2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
7 Copyright (c) 2012 Code Aurora Forum. All rights reserved.
9 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License version 2 as
13 published by the Free Software Foundation;
15 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
16 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
18 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
19 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
20 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
25 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
26 SOFTWARE IS DISCLAIMED.
29 /* Bluetooth L2CAP core. */
31 #include <linux/module.h>
33 #include <linux/debugfs.h>
34 #include <linux/crc16.h>
36 #include <net/bluetooth/bluetooth.h>
37 #include <net/bluetooth/hci_core.h>
38 #include <net/bluetooth/l2cap.h>
39 #include <net/bluetooth/smp.h>
40 #include <net/bluetooth/a2mp.h>
41 #include <net/bluetooth/amp.h>
45 static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
46 static u8 l2cap_fixed_chan[8] = { L2CAP_FC_L2CAP, };
48 static LIST_HEAD(chan_list);
49 static DEFINE_RWLOCK(chan_list_lock);
51 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
52 u8 code, u8 ident, u16 dlen, void *data);
53 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
55 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
56 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
58 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
59 struct sk_buff_head *skbs, u8 event);
61 /* ---- L2CAP channels ---- */
63 static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
68 list_for_each_entry(c, &conn->chan_l, list) {
75 static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
80 list_for_each_entry(c, &conn->chan_l, list) {
87 /* Find channel with given SCID.
88 * Returns locked channel. */
89 static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
94 mutex_lock(&conn->chan_lock);
95 c = __l2cap_get_chan_by_scid(conn, cid);
98 mutex_unlock(&conn->chan_lock);
103 /* Find channel with given DCID.
104 * Returns locked channel.
106 static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
109 struct l2cap_chan *c;
111 mutex_lock(&conn->chan_lock);
112 c = __l2cap_get_chan_by_dcid(conn, cid);
115 mutex_unlock(&conn->chan_lock);
120 static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
123 struct l2cap_chan *c;
125 list_for_each_entry(c, &conn->chan_l, list) {
126 if (c->ident == ident)
132 static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
135 struct l2cap_chan *c;
137 mutex_lock(&conn->chan_lock);
138 c = __l2cap_get_chan_by_ident(conn, ident);
141 mutex_unlock(&conn->chan_lock);
146 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
148 struct l2cap_chan *c;
150 list_for_each_entry(c, &chan_list, global_l) {
151 if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
157 int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
161 write_lock(&chan_list_lock);
163 if (psm && __l2cap_global_chan_by_addr(psm, src)) {
176 for (p = 0x1001; p < 0x1100; p += 2)
177 if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
178 chan->psm = cpu_to_le16(p);
179 chan->sport = cpu_to_le16(p);
186 write_unlock(&chan_list_lock);
190 int l2cap_add_scid(struct l2cap_chan *chan, __u16 scid)
192 write_lock(&chan_list_lock);
196 write_unlock(&chan_list_lock);
201 static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
203 u16 cid = L2CAP_CID_DYN_START;
205 for (; cid < L2CAP_CID_DYN_END; cid++) {
206 if (!__l2cap_get_chan_by_scid(conn, cid))
213 static void __l2cap_state_change(struct l2cap_chan *chan, int state)
215 BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
216 state_to_string(state));
219 chan->ops->state_change(chan, state);
222 static void l2cap_state_change(struct l2cap_chan *chan, int state)
224 struct sock *sk = chan->sk;
227 __l2cap_state_change(chan, state);
231 static inline void __l2cap_chan_set_err(struct l2cap_chan *chan, int err)
233 struct sock *sk = chan->sk;
238 static inline void l2cap_chan_set_err(struct l2cap_chan *chan, int err)
240 struct sock *sk = chan->sk;
243 __l2cap_chan_set_err(chan, err);
247 static void __set_retrans_timer(struct l2cap_chan *chan)
249 if (!delayed_work_pending(&chan->monitor_timer) &&
250 chan->retrans_timeout) {
251 l2cap_set_timer(chan, &chan->retrans_timer,
252 msecs_to_jiffies(chan->retrans_timeout));
256 static void __set_monitor_timer(struct l2cap_chan *chan)
258 __clear_retrans_timer(chan);
259 if (chan->monitor_timeout) {
260 l2cap_set_timer(chan, &chan->monitor_timer,
261 msecs_to_jiffies(chan->monitor_timeout));
265 static struct sk_buff *l2cap_ertm_seq_in_queue(struct sk_buff_head *head,
270 skb_queue_walk(head, skb) {
271 if (bt_cb(skb)->control.txseq == seq)
278 /* ---- L2CAP sequence number lists ---- */
280 /* For ERTM, ordered lists of sequence numbers must be tracked for
281 * SREJ requests that are received and for frames that are to be
282 * retransmitted. These seq_list functions implement a singly-linked
283 * list in an array, where membership in the list can also be checked
284 * in constant time. Items can also be added to the tail of the list
285 * and removed from the head in constant time, without further memory
289 static int l2cap_seq_list_init(struct l2cap_seq_list *seq_list, u16 size)
291 size_t alloc_size, i;
293 /* Allocated size is a power of 2 to map sequence numbers
294 * (which may be up to 14 bits) in to a smaller array that is
295 * sized for the negotiated ERTM transmit windows.
297 alloc_size = roundup_pow_of_two(size);
299 seq_list->list = kmalloc(sizeof(u16) * alloc_size, GFP_KERNEL);
303 seq_list->mask = alloc_size - 1;
304 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
305 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
306 for (i = 0; i < alloc_size; i++)
307 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
312 static inline void l2cap_seq_list_free(struct l2cap_seq_list *seq_list)
314 kfree(seq_list->list);
317 static inline bool l2cap_seq_list_contains(struct l2cap_seq_list *seq_list,
320 /* Constant-time check for list membership */
321 return seq_list->list[seq & seq_list->mask] != L2CAP_SEQ_LIST_CLEAR;
324 static u16 l2cap_seq_list_remove(struct l2cap_seq_list *seq_list, u16 seq)
326 u16 mask = seq_list->mask;
328 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR) {
329 /* In case someone tries to pop the head of an empty list */
330 return L2CAP_SEQ_LIST_CLEAR;
331 } else if (seq_list->head == seq) {
332 /* Head can be removed in constant time */
333 seq_list->head = seq_list->list[seq & mask];
334 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
336 if (seq_list->head == L2CAP_SEQ_LIST_TAIL) {
337 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
338 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
341 /* Walk the list to find the sequence number */
342 u16 prev = seq_list->head;
343 while (seq_list->list[prev & mask] != seq) {
344 prev = seq_list->list[prev & mask];
345 if (prev == L2CAP_SEQ_LIST_TAIL)
346 return L2CAP_SEQ_LIST_CLEAR;
349 /* Unlink the number from the list and clear it */
350 seq_list->list[prev & mask] = seq_list->list[seq & mask];
351 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_CLEAR;
352 if (seq_list->tail == seq)
353 seq_list->tail = prev;
358 static inline u16 l2cap_seq_list_pop(struct l2cap_seq_list *seq_list)
360 /* Remove the head in constant time */
361 return l2cap_seq_list_remove(seq_list, seq_list->head);
364 static void l2cap_seq_list_clear(struct l2cap_seq_list *seq_list)
368 if (seq_list->head == L2CAP_SEQ_LIST_CLEAR)
371 for (i = 0; i <= seq_list->mask; i++)
372 seq_list->list[i] = L2CAP_SEQ_LIST_CLEAR;
374 seq_list->head = L2CAP_SEQ_LIST_CLEAR;
375 seq_list->tail = L2CAP_SEQ_LIST_CLEAR;
378 static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
380 u16 mask = seq_list->mask;
382 /* All appends happen in constant time */
384 if (seq_list->list[seq & mask] != L2CAP_SEQ_LIST_CLEAR)
387 if (seq_list->tail == L2CAP_SEQ_LIST_CLEAR)
388 seq_list->head = seq;
390 seq_list->list[seq_list->tail & mask] = seq;
392 seq_list->tail = seq;
393 seq_list->list[seq & mask] = L2CAP_SEQ_LIST_TAIL;
396 static void l2cap_chan_timeout(struct work_struct *work)
398 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
400 struct l2cap_conn *conn = chan->conn;
403 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
405 mutex_lock(&conn->chan_lock);
406 l2cap_chan_lock(chan);
408 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
409 reason = ECONNREFUSED;
410 else if (chan->state == BT_CONNECT &&
411 chan->sec_level != BT_SECURITY_SDP)
412 reason = ECONNREFUSED;
416 l2cap_chan_close(chan, reason);
418 l2cap_chan_unlock(chan);
420 chan->ops->close(chan);
421 mutex_unlock(&conn->chan_lock);
423 l2cap_chan_put(chan);
426 struct l2cap_chan *l2cap_chan_create(void)
428 struct l2cap_chan *chan;
430 chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
434 mutex_init(&chan->lock);
436 write_lock(&chan_list_lock);
437 list_add(&chan->global_l, &chan_list);
438 write_unlock(&chan_list_lock);
440 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
442 chan->state = BT_OPEN;
444 kref_init(&chan->kref);
446 /* This flag is cleared in l2cap_chan_ready() */
447 set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
449 BT_DBG("chan %p", chan);
454 static void l2cap_chan_destroy(struct kref *kref)
456 struct l2cap_chan *chan = container_of(kref, struct l2cap_chan, kref);
458 BT_DBG("chan %p", chan);
460 write_lock(&chan_list_lock);
461 list_del(&chan->global_l);
462 write_unlock(&chan_list_lock);
467 void l2cap_chan_hold(struct l2cap_chan *c)
469 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
474 void l2cap_chan_put(struct l2cap_chan *c)
476 BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
478 kref_put(&c->kref, l2cap_chan_destroy);
481 void l2cap_chan_set_defaults(struct l2cap_chan *chan)
483 chan->fcs = L2CAP_FCS_CRC16;
484 chan->max_tx = L2CAP_DEFAULT_MAX_TX;
485 chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
486 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
487 chan->ack_win = L2CAP_DEFAULT_TX_WINDOW;
488 chan->sec_level = BT_SECURITY_LOW;
490 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
493 void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
495 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
496 __le16_to_cpu(chan->psm), chan->dcid);
498 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
502 switch (chan->chan_type) {
503 case L2CAP_CHAN_CONN_ORIENTED:
504 if (conn->hcon->type == LE_LINK) {
506 chan->omtu = L2CAP_DEFAULT_MTU;
507 chan->scid = L2CAP_CID_LE_DATA;
508 chan->dcid = L2CAP_CID_LE_DATA;
510 /* Alloc CID for connection-oriented socket */
511 chan->scid = l2cap_alloc_cid(conn);
512 chan->omtu = L2CAP_DEFAULT_MTU;
516 case L2CAP_CHAN_CONN_LESS:
517 /* Connectionless socket */
518 chan->scid = L2CAP_CID_CONN_LESS;
519 chan->dcid = L2CAP_CID_CONN_LESS;
520 chan->omtu = L2CAP_DEFAULT_MTU;
523 case L2CAP_CHAN_CONN_FIX_A2MP:
524 chan->scid = L2CAP_CID_A2MP;
525 chan->dcid = L2CAP_CID_A2MP;
526 chan->omtu = L2CAP_A2MP_DEFAULT_MTU;
527 chan->imtu = L2CAP_A2MP_DEFAULT_MTU;
531 /* Raw socket can send/recv signalling messages only */
532 chan->scid = L2CAP_CID_SIGNALING;
533 chan->dcid = L2CAP_CID_SIGNALING;
534 chan->omtu = L2CAP_DEFAULT_MTU;
537 chan->local_id = L2CAP_BESTEFFORT_ID;
538 chan->local_stype = L2CAP_SERV_BESTEFFORT;
539 chan->local_msdu = L2CAP_DEFAULT_MAX_SDU_SIZE;
540 chan->local_sdu_itime = L2CAP_DEFAULT_SDU_ITIME;
541 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
542 chan->local_flush_to = L2CAP_EFS_DEFAULT_FLUSH_TO;
544 l2cap_chan_hold(chan);
546 list_add(&chan->list, &conn->chan_l);
549 void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
551 mutex_lock(&conn->chan_lock);
552 __l2cap_chan_add(conn, chan);
553 mutex_unlock(&conn->chan_lock);
556 void l2cap_chan_del(struct l2cap_chan *chan, int err)
558 struct l2cap_conn *conn = chan->conn;
560 __clear_chan_timer(chan);
562 BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
565 struct amp_mgr *mgr = conn->hcon->amp_mgr;
566 /* Delete from channel list */
567 list_del(&chan->list);
569 l2cap_chan_put(chan);
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
574 hci_conn_drop(conn->hcon);
576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL;
580 if (chan->hs_hchan) {
581 struct hci_chan *hs_hchan = chan->hs_hchan;
583 BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
584 amp_disconnect_logical_link(hs_hchan);
587 chan->ops->teardown(chan, err);
589 if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
593 case L2CAP_MODE_BASIC:
596 case L2CAP_MODE_ERTM:
597 __clear_retrans_timer(chan);
598 __clear_monitor_timer(chan);
599 __clear_ack_timer(chan);
601 skb_queue_purge(&chan->srej_q);
603 l2cap_seq_list_free(&chan->srej_list);
604 l2cap_seq_list_free(&chan->retrans_list);
608 case L2CAP_MODE_STREAMING:
609 skb_queue_purge(&chan->tx_q);
616 void l2cap_chan_close(struct l2cap_chan *chan, int reason)
618 struct l2cap_conn *conn = chan->conn;
619 struct sock *sk = chan->sk;
621 BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
624 switch (chan->state) {
626 chan->ops->teardown(chan, 0);
631 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
632 conn->hcon->type == ACL_LINK) {
633 __set_chan_timer(chan, sk->sk_sndtimeo);
634 l2cap_send_disconn_req(chan, reason);
636 l2cap_chan_del(chan, reason);
640 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
641 conn->hcon->type == ACL_LINK) {
642 struct l2cap_conn_rsp rsp;
645 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
646 result = L2CAP_CR_SEC_BLOCK;
648 result = L2CAP_CR_BAD_PSM;
649 l2cap_state_change(chan, BT_DISCONN);
651 rsp.scid = cpu_to_le16(chan->dcid);
652 rsp.dcid = cpu_to_le16(chan->scid);
653 rsp.result = cpu_to_le16(result);
654 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
655 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
659 l2cap_chan_del(chan, reason);
664 l2cap_chan_del(chan, reason);
668 chan->ops->teardown(chan, 0);
673 static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
675 if (chan->chan_type == L2CAP_CHAN_RAW) {
676 switch (chan->sec_level) {
677 case BT_SECURITY_HIGH:
678 return HCI_AT_DEDICATED_BONDING_MITM;
679 case BT_SECURITY_MEDIUM:
680 return HCI_AT_DEDICATED_BONDING;
682 return HCI_AT_NO_BONDING;
684 } else if (chan->psm == __constant_cpu_to_le16(L2CAP_PSM_SDP)) {
685 if (chan->sec_level == BT_SECURITY_LOW)
686 chan->sec_level = BT_SECURITY_SDP;
688 if (chan->sec_level == BT_SECURITY_HIGH)
689 return HCI_AT_NO_BONDING_MITM;
691 return HCI_AT_NO_BONDING;
693 switch (chan->sec_level) {
694 case BT_SECURITY_HIGH:
695 return HCI_AT_GENERAL_BONDING_MITM;
696 case BT_SECURITY_MEDIUM:
697 return HCI_AT_GENERAL_BONDING;
699 return HCI_AT_NO_BONDING;
704 /* Service level security */
705 int l2cap_chan_check_security(struct l2cap_chan *chan)
707 struct l2cap_conn *conn = chan->conn;
710 auth_type = l2cap_get_auth_type(chan);
712 return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
715 static u8 l2cap_get_ident(struct l2cap_conn *conn)
719 /* Get next available identificator.
720 * 1 - 128 are used by kernel.
721 * 129 - 199 are reserved.
722 * 200 - 254 are used by utilities like l2ping, etc.
725 spin_lock(&conn->lock);
727 if (++conn->tx_ident > 128)
732 spin_unlock(&conn->lock);
737 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
740 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
743 BT_DBG("code 0x%2.2x", code);
748 if (lmp_no_flush_capable(conn->hcon->hdev))
749 flags = ACL_START_NO_FLUSH;
753 bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
754 skb->priority = HCI_PRIO_MAX;
756 hci_send_acl(conn->hchan, skb, flags);
759 static bool __chan_is_moving(struct l2cap_chan *chan)
761 return chan->move_state != L2CAP_MOVE_STABLE &&
762 chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
765 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
767 struct hci_conn *hcon = chan->conn->hcon;
770 BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
773 if (chan->hs_hcon && !__chan_is_moving(chan)) {
775 hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
782 if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
783 lmp_no_flush_capable(hcon->hdev))
784 flags = ACL_START_NO_FLUSH;
788 bt_cb(skb)->force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags);
789 hci_send_acl(chan->conn->hchan, skb, flags);
792 static void __unpack_enhanced_control(u16 enh, struct l2cap_ctrl *control)
794 control->reqseq = (enh & L2CAP_CTRL_REQSEQ) >> L2CAP_CTRL_REQSEQ_SHIFT;
795 control->final = (enh & L2CAP_CTRL_FINAL) >> L2CAP_CTRL_FINAL_SHIFT;
797 if (enh & L2CAP_CTRL_FRAME_TYPE) {
800 control->poll = (enh & L2CAP_CTRL_POLL) >> L2CAP_CTRL_POLL_SHIFT;
801 control->super = (enh & L2CAP_CTRL_SUPERVISE) >> L2CAP_CTRL_SUPER_SHIFT;
808 control->sar = (enh & L2CAP_CTRL_SAR) >> L2CAP_CTRL_SAR_SHIFT;
809 control->txseq = (enh & L2CAP_CTRL_TXSEQ) >> L2CAP_CTRL_TXSEQ_SHIFT;
816 static void __unpack_extended_control(u32 ext, struct l2cap_ctrl *control)
818 control->reqseq = (ext & L2CAP_EXT_CTRL_REQSEQ) >> L2CAP_EXT_CTRL_REQSEQ_SHIFT;
819 control->final = (ext & L2CAP_EXT_CTRL_FINAL) >> L2CAP_EXT_CTRL_FINAL_SHIFT;
821 if (ext & L2CAP_EXT_CTRL_FRAME_TYPE) {
824 control->poll = (ext & L2CAP_EXT_CTRL_POLL) >> L2CAP_EXT_CTRL_POLL_SHIFT;
825 control->super = (ext & L2CAP_EXT_CTRL_SUPERVISE) >> L2CAP_EXT_CTRL_SUPER_SHIFT;
832 control->sar = (ext & L2CAP_EXT_CTRL_SAR) >> L2CAP_EXT_CTRL_SAR_SHIFT;
833 control->txseq = (ext & L2CAP_EXT_CTRL_TXSEQ) >> L2CAP_EXT_CTRL_TXSEQ_SHIFT;
840 static inline void __unpack_control(struct l2cap_chan *chan,
843 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
844 __unpack_extended_control(get_unaligned_le32(skb->data),
845 &bt_cb(skb)->control);
846 skb_pull(skb, L2CAP_EXT_CTRL_SIZE);
848 __unpack_enhanced_control(get_unaligned_le16(skb->data),
849 &bt_cb(skb)->control);
850 skb_pull(skb, L2CAP_ENH_CTRL_SIZE);
854 static u32 __pack_extended_control(struct l2cap_ctrl *control)
858 packed = control->reqseq << L2CAP_EXT_CTRL_REQSEQ_SHIFT;
859 packed |= control->final << L2CAP_EXT_CTRL_FINAL_SHIFT;
861 if (control->sframe) {
862 packed |= control->poll << L2CAP_EXT_CTRL_POLL_SHIFT;
863 packed |= control->super << L2CAP_EXT_CTRL_SUPER_SHIFT;
864 packed |= L2CAP_EXT_CTRL_FRAME_TYPE;
866 packed |= control->sar << L2CAP_EXT_CTRL_SAR_SHIFT;
867 packed |= control->txseq << L2CAP_EXT_CTRL_TXSEQ_SHIFT;
873 static u16 __pack_enhanced_control(struct l2cap_ctrl *control)
877 packed = control->reqseq << L2CAP_CTRL_REQSEQ_SHIFT;
878 packed |= control->final << L2CAP_CTRL_FINAL_SHIFT;
880 if (control->sframe) {
881 packed |= control->poll << L2CAP_CTRL_POLL_SHIFT;
882 packed |= control->super << L2CAP_CTRL_SUPER_SHIFT;
883 packed |= L2CAP_CTRL_FRAME_TYPE;
885 packed |= control->sar << L2CAP_CTRL_SAR_SHIFT;
886 packed |= control->txseq << L2CAP_CTRL_TXSEQ_SHIFT;
892 static inline void __pack_control(struct l2cap_chan *chan,
893 struct l2cap_ctrl *control,
896 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
897 put_unaligned_le32(__pack_extended_control(control),
898 skb->data + L2CAP_HDR_SIZE);
900 put_unaligned_le16(__pack_enhanced_control(control),
901 skb->data + L2CAP_HDR_SIZE);
905 static inline unsigned int __ertm_hdr_size(struct l2cap_chan *chan)
907 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
908 return L2CAP_EXT_HDR_SIZE;
910 return L2CAP_ENH_HDR_SIZE;
913 static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
917 struct l2cap_hdr *lh;
918 int hlen = __ertm_hdr_size(chan);
920 if (chan->fcs == L2CAP_FCS_CRC16)
921 hlen += L2CAP_FCS_SIZE;
923 skb = bt_skb_alloc(hlen, GFP_KERNEL);
926 return ERR_PTR(-ENOMEM);
928 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
929 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
930 lh->cid = cpu_to_le16(chan->dcid);
932 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
933 put_unaligned_le32(control, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
935 put_unaligned_le16(control, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
937 if (chan->fcs == L2CAP_FCS_CRC16) {
938 u16 fcs = crc16(0, (u8 *)skb->data, skb->len);
939 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
942 skb->priority = HCI_PRIO_MAX;
946 static void l2cap_send_sframe(struct l2cap_chan *chan,
947 struct l2cap_ctrl *control)
952 BT_DBG("chan %p, control %p", chan, control);
954 if (!control->sframe)
957 if (__chan_is_moving(chan))
960 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
964 if (control->super == L2CAP_SUPER_RR)
965 clear_bit(CONN_RNR_SENT, &chan->conn_state);
966 else if (control->super == L2CAP_SUPER_RNR)
967 set_bit(CONN_RNR_SENT, &chan->conn_state);
969 if (control->super != L2CAP_SUPER_SREJ) {
970 chan->last_acked_seq = control->reqseq;
971 __clear_ack_timer(chan);
974 BT_DBG("reqseq %d, final %d, poll %d, super %d", control->reqseq,
975 control->final, control->poll, control->super);
977 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
978 control_field = __pack_extended_control(control);
980 control_field = __pack_enhanced_control(control);
982 skb = l2cap_create_sframe_pdu(chan, control_field);
984 l2cap_do_send(chan, skb);
987 static void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, bool poll)
989 struct l2cap_ctrl control;
991 BT_DBG("chan %p, poll %d", chan, poll);
993 memset(&control, 0, sizeof(control));
997 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
998 control.super = L2CAP_SUPER_RNR;
1000 control.super = L2CAP_SUPER_RR;
1002 control.reqseq = chan->buffer_seq;
1003 l2cap_send_sframe(chan, &control);
1006 static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
1008 return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
1011 static bool __amp_capable(struct l2cap_chan *chan)
1013 struct l2cap_conn *conn = chan->conn;
1016 hci_amp_capable() &&
1017 chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
1018 conn->fixed_chan_mask & L2CAP_FC_A2MP)
1024 static bool l2cap_check_efs(struct l2cap_chan *chan)
1026 /* Check EFS parameters */
1030 void l2cap_send_conn_req(struct l2cap_chan *chan)
1032 struct l2cap_conn *conn = chan->conn;
1033 struct l2cap_conn_req req;
1035 req.scid = cpu_to_le16(chan->scid);
1036 req.psm = chan->psm;
1038 chan->ident = l2cap_get_ident(conn);
1040 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
1042 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
1045 static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
1047 struct l2cap_create_chan_req req;
1048 req.scid = cpu_to_le16(chan->scid);
1049 req.psm = chan->psm;
1050 req.amp_id = amp_id;
1052 chan->ident = l2cap_get_ident(chan->conn);
1054 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
1058 static void l2cap_move_setup(struct l2cap_chan *chan)
1060 struct sk_buff *skb;
1062 BT_DBG("chan %p", chan);
1064 if (chan->mode != L2CAP_MODE_ERTM)
1067 __clear_retrans_timer(chan);
1068 __clear_monitor_timer(chan);
1069 __clear_ack_timer(chan);
1071 chan->retry_count = 0;
1072 skb_queue_walk(&chan->tx_q, skb) {
1073 if (bt_cb(skb)->control.retries)
1074 bt_cb(skb)->control.retries = 1;
1079 chan->expected_tx_seq = chan->buffer_seq;
1081 clear_bit(CONN_REJ_ACT, &chan->conn_state);
1082 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
1083 l2cap_seq_list_clear(&chan->retrans_list);
1084 l2cap_seq_list_clear(&chan->srej_list);
1085 skb_queue_purge(&chan->srej_q);
1087 chan->tx_state = L2CAP_TX_STATE_XMIT;
1088 chan->rx_state = L2CAP_RX_STATE_MOVE;
1090 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
1093 static void l2cap_move_done(struct l2cap_chan *chan)
1095 u8 move_role = chan->move_role;
1096 BT_DBG("chan %p", chan);
1098 chan->move_state = L2CAP_MOVE_STABLE;
1099 chan->move_role = L2CAP_MOVE_ROLE_NONE;
1101 if (chan->mode != L2CAP_MODE_ERTM)
1104 switch (move_role) {
1105 case L2CAP_MOVE_ROLE_INITIATOR:
1106 l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
1107 chan->rx_state = L2CAP_RX_STATE_WAIT_F;
1109 case L2CAP_MOVE_ROLE_RESPONDER:
1110 chan->rx_state = L2CAP_RX_STATE_WAIT_P;
1115 static void l2cap_chan_ready(struct l2cap_chan *chan)
1117 /* This clears all conf flags, including CONF_NOT_COMPLETE */
1118 chan->conf_state = 0;
1119 __clear_chan_timer(chan);
1121 chan->state = BT_CONNECTED;
1123 chan->ops->ready(chan);
1126 static void l2cap_start_connection(struct l2cap_chan *chan)
1128 if (__amp_capable(chan)) {
1129 BT_DBG("chan %p AMP capable: discover AMPs", chan);
1130 a2mp_discover_amp(chan);
1132 l2cap_send_conn_req(chan);
1136 static void l2cap_do_start(struct l2cap_chan *chan)
1138 struct l2cap_conn *conn = chan->conn;
1140 if (conn->hcon->type == LE_LINK) {
1141 l2cap_chan_ready(chan);
1145 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
1146 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
1149 if (l2cap_chan_check_security(chan) &&
1150 __l2cap_no_conn_pending(chan)) {
1151 l2cap_start_connection(chan);
1154 struct l2cap_info_req req;
1155 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
1157 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
1158 conn->info_ident = l2cap_get_ident(conn);
1160 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
1162 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
1167 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
1169 u32 local_feat_mask = l2cap_feat_mask;
1171 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
1174 case L2CAP_MODE_ERTM:
1175 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
1176 case L2CAP_MODE_STREAMING:
1177 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
1183 static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err)
1185 struct sock *sk = chan->sk;
1186 struct l2cap_conn *conn = chan->conn;
1187 struct l2cap_disconn_req req;
1192 if (chan->mode == L2CAP_MODE_ERTM && chan->state == BT_CONNECTED) {
1193 __clear_retrans_timer(chan);
1194 __clear_monitor_timer(chan);
1195 __clear_ack_timer(chan);
1198 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1199 l2cap_state_change(chan, BT_DISCONN);
1203 req.dcid = cpu_to_le16(chan->dcid);
1204 req.scid = cpu_to_le16(chan->scid);
1205 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
1209 __l2cap_state_change(chan, BT_DISCONN);
1210 __l2cap_chan_set_err(chan, err);
1214 /* ---- L2CAP connections ---- */
1215 static void l2cap_conn_start(struct l2cap_conn *conn)
1217 struct l2cap_chan *chan, *tmp;
1219 BT_DBG("conn %p", conn);
1221 mutex_lock(&conn->chan_lock);
1223 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
1224 struct sock *sk = chan->sk;
1226 l2cap_chan_lock(chan);
1228 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1229 l2cap_chan_unlock(chan);
1233 if (chan->state == BT_CONNECT) {
1234 if (!l2cap_chan_check_security(chan) ||
1235 !__l2cap_no_conn_pending(chan)) {
1236 l2cap_chan_unlock(chan);
1240 if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
1241 && test_bit(CONF_STATE2_DEVICE,
1242 &chan->conf_state)) {
1243 l2cap_chan_close(chan, ECONNRESET);
1244 l2cap_chan_unlock(chan);
1248 l2cap_start_connection(chan);
1250 } else if (chan->state == BT_CONNECT2) {
1251 struct l2cap_conn_rsp rsp;
1253 rsp.scid = cpu_to_le16(chan->dcid);
1254 rsp.dcid = cpu_to_le16(chan->scid);
1256 if (l2cap_chan_check_security(chan)) {
1258 if (test_bit(BT_SK_DEFER_SETUP,
1259 &bt_sk(sk)->flags)) {
1260 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1261 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
1262 chan->ops->defer(chan);
1265 __l2cap_state_change(chan, BT_CONFIG);
1266 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
1267 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
1271 rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
1272 rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
1275 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
1278 if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
1279 rsp.result != L2CAP_CR_SUCCESS) {
1280 l2cap_chan_unlock(chan);
1284 set_bit(CONF_REQ_SENT, &chan->conf_state);
1285 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
1286 l2cap_build_conf_req(chan, buf), buf);
1287 chan->num_conf_req++;
1290 l2cap_chan_unlock(chan);
1293 mutex_unlock(&conn->chan_lock);
1296 /* Find socket with cid and source/destination bdaddr.
1297 * Returns closest match, locked.
1299 static struct l2cap_chan *l2cap_global_chan_by_scid(int state, u16 cid,
1303 struct l2cap_chan *c, *c1 = NULL;
1305 read_lock(&chan_list_lock);
1307 list_for_each_entry(c, &chan_list, global_l) {
1308 struct sock *sk = c->sk;
1310 if (state && c->state != state)
1313 if (c->scid == cid) {
1314 int src_match, dst_match;
1315 int src_any, dst_any;
1318 src_match = !bacmp(&bt_sk(sk)->src, src);
1319 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1320 if (src_match && dst_match) {
1321 read_unlock(&chan_list_lock);
1326 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1327 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1328 if ((src_match && dst_any) || (src_any && dst_match) ||
1329 (src_any && dst_any))
1334 read_unlock(&chan_list_lock);
1339 static void l2cap_le_conn_ready(struct l2cap_conn *conn)
1341 struct sock *parent, *sk;
1342 struct l2cap_chan *chan, *pchan;
1346 /* Check if we have socket listening on cid */
1347 pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
1348 conn->src, conn->dst);
1356 chan = pchan->ops->new_connection(pchan);
1362 hci_conn_hold(conn->hcon);
1363 conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
1365 bacpy(&bt_sk(sk)->src, conn->src);
1366 bacpy(&bt_sk(sk)->dst, conn->dst);
1368 l2cap_chan_add(conn, chan);
1370 l2cap_chan_ready(chan);
1373 release_sock(parent);
1376 static void l2cap_conn_ready(struct l2cap_conn *conn)
1378 struct l2cap_chan *chan;
1379 struct hci_conn *hcon = conn->hcon;
1381 BT_DBG("conn %p", conn);
1383 if (!hcon->out && hcon->type == LE_LINK)
1384 l2cap_le_conn_ready(conn);
1386 if (hcon->out && hcon->type == LE_LINK)
1387 smp_conn_security(hcon, hcon->pending_sec_level);
1389 mutex_lock(&conn->chan_lock);
1391 list_for_each_entry(chan, &conn->chan_l, list) {
1393 l2cap_chan_lock(chan);
1395 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
1396 l2cap_chan_unlock(chan);
1400 if (hcon->type == LE_LINK) {
1401 if (smp_conn_security(hcon, chan->sec_level))
1402 l2cap_chan_ready(chan);
1404 } else if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1405 struct sock *sk = chan->sk;
1406 __clear_chan_timer(chan);
1408 __l2cap_state_change(chan, BT_CONNECTED);
1409 sk->sk_state_change(sk);
1412 } else if (chan->state == BT_CONNECT)
1413 l2cap_do_start(chan);
1415 l2cap_chan_unlock(chan);
1418 mutex_unlock(&conn->chan_lock);
1421 /* Notify sockets that we cannot guaranty reliability anymore */
1422 static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
1424 struct l2cap_chan *chan;
1426 BT_DBG("conn %p", conn);
1428 mutex_lock(&conn->chan_lock);
1430 list_for_each_entry(chan, &conn->chan_l, list) {
1431 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1432 l2cap_chan_set_err(chan, err);
1435 mutex_unlock(&conn->chan_lock);
1438 static void l2cap_info_timeout(struct work_struct *work)
1440 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1443 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1444 conn->info_ident = 0;
1446 l2cap_conn_start(conn);
1451 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1452 * callback is called during registration. The ->remove callback is called
1453 * during unregistration.
1454 * An l2cap_user object can either be explicitly unregistered or when the
1455 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1456 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1457 * External modules must own a reference to the l2cap_conn object if they intend
1458 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1459 * any time if they don't.
1462 int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1464 struct hci_dev *hdev = conn->hcon->hdev;
1467 /* We need to check whether l2cap_conn is registered. If it is not, we
1468 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1469 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1470 * relies on the parent hci_conn object to be locked. This itself relies
1471 * on the hci_dev object to be locked. So we must lock the hci device
1476 if (user->list.next || user->list.prev) {
1481 /* conn->hchan is NULL after l2cap_conn_del() was called */
1487 ret = user->probe(conn, user);
1491 list_add(&user->list, &conn->users);
1495 hci_dev_unlock(hdev);
1498 EXPORT_SYMBOL(l2cap_register_user);
1500 void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1502 struct hci_dev *hdev = conn->hcon->hdev;
1506 if (!user->list.next || !user->list.prev)
1509 list_del(&user->list);
1510 user->list.next = NULL;
1511 user->list.prev = NULL;
1512 user->remove(conn, user);
1515 hci_dev_unlock(hdev);
1517 EXPORT_SYMBOL(l2cap_unregister_user);
1519 static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1521 struct l2cap_user *user;
1523 while (!list_empty(&conn->users)) {
1524 user = list_first_entry(&conn->users, struct l2cap_user, list);
1525 list_del(&user->list);
1526 user->list.next = NULL;
1527 user->list.prev = NULL;
1528 user->remove(conn, user);
1532 static void l2cap_conn_del(struct hci_conn *hcon, int err)
1534 struct l2cap_conn *conn = hcon->l2cap_data;
1535 struct l2cap_chan *chan, *l;
1540 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
1542 kfree_skb(conn->rx_skb);
1544 l2cap_unregister_all_users(conn);
1546 mutex_lock(&conn->chan_lock);
1549 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1550 l2cap_chan_hold(chan);
1551 l2cap_chan_lock(chan);
1553 l2cap_chan_del(chan, err);
1555 l2cap_chan_unlock(chan);
1557 chan->ops->close(chan);
1558 l2cap_chan_put(chan);
1561 mutex_unlock(&conn->chan_lock);
1563 hci_chan_del(conn->hchan);
1565 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1566 cancel_delayed_work_sync(&conn->info_timer);
1568 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
1569 cancel_delayed_work_sync(&conn->security_timer);
1570 smp_chan_destroy(conn);
1573 hcon->l2cap_data = NULL;
1575 l2cap_conn_put(conn);
1578 static void security_timeout(struct work_struct *work)
1580 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1581 security_timer.work);
1583 BT_DBG("conn %p", conn);
1585 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1586 smp_chan_destroy(conn);
1587 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1591 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1593 struct l2cap_conn *conn = hcon->l2cap_data;
1594 struct hci_chan *hchan;
1599 hchan = hci_chan_create(hcon);
1603 conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
1605 hci_chan_del(hchan);
1609 kref_init(&conn->ref);
1610 hcon->l2cap_data = conn;
1612 hci_conn_get(conn->hcon);
1613 conn->hchan = hchan;
1615 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
1617 switch (hcon->type) {
1619 if (hcon->hdev->le_mtu) {
1620 conn->mtu = hcon->hdev->le_mtu;
1625 conn->mtu = hcon->hdev->acl_mtu;
1629 conn->src = &hcon->hdev->bdaddr;
1630 conn->dst = &hcon->dst;
1632 conn->feat_mask = 0;
1634 spin_lock_init(&conn->lock);
1635 mutex_init(&conn->chan_lock);
1637 INIT_LIST_HEAD(&conn->chan_l);
1638 INIT_LIST_HEAD(&conn->users);
1640 if (hcon->type == LE_LINK)
1641 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1643 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1645 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1650 static void l2cap_conn_free(struct kref *ref)
1652 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1654 hci_conn_put(conn->hcon);
1658 void l2cap_conn_get(struct l2cap_conn *conn)
1660 kref_get(&conn->ref);
1662 EXPORT_SYMBOL(l2cap_conn_get);
1664 void l2cap_conn_put(struct l2cap_conn *conn)
1666 kref_put(&conn->ref, l2cap_conn_free);
1668 EXPORT_SYMBOL(l2cap_conn_put);
1670 /* ---- Socket interface ---- */
1672 /* Find socket with psm and source / destination bdaddr.
1673 * Returns closest match.
1675 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
1679 struct l2cap_chan *c, *c1 = NULL;
1681 read_lock(&chan_list_lock);
1683 list_for_each_entry(c, &chan_list, global_l) {
1684 struct sock *sk = c->sk;
1686 if (state && c->state != state)
1689 if (c->psm == psm) {
1690 int src_match, dst_match;
1691 int src_any, dst_any;
1694 src_match = !bacmp(&bt_sk(sk)->src, src);
1695 dst_match = !bacmp(&bt_sk(sk)->dst, dst);
1696 if (src_match && dst_match) {
1697 read_unlock(&chan_list_lock);
1702 src_any = !bacmp(&bt_sk(sk)->src, BDADDR_ANY);
1703 dst_any = !bacmp(&bt_sk(sk)->dst, BDADDR_ANY);
1704 if ((src_match && dst_any) || (src_any && dst_match) ||
1705 (src_any && dst_any))
1710 read_unlock(&chan_list_lock);
1715 int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1716 bdaddr_t *dst, u8 dst_type)
1718 struct sock *sk = chan->sk;
1719 bdaddr_t *src = &bt_sk(sk)->src;
1720 struct l2cap_conn *conn;
1721 struct hci_conn *hcon;
1722 struct hci_dev *hdev;
1726 BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
1727 dst_type, __le16_to_cpu(psm));
1729 hdev = hci_get_route(dst, src);
1731 return -EHOSTUNREACH;
1735 l2cap_chan_lock(chan);
1737 /* PSM must be odd and lsb of upper byte must be 0 */
1738 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1739 chan->chan_type != L2CAP_CHAN_RAW) {
1744 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1749 switch (chan->mode) {
1750 case L2CAP_MODE_BASIC:
1752 case L2CAP_MODE_ERTM:
1753 case L2CAP_MODE_STREAMING:
1762 switch (chan->state) {
1766 /* Already connecting */
1771 /* Already connected */
1785 /* Set destination address and psm */
1787 bacpy(&bt_sk(sk)->dst, dst);
1793 auth_type = l2cap_get_auth_type(chan);
1795 if (chan->dcid == L2CAP_CID_LE_DATA)
1796 hcon = hci_connect(hdev, LE_LINK, dst, dst_type,
1797 chan->sec_level, auth_type);
1799 hcon = hci_connect(hdev, ACL_LINK, dst, dst_type,
1800 chan->sec_level, auth_type);
1803 err = PTR_ERR(hcon);
1807 conn = l2cap_conn_add(hcon);
1809 hci_conn_drop(hcon);
1814 if (hcon->type == LE_LINK) {
1817 if (!list_empty(&conn->chan_l)) {
1819 hci_conn_drop(hcon);
1826 /* Update source addr of the socket */
1827 bacpy(src, conn->src);
1829 l2cap_chan_unlock(chan);
1830 l2cap_chan_add(conn, chan);
1831 l2cap_chan_lock(chan);
1833 l2cap_state_change(chan, BT_CONNECT);
1834 __set_chan_timer(chan, sk->sk_sndtimeo);
1836 if (hcon->state == BT_CONNECTED) {
1837 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1838 __clear_chan_timer(chan);
1839 if (l2cap_chan_check_security(chan))
1840 l2cap_state_change(chan, BT_CONNECTED);
1842 l2cap_do_start(chan);
1848 l2cap_chan_unlock(chan);
1849 hci_dev_unlock(hdev);
1854 int __l2cap_wait_ack(struct sock *sk)
1856 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
1857 DECLARE_WAITQUEUE(wait, current);
1861 add_wait_queue(sk_sleep(sk), &wait);
1862 set_current_state(TASK_INTERRUPTIBLE);
1863 while (chan->unacked_frames > 0 && chan->conn) {
1867 if (signal_pending(current)) {
1868 err = sock_intr_errno(timeo);
1873 timeo = schedule_timeout(timeo);
1875 set_current_state(TASK_INTERRUPTIBLE);
1877 err = sock_error(sk);
1881 set_current_state(TASK_RUNNING);
1882 remove_wait_queue(sk_sleep(sk), &wait);
1886 static void l2cap_monitor_timeout(struct work_struct *work)
1888 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1889 monitor_timer.work);
1891 BT_DBG("chan %p", chan);
1893 l2cap_chan_lock(chan);
1896 l2cap_chan_unlock(chan);
1897 l2cap_chan_put(chan);
1901 l2cap_tx(chan, NULL, NULL, L2CAP_EV_MONITOR_TO);
1903 l2cap_chan_unlock(chan);
1904 l2cap_chan_put(chan);
1907 static void l2cap_retrans_timeout(struct work_struct *work)
1909 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1910 retrans_timer.work);
1912 BT_DBG("chan %p", chan);
1914 l2cap_chan_lock(chan);
1917 l2cap_chan_unlock(chan);
1918 l2cap_chan_put(chan);
1922 l2cap_tx(chan, NULL, NULL, L2CAP_EV_RETRANS_TO);
1923 l2cap_chan_unlock(chan);
1924 l2cap_chan_put(chan);
1927 static void l2cap_streaming_send(struct l2cap_chan *chan,
1928 struct sk_buff_head *skbs)
1930 struct sk_buff *skb;
1931 struct l2cap_ctrl *control;
1933 BT_DBG("chan %p, skbs %p", chan, skbs);
1935 if (__chan_is_moving(chan))
1938 skb_queue_splice_tail_init(skbs, &chan->tx_q);
1940 while (!skb_queue_empty(&chan->tx_q)) {
1942 skb = skb_dequeue(&chan->tx_q);
1944 bt_cb(skb)->control.retries = 1;
1945 control = &bt_cb(skb)->control;
1947 control->reqseq = 0;
1948 control->txseq = chan->next_tx_seq;
1950 __pack_control(chan, control, skb);
1952 if (chan->fcs == L2CAP_FCS_CRC16) {
1953 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
1954 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
1957 l2cap_do_send(chan, skb);
1959 BT_DBG("Sent txseq %u", control->txseq);
1961 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
1962 chan->frames_sent++;
1966 static int l2cap_ertm_send(struct l2cap_chan *chan)
1968 struct sk_buff *skb, *tx_skb;
1969 struct l2cap_ctrl *control;
1972 BT_DBG("chan %p", chan);
1974 if (chan->state != BT_CONNECTED)
1977 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
1980 if (__chan_is_moving(chan))
1983 while (chan->tx_send_head &&
1984 chan->unacked_frames < chan->remote_tx_win &&
1985 chan->tx_state == L2CAP_TX_STATE_XMIT) {
1987 skb = chan->tx_send_head;
1989 bt_cb(skb)->control.retries = 1;
1990 control = &bt_cb(skb)->control;
1992 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
1995 control->reqseq = chan->buffer_seq;
1996 chan->last_acked_seq = chan->buffer_seq;
1997 control->txseq = chan->next_tx_seq;
1999 __pack_control(chan, control, skb);
2001 if (chan->fcs == L2CAP_FCS_CRC16) {
2002 u16 fcs = crc16(0, (u8 *) skb->data, skb->len);
2003 put_unaligned_le16(fcs, skb_put(skb, L2CAP_FCS_SIZE));
2006 /* Clone after data has been modified. Data is assumed to be
2007 read-only (for locking purposes) on cloned sk_buffs.
2009 tx_skb = skb_clone(skb, GFP_KERNEL);
2014 __set_retrans_timer(chan);
2016 chan->next_tx_seq = __next_seq(chan, chan->next_tx_seq);
2017 chan->unacked_frames++;
2018 chan->frames_sent++;
2021 if (skb_queue_is_last(&chan->tx_q, skb))
2022 chan->tx_send_head = NULL;
2024 chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
2026 l2cap_do_send(chan, tx_skb);
2027 BT_DBG("Sent txseq %u", control->txseq);
2030 BT_DBG("Sent %d, %u unacked, %u in ERTM queue", sent,
2031 chan->unacked_frames, skb_queue_len(&chan->tx_q));
2036 static void l2cap_ertm_resend(struct l2cap_chan *chan)
2038 struct l2cap_ctrl control;
2039 struct sk_buff *skb;
2040 struct sk_buff *tx_skb;
2043 BT_DBG("chan %p", chan);
2045 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2048 if (__chan_is_moving(chan))
2051 while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
2052 seq = l2cap_seq_list_pop(&chan->retrans_list);
2054 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
2056 BT_DBG("Error: Can't retransmit seq %d, frame missing",
2061 bt_cb(skb)->control.retries++;
2062 control = bt_cb(skb)->control;
2064 if (chan->max_tx != 0 &&
2065 bt_cb(skb)->control.retries > chan->max_tx) {
2066 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
2067 l2cap_send_disconn_req(chan, ECONNRESET);
2068 l2cap_seq_list_clear(&chan->retrans_list);
2072 control.reqseq = chan->buffer_seq;
2073 if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state))
2078 if (skb_cloned(skb)) {
2079 /* Cloned sk_buffs are read-only, so we need a
2082 tx_skb = skb_copy(skb, GFP_KERNEL);
2084 tx_skb = skb_clone(skb, GFP_KERNEL);
2088 l2cap_seq_list_clear(&chan->retrans_list);
2092 /* Update skb contents */
2093 if (test_bit(FLAG_EXT_CTRL, &chan->flags)) {
2094 put_unaligned_le32(__pack_extended_control(&control),
2095 tx_skb->data + L2CAP_HDR_SIZE);
2097 put_unaligned_le16(__pack_enhanced_control(&control),
2098 tx_skb->data + L2CAP_HDR_SIZE);
2101 if (chan->fcs == L2CAP_FCS_CRC16) {
2102 u16 fcs = crc16(0, (u8 *) tx_skb->data, tx_skb->len);
2103 put_unaligned_le16(fcs, skb_put(tx_skb,
2107 l2cap_do_send(chan, tx_skb);
2109 BT_DBG("Resent txseq %d", control.txseq);
2111 chan->last_acked_seq = chan->buffer_seq;
2115 static void l2cap_retransmit(struct l2cap_chan *chan,
2116 struct l2cap_ctrl *control)
2118 BT_DBG("chan %p, control %p", chan, control);
2120 l2cap_seq_list_append(&chan->retrans_list, control->reqseq);
2121 l2cap_ertm_resend(chan);
2124 static void l2cap_retransmit_all(struct l2cap_chan *chan,
2125 struct l2cap_ctrl *control)
2127 struct sk_buff *skb;
2129 BT_DBG("chan %p, control %p", chan, control);
2132 set_bit(CONN_SEND_FBIT, &chan->conn_state);
2134 l2cap_seq_list_clear(&chan->retrans_list);
2136 if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
2139 if (chan->unacked_frames) {
2140 skb_queue_walk(&chan->tx_q, skb) {
2141 if (bt_cb(skb)->control.txseq == control->reqseq ||
2142 skb == chan->tx_send_head)
2146 skb_queue_walk_from(&chan->tx_q, skb) {
2147 if (skb == chan->tx_send_head)
2150 l2cap_seq_list_append(&chan->retrans_list,
2151 bt_cb(skb)->control.txseq);
2154 l2cap_ertm_resend(chan);
2158 static void l2cap_send_ack(struct l2cap_chan *chan)
2160 struct l2cap_ctrl control;
2161 u16 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
2162 chan->last_acked_seq);
2165 BT_DBG("chan %p last_acked_seq %d buffer_seq %d",
2166 chan, chan->last_acked_seq, chan->buffer_seq);
2168 memset(&control, 0, sizeof(control));
2171 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
2172 chan->rx_state == L2CAP_RX_STATE_RECV) {
2173 __clear_ack_timer(chan);
2174 control.super = L2CAP_SUPER_RNR;
2175 control.reqseq = chan->buffer_seq;
2176 l2cap_send_sframe(chan, &control);
2178 if (!test_bit(CONN_REMOTE_BUSY, &chan->conn_state)) {
2179 l2cap_ertm_send(chan);
2180 /* If any i-frames were sent, they included an ack */
2181 if (chan->buffer_seq == chan->last_acked_seq)
2185 /* Ack now if the window is 3/4ths full.
2186 * Calculate without mul or div
2188 threshold = chan->ack_win;
2189 threshold += threshold << 1;
2192 BT_DBG("frames_to_ack %u, threshold %d", frames_to_ack,
2195 if (frames_to_ack >= threshold) {
2196 __clear_ack_timer(chan);
2197 control.super = L2CAP_SUPER_RR;
2198 control.reqseq = chan->buffer_seq;
2199 l2cap_send_sframe(chan, &control);
2204 __set_ack_timer(chan);
2208 static inline int l2cap_skbuff_fromiovec(struct l2cap_chan *chan,
2209 struct msghdr *msg, int len,
2210 int count, struct sk_buff *skb)
2212 struct l2cap_conn *conn = chan->conn;
2213 struct sk_buff **frag;
2216 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
2222 /* Continuation fragments (no L2CAP header) */
2223 frag = &skb_shinfo(skb)->frag_list;
2225 struct sk_buff *tmp;
2227 count = min_t(unsigned int, conn->mtu, len);
2229 tmp = chan->ops->alloc_skb(chan, count,
2230 msg->msg_flags & MSG_DONTWAIT);
2232 return PTR_ERR(tmp);
2236 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
2239 (*frag)->priority = skb->priority;
2244 skb->len += (*frag)->len;
2245 skb->data_len += (*frag)->len;
2247 frag = &(*frag)->next;
2253 static struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan,
2254 struct msghdr *msg, size_t len,
2257 struct l2cap_conn *conn = chan->conn;
2258 struct sk_buff *skb;
2259 int err, count, hlen = L2CAP_HDR_SIZE + L2CAP_PSMLEN_SIZE;
2260 struct l2cap_hdr *lh;
2262 BT_DBG("chan %p len %zu priority %u", chan, len, priority);
2264 count = min_t(unsigned int, (conn->mtu - hlen), len);
2266 skb = chan->ops->alloc_skb(chan, count + hlen,
2267 msg->msg_flags & MSG_DONTWAIT);
2271 skb->priority = priority;
2273 /* Create L2CAP header */
2274 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2275 lh->cid = cpu_to_le16(chan->dcid);
2276 lh->len = cpu_to_le16(len + L2CAP_PSMLEN_SIZE);
2277 put_unaligned(chan->psm, skb_put(skb, L2CAP_PSMLEN_SIZE));
2279 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2280 if (unlikely(err < 0)) {
2282 return ERR_PTR(err);
2287 static struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan,
2288 struct msghdr *msg, size_t len,
2291 struct l2cap_conn *conn = chan->conn;
2292 struct sk_buff *skb;
2294 struct l2cap_hdr *lh;
2296 BT_DBG("chan %p len %zu", chan, len);
2298 count = min_t(unsigned int, (conn->mtu - L2CAP_HDR_SIZE), len);
2300 skb = chan->ops->alloc_skb(chan, count + L2CAP_HDR_SIZE,
2301 msg->msg_flags & MSG_DONTWAIT);
2305 skb->priority = priority;
2307 /* Create L2CAP header */
2308 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2309 lh->cid = cpu_to_le16(chan->dcid);
2310 lh->len = cpu_to_le16(len);
2312 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2313 if (unlikely(err < 0)) {
2315 return ERR_PTR(err);
2320 static struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan,
2321 struct msghdr *msg, size_t len,
2324 struct l2cap_conn *conn = chan->conn;
2325 struct sk_buff *skb;
2326 int err, count, hlen;
2327 struct l2cap_hdr *lh;
2329 BT_DBG("chan %p len %zu", chan, len);
2332 return ERR_PTR(-ENOTCONN);
2334 hlen = __ertm_hdr_size(chan);
2337 hlen += L2CAP_SDULEN_SIZE;
2339 if (chan->fcs == L2CAP_FCS_CRC16)
2340 hlen += L2CAP_FCS_SIZE;
2342 count = min_t(unsigned int, (conn->mtu - hlen), len);
2344 skb = chan->ops->alloc_skb(chan, count + hlen,
2345 msg->msg_flags & MSG_DONTWAIT);
2349 /* Create L2CAP header */
2350 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2351 lh->cid = cpu_to_le16(chan->dcid);
2352 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
2354 /* Control header is populated later */
2355 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
2356 put_unaligned_le32(0, skb_put(skb, L2CAP_EXT_CTRL_SIZE));
2358 put_unaligned_le16(0, skb_put(skb, L2CAP_ENH_CTRL_SIZE));
2361 put_unaligned_le16(sdulen, skb_put(skb, L2CAP_SDULEN_SIZE));
2363 err = l2cap_skbuff_fromiovec(chan, msg, len, count, skb);
2364 if (unlikely(err < 0)) {
2366 return ERR_PTR(err);
2369 bt_cb(skb)->control.fcs = chan->fcs;
2370 bt_cb(skb)->control.retries = 0;
2374 static int l2cap_segment_sdu(struct l2cap_chan *chan,
2375 struct sk_buff_head *seg_queue,
2376 struct msghdr *msg, size_t len)
2378 struct sk_buff *skb;
2383 BT_DBG("chan %p, msg %p, len %zu", chan, msg, len);
2385 /* It is critical that ERTM PDUs fit in a single HCI fragment,
2386 * so fragmented skbs are not used. The HCI layer's handling
2387 * of fragmented skbs is not compatible with ERTM's queueing.
2390 /* PDU size is derived from the HCI MTU */
2391 pdu_len = chan->conn->mtu;
2393 /* Constrain PDU size for BR/EDR connections */
2395 pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
2397 /* Adjust for largest possible L2CAP overhead. */
2399 pdu_len -= L2CAP_FCS_SIZE;
2401 pdu_len -= __ertm_hdr_size(chan);
2403 /* Remote device may have requested smaller PDUs */
2404 pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
2406 if (len <= pdu_len) {
2407 sar = L2CAP_SAR_UNSEGMENTED;
2411 sar = L2CAP_SAR_START;
2413 pdu_len -= L2CAP_SDULEN_SIZE;
2417 skb = l2cap_create_iframe_pdu(chan, msg, pdu_len, sdu_len);
2420 __skb_queue_purge(seg_queue);
2421 return PTR_ERR(skb);
2424 bt_cb(skb)->control.sar = sar;
2425 __skb_queue_tail(seg_queue, skb);
2430 pdu_len += L2CAP_SDULEN_SIZE;
2433 if (len <= pdu_len) {
2434 sar = L2CAP_SAR_END;
2437 sar = L2CAP_SAR_CONTINUE;
2444 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
2447 struct sk_buff *skb;
2449 struct sk_buff_head seg_queue;
2451 /* Connectionless channel */
2452 if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
2453 skb = l2cap_create_connless_pdu(chan, msg, len, priority);
2455 return PTR_ERR(skb);
2457 l2cap_do_send(chan, skb);
2461 switch (chan->mode) {
2462 case L2CAP_MODE_BASIC:
2463 /* Check outgoing MTU */
2464 if (len > chan->omtu)
2467 /* Create a basic PDU */
2468 skb = l2cap_create_basic_pdu(chan, msg, len, priority);
2470 return PTR_ERR(skb);
2472 l2cap_do_send(chan, skb);
2476 case L2CAP_MODE_ERTM:
2477 case L2CAP_MODE_STREAMING:
2478 /* Check outgoing MTU */
2479 if (len > chan->omtu) {
2484 __skb_queue_head_init(&seg_queue);
2486 /* Do segmentation before calling in to the state machine,
2487 * since it's possible to block while waiting for memory
2490 err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
2492 /* The channel could have been closed while segmenting,
2493 * check that it is still connected.
2495 if (chan->state != BT_CONNECTED) {
2496 __skb_queue_purge(&seg_queue);
2503 if (chan->mode == L2CAP_MODE_ERTM)
2504 l2cap_tx(chan, NULL, &seg_queue, L2CAP_EV_DATA_REQUEST);
2506 l2cap_streaming_send(chan, &seg_queue);
2510 /* If the skbs were not queued for sending, they'll still be in
2511 * seg_queue and need to be purged.
2513 __skb_queue_purge(&seg_queue);
2517 BT_DBG("bad state %1.1x", chan->mode);
2524 static void l2cap_send_srej(struct l2cap_chan *chan, u16 txseq)
2526 struct l2cap_ctrl control;
2529 BT_DBG("chan %p, txseq %u", chan, txseq);
2531 memset(&control, 0, sizeof(control));
2533 control.super = L2CAP_SUPER_SREJ;
2535 for (seq = chan->expected_tx_seq; seq != txseq;
2536 seq = __next_seq(chan, seq)) {
2537 if (!l2cap_ertm_seq_in_queue(&chan->srej_q, seq)) {
2538 control.reqseq = seq;
2539 l2cap_send_sframe(chan, &control);
2540 l2cap_seq_list_append(&chan->srej_list, seq);
2544 chan->expected_tx_seq = __next_seq(chan, txseq);
2547 static void l2cap_send_srej_tail(struct l2cap_chan *chan)
2549 struct l2cap_ctrl control;
2551 BT_DBG("chan %p", chan);
2553 if (chan->srej_list.tail == L2CAP_SEQ_LIST_CLEAR)
2556 memset(&control, 0, sizeof(control));
2558 control.super = L2CAP_SUPER_SREJ;
2559 control.reqseq = chan->srej_list.tail;
2560 l2cap_send_sframe(chan, &control);
2563 static void l2cap_send_srej_list(struct l2cap_chan *chan, u16 txseq)
2565 struct l2cap_ctrl control;
2569 BT_DBG("chan %p, txseq %u", chan, txseq);
2571 memset(&control, 0, sizeof(control));
2573 control.super = L2CAP_SUPER_SREJ;
2575 /* Capture initial list head to allow only one pass through the list. */
2576 initial_head = chan->srej_list.head;
2579 seq = l2cap_seq_list_pop(&chan->srej_list);
2580 if (seq == txseq || seq == L2CAP_SEQ_LIST_CLEAR)
2583 control.reqseq = seq;
2584 l2cap_send_sframe(chan, &control);
2585 l2cap_seq_list_append(&chan->srej_list, seq);
2586 } while (chan->srej_list.head != initial_head);
2589 static void l2cap_process_reqseq(struct l2cap_chan *chan, u16 reqseq)
2591 struct sk_buff *acked_skb;
2594 BT_DBG("chan %p, reqseq %u", chan, reqseq);
2596 if (chan->unacked_frames == 0 || reqseq == chan->expected_ack_seq)
2599 BT_DBG("expected_ack_seq %u, unacked_frames %u",
2600 chan->expected_ack_seq, chan->unacked_frames);
2602 for (ackseq = chan->expected_ack_seq; ackseq != reqseq;
2603 ackseq = __next_seq(chan, ackseq)) {
2605 acked_skb = l2cap_ertm_seq_in_queue(&chan->tx_q, ackseq);
2607 skb_unlink(acked_skb, &chan->tx_q);
2608 kfree_skb(acked_skb);
2609 chan->unacked_frames--;
2613 chan->expected_ack_seq = reqseq;
2615 if (chan->unacked_frames == 0)
2616 __clear_retrans_timer(chan);
2618 BT_DBG("unacked_frames %u", chan->unacked_frames);
2621 static void l2cap_abort_rx_srej_sent(struct l2cap_chan *chan)
2623 BT_DBG("chan %p", chan);
2625 chan->expected_tx_seq = chan->buffer_seq;
2626 l2cap_seq_list_clear(&chan->srej_list);
2627 skb_queue_purge(&chan->srej_q);
2628 chan->rx_state = L2CAP_RX_STATE_RECV;
2631 static void l2cap_tx_state_xmit(struct l2cap_chan *chan,
2632 struct l2cap_ctrl *control,
2633 struct sk_buff_head *skbs, u8 event)
2635 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2639 case L2CAP_EV_DATA_REQUEST:
2640 if (chan->tx_send_head == NULL)
2641 chan->tx_send_head = skb_peek(skbs);
2643 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2644 l2cap_ertm_send(chan);
2646 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2647 BT_DBG("Enter LOCAL_BUSY");
2648 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2650 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2651 /* The SREJ_SENT state must be aborted if we are to
2652 * enter the LOCAL_BUSY state.
2654 l2cap_abort_rx_srej_sent(chan);
2657 l2cap_send_ack(chan);
2660 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2661 BT_DBG("Exit LOCAL_BUSY");
2662 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2664 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2665 struct l2cap_ctrl local_control;
2667 memset(&local_control, 0, sizeof(local_control));
2668 local_control.sframe = 1;
2669 local_control.super = L2CAP_SUPER_RR;
2670 local_control.poll = 1;
2671 local_control.reqseq = chan->buffer_seq;
2672 l2cap_send_sframe(chan, &local_control);
2674 chan->retry_count = 1;
2675 __set_monitor_timer(chan);
2676 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2679 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2680 l2cap_process_reqseq(chan, control->reqseq);
2682 case L2CAP_EV_EXPLICIT_POLL:
2683 l2cap_send_rr_or_rnr(chan, 1);
2684 chan->retry_count = 1;
2685 __set_monitor_timer(chan);
2686 __clear_ack_timer(chan);
2687 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2689 case L2CAP_EV_RETRANS_TO:
2690 l2cap_send_rr_or_rnr(chan, 1);
2691 chan->retry_count = 1;
2692 __set_monitor_timer(chan);
2693 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2695 case L2CAP_EV_RECV_FBIT:
2696 /* Nothing to process */
2703 static void l2cap_tx_state_wait_f(struct l2cap_chan *chan,
2704 struct l2cap_ctrl *control,
2705 struct sk_buff_head *skbs, u8 event)
2707 BT_DBG("chan %p, control %p, skbs %p, event %d", chan, control, skbs,
2711 case L2CAP_EV_DATA_REQUEST:
2712 if (chan->tx_send_head == NULL)
2713 chan->tx_send_head = skb_peek(skbs);
2714 /* Queue data, but don't send. */
2715 skb_queue_splice_tail_init(skbs, &chan->tx_q);
2717 case L2CAP_EV_LOCAL_BUSY_DETECTED:
2718 BT_DBG("Enter LOCAL_BUSY");
2719 set_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2721 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
2722 /* The SREJ_SENT state must be aborted if we are to
2723 * enter the LOCAL_BUSY state.
2725 l2cap_abort_rx_srej_sent(chan);
2728 l2cap_send_ack(chan);
2731 case L2CAP_EV_LOCAL_BUSY_CLEAR:
2732 BT_DBG("Exit LOCAL_BUSY");
2733 clear_bit(CONN_LOCAL_BUSY, &chan->conn_state);
2735 if (test_bit(CONN_RNR_SENT, &chan->conn_state)) {
2736 struct l2cap_ctrl local_control;
2737 memset(&local_control, 0, sizeof(local_control));
2738 local_control.sframe = 1;
2739 local_control.super = L2CAP_SUPER_RR;
2740 local_control.poll = 1;
2741 local_control.reqseq = chan->buffer_seq;
2742 l2cap_send_sframe(chan, &local_control);
2744 chan->retry_count = 1;
2745 __set_monitor_timer(chan);
2746 chan->tx_state = L2CAP_TX_STATE_WAIT_F;
2749 case L2CAP_EV_RECV_REQSEQ_AND_FBIT:
2750 l2cap_process_reqseq(chan, control->reqseq);
2754 case L2CAP_EV_RECV_FBIT:
2755 if (control && control->final) {
2756 __clear_monitor_timer(chan);
2757 if (chan->unacked_frames > 0)
2758 __set_retrans_timer(chan);
2759 chan->retry_count = 0;
2760 chan->tx_state = L2CAP_TX_STATE_XMIT;
2761 BT_DBG("recv fbit tx_state 0x2.2%x", chan->tx_state);
2764 case L2CAP_EV_EXPLICIT_POLL:
2767 case L2CAP_EV_MONITOR_TO:
2768 if (chan->max_tx == 0 || chan->retry_count < chan->max_tx) {
2769 l2cap_send_rr_or_rnr(chan, 1);
2770 __set_monitor_timer(chan);
2771 chan->retry_count++;
2773 l2cap_send_disconn_req(chan, ECONNABORTED);
2781 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
2782 struct sk_buff_head *skbs, u8 event)
2784 BT_DBG("chan %p, control %p, skbs %p, event %d, state %d",
2785 chan, control, skbs, event, chan->tx_state);
2787 switch (chan->tx_state) {
2788 case L2CAP_TX_STATE_XMIT:
2789 l2cap_tx_state_xmit(chan, control, skbs, event);
2791 case L2CAP_TX_STATE_WAIT_F:
2792 l2cap_tx_state_wait_f(chan, control, skbs, event);
2800 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
2801 struct l2cap_ctrl *control)
2803 BT_DBG("chan %p, control %p", chan, control);
2804 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_REQSEQ_AND_FBIT);
2807 static void l2cap_pass_to_tx_fbit(struct l2cap_chan *chan,
2808 struct l2cap_ctrl *control)
2810 BT_DBG("chan %p, control %p", chan, control);
2811 l2cap_tx(chan, control, NULL, L2CAP_EV_RECV_FBIT);
2814 /* Copy frame to all raw sockets on that connection */
2815 static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2817 struct sk_buff *nskb;
2818 struct l2cap_chan *chan;
2820 BT_DBG("conn %p", conn);
2822 mutex_lock(&conn->chan_lock);
2824 list_for_each_entry(chan, &conn->chan_l, list) {
2825 struct sock *sk = chan->sk;
2826 if (chan->chan_type != L2CAP_CHAN_RAW)
2829 /* Don't send frame to the socket it came from */
2832 nskb = skb_clone(skb, GFP_KERNEL);
2836 if (chan->ops->recv(chan, nskb))
2840 mutex_unlock(&conn->chan_lock);
2843 /* ---- L2CAP signalling commands ---- */
2844 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
2845 u8 ident, u16 dlen, void *data)
2847 struct sk_buff *skb, **frag;
2848 struct l2cap_cmd_hdr *cmd;
2849 struct l2cap_hdr *lh;
2852 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
2853 conn, code, ident, dlen);
2855 if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
2858 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2859 count = min_t(unsigned int, conn->mtu, len);
2861 skb = bt_skb_alloc(count, GFP_KERNEL);
2865 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
2866 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
2868 if (conn->hcon->type == LE_LINK)
2869 lh->cid = __constant_cpu_to_le16(L2CAP_CID_LE_SIGNALING);
2871 lh->cid = __constant_cpu_to_le16(L2CAP_CID_SIGNALING);
2873 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2876 cmd->len = cpu_to_le16(dlen);
2879 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2880 memcpy(skb_put(skb, count), data, count);
2886 /* Continuation fragments (no L2CAP header) */
2887 frag = &skb_shinfo(skb)->frag_list;
2889 count = min_t(unsigned int, conn->mtu, len);
2891 *frag = bt_skb_alloc(count, GFP_KERNEL);
2895 memcpy(skb_put(*frag, count), data, count);
2900 frag = &(*frag)->next;
2910 static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
2913 struct l2cap_conf_opt *opt = *ptr;
2916 len = L2CAP_CONF_OPT_SIZE + opt->len;
2924 *val = *((u8 *) opt->val);
2928 *val = get_unaligned_le16(opt->val);
2932 *val = get_unaligned_le32(opt->val);
2936 *val = (unsigned long) opt->val;
2940 BT_DBG("type 0x%2.2x len %u val 0x%lx", *type, opt->len, *val);
2944 static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2946 struct l2cap_conf_opt *opt = *ptr;
2948 BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
2955 *((u8 *) opt->val) = val;
2959 put_unaligned_le16(val, opt->val);
2963 put_unaligned_le32(val, opt->val);
2967 memcpy(opt->val, (void *) val, len);
2971 *ptr += L2CAP_CONF_OPT_SIZE + len;
2974 static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
2976 struct l2cap_conf_efs efs;
2978 switch (chan->mode) {
2979 case L2CAP_MODE_ERTM:
2980 efs.id = chan->local_id;
2981 efs.stype = chan->local_stype;
2982 efs.msdu = cpu_to_le16(chan->local_msdu);
2983 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
2984 efs.acc_lat = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
2985 efs.flush_to = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
2988 case L2CAP_MODE_STREAMING:
2990 efs.stype = L2CAP_SERV_BESTEFFORT;
2991 efs.msdu = cpu_to_le16(chan->local_msdu);
2992 efs.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
3001 l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
3002 (unsigned long) &efs);
3005 static void l2cap_ack_timeout(struct work_struct *work)
3007 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
3011 BT_DBG("chan %p", chan);
3013 l2cap_chan_lock(chan);
3015 frames_to_ack = __seq_offset(chan, chan->buffer_seq,
3016 chan->last_acked_seq);
3019 l2cap_send_rr_or_rnr(chan, 0);
3021 l2cap_chan_unlock(chan);
3022 l2cap_chan_put(chan);
3025 int l2cap_ertm_init(struct l2cap_chan *chan)
3029 chan->next_tx_seq = 0;
3030 chan->expected_tx_seq = 0;
3031 chan->expected_ack_seq = 0;
3032 chan->unacked_frames = 0;
3033 chan->buffer_seq = 0;
3034 chan->frames_sent = 0;
3035 chan->last_acked_seq = 0;
3037 chan->sdu_last_frag = NULL;
3040 skb_queue_head_init(&chan->tx_q);
3042 chan->local_amp_id = 0;
3044 chan->move_state = L2CAP_MOVE_STABLE;
3045 chan->move_role = L2CAP_MOVE_ROLE_NONE;
3047 if (chan->mode != L2CAP_MODE_ERTM)
3050 chan->rx_state = L2CAP_RX_STATE_RECV;
3051 chan->tx_state = L2CAP_TX_STATE_XMIT;
3053 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
3054 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
3055 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
3057 skb_queue_head_init(&chan->srej_q);
3059 err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
3063 err = l2cap_seq_list_init(&chan->retrans_list, chan->remote_tx_win);
3065 l2cap_seq_list_free(&chan->srej_list);
3070 static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
3073 case L2CAP_MODE_STREAMING:
3074 case L2CAP_MODE_ERTM:
3075 if (l2cap_mode_supported(mode, remote_feat_mask))
3079 return L2CAP_MODE_BASIC;
3083 static inline bool __l2cap_ews_supported(struct l2cap_chan *chan)
3085 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_WINDOW;
3088 static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
3090 return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
3093 static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
3094 struct l2cap_conf_rfc *rfc)
3096 if (chan->local_amp_id && chan->hs_hcon) {
3097 u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
3099 /* Class 1 devices have must have ERTM timeouts
3100 * exceeding the Link Supervision Timeout. The
3101 * default Link Supervision Timeout for AMP
3102 * controllers is 10 seconds.
3104 * Class 1 devices use 0xffffffff for their
3105 * best-effort flush timeout, so the clamping logic
3106 * will result in a timeout that meets the above
3107 * requirement. ERTM timeouts are 16-bit values, so
3108 * the maximum timeout is 65.535 seconds.
3111 /* Convert timeout to milliseconds and round */
3112 ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
3114 /* This is the recommended formula for class 2 devices
3115 * that start ERTM timers when packets are sent to the
3118 ertm_to = 3 * ertm_to + 500;
3120 if (ertm_to > 0xffff)
3123 rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
3124 rfc->monitor_timeout = rfc->retrans_timeout;
3126 rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
3127 rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
3131 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
3133 if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
3134 __l2cap_ews_supported(chan)) {
3135 /* use extended control field */
3136 set_bit(FLAG_EXT_CTRL, &chan->flags);
3137 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3139 chan->tx_win = min_t(u16, chan->tx_win,
3140 L2CAP_DEFAULT_TX_WINDOW);
3141 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
3143 chan->ack_win = chan->tx_win;
3146 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
3148 struct l2cap_conf_req *req = data;
3149 struct l2cap_conf_rfc rfc = { .mode = chan->mode };
3150 void *ptr = req->data;
3153 BT_DBG("chan %p", chan);
3155 if (chan->num_conf_req || chan->num_conf_rsp)
3158 switch (chan->mode) {
3159 case L2CAP_MODE_STREAMING:
3160 case L2CAP_MODE_ERTM:
3161 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state))
3164 if (__l2cap_efs_supported(chan))
3165 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3169 chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
3174 if (chan->imtu != L2CAP_DEFAULT_MTU)
3175 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3177 switch (chan->mode) {
3178 case L2CAP_MODE_BASIC:
3179 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
3180 !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
3183 rfc.mode = L2CAP_MODE_BASIC;
3185 rfc.max_transmit = 0;
3186 rfc.retrans_timeout = 0;
3187 rfc.monitor_timeout = 0;
3188 rfc.max_pdu_size = 0;
3190 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3191 (unsigned long) &rfc);
3194 case L2CAP_MODE_ERTM:
3195 rfc.mode = L2CAP_MODE_ERTM;
3196 rfc.max_transmit = chan->max_tx;
3198 __l2cap_set_ertm_timeouts(chan, &rfc);
3200 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3201 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3203 rfc.max_pdu_size = cpu_to_le16(size);
3205 l2cap_txwin_setup(chan);
3207 rfc.txwin_size = min_t(u16, chan->tx_win,
3208 L2CAP_DEFAULT_TX_WINDOW);
3210 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3211 (unsigned long) &rfc);
3213 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3214 l2cap_add_opt_efs(&ptr, chan);
3216 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3217 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3220 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3221 if (chan->fcs == L2CAP_FCS_NONE ||
3222 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3223 chan->fcs = L2CAP_FCS_NONE;
3224 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3229 case L2CAP_MODE_STREAMING:
3230 l2cap_txwin_setup(chan);
3231 rfc.mode = L2CAP_MODE_STREAMING;
3233 rfc.max_transmit = 0;
3234 rfc.retrans_timeout = 0;
3235 rfc.monitor_timeout = 0;
3237 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
3238 L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
3240 rfc.max_pdu_size = cpu_to_le16(size);
3242 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3243 (unsigned long) &rfc);
3245 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
3246 l2cap_add_opt_efs(&ptr, chan);
3248 if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
3249 if (chan->fcs == L2CAP_FCS_NONE ||
3250 test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
3251 chan->fcs = L2CAP_FCS_NONE;
3252 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
3258 req->dcid = cpu_to_le16(chan->dcid);
3259 req->flags = __constant_cpu_to_le16(0);
3264 static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
3266 struct l2cap_conf_rsp *rsp = data;
3267 void *ptr = rsp->data;
3268 void *req = chan->conf_req;
3269 int len = chan->conf_len;
3270 int type, hint, olen;
3272 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3273 struct l2cap_conf_efs efs;
3275 u16 mtu = L2CAP_DEFAULT_MTU;
3276 u16 result = L2CAP_CONF_SUCCESS;
3279 BT_DBG("chan %p", chan);
3281 while (len >= L2CAP_CONF_OPT_SIZE) {
3282 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
3284 hint = type & L2CAP_CONF_HINT;
3285 type &= L2CAP_CONF_MASK;
3288 case L2CAP_CONF_MTU:
3292 case L2CAP_CONF_FLUSH_TO:
3293 chan->flush_to = val;
3296 case L2CAP_CONF_QOS:
3299 case L2CAP_CONF_RFC:
3300 if (olen == sizeof(rfc))
3301 memcpy(&rfc, (void *) val, olen);
3304 case L2CAP_CONF_FCS:
3305 if (val == L2CAP_FCS_NONE)
3306 set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
3309 case L2CAP_CONF_EFS:
3311 if (olen == sizeof(efs))
3312 memcpy(&efs, (void *) val, olen);
3315 case L2CAP_CONF_EWS:
3317 return -ECONNREFUSED;
3319 set_bit(FLAG_EXT_CTRL, &chan->flags);
3320 set_bit(CONF_EWS_RECV, &chan->conf_state);
3321 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
3322 chan->remote_tx_win = val;
3329 result = L2CAP_CONF_UNKNOWN;
3330 *((u8 *) ptr++) = type;
3335 if (chan->num_conf_rsp || chan->num_conf_req > 1)
3338 switch (chan->mode) {
3339 case L2CAP_MODE_STREAMING:
3340 case L2CAP_MODE_ERTM:
3341 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
3342 chan->mode = l2cap_select_mode(rfc.mode,
3343 chan->conn->feat_mask);
3348 if (__l2cap_efs_supported(chan))
3349 set_bit(FLAG_EFS_ENABLE, &chan->flags);
3351 return -ECONNREFUSED;
3354 if (chan->mode != rfc.mode)
3355 return -ECONNREFUSED;
3361 if (chan->mode != rfc.mode) {
3362 result = L2CAP_CONF_UNACCEPT;
3363 rfc.mode = chan->mode;
3365 if (chan->num_conf_rsp == 1)
3366 return -ECONNREFUSED;
3368 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3369 (unsigned long) &rfc);
3372 if (result == L2CAP_CONF_SUCCESS) {
3373 /* Configure output options and let the other side know
3374 * which ones we don't like. */
3376 if (mtu < L2CAP_DEFAULT_MIN_MTU)
3377 result = L2CAP_CONF_UNACCEPT;
3380 set_bit(CONF_MTU_DONE, &chan->conf_state);
3382 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
3385 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3386 efs.stype != L2CAP_SERV_NOTRAFIC &&
3387 efs.stype != chan->local_stype) {
3389 result = L2CAP_CONF_UNACCEPT;
3391 if (chan->num_conf_req >= 1)
3392 return -ECONNREFUSED;
3394 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3396 (unsigned long) &efs);
3398 /* Send PENDING Conf Rsp */
3399 result = L2CAP_CONF_PENDING;
3400 set_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3405 case L2CAP_MODE_BASIC:
3406 chan->fcs = L2CAP_FCS_NONE;
3407 set_bit(CONF_MODE_DONE, &chan->conf_state);
3410 case L2CAP_MODE_ERTM:
3411 if (!test_bit(CONF_EWS_RECV, &chan->conf_state))
3412 chan->remote_tx_win = rfc.txwin_size;
3414 rfc.txwin_size = L2CAP_DEFAULT_TX_WINDOW;
3416 chan->remote_max_tx = rfc.max_transmit;
3418 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3419 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3420 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3421 rfc.max_pdu_size = cpu_to_le16(size);
3422 chan->remote_mps = size;
3424 __l2cap_set_ertm_timeouts(chan, &rfc);
3426 set_bit(CONF_MODE_DONE, &chan->conf_state);
3428 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3429 sizeof(rfc), (unsigned long) &rfc);
3431 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3432 chan->remote_id = efs.id;
3433 chan->remote_stype = efs.stype;
3434 chan->remote_msdu = le16_to_cpu(efs.msdu);
3435 chan->remote_flush_to =
3436 le32_to_cpu(efs.flush_to);
3437 chan->remote_acc_lat =
3438 le32_to_cpu(efs.acc_lat);
3439 chan->remote_sdu_itime =
3440 le32_to_cpu(efs.sdu_itime);
3441 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
3443 (unsigned long) &efs);
3447 case L2CAP_MODE_STREAMING:
3448 size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
3449 chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
3450 L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
3451 rfc.max_pdu_size = cpu_to_le16(size);
3452 chan->remote_mps = size;
3454 set_bit(CONF_MODE_DONE, &chan->conf_state);
3456 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
3457 (unsigned long) &rfc);
3462 result = L2CAP_CONF_UNACCEPT;
3464 memset(&rfc, 0, sizeof(rfc));
3465 rfc.mode = chan->mode;
3468 if (result == L2CAP_CONF_SUCCESS)
3469 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3471 rsp->scid = cpu_to_le16(chan->dcid);
3472 rsp->result = cpu_to_le16(result);
3473 rsp->flags = __constant_cpu_to_le16(0);
3478 static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
3479 void *data, u16 *result)
3481 struct l2cap_conf_req *req = data;
3482 void *ptr = req->data;
3485 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
3486 struct l2cap_conf_efs efs;
3488 BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
3490 while (len >= L2CAP_CONF_OPT_SIZE) {
3491 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3494 case L2CAP_CONF_MTU:
3495 if (val < L2CAP_DEFAULT_MIN_MTU) {
3496 *result = L2CAP_CONF_UNACCEPT;
3497 chan->imtu = L2CAP_DEFAULT_MIN_MTU;
3500 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
3503 case L2CAP_CONF_FLUSH_TO:
3504 chan->flush_to = val;
3505 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
3509 case L2CAP_CONF_RFC:
3510 if (olen == sizeof(rfc))
3511 memcpy(&rfc, (void *)val, olen);
3513 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
3514 rfc.mode != chan->mode)
3515 return -ECONNREFUSED;
3519 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
3520 sizeof(rfc), (unsigned long) &rfc);
3523 case L2CAP_CONF_EWS:
3524 chan->ack_win = min_t(u16, val, chan->ack_win);
3525 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
3529 case L2CAP_CONF_EFS:
3530 if (olen == sizeof(efs))
3531 memcpy(&efs, (void *)val, olen);
3533 if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
3534 efs.stype != L2CAP_SERV_NOTRAFIC &&
3535 efs.stype != chan->local_stype)
3536 return -ECONNREFUSED;
3538 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
3539 (unsigned long) &efs);
3542 case L2CAP_CONF_FCS:
3543 if (*result == L2CAP_CONF_PENDING)
3544 if (val == L2CAP_FCS_NONE)
3545 set_bit(CONF_RECV_NO_FCS,
3551 if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
3552 return -ECONNREFUSED;
3554 chan->mode = rfc.mode;
3556 if (*result == L2CAP_CONF_SUCCESS || *result == L2CAP_CONF_PENDING) {
3558 case L2CAP_MODE_ERTM:
3559 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3560 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3561 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3562 if (!test_bit(FLAG_EXT_CTRL, &chan->flags))
3563 chan->ack_win = min_t(u16, chan->ack_win,
3566 if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
3567 chan->local_msdu = le16_to_cpu(efs.msdu);
3568 chan->local_sdu_itime =
3569 le32_to_cpu(efs.sdu_itime);
3570 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
3571 chan->local_flush_to =
3572 le32_to_cpu(efs.flush_to);
3576 case L2CAP_MODE_STREAMING:
3577 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3581 req->dcid = cpu_to_le16(chan->dcid);
3582 req->flags = __constant_cpu_to_le16(0);
3587 static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
3588 u16 result, u16 flags)
3590 struct l2cap_conf_rsp *rsp = data;
3591 void *ptr = rsp->data;
3593 BT_DBG("chan %p", chan);
3595 rsp->scid = cpu_to_le16(chan->dcid);
3596 rsp->result = cpu_to_le16(result);
3597 rsp->flags = cpu_to_le16(flags);
3602 void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
3604 struct l2cap_conn_rsp rsp;
3605 struct l2cap_conn *conn = chan->conn;
3609 rsp.scid = cpu_to_le16(chan->dcid);
3610 rsp.dcid = cpu_to_le16(chan->scid);
3611 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
3612 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
3615 rsp_code = L2CAP_CREATE_CHAN_RSP;
3617 rsp_code = L2CAP_CONN_RSP;
3619 BT_DBG("chan %p rsp_code %u", chan, rsp_code);
3621 l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
3623 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3626 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3627 l2cap_build_conf_req(chan, buf), buf);
3628 chan->num_conf_req++;
3631 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3635 /* Use sane default values in case a misbehaving remote device
3636 * did not send an RFC or extended window size option.
3638 u16 txwin_ext = chan->ack_win;
3639 struct l2cap_conf_rfc rfc = {
3641 .retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO),
3642 .monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO),
3643 .max_pdu_size = cpu_to_le16(chan->imtu),
3644 .txwin_size = min_t(u16, chan->ack_win, L2CAP_DEFAULT_TX_WINDOW),
3647 BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
3649 if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
3652 while (len >= L2CAP_CONF_OPT_SIZE) {
3653 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3656 case L2CAP_CONF_RFC:
3657 if (olen == sizeof(rfc))
3658 memcpy(&rfc, (void *)val, olen);
3660 case L2CAP_CONF_EWS:
3667 case L2CAP_MODE_ERTM:
3668 chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
3669 chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
3670 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3671 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
3672 chan->ack_win = min_t(u16, chan->ack_win, txwin_ext);
3674 chan->ack_win = min_t(u16, chan->ack_win,
3677 case L2CAP_MODE_STREAMING:
3678 chan->mps = le16_to_cpu(rfc.max_pdu_size);
3682 static inline int l2cap_command_rej(struct l2cap_conn *conn,
3683 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3686 struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
3688 if (cmd_len < sizeof(*rej))
3691 if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
3694 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
3695 cmd->ident == conn->info_ident) {
3696 cancel_delayed_work(&conn->info_timer);
3698 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3699 conn->info_ident = 0;
3701 l2cap_conn_start(conn);
3707 static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
3708 struct l2cap_cmd_hdr *cmd,
3709 u8 *data, u8 rsp_code, u8 amp_id)
3711 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
3712 struct l2cap_conn_rsp rsp;
3713 struct l2cap_chan *chan = NULL, *pchan;
3714 struct sock *parent, *sk = NULL;
3715 int result, status = L2CAP_CS_NO_INFO;
3717 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
3718 __le16 psm = req->psm;
3720 BT_DBG("psm 0x%2.2x scid 0x%4.4x", __le16_to_cpu(psm), scid);
3722 /* Check if we have socket listening on psm */
3723 pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src, conn->dst);
3725 result = L2CAP_CR_BAD_PSM;
3731 mutex_lock(&conn->chan_lock);
3734 /* Check if the ACL is secure enough (if not SDP) */
3735 if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
3736 !hci_conn_check_link_mode(conn->hcon)) {
3737 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
3738 result = L2CAP_CR_SEC_BLOCK;
3742 result = L2CAP_CR_NO_MEM;
3744 /* Check if we already have channel with that dcid */
3745 if (__l2cap_get_chan_by_dcid(conn, scid))
3748 chan = pchan->ops->new_connection(pchan);
3754 hci_conn_hold(conn->hcon);
3756 bacpy(&bt_sk(sk)->src, conn->src);
3757 bacpy(&bt_sk(sk)->dst, conn->dst);
3760 chan->local_amp_id = amp_id;
3762 __l2cap_chan_add(conn, chan);
3766 __set_chan_timer(chan, sk->sk_sndtimeo);
3768 chan->ident = cmd->ident;
3770 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
3771 if (l2cap_chan_check_security(chan)) {
3772 if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
3773 __l2cap_state_change(chan, BT_CONNECT2);
3774 result = L2CAP_CR_PEND;
3775 status = L2CAP_CS_AUTHOR_PEND;
3776 chan->ops->defer(chan);
3778 /* Force pending result for AMP controllers.
3779 * The connection will succeed after the
3780 * physical link is up.
3783 __l2cap_state_change(chan, BT_CONNECT2);
3784 result = L2CAP_CR_PEND;
3786 __l2cap_state_change(chan, BT_CONFIG);
3787 result = L2CAP_CR_SUCCESS;
3789 status = L2CAP_CS_NO_INFO;
3792 __l2cap_state_change(chan, BT_CONNECT2);
3793 result = L2CAP_CR_PEND;
3794 status = L2CAP_CS_AUTHEN_PEND;
3797 __l2cap_state_change(chan, BT_CONNECT2);
3798 result = L2CAP_CR_PEND;
3799 status = L2CAP_CS_NO_INFO;
3803 release_sock(parent);
3804 mutex_unlock(&conn->chan_lock);
3807 rsp.scid = cpu_to_le16(scid);
3808 rsp.dcid = cpu_to_le16(dcid);
3809 rsp.result = cpu_to_le16(result);
3810 rsp.status = cpu_to_le16(status);
3811 l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
3813 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
3814 struct l2cap_info_req info;
3815 info.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
3817 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
3818 conn->info_ident = l2cap_get_ident(conn);
3820 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
3822 l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
3823 sizeof(info), &info);
3826 if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
3827 result == L2CAP_CR_SUCCESS) {
3829 set_bit(CONF_REQ_SENT, &chan->conf_state);
3830 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3831 l2cap_build_conf_req(chan, buf), buf);
3832 chan->num_conf_req++;
3838 static int l2cap_connect_req(struct l2cap_conn *conn,
3839 struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
3841 struct hci_dev *hdev = conn->hcon->hdev;
3842 struct hci_conn *hcon = conn->hcon;
3844 if (cmd_len < sizeof(struct l2cap_conn_req))
3848 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
3849 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
3850 mgmt_device_connected(hdev, &hcon->dst, hcon->type,
3851 hcon->dst_type, 0, NULL, 0,
3853 hci_dev_unlock(hdev);
3855 l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
3859 static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
3860 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3863 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
3864 u16 scid, dcid, result, status;
3865 struct l2cap_chan *chan;
3869 if (cmd_len < sizeof(*rsp))
3872 scid = __le16_to_cpu(rsp->scid);
3873 dcid = __le16_to_cpu(rsp->dcid);
3874 result = __le16_to_cpu(rsp->result);
3875 status = __le16_to_cpu(rsp->status);
3877 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
3878 dcid, scid, result, status);
3880 mutex_lock(&conn->chan_lock);
3883 chan = __l2cap_get_chan_by_scid(conn, scid);
3889 chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
3898 l2cap_chan_lock(chan);
3901 case L2CAP_CR_SUCCESS:
3902 l2cap_state_change(chan, BT_CONFIG);
3905 clear_bit(CONF_CONNECT_PEND, &chan->conf_state);
3907 if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
3910 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3911 l2cap_build_conf_req(chan, req), req);
3912 chan->num_conf_req++;
3916 set_bit(CONF_CONNECT_PEND, &chan->conf_state);
3920 l2cap_chan_del(chan, ECONNREFUSED);
3924 l2cap_chan_unlock(chan);
3927 mutex_unlock(&conn->chan_lock);
3932 static inline void set_default_fcs(struct l2cap_chan *chan)
3934 /* FCS is enabled only in ERTM or streaming mode, if one or both
3937 if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
3938 chan->fcs = L2CAP_FCS_NONE;
3939 else if (!test_bit(CONF_RECV_NO_FCS, &chan->conf_state))
3940 chan->fcs = L2CAP_FCS_CRC16;
3943 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
3944 u8 ident, u16 flags)
3946 struct l2cap_conn *conn = chan->conn;
3948 BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
3951 clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
3952 set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
3954 l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
3955 l2cap_build_conf_rsp(chan, data,
3956 L2CAP_CONF_SUCCESS, flags), data);
3959 static inline int l2cap_config_req(struct l2cap_conn *conn,
3960 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
3963 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3966 struct l2cap_chan *chan;
3969 if (cmd_len < sizeof(*req))
3972 dcid = __le16_to_cpu(req->dcid);
3973 flags = __le16_to_cpu(req->flags);
3975 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3977 chan = l2cap_get_chan_by_scid(conn, dcid);
3981 if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
3982 struct l2cap_cmd_rej_cid rej;
3984 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_INVALID_CID);
3985 rej.scid = cpu_to_le16(chan->scid);
3986 rej.dcid = cpu_to_le16(chan->dcid);
3988 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3993 /* Reject if config buffer is too small. */
3994 len = cmd_len - sizeof(*req);
3995 if (chan->conf_len + len > sizeof(chan->conf_req)) {
3996 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3997 l2cap_build_conf_rsp(chan, rsp,
3998 L2CAP_CONF_REJECT, flags), rsp);
4003 memcpy(chan->conf_req + chan->conf_len, req->data, len);
4004 chan->conf_len += len;
4006 if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
4007 /* Incomplete config. Send empty response. */
4008 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
4009 l2cap_build_conf_rsp(chan, rsp,
4010 L2CAP_CONF_SUCCESS, flags), rsp);
4014 /* Complete config. */
4015 len = l2cap_parse_conf_req(chan, rsp);
4017 l2cap_send_disconn_req(chan, ECONNRESET);
4021 chan->ident = cmd->ident;
4022 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
4023 chan->num_conf_rsp++;
4025 /* Reset config buffer. */
4028 if (!test_bit(CONF_OUTPUT_DONE, &chan->conf_state))
4031 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4032 set_default_fcs(chan);
4034 if (chan->mode == L2CAP_MODE_ERTM ||
4035 chan->mode == L2CAP_MODE_STREAMING)
4036 err = l2cap_ertm_init(chan);
4039 l2cap_send_disconn_req(chan, -err);
4041 l2cap_chan_ready(chan);
4046 if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
4048 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
4049 l2cap_build_conf_req(chan, buf), buf);
4050 chan->num_conf_req++;
4053 /* Got Conf Rsp PENDING from remote side and asume we sent
4054 Conf Rsp PENDING in the code above */
4055 if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
4056 test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4058 /* check compatibility */
4060 /* Send rsp for BR/EDR channel */
4062 l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
4064 chan->ident = cmd->ident;
4068 l2cap_chan_unlock(chan);
4072 static inline int l2cap_config_rsp(struct l2cap_conn *conn,
4073 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4076 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
4077 u16 scid, flags, result;
4078 struct l2cap_chan *chan;
4079 int len = cmd_len - sizeof(*rsp);
4082 if (cmd_len < sizeof(*rsp))
4085 scid = __le16_to_cpu(rsp->scid);
4086 flags = __le16_to_cpu(rsp->flags);
4087 result = __le16_to_cpu(rsp->result);
4089 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x len %d", scid, flags,
4092 chan = l2cap_get_chan_by_scid(conn, scid);
4097 case L2CAP_CONF_SUCCESS:
4098 l2cap_conf_rfc_get(chan, rsp->data, len);
4099 clear_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4102 case L2CAP_CONF_PENDING:
4103 set_bit(CONF_REM_CONF_PEND, &chan->conf_state);
4105 if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
4108 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4111 l2cap_send_disconn_req(chan, ECONNRESET);
4115 if (!chan->hs_hcon) {
4116 l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
4119 if (l2cap_check_efs(chan)) {
4120 amp_create_logical_link(chan);
4121 chan->ident = cmd->ident;
4127 case L2CAP_CONF_UNACCEPT:
4128 if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
4131 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
4132 l2cap_send_disconn_req(chan, ECONNRESET);
4136 /* throw out any old stored conf requests */
4137 result = L2CAP_CONF_SUCCESS;
4138 len = l2cap_parse_conf_rsp(chan, rsp->data, len,
4141 l2cap_send_disconn_req(chan, ECONNRESET);
4145 l2cap_send_cmd(conn, l2cap_get_ident(conn),
4146 L2CAP_CONF_REQ, len, req);
4147 chan->num_conf_req++;
4148 if (result != L2CAP_CONF_SUCCESS)
4154 l2cap_chan_set_err(chan, ECONNRESET);
4156 __set_chan_timer(chan, L2CAP_DISC_REJ_TIMEOUT);
4157 l2cap_send_disconn_req(chan, ECONNRESET);
4161 if (flags & L2CAP_CONF_FLAG_CONTINUATION)
4164 set_bit(CONF_INPUT_DONE, &chan->conf_state);
4166 if (test_bit(CONF_OUTPUT_DONE, &chan->conf_state)) {
4167 set_default_fcs(chan);
4169 if (chan->mode == L2CAP_MODE_ERTM ||
4170 chan->mode == L2CAP_MODE_STREAMING)
4171 err = l2cap_ertm_init(chan);
4174 l2cap_send_disconn_req(chan, -err);
4176 l2cap_chan_ready(chan);
4180 l2cap_chan_unlock(chan);
4184 static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
4185 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4188 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
4189 struct l2cap_disconn_rsp rsp;
4191 struct l2cap_chan *chan;
4194 if (cmd_len != sizeof(*req))
4197 scid = __le16_to_cpu(req->scid);
4198 dcid = __le16_to_cpu(req->dcid);
4200 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
4202 mutex_lock(&conn->chan_lock);
4204 chan = __l2cap_get_chan_by_scid(conn, dcid);
4206 mutex_unlock(&conn->chan_lock);
4210 l2cap_chan_lock(chan);
4214 rsp.dcid = cpu_to_le16(chan->scid);
4215 rsp.scid = cpu_to_le16(chan->dcid);
4216 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
4219 sk->sk_shutdown = SHUTDOWN_MASK;
4222 l2cap_chan_hold(chan);
4223 l2cap_chan_del(chan, ECONNRESET);
4225 l2cap_chan_unlock(chan);
4227 chan->ops->close(chan);
4228 l2cap_chan_put(chan);
4230 mutex_unlock(&conn->chan_lock);
4235 static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
4236 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4239 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
4241 struct l2cap_chan *chan;
4243 if (cmd_len != sizeof(*rsp))
4246 scid = __le16_to_cpu(rsp->scid);
4247 dcid = __le16_to_cpu(rsp->dcid);
4249 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
4251 mutex_lock(&conn->chan_lock);
4253 chan = __l2cap_get_chan_by_scid(conn, scid);
4255 mutex_unlock(&conn->chan_lock);
4259 l2cap_chan_lock(chan);
4261 l2cap_chan_hold(chan);
4262 l2cap_chan_del(chan, 0);
4264 l2cap_chan_unlock(chan);
4266 chan->ops->close(chan);
4267 l2cap_chan_put(chan);
4269 mutex_unlock(&conn->chan_lock);
4274 static inline int l2cap_information_req(struct l2cap_conn *conn,
4275 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4278 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
4281 if (cmd_len != sizeof(*req))
4284 type = __le16_to_cpu(req->type);
4286 BT_DBG("type 0x%4.4x", type);
4288 if (type == L2CAP_IT_FEAT_MASK) {
4290 u32 feat_mask = l2cap_feat_mask;
4291 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4292 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
4293 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
4295 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
4298 feat_mask |= L2CAP_FEAT_EXT_FLOW
4299 | L2CAP_FEAT_EXT_WINDOW;
4301 put_unaligned_le32(feat_mask, rsp->data);
4302 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4304 } else if (type == L2CAP_IT_FIXED_CHAN) {
4306 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
4309 l2cap_fixed_chan[0] |= L2CAP_FC_A2MP;
4311 l2cap_fixed_chan[0] &= ~L2CAP_FC_A2MP;
4313 rsp->type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4314 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
4315 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
4316 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
4319 struct l2cap_info_rsp rsp;
4320 rsp.type = cpu_to_le16(type);
4321 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
4322 l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
4329 static inline int l2cap_information_rsp(struct l2cap_conn *conn,
4330 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
4333 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
4336 if (cmd_len < sizeof(*rsp))
4339 type = __le16_to_cpu(rsp->type);
4340 result = __le16_to_cpu(rsp->result);
4342 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
4344 /* L2CAP Info req/rsp are unbound to channels, add extra checks */
4345 if (cmd->ident != conn->info_ident ||
4346 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
4349 cancel_delayed_work(&conn->info_timer);
4351 if (result != L2CAP_IR_SUCCESS) {
4352 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4353 conn->info_ident = 0;
4355 l2cap_conn_start(conn);
4361 case L2CAP_IT_FEAT_MASK:
4362 conn->feat_mask = get_unaligned_le32(rsp->data);
4364 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
4365 struct l2cap_info_req req;
4366 req.type = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
4368 conn->info_ident = l2cap_get_ident(conn);
4370 l2cap_send_cmd(conn, conn->info_ident,
4371 L2CAP_INFO_REQ, sizeof(req), &req);
4373 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4374 conn->info_ident = 0;
4376 l2cap_conn_start(conn);
4380 case L2CAP_IT_FIXED_CHAN:
4381 conn->fixed_chan_mask = rsp->data[0];
4382 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
4383 conn->info_ident = 0;
4385 l2cap_conn_start(conn);
4392 static int l2cap_create_channel_req(struct l2cap_conn *conn,
4393 struct l2cap_cmd_hdr *cmd,
4394 u16 cmd_len, void *data)
4396 struct l2cap_create_chan_req *req = data;
4397 struct l2cap_create_chan_rsp rsp;
4398 struct l2cap_chan *chan;
4399 struct hci_dev *hdev;
4402 if (cmd_len != sizeof(*req))
4408 psm = le16_to_cpu(req->psm);
4409 scid = le16_to_cpu(req->scid);
4411 BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
4413 /* For controller id 0 make BR/EDR connection */
4414 if (req->amp_id == HCI_BREDR_ID) {
4415 l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4420 /* Validate AMP controller id */
4421 hdev = hci_dev_get(req->amp_id);
4425 if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
4430 chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
4433 struct amp_mgr *mgr = conn->hcon->amp_mgr;
4434 struct hci_conn *hs_hcon;
4436 hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
4442 BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
4444 mgr->bredr_chan = chan;
4445 chan->hs_hcon = hs_hcon;
4446 chan->fcs = L2CAP_FCS_NONE;
4447 conn->mtu = hdev->block_mtu;
4456 rsp.scid = cpu_to_le16(scid);
4457 rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
4458 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4460 l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
4466 static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
4468 struct l2cap_move_chan_req req;
4471 BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
4473 ident = l2cap_get_ident(chan->conn);
4474 chan->ident = ident;
4476 req.icid = cpu_to_le16(chan->scid);
4477 req.dest_amp_id = dest_amp_id;
4479 l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
4482 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4485 static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
4487 struct l2cap_move_chan_rsp rsp;
4489 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4491 rsp.icid = cpu_to_le16(chan->dcid);
4492 rsp.result = cpu_to_le16(result);
4494 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
4498 static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
4500 struct l2cap_move_chan_cfm cfm;
4502 BT_DBG("chan %p, result 0x%4.4x", chan, result);
4504 chan->ident = l2cap_get_ident(chan->conn);
4506 cfm.icid = cpu_to_le16(chan->scid);
4507 cfm.result = cpu_to_le16(result);
4509 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
4512 __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
4515 static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
4517 struct l2cap_move_chan_cfm cfm;
4519 BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
4521 cfm.icid = cpu_to_le16(icid);
4522 cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
4524 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
4528 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
4531 struct l2cap_move_chan_cfm_rsp rsp;
4533 BT_DBG("icid 0x%4.4x", icid);
4535 rsp.icid = cpu_to_le16(icid);
4536 l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
4539 static void __release_logical_link(struct l2cap_chan *chan)
4541 chan->hs_hchan = NULL;
4542 chan->hs_hcon = NULL;
4544 /* Placeholder - release the logical link */
4547 static void l2cap_logical_fail(struct l2cap_chan *chan)
4549 /* Logical link setup failed */
4550 if (chan->state != BT_CONNECTED) {
4551 /* Create channel failure, disconnect */
4552 l2cap_send_disconn_req(chan, ECONNRESET);
4556 switch (chan->move_role) {
4557 case L2CAP_MOVE_ROLE_RESPONDER:
4558 l2cap_move_done(chan);
4559 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
4561 case L2CAP_MOVE_ROLE_INITIATOR:
4562 if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
4563 chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
4564 /* Remote has only sent pending or
4565 * success responses, clean up
4567 l2cap_move_done(chan);
4570 /* Other amp move states imply that the move
4571 * has already aborted
4573 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4578 static void l2cap_logical_finish_create(struct l2cap_chan *chan,
4579 struct hci_chan *hchan)
4581 struct l2cap_conf_rsp rsp;
4583 chan->hs_hchan = hchan;
4584 chan->hs_hcon->l2cap_data = chan->conn;
4586 l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
4588 if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
4591 set_default_fcs(chan);
4593 err = l2cap_ertm_init(chan);
4595 l2cap_send_disconn_req(chan, -err);
4597 l2cap_chan_ready(chan);
4601 static void l2cap_logical_finish_move(struct l2cap_chan *chan,
4602 struct hci_chan *hchan)
4604 chan->hs_hcon = hchan->conn;
4605 chan->hs_hcon->l2cap_data = chan->conn;
4607 BT_DBG("move_state %d", chan->move_state);
4609 switch (chan->move_state) {
4610 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4611 /* Move confirm will be sent after a success
4612 * response is received
4614 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4616 case L2CAP_MOVE_WAIT_LOGICAL_CFM:
4617 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4618 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4619 } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
4620 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4621 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4622 } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4623 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4624 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4628 /* Move was not in expected state, free the channel */
4629 __release_logical_link(chan);
4631 chan->move_state = L2CAP_MOVE_STABLE;
4635 /* Call with chan locked */
4636 void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
4639 BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
4642 l2cap_logical_fail(chan);
4643 __release_logical_link(chan);
4647 if (chan->state != BT_CONNECTED) {
4648 /* Ignore logical link if channel is on BR/EDR */
4649 if (chan->local_amp_id)
4650 l2cap_logical_finish_create(chan, hchan);
4652 l2cap_logical_finish_move(chan, hchan);
4656 void l2cap_move_start(struct l2cap_chan *chan)
4658 BT_DBG("chan %p", chan);
4660 if (chan->local_amp_id == HCI_BREDR_ID) {
4661 if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
4663 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4664 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4665 /* Placeholder - start physical link setup */
4667 chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
4668 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4670 l2cap_move_setup(chan);
4671 l2cap_send_move_chan_req(chan, 0);
4675 static void l2cap_do_create(struct l2cap_chan *chan, int result,
4676 u8 local_amp_id, u8 remote_amp_id)
4678 BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
4679 local_amp_id, remote_amp_id);
4681 chan->fcs = L2CAP_FCS_NONE;
4683 /* Outgoing channel on AMP */
4684 if (chan->state == BT_CONNECT) {
4685 if (result == L2CAP_CR_SUCCESS) {
4686 chan->local_amp_id = local_amp_id;
4687 l2cap_send_create_chan_req(chan, remote_amp_id);
4689 /* Revert to BR/EDR connect */
4690 l2cap_send_conn_req(chan);
4696 /* Incoming channel on AMP */
4697 if (__l2cap_no_conn_pending(chan)) {
4698 struct l2cap_conn_rsp rsp;
4700 rsp.scid = cpu_to_le16(chan->dcid);
4701 rsp.dcid = cpu_to_le16(chan->scid);
4703 if (result == L2CAP_CR_SUCCESS) {
4704 /* Send successful response */
4705 rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
4706 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4708 /* Send negative response */
4709 rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
4710 rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
4713 l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
4716 if (result == L2CAP_CR_SUCCESS) {
4717 __l2cap_state_change(chan, BT_CONFIG);
4718 set_bit(CONF_REQ_SENT, &chan->conf_state);
4719 l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
4721 l2cap_build_conf_req(chan, buf), buf);
4722 chan->num_conf_req++;
4727 static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
4730 l2cap_move_setup(chan);
4731 chan->move_id = local_amp_id;
4732 chan->move_state = L2CAP_MOVE_WAIT_RSP;
4734 l2cap_send_move_chan_req(chan, remote_amp_id);
4737 static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
4739 struct hci_chan *hchan = NULL;
4741 /* Placeholder - get hci_chan for logical link */
4744 if (hchan->state == BT_CONNECTED) {
4745 /* Logical link is ready to go */
4746 chan->hs_hcon = hchan->conn;
4747 chan->hs_hcon->l2cap_data = chan->conn;
4748 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4749 l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
4751 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4753 /* Wait for logical link to be ready */
4754 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4757 /* Logical link not available */
4758 l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
4762 static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
4764 if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
4766 if (result == -EINVAL)
4767 rsp_result = L2CAP_MR_BAD_ID;
4769 rsp_result = L2CAP_MR_NOT_ALLOWED;
4771 l2cap_send_move_chan_rsp(chan, rsp_result);
4774 chan->move_role = L2CAP_MOVE_ROLE_NONE;
4775 chan->move_state = L2CAP_MOVE_STABLE;
4777 /* Restart data transmission */
4778 l2cap_ertm_send(chan);
4781 /* Invoke with locked chan */
4782 void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
4784 u8 local_amp_id = chan->local_amp_id;
4785 u8 remote_amp_id = chan->remote_amp_id;
4787 BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
4788 chan, result, local_amp_id, remote_amp_id);
4790 if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
4791 l2cap_chan_unlock(chan);
4795 if (chan->state != BT_CONNECTED) {
4796 l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
4797 } else if (result != L2CAP_MR_SUCCESS) {
4798 l2cap_do_move_cancel(chan, result);
4800 switch (chan->move_role) {
4801 case L2CAP_MOVE_ROLE_INITIATOR:
4802 l2cap_do_move_initiate(chan, local_amp_id,
4805 case L2CAP_MOVE_ROLE_RESPONDER:
4806 l2cap_do_move_respond(chan, result);
4809 l2cap_do_move_cancel(chan, result);
4815 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
4816 struct l2cap_cmd_hdr *cmd,
4817 u16 cmd_len, void *data)
4819 struct l2cap_move_chan_req *req = data;
4820 struct l2cap_move_chan_rsp rsp;
4821 struct l2cap_chan *chan;
4823 u16 result = L2CAP_MR_NOT_ALLOWED;
4825 if (cmd_len != sizeof(*req))
4828 icid = le16_to_cpu(req->icid);
4830 BT_DBG("icid 0x%4.4x, dest_amp_id %d", icid, req->dest_amp_id);
4835 chan = l2cap_get_chan_by_dcid(conn, icid);
4837 rsp.icid = cpu_to_le16(icid);
4838 rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
4839 l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
4844 chan->ident = cmd->ident;
4846 if (chan->scid < L2CAP_CID_DYN_START ||
4847 chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
4848 (chan->mode != L2CAP_MODE_ERTM &&
4849 chan->mode != L2CAP_MODE_STREAMING)) {
4850 result = L2CAP_MR_NOT_ALLOWED;
4851 goto send_move_response;
4854 if (chan->local_amp_id == req->dest_amp_id) {
4855 result = L2CAP_MR_SAME_ID;
4856 goto send_move_response;
4859 if (req->dest_amp_id) {
4860 struct hci_dev *hdev;
4861 hdev = hci_dev_get(req->dest_amp_id);
4862 if (!hdev || hdev->dev_type != HCI_AMP ||
4863 !test_bit(HCI_UP, &hdev->flags)) {
4867 result = L2CAP_MR_BAD_ID;
4868 goto send_move_response;
4873 /* Detect a move collision. Only send a collision response
4874 * if this side has "lost", otherwise proceed with the move.
4875 * The winner has the larger bd_addr.
4877 if ((__chan_is_moving(chan) ||
4878 chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
4879 bacmp(conn->src, conn->dst) > 0) {
4880 result = L2CAP_MR_COLLISION;
4881 goto send_move_response;
4884 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
4885 l2cap_move_setup(chan);
4886 chan->move_id = req->dest_amp_id;
4889 if (!req->dest_amp_id) {
4890 /* Moving to BR/EDR */
4891 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
4892 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4893 result = L2CAP_MR_PEND;
4895 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
4896 result = L2CAP_MR_SUCCESS;
4899 chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
4900 /* Placeholder - uncomment when amp functions are available */
4901 /*amp_accept_physical(chan, req->dest_amp_id);*/
4902 result = L2CAP_MR_PEND;
4906 l2cap_send_move_chan_rsp(chan, result);
4908 l2cap_chan_unlock(chan);
4913 static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
4915 struct l2cap_chan *chan;
4916 struct hci_chan *hchan = NULL;
4918 chan = l2cap_get_chan_by_scid(conn, icid);
4920 l2cap_send_move_chan_cfm_icid(conn, icid);
4924 __clear_chan_timer(chan);
4925 if (result == L2CAP_MR_PEND)
4926 __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
4928 switch (chan->move_state) {
4929 case L2CAP_MOVE_WAIT_LOGICAL_COMP:
4930 /* Move confirm will be sent when logical link
4933 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4935 case L2CAP_MOVE_WAIT_RSP_SUCCESS:
4936 if (result == L2CAP_MR_PEND) {
4938 } else if (test_bit(CONN_LOCAL_BUSY,
4939 &chan->conn_state)) {
4940 chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
4942 /* Logical link is up or moving to BR/EDR,
4945 chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
4946 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4949 case L2CAP_MOVE_WAIT_RSP:
4951 if (result == L2CAP_MR_SUCCESS) {
4952 /* Remote is ready, send confirm immediately
4953 * after logical link is ready
4955 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
4957 /* Both logical link and move success
4958 * are required to confirm
4960 chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
4963 /* Placeholder - get hci_chan for logical link */
4965 /* Logical link not available */
4966 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
4970 /* If the logical link is not yet connected, do not
4971 * send confirmation.
4973 if (hchan->state != BT_CONNECTED)
4976 /* Logical link is already ready to go */
4978 chan->hs_hcon = hchan->conn;
4979 chan->hs_hcon->l2cap_data = chan->conn;
4981 if (result == L2CAP_MR_SUCCESS) {
4982 /* Can confirm now */
4983 l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
4985 /* Now only need move success
4988 chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
4991 l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
4994 /* Any other amp move state means the move failed. */
4995 chan->move_id = chan->local_amp_id;
4996 l2cap_move_done(chan);
4997 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5000 l2cap_chan_unlock(chan);
5003 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
5006 struct l2cap_chan *chan;
5008 chan = l2cap_get_chan_by_ident(conn, ident);
5010 /* Could not locate channel, icid is best guess */
5011 l2cap_send_move_chan_cfm_icid(conn, icid);
5015 __clear_chan_timer(chan);
5017 if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
5018 if (result == L2CAP_MR_COLLISION) {
5019 chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
5021 /* Cleanup - cancel move */
5022 chan->move_id = chan->local_amp_id;
5023 l2cap_move_done(chan);
5027 l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
5029 l2cap_chan_unlock(chan);
5032 static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
5033 struct l2cap_cmd_hdr *cmd,
5034 u16 cmd_len, void *data)
5036 struct l2cap_move_chan_rsp *rsp = data;
5039 if (cmd_len != sizeof(*rsp))
5042 icid = le16_to_cpu(rsp->icid);
5043 result = le16_to_cpu(rsp->result);
5045 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5047 if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
5048 l2cap_move_continue(conn, icid, result);
5050 l2cap_move_fail(conn, cmd->ident, icid, result);
5055 static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
5056 struct l2cap_cmd_hdr *cmd,
5057 u16 cmd_len, void *data)
5059 struct l2cap_move_chan_cfm *cfm = data;
5060 struct l2cap_chan *chan;
5063 if (cmd_len != sizeof(*cfm))
5066 icid = le16_to_cpu(cfm->icid);
5067 result = le16_to_cpu(cfm->result);
5069 BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
5071 chan = l2cap_get_chan_by_dcid(conn, icid);
5073 /* Spec requires a response even if the icid was not found */
5074 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5078 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
5079 if (result == L2CAP_MC_CONFIRMED) {
5080 chan->local_amp_id = chan->move_id;
5081 if (!chan->local_amp_id)
5082 __release_logical_link(chan);
5084 chan->move_id = chan->local_amp_id;
5087 l2cap_move_done(chan);
5090 l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
5092 l2cap_chan_unlock(chan);
5097 static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
5098 struct l2cap_cmd_hdr *cmd,
5099 u16 cmd_len, void *data)
5101 struct l2cap_move_chan_cfm_rsp *rsp = data;
5102 struct l2cap_chan *chan;
5105 if (cmd_len != sizeof(*rsp))
5108 icid = le16_to_cpu(rsp->icid);
5110 BT_DBG("icid 0x%4.4x", icid);
5112 chan = l2cap_get_chan_by_scid(conn, icid);
5116 __clear_chan_timer(chan);
5118 if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
5119 chan->local_amp_id = chan->move_id;
5121 if (!chan->local_amp_id && chan->hs_hchan)
5122 __release_logical_link(chan);
5124 l2cap_move_done(chan);
5127 l2cap_chan_unlock(chan);
5132 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
5137 if (min > max || min < 6 || max > 3200)
5140 if (to_multiplier < 10 || to_multiplier > 3200)
5143 if (max >= to_multiplier * 8)
5146 max_latency = (to_multiplier * 8 / max) - 1;
5147 if (latency > 499 || latency > max_latency)
5153 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
5154 struct l2cap_cmd_hdr *cmd,
5157 struct hci_conn *hcon = conn->hcon;
5158 struct l2cap_conn_param_update_req *req;
5159 struct l2cap_conn_param_update_rsp rsp;
5160 u16 min, max, latency, to_multiplier, cmd_len;
5163 if (!(hcon->link_mode & HCI_LM_MASTER))
5166 cmd_len = __le16_to_cpu(cmd->len);
5167 if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
5170 req = (struct l2cap_conn_param_update_req *) data;
5171 min = __le16_to_cpu(req->min);
5172 max = __le16_to_cpu(req->max);
5173 latency = __le16_to_cpu(req->latency);
5174 to_multiplier = __le16_to_cpu(req->to_multiplier);
5176 BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
5177 min, max, latency, to_multiplier);
5179 memset(&rsp, 0, sizeof(rsp));
5181 err = l2cap_check_conn_param(min, max, latency, to_multiplier);
5183 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
5185 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
5187 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
5191 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
5196 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
5197 struct l2cap_cmd_hdr *cmd, u16 cmd_len,
5202 switch (cmd->code) {
5203 case L2CAP_COMMAND_REJ:
5204 l2cap_command_rej(conn, cmd, cmd_len, data);
5207 case L2CAP_CONN_REQ:
5208 err = l2cap_connect_req(conn, cmd, cmd_len, data);
5211 case L2CAP_CONN_RSP:
5212 case L2CAP_CREATE_CHAN_RSP:
5213 err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
5216 case L2CAP_CONF_REQ:
5217 err = l2cap_config_req(conn, cmd, cmd_len, data);
5220 case L2CAP_CONF_RSP:
5221 err = l2cap_config_rsp(conn, cmd, cmd_len, data);
5224 case L2CAP_DISCONN_REQ:
5225 err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
5228 case L2CAP_DISCONN_RSP:
5229 err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
5232 case L2CAP_ECHO_REQ:
5233 l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
5236 case L2CAP_ECHO_RSP:
5239 case L2CAP_INFO_REQ:
5240 err = l2cap_information_req(conn, cmd, cmd_len, data);
5243 case L2CAP_INFO_RSP:
5244 err = l2cap_information_rsp(conn, cmd, cmd_len, data);
5247 case L2CAP_CREATE_CHAN_REQ:
5248 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
5251 case L2CAP_MOVE_CHAN_REQ:
5252 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
5255 case L2CAP_MOVE_CHAN_RSP:
5256 err = l2cap_move_channel_rsp(conn, cmd, cmd_len, data);
5259 case L2CAP_MOVE_CHAN_CFM:
5260 err = l2cap_move_channel_confirm(conn, cmd, cmd_len, data);
5263 case L2CAP_MOVE_CHAN_CFM_RSP:
5264 err = l2cap_move_channel_confirm_rsp(conn, cmd, cmd_len, data);
5268 BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
5276 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
5277 struct l2cap_cmd_hdr *cmd, u8 *data)
5279 switch (cmd->code) {
5280 case L2CAP_COMMAND_REJ:
5283 case L2CAP_CONN_PARAM_UPDATE_REQ:
5284 return l2cap_conn_param_update_req(conn, cmd, data);
5286 case L2CAP_CONN_PARAM_UPDATE_RSP:
5290 BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
5295 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
5296 struct sk_buff *skb)
5298 u8 *data = skb->data;
5300 struct l2cap_cmd_hdr cmd;
5303 l2cap_raw_recv(conn, skb);
5305 while (len >= L2CAP_CMD_HDR_SIZE) {
5307 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
5308 data += L2CAP_CMD_HDR_SIZE;
5309 len -= L2CAP_CMD_HDR_SIZE;
5311 cmd_len = le16_to_cpu(cmd.len);
5313 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
5316 if (cmd_len > len || !cmd.ident) {
5317 BT_DBG("corrupted command");
5321 if (conn->hcon->type == LE_LINK)
5322 err = l2cap_le_sig_cmd(conn, &cmd, data);
5324 err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
5327 struct l2cap_cmd_rej_unk rej;
5329 BT_ERR("Wrong link type (%d)", err);
5331 /* FIXME: Map err to a valid reason */
5332 rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
5333 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
5344 static int l2cap_check_fcs(struct l2cap_chan *chan, struct sk_buff *skb)
5346 u16 our_fcs, rcv_fcs;
5349 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
5350 hdr_size = L2CAP_EXT_HDR_SIZE;
5352 hdr_size = L2CAP_ENH_HDR_SIZE;
5354 if (chan->fcs == L2CAP_FCS_CRC16) {
5355 skb_trim(skb, skb->len - L2CAP_FCS_SIZE);
5356 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
5357 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
5359 if (our_fcs != rcv_fcs)
5365 static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
5367 struct l2cap_ctrl control;
5369 BT_DBG("chan %p", chan);
5371 memset(&control, 0, sizeof(control));
5374 control.reqseq = chan->buffer_seq;
5375 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5377 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5378 control.super = L2CAP_SUPER_RNR;
5379 l2cap_send_sframe(chan, &control);
5382 if (test_and_clear_bit(CONN_REMOTE_BUSY, &chan->conn_state) &&
5383 chan->unacked_frames > 0)
5384 __set_retrans_timer(chan);
5386 /* Send pending iframes */
5387 l2cap_ertm_send(chan);
5389 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state) &&
5390 test_bit(CONN_SEND_FBIT, &chan->conn_state)) {
5391 /* F-bit wasn't sent in an s-frame or i-frame yet, so
5394 control.super = L2CAP_SUPER_RR;
5395 l2cap_send_sframe(chan, &control);
5399 static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
5400 struct sk_buff **last_frag)
5402 /* skb->len reflects data in skb as well as all fragments
5403 * skb->data_len reflects only data in fragments
5405 if (!skb_has_frag_list(skb))
5406 skb_shinfo(skb)->frag_list = new_frag;
5408 new_frag->next = NULL;
5410 (*last_frag)->next = new_frag;
5411 *last_frag = new_frag;
5413 skb->len += new_frag->len;
5414 skb->data_len += new_frag->len;
5415 skb->truesize += new_frag->truesize;
5418 static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
5419 struct l2cap_ctrl *control)
5423 switch (control->sar) {
5424 case L2CAP_SAR_UNSEGMENTED:
5428 err = chan->ops->recv(chan, skb);
5431 case L2CAP_SAR_START:
5435 chan->sdu_len = get_unaligned_le16(skb->data);
5436 skb_pull(skb, L2CAP_SDULEN_SIZE);
5438 if (chan->sdu_len > chan->imtu) {
5443 if (skb->len >= chan->sdu_len)
5447 chan->sdu_last_frag = skb;
5453 case L2CAP_SAR_CONTINUE:
5457 append_skb_frag(chan->sdu, skb,
5458 &chan->sdu_last_frag);
5461 if (chan->sdu->len >= chan->sdu_len)
5471 append_skb_frag(chan->sdu, skb,
5472 &chan->sdu_last_frag);
5475 if (chan->sdu->len != chan->sdu_len)
5478 err = chan->ops->recv(chan, chan->sdu);
5481 /* Reassembly complete */
5483 chan->sdu_last_frag = NULL;
5491 kfree_skb(chan->sdu);
5493 chan->sdu_last_frag = NULL;
5500 static int l2cap_resegment(struct l2cap_chan *chan)
5506 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
5510 if (chan->mode != L2CAP_MODE_ERTM)
5513 event = busy ? L2CAP_EV_LOCAL_BUSY_DETECTED : L2CAP_EV_LOCAL_BUSY_CLEAR;
5514 l2cap_tx(chan, NULL, NULL, event);
5517 static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
5520 /* Pass sequential frames to l2cap_reassemble_sdu()
5521 * until a gap is encountered.
5524 BT_DBG("chan %p", chan);
5526 while (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5527 struct sk_buff *skb;
5528 BT_DBG("Searching for skb with txseq %d (queue len %d)",
5529 chan->buffer_seq, skb_queue_len(&chan->srej_q));
5531 skb = l2cap_ertm_seq_in_queue(&chan->srej_q, chan->buffer_seq);
5536 skb_unlink(skb, &chan->srej_q);
5537 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
5538 err = l2cap_reassemble_sdu(chan, skb, &bt_cb(skb)->control);
5543 if (skb_queue_empty(&chan->srej_q)) {
5544 chan->rx_state = L2CAP_RX_STATE_RECV;
5545 l2cap_send_ack(chan);
5551 static void l2cap_handle_srej(struct l2cap_chan *chan,
5552 struct l2cap_ctrl *control)
5554 struct sk_buff *skb;
5556 BT_DBG("chan %p, control %p", chan, control);
5558 if (control->reqseq == chan->next_tx_seq) {
5559 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5560 l2cap_send_disconn_req(chan, ECONNRESET);
5564 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5567 BT_DBG("Seq %d not available for retransmission",
5572 if (chan->max_tx != 0 && bt_cb(skb)->control.retries >= chan->max_tx) {
5573 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5574 l2cap_send_disconn_req(chan, ECONNRESET);
5578 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5580 if (control->poll) {
5581 l2cap_pass_to_tx(chan, control);
5583 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5584 l2cap_retransmit(chan, control);
5585 l2cap_ertm_send(chan);
5587 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5588 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5589 chan->srej_save_reqseq = control->reqseq;
5592 l2cap_pass_to_tx_fbit(chan, control);
5594 if (control->final) {
5595 if (chan->srej_save_reqseq != control->reqseq ||
5596 !test_and_clear_bit(CONN_SREJ_ACT,
5598 l2cap_retransmit(chan, control);
5600 l2cap_retransmit(chan, control);
5601 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F) {
5602 set_bit(CONN_SREJ_ACT, &chan->conn_state);
5603 chan->srej_save_reqseq = control->reqseq;
5609 static void l2cap_handle_rej(struct l2cap_chan *chan,
5610 struct l2cap_ctrl *control)
5612 struct sk_buff *skb;
5614 BT_DBG("chan %p, control %p", chan, control);
5616 if (control->reqseq == chan->next_tx_seq) {
5617 BT_DBG("Invalid reqseq %d, disconnecting", control->reqseq);
5618 l2cap_send_disconn_req(chan, ECONNRESET);
5622 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, control->reqseq);
5624 if (chan->max_tx && skb &&
5625 bt_cb(skb)->control.retries >= chan->max_tx) {
5626 BT_DBG("Retry limit exceeded (%d)", chan->max_tx);
5627 l2cap_send_disconn_req(chan, ECONNRESET);
5631 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5633 l2cap_pass_to_tx(chan, control);
5635 if (control->final) {
5636 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state))
5637 l2cap_retransmit_all(chan, control);
5639 l2cap_retransmit_all(chan, control);
5640 l2cap_ertm_send(chan);
5641 if (chan->tx_state == L2CAP_TX_STATE_WAIT_F)
5642 set_bit(CONN_REJ_ACT, &chan->conn_state);
5646 static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
5648 BT_DBG("chan %p, txseq %d", chan, txseq);
5650 BT_DBG("last_acked_seq %d, expected_tx_seq %d", chan->last_acked_seq,
5651 chan->expected_tx_seq);
5653 if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
5654 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5656 /* See notes below regarding "double poll" and
5659 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5660 BT_DBG("Invalid/Ignore - after SREJ");
5661 return L2CAP_TXSEQ_INVALID_IGNORE;
5663 BT_DBG("Invalid - in window after SREJ sent");
5664 return L2CAP_TXSEQ_INVALID;
5668 if (chan->srej_list.head == txseq) {
5669 BT_DBG("Expected SREJ");
5670 return L2CAP_TXSEQ_EXPECTED_SREJ;
5673 if (l2cap_ertm_seq_in_queue(&chan->srej_q, txseq)) {
5674 BT_DBG("Duplicate SREJ - txseq already stored");
5675 return L2CAP_TXSEQ_DUPLICATE_SREJ;
5678 if (l2cap_seq_list_contains(&chan->srej_list, txseq)) {
5679 BT_DBG("Unexpected SREJ - not requested");
5680 return L2CAP_TXSEQ_UNEXPECTED_SREJ;
5684 if (chan->expected_tx_seq == txseq) {
5685 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
5687 BT_DBG("Invalid - txseq outside tx window");
5688 return L2CAP_TXSEQ_INVALID;
5691 return L2CAP_TXSEQ_EXPECTED;
5695 if (__seq_offset(chan, txseq, chan->last_acked_seq) <
5696 __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
5697 BT_DBG("Duplicate - expected_tx_seq later than txseq");
5698 return L2CAP_TXSEQ_DUPLICATE;
5701 if (__seq_offset(chan, txseq, chan->last_acked_seq) >= chan->tx_win) {
5702 /* A source of invalid packets is a "double poll" condition,
5703 * where delays cause us to send multiple poll packets. If
5704 * the remote stack receives and processes both polls,
5705 * sequence numbers can wrap around in such a way that a
5706 * resent frame has a sequence number that looks like new data
5707 * with a sequence gap. This would trigger an erroneous SREJ
5710 * Fortunately, this is impossible with a tx window that's
5711 * less than half of the maximum sequence number, which allows
5712 * invalid frames to be safely ignored.
5714 * With tx window sizes greater than half of the tx window
5715 * maximum, the frame is invalid and cannot be ignored. This
5716 * causes a disconnect.
5719 if (chan->tx_win <= ((chan->tx_win_max + 1) >> 1)) {
5720 BT_DBG("Invalid/Ignore - txseq outside tx window");
5721 return L2CAP_TXSEQ_INVALID_IGNORE;
5723 BT_DBG("Invalid - txseq outside tx window");
5724 return L2CAP_TXSEQ_INVALID;
5727 BT_DBG("Unexpected - txseq indicates missing frames");
5728 return L2CAP_TXSEQ_UNEXPECTED;
5732 static int l2cap_rx_state_recv(struct l2cap_chan *chan,
5733 struct l2cap_ctrl *control,
5734 struct sk_buff *skb, u8 event)
5737 bool skb_in_use = 0;
5739 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5743 case L2CAP_EV_RECV_IFRAME:
5744 switch (l2cap_classify_txseq(chan, control->txseq)) {
5745 case L2CAP_TXSEQ_EXPECTED:
5746 l2cap_pass_to_tx(chan, control);
5748 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5749 BT_DBG("Busy, discarding expected seq %d",
5754 chan->expected_tx_seq = __next_seq(chan,
5757 chan->buffer_seq = chan->expected_tx_seq;
5760 err = l2cap_reassemble_sdu(chan, skb, control);
5764 if (control->final) {
5765 if (!test_and_clear_bit(CONN_REJ_ACT,
5766 &chan->conn_state)) {
5768 l2cap_retransmit_all(chan, control);
5769 l2cap_ertm_send(chan);
5773 if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
5774 l2cap_send_ack(chan);
5776 case L2CAP_TXSEQ_UNEXPECTED:
5777 l2cap_pass_to_tx(chan, control);
5779 /* Can't issue SREJ frames in the local busy state.
5780 * Drop this frame, it will be seen as missing
5781 * when local busy is exited.
5783 if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
5784 BT_DBG("Busy, discarding unexpected seq %d",
5789 /* There was a gap in the sequence, so an SREJ
5790 * must be sent for each missing frame. The
5791 * current frame is stored for later use.
5793 skb_queue_tail(&chan->srej_q, skb);
5795 BT_DBG("Queued %p (queue len %d)", skb,
5796 skb_queue_len(&chan->srej_q));
5798 clear_bit(CONN_SREJ_ACT, &chan->conn_state);
5799 l2cap_seq_list_clear(&chan->srej_list);
5800 l2cap_send_srej(chan, control->txseq);
5802 chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
5804 case L2CAP_TXSEQ_DUPLICATE:
5805 l2cap_pass_to_tx(chan, control);
5807 case L2CAP_TXSEQ_INVALID_IGNORE:
5809 case L2CAP_TXSEQ_INVALID:
5811 l2cap_send_disconn_req(chan, ECONNRESET);
5815 case L2CAP_EV_RECV_RR:
5816 l2cap_pass_to_tx(chan, control);
5817 if (control->final) {
5818 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5820 if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
5821 !__chan_is_moving(chan)) {
5823 l2cap_retransmit_all(chan, control);
5826 l2cap_ertm_send(chan);
5827 } else if (control->poll) {
5828 l2cap_send_i_or_rr_or_rnr(chan);
5830 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5831 &chan->conn_state) &&
5832 chan->unacked_frames)
5833 __set_retrans_timer(chan);
5835 l2cap_ertm_send(chan);
5838 case L2CAP_EV_RECV_RNR:
5839 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5840 l2cap_pass_to_tx(chan, control);
5841 if (control && control->poll) {
5842 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5843 l2cap_send_rr_or_rnr(chan, 0);
5845 __clear_retrans_timer(chan);
5846 l2cap_seq_list_clear(&chan->retrans_list);
5848 case L2CAP_EV_RECV_REJ:
5849 l2cap_handle_rej(chan, control);
5851 case L2CAP_EV_RECV_SREJ:
5852 l2cap_handle_srej(chan, control);
5858 if (skb && !skb_in_use) {
5859 BT_DBG("Freeing %p", skb);
5866 static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
5867 struct l2cap_ctrl *control,
5868 struct sk_buff *skb, u8 event)
5871 u16 txseq = control->txseq;
5872 bool skb_in_use = 0;
5874 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
5878 case L2CAP_EV_RECV_IFRAME:
5879 switch (l2cap_classify_txseq(chan, txseq)) {
5880 case L2CAP_TXSEQ_EXPECTED:
5881 /* Keep frame for reassembly later */
5882 l2cap_pass_to_tx(chan, control);
5883 skb_queue_tail(&chan->srej_q, skb);
5885 BT_DBG("Queued %p (queue len %d)", skb,
5886 skb_queue_len(&chan->srej_q));
5888 chan->expected_tx_seq = __next_seq(chan, txseq);
5890 case L2CAP_TXSEQ_EXPECTED_SREJ:
5891 l2cap_seq_list_pop(&chan->srej_list);
5893 l2cap_pass_to_tx(chan, control);
5894 skb_queue_tail(&chan->srej_q, skb);
5896 BT_DBG("Queued %p (queue len %d)", skb,
5897 skb_queue_len(&chan->srej_q));
5899 err = l2cap_rx_queued_iframes(chan);
5904 case L2CAP_TXSEQ_UNEXPECTED:
5905 /* Got a frame that can't be reassembled yet.
5906 * Save it for later, and send SREJs to cover
5907 * the missing frames.
5909 skb_queue_tail(&chan->srej_q, skb);
5911 BT_DBG("Queued %p (queue len %d)", skb,
5912 skb_queue_len(&chan->srej_q));
5914 l2cap_pass_to_tx(chan, control);
5915 l2cap_send_srej(chan, control->txseq);
5917 case L2CAP_TXSEQ_UNEXPECTED_SREJ:
5918 /* This frame was requested with an SREJ, but
5919 * some expected retransmitted frames are
5920 * missing. Request retransmission of missing
5923 skb_queue_tail(&chan->srej_q, skb);
5925 BT_DBG("Queued %p (queue len %d)", skb,
5926 skb_queue_len(&chan->srej_q));
5928 l2cap_pass_to_tx(chan, control);
5929 l2cap_send_srej_list(chan, control->txseq);
5931 case L2CAP_TXSEQ_DUPLICATE_SREJ:
5932 /* We've already queued this frame. Drop this copy. */
5933 l2cap_pass_to_tx(chan, control);
5935 case L2CAP_TXSEQ_DUPLICATE:
5936 /* Expecting a later sequence number, so this frame
5937 * was already received. Ignore it completely.
5940 case L2CAP_TXSEQ_INVALID_IGNORE:
5942 case L2CAP_TXSEQ_INVALID:
5944 l2cap_send_disconn_req(chan, ECONNRESET);
5948 case L2CAP_EV_RECV_RR:
5949 l2cap_pass_to_tx(chan, control);
5950 if (control->final) {
5951 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5953 if (!test_and_clear_bit(CONN_REJ_ACT,
5954 &chan->conn_state)) {
5956 l2cap_retransmit_all(chan, control);
5959 l2cap_ertm_send(chan);
5960 } else if (control->poll) {
5961 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5962 &chan->conn_state) &&
5963 chan->unacked_frames) {
5964 __set_retrans_timer(chan);
5967 set_bit(CONN_SEND_FBIT, &chan->conn_state);
5968 l2cap_send_srej_tail(chan);
5970 if (test_and_clear_bit(CONN_REMOTE_BUSY,
5971 &chan->conn_state) &&
5972 chan->unacked_frames)
5973 __set_retrans_timer(chan);
5975 l2cap_send_ack(chan);
5978 case L2CAP_EV_RECV_RNR:
5979 set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
5980 l2cap_pass_to_tx(chan, control);
5981 if (control->poll) {
5982 l2cap_send_srej_tail(chan);
5984 struct l2cap_ctrl rr_control;
5985 memset(&rr_control, 0, sizeof(rr_control));
5986 rr_control.sframe = 1;
5987 rr_control.super = L2CAP_SUPER_RR;
5988 rr_control.reqseq = chan->buffer_seq;
5989 l2cap_send_sframe(chan, &rr_control);
5993 case L2CAP_EV_RECV_REJ:
5994 l2cap_handle_rej(chan, control);
5996 case L2CAP_EV_RECV_SREJ:
5997 l2cap_handle_srej(chan, control);
6001 if (skb && !skb_in_use) {
6002 BT_DBG("Freeing %p", skb);
6009 static int l2cap_finish_move(struct l2cap_chan *chan)
6011 BT_DBG("chan %p", chan);
6013 chan->rx_state = L2CAP_RX_STATE_RECV;
6016 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6018 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6020 return l2cap_resegment(chan);
6023 static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
6024 struct l2cap_ctrl *control,
6025 struct sk_buff *skb, u8 event)
6029 BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
6035 l2cap_process_reqseq(chan, control->reqseq);
6037 if (!skb_queue_empty(&chan->tx_q))
6038 chan->tx_send_head = skb_peek(&chan->tx_q);
6040 chan->tx_send_head = NULL;
6042 /* Rewind next_tx_seq to the point expected
6045 chan->next_tx_seq = control->reqseq;
6046 chan->unacked_frames = 0;
6048 err = l2cap_finish_move(chan);
6052 set_bit(CONN_SEND_FBIT, &chan->conn_state);
6053 l2cap_send_i_or_rr_or_rnr(chan);
6055 if (event == L2CAP_EV_RECV_IFRAME)
6058 return l2cap_rx_state_recv(chan, control, NULL, event);
6061 static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
6062 struct l2cap_ctrl *control,
6063 struct sk_buff *skb, u8 event)
6067 if (!control->final)
6070 clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
6072 chan->rx_state = L2CAP_RX_STATE_RECV;
6073 l2cap_process_reqseq(chan, control->reqseq);
6075 if (!skb_queue_empty(&chan->tx_q))
6076 chan->tx_send_head = skb_peek(&chan->tx_q);
6078 chan->tx_send_head = NULL;
6080 /* Rewind next_tx_seq to the point expected
6083 chan->next_tx_seq = control->reqseq;
6084 chan->unacked_frames = 0;
6087 chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
6089 chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
6091 err = l2cap_resegment(chan);
6094 err = l2cap_rx_state_recv(chan, control, skb, event);
6099 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
6101 /* Make sure reqseq is for a packet that has been sent but not acked */
6104 unacked = __seq_offset(chan, chan->next_tx_seq, chan->expected_ack_seq);
6105 return __seq_offset(chan, chan->next_tx_seq, reqseq) <= unacked;
6108 static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6109 struct sk_buff *skb, u8 event)
6113 BT_DBG("chan %p, control %p, skb %p, event %d, state %d", chan,
6114 control, skb, event, chan->rx_state);
6116 if (__valid_reqseq(chan, control->reqseq)) {
6117 switch (chan->rx_state) {
6118 case L2CAP_RX_STATE_RECV:
6119 err = l2cap_rx_state_recv(chan, control, skb, event);
6121 case L2CAP_RX_STATE_SREJ_SENT:
6122 err = l2cap_rx_state_srej_sent(chan, control, skb,
6125 case L2CAP_RX_STATE_WAIT_P:
6126 err = l2cap_rx_state_wait_p(chan, control, skb, event);
6128 case L2CAP_RX_STATE_WAIT_F:
6129 err = l2cap_rx_state_wait_f(chan, control, skb, event);
6136 BT_DBG("Invalid reqseq %d (next_tx_seq %d, expected_ack_seq %d",
6137 control->reqseq, chan->next_tx_seq,
6138 chan->expected_ack_seq);
6139 l2cap_send_disconn_req(chan, ECONNRESET);
6145 static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
6146 struct sk_buff *skb)
6150 BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb,
6153 if (l2cap_classify_txseq(chan, control->txseq) ==
6154 L2CAP_TXSEQ_EXPECTED) {
6155 l2cap_pass_to_tx(chan, control);
6157 BT_DBG("buffer_seq %d->%d", chan->buffer_seq,
6158 __next_seq(chan, chan->buffer_seq));
6160 chan->buffer_seq = __next_seq(chan, chan->buffer_seq);
6162 l2cap_reassemble_sdu(chan, skb, control);
6165 kfree_skb(chan->sdu);
6168 chan->sdu_last_frag = NULL;
6172 BT_DBG("Freeing %p", skb);
6177 chan->last_acked_seq = control->txseq;
6178 chan->expected_tx_seq = __next_seq(chan, control->txseq);
6183 static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
6185 struct l2cap_ctrl *control = &bt_cb(skb)->control;
6189 __unpack_control(chan, skb);
6194 * We can just drop the corrupted I-frame here.
6195 * Receiver will miss it and start proper recovery
6196 * procedures and ask for retransmission.
6198 if (l2cap_check_fcs(chan, skb))
6201 if (!control->sframe && control->sar == L2CAP_SAR_START)
6202 len -= L2CAP_SDULEN_SIZE;
6204 if (chan->fcs == L2CAP_FCS_CRC16)
6205 len -= L2CAP_FCS_SIZE;
6207 if (len > chan->mps) {
6208 l2cap_send_disconn_req(chan, ECONNRESET);
6212 if (!control->sframe) {
6215 BT_DBG("iframe sar %d, reqseq %d, final %d, txseq %d",
6216 control->sar, control->reqseq, control->final,
6219 /* Validate F-bit - F=0 always valid, F=1 only
6220 * valid in TX WAIT_F
6222 if (control->final && chan->tx_state != L2CAP_TX_STATE_WAIT_F)
6225 if (chan->mode != L2CAP_MODE_STREAMING) {
6226 event = L2CAP_EV_RECV_IFRAME;
6227 err = l2cap_rx(chan, control, skb, event);
6229 err = l2cap_stream_rx(chan, control, skb);
6233 l2cap_send_disconn_req(chan, ECONNRESET);
6235 const u8 rx_func_to_event[4] = {
6236 L2CAP_EV_RECV_RR, L2CAP_EV_RECV_REJ,
6237 L2CAP_EV_RECV_RNR, L2CAP_EV_RECV_SREJ
6240 /* Only I-frames are expected in streaming mode */
6241 if (chan->mode == L2CAP_MODE_STREAMING)
6244 BT_DBG("sframe reqseq %d, final %d, poll %d, super %d",
6245 control->reqseq, control->final, control->poll,
6249 BT_ERR("Trailing bytes: %d in sframe", len);
6250 l2cap_send_disconn_req(chan, ECONNRESET);
6254 /* Validate F and P bits */
6255 if (control->final && (control->poll ||
6256 chan->tx_state != L2CAP_TX_STATE_WAIT_F))
6259 event = rx_func_to_event[control->super];
6260 if (l2cap_rx(chan, control, skb, event))
6261 l2cap_send_disconn_req(chan, ECONNRESET);
6271 static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
6272 struct sk_buff *skb)
6274 struct l2cap_chan *chan;
6276 chan = l2cap_get_chan_by_scid(conn, cid);
6278 if (cid == L2CAP_CID_A2MP) {
6279 chan = a2mp_channel_create(conn, skb);
6285 l2cap_chan_lock(chan);
6287 BT_DBG("unknown cid 0x%4.4x", cid);
6288 /* Drop packet and return */
6294 BT_DBG("chan %p, len %d", chan, skb->len);
6296 if (chan->state != BT_CONNECTED)
6299 switch (chan->mode) {
6300 case L2CAP_MODE_BASIC:
6301 /* If socket recv buffers overflows we drop data here
6302 * which is *bad* because L2CAP has to be reliable.
6303 * But we don't have any other choice. L2CAP doesn't
6304 * provide flow control mechanism. */
6306 if (chan->imtu < skb->len)
6309 if (!chan->ops->recv(chan, skb))
6313 case L2CAP_MODE_ERTM:
6314 case L2CAP_MODE_STREAMING:
6315 l2cap_data_rcv(chan, skb);
6319 BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
6327 l2cap_chan_unlock(chan);
6330 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
6331 struct sk_buff *skb)
6333 struct l2cap_chan *chan;
6335 chan = l2cap_global_chan_by_psm(0, psm, conn->src, conn->dst);
6339 BT_DBG("chan %p, len %d", chan, skb->len);
6341 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6344 if (chan->imtu < skb->len)
6347 if (!chan->ops->recv(chan, skb))
6354 static void l2cap_att_channel(struct l2cap_conn *conn,
6355 struct sk_buff *skb)
6357 struct l2cap_chan *chan;
6359 chan = l2cap_global_chan_by_scid(0, L2CAP_CID_LE_DATA,
6360 conn->src, conn->dst);
6364 BT_DBG("chan %p, len %d", chan, skb->len);
6366 if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)
6369 if (chan->imtu < skb->len)
6372 if (!chan->ops->recv(chan, skb))
6379 static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
6381 struct l2cap_hdr *lh = (void *) skb->data;
6385 skb_pull(skb, L2CAP_HDR_SIZE);
6386 cid = __le16_to_cpu(lh->cid);
6387 len = __le16_to_cpu(lh->len);
6389 if (len != skb->len) {
6394 BT_DBG("len %d, cid 0x%4.4x", len, cid);
6397 case L2CAP_CID_LE_SIGNALING:
6398 case L2CAP_CID_SIGNALING:
6399 l2cap_sig_channel(conn, skb);
6402 case L2CAP_CID_CONN_LESS:
6403 psm = get_unaligned((__le16 *) skb->data);
6404 skb_pull(skb, L2CAP_PSMLEN_SIZE);
6405 l2cap_conless_channel(conn, psm, skb);
6408 case L2CAP_CID_LE_DATA:
6409 l2cap_att_channel(conn, skb);
6413 if (smp_sig_channel(conn, skb))
6414 l2cap_conn_del(conn->hcon, EACCES);
6418 l2cap_data_channel(conn, cid, skb);
6423 /* ---- L2CAP interface with lower layer (HCI) ---- */
6425 int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
6427 int exact = 0, lm1 = 0, lm2 = 0;
6428 struct l2cap_chan *c;
6430 BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
6432 /* Find listening sockets and check their link_mode */
6433 read_lock(&chan_list_lock);
6434 list_for_each_entry(c, &chan_list, global_l) {
6435 struct sock *sk = c->sk;
6437 if (c->state != BT_LISTEN)
6440 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
6441 lm1 |= HCI_LM_ACCEPT;
6442 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
6443 lm1 |= HCI_LM_MASTER;
6445 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
6446 lm2 |= HCI_LM_ACCEPT;
6447 if (test_bit(FLAG_ROLE_SWITCH, &c->flags))
6448 lm2 |= HCI_LM_MASTER;
6451 read_unlock(&chan_list_lock);
6453 return exact ? lm1 : lm2;
6456 void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
6458 struct l2cap_conn *conn;
6460 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
6463 conn = l2cap_conn_add(hcon);
6465 l2cap_conn_ready(conn);
6467 l2cap_conn_del(hcon, bt_to_errno(status));
6471 int l2cap_disconn_ind(struct hci_conn *hcon)
6473 struct l2cap_conn *conn = hcon->l2cap_data;
6475 BT_DBG("hcon %p", hcon);
6478 return HCI_ERROR_REMOTE_USER_TERM;
6479 return conn->disc_reason;
6482 void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
6484 BT_DBG("hcon %p reason %d", hcon, reason);
6486 l2cap_conn_del(hcon, bt_to_errno(reason));
6489 static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
6491 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED)
6494 if (encrypt == 0x00) {
6495 if (chan->sec_level == BT_SECURITY_MEDIUM) {
6496 __set_chan_timer(chan, L2CAP_ENC_TIMEOUT);
6497 } else if (chan->sec_level == BT_SECURITY_HIGH)
6498 l2cap_chan_close(chan, ECONNREFUSED);
6500 if (chan->sec_level == BT_SECURITY_MEDIUM)
6501 __clear_chan_timer(chan);
6505 int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
6507 struct l2cap_conn *conn = hcon->l2cap_data;
6508 struct l2cap_chan *chan;
6513 BT_DBG("conn %p status 0x%2.2x encrypt %u", conn, status, encrypt);
6515 if (hcon->type == LE_LINK) {
6516 if (!status && encrypt)
6517 smp_distribute_keys(conn, 0);
6518 cancel_delayed_work(&conn->security_timer);
6521 mutex_lock(&conn->chan_lock);
6523 list_for_each_entry(chan, &conn->chan_l, list) {
6524 l2cap_chan_lock(chan);
6526 BT_DBG("chan %p scid 0x%4.4x state %s", chan, chan->scid,
6527 state_to_string(chan->state));
6529 if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
6530 l2cap_chan_unlock(chan);
6534 if (chan->scid == L2CAP_CID_LE_DATA) {
6535 if (!status && encrypt) {
6536 chan->sec_level = hcon->sec_level;
6537 l2cap_chan_ready(chan);
6540 l2cap_chan_unlock(chan);
6544 if (!__l2cap_no_conn_pending(chan)) {
6545 l2cap_chan_unlock(chan);
6549 if (!status && (chan->state == BT_CONNECTED ||
6550 chan->state == BT_CONFIG)) {
6551 struct sock *sk = chan->sk;
6553 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
6554 sk->sk_state_change(sk);
6556 l2cap_check_encryption(chan, encrypt);
6557 l2cap_chan_unlock(chan);
6561 if (chan->state == BT_CONNECT) {
6563 l2cap_start_connection(chan);
6565 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
6567 } else if (chan->state == BT_CONNECT2) {
6568 struct sock *sk = chan->sk;
6569 struct l2cap_conn_rsp rsp;
6575 if (test_bit(BT_SK_DEFER_SETUP,
6576 &bt_sk(sk)->flags)) {
6577 res = L2CAP_CR_PEND;
6578 stat = L2CAP_CS_AUTHOR_PEND;
6579 chan->ops->defer(chan);
6581 __l2cap_state_change(chan, BT_CONFIG);
6582 res = L2CAP_CR_SUCCESS;
6583 stat = L2CAP_CS_NO_INFO;
6586 __l2cap_state_change(chan, BT_DISCONN);
6587 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
6588 res = L2CAP_CR_SEC_BLOCK;
6589 stat = L2CAP_CS_NO_INFO;
6594 rsp.scid = cpu_to_le16(chan->dcid);
6595 rsp.dcid = cpu_to_le16(chan->scid);
6596 rsp.result = cpu_to_le16(res);
6597 rsp.status = cpu_to_le16(stat);
6598 l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
6601 if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
6602 res == L2CAP_CR_SUCCESS) {
6604 set_bit(CONF_REQ_SENT, &chan->conf_state);
6605 l2cap_send_cmd(conn, l2cap_get_ident(conn),
6607 l2cap_build_conf_req(chan, buf),
6609 chan->num_conf_req++;
6613 l2cap_chan_unlock(chan);
6616 mutex_unlock(&conn->chan_lock);
6621 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
6623 struct l2cap_conn *conn = hcon->l2cap_data;
6624 struct l2cap_hdr *hdr;
6627 /* For AMP controller do not create l2cap conn */
6628 if (!conn && hcon->hdev->dev_type != HCI_BREDR)
6632 conn = l2cap_conn_add(hcon);
6637 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
6641 case ACL_START_NO_FLUSH:
6644 BT_ERR("Unexpected start frame (len %d)", skb->len);
6645 kfree_skb(conn->rx_skb);
6646 conn->rx_skb = NULL;
6648 l2cap_conn_unreliable(conn, ECOMM);
6651 /* Start fragment always begin with Basic L2CAP header */
6652 if (skb->len < L2CAP_HDR_SIZE) {
6653 BT_ERR("Frame is too short (len %d)", skb->len);
6654 l2cap_conn_unreliable(conn, ECOMM);
6658 hdr = (struct l2cap_hdr *) skb->data;
6659 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
6661 if (len == skb->len) {
6662 /* Complete frame received */
6663 l2cap_recv_frame(conn, skb);
6667 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
6669 if (skb->len > len) {
6670 BT_ERR("Frame is too long (len %d, expected len %d)",
6672 l2cap_conn_unreliable(conn, ECOMM);
6676 /* Allocate skb for the complete frame (with header) */
6677 conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
6681 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
6683 conn->rx_len = len - skb->len;
6687 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
6689 if (!conn->rx_len) {
6690 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
6691 l2cap_conn_unreliable(conn, ECOMM);
6695 if (skb->len > conn->rx_len) {
6696 BT_ERR("Fragment is too long (len %d, expected %d)",
6697 skb->len, conn->rx_len);
6698 kfree_skb(conn->rx_skb);
6699 conn->rx_skb = NULL;
6701 l2cap_conn_unreliable(conn, ECOMM);
6705 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
6707 conn->rx_len -= skb->len;
6709 if (!conn->rx_len) {
6710 /* Complete frame received */
6711 l2cap_recv_frame(conn, conn->rx_skb);
6712 conn->rx_skb = NULL;
6722 static int l2cap_debugfs_show(struct seq_file *f, void *p)
6724 struct l2cap_chan *c;
6726 read_lock(&chan_list_lock);
6728 list_for_each_entry(c, &chan_list, global_l) {
6729 struct sock *sk = c->sk;
6731 seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
6732 &bt_sk(sk)->src, &bt_sk(sk)->dst,
6733 c->state, __le16_to_cpu(c->psm),
6734 c->scid, c->dcid, c->imtu, c->omtu,
6735 c->sec_level, c->mode);
6738 read_unlock(&chan_list_lock);
6743 static int l2cap_debugfs_open(struct inode *inode, struct file *file)
6745 return single_open(file, l2cap_debugfs_show, inode->i_private);
6748 static const struct file_operations l2cap_debugfs_fops = {
6749 .open = l2cap_debugfs_open,
6751 .llseek = seq_lseek,
6752 .release = single_release,
6755 static struct dentry *l2cap_debugfs;
6757 int __init l2cap_init(void)
6761 err = l2cap_init_sockets();
6766 l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
6767 NULL, &l2cap_debugfs_fops);
6769 BT_ERR("Failed to create L2CAP debug file");
6775 void l2cap_exit(void)
6777 debugfs_remove(l2cap_debugfs);
6778 l2cap_cleanup_sockets();
6781 module_param(disable_ertm, bool, 0644);
6782 MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
projects / firefly-linux-kernel-4.4.55.git / blob