2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
36 #include <net/bluetooth/bluetooth.h>
37 #include <net/bluetooth/hci_core.h>
38 #include <net/bluetooth/l2cap.h>
44 #define LE_FLOWCTL_MAX_CREDITS 65535
48 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
50 static LIST_HEAD(chan_list);
51 static DEFINE_RWLOCK(chan_list_lock);
53 static u16 le_max_credits = L2CAP_LE_MAX_CREDITS;
54 static u16 le_default_mps = L2CAP_LE_DEFAULT_MPS;
56 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
57 u8 code, u8 ident, u16 dlen, void *data);
58 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
60 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
61 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
63 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
64 struct sk_buff_head *skbs, u8 event);
66 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
68 if (link_type == LE_LINK) {
69 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
70 return BDADDR_LE_PUBLIC;
72 return BDADDR_LE_RANDOM;
78 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
80 return bdaddr_type(hcon->type, hcon->src_type);
83 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
85 return bdaddr_type(hcon->type, hcon->dst_type);
88 /* ---- L2CAP channels ---- */
90 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
95 list_for_each_entry(c, &conn->chan_l, list) {
102 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
105 struct l2cap_chan *c;
107 list_for_each_entry(c, &conn->chan_l, list) {
114 /* Find channel with given SCID.
115 * Returns locked channel. */
116 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
119 struct l2cap_chan *c;
121 mutex_lock(&conn->chan_lock);
122 c = __l2cap_get_chan_by_scid(conn, cid);
125 mutex_unlock(&conn->chan_lock);
130 /* Find channel with given DCID.
131 * Returns locked channel.
133 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
136 struct l2cap_chan *c;
138 mutex_lock(&conn->chan_lock);
139 c = __l2cap_get_chan_by_dcid(conn, cid);
142 mutex_unlock(&conn->chan_lock);
147 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
150 struct l2cap_chan *c;
152 list_for_each_entry(c, &conn->chan_l, list) {
153 if (c->ident == ident)
159 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
162 struct l2cap_chan *c;
164 mutex_lock(&conn->chan_lock);
165 c = __l2cap_get_chan_by_ident(conn, ident);
168 mutex_unlock(&conn->chan_lock);
173 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
175 struct l2cap_chan *c;
177 list_for_each_entry(c, &chan_list, global_l) {
178 if (c->sport == psm && !bacmp(&c->src, src))
184 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
188 write_lock(&chan_list_lock);
190 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
200 u16 p, start, end, incr;
202 if (chan->src_type == BDADDR_BREDR) {
203 start = L2CAP_PSM_DYN_START;
204 end = L2CAP_PSM_AUTO_END;
207 start = L2CAP_PSM_LE_DYN_START;
208 end = L2CAP_PSM_LE_DYN_END;
213 for (p = start; p <= end; p += incr)
214 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
215 chan->psm = cpu_to_le16(p);
216 chan->sport = cpu_to_le16(p);
223 write_unlock(&chan_list_lock);
226 EXPORT_SYMBOL_GPL(l2cap_add_psm);
228 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
230 write_lock(&chan_list_lock);
232 /* Override the defaults (which are for conn-oriented) */
233 chan->omtu = L2CAP_DEFAULT_MTU;
234 chan->chan_type = L2CAP_CHAN_FIXED;
238 write_unlock(&chan_list_lock);
243 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
247 if (conn->hcon->type == LE_LINK)
248 dyn_end = L2CAP_CID_LE_DYN_END;
250 dyn_end = L2CAP_CID_DYN_END;
252 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
253 if (!__l2cap_get_chan_by_scid(conn, cid))
260 static void l2cap_state_change(struct l2cap_chan *chan, int state)
262 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
263 state_to_string(state));
266 chan->ops->state_change(chan, state, 0);
269 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
273 chan->ops->state_change(chan, chan->state, err);
276 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
278 chan->ops->state_change(chan, chan->state, err);
281 static void __set_retrans_timer(struct l2cap_chan *chan)
283 if (!delayed_work_pending(&chan->monitor_timer) &&
284 chan->retrans_timeout) {
285 l2cap_set_timer(chan, &chan->retrans_timer,
286 msecs_to_jiffies(chan->retrans_timeout));
290 static void __set_monitor_timer(struct l2cap_chan *chan)
292 __clear_retrans_timer(chan);
293 if (chan->monitor_timeout) {
294 l2cap_set_timer(chan, &chan->monitor_timer,
295 msecs_to_jiffies(chan->monitor_timeout));
299 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
304 skb_queue_walk(head, skb) {
305 if (bt_cb(skb)->l2cap.txseq == seq)
312 /* ---- L2CAP sequence number lists ---- */
314 /* For ERTM, ordered lists of sequence numbers must be tracked for
315 * SREJ requests that are received and for frames that are to be
316 * retransmitted. These seq_list functions implement a singly-linked
317 * list in an array, where membership in the list can also be checked
318 * in constant time. Items can also be added to the tail of the list
319 * and removed from the head in constant time, without further memory
323 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
325 size_t alloc_size, i;
327 /* Allocated size is a power of 2 to map sequence numbers
328 * (which may be up to 14 bits) in to a smaller array that is
329 * sized for the negotiated ERTM transmit windows.
331 alloc_size = roundup_pow_of_two(size);
333 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
337 seq_list->mask = alloc_size - 1;
338 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
339 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
340 for (i = 0; i < alloc_size; i++)
341 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
346 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
348 kfree(seq_list->list);
351 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
354 /* Constant-time check for list membership */
355 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
358 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
360 u16 seq = seq_list->head;
361 u16 mask = seq_list->mask;
363 seq_list->head = seq_list->list[seq & mask];
364 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
366 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
367 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
368 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
374 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
378 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
381 for (i = 0; i <= seq_list->mask; i++)
382 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
384 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
385 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
388 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
390 u16 mask = seq_list->mask;
392 /* All appends happen in constant time */
394 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
397 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
398 seq_list->head = seq;
400 seq_list->list[seq_list->tail & mask] = seq;
402 seq_list->tail = seq;
403 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
406 static void l2cap_chan_timeout(struct work_struct *work)
408 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
410 struct l2cap_conn *conn = chan->conn;
413 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
415 mutex_lock(&conn->chan_lock);
416 l2cap_chan_lock(chan);
418 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
419 reason = ECONNREFUSED;
420 else if (chan->state == BT_CONNECT &&
421 chan->sec_level != BT_SECURITY_SDP)
422 reason = ECONNREFUSED;
426 l2cap_chan_close(chan, reason);
428 l2cap_chan_unlock(chan);
430 chan->ops->close(chan);
431 mutex_unlock(&conn->chan_lock);
433 l2cap_chan_put(chan);
436 struct l2cap_chan *l2cap_chan_create(void)
438 struct l2cap_chan *chan;
440 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
444 mutex_init(&chan->lock);
446 /* Set default lock nesting level */
447 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
449 write_lock(&chan_list_lock);
450 list_add(&chan->global_l, &chan_list);
451 write_unlock(&chan_list_lock);
453 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
455 chan->state = BT_OPEN;
457 kref_init(&chan->kref);
459 /* This flag is cleared in l2cap_chan_ready() */
460 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
462 BT_DBG("chan %p", chan);
466 EXPORT_SYMBOL_GPL(l2cap_chan_create);
468 static void l2cap_chan_destroy(struct kref *kref)
470 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
472 BT_DBG("chan %p", chan);
474 write_lock(&chan_list_lock);
475 list_del(&chan->global_l);
476 write_unlock(&chan_list_lock);
481 void l2cap_chan_hold(struct l2cap_chan *c)
483 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
488 void l2cap_chan_put(struct l2cap_chan *c)
490 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
492 kref_put(&c->kref, l2cap_chan_destroy);
494 EXPORT_SYMBOL_GPL(l2cap_chan_put);
496 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
498 chan->fcs = L2CAP_FCS_CRC16;
499 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
500 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
501 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
502 chan->remote_max_tx = chan->max_tx;
503 chan->remote_tx_win = chan->tx_win;
504 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
505 chan->sec_level = BT_SECURITY_LOW;
506 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
507 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
508 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
509 chan->conf_state = 0;
511 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
513 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
515 static void l2cap_le_flowctl_init(struct l2cap_chan *chan)
518 chan->sdu_last_frag = NULL;
520 chan->tx_credits = 0;
521 chan->rx_credits = le_max_credits;
522 chan->mps = min_t(u16, chan->imtu, le_default_mps);
524 skb_queue_head_init(&chan->tx_q);
527 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
529 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
530 __le16_to_cpu(chan->psm), chan->dcid);
532 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
536 switch (chan->chan_type) {
537 case L2CAP_CHAN_CONN_ORIENTED:
538 /* Alloc CID for connection-oriented socket */
539 chan->scid = l2cap_alloc_cid(conn);
540 if (conn->hcon->type == ACL_LINK)
541 chan->omtu = L2CAP_DEFAULT_MTU;
544 case L2CAP_CHAN_CONN_LESS:
545 /* Connectionless socket */
546 chan->scid = L2CAP_CID_CONN_LESS;
547 chan->dcid = L2CAP_CID_CONN_LESS;
548 chan->omtu = L2CAP_DEFAULT_MTU;
551 case L2CAP_CHAN_FIXED:
552 /* Caller will set CID and CID specific MTU values */
556 /* Raw socket can send/recv signalling messages only */
557 chan->scid = L2CAP_CID_SIGNALING;
558 chan->dcid = L2CAP_CID_SIGNALING;
559 chan->omtu = L2CAP_DEFAULT_MTU;
562 chan->local_id = L2CAP_BESTEFFORT_ID;
563 chan->local_stype = L2CAP_SERV_BESTEFFORT;
564 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
565 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
566 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
567 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
569 l2cap_chan_hold(chan);
571 /* Only keep a reference for fixed channels if they requested it */
572 if (chan->chan_type != L2CAP_CHAN_FIXED ||
573 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
574 hci_conn_hold(conn->hcon);
576 list_add(&chan->list, &conn->chan_l);
579 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
581 mutex_lock(&conn->chan_lock);
582 __l2cap_chan_add(conn, chan);
583 mutex_unlock(&conn->chan_lock);
586 void l2cap_chan_del(struct l2cap_chan *chan, int err)
588 struct l2cap_conn *conn = chan->conn;
590 __clear_chan_timer(chan);
592 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
593 state_to_string(chan->state));
595 chan->ops->teardown(chan, err);
598 struct amp_mgr *mgr = conn->hcon->amp_mgr;
599 /* Delete from channel list */
600 list_del(&chan->list);
602 l2cap_chan_put(chan);
606 /* Reference was only held for non-fixed channels or
607 * fixed channels that explicitly requested it using the
608 * FLAG_HOLD_HCI_CONN flag.
610 if (chan->chan_type != L2CAP_CHAN_FIXED ||
611 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
612 hci_conn_drop(conn->hcon);
614 if (mgr && mgr->bredr_chan == chan)
615 mgr->bredr_chan = NULL;
618 if (chan->hs_hchan) {
619 struct hci_chan *hs_hchan = chan->hs_hchan;
621 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
622 amp_disconnect_logical_link(hs_hchan);
625 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
629 case L2CAP_MODE_BASIC:
632 case L2CAP_MODE_LE_FLOWCTL:
633 skb_queue_purge(&chan->tx_q);
636 case L2CAP_MODE_ERTM:
637 __clear_retrans_timer(chan);
638 __clear_monitor_timer(chan);
639 __clear_ack_timer(chan);
641 skb_queue_purge(&chan->srej_q);
643 l2cap_seq_list_free(&chan->srej_list);
644 l2cap_seq_list_free(&chan->retrans_list);
648 case L2CAP_MODE_STREAMING:
649 skb_queue_purge(&chan->tx_q);
655 EXPORT_SYMBOL_GPL(l2cap_chan_del);
657 static void l2cap_conn_update_id_addr(struct work_struct *work)
659 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
660 id_addr_update_work);
661 struct hci_conn *hcon = conn->hcon;
662 struct l2cap_chan *chan;
664 mutex_lock(&conn->chan_lock);
666 list_for_each_entry(chan, &conn->chan_l, list) {
667 l2cap_chan_lock(chan);
668 bacpy(&chan->dst, &hcon->dst);
669 chan->dst_type = bdaddr_dst_type(hcon);
670 l2cap_chan_unlock(chan);
673 mutex_unlock(&conn->chan_lock);
676 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
678 struct l2cap_conn *conn = chan->conn;
679 struct l2cap_le_conn_rsp rsp;
682 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
683 result = L2CAP_CR_AUTHORIZATION;
685 result = L2CAP_CR_BAD_PSM;
687 l2cap_state_change(chan, BT_DISCONN);
689 rsp.dcid = cpu_to_le16(chan->scid);
690 rsp.mtu = cpu_to_le16(chan->imtu);
691 rsp.mps = cpu_to_le16(chan->mps);
692 rsp.credits = cpu_to_le16(chan->rx_credits);
693 rsp.result = cpu_to_le16(result);
695 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
699 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
701 struct l2cap_conn *conn = chan->conn;
702 struct l2cap_conn_rsp rsp;
705 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
706 result = L2CAP_CR_SEC_BLOCK;
708 result = L2CAP_CR_BAD_PSM;
710 l2cap_state_change(chan, BT_DISCONN);
712 rsp.scid = cpu_to_le16(chan->dcid);
713 rsp.dcid = cpu_to_le16(chan->scid);
714 rsp.result = cpu_to_le16(result);
715 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
717 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
720 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
722 struct l2cap_conn *conn = chan->conn;
724 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
726 switch (chan->state) {
728 chan->ops->teardown(chan, 0);
733 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
734 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
735 l2cap_send_disconn_req(chan, reason);
737 l2cap_chan_del(chan, reason);
741 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
742 if (conn->hcon->type == ACL_LINK)
743 l2cap_chan_connect_reject(chan);
744 else if (conn->hcon->type == LE_LINK)
745 l2cap_chan_le_connect_reject(chan);
748 l2cap_chan_del(chan, reason);
753 l2cap_chan_del(chan, reason);
757 chan->ops->teardown(chan, 0);
761 EXPORT_SYMBOL(l2cap_chan_close);
763 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
765 switch (chan->chan_type) {
767 switch (chan->sec_level) {
768 case BT_SECURITY_HIGH:
769 case BT_SECURITY_FIPS:
770 return HCI_AT_DEDICATED_BONDING_MITM;
771 case BT_SECURITY_MEDIUM:
772 return HCI_AT_DEDICATED_BONDING;
774 return HCI_AT_NO_BONDING;
777 case L2CAP_CHAN_CONN_LESS:
778 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
779 if (chan->sec_level == BT_SECURITY_LOW)
780 chan->sec_level = BT_SECURITY_SDP;
782 if (chan->sec_level == BT_SECURITY_HIGH ||
783 chan->sec_level == BT_SECURITY_FIPS)
784 return HCI_AT_NO_BONDING_MITM;
786 return HCI_AT_NO_BONDING;
788 case L2CAP_CHAN_CONN_ORIENTED:
789 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
790 if (chan->sec_level == BT_SECURITY_LOW)
791 chan->sec_level = BT_SECURITY_SDP;
793 if (chan->sec_level == BT_SECURITY_HIGH ||
794 chan->sec_level == BT_SECURITY_FIPS)
795 return HCI_AT_NO_BONDING_MITM;
797 return HCI_AT_NO_BONDING;
801 switch (chan->sec_level) {
802 case BT_SECURITY_HIGH:
803 case BT_SECURITY_FIPS:
804 return HCI_AT_GENERAL_BONDING_MITM;
805 case BT_SECURITY_MEDIUM:
806 return HCI_AT_GENERAL_BONDING;
808 return HCI_AT_NO_BONDING;
814 /* Service level security */
815 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
817 struct l2cap_conn *conn = chan->conn;
820 if (conn->hcon->type == LE_LINK)
821 return smp_conn_security(conn->hcon, chan->sec_level);
823 auth_type = l2cap_get_auth_type(chan);
825 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
829 static u8 l2cap_get_ident(struct l2cap_conn *conn)
833 /* Get next available identificator.
834 * 1 - 128 are used by kernel.
835 * 129 - 199 are reserved.
836 * 200 - 254 are used by utilities like l2ping, etc.
839 mutex_lock(&conn->ident_lock);
841 if (++conn->tx_ident > 128)
846 mutex_unlock(&conn->ident_lock);
851 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
854 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
857 BT_DBG("code 0x%2.2x", code);
862 /* Use NO_FLUSH if supported or we have an LE link (which does
863 * not support auto-flushing packets) */
864 if (lmp_no_flush_capable(conn->hcon->hdev) ||
865 conn->hcon->type == LE_LINK)
866 flags = ACL_START_NO_FLUSH;
870 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
871 skb->priority = HCI_PRIO_MAX;
873 hci_send_acl(conn->hchan, skb, flags);
876 static bool __chan_is_moving(struct l2cap_chan *chan)
878 return chan->move_state != L2CAP_MOVE_STABLE &&
879 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
882 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
884 struct hci_conn *hcon = chan->conn->hcon;
887 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
890 if (chan->hs_hcon && !__chan_is_moving(chan)) {
892 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
899 /* Use NO_FLUSH for LE links (where this is the only option) or
900 * if the BR/EDR link supports it and flushing has not been
901 * explicitly requested (through FLAG_FLUSHABLE).
903 if (hcon->type == LE_LINK ||
904 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
905 lmp_no_flush_capable(hcon->hdev)))
906 flags = ACL_START_NO_FLUSH;
910 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
911 hci_send_acl(chan->conn->hchan, skb, flags);
914 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
916 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
917 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
919 if (enh & L2CAP_CTRL_FRAME_TYPE) {
922 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
923 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
930 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
931 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
938 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
940 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
941 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
943 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
946 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
947 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
954 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
955 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
962 static inline void __unpack_control(struct l2cap_chan *chan,
965 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
966 __unpack_extended_control(get_unaligned_le32(skb->data),
968 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
970 __unpack_enhanced_control(get_unaligned_le16(skb->data),
972 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
976 static u32 __pack_extended_control(struct l2cap_ctrl *control)
980 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
981 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
983 if (control->sframe) {
984 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
985 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
986 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
988 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
989 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
995 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
999 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1000 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1002 if (control->sframe) {
1003 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1004 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1005 packed |= L2CAP_CTRL_FRAME_TYPE;
1007 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1008 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1014 static inline void __pack_control(struct l2cap_chan *chan,
1015 struct l2cap_ctrl *control,
1016 struct sk_buff *skb)
1018 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1019 put_unaligned_le32(__pack_extended_control(control),
1020 skb->data + L2CAP_HDR_SIZE);
1022 put_unaligned_le16(__pack_enhanced_control(control),
1023 skb->data + L2CAP_HDR_SIZE);
1027 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1029 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1030 return L2CAP_EXT_HDR_SIZE;
1032 return L2CAP_ENH_HDR_SIZE;
1035 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1038 struct sk_buff *skb;
1039 struct l2cap_hdr *lh;
1040 int hlen = __ertm_hdr_size(chan);
1042 if (chan->fcs == L2CAP_FCS_CRC16)
1043 hlen += L2CAP_FCS_SIZE;
1045 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1048 return ERR_PTR(-ENOMEM);
1050 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1051 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1052 lh->cid = cpu_to_le16(chan->dcid);
1054 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1055 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1057 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1059 if (chan->fcs == L2CAP_FCS_CRC16) {
1060 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1061 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1064 skb->priority = HCI_PRIO_MAX;
1068 static void l2cap_send_sframe(struct l2cap_chan *chan,
1069 struct l2cap_ctrl *control)
1071 struct sk_buff *skb;
1074 BT_DBG("chan %p, control %p", chan, control);
1076 if (!control->sframe)
1079 if (__chan_is_moving(chan))
1082 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1086 if (control->super == L2CAP_SUPER_RR)
1087 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1088 else if (control->super == L2CAP_SUPER_RNR)
1089 set_bit(CONN_RNR_SENT, &chan->conn_state);
1091 if (control->super != L2CAP_SUPER_SREJ) {
1092 chan->last_acked_seq = control->reqseq;
1093 __clear_ack_timer(chan);
1096 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1097 control->final, control->poll, control->super);
1099 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1100 control_field = __pack_extended_control(control);
1102 control_field = __pack_enhanced_control(control);
1104 skb = l2cap_create_sframe_pdu(chan, control_field);
1106 l2cap_do_send(chan, skb);
1109 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1111 struct l2cap_ctrl control;
1113 BT_DBG("chan %p, poll %d", chan, poll);
1115 memset(&control, 0, sizeof(control));
1117 control.poll = poll;
1119 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1120 control.super = L2CAP_SUPER_RNR;
1122 control.super = L2CAP_SUPER_RR;
1124 control.reqseq = chan->buffer_seq;
1125 l2cap_send_sframe(chan, &control);
1128 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1130 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1133 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1136 static bool __amp_capable(struct l2cap_chan *chan)
1138 struct l2cap_conn *conn = chan->conn;
1139 struct hci_dev *hdev;
1140 bool amp_available = false;
1142 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1145 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1148 read_lock(&hci_dev_list_lock);
1149 list_for_each_entry(hdev, &hci_dev_list, list) {
1150 if (hdev->amp_type != AMP_TYPE_BREDR &&
1151 test_bit(HCI_UP, &hdev->flags)) {
1152 amp_available = true;
1156 read_unlock(&hci_dev_list_lock);
1158 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1159 return amp_available;
1164 static bool l2cap_check_efs(struct l2cap_chan *chan)
1166 /* Check EFS parameters */
1170 void l2cap_send_conn_req(struct l2cap_chan *chan)
1172 struct l2cap_conn *conn = chan->conn;
1173 struct l2cap_conn_req req;
1175 req.scid = cpu_to_le16(chan->scid);
1176 req.psm = chan->psm;
1178 chan->ident = l2cap_get_ident(conn);
1180 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1182 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1185 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1187 struct l2cap_create_chan_req req;
1188 req.scid = cpu_to_le16(chan->scid);
1189 req.psm = chan->psm;
1190 req.amp_id = amp_id;
1192 chan->ident = l2cap_get_ident(chan->conn);
1194 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1198 static void l2cap_move_setup(struct l2cap_chan *chan)
1200 struct sk_buff *skb;
1202 BT_DBG("chan %p", chan);
1204 if (chan->mode != L2CAP_MODE_ERTM)
1207 __clear_retrans_timer(chan);
1208 __clear_monitor_timer(chan);
1209 __clear_ack_timer(chan);
1211 chan->retry_count = 0;
1212 skb_queue_walk(&chan->tx_q, skb) {
1213 if (bt_cb(skb)->l2cap.retries)
1214 bt_cb(skb)->l2cap.retries = 1;
1219 chan->expected_tx_seq = chan->buffer_seq;
1221 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1222 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1223 l2cap_seq_list_clear(&chan->retrans_list);
1224 l2cap_seq_list_clear(&chan->srej_list);
1225 skb_queue_purge(&chan->srej_q);
1227 chan->tx_state = L2CAP_TX_STATE_XMIT;
1228 chan->rx_state = L2CAP_RX_STATE_MOVE;
1230 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1233 static void l2cap_move_done(struct l2cap_chan *chan)
1235 u8 move_role = chan->move_role;
1236 BT_DBG("chan %p", chan);
1238 chan->move_state = L2CAP_MOVE_STABLE;
1239 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1241 if (chan->mode != L2CAP_MODE_ERTM)
1244 switch (move_role) {
1245 case L2CAP_MOVE_ROLE_INITIATOR:
1246 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1247 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1249 case L2CAP_MOVE_ROLE_RESPONDER:
1250 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1255 static void l2cap_chan_ready(struct l2cap_chan *chan)
1257 /* The channel may have already been flagged as connected in
1258 * case of receiving data before the L2CAP info req/rsp
1259 * procedure is complete.
1261 if (chan->state == BT_CONNECTED)
1264 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1265 chan->conf_state = 0;
1266 __clear_chan_timer(chan);
1268 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1269 chan->ops->suspend(chan);
1271 chan->state = BT_CONNECTED;
1273 chan->ops->ready(chan);
1276 static void l2cap_le_connect(struct l2cap_chan *chan)
1278 struct l2cap_conn *conn = chan->conn;
1279 struct l2cap_le_conn_req req;
1281 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1284 req.psm = chan->psm;
1285 req.scid = cpu_to_le16(chan->scid);
1286 req.mtu = cpu_to_le16(chan->imtu);
1287 req.mps = cpu_to_le16(chan->mps);
1288 req.credits = cpu_to_le16(chan->rx_credits);
1290 chan->ident = l2cap_get_ident(conn);
1292 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1296 static void l2cap_le_start(struct l2cap_chan *chan)
1298 struct l2cap_conn *conn = chan->conn;
1300 if (!smp_conn_security(conn->hcon, chan->sec_level))
1304 l2cap_chan_ready(chan);
1308 if (chan->state == BT_CONNECT)
1309 l2cap_le_connect(chan);
1312 static void l2cap_start_connection(struct l2cap_chan *chan)
1314 if (__amp_capable(chan)) {
1315 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1316 a2mp_discover_amp(chan);
1317 } else if (chan->conn->hcon->type == LE_LINK) {
1318 l2cap_le_start(chan);
1320 l2cap_send_conn_req(chan);
1324 static void l2cap_request_info(struct l2cap_conn *conn)
1326 struct l2cap_info_req req;
1328 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1331 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1333 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1334 conn->info_ident = l2cap_get_ident(conn);
1336 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1338 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1342 static void l2cap_do_start(struct l2cap_chan *chan)
1344 struct l2cap_conn *conn = chan->conn;
1346 if (conn->hcon->type == LE_LINK) {
1347 l2cap_le_start(chan);
1351 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1352 l2cap_request_info(conn);
1356 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1359 if (l2cap_chan_check_security(chan, true) &&
1360 __l2cap_no_conn_pending(chan))
1361 l2cap_start_connection(chan);
1364 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1366 u32 local_feat_mask = l2cap_feat_mask;
1368 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1371 case L2CAP_MODE_ERTM:
1372 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1373 case L2CAP_MODE_STREAMING:
1374 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1380 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1382 struct l2cap_conn *conn = chan->conn;
1383 struct l2cap_disconn_req req;
1388 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1389 __clear_retrans_timer(chan);
1390 __clear_monitor_timer(chan);
1391 __clear_ack_timer(chan);
1394 if (chan->scid == L2CAP_CID_A2MP) {
1395 l2cap_state_change(chan, BT_DISCONN);
1399 req.dcid = cpu_to_le16(chan->dcid);
1400 req.scid = cpu_to_le16(chan->scid);
1401 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1404 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1407 /* ---- L2CAP connections ---- */
1408 static void l2cap_conn_start(struct l2cap_conn *conn)
1410 struct l2cap_chan *chan, *tmp;
1412 BT_DBG("conn %p", conn);
1414 mutex_lock(&conn->chan_lock);
1416 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1417 l2cap_chan_lock(chan);
1419 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1420 l2cap_chan_ready(chan);
1421 l2cap_chan_unlock(chan);
1425 if (chan->state == BT_CONNECT) {
1426 if (!l2cap_chan_check_security(chan, true) ||
1427 !__l2cap_no_conn_pending(chan)) {
1428 l2cap_chan_unlock(chan);
1432 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1433 && test_bit(CONF_STATE2_DEVICE,
1434 &chan->conf_state)) {
1435 l2cap_chan_close(chan, ECONNRESET);
1436 l2cap_chan_unlock(chan);
1440 l2cap_start_connection(chan);
1442 } else if (chan->state == BT_CONNECT2) {
1443 struct l2cap_conn_rsp rsp;
1445 rsp.scid = cpu_to_le16(chan->dcid);
1446 rsp.dcid = cpu_to_le16(chan->scid);
1448 if (l2cap_chan_check_security(chan, false)) {
1449 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1450 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1451 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1452 chan->ops->defer(chan);
1455 l2cap_state_change(chan, BT_CONFIG);
1456 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1457 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1460 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1461 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1464 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1467 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1468 rsp.result != L2CAP_CR_SUCCESS) {
1469 l2cap_chan_unlock(chan);
1473 set_bit(CONF_REQ_SENT, &chan->conf_state);
1474 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1475 l2cap_build_conf_req(chan, buf), buf);
1476 chan->num_conf_req++;
1479 l2cap_chan_unlock(chan);
1482 mutex_unlock(&conn->chan_lock);
1485 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1487 struct hci_conn *hcon = conn->hcon;
1488 struct hci_dev *hdev = hcon->hdev;
1490 BT_DBG("%s conn %p", hdev->name, conn);
1492 /* For outgoing pairing which doesn't necessarily have an
1493 * associated socket (e.g. mgmt_pair_device).
1496 smp_conn_security(hcon, hcon->pending_sec_level);
1498 /* For LE slave connections, make sure the connection interval
1499 * is in the range of the minium and maximum interval that has
1500 * been configured for this connection. If not, then trigger
1501 * the connection update procedure.
1503 if (hcon->role == HCI_ROLE_SLAVE &&
1504 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1505 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1506 struct l2cap_conn_param_update_req req;
1508 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1509 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1510 req.latency = cpu_to_le16(hcon->le_conn_latency);
1511 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1513 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1514 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1518 static void l2cap_conn_ready(struct l2cap_conn *conn)
1520 struct l2cap_chan *chan;
1521 struct hci_conn *hcon = conn->hcon;
1523 BT_DBG("conn %p", conn);
1525 if (hcon->type == ACL_LINK)
1526 l2cap_request_info(conn);
1528 mutex_lock(&conn->chan_lock);
1530 list_for_each_entry(chan, &conn->chan_l, list) {
1532 l2cap_chan_lock(chan);
1534 if (chan->scid == L2CAP_CID_A2MP) {
1535 l2cap_chan_unlock(chan);
1539 if (hcon->type == LE_LINK) {
1540 l2cap_le_start(chan);
1541 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1542 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1543 l2cap_chan_ready(chan);
1544 } else if (chan->state == BT_CONNECT) {
1545 l2cap_do_start(chan);
1548 l2cap_chan_unlock(chan);
1551 mutex_unlock(&conn->chan_lock);
1553 if (hcon->type == LE_LINK)
1554 l2cap_le_conn_ready(conn);
1556 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1559 /* Notify sockets that we cannot guaranty reliability anymore */
1560 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1562 struct l2cap_chan *chan;
1564 BT_DBG("conn %p", conn);
1566 mutex_lock(&conn->chan_lock);
1568 list_for_each_entry(chan, &conn->chan_l, list) {
1569 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1570 l2cap_chan_set_err(chan, err);
1573 mutex_unlock(&conn->chan_lock);
1576 static void l2cap_info_timeout(struct work_struct *work)
1578 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1581 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1582 conn->info_ident = 0;
1584 l2cap_conn_start(conn);
1589 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1590 * callback is called during registration. The ->remove callback is called
1591 * during unregistration.
1592 * An l2cap_user object can either be explicitly unregistered or when the
1593 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1594 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1595 * External modules must own a reference to the l2cap_conn object if they intend
1596 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1597 * any time if they don't.
1600 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1602 struct hci_dev *hdev = conn->hcon->hdev;
1605 /* We need to check whether l2cap_conn is registered. If it is not, we
1606 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1607 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1608 * relies on the parent hci_conn object to be locked. This itself relies
1609 * on the hci_dev object to be locked. So we must lock the hci device
1614 if (!list_empty(&user->list)) {
1619 /* conn->hchan is NULL after l2cap_conn_del() was called */
1625 ret = user->probe(conn, user);
1629 list_add(&user->list, &conn->users);
1633 hci_dev_unlock(hdev);
1636 EXPORT_SYMBOL(l2cap_register_user);
1638 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1640 struct hci_dev *hdev = conn->hcon->hdev;
1644 if (list_empty(&user->list))
1647 list_del_init(&user->list);
1648 user->remove(conn, user);
1651 hci_dev_unlock(hdev);
1653 EXPORT_SYMBOL(l2cap_unregister_user);
1655 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1657 struct l2cap_user *user;
1659 while (!list_empty(&conn->users)) {
1660 user = list_first_entry(&conn->users, struct l2cap_user, list);
1661 list_del_init(&user->list);
1662 user->remove(conn, user);
1666 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1668 struct l2cap_conn *conn = hcon->l2cap_data;
1669 struct l2cap_chan *chan, *l;
1674 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1676 kfree_skb(conn->rx_skb);
1678 skb_queue_purge(&conn->pending_rx);
1680 /* We can not call flush_work(&conn->pending_rx_work) here since we
1681 * might block if we are running on a worker from the same workqueue
1682 * pending_rx_work is waiting on.
1684 if (work_pending(&conn->pending_rx_work))
1685 cancel_work_sync(&conn->pending_rx_work);
1687 if (work_pending(&conn->id_addr_update_work))
1688 cancel_work_sync(&conn->id_addr_update_work);
1690 l2cap_unregister_all_users(conn);
1692 /* Force the connection to be immediately dropped */
1693 hcon->disc_timeout = 0;
1695 mutex_lock(&conn->chan_lock);
1698 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1699 l2cap_chan_hold(chan);
1700 l2cap_chan_lock(chan);
1702 l2cap_chan_del(chan, err);
1704 l2cap_chan_unlock(chan);
1706 chan->ops->close(chan);
1707 l2cap_chan_put(chan);
1710 mutex_unlock(&conn->chan_lock);
1712 hci_chan_del(conn->hchan);
1714 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1715 cancel_delayed_work_sync(&conn->info_timer);
1717 hcon->l2cap_data = NULL;
1719 l2cap_conn_put(conn);
1722 static void l2cap_conn_free(struct kref *ref)
1724 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1726 hci_conn_put(conn->hcon);
1730 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1732 kref_get(&conn->ref);
1735 EXPORT_SYMBOL(l2cap_conn_get);
1737 void l2cap_conn_put(struct l2cap_conn *conn)
1739 kref_put(&conn->ref, l2cap_conn_free);
1741 EXPORT_SYMBOL(l2cap_conn_put);
1743 /* ---- Socket interface ---- */
1745 /* Find socket with psm and source / destination bdaddr.
1746 * Returns closest match.
1748 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1753 struct l2cap_chan *c, *c1 = NULL;
1755 read_lock(&chan_list_lock);
1757 list_for_each_entry(c, &chan_list, global_l) {
1758 if (state && c->state != state)
1761 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1764 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1767 if (c->psm == psm) {
1768 int src_match, dst_match;
1769 int src_any, dst_any;
1772 src_match = !bacmp(&c->src, src);
1773 dst_match = !bacmp(&c->dst, dst);
1774 if (src_match && dst_match) {
1776 read_unlock(&chan_list_lock);
1781 src_any = !bacmp(&c->src, BDADDR_ANY);
1782 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1783 if ((src_match && dst_any) || (src_any && dst_match) ||
1784 (src_any && dst_any))
1790 l2cap_chan_hold(c1);
1792 read_unlock(&chan_list_lock);
1797 static void l2cap_monitor_timeout(struct work_struct *work)
1799 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1800 monitor_timer.work);
1802 BT_DBG("chan %p", chan);
1804 l2cap_chan_lock(chan);
1807 l2cap_chan_unlock(chan);
1808 l2cap_chan_put(chan);
1812 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1814 l2cap_chan_unlock(chan);
1815 l2cap_chan_put(chan);
1818 static void l2cap_retrans_timeout(struct work_struct *work)
1820 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1821 retrans_timer.work);
1823 BT_DBG("chan %p", chan);
1825 l2cap_chan_lock(chan);
1828 l2cap_chan_unlock(chan);
1829 l2cap_chan_put(chan);
1833 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1834 l2cap_chan_unlock(chan);
1835 l2cap_chan_put(chan);
1838 static void l2cap_streaming_send(struct l2cap_chan *chan,
1839 struct sk_buff_head *skbs)
1841 struct sk_buff *skb;
1842 struct l2cap_ctrl *control;
1844 BT_DBG("chan %p, skbs %p", chan, skbs);
1846 if (__chan_is_moving(chan))
1849 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1851 while (!skb_queue_empty(&chan->tx_q)) {
1853 skb = skb_dequeue(&chan->tx_q);
1855 bt_cb(skb)->l2cap.retries = 1;
1856 control = &bt_cb(skb)->l2cap;
1858 control->reqseq = 0;
1859 control->txseq = chan->next_tx_seq;
1861 __pack_control(chan, control, skb);
1863 if (chan->fcs == L2CAP_FCS_CRC16) {
1864 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1865 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1868 l2cap_do_send(chan, skb);
1870 BT_DBG("Sent txseq %u", control->txseq);
1872 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1873 chan->frames_sent++;
1877 static int l2cap_ertm_send(struct l2cap_chan *chan)
1879 struct sk_buff *skb, *tx_skb;
1880 struct l2cap_ctrl *control;
1883 BT_DBG("chan %p", chan);
1885 if (chan->state != BT_CONNECTED)
1888 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1891 if (__chan_is_moving(chan))
1894 while (chan->tx_send_head &&
1895 chan->unacked_frames < chan->remote_tx_win &&
1896 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1898 skb = chan->tx_send_head;
1900 bt_cb(skb)->l2cap.retries = 1;
1901 control = &bt_cb(skb)->l2cap;
1903 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1906 control->reqseq = chan->buffer_seq;
1907 chan->last_acked_seq = chan->buffer_seq;
1908 control->txseq = chan->next_tx_seq;
1910 __pack_control(chan, control, skb);
1912 if (chan->fcs == L2CAP_FCS_CRC16) {
1913 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1914 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1917 /* Clone after data has been modified. Data is assumed to be
1918 read-only (for locking purposes) on cloned sk_buffs.
1920 tx_skb = skb_clone(skb, GFP_KERNEL);
1925 __set_retrans_timer(chan);
1927 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1928 chan->unacked_frames++;
1929 chan->frames_sent++;
1932 if (skb_queue_is_last(&chan->tx_q, skb))
1933 chan->tx_send_head = NULL;
1935 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1937 l2cap_do_send(chan, tx_skb);
1938 BT_DBG("Sent txseq %u", control->txseq);
1941 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1942 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1947 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1949 struct l2cap_ctrl control;
1950 struct sk_buff *skb;
1951 struct sk_buff *tx_skb;
1954 BT_DBG("chan %p", chan);
1956 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1959 if (__chan_is_moving(chan))
1962 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1963 seq = l2cap_seq_list_pop(&chan->retrans_list);
1965 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1967 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1972 bt_cb(skb)->l2cap.retries++;
1973 control = bt_cb(skb)->l2cap;
1975 if (chan->max_tx != 0 &&
1976 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1977 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1978 l2cap_send_disconn_req(chan, ECONNRESET);
1979 l2cap_seq_list_clear(&chan->retrans_list);
1983 control.reqseq = chan->buffer_seq;
1984 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1989 if (skb_cloned(skb)) {
1990 /* Cloned sk_buffs are read-only, so we need a
1993 tx_skb = skb_copy(skb, GFP_KERNEL);
1995 tx_skb = skb_clone(skb, GFP_KERNEL);
1999 l2cap_seq_list_clear(&chan->retrans_list);
2003 /* Update skb contents */
2004 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2005 put_unaligned_le32(__pack_extended_control(&control),
2006 tx_skb->data + L2CAP_HDR_SIZE);
2008 put_unaligned_le16(__pack_enhanced_control(&control),
2009 tx_skb->data + L2CAP_HDR_SIZE);
2013 if (chan->fcs == L2CAP_FCS_CRC16) {
2014 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2015 tx_skb->len - L2CAP_FCS_SIZE);
2016 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2020 l2cap_do_send(chan, tx_skb);
2022 BT_DBG("Resent txseq %d", control.txseq);
2024 chan->last_acked_seq = chan->buffer_seq;
2028 static void l2cap_retransmit(struct l2cap_chan *chan,
2029 struct l2cap_ctrl *control)
2031 BT_DBG("chan %p, control %p", chan, control);
2033 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2034 l2cap_ertm_resend(chan);
2037 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2038 struct l2cap_ctrl *control)
2040 struct sk_buff *skb;
2042 BT_DBG("chan %p, control %p", chan, control);
2045 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2047 l2cap_seq_list_clear(&chan->retrans_list);
2049 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2052 if (chan->unacked_frames) {
2053 skb_queue_walk(&chan->tx_q, skb) {
2054 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2055 skb == chan->tx_send_head)
2059 skb_queue_walk_from(&chan->tx_q, skb) {
2060 if (skb == chan->tx_send_head)
2063 l2cap_seq_list_append(&chan->retrans_list,
2064 bt_cb(skb)->l2cap.txseq);
2067 l2cap_ertm_resend(chan);
2071 static void l2cap_send_ack(struct l2cap_chan *chan)
2073 struct l2cap_ctrl control;
2074 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2075 chan->last_acked_seq);
2078 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2079 chan, chan->last_acked_seq, chan->buffer_seq);
2081 memset(&control, 0, sizeof(control));
2084 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2085 chan->rx_state == L2CAP_RX_STATE_RECV) {
2086 __clear_ack_timer(chan);
2087 control.super = L2CAP_SUPER_RNR;
2088 control.reqseq = chan->buffer_seq;
2089 l2cap_send_sframe(chan, &control);
2091 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2092 l2cap_ertm_send(chan);
2093 /* If any i-frames were sent, they included an ack */
2094 if (chan->buffer_seq == chan->last_acked_seq)
2098 /* Ack now if the window is 3/4ths full.
2099 * Calculate without mul or div
2101 threshold = chan->ack_win;
2102 threshold += threshold << 1;
2105 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2108 if (frames_to_ack >= threshold) {
2109 __clear_ack_timer(chan);
2110 control.super = L2CAP_SUPER_RR;
2111 control.reqseq = chan->buffer_seq;
2112 l2cap_send_sframe(chan, &control);
2117 __set_ack_timer(chan);
2121 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2122 struct msghdr *msg, int len,
2123 int count, struct sk_buff *skb)
2125 struct l2cap_conn *conn = chan->conn;
2126 struct sk_buff **frag;
2129 if (copy_from_iter(skb_put(skb, count), count, &msg->msg_iter) != count)
2135 /* Continuation fragments (no L2CAP header) */
2136 frag = &skb_shinfo(skb)->frag_list;
2138 struct sk_buff *tmp;
2140 count = min_t(unsigned int, conn->mtu, len);
2142 tmp = chan->ops->alloc_skb(chan, 0, count,
2143 msg->msg_flags & MSG_DONTWAIT);
2145 return PTR_ERR(tmp);
2149 if (copy_from_iter(skb_put(*frag, count), count,
2150 &msg->msg_iter) != count)
2156 skb->len += (*frag)->len;
2157 skb->data_len += (*frag)->len;
2159 frag = &(*frag)->next;
2165 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2166 struct msghdr *msg, size_t len)
2168 struct l2cap_conn *conn = chan->conn;
2169 struct sk_buff *skb;
2170 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2171 struct l2cap_hdr *lh;
2173 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2174 __le16_to_cpu(chan->psm), len);
2176 count = min_t(unsigned int, (conn->mtu - hlen), len);
2178 skb = chan->ops->alloc_skb(chan, hlen, count,
2179 msg->msg_flags & MSG_DONTWAIT);
2183 /* Create L2CAP header */
2184 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2185 lh->cid = cpu_to_le16(chan->dcid);
2186 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2187 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2189 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2190 if (unlikely(err < 0)) {
2192 return ERR_PTR(err);
2197 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2198 struct msghdr *msg, size_t len)
2200 struct l2cap_conn *conn = chan->conn;
2201 struct sk_buff *skb;
2203 struct l2cap_hdr *lh;
2205 BT_DBG("chan %p len %zu", chan, len);
2207 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2209 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2210 msg->msg_flags & MSG_DONTWAIT);
2214 /* Create L2CAP header */
2215 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2216 lh->cid = cpu_to_le16(chan->dcid);
2217 lh->len = cpu_to_le16(len);
2219 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2220 if (unlikely(err < 0)) {
2222 return ERR_PTR(err);
2227 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2228 struct msghdr *msg, size_t len,
2231 struct l2cap_conn *conn = chan->conn;
2232 struct sk_buff *skb;
2233 int err, count, hlen;
2234 struct l2cap_hdr *lh;
2236 BT_DBG("chan %p len %zu", chan, len);
2239 return ERR_PTR(-ENOTCONN);
2241 hlen = __ertm_hdr_size(chan);
2244 hlen += L2CAP_SDULEN_SIZE;
2246 if (chan->fcs == L2CAP_FCS_CRC16)
2247 hlen += L2CAP_FCS_SIZE;
2249 count = min_t(unsigned int, (conn->mtu - hlen), len);
2251 skb = chan->ops->alloc_skb(chan, hlen, count,
2252 msg->msg_flags & MSG_DONTWAIT);
2256 /* Create L2CAP header */
2257 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2258 lh->cid = cpu_to_le16(chan->dcid);
2259 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2261 /* Control header is populated later */
2262 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2263 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2265 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2268 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2270 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2271 if (unlikely(err < 0)) {
2273 return ERR_PTR(err);
2276 bt_cb(skb)->l2cap.fcs = chan->fcs;
2277 bt_cb(skb)->l2cap.retries = 0;
2281 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2282 struct sk_buff_head *seg_queue,
2283 struct msghdr *msg, size_t len)
2285 struct sk_buff *skb;
2290 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2292 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2293 * so fragmented skbs are not used. The HCI layer's handling
2294 * of fragmented skbs is not compatible with ERTM's queueing.
2297 /* PDU size is derived from the HCI MTU */
2298 pdu_len = chan->conn->mtu;
2300 /* Constrain PDU size for BR/EDR connections */
2302 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2304 /* Adjust for largest possible L2CAP overhead. */
2306 pdu_len -= L2CAP_FCS_SIZE;
2308 pdu_len -= __ertm_hdr_size(chan);
2310 /* Remote device may have requested smaller PDUs */
2311 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2313 if (len <= pdu_len) {
2314 sar = L2CAP_SAR_UNSEGMENTED;
2318 sar = L2CAP_SAR_START;
2323 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2326 __skb_queue_purge(seg_queue);
2327 return PTR_ERR(skb);
2330 bt_cb(skb)->l2cap.sar = sar;
2331 __skb_queue_tail(seg_queue, skb);
2337 if (len <= pdu_len) {
2338 sar = L2CAP_SAR_END;
2341 sar = L2CAP_SAR_CONTINUE;
2348 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2350 size_t len, u16 sdulen)
2352 struct l2cap_conn *conn = chan->conn;
2353 struct sk_buff *skb;
2354 int err, count, hlen;
2355 struct l2cap_hdr *lh;
2357 BT_DBG("chan %p len %zu", chan, len);
2360 return ERR_PTR(-ENOTCONN);
2362 hlen = L2CAP_HDR_SIZE;
2365 hlen += L2CAP_SDULEN_SIZE;
2367 count = min_t(unsigned int, (conn->mtu - hlen), len);
2369 skb = chan->ops->alloc_skb(chan, hlen, count,
2370 msg->msg_flags & MSG_DONTWAIT);
2374 /* Create L2CAP header */
2375 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2376 lh->cid = cpu_to_le16(chan->dcid);
2377 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2380 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2382 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2383 if (unlikely(err < 0)) {
2385 return ERR_PTR(err);
2391 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2392 struct sk_buff_head *seg_queue,
2393 struct msghdr *msg, size_t len)
2395 struct sk_buff *skb;
2399 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2402 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2408 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2410 __skb_queue_purge(seg_queue);
2411 return PTR_ERR(skb);
2414 __skb_queue_tail(seg_queue, skb);
2420 pdu_len += L2CAP_SDULEN_SIZE;
2427 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2429 struct sk_buff *skb;
2431 struct sk_buff_head seg_queue;
2436 /* Connectionless channel */
2437 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2438 skb = l2cap_create_connless_pdu(chan, msg, len);
2440 return PTR_ERR(skb);
2442 /* Channel lock is released before requesting new skb and then
2443 * reacquired thus we need to recheck channel state.
2445 if (chan->state != BT_CONNECTED) {
2450 l2cap_do_send(chan, skb);
2454 switch (chan->mode) {
2455 case L2CAP_MODE_LE_FLOWCTL:
2456 /* Check outgoing MTU */
2457 if (len > chan->omtu)
2460 if (!chan->tx_credits)
2463 __skb_queue_head_init(&seg_queue);
2465 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2467 if (chan->state != BT_CONNECTED) {
2468 __skb_queue_purge(&seg_queue);
2475 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2477 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2478 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2482 if (!chan->tx_credits)
2483 chan->ops->suspend(chan);
2489 case L2CAP_MODE_BASIC:
2490 /* Check outgoing MTU */
2491 if (len > chan->omtu)
2494 /* Create a basic PDU */
2495 skb = l2cap_create_basic_pdu(chan, msg, len);
2497 return PTR_ERR(skb);
2499 /* Channel lock is released before requesting new skb and then
2500 * reacquired thus we need to recheck channel state.
2502 if (chan->state != BT_CONNECTED) {
2507 l2cap_do_send(chan, skb);
2511 case L2CAP_MODE_ERTM:
2512 case L2CAP_MODE_STREAMING:
2513 /* Check outgoing MTU */
2514 if (len > chan->omtu) {
2519 __skb_queue_head_init(&seg_queue);
2521 /* Do segmentation before calling in to the state machine,
2522 * since it's possible to block while waiting for memory
2525 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2527 /* The channel could have been closed while segmenting,
2528 * check that it is still connected.
2530 if (chan->state != BT_CONNECTED) {
2531 __skb_queue_purge(&seg_queue);
2538 if (chan->mode == L2CAP_MODE_ERTM)
2539 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2541 l2cap_streaming_send(chan, &seg_queue);
2545 /* If the skbs were not queued for sending, they'll still be in
2546 * seg_queue and need to be purged.
2548 __skb_queue_purge(&seg_queue);
2552 BT_DBG("bad state %1.1x", chan->mode);
2558 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2560 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2562 struct l2cap_ctrl control;
2565 BT_DBG("chan %p, txseq %u", chan, txseq);
2567 memset(&control, 0, sizeof(control));
2569 control.super = L2CAP_SUPER_SREJ;
2571 for (seq = chan->expected_tx_seq; seq != txseq;
2572 seq = __next_seq(chan, seq)) {
2573 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2574 control.reqseq = seq;
2575 l2cap_send_sframe(chan, &control);
2576 l2cap_seq_list_append(&chan->srej_list, seq);
2580 chan->expected_tx_seq = __next_seq(chan, txseq);
2583 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2585 struct l2cap_ctrl control;
2587 BT_DBG("chan %p", chan);
2589 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2592 memset(&control, 0, sizeof(control));
2594 control.super = L2CAP_SUPER_SREJ;
2595 control.reqseq = chan->srej_list.tail;
2596 l2cap_send_sframe(chan, &control);
2599 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2601 struct l2cap_ctrl control;
2605 BT_DBG("chan %p, txseq %u", chan, txseq);
2607 memset(&control, 0, sizeof(control));
2609 control.super = L2CAP_SUPER_SREJ;
2611 /* Capture initial list head to allow only one pass through the list. */
2612 initial_head = chan->srej_list.head;
2615 seq = l2cap_seq_list_pop(&chan->srej_list);
2616 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2619 control.reqseq = seq;
2620 l2cap_send_sframe(chan, &control);
2621 l2cap_seq_list_append(&chan->srej_list, seq);
2622 } while (chan->srej_list.head != initial_head);
2625 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2627 struct sk_buff *acked_skb;
2630 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2632 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2635 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2636 chan->expected_ack_seq, chan->unacked_frames);
2638 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2639 ackseq = __next_seq(chan, ackseq)) {
2641 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2643 skb_unlink(acked_skb, &chan->tx_q);
2644 kfree_skb(acked_skb);
2645 chan->unacked_frames--;
2649 chan->expected_ack_seq = reqseq;
2651 if (chan->unacked_frames == 0)
2652 __clear_retrans_timer(chan);
2654 BT_DBG("unacked_frames %u", chan->unacked_frames);
2657 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2659 BT_DBG("chan %p", chan);
2661 chan->expected_tx_seq = chan->buffer_seq;
2662 l2cap_seq_list_clear(&chan->srej_list);
2663 skb_queue_purge(&chan->srej_q);
2664 chan->rx_state = L2CAP_RX_STATE_RECV;
2667 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2668 struct l2cap_ctrl *control,
2669 struct sk_buff_head *skbs, u8 event)
2671 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2675 case L2CAP_EV_DATA_REQUEST:
2676 if (chan->tx_send_head == NULL)
2677 chan->tx_send_head = skb_peek(skbs);
2679 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2680 l2cap_ertm_send(chan);
2682 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2683 BT_DBG("Enter LOCAL_BUSY");
2684 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2686 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2687 /* The SREJ_SENT state must be aborted if we are to
2688 * enter the LOCAL_BUSY state.
2690 l2cap_abort_rx_srej_sent(chan);
2693 l2cap_send_ack(chan);
2696 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2697 BT_DBG("Exit LOCAL_BUSY");
2698 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2700 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2701 struct l2cap_ctrl local_control;
2703 memset(&local_control, 0, sizeof(local_control));
2704 local_control.sframe = 1;
2705 local_control.super = L2CAP_SUPER_RR;
2706 local_control.poll = 1;
2707 local_control.reqseq = chan->buffer_seq;
2708 l2cap_send_sframe(chan, &local_control);
2710 chan->retry_count = 1;
2711 __set_monitor_timer(chan);
2712 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2715 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2716 l2cap_process_reqseq(chan, control->reqseq);
2718 case L2CAP_EV_EXPLICIT_POLL:
2719 l2cap_send_rr_or_rnr(chan, 1);
2720 chan->retry_count = 1;
2721 __set_monitor_timer(chan);
2722 __clear_ack_timer(chan);
2723 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2725 case L2CAP_EV_RETRANS_TO:
2726 l2cap_send_rr_or_rnr(chan, 1);
2727 chan->retry_count = 1;
2728 __set_monitor_timer(chan);
2729 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2731 case L2CAP_EV_RECV_FBIT:
2732 /* Nothing to process */
2739 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2740 struct l2cap_ctrl *control,
2741 struct sk_buff_head *skbs, u8 event)
2743 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2747 case L2CAP_EV_DATA_REQUEST:
2748 if (chan->tx_send_head == NULL)
2749 chan->tx_send_head = skb_peek(skbs);
2750 /* Queue data, but don't send. */
2751 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2753 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2754 BT_DBG("Enter LOCAL_BUSY");
2755 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2757 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2758 /* The SREJ_SENT state must be aborted if we are to
2759 * enter the LOCAL_BUSY state.
2761 l2cap_abort_rx_srej_sent(chan);
2764 l2cap_send_ack(chan);
2767 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2768 BT_DBG("Exit LOCAL_BUSY");
2769 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2771 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2772 struct l2cap_ctrl local_control;
2773 memset(&local_control, 0, sizeof(local_control));
2774 local_control.sframe = 1;
2775 local_control.super = L2CAP_SUPER_RR;
2776 local_control.poll = 1;
2777 local_control.reqseq = chan->buffer_seq;
2778 l2cap_send_sframe(chan, &local_control);
2780 chan->retry_count = 1;
2781 __set_monitor_timer(chan);
2782 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2785 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2786 l2cap_process_reqseq(chan, control->reqseq);
2790 case L2CAP_EV_RECV_FBIT:
2791 if (control && control->final) {
2792 __clear_monitor_timer(chan);
2793 if (chan->unacked_frames > 0)
2794 __set_retrans_timer(chan);
2795 chan->retry_count = 0;
2796 chan->tx_state = L2CAP_TX_STATE_XMIT;
2797 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2800 case L2CAP_EV_EXPLICIT_POLL:
2803 case L2CAP_EV_MONITOR_TO:
2804 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2805 l2cap_send_rr_or_rnr(chan, 1);
2806 __set_monitor_timer(chan);
2807 chan->retry_count++;
2809 l2cap_send_disconn_req(chan, ECONNABORTED);
2817 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2818 struct sk_buff_head *skbs, u8 event)
2820 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2821 chan, control, skbs, event, chan->tx_state);
2823 switch (chan->tx_state) {
2824 case L2CAP_TX_STATE_XMIT:
2825 l2cap_tx_state_xmit(chan, control, skbs, event);
2827 case L2CAP_TX_STATE_WAIT_F:
2828 l2cap_tx_state_wait_f(chan, control, skbs, event);
2836 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2837 struct l2cap_ctrl *control)
2839 BT_DBG("chan %p, control %p", chan, control);
2840 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2843 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2844 struct l2cap_ctrl *control)
2846 BT_DBG("chan %p, control %p", chan, control);
2847 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2850 /* Copy frame to all raw sockets on that connection */
2851 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2853 struct sk_buff *nskb;
2854 struct l2cap_chan *chan;
2856 BT_DBG("conn %p", conn);
2858 mutex_lock(&conn->chan_lock);
2860 list_for_each_entry(chan, &conn->chan_l, list) {
2861 if (chan->chan_type != L2CAP_CHAN_RAW)
2864 /* Don't send frame to the channel it came from */
2865 if (bt_cb(skb)->l2cap.chan == chan)
2868 nskb = skb_clone(skb, GFP_KERNEL);
2871 if (chan->ops->recv(chan, nskb))
2875 mutex_unlock(&conn->chan_lock);
2878 /* ---- L2CAP signalling commands ---- */
2879 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2880 u8 ident, u16 dlen, void *data)
2882 struct sk_buff *skb, **frag;
2883 struct l2cap_cmd_hdr *cmd;
2884 struct l2cap_hdr *lh;
2887 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2888 conn, code, ident, dlen);
2890 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2893 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2894 count = min_t(unsigned int, conn->mtu, len);
2896 skb = bt_skb_alloc(count, GFP_KERNEL);
2900 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2901 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2903 if (conn->hcon->type == LE_LINK)
2904 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2906 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2908 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2911 cmd->len = cpu_to_le16(dlen);
2914 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2915 memcpy(skb_put(skb, count), data, count);
2921 /* Continuation fragments (no L2CAP header) */
2922 frag = &skb_shinfo(skb)->frag_list;
2924 count = min_t(unsigned int, conn->mtu, len);
2926 *frag = bt_skb_alloc(count, GFP_KERNEL);
2930 memcpy(skb_put(*frag, count), data, count);
2935 frag = &(*frag)->next;
2945 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2948 struct l2cap_conf_opt *opt = *ptr;
2951 len = L2CAP_CONF_OPT_SIZE + opt->len;
2959 *val = *((u8 *) opt->val);
2963 *val = get_unaligned_le16(opt->val);
2967 *val = get_unaligned_le32(opt->val);
2971 *val = (unsigned long) opt->val;
2975 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2979 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2981 struct l2cap_conf_opt *opt = *ptr;
2983 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2990 *((u8 *) opt->val) = val;
2994 put_unaligned_le16(val, opt->val);
2998 put_unaligned_le32(val, opt->val);
3002 memcpy(opt->val, (void *) val, len);
3006 *ptr += L2CAP_CONF_OPT_SIZE + len;
3009 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
3011 struct l2cap_conf_efs efs;
3013 switch (chan->mode) {
3014 case L2CAP_MODE_ERTM:
3015 efs.id = chan->local_id;
3016 efs.stype = chan->local_stype;
3017 efs.msdu = cpu_to_le16(chan->local_msdu);
3018 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3019 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3020 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3023 case L2CAP_MODE_STREAMING:
3025 efs.stype = L2CAP_SERV_BESTEFFORT;
3026 efs.msdu = cpu_to_le16(chan->local_msdu);
3027 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3036 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3037 (unsigned long) &efs);
3040 static void l2cap_ack_timeout(struct work_struct *work)
3042 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3046 BT_DBG("chan %p", chan);
3048 l2cap_chan_lock(chan);
3050 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3051 chan->last_acked_seq);
3054 l2cap_send_rr_or_rnr(chan, 0);
3056 l2cap_chan_unlock(chan);
3057 l2cap_chan_put(chan);
3060 int l2cap_ertm_init(struct l2cap_chan *chan)
3064 chan->next_tx_seq = 0;
3065 chan->expected_tx_seq = 0;
3066 chan->expected_ack_seq = 0;
3067 chan->unacked_frames = 0;
3068 chan->buffer_seq = 0;
3069 chan->frames_sent = 0;
3070 chan->last_acked_seq = 0;
3072 chan->sdu_last_frag = NULL;
3075 skb_queue_head_init(&chan->tx_q);
3077 chan->local_amp_id = AMP_ID_BREDR;
3078 chan->move_id = AMP_ID_BREDR;
3079 chan->move_state = L2CAP_MOVE_STABLE;
3080 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3082 if (chan->mode != L2CAP_MODE_ERTM)
3085 chan->rx_state = L2CAP_RX_STATE_RECV;
3086 chan->tx_state = L2CAP_TX_STATE_XMIT;
3088 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3089 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3090 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3092 skb_queue_head_init(&chan->srej_q);
3094 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3098 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3100 l2cap_seq_list_free(&chan->srej_list);
3105 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3108 case L2CAP_MODE_STREAMING:
3109 case L2CAP_MODE_ERTM:
3110 if (l2cap_mode_supported(mode, remote_feat_mask))
3114 return L2CAP_MODE_BASIC;
3118 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3120 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3121 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3124 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3126 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3127 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3130 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3131 struct l2cap_conf_rfc *rfc)
3133 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3134 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3136 /* Class 1 devices have must have ERTM timeouts
3137 * exceeding the Link Supervision Timeout. The
3138 * default Link Supervision Timeout for AMP
3139 * controllers is 10 seconds.
3141 * Class 1 devices use 0xffffffff for their
3142 * best-effort flush timeout, so the clamping logic
3143 * will result in a timeout that meets the above
3144 * requirement. ERTM timeouts are 16-bit values, so
3145 * the maximum timeout is 65.535 seconds.
3148 /* Convert timeout to milliseconds and round */
3149 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3151 /* This is the recommended formula for class 2 devices
3152 * that start ERTM timers when packets are sent to the
3155 ertm_to = 3 * ertm_to + 500;
3157 if (ertm_to > 0xffff)
3160 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3161 rfc->monitor_timeout = rfc->retrans_timeout;
3163 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3164 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3168 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3170 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3171 __l2cap_ews_supported(chan->conn)) {
3172 /* use extended control field */
3173 set_bit(FLAG_EXT_CTRL, &chan->flags);
3174 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3176 chan->tx_win = min_t(u16, chan->tx_win,
3177 L2CAP_DEFAULT_TX_WINDOW);
3178 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3180 chan->ack_win = chan->tx_win;
3183 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3185 struct l2cap_conf_req *req = data;
3186 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3187 void *ptr = req->data;
3190 BT_DBG("chan %p", chan);
3192 if (chan->num_conf_req || chan->num_conf_rsp)
3195 switch (chan->mode) {
3196 case L2CAP_MODE_STREAMING:
3197 case L2CAP_MODE_ERTM:
3198 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3201 if (__l2cap_efs_supported(chan->conn))
3202 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3206 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3211 if (chan->imtu != L2CAP_DEFAULT_MTU)
3212 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3214 switch (chan->mode) {
3215 case L2CAP_MODE_BASIC:
3219 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3220 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3223 rfc.mode = L2CAP_MODE_BASIC;
3225 rfc.max_transmit = 0;
3226 rfc.retrans_timeout = 0;
3227 rfc.monitor_timeout = 0;
3228 rfc.max_pdu_size = 0;
3230 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3231 (unsigned long) &rfc);
3234 case L2CAP_MODE_ERTM:
3235 rfc.mode = L2CAP_MODE_ERTM;
3236 rfc.max_transmit = chan->max_tx;
3238 __l2cap_set_ertm_timeouts(chan, &rfc);
3240 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3241 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3243 rfc.max_pdu_size = cpu_to_le16(size);
3245 l2cap_txwin_setup(chan);
3247 rfc.txwin_size = min_t(u16, chan->tx_win,
3248 L2CAP_DEFAULT_TX_WINDOW);
3250 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3251 (unsigned long) &rfc);
3253 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3254 l2cap_add_opt_efs(&ptr, chan);
3256 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3257 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3260 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3261 if (chan->fcs == L2CAP_FCS_NONE ||
3262 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3263 chan->fcs = L2CAP_FCS_NONE;
3264 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3269 case L2CAP_MODE_STREAMING:
3270 l2cap_txwin_setup(chan);
3271 rfc.mode = L2CAP_MODE_STREAMING;
3273 rfc.max_transmit = 0;
3274 rfc.retrans_timeout = 0;
3275 rfc.monitor_timeout = 0;
3277 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3278 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3280 rfc.max_pdu_size = cpu_to_le16(size);
3282 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3283 (unsigned long) &rfc);
3285 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3286 l2cap_add_opt_efs(&ptr, chan);
3288 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3289 if (chan->fcs == L2CAP_FCS_NONE ||
3290 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3291 chan->fcs = L2CAP_FCS_NONE;
3292 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3298 req->dcid = cpu_to_le16(chan->dcid);
3299 req->flags = cpu_to_le16(0);
3304 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3306 struct l2cap_conf_rsp *rsp = data;
3307 void *ptr = rsp->data;
3308 void *req = chan->conf_req;
3309 int len = chan->conf_len;
3310 int type, hint, olen;
3312 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3313 struct l2cap_conf_efs efs;
3315 u16 mtu = L2CAP_DEFAULT_MTU;
3316 u16 result = L2CAP_CONF_SUCCESS;
3319 BT_DBG("chan %p", chan);
3321 while (len >= L2CAP_CONF_OPT_SIZE) {
3322 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3324 hint = type & L2CAP_CONF_HINT;
3325 type &= L2CAP_CONF_MASK;
3328 case L2CAP_CONF_MTU:
3332 case L2CAP_CONF_FLUSH_TO:
3333 chan->flush_to = val;
3336 case L2CAP_CONF_QOS:
3339 case L2CAP_CONF_RFC:
3340 if (olen == sizeof(rfc))
3341 memcpy(&rfc, (void *) val, olen);
3344 case L2CAP_CONF_FCS:
3345 if (val == L2CAP_FCS_NONE)
3346 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3349 case L2CAP_CONF_EFS:
3351 if (olen == sizeof(efs))
3352 memcpy(&efs, (void *) val, olen);
3355 case L2CAP_CONF_EWS:
3356 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3357 return -ECONNREFUSED;
3359 set_bit(FLAG_EXT_CTRL, &chan->flags);
3360 set_bit(CONF_EWS_RECV, &chan->conf_state);
3361 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3362 chan->remote_tx_win = val;
3369 result = L2CAP_CONF_UNKNOWN;
3370 *((u8 *) ptr++) = type;
3375 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3378 switch (chan->mode) {
3379 case L2CAP_MODE_STREAMING:
3380 case L2CAP_MODE_ERTM:
3381 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3382 chan->mode = l2cap_select_mode(rfc.mode,
3383 chan->conn->feat_mask);
3388 if (__l2cap_efs_supported(chan->conn))
3389 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3391 return -ECONNREFUSED;
3394 if (chan->mode != rfc.mode)
3395 return -ECONNREFUSED;
3401 if (chan->mode != rfc.mode) {
3402 result = L2CAP_CONF_UNACCEPT;
3403 rfc.mode = chan->mode;
3405 if (chan->num_conf_rsp == 1)
3406 return -ECONNREFUSED;
3408 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3409 (unsigned long) &rfc);
3412 if (result == L2CAP_CONF_SUCCESS) {
3413 /* Configure output options and let the other side know
3414 * which ones we don't like. */
3416 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3417 result = L2CAP_CONF_UNACCEPT;
3420 set_bit(CONF_MTU_DONE, &chan->conf_state);
3422 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3425 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3426 efs.stype != L2CAP_SERV_NOTRAFIC &&
3427 efs.stype != chan->local_stype) {
3429 result = L2CAP_CONF_UNACCEPT;
3431 if (chan->num_conf_req >= 1)
3432 return -ECONNREFUSED;
3434 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3436 (unsigned long) &efs);
3438 /* Send PENDING Conf Rsp */
3439 result = L2CAP_CONF_PENDING;
3440 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3445 case L2CAP_MODE_BASIC:
3446 chan->fcs = L2CAP_FCS_NONE;
3447 set_bit(CONF_MODE_DONE, &chan->conf_state);
3450 case L2CAP_MODE_ERTM:
3451 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3452 chan->remote_tx_win = rfc.txwin_size;
3454 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3456 chan->remote_max_tx = rfc.max_transmit;
3458 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3459 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3460 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3461 rfc.max_pdu_size = cpu_to_le16(size);
3462 chan->remote_mps = size;
3464 __l2cap_set_ertm_timeouts(chan, &rfc);
3466 set_bit(CONF_MODE_DONE, &chan->conf_state);
3468 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3469 sizeof(rfc), (unsigned long) &rfc);
3471 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3472 chan->remote_id = efs.id;
3473 chan->remote_stype = efs.stype;
3474 chan->remote_msdu = le16_to_cpu(efs.msdu);
3475 chan->remote_flush_to =
3476 le32_to_cpu(efs.flush_to);
3477 chan->remote_acc_lat =
3478 le32_to_cpu(efs.acc_lat);
3479 chan->remote_sdu_itime =
3480 le32_to_cpu(efs.sdu_itime);
3481 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3483 (unsigned long) &efs);
3487 case L2CAP_MODE_STREAMING:
3488 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3489 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3490 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3491 rfc.max_pdu_size = cpu_to_le16(size);
3492 chan->remote_mps = size;
3494 set_bit(CONF_MODE_DONE, &chan->conf_state);
3496 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3497 (unsigned long) &rfc);
3502 result = L2CAP_CONF_UNACCEPT;
3504 memset(&rfc, 0, sizeof(rfc));
3505 rfc.mode = chan->mode;
3508 if (result == L2CAP_CONF_SUCCESS)
3509 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3511 rsp->scid = cpu_to_le16(chan->dcid);
3512 rsp->result = cpu_to_le16(result);
3513 rsp->flags = cpu_to_le16(0);
3518 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3519 void *data, u16 *result)
3521 struct l2cap_conf_req *req = data;
3522 void *ptr = req->data;
3525 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3526 struct l2cap_conf_efs efs;
3528 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3530 while (len >= L2CAP_CONF_OPT_SIZE) {
3531 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3534 case L2CAP_CONF_MTU:
3535 if (val < L2CAP_DEFAULT_MIN_MTU) {
3536 *result = L2CAP_CONF_UNACCEPT;
3537 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3540 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3543 case L2CAP_CONF_FLUSH_TO:
3544 chan->flush_to = val;
3545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3549 case L2CAP_CONF_RFC:
3550 if (olen == sizeof(rfc))
3551 memcpy(&rfc, (void *)val, olen);
3553 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3554 rfc.mode != chan->mode)
3555 return -ECONNREFUSED;
3559 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3560 sizeof(rfc), (unsigned long) &rfc);
3563 case L2CAP_CONF_EWS:
3564 chan->ack_win = min_t(u16, val, chan->ack_win);
3565 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3569 case L2CAP_CONF_EFS:
3570 if (olen == sizeof(efs))
3571 memcpy(&efs, (void *)val, olen);
3573 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3574 efs.stype != L2CAP_SERV_NOTRAFIC &&
3575 efs.stype != chan->local_stype)
3576 return -ECONNREFUSED;
3578 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3579 (unsigned long) &efs);
3582 case L2CAP_CONF_FCS:
3583 if (*result == L2CAP_CONF_PENDING)
3584 if (val == L2CAP_FCS_NONE)
3585 set_bit(CONF_RECV_NO_FCS,
3591 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3592 return -ECONNREFUSED;
3594 chan->mode = rfc.mode;
3596 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3598 case L2CAP_MODE_ERTM:
3599 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3600 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3601 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3602 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3603 chan->ack_win = min_t(u16, chan->ack_win,
3606 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3607 chan->local_msdu = le16_to_cpu(efs.msdu);
3608 chan->local_sdu_itime =
3609 le32_to_cpu(efs.sdu_itime);
3610 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3611 chan->local_flush_to =
3612 le32_to_cpu(efs.flush_to);
3616 case L2CAP_MODE_STREAMING:
3617 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3621 req->dcid = cpu_to_le16(chan->dcid);
3622 req->flags = cpu_to_le16(0);
3627 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3628 u16 result, u16 flags)
3630 struct l2cap_conf_rsp *rsp = data;
3631 void *ptr = rsp->data;
3633 BT_DBG("chan %p", chan);
3635 rsp->scid = cpu_to_le16(chan->dcid);
3636 rsp->result = cpu_to_le16(result);
3637 rsp->flags = cpu_to_le16(flags);
3642 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3644 struct l2cap_le_conn_rsp rsp;
3645 struct l2cap_conn *conn = chan->conn;
3647 BT_DBG("chan %p", chan);
3649 rsp.dcid = cpu_to_le16(chan->scid);
3650 rsp.mtu = cpu_to_le16(chan->imtu);
3651 rsp.mps = cpu_to_le16(chan->mps);
3652 rsp.credits = cpu_to_le16(chan->rx_credits);
3653 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3655 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3659 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3661 struct l2cap_conn_rsp rsp;
3662 struct l2cap_conn *conn = chan->conn;
3666 rsp.scid = cpu_to_le16(chan->dcid);
3667 rsp.dcid = cpu_to_le16(chan->scid);
3668 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3669 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3672 rsp_code = L2CAP_CREATE_CHAN_RSP;
3674 rsp_code = L2CAP_CONN_RSP;
3676 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3678 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3680 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3683 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3684 l2cap_build_conf_req(chan, buf), buf);
3685 chan->num_conf_req++;
3688 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3692 /* Use sane default values in case a misbehaving remote device
3693 * did not send an RFC or extended window size option.
3695 u16 txwin_ext = chan->ack_win;
3696 struct l2cap_conf_rfc rfc = {
3698 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3699 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3700 .max_pdu_size = cpu_to_le16(chan->imtu),
3701 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3704 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3706 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3709 while (len >= L2CAP_CONF_OPT_SIZE) {
3710 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3713 case L2CAP_CONF_RFC:
3714 if (olen == sizeof(rfc))
3715 memcpy(&rfc, (void *)val, olen);
3717 case L2CAP_CONF_EWS:
3724 case L2CAP_MODE_ERTM:
3725 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3726 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3727 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3728 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3729 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3731 chan->ack_win = min_t(u16, chan->ack_win,
3734 case L2CAP_MODE_STREAMING:
3735 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3739 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3740 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3743 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3745 if (cmd_len < sizeof(*rej))
3748 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3751 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3752 cmd->ident == conn->info_ident) {
3753 cancel_delayed_work(&conn->info_timer);
3755 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3756 conn->info_ident = 0;
3758 l2cap_conn_start(conn);
3764 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3765 struct l2cap_cmd_hdr *cmd,
3766 u8 *data, u8 rsp_code, u8 amp_id)
3768 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3769 struct l2cap_conn_rsp rsp;
3770 struct l2cap_chan *chan = NULL, *pchan;
3771 int result, status = L2CAP_CS_NO_INFO;
3773 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3774 __le16 psm = req->psm;
3776 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3778 /* Check if we have socket listening on psm */
3779 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3780 &conn->hcon->dst, ACL_LINK);
3782 result = L2CAP_CR_BAD_PSM;
3786 mutex_lock(&conn->chan_lock);
3787 l2cap_chan_lock(pchan);
3789 /* Check if the ACL is secure enough (if not SDP) */
3790 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3791 !hci_conn_check_link_mode(conn->hcon)) {
3792 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3793 result = L2CAP_CR_SEC_BLOCK;
3797 result = L2CAP_CR_NO_MEM;
3799 /* Check if we already have channel with that dcid */
3800 if (__l2cap_get_chan_by_dcid(conn, scid))
3803 chan = pchan->ops->new_connection(pchan);
3807 /* For certain devices (ex: HID mouse), support for authentication,
3808 * pairing and bonding is optional. For such devices, inorder to avoid
3809 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3810 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3812 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3814 bacpy(&chan->src, &conn->hcon->src);
3815 bacpy(&chan->dst, &conn->hcon->dst);
3816 chan->src_type = bdaddr_src_type(conn->hcon);
3817 chan->dst_type = bdaddr_dst_type(conn->hcon);
3820 chan->local_amp_id = amp_id;
3822 __l2cap_chan_add(conn, chan);
3826 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3828 chan->ident = cmd->ident;
3830 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3831 if (l2cap_chan_check_security(chan, false)) {
3832 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3833 l2cap_state_change(chan, BT_CONNECT2);
3834 result = L2CAP_CR_PEND;
3835 status = L2CAP_CS_AUTHOR_PEND;
3836 chan->ops->defer(chan);
3838 /* Force pending result for AMP controllers.
3839 * The connection will succeed after the
3840 * physical link is up.
3842 if (amp_id == AMP_ID_BREDR) {
3843 l2cap_state_change(chan, BT_CONFIG);
3844 result = L2CAP_CR_SUCCESS;
3846 l2cap_state_change(chan, BT_CONNECT2);
3847 result = L2CAP_CR_PEND;
3849 status = L2CAP_CS_NO_INFO;
3852 l2cap_state_change(chan, BT_CONNECT2);
3853 result = L2CAP_CR_PEND;
3854 status = L2CAP_CS_AUTHEN_PEND;
3857 l2cap_state_change(chan, BT_CONNECT2);
3858 result = L2CAP_CR_PEND;
3859 status = L2CAP_CS_NO_INFO;
3863 l2cap_chan_unlock(pchan);
3864 mutex_unlock(&conn->chan_lock);
3865 l2cap_chan_put(pchan);
3868 rsp.scid = cpu_to_le16(scid);
3869 rsp.dcid = cpu_to_le16(dcid);
3870 rsp.result = cpu_to_le16(result);
3871 rsp.status = cpu_to_le16(status);
3872 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3874 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3875 struct l2cap_info_req info;
3876 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3878 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3879 conn->info_ident = l2cap_get_ident(conn);
3881 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3883 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3884 sizeof(info), &info);
3887 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3888 result == L2CAP_CR_SUCCESS) {
3890 set_bit(CONF_REQ_SENT, &chan->conf_state);
3891 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3892 l2cap_build_conf_req(chan, buf), buf);
3893 chan->num_conf_req++;
3899 static int l2cap_connect_req(struct l2cap_conn *conn,
3900 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3902 struct hci_dev *hdev = conn->hcon->hdev;
3903 struct hci_conn *hcon = conn->hcon;
3905 if (cmd_len < sizeof(struct l2cap_conn_req))
3909 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3910 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3911 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3912 hci_dev_unlock(hdev);
3914 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3918 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3919 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3922 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3923 u16 scid, dcid, result, status;
3924 struct l2cap_chan *chan;
3928 if (cmd_len < sizeof(*rsp))
3931 scid = __le16_to_cpu(rsp->scid);
3932 dcid = __le16_to_cpu(rsp->dcid);
3933 result = __le16_to_cpu(rsp->result);
3934 status = __le16_to_cpu(rsp->status);
3936 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3937 dcid, scid, result, status);
3939 mutex_lock(&conn->chan_lock);
3942 chan = __l2cap_get_chan_by_scid(conn, scid);
3948 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3957 l2cap_chan_lock(chan);
3960 case L2CAP_CR_SUCCESS:
3961 l2cap_state_change(chan, BT_CONFIG);
3964 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3966 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3969 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3970 l2cap_build_conf_req(chan, req), req);
3971 chan->num_conf_req++;
3975 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3979 l2cap_chan_del(chan, ECONNREFUSED);
3983 l2cap_chan_unlock(chan);
3986 mutex_unlock(&conn->chan_lock);
3991 static inline void set_default_fcs(struct l2cap_chan *chan)
3993 /* FCS is enabled only in ERTM or streaming mode, if one or both
3996 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3997 chan->fcs = L2CAP_FCS_NONE;
3998 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
3999 chan->fcs = L2CAP_FCS_CRC16;
4002 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4003 u8 ident, u16 flags)
4005 struct l2cap_conn *conn = chan->conn;
4007 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4010 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4011 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4013 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4014 l2cap_build_conf_rsp(chan, data,
4015 L2CAP_CONF_SUCCESS, flags), data);
4018 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4021 struct l2cap_cmd_rej_cid rej;
4023 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4024 rej.scid = __cpu_to_le16(scid);
4025 rej.dcid = __cpu_to_le16(dcid);
4027 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4030 static inline int l2cap_config_req(struct l2cap_conn *conn,
4031 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4034 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4037 struct l2cap_chan *chan;
4040 if (cmd_len < sizeof(*req))
4043 dcid = __le16_to_cpu(req->dcid);
4044 flags = __le16_to_cpu(req->flags);
4046 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4048 chan = l2cap_get_chan_by_scid(conn, dcid);
4050 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4054 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4055 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4060 /* Reject if config buffer is too small. */
4061 len = cmd_len - sizeof(*req);
4062 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4063 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4064 l2cap_build_conf_rsp(chan, rsp,
4065 L2CAP_CONF_REJECT, flags), rsp);
4070 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4071 chan->conf_len += len;
4073 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4074 /* Incomplete config. Send empty response. */
4075 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4076 l2cap_build_conf_rsp(chan, rsp,
4077 L2CAP_CONF_SUCCESS, flags), rsp);
4081 /* Complete config. */
4082 len = l2cap_parse_conf_req(chan, rsp);
4084 l2cap_send_disconn_req(chan, ECONNRESET);
4088 chan->ident = cmd->ident;
4089 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4090 chan->num_conf_rsp++;
4092 /* Reset config buffer. */
4095 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4098 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4099 set_default_fcs(chan);
4101 if (chan->mode == L2CAP_MODE_ERTM ||
4102 chan->mode == L2CAP_MODE_STREAMING)
4103 err = l2cap_ertm_init(chan);
4106 l2cap_send_disconn_req(chan, -err);
4108 l2cap_chan_ready(chan);
4113 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4115 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4116 l2cap_build_conf_req(chan, buf), buf);
4117 chan->num_conf_req++;
4120 /* Got Conf Rsp PENDING from remote side and assume we sent
4121 Conf Rsp PENDING in the code above */
4122 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4123 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4125 /* check compatibility */
4127 /* Send rsp for BR/EDR channel */
4129 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4131 chan->ident = cmd->ident;
4135 l2cap_chan_unlock(chan);
4139 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4140 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4143 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4144 u16 scid, flags, result;
4145 struct l2cap_chan *chan;
4146 int len = cmd_len - sizeof(*rsp);
4149 if (cmd_len < sizeof(*rsp))
4152 scid = __le16_to_cpu(rsp->scid);
4153 flags = __le16_to_cpu(rsp->flags);
4154 result = __le16_to_cpu(rsp->result);
4156 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4159 chan = l2cap_get_chan_by_scid(conn, scid);
4164 case L2CAP_CONF_SUCCESS:
4165 l2cap_conf_rfc_get(chan, rsp->data, len);
4166 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4169 case L2CAP_CONF_PENDING:
4170 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4172 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4175 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4178 l2cap_send_disconn_req(chan, ECONNRESET);
4182 if (!chan->hs_hcon) {
4183 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4186 if (l2cap_check_efs(chan)) {
4187 amp_create_logical_link(chan);
4188 chan->ident = cmd->ident;
4194 case L2CAP_CONF_UNACCEPT:
4195 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4198 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4199 l2cap_send_disconn_req(chan, ECONNRESET);
4203 /* throw out any old stored conf requests */
4204 result = L2CAP_CONF_SUCCESS;
4205 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4208 l2cap_send_disconn_req(chan, ECONNRESET);
4212 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4213 L2CAP_CONF_REQ, len, req);
4214 chan->num_conf_req++;
4215 if (result != L2CAP_CONF_SUCCESS)
4221 l2cap_chan_set_err(chan, ECONNRESET);
4223 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4224 l2cap_send_disconn_req(chan, ECONNRESET);
4228 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4231 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4233 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4234 set_default_fcs(chan);
4236 if (chan->mode == L2CAP_MODE_ERTM ||
4237 chan->mode == L2CAP_MODE_STREAMING)
4238 err = l2cap_ertm_init(chan);
4241 l2cap_send_disconn_req(chan, -err);
4243 l2cap_chan_ready(chan);
4247 l2cap_chan_unlock(chan);
4251 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4252 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4255 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4256 struct l2cap_disconn_rsp rsp;
4258 struct l2cap_chan *chan;
4260 if (cmd_len != sizeof(*req))
4263 scid = __le16_to_cpu(req->scid);
4264 dcid = __le16_to_cpu(req->dcid);
4266 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4268 mutex_lock(&conn->chan_lock);
4270 chan = __l2cap_get_chan_by_scid(conn, dcid);
4272 mutex_unlock(&conn->chan_lock);
4273 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4277 l2cap_chan_lock(chan);
4279 rsp.dcid = cpu_to_le16(chan->scid);
4280 rsp.scid = cpu_to_le16(chan->dcid);
4281 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4283 chan->ops->set_shutdown(chan);
4285 l2cap_chan_hold(chan);
4286 l2cap_chan_del(chan, ECONNRESET);
4288 l2cap_chan_unlock(chan);
4290 chan->ops->close(chan);
4291 l2cap_chan_put(chan);
4293 mutex_unlock(&conn->chan_lock);
4298 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4299 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4302 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4304 struct l2cap_chan *chan;
4306 if (cmd_len != sizeof(*rsp))
4309 scid = __le16_to_cpu(rsp->scid);
4310 dcid = __le16_to_cpu(rsp->dcid);
4312 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4314 mutex_lock(&conn->chan_lock);
4316 chan = __l2cap_get_chan_by_scid(conn, scid);
4318 mutex_unlock(&conn->chan_lock);
4322 l2cap_chan_lock(chan);
4324 l2cap_chan_hold(chan);
4325 l2cap_chan_del(chan, 0);
4327 l2cap_chan_unlock(chan);
4329 chan->ops->close(chan);
4330 l2cap_chan_put(chan);
4332 mutex_unlock(&conn->chan_lock);
4337 static inline int l2cap_information_req(struct l2cap_conn *conn,
4338 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4341 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4344 if (cmd_len != sizeof(*req))
4347 type = __le16_to_cpu(req->type);
4349 BT_DBG("type 0x%4.4x", type);
4351 if (type == L2CAP_IT_FEAT_MASK) {
4353 u32 feat_mask = l2cap_feat_mask;
4354 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4355 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4356 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4358 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4360 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4361 feat_mask |= L2CAP_FEAT_EXT_FLOW
4362 | L2CAP_FEAT_EXT_WINDOW;
4364 put_unaligned_le32(feat_mask, rsp->data);
4365 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4367 } else if (type == L2CAP_IT_FIXED_CHAN) {
4369 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4371 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4372 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4373 rsp->data[0] = conn->local_fixed_chan;
4374 memset(rsp->data + 1, 0, 7);
4375 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4378 struct l2cap_info_rsp rsp;
4379 rsp.type = cpu_to_le16(type);
4380 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4381 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4388 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4389 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4392 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4395 if (cmd_len < sizeof(*rsp))
4398 type = __le16_to_cpu(rsp->type);
4399 result = __le16_to_cpu(rsp->result);
4401 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4403 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4404 if (cmd->ident != conn->info_ident ||
4405 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4408 cancel_delayed_work(&conn->info_timer);
4410 if (result != L2CAP_IR_SUCCESS) {
4411 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4412 conn->info_ident = 0;
4414 l2cap_conn_start(conn);
4420 case L2CAP_IT_FEAT_MASK:
4421 conn->feat_mask = get_unaligned_le32(rsp->data);
4423 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4424 struct l2cap_info_req req;
4425 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4427 conn->info_ident = l2cap_get_ident(conn);
4429 l2cap_send_cmd(conn, conn->info_ident,
4430 L2CAP_INFO_REQ, sizeof(req), &req);
4432 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4433 conn->info_ident = 0;
4435 l2cap_conn_start(conn);
4439 case L2CAP_IT_FIXED_CHAN:
4440 conn->remote_fixed_chan = rsp->data[0];
4441 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4442 conn->info_ident = 0;
4444 l2cap_conn_start(conn);
4451 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4452 struct l2cap_cmd_hdr *cmd,
4453 u16 cmd_len, void *data)
4455 struct l2cap_create_chan_req *req = data;
4456 struct l2cap_create_chan_rsp rsp;
4457 struct l2cap_chan *chan;
4458 struct hci_dev *hdev;
4461 if (cmd_len != sizeof(*req))
4464 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4467 psm = le16_to_cpu(req->psm);
4468 scid = le16_to_cpu(req->scid);
4470 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4472 /* For controller id 0 make BR/EDR connection */
4473 if (req->amp_id == AMP_ID_BREDR) {
4474 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4479 /* Validate AMP controller id */
4480 hdev = hci_dev_get(req->amp_id);
4484 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4489 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4492 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4493 struct hci_conn *hs_hcon;
4495 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4499 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4504 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4506 mgr->bredr_chan = chan;
4507 chan->hs_hcon = hs_hcon;
4508 chan->fcs = L2CAP_FCS_NONE;
4509 conn->mtu = hdev->block_mtu;
4518 rsp.scid = cpu_to_le16(scid);
4519 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4520 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4522 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4528 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4530 struct l2cap_move_chan_req req;
4533 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4535 ident = l2cap_get_ident(chan->conn);
4536 chan->ident = ident;
4538 req.icid = cpu_to_le16(chan->scid);
4539 req.dest_amp_id = dest_amp_id;
4541 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4544 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4547 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4549 struct l2cap_move_chan_rsp rsp;
4551 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4553 rsp.icid = cpu_to_le16(chan->dcid);
4554 rsp.result = cpu_to_le16(result);
4556 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4560 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4562 struct l2cap_move_chan_cfm cfm;
4564 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4566 chan->ident = l2cap_get_ident(chan->conn);
4568 cfm.icid = cpu_to_le16(chan->scid);
4569 cfm.result = cpu_to_le16(result);
4571 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4574 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4577 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4579 struct l2cap_move_chan_cfm cfm;
4581 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4583 cfm.icid = cpu_to_le16(icid);
4584 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4586 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4590 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4593 struct l2cap_move_chan_cfm_rsp rsp;
4595 BT_DBG("icid 0x%4.4x", icid);
4597 rsp.icid = cpu_to_le16(icid);
4598 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4601 static void __release_logical_link(struct l2cap_chan *chan)
4603 chan->hs_hchan = NULL;
4604 chan->hs_hcon = NULL;
4606 /* Placeholder - release the logical link */
4609 static void l2cap_logical_fail(struct l2cap_chan *chan)
4611 /* Logical link setup failed */
4612 if (chan->state != BT_CONNECTED) {
4613 /* Create channel failure, disconnect */
4614 l2cap_send_disconn_req(chan, ECONNRESET);
4618 switch (chan->move_role) {
4619 case L2CAP_MOVE_ROLE_RESPONDER:
4620 l2cap_move_done(chan);
4621 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4623 case L2CAP_MOVE_ROLE_INITIATOR:
4624 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4625 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4626 /* Remote has only sent pending or
4627 * success responses, clean up
4629 l2cap_move_done(chan);
4632 /* Other amp move states imply that the move
4633 * has already aborted
4635 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4640 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4641 struct hci_chan *hchan)
4643 struct l2cap_conf_rsp rsp;
4645 chan->hs_hchan = hchan;
4646 chan->hs_hcon->l2cap_data = chan->conn;
4648 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4650 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4653 set_default_fcs(chan);
4655 err = l2cap_ertm_init(chan);
4657 l2cap_send_disconn_req(chan, -err);
4659 l2cap_chan_ready(chan);
4663 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4664 struct hci_chan *hchan)
4666 chan->hs_hcon = hchan->conn;
4667 chan->hs_hcon->l2cap_data = chan->conn;
4669 BT_DBG("move_state %d", chan->move_state);
4671 switch (chan->move_state) {
4672 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4673 /* Move confirm will be sent after a success
4674 * response is received
4676 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4678 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4679 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4680 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4681 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4682 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4683 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4684 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4685 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4686 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4690 /* Move was not in expected state, free the channel */
4691 __release_logical_link(chan);
4693 chan->move_state = L2CAP_MOVE_STABLE;
4697 /* Call with chan locked */
4698 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4701 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4704 l2cap_logical_fail(chan);
4705 __release_logical_link(chan);
4709 if (chan->state != BT_CONNECTED) {
4710 /* Ignore logical link if channel is on BR/EDR */
4711 if (chan->local_amp_id != AMP_ID_BREDR)
4712 l2cap_logical_finish_create(chan, hchan);
4714 l2cap_logical_finish_move(chan, hchan);
4718 void l2cap_move_start(struct l2cap_chan *chan)
4720 BT_DBG("chan %p", chan);
4722 if (chan->local_amp_id == AMP_ID_BREDR) {
4723 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4725 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4726 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4727 /* Placeholder - start physical link setup */
4729 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4730 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4732 l2cap_move_setup(chan);
4733 l2cap_send_move_chan_req(chan, 0);
4737 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4738 u8 local_amp_id, u8 remote_amp_id)
4740 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4741 local_amp_id, remote_amp_id);
4743 chan->fcs = L2CAP_FCS_NONE;
4745 /* Outgoing channel on AMP */
4746 if (chan->state == BT_CONNECT) {
4747 if (result == L2CAP_CR_SUCCESS) {
4748 chan->local_amp_id = local_amp_id;
4749 l2cap_send_create_chan_req(chan, remote_amp_id);
4751 /* Revert to BR/EDR connect */
4752 l2cap_send_conn_req(chan);
4758 /* Incoming channel on AMP */
4759 if (__l2cap_no_conn_pending(chan)) {
4760 struct l2cap_conn_rsp rsp;
4762 rsp.scid = cpu_to_le16(chan->dcid);
4763 rsp.dcid = cpu_to_le16(chan->scid);
4765 if (result == L2CAP_CR_SUCCESS) {
4766 /* Send successful response */
4767 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4768 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4770 /* Send negative response */
4771 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4772 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4775 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4778 if (result == L2CAP_CR_SUCCESS) {
4779 l2cap_state_change(chan, BT_CONFIG);
4780 set_bit(CONF_REQ_SENT, &chan->conf_state);
4781 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4783 l2cap_build_conf_req(chan, buf), buf);
4784 chan->num_conf_req++;
4789 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4792 l2cap_move_setup(chan);
4793 chan->move_id = local_amp_id;
4794 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4796 l2cap_send_move_chan_req(chan, remote_amp_id);
4799 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4801 struct hci_chan *hchan = NULL;
4803 /* Placeholder - get hci_chan for logical link */
4806 if (hchan->state == BT_CONNECTED) {
4807 /* Logical link is ready to go */
4808 chan->hs_hcon = hchan->conn;
4809 chan->hs_hcon->l2cap_data = chan->conn;
4810 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4811 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4813 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4815 /* Wait for logical link to be ready */
4816 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4819 /* Logical link not available */
4820 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4824 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4826 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4828 if (result == -EINVAL)
4829 rsp_result = L2CAP_MR_BAD_ID;
4831 rsp_result = L2CAP_MR_NOT_ALLOWED;
4833 l2cap_send_move_chan_rsp(chan, rsp_result);
4836 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4837 chan->move_state = L2CAP_MOVE_STABLE;
4839 /* Restart data transmission */
4840 l2cap_ertm_send(chan);
4843 /* Invoke with locked chan */
4844 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4846 u8 local_amp_id = chan->local_amp_id;
4847 u8 remote_amp_id = chan->remote_amp_id;
4849 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4850 chan, result, local_amp_id, remote_amp_id);
4852 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4853 l2cap_chan_unlock(chan);
4857 if (chan->state != BT_CONNECTED) {
4858 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4859 } else if (result != L2CAP_MR_SUCCESS) {
4860 l2cap_do_move_cancel(chan, result);
4862 switch (chan->move_role) {
4863 case L2CAP_MOVE_ROLE_INITIATOR:
4864 l2cap_do_move_initiate(chan, local_amp_id,
4867 case L2CAP_MOVE_ROLE_RESPONDER:
4868 l2cap_do_move_respond(chan, result);
4871 l2cap_do_move_cancel(chan, result);
4877 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4878 struct l2cap_cmd_hdr *cmd,
4879 u16 cmd_len, void *data)
4881 struct l2cap_move_chan_req *req = data;
4882 struct l2cap_move_chan_rsp rsp;
4883 struct l2cap_chan *chan;
4885 u16 result = L2CAP_MR_NOT_ALLOWED;
4887 if (cmd_len != sizeof(*req))
4890 icid = le16_to_cpu(req->icid);
4892 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4894 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4897 chan = l2cap_get_chan_by_dcid(conn, icid);
4899 rsp.icid = cpu_to_le16(icid);
4900 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4901 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4906 chan->ident = cmd->ident;
4908 if (chan->scid < L2CAP_CID_DYN_START ||
4909 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4910 (chan->mode != L2CAP_MODE_ERTM &&
4911 chan->mode != L2CAP_MODE_STREAMING)) {
4912 result = L2CAP_MR_NOT_ALLOWED;
4913 goto send_move_response;
4916 if (chan->local_amp_id == req->dest_amp_id) {
4917 result = L2CAP_MR_SAME_ID;
4918 goto send_move_response;
4921 if (req->dest_amp_id != AMP_ID_BREDR) {
4922 struct hci_dev *hdev;
4923 hdev = hci_dev_get(req->dest_amp_id);
4924 if (!hdev || hdev->dev_type != HCI_AMP ||
4925 !test_bit(HCI_UP, &hdev->flags)) {
4929 result = L2CAP_MR_BAD_ID;
4930 goto send_move_response;
4935 /* Detect a move collision. Only send a collision response
4936 * if this side has "lost", otherwise proceed with the move.
4937 * The winner has the larger bd_addr.
4939 if ((__chan_is_moving(chan) ||
4940 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4941 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4942 result = L2CAP_MR_COLLISION;
4943 goto send_move_response;
4946 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4947 l2cap_move_setup(chan);
4948 chan->move_id = req->dest_amp_id;
4951 if (req->dest_amp_id == AMP_ID_BREDR) {
4952 /* Moving to BR/EDR */
4953 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4954 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4955 result = L2CAP_MR_PEND;
4957 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4958 result = L2CAP_MR_SUCCESS;
4961 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4962 /* Placeholder - uncomment when amp functions are available */
4963 /*amp_accept_physical(chan, req->dest_amp_id);*/
4964 result = L2CAP_MR_PEND;
4968 l2cap_send_move_chan_rsp(chan, result);
4970 l2cap_chan_unlock(chan);
4975 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4977 struct l2cap_chan *chan;
4978 struct hci_chan *hchan = NULL;
4980 chan = l2cap_get_chan_by_scid(conn, icid);
4982 l2cap_send_move_chan_cfm_icid(conn, icid);
4986 __clear_chan_timer(chan);
4987 if (result == L2CAP_MR_PEND)
4988 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4990 switch (chan->move_state) {
4991 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4992 /* Move confirm will be sent when logical link
4995 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4997 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4998 if (result == L2CAP_MR_PEND) {
5000 } else if (test_bit(CONN_LOCAL_BUSY,
5001 &chan->conn_state)) {
5002 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5004 /* Logical link is up or moving to BR/EDR,
5007 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5008 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5011 case L2CAP_MOVE_WAIT_RSP:
5013 if (result == L2CAP_MR_SUCCESS) {
5014 /* Remote is ready, send confirm immediately
5015 * after logical link is ready
5017 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5019 /* Both logical link and move success
5020 * are required to confirm
5022 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5025 /* Placeholder - get hci_chan for logical link */
5027 /* Logical link not available */
5028 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5032 /* If the logical link is not yet connected, do not
5033 * send confirmation.
5035 if (hchan->state != BT_CONNECTED)
5038 /* Logical link is already ready to go */
5040 chan->hs_hcon = hchan->conn;
5041 chan->hs_hcon->l2cap_data = chan->conn;
5043 if (result == L2CAP_MR_SUCCESS) {
5044 /* Can confirm now */
5045 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5047 /* Now only need move success
5050 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5053 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5056 /* Any other amp move state means the move failed. */
5057 chan->move_id = chan->local_amp_id;
5058 l2cap_move_done(chan);
5059 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5062 l2cap_chan_unlock(chan);
5065 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5068 struct l2cap_chan *chan;
5070 chan = l2cap_get_chan_by_ident(conn, ident);
5072 /* Could not locate channel, icid is best guess */
5073 l2cap_send_move_chan_cfm_icid(conn, icid);
5077 __clear_chan_timer(chan);
5079 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5080 if (result == L2CAP_MR_COLLISION) {
5081 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5083 /* Cleanup - cancel move */
5084 chan->move_id = chan->local_amp_id;
5085 l2cap_move_done(chan);
5089 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5091 l2cap_chan_unlock(chan);
5094 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5095 struct l2cap_cmd_hdr *cmd,
5096 u16 cmd_len, void *data)
5098 struct l2cap_move_chan_rsp *rsp = data;
5101 if (cmd_len != sizeof(*rsp))
5104 icid = le16_to_cpu(rsp->icid);
5105 result = le16_to_cpu(rsp->result);
5107 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5109 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5110 l2cap_move_continue(conn, icid, result);
5112 l2cap_move_fail(conn, cmd->ident, icid, result);
5117 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5118 struct l2cap_cmd_hdr *cmd,
5119 u16 cmd_len, void *data)
5121 struct l2cap_move_chan_cfm *cfm = data;
5122 struct l2cap_chan *chan;
5125 if (cmd_len != sizeof(*cfm))
5128 icid = le16_to_cpu(cfm->icid);
5129 result = le16_to_cpu(cfm->result);
5131 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5133 chan = l2cap_get_chan_by_dcid(conn, icid);
5135 /* Spec requires a response even if the icid was not found */
5136 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5140 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5141 if (result == L2CAP_MC_CONFIRMED) {
5142 chan->local_amp_id = chan->move_id;
5143 if (chan->local_amp_id == AMP_ID_BREDR)
5144 __release_logical_link(chan);
5146 chan->move_id = chan->local_amp_id;
5149 l2cap_move_done(chan);
5152 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5154 l2cap_chan_unlock(chan);
5159 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5160 struct l2cap_cmd_hdr *cmd,
5161 u16 cmd_len, void *data)
5163 struct l2cap_move_chan_cfm_rsp *rsp = data;
5164 struct l2cap_chan *chan;
5167 if (cmd_len != sizeof(*rsp))
5170 icid = le16_to_cpu(rsp->icid);
5172 BT_DBG("icid 0x%4.4x", icid);
5174 chan = l2cap_get_chan_by_scid(conn, icid);
5178 __clear_chan_timer(chan);
5180 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5181 chan->local_amp_id = chan->move_id;
5183 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5184 __release_logical_link(chan);
5186 l2cap_move_done(chan);
5189 l2cap_chan_unlock(chan);
5194 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5195 struct l2cap_cmd_hdr *cmd,
5196 u16 cmd_len, u8 *data)
5198 struct hci_conn *hcon = conn->hcon;
5199 struct l2cap_conn_param_update_req *req;
5200 struct l2cap_conn_param_update_rsp rsp;
5201 u16 min, max, latency, to_multiplier;
5204 if (hcon->role != HCI_ROLE_MASTER)
5207 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5210 req = (struct l2cap_conn_param_update_req *) data;
5211 min = __le16_to_cpu(req->min);
5212 max = __le16_to_cpu(req->max);
5213 latency = __le16_to_cpu(req->latency);
5214 to_multiplier = __le16_to_cpu(req->to_multiplier);
5216 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5217 min, max, latency, to_multiplier);
5219 memset(&rsp, 0, sizeof(rsp));
5221 err = hci_check_conn_params(min, max, latency, to_multiplier);
5223 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5225 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5227 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5233 store_hint = hci_le_conn_update(hcon, min, max, latency,
5235 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5236 store_hint, min, max, latency,
5244 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5245 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5248 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5249 struct hci_conn *hcon = conn->hcon;
5250 u16 dcid, mtu, mps, credits, result;
5251 struct l2cap_chan *chan;
5254 if (cmd_len < sizeof(*rsp))
5257 dcid = __le16_to_cpu(rsp->dcid);
5258 mtu = __le16_to_cpu(rsp->mtu);
5259 mps = __le16_to_cpu(rsp->mps);
5260 credits = __le16_to_cpu(rsp->credits);
5261 result = __le16_to_cpu(rsp->result);
5263 if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 ||
5264 dcid < L2CAP_CID_DYN_START ||
5265 dcid > L2CAP_CID_LE_DYN_END))
5268 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5269 dcid, mtu, mps, credits, result);
5271 mutex_lock(&conn->chan_lock);
5273 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5281 l2cap_chan_lock(chan);
5284 case L2CAP_CR_SUCCESS:
5285 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5293 chan->remote_mps = mps;
5294 chan->tx_credits = credits;
5295 l2cap_chan_ready(chan);
5298 case L2CAP_CR_AUTHENTICATION:
5299 case L2CAP_CR_ENCRYPTION:
5300 /* If we already have MITM protection we can't do
5303 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5304 l2cap_chan_del(chan, ECONNREFUSED);
5308 sec_level = hcon->sec_level + 1;
5309 if (chan->sec_level < sec_level)
5310 chan->sec_level = sec_level;
5312 /* We'll need to send a new Connect Request */
5313 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5315 smp_conn_security(hcon, chan->sec_level);
5319 l2cap_chan_del(chan, ECONNREFUSED);
5323 l2cap_chan_unlock(chan);
5326 mutex_unlock(&conn->chan_lock);
5331 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5332 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5337 switch (cmd->code) {
5338 case L2CAP_COMMAND_REJ:
5339 l2cap_command_rej(conn, cmd, cmd_len, data);
5342 case L2CAP_CONN_REQ:
5343 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5346 case L2CAP_CONN_RSP:
5347 case L2CAP_CREATE_CHAN_RSP:
5348 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5351 case L2CAP_CONF_REQ:
5352 err = l2cap_config_req(conn, cmd, cmd_len, data);
5355 case L2CAP_CONF_RSP:
5356 l2cap_config_rsp(conn, cmd, cmd_len, data);
5359 case L2CAP_DISCONN_REQ:
5360 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5363 case L2CAP_DISCONN_RSP:
5364 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5367 case L2CAP_ECHO_REQ:
5368 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5371 case L2CAP_ECHO_RSP:
5374 case L2CAP_INFO_REQ:
5375 err = l2cap_information_req(conn, cmd, cmd_len, data);
5378 case L2CAP_INFO_RSP:
5379 l2cap_information_rsp(conn, cmd, cmd_len, data);
5382 case L2CAP_CREATE_CHAN_REQ:
5383 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5386 case L2CAP_MOVE_CHAN_REQ:
5387 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5390 case L2CAP_MOVE_CHAN_RSP:
5391 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5394 case L2CAP_MOVE_CHAN_CFM:
5395 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5398 case L2CAP_MOVE_CHAN_CFM_RSP:
5399 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5403 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5411 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5412 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5415 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5416 struct l2cap_le_conn_rsp rsp;
5417 struct l2cap_chan *chan, *pchan;
5418 u16 dcid, scid, credits, mtu, mps;
5422 if (cmd_len != sizeof(*req))
5425 scid = __le16_to_cpu(req->scid);
5426 mtu = __le16_to_cpu(req->mtu);
5427 mps = __le16_to_cpu(req->mps);
5432 if (mtu < 23 || mps < 23)
5435 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5438 /* Check if we have socket listening on psm */
5439 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5440 &conn->hcon->dst, LE_LINK);
5442 result = L2CAP_CR_BAD_PSM;
5447 mutex_lock(&conn->chan_lock);
5448 l2cap_chan_lock(pchan);
5450 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5452 result = L2CAP_CR_AUTHENTICATION;
5454 goto response_unlock;
5457 /* Check for valid dynamic CID range */
5458 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5459 result = L2CAP_CR_INVALID_SCID;
5461 goto response_unlock;
5464 /* Check if we already have channel with that dcid */
5465 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5466 result = L2CAP_CR_SCID_IN_USE;
5468 goto response_unlock;
5471 chan = pchan->ops->new_connection(pchan);
5473 result = L2CAP_CR_NO_MEM;
5474 goto response_unlock;
5477 l2cap_le_flowctl_init(chan);
5479 bacpy(&chan->src, &conn->hcon->src);
5480 bacpy(&chan->dst, &conn->hcon->dst);
5481 chan->src_type = bdaddr_src_type(conn->hcon);
5482 chan->dst_type = bdaddr_dst_type(conn->hcon);
5486 chan->remote_mps = mps;
5487 chan->tx_credits = __le16_to_cpu(req->credits);
5489 __l2cap_chan_add(conn, chan);
5491 credits = chan->rx_credits;
5493 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5495 chan->ident = cmd->ident;
5497 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5498 l2cap_state_change(chan, BT_CONNECT2);
5499 /* The following result value is actually not defined
5500 * for LE CoC but we use it to let the function know
5501 * that it should bail out after doing its cleanup
5502 * instead of sending a response.
5504 result = L2CAP_CR_PEND;
5505 chan->ops->defer(chan);
5507 l2cap_chan_ready(chan);
5508 result = L2CAP_CR_SUCCESS;
5512 l2cap_chan_unlock(pchan);
5513 mutex_unlock(&conn->chan_lock);
5514 l2cap_chan_put(pchan);
5516 if (result == L2CAP_CR_PEND)
5521 rsp.mtu = cpu_to_le16(chan->imtu);
5522 rsp.mps = cpu_to_le16(chan->mps);
5528 rsp.dcid = cpu_to_le16(dcid);
5529 rsp.credits = cpu_to_le16(credits);
5530 rsp.result = cpu_to_le16(result);
5532 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5537 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5538 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5541 struct l2cap_le_credits *pkt;
5542 struct l2cap_chan *chan;
5543 u16 cid, credits, max_credits;
5545 if (cmd_len != sizeof(*pkt))
5548 pkt = (struct l2cap_le_credits *) data;
5549 cid = __le16_to_cpu(pkt->cid);
5550 credits = __le16_to_cpu(pkt->credits);
5552 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5554 chan = l2cap_get_chan_by_dcid(conn, cid);
5558 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5559 if (credits > max_credits) {
5560 BT_ERR("LE credits overflow");
5561 l2cap_send_disconn_req(chan, ECONNRESET);
5562 l2cap_chan_unlock(chan);
5564 /* Return 0 so that we don't trigger an unnecessary
5565 * command reject packet.
5570 chan->tx_credits += credits;
5572 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
5573 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
5577 if (chan->tx_credits)
5578 chan->ops->resume(chan);
5580 l2cap_chan_unlock(chan);
5585 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5586 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5589 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5590 struct l2cap_chan *chan;
5592 if (cmd_len < sizeof(*rej))
5595 mutex_lock(&conn->chan_lock);
5597 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5601 l2cap_chan_lock(chan);
5602 l2cap_chan_del(chan, ECONNREFUSED);
5603 l2cap_chan_unlock(chan);
5606 mutex_unlock(&conn->chan_lock);
5610 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5611 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5616 switch (cmd->code) {
5617 case L2CAP_COMMAND_REJ:
5618 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5621 case L2CAP_CONN_PARAM_UPDATE_REQ:
5622 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5625 case L2CAP_CONN_PARAM_UPDATE_RSP:
5628 case L2CAP_LE_CONN_RSP:
5629 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5632 case L2CAP_LE_CONN_REQ:
5633 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5636 case L2CAP_LE_CREDITS:
5637 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5640 case L2CAP_DISCONN_REQ:
5641 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5644 case L2CAP_DISCONN_RSP:
5645 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5649 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5657 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5658 struct sk_buff *skb)
5660 struct hci_conn *hcon = conn->hcon;
5661 struct l2cap_cmd_hdr *cmd;
5665 if (hcon->type != LE_LINK)
5668 if (skb->len < L2CAP_CMD_HDR_SIZE)
5671 cmd = (void *) skb->data;
5672 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5674 len = le16_to_cpu(cmd->len);
5676 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5678 if (len != skb->len || !cmd->ident) {
5679 BT_DBG("corrupted command");
5683 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5685 struct l2cap_cmd_rej_unk rej;
5687 BT_ERR("Wrong link type (%d)", err);
5689 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5690 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5698 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5699 struct sk_buff *skb)
5701 struct hci_conn *hcon = conn->hcon;
5702 u8 *data = skb->data;
5704 struct l2cap_cmd_hdr cmd;
5707 l2cap_raw_recv(conn, skb);
5709 if (hcon->type != ACL_LINK)
5712 while (len >= L2CAP_CMD_HDR_SIZE) {
5714 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5715 data += L2CAP_CMD_HDR_SIZE;
5716 len -= L2CAP_CMD_HDR_SIZE;
5718 cmd_len = le16_to_cpu(cmd.len);
5720 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5723 if (cmd_len > len || !cmd.ident) {
5724 BT_DBG("corrupted command");
5728 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5730 struct l2cap_cmd_rej_unk rej;
5732 BT_ERR("Wrong link type (%d)", err);
5734 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5735 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5747 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5749 u16 our_fcs, rcv_fcs;
5752 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5753 hdr_size = L2CAP_EXT_HDR_SIZE;
5755 hdr_size = L2CAP_ENH_HDR_SIZE;
5757 if (chan->fcs == L2CAP_FCS_CRC16) {
5758 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5759 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5760 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5762 if (our_fcs != rcv_fcs)
5768 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5770 struct l2cap_ctrl control;
5772 BT_DBG("chan %p", chan);
5774 memset(&control, 0, sizeof(control));
5777 control.reqseq = chan->buffer_seq;
5778 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5780 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5781 control.super = L2CAP_SUPER_RNR;
5782 l2cap_send_sframe(chan, &control);
5785 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5786 chan->unacked_frames > 0)
5787 __set_retrans_timer(chan);
5789 /* Send pending iframes */
5790 l2cap_ertm_send(chan);
5792 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5793 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5794 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5797 control.super = L2CAP_SUPER_RR;
5798 l2cap_send_sframe(chan, &control);
5802 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5803 struct sk_buff **last_frag)
5805 /* skb->len reflects data in skb as well as all fragments
5806 * skb->data_len reflects only data in fragments
5808 if (!skb_has_frag_list(skb))
5809 skb_shinfo(skb)->frag_list = new_frag;
5811 new_frag->next = NULL;
5813 (*last_frag)->next = new_frag;
5814 *last_frag = new_frag;
5816 skb->len += new_frag->len;
5817 skb->data_len += new_frag->len;
5818 skb->truesize += new_frag->truesize;
5821 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5822 struct l2cap_ctrl *control)
5826 switch (control->sar) {
5827 case L2CAP_SAR_UNSEGMENTED:
5831 err = chan->ops->recv(chan, skb);
5834 case L2CAP_SAR_START:
5838 chan->sdu_len = get_unaligned_le16(skb->data);
5839 skb_pull(skb, L2CAP_SDULEN_SIZE);
5841 if (chan->sdu_len > chan->imtu) {
5846 if (skb->len >= chan->sdu_len)
5850 chan->sdu_last_frag = skb;
5856 case L2CAP_SAR_CONTINUE:
5860 append_skb_frag(chan->sdu, skb,
5861 &chan->sdu_last_frag);
5864 if (chan->sdu->len >= chan->sdu_len)
5874 append_skb_frag(chan->sdu, skb,
5875 &chan->sdu_last_frag);
5878 if (chan->sdu->len != chan->sdu_len)
5881 err = chan->ops->recv(chan, chan->sdu);
5884 /* Reassembly complete */
5886 chan->sdu_last_frag = NULL;
5894 kfree_skb(chan->sdu);
5896 chan->sdu_last_frag = NULL;
5903 static int l2cap_resegment(struct l2cap_chan *chan)
5909 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5913 if (chan->mode != L2CAP_MODE_ERTM)
5916 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5917 l2cap_tx(chan, NULL, NULL, event);
5920 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5923 /* Pass sequential frames to l2cap_reassemble_sdu()
5924 * until a gap is encountered.
5927 BT_DBG("chan %p", chan);
5929 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5930 struct sk_buff *skb;
5931 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5932 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5934 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5939 skb_unlink(skb, &chan->srej_q);
5940 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5941 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5946 if (skb_queue_empty(&chan->srej_q)) {
5947 chan->rx_state = L2CAP_RX_STATE_RECV;
5948 l2cap_send_ack(chan);
5954 static void l2cap_handle_srej(struct l2cap_chan *chan,
5955 struct l2cap_ctrl *control)
5957 struct sk_buff *skb;
5959 BT_DBG("chan %p, control %p", chan, control);
5961 if (control->reqseq == chan->next_tx_seq) {
5962 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5963 l2cap_send_disconn_req(chan, ECONNRESET);
5967 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5970 BT_DBG("Seq %d not available for retransmission",
5975 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
5976 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5977 l2cap_send_disconn_req(chan, ECONNRESET);
5981 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5983 if (control->poll) {
5984 l2cap_pass_to_tx(chan, control);
5986 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5987 l2cap_retransmit(chan, control);
5988 l2cap_ertm_send(chan);
5990 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5991 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5992 chan->srej_save_reqseq = control->reqseq;
5995 l2cap_pass_to_tx_fbit(chan, control);
5997 if (control->final) {
5998 if (chan->srej_save_reqseq != control->reqseq ||
5999 !test_and_clear_bit(CONN_SREJ_ACT,
6001 l2cap_retransmit(chan, control);
6003 l2cap_retransmit(chan, control);
6004 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6005 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6006 chan->srej_save_reqseq = control->reqseq;
6012 static void l2cap_handle_rej(struct l2cap_chan *chan,
6013 struct l2cap_ctrl *control)
6015 struct sk_buff *skb;
6017 BT_DBG("chan %p, control %p", chan, control);
6019 if (control->reqseq == chan->next_tx_seq) {
6020 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6021 l2cap_send_disconn_req(chan, ECONNRESET);
6025 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6027 if (chan->max_tx && skb &&
6028 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6029 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6030 l2cap_send_disconn_req(chan, ECONNRESET);
6034 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6036 l2cap_pass_to_tx(chan, control);
6038 if (control->final) {
6039 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6040 l2cap_retransmit_all(chan, control);
6042 l2cap_retransmit_all(chan, control);
6043 l2cap_ertm_send(chan);
6044 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6045 set_bit(CONN_REJ_ACT, &chan->conn_state);
6049 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6051 BT_DBG("chan %p, txseq %d", chan, txseq);
6053 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6054 chan->expected_tx_seq);
6056 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6057 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6059 /* See notes below regarding "double poll" and
6062 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6063 BT_DBG("Invalid/Ignore - after SREJ");
6064 return L2CAP_TXSEQ_INVALID_IGNORE;
6066 BT_DBG("Invalid - in window after SREJ sent");
6067 return L2CAP_TXSEQ_INVALID;
6071 if (chan->srej_list.head == txseq) {
6072 BT_DBG("Expected SREJ");
6073 return L2CAP_TXSEQ_EXPECTED_SREJ;
6076 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6077 BT_DBG("Duplicate SREJ - txseq already stored");
6078 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6081 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6082 BT_DBG("Unexpected SREJ - not requested");
6083 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6087 if (chan->expected_tx_seq == txseq) {
6088 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6090 BT_DBG("Invalid - txseq outside tx window");
6091 return L2CAP_TXSEQ_INVALID;
6094 return L2CAP_TXSEQ_EXPECTED;
6098 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6099 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6100 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6101 return L2CAP_TXSEQ_DUPLICATE;
6104 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6105 /* A source of invalid packets is a "double poll" condition,
6106 * where delays cause us to send multiple poll packets. If
6107 * the remote stack receives and processes both polls,
6108 * sequence numbers can wrap around in such a way that a
6109 * resent frame has a sequence number that looks like new data
6110 * with a sequence gap. This would trigger an erroneous SREJ
6113 * Fortunately, this is impossible with a tx window that's
6114 * less than half of the maximum sequence number, which allows
6115 * invalid frames to be safely ignored.
6117 * With tx window sizes greater than half of the tx window
6118 * maximum, the frame is invalid and cannot be ignored. This
6119 * causes a disconnect.
6122 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6123 BT_DBG("Invalid/Ignore - txseq outside tx window");
6124 return L2CAP_TXSEQ_INVALID_IGNORE;
6126 BT_DBG("Invalid - txseq outside tx window");
6127 return L2CAP_TXSEQ_INVALID;
6130 BT_DBG("Unexpected - txseq indicates missing frames");
6131 return L2CAP_TXSEQ_UNEXPECTED;
6135 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6136 struct l2cap_ctrl *control,
6137 struct sk_buff *skb, u8 event)
6140 bool skb_in_use = false;
6142 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6146 case L2CAP_EV_RECV_IFRAME:
6147 switch (l2cap_classify_txseq(chan, control->txseq)) {
6148 case L2CAP_TXSEQ_EXPECTED:
6149 l2cap_pass_to_tx(chan, control);
6151 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6152 BT_DBG("Busy, discarding expected seq %d",
6157 chan->expected_tx_seq = __next_seq(chan,
6160 chan->buffer_seq = chan->expected_tx_seq;
6163 err = l2cap_reassemble_sdu(chan, skb, control);
6167 if (control->final) {
6168 if (!test_and_clear_bit(CONN_REJ_ACT,
6169 &chan->conn_state)) {
6171 l2cap_retransmit_all(chan, control);
6172 l2cap_ertm_send(chan);
6176 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6177 l2cap_send_ack(chan);
6179 case L2CAP_TXSEQ_UNEXPECTED:
6180 l2cap_pass_to_tx(chan, control);
6182 /* Can't issue SREJ frames in the local busy state.
6183 * Drop this frame, it will be seen as missing
6184 * when local busy is exited.
6186 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6187 BT_DBG("Busy, discarding unexpected seq %d",
6192 /* There was a gap in the sequence, so an SREJ
6193 * must be sent for each missing frame. The
6194 * current frame is stored for later use.
6196 skb_queue_tail(&chan->srej_q, skb);
6198 BT_DBG("Queued %p (queue len %d)", skb,
6199 skb_queue_len(&chan->srej_q));
6201 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6202 l2cap_seq_list_clear(&chan->srej_list);
6203 l2cap_send_srej(chan, control->txseq);
6205 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6207 case L2CAP_TXSEQ_DUPLICATE:
6208 l2cap_pass_to_tx(chan, control);
6210 case L2CAP_TXSEQ_INVALID_IGNORE:
6212 case L2CAP_TXSEQ_INVALID:
6214 l2cap_send_disconn_req(chan, ECONNRESET);
6218 case L2CAP_EV_RECV_RR:
6219 l2cap_pass_to_tx(chan, control);
6220 if (control->final) {
6221 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6223 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6224 !__chan_is_moving(chan)) {
6226 l2cap_retransmit_all(chan, control);
6229 l2cap_ertm_send(chan);
6230 } else if (control->poll) {
6231 l2cap_send_i_or_rr_or_rnr(chan);
6233 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6234 &chan->conn_state) &&
6235 chan->unacked_frames)
6236 __set_retrans_timer(chan);
6238 l2cap_ertm_send(chan);
6241 case L2CAP_EV_RECV_RNR:
6242 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6243 l2cap_pass_to_tx(chan, control);
6244 if (control && control->poll) {
6245 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6246 l2cap_send_rr_or_rnr(chan, 0);
6248 __clear_retrans_timer(chan);
6249 l2cap_seq_list_clear(&chan->retrans_list);
6251 case L2CAP_EV_RECV_REJ:
6252 l2cap_handle_rej(chan, control);
6254 case L2CAP_EV_RECV_SREJ:
6255 l2cap_handle_srej(chan, control);
6261 if (skb && !skb_in_use) {
6262 BT_DBG("Freeing %p", skb);
6269 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6270 struct l2cap_ctrl *control,
6271 struct sk_buff *skb, u8 event)
6274 u16 txseq = control->txseq;
6275 bool skb_in_use = false;
6277 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6281 case L2CAP_EV_RECV_IFRAME:
6282 switch (l2cap_classify_txseq(chan, txseq)) {
6283 case L2CAP_TXSEQ_EXPECTED:
6284 /* Keep frame for reassembly later */
6285 l2cap_pass_to_tx(chan, control);
6286 skb_queue_tail(&chan->srej_q, skb);
6288 BT_DBG("Queued %p (queue len %d)", skb,
6289 skb_queue_len(&chan->srej_q));
6291 chan->expected_tx_seq = __next_seq(chan, txseq);
6293 case L2CAP_TXSEQ_EXPECTED_SREJ:
6294 l2cap_seq_list_pop(&chan->srej_list);
6296 l2cap_pass_to_tx(chan, control);
6297 skb_queue_tail(&chan->srej_q, skb);
6299 BT_DBG("Queued %p (queue len %d)", skb,
6300 skb_queue_len(&chan->srej_q));
6302 err = l2cap_rx_queued_iframes(chan);
6307 case L2CAP_TXSEQ_UNEXPECTED:
6308 /* Got a frame that can't be reassembled yet.
6309 * Save it for later, and send SREJs to cover
6310 * the missing frames.
6312 skb_queue_tail(&chan->srej_q, skb);
6314 BT_DBG("Queued %p (queue len %d)", skb,
6315 skb_queue_len(&chan->srej_q));
6317 l2cap_pass_to_tx(chan, control);
6318 l2cap_send_srej(chan, control->txseq);
6320 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6321 /* This frame was requested with an SREJ, but
6322 * some expected retransmitted frames are
6323 * missing. Request retransmission of missing
6326 skb_queue_tail(&chan->srej_q, skb);
6328 BT_DBG("Queued %p (queue len %d)", skb,
6329 skb_queue_len(&chan->srej_q));
6331 l2cap_pass_to_tx(chan, control);
6332 l2cap_send_srej_list(chan, control->txseq);
6334 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6335 /* We've already queued this frame. Drop this copy. */
6336 l2cap_pass_to_tx(chan, control);
6338 case L2CAP_TXSEQ_DUPLICATE:
6339 /* Expecting a later sequence number, so this frame
6340 * was already received. Ignore it completely.
6343 case L2CAP_TXSEQ_INVALID_IGNORE:
6345 case L2CAP_TXSEQ_INVALID:
6347 l2cap_send_disconn_req(chan, ECONNRESET);
6351 case L2CAP_EV_RECV_RR:
6352 l2cap_pass_to_tx(chan, control);
6353 if (control->final) {
6354 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6356 if (!test_and_clear_bit(CONN_REJ_ACT,
6357 &chan->conn_state)) {
6359 l2cap_retransmit_all(chan, control);
6362 l2cap_ertm_send(chan);
6363 } else if (control->poll) {
6364 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6365 &chan->conn_state) &&
6366 chan->unacked_frames) {
6367 __set_retrans_timer(chan);
6370 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6371 l2cap_send_srej_tail(chan);
6373 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6374 &chan->conn_state) &&
6375 chan->unacked_frames)
6376 __set_retrans_timer(chan);
6378 l2cap_send_ack(chan);
6381 case L2CAP_EV_RECV_RNR:
6382 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6383 l2cap_pass_to_tx(chan, control);
6384 if (control->poll) {
6385 l2cap_send_srej_tail(chan);
6387 struct l2cap_ctrl rr_control;
6388 memset(&rr_control, 0, sizeof(rr_control));
6389 rr_control.sframe = 1;
6390 rr_control.super = L2CAP_SUPER_RR;
6391 rr_control.reqseq = chan->buffer_seq;
6392 l2cap_send_sframe(chan, &rr_control);
6396 case L2CAP_EV_RECV_REJ:
6397 l2cap_handle_rej(chan, control);
6399 case L2CAP_EV_RECV_SREJ:
6400 l2cap_handle_srej(chan, control);
6404 if (skb && !skb_in_use) {
6405 BT_DBG("Freeing %p", skb);
6412 static int l2cap_finish_move(struct l2cap_chan *chan)
6414 BT_DBG("chan %p", chan);
6416 chan->rx_state = L2CAP_RX_STATE_RECV;
6419 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6421 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6423 return l2cap_resegment(chan);
6426 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6427 struct l2cap_ctrl *control,
6428 struct sk_buff *skb, u8 event)
6432 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6438 l2cap_process_reqseq(chan, control->reqseq);
6440 if (!skb_queue_empty(&chan->tx_q))
6441 chan->tx_send_head = skb_peek(&chan->tx_q);
6443 chan->tx_send_head = NULL;
6445 /* Rewind next_tx_seq to the point expected
6448 chan->next_tx_seq = control->reqseq;
6449 chan->unacked_frames = 0;
6451 err = l2cap_finish_move(chan);
6455 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6456 l2cap_send_i_or_rr_or_rnr(chan);
6458 if (event == L2CAP_EV_RECV_IFRAME)
6461 return l2cap_rx_state_recv(chan, control, NULL, event);
6464 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6465 struct l2cap_ctrl *control,
6466 struct sk_buff *skb, u8 event)
6470 if (!control->final)
6473 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6475 chan->rx_state = L2CAP_RX_STATE_RECV;
6476 l2cap_process_reqseq(chan, control->reqseq);
6478 if (!skb_queue_empty(&chan->tx_q))
6479 chan->tx_send_head = skb_peek(&chan->tx_q);
6481 chan->tx_send_head = NULL;
6483 /* Rewind next_tx_seq to the point expected
6486 chan->next_tx_seq = control->reqseq;
6487 chan->unacked_frames = 0;
6490 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6492 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6494 err = l2cap_resegment(chan);
6497 err = l2cap_rx_state_recv(chan, control, skb, event);
6502 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6504 /* Make sure reqseq is for a packet that has been sent but not acked */
6507 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6508 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6511 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6512 struct sk_buff *skb, u8 event)
6516 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6517 control, skb, event, chan->rx_state);
6519 if (__valid_reqseq(chan, control->reqseq)) {
6520 switch (chan->rx_state) {
6521 case L2CAP_RX_STATE_RECV:
6522 err = l2cap_rx_state_recv(chan, control, skb, event);
6524 case L2CAP_RX_STATE_SREJ_SENT:
6525 err = l2cap_rx_state_srej_sent(chan, control, skb,
6528 case L2CAP_RX_STATE_WAIT_P:
6529 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6531 case L2CAP_RX_STATE_WAIT_F:
6532 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6539 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6540 control->reqseq, chan->next_tx_seq,
6541 chan->expected_ack_seq);
6542 l2cap_send_disconn_req(chan, ECONNRESET);
6548 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6549 struct sk_buff *skb)
6551 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6554 if (l2cap_classify_txseq(chan, control->txseq) ==
6555 L2CAP_TXSEQ_EXPECTED) {
6556 l2cap_pass_to_tx(chan, control);
6558 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6559 __next_seq(chan, chan->buffer_seq));
6561 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6563 l2cap_reassemble_sdu(chan, skb, control);
6566 kfree_skb(chan->sdu);
6569 chan->sdu_last_frag = NULL;
6573 BT_DBG("Freeing %p", skb);
6578 chan->last_acked_seq = control->txseq;
6579 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6584 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6586 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6590 __unpack_control(chan, skb);
6595 * We can just drop the corrupted I-frame here.
6596 * Receiver will miss it and start proper recovery
6597 * procedures and ask for retransmission.
6599 if (l2cap_check_fcs(chan, skb))
6602 if (!control->sframe && control->sar == L2CAP_SAR_START)
6603 len -= L2CAP_SDULEN_SIZE;
6605 if (chan->fcs == L2CAP_FCS_CRC16)
6606 len -= L2CAP_FCS_SIZE;
6608 if (len > chan->mps) {
6609 l2cap_send_disconn_req(chan, ECONNRESET);
6613 if (!control->sframe) {
6616 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6617 control->sar, control->reqseq, control->final,
6620 /* Validate F-bit - F=0 always valid, F=1 only
6621 * valid in TX WAIT_F
6623 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6626 if (chan->mode != L2CAP_MODE_STREAMING) {
6627 event = L2CAP_EV_RECV_IFRAME;
6628 err = l2cap_rx(chan, control, skb, event);
6630 err = l2cap_stream_rx(chan, control, skb);
6634 l2cap_send_disconn_req(chan, ECONNRESET);
6636 const u8 rx_func_to_event[4] = {
6637 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6638 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6641 /* Only I-frames are expected in streaming mode */
6642 if (chan->mode == L2CAP_MODE_STREAMING)
6645 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6646 control->reqseq, control->final, control->poll,
6650 BT_ERR("Trailing bytes: %d in sframe", len);
6651 l2cap_send_disconn_req(chan, ECONNRESET);
6655 /* Validate F and P bits */
6656 if (control->final && (control->poll ||
6657 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6660 event = rx_func_to_event[control->super];
6661 if (l2cap_rx(chan, control, skb, event))
6662 l2cap_send_disconn_req(chan, ECONNRESET);
6672 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6674 struct l2cap_conn *conn = chan->conn;
6675 struct l2cap_le_credits pkt;
6678 /* We return more credits to the sender only after the amount of
6679 * credits falls below half of the initial amount.
6681 if (chan->rx_credits >= (le_max_credits + 1) / 2)
6684 return_credits = le_max_credits - chan->rx_credits;
6686 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6688 chan->rx_credits += return_credits;
6690 pkt.cid = cpu_to_le16(chan->scid);
6691 pkt.credits = cpu_to_le16(return_credits);
6693 chan->ident = l2cap_get_ident(conn);
6695 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6698 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6702 if (!chan->rx_credits) {
6703 BT_ERR("No credits to receive LE L2CAP data");
6704 l2cap_send_disconn_req(chan, ECONNRESET);
6708 if (chan->imtu < skb->len) {
6709 BT_ERR("Too big LE L2CAP PDU");
6714 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6716 l2cap_chan_le_send_credits(chan);
6723 sdu_len = get_unaligned_le16(skb->data);
6724 skb_pull(skb, L2CAP_SDULEN_SIZE);
6726 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6727 sdu_len, skb->len, chan->imtu);
6729 if (sdu_len > chan->imtu) {
6730 BT_ERR("Too big LE L2CAP SDU length received");
6735 if (skb->len > sdu_len) {
6736 BT_ERR("Too much LE L2CAP data received");
6741 if (skb->len == sdu_len)
6742 return chan->ops->recv(chan, skb);
6745 chan->sdu_len = sdu_len;
6746 chan->sdu_last_frag = skb;
6751 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6752 chan->sdu->len, skb->len, chan->sdu_len);
6754 if (chan->sdu->len + skb->len > chan->sdu_len) {
6755 BT_ERR("Too much LE L2CAP data received");
6760 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6763 if (chan->sdu->len == chan->sdu_len) {
6764 err = chan->ops->recv(chan, chan->sdu);
6767 chan->sdu_last_frag = NULL;
6775 kfree_skb(chan->sdu);
6777 chan->sdu_last_frag = NULL;
6781 /* We can't return an error here since we took care of the skb
6782 * freeing internally. An error return would cause the caller to
6783 * do a double-free of the skb.
6788 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6789 struct sk_buff *skb)
6791 struct l2cap_chan *chan;
6793 chan = l2cap_get_chan_by_scid(conn, cid);
6795 if (cid == L2CAP_CID_A2MP) {
6796 chan = a2mp_channel_create(conn, skb);
6802 l2cap_chan_lock(chan);
6804 BT_DBG("unknown cid 0x%4.4x", cid);
6805 /* Drop packet and return */
6811 BT_DBG("chan %p, len %d", chan, skb->len);
6813 /* If we receive data on a fixed channel before the info req/rsp
6814 * procdure is done simply assume that the channel is supported
6815 * and mark it as ready.
6817 if (chan->chan_type == L2CAP_CHAN_FIXED)
6818 l2cap_chan_ready(chan);
6820 if (chan->state != BT_CONNECTED)
6823 switch (chan->mode) {
6824 case L2CAP_MODE_LE_FLOWCTL:
6825 if (l2cap_le_data_rcv(chan, skb) < 0)
6830 case L2CAP_MODE_BASIC:
6831 /* If socket recv buffers overflows we drop data here
6832 * which is *bad* because L2CAP has to be reliable.
6833 * But we don't have any other choice. L2CAP doesn't
6834 * provide flow control mechanism. */
6836 if (chan->imtu < skb->len) {
6837 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6841 if (!chan->ops->recv(chan, skb))
6845 case L2CAP_MODE_ERTM:
6846 case L2CAP_MODE_STREAMING:
6847 l2cap_data_rcv(chan, skb);
6851 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6859 l2cap_chan_unlock(chan);
6862 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6863 struct sk_buff *skb)
6865 struct hci_conn *hcon = conn->hcon;
6866 struct l2cap_chan *chan;
6868 if (hcon->type != ACL_LINK)
6871 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6876 BT_DBG("chan %p, len %d", chan, skb->len);
6878 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6881 if (chan->imtu < skb->len)
6884 /* Store remote BD_ADDR and PSM for msg_name */
6885 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6886 bt_cb(skb)->l2cap.psm = psm;
6888 if (!chan->ops->recv(chan, skb)) {
6889 l2cap_chan_put(chan);
6894 l2cap_chan_put(chan);
6899 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6901 struct l2cap_hdr *lh = (void *) skb->data;
6902 struct hci_conn *hcon = conn->hcon;
6906 if (hcon->state != BT_CONNECTED) {
6907 BT_DBG("queueing pending rx skb");
6908 skb_queue_tail(&conn->pending_rx, skb);
6912 skb_pull(skb, L2CAP_HDR_SIZE);
6913 cid = __le16_to_cpu(lh->cid);
6914 len = __le16_to_cpu(lh->len);
6916 if (len != skb->len) {
6921 /* Since we can't actively block incoming LE connections we must
6922 * at least ensure that we ignore incoming data from them.
6924 if (hcon->type == LE_LINK &&
6925 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
6926 bdaddr_dst_type(hcon))) {
6931 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6934 case L2CAP_CID_SIGNALING:
6935 l2cap_sig_channel(conn, skb);
6938 case L2CAP_CID_CONN_LESS:
6939 psm = get_unaligned((__le16 *) skb->data);
6940 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6941 l2cap_conless_channel(conn, psm, skb);
6944 case L2CAP_CID_LE_SIGNALING:
6945 l2cap_le_sig_channel(conn, skb);
6949 l2cap_data_channel(conn, cid, skb);
6954 static void process_pending_rx(struct work_struct *work)
6956 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
6958 struct sk_buff *skb;
6962 while ((skb = skb_dequeue(&conn->pending_rx)))
6963 l2cap_recv_frame(conn, skb);
6966 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
6968 struct l2cap_conn *conn = hcon->l2cap_data;
6969 struct hci_chan *hchan;
6974 hchan = hci_chan_create(hcon);
6978 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
6980 hci_chan_del(hchan);
6984 kref_init(&conn->ref);
6985 hcon->l2cap_data = conn;
6986 conn->hcon = hci_conn_get(hcon);
6987 conn->hchan = hchan;
6989 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
6991 switch (hcon->type) {
6993 if (hcon->hdev->le_mtu) {
6994 conn->mtu = hcon->hdev->le_mtu;
6999 conn->mtu = hcon->hdev->acl_mtu;
7003 conn->feat_mask = 0;
7005 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7007 if (hcon->type == ACL_LINK &&
7008 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7009 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7011 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7012 (bredr_sc_enabled(hcon->hdev) ||
7013 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7014 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7016 mutex_init(&conn->ident_lock);
7017 mutex_init(&conn->chan_lock);
7019 INIT_LIST_HEAD(&conn->chan_l);
7020 INIT_LIST_HEAD(&conn->users);
7022 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7024 skb_queue_head_init(&conn->pending_rx);
7025 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7026 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7028 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7033 static bool is_valid_psm(u16 psm, u8 dst_type) {
7037 if (bdaddr_type_is_le(dst_type))
7038 return (psm <= 0x00ff);
7040 /* PSM must be odd and lsb of upper byte must be 0 */
7041 return ((psm & 0x0101) == 0x0001);
7044 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7045 bdaddr_t *dst, u8 dst_type)
7047 struct l2cap_conn *conn;
7048 struct hci_conn *hcon;
7049 struct hci_dev *hdev;
7052 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7053 dst_type, __le16_to_cpu(psm));
7055 hdev = hci_get_route(dst, &chan->src);
7057 return -EHOSTUNREACH;
7061 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7062 chan->chan_type != L2CAP_CHAN_RAW) {
7067 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7072 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7077 switch (chan->mode) {
7078 case L2CAP_MODE_BASIC:
7080 case L2CAP_MODE_LE_FLOWCTL:
7081 l2cap_le_flowctl_init(chan);
7083 case L2CAP_MODE_ERTM:
7084 case L2CAP_MODE_STREAMING:
7093 switch (chan->state) {
7097 /* Already connecting */
7102 /* Already connected */
7116 /* Set destination address and psm */
7117 bacpy(&chan->dst, dst);
7118 chan->dst_type = dst_type;
7123 if (bdaddr_type_is_le(dst_type)) {
7124 /* Convert from L2CAP channel address type to HCI address type
7126 if (dst_type == BDADDR_LE_PUBLIC)
7127 dst_type = ADDR_LE_DEV_PUBLIC;
7129 dst_type = ADDR_LE_DEV_RANDOM;
7131 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7132 hcon = hci_connect_le(hdev, dst, dst_type,
7134 HCI_LE_CONN_TIMEOUT,
7137 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7139 HCI_LE_CONN_TIMEOUT);
7142 u8 auth_type = l2cap_get_auth_type(chan);
7143 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7147 err = PTR_ERR(hcon);
7151 conn = l2cap_conn_add(hcon);
7153 hci_conn_drop(hcon);
7158 mutex_lock(&conn->chan_lock);
7159 l2cap_chan_lock(chan);
7161 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7162 hci_conn_drop(hcon);
7167 /* Update source addr of the socket */
7168 bacpy(&chan->src, &hcon->src);
7169 chan->src_type = bdaddr_src_type(hcon);
7171 __l2cap_chan_add(conn, chan);
7173 /* l2cap_chan_add takes its own ref so we can drop this one */
7174 hci_conn_drop(hcon);
7176 l2cap_state_change(chan, BT_CONNECT);
7177 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7179 /* Release chan->sport so that it can be reused by other
7180 * sockets (as it's only used for listening sockets).
7182 write_lock(&chan_list_lock);
7184 write_unlock(&chan_list_lock);
7186 if (hcon->state == BT_CONNECTED) {
7187 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7188 __clear_chan_timer(chan);
7189 if (l2cap_chan_check_security(chan, true))
7190 l2cap_state_change(chan, BT_CONNECTED);
7192 l2cap_do_start(chan);
7198 l2cap_chan_unlock(chan);
7199 mutex_unlock(&conn->chan_lock);
7201 hci_dev_unlock(hdev);
7205 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7207 /* ---- L2CAP interface with lower layer (HCI) ---- */
7209 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7211 int exact = 0, lm1 = 0, lm2 = 0;
7212 struct l2cap_chan *c;
7214 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7216 /* Find listening sockets and check their link_mode */
7217 read_lock(&chan_list_lock);
7218 list_for_each_entry(c, &chan_list, global_l) {
7219 if (c->state != BT_LISTEN)
7222 if (!bacmp(&c->src, &hdev->bdaddr)) {
7223 lm1 |= HCI_LM_ACCEPT;
7224 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7225 lm1 |= HCI_LM_MASTER;
7227 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7228 lm2 |= HCI_LM_ACCEPT;
7229 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7230 lm2 |= HCI_LM_MASTER;
7233 read_unlock(&chan_list_lock);
7235 return exact ? lm1 : lm2;
7238 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7239 * from an existing channel in the list or from the beginning of the
7240 * global list (by passing NULL as first parameter).
7242 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7243 struct hci_conn *hcon)
7245 u8 src_type = bdaddr_src_type(hcon);
7247 read_lock(&chan_list_lock);
7250 c = list_next_entry(c, global_l);
7252 c = list_entry(chan_list.next, typeof(*c), global_l);
7254 list_for_each_entry_from(c, &chan_list, global_l) {
7255 if (c->chan_type != L2CAP_CHAN_FIXED)
7257 if (c->state != BT_LISTEN)
7259 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7261 if (src_type != c->src_type)
7265 read_unlock(&chan_list_lock);
7269 read_unlock(&chan_list_lock);
7274 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7276 struct hci_dev *hdev = hcon->hdev;
7277 struct l2cap_conn *conn;
7278 struct l2cap_chan *pchan;
7281 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7284 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7287 l2cap_conn_del(hcon, bt_to_errno(status));
7291 conn = l2cap_conn_add(hcon);
7295 dst_type = bdaddr_dst_type(hcon);
7297 /* If device is blocked, do not create channels for it */
7298 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7301 /* Find fixed channels and notify them of the new connection. We
7302 * use multiple individual lookups, continuing each time where
7303 * we left off, because the list lock would prevent calling the
7304 * potentially sleeping l2cap_chan_lock() function.
7306 pchan = l2cap_global_fixed_chan(NULL, hcon);
7308 struct l2cap_chan *chan, *next;
7310 /* Client fixed channels should override server ones */
7311 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7314 l2cap_chan_lock(pchan);
7315 chan = pchan->ops->new_connection(pchan);
7317 bacpy(&chan->src, &hcon->src);
7318 bacpy(&chan->dst, &hcon->dst);
7319 chan->src_type = bdaddr_src_type(hcon);
7320 chan->dst_type = dst_type;
7322 __l2cap_chan_add(conn, chan);
7325 l2cap_chan_unlock(pchan);
7327 next = l2cap_global_fixed_chan(pchan, hcon);
7328 l2cap_chan_put(pchan);
7332 l2cap_conn_ready(conn);
7335 int l2cap_disconn_ind(struct hci_conn *hcon)
7337 struct l2cap_conn *conn = hcon->l2cap_data;
7339 BT_DBG("hcon %p", hcon);
7342 return HCI_ERROR_REMOTE_USER_TERM;
7343 return conn->disc_reason;
7346 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7348 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7351 BT_DBG("hcon %p reason %d", hcon, reason);
7353 l2cap_conn_del(hcon, bt_to_errno(reason));
7356 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7358 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7361 if (encrypt == 0x00) {
7362 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7363 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7364 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7365 chan->sec_level == BT_SECURITY_FIPS)
7366 l2cap_chan_close(chan, ECONNREFUSED);
7368 if (chan->sec_level == BT_SECURITY_MEDIUM)
7369 __clear_chan_timer(chan);
7373 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7375 struct l2cap_conn *conn = hcon->l2cap_data;
7376 struct l2cap_chan *chan;
7381 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7383 mutex_lock(&conn->chan_lock);
7385 list_for_each_entry(chan, &conn->chan_l, list) {
7386 l2cap_chan_lock(chan);
7388 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7389 state_to_string(chan->state));
7391 if (chan->scid == L2CAP_CID_A2MP) {
7392 l2cap_chan_unlock(chan);
7396 if (!status && encrypt)
7397 chan->sec_level = hcon->sec_level;
7399 if (!__l2cap_no_conn_pending(chan)) {
7400 l2cap_chan_unlock(chan);
7404 if (!status && (chan->state == BT_CONNECTED ||
7405 chan->state == BT_CONFIG)) {
7406 chan->ops->resume(chan);
7407 l2cap_check_encryption(chan, encrypt);
7408 l2cap_chan_unlock(chan);
7412 if (chan->state == BT_CONNECT) {
7414 l2cap_start_connection(chan);
7416 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7417 } else if (chan->state == BT_CONNECT2 &&
7418 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7419 struct l2cap_conn_rsp rsp;
7423 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7424 res = L2CAP_CR_PEND;
7425 stat = L2CAP_CS_AUTHOR_PEND;
7426 chan->ops->defer(chan);
7428 l2cap_state_change(chan, BT_CONFIG);
7429 res = L2CAP_CR_SUCCESS;
7430 stat = L2CAP_CS_NO_INFO;
7433 l2cap_state_change(chan, BT_DISCONN);
7434 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7435 res = L2CAP_CR_SEC_BLOCK;
7436 stat = L2CAP_CS_NO_INFO;
7439 rsp.scid = cpu_to_le16(chan->dcid);
7440 rsp.dcid = cpu_to_le16(chan->scid);
7441 rsp.result = cpu_to_le16(res);
7442 rsp.status = cpu_to_le16(stat);
7443 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7446 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7447 res == L2CAP_CR_SUCCESS) {
7449 set_bit(CONF_REQ_SENT, &chan->conf_state);
7450 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7452 l2cap_build_conf_req(chan, buf),
7454 chan->num_conf_req++;
7458 l2cap_chan_unlock(chan);
7461 mutex_unlock(&conn->chan_lock);
7464 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7466 struct l2cap_conn *conn = hcon->l2cap_data;
7467 struct l2cap_hdr *hdr;
7470 /* For AMP controller do not create l2cap conn */
7471 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
7475 conn = l2cap_conn_add(hcon);
7480 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7484 case ACL_START_NO_FLUSH:
7487 BT_ERR("Unexpected start frame (len %d)", skb->len);
7488 kfree_skb(conn->rx_skb);
7489 conn->rx_skb = NULL;
7491 l2cap_conn_unreliable(conn, ECOMM);
7494 /* Start fragment always begin with Basic L2CAP header */
7495 if (skb->len < L2CAP_HDR_SIZE) {
7496 BT_ERR("Frame is too short (len %d)", skb->len);
7497 l2cap_conn_unreliable(conn, ECOMM);
7501 hdr = (struct l2cap_hdr *) skb->data;
7502 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7504 if (len == skb->len) {
7505 /* Complete frame received */
7506 l2cap_recv_frame(conn, skb);
7510 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7512 if (skb->len > len) {
7513 BT_ERR("Frame is too long (len %d, expected len %d)",
7515 l2cap_conn_unreliable(conn, ECOMM);
7519 /* Allocate skb for the complete frame (with header) */
7520 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7524 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7526 conn->rx_len = len - skb->len;
7530 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7532 if (!conn->rx_len) {
7533 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7534 l2cap_conn_unreliable(conn, ECOMM);
7538 if (skb->len > conn->rx_len) {
7539 BT_ERR("Fragment is too long (len %d, expected %d)",
7540 skb->len, conn->rx_len);
7541 kfree_skb(conn->rx_skb);
7542 conn->rx_skb = NULL;
7544 l2cap_conn_unreliable(conn, ECOMM);
7548 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7550 conn->rx_len -= skb->len;
7552 if (!conn->rx_len) {
7553 /* Complete frame received. l2cap_recv_frame
7554 * takes ownership of the skb so set the global
7555 * rx_skb pointer to NULL first.
7557 struct sk_buff *rx_skb = conn->rx_skb;
7558 conn->rx_skb = NULL;
7559 l2cap_recv_frame(conn, rx_skb);
7568 static struct hci_cb l2cap_cb = {
7570 .connect_cfm = l2cap_connect_cfm,
7571 .disconn_cfm = l2cap_disconn_cfm,
7572 .security_cfm = l2cap_security_cfm,
7575 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7577 struct l2cap_chan *c;
7579 read_lock(&chan_list_lock);
7581 list_for_each_entry(c, &chan_list, global_l) {
7582 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7583 &c->src, c->src_type, &c->dst, c->dst_type,
7584 c->state, __le16_to_cpu(c->psm),
7585 c->scid, c->dcid, c->imtu, c->omtu,
7586 c->sec_level, c->mode);
7589 read_unlock(&chan_list_lock);
7594 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
7596 return single_open(file, l2cap_debugfs_show, inode->i_private);
7599 static const struct file_operations l2cap_debugfs_fops = {
7600 .open = l2cap_debugfs_open,
7602 .llseek = seq_lseek,
7603 .release = single_release,
7606 static struct dentry *l2cap_debugfs;
7608 int __init l2cap_init(void)
7612 err = l2cap_init_sockets();
7616 hci_register_cb(&l2cap_cb);
7618 if (IS_ERR_OR_NULL(bt_debugfs))
7621 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7622 NULL, &l2cap_debugfs_fops);
7624 debugfs_create_u16("l2cap_le_max_credits", 0644, bt_debugfs,
7626 debugfs_create_u16("l2cap_le_default_mps", 0644, bt_debugfs,
7632 void l2cap_exit(void)
7634 debugfs_remove(l2cap_debugfs);
7635 hci_unregister_cb(&l2cap_cb);
7636 l2cap_cleanup_sockets();
7639 module_param(disable_ertm, bool, 0644);
7640 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / cascardo / linux.git / blob