2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
54 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
55 u8 code, u8 ident, u16 dlen, void *data);
56 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
58 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
59 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
61 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
62 struct sk_buff_head *skbs, u8 event);
64 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
66 if (link_type == LE_LINK) {
67 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
68 return BDADDR_LE_PUBLIC;
70 return BDADDR_LE_RANDOM;
76 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
78 return bdaddr_type(hcon->type, hcon->src_type);
81 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
83 return bdaddr_type(hcon->type, hcon->dst_type);
86 /* ---- L2CAP channels ---- */
88 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
93 list_for_each_entry(c, &conn->chan_l, list) {
100 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 struct l2cap_chan *c;
105 list_for_each_entry(c, &conn->chan_l, list) {
112 /* Find channel with given SCID.
113 * Returns locked channel. */
114 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
117 struct l2cap_chan *c;
119 mutex_lock(&conn->chan_lock);
120 c = __l2cap_get_chan_by_scid(conn, cid);
123 mutex_unlock(&conn->chan_lock);
128 /* Find channel with given DCID.
129 * Returns locked channel.
131 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
134 struct l2cap_chan *c;
136 mutex_lock(&conn->chan_lock);
137 c = __l2cap_get_chan_by_dcid(conn, cid);
140 mutex_unlock(&conn->chan_lock);
145 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
148 struct l2cap_chan *c;
150 list_for_each_entry(c, &conn->chan_l, list) {
151 if (c->ident == ident)
157 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
160 struct l2cap_chan *c;
162 mutex_lock(&conn->chan_lock);
163 c = __l2cap_get_chan_by_ident(conn, ident);
166 mutex_unlock(&conn->chan_lock);
171 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
173 struct l2cap_chan *c;
175 list_for_each_entry(c, &chan_list, global_l) {
176 if (c->sport == psm && !bacmp(&c->src, src))
182 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
186 write_lock(&chan_list_lock);
188 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
198 u16 p, start, end, incr;
200 if (chan->src_type == BDADDR_BREDR) {
201 start = L2CAP_PSM_DYN_START;
202 end = L2CAP_PSM_AUTO_END;
205 start = L2CAP_PSM_LE_DYN_START;
206 end = L2CAP_PSM_LE_DYN_END;
211 for (p = start; p <= end; p += incr)
212 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
213 chan->psm = cpu_to_le16(p);
214 chan->sport = cpu_to_le16(p);
221 write_unlock(&chan_list_lock);
224 EXPORT_SYMBOL_GPL(l2cap_add_psm);
226 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
228 write_lock(&chan_list_lock);
230 /* Override the defaults (which are for conn-oriented) */
231 chan->omtu = L2CAP_DEFAULT_MTU;
232 chan->chan_type = L2CAP_CHAN_FIXED;
236 write_unlock(&chan_list_lock);
241 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
245 if (conn->hcon->type == LE_LINK)
246 dyn_end = L2CAP_CID_LE_DYN_END;
248 dyn_end = L2CAP_CID_DYN_END;
250 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
251 if (!__l2cap_get_chan_by_scid(conn, cid))
258 static void l2cap_state_change(struct l2cap_chan *chan, int state)
260 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
261 state_to_string(state));
264 chan->ops->state_change(chan, state, 0);
267 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
271 chan->ops->state_change(chan, chan->state, err);
274 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
276 chan->ops->state_change(chan, chan->state, err);
279 static void __set_retrans_timer(struct l2cap_chan *chan)
281 if (!delayed_work_pending(&chan->monitor_timer) &&
282 chan->retrans_timeout) {
283 l2cap_set_timer(chan, &chan->retrans_timer,
284 msecs_to_jiffies(chan->retrans_timeout));
288 static void __set_monitor_timer(struct l2cap_chan *chan)
290 __clear_retrans_timer(chan);
291 if (chan->monitor_timeout) {
292 l2cap_set_timer(chan, &chan->monitor_timer,
293 msecs_to_jiffies(chan->monitor_timeout));
297 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
302 skb_queue_walk(head, skb) {
303 if (bt_cb(skb)->l2cap.txseq == seq)
310 /* ---- L2CAP sequence number lists ---- */
312 /* For ERTM, ordered lists of sequence numbers must be tracked for
313 * SREJ requests that are received and for frames that are to be
314 * retransmitted. These seq_list functions implement a singly-linked
315 * list in an array, where membership in the list can also be checked
316 * in constant time. Items can also be added to the tail of the list
317 * and removed from the head in constant time, without further memory
321 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
323 size_t alloc_size, i;
325 /* Allocated size is a power of 2 to map sequence numbers
326 * (which may be up to 14 bits) in to a smaller array that is
327 * sized for the negotiated ERTM transmit windows.
329 alloc_size = roundup_pow_of_two(size);
331 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
335 seq_list->mask = alloc_size - 1;
336 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
337 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
338 for (i = 0; i < alloc_size; i++)
339 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
344 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
346 kfree(seq_list->list);
349 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
352 /* Constant-time check for list membership */
353 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
356 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
358 u16 seq = seq_list->head;
359 u16 mask = seq_list->mask;
361 seq_list->head = seq_list->list[seq & mask];
362 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
364 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
365 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
366 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
372 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
376 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
379 for (i = 0; i <= seq_list->mask; i++)
380 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
382 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
383 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
386 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
388 u16 mask = seq_list->mask;
390 /* All appends happen in constant time */
392 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
395 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
396 seq_list->head = seq;
398 seq_list->list[seq_list->tail & mask] = seq;
400 seq_list->tail = seq;
401 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
404 static void l2cap_chan_timeout(struct work_struct *work)
406 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
408 struct l2cap_conn *conn = chan->conn;
411 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
413 mutex_lock(&conn->chan_lock);
414 l2cap_chan_lock(chan);
416 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
417 reason = ECONNREFUSED;
418 else if (chan->state == BT_CONNECT &&
419 chan->sec_level != BT_SECURITY_SDP)
420 reason = ECONNREFUSED;
424 l2cap_chan_close(chan, reason);
426 l2cap_chan_unlock(chan);
428 chan->ops->close(chan);
429 mutex_unlock(&conn->chan_lock);
431 l2cap_chan_put(chan);
434 struct l2cap_chan *l2cap_chan_create(void)
436 struct l2cap_chan *chan;
438 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
442 mutex_init(&chan->lock);
444 /* Set default lock nesting level */
445 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
447 write_lock(&chan_list_lock);
448 list_add(&chan->global_l, &chan_list);
449 write_unlock(&chan_list_lock);
451 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
453 chan->state = BT_OPEN;
455 kref_init(&chan->kref);
457 /* This flag is cleared in l2cap_chan_ready() */
458 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
460 BT_DBG("chan %p", chan);
464 EXPORT_SYMBOL_GPL(l2cap_chan_create);
466 static void l2cap_chan_destroy(struct kref *kref)
468 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
470 BT_DBG("chan %p", chan);
472 write_lock(&chan_list_lock);
473 list_del(&chan->global_l);
474 write_unlock(&chan_list_lock);
479 void l2cap_chan_hold(struct l2cap_chan *c)
481 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
486 void l2cap_chan_put(struct l2cap_chan *c)
488 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
490 kref_put(&c->kref, l2cap_chan_destroy);
492 EXPORT_SYMBOL_GPL(l2cap_chan_put);
494 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
496 chan->fcs = L2CAP_FCS_CRC16;
497 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
498 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
499 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
500 chan->remote_max_tx = chan->max_tx;
501 chan->remote_tx_win = chan->tx_win;
502 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
503 chan->sec_level = BT_SECURITY_LOW;
504 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
505 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
506 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
507 chan->conf_state = 0;
509 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
511 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
513 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
516 chan->sdu_last_frag = NULL;
518 chan->tx_credits = tx_credits;
519 /* Derive MPS from connection MTU to stop HCI fragmentation */
520 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
521 /* Give enough credits for a full packet */
522 chan->rx_credits = (chan->imtu / chan->mps) + 1;
524 skb_queue_head_init(&chan->tx_q);
527 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
529 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
530 __le16_to_cpu(chan->psm), chan->dcid);
532 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
536 switch (chan->chan_type) {
537 case L2CAP_CHAN_CONN_ORIENTED:
538 /* Alloc CID for connection-oriented socket */
539 chan->scid = l2cap_alloc_cid(conn);
540 if (conn->hcon->type == ACL_LINK)
541 chan->omtu = L2CAP_DEFAULT_MTU;
544 case L2CAP_CHAN_CONN_LESS:
545 /* Connectionless socket */
546 chan->scid = L2CAP_CID_CONN_LESS;
547 chan->dcid = L2CAP_CID_CONN_LESS;
548 chan->omtu = L2CAP_DEFAULT_MTU;
551 case L2CAP_CHAN_FIXED:
552 /* Caller will set CID and CID specific MTU values */
556 /* Raw socket can send/recv signalling messages only */
557 chan->scid = L2CAP_CID_SIGNALING;
558 chan->dcid = L2CAP_CID_SIGNALING;
559 chan->omtu = L2CAP_DEFAULT_MTU;
562 chan->local_id = L2CAP_BESTEFFORT_ID;
563 chan->local_stype = L2CAP_SERV_BESTEFFORT;
564 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
565 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
566 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
567 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
569 l2cap_chan_hold(chan);
571 /* Only keep a reference for fixed channels if they requested it */
572 if (chan->chan_type != L2CAP_CHAN_FIXED ||
573 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
574 hci_conn_hold(conn->hcon);
576 list_add(&chan->list, &conn->chan_l);
579 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
581 mutex_lock(&conn->chan_lock);
582 __l2cap_chan_add(conn, chan);
583 mutex_unlock(&conn->chan_lock);
586 void l2cap_chan_del(struct l2cap_chan *chan, int err)
588 struct l2cap_conn *conn = chan->conn;
590 __clear_chan_timer(chan);
592 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
593 state_to_string(chan->state));
595 chan->ops->teardown(chan, err);
598 struct amp_mgr *mgr = conn->hcon->amp_mgr;
599 /* Delete from channel list */
600 list_del(&chan->list);
602 l2cap_chan_put(chan);
606 /* Reference was only held for non-fixed channels or
607 * fixed channels that explicitly requested it using the
608 * FLAG_HOLD_HCI_CONN flag.
610 if (chan->chan_type != L2CAP_CHAN_FIXED ||
611 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
612 hci_conn_drop(conn->hcon);
614 if (mgr && mgr->bredr_chan == chan)
615 mgr->bredr_chan = NULL;
618 if (chan->hs_hchan) {
619 struct hci_chan *hs_hchan = chan->hs_hchan;
621 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
622 amp_disconnect_logical_link(hs_hchan);
625 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
629 case L2CAP_MODE_BASIC:
632 case L2CAP_MODE_LE_FLOWCTL:
633 skb_queue_purge(&chan->tx_q);
636 case L2CAP_MODE_ERTM:
637 __clear_retrans_timer(chan);
638 __clear_monitor_timer(chan);
639 __clear_ack_timer(chan);
641 skb_queue_purge(&chan->srej_q);
643 l2cap_seq_list_free(&chan->srej_list);
644 l2cap_seq_list_free(&chan->retrans_list);
648 case L2CAP_MODE_STREAMING:
649 skb_queue_purge(&chan->tx_q);
655 EXPORT_SYMBOL_GPL(l2cap_chan_del);
657 static void l2cap_conn_update_id_addr(struct work_struct *work)
659 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
660 id_addr_update_work);
661 struct hci_conn *hcon = conn->hcon;
662 struct l2cap_chan *chan;
664 mutex_lock(&conn->chan_lock);
666 list_for_each_entry(chan, &conn->chan_l, list) {
667 l2cap_chan_lock(chan);
668 bacpy(&chan->dst, &hcon->dst);
669 chan->dst_type = bdaddr_dst_type(hcon);
670 l2cap_chan_unlock(chan);
673 mutex_unlock(&conn->chan_lock);
676 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
678 struct l2cap_conn *conn = chan->conn;
679 struct l2cap_le_conn_rsp rsp;
682 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
683 result = L2CAP_CR_LE_AUTHORIZATION;
685 result = L2CAP_CR_LE_BAD_PSM;
687 l2cap_state_change(chan, BT_DISCONN);
689 rsp.dcid = cpu_to_le16(chan->scid);
690 rsp.mtu = cpu_to_le16(chan->imtu);
691 rsp.mps = cpu_to_le16(chan->mps);
692 rsp.credits = cpu_to_le16(chan->rx_credits);
693 rsp.result = cpu_to_le16(result);
695 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
699 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
701 struct l2cap_conn *conn = chan->conn;
702 struct l2cap_conn_rsp rsp;
705 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
706 result = L2CAP_CR_SEC_BLOCK;
708 result = L2CAP_CR_BAD_PSM;
710 l2cap_state_change(chan, BT_DISCONN);
712 rsp.scid = cpu_to_le16(chan->dcid);
713 rsp.dcid = cpu_to_le16(chan->scid);
714 rsp.result = cpu_to_le16(result);
715 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
717 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
720 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
722 struct l2cap_conn *conn = chan->conn;
724 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
726 switch (chan->state) {
728 chan->ops->teardown(chan, 0);
733 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
734 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
735 l2cap_send_disconn_req(chan, reason);
737 l2cap_chan_del(chan, reason);
741 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
742 if (conn->hcon->type == ACL_LINK)
743 l2cap_chan_connect_reject(chan);
744 else if (conn->hcon->type == LE_LINK)
745 l2cap_chan_le_connect_reject(chan);
748 l2cap_chan_del(chan, reason);
753 l2cap_chan_del(chan, reason);
757 chan->ops->teardown(chan, 0);
761 EXPORT_SYMBOL(l2cap_chan_close);
763 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
765 switch (chan->chan_type) {
767 switch (chan->sec_level) {
768 case BT_SECURITY_HIGH:
769 case BT_SECURITY_FIPS:
770 return HCI_AT_DEDICATED_BONDING_MITM;
771 case BT_SECURITY_MEDIUM:
772 return HCI_AT_DEDICATED_BONDING;
774 return HCI_AT_NO_BONDING;
777 case L2CAP_CHAN_CONN_LESS:
778 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
779 if (chan->sec_level == BT_SECURITY_LOW)
780 chan->sec_level = BT_SECURITY_SDP;
782 if (chan->sec_level == BT_SECURITY_HIGH ||
783 chan->sec_level == BT_SECURITY_FIPS)
784 return HCI_AT_NO_BONDING_MITM;
786 return HCI_AT_NO_BONDING;
788 case L2CAP_CHAN_CONN_ORIENTED:
789 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
790 if (chan->sec_level == BT_SECURITY_LOW)
791 chan->sec_level = BT_SECURITY_SDP;
793 if (chan->sec_level == BT_SECURITY_HIGH ||
794 chan->sec_level == BT_SECURITY_FIPS)
795 return HCI_AT_NO_BONDING_MITM;
797 return HCI_AT_NO_BONDING;
801 switch (chan->sec_level) {
802 case BT_SECURITY_HIGH:
803 case BT_SECURITY_FIPS:
804 return HCI_AT_GENERAL_BONDING_MITM;
805 case BT_SECURITY_MEDIUM:
806 return HCI_AT_GENERAL_BONDING;
808 return HCI_AT_NO_BONDING;
814 /* Service level security */
815 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
817 struct l2cap_conn *conn = chan->conn;
820 if (conn->hcon->type == LE_LINK)
821 return smp_conn_security(conn->hcon, chan->sec_level);
823 auth_type = l2cap_get_auth_type(chan);
825 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
829 static u8 l2cap_get_ident(struct l2cap_conn *conn)
833 /* Get next available identificator.
834 * 1 - 128 are used by kernel.
835 * 129 - 199 are reserved.
836 * 200 - 254 are used by utilities like l2ping, etc.
839 mutex_lock(&conn->ident_lock);
841 if (++conn->tx_ident > 128)
846 mutex_unlock(&conn->ident_lock);
851 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
854 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
857 BT_DBG("code 0x%2.2x", code);
862 /* Use NO_FLUSH if supported or we have an LE link (which does
863 * not support auto-flushing packets) */
864 if (lmp_no_flush_capable(conn->hcon->hdev) ||
865 conn->hcon->type == LE_LINK)
866 flags = ACL_START_NO_FLUSH;
870 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
871 skb->priority = HCI_PRIO_MAX;
873 hci_send_acl(conn->hchan, skb, flags);
876 static bool __chan_is_moving(struct l2cap_chan *chan)
878 return chan->move_state != L2CAP_MOVE_STABLE &&
879 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
882 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
884 struct hci_conn *hcon = chan->conn->hcon;
887 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
890 if (chan->hs_hcon && !__chan_is_moving(chan)) {
892 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
899 /* Use NO_FLUSH for LE links (where this is the only option) or
900 * if the BR/EDR link supports it and flushing has not been
901 * explicitly requested (through FLAG_FLUSHABLE).
903 if (hcon->type == LE_LINK ||
904 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
905 lmp_no_flush_capable(hcon->hdev)))
906 flags = ACL_START_NO_FLUSH;
910 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
911 hci_send_acl(chan->conn->hchan, skb, flags);
914 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
916 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
917 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
919 if (enh & L2CAP_CTRL_FRAME_TYPE) {
922 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
923 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
930 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
931 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
938 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
940 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
941 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
943 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
946 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
947 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
954 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
955 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
962 static inline void __unpack_control(struct l2cap_chan *chan,
965 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
966 __unpack_extended_control(get_unaligned_le32(skb->data),
968 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
970 __unpack_enhanced_control(get_unaligned_le16(skb->data),
972 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
976 static u32 __pack_extended_control(struct l2cap_ctrl *control)
980 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
981 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
983 if (control->sframe) {
984 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
985 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
986 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
988 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
989 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
995 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
999 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1000 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1002 if (control->sframe) {
1003 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1004 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1005 packed |= L2CAP_CTRL_FRAME_TYPE;
1007 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1008 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1014 static inline void __pack_control(struct l2cap_chan *chan,
1015 struct l2cap_ctrl *control,
1016 struct sk_buff *skb)
1018 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1019 put_unaligned_le32(__pack_extended_control(control),
1020 skb->data + L2CAP_HDR_SIZE);
1022 put_unaligned_le16(__pack_enhanced_control(control),
1023 skb->data + L2CAP_HDR_SIZE);
1027 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1029 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1030 return L2CAP_EXT_HDR_SIZE;
1032 return L2CAP_ENH_HDR_SIZE;
1035 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1038 struct sk_buff *skb;
1039 struct l2cap_hdr *lh;
1040 int hlen = __ertm_hdr_size(chan);
1042 if (chan->fcs == L2CAP_FCS_CRC16)
1043 hlen += L2CAP_FCS_SIZE;
1045 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1048 return ERR_PTR(-ENOMEM);
1050 lh = skb_put(skb, L2CAP_HDR_SIZE);
1051 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1052 lh->cid = cpu_to_le16(chan->dcid);
1054 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1055 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1057 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1059 if (chan->fcs == L2CAP_FCS_CRC16) {
1060 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1061 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1064 skb->priority = HCI_PRIO_MAX;
1068 static void l2cap_send_sframe(struct l2cap_chan *chan,
1069 struct l2cap_ctrl *control)
1071 struct sk_buff *skb;
1074 BT_DBG("chan %p, control %p", chan, control);
1076 if (!control->sframe)
1079 if (__chan_is_moving(chan))
1082 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1086 if (control->super == L2CAP_SUPER_RR)
1087 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1088 else if (control->super == L2CAP_SUPER_RNR)
1089 set_bit(CONN_RNR_SENT, &chan->conn_state);
1091 if (control->super != L2CAP_SUPER_SREJ) {
1092 chan->last_acked_seq = control->reqseq;
1093 __clear_ack_timer(chan);
1096 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1097 control->final, control->poll, control->super);
1099 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1100 control_field = __pack_extended_control(control);
1102 control_field = __pack_enhanced_control(control);
1104 skb = l2cap_create_sframe_pdu(chan, control_field);
1106 l2cap_do_send(chan, skb);
1109 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1111 struct l2cap_ctrl control;
1113 BT_DBG("chan %p, poll %d", chan, poll);
1115 memset(&control, 0, sizeof(control));
1117 control.poll = poll;
1119 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1120 control.super = L2CAP_SUPER_RNR;
1122 control.super = L2CAP_SUPER_RR;
1124 control.reqseq = chan->buffer_seq;
1125 l2cap_send_sframe(chan, &control);
1128 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1130 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1133 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1136 static bool __amp_capable(struct l2cap_chan *chan)
1138 struct l2cap_conn *conn = chan->conn;
1139 struct hci_dev *hdev;
1140 bool amp_available = false;
1142 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1145 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1148 read_lock(&hci_dev_list_lock);
1149 list_for_each_entry(hdev, &hci_dev_list, list) {
1150 if (hdev->amp_type != AMP_TYPE_BREDR &&
1151 test_bit(HCI_UP, &hdev->flags)) {
1152 amp_available = true;
1156 read_unlock(&hci_dev_list_lock);
1158 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1159 return amp_available;
1164 static bool l2cap_check_efs(struct l2cap_chan *chan)
1166 /* Check EFS parameters */
1170 void l2cap_send_conn_req(struct l2cap_chan *chan)
1172 struct l2cap_conn *conn = chan->conn;
1173 struct l2cap_conn_req req;
1175 req.scid = cpu_to_le16(chan->scid);
1176 req.psm = chan->psm;
1178 chan->ident = l2cap_get_ident(conn);
1180 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1182 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1185 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1187 struct l2cap_create_chan_req req;
1188 req.scid = cpu_to_le16(chan->scid);
1189 req.psm = chan->psm;
1190 req.amp_id = amp_id;
1192 chan->ident = l2cap_get_ident(chan->conn);
1194 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1198 static void l2cap_move_setup(struct l2cap_chan *chan)
1200 struct sk_buff *skb;
1202 BT_DBG("chan %p", chan);
1204 if (chan->mode != L2CAP_MODE_ERTM)
1207 __clear_retrans_timer(chan);
1208 __clear_monitor_timer(chan);
1209 __clear_ack_timer(chan);
1211 chan->retry_count = 0;
1212 skb_queue_walk(&chan->tx_q, skb) {
1213 if (bt_cb(skb)->l2cap.retries)
1214 bt_cb(skb)->l2cap.retries = 1;
1219 chan->expected_tx_seq = chan->buffer_seq;
1221 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1222 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1223 l2cap_seq_list_clear(&chan->retrans_list);
1224 l2cap_seq_list_clear(&chan->srej_list);
1225 skb_queue_purge(&chan->srej_q);
1227 chan->tx_state = L2CAP_TX_STATE_XMIT;
1228 chan->rx_state = L2CAP_RX_STATE_MOVE;
1230 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1233 static void l2cap_move_done(struct l2cap_chan *chan)
1235 u8 move_role = chan->move_role;
1236 BT_DBG("chan %p", chan);
1238 chan->move_state = L2CAP_MOVE_STABLE;
1239 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1241 if (chan->mode != L2CAP_MODE_ERTM)
1244 switch (move_role) {
1245 case L2CAP_MOVE_ROLE_INITIATOR:
1246 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1247 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1249 case L2CAP_MOVE_ROLE_RESPONDER:
1250 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1255 static void l2cap_chan_ready(struct l2cap_chan *chan)
1257 /* The channel may have already been flagged as connected in
1258 * case of receiving data before the L2CAP info req/rsp
1259 * procedure is complete.
1261 if (chan->state == BT_CONNECTED)
1264 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1265 chan->conf_state = 0;
1266 __clear_chan_timer(chan);
1268 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1269 chan->ops->suspend(chan);
1271 chan->state = BT_CONNECTED;
1273 chan->ops->ready(chan);
1276 static void l2cap_le_connect(struct l2cap_chan *chan)
1278 struct l2cap_conn *conn = chan->conn;
1279 struct l2cap_le_conn_req req;
1281 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1284 l2cap_le_flowctl_init(chan, 0);
1286 req.psm = chan->psm;
1287 req.scid = cpu_to_le16(chan->scid);
1288 req.mtu = cpu_to_le16(chan->imtu);
1289 req.mps = cpu_to_le16(chan->mps);
1290 req.credits = cpu_to_le16(chan->rx_credits);
1292 chan->ident = l2cap_get_ident(conn);
1294 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1298 static void l2cap_le_start(struct l2cap_chan *chan)
1300 struct l2cap_conn *conn = chan->conn;
1302 if (!smp_conn_security(conn->hcon, chan->sec_level))
1306 l2cap_chan_ready(chan);
1310 if (chan->state == BT_CONNECT)
1311 l2cap_le_connect(chan);
1314 static void l2cap_start_connection(struct l2cap_chan *chan)
1316 if (__amp_capable(chan)) {
1317 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1318 a2mp_discover_amp(chan);
1319 } else if (chan->conn->hcon->type == LE_LINK) {
1320 l2cap_le_start(chan);
1322 l2cap_send_conn_req(chan);
1326 static void l2cap_request_info(struct l2cap_conn *conn)
1328 struct l2cap_info_req req;
1330 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1333 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1335 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1336 conn->info_ident = l2cap_get_ident(conn);
1338 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1340 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1344 static void l2cap_do_start(struct l2cap_chan *chan)
1346 struct l2cap_conn *conn = chan->conn;
1348 if (conn->hcon->type == LE_LINK) {
1349 l2cap_le_start(chan);
1353 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1354 l2cap_request_info(conn);
1358 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1361 if (l2cap_chan_check_security(chan, true) &&
1362 __l2cap_no_conn_pending(chan))
1363 l2cap_start_connection(chan);
1366 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1368 u32 local_feat_mask = l2cap_feat_mask;
1370 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1373 case L2CAP_MODE_ERTM:
1374 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1375 case L2CAP_MODE_STREAMING:
1376 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1382 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1384 struct l2cap_conn *conn = chan->conn;
1385 struct l2cap_disconn_req req;
1390 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1391 __clear_retrans_timer(chan);
1392 __clear_monitor_timer(chan);
1393 __clear_ack_timer(chan);
1396 if (chan->scid == L2CAP_CID_A2MP) {
1397 l2cap_state_change(chan, BT_DISCONN);
1401 req.dcid = cpu_to_le16(chan->dcid);
1402 req.scid = cpu_to_le16(chan->scid);
1403 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1406 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1409 /* ---- L2CAP connections ---- */
1410 static void l2cap_conn_start(struct l2cap_conn *conn)
1412 struct l2cap_chan *chan, *tmp;
1414 BT_DBG("conn %p", conn);
1416 mutex_lock(&conn->chan_lock);
1418 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1419 l2cap_chan_lock(chan);
1421 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1422 l2cap_chan_ready(chan);
1423 l2cap_chan_unlock(chan);
1427 if (chan->state == BT_CONNECT) {
1428 if (!l2cap_chan_check_security(chan, true) ||
1429 !__l2cap_no_conn_pending(chan)) {
1430 l2cap_chan_unlock(chan);
1434 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1435 && test_bit(CONF_STATE2_DEVICE,
1436 &chan->conf_state)) {
1437 l2cap_chan_close(chan, ECONNRESET);
1438 l2cap_chan_unlock(chan);
1442 l2cap_start_connection(chan);
1444 } else if (chan->state == BT_CONNECT2) {
1445 struct l2cap_conn_rsp rsp;
1447 rsp.scid = cpu_to_le16(chan->dcid);
1448 rsp.dcid = cpu_to_le16(chan->scid);
1450 if (l2cap_chan_check_security(chan, false)) {
1451 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1452 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1453 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1454 chan->ops->defer(chan);
1457 l2cap_state_change(chan, BT_CONFIG);
1458 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1459 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1462 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1463 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1466 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1469 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1470 rsp.result != L2CAP_CR_SUCCESS) {
1471 l2cap_chan_unlock(chan);
1475 set_bit(CONF_REQ_SENT, &chan->conf_state);
1476 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1477 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1478 chan->num_conf_req++;
1481 l2cap_chan_unlock(chan);
1484 mutex_unlock(&conn->chan_lock);
1487 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1489 struct hci_conn *hcon = conn->hcon;
1490 struct hci_dev *hdev = hcon->hdev;
1492 BT_DBG("%s conn %p", hdev->name, conn);
1494 /* For outgoing pairing which doesn't necessarily have an
1495 * associated socket (e.g. mgmt_pair_device).
1498 smp_conn_security(hcon, hcon->pending_sec_level);
1500 /* For LE slave connections, make sure the connection interval
1501 * is in the range of the minium and maximum interval that has
1502 * been configured for this connection. If not, then trigger
1503 * the connection update procedure.
1505 if (hcon->role == HCI_ROLE_SLAVE &&
1506 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1507 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1508 struct l2cap_conn_param_update_req req;
1510 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1511 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1512 req.latency = cpu_to_le16(hcon->le_conn_latency);
1513 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1515 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1516 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1520 static void l2cap_conn_ready(struct l2cap_conn *conn)
1522 struct l2cap_chan *chan;
1523 struct hci_conn *hcon = conn->hcon;
1525 BT_DBG("conn %p", conn);
1527 if (hcon->type == ACL_LINK)
1528 l2cap_request_info(conn);
1530 mutex_lock(&conn->chan_lock);
1532 list_for_each_entry(chan, &conn->chan_l, list) {
1534 l2cap_chan_lock(chan);
1536 if (chan->scid == L2CAP_CID_A2MP) {
1537 l2cap_chan_unlock(chan);
1541 if (hcon->type == LE_LINK) {
1542 l2cap_le_start(chan);
1543 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1544 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1545 l2cap_chan_ready(chan);
1546 } else if (chan->state == BT_CONNECT) {
1547 l2cap_do_start(chan);
1550 l2cap_chan_unlock(chan);
1553 mutex_unlock(&conn->chan_lock);
1555 if (hcon->type == LE_LINK)
1556 l2cap_le_conn_ready(conn);
1558 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1561 /* Notify sockets that we cannot guaranty reliability anymore */
1562 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1564 struct l2cap_chan *chan;
1566 BT_DBG("conn %p", conn);
1568 mutex_lock(&conn->chan_lock);
1570 list_for_each_entry(chan, &conn->chan_l, list) {
1571 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1572 l2cap_chan_set_err(chan, err);
1575 mutex_unlock(&conn->chan_lock);
1578 static void l2cap_info_timeout(struct work_struct *work)
1580 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1583 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1584 conn->info_ident = 0;
1586 l2cap_conn_start(conn);
1591 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1592 * callback is called during registration. The ->remove callback is called
1593 * during unregistration.
1594 * An l2cap_user object can either be explicitly unregistered or when the
1595 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1596 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1597 * External modules must own a reference to the l2cap_conn object if they intend
1598 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1599 * any time if they don't.
1602 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1604 struct hci_dev *hdev = conn->hcon->hdev;
1607 /* We need to check whether l2cap_conn is registered. If it is not, we
1608 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1609 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1610 * relies on the parent hci_conn object to be locked. This itself relies
1611 * on the hci_dev object to be locked. So we must lock the hci device
1616 if (!list_empty(&user->list)) {
1621 /* conn->hchan is NULL after l2cap_conn_del() was called */
1627 ret = user->probe(conn, user);
1631 list_add(&user->list, &conn->users);
1635 hci_dev_unlock(hdev);
1638 EXPORT_SYMBOL(l2cap_register_user);
1640 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1642 struct hci_dev *hdev = conn->hcon->hdev;
1646 if (list_empty(&user->list))
1649 list_del_init(&user->list);
1650 user->remove(conn, user);
1653 hci_dev_unlock(hdev);
1655 EXPORT_SYMBOL(l2cap_unregister_user);
1657 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1659 struct l2cap_user *user;
1661 while (!list_empty(&conn->users)) {
1662 user = list_first_entry(&conn->users, struct l2cap_user, list);
1663 list_del_init(&user->list);
1664 user->remove(conn, user);
1668 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1670 struct l2cap_conn *conn = hcon->l2cap_data;
1671 struct l2cap_chan *chan, *l;
1676 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1678 kfree_skb(conn->rx_skb);
1680 skb_queue_purge(&conn->pending_rx);
1682 /* We can not call flush_work(&conn->pending_rx_work) here since we
1683 * might block if we are running on a worker from the same workqueue
1684 * pending_rx_work is waiting on.
1686 if (work_pending(&conn->pending_rx_work))
1687 cancel_work_sync(&conn->pending_rx_work);
1689 if (work_pending(&conn->id_addr_update_work))
1690 cancel_work_sync(&conn->id_addr_update_work);
1692 l2cap_unregister_all_users(conn);
1694 /* Force the connection to be immediately dropped */
1695 hcon->disc_timeout = 0;
1697 mutex_lock(&conn->chan_lock);
1700 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1701 l2cap_chan_hold(chan);
1702 l2cap_chan_lock(chan);
1704 l2cap_chan_del(chan, err);
1706 l2cap_chan_unlock(chan);
1708 chan->ops->close(chan);
1709 l2cap_chan_put(chan);
1712 mutex_unlock(&conn->chan_lock);
1714 hci_chan_del(conn->hchan);
1716 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1717 cancel_delayed_work_sync(&conn->info_timer);
1719 hcon->l2cap_data = NULL;
1721 l2cap_conn_put(conn);
1724 static void l2cap_conn_free(struct kref *ref)
1726 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1728 hci_conn_put(conn->hcon);
1732 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1734 kref_get(&conn->ref);
1737 EXPORT_SYMBOL(l2cap_conn_get);
1739 void l2cap_conn_put(struct l2cap_conn *conn)
1741 kref_put(&conn->ref, l2cap_conn_free);
1743 EXPORT_SYMBOL(l2cap_conn_put);
1745 /* ---- Socket interface ---- */
1747 /* Find socket with psm and source / destination bdaddr.
1748 * Returns closest match.
1750 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1755 struct l2cap_chan *c, *c1 = NULL;
1757 read_lock(&chan_list_lock);
1759 list_for_each_entry(c, &chan_list, global_l) {
1760 if (state && c->state != state)
1763 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1766 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1769 if (c->psm == psm) {
1770 int src_match, dst_match;
1771 int src_any, dst_any;
1774 src_match = !bacmp(&c->src, src);
1775 dst_match = !bacmp(&c->dst, dst);
1776 if (src_match && dst_match) {
1778 read_unlock(&chan_list_lock);
1783 src_any = !bacmp(&c->src, BDADDR_ANY);
1784 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1785 if ((src_match && dst_any) || (src_any && dst_match) ||
1786 (src_any && dst_any))
1792 l2cap_chan_hold(c1);
1794 read_unlock(&chan_list_lock);
1799 static void l2cap_monitor_timeout(struct work_struct *work)
1801 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1802 monitor_timer.work);
1804 BT_DBG("chan %p", chan);
1806 l2cap_chan_lock(chan);
1809 l2cap_chan_unlock(chan);
1810 l2cap_chan_put(chan);
1814 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1816 l2cap_chan_unlock(chan);
1817 l2cap_chan_put(chan);
1820 static void l2cap_retrans_timeout(struct work_struct *work)
1822 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1823 retrans_timer.work);
1825 BT_DBG("chan %p", chan);
1827 l2cap_chan_lock(chan);
1830 l2cap_chan_unlock(chan);
1831 l2cap_chan_put(chan);
1835 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1836 l2cap_chan_unlock(chan);
1837 l2cap_chan_put(chan);
1840 static void l2cap_streaming_send(struct l2cap_chan *chan,
1841 struct sk_buff_head *skbs)
1843 struct sk_buff *skb;
1844 struct l2cap_ctrl *control;
1846 BT_DBG("chan %p, skbs %p", chan, skbs);
1848 if (__chan_is_moving(chan))
1851 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1853 while (!skb_queue_empty(&chan->tx_q)) {
1855 skb = skb_dequeue(&chan->tx_q);
1857 bt_cb(skb)->l2cap.retries = 1;
1858 control = &bt_cb(skb)->l2cap;
1860 control->reqseq = 0;
1861 control->txseq = chan->next_tx_seq;
1863 __pack_control(chan, control, skb);
1865 if (chan->fcs == L2CAP_FCS_CRC16) {
1866 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1867 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1870 l2cap_do_send(chan, skb);
1872 BT_DBG("Sent txseq %u", control->txseq);
1874 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1875 chan->frames_sent++;
1879 static int l2cap_ertm_send(struct l2cap_chan *chan)
1881 struct sk_buff *skb, *tx_skb;
1882 struct l2cap_ctrl *control;
1885 BT_DBG("chan %p", chan);
1887 if (chan->state != BT_CONNECTED)
1890 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1893 if (__chan_is_moving(chan))
1896 while (chan->tx_send_head &&
1897 chan->unacked_frames < chan->remote_tx_win &&
1898 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1900 skb = chan->tx_send_head;
1902 bt_cb(skb)->l2cap.retries = 1;
1903 control = &bt_cb(skb)->l2cap;
1905 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1908 control->reqseq = chan->buffer_seq;
1909 chan->last_acked_seq = chan->buffer_seq;
1910 control->txseq = chan->next_tx_seq;
1912 __pack_control(chan, control, skb);
1914 if (chan->fcs == L2CAP_FCS_CRC16) {
1915 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1916 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1919 /* Clone after data has been modified. Data is assumed to be
1920 read-only (for locking purposes) on cloned sk_buffs.
1922 tx_skb = skb_clone(skb, GFP_KERNEL);
1927 __set_retrans_timer(chan);
1929 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1930 chan->unacked_frames++;
1931 chan->frames_sent++;
1934 if (skb_queue_is_last(&chan->tx_q, skb))
1935 chan->tx_send_head = NULL;
1937 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1939 l2cap_do_send(chan, tx_skb);
1940 BT_DBG("Sent txseq %u", control->txseq);
1943 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1944 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1949 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1951 struct l2cap_ctrl control;
1952 struct sk_buff *skb;
1953 struct sk_buff *tx_skb;
1956 BT_DBG("chan %p", chan);
1958 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1961 if (__chan_is_moving(chan))
1964 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1965 seq = l2cap_seq_list_pop(&chan->retrans_list);
1967 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
1969 BT_DBG("Error: Can't retransmit seq %d, frame missing",
1974 bt_cb(skb)->l2cap.retries++;
1975 control = bt_cb(skb)->l2cap;
1977 if (chan->max_tx != 0 &&
1978 bt_cb(skb)->l2cap.retries > chan->max_tx) {
1979 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
1980 l2cap_send_disconn_req(chan, ECONNRESET);
1981 l2cap_seq_list_clear(&chan->retrans_list);
1985 control.reqseq = chan->buffer_seq;
1986 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1991 if (skb_cloned(skb)) {
1992 /* Cloned sk_buffs are read-only, so we need a
1995 tx_skb = skb_copy(skb, GFP_KERNEL);
1997 tx_skb = skb_clone(skb, GFP_KERNEL);
2001 l2cap_seq_list_clear(&chan->retrans_list);
2005 /* Update skb contents */
2006 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2007 put_unaligned_le32(__pack_extended_control(&control),
2008 tx_skb->data + L2CAP_HDR_SIZE);
2010 put_unaligned_le16(__pack_enhanced_control(&control),
2011 tx_skb->data + L2CAP_HDR_SIZE);
2015 if (chan->fcs == L2CAP_FCS_CRC16) {
2016 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2017 tx_skb->len - L2CAP_FCS_SIZE);
2018 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2022 l2cap_do_send(chan, tx_skb);
2024 BT_DBG("Resent txseq %d", control.txseq);
2026 chan->last_acked_seq = chan->buffer_seq;
2030 static void l2cap_retransmit(struct l2cap_chan *chan,
2031 struct l2cap_ctrl *control)
2033 BT_DBG("chan %p, control %p", chan, control);
2035 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2036 l2cap_ertm_resend(chan);
2039 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2040 struct l2cap_ctrl *control)
2042 struct sk_buff *skb;
2044 BT_DBG("chan %p, control %p", chan, control);
2047 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2049 l2cap_seq_list_clear(&chan->retrans_list);
2051 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2054 if (chan->unacked_frames) {
2055 skb_queue_walk(&chan->tx_q, skb) {
2056 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2057 skb == chan->tx_send_head)
2061 skb_queue_walk_from(&chan->tx_q, skb) {
2062 if (skb == chan->tx_send_head)
2065 l2cap_seq_list_append(&chan->retrans_list,
2066 bt_cb(skb)->l2cap.txseq);
2069 l2cap_ertm_resend(chan);
2073 static void l2cap_send_ack(struct l2cap_chan *chan)
2075 struct l2cap_ctrl control;
2076 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2077 chan->last_acked_seq);
2080 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2081 chan, chan->last_acked_seq, chan->buffer_seq);
2083 memset(&control, 0, sizeof(control));
2086 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2087 chan->rx_state == L2CAP_RX_STATE_RECV) {
2088 __clear_ack_timer(chan);
2089 control.super = L2CAP_SUPER_RNR;
2090 control.reqseq = chan->buffer_seq;
2091 l2cap_send_sframe(chan, &control);
2093 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2094 l2cap_ertm_send(chan);
2095 /* If any i-frames were sent, they included an ack */
2096 if (chan->buffer_seq == chan->last_acked_seq)
2100 /* Ack now if the window is 3/4ths full.
2101 * Calculate without mul or div
2103 threshold = chan->ack_win;
2104 threshold += threshold << 1;
2107 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2110 if (frames_to_ack >= threshold) {
2111 __clear_ack_timer(chan);
2112 control.super = L2CAP_SUPER_RR;
2113 control.reqseq = chan->buffer_seq;
2114 l2cap_send_sframe(chan, &control);
2119 __set_ack_timer(chan);
2123 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2124 struct msghdr *msg, int len,
2125 int count, struct sk_buff *skb)
2127 struct l2cap_conn *conn = chan->conn;
2128 struct sk_buff **frag;
2131 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2137 /* Continuation fragments (no L2CAP header) */
2138 frag = &skb_shinfo(skb)->frag_list;
2140 struct sk_buff *tmp;
2142 count = min_t(unsigned int, conn->mtu, len);
2144 tmp = chan->ops->alloc_skb(chan, 0, count,
2145 msg->msg_flags & MSG_DONTWAIT);
2147 return PTR_ERR(tmp);
2151 if (!copy_from_iter_full(skb_put(*frag, count), count,
2158 skb->len += (*frag)->len;
2159 skb->data_len += (*frag)->len;
2161 frag = &(*frag)->next;
2167 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2168 struct msghdr *msg, size_t len)
2170 struct l2cap_conn *conn = chan->conn;
2171 struct sk_buff *skb;
2172 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2173 struct l2cap_hdr *lh;
2175 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2176 __le16_to_cpu(chan->psm), len);
2178 count = min_t(unsigned int, (conn->mtu - hlen), len);
2180 skb = chan->ops->alloc_skb(chan, hlen, count,
2181 msg->msg_flags & MSG_DONTWAIT);
2185 /* Create L2CAP header */
2186 lh = skb_put(skb, L2CAP_HDR_SIZE);
2187 lh->cid = cpu_to_le16(chan->dcid);
2188 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2189 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2191 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2192 if (unlikely(err < 0)) {
2194 return ERR_PTR(err);
2199 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2200 struct msghdr *msg, size_t len)
2202 struct l2cap_conn *conn = chan->conn;
2203 struct sk_buff *skb;
2205 struct l2cap_hdr *lh;
2207 BT_DBG("chan %p len %zu", chan, len);
2209 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2211 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2212 msg->msg_flags & MSG_DONTWAIT);
2216 /* Create L2CAP header */
2217 lh = skb_put(skb, L2CAP_HDR_SIZE);
2218 lh->cid = cpu_to_le16(chan->dcid);
2219 lh->len = cpu_to_le16(len);
2221 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2222 if (unlikely(err < 0)) {
2224 return ERR_PTR(err);
2229 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2230 struct msghdr *msg, size_t len,
2233 struct l2cap_conn *conn = chan->conn;
2234 struct sk_buff *skb;
2235 int err, count, hlen;
2236 struct l2cap_hdr *lh;
2238 BT_DBG("chan %p len %zu", chan, len);
2241 return ERR_PTR(-ENOTCONN);
2243 hlen = __ertm_hdr_size(chan);
2246 hlen += L2CAP_SDULEN_SIZE;
2248 if (chan->fcs == L2CAP_FCS_CRC16)
2249 hlen += L2CAP_FCS_SIZE;
2251 count = min_t(unsigned int, (conn->mtu - hlen), len);
2253 skb = chan->ops->alloc_skb(chan, hlen, count,
2254 msg->msg_flags & MSG_DONTWAIT);
2258 /* Create L2CAP header */
2259 lh = skb_put(skb, L2CAP_HDR_SIZE);
2260 lh->cid = cpu_to_le16(chan->dcid);
2261 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2263 /* Control header is populated later */
2264 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2265 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2267 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2270 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2272 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2273 if (unlikely(err < 0)) {
2275 return ERR_PTR(err);
2278 bt_cb(skb)->l2cap.fcs = chan->fcs;
2279 bt_cb(skb)->l2cap.retries = 0;
2283 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2284 struct sk_buff_head *seg_queue,
2285 struct msghdr *msg, size_t len)
2287 struct sk_buff *skb;
2292 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2294 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2295 * so fragmented skbs are not used. The HCI layer's handling
2296 * of fragmented skbs is not compatible with ERTM's queueing.
2299 /* PDU size is derived from the HCI MTU */
2300 pdu_len = chan->conn->mtu;
2302 /* Constrain PDU size for BR/EDR connections */
2304 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2306 /* Adjust for largest possible L2CAP overhead. */
2308 pdu_len -= L2CAP_FCS_SIZE;
2310 pdu_len -= __ertm_hdr_size(chan);
2312 /* Remote device may have requested smaller PDUs */
2313 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2315 if (len <= pdu_len) {
2316 sar = L2CAP_SAR_UNSEGMENTED;
2320 sar = L2CAP_SAR_START;
2325 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2328 __skb_queue_purge(seg_queue);
2329 return PTR_ERR(skb);
2332 bt_cb(skb)->l2cap.sar = sar;
2333 __skb_queue_tail(seg_queue, skb);
2339 if (len <= pdu_len) {
2340 sar = L2CAP_SAR_END;
2343 sar = L2CAP_SAR_CONTINUE;
2350 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2352 size_t len, u16 sdulen)
2354 struct l2cap_conn *conn = chan->conn;
2355 struct sk_buff *skb;
2356 int err, count, hlen;
2357 struct l2cap_hdr *lh;
2359 BT_DBG("chan %p len %zu", chan, len);
2362 return ERR_PTR(-ENOTCONN);
2364 hlen = L2CAP_HDR_SIZE;
2367 hlen += L2CAP_SDULEN_SIZE;
2369 count = min_t(unsigned int, (conn->mtu - hlen), len);
2371 skb = chan->ops->alloc_skb(chan, hlen, count,
2372 msg->msg_flags & MSG_DONTWAIT);
2376 /* Create L2CAP header */
2377 lh = skb_put(skb, L2CAP_HDR_SIZE);
2378 lh->cid = cpu_to_le16(chan->dcid);
2379 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2382 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2384 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2385 if (unlikely(err < 0)) {
2387 return ERR_PTR(err);
2393 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2394 struct sk_buff_head *seg_queue,
2395 struct msghdr *msg, size_t len)
2397 struct sk_buff *skb;
2401 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2404 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2410 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2412 __skb_queue_purge(seg_queue);
2413 return PTR_ERR(skb);
2416 __skb_queue_tail(seg_queue, skb);
2422 pdu_len += L2CAP_SDULEN_SIZE;
2429 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2433 BT_DBG("chan %p", chan);
2435 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2436 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2441 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2442 skb_queue_len(&chan->tx_q));
2445 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2447 struct sk_buff *skb;
2449 struct sk_buff_head seg_queue;
2454 /* Connectionless channel */
2455 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2456 skb = l2cap_create_connless_pdu(chan, msg, len);
2458 return PTR_ERR(skb);
2460 /* Channel lock is released before requesting new skb and then
2461 * reacquired thus we need to recheck channel state.
2463 if (chan->state != BT_CONNECTED) {
2468 l2cap_do_send(chan, skb);
2472 switch (chan->mode) {
2473 case L2CAP_MODE_LE_FLOWCTL:
2474 /* Check outgoing MTU */
2475 if (len > chan->omtu)
2478 __skb_queue_head_init(&seg_queue);
2480 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2482 if (chan->state != BT_CONNECTED) {
2483 __skb_queue_purge(&seg_queue);
2490 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2492 l2cap_le_flowctl_send(chan);
2494 if (!chan->tx_credits)
2495 chan->ops->suspend(chan);
2501 case L2CAP_MODE_BASIC:
2502 /* Check outgoing MTU */
2503 if (len > chan->omtu)
2506 /* Create a basic PDU */
2507 skb = l2cap_create_basic_pdu(chan, msg, len);
2509 return PTR_ERR(skb);
2511 /* Channel lock is released before requesting new skb and then
2512 * reacquired thus we need to recheck channel state.
2514 if (chan->state != BT_CONNECTED) {
2519 l2cap_do_send(chan, skb);
2523 case L2CAP_MODE_ERTM:
2524 case L2CAP_MODE_STREAMING:
2525 /* Check outgoing MTU */
2526 if (len > chan->omtu) {
2531 __skb_queue_head_init(&seg_queue);
2533 /* Do segmentation before calling in to the state machine,
2534 * since it's possible to block while waiting for memory
2537 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2539 /* The channel could have been closed while segmenting,
2540 * check that it is still connected.
2542 if (chan->state != BT_CONNECTED) {
2543 __skb_queue_purge(&seg_queue);
2550 if (chan->mode == L2CAP_MODE_ERTM)
2551 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2553 l2cap_streaming_send(chan, &seg_queue);
2557 /* If the skbs were not queued for sending, they'll still be in
2558 * seg_queue and need to be purged.
2560 __skb_queue_purge(&seg_queue);
2564 BT_DBG("bad state %1.1x", chan->mode);
2570 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2572 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2574 struct l2cap_ctrl control;
2577 BT_DBG("chan %p, txseq %u", chan, txseq);
2579 memset(&control, 0, sizeof(control));
2581 control.super = L2CAP_SUPER_SREJ;
2583 for (seq = chan->expected_tx_seq; seq != txseq;
2584 seq = __next_seq(chan, seq)) {
2585 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2586 control.reqseq = seq;
2587 l2cap_send_sframe(chan, &control);
2588 l2cap_seq_list_append(&chan->srej_list, seq);
2592 chan->expected_tx_seq = __next_seq(chan, txseq);
2595 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2597 struct l2cap_ctrl control;
2599 BT_DBG("chan %p", chan);
2601 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2604 memset(&control, 0, sizeof(control));
2606 control.super = L2CAP_SUPER_SREJ;
2607 control.reqseq = chan->srej_list.tail;
2608 l2cap_send_sframe(chan, &control);
2611 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2613 struct l2cap_ctrl control;
2617 BT_DBG("chan %p, txseq %u", chan, txseq);
2619 memset(&control, 0, sizeof(control));
2621 control.super = L2CAP_SUPER_SREJ;
2623 /* Capture initial list head to allow only one pass through the list. */
2624 initial_head = chan->srej_list.head;
2627 seq = l2cap_seq_list_pop(&chan->srej_list);
2628 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2631 control.reqseq = seq;
2632 l2cap_send_sframe(chan, &control);
2633 l2cap_seq_list_append(&chan->srej_list, seq);
2634 } while (chan->srej_list.head != initial_head);
2637 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2639 struct sk_buff *acked_skb;
2642 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2644 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2647 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2648 chan->expected_ack_seq, chan->unacked_frames);
2650 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2651 ackseq = __next_seq(chan, ackseq)) {
2653 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2655 skb_unlink(acked_skb, &chan->tx_q);
2656 kfree_skb(acked_skb);
2657 chan->unacked_frames--;
2661 chan->expected_ack_seq = reqseq;
2663 if (chan->unacked_frames == 0)
2664 __clear_retrans_timer(chan);
2666 BT_DBG("unacked_frames %u", chan->unacked_frames);
2669 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2671 BT_DBG("chan %p", chan);
2673 chan->expected_tx_seq = chan->buffer_seq;
2674 l2cap_seq_list_clear(&chan->srej_list);
2675 skb_queue_purge(&chan->srej_q);
2676 chan->rx_state = L2CAP_RX_STATE_RECV;
2679 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2680 struct l2cap_ctrl *control,
2681 struct sk_buff_head *skbs, u8 event)
2683 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2687 case L2CAP_EV_DATA_REQUEST:
2688 if (chan->tx_send_head == NULL)
2689 chan->tx_send_head = skb_peek(skbs);
2691 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2692 l2cap_ertm_send(chan);
2694 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2695 BT_DBG("Enter LOCAL_BUSY");
2696 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2698 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2699 /* The SREJ_SENT state must be aborted if we are to
2700 * enter the LOCAL_BUSY state.
2702 l2cap_abort_rx_srej_sent(chan);
2705 l2cap_send_ack(chan);
2708 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2709 BT_DBG("Exit LOCAL_BUSY");
2710 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2712 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2713 struct l2cap_ctrl local_control;
2715 memset(&local_control, 0, sizeof(local_control));
2716 local_control.sframe = 1;
2717 local_control.super = L2CAP_SUPER_RR;
2718 local_control.poll = 1;
2719 local_control.reqseq = chan->buffer_seq;
2720 l2cap_send_sframe(chan, &local_control);
2722 chan->retry_count = 1;
2723 __set_monitor_timer(chan);
2724 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2727 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2728 l2cap_process_reqseq(chan, control->reqseq);
2730 case L2CAP_EV_EXPLICIT_POLL:
2731 l2cap_send_rr_or_rnr(chan, 1);
2732 chan->retry_count = 1;
2733 __set_monitor_timer(chan);
2734 __clear_ack_timer(chan);
2735 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2737 case L2CAP_EV_RETRANS_TO:
2738 l2cap_send_rr_or_rnr(chan, 1);
2739 chan->retry_count = 1;
2740 __set_monitor_timer(chan);
2741 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2743 case L2CAP_EV_RECV_FBIT:
2744 /* Nothing to process */
2751 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2752 struct l2cap_ctrl *control,
2753 struct sk_buff_head *skbs, u8 event)
2755 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2759 case L2CAP_EV_DATA_REQUEST:
2760 if (chan->tx_send_head == NULL)
2761 chan->tx_send_head = skb_peek(skbs);
2762 /* Queue data, but don't send. */
2763 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2765 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2766 BT_DBG("Enter LOCAL_BUSY");
2767 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2769 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2770 /* The SREJ_SENT state must be aborted if we are to
2771 * enter the LOCAL_BUSY state.
2773 l2cap_abort_rx_srej_sent(chan);
2776 l2cap_send_ack(chan);
2779 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2780 BT_DBG("Exit LOCAL_BUSY");
2781 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2783 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2784 struct l2cap_ctrl local_control;
2785 memset(&local_control, 0, sizeof(local_control));
2786 local_control.sframe = 1;
2787 local_control.super = L2CAP_SUPER_RR;
2788 local_control.poll = 1;
2789 local_control.reqseq = chan->buffer_seq;
2790 l2cap_send_sframe(chan, &local_control);
2792 chan->retry_count = 1;
2793 __set_monitor_timer(chan);
2794 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2797 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2798 l2cap_process_reqseq(chan, control->reqseq);
2802 case L2CAP_EV_RECV_FBIT:
2803 if (control && control->final) {
2804 __clear_monitor_timer(chan);
2805 if (chan->unacked_frames > 0)
2806 __set_retrans_timer(chan);
2807 chan->retry_count = 0;
2808 chan->tx_state = L2CAP_TX_STATE_XMIT;
2809 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2812 case L2CAP_EV_EXPLICIT_POLL:
2815 case L2CAP_EV_MONITOR_TO:
2816 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2817 l2cap_send_rr_or_rnr(chan, 1);
2818 __set_monitor_timer(chan);
2819 chan->retry_count++;
2821 l2cap_send_disconn_req(chan, ECONNABORTED);
2829 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2830 struct sk_buff_head *skbs, u8 event)
2832 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2833 chan, control, skbs, event, chan->tx_state);
2835 switch (chan->tx_state) {
2836 case L2CAP_TX_STATE_XMIT:
2837 l2cap_tx_state_xmit(chan, control, skbs, event);
2839 case L2CAP_TX_STATE_WAIT_F:
2840 l2cap_tx_state_wait_f(chan, control, skbs, event);
2848 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2849 struct l2cap_ctrl *control)
2851 BT_DBG("chan %p, control %p", chan, control);
2852 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2855 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2856 struct l2cap_ctrl *control)
2858 BT_DBG("chan %p, control %p", chan, control);
2859 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2862 /* Copy frame to all raw sockets on that connection */
2863 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2865 struct sk_buff *nskb;
2866 struct l2cap_chan *chan;
2868 BT_DBG("conn %p", conn);
2870 mutex_lock(&conn->chan_lock);
2872 list_for_each_entry(chan, &conn->chan_l, list) {
2873 if (chan->chan_type != L2CAP_CHAN_RAW)
2876 /* Don't send frame to the channel it came from */
2877 if (bt_cb(skb)->l2cap.chan == chan)
2880 nskb = skb_clone(skb, GFP_KERNEL);
2883 if (chan->ops->recv(chan, nskb))
2887 mutex_unlock(&conn->chan_lock);
2890 /* ---- L2CAP signalling commands ---- */
2891 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2892 u8 ident, u16 dlen, void *data)
2894 struct sk_buff *skb, **frag;
2895 struct l2cap_cmd_hdr *cmd;
2896 struct l2cap_hdr *lh;
2899 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2900 conn, code, ident, dlen);
2902 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2905 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2906 count = min_t(unsigned int, conn->mtu, len);
2908 skb = bt_skb_alloc(count, GFP_KERNEL);
2912 lh = skb_put(skb, L2CAP_HDR_SIZE);
2913 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2915 if (conn->hcon->type == LE_LINK)
2916 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2918 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2920 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2923 cmd->len = cpu_to_le16(dlen);
2926 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2927 skb_put_data(skb, data, count);
2933 /* Continuation fragments (no L2CAP header) */
2934 frag = &skb_shinfo(skb)->frag_list;
2936 count = min_t(unsigned int, conn->mtu, len);
2938 *frag = bt_skb_alloc(count, GFP_KERNEL);
2942 skb_put_data(*frag, data, count);
2947 frag = &(*frag)->next;
2957 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2960 struct l2cap_conf_opt *opt = *ptr;
2963 len = L2CAP_CONF_OPT_SIZE + opt->len;
2971 *val = *((u8 *) opt->val);
2975 *val = get_unaligned_le16(opt->val);
2979 *val = get_unaligned_le32(opt->val);
2983 *val = (unsigned long) opt->val;
2987 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2991 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
2993 struct l2cap_conf_opt *opt = *ptr;
2995 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2997 if (size < L2CAP_CONF_OPT_SIZE + len)
3005 *((u8 *) opt->val) = val;
3009 put_unaligned_le16(val, opt->val);
3013 put_unaligned_le32(val, opt->val);
3017 memcpy(opt->val, (void *) val, len);
3021 *ptr += L2CAP_CONF_OPT_SIZE + len;
3024 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3026 struct l2cap_conf_efs efs;
3028 switch (chan->mode) {
3029 case L2CAP_MODE_ERTM:
3030 efs.id = chan->local_id;
3031 efs.stype = chan->local_stype;
3032 efs.msdu = cpu_to_le16(chan->local_msdu);
3033 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3034 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3035 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3038 case L2CAP_MODE_STREAMING:
3040 efs.stype = L2CAP_SERV_BESTEFFORT;
3041 efs.msdu = cpu_to_le16(chan->local_msdu);
3042 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3051 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3052 (unsigned long) &efs, size);
3055 static void l2cap_ack_timeout(struct work_struct *work)
3057 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3061 BT_DBG("chan %p", chan);
3063 l2cap_chan_lock(chan);
3065 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3066 chan->last_acked_seq);
3069 l2cap_send_rr_or_rnr(chan, 0);
3071 l2cap_chan_unlock(chan);
3072 l2cap_chan_put(chan);
3075 int l2cap_ertm_init(struct l2cap_chan *chan)
3079 chan->next_tx_seq = 0;
3080 chan->expected_tx_seq = 0;
3081 chan->expected_ack_seq = 0;
3082 chan->unacked_frames = 0;
3083 chan->buffer_seq = 0;
3084 chan->frames_sent = 0;
3085 chan->last_acked_seq = 0;
3087 chan->sdu_last_frag = NULL;
3090 skb_queue_head_init(&chan->tx_q);
3092 chan->local_amp_id = AMP_ID_BREDR;
3093 chan->move_id = AMP_ID_BREDR;
3094 chan->move_state = L2CAP_MOVE_STABLE;
3095 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3097 if (chan->mode != L2CAP_MODE_ERTM)
3100 chan->rx_state = L2CAP_RX_STATE_RECV;
3101 chan->tx_state = L2CAP_TX_STATE_XMIT;
3103 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3104 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3105 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3107 skb_queue_head_init(&chan->srej_q);
3109 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3113 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3115 l2cap_seq_list_free(&chan->srej_list);
3120 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3123 case L2CAP_MODE_STREAMING:
3124 case L2CAP_MODE_ERTM:
3125 if (l2cap_mode_supported(mode, remote_feat_mask))
3129 return L2CAP_MODE_BASIC;
3133 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3135 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3136 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3139 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3141 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3142 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3145 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3146 struct l2cap_conf_rfc *rfc)
3148 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3149 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3151 /* Class 1 devices have must have ERTM timeouts
3152 * exceeding the Link Supervision Timeout. The
3153 * default Link Supervision Timeout for AMP
3154 * controllers is 10 seconds.
3156 * Class 1 devices use 0xffffffff for their
3157 * best-effort flush timeout, so the clamping logic
3158 * will result in a timeout that meets the above
3159 * requirement. ERTM timeouts are 16-bit values, so
3160 * the maximum timeout is 65.535 seconds.
3163 /* Convert timeout to milliseconds and round */
3164 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3166 /* This is the recommended formula for class 2 devices
3167 * that start ERTM timers when packets are sent to the
3170 ertm_to = 3 * ertm_to + 500;
3172 if (ertm_to > 0xffff)
3175 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3176 rfc->monitor_timeout = rfc->retrans_timeout;
3178 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3179 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3183 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3185 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3186 __l2cap_ews_supported(chan->conn)) {
3187 /* use extended control field */
3188 set_bit(FLAG_EXT_CTRL, &chan->flags);
3189 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3191 chan->tx_win = min_t(u16, chan->tx_win,
3192 L2CAP_DEFAULT_TX_WINDOW);
3193 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3195 chan->ack_win = chan->tx_win;
3198 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3200 struct l2cap_conf_req *req = data;
3201 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3202 void *ptr = req->data;
3203 void *endptr = data + data_size;
3206 BT_DBG("chan %p", chan);
3208 if (chan->num_conf_req || chan->num_conf_rsp)
3211 switch (chan->mode) {
3212 case L2CAP_MODE_STREAMING:
3213 case L2CAP_MODE_ERTM:
3214 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3217 if (__l2cap_efs_supported(chan->conn))
3218 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3222 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3227 if (chan->imtu != L2CAP_DEFAULT_MTU)
3228 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3230 switch (chan->mode) {
3231 case L2CAP_MODE_BASIC:
3235 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3236 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3239 rfc.mode = L2CAP_MODE_BASIC;
3241 rfc.max_transmit = 0;
3242 rfc.retrans_timeout = 0;
3243 rfc.monitor_timeout = 0;
3244 rfc.max_pdu_size = 0;
3246 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3247 (unsigned long) &rfc, endptr - ptr);
3250 case L2CAP_MODE_ERTM:
3251 rfc.mode = L2CAP_MODE_ERTM;
3252 rfc.max_transmit = chan->max_tx;
3254 __l2cap_set_ertm_timeouts(chan, &rfc);
3256 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3257 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3259 rfc.max_pdu_size = cpu_to_le16(size);
3261 l2cap_txwin_setup(chan);
3263 rfc.txwin_size = min_t(u16, chan->tx_win,
3264 L2CAP_DEFAULT_TX_WINDOW);
3266 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3267 (unsigned long) &rfc, endptr - ptr);
3269 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3270 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3272 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3273 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3274 chan->tx_win, endptr - ptr);
3276 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3277 if (chan->fcs == L2CAP_FCS_NONE ||
3278 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3279 chan->fcs = L2CAP_FCS_NONE;
3280 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3281 chan->fcs, endptr - ptr);
3285 case L2CAP_MODE_STREAMING:
3286 l2cap_txwin_setup(chan);
3287 rfc.mode = L2CAP_MODE_STREAMING;
3289 rfc.max_transmit = 0;
3290 rfc.retrans_timeout = 0;
3291 rfc.monitor_timeout = 0;
3293 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3294 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3296 rfc.max_pdu_size = cpu_to_le16(size);
3298 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3299 (unsigned long) &rfc, endptr - ptr);
3301 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3302 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3304 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3305 if (chan->fcs == L2CAP_FCS_NONE ||
3306 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3307 chan->fcs = L2CAP_FCS_NONE;
3308 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3309 chan->fcs, endptr - ptr);
3314 req->dcid = cpu_to_le16(chan->dcid);
3315 req->flags = cpu_to_le16(0);
3320 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3322 struct l2cap_conf_rsp *rsp = data;
3323 void *ptr = rsp->data;
3324 void *endptr = data + data_size;
3325 void *req = chan->conf_req;
3326 int len = chan->conf_len;
3327 int type, hint, olen;
3329 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3330 struct l2cap_conf_efs efs;
3332 u16 mtu = L2CAP_DEFAULT_MTU;
3333 u16 result = L2CAP_CONF_SUCCESS;
3336 BT_DBG("chan %p", chan);
3338 while (len >= L2CAP_CONF_OPT_SIZE) {
3339 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3343 hint = type & L2CAP_CONF_HINT;
3344 type &= L2CAP_CONF_MASK;
3347 case L2CAP_CONF_MTU:
3353 case L2CAP_CONF_FLUSH_TO:
3356 chan->flush_to = val;
3359 case L2CAP_CONF_QOS:
3362 case L2CAP_CONF_RFC:
3363 if (olen != sizeof(rfc))
3365 memcpy(&rfc, (void *) val, olen);
3368 case L2CAP_CONF_FCS:
3371 if (val == L2CAP_FCS_NONE)
3372 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3375 case L2CAP_CONF_EFS:
3376 if (olen != sizeof(efs))
3379 memcpy(&efs, (void *) val, olen);
3382 case L2CAP_CONF_EWS:
3385 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3386 return -ECONNREFUSED;
3387 set_bit(FLAG_EXT_CTRL, &chan->flags);
3388 set_bit(CONF_EWS_RECV, &chan->conf_state);
3389 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3390 chan->remote_tx_win = val;
3396 result = L2CAP_CONF_UNKNOWN;
3397 *((u8 *) ptr++) = type;
3402 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3405 switch (chan->mode) {
3406 case L2CAP_MODE_STREAMING:
3407 case L2CAP_MODE_ERTM:
3408 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3409 chan->mode = l2cap_select_mode(rfc.mode,
3410 chan->conn->feat_mask);
3415 if (__l2cap_efs_supported(chan->conn))
3416 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3418 return -ECONNREFUSED;
3421 if (chan->mode != rfc.mode)
3422 return -ECONNREFUSED;
3428 if (chan->mode != rfc.mode) {
3429 result = L2CAP_CONF_UNACCEPT;
3430 rfc.mode = chan->mode;
3432 if (chan->num_conf_rsp == 1)
3433 return -ECONNREFUSED;
3435 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3436 (unsigned long) &rfc, endptr - ptr);
3439 if (result == L2CAP_CONF_SUCCESS) {
3440 /* Configure output options and let the other side know
3441 * which ones we don't like. */
3443 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3444 result = L2CAP_CONF_UNACCEPT;
3447 set_bit(CONF_MTU_DONE, &chan->conf_state);
3449 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3452 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3453 efs.stype != L2CAP_SERV_NOTRAFIC &&
3454 efs.stype != chan->local_stype) {
3456 result = L2CAP_CONF_UNACCEPT;
3458 if (chan->num_conf_req >= 1)
3459 return -ECONNREFUSED;
3461 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3463 (unsigned long) &efs, endptr - ptr);
3465 /* Send PENDING Conf Rsp */
3466 result = L2CAP_CONF_PENDING;
3467 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3472 case L2CAP_MODE_BASIC:
3473 chan->fcs = L2CAP_FCS_NONE;
3474 set_bit(CONF_MODE_DONE, &chan->conf_state);
3477 case L2CAP_MODE_ERTM:
3478 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3479 chan->remote_tx_win = rfc.txwin_size;
3481 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3483 chan->remote_max_tx = rfc.max_transmit;
3485 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3486 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3487 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3488 rfc.max_pdu_size = cpu_to_le16(size);
3489 chan->remote_mps = size;
3491 __l2cap_set_ertm_timeouts(chan, &rfc);
3493 set_bit(CONF_MODE_DONE, &chan->conf_state);
3495 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3496 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3498 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3499 chan->remote_id = efs.id;
3500 chan->remote_stype = efs.stype;
3501 chan->remote_msdu = le16_to_cpu(efs.msdu);
3502 chan->remote_flush_to =
3503 le32_to_cpu(efs.flush_to);
3504 chan->remote_acc_lat =
3505 le32_to_cpu(efs.acc_lat);
3506 chan->remote_sdu_itime =
3507 le32_to_cpu(efs.sdu_itime);
3508 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3510 (unsigned long) &efs, endptr - ptr);
3514 case L2CAP_MODE_STREAMING:
3515 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3516 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3517 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3518 rfc.max_pdu_size = cpu_to_le16(size);
3519 chan->remote_mps = size;
3521 set_bit(CONF_MODE_DONE, &chan->conf_state);
3523 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3524 (unsigned long) &rfc, endptr - ptr);
3529 result = L2CAP_CONF_UNACCEPT;
3531 memset(&rfc, 0, sizeof(rfc));
3532 rfc.mode = chan->mode;
3535 if (result == L2CAP_CONF_SUCCESS)
3536 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3538 rsp->scid = cpu_to_le16(chan->dcid);
3539 rsp->result = cpu_to_le16(result);
3540 rsp->flags = cpu_to_le16(0);
3545 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3546 void *data, size_t size, u16 *result)
3548 struct l2cap_conf_req *req = data;
3549 void *ptr = req->data;
3550 void *endptr = data + size;
3553 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3554 struct l2cap_conf_efs efs;
3556 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3558 while (len >= L2CAP_CONF_OPT_SIZE) {
3559 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3564 case L2CAP_CONF_MTU:
3567 if (val < L2CAP_DEFAULT_MIN_MTU) {
3568 *result = L2CAP_CONF_UNACCEPT;
3569 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3572 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3576 case L2CAP_CONF_FLUSH_TO:
3579 chan->flush_to = val;
3580 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3581 chan->flush_to, endptr - ptr);
3584 case L2CAP_CONF_RFC:
3585 if (olen != sizeof(rfc))
3587 memcpy(&rfc, (void *)val, olen);
3588 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3589 rfc.mode != chan->mode)
3590 return -ECONNREFUSED;
3592 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3593 (unsigned long) &rfc, endptr - ptr);
3596 case L2CAP_CONF_EWS:
3599 chan->ack_win = min_t(u16, val, chan->ack_win);
3600 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3601 chan->tx_win, endptr - ptr);
3604 case L2CAP_CONF_EFS:
3605 if (olen != sizeof(efs))
3607 memcpy(&efs, (void *)val, olen);
3608 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3609 efs.stype != L2CAP_SERV_NOTRAFIC &&
3610 efs.stype != chan->local_stype)
3611 return -ECONNREFUSED;
3612 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3613 (unsigned long) &efs, endptr - ptr);
3616 case L2CAP_CONF_FCS:
3619 if (*result == L2CAP_CONF_PENDING)
3620 if (val == L2CAP_FCS_NONE)
3621 set_bit(CONF_RECV_NO_FCS,
3627 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3628 return -ECONNREFUSED;
3630 chan->mode = rfc.mode;
3632 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3634 case L2CAP_MODE_ERTM:
3635 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3636 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3637 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3638 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3639 chan->ack_win = min_t(u16, chan->ack_win,
3642 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3643 chan->local_msdu = le16_to_cpu(efs.msdu);
3644 chan->local_sdu_itime =
3645 le32_to_cpu(efs.sdu_itime);
3646 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3647 chan->local_flush_to =
3648 le32_to_cpu(efs.flush_to);
3652 case L2CAP_MODE_STREAMING:
3653 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3657 req->dcid = cpu_to_le16(chan->dcid);
3658 req->flags = cpu_to_le16(0);
3663 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3664 u16 result, u16 flags)
3666 struct l2cap_conf_rsp *rsp = data;
3667 void *ptr = rsp->data;
3669 BT_DBG("chan %p", chan);
3671 rsp->scid = cpu_to_le16(chan->dcid);
3672 rsp->result = cpu_to_le16(result);
3673 rsp->flags = cpu_to_le16(flags);
3678 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3680 struct l2cap_le_conn_rsp rsp;
3681 struct l2cap_conn *conn = chan->conn;
3683 BT_DBG("chan %p", chan);
3685 rsp.dcid = cpu_to_le16(chan->scid);
3686 rsp.mtu = cpu_to_le16(chan->imtu);
3687 rsp.mps = cpu_to_le16(chan->mps);
3688 rsp.credits = cpu_to_le16(chan->rx_credits);
3689 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3691 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3695 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3697 struct l2cap_conn_rsp rsp;
3698 struct l2cap_conn *conn = chan->conn;
3702 rsp.scid = cpu_to_le16(chan->dcid);
3703 rsp.dcid = cpu_to_le16(chan->scid);
3704 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3705 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3708 rsp_code = L2CAP_CREATE_CHAN_RSP;
3710 rsp_code = L2CAP_CONN_RSP;
3712 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3714 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3716 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3719 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3720 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3721 chan->num_conf_req++;
3724 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3728 /* Use sane default values in case a misbehaving remote device
3729 * did not send an RFC or extended window size option.
3731 u16 txwin_ext = chan->ack_win;
3732 struct l2cap_conf_rfc rfc = {
3734 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3735 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3736 .max_pdu_size = cpu_to_le16(chan->imtu),
3737 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3740 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3742 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3745 while (len >= L2CAP_CONF_OPT_SIZE) {
3746 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3751 case L2CAP_CONF_RFC:
3752 if (olen != sizeof(rfc))
3754 memcpy(&rfc, (void *)val, olen);
3756 case L2CAP_CONF_EWS:
3765 case L2CAP_MODE_ERTM:
3766 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3767 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3768 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3769 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3770 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3772 chan->ack_win = min_t(u16, chan->ack_win,
3775 case L2CAP_MODE_STREAMING:
3776 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3780 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3781 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3784 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3786 if (cmd_len < sizeof(*rej))
3789 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3792 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3793 cmd->ident == conn->info_ident) {
3794 cancel_delayed_work(&conn->info_timer);
3796 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3797 conn->info_ident = 0;
3799 l2cap_conn_start(conn);
3805 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3806 struct l2cap_cmd_hdr *cmd,
3807 u8 *data, u8 rsp_code, u8 amp_id)
3809 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3810 struct l2cap_conn_rsp rsp;
3811 struct l2cap_chan *chan = NULL, *pchan;
3812 int result, status = L2CAP_CS_NO_INFO;
3814 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3815 __le16 psm = req->psm;
3817 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3819 /* Check if we have socket listening on psm */
3820 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3821 &conn->hcon->dst, ACL_LINK);
3823 result = L2CAP_CR_BAD_PSM;
3827 mutex_lock(&conn->chan_lock);
3828 l2cap_chan_lock(pchan);
3830 /* Check if the ACL is secure enough (if not SDP) */
3831 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3832 !hci_conn_check_link_mode(conn->hcon)) {
3833 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3834 result = L2CAP_CR_SEC_BLOCK;
3838 result = L2CAP_CR_NO_MEM;
3840 /* Check for valid dynamic CID range (as per Erratum 3253) */
3841 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3842 result = L2CAP_CR_INVALID_SCID;
3846 /* Check if we already have channel with that dcid */
3847 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3848 result = L2CAP_CR_SCID_IN_USE;
3852 chan = pchan->ops->new_connection(pchan);
3856 /* For certain devices (ex: HID mouse), support for authentication,
3857 * pairing and bonding is optional. For such devices, inorder to avoid
3858 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3859 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3861 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3863 bacpy(&chan->src, &conn->hcon->src);
3864 bacpy(&chan->dst, &conn->hcon->dst);
3865 chan->src_type = bdaddr_src_type(conn->hcon);
3866 chan->dst_type = bdaddr_dst_type(conn->hcon);
3869 chan->local_amp_id = amp_id;
3871 __l2cap_chan_add(conn, chan);
3875 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3877 chan->ident = cmd->ident;
3879 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3880 if (l2cap_chan_check_security(chan, false)) {
3881 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3882 l2cap_state_change(chan, BT_CONNECT2);
3883 result = L2CAP_CR_PEND;
3884 status = L2CAP_CS_AUTHOR_PEND;
3885 chan->ops->defer(chan);
3887 /* Force pending result for AMP controllers.
3888 * The connection will succeed after the
3889 * physical link is up.
3891 if (amp_id == AMP_ID_BREDR) {
3892 l2cap_state_change(chan, BT_CONFIG);
3893 result = L2CAP_CR_SUCCESS;
3895 l2cap_state_change(chan, BT_CONNECT2);
3896 result = L2CAP_CR_PEND;
3898 status = L2CAP_CS_NO_INFO;
3901 l2cap_state_change(chan, BT_CONNECT2);
3902 result = L2CAP_CR_PEND;
3903 status = L2CAP_CS_AUTHEN_PEND;
3906 l2cap_state_change(chan, BT_CONNECT2);
3907 result = L2CAP_CR_PEND;
3908 status = L2CAP_CS_NO_INFO;
3912 l2cap_chan_unlock(pchan);
3913 mutex_unlock(&conn->chan_lock);
3914 l2cap_chan_put(pchan);
3917 rsp.scid = cpu_to_le16(scid);
3918 rsp.dcid = cpu_to_le16(dcid);
3919 rsp.result = cpu_to_le16(result);
3920 rsp.status = cpu_to_le16(status);
3921 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3923 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3924 struct l2cap_info_req info;
3925 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3927 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3928 conn->info_ident = l2cap_get_ident(conn);
3930 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3932 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3933 sizeof(info), &info);
3936 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3937 result == L2CAP_CR_SUCCESS) {
3939 set_bit(CONF_REQ_SENT, &chan->conf_state);
3940 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3941 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3942 chan->num_conf_req++;
3948 static int l2cap_connect_req(struct l2cap_conn *conn,
3949 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3951 struct hci_dev *hdev = conn->hcon->hdev;
3952 struct hci_conn *hcon = conn->hcon;
3954 if (cmd_len < sizeof(struct l2cap_conn_req))
3958 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3959 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3960 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3961 hci_dev_unlock(hdev);
3963 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3967 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3968 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3971 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3972 u16 scid, dcid, result, status;
3973 struct l2cap_chan *chan;
3977 if (cmd_len < sizeof(*rsp))
3980 scid = __le16_to_cpu(rsp->scid);
3981 dcid = __le16_to_cpu(rsp->dcid);
3982 result = __le16_to_cpu(rsp->result);
3983 status = __le16_to_cpu(rsp->status);
3985 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3986 dcid, scid, result, status);
3988 mutex_lock(&conn->chan_lock);
3991 chan = __l2cap_get_chan_by_scid(conn, scid);
3997 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4006 l2cap_chan_lock(chan);
4009 case L2CAP_CR_SUCCESS:
4010 l2cap_state_change(chan, BT_CONFIG);
4013 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4015 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4018 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4019 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4020 chan->num_conf_req++;
4024 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4028 l2cap_chan_del(chan, ECONNREFUSED);
4032 l2cap_chan_unlock(chan);
4035 mutex_unlock(&conn->chan_lock);
4040 static inline void set_default_fcs(struct l2cap_chan *chan)
4042 /* FCS is enabled only in ERTM or streaming mode, if one or both
4045 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4046 chan->fcs = L2CAP_FCS_NONE;
4047 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4048 chan->fcs = L2CAP_FCS_CRC16;
4051 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4052 u8 ident, u16 flags)
4054 struct l2cap_conn *conn = chan->conn;
4056 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4059 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4060 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4062 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4063 l2cap_build_conf_rsp(chan, data,
4064 L2CAP_CONF_SUCCESS, flags), data);
4067 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4070 struct l2cap_cmd_rej_cid rej;
4072 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4073 rej.scid = __cpu_to_le16(scid);
4074 rej.dcid = __cpu_to_le16(dcid);
4076 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4079 static inline int l2cap_config_req(struct l2cap_conn *conn,
4080 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4083 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4086 struct l2cap_chan *chan;
4089 if (cmd_len < sizeof(*req))
4092 dcid = __le16_to_cpu(req->dcid);
4093 flags = __le16_to_cpu(req->flags);
4095 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4097 chan = l2cap_get_chan_by_scid(conn, dcid);
4099 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4103 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4104 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4109 /* Reject if config buffer is too small. */
4110 len = cmd_len - sizeof(*req);
4111 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4112 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4113 l2cap_build_conf_rsp(chan, rsp,
4114 L2CAP_CONF_REJECT, flags), rsp);
4119 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4120 chan->conf_len += len;
4122 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4123 /* Incomplete config. Send empty response. */
4124 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4125 l2cap_build_conf_rsp(chan, rsp,
4126 L2CAP_CONF_SUCCESS, flags), rsp);
4130 /* Complete config. */
4131 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4133 l2cap_send_disconn_req(chan, ECONNRESET);
4137 chan->ident = cmd->ident;
4138 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4139 chan->num_conf_rsp++;
4141 /* Reset config buffer. */
4144 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4147 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4148 set_default_fcs(chan);
4150 if (chan->mode == L2CAP_MODE_ERTM ||
4151 chan->mode == L2CAP_MODE_STREAMING)
4152 err = l2cap_ertm_init(chan);
4155 l2cap_send_disconn_req(chan, -err);
4157 l2cap_chan_ready(chan);
4162 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4164 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4165 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4166 chan->num_conf_req++;
4169 /* Got Conf Rsp PENDING from remote side and assume we sent
4170 Conf Rsp PENDING in the code above */
4171 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4172 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4174 /* check compatibility */
4176 /* Send rsp for BR/EDR channel */
4178 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4180 chan->ident = cmd->ident;
4184 l2cap_chan_unlock(chan);
4188 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4189 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4192 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4193 u16 scid, flags, result;
4194 struct l2cap_chan *chan;
4195 int len = cmd_len - sizeof(*rsp);
4198 if (cmd_len < sizeof(*rsp))
4201 scid = __le16_to_cpu(rsp->scid);
4202 flags = __le16_to_cpu(rsp->flags);
4203 result = __le16_to_cpu(rsp->result);
4205 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4208 chan = l2cap_get_chan_by_scid(conn, scid);
4213 case L2CAP_CONF_SUCCESS:
4214 l2cap_conf_rfc_get(chan, rsp->data, len);
4215 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4218 case L2CAP_CONF_PENDING:
4219 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4221 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4224 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4225 buf, sizeof(buf), &result);
4227 l2cap_send_disconn_req(chan, ECONNRESET);
4231 if (!chan->hs_hcon) {
4232 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4235 if (l2cap_check_efs(chan)) {
4236 amp_create_logical_link(chan);
4237 chan->ident = cmd->ident;
4243 case L2CAP_CONF_UNACCEPT:
4244 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4247 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4248 l2cap_send_disconn_req(chan, ECONNRESET);
4252 /* throw out any old stored conf requests */
4253 result = L2CAP_CONF_SUCCESS;
4254 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4255 req, sizeof(req), &result);
4257 l2cap_send_disconn_req(chan, ECONNRESET);
4261 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4262 L2CAP_CONF_REQ, len, req);
4263 chan->num_conf_req++;
4264 if (result != L2CAP_CONF_SUCCESS)
4271 l2cap_chan_set_err(chan, ECONNRESET);
4273 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4274 l2cap_send_disconn_req(chan, ECONNRESET);
4278 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4281 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4283 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4284 set_default_fcs(chan);
4286 if (chan->mode == L2CAP_MODE_ERTM ||
4287 chan->mode == L2CAP_MODE_STREAMING)
4288 err = l2cap_ertm_init(chan);
4291 l2cap_send_disconn_req(chan, -err);
4293 l2cap_chan_ready(chan);
4297 l2cap_chan_unlock(chan);
4301 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4302 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4305 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4306 struct l2cap_disconn_rsp rsp;
4308 struct l2cap_chan *chan;
4310 if (cmd_len != sizeof(*req))
4313 scid = __le16_to_cpu(req->scid);
4314 dcid = __le16_to_cpu(req->dcid);
4316 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4318 mutex_lock(&conn->chan_lock);
4320 chan = __l2cap_get_chan_by_scid(conn, dcid);
4322 mutex_unlock(&conn->chan_lock);
4323 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4327 l2cap_chan_lock(chan);
4329 rsp.dcid = cpu_to_le16(chan->scid);
4330 rsp.scid = cpu_to_le16(chan->dcid);
4331 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4333 chan->ops->set_shutdown(chan);
4335 l2cap_chan_hold(chan);
4336 l2cap_chan_del(chan, ECONNRESET);
4338 l2cap_chan_unlock(chan);
4340 chan->ops->close(chan);
4341 l2cap_chan_put(chan);
4343 mutex_unlock(&conn->chan_lock);
4348 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4349 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4352 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4354 struct l2cap_chan *chan;
4356 if (cmd_len != sizeof(*rsp))
4359 scid = __le16_to_cpu(rsp->scid);
4360 dcid = __le16_to_cpu(rsp->dcid);
4362 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4364 mutex_lock(&conn->chan_lock);
4366 chan = __l2cap_get_chan_by_scid(conn, scid);
4368 mutex_unlock(&conn->chan_lock);
4372 l2cap_chan_lock(chan);
4374 l2cap_chan_hold(chan);
4375 l2cap_chan_del(chan, 0);
4377 l2cap_chan_unlock(chan);
4379 chan->ops->close(chan);
4380 l2cap_chan_put(chan);
4382 mutex_unlock(&conn->chan_lock);
4387 static inline int l2cap_information_req(struct l2cap_conn *conn,
4388 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4391 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4394 if (cmd_len != sizeof(*req))
4397 type = __le16_to_cpu(req->type);
4399 BT_DBG("type 0x%4.4x", type);
4401 if (type == L2CAP_IT_FEAT_MASK) {
4403 u32 feat_mask = l2cap_feat_mask;
4404 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4405 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4406 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4408 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4410 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4411 feat_mask |= L2CAP_FEAT_EXT_FLOW
4412 | L2CAP_FEAT_EXT_WINDOW;
4414 put_unaligned_le32(feat_mask, rsp->data);
4415 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4417 } else if (type == L2CAP_IT_FIXED_CHAN) {
4419 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4421 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4422 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4423 rsp->data[0] = conn->local_fixed_chan;
4424 memset(rsp->data + 1, 0, 7);
4425 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4428 struct l2cap_info_rsp rsp;
4429 rsp.type = cpu_to_le16(type);
4430 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4431 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4438 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4439 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4442 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4445 if (cmd_len < sizeof(*rsp))
4448 type = __le16_to_cpu(rsp->type);
4449 result = __le16_to_cpu(rsp->result);
4451 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4453 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4454 if (cmd->ident != conn->info_ident ||
4455 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4458 cancel_delayed_work(&conn->info_timer);
4460 if (result != L2CAP_IR_SUCCESS) {
4461 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4462 conn->info_ident = 0;
4464 l2cap_conn_start(conn);
4470 case L2CAP_IT_FEAT_MASK:
4471 conn->feat_mask = get_unaligned_le32(rsp->data);
4473 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4474 struct l2cap_info_req req;
4475 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4477 conn->info_ident = l2cap_get_ident(conn);
4479 l2cap_send_cmd(conn, conn->info_ident,
4480 L2CAP_INFO_REQ, sizeof(req), &req);
4482 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4483 conn->info_ident = 0;
4485 l2cap_conn_start(conn);
4489 case L2CAP_IT_FIXED_CHAN:
4490 conn->remote_fixed_chan = rsp->data[0];
4491 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4492 conn->info_ident = 0;
4494 l2cap_conn_start(conn);
4501 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4502 struct l2cap_cmd_hdr *cmd,
4503 u16 cmd_len, void *data)
4505 struct l2cap_create_chan_req *req = data;
4506 struct l2cap_create_chan_rsp rsp;
4507 struct l2cap_chan *chan;
4508 struct hci_dev *hdev;
4511 if (cmd_len != sizeof(*req))
4514 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4517 psm = le16_to_cpu(req->psm);
4518 scid = le16_to_cpu(req->scid);
4520 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4522 /* For controller id 0 make BR/EDR connection */
4523 if (req->amp_id == AMP_ID_BREDR) {
4524 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4529 /* Validate AMP controller id */
4530 hdev = hci_dev_get(req->amp_id);
4534 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4539 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4542 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4543 struct hci_conn *hs_hcon;
4545 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4549 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4554 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4556 mgr->bredr_chan = chan;
4557 chan->hs_hcon = hs_hcon;
4558 chan->fcs = L2CAP_FCS_NONE;
4559 conn->mtu = hdev->block_mtu;
4568 rsp.scid = cpu_to_le16(scid);
4569 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4570 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4572 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4578 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4580 struct l2cap_move_chan_req req;
4583 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4585 ident = l2cap_get_ident(chan->conn);
4586 chan->ident = ident;
4588 req.icid = cpu_to_le16(chan->scid);
4589 req.dest_amp_id = dest_amp_id;
4591 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4594 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4597 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4599 struct l2cap_move_chan_rsp rsp;
4601 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4603 rsp.icid = cpu_to_le16(chan->dcid);
4604 rsp.result = cpu_to_le16(result);
4606 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4610 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4612 struct l2cap_move_chan_cfm cfm;
4614 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4616 chan->ident = l2cap_get_ident(chan->conn);
4618 cfm.icid = cpu_to_le16(chan->scid);
4619 cfm.result = cpu_to_le16(result);
4621 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4624 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4627 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4629 struct l2cap_move_chan_cfm cfm;
4631 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4633 cfm.icid = cpu_to_le16(icid);
4634 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4636 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4640 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4643 struct l2cap_move_chan_cfm_rsp rsp;
4645 BT_DBG("icid 0x%4.4x", icid);
4647 rsp.icid = cpu_to_le16(icid);
4648 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4651 static void __release_logical_link(struct l2cap_chan *chan)
4653 chan->hs_hchan = NULL;
4654 chan->hs_hcon = NULL;
4656 /* Placeholder - release the logical link */
4659 static void l2cap_logical_fail(struct l2cap_chan *chan)
4661 /* Logical link setup failed */
4662 if (chan->state != BT_CONNECTED) {
4663 /* Create channel failure, disconnect */
4664 l2cap_send_disconn_req(chan, ECONNRESET);
4668 switch (chan->move_role) {
4669 case L2CAP_MOVE_ROLE_RESPONDER:
4670 l2cap_move_done(chan);
4671 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4673 case L2CAP_MOVE_ROLE_INITIATOR:
4674 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4675 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4676 /* Remote has only sent pending or
4677 * success responses, clean up
4679 l2cap_move_done(chan);
4682 /* Other amp move states imply that the move
4683 * has already aborted
4685 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4690 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4691 struct hci_chan *hchan)
4693 struct l2cap_conf_rsp rsp;
4695 chan->hs_hchan = hchan;
4696 chan->hs_hcon->l2cap_data = chan->conn;
4698 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4700 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4703 set_default_fcs(chan);
4705 err = l2cap_ertm_init(chan);
4707 l2cap_send_disconn_req(chan, -err);
4709 l2cap_chan_ready(chan);
4713 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4714 struct hci_chan *hchan)
4716 chan->hs_hcon = hchan->conn;
4717 chan->hs_hcon->l2cap_data = chan->conn;
4719 BT_DBG("move_state %d", chan->move_state);
4721 switch (chan->move_state) {
4722 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4723 /* Move confirm will be sent after a success
4724 * response is received
4726 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4728 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4729 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4730 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4731 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4732 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4733 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4734 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4735 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4736 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4740 /* Move was not in expected state, free the channel */
4741 __release_logical_link(chan);
4743 chan->move_state = L2CAP_MOVE_STABLE;
4747 /* Call with chan locked */
4748 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4751 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4754 l2cap_logical_fail(chan);
4755 __release_logical_link(chan);
4759 if (chan->state != BT_CONNECTED) {
4760 /* Ignore logical link if channel is on BR/EDR */
4761 if (chan->local_amp_id != AMP_ID_BREDR)
4762 l2cap_logical_finish_create(chan, hchan);
4764 l2cap_logical_finish_move(chan, hchan);
4768 void l2cap_move_start(struct l2cap_chan *chan)
4770 BT_DBG("chan %p", chan);
4772 if (chan->local_amp_id == AMP_ID_BREDR) {
4773 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4775 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4776 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4777 /* Placeholder - start physical link setup */
4779 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4780 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4782 l2cap_move_setup(chan);
4783 l2cap_send_move_chan_req(chan, 0);
4787 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4788 u8 local_amp_id, u8 remote_amp_id)
4790 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4791 local_amp_id, remote_amp_id);
4793 chan->fcs = L2CAP_FCS_NONE;
4795 /* Outgoing channel on AMP */
4796 if (chan->state == BT_CONNECT) {
4797 if (result == L2CAP_CR_SUCCESS) {
4798 chan->local_amp_id = local_amp_id;
4799 l2cap_send_create_chan_req(chan, remote_amp_id);
4801 /* Revert to BR/EDR connect */
4802 l2cap_send_conn_req(chan);
4808 /* Incoming channel on AMP */
4809 if (__l2cap_no_conn_pending(chan)) {
4810 struct l2cap_conn_rsp rsp;
4812 rsp.scid = cpu_to_le16(chan->dcid);
4813 rsp.dcid = cpu_to_le16(chan->scid);
4815 if (result == L2CAP_CR_SUCCESS) {
4816 /* Send successful response */
4817 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4818 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4820 /* Send negative response */
4821 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4822 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4825 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4828 if (result == L2CAP_CR_SUCCESS) {
4829 l2cap_state_change(chan, BT_CONFIG);
4830 set_bit(CONF_REQ_SENT, &chan->conf_state);
4831 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4833 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4834 chan->num_conf_req++;
4839 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4842 l2cap_move_setup(chan);
4843 chan->move_id = local_amp_id;
4844 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4846 l2cap_send_move_chan_req(chan, remote_amp_id);
4849 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4851 struct hci_chan *hchan = NULL;
4853 /* Placeholder - get hci_chan for logical link */
4856 if (hchan->state == BT_CONNECTED) {
4857 /* Logical link is ready to go */
4858 chan->hs_hcon = hchan->conn;
4859 chan->hs_hcon->l2cap_data = chan->conn;
4860 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4861 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4863 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4865 /* Wait for logical link to be ready */
4866 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4869 /* Logical link not available */
4870 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4874 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4876 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4878 if (result == -EINVAL)
4879 rsp_result = L2CAP_MR_BAD_ID;
4881 rsp_result = L2CAP_MR_NOT_ALLOWED;
4883 l2cap_send_move_chan_rsp(chan, rsp_result);
4886 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4887 chan->move_state = L2CAP_MOVE_STABLE;
4889 /* Restart data transmission */
4890 l2cap_ertm_send(chan);
4893 /* Invoke with locked chan */
4894 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4896 u8 local_amp_id = chan->local_amp_id;
4897 u8 remote_amp_id = chan->remote_amp_id;
4899 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4900 chan, result, local_amp_id, remote_amp_id);
4902 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4903 l2cap_chan_unlock(chan);
4907 if (chan->state != BT_CONNECTED) {
4908 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4909 } else if (result != L2CAP_MR_SUCCESS) {
4910 l2cap_do_move_cancel(chan, result);
4912 switch (chan->move_role) {
4913 case L2CAP_MOVE_ROLE_INITIATOR:
4914 l2cap_do_move_initiate(chan, local_amp_id,
4917 case L2CAP_MOVE_ROLE_RESPONDER:
4918 l2cap_do_move_respond(chan, result);
4921 l2cap_do_move_cancel(chan, result);
4927 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4928 struct l2cap_cmd_hdr *cmd,
4929 u16 cmd_len, void *data)
4931 struct l2cap_move_chan_req *req = data;
4932 struct l2cap_move_chan_rsp rsp;
4933 struct l2cap_chan *chan;
4935 u16 result = L2CAP_MR_NOT_ALLOWED;
4937 if (cmd_len != sizeof(*req))
4940 icid = le16_to_cpu(req->icid);
4942 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4944 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4947 chan = l2cap_get_chan_by_dcid(conn, icid);
4949 rsp.icid = cpu_to_le16(icid);
4950 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4951 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4956 chan->ident = cmd->ident;
4958 if (chan->scid < L2CAP_CID_DYN_START ||
4959 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4960 (chan->mode != L2CAP_MODE_ERTM &&
4961 chan->mode != L2CAP_MODE_STREAMING)) {
4962 result = L2CAP_MR_NOT_ALLOWED;
4963 goto send_move_response;
4966 if (chan->local_amp_id == req->dest_amp_id) {
4967 result = L2CAP_MR_SAME_ID;
4968 goto send_move_response;
4971 if (req->dest_amp_id != AMP_ID_BREDR) {
4972 struct hci_dev *hdev;
4973 hdev = hci_dev_get(req->dest_amp_id);
4974 if (!hdev || hdev->dev_type != HCI_AMP ||
4975 !test_bit(HCI_UP, &hdev->flags)) {
4979 result = L2CAP_MR_BAD_ID;
4980 goto send_move_response;
4985 /* Detect a move collision. Only send a collision response
4986 * if this side has "lost", otherwise proceed with the move.
4987 * The winner has the larger bd_addr.
4989 if ((__chan_is_moving(chan) ||
4990 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4991 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
4992 result = L2CAP_MR_COLLISION;
4993 goto send_move_response;
4996 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4997 l2cap_move_setup(chan);
4998 chan->move_id = req->dest_amp_id;
5001 if (req->dest_amp_id == AMP_ID_BREDR) {
5002 /* Moving to BR/EDR */
5003 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5004 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5005 result = L2CAP_MR_PEND;
5007 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5008 result = L2CAP_MR_SUCCESS;
5011 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5012 /* Placeholder - uncomment when amp functions are available */
5013 /*amp_accept_physical(chan, req->dest_amp_id);*/
5014 result = L2CAP_MR_PEND;
5018 l2cap_send_move_chan_rsp(chan, result);
5020 l2cap_chan_unlock(chan);
5025 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5027 struct l2cap_chan *chan;
5028 struct hci_chan *hchan = NULL;
5030 chan = l2cap_get_chan_by_scid(conn, icid);
5032 l2cap_send_move_chan_cfm_icid(conn, icid);
5036 __clear_chan_timer(chan);
5037 if (result == L2CAP_MR_PEND)
5038 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5040 switch (chan->move_state) {
5041 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5042 /* Move confirm will be sent when logical link
5045 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5047 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5048 if (result == L2CAP_MR_PEND) {
5050 } else if (test_bit(CONN_LOCAL_BUSY,
5051 &chan->conn_state)) {
5052 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5054 /* Logical link is up or moving to BR/EDR,
5057 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5058 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5061 case L2CAP_MOVE_WAIT_RSP:
5063 if (result == L2CAP_MR_SUCCESS) {
5064 /* Remote is ready, send confirm immediately
5065 * after logical link is ready
5067 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5069 /* Both logical link and move success
5070 * are required to confirm
5072 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5075 /* Placeholder - get hci_chan for logical link */
5077 /* Logical link not available */
5078 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5082 /* If the logical link is not yet connected, do not
5083 * send confirmation.
5085 if (hchan->state != BT_CONNECTED)
5088 /* Logical link is already ready to go */
5090 chan->hs_hcon = hchan->conn;
5091 chan->hs_hcon->l2cap_data = chan->conn;
5093 if (result == L2CAP_MR_SUCCESS) {
5094 /* Can confirm now */
5095 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5097 /* Now only need move success
5100 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5103 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5106 /* Any other amp move state means the move failed. */
5107 chan->move_id = chan->local_amp_id;
5108 l2cap_move_done(chan);
5109 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5112 l2cap_chan_unlock(chan);
5115 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5118 struct l2cap_chan *chan;
5120 chan = l2cap_get_chan_by_ident(conn, ident);
5122 /* Could not locate channel, icid is best guess */
5123 l2cap_send_move_chan_cfm_icid(conn, icid);
5127 __clear_chan_timer(chan);
5129 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5130 if (result == L2CAP_MR_COLLISION) {
5131 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5133 /* Cleanup - cancel move */
5134 chan->move_id = chan->local_amp_id;
5135 l2cap_move_done(chan);
5139 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5141 l2cap_chan_unlock(chan);
5144 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5145 struct l2cap_cmd_hdr *cmd,
5146 u16 cmd_len, void *data)
5148 struct l2cap_move_chan_rsp *rsp = data;
5151 if (cmd_len != sizeof(*rsp))
5154 icid = le16_to_cpu(rsp->icid);
5155 result = le16_to_cpu(rsp->result);
5157 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5159 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5160 l2cap_move_continue(conn, icid, result);
5162 l2cap_move_fail(conn, cmd->ident, icid, result);
5167 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5168 struct l2cap_cmd_hdr *cmd,
5169 u16 cmd_len, void *data)
5171 struct l2cap_move_chan_cfm *cfm = data;
5172 struct l2cap_chan *chan;
5175 if (cmd_len != sizeof(*cfm))
5178 icid = le16_to_cpu(cfm->icid);
5179 result = le16_to_cpu(cfm->result);
5181 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5183 chan = l2cap_get_chan_by_dcid(conn, icid);
5185 /* Spec requires a response even if the icid was not found */
5186 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5190 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5191 if (result == L2CAP_MC_CONFIRMED) {
5192 chan->local_amp_id = chan->move_id;
5193 if (chan->local_amp_id == AMP_ID_BREDR)
5194 __release_logical_link(chan);
5196 chan->move_id = chan->local_amp_id;
5199 l2cap_move_done(chan);
5202 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5204 l2cap_chan_unlock(chan);
5209 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5210 struct l2cap_cmd_hdr *cmd,
5211 u16 cmd_len, void *data)
5213 struct l2cap_move_chan_cfm_rsp *rsp = data;
5214 struct l2cap_chan *chan;
5217 if (cmd_len != sizeof(*rsp))
5220 icid = le16_to_cpu(rsp->icid);
5222 BT_DBG("icid 0x%4.4x", icid);
5224 chan = l2cap_get_chan_by_scid(conn, icid);
5228 __clear_chan_timer(chan);
5230 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5231 chan->local_amp_id = chan->move_id;
5233 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5234 __release_logical_link(chan);
5236 l2cap_move_done(chan);
5239 l2cap_chan_unlock(chan);
5244 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5245 struct l2cap_cmd_hdr *cmd,
5246 u16 cmd_len, u8 *data)
5248 struct hci_conn *hcon = conn->hcon;
5249 struct l2cap_conn_param_update_req *req;
5250 struct l2cap_conn_param_update_rsp rsp;
5251 u16 min, max, latency, to_multiplier;
5254 if (hcon->role != HCI_ROLE_MASTER)
5257 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5260 req = (struct l2cap_conn_param_update_req *) data;
5261 min = __le16_to_cpu(req->min);
5262 max = __le16_to_cpu(req->max);
5263 latency = __le16_to_cpu(req->latency);
5264 to_multiplier = __le16_to_cpu(req->to_multiplier);
5266 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5267 min, max, latency, to_multiplier);
5269 memset(&rsp, 0, sizeof(rsp));
5271 err = hci_check_conn_params(min, max, latency, to_multiplier);
5273 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5275 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5277 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5283 store_hint = hci_le_conn_update(hcon, min, max, latency,
5285 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5286 store_hint, min, max, latency,
5294 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5295 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5298 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5299 struct hci_conn *hcon = conn->hcon;
5300 u16 dcid, mtu, mps, credits, result;
5301 struct l2cap_chan *chan;
5304 if (cmd_len < sizeof(*rsp))
5307 dcid = __le16_to_cpu(rsp->dcid);
5308 mtu = __le16_to_cpu(rsp->mtu);
5309 mps = __le16_to_cpu(rsp->mps);
5310 credits = __le16_to_cpu(rsp->credits);
5311 result = __le16_to_cpu(rsp->result);
5313 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5314 dcid < L2CAP_CID_DYN_START ||
5315 dcid > L2CAP_CID_LE_DYN_END))
5318 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5319 dcid, mtu, mps, credits, result);
5321 mutex_lock(&conn->chan_lock);
5323 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5331 l2cap_chan_lock(chan);
5334 case L2CAP_CR_LE_SUCCESS:
5335 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5343 chan->remote_mps = mps;
5344 chan->tx_credits = credits;
5345 l2cap_chan_ready(chan);
5348 case L2CAP_CR_LE_AUTHENTICATION:
5349 case L2CAP_CR_LE_ENCRYPTION:
5350 /* If we already have MITM protection we can't do
5353 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5354 l2cap_chan_del(chan, ECONNREFUSED);
5358 sec_level = hcon->sec_level + 1;
5359 if (chan->sec_level < sec_level)
5360 chan->sec_level = sec_level;
5362 /* We'll need to send a new Connect Request */
5363 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5365 smp_conn_security(hcon, chan->sec_level);
5369 l2cap_chan_del(chan, ECONNREFUSED);
5373 l2cap_chan_unlock(chan);
5376 mutex_unlock(&conn->chan_lock);
5381 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5382 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5387 switch (cmd->code) {
5388 case L2CAP_COMMAND_REJ:
5389 l2cap_command_rej(conn, cmd, cmd_len, data);
5392 case L2CAP_CONN_REQ:
5393 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5396 case L2CAP_CONN_RSP:
5397 case L2CAP_CREATE_CHAN_RSP:
5398 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5401 case L2CAP_CONF_REQ:
5402 err = l2cap_config_req(conn, cmd, cmd_len, data);
5405 case L2CAP_CONF_RSP:
5406 l2cap_config_rsp(conn, cmd, cmd_len, data);
5409 case L2CAP_DISCONN_REQ:
5410 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5413 case L2CAP_DISCONN_RSP:
5414 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5417 case L2CAP_ECHO_REQ:
5418 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5421 case L2CAP_ECHO_RSP:
5424 case L2CAP_INFO_REQ:
5425 err = l2cap_information_req(conn, cmd, cmd_len, data);
5428 case L2CAP_INFO_RSP:
5429 l2cap_information_rsp(conn, cmd, cmd_len, data);
5432 case L2CAP_CREATE_CHAN_REQ:
5433 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5436 case L2CAP_MOVE_CHAN_REQ:
5437 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5440 case L2CAP_MOVE_CHAN_RSP:
5441 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5444 case L2CAP_MOVE_CHAN_CFM:
5445 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5448 case L2CAP_MOVE_CHAN_CFM_RSP:
5449 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5453 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5461 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5462 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5465 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5466 struct l2cap_le_conn_rsp rsp;
5467 struct l2cap_chan *chan, *pchan;
5468 u16 dcid, scid, credits, mtu, mps;
5472 if (cmd_len != sizeof(*req))
5475 scid = __le16_to_cpu(req->scid);
5476 mtu = __le16_to_cpu(req->mtu);
5477 mps = __le16_to_cpu(req->mps);
5482 if (mtu < 23 || mps < 23)
5485 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5488 /* Check if we have socket listening on psm */
5489 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5490 &conn->hcon->dst, LE_LINK);
5492 result = L2CAP_CR_LE_BAD_PSM;
5497 mutex_lock(&conn->chan_lock);
5498 l2cap_chan_lock(pchan);
5500 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5502 result = L2CAP_CR_LE_AUTHENTICATION;
5504 goto response_unlock;
5507 /* Check for valid dynamic CID range */
5508 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5509 result = L2CAP_CR_LE_INVALID_SCID;
5511 goto response_unlock;
5514 /* Check if we already have channel with that dcid */
5515 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5516 result = L2CAP_CR_LE_SCID_IN_USE;
5518 goto response_unlock;
5521 chan = pchan->ops->new_connection(pchan);
5523 result = L2CAP_CR_LE_NO_MEM;
5524 goto response_unlock;
5527 bacpy(&chan->src, &conn->hcon->src);
5528 bacpy(&chan->dst, &conn->hcon->dst);
5529 chan->src_type = bdaddr_src_type(conn->hcon);
5530 chan->dst_type = bdaddr_dst_type(conn->hcon);
5534 chan->remote_mps = mps;
5536 __l2cap_chan_add(conn, chan);
5538 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5541 credits = chan->rx_credits;
5543 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5545 chan->ident = cmd->ident;
5547 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5548 l2cap_state_change(chan, BT_CONNECT2);
5549 /* The following result value is actually not defined
5550 * for LE CoC but we use it to let the function know
5551 * that it should bail out after doing its cleanup
5552 * instead of sending a response.
5554 result = L2CAP_CR_PEND;
5555 chan->ops->defer(chan);
5557 l2cap_chan_ready(chan);
5558 result = L2CAP_CR_LE_SUCCESS;
5562 l2cap_chan_unlock(pchan);
5563 mutex_unlock(&conn->chan_lock);
5564 l2cap_chan_put(pchan);
5566 if (result == L2CAP_CR_PEND)
5571 rsp.mtu = cpu_to_le16(chan->imtu);
5572 rsp.mps = cpu_to_le16(chan->mps);
5578 rsp.dcid = cpu_to_le16(dcid);
5579 rsp.credits = cpu_to_le16(credits);
5580 rsp.result = cpu_to_le16(result);
5582 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5587 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5588 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5591 struct l2cap_le_credits *pkt;
5592 struct l2cap_chan *chan;
5593 u16 cid, credits, max_credits;
5595 if (cmd_len != sizeof(*pkt))
5598 pkt = (struct l2cap_le_credits *) data;
5599 cid = __le16_to_cpu(pkt->cid);
5600 credits = __le16_to_cpu(pkt->credits);
5602 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5604 chan = l2cap_get_chan_by_dcid(conn, cid);
5608 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5609 if (credits > max_credits) {
5610 BT_ERR("LE credits overflow");
5611 l2cap_send_disconn_req(chan, ECONNRESET);
5612 l2cap_chan_unlock(chan);
5614 /* Return 0 so that we don't trigger an unnecessary
5615 * command reject packet.
5620 chan->tx_credits += credits;
5622 /* Resume sending */
5623 l2cap_le_flowctl_send(chan);
5625 if (chan->tx_credits)
5626 chan->ops->resume(chan);
5628 l2cap_chan_unlock(chan);
5633 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5634 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5637 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5638 struct l2cap_chan *chan;
5640 if (cmd_len < sizeof(*rej))
5643 mutex_lock(&conn->chan_lock);
5645 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5649 l2cap_chan_lock(chan);
5650 l2cap_chan_del(chan, ECONNREFUSED);
5651 l2cap_chan_unlock(chan);
5654 mutex_unlock(&conn->chan_lock);
5658 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5659 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5664 switch (cmd->code) {
5665 case L2CAP_COMMAND_REJ:
5666 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5669 case L2CAP_CONN_PARAM_UPDATE_REQ:
5670 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5673 case L2CAP_CONN_PARAM_UPDATE_RSP:
5676 case L2CAP_LE_CONN_RSP:
5677 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5680 case L2CAP_LE_CONN_REQ:
5681 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5684 case L2CAP_LE_CREDITS:
5685 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5688 case L2CAP_DISCONN_REQ:
5689 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5692 case L2CAP_DISCONN_RSP:
5693 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5697 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5705 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5706 struct sk_buff *skb)
5708 struct hci_conn *hcon = conn->hcon;
5709 struct l2cap_cmd_hdr *cmd;
5713 if (hcon->type != LE_LINK)
5716 if (skb->len < L2CAP_CMD_HDR_SIZE)
5719 cmd = (void *) skb->data;
5720 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5722 len = le16_to_cpu(cmd->len);
5724 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5726 if (len != skb->len || !cmd->ident) {
5727 BT_DBG("corrupted command");
5731 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5733 struct l2cap_cmd_rej_unk rej;
5735 BT_ERR("Wrong link type (%d)", err);
5737 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5738 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5746 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5747 struct sk_buff *skb)
5749 struct hci_conn *hcon = conn->hcon;
5750 u8 *data = skb->data;
5752 struct l2cap_cmd_hdr cmd;
5755 l2cap_raw_recv(conn, skb);
5757 if (hcon->type != ACL_LINK)
5760 while (len >= L2CAP_CMD_HDR_SIZE) {
5762 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5763 data += L2CAP_CMD_HDR_SIZE;
5764 len -= L2CAP_CMD_HDR_SIZE;
5766 cmd_len = le16_to_cpu(cmd.len);
5768 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5771 if (cmd_len > len || !cmd.ident) {
5772 BT_DBG("corrupted command");
5776 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5778 struct l2cap_cmd_rej_unk rej;
5780 BT_ERR("Wrong link type (%d)", err);
5782 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5783 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5795 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5797 u16 our_fcs, rcv_fcs;
5800 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5801 hdr_size = L2CAP_EXT_HDR_SIZE;
5803 hdr_size = L2CAP_ENH_HDR_SIZE;
5805 if (chan->fcs == L2CAP_FCS_CRC16) {
5806 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5807 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5808 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5810 if (our_fcs != rcv_fcs)
5816 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5818 struct l2cap_ctrl control;
5820 BT_DBG("chan %p", chan);
5822 memset(&control, 0, sizeof(control));
5825 control.reqseq = chan->buffer_seq;
5826 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5828 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5829 control.super = L2CAP_SUPER_RNR;
5830 l2cap_send_sframe(chan, &control);
5833 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5834 chan->unacked_frames > 0)
5835 __set_retrans_timer(chan);
5837 /* Send pending iframes */
5838 l2cap_ertm_send(chan);
5840 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5841 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5842 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5845 control.super = L2CAP_SUPER_RR;
5846 l2cap_send_sframe(chan, &control);
5850 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5851 struct sk_buff **last_frag)
5853 /* skb->len reflects data in skb as well as all fragments
5854 * skb->data_len reflects only data in fragments
5856 if (!skb_has_frag_list(skb))
5857 skb_shinfo(skb)->frag_list = new_frag;
5859 new_frag->next = NULL;
5861 (*last_frag)->next = new_frag;
5862 *last_frag = new_frag;
5864 skb->len += new_frag->len;
5865 skb->data_len += new_frag->len;
5866 skb->truesize += new_frag->truesize;
5869 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5870 struct l2cap_ctrl *control)
5874 switch (control->sar) {
5875 case L2CAP_SAR_UNSEGMENTED:
5879 err = chan->ops->recv(chan, skb);
5882 case L2CAP_SAR_START:
5886 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5889 chan->sdu_len = get_unaligned_le16(skb->data);
5890 skb_pull(skb, L2CAP_SDULEN_SIZE);
5892 if (chan->sdu_len > chan->imtu) {
5897 if (skb->len >= chan->sdu_len)
5901 chan->sdu_last_frag = skb;
5907 case L2CAP_SAR_CONTINUE:
5911 append_skb_frag(chan->sdu, skb,
5912 &chan->sdu_last_frag);
5915 if (chan->sdu->len >= chan->sdu_len)
5925 append_skb_frag(chan->sdu, skb,
5926 &chan->sdu_last_frag);
5929 if (chan->sdu->len != chan->sdu_len)
5932 err = chan->ops->recv(chan, chan->sdu);
5935 /* Reassembly complete */
5937 chan->sdu_last_frag = NULL;
5945 kfree_skb(chan->sdu);
5947 chan->sdu_last_frag = NULL;
5954 static int l2cap_resegment(struct l2cap_chan *chan)
5960 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5964 if (chan->mode != L2CAP_MODE_ERTM)
5967 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5968 l2cap_tx(chan, NULL, NULL, event);
5971 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5974 /* Pass sequential frames to l2cap_reassemble_sdu()
5975 * until a gap is encountered.
5978 BT_DBG("chan %p", chan);
5980 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5981 struct sk_buff *skb;
5982 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5983 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5985 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5990 skb_unlink(skb, &chan->srej_q);
5991 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5992 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
5997 if (skb_queue_empty(&chan->srej_q)) {
5998 chan->rx_state = L2CAP_RX_STATE_RECV;
5999 l2cap_send_ack(chan);
6005 static void l2cap_handle_srej(struct l2cap_chan *chan,
6006 struct l2cap_ctrl *control)
6008 struct sk_buff *skb;
6010 BT_DBG("chan %p, control %p", chan, control);
6012 if (control->reqseq == chan->next_tx_seq) {
6013 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6014 l2cap_send_disconn_req(chan, ECONNRESET);
6018 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6021 BT_DBG("Seq %d not available for retransmission",
6026 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6027 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6028 l2cap_send_disconn_req(chan, ECONNRESET);
6032 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6034 if (control->poll) {
6035 l2cap_pass_to_tx(chan, control);
6037 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6038 l2cap_retransmit(chan, control);
6039 l2cap_ertm_send(chan);
6041 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6042 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6043 chan->srej_save_reqseq = control->reqseq;
6046 l2cap_pass_to_tx_fbit(chan, control);
6048 if (control->final) {
6049 if (chan->srej_save_reqseq != control->reqseq ||
6050 !test_and_clear_bit(CONN_SREJ_ACT,
6052 l2cap_retransmit(chan, control);
6054 l2cap_retransmit(chan, control);
6055 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6056 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6057 chan->srej_save_reqseq = control->reqseq;
6063 static void l2cap_handle_rej(struct l2cap_chan *chan,
6064 struct l2cap_ctrl *control)
6066 struct sk_buff *skb;
6068 BT_DBG("chan %p, control %p", chan, control);
6070 if (control->reqseq == chan->next_tx_seq) {
6071 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6072 l2cap_send_disconn_req(chan, ECONNRESET);
6076 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6078 if (chan->max_tx && skb &&
6079 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6080 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6081 l2cap_send_disconn_req(chan, ECONNRESET);
6085 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6087 l2cap_pass_to_tx(chan, control);
6089 if (control->final) {
6090 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6091 l2cap_retransmit_all(chan, control);
6093 l2cap_retransmit_all(chan, control);
6094 l2cap_ertm_send(chan);
6095 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6096 set_bit(CONN_REJ_ACT, &chan->conn_state);
6100 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6102 BT_DBG("chan %p, txseq %d", chan, txseq);
6104 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6105 chan->expected_tx_seq);
6107 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6108 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6110 /* See notes below regarding "double poll" and
6113 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6114 BT_DBG("Invalid/Ignore - after SREJ");
6115 return L2CAP_TXSEQ_INVALID_IGNORE;
6117 BT_DBG("Invalid - in window after SREJ sent");
6118 return L2CAP_TXSEQ_INVALID;
6122 if (chan->srej_list.head == txseq) {
6123 BT_DBG("Expected SREJ");
6124 return L2CAP_TXSEQ_EXPECTED_SREJ;
6127 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6128 BT_DBG("Duplicate SREJ - txseq already stored");
6129 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6132 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6133 BT_DBG("Unexpected SREJ - not requested");
6134 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6138 if (chan->expected_tx_seq == txseq) {
6139 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6141 BT_DBG("Invalid - txseq outside tx window");
6142 return L2CAP_TXSEQ_INVALID;
6145 return L2CAP_TXSEQ_EXPECTED;
6149 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6150 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6151 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6152 return L2CAP_TXSEQ_DUPLICATE;
6155 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6156 /* A source of invalid packets is a "double poll" condition,
6157 * where delays cause us to send multiple poll packets. If
6158 * the remote stack receives and processes both polls,
6159 * sequence numbers can wrap around in such a way that a
6160 * resent frame has a sequence number that looks like new data
6161 * with a sequence gap. This would trigger an erroneous SREJ
6164 * Fortunately, this is impossible with a tx window that's
6165 * less than half of the maximum sequence number, which allows
6166 * invalid frames to be safely ignored.
6168 * With tx window sizes greater than half of the tx window
6169 * maximum, the frame is invalid and cannot be ignored. This
6170 * causes a disconnect.
6173 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6174 BT_DBG("Invalid/Ignore - txseq outside tx window");
6175 return L2CAP_TXSEQ_INVALID_IGNORE;
6177 BT_DBG("Invalid - txseq outside tx window");
6178 return L2CAP_TXSEQ_INVALID;
6181 BT_DBG("Unexpected - txseq indicates missing frames");
6182 return L2CAP_TXSEQ_UNEXPECTED;
6186 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6187 struct l2cap_ctrl *control,
6188 struct sk_buff *skb, u8 event)
6191 bool skb_in_use = false;
6193 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6197 case L2CAP_EV_RECV_IFRAME:
6198 switch (l2cap_classify_txseq(chan, control->txseq)) {
6199 case L2CAP_TXSEQ_EXPECTED:
6200 l2cap_pass_to_tx(chan, control);
6202 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6203 BT_DBG("Busy, discarding expected seq %d",
6208 chan->expected_tx_seq = __next_seq(chan,
6211 chan->buffer_seq = chan->expected_tx_seq;
6214 err = l2cap_reassemble_sdu(chan, skb, control);
6218 if (control->final) {
6219 if (!test_and_clear_bit(CONN_REJ_ACT,
6220 &chan->conn_state)) {
6222 l2cap_retransmit_all(chan, control);
6223 l2cap_ertm_send(chan);
6227 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6228 l2cap_send_ack(chan);
6230 case L2CAP_TXSEQ_UNEXPECTED:
6231 l2cap_pass_to_tx(chan, control);
6233 /* Can't issue SREJ frames in the local busy state.
6234 * Drop this frame, it will be seen as missing
6235 * when local busy is exited.
6237 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6238 BT_DBG("Busy, discarding unexpected seq %d",
6243 /* There was a gap in the sequence, so an SREJ
6244 * must be sent for each missing frame. The
6245 * current frame is stored for later use.
6247 skb_queue_tail(&chan->srej_q, skb);
6249 BT_DBG("Queued %p (queue len %d)", skb,
6250 skb_queue_len(&chan->srej_q));
6252 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6253 l2cap_seq_list_clear(&chan->srej_list);
6254 l2cap_send_srej(chan, control->txseq);
6256 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6258 case L2CAP_TXSEQ_DUPLICATE:
6259 l2cap_pass_to_tx(chan, control);
6261 case L2CAP_TXSEQ_INVALID_IGNORE:
6263 case L2CAP_TXSEQ_INVALID:
6265 l2cap_send_disconn_req(chan, ECONNRESET);
6269 case L2CAP_EV_RECV_RR:
6270 l2cap_pass_to_tx(chan, control);
6271 if (control->final) {
6272 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6274 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6275 !__chan_is_moving(chan)) {
6277 l2cap_retransmit_all(chan, control);
6280 l2cap_ertm_send(chan);
6281 } else if (control->poll) {
6282 l2cap_send_i_or_rr_or_rnr(chan);
6284 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6285 &chan->conn_state) &&
6286 chan->unacked_frames)
6287 __set_retrans_timer(chan);
6289 l2cap_ertm_send(chan);
6292 case L2CAP_EV_RECV_RNR:
6293 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6294 l2cap_pass_to_tx(chan, control);
6295 if (control && control->poll) {
6296 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6297 l2cap_send_rr_or_rnr(chan, 0);
6299 __clear_retrans_timer(chan);
6300 l2cap_seq_list_clear(&chan->retrans_list);
6302 case L2CAP_EV_RECV_REJ:
6303 l2cap_handle_rej(chan, control);
6305 case L2CAP_EV_RECV_SREJ:
6306 l2cap_handle_srej(chan, control);
6312 if (skb && !skb_in_use) {
6313 BT_DBG("Freeing %p", skb);
6320 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6321 struct l2cap_ctrl *control,
6322 struct sk_buff *skb, u8 event)
6325 u16 txseq = control->txseq;
6326 bool skb_in_use = false;
6328 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6332 case L2CAP_EV_RECV_IFRAME:
6333 switch (l2cap_classify_txseq(chan, txseq)) {
6334 case L2CAP_TXSEQ_EXPECTED:
6335 /* Keep frame for reassembly later */
6336 l2cap_pass_to_tx(chan, control);
6337 skb_queue_tail(&chan->srej_q, skb);
6339 BT_DBG("Queued %p (queue len %d)", skb,
6340 skb_queue_len(&chan->srej_q));
6342 chan->expected_tx_seq = __next_seq(chan, txseq);
6344 case L2CAP_TXSEQ_EXPECTED_SREJ:
6345 l2cap_seq_list_pop(&chan->srej_list);
6347 l2cap_pass_to_tx(chan, control);
6348 skb_queue_tail(&chan->srej_q, skb);
6350 BT_DBG("Queued %p (queue len %d)", skb,
6351 skb_queue_len(&chan->srej_q));
6353 err = l2cap_rx_queued_iframes(chan);
6358 case L2CAP_TXSEQ_UNEXPECTED:
6359 /* Got a frame that can't be reassembled yet.
6360 * Save it for later, and send SREJs to cover
6361 * the missing frames.
6363 skb_queue_tail(&chan->srej_q, skb);
6365 BT_DBG("Queued %p (queue len %d)", skb,
6366 skb_queue_len(&chan->srej_q));
6368 l2cap_pass_to_tx(chan, control);
6369 l2cap_send_srej(chan, control->txseq);
6371 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6372 /* This frame was requested with an SREJ, but
6373 * some expected retransmitted frames are
6374 * missing. Request retransmission of missing
6377 skb_queue_tail(&chan->srej_q, skb);
6379 BT_DBG("Queued %p (queue len %d)", skb,
6380 skb_queue_len(&chan->srej_q));
6382 l2cap_pass_to_tx(chan, control);
6383 l2cap_send_srej_list(chan, control->txseq);
6385 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6386 /* We've already queued this frame. Drop this copy. */
6387 l2cap_pass_to_tx(chan, control);
6389 case L2CAP_TXSEQ_DUPLICATE:
6390 /* Expecting a later sequence number, so this frame
6391 * was already received. Ignore it completely.
6394 case L2CAP_TXSEQ_INVALID_IGNORE:
6396 case L2CAP_TXSEQ_INVALID:
6398 l2cap_send_disconn_req(chan, ECONNRESET);
6402 case L2CAP_EV_RECV_RR:
6403 l2cap_pass_to_tx(chan, control);
6404 if (control->final) {
6405 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6407 if (!test_and_clear_bit(CONN_REJ_ACT,
6408 &chan->conn_state)) {
6410 l2cap_retransmit_all(chan, control);
6413 l2cap_ertm_send(chan);
6414 } else if (control->poll) {
6415 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6416 &chan->conn_state) &&
6417 chan->unacked_frames) {
6418 __set_retrans_timer(chan);
6421 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6422 l2cap_send_srej_tail(chan);
6424 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6425 &chan->conn_state) &&
6426 chan->unacked_frames)
6427 __set_retrans_timer(chan);
6429 l2cap_send_ack(chan);
6432 case L2CAP_EV_RECV_RNR:
6433 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6434 l2cap_pass_to_tx(chan, control);
6435 if (control->poll) {
6436 l2cap_send_srej_tail(chan);
6438 struct l2cap_ctrl rr_control;
6439 memset(&rr_control, 0, sizeof(rr_control));
6440 rr_control.sframe = 1;
6441 rr_control.super = L2CAP_SUPER_RR;
6442 rr_control.reqseq = chan->buffer_seq;
6443 l2cap_send_sframe(chan, &rr_control);
6447 case L2CAP_EV_RECV_REJ:
6448 l2cap_handle_rej(chan, control);
6450 case L2CAP_EV_RECV_SREJ:
6451 l2cap_handle_srej(chan, control);
6455 if (skb && !skb_in_use) {
6456 BT_DBG("Freeing %p", skb);
6463 static int l2cap_finish_move(struct l2cap_chan *chan)
6465 BT_DBG("chan %p", chan);
6467 chan->rx_state = L2CAP_RX_STATE_RECV;
6470 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6472 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6474 return l2cap_resegment(chan);
6477 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6478 struct l2cap_ctrl *control,
6479 struct sk_buff *skb, u8 event)
6483 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6489 l2cap_process_reqseq(chan, control->reqseq);
6491 if (!skb_queue_empty(&chan->tx_q))
6492 chan->tx_send_head = skb_peek(&chan->tx_q);
6494 chan->tx_send_head = NULL;
6496 /* Rewind next_tx_seq to the point expected
6499 chan->next_tx_seq = control->reqseq;
6500 chan->unacked_frames = 0;
6502 err = l2cap_finish_move(chan);
6506 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6507 l2cap_send_i_or_rr_or_rnr(chan);
6509 if (event == L2CAP_EV_RECV_IFRAME)
6512 return l2cap_rx_state_recv(chan, control, NULL, event);
6515 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6516 struct l2cap_ctrl *control,
6517 struct sk_buff *skb, u8 event)
6521 if (!control->final)
6524 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6526 chan->rx_state = L2CAP_RX_STATE_RECV;
6527 l2cap_process_reqseq(chan, control->reqseq);
6529 if (!skb_queue_empty(&chan->tx_q))
6530 chan->tx_send_head = skb_peek(&chan->tx_q);
6532 chan->tx_send_head = NULL;
6534 /* Rewind next_tx_seq to the point expected
6537 chan->next_tx_seq = control->reqseq;
6538 chan->unacked_frames = 0;
6541 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6543 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6545 err = l2cap_resegment(chan);
6548 err = l2cap_rx_state_recv(chan, control, skb, event);
6553 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6555 /* Make sure reqseq is for a packet that has been sent but not acked */
6558 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6559 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6562 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6563 struct sk_buff *skb, u8 event)
6567 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6568 control, skb, event, chan->rx_state);
6570 if (__valid_reqseq(chan, control->reqseq)) {
6571 switch (chan->rx_state) {
6572 case L2CAP_RX_STATE_RECV:
6573 err = l2cap_rx_state_recv(chan, control, skb, event);
6575 case L2CAP_RX_STATE_SREJ_SENT:
6576 err = l2cap_rx_state_srej_sent(chan, control, skb,
6579 case L2CAP_RX_STATE_WAIT_P:
6580 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6582 case L2CAP_RX_STATE_WAIT_F:
6583 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6590 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6591 control->reqseq, chan->next_tx_seq,
6592 chan->expected_ack_seq);
6593 l2cap_send_disconn_req(chan, ECONNRESET);
6599 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6600 struct sk_buff *skb)
6602 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6605 if (l2cap_classify_txseq(chan, control->txseq) ==
6606 L2CAP_TXSEQ_EXPECTED) {
6607 l2cap_pass_to_tx(chan, control);
6609 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6610 __next_seq(chan, chan->buffer_seq));
6612 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6614 l2cap_reassemble_sdu(chan, skb, control);
6617 kfree_skb(chan->sdu);
6620 chan->sdu_last_frag = NULL;
6624 BT_DBG("Freeing %p", skb);
6629 chan->last_acked_seq = control->txseq;
6630 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6635 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6637 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6641 __unpack_control(chan, skb);
6646 * We can just drop the corrupted I-frame here.
6647 * Receiver will miss it and start proper recovery
6648 * procedures and ask for retransmission.
6650 if (l2cap_check_fcs(chan, skb))
6653 if (!control->sframe && control->sar == L2CAP_SAR_START)
6654 len -= L2CAP_SDULEN_SIZE;
6656 if (chan->fcs == L2CAP_FCS_CRC16)
6657 len -= L2CAP_FCS_SIZE;
6659 if (len > chan->mps) {
6660 l2cap_send_disconn_req(chan, ECONNRESET);
6664 if ((chan->mode == L2CAP_MODE_ERTM ||
6665 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6668 if (!control->sframe) {
6671 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6672 control->sar, control->reqseq, control->final,
6675 /* Validate F-bit - F=0 always valid, F=1 only
6676 * valid in TX WAIT_F
6678 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6681 if (chan->mode != L2CAP_MODE_STREAMING) {
6682 event = L2CAP_EV_RECV_IFRAME;
6683 err = l2cap_rx(chan, control, skb, event);
6685 err = l2cap_stream_rx(chan, control, skb);
6689 l2cap_send_disconn_req(chan, ECONNRESET);
6691 const u8 rx_func_to_event[4] = {
6692 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6693 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6696 /* Only I-frames are expected in streaming mode */
6697 if (chan->mode == L2CAP_MODE_STREAMING)
6700 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6701 control->reqseq, control->final, control->poll,
6705 BT_ERR("Trailing bytes: %d in sframe", len);
6706 l2cap_send_disconn_req(chan, ECONNRESET);
6710 /* Validate F and P bits */
6711 if (control->final && (control->poll ||
6712 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6715 event = rx_func_to_event[control->super];
6716 if (l2cap_rx(chan, control, skb, event))
6717 l2cap_send_disconn_req(chan, ECONNRESET);
6727 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6729 struct l2cap_conn *conn = chan->conn;
6730 struct l2cap_le_credits pkt;
6733 return_credits = ((chan->imtu / chan->mps) + 1) - chan->rx_credits;
6735 if (!return_credits)
6738 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6740 chan->rx_credits += return_credits;
6742 pkt.cid = cpu_to_le16(chan->scid);
6743 pkt.credits = cpu_to_le16(return_credits);
6745 chan->ident = l2cap_get_ident(conn);
6747 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6750 static int l2cap_le_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6754 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6756 /* Wait recv to confirm reception before updating the credits */
6757 err = chan->ops->recv(chan, skb);
6759 /* Update credits whenever an SDU is received */
6760 l2cap_chan_le_send_credits(chan);
6765 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6769 if (!chan->rx_credits) {
6770 BT_ERR("No credits to receive LE L2CAP data");
6771 l2cap_send_disconn_req(chan, ECONNRESET);
6775 if (chan->imtu < skb->len) {
6776 BT_ERR("Too big LE L2CAP PDU");
6781 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6783 /* Update if remote had run out of credits, this should only happens
6784 * if the remote is not using the entire MPS.
6786 if (!chan->rx_credits)
6787 l2cap_chan_le_send_credits(chan);
6794 sdu_len = get_unaligned_le16(skb->data);
6795 skb_pull(skb, L2CAP_SDULEN_SIZE);
6797 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6798 sdu_len, skb->len, chan->imtu);
6800 if (sdu_len > chan->imtu) {
6801 BT_ERR("Too big LE L2CAP SDU length received");
6806 if (skb->len > sdu_len) {
6807 BT_ERR("Too much LE L2CAP data received");
6812 if (skb->len == sdu_len)
6813 return l2cap_le_recv(chan, skb);
6816 chan->sdu_len = sdu_len;
6817 chan->sdu_last_frag = skb;
6819 /* Detect if remote is not able to use the selected MPS */
6820 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6821 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6823 /* Adjust the number of credits */
6824 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6825 chan->mps = mps_len;
6826 l2cap_chan_le_send_credits(chan);
6832 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6833 chan->sdu->len, skb->len, chan->sdu_len);
6835 if (chan->sdu->len + skb->len > chan->sdu_len) {
6836 BT_ERR("Too much LE L2CAP data received");
6841 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6844 if (chan->sdu->len == chan->sdu_len) {
6845 err = l2cap_le_recv(chan, chan->sdu);
6848 chan->sdu_last_frag = NULL;
6856 kfree_skb(chan->sdu);
6858 chan->sdu_last_frag = NULL;
6862 /* We can't return an error here since we took care of the skb
6863 * freeing internally. An error return would cause the caller to
6864 * do a double-free of the skb.
6869 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6870 struct sk_buff *skb)
6872 struct l2cap_chan *chan;
6874 chan = l2cap_get_chan_by_scid(conn, cid);
6876 if (cid == L2CAP_CID_A2MP) {
6877 chan = a2mp_channel_create(conn, skb);
6883 l2cap_chan_lock(chan);
6885 BT_DBG("unknown cid 0x%4.4x", cid);
6886 /* Drop packet and return */
6892 BT_DBG("chan %p, len %d", chan, skb->len);
6894 /* If we receive data on a fixed channel before the info req/rsp
6895 * procdure is done simply assume that the channel is supported
6896 * and mark it as ready.
6898 if (chan->chan_type == L2CAP_CHAN_FIXED)
6899 l2cap_chan_ready(chan);
6901 if (chan->state != BT_CONNECTED)
6904 switch (chan->mode) {
6905 case L2CAP_MODE_LE_FLOWCTL:
6906 if (l2cap_le_data_rcv(chan, skb) < 0)
6911 case L2CAP_MODE_BASIC:
6912 /* If socket recv buffers overflows we drop data here
6913 * which is *bad* because L2CAP has to be reliable.
6914 * But we don't have any other choice. L2CAP doesn't
6915 * provide flow control mechanism. */
6917 if (chan->imtu < skb->len) {
6918 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6922 if (!chan->ops->recv(chan, skb))
6926 case L2CAP_MODE_ERTM:
6927 case L2CAP_MODE_STREAMING:
6928 l2cap_data_rcv(chan, skb);
6932 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6940 l2cap_chan_unlock(chan);
6943 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6944 struct sk_buff *skb)
6946 struct hci_conn *hcon = conn->hcon;
6947 struct l2cap_chan *chan;
6949 if (hcon->type != ACL_LINK)
6952 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6957 BT_DBG("chan %p, len %d", chan, skb->len);
6959 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6962 if (chan->imtu < skb->len)
6965 /* Store remote BD_ADDR and PSM for msg_name */
6966 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
6967 bt_cb(skb)->l2cap.psm = psm;
6969 if (!chan->ops->recv(chan, skb)) {
6970 l2cap_chan_put(chan);
6975 l2cap_chan_put(chan);
6980 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6982 struct l2cap_hdr *lh = (void *) skb->data;
6983 struct hci_conn *hcon = conn->hcon;
6987 if (hcon->state != BT_CONNECTED) {
6988 BT_DBG("queueing pending rx skb");
6989 skb_queue_tail(&conn->pending_rx, skb);
6993 skb_pull(skb, L2CAP_HDR_SIZE);
6994 cid = __le16_to_cpu(lh->cid);
6995 len = __le16_to_cpu(lh->len);
6997 if (len != skb->len) {
7002 /* Since we can't actively block incoming LE connections we must
7003 * at least ensure that we ignore incoming data from them.
7005 if (hcon->type == LE_LINK &&
7006 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7007 bdaddr_dst_type(hcon))) {
7012 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7015 case L2CAP_CID_SIGNALING:
7016 l2cap_sig_channel(conn, skb);
7019 case L2CAP_CID_CONN_LESS:
7020 psm = get_unaligned((__le16 *) skb->data);
7021 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7022 l2cap_conless_channel(conn, psm, skb);
7025 case L2CAP_CID_LE_SIGNALING:
7026 l2cap_le_sig_channel(conn, skb);
7030 l2cap_data_channel(conn, cid, skb);
7035 static void process_pending_rx(struct work_struct *work)
7037 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7039 struct sk_buff *skb;
7043 while ((skb = skb_dequeue(&conn->pending_rx)))
7044 l2cap_recv_frame(conn, skb);
7047 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7049 struct l2cap_conn *conn = hcon->l2cap_data;
7050 struct hci_chan *hchan;
7055 hchan = hci_chan_create(hcon);
7059 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7061 hci_chan_del(hchan);
7065 kref_init(&conn->ref);
7066 hcon->l2cap_data = conn;
7067 conn->hcon = hci_conn_get(hcon);
7068 conn->hchan = hchan;
7070 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7072 switch (hcon->type) {
7074 if (hcon->hdev->le_mtu) {
7075 conn->mtu = hcon->hdev->le_mtu;
7080 conn->mtu = hcon->hdev->acl_mtu;
7084 conn->feat_mask = 0;
7086 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7088 if (hcon->type == ACL_LINK &&
7089 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7090 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7092 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7093 (bredr_sc_enabled(hcon->hdev) ||
7094 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7095 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7097 mutex_init(&conn->ident_lock);
7098 mutex_init(&conn->chan_lock);
7100 INIT_LIST_HEAD(&conn->chan_l);
7101 INIT_LIST_HEAD(&conn->users);
7103 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7105 skb_queue_head_init(&conn->pending_rx);
7106 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7107 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7109 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7114 static bool is_valid_psm(u16 psm, u8 dst_type) {
7118 if (bdaddr_type_is_le(dst_type))
7119 return (psm <= 0x00ff);
7121 /* PSM must be odd and lsb of upper byte must be 0 */
7122 return ((psm & 0x0101) == 0x0001);
7125 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7126 bdaddr_t *dst, u8 dst_type)
7128 struct l2cap_conn *conn;
7129 struct hci_conn *hcon;
7130 struct hci_dev *hdev;
7133 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7134 dst_type, __le16_to_cpu(psm));
7136 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7138 return -EHOSTUNREACH;
7142 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7143 chan->chan_type != L2CAP_CHAN_RAW) {
7148 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7153 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7158 switch (chan->mode) {
7159 case L2CAP_MODE_BASIC:
7161 case L2CAP_MODE_LE_FLOWCTL:
7163 case L2CAP_MODE_ERTM:
7164 case L2CAP_MODE_STREAMING:
7173 switch (chan->state) {
7177 /* Already connecting */
7182 /* Already connected */
7196 /* Set destination address and psm */
7197 bacpy(&chan->dst, dst);
7198 chan->dst_type = dst_type;
7203 if (bdaddr_type_is_le(dst_type)) {
7204 /* Convert from L2CAP channel address type to HCI address type
7206 if (dst_type == BDADDR_LE_PUBLIC)
7207 dst_type = ADDR_LE_DEV_PUBLIC;
7209 dst_type = ADDR_LE_DEV_RANDOM;
7211 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7212 hcon = hci_connect_le(hdev, dst, dst_type,
7214 HCI_LE_CONN_TIMEOUT,
7215 HCI_ROLE_SLAVE, NULL);
7217 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7219 HCI_LE_CONN_TIMEOUT);
7222 u8 auth_type = l2cap_get_auth_type(chan);
7223 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7227 err = PTR_ERR(hcon);
7231 conn = l2cap_conn_add(hcon);
7233 hci_conn_drop(hcon);
7238 mutex_lock(&conn->chan_lock);
7239 l2cap_chan_lock(chan);
7241 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7242 hci_conn_drop(hcon);
7247 /* Update source addr of the socket */
7248 bacpy(&chan->src, &hcon->src);
7249 chan->src_type = bdaddr_src_type(hcon);
7251 __l2cap_chan_add(conn, chan);
7253 /* l2cap_chan_add takes its own ref so we can drop this one */
7254 hci_conn_drop(hcon);
7256 l2cap_state_change(chan, BT_CONNECT);
7257 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7259 /* Release chan->sport so that it can be reused by other
7260 * sockets (as it's only used for listening sockets).
7262 write_lock(&chan_list_lock);
7264 write_unlock(&chan_list_lock);
7266 if (hcon->state == BT_CONNECTED) {
7267 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7268 __clear_chan_timer(chan);
7269 if (l2cap_chan_check_security(chan, true))
7270 l2cap_state_change(chan, BT_CONNECTED);
7272 l2cap_do_start(chan);
7278 l2cap_chan_unlock(chan);
7279 mutex_unlock(&conn->chan_lock);
7281 hci_dev_unlock(hdev);
7285 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7287 /* ---- L2CAP interface with lower layer (HCI) ---- */
7289 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7291 int exact = 0, lm1 = 0, lm2 = 0;
7292 struct l2cap_chan *c;
7294 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7296 /* Find listening sockets and check their link_mode */
7297 read_lock(&chan_list_lock);
7298 list_for_each_entry(c, &chan_list, global_l) {
7299 if (c->state != BT_LISTEN)
7302 if (!bacmp(&c->src, &hdev->bdaddr)) {
7303 lm1 |= HCI_LM_ACCEPT;
7304 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7305 lm1 |= HCI_LM_MASTER;
7307 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7308 lm2 |= HCI_LM_ACCEPT;
7309 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7310 lm2 |= HCI_LM_MASTER;
7313 read_unlock(&chan_list_lock);
7315 return exact ? lm1 : lm2;
7318 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7319 * from an existing channel in the list or from the beginning of the
7320 * global list (by passing NULL as first parameter).
7322 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7323 struct hci_conn *hcon)
7325 u8 src_type = bdaddr_src_type(hcon);
7327 read_lock(&chan_list_lock);
7330 c = list_next_entry(c, global_l);
7332 c = list_entry(chan_list.next, typeof(*c), global_l);
7334 list_for_each_entry_from(c, &chan_list, global_l) {
7335 if (c->chan_type != L2CAP_CHAN_FIXED)
7337 if (c->state != BT_LISTEN)
7339 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7341 if (src_type != c->src_type)
7345 read_unlock(&chan_list_lock);
7349 read_unlock(&chan_list_lock);
7354 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7356 struct hci_dev *hdev = hcon->hdev;
7357 struct l2cap_conn *conn;
7358 struct l2cap_chan *pchan;
7361 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7364 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7367 l2cap_conn_del(hcon, bt_to_errno(status));
7371 conn = l2cap_conn_add(hcon);
7375 dst_type = bdaddr_dst_type(hcon);
7377 /* If device is blocked, do not create channels for it */
7378 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7381 /* Find fixed channels and notify them of the new connection. We
7382 * use multiple individual lookups, continuing each time where
7383 * we left off, because the list lock would prevent calling the
7384 * potentially sleeping l2cap_chan_lock() function.
7386 pchan = l2cap_global_fixed_chan(NULL, hcon);
7388 struct l2cap_chan *chan, *next;
7390 /* Client fixed channels should override server ones */
7391 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7394 l2cap_chan_lock(pchan);
7395 chan = pchan->ops->new_connection(pchan);
7397 bacpy(&chan->src, &hcon->src);
7398 bacpy(&chan->dst, &hcon->dst);
7399 chan->src_type = bdaddr_src_type(hcon);
7400 chan->dst_type = dst_type;
7402 __l2cap_chan_add(conn, chan);
7405 l2cap_chan_unlock(pchan);
7407 next = l2cap_global_fixed_chan(pchan, hcon);
7408 l2cap_chan_put(pchan);
7412 l2cap_conn_ready(conn);
7415 int l2cap_disconn_ind(struct hci_conn *hcon)
7417 struct l2cap_conn *conn = hcon->l2cap_data;
7419 BT_DBG("hcon %p", hcon);
7422 return HCI_ERROR_REMOTE_USER_TERM;
7423 return conn->disc_reason;
7426 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7428 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7431 BT_DBG("hcon %p reason %d", hcon, reason);
7433 l2cap_conn_del(hcon, bt_to_errno(reason));
7436 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7438 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7441 if (encrypt == 0x00) {
7442 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7443 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7444 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7445 chan->sec_level == BT_SECURITY_FIPS)
7446 l2cap_chan_close(chan, ECONNREFUSED);
7448 if (chan->sec_level == BT_SECURITY_MEDIUM)
7449 __clear_chan_timer(chan);
7453 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7455 struct l2cap_conn *conn = hcon->l2cap_data;
7456 struct l2cap_chan *chan;
7461 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7463 mutex_lock(&conn->chan_lock);
7465 list_for_each_entry(chan, &conn->chan_l, list) {
7466 l2cap_chan_lock(chan);
7468 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7469 state_to_string(chan->state));
7471 if (chan->scid == L2CAP_CID_A2MP) {
7472 l2cap_chan_unlock(chan);
7476 if (!status && encrypt)
7477 chan->sec_level = hcon->sec_level;
7479 if (!__l2cap_no_conn_pending(chan)) {
7480 l2cap_chan_unlock(chan);
7484 if (!status && (chan->state == BT_CONNECTED ||
7485 chan->state == BT_CONFIG)) {
7486 chan->ops->resume(chan);
7487 l2cap_check_encryption(chan, encrypt);
7488 l2cap_chan_unlock(chan);
7492 if (chan->state == BT_CONNECT) {
7494 l2cap_start_connection(chan);
7496 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7497 } else if (chan->state == BT_CONNECT2 &&
7498 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7499 struct l2cap_conn_rsp rsp;
7503 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7504 res = L2CAP_CR_PEND;
7505 stat = L2CAP_CS_AUTHOR_PEND;
7506 chan->ops->defer(chan);
7508 l2cap_state_change(chan, BT_CONFIG);
7509 res = L2CAP_CR_SUCCESS;
7510 stat = L2CAP_CS_NO_INFO;
7513 l2cap_state_change(chan, BT_DISCONN);
7514 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7515 res = L2CAP_CR_SEC_BLOCK;
7516 stat = L2CAP_CS_NO_INFO;
7519 rsp.scid = cpu_to_le16(chan->dcid);
7520 rsp.dcid = cpu_to_le16(chan->scid);
7521 rsp.result = cpu_to_le16(res);
7522 rsp.status = cpu_to_le16(stat);
7523 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7526 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7527 res == L2CAP_CR_SUCCESS) {
7529 set_bit(CONF_REQ_SENT, &chan->conf_state);
7530 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7532 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7534 chan->num_conf_req++;
7538 l2cap_chan_unlock(chan);
7541 mutex_unlock(&conn->chan_lock);
7544 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7546 struct l2cap_conn *conn = hcon->l2cap_data;
7547 struct l2cap_hdr *hdr;
7550 /* For AMP controller do not create l2cap conn */
7551 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7555 conn = l2cap_conn_add(hcon);
7560 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7564 case ACL_START_NO_FLUSH:
7567 BT_ERR("Unexpected start frame (len %d)", skb->len);
7568 kfree_skb(conn->rx_skb);
7569 conn->rx_skb = NULL;
7571 l2cap_conn_unreliable(conn, ECOMM);
7574 /* Start fragment always begin with Basic L2CAP header */
7575 if (skb->len < L2CAP_HDR_SIZE) {
7576 BT_ERR("Frame is too short (len %d)", skb->len);
7577 l2cap_conn_unreliable(conn, ECOMM);
7581 hdr = (struct l2cap_hdr *) skb->data;
7582 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7584 if (len == skb->len) {
7585 /* Complete frame received */
7586 l2cap_recv_frame(conn, skb);
7590 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7592 if (skb->len > len) {
7593 BT_ERR("Frame is too long (len %d, expected len %d)",
7595 l2cap_conn_unreliable(conn, ECOMM);
7599 /* Allocate skb for the complete frame (with header) */
7600 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7604 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7606 conn->rx_len = len - skb->len;
7610 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7612 if (!conn->rx_len) {
7613 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7614 l2cap_conn_unreliable(conn, ECOMM);
7618 if (skb->len > conn->rx_len) {
7619 BT_ERR("Fragment is too long (len %d, expected %d)",
7620 skb->len, conn->rx_len);
7621 kfree_skb(conn->rx_skb);
7622 conn->rx_skb = NULL;
7624 l2cap_conn_unreliable(conn, ECOMM);
7628 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7630 conn->rx_len -= skb->len;
7632 if (!conn->rx_len) {
7633 /* Complete frame received. l2cap_recv_frame
7634 * takes ownership of the skb so set the global
7635 * rx_skb pointer to NULL first.
7637 struct sk_buff *rx_skb = conn->rx_skb;
7638 conn->rx_skb = NULL;
7639 l2cap_recv_frame(conn, rx_skb);
7648 static struct hci_cb l2cap_cb = {
7650 .connect_cfm = l2cap_connect_cfm,
7651 .disconn_cfm = l2cap_disconn_cfm,
7652 .security_cfm = l2cap_security_cfm,
7655 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7657 struct l2cap_chan *c;
7659 read_lock(&chan_list_lock);
7661 list_for_each_entry(c, &chan_list, global_l) {
7662 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7663 &c->src, c->src_type, &c->dst, c->dst_type,
7664 c->state, __le16_to_cpu(c->psm),
7665 c->scid, c->dcid, c->imtu, c->omtu,
7666 c->sec_level, c->mode);
7669 read_unlock(&chan_list_lock);
7674 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7676 static struct dentry *l2cap_debugfs;
7678 int __init l2cap_init(void)
7682 err = l2cap_init_sockets();
7686 hci_register_cb(&l2cap_cb);
7688 if (IS_ERR_OR_NULL(bt_debugfs))
7691 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7692 NULL, &l2cap_debugfs_fops);
7697 void l2cap_exit(void)
7699 debugfs_remove(l2cap_debugfs);
7700 hci_unregister_cb(&l2cap_cb);
7701 l2cap_cleanup_sockets();
7704 module_param(disable_ertm, bool, 0644);
7705 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / linux.git / blob