2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
36 #include <net/bluetooth/bluetooth.h>
37 #include <net/bluetooth/hci_core.h>
38 #include <net/bluetooth/l2cap.h>
39 #include <net/bluetooth/smp.h>
40 #include <net/bluetooth/a2mp.h>
41 #include <net/bluetooth/amp.h>
45 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
46 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
48 static LIST_HEAD(chan_list);
49 static DEFINE_RWLOCK(chan_list_lock);
51 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
52 u8 code, u8 ident, u16 dlen, void *data);
53 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
55 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
56 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
58 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
59 struct sk_buff_head *skbs, u8 event);
61 /* ---- L2CAP channels ---- */
63 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
68 list_for_each_entry(c, &conn->chan_l, list) {
75 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
80 list_for_each_entry(c, &conn->chan_l, list) {
87 /* Find channel with given SCID.
88 * Returns locked channel. */
89 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 mutex_lock(&conn->chan_lock);
95 c = __l2cap_get_chan_by_scid(conn, cid);
98 mutex_unlock(&conn->chan_lock);
103 /* Find channel with given DCID.
104 * Returns locked channel.
106 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
109 struct l2cap_chan *c;
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
115 mutex_unlock(&conn->chan_lock);
120 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
123 struct l2cap_chan *c;
125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
132 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
135 struct l2cap_chan *c;
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
141 mutex_unlock(&conn->chan_lock);
146 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
148 struct l2cap_chan *c;
150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
157 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
161 write_lock(&chan_list_lock);
163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
176 for (p = 0x1001; p < 0x1100; p += 2)
177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
186 write_unlock(&chan_list_lock);
190 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
192 write_lock(&chan_list_lock);
196 write_unlock(&chan_list_lock);
201 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
203 u16 cid = L2CAP_CID_DYN_START;
205 for (; cid < L2CAP_CID_DYN_END; cid++) {
206 if (!__l2cap_get_chan_by_scid(conn, cid))
213 static void __l2cap_state_change(struct l2cap_chan *chan, int state)
215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
216 state_to_string(state));
219 chan->ops->state_change(chan, state);
222 static void l2cap_state_change(struct l2cap_chan *chan, int state)
224 struct sock *sk = chan->sk;
227 __l2cap_state_change(chan, state);
231 static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
233 struct sock *sk = chan->sk;
238 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
240 struct sock *sk = chan->sk;
243 __l2cap_chan_set_err(chan, err);
247 static void __set_retrans_timer(struct l2cap_chan *chan)
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
256 static void __set_monitor_timer(struct l2cap_chan *chan)
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
265 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
278 /* ---- L2CAP sequence number lists ---- */
280 /* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
289 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
291 size_t alloc_size, i;
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
297 alloc_size = roundup_pow_of_two(size);
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
312 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
314 kfree(seq_list->list);
317 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
324 static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
326 u16 mask = seq_list->mask;
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
358 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
364 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
378 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
380 u16 mask = seq_list->mask;
382 /* All appends happen in constant time */
384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
390 seq_list->list[seq_list->tail & mask] = seq;
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
396 static void l2cap_chan_timeout(struct work_struct *work)
398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
400 struct l2cap_conn *conn = chan->conn;
403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
405 mutex_lock(&conn->chan_lock);
406 l2cap_chan_lock(chan);
408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
409 reason = ECONNREFUSED;
410 else if (chan->state == BT_CONNECT &&
411 chan->sec_level != BT_SECURITY_SDP)
412 reason = ECONNREFUSED;
416 l2cap_chan_close(chan, reason);
418 l2cap_chan_unlock(chan);
420 chan->ops->close(chan);
421 mutex_unlock(&conn->chan_lock);
423 l2cap_chan_put(chan);
426 struct l2cap_chan *l2cap_chan_create(void)
428 struct l2cap_chan *chan;
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
434 mutex_init(&chan->lock);
436 write_lock(&chan_list_lock);
437 list_add(&chan->global_l, &chan_list);
438 write_unlock(&chan_list_lock);
440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
442 chan->state = BT_OPEN;
444 kref_init(&chan->kref);
446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
449 BT_DBG("chan %p", chan);
454 static void l2cap_chan_destroy(struct kref *kref)
456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
458 BT_DBG("chan %p", chan);
460 write_lock(&chan_list_lock);
461 list_del(&chan->global_l);
462 write_unlock(&chan_list_lock);
467 void l2cap_chan_hold(struct l2cap_chan *c)
469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
474 void l2cap_chan_put(struct l2cap_chan *c)
476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
478 kref_put(&c->kref, l2cap_chan_destroy);
481 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
488 chan->sec_level = BT_SECURITY_LOW;
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
493 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
496 __le16_to_cpu(chan->psm), chan->dcid);
498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
504 if (conn->hcon->type == LE_LINK) {
506 chan->omtu = L2CAP_DEFAULT_MTU;
507 if (chan->dcid == L2CAP_CID_ATT)
508 chan->scid = L2CAP_CID_ATT;
510 chan->scid = l2cap_alloc_cid(conn);
512 /* Alloc CID for connection-oriented socket */
513 chan->scid = l2cap_alloc_cid(conn);
514 chan->omtu = L2CAP_DEFAULT_MTU;
518 case L2CAP_CHAN_CONN_LESS:
519 /* Connectionless socket */
520 chan->scid = L2CAP_CID_CONN_LESS;
521 chan->dcid = L2CAP_CID_CONN_LESS;
522 chan->omtu = L2CAP_DEFAULT_MTU;
525 case L2CAP_CHAN_CONN_FIX_A2MP:
526 chan->scid = L2CAP_CID_A2MP;
527 chan->dcid = L2CAP_CID_A2MP;
528 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
529 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
533 /* Raw socket can send/recv signalling messages only */
534 chan->scid = L2CAP_CID_SIGNALING;
535 chan->dcid = L2CAP_CID_SIGNALING;
536 chan->omtu = L2CAP_DEFAULT_MTU;
539 chan->local_id = L2CAP_BESTEFFORT_ID;
540 chan->local_stype = L2CAP_SERV_BESTEFFORT;
541 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
542 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
543 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
544 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
546 l2cap_chan_hold(chan);
548 hci_conn_hold(conn->hcon);
550 list_add(&chan->list, &conn->chan_l);
553 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
555 mutex_lock(&conn->chan_lock);
556 __l2cap_chan_add(conn, chan);
557 mutex_unlock(&conn->chan_lock);
560 void l2cap_chan_del(struct l2cap_chan *chan, int err)
562 struct l2cap_conn *conn = chan->conn;
564 __clear_chan_timer(chan);
566 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
569 struct amp_mgr *mgr = conn->hcon->amp_mgr;
570 /* Delete from channel list */
571 list_del(&chan->list);
573 l2cap_chan_put(chan);
577 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
578 hci_conn_drop(conn->hcon);
580 if (mgr && mgr->bredr_chan == chan)
581 mgr->bredr_chan = NULL;
584 if (chan->hs_hchan) {
585 struct hci_chan *hs_hchan = chan->hs_hchan;
587 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
588 amp_disconnect_logical_link(hs_hchan);
591 chan->ops->teardown(chan, err);
593 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
597 case L2CAP_MODE_BASIC:
600 case L2CAP_MODE_ERTM:
601 __clear_retrans_timer(chan);
602 __clear_monitor_timer(chan);
603 __clear_ack_timer(chan);
605 skb_queue_purge(&chan->srej_q);
607 l2cap_seq_list_free(&chan->srej_list);
608 l2cap_seq_list_free(&chan->retrans_list);
612 case L2CAP_MODE_STREAMING:
613 skb_queue_purge(&chan->tx_q);
620 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
622 struct l2cap_conn *conn = chan->conn;
623 struct sock *sk = chan->sk;
625 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
628 switch (chan->state) {
630 chan->ops->teardown(chan, 0);
635 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
636 conn->hcon->type == ACL_LINK) {
637 __set_chan_timer(chan, sk->sk_sndtimeo);
638 l2cap_send_disconn_req(chan, reason);
640 l2cap_chan_del(chan, reason);
644 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
645 conn->hcon->type == ACL_LINK) {
646 struct l2cap_conn_rsp rsp;
649 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
650 result = L2CAP_CR_SEC_BLOCK;
652 result = L2CAP_CR_BAD_PSM;
653 l2cap_state_change(chan, BT_DISCONN);
655 rsp.scid = cpu_to_le16(chan->dcid);
656 rsp.dcid = cpu_to_le16(chan->scid);
657 rsp.result = cpu_to_le16(result);
658 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
659 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
663 l2cap_chan_del(chan, reason);
668 l2cap_chan_del(chan, reason);
672 chan->ops->teardown(chan, 0);
677 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
679 if (chan->chan_type == L2CAP_CHAN_RAW) {
680 switch (chan->sec_level) {
681 case BT_SECURITY_HIGH:
682 return HCI_AT_DEDICATED_BONDING_MITM;
683 case BT_SECURITY_MEDIUM:
684 return HCI_AT_DEDICATED_BONDING;
686 return HCI_AT_NO_BONDING;
688 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
689 if (chan->sec_level == BT_SECURITY_LOW)
690 chan->sec_level = BT_SECURITY_SDP;
692 if (chan->sec_level == BT_SECURITY_HIGH)
693 return HCI_AT_NO_BONDING_MITM;
695 return HCI_AT_NO_BONDING;
697 switch (chan->sec_level) {
698 case BT_SECURITY_HIGH:
699 return HCI_AT_GENERAL_BONDING_MITM;
700 case BT_SECURITY_MEDIUM:
701 return HCI_AT_GENERAL_BONDING;
703 return HCI_AT_NO_BONDING;
708 /* Service level security */
709 int l2cap_chan_check_security(struct l2cap_chan *chan)
711 struct l2cap_conn *conn = chan->conn;
714 auth_type = l2cap_get_auth_type(chan);
716 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
719 static u8 l2cap_get_ident(struct l2cap_conn *conn)
723 /* Get next available identificator.
724 * 1 - 128 are used by kernel.
725 * 129 - 199 are reserved.
726 * 200 - 254 are used by utilities like l2ping, etc.
729 spin_lock(&conn->lock);
731 if (++conn->tx_ident > 128)
736 spin_unlock(&conn->lock);
741 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
744 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
747 BT_DBG("code 0x%2.2x", code);
752 if (lmp_no_flush_capable(conn->hcon->hdev))
753 flags = ACL_START_NO_FLUSH;
757 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
758 skb->priority = HCI_PRIO_MAX;
760 hci_send_acl(conn->hchan, skb, flags);
763 static bool __chan_is_moving(struct l2cap_chan *chan)
765 return chan->move_state != L2CAP_MOVE_STABLE &&
766 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
769 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
771 struct hci_conn *hcon = chan->conn->hcon;
774 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
777 if (chan->hs_hcon && !__chan_is_moving(chan)) {
779 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
786 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
787 lmp_no_flush_capable(hcon->hdev))
788 flags = ACL_START_NO_FLUSH;
792 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
793 hci_send_acl(chan->conn->hchan, skb, flags);
796 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
798 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
799 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
801 if (enh & L2CAP_CTRL_FRAME_TYPE) {
804 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
805 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
812 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
813 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
820 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
822 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
823 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
825 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
828 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
829 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
836 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
837 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
844 static inline void __unpack_control(struct l2cap_chan *chan,
847 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
848 __unpack_extended_control(get_unaligned_le32(skb->data),
849 &bt_cb(skb)->control);
850 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
852 __unpack_enhanced_control(get_unaligned_le16(skb->data),
853 &bt_cb(skb)->control);
854 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
858 static u32 __pack_extended_control(struct l2cap_ctrl *control)
862 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
863 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
865 if (control->sframe) {
866 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
867 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
868 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
870 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
871 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
877 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
881 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
882 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
884 if (control->sframe) {
885 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
886 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
887 packed |= L2CAP_CTRL_FRAME_TYPE;
889 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
890 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
896 static inline void __pack_control(struct l2cap_chan *chan,
897 struct l2cap_ctrl *control,
900 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
901 put_unaligned_le32(__pack_extended_control(control),
902 skb->data + L2CAP_HDR_SIZE);
904 put_unaligned_le16(__pack_enhanced_control(control),
905 skb->data + L2CAP_HDR_SIZE);
909 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
911 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
912 return L2CAP_EXT_HDR_SIZE;
914 return L2CAP_ENH_HDR_SIZE;
917 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
921 struct l2cap_hdr *lh;
922 int hlen = __ertm_hdr_size(chan);
924 if (chan->fcs == L2CAP_FCS_CRC16)
925 hlen += L2CAP_FCS_SIZE;
927 skb = bt_skb_alloc(hlen, GFP_KERNEL);
930 return ERR_PTR(-ENOMEM);
932 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
933 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
934 lh->cid = cpu_to_le16(chan->dcid);
936 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
937 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
939 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
941 if (chan->fcs == L2CAP_FCS_CRC16) {
942 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
943 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
946 skb->priority = HCI_PRIO_MAX;
950 static void l2cap_send_sframe(struct l2cap_chan *chan,
951 struct l2cap_ctrl *control)
956 BT_DBG("chan %p, control %p", chan, control);
958 if (!control->sframe)
961 if (__chan_is_moving(chan))
964 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
968 if (control->super == L2CAP_SUPER_RR)
969 clear_bit(CONN_RNR_SENT, &chan->conn_state);
970 else if (control->super == L2CAP_SUPER_RNR)
971 set_bit(CONN_RNR_SENT, &chan->conn_state);
973 if (control->super != L2CAP_SUPER_SREJ) {
974 chan->last_acked_seq = control->reqseq;
975 __clear_ack_timer(chan);
978 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
979 control->final, control->poll, control->super);
981 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
982 control_field = __pack_extended_control(control);
984 control_field = __pack_enhanced_control(control);
986 skb = l2cap_create_sframe_pdu(chan, control_field);
988 l2cap_do_send(chan, skb);
991 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
993 struct l2cap_ctrl control;
995 BT_DBG("chan %p, poll %d", chan, poll);
997 memset(&control, 0, sizeof(control));
1001 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
1002 control.super = L2CAP_SUPER_RNR;
1004 control.super = L2CAP_SUPER_RR;
1006 control.reqseq = chan->buffer_seq;
1007 l2cap_send_sframe(chan, &control);
1010 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1012 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1015 static bool __amp_capable(struct l2cap_chan *chan)
1017 struct l2cap_conn *conn = chan->conn;
1020 hci_amp_capable() &&
1021 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1022 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1028 static bool l2cap_check_efs(struct l2cap_chan *chan)
1030 /* Check EFS parameters */
1034 void l2cap_send_conn_req(struct l2cap_chan *chan)
1036 struct l2cap_conn *conn = chan->conn;
1037 struct l2cap_conn_req req;
1039 req.scid = cpu_to_le16(chan->scid);
1040 req.psm = chan->psm;
1042 chan->ident = l2cap_get_ident(conn);
1044 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1046 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1049 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1051 struct l2cap_create_chan_req req;
1052 req.scid = cpu_to_le16(chan->scid);
1053 req.psm = chan->psm;
1054 req.amp_id = amp_id;
1056 chan->ident = l2cap_get_ident(chan->conn);
1058 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1062 static void l2cap_move_setup(struct l2cap_chan *chan)
1064 struct sk_buff *skb;
1066 BT_DBG("chan %p", chan);
1068 if (chan->mode != L2CAP_MODE_ERTM)
1071 __clear_retrans_timer(chan);
1072 __clear_monitor_timer(chan);
1073 __clear_ack_timer(chan);
1075 chan->retry_count = 0;
1076 skb_queue_walk(&chan->tx_q, skb) {
1077 if (bt_cb(skb)->control.retries)
1078 bt_cb(skb)->control.retries = 1;
1083 chan->expected_tx_seq = chan->buffer_seq;
1085 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1086 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1087 l2cap_seq_list_clear(&chan->retrans_list);
1088 l2cap_seq_list_clear(&chan->srej_list);
1089 skb_queue_purge(&chan->srej_q);
1091 chan->tx_state = L2CAP_TX_STATE_XMIT;
1092 chan->rx_state = L2CAP_RX_STATE_MOVE;
1094 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1097 static void l2cap_move_done(struct l2cap_chan *chan)
1099 u8 move_role = chan->move_role;
1100 BT_DBG("chan %p", chan);
1102 chan->move_state = L2CAP_MOVE_STABLE;
1103 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1105 if (chan->mode != L2CAP_MODE_ERTM)
1108 switch (move_role) {
1109 case L2CAP_MOVE_ROLE_INITIATOR:
1110 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1111 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1113 case L2CAP_MOVE_ROLE_RESPONDER:
1114 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1119 static void l2cap_chan_ready(struct l2cap_chan *chan)
1121 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1122 chan->conf_state = 0;
1123 __clear_chan_timer(chan);
1125 chan->state = BT_CONNECTED;
1127 chan->ops->ready(chan);
1130 static void l2cap_start_connection(struct l2cap_chan *chan)
1132 if (__amp_capable(chan)) {
1133 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1134 a2mp_discover_amp(chan);
1136 l2cap_send_conn_req(chan);
1140 static void l2cap_do_start(struct l2cap_chan *chan)
1142 struct l2cap_conn *conn = chan->conn;
1144 if (conn->hcon->type == LE_LINK) {
1145 l2cap_chan_ready(chan);
1149 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
1150 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1153 if (l2cap_chan_check_security(chan) &&
1154 __l2cap_no_conn_pending(chan)) {
1155 l2cap_start_connection(chan);
1158 struct l2cap_info_req req;
1159 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
1161 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1162 conn->info_ident = l2cap_get_ident(conn);
1164 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1166 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1171 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1173 u32 local_feat_mask = l2cap_feat_mask;
1175 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1178 case L2CAP_MODE_ERTM:
1179 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1180 case L2CAP_MODE_STREAMING:
1181 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1187 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1189 struct sock *sk = chan->sk;
1190 struct l2cap_conn *conn = chan->conn;
1191 struct l2cap_disconn_req req;
1196 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1197 __clear_retrans_timer(chan);
1198 __clear_monitor_timer(chan);
1199 __clear_ack_timer(chan);
1202 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1203 l2cap_state_change(chan, BT_DISCONN);
1207 req.dcid = cpu_to_le16(chan->dcid);
1208 req.scid = cpu_to_le16(chan->scid);
1209 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1213 __l2cap_state_change(chan, BT_DISCONN);
1214 __l2cap_chan_set_err(chan, err);
1218 /* ---- L2CAP connections ---- */
1219 static void l2cap_conn_start(struct l2cap_conn *conn)
1221 struct l2cap_chan *chan, *tmp;
1223 BT_DBG("conn %p", conn);
1225 mutex_lock(&conn->chan_lock);
1227 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1228 struct sock *sk = chan->sk;
1230 l2cap_chan_lock(chan);
1232 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1233 l2cap_chan_unlock(chan);
1237 if (chan->state == BT_CONNECT) {
1238 if (!l2cap_chan_check_security(chan) ||
1239 !__l2cap_no_conn_pending(chan)) {
1240 l2cap_chan_unlock(chan);
1244 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1245 && test_bit(CONF_STATE2_DEVICE,
1246 &chan->conf_state)) {
1247 l2cap_chan_close(chan, ECONNRESET);
1248 l2cap_chan_unlock(chan);
1252 l2cap_start_connection(chan);
1254 } else if (chan->state == BT_CONNECT2) {
1255 struct l2cap_conn_rsp rsp;
1257 rsp.scid = cpu_to_le16(chan->dcid);
1258 rsp.dcid = cpu_to_le16(chan->scid);
1260 if (l2cap_chan_check_security(chan)) {
1262 if (test_bit(BT_SK_DEFER_SETUP,
1263 &bt_sk(sk)->flags)) {
1264 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1265 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1266 chan->ops->defer(chan);
1269 __l2cap_state_change(chan, BT_CONFIG);
1270 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1271 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
1275 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1276 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1279 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1282 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1283 rsp.result != L2CAP_CR_SUCCESS) {
1284 l2cap_chan_unlock(chan);
1288 set_bit(CONF_REQ_SENT, &chan->conf_state);
1289 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1290 l2cap_build_conf_req(chan, buf), buf);
1291 chan->num_conf_req++;
1294 l2cap_chan_unlock(chan);
1297 mutex_unlock(&conn->chan_lock);
1300 /* Find socket with cid and source/destination bdaddr.
1301 * Returns closest match, locked.
1303 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1307 struct l2cap_chan *c, *c1 = NULL;
1309 read_lock(&chan_list_lock);
1311 list_for_each_entry(c, &chan_list, global_l) {
1312 struct sock *sk = c->sk;
1314 if (state && c->state != state)
1317 if (c->scid == cid) {
1318 int src_match, dst_match;
1319 int src_any, dst_any;
1322 src_match = !bacmp(&bt_sk(sk)->src, src);
1323 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1324 if (src_match && dst_match) {
1325 read_unlock(&chan_list_lock);
1330 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1331 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1332 if ((src_match && dst_any) || (src_any && dst_match) ||
1333 (src_any && dst_any))
1338 read_unlock(&chan_list_lock);
1343 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1345 struct sock *parent;
1346 struct l2cap_chan *chan, *pchan;
1350 /* Check if we have socket listening on cid */
1351 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_ATT,
1352 conn->src, conn->dst);
1356 /* Client ATT sockets should override the server one */
1357 if (__l2cap_get_chan_by_dcid(conn, L2CAP_CID_ATT))
1364 chan = pchan->ops->new_connection(pchan);
1368 chan->dcid = L2CAP_CID_ATT;
1370 bacpy(&bt_sk(chan->sk)->src, conn->src);
1371 bacpy(&bt_sk(chan->sk)->dst, conn->dst);
1373 __l2cap_chan_add(conn, chan);
1376 release_sock(parent);
1379 static void l2cap_conn_ready(struct l2cap_conn *conn)
1381 struct l2cap_chan *chan;
1382 struct hci_conn *hcon = conn->hcon;
1384 BT_DBG("conn %p", conn);
1386 /* For outgoing pairing which doesn't necessarily have an
1387 * associated socket (e.g. mgmt_pair_device).
1389 if (hcon->out && hcon->type == LE_LINK)
1390 smp_conn_security(hcon, hcon->pending_sec_level);
1392 mutex_lock(&conn->chan_lock);
1394 if (hcon->type == LE_LINK)
1395 l2cap_le_conn_ready(conn);
1397 list_for_each_entry(chan, &conn->chan_l, list) {
1399 l2cap_chan_lock(chan);
1401 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1402 l2cap_chan_unlock(chan);
1406 if (hcon->type == LE_LINK) {
1407 if (smp_conn_security(hcon, chan->sec_level))
1408 l2cap_chan_ready(chan);
1410 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1411 struct sock *sk = chan->sk;
1412 __clear_chan_timer(chan);
1414 __l2cap_state_change(chan, BT_CONNECTED);
1415 sk->sk_state_change(sk);
1418 } else if (chan->state == BT_CONNECT) {
1419 l2cap_do_start(chan);
1422 l2cap_chan_unlock(chan);
1425 mutex_unlock(&conn->chan_lock);
1428 /* Notify sockets that we cannot guaranty reliability anymore */
1429 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1431 struct l2cap_chan *chan;
1433 BT_DBG("conn %p", conn);
1435 mutex_lock(&conn->chan_lock);
1437 list_for_each_entry(chan, &conn->chan_l, list) {
1438 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1439 l2cap_chan_set_err(chan, err);
1442 mutex_unlock(&conn->chan_lock);
1445 static void l2cap_info_timeout(struct work_struct *work)
1447 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1450 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1451 conn->info_ident = 0;
1453 l2cap_conn_start(conn);
1458 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1459 * callback is called during registration. The ->remove callback is called
1460 * during unregistration.
1461 * An l2cap_user object can either be explicitly unregistered or when the
1462 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1463 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1464 * External modules must own a reference to the l2cap_conn object if they intend
1465 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1466 * any time if they don't.
1469 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1471 struct hci_dev *hdev = conn->hcon->hdev;
1474 /* We need to check whether l2cap_conn is registered. If it is not, we
1475 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1476 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1477 * relies on the parent hci_conn object to be locked. This itself relies
1478 * on the hci_dev object to be locked. So we must lock the hci device
1483 if (user->list.next || user->list.prev) {
1488 /* conn->hchan is NULL after l2cap_conn_del() was called */
1494 ret = user->probe(conn, user);
1498 list_add(&user->list, &conn->users);
1502 hci_dev_unlock(hdev);
1505 EXPORT_SYMBOL(l2cap_register_user);
1507 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1509 struct hci_dev *hdev = conn->hcon->hdev;
1513 if (!user->list.next || !user->list.prev)
1516 list_del(&user->list);
1517 user->list.next = NULL;
1518 user->list.prev = NULL;
1519 user->remove(conn, user);
1522 hci_dev_unlock(hdev);
1524 EXPORT_SYMBOL(l2cap_unregister_user);
1526 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1528 struct l2cap_user *user;
1530 while (!list_empty(&conn->users)) {
1531 user = list_first_entry(&conn->users, struct l2cap_user, list);
1532 list_del(&user->list);
1533 user->list.next = NULL;
1534 user->list.prev = NULL;
1535 user->remove(conn, user);
1539 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1541 struct l2cap_conn *conn = hcon->l2cap_data;
1542 struct l2cap_chan *chan, *l;
1547 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1549 kfree_skb(conn->rx_skb);
1551 l2cap_unregister_all_users(conn);
1553 mutex_lock(&conn->chan_lock);
1556 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1557 l2cap_chan_hold(chan);
1558 l2cap_chan_lock(chan);
1560 l2cap_chan_del(chan, err);
1562 l2cap_chan_unlock(chan);
1564 chan->ops->close(chan);
1565 l2cap_chan_put(chan);
1568 mutex_unlock(&conn->chan_lock);
1570 hci_chan_del(conn->hchan);
1572 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1573 cancel_delayed_work_sync(&conn->info_timer);
1575 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1576 cancel_delayed_work_sync(&conn->security_timer);
1577 smp_chan_destroy(conn);
1580 hcon->l2cap_data = NULL;
1582 l2cap_conn_put(conn);
1585 static void security_timeout(struct work_struct *work)
1587 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1588 security_timer.work);
1590 BT_DBG("conn %p", conn);
1592 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1593 smp_chan_destroy(conn);
1594 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1598 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1600 struct l2cap_conn *conn = hcon->l2cap_data;
1601 struct hci_chan *hchan;
1606 hchan = hci_chan_create(hcon);
1610 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
1612 hci_chan_del(hchan);
1616 kref_init(&conn->ref);
1617 hcon->l2cap_data = conn;
1619 hci_conn_get(conn->hcon);
1620 conn->hchan = hchan;
1622 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1624 switch (hcon->type) {
1626 if (hcon->hdev->le_mtu) {
1627 conn->mtu = hcon->hdev->le_mtu;
1632 conn->mtu = hcon->hdev->acl_mtu;
1636 conn->src = &hcon->hdev->bdaddr;
1637 conn->dst = &hcon->dst;
1639 conn->feat_mask = 0;
1641 spin_lock_init(&conn->lock);
1642 mutex_init(&conn->chan_lock);
1644 INIT_LIST_HEAD(&conn->chan_l);
1645 INIT_LIST_HEAD(&conn->users);
1647 if (hcon->type == LE_LINK)
1648 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1650 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1652 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1657 static void l2cap_conn_free(struct kref *ref)
1659 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1661 hci_conn_put(conn->hcon);
1665 void l2cap_conn_get(struct l2cap_conn *conn)
1667 kref_get(&conn->ref);
1669 EXPORT_SYMBOL(l2cap_conn_get);
1671 void l2cap_conn_put(struct l2cap_conn *conn)
1673 kref_put(&conn->ref, l2cap_conn_free);
1675 EXPORT_SYMBOL(l2cap_conn_put);
1677 /* ---- Socket interface ---- */
1679 /* Find socket with psm and source / destination bdaddr.
1680 * Returns closest match.
1682 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1686 struct l2cap_chan *c, *c1 = NULL;
1688 read_lock(&chan_list_lock);
1690 list_for_each_entry(c, &chan_list, global_l) {
1691 struct sock *sk = c->sk;
1693 if (state && c->state != state)
1696 if (c->psm == psm) {
1697 int src_match, dst_match;
1698 int src_any, dst_any;
1701 src_match = !bacmp(&bt_sk(sk)->src, src);
1702 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1703 if (src_match && dst_match) {
1704 read_unlock(&chan_list_lock);
1709 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1710 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1711 if ((src_match && dst_any) || (src_any && dst_match) ||
1712 (src_any && dst_any))
1717 read_unlock(&chan_list_lock);
1722 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1723 bdaddr_t *dst, u8 dst_type)
1725 struct sock *sk = chan->sk;
1726 bdaddr_t *src = &bt_sk(sk)->src;
1727 struct l2cap_conn *conn;
1728 struct hci_conn *hcon;
1729 struct hci_dev *hdev;
1733 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
1734 dst_type, __le16_to_cpu(psm));
1736 hdev = hci_get_route(dst, src);
1738 return -EHOSTUNREACH;
1742 l2cap_chan_lock(chan);
1744 /* PSM must be odd and lsb of upper byte must be 0 */
1745 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1746 chan->chan_type != L2CAP_CHAN_RAW) {
1751 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1756 switch (chan->mode) {
1757 case L2CAP_MODE_BASIC:
1759 case L2CAP_MODE_ERTM:
1760 case L2CAP_MODE_STREAMING:
1769 switch (chan->state) {
1773 /* Already connecting */
1778 /* Already connected */
1792 /* Set destination address and psm */
1794 bacpy(&bt_sk(sk)->dst, dst);
1800 auth_type = l2cap_get_auth_type(chan);
1802 if (bdaddr_type_is_le(dst_type))
1803 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
1804 chan->sec_level, auth_type);
1806 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
1807 chan->sec_level, auth_type);
1810 err = PTR_ERR(hcon);
1814 conn = l2cap_conn_add(hcon);
1816 hci_conn_drop(hcon);
1821 if (cid && __l2cap_get_chan_by_dcid(conn, cid)) {
1822 hci_conn_drop(hcon);
1827 /* Update source addr of the socket */
1828 bacpy(src, conn->src);
1830 l2cap_chan_unlock(chan);
1831 l2cap_chan_add(conn, chan);
1832 l2cap_chan_lock(chan);
1834 /* l2cap_chan_add takes its own ref so we can drop this one */
1835 hci_conn_drop(hcon);
1837 l2cap_state_change(chan, BT_CONNECT);
1838 __set_chan_timer(chan, sk->sk_sndtimeo);
1840 if (hcon->state == BT_CONNECTED) {
1841 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1842 __clear_chan_timer(chan);
1843 if (l2cap_chan_check_security(chan))
1844 l2cap_state_change(chan, BT_CONNECTED);
1846 l2cap_do_start(chan);
1852 l2cap_chan_unlock(chan);
1853 hci_dev_unlock(hdev);
1858 int __l2cap_wait_ack(struct sock *sk)
1860 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1861 DECLARE_WAITQUEUE(wait, current);
1865 add_wait_queue(sk_sleep(sk), &wait);
1866 set_current_state(TASK_INTERRUPTIBLE);
1867 while (chan->unacked_frames > 0 && chan->conn) {
1871 if (signal_pending(current)) {
1872 err = sock_intr_errno(timeo);
1877 timeo = schedule_timeout(timeo);
1879 set_current_state(TASK_INTERRUPTIBLE);
1881 err = sock_error(sk);
1885 set_current_state(TASK_RUNNING);
1886 remove_wait_queue(sk_sleep(sk), &wait);
1890 static void l2cap_monitor_timeout(struct work_struct *work)
1892 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1893 monitor_timer.work);
1895 BT_DBG("chan %p", chan);
1897 l2cap_chan_lock(chan);
1900 l2cap_chan_unlock(chan);
1901 l2cap_chan_put(chan);
1905 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1907 l2cap_chan_unlock(chan);
1908 l2cap_chan_put(chan);
1911 static void l2cap_retrans_timeout(struct work_struct *work)
1913 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1914 retrans_timer.work);
1916 BT_DBG("chan %p", chan);
1918 l2cap_chan_lock(chan);
1921 l2cap_chan_unlock(chan);
1922 l2cap_chan_put(chan);
1926 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1927 l2cap_chan_unlock(chan);
1928 l2cap_chan_put(chan);
1931 static void l2cap_streaming_send(struct l2cap_chan *chan,
1932 struct sk_buff_head *skbs)
1934 struct sk_buff *skb;
1935 struct l2cap_ctrl *control;
1937 BT_DBG("chan %p, skbs %p", chan, skbs);
1939 if (__chan_is_moving(chan))
1942 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1944 while (!skb_queue_empty(&chan->tx_q)) {
1946 skb = skb_dequeue(&chan->tx_q);
1948 bt_cb(skb)->control.retries = 1;
1949 control = &bt_cb(skb)->control;
1951 control->reqseq = 0;
1952 control->txseq = chan->next_tx_seq;
1954 __pack_control(chan, control, skb);
1956 if (chan->fcs == L2CAP_FCS_CRC16) {
1957 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1958 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1961 l2cap_do_send(chan, skb);
1963 BT_DBG("Sent txseq %u", control->txseq);
1965 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1966 chan->frames_sent++;
1970 static int l2cap_ertm_send(struct l2cap_chan *chan)
1972 struct sk_buff *skb, *tx_skb;
1973 struct l2cap_ctrl *control;
1976 BT_DBG("chan %p", chan);
1978 if (chan->state != BT_CONNECTED)
1981 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1984 if (__chan_is_moving(chan))
1987 while (chan->tx_send_head &&
1988 chan->unacked_frames < chan->remote_tx_win &&
1989 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1991 skb = chan->tx_send_head;
1993 bt_cb(skb)->control.retries = 1;
1994 control = &bt_cb(skb)->control;
1996 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1999 control->reqseq = chan->buffer_seq;
2000 chan->last_acked_seq = chan->buffer_seq;
2001 control->txseq = chan->next_tx_seq;
2003 __pack_control(chan, control, skb);
2005 if (chan->fcs == L2CAP_FCS_CRC16) {
2006 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2007 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2010 /* Clone after data has been modified. Data is assumed to be
2011 read-only (for locking purposes) on cloned sk_buffs.
2013 tx_skb = skb_clone(skb, GFP_KERNEL);
2018 __set_retrans_timer(chan);
2020 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2021 chan->unacked_frames++;
2022 chan->frames_sent++;
2025 if (skb_queue_is_last(&chan->tx_q, skb))
2026 chan->tx_send_head = NULL;
2028 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2030 l2cap_do_send(chan, tx_skb);
2031 BT_DBG("Sent txseq %u", control->txseq);
2034 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2035 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2040 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2042 struct l2cap_ctrl control;
2043 struct sk_buff *skb;
2044 struct sk_buff *tx_skb;
2047 BT_DBG("chan %p", chan);
2049 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2052 if (__chan_is_moving(chan))
2055 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2056 seq = l2cap_seq_list_pop(&chan->retrans_list);
2058 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2060 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2065 bt_cb(skb)->control.retries++;
2066 control = bt_cb(skb)->control;
2068 if (chan->max_tx != 0 &&
2069 bt_cb(skb)->control.retries > chan->max_tx) {
2070 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2071 l2cap_send_disconn_req(chan, ECONNRESET);
2072 l2cap_seq_list_clear(&chan->retrans_list);
2076 control.reqseq = chan->buffer_seq;
2077 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2082 if (skb_cloned(skb)) {
2083 /* Cloned sk_buffs are read-only, so we need a
2086 tx_skb = skb_copy(skb, GFP_KERNEL);
2088 tx_skb = skb_clone(skb, GFP_KERNEL);
2092 l2cap_seq_list_clear(&chan->retrans_list);
2096 /* Update skb contents */
2097 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2098 put_unaligned_le32(__pack_extended_control(&control),
2099 tx_skb->data + L2CAP_HDR_SIZE);
2101 put_unaligned_le16(__pack_enhanced_control(&control),
2102 tx_skb->data + L2CAP_HDR_SIZE);
2105 if (chan->fcs == L2CAP_FCS_CRC16) {
2106 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2107 put_unaligned_le16(fcs, skb_put(tx_skb,
2111 l2cap_do_send(chan, tx_skb);
2113 BT_DBG("Resent txseq %d", control.txseq);
2115 chan->last_acked_seq = chan->buffer_seq;
2119 static void l2cap_retransmit(struct l2cap_chan *chan,
2120 struct l2cap_ctrl *control)
2122 BT_DBG("chan %p, control %p", chan, control);
2124 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2125 l2cap_ertm_resend(chan);
2128 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2129 struct l2cap_ctrl *control)
2131 struct sk_buff *skb;
2133 BT_DBG("chan %p, control %p", chan, control);
2136 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2138 l2cap_seq_list_clear(&chan->retrans_list);
2140 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2143 if (chan->unacked_frames) {
2144 skb_queue_walk(&chan->tx_q, skb) {
2145 if (bt_cb(skb)->control.txseq == control->reqseq ||
2146 skb == chan->tx_send_head)
2150 skb_queue_walk_from(&chan->tx_q, skb) {
2151 if (skb == chan->tx_send_head)
2154 l2cap_seq_list_append(&chan->retrans_list,
2155 bt_cb(skb)->control.txseq);
2158 l2cap_ertm_resend(chan);
2162 static void l2cap_send_ack(struct l2cap_chan *chan)
2164 struct l2cap_ctrl control;
2165 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2166 chan->last_acked_seq);
2169 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2170 chan, chan->last_acked_seq, chan->buffer_seq);
2172 memset(&control, 0, sizeof(control));
2175 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2176 chan->rx_state == L2CAP_RX_STATE_RECV) {
2177 __clear_ack_timer(chan);
2178 control.super = L2CAP_SUPER_RNR;
2179 control.reqseq = chan->buffer_seq;
2180 l2cap_send_sframe(chan, &control);
2182 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2183 l2cap_ertm_send(chan);
2184 /* If any i-frames were sent, they included an ack */
2185 if (chan->buffer_seq == chan->last_acked_seq)
2189 /* Ack now if the window is 3/4ths full.
2190 * Calculate without mul or div
2192 threshold = chan->ack_win;
2193 threshold += threshold << 1;
2196 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2199 if (frames_to_ack >= threshold) {
2200 __clear_ack_timer(chan);
2201 control.super = L2CAP_SUPER_RR;
2202 control.reqseq = chan->buffer_seq;
2203 l2cap_send_sframe(chan, &control);
2208 __set_ack_timer(chan);
2212 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2213 struct msghdr *msg, int len,
2214 int count, struct sk_buff *skb)
2216 struct l2cap_conn *conn = chan->conn;
2217 struct sk_buff **frag;
2220 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
2226 /* Continuation fragments (no L2CAP header) */
2227 frag = &skb_shinfo(skb)->frag_list;
2229 struct sk_buff *tmp;
2231 count = min_t(unsigned int, conn->mtu, len);
2233 tmp = chan->ops->alloc_skb(chan, count,
2234 msg->msg_flags & MSG_DONTWAIT);
2236 return PTR_ERR(tmp);
2240 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2243 (*frag)->priority = skb->priority;
2248 skb->len += (*frag)->len;
2249 skb->data_len += (*frag)->len;
2251 frag = &(*frag)->next;
2257 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2258 struct msghdr *msg, size_t len,
2261 struct l2cap_conn *conn = chan->conn;
2262 struct sk_buff *skb;
2263 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2264 struct l2cap_hdr *lh;
2266 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
2268 count = min_t(unsigned int, (conn->mtu - hlen), len);
2270 skb = chan->ops->alloc_skb(chan, count + hlen,
2271 msg->msg_flags & MSG_DONTWAIT);
2275 skb->priority = priority;
2277 /* Create L2CAP header */
2278 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2279 lh->cid = cpu_to_le16(chan->dcid);
2280 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2281 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
2283 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2284 if (unlikely(err < 0)) {
2286 return ERR_PTR(err);
2291 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2292 struct msghdr *msg, size_t len,
2295 struct l2cap_conn *conn = chan->conn;
2296 struct sk_buff *skb;
2298 struct l2cap_hdr *lh;
2300 BT_DBG("chan %p len %zu", chan, len);
2302 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2304 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
2305 msg->msg_flags & MSG_DONTWAIT);
2309 skb->priority = priority;
2311 /* Create L2CAP header */
2312 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2313 lh->cid = cpu_to_le16(chan->dcid);
2314 lh->len = cpu_to_le16(len);
2316 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2317 if (unlikely(err < 0)) {
2319 return ERR_PTR(err);
2324 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2325 struct msghdr *msg, size_t len,
2328 struct l2cap_conn *conn = chan->conn;
2329 struct sk_buff *skb;
2330 int err, count, hlen;
2331 struct l2cap_hdr *lh;
2333 BT_DBG("chan %p len %zu", chan, len);
2336 return ERR_PTR(-ENOTCONN);
2338 hlen = __ertm_hdr_size(chan);
2341 hlen += L2CAP_SDULEN_SIZE;
2343 if (chan->fcs == L2CAP_FCS_CRC16)
2344 hlen += L2CAP_FCS_SIZE;
2346 count = min_t(unsigned int, (conn->mtu - hlen), len);
2348 skb = chan->ops->alloc_skb(chan, count + hlen,
2349 msg->msg_flags & MSG_DONTWAIT);
2353 /* Create L2CAP header */
2354 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2355 lh->cid = cpu_to_le16(chan->dcid);
2356 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2358 /* Control header is populated later */
2359 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2360 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2362 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2365 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2367 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2368 if (unlikely(err < 0)) {
2370 return ERR_PTR(err);
2373 bt_cb(skb)->control.fcs = chan->fcs;
2374 bt_cb(skb)->control.retries = 0;
2378 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2379 struct sk_buff_head *seg_queue,
2380 struct msghdr *msg, size_t len)
2382 struct sk_buff *skb;
2387 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2389 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2390 * so fragmented skbs are not used. The HCI layer's handling
2391 * of fragmented skbs is not compatible with ERTM's queueing.
2394 /* PDU size is derived from the HCI MTU */
2395 pdu_len = chan->conn->mtu;
2397 /* Constrain PDU size for BR/EDR connections */
2399 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2401 /* Adjust for largest possible L2CAP overhead. */
2403 pdu_len -= L2CAP_FCS_SIZE;
2405 pdu_len -= __ertm_hdr_size(chan);
2407 /* Remote device may have requested smaller PDUs */
2408 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2410 if (len <= pdu_len) {
2411 sar = L2CAP_SAR_UNSEGMENTED;
2415 sar = L2CAP_SAR_START;
2417 pdu_len -= L2CAP_SDULEN_SIZE;
2421 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2424 __skb_queue_purge(seg_queue);
2425 return PTR_ERR(skb);
2428 bt_cb(skb)->control.sar = sar;
2429 __skb_queue_tail(seg_queue, skb);
2434 pdu_len += L2CAP_SDULEN_SIZE;
2437 if (len <= pdu_len) {
2438 sar = L2CAP_SAR_END;
2441 sar = L2CAP_SAR_CONTINUE;
2448 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2451 struct sk_buff *skb;
2453 struct sk_buff_head seg_queue;
2455 /* Connectionless channel */
2456 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2457 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
2459 return PTR_ERR(skb);
2461 l2cap_do_send(chan, skb);
2465 switch (chan->mode) {
2466 case L2CAP_MODE_BASIC:
2467 /* Check outgoing MTU */
2468 if (len > chan->omtu)
2471 /* Create a basic PDU */
2472 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
2474 return PTR_ERR(skb);
2476 l2cap_do_send(chan, skb);
2480 case L2CAP_MODE_ERTM:
2481 case L2CAP_MODE_STREAMING:
2482 /* Check outgoing MTU */
2483 if (len > chan->omtu) {
2488 __skb_queue_head_init(&seg_queue);
2490 /* Do segmentation before calling in to the state machine,
2491 * since it's possible to block while waiting for memory
2494 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2496 /* The channel could have been closed while segmenting,
2497 * check that it is still connected.
2499 if (chan->state != BT_CONNECTED) {
2500 __skb_queue_purge(&seg_queue);
2507 if (chan->mode == L2CAP_MODE_ERTM)
2508 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2510 l2cap_streaming_send(chan, &seg_queue);
2514 /* If the skbs were not queued for sending, they'll still be in
2515 * seg_queue and need to be purged.
2517 __skb_queue_purge(&seg_queue);
2521 BT_DBG("bad state %1.1x", chan->mode);
2528 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2530 struct l2cap_ctrl control;
2533 BT_DBG("chan %p, txseq %u", chan, txseq);
2535 memset(&control, 0, sizeof(control));
2537 control.super = L2CAP_SUPER_SREJ;
2539 for (seq = chan->expected_tx_seq; seq != txseq;
2540 seq = __next_seq(chan, seq)) {
2541 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2542 control.reqseq = seq;
2543 l2cap_send_sframe(chan, &control);
2544 l2cap_seq_list_append(&chan->srej_list, seq);
2548 chan->expected_tx_seq = __next_seq(chan, txseq);
2551 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2553 struct l2cap_ctrl control;
2555 BT_DBG("chan %p", chan);
2557 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2560 memset(&control, 0, sizeof(control));
2562 control.super = L2CAP_SUPER_SREJ;
2563 control.reqseq = chan->srej_list.tail;
2564 l2cap_send_sframe(chan, &control);
2567 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2569 struct l2cap_ctrl control;
2573 BT_DBG("chan %p, txseq %u", chan, txseq);
2575 memset(&control, 0, sizeof(control));
2577 control.super = L2CAP_SUPER_SREJ;
2579 /* Capture initial list head to allow only one pass through the list. */
2580 initial_head = chan->srej_list.head;
2583 seq = l2cap_seq_list_pop(&chan->srej_list);
2584 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2587 control.reqseq = seq;
2588 l2cap_send_sframe(chan, &control);
2589 l2cap_seq_list_append(&chan->srej_list, seq);
2590 } while (chan->srej_list.head != initial_head);
2593 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2595 struct sk_buff *acked_skb;
2598 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2600 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2603 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2604 chan->expected_ack_seq, chan->unacked_frames);
2606 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2607 ackseq = __next_seq(chan, ackseq)) {
2609 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2611 skb_unlink(acked_skb, &chan->tx_q);
2612 kfree_skb(acked_skb);
2613 chan->unacked_frames--;
2617 chan->expected_ack_seq = reqseq;
2619 if (chan->unacked_frames == 0)
2620 __clear_retrans_timer(chan);
2622 BT_DBG("unacked_frames %u", chan->unacked_frames);
2625 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2627 BT_DBG("chan %p", chan);
2629 chan->expected_tx_seq = chan->buffer_seq;
2630 l2cap_seq_list_clear(&chan->srej_list);
2631 skb_queue_purge(&chan->srej_q);
2632 chan->rx_state = L2CAP_RX_STATE_RECV;
2635 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2636 struct l2cap_ctrl *control,
2637 struct sk_buff_head *skbs, u8 event)
2639 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2643 case L2CAP_EV_DATA_REQUEST:
2644 if (chan->tx_send_head == NULL)
2645 chan->tx_send_head = skb_peek(skbs);
2647 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2648 l2cap_ertm_send(chan);
2650 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2651 BT_DBG("Enter LOCAL_BUSY");
2652 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2654 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2655 /* The SREJ_SENT state must be aborted if we are to
2656 * enter the LOCAL_BUSY state.
2658 l2cap_abort_rx_srej_sent(chan);
2661 l2cap_send_ack(chan);
2664 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2665 BT_DBG("Exit LOCAL_BUSY");
2666 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2668 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2669 struct l2cap_ctrl local_control;
2671 memset(&local_control, 0, sizeof(local_control));
2672 local_control.sframe = 1;
2673 local_control.super = L2CAP_SUPER_RR;
2674 local_control.poll = 1;
2675 local_control.reqseq = chan->buffer_seq;
2676 l2cap_send_sframe(chan, &local_control);
2678 chan->retry_count = 1;
2679 __set_monitor_timer(chan);
2680 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2683 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2684 l2cap_process_reqseq(chan, control->reqseq);
2686 case L2CAP_EV_EXPLICIT_POLL:
2687 l2cap_send_rr_or_rnr(chan, 1);
2688 chan->retry_count = 1;
2689 __set_monitor_timer(chan);
2690 __clear_ack_timer(chan);
2691 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2693 case L2CAP_EV_RETRANS_TO:
2694 l2cap_send_rr_or_rnr(chan, 1);
2695 chan->retry_count = 1;
2696 __set_monitor_timer(chan);
2697 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2699 case L2CAP_EV_RECV_FBIT:
2700 /* Nothing to process */
2707 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2708 struct l2cap_ctrl *control,
2709 struct sk_buff_head *skbs, u8 event)
2711 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2715 case L2CAP_EV_DATA_REQUEST:
2716 if (chan->tx_send_head == NULL)
2717 chan->tx_send_head = skb_peek(skbs);
2718 /* Queue data, but don't send. */
2719 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2721 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2722 BT_DBG("Enter LOCAL_BUSY");
2723 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2725 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2726 /* The SREJ_SENT state must be aborted if we are to
2727 * enter the LOCAL_BUSY state.
2729 l2cap_abort_rx_srej_sent(chan);
2732 l2cap_send_ack(chan);
2735 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2736 BT_DBG("Exit LOCAL_BUSY");
2737 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2739 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2740 struct l2cap_ctrl local_control;
2741 memset(&local_control, 0, sizeof(local_control));
2742 local_control.sframe = 1;
2743 local_control.super = L2CAP_SUPER_RR;
2744 local_control.poll = 1;
2745 local_control.reqseq = chan->buffer_seq;
2746 l2cap_send_sframe(chan, &local_control);
2748 chan->retry_count = 1;
2749 __set_monitor_timer(chan);
2750 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2753 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2754 l2cap_process_reqseq(chan, control->reqseq);
2758 case L2CAP_EV_RECV_FBIT:
2759 if (control && control->final) {
2760 __clear_monitor_timer(chan);
2761 if (chan->unacked_frames > 0)
2762 __set_retrans_timer(chan);
2763 chan->retry_count = 0;
2764 chan->tx_state = L2CAP_TX_STATE_XMIT;
2765 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2768 case L2CAP_EV_EXPLICIT_POLL:
2771 case L2CAP_EV_MONITOR_TO:
2772 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2773 l2cap_send_rr_or_rnr(chan, 1);
2774 __set_monitor_timer(chan);
2775 chan->retry_count++;
2777 l2cap_send_disconn_req(chan, ECONNABORTED);
2785 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2786 struct sk_buff_head *skbs, u8 event)
2788 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2789 chan, control, skbs, event, chan->tx_state);
2791 switch (chan->tx_state) {
2792 case L2CAP_TX_STATE_XMIT:
2793 l2cap_tx_state_xmit(chan, control, skbs, event);
2795 case L2CAP_TX_STATE_WAIT_F:
2796 l2cap_tx_state_wait_f(chan, control, skbs, event);
2804 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2805 struct l2cap_ctrl *control)
2807 BT_DBG("chan %p, control %p", chan, control);
2808 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2811 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2812 struct l2cap_ctrl *control)
2814 BT_DBG("chan %p, control %p", chan, control);
2815 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2818 /* Copy frame to all raw sockets on that connection */
2819 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2821 struct sk_buff *nskb;
2822 struct l2cap_chan *chan;
2824 BT_DBG("conn %p", conn);
2826 mutex_lock(&conn->chan_lock);
2828 list_for_each_entry(chan, &conn->chan_l, list) {
2829 struct sock *sk = chan->sk;
2830 if (chan->chan_type != L2CAP_CHAN_RAW)
2833 /* Don't send frame to the socket it came from */
2836 nskb = skb_clone(skb, GFP_KERNEL);
2840 if (chan->ops->recv(chan, nskb))
2844 mutex_unlock(&conn->chan_lock);
2847 /* ---- L2CAP signalling commands ---- */
2848 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2849 u8 ident, u16 dlen, void *data)
2851 struct sk_buff *skb, **frag;
2852 struct l2cap_cmd_hdr *cmd;
2853 struct l2cap_hdr *lh;
2856 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2857 conn, code, ident, dlen);
2859 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2862 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2863 count = min_t(unsigned int, conn->mtu, len);
2865 skb = bt_skb_alloc(count, GFP_KERNEL);
2869 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2870 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2872 if (conn->hcon->type == LE_LINK)
2873 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2875 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
2877 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2880 cmd->len = cpu_to_le16(dlen);
2883 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2884 memcpy(skb_put(skb, count), data, count);
2890 /* Continuation fragments (no L2CAP header) */
2891 frag = &skb_shinfo(skb)->frag_list;
2893 count = min_t(unsigned int, conn->mtu, len);
2895 *frag = bt_skb_alloc(count, GFP_KERNEL);
2899 memcpy(skb_put(*frag, count), data, count);
2904 frag = &(*frag)->next;
2914 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2917 struct l2cap_conf_opt *opt = *ptr;
2920 len = L2CAP_CONF_OPT_SIZE + opt->len;
2928 *val = *((u8 *) opt->val);
2932 *val = get_unaligned_le16(opt->val);
2936 *val = get_unaligned_le32(opt->val);
2940 *val = (unsigned long) opt->val;
2944 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2948 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2950 struct l2cap_conf_opt *opt = *ptr;
2952 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2959 *((u8 *) opt->val) = val;
2963 put_unaligned_le16(val, opt->val);
2967 put_unaligned_le32(val, opt->val);
2971 memcpy(opt->val, (void *) val, len);
2975 *ptr += L2CAP_CONF_OPT_SIZE + len;
2978 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2980 struct l2cap_conf_efs efs;
2982 switch (chan->mode) {
2983 case L2CAP_MODE_ERTM:
2984 efs.id = chan->local_id;
2985 efs.stype = chan->local_stype;
2986 efs.msdu = cpu_to_le16(chan->local_msdu);
2987 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2988 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2989 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
2992 case L2CAP_MODE_STREAMING:
2994 efs.stype = L2CAP_SERV_BESTEFFORT;
2995 efs.msdu = cpu_to_le16(chan->local_msdu);
2996 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3005 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3006 (unsigned long) &efs);
3009 static void l2cap_ack_timeout(struct work_struct *work)
3011 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3015 BT_DBG("chan %p", chan);
3017 l2cap_chan_lock(chan);
3019 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3020 chan->last_acked_seq);
3023 l2cap_send_rr_or_rnr(chan, 0);
3025 l2cap_chan_unlock(chan);
3026 l2cap_chan_put(chan);
3029 int l2cap_ertm_init(struct l2cap_chan *chan)
3033 chan->next_tx_seq = 0;
3034 chan->expected_tx_seq = 0;
3035 chan->expected_ack_seq = 0;
3036 chan->unacked_frames = 0;
3037 chan->buffer_seq = 0;
3038 chan->frames_sent = 0;
3039 chan->last_acked_seq = 0;
3041 chan->sdu_last_frag = NULL;
3044 skb_queue_head_init(&chan->tx_q);
3046 chan->local_amp_id = 0;
3048 chan->move_state = L2CAP_MOVE_STABLE;
3049 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3051 if (chan->mode != L2CAP_MODE_ERTM)
3054 chan->rx_state = L2CAP_RX_STATE_RECV;
3055 chan->tx_state = L2CAP_TX_STATE_XMIT;
3057 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3058 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3059 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3061 skb_queue_head_init(&chan->srej_q);
3063 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3067 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3069 l2cap_seq_list_free(&chan->srej_list);
3074 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3077 case L2CAP_MODE_STREAMING:
3078 case L2CAP_MODE_ERTM:
3079 if (l2cap_mode_supported(mode, remote_feat_mask))
3083 return L2CAP_MODE_BASIC;
3087 static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
3089 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3092 static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
3094 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3097 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3098 struct l2cap_conf_rfc *rfc)
3100 if (chan->local_amp_id && chan->hs_hcon) {
3101 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3103 /* Class 1 devices have must have ERTM timeouts
3104 * exceeding the Link Supervision Timeout. The
3105 * default Link Supervision Timeout for AMP
3106 * controllers is 10 seconds.
3108 * Class 1 devices use 0xffffffff for their
3109 * best-effort flush timeout, so the clamping logic
3110 * will result in a timeout that meets the above
3111 * requirement. ERTM timeouts are 16-bit values, so
3112 * the maximum timeout is 65.535 seconds.
3115 /* Convert timeout to milliseconds and round */
3116 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3118 /* This is the recommended formula for class 2 devices
3119 * that start ERTM timers when packets are sent to the
3122 ertm_to = 3 * ertm_to + 500;
3124 if (ertm_to > 0xffff)
3127 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3128 rfc->monitor_timeout = rfc->retrans_timeout;
3130 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3131 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3135 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3137 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3138 __l2cap_ews_supported(chan)) {
3139 /* use extended control field */
3140 set_bit(FLAG_EXT_CTRL, &chan->flags);
3141 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3143 chan->tx_win = min_t(u16, chan->tx_win,
3144 L2CAP_DEFAULT_TX_WINDOW);
3145 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3147 chan->ack_win = chan->tx_win;
3150 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3152 struct l2cap_conf_req *req = data;
3153 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3154 void *ptr = req->data;
3157 BT_DBG("chan %p", chan);
3159 if (chan->num_conf_req || chan->num_conf_rsp)
3162 switch (chan->mode) {
3163 case L2CAP_MODE_STREAMING:
3164 case L2CAP_MODE_ERTM:
3165 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3168 if (__l2cap_efs_supported(chan))
3169 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3173 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3178 if (chan->imtu != L2CAP_DEFAULT_MTU)
3179 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3181 switch (chan->mode) {
3182 case L2CAP_MODE_BASIC:
3183 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3184 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3187 rfc.mode = L2CAP_MODE_BASIC;
3189 rfc.max_transmit = 0;
3190 rfc.retrans_timeout = 0;
3191 rfc.monitor_timeout = 0;
3192 rfc.max_pdu_size = 0;
3194 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3195 (unsigned long) &rfc);
3198 case L2CAP_MODE_ERTM:
3199 rfc.mode = L2CAP_MODE_ERTM;
3200 rfc.max_transmit = chan->max_tx;
3202 __l2cap_set_ertm_timeouts(chan, &rfc);
3204 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3205 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3207 rfc.max_pdu_size = cpu_to_le16(size);
3209 l2cap_txwin_setup(chan);
3211 rfc.txwin_size = min_t(u16, chan->tx_win,
3212 L2CAP_DEFAULT_TX_WINDOW);
3214 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3215 (unsigned long) &rfc);
3217 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3218 l2cap_add_opt_efs(&ptr, chan);
3220 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3221 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3224 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3225 if (chan->fcs == L2CAP_FCS_NONE ||
3226 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3227 chan->fcs = L2CAP_FCS_NONE;
3228 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3233 case L2CAP_MODE_STREAMING:
3234 l2cap_txwin_setup(chan);
3235 rfc.mode = L2CAP_MODE_STREAMING;
3237 rfc.max_transmit = 0;
3238 rfc.retrans_timeout = 0;
3239 rfc.monitor_timeout = 0;
3241 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3242 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3244 rfc.max_pdu_size = cpu_to_le16(size);
3246 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3247 (unsigned long) &rfc);
3249 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3250 l2cap_add_opt_efs(&ptr, chan);
3252 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3253 if (chan->fcs == L2CAP_FCS_NONE ||
3254 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3255 chan->fcs = L2CAP_FCS_NONE;
3256 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3262 req->dcid = cpu_to_le16(chan->dcid);
3263 req->flags = __constant_cpu_to_le16(0);
3268 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3270 struct l2cap_conf_rsp *rsp = data;
3271 void *ptr = rsp->data;
3272 void *req = chan->conf_req;
3273 int len = chan->conf_len;
3274 int type, hint, olen;
3276 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3277 struct l2cap_conf_efs efs;
3279 u16 mtu = L2CAP_DEFAULT_MTU;
3280 u16 result = L2CAP_CONF_SUCCESS;
3283 BT_DBG("chan %p", chan);
3285 while (len >= L2CAP_CONF_OPT_SIZE) {
3286 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3288 hint = type & L2CAP_CONF_HINT;
3289 type &= L2CAP_CONF_MASK;
3292 case L2CAP_CONF_MTU:
3296 case L2CAP_CONF_FLUSH_TO:
3297 chan->flush_to = val;
3300 case L2CAP_CONF_QOS:
3303 case L2CAP_CONF_RFC:
3304 if (olen == sizeof(rfc))
3305 memcpy(&rfc, (void *) val, olen);
3308 case L2CAP_CONF_FCS:
3309 if (val == L2CAP_FCS_NONE)
3310 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3313 case L2CAP_CONF_EFS:
3315 if (olen == sizeof(efs))
3316 memcpy(&efs, (void *) val, olen);
3319 case L2CAP_CONF_EWS:
3321 return -ECONNREFUSED;
3323 set_bit(FLAG_EXT_CTRL, &chan->flags);
3324 set_bit(CONF_EWS_RECV, &chan->conf_state);
3325 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3326 chan->remote_tx_win = val;
3333 result = L2CAP_CONF_UNKNOWN;
3334 *((u8 *) ptr++) = type;
3339 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3342 switch (chan->mode) {
3343 case L2CAP_MODE_STREAMING:
3344 case L2CAP_MODE_ERTM:
3345 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3346 chan->mode = l2cap_select_mode(rfc.mode,
3347 chan->conn->feat_mask);
3352 if (__l2cap_efs_supported(chan))
3353 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3355 return -ECONNREFUSED;
3358 if (chan->mode != rfc.mode)
3359 return -ECONNREFUSED;
3365 if (chan->mode != rfc.mode) {
3366 result = L2CAP_CONF_UNACCEPT;
3367 rfc.mode = chan->mode;
3369 if (chan->num_conf_rsp == 1)
3370 return -ECONNREFUSED;
3372 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3373 (unsigned long) &rfc);
3376 if (result == L2CAP_CONF_SUCCESS) {
3377 /* Configure output options and let the other side know
3378 * which ones we don't like. */
3380 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3381 result = L2CAP_CONF_UNACCEPT;
3384 set_bit(CONF_MTU_DONE, &chan->conf_state);
3386 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3389 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3390 efs.stype != L2CAP_SERV_NOTRAFIC &&
3391 efs.stype != chan->local_stype) {
3393 result = L2CAP_CONF_UNACCEPT;
3395 if (chan->num_conf_req >= 1)
3396 return -ECONNREFUSED;
3398 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3400 (unsigned long) &efs);
3402 /* Send PENDING Conf Rsp */
3403 result = L2CAP_CONF_PENDING;
3404 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3409 case L2CAP_MODE_BASIC:
3410 chan->fcs = L2CAP_FCS_NONE;
3411 set_bit(CONF_MODE_DONE, &chan->conf_state);
3414 case L2CAP_MODE_ERTM:
3415 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3416 chan->remote_tx_win = rfc.txwin_size;
3418 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3420 chan->remote_max_tx = rfc.max_transmit;
3422 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3423 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3424 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3425 rfc.max_pdu_size = cpu_to_le16(size);
3426 chan->remote_mps = size;
3428 __l2cap_set_ertm_timeouts(chan, &rfc);
3430 set_bit(CONF_MODE_DONE, &chan->conf_state);
3432 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3433 sizeof(rfc), (unsigned long) &rfc);
3435 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3436 chan->remote_id = efs.id;
3437 chan->remote_stype = efs.stype;
3438 chan->remote_msdu = le16_to_cpu(efs.msdu);
3439 chan->remote_flush_to =
3440 le32_to_cpu(efs.flush_to);
3441 chan->remote_acc_lat =
3442 le32_to_cpu(efs.acc_lat);
3443 chan->remote_sdu_itime =
3444 le32_to_cpu(efs.sdu_itime);
3445 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3447 (unsigned long) &efs);
3451 case L2CAP_MODE_STREAMING:
3452 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3453 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3454 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3455 rfc.max_pdu_size = cpu_to_le16(size);
3456 chan->remote_mps = size;
3458 set_bit(CONF_MODE_DONE, &chan->conf_state);
3460 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3461 (unsigned long) &rfc);
3466 result = L2CAP_CONF_UNACCEPT;
3468 memset(&rfc, 0, sizeof(rfc));
3469 rfc.mode = chan->mode;
3472 if (result == L2CAP_CONF_SUCCESS)
3473 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3475 rsp->scid = cpu_to_le16(chan->dcid);
3476 rsp->result = cpu_to_le16(result);
3477 rsp->flags = __constant_cpu_to_le16(0);
3482 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3483 void *data, u16 *result)
3485 struct l2cap_conf_req *req = data;
3486 void *ptr = req->data;
3489 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3490 struct l2cap_conf_efs efs;
3492 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3494 while (len >= L2CAP_CONF_OPT_SIZE) {
3495 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3498 case L2CAP_CONF_MTU:
3499 if (val < L2CAP_DEFAULT_MIN_MTU) {
3500 *result = L2CAP_CONF_UNACCEPT;
3501 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3504 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3507 case L2CAP_CONF_FLUSH_TO:
3508 chan->flush_to = val;
3509 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3513 case L2CAP_CONF_RFC:
3514 if (olen == sizeof(rfc))
3515 memcpy(&rfc, (void *)val, olen);
3517 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3518 rfc.mode != chan->mode)
3519 return -ECONNREFUSED;
3523 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3524 sizeof(rfc), (unsigned long) &rfc);
3527 case L2CAP_CONF_EWS:
3528 chan->ack_win = min_t(u16, val, chan->ack_win);
3529 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3533 case L2CAP_CONF_EFS:
3534 if (olen == sizeof(efs))
3535 memcpy(&efs, (void *)val, olen);
3537 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3538 efs.stype != L2CAP_SERV_NOTRAFIC &&
3539 efs.stype != chan->local_stype)
3540 return -ECONNREFUSED;
3542 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3543 (unsigned long) &efs);
3546 case L2CAP_CONF_FCS:
3547 if (*result == L2CAP_CONF_PENDING)
3548 if (val == L2CAP_FCS_NONE)
3549 set_bit(CONF_RECV_NO_FCS,
3555 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3556 return -ECONNREFUSED;
3558 chan->mode = rfc.mode;
3560 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3562 case L2CAP_MODE_ERTM:
3563 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3564 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3565 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3566 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3567 chan->ack_win = min_t(u16, chan->ack_win,
3570 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3571 chan->local_msdu = le16_to_cpu(efs.msdu);
3572 chan->local_sdu_itime =
3573 le32_to_cpu(efs.sdu_itime);
3574 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3575 chan->local_flush_to =
3576 le32_to_cpu(efs.flush_to);
3580 case L2CAP_MODE_STREAMING:
3581 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3585 req->dcid = cpu_to_le16(chan->dcid);
3586 req->flags = __constant_cpu_to_le16(0);
3591 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3592 u16 result, u16 flags)
3594 struct l2cap_conf_rsp *rsp = data;
3595 void *ptr = rsp->data;
3597 BT_DBG("chan %p", chan);
3599 rsp->scid = cpu_to_le16(chan->dcid);
3600 rsp->result = cpu_to_le16(result);
3601 rsp->flags = cpu_to_le16(flags);
3606 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3608 struct l2cap_conn_rsp rsp;
3609 struct l2cap_conn *conn = chan->conn;
3613 rsp.scid = cpu_to_le16(chan->dcid);
3614 rsp.dcid = cpu_to_le16(chan->scid);
3615 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3616 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
3619 rsp_code = L2CAP_CREATE_CHAN_RSP;
3621 rsp_code = L2CAP_CONN_RSP;
3623 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3625 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3627 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3630 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3631 l2cap_build_conf_req(chan, buf), buf);
3632 chan->num_conf_req++;
3635 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3639 /* Use sane default values in case a misbehaving remote device
3640 * did not send an RFC or extended window size option.
3642 u16 txwin_ext = chan->ack_win;
3643 struct l2cap_conf_rfc rfc = {
3645 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3646 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3647 .max_pdu_size = cpu_to_le16(chan->imtu),
3648 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3651 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3653 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3656 while (len >= L2CAP_CONF_OPT_SIZE) {
3657 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3660 case L2CAP_CONF_RFC:
3661 if (olen == sizeof(rfc))
3662 memcpy(&rfc, (void *)val, olen);
3664 case L2CAP_CONF_EWS:
3671 case L2CAP_MODE_ERTM:
3672 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3673 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3674 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3675 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3676 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3678 chan->ack_win = min_t(u16, chan->ack_win,
3681 case L2CAP_MODE_STREAMING:
3682 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3686 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3687 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3690 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3692 if (cmd_len < sizeof(*rej))
3695 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3698 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3699 cmd->ident == conn->info_ident) {
3700 cancel_delayed_work(&conn->info_timer);
3702 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3703 conn->info_ident = 0;
3705 l2cap_conn_start(conn);
3711 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3712 struct l2cap_cmd_hdr *cmd,
3713 u8 *data, u8 rsp_code, u8 amp_id)
3715 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3716 struct l2cap_conn_rsp rsp;
3717 struct l2cap_chan *chan = NULL, *pchan;
3718 struct sock *parent, *sk = NULL;
3719 int result, status = L2CAP_CS_NO_INFO;
3721 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3722 __le16 psm = req->psm;
3724 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3726 /* Check if we have socket listening on psm */
3727 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
3729 result = L2CAP_CR_BAD_PSM;
3735 mutex_lock(&conn->chan_lock);
3738 /* Check if the ACL is secure enough (if not SDP) */
3739 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
3740 !hci_conn_check_link_mode(conn->hcon)) {
3741 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3742 result = L2CAP_CR_SEC_BLOCK;
3746 result = L2CAP_CR_NO_MEM;
3748 /* Check if we already have channel with that dcid */
3749 if (__l2cap_get_chan_by_dcid(conn, scid))
3752 chan = pchan->ops->new_connection(pchan);
3758 /* For certain devices (ex: HID mouse), support for authentication,
3759 * pairing and bonding is optional. For such devices, inorder to avoid
3760 * the ACL alive for too long after L2CAP disconnection, reset the ACL
3761 * disc_timeout back to HCI_DISCONN_TIMEOUT during L2CAP connect.
3763 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3765 bacpy(&bt_sk(sk)->src, conn->src);
3766 bacpy(&bt_sk(sk)->dst, conn->dst);
3769 chan->local_amp_id = amp_id;
3771 __l2cap_chan_add(conn, chan);
3775 __set_chan_timer(chan, sk->sk_sndtimeo);
3777 chan->ident = cmd->ident;
3779 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3780 if (l2cap_chan_check_security(chan)) {
3781 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
3782 __l2cap_state_change(chan, BT_CONNECT2);
3783 result = L2CAP_CR_PEND;
3784 status = L2CAP_CS_AUTHOR_PEND;
3785 chan->ops->defer(chan);
3787 /* Force pending result for AMP controllers.
3788 * The connection will succeed after the
3789 * physical link is up.
3792 __l2cap_state_change(chan, BT_CONNECT2);
3793 result = L2CAP_CR_PEND;
3795 __l2cap_state_change(chan, BT_CONFIG);
3796 result = L2CAP_CR_SUCCESS;
3798 status = L2CAP_CS_NO_INFO;
3801 __l2cap_state_change(chan, BT_CONNECT2);
3802 result = L2CAP_CR_PEND;
3803 status = L2CAP_CS_AUTHEN_PEND;
3806 __l2cap_state_change(chan, BT_CONNECT2);
3807 result = L2CAP_CR_PEND;
3808 status = L2CAP_CS_NO_INFO;
3812 release_sock(parent);
3813 mutex_unlock(&conn->chan_lock);
3816 rsp.scid = cpu_to_le16(scid);
3817 rsp.dcid = cpu_to_le16(dcid);
3818 rsp.result = cpu_to_le16(result);
3819 rsp.status = cpu_to_le16(status);
3820 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3822 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3823 struct l2cap_info_req info;
3824 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3826 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3827 conn->info_ident = l2cap_get_ident(conn);
3829 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3831 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3832 sizeof(info), &info);
3835 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3836 result == L2CAP_CR_SUCCESS) {
3838 set_bit(CONF_REQ_SENT, &chan->conf_state);
3839 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3840 l2cap_build_conf_req(chan, buf), buf);
3841 chan->num_conf_req++;
3847 static int l2cap_connect_req(struct l2cap_conn *conn,
3848 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3850 struct hci_dev *hdev = conn->hcon->hdev;
3851 struct hci_conn *hcon = conn->hcon;
3853 if (cmd_len < sizeof(struct l2cap_conn_req))
3857 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3858 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3859 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3860 hcon->dst_type, 0, NULL, 0,
3862 hci_dev_unlock(hdev);
3864 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3868 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3869 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3872 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3873 u16 scid, dcid, result, status;
3874 struct l2cap_chan *chan;
3878 if (cmd_len < sizeof(*rsp))
3881 scid = __le16_to_cpu(rsp->scid);
3882 dcid = __le16_to_cpu(rsp->dcid);
3883 result = __le16_to_cpu(rsp->result);
3884 status = __le16_to_cpu(rsp->status);
3886 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3887 dcid, scid, result, status);
3889 mutex_lock(&conn->chan_lock);
3892 chan = __l2cap_get_chan_by_scid(conn, scid);
3898 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3907 l2cap_chan_lock(chan);
3910 case L2CAP_CR_SUCCESS:
3911 l2cap_state_change(chan, BT_CONFIG);
3914 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3916 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3919 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3920 l2cap_build_conf_req(chan, req), req);
3921 chan->num_conf_req++;
3925 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3929 l2cap_chan_del(chan, ECONNREFUSED);
3933 l2cap_chan_unlock(chan);
3936 mutex_unlock(&conn->chan_lock);
3941 static inline void set_default_fcs(struct l2cap_chan *chan)
3943 /* FCS is enabled only in ERTM or streaming mode, if one or both
3946 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3947 chan->fcs = L2CAP_FCS_NONE;
3948 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
3949 chan->fcs = L2CAP_FCS_CRC16;
3952 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3953 u8 ident, u16 flags)
3955 struct l2cap_conn *conn = chan->conn;
3957 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3960 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3961 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3963 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3964 l2cap_build_conf_rsp(chan, data,
3965 L2CAP_CONF_SUCCESS, flags), data);
3968 static inline int l2cap_config_req(struct l2cap_conn *conn,
3969 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3972 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3975 struct l2cap_chan *chan;
3978 if (cmd_len < sizeof(*req))
3981 dcid = __le16_to_cpu(req->dcid);
3982 flags = __le16_to_cpu(req->flags);
3984 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3986 chan = l2cap_get_chan_by_scid(conn, dcid);
3990 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
3991 struct l2cap_cmd_rej_cid rej;
3993 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
3994 rej.scid = cpu_to_le16(chan->scid);
3995 rej.dcid = cpu_to_le16(chan->dcid);
3997 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
4002 /* Reject if config buffer is too small. */
4003 len = cmd_len - sizeof(*req);
4004 if (chan->conf_len + len > sizeof(chan->conf_req)) {
4005 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4006 l2cap_build_conf_rsp(chan, rsp,
4007 L2CAP_CONF_REJECT, flags), rsp);
4012 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4013 chan->conf_len += len;
4015 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4016 /* Incomplete config. Send empty response. */
4017 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4018 l2cap_build_conf_rsp(chan, rsp,
4019 L2CAP_CONF_SUCCESS, flags), rsp);
4023 /* Complete config. */
4024 len = l2cap_parse_conf_req(chan, rsp);
4026 l2cap_send_disconn_req(chan, ECONNRESET);
4030 chan->ident = cmd->ident;
4031 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4032 chan->num_conf_rsp++;
4034 /* Reset config buffer. */
4037 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4040 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4041 set_default_fcs(chan);
4043 if (chan->mode == L2CAP_MODE_ERTM ||
4044 chan->mode == L2CAP_MODE_STREAMING)
4045 err = l2cap_ertm_init(chan);
4048 l2cap_send_disconn_req(chan, -err);
4050 l2cap_chan_ready(chan);
4055 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4057 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4058 l2cap_build_conf_req(chan, buf), buf);
4059 chan->num_conf_req++;
4062 /* Got Conf Rsp PENDING from remote side and asume we sent
4063 Conf Rsp PENDING in the code above */
4064 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4065 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4067 /* check compatibility */
4069 /* Send rsp for BR/EDR channel */
4071 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4073 chan->ident = cmd->ident;
4077 l2cap_chan_unlock(chan);
4081 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4082 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4085 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4086 u16 scid, flags, result;
4087 struct l2cap_chan *chan;
4088 int len = cmd_len - sizeof(*rsp);
4091 if (cmd_len < sizeof(*rsp))
4094 scid = __le16_to_cpu(rsp->scid);
4095 flags = __le16_to_cpu(rsp->flags);
4096 result = __le16_to_cpu(rsp->result);
4098 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4101 chan = l2cap_get_chan_by_scid(conn, scid);
4106 case L2CAP_CONF_SUCCESS:
4107 l2cap_conf_rfc_get(chan, rsp->data, len);
4108 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4111 case L2CAP_CONF_PENDING:
4112 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4114 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4117 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4120 l2cap_send_disconn_req(chan, ECONNRESET);
4124 if (!chan->hs_hcon) {
4125 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4128 if (l2cap_check_efs(chan)) {
4129 amp_create_logical_link(chan);
4130 chan->ident = cmd->ident;
4136 case L2CAP_CONF_UNACCEPT:
4137 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4140 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4141 l2cap_send_disconn_req(chan, ECONNRESET);
4145 /* throw out any old stored conf requests */
4146 result = L2CAP_CONF_SUCCESS;
4147 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4150 l2cap_send_disconn_req(chan, ECONNRESET);
4154 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4155 L2CAP_CONF_REQ, len, req);
4156 chan->num_conf_req++;
4157 if (result != L2CAP_CONF_SUCCESS)
4163 l2cap_chan_set_err(chan, ECONNRESET);
4165 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4166 l2cap_send_disconn_req(chan, ECONNRESET);
4170 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4173 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4175 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4176 set_default_fcs(chan);
4178 if (chan->mode == L2CAP_MODE_ERTM ||
4179 chan->mode == L2CAP_MODE_STREAMING)
4180 err = l2cap_ertm_init(chan);
4183 l2cap_send_disconn_req(chan, -err);
4185 l2cap_chan_ready(chan);
4189 l2cap_chan_unlock(chan);
4193 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4194 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4197 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4198 struct l2cap_disconn_rsp rsp;
4200 struct l2cap_chan *chan;
4203 if (cmd_len != sizeof(*req))
4206 scid = __le16_to_cpu(req->scid);
4207 dcid = __le16_to_cpu(req->dcid);
4209 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4211 mutex_lock(&conn->chan_lock);
4213 chan = __l2cap_get_chan_by_scid(conn, dcid);
4215 mutex_unlock(&conn->chan_lock);
4219 l2cap_chan_lock(chan);
4223 rsp.dcid = cpu_to_le16(chan->scid);
4224 rsp.scid = cpu_to_le16(chan->dcid);
4225 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4228 sk->sk_shutdown = SHUTDOWN_MASK;
4231 l2cap_chan_hold(chan);
4232 l2cap_chan_del(chan, ECONNRESET);
4234 l2cap_chan_unlock(chan);
4236 chan->ops->close(chan);
4237 l2cap_chan_put(chan);
4239 mutex_unlock(&conn->chan_lock);
4244 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4245 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4248 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4250 struct l2cap_chan *chan;
4252 if (cmd_len != sizeof(*rsp))
4255 scid = __le16_to_cpu(rsp->scid);
4256 dcid = __le16_to_cpu(rsp->dcid);
4258 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4260 mutex_lock(&conn->chan_lock);
4262 chan = __l2cap_get_chan_by_scid(conn, scid);
4264 mutex_unlock(&conn->chan_lock);
4268 l2cap_chan_lock(chan);
4270 l2cap_chan_hold(chan);
4271 l2cap_chan_del(chan, 0);
4273 l2cap_chan_unlock(chan);
4275 chan->ops->close(chan);
4276 l2cap_chan_put(chan);
4278 mutex_unlock(&conn->chan_lock);
4283 static inline int l2cap_information_req(struct l2cap_conn *conn,
4284 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4287 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4290 if (cmd_len != sizeof(*req))
4293 type = __le16_to_cpu(req->type);
4295 BT_DBG("type 0x%4.4x", type);
4297 if (type == L2CAP_IT_FEAT_MASK) {
4299 u32 feat_mask = l2cap_feat_mask;
4300 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4301 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4302 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
4304 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4307 feat_mask |= L2CAP_FEAT_EXT_FLOW
4308 | L2CAP_FEAT_EXT_WINDOW;
4310 put_unaligned_le32(feat_mask, rsp->data);
4311 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4313 } else if (type == L2CAP_IT_FIXED_CHAN) {
4315 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4318 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4320 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4322 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4323 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
4324 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
4325 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4328 struct l2cap_info_rsp rsp;
4329 rsp.type = cpu_to_le16(type);
4330 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
4331 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4338 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4339 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4342 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4345 if (cmd_len < sizeof(*rsp))
4348 type = __le16_to_cpu(rsp->type);
4349 result = __le16_to_cpu(rsp->result);
4351 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4353 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4354 if (cmd->ident != conn->info_ident ||
4355 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4358 cancel_delayed_work(&conn->info_timer);
4360 if (result != L2CAP_IR_SUCCESS) {
4361 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4362 conn->info_ident = 0;
4364 l2cap_conn_start(conn);
4370 case L2CAP_IT_FEAT_MASK:
4371 conn->feat_mask = get_unaligned_le32(rsp->data);
4373 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4374 struct l2cap_info_req req;
4375 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4377 conn->info_ident = l2cap_get_ident(conn);
4379 l2cap_send_cmd(conn, conn->info_ident,
4380 L2CAP_INFO_REQ, sizeof(req), &req);
4382 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4383 conn->info_ident = 0;
4385 l2cap_conn_start(conn);
4389 case L2CAP_IT_FIXED_CHAN:
4390 conn->fixed_chan_mask = rsp->data[0];
4391 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4392 conn->info_ident = 0;
4394 l2cap_conn_start(conn);
4401 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4402 struct l2cap_cmd_hdr *cmd,
4403 u16 cmd_len, void *data)
4405 struct l2cap_create_chan_req *req = data;
4406 struct l2cap_create_chan_rsp rsp;
4407 struct l2cap_chan *chan;
4408 struct hci_dev *hdev;
4411 if (cmd_len != sizeof(*req))
4417 psm = le16_to_cpu(req->psm);
4418 scid = le16_to_cpu(req->scid);
4420 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4422 /* For controller id 0 make BR/EDR connection */
4423 if (req->amp_id == HCI_BREDR_ID) {
4424 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4429 /* Validate AMP controller id */
4430 hdev = hci_dev_get(req->amp_id);
4434 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4439 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4442 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4443 struct hci_conn *hs_hcon;
4445 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4451 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4453 mgr->bredr_chan = chan;
4454 chan->hs_hcon = hs_hcon;
4455 chan->fcs = L2CAP_FCS_NONE;
4456 conn->mtu = hdev->block_mtu;
4465 rsp.scid = cpu_to_le16(scid);
4466 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4467 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4469 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4475 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4477 struct l2cap_move_chan_req req;
4480 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4482 ident = l2cap_get_ident(chan->conn);
4483 chan->ident = ident;
4485 req.icid = cpu_to_le16(chan->scid);
4486 req.dest_amp_id = dest_amp_id;
4488 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4491 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4494 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4496 struct l2cap_move_chan_rsp rsp;
4498 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4500 rsp.icid = cpu_to_le16(chan->dcid);
4501 rsp.result = cpu_to_le16(result);
4503 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4507 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4509 struct l2cap_move_chan_cfm cfm;
4511 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4513 chan->ident = l2cap_get_ident(chan->conn);
4515 cfm.icid = cpu_to_le16(chan->scid);
4516 cfm.result = cpu_to_le16(result);
4518 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4521 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4524 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4526 struct l2cap_move_chan_cfm cfm;
4528 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4530 cfm.icid = cpu_to_le16(icid);
4531 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4533 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4537 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4540 struct l2cap_move_chan_cfm_rsp rsp;
4542 BT_DBG("icid 0x%4.4x", icid);
4544 rsp.icid = cpu_to_le16(icid);
4545 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4548 static void __release_logical_link(struct l2cap_chan *chan)
4550 chan->hs_hchan = NULL;
4551 chan->hs_hcon = NULL;
4553 /* Placeholder - release the logical link */
4556 static void l2cap_logical_fail(struct l2cap_chan *chan)
4558 /* Logical link setup failed */
4559 if (chan->state != BT_CONNECTED) {
4560 /* Create channel failure, disconnect */
4561 l2cap_send_disconn_req(chan, ECONNRESET);
4565 switch (chan->move_role) {
4566 case L2CAP_MOVE_ROLE_RESPONDER:
4567 l2cap_move_done(chan);
4568 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4570 case L2CAP_MOVE_ROLE_INITIATOR:
4571 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4572 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4573 /* Remote has only sent pending or
4574 * success responses, clean up
4576 l2cap_move_done(chan);
4579 /* Other amp move states imply that the move
4580 * has already aborted
4582 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4587 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4588 struct hci_chan *hchan)
4590 struct l2cap_conf_rsp rsp;
4592 chan->hs_hchan = hchan;
4593 chan->hs_hcon->l2cap_data = chan->conn;
4595 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4597 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4600 set_default_fcs(chan);
4602 err = l2cap_ertm_init(chan);
4604 l2cap_send_disconn_req(chan, -err);
4606 l2cap_chan_ready(chan);
4610 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4611 struct hci_chan *hchan)
4613 chan->hs_hcon = hchan->conn;
4614 chan->hs_hcon->l2cap_data = chan->conn;
4616 BT_DBG("move_state %d", chan->move_state);
4618 switch (chan->move_state) {
4619 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4620 /* Move confirm will be sent after a success
4621 * response is received
4623 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4625 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4626 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4627 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4628 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4629 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4630 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4631 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4632 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4633 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4637 /* Move was not in expected state, free the channel */
4638 __release_logical_link(chan);
4640 chan->move_state = L2CAP_MOVE_STABLE;
4644 /* Call with chan locked */
4645 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4648 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4651 l2cap_logical_fail(chan);
4652 __release_logical_link(chan);
4656 if (chan->state != BT_CONNECTED) {
4657 /* Ignore logical link if channel is on BR/EDR */
4658 if (chan->local_amp_id)
4659 l2cap_logical_finish_create(chan, hchan);
4661 l2cap_logical_finish_move(chan, hchan);
4665 void l2cap_move_start(struct l2cap_chan *chan)
4667 BT_DBG("chan %p", chan);
4669 if (chan->local_amp_id == HCI_BREDR_ID) {
4670 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4672 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4673 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4674 /* Placeholder - start physical link setup */
4676 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4677 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4679 l2cap_move_setup(chan);
4680 l2cap_send_move_chan_req(chan, 0);
4684 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4685 u8 local_amp_id, u8 remote_amp_id)
4687 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4688 local_amp_id, remote_amp_id);
4690 chan->fcs = L2CAP_FCS_NONE;
4692 /* Outgoing channel on AMP */
4693 if (chan->state == BT_CONNECT) {
4694 if (result == L2CAP_CR_SUCCESS) {
4695 chan->local_amp_id = local_amp_id;
4696 l2cap_send_create_chan_req(chan, remote_amp_id);
4698 /* Revert to BR/EDR connect */
4699 l2cap_send_conn_req(chan);
4705 /* Incoming channel on AMP */
4706 if (__l2cap_no_conn_pending(chan)) {
4707 struct l2cap_conn_rsp rsp;
4709 rsp.scid = cpu_to_le16(chan->dcid);
4710 rsp.dcid = cpu_to_le16(chan->scid);
4712 if (result == L2CAP_CR_SUCCESS) {
4713 /* Send successful response */
4714 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4715 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4717 /* Send negative response */
4718 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4719 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4722 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4725 if (result == L2CAP_CR_SUCCESS) {
4726 __l2cap_state_change(chan, BT_CONFIG);
4727 set_bit(CONF_REQ_SENT, &chan->conf_state);
4728 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4730 l2cap_build_conf_req(chan, buf), buf);
4731 chan->num_conf_req++;
4736 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4739 l2cap_move_setup(chan);
4740 chan->move_id = local_amp_id;
4741 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4743 l2cap_send_move_chan_req(chan, remote_amp_id);
4746 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4748 struct hci_chan *hchan = NULL;
4750 /* Placeholder - get hci_chan for logical link */
4753 if (hchan->state == BT_CONNECTED) {
4754 /* Logical link is ready to go */
4755 chan->hs_hcon = hchan->conn;
4756 chan->hs_hcon->l2cap_data = chan->conn;
4757 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4758 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4760 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4762 /* Wait for logical link to be ready */
4763 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4766 /* Logical link not available */
4767 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4771 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4773 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4775 if (result == -EINVAL)
4776 rsp_result = L2CAP_MR_BAD_ID;
4778 rsp_result = L2CAP_MR_NOT_ALLOWED;
4780 l2cap_send_move_chan_rsp(chan, rsp_result);
4783 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4784 chan->move_state = L2CAP_MOVE_STABLE;
4786 /* Restart data transmission */
4787 l2cap_ertm_send(chan);
4790 /* Invoke with locked chan */
4791 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4793 u8 local_amp_id = chan->local_amp_id;
4794 u8 remote_amp_id = chan->remote_amp_id;
4796 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4797 chan, result, local_amp_id, remote_amp_id);
4799 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4800 l2cap_chan_unlock(chan);
4804 if (chan->state != BT_CONNECTED) {
4805 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4806 } else if (result != L2CAP_MR_SUCCESS) {
4807 l2cap_do_move_cancel(chan, result);
4809 switch (chan->move_role) {
4810 case L2CAP_MOVE_ROLE_INITIATOR:
4811 l2cap_do_move_initiate(chan, local_amp_id,
4814 case L2CAP_MOVE_ROLE_RESPONDER:
4815 l2cap_do_move_respond(chan, result);
4818 l2cap_do_move_cancel(chan, result);
4824 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4825 struct l2cap_cmd_hdr *cmd,
4826 u16 cmd_len, void *data)
4828 struct l2cap_move_chan_req *req = data;
4829 struct l2cap_move_chan_rsp rsp;
4830 struct l2cap_chan *chan;
4832 u16 result = L2CAP_MR_NOT_ALLOWED;
4834 if (cmd_len != sizeof(*req))
4837 icid = le16_to_cpu(req->icid);
4839 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4844 chan = l2cap_get_chan_by_dcid(conn, icid);
4846 rsp.icid = cpu_to_le16(icid);
4847 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4848 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4853 chan->ident = cmd->ident;
4855 if (chan->scid < L2CAP_CID_DYN_START ||
4856 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4857 (chan->mode != L2CAP_MODE_ERTM &&
4858 chan->mode != L2CAP_MODE_STREAMING)) {
4859 result = L2CAP_MR_NOT_ALLOWED;
4860 goto send_move_response;
4863 if (chan->local_amp_id == req->dest_amp_id) {
4864 result = L2CAP_MR_SAME_ID;
4865 goto send_move_response;
4868 if (req->dest_amp_id) {
4869 struct hci_dev *hdev;
4870 hdev = hci_dev_get(req->dest_amp_id);
4871 if (!hdev || hdev->dev_type != HCI_AMP ||
4872 !test_bit(HCI_UP, &hdev->flags)) {
4876 result = L2CAP_MR_BAD_ID;
4877 goto send_move_response;
4882 /* Detect a move collision. Only send a collision response
4883 * if this side has "lost", otherwise proceed with the move.
4884 * The winner has the larger bd_addr.
4886 if ((__chan_is_moving(chan) ||
4887 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4888 bacmp(conn->src, conn->dst) > 0) {
4889 result = L2CAP_MR_COLLISION;
4890 goto send_move_response;
4893 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4894 l2cap_move_setup(chan);
4895 chan->move_id = req->dest_amp_id;
4898 if (!req->dest_amp_id) {
4899 /* Moving to BR/EDR */
4900 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4901 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4902 result = L2CAP_MR_PEND;
4904 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4905 result = L2CAP_MR_SUCCESS;
4908 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4909 /* Placeholder - uncomment when amp functions are available */
4910 /*amp_accept_physical(chan, req->dest_amp_id);*/
4911 result = L2CAP_MR_PEND;
4915 l2cap_send_move_chan_rsp(chan, result);
4917 l2cap_chan_unlock(chan);
4922 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4924 struct l2cap_chan *chan;
4925 struct hci_chan *hchan = NULL;
4927 chan = l2cap_get_chan_by_scid(conn, icid);
4929 l2cap_send_move_chan_cfm_icid(conn, icid);
4933 __clear_chan_timer(chan);
4934 if (result == L2CAP_MR_PEND)
4935 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4937 switch (chan->move_state) {
4938 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4939 /* Move confirm will be sent when logical link
4942 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4944 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4945 if (result == L2CAP_MR_PEND) {
4947 } else if (test_bit(CONN_LOCAL_BUSY,
4948 &chan->conn_state)) {
4949 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4951 /* Logical link is up or moving to BR/EDR,
4954 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4955 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4958 case L2CAP_MOVE_WAIT_RSP:
4960 if (result == L2CAP_MR_SUCCESS) {
4961 /* Remote is ready, send confirm immediately
4962 * after logical link is ready
4964 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4966 /* Both logical link and move success
4967 * are required to confirm
4969 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4972 /* Placeholder - get hci_chan for logical link */
4974 /* Logical link not available */
4975 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4979 /* If the logical link is not yet connected, do not
4980 * send confirmation.
4982 if (hchan->state != BT_CONNECTED)
4985 /* Logical link is already ready to go */
4987 chan->hs_hcon = hchan->conn;
4988 chan->hs_hcon->l2cap_data = chan->conn;
4990 if (result == L2CAP_MR_SUCCESS) {
4991 /* Can confirm now */
4992 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4994 /* Now only need move success
4997 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
5000 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
5003 /* Any other amp move state means the move failed. */
5004 chan->move_id = chan->local_amp_id;
5005 l2cap_move_done(chan);
5006 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5009 l2cap_chan_unlock(chan);
5012 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5015 struct l2cap_chan *chan;
5017 chan = l2cap_get_chan_by_ident(conn, ident);
5019 /* Could not locate channel, icid is best guess */
5020 l2cap_send_move_chan_cfm_icid(conn, icid);
5024 __clear_chan_timer(chan);
5026 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5027 if (result == L2CAP_MR_COLLISION) {
5028 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5030 /* Cleanup - cancel move */
5031 chan->move_id = chan->local_amp_id;
5032 l2cap_move_done(chan);
5036 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5038 l2cap_chan_unlock(chan);
5041 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5042 struct l2cap_cmd_hdr *cmd,
5043 u16 cmd_len, void *data)
5045 struct l2cap_move_chan_rsp *rsp = data;
5048 if (cmd_len != sizeof(*rsp))
5051 icid = le16_to_cpu(rsp->icid);
5052 result = le16_to_cpu(rsp->result);
5054 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5056 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5057 l2cap_move_continue(conn, icid, result);
5059 l2cap_move_fail(conn, cmd->ident, icid, result);
5064 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5065 struct l2cap_cmd_hdr *cmd,
5066 u16 cmd_len, void *data)
5068 struct l2cap_move_chan_cfm *cfm = data;
5069 struct l2cap_chan *chan;
5072 if (cmd_len != sizeof(*cfm))
5075 icid = le16_to_cpu(cfm->icid);
5076 result = le16_to_cpu(cfm->result);
5078 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5080 chan = l2cap_get_chan_by_dcid(conn, icid);
5082 /* Spec requires a response even if the icid was not found */
5083 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5087 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5088 if (result == L2CAP_MC_CONFIRMED) {
5089 chan->local_amp_id = chan->move_id;
5090 if (!chan->local_amp_id)
5091 __release_logical_link(chan);
5093 chan->move_id = chan->local_amp_id;
5096 l2cap_move_done(chan);
5099 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5101 l2cap_chan_unlock(chan);
5106 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5107 struct l2cap_cmd_hdr *cmd,
5108 u16 cmd_len, void *data)
5110 struct l2cap_move_chan_cfm_rsp *rsp = data;
5111 struct l2cap_chan *chan;
5114 if (cmd_len != sizeof(*rsp))
5117 icid = le16_to_cpu(rsp->icid);
5119 BT_DBG("icid 0x%4.4x", icid);
5121 chan = l2cap_get_chan_by_scid(conn, icid);
5125 __clear_chan_timer(chan);
5127 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5128 chan->local_amp_id = chan->move_id;
5130 if (!chan->local_amp_id && chan->hs_hchan)
5131 __release_logical_link(chan);
5133 l2cap_move_done(chan);
5136 l2cap_chan_unlock(chan);
5141 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
5146 if (min > max || min < 6 || max > 3200)
5149 if (to_multiplier < 10 || to_multiplier > 3200)
5152 if (max >= to_multiplier * 8)
5155 max_latency = (to_multiplier * 8 / max) - 1;
5156 if (latency > 499 || latency > max_latency)
5162 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5163 struct l2cap_cmd_hdr *cmd,
5166 struct hci_conn *hcon = conn->hcon;
5167 struct l2cap_conn_param_update_req *req;
5168 struct l2cap_conn_param_update_rsp rsp;
5169 u16 min, max, latency, to_multiplier, cmd_len;
5172 if (!(hcon->link_mode & HCI_LM_MASTER))
5175 cmd_len = __le16_to_cpu(cmd->len);
5176 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5179 req = (struct l2cap_conn_param_update_req *) data;
5180 min = __le16_to_cpu(req->min);
5181 max = __le16_to_cpu(req->max);
5182 latency = __le16_to_cpu(req->latency);
5183 to_multiplier = __le16_to_cpu(req->to_multiplier);
5185 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5186 min, max, latency, to_multiplier);
5188 memset(&rsp, 0, sizeof(rsp));
5190 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5192 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5194 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5196 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5200 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5205 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5206 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5211 switch (cmd->code) {
5212 case L2CAP_COMMAND_REJ:
5213 l2cap_command_rej(conn, cmd, cmd_len, data);
5216 case L2CAP_CONN_REQ:
5217 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5220 case L2CAP_CONN_RSP:
5221 case L2CAP_CREATE_CHAN_RSP:
5222 l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5225 case L2CAP_CONF_REQ:
5226 err = l2cap_config_req(conn, cmd, cmd_len, data);
5229 case L2CAP_CONF_RSP:
5230 l2cap_config_rsp(conn, cmd, cmd_len, data);
5233 case L2CAP_DISCONN_REQ:
5234 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5237 case L2CAP_DISCONN_RSP:
5238 l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5241 case L2CAP_ECHO_REQ:
5242 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5245 case L2CAP_ECHO_RSP:
5248 case L2CAP_INFO_REQ:
5249 err = l2cap_information_req(conn, cmd, cmd_len, data);
5252 case L2CAP_INFO_RSP:
5253 l2cap_information_rsp(conn, cmd, cmd_len, data);
5256 case L2CAP_CREATE_CHAN_REQ:
5257 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5260 case L2CAP_MOVE_CHAN_REQ:
5261 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5264 case L2CAP_MOVE_CHAN_RSP:
5265 l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5268 case L2CAP_MOVE_CHAN_CFM:
5269 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5272 case L2CAP_MOVE_CHAN_CFM_RSP:
5273 l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5277 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5285 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5286 struct l2cap_cmd_hdr *cmd, u8 *data)
5288 switch (cmd->code) {
5289 case L2CAP_COMMAND_REJ:
5292 case L2CAP_CONN_PARAM_UPDATE_REQ:
5293 return l2cap_conn_param_update_req(conn, cmd, data);
5295 case L2CAP_CONN_PARAM_UPDATE_RSP:
5299 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5304 static __le16 l2cap_err_to_reason(int err)
5308 return __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
5310 return __constant_cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
5314 return __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5318 static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
5319 struct sk_buff *skb)
5321 struct hci_conn *hcon = conn->hcon;
5322 u8 *data = skb->data;
5324 struct l2cap_cmd_hdr cmd;
5327 l2cap_raw_recv(conn, skb);
5329 if (hcon->type != LE_LINK)
5332 while (len >= L2CAP_CMD_HDR_SIZE) {
5334 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5335 data += L2CAP_CMD_HDR_SIZE;
5336 len -= L2CAP_CMD_HDR_SIZE;
5338 cmd_len = le16_to_cpu(cmd.len);
5340 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5343 if (cmd_len > len || !cmd.ident) {
5344 BT_DBG("corrupted command");
5348 err = l2cap_le_sig_cmd(conn, &cmd, data);
5350 struct l2cap_cmd_rej_unk rej;
5352 BT_ERR("Wrong link type (%d)", err);
5354 rej.reason = l2cap_err_to_reason(err);
5355 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5366 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5367 struct sk_buff *skb)
5369 struct hci_conn *hcon = conn->hcon;
5370 u8 *data = skb->data;
5372 struct l2cap_cmd_hdr cmd;
5375 l2cap_raw_recv(conn, skb);
5377 if (hcon->type != ACL_LINK)
5380 while (len >= L2CAP_CMD_HDR_SIZE) {
5382 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5383 data += L2CAP_CMD_HDR_SIZE;
5384 len -= L2CAP_CMD_HDR_SIZE;
5386 cmd_len = le16_to_cpu(cmd.len);
5388 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5391 if (cmd_len > len || !cmd.ident) {
5392 BT_DBG("corrupted command");
5396 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5398 struct l2cap_cmd_rej_unk rej;
5400 BT_ERR("Wrong link type (%d)", err);
5402 rej.reason = l2cap_err_to_reason(err);
5403 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5414 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5416 u16 our_fcs, rcv_fcs;
5419 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5420 hdr_size = L2CAP_EXT_HDR_SIZE;
5422 hdr_size = L2CAP_ENH_HDR_SIZE;
5424 if (chan->fcs == L2CAP_FCS_CRC16) {
5425 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5426 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5427 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5429 if (our_fcs != rcv_fcs)
5435 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5437 struct l2cap_ctrl control;
5439 BT_DBG("chan %p", chan);
5441 memset(&control, 0, sizeof(control));
5444 control.reqseq = chan->buffer_seq;
5445 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5447 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5448 control.super = L2CAP_SUPER_RNR;
5449 l2cap_send_sframe(chan, &control);
5452 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5453 chan->unacked_frames > 0)
5454 __set_retrans_timer(chan);
5456 /* Send pending iframes */
5457 l2cap_ertm_send(chan);
5459 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5460 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5461 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5464 control.super = L2CAP_SUPER_RR;
5465 l2cap_send_sframe(chan, &control);
5469 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5470 struct sk_buff **last_frag)
5472 /* skb->len reflects data in skb as well as all fragments
5473 * skb->data_len reflects only data in fragments
5475 if (!skb_has_frag_list(skb))
5476 skb_shinfo(skb)->frag_list = new_frag;
5478 new_frag->next = NULL;
5480 (*last_frag)->next = new_frag;
5481 *last_frag = new_frag;
5483 skb->len += new_frag->len;
5484 skb->data_len += new_frag->len;
5485 skb->truesize += new_frag->truesize;
5488 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5489 struct l2cap_ctrl *control)
5493 switch (control->sar) {
5494 case L2CAP_SAR_UNSEGMENTED:
5498 err = chan->ops->recv(chan, skb);
5501 case L2CAP_SAR_START:
5505 chan->sdu_len = get_unaligned_le16(skb->data);
5506 skb_pull(skb, L2CAP_SDULEN_SIZE);
5508 if (chan->sdu_len > chan->imtu) {
5513 if (skb->len >= chan->sdu_len)
5517 chan->sdu_last_frag = skb;
5523 case L2CAP_SAR_CONTINUE:
5527 append_skb_frag(chan->sdu, skb,
5528 &chan->sdu_last_frag);
5531 if (chan->sdu->len >= chan->sdu_len)
5541 append_skb_frag(chan->sdu, skb,
5542 &chan->sdu_last_frag);
5545 if (chan->sdu->len != chan->sdu_len)
5548 err = chan->ops->recv(chan, chan->sdu);
5551 /* Reassembly complete */
5553 chan->sdu_last_frag = NULL;
5561 kfree_skb(chan->sdu);
5563 chan->sdu_last_frag = NULL;
5570 static int l2cap_resegment(struct l2cap_chan *chan)
5576 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5580 if (chan->mode != L2CAP_MODE_ERTM)
5583 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5584 l2cap_tx(chan, NULL, NULL, event);
5587 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5590 /* Pass sequential frames to l2cap_reassemble_sdu()
5591 * until a gap is encountered.
5594 BT_DBG("chan %p", chan);
5596 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5597 struct sk_buff *skb;
5598 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5599 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5601 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5606 skb_unlink(skb, &chan->srej_q);
5607 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5608 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5613 if (skb_queue_empty(&chan->srej_q)) {
5614 chan->rx_state = L2CAP_RX_STATE_RECV;
5615 l2cap_send_ack(chan);
5621 static void l2cap_handle_srej(struct l2cap_chan *chan,
5622 struct l2cap_ctrl *control)
5624 struct sk_buff *skb;
5626 BT_DBG("chan %p, control %p", chan, control);
5628 if (control->reqseq == chan->next_tx_seq) {
5629 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5630 l2cap_send_disconn_req(chan, ECONNRESET);
5634 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5637 BT_DBG("Seq %d not available for retransmission",
5642 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5643 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5644 l2cap_send_disconn_req(chan, ECONNRESET);
5648 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5650 if (control->poll) {
5651 l2cap_pass_to_tx(chan, control);
5653 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5654 l2cap_retransmit(chan, control);
5655 l2cap_ertm_send(chan);
5657 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5658 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5659 chan->srej_save_reqseq = control->reqseq;
5662 l2cap_pass_to_tx_fbit(chan, control);
5664 if (control->final) {
5665 if (chan->srej_save_reqseq != control->reqseq ||
5666 !test_and_clear_bit(CONN_SREJ_ACT,
5668 l2cap_retransmit(chan, control);
5670 l2cap_retransmit(chan, control);
5671 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5672 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5673 chan->srej_save_reqseq = control->reqseq;
5679 static void l2cap_handle_rej(struct l2cap_chan *chan,
5680 struct l2cap_ctrl *control)
5682 struct sk_buff *skb;
5684 BT_DBG("chan %p, control %p", chan, control);
5686 if (control->reqseq == chan->next_tx_seq) {
5687 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5688 l2cap_send_disconn_req(chan, ECONNRESET);
5692 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5694 if (chan->max_tx && skb &&
5695 bt_cb(skb)->control.retries >= chan->max_tx) {
5696 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5697 l2cap_send_disconn_req(chan, ECONNRESET);
5701 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5703 l2cap_pass_to_tx(chan, control);
5705 if (control->final) {
5706 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5707 l2cap_retransmit_all(chan, control);
5709 l2cap_retransmit_all(chan, control);
5710 l2cap_ertm_send(chan);
5711 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5712 set_bit(CONN_REJ_ACT, &chan->conn_state);
5716 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5718 BT_DBG("chan %p, txseq %d", chan, txseq);
5720 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5721 chan->expected_tx_seq);
5723 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5724 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5726 /* See notes below regarding "double poll" and
5729 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5730 BT_DBG("Invalid/Ignore - after SREJ");
5731 return L2CAP_TXSEQ_INVALID_IGNORE;
5733 BT_DBG("Invalid - in window after SREJ sent");
5734 return L2CAP_TXSEQ_INVALID;
5738 if (chan->srej_list.head == txseq) {
5739 BT_DBG("Expected SREJ");
5740 return L2CAP_TXSEQ_EXPECTED_SREJ;
5743 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5744 BT_DBG("Duplicate SREJ - txseq already stored");
5745 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5748 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5749 BT_DBG("Unexpected SREJ - not requested");
5750 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5754 if (chan->expected_tx_seq == txseq) {
5755 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5757 BT_DBG("Invalid - txseq outside tx window");
5758 return L2CAP_TXSEQ_INVALID;
5761 return L2CAP_TXSEQ_EXPECTED;
5765 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
5766 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
5767 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5768 return L2CAP_TXSEQ_DUPLICATE;
5771 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5772 /* A source of invalid packets is a "double poll" condition,
5773 * where delays cause us to send multiple poll packets. If
5774 * the remote stack receives and processes both polls,
5775 * sequence numbers can wrap around in such a way that a
5776 * resent frame has a sequence number that looks like new data
5777 * with a sequence gap. This would trigger an erroneous SREJ
5780 * Fortunately, this is impossible with a tx window that's
5781 * less than half of the maximum sequence number, which allows
5782 * invalid frames to be safely ignored.
5784 * With tx window sizes greater than half of the tx window
5785 * maximum, the frame is invalid and cannot be ignored. This
5786 * causes a disconnect.
5789 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5790 BT_DBG("Invalid/Ignore - txseq outside tx window");
5791 return L2CAP_TXSEQ_INVALID_IGNORE;
5793 BT_DBG("Invalid - txseq outside tx window");
5794 return L2CAP_TXSEQ_INVALID;
5797 BT_DBG("Unexpected - txseq indicates missing frames");
5798 return L2CAP_TXSEQ_UNEXPECTED;
5802 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5803 struct l2cap_ctrl *control,
5804 struct sk_buff *skb, u8 event)
5807 bool skb_in_use = false;
5809 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5813 case L2CAP_EV_RECV_IFRAME:
5814 switch (l2cap_classify_txseq(chan, control->txseq)) {
5815 case L2CAP_TXSEQ_EXPECTED:
5816 l2cap_pass_to_tx(chan, control);
5818 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5819 BT_DBG("Busy, discarding expected seq %d",
5824 chan->expected_tx_seq = __next_seq(chan,
5827 chan->buffer_seq = chan->expected_tx_seq;
5830 err = l2cap_reassemble_sdu(chan, skb, control);
5834 if (control->final) {
5835 if (!test_and_clear_bit(CONN_REJ_ACT,
5836 &chan->conn_state)) {
5838 l2cap_retransmit_all(chan, control);
5839 l2cap_ertm_send(chan);
5843 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5844 l2cap_send_ack(chan);
5846 case L2CAP_TXSEQ_UNEXPECTED:
5847 l2cap_pass_to_tx(chan, control);
5849 /* Can't issue SREJ frames in the local busy state.
5850 * Drop this frame, it will be seen as missing
5851 * when local busy is exited.
5853 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5854 BT_DBG("Busy, discarding unexpected seq %d",
5859 /* There was a gap in the sequence, so an SREJ
5860 * must be sent for each missing frame. The
5861 * current frame is stored for later use.
5863 skb_queue_tail(&chan->srej_q, skb);
5865 BT_DBG("Queued %p (queue len %d)", skb,
5866 skb_queue_len(&chan->srej_q));
5868 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5869 l2cap_seq_list_clear(&chan->srej_list);
5870 l2cap_send_srej(chan, control->txseq);
5872 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5874 case L2CAP_TXSEQ_DUPLICATE:
5875 l2cap_pass_to_tx(chan, control);
5877 case L2CAP_TXSEQ_INVALID_IGNORE:
5879 case L2CAP_TXSEQ_INVALID:
5881 l2cap_send_disconn_req(chan, ECONNRESET);
5885 case L2CAP_EV_RECV_RR:
5886 l2cap_pass_to_tx(chan, control);
5887 if (control->final) {
5888 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5890 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5891 !__chan_is_moving(chan)) {
5893 l2cap_retransmit_all(chan, control);
5896 l2cap_ertm_send(chan);
5897 } else if (control->poll) {
5898 l2cap_send_i_or_rr_or_rnr(chan);
5900 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5901 &chan->conn_state) &&
5902 chan->unacked_frames)
5903 __set_retrans_timer(chan);
5905 l2cap_ertm_send(chan);
5908 case L2CAP_EV_RECV_RNR:
5909 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5910 l2cap_pass_to_tx(chan, control);
5911 if (control && control->poll) {
5912 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5913 l2cap_send_rr_or_rnr(chan, 0);
5915 __clear_retrans_timer(chan);
5916 l2cap_seq_list_clear(&chan->retrans_list);
5918 case L2CAP_EV_RECV_REJ:
5919 l2cap_handle_rej(chan, control);
5921 case L2CAP_EV_RECV_SREJ:
5922 l2cap_handle_srej(chan, control);
5928 if (skb && !skb_in_use) {
5929 BT_DBG("Freeing %p", skb);
5936 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5937 struct l2cap_ctrl *control,
5938 struct sk_buff *skb, u8 event)
5941 u16 txseq = control->txseq;
5942 bool skb_in_use = false;
5944 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5948 case L2CAP_EV_RECV_IFRAME:
5949 switch (l2cap_classify_txseq(chan, txseq)) {
5950 case L2CAP_TXSEQ_EXPECTED:
5951 /* Keep frame for reassembly later */
5952 l2cap_pass_to_tx(chan, control);
5953 skb_queue_tail(&chan->srej_q, skb);
5955 BT_DBG("Queued %p (queue len %d)", skb,
5956 skb_queue_len(&chan->srej_q));
5958 chan->expected_tx_seq = __next_seq(chan, txseq);
5960 case L2CAP_TXSEQ_EXPECTED_SREJ:
5961 l2cap_seq_list_pop(&chan->srej_list);
5963 l2cap_pass_to_tx(chan, control);
5964 skb_queue_tail(&chan->srej_q, skb);
5966 BT_DBG("Queued %p (queue len %d)", skb,
5967 skb_queue_len(&chan->srej_q));
5969 err = l2cap_rx_queued_iframes(chan);
5974 case L2CAP_TXSEQ_UNEXPECTED:
5975 /* Got a frame that can't be reassembled yet.
5976 * Save it for later, and send SREJs to cover
5977 * the missing frames.
5979 skb_queue_tail(&chan->srej_q, skb);
5981 BT_DBG("Queued %p (queue len %d)", skb,
5982 skb_queue_len(&chan->srej_q));
5984 l2cap_pass_to_tx(chan, control);
5985 l2cap_send_srej(chan, control->txseq);
5987 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5988 /* This frame was requested with an SREJ, but
5989 * some expected retransmitted frames are
5990 * missing. Request retransmission of missing
5993 skb_queue_tail(&chan->srej_q, skb);
5995 BT_DBG("Queued %p (queue len %d)", skb,
5996 skb_queue_len(&chan->srej_q));
5998 l2cap_pass_to_tx(chan, control);
5999 l2cap_send_srej_list(chan, control->txseq);
6001 case L2CAP_TXSEQ_DUPLICATE_SREJ:
6002 /* We've already queued this frame. Drop this copy. */
6003 l2cap_pass_to_tx(chan, control);
6005 case L2CAP_TXSEQ_DUPLICATE:
6006 /* Expecting a later sequence number, so this frame
6007 * was already received. Ignore it completely.
6010 case L2CAP_TXSEQ_INVALID_IGNORE:
6012 case L2CAP_TXSEQ_INVALID:
6014 l2cap_send_disconn_req(chan, ECONNRESET);
6018 case L2CAP_EV_RECV_RR:
6019 l2cap_pass_to_tx(chan, control);
6020 if (control->final) {
6021 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6023 if (!test_and_clear_bit(CONN_REJ_ACT,
6024 &chan->conn_state)) {
6026 l2cap_retransmit_all(chan, control);
6029 l2cap_ertm_send(chan);
6030 } else if (control->poll) {
6031 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6032 &chan->conn_state) &&
6033 chan->unacked_frames) {
6034 __set_retrans_timer(chan);
6037 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6038 l2cap_send_srej_tail(chan);
6040 if (test_and_clear_bit(CONN_REMOTE_BUSY,
6041 &chan->conn_state) &&
6042 chan->unacked_frames)
6043 __set_retrans_timer(chan);
6045 l2cap_send_ack(chan);
6048 case L2CAP_EV_RECV_RNR:
6049 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6050 l2cap_pass_to_tx(chan, control);
6051 if (control->poll) {
6052 l2cap_send_srej_tail(chan);
6054 struct l2cap_ctrl rr_control;
6055 memset(&rr_control, 0, sizeof(rr_control));
6056 rr_control.sframe = 1;
6057 rr_control.super = L2CAP_SUPER_RR;
6058 rr_control.reqseq = chan->buffer_seq;
6059 l2cap_send_sframe(chan, &rr_control);
6063 case L2CAP_EV_RECV_REJ:
6064 l2cap_handle_rej(chan, control);
6066 case L2CAP_EV_RECV_SREJ:
6067 l2cap_handle_srej(chan, control);
6071 if (skb && !skb_in_use) {
6072 BT_DBG("Freeing %p", skb);
6079 static int l2cap_finish_move(struct l2cap_chan *chan)
6081 BT_DBG("chan %p", chan);
6083 chan->rx_state = L2CAP_RX_STATE_RECV;
6086 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6088 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6090 return l2cap_resegment(chan);
6093 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6094 struct l2cap_ctrl *control,
6095 struct sk_buff *skb, u8 event)
6099 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6105 l2cap_process_reqseq(chan, control->reqseq);
6107 if (!skb_queue_empty(&chan->tx_q))
6108 chan->tx_send_head = skb_peek(&chan->tx_q);
6110 chan->tx_send_head = NULL;
6112 /* Rewind next_tx_seq to the point expected
6115 chan->next_tx_seq = control->reqseq;
6116 chan->unacked_frames = 0;
6118 err = l2cap_finish_move(chan);
6122 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6123 l2cap_send_i_or_rr_or_rnr(chan);
6125 if (event == L2CAP_EV_RECV_IFRAME)
6128 return l2cap_rx_state_recv(chan, control, NULL, event);
6131 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6132 struct l2cap_ctrl *control,
6133 struct sk_buff *skb, u8 event)
6137 if (!control->final)
6140 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6142 chan->rx_state = L2CAP_RX_STATE_RECV;
6143 l2cap_process_reqseq(chan, control->reqseq);
6145 if (!skb_queue_empty(&chan->tx_q))
6146 chan->tx_send_head = skb_peek(&chan->tx_q);
6148 chan->tx_send_head = NULL;
6150 /* Rewind next_tx_seq to the point expected
6153 chan->next_tx_seq = control->reqseq;
6154 chan->unacked_frames = 0;
6157 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6159 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6161 err = l2cap_resegment(chan);
6164 err = l2cap_rx_state_recv(chan, control, skb, event);
6169 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6171 /* Make sure reqseq is for a packet that has been sent but not acked */
6174 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6175 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6178 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6179 struct sk_buff *skb, u8 event)
6183 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6184 control, skb, event, chan->rx_state);
6186 if (__valid_reqseq(chan, control->reqseq)) {
6187 switch (chan->rx_state) {
6188 case L2CAP_RX_STATE_RECV:
6189 err = l2cap_rx_state_recv(chan, control, skb, event);
6191 case L2CAP_RX_STATE_SREJ_SENT:
6192 err = l2cap_rx_state_srej_sent(chan, control, skb,
6195 case L2CAP_RX_STATE_WAIT_P:
6196 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6198 case L2CAP_RX_STATE_WAIT_F:
6199 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6206 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6207 control->reqseq, chan->next_tx_seq,
6208 chan->expected_ack_seq);
6209 l2cap_send_disconn_req(chan, ECONNRESET);
6215 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6216 struct sk_buff *skb)
6220 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6223 if (l2cap_classify_txseq(chan, control->txseq) ==
6224 L2CAP_TXSEQ_EXPECTED) {
6225 l2cap_pass_to_tx(chan, control);
6227 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6228 __next_seq(chan, chan->buffer_seq));
6230 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6232 l2cap_reassemble_sdu(chan, skb, control);
6235 kfree_skb(chan->sdu);
6238 chan->sdu_last_frag = NULL;
6242 BT_DBG("Freeing %p", skb);
6247 chan->last_acked_seq = control->txseq;
6248 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6253 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6255 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6259 __unpack_control(chan, skb);
6264 * We can just drop the corrupted I-frame here.
6265 * Receiver will miss it and start proper recovery
6266 * procedures and ask for retransmission.
6268 if (l2cap_check_fcs(chan, skb))
6271 if (!control->sframe && control->sar == L2CAP_SAR_START)
6272 len -= L2CAP_SDULEN_SIZE;
6274 if (chan->fcs == L2CAP_FCS_CRC16)
6275 len -= L2CAP_FCS_SIZE;
6277 if (len > chan->mps) {
6278 l2cap_send_disconn_req(chan, ECONNRESET);
6282 if (!control->sframe) {
6285 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6286 control->sar, control->reqseq, control->final,
6289 /* Validate F-bit - F=0 always valid, F=1 only
6290 * valid in TX WAIT_F
6292 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6295 if (chan->mode != L2CAP_MODE_STREAMING) {
6296 event = L2CAP_EV_RECV_IFRAME;
6297 err = l2cap_rx(chan, control, skb, event);
6299 err = l2cap_stream_rx(chan, control, skb);
6303 l2cap_send_disconn_req(chan, ECONNRESET);
6305 const u8 rx_func_to_event[4] = {
6306 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6307 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6310 /* Only I-frames are expected in streaming mode */
6311 if (chan->mode == L2CAP_MODE_STREAMING)
6314 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6315 control->reqseq, control->final, control->poll,
6319 BT_ERR("Trailing bytes: %d in sframe", len);
6320 l2cap_send_disconn_req(chan, ECONNRESET);
6324 /* Validate F and P bits */
6325 if (control->final && (control->poll ||
6326 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6329 event = rx_func_to_event[control->super];
6330 if (l2cap_rx(chan, control, skb, event))
6331 l2cap_send_disconn_req(chan, ECONNRESET);
6341 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6342 struct sk_buff *skb)
6344 struct l2cap_chan *chan;
6346 chan = l2cap_get_chan_by_scid(conn, cid);
6348 if (cid == L2CAP_CID_A2MP) {
6349 chan = a2mp_channel_create(conn, skb);
6355 l2cap_chan_lock(chan);
6357 BT_DBG("unknown cid 0x%4.4x", cid);
6358 /* Drop packet and return */
6364 BT_DBG("chan %p, len %d", chan, skb->len);
6366 if (chan->state != BT_CONNECTED)
6369 switch (chan->mode) {
6370 case L2CAP_MODE_BASIC:
6371 /* If socket recv buffers overflows we drop data here
6372 * which is *bad* because L2CAP has to be reliable.
6373 * But we don't have any other choice. L2CAP doesn't
6374 * provide flow control mechanism. */
6376 if (chan->imtu < skb->len)
6379 if (!chan->ops->recv(chan, skb))
6383 case L2CAP_MODE_ERTM:
6384 case L2CAP_MODE_STREAMING:
6385 l2cap_data_rcv(chan, skb);
6389 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6397 l2cap_chan_unlock(chan);
6400 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6401 struct sk_buff *skb)
6403 struct l2cap_chan *chan;
6405 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
6409 BT_DBG("chan %p, len %d", chan, skb->len);
6411 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6414 if (chan->imtu < skb->len)
6417 if (!chan->ops->recv(chan, skb))
6424 static void l2cap_att_channel(struct l2cap_conn *conn,
6425 struct sk_buff *skb)
6427 struct l2cap_chan *chan;
6429 chan = l2cap_global_chan_by_scid(BT_CONNECTED, L2CAP_CID_ATT,
6430 conn->src, conn->dst);
6434 BT_DBG("chan %p, len %d", chan, skb->len);
6436 if (chan->imtu < skb->len)
6439 if (!chan->ops->recv(chan, skb))
6446 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6448 struct l2cap_hdr *lh = (void *) skb->data;
6452 skb_pull(skb, L2CAP_HDR_SIZE);
6453 cid = __le16_to_cpu(lh->cid);
6454 len = __le16_to_cpu(lh->len);
6456 if (len != skb->len) {
6461 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6464 case L2CAP_CID_LE_SIGNALING:
6465 l2cap_le_sig_channel(conn, skb);
6467 case L2CAP_CID_SIGNALING:
6468 l2cap_sig_channel(conn, skb);
6471 case L2CAP_CID_CONN_LESS:
6472 psm = get_unaligned((__le16 *) skb->data);
6473 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6474 l2cap_conless_channel(conn, psm, skb);
6478 l2cap_att_channel(conn, skb);
6482 if (smp_sig_channel(conn, skb))
6483 l2cap_conn_del(conn->hcon, EACCES);
6487 l2cap_data_channel(conn, cid, skb);
6492 /* ---- L2CAP interface with lower layer (HCI) ---- */
6494 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
6496 int exact = 0, lm1 = 0, lm2 = 0;
6497 struct l2cap_chan *c;
6499 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
6501 /* Find listening sockets and check their link_mode */
6502 read_lock(&chan_list_lock);
6503 list_for_each_entry(c, &chan_list, global_l) {
6504 struct sock *sk = c->sk;
6506 if (c->state != BT_LISTEN)
6509 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
6510 lm1 |= HCI_LM_ACCEPT;
6511 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
6512 lm1 |= HCI_LM_MASTER;
6514 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6515 lm2 |= HCI_LM_ACCEPT;
6516 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
6517 lm2 |= HCI_LM_MASTER;
6520 read_unlock(&chan_list_lock);
6522 return exact ? lm1 : lm2;
6525 void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
6527 struct l2cap_conn *conn;
6529 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
6532 conn = l2cap_conn_add(hcon);
6534 l2cap_conn_ready(conn);
6536 l2cap_conn_del(hcon, bt_to_errno(status));
6540 int l2cap_disconn_ind(struct hci_conn *hcon)
6542 struct l2cap_conn *conn = hcon->l2cap_data;
6544 BT_DBG("hcon %p", hcon);
6547 return HCI_ERROR_REMOTE_USER_TERM;
6548 return conn->disc_reason;
6551 void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
6553 BT_DBG("hcon %p reason %d", hcon, reason);
6555 l2cap_conn_del(hcon, bt_to_errno(reason));
6558 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
6560 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
6563 if (encrypt == 0x00) {
6564 if (chan->sec_level == BT_SECURITY_MEDIUM) {
6565 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
6566 } else if (chan->sec_level == BT_SECURITY_HIGH)
6567 l2cap_chan_close(chan, ECONNREFUSED);
6569 if (chan->sec_level == BT_SECURITY_MEDIUM)
6570 __clear_chan_timer(chan);
6574 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
6576 struct l2cap_conn *conn = hcon->l2cap_data;
6577 struct l2cap_chan *chan;
6582 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
6584 if (hcon->type == LE_LINK) {
6585 if (!status && encrypt)
6586 smp_distribute_keys(conn, 0);
6587 cancel_delayed_work(&conn->security_timer);
6590 mutex_lock(&conn->chan_lock);
6592 list_for_each_entry(chan, &conn->chan_l, list) {
6593 l2cap_chan_lock(chan);
6595 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6596 state_to_string(chan->state));
6598 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6599 l2cap_chan_unlock(chan);
6603 if (chan->scid == L2CAP_CID_ATT) {
6604 if (!status && encrypt) {
6605 chan->sec_level = hcon->sec_level;
6606 l2cap_chan_ready(chan);
6609 l2cap_chan_unlock(chan);
6613 if (!__l2cap_no_conn_pending(chan)) {
6614 l2cap_chan_unlock(chan);
6618 if (!status && (chan->state == BT_CONNECTED ||
6619 chan->state == BT_CONFIG)) {
6620 struct sock *sk = chan->sk;
6622 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
6623 sk->sk_state_change(sk);
6625 l2cap_check_encryption(chan, encrypt);
6626 l2cap_chan_unlock(chan);
6630 if (chan->state == BT_CONNECT) {
6632 l2cap_start_connection(chan);
6634 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
6636 } else if (chan->state == BT_CONNECT2) {
6637 struct sock *sk = chan->sk;
6638 struct l2cap_conn_rsp rsp;
6644 if (test_bit(BT_SK_DEFER_SETUP,
6645 &bt_sk(sk)->flags)) {
6646 res = L2CAP_CR_PEND;
6647 stat = L2CAP_CS_AUTHOR_PEND;
6648 chan->ops->defer(chan);
6650 __l2cap_state_change(chan, BT_CONFIG);
6651 res = L2CAP_CR_SUCCESS;
6652 stat = L2CAP_CS_NO_INFO;
6655 __l2cap_state_change(chan, BT_DISCONN);
6656 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
6657 res = L2CAP_CR_SEC_BLOCK;
6658 stat = L2CAP_CS_NO_INFO;
6663 rsp.scid = cpu_to_le16(chan->dcid);
6664 rsp.dcid = cpu_to_le16(chan->scid);
6665 rsp.result = cpu_to_le16(res);
6666 rsp.status = cpu_to_le16(stat);
6667 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
6670 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6671 res == L2CAP_CR_SUCCESS) {
6673 set_bit(CONF_REQ_SENT, &chan->conf_state);
6674 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6676 l2cap_build_conf_req(chan, buf),
6678 chan->num_conf_req++;
6682 l2cap_chan_unlock(chan);
6685 mutex_unlock(&conn->chan_lock);
6690 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
6692 struct l2cap_conn *conn = hcon->l2cap_data;
6693 struct l2cap_hdr *hdr;
6696 /* For AMP controller do not create l2cap conn */
6697 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6701 conn = l2cap_conn_add(hcon);
6706 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6710 case ACL_START_NO_FLUSH:
6713 BT_ERR("Unexpected start frame (len %d)", skb->len);
6714 kfree_skb(conn->rx_skb);
6715 conn->rx_skb = NULL;
6717 l2cap_conn_unreliable(conn, ECOMM);
6720 /* Start fragment always begin with Basic L2CAP header */
6721 if (skb->len < L2CAP_HDR_SIZE) {
6722 BT_ERR("Frame is too short (len %d)", skb->len);
6723 l2cap_conn_unreliable(conn, ECOMM);
6727 hdr = (struct l2cap_hdr *) skb->data;
6728 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6730 if (len == skb->len) {
6731 /* Complete frame received */
6732 l2cap_recv_frame(conn, skb);
6736 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6738 if (skb->len > len) {
6739 BT_ERR("Frame is too long (len %d, expected len %d)",
6741 l2cap_conn_unreliable(conn, ECOMM);
6745 /* Allocate skb for the complete frame (with header) */
6746 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
6750 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
6752 conn->rx_len = len - skb->len;
6756 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6758 if (!conn->rx_len) {
6759 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6760 l2cap_conn_unreliable(conn, ECOMM);
6764 if (skb->len > conn->rx_len) {
6765 BT_ERR("Fragment is too long (len %d, expected %d)",
6766 skb->len, conn->rx_len);
6767 kfree_skb(conn->rx_skb);
6768 conn->rx_skb = NULL;
6770 l2cap_conn_unreliable(conn, ECOMM);
6774 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
6776 conn->rx_len -= skb->len;
6778 if (!conn->rx_len) {
6779 /* Complete frame received */
6780 l2cap_recv_frame(conn, conn->rx_skb);
6781 conn->rx_skb = NULL;
6791 static int l2cap_debugfs_show(struct seq_file *f, void *p)
6793 struct l2cap_chan *c;
6795 read_lock(&chan_list_lock);
6797 list_for_each_entry(c, &chan_list, global_l) {
6798 struct sock *sk = c->sk;
6800 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6801 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6802 c->state, __le16_to_cpu(c->psm),
6803 c->scid, c->dcid, c->imtu, c->omtu,
6804 c->sec_level, c->mode);
6807 read_unlock(&chan_list_lock);
6812 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6814 return single_open(file, l2cap_debugfs_show, inode->i_private);
6817 static const struct file_operations l2cap_debugfs_fops = {
6818 .open = l2cap_debugfs_open,
6820 .llseek = seq_lseek,
6821 .release = single_release,
6824 static struct dentry *l2cap_debugfs;
6826 int __init l2cap_init(void)
6830 err = l2cap_init_sockets();
6835 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6836 NULL, &l2cap_debugfs_fops);
6838 BT_ERR("Failed to create L2CAP debug file");
6844 void l2cap_exit(void)
6846 debugfs_remove(l2cap_debugfs);
6847 l2cap_cleanup_sockets();
6850 module_param(disable_ertm, bool, 0644);
6851 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / ~andy / linux / blob