2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
50 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
52 static LIST_HEAD(chan_list);
53 static DEFINE_RWLOCK(chan_list_lock);
55 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
56 u8 code, u8 ident, u16 dlen, void *data);
57 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
59 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
60 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
62 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
63 struct sk_buff_head *skbs, u8 event);
64 static void l2cap_retrans_timeout(struct work_struct *work);
65 static void l2cap_monitor_timeout(struct work_struct *work);
66 static void l2cap_ack_timeout(struct work_struct *work);
68 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
70 if (link_type == LE_LINK) {
71 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
72 return BDADDR_LE_PUBLIC;
74 return BDADDR_LE_RANDOM;
80 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
82 return bdaddr_type(hcon->type, hcon->src_type);
85 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
87 return bdaddr_type(hcon->type, hcon->dst_type);
90 /* ---- L2CAP channels ---- */
92 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
97 list_for_each_entry(c, &conn->chan_l, list) {
104 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
107 struct l2cap_chan *c;
109 list_for_each_entry(c, &conn->chan_l, list) {
116 /* Find channel with given SCID.
117 * Returns a reference locked channel.
119 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
122 struct l2cap_chan *c;
124 mutex_lock(&conn->chan_lock);
125 c = __l2cap_get_chan_by_scid(conn, cid);
127 /* Only lock if chan reference is not 0 */
128 c = l2cap_chan_hold_unless_zero(c);
132 mutex_unlock(&conn->chan_lock);
137 /* Find channel with given DCID.
138 * Returns a reference locked channel.
140 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
143 struct l2cap_chan *c;
145 mutex_lock(&conn->chan_lock);
146 c = __l2cap_get_chan_by_dcid(conn, cid);
148 /* Only lock if chan reference is not 0 */
149 c = l2cap_chan_hold_unless_zero(c);
153 mutex_unlock(&conn->chan_lock);
158 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
161 struct l2cap_chan *c;
163 list_for_each_entry(c, &conn->chan_l, list) {
164 if (c->ident == ident)
170 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
173 struct l2cap_chan *c;
175 mutex_lock(&conn->chan_lock);
176 c = __l2cap_get_chan_by_ident(conn, ident);
178 /* Only lock if chan reference is not 0 */
179 c = l2cap_chan_hold_unless_zero(c);
183 mutex_unlock(&conn->chan_lock);
188 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
191 struct l2cap_chan *c;
193 list_for_each_entry(c, &chan_list, global_l) {
194 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
197 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
200 if (c->sport == psm && !bacmp(&c->src, src))
206 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
210 write_lock(&chan_list_lock);
212 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
222 u16 p, start, end, incr;
224 if (chan->src_type == BDADDR_BREDR) {
225 start = L2CAP_PSM_DYN_START;
226 end = L2CAP_PSM_AUTO_END;
229 start = L2CAP_PSM_LE_DYN_START;
230 end = L2CAP_PSM_LE_DYN_END;
235 for (p = start; p <= end; p += incr)
236 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
238 chan->psm = cpu_to_le16(p);
239 chan->sport = cpu_to_le16(p);
246 write_unlock(&chan_list_lock);
249 EXPORT_SYMBOL_GPL(l2cap_add_psm);
251 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
253 write_lock(&chan_list_lock);
255 /* Override the defaults (which are for conn-oriented) */
256 chan->omtu = L2CAP_DEFAULT_MTU;
257 chan->chan_type = L2CAP_CHAN_FIXED;
261 write_unlock(&chan_list_lock);
266 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
270 if (conn->hcon->type == LE_LINK)
271 dyn_end = L2CAP_CID_LE_DYN_END;
273 dyn_end = L2CAP_CID_DYN_END;
275 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
276 if (!__l2cap_get_chan_by_scid(conn, cid))
283 static void l2cap_state_change(struct l2cap_chan *chan, int state)
285 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
286 state_to_string(state));
289 chan->ops->state_change(chan, state, 0);
292 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
296 chan->ops->state_change(chan, chan->state, err);
299 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
301 chan->ops->state_change(chan, chan->state, err);
304 static void __set_retrans_timer(struct l2cap_chan *chan)
306 if (!delayed_work_pending(&chan->monitor_timer) &&
307 chan->retrans_timeout) {
308 l2cap_set_timer(chan, &chan->retrans_timer,
309 msecs_to_jiffies(chan->retrans_timeout));
313 static void __set_monitor_timer(struct l2cap_chan *chan)
315 __clear_retrans_timer(chan);
316 if (chan->monitor_timeout) {
317 l2cap_set_timer(chan, &chan->monitor_timer,
318 msecs_to_jiffies(chan->monitor_timeout));
322 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
327 skb_queue_walk(head, skb) {
328 if (bt_cb(skb)->l2cap.txseq == seq)
335 /* ---- L2CAP sequence number lists ---- */
337 /* For ERTM, ordered lists of sequence numbers must be tracked for
338 * SREJ requests that are received and for frames that are to be
339 * retransmitted. These seq_list functions implement a singly-linked
340 * list in an array, where membership in the list can also be checked
341 * in constant time. Items can also be added to the tail of the list
342 * and removed from the head in constant time, without further memory
346 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
348 size_t alloc_size, i;
350 /* Allocated size is a power of 2 to map sequence numbers
351 * (which may be up to 14 bits) in to a smaller array that is
352 * sized for the negotiated ERTM transmit windows.
354 alloc_size = roundup_pow_of_two(size);
356 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
360 seq_list->mask = alloc_size - 1;
361 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
362 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
363 for (i = 0; i < alloc_size; i++)
364 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
369 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
371 kfree(seq_list->list);
374 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
377 /* Constant-time check for list membership */
378 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
381 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
383 u16 seq = seq_list->head;
384 u16 mask = seq_list->mask;
386 seq_list->head = seq_list->list[seq & mask];
387 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
389 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
390 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
391 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
397 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
401 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
404 for (i = 0; i <= seq_list->mask; i++)
405 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
407 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
408 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
411 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
413 u16 mask = seq_list->mask;
415 /* All appends happen in constant time */
417 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
420 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
421 seq_list->head = seq;
423 seq_list->list[seq_list->tail & mask] = seq;
425 seq_list->tail = seq;
426 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
429 static void l2cap_chan_timeout(struct work_struct *work)
431 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
433 struct l2cap_conn *conn = chan->conn;
436 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
438 mutex_lock(&conn->chan_lock);
439 /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
440 * this work. No need to call l2cap_chan_hold(chan) here again.
442 l2cap_chan_lock(chan);
444 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
445 reason = ECONNREFUSED;
446 else if (chan->state == BT_CONNECT &&
447 chan->sec_level != BT_SECURITY_SDP)
448 reason = ECONNREFUSED;
452 l2cap_chan_close(chan, reason);
454 chan->ops->close(chan);
456 l2cap_chan_unlock(chan);
457 l2cap_chan_put(chan);
459 mutex_unlock(&conn->chan_lock);
462 struct l2cap_chan *l2cap_chan_create(void)
464 struct l2cap_chan *chan;
466 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
470 skb_queue_head_init(&chan->tx_q);
471 skb_queue_head_init(&chan->srej_q);
472 mutex_init(&chan->lock);
474 /* Set default lock nesting level */
475 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
477 write_lock(&chan_list_lock);
478 list_add(&chan->global_l, &chan_list);
479 write_unlock(&chan_list_lock);
481 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
482 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
483 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
484 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
486 chan->state = BT_OPEN;
488 kref_init(&chan->kref);
490 /* This flag is cleared in l2cap_chan_ready() */
491 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
493 BT_DBG("chan %p", chan);
497 EXPORT_SYMBOL_GPL(l2cap_chan_create);
499 static void l2cap_chan_destroy(struct kref *kref)
501 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
503 BT_DBG("chan %p", chan);
505 write_lock(&chan_list_lock);
506 list_del(&chan->global_l);
507 write_unlock(&chan_list_lock);
512 void l2cap_chan_hold(struct l2cap_chan *c)
514 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
519 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c)
521 BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
523 if (!kref_get_unless_zero(&c->kref))
529 void l2cap_chan_put(struct l2cap_chan *c)
531 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
533 kref_put(&c->kref, l2cap_chan_destroy);
535 EXPORT_SYMBOL_GPL(l2cap_chan_put);
537 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
539 chan->fcs = L2CAP_FCS_CRC16;
540 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
541 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
542 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
543 chan->remote_max_tx = chan->max_tx;
544 chan->remote_tx_win = chan->tx_win;
545 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
546 chan->sec_level = BT_SECURITY_LOW;
547 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
548 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
549 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
551 chan->conf_state = 0;
552 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
554 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
556 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
558 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
561 chan->sdu_last_frag = NULL;
563 chan->tx_credits = tx_credits;
564 /* Derive MPS from connection MTU to stop HCI fragmentation */
565 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
566 /* Give enough credits for a full packet */
567 chan->rx_credits = (chan->imtu / chan->mps) + 1;
569 skb_queue_head_init(&chan->tx_q);
572 static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
574 l2cap_le_flowctl_init(chan, tx_credits);
576 /* L2CAP implementations shall support a minimum MPS of 64 octets */
577 if (chan->mps < L2CAP_ECRED_MIN_MPS) {
578 chan->mps = L2CAP_ECRED_MIN_MPS;
579 chan->rx_credits = (chan->imtu / chan->mps) + 1;
583 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
585 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
586 __le16_to_cpu(chan->psm), chan->dcid);
588 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
592 switch (chan->chan_type) {
593 case L2CAP_CHAN_CONN_ORIENTED:
594 /* Alloc CID for connection-oriented socket */
595 chan->scid = l2cap_alloc_cid(conn);
596 if (conn->hcon->type == ACL_LINK)
597 chan->omtu = L2CAP_DEFAULT_MTU;
600 case L2CAP_CHAN_CONN_LESS:
601 /* Connectionless socket */
602 chan->scid = L2CAP_CID_CONN_LESS;
603 chan->dcid = L2CAP_CID_CONN_LESS;
604 chan->omtu = L2CAP_DEFAULT_MTU;
607 case L2CAP_CHAN_FIXED:
608 /* Caller will set CID and CID specific MTU values */
612 /* Raw socket can send/recv signalling messages only */
613 chan->scid = L2CAP_CID_SIGNALING;
614 chan->dcid = L2CAP_CID_SIGNALING;
615 chan->omtu = L2CAP_DEFAULT_MTU;
618 chan->local_id = L2CAP_BESTEFFORT_ID;
619 chan->local_stype = L2CAP_SERV_BESTEFFORT;
620 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
621 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
622 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
623 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
625 l2cap_chan_hold(chan);
627 /* Only keep a reference for fixed channels if they requested it */
628 if (chan->chan_type != L2CAP_CHAN_FIXED ||
629 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
630 hci_conn_hold(conn->hcon);
632 list_add(&chan->list, &conn->chan_l);
635 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
637 mutex_lock(&conn->chan_lock);
638 __l2cap_chan_add(conn, chan);
639 mutex_unlock(&conn->chan_lock);
642 void l2cap_chan_del(struct l2cap_chan *chan, int err)
644 struct l2cap_conn *conn = chan->conn;
646 __clear_chan_timer(chan);
648 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
649 state_to_string(chan->state));
651 chan->ops->teardown(chan, err);
654 struct amp_mgr *mgr = conn->hcon->amp_mgr;
655 /* Delete from channel list */
656 list_del(&chan->list);
658 l2cap_chan_put(chan);
662 /* Reference was only held for non-fixed channels or
663 * fixed channels that explicitly requested it using the
664 * FLAG_HOLD_HCI_CONN flag.
666 if (chan->chan_type != L2CAP_CHAN_FIXED ||
667 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
668 hci_conn_drop(conn->hcon);
670 if (mgr && mgr->bredr_chan == chan)
671 mgr->bredr_chan = NULL;
674 if (chan->hs_hchan) {
675 struct hci_chan *hs_hchan = chan->hs_hchan;
677 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
678 amp_disconnect_logical_link(hs_hchan);
681 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
685 case L2CAP_MODE_BASIC:
688 case L2CAP_MODE_LE_FLOWCTL:
689 case L2CAP_MODE_EXT_FLOWCTL:
690 skb_queue_purge(&chan->tx_q);
693 case L2CAP_MODE_ERTM:
694 __clear_retrans_timer(chan);
695 __clear_monitor_timer(chan);
696 __clear_ack_timer(chan);
698 skb_queue_purge(&chan->srej_q);
700 l2cap_seq_list_free(&chan->srej_list);
701 l2cap_seq_list_free(&chan->retrans_list);
704 case L2CAP_MODE_STREAMING:
705 skb_queue_purge(&chan->tx_q);
711 EXPORT_SYMBOL_GPL(l2cap_chan_del);
713 static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
716 struct l2cap_chan *chan;
718 list_for_each_entry(chan, &conn->chan_l, list) {
723 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
729 mutex_lock(&conn->chan_lock);
730 __l2cap_chan_list(conn, func, data);
731 mutex_unlock(&conn->chan_lock);
734 EXPORT_SYMBOL_GPL(l2cap_chan_list);
736 static void l2cap_conn_update_id_addr(struct work_struct *work)
738 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
739 id_addr_update_work);
740 struct hci_conn *hcon = conn->hcon;
741 struct l2cap_chan *chan;
743 mutex_lock(&conn->chan_lock);
745 list_for_each_entry(chan, &conn->chan_l, list) {
746 l2cap_chan_lock(chan);
747 bacpy(&chan->dst, &hcon->dst);
748 chan->dst_type = bdaddr_dst_type(hcon);
749 l2cap_chan_unlock(chan);
752 mutex_unlock(&conn->chan_lock);
755 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
757 struct l2cap_conn *conn = chan->conn;
758 struct l2cap_le_conn_rsp rsp;
761 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
762 result = L2CAP_CR_LE_AUTHORIZATION;
764 result = L2CAP_CR_LE_BAD_PSM;
766 l2cap_state_change(chan, BT_DISCONN);
768 rsp.dcid = cpu_to_le16(chan->scid);
769 rsp.mtu = cpu_to_le16(chan->imtu);
770 rsp.mps = cpu_to_le16(chan->mps);
771 rsp.credits = cpu_to_le16(chan->rx_credits);
772 rsp.result = cpu_to_le16(result);
774 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
778 static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
780 struct l2cap_conn *conn = chan->conn;
781 struct l2cap_ecred_conn_rsp rsp;
784 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
785 result = L2CAP_CR_LE_AUTHORIZATION;
787 result = L2CAP_CR_LE_BAD_PSM;
789 l2cap_state_change(chan, BT_DISCONN);
791 memset(&rsp, 0, sizeof(rsp));
793 rsp.result = cpu_to_le16(result);
795 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
799 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
801 struct l2cap_conn *conn = chan->conn;
802 struct l2cap_conn_rsp rsp;
805 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
806 result = L2CAP_CR_SEC_BLOCK;
808 result = L2CAP_CR_BAD_PSM;
810 l2cap_state_change(chan, BT_DISCONN);
812 rsp.scid = cpu_to_le16(chan->dcid);
813 rsp.dcid = cpu_to_le16(chan->scid);
814 rsp.result = cpu_to_le16(result);
815 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
817 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
820 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
822 struct l2cap_conn *conn = chan->conn;
824 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
826 switch (chan->state) {
828 chan->ops->teardown(chan, 0);
833 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
834 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
835 l2cap_send_disconn_req(chan, reason);
837 l2cap_chan_del(chan, reason);
841 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
842 if (conn->hcon->type == ACL_LINK)
843 l2cap_chan_connect_reject(chan);
844 else if (conn->hcon->type == LE_LINK) {
845 switch (chan->mode) {
846 case L2CAP_MODE_LE_FLOWCTL:
847 l2cap_chan_le_connect_reject(chan);
849 case L2CAP_MODE_EXT_FLOWCTL:
850 l2cap_chan_ecred_connect_reject(chan);
856 l2cap_chan_del(chan, reason);
861 l2cap_chan_del(chan, reason);
865 chan->ops->teardown(chan, 0);
869 EXPORT_SYMBOL(l2cap_chan_close);
871 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
873 switch (chan->chan_type) {
875 switch (chan->sec_level) {
876 case BT_SECURITY_HIGH:
877 case BT_SECURITY_FIPS:
878 return HCI_AT_DEDICATED_BONDING_MITM;
879 case BT_SECURITY_MEDIUM:
880 return HCI_AT_DEDICATED_BONDING;
882 return HCI_AT_NO_BONDING;
885 case L2CAP_CHAN_CONN_LESS:
886 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
887 if (chan->sec_level == BT_SECURITY_LOW)
888 chan->sec_level = BT_SECURITY_SDP;
890 if (chan->sec_level == BT_SECURITY_HIGH ||
891 chan->sec_level == BT_SECURITY_FIPS)
892 return HCI_AT_NO_BONDING_MITM;
894 return HCI_AT_NO_BONDING;
896 case L2CAP_CHAN_CONN_ORIENTED:
897 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
898 if (chan->sec_level == BT_SECURITY_LOW)
899 chan->sec_level = BT_SECURITY_SDP;
901 if (chan->sec_level == BT_SECURITY_HIGH ||
902 chan->sec_level == BT_SECURITY_FIPS)
903 return HCI_AT_NO_BONDING_MITM;
905 return HCI_AT_NO_BONDING;
910 switch (chan->sec_level) {
911 case BT_SECURITY_HIGH:
912 case BT_SECURITY_FIPS:
913 return HCI_AT_GENERAL_BONDING_MITM;
914 case BT_SECURITY_MEDIUM:
915 return HCI_AT_GENERAL_BONDING;
917 return HCI_AT_NO_BONDING;
923 /* Service level security */
924 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
926 struct l2cap_conn *conn = chan->conn;
929 if (conn->hcon->type == LE_LINK)
930 return smp_conn_security(conn->hcon, chan->sec_level);
932 auth_type = l2cap_get_auth_type(chan);
934 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
938 static u8 l2cap_get_ident(struct l2cap_conn *conn)
942 /* Get next available identificator.
943 * 1 - 128 are used by kernel.
944 * 129 - 199 are reserved.
945 * 200 - 254 are used by utilities like l2ping, etc.
948 mutex_lock(&conn->ident_lock);
950 if (++conn->tx_ident > 128)
955 mutex_unlock(&conn->ident_lock);
960 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
963 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
966 BT_DBG("code 0x%2.2x", code);
971 /* Use NO_FLUSH if supported or we have an LE link (which does
972 * not support auto-flushing packets) */
973 if (lmp_no_flush_capable(conn->hcon->hdev) ||
974 conn->hcon->type == LE_LINK)
975 flags = ACL_START_NO_FLUSH;
979 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
980 skb->priority = HCI_PRIO_MAX;
982 hci_send_acl(conn->hchan, skb, flags);
985 static bool __chan_is_moving(struct l2cap_chan *chan)
987 return chan->move_state != L2CAP_MOVE_STABLE &&
988 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
991 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
993 struct hci_conn *hcon = chan->conn->hcon;
996 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
999 if (chan->hs_hcon && !__chan_is_moving(chan)) {
1001 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
1008 /* Use NO_FLUSH for LE links (where this is the only option) or
1009 * if the BR/EDR link supports it and flushing has not been
1010 * explicitly requested (through FLAG_FLUSHABLE).
1012 if (hcon->type == LE_LINK ||
1013 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
1014 lmp_no_flush_capable(hcon->hdev)))
1015 flags = ACL_START_NO_FLUSH;
1019 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1020 hci_send_acl(chan->conn->hchan, skb, flags);
1023 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
1025 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
1026 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
1028 if (enh & L2CAP_CTRL_FRAME_TYPE) {
1030 control->sframe = 1;
1031 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
1032 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
1038 control->sframe = 0;
1039 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
1040 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
1047 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
1049 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1050 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
1052 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
1054 control->sframe = 1;
1055 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
1056 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
1062 control->sframe = 0;
1063 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
1064 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1071 static inline void __unpack_control(struct l2cap_chan *chan,
1072 struct sk_buff *skb)
1074 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1075 __unpack_extended_control(get_unaligned_le32(skb->data),
1076 &bt_cb(skb)->l2cap);
1077 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
1079 __unpack_enhanced_control(get_unaligned_le16(skb->data),
1080 &bt_cb(skb)->l2cap);
1081 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
1085 static u32 __pack_extended_control(struct l2cap_ctrl *control)
1089 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
1090 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
1092 if (control->sframe) {
1093 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
1094 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
1095 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
1097 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
1098 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1104 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1108 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1109 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1111 if (control->sframe) {
1112 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1113 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1114 packed |= L2CAP_CTRL_FRAME_TYPE;
1116 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1117 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1123 static inline void __pack_control(struct l2cap_chan *chan,
1124 struct l2cap_ctrl *control,
1125 struct sk_buff *skb)
1127 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1128 put_unaligned_le32(__pack_extended_control(control),
1129 skb->data + L2CAP_HDR_SIZE);
1131 put_unaligned_le16(__pack_enhanced_control(control),
1132 skb->data + L2CAP_HDR_SIZE);
1136 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1138 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1139 return L2CAP_EXT_HDR_SIZE;
1141 return L2CAP_ENH_HDR_SIZE;
1144 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1147 struct sk_buff *skb;
1148 struct l2cap_hdr *lh;
1149 int hlen = __ertm_hdr_size(chan);
1151 if (chan->fcs == L2CAP_FCS_CRC16)
1152 hlen += L2CAP_FCS_SIZE;
1154 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1157 return ERR_PTR(-ENOMEM);
1159 lh = skb_put(skb, L2CAP_HDR_SIZE);
1160 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1161 lh->cid = cpu_to_le16(chan->dcid);
1163 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1164 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1166 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1168 if (chan->fcs == L2CAP_FCS_CRC16) {
1169 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1170 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1173 skb->priority = HCI_PRIO_MAX;
1177 static void l2cap_send_sframe(struct l2cap_chan *chan,
1178 struct l2cap_ctrl *control)
1180 struct sk_buff *skb;
1183 BT_DBG("chan %p, control %p", chan, control);
1185 if (!control->sframe)
1188 if (__chan_is_moving(chan))
1191 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1195 if (control->super == L2CAP_SUPER_RR)
1196 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1197 else if (control->super == L2CAP_SUPER_RNR)
1198 set_bit(CONN_RNR_SENT, &chan->conn_state);
1200 if (control->super != L2CAP_SUPER_SREJ) {
1201 chan->last_acked_seq = control->reqseq;
1202 __clear_ack_timer(chan);
1205 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1206 control->final, control->poll, control->super);
1208 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1209 control_field = __pack_extended_control(control);
1211 control_field = __pack_enhanced_control(control);
1213 skb = l2cap_create_sframe_pdu(chan, control_field);
1215 l2cap_do_send(chan, skb);
1218 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1220 struct l2cap_ctrl control;
1222 BT_DBG("chan %p, poll %d", chan, poll);
1224 memset(&control, 0, sizeof(control));
1226 control.poll = poll;
1228 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1229 control.super = L2CAP_SUPER_RNR;
1231 control.super = L2CAP_SUPER_RR;
1233 control.reqseq = chan->buffer_seq;
1234 l2cap_send_sframe(chan, &control);
1237 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1239 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1242 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1245 static bool __amp_capable(struct l2cap_chan *chan)
1247 struct l2cap_conn *conn = chan->conn;
1248 struct hci_dev *hdev;
1249 bool amp_available = false;
1251 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1254 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1257 read_lock(&hci_dev_list_lock);
1258 list_for_each_entry(hdev, &hci_dev_list, list) {
1259 if (hdev->amp_type != AMP_TYPE_BREDR &&
1260 test_bit(HCI_UP, &hdev->flags)) {
1261 amp_available = true;
1265 read_unlock(&hci_dev_list_lock);
1267 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1268 return amp_available;
1273 static bool l2cap_check_efs(struct l2cap_chan *chan)
1275 /* Check EFS parameters */
1279 void l2cap_send_conn_req(struct l2cap_chan *chan)
1281 struct l2cap_conn *conn = chan->conn;
1282 struct l2cap_conn_req req;
1284 req.scid = cpu_to_le16(chan->scid);
1285 req.psm = chan->psm;
1287 chan->ident = l2cap_get_ident(conn);
1289 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1291 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1294 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1296 struct l2cap_create_chan_req req;
1297 req.scid = cpu_to_le16(chan->scid);
1298 req.psm = chan->psm;
1299 req.amp_id = amp_id;
1301 chan->ident = l2cap_get_ident(chan->conn);
1303 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1307 static void l2cap_move_setup(struct l2cap_chan *chan)
1309 struct sk_buff *skb;
1311 BT_DBG("chan %p", chan);
1313 if (chan->mode != L2CAP_MODE_ERTM)
1316 __clear_retrans_timer(chan);
1317 __clear_monitor_timer(chan);
1318 __clear_ack_timer(chan);
1320 chan->retry_count = 0;
1321 skb_queue_walk(&chan->tx_q, skb) {
1322 if (bt_cb(skb)->l2cap.retries)
1323 bt_cb(skb)->l2cap.retries = 1;
1328 chan->expected_tx_seq = chan->buffer_seq;
1330 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1331 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1332 l2cap_seq_list_clear(&chan->retrans_list);
1333 l2cap_seq_list_clear(&chan->srej_list);
1334 skb_queue_purge(&chan->srej_q);
1336 chan->tx_state = L2CAP_TX_STATE_XMIT;
1337 chan->rx_state = L2CAP_RX_STATE_MOVE;
1339 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1342 static void l2cap_move_done(struct l2cap_chan *chan)
1344 u8 move_role = chan->move_role;
1345 BT_DBG("chan %p", chan);
1347 chan->move_state = L2CAP_MOVE_STABLE;
1348 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1350 if (chan->mode != L2CAP_MODE_ERTM)
1353 switch (move_role) {
1354 case L2CAP_MOVE_ROLE_INITIATOR:
1355 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1356 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1358 case L2CAP_MOVE_ROLE_RESPONDER:
1359 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1364 static void l2cap_chan_ready(struct l2cap_chan *chan)
1366 /* The channel may have already been flagged as connected in
1367 * case of receiving data before the L2CAP info req/rsp
1368 * procedure is complete.
1370 if (chan->state == BT_CONNECTED)
1373 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1374 chan->conf_state = 0;
1375 __clear_chan_timer(chan);
1377 switch (chan->mode) {
1378 case L2CAP_MODE_LE_FLOWCTL:
1379 case L2CAP_MODE_EXT_FLOWCTL:
1380 if (!chan->tx_credits)
1381 chan->ops->suspend(chan);
1385 chan->state = BT_CONNECTED;
1387 chan->ops->ready(chan);
1390 static void l2cap_le_connect(struct l2cap_chan *chan)
1392 struct l2cap_conn *conn = chan->conn;
1393 struct l2cap_le_conn_req req;
1395 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1399 chan->imtu = chan->conn->mtu;
1401 l2cap_le_flowctl_init(chan, 0);
1403 req.psm = chan->psm;
1404 req.scid = cpu_to_le16(chan->scid);
1405 req.mtu = cpu_to_le16(chan->imtu);
1406 req.mps = cpu_to_le16(chan->mps);
1407 req.credits = cpu_to_le16(chan->rx_credits);
1409 chan->ident = l2cap_get_ident(conn);
1411 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1415 struct l2cap_ecred_conn_data {
1417 struct l2cap_ecred_conn_req req;
1420 struct l2cap_chan *chan;
1425 static void l2cap_ecred_defer_connect(struct l2cap_chan *chan, void *data)
1427 struct l2cap_ecred_conn_data *conn = data;
1430 if (chan == conn->chan)
1433 if (!test_and_clear_bit(FLAG_DEFER_SETUP, &chan->flags))
1436 pid = chan->ops->get_peer_pid(chan);
1438 /* Only add deferred channels with the same PID/PSM */
1439 if (conn->pid != pid || chan->psm != conn->chan->psm || chan->ident ||
1440 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
1443 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1446 l2cap_ecred_init(chan, 0);
1448 /* Set the same ident so we can match on the rsp */
1449 chan->ident = conn->chan->ident;
1451 /* Include all channels deferred */
1452 conn->pdu.scid[conn->count] = cpu_to_le16(chan->scid);
1457 static void l2cap_ecred_connect(struct l2cap_chan *chan)
1459 struct l2cap_conn *conn = chan->conn;
1460 struct l2cap_ecred_conn_data data;
1462 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
1465 if (test_and_set_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
1468 l2cap_ecred_init(chan, 0);
1470 memset(&data, 0, sizeof(data));
1471 data.pdu.req.psm = chan->psm;
1472 data.pdu.req.mtu = cpu_to_le16(chan->imtu);
1473 data.pdu.req.mps = cpu_to_le16(chan->mps);
1474 data.pdu.req.credits = cpu_to_le16(chan->rx_credits);
1475 data.pdu.scid[0] = cpu_to_le16(chan->scid);
1477 chan->ident = l2cap_get_ident(conn);
1478 data.pid = chan->ops->get_peer_pid(chan);
1482 data.pid = chan->ops->get_peer_pid(chan);
1484 __l2cap_chan_list(conn, l2cap_ecred_defer_connect, &data);
1486 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_CONN_REQ,
1487 sizeof(data.pdu.req) + data.count * sizeof(__le16),
1491 static void l2cap_le_start(struct l2cap_chan *chan)
1493 struct l2cap_conn *conn = chan->conn;
1495 if (!smp_conn_security(conn->hcon, chan->sec_level))
1499 l2cap_chan_ready(chan);
1503 if (chan->state == BT_CONNECT) {
1504 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL)
1505 l2cap_ecred_connect(chan);
1507 l2cap_le_connect(chan);
1511 static void l2cap_start_connection(struct l2cap_chan *chan)
1513 if (__amp_capable(chan)) {
1514 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1515 a2mp_discover_amp(chan);
1516 } else if (chan->conn->hcon->type == LE_LINK) {
1517 l2cap_le_start(chan);
1519 l2cap_send_conn_req(chan);
1523 static void l2cap_request_info(struct l2cap_conn *conn)
1525 struct l2cap_info_req req;
1527 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1530 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1532 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1533 conn->info_ident = l2cap_get_ident(conn);
1535 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1537 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1541 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1543 /* The minimum encryption key size needs to be enforced by the
1544 * host stack before establishing any L2CAP connections. The
1545 * specification in theory allows a minimum of 1, but to align
1546 * BR/EDR and LE transports, a minimum of 7 is chosen.
1548 * This check might also be called for unencrypted connections
1549 * that have no key size requirements. Ensure that the link is
1550 * actually encrypted before enforcing a key size.
1552 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1553 hcon->enc_key_size >= hcon->hdev->min_enc_key_size);
1556 static void l2cap_do_start(struct l2cap_chan *chan)
1558 struct l2cap_conn *conn = chan->conn;
1560 if (conn->hcon->type == LE_LINK) {
1561 l2cap_le_start(chan);
1565 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1566 l2cap_request_info(conn);
1570 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1573 if (!l2cap_chan_check_security(chan, true) ||
1574 !__l2cap_no_conn_pending(chan))
1577 if (l2cap_check_enc_key_size(conn->hcon))
1578 l2cap_start_connection(chan);
1580 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1583 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1585 u32 local_feat_mask = l2cap_feat_mask;
1587 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1590 case L2CAP_MODE_ERTM:
1591 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1592 case L2CAP_MODE_STREAMING:
1593 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1599 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1601 struct l2cap_conn *conn = chan->conn;
1602 struct l2cap_disconn_req req;
1607 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1608 __clear_retrans_timer(chan);
1609 __clear_monitor_timer(chan);
1610 __clear_ack_timer(chan);
1613 if (chan->scid == L2CAP_CID_A2MP) {
1614 l2cap_state_change(chan, BT_DISCONN);
1618 req.dcid = cpu_to_le16(chan->dcid);
1619 req.scid = cpu_to_le16(chan->scid);
1620 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1623 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1626 /* ---- L2CAP connections ---- */
1627 static void l2cap_conn_start(struct l2cap_conn *conn)
1629 struct l2cap_chan *chan, *tmp;
1631 BT_DBG("conn %p", conn);
1633 mutex_lock(&conn->chan_lock);
1635 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1636 l2cap_chan_lock(chan);
1638 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1639 l2cap_chan_ready(chan);
1640 l2cap_chan_unlock(chan);
1644 if (chan->state == BT_CONNECT) {
1645 if (!l2cap_chan_check_security(chan, true) ||
1646 !__l2cap_no_conn_pending(chan)) {
1647 l2cap_chan_unlock(chan);
1651 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1652 && test_bit(CONF_STATE2_DEVICE,
1653 &chan->conf_state)) {
1654 l2cap_chan_close(chan, ECONNRESET);
1655 l2cap_chan_unlock(chan);
1659 if (l2cap_check_enc_key_size(conn->hcon))
1660 l2cap_start_connection(chan);
1662 l2cap_chan_close(chan, ECONNREFUSED);
1664 } else if (chan->state == BT_CONNECT2) {
1665 struct l2cap_conn_rsp rsp;
1667 rsp.scid = cpu_to_le16(chan->dcid);
1668 rsp.dcid = cpu_to_le16(chan->scid);
1670 if (l2cap_chan_check_security(chan, false)) {
1671 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1672 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1673 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1674 chan->ops->defer(chan);
1677 l2cap_state_change(chan, BT_CONFIG);
1678 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1679 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1682 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1683 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1686 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1689 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1690 rsp.result != L2CAP_CR_SUCCESS) {
1691 l2cap_chan_unlock(chan);
1695 set_bit(CONF_REQ_SENT, &chan->conf_state);
1696 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1697 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1698 chan->num_conf_req++;
1701 l2cap_chan_unlock(chan);
1704 mutex_unlock(&conn->chan_lock);
1707 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1709 struct hci_conn *hcon = conn->hcon;
1710 struct hci_dev *hdev = hcon->hdev;
1712 BT_DBG("%s conn %p", hdev->name, conn);
1714 /* For outgoing pairing which doesn't necessarily have an
1715 * associated socket (e.g. mgmt_pair_device).
1718 smp_conn_security(hcon, hcon->pending_sec_level);
1720 /* For LE peripheral connections, make sure the connection interval
1721 * is in the range of the minimum and maximum interval that has
1722 * been configured for this connection. If not, then trigger
1723 * the connection update procedure.
1725 if (hcon->role == HCI_ROLE_SLAVE &&
1726 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1727 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1728 struct l2cap_conn_param_update_req req;
1730 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1731 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1732 req.latency = cpu_to_le16(hcon->le_conn_latency);
1733 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1735 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1736 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1740 static void l2cap_conn_ready(struct l2cap_conn *conn)
1742 struct l2cap_chan *chan;
1743 struct hci_conn *hcon = conn->hcon;
1745 BT_DBG("conn %p", conn);
1747 if (hcon->type == ACL_LINK)
1748 l2cap_request_info(conn);
1750 mutex_lock(&conn->chan_lock);
1752 list_for_each_entry(chan, &conn->chan_l, list) {
1754 l2cap_chan_lock(chan);
1756 if (chan->scid == L2CAP_CID_A2MP) {
1757 l2cap_chan_unlock(chan);
1761 if (hcon->type == LE_LINK) {
1762 l2cap_le_start(chan);
1763 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1764 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1765 l2cap_chan_ready(chan);
1766 } else if (chan->state == BT_CONNECT) {
1767 l2cap_do_start(chan);
1770 l2cap_chan_unlock(chan);
1773 mutex_unlock(&conn->chan_lock);
1775 if (hcon->type == LE_LINK)
1776 l2cap_le_conn_ready(conn);
1778 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1781 /* Notify sockets that we cannot guaranty reliability anymore */
1782 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1784 struct l2cap_chan *chan;
1786 BT_DBG("conn %p", conn);
1788 mutex_lock(&conn->chan_lock);
1790 list_for_each_entry(chan, &conn->chan_l, list) {
1791 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1792 l2cap_chan_set_err(chan, err);
1795 mutex_unlock(&conn->chan_lock);
1798 static void l2cap_info_timeout(struct work_struct *work)
1800 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1803 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1804 conn->info_ident = 0;
1806 l2cap_conn_start(conn);
1811 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1812 * callback is called during registration. The ->remove callback is called
1813 * during unregistration.
1814 * An l2cap_user object can either be explicitly unregistered or when the
1815 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1816 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1817 * External modules must own a reference to the l2cap_conn object if they intend
1818 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1819 * any time if they don't.
1822 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1824 struct hci_dev *hdev = conn->hcon->hdev;
1827 /* We need to check whether l2cap_conn is registered. If it is not, we
1828 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1829 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1830 * relies on the parent hci_conn object to be locked. This itself relies
1831 * on the hci_dev object to be locked. So we must lock the hci device
1836 if (!list_empty(&user->list)) {
1841 /* conn->hchan is NULL after l2cap_conn_del() was called */
1847 ret = user->probe(conn, user);
1851 list_add(&user->list, &conn->users);
1855 hci_dev_unlock(hdev);
1858 EXPORT_SYMBOL(l2cap_register_user);
1860 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1862 struct hci_dev *hdev = conn->hcon->hdev;
1866 if (list_empty(&user->list))
1869 list_del_init(&user->list);
1870 user->remove(conn, user);
1873 hci_dev_unlock(hdev);
1875 EXPORT_SYMBOL(l2cap_unregister_user);
1877 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1879 struct l2cap_user *user;
1881 while (!list_empty(&conn->users)) {
1882 user = list_first_entry(&conn->users, struct l2cap_user, list);
1883 list_del_init(&user->list);
1884 user->remove(conn, user);
1888 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1890 struct l2cap_conn *conn = hcon->l2cap_data;
1891 struct l2cap_chan *chan, *l;
1896 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1898 kfree_skb(conn->rx_skb);
1900 skb_queue_purge(&conn->pending_rx);
1902 /* We can not call flush_work(&conn->pending_rx_work) here since we
1903 * might block if we are running on a worker from the same workqueue
1904 * pending_rx_work is waiting on.
1906 if (work_pending(&conn->pending_rx_work))
1907 cancel_work_sync(&conn->pending_rx_work);
1909 if (work_pending(&conn->id_addr_update_work))
1910 cancel_work_sync(&conn->id_addr_update_work);
1912 l2cap_unregister_all_users(conn);
1914 /* Force the connection to be immediately dropped */
1915 hcon->disc_timeout = 0;
1917 mutex_lock(&conn->chan_lock);
1920 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1921 l2cap_chan_hold(chan);
1922 l2cap_chan_lock(chan);
1924 l2cap_chan_del(chan, err);
1926 chan->ops->close(chan);
1928 l2cap_chan_unlock(chan);
1929 l2cap_chan_put(chan);
1932 mutex_unlock(&conn->chan_lock);
1934 hci_chan_del(conn->hchan);
1936 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1937 cancel_delayed_work_sync(&conn->info_timer);
1939 hcon->l2cap_data = NULL;
1941 l2cap_conn_put(conn);
1944 static void l2cap_conn_free(struct kref *ref)
1946 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1948 hci_conn_put(conn->hcon);
1952 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1954 kref_get(&conn->ref);
1957 EXPORT_SYMBOL(l2cap_conn_get);
1959 void l2cap_conn_put(struct l2cap_conn *conn)
1961 kref_put(&conn->ref, l2cap_conn_free);
1963 EXPORT_SYMBOL(l2cap_conn_put);
1965 /* ---- Socket interface ---- */
1967 /* Find socket with psm and source / destination bdaddr.
1968 * Returns closest match.
1970 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1975 struct l2cap_chan *c, *tmp, *c1 = NULL;
1977 read_lock(&chan_list_lock);
1979 list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
1980 if (state && c->state != state)
1983 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1986 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1989 if (c->psm == psm) {
1990 int src_match, dst_match;
1991 int src_any, dst_any;
1994 src_match = !bacmp(&c->src, src);
1995 dst_match = !bacmp(&c->dst, dst);
1996 if (src_match && dst_match) {
1997 if (!l2cap_chan_hold_unless_zero(c))
2000 read_unlock(&chan_list_lock);
2005 src_any = !bacmp(&c->src, BDADDR_ANY);
2006 dst_any = !bacmp(&c->dst, BDADDR_ANY);
2007 if ((src_match && dst_any) || (src_any && dst_match) ||
2008 (src_any && dst_any))
2014 c1 = l2cap_chan_hold_unless_zero(c1);
2016 read_unlock(&chan_list_lock);
2021 static void l2cap_monitor_timeout(struct work_struct *work)
2023 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2024 monitor_timer.work);
2026 BT_DBG("chan %p", chan);
2028 l2cap_chan_lock(chan);
2031 l2cap_chan_unlock(chan);
2032 l2cap_chan_put(chan);
2036 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
2038 l2cap_chan_unlock(chan);
2039 l2cap_chan_put(chan);
2042 static void l2cap_retrans_timeout(struct work_struct *work)
2044 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
2045 retrans_timer.work);
2047 BT_DBG("chan %p", chan);
2049 l2cap_chan_lock(chan);
2052 l2cap_chan_unlock(chan);
2053 l2cap_chan_put(chan);
2057 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
2058 l2cap_chan_unlock(chan);
2059 l2cap_chan_put(chan);
2062 static void l2cap_streaming_send(struct l2cap_chan *chan,
2063 struct sk_buff_head *skbs)
2065 struct sk_buff *skb;
2066 struct l2cap_ctrl *control;
2068 BT_DBG("chan %p, skbs %p", chan, skbs);
2070 if (__chan_is_moving(chan))
2073 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2075 while (!skb_queue_empty(&chan->tx_q)) {
2077 skb = skb_dequeue(&chan->tx_q);
2079 bt_cb(skb)->l2cap.retries = 1;
2080 control = &bt_cb(skb)->l2cap;
2082 control->reqseq = 0;
2083 control->txseq = chan->next_tx_seq;
2085 __pack_control(chan, control, skb);
2087 if (chan->fcs == L2CAP_FCS_CRC16) {
2088 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2089 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2092 l2cap_do_send(chan, skb);
2094 BT_DBG("Sent txseq %u", control->txseq);
2096 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2097 chan->frames_sent++;
2101 static int l2cap_ertm_send(struct l2cap_chan *chan)
2103 struct sk_buff *skb, *tx_skb;
2104 struct l2cap_ctrl *control;
2107 BT_DBG("chan %p", chan);
2109 if (chan->state != BT_CONNECTED)
2112 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2115 if (__chan_is_moving(chan))
2118 while (chan->tx_send_head &&
2119 chan->unacked_frames < chan->remote_tx_win &&
2120 chan->tx_state == L2CAP_TX_STATE_XMIT) {
2122 skb = chan->tx_send_head;
2124 bt_cb(skb)->l2cap.retries = 1;
2125 control = &bt_cb(skb)->l2cap;
2127 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2130 control->reqseq = chan->buffer_seq;
2131 chan->last_acked_seq = chan->buffer_seq;
2132 control->txseq = chan->next_tx_seq;
2134 __pack_control(chan, control, skb);
2136 if (chan->fcs == L2CAP_FCS_CRC16) {
2137 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2138 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2141 /* Clone after data has been modified. Data is assumed to be
2142 read-only (for locking purposes) on cloned sk_buffs.
2144 tx_skb = skb_clone(skb, GFP_KERNEL);
2149 __set_retrans_timer(chan);
2151 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2152 chan->unacked_frames++;
2153 chan->frames_sent++;
2156 if (skb_queue_is_last(&chan->tx_q, skb))
2157 chan->tx_send_head = NULL;
2159 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2161 l2cap_do_send(chan, tx_skb);
2162 BT_DBG("Sent txseq %u", control->txseq);
2165 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2166 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2171 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2173 struct l2cap_ctrl control;
2174 struct sk_buff *skb;
2175 struct sk_buff *tx_skb;
2178 BT_DBG("chan %p", chan);
2180 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2183 if (__chan_is_moving(chan))
2186 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2187 seq = l2cap_seq_list_pop(&chan->retrans_list);
2189 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2191 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2196 bt_cb(skb)->l2cap.retries++;
2197 control = bt_cb(skb)->l2cap;
2199 if (chan->max_tx != 0 &&
2200 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2201 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2202 l2cap_send_disconn_req(chan, ECONNRESET);
2203 l2cap_seq_list_clear(&chan->retrans_list);
2207 control.reqseq = chan->buffer_seq;
2208 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2213 if (skb_cloned(skb)) {
2214 /* Cloned sk_buffs are read-only, so we need a
2217 tx_skb = skb_copy(skb, GFP_KERNEL);
2219 tx_skb = skb_clone(skb, GFP_KERNEL);
2223 l2cap_seq_list_clear(&chan->retrans_list);
2227 /* Update skb contents */
2228 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2229 put_unaligned_le32(__pack_extended_control(&control),
2230 tx_skb->data + L2CAP_HDR_SIZE);
2232 put_unaligned_le16(__pack_enhanced_control(&control),
2233 tx_skb->data + L2CAP_HDR_SIZE);
2237 if (chan->fcs == L2CAP_FCS_CRC16) {
2238 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2239 tx_skb->len - L2CAP_FCS_SIZE);
2240 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2244 l2cap_do_send(chan, tx_skb);
2246 BT_DBG("Resent txseq %d", control.txseq);
2248 chan->last_acked_seq = chan->buffer_seq;
2252 static void l2cap_retransmit(struct l2cap_chan *chan,
2253 struct l2cap_ctrl *control)
2255 BT_DBG("chan %p, control %p", chan, control);
2257 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2258 l2cap_ertm_resend(chan);
2261 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2262 struct l2cap_ctrl *control)
2264 struct sk_buff *skb;
2266 BT_DBG("chan %p, control %p", chan, control);
2269 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2271 l2cap_seq_list_clear(&chan->retrans_list);
2273 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2276 if (chan->unacked_frames) {
2277 skb_queue_walk(&chan->tx_q, skb) {
2278 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2279 skb == chan->tx_send_head)
2283 skb_queue_walk_from(&chan->tx_q, skb) {
2284 if (skb == chan->tx_send_head)
2287 l2cap_seq_list_append(&chan->retrans_list,
2288 bt_cb(skb)->l2cap.txseq);
2291 l2cap_ertm_resend(chan);
2295 static void l2cap_send_ack(struct l2cap_chan *chan)
2297 struct l2cap_ctrl control;
2298 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2299 chan->last_acked_seq);
2302 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2303 chan, chan->last_acked_seq, chan->buffer_seq);
2305 memset(&control, 0, sizeof(control));
2308 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2309 chan->rx_state == L2CAP_RX_STATE_RECV) {
2310 __clear_ack_timer(chan);
2311 control.super = L2CAP_SUPER_RNR;
2312 control.reqseq = chan->buffer_seq;
2313 l2cap_send_sframe(chan, &control);
2315 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2316 l2cap_ertm_send(chan);
2317 /* If any i-frames were sent, they included an ack */
2318 if (chan->buffer_seq == chan->last_acked_seq)
2322 /* Ack now if the window is 3/4ths full.
2323 * Calculate without mul or div
2325 threshold = chan->ack_win;
2326 threshold += threshold << 1;
2329 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2332 if (frames_to_ack >= threshold) {
2333 __clear_ack_timer(chan);
2334 control.super = L2CAP_SUPER_RR;
2335 control.reqseq = chan->buffer_seq;
2336 l2cap_send_sframe(chan, &control);
2341 __set_ack_timer(chan);
2345 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2346 struct msghdr *msg, int len,
2347 int count, struct sk_buff *skb)
2349 struct l2cap_conn *conn = chan->conn;
2350 struct sk_buff **frag;
2353 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2359 /* Continuation fragments (no L2CAP header) */
2360 frag = &skb_shinfo(skb)->frag_list;
2362 struct sk_buff *tmp;
2364 count = min_t(unsigned int, conn->mtu, len);
2366 tmp = chan->ops->alloc_skb(chan, 0, count,
2367 msg->msg_flags & MSG_DONTWAIT);
2369 return PTR_ERR(tmp);
2373 if (!copy_from_iter_full(skb_put(*frag, count), count,
2380 skb->len += (*frag)->len;
2381 skb->data_len += (*frag)->len;
2383 frag = &(*frag)->next;
2389 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2390 struct msghdr *msg, size_t len)
2392 struct l2cap_conn *conn = chan->conn;
2393 struct sk_buff *skb;
2394 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2395 struct l2cap_hdr *lh;
2397 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2398 __le16_to_cpu(chan->psm), len);
2400 count = min_t(unsigned int, (conn->mtu - hlen), len);
2402 skb = chan->ops->alloc_skb(chan, hlen, count,
2403 msg->msg_flags & MSG_DONTWAIT);
2407 /* Create L2CAP header */
2408 lh = skb_put(skb, L2CAP_HDR_SIZE);
2409 lh->cid = cpu_to_le16(chan->dcid);
2410 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2411 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2413 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2414 if (unlikely(err < 0)) {
2416 return ERR_PTR(err);
2421 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2422 struct msghdr *msg, size_t len)
2424 struct l2cap_conn *conn = chan->conn;
2425 struct sk_buff *skb;
2427 struct l2cap_hdr *lh;
2429 BT_DBG("chan %p len %zu", chan, len);
2431 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2433 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2434 msg->msg_flags & MSG_DONTWAIT);
2438 /* Create L2CAP header */
2439 lh = skb_put(skb, L2CAP_HDR_SIZE);
2440 lh->cid = cpu_to_le16(chan->dcid);
2441 lh->len = cpu_to_le16(len);
2443 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2444 if (unlikely(err < 0)) {
2446 return ERR_PTR(err);
2451 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2452 struct msghdr *msg, size_t len,
2455 struct l2cap_conn *conn = chan->conn;
2456 struct sk_buff *skb;
2457 int err, count, hlen;
2458 struct l2cap_hdr *lh;
2460 BT_DBG("chan %p len %zu", chan, len);
2463 return ERR_PTR(-ENOTCONN);
2465 hlen = __ertm_hdr_size(chan);
2468 hlen += L2CAP_SDULEN_SIZE;
2470 if (chan->fcs == L2CAP_FCS_CRC16)
2471 hlen += L2CAP_FCS_SIZE;
2473 count = min_t(unsigned int, (conn->mtu - hlen), len);
2475 skb = chan->ops->alloc_skb(chan, hlen, count,
2476 msg->msg_flags & MSG_DONTWAIT);
2480 /* Create L2CAP header */
2481 lh = skb_put(skb, L2CAP_HDR_SIZE);
2482 lh->cid = cpu_to_le16(chan->dcid);
2483 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2485 /* Control header is populated later */
2486 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2487 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2489 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2492 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2494 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2495 if (unlikely(err < 0)) {
2497 return ERR_PTR(err);
2500 bt_cb(skb)->l2cap.fcs = chan->fcs;
2501 bt_cb(skb)->l2cap.retries = 0;
2505 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2506 struct sk_buff_head *seg_queue,
2507 struct msghdr *msg, size_t len)
2509 struct sk_buff *skb;
2514 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2516 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2517 * so fragmented skbs are not used. The HCI layer's handling
2518 * of fragmented skbs is not compatible with ERTM's queueing.
2521 /* PDU size is derived from the HCI MTU */
2522 pdu_len = chan->conn->mtu;
2524 /* Constrain PDU size for BR/EDR connections */
2526 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2528 /* Adjust for largest possible L2CAP overhead. */
2530 pdu_len -= L2CAP_FCS_SIZE;
2532 pdu_len -= __ertm_hdr_size(chan);
2534 /* Remote device may have requested smaller PDUs */
2535 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2537 if (len <= pdu_len) {
2538 sar = L2CAP_SAR_UNSEGMENTED;
2542 sar = L2CAP_SAR_START;
2547 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2550 __skb_queue_purge(seg_queue);
2551 return PTR_ERR(skb);
2554 bt_cb(skb)->l2cap.sar = sar;
2555 __skb_queue_tail(seg_queue, skb);
2561 if (len <= pdu_len) {
2562 sar = L2CAP_SAR_END;
2565 sar = L2CAP_SAR_CONTINUE;
2572 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2574 size_t len, u16 sdulen)
2576 struct l2cap_conn *conn = chan->conn;
2577 struct sk_buff *skb;
2578 int err, count, hlen;
2579 struct l2cap_hdr *lh;
2581 BT_DBG("chan %p len %zu", chan, len);
2584 return ERR_PTR(-ENOTCONN);
2586 hlen = L2CAP_HDR_SIZE;
2589 hlen += L2CAP_SDULEN_SIZE;
2591 count = min_t(unsigned int, (conn->mtu - hlen), len);
2593 skb = chan->ops->alloc_skb(chan, hlen, count,
2594 msg->msg_flags & MSG_DONTWAIT);
2598 /* Create L2CAP header */
2599 lh = skb_put(skb, L2CAP_HDR_SIZE);
2600 lh->cid = cpu_to_le16(chan->dcid);
2601 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2604 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2606 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2607 if (unlikely(err < 0)) {
2609 return ERR_PTR(err);
2615 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2616 struct sk_buff_head *seg_queue,
2617 struct msghdr *msg, size_t len)
2619 struct sk_buff *skb;
2623 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2626 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2632 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2634 __skb_queue_purge(seg_queue);
2635 return PTR_ERR(skb);
2638 __skb_queue_tail(seg_queue, skb);
2644 pdu_len += L2CAP_SDULEN_SIZE;
2651 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2655 BT_DBG("chan %p", chan);
2657 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2658 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2663 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2664 skb_queue_len(&chan->tx_q));
2667 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2669 struct sk_buff *skb;
2671 struct sk_buff_head seg_queue;
2676 /* Connectionless channel */
2677 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2678 skb = l2cap_create_connless_pdu(chan, msg, len);
2680 return PTR_ERR(skb);
2682 /* Channel lock is released before requesting new skb and then
2683 * reacquired thus we need to recheck channel state.
2685 if (chan->state != BT_CONNECTED) {
2690 l2cap_do_send(chan, skb);
2694 switch (chan->mode) {
2695 case L2CAP_MODE_LE_FLOWCTL:
2696 case L2CAP_MODE_EXT_FLOWCTL:
2697 /* Check outgoing MTU */
2698 if (len > chan->omtu)
2701 __skb_queue_head_init(&seg_queue);
2703 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2705 if (chan->state != BT_CONNECTED) {
2706 __skb_queue_purge(&seg_queue);
2713 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2715 l2cap_le_flowctl_send(chan);
2717 if (!chan->tx_credits)
2718 chan->ops->suspend(chan);
2724 case L2CAP_MODE_BASIC:
2725 /* Check outgoing MTU */
2726 if (len > chan->omtu)
2729 /* Create a basic PDU */
2730 skb = l2cap_create_basic_pdu(chan, msg, len);
2732 return PTR_ERR(skb);
2734 /* Channel lock is released before requesting new skb and then
2735 * reacquired thus we need to recheck channel state.
2737 if (chan->state != BT_CONNECTED) {
2742 l2cap_do_send(chan, skb);
2746 case L2CAP_MODE_ERTM:
2747 case L2CAP_MODE_STREAMING:
2748 /* Check outgoing MTU */
2749 if (len > chan->omtu) {
2754 __skb_queue_head_init(&seg_queue);
2756 /* Do segmentation before calling in to the state machine,
2757 * since it's possible to block while waiting for memory
2760 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2762 /* The channel could have been closed while segmenting,
2763 * check that it is still connected.
2765 if (chan->state != BT_CONNECTED) {
2766 __skb_queue_purge(&seg_queue);
2773 if (chan->mode == L2CAP_MODE_ERTM)
2774 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2776 l2cap_streaming_send(chan, &seg_queue);
2780 /* If the skbs were not queued for sending, they'll still be in
2781 * seg_queue and need to be purged.
2783 __skb_queue_purge(&seg_queue);
2787 BT_DBG("bad state %1.1x", chan->mode);
2793 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2795 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2797 struct l2cap_ctrl control;
2800 BT_DBG("chan %p, txseq %u", chan, txseq);
2802 memset(&control, 0, sizeof(control));
2804 control.super = L2CAP_SUPER_SREJ;
2806 for (seq = chan->expected_tx_seq; seq != txseq;
2807 seq = __next_seq(chan, seq)) {
2808 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2809 control.reqseq = seq;
2810 l2cap_send_sframe(chan, &control);
2811 l2cap_seq_list_append(&chan->srej_list, seq);
2815 chan->expected_tx_seq = __next_seq(chan, txseq);
2818 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2820 struct l2cap_ctrl control;
2822 BT_DBG("chan %p", chan);
2824 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2827 memset(&control, 0, sizeof(control));
2829 control.super = L2CAP_SUPER_SREJ;
2830 control.reqseq = chan->srej_list.tail;
2831 l2cap_send_sframe(chan, &control);
2834 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2836 struct l2cap_ctrl control;
2840 BT_DBG("chan %p, txseq %u", chan, txseq);
2842 memset(&control, 0, sizeof(control));
2844 control.super = L2CAP_SUPER_SREJ;
2846 /* Capture initial list head to allow only one pass through the list. */
2847 initial_head = chan->srej_list.head;
2850 seq = l2cap_seq_list_pop(&chan->srej_list);
2851 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2854 control.reqseq = seq;
2855 l2cap_send_sframe(chan, &control);
2856 l2cap_seq_list_append(&chan->srej_list, seq);
2857 } while (chan->srej_list.head != initial_head);
2860 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2862 struct sk_buff *acked_skb;
2865 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2867 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2870 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2871 chan->expected_ack_seq, chan->unacked_frames);
2873 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2874 ackseq = __next_seq(chan, ackseq)) {
2876 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2878 skb_unlink(acked_skb, &chan->tx_q);
2879 kfree_skb(acked_skb);
2880 chan->unacked_frames--;
2884 chan->expected_ack_seq = reqseq;
2886 if (chan->unacked_frames == 0)
2887 __clear_retrans_timer(chan);
2889 BT_DBG("unacked_frames %u", chan->unacked_frames);
2892 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2894 BT_DBG("chan %p", chan);
2896 chan->expected_tx_seq = chan->buffer_seq;
2897 l2cap_seq_list_clear(&chan->srej_list);
2898 skb_queue_purge(&chan->srej_q);
2899 chan->rx_state = L2CAP_RX_STATE_RECV;
2902 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2903 struct l2cap_ctrl *control,
2904 struct sk_buff_head *skbs, u8 event)
2906 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2910 case L2CAP_EV_DATA_REQUEST:
2911 if (chan->tx_send_head == NULL)
2912 chan->tx_send_head = skb_peek(skbs);
2914 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2915 l2cap_ertm_send(chan);
2917 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2918 BT_DBG("Enter LOCAL_BUSY");
2919 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2921 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2922 /* The SREJ_SENT state must be aborted if we are to
2923 * enter the LOCAL_BUSY state.
2925 l2cap_abort_rx_srej_sent(chan);
2928 l2cap_send_ack(chan);
2931 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2932 BT_DBG("Exit LOCAL_BUSY");
2933 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2935 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2936 struct l2cap_ctrl local_control;
2938 memset(&local_control, 0, sizeof(local_control));
2939 local_control.sframe = 1;
2940 local_control.super = L2CAP_SUPER_RR;
2941 local_control.poll = 1;
2942 local_control.reqseq = chan->buffer_seq;
2943 l2cap_send_sframe(chan, &local_control);
2945 chan->retry_count = 1;
2946 __set_monitor_timer(chan);
2947 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2950 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2951 l2cap_process_reqseq(chan, control->reqseq);
2953 case L2CAP_EV_EXPLICIT_POLL:
2954 l2cap_send_rr_or_rnr(chan, 1);
2955 chan->retry_count = 1;
2956 __set_monitor_timer(chan);
2957 __clear_ack_timer(chan);
2958 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2960 case L2CAP_EV_RETRANS_TO:
2961 l2cap_send_rr_or_rnr(chan, 1);
2962 chan->retry_count = 1;
2963 __set_monitor_timer(chan);
2964 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2966 case L2CAP_EV_RECV_FBIT:
2967 /* Nothing to process */
2974 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2975 struct l2cap_ctrl *control,
2976 struct sk_buff_head *skbs, u8 event)
2978 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2982 case L2CAP_EV_DATA_REQUEST:
2983 if (chan->tx_send_head == NULL)
2984 chan->tx_send_head = skb_peek(skbs);
2985 /* Queue data, but don't send. */
2986 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2988 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2989 BT_DBG("Enter LOCAL_BUSY");
2990 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2992 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2993 /* The SREJ_SENT state must be aborted if we are to
2994 * enter the LOCAL_BUSY state.
2996 l2cap_abort_rx_srej_sent(chan);
2999 l2cap_send_ack(chan);
3002 case L2CAP_EV_LOCAL_BUSY_CLEAR:
3003 BT_DBG("Exit LOCAL_BUSY");
3004 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
3006 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
3007 struct l2cap_ctrl local_control;
3008 memset(&local_control, 0, sizeof(local_control));
3009 local_control.sframe = 1;
3010 local_control.super = L2CAP_SUPER_RR;
3011 local_control.poll = 1;
3012 local_control.reqseq = chan->buffer_seq;
3013 l2cap_send_sframe(chan, &local_control);
3015 chan->retry_count = 1;
3016 __set_monitor_timer(chan);
3017 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
3020 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
3021 l2cap_process_reqseq(chan, control->reqseq);
3024 case L2CAP_EV_RECV_FBIT:
3025 if (control && control->final) {
3026 __clear_monitor_timer(chan);
3027 if (chan->unacked_frames > 0)
3028 __set_retrans_timer(chan);
3029 chan->retry_count = 0;
3030 chan->tx_state = L2CAP_TX_STATE_XMIT;
3031 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
3034 case L2CAP_EV_EXPLICIT_POLL:
3037 case L2CAP_EV_MONITOR_TO:
3038 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
3039 l2cap_send_rr_or_rnr(chan, 1);
3040 __set_monitor_timer(chan);
3041 chan->retry_count++;
3043 l2cap_send_disconn_req(chan, ECONNABORTED);
3051 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
3052 struct sk_buff_head *skbs, u8 event)
3054 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
3055 chan, control, skbs, event, chan->tx_state);
3057 switch (chan->tx_state) {
3058 case L2CAP_TX_STATE_XMIT:
3059 l2cap_tx_state_xmit(chan, control, skbs, event);
3061 case L2CAP_TX_STATE_WAIT_F:
3062 l2cap_tx_state_wait_f(chan, control, skbs, event);
3070 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
3071 struct l2cap_ctrl *control)
3073 BT_DBG("chan %p, control %p", chan, control);
3074 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
3077 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
3078 struct l2cap_ctrl *control)
3080 BT_DBG("chan %p, control %p", chan, control);
3081 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
3084 /* Copy frame to all raw sockets on that connection */
3085 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
3087 struct sk_buff *nskb;
3088 struct l2cap_chan *chan;
3090 BT_DBG("conn %p", conn);
3092 mutex_lock(&conn->chan_lock);
3094 list_for_each_entry(chan, &conn->chan_l, list) {
3095 if (chan->chan_type != L2CAP_CHAN_RAW)
3098 /* Don't send frame to the channel it came from */
3099 if (bt_cb(skb)->l2cap.chan == chan)
3102 nskb = skb_clone(skb, GFP_KERNEL);
3105 if (chan->ops->recv(chan, nskb))
3109 mutex_unlock(&conn->chan_lock);
3112 /* ---- L2CAP signalling commands ---- */
3113 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
3114 u8 ident, u16 dlen, void *data)
3116 struct sk_buff *skb, **frag;
3117 struct l2cap_cmd_hdr *cmd;
3118 struct l2cap_hdr *lh;
3121 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
3122 conn, code, ident, dlen);
3124 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
3127 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
3128 count = min_t(unsigned int, conn->mtu, len);
3130 skb = bt_skb_alloc(count, GFP_KERNEL);
3134 lh = skb_put(skb, L2CAP_HDR_SIZE);
3135 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
3137 if (conn->hcon->type == LE_LINK)
3138 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
3140 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
3142 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
3145 cmd->len = cpu_to_le16(dlen);
3148 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
3149 skb_put_data(skb, data, count);
3155 /* Continuation fragments (no L2CAP header) */
3156 frag = &skb_shinfo(skb)->frag_list;
3158 count = min_t(unsigned int, conn->mtu, len);
3160 *frag = bt_skb_alloc(count, GFP_KERNEL);
3164 skb_put_data(*frag, data, count);
3169 frag = &(*frag)->next;
3179 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
3182 struct l2cap_conf_opt *opt = *ptr;
3185 len = L2CAP_CONF_OPT_SIZE + opt->len;
3193 *val = *((u8 *) opt->val);
3197 *val = get_unaligned_le16(opt->val);
3201 *val = get_unaligned_le32(opt->val);
3205 *val = (unsigned long) opt->val;
3209 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3213 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3215 struct l2cap_conf_opt *opt = *ptr;
3217 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3219 if (size < L2CAP_CONF_OPT_SIZE + len)
3227 *((u8 *) opt->val) = val;
3231 put_unaligned_le16(val, opt->val);
3235 put_unaligned_le32(val, opt->val);
3239 memcpy(opt->val, (void *) val, len);
3243 *ptr += L2CAP_CONF_OPT_SIZE + len;
3246 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3248 struct l2cap_conf_efs efs;
3250 switch (chan->mode) {
3251 case L2CAP_MODE_ERTM:
3252 efs.id = chan->local_id;
3253 efs.stype = chan->local_stype;
3254 efs.msdu = cpu_to_le16(chan->local_msdu);
3255 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3256 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3257 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3260 case L2CAP_MODE_STREAMING:
3262 efs.stype = L2CAP_SERV_BESTEFFORT;
3263 efs.msdu = cpu_to_le16(chan->local_msdu);
3264 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3273 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3274 (unsigned long) &efs, size);
3277 static void l2cap_ack_timeout(struct work_struct *work)
3279 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3283 BT_DBG("chan %p", chan);
3285 l2cap_chan_lock(chan);
3287 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3288 chan->last_acked_seq);
3291 l2cap_send_rr_or_rnr(chan, 0);
3293 l2cap_chan_unlock(chan);
3294 l2cap_chan_put(chan);
3297 int l2cap_ertm_init(struct l2cap_chan *chan)
3301 chan->next_tx_seq = 0;
3302 chan->expected_tx_seq = 0;
3303 chan->expected_ack_seq = 0;
3304 chan->unacked_frames = 0;
3305 chan->buffer_seq = 0;
3306 chan->frames_sent = 0;
3307 chan->last_acked_seq = 0;
3309 chan->sdu_last_frag = NULL;
3312 skb_queue_head_init(&chan->tx_q);
3314 chan->local_amp_id = AMP_ID_BREDR;
3315 chan->move_id = AMP_ID_BREDR;
3316 chan->move_state = L2CAP_MOVE_STABLE;
3317 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3319 if (chan->mode != L2CAP_MODE_ERTM)
3322 chan->rx_state = L2CAP_RX_STATE_RECV;
3323 chan->tx_state = L2CAP_TX_STATE_XMIT;
3325 skb_queue_head_init(&chan->srej_q);
3327 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3331 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3333 l2cap_seq_list_free(&chan->srej_list);
3338 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3341 case L2CAP_MODE_STREAMING:
3342 case L2CAP_MODE_ERTM:
3343 if (l2cap_mode_supported(mode, remote_feat_mask))
3347 return L2CAP_MODE_BASIC;
3351 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3353 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3354 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3357 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3359 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3360 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3363 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3364 struct l2cap_conf_rfc *rfc)
3366 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3367 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3369 /* Class 1 devices have must have ERTM timeouts
3370 * exceeding the Link Supervision Timeout. The
3371 * default Link Supervision Timeout for AMP
3372 * controllers is 10 seconds.
3374 * Class 1 devices use 0xffffffff for their
3375 * best-effort flush timeout, so the clamping logic
3376 * will result in a timeout that meets the above
3377 * requirement. ERTM timeouts are 16-bit values, so
3378 * the maximum timeout is 65.535 seconds.
3381 /* Convert timeout to milliseconds and round */
3382 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3384 /* This is the recommended formula for class 2 devices
3385 * that start ERTM timers when packets are sent to the
3388 ertm_to = 3 * ertm_to + 500;
3390 if (ertm_to > 0xffff)
3393 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3394 rfc->monitor_timeout = rfc->retrans_timeout;
3396 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3397 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3401 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3403 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3404 __l2cap_ews_supported(chan->conn)) {
3405 /* use extended control field */
3406 set_bit(FLAG_EXT_CTRL, &chan->flags);
3407 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3409 chan->tx_win = min_t(u16, chan->tx_win,
3410 L2CAP_DEFAULT_TX_WINDOW);
3411 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3413 chan->ack_win = chan->tx_win;
3416 static void l2cap_mtu_auto(struct l2cap_chan *chan)
3418 struct hci_conn *conn = chan->conn->hcon;
3420 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3422 /* The 2-DH1 packet has between 2 and 56 information bytes
3423 * (including the 2-byte payload header)
3425 if (!(conn->pkt_type & HCI_2DH1))
3428 /* The 3-DH1 packet has between 2 and 85 information bytes
3429 * (including the 2-byte payload header)
3431 if (!(conn->pkt_type & HCI_3DH1))
3434 /* The 2-DH3 packet has between 2 and 369 information bytes
3435 * (including the 2-byte payload header)
3437 if (!(conn->pkt_type & HCI_2DH3))
3440 /* The 3-DH3 packet has between 2 and 554 information bytes
3441 * (including the 2-byte payload header)
3443 if (!(conn->pkt_type & HCI_3DH3))
3446 /* The 2-DH5 packet has between 2 and 681 information bytes
3447 * (including the 2-byte payload header)
3449 if (!(conn->pkt_type & HCI_2DH5))
3452 /* The 3-DH5 packet has between 2 and 1023 information bytes
3453 * (including the 2-byte payload header)
3455 if (!(conn->pkt_type & HCI_3DH5))
3459 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3461 struct l2cap_conf_req *req = data;
3462 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3463 void *ptr = req->data;
3464 void *endptr = data + data_size;
3467 BT_DBG("chan %p", chan);
3469 if (chan->num_conf_req || chan->num_conf_rsp)
3472 switch (chan->mode) {
3473 case L2CAP_MODE_STREAMING:
3474 case L2CAP_MODE_ERTM:
3475 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3478 if (__l2cap_efs_supported(chan->conn))
3479 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3483 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3488 if (chan->imtu != L2CAP_DEFAULT_MTU) {
3490 l2cap_mtu_auto(chan);
3491 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3495 switch (chan->mode) {
3496 case L2CAP_MODE_BASIC:
3500 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3501 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3504 rfc.mode = L2CAP_MODE_BASIC;
3506 rfc.max_transmit = 0;
3507 rfc.retrans_timeout = 0;
3508 rfc.monitor_timeout = 0;
3509 rfc.max_pdu_size = 0;
3511 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3512 (unsigned long) &rfc, endptr - ptr);
3515 case L2CAP_MODE_ERTM:
3516 rfc.mode = L2CAP_MODE_ERTM;
3517 rfc.max_transmit = chan->max_tx;
3519 __l2cap_set_ertm_timeouts(chan, &rfc);
3521 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3522 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3524 rfc.max_pdu_size = cpu_to_le16(size);
3526 l2cap_txwin_setup(chan);
3528 rfc.txwin_size = min_t(u16, chan->tx_win,
3529 L2CAP_DEFAULT_TX_WINDOW);
3531 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3532 (unsigned long) &rfc, endptr - ptr);
3534 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3535 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3537 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3538 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3539 chan->tx_win, endptr - ptr);
3541 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3542 if (chan->fcs == L2CAP_FCS_NONE ||
3543 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3544 chan->fcs = L2CAP_FCS_NONE;
3545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3546 chan->fcs, endptr - ptr);
3550 case L2CAP_MODE_STREAMING:
3551 l2cap_txwin_setup(chan);
3552 rfc.mode = L2CAP_MODE_STREAMING;
3554 rfc.max_transmit = 0;
3555 rfc.retrans_timeout = 0;
3556 rfc.monitor_timeout = 0;
3558 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3559 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3561 rfc.max_pdu_size = cpu_to_le16(size);
3563 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3564 (unsigned long) &rfc, endptr - ptr);
3566 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3567 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3569 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3570 if (chan->fcs == L2CAP_FCS_NONE ||
3571 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3572 chan->fcs = L2CAP_FCS_NONE;
3573 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3574 chan->fcs, endptr - ptr);
3579 req->dcid = cpu_to_le16(chan->dcid);
3580 req->flags = cpu_to_le16(0);
3585 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3587 struct l2cap_conf_rsp *rsp = data;
3588 void *ptr = rsp->data;
3589 void *endptr = data + data_size;
3590 void *req = chan->conf_req;
3591 int len = chan->conf_len;
3592 int type, hint, olen;
3594 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3595 struct l2cap_conf_efs efs;
3597 u16 mtu = L2CAP_DEFAULT_MTU;
3598 u16 result = L2CAP_CONF_SUCCESS;
3601 BT_DBG("chan %p", chan);
3603 while (len >= L2CAP_CONF_OPT_SIZE) {
3604 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3608 hint = type & L2CAP_CONF_HINT;
3609 type &= L2CAP_CONF_MASK;
3612 case L2CAP_CONF_MTU:
3618 case L2CAP_CONF_FLUSH_TO:
3621 chan->flush_to = val;
3624 case L2CAP_CONF_QOS:
3627 case L2CAP_CONF_RFC:
3628 if (olen != sizeof(rfc))
3630 memcpy(&rfc, (void *) val, olen);
3633 case L2CAP_CONF_FCS:
3636 if (val == L2CAP_FCS_NONE)
3637 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3640 case L2CAP_CONF_EFS:
3641 if (olen != sizeof(efs))
3644 memcpy(&efs, (void *) val, olen);
3647 case L2CAP_CONF_EWS:
3650 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3651 return -ECONNREFUSED;
3652 set_bit(FLAG_EXT_CTRL, &chan->flags);
3653 set_bit(CONF_EWS_RECV, &chan->conf_state);
3654 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3655 chan->remote_tx_win = val;
3661 result = L2CAP_CONF_UNKNOWN;
3662 *((u8 *) ptr++) = type;
3667 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3670 switch (chan->mode) {
3671 case L2CAP_MODE_STREAMING:
3672 case L2CAP_MODE_ERTM:
3673 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3674 chan->mode = l2cap_select_mode(rfc.mode,
3675 chan->conn->feat_mask);
3680 if (__l2cap_efs_supported(chan->conn))
3681 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3683 return -ECONNREFUSED;
3686 if (chan->mode != rfc.mode)
3687 return -ECONNREFUSED;
3693 if (chan->mode != rfc.mode) {
3694 result = L2CAP_CONF_UNACCEPT;
3695 rfc.mode = chan->mode;
3697 if (chan->num_conf_rsp == 1)
3698 return -ECONNREFUSED;
3700 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3701 (unsigned long) &rfc, endptr - ptr);
3704 if (result == L2CAP_CONF_SUCCESS) {
3705 /* Configure output options and let the other side know
3706 * which ones we don't like. */
3708 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3709 result = L2CAP_CONF_UNACCEPT;
3712 set_bit(CONF_MTU_DONE, &chan->conf_state);
3714 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3717 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3718 efs.stype != L2CAP_SERV_NOTRAFIC &&
3719 efs.stype != chan->local_stype) {
3721 result = L2CAP_CONF_UNACCEPT;
3723 if (chan->num_conf_req >= 1)
3724 return -ECONNREFUSED;
3726 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3728 (unsigned long) &efs, endptr - ptr);
3730 /* Send PENDING Conf Rsp */
3731 result = L2CAP_CONF_PENDING;
3732 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3737 case L2CAP_MODE_BASIC:
3738 chan->fcs = L2CAP_FCS_NONE;
3739 set_bit(CONF_MODE_DONE, &chan->conf_state);
3742 case L2CAP_MODE_ERTM:
3743 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3744 chan->remote_tx_win = rfc.txwin_size;
3746 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3748 chan->remote_max_tx = rfc.max_transmit;
3750 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3751 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3752 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3753 rfc.max_pdu_size = cpu_to_le16(size);
3754 chan->remote_mps = size;
3756 __l2cap_set_ertm_timeouts(chan, &rfc);
3758 set_bit(CONF_MODE_DONE, &chan->conf_state);
3760 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3761 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3763 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3764 chan->remote_id = efs.id;
3765 chan->remote_stype = efs.stype;
3766 chan->remote_msdu = le16_to_cpu(efs.msdu);
3767 chan->remote_flush_to =
3768 le32_to_cpu(efs.flush_to);
3769 chan->remote_acc_lat =
3770 le32_to_cpu(efs.acc_lat);
3771 chan->remote_sdu_itime =
3772 le32_to_cpu(efs.sdu_itime);
3773 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3775 (unsigned long) &efs, endptr - ptr);
3779 case L2CAP_MODE_STREAMING:
3780 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3781 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3782 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3783 rfc.max_pdu_size = cpu_to_le16(size);
3784 chan->remote_mps = size;
3786 set_bit(CONF_MODE_DONE, &chan->conf_state);
3788 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3789 (unsigned long) &rfc, endptr - ptr);
3794 result = L2CAP_CONF_UNACCEPT;
3796 memset(&rfc, 0, sizeof(rfc));
3797 rfc.mode = chan->mode;
3800 if (result == L2CAP_CONF_SUCCESS)
3801 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3803 rsp->scid = cpu_to_le16(chan->dcid);
3804 rsp->result = cpu_to_le16(result);
3805 rsp->flags = cpu_to_le16(0);
3810 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3811 void *data, size_t size, u16 *result)
3813 struct l2cap_conf_req *req = data;
3814 void *ptr = req->data;
3815 void *endptr = data + size;
3818 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3819 struct l2cap_conf_efs efs;
3821 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3823 while (len >= L2CAP_CONF_OPT_SIZE) {
3824 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3829 case L2CAP_CONF_MTU:
3832 if (val < L2CAP_DEFAULT_MIN_MTU) {
3833 *result = L2CAP_CONF_UNACCEPT;
3834 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3837 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3841 case L2CAP_CONF_FLUSH_TO:
3844 chan->flush_to = val;
3845 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3846 chan->flush_to, endptr - ptr);
3849 case L2CAP_CONF_RFC:
3850 if (olen != sizeof(rfc))
3852 memcpy(&rfc, (void *)val, olen);
3853 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3854 rfc.mode != chan->mode)
3855 return -ECONNREFUSED;
3857 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3858 (unsigned long) &rfc, endptr - ptr);
3861 case L2CAP_CONF_EWS:
3864 chan->ack_win = min_t(u16, val, chan->ack_win);
3865 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3866 chan->tx_win, endptr - ptr);
3869 case L2CAP_CONF_EFS:
3870 if (olen != sizeof(efs))
3872 memcpy(&efs, (void *)val, olen);
3873 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3874 efs.stype != L2CAP_SERV_NOTRAFIC &&
3875 efs.stype != chan->local_stype)
3876 return -ECONNREFUSED;
3877 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3878 (unsigned long) &efs, endptr - ptr);
3881 case L2CAP_CONF_FCS:
3884 if (*result == L2CAP_CONF_PENDING)
3885 if (val == L2CAP_FCS_NONE)
3886 set_bit(CONF_RECV_NO_FCS,
3892 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3893 return -ECONNREFUSED;
3895 chan->mode = rfc.mode;
3897 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3899 case L2CAP_MODE_ERTM:
3900 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3901 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3902 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3903 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3904 chan->ack_win = min_t(u16, chan->ack_win,
3907 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3908 chan->local_msdu = le16_to_cpu(efs.msdu);
3909 chan->local_sdu_itime =
3910 le32_to_cpu(efs.sdu_itime);
3911 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3912 chan->local_flush_to =
3913 le32_to_cpu(efs.flush_to);
3917 case L2CAP_MODE_STREAMING:
3918 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3922 req->dcid = cpu_to_le16(chan->dcid);
3923 req->flags = cpu_to_le16(0);
3928 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3929 u16 result, u16 flags)
3931 struct l2cap_conf_rsp *rsp = data;
3932 void *ptr = rsp->data;
3934 BT_DBG("chan %p", chan);
3936 rsp->scid = cpu_to_le16(chan->dcid);
3937 rsp->result = cpu_to_le16(result);
3938 rsp->flags = cpu_to_le16(flags);
3943 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3945 struct l2cap_le_conn_rsp rsp;
3946 struct l2cap_conn *conn = chan->conn;
3948 BT_DBG("chan %p", chan);
3950 rsp.dcid = cpu_to_le16(chan->scid);
3951 rsp.mtu = cpu_to_le16(chan->imtu);
3952 rsp.mps = cpu_to_le16(chan->mps);
3953 rsp.credits = cpu_to_le16(chan->rx_credits);
3954 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3956 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3960 void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
3963 struct l2cap_ecred_conn_rsp rsp;
3966 struct l2cap_conn *conn = chan->conn;
3967 u16 ident = chan->ident;
3973 BT_DBG("chan %p ident %d", chan, ident);
3975 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
3976 pdu.rsp.mps = cpu_to_le16(chan->mps);
3977 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
3978 pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3980 mutex_lock(&conn->chan_lock);
3982 list_for_each_entry(chan, &conn->chan_l, list) {
3983 if (chan->ident != ident)
3986 /* Reset ident so only one response is sent */
3989 /* Include all channels pending with the same ident */
3990 pdu.dcid[i++] = cpu_to_le16(chan->scid);
3993 mutex_unlock(&conn->chan_lock);
3995 l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
3996 sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
3999 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
4001 struct l2cap_conn_rsp rsp;
4002 struct l2cap_conn *conn = chan->conn;
4006 rsp.scid = cpu_to_le16(chan->dcid);
4007 rsp.dcid = cpu_to_le16(chan->scid);
4008 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4009 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4012 rsp_code = L2CAP_CREATE_CHAN_RSP;
4014 rsp_code = L2CAP_CONN_RSP;
4016 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
4018 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
4020 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4023 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4024 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4025 chan->num_conf_req++;
4028 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
4032 /* Use sane default values in case a misbehaving remote device
4033 * did not send an RFC or extended window size option.
4035 u16 txwin_ext = chan->ack_win;
4036 struct l2cap_conf_rfc rfc = {
4038 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
4039 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
4040 .max_pdu_size = cpu_to_le16(chan->imtu),
4041 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
4044 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
4046 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
4049 while (len >= L2CAP_CONF_OPT_SIZE) {
4050 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
4055 case L2CAP_CONF_RFC:
4056 if (olen != sizeof(rfc))
4058 memcpy(&rfc, (void *)val, olen);
4060 case L2CAP_CONF_EWS:
4069 case L2CAP_MODE_ERTM:
4070 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
4071 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
4072 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4073 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
4074 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
4076 chan->ack_win = min_t(u16, chan->ack_win,
4079 case L2CAP_MODE_STREAMING:
4080 chan->mps = le16_to_cpu(rfc.max_pdu_size);
4084 static inline int l2cap_command_rej(struct l2cap_conn *conn,
4085 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4088 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
4090 if (cmd_len < sizeof(*rej))
4093 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
4096 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
4097 cmd->ident == conn->info_ident) {
4098 cancel_delayed_work(&conn->info_timer);
4100 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4101 conn->info_ident = 0;
4103 l2cap_conn_start(conn);
4109 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
4110 struct l2cap_cmd_hdr *cmd,
4111 u8 *data, u8 rsp_code, u8 amp_id)
4113 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
4114 struct l2cap_conn_rsp rsp;
4115 struct l2cap_chan *chan = NULL, *pchan;
4116 int result, status = L2CAP_CS_NO_INFO;
4118 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
4119 __le16 psm = req->psm;
4121 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
4123 /* Check if we have socket listening on psm */
4124 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
4125 &conn->hcon->dst, ACL_LINK);
4127 result = L2CAP_CR_BAD_PSM;
4131 mutex_lock(&conn->chan_lock);
4132 l2cap_chan_lock(pchan);
4134 /* Check if the ACL is secure enough (if not SDP) */
4135 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
4136 !hci_conn_check_link_mode(conn->hcon)) {
4137 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
4138 result = L2CAP_CR_SEC_BLOCK;
4142 result = L2CAP_CR_NO_MEM;
4144 /* Check for valid dynamic CID range (as per Erratum 3253) */
4145 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
4146 result = L2CAP_CR_INVALID_SCID;
4150 /* Check if we already have channel with that dcid */
4151 if (__l2cap_get_chan_by_dcid(conn, scid)) {
4152 result = L2CAP_CR_SCID_IN_USE;
4156 chan = pchan->ops->new_connection(pchan);
4160 /* For certain devices (ex: HID mouse), support for authentication,
4161 * pairing and bonding is optional. For such devices, inorder to avoid
4162 * the ACL alive for too long after L2CAP disconnection, reset the ACL
4163 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
4165 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4167 bacpy(&chan->src, &conn->hcon->src);
4168 bacpy(&chan->dst, &conn->hcon->dst);
4169 chan->src_type = bdaddr_src_type(conn->hcon);
4170 chan->dst_type = bdaddr_dst_type(conn->hcon);
4173 chan->local_amp_id = amp_id;
4175 __l2cap_chan_add(conn, chan);
4179 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
4181 chan->ident = cmd->ident;
4183 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
4184 if (l2cap_chan_check_security(chan, false)) {
4185 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
4186 l2cap_state_change(chan, BT_CONNECT2);
4187 result = L2CAP_CR_PEND;
4188 status = L2CAP_CS_AUTHOR_PEND;
4189 chan->ops->defer(chan);
4191 /* Force pending result for AMP controllers.
4192 * The connection will succeed after the
4193 * physical link is up.
4195 if (amp_id == AMP_ID_BREDR) {
4196 l2cap_state_change(chan, BT_CONFIG);
4197 result = L2CAP_CR_SUCCESS;
4199 l2cap_state_change(chan, BT_CONNECT2);
4200 result = L2CAP_CR_PEND;
4202 status = L2CAP_CS_NO_INFO;
4205 l2cap_state_change(chan, BT_CONNECT2);
4206 result = L2CAP_CR_PEND;
4207 status = L2CAP_CS_AUTHEN_PEND;
4210 l2cap_state_change(chan, BT_CONNECT2);
4211 result = L2CAP_CR_PEND;
4212 status = L2CAP_CS_NO_INFO;
4216 l2cap_chan_unlock(pchan);
4217 mutex_unlock(&conn->chan_lock);
4218 l2cap_chan_put(pchan);
4221 rsp.scid = cpu_to_le16(scid);
4222 rsp.dcid = cpu_to_le16(dcid);
4223 rsp.result = cpu_to_le16(result);
4224 rsp.status = cpu_to_le16(status);
4225 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
4227 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
4228 struct l2cap_info_req info;
4229 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4231 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
4232 conn->info_ident = l2cap_get_ident(conn);
4234 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
4236 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
4237 sizeof(info), &info);
4240 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
4241 result == L2CAP_CR_SUCCESS) {
4243 set_bit(CONF_REQ_SENT, &chan->conf_state);
4244 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4245 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4246 chan->num_conf_req++;
4252 static int l2cap_connect_req(struct l2cap_conn *conn,
4253 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
4255 struct hci_dev *hdev = conn->hcon->hdev;
4256 struct hci_conn *hcon = conn->hcon;
4258 if (cmd_len < sizeof(struct l2cap_conn_req))
4262 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
4263 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
4264 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
4265 hci_dev_unlock(hdev);
4267 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
4271 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
4272 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4275 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4276 u16 scid, dcid, result, status;
4277 struct l2cap_chan *chan;
4281 if (cmd_len < sizeof(*rsp))
4284 scid = __le16_to_cpu(rsp->scid);
4285 dcid = __le16_to_cpu(rsp->dcid);
4286 result = __le16_to_cpu(rsp->result);
4287 status = __le16_to_cpu(rsp->status);
4289 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4290 dcid, scid, result, status);
4292 mutex_lock(&conn->chan_lock);
4295 chan = __l2cap_get_chan_by_scid(conn, scid);
4301 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4308 chan = l2cap_chan_hold_unless_zero(chan);
4316 l2cap_chan_lock(chan);
4319 case L2CAP_CR_SUCCESS:
4320 l2cap_state_change(chan, BT_CONFIG);
4323 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4325 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4328 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4329 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4330 chan->num_conf_req++;
4334 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4338 l2cap_chan_del(chan, ECONNREFUSED);
4342 l2cap_chan_unlock(chan);
4343 l2cap_chan_put(chan);
4346 mutex_unlock(&conn->chan_lock);
4351 static inline void set_default_fcs(struct l2cap_chan *chan)
4353 /* FCS is enabled only in ERTM or streaming mode, if one or both
4356 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4357 chan->fcs = L2CAP_FCS_NONE;
4358 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4359 chan->fcs = L2CAP_FCS_CRC16;
4362 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4363 u8 ident, u16 flags)
4365 struct l2cap_conn *conn = chan->conn;
4367 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4370 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4371 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4373 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4374 l2cap_build_conf_rsp(chan, data,
4375 L2CAP_CONF_SUCCESS, flags), data);
4378 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4381 struct l2cap_cmd_rej_cid rej;
4383 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4384 rej.scid = __cpu_to_le16(scid);
4385 rej.dcid = __cpu_to_le16(dcid);
4387 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4390 static inline int l2cap_config_req(struct l2cap_conn *conn,
4391 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4394 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4397 struct l2cap_chan *chan;
4400 if (cmd_len < sizeof(*req))
4403 dcid = __le16_to_cpu(req->dcid);
4404 flags = __le16_to_cpu(req->flags);
4406 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4408 chan = l2cap_get_chan_by_scid(conn, dcid);
4410 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4414 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
4415 chan->state != BT_CONNECTED) {
4416 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4421 /* Reject if config buffer is too small. */
4422 len = cmd_len - sizeof(*req);
4423 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4424 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4425 l2cap_build_conf_rsp(chan, rsp,
4426 L2CAP_CONF_REJECT, flags), rsp);
4431 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4432 chan->conf_len += len;
4434 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4435 /* Incomplete config. Send empty response. */
4436 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4437 l2cap_build_conf_rsp(chan, rsp,
4438 L2CAP_CONF_SUCCESS, flags), rsp);
4442 /* Complete config. */
4443 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4445 l2cap_send_disconn_req(chan, ECONNRESET);
4449 chan->ident = cmd->ident;
4450 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4451 chan->num_conf_rsp++;
4453 /* Reset config buffer. */
4456 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4459 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4460 set_default_fcs(chan);
4462 if (chan->mode == L2CAP_MODE_ERTM ||
4463 chan->mode == L2CAP_MODE_STREAMING)
4464 err = l2cap_ertm_init(chan);
4467 l2cap_send_disconn_req(chan, -err);
4469 l2cap_chan_ready(chan);
4474 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4476 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4477 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4478 chan->num_conf_req++;
4481 /* Got Conf Rsp PENDING from remote side and assume we sent
4482 Conf Rsp PENDING in the code above */
4483 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4484 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4486 /* check compatibility */
4488 /* Send rsp for BR/EDR channel */
4490 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4492 chan->ident = cmd->ident;
4496 l2cap_chan_unlock(chan);
4497 l2cap_chan_put(chan);
4501 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4502 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4505 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4506 u16 scid, flags, result;
4507 struct l2cap_chan *chan;
4508 int len = cmd_len - sizeof(*rsp);
4511 if (cmd_len < sizeof(*rsp))
4514 scid = __le16_to_cpu(rsp->scid);
4515 flags = __le16_to_cpu(rsp->flags);
4516 result = __le16_to_cpu(rsp->result);
4518 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4521 chan = l2cap_get_chan_by_scid(conn, scid);
4526 case L2CAP_CONF_SUCCESS:
4527 l2cap_conf_rfc_get(chan, rsp->data, len);
4528 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4531 case L2CAP_CONF_PENDING:
4532 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4534 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4537 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4538 buf, sizeof(buf), &result);
4540 l2cap_send_disconn_req(chan, ECONNRESET);
4544 if (!chan->hs_hcon) {
4545 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4548 if (l2cap_check_efs(chan)) {
4549 amp_create_logical_link(chan);
4550 chan->ident = cmd->ident;
4556 case L2CAP_CONF_UNACCEPT:
4557 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4560 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4561 l2cap_send_disconn_req(chan, ECONNRESET);
4565 /* throw out any old stored conf requests */
4566 result = L2CAP_CONF_SUCCESS;
4567 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4568 req, sizeof(req), &result);
4570 l2cap_send_disconn_req(chan, ECONNRESET);
4574 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4575 L2CAP_CONF_REQ, len, req);
4576 chan->num_conf_req++;
4577 if (result != L2CAP_CONF_SUCCESS)
4584 l2cap_chan_set_err(chan, ECONNRESET);
4586 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4587 l2cap_send_disconn_req(chan, ECONNRESET);
4591 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4594 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4596 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4597 set_default_fcs(chan);
4599 if (chan->mode == L2CAP_MODE_ERTM ||
4600 chan->mode == L2CAP_MODE_STREAMING)
4601 err = l2cap_ertm_init(chan);
4604 l2cap_send_disconn_req(chan, -err);
4606 l2cap_chan_ready(chan);
4610 l2cap_chan_unlock(chan);
4611 l2cap_chan_put(chan);
4615 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4616 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4619 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4620 struct l2cap_disconn_rsp rsp;
4622 struct l2cap_chan *chan;
4624 if (cmd_len != sizeof(*req))
4627 scid = __le16_to_cpu(req->scid);
4628 dcid = __le16_to_cpu(req->dcid);
4630 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4632 mutex_lock(&conn->chan_lock);
4634 chan = __l2cap_get_chan_by_scid(conn, dcid);
4636 mutex_unlock(&conn->chan_lock);
4637 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4641 l2cap_chan_hold(chan);
4642 l2cap_chan_lock(chan);
4644 rsp.dcid = cpu_to_le16(chan->scid);
4645 rsp.scid = cpu_to_le16(chan->dcid);
4646 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4648 chan->ops->set_shutdown(chan);
4650 l2cap_chan_del(chan, ECONNRESET);
4652 chan->ops->close(chan);
4654 l2cap_chan_unlock(chan);
4655 l2cap_chan_put(chan);
4657 mutex_unlock(&conn->chan_lock);
4662 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4663 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4666 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4668 struct l2cap_chan *chan;
4670 if (cmd_len != sizeof(*rsp))
4673 scid = __le16_to_cpu(rsp->scid);
4674 dcid = __le16_to_cpu(rsp->dcid);
4676 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4678 mutex_lock(&conn->chan_lock);
4680 chan = __l2cap_get_chan_by_scid(conn, scid);
4682 mutex_unlock(&conn->chan_lock);
4686 l2cap_chan_hold(chan);
4687 l2cap_chan_lock(chan);
4689 if (chan->state != BT_DISCONN) {
4690 l2cap_chan_unlock(chan);
4691 l2cap_chan_put(chan);
4692 mutex_unlock(&conn->chan_lock);
4696 l2cap_chan_del(chan, 0);
4698 chan->ops->close(chan);
4700 l2cap_chan_unlock(chan);
4701 l2cap_chan_put(chan);
4703 mutex_unlock(&conn->chan_lock);
4708 static inline int l2cap_information_req(struct l2cap_conn *conn,
4709 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4712 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4715 if (cmd_len != sizeof(*req))
4718 type = __le16_to_cpu(req->type);
4720 BT_DBG("type 0x%4.4x", type);
4722 if (type == L2CAP_IT_FEAT_MASK) {
4724 u32 feat_mask = l2cap_feat_mask;
4725 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4726 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4727 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4729 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4731 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4732 feat_mask |= L2CAP_FEAT_EXT_FLOW
4733 | L2CAP_FEAT_EXT_WINDOW;
4735 put_unaligned_le32(feat_mask, rsp->data);
4736 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4738 } else if (type == L2CAP_IT_FIXED_CHAN) {
4740 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4742 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4743 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4744 rsp->data[0] = conn->local_fixed_chan;
4745 memset(rsp->data + 1, 0, 7);
4746 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4749 struct l2cap_info_rsp rsp;
4750 rsp.type = cpu_to_le16(type);
4751 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4752 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4759 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4760 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4763 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4766 if (cmd_len < sizeof(*rsp))
4769 type = __le16_to_cpu(rsp->type);
4770 result = __le16_to_cpu(rsp->result);
4772 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4774 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4775 if (cmd->ident != conn->info_ident ||
4776 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4779 cancel_delayed_work(&conn->info_timer);
4781 if (result != L2CAP_IR_SUCCESS) {
4782 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4783 conn->info_ident = 0;
4785 l2cap_conn_start(conn);
4791 case L2CAP_IT_FEAT_MASK:
4792 conn->feat_mask = get_unaligned_le32(rsp->data);
4794 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4795 struct l2cap_info_req req;
4796 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4798 conn->info_ident = l2cap_get_ident(conn);
4800 l2cap_send_cmd(conn, conn->info_ident,
4801 L2CAP_INFO_REQ, sizeof(req), &req);
4803 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4804 conn->info_ident = 0;
4806 l2cap_conn_start(conn);
4810 case L2CAP_IT_FIXED_CHAN:
4811 conn->remote_fixed_chan = rsp->data[0];
4812 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4813 conn->info_ident = 0;
4815 l2cap_conn_start(conn);
4822 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4823 struct l2cap_cmd_hdr *cmd,
4824 u16 cmd_len, void *data)
4826 struct l2cap_create_chan_req *req = data;
4827 struct l2cap_create_chan_rsp rsp;
4828 struct l2cap_chan *chan;
4829 struct hci_dev *hdev;
4832 if (cmd_len != sizeof(*req))
4835 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4838 psm = le16_to_cpu(req->psm);
4839 scid = le16_to_cpu(req->scid);
4841 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4843 /* For controller id 0 make BR/EDR connection */
4844 if (req->amp_id == AMP_ID_BREDR) {
4845 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4850 /* Validate AMP controller id */
4851 hdev = hci_dev_get(req->amp_id);
4855 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4860 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4863 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4864 struct hci_conn *hs_hcon;
4866 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4870 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4875 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4877 mgr->bredr_chan = chan;
4878 chan->hs_hcon = hs_hcon;
4879 chan->fcs = L2CAP_FCS_NONE;
4880 conn->mtu = hdev->block_mtu;
4889 rsp.scid = cpu_to_le16(scid);
4890 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4891 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4893 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4899 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4901 struct l2cap_move_chan_req req;
4904 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4906 ident = l2cap_get_ident(chan->conn);
4907 chan->ident = ident;
4909 req.icid = cpu_to_le16(chan->scid);
4910 req.dest_amp_id = dest_amp_id;
4912 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4915 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4918 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4920 struct l2cap_move_chan_rsp rsp;
4922 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4924 rsp.icid = cpu_to_le16(chan->dcid);
4925 rsp.result = cpu_to_le16(result);
4927 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4931 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4933 struct l2cap_move_chan_cfm cfm;
4935 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4937 chan->ident = l2cap_get_ident(chan->conn);
4939 cfm.icid = cpu_to_le16(chan->scid);
4940 cfm.result = cpu_to_le16(result);
4942 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4945 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4948 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4950 struct l2cap_move_chan_cfm cfm;
4952 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4954 cfm.icid = cpu_to_le16(icid);
4955 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4957 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4961 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4964 struct l2cap_move_chan_cfm_rsp rsp;
4966 BT_DBG("icid 0x%4.4x", icid);
4968 rsp.icid = cpu_to_le16(icid);
4969 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4972 static void __release_logical_link(struct l2cap_chan *chan)
4974 chan->hs_hchan = NULL;
4975 chan->hs_hcon = NULL;
4977 /* Placeholder - release the logical link */
4980 static void l2cap_logical_fail(struct l2cap_chan *chan)
4982 /* Logical link setup failed */
4983 if (chan->state != BT_CONNECTED) {
4984 /* Create channel failure, disconnect */
4985 l2cap_send_disconn_req(chan, ECONNRESET);
4989 switch (chan->move_role) {
4990 case L2CAP_MOVE_ROLE_RESPONDER:
4991 l2cap_move_done(chan);
4992 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4994 case L2CAP_MOVE_ROLE_INITIATOR:
4995 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4996 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4997 /* Remote has only sent pending or
4998 * success responses, clean up
5000 l2cap_move_done(chan);
5003 /* Other amp move states imply that the move
5004 * has already aborted
5006 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5011 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
5012 struct hci_chan *hchan)
5014 struct l2cap_conf_rsp rsp;
5016 chan->hs_hchan = hchan;
5017 chan->hs_hcon->l2cap_data = chan->conn;
5019 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
5021 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
5024 set_default_fcs(chan);
5026 err = l2cap_ertm_init(chan);
5028 l2cap_send_disconn_req(chan, -err);
5030 l2cap_chan_ready(chan);
5034 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
5035 struct hci_chan *hchan)
5037 chan->hs_hcon = hchan->conn;
5038 chan->hs_hcon->l2cap_data = chan->conn;
5040 BT_DBG("move_state %d", chan->move_state);
5042 switch (chan->move_state) {
5043 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5044 /* Move confirm will be sent after a success
5045 * response is received
5047 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5049 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
5050 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5051 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5052 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5053 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5054 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5055 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5056 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5057 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5061 /* Move was not in expected state, free the channel */
5062 __release_logical_link(chan);
5064 chan->move_state = L2CAP_MOVE_STABLE;
5068 /* Call with chan locked */
5069 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
5072 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
5075 l2cap_logical_fail(chan);
5076 __release_logical_link(chan);
5080 if (chan->state != BT_CONNECTED) {
5081 /* Ignore logical link if channel is on BR/EDR */
5082 if (chan->local_amp_id != AMP_ID_BREDR)
5083 l2cap_logical_finish_create(chan, hchan);
5085 l2cap_logical_finish_move(chan, hchan);
5089 void l2cap_move_start(struct l2cap_chan *chan)
5091 BT_DBG("chan %p", chan);
5093 if (chan->local_amp_id == AMP_ID_BREDR) {
5094 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
5096 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5097 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5098 /* Placeholder - start physical link setup */
5100 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
5101 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5103 l2cap_move_setup(chan);
5104 l2cap_send_move_chan_req(chan, 0);
5108 static void l2cap_do_create(struct l2cap_chan *chan, int result,
5109 u8 local_amp_id, u8 remote_amp_id)
5111 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
5112 local_amp_id, remote_amp_id);
5114 chan->fcs = L2CAP_FCS_NONE;
5116 /* Outgoing channel on AMP */
5117 if (chan->state == BT_CONNECT) {
5118 if (result == L2CAP_CR_SUCCESS) {
5119 chan->local_amp_id = local_amp_id;
5120 l2cap_send_create_chan_req(chan, remote_amp_id);
5122 /* Revert to BR/EDR connect */
5123 l2cap_send_conn_req(chan);
5129 /* Incoming channel on AMP */
5130 if (__l2cap_no_conn_pending(chan)) {
5131 struct l2cap_conn_rsp rsp;
5133 rsp.scid = cpu_to_le16(chan->dcid);
5134 rsp.dcid = cpu_to_le16(chan->scid);
5136 if (result == L2CAP_CR_SUCCESS) {
5137 /* Send successful response */
5138 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
5139 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5141 /* Send negative response */
5142 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
5143 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
5146 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
5149 if (result == L2CAP_CR_SUCCESS) {
5150 l2cap_state_change(chan, BT_CONFIG);
5151 set_bit(CONF_REQ_SENT, &chan->conf_state);
5152 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
5154 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
5155 chan->num_conf_req++;
5160 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
5163 l2cap_move_setup(chan);
5164 chan->move_id = local_amp_id;
5165 chan->move_state = L2CAP_MOVE_WAIT_RSP;
5167 l2cap_send_move_chan_req(chan, remote_amp_id);
5170 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
5172 struct hci_chan *hchan = NULL;
5174 /* Placeholder - get hci_chan for logical link */
5177 if (hchan->state == BT_CONNECTED) {
5178 /* Logical link is ready to go */
5179 chan->hs_hcon = hchan->conn;
5180 chan->hs_hcon->l2cap_data = chan->conn;
5181 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5182 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
5184 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5186 /* Wait for logical link to be ready */
5187 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5190 /* Logical link not available */
5191 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
5195 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
5197 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
5199 if (result == -EINVAL)
5200 rsp_result = L2CAP_MR_BAD_ID;
5202 rsp_result = L2CAP_MR_NOT_ALLOWED;
5204 l2cap_send_move_chan_rsp(chan, rsp_result);
5207 chan->move_role = L2CAP_MOVE_ROLE_NONE;
5208 chan->move_state = L2CAP_MOVE_STABLE;
5210 /* Restart data transmission */
5211 l2cap_ertm_send(chan);
5214 /* Invoke with locked chan */
5215 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
5217 u8 local_amp_id = chan->local_amp_id;
5218 u8 remote_amp_id = chan->remote_amp_id;
5220 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
5221 chan, result, local_amp_id, remote_amp_id);
5223 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
5226 if (chan->state != BT_CONNECTED) {
5227 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
5228 } else if (result != L2CAP_MR_SUCCESS) {
5229 l2cap_do_move_cancel(chan, result);
5231 switch (chan->move_role) {
5232 case L2CAP_MOVE_ROLE_INITIATOR:
5233 l2cap_do_move_initiate(chan, local_amp_id,
5236 case L2CAP_MOVE_ROLE_RESPONDER:
5237 l2cap_do_move_respond(chan, result);
5240 l2cap_do_move_cancel(chan, result);
5246 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
5247 struct l2cap_cmd_hdr *cmd,
5248 u16 cmd_len, void *data)
5250 struct l2cap_move_chan_req *req = data;
5251 struct l2cap_move_chan_rsp rsp;
5252 struct l2cap_chan *chan;
5254 u16 result = L2CAP_MR_NOT_ALLOWED;
5256 if (cmd_len != sizeof(*req))
5259 icid = le16_to_cpu(req->icid);
5261 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
5263 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
5266 chan = l2cap_get_chan_by_dcid(conn, icid);
5268 rsp.icid = cpu_to_le16(icid);
5269 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
5270 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
5275 chan->ident = cmd->ident;
5277 if (chan->scid < L2CAP_CID_DYN_START ||
5278 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
5279 (chan->mode != L2CAP_MODE_ERTM &&
5280 chan->mode != L2CAP_MODE_STREAMING)) {
5281 result = L2CAP_MR_NOT_ALLOWED;
5282 goto send_move_response;
5285 if (chan->local_amp_id == req->dest_amp_id) {
5286 result = L2CAP_MR_SAME_ID;
5287 goto send_move_response;
5290 if (req->dest_amp_id != AMP_ID_BREDR) {
5291 struct hci_dev *hdev;
5292 hdev = hci_dev_get(req->dest_amp_id);
5293 if (!hdev || hdev->dev_type != HCI_AMP ||
5294 !test_bit(HCI_UP, &hdev->flags)) {
5298 result = L2CAP_MR_BAD_ID;
5299 goto send_move_response;
5304 /* Detect a move collision. Only send a collision response
5305 * if this side has "lost", otherwise proceed with the move.
5306 * The winner has the larger bd_addr.
5308 if ((__chan_is_moving(chan) ||
5309 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5310 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5311 result = L2CAP_MR_COLLISION;
5312 goto send_move_response;
5315 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5316 l2cap_move_setup(chan);
5317 chan->move_id = req->dest_amp_id;
5319 if (req->dest_amp_id == AMP_ID_BREDR) {
5320 /* Moving to BR/EDR */
5321 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5322 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5323 result = L2CAP_MR_PEND;
5325 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5326 result = L2CAP_MR_SUCCESS;
5329 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5330 /* Placeholder - uncomment when amp functions are available */
5331 /*amp_accept_physical(chan, req->dest_amp_id);*/
5332 result = L2CAP_MR_PEND;
5336 l2cap_send_move_chan_rsp(chan, result);
5338 l2cap_chan_unlock(chan);
5339 l2cap_chan_put(chan);
5344 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5346 struct l2cap_chan *chan;
5347 struct hci_chan *hchan = NULL;
5349 chan = l2cap_get_chan_by_scid(conn, icid);
5351 l2cap_send_move_chan_cfm_icid(conn, icid);
5355 __clear_chan_timer(chan);
5356 if (result == L2CAP_MR_PEND)
5357 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5359 switch (chan->move_state) {
5360 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5361 /* Move confirm will be sent when logical link
5364 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5366 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5367 if (result == L2CAP_MR_PEND) {
5369 } else if (test_bit(CONN_LOCAL_BUSY,
5370 &chan->conn_state)) {
5371 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5373 /* Logical link is up or moving to BR/EDR,
5376 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5377 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5380 case L2CAP_MOVE_WAIT_RSP:
5382 if (result == L2CAP_MR_SUCCESS) {
5383 /* Remote is ready, send confirm immediately
5384 * after logical link is ready
5386 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5388 /* Both logical link and move success
5389 * are required to confirm
5391 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5394 /* Placeholder - get hci_chan for logical link */
5396 /* Logical link not available */
5397 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5401 /* If the logical link is not yet connected, do not
5402 * send confirmation.
5404 if (hchan->state != BT_CONNECTED)
5407 /* Logical link is already ready to go */
5409 chan->hs_hcon = hchan->conn;
5410 chan->hs_hcon->l2cap_data = chan->conn;
5412 if (result == L2CAP_MR_SUCCESS) {
5413 /* Can confirm now */
5414 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5416 /* Now only need move success
5419 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5422 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5425 /* Any other amp move state means the move failed. */
5426 chan->move_id = chan->local_amp_id;
5427 l2cap_move_done(chan);
5428 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5431 l2cap_chan_unlock(chan);
5432 l2cap_chan_put(chan);
5435 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5438 struct l2cap_chan *chan;
5440 chan = l2cap_get_chan_by_ident(conn, ident);
5442 /* Could not locate channel, icid is best guess */
5443 l2cap_send_move_chan_cfm_icid(conn, icid);
5447 __clear_chan_timer(chan);
5449 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5450 if (result == L2CAP_MR_COLLISION) {
5451 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5453 /* Cleanup - cancel move */
5454 chan->move_id = chan->local_amp_id;
5455 l2cap_move_done(chan);
5459 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5461 l2cap_chan_unlock(chan);
5462 l2cap_chan_put(chan);
5465 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5466 struct l2cap_cmd_hdr *cmd,
5467 u16 cmd_len, void *data)
5469 struct l2cap_move_chan_rsp *rsp = data;
5472 if (cmd_len != sizeof(*rsp))
5475 icid = le16_to_cpu(rsp->icid);
5476 result = le16_to_cpu(rsp->result);
5478 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5480 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5481 l2cap_move_continue(conn, icid, result);
5483 l2cap_move_fail(conn, cmd->ident, icid, result);
5488 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5489 struct l2cap_cmd_hdr *cmd,
5490 u16 cmd_len, void *data)
5492 struct l2cap_move_chan_cfm *cfm = data;
5493 struct l2cap_chan *chan;
5496 if (cmd_len != sizeof(*cfm))
5499 icid = le16_to_cpu(cfm->icid);
5500 result = le16_to_cpu(cfm->result);
5502 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5504 chan = l2cap_get_chan_by_dcid(conn, icid);
5506 /* Spec requires a response even if the icid was not found */
5507 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5511 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5512 if (result == L2CAP_MC_CONFIRMED) {
5513 chan->local_amp_id = chan->move_id;
5514 if (chan->local_amp_id == AMP_ID_BREDR)
5515 __release_logical_link(chan);
5517 chan->move_id = chan->local_amp_id;
5520 l2cap_move_done(chan);
5523 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5525 l2cap_chan_unlock(chan);
5526 l2cap_chan_put(chan);
5531 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5532 struct l2cap_cmd_hdr *cmd,
5533 u16 cmd_len, void *data)
5535 struct l2cap_move_chan_cfm_rsp *rsp = data;
5536 struct l2cap_chan *chan;
5539 if (cmd_len != sizeof(*rsp))
5542 icid = le16_to_cpu(rsp->icid);
5544 BT_DBG("icid 0x%4.4x", icid);
5546 chan = l2cap_get_chan_by_scid(conn, icid);
5550 __clear_chan_timer(chan);
5552 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5553 chan->local_amp_id = chan->move_id;
5555 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5556 __release_logical_link(chan);
5558 l2cap_move_done(chan);
5561 l2cap_chan_unlock(chan);
5562 l2cap_chan_put(chan);
5567 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5568 struct l2cap_cmd_hdr *cmd,
5569 u16 cmd_len, u8 *data)
5571 struct hci_conn *hcon = conn->hcon;
5572 struct l2cap_conn_param_update_req *req;
5573 struct l2cap_conn_param_update_rsp rsp;
5574 u16 min, max, latency, to_multiplier;
5577 if (hcon->role != HCI_ROLE_MASTER)
5580 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5583 req = (struct l2cap_conn_param_update_req *) data;
5584 min = __le16_to_cpu(req->min);
5585 max = __le16_to_cpu(req->max);
5586 latency = __le16_to_cpu(req->latency);
5587 to_multiplier = __le16_to_cpu(req->to_multiplier);
5589 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5590 min, max, latency, to_multiplier);
5592 memset(&rsp, 0, sizeof(rsp));
5594 err = hci_check_conn_params(min, max, latency, to_multiplier);
5596 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5598 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5600 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5606 store_hint = hci_le_conn_update(hcon, min, max, latency,
5608 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5609 store_hint, min, max, latency,
5617 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5618 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5621 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5622 struct hci_conn *hcon = conn->hcon;
5623 u16 dcid, mtu, mps, credits, result;
5624 struct l2cap_chan *chan;
5627 if (cmd_len < sizeof(*rsp))
5630 dcid = __le16_to_cpu(rsp->dcid);
5631 mtu = __le16_to_cpu(rsp->mtu);
5632 mps = __le16_to_cpu(rsp->mps);
5633 credits = __le16_to_cpu(rsp->credits);
5634 result = __le16_to_cpu(rsp->result);
5636 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5637 dcid < L2CAP_CID_DYN_START ||
5638 dcid > L2CAP_CID_LE_DYN_END))
5641 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5642 dcid, mtu, mps, credits, result);
5644 mutex_lock(&conn->chan_lock);
5646 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5654 l2cap_chan_lock(chan);
5657 case L2CAP_CR_LE_SUCCESS:
5658 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5666 chan->remote_mps = mps;
5667 chan->tx_credits = credits;
5668 l2cap_chan_ready(chan);
5671 case L2CAP_CR_LE_AUTHENTICATION:
5672 case L2CAP_CR_LE_ENCRYPTION:
5673 /* If we already have MITM protection we can't do
5676 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5677 l2cap_chan_del(chan, ECONNREFUSED);
5681 sec_level = hcon->sec_level + 1;
5682 if (chan->sec_level < sec_level)
5683 chan->sec_level = sec_level;
5685 /* We'll need to send a new Connect Request */
5686 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5688 smp_conn_security(hcon, chan->sec_level);
5692 l2cap_chan_del(chan, ECONNREFUSED);
5696 l2cap_chan_unlock(chan);
5699 mutex_unlock(&conn->chan_lock);
5704 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5705 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5710 switch (cmd->code) {
5711 case L2CAP_COMMAND_REJ:
5712 l2cap_command_rej(conn, cmd, cmd_len, data);
5715 case L2CAP_CONN_REQ:
5716 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5719 case L2CAP_CONN_RSP:
5720 case L2CAP_CREATE_CHAN_RSP:
5721 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5724 case L2CAP_CONF_REQ:
5725 err = l2cap_config_req(conn, cmd, cmd_len, data);
5728 case L2CAP_CONF_RSP:
5729 l2cap_config_rsp(conn, cmd, cmd_len, data);
5732 case L2CAP_DISCONN_REQ:
5733 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5736 case L2CAP_DISCONN_RSP:
5737 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5740 case L2CAP_ECHO_REQ:
5741 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5744 case L2CAP_ECHO_RSP:
5747 case L2CAP_INFO_REQ:
5748 err = l2cap_information_req(conn, cmd, cmd_len, data);
5751 case L2CAP_INFO_RSP:
5752 l2cap_information_rsp(conn, cmd, cmd_len, data);
5755 case L2CAP_CREATE_CHAN_REQ:
5756 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5759 case L2CAP_MOVE_CHAN_REQ:
5760 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5763 case L2CAP_MOVE_CHAN_RSP:
5764 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5767 case L2CAP_MOVE_CHAN_CFM:
5768 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5771 case L2CAP_MOVE_CHAN_CFM_RSP:
5772 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5776 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5784 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5785 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5788 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5789 struct l2cap_le_conn_rsp rsp;
5790 struct l2cap_chan *chan, *pchan;
5791 u16 dcid, scid, credits, mtu, mps;
5795 if (cmd_len != sizeof(*req))
5798 scid = __le16_to_cpu(req->scid);
5799 mtu = __le16_to_cpu(req->mtu);
5800 mps = __le16_to_cpu(req->mps);
5805 if (mtu < 23 || mps < 23)
5808 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5811 /* Check if we have socket listening on psm */
5812 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5813 &conn->hcon->dst, LE_LINK);
5815 result = L2CAP_CR_LE_BAD_PSM;
5820 mutex_lock(&conn->chan_lock);
5821 l2cap_chan_lock(pchan);
5823 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5825 result = L2CAP_CR_LE_AUTHENTICATION;
5827 goto response_unlock;
5830 /* Check for valid dynamic CID range */
5831 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5832 result = L2CAP_CR_LE_INVALID_SCID;
5834 goto response_unlock;
5837 /* Check if we already have channel with that dcid */
5838 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5839 result = L2CAP_CR_LE_SCID_IN_USE;
5841 goto response_unlock;
5844 chan = pchan->ops->new_connection(pchan);
5846 result = L2CAP_CR_LE_NO_MEM;
5847 goto response_unlock;
5850 bacpy(&chan->src, &conn->hcon->src);
5851 bacpy(&chan->dst, &conn->hcon->dst);
5852 chan->src_type = bdaddr_src_type(conn->hcon);
5853 chan->dst_type = bdaddr_dst_type(conn->hcon);
5857 chan->remote_mps = mps;
5859 __l2cap_chan_add(conn, chan);
5861 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5864 credits = chan->rx_credits;
5866 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5868 chan->ident = cmd->ident;
5870 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5871 l2cap_state_change(chan, BT_CONNECT2);
5872 /* The following result value is actually not defined
5873 * for LE CoC but we use it to let the function know
5874 * that it should bail out after doing its cleanup
5875 * instead of sending a response.
5877 result = L2CAP_CR_PEND;
5878 chan->ops->defer(chan);
5880 l2cap_chan_ready(chan);
5881 result = L2CAP_CR_LE_SUCCESS;
5885 l2cap_chan_unlock(pchan);
5886 mutex_unlock(&conn->chan_lock);
5887 l2cap_chan_put(pchan);
5889 if (result == L2CAP_CR_PEND)
5894 rsp.mtu = cpu_to_le16(chan->imtu);
5895 rsp.mps = cpu_to_le16(chan->mps);
5901 rsp.dcid = cpu_to_le16(dcid);
5902 rsp.credits = cpu_to_le16(credits);
5903 rsp.result = cpu_to_le16(result);
5905 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5910 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5911 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5914 struct l2cap_le_credits *pkt;
5915 struct l2cap_chan *chan;
5916 u16 cid, credits, max_credits;
5918 if (cmd_len != sizeof(*pkt))
5921 pkt = (struct l2cap_le_credits *) data;
5922 cid = __le16_to_cpu(pkt->cid);
5923 credits = __le16_to_cpu(pkt->credits);
5925 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5927 chan = l2cap_get_chan_by_dcid(conn, cid);
5931 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5932 if (credits > max_credits) {
5933 BT_ERR("LE credits overflow");
5934 l2cap_send_disconn_req(chan, ECONNRESET);
5936 /* Return 0 so that we don't trigger an unnecessary
5937 * command reject packet.
5942 chan->tx_credits += credits;
5944 /* Resume sending */
5945 l2cap_le_flowctl_send(chan);
5947 if (chan->tx_credits)
5948 chan->ops->resume(chan);
5951 l2cap_chan_unlock(chan);
5952 l2cap_chan_put(chan);
5957 static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
5958 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5961 struct l2cap_ecred_conn_req *req = (void *) data;
5963 struct l2cap_ecred_conn_rsp rsp;
5966 struct l2cap_chan *chan, *pchan;
5976 if (cmd_len < sizeof(*req) || (cmd_len - sizeof(*req)) % sizeof(u16)) {
5977 result = L2CAP_CR_LE_INVALID_PARAMS;
5981 mtu = __le16_to_cpu(req->mtu);
5982 mps = __le16_to_cpu(req->mps);
5984 if (mtu < L2CAP_ECRED_MIN_MTU || mps < L2CAP_ECRED_MIN_MPS) {
5985 result = L2CAP_CR_LE_UNACCEPT_PARAMS;
5991 BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
5993 memset(&pdu, 0, sizeof(pdu));
5995 /* Check if we have socket listening on psm */
5996 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5997 &conn->hcon->dst, LE_LINK);
5999 result = L2CAP_CR_LE_BAD_PSM;
6003 mutex_lock(&conn->chan_lock);
6004 l2cap_chan_lock(pchan);
6006 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
6008 result = L2CAP_CR_LE_AUTHENTICATION;
6012 result = L2CAP_CR_LE_SUCCESS;
6013 cmd_len -= sizeof(*req);
6014 num_scid = cmd_len / sizeof(u16);
6016 for (i = 0; i < num_scid; i++) {
6017 u16 scid = __le16_to_cpu(req->scid[i]);
6019 BT_DBG("scid[%d] 0x%4.4x", i, scid);
6021 pdu.dcid[i] = 0x0000;
6022 len += sizeof(*pdu.dcid);
6024 /* Check for valid dynamic CID range */
6025 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
6026 result = L2CAP_CR_LE_INVALID_SCID;
6030 /* Check if we already have channel with that dcid */
6031 if (__l2cap_get_chan_by_dcid(conn, scid)) {
6032 result = L2CAP_CR_LE_SCID_IN_USE;
6036 chan = pchan->ops->new_connection(pchan);
6038 result = L2CAP_CR_LE_NO_MEM;
6042 bacpy(&chan->src, &conn->hcon->src);
6043 bacpy(&chan->dst, &conn->hcon->dst);
6044 chan->src_type = bdaddr_src_type(conn->hcon);
6045 chan->dst_type = bdaddr_dst_type(conn->hcon);
6049 chan->remote_mps = mps;
6051 __l2cap_chan_add(conn, chan);
6053 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
6056 if (!pdu.rsp.credits) {
6057 pdu.rsp.mtu = cpu_to_le16(chan->imtu);
6058 pdu.rsp.mps = cpu_to_le16(chan->mps);
6059 pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
6062 pdu.dcid[i] = cpu_to_le16(chan->scid);
6064 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
6066 chan->ident = cmd->ident;
6068 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
6069 l2cap_state_change(chan, BT_CONNECT2);
6071 chan->ops->defer(chan);
6073 l2cap_chan_ready(chan);
6078 l2cap_chan_unlock(pchan);
6079 mutex_unlock(&conn->chan_lock);
6080 l2cap_chan_put(pchan);
6083 pdu.rsp.result = cpu_to_le16(result);
6088 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_CONN_RSP,
6089 sizeof(pdu.rsp) + len, &pdu);
6094 static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
6095 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6098 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6099 struct hci_conn *hcon = conn->hcon;
6100 u16 mtu, mps, credits, result;
6101 struct l2cap_chan *chan, *tmp;
6102 int err = 0, sec_level;
6105 if (cmd_len < sizeof(*rsp))
6108 mtu = __le16_to_cpu(rsp->mtu);
6109 mps = __le16_to_cpu(rsp->mps);
6110 credits = __le16_to_cpu(rsp->credits);
6111 result = __le16_to_cpu(rsp->result);
6113 BT_DBG("mtu %u mps %u credits %u result 0x%4.4x", mtu, mps, credits,
6116 mutex_lock(&conn->chan_lock);
6118 cmd_len -= sizeof(*rsp);
6120 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6123 if (chan->ident != cmd->ident ||
6124 chan->mode != L2CAP_MODE_EXT_FLOWCTL ||
6125 chan->state == BT_CONNECTED)
6128 l2cap_chan_lock(chan);
6130 /* Check that there is a dcid for each pending channel */
6131 if (cmd_len < sizeof(dcid)) {
6132 l2cap_chan_del(chan, ECONNREFUSED);
6133 l2cap_chan_unlock(chan);
6137 dcid = __le16_to_cpu(rsp->dcid[i++]);
6138 cmd_len -= sizeof(u16);
6140 BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
6142 /* Check if dcid is already in use */
6143 if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
6144 /* If a device receives a
6145 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
6146 * already-assigned Destination CID, then both the
6147 * original channel and the new channel shall be
6148 * immediately discarded and not used.
6150 l2cap_chan_del(chan, ECONNREFUSED);
6151 l2cap_chan_unlock(chan);
6152 chan = __l2cap_get_chan_by_dcid(conn, dcid);
6153 l2cap_chan_lock(chan);
6154 l2cap_chan_del(chan, ECONNRESET);
6155 l2cap_chan_unlock(chan);
6160 case L2CAP_CR_LE_AUTHENTICATION:
6161 case L2CAP_CR_LE_ENCRYPTION:
6162 /* If we already have MITM protection we can't do
6165 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
6166 l2cap_chan_del(chan, ECONNREFUSED);
6170 sec_level = hcon->sec_level + 1;
6171 if (chan->sec_level < sec_level)
6172 chan->sec_level = sec_level;
6174 /* We'll need to send a new Connect Request */
6175 clear_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags);
6177 smp_conn_security(hcon, chan->sec_level);
6180 case L2CAP_CR_LE_BAD_PSM:
6181 l2cap_chan_del(chan, ECONNREFUSED);
6185 /* If dcid was not set it means channels was refused */
6187 l2cap_chan_del(chan, ECONNREFUSED);
6194 chan->remote_mps = mps;
6195 chan->tx_credits = credits;
6196 l2cap_chan_ready(chan);
6200 l2cap_chan_unlock(chan);
6203 mutex_unlock(&conn->chan_lock);
6208 static inline int l2cap_ecred_reconf_req(struct l2cap_conn *conn,
6209 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6212 struct l2cap_ecred_reconf_req *req = (void *) data;
6213 struct l2cap_ecred_reconf_rsp rsp;
6214 u16 mtu, mps, result;
6215 struct l2cap_chan *chan;
6221 if (cmd_len < sizeof(*req) || cmd_len - sizeof(*req) % sizeof(u16)) {
6222 result = L2CAP_CR_LE_INVALID_PARAMS;
6226 mtu = __le16_to_cpu(req->mtu);
6227 mps = __le16_to_cpu(req->mps);
6229 BT_DBG("mtu %u mps %u", mtu, mps);
6231 if (mtu < L2CAP_ECRED_MIN_MTU) {
6232 result = L2CAP_RECONF_INVALID_MTU;
6236 if (mps < L2CAP_ECRED_MIN_MPS) {
6237 result = L2CAP_RECONF_INVALID_MPS;
6241 cmd_len -= sizeof(*req);
6242 num_scid = cmd_len / sizeof(u16);
6243 result = L2CAP_RECONF_SUCCESS;
6245 for (i = 0; i < num_scid; i++) {
6248 scid = __le16_to_cpu(req->scid[i]);
6252 chan = __l2cap_get_chan_by_dcid(conn, scid);
6256 /* If the MTU value is decreased for any of the included
6257 * channels, then the receiver shall disconnect all
6258 * included channels.
6260 if (chan->omtu > mtu) {
6261 BT_ERR("chan %p decreased MTU %u -> %u", chan,
6263 result = L2CAP_RECONF_INVALID_MTU;
6267 chan->remote_mps = mps;
6271 rsp.result = cpu_to_le16(result);
6273 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECRED_RECONF_RSP, sizeof(rsp),
6279 static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
6280 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6283 struct l2cap_chan *chan, *tmp;
6284 struct l2cap_ecred_conn_rsp *rsp = (void *) data;
6287 if (cmd_len < sizeof(*rsp))
6290 result = __le16_to_cpu(rsp->result);
6292 BT_DBG("result 0x%4.4x", rsp->result);
6297 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
6298 if (chan->ident != cmd->ident)
6301 l2cap_chan_del(chan, ECONNRESET);
6307 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
6308 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6311 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
6312 struct l2cap_chan *chan;
6314 if (cmd_len < sizeof(*rej))
6317 mutex_lock(&conn->chan_lock);
6319 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
6323 l2cap_chan_lock(chan);
6324 l2cap_chan_del(chan, ECONNREFUSED);
6325 l2cap_chan_unlock(chan);
6328 mutex_unlock(&conn->chan_lock);
6332 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
6333 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
6338 switch (cmd->code) {
6339 case L2CAP_COMMAND_REJ:
6340 l2cap_le_command_rej(conn, cmd, cmd_len, data);
6343 case L2CAP_CONN_PARAM_UPDATE_REQ:
6344 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
6347 case L2CAP_CONN_PARAM_UPDATE_RSP:
6350 case L2CAP_LE_CONN_RSP:
6351 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
6354 case L2CAP_LE_CONN_REQ:
6355 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
6358 case L2CAP_LE_CREDITS:
6359 err = l2cap_le_credits(conn, cmd, cmd_len, data);
6362 case L2CAP_ECRED_CONN_REQ:
6363 err = l2cap_ecred_conn_req(conn, cmd, cmd_len, data);
6366 case L2CAP_ECRED_CONN_RSP:
6367 err = l2cap_ecred_conn_rsp(conn, cmd, cmd_len, data);
6370 case L2CAP_ECRED_RECONF_REQ:
6371 err = l2cap_ecred_reconf_req(conn, cmd, cmd_len, data);
6374 case L2CAP_ECRED_RECONF_RSP:
6375 err = l2cap_ecred_reconf_rsp(conn, cmd, cmd_len, data);
6378 case L2CAP_DISCONN_REQ:
6379 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
6382 case L2CAP_DISCONN_RSP:
6383 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
6387 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
6395 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
6396 struct sk_buff *skb)
6398 struct hci_conn *hcon = conn->hcon;
6399 struct l2cap_cmd_hdr *cmd;
6403 if (hcon->type != LE_LINK)
6406 if (skb->len < L2CAP_CMD_HDR_SIZE)
6409 cmd = (void *) skb->data;
6410 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6412 len = le16_to_cpu(cmd->len);
6414 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
6416 if (len != skb->len || !cmd->ident) {
6417 BT_DBG("corrupted command");
6421 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
6423 struct l2cap_cmd_rej_unk rej;
6425 BT_ERR("Wrong link type (%d)", err);
6427 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6428 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6436 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
6437 struct sk_buff *skb)
6439 struct hci_conn *hcon = conn->hcon;
6440 struct l2cap_cmd_hdr *cmd;
6443 l2cap_raw_recv(conn, skb);
6445 if (hcon->type != ACL_LINK)
6448 while (skb->len >= L2CAP_CMD_HDR_SIZE) {
6451 cmd = (void *) skb->data;
6452 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
6454 len = le16_to_cpu(cmd->len);
6456 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len,
6459 if (len > skb->len || !cmd->ident) {
6460 BT_DBG("corrupted command");
6464 err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data);
6466 struct l2cap_cmd_rej_unk rej;
6468 BT_ERR("Wrong link type (%d)", err);
6470 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
6471 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
6482 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
6484 u16 our_fcs, rcv_fcs;
6487 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
6488 hdr_size = L2CAP_EXT_HDR_SIZE;
6490 hdr_size = L2CAP_ENH_HDR_SIZE;
6492 if (chan->fcs == L2CAP_FCS_CRC16) {
6493 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
6494 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
6495 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
6497 if (our_fcs != rcv_fcs)
6503 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
6505 struct l2cap_ctrl control;
6507 BT_DBG("chan %p", chan);
6509 memset(&control, 0, sizeof(control));
6512 control.reqseq = chan->buffer_seq;
6513 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6515 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6516 control.super = L2CAP_SUPER_RNR;
6517 l2cap_send_sframe(chan, &control);
6520 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
6521 chan->unacked_frames > 0)
6522 __set_retrans_timer(chan);
6524 /* Send pending iframes */
6525 l2cap_ertm_send(chan);
6527 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
6528 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
6529 /* F-bit wasn't sent in an s-frame or i-frame yet, so
6532 control.super = L2CAP_SUPER_RR;
6533 l2cap_send_sframe(chan, &control);
6537 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
6538 struct sk_buff **last_frag)
6540 /* skb->len reflects data in skb as well as all fragments
6541 * skb->data_len reflects only data in fragments
6543 if (!skb_has_frag_list(skb))
6544 skb_shinfo(skb)->frag_list = new_frag;
6546 new_frag->next = NULL;
6548 (*last_frag)->next = new_frag;
6549 *last_frag = new_frag;
6551 skb->len += new_frag->len;
6552 skb->data_len += new_frag->len;
6553 skb->truesize += new_frag->truesize;
6556 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
6557 struct l2cap_ctrl *control)
6561 switch (control->sar) {
6562 case L2CAP_SAR_UNSEGMENTED:
6566 err = chan->ops->recv(chan, skb);
6569 case L2CAP_SAR_START:
6573 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
6576 chan->sdu_len = get_unaligned_le16(skb->data);
6577 skb_pull(skb, L2CAP_SDULEN_SIZE);
6579 if (chan->sdu_len > chan->imtu) {
6584 if (skb->len >= chan->sdu_len)
6588 chan->sdu_last_frag = skb;
6594 case L2CAP_SAR_CONTINUE:
6598 append_skb_frag(chan->sdu, skb,
6599 &chan->sdu_last_frag);
6602 if (chan->sdu->len >= chan->sdu_len)
6612 append_skb_frag(chan->sdu, skb,
6613 &chan->sdu_last_frag);
6616 if (chan->sdu->len != chan->sdu_len)
6619 err = chan->ops->recv(chan, chan->sdu);
6622 /* Reassembly complete */
6624 chan->sdu_last_frag = NULL;
6632 kfree_skb(chan->sdu);
6634 chan->sdu_last_frag = NULL;
6641 static int l2cap_resegment(struct l2cap_chan *chan)
6647 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6651 if (chan->mode != L2CAP_MODE_ERTM)
6654 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6655 l2cap_tx(chan, NULL, NULL, event);
6658 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6661 /* Pass sequential frames to l2cap_reassemble_sdu()
6662 * until a gap is encountered.
6665 BT_DBG("chan %p", chan);
6667 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6668 struct sk_buff *skb;
6669 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6670 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6672 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6677 skb_unlink(skb, &chan->srej_q);
6678 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6679 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6684 if (skb_queue_empty(&chan->srej_q)) {
6685 chan->rx_state = L2CAP_RX_STATE_RECV;
6686 l2cap_send_ack(chan);
6692 static void l2cap_handle_srej(struct l2cap_chan *chan,
6693 struct l2cap_ctrl *control)
6695 struct sk_buff *skb;
6697 BT_DBG("chan %p, control %p", chan, control);
6699 if (control->reqseq == chan->next_tx_seq) {
6700 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6701 l2cap_send_disconn_req(chan, ECONNRESET);
6705 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6708 BT_DBG("Seq %d not available for retransmission",
6713 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6714 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6715 l2cap_send_disconn_req(chan, ECONNRESET);
6719 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6721 if (control->poll) {
6722 l2cap_pass_to_tx(chan, control);
6724 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6725 l2cap_retransmit(chan, control);
6726 l2cap_ertm_send(chan);
6728 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6729 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6730 chan->srej_save_reqseq = control->reqseq;
6733 l2cap_pass_to_tx_fbit(chan, control);
6735 if (control->final) {
6736 if (chan->srej_save_reqseq != control->reqseq ||
6737 !test_and_clear_bit(CONN_SREJ_ACT,
6739 l2cap_retransmit(chan, control);
6741 l2cap_retransmit(chan, control);
6742 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6743 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6744 chan->srej_save_reqseq = control->reqseq;
6750 static void l2cap_handle_rej(struct l2cap_chan *chan,
6751 struct l2cap_ctrl *control)
6753 struct sk_buff *skb;
6755 BT_DBG("chan %p, control %p", chan, control);
6757 if (control->reqseq == chan->next_tx_seq) {
6758 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6759 l2cap_send_disconn_req(chan, ECONNRESET);
6763 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6765 if (chan->max_tx && skb &&
6766 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6767 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6768 l2cap_send_disconn_req(chan, ECONNRESET);
6772 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6774 l2cap_pass_to_tx(chan, control);
6776 if (control->final) {
6777 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6778 l2cap_retransmit_all(chan, control);
6780 l2cap_retransmit_all(chan, control);
6781 l2cap_ertm_send(chan);
6782 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6783 set_bit(CONN_REJ_ACT, &chan->conn_state);
6787 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6789 BT_DBG("chan %p, txseq %d", chan, txseq);
6791 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6792 chan->expected_tx_seq);
6794 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6795 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6797 /* See notes below regarding "double poll" and
6800 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6801 BT_DBG("Invalid/Ignore - after SREJ");
6802 return L2CAP_TXSEQ_INVALID_IGNORE;
6804 BT_DBG("Invalid - in window after SREJ sent");
6805 return L2CAP_TXSEQ_INVALID;
6809 if (chan->srej_list.head == txseq) {
6810 BT_DBG("Expected SREJ");
6811 return L2CAP_TXSEQ_EXPECTED_SREJ;
6814 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6815 BT_DBG("Duplicate SREJ - txseq already stored");
6816 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6819 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6820 BT_DBG("Unexpected SREJ - not requested");
6821 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6825 if (chan->expected_tx_seq == txseq) {
6826 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6828 BT_DBG("Invalid - txseq outside tx window");
6829 return L2CAP_TXSEQ_INVALID;
6832 return L2CAP_TXSEQ_EXPECTED;
6836 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6837 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6838 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6839 return L2CAP_TXSEQ_DUPLICATE;
6842 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6843 /* A source of invalid packets is a "double poll" condition,
6844 * where delays cause us to send multiple poll packets. If
6845 * the remote stack receives and processes both polls,
6846 * sequence numbers can wrap around in such a way that a
6847 * resent frame has a sequence number that looks like new data
6848 * with a sequence gap. This would trigger an erroneous SREJ
6851 * Fortunately, this is impossible with a tx window that's
6852 * less than half of the maximum sequence number, which allows
6853 * invalid frames to be safely ignored.
6855 * With tx window sizes greater than half of the tx window
6856 * maximum, the frame is invalid and cannot be ignored. This
6857 * causes a disconnect.
6860 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6861 BT_DBG("Invalid/Ignore - txseq outside tx window");
6862 return L2CAP_TXSEQ_INVALID_IGNORE;
6864 BT_DBG("Invalid - txseq outside tx window");
6865 return L2CAP_TXSEQ_INVALID;
6868 BT_DBG("Unexpected - txseq indicates missing frames");
6869 return L2CAP_TXSEQ_UNEXPECTED;
6873 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6874 struct l2cap_ctrl *control,
6875 struct sk_buff *skb, u8 event)
6878 bool skb_in_use = false;
6880 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6884 case L2CAP_EV_RECV_IFRAME:
6885 switch (l2cap_classify_txseq(chan, control->txseq)) {
6886 case L2CAP_TXSEQ_EXPECTED:
6887 l2cap_pass_to_tx(chan, control);
6889 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6890 BT_DBG("Busy, discarding expected seq %d",
6895 chan->expected_tx_seq = __next_seq(chan,
6898 chan->buffer_seq = chan->expected_tx_seq;
6901 err = l2cap_reassemble_sdu(chan, skb, control);
6905 if (control->final) {
6906 if (!test_and_clear_bit(CONN_REJ_ACT,
6907 &chan->conn_state)) {
6909 l2cap_retransmit_all(chan, control);
6910 l2cap_ertm_send(chan);
6914 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6915 l2cap_send_ack(chan);
6917 case L2CAP_TXSEQ_UNEXPECTED:
6918 l2cap_pass_to_tx(chan, control);
6920 /* Can't issue SREJ frames in the local busy state.
6921 * Drop this frame, it will be seen as missing
6922 * when local busy is exited.
6924 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6925 BT_DBG("Busy, discarding unexpected seq %d",
6930 /* There was a gap in the sequence, so an SREJ
6931 * must be sent for each missing frame. The
6932 * current frame is stored for later use.
6934 skb_queue_tail(&chan->srej_q, skb);
6936 BT_DBG("Queued %p (queue len %d)", skb,
6937 skb_queue_len(&chan->srej_q));
6939 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6940 l2cap_seq_list_clear(&chan->srej_list);
6941 l2cap_send_srej(chan, control->txseq);
6943 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6945 case L2CAP_TXSEQ_DUPLICATE:
6946 l2cap_pass_to_tx(chan, control);
6948 case L2CAP_TXSEQ_INVALID_IGNORE:
6950 case L2CAP_TXSEQ_INVALID:
6952 l2cap_send_disconn_req(chan, ECONNRESET);
6956 case L2CAP_EV_RECV_RR:
6957 l2cap_pass_to_tx(chan, control);
6958 if (control->final) {
6959 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6961 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6962 !__chan_is_moving(chan)) {
6964 l2cap_retransmit_all(chan, control);
6967 l2cap_ertm_send(chan);
6968 } else if (control->poll) {
6969 l2cap_send_i_or_rr_or_rnr(chan);
6971 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6972 &chan->conn_state) &&
6973 chan->unacked_frames)
6974 __set_retrans_timer(chan);
6976 l2cap_ertm_send(chan);
6979 case L2CAP_EV_RECV_RNR:
6980 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6981 l2cap_pass_to_tx(chan, control);
6982 if (control && control->poll) {
6983 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6984 l2cap_send_rr_or_rnr(chan, 0);
6986 __clear_retrans_timer(chan);
6987 l2cap_seq_list_clear(&chan->retrans_list);
6989 case L2CAP_EV_RECV_REJ:
6990 l2cap_handle_rej(chan, control);
6992 case L2CAP_EV_RECV_SREJ:
6993 l2cap_handle_srej(chan, control);
6999 if (skb && !skb_in_use) {
7000 BT_DBG("Freeing %p", skb);
7007 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
7008 struct l2cap_ctrl *control,
7009 struct sk_buff *skb, u8 event)
7012 u16 txseq = control->txseq;
7013 bool skb_in_use = false;
7015 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7019 case L2CAP_EV_RECV_IFRAME:
7020 switch (l2cap_classify_txseq(chan, txseq)) {
7021 case L2CAP_TXSEQ_EXPECTED:
7022 /* Keep frame for reassembly later */
7023 l2cap_pass_to_tx(chan, control);
7024 skb_queue_tail(&chan->srej_q, skb);
7026 BT_DBG("Queued %p (queue len %d)", skb,
7027 skb_queue_len(&chan->srej_q));
7029 chan->expected_tx_seq = __next_seq(chan, txseq);
7031 case L2CAP_TXSEQ_EXPECTED_SREJ:
7032 l2cap_seq_list_pop(&chan->srej_list);
7034 l2cap_pass_to_tx(chan, control);
7035 skb_queue_tail(&chan->srej_q, skb);
7037 BT_DBG("Queued %p (queue len %d)", skb,
7038 skb_queue_len(&chan->srej_q));
7040 err = l2cap_rx_queued_iframes(chan);
7045 case L2CAP_TXSEQ_UNEXPECTED:
7046 /* Got a frame that can't be reassembled yet.
7047 * Save it for later, and send SREJs to cover
7048 * the missing frames.
7050 skb_queue_tail(&chan->srej_q, skb);
7052 BT_DBG("Queued %p (queue len %d)", skb,
7053 skb_queue_len(&chan->srej_q));
7055 l2cap_pass_to_tx(chan, control);
7056 l2cap_send_srej(chan, control->txseq);
7058 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
7059 /* This frame was requested with an SREJ, but
7060 * some expected retransmitted frames are
7061 * missing. Request retransmission of missing
7064 skb_queue_tail(&chan->srej_q, skb);
7066 BT_DBG("Queued %p (queue len %d)", skb,
7067 skb_queue_len(&chan->srej_q));
7069 l2cap_pass_to_tx(chan, control);
7070 l2cap_send_srej_list(chan, control->txseq);
7072 case L2CAP_TXSEQ_DUPLICATE_SREJ:
7073 /* We've already queued this frame. Drop this copy. */
7074 l2cap_pass_to_tx(chan, control);
7076 case L2CAP_TXSEQ_DUPLICATE:
7077 /* Expecting a later sequence number, so this frame
7078 * was already received. Ignore it completely.
7081 case L2CAP_TXSEQ_INVALID_IGNORE:
7083 case L2CAP_TXSEQ_INVALID:
7085 l2cap_send_disconn_req(chan, ECONNRESET);
7089 case L2CAP_EV_RECV_RR:
7090 l2cap_pass_to_tx(chan, control);
7091 if (control->final) {
7092 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7094 if (!test_and_clear_bit(CONN_REJ_ACT,
7095 &chan->conn_state)) {
7097 l2cap_retransmit_all(chan, control);
7100 l2cap_ertm_send(chan);
7101 } else if (control->poll) {
7102 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7103 &chan->conn_state) &&
7104 chan->unacked_frames) {
7105 __set_retrans_timer(chan);
7108 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7109 l2cap_send_srej_tail(chan);
7111 if (test_and_clear_bit(CONN_REMOTE_BUSY,
7112 &chan->conn_state) &&
7113 chan->unacked_frames)
7114 __set_retrans_timer(chan);
7116 l2cap_send_ack(chan);
7119 case L2CAP_EV_RECV_RNR:
7120 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7121 l2cap_pass_to_tx(chan, control);
7122 if (control->poll) {
7123 l2cap_send_srej_tail(chan);
7125 struct l2cap_ctrl rr_control;
7126 memset(&rr_control, 0, sizeof(rr_control));
7127 rr_control.sframe = 1;
7128 rr_control.super = L2CAP_SUPER_RR;
7129 rr_control.reqseq = chan->buffer_seq;
7130 l2cap_send_sframe(chan, &rr_control);
7134 case L2CAP_EV_RECV_REJ:
7135 l2cap_handle_rej(chan, control);
7137 case L2CAP_EV_RECV_SREJ:
7138 l2cap_handle_srej(chan, control);
7142 if (skb && !skb_in_use) {
7143 BT_DBG("Freeing %p", skb);
7150 static int l2cap_finish_move(struct l2cap_chan *chan)
7152 BT_DBG("chan %p", chan);
7154 chan->rx_state = L2CAP_RX_STATE_RECV;
7157 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7159 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7161 return l2cap_resegment(chan);
7164 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
7165 struct l2cap_ctrl *control,
7166 struct sk_buff *skb, u8 event)
7170 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
7176 l2cap_process_reqseq(chan, control->reqseq);
7178 if (!skb_queue_empty(&chan->tx_q))
7179 chan->tx_send_head = skb_peek(&chan->tx_q);
7181 chan->tx_send_head = NULL;
7183 /* Rewind next_tx_seq to the point expected
7186 chan->next_tx_seq = control->reqseq;
7187 chan->unacked_frames = 0;
7189 err = l2cap_finish_move(chan);
7193 set_bit(CONN_SEND_FBIT, &chan->conn_state);
7194 l2cap_send_i_or_rr_or_rnr(chan);
7196 if (event == L2CAP_EV_RECV_IFRAME)
7199 return l2cap_rx_state_recv(chan, control, NULL, event);
7202 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
7203 struct l2cap_ctrl *control,
7204 struct sk_buff *skb, u8 event)
7208 if (!control->final)
7211 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
7213 chan->rx_state = L2CAP_RX_STATE_RECV;
7214 l2cap_process_reqseq(chan, control->reqseq);
7216 if (!skb_queue_empty(&chan->tx_q))
7217 chan->tx_send_head = skb_peek(&chan->tx_q);
7219 chan->tx_send_head = NULL;
7221 /* Rewind next_tx_seq to the point expected
7224 chan->next_tx_seq = control->reqseq;
7225 chan->unacked_frames = 0;
7228 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
7230 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
7232 err = l2cap_resegment(chan);
7235 err = l2cap_rx_state_recv(chan, control, skb, event);
7240 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
7242 /* Make sure reqseq is for a packet that has been sent but not acked */
7245 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
7246 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
7249 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7250 struct sk_buff *skb, u8 event)
7254 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
7255 control, skb, event, chan->rx_state);
7257 if (__valid_reqseq(chan, control->reqseq)) {
7258 switch (chan->rx_state) {
7259 case L2CAP_RX_STATE_RECV:
7260 err = l2cap_rx_state_recv(chan, control, skb, event);
7262 case L2CAP_RX_STATE_SREJ_SENT:
7263 err = l2cap_rx_state_srej_sent(chan, control, skb,
7266 case L2CAP_RX_STATE_WAIT_P:
7267 err = l2cap_rx_state_wait_p(chan, control, skb, event);
7269 case L2CAP_RX_STATE_WAIT_F:
7270 err = l2cap_rx_state_wait_f(chan, control, skb, event);
7277 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
7278 control->reqseq, chan->next_tx_seq,
7279 chan->expected_ack_seq);
7280 l2cap_send_disconn_req(chan, ECONNRESET);
7286 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
7287 struct sk_buff *skb)
7289 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
7292 if (l2cap_classify_txseq(chan, control->txseq) ==
7293 L2CAP_TXSEQ_EXPECTED) {
7294 l2cap_pass_to_tx(chan, control);
7296 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
7297 __next_seq(chan, chan->buffer_seq));
7299 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
7301 l2cap_reassemble_sdu(chan, skb, control);
7304 kfree_skb(chan->sdu);
7307 chan->sdu_last_frag = NULL;
7311 BT_DBG("Freeing %p", skb);
7316 chan->last_acked_seq = control->txseq;
7317 chan->expected_tx_seq = __next_seq(chan, control->txseq);
7322 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7324 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
7328 __unpack_control(chan, skb);
7333 * We can just drop the corrupted I-frame here.
7334 * Receiver will miss it and start proper recovery
7335 * procedures and ask for retransmission.
7337 if (l2cap_check_fcs(chan, skb))
7340 if (!control->sframe && control->sar == L2CAP_SAR_START)
7341 len -= L2CAP_SDULEN_SIZE;
7343 if (chan->fcs == L2CAP_FCS_CRC16)
7344 len -= L2CAP_FCS_SIZE;
7346 if (len > chan->mps) {
7347 l2cap_send_disconn_req(chan, ECONNRESET);
7351 if (chan->ops->filter) {
7352 if (chan->ops->filter(chan, skb))
7356 if (!control->sframe) {
7359 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
7360 control->sar, control->reqseq, control->final,
7363 /* Validate F-bit - F=0 always valid, F=1 only
7364 * valid in TX WAIT_F
7366 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
7369 if (chan->mode != L2CAP_MODE_STREAMING) {
7370 event = L2CAP_EV_RECV_IFRAME;
7371 err = l2cap_rx(chan, control, skb, event);
7373 err = l2cap_stream_rx(chan, control, skb);
7377 l2cap_send_disconn_req(chan, ECONNRESET);
7379 const u8 rx_func_to_event[4] = {
7380 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
7381 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
7384 /* Only I-frames are expected in streaming mode */
7385 if (chan->mode == L2CAP_MODE_STREAMING)
7388 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
7389 control->reqseq, control->final, control->poll,
7393 BT_ERR("Trailing bytes: %d in sframe", len);
7394 l2cap_send_disconn_req(chan, ECONNRESET);
7398 /* Validate F and P bits */
7399 if (control->final && (control->poll ||
7400 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
7403 event = rx_func_to_event[control->super];
7404 if (l2cap_rx(chan, control, skb, event))
7405 l2cap_send_disconn_req(chan, ECONNRESET);
7415 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
7417 struct l2cap_conn *conn = chan->conn;
7418 struct l2cap_le_credits pkt;
7421 return_credits = (chan->imtu / chan->mps) + 1;
7423 if (chan->rx_credits >= return_credits)
7426 return_credits -= chan->rx_credits;
7428 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
7430 chan->rx_credits += return_credits;
7432 pkt.cid = cpu_to_le16(chan->scid);
7433 pkt.credits = cpu_to_le16(return_credits);
7435 chan->ident = l2cap_get_ident(conn);
7437 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
7440 static int l2cap_ecred_recv(struct l2cap_chan *chan, struct sk_buff *skb)
7444 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
7446 /* Wait recv to confirm reception before updating the credits */
7447 err = chan->ops->recv(chan, skb);
7449 /* Update credits whenever an SDU is received */
7450 l2cap_chan_le_send_credits(chan);
7455 static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
7459 if (!chan->rx_credits) {
7460 BT_ERR("No credits to receive LE L2CAP data");
7461 l2cap_send_disconn_req(chan, ECONNRESET);
7465 if (chan->imtu < skb->len) {
7466 BT_ERR("Too big LE L2CAP PDU");
7471 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
7473 /* Update if remote had run out of credits, this should only happens
7474 * if the remote is not using the entire MPS.
7476 if (!chan->rx_credits)
7477 l2cap_chan_le_send_credits(chan);
7484 sdu_len = get_unaligned_le16(skb->data);
7485 skb_pull(skb, L2CAP_SDULEN_SIZE);
7487 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
7488 sdu_len, skb->len, chan->imtu);
7490 if (sdu_len > chan->imtu) {
7491 BT_ERR("Too big LE L2CAP SDU length received");
7496 if (skb->len > sdu_len) {
7497 BT_ERR("Too much LE L2CAP data received");
7502 if (skb->len == sdu_len)
7503 return l2cap_ecred_recv(chan, skb);
7506 chan->sdu_len = sdu_len;
7507 chan->sdu_last_frag = skb;
7509 /* Detect if remote is not able to use the selected MPS */
7510 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
7511 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
7513 /* Adjust the number of credits */
7514 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
7515 chan->mps = mps_len;
7516 l2cap_chan_le_send_credits(chan);
7522 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
7523 chan->sdu->len, skb->len, chan->sdu_len);
7525 if (chan->sdu->len + skb->len > chan->sdu_len) {
7526 BT_ERR("Too much LE L2CAP data received");
7531 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
7534 if (chan->sdu->len == chan->sdu_len) {
7535 err = l2cap_ecred_recv(chan, chan->sdu);
7538 chan->sdu_last_frag = NULL;
7546 kfree_skb(chan->sdu);
7548 chan->sdu_last_frag = NULL;
7552 /* We can't return an error here since we took care of the skb
7553 * freeing internally. An error return would cause the caller to
7554 * do a double-free of the skb.
7559 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
7560 struct sk_buff *skb)
7562 struct l2cap_chan *chan;
7564 chan = l2cap_get_chan_by_scid(conn, cid);
7566 if (cid == L2CAP_CID_A2MP) {
7567 chan = a2mp_channel_create(conn, skb);
7573 l2cap_chan_lock(chan);
7575 BT_DBG("unknown cid 0x%4.4x", cid);
7576 /* Drop packet and return */
7582 BT_DBG("chan %p, len %d", chan, skb->len);
7584 /* If we receive data on a fixed channel before the info req/rsp
7585 * procedure is done simply assume that the channel is supported
7586 * and mark it as ready.
7588 if (chan->chan_type == L2CAP_CHAN_FIXED)
7589 l2cap_chan_ready(chan);
7591 if (chan->state != BT_CONNECTED)
7594 switch (chan->mode) {
7595 case L2CAP_MODE_LE_FLOWCTL:
7596 case L2CAP_MODE_EXT_FLOWCTL:
7597 if (l2cap_ecred_data_rcv(chan, skb) < 0)
7602 case L2CAP_MODE_BASIC:
7603 /* If socket recv buffers overflows we drop data here
7604 * which is *bad* because L2CAP has to be reliable.
7605 * But we don't have any other choice. L2CAP doesn't
7606 * provide flow control mechanism. */
7608 if (chan->imtu < skb->len) {
7609 BT_ERR("Dropping L2CAP data: receive buffer overflow");
7613 if (!chan->ops->recv(chan, skb))
7617 case L2CAP_MODE_ERTM:
7618 case L2CAP_MODE_STREAMING:
7619 l2cap_data_rcv(chan, skb);
7623 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
7631 l2cap_chan_unlock(chan);
7632 l2cap_chan_put(chan);
7635 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
7636 struct sk_buff *skb)
7638 struct hci_conn *hcon = conn->hcon;
7639 struct l2cap_chan *chan;
7641 if (hcon->type != ACL_LINK)
7644 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
7649 BT_DBG("chan %p, len %d", chan, skb->len);
7651 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
7654 if (chan->imtu < skb->len)
7657 /* Store remote BD_ADDR and PSM for msg_name */
7658 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7659 bt_cb(skb)->l2cap.psm = psm;
7661 if (!chan->ops->recv(chan, skb)) {
7662 l2cap_chan_put(chan);
7667 l2cap_chan_put(chan);
7672 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7674 struct l2cap_hdr *lh = (void *) skb->data;
7675 struct hci_conn *hcon = conn->hcon;
7679 if (hcon->state != BT_CONNECTED) {
7680 BT_DBG("queueing pending rx skb");
7681 skb_queue_tail(&conn->pending_rx, skb);
7685 skb_pull(skb, L2CAP_HDR_SIZE);
7686 cid = __le16_to_cpu(lh->cid);
7687 len = __le16_to_cpu(lh->len);
7689 if (len != skb->len) {
7694 /* Since we can't actively block incoming LE connections we must
7695 * at least ensure that we ignore incoming data from them.
7697 if (hcon->type == LE_LINK &&
7698 hci_bdaddr_list_lookup(&hcon->hdev->reject_list, &hcon->dst,
7699 bdaddr_dst_type(hcon))) {
7704 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7707 case L2CAP_CID_SIGNALING:
7708 l2cap_sig_channel(conn, skb);
7711 case L2CAP_CID_CONN_LESS:
7712 psm = get_unaligned((__le16 *) skb->data);
7713 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7714 l2cap_conless_channel(conn, psm, skb);
7717 case L2CAP_CID_LE_SIGNALING:
7718 l2cap_le_sig_channel(conn, skb);
7722 l2cap_data_channel(conn, cid, skb);
7727 static void process_pending_rx(struct work_struct *work)
7729 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7731 struct sk_buff *skb;
7735 while ((skb = skb_dequeue(&conn->pending_rx)))
7736 l2cap_recv_frame(conn, skb);
7739 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7741 struct l2cap_conn *conn = hcon->l2cap_data;
7742 struct hci_chan *hchan;
7747 hchan = hci_chan_create(hcon);
7751 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7753 hci_chan_del(hchan);
7757 kref_init(&conn->ref);
7758 hcon->l2cap_data = conn;
7759 conn->hcon = hci_conn_get(hcon);
7760 conn->hchan = hchan;
7762 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7764 switch (hcon->type) {
7766 if (hcon->hdev->le_mtu) {
7767 conn->mtu = hcon->hdev->le_mtu;
7772 conn->mtu = hcon->hdev->acl_mtu;
7776 conn->feat_mask = 0;
7778 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7780 if (hcon->type == ACL_LINK &&
7781 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7782 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7784 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7785 (bredr_sc_enabled(hcon->hdev) ||
7786 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7787 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7789 mutex_init(&conn->ident_lock);
7790 mutex_init(&conn->chan_lock);
7792 INIT_LIST_HEAD(&conn->chan_l);
7793 INIT_LIST_HEAD(&conn->users);
7795 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7797 skb_queue_head_init(&conn->pending_rx);
7798 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7799 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7801 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7806 static bool is_valid_psm(u16 psm, u8 dst_type) {
7810 if (bdaddr_type_is_le(dst_type))
7811 return (psm <= 0x00ff);
7813 /* PSM must be odd and lsb of upper byte must be 0 */
7814 return ((psm & 0x0101) == 0x0001);
7817 struct l2cap_chan_data {
7818 struct l2cap_chan *chan;
7823 static void l2cap_chan_by_pid(struct l2cap_chan *chan, void *data)
7825 struct l2cap_chan_data *d = data;
7828 if (chan == d->chan)
7831 if (!test_bit(FLAG_DEFER_SETUP, &chan->flags))
7834 pid = chan->ops->get_peer_pid(chan);
7836 /* Only count deferred channels with the same PID/PSM */
7837 if (d->pid != pid || chan->psm != d->chan->psm || chan->ident ||
7838 chan->mode != L2CAP_MODE_EXT_FLOWCTL || chan->state != BT_CONNECT)
7844 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7845 bdaddr_t *dst, u8 dst_type)
7847 struct l2cap_conn *conn;
7848 struct hci_conn *hcon;
7849 struct hci_dev *hdev;
7852 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src,
7853 dst, dst_type, __le16_to_cpu(psm), chan->mode);
7855 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7857 return -EHOSTUNREACH;
7861 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7862 chan->chan_type != L2CAP_CHAN_RAW) {
7867 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7872 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7877 switch (chan->mode) {
7878 case L2CAP_MODE_BASIC:
7880 case L2CAP_MODE_LE_FLOWCTL:
7882 case L2CAP_MODE_EXT_FLOWCTL:
7883 if (!enable_ecred) {
7888 case L2CAP_MODE_ERTM:
7889 case L2CAP_MODE_STREAMING:
7898 switch (chan->state) {
7902 /* Already connecting */
7907 /* Already connected */
7921 /* Set destination address and psm */
7922 bacpy(&chan->dst, dst);
7923 chan->dst_type = dst_type;
7928 if (bdaddr_type_is_le(dst_type)) {
7929 /* Convert from L2CAP channel address type to HCI address type
7931 if (dst_type == BDADDR_LE_PUBLIC)
7932 dst_type = ADDR_LE_DEV_PUBLIC;
7934 dst_type = ADDR_LE_DEV_RANDOM;
7936 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7937 hcon = hci_connect_le(hdev, dst, dst_type,
7939 HCI_LE_CONN_TIMEOUT,
7940 HCI_ROLE_SLAVE, NULL);
7942 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7944 HCI_LE_CONN_TIMEOUT,
7945 CONN_REASON_L2CAP_CHAN);
7948 u8 auth_type = l2cap_get_auth_type(chan);
7949 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type,
7950 CONN_REASON_L2CAP_CHAN);
7954 err = PTR_ERR(hcon);
7958 conn = l2cap_conn_add(hcon);
7960 hci_conn_drop(hcon);
7965 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL) {
7966 struct l2cap_chan_data data;
7969 data.pid = chan->ops->get_peer_pid(chan);
7972 l2cap_chan_list(conn, l2cap_chan_by_pid, &data);
7974 /* Check if there isn't too many channels being connected */
7975 if (data.count > L2CAP_ECRED_CONN_SCID_MAX) {
7976 hci_conn_drop(hcon);
7982 mutex_lock(&conn->chan_lock);
7983 l2cap_chan_lock(chan);
7985 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7986 hci_conn_drop(hcon);
7991 /* Update source addr of the socket */
7992 bacpy(&chan->src, &hcon->src);
7993 chan->src_type = bdaddr_src_type(hcon);
7995 __l2cap_chan_add(conn, chan);
7997 /* l2cap_chan_add takes its own ref so we can drop this one */
7998 hci_conn_drop(hcon);
8000 l2cap_state_change(chan, BT_CONNECT);
8001 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
8003 /* Release chan->sport so that it can be reused by other
8004 * sockets (as it's only used for listening sockets).
8006 write_lock(&chan_list_lock);
8008 write_unlock(&chan_list_lock);
8010 if (hcon->state == BT_CONNECTED) {
8011 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
8012 __clear_chan_timer(chan);
8013 if (l2cap_chan_check_security(chan, true))
8014 l2cap_state_change(chan, BT_CONNECTED);
8016 l2cap_do_start(chan);
8022 l2cap_chan_unlock(chan);
8023 mutex_unlock(&conn->chan_lock);
8025 hci_dev_unlock(hdev);
8029 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
8031 static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
8033 struct l2cap_conn *conn = chan->conn;
8035 struct l2cap_ecred_reconf_req req;
8039 pdu.req.mtu = cpu_to_le16(chan->imtu);
8040 pdu.req.mps = cpu_to_le16(chan->mps);
8041 pdu.scid = cpu_to_le16(chan->scid);
8043 chan->ident = l2cap_get_ident(conn);
8045 l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
8049 int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
8051 if (chan->imtu > mtu)
8054 BT_DBG("chan %p mtu 0x%4.4x", chan, mtu);
8058 l2cap_ecred_reconfigure(chan);
8063 /* ---- L2CAP interface with lower layer (HCI) ---- */
8065 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
8067 int exact = 0, lm1 = 0, lm2 = 0;
8068 struct l2cap_chan *c;
8070 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
8072 /* Find listening sockets and check their link_mode */
8073 read_lock(&chan_list_lock);
8074 list_for_each_entry(c, &chan_list, global_l) {
8075 if (c->state != BT_LISTEN)
8078 if (!bacmp(&c->src, &hdev->bdaddr)) {
8079 lm1 |= HCI_LM_ACCEPT;
8080 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8081 lm1 |= HCI_LM_MASTER;
8083 } else if (!bacmp(&c->src, BDADDR_ANY)) {
8084 lm2 |= HCI_LM_ACCEPT;
8085 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
8086 lm2 |= HCI_LM_MASTER;
8089 read_unlock(&chan_list_lock);
8091 return exact ? lm1 : lm2;
8094 /* Find the next fixed channel in BT_LISTEN state, continue iteration
8095 * from an existing channel in the list or from the beginning of the
8096 * global list (by passing NULL as first parameter).
8098 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
8099 struct hci_conn *hcon)
8101 u8 src_type = bdaddr_src_type(hcon);
8103 read_lock(&chan_list_lock);
8106 c = list_next_entry(c, global_l);
8108 c = list_entry(chan_list.next, typeof(*c), global_l);
8110 list_for_each_entry_from(c, &chan_list, global_l) {
8111 if (c->chan_type != L2CAP_CHAN_FIXED)
8113 if (c->state != BT_LISTEN)
8115 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
8117 if (src_type != c->src_type)
8120 c = l2cap_chan_hold_unless_zero(c);
8121 read_unlock(&chan_list_lock);
8125 read_unlock(&chan_list_lock);
8130 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
8132 struct hci_dev *hdev = hcon->hdev;
8133 struct l2cap_conn *conn;
8134 struct l2cap_chan *pchan;
8137 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8140 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
8143 l2cap_conn_del(hcon, bt_to_errno(status));
8147 conn = l2cap_conn_add(hcon);
8151 dst_type = bdaddr_dst_type(hcon);
8153 /* If device is blocked, do not create channels for it */
8154 if (hci_bdaddr_list_lookup(&hdev->reject_list, &hcon->dst, dst_type))
8157 /* Find fixed channels and notify them of the new connection. We
8158 * use multiple individual lookups, continuing each time where
8159 * we left off, because the list lock would prevent calling the
8160 * potentially sleeping l2cap_chan_lock() function.
8162 pchan = l2cap_global_fixed_chan(NULL, hcon);
8164 struct l2cap_chan *chan, *next;
8166 /* Client fixed channels should override server ones */
8167 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
8170 l2cap_chan_lock(pchan);
8171 chan = pchan->ops->new_connection(pchan);
8173 bacpy(&chan->src, &hcon->src);
8174 bacpy(&chan->dst, &hcon->dst);
8175 chan->src_type = bdaddr_src_type(hcon);
8176 chan->dst_type = dst_type;
8178 __l2cap_chan_add(conn, chan);
8181 l2cap_chan_unlock(pchan);
8183 next = l2cap_global_fixed_chan(pchan, hcon);
8184 l2cap_chan_put(pchan);
8188 l2cap_conn_ready(conn);
8191 int l2cap_disconn_ind(struct hci_conn *hcon)
8193 struct l2cap_conn *conn = hcon->l2cap_data;
8195 BT_DBG("hcon %p", hcon);
8198 return HCI_ERROR_REMOTE_USER_TERM;
8199 return conn->disc_reason;
8202 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
8204 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
8207 BT_DBG("hcon %p reason %d", hcon, reason);
8209 l2cap_conn_del(hcon, bt_to_errno(reason));
8212 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
8214 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
8217 if (encrypt == 0x00) {
8218 if (chan->sec_level == BT_SECURITY_MEDIUM) {
8219 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
8220 } else if (chan->sec_level == BT_SECURITY_HIGH ||
8221 chan->sec_level == BT_SECURITY_FIPS)
8222 l2cap_chan_close(chan, ECONNREFUSED);
8224 if (chan->sec_level == BT_SECURITY_MEDIUM)
8225 __clear_chan_timer(chan);
8229 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
8231 struct l2cap_conn *conn = hcon->l2cap_data;
8232 struct l2cap_chan *chan;
8237 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
8239 mutex_lock(&conn->chan_lock);
8241 list_for_each_entry(chan, &conn->chan_l, list) {
8242 l2cap_chan_lock(chan);
8244 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
8245 state_to_string(chan->state));
8247 if (chan->scid == L2CAP_CID_A2MP) {
8248 l2cap_chan_unlock(chan);
8252 if (!status && encrypt)
8253 chan->sec_level = hcon->sec_level;
8255 if (!__l2cap_no_conn_pending(chan)) {
8256 l2cap_chan_unlock(chan);
8260 if (!status && (chan->state == BT_CONNECTED ||
8261 chan->state == BT_CONFIG)) {
8262 chan->ops->resume(chan);
8263 l2cap_check_encryption(chan, encrypt);
8264 l2cap_chan_unlock(chan);
8268 if (chan->state == BT_CONNECT) {
8269 if (!status && l2cap_check_enc_key_size(hcon))
8270 l2cap_start_connection(chan);
8272 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8273 } else if (chan->state == BT_CONNECT2 &&
8274 !(chan->mode == L2CAP_MODE_EXT_FLOWCTL ||
8275 chan->mode == L2CAP_MODE_LE_FLOWCTL)) {
8276 struct l2cap_conn_rsp rsp;
8279 if (!status && l2cap_check_enc_key_size(hcon)) {
8280 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
8281 res = L2CAP_CR_PEND;
8282 stat = L2CAP_CS_AUTHOR_PEND;
8283 chan->ops->defer(chan);
8285 l2cap_state_change(chan, BT_CONFIG);
8286 res = L2CAP_CR_SUCCESS;
8287 stat = L2CAP_CS_NO_INFO;
8290 l2cap_state_change(chan, BT_DISCONN);
8291 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
8292 res = L2CAP_CR_SEC_BLOCK;
8293 stat = L2CAP_CS_NO_INFO;
8296 rsp.scid = cpu_to_le16(chan->dcid);
8297 rsp.dcid = cpu_to_le16(chan->scid);
8298 rsp.result = cpu_to_le16(res);
8299 rsp.status = cpu_to_le16(stat);
8300 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
8303 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
8304 res == L2CAP_CR_SUCCESS) {
8306 set_bit(CONF_REQ_SENT, &chan->conf_state);
8307 l2cap_send_cmd(conn, l2cap_get_ident(conn),
8309 l2cap_build_conf_req(chan, buf, sizeof(buf)),
8311 chan->num_conf_req++;
8315 l2cap_chan_unlock(chan);
8318 mutex_unlock(&conn->chan_lock);
8321 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
8323 struct l2cap_conn *conn = hcon->l2cap_data;
8324 struct l2cap_hdr *hdr;
8327 /* For AMP controller do not create l2cap conn */
8328 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
8332 conn = l2cap_conn_add(hcon);
8337 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
8341 case ACL_START_NO_FLUSH:
8344 BT_ERR("Unexpected start frame (len %d)", skb->len);
8345 kfree_skb(conn->rx_skb);
8346 conn->rx_skb = NULL;
8348 l2cap_conn_unreliable(conn, ECOMM);
8351 /* Start fragment always begin with Basic L2CAP header */
8352 if (skb->len < L2CAP_HDR_SIZE) {
8353 BT_ERR("Frame is too short (len %d)", skb->len);
8354 l2cap_conn_unreliable(conn, ECOMM);
8358 hdr = (struct l2cap_hdr *) skb->data;
8359 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
8361 if (len == skb->len) {
8362 /* Complete frame received */
8363 l2cap_recv_frame(conn, skb);
8367 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
8369 if (skb->len > len) {
8370 BT_ERR("Frame is too long (len %d, expected len %d)",
8372 l2cap_conn_unreliable(conn, ECOMM);
8376 /* Allocate skb for the complete frame (with header) */
8377 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
8381 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8383 conn->rx_len = len - skb->len;
8387 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
8389 if (!conn->rx_len) {
8390 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
8391 l2cap_conn_unreliable(conn, ECOMM);
8395 if (skb->len > conn->rx_len) {
8396 BT_ERR("Fragment is too long (len %d, expected %d)",
8397 skb->len, conn->rx_len);
8398 kfree_skb(conn->rx_skb);
8399 conn->rx_skb = NULL;
8401 l2cap_conn_unreliable(conn, ECOMM);
8405 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
8407 conn->rx_len -= skb->len;
8409 if (!conn->rx_len) {
8410 /* Complete frame received. l2cap_recv_frame
8411 * takes ownership of the skb so set the global
8412 * rx_skb pointer to NULL first.
8414 struct sk_buff *rx_skb = conn->rx_skb;
8415 conn->rx_skb = NULL;
8416 l2cap_recv_frame(conn, rx_skb);
8425 static struct hci_cb l2cap_cb = {
8427 .connect_cfm = l2cap_connect_cfm,
8428 .disconn_cfm = l2cap_disconn_cfm,
8429 .security_cfm = l2cap_security_cfm,
8432 static int l2cap_debugfs_show(struct seq_file *f, void *p)
8434 struct l2cap_chan *c;
8436 read_lock(&chan_list_lock);
8438 list_for_each_entry(c, &chan_list, global_l) {
8439 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
8440 &c->src, c->src_type, &c->dst, c->dst_type,
8441 c->state, __le16_to_cpu(c->psm),
8442 c->scid, c->dcid, c->imtu, c->omtu,
8443 c->sec_level, c->mode);
8446 read_unlock(&chan_list_lock);
8451 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
8453 static struct dentry *l2cap_debugfs;
8455 int __init l2cap_init(void)
8459 err = l2cap_init_sockets();
8463 hci_register_cb(&l2cap_cb);
8465 if (IS_ERR_OR_NULL(bt_debugfs))
8468 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
8469 NULL, &l2cap_debugfs_fops);
8474 void l2cap_exit(void)
8476 debugfs_remove(l2cap_debugfs);
8477 hci_unregister_cb(&l2cap_cb);
8478 l2cap_cleanup_sockets();
8481 module_param(disable_ertm, bool, 0644);
8482 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
8484 module_param(enable_ecred, bool, 0644);
8485 MODULE_PARM_DESC(enable_ecred, "Enable enhanced credit flow control mode");
projects / releases.git / blob