CAP_EV_RECV_IFRAME:
6167 switch (l2cap_classify_txseq(chan, control->txseq)) {
6168 case L2CAP_TXSEQ_EXPECTED:
6169 l2cap_pass_to_tx(chan, control);
6171 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6172 BT_DBG("Busy, discarding expected seq %d",
6177 chan->expected_tx_seq = __next_seq(chan,
6180 chan->buffer_seq = chan->expected_tx_seq;
6183 err = l2cap_reassemble_sdu(chan, skb, control);
6187 if (control->final) {
6188 if (!test_and_clear_bit(CONN_REJ_ACT,
6189 &chan->conn_state)) {
6191 l2cap_retransmit_all(chan, control);
6192 l2cap_ertm_send(chan);
6196 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6197 l2cap_send_ack(chan);
6199 case L2CAP_TXSEQ_UNEXPECTED:
6200 l2cap_pass_to_tx(chan, control);
6202 /* Can't issue SREJ frames in the local busy state.
6203 * Drop this frame, it will be seen as missing
6204 * when local busy is exited.
6206 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6207 BT_DBG("Busy, discarding unexpected seq %d",
6212 /* There was a gap in the sequence, so an SREJ
6213 * must be sent for each missing frame. The
6214 * current frame is stored for later use.
6216 skb_queue_tail(&chan->srej_q, skb);
6218 BT_DBG("Queued %p (queue len %d)", skb,
6219 skb_queue_len(&chan->srej_q));
6221 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6222 l2cap_seq_list_clear(&chan->srej_list);
6223 l2cap_send_srej(chan, control->txseq);
6225 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6227 case L2CAP_TXSEQ_DUPLICATE:
6228 l2cap_pass_to_tx(chan, control);
6230 case L2CAP_TXSEQ_INVALID_IGNORE:
6232 case L2CAP_TXSEQ_INVALID:
6234 l2cap_send_disconn_req(chan, ECONNRESET);
6238 case L2CAP_EV_RECV_RR:
6239 l2cap_pass_to_tx(chan, control);
6240 if (control->final) {
6241 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6243 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6244 !__chan_is_moving(chan)) {
6246 l2cap_retransmit_all(chan, control);
6249 l2cap_ertm_send(chan);
6250 } else if (control->poll) {
6251 l2cap_send_i_or_rr_or_rnr(chan);
6253 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6254 &chan->conn_state) &&
6255 chan->unacked_frames)
6256 __set_retrans_timer(chan);
6258 l2cap_ertm_send(chan);
6261 case L2CAP_EV_RECV_RNR:
6262 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6263 l2cap_pass_to_tx(chan, control);
6264 if (control && control->poll) {
6265 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6266 l2cap_send_rr_or_rnr(chan, 0);
6268 __clear_retrans_timer(chan);
6269 l2cap_seq_list_clear(&chan->retrans_list);
6271 case L2CAP_EV_RECV_REJ:
6272 l2cap_handle_rej(chan, control);
6274 case L2CAP_EV_RECV_SREJ:
6275 l2cap_handle_srej(chan, control);
6281 if (skb && !skb_in_use) {
6282 BT_DBG("Freeing %p", skb);
6289 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6290 struct l2cap_ctrl *control,
6291 struct sk_buff *skb, u8 event)
6294 u16 txseq = control->txseq;
6295 bool skb_in_use = false;
6297 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6301 case L2CAP_EV_RECV_IFRAME:
6302 switch (l2cap_classify_txseq(chan, txseq)) {
6303 case L2CAP_TXSEQ_EXPECTED:
6304 /* Keep frame for reassembly later */
6305 l2cap_pass_to_tx(chan, control);
6306 skb_queue_tail(&chan->srej_q, skb);
6308 BT_DBG("Queued %p (queue len %d)", skb,
6309 skb_queue_len(&chan->srej_q));
6311 chan->expected_tx_seq = __next_seq(chan, txseq);
6313 case L2CAP_TXSEQ_EXPECTED_SREJ:
6314 l2cap_seq_list_pop(&chan->srej_list);
6316 l2cap_pass_to_tx(chan, control);
6317 skb_queue_tail(&chan->srej_q, skb);
6319 BT_DBG("Queued %p (queue len %d)", skb,
6320 skb_queue_len(&chan->srej_q));
6322 err = l2cap_rx_queued_iframes(chan);
6327 case L2CAP_TXSEQ_UNEXPECTED:
6328 /* Got a frame that can't be reassembled yet.
6329 * Save it for later, and send SREJs to cover
6330 * the missing frames.
6332 skb_queue_tail(&chan->srej_q, skb);
6334 BT_DBG("Queued %p (queue len %d)", skb,
6335 skb_queue_len(&chan->srej_q));
6337 l2cap_pass_to_tx(chan, control);
6338 l2cap_send_srej(chan, control->txseq);
6340 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6341 /* This frame was requested with an SREJ, but
6342 * some expected retransmitted frames are
6343 * missing. Request retransmission of missing
6346 skb_queue_tail(&chan->srej_q, skb);
6348 BT_DBG("Queued %p (queue len %d)", skb,
6349 skb_queue_len(&chan->srej_q));
6351 l2cap_pass_to_tx(chan, control);
6352 l2cap_send_srej_list(chan, control->txseq);
6354 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6355 /* We've already queued this frame. Drop this copy. */
6356 l2cap_pass_to_tx(chan, control);
6358 case L2CAP_TXSEQ_DUPLICATE:
6359 /* Expecting a later sequence number, so this frame
6360 * was already received. Ignore it completely.
6363 case L2CAP_TXSEQ_INVALID_IGNORE:
6365 case L2CAP_TXSEQ_INVALID:
6367 l2cap_send_disconn_req(chan, ECONNRESET);
6371 case L2CAP_EV_RECV_RR:
6372 l2cap_pass_to_tx(chan, control);
6373 if (control->final) {
6374 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6376 if (!test_and_clear_bit(CONN_REJ_ACT,
6377 &chan->conn_state)) {
6379 l2cap_retransmit_all(chan, control);
6382 l2cap_ertm_send(chan);
6383 } else if (control->poll) {
6384 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6385 &chan->conn_state) &&
6386 chan->unacked_frames) {
6387 __set_retrans_timer(chan);
6390 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6391 l2cap_send_srej_tail(chan);
6393 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6394 &chan->conn_state) &&
6395 chan->unacked_frames)
6396 __set_retrans_timer(chan);
6398 l2cap_send_ack(chan);
6401 case L2CAP_EV_RECV_RNR:
6402 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6403 l2cap_pass_to_tx(chan, control);
6404 if (control->poll) {
6405 l2cap_send_srej_tail(chan);
6407 struct l2cap_ctrl rr_control;
6408 memset(&rr_control, 0, sizeof(rr_control));
6409 rr_control.sframe = 1;
6410 rr_control.super = L2CAP_SUPER_RR;
6411 rr_control.reqseq = chan->buffer_seq;
6412 l2cap_send_sframe(chan, &rr_control);
6416 case L2CAP_EV_RECV_REJ:
6417 l2cap_handle_rej(chan, control);
6419 case L2CAP_EV_RECV_SREJ:
6420 l2cap_handle_srej(chan, control);
6424 if (skb && !skb_in_use) {
6425 BT_DBG("Freeing %p", skb);
6432 static int l2cap_finish_move(struct l2cap_chan *chan)
6434 BT_DBG("chan %p", chan);
6436 chan->rx_state = L2CAP_RX_STATE_RECV;
6439 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6441 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6443 return l2cap_resegment(chan);
6446 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6447 struct l2cap_ctrl *control,
6448 struct sk_buff *skb, u8 event)
6452 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6458 l2cap_process_reqseq(chan, control->reqseq);
6460 if (!skb_queue_empty(&chan->tx_q))
6461 chan->tx_send_head = skb_peek(&chan->tx_q);
6463 chan->tx_send_head = NULL;
6465 /* Rewind next_tx_seq to the point expected
6468 chan->next_tx_seq = control->reqseq;
6469 chan->unacked_frames = 0;
6471 err = l2cap_finish_move(chan);
6475 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6476 l2cap_send_i_or_rr_or_rnr(chan);
6478 if (event == L2CAP_EV_RECV_IFRAME)
6481 return l2cap_rx_state_recv(chan, control, NULL, event);
6484 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6485 struct l2cap_ctrl *control,
6486 struct sk_buff *skb, u8 event)
6490 if (!control->final)
6493 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6495 chan->rx_state = L2CAP_RX_STATE_RECV;
6496 l2cap_process_reqseq(chan, control->reqseq);
6498 if (!skb_queue_empty(&chan->tx_q))
6499 chan->tx_send_head = skb_peek(&chan->tx_q);
6501 chan->tx_send_head = NULL;
6503 /* Rewind next_tx_seq to the point expected
6506 chan->next_tx_seq = control->reqseq;
6507 chan->unacked_frames = 0;
6510 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6512 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6514 err = l2cap_resegment(chan);
6517 err = l2cap_rx_state_recv(chan, control, skb, event);
6522 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6524 /* Make sure reqseq is for a packet that has been sent but not acked */
6527 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6528 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6531 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6532 struct sk_buff *skb, u8 event)
6536 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6537 control, skb, event, chan->rx_state);
6539 if (__valid_reqseq(chan, control->reqseq)) {
6540 switch (chan->rx_state) {
6541 case L2CAP_RX_STATE_RECV:
6542 err = l2cap_rx_state_recv(chan, control, skb, event);
6544 case L2CAP_RX_STATE_SREJ_SENT:
6545 err = l2cap_rx_state_srej_sent(chan, control, skb,
6548 case L2CAP_RX_STATE_WAIT_P:
6549 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6551 case L2CAP_RX_STATE_WAIT_F:
6552 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6559 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6560 control->reqseq, chan->next_tx_seq,
6561 chan->expected_ack_seq);
6562 l2cap_send_disconn_req(chan, ECONNRESET);
6568 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6569 struct sk_buff *skb)
6571 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6574 if (l2cap_classify_txseq(chan, control->txseq) ==
6575 L2CAP_TXSEQ_EXPECTED) {
6576 l2cap_pass_to_tx(chan, control);
6578 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6579 __next_seq(chan, chan->buffer_seq));
6581 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6583 l2cap_reassemble_sdu(chan, skb, control);
6586 kfree_skb(chan->sdu);
6589 chan->sdu_last_frag = NULL;
6593 BT_DBG("Freeing %p", skb);
6598 chan->last_acked_seq = control->txseq;
6599 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6604 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6606 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6610 __unpack_control(chan, skb);
6615 * We can just drop the corrupted I-frame here.
6616 * Receiver will miss it and start proper recovery
6617 * procedures and ask for retransmission.
6619 if (l2cap_check_fcs(chan, skb))
6622 if (!control->sframe && control->sar == L2CAP_SAR_START)
6623 len -= L2CAP_SDULEN_SIZE;
6625 if (chan->fcs == L2CAP_FCS_CRC16)
6626 len -= L2CAP_FCS_SIZE;
6628 if (len > chan->mps) {
6629 l2cap_send_disconn_req(chan, ECONNRESET);
6633 if ((chan->mode == L2CAP_MODE_ERTM ||
6634 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6637 if (!control->sframe) {
6640 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6641 control->sar, control->reqseq, control->final,
6644 /* Validate F-bit - F=0 always valid, F=1 only
6645 * valid in TX WAIT_F
6647 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6650 if (chan->mode != L2CAP_MODE_STREAMING) {
6651 event = L2CAP_EV_RECV_IFRAME;
6652 err = l2cap_rx(chan, control, skb, event);
6654 err = l2cap_stream_rx(chan, control, skb);
6658 l2cap_send_disconn_req(chan, ECONNRESET);
6660 const u8 rx_func_to_event[4] = {
6661 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6662 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6665 /* Only I-frames are expected in streaming mode */
6666 if (chan->mode == L2CAP_MODE_STREAMING)
6669 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6670 control->reqseq, control->final, control->poll,
6674 BT_ERR("Trailing bytes: %d in sframe", len);
6675 l2cap_send_disconn_req(chan, ECONNRESET);
6679 /* Validate F and P bits */
6680 if (control->final && (control->poll ||
6681 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6684 event = rx_func_to_event[control->super];
6685 if (l2cap_rx(chan, control, skb, event))
6686 l2cap_send_disconn_req(chan, ECONNRESET);
6696 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6698 struct l2cap_conn *conn = chan->conn;
6699 struct l2cap_le_credits pkt;
6702 /* We return more credits to the sender only after the amount of
6703 * credits falls below half of the initial amount.
6705 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6708 return_credits = le_max_credits - chan->rx_credits;
6710 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6712 chan->rx_credits += return_credits;
6714 pkt.cid = cpu_to_le16(chan->scid);
6715 pkt.credits = cpu_to_le16(return_credits);
6717 chan->ident = l2cap_get_ident(conn);
6719 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6722 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6726 if (!chan->rx_credits) {
6727 BT_ERR("No credits to receive LE L2CAP data");
6728 l2cap_send_disconn_req(chan, ECONNRESET);
6732 if (chan->imtu < skb->len) {
6733 BT_ERR("Too big LE L2CAP PDU");
6738 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6740 l2cap_chan_le_send_credits(chan);
6747 sdu_len = get_unaligned_le16(skb->data);
6748 skb_pull(skb, L2CAP_SDULEN_SIZE);
6750 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6751 sdu_len, skb->len, chan->imtu);
6753 if (sdu_len > chan->imtu) {
6754 BT_ERR("Too big LE L2CAP SDU length received");
6759 if (skb->len > sdu_len) {
6760 BT_ERR("Too much LE L2CAP data received");
6765 if (skb->len == sdu_len)
6766 return chan->ops->recv(chan, skb);
6769 chan->sdu_len = sdu_len;
6770 chan->sdu_last_frag = skb;
6775 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6776 chan->sdu->len, skb->len, chan->sdu_len);
6778 if (chan->sdu->len + skb->len > chan->sdu_len) {
6779 BT_ERR("Too much LE L2CAP data received");
6784 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6787 if (chan->sdu->len == chan->sdu_len) {
6788 err = chan->ops->recv(chan, chan->sdu);
6791 chan->sdu_last_frag = NULL;
6799 kfree_skb(chan->sdu);
6801 chan->sdu_last_frag = NULL;
6805 /* We can't return an error here since we took care of the skb
6806 * freeing internally. An error return would cause the caller to
6807 * do a double-free of the skb.
6812 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6813 struct sk_buff *skb)
6815 struct l2cap_chan *chan;
6817 chan = l2cap_get_chan_by_scid(conn, cid);
6819 if (cid == L2CAP_CID_A2MP) {
6820 chan = a2mp_channel_create(conn, skb);
6826 l2cap_chan_lock(chan);
6828 BT_DBG("unknown cid 0x%4.4x", cid);
6829 /* Drop packet and return */
6835 BT_DBG("chan %p, len %d", chan, skb->len);
6837 /* If we receive data on a fixed channel before the info req/rsp
6838 * procdure is done simply assume that the channel is supported
6839 * and mark it as ready.
6841 if (chan->chan_type == L2CAP_CHAN_FIXED)
6842 l2cap_chan_ready(chan);
6844 if (chan->state != BT_CONNECTED)
6847 switch (chan->mode) {
6848 case L2CAP_MODE_LE_FLOWCTL:
6849 if (l2cap_le_data_rcv(chan, skb) < 0)
6854 case L2CAP_MODE_BASIC:
6855 /* If socket recv buffers overflows we drop data here
6856 * which is *bad* because L2CAP has to be reliable.
6857 * But we don't have any other choice. L2CAP doesn't
6858 * provide flow control mechanism. */
6860 if (chan->imtu < skb->len) {
6861 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6865 if (!chan->ops->recv(chan, skb))
6869 case L2CAP_MODE_ERTM:
6870 case L2CAP_MODE_STREAMING:
6871 l2cap_data_rcv(chan, skb);
6875 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6883 l2cap_chan_unlock(chan);
6886 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6887 struct sk_buff *skb)
6889 struct hci_conn *hcon = conn->hcon;
6890 struct l2cap_chan *chan;
6892 if (hcon->type != ACL_LINK)
6895 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6900 BT_DBG("chan %p, len %d", chan, skb->len);
6902 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6905 if (chan->imtu < skb->len)
6908 /* Store remote BD_ADDR and PSM for msg_name */
6909 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6910 bt_cb(skb)->l2cap.psm = psm;
6912 if (!chan->ops->recv(chan, skb)) {
6913 l2cap_chan_put(chan);
6918 l2cap_chan_put(chan);
6923 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6925 struct l2cap_hdr *lh = (void *) skb->data;
6926 struct hci_conn *hcon = conn->hcon;
6930 if (hcon->state != BT_CONNECTED) {
6931 BT_DBG("queueing pending rx skb");
6932 skb_queue_tail(&conn->pending_rx, skb);
6936 skb_pull(skb, L2CAP_HDR_SIZE);
6937 cid = __le16_to_cpu(lh->cid);
6938 len = __le16_to_cpu(lh->len);
6940 if (len != skb->len) {
6945 /* Since we can't actively block incoming LE connections we must
6946 * at least ensure that we ignore incoming data from them.
6948 if (hcon->type == LE_LINK &&
6949 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6950 bdaddr_dst_type(hcon))) {
6955 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6958 case L2CAP_CID_SIGNALING:
6959 l2cap_sig_channel(conn, skb);
6962 case L2CAP_CID_CONN_LESS:
6963 psm = get_unaligned((__le16 *) skb->data);
6964 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6965 l2cap_conless_channel(conn, psm, skb);
6968 case L2CAP_CID_LE_SIGNALING:
6969 l2cap_le_sig_channel(conn, skb);
6973 l2cap_data_channel(conn, cid, skb);
6978 static void process_pending_rx(struct work_struct *work)
6980 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6982 struct sk_buff *skb;
6986 while ((skb = skb_dequeue(&conn->pending_rx)))
6987 l2cap_recv_frame(conn, skb);
6990 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6992 struct l2cap_conn *conn = hcon->l2cap_data;
6993 struct hci_chan *hchan;
6998 hchan = hci_chan_create(hcon);
7002 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7004 hci_chan_del(hchan);
7008 kref_init(&conn->ref);
7009 hcon->l2cap_data = conn;
7010 conn->hcon = hci_conn_get(hcon);
7011 conn->hchan = hchan;
7013 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7015 switch (hcon->type) {
7017 if (hcon->hdev->le_mtu) {
7018 conn->mtu = hcon->hdev->le_mtu;
7023 conn->mtu = hcon->hdev->acl_mtu;
7027 conn->feat_mask = 0;
7029 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7031 if (hcon->type == ACL_LINK &&
7032 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7033 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7035 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7036 (bredr_sc_enabled(hcon->hdev) ||
7037 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7038 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7040 mutex_init(&conn->ident_lock);
7041 mutex_init(&conn->chan_lock);
7043 INIT_LIST_HEAD(&conn->chan_l);
7044 INIT_LIST_HEAD(&conn->users);
7046 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7048 skb_queue_head_init(&conn->pending_rx);
7049 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7050 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7052 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7057 static bool is_valid_psm(u16 psm, u8 dst_type) {
7061 if (bdaddr_type_is_le(dst_type))
7062 return (psm <= 0x00ff);
7064 /* PSM must be odd and lsb of upper byte must be 0 */
7065 return ((psm & 0x0101) == 0x0001);
7068 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7069 bdaddr_t *dst, u8 dst_type)
7071 struct l2cap_conn *conn;
7072 struct hci_conn *hcon;
7073 struct hci_dev *hdev;
7076 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7077 dst_type, __le16_to_cpu(psm));
7079 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7081 return -EHOSTUNREACH;
7085 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7086 chan->chan_type != L2CAP_CHAN_RAW) {
7091 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7096 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7101 switch (chan->mode) {
7102 case L2CAP_MODE_BASIC:
7104 case L2CAP_MODE_LE_FLOWCTL:
7105 l2cap_le_flowctl_init(chan);
7107 case L2CAP_MODE_ERTM:
7108 case L2CAP_MODE_STREAMING:
7117 switch (chan->state) {
7121 /* Already connecting */
7126 /* Already connected */
7140 /* Set destination address and psm */
7141 bacpy(&chan->dst, dst);
7142 chan->dst_type = dst_type;
7147 if (bdaddr_type_is_le(dst_type)) {
7148 /* Convert from L2CAP channel address type to HCI address type
7150 if (dst_type == BDADDR_LE_PUBLIC)
7151 dst_type = ADDR_LE_DEV_PUBLIC;
7153 dst_type = ADDR_LE_DEV_RANDOM;
7155 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7156 hcon = hci_connect_le(hdev, dst, dst_type,
7158 HCI_LE_CONN_TIMEOUT,
7161 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7163 HCI_LE_CONN_TIMEOUT);
7166 u8 auth_type = l2cap_get_auth_type(chan);
7167 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7171 err = PTR_ERR(hcon);
7175 conn = l2cap_conn_add(hcon);
7177 hci_conn_drop(hcon);
7182 mutex_lock(&conn->chan_lock);
7183 l2cap_chan_lock(chan);
7185 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7186 hci_conn_drop(hcon);
7191 /* Update source addr of the socket */
7192 bacpy(&chan->src, &hcon->src);
7193 chan->src_type = bdaddr_src_type(hcon);
7195 __l2cap_chan_add(conn, chan);
7197 /* l2cap_chan_add takes its own ref so we can drop this one */
7198 hci_conn_drop(hcon);
7200 l2cap_state_change(chan, BT_CONNECT);
7201 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7203 /* Release chan->sport so that it can be reused by other
7204 * sockets (as it's only used for listening sockets).
7206 write_lock(&chan_list_lock);
7208 write_unlock(&chan_list_lock);
7210 if (hcon->state == BT_CONNECTED) {
7211 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7212 __clear_chan_timer(chan);
7213 if (l2cap_chan_check_security(chan, true))
7214 l2cap_state_change(chan, BT_CONNECTED);
7216 l2cap_do_start(chan);
7222 l2cap_chan_unlock(chan);
7223 mutex_unlock(&conn->chan_lock);
7225 hci_dev_unlock(hdev);
7229 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7231 /* ---- L2CAP interface with lower layer (HCI) ---- */
7233 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7235 int exact = 0, lm1 = 0, lm2 = 0;
7236 struct l2cap_chan *c;
7238 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7240 /* Find listening sockets and check their link_mode */
7241 read_lock(&chan_list_lock);
7242 list_for_each_entry(c, &chan_list, global_l) {
7243 if (c->state != BT_LISTEN)
7246 if (!bacmp(&c->src, &hdev->bdaddr)) {
7247 lm1 |= HCI_LM_ACCEPT;
7248 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7249 lm1 |= HCI_LM_MASTER;
7251 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7252 lm2 |= HCI_LM_ACCEPT;
7253 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7254 lm2 |= HCI_LM_MASTER;
7257 read_unlock(&chan_list_lock);
7259 return exact ? lm1 : lm2;
7262 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7263 * from an existing channel in the list or from the beginning of the
7264 * global list (by passing NULL as first parameter).
7266 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7267 struct hci_conn *hcon)
7269 u8 src_type = bdaddr_src_type(hcon);
7271 read_lock(&chan_list_lock);
7274 c = list_next_entry(c, global_l);
7276 c = list_entry(chan_list.next, typeof(*c), global_l);
7278 list_for_each_entry_from(c, &chan_list, global_l) {
7279 if (c->chan_type != L2CAP_CHAN_FIXED)
7281 if (c->state != BT_LISTEN)
7283 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7285 if (src_type != c->src_type)
7289 read_unlock(&chan_list_lock);
7293 read_unlock(&chan_list_lock);
7298 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7300 struct hci_dev *hdev = hcon->hdev;
7301 struct l2cap_conn *conn;
7302 struct l2cap_chan *pchan;
7305 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7308 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7311 l2cap_conn_del(hcon, bt_to_errno(status));
7315 conn = l2cap_conn_add(hcon);
7319 dst_type = bdaddr_dst_type(hcon);
7321 /* If device is blocked, do not create channels for it */
7322 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7325 /* Find fixed channels and notify them of the new connection. We
7326 * use multiple individual lookups, continuing each time where
7327 * we left off, because the list lock would prevent calling the
7328 * potentially sleeping l2cap_chan_lock() function.
7330 pchan = l2cap_global_fixed_chan(NULL, hcon);
7332 struct l2cap_chan *chan, *next;
7334 /* Client fixed channels should override server ones */
7335 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7338 l2cap_chan_lock(pchan);
7339 chan = pchan->ops->new_connection(pchan);
7341 bacpy(&chan->src, &hcon->src);
7342 bacpy(&chan->dst, &hcon->dst);
7343 chan->src_type = bdaddr_src_type(hcon);
7344 chan->dst_type = dst_type;
7346 __l2cap_chan_add(conn, chan);
7349 l2cap_chan_unlock(pchan);
7351 next = l2cap_global_fixed_chan(pchan, hcon);
7352 l2cap_chan_put(pchan);
7356 l2cap_conn_ready(conn);
7359 int l2cap_disconn_ind(struct hci_conn *hcon)
7361 struct l2cap_conn *conn = hcon->l2cap_data;
7363 BT_DBG("hcon %p", hcon);
7366 return HCI_ERROR_REMOTE_USER_TERM;
7367 return conn->disc_reason;
7370 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7372 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7375 BT_DBG("hcon %p reason %d", hcon, reason);
7377 l2cap_conn_del(hcon, bt_to_errno(reason));
7380 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7382 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7385 if (encrypt == 0x00) {
7386 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7387 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7388 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7389 chan->sec_level == BT_SECURITY_FIPS)
7390 l2cap_chan_close(chan, ECONNREFUSED);
7392 if (chan->sec_level == BT_SECURITY_MEDIUM)
7393 __clear_chan_timer(chan);
7397 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7399 struct l2cap_conn *conn = hcon->l2cap_data;
7400 struct l2cap_chan *chan;
7405 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7407 mutex_lock(&conn->chan_lock);
7409 list_for_each_entry(chan, &conn->chan_l, list) {
7410 l2cap_chan_lock(chan);
7412 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7413 state_to_string(chan->state));
7415 if (chan->scid == L2CAP_CID_A2MP) {
7416 l2cap_chan_unlock(chan);
7420 if (!status && encrypt)
7421 chan->sec_level = hcon->sec_level;
7423 if (!__l2cap_no_conn_pending(chan)) {
7424 l2cap_chan_unlock(chan);
7428 if (!status && (chan->state == BT_CONNECTED ||
7429 chan->state == BT_CONFIG)) {
7430 chan->ops->resume(chan);
7431 l2cap_check_encryption(chan, encrypt);
7432 l2cap_chan_unlock(chan);
7436 if (chan->state == BT_CONNECT) {
7438 l2cap_start_connection(chan);
7440 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7441 } else if (chan->state == BT_CONNECT2 &&
7442 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7443 struct l2cap_conn_rsp rsp;
7447 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7448 res = L2CAP_CR_PEND;
7449 stat = L2CAP_CS_AUTHOR_PEND;
7450 chan->ops->defer(chan);
7452 l2cap_state_change(chan, BT_CONFIG);
7453 res = L2CAP_CR_SUCCESS;
7454 stat = L2CAP_CS_NO_INFO;
7457 l2cap_state_change(chan, BT_DISCONN);
7458 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7459 res = L2CAP_CR_SEC_BLOCK;
7460 stat = L2CAP_CS_NO_INFO;
7463 rsp.scid = cpu_to_le16(chan->dcid);
7464 rsp.dcid = cpu_to_le16(chan->scid);
7465 rsp.result = cpu_to_le16(res);
7466 rsp.status = cpu_to_le16(stat);
7467 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7470 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7471 res == L2CAP_CR_SUCCESS) {
7473 set_bit(CONF_REQ_SENT, &chan->conf_state);
7474 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7476 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7478 chan->num_conf_req++;
7482 l2cap_chan_unlock(chan);
7485 mutex_unlock(&conn->chan_lock);
7488 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7490 struct l2cap_conn *conn = hcon->l2cap_data;
7491 struct l2cap_hdr *hdr;
7494 /* For AMP controller do not create l2cap conn */
7495 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7499 conn = l2cap_conn_add(hcon);
7504 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7508 case ACL_START_NO_FLUSH:
7511 BT_ERR("Unexpected start frame (len %d)", skb->len);
7512 kfree_skb(conn->rx_skb);
7513 conn->rx_skb = NULL;
7515 l2cap_conn_unreliable(conn, ECOMM);
7518 /* Start fragment always begin with Basic L2CAP header */
7519 if (skb->len < L2CAP_HDR_SIZE) {
7520 BT_ERR("Frame is too short (len %d)", skb->len);
7521 l2cap_conn_unreliable(conn, ECOMM);
7525 hdr = (struct l2cap_hdr *) skb->data;
7526 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7528 if (len == skb->len) {
7529 /* Complete frame received */
7530 l2cap_recv_frame(conn, skb);
7534 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7536 if (skb->len > len) {
7537 BT_ERR("Frame is too long (len %d, expected len %d)",
7539 l2cap_conn_unreliable(conn, ECOMM);
7543 /* Allocate skb for the complete frame (with header) */
7544 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7548 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7550 conn->rx_len = len - skb->len;
7554 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7556 if (!conn->rx_len) {
7557 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7558 l2cap_conn_unreliable(conn, ECOMM);
7562 if (skb->len > conn->rx_len) {
7563 BT_ERR("Fragment is too long (len %d, expected %d)",
7564 skb->len, conn->rx_len);
7565 kfree_skb(conn->rx_skb);
7566 conn->rx_skb = NULL;
7568 l2cap_conn_unreliable(conn, ECOMM);
7572 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7574 conn->rx_len -= skb->len;
7576 if (!conn->rx_len) {
7577 /* Complete frame received. l2cap_recv_frame
7578 * takes ownership of the skb so set the global
7579 * rx_skb pointer to NULL first.
7581 struct sk_buff *rx_skb = conn->rx_skb;
7582 conn->rx_skb = NULL;
7583 l2cap_recv_frame(conn, rx_skb);
7592 static struct hci_cb l2cap_cb = {
7594 .connect_cfm = l2cap_connect_cfm,
7595 .disconn_cfm = l2cap_disconn_cfm,
7596 .security_cfm = l2cap_security_cfm,
7599 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7601 struct l2cap_chan *c;
7603 read_lock(&chan_list_lock);
7605 list_for_each_entry(c, &chan_list, global_l) {
7606 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7607 &c->src, c->src_type, &c->dst, c->dst_type,
7608 c->state, __le16_to_cpu(c->psm),
7609 c->scid, c->dcid, c->imtu, c->omtu,
7610 c->sec_level, c->mode);
7613 read_unlock(&chan_list_lock);
7618 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7620 return single_open(file, l2cap_debugfs_show, inode->i_private);
7623 static const struct file_operations l2cap_debugfs_fops = {
7624 .open = l2cap_debugfs_open,
7626 .llseek = seq_lseek,
7627 .release = single_release,
7630 static struct dentry *l2cap_debugfs;
7632 int __init l2cap_init(void)
7636 err = l2cap_init_sockets();
7640 hci_register_cb(&l2cap_cb);
7642 if (IS_ERR_OR_NULL(bt_debugfs))
7645 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7646 NULL, &l2cap_debugfs_fops);
7648 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7650 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7656 void l2cap_exit(void)
7658 debugfs_remove(l2cap_debugfs);
7659 hci_unregister_cb(&l2cap_cb);
7660 l2cap_cleanup_sockets();
7663 module_param(disable_ertm, bool, 0644);
7664 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
git.samba.org / sfrench / cifs-2.6.git / blob