2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
35 #include <linux/filter.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
39 #include <net/bluetooth/l2cap.h>
45 #define LE_FLOWCTL_MAX_CREDITS 65535
49 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN | L2CAP_FEAT_UCD;
51 static LIST_HEAD(chan_list);
52 static DEFINE_RWLOCK(chan_list_lock);
54 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
55 u8 code, u8 ident, u16 dlen, void *data);
56 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
58 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
59 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
61 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
62 struct sk_buff_head *skbs, u8 event);
64 static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
66 if (link_type == LE_LINK) {
67 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
68 return BDADDR_LE_PUBLIC;
70 return BDADDR_LE_RANDOM;
76 static inline u8 bdaddr_src_type(struct hci_conn *hcon)
78 return bdaddr_type(hcon->type, hcon->src_type);
81 static inline u8 bdaddr_dst_type(struct hci_conn *hcon)
83 return bdaddr_type(hcon->type, hcon->dst_type);
86 /* ---- L2CAP channels ---- */
88 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
93 list_for_each_entry(c, &conn->chan_l, list) {
100 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
103 struct l2cap_chan *c;
105 list_for_each_entry(c, &conn->chan_l, list) {
112 /* Find channel with given SCID.
113 * Returns locked channel. */
114 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
117 struct l2cap_chan *c;
119 mutex_lock(&conn->chan_lock);
120 c = __l2cap_get_chan_by_scid(conn, cid);
123 mutex_unlock(&conn->chan_lock);
128 /* Find channel with given DCID.
129 * Returns locked channel.
131 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
134 struct l2cap_chan *c;
136 mutex_lock(&conn->chan_lock);
137 c = __l2cap_get_chan_by_dcid(conn, cid);
140 mutex_unlock(&conn->chan_lock);
145 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
148 struct l2cap_chan *c;
150 list_for_each_entry(c, &conn->chan_l, list) {
151 if (c->ident == ident)
157 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
160 struct l2cap_chan *c;
162 mutex_lock(&conn->chan_lock);
163 c = __l2cap_get_chan_by_ident(conn, ident);
166 mutex_unlock(&conn->chan_lock);
171 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src,
174 struct l2cap_chan *c;
176 list_for_each_entry(c, &chan_list, global_l) {
177 if (src_type == BDADDR_BREDR && c->src_type != BDADDR_BREDR)
180 if (src_type != BDADDR_BREDR && c->src_type == BDADDR_BREDR)
183 if (c->sport == psm && !bacmp(&c->src, src))
189 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
193 write_lock(&chan_list_lock);
195 if (psm && __l2cap_global_chan_by_addr(psm, src, chan->src_type)) {
205 u16 p, start, end, incr;
207 if (chan->src_type == BDADDR_BREDR) {
208 start = L2CAP_PSM_DYN_START;
209 end = L2CAP_PSM_AUTO_END;
212 start = L2CAP_PSM_LE_DYN_START;
213 end = L2CAP_PSM_LE_DYN_END;
218 for (p = start; p <= end; p += incr)
219 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src,
221 chan->psm = cpu_to_le16(p);
222 chan->sport = cpu_to_le16(p);
229 write_unlock(&chan_list_lock);
232 EXPORT_SYMBOL_GPL(l2cap_add_psm);
234 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
236 write_lock(&chan_list_lock);
238 /* Override the defaults (which are for conn-oriented) */
239 chan->omtu = L2CAP_DEFAULT_MTU;
240 chan->chan_type = L2CAP_CHAN_FIXED;
244 write_unlock(&chan_list_lock);
249 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
253 if (conn->hcon->type == LE_LINK)
254 dyn_end = L2CAP_CID_LE_DYN_END;
256 dyn_end = L2CAP_CID_DYN_END;
258 for (cid = L2CAP_CID_DYN_START; cid <= dyn_end; cid++) {
259 if (!__l2cap_get_chan_by_scid(conn, cid))
266 static void l2cap_state_change(struct l2cap_chan *chan, int state)
268 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
269 state_to_string(state));
272 chan->ops->state_change(chan, state, 0);
275 static inline void l2cap_state_change_and_error(struct l2cap_chan *chan,
279 chan->ops->state_change(chan, chan->state, err);
282 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
284 chan->ops->state_change(chan, chan->state, err);
287 static void __set_retrans_timer(struct l2cap_chan *chan)
289 if (!delayed_work_pending(&chan->monitor_timer) &&
290 chan->retrans_timeout) {
291 l2cap_set_timer(chan, &chan->retrans_timer,
292 msecs_to_jiffies(chan->retrans_timeout));
296 static void __set_monitor_timer(struct l2cap_chan *chan)
298 __clear_retrans_timer(chan);
299 if (chan->monitor_timeout) {
300 l2cap_set_timer(chan, &chan->monitor_timer,
301 msecs_to_jiffies(chan->monitor_timeout));
305 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
310 skb_queue_walk(head, skb) {
311 if (bt_cb(skb)->l2cap.txseq == seq)
318 /* ---- L2CAP sequence number lists ---- */
320 /* For ERTM, ordered lists of sequence numbers must be tracked for
321 * SREJ requests that are received and for frames that are to be
322 * retransmitted. These seq_list functions implement a singly-linked
323 * list in an array, where membership in the list can also be checked
324 * in constant time. Items can also be added to the tail of the list
325 * and removed from the head in constant time, without further memory
329 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
331 size_t alloc_size, i;
333 /* Allocated size is a power of 2 to map sequence numbers
334 * (which may be up to 14 bits) in to a smaller array that is
335 * sized for the negotiated ERTM transmit windows.
337 alloc_size = roundup_pow_of_two(size);
339 seq_list->list = kmalloc_array(alloc_size, sizeof(u16), GFP_KERNEL);
343 seq_list->mask = alloc_size - 1;
344 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
345 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
346 for (i = 0; i < alloc_size; i++)
347 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
352 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
354 kfree(seq_list->list);
357 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
360 /* Constant-time check for list membership */
361 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
364 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
366 u16 seq = seq_list->head;
367 u16 mask = seq_list->mask;
369 seq_list->head = seq_list->list[seq & mask];
370 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
372 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
373 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
374 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
380 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
384 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
387 for (i = 0; i <= seq_list->mask; i++)
388 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
390 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
391 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
394 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
396 u16 mask = seq_list->mask;
398 /* All appends happen in constant time */
400 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
403 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
404 seq_list->head = seq;
406 seq_list->list[seq_list->tail & mask] = seq;
408 seq_list->tail = seq;
409 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
412 static void l2cap_chan_timeout(struct work_struct *work)
414 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
416 struct l2cap_conn *conn = chan->conn;
419 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
421 mutex_lock(&conn->chan_lock);
422 l2cap_chan_lock(chan);
424 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
425 reason = ECONNREFUSED;
426 else if (chan->state == BT_CONNECT &&
427 chan->sec_level != BT_SECURITY_SDP)
428 reason = ECONNREFUSED;
432 l2cap_chan_close(chan, reason);
434 l2cap_chan_unlock(chan);
436 chan->ops->close(chan);
437 mutex_unlock(&conn->chan_lock);
439 l2cap_chan_put(chan);
442 struct l2cap_chan *l2cap_chan_create(void)
444 struct l2cap_chan *chan;
446 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
450 mutex_init(&chan->lock);
452 /* Set default lock nesting level */
453 atomic_set(&chan->nesting, L2CAP_NESTING_NORMAL);
455 write_lock(&chan_list_lock);
456 list_add(&chan->global_l, &chan_list);
457 write_unlock(&chan_list_lock);
459 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
461 chan->state = BT_OPEN;
463 kref_init(&chan->kref);
465 /* This flag is cleared in l2cap_chan_ready() */
466 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
468 BT_DBG("chan %p", chan);
472 EXPORT_SYMBOL_GPL(l2cap_chan_create);
474 static void l2cap_chan_destroy(struct kref *kref)
476 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
478 BT_DBG("chan %p", chan);
480 write_lock(&chan_list_lock);
481 list_del(&chan->global_l);
482 write_unlock(&chan_list_lock);
487 void l2cap_chan_hold(struct l2cap_chan *c)
489 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
494 void l2cap_chan_put(struct l2cap_chan *c)
496 BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
498 kref_put(&c->kref, l2cap_chan_destroy);
500 EXPORT_SYMBOL_GPL(l2cap_chan_put);
502 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
504 chan->fcs = L2CAP_FCS_CRC16;
505 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
506 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
507 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
508 chan->remote_max_tx = chan->max_tx;
509 chan->remote_tx_win = chan->tx_win;
510 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
511 chan->sec_level = BT_SECURITY_LOW;
512 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
513 chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
514 chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
515 chan->conf_state = 0;
517 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
519 EXPORT_SYMBOL_GPL(l2cap_chan_set_defaults);
521 static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
524 chan->sdu_last_frag = NULL;
526 chan->tx_credits = tx_credits;
527 /* Derive MPS from connection MTU to stop HCI fragmentation */
528 chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
529 /* Give enough credits for a full packet */
530 chan->rx_credits = (chan->imtu / chan->mps) + 1;
532 skb_queue_head_init(&chan->tx_q);
535 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
537 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
538 __le16_to_cpu(chan->psm), chan->dcid);
540 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
544 switch (chan->chan_type) {
545 case L2CAP_CHAN_CONN_ORIENTED:
546 /* Alloc CID for connection-oriented socket */
547 chan->scid = l2cap_alloc_cid(conn);
548 if (conn->hcon->type == ACL_LINK)
549 chan->omtu = L2CAP_DEFAULT_MTU;
552 case L2CAP_CHAN_CONN_LESS:
553 /* Connectionless socket */
554 chan->scid = L2CAP_CID_CONN_LESS;
555 chan->dcid = L2CAP_CID_CONN_LESS;
556 chan->omtu = L2CAP_DEFAULT_MTU;
559 case L2CAP_CHAN_FIXED:
560 /* Caller will set CID and CID specific MTU values */
564 /* Raw socket can send/recv signalling messages only */
565 chan->scid = L2CAP_CID_SIGNALING;
566 chan->dcid = L2CAP_CID_SIGNALING;
567 chan->omtu = L2CAP_DEFAULT_MTU;
570 chan->local_id = L2CAP_BESTEFFORT_ID;
571 chan->local_stype = L2CAP_SERV_BESTEFFORT;
572 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
573 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
574 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
575 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
577 l2cap_chan_hold(chan);
579 /* Only keep a reference for fixed channels if they requested it */
580 if (chan->chan_type != L2CAP_CHAN_FIXED ||
581 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
582 hci_conn_hold(conn->hcon);
584 list_add(&chan->list, &conn->chan_l);
587 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
589 mutex_lock(&conn->chan_lock);
590 __l2cap_chan_add(conn, chan);
591 mutex_unlock(&conn->chan_lock);
594 void l2cap_chan_del(struct l2cap_chan *chan, int err)
596 struct l2cap_conn *conn = chan->conn;
598 __clear_chan_timer(chan);
600 BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
601 state_to_string(chan->state));
603 chan->ops->teardown(chan, err);
606 struct amp_mgr *mgr = conn->hcon->amp_mgr;
607 /* Delete from channel list */
608 list_del(&chan->list);
610 l2cap_chan_put(chan);
614 /* Reference was only held for non-fixed channels or
615 * fixed channels that explicitly requested it using the
616 * FLAG_HOLD_HCI_CONN flag.
618 if (chan->chan_type != L2CAP_CHAN_FIXED ||
619 test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
620 hci_conn_drop(conn->hcon);
622 if (mgr && mgr->bredr_chan == chan)
623 mgr->bredr_chan = NULL;
626 if (chan->hs_hchan) {
627 struct hci_chan *hs_hchan = chan->hs_hchan;
629 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
630 amp_disconnect_logical_link(hs_hchan);
633 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
637 case L2CAP_MODE_BASIC:
640 case L2CAP_MODE_LE_FLOWCTL:
641 skb_queue_purge(&chan->tx_q);
644 case L2CAP_MODE_ERTM:
645 __clear_retrans_timer(chan);
646 __clear_monitor_timer(chan);
647 __clear_ack_timer(chan);
649 skb_queue_purge(&chan->srej_q);
651 l2cap_seq_list_free(&chan->srej_list);
652 l2cap_seq_list_free(&chan->retrans_list);
656 case L2CAP_MODE_STREAMING:
657 skb_queue_purge(&chan->tx_q);
663 EXPORT_SYMBOL_GPL(l2cap_chan_del);
665 static void l2cap_conn_update_id_addr(struct work_struct *work)
667 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
668 id_addr_update_work);
669 struct hci_conn *hcon = conn->hcon;
670 struct l2cap_chan *chan;
672 mutex_lock(&conn->chan_lock);
674 list_for_each_entry(chan, &conn->chan_l, list) {
675 l2cap_chan_lock(chan);
676 bacpy(&chan->dst, &hcon->dst);
677 chan->dst_type = bdaddr_dst_type(hcon);
678 l2cap_chan_unlock(chan);
681 mutex_unlock(&conn->chan_lock);
684 static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
686 struct l2cap_conn *conn = chan->conn;
687 struct l2cap_le_conn_rsp rsp;
690 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
691 result = L2CAP_CR_LE_AUTHORIZATION;
693 result = L2CAP_CR_LE_BAD_PSM;
695 l2cap_state_change(chan, BT_DISCONN);
697 rsp.dcid = cpu_to_le16(chan->scid);
698 rsp.mtu = cpu_to_le16(chan->imtu);
699 rsp.mps = cpu_to_le16(chan->mps);
700 rsp.credits = cpu_to_le16(chan->rx_credits);
701 rsp.result = cpu_to_le16(result);
703 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
707 static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
709 struct l2cap_conn *conn = chan->conn;
710 struct l2cap_conn_rsp rsp;
713 if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
714 result = L2CAP_CR_SEC_BLOCK;
716 result = L2CAP_CR_BAD_PSM;
718 l2cap_state_change(chan, BT_DISCONN);
720 rsp.scid = cpu_to_le16(chan->dcid);
721 rsp.dcid = cpu_to_le16(chan->scid);
722 rsp.result = cpu_to_le16(result);
723 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
725 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
728 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
730 struct l2cap_conn *conn = chan->conn;
732 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
734 switch (chan->state) {
736 chan->ops->teardown(chan, 0);
741 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
742 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
743 l2cap_send_disconn_req(chan, reason);
745 l2cap_chan_del(chan, reason);
749 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED) {
750 if (conn->hcon->type == ACL_LINK)
751 l2cap_chan_connect_reject(chan);
752 else if (conn->hcon->type == LE_LINK)
753 l2cap_chan_le_connect_reject(chan);
756 l2cap_chan_del(chan, reason);
761 l2cap_chan_del(chan, reason);
765 chan->ops->teardown(chan, 0);
769 EXPORT_SYMBOL(l2cap_chan_close);
771 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
773 switch (chan->chan_type) {
775 switch (chan->sec_level) {
776 case BT_SECURITY_HIGH:
777 case BT_SECURITY_FIPS:
778 return HCI_AT_DEDICATED_BONDING_MITM;
779 case BT_SECURITY_MEDIUM:
780 return HCI_AT_DEDICATED_BONDING;
782 return HCI_AT_NO_BONDING;
785 case L2CAP_CHAN_CONN_LESS:
786 if (chan->psm == cpu_to_le16(L2CAP_PSM_3DSP)) {
787 if (chan->sec_level == BT_SECURITY_LOW)
788 chan->sec_level = BT_SECURITY_SDP;
790 if (chan->sec_level == BT_SECURITY_HIGH ||
791 chan->sec_level == BT_SECURITY_FIPS)
792 return HCI_AT_NO_BONDING_MITM;
794 return HCI_AT_NO_BONDING;
796 case L2CAP_CHAN_CONN_ORIENTED:
797 if (chan->psm == cpu_to_le16(L2CAP_PSM_SDP)) {
798 if (chan->sec_level == BT_SECURITY_LOW)
799 chan->sec_level = BT_SECURITY_SDP;
801 if (chan->sec_level == BT_SECURITY_HIGH ||
802 chan->sec_level == BT_SECURITY_FIPS)
803 return HCI_AT_NO_BONDING_MITM;
805 return HCI_AT_NO_BONDING;
809 switch (chan->sec_level) {
810 case BT_SECURITY_HIGH:
811 case BT_SECURITY_FIPS:
812 return HCI_AT_GENERAL_BONDING_MITM;
813 case BT_SECURITY_MEDIUM:
814 return HCI_AT_GENERAL_BONDING;
816 return HCI_AT_NO_BONDING;
822 /* Service level security */
823 int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
825 struct l2cap_conn *conn = chan->conn;
828 if (conn->hcon->type == LE_LINK)
829 return smp_conn_security(conn->hcon, chan->sec_level);
831 auth_type = l2cap_get_auth_type(chan);
833 return hci_conn_security(conn->hcon, chan->sec_level, auth_type,
837 static u8 l2cap_get_ident(struct l2cap_conn *conn)
841 /* Get next available identificator.
842 * 1 - 128 are used by kernel.
843 * 129 - 199 are reserved.
844 * 200 - 254 are used by utilities like l2ping, etc.
847 mutex_lock(&conn->ident_lock);
849 if (++conn->tx_ident > 128)
854 mutex_unlock(&conn->ident_lock);
859 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
862 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
865 BT_DBG("code 0x%2.2x", code);
870 /* Use NO_FLUSH if supported or we have an LE link (which does
871 * not support auto-flushing packets) */
872 if (lmp_no_flush_capable(conn->hcon->hdev) ||
873 conn->hcon->type == LE_LINK)
874 flags = ACL_START_NO_FLUSH;
878 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
879 skb->priority = HCI_PRIO_MAX;
881 hci_send_acl(conn->hchan, skb, flags);
884 static bool __chan_is_moving(struct l2cap_chan *chan)
886 return chan->move_state != L2CAP_MOVE_STABLE &&
887 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
890 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
892 struct hci_conn *hcon = chan->conn->hcon;
895 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
898 if (chan->hs_hcon && !__chan_is_moving(chan)) {
900 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
907 /* Use NO_FLUSH for LE links (where this is the only option) or
908 * if the BR/EDR link supports it and flushing has not been
909 * explicitly requested (through FLAG_FLUSHABLE).
911 if (hcon->type == LE_LINK ||
912 (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
913 lmp_no_flush_capable(hcon->hdev)))
914 flags = ACL_START_NO_FLUSH;
918 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
919 hci_send_acl(chan->conn->hchan, skb, flags);
922 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
924 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
925 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
927 if (enh & L2CAP_CTRL_FRAME_TYPE) {
930 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
931 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
938 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
939 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
946 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
948 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
949 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
951 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
954 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
955 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
962 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
963 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
970 static inline void __unpack_control(struct l2cap_chan *chan,
973 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
974 __unpack_extended_control(get_unaligned_le32(skb->data),
976 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
978 __unpack_enhanced_control(get_unaligned_le16(skb->data),
980 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
984 static u32 __pack_extended_control(struct l2cap_ctrl *control)
988 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
989 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
991 if (control->sframe) {
992 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
993 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
994 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
996 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
997 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
1003 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
1007 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
1008 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
1010 if (control->sframe) {
1011 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
1012 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
1013 packed |= L2CAP_CTRL_FRAME_TYPE;
1015 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
1016 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
1022 static inline void __pack_control(struct l2cap_chan *chan,
1023 struct l2cap_ctrl *control,
1024 struct sk_buff *skb)
1026 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
1027 put_unaligned_le32(__pack_extended_control(control),
1028 skb->data + L2CAP_HDR_SIZE);
1030 put_unaligned_le16(__pack_enhanced_control(control),
1031 skb->data + L2CAP_HDR_SIZE);
1035 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
1037 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1038 return L2CAP_EXT_HDR_SIZE;
1040 return L2CAP_ENH_HDR_SIZE;
1043 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
1046 struct sk_buff *skb;
1047 struct l2cap_hdr *lh;
1048 int hlen = __ertm_hdr_size(chan);
1050 if (chan->fcs == L2CAP_FCS_CRC16)
1051 hlen += L2CAP_FCS_SIZE;
1053 skb = bt_skb_alloc(hlen, GFP_KERNEL);
1056 return ERR_PTR(-ENOMEM);
1058 lh = skb_put(skb, L2CAP_HDR_SIZE);
1059 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1060 lh->cid = cpu_to_le16(chan->dcid);
1062 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1063 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
1065 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
1067 if (chan->fcs == L2CAP_FCS_CRC16) {
1068 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
1069 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1072 skb->priority = HCI_PRIO_MAX;
1076 static void l2cap_send_sframe(struct l2cap_chan *chan,
1077 struct l2cap_ctrl *control)
1079 struct sk_buff *skb;
1082 BT_DBG("chan %p, control %p", chan, control);
1084 if (!control->sframe)
1087 if (__chan_is_moving(chan))
1090 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
1094 if (control->super == L2CAP_SUPER_RR)
1095 clear_bit(CONN_RNR_SENT, &chan->conn_state);
1096 else if (control->super == L2CAP_SUPER_RNR)
1097 set_bit(CONN_RNR_SENT, &chan->conn_state);
1099 if (control->super != L2CAP_SUPER_SREJ) {
1100 chan->last_acked_seq = control->reqseq;
1101 __clear_ack_timer(chan);
1104 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
1105 control->final, control->poll, control->super);
1107 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
1108 control_field = __pack_extended_control(control);
1110 control_field = __pack_enhanced_control(control);
1112 skb = l2cap_create_sframe_pdu(chan, control_field);
1114 l2cap_do_send(chan, skb);
1117 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
1119 struct l2cap_ctrl control;
1121 BT_DBG("chan %p, poll %d", chan, poll);
1123 memset(&control, 0, sizeof(control));
1125 control.poll = poll;
1127 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1128 control.super = L2CAP_SUPER_RNR;
1130 control.super = L2CAP_SUPER_RR;
1132 control.reqseq = chan->buffer_seq;
1133 l2cap_send_sframe(chan, &control);
1136 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1138 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
1141 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1144 static bool __amp_capable(struct l2cap_chan *chan)
1146 struct l2cap_conn *conn = chan->conn;
1147 struct hci_dev *hdev;
1148 bool amp_available = false;
1150 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
1153 if (!(conn->remote_fixed_chan & L2CAP_FC_A2MP))
1156 read_lock(&hci_dev_list_lock);
1157 list_for_each_entry(hdev, &hci_dev_list, list) {
1158 if (hdev->amp_type != AMP_TYPE_BREDR &&
1159 test_bit(HCI_UP, &hdev->flags)) {
1160 amp_available = true;
1164 read_unlock(&hci_dev_list_lock);
1166 if (chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED)
1167 return amp_available;
1172 static bool l2cap_check_efs(struct l2cap_chan *chan)
1174 /* Check EFS parameters */
1178 void l2cap_send_conn_req(struct l2cap_chan *chan)
1180 struct l2cap_conn *conn = chan->conn;
1181 struct l2cap_conn_req req;
1183 req.scid = cpu_to_le16(chan->scid);
1184 req.psm = chan->psm;
1186 chan->ident = l2cap_get_ident(conn);
1188 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1190 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1193 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1195 struct l2cap_create_chan_req req;
1196 req.scid = cpu_to_le16(chan->scid);
1197 req.psm = chan->psm;
1198 req.amp_id = amp_id;
1200 chan->ident = l2cap_get_ident(chan->conn);
1202 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1206 static void l2cap_move_setup(struct l2cap_chan *chan)
1208 struct sk_buff *skb;
1210 BT_DBG("chan %p", chan);
1212 if (chan->mode != L2CAP_MODE_ERTM)
1215 __clear_retrans_timer(chan);
1216 __clear_monitor_timer(chan);
1217 __clear_ack_timer(chan);
1219 chan->retry_count = 0;
1220 skb_queue_walk(&chan->tx_q, skb) {
1221 if (bt_cb(skb)->l2cap.retries)
1222 bt_cb(skb)->l2cap.retries = 1;
1227 chan->expected_tx_seq = chan->buffer_seq;
1229 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1230 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1231 l2cap_seq_list_clear(&chan->retrans_list);
1232 l2cap_seq_list_clear(&chan->srej_list);
1233 skb_queue_purge(&chan->srej_q);
1235 chan->tx_state = L2CAP_TX_STATE_XMIT;
1236 chan->rx_state = L2CAP_RX_STATE_MOVE;
1238 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1241 static void l2cap_move_done(struct l2cap_chan *chan)
1243 u8 move_role = chan->move_role;
1244 BT_DBG("chan %p", chan);
1246 chan->move_state = L2CAP_MOVE_STABLE;
1247 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1249 if (chan->mode != L2CAP_MODE_ERTM)
1252 switch (move_role) {
1253 case L2CAP_MOVE_ROLE_INITIATOR:
1254 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1255 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1257 case L2CAP_MOVE_ROLE_RESPONDER:
1258 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1263 static void l2cap_chan_ready(struct l2cap_chan *chan)
1265 /* The channel may have already been flagged as connected in
1266 * case of receiving data before the L2CAP info req/rsp
1267 * procedure is complete.
1269 if (chan->state == BT_CONNECTED)
1272 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1273 chan->conf_state = 0;
1274 __clear_chan_timer(chan);
1276 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && !chan->tx_credits)
1277 chan->ops->suspend(chan);
1279 chan->state = BT_CONNECTED;
1281 chan->ops->ready(chan);
1284 static void l2cap_le_connect(struct l2cap_chan *chan)
1286 struct l2cap_conn *conn = chan->conn;
1287 struct l2cap_le_conn_req req;
1289 if (test_and_set_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags))
1292 l2cap_le_flowctl_init(chan, 0);
1294 req.psm = chan->psm;
1295 req.scid = cpu_to_le16(chan->scid);
1296 req.mtu = cpu_to_le16(chan->imtu);
1297 req.mps = cpu_to_le16(chan->mps);
1298 req.credits = cpu_to_le16(chan->rx_credits);
1300 chan->ident = l2cap_get_ident(conn);
1302 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_REQ,
1306 static void l2cap_le_start(struct l2cap_chan *chan)
1308 struct l2cap_conn *conn = chan->conn;
1310 if (!smp_conn_security(conn->hcon, chan->sec_level))
1314 l2cap_chan_ready(chan);
1318 if (chan->state == BT_CONNECT)
1319 l2cap_le_connect(chan);
1322 static void l2cap_start_connection(struct l2cap_chan *chan)
1324 if (__amp_capable(chan)) {
1325 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1326 a2mp_discover_amp(chan);
1327 } else if (chan->conn->hcon->type == LE_LINK) {
1328 l2cap_le_start(chan);
1330 l2cap_send_conn_req(chan);
1334 static void l2cap_request_info(struct l2cap_conn *conn)
1336 struct l2cap_info_req req;
1338 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1341 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
1343 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1344 conn->info_ident = l2cap_get_ident(conn);
1346 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1348 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1352 static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
1354 /* The minimum encryption key size needs to be enforced by the
1355 * host stack before establishing any L2CAP connections. The
1356 * specification in theory allows a minimum of 1, but to align
1357 * BR/EDR and LE transports, a minimum of 7 is chosen.
1359 * This check might also be called for unencrypted connections
1360 * that have no key size requirements. Ensure that the link is
1361 * actually encrypted before enforcing a key size.
1363 return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
1364 hcon->enc_key_size >= hcon->hdev->min_enc_key_size);
1367 static void l2cap_do_start(struct l2cap_chan *chan)
1369 struct l2cap_conn *conn = chan->conn;
1371 if (conn->hcon->type == LE_LINK) {
1372 l2cap_le_start(chan);
1376 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)) {
1377 l2cap_request_info(conn);
1381 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1384 if (!l2cap_chan_check_security(chan, true) ||
1385 !__l2cap_no_conn_pending(chan))
1388 if (l2cap_check_enc_key_size(conn->hcon))
1389 l2cap_start_connection(chan);
1391 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
1394 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1396 u32 local_feat_mask = l2cap_feat_mask;
1398 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1401 case L2CAP_MODE_ERTM:
1402 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1403 case L2CAP_MODE_STREAMING:
1404 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1410 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1412 struct l2cap_conn *conn = chan->conn;
1413 struct l2cap_disconn_req req;
1418 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1419 __clear_retrans_timer(chan);
1420 __clear_monitor_timer(chan);
1421 __clear_ack_timer(chan);
1424 if (chan->scid == L2CAP_CID_A2MP) {
1425 l2cap_state_change(chan, BT_DISCONN);
1429 req.dcid = cpu_to_le16(chan->dcid);
1430 req.scid = cpu_to_le16(chan->scid);
1431 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1434 l2cap_state_change_and_error(chan, BT_DISCONN, err);
1437 /* ---- L2CAP connections ---- */
1438 static void l2cap_conn_start(struct l2cap_conn *conn)
1440 struct l2cap_chan *chan, *tmp;
1442 BT_DBG("conn %p", conn);
1444 mutex_lock(&conn->chan_lock);
1446 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1447 l2cap_chan_lock(chan);
1449 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1450 l2cap_chan_ready(chan);
1451 l2cap_chan_unlock(chan);
1455 if (chan->state == BT_CONNECT) {
1456 if (!l2cap_chan_check_security(chan, true) ||
1457 !__l2cap_no_conn_pending(chan)) {
1458 l2cap_chan_unlock(chan);
1462 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1463 && test_bit(CONF_STATE2_DEVICE,
1464 &chan->conf_state)) {
1465 l2cap_chan_close(chan, ECONNRESET);
1466 l2cap_chan_unlock(chan);
1470 if (l2cap_check_enc_key_size(conn->hcon))
1471 l2cap_start_connection(chan);
1473 l2cap_chan_close(chan, ECONNREFUSED);
1475 } else if (chan->state == BT_CONNECT2) {
1476 struct l2cap_conn_rsp rsp;
1478 rsp.scid = cpu_to_le16(chan->dcid);
1479 rsp.dcid = cpu_to_le16(chan->scid);
1481 if (l2cap_chan_check_security(chan, false)) {
1482 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
1483 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1484 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1485 chan->ops->defer(chan);
1488 l2cap_state_change(chan, BT_CONFIG);
1489 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1490 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1493 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
1494 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1497 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1500 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1501 rsp.result != L2CAP_CR_SUCCESS) {
1502 l2cap_chan_unlock(chan);
1506 set_bit(CONF_REQ_SENT, &chan->conf_state);
1507 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1508 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
1509 chan->num_conf_req++;
1512 l2cap_chan_unlock(chan);
1515 mutex_unlock(&conn->chan_lock);
1518 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1520 struct hci_conn *hcon = conn->hcon;
1521 struct hci_dev *hdev = hcon->hdev;
1523 BT_DBG("%s conn %p", hdev->name, conn);
1525 /* For outgoing pairing which doesn't necessarily have an
1526 * associated socket (e.g. mgmt_pair_device).
1529 smp_conn_security(hcon, hcon->pending_sec_level);
1531 /* For LE slave connections, make sure the connection interval
1532 * is in the range of the minium and maximum interval that has
1533 * been configured for this connection. If not, then trigger
1534 * the connection update procedure.
1536 if (hcon->role == HCI_ROLE_SLAVE &&
1537 (hcon->le_conn_interval < hcon->le_conn_min_interval ||
1538 hcon->le_conn_interval > hcon->le_conn_max_interval)) {
1539 struct l2cap_conn_param_update_req req;
1541 req.min = cpu_to_le16(hcon->le_conn_min_interval);
1542 req.max = cpu_to_le16(hcon->le_conn_max_interval);
1543 req.latency = cpu_to_le16(hcon->le_conn_latency);
1544 req.to_multiplier = cpu_to_le16(hcon->le_supv_timeout);
1546 l2cap_send_cmd(conn, l2cap_get_ident(conn),
1547 L2CAP_CONN_PARAM_UPDATE_REQ, sizeof(req), &req);
1551 static void l2cap_conn_ready(struct l2cap_conn *conn)
1553 struct l2cap_chan *chan;
1554 struct hci_conn *hcon = conn->hcon;
1556 BT_DBG("conn %p", conn);
1558 if (hcon->type == ACL_LINK)
1559 l2cap_request_info(conn);
1561 mutex_lock(&conn->chan_lock);
1563 list_for_each_entry(chan, &conn->chan_l, list) {
1565 l2cap_chan_lock(chan);
1567 if (chan->scid == L2CAP_CID_A2MP) {
1568 l2cap_chan_unlock(chan);
1572 if (hcon->type == LE_LINK) {
1573 l2cap_le_start(chan);
1574 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1575 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
1576 l2cap_chan_ready(chan);
1577 } else if (chan->state == BT_CONNECT) {
1578 l2cap_do_start(chan);
1581 l2cap_chan_unlock(chan);
1584 mutex_unlock(&conn->chan_lock);
1586 if (hcon->type == LE_LINK)
1587 l2cap_le_conn_ready(conn);
1589 queue_work(hcon->hdev->workqueue, &conn->pending_rx_work);
1592 /* Notify sockets that we cannot guaranty reliability anymore */
1593 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1595 struct l2cap_chan *chan;
1597 BT_DBG("conn %p", conn);
1599 mutex_lock(&conn->chan_lock);
1601 list_for_each_entry(chan, &conn->chan_l, list) {
1602 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1603 l2cap_chan_set_err(chan, err);
1606 mutex_unlock(&conn->chan_lock);
1609 static void l2cap_info_timeout(struct work_struct *work)
1611 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1614 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1615 conn->info_ident = 0;
1617 l2cap_conn_start(conn);
1622 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1623 * callback is called during registration. The ->remove callback is called
1624 * during unregistration.
1625 * An l2cap_user object can either be explicitly unregistered or when the
1626 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1627 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1628 * External modules must own a reference to the l2cap_conn object if they intend
1629 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1630 * any time if they don't.
1633 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1635 struct hci_dev *hdev = conn->hcon->hdev;
1638 /* We need to check whether l2cap_conn is registered. If it is not, we
1639 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1640 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1641 * relies on the parent hci_conn object to be locked. This itself relies
1642 * on the hci_dev object to be locked. So we must lock the hci device
1647 if (!list_empty(&user->list)) {
1652 /* conn->hchan is NULL after l2cap_conn_del() was called */
1658 ret = user->probe(conn, user);
1662 list_add(&user->list, &conn->users);
1666 hci_dev_unlock(hdev);
1669 EXPORT_SYMBOL(l2cap_register_user);
1671 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1673 struct hci_dev *hdev = conn->hcon->hdev;
1677 if (list_empty(&user->list))
1680 list_del_init(&user->list);
1681 user->remove(conn, user);
1684 hci_dev_unlock(hdev);
1686 EXPORT_SYMBOL(l2cap_unregister_user);
1688 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1690 struct l2cap_user *user;
1692 while (!list_empty(&conn->users)) {
1693 user = list_first_entry(&conn->users, struct l2cap_user, list);
1694 list_del_init(&user->list);
1695 user->remove(conn, user);
1699 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1701 struct l2cap_conn *conn = hcon->l2cap_data;
1702 struct l2cap_chan *chan, *l;
1707 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1709 kfree_skb(conn->rx_skb);
1711 skb_queue_purge(&conn->pending_rx);
1713 /* We can not call flush_work(&conn->pending_rx_work) here since we
1714 * might block if we are running on a worker from the same workqueue
1715 * pending_rx_work is waiting on.
1717 if (work_pending(&conn->pending_rx_work))
1718 cancel_work_sync(&conn->pending_rx_work);
1720 if (work_pending(&conn->id_addr_update_work))
1721 cancel_work_sync(&conn->id_addr_update_work);
1723 l2cap_unregister_all_users(conn);
1725 /* Force the connection to be immediately dropped */
1726 hcon->disc_timeout = 0;
1728 mutex_lock(&conn->chan_lock);
1731 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1732 l2cap_chan_hold(chan);
1733 l2cap_chan_lock(chan);
1735 l2cap_chan_del(chan, err);
1737 l2cap_chan_unlock(chan);
1739 chan->ops->close(chan);
1740 l2cap_chan_put(chan);
1743 mutex_unlock(&conn->chan_lock);
1745 hci_chan_del(conn->hchan);
1747 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1748 cancel_delayed_work_sync(&conn->info_timer);
1750 hcon->l2cap_data = NULL;
1752 l2cap_conn_put(conn);
1755 static void l2cap_conn_free(struct kref *ref)
1757 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1759 hci_conn_put(conn->hcon);
1763 struct l2cap_conn *l2cap_conn_get(struct l2cap_conn *conn)
1765 kref_get(&conn->ref);
1768 EXPORT_SYMBOL(l2cap_conn_get);
1770 void l2cap_conn_put(struct l2cap_conn *conn)
1772 kref_put(&conn->ref, l2cap_conn_free);
1774 EXPORT_SYMBOL(l2cap_conn_put);
1776 /* ---- Socket interface ---- */
1778 /* Find socket with psm and source / destination bdaddr.
1779 * Returns closest match.
1781 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1786 struct l2cap_chan *c, *c1 = NULL;
1788 read_lock(&chan_list_lock);
1790 list_for_each_entry(c, &chan_list, global_l) {
1791 if (state && c->state != state)
1794 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
1797 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
1800 if (c->psm == psm) {
1801 int src_match, dst_match;
1802 int src_any, dst_any;
1805 src_match = !bacmp(&c->src, src);
1806 dst_match = !bacmp(&c->dst, dst);
1807 if (src_match && dst_match) {
1809 read_unlock(&chan_list_lock);
1814 src_any = !bacmp(&c->src, BDADDR_ANY);
1815 dst_any = !bacmp(&c->dst, BDADDR_ANY);
1816 if ((src_match && dst_any) || (src_any && dst_match) ||
1817 (src_any && dst_any))
1823 l2cap_chan_hold(c1);
1825 read_unlock(&chan_list_lock);
1830 static void l2cap_monitor_timeout(struct work_struct *work)
1832 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1833 monitor_timer.work);
1835 BT_DBG("chan %p", chan);
1837 l2cap_chan_lock(chan);
1840 l2cap_chan_unlock(chan);
1841 l2cap_chan_put(chan);
1845 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1847 l2cap_chan_unlock(chan);
1848 l2cap_chan_put(chan);
1851 static void l2cap_retrans_timeout(struct work_struct *work)
1853 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1854 retrans_timer.work);
1856 BT_DBG("chan %p", chan);
1858 l2cap_chan_lock(chan);
1861 l2cap_chan_unlock(chan);
1862 l2cap_chan_put(chan);
1866 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1867 l2cap_chan_unlock(chan);
1868 l2cap_chan_put(chan);
1871 static void l2cap_streaming_send(struct l2cap_chan *chan,
1872 struct sk_buff_head *skbs)
1874 struct sk_buff *skb;
1875 struct l2cap_ctrl *control;
1877 BT_DBG("chan %p, skbs %p", chan, skbs);
1879 if (__chan_is_moving(chan))
1882 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1884 while (!skb_queue_empty(&chan->tx_q)) {
1886 skb = skb_dequeue(&chan->tx_q);
1888 bt_cb(skb)->l2cap.retries = 1;
1889 control = &bt_cb(skb)->l2cap;
1891 control->reqseq = 0;
1892 control->txseq = chan->next_tx_seq;
1894 __pack_control(chan, control, skb);
1896 if (chan->fcs == L2CAP_FCS_CRC16) {
1897 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1898 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1901 l2cap_do_send(chan, skb);
1903 BT_DBG("Sent txseq %u", control->txseq);
1905 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1906 chan->frames_sent++;
1910 static int l2cap_ertm_send(struct l2cap_chan *chan)
1912 struct sk_buff *skb, *tx_skb;
1913 struct l2cap_ctrl *control;
1916 BT_DBG("chan %p", chan);
1918 if (chan->state != BT_CONNECTED)
1921 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1924 if (__chan_is_moving(chan))
1927 while (chan->tx_send_head &&
1928 chan->unacked_frames < chan->remote_tx_win &&
1929 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1931 skb = chan->tx_send_head;
1933 bt_cb(skb)->l2cap.retries = 1;
1934 control = &bt_cb(skb)->l2cap;
1936 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1939 control->reqseq = chan->buffer_seq;
1940 chan->last_acked_seq = chan->buffer_seq;
1941 control->txseq = chan->next_tx_seq;
1943 __pack_control(chan, control, skb);
1945 if (chan->fcs == L2CAP_FCS_CRC16) {
1946 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1947 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1950 /* Clone after data has been modified. Data is assumed to be
1951 read-only (for locking purposes) on cloned sk_buffs.
1953 tx_skb = skb_clone(skb, GFP_KERNEL);
1958 __set_retrans_timer(chan);
1960 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1961 chan->unacked_frames++;
1962 chan->frames_sent++;
1965 if (skb_queue_is_last(&chan->tx_q, skb))
1966 chan->tx_send_head = NULL;
1968 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
1970 l2cap_do_send(chan, tx_skb);
1971 BT_DBG("Sent txseq %u", control->txseq);
1974 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
1975 chan->unacked_frames, skb_queue_len(&chan->tx_q));
1980 static void l2cap_ertm_resend(struct l2cap_chan *chan)
1982 struct l2cap_ctrl control;
1983 struct sk_buff *skb;
1984 struct sk_buff *tx_skb;
1987 BT_DBG("chan %p", chan);
1989 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1992 if (__chan_is_moving(chan))
1995 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
1996 seq = l2cap_seq_list_pop(&chan->retrans_list);
1998 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2000 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2005 bt_cb(skb)->l2cap.retries++;
2006 control = bt_cb(skb)->l2cap;
2008 if (chan->max_tx != 0 &&
2009 bt_cb(skb)->l2cap.retries > chan->max_tx) {
2010 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2011 l2cap_send_disconn_req(chan, ECONNRESET);
2012 l2cap_seq_list_clear(&chan->retrans_list);
2016 control.reqseq = chan->buffer_seq;
2017 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2022 if (skb_cloned(skb)) {
2023 /* Cloned sk_buffs are read-only, so we need a
2026 tx_skb = skb_copy(skb, GFP_KERNEL);
2028 tx_skb = skb_clone(skb, GFP_KERNEL);
2032 l2cap_seq_list_clear(&chan->retrans_list);
2036 /* Update skb contents */
2037 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2038 put_unaligned_le32(__pack_extended_control(&control),
2039 tx_skb->data + L2CAP_HDR_SIZE);
2041 put_unaligned_le16(__pack_enhanced_control(&control),
2042 tx_skb->data + L2CAP_HDR_SIZE);
2046 if (chan->fcs == L2CAP_FCS_CRC16) {
2047 u16 fcs = crc16(0, (u8 *) tx_skb->data,
2048 tx_skb->len - L2CAP_FCS_SIZE);
2049 put_unaligned_le16(fcs, skb_tail_pointer(tx_skb) -
2053 l2cap_do_send(chan, tx_skb);
2055 BT_DBG("Resent txseq %d", control.txseq);
2057 chan->last_acked_seq = chan->buffer_seq;
2061 static void l2cap_retransmit(struct l2cap_chan *chan,
2062 struct l2cap_ctrl *control)
2064 BT_DBG("chan %p, control %p", chan, control);
2066 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2067 l2cap_ertm_resend(chan);
2070 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2071 struct l2cap_ctrl *control)
2073 struct sk_buff *skb;
2075 BT_DBG("chan %p, control %p", chan, control);
2078 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2080 l2cap_seq_list_clear(&chan->retrans_list);
2082 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2085 if (chan->unacked_frames) {
2086 skb_queue_walk(&chan->tx_q, skb) {
2087 if (bt_cb(skb)->l2cap.txseq == control->reqseq ||
2088 skb == chan->tx_send_head)
2092 skb_queue_walk_from(&chan->tx_q, skb) {
2093 if (skb == chan->tx_send_head)
2096 l2cap_seq_list_append(&chan->retrans_list,
2097 bt_cb(skb)->l2cap.txseq);
2100 l2cap_ertm_resend(chan);
2104 static void l2cap_send_ack(struct l2cap_chan *chan)
2106 struct l2cap_ctrl control;
2107 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2108 chan->last_acked_seq);
2111 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2112 chan, chan->last_acked_seq, chan->buffer_seq);
2114 memset(&control, 0, sizeof(control));
2117 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2118 chan->rx_state == L2CAP_RX_STATE_RECV) {
2119 __clear_ack_timer(chan);
2120 control.super = L2CAP_SUPER_RNR;
2121 control.reqseq = chan->buffer_seq;
2122 l2cap_send_sframe(chan, &control);
2124 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2125 l2cap_ertm_send(chan);
2126 /* If any i-frames were sent, they included an ack */
2127 if (chan->buffer_seq == chan->last_acked_seq)
2131 /* Ack now if the window is 3/4ths full.
2132 * Calculate without mul or div
2134 threshold = chan->ack_win;
2135 threshold += threshold << 1;
2138 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2141 if (frames_to_ack >= threshold) {
2142 __clear_ack_timer(chan);
2143 control.super = L2CAP_SUPER_RR;
2144 control.reqseq = chan->buffer_seq;
2145 l2cap_send_sframe(chan, &control);
2150 __set_ack_timer(chan);
2154 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2155 struct msghdr *msg, int len,
2156 int count, struct sk_buff *skb)
2158 struct l2cap_conn *conn = chan->conn;
2159 struct sk_buff **frag;
2162 if (!copy_from_iter_full(skb_put(skb, count), count, &msg->msg_iter))
2168 /* Continuation fragments (no L2CAP header) */
2169 frag = &skb_shinfo(skb)->frag_list;
2171 struct sk_buff *tmp;
2173 count = min_t(unsigned int, conn->mtu, len);
2175 tmp = chan->ops->alloc_skb(chan, 0, count,
2176 msg->msg_flags & MSG_DONTWAIT);
2178 return PTR_ERR(tmp);
2182 if (!copy_from_iter_full(skb_put(*frag, count), count,
2189 skb->len += (*frag)->len;
2190 skb->data_len += (*frag)->len;
2192 frag = &(*frag)->next;
2198 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2199 struct msghdr *msg, size_t len)
2201 struct l2cap_conn *conn = chan->conn;
2202 struct sk_buff *skb;
2203 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2204 struct l2cap_hdr *lh;
2206 BT_DBG("chan %p psm 0x%2.2x len %zu", chan,
2207 __le16_to_cpu(chan->psm), len);
2209 count = min_t(unsigned int, (conn->mtu - hlen), len);
2211 skb = chan->ops->alloc_skb(chan, hlen, count,
2212 msg->msg_flags & MSG_DONTWAIT);
2216 /* Create L2CAP header */
2217 lh = skb_put(skb, L2CAP_HDR_SIZE);
2218 lh->cid = cpu_to_le16(chan->dcid);
2219 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2220 put_unaligned(chan->psm, (__le16 *) skb_put(skb, L2CAP_PSMLEN_SIZE));
2222 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2223 if (unlikely(err < 0)) {
2225 return ERR_PTR(err);
2230 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2231 struct msghdr *msg, size_t len)
2233 struct l2cap_conn *conn = chan->conn;
2234 struct sk_buff *skb;
2236 struct l2cap_hdr *lh;
2238 BT_DBG("chan %p len %zu", chan, len);
2240 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2242 skb = chan->ops->alloc_skb(chan, L2CAP_HDR_SIZE, count,
2243 msg->msg_flags & MSG_DONTWAIT);
2247 /* Create L2CAP header */
2248 lh = skb_put(skb, L2CAP_HDR_SIZE);
2249 lh->cid = cpu_to_le16(chan->dcid);
2250 lh->len = cpu_to_le16(len);
2252 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2253 if (unlikely(err < 0)) {
2255 return ERR_PTR(err);
2260 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2261 struct msghdr *msg, size_t len,
2264 struct l2cap_conn *conn = chan->conn;
2265 struct sk_buff *skb;
2266 int err, count, hlen;
2267 struct l2cap_hdr *lh;
2269 BT_DBG("chan %p len %zu", chan, len);
2272 return ERR_PTR(-ENOTCONN);
2274 hlen = __ertm_hdr_size(chan);
2277 hlen += L2CAP_SDULEN_SIZE;
2279 if (chan->fcs == L2CAP_FCS_CRC16)
2280 hlen += L2CAP_FCS_SIZE;
2282 count = min_t(unsigned int, (conn->mtu - hlen), len);
2284 skb = chan->ops->alloc_skb(chan, hlen, count,
2285 msg->msg_flags & MSG_DONTWAIT);
2289 /* Create L2CAP header */
2290 lh = skb_put(skb, L2CAP_HDR_SIZE);
2291 lh->cid = cpu_to_le16(chan->dcid);
2292 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2294 /* Control header is populated later */
2295 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2296 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2298 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2301 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2303 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2304 if (unlikely(err < 0)) {
2306 return ERR_PTR(err);
2309 bt_cb(skb)->l2cap.fcs = chan->fcs;
2310 bt_cb(skb)->l2cap.retries = 0;
2314 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2315 struct sk_buff_head *seg_queue,
2316 struct msghdr *msg, size_t len)
2318 struct sk_buff *skb;
2323 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2325 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2326 * so fragmented skbs are not used. The HCI layer's handling
2327 * of fragmented skbs is not compatible with ERTM's queueing.
2330 /* PDU size is derived from the HCI MTU */
2331 pdu_len = chan->conn->mtu;
2333 /* Constrain PDU size for BR/EDR connections */
2335 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2337 /* Adjust for largest possible L2CAP overhead. */
2339 pdu_len -= L2CAP_FCS_SIZE;
2341 pdu_len -= __ertm_hdr_size(chan);
2343 /* Remote device may have requested smaller PDUs */
2344 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2346 if (len <= pdu_len) {
2347 sar = L2CAP_SAR_UNSEGMENTED;
2351 sar = L2CAP_SAR_START;
2356 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2359 __skb_queue_purge(seg_queue);
2360 return PTR_ERR(skb);
2363 bt_cb(skb)->l2cap.sar = sar;
2364 __skb_queue_tail(seg_queue, skb);
2370 if (len <= pdu_len) {
2371 sar = L2CAP_SAR_END;
2374 sar = L2CAP_SAR_CONTINUE;
2381 static struct sk_buff *l2cap_create_le_flowctl_pdu(struct l2cap_chan *chan,
2383 size_t len, u16 sdulen)
2385 struct l2cap_conn *conn = chan->conn;
2386 struct sk_buff *skb;
2387 int err, count, hlen;
2388 struct l2cap_hdr *lh;
2390 BT_DBG("chan %p len %zu", chan, len);
2393 return ERR_PTR(-ENOTCONN);
2395 hlen = L2CAP_HDR_SIZE;
2398 hlen += L2CAP_SDULEN_SIZE;
2400 count = min_t(unsigned int, (conn->mtu - hlen), len);
2402 skb = chan->ops->alloc_skb(chan, hlen, count,
2403 msg->msg_flags & MSG_DONTWAIT);
2407 /* Create L2CAP header */
2408 lh = skb_put(skb, L2CAP_HDR_SIZE);
2409 lh->cid = cpu_to_le16(chan->dcid);
2410 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2413 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2415 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2416 if (unlikely(err < 0)) {
2418 return ERR_PTR(err);
2424 static int l2cap_segment_le_sdu(struct l2cap_chan *chan,
2425 struct sk_buff_head *seg_queue,
2426 struct msghdr *msg, size_t len)
2428 struct sk_buff *skb;
2432 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2435 pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE;
2441 skb = l2cap_create_le_flowctl_pdu(chan, msg, pdu_len, sdu_len);
2443 __skb_queue_purge(seg_queue);
2444 return PTR_ERR(skb);
2447 __skb_queue_tail(seg_queue, skb);
2453 pdu_len += L2CAP_SDULEN_SIZE;
2460 static void l2cap_le_flowctl_send(struct l2cap_chan *chan)
2464 BT_DBG("chan %p", chan);
2466 while (chan->tx_credits && !skb_queue_empty(&chan->tx_q)) {
2467 l2cap_do_send(chan, skb_dequeue(&chan->tx_q));
2472 BT_DBG("Sent %d credits %u queued %u", sent, chan->tx_credits,
2473 skb_queue_len(&chan->tx_q));
2476 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
2478 struct sk_buff *skb;
2480 struct sk_buff_head seg_queue;
2485 /* Connectionless channel */
2486 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2487 skb = l2cap_create_connless_pdu(chan, msg, len);
2489 return PTR_ERR(skb);
2491 /* Channel lock is released before requesting new skb and then
2492 * reacquired thus we need to recheck channel state.
2494 if (chan->state != BT_CONNECTED) {
2499 l2cap_do_send(chan, skb);
2503 switch (chan->mode) {
2504 case L2CAP_MODE_LE_FLOWCTL:
2505 /* Check outgoing MTU */
2506 if (len > chan->omtu)
2509 __skb_queue_head_init(&seg_queue);
2511 err = l2cap_segment_le_sdu(chan, &seg_queue, msg, len);
2513 if (chan->state != BT_CONNECTED) {
2514 __skb_queue_purge(&seg_queue);
2521 skb_queue_splice_tail_init(&seg_queue, &chan->tx_q);
2523 l2cap_le_flowctl_send(chan);
2525 if (!chan->tx_credits)
2526 chan->ops->suspend(chan);
2532 case L2CAP_MODE_BASIC:
2533 /* Check outgoing MTU */
2534 if (len > chan->omtu)
2537 /* Create a basic PDU */
2538 skb = l2cap_create_basic_pdu(chan, msg, len);
2540 return PTR_ERR(skb);
2542 /* Channel lock is released before requesting new skb and then
2543 * reacquired thus we need to recheck channel state.
2545 if (chan->state != BT_CONNECTED) {
2550 l2cap_do_send(chan, skb);
2554 case L2CAP_MODE_ERTM:
2555 case L2CAP_MODE_STREAMING:
2556 /* Check outgoing MTU */
2557 if (len > chan->omtu) {
2562 __skb_queue_head_init(&seg_queue);
2564 /* Do segmentation before calling in to the state machine,
2565 * since it's possible to block while waiting for memory
2568 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2570 /* The channel could have been closed while segmenting,
2571 * check that it is still connected.
2573 if (chan->state != BT_CONNECTED) {
2574 __skb_queue_purge(&seg_queue);
2581 if (chan->mode == L2CAP_MODE_ERTM)
2582 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2584 l2cap_streaming_send(chan, &seg_queue);
2588 /* If the skbs were not queued for sending, they'll still be in
2589 * seg_queue and need to be purged.
2591 __skb_queue_purge(&seg_queue);
2595 BT_DBG("bad state %1.1x", chan->mode);
2601 EXPORT_SYMBOL_GPL(l2cap_chan_send);
2603 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2605 struct l2cap_ctrl control;
2608 BT_DBG("chan %p, txseq %u", chan, txseq);
2610 memset(&control, 0, sizeof(control));
2612 control.super = L2CAP_SUPER_SREJ;
2614 for (seq = chan->expected_tx_seq; seq != txseq;
2615 seq = __next_seq(chan, seq)) {
2616 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2617 control.reqseq = seq;
2618 l2cap_send_sframe(chan, &control);
2619 l2cap_seq_list_append(&chan->srej_list, seq);
2623 chan->expected_tx_seq = __next_seq(chan, txseq);
2626 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2628 struct l2cap_ctrl control;
2630 BT_DBG("chan %p", chan);
2632 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2635 memset(&control, 0, sizeof(control));
2637 control.super = L2CAP_SUPER_SREJ;
2638 control.reqseq = chan->srej_list.tail;
2639 l2cap_send_sframe(chan, &control);
2642 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2644 struct l2cap_ctrl control;
2648 BT_DBG("chan %p, txseq %u", chan, txseq);
2650 memset(&control, 0, sizeof(control));
2652 control.super = L2CAP_SUPER_SREJ;
2654 /* Capture initial list head to allow only one pass through the list. */
2655 initial_head = chan->srej_list.head;
2658 seq = l2cap_seq_list_pop(&chan->srej_list);
2659 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2662 control.reqseq = seq;
2663 l2cap_send_sframe(chan, &control);
2664 l2cap_seq_list_append(&chan->srej_list, seq);
2665 } while (chan->srej_list.head != initial_head);
2668 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2670 struct sk_buff *acked_skb;
2673 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2675 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2678 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2679 chan->expected_ack_seq, chan->unacked_frames);
2681 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2682 ackseq = __next_seq(chan, ackseq)) {
2684 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2686 skb_unlink(acked_skb, &chan->tx_q);
2687 kfree_skb(acked_skb);
2688 chan->unacked_frames--;
2692 chan->expected_ack_seq = reqseq;
2694 if (chan->unacked_frames == 0)
2695 __clear_retrans_timer(chan);
2697 BT_DBG("unacked_frames %u", chan->unacked_frames);
2700 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2702 BT_DBG("chan %p", chan);
2704 chan->expected_tx_seq = chan->buffer_seq;
2705 l2cap_seq_list_clear(&chan->srej_list);
2706 skb_queue_purge(&chan->srej_q);
2707 chan->rx_state = L2CAP_RX_STATE_RECV;
2710 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2711 struct l2cap_ctrl *control,
2712 struct sk_buff_head *skbs, u8 event)
2714 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2718 case L2CAP_EV_DATA_REQUEST:
2719 if (chan->tx_send_head == NULL)
2720 chan->tx_send_head = skb_peek(skbs);
2722 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2723 l2cap_ertm_send(chan);
2725 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2726 BT_DBG("Enter LOCAL_BUSY");
2727 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2729 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2730 /* The SREJ_SENT state must be aborted if we are to
2731 * enter the LOCAL_BUSY state.
2733 l2cap_abort_rx_srej_sent(chan);
2736 l2cap_send_ack(chan);
2739 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2740 BT_DBG("Exit LOCAL_BUSY");
2741 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2743 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2744 struct l2cap_ctrl local_control;
2746 memset(&local_control, 0, sizeof(local_control));
2747 local_control.sframe = 1;
2748 local_control.super = L2CAP_SUPER_RR;
2749 local_control.poll = 1;
2750 local_control.reqseq = chan->buffer_seq;
2751 l2cap_send_sframe(chan, &local_control);
2753 chan->retry_count = 1;
2754 __set_monitor_timer(chan);
2755 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2758 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2759 l2cap_process_reqseq(chan, control->reqseq);
2761 case L2CAP_EV_EXPLICIT_POLL:
2762 l2cap_send_rr_or_rnr(chan, 1);
2763 chan->retry_count = 1;
2764 __set_monitor_timer(chan);
2765 __clear_ack_timer(chan);
2766 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2768 case L2CAP_EV_RETRANS_TO:
2769 l2cap_send_rr_or_rnr(chan, 1);
2770 chan->retry_count = 1;
2771 __set_monitor_timer(chan);
2772 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2774 case L2CAP_EV_RECV_FBIT:
2775 /* Nothing to process */
2782 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2783 struct l2cap_ctrl *control,
2784 struct sk_buff_head *skbs, u8 event)
2786 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2790 case L2CAP_EV_DATA_REQUEST:
2791 if (chan->tx_send_head == NULL)
2792 chan->tx_send_head = skb_peek(skbs);
2793 /* Queue data, but don't send. */
2794 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2796 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2797 BT_DBG("Enter LOCAL_BUSY");
2798 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2800 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2801 /* The SREJ_SENT state must be aborted if we are to
2802 * enter the LOCAL_BUSY state.
2804 l2cap_abort_rx_srej_sent(chan);
2807 l2cap_send_ack(chan);
2810 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2811 BT_DBG("Exit LOCAL_BUSY");
2812 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2814 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2815 struct l2cap_ctrl local_control;
2816 memset(&local_control, 0, sizeof(local_control));
2817 local_control.sframe = 1;
2818 local_control.super = L2CAP_SUPER_RR;
2819 local_control.poll = 1;
2820 local_control.reqseq = chan->buffer_seq;
2821 l2cap_send_sframe(chan, &local_control);
2823 chan->retry_count = 1;
2824 __set_monitor_timer(chan);
2825 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2828 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2829 l2cap_process_reqseq(chan, control->reqseq);
2833 case L2CAP_EV_RECV_FBIT:
2834 if (control && control->final) {
2835 __clear_monitor_timer(chan);
2836 if (chan->unacked_frames > 0)
2837 __set_retrans_timer(chan);
2838 chan->retry_count = 0;
2839 chan->tx_state = L2CAP_TX_STATE_XMIT;
2840 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2843 case L2CAP_EV_EXPLICIT_POLL:
2846 case L2CAP_EV_MONITOR_TO:
2847 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2848 l2cap_send_rr_or_rnr(chan, 1);
2849 __set_monitor_timer(chan);
2850 chan->retry_count++;
2852 l2cap_send_disconn_req(chan, ECONNABORTED);
2860 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2861 struct sk_buff_head *skbs, u8 event)
2863 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2864 chan, control, skbs, event, chan->tx_state);
2866 switch (chan->tx_state) {
2867 case L2CAP_TX_STATE_XMIT:
2868 l2cap_tx_state_xmit(chan, control, skbs, event);
2870 case L2CAP_TX_STATE_WAIT_F:
2871 l2cap_tx_state_wait_f(chan, control, skbs, event);
2879 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2880 struct l2cap_ctrl *control)
2882 BT_DBG("chan %p, control %p", chan, control);
2883 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2886 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2887 struct l2cap_ctrl *control)
2889 BT_DBG("chan %p, control %p", chan, control);
2890 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2893 /* Copy frame to all raw sockets on that connection */
2894 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2896 struct sk_buff *nskb;
2897 struct l2cap_chan *chan;
2899 BT_DBG("conn %p", conn);
2901 mutex_lock(&conn->chan_lock);
2903 list_for_each_entry(chan, &conn->chan_l, list) {
2904 if (chan->chan_type != L2CAP_CHAN_RAW)
2907 /* Don't send frame to the channel it came from */
2908 if (bt_cb(skb)->l2cap.chan == chan)
2911 nskb = skb_clone(skb, GFP_KERNEL);
2914 if (chan->ops->recv(chan, nskb))
2918 mutex_unlock(&conn->chan_lock);
2921 /* ---- L2CAP signalling commands ---- */
2922 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2923 u8 ident, u16 dlen, void *data)
2925 struct sk_buff *skb, **frag;
2926 struct l2cap_cmd_hdr *cmd;
2927 struct l2cap_hdr *lh;
2930 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2931 conn, code, ident, dlen);
2933 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2936 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2937 count = min_t(unsigned int, conn->mtu, len);
2939 skb = bt_skb_alloc(count, GFP_KERNEL);
2943 lh = skb_put(skb, L2CAP_HDR_SIZE);
2944 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2946 if (conn->hcon->type == LE_LINK)
2947 lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2949 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
2951 cmd = skb_put(skb, L2CAP_CMD_HDR_SIZE);
2954 cmd->len = cpu_to_le16(dlen);
2957 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2958 skb_put_data(skb, data, count);
2964 /* Continuation fragments (no L2CAP header) */
2965 frag = &skb_shinfo(skb)->frag_list;
2967 count = min_t(unsigned int, conn->mtu, len);
2969 *frag = bt_skb_alloc(count, GFP_KERNEL);
2973 skb_put_data(*frag, data, count);
2978 frag = &(*frag)->next;
2988 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2991 struct l2cap_conf_opt *opt = *ptr;
2994 len = L2CAP_CONF_OPT_SIZE + opt->len;
3002 *val = *((u8 *) opt->val);
3006 *val = get_unaligned_le16(opt->val);
3010 *val = get_unaligned_le32(opt->val);
3014 *val = (unsigned long) opt->val;
3018 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
3022 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
3024 struct l2cap_conf_opt *opt = *ptr;
3026 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
3028 if (size < L2CAP_CONF_OPT_SIZE + len)
3036 *((u8 *) opt->val) = val;
3040 put_unaligned_le16(val, opt->val);
3044 put_unaligned_le32(val, opt->val);
3048 memcpy(opt->val, (void *) val, len);
3052 *ptr += L2CAP_CONF_OPT_SIZE + len;
3055 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
3057 struct l2cap_conf_efs efs;
3059 switch (chan->mode) {
3060 case L2CAP_MODE_ERTM:
3061 efs.id = chan->local_id;
3062 efs.stype = chan->local_stype;
3063 efs.msdu = cpu_to_le16(chan->local_msdu);
3064 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3065 efs.acc_lat = cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
3066 efs.flush_to = cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
3069 case L2CAP_MODE_STREAMING:
3071 efs.stype = L2CAP_SERV_BESTEFFORT;
3072 efs.msdu = cpu_to_le16(chan->local_msdu);
3073 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3082 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3083 (unsigned long) &efs, size);
3086 static void l2cap_ack_timeout(struct work_struct *work)
3088 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3092 BT_DBG("chan %p", chan);
3094 l2cap_chan_lock(chan);
3096 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3097 chan->last_acked_seq);
3100 l2cap_send_rr_or_rnr(chan, 0);
3102 l2cap_chan_unlock(chan);
3103 l2cap_chan_put(chan);
3106 int l2cap_ertm_init(struct l2cap_chan *chan)
3110 chan->next_tx_seq = 0;
3111 chan->expected_tx_seq = 0;
3112 chan->expected_ack_seq = 0;
3113 chan->unacked_frames = 0;
3114 chan->buffer_seq = 0;
3115 chan->frames_sent = 0;
3116 chan->last_acked_seq = 0;
3118 chan->sdu_last_frag = NULL;
3121 skb_queue_head_init(&chan->tx_q);
3123 chan->local_amp_id = AMP_ID_BREDR;
3124 chan->move_id = AMP_ID_BREDR;
3125 chan->move_state = L2CAP_MOVE_STABLE;
3126 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3128 if (chan->mode != L2CAP_MODE_ERTM)
3131 chan->rx_state = L2CAP_RX_STATE_RECV;
3132 chan->tx_state = L2CAP_TX_STATE_XMIT;
3134 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3135 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3136 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3138 skb_queue_head_init(&chan->srej_q);
3140 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3144 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3146 l2cap_seq_list_free(&chan->srej_list);
3151 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3154 case L2CAP_MODE_STREAMING:
3155 case L2CAP_MODE_ERTM:
3156 if (l2cap_mode_supported(mode, remote_feat_mask))
3160 return L2CAP_MODE_BASIC;
3164 static inline bool __l2cap_ews_supported(struct l2cap_conn *conn)
3166 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3167 (conn->feat_mask & L2CAP_FEAT_EXT_WINDOW));
3170 static inline bool __l2cap_efs_supported(struct l2cap_conn *conn)
3172 return ((conn->local_fixed_chan & L2CAP_FC_A2MP) &&
3173 (conn->feat_mask & L2CAP_FEAT_EXT_FLOW));
3176 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3177 struct l2cap_conf_rfc *rfc)
3179 if (chan->local_amp_id != AMP_ID_BREDR && chan->hs_hcon) {
3180 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3182 /* Class 1 devices have must have ERTM timeouts
3183 * exceeding the Link Supervision Timeout. The
3184 * default Link Supervision Timeout for AMP
3185 * controllers is 10 seconds.
3187 * Class 1 devices use 0xffffffff for their
3188 * best-effort flush timeout, so the clamping logic
3189 * will result in a timeout that meets the above
3190 * requirement. ERTM timeouts are 16-bit values, so
3191 * the maximum timeout is 65.535 seconds.
3194 /* Convert timeout to milliseconds and round */
3195 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3197 /* This is the recommended formula for class 2 devices
3198 * that start ERTM timers when packets are sent to the
3201 ertm_to = 3 * ertm_to + 500;
3203 if (ertm_to > 0xffff)
3206 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3207 rfc->monitor_timeout = rfc->retrans_timeout;
3209 rfc->retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3210 rfc->monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3214 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3216 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3217 __l2cap_ews_supported(chan->conn)) {
3218 /* use extended control field */
3219 set_bit(FLAG_EXT_CTRL, &chan->flags);
3220 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3222 chan->tx_win = min_t(u16, chan->tx_win,
3223 L2CAP_DEFAULT_TX_WINDOW);
3224 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3226 chan->ack_win = chan->tx_win;
3229 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3231 struct l2cap_conf_req *req = data;
3232 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3233 void *ptr = req->data;
3234 void *endptr = data + data_size;
3237 BT_DBG("chan %p", chan);
3239 if (chan->num_conf_req || chan->num_conf_rsp)
3242 switch (chan->mode) {
3243 case L2CAP_MODE_STREAMING:
3244 case L2CAP_MODE_ERTM:
3245 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3248 if (__l2cap_efs_supported(chan->conn))
3249 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3253 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3258 if (chan->imtu != L2CAP_DEFAULT_MTU)
3259 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
3261 switch (chan->mode) {
3262 case L2CAP_MODE_BASIC:
3266 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3267 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3270 rfc.mode = L2CAP_MODE_BASIC;
3272 rfc.max_transmit = 0;
3273 rfc.retrans_timeout = 0;
3274 rfc.monitor_timeout = 0;
3275 rfc.max_pdu_size = 0;
3277 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3278 (unsigned long) &rfc, endptr - ptr);
3281 case L2CAP_MODE_ERTM:
3282 rfc.mode = L2CAP_MODE_ERTM;
3283 rfc.max_transmit = chan->max_tx;
3285 __l2cap_set_ertm_timeouts(chan, &rfc);
3287 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3288 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3290 rfc.max_pdu_size = cpu_to_le16(size);
3292 l2cap_txwin_setup(chan);
3294 rfc.txwin_size = min_t(u16, chan->tx_win,
3295 L2CAP_DEFAULT_TX_WINDOW);
3297 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3298 (unsigned long) &rfc, endptr - ptr);
3300 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3301 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3303 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3304 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3305 chan->tx_win, endptr - ptr);
3307 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3308 if (chan->fcs == L2CAP_FCS_NONE ||
3309 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3310 chan->fcs = L2CAP_FCS_NONE;
3311 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3312 chan->fcs, endptr - ptr);
3316 case L2CAP_MODE_STREAMING:
3317 l2cap_txwin_setup(chan);
3318 rfc.mode = L2CAP_MODE_STREAMING;
3320 rfc.max_transmit = 0;
3321 rfc.retrans_timeout = 0;
3322 rfc.monitor_timeout = 0;
3324 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3325 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3327 rfc.max_pdu_size = cpu_to_le16(size);
3329 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3330 (unsigned long) &rfc, endptr - ptr);
3332 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3333 l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
3335 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3336 if (chan->fcs == L2CAP_FCS_NONE ||
3337 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3338 chan->fcs = L2CAP_FCS_NONE;
3339 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3340 chan->fcs, endptr - ptr);
3345 req->dcid = cpu_to_le16(chan->dcid);
3346 req->flags = cpu_to_le16(0);
3351 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
3353 struct l2cap_conf_rsp *rsp = data;
3354 void *ptr = rsp->data;
3355 void *endptr = data + data_size;
3356 void *req = chan->conf_req;
3357 int len = chan->conf_len;
3358 int type, hint, olen;
3360 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3361 struct l2cap_conf_efs efs;
3363 u16 mtu = L2CAP_DEFAULT_MTU;
3364 u16 result = L2CAP_CONF_SUCCESS;
3367 BT_DBG("chan %p", chan);
3369 while (len >= L2CAP_CONF_OPT_SIZE) {
3370 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3374 hint = type & L2CAP_CONF_HINT;
3375 type &= L2CAP_CONF_MASK;
3378 case L2CAP_CONF_MTU:
3384 case L2CAP_CONF_FLUSH_TO:
3387 chan->flush_to = val;
3390 case L2CAP_CONF_QOS:
3393 case L2CAP_CONF_RFC:
3394 if (olen != sizeof(rfc))
3396 memcpy(&rfc, (void *) val, olen);
3399 case L2CAP_CONF_FCS:
3402 if (val == L2CAP_FCS_NONE)
3403 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3406 case L2CAP_CONF_EFS:
3407 if (olen != sizeof(efs))
3410 memcpy(&efs, (void *) val, olen);
3413 case L2CAP_CONF_EWS:
3416 if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
3417 return -ECONNREFUSED;
3418 set_bit(FLAG_EXT_CTRL, &chan->flags);
3419 set_bit(CONF_EWS_RECV, &chan->conf_state);
3420 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3421 chan->remote_tx_win = val;
3427 result = L2CAP_CONF_UNKNOWN;
3428 *((u8 *) ptr++) = type;
3433 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3436 switch (chan->mode) {
3437 case L2CAP_MODE_STREAMING:
3438 case L2CAP_MODE_ERTM:
3439 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3440 chan->mode = l2cap_select_mode(rfc.mode,
3441 chan->conn->feat_mask);
3446 if (__l2cap_efs_supported(chan->conn))
3447 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3449 return -ECONNREFUSED;
3452 if (chan->mode != rfc.mode)
3453 return -ECONNREFUSED;
3459 if (chan->mode != rfc.mode) {
3460 result = L2CAP_CONF_UNACCEPT;
3461 rfc.mode = chan->mode;
3463 if (chan->num_conf_rsp == 1)
3464 return -ECONNREFUSED;
3466 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3467 (unsigned long) &rfc, endptr - ptr);
3470 if (result == L2CAP_CONF_SUCCESS) {
3471 /* Configure output options and let the other side know
3472 * which ones we don't like. */
3474 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3475 result = L2CAP_CONF_UNACCEPT;
3478 set_bit(CONF_MTU_DONE, &chan->conf_state);
3480 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
3483 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3484 efs.stype != L2CAP_SERV_NOTRAFIC &&
3485 efs.stype != chan->local_stype) {
3487 result = L2CAP_CONF_UNACCEPT;
3489 if (chan->num_conf_req >= 1)
3490 return -ECONNREFUSED;
3492 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3494 (unsigned long) &efs, endptr - ptr);
3496 /* Send PENDING Conf Rsp */
3497 result = L2CAP_CONF_PENDING;
3498 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3503 case L2CAP_MODE_BASIC:
3504 chan->fcs = L2CAP_FCS_NONE;
3505 set_bit(CONF_MODE_DONE, &chan->conf_state);
3508 case L2CAP_MODE_ERTM:
3509 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3510 chan->remote_tx_win = rfc.txwin_size;
3512 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3514 chan->remote_max_tx = rfc.max_transmit;
3516 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3517 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3518 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3519 rfc.max_pdu_size = cpu_to_le16(size);
3520 chan->remote_mps = size;
3522 __l2cap_set_ertm_timeouts(chan, &rfc);
3524 set_bit(CONF_MODE_DONE, &chan->conf_state);
3526 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3527 sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
3529 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3530 chan->remote_id = efs.id;
3531 chan->remote_stype = efs.stype;
3532 chan->remote_msdu = le16_to_cpu(efs.msdu);
3533 chan->remote_flush_to =
3534 le32_to_cpu(efs.flush_to);
3535 chan->remote_acc_lat =
3536 le32_to_cpu(efs.acc_lat);
3537 chan->remote_sdu_itime =
3538 le32_to_cpu(efs.sdu_itime);
3539 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3541 (unsigned long) &efs, endptr - ptr);
3545 case L2CAP_MODE_STREAMING:
3546 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3547 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3548 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3549 rfc.max_pdu_size = cpu_to_le16(size);
3550 chan->remote_mps = size;
3552 set_bit(CONF_MODE_DONE, &chan->conf_state);
3554 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3555 (unsigned long) &rfc, endptr - ptr);
3560 result = L2CAP_CONF_UNACCEPT;
3562 memset(&rfc, 0, sizeof(rfc));
3563 rfc.mode = chan->mode;
3566 if (result == L2CAP_CONF_SUCCESS)
3567 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3569 rsp->scid = cpu_to_le16(chan->dcid);
3570 rsp->result = cpu_to_le16(result);
3571 rsp->flags = cpu_to_le16(0);
3576 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3577 void *data, size_t size, u16 *result)
3579 struct l2cap_conf_req *req = data;
3580 void *ptr = req->data;
3581 void *endptr = data + size;
3584 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3585 struct l2cap_conf_efs efs;
3587 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3589 while (len >= L2CAP_CONF_OPT_SIZE) {
3590 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3595 case L2CAP_CONF_MTU:
3598 if (val < L2CAP_DEFAULT_MIN_MTU) {
3599 *result = L2CAP_CONF_UNACCEPT;
3600 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3603 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
3607 case L2CAP_CONF_FLUSH_TO:
3610 chan->flush_to = val;
3611 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
3612 chan->flush_to, endptr - ptr);
3615 case L2CAP_CONF_RFC:
3616 if (olen != sizeof(rfc))
3618 memcpy(&rfc, (void *)val, olen);
3619 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3620 rfc.mode != chan->mode)
3621 return -ECONNREFUSED;
3623 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3624 (unsigned long) &rfc, endptr - ptr);
3627 case L2CAP_CONF_EWS:
3630 chan->ack_win = min_t(u16, val, chan->ack_win);
3631 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3632 chan->tx_win, endptr - ptr);
3635 case L2CAP_CONF_EFS:
3636 if (olen != sizeof(efs))
3638 memcpy(&efs, (void *)val, olen);
3639 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3640 efs.stype != L2CAP_SERV_NOTRAFIC &&
3641 efs.stype != chan->local_stype)
3642 return -ECONNREFUSED;
3643 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3644 (unsigned long) &efs, endptr - ptr);
3647 case L2CAP_CONF_FCS:
3650 if (*result == L2CAP_CONF_PENDING)
3651 if (val == L2CAP_FCS_NONE)
3652 set_bit(CONF_RECV_NO_FCS,
3658 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3659 return -ECONNREFUSED;
3661 chan->mode = rfc.mode;
3663 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3665 case L2CAP_MODE_ERTM:
3666 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3667 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3668 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3669 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3670 chan->ack_win = min_t(u16, chan->ack_win,
3673 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3674 chan->local_msdu = le16_to_cpu(efs.msdu);
3675 chan->local_sdu_itime =
3676 le32_to_cpu(efs.sdu_itime);
3677 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3678 chan->local_flush_to =
3679 le32_to_cpu(efs.flush_to);
3683 case L2CAP_MODE_STREAMING:
3684 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3688 req->dcid = cpu_to_le16(chan->dcid);
3689 req->flags = cpu_to_le16(0);
3694 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3695 u16 result, u16 flags)
3697 struct l2cap_conf_rsp *rsp = data;
3698 void *ptr = rsp->data;
3700 BT_DBG("chan %p", chan);
3702 rsp->scid = cpu_to_le16(chan->dcid);
3703 rsp->result = cpu_to_le16(result);
3704 rsp->flags = cpu_to_le16(flags);
3709 void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
3711 struct l2cap_le_conn_rsp rsp;
3712 struct l2cap_conn *conn = chan->conn;
3714 BT_DBG("chan %p", chan);
3716 rsp.dcid = cpu_to_le16(chan->scid);
3717 rsp.mtu = cpu_to_le16(chan->imtu);
3718 rsp.mps = cpu_to_le16(chan->mps);
3719 rsp.credits = cpu_to_le16(chan->rx_credits);
3720 rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
3722 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
3726 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3728 struct l2cap_conn_rsp rsp;
3729 struct l2cap_conn *conn = chan->conn;
3733 rsp.scid = cpu_to_le16(chan->dcid);
3734 rsp.dcid = cpu_to_le16(chan->scid);
3735 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
3736 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
3739 rsp_code = L2CAP_CREATE_CHAN_RSP;
3741 rsp_code = L2CAP_CONN_RSP;
3743 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3745 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3747 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3750 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3751 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3752 chan->num_conf_req++;
3755 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3759 /* Use sane default values in case a misbehaving remote device
3760 * did not send an RFC or extended window size option.
3762 u16 txwin_ext = chan->ack_win;
3763 struct l2cap_conf_rfc rfc = {
3765 .retrans_timeout = cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3766 .monitor_timeout = cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3767 .max_pdu_size = cpu_to_le16(chan->imtu),
3768 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3771 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3773 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3776 while (len >= L2CAP_CONF_OPT_SIZE) {
3777 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3782 case L2CAP_CONF_RFC:
3783 if (olen != sizeof(rfc))
3785 memcpy(&rfc, (void *)val, olen);
3787 case L2CAP_CONF_EWS:
3796 case L2CAP_MODE_ERTM:
3797 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3798 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3799 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3800 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3801 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3803 chan->ack_win = min_t(u16, chan->ack_win,
3806 case L2CAP_MODE_STREAMING:
3807 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3811 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3812 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3815 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3817 if (cmd_len < sizeof(*rej))
3820 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3823 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3824 cmd->ident == conn->info_ident) {
3825 cancel_delayed_work(&conn->info_timer);
3827 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3828 conn->info_ident = 0;
3830 l2cap_conn_start(conn);
3836 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3837 struct l2cap_cmd_hdr *cmd,
3838 u8 *data, u8 rsp_code, u8 amp_id)
3840 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3841 struct l2cap_conn_rsp rsp;
3842 struct l2cap_chan *chan = NULL, *pchan;
3843 int result, status = L2CAP_CS_NO_INFO;
3845 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3846 __le16 psm = req->psm;
3848 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3850 /* Check if we have socket listening on psm */
3851 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
3852 &conn->hcon->dst, ACL_LINK);
3854 result = L2CAP_CR_BAD_PSM;
3858 mutex_lock(&conn->chan_lock);
3859 l2cap_chan_lock(pchan);
3861 /* Check if the ACL is secure enough (if not SDP) */
3862 if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
3863 !hci_conn_check_link_mode(conn->hcon)) {
3864 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3865 result = L2CAP_CR_SEC_BLOCK;
3869 result = L2CAP_CR_NO_MEM;
3871 /* Check for valid dynamic CID range (as per Erratum 3253) */
3872 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_DYN_END) {
3873 result = L2CAP_CR_INVALID_SCID;
3877 /* Check if we already have channel with that dcid */
3878 if (__l2cap_get_chan_by_dcid(conn, scid)) {
3879 result = L2CAP_CR_SCID_IN_USE;
3883 chan = pchan->ops->new_connection(pchan);
3887 /* For certain devices (ex: HID mouse), support for authentication,
3888 * pairing and bonding is optional. For such devices, inorder to avoid
3889 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3890 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3892 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3894 bacpy(&chan->src, &conn->hcon->src);
3895 bacpy(&chan->dst, &conn->hcon->dst);
3896 chan->src_type = bdaddr_src_type(conn->hcon);
3897 chan->dst_type = bdaddr_dst_type(conn->hcon);
3900 chan->local_amp_id = amp_id;
3902 __l2cap_chan_add(conn, chan);
3906 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
3908 chan->ident = cmd->ident;
3910 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3911 if (l2cap_chan_check_security(chan, false)) {
3912 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
3913 l2cap_state_change(chan, BT_CONNECT2);
3914 result = L2CAP_CR_PEND;
3915 status = L2CAP_CS_AUTHOR_PEND;
3916 chan->ops->defer(chan);
3918 /* Force pending result for AMP controllers.
3919 * The connection will succeed after the
3920 * physical link is up.
3922 if (amp_id == AMP_ID_BREDR) {
3923 l2cap_state_change(chan, BT_CONFIG);
3924 result = L2CAP_CR_SUCCESS;
3926 l2cap_state_change(chan, BT_CONNECT2);
3927 result = L2CAP_CR_PEND;
3929 status = L2CAP_CS_NO_INFO;
3932 l2cap_state_change(chan, BT_CONNECT2);
3933 result = L2CAP_CR_PEND;
3934 status = L2CAP_CS_AUTHEN_PEND;
3937 l2cap_state_change(chan, BT_CONNECT2);
3938 result = L2CAP_CR_PEND;
3939 status = L2CAP_CS_NO_INFO;
3943 l2cap_chan_unlock(pchan);
3944 mutex_unlock(&conn->chan_lock);
3945 l2cap_chan_put(pchan);
3948 rsp.scid = cpu_to_le16(scid);
3949 rsp.dcid = cpu_to_le16(dcid);
3950 rsp.result = cpu_to_le16(result);
3951 rsp.status = cpu_to_le16(status);
3952 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3954 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3955 struct l2cap_info_req info;
3956 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3958 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3959 conn->info_ident = l2cap_get_ident(conn);
3961 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3963 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3964 sizeof(info), &info);
3967 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3968 result == L2CAP_CR_SUCCESS) {
3970 set_bit(CONF_REQ_SENT, &chan->conf_state);
3971 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3972 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
3973 chan->num_conf_req++;
3979 static int l2cap_connect_req(struct l2cap_conn *conn,
3980 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3982 struct hci_dev *hdev = conn->hcon->hdev;
3983 struct hci_conn *hcon = conn->hcon;
3985 if (cmd_len < sizeof(struct l2cap_conn_req))
3989 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3990 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3991 mgmt_device_connected(hdev, hcon, 0, NULL, 0);
3992 hci_dev_unlock(hdev);
3994 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3998 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3999 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4002 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
4003 u16 scid, dcid, result, status;
4004 struct l2cap_chan *chan;
4008 if (cmd_len < sizeof(*rsp))
4011 scid = __le16_to_cpu(rsp->scid);
4012 dcid = __le16_to_cpu(rsp->dcid);
4013 result = __le16_to_cpu(rsp->result);
4014 status = __le16_to_cpu(rsp->status);
4016 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
4017 dcid, scid, result, status);
4019 mutex_lock(&conn->chan_lock);
4022 chan = __l2cap_get_chan_by_scid(conn, scid);
4028 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
4037 l2cap_chan_lock(chan);
4040 case L2CAP_CR_SUCCESS:
4041 l2cap_state_change(chan, BT_CONFIG);
4044 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
4046 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
4049 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4050 l2cap_build_conf_req(chan, req, sizeof(req)), req);
4051 chan->num_conf_req++;
4055 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
4059 l2cap_chan_del(chan, ECONNREFUSED);
4063 l2cap_chan_unlock(chan);
4066 mutex_unlock(&conn->chan_lock);
4071 static inline void set_default_fcs(struct l2cap_chan *chan)
4073 /* FCS is enabled only in ERTM or streaming mode, if one or both
4076 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
4077 chan->fcs = L2CAP_FCS_NONE;
4078 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
4079 chan->fcs = L2CAP_FCS_CRC16;
4082 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
4083 u8 ident, u16 flags)
4085 struct l2cap_conn *conn = chan->conn;
4087 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
4090 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
4091 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
4093 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
4094 l2cap_build_conf_rsp(chan, data,
4095 L2CAP_CONF_SUCCESS, flags), data);
4098 static void cmd_reject_invalid_cid(struct l2cap_conn *conn, u8 ident,
4101 struct l2cap_cmd_rej_cid rej;
4103 rej.reason = cpu_to_le16(L2CAP_REJ_INVALID_CID);
4104 rej.scid = __cpu_to_le16(scid);
4105 rej.dcid = __cpu_to_le16(dcid);
4107 l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
4110 static inline int l2cap_config_req(struct l2cap_conn *conn,
4111 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4114 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
4117 struct l2cap_chan *chan;
4120 if (cmd_len < sizeof(*req))
4123 dcid = __le16_to_cpu(req->dcid);
4124 flags = __le16_to_cpu(req->flags);
4126 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
4128 chan = l2cap_get_chan_by_scid(conn, dcid);
4130 cmd_reject_invalid_cid(conn, cmd->ident, dcid, 0);
4134 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
4135 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4140 /* Reject if config buffer is too small. */
4141 len = cmd_len - sizeof(*req);
4142 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4143 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4144 l2cap_build_conf_rsp(chan, rsp,
4145 L2CAP_CONF_REJECT, flags), rsp);
4150 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4151 chan->conf_len += len;
4153 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4154 /* Incomplete config. Send empty response. */
4155 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4156 l2cap_build_conf_rsp(chan, rsp,
4157 L2CAP_CONF_SUCCESS, flags), rsp);
4161 /* Complete config. */
4162 len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
4164 l2cap_send_disconn_req(chan, ECONNRESET);
4168 chan->ident = cmd->ident;
4169 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4170 chan->num_conf_rsp++;
4172 /* Reset config buffer. */
4175 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4178 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4179 set_default_fcs(chan);
4181 if (chan->mode == L2CAP_MODE_ERTM ||
4182 chan->mode == L2CAP_MODE_STREAMING)
4183 err = l2cap_ertm_init(chan);
4186 l2cap_send_disconn_req(chan, -err);
4188 l2cap_chan_ready(chan);
4193 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4195 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4196 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4197 chan->num_conf_req++;
4200 /* Got Conf Rsp PENDING from remote side and assume we sent
4201 Conf Rsp PENDING in the code above */
4202 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4203 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4205 /* check compatibility */
4207 /* Send rsp for BR/EDR channel */
4209 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4211 chan->ident = cmd->ident;
4215 l2cap_chan_unlock(chan);
4219 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4220 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4223 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4224 u16 scid, flags, result;
4225 struct l2cap_chan *chan;
4226 int len = cmd_len - sizeof(*rsp);
4229 if (cmd_len < sizeof(*rsp))
4232 scid = __le16_to_cpu(rsp->scid);
4233 flags = __le16_to_cpu(rsp->flags);
4234 result = __le16_to_cpu(rsp->result);
4236 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4239 chan = l2cap_get_chan_by_scid(conn, scid);
4244 case L2CAP_CONF_SUCCESS:
4245 l2cap_conf_rfc_get(chan, rsp->data, len);
4246 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4249 case L2CAP_CONF_PENDING:
4250 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4252 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4255 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4256 buf, sizeof(buf), &result);
4258 l2cap_send_disconn_req(chan, ECONNRESET);
4262 if (!chan->hs_hcon) {
4263 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4266 if (l2cap_check_efs(chan)) {
4267 amp_create_logical_link(chan);
4268 chan->ident = cmd->ident;
4274 case L2CAP_CONF_UNACCEPT:
4275 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4278 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4279 l2cap_send_disconn_req(chan, ECONNRESET);
4283 /* throw out any old stored conf requests */
4284 result = L2CAP_CONF_SUCCESS;
4285 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4286 req, sizeof(req), &result);
4288 l2cap_send_disconn_req(chan, ECONNRESET);
4292 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4293 L2CAP_CONF_REQ, len, req);
4294 chan->num_conf_req++;
4295 if (result != L2CAP_CONF_SUCCESS)
4302 l2cap_chan_set_err(chan, ECONNRESET);
4304 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4305 l2cap_send_disconn_req(chan, ECONNRESET);
4309 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4312 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4314 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4315 set_default_fcs(chan);
4317 if (chan->mode == L2CAP_MODE_ERTM ||
4318 chan->mode == L2CAP_MODE_STREAMING)
4319 err = l2cap_ertm_init(chan);
4322 l2cap_send_disconn_req(chan, -err);
4324 l2cap_chan_ready(chan);
4328 l2cap_chan_unlock(chan);
4332 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4333 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4336 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4337 struct l2cap_disconn_rsp rsp;
4339 struct l2cap_chan *chan;
4341 if (cmd_len != sizeof(*req))
4344 scid = __le16_to_cpu(req->scid);
4345 dcid = __le16_to_cpu(req->dcid);
4347 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4349 mutex_lock(&conn->chan_lock);
4351 chan = __l2cap_get_chan_by_scid(conn, dcid);
4353 mutex_unlock(&conn->chan_lock);
4354 cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
4358 l2cap_chan_lock(chan);
4360 rsp.dcid = cpu_to_le16(chan->scid);
4361 rsp.scid = cpu_to_le16(chan->dcid);
4362 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4364 chan->ops->set_shutdown(chan);
4366 l2cap_chan_hold(chan);
4367 l2cap_chan_del(chan, ECONNRESET);
4369 l2cap_chan_unlock(chan);
4371 chan->ops->close(chan);
4372 l2cap_chan_put(chan);
4374 mutex_unlock(&conn->chan_lock);
4379 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4380 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4383 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4385 struct l2cap_chan *chan;
4387 if (cmd_len != sizeof(*rsp))
4390 scid = __le16_to_cpu(rsp->scid);
4391 dcid = __le16_to_cpu(rsp->dcid);
4393 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4395 mutex_lock(&conn->chan_lock);
4397 chan = __l2cap_get_chan_by_scid(conn, scid);
4399 mutex_unlock(&conn->chan_lock);
4403 l2cap_chan_lock(chan);
4405 if (chan->state != BT_DISCONN) {
4406 l2cap_chan_unlock(chan);
4407 mutex_unlock(&conn->chan_lock);
4411 l2cap_chan_hold(chan);
4412 l2cap_chan_del(chan, 0);
4414 l2cap_chan_unlock(chan);
4416 chan->ops->close(chan);
4417 l2cap_chan_put(chan);
4419 mutex_unlock(&conn->chan_lock);
4424 static inline int l2cap_information_req(struct l2cap_conn *conn,
4425 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4428 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4431 if (cmd_len != sizeof(*req))
4434 type = __le16_to_cpu(req->type);
4436 BT_DBG("type 0x%4.4x", type);
4438 if (type == L2CAP_IT_FEAT_MASK) {
4440 u32 feat_mask = l2cap_feat_mask;
4441 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4442 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
4443 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4445 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4447 if (conn->local_fixed_chan & L2CAP_FC_A2MP)
4448 feat_mask |= L2CAP_FEAT_EXT_FLOW
4449 | L2CAP_FEAT_EXT_WINDOW;
4451 put_unaligned_le32(feat_mask, rsp->data);
4452 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4454 } else if (type == L2CAP_IT_FIXED_CHAN) {
4456 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4458 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4459 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
4460 rsp->data[0] = conn->local_fixed_chan;
4461 memset(rsp->data + 1, 0, 7);
4462 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4465 struct l2cap_info_rsp rsp;
4466 rsp.type = cpu_to_le16(type);
4467 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
4468 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4475 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4476 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4479 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4482 if (cmd_len < sizeof(*rsp))
4485 type = __le16_to_cpu(rsp->type);
4486 result = __le16_to_cpu(rsp->result);
4488 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4490 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4491 if (cmd->ident != conn->info_ident ||
4492 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4495 cancel_delayed_work(&conn->info_timer);
4497 if (result != L2CAP_IR_SUCCESS) {
4498 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4499 conn->info_ident = 0;
4501 l2cap_conn_start(conn);
4507 case L2CAP_IT_FEAT_MASK:
4508 conn->feat_mask = get_unaligned_le32(rsp->data);
4510 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4511 struct l2cap_info_req req;
4512 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4514 conn->info_ident = l2cap_get_ident(conn);
4516 l2cap_send_cmd(conn, conn->info_ident,
4517 L2CAP_INFO_REQ, sizeof(req), &req);
4519 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4520 conn->info_ident = 0;
4522 l2cap_conn_start(conn);
4526 case L2CAP_IT_FIXED_CHAN:
4527 conn->remote_fixed_chan = rsp->data[0];
4528 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4529 conn->info_ident = 0;
4531 l2cap_conn_start(conn);
4538 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4539 struct l2cap_cmd_hdr *cmd,
4540 u16 cmd_len, void *data)
4542 struct l2cap_create_chan_req *req = data;
4543 struct l2cap_create_chan_rsp rsp;
4544 struct l2cap_chan *chan;
4545 struct hci_dev *hdev;
4548 if (cmd_len != sizeof(*req))
4551 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4554 psm = le16_to_cpu(req->psm);
4555 scid = le16_to_cpu(req->scid);
4557 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4559 /* For controller id 0 make BR/EDR connection */
4560 if (req->amp_id == AMP_ID_BREDR) {
4561 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4566 /* Validate AMP controller id */
4567 hdev = hci_dev_get(req->amp_id);
4571 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4576 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4579 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4580 struct hci_conn *hs_hcon;
4582 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK,
4586 cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
4591 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4593 mgr->bredr_chan = chan;
4594 chan->hs_hcon = hs_hcon;
4595 chan->fcs = L2CAP_FCS_NONE;
4596 conn->mtu = hdev->block_mtu;
4605 rsp.scid = cpu_to_le16(scid);
4606 rsp.result = cpu_to_le16(L2CAP_CR_BAD_AMP);
4607 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4609 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4615 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4617 struct l2cap_move_chan_req req;
4620 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4622 ident = l2cap_get_ident(chan->conn);
4623 chan->ident = ident;
4625 req.icid = cpu_to_le16(chan->scid);
4626 req.dest_amp_id = dest_amp_id;
4628 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4631 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4634 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4636 struct l2cap_move_chan_rsp rsp;
4638 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4640 rsp.icid = cpu_to_le16(chan->dcid);
4641 rsp.result = cpu_to_le16(result);
4643 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4647 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4649 struct l2cap_move_chan_cfm cfm;
4651 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4653 chan->ident = l2cap_get_ident(chan->conn);
4655 cfm.icid = cpu_to_le16(chan->scid);
4656 cfm.result = cpu_to_le16(result);
4658 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4661 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4664 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4666 struct l2cap_move_chan_cfm cfm;
4668 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4670 cfm.icid = cpu_to_le16(icid);
4671 cfm.result = cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4673 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4677 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4680 struct l2cap_move_chan_cfm_rsp rsp;
4682 BT_DBG("icid 0x%4.4x", icid);
4684 rsp.icid = cpu_to_le16(icid);
4685 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4688 static void __release_logical_link(struct l2cap_chan *chan)
4690 chan->hs_hchan = NULL;
4691 chan->hs_hcon = NULL;
4693 /* Placeholder - release the logical link */
4696 static void l2cap_logical_fail(struct l2cap_chan *chan)
4698 /* Logical link setup failed */
4699 if (chan->state != BT_CONNECTED) {
4700 /* Create channel failure, disconnect */
4701 l2cap_send_disconn_req(chan, ECONNRESET);
4705 switch (chan->move_role) {
4706 case L2CAP_MOVE_ROLE_RESPONDER:
4707 l2cap_move_done(chan);
4708 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4710 case L2CAP_MOVE_ROLE_INITIATOR:
4711 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4712 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4713 /* Remote has only sent pending or
4714 * success responses, clean up
4716 l2cap_move_done(chan);
4719 /* Other amp move states imply that the move
4720 * has already aborted
4722 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4727 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4728 struct hci_chan *hchan)
4730 struct l2cap_conf_rsp rsp;
4732 chan->hs_hchan = hchan;
4733 chan->hs_hcon->l2cap_data = chan->conn;
4735 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4737 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4740 set_default_fcs(chan);
4742 err = l2cap_ertm_init(chan);
4744 l2cap_send_disconn_req(chan, -err);
4746 l2cap_chan_ready(chan);
4750 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4751 struct hci_chan *hchan)
4753 chan->hs_hcon = hchan->conn;
4754 chan->hs_hcon->l2cap_data = chan->conn;
4756 BT_DBG("move_state %d", chan->move_state);
4758 switch (chan->move_state) {
4759 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4760 /* Move confirm will be sent after a success
4761 * response is received
4763 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4765 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4766 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4767 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4768 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4769 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4770 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4771 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4772 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4773 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4777 /* Move was not in expected state, free the channel */
4778 __release_logical_link(chan);
4780 chan->move_state = L2CAP_MOVE_STABLE;
4784 /* Call with chan locked */
4785 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4788 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4791 l2cap_logical_fail(chan);
4792 __release_logical_link(chan);
4796 if (chan->state != BT_CONNECTED) {
4797 /* Ignore logical link if channel is on BR/EDR */
4798 if (chan->local_amp_id != AMP_ID_BREDR)
4799 l2cap_logical_finish_create(chan, hchan);
4801 l2cap_logical_finish_move(chan, hchan);
4805 void l2cap_move_start(struct l2cap_chan *chan)
4807 BT_DBG("chan %p", chan);
4809 if (chan->local_amp_id == AMP_ID_BREDR) {
4810 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4812 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4813 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4814 /* Placeholder - start physical link setup */
4816 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4817 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4819 l2cap_move_setup(chan);
4820 l2cap_send_move_chan_req(chan, 0);
4824 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4825 u8 local_amp_id, u8 remote_amp_id)
4827 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4828 local_amp_id, remote_amp_id);
4830 chan->fcs = L2CAP_FCS_NONE;
4832 /* Outgoing channel on AMP */
4833 if (chan->state == BT_CONNECT) {
4834 if (result == L2CAP_CR_SUCCESS) {
4835 chan->local_amp_id = local_amp_id;
4836 l2cap_send_create_chan_req(chan, remote_amp_id);
4838 /* Revert to BR/EDR connect */
4839 l2cap_send_conn_req(chan);
4845 /* Incoming channel on AMP */
4846 if (__l2cap_no_conn_pending(chan)) {
4847 struct l2cap_conn_rsp rsp;
4849 rsp.scid = cpu_to_le16(chan->dcid);
4850 rsp.dcid = cpu_to_le16(chan->scid);
4852 if (result == L2CAP_CR_SUCCESS) {
4853 /* Send successful response */
4854 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
4855 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4857 /* Send negative response */
4858 rsp.result = cpu_to_le16(L2CAP_CR_NO_MEM);
4859 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
4862 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4865 if (result == L2CAP_CR_SUCCESS) {
4866 l2cap_state_change(chan, BT_CONFIG);
4867 set_bit(CONF_REQ_SENT, &chan->conf_state);
4868 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4870 l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
4871 chan->num_conf_req++;
4876 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4879 l2cap_move_setup(chan);
4880 chan->move_id = local_amp_id;
4881 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4883 l2cap_send_move_chan_req(chan, remote_amp_id);
4886 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4888 struct hci_chan *hchan = NULL;
4890 /* Placeholder - get hci_chan for logical link */
4893 if (hchan->state == BT_CONNECTED) {
4894 /* Logical link is ready to go */
4895 chan->hs_hcon = hchan->conn;
4896 chan->hs_hcon->l2cap_data = chan->conn;
4897 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4898 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4900 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4902 /* Wait for logical link to be ready */
4903 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4906 /* Logical link not available */
4907 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4911 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4913 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4915 if (result == -EINVAL)
4916 rsp_result = L2CAP_MR_BAD_ID;
4918 rsp_result = L2CAP_MR_NOT_ALLOWED;
4920 l2cap_send_move_chan_rsp(chan, rsp_result);
4923 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4924 chan->move_state = L2CAP_MOVE_STABLE;
4926 /* Restart data transmission */
4927 l2cap_ertm_send(chan);
4930 /* Invoke with locked chan */
4931 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4933 u8 local_amp_id = chan->local_amp_id;
4934 u8 remote_amp_id = chan->remote_amp_id;
4936 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4937 chan, result, local_amp_id, remote_amp_id);
4939 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4940 l2cap_chan_unlock(chan);
4944 if (chan->state != BT_CONNECTED) {
4945 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4946 } else if (result != L2CAP_MR_SUCCESS) {
4947 l2cap_do_move_cancel(chan, result);
4949 switch (chan->move_role) {
4950 case L2CAP_MOVE_ROLE_INITIATOR:
4951 l2cap_do_move_initiate(chan, local_amp_id,
4954 case L2CAP_MOVE_ROLE_RESPONDER:
4955 l2cap_do_move_respond(chan, result);
4958 l2cap_do_move_cancel(chan, result);
4964 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4965 struct l2cap_cmd_hdr *cmd,
4966 u16 cmd_len, void *data)
4968 struct l2cap_move_chan_req *req = data;
4969 struct l2cap_move_chan_rsp rsp;
4970 struct l2cap_chan *chan;
4972 u16 result = L2CAP_MR_NOT_ALLOWED;
4974 if (cmd_len != sizeof(*req))
4977 icid = le16_to_cpu(req->icid);
4979 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4981 if (!(conn->local_fixed_chan & L2CAP_FC_A2MP))
4984 chan = l2cap_get_chan_by_dcid(conn, icid);
4986 rsp.icid = cpu_to_le16(icid);
4987 rsp.result = cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4988 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4993 chan->ident = cmd->ident;
4995 if (chan->scid < L2CAP_CID_DYN_START ||
4996 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4997 (chan->mode != L2CAP_MODE_ERTM &&
4998 chan->mode != L2CAP_MODE_STREAMING)) {
4999 result = L2CAP_MR_NOT_ALLOWED;
5000 goto send_move_response;
5003 if (chan->local_amp_id == req->dest_amp_id) {
5004 result = L2CAP_MR_SAME_ID;
5005 goto send_move_response;
5008 if (req->dest_amp_id != AMP_ID_BREDR) {
5009 struct hci_dev *hdev;
5010 hdev = hci_dev_get(req->dest_amp_id);
5011 if (!hdev || hdev->dev_type != HCI_AMP ||
5012 !test_bit(HCI_UP, &hdev->flags)) {
5016 result = L2CAP_MR_BAD_ID;
5017 goto send_move_response;
5022 /* Detect a move collision. Only send a collision response
5023 * if this side has "lost", otherwise proceed with the move.
5024 * The winner has the larger bd_addr.
5026 if ((__chan_is_moving(chan) ||
5027 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
5028 bacmp(&conn->hcon->src, &conn->hcon->dst) > 0) {
5029 result = L2CAP_MR_COLLISION;
5030 goto send_move_response;
5033 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5034 l2cap_move_setup(chan);
5035 chan->move_id = req->dest_amp_id;
5038 if (req->dest_amp_id == AMP_ID_BREDR) {
5039 /* Moving to BR/EDR */
5040 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5041 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5042 result = L2CAP_MR_PEND;
5044 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
5045 result = L2CAP_MR_SUCCESS;
5048 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
5049 /* Placeholder - uncomment when amp functions are available */
5050 /*amp_accept_physical(chan, req->dest_amp_id);*/
5051 result = L2CAP_MR_PEND;
5055 l2cap_send_move_chan_rsp(chan, result);
5057 l2cap_chan_unlock(chan);
5062 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
5064 struct l2cap_chan *chan;
5065 struct hci_chan *hchan = NULL;
5067 chan = l2cap_get_chan_by_scid(conn, icid);
5069 l2cap_send_move_chan_cfm_icid(conn, icid);
5073 __clear_chan_timer(chan);
5074 if (result == L2CAP_MR_PEND)
5075 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
5077 switch (chan->move_state) {
5078 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
5079 /* Move confirm will be sent when logical link
5082 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5084 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
5085 if (result == L2CAP_MR_PEND) {
5087 } else if (test_bit(CONN_LOCAL_BUSY,
5088 &chan->conn_state)) {
5089 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
5091 /* Logical link is up or moving to BR/EDR,
5094 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
5095 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5098 case L2CAP_MOVE_WAIT_RSP:
5100 if (result == L2CAP_MR_SUCCESS) {
5101 /* Remote is ready, send confirm immediately
5102 * after logical link is ready
5104 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
5106 /* Both logical link and move success
5107 * are required to confirm
5109 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
5112 /* Placeholder - get hci_chan for logical link */
5114 /* Logical link not available */
5115 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5119 /* If the logical link is not yet connected, do not
5120 * send confirmation.
5122 if (hchan->state != BT_CONNECTED)
5125 /* Logical link is already ready to go */
5127 chan->hs_hcon = hchan->conn;
5128 chan->hs_hcon->l2cap_data = chan->conn;
5130 if (result == L2CAP_MR_SUCCESS) {
5131 /* Can confirm now */
5132 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
5134 /* Now only need move success
5137 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5140 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5143 /* Any other amp move state means the move failed. */
5144 chan->move_id = chan->local_amp_id;
5145 l2cap_move_done(chan);
5146 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5149 l2cap_chan_unlock(chan);
5152 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5155 struct l2cap_chan *chan;
5157 chan = l2cap_get_chan_by_ident(conn, ident);
5159 /* Could not locate channel, icid is best guess */
5160 l2cap_send_move_chan_cfm_icid(conn, icid);
5164 __clear_chan_timer(chan);
5166 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5167 if (result == L2CAP_MR_COLLISION) {
5168 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5170 /* Cleanup - cancel move */
5171 chan->move_id = chan->local_amp_id;
5172 l2cap_move_done(chan);
5176 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5178 l2cap_chan_unlock(chan);
5181 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5182 struct l2cap_cmd_hdr *cmd,
5183 u16 cmd_len, void *data)
5185 struct l2cap_move_chan_rsp *rsp = data;
5188 if (cmd_len != sizeof(*rsp))
5191 icid = le16_to_cpu(rsp->icid);
5192 result = le16_to_cpu(rsp->result);
5194 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5196 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5197 l2cap_move_continue(conn, icid, result);
5199 l2cap_move_fail(conn, cmd->ident, icid, result);
5204 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5205 struct l2cap_cmd_hdr *cmd,
5206 u16 cmd_len, void *data)
5208 struct l2cap_move_chan_cfm *cfm = data;
5209 struct l2cap_chan *chan;
5212 if (cmd_len != sizeof(*cfm))
5215 icid = le16_to_cpu(cfm->icid);
5216 result = le16_to_cpu(cfm->result);
5218 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5220 chan = l2cap_get_chan_by_dcid(conn, icid);
5222 /* Spec requires a response even if the icid was not found */
5223 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5227 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5228 if (result == L2CAP_MC_CONFIRMED) {
5229 chan->local_amp_id = chan->move_id;
5230 if (chan->local_amp_id == AMP_ID_BREDR)
5231 __release_logical_link(chan);
5233 chan->move_id = chan->local_amp_id;
5236 l2cap_move_done(chan);
5239 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5241 l2cap_chan_unlock(chan);
5246 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5247 struct l2cap_cmd_hdr *cmd,
5248 u16 cmd_len, void *data)
5250 struct l2cap_move_chan_cfm_rsp *rsp = data;
5251 struct l2cap_chan *chan;
5254 if (cmd_len != sizeof(*rsp))
5257 icid = le16_to_cpu(rsp->icid);
5259 BT_DBG("icid 0x%4.4x", icid);
5261 chan = l2cap_get_chan_by_scid(conn, icid);
5265 __clear_chan_timer(chan);
5267 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5268 chan->local_amp_id = chan->move_id;
5270 if (chan->local_amp_id == AMP_ID_BREDR && chan->hs_hchan)
5271 __release_logical_link(chan);
5273 l2cap_move_done(chan);
5276 l2cap_chan_unlock(chan);
5281 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5282 struct l2cap_cmd_hdr *cmd,
5283 u16 cmd_len, u8 *data)
5285 struct hci_conn *hcon = conn->hcon;
5286 struct l2cap_conn_param_update_req *req;
5287 struct l2cap_conn_param_update_rsp rsp;
5288 u16 min, max, latency, to_multiplier;
5291 if (hcon->role != HCI_ROLE_MASTER)
5294 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5297 req = (struct l2cap_conn_param_update_req *) data;
5298 min = __le16_to_cpu(req->min);
5299 max = __le16_to_cpu(req->max);
5300 latency = __le16_to_cpu(req->latency);
5301 to_multiplier = __le16_to_cpu(req->to_multiplier);
5303 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5304 min, max, latency, to_multiplier);
5306 memset(&rsp, 0, sizeof(rsp));
5308 err = hci_check_conn_params(min, max, latency, to_multiplier);
5310 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5312 rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5314 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5320 store_hint = hci_le_conn_update(hcon, min, max, latency,
5322 mgmt_new_conn_param(hcon->hdev, &hcon->dst, hcon->dst_type,
5323 store_hint, min, max, latency,
5331 static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
5332 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5335 struct l2cap_le_conn_rsp *rsp = (struct l2cap_le_conn_rsp *) data;
5336 struct hci_conn *hcon = conn->hcon;
5337 u16 dcid, mtu, mps, credits, result;
5338 struct l2cap_chan *chan;
5341 if (cmd_len < sizeof(*rsp))
5344 dcid = __le16_to_cpu(rsp->dcid);
5345 mtu = __le16_to_cpu(rsp->mtu);
5346 mps = __le16_to_cpu(rsp->mps);
5347 credits = __le16_to_cpu(rsp->credits);
5348 result = __le16_to_cpu(rsp->result);
5350 if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
5351 dcid < L2CAP_CID_DYN_START ||
5352 dcid > L2CAP_CID_LE_DYN_END))
5355 BT_DBG("dcid 0x%4.4x mtu %u mps %u credits %u result 0x%2.2x",
5356 dcid, mtu, mps, credits, result);
5358 mutex_lock(&conn->chan_lock);
5360 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5368 l2cap_chan_lock(chan);
5371 case L2CAP_CR_LE_SUCCESS:
5372 if (__l2cap_get_chan_by_dcid(conn, dcid)) {
5380 chan->remote_mps = mps;
5381 chan->tx_credits = credits;
5382 l2cap_chan_ready(chan);
5385 case L2CAP_CR_LE_AUTHENTICATION:
5386 case L2CAP_CR_LE_ENCRYPTION:
5387 /* If we already have MITM protection we can't do
5390 if (hcon->sec_level > BT_SECURITY_MEDIUM) {
5391 l2cap_chan_del(chan, ECONNREFUSED);
5395 sec_level = hcon->sec_level + 1;
5396 if (chan->sec_level < sec_level)
5397 chan->sec_level = sec_level;
5399 /* We'll need to send a new Connect Request */
5400 clear_bit(FLAG_LE_CONN_REQ_SENT, &chan->flags);
5402 smp_conn_security(hcon, chan->sec_level);
5406 l2cap_chan_del(chan, ECONNREFUSED);
5410 l2cap_chan_unlock(chan);
5413 mutex_unlock(&conn->chan_lock);
5418 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5419 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5424 switch (cmd->code) {
5425 case L2CAP_COMMAND_REJ:
5426 l2cap_command_rej(conn, cmd, cmd_len, data);
5429 case L2CAP_CONN_REQ:
5430 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5433 case L2CAP_CONN_RSP:
5434 case L2CAP_CREATE_CHAN_RSP:
5435 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5438 case L2CAP_CONF_REQ:
5439 err = l2cap_config_req(conn, cmd, cmd_len, data);
5442 case L2CAP_CONF_RSP:
5443 l2cap_config_rsp(conn, cmd, cmd_len, data);
5446 case L2CAP_DISCONN_REQ:
5447 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5450 case L2CAP_DISCONN_RSP:
5451 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5454 case L2CAP_ECHO_REQ:
5455 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5458 case L2CAP_ECHO_RSP:
5461 case L2CAP_INFO_REQ:
5462 err = l2cap_information_req(conn, cmd, cmd_len, data);
5465 case L2CAP_INFO_RSP:
5466 l2cap_information_rsp(conn, cmd, cmd_len, data);
5469 case L2CAP_CREATE_CHAN_REQ:
5470 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5473 case L2CAP_MOVE_CHAN_REQ:
5474 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5477 case L2CAP_MOVE_CHAN_RSP:
5478 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5481 case L2CAP_MOVE_CHAN_CFM:
5482 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5485 case L2CAP_MOVE_CHAN_CFM_RSP:
5486 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5490 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5498 static int l2cap_le_connect_req(struct l2cap_conn *conn,
5499 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5502 struct l2cap_le_conn_req *req = (struct l2cap_le_conn_req *) data;
5503 struct l2cap_le_conn_rsp rsp;
5504 struct l2cap_chan *chan, *pchan;
5505 u16 dcid, scid, credits, mtu, mps;
5509 if (cmd_len != sizeof(*req))
5512 scid = __le16_to_cpu(req->scid);
5513 mtu = __le16_to_cpu(req->mtu);
5514 mps = __le16_to_cpu(req->mps);
5519 if (mtu < 23 || mps < 23)
5522 BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
5525 /* Check if we have socket listening on psm */
5526 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
5527 &conn->hcon->dst, LE_LINK);
5529 result = L2CAP_CR_LE_BAD_PSM;
5534 mutex_lock(&conn->chan_lock);
5535 l2cap_chan_lock(pchan);
5537 if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
5539 result = L2CAP_CR_LE_AUTHENTICATION;
5541 goto response_unlock;
5544 /* Check for valid dynamic CID range */
5545 if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
5546 result = L2CAP_CR_LE_INVALID_SCID;
5548 goto response_unlock;
5551 /* Check if we already have channel with that dcid */
5552 if (__l2cap_get_chan_by_dcid(conn, scid)) {
5553 result = L2CAP_CR_LE_SCID_IN_USE;
5555 goto response_unlock;
5558 chan = pchan->ops->new_connection(pchan);
5560 result = L2CAP_CR_LE_NO_MEM;
5561 goto response_unlock;
5564 bacpy(&chan->src, &conn->hcon->src);
5565 bacpy(&chan->dst, &conn->hcon->dst);
5566 chan->src_type = bdaddr_src_type(conn->hcon);
5567 chan->dst_type = bdaddr_dst_type(conn->hcon);
5571 chan->remote_mps = mps;
5573 __l2cap_chan_add(conn, chan);
5575 l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
5578 credits = chan->rx_credits;
5580 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
5582 chan->ident = cmd->ident;
5584 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
5585 l2cap_state_change(chan, BT_CONNECT2);
5586 /* The following result value is actually not defined
5587 * for LE CoC but we use it to let the function know
5588 * that it should bail out after doing its cleanup
5589 * instead of sending a response.
5591 result = L2CAP_CR_PEND;
5592 chan->ops->defer(chan);
5594 l2cap_chan_ready(chan);
5595 result = L2CAP_CR_LE_SUCCESS;
5599 l2cap_chan_unlock(pchan);
5600 mutex_unlock(&conn->chan_lock);
5601 l2cap_chan_put(pchan);
5603 if (result == L2CAP_CR_PEND)
5608 rsp.mtu = cpu_to_le16(chan->imtu);
5609 rsp.mps = cpu_to_le16(chan->mps);
5615 rsp.dcid = cpu_to_le16(dcid);
5616 rsp.credits = cpu_to_le16(credits);
5617 rsp.result = cpu_to_le16(result);
5619 l2cap_send_cmd(conn, cmd->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), &rsp);
5624 static inline int l2cap_le_credits(struct l2cap_conn *conn,
5625 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5628 struct l2cap_le_credits *pkt;
5629 struct l2cap_chan *chan;
5630 u16 cid, credits, max_credits;
5632 if (cmd_len != sizeof(*pkt))
5635 pkt = (struct l2cap_le_credits *) data;
5636 cid = __le16_to_cpu(pkt->cid);
5637 credits = __le16_to_cpu(pkt->credits);
5639 BT_DBG("cid 0x%4.4x credits 0x%4.4x", cid, credits);
5641 chan = l2cap_get_chan_by_dcid(conn, cid);
5645 max_credits = LE_FLOWCTL_MAX_CREDITS - chan->tx_credits;
5646 if (credits > max_credits) {
5647 BT_ERR("LE credits overflow");
5648 l2cap_send_disconn_req(chan, ECONNRESET);
5649 l2cap_chan_unlock(chan);
5651 /* Return 0 so that we don't trigger an unnecessary
5652 * command reject packet.
5657 chan->tx_credits += credits;
5659 /* Resume sending */
5660 l2cap_le_flowctl_send(chan);
5662 if (chan->tx_credits)
5663 chan->ops->resume(chan);
5665 l2cap_chan_unlock(chan);
5670 static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
5671 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5674 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
5675 struct l2cap_chan *chan;
5677 if (cmd_len < sizeof(*rej))
5680 mutex_lock(&conn->chan_lock);
5682 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
5686 l2cap_chan_lock(chan);
5687 l2cap_chan_del(chan, ECONNREFUSED);
5688 l2cap_chan_unlock(chan);
5691 mutex_unlock(&conn->chan_lock);
5695 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5696 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5701 switch (cmd->code) {
5702 case L2CAP_COMMAND_REJ:
5703 l2cap_le_command_rej(conn, cmd, cmd_len, data);
5706 case L2CAP_CONN_PARAM_UPDATE_REQ:
5707 err = l2cap_conn_param_update_req(conn, cmd, cmd_len, data);
5710 case L2CAP_CONN_PARAM_UPDATE_RSP:
5713 case L2CAP_LE_CONN_RSP:
5714 l2cap_le_connect_rsp(conn, cmd, cmd_len, data);
5717 case L2CAP_LE_CONN_REQ:
5718 err = l2cap_le_connect_req(conn, cmd, cmd_len, data);
5721 case L2CAP_LE_CREDITS:
5722 err = l2cap_le_credits(conn, cmd, cmd_len, data);
5725 case L2CAP_DISCONN_REQ:
5726 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5729 case L2CAP_DISCONN_RSP:
5730 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5734 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5742 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5743 struct sk_buff *skb)
5745 struct hci_conn *hcon = conn->hcon;
5746 struct l2cap_cmd_hdr *cmd;
5750 if (hcon->type != LE_LINK)
5753 if (skb->len < L2CAP_CMD_HDR_SIZE)
5756 cmd = (void *) skb->data;
5757 skb_pull(skb, L2CAP_CMD_HDR_SIZE);
5759 len = le16_to_cpu(cmd->len);
5761 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd->code, len, cmd->ident);
5763 if (len != skb->len || !cmd->ident) {
5764 BT_DBG("corrupted command");
5768 err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
5770 struct l2cap_cmd_rej_unk rej;
5772 BT_ERR("Wrong link type (%d)", err);
5774 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5775 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
5783 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5784 struct sk_buff *skb)
5786 struct hci_conn *hcon = conn->hcon;
5787 u8 *data = skb->data;
5789 struct l2cap_cmd_hdr cmd;
5792 l2cap_raw_recv(conn, skb);
5794 if (hcon->type != ACL_LINK)
5797 while (len >= L2CAP_CMD_HDR_SIZE) {
5799 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5800 data += L2CAP_CMD_HDR_SIZE;
5801 len -= L2CAP_CMD_HDR_SIZE;
5803 cmd_len = le16_to_cpu(cmd.len);
5805 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5808 if (cmd_len > len || !cmd.ident) {
5809 BT_DBG("corrupted command");
5813 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5815 struct l2cap_cmd_rej_unk rej;
5817 BT_ERR("Wrong link type (%d)", err);
5819 rej.reason = cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5820 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5832 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5834 u16 our_fcs, rcv_fcs;
5837 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5838 hdr_size = L2CAP_EXT_HDR_SIZE;
5840 hdr_size = L2CAP_ENH_HDR_SIZE;
5842 if (chan->fcs == L2CAP_FCS_CRC16) {
5843 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5844 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5845 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5847 if (our_fcs != rcv_fcs)
5853 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5855 struct l2cap_ctrl control;
5857 BT_DBG("chan %p", chan);
5859 memset(&control, 0, sizeof(control));
5862 control.reqseq = chan->buffer_seq;
5863 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5865 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5866 control.super = L2CAP_SUPER_RNR;
5867 l2cap_send_sframe(chan, &control);
5870 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5871 chan->unacked_frames > 0)
5872 __set_retrans_timer(chan);
5874 /* Send pending iframes */
5875 l2cap_ertm_send(chan);
5877 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5878 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5879 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5882 control.super = L2CAP_SUPER_RR;
5883 l2cap_send_sframe(chan, &control);
5887 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5888 struct sk_buff **last_frag)
5890 /* skb->len reflects data in skb as well as all fragments
5891 * skb->data_len reflects only data in fragments
5893 if (!skb_has_frag_list(skb))
5894 skb_shinfo(skb)->frag_list = new_frag;
5896 new_frag->next = NULL;
5898 (*last_frag)->next = new_frag;
5899 *last_frag = new_frag;
5901 skb->len += new_frag->len;
5902 skb->data_len += new_frag->len;
5903 skb->truesize += new_frag->truesize;
5906 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5907 struct l2cap_ctrl *control)
5911 switch (control->sar) {
5912 case L2CAP_SAR_UNSEGMENTED:
5916 err = chan->ops->recv(chan, skb);
5919 case L2CAP_SAR_START:
5923 if (!pskb_may_pull(skb, L2CAP_SDULEN_SIZE))
5926 chan->sdu_len = get_unaligned_le16(skb->data);
5927 skb_pull(skb, L2CAP_SDULEN_SIZE);
5929 if (chan->sdu_len > chan->imtu) {
5934 if (skb->len >= chan->sdu_len)
5938 chan->sdu_last_frag = skb;
5944 case L2CAP_SAR_CONTINUE:
5948 append_skb_frag(chan->sdu, skb,
5949 &chan->sdu_last_frag);
5952 if (chan->sdu->len >= chan->sdu_len)
5962 append_skb_frag(chan->sdu, skb,
5963 &chan->sdu_last_frag);
5966 if (chan->sdu->len != chan->sdu_len)
5969 err = chan->ops->recv(chan, chan->sdu);
5972 /* Reassembly complete */
5974 chan->sdu_last_frag = NULL;
5982 kfree_skb(chan->sdu);
5984 chan->sdu_last_frag = NULL;
5991 static int l2cap_resegment(struct l2cap_chan *chan)
5997 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
6001 if (chan->mode != L2CAP_MODE_ERTM)
6004 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
6005 l2cap_tx(chan, NULL, NULL, event);
6008 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
6011 /* Pass sequential frames to l2cap_reassemble_sdu()
6012 * until a gap is encountered.
6015 BT_DBG("chan %p", chan);
6017 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6018 struct sk_buff *skb;
6019 BT_DBG("Searching for skb with txseq %d (queue len %d)",
6020 chan->buffer_seq, skb_queue_len(&chan->srej_q));
6022 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
6027 skb_unlink(skb, &chan->srej_q);
6028 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6029 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->l2cap);
6034 if (skb_queue_empty(&chan->srej_q)) {
6035 chan->rx_state = L2CAP_RX_STATE_RECV;
6036 l2cap_send_ack(chan);
6042 static void l2cap_handle_srej(struct l2cap_chan *chan,
6043 struct l2cap_ctrl *control)
6045 struct sk_buff *skb;
6047 BT_DBG("chan %p, control %p", chan, control);
6049 if (control->reqseq == chan->next_tx_seq) {
6050 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6051 l2cap_send_disconn_req(chan, ECONNRESET);
6055 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6058 BT_DBG("Seq %d not available for retransmission",
6063 if (chan->max_tx != 0 && bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6064 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6065 l2cap_send_disconn_req(chan, ECONNRESET);
6069 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6071 if (control->poll) {
6072 l2cap_pass_to_tx(chan, control);
6074 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6075 l2cap_retransmit(chan, control);
6076 l2cap_ertm_send(chan);
6078 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6079 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6080 chan->srej_save_reqseq = control->reqseq;
6083 l2cap_pass_to_tx_fbit(chan, control);
6085 if (control->final) {
6086 if (chan->srej_save_reqseq != control->reqseq ||
6087 !test_and_clear_bit(CONN_SREJ_ACT,
6089 l2cap_retransmit(chan, control);
6091 l2cap_retransmit(chan, control);
6092 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
6093 set_bit(CONN_SREJ_ACT, &chan->conn_state);
6094 chan->srej_save_reqseq = control->reqseq;
6100 static void l2cap_handle_rej(struct l2cap_chan *chan,
6101 struct l2cap_ctrl *control)
6103 struct sk_buff *skb;
6105 BT_DBG("chan %p, control %p", chan, control);
6107 if (control->reqseq == chan->next_tx_seq) {
6108 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
6109 l2cap_send_disconn_req(chan, ECONNRESET);
6113 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
6115 if (chan->max_tx && skb &&
6116 bt_cb(skb)->l2cap.retries >= chan->max_tx) {
6117 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
6118 l2cap_send_disconn_req(chan, ECONNRESET);
6122 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6124 l2cap_pass_to_tx(chan, control);
6126 if (control->final) {
6127 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
6128 l2cap_retransmit_all(chan, control);
6130 l2cap_retransmit_all(chan, control);
6131 l2cap_ertm_send(chan);
6132 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
6133 set_bit(CONN_REJ_ACT, &chan->conn_state);
6137 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
6139 BT_DBG("chan %p, txseq %d", chan, txseq);
6141 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
6142 chan->expected_tx_seq);
6144 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
6145 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6147 /* See notes below regarding "double poll" and
6150 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6151 BT_DBG("Invalid/Ignore - after SREJ");
6152 return L2CAP_TXSEQ_INVALID_IGNORE;
6154 BT_DBG("Invalid - in window after SREJ sent");
6155 return L2CAP_TXSEQ_INVALID;
6159 if (chan->srej_list.head == txseq) {
6160 BT_DBG("Expected SREJ");
6161 return L2CAP_TXSEQ_EXPECTED_SREJ;
6164 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
6165 BT_DBG("Duplicate SREJ - txseq already stored");
6166 return L2CAP_TXSEQ_DUPLICATE_SREJ;
6169 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
6170 BT_DBG("Unexpected SREJ - not requested");
6171 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
6175 if (chan->expected_tx_seq == txseq) {
6176 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
6178 BT_DBG("Invalid - txseq outside tx window");
6179 return L2CAP_TXSEQ_INVALID;
6182 return L2CAP_TXSEQ_EXPECTED;
6186 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
6187 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
6188 BT_DBG("Duplicate - expected_tx_seq later than txseq");
6189 return L2CAP_TXSEQ_DUPLICATE;
6192 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
6193 /* A source of invalid packets is a "double poll" condition,
6194 * where delays cause us to send multiple poll packets. If
6195 * the remote stack receives and processes both polls,
6196 * sequence numbers can wrap around in such a way that a
6197 * resent frame has a sequence number that looks like new data
6198 * with a sequence gap. This would trigger an erroneous SREJ
6201 * Fortunately, this is impossible with a tx window that's
6202 * less than half of the maximum sequence number, which allows
6203 * invalid frames to be safely ignored.
6205 * With tx window sizes greater than half of the tx window
6206 * maximum, the frame is invalid and cannot be ignored. This
6207 * causes a disconnect.
6210 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
6211 BT_DBG("Invalid/Ignore - txseq outside tx window");
6212 return L2CAP_TXSEQ_INVALID_IGNORE;
6214 BT_DBG("Invalid - txseq outside tx window");
6215 return L2CAP_TXSEQ_INVALID;
6218 BT_DBG("Unexpected - txseq indicates missing frames");
6219 return L2CAP_TXSEQ_UNEXPECTED;
6223 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
6224 struct l2cap_ctrl *control,
6225 struct sk_buff *skb, u8 event)
6228 bool skb_in_use = false;
6230 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6234 case L2CAP_EV_RECV_IFRAME:
6235 switch (l2cap_classify_txseq(chan, control->txseq)) {
6236 case L2CAP_TXSEQ_EXPECTED:
6237 l2cap_pass_to_tx(chan, control);
6239 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6240 BT_DBG("Busy, discarding expected seq %d",
6245 chan->expected_tx_seq = __next_seq(chan,
6248 chan->buffer_seq = chan->expected_tx_seq;
6251 err = l2cap_reassemble_sdu(chan, skb, control);
6255 if (control->final) {
6256 if (!test_and_clear_bit(CONN_REJ_ACT,
6257 &chan->conn_state)) {
6259 l2cap_retransmit_all(chan, control);
6260 l2cap_ertm_send(chan);
6264 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
6265 l2cap_send_ack(chan);
6267 case L2CAP_TXSEQ_UNEXPECTED:
6268 l2cap_pass_to_tx(chan, control);
6270 /* Can't issue SREJ frames in the local busy state.
6271 * Drop this frame, it will be seen as missing
6272 * when local busy is exited.
6274 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
6275 BT_DBG("Busy, discarding unexpected seq %d",
6280 /* There was a gap in the sequence, so an SREJ
6281 * must be sent for each missing frame. The
6282 * current frame is stored for later use.
6284 skb_queue_tail(&chan->srej_q, skb);
6286 BT_DBG("Queued %p (queue len %d)", skb,
6287 skb_queue_len(&chan->srej_q));
6289 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
6290 l2cap_seq_list_clear(&chan->srej_list);
6291 l2cap_send_srej(chan, control->txseq);
6293 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
6295 case L2CAP_TXSEQ_DUPLICATE:
6296 l2cap_pass_to_tx(chan, control);
6298 case L2CAP_TXSEQ_INVALID_IGNORE:
6300 case L2CAP_TXSEQ_INVALID:
6302 l2cap_send_disconn_req(chan, ECONNRESET);
6306 case L2CAP_EV_RECV_RR:
6307 l2cap_pass_to_tx(chan, control);
6308 if (control->final) {
6309 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6311 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
6312 !__chan_is_moving(chan)) {
6314 l2cap_retransmit_all(chan, control);
6317 l2cap_ertm_send(chan);
6318 } else if (control->poll) {
6319 l2cap_send_i_or_rr_or_rnr(chan);
6321 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6322 &chan->conn_state) &&
6323 chan->unacked_frames)
6324 __set_retrans_timer(chan);
6326 l2cap_ertm_send(chan);
6329 case L2CAP_EV_RECV_RNR:
6330 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6331 l2cap_pass_to_tx(chan, control);
6332 if (control && control->poll) {
6333 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6334 l2cap_send_rr_or_rnr(chan, 0);
6336 __clear_retrans_timer(chan);
6337 l2cap_seq_list_clear(&chan->retrans_list);
6339 case L2CAP_EV_RECV_REJ:
6340 l2cap_handle_rej(chan, control);
6342 case L2CAP_EV_RECV_SREJ:
6343 l2cap_handle_srej(chan, control);
6349 if (skb && !skb_in_use) {
6350 BT_DBG("Freeing %p", skb);
6357 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
6358 struct l2cap_ctrl *control,
6359 struct sk_buff *skb, u8 event)
6362 u16 txseq = control->txseq;
6363 bool skb_in_use = false;
6365 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6369 case L2CAP_EV_RECV_IFRAME:
6370 switch (l2cap_classify_txseq(chan, txseq)) {
6371 case L2CAP_TXSEQ_EXPECTED:
6372 /* Keep frame for reassembly later */
6373 l2cap_pass_to_tx(chan, control);
6374 skb_queue_tail(&chan->srej_q, skb);
6376 BT_DBG("Queued %p (queue len %d)", skb,
6377 skb_queue_len(&chan->srej_q));
6379 chan->expected_tx_seq = __next_seq(chan, txseq);
6381 case L2CAP_TXSEQ_EXPECTED_SREJ:
6382 l2cap_seq_list_pop(&chan->srej_list);
6384 l2cap_pass_to_tx(chan, control);
6385 skb_queue_tail(&chan->srej_q, skb);
6387 BT_DBG("Queued %p (queue len %d)", skb,
6388 skb_queue_len(&chan->srej_q));
6390 err = l2cap_rx_queued_iframes(chan);
6395 case L2CAP_TXSEQ_UNEXPECTED:
6396 /* Got a frame that can't be reassembled yet.
6397 * Save it for later, and send SREJs to cover
6398 * the missing frames.
6400 skb_queue_tail(&chan->srej_q, skb);
6402 BT_DBG("Queued %p (queue len %d)", skb,
6403 skb_queue_len(&chan->srej_q));
6405 l2cap_pass_to_tx(chan, control);
6406 l2cap_send_srej(chan, control->txseq);
6408 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
6409 /* This frame was requested with an SREJ, but
6410 * some expected retransmitted frames are
6411 * missing. Request retransmission of missing
6414 skb_queue_tail(&chan->srej_q, skb);
6416 BT_DBG("Queued %p (queue len %d)", skb,
6417 skb_queue_len(&chan->srej_q));
6419 l2cap_pass_to_tx(chan, control);
6420 l2cap_send_srej_list(chan, control->txseq);
6422 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6423 /* We've already queued this frame. Drop this copy. */
6424 l2cap_pass_to_tx(chan, control);
6426 case L2CAP_TXSEQ_DUPLICATE:
6427 /* Expecting a later sequence number, so this frame
6428 * was already received. Ignore it completely.
6431 case L2CAP_TXSEQ_INVALID_IGNORE:
6433 case L2CAP_TXSEQ_INVALID:
6435 l2cap_send_disconn_req(chan, ECONNRESET);
6439 case L2CAP_EV_RECV_RR:
6440 l2cap_pass_to_tx(chan, control);
6441 if (control->final) {
6442 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6444 if (!test_and_clear_bit(CONN_REJ_ACT,
6445 &chan->conn_state)) {
6447 l2cap_retransmit_all(chan, control);
6450 l2cap_ertm_send(chan);
6451 } else if (control->poll) {
6452 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6453 &chan->conn_state) &&
6454 chan->unacked_frames) {
6455 __set_retrans_timer(chan);
6458 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6459 l2cap_send_srej_tail(chan);
6461 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6462 &chan->conn_state) &&
6463 chan->unacked_frames)
6464 __set_retrans_timer(chan);
6466 l2cap_send_ack(chan);
6469 case L2CAP_EV_RECV_RNR:
6470 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6471 l2cap_pass_to_tx(chan, control);
6472 if (control->poll) {
6473 l2cap_send_srej_tail(chan);
6475 struct l2cap_ctrl rr_control;
6476 memset(&rr_control, 0, sizeof(rr_control));
6477 rr_control.sframe = 1;
6478 rr_control.super = L2CAP_SUPER_RR;
6479 rr_control.reqseq = chan->buffer_seq;
6480 l2cap_send_sframe(chan, &rr_control);
6484 case L2CAP_EV_RECV_REJ:
6485 l2cap_handle_rej(chan, control);
6487 case L2CAP_EV_RECV_SREJ:
6488 l2cap_handle_srej(chan, control);
6492 if (skb && !skb_in_use) {
6493 BT_DBG("Freeing %p", skb);
6500 static int l2cap_finish_move(struct l2cap_chan *chan)
6502 BT_DBG("chan %p", chan);
6504 chan->rx_state = L2CAP_RX_STATE_RECV;
6507 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6509 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6511 return l2cap_resegment(chan);
6514 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6515 struct l2cap_ctrl *control,
6516 struct sk_buff *skb, u8 event)
6520 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6526 l2cap_process_reqseq(chan, control->reqseq);
6528 if (!skb_queue_empty(&chan->tx_q))
6529 chan->tx_send_head = skb_peek(&chan->tx_q);
6531 chan->tx_send_head = NULL;
6533 /* Rewind next_tx_seq to the point expected
6536 chan->next_tx_seq = control->reqseq;
6537 chan->unacked_frames = 0;
6539 err = l2cap_finish_move(chan);
6543 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6544 l2cap_send_i_or_rr_or_rnr(chan);
6546 if (event == L2CAP_EV_RECV_IFRAME)
6549 return l2cap_rx_state_recv(chan, control, NULL, event);
6552 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6553 struct l2cap_ctrl *control,
6554 struct sk_buff *skb, u8 event)
6558 if (!control->final)
6561 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6563 chan->rx_state = L2CAP_RX_STATE_RECV;
6564 l2cap_process_reqseq(chan, control->reqseq);
6566 if (!skb_queue_empty(&chan->tx_q))
6567 chan->tx_send_head = skb_peek(&chan->tx_q);
6569 chan->tx_send_head = NULL;
6571 /* Rewind next_tx_seq to the point expected
6574 chan->next_tx_seq = control->reqseq;
6575 chan->unacked_frames = 0;
6578 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6580 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6582 err = l2cap_resegment(chan);
6585 err = l2cap_rx_state_recv(chan, control, skb, event);
6590 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6592 /* Make sure reqseq is for a packet that has been sent but not acked */
6595 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6596 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6599 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6600 struct sk_buff *skb, u8 event)
6604 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6605 control, skb, event, chan->rx_state);
6607 if (__valid_reqseq(chan, control->reqseq)) {
6608 switch (chan->rx_state) {
6609 case L2CAP_RX_STATE_RECV:
6610 err = l2cap_rx_state_recv(chan, control, skb, event);
6612 case L2CAP_RX_STATE_SREJ_SENT:
6613 err = l2cap_rx_state_srej_sent(chan, control, skb,
6616 case L2CAP_RX_STATE_WAIT_P:
6617 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6619 case L2CAP_RX_STATE_WAIT_F:
6620 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6627 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6628 control->reqseq, chan->next_tx_seq,
6629 chan->expected_ack_seq);
6630 l2cap_send_disconn_req(chan, ECONNRESET);
6636 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6637 struct sk_buff *skb)
6639 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6642 if (l2cap_classify_txseq(chan, control->txseq) ==
6643 L2CAP_TXSEQ_EXPECTED) {
6644 l2cap_pass_to_tx(chan, control);
6646 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6647 __next_seq(chan, chan->buffer_seq));
6649 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6651 l2cap_reassemble_sdu(chan, skb, control);
6654 kfree_skb(chan->sdu);
6657 chan->sdu_last_frag = NULL;
6661 BT_DBG("Freeing %p", skb);
6666 chan->last_acked_seq = control->txseq;
6667 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6672 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6674 struct l2cap_ctrl *control = &bt_cb(skb)->l2cap;
6678 __unpack_control(chan, skb);
6683 * We can just drop the corrupted I-frame here.
6684 * Receiver will miss it and start proper recovery
6685 * procedures and ask for retransmission.
6687 if (l2cap_check_fcs(chan, skb))
6690 if (!control->sframe && control->sar == L2CAP_SAR_START)
6691 len -= L2CAP_SDULEN_SIZE;
6693 if (chan->fcs == L2CAP_FCS_CRC16)
6694 len -= L2CAP_FCS_SIZE;
6696 if (len > chan->mps) {
6697 l2cap_send_disconn_req(chan, ECONNRESET);
6701 if ((chan->mode == L2CAP_MODE_ERTM ||
6702 chan->mode == L2CAP_MODE_STREAMING) && sk_filter(chan->data, skb))
6705 if (!control->sframe) {
6708 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6709 control->sar, control->reqseq, control->final,
6712 /* Validate F-bit - F=0 always valid, F=1 only
6713 * valid in TX WAIT_F
6715 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6718 if (chan->mode != L2CAP_MODE_STREAMING) {
6719 event = L2CAP_EV_RECV_IFRAME;
6720 err = l2cap_rx(chan, control, skb, event);
6722 err = l2cap_stream_rx(chan, control, skb);
6726 l2cap_send_disconn_req(chan, ECONNRESET);
6728 const u8 rx_func_to_event[4] = {
6729 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6730 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6733 /* Only I-frames are expected in streaming mode */
6734 if (chan->mode == L2CAP_MODE_STREAMING)
6737 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6738 control->reqseq, control->final, control->poll,
6742 BT_ERR("Trailing bytes: %d in sframe", len);
6743 l2cap_send_disconn_req(chan, ECONNRESET);
6747 /* Validate F and P bits */
6748 if (control->final && (control->poll ||
6749 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6752 event = rx_func_to_event[control->super];
6753 if (l2cap_rx(chan, control, skb, event))
6754 l2cap_send_disconn_req(chan, ECONNRESET);
6764 static void l2cap_chan_le_send_credits(struct l2cap_chan *chan)
6766 struct l2cap_conn *conn = chan->conn;
6767 struct l2cap_le_credits pkt;
6770 return_credits = ((chan->imtu / chan->mps) + 1) - chan->rx_credits;
6772 if (!return_credits)
6775 BT_DBG("chan %p returning %u credits to sender", chan, return_credits);
6777 chan->rx_credits += return_credits;
6779 pkt.cid = cpu_to_le16(chan->scid);
6780 pkt.credits = cpu_to_le16(return_credits);
6782 chan->ident = l2cap_get_ident(conn);
6784 l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
6787 static int l2cap_le_recv(struct l2cap_chan *chan, struct sk_buff *skb)
6791 BT_DBG("SDU reassemble complete: chan %p skb->len %u", chan, skb->len);
6793 /* Wait recv to confirm reception before updating the credits */
6794 err = chan->ops->recv(chan, skb);
6796 /* Update credits whenever an SDU is received */
6797 l2cap_chan_le_send_credits(chan);
6802 static int l2cap_le_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6806 if (!chan->rx_credits) {
6807 BT_ERR("No credits to receive LE L2CAP data");
6808 l2cap_send_disconn_req(chan, ECONNRESET);
6812 if (chan->imtu < skb->len) {
6813 BT_ERR("Too big LE L2CAP PDU");
6818 BT_DBG("rx_credits %u -> %u", chan->rx_credits + 1, chan->rx_credits);
6820 /* Update if remote had run out of credits, this should only happens
6821 * if the remote is not using the entire MPS.
6823 if (!chan->rx_credits)
6824 l2cap_chan_le_send_credits(chan);
6831 sdu_len = get_unaligned_le16(skb->data);
6832 skb_pull(skb, L2CAP_SDULEN_SIZE);
6834 BT_DBG("Start of new SDU. sdu_len %u skb->len %u imtu %u",
6835 sdu_len, skb->len, chan->imtu);
6837 if (sdu_len > chan->imtu) {
6838 BT_ERR("Too big LE L2CAP SDU length received");
6843 if (skb->len > sdu_len) {
6844 BT_ERR("Too much LE L2CAP data received");
6849 if (skb->len == sdu_len)
6850 return l2cap_le_recv(chan, skb);
6853 chan->sdu_len = sdu_len;
6854 chan->sdu_last_frag = skb;
6856 /* Detect if remote is not able to use the selected MPS */
6857 if (skb->len + L2CAP_SDULEN_SIZE < chan->mps) {
6858 u16 mps_len = skb->len + L2CAP_SDULEN_SIZE;
6860 /* Adjust the number of credits */
6861 BT_DBG("chan->mps %u -> %u", chan->mps, mps_len);
6862 chan->mps = mps_len;
6863 l2cap_chan_le_send_credits(chan);
6869 BT_DBG("SDU fragment. chan->sdu->len %u skb->len %u chan->sdu_len %u",
6870 chan->sdu->len, skb->len, chan->sdu_len);
6872 if (chan->sdu->len + skb->len > chan->sdu_len) {
6873 BT_ERR("Too much LE L2CAP data received");
6878 append_skb_frag(chan->sdu, skb, &chan->sdu_last_frag);
6881 if (chan->sdu->len == chan->sdu_len) {
6882 err = l2cap_le_recv(chan, chan->sdu);
6885 chan->sdu_last_frag = NULL;
6893 kfree_skb(chan->sdu);
6895 chan->sdu_last_frag = NULL;
6899 /* We can't return an error here since we took care of the skb
6900 * freeing internally. An error return would cause the caller to
6901 * do a double-free of the skb.
6906 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6907 struct sk_buff *skb)
6909 struct l2cap_chan *chan;
6911 chan = l2cap_get_chan_by_scid(conn, cid);
6913 if (cid == L2CAP_CID_A2MP) {
6914 chan = a2mp_channel_create(conn, skb);
6920 l2cap_chan_lock(chan);
6922 BT_DBG("unknown cid 0x%4.4x", cid);
6923 /* Drop packet and return */
6929 BT_DBG("chan %p, len %d", chan, skb->len);
6931 /* If we receive data on a fixed channel before the info req/rsp
6932 * procdure is done simply assume that the channel is supported
6933 * and mark it as ready.
6935 if (chan->chan_type == L2CAP_CHAN_FIXED)
6936 l2cap_chan_ready(chan);
6938 if (chan->state != BT_CONNECTED)
6941 switch (chan->mode) {
6942 case L2CAP_MODE_LE_FLOWCTL:
6943 if (l2cap_le_data_rcv(chan, skb) < 0)
6948 case L2CAP_MODE_BASIC:
6949 /* If socket recv buffers overflows we drop data here
6950 * which is *bad* because L2CAP has to be reliable.
6951 * But we don't have any other choice. L2CAP doesn't
6952 * provide flow control mechanism. */
6954 if (chan->imtu < skb->len) {
6955 BT_ERR("Dropping L2CAP data: receive buffer overflow");
6959 if (!chan->ops->recv(chan, skb))
6963 case L2CAP_MODE_ERTM:
6964 case L2CAP_MODE_STREAMING:
6965 l2cap_data_rcv(chan, skb);
6969 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6977 l2cap_chan_unlock(chan);
6980 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6981 struct sk_buff *skb)
6983 struct hci_conn *hcon = conn->hcon;
6984 struct l2cap_chan *chan;
6986 if (hcon->type != ACL_LINK)
6989 chan = l2cap_global_chan_by_psm(0, psm, &hcon->src, &hcon->dst,
6994 BT_DBG("chan %p, len %d", chan, skb->len);
6996 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6999 if (chan->imtu < skb->len)
7002 /* Store remote BD_ADDR and PSM for msg_name */
7003 bacpy(&bt_cb(skb)->l2cap.bdaddr, &hcon->dst);
7004 bt_cb(skb)->l2cap.psm = psm;
7006 if (!chan->ops->recv(chan, skb)) {
7007 l2cap_chan_put(chan);
7012 l2cap_chan_put(chan);
7017 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
7019 struct l2cap_hdr *lh = (void *) skb->data;
7020 struct hci_conn *hcon = conn->hcon;
7024 if (hcon->state != BT_CONNECTED) {
7025 BT_DBG("queueing pending rx skb");
7026 skb_queue_tail(&conn->pending_rx, skb);
7030 skb_pull(skb, L2CAP_HDR_SIZE);
7031 cid = __le16_to_cpu(lh->cid);
7032 len = __le16_to_cpu(lh->len);
7034 if (len != skb->len) {
7039 /* Since we can't actively block incoming LE connections we must
7040 * at least ensure that we ignore incoming data from them.
7042 if (hcon->type == LE_LINK &&
7043 hci_bdaddr_list_lookup(&hcon->hdev->blacklist, &hcon->dst,
7044 bdaddr_dst_type(hcon))) {
7049 BT_DBG("len %d, cid 0x%4.4x", len, cid);
7052 case L2CAP_CID_SIGNALING:
7053 l2cap_sig_channel(conn, skb);
7056 case L2CAP_CID_CONN_LESS:
7057 psm = get_unaligned((__le16 *) skb->data);
7058 skb_pull(skb, L2CAP_PSMLEN_SIZE);
7059 l2cap_conless_channel(conn, psm, skb);
7062 case L2CAP_CID_LE_SIGNALING:
7063 l2cap_le_sig_channel(conn, skb);
7067 l2cap_data_channel(conn, cid, skb);
7072 static void process_pending_rx(struct work_struct *work)
7074 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
7076 struct sk_buff *skb;
7080 while ((skb = skb_dequeue(&conn->pending_rx)))
7081 l2cap_recv_frame(conn, skb);
7084 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
7086 struct l2cap_conn *conn = hcon->l2cap_data;
7087 struct hci_chan *hchan;
7092 hchan = hci_chan_create(hcon);
7096 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
7098 hci_chan_del(hchan);
7102 kref_init(&conn->ref);
7103 hcon->l2cap_data = conn;
7104 conn->hcon = hci_conn_get(hcon);
7105 conn->hchan = hchan;
7107 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
7109 switch (hcon->type) {
7111 if (hcon->hdev->le_mtu) {
7112 conn->mtu = hcon->hdev->le_mtu;
7117 conn->mtu = hcon->hdev->acl_mtu;
7121 conn->feat_mask = 0;
7123 conn->local_fixed_chan = L2CAP_FC_SIG_BREDR | L2CAP_FC_CONNLESS;
7125 if (hcon->type == ACL_LINK &&
7126 hci_dev_test_flag(hcon->hdev, HCI_HS_ENABLED))
7127 conn->local_fixed_chan |= L2CAP_FC_A2MP;
7129 if (hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED) &&
7130 (bredr_sc_enabled(hcon->hdev) ||
7131 hci_dev_test_flag(hcon->hdev, HCI_FORCE_BREDR_SMP)))
7132 conn->local_fixed_chan |= L2CAP_FC_SMP_BREDR;
7134 mutex_init(&conn->ident_lock);
7135 mutex_init(&conn->chan_lock);
7137 INIT_LIST_HEAD(&conn->chan_l);
7138 INIT_LIST_HEAD(&conn->users);
7140 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
7142 skb_queue_head_init(&conn->pending_rx);
7143 INIT_WORK(&conn->pending_rx_work, process_pending_rx);
7144 INIT_WORK(&conn->id_addr_update_work, l2cap_conn_update_id_addr);
7146 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
7151 static bool is_valid_psm(u16 psm, u8 dst_type) {
7155 if (bdaddr_type_is_le(dst_type))
7156 return (psm <= 0x00ff);
7158 /* PSM must be odd and lsb of upper byte must be 0 */
7159 return ((psm & 0x0101) == 0x0001);
7162 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
7163 bdaddr_t *dst, u8 dst_type)
7165 struct l2cap_conn *conn;
7166 struct hci_conn *hcon;
7167 struct hci_dev *hdev;
7170 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", &chan->src, dst,
7171 dst_type, __le16_to_cpu(psm));
7173 hdev = hci_get_route(dst, &chan->src, chan->src_type);
7175 return -EHOSTUNREACH;
7179 if (!is_valid_psm(__le16_to_cpu(psm), dst_type) && !cid &&
7180 chan->chan_type != L2CAP_CHAN_RAW) {
7185 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !psm) {
7190 if (chan->chan_type == L2CAP_CHAN_FIXED && !cid) {
7195 switch (chan->mode) {
7196 case L2CAP_MODE_BASIC:
7198 case L2CAP_MODE_LE_FLOWCTL:
7200 case L2CAP_MODE_ERTM:
7201 case L2CAP_MODE_STREAMING:
7210 switch (chan->state) {
7214 /* Already connecting */
7219 /* Already connected */
7233 /* Set destination address and psm */
7234 bacpy(&chan->dst, dst);
7235 chan->dst_type = dst_type;
7240 if (bdaddr_type_is_le(dst_type)) {
7241 /* Convert from L2CAP channel address type to HCI address type
7243 if (dst_type == BDADDR_LE_PUBLIC)
7244 dst_type = ADDR_LE_DEV_PUBLIC;
7246 dst_type = ADDR_LE_DEV_RANDOM;
7248 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7249 hcon = hci_connect_le(hdev, dst, dst_type,
7251 HCI_LE_CONN_TIMEOUT,
7252 HCI_ROLE_SLAVE, NULL);
7254 hcon = hci_connect_le_scan(hdev, dst, dst_type,
7256 HCI_LE_CONN_TIMEOUT);
7259 u8 auth_type = l2cap_get_auth_type(chan);
7260 hcon = hci_connect_acl(hdev, dst, chan->sec_level, auth_type);
7264 err = PTR_ERR(hcon);
7268 conn = l2cap_conn_add(hcon);
7270 hci_conn_drop(hcon);
7275 mutex_lock(&conn->chan_lock);
7276 l2cap_chan_lock(chan);
7278 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
7279 hci_conn_drop(hcon);
7284 /* Update source addr of the socket */
7285 bacpy(&chan->src, &hcon->src);
7286 chan->src_type = bdaddr_src_type(hcon);
7288 __l2cap_chan_add(conn, chan);
7290 /* l2cap_chan_add takes its own ref so we can drop this one */
7291 hci_conn_drop(hcon);
7293 l2cap_state_change(chan, BT_CONNECT);
7294 __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
7296 /* Release chan->sport so that it can be reused by other
7297 * sockets (as it's only used for listening sockets).
7299 write_lock(&chan_list_lock);
7301 write_unlock(&chan_list_lock);
7303 if (hcon->state == BT_CONNECTED) {
7304 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
7305 __clear_chan_timer(chan);
7306 if (l2cap_chan_check_security(chan, true))
7307 l2cap_state_change(chan, BT_CONNECTED);
7309 l2cap_do_start(chan);
7315 l2cap_chan_unlock(chan);
7316 mutex_unlock(&conn->chan_lock);
7318 hci_dev_unlock(hdev);
7322 EXPORT_SYMBOL_GPL(l2cap_chan_connect);
7324 /* ---- L2CAP interface with lower layer (HCI) ---- */
7326 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
7328 int exact = 0, lm1 = 0, lm2 = 0;
7329 struct l2cap_chan *c;
7331 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
7333 /* Find listening sockets and check their link_mode */
7334 read_lock(&chan_list_lock);
7335 list_for_each_entry(c, &chan_list, global_l) {
7336 if (c->state != BT_LISTEN)
7339 if (!bacmp(&c->src, &hdev->bdaddr)) {
7340 lm1 |= HCI_LM_ACCEPT;
7341 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7342 lm1 |= HCI_LM_MASTER;
7344 } else if (!bacmp(&c->src, BDADDR_ANY)) {
7345 lm2 |= HCI_LM_ACCEPT;
7346 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
7347 lm2 |= HCI_LM_MASTER;
7350 read_unlock(&chan_list_lock);
7352 return exact ? lm1 : lm2;
7355 /* Find the next fixed channel in BT_LISTEN state, continue iteration
7356 * from an existing channel in the list or from the beginning of the
7357 * global list (by passing NULL as first parameter).
7359 static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c,
7360 struct hci_conn *hcon)
7362 u8 src_type = bdaddr_src_type(hcon);
7364 read_lock(&chan_list_lock);
7367 c = list_next_entry(c, global_l);
7369 c = list_entry(chan_list.next, typeof(*c), global_l);
7371 list_for_each_entry_from(c, &chan_list, global_l) {
7372 if (c->chan_type != L2CAP_CHAN_FIXED)
7374 if (c->state != BT_LISTEN)
7376 if (bacmp(&c->src, &hcon->src) && bacmp(&c->src, BDADDR_ANY))
7378 if (src_type != c->src_type)
7382 read_unlock(&chan_list_lock);
7386 read_unlock(&chan_list_lock);
7391 static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
7393 struct hci_dev *hdev = hcon->hdev;
7394 struct l2cap_conn *conn;
7395 struct l2cap_chan *pchan;
7398 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7401 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
7404 l2cap_conn_del(hcon, bt_to_errno(status));
7408 conn = l2cap_conn_add(hcon);
7412 dst_type = bdaddr_dst_type(hcon);
7414 /* If device is blocked, do not create channels for it */
7415 if (hci_bdaddr_list_lookup(&hdev->blacklist, &hcon->dst, dst_type))
7418 /* Find fixed channels and notify them of the new connection. We
7419 * use multiple individual lookups, continuing each time where
7420 * we left off, because the list lock would prevent calling the
7421 * potentially sleeping l2cap_chan_lock() function.
7423 pchan = l2cap_global_fixed_chan(NULL, hcon);
7425 struct l2cap_chan *chan, *next;
7427 /* Client fixed channels should override server ones */
7428 if (__l2cap_get_chan_by_dcid(conn, pchan->scid))
7431 l2cap_chan_lock(pchan);
7432 chan = pchan->ops->new_connection(pchan);
7434 bacpy(&chan->src, &hcon->src);
7435 bacpy(&chan->dst, &hcon->dst);
7436 chan->src_type = bdaddr_src_type(hcon);
7437 chan->dst_type = dst_type;
7439 __l2cap_chan_add(conn, chan);
7442 l2cap_chan_unlock(pchan);
7444 next = l2cap_global_fixed_chan(pchan, hcon);
7445 l2cap_chan_put(pchan);
7449 l2cap_conn_ready(conn);
7452 int l2cap_disconn_ind(struct hci_conn *hcon)
7454 struct l2cap_conn *conn = hcon->l2cap_data;
7456 BT_DBG("hcon %p", hcon);
7459 return HCI_ERROR_REMOTE_USER_TERM;
7460 return conn->disc_reason;
7463 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
7465 if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
7468 BT_DBG("hcon %p reason %d", hcon, reason);
7470 l2cap_conn_del(hcon, bt_to_errno(reason));
7473 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
7475 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
7478 if (encrypt == 0x00) {
7479 if (chan->sec_level == BT_SECURITY_MEDIUM) {
7480 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
7481 } else if (chan->sec_level == BT_SECURITY_HIGH ||
7482 chan->sec_level == BT_SECURITY_FIPS)
7483 l2cap_chan_close(chan, ECONNREFUSED);
7485 if (chan->sec_level == BT_SECURITY_MEDIUM)
7486 __clear_chan_timer(chan);
7490 static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
7492 struct l2cap_conn *conn = hcon->l2cap_data;
7493 struct l2cap_chan *chan;
7498 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
7500 mutex_lock(&conn->chan_lock);
7502 list_for_each_entry(chan, &conn->chan_l, list) {
7503 l2cap_chan_lock(chan);
7505 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
7506 state_to_string(chan->state));
7508 if (chan->scid == L2CAP_CID_A2MP) {
7509 l2cap_chan_unlock(chan);
7513 if (!status && encrypt)
7514 chan->sec_level = hcon->sec_level;
7516 if (!__l2cap_no_conn_pending(chan)) {
7517 l2cap_chan_unlock(chan);
7521 if (!status && (chan->state == BT_CONNECTED ||
7522 chan->state == BT_CONFIG)) {
7523 chan->ops->resume(chan);
7524 l2cap_check_encryption(chan, encrypt);
7525 l2cap_chan_unlock(chan);
7529 if (chan->state == BT_CONNECT) {
7530 if (!status && l2cap_check_enc_key_size(hcon))
7531 l2cap_start_connection(chan);
7533 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7534 } else if (chan->state == BT_CONNECT2 &&
7535 chan->mode != L2CAP_MODE_LE_FLOWCTL) {
7536 struct l2cap_conn_rsp rsp;
7539 if (!status && l2cap_check_enc_key_size(hcon)) {
7540 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
7541 res = L2CAP_CR_PEND;
7542 stat = L2CAP_CS_AUTHOR_PEND;
7543 chan->ops->defer(chan);
7545 l2cap_state_change(chan, BT_CONFIG);
7546 res = L2CAP_CR_SUCCESS;
7547 stat = L2CAP_CS_NO_INFO;
7550 l2cap_state_change(chan, BT_DISCONN);
7551 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
7552 res = L2CAP_CR_SEC_BLOCK;
7553 stat = L2CAP_CS_NO_INFO;
7556 rsp.scid = cpu_to_le16(chan->dcid);
7557 rsp.dcid = cpu_to_le16(chan->scid);
7558 rsp.result = cpu_to_le16(res);
7559 rsp.status = cpu_to_le16(stat);
7560 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
7563 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
7564 res == L2CAP_CR_SUCCESS) {
7566 set_bit(CONF_REQ_SENT, &chan->conf_state);
7567 l2cap_send_cmd(conn, l2cap_get_ident(conn),
7569 l2cap_build_conf_req(chan, buf, sizeof(buf)),
7571 chan->num_conf_req++;
7575 l2cap_chan_unlock(chan);
7578 mutex_unlock(&conn->chan_lock);
7581 void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
7583 struct l2cap_conn *conn = hcon->l2cap_data;
7584 struct l2cap_hdr *hdr;
7587 /* For AMP controller do not create l2cap conn */
7588 if (!conn && hcon->hdev->dev_type != HCI_PRIMARY)
7592 conn = l2cap_conn_add(hcon);
7597 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
7601 case ACL_START_NO_FLUSH:
7604 BT_ERR("Unexpected start frame (len %d)", skb->len);
7605 kfree_skb(conn->rx_skb);
7606 conn->rx_skb = NULL;
7608 l2cap_conn_unreliable(conn, ECOMM);
7611 /* Start fragment always begin with Basic L2CAP header */
7612 if (skb->len < L2CAP_HDR_SIZE) {
7613 BT_ERR("Frame is too short (len %d)", skb->len);
7614 l2cap_conn_unreliable(conn, ECOMM);
7618 hdr = (struct l2cap_hdr *) skb->data;
7619 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
7621 if (len == skb->len) {
7622 /* Complete frame received */
7623 l2cap_recv_frame(conn, skb);
7627 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
7629 if (skb->len > len) {
7630 BT_ERR("Frame is too long (len %d, expected len %d)",
7632 l2cap_conn_unreliable(conn, ECOMM);
7636 /* Allocate skb for the complete frame (with header) */
7637 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
7641 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7643 conn->rx_len = len - skb->len;
7647 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
7649 if (!conn->rx_len) {
7650 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
7651 l2cap_conn_unreliable(conn, ECOMM);
7655 if (skb->len > conn->rx_len) {
7656 BT_ERR("Fragment is too long (len %d, expected %d)",
7657 skb->len, conn->rx_len);
7658 kfree_skb(conn->rx_skb);
7659 conn->rx_skb = NULL;
7661 l2cap_conn_unreliable(conn, ECOMM);
7665 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
7667 conn->rx_len -= skb->len;
7669 if (!conn->rx_len) {
7670 /* Complete frame received. l2cap_recv_frame
7671 * takes ownership of the skb so set the global
7672 * rx_skb pointer to NULL first.
7674 struct sk_buff *rx_skb = conn->rx_skb;
7675 conn->rx_skb = NULL;
7676 l2cap_recv_frame(conn, rx_skb);
7685 static struct hci_cb l2cap_cb = {
7687 .connect_cfm = l2cap_connect_cfm,
7688 .disconn_cfm = l2cap_disconn_cfm,
7689 .security_cfm = l2cap_security_cfm,
7692 static int l2cap_debugfs_show(struct seq_file *f, void *p)
7694 struct l2cap_chan *c;
7696 read_lock(&chan_list_lock);
7698 list_for_each_entry(c, &chan_list, global_l) {
7699 seq_printf(f, "%pMR (%u) %pMR (%u) %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
7700 &c->src, c->src_type, &c->dst, c->dst_type,
7701 c->state, __le16_to_cpu(c->psm),
7702 c->scid, c->dcid, c->imtu, c->omtu,
7703 c->sec_level, c->mode);
7706 read_unlock(&chan_list_lock);
7711 DEFINE_SHOW_ATTRIBUTE(l2cap_debugfs);
7713 static struct dentry *l2cap_debugfs;
7715 int __init l2cap_init(void)
7719 err = l2cap_init_sockets();
7723 hci_register_cb(&l2cap_cb);
7725 if (IS_ERR_OR_NULL(bt_debugfs))
7728 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
7729 NULL, &l2cap_debugfs_fops);
7734 void l2cap_exit(void)
7736 debugfs_remove(l2cap_debugfs);
7737 hci_unregister_cb(&l2cap_cb);
7738 l2cap_cleanup_sockets();
7741 module_param(disable_ertm, bool, 0644);
7742 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / librecmc / linux-libre.git / blob